From b2fe863db1c3690813aab4707203ed8fbcdc7d52 Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 21 Aug 2020 15:57:21 -0500 Subject: meta-security: subtree update:066a04425c..787ba6faea Armin Kuster (10): lynis: update to 3.0.0 security images: Move to recipe-core security packagegroups: move to recipes-core packagegroup-security-tpm: add more packages for building packagegroup-core-security: remove clamav for riscv* libsecomp: rv32/rv64 target builds are not supported yet packagegroup-core-security: remove libseccomp for riscv* libseccomp: update to 2.5.0 packagegroup-core-security: restore riscv64 for libssecomp trousers: Several Security fixes Charlie Davies (1): clamav: add INSTALL_CLAMAV_CVD flag to do_install Kai Kang (1): libseccomp: fix cross compile error for mips Yi Zhao (1): ibmswtpm2: upgrade 1563 -> 1628 Signed-off-by: Andrew Geissler Change-Id: I0341c0d4cd61fb6ef7db6a29f9fc60de3caa822f --- .../recipes-auditors/lynis/lynis_2.7.5.bb | 41 ---------- .../recipes-auditors/lynis/lynis_3.0.0.bb | 40 +++++++++ .../packagegroup/packagegroup-security-tpm.bb | 5 ++ ...tiple-security-issues-that-are-present-if.patch | 94 ++++++++++++++++++++++ .../meta-tpm/recipes-tpm/trousers/trousers_git.bb | 1 + .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb | 27 ------- .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb | 26 ++++++ .../recipes-core/images/security-build-image.bb | 19 +++++ .../recipes-core/images/security-client-image.bb | 16 ++++ .../recipes-core/images/security-server-image.bb | 19 +++++ .../recipes-core/images/security-test-image.bb | 33 ++++++++ .../packagegroup-core-security-ptest.bb | 28 +++++++ .../packagegroup/packagegroup-core-security.bb | 66 +++++++++++++++ .../recipes-scanners/clamav/clamav_0.101.5.bb | 4 +- .../images/security-build-image.bb | 19 ----- .../images/security-client-image.bb | 16 ---- .../images/security-server-image.bb | 19 ----- .../recipes-security/images/security-test-image.bb | 33 -------- .../libseccomp/files/fix-mips-build-failure.patch | 49 +++++++++++ .../libseccomp/libseccomp_2.4.3.bb | 43 ---------- .../libseccomp/libseccomp_2.5.0.bb | 48 +++++++++++ .../packagegroup-core-security-ptest.bb | 28 ------- .../packagegroup/packagegroup-core-security.bb | 68 ---------------- 23 files changed, 447 insertions(+), 295 deletions(-) delete mode 100644 meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb create mode 100644 meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb create mode 100644 meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb create mode 100644 meta-security/recipes-core/images/security-build-image.bb create mode 100644 meta-security/recipes-core/images/security-client-image.bb create mode 100644 meta-security/recipes-core/images/security-server-image.bb create mode 100644 meta-security/recipes-core/images/security-test-image.bb create mode 100644 meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb create mode 100644 meta-security/recipes-core/packagegroup/packagegroup-core-security.bb delete mode 100644 meta-security/recipes-security/images/security-build-image.bb delete mode 100644 meta-security/recipes-security/images/security-client-image.bb delete mode 100644 meta-security/recipes-security/images/security-server-image.bb delete mode 100644 meta-security/recipes-security/images/security-test-image.bb create mode 100644 meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch delete mode 100644 meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb create mode 100644 meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb delete mode 100644 meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb delete mode 100644 meta-security/recipes-security/packagegroup/packagegroup-core-security.bb diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb deleted file mode 100644 index 245761c37b..0000000000 --- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb +++ /dev/null @@ -1,41 +0,0 @@ -# Copyright (C) 2017 Armin Kuster -# Released under the MIT license (see COPYING.MIT for the terms) - -SUMMARY = "Lynis is a free and open source security and auditing tool." -HOMEDIR = "https://cisofy.com/" -LICENSE = "GPL-3.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" - -SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz" - -SRC_URI[md5sum] = "fb527b6976e70a6bcd57036c9cddc242" -SRC_URI[sha256sum] = "3d27ade73a5c1248925ad9c060024940ce5d2029f40aaa901f43314888fe324d" - -S = "${WORKDIR}/${BPN}" - -inherit autotools-brokensep - -do_compile[noexec] = "1" -do_configure[noexec] = "1" - -do_install () { - install -d ${D}/${bindir} - install -d ${D}/${sysconfdir}/lynis - install -m 555 ${S}/lynis ${D}/${bindir} - - install -d ${D}/${datadir}/lynis/db - install -d ${D}/${datadir}/lynis/plugins - install -d ${D}/${datadir}/lynis/include - install -d ${D}/${datadir}/lynis/extras - - cp -r ${S}/db/* ${D}/${datadir}/lynis/db/. - cp -r ${S}/plugins/* ${D}/${datadir}/lynis/plugins/. - cp -r ${S}/include/* ${D}/${datadir}/lynis/include/. - cp -r ${S}/extras/* ${D}/${datadir}/lynis/extras/. - cp ${S}/*.prf ${D}/${sysconfdir}/lynis -} - -FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf" -FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md" - -RDEPENDS_${PN} += "procps findutils" diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb new file mode 100644 index 0000000000..2d5962362a --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb @@ -0,0 +1,40 @@ +# Copyright (C) 2017 Armin Kuster +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMMARY = "Lynis is a free and open source security and auditing tool." +HOMEDIR = "https://cisofy.com/" +LICENSE = "GPL-3.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" + +SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz" + +SRC_URI[sha256sum] = "3cc165f9007ba41de6d0b693a1167dbaf0179085f9506dcba64b4b8e37e1bda2" + +S = "${WORKDIR}/${BPN}" + +inherit autotools-brokensep + +do_compile[noexec] = "1" +do_configure[noexec] = "1" + +do_install () { + install -d ${D}/${bindir} + install -d ${D}/${sysconfdir}/lynis + install -m 555 ${S}/lynis ${D}/${bindir} + + install -d ${D}/${datadir}/lynis/db + install -d ${D}/${datadir}/lynis/plugins + install -d ${D}/${datadir}/lynis/include + install -d ${D}/${datadir}/lynis/extras + + cp -r ${S}/db/* ${D}/${datadir}/lynis/db/. + cp -r ${S}/plugins/* ${D}/${datadir}/lynis/plugins/. + cp -r ${S}/include/* ${D}/${datadir}/lynis/include/. + cp -r ${S}/extras/* ${D}/${datadir}/lynis/extras/. + cp ${S}/*.prf ${D}/${sysconfdir}/lynis +} + +FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf" +FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md" + +RDEPENDS_${PN} += "procps findutils" diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb index 25126effb1..3844c7f9fd 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb @@ -11,6 +11,11 @@ SUMMARY_packagegroup-security-tpm = "Security TPM support" RDEPENDS_packagegroup-security-tpm = " \ tpm-tools \ trousers \ + pcr-extend \ + tpm-quote-tools \ + swtpm \ + openssl-tpm-engine \ + libtpm \ ${X86_TPM_MODULES} \ " diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch new file mode 100644 index 0000000000..72c81d11af --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch @@ -0,0 +1,94 @@ +From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Fri, 14 Aug 2020 22:14:36 -0700 +Subject: [PATCH] Correct multiple security issues that are present if the tcsd + is started by root instead of the tss user. + +Patch fixes the following 3 CVEs: + +CVE-2020-24332 +If the tcsd daemon is started with root privileges, +the creation of the system.data file is prone to symlink attacks + +CVE-2020-24330 +If the tcsd daemon is started with root privileges, +it fails to drop the root gid after it is no longer needed + +CVE-2020-24331 +If the tcsd daemon is started with root privileges, +the tss user has read and write access to the /etc/tcsd.conf file + +Authored-by: Matthias Gerstner +Signed-off-by: Debora Velarde Babb + +Upstream-Status: Backport +CVE: CVE-2020-24332 +CVE: CVE-2020-24330 +CVE: CVE-2020-24331 + +Signed-off-by: Armin Kuster + +--- + src/tcs/ps/tcsps.c | 2 +- + src/tcsd/svrside.c | 1 + + src/tcsd/tcsd_conf.c | 10 +++++----- + 3 files changed, 7 insertions(+), 6 deletions(-) + +Index: git/src/tcs/ps/tcsps.c +=================================================================== +--- git.orig/src/tcs/ps/tcsps.c ++++ git/src/tcs/ps/tcsps.c +@@ -72,7 +72,7 @@ get_file() + } + + /* open and lock the file */ +- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600); ++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600); + if (system_ps_fd < 0) { + LogError("system PS: open() of %s failed: %s", + tcsd_options.system_ps_file, strerror(errno)); +Index: git/src/tcsd/svrside.c +=================================================================== +--- git.orig/src/tcsd/svrside.c ++++ git/src/tcsd/svrside.c +@@ -473,6 +473,7 @@ main(int argc, char **argv) + } + return TCSERR(TSS_E_INTERNAL_ERROR); + } ++ setgid(pwd->pw_gid); + setuid(pwd->pw_uid); + #endif + #endif +Index: git/src/tcsd/tcsd_conf.c +=================================================================== +--- git.orig/src/tcsd/tcsd_conf.c ++++ git/src/tcsd/tcsd_conf.c +@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf) + #ifndef SOLARIS + struct group *grp; + struct passwd *pw; +- mode_t mode = (S_IRUSR|S_IWUSR); ++ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP); + #endif /* SOLARIS */ + TSS_RESULT result; + +@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf) + } + + /* make sure user/group TSS owns the conf file */ +- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) { ++ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) { + LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file, +- TSS_USER_NAME, TSS_GROUP_NAME); ++ "root", TSS_GROUP_NAME); + return TCSERR(TSS_E_INTERNAL_ERROR); + } + +- /* make sure only the tss user can manipulate the config file */ ++ /* make sure only the tss user can read (but not manipulate) the config file */ + if (((stat_buf.st_mode & 0777) ^ mode) != 0) { +- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file); ++ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file); + return TCSERR(TSS_E_INTERNAL_ERROR); + } + #endif /* SOLARIS */ diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb index fe8f557144..95e821bfa6 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb @@ -16,6 +16,7 @@ SRC_URI = " \ file://tcsd.service \ file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \ file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \ + file://0001-Correct-multiple-security-issues-that-are-present-if.patch \ " S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb deleted file mode 100644 index 80542269eb..0000000000 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb +++ /dev/null @@ -1,27 +0,0 @@ -SUMMARY = "IBM's Software TPM 2.0" -LICENSE = "BSD" -SECTION = "securty/tpm" -LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" - -DEPENDS = "openssl" - -SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ - file://remove_optimization.patch \ - " -SRC_URI[md5sum] = "13013612b3a13dc935fefe1a5684179c" -SRC_URI[sha256sum] = "fc3a17f8315c1f47670764f2384943afc0d3ba1e9a0422dacb08d455733bd1e9" -SRC_URI[sha1sum] = "a2a5335024a2edc1739f08b99e716fa355be627d" -SRC_URI[sha384sum] = "b1f278acabe2198aa79c0fe8aa0182733fe701336cbf54a88058be0b574cab768f59f9315882d0e689e634678d05b79f" -SRC_URI[sha512sum] = "ff0b9e5f0d0070eb572b23641f7a0e70a8bc65cbf4b59dca1778be3bb014124011221a492147d4c492584e87af23e2f842ca6307641b3919f67a3f27f09312c0" - -S = "${WORKDIR}/src" - -do_compile () { - make CC='${CC}' -} - -do_install () { - install -d ${D}/${bindir} - install -m 0755 tpm_server ${D}/${bindir} -} - diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb new file mode 100644 index 0000000000..3373a307f4 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb @@ -0,0 +1,26 @@ +SUMMARY = "IBM's Software TPM 2.0" +LICENSE = "BSD" +SECTION = "securty/tpm" +LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" + +DEPENDS = "openssl" + +SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ + file://remove_optimization.patch \ + " +SRC_URI[md5sum] = "bfd3eca2411915f24de628b9ec36f259" +SRC_URI[sha256sum] = "a8e874e7a1ae13a1290d7679d846281f72d0eb6a5e4cfbafca5297dbf4e29ea3" +SRC_URI[sha1sum] = "7c8241a4e97a801eace9f0eea8cdda7c58114f7f" +SRC_URI[sha384sum] = "eec25cc8ba0e3cb27d41ba4fa4c71d8158699953ccb61bb6d440236dcbd8f52b6954eaae9d640a713186e0b99311fd91" +SRC_URI[sha512sum] = "ab47caa4406ba57c0afc6fadae304fc9ef5e3e125be0f2fb1955a419cf93cd5e9176e103f0b566825abc16cca00b795f98d2b407f0a2bf7b141ef4b025d907d0" + +S = "${WORKDIR}/src" + +do_compile () { + make CC='${CC}' +} + +do_install () { + install -d ${D}/${bindir} + install -m 0755 tpm_server ${D}/${bindir} +} diff --git a/meta-security/recipes-core/images/security-build-image.bb b/meta-security/recipes-core/images/security-build-image.bb new file mode 100644 index 0000000000..a8757f980e --- /dev/null +++ b/meta-security/recipes-core/images/security-build-image.bb @@ -0,0 +1,19 @@ +DESCRIPTION = "A small image for building meta-security packages" + +IMAGE_FEATURES += "ssh-server-openssh" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-core-security \ + os-release" + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-build-image" + +IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-core/images/security-client-image.bb b/meta-security/recipes-core/images/security-client-image.bb new file mode 100644 index 0000000000..f4ebc697cd --- /dev/null +++ b/meta-security/recipes-core/images/security-client-image.bb @@ -0,0 +1,16 @@ +DESCRIPTION = "A Client side Security example" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + os-release \ + samhain-client \ + ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}" + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-client-image" diff --git a/meta-security/recipes-core/images/security-server-image.bb b/meta-security/recipes-core/images/security-server-image.bb new file mode 100644 index 0000000000..4927e0ee5d --- /dev/null +++ b/meta-security/recipes-core/images/security-server-image.bb @@ -0,0 +1,19 @@ +DESCRIPTION = "A Serve side image for Security example " + +IMAGE_FEATURES += "ssh-server-openssh" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + samhain-server \ + os-release " + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-server-image" + +IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb new file mode 100644 index 0000000000..c71d7267d5 --- /dev/null +++ b/meta-security/recipes-core/images/security-test-image.bb @@ -0,0 +1,33 @@ +DESCRIPTION = "A small image for testing meta-security packages" + +IMAGE_FEATURES += "ssh-server-openssh" + +TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata" + +INSTALL_CLAMAV_CVD = "1" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-core-security-ptest \ + clamav \ + tripwire \ + checksec \ + suricata \ + samhain-standalone \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \ + os-release \ + " + + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-test-image" + +IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb new file mode 100644 index 0000000000..cf34ded19c --- /dev/null +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb @@ -0,0 +1,28 @@ +DESCRIPTION = "Security ptest packagegroup" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ + file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +inherit features_check + +REQUIRED_DISTRO_FEATURES = "ptest" + +PACKAGES = "\ + ${PN} \ + " + +ALLOW_EMPTY_${PN} = "1" + +SUMMARY_${PN} = "Security packages with ptests" +RDEPENDS_${PN} = " \ + ptest-runner \ + samhain-standalone-ptest \ + keyutils-ptest \ + libseccomp-ptest \ + python3-scapy-ptest \ + suricata-ptest \ + tripwire-ptest \ + python3-fail2ban-ptest \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ + " diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb new file mode 100644 index 0000000000..c6342fdb29 --- /dev/null +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -0,0 +1,66 @@ +DESCRIPTION = "Security packagegroup for Poky" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ + file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +inherit packagegroup + +PACKAGES = "\ + packagegroup-core-security \ + packagegroup-security-utils \ + packagegroup-security-scanners \ + packagegroup-security-ids \ + packagegroup-security-mac \ + " + +RDEPENDS_packagegroup-core-security = "\ + packagegroup-security-utils \ + packagegroup-security-scanners \ + packagegroup-security-ids \ + packagegroup-security-mac \ + " + +SUMMARY_packagegroup-security-utils = "Security utilities" +RDEPENDS_packagegroup-security-utils = "\ + checksec \ + nmap \ + pinentry \ + python3-scapy \ + ding-libs \ + keyutils \ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ + " + +SUMMARY_packagegroup-security-scanners = "Security scanners" +RDEPENDS_packagegroup-security-scanners = "\ + nikto \ + checksecurity \ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \ + " + +SUMMARY_packagegroup-security-audit = "Security Audit tools " +RDEPENDS_packagegroup-security-audit = " \ + buck-security \ + redhat-security \ + " + +SUMMARY_packagegroup-security-hardening = "Security Hardening tools" +RDEPENDS_packagegroup-security-hardening = " \ + bastille \ + " + +SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" +RDEPENDS_packagegroup-security-ids = " \ + tripwire \ + samhain-standalone \ + suricata \ + " + +SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" +RDEPENDS_packagegroup-security-mac = " \ + ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ + " diff --git a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb index 2ea2c9bd27..770186ad47 100644 --- a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb +++ b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb @@ -89,7 +89,9 @@ do_install_append_class-target () { install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc rm ${D}/${libdir}/libclamav.so - install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/. + if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then + install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/. + fi if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service install -d ${D}${sysconfdir}/tmpfiles.d diff --git a/meta-security/recipes-security/images/security-build-image.bb b/meta-security/recipes-security/images/security-build-image.bb deleted file mode 100644 index a8757f980e..0000000000 --- a/meta-security/recipes-security/images/security-build-image.bb +++ /dev/null @@ -1,19 +0,0 @@ -DESCRIPTION = "A small image for building meta-security packages" - -IMAGE_FEATURES += "ssh-server-openssh" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - packagegroup-core-security \ - os-release" - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-build-image" - -IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/images/security-client-image.bb b/meta-security/recipes-security/images/security-client-image.bb deleted file mode 100644 index f4ebc697cd..0000000000 --- a/meta-security/recipes-security/images/security-client-image.bb +++ /dev/null @@ -1,16 +0,0 @@ -DESCRIPTION = "A Client side Security example" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - os-release \ - samhain-client \ - ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}" - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-client-image" diff --git a/meta-security/recipes-security/images/security-server-image.bb b/meta-security/recipes-security/images/security-server-image.bb deleted file mode 100644 index 4927e0ee5d..0000000000 --- a/meta-security/recipes-security/images/security-server-image.bb +++ /dev/null @@ -1,19 +0,0 @@ -DESCRIPTION = "A Serve side image for Security example " - -IMAGE_FEATURES += "ssh-server-openssh" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - samhain-server \ - os-release " - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-server-image" - -IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/images/security-test-image.bb b/meta-security/recipes-security/images/security-test-image.bb deleted file mode 100644 index c71d7267d5..0000000000 --- a/meta-security/recipes-security/images/security-test-image.bb +++ /dev/null @@ -1,33 +0,0 @@ -DESCRIPTION = "A small image for testing meta-security packages" - -IMAGE_FEATURES += "ssh-server-openssh" - -TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata" - -INSTALL_CLAMAV_CVD = "1" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - packagegroup-core-security-ptest \ - clamav \ - tripwire \ - checksec \ - suricata \ - samhain-standalone \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \ - os-release \ - " - - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-test-image" - -IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch new file mode 100644 index 0000000000..7d17a038af --- /dev/null +++ b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch @@ -0,0 +1,49 @@ +Backport patch to fix cross compile error for mips: + +| syscalls.h:44:6: error: expected identifier or '(' before numeric constant +| 44 | int mips; +| | ^~~~ + +Upstream-Status: Submitted [https://github.com/seccomp/libseccomp/pull/279/commits/04c519e5] + +Signed-off-by: Kai Kang + +From 04c519e5b1de53592e98307813e5c6db7418f91b Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Sun, 2 Aug 2020 09:57:39 -0400 +Subject: [PATCH] build: undefine "mips" to prevent build problems for MIPS + targets + +It turns out that the MIPS GCC compiler defines a "mips" cpp macro +which was resulting in build failures on MIPS so we need to +undefine the "mips" macro during build. As this should be safe +to do in all architectures, just add it to the compiler flags by +default. + +This was reported in the following GH issue: +* https://github.com/seccomp/libseccomp/issues/274 + +Reported-by: Rongwei Zhang +Suggested-by: Rongwei Zhang +Signed-off-by: Paul Moore +--- + configure.ac | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 40d9dcbb..3e877348 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -65,9 +65,11 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) + + dnl #### + dnl build flags ++dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it ++dnl for us which wreaks havoc on the build + dnl #### + AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include" +-AM_CFLAGS="-Wall" ++AM_CFLAGS="-Wall -Umips" + AM_LDFLAGS="-Wl,-z -Wl,relro" + AC_SUBST([AM_CPPFLAGS]) + AC_SUBST([AM_CFLAGS]) diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb deleted file mode 100644 index 9ca41e650b..0000000000 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb +++ /dev/null @@ -1,43 +0,0 @@ -SUMMARY = "interface to seccomp filtering mechanism" -DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp." -SECTION = "security" -LICENSE = "LGPL-2.1" -LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f" - -SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427" - -SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \ - file://run-ptest \ -" - -S = "${WORKDIR}/git" - -inherit autotools-brokensep pkgconfig ptest - -PACKAGECONFIG ??= "" -PACKAGECONFIG[python] = "--enable-python, --disable-python, python" - -DISABLE_STATIC = "" - -do_compile_ptest() { - oe_runmake -C tests check-build -} - -do_install_ptest() { - install -d ${D}${PTEST_PATH}/tests - install -d ${D}${PTEST_PATH}/tools - for file in $(find tests/* -executable -type f); do - install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests - done - for file in $(find tests/*.tests -type f); do - install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests - done - for file in $(find tools/* -executable -type f); do - install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tools - done -} - -FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*" -FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug" - -RDEPENDS_${PN}-ptest = "bash" diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb new file mode 100644 index 0000000000..35365d5b43 --- /dev/null +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb @@ -0,0 +1,48 @@ +SUMMARY = "interface to seccomp filtering mechanism" +DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp." +SECTION = "security" +LICENSE = "LGPL-2.1" +LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f" + +DEPENDS += "gperf-native" + +SRCREV = "f13f58efc690493fe7aa69f54cb52a118f3769c1" + +SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \ + file://run-ptest \ + file://fix-mips-build-failure.patch \ +" + +COMPATIBLE_HOST_riscv32 = "null" + +S = "${WORKDIR}/git" + +inherit autotools-brokensep pkgconfig ptest + +PACKAGECONFIG ??= "" +PACKAGECONFIG[python] = "--enable-python, --disable-python, python3" + +DISABLE_STATIC = "" + +do_compile_ptest() { + oe_runmake -C tests check-build +} + +do_install_ptest() { + install -d ${D}${PTEST_PATH}/tests + install -d ${D}${PTEST_PATH}/tools + for file in $(find tests/* -executable -type f); do + install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests + done + for file in $(find tests/*.tests -type f); do + install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests + done + for file in $(find tools/* -executable -type f); do + install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tools + done +} + +FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*" +FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug" + +RDEPENDS_${PN}-ptest = "bash" diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb deleted file mode 100644 index cf34ded19c..0000000000 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb +++ /dev/null @@ -1,28 +0,0 @@ -DESCRIPTION = "Security ptest packagegroup" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ - file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -inherit features_check - -REQUIRED_DISTRO_FEATURES = "ptest" - -PACKAGES = "\ - ${PN} \ - " - -ALLOW_EMPTY_${PN} = "1" - -SUMMARY_${PN} = "Security packages with ptests" -RDEPENDS_${PN} = " \ - ptest-runner \ - samhain-standalone-ptest \ - keyutils-ptest \ - libseccomp-ptest \ - python3-scapy-ptest \ - suricata-ptest \ - tripwire-ptest \ - python3-fail2ban-ptest \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ - " diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb deleted file mode 100644 index e0a9d05347..0000000000 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb +++ /dev/null @@ -1,68 +0,0 @@ -DESCRIPTION = "Security packagegroup for Poky" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ - file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -inherit packagegroup - -PACKAGES = "\ - packagegroup-core-security \ - packagegroup-security-utils \ - packagegroup-security-scanners \ - packagegroup-security-ids \ - packagegroup-security-mac \ - " - -RDEPENDS_packagegroup-core-security = "\ - packagegroup-security-utils \ - packagegroup-security-scanners \ - packagegroup-security-ids \ - packagegroup-security-mac \ - " - -SUMMARY_packagegroup-security-utils = "Security utilities" -RDEPENDS_packagegroup-security-utils = "\ - checksec \ - nmap \ - pinentry \ - python3-scapy \ - ding-libs \ - keyutils \ - libseccomp \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ - " - -SUMMARY_packagegroup-security-scanners = "Security scanners" -RDEPENDS_packagegroup-security-scanners = "\ - nikto \ - checksecurity \ - clamav \ - clamav-freshclam \ - clamav-cvd \ - " - -SUMMARY_packagegroup-security-audit = "Security Audit tools " -RDEPENDS_packagegroup-security-audit = " \ - buck-security \ - redhat-security \ - " - -SUMMARY_packagegroup-security-hardening = "Security Hardening tools" -RDEPENDS_packagegroup-security-hardening = " \ - bastille \ - " - -SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" -RDEPENDS_packagegroup-security-ids = " \ - tripwire \ - samhain-standalone \ - suricata \ - " - -SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" -RDEPENDS_packagegroup-security-mac = " \ - ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ - " -- cgit v1.2.3