From d1d22e6713c601a72ff7329133cd86f30ac3d6ce Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 16 Oct 2020 10:14:32 -0500 Subject: meta-security: subtree update:d6baccc068..4c2f7ffd49 Adrian (1): gitignore added Armin Kuster (31): kas: build with ptest. remove apparmor softHSM: add pkg packagegroup-core-security: add softHSM libest: add recipe packagegroup-core-security: add libest package opendnssec: add recipe packagegroup-core-security: add opendnssec to pkg grp gitlab-ci: allow test to fail libseccomp: fix ptest failures. packagegroup-core-security-ptest: remove keyutils-ptest security-test-image: simplify packagegroup-core-security-ptest: remove apparmor: fix build issue with ptest enabled. security-test-image: tweak to get more tests to runn apparmor: update to 3.0 packagegroup-core-security: apparmor 3.0 ptest does not build suricata: fix compiling on gcc10 qemux86-test: add apparmor back apparmor: fix build for on musl ecryptfs-utils: fix musl build libest: fix musl build. sssd: update to latest ltm 1.16.5 packagegroup-core-security: remove clamav from musl image suricata: update to 4.1.9 kas: fixup alt configs gitlab-ci: add qemux86 and qemuarm64 musl builds tpm2-tss: update to 2.4.3 tpm2-totp: update to 0.2.1 tpm2-abrmd: update to 2.3.3 tpm2-tools: update to 4.3.0 tpm2-pkcs11: update to 1.4.0 Mingli Yu (1): scap-security-guide: add expat-native to DEPENDS Naveen Saini (3): initramfs-framework/dmverity: add retry loop for slow boot devices wic: add wks.in for intel dm-verity linux-%/5.x: Add dm-verity fragment as needed 
Signed-off-by: Andrew Geissler
Change-Id: If3a721fdd99bb6e35c82cf4e7485f06cebaef905
---
.../ecryptfs-utils/ecryptfs-utils_111.bb | 1 +
.../files/define_musl_sword_type.patch | 15 ++
.../recipes-security/libest/libest_3.2.0.bb | 27 +++
.../libseccomp/libseccomp_2.5.0.bb | 2 +-
.../opendnssec/files/fix_fprint.patch | 25 +++
.../opendnssec/files/libdns_conf_fix.patch | 217 +++++++++++++++++++++
.../opendnssec/files/libxml2_conf.patch | 112 +++++++++++
.../opendnssec/opendnssec_2.1.6.bb | 37 ++++
.../recipes-security/softHSM/softhsm_2.6.1.bb | 30 +++
...sing-defines-which-otherwise-are-availabl.patch | 32 +++
meta-security/recipes-security/sssd/sssd_1.16.4.bb | 126 ------------
meta-security/recipes-security/sssd/sssd_1.16.5.bb | 128 ++++++++++++
12 files changed, 625 insertions(+), 127 deletions(-)
create mode 100644 meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
create mode 100644 meta-security/recipes-security/libest/libest_3.2.0.bb
create mode 100644 meta-security/recipes-security/opendnssec/files/fix_fprint.patch
create mode 100644 meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
create mode 100644 meta-security/recipes-security/opendnssec/files/libxml2_conf.patch
create mode 100644 meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb
create mode 100644 meta-security/recipes-security/softHSM/softhsm_2.6.1.bb
create mode 100644 meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
delete mode 100644 meta-security/recipes-security/sssd/sssd_1.16.4.bb
create mode 100644 meta-security/recipes-security/sssd/sssd_1.16.5.bb
(limited to 'meta-security/recipes-security')
diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index d8cd06f8dc..4a99b5af48 100644
--- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -16,6 +16,7 @@ SRC_URI = "\
 file://ecryptfs-utils-CVE-2016-6224.patch \
 file://0001-avoid-race-condition.patch \
 file://ecryptfs.service \
+ file://define_musl_sword_type.patch \
 "
 SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
diff --git a/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
new file mode 100644
index 0000000000..3b29be038b
--- /dev/null
+++ b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
@@ -0,0 +1,15 @@
+Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+===================================================================
+--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c
++++ ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+@@ -45,6 +45,10 @@
+ #include
+ #include "../include/ecryptfs.h"
+
++#ifndef __SWORD_TYPE
++typedef __typeof__( ((struct statfs *)0)->f_type ) __SWORD_TYPE;
++#endif
++
+ /* Perhaps a future version of this program will allow these to be configurable
+ * by the system administrator (or user?) at run time. For now, these are set
+ * to reasonable values to reduce the burden of input validation.
diff --git a/meta-security/recipes-security/libest/libest_3.2.0.bb b/meta-security/recipes-security/libest/libest_3.2.0.bb
new file mode 100644
index 0000000000..f993bd65ec
--- /dev/null
+++ b/meta-security/recipes-security/libest/libest_3.2.0.bb
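Review bot: The new define_musl_sword_type.patch carries no Upstream-Status or Signed-off-by header, unlike the other patches added in this same commit (fix_fprint.patch, the sssd 0002 patch), and the layer's patch-status checks key on that tag; add `Upstream-Status: Pending` and a one-line reason above the `Index:` line. The typedef only derives `__SWORD_TYPE` from the type of `struct statfs`'s `f_type` member, and the `#ifndef` guard means glibc builds, where the macro already exists, are untouched, so this is a compatibility shim with no behavioural change to the mount helper. The `#include` line shown with no header name looks like rendering loss rather than a real edit, but it is worth confirming that the header declaring `struct statfs` is included before the typedef, because the `__typeof__` expression will not compile on musl otherwise.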
@@ -0,0 +1,27 @@
+SUMMARY = "EST is used for secure certificate \
+enrollment and is compatible with Suite B certs (as well as RSA \
+and DSA certificates)"
+
+LICENSE = "OpenSSL"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885"
+
+SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b"
+SRC_URI = "git://github.com/cisco/libest"
+
+DEPENDS = "openssl"
+
+#fatal error: execinfo.h: No such file or directory
+DEPENDS_append_libc-musl = " libexecinfo"
+
+inherit autotools-brokensep
+
+EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}"
+
+CFLAGS += "-fcommon"
+LDFLAGS_append_libc-musl = " -lexecinfo"
+
+S = "${WORKDIR}/git"
+
+PACKAGES = "${PN} ${PN}-dbg ${PN}-dev"
+
+FILES_${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
index 35365d5b43..0cf2d70b84 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
@@ -45,4 +45,4 @@ do_install_ptest() {
 FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*"
 FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug"
-RDEPENDS_${PN}-ptest = "bash"
+RDEPENDS_${PN}-ptest = "coreutils bash"
diff --git a/meta-security/recipes-security/opendnssec/files/fix_fprint.patch b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch
new file mode 100644
index 0000000000..da0bcfe740
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch
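Review bot: `SRC_URI = "git://github.com/cisco/libest"` fetches over the bare git:// protocol, which has no transport authentication (and which GitHub has since discontinued); use `SRC_URI = "git://github.com/cisco/libest;protocol=https"` so the clone is TLS-protected and the fetcher does not depend on an anonymous-git endpoint. The pinned SRCREV does guarantee the integrity of what is built, but the recipe calls itself 3.2.0 without a `PV` or a comment tying `4ca02c6d…` to the upstream 3.2.0 tag, so the version claim cannot be audited from the recipe alone; a comment such as `# SRCREV = upstream tag r3.2.0` (after verifying it) would fix that. `--disable-pthreads` is passed with no explanation, and for a library that performs TLS enrollment it is worth a one-line comment saying whether that is a build workaround or an intentional configuration.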
@@ -0,0 +1,25 @@
+format not a string literal and no format arguments
+
+missing module_str in call
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster
+
+../../../git/enforcer/src/keystate/keystate_ds.c:192:7: error: format not a string literal and no format arguments [-Werror=format-security]
+| 192 | ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds);
+| | ^~~~~~~~~~~~~~~~~~~~~~~~
+
+
+Index: git/enforcer/src/keystate/keystate_ds.c
+===================================================================
+--- git.orig/enforcer/src/keystate/keystate_ds.c
++++ git/enforcer/src/keystate/keystate_ds.c
+@@ -189,7 +189,7 @@ exec_dnskey_by_id(int sockfd, struct dbw
+ status = 0;
+ }
+ else {
+- ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds);
++ ods_log_error_and_printf(sockfd, module_str, "Failed to run %s", cp_ds);
+ status = 7;
+ }
+ }
diff --git a/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
new file mode 100644
index 0000000000..126e197f3c
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
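Review bot: This is a real format-string bug, not just a -Werror=format-security build break, and the patch header should say so: with `module_str` missing, the original call put the literal `"Failed to run %s"` in the module-name slot and `cp_ds` — by the message's own wording, the thing that was just run — in the printf format position, so any `%` sequence in that value would have been interpreted as a format directive (reads from the stack for `%s`/`%x`, and a write for `%n` on implementations that still honour it). The corrected line `ods_log_error_and_printf(sockfd, module_str, "Failed to run %s", cp_ds);` restores a literal format and is the right fix. Given `Upstream-Status: Pending`, please submit it upstream with that description; whether `cp_ds` is attacker-influenced depends on who can set the DS-submit command in the enforcer configuration, which is outside this hunk. The enclosing `exec_dnskey_by_id` begins before the hunk.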
@@ -0,0 +1,217 @@ +Configure does not work with OE pkg-config for the ldns option + +Upstream-Status: OE specific + +Signed-off-by: Armin Kuster + +Index: opendnssec-2.1.6/m4/acx_ldns.m4 +=================================================================== +--- opendnssec-2.1.6.orig/m4/acx_ldns.m4 ++++ opendnssec-2.1.6/m4/acx_ldns.m4 +@@ -1,128 +1,65 @@ +-AC_DEFUN([ACX_LDNS],[ +- AC_ARG_WITH(ldns, +- [AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])], +- [ +- LDNS_PATH="$withval" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin) +- ],[ +- LDNS_PATH="/usr/local" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH) +- ]) +- +- if test -x "$LDNS_CONFIG" +- then +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="`$LDNS_CONFIG --libs`" +- AC_MSG_RESULT($LDNS_LIBS) +- else +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="-I$LDNS_PATH/include" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="-L$LDNS_PATH/lib -lldns" +- AC_MSG_RESULT($LDNS_LIBS) +- fi +- +- tmp_CPPFLAGS=$CPPFLAGS +- tmp_LIBS=$LIBS +- +- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES" +- LIBS="$LIBS $LDNS_LIBS" +- +- AC_CHECK_LIB(ldns, ldns_rr_new,,[AC_MSG_ERROR([Can't find ldns library])]) +- LIBS=$tmp_LIBS +- +- AC_MSG_CHECKING([for ldns version]) +- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3) +- AC_LANG_PUSH([C]) +- AC_RUN_IFELSE([ +- AC_LANG_SOURCE([[ +- #include +- int main() +- { +- #ifdef LDNS_REVISION +- if (LDNS_REVISION >= $CHECK_LDNS_VERSION) +- return 0; +- #endif +- return 1; +- } +- ]]) +- ],[ +- AC_MSG_RESULT([>= $1.$2.$3]) +- ],[ +- AC_MSG_RESULT([< $1.$2.$3]) +- AC_MSG_ERROR([ldns library too old ($1.$2.$3 or later required)]) +- ],[]) +- AC_LANG_POP([C]) ++#serial 11 + +- CPPFLAGS=$tmp_CPPFLAGS +- +- AC_SUBST(LDNS_INCLUDES) +- 
AC_SUBST(LDNS_LIBS) +-]) +- +- +-AC_DEFUN([ACX_LDNS_NOT],[ +- AC_ARG_WITH(ldns, +- [AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])], +- [ +- LDNS_PATH="$withval" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin) +- ],[ +- LDNS_PATH="/usr/local" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH) +- ]) +- +- if test -x "$LDNS_CONFIG" +- then +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="`$LDNS_CONFIG --libs`" +- AC_MSG_RESULT($LDNS_LIBS) +- else +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="-I$LDNS_PATH/include" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="-L$LDNS_PATH/lib -lldns" +- AC_MSG_RESULT($LDNS_LIBS) +- fi +- +- tmp_CPPFLAGS=$CPPFLAGS +- +- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES" +- +- AC_MSG_CHECKING([for ldns version not $1.$2.$3]) +- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3) +- AC_LANG_PUSH([C]) +- AC_RUN_IFELSE([ +- AC_LANG_SOURCE([[ +- #include +- int main() +- { +- #ifdef LDNS_REVISION +- if (LDNS_REVISION != $CHECK_LDNS_VERSION) +- return 0; +- #endif +- return 1; +- } +- ]]) +- ],[ +- AC_MSG_RESULT([ok]) +- ],[ +- AC_MSG_RESULT([no]) +- AC_MSG_ERROR([ldns version $1.$2.$3 is not compatible due to $4]) +- ],[]) +- AC_LANG_POP([C]) +- +- CPPFLAGS=$tmp_CPPFLAGS ++AU_ALIAS([CHECK_LDNS], [ACX_LDNS]) ++AC_DEFUN([ACX_LDNS], [ ++ found=false ++ AC_ARG_WITH([ldns], ++ [AS_HELP_STRING([--with-ldns=DIR], ++ [root of the lnds directory])], ++ [ ++ case "$withval" in ++ "" | y | ye | yes | n | no) ++ AC_MSG_ERROR([Invalid --with-lnds value]) ++ ;; ++ *) ldnsdirs="$withval" ++ ;; ++ esac ++ ], [ ++ # if pkg-config is installed and lnds has installed a .pc file, ++ # then use that information and don't search ldnsdirs ++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config]) ++ if test 
x"$PKG_CONFIG" != x""; then ++ OPENSSL_LDFLAGS=`$PKG_CONFIG ldns --libs-only-L 2>/dev/null` ++ if test $? = 0; then ++ LDNS_LIBS=`$PKG_CONFIG ldns --libs-only-l 2>/dev/null` ++ LDNS_INCLUDES=`$PKG_CONFIG ldns --cflags-only-I 2>/dev/null` ++ found=true ++ fi ++ fi ++ ++ # no such luck; use some default ldnsdirs ++ if ! $found; then ++ ldnsdirs="/usr/local/ldns /usr/lib/ldns /usr/ldns /usr/local /usr" ++ fi ++ ] ++ ) ++ ++ ++ if ! $found; then ++ LDNS_INCLUDES= ++ for ldnsdir in $ldnsdirs; do ++ AC_MSG_CHECKING([for LDNS in $ldnsdir]) ++ if test -f "$ldnsdir/include/ldns/dnssec.h"; then ++ LDNS_INCLUDES="-I$ldnsdir/include" ++ LDNS_LDFLAGS="-L$ldnsdir/lib" ++ LDNS_LIBS="-lldns" ++ found=true ++ AC_MSG_RESULT([yes]) ++ break ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ done ++ ++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe ++ # it will just work! ++ fi ++ ++ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS" ++ LIBS="$LDNS_LIBS $LIBS" ++ CPPFLAGS="$LDNS_INCLUDES $CPPFLAGS" ++ ++ AC_SUBST([LDNS_INCLUDES]) ++ AC_SUBST([LDNS_LIBS]) ++ AC_SUBST([LDNS_LDFLAGS]) + ]) +Index: opendnssec-2.1.6/configure.ac +=================================================================== +--- opendnssec-2.1.6.orig/configure.ac ++++ opendnssec-2.1.6/configure.ac +@@ -138,9 +138,7 @@ AC_CHECK_MEMBER([struct sockaddr_un.sun_ + + # common dependencies + ACX_LIBXML2 +-ACX_LDNS(1,6,17) +-ACX_LDNS_NOT(1,6,14, [binary incompatibility, see http://open.nlnetlabs.nl/pipermail/ldns-users/2012-October/000564.html]) +-ACX_LDNS_NOT(1,6,15, [fail to create NSEC3 bitmap for empty non-terminals, see http://www.nlnetlabs.nl/pipermail/ldns-users/2012-November/000565.html]) ++ACX_LDNS(1.6.17) + ACX_PKCS11_MODULES + ACX_RT + ACX_LIBC diff --git a/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch new file mode 100644 index 0000000000..b4ed4306da --- /dev/null 
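Review bot: The rewritten `ACX_LDNS` silently drops the version gate: `configure.ac` now calls `ACX_LDNS(1.6.17)` but the new macro never reads `$1`, and the removed `AC_RUN_IFELSE` check (`LDNS_REVISION >= 0x010611`) plus the two `ACX_LDNS_NOT` exclusions for 1.6.14 (binary incompatibility) and 1.6.15 (wrong NSEC3 bitmap for empty non-terminals — a signing-correctness bug) are gone with no replacement, so a build against a too-old or known-bad ldns now configures cleanly. Since the new path is pkg-config driven, `PKG_CHECK_MODULES([LDNS], [ldns >= 1.6.17])` in the pkg-config branch restores the floor in one line, and keeping the old `AC_CHECK_LIB(ldns, ldns_rr_new,,[AC_MSG_ERROR([Can't find ldns library])])` would replace the new "go ahead and try the link anyway" comment with an actual check. Separately, the pkg-config branch stores the `-L` flags in `OPENSSL_LDFLAGS` (apparently copied from an openssl macro) while `LDNS_LDFLAGS` is only assigned in the directory-scan fallback, so `AC_SUBST([LDNS_LDFLAGS])` is empty whenever pkg-config succeeds and the `OPENSSL_LDFLAGS` name may collide with whatever the real openssl check sets; rename it to `LDNS_LDFLAGS`. The help text also says `lnds` in two places.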
+++ b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch 
@@ -0,0 +1,112 @@ +configure does not work with OE pkg-config for the libxml2 option + +Upstream-Status: OE specific + +Signed-off-by: Armin Kuster + +Index: opendnssec-2.1.6/m4/acx_libxml2.m4 +=================================================================== +--- opendnssec-2.1.6.orig/m4/acx_libxml2.m4 ++++ opendnssec-2.1.6/m4/acx_libxml2.m4 +@@ -1,37 +1,67 @@ ++#serial 11 ++AU_ALIAS([CHECK_XML2], [ACX_LIBXML2]) + AC_DEFUN([ACX_LIBXML2],[ +- AC_ARG_WITH(libxml2, +- [AS_HELP_STRING([--with-libxml2=DIR],[look for libxml2 in this dir])], +- [ +- XML2_PATH="$withval" +- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $XML2_PATH/bin) +- ],[ +- XML2_PATH="/usr/local" +- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $PATH) +- ]) +- if test -x "$XML2_CONFIG" +- then +- AC_MSG_CHECKING(what are the xml2 includes) +- XML2_INCLUDES="`$XML2_CONFIG --cflags`" +- AC_MSG_RESULT($XML2_INCLUDES) +- +- AC_MSG_CHECKING(what are the xml2 libs) +- XML2_LIBS="`$XML2_CONFIG --libs`" +- AC_MSG_RESULT($XML2_LIBS) +- +- tmp_CPPFLAGS=$CPPFLAGS +- tmp_LIBS=$LIBS +- +- CPPFLAGS="$CPPFLAGS $XML2_INCLUDES" +- LIBS="$LIBS $XML2_LIBS" +- +- AC_CHECK_LIB(xml2, xmlDocGetRootElement,,[AC_MSG_ERROR([Can't find libxml2 library])]) +- +- CPPFLAGS=$tmp_CPPFLAGS +- LIBS=$tmp_LIBS +- else +- AC_MSG_ERROR([libxml2 required, but not found.]) +- fi ++ found=false ++ AC_ARG_WITH([libxml2], ++ [AS_HELP_STRING([--with-libxml2=DIR], ++ [root of the libxml directory])], ++ [ ++ case "$withval" in ++ "" | y | ye | yes | n | no) ++ AC_MSG_ERROR([Invalid --with-libxml2 value]) ++ ;; ++ *) xml2dirs="$withval" ++ ;; ++ esac ++ ], [ ++ # if pkg-config is installed and openssl has installed a .pc file, ++ # then use that information and don't search ssldirs ++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config]) ++ if test x"$PKG_CONFIG" != x""; then ++ XML2_LDFLAGS=`$PKG_CONFIG libxml-2.0 --libs-only-L 2>/dev/null` ++ if test $? 
= 0; then ++ XML2_LIBS=`$PKG_CONFIG libxml-2.0 --libs-only-l 2>/dev/null` ++ XML2_INCLUDES=`$PKG_CONFIG libxml-2.0 --cflags-only-I 2>/dev/null` ++ found=true ++ fi ++ fi + +- AC_SUBST(XML2_INCLUDES) +- AC_SUBST(XML2_LIBS) ++ # no such luck; use some default ssldirs ++ if ! $found; then ++ xml2dirs="/usr/local/libxml /usr/lib/libxml /usr/libxml /usr/pkg /usr/local /usr" ++ fi ++ ] ++ ) ++ ++ ++ # note that we #include , so the libxml2 headers have to be in ++ # an 'libxml' subdirectory ++ ++ if ! $found; then ++ XML2_INCLUDES= ++ for xml2dir in $xml2dirs; do ++ AC_MSG_CHECKING([for XML2 in $xml2dir]) ++ if test -f "$xml2dir/include/libxml2/libxml/tree.h"; then ++ XML2_INCLUDES="-I$xml2dir/include/libxml2" ++ XML2_LDFLAGS="-L$xml2dir/lib" ++ XML2_LIBS="-lxml2" ++ found=true ++ AC_MSG_RESULT([yes]) ++ break ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ done ++ ++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe ++ # it will just work! ++ fi ++ ++ LDFLAGS="$LDFLAGS $XML2_LDFLAGS" ++ LIBS="$XML2_LIBS $LIBS" ++ CPPFLAGS="$XML2_INCLUDES $CPPFLAGS" ++ ++ AC_SUBST(XML2_INCLUDES) ++ AC_SUBST(XML2_LIBS) ++ AC_SUBST(XML2_LDFLAGS) + ]) diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb new file mode 100644 index 0000000000..5e42ca8f74 --- /dev/null +++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb 
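Review bot: The new `ACX_LIBXML2` no longer verifies that libxml2 actually links: the old `AC_CHECK_LIB(xml2, xmlDocGetRootElement,,[AC_MSG_ERROR([Can't find libxml2 library])])` and the `libxml2 required, but not found.` error are removed, and the replacement comment explicitly says to "try the link anyway", so a missing or unusable libxml2 now surfaces as a late link failure instead of a configure error. Re-adding that one `AC_CHECK_LIB` line after `LIBS="$XML2_LIBS $LIBS"` restores the check with no other change. The comments in the pkg-config branch still talk about "openssl", ".pc file" from openssl and "ssldirs", which is misleading in a libxml2 macro; something like `# prefer pkg-config's libxml-2.0 data and skip the xml2dirs scan` says what the code does. Note also that the accompanying recipe passes `--with-libxml2=...`, which takes the directory-scan branch and never exercises the pkg-config path this patch was written for.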
@@ -0,0 +1,37 @@
+SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones"
+
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937"
+
+DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml "
+
+SRC_URI = "git://github.com/opendnssec/opendnssec;branch=develop \
+ file://libxml2_conf.patch \
+ file://libdns_conf_fix.patch \
+ file://fix_fprint.patch \
+ "
+
+SRCREV = "5876bccb38428790e2e9afc806ca68b029879874"
+
+inherit autotools pkgconfig perlnative
+
+S = "${WORKDIR}/git"
+
+EXTRA_OECONF = " --with-libxml2=${STAGING_DIR_HOST}/usr --with-ldns=${STAGING_DIR_HOST}/usr \
+ --with-ssl=${STAGING_DIR_HOST}/usr "
+
+CFLAGS += "-fcommon"
+
+PACKAGECONFIG ?= "sqlite3"
+
+PACKAGECONFIG[cunit] = "--with-cunit=${STAGING_DIR_HOST}/usr, --without-cunit,"
+PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_DIR_HOST}/usr, ,sqlite3, sqlite3"
+PACKAGECONFIG[mysql] = "--with-mysql=yes, , mariadb, mariadb"
+PACKAGECONFIG[readline] = "--with-readline, --without-readline, readline"
+PACKAGECONFIG[unwind] = "--with-libunwind, --without-libunwind"
+
+do_install_append () {
+ rm -rf ${D}${localstatedir}/run
+}
+
+RDEPENDS_${PN} = "softhsm"
diff --git a/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb b/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb
new file mode 100644
index 0000000000..74e837aa5e
--- /dev/null
+++ b/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb
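Review bot: `SRC_URI = "git://github.com/opendnssec/opendnssec;branch=develop ..."` pairs a recipe named 2.1.6 with the unauthenticated git:// transport and the `develop` branch, so the fetch has no transport integrity and nothing in the recipe ties SRCREV `5876bccb…` to the 2.1.6 release; use `git://github.com/opendnssec/opendnssec;protocol=https;branch=develop` and add a comment naming the tag that commit corresponds to, or fetch the release tarball with a `SRC_URI[sha256sum]` the way the softhsm recipe in this commit does. `EXTRA_OECONF` passes `--with-libxml2=${STAGING_DIR_HOST}/usr --with-ldns=${STAGING_DIR_HOST}/usr`, which sends both bundled configure patches down their directory-scan branch and bypasses the pkg-config path they were written for, even though the recipe inherits `pkgconfig`; dropping those two flags would exercise the intended path. `LICENSE = "BSD"` is the ambiguous generic identifier while `LIC_FILES_CHKSUM` already pins the exact license text, so naming the variant (e.g. `BSD-2-Clause`, after reading the file) is cheap. `PACKAGECONFIG[mysql]` has no disable flag in its second field, so deselecting it leaves configure to autodetect a MySQL client on the build host; add `--without-mysql` there if the option exists.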
@@ -0,0 +1,30 @@
+SUMMARY = "SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface."
+HOMEPAGE = "www.opendnssec.org"
+
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210"
+
+DEPENDS = "sqlite3"
+
+SRC_URI = "https://dist.opendnssec.org/source/softhsm-2.6.1.tar.gz"
+SRC_URI[sha256sum] = "61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2"
+
+inherit autotools pkgconfig siteinfo
+
+EXTRA_OECONF += " --with-sqlite3=${STAGING_DIR_HOST}/usr"
+EXTRA_OECONF += "${@oe.utils.conditional('SITEINFO_BITS', '64', ' --enable-64bit', '', d)}"
+
+PACKAGECONFIG ?= "pk11 openssl"
+
+PACKAGECONFIG[npm] = ",--disable-non-paged-memory"
+PACKAGECONFIG[ecc] = "--enable-ecc,--disable-ecc"
+PACKAGECONFIG[gost] = "--enable-gost,--disable-gost"
+PACKAGECONFIG[eddsa] = "--enable-eddsa, --disable-eddsa"
+PACKAGECONFIG[fips] = "--enable-fips, --disable-fips"
+PACKAGECONFIG[notvisable] = "--disable-visibility"
+PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr --with-crypto-backend=openssl, --without-openssl, openssl, openssl"
+PACKAGECONFIG[botan] = "--with-botan=${STAGING_DIR_HOST}/usr --with-crypto-backend=botan, --without-botan, botan"
+PACKAGECONFIG[migrate] = "--with-migrate"
+PACKAGECONFIG[pk11] = "--enable-p11-kit --with-p11-kit==${STAGING_DIR_HOST}/usr, --without-p11-kit, p11-kit, p11-kit"
+
+RDEPENDS_${PN} = "sqlite3"
diff --git a/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
new file mode 100644
index 0000000000..1a22332094
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
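Review bot: With `PACKAGECONFIG ?= "pk11 openssl"` the `npm` feature is off by default, and `PACKAGECONFIG[npm] = ",--disable-non-paged-memory"` then passes `--disable-non-paged-memory` to configure, so the default build gives up SoftHSM's locked memory, which is intended to keep key material from being paged to swap; if that is deliberate (e.g. mlock limits on small targets) record it in a comment, otherwise make the default `PACKAGECONFIG ?= "pk11 openssl npm"`. The pk11 line has a typo, `--with-p11-kit==${STAGING_DIR_HOST}/usr`, which hands configure the value `=<staging>/usr`; it should read `--enable-p11-kit --with-p11-kit=${STAGING_DIR_HOST}/usr`. `PACKAGECONFIG[fips]` is offered with no note that it needs a FIPS-capable crypto backend, which a short comment would prevent from being a surprising configure failure. `HOMEPAGE = "www.opendnssec.org"` is missing its scheme.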
@@ -0,0 +1,32 @@
+From 37a0999e5a9f54e1c61a02a7fbab6fcd04738b3c Mon Sep 17 00:00:00 2001
+From: Armin Kuster
+Date: Thu, 8 Oct 2020 05:54:13 -0700
+Subject: [PATCH] Provide missing defines which otherwise are available on
+ glibc system headers
+
+Signed-off-by: Armin Kuster
+
+Upsteam-Status: Pending
+
+---
+ src/util/util.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/util/util.h b/src/util/util.h
+index 8a754dbfd..6e55b4bdc 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -76,6 +76,10 @@
+ #define MAX(a, b) (((a) > (b)) ? (a) : (b))
+ #endif
+
++#ifndef ALLPERMS
++# define ALLPERMS (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)/* 07777 */
++#endif
++
+ #define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS
+
+ #define SSSD_SERVER_OPTS(uid, gid) \
+--
+2.17.1
+
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
deleted file mode 100644
index e54fa98e97..0000000000
--- a/meta-security/recipes-security/sssd/sssd_1.16.4.bb
+++ /dev/null
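Review bot: The header tag is misspelled as `Upsteam-Status: Pending`, so tooling that greps for `Upstream-Status:` will flag this patch as untagged; change it to `Upstream-Status: Pending` and, ideally, name the musl header gap it works around. The added `ALLPERMS` mask is guarded by `#ifndef` and, by its own `/* 07777 */` comment, mirrors the glibc value, so it is inert on glibc and only fills the definition on musl. The subject says "missing defines" in the plural while only `ALLPERMS` is added; the wording could match.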
@@ -1,126 +0,0 @@ -SUMMARY = "system security services daemon" -DESCRIPTION = "SSSD is a system security services daemon" -HOMEPAGE = "https://pagure.io/SSSD/sssd/" -SECTION = "base" -LICENSE = "GPLv3+" -LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" - -DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" -DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent" - -# If no crypto has been selected, default to DEPEND on nss, since that's what -# sssd will pick if no active choice is made during configure -DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \ - bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}" - -SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \ - file://sssd.conf \ - file://volatiles.99_sssd \ - file://fix-ldblibdir.patch \ - file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \ - file://0001-nss-Collision-with-external-nss-symbol.patch \ - " - -SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50" -SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959" - -inherit autotools pkgconfig gettext python3-dir features_check systemd - -REQUIRED_DISTRO_FEATURES = "pam" - -SSSD_UID ?= "root" -SSSD_GID ?= "root" - -CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ - ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ - " - -PACKAGECONFIG ?="nss nscd autofs sudo infopipe" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" - -PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" -PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto" -PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" -PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, " -PACKAGECONFIG[manpages] = "--with-manpages, 
--with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" -PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" -PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " -PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss," -PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings" -PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" -PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" -PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " -PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, " -PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv" - -EXTRA_OECONF += " \ - --disable-cifs-idmap-plugin \ - --without-nfsv4-idmapd-plugin \ - --without-ipa-getkeytab \ - --without-python2-bindings \ - --enable-pammoddir=${base_libdir}/security \ - --without-python2-bindings \ - --without-secrets \ - --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ -" - -do_configure_prepend() { - mkdir -p ${AUTOTOOLS_AUXDIR}/build - cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/ - - # libresove has host path, remove it - sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4 -} - -do_install () { - oe_runmake install DESTDIR="${D}" - rmdir --ignore-fail-on-non-empty "${D}/${bindir}" - install -d ${D}/${sysconfdir}/${BPN} - install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN} - install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d - echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf - fi - - # Remove /var/run as it is created on startup - rm -rf ${D}${localstatedir}/run - - rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* -} - -pkg_postinst_ontarget_${PN} () { -if [ -e /etc/init.d/populate-volatile.sh ] ; 
then - ${sysconfdir}/init.d/populate-volatile.sh update -fi - chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf -} - -CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf" - -INITSCRIPT_NAME = "sssd" -INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ." -SYSTEMD_SERVICE_${PN} = " \ - ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \ - sssd-nss.service \ - sssd-nss.socket \ - sssd-pam-priv.socket \ - sssd-pam.service \ - sssd-pam.socket \ - sssd.service \ -" -SYSTEMD_AUTO_ENABLE = "disable" - -FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so" -FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la" - -# The package contains symlinks that trip up insane -INSANE_SKIP_${PN} = "dev-so" - -RDEPENDS_${PN} = "bind dbus libldb libpam" diff --git a/meta-security/recipes-security/sssd/sssd_1.16.5.bb b/meta-security/recipes-security/sssd/sssd_1.16.5.bb new file mode 100644 index 0000000000..9784ec77d8 --- /dev/null +++ b/meta-security/recipes-security/sssd/sssd_1.16.5.bb 
@@ -0,0 +1,128 @@ +SUMMARY = "system security services daemon" +DESCRIPTION = "SSSD is a system security services daemon" +HOMEPAGE = "https://pagure.io/SSSD/sssd/" +SECTION = "base" +LICENSE = "GPLv3+" +LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" + +DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" +DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent" + +DEPENDS_append_libc-musl = " musl-nscd" + +# If no crypto has been selected, default to DEPEND on nss, since that's what +# sssd will pick if no active choice is made during configure +DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \ + bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}" + +SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \ + file://sssd.conf \ + file://volatiles.99_sssd \ + file://fix-ldblibdir.patch \ + file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \ + file://0001-nss-Collision-with-external-nss-symbol.patch \ + file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \ + " + +SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0" + +inherit autotools pkgconfig gettext python3-dir features_check systemd + +REQUIRED_DISTRO_FEATURES = "pam" + +SSSD_UID ?= "root" +SSSD_GID ?= "root" + +CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ + ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ + " + +PACKAGECONFIG ?="nss nscd autofs sudo infopipe" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" + +PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" +PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto" +PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" +PACKAGECONFIG[infopipe] = "--with-infopipe, 
--with-infopipe=no, " +PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" +PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" +PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " +PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss," +PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings" +PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" +PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" +PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " +PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, " +PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv" + +EXTRA_OECONF += " \ + --disable-cifs-idmap-plugin \ + --without-nfsv4-idmapd-plugin \ + --without-ipa-getkeytab \ + --without-python2-bindings \ + --enable-pammoddir=${base_libdir}/security \ + --without-python2-bindings \ + --without-secrets \ + --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ +" + +do_configure_prepend() { + mkdir -p ${AUTOTOOLS_AUXDIR}/build + cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/ + + # libresove has host path, remove it + sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4 +} + +do_install () { + oe_runmake install DESTDIR="${D}" + rmdir --ignore-fail-on-non-empty "${D}/${bindir}" + install -d ${D}/${sysconfdir}/${BPN} + install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN} + install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf + fi + + # Remove /var/run as it is created on startup + rm -rf ${D}${localstatedir}/run + + rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* +} + 
+pkg_postinst_ontarget_${PN} () { +if [ -e /etc/init.d/populate-volatile.sh ] ; then + ${sysconfdir}/init.d/populate-volatile.sh update +fi + chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf +} + +CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf" + +INITSCRIPT_NAME = "sssd" +INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ." +SYSTEMD_SERVICE_${PN} = " \ + ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \ + sssd-nss.service \ + sssd-nss.socket \ + sssd-pam-priv.socket \ + sssd-pam.service \ + sssd-pam.socket \ + sssd.service \ +" +SYSTEMD_AUTO_ENABLE = "disable" + +FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so" +FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la" + +# The package contains symlinks that trip up insane +INSANE_SKIP_${PN} = "dev-so" + +RDEPENDS_${PN} = "bind dbus libldb libpam" -- cgit v1.2.3
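Review bot: `RDEPENDS_${PN} = "bind dbus libldb libpam"` pulls the full BIND server package onto every image just to provide `nsupdate` for dynamic DNS updates, which is a large network-facing attack surface for a client helper; oe-core's bind recipe packages the client tools separately as `bind-utils`, so `RDEPENDS_${PN} = "bind-utils dbus libldb libpam"` should be enough (confirm which package carries nsupdate in the bind version your layers ship). Related, `CACHED_CONFIGUREVARS` sets `ac_cv_path_NSUPDATE=${bindir}`, i.e. the directory rather than `${bindir}/nsupdate`; if sssd execs that cached path directly the dyndns update will fail at runtime, so check what its configure expects there. The tmpfiles entry `d /var/log/sssd 0750 - - - -` leaves owner and group at root while `SSSD_UID`/`SSSD_GID` are overridable, so a non-root configuration would get an unwritable log directory; `d /var/log/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -` keeps them in step. `--without-python2-bindings` appears twice in `EXTRA_OECONF`. None of these are introduced by the bump — they are carried over from the deleted 1.16.4 recipe — but the version move is the natural place to fix them.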