Re: [yocto] any interest in an official "meta-rubygems" layer?

2021-01-27 Thread Armin Kuster


On 1/27/21 12:04 PM, Robert P. J. Day wrote:
>   regarding the proposed "meta-rubygems" layer --- which sounds like
> it's going to take off as it can be initialized quite a lot just from
> konrad's existing meta-sca layer, what are the options for "official"
> YP hosting?
>
>   i notice that quite a number of layers live at git.yoctoproject.org
> -- would this proposed layer even be eligible for that and, if so,
> what are the benefits of living under the git.YP.org umbrella?
Are you a member of the Yocto Project?

regards,
Armin

>
>   if not there, then github would be the obvious alternative.
> thoughts?
>
> rday
>
> 
>


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#52124): https://lists.yoctoproject.org/g/yocto/message/52124
Mute This Topic: https://lists.yoctoproject.org/mt/80151914/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [yocto] any interest in an official "meta-rubygems" layer?

2021-01-27 Thread Armin Kuster


On 1/27/21 1:29 PM, Robert P. J. Day wrote:
> On Wed, 27 Jan 2021, Armin Kuster wrote:
>
>>
>> On 1/27/21 12:04 PM, Robert P. J. Day wrote:
>>>   regarding the proposed "meta-rubygems" layer --- which sounds like
>>> it's going to take off as it can be initialized quite a lot just from
>>> konrad's existing meta-sca layer, what are the options for "official"
>>> YP hosting?
>>>
>>>   i notice that quite a number of layers live at git.yoctoproject.org
>>> -- would this proposed layer even be eligible for that and, if so,
>>> what are the benefits of living under the git.YP.org umbrella?
>> Are you a member of the Yocto Project?
>   i personally am not, so i suspect github is the option.


Regardless of its home, there seems to be interest in such a layer.
There is nothing stopping you from registering the layer in the layer
index and seeing where it goes from there.

Ruby was part of meta-openembedded. Maybe OE would want to host such a
layer or include it within meta-openembedded.


-armin
>
> rday



View/Reply Online (#52127): https://lists.yoctoproject.org/g/yocto/message/52127



[yocto] [meta-security][PATCH 2/2] lkrg-module: Add Linux Kernel Runtime Guard

2021-04-13 Thread Armin Kuster
For more info see: https://github.com/openwall/lkrg

Add to local.conf:
IMAGE_INSTALL_append = " kernel-module-lkrg"

Need these kconfig options enabled:
CONFIG_KALLSYMS_ALL=y
CONFIG_JUMP_LABEL=y
CONFIG_DEBUG_KERNEL=y

To invoke module:

sudo insmod {path-to-modules}/p_lkrg.ko kint_enforce=1

Signed-off-by: Armin Kuster 
---
 .../lkrg/files/makefile_cleanup.patch | 73 +++
 recipes-kernel/lkrg/lkrg-module_0.9.0.bb  | 33 +
 2 files changed, 106 insertions(+)
 create mode 100644 recipes-kernel/lkrg/files/makefile_cleanup.patch
 create mode 100644 recipes-kernel/lkrg/lkrg-module_0.9.0.bb

diff --git a/recipes-kernel/lkrg/files/makefile_cleanup.patch 
b/recipes-kernel/lkrg/files/makefile_cleanup.patch
new file mode 100644
index 000..106dc3f
--- /dev/null
+++ b/recipes-kernel/lkrg/files/makefile_cleanup.patch
@@ -0,0 +1,73 @@
+Upstream-Status: Pending
+
+This needs more work. Its my starting point.
+
+Signed-off-by: Armin Kuster 
+
+Index: lkrg-0.9.0/Makefile
+===
+--- lkrg-0.9.0.orig/Makefile
 lkrg-0.9.0/Makefile
+@@ -4,28 +4,10 @@
+ # Author:
+ #  - Adam 'pi3' Zabrocki (http://pi3.com.pl)
+ ##
+-
+-P_OUTPUT = output
+ P_PWD ?= $(shell pwd)
+-P_KVER ?= $(shell uname -r)
+-P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh
+-TARGET := p_lkrg
+-ifneq ($(KERNELRELEASE),)
+-KERNEL := /lib/modules/$(KERNELRELEASE)/build
+-else
+-## KERNELRELEASE not set.
+-KERNEL := /lib/modules/$(P_KVER)/build
+-endif
+-
+-#
+-# Uncomment for debug compilation
+-#
+-# ccflags-m := -ggdb -DP_LKRG_DEBUG_BUILD -finstrument-functions
+-# ccflags-y := ${ccflags-m}
+-# p_lkrg-objs += src/modules/print_log/p_lkrg_debug_log.o
+ 
+-obj-m += $(TARGET).o
+-$(TARGET)-objs += src/modules/ksyms/p_resolve_ksym.o \
++obj-m := p_lkrg.o
++p_lkrg-y := src/modules/ksyms/p_resolve_ksym.o \
+   src/modules/hashing/p_lkrg_fast_hash.o \
+   src/modules/comm_channel/p_comm_channel.o \
+   src/modules/integrity_timer/p_integrity_timer.o \
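Review bot: deleting `P_KVER` and `KERNEL` without giving `KERNEL_SRC` a default leaves the Makefile unbuildable outside BitBake; since the header says this patch is a starting point, keep a fallback such as `KERNEL_SRC ?= /lib/modules/$(shell uname -r)/build`, which module.bbclass overrides anyway by passing `KERNEL_SRC=${STAGING_KERNEL_DIR}` in EXTRA_OEMAKE. With that one line the `obj-m`/`p_lkrg-y` rewrite in this hunk is a plain kbuild cleanup that could go upstream, which is what `Upstream-Status: Pending` promises. The commented-out debug build lines (`ccflags-m := -ggdb -DP_LKRG_DEBUG_BUILD ...`) are harmless documentation and did not need to go.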
+@@ -91,23 +73,14 @@ $(TARGET)-objs += src/modules/ksyms/p_re
+   src/p_lkrg_main.o
+ 
+ 
+-all:
+-# $(MAKE) -C $(KERNEL) M=$(P_PWD) modules CONFIG_DEBUG_SECTION_MISMATCH=y
+-  $(MAKE) -C $(KERNEL) M=$(P_PWD) modules
+-  mkdir -p $(P_OUTPUT)
+-  cp $(P_PWD)/$(TARGET).ko $(P_OUTPUT)
+-
+-install:
+-  $(MAKE) -C $(KERNEL) M=$(P_PWD) modules_install
+-  depmod -a
+-  $(P_PWD)/$(P_BOOTUP_SCRIPT) install
+ 
+-uninstall:
+-  $(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall
++modules:
++  $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules
++
++modules_install:
++  $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules_install
+ 
+ clean:
+-  $(MAKE) -C $(KERNEL) M=$(P_PWD) clean
+-  $(RM) Module.markers modules.order
+-  $(RM) $(P_PWD)/src/modules/kmod/client/kmod/Module.markers
+-  $(RM) $(P_PWD)/src/modules/kmod/client/kmod/modules.order
+-  $(RM) -rf $(P_OUTPUT)
++  rm -f *.o *~ core .depend .*.cmd *.ko *.mod.c
++  rm -f Module.markers Module.symvers modules.order
++  rm -rf .tmp_versions Modules.symvers
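Review bot: the rewritten `clean` target only removes objects in the top directory, but every object listed in `p_lkrg-y` lives under `src/modules/...`, so `make clean` now leaves them behind; the original `$(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) clean` is what cleans a kbuild tree. `Modules.symvers` on the last line looks like a typo for `Module.symvers`, which the previous line already removes. Dropping the `install`/`uninstall` targets that ran `lkrg-bootup.sh` is right for a recipe that installs the .ko itself, but it is an embedded-specific change, so the patch header should say `Inappropriate [embedded specific]` for that part rather than `Pending`.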
diff --git a/recipes-kernel/lkrg/lkrg-module_0.9.0.bb 
b/recipes-kernel/lkrg/lkrg-module_0.9.0.bb
new file mode 100644
index 000..dbc195d
--- /dev/null
+++ b/recipes-kernel/lkrg/lkrg-module_0.9.0.bb
@@ -0,0 +1,33 @@
+SUMMARY = "Linux Kernel Runtime Guard"
+DESCRIPTION="LKRG performs runtime integrity checking of the Linux \
+kernel and detection of security vulnerability exploits against the kernel."
+SECTION = "security"
+HOMEPAGE = "https://www.openwall.com/lkrg/";
+LICENSE = "GPLv2"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d931f44a1f4be309bcdac742d7ed92f9"
+
+DEPENDS = "virtual/kernel elfutils"
+
+SRC_URI = "https://www.openwall.com/lkrg/lkrg-${PV}.tar.gz \
+   file://makefile_cleanup.patch "
+
+SRC_URI[sha256sum] = 
"a997e4d98962c359f3af163bbcfa38a736d2a50bfe35c15065b74cb57f8742bf"
+
+S = "${WORKDIR}/lkrg-${PV}"
+
+inherit module kernel-module-split
+
+MAKE_TARGETS = "modules"
+
+MODULE_NAME = "p_lkrg"
+
+module_do_install() {
+install -d 
${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}
+install -m 0644 ${MODULE_NAME}.ko \
+
${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko
+}
+
+RPROVIDES_${PN} += "kernel-module-lkrg"
+
+COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
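Review bot: `inherit module kernel-module-split` is redundant, module.bbclass already inherits kernel-module-split. The kconfig requirements the commit message lists (`CONFIG_KALLSYMS_ALL`, `CONFIG_JUMP_LABEL`, `CONFIG_DEBUG_KERNEL`) are not enforced anywhere, so a kernel built without them only fails at compile or insmod time; shipping a kernel configuration fragment with the recipe, or checking `${STAGING_KERNEL_BUILDDIR}/.config` in `do_configure`, would surface that at build time. Two smaller points: nothing in the patched Makefile uses elfutils, so say what in `DEPENDS = "virtual/kernel elfutils"` needs it or drop it; and because `module_do_install` is overridden, the `modules_install` target added by the Makefile patch is never used. The `RPROVIDES_${PN} += "kernel-module-lkrg"` alias works because module.bbclass makes `${PN}` an empty meta-package that RDEPENDS on the split `kernel-module-p-lkrg-${KERNEL_VERSION}` package, but users browsing the feed will see `kernel-module-p-lkrg`, so the commit message should mention both names.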
-- 
2.25.1


View/Reply Online (#53119): https://lists.yoctoproject.org/g/yocto/message/53119
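The commit message above lists three kconfig options LKRG needs and an insmod line, but nothing on the page turns that into a check. The following POSIX shell script is an added example (mine, not part of the lkrg-module recipe or of LKRG) that reads a kernel .config, reports which of those options are not built in, and refuses to insmod when any is missing. The `lkrg_load` wrapper and its default config path are assumptions; the configuration written by `write_sample_config` is constructed for the demonstration and is not a real kernel .config.

```shell
#!/bin/sh
# Added example, not part of the lkrg-module recipe or of LKRG itself:
# gate the load of p_lkrg.ko on the kconfig options the commit message
# requires.  The sample config below is constructed for demonstration.

LKRG_REQUIRED_KCONFIG="CONFIG_KALLSYMS_ALL CONFIG_JUMP_LABEL CONFIG_DEBUG_KERNEL"

# lkrg_missing_kconfig <path to .config>
# Prints each required option that is not set to =y, one per line.
# Returns 0 when all are present, 1 when something is missing, 2 when the
# file cannot be read.  Only an exact "OPT=y" line counts: "# OPT is not
# set" and "OPT=m" are both treated as missing.
lkrg_missing_kconfig() {
    config=$1
    missing=""
    [ -r "$config" ] || { echo "cannot read $config" >&2; return 2; }
    for opt in $LKRG_REQUIRED_KCONFIG; do
        if ! grep -q "^${opt}=y\$" "$config"; then
            missing="$missing $opt"
        fi
    done
    [ -z "$missing" ] && return 0
    for m in $missing; do
        echo "$m"
    done
    return 1
}

# lkrg_load <path to p_lkrg.ko> [<path to .config>]
# Refuses to insmod when the config check fails; otherwise performs the
# load from the commit message (kint_enforce=1).  Returns insmod's status.
# The default config location is an assumption (kernel-dev installs it).
lkrg_load() {
    ko=$1
    config=${2:-/boot/config-$(uname -r)}
    if ! lkrg_missing_kconfig "$config" >&2; then
        echo "refusing to load $ko: required kconfig options missing" >&2
        return 1
    fi
    insmod "$ko" kint_enforce=1
}

# write_sample_config <path>
# Constructed sample: two of the three required options enabled.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_JUMP_LABEL=y
# CONFIG_DEBUG_KERNEL is not set
EOF
}

# Usage: sh lkrg-check.sh /path/to/.config
if [ $# -ge 1 ]; then
    lkrg_missing_kconfig "$1" && echo "kconfig OK for LKRG"
fi
```

On a target the same check can read `/proc/config.gz` (after `gunzip`, when CONFIG_IKCONFIG_PROC is enabled) instead of a file under /boot; in a recipe it fits in `do_configure` against `${STAGING_KERNEL_BUILDDIR}/.config`, where a missing option becomes a build error instead of an insmod failure on the device.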



[yocto] [meta-security][PATCH 1/2] clamav: remove rest of mirror.dat ref

2021-04-13 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-scanners/clamav/clamav_0.104.0.bb | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb 
b/recipes-scanners/clamav/clamav_0.104.0.bb
index ba036b0..36e498d 100644
--- a/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -31,7 +31,7 @@ inherit cmake chrpath pkgconfig useradd systemd 
multilib_header multilib_script
 CLAMAV_UID ?= "clamav"
 CLAMAV_GID ?= "clamav"
 
-MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/clamav-config 
${PN}-cvd:${localstatedir}/lib/clamav/mirrors.dat"
+MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/clamav-config"
 
 EXTRA_OECMAKE = " -DCMAKE_BUILD_TYPE=Release -DOPTIMIZE=ON 
-DENABLE_JSON_SHARED=OFF \
   -DCLAMAV_GROUP=${CLAMAV_GID} -DCLAMAV_USER=${CLAMAV_UID} \ 
@@ -85,7 +85,7 @@ pkg_postinst_ontarget_${PN} () {
 }
 
 
-PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc ${PN}-cvd \
+PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \
 ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev"
 
 FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit 
${sbindir}/clamonacc \
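Review bot: dropping `${PN}-cvd` from PACKAGES removes a package other metadata may still name; a packagegroup or image with `clamav-cvd` in RDEPENDS will now fail with "Nothing RPROVIDES", so grep the layer for it and state in the commit message that the package itself is gone, not just the mirrors.dat reference.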
@@ -134,8 +134,6 @@ FILES_${PN}-doc = "${mandir}/man/* \
${datadir}/man/* \
${docdir}/* "
 
-FILES_${PN}-cvd =  "${localstatedir}/lib/clamav/*.cvd 
${localstatedir}/lib/clamav/*.dat"
-
 USERADD_PACKAGES = "${PN}"
 GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}"
 USERADD_PARAM_${PN} = "--system -g ${CLAMAV_GID} --home-dir  \
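Review bot: with `FILES_${PN}-cvd` removed, `${localstatedir}/lib/clamav/*.cvd` and `*.dat` are no longer claimed by any package. If `do_install` still creates anything under that directory, package QA will flag it as installed-but-not-shipped, so either add `${localstatedir}/lib/clamav` to `FILES_${PN}-freshclam` (freshclam is what populates it at runtime) or confirm the directory is left empty at packaging time.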
-- 
2.25.1


View/Reply Online (#53118): https://lists.yoctoproject.org/g/yocto/message/53118



Re: [yocto] [meta-security][PATCH] meta: drop IMA_POLICY from policy recipes

2021-04-14 Thread Armin Kuster
merged.

thanks
-armin

On 3/22/21 6:02 AM, liu.min...@gmail.com wrote:
> From: Ming Liu 
>
> IMA_POLICY is referred to as the policy recipe name in some places and
> as the policy file in other places; the two uses conflict with each
> other, which makes it impossible to set an IMA_POLICY global variable in
> a config file.
>
> Fix it by dropping the IMA_POLICY definitions from the policy recipes.
>
> Signed-off-by: Ming Liu 
> ---
>  .../ima-policy-appraise-all_1.0.bb   | 9 ++---
>  .../ima_policy_hashed/ima-policy-hashed_1.0.bb   | 9 ++---
>  .../ima_policy_simple/ima-policy-simple_1.0.bb   | 9 ++---
>  3 files changed, 6 insertions(+), 21 deletions(-)
>
> diff --git 
> a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
>  
> b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
> index da62a4c..84ea161 100644
> --- 
> a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
> +++ 
> b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
> @@ -2,19 +2,14 @@ SUMMARY = "IMA sample simple appraise policy "
>  LICENSE = "MIT"
>  LIC_FILES_CHKSUM = 
> "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
>  
> -# This policy file will get installed as /etc/ima/ima-policy.
> -# It is located via the normal file search path, so a .bbappend
> -# to this recipe can just point towards one of its own files.
> -IMA_POLICY ?= "ima_policy_appraise_all"
> -
> -SRC_URI = " file://${IMA_POLICY}"
> +SRC_URI = " file://ima_policy_appraise_all"
>  
>  inherit features_check
>  REQUIRED_DISTRO_FEATURES = "ima"
>  
>  do_install () {
>  install -d ${D}/${sysconfdir}/ima
> -install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima/ima-policy
> +install ${WORKDIR}/ima_policy_appraise_all 
> ${D}/${sysconfdir}/ima/ima-policy
>  }
>  
>  FILES_${PN} = "${sysconfdir}/ima"
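Review bot: removing `IMA_POLICY ?=` also removes the documented override path ("a .bbappend to this recipe can just point towards one of its own files"); that still works, but only by shipping a file named exactly `ima_policy_appraise_all` via FILESEXTRAPATHS, so keep the first comment line (the file is installed as /etc/ima/ima-policy) and tell bbappend authors in the commit message how to migrate. While `do_install` is being touched, `install` without `-m` creates the policy as 0755; `install -m 0644` is the right mode for a text policy file.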
> diff --git 
> a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb 
> b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
> index ebb0426..ff7169e 100644
> --- 
> a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
> +++ 
> b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
> @@ -2,13 +2,8 @@ SUMMARY = "IMA sample hash policy"
>  LICENSE = "MIT"
>  LIC_FILES_CHKSUM = 
> "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
>  
> -# This policy file will get installed as /etc/ima/ima-policy.
> -# It is located via the normal file search path, so a .bbappend
> -# to this recipe can just point towards one of its own files.
> -IMA_POLICY ?= "ima_policy_hashed"
> -
>  SRC_URI = " \
> -file://${IMA_POLICY} \
> +file://ima_policy_hashed \
>  "
>  
>  inherit features_check
> @@ -16,7 +11,7 @@ REQUIRED_DISTRO_FEATURES = "ima"
>  
>  do_install () {
>  install -d ${D}/${sysconfdir}/ima
> -install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima/ima-policy
> +install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy
>  }
>  
>  FILES_${PN} = "${sysconfdir}/ima"
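Review bot: the `install ${WORKDIR}/ima_policy_hashed ...` line inherits the missing `-m 0644`, so the policy lands executable; worth fixing here since the line is being rewritten anyway. The three policy recipes now have `do_install` bodies that differ only in the file name, so a shared .inc keyed on the file name would keep them from drifting again.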
> diff --git 
> a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb 
> b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
> index cb4b6b8..0e56aec 100644
> --- 
> a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
> +++ 
> b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
> @@ -2,19 +2,14 @@ SUMMARY = "IMA sample simple policy"
>  LICENSE = "MIT"
>  LIC_FILES_CHKSUM = 
> "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
>  
> -# This policy file will get installed as /etc/ima/ima-policy.
> -# It is located via the normal file search path, so a .bbappend
> -# to this recipe can just point towards one of its own files.
> -IMA_POLICY ?= "ima_policy_simple"
> -
> -SRC_URI = " file://${IMA_POLICY}"
> +SRC_URI = " file://ima_policy_simple"
>  
>  inherit features_check
>  REQUIRED_DISTRO_FEATURES = "ima"
>  
>  do_install () {
>  install -d ${D}/${sysconfdir}/ima
> -install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima/ima-policy
> +install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy
>  }
>  
>  FILES_${PN} = "${sysconfdir}/ima"
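Review bot: `SRC_URI = " file://ima_policy_simple"` keeps a stray leading space inside the quotes; harmless, but `SRC_URI = "file://ima_policy_simple"` is the usual form and matches the other two recipes after this change. The `install` here should also get `-m 0644` so the policy is not installed executable.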


View/Reply Online (#53125): https://lists.yoctoproject.org/g/yocto/message/53125



Re: [yocto] [meta-security][PATCH] Use libest "main" branch instead of "master".

2021-04-14 Thread Armin Kuster
merged

thanks,
armin

On 4/7/21 3:19 AM, Anton Antonov wrote:
> This patch fixes the issue:
>
> WARNING: libest-3.2.0-r0 do_fetch: Failed to fetch URL 
> git://github.com/cisco/libest, attempting MIRRORS if available
> ERROR: libest-3.2.0-r0 do_fetch: Fetcher failure: Unable to find revision 
> 4ca02c6d7540f2b1bcea278a4fbe373daac7103b in branch master even from upstream
> ERROR: libest-3.2.0-r0 do_fetch: Fetcher failure for URL: 
> 'git://github.com/cisco/libest'. Unable to fetch URL from any source.
>
> Signed-off-by: Anton Antonov 
> ---
>  recipes-security/libest/libest_3.2.0.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/recipes-security/libest/libest_3.2.0.bb 
> b/recipes-security/libest/libest_3.2.0.bb
> index f993bd6..5b6dc99 100644
> --- a/recipes-security/libest/libest_3.2.0.bb
> +++ b/recipes-security/libest/libest_3.2.0.bb
> @@ -6,7 +6,7 @@ LICENSE = "OpenSSL"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885"
>  
>  SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b"
> -SRC_URI = "git://github.com/cisco/libest"
> +SRC_URI = "git://github.com/cisco/libest;branch=main"
>  
>  DEPENDS = "openssl"
>  
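Review bot: adding `branch=main` is the correct fix, since the fetcher has to find SRCREV on the named branch, but GitHub has since stopped serving the unauthenticated `git://` transport, so this URL will fail in do_fetch again; `git://github.com/cisco/libest;branch=main;protocol=https` avoids a second round of the same error.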
>
> 
>


View/Reply Online (#53126): https://lists.yoctoproject.org/g/yocto/message/53126



Re: [yocto] [meta-security][PATCH] initramfs-framework-ima: introduce IMA_FORCE

2021-04-14 Thread Armin Kuster
merged,
Thanks

On 4/8/21 11:38 AM, Ming Liu wrote:
> From: Ming Liu 
>
> Introduce IMA_FORCE to allow the IMA policy to be applied forcibly even
> when the 'no_ima' boot parameter is present.
>
> This ensures end users have a way to disable 'no_ima' support if they
> want to, because it may expose a security risk: if an attacker can find
> a way to change the kernel arguments, it will easily bypass rootfs
> authenticity checks.
>
> Signed-off-by: Sergio Prado 
> Signed-off-by: Ming Liu 
> ---
>  .../initrdscripts/initramfs-framework-ima.bb | 5 +
>  .../initrdscripts/initramfs-framework-ima/ima| 9 +++--
>  2 files changed, 12 insertions(+), 2 deletions(-)
>
> diff --git 
> a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb 
> b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
> index 77f6f7c..6471c53 100644
> --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
> +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
> @@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = 
> "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
>  # to this recipe can just point towards one of its own files.
>  IMA_POLICY ?= "ima-policy-hashed"
>  
> +# Force proceed IMA procedure even 'no_ima' boot parameter is available.
> +IMA_FORCE ?= "false"
> +
>  SRC_URI = " file://ima"
>  
>  inherit features_check
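Review bot: `IMA_FORCE` is only honoured when set to the exact string `true` (the script compares with `= "true"`), so `IMA_FORCE = "1"` or `"yes"` silently changes nothing; the comment should say that, and its grammar needs a fix ("Apply the IMA policy even if the 'no_ima' boot parameter is present").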
> @@ -23,6 +26,8 @@ do_install () {
>  install -d ${D}/${sysconfdir}/ima
>  install -d ${D}/init.d
>  install ${WORKDIR}/ima  ${D}/init.d/20-ima
> +
> +sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
>  }
>  
>  FILES_${PN} = "/init.d ${sysconfdir}"
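Review bot: the `sed` substitution does not validate `${IMA_FORCE}`: any value other than `true`/`false` is pasted into the script unchanged, and a value containing `/` breaks the sed expression. A guard before the sed, e.g. `case "${IMA_FORCE}" in true|false) ;; *) bbfatal "IMA_FORCE must be true or false" ;; esac`, turns a misconfiguration into a build error instead of a silently non-forcing initramfs.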
> diff --git 
> a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima 
> b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
> index cff26a3..8971494 100644
> --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
> +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
> @@ -2,11 +2,16 @@
>  #
>  # Loads IMA policy into the kernel.
>  
> +force_ima=@@FORCE_IMA@@
> +
>  ima_enabled() {
> -if [ "$bootparam_no_ima" = "true" ]; then
> +if [ "$force_ima" = "true" ]; then
> +return 0
> +elif [ "$bootparam_no_ima" = "true" ]; then
>  return 1
> +else
> +return 0
>  fi
> -return 0
>  }
>  
>  ima_run() {
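Review bot: the ordering is right (force wins, then `no_ima`), but the check is only as strong as the initramfs that carries it: an attacker who can edit the kernel command line can usually also replace an unsigned initramfs, so `IMA_FORCE` only closes the bypass the commit message describes when the kernel and initramfs are themselves verified (signed, or bundled into a signed unified image). Also note that `bootparam_no_ima` is compared to the literal `true`, so a bare `no_ima` disables IMA but `no_ima=1` does not; that asymmetry should be documented next to the variable.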
>
> 
>


View/Reply Online (#53127): https://lists.yoctoproject.org/g/yocto/message/53127
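To make the interaction of IMA_FORCE and `no_ima` concrete, here is an added example (mine, not the recipe's 20-ima module) that reproduces the `ima_enabled` decision against a kernel command line string, so it can be exercised offline. The `parse_cmdline` helper restates what initramfs-framework's init does with /proc/cmdline (a bare `key` becomes `bootparam_key=true`, `key=value` keeps the value, `.` and `-` in names become `_`); that description is an assumption about that script, not a copy of it.

```shell
#!/bin/sh
# Added example, not part of initramfs-framework-ima: the IMA_FORCE / no_ima
# decision from the 20-ima module, driven by a command line string instead
# of /proc/cmdline.  parse_cmdline restates (assumption, not a copy) how
# initramfs-framework's init exports each parameter as a bootparam_* variable.

# parse_cmdline <cmdline string>
# For each whitespace-separated parameter: "key" sets bootparam_key=true,
# "key=value" sets bootparam_key to value; '.' and '-' in the key become '_'.
parse_cmdline() {
    for p in $1; do
        key=${p%%=*}
        key=$(printf '%s' "$key" | sed -e 'y/.-/__/')
        case $p in
            *=*) value=${p#*=}
                 eval "bootparam_${key}=\$value" ;;
            *)   eval "bootparam_${key}=true" ;;
        esac
    done
}

# ima_enabled <IMA_FORCE value>
# Same decision as 20-ima after the patch: IMA_FORCE=true always loads the
# policy; otherwise a no_ima boot parameter skips it.  0 = load, 1 = skip.
ima_enabled() {
    force_ima=$1
    if [ "$force_ima" = "true" ]; then
        return 0
    elif [ "$bootparam_no_ima" = "true" ]; then
        return 1
    else
        return 0
    fi
}

# ima_decision <IMA_FORCE value> <cmdline string>
# Fresh evaluation: clears any earlier bootparam_no_ima, parses the
# command line, prints "load" or "skip".
ima_decision() {
    bootparam_no_ima=
    parse_cmdline "$2"
    if ima_enabled "$1"; then
        echo load
    else
        echo skip
    fi
}

# Usage: sh ima-decision.sh <true|false> "<kernel command line>"
if [ $# -eq 2 ]; then
    ima_decision "$1" "$2"
fi
```

Running it shows the two string-exact comparisons that are easy to miss when reading the script: `no_ima` and `no_ima=true` skip the policy, but `no_ima=1` loads it, and `IMA_FORCE` set to `1` or `yes` does not force anything, only `true` does.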



Re: [yocto] [meta-security][PATCH 1/2] Add meta-parsec layer into meta-security.

2021-04-14 Thread Armin Kuster
o-bitbake
> +
> +  When you have crago-bitbake built:
> +1. Checkout the required version of parsec repository.
> +2. Run cargo-bitbake inside the repository. It will produce a BB file.
> +3. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB 
> file.
> +
> +Manual testing with runqemu
> +===
> +
> +  This layer also contains a recipe for pasec-tool which can be used for
> +manual testing of the Parsec service:
> +
> +IMAGE_INSTALL_append += " parsec-tools"
> +
> +  There are a series of Parsec Demo videos showing how to use parsec-tool
> +to test the Parsec service base functionality:
> +https://www.youtube.com/watch?v=ido0CyUdMHM&list=PLKjl7IFAwc4S7WQqqphCsyy6DPDxJ2Skg&index=4
> +
> +  You can use runqemu to start a VM with a built image file and run
> +manual tests with parsec-tool.
> +
> +1. MbedCrypto provider
> +  The default Parsec service config file contains the MbedCrypto provider
> +enabled. No changes required for manual testing.
> +
> +2. PKCS11 provider
> +  The Software HSM can be used for manual testing of the provider by
> +including it into your test image:
> +
> +IMAGE_INSTALL_append += " softhsm"
> +
> +Inside the running VM:
> +- Stop Parsec
> +```bash
> +systemctl stop parsec
> +```
> +- Initialise a token and notice the result slot number
> +```bash
> +softhsm2-util --init-token --slot 0 --label "Parsec Service" --pin 123456 
> --so-pin 123456
> +```
> +- Change the token ownership:
> +```bash
> +for d in /var/lib/softhsm/tokens/*; do chown -R parsec $d; done
> +```
> +- Enable the PKCS11 provider and update its parameters in the Parsec config 
> file
> +/etc/parsec/config.toml
> +```
> +library_path = "/usr/lib/softhsm/libsofthsm2.so"
> +slot_number = 
> +user_pin = "123456"
> +```
> +- Start Parsec
> +```bash
> +systemctl start parsec
> +```
> +
> +3. TPM provider
> +  The IBM Software TPM service can be used for manual testing of the 
> provider by
> +including it into your test image:
> +
> +IMAGE_INSTALL_append += " ibmswtpm2 tpm2-tools libtss2 
> libtss2-tcti-mssim"
> +
> +Inside the running VM:
> +- Stop Parsec
> +```bash
> +systemctl stop parsec
> +```
> +- Start and configure the Software TPM server
> +```bash
> +   /usr/bin/tpm_server &
> +   sleep 5
> +   /usr/bin/tpm2_startup -c -T mssim
> +   /usr/bin/tpm2_changeauth -c owner tpm_pass
> +```
> +- Enable the TPM provider and update its parameters in the Parsec config file
> +/etc/parsec/config.toml
> +```
> +tcti = "mssim"
> +owner_hierarchy_auth = "hex:74706d5f70617373"
> +```
> +- Start Parsec
> +```bash
> +systemctl start parsec
> +```
> +
> +Maintenance
> +---
> +
> +Send pull requests, patches, comments or questions to yo...@yoctoproject.org
> +
> +When sending single patches, please using something like:
> +'git send-email -1 --to yo...@yoctoproject.org 
> --subject-prefix=meta-parsec][PATCH'
> +
> +These values can be set as defaults for this repository:
> +
> +$ git config sendemail.to yo...@yoctoproject.org
> +$ git config format.subjectPrefix meta-parsec][PATCH
> +
> +Now you can just do 'git send-email origin/master' to send all local patches.
> +
> +Maintainers:Anton Antonov 
> +Armin Kuster 
> +
> +
> +License
> +===
> +
> +All metadata is MIT licensed unless otherwise stated. Source code included
> +in tree for individual recipes is under the LICENSE stated in each recipe
> +(.bb file) unless otherwise stated.
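Review bot: `IMAGE_INSTALL_append += " parsec-tools"` will not resolve: the recipe in this layer is `parsec-tool` (parsec-tool_0.3.0.bb in the accompanying recipes), and `_append` should be combined with `=` rather than `+=` (`IMAGE_INSTALL_append = " parsec-tool"`); the `softhsm` and TPM lines use the same `+=` form and should be fixed together. Typos: `crago-bitbake` and `pasec-tool`. `slot_number = ` is deliberately left for the reader to fill from the `softhsm2-util` output, so say so on that line. The PKCS11 and TPM sections write `user_pin = "123456"` and `owner_hierarchy_auth = "hex:74706d5f70617373"` (that is `tpm_pass`) into `/etc/parsec/config.toml`; since the service reads those secrets from that file, note that it must not be world-readable and that these values are for throwaway test images only.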
> diff --git a/meta-parsec/conf/layer.conf b/meta-parsec/conf/layer.conf
> new file mode 100644
> index 000..2d4aa12
> --- /dev/null
> +++ b/meta-parsec/conf/layer.conf
> @@ -0,0 +1,14 @@
> +# We have a conf and classes directory, add to BBPATH
> +BBPATH .= ":${LAYERDIR}"
> +
> +# We have a recipes directory, add to BBFILES
> +BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
> +
> +BBFILE_COLLECTIONS += "parsec-layer"
> +BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/"
> +BBFILE_PRIORITY_parsec-layer = "5"
> +
> +LAYERSERIES_COMPAT_parsec-layer = "hardknott gatesgarth"
> +
> +LAYERDEPENDS_parsec-layer = "core rust-layer clang-layer tpm-layer"
> +BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
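Review bot: `LAYERDEPENDS_parsec-layer = "core rust-layer clang-layer tpm-layer"` means anyone enabling meta-parsec must also add meta-rust, meta-clang and meta-security's meta-tpm to BBLAYERS, on branches matching `LAYERSERIES_COMPAT = "hardknott gatesgarth"`; the README's dependency section (cut off in this excerpt) should list them explicitly with those branch names, since bitbake's error for a missing LAYERDEPENDS only gives the collection name.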
> diff --git a/meta-parsec/recipes-parsec/parsec-service/files/cryptoki.patch 
> b/meta-parsec/recipes-parsec/parsec-service/files/cryptoki.patch
> new file mode 100644
> index 000..c234479
>

Re: [yocto] [meta-security][PATCH] Clearly define clang toolchain in Parsec recipes

2021-04-14 Thread Armin Kuster
merged,
Thanks

On 4/12/21 8:30 AM, Anton Antonov wrote:
> Signed-off-by: Anton Antonov 
> ---
>  .../recipes-parsec/parsec-service/parsec-service_0.7.0.bb | 4 ++--
>  meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb   | 3 +--
>  2 files changed, 3 insertions(+), 4 deletions(-)
>
> diff --git 
> a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb 
> b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb
> index b3f7b21..0e14955 100644
> --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb
> +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb
> @@ -10,8 +10,8 @@ SRC_URI += "crate://crates.io/parsec-service/${PV} \
>  file://parsec-tmpfiles.conf \
>  "
>  
> -DEPENDS = "clang-native tpm2-tss"
> -INSANE_SKIP_${PN} += "dev-deps"
> +DEPENDS = "tpm2-tss"
> +TOOLCHAIN = "clang"
>  
>  CARGO_BUILD_FLAGS += " --features 
> all-providers,cryptoki/generate-bindings,tss-esapi/generate-bindings"
>  
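Review bot: the `clang-native` dependency being removed was there for the `cryptoki/generate-bindings` and `tss-esapi/generate-bindings` features on the next line, which run bindgen and need a native libclang at build time; `TOOLCHAIN = "clang"` selects the target compiler, which is not the same thing, so confirm in a clean build that bindgen still locates libclang after this change. The commit message is empty apart from the sign-off; it should say why the `dev-deps` INSANE_SKIP is no longer needed.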
> diff --git a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb 
> b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb
> index 939e771..35c65c0 100644
> --- a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb
> +++ b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb
> @@ -7,8 +7,7 @@ inherit cargo
>  SRC_URI += "crate://crates.io/parsec-tool/${PV} \
>  "
>  
> -DEPENDS = "clang-native"
> -INSANE_SKIP_${PN} += "dev-deps"
> +TOOLCHAIN = "clang"
>  
>  do_install() {
>install -d ${D}/${bindir}
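Review bot: parsec-tool has no generate-bindings features, so `TOOLCHAIN = "clang"` here only changes which C compiler any C crate dependencies see; if the point is consistency with parsec-service, one sentence in the commit message saying so would save the next reader the question.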
>
> 
>


View/Reply Online (#53129): https://lists.yoctoproject.org/g/yocto/message/53129



[yocto] [meta-security][PATCH] packagegroup-core-security: exclude apparmor in mips64

2021-04-20 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-core/packagegroup/packagegroup-core-security.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb 
b/recipes-core/packagegroup/packagegroup-core-security.bb
index 9ac0d2c..a6142a8 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -80,6 +80,9 @@ RDEPENDS_packagegroup-security-mac = " \
 ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
 "
 
+RDEPENDS_packagegroup-security-mac_remove_mips64 = "apparmor"
+RDEPENDS_packagegroup-security-mac_remove_mips64le = "apparmor"
+
 RDEPENDS_packagegroup-meta-security-ptest-packages = "\
 ptest-runner \
 samhain-standalone-ptest \
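Review bot: `mips64le` is not an OVERRIDES value; the little-endian target is `mips64el`, so the second line never matches and apparmor stays in the packagegroup on those machines. Also `_remove` is a hard removal that no later `_append` can undo, so anyone who does get apparmor working on mips64 has to patch this file; a `${@...}` expression next to the existing `DISTRO_FEATURES` check, keyed on the target arch, keeps the condition in one place and overridable.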
-- 
2.17.1


View/Reply Online (#53195): https://lists.yoctoproject.org/g/yocto/message/53195



Re: [yocto] [meta-security][PATCH] packagegroup-core-security: exclude apparmor in mips64

2021-04-22 Thread Armin Kuster


On 4/20/21 9:07 AM, Khem Raj wrote:
>
>
> On 4/20/21 7:41 AM, Armin Kuster wrote:
>> Signed-off-by: Armin Kuster 
>> ---
>>   recipes-core/packagegroup/packagegroup-core-security.bb | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb
>> b/recipes-core/packagegroup/packagegroup-core-security.bb
>> index 9ac0d2c..a6142a8 100644
>> --- a/recipes-core/packagegroup/packagegroup-core-security.bb
>> +++ b/recipes-core/packagegroup/packagegroup-core-security.bb
>> @@ -80,6 +80,9 @@ RDEPENDS_packagegroup-security-mac = " \
>>   ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
>>   "
>>   +RDEPENDS_packagegroup-security-mac_remove_mips64 = "apparmor"
>> +RDEPENDS_packagegroup-security-mac_remove_mips64le = "apparmor"
>> +
>
> this should be mips64el
Actually, this is the wrong patch. Working on too many systems.

Thanks for the review.

-armin
>
>>   RDEPENDS_packagegroup-meta-security-ptest-packages = "\
>>   ptest-runner \
>>   samhain-standalone-ptest \
>>
>>
>>
>> 
>>


View/Reply Online (#53223): https://lists.yoctoproject.org/g/yocto/message/53223



[yocto] The Yocto Project 2021 virtual Summit CFP reminder

2021-04-23 Thread Armin Kuster
Hello all,

This is a reminder that the 2021 Yocto Project Summit CFP window closes
this Sunday at 11:59 PM PST.

If anyone is interested, please visit:
https://pretalx.com/yocto-project-summit-2021/cfp

Kind regards,
Armin

Sorry about the cross-posting.



View/Reply Online (#53242): https://lists.yoctoproject.org/g/yocto/message/53242



[yocto] [meta-security][PATCH] ossec-hids: add new pkg

2021-04-25 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 ...Makefile-drop-running-scrips-install.patch |  37 +++
 .../0002-Makefile-don-t-set-uid-gid.patch | 251 ++
 recipes-ids/ossec/ossec-hids_3.6.0.bb | 161 +++
 3 files changed, 449 insertions(+)
 create mode 100644 
recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch
 create mode 100644 
recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch
 create mode 100644 recipes-ids/ossec/ossec-hids_3.6.0.bb

diff --git 
a/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch 
b/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch
new file mode 100644
index 000..08e018f
--- /dev/null
+++ b/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch
@@ -0,0 +1,37 @@
+From b948d36a8ca8e04794381f0f6eba29daf7e3fd01 Mon Sep 17 00:00:00 2001
+From: Armin Kuster 
+Date: Wed, 21 Apr 2021 00:56:53 +
+Subject: [PATCH 1/2] Makefile: drop running scrips @ install
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster 
+---
+ src/Makefile | 4 
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index 06a7094c..dfb8cb58 100644
+--- a/src/Makefile
 b/src/Makefile
+@@ -409,7 +409,6 @@ install-hybrid: install-server-generic
+ install-server: install-server-generic
+ 
+ install-common: build
+-  ./init/adduser.sh ${OSSEC_USER} ${OSSEC_USER_MAIL} ${OSSEC_USER_REM} 
${OSSEC_GROUP} ${PREFIX}
+   $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/
+   $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs
+   $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null 
${PREFIX}/logs/ossec.log
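Review bot: removing `./init/adduser.sh` from `install-common` moves user creation to the recipe, so ossec-hids_3.6.0.bb must create `${OSSEC_USER}`, `${OSSEC_USER_MAIL}` (ossecm), `${OSSEC_USER_REM}` (ossecr) and the `${OSSEC_GROUP}` group via `inherit useradd` before the `INSTALL_CMD` lines that still reference them; the recipe is not shown in this excerpt, so confirm those names match and that the resulting uids are what the `chown`-based ownership fix (needed once the second patch drops `-o/-g`) expects.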
+@@ -485,9 +484,6 @@ endif
+   $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/var
+   $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/var/run
+ 
+-  ./init/fw-check.sh execute
+-
+-
+ 
+ install-server-generic: install-common
+   $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null 
${PREFIX}/logs/active-responses.log
+-- 
+2.25.1
+
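Review bot: `./init/fw-check.sh execute` probes the build host for a firewall implementation to pick the firewall-drop active-response script, which cannot meaningfully run in a cross build, so dropping it is right; the commit message should say that (and fix the typo "scrips"). Since the script's job was to select the active-response firewall script for the target, either have the recipe install the right one for the image or document that firewall-drop active responses need to be configured on the device.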
diff --git a/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch 
b/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch
new file mode 100644
index 000..d5e3403
--- /dev/null
+++ b/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch
@@ -0,0 +1,251 @@
+From d9ec907881b72d42b4918f7cfb46516ce8e2 Mon Sep 17 00:00:00 2001
+From: Armin Kuster 
+Date: Sat, 24 Apr 2021 23:07:29 +
+Subject: [PATCH 2/2] Makefile: don't set uid/gid
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster 
+---
+ src/Makefile | 166 +--
+ 1 file changed, 83 insertions(+), 83 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index dfb8cb58..a4d69ef6 100644
+--- a/src/Makefile
 b/src/Makefile
+@@ -21,7 +21,7 @@ OSSEC_USER?=ossec
+ OSSEC_USER_MAIL?=ossecm
+ OSSEC_USER_REM?=ossecr
+ 
+-INSTALL_CMD?=install -m $(1) -o $(2) -g $(3)
++INSTALL_CMD?=install -m $(1) 
+ INSTALL_LOCALTIME?=yes
+ INSTALL_RESOLVCONF?=yes
+ 
+@@ -397,10 +397,10 @@ endif
+ install: install-${TARGET}
+ 
+ install-agent: install-common
+-  $(call INSTALL_CMD,0550,root,0) ossec-agentd ${PREFIX}/bin
+-  $(call INSTALL_CMD,0550,root,0) agent-auth ${PREFIX}/bin
++  $(call INSTALL_CMD,0550) ossec-agentd ${PREFIX}/bin
++  $(call INSTALL_CMD,0550) agent-auth ${PREFIX}/bin
+ 
+-  $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d 
${PREFIX}/queue/rids
++  $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/rids
+ 
+ install-local: install-server-generic
+ 
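Review bot: `$(call INSTALL_CMD,0550) ossec-agentd ${PREFIX}/bin` changes the macro from three parameters to one while keeping its name. GNU make's `$(call)` silently ignores surplus arguments, so any call site not converted in this patch keeps compiling with its owner and group quietly discarded. Renaming the macro, or adding a guard that errors when `$(2)` is non-empty, would make stragglers visible.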
+@@ -409,129 +409,129 @@ install-hybrid: install-server-generic
+ install-server: install-server-generic
+ 
+ install-common: build
+-  $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/
+-  $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs
+-  $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null 
${PREFIX}/logs/ossec.log
+-
+-  $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/bin
+-  $(call INSTALL_CMD,0550,root,0) ossec-logcollector ${PREFIX}/bin
+-  $(call INSTALL_CMD,0550,root,0) ossec-syscheckd ${PREFIX}/bin
+-  $(call INSTALL_CMD,0550,root,0) ossec-execd ${PREFIX}/bin
+-  $(call INSTALL_CMD,0550,root,0) manage_agents ${PREFIX}/bin
+-  $(call INSTALL_CMD,0550,root,0) ../contrib/util.sh ${PREFIX}/bin/
+-  $(call INSTALL_CMD,0550,root,0) ${OSSEC_CONTROL_SRC} 
${PREFIX}/bin/ossec-control
++  $(call INSTALL_CMD,0550) -d ${PREFIX}/
++  $(call INSTALL_CMD,0750) -d ${PREFIX}/logs
++  $(call INSTALL_CMD,0660) /dev/null ${PREFIX}/logs/ossec.log
++
++  $(call INSTALL_CMD,0550) -d ${PREFIX}/bin
++  $(call INSTALL_CMD,0550) ossec-logcollector ${PREFIX}/bin
++  $(call INSTALL_CMD,0550) ossec-syscheckd ${PREFIX}/bin
++  $(call INSTALL_CMD,0550) ossec-execd ${PREFIX}/bin
++  $
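Review bot: `$(call INSTALL_CMD,0550) -d ${PREFIX}/` replaces a 0550 root:${OSSEC_GROUP} directory with a 0550 directory owned by the installing user and that user's primary group. A 0550 top-level directory is traversable only by its owner and group, so unless ownership is fixed up afterwards the ossec accounts cannot reach anything under ${PREFIX} (logs, queue, var) at runtime; the same applies to the 0550 `${PREFIX}/bin` below it. Worth a line in the patch description and a comment at the top of the Makefile.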

[yocto] [meta-security][PATCH] libseccomp: drop recipe. In core now

2021-04-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-security/libseccomp/files/run-ptest   |  4 --
 .../libseccomp/libseccomp_2.5.1.bb| 47 ---
 2 files changed, 51 deletions(-)
 delete mode 100644 recipes-security/libseccomp/files/run-ptest
 delete mode 100644 recipes-security/libseccomp/libseccomp_2.5.1.bb

diff --git a/recipes-security/libseccomp/files/run-ptest 
b/recipes-security/libseccomp/files/run-ptest
deleted file mode 100644
index 54b4a63..000
--- a/recipes-security/libseccomp/files/run-ptest
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-cd tests
-./regression -a
diff --git a/recipes-security/libseccomp/libseccomp_2.5.1.bb 
b/recipes-security/libseccomp/libseccomp_2.5.1.bb
deleted file mode 100644
index 40ac1a8..000
--- a/recipes-security/libseccomp/libseccomp_2.5.1.bb
+++ /dev/null
@@ -1,47 +0,0 @@
-SUMMARY = "interface to seccomp filtering mechanism"
-DESCRIPTION = "The libseccomp library provides and easy to use, platform 
independent,interface to the Linux Kernel's syscall filtering mechanism: 
seccomp."
-SECTION = "security"
-LICENSE = "LGPL-2.1"
-LIC_FILES_CHKSUM = 
"file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-
-DEPENDS += "gperf-native"
-
-SRCREV = "4bf70431a339a2886ab8c82e9a45378f30c6e6c7"
-
-SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \
-   file://run-ptest \
-   "
-
-COMPATIBLE_HOST_riscv32 = "null"
-
-S = "${WORKDIR}/git"
-
-inherit autotools-brokensep pkgconfig ptest
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python3"
-
-DISABLE_STATIC = ""
-
-do_compile_ptest() {
-oe_runmake -C tests check-build
-}
-
-do_install_ptest() {
-install -d ${D}${PTEST_PATH}/tests
-install -d ${D}${PTEST_PATH}/tools
-for file in $(find tests/* -executable -type f); do
-install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
-done
-for file in $(find tests/*.tests -type f); do
-install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
-done
-for file in $(find tools/* -executable -type f); do
-install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tools
-done
-}
-
-FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*"
-FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* 
${libdir}/${PN}/tools/.debug"
-
-RDEPENDS_${PN}-ptest = "coreutils bash"
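Review bot: the commit message says 'In core now' but not since which oe-core release, and nothing else in this diff (for example LAYERSERIES_COMPAT) records the new dependency, so someone building this layer against an older core loses libseccomp outright instead of getting it from core. State the oe-core commit or release that provides libseccomp 2.5.1, and check this layer's remaining consumers: recipes-core/packagegroup/packagegroup-core-security.bb still lists `libseccomp-ptest` (visible in the tripwire patch further down this page), which now has to resolve to core's ptest package.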
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53271): https://lists.yoctoproject.org/g/yocto/message/53271
Mute This Topic: https://lists.yoctoproject.org/mt/82379034/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [yocto] [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell

2021-04-26 Thread Armin Kuster


On 4/18/21 11:41 PM, liu.min...@gmail.com wrote:
> From: Ming Liu 

I have not forgotten about these. My build system is backlogged.

I hope to process these by this weekend.

-armin
>
> Ming Liu (3):
>   ima-evm-keys: add file-checksums to IMA_EVM_X509
>   meta: drop IMA_POLICY from policy recipes
>   initramfs-framework-ima: introduce IMA_FORCE
>
>  .../initrdscripts/initramfs-framework-ima.bb | 5 +
>  .../initrdscripts/initramfs-framework-ima/ima| 9 +++--
>  .../recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb| 1 +
>  .../ima-policy-appraise-all_1.0.bb   | 9 ++---
>  .../ima_policy_hashed/ima-policy-hashed_1.0.bb   | 9 ++---
>  .../ima_policy_simple/ima-policy-simple_1.0.bb   | 9 ++---
>  6 files changed, 19 insertions(+), 23 deletions(-)
>


View/Reply Online (#53278): https://lists.yoctoproject.org/g/yocto/message/53278



Re: [yocto] Can layer maintainers add yocto-X.Y tags for yocto-3.3 and later?

2021-04-27 Thread Armin Kuster


On 4/27/21 9:48 AM, Randy MacLeod wrote:
> Hi,
>
>
> I've CCed some of the maintainers of more widely used Yocto layers
> to get comments on about tagging. Please add in people who I may
> have missed.
>
>
> For a while now, oe-core has had a yocto-X.Y tag in addition to the
> release branch name. This helps users easily find the exact commit
> that corresponds to the say 3.3 GA release. There have been some
> omissions in tagging but Michael and Richard are adjusting the
> release process so that tagging will happen more consistently.
>
> Most yocto layers have not adopted the tagging perhaps because they
> weren't aware of it so that's why I'm writing this email. Tagging
> will make it easy to find the first commit for a specific release
> independent of what the branching policy of a layer is. Layer
> maintainers sometimes create the release branch in advance of
> when oe-core is released and by adding the tag, it would make it
> clear when the layer considers content to be officially released.

So the official starting point is what you are looking for? Is there any
expectation to tag for dot release alignment?

> Of course it's up to users to decide if they are going to follow
> the HEAD of a branch or, for some reason, stick with a tagged commit
> or private branch off that commit.
>
What's more important, tag or branch? Many layers hosted on git.yp.org
don't have the 'hardknott' branch. If the discipline to create a new
branch is not there, I have a hard time believing 'tagging' will be high
on their list.

>
> Are there any concerns about attempting to do this for yocto-3.3
> and later?

Tagging in Poky has a meaning of a fully QA set of sources at a given
point of time.  It may be interpreted by users that if a tag showed up
in other layers, those layers are also fully tested.


>
> Should we make it a requirement for yocto compliance?
I think you mean 'Yocto Compatible'.  Branching is already a requirement
IIRC as the program is against a specific branch.

-armin

> Should it be a feature tested by the yocto compliance script?

>
>
>
> Here's what's in oe-core and bitbake now:
> $ cd .../oe-core.git
> $ git tag -l | grep yocto-3
> yocto-3.0
> yocto-3.1
> yocto-3.1.7
> yocto-3.2
> yocto-3.2.1
> yocto-3.3
>
> $ cd bitbake/
> $ git tag -l | grep yocto-3
> yocto-3.0
> yocto-3.1
> yocto-3.2
>



View/Reply Online (#53299): https://lists.yoctoproject.org/g/yocto/message/53299



Re: [yocto] [OE-core] [PATCH 6/7] default-distrovars.inc: add wayland/opengl to default distro features

2021-04-27 Thread Armin Kuster


On 4/27/21 9:09 AM, Randy MacLeod wrote:
> Cross-posting to yocto since this is of general interest.
>
> On 2021-04-23 2:02 p.m., Alexander Kanavin wrote:
>> This puts them on equal terms with x11 distro feature
>> (which I think is due).
>>
>> Signed-off-by: Alexander Kanavin 
>> ---
>>   meta/conf/distro/include/default-distrovars.inc | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/meta/conf/distro/include/default-distrovars.inc
>> b/meta/conf/distro/include/default-distrovars.inc
>> index 9fcc10f83a..384ee7fc98 100644
>> --- a/meta/conf/distro/include/default-distrovars.inc
>> +++ b/meta/conf/distro/include/default-distrovars.inc
>> @@ -10,7 +10,7 @@ LOCALE_UTF8_ONLY ?= "0"
>>   LOCALE_UTF8_IS_DEFAULT ?= "1"
>>   LOCALE_UTF8_IS_DEFAULT_class-nativesdk = "0"
>>   -DISTRO_FEATURES_DEFAULT ?= "acl alsa argp bluetooth debuginfod
>> ext2 ipv4 ipv6 largefile pcmcia usbgadget usbhost wifi xattr nfs
>> zeroconf pci 3g nfc x11 vfat"
>> +DISTRO_FEATURES_DEFAULT ?= "acl alsa argp bluetooth debuginfod ext2
>> ipv4 ipv6 largefile pcmcia usbgadget usbhost wifi xattr nfs zeroconf
>> pci 3g nfc x11 vfat wayland opengl"
>>   DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT}"
>>   IMAGE_FEATURES ?= ""
>>  
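Review bot: changing `DISTRO_FEATURES_DEFAULT` to end in `x11 vfat wayland opengl` turns both features on for every distro that does not define its own DISTRO_FEATURES, headless ones included, and the message only says it puts them on a par with x11. For a device that never renders, that is extra packages and attack surface pulled in by default; the commit message (and the release migration notes) should name the opt-out, `DISTRO_FEATURES_remove = "wayland opengl"`, and the BSP/mesa software-rendering concern raised in this thread should be settled before it lands.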
>
Randy,


> We (Wind River) already drop the x11 DF from some of our distros and
> we'd likely do the same for wayland and opengl so while this seems
> like the wrong change for headless systems it is one we could deal with.
>
> There was some discussion about this topic on the tech call today and
> people were concerned about BSP support for opengl since the software
> rendering in mesa is horridly slow.

Thanks for bringing this issue up.

>
> Kevin, Bryan,
> Can you comment if you think we'd have any show-stopper problems
> with opengl support for BSPs?

Err, are they going to check my BSP ; )

>
> Joshua said that weston has a usable RDP (remote desktop backend) but
> I'm not sure how usable it is especially for single application sharing.
> This contrasts with x11 where you can use X11 forwarding over
> ssh trivially for whole desktops or an application.
>
> In conclusion, I see the value in pushing yocto forward but we may need
> to wait for agreement from BSP folks so let's see what they say.
The layer index BSP list is long, so waiting for feedback may not be
practical. I think it is more a matter of awareness, and of how the BSP
maintainers can work around the default if there are issues, rather than
stopping this progress in core.

I personally would rather see my layer break so that I will be forced to
take action. I see this as being no different from when we update
u-boot or the kernel.

- armin

> ../Randy
>
>
>>
>>
>>
>>
>
>
>
> 
>



View/Reply Online (#53301): https://lists.yoctoproject.org/g/yocto/message/53301



Re: [yocto] AppArmor with BusyBox

2021-04-27 Thread Armin Kuster


On 4/27/21 8:33 PM, Khem Raj wrote:
>
>
> On Tue, Apr 27, 2021 at 3:34 PM Konstantin Aladyshev
> <aladyshe...@gmail.com> wrote:
>
> I've added `IMAGE_INSTALL += "findutils"` to my `conf/local.conf`
> file, and it seems like it was enough. There weren't any build
> conflicts.
>
> Should the AppArmor recipe be upgraded in some way to indicate that it
> needs a full-featured findutils package instead of a busybox one?
>
>
> I think it will be useful to dig a bit further and find out what
> option does it need from findutils package sometimes this could be
> solved by using compatible options etc 
>
> If we find out that it has hard dependency on findutils then it should
> be added to apparmor recipe RDEPENDS

You are using systemd.

There is a comment regarding coreutils and findutils

# Add coreutils and findutils only if sysvinit scripts are in use

Patches welcome.

- Armin


>
>
>
> Best regards,
> Konstantin Aladyshev
>
> On Mon, Apr 26, 2021 at 5:08 PM Quentin Schulz
>  > wrote:
> >
> > Hi Konstantin,
> >
> > On Mon, Apr 26, 2021 at 01:45:30PM +0300, Konstantin Aladyshev
> wrote:
> > > I'm using the OpenBMC system
> (https://github.com/openbmc/openbmc) and
> > > I've tried to enable AppArmor functionality from the
> 'meta-security'
> > > layer.
> > >
> > > To achieve this I've added these strings to my local.conf file:
> > > DISTRO_FEATURES_append = " apparmor"
> > > IMAGE_INSTALL += "apparmor"
> > >
> > > The AppArmor functionality was installed to my image, but
> > > unfortunately I've come to this issue:
> > >
> > > kernel: AppArmor: AppArmor initialized
> > > kernel: AppArmor: AppArmor Filesystem Enabled
> > > kernel: AppArmor: AppArmor sha1 policy hashing enabled
> > > systemd[1]: systemd 247.3+ running in system mode. (+PAM -AUDIT
> > > -SELINUX -IMA -APPARMOR -SMACK +SYSVINIT -UTMP -LIBCRYPTSETUP
> -GCRYPT
> > > -GNUTLS -ACL +XZ -LZ4 -ZSTD -SECCOMP +BLKID -ELFUTILS +KMOD
> -IDN2 -IDN
> > > -PCRE2 default-hierarchy=hybrid)
> > > systemd[1]: Starting AppArmor initialization...
> > > apparmor[113]: Starting AppArmor profiles
> > > apparmor[128]: xargs: invalid option -- 'd'
> >
> > Busybox implementation of xargs does not support specifying a
> delimiter.
> >
> > I suggest you to install the full-featured xargs which is
> provided by
> > the findutils recipe.
> >
> > You probably need to disable xargs Busybox implementation otherwise
> > there'll be a conflict (you'll know, Yocto won't create the image).
> >
> > Cheers,
> > Quentin
>
>
>
>
> 
>



View/Reply Online (#53310): https://lists.yoctoproject.org/g/yocto/message/53310
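Quentin's diagnosis and Armin's pointer to the recipe comment both turn on one fact: BusyBox xargs has no -d. As an added illustration, not the AppArmor init script and not code from meta-security or from anyone in this thread, the POSIX sh sketch below shows how a script can probe for that option and still walk a directory of profile files without it. The function names and the sample file names are invented for the example; it assumes find -print0 and xargs -0 are available, which BusyBox provides when FEATURE_XARGS_SUPPORT_ZERO_TERM is enabled.

```shell
#!/bin/sh
# Added example (not the AppArmor init script, not meta-security code):
# process a directory of profile files without "xargs -d", which GNU
# findutils accepts and BusyBox xargs rejects with "invalid option -- 'd'".
# Assumptions: POSIX sh; find -print0 and xargs -0 exist on the target.

# Probe: exit 0 if the xargs on PATH accepts -d (GNU findutils), 1 otherwise.
xargs_supports_delim() {
    printf 'x\n' | xargs -d '\n' true >/dev/null 2>&1
}

# Portable form: hand every regular file under $1 to the command in "$@",
# NUL-separated so file names containing spaces arrive intact.
run_on_profiles() {
    dir=$1
    shift
    find "$dir" -type f -print0 | xargs -0 "$@"
}

# Fallback when even -0 is unavailable: iterate in the shell. Costs one
# process per file and cannot cope with a name containing a newline.
run_on_profiles_loop() {
    dir=$1
    shift
    find "$dir" -type f -print | while IFS= read -r f; do
        "$@" "$f"
    done
}

# Number of arguments the consumer receives in one batch (xargs form).
count_profiles() {
    run_on_profiles "$1" sh -c 'echo "$#"' argv0
}

# Number of invocations the consumer receives (loop form).
count_profiles_loop() {
    run_on_profiles_loop "$1" echo | wc -l | tr -d ' '
}

# Constructed sample: three empty "profiles", one with a space in its name.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/usr.bin.example"
    : > "$d/usr.sbin.example-daemon"
    : > "$d/local override"
    printf '%s\n' "$d"
}

if xargs_supports_delim; then
    echo "xargs -d works here (GNU findutils)"
else
    echo "xargs -d unsupported; the -0 and loop forms still work"
fi
sample=$(make_sample_dir)
echo "files delivered in one batch: $(count_profiles "$sample")"
echo "files delivered one by one:   $(count_profiles_loop "$sample")"
rm -rf "$sample"
```

Of the two forms, the -0 pipeline is the one to prefer: it keeps the single-invocation behaviour of `xargs -d` and needs no extra package on a BusyBox image, which is exactly the dependency question raised in this thread.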



Re: [yocto] [meta-security] [dunfell] [PATCH 0/3] Backport several IMA fixes to LTS dunfell

2021-04-28 Thread Armin Kuster
merged.

thanks

On 4/18/21 11:41 PM, liu.min...@gmail.com wrote:
> From: Ming Liu 
>
> Ming Liu (3):
>   ima-evm-keys: add file-checksums to IMA_EVM_X509
>   meta: drop IMA_POLICY from policy recipes
>   initramfs-framework-ima: introduce IMA_FORCE
>
>  .../initrdscripts/initramfs-framework-ima.bb | 5 +
>  .../initrdscripts/initramfs-framework-ima/ima| 9 +++--
>  .../recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb| 1 +
>  .../ima-policy-appraise-all_1.0.bb   | 9 ++---
>  .../ima_policy_hashed/ima-policy-hashed_1.0.bb   | 9 ++---
>  .../ima_policy_simple/ima-policy-simple_1.0.bb   | 9 ++---
>  6 files changed, 19 insertions(+), 23 deletions(-)
>


View/Reply Online (#53318): https://lists.yoctoproject.org/g/yocto/message/53318



Re: [yocto] Can layer maintainers add yocto-X.Y tags for yocto-3.3 and later?

2021-04-29 Thread Armin Kuster


On 4/27/21 10:06 AM, Khem Raj wrote:
> On Tue, Apr 27, 2021 at 9:48 AM Randy MacLeod
>  wrote:
>> Hi,
>>
>>
>> I've CCed some of the maintainers of more widely used Yocto layers
>> to get comments on about tagging. Please add in people who I may
>> have missed.
>>
>>
>> For a while now, oe-core has had a yocto-X.Y tag in addition to the
>> release branch name. This helps users easily find the exact commit
>> that corresponds to the say 3.3 GA release. There have been some
>> omissions in tagging but Michael and Richard are adjusting the
>> release process so that tagging will happen more consistently.
>>
>> Most yocto layers have not adopted the tagging perhaps because they
>> weren't aware of it so that's why I'm writing this email. Tagging
>> will make it easy to find the first commit for a specific release
>> independent of what the branching policy of a layer is. Layer
>> maintainers sometimes create the release branch in advance of
>> when oe-core is released and by adding the tag, it would make it
>> clear when the layer considers content to be officially released.
>> Of course it's up to users to decide if they are going to follow
>> the HEAD of a branch or, for some reason, stick with a tagged commit
>> or private branch off that commit.
>>
> I think this could be a good thing, although it does put the burden on
> release maintainers. mostly they
> test against the tip of the release branch,  So if yocto project
> testing is including these layers for wider
> testing and can then recommend a validated commit then perhaps this
> could be made viable.

That could open up a can of worms as who will fix the QA test failures?

-armin


>
>> Are there any concerns about attempting to do this for yocto-3.3
>> and later?
>>
>> Should we make it a requirement for yocto compliance?
>> Should it be a feature tested by the yocto compliance script?
>>
>>
>>
>> Here's what's in oe-core and bitbake now:
>> $ cd .../oe-core.git
>> $ git tag -l | grep yocto-3
>> yocto-3.0
>> yocto-3.1
>> yocto-3.1.7
>> yocto-3.2
>> yocto-3.2.1
>> yocto-3.3
>>
>> $ cd bitbake/
>> $ git tag -l | grep yocto-3
>> yocto-3.0
>> yocto-3.1
>> yocto-3.2
>>
>> --
>> # Randy MacLeod
>> # Wind River Linux



View/Reply Online (#53327): https://lists.yoctoproject.org/g/yocto/message/53327



Re: [yocto] [PATCH yocto-autobuilder2 1/2] meta-arm has a hardknott branch now

2021-04-29 Thread Armin Kuster


On 4/29/21 2:25 PM, Ross Burton wrote:
> On Thu, 29 Apr 2021 at 20:35, Randy MacLeod  
> wrote:
>> It doesn't have a yocto-3.3 tag yet...
>> Could you add one?
> When we actually release, yes.
So do you plan on doing the dot releases too?

-armin
> Ross
>
> 
>


View/Reply Online (#53329): https://lists.yoctoproject.org/g/yocto/message/53329



Re: [yocto] Can layer maintainers add yocto-X.Y tags for yocto-3.3 and later?

2021-04-29 Thread Armin Kuster


On 4/29/21 12:37 PM, Randy MacLeod wrote:
> On 2021-04-27 1:06 p.m., Khem Raj wrote:
>> On Tue, Apr 27, 2021 at 9:48 AM Randy MacLeod
>>  wrote:
>>> Hi,
>>>
>>>
>>> I've CCed some of the maintainers of more widely used Yocto layers
>>> to get comments on about tagging. Please add in people who I may
>>> have missed.
>>>
>>>
>>> For a while now, oe-core has had a yocto-X.Y tag in addition to the
>>> release branch name. This helps users easily find the exact commit
>>> that corresponds to the say 3.3 GA release. There have been some
>>> omissions in tagging but Michael and Richard are adjusting the
>>> release process so that tagging will happen more consistently.
>>>
>>> Most yocto layers have not adopted the tagging perhaps because they
>>> weren't aware of it so that's why I'm writing this email. Tagging
>>> will make it easy to find the first commit for a specific release
>>> independent of what the branching policy of a layer is. Layer
>>> maintainers sometimes create the release branch in advance of
>>> when oe-core is released and by adding the tag, it would make it
>>> clear when the layer considers content to be officially released.
>>> Of course it's up to users to decide if they are going to follow
>>> the HEAD of a branch or, for some reason, stick with a tagged commit
>>> or private branch off that commit.
>>>
>> I think this could be a good thing, although it does put the burden on
>> release maintainers. mostly they
>> test against the tip of the release branch,  So if yocto project
>> testing is including these layers for wider
>> testing and can then recommend a validated commit then perhaps this
>> could be made viable.
>
>
> How about:
>
> https://git.openembedded.org/meta-openembedded/commit/?id=71b546ed8595b14d29efc1e8b951f8c845ad10c4
>

The implication here is that the Yocto Project has run QA if this is in
response to Khem's statement above, or am I misinterpreting your
recommendation?


Now regarding meta-security, I would not use a "yocto" named tag. I am
not a fan of an upstream project telling me to use their tagging
scheme. If I do that, then I need to be open to Wind River, MontaVista,
Petalinux, Mentor, Enea, Arm, etc. tags. Those companies send me
patches. Does Red Hat tell kernel.org to use their tags? No, it's the
other way around.

If I were to tag meta-security, I would have to write up its meaning
and possibly a policy/process around it, so that if a new maintainer came
along they could continue that process or do something else. This is a
hard sell, as I am not seeing the benefit to this layer of adopting a
tagging scheme.

- Armin

>
> ../Randy
>
>>
>>> Are there any concerns about attempting to do this for yocto-3.3
>>> and later?
>>>
>>> Should we make it a requirement for yocto compliance?
>>> Should it be a feature tested by the yocto compliance script?
>>>
>>>
>>>
>>> Here's what's in oe-core and bitbake now:
>>> $ cd .../oe-core.git
>>> $ git tag -l | grep yocto-3
>>> yocto-3.0
>>> yocto-3.1
>>> yocto-3.1.7
>>> yocto-3.2
>>> yocto-3.2.1
>>> yocto-3.3
>>>
>>> $ cd bitbake/
>>> $ git tag -l | grep yocto-3
>>> yocto-3.0
>>> yocto-3.1
>>> yocto-3.2
>>>
>>> -- 
>>> # Randy MacLeod
>>> # Wind River Linux
>
>



View/Reply Online (#53331): https://lists.yoctoproject.org/g/yocto/message/53331



Re: [yocto] what OE/YP layers should be considered "supported"?

2021-05-04 Thread Armin Kuster
Hello Robert,

On 5/4/21 2:03 PM, Robert P. J. Day wrote:
>   related to something that richard purdie mentioned on the OE list,
> if one wanted to do a YP-wide "cleanup" of some indeterminate form,
> what are the layers that would be considered mandatory to cover in
> such a cleanup?
I don't have any context for the email you are referring to. Can you
include it, please?
Supported will mean different things to different people.

-Armin
>   no-brainers would, of course, include:
>
>   * oe-core
>   * meta-openembedded
>
> beyond that, what else? i would think:
>
>   * meta-virtualization
>   * meta-java
>   * meta-security
>   * ... more? ...
>
> and there are the vendor layers:
>
>   * meta-intel
>   * meta-freescale
>   * meta-qcom
>   * meta-boundary
>
> where can one stop?
>
> rday
>
> 
>


View/Reply Online (#53383): https://lists.yoctoproject.org/g/yocto/message/53383



[yocto] [meta-security][PATCH 2/2] tpm2-pkcs11: Update to 1.6.0

2021-05-08 Thread Armin Kuster
Includes gcc11 fix.
Added p11-kit
Minor cleanup

Signed-off-by: Armin Kuster 
---
 .../recipes-tpm2/tpm2-pkcs11/files/677.patch  | 295 ++
 ...2-pkcs11_1.5.0.bb => tpm2-pkcs11_1.6.0.bb} |  27 +-
 2 files changed, 314 insertions(+), 8 deletions(-)
 create mode 100644 meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
 rename meta-tpm/recipes-tpm2/tpm2-pkcs11/{tpm2-pkcs11_1.5.0.bb => 
tpm2-pkcs11_1.6.0.bb} (76%)

diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch 
b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
new file mode 100644
index 000..5c91a5e
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
@@ -0,0 +1,295 @@
+From 2b74d3df9b3b6932052ace627b21ff1352aa2932 Mon Sep 17 00:00:00 2001
+From: William Roberts 
+Date: Wed, 5 May 2021 13:32:05 -0500
+Subject: [PATCH 1/4] test: fix build for gcc11
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes 0 size regions by ignoring them. The test code intentionally does
+bad things.
+
+test/unit/test_twist.c: In function ‘test_twistbin_aappend_twist_null’:
+test/unit/test_twist.c:327:18: error: ‘twistbin_aappend’ accessing 16 bytes in 
a region of size 0 [-Werror=stringop-overflow=]
+  327 | actual = twistbin_aappend(expected, (binarybuffer *) 
0xDEADBEEF, 0);
+  |  
^~
+
+Signed-off-by: William Roberts 
+
+Upstream-Status: Pending
+Fix out for merge to offical repo
+
+Signed-off-by: Armin Kuster 
+
+---
+ test/unit/test_twist.c | 12 
+ 1 file changed, 12 insertions(+)
+
+diff --git a/test/unit/test_twist.c b/test/unit/test_twist.c
+index ec66f69f..58d4530a 100644
+--- a/test/unit/test_twist.c
 b/test/unit/test_twist.c
+@@ -244,15 +244,23 @@ void test_twistbin_create(void **state) {
+ void test_twistbin_new_overflow_1(void **state) {
+ (void) state;
+ 
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wpragmas"
++#pragma GCC diagnostic ignored "-Wstringop-overflow"
+   twist actual = twistbin_new((void *) 0xDEADBEEF, ~0);
+   assert_null(actual);
++#pragma GCC diagnostic pop
+ }
+ 
+ void test_twistbin_new_overflow_2(void **state) {
+ (void) state;
+ 
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wpragmas"
++#pragma GCC diagnostic ignored "-Wstringop-overflow"
+   twist actual = twistbin_new((void *) 0xDEADBEEF, ~0 - sizeof(void *));
+   assert_null(actual);
++#pragma GCC diagnostic pop
+ }
+ 
+ void test_twistbin_new_overflow_3(void **state) {
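Review bot: the three-line `#pragma GCC diagnostic push` / `ignored "-Wpragmas"` / `ignored "-Wstringop-overflow"` prelude is duplicated verbatim in both tests here and once more in the next hunk; a small macro pair in the test header would keep the intent in one place and document why (the tests deliberately pass `(void *) 0xDEADBEEF` with a length of `~0` so the overflow check must reject the call before anything is accessed). Ignoring `-Wpragmas` first is the right move, since it keeps older compilers that lack `-Wstringop-overflow` from failing on the unknown warning name.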
+@@ -318,8 +326,12 @@ void test_twistbin_aappend_twist_null(void **state) {
+   twist actual = twistbin_aappend(expected, NULL, 42);
+   assert_ptr_equal((void * )actual, (void * )expected);
+ 
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wpragmas"
++#pragma GCC diagnostic ignored "-Wstringop-overflow"
+   actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0);
+   assert_ptr_equal((void * )actual, (void * )expected);
++#pragma GCC diagnostic pop
+ 
+   twist_free(actual);
+ }
+
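Review bot: the suppression around `actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0);` is only justified because a zero count must never touch the pointer; a one-line comment in the source stating that contract would save the next reader a trip to the commit message. Also 'offical' in the Upstream-Status note above this hunk is a typo for 'official'.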
+From 5bea05613e638375b73e29e5d56a9dabcfd2269d Mon Sep 17 00:00:00 2001
+From: William Roberts 
+Date: Wed, 5 May 2021 11:52:23 -0500
+Subject: [PATCH 2/4] utils: fix stringop-overread in str_padded_copy
+
+cc1: all warnings being treated as errors
+| make: *** [Makefile:1953: src/lib/slot.lo] Error 1
+| make: *** Waiting for unfinished jobs
+| In file included from src/lib/mutex.h:10,
+| from src/lib/session_ctx.h:6,
+| from src/lib/digest.h:13,
+| from src/lib/tpm.c:28:
+| In function 'str_padded_copy',
+| inlined from 'tpm_get_token_info' at src/lib/tpm.c:742:5:
+| src/lib/utils.h:42:5: error: 'strnlen' specified bound 32 exceeds source 
size 5 [-Werror=stringop-overread]
+| 42 | memcpy(dst, src, strnlen((char *)(src), dst_len));
+| | ^
+| src/lib/utils.h: In function 'tpm_get_token_info':
+| src/lib/tpm.c:739:19: note: source object declared here
+| 739 | unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + 
'\0' as temp storage
+| | ^~
+| cc1: all warnings being treated as errors
+| make: *** [Makefile:1953: src/lib/tpm.lo] Error 1
+| WARNING: exit code 1 from a shell command.
+
+Fixes #676
+
+Signed-off-by: William Roberts 
+---
+ src/lib/general.c | 8 
+ src/lib/general.h | 2 +-
+ src/lib/slot.c| 4 ++--
+ src/lib/token.c   | 4 ++--
+ src/lib/tpm.c | 7 +++
+ src/lib/utils.h   | 6 --
+ 6 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/src/lib/general.c b/src/lib/general.c
+index 9b7327c1..eaddaf82 100644
+--- a/src/lib/general.c
 b/src/lib/general.c
+@@ -19,8 +19,8 @@
+   #define VERSION "UNKNOWN"
+ #endif
+ 
+-#define LIBRARY_DESCRIPTION (CK_UTF8CHAR_PTR)"TPM2.0 Cryptoki"
+-#de

[yocto] [meta-security][PATCH 1/2] tripwire: Blacklist pkg, upstream seems abandoned

2021-05-08 Thread Armin Kuster
Last update was 2018. Does not build with gcc11.
There are other actively maintained IDS options.

Signed-off-by: Armin Kuster 
---
 recipes-core/packagegroup/packagegroup-core-security.bb | 2 --
 recipes-ids/tripwire/tripwire_2.4.3.7.bb| 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb 
b/recipes-core/packagegroup/packagegroup-core-security.bb
index a6142a8..6d2dd7c 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -68,7 +68,6 @@ RDEPENDS_packagegroup-security-hardening = " \
 
 SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems"
 RDEPENDS_packagegroup-security-ids = " \
-tripwire \
 samhain-standalone \
 ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " 
suricata",d)} \
 "
@@ -89,7 +88,6 @@ RDEPENDS_packagegroup-meta-security-ptest-packages = "\
 libseccomp-ptest \
 python3-scapy-ptest \
 suricata-ptest \
-tripwire-ptest \
 python3-fail2ban-ptest \
 ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
 "
diff --git a/recipes-ids/tripwire/tripwire_2.4.3.7.bb 
b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
index 4f50bff..36e5d00 100644
--- a/recipes-ids/tripwire/tripwire_2.4.3.7.bb
+++ b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -73,3 +73,5 @@ FILES_${PN}-ptest += "${PTEST_PATH}/tests "
 
 RDEPENDS_${PN} += " perl nano msmtp cronie"
 RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules "
+
+PNBLACKLIST[tripwire] ?= "Upsteram project appears to be abondoned, fails to 
build with gcc11"
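Review bot: the user-facing blacklist reason has two typos, `Upsteram` and `abondoned`; suggest `PNBLACKLIST[tripwire] ?= "Upstream project appears to be abandoned, fails to build with gcc11"`. The weak `?=` is a good choice, as a distro that still wants tripwire can clear it from its own config. Note also that the two packagegroup hunks above silently drop the file-integrity checker from every image pulling in packagegroup-security-ids, while this PNBLACKLIST message only fires when tripwire itself is requested; a line in the commit message or the layer README pointing at the remaining option (`samhain-standalone` is the one still listed there) would help users notice.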
-- 
2.25.1


View/Reply Online (#53420): https://lists.yoctoproject.org/g/yocto/message/53420



[yocto] [meta-security][PATCH 2/6] ossec-hids: add UPSTREAM_CHECK_COMMITS

2021-05-09 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-ids/ossec/ossec-hids_3.6.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-ids/ossec/ossec-hids_3.6.0.bb 
b/recipes-ids/ossec/ossec-hids_3.6.0.bb
index 10354a7..242bbdb 100644
--- a/recipes-ids/ossec/ossec-hids_3.6.0.bb
+++ b/recipes-ids/ossec/ossec-hids_3.6.0.bb
@@ -11,6 +11,8 @@ SRC_URI = "git://github.com/ossec/ossec-hids;branch=master \
 
 SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2"
 
+UPSTREAM_CHECK_COMMITS = "1"
+
 inherit autotools-brokensep  useradd
 
 S = "${WORKDIR}/git"
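Review bot: `UPSTREAM_CHECK_COMMITS = "1"` makes the upstream check report every new commit on the `branch=master` named in SRC_URI, yet PV 3.6.0 suggests upstream tags its releases; if the intent is to follow releases, `UPSTREAM_CHECK_GITTAGREGEX` with the tag pattern is the better fit. If tracking commits is intentional, the pinned `SRCREV` is then the only record of what was taken, so a dated comment next to it (as the clamav patch in this series does with `# May 2nd`) makes the next bump reviewable.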
-- 
2.25.1


View/Reply Online (#53424): https://lists.yoctoproject.org/g/yocto/message/53424



[yocto] [meta-security][PATCH 3/6] python3-scapy: add UPSTREAM_CHECK_COMMITS

2021-05-09 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-security/scapy/python3-scapy_2.4.4.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-security/scapy/python3-scapy_2.4.4.bb 
b/recipes-security/scapy/python3-scapy_2.4.4.bb
index 8d81ed1..23ddfce 100644
--- a/recipes-security/scapy/python3-scapy_2.4.4.bb
+++ b/recipes-security/scapy/python3-scapy_2.4.4.bb
@@ -13,6 +13,8 @@ SRC_URI = "git://github.com/secdev/scapy.git \
 
 S = "${WORKDIR}/git"
 
+UPSTREAM_CHECK_COMMITS = "1"
+
 inherit setuptools3 ptest
 
 do_install_append() {
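Review bot: Same question as for the other UPSTREAM_CHECK_COMMITS additions in this series: the recipe is python3-scapy_2.4.4, a release version, but the commit-based check flags every commit on the scapy branch as newer, so its result will never line up with the release numbering; a tag regex would, if releases are what the recipe follows. A minor style point: the variable is inserted between S and inherit here, whereas the ossec-hids change puts it directly after SRCREV; keeping the fetch-related variables together next to SRC_URI makes the recipes easier to compare.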
-- 
2.25.1


View/Reply Online (#53425): https://lists.yoctoproject.org/g/yocto/message/53425



[yocto] [meta-security][PATCH 1/6] clamav: update to tip.

2021-05-09 Thread Armin Kuster
Add UPSTREAM_CHECK

Signed-off-by: Armin Kuster 
---
 recipes-scanners/clamav/clamav_0.104.0.bb | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb 
b/recipes-scanners/clamav/clamav_0.104.0.bb
index 36e498d..6892bb0 100644
--- a/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -8,7 +8,8 @@ DEPENDS = "glibc llvm libtool db openssl zlib curl libxml2 
bison pcre2 json-c li
  
 LIC_FILES_CHKSUM = 
"file://COPYING.txt;beginline=2;endline=3;md5=f7029fbbc5898b273d5902896f7bbe17"
 
-SRCREV = "5553a5e206ceae5d920368baee7d403f823bcb6f"
+# May 2nd
+SRCREV = "de0086aa918b79cd22570d0c05977a288b197e23"
 
 SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=dev/0.104 \
 file://clamd.conf \
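Review bot: The comment "# May 2nd" above the new SRCREV gives a day but no year and no hint of what the update brings, so a reader in a later year cannot tell which May is meant or why 5553a5e was replaced by de0086a. Record the full date or, better, the reason for the bump (what changed on dev/0.104), and drop the comment if it only duplicates what git log shows.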
@@ -28,6 +29,8 @@ BINCONFIG = "${bindir}/clamav-config"
 
 inherit cmake chrpath pkgconfig useradd systemd multilib_header multilib_script
 
+UPSTREAM_CHECK_COMMITS = "1"
+
 CLAMAV_UID ?= "clamav"
 CLAMAV_GID ?= "clamav"
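Review bot: With UPSTREAM_CHECK_COMMITS = "1" the upstream check follows the dev/0.104 branch named in SRC_URI, which is consistent with a recipe that tracks an unreleased development line, but PV 0.104.0 reads like a release; the commit message should state that the recipe deliberately tracks a development branch. Placing the variable next to SRC_URI/SRCREV rather than between inherit and CLAMAV_UID would also keep the fetch settings together.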
 
-- 
2.25.1


View/Reply Online (#53423): https://lists.yoctoproject.org/g/yocto/message/53423



[yocto] [meta-security][PATCH 4/6] suricata: 4.1.x add UPSTREAM_CHECK_REGEX

2021-05-09 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-ids/suricata/suricata_4.1.10.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-ids/suricata/suricata_4.1.10.bb 
b/recipes-ids/suricata/suricata_4.1.10.bb
index 3f7beaa..bf08843 100644
--- a/recipes-ids/suricata/suricata_4.1.10.bb
+++ b/recipes-ids/suricata/suricata_4.1.10.bb
@@ -12,6 +12,8 @@ SRC_URI += " \
 file://run-ptest \
 "
 
+UPSTREAM_CHECK_URI = "www.openinfosecfoundation.org/download"
+
 inherit autotools-brokensep pkgconfig python3-dir systemd ptest
 
 CFLAGS += "-D_DEFAULT_SOURCE -fcommon"
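Review bot: The subject says "add UPSTREAM_CHECK_REGEX" but the hunk adds UPSTREAM_CHECK_URI, so one of the two needs correcting. The value "www.openinfosecfoundation.org/download" has no URL scheme; the upstream check fetches this page with the normal fetcher, so it should be written as a full URL, https://www.openinfosecfoundation.org/download. Without an UPSTREAM_CHECK_REGEX next to it, version detection falls back to the default pattern, which may or may not pick the 4.1.x tarball names out of that download page; a `devtool check-upgrade-status suricata` run would confirm before merging.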
-- 
2.25.1


View/Reply Online (#53426): https://lists.yoctoproject.org/g/yocto/message/53426



[yocto] [meta-security][PATCH 5/6] ibmswtpm2: update to 1661

2021-05-09 Thread Armin Kuster
Drop patch now included in updated

Signed-off-by: Armin Kuster 
---
 .../ibmswtpm2/files/fix-wrong-cast.patch  | 27 ---
 .../{ibmswtpm2_1637.bb => ibmswtpm2_1661.bb}  | 10 +++
 2 files changed, 4 insertions(+), 33 deletions(-)
 delete mode 100644 meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
 rename meta-tpm/recipes-tpm2/ibmswtpm2/{ibmswtpm2_1637.bb => 
ibmswtpm2_1661.bb} (69%)

diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch 
b/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
deleted file mode 100644
index f2938e0..000
--- a/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Fix strict aliasing issue of gcc10
-
-fixes:
-
-TpmFail.c: In function 'TpmLogFailure':
-TpmFail.c:217:23: error: dereferencing type-punned pointer will break 
strict-aliasing rules [-Werror=strict-aliasing]
-  217 | s_failFunction = *(UINT32 *)&function; /* kgold */
-  |   ^~~
-cc1: all warnings being treated as errors
-
-Upstream-Status: Submitted
-
-Signed-off-by: Jens Rehsack 
-
-Index: src/TpmFail.c
-===
 src.orig/TpmFail.c 2020-09-10 15:43:57.085063875 +0200
-+++ src/TpmFail.c  2020-09-10 15:48:35.563302634 +0200
-@@ -214,7 +214,7 @@
- // On a 64-bit machine, this may truncate the address of the string
- // of the function name where the error occurred.
- #if FAIL_TRACE
--s_failFunction = *(UINT32 *)&function;/* kgold */
-+memcpy(&s_failFunction, function, sizeof(uint32_t));  /* kgold */
- s_failLine = line;
- #else
- s_failFunction = 0;
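Review bot: Dropping fix-wrong-cast.patch is only safe if ibmtpm1661 really carries the memcpy replacement for the type-punned cast in TpmFail.c; the patch was marked Upstream-Status: Submitted, not Accepted, and the commit message ("Drop patch now included in updated") does not say where that was verified. Please state in the commit message that 1661 builds with gcc10 and -Werror=strict-aliasing, or keep the patch until that is confirmed.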
diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb 
b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb
similarity index 69%
rename from meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb
rename to meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb
index 301980d..7ea40a8 100644
--- a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb
+++ b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb
@@ -17,13 +17,11 @@ DEPENDS = "openssl"
 
 SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz 
\
file://tune-makefile.patch \
-   file://fix-wrong-cast.patch \
"
-SRC_URI[md5sum] = "43b217d87056e9155633925eb6ef749c"
-SRC_URI[sha256sum] = 
"dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327"
-SRC_URI[sha1sum] = "ab4b94079e57a86996991e8a2b749ce063e4ad3e"
-SRC_URI[sha384sum] = 
"bbef16a934853ce78cba7ddc766aa9d7ef3cde3430a322b1be772bf3ad4bd6d413ae9c4de21bc1a4879d17dfe2aadc1d"
-SRC_URI[sha512sum] = 
"007aa415cccf19a2bcf789c426727dc4032dcb04cc9d11eedc231d2add708c1134d3d5ee5cfbe7de68307c95fff7a30bd306fbd8d53c198a5ef348440440a6ed"
+
+SRC_URI[sha256sum] = 
"55145928ad2b24f34be6a0eacf9fb492e10e0ea919b8428c721fa970e85d6147"
+
+UPSTREAM_CHECK_REGEX = "libtpm(?P).tar.gz"
 
 S = "${WORKDIR}/src"
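Review bot: The new UPSTREAM_CHECK_REGEX does not match the archive name used by SRC_URI a few lines above: SRC_URI fetches ibmtpm${PV}.tar.gz, but the regex starts with "libtpm", and as it appears in this posting the named group reads "(?P)" with no group name or pattern, which is not a valid Python regular expression (it needs something like (?P<pver>\d+)). The dots should also be escaped. UPSTREAM_CHECK_REGEX = "ibmtpm(?P<pver>\d+)\.tar\.gz" is the shape that would match the SourceForge file list. Reducing the checksum list to a single sha256sum is fine and matches current OE practice.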
 
-- 
2.25.1


View/Reply Online (#53427): https://lists.yoctoproject.org/g/yocto/message/53427



[yocto] [meta-security][PATCH 6/6] ibmtpm2tss: update to tip

2021-05-09 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb 
b/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb
index 4d9b554..ae8974b 100644
--- a/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb
+++ b/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb
@@ -17,11 +17,13 @@ DEPENDS = "openssl ibmswtpm2"
 
 inherit autotools pkgconfig
 
-SRCREV = "3e736f712ba53c8f06e66751f60fae428fd2e20f"
+SRCREV = "c4e131e34ec0ed09411aa3bc76f76129ef881573"
 SRC_URI = " git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1 \
file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \
"
 
+UPSTREAM_CHECK_COMMITS = "1"
+
 EXTRA_OECONF = "--disable-tpm-1.2"
 
 S = "${WORKDIR}/git"
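Review bot: The SRCREV bump from 3e736f7 to c4e131e comes with no note of what changed or when, and SRC_URI uses nobranch=1, so nothing in the recipe records which branch the new commit comes from; since the recipe keeps PV 1.6.0 while tracking tip, consider a PV of the form 1.6.0+git${SRCPV} and a one-line reason in the commit message. UPSTREAM_CHECK_COMMITS itself is appropriate for a tip-tracking recipe.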
-- 
2.25.1


View/Reply Online (#53428): https://lists.yoctoproject.org/g/yocto/message/53428



Re: [yocto] [Openembedded-architecture] Open Source Maintainers - An open letter/request

2021-05-10 Thread Armin Kuster


On 5/10/21 8:14 AM, Richard Purdie wrote:
> TLDR: The project is seen as mature, employers don't prioritise maintaining
> things and we're struggling for maintainers and help with day to day work
>
>
> Open source projects survive, not just through development work and 
> contributions of new features but through a whole load of "unglamorous" 
> day to day "admin" work. This may be tracking down a regression, 
> triaging failing builds, making a release of a component, reviewing a 
> patch, documenting something or many other activities.
>
> I love the fact we have active contributions, particularly for new features
> but we are continuing to struggle in many of the other areas above. I am
> extremely grateful for the help we do receive with these tasks!
>
> As a project we have automated an absolute ton of things, we can test
> changes in ways we could only dream of a few years ago but maintaining
> this automation, tracking down regressions and ensuring it all stays working
> does have a cost.
>
> I am worried, not just about the core of the project, but the wider layer
> ecosystem since "layer maintainer" isn't seen as a particularly interesting
> career enabling focus by employers and it seems a lot of this work isn't 
> being 
> recognised. Internal business pressures are often continually being
> prioritised over this.
>
> The YP+OE ecosystem is becoming more mature and this means we have our 
> experienced developers being pulled away to new things and few people
> are replacing them so it feels like we're seeing a gradual skills drain/fade.
>
> There are a few things companies can do to help:
>
> a) Publicly acknowledge you use the project. 
>
> I'm often asked where the project is being used but I find it hard to point
> at companies using it, or products developed with it. It does help to be able
> to point at real users rather than theoretical scenarios. We *know* it is used
> in some interesting places but many won't let us say that publicly.
>
> https://wiki.yoctoproject.org/wiki/Project_Users
>
> b) Embrace employees' Open Source contributions, code and otherwise
>
> If companies can find ways to recognise the value of having open source
> experts/leaders working for them from a career development and reward 
> perspective, that would encourage people to do the important work needed
>
> c) Consider Yocto Project membership
>
> https://www.yoctoproject.org/ecosystem/members/
> https://www.yoctoproject.org/join/
>
> We're finding that some infrastructure and roles need to be centrally funded
> as the work is important but no one company is willing to commit people to it.
> We're only able to do this through project membership which supports things
> like the autobuilder, LTS, our build triage process and my own role.
>
> d) Support employees in spending some time on open source projects
>
> I hear quite often that employees get XX% time to spend on open source
> projects. I also hear they get pulled onto mission critical product 
> deliverables and can't prioritise that other project work. Finding ways
> to ensure employees can spend time on open source projects including 
> management support would help a lot.
>
> e) Transition roles
>
> If someone has a key role in a project but is moving to new things, help
> them find a replacement and allow them time to train/transition to that
> new person. Some companies do this really well, I'd call out NI and opkg
> maintainership as a particularly good example.
>
>
>
> I appreciate these are difficult times, both for individuals and for 
> businesses. I'd like to conclude by thanking everyone who does participate
> and contribute. Whilst I do want/need to highlight the above (and have been
> asked to do so that people have something they can point people at), the 
> project is proving to be successful, going to interesting places and making
> things possible we can all be proud of!
Thanks for summarizing all this.

So is the ask to forward this within one's employer?

-armin
>
> Cheers,
>
> Richard



View/Reply Online (#53439): https://lists.yoctoproject.org/g/yocto/message/53439



[yocto] [meta-security][v2][PATCH] suricata: 4.1.x add UPSTREAM_CHECK_URI

2021-05-12 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-ids/suricata/suricata_4.1.10.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-ids/suricata/suricata_4.1.10.bb 
b/recipes-ids/suricata/suricata_4.1.10.bb
index 3f7beaa..bf08843 100644
--- a/recipes-ids/suricata/suricata_4.1.10.bb
+++ b/recipes-ids/suricata/suricata_4.1.10.bb
@@ -12,6 +12,8 @@ SRC_URI += " \
 file://run-ptest \
 "
 
+UPSTREAM_CHECK_URI = "www.openinfosecfoundation.org/download"
+
 inherit autotools-brokensep pkgconfig python3-dir systemd ptest
 
 CFLAGS += "-D_DEFAULT_SOURCE -fcommon"
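Review bot: The subject now matches the variable, but the value is unchanged from the first posting: "www.openinfosecfoundation.org/download" still has no scheme, and UPSTREAM_CHECK_URI is fetched as a URL, so it should be https://www.openinfosecfoundation.org/download. The index line (3f7beaa..bf08843) is identical to v1, confirming only the subject changed.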
-- 
2.25.1


View/Reply Online (#53490): https://lists.yoctoproject.org/g/yocto/message/53490



[yocto] [meta-security][PATCH 3/6] packagegroup-core-security: fix typo for mips

2021-05-12 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-core/packagegroup/packagegroup-core-security.bb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb 
b/recipes-core/packagegroup/packagegroup-core-security.bb
index 6d2dd7c..54b8297 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -79,8 +79,7 @@ RDEPENDS_packagegroup-security-mac = " \
 ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
 "
 
-RDEPENDS_packagegroup-security-mac_remove_mips64 = "apparmor"
-RDEPENDS_packagegroup-security-mac_remove_mips64le = "apparmor"
+RDEPENDS_packagegroup-security-mac_remove_mipsarch = "apparmor"
 
 RDEPENDS_packagegroup-meta-security-ptest-packages = "\
 ptest-runner \
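Review bot: Replacing the two overrides _remove_mips64 and _remove_mips64le with _remove_mipsarch widens the removal of apparmor from 64-bit MIPS to every MIPS variant (mips, mipsel, mips64, mips64el and so on), which is more than the "fix typo" subject suggests; the typo was presumably mips64le versus mips64el, so if only the 64-bit targets fail, the fix is _remove_mips64el. If apparmor is in fact unbuildable on all MIPS, say so in the commit message.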
-- 
2.25.1


View/Reply Online (#53493): https://lists.yoctoproject.org/g/yocto/message/53493



[yocto] [meta-security][PATCH 4/6] Apparmor: fix multi config build issue.

2021-05-12 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-mac/AppArmor/apparmor_3.0.bb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/recipes-mac/AppArmor/apparmor_3.0.bb 
b/recipes-mac/AppArmor/apparmor_3.0.bb
index 015205d..d9c3e4d 100644
--- a/recipes-mac/AppArmor/apparmor_3.0.bb
+++ b/recipes-mac/AppArmor/apparmor_3.0.bb
@@ -177,8 +177,9 @@ SYSTEMD_AUTO_ENABLE ?= "enable"
 
 PACKAGES += "mod-${PN}"
 
-FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor 
${PYTHON_SITEPACKAGES_DIR}"
+FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor 
${nonarch_libdir}/${PYTHON_DIR}/site-packages"
 FILES_mod-${PN} = "${libdir}/apache2/modules/*"
+FILES_${PN}-dbg += "/lib/security/"
 
 DEPENDS_append_libc-musl = " fts "
 RDEPENDS_${PN}_libc-musl +=  "musl-utils"
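Review bot: FILES_${PN}-dbg += "/lib/security/" will put the whole /lib/security/ tree, including the PAM module itself, into the -dbg package, because ${PN}-dbg is packaged before ${PN} in the default PACKAGES order and FILES_${PN} in this same hunk also lists /lib/security/. The usual form is FILES_${PN}-dbg += "/lib/security/.debug" so that only the split debug files move. The swap from ${PYTHON_SITEPACKAGES_DIR} to ${nonarch_libdir}/${PYTHON_DIR}/site-packages is the actual multiconfig fix and deserves a sentence in the commit message explaining why the default variable resolved to the wrong directory.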
-- 
2.25.1


View/Reply Online (#53494): https://lists.yoctoproject.org/g/yocto/message/53494



[yocto] [meta-security][PATCH 6/6] packagegroup-core-security: add aide and ossec

2021-05-12 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-core/packagegroup/packagegroup-core-security.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb 
b/recipes-core/packagegroup/packagegroup-core-security.bb
index 54b8297..0bddf64 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -70,6 +70,8 @@ SUMMARY_packagegroup-security-ids = "Security Intrusion 
Detection systems"
 RDEPENDS_packagegroup-security-ids = " \
 samhain-standalone \
 ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " 
suricata",d)} \
+ossec-hids \
+aide \
 "
 
 SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
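Review bot: ossec-hids and aide are added to packagegroup-security-ids unconditionally, while suricata in the same list is gated on TUNE_FEATURES; that is fine if both recipes build on every supported architecture, but the same series removes apparmor on all MIPS targets, so it is worth confirming that ossec-hids (autotools-brokensep plus useradd) and aide have been built on at least the MIPS and RISC-V machines named here. The aide recipe is introduced by 5/6 of this series, so this patch must not be applied ahead of it.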
-- 
2.25.1


View/Reply Online (#53496): https://lists.yoctoproject.org/g/yocto/message/53496



[yocto] [meta-security][PATCH 1/6] ibmswtpm2: update to 1661

2021-05-12 Thread Armin Kuster
Drop patch now included in updated

Signed-off-by: Armin Kuster 
---
 .../ibmswtpm2/files/fix-wrong-cast.patch  | 27 ---
 .../{ibmswtpm2_1637.bb => ibmswtpm2_1661.bb}  | 10 +++
 2 files changed, 4 insertions(+), 33 deletions(-)
 delete mode 100644 meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
 rename meta-tpm/recipes-tpm2/ibmswtpm2/{ibmswtpm2_1637.bb => 
ibmswtpm2_1661.bb} (69%)

diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch 
b/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
deleted file mode 100644
index f2938e0..000
--- a/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Fix strict aliasing issue of gcc10
-
-fixes:
-
-TpmFail.c: In function 'TpmLogFailure':
-TpmFail.c:217:23: error: dereferencing type-punned pointer will break 
strict-aliasing rules [-Werror=strict-aliasing]
-  217 | s_failFunction = *(UINT32 *)&function; /* kgold */
-  |   ^~~
-cc1: all warnings being treated as errors
-
-Upstream-Status: Submitted
-
-Signed-off-by: Jens Rehsack 
-
-Index: src/TpmFail.c
-===
 src.orig/TpmFail.c 2020-09-10 15:43:57.085063875 +0200
-+++ src/TpmFail.c  2020-09-10 15:48:35.563302634 +0200
-@@ -214,7 +214,7 @@
- // On a 64-bit machine, this may truncate the address of the string
- // of the function name where the error occurred.
- #if FAIL_TRACE
--s_failFunction = *(UINT32 *)&function;/* kgold */
-+memcpy(&s_failFunction, function, sizeof(uint32_t));  /* kgold */
- s_failLine = line;
- #else
- s_failFunction = 0;
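Review bot: This is the same deletion as in the 2021-05-09 posting of 5/6 (identical index f2938e0..000), and the same question stands: the dropped patch was Upstream-Status: Submitted, so please confirm in the commit message that ibmtpm1661 contains the memcpy fix for the strict-aliasing error in TpmFail.c.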
diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb 
b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb
similarity index 69%
rename from meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb
rename to meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb
index 301980d..7ea40a8 100644
--- a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb
+++ b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb
@@ -17,13 +17,11 @@ DEPENDS = "openssl"
 
 SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz 
\
file://tune-makefile.patch \
-   file://fix-wrong-cast.patch \
"
-SRC_URI[md5sum] = "43b217d87056e9155633925eb6ef749c"
-SRC_URI[sha256sum] = 
"dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327"
-SRC_URI[sha1sum] = "ab4b94079e57a86996991e8a2b749ce063e4ad3e"
-SRC_URI[sha384sum] = 
"bbef16a934853ce78cba7ddc766aa9d7ef3cde3430a322b1be772bf3ad4bd6d413ae9c4de21bc1a4879d17dfe2aadc1d"
-SRC_URI[sha512sum] = 
"007aa415cccf19a2bcf789c426727dc4032dcb04cc9d11eedc231d2add708c1134d3d5ee5cfbe7de68307c95fff7a30bd306fbd8d53c198a5ef348440440a6ed"
+
+SRC_URI[sha256sum] = 
"55145928ad2b24f34be6a0eacf9fb492e10e0ea919b8428c721fa970e85d6147"
+
+UPSTREAM_CHECK_REGEX = "libtpm(?P).tar.gz"
 
 S = "${WORKDIR}/src"
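Review bot: Unchanged from the earlier posting (index 301980d..7ea40a8): the UPSTREAM_CHECK_REGEX prefix "libtpm" still does not match the ibmtpm${PV}.tar.gz name in SRC_URI, the named group is shown as "(?P)" with no name or pattern, and the dots are unescaped; ibmtpm(?P<pver>\d+)\.tar\.gz is the shape expected.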
 
-- 
2.25.1


View/Reply Online (#53491): https://lists.yoctoproject.org/g/yocto/message/53491



[yocto] [meta-security][PATCH 5/6] aide: Add another ids

2021-05-12 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-ids/aide/aide/aide.conf | 94 +
 recipes-ids/aide/aide_0.17.3.bb | 41 ++
 2 files changed, 135 insertions(+)
 create mode 100644 recipes-ids/aide/aide/aide.conf
 create mode 100644 recipes-ids/aide/aide_0.17.3.bb

diff --git a/recipes-ids/aide/aide/aide.conf b/recipes-ids/aide/aide/aide.conf
new file mode 100644
index 000..2c99e07
--- /dev/null
+++ b/recipes-ids/aide/aide/aide.conf
@@ -0,0 +1,94 @@
+# Example configuration file for AIDE.
+
+@@define DBDIR /usr/lib/aide
+@@define LOGDIR /usr/lib/aide/logs
+
+# The location of the database to be read.
+database_in=file:@@{DBDIR}/aide.db.gz
+
+# The location of the database to be written.
+#database_out=sql:host:port:database:login_name:passwd:table
+#database_out=file:aide.db.new
+database_out=file:@@{DBDIR}/aide.db.gz
+
+# Whether to gzip the output to database
+gzip_dbout=yes
+
+# Default.
+log_level=warning
+
+report_url=file:@@{LOGDIR}/aide.log
+report_url=stdout
+#report_url=stderr
+#NOT IMPLEMENTED report_url=mailto:r...@foo.com
+#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
+
+# These are the default rules.
+#
+#p:  permissions
+#i:  inode:
+#n:  number of links
+#u:  user
+#g:  group
+#s:  size
+#b:  block count
+#m:  mtime
+#a:  atime
+#c:  ctime
+#S:  check for growing size
+#acl:   Access Control Lists
+#selinuxSELinux security context
+#xattrs:Extended file attributes
+#md5:md5 checksum
+#sha1:   sha1 checksum
+#sha256:sha256 checksum
+#sha512:sha512 checksum
+#rmd160: rmd160 checksum
+#tiger:  tiger checksum
+
+#haval:  haval checksum (MHASH only)
+#gost:   gost checksum (MHASH only)
+#crc32:  crc32 checksum (MHASH only)
+#whirlpool: whirlpool checksum (MHASH only)
+
+FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+
+#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
+#L: p+i+n+u+g+acl+selinux+xattrs
+#E: Empty group
+#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
+
+# You can create custom rules like this.
+# With MHASH...
+# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie. all changes)
+EVERYTHING = R+ALLXTRAHASHES
+
+# Sane, with multiple hashes
+# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = FIPSR+sha512
+
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+selinux+xattrs
+
+# Access control only
+PERMS = p+i+u+g+acl+selinux
+
+# Logfile are special, in that they often change
+LOG = >
+
+# Just do sha256 and sha512 hashes
+LSPP = FIPSR+sha512
+
+# Some files get updated automatically, so the inode/ctime/mtime change
+# but we want to know when the data inside them changes
+DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
+
+# Next decide what directories/files you want in the database.
+
+# Check only permissions, inode, user and group for /etc, but
+# cover some important files closely.
+/bin NORMAL
+/sbin NORMAL
+/lib NORMAL
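Review bot: database_in and database_out both point at @@{DBDIR}/aide.db.gz, so `aide --update` (and `--init`) overwrite the trusted baseline in place; the AIDE convention is to write to aide.db.new.gz and let an operator move it over the baseline only after reviewing the report, which is what keeps the integrity check meaningful. The comment "Check only permissions, inode, user and group for /etc, but cover some important files closely" does not match the rules that follow, which cover only /bin, /sbin and /lib with NORMAL and never mention /etc; either add an /etc PERMS rule or fix the comment. Keeping the baseline under /usr/lib/aide also puts it on the filesystem it verifies, and on a read-only rootfs the update will fail.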
diff --git a/recipes-ids/aide/aide_0.17.3.bb b/recipes-ids/aide/aide_0.17.3.bb
new file mode 100644
index 000..522cd85
--- /dev/null
+++ b/recipes-ids/aide/aide_0.17.3.bb
@@ -0,0 +1,41 @@
+SUMMARY = "Advanced Intrusion Detection Environment"
+HOMEPAGE = "https://aide.github.io";
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+LICENSE = "GPL-2.0"
+
+DEPENDS = "bison-native libpcre"
+
+SRC_URI = 
"https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
+   file://aide.conf"
+
+SRC_URI[sha256sum] = 
"a2eb1883cafaad056fbe43ee1e8ae09fd36caa30a0bc8edfea5d47bd67c464f8"
+
+inherit autotools pkgconfig
+
+PACKAGECONFIG ??=" mhash zlib e2fsattrs \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux 
audit', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', 
d)} \
+ "
+PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux, 
libselinux"
+PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib "
+PACKAGECONFIG[xattr] = "--with-xattr, --without-xattr, attr, attr"
+PACKAGECONFIG[curl] = "--with-curl, --without-curl, curl, libcurl"
+PACKAGECONFIG[audit] = "--with-audit, --without-audit,"
+PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt"
+PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash"
+PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, 
e2fsprogs"
+
+do_install_append () {
+install -d ${D}${libdir}/${PN}/logs   
+install -d ${D}${sysconfdir}   
+install ${WORKDIR}/aide.conf ${D}${sys
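Review bot: PACKAGECONFIG[audit] = "--with-audit, --without-audit," declares no build dependency, yet it is switched on automatically whenever selinux is in DISTRO_FEATURES; configure --with-audit needs libaudit, so this should be "--with-audit, --without-audit, audit" (the audit recipe now lives in meta-oe, per the meta-selinux change in this same batch). Minor: `PACKAGECONFIG ??=" mhash` is missing the space after ??=. The hunk ends mid-line at the aide.conf install step, so the remaining install steps and any FILES/RDEPENDS could not be reviewed here.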

[yocto] [meta-security][PATCH 2/6] ibmtpm2tss: update to tip

2021-05-12 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb 
b/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb
index 4d9b554..ae8974b 100644
--- a/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb
+++ b/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb
@@ -17,11 +17,13 @@ DEPENDS = "openssl ibmswtpm2"
 
 inherit autotools pkgconfig
 
-SRCREV = "3e736f712ba53c8f06e66751f60fae428fd2e20f"
+SRCREV = "c4e131e34ec0ed09411aa3bc76f76129ef881573"
 SRC_URI = " git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1 \
file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \
"
 
+UPSTREAM_CHECK_COMMITS = "1"
+
 EXTRA_OECONF = "--disable-tpm-1.2"
 
 S = "${WORKDIR}/git"
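Review bot: Identical to the 2021-05-09 posting (index 4d9b554..ae8974b); the earlier comment applies unchanged: the SRCREV bump needs a reason in the commit message and, with SRC_URI using nobranch=1, a PV such as 1.6.0+git${SRCPV} would make the tip-tracking visible.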
-- 
2.25.1


View/Reply Online (#53492): https://lists.yoctoproject.org/g/yocto/message/53492



[yocto] [meta-selinux][PATCH 2/2] MAINTAINERS: update email address

2021-05-13 Thread Armin Kuster
Include example send-email

Signed-off-by: Armin Kuster 
---
 MAINTAINERS | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index 36c451f..0dc492e 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1,7 +1,14 @@
 This file contains a list of maintainers for the meta-selinux layer.
 
 Please submit any patches against meta-selinux to the Yocto Project mailing
-list (yo...@yoctoproject.org).
+list (yocto@lists.yoctoproject.org).
+
+git send-email -1 --to yocto@lists.yoctoproject.org 
--subject-prefix=meta-selinux][PATCH
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@lists.yoctoproject.org
+$ git config format.subjectPrefix meta-selinux][PATCH
 
 You may also contact the maintainers directly.
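Review bot: The bare `git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-selinux][PATCH` line is not marked as a shell command, unlike the two `$ git config` lines below it; prefixing it with `$` as well keeps the file consistent. A short remark that the `][` in the prefix is deliberate would also help, since git wraps the prefix in brackets to produce "[meta-selinux][PATCH]" and readers may otherwise take it for a typo.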
 
-- 
2.17.1


View/Reply Online (#53516): https://lists.yoctoproject.org/g/yocto/message/53516



[yocto] [meta-selinux][PATCH 1/2] audit: pkg now in meta-oe

2021-05-13 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../Fixed-swig-host-contamination-issue.patch |  57 ---
 .../audit/audit/audit-volatile.conf   |   1 -
 recipes-security/audit/audit/auditd   | 153 --
 recipes-security/audit/audit/auditd.service   |  28 
 recipes-security/audit/audit_3.0.1.bb | 109 -
 5 files changed, 348 deletions(-)
 delete mode 100644 
recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
 delete mode 100644 recipes-security/audit/audit/audit-volatile.conf
 delete mode 100644 recipes-security/audit/audit/auditd
 delete mode 100644 recipes-security/audit/audit/auditd.service
 delete mode 100644 recipes-security/audit/audit_3.0.1.bb

diff --git 
a/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch 
b/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
deleted file mode 100644
index 740bcb5..000
--- a/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 3d13f92c1bb293523670ba01aea7e655b00a6709 Mon Sep 17 00:00:00 2001
-From: Li xin 
-Date: Sun, 19 Jul 2015 02:42:58 +0900
-Subject: [PATCH] audit: Fixed swig host contamination issue
-
-The audit build uses swig to generate a python wrapper.
-Unfortunately, the swig info file references host include
-directories.  Some of these were previously noticed and
-eliminated, but the one fixed here was not.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Anders Hedlund 
-Signed-off-by: Joe Slater 
-Signed-off-by: Yi Zhao 

- bindings/swig/python3/Makefile.am | 3 ++-
- bindings/swig/src/auditswig.i | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/bindings/swig/python3/Makefile.am 
b/bindings/swig/python3/Makefile.am
-index dd9d934..61b486d 100644
 a/bindings/swig/python3/Makefile.am
-+++ b/bindings/swig/python3/Makefile.am
-@@ -22,6 +22,7 @@
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS)
- AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
-+STDINC ?= /usr/include
- LIBS = $(top_builddir)/lib/libaudit.la
- SWIG_FLAGS = -python -py3 -modern
- SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
-@@ -36,7 +37,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h 
${top_builddir}/lib/libaudi
- _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la
- nodist__audit_la_SOURCES  = audit_wrap.c
- audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i 
--  swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} 
${srcdir}/../src/auditswig.i 
-+  swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) 
${srcdir}/../src/auditswig.i
- 
- CLEANFILES = audit.py* audit_wrap.c *~
- 
-diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
-index 21aafca..dd0f62c 100644
 a/bindings/swig/src/auditswig.i
-+++ b/bindings/swig/src/auditswig.i
-@@ -39,7 +39,7 @@ signed
- #define __attribute(X) /*nothing*/
- typedef unsigned __u32;
- typedef unsigned uid_t;
--%include "/usr/include/linux/audit.h"
-+%include "linux/audit.h"
- #define __extension__ /*nothing*/
- %include 
- %include "../lib/libaudit.h"
--- 
-2.17.1
-
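Review bot: Removing the audit recipe and its patches is fine once meta-oe provides it, but the patch shows no matching change to conf/layer.conf; if any meta-selinux recipe still DEPENDS or RDEPENDS on audit, the layer needs meta-oe in its LAYERDEPENDS (or the requirement documented in the README), otherwise a build without meta-openembedded fails with an unresolved dependency. Note too that the deleted swig patch was Upstream-Status: Inappropriate [embedded specific], so check that the meta-oe recipe carries an equivalent fix for the /usr/include host contamination it addressed.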
diff --git a/recipes-security/audit/audit/audit-volatile.conf 
b/recipes-security/audit/audit/audit-volatile.conf
deleted file mode 100644
index 9cbe154..000
--- a/recipes-security/audit/audit/audit-volatile.conf
+++ /dev/null
@@ -1 +0,0 @@
-d  /var/log/audit 0750 root root -
diff --git a/recipes-security/audit/audit/auditd 
b/recipes-security/audit/audit/auditd
deleted file mode 100644
index 6aa7f94..000
--- a/recipes-security/audit/audit/auditd
+++ /dev/null
@@ -1,153 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:  auditd
-# Required-Start:$local_fs
-# Required-Stop: $local_fs
-# Default-Start: 2 3 4 5
-# Default-Stop:  0 1 6
-# Short-Description: Audit Daemon
-# Description:   Collects audit information from Linux 2.6 Kernels.
-### END INIT INFO
-
-# Author: Philipp Matthias Hahn 
-# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init
-
-# June, 2012: Adopted for yocto 
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-DESC="audit daemon"
-NAME=auditd
-DAEMON=/sbin/auditd
-PIDFILE=/var/run/"$NAME".pid
-SCRIPTNAME=/etc/init.d/"$NAME"
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME"
-
-. /etc/default/rcS
-
-. /etc/init.d/functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-   # Return
-   #   0 if daemon has been started
-   #   1 if daemon was already running
-   #   2 if daemon could not be star
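Review bot: the sysvinit script is removed wholesale. If the recipe still inherits update-rc.d or keeps its INITSCRIPT variables, the build fails once the file is gone, and if sysvinit images are still supported the daemon loses its start/stop handling. Either the recipe-side change belongs in the same patch, or the commit message should state that upstream audit now ships its own init script.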

[yocto] [meta-security][PATCH 1/2] clamav: fix systemd startup

2021-05-15 Thread Armin Kuster
cleanup recipe

Signed-off-by: Armin Kuster 
---
 recipes-scanners/clamav/clamav_0.104.0.bb | 44 ++-
 .../clamav/files/fix_systemd_socket.patch | 25 +++
 2 files changed, 48 insertions(+), 21 deletions(-)
 create mode 100644 recipes-scanners/clamav/files/fix_systemd_socket.patch

diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb 
b/recipes-scanners/clamav/clamav_0.104.0.bb
index 6892bb0..ce5b0ea 100644
--- a/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -16,9 +16,9 @@ SRC_URI = 
"git://github.com/vrtadmin/clamav-devel;branch=dev/0.104 \
 file://freshclam.conf \
 file://volatiles.03_clamav \
 file://tmpfiles.clamav \
-file://${BPN}.service \
 file://headers_fixup.patch \
 file://oe_cmake_fixup.patch \
+file://fix_systemd_socket.patch \
 "
 S = "${WORKDIR}/git"
 
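Review bot: the new fix_systemd_socket.patch is added to SRC_URI but its content is not in this message, and with the layer's own ${BPN}.service no longer installed the daemon depends entirely on upstream's unit files; the patch file should carry an Upstream-Status line and the commit message should say what in the socket unit was broken. Separately, the git://github.com/... context line has no protocol=https, so the fetcher uses the unauthenticated git protocol, which GitHub has retired; add ;protocol=https so the transport is authenticated.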
@@ -70,31 +70,29 @@ do_install_append () {
 rm ${D}/${libdir}/libmspack.so
 
 if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
-install -D -m 0644 ${WORKDIR}/clamav.service 
${D}${systemd_unitdir}/system/clamav.service
 install -d ${D}${sysconfdir}/tmpfiles.d
 install -m 0644 ${WORKDIR}/tmpfiles.clamav 
${D}${sysconfdir}/tmpfiles.d/clamav.conf
 fi
 oe_multilib_header clamav-types.h
 }
 
-pkg_postinst_ontarget_${PN} () {
-if command -v systemd-tmpfiles >/dev/null; then
-systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf
-elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
-${sysconfdir}/init.d/populate-volatile.sh update
+pkg_postinst_${PN} () {
+if [ -z "$D" ]; then
+if command -v systemd-tmpfiles >/dev/null; then
+systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf
+elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+${sysconfdir}/init.d/populate-volatile.sh update
+fi
+chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav
 fi
-mkdir -p ${localstatedir}/lib/clamav
-chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav
 }
 
-
-PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \
-${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev"
+PACKAGES += "${PN}-daemon ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav"
 
 FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit 
${sbindir}/clamonacc \
 ${bindir}/*sigtool ${mandir}/man1/clambc* 
${mandir}/man1/clamscan* \
 ${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit*  \
-${docdir}/clamav/* ${libdir}/libmspack* "
+${docdir}/clamav/*"
 
 FILES_${PN}-clamdscan = " ${bindir}/clamdscan \
 ${docdir}/clamdscan/* \
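Review bot: converting pkg_postinst_ontarget_${PN} into pkg_postinst_${PN} guarded by `if [ -z "$D" ]` changes when it runs, and probably not as intended. At rootfs-creation time $D is set, so the body is skipped and the function returns 0; the postinst is then recorded as complete and is never run on the target, so `systemd-tmpfiles --create` and the `chown -R` of ${localstatedir}/lib/clamav never happen. To defer to first boot the `[ -n "$D" ]` case must `exit 1` (or keep pkg_postinst_ontarget). The removed `mkdir -p ${localstatedir}/lib/clamav` also means the chown now assumes something else created the directory; if that is tmpfiles.clamav, the ownership can be expressed in its user/group columns and the postinst dropped altogether.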
@@ -106,11 +104,11 @@ FILES_${PN}-daemon = "${bindir}/clamconf 
${bindir}/clamdtop ${sbindir}/clamd \
 ${mandir}/man5/clamd*  ${mandir}/man8/clamd* \
 ${sysconfdir}/clamd.conf* \
 /usr/etc/clamd.conf* \
-${systemd_unitdir}/system/clamav-daemon/* \
+${systemd_system_unitdir}/clamav-daemon/* \
 ${docdir}/clamav-daemon/*  ${sysconfdir}/clamav-daemon 
\
 ${sysconfdir}/logcheck/ignore.d.server/clamav-daemon \
-${systemd_unitdir}/system/clamav-daemon.service \
-${systemd_unitdir}/system/clamav-clamonacc.service \
+${systemd_system_unitdir}/clamav-daemon.service \
+${systemd_system_unitdir}/clamav-clamonacc.service \
 "
 
 FILES_${PN}-freshclam = "${bindir}/freshclam \
@@ -121,7 +119,7 @@ FILES_${PN}-freshclam = "${bindir}/freshclam \
 ${localstatedir}/lib/clamav \
 ${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \
 ${mandir}/man5/freshclam.conf.* \
-${systemd_unitdir}/system/clamav-freshclam.service"
+${systemd_system_unitdir}/clamav-freshclam.service"
 
 FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \
 ${libdir}/pkgconfig/*.pc \
@@ -131,7 +129,8 @@ FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \
 FILES_${PN}-staticdev = "${libdir}/*.a"
 
 FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so* \
- ${libdir}/libfreshclam.so* ${docdir}/libclamav/* "
+ ${libdir}/libfreshclam.so* ${docdir}/libclamav/* \
+ ${libdir}/libmspack* "
 
 FILES_${PN}-doc = "${mandir}/man/* \
${datadir}/man/* \
@@ -140,12

[yocto] [meta-security][PATCH 2/2] packagegroup-core-security: add clamav-daemon

2021-05-15 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-core/packagegroup/packagegroup-core-security.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb 
b/recipes-core/packagegroup/packagegroup-core-security.bb
index 0bddf64..d7349b0 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -51,9 +51,9 @@ RDEPENDS_packagegroup-security-scanners = "\
 isic \
 nikto \
 checksecurity \
-${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav 
clamav-freshclam",d)} \
+${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav 
clamav-daemon clamav-freshclam",d)} \
 "
-RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav 
clamav-freshclam"
+RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav 
clamav-daemon clamav-freshclam"
 
 SUMMARY_packagegroup-security-audit = "Security Audit tools "
 RDEPENDS_packagegroup-security-audit = " \
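Review bot: the riscv exclusion and the musl _remove now repeat the same three package names, and the _remove only works if its tokens match the contains_any string exactly, so any future drift silently leaves clamav-daemon in musl images; a single variable used by both lines would avoid that. The commit message also gives no reason for pulling clamd into the default scanners group; a resident daemon is a different footprint from the on-demand clamscan already there, so a sentence on the intent and on whether its unit is auto-enabled would help.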
-- 
2.25.1


View/Reply Online (#53521): https://lists.yoctoproject.org/g/yocto/message/53521



[yocto] [meta-security][PATCH 4/4] lkrg-module: update 0.9.1

2021-05-16 Thread Armin Kuster
LIC_FILES_CHKSUM updated due to year change and adding new copyrights

Signed-off-by: Armin Kuster 
---
 .../lkrg/{lkrg-module_0.9.0.bb => lkrg-module_0.9.1.bb}   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename recipes-kernel/lkrg/{lkrg-module_0.9.0.bb => lkrg-module_0.9.1.bb} (84%)

diff --git a/recipes-kernel/lkrg/lkrg-module_0.9.0.bb 
b/recipes-kernel/lkrg/lkrg-module_0.9.1.bb
similarity index 84%
rename from recipes-kernel/lkrg/lkrg-module_0.9.0.bb
rename to recipes-kernel/lkrg/lkrg-module_0.9.1.bb
index dbc195d..287b4e8 100644
--- a/recipes-kernel/lkrg/lkrg-module_0.9.0.bb
+++ b/recipes-kernel/lkrg/lkrg-module_0.9.1.bb
@@ -5,14 +5,14 @@ SECTION = "security"
 HOMEPAGE = "https://www.openwall.com/lkrg/";
 LICENSE = "GPLv2"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=d931f44a1f4be309bcdac742d7ed92f9"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=5105ead24b08a32954f34cbaa7112432"
 
 DEPENDS = "virtual/kernel elfutils"
 
 SRC_URI = "https://www.openwall.com/lkrg/lkrg-${PV}.tar.gz \
file://makefile_cleanup.patch "
 
-SRC_URI[sha256sum] = 
"a997e4d98962c359f3af163bbcfa38a736d2a50bfe35c15065b74cb57f8742bf"
+SRC_URI[sha256sum] = 
"cabbee1addbf3ae23a584203831e4bd1b730d22bfd1b3e44883214f220b3babd"
 
 S = "${WORKDIR}/lkrg-${PV}"
 
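Review bot: the md5 in LIC_FILES_CHKSUM covers the whole LICENSE file, so a changed checksum does not by itself show that only the copyright years and holders moved; please quote the LICENSE diff in the commit message so the review can confirm LICENSE = "GPLv2" still describes the terms. The new tarball sha256sum should likewise be checked against openwall's published signature for lkrg-0.9.1 rather than recomputed from the download.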
-- 
2.25.1


View/Reply Online (#53530): https://lists.yoctoproject.org/g/yocto/message/53530



[yocto] [meta-security][PATCH 3/4] python3-scapy: update to 2.4.5

2021-05-16 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../scapy/{python3-scapy_2.4.4.bb => python3-scapy_2.4.5.bb}  | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
 rename recipes-security/scapy/{python3-scapy_2.4.4.bb => 
python3-scapy_2.4.5.bb} (95%)

diff --git a/recipes-security/scapy/python3-scapy_2.4.4.bb 
b/recipes-security/scapy/python3-scapy_2.4.5.bb
similarity index 95%
rename from recipes-security/scapy/python3-scapy_2.4.4.bb
rename to recipes-security/scapy/python3-scapy_2.4.5.bb
index 23ddfce..8f36520 100644
--- a/recipes-security/scapy/python3-scapy_2.4.4.bb
+++ b/recipes-security/scapy/python3-scapy_2.4.5.bb
@@ -5,9 +5,7 @@ LICENSE = "GPLv2"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
-S = "${WORKDIR}/git"
-
-SRCREV = "95ba5b8504152a1f820bbe679ccf03668cb5118f"
+SRCREV = "32cd7eb0f620d9adf171c48d55514e8326a538d7"
 SRC_URI = "git://github.com/secdev/scapy.git \
file://run-ptest"
 
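Review bot: this hunk deletes `S = "${WORKDIR}/git"` together with the old SRCREV. For a git SRC_URI the default S is ${WORKDIR}/${BP}, i.e. python3-scapy-2.4.5, which does not exist after unpack, so the change is only correct if S is still set further down the file outside the visible context; the commit message should say the line was a duplicate. The SRC_URI context line also lacks protocol=https and branch=; add both so the fetch uses an authenticated transport and current bitbake accepts the URI.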
-- 
2.25.1


View/Reply Online (#53529): https://lists.yoctoproject.org/g/yocto/message/53529



[yocto] [meta-security][PATCH 1/4] clamav: upgrade to latest revision

2021-05-16 Thread Armin Kuster
From: Upgrade Helper 

Signed-off-by: Armin Kuster 
---
 recipes-scanners/clamav/clamav_0.104.0.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb 
b/recipes-scanners/clamav/clamav_0.104.0.bb
index ce5b0ea..4f20309 100644
--- a/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -8,8 +8,8 @@ DEPENDS = "glibc llvm libtool db openssl zlib curl libxml2 
bison pcre2 json-c li
  
 LIC_FILES_CHKSUM = 
"file://COPYING.txt;beginline=2;endline=3;md5=f7029fbbc5898b273d5902896f7bbe17"
 
-# May 2nd
-SRCREV = "de0086aa918b79cd22570d0c05977a288b197e23"
+# May 15th
+SRCREV = "fe96de86bb90c489aa509ee9135f776b7a2a7eb4"
 
 SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=dev/0.104 \
 file://clamd.conf \
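Review bot: the only record of what changed between the two dev/0.104 SRCREVs is a date comment; for the scanner the rest of this layer relies on, the commit message should at least name the upstream range or the fix being pulled in. Also, the recipe file name pins PV to 0.104.0 while SRCREV keeps moving, so every bump yields the same package version; append +git${SRCPV} to PV so package feeds and upgrade logic can tell the builds apart.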
-- 
2.25.1


View/Reply Online (#53527): https://lists.yoctoproject.org/g/yocto/message/53527



[yocto] [meta-security][PATCH 2/4] opendnssec: upgrade 2.1.8 -> 2.1.9

2021-05-16 Thread Armin Kuster
From: Upgrade Helper 

Signed-off-by: Armin Kuster 
---
 .../opendnssec/{opendnssec_2.1.8.bb => opendnssec_2.1.9.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename recipes-security/opendnssec/{opendnssec_2.1.8.bb => 
opendnssec_2.1.9.bb} (92%)

diff --git a/recipes-security/opendnssec/opendnssec_2.1.8.bb 
b/recipes-security/opendnssec/opendnssec_2.1.9.bb
similarity index 92%
rename from recipes-security/opendnssec/opendnssec_2.1.8.bb
rename to recipes-security/opendnssec/opendnssec_2.1.9.bb
index cf6bdbd..2b79609 100644
--- a/recipes-security/opendnssec/opendnssec_2.1.8.bb
+++ b/recipes-security/opendnssec/opendnssec_2.1.9.bb
@@ -10,7 +10,7 @@ SRC_URI = 
"https://dist.opendnssec.org/source/opendnssec-${PV}.tar.gz \
file://libdns_conf_fix.patch \
"
 
-SRC_URI[sha256sum] = 
"900a213103ff19a405e446327fbfcea9ec13e405283d87b6ffc24a10d9a268f5"
+SRC_URI[sha256sum] = 
"6d1d466c8d7f507f3e665f4bfe4d16a68d6bff9d7c2ab65f852e2b2a821c28b5"
 
 inherit autotools pkgconfig perlnative
 
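Review bot: the commit message does not say how the new sha256sum was obtained; check the hash against upstream's signed release tarball rather than recomputing it from whatever was downloaded, and say so in the message. It is also worth confirming that libdns_conf_fix.patch (still in SRC_URI in the context above) applies cleanly to 2.1.9 rather than with fuzz.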
-- 
2.25.1


View/Reply Online (#53528): https://lists.yoctoproject.org/g/yocto/message/53528



[yocto] [meta-security][PATCH 1/3] packagegroup-core-security: exclude ossec-hids from musl

2021-05-19 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-core/packagegroup/packagegroup-core-security.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb 
b/recipes-core/packagegroup/packagegroup-core-security.bb
index d7349b0..cf9620f 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -74,6 +74,8 @@ RDEPENDS_packagegroup-security-ids = " \
 aide \
 "
 
+RDEPENDS_packagegroup-security-ids_remove_libc-musl = "ossec-hids"
+
 SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
 RDEPENDS_packagegroup-security-mac = " \
 ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \
-- 
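Review bot: the _remove only has an effect if ossec-hids is actually listed in RDEPENDS_packagegroup-security-ids, and the visible context shows only aide; either widen the context or state in the commit message that the entry exists above. The message should also say that this pairs with the COMPATIBLE_HOST_libc-musl = "null" change to ossec-hids in patch 2/3, since without this line the musl packagegroup fails to resolve.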
2.24.3


View/Reply Online (#53585): https://lists.yoctoproject.org/g/yocto/message/53585



[yocto] [meta-security][PATCH 3/3] sssd: update to 2.5.0

2021-05-19 Thread Armin Kuster
Add new depends
Drop obsolete patches

Signed-off-by: Armin Kuster 
---
 ...AC_CHECK_FILE-when-building-manpages.patch | 34 
 ...s-Collision-with-external-nss-symbol.patch | 78 ---
 ...defines-which-otherwise-are-availabl.patch | 32 
 .../sssd/files/fix-ldblibdir.patch| 25 --
 recipes-security/sssd/files/fix_gid.patch | 27 +++
 recipes-security/sssd/files/no_gen.patch  | 19 +
 .../sssd/{sssd_1.16.5.bb => sssd_2.5.0.bb}| 23 +++---
 7 files changed, 56 insertions(+), 182 deletions(-)
 delete mode 100644 
recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
 delete mode 100644 
recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch
 delete mode 100644 
recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
 delete mode 100644 recipes-security/sssd/files/fix-ldblibdir.patch
 create mode 100644 recipes-security/sssd/files/fix_gid.patch
 create mode 100644 recipes-security/sssd/files/no_gen.patch
 rename recipes-security/sssd/{sssd_1.16.5.bb => sssd_2.5.0.bb} (86%)

diff --git 
a/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
 
b/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
deleted file mode 100644
index b64670c..000
--- 
a/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?= 
-Date: Fri, 21 Aug 2020 14:45:10 +0200
-Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-AC_CHECK_FILE does not support cross-compilation, and will only check
-the host rootfs. Replace AC_CHECK_FILE with a 'test -f ' instead,
-to allow building manpages when cross-compiling.
-
-Upstream-status: Submitted [https://github.com/SSSD/sssd/pull/5289]
-Signed-off-by: Jonatan Pålsson 

- src/external/docbook.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/external/docbook.m4 b/src/external/docbook.m4
-index deb8632fa..acdc89a68 100644
 a/src/external/docbook.m4
-+++ b/src/external/docbook.m4
-@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and
- dnl if a particular URI appears in the XML catalog
- AC_DEFUN([CHECK_STYLESHEET],
- [
--  AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])])
-+  AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])])
- 
-   AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog])
-   if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then
--- 
-2.26.1
-
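Review bot: this deleted patch was marked Upstream-status: Submitted with a link to SSSD PR #5289, not Backport. Dropping it is only safe if that PR (or an equivalent change to src/external/docbook.m4) landed before 2.5.0; otherwise the AC_CHECK_FILE host-rootfs check returns and manpage builds break again when cross-compiling. "Drop obsolete patches" should name the upstream commit that makes each one obsolete.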
diff --git 
a/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch 
b/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch
deleted file mode 100644
index c319269..000
--- 
a/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 05c315100a70d3372e891e9a0ea981a875b2ec90 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?= 
-Date: Thu, 27 Feb 2020 06:50:40 +0100
-Subject: [PATCH] nss: Collision with external nss symbol
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-One of our internal static function names started
-to collide with external nss symbol. Additional
-sss_ suffix was added to avoid the collision.
-
-This is needed to unblock Fedora Rawhide's
-SSSD build.
-
-Reviewed-by: Pavel Březina 
-
-Upstream-Status: Backport [https://github.com/SSSD/sssd.git]
-Signed-off-by: hongxu@windriver.com
-Signed-off-by: qi.c...@windriver.com

- src/responder/nss/nss_cmd.c | 18 ++
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
-index 25e663ed5..a4d4cfc0b 100644
 a/src/responder/nss/nss_cmd.c
-+++ b/src/responder/nss/nss_cmd.c
-@@ -728,11 +728,13 @@ done:
- talloc_free(cmd_ctx);
- }
- 
--static void nss_setnetgrent_done(struct tevent_req *subreq);
-+static void sss_nss_setnetgrent_done(struct tevent_req *subreq);
- 
--static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
--   enum cache_req_type type,
--   nss_protocol_fill_packet_fn fill_fn)
-+/* This function's name started to collide with external nss symbol,
-+ * so it has additional sss_* prefix unlike other functions here. */
-+static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx,
-+   enum cache_req_type type,
-+   nss_protocol_fill_packet_fn fill_fn)
- {
- struct nss_ctx *nss_ctx;
- struct nss
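Review bot: this one is marked Upstream-Status: Backport, so dropping it with the 2.5.0 update is expected; citing the upstream commit id in the commit message would make that verifiable without digging through the sssd history.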

[yocto] [meta-security][PATCH 2/3] ossec-hids: musl not compatible

2021-05-19 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-ids/ossec/ossec-hids_3.6.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-ids/ossec/ossec-hids_3.6.0.bb 
b/recipes-ids/ossec/ossec-hids_3.6.0.bb
index 242bbdb..778278b 100644
--- a/recipes-ids/ossec/ossec-hids_3.6.0.bb
+++ b/recipes-ids/ossec/ossec-hids_3.6.0.bb
@@ -161,3 +161,5 @@ USERADD_PARAM_${PN} = "--system --home-dir /var/ossec -g 
ossec --shell /bin/fals
 GROUPADD_PARAM_${PN} = "--system ossec"
 
 RDEPENDS_${PN} = "openssl bash"
+
+COMPATIBLE_HOST_libc-musl = "null"
-- 
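Review bot: COMPATIBLE_HOST_libc-musl = "null" silently makes the recipe unbuildable on musl, but the commit message does not say what fails; record the build error or the glibc-only API involved so the exclusion can be revisited when ossec-hids gains musl support. This change and the packagegroup _remove in patch 1/3 depend on each other and should cross-reference.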
2.24.3


View/Reply Online (#53586): https://lists.yoctoproject.org/g/yocto/message/53586



[yocto] [meta-security][v2][PATCH] sssd: update to 2.5.0

2021-05-23 Thread Armin Kuster
Add new depends
Drop obsolete patches

Signed-off-by: Armin Kuster 


[v2]
Fix issue with nsupdate check
don't use host bind
---
 ...AC_CHECK_FILE-when-building-manpages.patch | 34 
 ...s-Collision-with-external-nss-symbol.patch | 78 ---
 ...defines-which-otherwise-are-availabl.patch | 32 
 .../sssd/files/drop_ntpdate_chk.patch | 28 +++
 .../sssd/files/fix-ldblibdir.patch| 25 --
 recipes-security/sssd/files/fix_gid.patch | 27 +++
 recipes-security/sssd/files/no_gen.patch  | 19 +
 .../sssd/{sssd_1.16.5.bb => sssd_2.5.0.bb}| 29 +++
 8 files changed, 89 insertions(+), 183 deletions(-)
 delete mode 100644 
recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
 delete mode 100644 
recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch
 delete mode 100644 
recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
 create mode 100644 recipes-security/sssd/files/drop_ntpdate_chk.patch
 delete mode 100644 recipes-security/sssd/files/fix-ldblibdir.patch
 create mode 100644 recipes-security/sssd/files/fix_gid.patch
 create mode 100644 recipes-security/sssd/files/no_gen.patch
 rename recipes-security/sssd/{sssd_1.16.5.bb => sssd_2.5.0.bb} (85%)

diff --git 
a/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
 
b/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
deleted file mode 100644
index b64670c..000
--- 
a/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?= 
-Date: Fri, 21 Aug 2020 14:45:10 +0200
-Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-AC_CHECK_FILE does not support cross-compilation, and will only check
-the host rootfs. Replace AC_CHECK_FILE with a 'test -f ' instead,
-to allow building manpages when cross-compiling.
-
-Upstream-status: Submitted [https://github.com/SSSD/sssd/pull/5289]
-Signed-off-by: Jonatan Pålsson 

- src/external/docbook.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/external/docbook.m4 b/src/external/docbook.m4
-index deb8632fa..acdc89a68 100644
 a/src/external/docbook.m4
-+++ b/src/external/docbook.m4
-@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and
- dnl if a particular URI appears in the XML catalog
- AC_DEFUN([CHECK_STYLESHEET],
- [
--  AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])])
-+  AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])])
- 
-   AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog])
-   if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then
--- 
-2.26.1
-
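Review bot: same point as on the v1 series for this hunk: the patch is marked Submitted (PR #5289), so the message should cite the 2.5.0 commit that supersedes it. For the v2-specific additions, the diffstat lists drop_ntpdate_chk.patch while the v2 note says "Fix issue with nsupdate check"; ntpdate and nsupdate are different tools, the patch content is not in this message, and it is impossible to tell which name is wrong, so please make the file name and the description agree.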
diff --git 
a/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch 
b/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch
deleted file mode 100644
index c319269..000
--- 
a/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 05c315100a70d3372e891e9a0ea981a875b2ec90 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?= 
-Date: Thu, 27 Feb 2020 06:50:40 +0100
-Subject: [PATCH] nss: Collision with external nss symbol
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-One of our internal static function names started
-to collide with external nss symbol. Additional
-sss_ suffix was added to avoid the collision.
-
-This is needed to unblock Fedora Rawhide's
-SSSD build.
-
-Reviewed-by: Pavel Březina 
-
-Upstream-Status: Backport [https://github.com/SSSD/sssd.git]
-Signed-off-by: hongxu@windriver.com
-Signed-off-by: qi.c...@windriver.com

- src/responder/nss/nss_cmd.c | 18 ++
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
-index 25e663ed5..a4d4cfc0b 100644
 a/src/responder/nss/nss_cmd.c
-+++ b/src/responder/nss/nss_cmd.c
-@@ -728,11 +728,13 @@ done:
- talloc_free(cmd_ctx);
- }
- 
--static void nss_setnetgrent_done(struct tevent_req *subreq);
-+static void sss_nss_setnetgrent_done(struct tevent_req *subreq);
- 
--static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
--   enum cache_req_type type,
--   nss_protocol_fill_packet_fn fill_fn)
-+/* This function's name started to collide with external nss symbol,
-+ * so it has additional sss_* prefix unlike other functions here. */
-+static errno_t sss_nss_setnetgrent(struct cli_ctx *cl

[yocto] [meta-security][PATCH 2/5] linux-%_5.%.bbappend: drop recipe

2021-05-30 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-kernel/linux/linux-%_5.%.bbappend | 4 
 1 file changed, 4 deletions(-)
 delete mode 100644 recipes-kernel/linux/linux-%_5.%.bbappend

diff --git a/recipes-kernel/linux/linux-%_5.%.bbappend 
b/recipes-kernel/linux/linux-%_5.%.bbappend
deleted file mode 100644
index 6bc40cd..000
--- a/recipes-kernel/linux/linux-%_5.%.bbappend
+++ /dev/null
@@ -1,4 +0,0 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", 
" features/apparmor/apparmor.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " 
features/smack/smack.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " 
features/yama/yama.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", 
"dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
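Review bot: the commit message gives no reason for dropping this bbappend, and what it removed is security-relevant: it is what pulled features/apparmor/apparmor.scc, features/smack/smack.scc, features/yama/yama.scc and features/device-mapper/dm-verity.scc into KERNEL_FEATURES whenever the matching DISTRO_FEATURES or IMAGE_CLASSES entries were set. If those fragments now come from elsewhere (linux-yocto defaults or another layer), say so; otherwise a distro enabling apparmor or smack builds a kernel without that LSM and the userspace tooling fails at boot. Note also that the IMAGE_CLASSES token tested here is "dm-verity-img".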
-- 
2.24.3


View/Reply Online (#53702): https://lists.yoctoproject.org/g/yocto/message/53702



[yocto] [meta-security][PATCH 3/5] initramfs-framework: fix YCL issue.

2021-05-30 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../initrdscripts/initramfs-framework.inc   | 16 
 .../initramfs-framework_1.0.bbappend| 17 +
 2 files changed, 17 insertions(+), 16 deletions(-)
 create mode 100644 recipes-core/initrdscripts/initramfs-framework.inc

diff --git a/recipes-core/initrdscripts/initramfs-framework.inc 
b/recipes-core/initrdscripts/initramfs-framework.inc
new file mode 100644
index 000..dad9c96
--- /dev/null
+++ b/recipes-core/initrdscripts/initramfs-framework.inc
@@ -0,0 +1,16 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append = "\
+file://dmverity \
+"
+
+do_install_append() {
+# dm-verity
+install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
+}
+
+PACKAGES_append = " initramfs-module-dmverity"
+
+SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support"
+RDEPENDS_initramfs-module-dmverity = "${PN}-base"
+FILES_initramfs-module-dmverity = "/init.d/80-dmverity"
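Review bot: `install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity` relies on /init.d already existing in ${D} and on install's default mode; since this is an init script that must be executable, spelling out `install -d ${D}/init.d` and `install -m 0755` makes the append independent of the base recipe's install order.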
diff --git a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend 
b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
index dad9c96..dc74e01 100644
--- a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
+++ b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -1,16 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI_append = "\
-file://dmverity \
-"
-
-do_install_append() {
-# dm-verity
-install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
-}
-
-PACKAGES_append = " initramfs-module-dmverity"
-
-SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support"
-RDEPENDS_initramfs-module-dmverity = "${PN}-base"
-FILES_initramfs-module-dmverity = "/init.d/80-dmverity"
+require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity', 
'initramfs-framework.inc', '', d)}
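Review bot: this require line keys on the token 'dm-verity' in IMAGE_CLASSES, but the linux bbappend removed in patch 2/5 of this series tested for "dm-verity-img", which is the class name. bb.utils.contains matches whole space-separated tokens, so if the class is dm-verity-img this .inc is never required and initramfs-module-dmverity is never built; either check 'dm-verity-img' here or explain in the commit message why the token differs.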
-- 
2.24.3


View/Reply Online (#53703): https://lists.yoctoproject.org/g/yocto/message/53703



[yocto] [meta-security][PATCH 4/5] python3-scapy: drop, now in meta-python

2021-05-30 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-security/scapy/files/run-ptest|  4 ---
 recipes-security/scapy/python3-scapy_2.4.5.bb | 30 ---
 2 files changed, 34 deletions(-)
 delete mode 100644 recipes-security/scapy/files/run-ptest
 delete mode 100644 recipes-security/scapy/python3-scapy_2.4.5.bb

diff --git a/recipes-security/scapy/files/run-ptest 
b/recipes-security/scapy/files/run-ptest
deleted file mode 100644
index 797d8ec..000
--- a/recipes-security/scapy/files/run-ptest
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-UTscapy3 -t regression.uts -f text -l -C \
--o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \
-2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/'
diff --git a/recipes-security/scapy/python3-scapy_2.4.5.bb 
b/recipes-security/scapy/python3-scapy_2.4.5.bb
deleted file mode 100644
index 8f36520..000
--- a/recipes-security/scapy/python3-scapy_2.4.5.bb
+++ /dev/null
@@ -1,30 +0,0 @@
-SUMMARY = "Network scanning and manipulation tool"
-DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It 
is able to forge or decode packets of a wide number of protocols, send them on 
the wire, capture them, match requests and replies, and much more. It can 
easily handle most classical tasks like scanning, tracerouting, probing, unit 
tests, attacks or network discovery (it can replace hping, 85% of nmap, 
arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very 
well at a lot of other specific tasks that most other tools can't handle, like 
sending invalid frames, injecting your own 802.11 frames, combining technics 
(VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, 
...), etc."
-SECTION = "security"
-LICENSE = "GPLv2"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-SRCREV = "32cd7eb0f620d9adf171c48d55514e8326a538d7"
-SRC_URI = "git://github.com/secdev/scapy.git \
-   file://run-ptest"
-
-S = "${WORKDIR}/git"
-
-UPSTREAM_CHECK_COMMITS = "1"
-
-inherit setuptools3 ptest
-
-do_install_append() {
-mv ${D}${bindir}/scapy ${D}${bindir}/scapy3
-mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3
-}
-
-do_install_ptest() {
-install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH}
-sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest
-}
-
-RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography 
${PYTHON_PN}-netclient  \
-  ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc 
${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \
-  ${PYTHON_PN}-threading ${PYTHON_PN}-numbers 
${PYTHON_PN}-pycrypto"
-- 
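Review bot: removing the recipe is fine if meta-python's python3-scapy is a drop-in, but two things are not stated: whether meta-python's version still renames the binaries to scapy3 and UTscapy3 as this recipe did (anything in the layer or in user images calling scapy3 would break), and whether it ships a ptest package, since patch 5/5 drops python3-scapy-ptest from packagegroup-meta-security-ptest-packages. The commit message should say which meta-python revision was checked.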
2.24.3


View/Reply Online (#53704): https://lists.yoctoproject.org/g/yocto/message/53704



[yocto] [meta-security][PATCH 1/5] busybox: drop as libseccomp is in core

2021-05-30 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-core/busybox/busybox/head.cfg  | 1 -
 recipes-core/busybox/busybox_%.bbappend| 1 -
 recipes-core/busybox/busybox_libsecomp.inc | 3 ---
 3 files changed, 5 deletions(-)
 delete mode 100644 recipes-core/busybox/busybox/head.cfg
 delete mode 100644 recipes-core/busybox/busybox_%.bbappend
 delete mode 100644 recipes-core/busybox/busybox_libsecomp.inc

diff --git a/recipes-core/busybox/busybox/head.cfg 
b/recipes-core/busybox/busybox/head.cfg
deleted file mode 100644
index 16017ea..000
--- a/recipes-core/busybox/busybox/head.cfg
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_FEATURE_FANCY_HEAD=y
diff --git a/recipes-core/busybox/busybox_%.bbappend 
b/recipes-core/busybox/busybox_%.bbappend
deleted file mode 100644
index 27a2482..000
--- a/recipes-core/busybox/busybox_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 
'busybox_libsecomp.inc', '', d)}
diff --git a/recipes-core/busybox/busybox_libsecomp.inc 
b/recipes-core/busybox/busybox_libsecomp.inc
deleted file mode 100644
index 4af22ce..000
--- a/recipes-core/busybox/busybox_libsecomp.inc
+++ /dev/null
@@ -1,3 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/busybox:"
-
-SRC_URI_append  = " file://head.cfg"
-- 
2.24.3





[yocto] [meta-security][PATCH 5/5] packagegroup-core-security: drop python3-scapy

2021-05-30 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-core/packagegroup/packagegroup-core-security.bb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb 
b/recipes-core/packagegroup/packagegroup-core-security.bb
index cf9620f..e7b6d9b 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -37,7 +37,6 @@ RDEPENDS_packagegroup-security-utils = "\
 pinentry \
 python3-privacyidea \
 python3-fail2ban \
-python3-scapy \
 softhsm \
 libest \
 opendnssec \
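Review bot: both the utils list and the ptest list drop scapy, which is complete, but this change should land before (or be squashed with) the python3-scapy recipe removal so the series stays bisectable; as ordered, this packagegroup references a recipe that has already been deleted. The ptest list still carries libseccomp-ptest, which 1/5 says now comes from core, so confirm it resolves from core's libseccomp recipe and not a leftover in this layer.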
@@ -89,7 +88,6 @@ RDEPENDS_packagegroup-meta-security-ptest-packages = "\
 ptest-runner \
 samhain-standalone-ptest \
 libseccomp-ptest \
-python3-scapy-ptest \
 suricata-ptest \
 python3-fail2ban-ptest \
 ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
-- 
2.24.3





[yocto] [meta-security][PATCH 3/4] meta-integrity: YCL fixups

2021-05-31 Thread Armin Kuster
We won't need the linux-% once the kernel-feature class is included in core.
Move the inherit into the image itself.
Drop kernel patches not being used.

Signed-off-by: Armin Kuster 
---
 .../images/integrity-image-minimal.bb |   2 +
 .../recipes-kernel/linux/linux-%.bbappend |   5 -
 .../0001-ima-fix-ima_inode_post_setattr.patch |  51 ---
 ...for-creating-files-using-the-mknodat.patch | 138 --
 ...-file-hash-setting-by-user-to-fix-an.patch |  60 
 5 files changed, 2 insertions(+), 254 deletions(-)
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux-%.bbappend
 delete mode 100644 
meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
 delete mode 100644 
meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
 delete mode 100644 
meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch

diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb 
b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index 1a3a30a..4e7895a 100644
--- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -13,6 +13,8 @@ IMAGE_INSTALL = "\
 LICENSE = "MIT"
 
 inherit core-image
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', 
'', d)}
+
 
 export IMAGE_BASENAME = "integrity-image-minimal"
 
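Review bot: the added '+' blank line plus the existing one leaves a double blank line after the inherit; drop one. More substantively, kernel-modsign was previously inherited by the kernel recipe via the linux-% bbappend; inheriting it from an image recipe only does something if the class hooks image tasks, so the commit message should say what the class does at image level that it used to do at kernel level.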
diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend 
b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
deleted file mode 100644
index f9a48cd..000
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ /dev/null
@@ -1,5 +0,0 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " 
features/ima/ima.scc", "" ,d)}"
-
-KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 
' features/ima/modsign.scc', '', d)}"
-
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', 
'', d)}
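Review bot: the commit message says the linux-% append is unnecessary "once the kernel-feature class is included in core", but this hunk drops the KERNEL_FEATURES additions for features/ima/ima.scc and features/ima/modsign.scc now, with nothing in the layer selecting them in the meantime; users with ima or modsign in DISTRO_FEATURES silently stop getting the matching kernel config. Keep the two KERNEL_FEATURES_append lines until the core change is actually available, and only move the kernel-modsign inherit in this patch.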
diff --git 
a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
 
b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
deleted file mode 100644
index 64016dd..000
--- 
a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
-From: Mimi Zohar 
-Date: Tue, 8 Mar 2016 16:43:55 -0500
-Subject: [PATCH] ima: fix ima_inode_post_setattr
-
-Changing file metadata (eg. uid, guid) could result in having to
-re-appraise a file's integrity, but does not change the "new file"
-status nor the security.ima xattr.  The IMA_PERMIT_DIRECTIO and
-IMA_DIGSIG_REQUIRED flags are policy rule specific.  This patch
-only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
-
-With this patch, changing the file timestamp will not remove the
-file signature on new files.
-
-Upstream-Status: Accepted 
[https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
-
-Reported-by: Dmitry Rozhkov 
-Signed-off-by: Mimi Zohar 

- security/integrity/ima/ima_appraise.c | 2 +-
- security/integrity/integrity.h| 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/security/integrity/ima/ima_appraise.c 
b/security/integrity/ima/ima_appraise.c
-index 4df493e..a384ba1 100644
 a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
-   if (iint) {
-   iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
-IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
--   IMA_ACTION_FLAGS);
-+   IMA_ACTION_RULE_FLAGS);
-   if (must_appraise)
-   iint->flags |= IMA_APPRAISE;
-   }
-diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
-index 0fc9519..f9decae 100644
 a/security/integrity/integrity.h
-+++ b/security/integrity/integrity.h
-@@ -28,6 +28,7 @@
- 
- /* iint cache flags */
- #define IMA_ACTION_FLAGS  0xff00
-+#define IMA_ACTION_RULE_FLAGS 0x0600
- #define IMA_DIGSIG0x0100
- #define IMA_DIGSIG_REQUIRED   0x0200
- #define IMA_PERMIT_DIRECTIO   0x0400
--- 
-2.5.0
-
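Review bot: this one carries Upstream-Status: Accepted with the torvalds commit link (merged in 2016), and the deleted linux-%.bbappend never added any of these patches to SRC_URI, so "not being used" is accurate and dropping them is safe; it would help to say both things in the commit message so nobody has to re-derive why a kernel patch directory disappeared from an integrity layer.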
diff --git 
a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
 
b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creatin

[yocto] [meta-security][PATCH 4/4] meta-hardening/initscripts: missed override.

2021-05-31 Thread Armin Kuster
Helps pass YCL.

Signed-off-by: Armin Kuster 
---
 .../recipes-core/initscripts/initscripts_1.0.bbappend   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend 
b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
index 896b039..f943cb3 100644
--- a/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
+++ b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -1,4 +1,4 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS_prepend_harden := "${THISDIR}/files:"
 
 SRC_URI_append_harden = " file://mountall.sh"
 
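Review bot: with both lines now carrying the _harden override the bbappend is a no-op for any distro that does not put harden in OVERRIDES, which is what yocto-check-layer's signature test wants. One caveat worth a line in the commit message: := with an override suffix is still an immediate assignment, so ${THISDIR} expands at parse time as before; the only behaviour change is that the files directory is no longer prepended when harden is inactive.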
-- 
2.25.1





[yocto] [meta-security][PATCH 2/4] meta-tpm: remove linux-yocto

2021-05-31 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../recipes-kernel/linux/linux-yocto/tpm.cfg|  8 
 .../recipes-kernel/linux/linux-yocto/tpm.scc|  3 ---
 .../recipes-kernel/linux/linux-yocto/tpm2.cfg   |  6 --
 .../recipes-kernel/linux/linux-yocto/tpm2.scc   |  3 ---
 .../linux/linux-yocto/tpm_i2c.cfg   | 15 ---
 .../linux/linux-yocto/tpm_i2c.scc   |  6 --
 .../linux/linux-yocto/tpm_x86.cfg   |  4 
 .../recipes-kernel/linux/linux-yocto/vtpm.cfg   |  5 -
 .../recipes-kernel/linux/linux-yocto/vtpm.scc   |  4 
 .../linux/linux-yocto_5.%.bbappend  | 17 -
 10 files changed, 71 deletions(-)
 delete mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto/tpm.cfg
 delete mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto/tpm.scc
 delete mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.cfg
 delete mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.scc
 delete mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.cfg
 delete mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.scc
 delete mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg
 delete mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.cfg
 delete mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.scc
 delete mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend

diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.cfg 
b/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.cfg
deleted file mode 100644
index 8782823..000
--- a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.cfg
+++ /dev/null
@@ -1,8 +0,0 @@
-CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TPM=y
-CONFIG_TCG_TIS_CORE=y
-CONFIG_TCG_TIS=y
-CONFIG_SECURITYFS=y
-CONFIG_TCG_NSC=m
-CONFIG_TCG_ATMEL=m
-CONFIG_TCG_INFINEON=m
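Review bot: CONFIG_TCG_NSC, CONFIG_TCG_ATMEL and CONFIG_TCG_INFINEON here are the same three legacy x86 drivers that tpm_x86.cfg (deleted below) sets, and no .scc in this patch references tpm_x86.cfg, so the split was already dead. If the superseding 5/7 keeps these fragments under linux-yocto/, fold tpm_x86.cfg into tpm.cfg or wire it into tpm.scc rather than carrying both.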
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.scc 
b/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.scc
deleted file mode 100644
index 2949ed4..000
--- a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.scc
+++ /dev/null
@@ -1,3 +0,0 @@
-define KFEATURE_DESCRIPTION "Enable TPM"
-
-kconf hardware tpm.cfg
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.cfg 
b/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.cfg
deleted file mode 100644
index a81b54d..000
--- a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.cfg
+++ /dev/null
@@ -1,6 +0,0 @@
-CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TPM=y
-CONFIG_TCG_TIS_CORE=y
-CONFIG_TCG_TIS=y
-CONFIG_TCG_CRB=y
-CONFIG_SECURITYFS=y
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.scc 
b/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.scc
deleted file mode 100644
index 088148f..000
--- a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.scc
+++ /dev/null
@@ -1,3 +0,0 @@
-define KFEATURE_DESCRIPTION "Enable TPM 2.0"
-
-kconf hardware tpm2.cfg
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.cfg 
b/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.cfg
deleted file mode 100644
index 59993f9..000
--- a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.cfg
+++ /dev/null
@@ -1,15 +0,0 @@
-CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TPM=y
-CONFIG_TCG_TIS_CORE=y
-CONFIG_TCG_TIS=y
-CONFIG_SECURITYFS=y
-
-CONFIG_REGMAP_I2C=y
-CONFIG_I2C_BOARDINFO=y
-CONFIG_I2C_COMPAT=y
-CONFIG_RTC_I2C_AND_SPI=y
-
-CONFIG_TCG_TIS_I2C_ATMEL=m
-CONFIG_TCG_TIS_I2C_INFINEON=m
-CONFIG_TCG_TIS_I2C_NUVOTON=m
-CONFIG_TCG_TIS_ST33ZP24_I2C=m
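Review bot: CONFIG_RTC_I2C_AND_SPI in a TPM fragment looks like a stray RTC option copied from an I2C defconfig; the TIS I2C drivers do not need it. If this fragment is retained by the later series, drop it and let the include features/i2c/i2c.scc already in tpm_i2c.scc carry the I2C core options.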
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.scc 
b/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.scc
deleted file mode 100644
index 0e4eedb..000
--- a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.scc
+++ /dev/null
@@ -1,6 +0,0 @@
-define KFEATURE_DESCRIPTION "Enable TPM i2c"
-
-include features/i2c/i2c.scc
-
-kconf hardware tpm_i2c.cfg
-
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg 
b/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg
deleted file mode 100644
index 8be331a..000
--- a/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg
+++ /dev/null
@@ -1,4 +0,0 @@
-CONFIG_TCG_NSC=m
-CONFIG_TCG_ATMEL=m
-CONFIG_TCG_INFINEON=m
-CONFIG_TCG_TIS_ST33ZP24=m
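Review bot: nothing references tpm_x86.cfg: tpm.scc pulls tpm.cfg, tpm2.scc pulls tpm2.cfg, and the bbappend only adds .scc files, so this fragment was never applied. Deleting it is correct; since 5/7 keeps the .scc/.cfg set under linux-yocto/, check that the same dead file is not carried forward there.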
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.cfg 
b/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.cfg
deleted file mode 100644
index a8b3758..000
--- a/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.cfg
+++ /dev/null
@@ -1,5 +0,0 @@
-CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TPM=y
-CONFIG_TCG_VTPM_PROXY=y
-CONFIG_SECURITYFS=y
-~
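Review bot: the last line of this fragment is a stray `~` (an editor artifact), not Kconfig fragment syntax; if vtpm.cfg survives in the superseding series it should end at CONFIG_SECURITYFS=y.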
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.scc 
b/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.scc
deleted file mode 100644
index e842da6..000
--- a/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.scc
+++ /dev/null
@@ -1,4 +0,0 @@
-define KFEATURE_DESCRIPTION "Enable vTPM"
-
-kconf hardware vtpm.cfg
-
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend 
b/meta-tpm/recipes-kernel/linux/linux-yocto_5.%

[yocto] [meta-security][PATCH 1/4] linux-yocto: remove bbappend

2021-05-31 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-kernel/linux/linux-yocto-dev.bbappend | 3 ---
 recipes-kernel/linux/linux-yocto_5.%.bbappend | 3 ---
 2 files changed, 6 deletions(-)
 delete mode 100644 recipes-kernel/linux/linux-yocto-dev.bbappend
 delete mode 100644 recipes-kernel/linux/linux-yocto_5.%.bbappend

diff --git a/recipes-kernel/linux/linux-yocto-dev.bbappend 
b/recipes-kernel/linux/linux-yocto-dev.bbappend
deleted file mode 100644
index fa536d0..000
--- a/recipes-kernel/linux/linux-yocto-dev.bbappend
+++ /dev/null
@@ -1,3 +0,0 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", 
" features/apparmor/apparmor.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " 
features/smack/smack.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", 
"dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
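Review bot: the index line shows both bbappends are byte-identical (fa536d0), which is the real reason to consolidate them, but removing them outright drops the apparmor, smack and dm-verity KERNEL_FEATURES selection with no replacement in this patch; anyone building those features loses the kernel config silently. The 0/7 series posted later moves these lines into linux-yocto_security.inc instead; this version should not be merged on its own.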
diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend 
b/recipes-kernel/linux/linux-yocto_5.%.bbappend
deleted file mode 100644
index fa536d0..000
--- a/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ /dev/null
@@ -1,3 +0,0 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", 
" features/apparmor/apparmor.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " 
features/smack/smack.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", 
"dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
-- 
2.25.1





[yocto] [meta-security][PATCH 0/7] YCL cleanups

2021-06-05 Thread Armin Kuster
This series supersedes the previous set to help
pass the check-layer script.

Armin Kuster (7):
  meta-security: add sanity check
  meta-security/recipe-kernel: use sanity check
  linux-yocto-dev: drop bbappend
  meta-tpm: add layer sanity check
  meta-tpm/linux-yocto: use sanity support
  meta-integrity: add sanity check
  meta-integrity/recipe-kernel: use sanity check

 README| 18 ++
 classes/sanity-meta-security.bbclass  | 10 ++
 conf/layer.conf   |  4 
 meta-integrity/README.md  | 18 +-
 .../classes/sanity-meta-integrity.bbclass | 10 ++
 meta-integrity/conf/layer.conf|  4 
 .../recipes-kernel/linux/linux-%.bbappend |  6 +-
 .../recipes-kernel/linux/linux_ima.inc|  5 +
 meta-tpm/README   | 19 +++
 meta-tpm/classes/sanity-meta-tpm.bbclass  | 10 ++
 meta-tpm/conf/layer.conf  |  4 
 .../linux/linux-yocto_5.%.bbappend| 18 +-
 .../recipes-kernel/linux/linux-yocto_tpm.inc  | 17 +
 recipes-kernel/linux/linux-yocto_5.%.bbappend |  4 +---
 ...-dev.bbappend => linux-yocto_security.inc} |  0
 15 files changed, 121 insertions(+), 26 deletions(-)
 create mode 100644 classes/sanity-meta-security.bbclass
 create mode 100644 meta-integrity/classes/sanity-meta-integrity.bbclass
 create mode 100644 meta-integrity/recipes-kernel/linux/linux_ima.inc
 create mode 100644 meta-tpm/classes/sanity-meta-tpm.bbclass
 create mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc
 rename recipes-kernel/linux/{linux-yocto-dev.bbappend => 
linux-yocto_security.inc} (100%)

-- 
2.25.1





[yocto] [meta-security][PATCH 1/7] meta-security: add sanity check

2021-06-05 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 README   | 18 ++
 classes/sanity-meta-security.bbclass | 10 ++
 conf/layer.conf  |  4 
 3 files changed, 32 insertions(+)
 create mode 100644 classes/sanity-meta-security.bbclass

diff --git a/README b/README
index eb15366..4047b86 100644
--- a/README
+++ b/README
@@ -1,6 +1,24 @@
 Meta-security
 =
 
+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'security' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+  DISTRO_FEATURES_append = " security"
+
+If meta-security is included, but security  is not enabled as a
+distro feature a warning is printed at parse time:
+
+You have included the meta-security layer, but
+'security' has not been enabled in your DISTRO_FEATURES. Some bbappend 
files
+and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the 
following
+variable in your configuration:
+
+  SKIP_META_SECURITY_SANITY_CHECK = 1
+
 This layer provides security tools, hardening tools for Linux kernels
 and libraries for implementing security mechanisms.
 
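Review bot: `SKIP_META_SECURITY_SANITY_CHECK = 1` is not valid BitBake syntax (values must be quoted); write `SKIP_META_SECURITY_SANITY_CHECK = "1"`, which is also the string the class compares against. The warning text quoted here also differs from what the class prints (the class appends a pointer back to this README), so either keep the two in sync or shorten the README copy to a one-line summary.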
diff --git a/classes/sanity-meta-security.bbclass 
b/classes/sanity-meta-security.bbclass
new file mode 100644
index 000..b6c6b9c
--- /dev/null
+++ b/classes/sanity-meta-security.bbclass
@@ -0,0 +1,10 @@
+addhandler security_bbappend_distrocheck
+security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
+python security_bbappend_distrocheck() {
+skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1"
+if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not 
skip_check:
+bb.warn("You have included the meta-security layer, but \
+'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-security 
README \
+for details on enabling security support.")
+}
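Review bot: the variable read here is misspelled (`SKIP_META_SECUIRTY_SANITY_CHECK`), so the documented `SKIP_META_SECURITY_SANITY_CHECK` never disables the warning; fix the spelling. Also guard against DISTRO_FEATURES being unset at parse time: `(e.data.getVar('DISTRO_FEATURES') or '').split()` avoids an AttributeError on None.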
diff --git a/conf/layer.conf b/conf/layer.conf
index 906e024..7853d6e 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -13,6 +13,10 @@ LAYERSERIES_COMPAT_security = "hardknott"
 
 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer 
meta-python"
 
+# Sanity check for meta-security layer.
+# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files 
check.
+INHERIT += "sanity-meta-security"
+
 BBFILES_DYNAMIC += " \
 rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb  \
 "
-- 
2.25.1





[yocto] [meta-security][PATCH 2/7] meta-security/recipe-kernel: use sanity check

2021-06-05 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-kernel/linux/linux-yocto-dev.bbappend | 4 +---
 recipes-kernel/linux/linux-yocto_5.%.bbappend | 4 +---
 recipes-kernel/linux/linux-yocto_security.inc | 3 +++
 3 files changed, 5 insertions(+), 6 deletions(-)
 create mode 100644 recipes-kernel/linux/linux-yocto_security.inc

diff --git a/recipes-kernel/linux/linux-yocto-dev.bbappend 
b/recipes-kernel/linux/linux-yocto-dev.bbappend
index fa536d0..1d9054f 100644
--- a/recipes-kernel/linux/linux-yocto-dev.bbappend
+++ b/recipes-kernel/linux/linux-yocto-dev.bbappend
@@ -1,3 +1 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", 
" features/apparmor/apparmor.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " 
features/smack/smack.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", 
"dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'security', 
'${BPN}_security.inc', '', d)}
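Review bot: for linux-yocto-dev, ${BPN} expands to linux-yocto-dev, so this require looks for linux-yocto-dev_security.inc, which this patch does not create (the new file below is linux-yocto_security.inc); with security in DISTRO_FEATURES the recipe fails to parse. Either require linux-yocto_security.inc by name in both appends, or squash 3/7 into this patch.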
diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend 
b/recipes-kernel/linux/linux-yocto_5.%.bbappend
index fa536d0..1d9054f 100644
--- a/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -1,3 +1 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", 
" features/apparmor/apparmor.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " 
features/smack/smack.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", 
"dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'security', 
'${BPN}_security.inc', '', d)}
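Review bot: before this change a distro with only apparmor or smack in DISTRO_FEATURES got the matching kernel feature; now it also needs security, otherwise the include is skipped and nothing is enabled. That is the intent of 1/7, but the sanity class only warns, so spell the new prerequisite out next to the apparmor/smack/dm-verity documentation rather than relying on the parse-time warning alone.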
diff --git a/recipes-kernel/linux/linux-yocto_security.inc 
b/recipes-kernel/linux/linux-yocto_security.inc
new file mode 100644
index 000..fa536d0
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto_security.inc
@@ -0,0 +1,3 @@
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", 
" features/apparmor/apparmor.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " 
features/smack/smack.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", 
"dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
-- 
2.25.1





[yocto] [meta-security][PATCH 4/7] meta-tpm: add layer sanity check

2021-06-05 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-tpm/README  | 19 +++
 meta-tpm/classes/sanity-meta-tpm.bbclass | 10 ++
 meta-tpm/conf/layer.conf |  4 
 3 files changed, 33 insertions(+)
 create mode 100644 meta-tpm/classes/sanity-meta-tpm.bbclass

diff --git a/meta-tpm/README b/meta-tpm/README
index dd662b3..59d2ee3 100644
--- a/meta-tpm/README
+++ b/meta-tpm/README
@@ -1,6 +1,25 @@
 meta-tpm layer
 ==
 
+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'tpm' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+  DISTRO_FEATURES_append = " tmp"
+
+If meta-tpm is included, but tpm is not enabled as a
+distro feature a warning is printed at parse time:
+
+You have included the meta-tpm layer, but
+'tpm' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the 
following
+variable in your configuration:
+
+  SKIP_META_TPM_SANITY_CHECK = 1
+
+
 This layer contains base TPM recipes.
 
 Dependencies
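Review bot: typo in the example line: `DISTRO_FEATURES_append = " tmp"` should be `" tpm"`, otherwise readers copy a feature name the class never checks. As in the meta-security README, `SKIP_META_TPM_SANITY_CHECK = 1` needs quotes (`"1"`) to parse as BitBake.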
diff --git a/meta-tpm/classes/sanity-meta-tpm.bbclass 
b/meta-tpm/classes/sanity-meta-tpm.bbclass
new file mode 100644
index 000..2f8b52d
--- /dev/null
+++ b/meta-tpm/classes/sanity-meta-tpm.bbclass
@@ -0,0 +1,10 @@
+addhandler tpm_machinecheck
+tpm_machinecheck[eventmask] = "bb.event.SanityCheck"
+python tpm_machinecheck() {
+skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1"
+if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and not 
skip_check:
+bb.warn("You have included the meta-tpm layer, but \
+'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend 
files \
+and preferred version setting may not take effect. See the meta-tpm README \
+for details on enabling tpm support.")
+}
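Review bot: the warning text says 'tpm or tpm2' but the test only looks for 'tpm' in DISTRO_FEATURES, while 5/7 selects the kernel fragments from MACHINE_FEATURES (tpm, tpm2, tpm_i2c, vtpm); decide which variable is authoritative and make the message and the check agree (bb.utils.contains_any over DISTRO_FEATURES with 'tpm tpm2' if both are accepted). The handler name tpm_machinecheck also suggests a MACHINE_FEATURES check while it tests DISTRO_FEATURES, and `e.data.getVar('DISTRO_FEATURES')` should be guarded with `or ''` before `.split()`.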
diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf
index 1b766cb..0b102c5 100644
--- a/meta-tpm/conf/layer.conf
+++ b/meta-tpm/conf/layer.conf
@@ -17,6 +17,10 @@ LAYERDEPENDS_tpm-layer = " \
 "
 BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
 
+# Sanity check for meta-integrity layer.
+# Setting SKIP_META_TPM_SANITY_CHECK to "1" would skip the bbappend files 
check.
+INHERIT += "sanity-meta-tpm"
+
 BBFILES_DYNAMIC += " \
 
networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend
 \
 "
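Review bot: copy-paste comment: "Sanity check for meta-integrity layer." in meta-tpm/conf/layer.conf should read meta-tpm.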
-- 
2.25.1





[yocto] [meta-security][PATCH 3/7] linux-yocto-dev: drop bbappend

2021-06-05 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-kernel/linux/linux-yocto-dev.bbappend | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 recipes-kernel/linux/linux-yocto-dev.bbappend

diff --git a/recipes-kernel/linux/linux-yocto-dev.bbappend 
b/recipes-kernel/linux/linux-yocto-dev.bbappend
deleted file mode 100644
index 1d9054f..000
--- a/recipes-kernel/linux/linux-yocto-dev.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'security', 
'${BPN}_security.inc', '', d)}
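Review bot: this removes the append that 2/7 just rewrote into a require of ${BPN}_security.inc, which for linux-yocto-dev resolves to a non-existent linux-yocto-dev_security.inc; squash it into 2/7 so the intermediate commit does not fail to parse with security enabled, and say in the message whether linux-yocto-dev is meant to lose the security features or is expected to be covered by the 5.% append.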
-- 
2.25.1





[yocto] [meta-security][PATCH 7/7] meta-integrity/recipe-kernel: use sanity check

2021-06-05 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-integrity/recipes-kernel/linux/linux-%.bbappend | 6 +-
 meta-integrity/recipes-kernel/linux/linux_ima.inc| 5 +
 2 files changed, 6 insertions(+), 5 deletions(-)
 create mode 100644 meta-integrity/recipes-kernel/linux/linux_ima.inc

diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend 
b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
index f9a48cd..be60bfe 100644
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,5 +1 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " 
features/ima/ima.scc", "" ,d)}"
-
-KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 
' features/ima/modsign.scc', '', d)}"
-
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', 
'', d)}
+require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 
'linux_ima.inc', '', d)}
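Review bot: 'integrity ' has a trailing space and is a single item, so plain bb.utils.contains('DISTRO_FEATURES', 'integrity', ...) is the idiomatic form (contains_any splits on whitespace, so it still works, but it invites a second feature being added here by mistake). More importantly, linux_ima.inc still keys ima.scc on 'ima' and modsign.scc on 'modsign' in DISTRO_FEATURES, so 'integrity' alone enables nothing; the README added in 6/7 should say that ima and/or modsign are needed as well.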
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc 
b/meta-integrity/recipes-kernel/linux/linux_ima.inc
new file mode 100644
index 000..f9a48cd
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -0,0 +1,5 @@
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " 
features/ima/ima.scc", "" ,d)}"
+
+KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 
' features/ima/modsign.scc', '', d)}"
+
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', 
'', d)}
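Review bot: this keeps `inherit kernel-modsign` on the kernel recipe, whereas the earlier 3/4 moved it into integrity-image-minimal; since this series supersedes that one, confirm the image-side inherit is not also present so only one recipe inherits the class, and note in the commit message which location is intended.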
-- 
2.25.1





[yocto] [meta-security][PATCH 5/7] meta-tpm/linux-yocto: use sanity support

2021-06-05 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../linux/linux-yocto_5.%.bbappend | 18 +-
 .../recipes-kernel/linux/linux-yocto_tpm.inc   | 17 +
 2 files changed, 18 insertions(+), 17 deletions(-)
 create mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc

diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend 
b/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
index cea8b1b..2cf1453 100644
--- a/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ b/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -1,17 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
-
-# Enable tpm in kernel 
-SRC_URI_append_x86 = " \
-${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
-${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', 
d)} \
-"
-
-SRC_URI_append_x86-64 = " \
-${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
-${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', 
d)} \
-"
-
-SRC_URI += " \
-${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', 
'', d)} \
-${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', 
d)} \
-"
+require ${@bb.utils.contains_any('DISTRO_FEATURES', 'tpm', 
'linux-yocto_tpm.inc', '', d)}
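Review bot: the gate is DISTRO_FEATURES containing 'tpm', but the fragments inside linux-yocto_tpm.inc are chosen by MACHINE_FEATURES (tpm, tpm2, tpm_i2c, vtpm); a tpm2-only machine on a distro without 'tpm' in DISTRO_FEATURES gets no TPM kernel config and only the warning from 4/7. Either use contains_any with 'tpm tpm2' and document 'tpm' as the umbrella distro feature, and use contains rather than contains_any for a single value.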
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc 
b/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc
new file mode 100644
index 000..cea8b1b
--- /dev/null
+++ b/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc
@@ -0,0 +1,17 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
+
+# Enable tpm in kernel 
+SRC_URI_append_x86 = " \
+${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
+${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', 
d)} \
+"
+
+SRC_URI_append_x86-64 = " \
+${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
+${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', 
d)} \
+"
+
+SRC_URI += " \
+${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', 
'', d)} \
+${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', 
d)} \
+"
-- 
2.25.1





[yocto] [meta-security][PATCH 6/7] meta-integrity: add sanity check

2021-06-05 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-integrity/README.md   | 18 +-
 .../classes/sanity-meta-integrity.bbclass  | 10 ++
 meta-integrity/conf/layer.conf |  4 
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 meta-integrity/classes/sanity-meta-integrity.bbclass

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 5048fba..8254b0d 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -1,8 +1,24 @@
 This README file contains information on the contents of the
 integrity layer.
 
-Please see the corresponding sections below for details.
 
+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'integrity' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+  DISTRO_FEATURES_append = " integrity"
+
+If meta-integrity is included, but integrity is not enabled as a
+distro feature a warning is printed at parse time:
+
+You have included the meta-integritry layer, but
+'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend 
files
+and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the 
following
+variable in your configuration:
+
+  SKIP_META_INTEGRITY_SANITY_CHECK = 1
 
 Dependencies
 
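Review bot: the warning text quoted in the README (`You have included the meta-integritry layer`) misspells the layer name and does not match what the class actually emits (the bb.warn message ends with `See the meta-integrity README for details on enabling integrity support.`); paste the string verbatim so users can grep for it. `SKIP_META_INTEGRITY_SANITY_CHECK = 1` does work, since BitBake stores the value as the string "1" that the class compares against, but quoting it (`= "1"`) matches the layer.conf comment.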
diff --git a/meta-integrity/classes/sanity-meta-integrity.bbclass 
b/meta-integrity/classes/sanity-meta-integrity.bbclass
new file mode 100644
index 000..6ba7e3f
--- /dev/null
+++ b/meta-integrity/classes/sanity-meta-integrity.bbclass
@@ -0,0 +1,10 @@
+addhandler integrity_bbappend_distrocheck
+integrity_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
+python integrity_bbappend_distrocheck() {
+skip_check = e.data.getVar('SKIP_META_INTEGRITY_SANITY_CHECK') == "1"
+if 'integrity' not in e.data.getVar('DISTRO_FEATURES').split() and not 
skip_check:
+bb.warn("You have included the meta-integrity layer, but \
+'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-integrity 
README \
+for details on enabling integrity support.")
+}
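Review bot: `e.data.getVar('DISTRO_FEATURES').split()` raises AttributeError when DISTRO_FEATURES is unset (getVar returns None), turning a sanity warning into a parse failure; use `(e.data.getVar('DISTRO_FEATURES') or '').split()`. The backslash continuations inside the bb.warn string also splice the leading indentation of the following lines into the message if those lines are indented; adjacent string literals avoid that.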
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index ba028da..37776f8 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -26,6 +26,10 @@ LAYERDEPENDS_integrity = "core openembedded-layer"
 
 BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity"
 
+# Sanity check for meta-integrity layer.
+# Setting SKIP_META_INTEGRITY_SANITY_CHECK to "1" would skip the bbappend 
files check.
+INHERIT += "sanity-meta-integrity"
+
 BBFILES_DYNAMIC += " \
 
networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend
 \
 "
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53765): https://lists.yoctoproject.org/g/yocto/message/53765
Mute This Topic: https://lists.yoctoproject.org/mt/83339080/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [yocto] [PATCH] smack: add 3 cves to allowlist

2021-06-18 Thread Armin Kuster


On 6/18/21 5:16 AM, Sekine Shigeki wrote:
> CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 are not for smack of 
> smack-team(https://github.com/smack-team/smack) but other project.

Thanks. So this is for meta-security layer based on version.

- armin
>
> Signed-off-by: Sekine Shigeki 
> ---
>  recipes-mac/smack/smack_1.3.1.bb | 5 +
>  1 file changed, 5 insertions(+)
>
> diff --git a/recipes-mac/smack/smack_1.3.1.bb 
> b/recipes-mac/smack/smack_1.3.1.bb
> index b1ea4e9..6ae715e 100644
> --- a/recipes-mac/smack/smack_1.3.1.bb
> +++ b/recipes-mac/smack/smack_1.3.1.bb
> @@ -13,6 +13,11 @@ SRC_URI = " \
>  
>  PV = "1.3.1"
>  
> +# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 is valnerble for other 
> product.
> +CVE_CHECK_WHITELIST += "CVE-2014-0363"
> +CVE_CHECK_WHITELIST += "CVE-2014-0364"
> +CVE_CHECK_WHITELIST += "CVE-2016-10027"
> +
>  inherit autotools update-rc.d pkgconfig ptest
>  inherit 
> ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', 
> d)}
>  inherit features_check
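Review bot: the comment above the three `CVE_CHECK_WHITELIST` lines has typos and a grammar slip (`is valnerble for other product`); name the product the CVEs actually apply to, or link the CVE entries, so the next person reviewing the whitelist can re-verify the exclusion, since a whitelist entry permanently hides those CVEs from cve-check.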
>
> 
>


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53913): https://lists.yoctoproject.org/g/yocto/message/53913
Mute This Topic: https://lists.yoctoproject.org/mt/83626672/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [yocto] [PATCH] smack: add 3 cves to allowlist

2021-06-20 Thread Armin Kuster
merged.

On 6/18/21 5:16 AM, Sekine Shigeki wrote:
> CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 are not for smack of 
> smack-team(https://github.com/smack-team/smack) but other project.
>
> Signed-off-by: Sekine Shigeki 
> ---
>  recipes-mac/smack/smack_1.3.1.bb | 5 +
>  1 file changed, 5 insertions(+)
>
> diff --git a/recipes-mac/smack/smack_1.3.1.bb 
> b/recipes-mac/smack/smack_1.3.1.bb
> index b1ea4e9..6ae715e 100644
> --- a/recipes-mac/smack/smack_1.3.1.bb
> +++ b/recipes-mac/smack/smack_1.3.1.bb
> @@ -13,6 +13,11 @@ SRC_URI = " \
>  
>  PV = "1.3.1"
>  
> +# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 is valnerble for other 
> product.
> +CVE_CHECK_WHITELIST += "CVE-2014-0363"
> +CVE_CHECK_WHITELIST += "CVE-2014-0364"
> +CVE_CHECK_WHITELIST += "CVE-2016-10027"
> +
>  inherit autotools update-rc.d pkgconfig ptest
>  inherit 
> ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', 
> d)}
>  inherit features_check
>
> 
>


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53923): https://lists.yoctoproject.org/g/yocto/message/53923
Mute This Topic: https://lists.yoctoproject.org/mt/83626672/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [yocto] [meta-security][PATCH] sssd: set pid path with /run

2021-06-20 Thread Armin Kuster
series merged.

thanks

On 6/15/21 1:50 AM, kai.k...@windriver.com wrote:
> From: Kai Kang 
>
> /var/run is deprecated and set pid path with /run to store pid files for
> the SSSD.
>
> Signed-off-by: Kai Kang 
> ---
>  recipes-security/sssd/sssd_2.5.0.bb | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/recipes-security/sssd/sssd_2.5.0.bb 
> b/recipes-security/sssd/sssd_2.5.0.bb
> index 4c92519..c699527 100644
> --- a/recipes-security/sssd/sssd_2.5.0.bb
> +++ b/recipes-security/sssd/sssd_2.5.0.bb
> @@ -63,6 +63,7 @@ EXTRA_OECONF += " \
>  --without-python2-bindings \
>  --without-secrets \
>  --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
> +--with-pid-path=/run \
>  "
>  
>  do_configure_prepend() {
> @@ -88,8 +89,8 @@ do_install () {
>  echo "d /var/log/sssd 0750 - - - -" > 
> ${D}${sysconfdir}/tmpfiles.d/sss.conf
>  fi
>  
> -# Remove /var/run as it is created on startup
> -rm -rf ${D}${localstatedir}/run
> +# Remove /run as it is created on startup
> +rm -rf ${D}/run
>  
>  rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
>  }


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53924): https://lists.yoctoproject.org/g/yocto/message/53924
Mute This Topic: https://lists.yoctoproject.org/mt/83551538/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[yocto] [meta-security][PATCH] initramfs-framework: fix typo in conditional

2021-06-20 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-core/initrdscripts/initramfs-framework_1.0.bbappend | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend 
b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
index dc74e01..f5d476e 100644
--- a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
+++ b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -1 +1 @@
-require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity', 
'initramfs-framework.inc', '', d)}
+require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity-img', 
'initramfs-framework.inc', '', d)}
-- 
2.17.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53925): https://lists.yoctoproject.org/g/yocto/message/53925
Mute This Topic: https://lists.yoctoproject.org/mt/83677261/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [yocto] [meta-security][PATCH] aircrack-ng: update to 1.6

2021-06-20 Thread Armin Kuster
merged,

thanks   

On 6/15/21 9:32 PM, Federico Pellegrin wrote:
> Signed-off-by: Federico Pellegrin 
> ---
>  .../{aircrack-ng_1.3.bb => aircrack-ng_1.6.bb}| 8 +---
>  1 file changed, 5 insertions(+), 3 deletions(-)
>  rename recipes-security/aircrack-ng/{aircrack-ng_1.3.bb => 
> aircrack-ng_1.6.bb} (82%)
>
> diff --git a/recipes-security/aircrack-ng/aircrack-ng_1.3.bb 
> b/recipes-security/aircrack-ng/aircrack-ng_1.6.bb
> similarity index 82%
> rename from recipes-security/aircrack-ng/aircrack-ng_1.3.bb
> rename to recipes-security/aircrack-ng/aircrack-ng_1.6.bb
> index d739227..8d3b531 100644
> --- a/recipes-security/aircrack-ng/aircrack-ng_1.3.bb
> +++ b/recipes-security/aircrack-ng/aircrack-ng_1.6.bb
> @@ -9,8 +9,8 @@ DEPENDS = "libnl openssl sqlite3 libpcre libpcap"
>  
>  SRC_URI = "http://download.aircrack-ng.org/${BP}.tar.gz";
>  
> -SRC_URI[md5sum] = "c7c5b076dee0c25ee580b0f56f455623"
> -SRC_URI[sha256sum] = 
> "8ae08a7c28741f6ace2769267112053366550e7f746477081188ad38410383ca"
> +SRC_URI[md5sum] = "22ddc85549b51ed0da0931d01ef215e5"
> +SRC_URI[sha256sum] = 
> "4f0bfd486efc6ea7229f7fbc54340ff8b2094a0d73e9f617e0a39f878999a247"
>  
>  inherit autotools-brokensep pkgconfig
>  
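Review bot: with `SRC_URI[sha256sum]` updated, the `SRC_URI[md5sum]` line is redundant; OE needs only one checksum and md5 adds no integrity value, so drop it instead of carrying both forward.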
> @@ -29,6 +29,8 @@ do_install () {
>  make DESTDIR=${D} ${OEMAKE_EXTRA} ext_scripts=true install
>  }
>  
> -FILES_${PN} += "/usr/local/"
> +FILES_${PN} += "${libdir}/*.so"
> +FILES_SOLIBSDEV = ""
> +INSANE_SKIP_${PN} += "dev-so"
>  
>  RDEPENDS_${PN} = "libpcap"
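Review bot: `FILES_SOLIBSDEV = ""` plus `INSANE_SKIP_${PN} += "dev-so"` silences the unversioned-.so QA check rather than explaining it; if 1.6 installs unversioned libraries in `${libdir}` that the tools load at runtime, say so in a comment above these three lines, otherwise the `${libdir}/*.so` files belong in `${PN}-dev` and the skip should go.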


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53926): https://lists.yoctoproject.org/g/yocto/message/53926
Mute This Topic: https://lists.yoctoproject.org/mt/83573954/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[yocto] [meta-security][PATCH 2/4] sshguard: add package

2021-06-27 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-security/sshguard/sshguard_2.4.2.bb | 11 +++
 1 file changed, 11 insertions(+)
 create mode 100644 recipes-security/sshguard/sshguard_2.4.2.bb

diff --git a/recipes-security/sshguard/sshguard_2.4.2.bb 
b/recipes-security/sshguard/sshguard_2.4.2.bb
new file mode 100644
index 000..bd7f979
--- /dev/null
+++ b/recipes-security/sshguard/sshguard_2.4.2.bb
@@ -0,0 +1,11 @@
+SUMARRY=" Intelligently block brute-force attacks by aggregating system logs "
+HOMEPAGE = "https://www.sshguard.net/";
+LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
+LICENSE = "BSD-1-Clause"
+
+
+SRC_URI="https://sourceforge.net/projects/sshguard/files/sshguard/${PV}/sshguard-${PV}.tar.gz";
+
+SRC_URI[sha256sum] = 
"2770b776e5ea70a9bedfec4fd84d57400afa927f0f7522870d2dcbbe1ace37e8"
+
+inherit autotools-brokensep
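Review bot: `SUMARRY` on the first line is misspelled, so the recipe sets no SUMMARY at all; it should be `SUMMARY = "Intelligently block brute-force attacks by aggregating system logs"` (also drop the padding spaces inside the quotes and add spaces around `=` as on the HOMEPAGE line). The doubled blank line after LICENSE and `SRC_URI=` without spaces are style nits. sshguard also only acts through a firewall backend (iptables, nftables, pf and so on) and nothing here records that runtime requirement; an RDEPENDS or at least a comment would help.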
-- 
2.17.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53985): https://lists.yoctoproject.org/g/yocto/message/53985
Mute This Topic: https://lists.yoctoproject.org/mt/83830264/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[yocto] [meta-security][PATCH 1/4] initramfs-framework: fix typo in conditional

2021-06-27 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-core/initrdscripts/initramfs-framework_1.0.bbappend | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend 
b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
index dc74e01..f5d476e 100644
--- a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
+++ b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -1 +1 @@
-require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity', 
'initramfs-framework.inc', '', d)}
+require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity-img', 
'initramfs-framework.inc', '', d)}
-- 
2.17.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53984): https://lists.yoctoproject.org/g/yocto/message/53984
Mute This Topic: https://lists.yoctoproject.org/mt/83830263/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[yocto] [meta-security][PATCH 3/4] packagegroup-core-security: add sshguard

2021-06-27 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-core/packagegroup/packagegroup-core-security.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb 
b/recipes-core/packagegroup/packagegroup-core-security.bb
index e7b6d9b..8e06f30 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -40,6 +40,7 @@ RDEPENDS_packagegroup-security-utils = "\
 softhsm \
 libest \
 opendnssec \
+sshguard \
 ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " 
libseccomp",d)} \
 ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd 
google-authenticator-libpam", "",d)} \
 ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} 
\
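Review bot: adding `sshguard` unconditionally to the utils packagegroup pulls in a daemon that cannot block anything without a firewall backend, and neither this line nor the recipe in 2/4 brings one in; either condition the entry on the relevant DISTRO_FEATURES like the `pam` and `pax` entries below it, or have the recipe declare the backend dependency, so images do not end up with a log watcher that silently never enforces.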
-- 
2.17.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53986): https://lists.yoctoproject.org/g/yocto/message/53986
Mute This Topic: https://lists.yoctoproject.org/mt/83830266/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[yocto] [meta-security][PATCH 4/4] initramfs-framework: rename files dir

2021-06-27 Thread Armin Kuster
Fixes:
ERROR: initramfs-framework-1.0-r4 do_fetch: Fetcher failure for URL: 
'file://dmverity'. Unable to fetch URL from any source.

Signed-off-by: Armin Kuster 
---
 .../{initramfs-framework => initramfs-framework-dm}/dmverity| 0
 recipes-core/initrdscripts/initramfs-framework.inc  | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename recipes-core/initrdscripts/{initramfs-framework => 
initramfs-framework-dm}/dmverity (100%)

diff --git a/recipes-core/initrdscripts/initramfs-framework/dmverity 
b/recipes-core/initrdscripts/initramfs-framework-dm/dmverity
similarity index 100%
rename from recipes-core/initrdscripts/initramfs-framework/dmverity
rename to recipes-core/initrdscripts/initramfs-framework-dm/dmverity
diff --git a/recipes-core/initrdscripts/initramfs-framework.inc 
b/recipes-core/initrdscripts/initramfs-framework.inc
index dad9c96..12010bf 100644
--- a/recipes-core/initrdscripts/initramfs-framework.inc
+++ b/recipes-core/initrdscripts/initramfs-framework.inc
@@ -1,4 +1,4 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+FILESEXTRAPATHS_prepend := "${THISDIR}/initramfs-framework-dm:"
 
 SRC_URI_append = "\
 file://dmverity \
-- 
2.17.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53987): https://lists.yoctoproject.org/g/yocto/message/53987
Mute This Topic: https://lists.yoctoproject.org/mt/83830269/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[yocto] [meta-security][PATCH] sssd: update to 2.5.1

2021-07-04 Thread Armin Kuster
See full change log: https://sssd.io/release-notes/sssd-2.5.1.html

Including a musl build workaround

Signed-off-by: Armin Kuster 
---
 recipes-security/sssd/files/musl_fixup.patch  | 53 +++
 .../sssd/{sssd_2.5.0.bb => sssd_2.5.1.bb} |  6 ++-
 2 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 recipes-security/sssd/files/musl_fixup.patch
 rename recipes-security/sssd/{sssd_2.5.0.bb => sssd_2.5.1.bb} (96%)

diff --git a/recipes-security/sssd/files/musl_fixup.patch 
b/recipes-security/sssd/files/musl_fixup.patch
new file mode 100644
index 000..68f267c
--- /dev/null
+++ b/recipes-security/sssd/files/musl_fixup.patch
@@ -0,0 +1,53 @@
+fix musl build failures
+
+Missing _PATH_HOSTS and some NETDB defines when musl is enabled.
+
+These are work arounds for now while we figure out where the real fix should 
reside (musl, gcompact, sssd):
+
+./sssd-2.5.1/src/providers/fail_over.c:1199:19: error: '_PATH_HOSTS' 
undeclared (first use in this function)
+|  1199 |   _PATH_HOSTS);
+|   |   ^~~
+
+and 
+
+i./sssd-2.5.1/src/sss_client/nss_ipnetworks.c:415:21: error: 'NETDB_INTERNAL' 
undeclared (first use in this function)
+|   415 | *h_errnop = NETDB_INTERNAL;
+
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster 
+
+Index: sssd-2.5.1/src/providers/fail_over.c
+===
+--- sssd-2.5.1.orig/src/providers/fail_over.c
 sssd-2.5.1/src/providers/fail_over.c
+@@ -31,6 +31,10 @@
+ #include 
+ #include 
+ 
++#if !defined(_PATH_HOSTS)
++#define _PATH_HOSTS "/etc/hosts"
++#endif
++
+ #include "util/dlinklist.h"
+ #include "util/refcount.h"
+ #include "util/util.h"
+Index: sssd-2.5.1/src/sss_client/sss_cli.h
+===
+--- sssd-2.5.1.orig/src/sss_client/sss_cli.h
 sssd-2.5.1/src/sss_client/sss_cli.h
+@@ -44,6 +44,14 @@ typedef int errno_t;
+ #define EOK 0
+ #endif
+ 
++#ifndef NETDB_INTERNAL
++# define NETDB_INTERNAL (-1)
++#endif
++
++#ifndef NETDB_SUCCESS
++# define NETDB_SUCCESS (0)
++#endif
++
+ #define SSS_NSS_PROTOCOL_VERSION 1
+ #define SSS_PAM_PROTOCOL_VERSION 3
+ #define SSS_SUDO_PROTOCOL_VERSION 1
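Review bot: the patch header spells the musl compatibility shim `gcompact`; it is `gcompat`, and the stray leading `i` in `i./sssd-2.5.1/src/sss_client/nss_ipnetworks.c` looks like an editor artifact, both worth fixing before this goes upstream (Upstream-Status: Pending). The NETDB_INTERNAL/NETDB_SUCCESS fallbacks are placed in sss_cli.h rather than beside the failing use in nss_ipnetworks.c, which only works as long as every consumer includes sss_cli.h; a one-line comment saying so would help.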
diff --git a/recipes-security/sssd/sssd_2.5.0.bb 
b/recipes-security/sssd/sssd_2.5.1.bb
similarity index 96%
rename from recipes-security/sssd/sssd_2.5.0.bb
rename to recipes-security/sssd/sssd_2.5.1.bb
index 84b7b0e..9205843 100644
--- a/recipes-security/sssd/sssd_2.5.0.bb
+++ b/recipes-security/sssd/sssd_2.5.1.bb
@@ -15,15 +15,17 @@ DEPENDS_append_libc-musl = " musl-nscd"
 DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
 
-SRC_URI = 
"https://github.com/SSSD/sssd/releases/download/2.5.0/sssd-2.5.0.tar.gz \
+SRC_URI = 
"https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.gz \
file://sssd.conf \
file://volatiles.99_sssd \
file://no_gen.patch \
file://fix_gid.patch \
file://drop_ntpdate_chk.patch \
file://fix-ldblibdir.patch \
+   file://musl_fixup.patch \
"
-SRC_URI[sha256sum] = 
"afa62d7d8d23fca3aba093abe4ec0d14e7d9346c5b28ceb7c2c624bed98caa06"
+
+SRC_URI[sha256sum] = 
"ce2f5d84a3f1750093318afd27f4fd75b1e3e75f7d80fc42d21a40cc54b58ea4"
 
 inherit autotools pkgconfig gettext python3-dir features_check systemd
 
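Review bot: the hunk replaces the old `SRC_URI[sha256sum]` line with a blank line plus the new one, leaving a stray empty line between the SRC_URI block and its checksum; keep the checksum directly after the closing quote. Switching the URL to `${PV}` is a good change. If the musl guards should not touch glibc builds, the patch can be limited with `SRC_URI_append_libc-musl`, mirroring the `DEPENDS_append_libc-musl` line already in this hunk's header, though the `#ifndef` guards it adds are harmless on glibc.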
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#54043): https://lists.yoctoproject.org/g/yocto/message/54043
Mute This Topic: https://lists.yoctoproject.org/mt/83985837/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-




[yocto] meta-parsec build failure

2021-07-05 Thread Armin Kuster
The parsec-service in meta-parsec has been failing ever since gcc 11 was
merged into core.

https://errors.yoctoproject.org/Errors/Build/123537/

I have already opened an issue with upstream:
https://github.com/parallaxsecond/rust-psa-crypto/issues/85

If anyone is interested in this package, I could use an extra set of
eyes on progress of this build failure.

regards,
Armin

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#54052): https://lists.yoctoproject.org/g/yocto/message/54052
Mute This Topic: https://lists.yoctoproject.org/mt/84006480/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [yocto] meta-parsec build failure

2021-07-05 Thread Armin Kuster


On 7/5/21 4:15 PM, Khem Raj wrote:
> yeah perhaps try using -DMBEDTLS_FATAL_WARNINGS=OFF
I would love to try that out, where would I apply that?
mbedtls is a dependent crate of a dependent crate of the parsec-service
recipe.  The Rust paradigm in OE does make my head hurt.

-armin
>
> On Mon, Jul 5, 2021 at 1:57 PM Armin Kuster  wrote:
>> The parsec-service in meta-parsec has been failing ever since gcc 11 was
>> merged into core.
>>
>> https://errors.yoctoproject.org/Errors/Build/123537/
>>
>> I have already opened an issue with upstream:
>> https://github.com/parallaxsecond/rust-psa-crypto/issues/85
>>
>> If anyone is interested in this package, I could use an extra set of
>> eyes on progress of this build failure.
>>
>> regards,
>> Armin
>>
>> 
>>


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#54054): https://lists.yoctoproject.org/g/yocto/message/54054
Mute This Topic: https://lists.yoctoproject.org/mt/84006480/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[yocto] [meta-security][PATCH] suricata: update to 6.0.3

2021-07-06 Thread Armin Kuster
add new crates
minor cleanup

Signed-off-by: Armin Kuster 
---
 .../{libhtp_0.5.37.bb => libhtp_0.5.38.bb}  |  2 +-
 .../meta-rust/recipes-ids/suricata/suricata.inc |  5 -
 .../{suricata_6.0.2.bb => suricata_6.0.3.bb}| 17 +++--
 3 files changed, 16 insertions(+), 8 deletions(-)
 rename dynamic-layers/meta-rust/recipes-ids/suricata/{libhtp_0.5.37.bb => 
libhtp_0.5.38.bb} (91%)
 rename dynamic-layers/meta-rust/recipes-ids/suricata/{suricata_6.0.2.bb => 
suricata_6.0.3.bb} (92%)

diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb 
b/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb
similarity index 91%
rename from dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb
rename to dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb
index 34e72e9..38dece9 100644
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb
+++ b/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb
@@ -5,7 +5,7 @@ require suricata.inc
 LIC_FILES_CHKSUM = 
"file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
 
 SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
-SRCREV = "eaa2db29e65e7f2691c18a9022aeb5fb836ec5f1"
+SRCREV = "fca44158911a1642880ea5c774151a33ad33d906"
 
 DEPENDS = "zlib"
 
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc 
b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
index 85f419e..7d3509a 100644
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
+++ b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
@@ -1,8 +1,3 @@
 HOMEPAGE = "http://suricata-ids.org/";
 SECTION = "security Monitor/Admin"
 LICENSE = "GPLv2"
-
-VER = "6.0.2"
-SRC_URI = 
"http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz";
-
-SRC_URI[sha256sum] = 
"5e4647a07cb31b5d6d0049972a45375c137de908a964a44e2d6d231fa3ad4b52"
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb 
b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb
similarity index 92%
rename from dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
rename to dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb
index a4255d2..632f1d8 100644
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
+++ b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb
@@ -2,10 +2,13 @@ SUMMARY = "The Suricata Engine is an Open Source Next 
Generation Intrusion Detec
 
 require suricata.inc
 
-DEPENDS = "lz4 libhtp"
-
 LIC_FILES_CHKSUM = 
"file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
 
+SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz";
+SRC_URI[sha256sum] = 
"daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602"
+
+DEPENDS = "lz4 libhtp"
+
 SRC_URI += " \
 file://volatiles.03_suricata \
 file://tmpfiles.suricata \
@@ -84,6 +87,16 @@ SRC_URI += " \
 crate://crates.io/log/0.4.0 \
 crate://crates.io/rand_hc/0.2.0 \
 crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \
+crate://crates.io/sawp/0.5.0 \
+crate://crates.io/sawp-modbus/0.5.0 \
+crate://crates.io/brotli/3.3.0 \
+crate://crates.io/flate2/1.0.20 \
+crate://crates.io/alloc-no-stdlib/2.0.1 \
+crate://crates.io/alloc-stdlib/0.2.1 \
+crate://crates.io/brotli-decompressor/2.3.1 \
+crate://crates.io/crc32fast/1.2.1 \
+crate://crates.io/miniz_oxide/0.4.4 \
+crate://crates.io/adler/1.0.2 \
 "
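Review bot: the ten crates added here carry no provenance; a comment naming the suricata 6.0.3 Cargo.lock they were taken from lets the next updater regenerate the list rather than diff by hand. The new decompression paths (brotli, flate2/miniz_oxide) also enlarge the parser's attack surface, which deserves a sentence in the commit message beyond "add new crates".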
 
 # test case support
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#54067): https://lists.yoctoproject.org/g/yocto/message/54067
Mute This Topic: https://lists.yoctoproject.org/mt/84038604/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[yocto] [meta-security][PATCH] tpm-tools: fix build issue

2021-07-10 Thread Armin Kuster
This error occurs randomly.
/bin/bash: pod2man: command not found

[Yocto #14304]

minor space/tab cleanup

Signed-off-by: Armin Kuster 
Cc: Ben 
---
 meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb 
b/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
index 8aeb8ac..9e0a686 100644
--- a/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
+++ b/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
@@ -9,16 +9,16 @@ SECTION = "tpm"
 LICENSE = "CPL-1.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
 
-DEPENDS = "libtspi openssl"
+DEPENDS = "libtspi openssl perl"
 DEPENDS_class-native = "trousers-native"
 
 SRCREV = "bf43837575c5f7d31865562dce7778eae970052e"
 SRC_URI = " \
-   git://git.code.sf.net/p/trousers/tpm-tools \
-   file://tpm-tools-extendpcr.patch \
-   file://04-fix-FTBFS-clang.patch \
-file://openssl1.1_fix.patch \
-   "
+git://git.code.sf.net/p/trousers/tpm-tools \
+file://tpm-tools-extendpcr.patch \
+file://04-fix-FTBFS-clang.patch \
+file://openssl1.1_fix.patch \
+"
 
 inherit autotools-brokensep gettext
 
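Review bot: `pod2man` is a build-host tool, so adding `perl` to DEPENDS (line `DEPENDS = "libtspi openssl perl"`) provides the target perl sysroot, not a pod2man on the build PATH; the intermittent `command not found` is better fixed with `perl-native`, and a comment naming pod2man as the reason keeps someone from removing it later. The whitespace cleanup in SRC_URI is fine but would be easier to review as a separate commit.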
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#54094): https://lists.yoctoproject.org/g/yocto/message/54094
Mute This Topic: https://lists.yoctoproject.org/mt/8494/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [yocto] [meta-security][PATCH 2/2] apparmor: use its own initscript and service files

2021-07-10 Thread Armin Kuster
merged.

thanks for the reminder.

-armin

On 7/6/21 2:03 AM, Yi Zhao wrote:
>
> Ping ...
>
>
> On 6/23/21 5:15 PM, Yi Zhao wrote:
>> Use initscript and service files provided by apparmor.
>>
>> Signed-off-by: Yi Zhao 
>> ---
>>  recipes-mac/AppArmor/apparmor_3.0.1.bb|  33 +--
>>  ...x-hardcoded-installation-directories.patch |  51 
>>  ...pparmor.debian-add-missing-functions.patch |  57 
>>  recipes-mac/AppArmor/files/apparmor   | 226 ---
>>  recipes-mac/AppArmor/files/apparmor.rc|  98 ---
>>  recipes-mac/AppArmor/files/apparmor.service   |  22 --
>>  recipes-mac/AppArmor/files/functions  | 271 --
>>  7 files changed, 118 insertions(+), 640 deletions(-)
>>  create mode 100644 
>> recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
>>  create mode 100644 
>> recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
>>  delete mode 100644 recipes-mac/AppArmor/files/apparmor
>>  delete mode 100644 recipes-mac/AppArmor/files/apparmor.rc
>>  delete mode 100644 recipes-mac/AppArmor/files/apparmor.service
>>  delete mode 100644 recipes-mac/AppArmor/files/functions
>>
>> diff --git a/recipes-mac/AppArmor/apparmor_3.0.1.bb 
>> b/recipes-mac/AppArmor/apparmor_3.0.1.bb
>> index 6377683..ff5b39b 100644
>> --- a/recipes-mac/AppArmor/apparmor_3.0.1.bb
>> +++ b/recipes-mac/AppArmor/apparmor_3.0.1.bb
>> @@ -15,15 +15,13 @@ DEPENDS = "bison-native apr gettext-native 
>> coreutils-native swig-native"
>>  
>>  SRC_URI = " \
>>  
>> git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
>> +file://run-ptest \
>>  file://disable_perl_h_check.patch \
>>  file://crosscompile_perl_bindings.patch \
>> -file://apparmor.rc \
>> -file://functions \
>> -file://apparmor \
>> -file://apparmor.service \
>>  file://0001-Makefile.am-suppress-perllocal.pod.patch \
>> -file://run-ptest \
>>  file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
>> +file://0001-Makefile-fix-hardcoded-installation-directories.patch \
>> +file://0001-rc.apparmor.debian-add-missing-functions.patch \
>>  "
>>  
>>  SRCREV = "b0f08aa9d678197b8e3477c2fbff790f50a1de5e"
>> @@ -79,8 +77,6 @@ do_compile () {
>>  }
>>  
>>  do_install () {
>> -install -d ${D}/${INIT_D_DIR}
>> -install -d ${D}/lib/apparmor
>>  oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
>>  oe_runmake -C ${B}/binutils DESTDIR="${D}" install
>>  oe_runmake -C ${B}/utils DESTDIR="${D}" install
>> @@ -96,16 +92,16 @@ do_install () {
>>  fi
>>  
>>  if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; 
>> then
>> -install -d ${D}/lib/security
>>  oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
>>  fi
>>  
>> -install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
>> -install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor
>> +if 
>> ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
>> +install -d ${D}${sysconfdir}/init.d
>> +install -m 755 ${B}/parser/rc.apparmor.debian 
>> ${D}${sysconfdir}/init.d/apparmor
>> +fi
>>  
>>  if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; 
>> then
>> -install -d ${D}${systemd_system_unitdir}
>> -install -m 0644 ${WORKDIR}/apparmor.service 
>> ${D}${systemd_system_unitdir}
>> +oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd
>>  fi
>>  }
>>  
>> @@ -152,15 +148,6 @@ do_install_ptest_arm() {
>>:
>>  }
>>  
>> -pkg_postinst_ontarget_${PN} () {
>> -if [ ! -d /etc/apparmor.d/cache ] ; then
>> -mkdir /etc/apparmor.d/cache
>> -fi
>> -}
>> -
>> -# We need the init script so don't rm it
>> -RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
>> -
>>  INITSCRIPT_PACKAGES = "${PN}"
>>  INITSCRIPT_NAME = "apparmor"
>>  INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
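Review bot: dropping `pkg_postinst_ontarget_${PN}` removes the only place in the recipe that created `/etc/apparmor.d/cache`; unless the upstream `rc.apparmor.debian` script installed in the previous hunk, or the parser itself, creates that directory on first start, profile caching stops working after this change without any error. The commit message should say which of the two now provides it. Removing `RMINITDIR_class-target_remove = " rm_sysvinit_initddir"` is consistent with the init script now being installed only inside the `sysvinit` branch of do_install, but the comment that explained it went away too, so a sentence in the message would help the next reader.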
>> @@ -171,9 +158,9 @@ SYSTEMD_AUTO_ENABLE ?= "enable"
>>  
>>  PACKAGES += "mod-${PN}"
>>  
>> -FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor 
>> ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
>> +FILES_${PN} += "${nonarch_base_libdir}/apparmor/ ${base_libdir}/security/ 
>> ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
>>  FILES_mod-${PN} = "${libdir}/apache2/modules/*"
>> -FILES_${PN}-dbg += "/lib/security/"
>> +FILES_${PN}-dbg += "${base_libdir}/security/.debug"
>>  
>>  DEPENDS_append_libc-musl = " fts "
>>  RDEPENDS_${PN}_libc-musl +=  "musl-utils"
>> diff --git 
>> a/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
>>  
>> b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
>> new file mode 100644
>> index 000..f10acb1
>> --- /dev/null
>> +++ 
>> b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch

[yocto] [meta-security][PATCH 1/2] suricata.inc: exclude ppc in rust version

2021-07-17 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc 
b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
index 7d3509a..8ddd5e2 100644
--- a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
+++ b/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
@@ -1,3 +1,5 @@
 HOMEPAGE = "http://suricata-ids.org/";
 SECTION = "security Monitor/Admin"
 LICENSE = "GPLv2"
+
+COMPATIBLE_HOST_powerpc = 'null'
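Review bot: `COMPATIBLE_HOST_powerpc = 'null'` only matches the 32-bit `powerpc` override; the later packagegroup patch in this thread treats `powerpc64` and `powerpc64le` as separate overrides, so if the rust toolchain is missing on those as well they need their own `COMPATIBLE_HOST_powerpc64` / `COMPATIBLE_HOST_powerpc64le` lines. The commit message also gives no reason for the exclusion; one line saying that meta-rust provides no ppc toolchain would tell the next person when it is safe to lift the restriction. Minor: the rest of the file uses double quotes.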
-- 
2.25.1





[yocto] [meta-security][PATCH 2/2] suricata: Drop 4.1.x, it's EOL

2021-07-17 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 ...et-fix-build-on-recent-Linux-kernels.patch |   26 -
 .../suricata/files/no_libhtp_build.patch  |   38 -
 recipes-ids/suricata/files/run-ptest  |3 -
 recipes-ids/suricata/files/suricata.service   |   20 -
 recipes-ids/suricata/files/suricata.yaml  | 1326 -
 recipes-ids/suricata/files/tmpfiles.suricata  |2 -
 .../suricata/files/volatiles.03_suricata  |2 -
 recipes-ids/suricata/libhtp_0.5.36.bb |   15 -
 .../suricata/python3-suricata-update_1.2.1.bb |   17 -
 recipes-ids/suricata/suricata.inc |8 -
 recipes-ids/suricata/suricata_4.1.10.bb   |   99 --
 11 files changed, 1556 deletions(-)
 delete mode 100644 
recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch
 delete mode 100644 recipes-ids/suricata/files/no_libhtp_build.patch
 delete mode 100644 recipes-ids/suricata/files/run-ptest
 delete mode 100644 recipes-ids/suricata/files/suricata.service
 delete mode 100644 recipes-ids/suricata/files/suricata.yaml
 delete mode 100644 recipes-ids/suricata/files/tmpfiles.suricata
 delete mode 100644 recipes-ids/suricata/files/volatiles.03_suricata
 delete mode 100644 recipes-ids/suricata/libhtp_0.5.36.bb
 delete mode 100644 recipes-ids/suricata/python3-suricata-update_1.2.1.bb
 delete mode 100644 recipes-ids/suricata/suricata.inc
 delete mode 100644 recipes-ids/suricata/suricata_4.1.10.bb

diff --git 
a/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch
 
b/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch
deleted file mode 100644
index 530568b..000
--- 
a/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From b37554e0bc3cf383e6547c5c6a69c6f6849c09e3 Mon Sep 17 00:00:00 2001
-From: Eric Leblond 
-Date: Wed, 17 Jul 2019 12:35:12 +0200
-Subject: [PATCH] af-packet: fix build on recent Linux kernels
-
-Upstream-Status: Backport
-Signed-off-by: Armin kuster 

- src/source-af-packet.c | 4 
- 1 file changed, 4 insertions(+)
-
-Index: suricata-4.1.5/src/source-af-packet.c
-===
 suricata-4.1.5.orig/src/source-af-packet.c
-+++ suricata-4.1.5/src/source-af-packet.c
-@@ -68,6 +68,10 @@
- #include 
- #endif
- 
-+#if HAVE_LINUX_SOCKIOS_H
-+#include 
-+#endif
-+
- #ifdef HAVE_PACKET_EBPF
- #include "util-ebpf.h"
- #include 
diff --git a/recipes-ids/suricata/files/no_libhtp_build.patch 
b/recipes-ids/suricata/files/no_libhtp_build.patch
deleted file mode 100644
index 2ebf021..000
--- a/recipes-ids/suricata/files/no_libhtp_build.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Upstream-Status: Inappropriate [configuration]
-
-Signed-of_by: Armin Kuster 
-
-Index: suricata-2.0.5/Makefile.am
-===
 suricata-2.0.5.orig/Makefile.am
-+++ suricata-2.0.5/Makefile.am
-@@ -5,7 +5,7 @@ ACLOCAL_AMFLAGS = -I m4
- EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \
-  classification.config threshold.config \
-  reference.config
--SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
-+SUBDIRS = src qa rules doc contrib scripts
- 
- CLEANFILES = stamp-h[0-9]*
- 
-Index: suricata-2.0.5/Makefile.in
-===
 suricata-2.0.5.orig/Makefile.in
-+++ suricata-2.0.5/Makefile.in
-@@ -229,7 +229,6 @@ HAVE_PCAP_CONFIG = @HAVE_PCAP_CONFIG@
- HAVE_PKG_CONFIG = @HAVE_PKG_CONFIG@
- HAVE_PYTHON_CONFIG = @HAVE_PYTHON_CONFIG@
- HAVE_WGET = @HAVE_WGET@
--HTP_DIR = @HTP_DIR@
- HTP_LDADD = @HTP_LDADD@
- INSTALL = @INSTALL@
- INSTALL_DATA = @INSTALL_DATA@
-@@ -369,7 +368,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
-  classification.config threshold.config \
-  reference.config
- 
--SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
-+SUBDIRS = src qa rules doc contrib scripts
- CLEANFILES = stamp-h[0-9]*
- all: config.h
-   $(MAKE) $(AM_MAKEFLAGS) all-recursive
diff --git a/recipes-ids/suricata/files/run-ptest 
b/recipes-ids/suricata/files/run-ptest
deleted file mode 100644
index 666ba9c..000
--- a/recipes-ids/suricata/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-suricata -u
diff --git a/recipes-ids/suricata/files/suricata.service 
b/recipes-ids/suricata/files/suricata.service
deleted file mode 100644
index a99a76e..000
--- a/recipes-ids/suricata/files/suricata.service
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=Suricata IDS/IDP daemon
-After=network.target
-Requires=network.target
-Documentation=man:suricata(8) man:suricatasc(8)
-Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
-RestrictAddressFamilies=
-ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
-ExecReload=/bin/kill -HU
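Review bot: the unit being deleted carried `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW`, which is worth preserving in whatever unit the remaining suricata recipe ships; check that the replacement is at least that restrictive. Two things in the old unit were not worth keeping anyway: the empty `RestrictAddressFamilies=` assignment resets the setting rather than restricting anything (an explicit allow-list such as `AF_UNIX AF_INET AF_INET6 AF_PACKET AF_NETLINK` would be the hardening it was presumably meant to be), and `ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0` hardcodes the interface name.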

Re: [yocto] [meta-security][PATCH] Do not use clang toolchain in Parsec recipes

2021-07-17 Thread Armin Kuster


On 7/15/21 4:42 AM, Anton Antonov wrote:
> Signed-off-by: Anton Antonov 

Merged.

thanks
Armin
> ---
>  .../recipes-parsec/parsec-service/parsec-service_0.7.0.bb  | 3 +--
>  meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb| 2 --
>  2 files changed, 1 insertion(+), 4 deletions(-)
>
> diff --git 
> a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb 
> b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb
> index 0e14955..d57a43a 100644
> --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb
> +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb
> @@ -10,8 +10,7 @@ SRC_URI += "crate://crates.io/parsec-service/${PV} \
>  file://parsec-tmpfiles.conf \
>  "
>  
> -DEPENDS = "tpm2-tss"
> -TOOLCHAIN = "clang"
> +DEPENDS = "tpm2-tss clang-native"
>  
>  CARGO_BUILD_FLAGS += " --features 
> all-providers,cryptoki/generate-bindings,tss-esapi/generate-bindings"
>  
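Review bot: the hunk swaps `TOOLCHAIN = "clang"` for a `clang-native` build dependency, but the commit message carries only a Signed-off-by. The `cryptoki/generate-bindings,tss-esapi/generate-bindings` features in CARGO_BUILD_FLAGS are the reason libclang is still needed at build time (bindgen runs during the build), so say so; the parsec-tool hunk below drops TOOLCHAIN without adding clang-native, which is consistent with that recipe generating no bindings, and that asymmetry deserves a sentence as well.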
> diff --git a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb 
> b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb
> index 35c65c0..881f8d8 100644
> --- a/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb
> +++ b/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb
> @@ -7,8 +7,6 @@ inherit cargo
>  SRC_URI += "crate://crates.io/parsec-tool/${PV} \
>  "
>  
> -TOOLCHAIN = "clang"
> -
>  do_install() {
>install -d ${D}/${bindir}
>install -m 755 "${B}/target/${TARGET_SYS}/release/parsec-tool" 
> "${D}${bindir}/parsec-tool"
>
> 
>





[yocto] [meta-security][PATCH 1/2] crowdsec: add pkg

2021-07-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 recipes-ids/crowdsec/crowdsec_1.1.1.bb | 42 ++
 1 file changed, 42 insertions(+)
 create mode 100644 recipes-ids/crowdsec/crowdsec_1.1.1.bb

diff --git a/recipes-ids/crowdsec/crowdsec_1.1.1.bb 
b/recipes-ids/crowdsec/crowdsec_1.1.1.bb
new file mode 100644
index 000..1243a3c
--- /dev/null
+++ b/recipes-ids/crowdsec/crowdsec_1.1.1.bb
@@ -0,0 +1,42 @@
+SUMMARY = "CrowdSec is a free, modern & collaborative behavior detection 
engine, coupled with a global IP reputation network."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = 
"file://src/import/LICENSE;md5=105e75b680b2ab82fa5718661b41f3bf"
+
+SRC_URI = "git://github.com/crowdsecurity/crowdsec.git;branch=master"
+SRCREV = "73e0bbaf93070f4a640eb5a22212b5dcf26699de"
+
+DEPENDS = "jq-native"
+
+GO_IMPORT = "import"
+
+inherit go
+
+S = "${WORKDIR}/git"
+
+do_compile() {
+export GOARCH="${TARGET_GOARCH}"
+export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go"
+
+# Pass the needed cflags/ldflags so that cgo
+# can find the needed headers files and libraries
+export CGO_ENABLED="1"
+export CFLAGS=""
+export LDFLAGS=""
+export CGO_CFLAGS="${BUILDSDK_CFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+export CGO_LDFLAGS="${BUILDSDK_LDFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+
+cd ${S}/src/import
+oe_runmake release
+}
+
+do_install_ () {
+   chmod +x -R --silent ${B}/pkg
+}
+
+
+INSANE_SKIP_${PN} = "already-stripped"
+INSANE_SKIP_${PN}-dev = "ldflags"
+
+RDEPENDS_${PN} = "go"
+RDEPENDS_${PN}-dev = "bash"
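Review bot: `do_install_ ()` is not `do_install`: the trailing underscore makes it an ordinary shell function that no task ever runs, so the recipe installs nothing beyond what the go class does, and the `chmod +x -R --silent ${B}/pkg` inside it operates on ${B} rather than ${D} anyway. Further points for the same hunk: the SRC_URI fetches from GitHub over the unauthenticated `git://` transport with no `protocol=https`; `GO_IMPORT = "import"` is a placeholder rather than the module's import path; and `RDEPENDS_${PN} = "go"` pulls the entire Go toolchain onto the target for what is a compiled binary, which is an odd footprint for an IDS package.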
-- 
2.25.1





[yocto] [meta-security][PATCH 2/2] packagegroup-core-security.bb: fix suricata-ptest inclusion

2021-07-26 Thread Armin Kuster
drop libseccomp ptest

Signed-off-by: Armin Kuster 
---
 recipes-core/packagegroup/packagegroup-core-security.bb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb 
b/recipes-core/packagegroup/packagegroup-core-security.bb
index 8e06f30..37473d1 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -88,8 +88,7 @@ RDEPENDS_packagegroup-security-mac_remove_mipsarch = 
"apparmor"
 RDEPENDS_packagegroup-meta-security-ptest-packages = "\
 ptest-runner \
 samhain-standalone-ptest \
-libseccomp-ptest \
-suricata-ptest \
+${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " 
suricata-ptest",d)} \
 python3-fail2ban-ptest \
 ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
 "
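Review bot: the message says only "drop libseccomp ptest" and gives no reason for removing `libseccomp-ptest`; state whether the recipe moved, the ptest broke, or this layer no longer builds it. Gating `suricata-ptest` on `TUNE_FEATURES` values is fragile: `ppc7400` is one PowerPC tune among several, so other ppc tunes would still pull the package in. An architecture override (`_remove_powerpc`, `_remove_riscv32`, `_remove_riscv64`) expresses the exclusion directly, and the follow-up packagegroup patch later in this thread switches to exactly that.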
-- 
2.25.1





[yocto] [meta-security][PATCH 1/2] krill: Add new pkg

2021-07-27 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../krill/files/panic_workaround.patch|  16 +
 .../recipes-security/krill/krill.inc  | 325 ++
 .../recipes-security/krill/krill_0.9.1.bb |  39 +++
 3 files changed, 380 insertions(+)
 create mode 100644 
dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch
 create mode 100644 dynamic-layers/meta-rust/recipes-security/krill/krill.inc
 create mode 100644 
dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb

diff --git 
a/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch 
b/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch
new file mode 100644
index 000..9b08cb5
--- /dev/null
+++ 
b/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch
@@ -0,0 +1,16 @@
+Upstream-Status: OE specific
+Signed-off-by: Armin Kuster 
+
+Index: git/Cargo.toml
+===
+--- git.orig/Cargo.toml
 git/Cargo.toml
+@@ -71,7 +71,7 @@ static-openssl = [ "openssl/vendored" ]
+ # Make sure that Krill crashes on panics, rather than losing threads and
+ # limping on in a bad state.
+ [profile.release]
+-panic = "abort"
++#panic = "abort"
+ 
+ [dev-dependencies]
+ # for user management
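Review bot: this patch reverts an upstream safety decision without saying why: the comment right above the changed line states that `panic = "abort"` is there so Krill crashes on a panic instead of losing threads and limping on in a bad state, and `Upstream-Status: OE specific` does not explain what abort-on-panic breaks in the OE build. Record the actual build failure it works around (and the rust version) in the patch header, and consider whether an RPKI CA should ship with panic unwinding when upstream deliberately chose fail-fast; if the workaround is only needed to get the build through, a note on when it can be dropped belongs here too.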
diff --git a/dynamic-layers/meta-rust/recipes-security/krill/krill.inc 
b/dynamic-layers/meta-rust/recipes-security/krill/krill.inc
new file mode 100644
index 000..f86468b
--- /dev/null
+++ b/dynamic-layers/meta-rust/recipes-security/krill/krill.inc
@@ -0,0 +1,325 @@
+# please note if you have entries that do not begin with crate://
+# you must change them to how that package can be fetched
+SRC_URI += " \
+crate://crates.io/addr2line/0.14.1 \
+crate://crates.io/adler/1.0.2 \
+crate://crates.io/adler32/1.2.0 \
+crate://crates.io/aho-corasick/0.7.15 \
+crate://crates.io/ansi_term/0.11.0 \
+crate://crates.io/ansi_term/0.12.1 \
+crate://crates.io/arrayref/0.3.6 \
+crate://crates.io/arrayvec/0.5.2 \
+crate://crates.io/ascii-canvas/2.0.0 \
+crate://crates.io/ascii/1.0.0 \
+crate://crates.io/atty/0.2.14 \
+crate://crates.io/autocfg/0.1.7 \
+crate://crates.io/autocfg/1.0.1 \
+crate://crates.io/backtrace/0.3.56 \
+crate://crates.io/base64/0.10.1 \
+crate://crates.io/base64/0.12.3 \
+crate://crates.io/base64/0.13.0 \
+crate://crates.io/basic-cookies/0.1.4 \
+crate://crates.io/bcder/0.5.1 \
+crate://crates.io/bit-set/0.5.2 \
+crate://crates.io/bit-vec/0.6.3 \
+crate://crates.io/bitflags/1.2.1 \
+crate://crates.io/blake2b_simd/0.5.11 \
+crate://crates.io/block-buffer/0.9.0 \
+crate://crates.io/bumpalo/3.6.1 \
+crate://crates.io/byteorder/1.4.3 \
+crate://crates.io/bytes/0.4.12 \
+crate://crates.io/bytes/0.5.6 \
+crate://crates.io/bytes/1.0.1 \
+crate://crates.io/cc/1.0.67 \
+crate://crates.io/cfg-if/0.1.10 \
+crate://crates.io/cfg-if/1.0.0 \
+crate://crates.io/chrono/0.4.19 \
+crate://crates.io/chunked_transfer/1.4.0 \
+crate://crates.io/cipher/0.2.5 \
+crate://crates.io/clap/2.33.3 \
+crate://crates.io/clokwerk/0.3.4 \
+crate://crates.io/cloudabi/0.0.3 \
+crate://crates.io/constant_time_eq/0.1.5 \
+crate://crates.io/cookie/0.12.0 \
+crate://crates.io/cookie_store/0.7.0 \
+crate://crates.io/core-foundation-sys/0.8.2 \
+crate://crates.io/core-foundation/0.9.1 \
+crate://crates.io/cpuid-bool/0.1.2 \
+crate://crates.io/crc32fast/1.2.1 \
+crate://crates.io/crossbeam-deque/0.7.3 \
+crate://crates.io/crossbeam-epoch/0.8.2 \
+crate://crates.io/crossbeam-queue/0.2.3 \
+crate://crates.io/crossbeam-utils/0.7.2 \
+crate://crates.io/crossbeam-utils/0.8.3 \
+crate://crates.io/crunchy/0.2.2 \
+crate://crates.io/crypto-mac/0.10.0 \
+crate://crates.io/ctrlc/3.1.9 \
+crate://crates.io/deunicode/0.4.3 \
+crate://crates.io/diff/0.1.12 \
+crate://crates.io/digest/0.9.0 \
+crate://crates.io/dirs/1.0.5 \
+crate://crates.io/dtoa/0.4.8 \
+crate://crates.io/either/1.6.1 \
+crate://crates.io/ena/0.14.0 \
+crate://crates.io/encoding_rs/0.8.28 \
+crate://crates.io/error-chain/0.11.0 \
+crate://crates.io/failure/0.1.8 \
+crate://crates.io/failure_derive/0.1.8 \
+crate://crates.io/fern/0.5.9 \
+crate://crates.io/fixedbitset/0.2.0 \
+crate://crates.io/flate2/1.0.20 \
+crate://crates.io/fnv/1.0.7 \
+crate://crates.io/foreign-types-shared/0.1.1 \
+crate://crates.io/foreign-types/0.3.2 \
+crate://crates.io/form_urlencoded/1.0.1 \
+crate://crates.io/fuchsia-cprng/0.1.1 \
+crate://crates.io/fuchsia-zircon-sys/0.3.3 \
+crate://crates.io/fuchsia-zircon/0.3.3 \
+crate://crates.io/futures-channel/0.3.14 \
+crate://crates.io/futures-core/0.3.14 \
+crate://crates.io/futures-cpupool/0.1.8 \
+crate://crates.io/futures-execu

[yocto] [meta-security][PATCH 2/2] clamav: fix branch name and update

2021-07-27 Thread Armin Kuster
They dropped the dev branch for rel. Update to tip.
Refresh patches

Signed-off-by: Armin Kuster 
---
 recipes-scanners/clamav/clamav_0.104.0.bb  | 6 +++---
 recipes-scanners/clamav/files/fix_systemd_socket.patch | 4 ++--
 recipes-scanners/clamav/files/headers_fixup.patch  | 8 
 recipes-scanners/clamav/files/oe_cmake_fixup.patch | 2 +-
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb 
b/recipes-scanners/clamav/clamav_0.104.0.bb
index 4f20309..5759ddd 100644
--- a/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -8,10 +8,10 @@ DEPENDS = "glibc llvm libtool db openssl zlib curl libxml2 
bison pcre2 json-c li
  
 LIC_FILES_CHKSUM = 
"file://COPYING.txt;beginline=2;endline=3;md5=f7029fbbc5898b273d5902896f7bbe17"
 
-# May 15th
-SRCREV = "fe96de86bb90c489aa509ee9135f776b7a2a7eb4"
+# July 27th
+SRCREV = "c389dfa4c3af92b006ada4f7595bbc3e6df3f356"
 
-SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=dev/0.104 \
+SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104 \
 file://clamd.conf \
 file://freshclam.conf \
 file://volatiles.03_clamav \
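Review bot: the recipe is named `clamav_0.104.0.bb` but the new SRCREV tracks the tip of `rel/0.104` (the message says "Update to tip", and the `# July 27th` comment is a date, not a reference), so the package version does not correspond to a tagged 0.104.0 release and its contents will change with every SRCREV bump. Either pin to the release tag once 0.104.0 is cut or reflect the snapshot in PV (for example `0.104.0+git${SRCPV}`), and consider `;protocol=https` on the GitHub URL since `git://` is an unauthenticated transport.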
diff --git a/recipes-scanners/clamav/files/fix_systemd_socket.patch 
b/recipes-scanners/clamav/files/fix_systemd_socket.patch
index 3e9abe2..3347770 100644
--- a/recipes-scanners/clamav/files/fix_systemd_socket.patch
+++ b/recipes-scanners/clamav/files/fix_systemd_socket.patch
@@ -12,9 +12,9 @@ Index: git/clamd/CMakeLists.txt
 ===
 --- git.orig/clamd/CMakeLists.txt
 +++ git/clamd/CMakeLists.txt
-@@ -54,4 +54,10 @@ if(SYSTEMD_FOUND)
+@@ -60,4 +60,10 @@ if(SYSTEMD_FOUND)
  install(
- FILES ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.service
+ FILES ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.socket
  DESTINATION ${SYSTEMD_UNIT_DIR})
 +configure_file(
 +${CMAKE_CURRENT_SOURCE_DIR}/clamav-daemon.socket.in
diff --git a/recipes-scanners/clamav/files/headers_fixup.patch 
b/recipes-scanners/clamav/files/headers_fixup.patch
index 9de0a26..369aa58 100644
--- a/recipes-scanners/clamav/files/headers_fixup.patch
+++ b/recipes-scanners/clamav/files/headers_fixup.patch
@@ -7,7 +7,7 @@ Index: git/CMakeLists.txt
 ===
 --- git.orig/CMakeLists.txt
 +++ git/CMakeLists.txt
-@@ -374,8 +373,6 @@ check_include_file("stdlib.h"
+@@ -443,8 +443,6 @@ check_include_file("stdlib.h"
  check_include_file("string.h"   HAVE_STRING_H)
  check_include_file("strings.h"  HAVE_STRINGS_H)
  check_include_file("sys/cdefs.h"HAVE_SYS_CDEFS_H)
@@ -16,7 +16,7 @@ Index: git/CMakeLists.txt
  check_include_file("sys/mman.h" HAVE_SYS_MMAN_H)
  check_include_file("sys/param.h"HAVE_SYS_PARAM_H)
  check_include_file("sys/queue.h"HAVE_SYS_QUEUE_H)
-@@ -410,8 +407,6 @@ endif()
+@@ -479,8 +477,6 @@ endif()
  
  # int-types variants
  check_include_file("inttypes.h" HAVE_INTTYPES_H)
@@ -25,7 +25,7 @@ Index: git/CMakeLists.txt
  check_include_file("stdint.h"   HAVE_STDINT_H)
  
  # this hack required to silence warnings on systems with inttypes.h
-@@ -539,17 +528,11 @@ check_type_size("time_t"  SIZEOF_TIME_T)
+@@ -608,17 +604,11 @@ check_type_size("time_t"  SIZEOF_TIME_T)
  # Checks for library functions.
  include(CheckSymbolExists)
  check_symbol_exists(_Exit   "stdlib.h"  HAVE__EXIT)
@@ -44,7 +44,7 @@ Index: git/CMakeLists.txt
  check_symbol_exists(timegm  "time.h"HAVE_TIMEGM)
  check_symbol_exists(vsnprintf   "stdio.h"   HAVE_VSNPRINTF)
  
-@@ -563,10 +546,9 @@ else()
+@@ -632,10 +622,9 @@ else()
  check_symbol_exists(fseeko  "stdio.h"   HAVE_FSEEKO)
  check_symbol_exists(getaddrinfo "netdb.h"   HAVE_GETADDRINFO)
  check_symbol_exists(getpagesize "unistd.h"  HAVE_GETPAGESIZE)
diff --git a/recipes-scanners/clamav/files/oe_cmake_fixup.patch 
b/recipes-scanners/clamav/files/oe_cmake_fixup.patch
index b284915..c9c88b9 100644
--- a/recipes-scanners/clamav/files/oe_cmake_fixup.patch
+++ b/recipes-scanners/clamav/files/oe_cmake_fixup.patch
@@ -22,7 +22,7 @@ Index: git/CMakeLists.txt
  if(C_LINUX)
  if(CMAKE_COMPILER_IS_GNUCXX)
  # Set _GNU_SOURCE for O_LARGEFILE, O_CLOEXEC, O_DIRECTORY, 
O_NOFOLLOW, etc flags on older systems
-@@ -512,14 +506,8 @@ include(TestInline)
+@@ -581,14 +575,8 @@ include(TestInline)
  include(CheckFileOffsetBits)
  # Determine how to pack structs on this platform.
  include(CheckStructPacking)
-- 
2.25.1



Re: [yocto] [meta-security][WIP][PATCH 1/2] Convert to new override syntax

2021-07-30 Thread Armin Kuster
/ccs-tools/ccs-tools_1.8.4.bb  |  6 +-
>  recipes-mac/smack/smack-test_1.0.bb   |  2 +-
>  recipes-mac/smack/smack_1.3.1.bb  | 14 ++--
>  recipes-perl/perl/libwhisker2-perl_2.5.bb |  2 +-
>  .../python/python3-oauth2client_4.1.3.bb  |  2 +-
>  recipes-scanners/arpwatch/arpwatch_3.1.bb |  8 +-
>  .../buck-security/buck-security_0.7.bb|  6 +-
>  recipes-scanners/checksec/checksec_2.4.0.bb   |  2 +-
>  .../checksecurity/checksecurity_2.0.15.bb |  2 +-
>  recipes-scanners/clamav/clamav_0.104.0.bb | 38 +-
>  .../aircrack-ng/aircrack-ng_1.6.bb|  6 +-
>  recipes-security/bastille/bastille_3.2.1.bb   |  6 +-
>  .../bastille/files/AccountPermission.pm   | 16 ++--
>  .../bastille/files/FileContent.pm | 16 ++--
>  .../ecryptfs-utils/ecryptfs-utils_111.bb  | 12 +--
>  .../fail2ban/python3-fail2ban_0.11.2.bb   | 16 ++--
>  .../fscryptctl/fscryptctl_1.0.0.bb|  2 +-
>  .../google-authenticator-libpam_1.08.bb   |  2 +-
>  recipes-security/libest/libest_3.2.0.bb   |  6 +-
>  recipes-security/libgssglue/libgssglue_0.4.bb |  4 +-
>  .../mfa/python3-privacyidea_3.5.2.bb  | 40 +-
>  recipes-security/ncrack/ncrack_0.7.bb |  2 +-
>  recipes-security/nikto/nikto_2.1.6.bb |  2 +-
>  .../opendnssec/opendnssec_2.1.9.bb|  4 +-
>  recipes-security/paxctl/paxctl_0.9.bb |  4 +-
>  .../redhat-security/redhat-security_1.0.bb|  2 +-
>  recipes-security/sssd/sssd_2.5.1.bb   | 22 +++---
>  101 files changed, 435 insertions(+), 435 deletions(-)
>
> diff --git a/README b/README
> index 4047b86..081669f 100644
> --- a/README
> +++ b/README
> @@ -5,7 +5,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in 
> this layer need
>  to have 'security' in DISTRO_FEATURES to have effect.
>  To enable them, add in configuration file the following line.
>  
> -  DISTRO_FEATURES_append = " security"
> +  DISTRO_FEATURES:append = " security"
>  
>  If meta-security is included, but security  is not enabled as a
>  distro feature a warning is printed at parse time:
> diff --git a/conf/distro/include/maintainers.inc 
> b/conf/distro/include/maintainers.inc
> index e02b903..f623d70 100644
> --- a/conf/distro/include/maintainers.inc
> +++ b/conf/distro/include/maintainers.inc
> @@ -16,42 +16,42 @@
>  #
>  # The format is as a bitbake variable override for each recipe
>  #
> -#RECIPE_MAINTAINER_pn- = "Full Name "
> +#RECIPE_MAINTAINER:pn- = "Full Name "
>  #
>  # Please keep this list in alphabetical order.
> -RECIPE_MAINTAINER_pn-aircrack-ng = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-apparmor = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-bastille = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-buck-security = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-ccs-tools = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-checksec = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-checksecurity = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-clamav = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-ding-libs = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-ecryptfs-utils = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-fscryptctl = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-google-authenticator-libpam = "Armin Kuster 
> "
> -RECIPE_MAINTAINER_pn-hash-perl = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-isic = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-keyutils = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-libaes-siv = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-libgssglue = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-libhtp = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-libmhash = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-libmspack = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-lib-perl = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-libseccomp = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-libwhisker2-perl = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-ncrack = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-nikto = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-paxctl = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-python3-fail2ban = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-python3-scapy = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-python-fail2ban = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-python-scapy = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-redhat-security = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-samhain = "Armin Kuster "
> -RECIPE_MAINTAINER_pn-smack = "Armi

[yocto] [meta-security][PATCH] packagegroup-core-security.bb: only include suricata-ptest if rust is included

2021-08-01 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../packagegroup/packagegroup-core-security.bb| 15 +--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb 
b/recipes-core/packagegroup/packagegroup-core-security.bb
index c76b3de..6375e24 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -69,11 +69,16 @@ RDEPENDS:packagegroup-security-hardening = " \
 SUMMARY:packagegroup-security-ids = "Security Intrusion Detection systems"
 RDEPENDS:packagegroup-security-ids = " \
 samhain-standalone \
-${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " 
suricata",d)} \
+${@bb.utils.contains("BBLAYERS", "meta-rust", "suricata","", d)} \
 ossec-hids \
 aide \
 "
 
+RDEPENDS:packagegroup-security-ids:remove:powerpc = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:powerpc64le = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:powerpc64 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:riscv32 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:riscv64 = "suricata"
 RDEPENDS:packagegroup-security-ids:remove:libc-musl = "ossec-hids"
 
 SUMMARY:packagegroup-security-mac = "Security Mandatory Access Control systems"
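Review bot: `bb.utils.contains("BBLAYERS", "meta-rust", "suricata", "", d)` will never match: BBLAYERS holds the absolute paths of the configured layers and `bb.utils.contains` compares whole whitespace-separated items, so `/path/to/meta-rust` is not equal to `meta-rust` and suricata is silently dropped for every build. Test the layer's collection name against `BBFILE_COLLECTIONS` instead; the parsec layer.conf in this thread depends on `rust-layer`, which is that name, so `${@bb.utils.contains("BBFILE_COLLECTIONS", "rust-layer", "suricata", "", d)}` does what the subject line intends. The five new `:remove:powerpc*` / `:remove:riscv*` lines are the right way to express the architecture exclusion.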
@@ -88,7 +93,13 @@ RDEPENDS:packagegroup-security-mac:remove:mipsarch = 
"apparmor"
 RDEPENDS:packagegroup-meta-security-ptest-packages = "\
 ptest-runner \
 samhain-standalone-ptest \
-${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " 
suricata-ptest",d)} \
+${@bb.utils.contains("BBLAYERS", "meta-rust", "suricata-ptest","", d)} \
 python3-fail2ban-ptest \
 ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
 "
+
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc64le = 
"suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc64 = 
"suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:riscv32 = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:riscv64 = "suricata-ptest"
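Review bot: the five added `:remove` lines target `RDEPENDS:packagegroup-security-ptest-packages`, but the variable set in this hunk is `RDEPENDS:packagegroup-meta-security-ptest-packages` (with `meta-`), so they modify a variable nothing reads and suricata-ptest stays in the ptest packagegroup on ppc and riscv. Rename them to match. The `contains("BBLAYERS", "meta-rust", "suricata-ptest", "", d)` line has the same problem as the first hunk: BBLAYERS contains layer paths, not layer names, so the check should be against `BBFILE_COLLECTIONS` with `rust-layer`.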
-- 
2.25.1





Re: [yocto] [meta-security][WIP][PATCH 2/2] layer.conf: Update to honister

2021-08-01 Thread Armin Kuster
merged

thanks

On 7/30/21 2:25 AM, Martin Jansa wrote:
> This marks the layers as compatible with honister now they use the new 
> override
> syntax.
>
> Signed-off-by: Martin Jansa 
> ---
>  conf/layer.conf  | 2 +-
>  meta-hardening/conf/layer.conf   | 2 +-
>  meta-integrity/conf/layer.conf   | 2 +-
>  meta-parsec/conf/layer.conf  | 2 +-
>  meta-security-compliance/conf/layer.conf | 2 +-
>  meta-security-isafw/conf/layer.conf  | 2 +-
>  meta-tpm/conf/layer.conf | 2 +-
>  7 files changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/conf/layer.conf b/conf/layer.conf
> index 7853d6e..cdcfaee 100644
> --- a/conf/layer.conf
> +++ b/conf/layer.conf
> @@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "security"
>  BBFILE_PATTERN_security = "^${LAYERDIR}/"
>  BBFILE_PRIORITY_security = "8"
>  
> -LAYERSERIES_COMPAT_security = "hardknott"
> +LAYERSERIES_COMPAT_security = "honister"
>  
>  LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer 
> meta-python"
>  
> diff --git a/meta-hardening/conf/layer.conf b/meta-hardening/conf/layer.conf
> index 085ea45..1cd6f4f 100644
> --- a/meta-hardening/conf/layer.conf
> +++ b/meta-hardening/conf/layer.conf
> @@ -8,6 +8,6 @@ BBFILE_COLLECTIONS += "harden-layer"
>  BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
>  BBFILE_PRIORITY_harden-layer = "10"
>  
> -LAYERSERIES_COMPAT_harden-layer = "hardknott"
> +LAYERSERIES_COMPAT_harden-layer = "honister"
>  
>  LAYERDEPENDS_harden-layer = "core openembedded-layer"
> diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
> index 37776f8..e9446e6 100644
> --- a/meta-integrity/conf/layer.conf
> +++ b/meta-integrity/conf/layer.conf
> @@ -20,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
>  # interactive shell is enough.
>  OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
>  
> -LAYERSERIES_COMPAT_integrity = "hardknott"
> +LAYERSERIES_COMPAT_integrity = "honister"
>  # ima-evm-utils depends on keyutils from meta-oe
>  LAYERDEPENDS_integrity = "core openembedded-layer"
>  
> diff --git a/meta-parsec/conf/layer.conf b/meta-parsec/conf/layer.conf
> index 2d4aa12..86d41b2 100644
> --- a/meta-parsec/conf/layer.conf
> +++ b/meta-parsec/conf/layer.conf
> @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "parsec-layer"
>  BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/"
>  BBFILE_PRIORITY_parsec-layer = "5"
>  
> -LAYERSERIES_COMPAT_parsec-layer = "hardknott gatesgarth"
> +LAYERSERIES_COMPAT_parsec-layer = "honister"
>  
>  LAYERDEPENDS_parsec-layer = "core rust-layer clang-layer tpm-layer"
>  BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
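Review bot: this hunk drops gatesgarth from LAYERSERIES_COMPAT_parsec-layer as well as moving to honister, which the commit message ("marks the layers as compatible with honister") does not mention; the other six hunks only replace hardknott with honister, so a line in the message recording that meta-parsec intentionally stops supporting gatesgarth would help anyone bisecting a parse failure on that release.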
> diff --git a/meta-security-compliance/conf/layer.conf 
> b/meta-security-compliance/conf/layer.conf
> index 2024d4a..ec4fd47 100644
> --- a/meta-security-compliance/conf/layer.conf
> +++ b/meta-security-compliance/conf/layer.conf
> @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer"
>  BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
>  BBFILE_PRIORITY_scanners-layer = "10"
>  
> -LAYERSERIES_COMPAT_scanners-layer = "hardknott"
> +LAYERSERIES_COMPAT_scanners-layer = "honister"
>  
>  LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
>  
> diff --git a/meta-security-isafw/conf/layer.conf 
> b/meta-security-isafw/conf/layer.conf
> index 1f1095f..86b0d4b 100644
> --- a/meta-security-isafw/conf/layer.conf
> +++ b/meta-security-isafw/conf/layer.conf
> @@ -14,4 +14,4 @@ LAYERVERSION_security-isafw = "1"
>  
>  LAYERDEPENDS_security-isafw = "core"
>  
> -LAYERSERIES_COMPAT_security-isafw = "hardknott"
> +LAYERSERIES_COMPAT_security-isafw = "honister"
> diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf
> index 0b102c5..b00dd3c 100644
> --- a/meta-tpm/conf/layer.conf
> +++ b/meta-tpm/conf/layer.conf
> @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
>  BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
>  BBFILE_PRIORITY_tpm-layer = "10"
>  
> -LAYERSERIES_COMPAT_tpm-layer = "hardknott"
> +LAYERSERIES_COMPAT_tpm-layer = "honister"
>  
>  LAYERDEPENDS_tpm-layer = " \
>  core \
>
> 
>


View/Reply Online (#54273): https://lists.yoctoproject.org/g/yocto/message/54273



Re: [yocto] [meta-security][PATCH 1/2] image-with-hardened-binaries: add class

2021-08-18 Thread Armin Kuster
Hello Max,


On 8/18/21 8:42 AM, Maximilian Blenk via lists.yoctoproject.org wrote:
> Add class to analyze binaries with checksec.py. checksec.py is a tool
> that checks if security features of a compiler have been used. To do
> so, it analyses the resulting binaries:
>  * NX Protection is enabled
>  * Full RELRO is enabled
>  * RPATH and RUNPATH are not set
>  * Executables are compiled to be position independent
>  * FORTIFY_SOURCE is set (false-positives possible)
>  * Stack Canaries are enabled (false-positives possible)
>
> Signed-off-by: Maximilian Blenk 
> ---
> Hi guys,
>
> we are currently working on automatically checking the binaries
> we put into an image for the presence of certain recommended compiler
> features. To achieve this, we created a bbclass that wraps around the
> existing project checksec.py (https://github.com/Wenzel/checksec.py). In
> particular, checksec.py is used to check if
> * relro is enabled
> * executables are compiled to be position independent code
> * rpath and runpath are not set
> * stack canaries are enabled
> * fortify source is enabled
> I must however admit that the last two checks can suffer from
> false-positives which need manual analysis and whitelisting (check can
> also be completely disabled).
>
> Motivation:
> We've decided that such checks would be a nice thing to have because
> people might overwrite important compiler flags in their local recipe.
> Additionally there is always the possibility that components are shipped
> as binaries instead of code (so they are actually built outside the
> current build environment). Overall we've detected several cases where
> required compiler flags have not been applied to shipped components.
> After internal discussion we came to the conclusion that you guys would
> maybe also be interested in this kind of checks, so I'm offering this
> patch to you as well.

Is this a v2 or a resend?

Thanks for the patch set. I will need some time to take a look at it.

- armin
> I would really appreciate your feedback :-)
>
> BR Max
>
>  classes/image-with-hardened-binaries.bbclass  | 338 ++
>  ...1-main-Add-option-to-ignore-symlinks.patch |  81 +
>  .../0002-Elf-Fix-relro-detection.patch|  51 +++
>  ...heck-Treat-binaries-with-0-fortifiab.patch |  33 ++
>  ...o-use-pre-compiled-version-of-spdlog.patch | 154 
>  .../python/python3-asttokens_2.0.5.bb |  15 +
>  .../python3-checksec.py-native_0.6.1.bb   |  31 ++
>  .../python/python3-colorama_%.bbappend|   1 +
>  .../python/python3-commonmark_0.9.1.bb|  14 +
>  .../python/python3-docopt_0.6.2.bb|  18 +
>  .../python/python3-icontract_2.5.3.bb |  14 +
>  .../python/python3-lief_0.11.5.bb |  36 ++
>  .../python/python3-pylddwrap_1.0.1.bb |  21 ++
>  recipes-devtools/python/python3-rich_7.1.0.bb |  16 +
>  .../python/python3-setuptools-scm_6.0.1.bb|  17 +
>  .../python/python3-toml_%.bbappend|   1 +
>  16 files changed, 841 insertions(+)
>  create mode 100644 classes/image-with-hardened-binaries.bbclass
>  create mode 100644 
> recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch
>  create mode 100644 
> recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch
>  create mode 100644 
> recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch
>  create mode 100644 
> recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch
>  create mode 100644 recipes-devtools/python/python3-asttokens_2.0.5.bb
>  create mode 100644 
> recipes-devtools/python/python3-checksec.py-native_0.6.1.bb
>  create mode 100644 recipes-devtools/python/python3-colorama_%.bbappend
>  create mode 100644 recipes-devtools/python/python3-commonmark_0.9.1.bb
>  create mode 100644 recipes-devtools/python/python3-docopt_0.6.2.bb
>  create mode 100644 recipes-devtools/python/python3-icontract_2.5.3.bb
>  create mode 100644 recipes-devtools/python/python3-lief_0.11.5.bb
>  create mode 100644 recipes-devtools/python/python3-pylddwrap_1.0.1.bb
>  create mode 100644 recipes-devtools/python/python3-rich_7.1.0.bb
>  create mode 100644 recipes-devtools/python/python3-setuptools-scm_6.0.1.bb
>  create mode 100644 recipes-devtools/python/python3-toml_%.bbappend
>
> diff --git a/classes/image-with-hardened-binaries.bbclass 
> b/classes/image-with-hardened-binaries.bbclass
> new file mode 100644
> index 000..d7d3908
> --- /dev/null
> +++ b/classes/image-with-hardened-binaries.bbclass
> @@ -0,0 +1,338 @@
> +# Provide qa checks to ensure all applications and libraries shipped with 
> the image
> +# have common compiler security features enabled. In particular there are 
> checks that:
> +# * nx protection is enabled
> +# * relro is enabled
> +# * executables (except for static linked ones) are position independent
> +# * rpath and runpath a

Re: [yocto] [meta-security][PATCH 1/2] image-with-hardened-binaries: add class

2021-08-21 Thread Armin Kuster
Hello Max,

See feedback below

On 8/13/21 6:18 AM, Maximilian Blenk wrote:
> Add class to analyze binaries with checksec.py. checksec.py is a tool
> that checks if security features of a compiler have been used. To do
> so, it analyses the resulting binaries:
>  * NX Protection is enabled
>  * Full RELRO is enabled
>  * RPATH and RUNPATH are not set
>  * Executables are compiled to be position independent
>  * FORTIFY_SOURCE is set (false-positives possible)
>  * Stack Canaries are enabled (false-positives possible)
>
> Signed-off-by: Maximilian Blenk 
> ---
> Hi guys,
>
> we are currently working on automatically checking the binaries
> we put into an image for the presence of certain recommended compiler
> features. To achieve this, we created a bbclass that wraps around the
> existing project checksec.py (https://github.com/Wenzel/checksec.py). In
> particular, checksec.py is used to check if
> * relro is enabled
> * executables are compiled to be position independent code
> * rpath and runpath are not set
> * stack canaries are enabled
> * fortify source is enabled
> I must however admit that the last two checks can suffer from
> false-positives which need manual analysis and whitelisting (check can
> also be completely disabled).
>
> Motivation:
> We've decided that such checks would be a nice thing to have because
> people might overwrite important compiler flags in their local recipe.
> Additionally there is always the possibility that components are shipped
> as binaries instead of code (so they are actually built outside the
> current build environment). Overall we've detected several cases where
> required compiler flags have not been applied to shipped components.
> After internal discussion we came to the conclusion that you guys would
> maybe also be interested in this kind of checks, so I'm offering this
> patch to you as well.
>
> I would really appreciate your feedback :-)

I used these against current master and found some duplicate recipes in
either Core or meta-python so I removed these.

 python3-asttokens_2.0.5.bb 
 python3-colorama_%.bbappend   
 python3-docopt_0.6.2.bb  
 python3-setuptools-scm_6.0.1.bb
 python3-toml_%.bbappend

see:
https://gitlab.com/akuster/meta-security/-/commit/1332825d23eb8ff08e124422b3f25a030c032c0b

I needed to convert to the new overrides scheme before I could build.

see:
https://gitlab.com/akuster/meta-security/-/commit/847bd7551acd3a9ca539b9beccd83a149bdd417d

feel free to reuse those changes.

Regarding the selftest, is there a test for failure?

I ran this against core-image-minimal and nothing was printed out. Does
that mean it's fine?

You may want to remove the ".py" from
python3-checksec.py-native_0.6.1.bb, it's not needed.

-armin
>
> BR Max
>
>  classes/image-with-hardened-binaries.bbclass  | 338 ++
>  ...1-main-Add-option-to-ignore-symlinks.patch |  81 +
>  .../0002-Elf-Fix-relro-detection.patch|  51 +++
>  ...heck-Treat-binaries-with-0-fortifiab.patch |  33 ++
>  ...o-use-pre-compiled-version-of-spdlog.patch | 154 
>  .../python/python3-asttokens_2.0.5.bb |  15 +
>  .../python3-checksec.py-native_0.6.1.bb   |  31 ++
>  .../python/python3-colorama_%.bbappend|   1 +
>  .../python/python3-commonmark_0.9.1.bb|  14 +
>  .../python/python3-docopt_0.6.2.bb|  18 +
>  .../python/python3-icontract_2.5.3.bb |  14 +
>  .../python/python3-lief_0.11.5.bb |  36 ++
>  .../python/python3-pylddwrap_1.0.1.bb |  21 ++
>  recipes-devtools/python/python3-rich_7.1.0.bb |  16 +
>  .../python/python3-setuptools-scm_6.0.1.bb|  17 +
>  .../python/python3-toml_%.bbappend|   1 +
>  16 files changed, 841 insertions(+)
>  create mode 100644 classes/image-with-hardened-binaries.bbclass
>  create mode 100644 
> recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch
>  create mode 100644 
> recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch
>  create mode 100644 
> recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch
>  create mode 100644 
> recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch
>  create mode 100644 recipes-devtools/python/python3-asttokens_2.0.5.bb
>  create mode 100644 
> recipes-devtools/python/python3-checksec.py-native_0.6.1.bb
>  create mode 100644 recipes-devtools/python/python3-colorama_%.bbappend
>  create mode 100644 recipes-devtools/python/python3-commonmark_0.9.1.bb
>  create mode 100644 recipes-devtools/python/python3-docopt_0.6.2.bb
>  create mode 100644 recipes-devtools/python/python3-icontract_2.5.3.bb
>  create mode 100644 recipes-devtools/python/python3-lief_0.11.5.bb
>  create mode 100644 recipes-devtools/python/python3-pylddwrap_1.0.1.bb
>  create mode 100644 recipes-devtools/python/python3-rich_7.1.0.bb
>  create mode 100644 re
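The checks Max's commit message lists in both messages above (NX, full RELRO, PIE, no RPATH/RUNPATH) are read straight from ELF program headers and the dynamic section. As an added example that is not part of the patch, checksec.py or meta-security, here is a minimal Python checker over those structures, exercised on two constructed ELF64 images (one hardened, one weak); canary and FORTIFY_SOURCE detection need symbol tables and are left out, matching the false-positive caveat in the message.

```python
# Added example (not checksec.py or the meta-security class); assumes little-endian
# ELF64. Sample binaries below are constructed in memory, not real build artefacts.
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1                                   # segment flag: executable
DT_NULL, DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS = 0, 15, 24, 29, 30
DF_BIND_NOW = 0x8                          # DT_FLAGS bit set by -Wl,-z,now
ET_EXEC, ET_DYN = 2, 3

def _phdrs(data):
    """Return (e_type, [(p_type, p_flags, p_offset, p_filesz), ...])."""
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    hdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        hdrs.append((p_type, p_flags, p_off, p_filesz))
    return e_type, hdrs

def _dynamic(data, hdrs):
    """Collect dynamic-section entries as {d_tag: [d_val, ...]}."""
    tags = {}
    for p_type, _flags, off, size in hdrs:
        if p_type == PT_DYNAMIC:
            for pos in range(off, off + size, 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NULL:
                    break
                tags.setdefault(tag, []).append(val)
    return tags

def check_elf(data):
    """Return {check_name: passed} for one ELF64 image (True = hardened)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("this example handles ELF64 only")
    e_type, hdrs = _phdrs(data)
    dyn = _dynamic(data, hdrs)
    types = {h[0] for h in hdrs}
    stack = [flags for t, flags, _o, _s in hdrs if t == PT_GNU_STACK]
    bind_now = DT_BIND_NOW in dyn or any(v & DF_BIND_NOW for v in dyn.get(DT_FLAGS, []))
    static = e_type == ET_EXEC and PT_DYNAMIC not in types   # static: exempt from PIE
    return {
        # NX: PT_GNU_STACK must be present and must not request an executable stack
        "nx": bool(stack) and not stack[0] & PF_X,
        # full RELRO needs the RELRO segment *and* immediate binding (GOT read-only)
        "relro_full": PT_GNU_RELRO in types and bind_now,
        "pie": e_type == ET_DYN or static,
        # RPATH/RUNPATH let a writable directory shadow system libraries at load time
        "no_rpath": DT_RPATH not in dyn and DT_RUNPATH not in dyn,
    }

def failed_checks(data):
    return sorted(name for name, ok in check_elf(data).items() if not ok)

def build_elf(e_type, stack_flags, relro, dyn_tags):
    """Construct a minimal ELF64 for testing (constructed input, not a real binary)."""
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0)] + ([(PT_GNU_RELRO, 4, 0, 0)] if relro else [])
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags) + struct.pack("<qQ", DT_NULL, 0)
    phnum = len(phdrs) + 1
    phdrs.append((PT_DYNAMIC, 6, 64 + 56 * phnum, len(dyn)))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8) for t, f, off, sz in phdrs)
    return ehdr + body + dyn

HARDENED = build_elf(ET_DYN, 6, True, [(DT_FLAGS, DF_BIND_NOW)])   # -pie -z relro -z now
WEAK = build_elf(ET_EXEC, 7, False, [(DT_RUNPATH, 0)])             # exec stack, RUNPATH set

if __name__ == "__main__":
    print("hardened:", failed_checks(HARDENED) or "all checks pass")
    print("weak:", failed_checks(WEAK))
```

Feeding `check_elf(open(path, "rb").read())` a binary from an image rootfs gives the same four verdicts the class would report for it.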

[yocto] [meta-security][PATCH 2/6] krill: Rust is in core now

2021-08-27 Thread Armin Kuster
drop dynamic-layer

Signed-off-by: Armin Kuster 
---
 .../krill/files/panic_workaround.patch| 0
 .../recipes-security => recipes-security}/krill/krill.inc | 0
 .../recipes-security => recipes-security}/krill/krill_0.9.1.bb| 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename {dynamic-layers/meta-rust/recipes-security => 
recipes-security}/krill/files/panic_workaround.patch (100%)
 rename {dynamic-layers/meta-rust/recipes-security => 
recipes-security}/krill/krill.inc (100%)
 rename {dynamic-layers/meta-rust/recipes-security => 
recipes-security}/krill/krill_0.9.1.bb (100%)

diff --git 
a/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch 
b/recipes-security/krill/files/panic_workaround.patch
similarity index 100%
rename from 
dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch
rename to recipes-security/krill/files/panic_workaround.patch
diff --git a/dynamic-layers/meta-rust/recipes-security/krill/krill.inc 
b/recipes-security/krill/krill.inc
similarity index 100%
rename from dynamic-layers/meta-rust/recipes-security/krill/krill.inc
rename to recipes-security/krill/krill.inc
diff --git a/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb 
b/recipes-security/krill/krill_0.9.1.bb
similarity index 100%
rename from dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb
rename to recipes-security/krill/krill_0.9.1.bb
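Review bot: moving krill.inc, krill_0.9.1.bb and panic_workaround.patch out of dynamic-layers/meta-rust means they are now parsed unconditionally, so this is only safe while LAYERSERIES_COMPAT is limited to releases where rust lives in oe-core (honister, per the layer.conf hunk earlier in this thread); the commit body should say so, and confirm that krill.inc builds unchanged against the oe-core rust classes, since a pure rename gives the reviewer nothing else to check.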
-- 
2.25.1


View/Reply Online (#54582): https://lists.yoctoproject.org/g/yocto/message/54582



[yocto] [meta-security][PATCH 3/6] suricata: rust is in core

2021-08-27 Thread Armin Kuster
drop dynamic-layer

Signed-off-by: Armin Kuster 
---
 .../recipes-ids => recipes-ids}/suricata/files/fixup.patch| 0
 .../recipes-ids => recipes-ids}/suricata/files/run-ptest  | 0
 .../recipes-ids => recipes-ids}/suricata/files/suricata.service   | 0
 .../recipes-ids => recipes-ids}/suricata/files/suricata.yaml  | 0
 .../recipes-ids => recipes-ids}/suricata/files/tmpfiles.suricata  | 0
 .../suricata/files/volatiles.03_suricata  | 0
 .../recipes-ids => recipes-ids}/suricata/libhtp_0.5.38.bb | 0
 .../meta-rust/recipes-ids => recipes-ids}/suricata/suricata.inc   | 0
 .../recipes-ids => recipes-ids}/suricata/suricata_6.0.3.bb| 0
 9 files changed, 0 insertions(+), 0 deletions(-)
 rename {dynamic-layers/meta-rust/recipes-ids => 
recipes-ids}/suricata/files/fixup.patch (100%)
 rename {dynamic-layers/meta-rust/recipes-ids => 
recipes-ids}/suricata/files/run-ptest (100%)
 rename {dynamic-layers/meta-rust/recipes-ids => 
recipes-ids}/suricata/files/suricata.service (100%)
 rename {dynamic-layers/meta-rust/recipes-ids => 
recipes-ids}/suricata/files/suricata.yaml (100%)
 rename {dynamic-layers/meta-rust/recipes-ids => 
recipes-ids}/suricata/files/tmpfiles.suricata (100%)
 rename {dynamic-layers/meta-rust/recipes-ids => 
recipes-ids}/suricata/files/volatiles.03_suricata (100%)
 rename {dynamic-layers/meta-rust/recipes-ids => 
recipes-ids}/suricata/libhtp_0.5.38.bb (100%)
 rename {dynamic-layers/meta-rust/recipes-ids => 
recipes-ids}/suricata/suricata.inc (100%)
 rename {dynamic-layers/meta-rust/recipes-ids => 
recipes-ids}/suricata/suricata_6.0.3.bb (100%)

diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch 
b/recipes-ids/suricata/files/fixup.patch
similarity index 100%
rename from dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch
rename to recipes-ids/suricata/files/fixup.patch
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest 
b/recipes-ids/suricata/files/run-ptest
similarity index 100%
rename from dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest
rename to recipes-ids/suricata/files/run-ptest
diff --git 
a/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service 
b/recipes-ids/suricata/files/suricata.service
similarity index 100%
rename from dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service
rename to recipes-ids/suricata/files/suricata.service
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml 
b/recipes-ids/suricata/files/suricata.yaml
similarity index 100%
rename from dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml
rename to recipes-ids/suricata/files/suricata.yaml
diff --git 
a/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata 
b/recipes-ids/suricata/files/tmpfiles.suricata
similarity index 100%
rename from 
dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata
rename to recipes-ids/suricata/files/tmpfiles.suricata
diff --git 
a/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata 
b/recipes-ids/suricata/files/volatiles.03_suricata
similarity index 100%
rename from 
dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata
rename to recipes-ids/suricata/files/volatiles.03_suricata
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb 
b/recipes-ids/suricata/libhtp_0.5.38.bb
similarity index 100%
rename from dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb
rename to recipes-ids/suricata/libhtp_0.5.38.bb
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc 
b/recipes-ids/suricata/suricata.inc
similarity index 100%
rename from dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
rename to recipes-ids/suricata/suricata.inc
diff --git a/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb 
b/recipes-ids/suricata/suricata_6.0.3.bb
similarity index 100%
rename from dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb
rename to recipes-ids/suricata/suricata_6.0.3.bb
-- 
2.25.1


View/Reply Online (#54583): https://lists.yoctoproject.org/g/yocto/message/54583



[yocto] [meta-security][PATCH 1/6] dm-verity-img.bbclass: more override fixups

2021-08-27 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 classes/dm-verity-img.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
index 16d395b..a0950da 100644
--- a/classes/dm-verity-img.bbclass
+++ b/classes/dm-verity-img.bbclass
@@ -63,8 +63,8 @@ verity_setup() {
 VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity"
 IMAGE_TYPES += "${VERITY_TYPES}"
 CONVERSIONTYPES += "verity"
-CONVERSION_CMD_verity = "verity_setup ${type}"
-CONVERSION_DEPENDS_verity = "cryptsetup-native"
+CONVERSION_CMD:verity = "verity_setup ${type}"
+CONVERSION_DEPENDS:verity = "cryptsetup-native"
 
 python __anonymous() {
 verity_image = d.getVar('DM_VERITY_IMAGE')
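Review bot: the hunk is correct, but the commit carries only a Signed-off-by; the body should say that CONVERSION_CMD_verity and CONVERSION_DEPENDS_verity were missed by the earlier override conversion and why it matters: on honister the image class only looks up the `CONVERSION_CMD:<type>` spelling, so a leftover underscore variant is never used and the verity conversion type listed in CONVERSIONTYPES ends up with no command behind it.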
-- 
2.25.1


View/Reply Online (#54581): https://lists.yoctoproject.org/g/yocto/message/54581



[yocto] [meta-security][PATCH 5/6] layer.conf: drop meta-rust

2021-08-27 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-parsec/conf/layer.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-parsec/conf/layer.conf b/meta-parsec/conf/layer.conf
index 86d41b2..2eeb71b 100644
--- a/meta-parsec/conf/layer.conf
+++ b/meta-parsec/conf/layer.conf
@@ -10,5 +10,5 @@ BBFILE_PRIORITY_parsec-layer = "5"
 
 LAYERSERIES_COMPAT_parsec-layer = "honister"
 
-LAYERDEPENDS_parsec-layer = "core rust-layer clang-layer tpm-layer"
+LAYERDEPENDS_parsec-layer = "core clang-layer tpm-layer"
 BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
-- 
2.25.1


View/Reply Online (#54585): https://lists.yoctoproject.org/g/yocto/message/54585


