[yocto] [meta-security][v3][PATCH] apparmor: ptest fail to build on arm
exclude arm and aarch64 ptest tasks [v2&3] Sent before committing. Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 18 ++ 1 file changed, 18 insertions(+) diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index d434fd3..60d5e68 100644 --- a/recipes-mac/AppArmor/apparmor_2.13.3.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -123,6 +123,15 @@ do_install () { fi } +#Building ptest on arm fails. +do_compile_ptest_aarch64 () { + : +} + +do_compile_ptest_arm () { + : +} + do_compile_ptest () { oe_runmake -C ${B}/tests/regression/apparmor oe_runmake -C ${B}/parser/tst @@ -150,6 +159,15 @@ do_install_ptest () { cp -rf ${B}/binutils ${t} } +#Building ptest on arm fails. +do_install_ptest_aarch64 () { + : +} + +do_install_ptest_arm() { + : +} + pkg_postinst_ontarget_${PN} () { if [ ! -d /etc/apparmor.d/cache ] ; then mkdir /etc/apparmor.d/cache -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
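Review bot: The new `do_compile_ptest_aarch64`/`do_compile_ptest_arm` no-ops are explained only by `#Building ptest on arm fails.`, which records neither what fails nor where it is tracked, so nobody can tell later when the override can be dropped. A comment such as `# ptest does not build for arm/aarch64 (see <bug/issue reference>); skip the ptest compile and install steps on those arches` would carry that information. Note also that no-op install functions still leave the -ptest package to be generated on those arches, presumably with nothing useful in it; if ptest.bbclass removes the *_ptest_base tasks when PTEST_ENABLED is not "1", an arch override of PTEST_ENABLED may express the intent more cleanly — worth confirming against the class.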
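Review bot: `do_install_ptest_arm() {` in the second hunk drops the space before `()` that every other definition in the patch uses (`do_install_ptest_aarch64 () {`, `do_compile_ptest_arm () {`); `do_install_ptest_arm () {` keeps the file consistent. The same spelling appears in the v2 and v1 postings of this patch below.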
[yocto] [meta-security][v2][PATCH] apparmor: ptest fail to build on arm
exclude arm and aarch64 ptest tasks Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 22 ++ 1 file changed, 22 insertions(+) diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index d434fd3..ba7065b 100644 --- a/recipes-mac/AppArmor/apparmor_2.13.3.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -42,6 +42,8 @@ PACKAGECONFIG[aa-decode] = ",,,bash" PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" +#Building ptest on arm fails. + python() { if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): @@ -50,6 +52,10 @@ python() { DISABLE_STATIC = "" +do_configure_ptest_base_aarch64[noexec] = "1" +do_compile_ptest_base_aarch64[noexec] = "1" +do_install_ptest_base_aarch64[noexec] = "1" + do_configure() { cd ${S}/libraries/libapparmor aclocal @@ -123,6 +129,14 @@ do_install () { fi } +do_compile_ptest_aarch64 () { + : +} + +do_compile_ptest_arm () { + : +} + do_compile_ptest () { oe_runmake -C ${B}/tests/regression/apparmor oe_runmake -C ${B}/parser/tst @@ -150,6 +164,14 @@ do_install_ptest () { cp -rf ${B}/binutils ${t} } +do_install_ptest_aarch64 () { + : +} + +do_install_ptest_arm() { + : +} + pkg_postinst_ontarget_${PN} () { if [ ! -d /etc/apparmor.d/cache ] ; then mkdir /etc/apparmor.d/cache -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
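Review bot: The comment `#Building ptest on arm fails.` is inserted next to the PAMLIB/HTTPD assignments in the first hunk, far from the `do_compile_ptest_*`/`do_install_ptest_*` no-ops it describes, so it reads as if it applied to the `python()` block that follows it; it belongs directly above those functions. The `do_*_ptest_base_aarch64[noexec] = "1"` lines in the second hunk rely on OVERRIDES being applied to a varflag assignment, which as far as I recall BitBake does not do, and they cover aarch64 only while the function overrides cover both arm and aarch64 — the v3 posting above drops them, which looks right. The v1 posting below is identical to this one and shares both points.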
[yocto] [meta-security][PATCH] apparmor: ptest fail to build on arm
exclude arm and aarch64 ptest tasks Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 22 ++ 1 file changed, 22 insertions(+) diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index d434fd3..ba7065b 100644 --- a/recipes-mac/AppArmor/apparmor_2.13.3.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -42,6 +42,8 @@ PACKAGECONFIG[aa-decode] = ",,,bash" PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" +#Building ptest on arm fails. + python() { if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): @@ -50,6 +52,10 @@ python() { DISABLE_STATIC = "" +do_configure_ptest_base_aarch64[noexec] = "1" +do_compile_ptest_base_aarch64[noexec] = "1" +do_install_ptest_base_aarch64[noexec] = "1" + do_configure() { cd ${S}/libraries/libapparmor aclocal @@ -123,6 +129,14 @@ do_install () { fi } +do_compile_ptest_aarch64 () { + : +} + +do_compile_ptest_arm () { + : +} + do_compile_ptest () { oe_runmake -C ${B}/tests/regression/apparmor oe_runmake -C ${B}/parser/tst @@ -150,6 +164,14 @@ do_install_ptest () { cp -rf ${B}/binutils ${t} } +do_install_ptest_aarch64 () { + : +} + +do_install_ptest_arm() { + : +} + pkg_postinst_ontarget_${PN} () { if [ ! -d /etc/apparmor.d/cache ] ; then mkdir /etc/apparmor.d/cache -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] apparmor: fix systemd support so it works
[Yocto # 13568] Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 16 +++- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index 6183064..d434fd3 100644 --- a/recipes-mac/AppArmor/apparmor_2.13.3.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -42,7 +42,6 @@ PACKAGECONFIG[aa-decode] = ",,,bash" PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" - python() { if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): @@ -86,7 +85,6 @@ do_compile () { do_install () { install -d ${D}/${INIT_D_DIR} install -d ${D}/lib/apparmor - oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install oe_runmake -C ${B}/binutils DESTDIR="${D}" install oe_runmake -C ${B}/utils DESTDIR="${D}" install @@ -116,8 +114,13 @@ do_install () { install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor install ${WORKDIR}/functions ${D}/lib/apparmor - install -d ${D}${systemd_system_unitdir} - install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} + sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions + sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions + + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + install -d ${D}${systemd_system_unitdir} + install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} + fi } do_compile_ptest () { 
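Review bot: The two `sed -i` rewrites of `${D}/lib/apparmor/functions` carry no explanation and fail silently: if a later release of the script changes the `getconf _NPROCESSORS_ONLN` or `ls -AU` text, sed matches nothing and the build still succeeds with the old behaviour. A comment stating the reason — presumably the target's shell utilities lack these invocations, worth confirming — and carrying the change as a patch in SRC_URI (so do_patch fails loudly when it no longer applies) would make this more robust. Guarding the unit install on `systemd` in DISTRO_FEATURES is the right fix for the bug referenced in the description. do_install starts outside this hunk.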
@@ -153,13 +156,16 @@ if [ ! -d /etc/apparmor.d/cache ] ; then fi } +# We need the init script so don't rm it +RMINITDIR_class-target_remove = " rm_sysvinit_initddir" + INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME = "apparmor" INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." SYSTEMD_PACKAGES = "${PN}" SYSTEMD_SERVICE_${PN} = "apparmor.service" -SYSTEMD_AUTO_ENABLE = "disable" +SYSTEMD_AUTO_ENABLE ?= "enable" PACKAGES += "mod-${PN}" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
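Review bot: `RMINITDIR_class-target_remove = " rm_sysvinit_initddir"` reaches into a variable that belongs to systemd.bbclass, and `# We need the init script so don't rm it` says what but not why; a comment naming the consumer, e.g. `# keep /etc/init.d/apparmor even with systemd — the unit is believed to call the init script (TODO confirm); this overrides RMINITDIR from systemd.bbclass`, protects the line against the class changing. Changing `SYSTEMD_AUTO_ENABLE = "disable"` to `SYSTEMD_AUTO_ENABLE ?= "enable"` makes AppArmor start at boot by default for every user of this recipe, a behaviour change the description (`[Yocto # 13568]`) does not mention and that deserves a sentence in the commit message. Using `?=` so a distro can still opt out looks intentional and is worth stating there too.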
[yocto] [meta-security][PATCH] checksec: add missing rdepends to readelf
update test to check for depends Signed-off-by: Armin Kuster --- lib/oeqa/runtime/cases/checksec.py | 1 + recipes-security/checksec/checksec_2.1.0.bb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/oeqa/runtime/cases/checksec.py b/lib/oeqa/runtime/cases/checksec.py index ff6d2f3..e46744c 100644 --- a/lib/oeqa/runtime/cases/checksec.py +++ b/lib/oeqa/runtime/cases/checksec.py @@ -24,6 +24,7 @@ class CheckSecTest(OERuntimeTestCase): self.assertEqual(status, 0, msg = msg) @OETestDepends(['checksec.CheckSecTest.test_checksec_xml']) +@OEHasPackage(['binutils']) def test_checksec_fortify(self): status, output = self.target.run('checksec --fortify-proc 1') match = re.search('FORTIFY_SOURCE support:', output) diff --git a/recipes-security/checksec/checksec_2.1.0.bb b/recipes-security/checksec/checksec_2.1.0.bb index 5c6528e..b67c98b 100644 --- a/recipes-security/checksec/checksec_2.1.0.bb +++ b/recipes-security/checksec/checksec_2.1.0.bb @@ -16,4 +16,4 @@ do_install() { install -m 0755 ${S}/checksec ${D}${bindir} } -RDEPENDS_${PN} = "bash openssl-bin" +RDEPENDS_${PN} = "bash openssl-bin binutils" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
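Review bot: `RDEPENDS_${PN} = "bash openssl-bin binutils"` pulls the whole binutils package onto the target for a single tool, and nothing in the recipe records which one; a trailing comment such as `# checksec shells out to readelf` (per the subject) tells the next maintainer why a scanning helper drags in binutils. If the target layers offer a smaller provider of readelf it would be preferable, but I have not verified that one exists. The `@OEHasPackage(['binutils'])` decorator added in the first hunk is consistent with the new dependency.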
[yocto] [meta-security][PATCH] suricata: fix compile issue
cp: cannot stat '/./tmp-glibc/work/core2-32-oe-linux/suricata/4.1.5-r0/rules': No such file or directory | WARNING: exit code 1 from a shell command. Signed-off-by: Armin Kuster --- recipes-ids/suricata/suricata_4.1.5.bb | 3 --- 1 file changed, 3 deletions(-) diff --git a/recipes-ids/suricata/suricata_4.1.5.bb b/recipes-ids/suricata/suricata_4.1.5.bb index cda1c87..e15a9a3 100644 --- a/recipes-ids/suricata/suricata_4.1.5.bb +++ b/recipes-ids/suricata/suricata_4.1.5.bb @@ -52,9 +52,6 @@ do_install_append () { oe_runmake install-conf DESTDIR=${D} -# mimic move of downloaded rules to e_sysconfrulesdir -cp -rf ${WORKDIR}/rules ${D}${sysconfdir}/suricata - oe_runmake install-rules DESTDIR=${D} install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
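Review bot: Removing `cp -rf ${WORKDIR}/rules ${D}${sysconfdir}/suricata` fixes the symptom, but the description only quotes the error, not why `${WORKDIR}/rules` is no longer present; if the rules archive was dropped or now unpacks elsewhere, that root cause belongs in the commit message so that `oe_runmake install-rules DESTDIR=${D}` is understood to be the only remaining rules source. If a rules archive is still listed in SRC_URI it is now fetched and unpacked for nothing — worth checking. do_install_append starts outside this hunk.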
[yocto] [thud][PATCH] linux-yocto/4.14: meta-yocto-bsp update to 143
Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux-yocto_4.14.bbappend | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend index 426757e..5277798 100644 --- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend +++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend @@ -8,11 +8,11 @@ KMACHINE_genericx86 ?= "common-pc" KMACHINE_genericx86-64 ?= "common-pc-64" KMACHINE_beaglebone-yocto ?= "beaglebone" -SRCREV_machine_genericx86?= "5252513a39b4b3773debab1f77071d7c430ecb10" -SRCREV_machine_genericx86-64 ?= "5252513a39b4b3773debab1f77071d7c430ecb10" -SRCREV_machine_edgerouter ?= "d8fb40cd0e99325715c70aed6f361a8318097829" -SRCREV_machine_beaglebone-yocto ?= "c67809688bd22cb4cb909bcf1a1045e6337c3229" -SRCREV_machine_mpc8315e-rdb ?= "258ee8228e0a512c6dbe2a0dadcd9f030ba45964" +SRCREV_machine_genericx86?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755" +SRCREV_machine_genericx86-64 ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755" +SRCREV_machine_edgerouter ?= "326e296f237347e965a38acb34f09e594430b0c6" +SRCREV_machine_beaglebone-yocto ?= "1b8c86329c9dbb10b8fcaeb2dceb75680994cd84" +SRCREV_machine_mpc8315e-rdb ?= "f26672ec1f164b0f2a15d629128a91093f971bdd" COMPATIBLE_MACHINE_genericx86 = "genericx86" COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64" 
@@ -20,8 +20,8 @@ COMPATIBLE_MACHINE_edgerouter = "edgerouter" COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto" COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb" -LINUX_VERSION_genericx86 = "4.14.98" -LINUX_VERSION_genericx86-64 = "4.14.98" -LINUX_VERSION_edgerouter = "4.14.98" -LINUX_VERSION_beaglebone-yocto = "4.14.98" -LINUX_VERSION_mpc8315e-rdb = "4.14.98" +LINUX_VERSION_genericx86 = "4.14.143" +LINUX_VERSION_genericx86-64 = "4.14.143" +LINUX_VERSION_edgerouter = "4.14.143" +LINUX_VERSION_beaglebone-yocto = "4.14.143" +LINUX_VERSION_mpc8315e-rdb = "4.14.143" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] layer.conf: Update for zeus series
Signed-off-by: Armin Kuster --- conf/layer.conf | 2 +- meta-integrity/conf/layer.conf | 2 +- meta-security-compliance/conf/layer.conf | 2 +- meta-tpm/conf/layer.conf | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/conf/layer.conf b/conf/layer.conf index b9a4f25..3e890e1 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -9,6 +9,6 @@ BBFILE_COLLECTIONS += "security" BBFILE_PATTERN_security = "^${LAYERDIR}/" BBFILE_PRIORITY_security = "8" -LAYERSERIES_COMPAT_security = "warrior" +LAYERSERIES_COMPAT_security = "zeus" LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf index 41989da..962424c 100644 --- a/meta-integrity/conf/layer.conf +++ b/meta-integrity/conf/layer.conf @@ -21,6 +21,6 @@ INTEGRITY_BASE := '${LAYERDIR}' # interactive shell is enough. OE_TERMINAL_EXPORTS += "INTEGRITY_BASE" -LAYERSERIES_COMPAT_integrity = "warrior" +LAYERSERIES_COMPAT_integrity = "zeus" # ima-evm-utils depends on keyutils from meta-oe LAYERDEPENDS_integrity = "core openembedded-layer" diff --git a/meta-security-compliance/conf/layer.conf b/meta-security-compliance/conf/layer.conf index 9ccadab..0e93bd0 100644 --- a/meta-security-compliance/conf/layer.conf +++ b/meta-security-compliance/conf/layer.conf @@ -8,6 +8,6 @@ BBFILE_COLLECTIONS += "scanners-layer" BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_scanners-layer = "10" -LAYERSERIES_COMPAT_scanners-layer = "warrior" +LAYERSERIES_COMPAT_scanners-layer = "zeus" LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python" diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf index cdccc55..3af2d95 100644 --- a/meta-tpm/conf/layer.conf +++ b/meta-tpm/conf/layer.conf 
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer" BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_tpm-layer = "10" -LAYERSERIES_COMPAT_tpm-layer = "warrior" +LAYERSERIES_COMPAT_tpm-layer = "zeus" LAYERDEPENDS_tpm-layer = " \ core \ -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [warrior 2/3] conf/poky: add debian-10 to the supported distribution list
From: Ross Burton Debian 10 is the new stable release and is being tested on the autobuilder, so add this to the supported distribution list. [ YOCTO #13432 ] Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- meta-poky/conf/distro/poky.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf index 87759b3..f2df2c1 100644 --- a/meta-poky/conf/distro/poky.conf +++ b/meta-poky/conf/distro/poky.conf @@ -59,6 +59,7 @@ SANITY_TESTED_DISTROS ?= " \ centos-7 \n \ debian-8 \n \ debian-9 \n \ +debian-10 \n \ opensuse-42.3 \n \ " # -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [warrior 1/3] meta-yocto-bsp: Bump to the latest stable kernel for all the BSP
From: Kevin Hao Boot test for all these boards. Signed-off-by: Kevin Hao Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux-yocto_4.19.bbappend | 20 ++-- .../recipes-kernel/linux/linux-yocto_5.0.bbappend| 20 ++-- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend index 6025230..ec269d9 100644 --- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend +++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend @@ -8,11 +8,11 @@ KMACHINE_genericx86 ?= "common-pc" KMACHINE_genericx86-64 ?= "common-pc-64" KMACHINE_beaglebone-yocto ?= "beaglebone" -SRCREV_machine_genericx86?= "11e0e616ed095bb8012e1b4a231254c9656a0193" -SRCREV_machine_genericx86-64 ?= "11e0e616ed095bb8012e1b4a231254c9656a0193" -SRCREV_machine_edgerouter ?= "eebb51300a07804a020ec468b5f8c5bf720198d9" -SRCREV_machine_beaglebone-yocto ?= "eebb51300a07804a020ec468b5f8c5bf720198d9" -SRCREV_machine_mpc8315e-rdb ?= "8b60f968823256f5d2889c4520d70299ca21411b" +SRCREV_machine_genericx86?= "5664dc14399edcaad210bbeb6343d84561fb3ea8" +SRCREV_machine_genericx86-64 ?= "5664dc14399edcaad210bbeb6343d84561fb3ea8" +SRCREV_machine_edgerouter ?= "5664dc14399edcaad210bbeb6343d84561fb3ea8" +SRCREV_machine_beaglebone-yocto ?= "5664dc14399edcaad210bbeb6343d84561fb3ea8" +SRCREV_machine_mpc8315e-rdb ?= "d419f4ca6ba4b097b8ad710a93b89510f5b2998c" COMPATIBLE_MACHINE_genericx86 = "genericx86" COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64" 
@@ -20,8 +20,8 @@ COMPATIBLE_MACHINE_edgerouter = "edgerouter" COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto" COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb" -LINUX_VERSION_genericx86 = "4.19.19" -LINUX_VERSION_genericx86-64 = "4.19.19" -LINUX_VERSION_edgerouter = "4.19.14" -LINUX_VERSION_beaglebone-yocto = "4.19.14" -LINUX_VERSION_mpc8315e-rdb = "4.19.14" +LINUX_VERSION_genericx86 = "4.19.34" +LINUX_VERSION_genericx86-64 = "4.19.34" +LINUX_VERSION_edgerouter = "4.19.34" +LINUX_VERSION_beaglebone-yocto = "4.19.34" +LINUX_VERSION_mpc8315e-rdb = "4.19.34" diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.0.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.0.bbappend index 5cf6e1f..d7cf121 100644 --- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.0.bbappend +++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.0.bbappend @@ -8,11 +8,11 @@ KMACHINE_genericx86 ?= "common-pc" KMACHINE_genericx86-64 ?= "common-pc-64" KMACHINE_beaglebone-yocto ?= "beaglebone" -SRCREV_machine_genericx86?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d" -SRCREV_machine_genericx86-64 ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d" -SRCREV_machine_edgerouter ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d" -SRCREV_machine_beaglebone-yocto ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d" -SRCREV_machine_mpc8315e-rdb ?= "8b62af7f252af10588276802c4c6d7c502e875be" +SRCREV_machine_genericx86?= "f990fd0ce123aa6035042efad09b2ddc3e7d48f4" +SRCREV_machine_genericx86-64 ?= "f990fd0ce123aa6035042efad09b2ddc3e7d48f4" +SRCREV_machine_edgerouter ?= "f990fd0ce123aa6035042efad09b2ddc3e7d48f4" +SRCREV_machine_beaglebone-yocto ?= "f990fd0ce123aa6035042efad09b2ddc3e7d48f4" +SRCREV_machine_mpc8315e-rdb ?= "670ce7e9db627d0c2067cfdb571ddc1f117818d8" COMPATIBLE_MACHINE_genericx86 = "genericx86" COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64" 
@@ -20,8 +20,8 @@ COMPATIBLE_MACHINE_edgerouter = "edgerouter" COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto" COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb" -LINUX_VERSION_genericx86 = "5.0.3" -LINUX_VERSION_genericx86-64 = "5.0.3" -LINUX_VERSION_edgerouter = "5.0.3" -LINUX_VERSION_beaglebone-yocto = "5.0.3" -LINUX_VERSION_mpc8315e-rdb = "5.0.3" +LINUX_VERSION_genericx86 = "5.0.13" +LINUX_VERSION_genericx86-64 = "5.0.13" +LINUX_VERSION_edgerouter = "5.0.13" +LINUX_VERSION_beaglebone-yocto = "5.0.13" +LINUX_VERSION_mpc8315e-rdb = "5.0.13" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [warrior 3/3] conf/poky: add Fedora 30 and Opensuse Leap 15.1 to supported distributions
From: Ross Burton Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- meta-poky/conf/distro/poky.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf index f2df2c1..de744f6 100644 --- a/meta-poky/conf/distro/poky.conf +++ b/meta-poky/conf/distro/poky.conf @@ -56,11 +56,13 @@ SANITY_TESTED_DISTROS ?= " \ ubuntu-18.04 \n \ fedora-28 \n \ fedora-29 \n \ +fedora-30 \n \ centos-7 \n \ debian-8 \n \ debian-9 \n \ debian-10 \n \ opensuse-42.3 \n \ +opensuseleap-15.1 \n \ " # # OELAYOUT_ABI allows us to notify users when the format of TMPDIR changes in -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [warrior 0/3] Pull request
Please merge these changes to meta-yocto warrior The following changes since commit c16082ffa61f485e120670fbdf075f3fa8597494: poky.conf: Bump version for 2.7.1 warrior release (2019-06-30 22:41:39 +0100) are available in the git repository at: git://git.yoctoproject.org/poky-contrib meta-yocto/stable/warrior-next http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=meta-yocto/stable/warrior-next Kevin Hao (1): meta-yocto-bsp: Bump to the latest stable kernel for all the BSP Ross Burton (2): conf/poky: add debian-10 to the supported distribution list conf/poky: add Fedora 30 and Opensuse Leap 15.1 to supported distributions meta-poky/conf/distro/poky.conf | 3 +++ .../recipes-kernel/linux/linux-yocto_4.19.bbappend | 20 ++-- .../recipes-kernel/linux/linux-yocto_5.0.bbappend| 20 ++-- 3 files changed, 23 insertions(+), 20 deletions(-) -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 2/2] suricata-update: add package to pull rules
Signed-off-by: Armin Kuster --- .../suricata/python3-suricata-update_1.0.5.bb | 15 +++ 1 file changed, 15 insertions(+) create mode 100644 recipes-ids/suricata/python3-suricata-update_1.0.5.bb diff --git a/recipes-ids/suricata/python3-suricata-update_1.0.5.bb b/recipes-ids/suricata/python3-suricata-update_1.0.5.bb new file mode 100644 index 000..63f75e0 --- /dev/null +++ b/recipes-ids/suricata/python3-suricata-update_1.0.5.bb @@ -0,0 +1,15 @@ +SUMMARY = "The tool for updating your Suricata rules. " +HOMEPAGE = "http://suricata-ids.org/; +SECTION = "security Monitor/Admin" +LICENSE = "GPLv2" + +LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" + +SRCREV = "dcd0f630e13463750efb1593ad3ccae1ae6c27d4" +SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.0.x'" + +S = "${WORKDIR}/git" + +inherit python3native setuptools3 + +RDEPENDS_${PN} = "python3-pyyaml" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
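Review bot: `SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.0.x'"` embeds single quotes in the branch parameter; BitBake URL parameters are not quoted, so the branch name becomes the literal `'master-1.0.x'` and works, if at all, only by accident of shell quoting in the fetcher — `branch=master-1.0.x` is what is meant. The full SRCREV pins the content, but the transport is plain `git://`; adding `;protocol=https` avoids fetching over an unauthenticated channel. Minor: `SUMMARY` carries a trailing space inside the quotes, and the `HOMEPAGE` line appears to have lost its closing quote in the archive rendering.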
[yocto] [PATCH 8/8] tpm2-pkcs11: update to tip
Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb index 222bb6d..2185749 100644 --- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb @@ -10,7 +10,7 @@ SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git \ file://bootstrap_fixup.patch \ " -SRCREV = "9eed9df823a960da481327468a73d477241befdb" +SRCREV = "caf20c04651029626466c59d88b36c05cc6ea20b" S = "${WORKDIR}/git" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH 6/8] tpm2-totp: update to 0.1.2
Signed-off-by: Armin Kuster --- .../tpm2-totp/{tpm2-totp_0.1.1.bb => tpm2-totp_0.1.2.bb}| 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm2/tpm2-totp/{tpm2-totp_0.1.1.bb => tpm2-totp_0.1.2.bb} (90%) diff --git a/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb b/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.2.bb similarity index 90% rename from meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb rename to meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.2.bb index d47b756..8a2504d 100644 --- a/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb +++ b/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.2.bb @@ -9,7 +9,7 @@ DEPENDS = "autoconf-archive libtss2-dev qrencode" PE = "1" -SRCREV = "2807a509a9da383e14dc0f759e71fd676db04ab1" +SRCREV = "15cc8fbc8fe71be9c04c3169ee1f70450d52a51a" SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.1.x \ file://litpm2_totp_build_fix.patch " -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH 4/8] tpm2-tss: update to 2.3.0
drop patch already in update Signed-off-by: Armin Kuster --- ...-ax_code_coverage.m4-version-2019.01.patch | 84 --- .../{tpm2-tss_2.2.3.bb => tpm2-tss_2.3.1.bb} | 5 +- 2 files changed, 2 insertions(+), 87 deletions(-) delete mode 100644 meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch rename meta-tpm/recipes-tpm2/tpm2-tss/{tpm2-tss_2.2.3.bb => tpm2-tss_2.3.1.bb} (93%) diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch deleted file mode 100644 index 86b2cb6..000 --- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From ec08ab41495ac40641475707c46e844503ada5b3 Mon Sep 17 00:00:00 2001 -From: Jonas Witschel -Date: Mon, 7 Jan 2019 22:15:06 +0100 -Subject: [PATCH] build: update for ax_code_coverage.m4 version 2019.01.06 - -@CODE_COVERAGE_RULES@ doesn't exist any more and needs to be replaced. -Also includes a compatibility switch for older versions of the file. - -Signed-off-by: Jonas Witschel - .gitignore | 1 + - .travis.yml | 10 +- - Makefile.am | 6 ++ - configure.ac | 3 +++ - 4 files changed, 15 insertions(+), 5 deletions(-) - -diff --git a/.gitignore b/.gitignore -index 7c6a7b62e6c1..aa1a7efdff71 100644 a/.gitignore -+++ b/.gitignore -@@ -26,6 +26,7 @@ - AUTHORS - tags - aclocal.m4 -+aminclude_static.am - autom4te.cache/ - [Bb]uild/ - [Dd]ebug/ -diff --git a/.travis.yml b/.travis.yml -index 55f88e22999b..a668e2953dc2 100644 a/.travis.yml -+++ b/.travis.yml -@@ -44,11 +44,11 @@ addons: - - install: - # Autoconf archive -- - wget https://download.01.org/tpm2/autoconf-archive-2017.09.28.tar.xz -- - sha256sum autoconf-archive-2017.09.28.tar.xz | grep -q 5c9fb5845b38b28982a3ef12836f76b35f46799ef4a2e46b48e2bd3c6182fa01 || travis_terminate 1 -- - tar xJf autoconf-archive-2017.09.28.tar.xz -- - cp autoconf-archive-2017.09.28/m4/ax_code_coverage.m4 m4/ -- - cp autoconf-archive-2017.09.28/m4/ax_prog_doxygen.m4 m4/ -+ - wget http://ftpmirror.gnu.org/autoconf-archive/autoconf-archive-2019.01.06.tar.xz -+ - sha256sum autoconf-archive-2019.01.06.tar.xz | grep -q 17195c833098da79de5778ee90948f4c5d90ed1a0cf8391b4ab348e2ec511e3f || travis_terminate 1 -+ - tar xJf autoconf-archive-2019.01.06.tar.xz -+ - cp autoconf-archive-2019.01.06/m4/ax_code_coverage.m4 m4/ -+ - cp autoconf-archive-2019.01.06/m4/ax_prog_doxygen.m4 m4/ - # IBM-TPM - - wget https://download.01.org/tpm2/ibmtpm974.tar.gz - # OpenSSL 1.0.2 -diff --git a/Makefile.am b/Makefile.am -index 1b792d89a392..8e62e9c77c7d 100644 a/Makefile.am -+++ b/Makefile.am -@@ -19,7 +19,13 @@ noinst_PROGRAMS = - - ### Add ax_* 
rules ### - # ax_code_coverage -+if AUTOCONF_CODE_COVERAGE_2019_01_06 -+include $(top_srcdir)/aminclude_static.am -+clean-local: code-coverage-clean -+dist-clean-local: code-coverage-dist-clean -+else - @CODE_COVERAGE_RULES@ -+endif - - # ax_doxygen - @DX_RULES@ -diff --git a/configure.ac b/configure.ac -index 6c7b0fd96399..22b79c50c015 100644 a/configure.ac -+++ b/configure.ac -@@ -312,6 +312,9 @@ AS_IF([test "x$enable_doxygen_doc" != xno], - [ERROR_IF_NO_PROG([doxygen])]) - - AX_CODE_COVERAGE -+m4_ifdef([_AX_CODE_COVERAGE_RULES], -+ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [true])], -+ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [false])]) - - AC_OUTPUT - --- -2.20.1 - diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.1.bb similarity index 93% rename from meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb rename to meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.1.bb index ffbd3f4..3e77f71 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.1.bb @@ -6,10 +6,9 @@ SECTION = "tpm" DEPENDS = "autoconf-archive-native libgcrypt openssl" -SRCREV = "36b1539c82bf675265d6f6a6cd808a189b6971f4" +SRCREV = "a99e733ba66c359502689a9c42fd5e02ed1dd7d6" -SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x \ -file://0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch" +SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.3.x" inherit autotools-brokensep pkgconfig systemd -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
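Review bot: The recipe is renamed to `tpm2-tss_2.3.1.bb` and `SRC_URI` moves to `branch=2.3.x`, while the subject says "update to 2.3.0"; the subject should say 2.3.1 so the history matches the recipe version. `SRCREV = "a99e733ba66c359502689a9c42fd5e02ed1dd7d6"` is not tied to the release in any visible way — a comment such as `# 2.3.1 release tag (confirm against upstream)` next to it would let a reviewer verify the pin. Dropping the ax_code_coverage patch is reasonable if it is contained in the new release, as the description states.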
[yocto] [PATCH 5/8] tpm2-tss-engine: update to 1.0.1
Signed-off-by: Armin Kuster --- .../{tpm2-tss-engine_1.0.0.bb => tpm2-tss-engine_1.0.1.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm2/tpm2-tss-engine/{tpm2-tss-engine_1.0.0.bb => tpm2-tss-engine_1.0.1.bb} (95%) diff --git a/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.0.bb b/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb similarity index 95% rename from meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.0.bb rename to meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb index 0a8d54f..8825737 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.0.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb @@ -8,7 +8,7 @@ SECTION = "security/tpm" DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl" -SRCREV = "a81d44a8610e28e5987af64f8aae16e4a2d09eaa" +SRCREV = "e1bbabe29377e45282d753a1b103625c420a19cf" SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git" inherit autotools-brokensep pkgconfig systemd -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH 7/8] tpm2-tcti-uefi: update to tip
Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index e822e29..f4918ec 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -6,9 +6,9 @@ DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native" SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ file://configure_oe_fixup.patch \ - file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \ + file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \ " -SRCREV = "7baf1eebfeb56a896bdd5d677fb24377d619eb9d" +SRCREV = "431c85f45dcdca5da003ed47c6e9814282476938" S = "${WORKDIR}/git" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH 3/8] tpm2-abrmd: update to 2.2.0
Signed-off-by: Armin Kuster --- .../tpm2-abrmd/{tpm2-abrmd_2.1.1.bb => tpm2-abrmd_2.2.0.bb}| 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) rename meta-tpm/recipes-tpm2/tpm2-abrmd/{tpm2-abrmd_2.1.1.bb => tpm2-abrmd_2.2.0.bb} (97%) diff --git a/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.1.1.bb b/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.2.0.bb similarity index 97% rename from meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.1.1.bb rename to meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.2.0.bb index a4c6682..021c969 100644 --- a/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.1.1.bb +++ b/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.2.0.bb @@ -12,14 +12,13 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \ libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim" - SRC_URI = "\ git://github.com/tpm2-software/tpm2-abrmd.git \ file://tpm2-abrmd-init.sh \ file://tpm2-abrmd.default \ " -SRCREV = "06d9d433ba27159687255406baa37940db15465b" +SRCREV = "ac2a5a4b5a4e548177ed7a5b74cea23e00fd30b4" S = "${WORKDIR}/git" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH 2/8] swtpm: update to 0.2.0
Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm/swtpm/{swtpm_0.1.0.bb => swtpm_0.2.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm/swtpm/{swtpm_0.1.0.bb => swtpm_0.2.0.bb} (96%) diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb b/meta-tpm/recipes-tpm/swtpm/swtpm_0.2.0.bb similarity index 96% rename from meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb rename to meta-tpm/recipes-tpm/swtpm/swtpm_0.2.0.bb index 42de8b1..f3a53dd 100644 --- a/meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb +++ b/meta-tpm/recipes-tpm/swtpm/swtpm_0.2.0.bb @@ -9,7 +9,7 @@ DEPENDS = "libtasn1 expect socat glib-2.0 net-tools-native libtpm libtpm-native" # then swtpm_setup needs them at runtime DEPENDS += "tpm-tools-native expect-native socat-native" -SRCREV = "d803d84575ab3e5dac316bf863c7f569a27ea35f" +SRCREV = "39673a0139b0ee14a0109aba50a0635592c672c4" SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-${PV} \ file://fix_fcntl_h.patch \ file://ioctl_h.patch \ -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH 1/8] libtpm: update to 0.7.0
Signed-off-by: Armin Kuster --- .../recipes-tpm/libtpm/{libtpm_0.6.0.bb => libtpm_0.7.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm/libtpm/{libtpm_0.6.0.bb => libtpm_0.7.0.bb} (88%) diff --git a/meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb b/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb similarity index 88% rename from meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb rename to meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb index a882960..d9863fa 100644 --- a/meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb +++ b/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb @@ -2,7 +2,7 @@ SUMMARY = "LIBPM - Software TPM Library" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9" -SRCREV = "9dc915572b51db0714640ba1ddf8cca9c0f24f05" +SRCREV = "c26e8f7b08b19a69cea9e8f1f1e6639c7951fb01" SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-${PV}" PE = "1" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 3/3] suricata: update to 4.1.4
Backport patch to fix build against newer kernels. Signed-off-by: Armin Kuster --- ...-packet-fix-build-on-recent-Linux-kernels.patch | 26 ++ .../{libhtp_0.5.29.bb => libhtp_0.5.30.bb} | 0 recipes-ids/suricata/suricata.inc | 6 ++--- .../{suricata_4.1.3.bb => suricata_4.1.4.bb} | 11 - 4 files changed, 35 insertions(+), 8 deletions(-) create mode 100644 recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch rename recipes-ids/suricata/{libhtp_0.5.29.bb => libhtp_0.5.30.bb} (100%) rename recipes-ids/suricata/{suricata_4.1.3.bb => suricata_4.1.4.bb} (95%) diff --git a/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch b/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch new file mode 100644 index 000..74e9a56 --- /dev/null +++ b/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch @@ -0,0 +1,26 @@ +From b37554e0bc3cf383e6547c5c6a69c6f6849c09e3 Mon Sep 17 00:00:00 2001 +From: Eric Leblond +Date: Wed, 17 Jul 2019 12:35:12 +0200 +Subject: [PATCH] af-packet: fix build on recent Linux kernels + +Upstream-Status: Backport +Signed-off-by: Armin kuster +--- + src/source-af-packet.c | 4 + 1 file changed, 4 insertions(+) + +Index: suricata-4.1.4/src/source-af-packet.c +=== +--- suricata-4.1.4.orig/src/source-af-packet.c suricata-4.1.4/src/source-af-packet.c +@@ -64,6 +64,10 @@ + #include + #endif + ++#if HAVE_LINUX_SOCKIOS_H ++#include ++#endif ++ + #ifdef HAVE_PACKET_EBPF + #include "util-ebpf.h" + #include diff --git a/recipes-ids/suricata/libhtp_0.5.29.bb b/recipes-ids/suricata/libhtp_0.5.30.bb similarity index 100% rename from recipes-ids/suricata/libhtp_0.5.29.bb rename to recipes-ids/suricata/libhtp_0.5.30.bb diff --git a/recipes-ids/suricata/suricata.inc b/recipes-ids/suricata/suricata.inc index 7be403c..54f91c5 100644 --- a/recipes-ids/suricata/suricata.inc +++ b/recipes-ids/suricata/suricata.inc 
@@ -2,8 +2,8 @@ HOMEPAGE = "http://suricata-ids.org/; SECTION = "security Monitor/Admin" LICENSE = "GPLv2" -VER = "4.1.3" +VER = "4.1.4" SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz; -SRC_URI[md5sum] = "35c4a8e6be3910831649a073950195df" -SRC_URI[sha256sum] = "6cda6c80b753ce36483c6be535358b971f3890b9aa27a58c2d2f7e89dd6c6aa0" +SRC_URI[md5sum] = "cb8bf6b8330c44ae78dfb5b083a6fe82" +SRC_URI[sha256sum] = "2da50d91f92adf8b1af930f388361f76424420b88f553f610e2780e4240f2009" diff --git a/recipes-ids/suricata/suricata_4.1.3.bb b/recipes-ids/suricata/suricata_4.1.4.bb similarity index 95% rename from recipes-ids/suricata/suricata_4.1.3.bb rename to recipes-ids/suricata/suricata_4.1.4.bb index d6f5937..f860af9 100644 --- a/recipes-ids/suricata/suricata_4.1.3.bb +++ b/recipes-ids/suricata/suricata_4.1.4.bb @@ -7,11 +7,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd SRC_URI += "file://emerging.rules.tar.gz;name=rules" SRC_URI += " \ - file://volatiles.03_suricata \ - file://suricata.yaml \ - file://suricata.service \ - file://run-ptest \ - " +file://volatiles.03_suricata \ +file://suricata.yaml \ +file://suricata.service \ +file://run-ptest \ +file://0001-af-packet-fix-build-on-recent-Linux-kernels.patch \ +" SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33" SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
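Review bot: The rewritten SRC_URI block in suricata_4.1.4.bb drops the leading indentation on every continuation line, so four lines that only moved now show up as changed; bitbake does not care, but keeping the original four-space indent would reduce this hunk to the single added `file://0001-af-packet-fix-build-on-recent-Linux-kernels.patch \` line and match the rest of the recipe. Separately, the libhtp_0.5.29.bb to libhtp_0.5.30.bb rename in this patch is reported at 100% similarity, so unless that recipe derives its fetch URL or tag from ${PV} it will still fetch and verify the 0.5.29 sources under the new name; worth confirming before merge. The version bump in suricata.inc updates the sha256sum alongside VER, which is the part that actually pins the tarball.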
[yocto] [meta-security][PATCH 2/3] oe-scap: Fix QA RDEPENDS error
ERROR: oe-scap-1.0-r0 do_package_qa: QA Issue: /usr/share/oe-scap/run_tests.sh contained in package oe-scap requires /bin/bash, but no providers found in RDEPENDS_oe-scap? [file-rdeps] Signed-off-by: Armin Kuster --- meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb index e84ed30..fd53fcb 100644 --- a/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb +++ b/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb @@ -30,4 +30,4 @@ do_install () { FILES_${PN} += "${datadir}/oe-scap" -RDEPENDS_${PN} = "openscap" +RDEPENDS_${PN} = "openscap bash" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
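Review bot: Adding bash to `RDEPENDS_${PN}` is the correct way to satisfy the file-rdeps QA check, but it also pulls bash into every image that installs oe-scap, which is a noticeable addition for a compliance-test package. If run_tests.sh does not actually use bash-only constructs (the script is not visible here), changing its shebang to `#!/bin/sh` would resolve the same QA issue without the extra runtime dependency. Either way, a short comment such as `# run_tests.sh is a bash script (file-rdeps QA)` next to the RDEPENDS line would explain why bash is listed.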
[yocto] [meta-security][PATCH 1/3] cryptsetup-tpm-incubator: fix QA error RDEPENDS
ERROR: cryptsetup-tpm-incubator-0.9.9-r0 do_package_qa: QA Issue: /usr/lib/libcryptsetup.so.12.3.0 contained in package cryptsetup-tpm-incubator requires libdevmapper.so.1.02(DM_1_02_97)(64bit), but no providers found in RDEPENDS_cryptsetup-tpm-incubator? [file-rdeps] Signed-off-by: Armin Kuster --- .../cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb index 8b50445..8385c94 100644 --- a/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb @@ -32,7 +32,7 @@ RRECOMMENDS_${PN} = "kernel-module-aes-generic \ kernel-module-xts \ " -RDEPENDS_${PN} += "lvm2" +RDEPENDS_${PN} += "lvm2 libdevmapper" RRECOMMENDS_${PN} += "lvm2-udevrules" RREPLACES_${PN} = "cryptsetup" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
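Review bot: The manual `RDEPENDS_${PN} += "lvm2 libdevmapper"` silences the file-rdeps QA error but does not carry the versioned symbol the QA message asked for (`libdevmapper.so.1.02(DM_1_02_97)`), so a later lvm2 update that drops that symbol version would no longer be caught at packaging time. Normally the shlibs provider data from the lvm2 build supplies this dependency automatically, and the fact that it was missing suggests libdevmapper was not registered as a provider in this build; it is worth checking whether that is a packaging gap in the lvm2 recipe in use rather than working around it here. If the explicit entry stays, a comment naming the error it addresses would help the next maintainer, e.g. `# libcryptsetup links libdevmapper; shlibs did not pick it up (file-rdeps QA)`.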
[yocto] [meta-security][PATCH 2/2] scap-security-guide: add depends on openscap-native do_install
This ensures openscap-native does install the needed patches security guilde needs to build Minor recipe cleanup too Signed-off-by: Armin Kuster --- .../scap-security-guide/scap-security-guide.inc| 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc index 341721a..3212310 100644 --- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc +++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -7,14 +7,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a" LICENSE = "LGPL-2.1" DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native" -RDEPENDS_${PN} = "openscap" S = "${WORKDIR}/git" inherit cmake pkgconfig python3native -#PARALLEL_MAKE = "" - STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" OECMAKE_GENERATOR = "Unix Makefiles" @@ -23,9 +20,13 @@ EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF" B = "${S}/build" +do_configure[depends] += "openscap-native:do_install" + do_configure_prepend () { sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt } FILES_${PN} += "${datadir}/xml" + +RDEPENDS_${PN} = "openscap" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
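Review bot: The new `do_configure[depends] += "openscap-native:do_install"` line deserves a comment, because openscap-native is already in DEPENDS and a reader will not see why a second, task-level dependency is needed. As far as I can tell from the companion openscap patch, the reason is that openscap-native copies its build artifacts into ${STAGING_OSCAP_BUILDDIR} (a work-shared directory outside the sysroot) in do_install, and the sysroot dependency that DEPENDS provides does not guarantee that task has run; something like `# openscap-native fills ${STAGING_OSCAP_BUILDDIR} in do_install, which the DEPENDS/sysroot path does not cover` would capture that. Depending on do_install rather than do_populate_sysroot presumably also forces openscap-native to be built rather than restored from sstate, which is likely intended because the shared directory is not sstate-tracked, but that side effect should be stated in the commit message. Moving `RDEPENDS_${PN}` to the end of the file is harmless but unrelated to the fix.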
[yocto] [meta-security][PATCH 1/2] openscap: Drop nostamp
add cleandir depends to do_install task This nostamp is causing issues with the yocto-check-layer when checking hash changes. Signed-off-by: Armin Kuster --- .../recipes-openscap/openscap/openscap.inc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc index ed8d8ff..afa576a 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc @@ -40,15 +40,14 @@ do_configure_append_class-native () { sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h } -do_clean[cleandirs] += "${STAGING_OSCAP_BUILDDIR}" -do_install[nostamp] = "1" - +do_install_class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" do_install_append_class-native () { oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} install -d $oscapdir cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir } + FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" RDEPENDS_${PN} += "libxml2 python3-core libgcc bash" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
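Review bot: `do_install_class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"` wipes a directory under ${TMPDIR}/work-shared that other recipes read from, so any consumer whose do_configure is not explicitly ordered after this do_install (the scap-security-guide patch in this series adds such an ordering) can race with the cleanup or find an empty directory. Dropping nostamp is the right call for yocto-check-layer, but together with the removed `do_clean[cleandirs]` it means that `bitbake -c clean openscap-native` no longer removes the shared artifacts, and a directory deleted by hand will not be repopulated while the do_install stamp is valid; a comment such as `# shared with scap-security-guide; consumers must depend on openscap-native:do_install` on the cleandirs line would record the contract. Minor: the leading space inside the quoted value is unnecessary with `+=`, which already inserts one.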
[yocto] [meta-security][PATCH] apparmor: drop lsb RDEPENDS
remove lsb functions from init script Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 2 +- recipes-mac/AppArmor/files/apparmor | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index 9322018..8484404 100644 --- a/recipes-mac/AppArmor/apparmor_2.13.3.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -160,7 +160,7 @@ PACKAGES += "mod-${PN}" FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" FILES_mod-${PN} = "${libdir}/apache2/modules/*" -RDEPENDS_${PN} += "bash lsb" +RDEPENDS_${PN} += "bash" RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" diff --git a/recipes-mac/AppArmor/files/apparmor b/recipes-mac/AppArmor/files/apparmor index ac3ab9a..604e48d 100644 --- a/recipes-mac/AppArmor/files/apparmor +++ b/recipes-mac/AppArmor/files/apparmor @@ -47,7 +47,6 @@ log_end_msg () { } . /lib/apparmor/functions -. /lib/lsb/init-functions usage() { echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
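Review bot: Removing `. /lib/lsb/init-functions` from the apparmor init script is only safe if nothing further down the script still calls an LSB helper; the hunk shows the script defines its own `log_end_msg ()`, but the rest of the file (the start/stop/status handling) is outside the hunk and should be checked for `log_daemon_msg`, `log_action_msg`, `status_of_proc` and similar before the lsb RDEPENDS goes away. If any are used they need local shims like the existing `log_end_msg`, otherwise the script fails at runtime with a command-not-found that the init system may not surface clearly.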
[yocto] [meta-security][PATCH 4/4] initramfs-framework-ima: correct IMA_POLICY name
it had ima_policy_hashed and did not match the recipe ima-policy-hashed found by yocto-check-layer Signed-off-by: Armin Kuster --- .../recipes-core/initrdscripts/initramfs-framework-ima.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index 6057e8d..95c853a 100644 --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 # This policy file will get installed as /etc/ima/ima-policy. # It is located via the normal file search path, so a .bbappend # to this recipe can just point towards one of its own files. -IMA_POLICY ?= "ima_policy_hashed" +IMA_POLICY ?= "ima-policy-hashed" SRC_URI = " file://ima" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 3/4] busybox: fix sig changes when layer added
Signed-off-by: Armin Kuster --- recipes-core/busybox/busybox_%.bbappend| 4 +--- recipes-core/busybox/busybox_libsecomp.inc | 3 +++ 2 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 recipes-core/busybox/busybox_libsecomp.inc diff --git a/recipes-core/busybox/busybox_%.bbappend b/recipes-core/busybox/busybox_%.bbappend index 8bb0706..27a2482 100644 --- a/recipes-core/busybox/busybox_%.bbappend +++ b/recipes-core/busybox/busybox_%.bbappend @@ -1,3 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://head.cfg" +require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'busybox_libsecomp.inc', '', d)} diff --git a/recipes-core/busybox/busybox_libsecomp.inc b/recipes-core/busybox/busybox_libsecomp.inc new file mode 100644 index 000..4af22ce --- /dev/null +++ b/recipes-core/busybox/busybox_libsecomp.inc @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/busybox:" + +SRC_URI_append = " file://head.cfg" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
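Review bot: The new busybox_libsecomp.inc should say what `file://head.cfg` is for and why it is only required when ptest is in DISTRO_FEATURES; the file name hints at libseccomp, but nothing in the file or the commit message explains the link. A header comment along the lines of `# busybox config fragment needed by the libseccomp ptest; only required when ptest is enabled so this layer does not alter busybox task signatures otherwise` (confirm the libseccomp relationship) would make the conditional `require` in the bbappend understandable. Style nits: the file name spells it `libsecomp` with one c, which is easy to mistype later, and the switch from `SRC_URI += "file://head.cfg"` to `SRC_URI_append = " file://head.cfg"` changes when the value is applied during parsing, which the commit message could mention if deliberate.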
[yocto] [meta-security][PATCH 2/4] packagegroup-core-security: update package name
Also remove tpm packagegroup reference Signed-off-by: Armin Kuster --- recipes-security/packagegroup/packagegroup-core-security.bb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb index 20ba46f..e0a9d05 100644 --- a/recipes-security/packagegroup/packagegroup-core-security.bb +++ b/recipes-security/packagegroup/packagegroup-core-security.bb @@ -11,7 +11,6 @@ PACKAGES = "\ packagegroup-security-scanners \ packagegroup-security-ids \ packagegroup-security-mac \ -${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ " RDEPENDS_packagegroup-core-security = "\ @@ -19,7 +18,6 @@ RDEPENDS_packagegroup-core-security = "\ packagegroup-security-scanners \ packagegroup-security-ids \ packagegroup-security-mac \ -${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ " SUMMARY_packagegroup-security-utils = "Security utilities" @@ -27,7 +25,7 @@ RDEPENDS_packagegroup-security-utils = "\ checksec \ nmap \ pinentry \ -python-scapy \ +python3-scapy \ ding-libs \ keyutils \ libseccomp \ -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
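Review bot: The commit message says the packagegroup-security-tpm reference is removed but not why, which matters because anyone relying on MACHINE_FEATURES "tpm" pulling that group into packagegroup-core-security will now silently lose it; if the group moved to meta-tpm and must be added by the image explicitly, say so in the message. The python-scapy to `python3-scapy` rename is consistent with the scapy recipe change elsewhere in this series.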
[yocto] [meta-security][PATCH 1/4] packagegroup-core-security-ptest: only included if ptest is enabled
update python package names Signed-off-by: Armin Kuster --- .../packagegroup/packagegroup-core-security-ptest.bb| 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/recipes-security/packagegroup/packagegroup-core-security-ptest.bb index ddcf208..39873b8 100644 --- a/recipes-security/packagegroup/packagegroup-core-security-ptest.bb +++ b/recipes-security/packagegroup/packagegroup-core-security-ptest.bb @@ -3,6 +3,10 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" +inherit distro_features_check + +REQUIRED_DISTRO_FEATURES = "ptest" + PACKAGES = "\ ${PN} \ " @@ -15,7 +19,7 @@ RDEPENDS_${PN} = " \ samhain-standalone-ptest \ keyutils-ptest \ libseccomp-ptest \ -python-scapy-ptest \ +python3-scapy-ptest \ suricata-ptest \ tripwire-ptest \ python-fail2ban-ptest \ -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
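Review bot: `inherit distro_features_check` with `REQUIRED_DISTRO_FEATURES = "ptest"` makes this recipe skip, and any image that hard-depends on packagegroup-core-security-ptest fail, when ptest is not a distro feature; that matches the subject, but it is a behaviour change from a packagegroup that previously parsed and was merely unbuildable, so the commit message should say that images must now reference this group only under a ptest condition. Also, the hunk renames scapy to `python3-scapy-ptest` while the context line `python-fail2ban-ptest` stays on the python2 name; if that recipe has moved to python3 as well, update it in the same commit for consistency.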
[yocto] [meta-security][PATCH] python-scapy: drop py2 package
fixup run-ptest Signed-off-by: Armin Kuster --- recipes-security/scapy/files/run-ptest| 2 +- recipes-security/scapy/python-scapy.inc | 22 --- recipes-security/scapy/python-scapy_2.4.3.bb | 11 recipes-security/scapy/python3-scapy_2.4.3.bb | 27 --- 4 files changed, 25 insertions(+), 37 deletions(-) delete mode 100644 recipes-security/scapy/python-scapy.inc delete mode 100644 recipes-security/scapy/python-scapy_2.4.3.bb diff --git a/recipes-security/scapy/files/run-ptest b/recipes-security/scapy/files/run-ptest index 91b29f9..797d8ec 100644 --- a/recipes-security/scapy/files/run-ptest +++ b/recipes-security/scapy/files/run-ptest @@ -1,4 +1,4 @@ #!/bin/sh -UTscapy -t regression.uts -f text -l -C \ +UTscapy3 -t regression.uts -f text -l -C \ -o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \ 2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/' diff --git a/recipes-security/scapy/python-scapy.inc b/recipes-security/scapy/python-scapy.inc deleted file mode 100644 index 28e13f2..000 --- a/recipes-security/scapy/python-scapy.inc +++ /dev/null 
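Review bot: The new `UTscapy3 -t regression.uts ...` invocation depends on the `mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3` rename in python3-scapy_2.4.3.bb, and because the output is piped through sed, a missing or renamed binary produces no PASS:/FAIL: lines at all, so the ptest appears to have run zero tests rather than failing. A guard before the pipeline, e.g. `command -v UTscapy3 >/dev/null 2>&1 || { echo "FAIL: UTscapy3 not found"; exit 1; }`, would make that failure mode visible to the ptest runner.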
@@ -1,22 +0,0 @@ -SUMMARY = "Network scanning and manipulation tool" -DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc." -SECTION = "security" -LICENSE = "GPLv2" - -LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" - -S = "${WORKDIR}/git" - -SRCREV = "3047580162a9407ef05fe981983cacfa698f1159" -SRC_URI = "git://github.com/secdev/scapy.git" - -inherit ptest - -do_install_ptest() { -install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH} -sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest -} - -RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \ - ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \ - ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto" diff --git a/recipes-security/scapy/python-scapy_2.4.3.bb b/recipes-security/scapy/python-scapy_2.4.3.bb deleted file mode 100644 index 982620e..000 --- a/recipes-security/scapy/python-scapy_2.4.3.bb +++ /dev/null @@ -1,11 +0,0 @@ -inherit setuptools -require python-scapy.inc - -SRC_URI += "file://run-ptest" - -RDEPENDS_${PN} += "${PYTHON_PN}-subprocess" - -do_install_append() { -mv ${D}${bindir}/scapy ${D}${bindir}/scapy2 -mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy2 -} 
diff --git a/recipes-security/scapy/python3-scapy_2.4.3.bb b/recipes-security/scapy/python3-scapy_2.4.3.bb index abcaeeb..925f188 100644 --- a/recipes-security/scapy/python3-scapy_2.4.3.bb +++ b/recipes-security/scapy/python3-scapy_2.4.3.bb @@ -1,9 +1,30 @@ -inherit setuptools3 -require python-scapy.inc +SUMMARY = "Network scanning and manipulation tool" +DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc." +SECTION = "security" +LICENSE = "GPLv2" -SRC_URI += "file://run-ptest" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +S = "${WORKDIR}/git" + +SRCREV = "3047580162a9407ef05fe981983cacfa698f1159" +SRC_URI = "git://github.com/secdev/scapy.git \ + file://run-ptest" + +S = "${WORKDIR}/git" + +inherit setuptools3 ptest do_install_append() { mv ${D}${bindir}/scapy ${D}${bindir}/scapy3 mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3 } + +do_install_ptest() { +install -m 0644 ${S}
[yocto] [meta-security][PATCH] integrity-image: IMA_EVM_KEY_DIR has no affect, remove
Signed-off-by: Armin Kuster --- meta-integrity/recipes-core/images/integrity-image-minimal.bb | 1 - 1 file changed, 1 deletion(-) diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb index e1bc6ff..1a3a30a 100644 --- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb @@ -17,6 +17,5 @@ inherit core-image export IMAGE_BASENAME = "integrity-image-minimal" INHERIT += "ima-evm-rootfs" -IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] apparmor: update to 2.13.3
create the cache dir at install time Signed-off-by: Armin Kuster --- .../AppArmor/{apparmor_2.13.2.bb => apparmor_2.13.3.bb} | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) rename recipes-mac/AppArmor/{apparmor_2.13.2.bb => apparmor_2.13.3.bb} (96%) diff --git a/recipes-mac/AppArmor/apparmor_2.13.2.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb similarity index 96% rename from recipes-mac/AppArmor/apparmor_2.13.2.bb rename to recipes-mac/AppArmor/apparmor_2.13.3.bb index 1e9715d..9322018 100644 --- a/recipes-mac/AppArmor/apparmor_2.13.2.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb @@ -24,7 +24,7 @@ SRC_URI = " \ file://run-ptest \ " -SRCREV = "af4808b5f6b58946f5c5a4de4b77df5e0eae6ca0" +SRCREV = "2f9d9ea7e01a115b29858455d3b1b5c6a0bab75c" S = "${WORKDIR}/git" PARALLEL_MAKE = "" @@ -141,6 +141,12 @@ do_install_ptest () { cp -rf ${B}/binutils ${t} } +pkg_postinst_ontarget_${PN} () { +if [ ! -d /etc/apparmor.d/cache ] ; then +mkdir /etc/apparmor.d/cache +fi +} + INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME = "apparmor" INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
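Review bot: `pkg_postinst_ontarget_${PN}` creates /etc/apparmor.d/cache with a bare `mkdir` at first boot, which does not match the commit message ("create the cache dir at install time"), requires a writable /etc on the target, and fails outright if /etc/apparmor.d does not exist yet. Creating the directory in do_install with `install -d ${D}${sysconfdir}/apparmor.d/cache` and letting the default `FILES_${PN}` (which covers ${sysconfdir}) package it achieves the stated intent, works on read-only root filesystems, and removes a first-boot step; if a postinst is still wanted as a fallback, `mkdir -p` is the safer form. The do_install function itself is outside this hunk.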
[yocto] [meta-security][PATCH 2/2] apparmor: fix RDPENDS
apparmor-2.13.2-r0 do_package_qa: QA Issue: /usr/bin/aa-easyprof contained in package apparmor requires /usr/bin/python3, but no providers found in RDEPENDS_apparmor? [file-rdeps] Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.2.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-mac/AppArmor/apparmor_2.13.2.bb b/recipes-mac/AppArmor/apparmor_2.13.2.bb index 4eaec00..1e9715d 100644 --- a/recipes-mac/AppArmor/apparmor_2.13.2.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.2.bb @@ -155,6 +155,6 @@ FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR} FILES_mod-${PN} = "${libdir}/apache2/modules/*" RDEPENDS_${PN} += "bash lsb" -RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}" +RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 1/2] linux-stable: rename to more generic bbappend
use wildcards Signed-off-by: Armin Kuster --- recipes-kernel/linux/{linux-stable_5.2.bbappend => linux-%_5.%.bbappend} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename recipes-kernel/linux/{linux-stable_5.2.bbappend => linux-%_5.%.bbappend} (100%) diff --git a/recipes-kernel/linux/linux-stable_5.2.bbappend b/recipes-kernel/linux/linux-%_5.%.bbappend similarity index 100% rename from recipes-kernel/linux/linux-stable_5.2.bbappend rename to recipes-kernel/linux/linux-%_5.%.bbappend -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 2/2] linux-yocto-dev: update to use kernel cache
Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-yocto-dev.bbappend | 13 ++--- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/recipes-kernel/linux/linux-yocto-dev.bbappend b/recipes-kernel/linux/linux-yocto-dev.bbappend index 68b2b8b..239e30e 100644 --- a/recipes-kernel/linux/linux-yocto-dev.bbappend +++ b/recipes-kernel/linux/linux-yocto-dev.bbappend @@ -1,11 +1,2 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto-5.0:" - -SRC_URI += "\ -${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \ -${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \ -" - -SRC_URI += "\ -${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \ -${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \ -" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" ++KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
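Review bot: The second added line reads `++KERNEL_FEATURES_append = ...`, i.e. the new linux-yocto-dev.bbappend content begins with a literal `+`, which bitbake will not parse as an assignment; the same line in linux-yocto_4.%.bbappend from patch 1/2 carries a single marker, so unless this is a mail-transport artifact it needs fixing before the patch is applied. Also, the hunk removes the `FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto-5.0:"` line but the diffstat lists only this one file, so the apparmor/smack .cfg fragments under linux-yocto-5.0/ appear to remain in the layer unreferenced; they should be deleted as was done for the 4.x fragments, unless something else still uses them.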
[yocto] [meta-security][PATCH 1/2] linux-yocto: use 4.19 kernel cache now
remove kernel fragments now that they are in the kernel-cache for 4.19 update bbappend accordingly. Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-yocto/apparmor.cfg | 15 --- .../linux/linux-yocto/apparmor_on_boot.cfg| 1 - .../linux/linux-yocto/smack-default-lsm.cfg | 2 -- recipes-kernel/linux/linux-yocto/smack.cfg| 8 recipes-kernel/linux/linux-yocto/yama.cfg | 1 - recipes-kernel/linux/linux-yocto_4.%.bbappend | 13 ++--- 6 files changed, 2 insertions(+), 38 deletions(-) delete mode 100644 recipes-kernel/linux/linux-yocto/apparmor.cfg delete mode 100644 recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg delete mode 100644 recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg delete mode 100644 recipes-kernel/linux/linux-yocto/smack.cfg delete mode 100644 recipes-kernel/linux/linux-yocto/yama.cfg diff --git a/recipes-kernel/linux/linux-yocto/apparmor.cfg b/recipes-kernel/linux/linux-yocto/apparmor.cfg deleted file mode 100644 index b5f9bb2..000 --- a/recipes-kernel/linux/linux-yocto/apparmor.cfg +++ /dev/null @@ -1,15 +0,0 @@ -CONFIG_AUDIT=y -# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set -CONFIG_SECURITY_NETWORK=y -# CONFIG_SECURITY_NETWORK_XFRM is not set -CONFIG_SECURITY_PATH=y -# CONFIG_SECURITY_SELINUX is not set -CONFIG_SECURITY_APPARMOR=y -CONFIG_SECURITY_APPARMOR_HASH=y -CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y -# CONFIG_SECURITY_APPARMOR_DEBUG is not set -CONFIG_INTEGRITY_AUDIT=y -CONFIG_DEFAULT_SECURITY_APPARMOR=y -# CONFIG_DEFAULT_SECURITY_DAC is not set -CONFIG_DEFAULT_SECURITY="apparmor" -CONFIG_AUDIT_GENERIC=y diff --git a/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg deleted file mode 100644 index fc35740..000 --- a/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg +++ /dev/null @@ -1 +0,0 @@ -CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 
diff --git a/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg b/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg deleted file mode 100644 index b5c4845..000 --- a/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg +++ /dev/null @@ -1,2 +0,0 @@ -CONFIG_DEFAULT_SECURITY="smack" -CONFIG_DEFAULT_SECURITY_SMACK=y diff --git a/recipes-kernel/linux/linux-yocto/smack.cfg b/recipes-kernel/linux/linux-yocto/smack.cfg deleted file mode 100644 index 62f465a..000 --- a/recipes-kernel/linux/linux-yocto/smack.cfg +++ /dev/null @@ -1,8 +0,0 @@ -CONFIG_IP_NF_SECURITY=m -CONFIG_IP6_NF_SECURITY=m -CONFIG_EXT2_FS_SECURITY=y -CONFIG_EXT3_FS_SECURITY=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_SECURITY=y -CONFIG_SECURITY_SMACK=y -CONFIG_TMPFS_XATTR=y diff --git a/recipes-kernel/linux/linux-yocto/yama.cfg b/recipes-kernel/linux/linux-yocto/yama.cfg deleted file mode 100644 index 3b55731..000 --- a/recipes-kernel/linux/linux-yocto/yama.cfg +++ /dev/null @@ -1 +0,0 @@ -CONFIG_SECURITY_YAMA=y diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend index 321392c..39d4e6f 100644 --- a/recipes-kernel/linux/linux-yocto_4.%.bbappend +++ b/recipes-kernel/linux/linux-yocto_4.%.bbappend 
@@ -1,11 +1,2 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "\ -${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \ -${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \ -" - -SRC_URI += "\ -${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \ -${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \ -" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
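Review bot: The replacement lines cover apparmor and smack only, and the deleted fragments contained settings the kernel-cache features are now trusted to provide, notably `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1` from apparmor_on_boot.cfg and `CONFIG_DEFAULT_SECURITY="apparmor"` / `"smack"` from the default-LSM fragments; please confirm features/apparmor/apparmor.scc and features/smack/smack.scc in the 4.19 cache set these, otherwise the LSM is built in but not active as the default at boot. The deleted yama.cfg was never referenced by the old bbappend, but since the new 5.2 bbappend in this series does add features/yama/yama.scc, a matching `KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}"` line here would keep the two kernels consistent. A one-line comment above the appends noting that the fragments now come from the yocto-kernel-cache would stop the next reader from looking for local .cfg files.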
[yocto] [meta-security][PATCH 3/3] linux-stable/5.2: add stable bbappend
Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-stable_5.2.bbappend | 4 1 file changed, 4 insertions(+) create mode 100644 recipes-kernel/linux/linux-stable_5.2.bbappend diff --git a/recipes-kernel/linux/linux-stable_5.2.bbappend b/recipes-kernel/linux/linux-stable_5.2.bbappend new file mode 100644 index 000..76b5df5 --- /dev/null +++ b/recipes-kernel/linux/linux-stable_5.2.bbappend @@ -0,0 +1,4 @@ +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}" + -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
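Review bot: The new linux-stable_5.2.bbappend ends with an empty added line, which is harmless but unnecessary. More importantly, KERNEL_FEATURES is only acted on by recipes that inherit kernel-yocto and use the yocto-kernel-cache; if linux-stable is a plain kernel recipe without that machinery, these three appends are silently ignored and no LSM configuration reaches the kernel, so that precondition is worth a header comment, e.g. `# requires kernel-yocto + yocto-kernel-cache; plain kernel recipes ignore KERNEL_FEATURES`.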
[yocto] [meta-security][PATCH 2/3] meta-integrity: remove kernel fragments now in cache
Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux-%.bbappend | 5 ++--- .../recipes-kernel/linux/linux/ima.cfg | 18 -- .../linux/linux/ima_evm_root_ca.cfg| 3 --- .../recipes-kernel/linux/linux/modsign.cfg | 5 - .../recipes-kernel/linux/linux/modsign.scc | 4 5 files changed, 2 insertions(+), 33 deletions(-) delete mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg delete mode 100644 meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg delete mode 100644 meta-integrity/recipes-kernel/linux/linux/modsign.cfg delete mode 100644 meta-integrity/recipes-kernel/linux/linux/modsign.scc diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend index ca96c8d..f9a48cd 100644 --- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend @@ -1,6 +1,5 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" -SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}" -SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' file://modsign.scc file://modsign.cfg', '', d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg deleted file mode 100644 index b3e47ba..000 --- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg +++ /dev/null 
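Review bot: The deleted ima.cfg pinned `CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"` together with the appraise and template settings, and modsign.cfg pinned `CONFIG_MODULE_SIG_FORCE=y` and `CONFIG_MODULE_SIG_KEY="modsign_key.pem"`; the bbappend now trusts features/ima/ima.scc and features/ima/modsign.scc from the kernel-cache to set equivalent values, so please confirm the certificate path matches what ima-evm-rootfs installs and that the module signing key name matches what the kernel-modsign class provides, otherwise the kernel could boot without the expected key and appraisal or module enforcement would not behave as the layer intends. Style nit: the two new lines mix double and single quotes inside the same `${@bb.utils.contains(...)}` expression; pick one form. The deleted ima_evm_root_ca.cfg was not referenced by the old bbappend, so its removal changes nothing.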
@@ -1,18 +0,0 @@ -CONFIG_IMA=y -CONFIG_IMA_MEASURE_PCR_IDX=10 -CONFIG_IMA_NG_TEMPLATE=y -CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" -CONFIG_IMA_DEFAULT_HASH_SHA1=y -CONFIG_IMA_DEFAULT_HASH="sha1" -CONFIG_IMA_APPRAISE=y -CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_TRUSTED_KEYRING=y -CONFIG_SIGNATURE=y -CONFIG_IMA_WRITE_POLICY=y -CONFIG_IMA_READ_POLICY=y -CONFIG_IMA_LOAD_X509=y -CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" - -#CONFIG_INTEGRITY_SIGNATURE=y -#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y -#CONFIG_INTEGRITY_TRUSTED_KEYRING=y diff --git a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg deleted file mode 100644 index 9a45425..000 --- a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg +++ /dev/null @@ -1,3 +0,0 @@ -# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set -CONFIG_EVM_LOAD_X509=y -CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der" diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.cfg b/meta-integrity/recipes-kernel/linux/linux/modsign.cfg deleted file mode 100644 index c0c4ebc..000 --- a/meta-integrity/recipes-kernel/linux/linux/modsign.cfg +++ /dev/null @@ -1,5 +0,0 @@ -CONFIG_MODULE_SIG=y -CONFIG_MODULE_SIG_FORCE=y -CONFIG_MODULE_SIG_SHA256=y -CONFIG_MODULE_SIG_HASH="sha256" -CONFIG_MODULE_SIG_KEY="modsign_key.pem" diff --git a/meta-integrity/recipes-kernel/linux/linux/modsign.scc b/meta-integrity/recipes-kernel/linux/linux/modsign.scc deleted file mode 100644 index bce78ae..000 --- a/meta-integrity/recipes-kernel/linux/linux/modsign.scc +++ /dev/null @@ -1,4 +0,0 @@ -define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement" -define KFEATURE_COMPATIBILITY all - -kconf non-hardware modsign.cfg -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 1/3] linux-%: remove kernel fragments now in cache
Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-%.bbapend | 9 - recipes-kernel/linux/linux/apparmor.cfg | 9 - recipes-kernel/linux/linux/apparmor_on_boot.cfg | 1 - recipes-kernel/linux/linux/smack-default-lsm.cfg | 2 -- recipes-kernel/linux/linux/smack.cfg | 7 --- 5 files changed, 28 deletions(-) delete mode 100644 recipes-kernel/linux/linux-%.bbapend delete mode 100644 recipes-kernel/linux/linux/apparmor.cfg delete mode 100644 recipes-kernel/linux/linux/apparmor_on_boot.cfg delete mode 100644 recipes-kernel/linux/linux/smack-default-lsm.cfg delete mode 100644 recipes-kernel/linux/linux/smack.cfg diff --git a/recipes-kernel/linux/linux-%.bbapend b/recipes-kernel/linux/linux-%.bbapend deleted file mode 100644 index ec7adeb..000 --- a/recipes-kernel/linux/linux-%.bbapend +++ /dev/null @@ -1,9 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" - -SRC_URI += "\ -${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \ -${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \ -${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \ -${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \ -${@bb.utils.contains('DISTRO_FEATURES', 'yama', ' file://yama.cfg', '', d)} \ -" diff --git a/recipes-kernel/linux/linux/apparmor.cfg b/recipes-kernel/linux/linux/apparmor.cfg deleted file mode 100644 index ae6cdcd..000 --- a/recipes-kernel/linux/linux/apparmor.cfg +++ /dev/null @@ -1,9 +0,0 @@ -CONFIG_AUDIT=y -CONFIG_SECURITY_PATH=y -CONFIG_SECURITY_APPARMOR=y -CONFIG_SECURITY_APPARMOR_HASH=y -CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y -CONFIG_INTEGRITY_AUDIT=y -CONFIG_DEFAULT_SECURITY_APPARMOR=y -CONFIG_DEFAULT_SECURITY="apparmor" -CONFIG_AUDIT_GENERIC=y diff --git a/recipes-kernel/linux/linux/apparmor_on_boot.cfg b/recipes-kernel/linux/linux/apparmor_on_boot.cfg deleted file mode 100644 index fc35740..000 
--- a/recipes-kernel/linux/linux/apparmor_on_boot.cfg +++ /dev/null @@ -1 +0,0 @@ -CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 diff --git a/recipes-kernel/linux/linux/smack-default-lsm.cfg b/recipes-kernel/linux/linux/smack-default-lsm.cfg deleted file mode 100644 index b5c4845..000 --- a/recipes-kernel/linux/linux/smack-default-lsm.cfg +++ /dev/null @@ -1,2 +0,0 @@ -CONFIG_DEFAULT_SECURITY="smack" -CONFIG_DEFAULT_SECURITY_SMACK=y diff --git a/recipes-kernel/linux/linux/smack.cfg b/recipes-kernel/linux/linux/smack.cfg deleted file mode 100644 index 0d5fc64..000 --- a/recipes-kernel/linux/linux/smack.cfg +++ /dev/null @@ -1,7 +0,0 @@ -CONFIG_NETLABEL=y -CONFIG_SECURITY_NETWORK=y -# CONFIG_SECURITY_NETWORK_XFRM is not set -CONFIG_SECURITY_SMACK=y -CONFIG_SECURITY_SMACK_BRINGUP=y -CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y -CONFIG_TMPFS_XATTR=y -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-integrity][PAYTCH] integrity-image: IMA_EVM_KEY_DIR has no affect, remove
Signed-off-by: Armin Kuster --- meta-integrity/recipes-core/images/integrity-image-minimal.bb | 1 - 1 file changed, 1 deletion(-) diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb index e1bc6ff..1a3a30a 100644 --- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb @@ -17,6 +17,5 @@ inherit core-image export IMAGE_BASENAME = "integrity-image-minimal" INHERIT += "ima-evm-rootfs" -IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[linux-yocto] [PATCH 4/4] kernel-cache: add yama security fragments
Signed-off-by: Armin Kuster
---
features/yama/yama.cfg | 1 +
features/yama/yama.scc | 4
2 files changed, 5 insertions(+)
create mode 100644 features/yama/yama.cfg
create mode 100644 features/yama/yama.scc
diff --git a/features/yama/yama.cfg b/features/yama/yama.cfg
new file mode 100644
index ..3b55731f
--- /dev/null
+++ b/features/yama/yama.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_YAMA=y
diff --git a/features/yama/yama.scc b/features/yama/yama.scc
new file mode 100644
index ..c5e5427d
--- /dev/null
+++ b/features/yama/yama.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable/disable configurations for yama security"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware yama.cfg
--
2.17.1
--
___
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto
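Review bot: `yama.cfg` sets only `CONFIG_SECURITY_YAMA=y`, which depends on `CONFIG_SECURITY=y`, and none of the other fragments in this series (apparmor.cfg, smack.cfg, ima.cfg) set that symbol either; on a base config without CONFIG_SECURITY the fragment is silently dropped at merge time and the only trace is the kernel-yocto config audit warning. Adding `CONFIG_SECURITY=y` to yama.cfg (or to a small shared fragment each LSM .scc includes) makes the feature self-contained. It is also worth a comment that the fragment does not pin `kernel.yama.ptrace_scope`, which has no Kconfig knob and is left at the kernel default until userspace sets it via sysctl: `# ptrace_scope is not configurable here; set kernel.yama.ptrace_scope from userspace`.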
[linux-yocto] [PATCH 2/4] kernel-cache: add smack
Signed-off-by: Armin Kuster
---
features/smack/smack.cfg | 10 ++
features/smack/smack.scc | 4
2 files changed, 14 insertions(+)
create mode 100644 features/smack/smack.cfg
create mode 100644 features/smack/smack.scc
diff --git a/features/smack/smack.cfg b/features/smack/smack.cfg
new file mode 100644
index ..19587977
--- /dev/null
+++ b/features/smack/smack.cfg
@@ -0,0 +1,10 @@
+CONFIG_NETLABEL=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_SMACK=y
+CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_DEFAULT_SECURITY_SMACK=y
+CONFIG_CRYPTO_HASH_INFO=y
+CONFIG_CRC_CCITT=y
diff --git a/features/smack/smack.scc b/features/smack/smack.scc
new file mode 100644
index ..b53fa56e
--- /dev/null
+++ b/features/smack/smack.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable/disable configurations for smack security"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware smack.cfg
--
2.17.1
--
___
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto
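Review bot: Compared with the meta-security `smack.cfg` this replaces, the new fragment drops `CONFIG_TMPFS_XATTR=y`, which Smack relies on to keep SMACK64 labels on tmpfs mounts such as /run and /tmp, and adds `CONFIG_EVM=y` / `CONFIG_EVM_ATTR_FSUUID=y`, which belong to the integrity subsystem rather than to Smack and would sit better beside `features/ima/ima_evm_root_ca.cfg` so a Smack kernel without EVM stays possible. Dropping `CONFIG_SECURITY_SMACK_BRINGUP=y` is the right direction for anything but a development image (bringup mode lets rule violations through), but it is a behaviour change relative to the old fragment and should be named in the commit message. Suggested: re-add `CONFIG_TMPFS_XATTR=y` here and move the two EVM lines into the ima feature.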
[linux-yocto] [PATCH 1/4] kernel-cache: add apparmor fragments
Signed-off-by: Armin Kuster
---
features/apparmor/apparmor.cfg | 7 +++
features/apparmor/apparmor.scc | 5 +
features/apparmor/apparmor_on_boot.cfg | 1 +
3 files changed, 13 insertions(+)
create mode 100644 features/apparmor/apparmor.cfg
create mode 100644 features/apparmor/apparmor.scc
create mode 100644 features/apparmor/apparmor_on_boot.cfg
diff --git a/features/apparmor/apparmor.cfg b/features/apparmor/apparmor.cfg
new file mode 100644
index ..de242a20
--- /dev/null
+++ b/features/apparmor/apparmor.cfg
@@ -0,0 +1,7 @@
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_PATH=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
diff --git a/features/apparmor/apparmor.scc b/features/apparmor/apparmor.scc
new file mode 100644
index ..2ff331c4
--- /dev/null
+++ b/features/apparmor/apparmor.scc
@@ -0,0 +1,5 @@
+define KFEATURE_DESCRIPTION "Enable/disable configurations for apparmor security"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware apparmor.cfg
+kconf non-hardware apparmor_on_boot.cfg
diff --git a/features/apparmor/apparmor_on_boot.cfg b/features/apparmor/apparmor_on_boot.cfg
new file mode 100644
index ..fc357401
--- /dev/null
+++ b/features/apparmor/apparmor_on_boot.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
--
2.17.1
--
___
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto
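Review bot: `apparmor.scc` includes `apparmor_on_boot.cfg` unconditionally, so splitting `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1` into its own file buys nothing as an opt-out; either fold the line into apparmor.cfg or document the intent in the .scc, e.g. `# separate fragment so a BSP can drop it and leave AppArmor off until apparmor=1 is passed`. Like the other fragments in this series, apparmor.cfg sets `CONFIG_DEFAULT_SECURITY_APPARMOR=y` but not `CONFIG_SECURITY=y`, which SECURITY_APPARMOR depends on, so on a base config without it the whole fragment is quietly discarded; adding `CONFIG_SECURITY=y` makes the feature stand on its own. The default-LSM choice here also collides with `CONFIG_DEFAULT_SECURITY_SMACK=y` in the smack fragment, so a comment that the two features are mutually exclusive would save the next person a config-audit hunt.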
[linux-yocto] [PATCH 3/4] kernel-cache: add ima fragments
Signed-off-by: Armin Kuster
---
features/ima/ima.cfg | 18 ++
features/ima/ima.scc | 4
features/ima/ima_evm_root_ca.cfg | 3 +++
features/ima/modsign.cfg | 3 +++
features/ima/modsign.scc | 6 ++
5 files changed, 34 insertions(+)
create mode 100644 features/ima/ima.cfg
create mode 100644 features/ima/ima.scc
create mode 100644 features/ima/ima_evm_root_ca.cfg
create mode 100644 features/ima/modsign.cfg
create mode 100644 features/ima/modsign.scc
diff --git a/features/ima/ima.cfg b/features/ima/ima.cfg
new file mode 100644
index ..b3e47ba3
--- /dev/null
+++ b/features/ima/ima.cfg
@@ -0,0 +1,18 @@
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+CONFIG_IMA_DEFAULT_HASH="sha1"
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_SIGNATURE=y
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+
+#CONFIG_INTEGRITY_SIGNATURE=y
+#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#CONFIG_INTEGRITY_TRUSTED_KEYRING=y
diff --git a/features/ima/ima.scc b/features/ima/ima.scc
new file mode 100644
index ..f2ccbd6a
--- /dev/null
+++ b/features/ima/ima.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable/disable configurations for ima security"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware ima.cfg
diff --git a/features/ima/ima_evm_root_ca.cfg b/features/ima/ima_evm_root_ca.cfg
new file mode 100644
index ..9a454257
--- /dev/null
+++ b/features/ima/ima_evm_root_ca.cfg
@@ -0,0 +1,3 @@
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
diff --git a/features/ima/modsign.cfg b/features/ima/modsign.cfg
new file mode 100644
index ..24c402c8
--- /dev/null
+++ b/features/ima/modsign.cfg
@@ -0,0 +1,3 @@
+CONFIG_MODULE_SIG_SHA256=y
+CONFIG_MODULE_SIG_HASH="sha256"
+CONFIG_MODULE_SIG_KEY="modsign_key.pem"
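Review bot: `ima.cfg` is moved verbatim (same blob b3e47ba) and so keeps `CONFIG_IMA_DEFAULT_HASH_SHA1=y` / `CONFIG_IMA_DEFAULT_HASH="sha1"` as the hash for both PCR-10 measurements and ima-ng appraisal; now that the fragment lives in the cache this is the cheap moment to switch to `CONFIG_IMA_DEFAULT_HASH_SHA256=y` and `CONFIG_IMA_DEFAULT_HASH="sha256"`, since the debug-image files are re-signed at rootfs time anyway. `CONFIG_IMA_APPRAISE_BOOTPARAM=y` lets whoever controls the kernel command line pass `ima_appraise=off`, which the meta-integrity demo image depends on but which a locked-down product must not ship; a comment in the fragment, `# BOOTPARAM honours ima_appraise=off/log/fix from the cmdline; disable for production`, would flag it. Finally `ima_evm_root_ca.cfg` is added but `ima.scc` only pulls `ima.cfg`, so the EVM certificate path is not reachable from any feature; either add a second `kconf non-hardware ima_evm_root_ca.cfg` line to ima.scc or give the file its own .scc.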
diff --git a/features/ima/modsign.scc b/features/ima/modsign.scc
new file mode 100644
index ..489fa5e5
--- /dev/null
+++ b/features/ima/modsign.scc
@@ -0,0 +1,6 @@
+define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware features/module-signing/signing.cfg
+kconf non-hardware features/module-signing/force-signing.cfg
+kconf non-hardware modsign.cfg
--
2.17.1
--
___
linux-yocto mailing list
linux-yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/linux-yocto
[linux-yocto] [PATCH 0/4] More security fragments
It is time to move the kernel configuration fragments out of meta-security into the kernel-cache, where they can be maintained alongside the other kernel features. Armin Kuster (4): kernel-cache: add apparmor fragments kernel-cache: add smack kernel-cache: add ima fragments kernel-cache: add yama security fragments features/apparmor/apparmor.cfg | 7 +++ features/apparmor/apparmor.scc | 5 + features/apparmor/apparmor_on_boot.cfg | 1 + features/ima/ima.cfg | 18 ++ features/ima/ima.scc | 4 features/ima/ima_evm_root_ca.cfg | 3 +++ features/ima/modsign.cfg | 3 +++ features/ima/modsign.scc | 6 ++ features/smack/smack.cfg | 10 ++ features/smack/smack.scc | 4 features/yama/yama.cfg | 1 + features/yama/yama.scc | 4 12 files changed, 66 insertions(+) create mode 100644 features/apparmor/apparmor.cfg create mode 100644 features/apparmor/apparmor.scc create mode 100644 features/apparmor/apparmor_on_boot.cfg create mode 100644 features/ima/ima.cfg create mode 100644 features/ima/ima.scc create mode 100644 features/ima/ima_evm_root_ca.cfg create mode 100644 features/ima/modsign.cfg create mode 100644 features/ima/modsign.scc create mode 100644 features/smack/smack.cfg create mode 100644 features/smack/smack.scc create mode 100644 features/yama/yama.cfg create mode 100644 features/yama/yama.scc -- 2.17.1 -- ___ linux-yocto mailing list linux-yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/linux-yocto
[yocto] [meta-security][v2][PATCH] kernel-modsign.bbclass: add support for kernel modules signing
From: Dmitry Eremin-Solenikov
Add bbclass responsible for handling signing of kernel modules.
Signed-off-by: Dmitry Eremin-Solenikov
fixup class to avoid including in every configure task
Signed-off-by: Armin Kuster
---
meta-integrity/classes/kernel-modsign.bbclass | 29 ++
meta-integrity/data/debug-keys/privkey_modsign.pem | 28 +
meta-integrity/data/debug-keys/x509_modsign.crt| 22
3 files changed, 79 insertions(+)
create mode 100644 meta-integrity/classes/kernel-modsign.bbclass
create mode 100644 meta-integrity/data/debug-keys/privkey_modsign.pem
create mode 100644 meta-integrity/data/debug-keys/x509_modsign.crt
diff --git a/meta-integrity/classes/kernel-modsign.bbclass b/meta-integrity/classes/kernel-modsign.bbclass
new file mode 100644
index 000..09025ba
--- /dev/null
+++ b/meta-integrity/classes/kernel-modsign.bbclass
@@ -0,0 +1,29 @@
+# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
+# set explicitly in a local.conf before activating kernel-modsign.
+# To use the insecure (because public) example keys, use
+# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
+
+# Private key for modules signing. The default is okay when
+# using the example key directory.
+MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
+
+# Public part of certificates used for modules signing.
+# The default is okay when using the example key directory.
+MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
+
+# If this class is enabled, disable stripping signatures from modules
+INHIBIT_PACKAGE_STRIP = "1"
+
+kernel_do_configure_prepend() {
+if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
+cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
+> "${B}/modsign_key.pem"
+else
+bberror "Either modsign key or certificate are invalid"
+fi
+}
+
+do_shared_workdir_append() {
+cp modsign_key.pem $kerneldir/
+}
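Review bot: `bberror` in `kernel_do_configure_prepend` only logs; the shell function carries on, so a build with `MODSIGN_KEY_DIR` left at `MODSIGN_KEY_DIR_NOT_SET` (or a mistyped path) proceeds to configure without `${B}/modsign_key.pem` and the failure surfaces much later, if at all — use `bbfatal "modsign key or certificate not found: ${MODSIGN_PRIVKEY} / ${MODSIGN_X509}"` so the missing key stops the task where it is detected. The concatenated file contains the private key, and `do_shared_workdir_append` copies it into `$kerneldir`, the kernel's shared work directory that every out-of-tree module recipe (and, presumably, kernel-devsrc) consumes, so a production key configured through `MODSIGN_PRIVKEY` lands in the sysroot and possibly in a package; that is needed to sign out-of-tree modules, but the class header should say so and the copy should at least be `chmod 600`. `INHIBIT_PACKAGE_STRIP = "1"` also disables stripping for the whole kernel recipe, not only the `.ko` files whose appended signature `strip` would discard; a comment stating that this is deliberate would stop someone from narrowing it later and silently breaking `CONFIG_MODULE_SIG_FORCE`.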
diff --git a/meta-integrity/data/debug-keys/privkey_modsign.pem b/meta-integrity/data/debug-keys/privkey_modsign.pem new file mode 100644 index 000..4cac00a --- /dev/null +++ b/meta-integrity/data/debug-keys/privkey_modsign.pem @@ -0,0 +1,28 @@ +-BEGIN PRIVATE KEY- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEWsJjB2pA5Ih6 +EelXvVjwWY1ix1azMciNRNPPQN1AMXF0K/VUkfOYbaPajg1cQYEf9gk3q7OZ5Axk +UY/e5piZORaPcsmj0lV0L+NSlRYydR5M/QxtEz26585FgqRGdAe6umStPmVKdqa2 +d68O4PgQgJJtVuz6ndm+0uNEUDCVLwhkGQSwNB3qBbZAUX9escZ/a8eUiBfMYKaO +k8JRyM+2br9dgpTFg4UfBYexgNSQo8g5TIBGc8KgQiKCuFj1fQEhV5z4RusHthjc +NYXa3RHmdclxyrGeYr5ZRc47HqE1gd5NDR0WeHn4C4YKcfK1rZZz/2+6hfsIRfGx +6cQKk23hAgMBAAECggEAJ0ULiWirPG04SkmYxF5vEiqm1zGMymvTc0VnoxSS60q4 +KQa9mvtRn5OV6JjuXRwQqga30zV4xvdP7yRMxMSTkllThL7tSuE/C+yj5xlABjlc +JQOa35mwh9fibg5xslF0Vkj+55MKCPlv4CBRl4Uwt4QvRMTUwk6dhMeCgmATR1J1 +2/7AipjtfFYreDx7sLbRVvSzUhmZS0iCbNOhtTWPLNW+9YKHTOffKa04HzNtnAXq +OjJ0IRZD/C6LfkBUsnHg2eEiA97QXh/Srsl9nc8DaUK1IXRywEdmYIoNMWMav2Hm +RO8kkU30BqKW+/EO2ZbH2GmkxvwWd0ocBnLC3FRWEQKBgQDu4T8CB3YsOcVjqem4 +iBlaSht/b46YQc7A1SOqZCimehmmXNSxQOkapIG3wlIr5edtXQA+xv09+WrproUB +SjAnqaH6pYeCvbNlY5k344gtYs+Kco2rq5GYa+LumAeX2Sam8F7u4LxvEogCecX7 +e4rnG3lt3AVuuRE7zpCQtaWcJQKBgQDSbUvea9pcYli9pssTl+ijQKkgG9DdaYbA +I5w5bY1TPYZ/Ocysljefv/ssaHFh4DPxE1MQ5JHwZgZRo1EICxxYzGsLjyR/fmjz +1c/NJlTtalCNtLvWaf7b02ag/abnP8neiSpLL5xqHvGo5ikWwgYQD+9HVKGvL3S1 +kI7x/ziADQKBgQCqFbkuMa/jh3LTJp0iZc1fa1qu3vhx0pFq3Zeab9w9xLxUps5O +MwCGltFBzNuDJBwm00wkZrzTjq6gGkHbjD5DT1XkyE13OqjsLQFgOOKyJiPN2Qik +TfHJzC91YMwvQ09xF78QaPXiRBiRYrEkAXACY56PKVS45I6vvcFTN/Ll/QKBgA9m +KDMyuVwhZlUaq6nXaBLqXHYZEwPhARd2g6xANCNvUTRmSnAm3hM2vW7WhdWfzq1J +uL53u6ZYEQZQaVGpXn2xF/RUmVsrKQsPDpH4yCZHrXVxUH20bA4yPkRxy5EIvgEn +EI1IAq5RbWXq0f70W/U49U3HB74GPwg6d/uFreDRAoGAN+v9gMQA6A1vM7LvbYR8 +5CwwyqS/CfI9zKPLn53QstguXC/ObafIYQzVRqGb9lCQgtlmmKw4jMY0B/lDzpcH +zS8rqoyvDj/m7i17NYkqXErJKLRQ0ptXKdLXHlG0u185e7Y5p4O3Z5dk8bACkpHi +hp764y+BtU4qIcVaPsPK4uU= +-END PRIVATE KEY- 
diff --git a/meta-integrity/data/debug-keys/x509_modsign.crt b/meta-integrity/data/debug-keys/x509_modsign.crt new file mode 100644 index 000..5fa2a90 --- /dev/null +++ b/meta-integrity/data/debug-keys/x509_modsign.crt @@ -0,0 +1,22 @@ +-BEGIN CERTIFICATE- +MIIDnjCCAoagAwIBAgIUUqmBj5Q8edHMMTXsoGVGEEKdwV4wDQYJKoZIhvcNAQEL +BQAwZzEqMCgGA1UEAxMhbWV0YS1zZWN1cml0eSBtb2R1bGVzIHNpZ25pbmcga2V5 +MRQwEgYDVQQKEwtleGFtcGxlLmNvbTEjMCEGCSqGSIb3DQEJARYUam9obi5kb2VA +ZXhhbXBsZS5jb20wIBcNMTkwNzI3MjIzOTA3WhgPMjExOTA3MjcyMjM5MTVaMGcx +KjAoBgNVBAMTIW1ldGEtc2VjdXJpdHkgbW9kdWxlcyBzaWduaW5nIGtleTEUMBIG +A1UEChMLZXhhbXBsZS5jb20xIzAhBgkqhkiG9w0BCQEWFGpvaG4uZG9lQGV4YW1w +bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFrCYwdqQOSI +ehHpV71Y8FmNYsdWszHIjUTTz0DdQDFxdCv1VJHzmG2j2o4NXEGBH/YJN6uzmeQM +ZFGP3uaYmTkWj3LJo9JVdC/jUpUWMnUeTP0MbRM9uufORYKkRnQHurpkrT5lSnam +tnevDuD4E
[yocto] [meta-security][PATCH 2/2] waf-cross-answers: remove files
Signed-off-by: Armin Kuster --- files/waf-cross-answers/README | 3 -- files/waf-cross-answers/cross-answers-aarch64.txt | 39 - .../waf-cross-answers/cross-answers-aarch64_be.txt | 39 - files/waf-cross-answers/cross-answers-arm.txt | 40 -- files/waf-cross-answers/cross-answers-armeb.txt| 40 -- files/waf-cross-answers/cross-answers-i586.txt | 40 -- files/waf-cross-answers/cross-answers-i686.txt | 40 -- files/waf-cross-answers/cross-answers-mips.txt | 40 -- files/waf-cross-answers/cross-answers-mips64.txt | 39 - files/waf-cross-answers/cross-answers-mips64el.txt | 39 - files/waf-cross-answers/cross-answers-mipsel.txt | 40 -- files/waf-cross-answers/cross-answers-powerpc.txt | 40 -- .../waf-cross-answers/cross-answers-powerpc64.txt | 40 -- files/waf-cross-answers/cross-answers-riscv64.txt | 39 - files/waf-cross-answers/cross-answers-x86_64.txt | 39 - 15 files changed, 557 deletions(-) delete mode 100644 files/waf-cross-answers/README delete mode 100644 files/waf-cross-answers/cross-answers-aarch64.txt delete mode 100644 files/waf-cross-answers/cross-answers-aarch64_be.txt delete mode 100644 files/waf-cross-answers/cross-answers-arm.txt delete mode 100644 files/waf-cross-answers/cross-answers-armeb.txt delete mode 100644 files/waf-cross-answers/cross-answers-i586.txt delete mode 100644 files/waf-cross-answers/cross-answers-i686.txt delete mode 100644 files/waf-cross-answers/cross-answers-mips.txt delete mode 100644 files/waf-cross-answers/cross-answers-mips64.txt delete mode 100644 files/waf-cross-answers/cross-answers-mips64el.txt delete mode 100644 files/waf-cross-answers/cross-answers-mipsel.txt delete mode 100644 files/waf-cross-answers/cross-answers-powerpc.txt delete mode 100644 files/waf-cross-answers/cross-answers-powerpc64.txt delete mode 100644 files/waf-cross-answers/cross-answers-riscv64.txt delete mode 100644 files/waf-cross-answers/cross-answers-x86_64.txt 
diff --git a/files/waf-cross-answers/README b/files/waf-cross-answers/README deleted file mode 100644 index dda45c5..000 --- a/files/waf-cross-answers/README +++ /dev/null @@ -1,3 +0,0 @@ -The files in this directory are cross answers files -used by waf-samba.bbclass, please see waf-samba.bbclass -for details about how they are used. diff --git a/files/waf-cross-answers/cross-answers-aarch64.txt b/files/waf-cross-answers/cross-answers-aarch64.txt deleted file mode 100644 index 1023f6a..000 --- a/files/waf-cross-answers/cross-answers-aarch64.txt +++ /dev/null 
@@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/files/waf-cross-answers/cross-answers-aarch64_be.txt b/files/waf-cross-answers/cross-answers-aarch64_be.txt deleted file mode 100644 index 1023f6a..000 --- a/files/waf-cross-answers/cross-answers-aarch64_be.txt +++ /dev/null 
@@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
[yocto] [meta-security][PATCH 1/2] libldb: remove recipe
Signed-off-by: Armin Kuster --- .../libldb/avoid-openldap-unless-wanted.patch | 13 -- ...-import-target-module-while-cross-compile.patch | 58 --- recipes-support/libldb/libldb/options-1.3.1.patch | 193 - recipes-support/libldb/libldb_1.3.1.bb | 64 --- 4 files changed, 328 deletions(-) delete mode 100644 recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch delete mode 100755 recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch delete mode 100644 recipes-support/libldb/libldb/options-1.3.1.patch delete mode 100644 recipes-support/libldb/libldb_1.3.1.bb diff --git a/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch b/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch deleted file mode 100644 index 8ab094f..000 --- a/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch +++ /dev/null @@ -1,13 +0,0 @@ a/wscript 2015-11-18 12:43:33.0 +0100 -+++ b/wscript 2015-11-18 12:46:25.0 +0100 -@@ -58,9 +58,7 @@ - if conf.env.standalone_ldb: - conf.CHECK_XSLTPROC_MANPAGES() - --# we need this for the ldap backend --if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'): --conf.env.ENABLE_LDAP_BACKEND = True -+conf.env.ENABLE_LDAP_BACKEND = False - - # we don't want any libraries or modules to rely on runtime - # resolution of symbols diff --git a/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch b/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch deleted file mode 100755 index fdd312c..000 --- a/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -Some modules such as dynamic library maybe cann't be imported while cross compile, -we just check whether does the module exist. - -Signed-off-by: Bian Naimeng - -Index: ldb-1.1.26/buildtools/wafsamba/samba_bundled.py -=== ldb-1.1.26.orig/buildtools/wafsamba/samba_bundled.py -+++ ldb-1.1.26/buildtools/wafsamba/samba_bundled.py -@@ -2,6 +2,7 @@ - - import sys - import Build, Options, Logs -+import imp, os - from Configure import conf - from samba_utils import TO_LIST - -@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li - # versions - minversion = minimum_library_version(conf, libname, minversion) - --try: --m = __import__(modulename) --except ImportError: --found = False --else: -+# Find module in PYTHONPATH -+stuff = imp.find_module(modulename, [os.environ["PYTHONPATH"]]) -+if stuff: - try: --version = m.__version__ --except AttributeError: -+m = imp.load_module(modulename, stuff[0], stuff[1], stuff[2]) -+except ImportError: - found = False -+ -+if conf.env.CROSS_COMPILE: -+# Some modules such as dynamic library maybe cann't be imported -+# while cross compile, we just check whether the module exist -+Logs.warn('Cross module[%s] has been found, but can not be loaded.' % (stuff[1])) -+found = True - else: --found = tuplize_version(version) >= tuplize_version(minversion) -+try: -+version = m.__version__ -+except AttributeError: -+found = False -+else: -+found = tuplize_version(version) >= tuplize_version(minversion) -+finally: -+if stuff[0]: -+stuff[0].close() -+else: -+found = False -+ - if not found and not conf.LIB_MAY_BE_BUNDLED(libname): - Logs.error('ERROR: Python module %s of version %s not found, and bundling disabled' % (libname, minversion)) - sys.exit(1) diff --git a/recipes-support/libldb/libldb/options-1.3.1.patch b/recipes-support/libldb/libldb/options-1.3.1.patch deleted file mode 100644 index ffe253b..000 --- a/recipes-support/libldb/libldb/options-1.3.1.patch +++ /dev/null 
@@ -1,193 +0,0 @@ -From a4da3ab4d76013aaa731d43d52ccca1ebd37c395 Mon Sep 17 00:00:00 2001 -From: Jackie Huang -Date: Wed, 21 Sep 2016 10:06:39 +0800 -Subject: [PATCH 1/1] ldb: Add configure options for packages - -Add configure options for the following packages: - - acl - - attr - - libaio - - libbsd - - libcap - - valgrind - -Upstream-Status: Inappropriate [oe deterministic build specific] - -Signed-off-by: Jackie Huang - lib/replace/system/wscript_configure | 6 ++- - lib/replace/wscript | 94 +++- - wscript | 7 +++ - 3 files changed, 83 insertions(+), 24 deletions(-) - -diff --git a/lib/replace/system/wscript_configure b/li
[yocto] [meta-security][PATCH] keyutils: remove from meta-security
now in meta-oe Signed-off-by: Armin Kuster --- .../files/fix_library_install_path.patch | 28 -- ...ror-report-by-adding-default-message.patch | 42 --- .../keyutils-test-fix-output-format.patch | 41 -- recipes-security/keyutils/files/run-ptest | 3 -- recipes-security/keyutils/keyutils_1.6.bb | 53 --- 5 files changed, 167 deletions(-) delete mode 100644 recipes-security/keyutils/files/fix_library_install_path.patch delete mode 100644 recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch delete mode 100644 recipes-security/keyutils/files/keyutils-test-fix-output-format.patch delete mode 100755 recipes-security/keyutils/files/run-ptest delete mode 100644 recipes-security/keyutils/keyutils_1.6.bb diff --git a/recipes-security/keyutils/files/fix_library_install_path.patch b/recipes-security/keyutils/files/fix_library_install_path.patch deleted file mode 100644 index 938fe2e..000 --- a/recipes-security/keyutils/files/fix_library_install_path.patch +++ /dev/null @@ -1,28 +0,0 @@ -From b0355cc205543ffd33752874295139d57c4fbc3e Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Tue, 26 Sep 2017 07:59:51 + -Subject: [PATCH] Subject: [PATCH] keyutils: use relative path for link - -The absolute path of the symlink will be invalid -when populated in sysroot, so use relative path instead. - -Upstream-Status: Pending - -Signed-off-by: Jackie Huang -Signed-off-by: Wenzong Fan -{rebased for 1.6] -Signed-off-by: Armin Kuster - -Index: keyutils-1.6/Makefile -=== keyutils-1.6.orig/Makefile -+++ keyutils-1.6/Makefile -@@ -184,7 +184,7 @@ ifeq ($(NO_SOLIB),0) - $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME) - $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME) - mkdir -p $(DESTDIR)$(USRLIBDIR) -- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) -+ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) - sed \ - -e 's,@VERSION\@,$(VERSION),g' \ - -e 's,@prefix\@,$(PREFIX),g' \ 
diff --git a/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch b/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch deleted file mode 100644 index acd91c0..000 --- a/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch +++ /dev/null @@ -1,42 +0,0 @@ -fix keyutils test error report - -Upstream-Status: Pending - -"Permission denied" may be the reason of EKEYEXPIRED and EKEYREVOKED. -"Required key not available" may be the reason of EKEYREVOKED. -EXPIRED and REVOKED are 2 status of kernel security keys features. -But the userspace keyutils lib will output the error message, which may -have several reasons. - -Signed-off-by: Han Chao - -diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh -index bbca00a..739e9d0 100644 a/tests/toolbox.inc.sh -+++ b/tests/toolbox.inc.sh -@@ -227,11 +227,12 @@ function expect_error () - ;; - EKEYEXPIRED) - my_err="Key has expired" -- alt_err="Unknown error 127" -+ alt_err="Permission denied" - ;; - EKEYREVOKED) - my_err="Key has been revoked" -- alt_err="Unknown error 128" -+ alt_err="Permission denied" -+ alt2_err="Required key not available" - ;; - EKEYREJECTED) - my_err="Key has been rejected" -@@ -249,6 +250,9 @@ function expect_error () - elif [ "x$alt_err" != "x" ] && expr "$my_errmsg" : ".*: $alt_err" >&/dev/null - then - : -+elif [ "x$alt2_err" != "x" ] && expr "$my_errmsg" : ".*: $alt2_err" >&/dev/null -+then -+ : - elif [ "x$old_err" != "x" ] && expr "$my_errmsg" : ".*: $old_err" >&/dev/null - then - : - diff --git a/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch b/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch deleted file mode 100644 index a4ffd50..000 --- a/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 49b6321368e4bd3cd233d045cd09004ddd7968b2 Mon Sep 17 00:00:00 2001 -From: Jackie Huang -Date: Mon, 15 May 2017 14:52:00 +0800 -Subject: [PATCH] keyutils: fix output format - -keyutils ptest output format is incorrect, according to yocto -Development Manual -(http://www.yoctoproject.org/docs/latest/dev-manual/dev-manual.html#testing-packages-with-ptest) -5.10.6. Testing Packages With ptestThe test generates output in the format used by Automake: -: -where the result can be PASS, FAIL, or
[yocto] [patchwork][PATCH] filters: Escape State names when generating selector HTML
From: Andrew Donnellan States with names containing special characters are not correctly escaped when generating the select list. Use escape() to fix this. Signed-off-by: Andrew Donnellan (cherry picked from commit b3fa0c402e060622a5ed539a465d2fa98b1d2e13) Signed-off-by: Daniel Axtens [Fixup for 1.16 context, CVE-2019-13122 ] Signed-off-by: Armin Kuster --- patchwork/filters.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patchwork/filters.py b/patchwork/filters.py index 87c904f..b734207 100644 --- a/patchwork/filters.py +++ b/patchwork/filters.py @@ -212,7 +212,7 @@ class StateFilter(Filter): selected = ' selected="true"' str += '%s' % ( -state.id, selected, state.name) +state.id, selected, escape(state.name)) str += '' return mark_safe(str) -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
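Review bot: Only `state.name` is escaped in the added line; `state.id` and `selected` are still interpolated raw into the same markup, which is acceptable only because `state.id` is presumably an integer primary key and `selected` is a fixed literal — worth a one-line comment so the next edit does not add another raw field. Since the cover letter describes this backport as untested, add a regression test that renders StateFilter with a State named something like `<script>&"` and asserts the `&lt;script&gt;&amp;&quot;` form appears in the selector and the raw form does not. Also confirm `escape` is imported from `django.utils.html` in this module; the series says it is already used in the file, but the import is not visible in the hunk. The enclosing method starts outside the hunk.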
[yocto] [patchwork][PATCH] security fix CVE-2019-13122
This is an untested backport of a patch from the stable/2.0 patchwork branch to the OE version. The function it uses (escape()) is already in use in the same file, so I have high confidence it won't introduce any new issues. Andrew Donnellan (1): filters: Escape State names when generating selector HTML patchwork/filters.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security-compliance][PATCH 3/4] scap-security-guide: update to 0.1.44
Create a PV-versioned recipe to track the upstream release; the git recipe continues to carry the OE changes. Signed-off-by: Armin Kuster --- .../scap-security-guide.inc | 47 ++ .../scap-security-guide_0.1.44.bb | 8 +++ .../scap-security-guide_git.bb| 63 +++ 3 files changed, 63 insertions(+), 55 deletions(-) create mode 100644 meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc create mode 100644 meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc new file mode 100644 index 000..ed70c18 --- /dev/null +++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc 
@@ -0,0 +1,47 @@ +# Copyright (C) 2017 Armin Kuster +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "SCAP content for various platforms" +HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/; +LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a" +LICENSE = "LGPL-2.1" + +DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native" + +S = "${WORKDIR}/git" + +inherit cmake pkgconfig python3native + +#PARALLEL_MAKE = "" + +STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" + +OECMAKE_GENERATOR = "Unix Makefiles" + +EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF" + +do_configure_prepend () { + sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt +sed -i 's:/usr/share/openscap/:${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/:g' ${S}/cmake/SSGCommon.cmake +} + +do_compile () { + cd ${S}/build + cmake ../ + # oddly rhel7 needs to build first + make rhel7 +} + +do_install () { + cd ${S}/build + make DESTDIR=${D} install +} + +localdatadir = "${prefix}/local/share" +localmandir = "${localdatadir}/man" +localdocdir = "${localdatadir}/doc" +localxmldir = "${localdatadir}/xml" + +FILES_${PN} += "${localdatadir} ${localxmldir}" +FILES_${PN}-doc += "${localmandir} ${localdocdir}" +RDEPNEDS_${PN} = "openscap" diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb new file mode 100644 index 000..d80ecd7 --- /dev/null +++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb @@ -0,0 +1,8 @@ +SUMARRY = "SCAP content for various platforms, upstream version" + +SRCREV = "8cb2d0f351faff5440742258782281164953b0a6" +SRC_URI = "git://github.com/ComplianceAsCode/content.git" + +DEFAULT_PREFERENCE = "-1" + +require scap-security-guide.inc 
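Review bot: `RDEPNEDS_${PN} = "openscap"` on the last line of the new .inc is a typo, so the runtime dependency on openscap is silently dropped — bitbake does not warn about assignments to unknown variable names — and images get SCAP content with no scanner to consume it; it should read `RDEPENDS_${PN} = "openscap"`. `SUMARRY` (→ `SUMMARY`) and `HOME_URL` (→ `HOMEPAGE`) are the same class of typo and are likewise ignored by the metadata. Separately, `do_compile` runs `cmake ../` by hand inside `${S}/build`, which as far as the hunk shows bypasses the generator, toolchain file and `EXTRA_OECMAKE` that the inherited cmake class set up in do_configure; if the hand-run exists only to build the rhel7 target first, `oe_runmake -C ${B} rhel7` keeps the configured state and honours `PARALLEL_MAKE`.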
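Review bot: `SRC_URI = "git://github.com/ComplianceAsCode/content.git"` fetches over the unauthenticated git:// transport and names no branch. SRCREV pins the exact commit, so a tampered mirror would fail the checkout rather than build silently, but `;protocol=https` avoids the cleartext transport and an explicit `;branch=` (whichever branch carries the pinned 0.1.44 commit) keeps the fetch working if upstream's default branch moves; e.g. `SRC_URI = "git://github.com/ComplianceAsCode/content.git;protocol=https;branch=master"`. The `SUMARRY` typo from the .inc is repeated here and should be `SUMMARY`.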
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb index 3f76038..cb21fed 100644 --- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb +++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb @@ -1,60 +1,13 @@ -# Copyright (C) 2017 Armin Kuster -# Released under the MIT license (see COPYING.MIT for the terms) +SUMARRY = "SCAP content for various platforms, OE changes" -SUMARRY = "SCAP content for various platforms" -HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/; -LIC_FILES_CHKSUM = "file://LICENSE;md5=236e81befc8154d18c93c848185d7e52" -LICENSE = "LGPL-2.1" +SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed" +SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;" +PV = "v0.1.44+git${SRCPV}" -DEPENDS = "openscap-native" +require scap-security-guide.inc -SRCREV = "423d9f40021a03abd018bef7818a3a9fe91a083c" -SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe;" -PV = "v0.1.33+git${SRCPV}" - -inherit cmake - -PARALLEL_MAKE = "" - -S = "${WORKDIR}/git" - -STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" - -OECMAKE_GENERATOR = "Unix Makefiles" - -EXTRA_OECMAKE += "-DSSG_PRODUCT_CHROMIUM:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_DEBIAN8:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_FEDORA:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_FIREFOX:BOOL=OFF" -EXTRA_OECMAKE +=
[yocto] [meta-security-compliance][PATCH 4/4] meta-security-compliance: add meta-python
With some of the recipe updates, more Python support is needed. Signed-off-by: Armin Kuster --- meta-security-compliance/conf/layer.conf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/meta-security-compliance/conf/layer.conf b/meta-security-compliance/conf/layer.conf index b245a16..9ccadab 100644 --- a/meta-security-compliance/conf/layer.conf +++ b/meta-security-compliance/conf/layer.conf @@ -10,6 +10,4 @@ BBFILE_PRIORITY_scanners-layer = "10" LAYERSERIES_COMPAT_scanners-layer = "warrior" -LAYERDEPENDS_scanners-layer = " \ -core \ -" +LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security-compliance][PATCH 1/4] openscap_git: update to 1.3.0
Removed the now-unneeded patch, converted the build over to cmake and refactored the recipe files. Signed-off-by: Armin Kuster --- .../openscap/files/crypto_pkgconfig.patch | 36 .../recipes-openscap/openscap/openscap.inc| 75 + .../recipes-openscap/openscap/openscap_git.bb | 83 +-- 3 files changed, 78 insertions(+), 116 deletions(-) delete mode 100644 meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch diff --git a/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch b/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch deleted file mode 100644 index 2d70855..000 --- a/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -Index: git/configure.ac -=== git.orig/configure.ac -+++ git/configure.ac -@@ -360,25 +360,13 @@ case "${with_crypto}" in - AC_DEFINE([HAVE_NSS3], [1], [Define to 1 if you have 'NSS' library.]) - ;; - gcrypt) -- SAVE_LIBS=$LIBS --AC_CHECK_LIB([gcrypt], [gcry_check_version], -- [crapi_CFLAGS=`libgcrypt-config --cflags`; -- crapi_LIBS=`libgcrypt-config --libs`; -- crapi_libname="GCrypt";], -- [AC_MSG_ERROR([library 'gcrypt' is required for GCrypt.])], -- []) --AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'gcrypt' library.]) -- AC_CACHE_CHECK([for GCRYCTL_SET_ENFORCED_FIPS_FLAG], --[ac_cv_gcryctl_set_enforced_fips_flag], --[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include], --[return GCRYCTL_SET_ENFORCED_FIPS_FLAG;])], -- [ac_cv_gcryctl_set_enforced_fips_flag=yes], -- [ac_cv_gcryctl_set_enforced_fips_flag=no])]) -+ PKG_CHECK_MODULES([libgcrypt], [libgcrypt >= 1.7.9],[], -+AC_MSG_FAILURE([libgcrypt devel support is missing])) - -- if test "${ac_cv_gcryctl_set_enforced_fips_flag}" == "yes"; then -- AC_DEFINE([HAVE_GCRYCTL_SET_ENFORCED_FIPS_FLAG], [1], [Define to 1 if you have 'gcrypt' library with GCRYCTL_SET_ENFORCED_FIPS_FLAG.]) -- fi -- LIBS=$SAVE_LIBS -+ crapi_libname="libgcrypt" -+ crapi_CFLAGS=$libgcrypt_CFLAGS -+ crapi_LIBS=$libgcrypt_LIBS -+AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'libgcrypt' library.]) - ;; - *) - AC_MSG_ERROR([unknown crypto backend]) diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc index e9589b6..4c1f206 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
@@ -1,2 +1,77 @@ +# Copyright (C) 2017 Armin Kuster +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "NIST Certified SCAP 1.2 toolkit" +HOME_URL = "https://www.open-scap.org/tools/openscap-base/; +LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" +LICENSE = "LGPL-2.1" + +DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig libgcrypt chrpath-replacement-native " + +DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native" + +inherit cmake pkgconfig python3native perlnative ptest + +S = "${WORKDIR}/git" + +PACKAGECONFIG ?= "python3 rpm perl" +PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=True, , python3, python3" +PACKAGECONFIG[perl] = "-DENABLE_PERL=True,, perl, perl" +PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=True, ,rpm, rpm" + +EXTRA_OECONF += "-DENABLE_PROBES_INDEPENDENT=yes -DENABLE_PROBES_LINUX=yes -DWITH_CRYPTO=gcrypt\ + -DENABLE_PROBES_SOLARIS=yes -DENABLE_PROBES_UNIX=yes -DENABLE_TESTS=no \ + -DENABLE_OSCAP_UTIL_SSH=yes -DENABLE_OSCAP_UTIL=yes -DENABLE_SCE=yes \ +-DENABLE_OSCAP_UTIL_DOCKER=no \ +" + +EXTRA_OECONF_class-native += "-DENABLE_PROBES=True" + STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source" STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" + +EXTRANATIVEPATH += "chrpath-native" + +do_configure_append_class-native () { + sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h + sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$
[yocto] [meta-security-compliance][PATCH 2/4] openscap: add 1.3.1 recipes for upstream source
Signed-off-by: Armin Kuster --- .../recipes-openscap/openscap/openscap.inc| 11 +-- .../recipes-openscap/openscap/openscap_1.3.1.bb | 10 ++ .../recipes-openscap/openscap/openscap_git.bb | 4 ++-- 3 files changed, 17 insertions(+), 8 deletions(-) create mode 100644 meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc index 4c1f206..e5daaf8 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc @@ -10,10 +10,10 @@ DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 l DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native" -inherit cmake pkgconfig python3native perlnative ptest - S = "${WORKDIR}/git" +inherit cmake pkgconfig python3native perlnative ptest + PACKAGECONFIG ?= "python3 rpm perl" PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=True, , python3, python3" PACKAGECONFIG[perl] = "-DENABLE_PERL=True,, perl, perl" @@ -25,7 +25,6 @@ EXTRA_OECONF += "-DENABLE_PROBES_INDEPENDENT=yes -DENABLE_PROBES_LINUX=yes -DWIT -DENABLE_OSCAP_UTIL_DOCKER=no \ " -EXTRA_OECONF_class-native += "-DENABLE_PROBES=True" STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source" STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" 
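Review bot: The cmake options in this hunk's context are passed through `EXTRA_OECONF`, but the recipe inherits `cmake`, whose do_configure reads `EXTRA_OECMAKE`; as far as the visible lines show, `-DWITH_CRYPTO=gcrypt`, `-DENABLE_TESTS=no`, `-DENABLE_SCE=yes` and the probe selections never reach cmake, so the build runs with upstream defaults (the removed `EXTRA_OECONF_class-native` line had the same problem, and the issue predates this commit). Rename the variable: `EXTRA_OECMAKE += "-DENABLE_PROBES_INDEPENDENT=yes -DENABLE_PROBES_LINUX=yes -DWITH_CRYPTO=gcrypt \`. Only keep `EXTRA_OECONF` if something outside the hunk actually consumes it — confirm before changing.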
@@ -33,9 +32,9 @@ STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" EXTRANATIVEPATH += "chrpath-native" do_configure_append_class-native () { - sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h - sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h - sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h + sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h + sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h + sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h } do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb b/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb new file mode 100644 index 000..c29fd42 --- /dev/null +++ b/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb @@ -0,0 +1,10 @@ +SUMARRY = "NIST Certified SCAP 1.2 toolkit" + +require openscap.inc + +SRCREV = "3a4c635691380fa990a226acc8558db35d7ebabc" +SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \ + file://run-ptest \ +" + +DEFAULT_PREFERENCE = "-1" diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb index 3dfa99e..aded920 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb +++ b/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb 
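Review bot: `SUMARRY = "NIST Certified SCAP 1.2 toolkit"` on the first line of the new openscap_1.3.1.bb is a typo for `SUMMARY`, so the recipe (and the .inc it requires, which repeats the typo) publishes no summary; bitbake does not flag unknown variables. `DEFAULT_PREFERENCE = "-1"` keeps the OE-patched git recipe as the default provider, which is presumably the intent; a one-line comment would spare the next reader the guess: `# Upstream release; the OE-patched openscap_git recipe stays preferred unless this version is pinned.`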
@@ -3,9 +3,9 @@ SUMARRY = "NIST Certified SCAP 1.2 toolkit with OE changes" +include openscap.inc + SRCREV = "4bbdb46ff651f809d5b38ca08d769790c4bfff90" SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3 \ file://run-ptest \ " - -include openscap.inc -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
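Review bot: `include openscap.inc` silently continues if the file cannot be found, whereas `require` fails the parse; the openscap_1.3.1.bb added in this same series uses `require openscap.inc`, so use it here too (`require openscap.inc`) so a mis-named or missing .inc cannot yield a recipe with no DEPENDS, no inherit and no PACKAGECONFIG. Moving the line above `SRCREV`/`SRC_URI` is fine as far as patch 1/4 shows, since the .inc does not set either. `SUMARRY` in the hunk header context is a typo for `SUMMARY`.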
[yocto] [meta-security-compliance][PATCH 2/2] meta-security-compliance: update README
Signed-off-by: Armin Kuster --- meta-security-compliance/README | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-security-compliance/README b/meta-security-compliance/README index b29c143..320f856 100644 --- a/meta-security-compliance/README +++ b/meta-security-compliance/README @@ -28,9 +28,9 @@ Maintenance Send pull requests, patches, comments or questions to yocto@yoctoproject.org When sending single patches, please using something like: -'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' +'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][PATCH' -Layer Maintainer: Armin Kuster +Layer Maintainer: Armin Kuster License -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security-compliance][PATCH 1/2] lynis: update to 2.7.5
Signed-off-by: Armin Kuster --- .../recipes-auditors/lynis/{lynis_2.7.2.bb => lynis_2.7.5.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-security-compliance/recipes-auditors/lynis/{lynis_2.7.2.bb => lynis_2.7.5.bb} (89%) diff --git a/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb b/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb similarity index 89% rename from meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb rename to meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb index 3ba82f9..21e4517 100644 --- a/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb +++ b/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb @@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz; -SRC_URI[md5sum] = "3422cee3b12fc8fcde003d65e234" -SRC_URI[sha256sum] = "fde6ccf8d6ec0ae1e9c9f4a6d640cddcde4bf7a92f8437d47d16a5477e21bfda" +SRC_URI[md5sum] = "fb527b6976e70a6bcd57036c9cddc242" +SRC_URI[sha256sum] = "3d27ade73a5c1248925ad9c060024940ce5d2029f40aaa901f43314888fe324d" S = "${WORKDIR}/${BPN}" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 2/2] clamav: minor recipe cleanup
Signed-off-by: Armin Kuster --- recipes-security/clamav/clamav_0.99.4.bb | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/recipes-security/clamav/clamav_0.99.4.bb b/recipes-security/clamav/clamav_0.99.4.bb index 7d8767e..7f04337 100644 --- a/recipes-security/clamav/clamav_0.99.4.bb +++ b/recipes-security/clamav/clamav_0.99.4.bb @@ -66,14 +66,12 @@ EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}" EXTRA_OECONF_class-target += "--with-user=${UID} --with-group=${GID} --disable-rpath ${EXTRA_OECONF_CLAMAV}" do_configure () { -cd ${S} -./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} +${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} install -d ${S}/clamav_db } do_configure_class-native () { -cd ${S} -./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} +${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} } -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
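Review bot: Dropping `cd ${S}` means configure now runs from the task's working directory, `${B}`; OE-core's default is `B = "${S}"`, so behaviour is unchanged unless this recipe or an inherited class (autotools sets `B = "${WORKDIR}/build"`) overrides it, in which case the generated Makefiles land in `${B}` while the rest of the recipe — outside the hunk, and still writing `install -d ${S}/clamav_db` here — appears to assume an in-tree build. Confirm which it is and, if the out-of-tree form is intended, make do_compile/do_install run in `${B}` too. The two functions now differ by a single line; a comment on the native variant saying why the `clamav_db` directory is target-only would help: `# clamav_db is populated on target by freshclam; not needed for the native build`.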
[yocto] [meta-security][PATCH 1/2] libmspack: update SRC_URI and package
Signed-off-by: Armin Kuster --- .../{libmspack_0.10.1.bb => libmspack_1.9.1.bb}| 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) rename recipes-security/libmspack/{libmspack_0.10.1.bb => libmspack_1.9.1.bb} (53%) diff --git a/recipes-security/libmspack/libmspack_0.10.1.bb b/recipes-security/libmspack/libmspack_1.9.1.bb similarity index 53% rename from recipes-security/libmspack/libmspack_0.10.1.bb rename to recipes-security/libmspack/libmspack_1.9.1.bb index b46159f..8c288be 100644 --- a/recipes-security/libmspack/libmspack_0.10.1.bb +++ b/recipes-security/libmspack/libmspack_1.9.1.bb @@ -6,11 +6,11 @@ DEPENDS = "" LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd" -SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.xz" - -SRC_URI[md5sum] = "d894d91eba4d2c6f76695fc9566d5387" -SRC_URI[sha256sum] = "850c57442b850bf1bc0fc4ea8880903ebf2bed063c3c80782ee4626fbcb0e67d" +SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc" +SRC_URI = "git://github.com/kyz/libmspack.git" inherit autotools -S = "${WORKDIR}/${BP}alpha" +S = "${WORKDIR}/git/${BPN}" + +inherit autotools -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
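Review bot: `inherit autotools` now appears twice — the existing line and the added one at the end of the file — so drop the added one. The fetch moves from a checksummed release tarball to `git://github.com/kyz/libmspack.git` with no `protocol=` or `branch=`: SRCREV still pins the exact tree, so integrity is preserved, but the transport is cleartext git and the default-branch assumption breaks if upstream renames it; prefer `SRC_URI = "git://github.com/kyz/libmspack.git;protocol=https;branch=master"` (or whichever branch contains the pinned commit). With a git snapshot the recipe version `1.9.1` also no longer corresponds to a published tarball, so check that PV is still something cve-check can match — libmspack is a CAB/CHM parser that clamav feeds untrusted input, so it is a recipe worth keeping CVE-trackable.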
[yocto] [meta-security][meta-tpm][PATCH 8/9] tpm2-totp: update to offical release v0.1.1
Clean up recipe to match actual app Signed-off-by: Armin Kuster --- .../recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb | 18 ++ .../recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb | 17 - 2 files changed, 18 insertions(+), 17 deletions(-) create mode 100644 meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb delete mode 100644 meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb diff --git a/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb b/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb new file mode 100644 index 000..d47b756 --- /dev/null +++ b/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb @@ -0,0 +1,18 @@ +SUMMARY = "Attest the trustworthiness of a device against a human using time-based one-time passwords" + +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1" + +SECTION = "security/tpm" + +DEPENDS = "autoconf-archive libtss2-dev qrencode" + +PE = "1" + +SRCREV = "2807a509a9da383e14dc0f759e71fd676db04ab1" +SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.1.x \ + file://litpm2_totp_build_fix.patch " + +inherit autotools-brokensep pkgconfig + +S = "${WORKDIR}/git" diff --git a/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb deleted file mode 100644 index bc94ab7..000 --- a/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb +++ /dev/null 
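Review bot: The new recipe declares `LICENSE = "BSD-3-Clause"` while keeping `LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1"`, the same checksum the deleted 0.9.9 recipe paired with `LICENSE = "BSD-2-Clause"`; identical license text cannot be both, so one of the two labels is wrong — check the LICENSE file at the pinned SRCREV and set the matching SPDX identifier. `PE = "1"` is correct since 0.1.1 sorts below the previous 0.9.9 and would otherwise never upgrade. `DEPENDS = "autoconf-archive libtss2-dev qrencode"` uses the target autoconf-archive while the sibling tpm2-tss recipe uses `autoconf-archive-native`; the m4 macros are consumed at host build time, so the -native form is presumably what is wanted — confirm.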
@@ -1,17 +0,0 @@ -SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL." -DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures." - -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1" - -SECTION = "security/tpm" - -DEPENDS = "autoconf-archive libtss2-dev qrencode" - -SRCREV = "44fcb6819f79302d5a088b3def648616e3551d4a" -SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git \ - file://litpm2_totp_build_fix.patch " - -inherit autotools-brokensep pkgconfig - -S = "${WORKDIR}/git" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][meta-tpm][PATCH 7/9] tpm2-tss: update to 2.2.3
Signed-off-by: Armin Kuster --- .../tpm2-tss/{tpm2-tss_2.2.1.bb => tpm2-tss_2.2.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm2/tpm2-tss/{tpm2-tss_2.2.1.bb => tpm2-tss_2.2.3.bb} (97%) diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb similarity index 97% rename from meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb rename to meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb index 78bdeeb..cf93159 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb @@ -6,7 +6,7 @@ SECTION = "tpm" DEPENDS = "autoconf-archive-native libgcrypt openssl" -SRCREV = "eb69e13559f20a0b49002a685c6f4a39be9503e2" +SRCREV = "36b1539c82bf675265d6f6a6cd808a189b6971f4" SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][meta-tpm][PATCH 6/9] tpm2-tools: update to 3.2.0
Signed-off-by: Armin Kuster --- .../tpm2-tools/{tpm2-tools_3.1.3.bb => tpm2-tools_3.2.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm2/tpm2-tools/{tpm2-tools_3.1.3.bb => tpm2-tools_3.2.0.bb} (86%) diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.2.0.bb similarity index 86% rename from meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb rename to meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.2.0.bb index 1f1f5c6..b6f1be0 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.2.0.bb @@ -6,7 +6,7 @@ SECTION = "tpm" DEPENDS = "pkgconfig tpm2-tss openssl curl autoconf-archive" -SRCREV = "74ba065e5914bc5d713ca3709d62a5751b097369" +SRCREV = "a17daa948fc67685651bf3b7a589ed341080ddd3" SRC_URI = "git://github.com/tpm2-software/tpm2-tools.git;branch=3.X" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][meta-tpm][PATCH 3/9] tpm image: split out tpm2
Signed-off-by: Armin Kuster --- meta-tpm/recipes-core/images/security-tpm-image.bb | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/meta-tpm/recipes-core/images/security-tpm-image.bb b/meta-tpm/recipes-core/images/security-tpm-image.bb index a337076..dbdd309 100644 --- a/meta-tpm/recipes-core/images/security-tpm-image.bb +++ b/meta-tpm/recipes-core/images/security-tpm-image.bb @@ -1,14 +1,13 @@ -DESCRIPTION = "A small image for building meta-security packages" +DESCRIPTION = "A small image for building a tpm image for testing" IMAGE_FEATURES += "ssh-server-openssh" IMAGE_INSTALL = "\ packagegroup-base \ packagegroup-core-boot \ -${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'packagegroup-security-tpm', '', d)} \ -${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \ +packagegroup-security-tpm \ os-release \ -${CORE_IMAGE_EXTRA_INSTALL}" +" IMAGE_LINGUAS ?= " " -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
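Review bot: `IMAGE_INSTALL` is a hard `=` assignment and the new value drops `${CORE_IMAGE_EXTRA_INSTALL}`, so after this change `CORE_IMAGE_EXTRA_INSTALL` set in local.conf no longer adds anything to security-tpm-image (core-image.bbclass only folds it into its default `IMAGE_INSTALL`, which this assignment replaces). If that is intentional say so in a comment; otherwise keep the line `${CORE_IMAGE_EXTRA_INSTALL}"` at the end of the list. The `MACHINE_FEATURES` gate is also gone, so the image now unconditionally pulls packagegroup-security-tpm on machines without a TPM; for a test image that is presumably acceptable, but the DESCRIPTION could state that the image assumes a TPM 1.2 device or emulator is present.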
[yocto] [meta-security][meta-tpm][PATCH 9/9] tpm2-tss-engine: update to 1.0.0
Signed-off-by: Armin Kuster --- .../{tpm2-tss-engine_0.9.9.bb => tpm2-tss-engine_1.0.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm2/tpm2-tss-engine/{tpm2-tss-engine_0.9.9.bb => tpm2-tss-engine_1.0.0.bb} (95%) diff --git a/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.0.bb similarity index 95% rename from meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb rename to meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.0.bb index 36530be..0a8d54f 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.0.bb @@ -8,7 +8,7 @@ SECTION = "security/tpm" DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl" -SRCREV = "bef89ec79cbb4c99963b0e336d9184827c545782" +SRCREV = "a81d44a8610e28e5987af64f8aae16e4a2d09eaa" SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git" inherit autotools-brokensep pkgconfig systemd -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][meta-tpm][PATCH 4/9] tpm2-pkcs11/tpm2-pkcs11: update to tip
license-check-sum: Add SPDX format Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb index 9031e63..222bb6d 100644 --- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb @@ -2,7 +2,7 @@ SUMMARY = "A PKCS#11 interface for TPM2 hardware" DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token." SECTION = "security/tpm" LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=b748af41ef1300c98e105b3b7ec4ecc1" +LIC_FILES_CHKSUM = "file://LICENSE;md5=93645981214b60a02688745c14f93c95" DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools" @@ -10,7 +10,7 @@ SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git \ file://bootstrap_fixup.patch \ " -SRCREV = "3107d89b406ecd9c007884613733c9a344ef6d39" +SRCREV = "9eed9df823a960da481327468a73d477241befdb" S = "${WORKDIR}/git" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][meta-tpm][PATCH 5/9] tpm2-tcti-uefi: update to tip
Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 815691d..43854c4 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -7,7 +7,7 @@ DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig" SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ file://configure_oe_fixup.patch \ " -SRCREV = "131889d12d2c7d8974711d2ebd1032cd32577b7f" +SRCREV = "7baf1eebfeb56a896bdd5d677fb24377d619eb9d" S = "${WORKDIR}/git" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][meta-tpm][PATCH 2/9] tpm2 images: create tpm2 image and fix packagegroup
Signed-off-by: Armin Kuster --- .../recipes-core/images/security-tpm2-image.bb | 18 ++ .../packagegroup/packagegroup-security-tpm2.bb | 5 - 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 meta-tpm/recipes-core/images/security-tpm2-image.bb diff --git a/meta-tpm/recipes-core/images/security-tpm2-image.bb b/meta-tpm/recipes-core/images/security-tpm2-image.bb new file mode 100644 index 000..7e047d1 --- /dev/null +++ b/meta-tpm/recipes-core/images/security-tpm2-image.bb @@ -0,0 +1,18 @@ +DESCRIPTION = "A small image for building a tpm2 image for testing" + +IMAGE_FEATURES += "ssh-server-openssh" + +IMAGE_INSTALL = "\ +packagegroup-base \ +packagegroup-core-boot \ +packagegroup-security-tpm2 \ +os-release \ +" + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-tpm2-image" diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 5ded3a2..9296d99 100644 --- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -5,17 +5,20 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda inherit packagegroup -PACKAGES = "packagegroup-security-tpm2" +PACKAGES = "${PN}" SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support" RDEPENDS_packagegroup-security-tpm2 = " \ tpm2-tools \ trousers \ +tpm2-tss \ libtss2 \ +libtss2-mu \ libtss2-tcti-device \ libtss2-tcti-mssim \ tpm2-abrmd \ tpm2-pkcs11 \ +ibmswtpm2 \ cryptsetup-tpm-incubator \ " -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
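Review bot: Adding `ibmswtpm2` to `RDEPENDS_packagegroup-security-tpm2` puts a software TPM simulator into every image that uses this packagegroup, not only the new test image; on a device with a real TPM it is dead weight at best and makes it easy to run the tools against simulated state instead of the hardware. Keep the simulator out of the generic group — add it to security-tpm2-image directly or to a `packagegroup-security-tpm2-test` alongside `libtss2-tcti-mssim`. The context line `trousers` is the TPM 1.2 TSS daemon; it predates this commit, but it does not belong in a TPM 2.0 group unless something here still needs it — confirm and drop if not.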
[yocto] [meta-security][meta-tpm][PATCH 1/9] runtime: tpm2 fix names in packagecheck
Signed-off-by: Armin Kuster --- meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py index 240a9b3..c6f9d92 100644 --- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py +++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py @@ -16,9 +16,9 @@ class Tpm2Test(OERuntimeTestCase): if expected_endlines: self.fail('Missing expected line endings:\n %s' % '\n '.join(expected_endlines)) -@OEHasPackage(['tpm2.0-tss']) +@OEHasPackage(['tpm2-tss']) @OEHasPackage(['tpm2-abrmd']) -@OEHasPackage(['tpm2.0-tools']) +@OEHasPackage(['tpm2-tools']) @OEHasPackage(['ibmswtpm2']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_tpm2_sim(self): -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-integrity][PATCH] ima-evm-utils: update to tip
Signed-off-by: Armin Kuster
---
 .../recipes-security/ima-evm-utils/ima-evm-utils_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
index 929d853..623de09 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
@@ -7,7 +7,7 @@ DEPENDS += "openssl attr keyutils"
 DEPENDS_class-native += "openssl-native keyutils-native"
 PV = "1.0+git${SRCPV}"
-SRCREV = "0267fa16990fd0ddcc89984a8e55b27d43e80167"
+SRCREV = "782224f33cd711050cbf6146a12122cd73f9136b"
 SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils"
 # Documentation depends on asciidoc, which we do not have, so
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 12/14] initramfs: clean up to pull in packages.
Signed-off-by: Armin Kuster
---
 .../initrdscripts/initramfs-framework-ima.bb | 12
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index aca38b7..6057e8d 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -8,25 +8,21 @@ SUMMARY = "IMA module for the modular initramfs system"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-RDEPENDS_${PN} += "initramfs-framework-base"
 # This policy file will get installed as /etc/ima/ima-policy.
 # It is located via the normal file search path, so a .bbappend
 # to this recipe can just point towards one of its own files.
 IMA_POLICY ?= "ima_policy_hashed"
-FILESEXTRAPATHS =. "${IMA_EVM_BASE}/data:"
-SRC_URI = " \
-file://${IMA_POLICY} \
-file://ima \
-"
+SRC_URI = " file://ima"
 do_install () {
 install -d ${D}/${sysconfdir}/ima
-install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima-policy
 install -d ${D}/init.d
 install ${WORKDIR}/ima ${D}/init.d/20-ima
 }
 FILES_${PN} = "/init.d ${sysconfdir}"
-RDEPENDS_${PN} = "keyutils"
+
+RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"
+RDEPENDS_${PN} += "initramfs-framework-base"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
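Review bot: `RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"` expands to a runtime dependency on the package `ima_policy_hashed`, but the policy recipes added in this series are `ima-policy-hashed_1.0.bb`, `ima-policy-simple_1.0.bb` and `ima-policy-appraise-all_1.0.bb`, whose packages carry the hyphenated `PN`; unless something else provides the underscore name, the dependency cannot be satisfied and the default should become `IMA_POLICY ?= "ima-policy-hashed"`. The three-line comment above `IMA_POLICY` still says the policy file is installed by this recipe and found via the file search path, which stopped being true when the `file://${IMA_POLICY}` entry and the `install ${WORKDIR}/${IMA_POLICY}` line were removed; it should now read along the lines of `# IMA_POLICY names the package that provides /etc/ima/ima-policy; override it in a distro or local.conf to pick another policy recipe`. `install -d ${D}/${sysconfdir}/ima` is left behind with nothing installed under it, so it is either dead or deserves a comment on why an empty directory is packaged. Note also that the removed line installed the policy as `${sysconfdir}/ima-policy` while the new recipes install `${sysconfdir}/ima/ima-policy`; the `ima` init script that loads it is not in this hunk, so please confirm it reads the new path.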
[yocto] [meta-security][PATCH 11/14] data: remove policies
Signed-off-by: Armin Kuster --- meta-integrity/data/ima_policy_appraise_all | 29 meta-integrity/data/ima_policy_hashed | 77 - meta-integrity/data/ima_policy_simple | 4 -- 3 files changed, 110 deletions(-) delete mode 100644 meta-integrity/data/ima_policy_appraise_all delete mode 100644 meta-integrity/data/ima_policy_hashed delete mode 100644 meta-integrity/data/ima_policy_simple diff --git a/meta-integrity/data/ima_policy_appraise_all b/meta-integrity/data/ima_policy_appraise_all deleted file mode 100644 index 36e71a7..000 --- a/meta-integrity/data/ima_policy_appraise_all +++ /dev/null @@ -1,29 +0,0 @@ -# -# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything) -# -# Do not measure anything, but appraise everything -# -# PROC_SUPER_MAGIC -dont_appraise fsmagic=0x9fa0 -# SYSFS_MAGIC -dont_appraise fsmagic=0x62656572 -# DEBUGFS_MAGIC -dont_appraise fsmagic=0x64626720 -# TMPFS_MAGIC -dont_appraise fsmagic=0x01021994 -# RAMFS_MAGIC -dont_appraise fsmagic=0x858458f6 -# DEVPTS_SUPER_MAGIC -dont_appraise fsmagic=0x1cd1 -# BIFMT -dont_appraise fsmagic=0x42494e4d -# SECURITYFS_MAGIC -dont_appraise fsmagic=0x73636673 -# SELINUXFS_MAGIC -dont_appraise fsmagic=0xf97cff8c -# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) -dont_appraise fsmagic=0x6e736673 -# EFIVARFS_MAGIC -dont_appraise fsmagic=0xde5e81e4 - -appraise diff --git a/meta-integrity/data/ima_policy_hashed b/meta-integrity/data/ima_policy_hashed deleted file mode 100644 index 7f89c8d..000 --- a/meta-integrity/data/ima_policy_hashed +++ /dev/null 
@@ -1,77 +0,0 @@ -# With this policy, all files on regular partitions are -# appraised. Files with signed IMA hash and normal hash are -# accepted. Signed files cannot be modified while hashed files can be -# (which will also update the hash). However, signed files can -# be deleted, so in practice it is still possible to replace them -# with a modified version. -# -# Without EVM, this is obviously not very secure, so this policy is -# just an example and/or basis for further improvements. For that -# purpose, some comments show what could be added to make the policy -# more secure. -# -# With EVM the situation might be different because access -# to the EVM key can be restricted. -# -# Files which are appraised are also measured. This allows -# debugging whether a file is in policy by looking at -# /sys/kernel/security/ima/ascii_runtime_measurements - -# PROC_SUPER_MAGIC -dont_appraise fsmagic=0x9fa0 -dont_measure fsmagic=0x9fa0 -# SYSFS_MAGIC -dont_appraise fsmagic=0x62656572 -dont_measure fsmagic=0x62656572 -# DEBUGFS_MAGIC -dont_appraise fsmagic=0x64626720 -dont_measure fsmagic=0x64626720 -# TMPFS_MAGIC -dont_appraise fsmagic=0x01021994 -dont_measure fsmagic=0x01021994 -# RAMFS_MAGIC -dont_appraise fsmagic=0x858458f6 -dont_measure fsmagic=0x858458f6 -# DEVPTS_SUPER_MAGIC -dont_appraise fsmagic=0x1cd1 -dont_measure fsmagic=0x1cd1 -# BIFMT -dont_appraise fsmagic=0x42494e4d -dont_measure fsmagic=0x42494e4d -# SECURITYFS_MAGIC -dont_appraise fsmagic=0x73636673 -dont_measure fsmagic=0x73636673 -# SELINUXFS_MAGIC -dont_appraise fsmagic=0xf97cff8c -dont_measure fsmagic=0xf97cff8c -# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) -dont_appraise fsmagic=0x6e736673 -dont_measure fsmagic=0x6e736673 -# SMACK_MAGIC -dont_appraise fsmagic=0x43415d53 -dont_measure fsmagic=0x43415d53 -# CGROUP_SUPER_MAGIC -dont_appraise fsmagic=0x27e0eb -dont_measure fsmagic=0x27e0eb -# EFIVARFS_MAGIC -dont_appraise fsmagic=0xde5e81e4 -dont_measure 
fsmagic=0xde5e81e4 - -# Special partition, no checking done. -# dont_measure fsuuid=a11234... -# dont_appraise fsuuid=a11243... - -# Special immutable group. -# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200 - -# All executables must be signed - too strict, we need to -# allow installing executables on the device. -# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC -# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC - -# Default rule. Would be needed also when other rules were added that -# determine what to do in case of reading (mask=MAY_READ or -# mask=MAY_EXEC) because otherwise writing does not update the file -# hash. -appraise -measure diff --git a/meta-integrity/data/ima_policy_simple b/meta-integrity/data/ima_policy_simple deleted file mode 100644 index 38ca8f5..000 --- a/meta-integrity/data/ima_policy_simple +++ /dev/null @@ -1,4 +0,0 @@ -# Very simple policy demonstrating the systemd policy loading bug -# (policy with one line works, two lines don't). -dont_appraise fsmagic=0x9fa0 -dont_appraise fsmagic=0x62656572 -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 06/14] linux: update bbappend
remove untested code Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux-%.bbappend | 117 +- 1 file changed, 2 insertions(+), 115 deletions(-) diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend index 48560b1..931854e 100644 --- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend 
@@ -1,116 +1,3 @@ -IMA_ENABLED_HERE := "${@'yes' if bb.data.inherits_class('kernel', d) and 'ima' in d.getVar('DISTRO_FEATURES', True).split() else 'no'}" +FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" -IMA_FILESEXTRAPATHS_yes := "${THISDIR}/linux:" -IMA_FILESEXTRAPATHS_no := "" -FILESEXTRAPATHS_prepend := "${IMA_FILESEXTRAPATHS_${IMA_ENABLED_HERE}}" - -# These two patches are necessary to unpack archives with security.ima xattr -# such that security.ima is taken from the archive. If the policy -# allows hashing, unpatched kernels (at least up to 4.3) will replace -# a signed hash in security.ima with a locally computed hash. -# -# Note that only bsdtar/libarchive are known to work; GNU tar sets -# the security.ima on an empty file and the tries re-opening it for -# writing its content, which then fails due to the IMA hash mismatch. -# -# Kernels >= 4.7 have the patches, while older kernels are likely to -# need the patches. So apply them by default. To avoid that, -# set IMA_EVM_SETATTR_PATCH_x.y.z (where x.y.z == linux kernel version) -# to an empty string (to avoid patching) or some other patch files -# suitable for that kernel. -def ima_evm_setattr_patch(d): -result = [] -linux_version = d.getVar('LINUX_VERSION', True) or '' -# These two patches are known to be included upstream. -if bb.utils.vercmp_string_op(linux_version, '4.7', '<'): -patches = d.getVar('IMA_EVM_SETATTR_PATCH_' + linux_version, True) -if patches != None: -# Patches explicitly chosen, may be empty. -result.append(patches) -else: -# Enabled by default. -result.append('file://0001-ima-fix-ima_inode_post_setattr.patch file://0002-ima-add-support-for-creating-files-using-the-mknodat.patch') -# This one addresses a problem added in 4.2. The upstream revert will land -# in some future kernel. We need to extend version check once we know -# which kernels have the patch. 
-if bb.utils.vercmp_string_op(linux_version, '4.2', '>='): -patches = d.getVar('IMA_EVM_SETATTR_REVERT_PATCH_' + linux_version, True) -if patches != None: -# Patches explicitly chosen, may be empty. -result.append(patches) -else: -# Enabled by default. - result.append('file://Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch') -return ' '.join(result) - -# Edison kernel too old, patch not applicable -> swupd is broken in Ostro OS for Edison. -IMA_EVM_SETATTR_PATCH_3.10.98 = "" - -# Kernel config fragment enabling IMA/EVM and (where necessary and possible) -# also patching the kernel. -IMA_EVM_CFG_yes = " file://ima.cfg \ -${@ ima_evm_setattr_patch(d)} \ - " -IMA_EVM_CFG_no = "" -SRC_URI_append = "${IMA_EVM_CFG_${IMA_ENABLED_HERE}}" - -# IMA_EVM_ROOT_CA, if set, is the absolute path to a der-encoded -# x509 CA certificate which will get compiled into the kernel. -# The kernel will then use it to validate additional certificates, -# like the one loaded dynamically for IMA. -# -# Depending on the kernel version, there are two ways to add the -# CA certificate: -# - For Linux < 4.3, we put the x509 file into the source directory -# where the kernel compilation will find it automatically -# (http://lxr.free-electrons.com/source/kernel/Makefile?v=4.2#L115). -# - For Linux >= 4.3, we set SYSTEM_TRUSTED_KEYS -# (http://lxr.free-electrons.com/source/certs/Kconfig?v=4.3#L29). -# The ima_evm_root_ca.cfg only contains a blank file name. -# The actual file name gets patched in after the file was used -# to configure the kernel (see do_kernel_configme_append). -# This has to point to a single file, i.e. using it for IMA has to -# be coordinated with other usages. -# -# The IMA_EVM_ROOT_CA default is set globally in ima-evm-rootfs.bbclass. -# Need weaker default here in case that ima-evm-rootfs.bbclass is not -# inherited. -IMA_EVM_ROOT_CA ??= "" - -# Add CONFIG_SYSTEM_TRUSTED_KEYS (for recent kernels) and -# copy the root certificate into the build directory. 
By using -# the normal fetcher mechanism for the certificate we ensure that -# a rebuild is triggered when the file name or content change. -# -# Recompiling on name change is a bit too aggressive and causes -# unnecessary rebuilds when only the location of the file, but not its -# content change. This may need further work, should
[yocto] [meta-security][PATCH 14/14] image: add image for testing
Signed-off-by: Armin Kuster
---
 .../images/integrity-image-minimal.bb | 22 +++
 1 file changed, 22 insertions(+)
 create mode 100644 meta-integrity/recipes-core/images/integrity-image-minimal.bb

diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
new file mode 100644
index 000..6ed724d
--- /dev/null
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -0,0 +1,22 @@
+DESCRIPTION = "An image as an exmaple for Ima support"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+
+IMAGE_INSTALL = "\
+packagegroup-base \
+packagegroup-core-boot \
+packagegroup-ima-evm-utils \
+os-release"
+
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "integrity-image-minimal"
+
+INHERIT += "ima-evm-rootfs"
+IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+
+QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
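Review bot: `INHERIT += "ima-evm-rootfs"` most likely does nothing here: as far as I know BitBake only honours `INHERIT` while it parses the configuration files, before any recipe is read, so the class will not be applied to this image unless `local.conf` also adds it, and the image will build without any IMA hashing or signing; inside a recipe the line should be `inherit ima-evm-rootfs`. `IMA_EVM_KEY_DIR` points at the layer's `data/debug-keys`, whose private key is part of the layer according to the diffstat of the port-over commit, and `ima_appraise=fix` on the `QB_KERNEL_CMDLINE_APPEND_append` line puts IMA into fix-up mode, where appraisal failures are repaired instead of refused; both are acceptable for a test image but should be said out loud, e.g. `# Test image only: the debug keys are public and ima_appraise=fix does not enforce appraisal. Never reuse this configuration for a product.` placed above `INHERIT`. `exmaple` in `DESCRIPTION` is a typo.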
[yocto] [meta-security][PATCH 09/14] ima_policy_simple: add another sample policy
Signed-off-by: Armin Kuster
---
 .../ima_policy_simple/files/ima_policy_simple | 4
 .../ima_policy_simple/ima-policy-simple_1.0.bb | 18 ++
 2 files changed, 22 insertions(+)
 create mode 100644 meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
 create mode 100644 meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb

diff --git a/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple b/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
new file mode 100644
index 000..38ca8f5
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
@@ -0,0 +1,4 @@
+# Very simple policy demonstrating the systemd policy loading bug
+# (policy with one line works, two lines don't).
+dont_appraise fsmagic=0x9fa0
+dont_appraise fsmagic=0x62656572
diff --git a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
new file mode 100644
index 000..17132aa
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "IMA sample simple policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_simple"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+do_install () {
+install -d ${D}/${sysconfdir}/ima
+install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
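Review bot: This recipe, `ima-policy-hashed_1.0.bb` and `ima-policy-appraise-all_1.0.bb` all install their file as `${sysconfdir}/ima/ima-policy` under `FILES_${PN} = "${sysconfdir}/ima"`, so any image that ends up with two of them gets a file conflict at rootfs time and nothing in the recipes says they are mutually exclusive; `RPROVIDES_${PN} = "ima-policy"` together with `RCONFLICTS_${PN} = "ima-policy"` in each (or explicit `RCONFLICTS_${PN}` on the other two) would make that explicit, and the identical `do_install`, `FILES_${PN}` and `RDEPENDS_${PN}` lines would fit a shared `ima-policy.inc`. `install ${WORKDIR}/${IMA_POLICY} ...` without `-m 0644` installs the policy with install's default mode 0755, which is not what a configuration file wants; `install -m 0644 ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy` is the fix. The policy file's own header says it exists to reproduce a systemd policy loading bug, which `SUMMARY = "IMA sample simple policy"` does not convey; `SUMMARY = "Two-rule IMA sample policy (reproducer for the systemd policy loading bug), not for real use"` would stop it being picked as a production policy.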
[yocto] [meta-security][PATCH 13/14] runtime qa: moderize ima test
Signed-off-by: Armin Kuster --- meta-integrity/lib/oeqa/runtime/__init__.py | 0 meta-integrity/lib/oeqa/runtime/cases/ima.py | 129 +++ meta-integrity/lib/oeqa/runtime/ima.py | 82 3 files changed, 129 insertions(+), 82 deletions(-) delete mode 100644 meta-integrity/lib/oeqa/runtime/__init__.py create mode 100644 meta-integrity/lib/oeqa/runtime/cases/ima.py delete mode 100644 meta-integrity/lib/oeqa/runtime/ima.py diff --git a/meta-integrity/lib/oeqa/runtime/__init__.py b/meta-integrity/lib/oeqa/runtime/__init__.py deleted file mode 100644 index e69de29..000 diff --git a/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-integrity/lib/oeqa/runtime/cases/ima.py new file mode 100644 index 000..0c8617a --- /dev/null +++ b/meta-integrity/lib/oeqa/runtime/cases/ima.py 
@@ -0,0 +1,129 @@ +#!/usr/bin/env python +# +# Authors: Cristina Moraru +# Alexandru Cornea + +import string +from time import sleep +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature +from oeqa.core.decorator.data import skipIfDataVar, skipIfNotDataVar +import bb +blacklist = ["/usr/bin/uz", "/bin/su.shadow"] + +class IMACheck(OERuntimeTestCase): + +@classmethod +def setUpClass(cls): +locations = ["/bin", "/usr/bin"] +cls.binaries = [] +for l in locations: +status, output = cls.tc.target.run("find %s -type f" % l) +cls.binaries.extend(output.split("\n")) + +cls.total = len(cls.binaries) + + +@OETestDepends(['ssh.SSHTest.test_ssh']) +def test_ima_enabled(self): +''' Test if IMA policy is loaded before systemd starts''' + +ima_search = "ima: " +systemd_search = "systemd .* running" +status, output = self.target.run("dmesg | grep -n '%s'" % ima_search) +self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search) + + +@skipIfNotFeature('systemd', + 'Test requires systemd to be in DISTRO_FEATURES') +@skipIfNotDataVar('VIRTUAL-RUNTIME_init_manager', 'systemd', + 'systemd is not the init manager for this image') +@OETestDepends(['ima.IMACheck.test_ima_enabled']) +def test_ima_before_systemd(self): +''' Test if IMA policy is loaded before systemd starts''' +ima_search = "ima: " +systemd_search = "systemd .* running" +status, output = self.target.run("dmesg | grep -n '%s'" % ima_search) +self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search) +ima_id = int(output.split(":")[0]) +status, output = self.target.run("dmesg | grep -n '%s'" % systemd_search) +self.assertEqual(status, 0, "Did not find '%s' in dmesg" % systemd_search) +init_id = int(output.split(":")[0]) +if ima_id > init_id: +self.fail("IMA does not start before systemd") + + 
+@OETestDepends(['ima.IMACheck.test_ima_enabled']) +def test_ima_hash(self): +''' Test if IMA stores correct file hash ''' +filename = "/etc/filetest" +ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements" +status, output = self.target.run("echo test > %s" % filename) +self.assertEqual(status, 0, "Cannot create file %s on target" % filename) + +# wait for the IMA system to update the entry +maximum_tries = 30 +tries = 0 +status, output = self.target.run("sha1sum %s" %filename) +sleep(2) +current_hash = output.split()[0] +ima_hash = "" + +while tries < maximum_tries: +status, output = self.target.run("cat %s | grep %s" \ +% (ima_measure_file, filename)) +# get last entry, 4th field +if status == 0: +tokens = output.split("\n")[-1].split()[3] +ima_hash = tokens.split(":")[1] +if ima_hash == current_hash: +break + +tries += 1 +sleep(1) + +# clean target +self.target.run("rm %s" % filename) +if ima_hash != current_hash: +self.fail("Hash stored by IMA does not match actual hash") + + +@OETestDepends(['ima.IMACheck.test_ima_enabled']) +def test_ima_signature(self): +''' Test if IMA stores correct signature for system binaries''' +passed = 0 +failed = 0 +for b in self.binaries: +if b in blacklist: +continue +status, output =
[yocto] [meta-security][PATCH 08/14] ima-policy-hashed: add new recipe
Signed-off-by: Armin Kuster --- .../ima_policy_hashed/files/ima_policy_hashed | 77 +++ .../ima-policy-hashed_1.0.bb | 20 + 2 files changed, 97 insertions(+) create mode 100644 meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed create mode 100644 meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb diff --git a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed new file mode 100644 index 000..7f89c8d --- /dev/null +++ b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed 
@@ -0,0 +1,77 @@ +# With this policy, all files on regular partitions are +# appraised. Files with signed IMA hash and normal hash are +# accepted. Signed files cannot be modified while hashed files can be +# (which will also update the hash). However, signed files can +# be deleted, so in practice it is still possible to replace them +# with a modified version. +# +# Without EVM, this is obviously not very secure, so this policy is +# just an example and/or basis for further improvements. For that +# purpose, some comments show what could be added to make the policy +# more secure. +# +# With EVM the situation might be different because access +# to the EVM key can be restricted. +# +# Files which are appraised are also measured. This allows +# debugging whether a file is in policy by looking at +# /sys/kernel/security/ima/ascii_runtime_measurements + +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +dont_measure fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +dont_measure fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +dont_measure fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +dont_measure fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +dont_measure fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +dont_measure fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +dont_measure fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +dont_measure fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +dont_measure fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +dont_measure fsmagic=0x6e736673 +# SMACK_MAGIC +dont_appraise fsmagic=0x43415d53 +dont_measure fsmagic=0x43415d53 +# CGROUP_SUPER_MAGIC +dont_appraise fsmagic=0x27e0eb +dont_measure fsmagic=0x27e0eb +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 +dont_measure 
fsmagic=0xde5e81e4 + +# Special partition, no checking done. +# dont_measure fsuuid=a11234... +# dont_appraise fsuuid=a11243... + +# Special immutable group. +# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200 + +# All executables must be signed - too strict, we need to +# allow installing executables on the device. +# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC +# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC + +# Default rule. Would be needed also when other rules were added that +# determine what to do in case of reading (mask=MAY_READ or +# mask=MAY_EXEC) because otherwise writing does not update the file +# hash. +appraise +measure diff --git a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb new file mode 100644 index 000..3352daa --- /dev/null +++ b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb @@ -0,0 +1,20 @@ +SUMMARY = "IMA sample hash policy" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_hashed" + +SRC_URI = " \ +file://${IMA_POLICY} \ +" + +do_install () { +install -d ${D}/${sysconfdir}/ima +install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 10/14] policy: add ima appraise all policy
Signed-off-by: Armin Kuster --- .../files/ima_policy_appraise_all | 29 +++ .../ima-policy-appraise-all_1.0.bb| 18 2 files changed, 47 insertions(+) create mode 100644 meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all create mode 100644 meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all new file mode 100644 index 000..36e71a7 --- /dev/null +++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all @@ -0,0 +1,29 @@ +# +# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything) +# +# Do not measure anything, but appraise everything +# +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 + +appraise diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb new file mode 100644 index 000..b58d3fe --- /dev/null +++ b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb 
@@ -0,0 +1,18 @@
+SUMMARY = "IMA sample simple appraise policy "
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_appraise_all"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+do_install () {
+install -d ${D}/${sysconfdir}/ima
+install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 07/14] base-files: add appending to automount securityfs
Signed-off-by: Armin Kuster
---
 meta-integrity/recipes-core/base-files/base-files-ima.inc | 5 +
 meta-integrity/recipes-core/base-files/base-files_%.bbappend | 1 +
 2 files changed, 6 insertions(+)
 create mode 100644 meta-integrity/recipes-core/base-files/base-files-ima.inc
 create mode 100644 meta-integrity/recipes-core/base-files/base-files_%.bbappend

diff --git a/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-integrity/recipes-core/base-files/base-files-ima.inc
new file mode 100644
index 000..7e9e210
--- /dev/null
+++ b/meta-integrity/recipes-core/base-files/base-files-ima.inc
@@ -0,0 +1,5 @@
+# Append iversion option for auto types
+do_install_append() {
+sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab"
+echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab"
+}
diff --git a/meta-integrity/recipes-core/base-files/base-files_%.bbappend b/meta-integrity/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 000..c006f0e
--- /dev/null
+++ b/meta-integrity/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'base-files-ima.inc', '', d)}
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
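Review bot: The `sed` only adds `iversion` to fstab entries whose type is literally `auto` and whose options are exactly `defaults`, so a root filesystem listed with an explicit type or any other option keeps no `iversion`, and as far as I recall IMA relies on i_version to notice that an already-measured file was modified; the one-line comment should state that limit so image authors know to handle their own entries, e.g. `# IMA needs i_version on appraised filesystems; only 'auto ... defaults' entries are patched here, other fstab entries must add iversion themselves`. The `echo ... >> fstab` appends a `securityfs` line unconditionally, so if base-files or another append already provides one the image ends up with a duplicate mount entry; `grep -q '^securityfs ' "${D}${sysconfdir}/fstab" || echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab"` keeps it idempotent. The `.bbappend` pattern of requiring an empty name when `ima` is not in `DISTRO_FEATURES` is fine but non-obvious; a comment `# only touches fstab when the ima distro feature is enabled` would help.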
[yocto] [meta-security][PATCH 01/14] meta-integrity: port over from meta-intel-iot-security
Signed-off-by: Armin Kuster --- meta-integrity/README.md | 253 ++ meta-integrity/classes/ima-evm-rootfs.bbclass | 92 +++ meta-integrity/conf/layer.conf| 22 ++ .../data/debug-keys/privkey_ima.pem | 16 ++ meta-integrity/data/debug-keys/x509_ima.der | Bin 0 -> 707 bytes meta-integrity/data/ima_policy_appraise_all | 29 ++ meta-integrity/data/ima_policy_hashed | 77 ++ meta-integrity/data/ima_policy_simple | 4 + meta-integrity/lib/oeqa/runtime/__init__.py | 0 meta-integrity/lib/oeqa/runtime/ima.py| 82 ++ .../initrdscripts/initramfs-framework-ima.bb | 32 +++ .../initrdscripts/initramfs-framework-ima/ima | 52 .../packagegroup-ima-evm-utils.bb | 9 + .../systemd/files/machine-id-commit-sync.conf | 2 + .../systemd/files/random-seed-sync.conf | 3 + .../recipes-core/systemd/systemd_%.bbappend | 13 + .../recipes-kernel/linux/linux-%.bbappend | 116 .../0001-ima-fix-ima_inode_post_setattr.patch | 51 ...for-creating-files-using-the-mknodat.patch | 138 ++ ...-file-hash-setting-by-user-to-fix-an.patch | 60 + .../recipes-kernel/linux/linux/ima.cfg| 16 ++ .../linux/linux/ima_evm_root_ca.cfg | 3 + .../ima-evm-utils/ima-evm-utils.inc | 19 ++ ...nd-line-apply-operation-to-all-paths.patch | 68 + .../ima-evm-utils/disable-doc-creation.patch | 50 ...t-depend-on-xattr.h-with-IMA-defines.patch | 47 .../ima-evm-utils/ima-evm-utils_git.bb| 17 ++ meta-integrity/scripts/ima-gen-CA-signed.sh | 48 meta-integrity/scripts/ima-gen-local-ca.sh| 42 +++ meta-integrity/scripts/ima-gen-self-signed.sh | 41 +++ 30 files changed, 1402 insertions(+) create mode 100644 meta-integrity/README.md create mode 100644 meta-integrity/classes/ima-evm-rootfs.bbclass create mode 100644 meta-integrity/conf/layer.conf create mode 100644 meta-integrity/data/debug-keys/privkey_ima.pem create mode 100644 meta-integrity/data/debug-keys/x509_ima.der create mode 100644 meta-integrity/data/ima_policy_appraise_all create mode 100644 meta-integrity/data/ima_policy_hashed create mode 100644 meta-integrity/data/ima_policy_simple 
create mode 100644 meta-integrity/lib/oeqa/runtime/__init__.py create mode 100644 meta-integrity/lib/oeqa/runtime/ima.py create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima create mode 100644 meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb create mode 100644 meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf create mode 100644 meta-integrity/recipes-core/systemd/files/random-seed-sync.conf create mode 100644 meta-integrity/recipes-core/systemd/systemd_%.bbappend create mode 100644 meta-integrity/recipes-kernel/linux/linux-%.bbappend create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb create mode 100755 meta-integrity/scripts/ima-gen-CA-signed.sh create mode 100755 meta-integrity/scripts/ima-gen-local-ca.sh create mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh 
diff --git a/meta-integrity/README.md b/meta-integrity/README.md new file mode 100644 index 000..ba96d8e --- /dev/null +++ b/meta-integrity/README.md @@ -0,0 +1,253 @@ +This README file contains information on the contents of the +integrity layer. + +Please see the corresponding sections below for details. + + +Dependencies + + +This layer depends on: + +URI: git://git.openembedded.org/bitbake +branch: master + +URI: git://git.openembedded.org/openembedded-core +layers: meta +branch: master + +URI: git://github.com/01org/meta-security/meta-integrate +layers: security-framework +branch: master + + +Patches +=== + +Please submit any patches against the integrity layer via Git
[yocto] [meta-security][PATCH 04/14] ima-evm-utils: cleanup and update to tip
update to tip backported patches to fix build issues. fix native support Signed-off-by: Armin Kuster --- .../ima-evm-utils/ima-evm-utils.inc | 19 -- ...link-to-libcrypto-instead-of-OpenSSL.patch | 65 +++ ...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch | 43 ...clude-hash-info.gen-into-distributio.patch | 31 + ...ma-evm-utils-update-.gitignore-files.patch | 34 ++ .../ima-evm-utils/ima-evm-utils_git.bb| 30 - 6 files changed, 200 insertions(+), 22 deletions(-) delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc deleted file mode 100644 index 72a13f7..000 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc +++ /dev/null @@ -1,19 +0,0 @@ -DESCRIPTION = "IMA/EVM control utility" -LICENSE = "GPL-2.0-with-OpenSSL-exception" -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" - -DEPENDS = " \ -openssl \ -attr \ -keyutils \ -pkgconfig \ -" - -# blkid is called by evmctl when creating evm checksums. -# This is less useful when signing files on the build host, -# so disable it when compiling on the host. -RDEPENDS_${PN}_append_class-target = " util-linux-blkid" - -inherit autotools - -BBCLASSEXTEND = "native" 
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch new file mode 100644 index 000..5ccb73d --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch 
@@ -0,0 +1,65 @@ +From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Wed, 6 Mar 2019 01:08:43 +0300 +Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL + +There is no need to link to full libssl. evmctl uses functions from +libcrypto, so let's link only against that library. + +Signed-off-by: Dmitry Eremin-Solenikov +--- + configure.ac| 4 +--- + src/Makefile.am | 9 - + 2 files changed, 5 insertions(+), 8 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 60f3684..32e8d85 100644 +--- a/configure.ac b/configure.ac +@@ -24,9 +24,7 @@ LT_INIT + # Checks for header files. + AC_HEADER_STDC + +-PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ]) +-AC_SUBST(OPENSSL_CFLAGS) +-AC_SUBST(OPENSSL_LIBS) ++PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ]) + AC_SUBST(KERNEL_HEADERS) + AC_CHECK_HEADER(unistd.h) + AC_CHECK_HEADERS(openssl/conf.h) +diff --git a/src/Makefile.am b/src/Makefile.am +index d74fc6f..b81281a 100644 +--- a/src/Makefile.am b/src/Makefile.am +@@ -1,11 +1,11 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) ++libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +-libimaevm_la_LIBADD = $(OPENSSL_LIBS) ++libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS) + + include_HEADERS = imaevm.h + +@@ -17,12 +17,11 @@ hash_info.h: Makefile + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) ++evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) +-evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la ++evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la + + INCLUDES = -I$(top_srcdir) -include config.h + + CLEANFILES = hash_info.h + DISTCLEANFILES = @DISTCLEANFILES@ +- +-- +2.17.1 + 
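Review bot: The backported patch carries no Upstream-Status tag, which the Yocto layer conventions require for every patch in SRC_URI, so its provenance has to be reconstructed from the `From` line. Since the commit message describes these as backports, add `Upstream-Status: Backport [4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68]` after the Subject line. The same presumably applies to the other three patches in this series; 0002 onward is cut off in this view, so I cannot confirm whether they carry one.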
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch new file mode 100644 index 000..8237274 --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch @@ -0,0 +1,43 @@ +From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001 +From: Dmitr
[yocto] [meta-security][PATCH 05/14] ima.cfg: update to 5.0 kernel
Signed-off-by: Armin Kuster
---
 .../recipes-kernel/linux/linux/ima.cfg| 28 ++-
 .../linux/linux/ima_evm_root_ca.cfg | 6 ++--
 2 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
index 02381aa..b3e47ba 100644
--- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
@@ -1,16 +1,18 @@
-# Enable bare minimum IMA measurement and appraisal as needed by this layer.
-
-CONFIG_SECURITY=y
-CONFIG_INTEGRITY=y
-
-# measurement
 CONFIG_IMA=y
-
-# appraisal
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+CONFIG_IMA_DEFAULT_HASH="sha1"
 CONFIG_IMA_APPRAISE=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-
-# Kernel will get built with embedded X.509 root CA key and all keys
-# need to be signed with that.
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
 CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_SIGNATURE=y
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+
+#CONFIG_INTEGRITY_SIGNATURE=y
+#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#CONFIG_INTEGRITY_TRUSTED_KEYRING=y
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
index 7338232..9a45425 100644
--- a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
@@ -1,3 +1,3 @@
-CONFIG_KEYS=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
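Review bot: The new ima.cfg keeps CONFIG_IMA_APPRAISE, CONFIG_IMA_TRUSTED_KEYRING and CONFIG_IMA_LOAD_X509 but comments out CONFIG_INTEGRITY_SIGNATURE and CONFIG_INTEGRITY_ASYMMETRIC_KEYS, and the ima_evm_root_ca.cfg hunk removes CONFIG_KEYS and CONFIG_SYSTEM_TRUSTED_KEYRING; as far as I recall the trusted-keyring and X.509-loading options depend on that asymmetric-key support, so unless another fragment enables it the kernel will quietly build with hash-only appraisal and no signature verification. CONFIG_SIGNATURE=y is a different symbol and does not substitute, so either re-enable the integrity options here or add a comment naming the fragment that provides them. CONFIG_IMA_DEFAULT_HASH="sha1" also selects a hash that is no longer collision resistant; `CONFIG_IMA_DEFAULT_HASH_SHA256=y` and `CONFIG_IMA_DEFAULT_HASH="sha256"` would be the safer default, with a comment if sha1 is kept deliberately for measurement-log compatibility. Since the series also ships a debug key pair in-tree (the cover letter lists data/debug-keys/privkey_ima.pem), the CONFIG_IMA_X509_PATH line deserves a comment stating that the certificate installed there must be replaced by a production key for appraisal to mean anything.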
[yocto] [meta-security][PATCH 03/14] README: update
Signed-off-by: Armin Kuster --- meta-integrity/README.md | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/meta-integrity/README.md b/meta-integrity/README.md index ba96d8e..5bef76e 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md @@ -24,12 +24,9 @@ This layer depends on: Patches === -Please submit any patches against the integrity layer via Github -pull requests. - For discussion or patch submission via email, use the yocto@yoctoproject.org mailing list. When submitting patches that way, -make sure to copy the maintainer and add a "[meta-]" +make sure to copy the maintainer and add a "[meta-integrity]" prefix to the subject of the mails. Maintainer: Armin Kuster -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 02/14] layer.conf: add LAYERSERIES_COMPAT
Signed-off-by: Armin Kuster
---
 meta-integrity/conf/layer.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index e8bb268..2f696cf 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -20,3 +20,5 @@ IMA_EVM_BASE := '${LAYERDIR}'
 # dependent on location of the layer). Exporting it to just the
 # interactive shell is enough.
 OE_TERMINAL_EXPORTS += "IMA_EVM_BASE"
+
+LAYERSERIES_COMPAT_integrity = "warrior"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 00/14] Port over meta-integrity
Copied meta-integrity from meta-intel-iot-security that Intel created, to carry on maintenance. This updates that code base to work on master. runtime test passes on Arm H/w and qemux86-64 Armin Kuster (14): meta-integrity: port over from meta-intel-iot-security layer.conf: add LAYERSERIES_COMPAT README: update ima-evm-utils: cleanup and update to tip ima.cfg: update to 5.0 kernel linux: update bbappend base-files: add appending to automount securityfs ima-policy-hashed: add new recipe ima_policy_simple: add another sample policy policy: add ima appraise all policy data: remove policies initramfs: clean up to pull in packages. runtime qa: moderize ima test image: add image for testing meta-integrity/README.md | 250 ++ meta-integrity/classes/ima-evm-rootfs.bbclass | 92 +++ meta-integrity/conf/layer.conf| 24 ++ .../data/debug-keys/privkey_ima.pem | 16 ++ meta-integrity/data/debug-keys/x509_ima.der | Bin 0 -> 707 bytes meta-integrity/lib/oeqa/runtime/cases/ima.py | 129 + .../base-files/base-files-ima.inc | 5 + .../base-files/base-files_%.bbappend | 1 + .../images/integrity-image-minimal.bb | 22 ++ .../initrdscripts/initramfs-framework-ima.bb | 28 ++ .../initrdscripts/initramfs-framework-ima/ima | 52 .../packagegroup-ima-evm-utils.bb | 9 + .../systemd/files/machine-id-commit-sync.conf | 2 + .../systemd/files/random-seed-sync.conf | 3 + .../recipes-core/systemd/systemd_%.bbappend | 13 + .../recipes-kernel/linux/linux-%.bbappend | 3 + .../0001-ima-fix-ima_inode_post_setattr.patch | 51 ...for-creating-files-using-the-mknodat.patch | 138 ++ ...-file-hash-setting-by-user-to-fix-an.patch | 60 + .../recipes-kernel/linux/linux/ima.cfg| 18 ++ .../linux/linux/ima_evm_root_ca.cfg | 3 + ...link-to-libcrypto-instead-of-OpenSSL.patch | 65 + ...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch | 43 +++ ...clude-hash-info.gen-into-distributio.patch | 31 +++ ...ma-evm-utils-update-.gitignore-files.patch | 34 +++ ...nd-line-apply-operation-to-all-paths.patch | 68 + 
.../ima-evm-utils/disable-doc-creation.patch | 50 ...t-depend-on-xattr.h-with-IMA-defines.patch | 47 .../ima-evm-utils/ima-evm-utils_git.bb| 41 +++ .../files/ima_policy_appraise_all | 29 ++ .../ima-policy-appraise-all_1.0.bb| 18 ++ .../ima_policy_hashed/files/ima_policy_hashed | 77 ++ .../ima-policy-hashed_1.0.bb | 20 ++ .../ima_policy_simple/files/ima_policy_simple | 4 + .../ima-policy-simple_1.0.bb | 18 ++ meta-integrity/scripts/ima-gen-CA-signed.sh | 48 meta-integrity/scripts/ima-gen-local-ca.sh| 42 +++ meta-integrity/scripts/ima-gen-self-signed.sh | 41 +++ 38 files changed, 1595 insertions(+) create mode 100644 meta-integrity/README.md create mode 100644 meta-integrity/classes/ima-evm-rootfs.bbclass create mode 100644 meta-integrity/conf/layer.conf create mode 100644 meta-integrity/data/debug-keys/privkey_ima.pem create mode 100644 meta-integrity/data/debug-keys/x509_ima.der create mode 100644 meta-integrity/lib/oeqa/runtime/cases/ima.py create mode 100644 meta-integrity/recipes-core/base-files/base-files-ima.inc create mode 100644 meta-integrity/recipes-core/base-files/base-files_%.bbappend create mode 100644 meta-integrity/recipes-core/images/integrity-image-minimal.bb create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima create mode 100644 meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb create mode 100644 meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf create mode 100644 meta-integrity/recipes-core/systemd/files/random-seed-sync.conf create mode 100644 meta-integrity/recipes-core/systemd/systemd_%.bbappend create mode 100644 meta-integrity/recipes-kernel/linux/linux-%.bbappend create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch create mode 100644 
meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch create mode 100644 meta-integrity/reci
[yocto] [meta-security][PATCH] checksec: add runtime test
Signed-off-by: Armin Kuster --- lib/oeqa/runtime/cases/checksec.py | 33 ++ 1 file changed, 33 insertions(+) create mode 100644 lib/oeqa/runtime/cases/checksec.py diff --git a/lib/oeqa/runtime/cases/checksec.py b/lib/oeqa/runtime/cases/checksec.py new file mode 100644 index 000..ff6d2f3 --- /dev/null +++ b/lib/oeqa/runtime/cases/checksec.py @@ -0,0 +1,33 @@ +# Copyright (C) 2019 Armin Kuster +# +import re + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class CheckSecTest(OERuntimeTestCase): + +@OEHasPackage(['checksec']) +@OETestDepends(['ssh.SSHTest.test_ssh']) +def test_checksec_help(self): +status, output = self.target.run('checksec --help ') +msg = ('checksec command does not work as expected. ' +'Status and output:%s and %s' % (status, output)) +self.assertEqual(status, 0, msg = msg) + +@OETestDepends(['checksec.CheckSecTest.test_checksec_help']) +def test_checksec_xml(self): +status, output = self.target.run('checksec --format xml --proc-all') +msg = ('checksec xml failed. Output: %s' % output) +self.assertEqual(status, 0, msg = msg) + +@OETestDepends(['checksec.CheckSecTest.test_checksec_xml']) +def test_checksec_fortify(self): +status, output = self.target.run('checksec --fortify-proc 1') +match = re.search('FORTIFY_SOURCE support:', output) +if not match: +msg = ('checksec : fortify-proc failed. ' + 'Status and output:%s and %s' % (status, output)) +self.assertEqual(status, 1, msg = msg) -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
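Review bot: In test_checksec_fortify the only assertion sits inside `if not match:` and asserts `status == 1`, so a run whose output lacks the 'FORTIFY_SOURCE support:' marker passes as long as checksec exited non-zero, while a run that prints the marker is never checked against its exit status at all. Build msg unconditionally and assert on both, e.g. `self.assertEqual(status, 0, msg=msg)` followed by `self.assertIsNotNone(match, msg=msg)`, in place of the `if not match:` block. The trailing space in `'checksec --help '` looks accidental and can be dropped.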
[yocto] [meta-security][v2][PATCH] keyutils: fix library install path
[v2] fix multilib support Als add native support Signed-off-by: Armin Kuster --- .../files/fix_library_install_path.patch | 28 +++ recipes-security/keyutils/keyutils_1.6.bb | 14 ++ 2 files changed, 36 insertions(+), 6 deletions(-) create mode 100644 recipes-security/keyutils/files/fix_library_install_path.patch diff --git a/recipes-security/keyutils/files/fix_library_install_path.patch b/recipes-security/keyutils/files/fix_library_install_path.patch new file mode 100644 index 000..938fe2e --- /dev/null +++ b/recipes-security/keyutils/files/fix_library_install_path.patch @@ -0,0 +1,28 @@ +From b0355cc205543ffd33752874295139d57c4fbc3e Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Tue, 26 Sep 2017 07:59:51 + +Subject: [PATCH] Subject: [PATCH] keyutils: use relative path for link + +The absolute path of the symlink will be invalid +when populated in sysroot, so use relative path instead. + +Upstream-Status: Pending + +Signed-off-by: Jackie Huang +Signed-off-by: Wenzong Fan +{rebased for 1.6] +Signed-off-by: Armin Kuster + +Index: keyutils-1.6/Makefile +=== +--- keyutils-1.6.orig/Makefile keyutils-1.6/Makefile +@@ -184,7 +184,7 @@ ifeq ($(NO_SOLIB),0) + $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME) + $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME) + mkdir -p $(DESTDIR)$(USRLIBDIR) +- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) ++ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) + sed \ + -e 's,@VERSION\@,$(VERSION),g' \ + -e 's,@prefix\@,$(PREFIX),g' \ diff --git a/recipes-security/keyutils/keyutils_1.6.bb b/recipes-security/keyutils/keyutils_1.6.bb index c961fa2..4d3a96f 100644 --- a/recipes-security/keyutils/keyutils_1.6.bb +++ b/recipes-security/keyutils/keyutils_1.6.bb 
@@ -12,13 +12,13 @@ LICENSE = "LGPLv2.1+ & GPLv2.0+" LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \ file://LICENCE.LGPL;md5=7d1cacaa3ea752b72ea5e525df54a21f" - -inherit siteinfo ptest +inherit siteinfo autotools-brokensep ptest SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \ file://keyutils-test-fix-output-format.patch \ file://keyutils-fix-error-report-by-adding-default-message.patch \ file://run-ptest \ + file://fix_library_install_path.patch \ " SRC_URI[md5sum] = "191987b0ab46bb5b50efd70a6e6ce808" @@ -28,14 +28,15 @@ EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \ NO_ARLIB=1 \ BINDIR=${base_bindir} \ SBINDIR=${base_sbindir} \ -LIBDIR=${base_libdir} \ -USRLIBDIR=${base_libdir} \ +LIBDIR=${libdir} \ +USRLIBDIR=${libdir} \ +INCLUDEDIR=${includedir} \ BUILDFOR=${SITEINFO_BITS}-bit \ NO_GLIBC_KEYERR=1 \ " do_install () { -install -d ${D}/${nonarch_base_libdir}/pkgconfig +install -d ${D}/${libdir}/pkgconfig oe_runmake DESTDIR=${D} install } @@ -44,8 +45,9 @@ do_install_ptest () { sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh } -FILES_${PN}-dev += "${nonarch_base_libdir}/pkgconfig/libkeyutils.pc" RDEPENDS_${PN}-ptest += "lsb" RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils" RDEPENDS_${PN}-ptest_append_libc-musl = " musl-utils" + +BBCLASSEXTEND = "native nativesdk" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
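Review bot: The relative symlink the new patch creates (`$(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)`) only resolves because the recipe now passes the same directory for both LIBDIR and USRLIBDIR (`${libdir}`); if those are ever split again, the libkeyutils.so development link silently dangles. Add a comment above the EXTRA_OEMAKE assignment, e.g. `# LIBDIR and USRLIBDIR must stay identical: fix_library_install_path.patch links $(DEVELLIB) to $(SONAME) by relative path`. The same coupling applies to the v1 posting of this patch further down, which keeps both at ${base_libdir}. The patch trailer `{rebased for 1.6]` also has a mismatched bracket and would normally be written as a `[...]` note.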
[yocto] [meta-security][PATCH] keyutils: fix library install path
Signed-off-by: Armin Kuster --- .../files/fix_library_install_path.patch | 28 +++ recipes-security/keyutils/keyutils_1.6.bb | 1 + 2 files changed, 29 insertions(+) create mode 100644 recipes-security/keyutils/files/fix_library_install_path.patch diff --git a/recipes-security/keyutils/files/fix_library_install_path.patch b/recipes-security/keyutils/files/fix_library_install_path.patch new file mode 100644 index 000..938fe2e --- /dev/null +++ b/recipes-security/keyutils/files/fix_library_install_path.patch @@ -0,0 +1,28 @@ +From b0355cc205543ffd33752874295139d57c4fbc3e Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Tue, 26 Sep 2017 07:59:51 + +Subject: [PATCH] Subject: [PATCH] keyutils: use relative path for link + +The absolute path of the symlink will be invalid +when populated in sysroot, so use relative path instead. + +Upstream-Status: Pending + +Signed-off-by: Jackie Huang +Signed-off-by: Wenzong Fan +{rebased for 1.6] +Signed-off-by: Armin Kuster + +Index: keyutils-1.6/Makefile +=== +--- keyutils-1.6.orig/Makefile keyutils-1.6/Makefile +@@ -184,7 +184,7 @@ ifeq ($(NO_SOLIB),0) + $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME) + $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME) + mkdir -p $(DESTDIR)$(USRLIBDIR) +- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) ++ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) + sed \ + -e 's,@VERSION\@,$(VERSION),g' \ + -e 's,@prefix\@,$(PREFIX),g' \ diff --git a/recipes-security/keyutils/keyutils_1.6.bb b/recipes-security/keyutils/keyutils_1.6.bb index c961fa2..2968a24 100644 --- a/recipes-security/keyutils/keyutils_1.6.bb +++ b/recipes-security/keyutils/keyutils_1.6.bb 
@@ -19,6 +19,7 @@ SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \ file://keyutils-test-fix-output-format.patch \ file://keyutils-fix-error-report-by-adding-default-message.patch \ file://run-ptest \ + file://fix_library_install_path.patch \ " SRC_URI[md5sum] = "191987b0ab46bb5b50efd70a6e6ce808" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] checksec: update to 1.11.1
* checksec.sh: Updated to 1.11.1 * checksec.sh: resolved issues with readelf * checksec.sh: Added docker images for testing * checksec.sh: Added armhf and aarch64 libc locations * checksec.sh: Replace FS_COUNT with fgrep * checksec.sh: Fixed symbols count in csv * checksec.sh: Fixed RW-RPATH and RW-RUNPATH * checksec.sh: Added stack canaries generated by intel compiler * checksec.sh: Mute stat errors for non-existent directories * checksec.sh: Removed invalid json structures and duplicate kernel checks * checksec.sh: fixed spaces in -d option * checksec.sh: Added stack-protector-string check * checksec.sh: Add arm64 specific kernel checks * checksec.sh: Add REFCOUNT_FULL to kernel tests * checksec.sh: Remove OSX support Signed-off-by: Armin Kuster --- .../checksec/{checksec_1.11.bb => checksec_1.11.1.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-security/checksec/{checksec_1.11.bb => checksec_1.11.1.bb} (91%) diff --git a/recipes-security/checksec/checksec_1.11.bb b/recipes-security/checksec/checksec_1.11.1.bb similarity index 91% rename from recipes-security/checksec/checksec_1.11.bb rename to recipes-security/checksec/checksec_1.11.1.bb index 59a67bd..835dffc 100644 --- a/recipes-security/checksec/checksec_1.11.bb +++ b/recipes-security/checksec/checksec_1.11.1.bb @@ -6,7 +6,7 @@ HOMEPAGE="https://github.com/slimm609/checksec.sh; LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a" -SRCREV = "a57e03c4f62dbaca0ec949bbc58491fb0c461447" +SRCREV = "3c15cb89641c700096fdec0c1904a0cf9b83c5e2" SRC_URI = "git://github.com/slimm609/checksec.sh" S = "${WORKDIR}/git" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH 2/2] oeqa/systemd_boot: Drop OETestID
From: Richard Purdie Matching changes in OE-Core. drop OETestID. Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- meta-yocto-bsp/lib/oeqa/selftest/cases/systemd_boot.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/meta-yocto-bsp/lib/oeqa/selftest/cases/systemd_boot.py b/meta-yocto-bsp/lib/oeqa/selftest/cases/systemd_boot.py index dfd739a..0a3a2cd 100644 --- a/meta-yocto-bsp/lib/oeqa/selftest/cases/systemd_boot.py +++ b/meta-yocto-bsp/lib/oeqa/selftest/cases/systemd_boot.py @@ -1,14 +1,11 @@ import os from oeqa.selftest.case import OESelftestTestCase -from oeqa.core.decorator.oeid import OETestID from oeqa.core.decorator.depends import OETestDepends from oeqa.utils.commands import runCmd, bitbake, get_bb_var, runqemu class Systemdboot(OESelftestTestCase): -@OETestID(1445) -@OETestID(1528) def test_efi_systemdboot_images_can_be_built(self): """ Summary: Check if systemd-boot images can be built correctly -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH 1/2] linux-yocto: update genericx86* SRCREV for 4.19
From: Naveen Saini Bump to kernel release v4.19.19 Signed-off-by: Naveen Saini Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend index 8e708cb..6025230 100644 --- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend +++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend @@ -8,8 +8,8 @@ KMACHINE_genericx86 ?= "common-pc" KMACHINE_genericx86-64 ?= "common-pc-64" KMACHINE_beaglebone-yocto ?= "beaglebone" -SRCREV_machine_genericx86?= "eebb51300a07804a020ec468b5f8c5bf720198d9" -SRCREV_machine_genericx86-64 ?= "eebb51300a07804a020ec468b5f8c5bf720198d9" +SRCREV_machine_genericx86?= "11e0e616ed095bb8012e1b4a231254c9656a0193" +SRCREV_machine_genericx86-64 ?= "11e0e616ed095bb8012e1b4a231254c9656a0193" SRCREV_machine_edgerouter ?= "eebb51300a07804a020ec468b5f8c5bf720198d9" SRCREV_machine_beaglebone-yocto ?= "eebb51300a07804a020ec468b5f8c5bf720198d9" SRCREV_machine_mpc8315e-rdb ?= "8b60f968823256f5d2889c4520d70299ca21411b" @@ -20,8 +20,8 @@ COMPATIBLE_MACHINE_edgerouter = "edgerouter" COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto" COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb" -LINUX_VERSION_genericx86 = "4.19.14" -LINUX_VERSION_genericx86-64 = "4.19.14" +LINUX_VERSION_genericx86 = "4.19.19" +LINUX_VERSION_genericx86-64 = "4.19.19" LINUX_VERSION_edgerouter = "4.19.14" LINUX_VERSION_beaglebone-yocto = "4.19.14" LINUX_VERSION_mpc8315e-rdb = "4.19.14" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH 0/2] meta-yocto warrior-next patch review
From: Armin Kuster please review these changes for the next meta-yocto warrior update The following changes since commit 299b4150c66520985415fcc91119d563f7ba663c: poky.conf: Bump version for 2.7 warrior release (2019-04-12 13:50:29 +0100) are available in the git repository at: git://git.yoctoproject.org/poky-contrib meta-yocto/stable/warrior-nmut http://git.yoctoproject.org/cgit.cgi//log/?h=meta-yocto/stable/warrior-nmut Naveen Saini (1): linux-yocto: update genericx86* SRCREV for 4.19 Richard Purdie (1): oeqa/systemd_boot: Drop OETestID meta-yocto-bsp/lib/oeqa/selftest/cases/systemd_boot.py| 3 --- meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend | 8 2 files changed, 4 insertions(+), 7 deletions(-) -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 2/2] smack: kernel fragment update
Signed-off-by: Armin Kuster
---
 recipes-kernel/linux/linux-yocto-5.0/smack.cfg | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
index 62f465a..0d5fc64 100644
--- a/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
+++ b/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
@@ -1,8 +1,7 @@
-CONFIG_IP_NF_SECURITY=m
-CONFIG_IP6_NF_SECURITY=m
-CONFIG_EXT2_FS_SECURITY=y
-CONFIG_EXT3_FS_SECURITY=y
-CONFIG_EXT4_FS_SECURITY=y
-CONFIG_SECURITY=y
+CONFIG_NETLABEL=y
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
 CONFIG_SECURITY_SMACK=y
+CONFIG_SECURITY_SMACK_BRINGUP=y
+CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
 CONFIG_TMPFS_XATTR=y
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
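Review bot: The rewritten fragment drops CONFIG_EXT2/EXT3/EXT4_FS_SECURITY (and CONFIG_SECURITY=y) without a replacement; Smack keeps its labels in security.* extended attributes, so unless another fragment enables security xattrs for the rootfs filesystem, labels set with chsmack will not persist on ext4 and the ported tests will fail in ways that look unrelated. If a base fragment is relied on for those symbols, say so in a comment at the top of the file. CONFIG_SECURITY_SMACK_BRINGUP=y also enables the bring-up mode, which logs instead of denying for specially labelled subjects; that is fine while porting, but it should not be the default a production image inherits, so either move it to a separate debug fragment or add `# bringup mode: permissive with logging, remove for production` next to it.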
[yocto] [meta-security][PATCH 1/2] oe-selftest: add running cve checker
Signed-off-by: Armin Kuster --- lib/oeqa/selftest/cases/cvechecker.py | 27 +++ 1 file changed, 27 insertions(+) create mode 100644 lib/oeqa/selftest/cases/cvechecker.py diff --git a/lib/oeqa/selftest/cases/cvechecker.py b/lib/oeqa/selftest/cases/cvechecker.py new file mode 100644 index 000..23ca7d2 --- /dev/null +++ b/lib/oeqa/selftest/cases/cvechecker.py @@ -0,0 +1,27 @@ +import os +import re + +from oeqa.selftest.case import OESelftestTestCase +from oeqa.utils.commands import bitbake, get_bb_var + +class CveCheckerTests(OESelftestTestCase): +def test_cve_checker(self): +image = "core-image-sato" + +deploy_dir = get_bb_var("DEPLOY_DIR_IMAGE") +image_link_name = get_bb_var('IMAGE_LINK_NAME', image) + +manifest_link = os.path.join(deploy_dir, "%s.cve" % image_link_name) + +self.logger.info('CVE_CHECK_MANIFEST = "%s"' % manifest_link) +if (not 'cve-check' in get_bb_var('INHERIT')): +add_cve_check_config = 'INHERIT += "cve-check"' +self.append_config(add_cve_check_config) +self.append_config('CVE_CHECK_MANIFEST = "%s"' % manifest_link) +result = bitbake("-k -c cve_check %s" % image, ignore_status=True) +if (not 'cve-check' in get_bb_var('INHERIT')): +self.remove_config(add_cve_check_config) + +isfile = os.path.isfile(manifest_link) +self.assertEqual(True, isfile, 'Failed to create cve data file : %s' % manifest_link) + -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
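Review bot: The cleanup at the end of test_cve_checker can never run: once append_config has added `INHERIT += "cve-check"`, the second `get_bb_var('INHERIT')` call sees cve-check and the remove_config branch is skipped, so the appended config leaks into later tests, and add_cve_check_config is unbound in that branch whenever the first check was false. Evaluate the condition once, e.g. `needs_cve_check = 'cve-check' not in get_bb_var('INHERIT')`, and reuse it for both the append and the remove. `result` is assigned but never inspected, so a bitbake failure is discarded entirely; either assert on it or drop the variable, and prefer `self.assertTrue(isfile, ...)` over `assertEqual(True, isfile, ...)`.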
[yocto] [meta-security][PATCH] samhain: add more tests and fix ret checks
Signed-off-by: Armin Kuster --- lib/oeqa/runtime/cases/samhain.py | 31 +++ 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/lib/oeqa/runtime/cases/samhain.py b/lib/oeqa/runtime/cases/samhain.py index e4bae7b..5043a38 100644 --- a/lib/oeqa/runtime/cases/samhain.py +++ b/lib/oeqa/runtime/cases/samhain.py @@ -1,6 +1,7 @@ # Copyright (C) 2019 Armin Kuster # import re +import os from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends 
@@ -11,10 +12,32 @@ class SamhainTest(OERuntimeTestCase): @OEHasPackage(['samhain-standalone']) @OETestDepends(['ssh.SSHTest.test_ssh']) -def test_samhain_standalone_help(self): +def test_samhain_help(self): +machine = self.td.get('MACHINE', '') +status, output = self.target.run('echo "127.0.0.1 %s.localdomain %s" >> /etc/hosts' % (machine, machine)) +msg = ("samhain can't append hosts. " + 'Status and output:%s and %s' % (status, output)) +self.assertEqual(status, 0, msg = msg) + status, output = self.target.run('samhain --help') -match = re.search('Please report bugs to supp...@la-samhna.de.', output) +msg = ('samhain command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) +self.assertEqual(status, 0, msg = msg) + +@OETestDepends(['samhain.SamhainTest.test_samhain_help']) +def test_samhain_init_db(self): +status, output = self.target.run('samhain -t init') +match = re.search('FAILED: 0 ', output) +if not match: +msg = ('samhain database init had an unexpected failure. ' + 'Status and output:%s and %s' % (status, output)) +self.assertEqual(status, 0, msg = msg) + +@OETestDepends(['samhain.SamhainTest.test_samhain_init_db']) +def test_samhain_db_check(self): +status, output = self.target.run('samhain -t check') +match = re.search('FAILED: 0 ', output) if not match: -msg = ('samhain-standalone command does not work as expected. ' +msg = ('samhain errors found in db. ' 'Status and output:%s and %s' % (status, output)) -self.assertEqual(status, 1, msg = msg) +self.assertEqual(status, 0, msg = msg) -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
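Review bot: test_samhain_init_db and test_samhain_db_check only assert inside `if not match:`, so when 'FAILED: 0 ' is absent but samhain exits 0 the test passes, and when the marker is present the exit status is never checked; assert on both unconditionally, e.g. `self.assertEqual(status, 0, msg=msg)` followed by `self.assertIsNotNone(match, msg=msg)`. test_samhain_help appends a hosts entry on every run with no cleanup, so repeated runs grow /etc/hosts on the target; that setup belongs in setUpClass or behind a guard such as `grep -q "%s.localdomain" /etc/hosts || echo ... >> /etc/hosts`. The SamhainTest class header starts above this hunk.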
[yocto] [meta-security][PATCH 2/2] smack-test: add smack tests from meta-intel-iot-security
ported over smack tests Signed-off-by: Armin Kuster --- lib/oeqa/runtime/cases/smack.py | 529 ++ recipes-mac/smack/mmap-smack-test/mmap.c | 7 + recipes-mac/smack/mmap-smack-test_1.0.bb | 16 + recipes-mac/smack/smack-test/notroot.py | 33 ++ .../smack-test/smack_test_file_access.sh | 54 ++ .../test_privileged_change_self_label.sh | 18 + .../smack/smack-test/test_smack_onlycap.sh| 27 + recipes-mac/smack/smack-test_1.0.bb | 21 + recipes-mac/smack/tcp-smack-test/tcp_client.c | 111 recipes-mac/smack/tcp-smack-test/tcp_server.c | 118 .../tcp-smack-test/test_smack_tcp_sockets.sh | 108 recipes-mac/smack/tcp-smack-test_1.0.bb | 24 + .../udp-smack-test/test_smack_udp_sockets.sh | 107 recipes-mac/smack/udp-smack-test/udp_client.c | 75 +++ recipes-mac/smack/udp-smack-test/udp_server.c | 93 +++ recipes-mac/smack/udp-smack-test_1.0.bb | 23 + 16 files changed, 1364 insertions(+) create mode 100644 lib/oeqa/runtime/cases/smack.py create mode 100644 recipes-mac/smack/mmap-smack-test/mmap.c create mode 100644 recipes-mac/smack/mmap-smack-test_1.0.bb create mode 100644 recipes-mac/smack/smack-test/notroot.py create mode 100644 recipes-mac/smack/smack-test/smack_test_file_access.sh create mode 100644 recipes-mac/smack/smack-test/test_privileged_change_self_label.sh create mode 100644 recipes-mac/smack/smack-test/test_smack_onlycap.sh create mode 100644 recipes-mac/smack/smack-test_1.0.bb create mode 100644 recipes-mac/smack/tcp-smack-test/tcp_client.c create mode 100644 recipes-mac/smack/tcp-smack-test/tcp_server.c create mode 100644 recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh create mode 100644 recipes-mac/smack/tcp-smack-test_1.0.bb create mode 100644 recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh create mode 100644 recipes-mac/smack/udp-smack-test/udp_client.c create mode 100644 recipes-mac/smack/udp-smack-test/udp_server.c create mode 100644 recipes-mac/smack/udp-smack-test_1.0.bb 
diff --git a/lib/oeqa/runtime/cases/smack.py b/lib/oeqa/runtime/cases/smack.py new file mode 100644 index 000..35e87ef --- /dev/null +++ b/lib/oeqa/runtime/cases/smack.py 
@@ -0,0 +1,529 @@ +import unittest +import re +import os +import string +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature + +MAX_LABEL_LEN = 255 +LABEL = "a" * MAX_LABEL_LEN + +class SmackBasicTest(OERuntimeTestCase): +''' base smack test ''' + +@classmethod +def setUpClass(cls): +cls.smack_path = "" +cls.current_label = "" +cls.uid = 1000 + +@skipIfNotFeature('smack', +'Test requires smack to be in DISTRO_FEATURES') +@OEHasPackage(['smack-test']) +@OETestDepends(['ssh.SSHTest.test_ssh']) +def test_smack_basic(self): +status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'") +self.smack_path = output +status,output = self.target.run("cat /proc/self/attr/current") +self.current_label = output.strip() + +class SmackAccessLabel(SmackBasicTest): + +@OETestDepends(['smack.SmackBasicTest.test_smack_basic']) +def test_add_access_label(self): +''' Test if chsmack can correctly set a SMACK label ''' +filename = "/tmp/test_access_label" +self.target.run("touch %s" %filename) +status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename)) +self.assertEqual( +status, 0, +"Cannot set smack access label. " +"Status and output: %d %s" %(status, output)) +status, output = self.target.run("chsmack %s" %filename) +self.target.run("rm %s" %filename) +m = re.search('(?<=access=")\S+(?=")', output) +if m is None: +self.fail("Did not find access attribute") +else: +label_retrieved = m .group(0) +self.assertEqual( +LABEL, label_retrieved, +"label not set correctly. 
expected and gotten: " +"%s %s" %(LABEL,label_retrieved)) + + +class SmackExecLabel(SmackBasicTest): + +@OETestDepends(['smack.SmackBasicTest.test_smack_basic']) +def test_add_exec_label(self): +'''Test if chsmack can correctly set a SMACK Exec label''' +filename = "/tmp/test_exec_label" +self.target.run("touch %s" %filename) +status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename)) +self.assertEqual( +status, 0, +"Cannot set smack exec label. " +"Status and outpu
[yocto] [meta-security][PATCH 1/2] smack: move patch to smack dir
Signed-off-by: Armin Kuster
---
 recipes-mac/smack/{files => smack}/run-ptest | 0
 .../smack/{files => smack}/smack_generator_make_fixup.patch | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename recipes-mac/smack/{files => smack}/run-ptest (100%)
 rename recipes-mac/smack/{files => smack}/smack_generator_make_fixup.patch (100%)
diff --git a/recipes-mac/smack/files/run-ptest b/recipes-mac/smack/smack/run-ptest
similarity index 100%
rename from recipes-mac/smack/files/run-ptest
rename to recipes-mac/smack/smack/run-ptest
diff --git a/recipes-mac/smack/files/smack_generator_make_fixup.patch b/recipes-mac/smack/smack/smack_generator_make_fixup.patch
similarity index 100%
rename from recipes-mac/smack/files/smack_generator_make_fixup.patch
rename to recipes-mac/smack/smack/smack_generator_make_fixup.patch
--
2.17.1
-- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] apparmor: add a few more runtime
Signed-off-by: Armin Kuster
---
 lib/oeqa/runtime/cases/apparmor.py | 19 +++
 1 file changed, 19 insertions(+)
diff --git a/lib/oeqa/runtime/cases/apparmor.py b/lib/oeqa/runtime/cases/apparmor.py
index e2cb316..b6a9537 100644
--- a/lib/oeqa/runtime/cases/apparmor.py
+++ b/lib/oeqa/runtime/cases/apparmor.py
@@ -25,3 +25,22 @@ class ApparmorTest(OERuntimeTestCase):
 msg = ('aa-status failed. '
 'Status and output:%s and %s' % (status, output))
 self.assertEqual(status, 0, msg = msg)
+
+@OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_status'])
+def test_apparmor_aa_complain(self):
+status, output = self.target.run('aa-complain /etc/apparmor.d/*')
+match = re.search('apparmor module is loaded.', output)
+if not match:
+msg = ('aa-complain failed. '
+ 'Status and output:%s and %s' % (status, output))
+self.assertEqual(status, 0, msg = msg)
+
+@OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_complain'])
+def test_apparmor_aa_enforce(self):
+status, output = self.target.run('aa-enforce /etc/apparmor.d/*')
+match = re.search('apparmor module is loaded.', output)
+if not match:
+msg = ('aa-enforce failed. '
+ 'Status and output:%s and %s' % (status, output))
+self.assertEqual(status, 0, msg = msg)
+
--
2.17.1
-- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
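Review bot: In test_apparmor_aa_complain, `msg` is assigned only under `if not match:` and the `match` result itself is never asserted, so a run where aa-complain's output lacks the expected text but exits 0 still passes; with the page's indentation lost it also cannot be told whether `self.assertEqual(status, 0, msg = msg)` sits inside the `if` (nothing is checked at all when the text is present) or after it (an UnboundLocalError on that same path). Build the message unconditionally and assert both conditions: `msg = 'aa-complain failed. Status and output:%s and %s' % (status, output)`, `self.assertEqual(status, 0, msg=msg)`, `self.assertIsNotNone(match, msg=msg)`. The same applies to test_apparmor_aa_enforce later in the hunk. Since the expected text is a fixed literal, `'apparmor module is loaded.' in output` would also avoid the unescaped `.` in the re.search pattern.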
[yocto] [meta-cgl][PATCH] cfg files: update do to 4.19 changes
Signed-off-by: Armin Kuster --- meta-cgl-common/recipes-kernel/linux/files/cfg/4-kgdb.cfg | 1 - meta-cgl-common/recipes-kernel/linux/files/cfg/5-quota.cfg | 2 -- meta-cgl-common/recipes-kernel/linux/files/cfg/9-filesystem-acl.cfg | 1 - meta-cgl-common/recipes-kernel/linux/files/cfg/00014-selinux.cfg| 2 -- meta-cgl-common/recipes-kernel/linux/files/cfg/00018-ipsec.cfg | 1 - meta-cgl-common/recipes-kernel/linux/files/cfg/00026-lm-sensors.cfg | 1 - 6 files changed, 8 deletions(-) diff --git a/meta-cgl-common/recipes-kernel/linux/files/cfg/4-kgdb.cfg b/meta-cgl-common/recipes-kernel/linux/files/cfg/4-kgdb.cfg index f23cfe3..ebaf5f3 100644 --- a/meta-cgl-common/recipes-kernel/linux/files/cfg/4-kgdb.cfg +++ b/meta-cgl-common/recipes-kernel/linux/files/cfg/4-kgdb.cfg @@ -1,6 +1,5 @@ #depends CONFIG_DEBUG_KERNEL=y -CONFIG_EXPERIMENTAL=y #configs CONFIG_KGDB=y diff --git a/meta-cgl-common/recipes-kernel/linux/files/cfg/5-quota.cfg b/meta-cgl-common/recipes-kernel/linux/files/cfg/5-quota.cfg index 6d212ca..6839c29 100644 --- a/meta-cgl-common/recipes-kernel/linux/files/cfg/5-quota.cfg +++ b/meta-cgl-common/recipes-kernel/linux/files/cfg/5-quota.cfg @@ -2,5 +2,3 @@ CONFIG_QUOTA=y CONFIG_QUOTA_DEBUG=y CONFIG_QUOTA_NETLINK_INTERFACE=y CONFIG_QUOTA_TREE=y -CONFIG_QUOTA_CTL=y -CONFIG_QUOTA_CTL_COMPAT=y diff --git a/meta-cgl-common/recipes-kernel/linux/files/cfg/9-filesystem-acl.cfg b/meta-cgl-common/recipes-kernel/linux/files/cfg/9-filesystem-acl.cfg index 7293fe1..4ddfefd 100644 --- a/meta-cgl-common/recipes-kernel/linux/files/cfg/9-filesystem-acl.cfg +++ b/meta-cgl-common/recipes-kernel/linux/files/cfg/9-filesystem-acl.cfg @@ -1,4 +1,3 @@ CONFIG_EXT4_FS_POSIX_ACL=y CONFIG_FS_POSIX_ACL=y -CONFIG_GENERIC_ACL=y CONFIG_TMPFS_POSIX_ACL=y diff --git a/meta-cgl-common/recipes-kernel/linux/files/cfg/00014-selinux.cfg b/meta-cgl-common/recipes-kernel/linux/files/cfg/00014-selinux.cfg index ce7d61d..1efd63e 100644 --- a/meta-cgl-common/recipes-kernel/linux/files/cfg/00014-selinux.cfg 
+++ b/meta-cgl-common/recipes-kernel/linux/files/cfg/00014-selinux.cfg @@ -9,8 +9,6 @@ CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_NETWORK_SECMARK=y CONFIG_EXT2_FS_XATTR=y -CONFIG_EXT3_FS_XATTR=y -CONFIG_EXT4_FS_XATTR=y CONFIG_REISERFS_FS_XATTR=y CONFIG_JFFS2_FS_XATTR=y CONFIG_EXT2_FS_SECURITY=y diff --git a/meta-cgl-common/recipes-kernel/linux/files/cfg/00018-ipsec.cfg b/meta-cgl-common/recipes-kernel/linux/files/cfg/00018-ipsec.cfg index d6103ad..d1a1d2e 100644 --- a/meta-cgl-common/recipes-kernel/linux/files/cfg/00018-ipsec.cfg +++ b/meta-cgl-common/recipes-kernel/linux/files/cfg/00018-ipsec.cfg @@ -1,6 +1,5 @@ CONFIG_NET=y CONFIG_NET_KEY=y -CONFIG_NET_AH=y CONFIG_INET_ESP=y CONFIG_XFRM_USER=y CONFIG_CRYPTO=y diff --git a/meta-cgl-common/recipes-kernel/linux/files/cfg/00026-lm-sensors.cfg b/meta-cgl-common/recipes-kernel/linux/files/cfg/00026-lm-sensors.cfg index 71c4cad..c588180 100644 --- a/meta-cgl-common/recipes-kernel/linux/files/cfg/00026-lm-sensors.cfg +++ b/meta-cgl-common/recipes-kernel/linux/files/cfg/00026-lm-sensors.cfg @@ -66,7 +66,6 @@ CONFIG_SENSORS_GL518SM=m CONFIG_SENSORS_GL520SM=m CONFIG_SENSORS_GPIO_FAN=m CONFIG_SENSORS_HIH6130=m -CONFIG_SENSORS_HTU21=m CONFIG_SENSORS_IBMAEM=m CONFIG_SENSORS_IBMPEX=m CONFIG_SENSORS_JC42=m -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto