From b95905d1c8bee73bd53457a1895e33c119eb9680 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Wed, 2 Jun 2021 12:40:56 -0700 Subject: meta-openembedded: subtree update:4fe1065655..2449e5f07a MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Alexander Kanavin (1): remmina: make avahi support optional and off by default Alexander Vickberg (1): hostapd: fix building with CONFIG_TLS=internal Andreas Müller (63): mariadb: Fix configure evolution-data-server: Backport upstream patch to fix configure on latest CMake libgtop: tidy up recipe xfce4-systemload-plugin: upgrade 1.3.0 -> 1.3.1 / introduce PACKAGECONFIGs xfce4-clipman-plugin: upgrade 1.6.1 -> 1.6.2 xfce4-panel: upgrade 4.16.2 -> 4.16.3 fluidsynth: upgrade 2.2.0 -> 2.2.1 gparted: upgrade 1.2.0 -> 1.3.0 poppler: upgrade 21.04.0 -> 21.05.0 tracker: upgrade 2.3.6 -> 3.0.4 tracker-miners: upgrade 2.3.5 -> 3.0.5 nautilus: upgrade 3.36.3 -> 40.1 gnome-photos: upgrade 3.34.2 -> 40.0 file-roller: upgrade 3.36.3 -> 3.38.1 tepl: upgrade 4.4.0 -> 6.00.0 gedit: upgrade 3.36.2 -> 40.1 evince: upgrade 3.38.0 -> 40.1 gnome-calculator: upgrade 3.36.0 -> 40.1 gnome-system-monitor: upgrade 3.36.1 -> 40.1 dconf-editor: upgrade 3.38.2 -> 3.38.3 libwnck3: upgrade 3.36.0 -> 40.0 babl: upgrade 0.1.84 -> 0.1.86 gimp: upgrade 2.10.22 -> 2.10.24 gegl: add PACKAGECONFIG libraw and enable it by default gegl: add poppler PCAKAGECONFIG and enable it by default Revert "gimp: Disable svg icons on arm" grilo-plugins: initial add 0.3.13 gnome-photos: rrecommend grilo-plugins gnome-photos: Let all desktops add gnome-photos to their start menu meta-gnome: remove upstream-version-is-even from inherit on 40.x version recipes portaudio-v19: upgrade 19.6.0 -> 19.7.0 mousepad: upgrade 0.5.4 -> 0.5.5 network-manager-applet: upgrade 1.18.0 -> 1.22.0 nano: upgrade 5.6 -> 5.7 gnuplot: upgrade 5.2.8 -> 5.4.1 zsh: upgrade 5.4.2 -> 5.8 ttf-lohit: upgrade 2 -> 2.92.1 xrdp: upgrade 0.9.15 -> 0.9.16 snappy: upgrade 1.1.8 -> 1.1.9 redis: upgrade 6.2.2 -> 6.2.3 remmina: upgrade 1.4.11 -> 1.4.17 libpeas: upgrade 1.26.0 -> 1.30.0 modemmanager: upgrade 1.16.2 -> 1.16.4 mm-common: upgrade 1.0.2 -> 1.0.3 protobuf: upgrade 3.15.2 -> 3.17.0 qpdf: upgrade 10.2.0 -> 10.3.2 libmxml: upgrade 3.1 -> 3.2 libgusb: upgrade 0.3.5 -> 0.3.6 libeigen: upgrade 3.3.7 -> 3.3.9 giflib: upgrade 5.1.4 -> 5.2.1 fltk: upgrade 1.3.5 -> 1.3.6 botan: upgrade 2.14.0 -> 2.18.1 dialog: upgrade 1.3-20210319 -> 1.3-20210509 colord: upgrade 1.4.4 -> 1.4.5 flatbuffers: upgrade 1.12.0 -> 2.0.0 gtkwave: upgrade 3.3.108 -> 3.3.109 / move to gtk3 / tidy up recipe hwdata: upgrade 0.346 -> 0.347 mime-support: upgrade 3.48 -> 3.62 mpv: upgrade 0.32.0 -> 0.33.1 renderdoc: upgrade 1.7 -> 1.13 xfce4-screenshooter: upgrade 1.9.8 -> 1.9.9 hunspell-dictionaries: use better names for dictionary files gupnp: upgrade 1.2.4 -> 1.2.6 Andrej Kozemcak (1): squid: upgrade 4.14 -> 4.15 Armin Kuster (6): audit: migrate from meta-selinux packagegroup-meta-oe: add audit to pkg grp python3-scapy: move from meta-security python3-scapy: add pkg to pkg grp python3-scapy: drop from pkg grp python3-scapy: drop this recipe Ayoub Zaki (1): evemu-tools: Add initial recipe Bartosz Golaszewski (3): python3-pycocotools: new package python3-pydbus-manager: add runtime dependencies python3-asyncio-glib: new package Bruce Mitchell (1): makedumpfile: Bump srcrev Changqing Li (3): python3-paho-mqtt: add package python3-paho-mqtt-examples nmap: change shebang to python3 libgtop: fix do_compile error Chen Qi (1): mutter: add polkit to REQUIRED_DISTRO_FEATRUES Daniel Ammann (1): nyancat: add new package Gianfranco (1): vboxguestdrivers: upgrade 6.1.20 -> 6.1.22 Guy Morand (1): qperf: add qperf recipe Hongxu Jia (1): cdrkit: add nativesdk support Kai Kang (1): thunar: 4.16.6 -> 4.16.8 Khem Raj (47): liburing: Upgrade to 2.0 catch2: Upgrade to 2.13.6 mongodb: Update to 4.4.6-rc0 icewm: Upgrade to 2.3.3 python3-m2crypto: Pass correct ABI defines to swig python3-lazy-object-proxy: Add missing dep on pip python3-markdown: Remove sdbus-c++-libsystemd: Avoid hard dependency on rsync libmusicbrainz: Rework native and target pieces abseil-cpp: Upgrade to lts_2021_03_24 grpc: Upgrade to 1.37.1 minicoredumper: Replace pthread_mutexattr_setrobust_np with pthread_mutexattr_setrobust libupnp: Do not use _np versions of mutex APIs mariadb: Upgrade to 10.5.10 apitrace: Upgrade to 0.10 evolution-data-server: Update to 3.40.1 mongodb: Do not use MINSIGSTKSZ tbb: Fix build with GCC 11 breakpad: Fix type mismatch for SIGSTKSZ packagegroup-meta-networking.bb: Add http-parser to packagegroup-meta-networking-support nautilus: Exclude from builds python3-m2crypto: Fix build on riscv and mips googletest: Update to tip of trunk libraw: Move from meta-qt5-extra to meta-oe Revert "nautilus: Exclude from builds" libcamera: Update to latest master tip python3-haversine: Fix build with latest python/setuptools opencv: Disable tbb on riscv/musl rdma-core: Upgrade to 35.0 wireshark: Add zstd via packageconfig dhcp-relay: Use recent config.guess and config.sub for bind projucer: Update to latest master tip opencv: Do not lock to gcc only compiler minifi-cpp: Fix build with llvm C++ runtime sdbus-cpp: Do not fetch googletest on the fly python3-grpcio: Update to 1.38.0 heaptrack: Fix build with clang and llvm libunwind grpc: Upgrade to 1.38.0 packagegroup-meta-oe: Add qperf package dovecot: Fix build with llvm libunwind mpich: Upgrade to 3.4.2 packagegroup-meta-oe: Add evemu-tools vk-gl-cts: Fix O_TRUNC conflict with fcntl.h dhcp-relay: Fix libtool files for internal bind build mongodb: Change PV to 4.4.6 mongodb: Fix -Wc++11-narrowing warning on 32bit mariadb: Include missing sys/type.h for ssize_t Leon Anavi (81): python3-pywbemtools: Upgrade 0.8.1 -> 0.9.0 python3-humanize: Upgrade 3.4.1 -> 3.5.0 python3-elementpath: Upgrade 2.2.1 -> 2.2.2 python3-typing-extensions: Upgrade 3.7.4.3 -> 3.10.0.0 python3-watchdog: Upgrade 2.0.3 -> 2.1.0 python3-greenlet: Upgrade 1.0.0 -> 1.1.0 python3-bitarray: Upgrade 2.0.1 -> 2.1.0 python3-websockets: Upgrade 8.1 -> 9.0.1 python3-babel: Upgrade 2.9.0 -> 2.9.1 python3-croniter: Upgrade 1.0.12 -> 1.0.13 python3-serpent: Upgrade 1.30.2 -> 1.40 python3-cerberus: Upgrade 1.3.3 -> 1.3.4 python3-aiohue: Upgrade 2.2.0 -> 2.3.0 python3-robotframework: Upgrade 4.0.1 -> 4.0.2 python3-sentry-sdk: Upgrade 1.0.0 -> 1.1.0 python3-aiohue: Upgrade 2.3.0 -> 2.3.1 python3-watchdog: Upgrade 2.1.0 -> 2.1.1 python3-itsdangerous: Upgrade 1.1.0 -> 2.0.0 python3-websocket-client: Upgrade 0.58.0 -> 0.59.0 python3-google-api-python-client: Upgrade 2.2.0 -> 2.4.0 python3-configargparse: Upgrade 1.4 -> 1.4.1 python3-click: Upgrade 7.1.2 -> 8.0.0 python3-pysonos: Upgrade 0.0.43 -> 0.0.46 python3-rfc3339-validator: Upgrade 0.1.3 -> 0.1.4 python3-pymongo: Upgrade 3.11.3 -> 3.11.4 python3-alembic: Upgrade 1.5.8 -> 1.6.2 python3-deprecated: Add recipe python3-pymisp: Upgrade 2.4.142 -> 2.4.143 python3-aiohue: Upgrade 2.3.1 -> 2.4.0 python3-pyroute2: Upgrade 0.5.18 -> 0.5.19 python3-matplotlib-inline: Add recipe python3-ipython: Upgrade 7.22.0 -> 7.23.1 python3-sh: Upgrade 1.14.1 -> 1.14.2 python3-javaobj-py3: Upgrade 0.4.2 -> 0.4.3 python3-pyjwt: Upgrade 2.0.1 -> 2.1.0 python3-aiofiles: Upgrade 0.6.0 -> 0.7.0 python3-aiohue: Upgrade 2.4.0 -> 2.5.0 python3-cbor2: Upgrade 5.2.0 -> 5.3.0 python3-websockets: Upgrade 9.0.1 -> 9.0.2 python3-decorator: Upgrade 5.0.7 -> 5.0.9 python3-websocket-client: Upgrade 0.59.0 -> 1.0.0 python3-pysonos: Upgrade 0.0.46 -> 0.0.48 surf: Upgrade 2.0 -> 2.1 python3-pywbem: Upgrade 1.1.3 -> 1.2.0 python3-watchdog: Upgrade 2.1.1 -> 2.1.2 python3-click: Upgrade 8.0.0 -> 8.0.1 python3-pysonos: Upgrade 0.0.48 -> 0.0.49 python3-pytest-runner: Upgrade 5.3.0 -> 5.3.1 python3-xmlschema: Upgrade 1.6.1 -> 1.6.2 python3-websocket-client: Upgrade 1.0.0 -> 1.0.1 python3-alembic: Upgrade 1.6.2 -> 1.6.4 python3-sqlalchemy: Upgrade 1.4.11 -> 1.4.15 python3-flask-migrate: Upgrade 2.7.0 -> 3.0.0 python3-flask: Upgrade 1.1.2 -> 2.0.1 python3-flask-wtf: Upgrade 0.14.3 -> 0.15.1 python3-flask-socketio: Upgrade 5.0.1 -> 5.0.3 python3-werkzeug: Upgrade 1.0.1 -> 2.0.1 python3-bidict: Add recipe python3-socketio: Upgrade 5.1.0 -> 5.3.0 python3-robotframework: Upgrade 4.0.2 -> 4.0.3 python3-flask-restful: Upgrade 0.3.8 -> 0.3.9 python3-pysonos: Upgrade 0.0.49 -> 0.0.50 python3-aenum: Upgrade 3.0.0 -> 3.1.0 python3-pyscaffold: Upgrade 4.0.1 -> 4.0.2 python3-urllib3: Upgrade 1.26.4 -> 1.26.5 python3-tqdm: Upgrade 4.60.0 -> 4.61.0 python3-flask: Extend RDEPENDS python3-ecdsa: Upgrade 0.16.1 -> 0.17.0 python3-alembic: Upgrade 1.6.4 -> 1.6.5 python3-websockets: Upgrade 9.0.2 -> 9.1 python3-pyzmq: Upgrade 22.0.3 -> 22.1.0 python3-ntplib: Upgrade 0.3.4 -> 0.4.0 python3-humanize: Upgrade 3.5.0 -> 3.6.0 python3-astroid: Upgrade 2.5.6 -> 2.5.7 python3-netifaces: Upgrade 0.10.9 -> 0.11.0 python3-certifi: Upgrade 2020.12.5 -> 2021.5.30 python3-click-repl: Upgrade 0.1.6 -> 0.2.0 python3-google-api-python-client: Upgrade 2.4.0 -> 2.6.0 python3-pytest-helpers-namespace: Upgrade 2021.3.24 -> 2021.4.29 python3-ipython: Upgrade 7.23.1 -> 7.24.0 python3-ruamel-yaml: Upgrade 0.17.4 -> 0.17.7 LiweiSong (1): pm-graph: parse separated cpu exec line Martin Jansa (7): ostree: switch from default master branch to main to fix do_fetch failure snappy: explicity disable building tests and benchmark libtinyxml2: restore building shared library zsh: work around file-rdeps QA issues with usrmerge in DISTRO_FEATURES snappy: fix native build with older gcc on host p7zip: refresh patches with devtool to apply cleanly gtkwave: set REQUIRED_DISTRO_FEATURES only to wayland Nisha Parrakat (1): p7zip: build and package lib7z.so needed for fastboot Nuno Sá (2): libiio: add serial backend support libiio: mark libxml2 as depends for usb_backend Robert Joslyn (1): ctags: Use PACKAGECONFIG for build options Romain Naour (4): poke: add recipe for version 1.2 poke: add optional json-c dependency packagegroup-meta-oe: Add poke to packagegroup-meta-oe-devtools libiec61850: Upgrade to 1.5.0 Ross Burton (3): nss: disable -Werror nss: remove -march vs -mcpu workaround meta-gnome: add Cogl/Clutter from oe-core Saul Wold (2): opencv: remove tbb packageconfig for powerpc sysdig: disable building for ppc Stefan Ghinea (1): thunar: fix CVE-2021-32563 Stefan Wiehler (3): http-parser: add recipe restinio: add recipe restinio: fix license Trevor Gamblin (6): python3-django: upgrade 2.2.20 -> 2.2.22 python3-django: upgrade 3.2 -> 3.2.2 python3-django: upgrade 2.2.22 -> 2.2.23 python3-django: upgrade 3.2.2 -> 3.2.3 python3-ujson: fix ptests python3-prettytable: add python3-sqlite3 for ptest William A. Kennington III (1): span-lite: upgrade 0.8.1 -> 0.9.2 Yi Zhao (1): dhcp-relay: add recipe wangmy (11): uftrace: Fix a plthook crash on aarch64 with binutils2.35.1 and later versions on aarch64 exiv2: Fix CVE-2021-29457 exiv2: Fix CVE-2021-29458 exiv2: Fix CVE-2021-29463 exiv2: Fix CVE-2021-3482 exiv2: Fix CVE-2021-29464 exiv2: Fix CVE-2021-29470 exiv2: Fix CVE-2021-29473 libsdl: Fix CVE-2019-13616 trace-cmd: Conflict resolution uftrace: upgrade 0.9.4 -> 0.10 zangrc (21): ifenslave: upgrade 2.11 -> 2.12 lksctp-tools: upgrade 1.0.18 -> 1.0.19 nbdkit: upgrade 1.25.6 -> 1.25.7 tcpreplay: upgrade 4.3.3 -> 4.3.4 cloc: upgrade 1.88 -> 1.90 gensio: upgrade 2.2.4 -> 2.2.5 iwd: upgrade 1.13 -> 1.14 makedumpfile: upgrade 1.6.8 -> 1.6.9 postgresql: upgrade 13.2 -> 13.3 libencode-perl: upgrade 3.08 -> 3.10 python3-xlsxwriter: upgrade 1.4.0 -> 1.4.3 python3-itsdangerous: upgrade 2.0.0 -> 2.0.1 python3-protobuf: upgrade 3.14.0 -> 3.17.0 python3-pulsectl: upgrade 21.3.4 -> 21.5.17 python3-engineio: upgrade 3.13.0 -> 4.2.0 python3-can: upgrade 3.3.3 -> 3.3.4 gexiv2: upgrade 0.12.1 -> 0.12.2 gnome-autoar: upgrade 0.3.1 -> 0.3.2 gnome-bluetooth: upgrade 3.34.1 -> 3.34.5 libgweather: upgrade 3.36.1 -> 3.36.2 libstemmer: upgrade 2.0.0 -> 2.1.0 zhengruoqin (8): libdivecomputer: upgrade 0.6.0 -> 0.7.0 libjcat: upgrade 0.1.6 -> 0.1.7 libxmlb: upgrade 0.3.0 -> 0.3.1 chrony: upgrade 4.0 -> 4.1 libqmi: upgrade 1.28.2 -> 1.28.4 libtinyxml2: upgrade 8.0.0 -> 8.1.0 libndp: upgrade 1.7 -> 1.8 valijson: upgrade 0.3 -> 0.4 Change-Id: I8a1f42af3063886d88a7c0c5c79a45dde55c34da Signed-off-by: William A. Kennington III --- ...ubstitue-functions-for-strndupa-rawmemchr.patch | 133 ++++++++++++++++++ .../Fixed-swig-host-contamination-issue.patch | 57 ++++++++ .../audit/audit/audit-volatile.conf | 1 + .../meta-oe/recipes-security/audit/audit/auditd | 153 +++++++++++++++++++++ .../recipes-security/audit/audit/auditd.service | 28 ++++ .../meta-oe/recipes-security/audit/audit_2.8.5.bb | 105 ++++++++++++++ .../meta-oe/recipes-security/audit/audit_3.0.1.bb | 109 +++++++++++++++ .../meta-oe/recipes-security/nmap/nmap_7.80.bb | 8 +- 8 files changed, 591 insertions(+), 3 deletions(-) create mode 100644 meta-openembedded/meta-oe/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch create mode 100644 meta-openembedded/meta-oe/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch create mode 100644 meta-openembedded/meta-oe/recipes-security/audit/audit/audit-volatile.conf create mode 100644 meta-openembedded/meta-oe/recipes-security/audit/audit/auditd create mode 100644 meta-openembedded/meta-oe/recipes-security/audit/audit/auditd.service create mode 100644 meta-openembedded/meta-oe/recipes-security/audit/audit_2.8.5.bb create mode 100644 meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.1.bb (limited to 'meta-openembedded/meta-oe/recipes-security') diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/meta-openembedded/meta-oe/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch new file mode 100644 index 0000000000..bb6c61e805 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch @@ -0,0 +1,133 @@ +From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Tue, 26 Feb 2019 18:33:33 -0500 +Subject: [PATCH] Add substitue functions for strndupa & rawmemchr + +Upstream-Status: Backport +[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e] +--- + auparse/auparse.c | 12 +++++++++++- + auparse/interpret.c | 9 ++++++++- + configure.ac | 14 +++++++++++++- + src/ausearch-lol.c | 12 +++++++++++- + 4 files changed, 43 insertions(+), 4 deletions(-) + +diff --git a/auparse/auparse.c b/auparse/auparse.c +index 650db02..2e1c737 100644 +--- a/auparse/auparse.c ++++ b/auparse/auparse.c +@@ -1,5 +1,5 @@ + /* auparse.c -- +- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina. ++ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or +@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e) + return 0; + } + ++#ifndef HAVE_STRNDUPA ++static inline char *strndupa(const char *old, size_t n) ++{ ++ size_t len = strnlen(old, n); ++ char *tmp = alloca(len + 1); ++ tmp[len] = 0; ++ return memcpy(tmp, old, len); ++} ++#endif ++ + /* Returns 0 on success and 1 on error */ + static int extract_timestamp(const char *b, au_event_t *e) + { +diff --git a/auparse/interpret.c b/auparse/interpret.c +index 51c4a5e..67b7b77 100644 +--- a/auparse/interpret.c ++++ b/auparse/interpret.c +@@ -853,6 +853,13 @@ err_out: + return print_escaped(id->val); + } + ++// rawmemchr is faster. Let's use it if we have it. ++#ifdef HAVE_RAWMEMCHR ++#define STRCHR rawmemchr ++#else ++#define STRCHR strchr ++#endif ++ + static const char *print_proctitle(const char *val) + { + char *out = (char *)print_escaped(val); +@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val) + // Proctitle has arguments separated by NUL bytes + // We need to write over the NUL bytes with a space + // so that we can see the arguments +- while ((ptr = rawmemchr(ptr, '\0'))) { ++ while ((ptr = STRCHR(ptr, '\0'))) { + if (ptr >= end) + break; + *ptr = ' '; +diff --git a/configure.ac b/configure.ac +index 54bdbf1..aef07fb 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1,7 +1,7 @@ + dnl + define([AC_INIT_NOTICE], + [### Generated automatically using autoconf version] AC_ACVERSION [ +-### Copyright 2005-18 Steve Grubb ++### Copyright 2005-19 Steve Grubb + ### + ### Permission is hereby granted, free of charge, to any person obtaining a + ### copy of this software and associated documentation files (the "Software"), +@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote + AC_CHECK_FUNCS([posix_fallocate]) + dnl; signalfd is needed for libev + AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ]) ++dnl; check if rawmemchr is available ++AC_CHECK_FUNCS([rawmemchr]) ++dnl; check if strndupa is available ++AC_LINK_IFELSE( ++ [AC_LANG_SOURCE( ++ [[ ++ #define _GNU_SOURCE ++ #include ++ int main() { (void) strndupa("test", 10); return 0; }]])], ++ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])], ++ [] ++) + + ALLWARNS="" + ALLDEBUG="-g" +diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c +index 5d17a72..758c33e 100644 +--- a/src/ausearch-lol.c ++++ b/src/ausearch-lol.c +@@ -1,6 +1,6 @@ + /* + * ausearch-lol.c - linked list of linked lists library +-* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina. ++* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the +@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2) + return 0; + } + ++#ifndef HAVE_STRNDUPA ++static inline char *strndupa(const char *old, size_t n) ++{ ++ size_t len = strnlen(old, n); ++ char *tmp = alloca(len + 1); ++ tmp[len] = 0; ++ return memcpy(tmp, old, len); ++} ++#endif ++ + /* + * This function will look at the line and pick out pieces of it. + */ +-- +2.7.4 + diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/meta-openembedded/meta-oe/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch new file mode 100644 index 0000000000..740bcb5a7f --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch @@ -0,0 +1,57 @@ +From 3d13f92c1bb293523670ba01aea7e655b00a6709 Mon Sep 17 00:00:00 2001 +From: Li xin +Date: Sun, 19 Jul 2015 02:42:58 +0900 +Subject: [PATCH] audit: Fixed swig host contamination issue + +The audit build uses swig to generate a python wrapper. +Unfortunately, the swig info file references host include +directories. Some of these were previously noticed and +eliminated, but the one fixed here was not. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Anders Hedlund +Signed-off-by: Joe Slater +Signed-off-by: Yi Zhao +--- + bindings/swig/python3/Makefile.am | 3 ++- + bindings/swig/src/auditswig.i | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am +index dd9d934..61b486d 100644 +--- a/bindings/swig/python3/Makefile.am ++++ b/bindings/swig/python3/Makefile.am +@@ -22,6 +22,7 @@ + CONFIG_CLEAN_FILES = *.loT *.rej *.orig + AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS) + AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES) ++STDINC ?= /usr/include + LIBS = $(top_builddir)/lib/libaudit.la + SWIG_FLAGS = -python -py3 -modern + SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES) +@@ -36,7 +37,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi + _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la + nodist__audit_la_SOURCES = audit_wrap.c + audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i +- swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} ${srcdir}/../src/auditswig.i ++ swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) ${srcdir}/../src/auditswig.i + + CLEANFILES = audit.py* audit_wrap.c *~ + +diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i +index 21aafca..dd0f62c 100644 +--- a/bindings/swig/src/auditswig.i ++++ b/bindings/swig/src/auditswig.i +@@ -39,7 +39,7 @@ signed + #define __attribute(X) /*nothing*/ + typedef unsigned __u32; + typedef unsigned uid_t; +-%include "/usr/include/linux/audit.h" ++%include "linux/audit.h" + #define __extension__ /*nothing*/ + %include + %include "../lib/libaudit.h" +-- +2.17.1 + diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit/audit-volatile.conf b/meta-openembedded/meta-oe/recipes-security/audit/audit/audit-volatile.conf new file mode 100644 index 0000000000..9cbe1547a3 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-security/audit/audit/audit-volatile.conf @@ -0,0 +1 @@ +d /var/log/audit 0750 root root - diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd b/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd new file mode 100644 index 0000000000..6aa7f94751 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd @@ -0,0 +1,153 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: auditd +# Required-Start: $local_fs +# Required-Stop: $local_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Audit Daemon +# Description: Collects audit information from Linux 2.6 Kernels. +### END INIT INFO + +# Author: Philipp Matthias Hahn +# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init + +# June, 2012: Adopted for yocto + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/bin:/usr/sbin:/usr/bin +DESC="audit daemon" +NAME=auditd +DAEMON=/sbin/auditd +PIDFILE=/var/run/"$NAME".pid +SCRIPTNAME=/etc/init.d/"$NAME" + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME" + +. /etc/default/rcS + +. /etc/init.d/functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \ + || return 1 + start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \ + $EXTRAOPTIONS \ + || return 2 + if [ -f /etc/audit/audit.rules ] + then + /sbin/auditctl -R /etc/audit/audit.rules >/dev/null + fi +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME" + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f "$PIDFILE" + rm -f /var/run/audit_events + # Remove watches so shutdown works cleanly + case "$AUDITD_CLEAN_STOP" in + no|NO) ;; + *) /sbin/auditctl -D >/dev/null ;; + esac + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +if [ ! -e /var/log/audit ]; then + mkdir -p /var/log/audit + [ -x /sbin/restorecon ] && /sbin/restorecon -F $(readlink -f /var/log/audit) +fi + +case "$1" in + start) + [ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && echo 0 ;; + 2) [ "$VERBOSE" != no ] && echo 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && echo 0 ;; + 2) [ "$VERBOSE" != no ] && echo 1 ;; + esac + ;; + reload|force-reload) + echo "Reloading $DESC" "$NAME" + do_reload + echo $? + ;; + restart) + echo "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) echo 0 ;; + 1) echo 1 ;; # Old process is still running + *) echo 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + echo 1 + ;; + esac + ;; + rotate) + echo "Rotating $DESC logs" "$NAME" + start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME" + echo $? + ;; + status) + pidofproc "$DAEMON" >/dev/null + status=$? + if [ $status -eq 0 ]; then + echo "$NAME is running." + else + echo "$NAME is not running." + fi + exit $status + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2 + exit 3 + ;; +esac + +: diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd.service b/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd.service new file mode 100644 index 0000000000..06c63f0e5e --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-security/audit/audit/auditd.service @@ -0,0 +1,28 @@ +[Unit] +Description=Security Auditing Service +DefaultDependencies=no +After=local-fs.target systemd-tmpfiles-setup.service +Before=sysinit.target shutdown.target +Conflicts=shutdown.target +ConditionKernelCommandLine=!audit=0 + +[Service] +Type=forking +PIDFile=/run/auditd.pid +ExecStart=/sbin/auditd +## To use augenrules, uncomment the next line and comment/delete the auditctl line. +## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ +#ExecStartPost=-/sbin/augenrules --load +ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules +# By default we don't clear the rules on exit. +# To enable this, uncomment the next line. +#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules + +### Security Settings ### +MemoryDenyWriteExecute=true +LockPersonality=true +ProtectControlGroups=true +ProtectKernelModules=true + +[Install] +WantedBy=multi-user.target diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit_2.8.5.bb b/meta-openembedded/meta-oe/recipes-security/audit/audit_2.8.5.bb new file mode 100644 index 0000000000..ee3b3b5e08 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-security/audit/audit_2.8.5.bb @@ -0,0 +1,105 @@ +SUMMARY = "User space tools for kernel auditing" +DESCRIPTION = "The audit package contains the user space utilities for \ +storing and searching the audit records generated by the audit subsystem \ +in the Linux kernel." +HOMEPAGE = "http://people.redhat.com/sgrubb/audit/" +SECTION = "base" +LICENSE = "GPLv2+ & LGPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" + +SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \ + file://Add-substitue-functions-for-strndupa-rawmemchr.patch \ + file://Fixed-swig-host-contamination-issue.patch \ + file://auditd \ + file://auditd.service \ + file://audit-volatile.conf \ +" + +S = "${WORKDIR}/git" +SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c" + +inherit autotools python3native update-rc.d systemd + +UPDATERCPN = "auditd" +INITSCRIPT_NAME = "auditd" +INITSCRIPT_PARAMS = "defaults" + +SYSTEMD_PACKAGES = "auditd" +SYSTEMD_SERVICE_auditd = "auditd.service" + +DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native" + +EXTRA_OECONF += "--without-prelude \ + --with-libwrap \ + --enable-gssapi-krb5=no \ + --with-libcap-ng=yes \ + --with-python3=yes \ + --libdir=${base_libdir} \ + --sbindir=${base_sbindir} \ + --without-python \ + --without-golang \ + --disable-zos-remote \ + " +EXTRA_OECONF_append_arm = " --with-arm=yes" +EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes" + +EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ + PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ + pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ + STDINC='${STAGING_INCDIR}' \ + pkgconfigdir=${libdir}/pkgconfig \ + " + +SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher" +DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \ +interface to the audit system, audispd. These plugins can do things \ +like relay events to remote machines or analyze events for suspicious \ +behavior." + +PACKAGES =+ "audispd-plugins" +PACKAGES += "auditd ${PN}-python" + +FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*" +FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*" +FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \ + ${sysconfdir}/audisp/plugins.d/au-remote.conf \ + ${sbindir}/audisp-remote ${localstatedir}/spool/audit \ + " +FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" +FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" + +CONFFILES_auditd += "${sysconfdir}/audit/audit.rules" +RDEPENDS_auditd += "bash" + +do_install_append() { + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la + + # reuse auditd config + [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default + mv ${D}/etc/sysconfig/auditd ${D}/etc/default + rmdir ${D}/etc/sysconfig/ + + # replace init.d + install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd + rm -rf ${D}/etc/rc.d + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d/ + install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ + fi + + # install systemd unit files + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system + + # audit-2.5 doesn't install any rules by default, so we do that here + mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d + cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules + + chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d + chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules + + # Based on the audit.spec "Copy default rules into place on new installation" + cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules +} diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.1.bb b/meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.1.bb new file mode 100644 index 0000000000..ba24d360ed --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.1.bb @@ -0,0 +1,109 @@ +SUMMARY = "User space tools for kernel auditing" +DESCRIPTION = "The audit package contains the user space utilities for \ +storing and searching the audit records generated by the audit subsystem \ +in the Linux kernel." +HOMEPAGE = "http://people.redhat.com/sgrubb/audit/" +SECTION = "base" +LICENSE = "GPLv2+ & LGPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" + +SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master \ + file://Fixed-swig-host-contamination-issue.patch \ + file://auditd \ + file://auditd.service \ + file://audit-volatile.conf \ +" + +S = "${WORKDIR}/git" +SRCREV = "46cb7d92443c9ec7b3af15fb0baa65f65f6415d3" + +inherit autotools python3native update-rc.d systemd + +UPDATERCPN = "auditd" +INITSCRIPT_NAME = "auditd" +INITSCRIPT_PARAMS = "defaults" + +SYSTEMD_PACKAGES = "auditd" +SYSTEMD_SERVICE_auditd = "auditd.service" + +DEPENDS = "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native" + +EXTRA_OECONF = " --with-libwrap \ + --enable-gssapi-krb5=no \ + --with-libcap-ng=yes \ + --with-python3=yes \ + --libdir=${base_libdir} \ + --sbindir=${base_sbindir} \ + --without-python \ + --without-golang \ + --disable-zos-remote \ + --with-arm=yes \ + --with-aarch64=yes \ + " + +EXTRA_OEMAKE = "PYLIBVER='python${PYTHON_BASEVERSION}' \ + PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ + pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ + STDINC='${STAGING_INCDIR}' \ + pkgconfigdir=${libdir}/pkgconfig \ + " + +SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher" +DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \ +interface to the audit system, audispd. These plugins can do things \ +like relay events to remote machines or analyze events for suspicious \ +behavior." + +PACKAGES =+ "audispd-plugins" +PACKAGES += "auditd ${PN}-python" + +FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*" +FILES_auditd = "${bindir}/* ${base_sbindir}/* ${sysconfdir}/* ${datadir}/audit/*" +FILES_audispd-plugins = "${sysconfdir}/audit/audisp-remote.conf \ + ${sysconfdir}/audit/plugins.d/au-remote.conf \ + ${sysconfdir}/audit/plugins.d/syslog.conf \ + ${base_sbindir}/audisp-remote \ + ${base_sbindir}/audisp-syslog \ + ${localstatedir}/spool/audit \ + " +FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" +FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" + +CONFFILES_auditd = "${sysconfdir}/audit/audit.rules" +RDEPENDS_auditd = "bash" + +do_install_append() { + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la + + # reuse auditd config + [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default + mv ${D}/etc/sysconfig/auditd ${D}/etc/default + rmdir ${D}/etc/sysconfig/ + + # replace init.d + install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd + rm -rf ${D}/etc/rc.d + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + # install systemd unit files + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system + + install -d ${D}${sysconfdir}/tmpfiles.d/ + install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ + fi + + # audit-2.5 doesn't install any rules by default, so we do that here + mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d + cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules + + chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d + chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules + + # Based on the audit.spec "Copy default rules into place on new installation" + cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules + + # Create /var/spool/audit directory for audisp-remote + install -m 0700 -d ${D}${localstatedir}/spool/audit +} diff --git a/meta-openembedded/meta-oe/recipes-security/nmap/nmap_7.80.bb b/meta-openembedded/meta-oe/recipes-security/nmap/nmap_7.80.bb index c76d2324e7..17bc40911d 100644 --- a/meta-openembedded/meta-oe/recipes-security/nmap/nmap_7.80.bb +++ b/meta-openembedded/meta-oe/recipes-security/nmap/nmap_7.80.bb @@ -50,9 +50,11 @@ do_configure() { } do_install_append() { - if [ -f "${D}${bindir}/ndiff" ]; then - sed -i 's@^#!.*$@#!/usr/bin/env python3@g' ${D}${bindir}/ndiff - fi + for f in ndiff uninstall_ndiff; do + if [ -f ${D}${bindir}/$f ]; then + sed -i 's@^#!.*$@#!/usr/bin/env python3@g' ${D}${bindir}/$f + fi + done } FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR} ${datadir}/ncat" -- cgit v1.2.3