authorBrad Bishop <bradleyb@fuzziesquirrel.com>2019-04-05 15:28:33 -0400
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2019-04-05 19:31:28 +0000
commit193236933b0f4ab91b1625b64e2187e2db4e0e8f (patch)
treee12769d7c76d8b0517d6de3d3c72189753d253ed /meta-security
parentbd93df9478f2f56ffcbc8cb88f1709c735dcd85b (diff)
downloadtalos-openbmc-193236933b0f4ab91b1625b64e2187e2db4e0e8f.tar.gz
talos-openbmc-193236933b0f4ab91b1625b64e2187e2db4e0e8f.zip
reset upstream subtrees to HEAD
Reset the following subtrees on HEAD: poky: 8217b477a1(master) meta-xilinx: 64aa3d35ae(master) meta-openembedded: 0435c9e193(master) meta-raspberrypi: 490a4441ac(master) meta-security: cb6d1c85ee(master) Squashed patches: meta-phosphor: drop systemd 239 patches meta-phosphor: mrw-api: use correct install path Change-Id: I268e2646d9174ad305630c6bbd3fbc1a6105f43d Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-security')
-rw-r--r--meta-security/README8
-rw-r--r--meta-security/conf/distro/include/maintainers.inc59
-rw-r--r--meta-security/conf/layer.conf2
-rw-r--r--meta-security/lib/oeqa/runtime/cases/apparmor.py27
-rw-r--r--meta-security/lib/oeqa/runtime/cases/clamav.py38
-rw-r--r--meta-security/lib/oeqa/runtime/cases/samhain.py20
-rw-r--r--meta-security/lib/oeqa/runtime/cases/sssd.py37
-rw-r--r--meta-security/lib/oeqa/runtime/cases/suricata.py27
-rw-r--r--meta-security/lib/oeqa/runtime/cases/tripwire.py47
-rw-r--r--meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb (renamed from meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb)4
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb11
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch130
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb4
-rw-r--r--meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb2
-rw-r--r--meta-security/meta-tpm/conf/distro/include/maintainers.inc39
-rw-r--r--meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py43
-rw-r--r--meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb7
-rw-r--r--meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb (renamed from meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb)8
-rw-r--r--meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb (renamed from meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb)19
-rw-r--r--meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb15
-rw-r--r--meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb22
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb41
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch16
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1332.bb24
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh (renamed from meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh)0
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default (renamed from meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default)0
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.1.1.bb (renamed from meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb)9
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch12
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb21
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch27
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb18
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb15
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-totp/files/litpm2_totp_build_fix.patch36
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb17
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb23
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4 (renamed from meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4)0
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch (renamed from meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch)0
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb (renamed from meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb)15
-rwxr-xr-xmeta-security/recipes-ids/samhain/files/run-ptest (renamed from meta-security/recipes-security/samhain/files/run-ptest)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch (renamed from meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch (renamed from meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-client.default (renamed from meta-security/recipes-security/samhain/files/samhain-client.default)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-client.init (renamed from meta-security/recipes-security/samhain/files/samhain-client.init)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch (renamed from meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch (renamed from meta-security/recipes-security/samhain/files/samhain-cross-compile.patch)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch (renamed from meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch (renamed from meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-pid-path.patch (renamed from meta-security/recipes-security/samhain/files/samhain-pid-path.patch)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch (renamed from meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-samhainrc.patch (renamed from meta-security/recipes-security/samhain/files/samhain-samhainrc.patch)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-server-volatiles (renamed from meta-security/recipes-security/samhain/files/samhain-server-volatiles)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-server.default (renamed from meta-security/recipes-security/samhain/files/samhain-server.default)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-server.init (renamed from meta-security/recipes-security/samhain/files/samhain-server.init)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-sha256-big-endian.patch (renamed from meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-standalone.default (renamed from meta-security/recipes-security/samhain/files/samhain-standalone.default)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain-standalone.init (renamed from meta-security/recipes-security/samhain/files/samhain-standalone.init)0
-rw-r--r--meta-security/recipes-ids/samhain/files/samhain.service (renamed from meta-security/recipes-security/samhain/files/samhain.service)0
-rw-r--r--meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb (renamed from meta-security/recipes-security/samhain/samhain-client_4.3.0.bb)0
-rw-r--r--meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb (renamed from meta-security/recipes-security/samhain/samhain-server_4.3.0.bb)0
-rw-r--r--meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb (renamed from meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb)0
-rw-r--r--meta-security/recipes-ids/samhain/samhain.inc (renamed from meta-security/recipes-security/samhain/samhain.inc)5
-rw-r--r--meta-security/recipes-ids/suricata/files/emerging.rules.tar.gz (renamed from meta-security/recipes-security/suricata/files/emerging.rules.tar.gz)bin2252393 -> 2252393 bytes
-rw-r--r--meta-security/recipes-ids/suricata/files/no_libhtp_build.patch (renamed from meta-security/recipes-security/suricata/files/no_libhtp_build.patch)0
-rw-r--r--meta-security/recipes-ids/suricata/files/run-ptest (renamed from meta-security/recipes-security/suricata/files/run-ptest)0
-rw-r--r--meta-security/recipes-ids/suricata/files/suricata.service (renamed from meta-security/recipes-security/suricata/files/suricata.service)0
-rw-r--r--meta-security/recipes-ids/suricata/files/suricata.yaml (renamed from meta-security/recipes-security/suricata/files/suricata.yaml)0
-rw-r--r--meta-security/recipes-ids/suricata/files/volatiles.03_suricata (renamed from meta-security/recipes-security/suricata/files/volatiles.03_suricata)0
-rw-r--r--meta-security/recipes-ids/suricata/libhtp_0.5.29.bb (renamed from meta-security/recipes-security/suricata/libhtp_0.5.27.bb)0
-rw-r--r--meta-security/recipes-ids/suricata/suricata.inc (renamed from meta-security/recipes-security/suricata/suricata.inc)6
-rw-r--r--meta-security/recipes-ids/suricata/suricata_4.1.3.bb (renamed from meta-security/recipes-security/suricata/suricata_4.0.5.bb)5
-rw-r--r--meta-security/recipes-ids/tripwire/files/add_armeb_arch.patch (renamed from meta-security/recipes-security/tripwire/files/add_armeb_arch.patch)0
-rw-r--r--meta-security/recipes-ids/tripwire/files/run-ptest (renamed from meta-security/recipes-security/tripwire/files/run-ptest)0
-rw-r--r--meta-security/recipes-ids/tripwire/files/tripwire.cron (renamed from meta-security/recipes-security/tripwire/files/tripwire.cron)0
-rw-r--r--meta-security/recipes-ids/tripwire/files/tripwire.sh (renamed from meta-security/recipes-security/tripwire/files/tripwire.sh)0
-rw-r--r--meta-security/recipes-ids/tripwire/files/tripwire.txt (renamed from meta-security/recipes-security/tripwire/files/tripwire.txt)0
-rw-r--r--meta-security/recipes-ids/tripwire/files/twcfg.txt (renamed from meta-security/recipes-security/tripwire/files/twcfg.txt)0
-rw-r--r--meta-security/recipes-ids/tripwire/files/twinstall.sh (renamed from meta-security/recipes-security/tripwire/files/twinstall.sh)0
-rw-r--r--meta-security/recipes-ids/tripwire/files/twpol-yocto.txt (renamed from meta-security/recipes-security/tripwire/files/twpol-yocto.txt)0
-rw-r--r--meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb (renamed from meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb)5
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg15
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg1
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg2
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg8
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg12
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg1
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend1
-rw-r--r--meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend11
-rw-r--r--meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb (renamed from meta-security/recipes-security/AppArmor/apparmor_2.12.bb)43
-rw-r--r--meta-security/recipes-mac/AppArmor/files/apparmor (renamed from meta-security/recipes-security/AppArmor/files/apparmor)0
-rw-r--r--meta-security/recipes-mac/AppArmor/files/apparmor.rc (renamed from meta-security/recipes-security/AppArmor/files/apparmor.rc)0
-rw-r--r--meta-security/recipes-mac/AppArmor/files/apparmor.service (renamed from meta-security/recipes-security/AppArmor/files/apparmor.service)0
-rw-r--r--meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch (renamed from meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch)0
-rw-r--r--meta-security/recipes-mac/AppArmor/files/disable_pdf.patch (renamed from meta-security/recipes-security/AppArmor/files/disable_pdf.patch)0
-rw-r--r--meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch (renamed from meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch)0
-rw-r--r--meta-security/recipes-mac/AppArmor/files/functions (renamed from meta-security/recipes-security/AppArmor/files/functions)0
-rw-r--r--meta-security/recipes-mac/AppArmor/files/run-ptest (renamed from meta-security/recipes-security/AppArmor/files/run-ptest)0
-rw-r--r--meta-security/recipes-mac/smack/files/run-ptest (renamed from meta-security/recipes-security/smack/files/run-ptest)0
-rw-r--r--meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch (renamed from meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch)0
-rw-r--r--meta-security/recipes-mac/smack/smack_1.3.1.bb (renamed from meta-security/recipes-security/smack/smack_1.3.1.bb)0
-rw-r--r--meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb2
-rw-r--r--meta-security/recipes-security/checksec/checksec_1.11.bb19
-rw-r--r--meta-security/recipes-security/checksec/checksec_1.5.bb18
-rw-r--r--meta-security/recipes-security/checksec/files/checksec.sh882
-rw-r--r--meta-security/recipes-security/clamav/clamav_0.99.4.bb10
-rw-r--r--meta-security/recipes-security/fail2ban/python-fail2ban.inc2
-rw-r--r--meta-security/recipes-security/fail2ban/python-fail2ban_0.10.4.0.bb (renamed from meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb)0
-rw-r--r--meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb (renamed from meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb)0
-rw-r--r--meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch28
-rw-r--r--meta-security/recipes-security/keyutils/keyutils_1.6.bb (renamed from meta-security/recipes-security/keyutils/keyutils_1.5.10.bb)12
-rw-r--r--meta-security/recipes-security/libmspack/libmspack_0.9.1.bb (renamed from meta-security/recipes-security/libmspack/libmspack_0.5.bb)8
-rw-r--r--meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb (renamed from meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb)4
-rw-r--r--meta-security/recipes-security/ncrack/ncrack_0.7.bb18
-rw-r--r--meta-security/recipes-security/nikto/files/CVE-2018-11652.patch106
-rw-r--r--meta-security/recipes-security/nikto/files/location.patch32
-rw-r--r--meta-security/recipes-security/nikto/nikto_2.1.5.bb108
-rw-r--r--meta-security/recipes-security/nikto/nikto_2.1.6.bb118
-rw-r--r--meta-security/recipes-security/packagegroup/packagegroup-core-security.bb2
-rw-r--r--[-rwxr-xr-x]meta-security/recipes-security/scapy/files/run-ptest0
-rw-r--r--meta-security/recipes-security/scapy/python-scapy.inc17
-rw-r--r--meta-security/recipes-security/scapy/python-scapy_2.4.2.bb (renamed from meta-security/recipes-security/scapy/python-scapy_2.4.0.bb)0
-rw-r--r--meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb (renamed from meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb)1
-rw-r--r--meta-security/recipes-security/sssd/sssd_1.16.4.bb (renamed from meta-security/recipes-security/sssd/sssd_1.16.3.bb)23
-rw-r--r--meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb (renamed from meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb)20
123 files changed, 1091 insertions, 1297 deletions
diff --git a/meta-security/README b/meta-security/README
index e238271a6..5abb0e262 100644
--- a/meta-security/README
+++ b/meta-security/README
@@ -57,8 +57,14 @@ Send pull requests, patches, comments or questions to yocto@yoctoproject.org
When sending single patches, please using something like:
'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-security][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
Maintainers: Armin Kuster <akuster808@gmail.com>
- Saul Wold <sgw@linux.intel.com>
License
diff --git a/meta-security/conf/distro/include/maintainers.inc b/meta-security/conf/distro/include/maintainers.inc
new file mode 100644
index 000000000..94b45f288
--- /dev/null
+++ b/meta-security/conf/distro/include/maintainers.inc
@@ -0,0 +1,59 @@
+# meta-securiyt Maintainers File
+#
+# This file contains a list of recipe maintainers.
+#
+# Please submit any patches against recipes in meta to the
+# Yocto mail list (yocto@yoctoproject.org)
+#
+# If you have problems with or questions about a particular recipe, feel
+# free to contact the maintainer directly (cc:ing the appropriate mailing list
+# puts it in the archive and helps other people who might have the same
+# questions in the future), but please try to do the following first:
+#
+# - look in the Yocto Project Bugzilla
+# (http://bugzilla.yoctoproject.org/) to see if a problem has
+# already been reported
+#
+# The format is as a bitbake variable override for each recipe
+#
+# RECIPE_MAINTAINER_pn-<recipe name> = "Full Name <address@domain>"
+#
+# Please keep this list in alphabetical order.
+RECIPE_MAINTAINER_pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-apparmor = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-bastille = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-buck-security = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ccs-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-checksec = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-checksecurity = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-clamav = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ding-libs = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ecryptfs-utils = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-fscryptctl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-google-authenticator-libpam = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-hash-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-isic = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-keyutils = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libaes-siv = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libenv-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libgssglue = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libhtp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libmhash = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libmspack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-lib-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libseccomp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libwhisker2-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ncrack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-nikto = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-paxctl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python3-fail2ban = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python3-scapy = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python-fail2ban = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python-scapy = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-redhat-security = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-samhain = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-smack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-sssd = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-suricata = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tripwire = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-xmlsec1 = "Armin Kuster <akuster808@gmail.com>"
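Review bot: The header comment on the first line of the new file misspells the layer name, and the sentence about where to send patches names the `meta` layer rather than this one; suggest `# meta-security Maintainers File` and `# Please submit any patches against recipes in meta-security to the`. The variable entries below match the `RECIPE_MAINTAINER_pn-<recipe name>` format the header describes and are in alphabetical order as requested.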
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 19e647e7f..716f8acc7 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -13,4 +13,4 @@ LAYERSERIES_COMPAT_security = "thud"
LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
-DEFAULT_TEST_SUITES_pn-security-build-image = " ${PTESTTESTSUITE}"
+DEFAULT_TEST_SUITES_pn-security-build-image = " ping ssh ptest"
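Review bot: The replacement value lists only `ping ssh ptest`, while this same commit adds runtime test modules for apparmor, clamav, samhain, sssd, suricata and tripwire under lib/oeqa/runtime/cases; if the oeqa runner executes only the named modules, none of the new cases run for security-build-image by default. Either append them here, e.g. `DEFAULT_TEST_SUITES_pn-security-build-image = " ping ssh ptest apparmor clamav samhain sssd suricata tripwire"`, or add a comment stating that they are meant to be selected explicitly via TEST_SUITES.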
diff --git a/meta-security/lib/oeqa/runtime/cases/apparmor.py b/meta-security/lib/oeqa/runtime/cases/apparmor.py
new file mode 100644
index 000000000..e2cb316d1
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/apparmor.py
@@ -0,0 +1,27 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class ApparmorTest(OERuntimeTestCase):
+
+ @OEHasPackage(['apparmor'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_apparmor_help(self):
+ status, output = self.target.run('aa-status --help')
+ msg = ('apparmor command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['apparmor.ApparmorTest.test_apparmor_help'])
+ def test_apparmor_aa_status(self):
+ status, output = self.target.run('aa-status')
+ match = re.search('apparmor module is loaded.', output)
+ if not match:
+ msg = ('aa-status failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
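Review bot: In test_apparmor_aa_status the assertion on the last line sits inside `if not match:`, so when `aa-status` exits 0 but prints something other than 'apparmor module is loaded.' the test still passes, which is exactly the case the search is meant to catch. Assert on the match itself, e.g. `self.assertTrue(match, msg=msg)` in addition to the status check, and escape the literal dot in the pattern (`re.escape(...)`) since it currently matches any character. The same guarded-assert shape appears in clamav.py (test_freshclam_download, test_freshclam_check_mirrors), samhain.py, suricata.py (test_suricata_unittest) and tripwire.py (twinstall, twadmin, init), and inverted with `if match:` in sssd.py's two domain-status tests, where a matching error line together with exit status 0 likewise passes silently. The help tests in sssd.py and suricata.py pin the `--help` exit status to 1 and tripwire.py to 8; those values are tool-specific, so a one-line comment recording the exit code observed on target would stop a later reader from "fixing" them to 0.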
diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py
new file mode 100644
index 000000000..fc77330dd
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/clamav.py
@@ -0,0 +1,38 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class ClamavTest(OERuntimeTestCase):
+
+ @OEHasPackage(['clamav'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_freshclam_help(self):
+ status, output = self.target.run('freshclam --help ')
+ msg = ('freshclam --hlep command does not work as expected. ',
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['clamav.ClamavTest.test_freshclam_help'])
+ def test_freshclam_download(self):
+ status, output = self.target.run('freshclam --show-progress')
+ match = re.search('Database updated', output)
+ #match = re.search('main.cvd is up to date', output)
+ if not match:
+ msg = ('freshclam : DB dowbload failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 1, msg = msg)
+
+ @OETestDepends(['clamav.ClamavTest.test_freshclam_download'])
+ def test_freshclam_check_mirrors(self):
+ status, output = self.target.run('freshclam --list-mirrors')
+ match = re.search('Failures: 0', output)
+ if not match:
+ msg = ('freshclam --list-mirrors: failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 1, msg = msg)
+
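Review bot: In test_freshclam_help the trailing comma after the first string literal makes `msg` a two-element tuple rather than one concatenated string, so a failure is reported with a tuple repr; drop the comma: `msg = ('freshclam --help command does not work as expected. '` (this also fixes the 'hlep' typo, and 'dowbload' below should be 'download'). The two later tests assert `status == 1` when the expected 'Database updated' / 'Failures: 0' text is missing, which reads as expecting a failure exit code; if a missing line is meant to fail the test, asserting on the match is the clearer check. Both of those tests need outbound network access from the target to reach the ClamAV mirrors, which is worth stating in a comment so offline CI runs know why they fail; the commented-out `main.cvd is up to date` search should either be removed or explained.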
diff --git a/meta-security/lib/oeqa/runtime/cases/samhain.py b/meta-security/lib/oeqa/runtime/cases/samhain.py
new file mode 100644
index 000000000..e4bae7bda
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/samhain.py
@@ -0,0 +1,20 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class SamhainTest(OERuntimeTestCase):
+
+ @OEHasPackage(['samhain-standalone'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_samhain_standalone_help(self):
+ status, output = self.target.run('samhain --help')
+ match = re.search('Please report bugs to support@la-samhna.de.', output)
+ if not match:
+ msg = ('samhain-standalone command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 1, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/sssd.py b/meta-security/lib/oeqa/runtime/cases/sssd.py
new file mode 100644
index 000000000..464483625
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/sssd.py
@@ -0,0 +1,37 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class SSSDTest(OERuntimeTestCase):
+
+ @OEHasPackage(['sssd'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_sssd_help(self):
+ status, output = self.target.run('sssctl --help')
+ msg = ('sssctl command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 1, msg = msg)
+
+ @OETestDepends(['sssd.SSSDTest.test_sssd_help'])
+ def test_sssd_sssctl_conf_perms_chk(self):
+ status, output = self.target.run('sssctl domain-status')
+ match = re.search('ConfDB initialization has failed', output)
+ if match:
+ msg = ('sssctl domain-status failed, check sssd.conf perms. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk'])
+ def test_sssd_sssctl_deamon(self):
+ status, output = self.target.run('sssctl domain-status')
+ match = re.search('No domains configured, fatal error!', output)
+ if match:
+ msg = ('sssctl domain-status failed, sssd.conf not setup correctly. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
diff --git a/meta-security/lib/oeqa/runtime/cases/suricata.py b/meta-security/lib/oeqa/runtime/cases/suricata.py
new file mode 100644
index 000000000..17fc8c508
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/suricata.py
@@ -0,0 +1,27 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class SuricataTest(OERuntimeTestCase):
+
+ @OEHasPackage(['suricata'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_suricata_help(self):
+ status, output = self.target.run('suricata --help')
+ msg = ('suricata command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 1, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_help'])
+ def test_suricata_unittest(self):
+ status, output = self.target.run('suricata -u')
+ match = re.search('FAILED: 0 ', output)
+ if not match:
+ msg = ('suricata unittest had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/tripwire.py b/meta-security/lib/oeqa/runtime/cases/tripwire.py
new file mode 100644
index 000000000..659724d0a
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/tripwire.py
@@ -0,0 +1,47 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class TripwireTest(OERuntimeTestCase):
+
+ @OEHasPackage(['tripwire'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_tripwire_help(self):
+ status, output = self.target.run('tripwire --help')
+ msg = ('tripwire command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 8, msg = msg)
+
+ @OETestDepends(['tripwire.TripwireTest.test_tripwire_help'])
+ def test_tripwire_twinstall(self):
+ status, output = self.target.run('/etc/tripwire/twinstall.sh')
+ match = re.search('The database was successfully generated.', output)
+ if not match:
+ msg = ('/etc/tripwire/twinstall.sh failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['tripwire.TripwireTest.test_tripwire_twinstall'])
+ def test_tripwire_twadmin(self):
+ status, output = self.target.run('twadmin --create-cfgfile --cfgfile /etc/tripwire/twcfg.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twcfg.txt')
+ status, output = self.target.run('twadmin --create-polfile --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/twpol.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twpol.txt')
+ match = re.search('Wrote policy file: /etc/tripwire/twpol.enc', output)
+ if not match:
+ msg = ('twadmin --create-profile ; failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['tripwire.TripwireTest.test_tripwire_twadmin'])
+ def test_tripwire_init(self):
+ status, hostname = self.target.run('hostname')
+ status, output = self.target.run('tripwire --init --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/%s-local.key -P tripwire' % hostname)
+ match = re.search('The database was successfully generated.', output)
+ if not match:
+ msg = ('tripwire --init; Failed for host: %s. '
+ 'Status and output:%s and %s' % (hostname, status, output))
+ self.assertEqual(status, 0, msg = msg)
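Review bot: In test_tripwire_twadmin the `status, output` from the first twadmin call (`--create-cfgfile`) is overwritten by the second call on the next line without being examined, so a failed config-file generation is only noticed if the policy step then happens to fail too; check it first, e.g. `self.assertEqual(status, 0, msg='twadmin --create-cfgfile failed: %s' % output)`. The policy file written there is `/etc/tripwire/twpol.enc`, while test_tripwire_init passes `--polfile /etc/tripwire/tw.pol`; unless twinstall.sh already produces tw.pol on the target, the init step reads a different file from the one the previous test created — confirm which path is intended and use it in both. The `hostname` output is interpolated straight into the local-keyfile path; if `self.target.run` does not strip the trailing newline, that path will not resolve, so a `.strip()` there is cheap insurance.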
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb
index 28a44691c..3ba82f9e4 100644
--- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb
+++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
-SRC_URI[md5sum] = "91a538055bfb682733ef8e4fe7eb0902"
-SRC_URI[sha256sum] = "2e4c5157a4f2d9bb37d3f0f1f5bea03f92233a2a7d4df6eddf231a784087dfac"
+SRC_URI[md5sum] = "3422cee3b12fc33338fcde003d65e234"
+SRC_URI[sha256sum] = "fde6ccf8d6ec0ae1e9c9f4a6d640cddcde4bf7a92f8437d47d16a5477e21bfda"
S = "${WORKDIR}/${BPN}"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
index 5b6137569..e84ed30f8 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
@@ -8,12 +8,11 @@ LICENSE = "MIT"
SRCREV = "7147871d7f37d408c0dd7720ef0fd3ec1b54ad98"
SRC_URI = "git://github.com/akuster/oe-scap.git"
SRC_URI += " \
- file://run_cve.sh \
- file://run_test.sh \
- file://OpenEmbedded_nodistro_0.xml \
- file://OpenEmbedded_nodistro_0.xccdf.xml \
-"
-
+ file://run_cve.sh \
+ file://run_test.sh \
+ file://OpenEmbedded_nodistro_0.xml \
+ file://OpenEmbedded_nodistro_0.xccdf.xml \
+ "
S = "${WORKDIR}/git"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
new file mode 100644
index 000000000..2a518bfe9
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
@@ -0,0 +1,130 @@
+From c34349720a57997d30946286756e2ba9dbab6ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 2 Jul 2018 11:21:19 +0200
+Subject: [PATCH] Renamed module and variables to get rid of async.
+
+async is a reserved word in Python 3.7.
+
+Upstream-Status: Backport
+[https://github.com/OpenSCAP/openscap-daemon/commit/c34349720a57997d30946286756e2ba9dbab6ace]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ openscap_daemon/{async.py => async_tools.py} | 0
+ openscap_daemon/dbus_daemon.py | 2 +-
+ openscap_daemon/system.py | 16 ++++++++--------
+ tests/unit/test_basic_update.py | 3 ++-
+ 4 files changed, 11 insertions(+), 10 deletions(-)
+ rename openscap_daemon/{async.py => async_tools.py} (100%)
+
+diff --git a/openscap_daemon/async.py b/openscap_daemon/async_tools.py
+similarity index 100%
+rename from openscap_daemon/async.py
+rename to openscap_daemon/async_tools.py
+diff --git a/openscap_daemon/dbus_daemon.py b/openscap_daemon/dbus_daemon.py
+index e6eadf9..cb6a8b6 100644
+--- a/openscap_daemon/dbus_daemon.py
++++ b/openscap_daemon/dbus_daemon.py
+@@ -81,7 +81,7 @@ class OpenSCAPDaemonDbus(dbus.service.Object):
+ @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
+ in_signature="", out_signature="a(xsi)")
+ def GetAsyncActionsStatus(self):
+- return self.system.async.get_status()
++ return self.system.async_manager.get_status()
+
+ @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
+ in_signature="s", out_signature="(sssn)")
+diff --git a/openscap_daemon/system.py b/openscap_daemon/system.py
+index 2012f6e..85c2680 100644
+--- a/openscap_daemon/system.py
++++ b/openscap_daemon/system.py
+@@ -26,7 +26,7 @@ import logging
+ from openscap_daemon.task import Task
+ from openscap_daemon.config import Configuration
+ from openscap_daemon import oscap_helpers
+-from openscap_daemon import async
++from openscap_daemon import async_tools
+
+
+ class ResultsNotAvailable(Exception):
+@@ -40,7 +40,7 @@ TASK_ACTION_PRIORITY = 10
+
+ class System(object):
+ def __init__(self, config_file):
+- self.async = async.AsyncManager()
++ self.async_manager = async_tools.AsyncManager()
+
+ logging.info("Loading configuration from '%s'.", config_file)
+ self.config = Configuration()
+@@ -90,7 +90,7 @@ class System(object):
+ input_file, tailoring_file, None
+ )
+
+- class AsyncEvaluateSpecAction(async.AsyncAction):
++ class AsyncEvaluateSpecAction(async_tools.AsyncAction):
+ def __init__(self, system, spec):
+ super(System.AsyncEvaluateSpecAction, self).__init__()
+
+@@ -113,7 +113,7 @@ class System(object):
+ return "Evaluate Spec '%s'" % (self.spec)
+
+ def evaluate_spec_async(self, spec):
+- return self.async.enqueue(
++ return self.async_manager.enqueue(
+ System.AsyncEvaluateSpecAction(
+ self,
+ spec
+@@ -488,7 +488,7 @@ class System(object):
+
+ return ret
+
+- class AsyncUpdateTaskAction(async.AsyncAction):
++ class AsyncUpdateTaskAction(async_tools.AsyncAction):
+ def __init__(self, system, task_id, reference_datetime):
+ super(System.AsyncUpdateTaskAction, self).__init__()
+
+@@ -536,7 +536,7 @@ class System(object):
+
+ if task.should_be_updated(reference_datetime):
+ self.tasks_scheduled.add(task.id_)
+- self.async.enqueue(
++ self.async_manager.enqueue(
+ System.AsyncUpdateTaskAction(
+ self,
+ task.id_,
+@@ -662,7 +662,7 @@ class System(object):
+ fix_type
+ )
+
+- class AsyncEvaluateCVEScannerWorkerAction(async.AsyncAction):
++ class AsyncEvaluateCVEScannerWorkerAction(async_tools.AsyncAction):
+ def __init__(self, system, worker):
+ super(System.AsyncEvaluateCVEScannerWorkerAction, self).__init__()
+
+@@ -680,7 +680,7 @@ class System(object):
+ return "Evaluate CVE Scanner Worker '%s'" % (self.worker)
+
+ def evaluate_cve_scanner_worker_async(self, worker):
+- return self.async.enqueue(
++ return self.async_manager.enqueue(
+ System.AsyncEvaluateCVEScannerWorkerAction(
+ self,
+ worker
+diff --git a/tests/unit/test_basic_update.py b/tests/unit/test_basic_update.py
+index 6f683e6..7f953f7 100755
+--- a/tests/unit/test_basic_update.py
++++ b/tests/unit/test_basic_update.py
+@@ -37,8 +37,9 @@ class BasicUpdateTest(unit_test_harness.APITest):
+ print(self.system.tasks)
+ self.system.schedule_tasks()
+
+- while len(self.system.async.actions) > 0:
++ while len(self.system.async_manager.actions) > 0:
+ time.sleep(1)
+
++
+ if __name__ == "__main__":
+ BasicUpdateTest.run()
+--
+2.7.4
+
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
index a6a9373ea..ca6e03079 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
@@ -9,7 +9,9 @@ LICENSE = "LGPL-2.1"
DEPENDS = "python3-dbus"
SRCREV = "f25b16afb6ac761fea13132ff406fba4cdfd2b76"
-SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git"
+SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git \
+ file://0001-Renamed-module-and-variables-to-get-rid-of-async.patch \
+ "
inherit setuptools3
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
index 7fa417de4..27d3d869a 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
@@ -19,6 +19,8 @@ S = "${WORKDIR}/git"
STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+OECMAKE_GENERATOR = "Unix Makefiles"
+
EXTRA_OECMAKE += "-DSSG_PRODUCT_CHROMIUM:BOOL=OFF"
EXTRA_OECMAKE += "-DSSG_PRODUCT_DEBIAN8:BOOL=OFF"
EXTRA_OECMAKE += "-DSSG_PRODUCT_FEDORA:BOOL=OFF"
diff --git a/meta-security/meta-tpm/conf/distro/include/maintainers.inc b/meta-security/meta-tpm/conf/distro/include/maintainers.inc
new file mode 100644
index 000000000..74c1a1812
--- /dev/null
+++ b/meta-security/meta-tpm/conf/distro/include/maintainers.inc
@@ -0,0 +1,39 @@
+# meta-tpm Maintainers File
+#
+# This file contains a list of recipe maintainers.
+#
+# Please submit any patches against recipes in meta to the
+# Yocto mail list (yocto@yoctoproject.org)
+#
+# If you have problems with or questions about a particular recipe, feel
+# free to contact the maintainer directly (cc:ing the appropriate mailing list
+# puts it in the archive and helps other people who might have the same
+# questions in the future), but please try to do the following first:
+#
+# - look in the Yocto Project Bugzilla
+# (http://bugzilla.yoctoproject.org/) to see if a problem has
+# already been reported
+#
+# The format is as a bitbake variable override for each recipe
+#
+# RECIPE_MAINTAINER_pn-<recipe name> = "Full Name <address@domain>"
+#
+# Please keep this list in alphabetical order.
+RECIPE_MAINTAINER_pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-pcr-extend = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm-quote-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libtpm = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-trousers = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-swtpm = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-openssl-tpm-engine = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-abrmd = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-totp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tcti-uefi = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-cryptsetup-tpm-incubator = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>"
+
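Review bot: The header says "Please keep this list in alphabetical order", but the entries that follow are not sorted (pcr-extend comes before libtpm, tpm2-tools after tpm2-tss), and the first entry, `RECIPE_MAINTAINER_pn-aircrack-ng`, does not look like a meta-tpm recipe at all — it appears to have been carried over from the meta-security maintainers file. Either sort the entries and drop the aircrack-ng line, or change the header to not promise an order it does not keep. A stale maintainer list is mostly harmless, but it is the file people consult when a TPM recipe needs a security update, so it should be accurate.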
diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
new file mode 100644
index 000000000..240a9b3ba
--- /dev/null
+++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -0,0 +1,43 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class Tpm2Test(OERuntimeTestCase):
+ def check_endlines(self, results, expected_endlines):
+ for line in results.splitlines():
+ for el in expected_endlines:
+ if line == el:
+ expected_endlines.remove(el)
+ break
+
+ if expected_endlines:
+ self.fail('Missing expected line endings:\n %s' % '\n '.join(expected_endlines))
+
+ @OEHasPackage(['tpm2.0-tss'])
+ @OEHasPackage(['tpm2-abrmd'])
+ @OEHasPackage(['tpm2.0-tools'])
+ @OEHasPackage(['ibmswtpm2'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_tpm2_sim(self):
+ cmds = [
+ 'tpm_server &',
+ 'tpm2-abrmd --allow-root --tcti=mssim &'
+ ]
+
+ for cmd in cmds:
+ status, output = self.target.run(cmd)
+ self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
+
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_sim'])
+ def test_tpm2(self):
+ (status, output) = self.target.run('tpm2_pcrlist')
+ expected_endlines = []
+ expected_endlines.append('sha1 :')
+ expected_endlines.append(' 0 : 0000000000000000000000000000000000000003')
+ expected_endlines.append(' 1 : 0000000000000000000000000000000000000000')
+
+ self.check_endlines(output, expected_endlines)
+
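Review bot: In `test_tpm2` the `status` returned by `self.target.run('tpm2_pcrlist')` is never checked, so a failing tool invocation is only caught indirectly by the missing-line comparison; add `self.assertEqual(status, 0, msg='\n'.join(['tpm2_pcrlist', output]))` before `check_endlines`. The preceding `test_tpm2_sim` starts `tpm_server` and `tpm2-abrmd` with a trailing `&`, so `status` there reflects only that the shell backgrounded the job, not that either daemon came up, and nothing waits for the broker to be listening before `tpm2_pcrlist` runs — a short poll (e.g. retry `tpm2_pcrlist` a few times with `time.sleep`) would make the dependency between the two tests deterministic. Note also that `--allow-root` runs the resource manager as root; that is acceptable for a simulator-only runtime test, but a comment saying so would stop it from being copied into an init script.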
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index c4c8fb22b..5ded3a2cc 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -9,10 +9,15 @@ PACKAGES = "packagegroup-security-tpm2"
SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support"
RDEPENDS_packagegroup-security-tpm2 = " \
- tpm2.0-tools \
+ tpm2-tools \
trousers \
libtss2 \
libtss2-tcti-device \
libtss2-tcti-mssim \
tpm2-abrmd \
+ tpm2-pkcs11 \
+ cryptsetup-tpm-incubator \
"
+
+RDEPENDS_packagegroup-security-tpm2_append_x86 = " tpm2-tcti-uefi"
+RDEPENDS_packagegroup-security-tpm2_append_x86-64 = " tpm2-tcti-uefi"
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb
index a930d7bc3..a88296046 100644
--- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb
@@ -2,8 +2,10 @@ SUMMARY = "LIBPM - Software TPM Library"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
-SRCREV = "4111bd1bcf721e6e7b5f11ed9c2b93083677aa25"
-SRC_URI = "git://github.com/stefanberger/libtpms.git"
+SRCREV = "9dc915572b51db0714640ba1ddf8cca9c0f24f05"
+SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-${PV}"
+
+PE = "1"
S = "${WORKDIR}/git"
inherit autotools-brokensep pkgconfig
@@ -11,6 +13,4 @@ inherit autotools-brokensep pkgconfig
PACKAGECONFIG ?= "openssl"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
-PV = "1.0+git${SRCPV}"
-
BBCLASSEXTEND = "native"
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb
index 3fe1393af..42de8b18e 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb
@@ -9,11 +9,12 @@ DEPENDS = "libtasn1 expect socat glib-2.0 net-tools-native libtpm libtpm-native"
# then swtpm_setup needs them at runtime
DEPENDS += "tpm-tools-native expect-native socat-native"
-SRCREV = "94bb9f2d716d09bcc6cd2a2e033018f8592008e7"
-SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=tpm2-preview.v2 \
+SRCREV = "d803d84575ab3e5dac316bf863c7f569a27ea35f"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-${PV} \
file://fix_fcntl_h.patch \
file://ioctl_h.patch \
"
+PE = "1"
S = "${WORKDIR}/git"
@@ -23,8 +24,9 @@ PARALLEL_MAKE = ""
TSS_USER="tss"
TSS_GROUP="tss"
-PACKAGECONFIG ?= "openssl cuse"
+PACKAGECONFIG ?= "openssl"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
@@ -39,12 +41,11 @@ GROUPADD_PARAM_${PN} = "--system ${TSS_USER}"
USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir \
--no-create-home --shell /bin/false ${BPN}"
+PACKAGE_BEFORE_PN = "${PN}-cuse"
+FILES_${PN}-cuse = "${bindir}/swtpm_cuse"
+
+INSANE_SKIP_${PN} += "dev-so"
+
RDEPENDS_${PN} = "libtpm expect socat bash tpm-tools"
BBCLASSEXTEND = "native nativesdk"
-
-python() {
- if 'cuse' in d.getVar('PACKAGECONFIG') and \
- 'filesystems-layer' not in d.getVar('BBFILE_COLLECTIONS').split():
- raise bb.parse.SkipRecipe('Cuse enabled which requires meta-filesystems to be present.')
-}
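Review bot: `INSANE_SKIP_${PN} += "dev-so"` in the last hunk silences the QA check that flags an unversioned `.so` in the main package, but nothing says which file triggers it; if it is a loadable module (presumably — the recipe also splits out `swtpm_cuse`), the usual fix is to package it explicitly (`FILES_${PN} += "${libdir}/swtpm/*.so"` or similar) rather than disable the check. At minimum add a comment naming the file so the skip can be revisited, e.g. `# swtpm installs an unversioned plugin .so in the main package; suppress the dev-so QA check`. Separately, removing the `SkipRecipe` check means a missing meta-filesystems layer now silently drops cuse support instead of failing the parse; that is a reasonable trade, but worth a one-line comment next to the new `BBFILE_COLLECTIONS` conditional.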
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb
deleted file mode 100644
index 3f40eb70e..000000000
--- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-SUMMARY = "Tools for TPM2."
-DESCRIPTION = "tpm2.0-tools"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=91b7c548d73ea16537799e8060cea819"
-SECTION = "tpm"
-
-DEPENDS = "pkgconfig tpm2.0-tss openssl curl autoconf-archive"
-
-SRCREV = "5e2f1aafc58e60c5050f85147a14914561f28ad9"
-
-SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools;branch=3.X"
-
-S = "${WORKDIR}/tpm2.0-tools"
-
-inherit autotools pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb b/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb
deleted file mode 100644
index 866791c29..000000000
--- a/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "TPM 2.0 Simulator Extraction Script"
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=1415f7be284540b81d9d28c67c1a6b8b"
-
-DEPENDS = "python"
-
-SRCREV = "e45324eba268723d39856111e7933c5c76238481"
-SRC_URI = "git://github.com/stwagnr/tpm2simulator.git"
-
-S = "${WORKDIR}/git"
-OECMAKE_SOURCEPATH = "${S}/cmake"
-
-inherit native lib_package cmake
-
-EXTRA_OECMAKE = " \
- -DCMAKE_BUILD_TYPE=Debug \
- -DSPEC_VERSION=138 \
-"
-
-do_configure_prepend () {
- sed -i 's/^SET = False/SET = True/' ${S}/scripts/settings.py
-}
diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
new file mode 100644
index 000000000..8b504453f
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
@@ -0,0 +1,41 @@
+SUMMARY = "An extension to cryptsetup/LUKS that enables use of the TPM 2.0 via tpm2-tss"
+DESCRIPTION = "Cryptsetup is utility used to conveniently setup disk encryption based on DMCrypt kernel module."
+
+SECTION = "security/tpm"
+LICENSE = "LGPL-2.1 | GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326 \
+ file://COPYING.LGPL;md5=1960515788100ce5f9c98ea78a65dc52 \
+ "
+
+DEPENDS = "autoconf-archive pkgconfig gettext libtss2-dev libdevmapper popt libgcrypt json-c"
+
+SRC_URI = "git://github.com/AndreasFuchsSIT/cryptsetup-tpm-incubator.git;branch=luks2tpm \
+ file://configure_fix.patch "
+
+SRCREV = "15c283195f19f1d980e39ba45448683d5e383179"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig gettext
+
+PACKAGECONFIG ??= "openssl"
+PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
+PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
+
+EXTRA_OECONF = "--enable-static"
+
+RRECOMMENDS_${PN} = "kernel-module-aes-generic \
+ kernel-module-dm-crypt \
+ kernel-module-md5 \
+ kernel-module-cbc \
+ kernel-module-sha256-generic \
+ kernel-module-xts \
+ "
+
+RDEPENDS_${PN} += "lvm2"
+RRECOMMENDS_${PN} += "lvm2-udevrules"
+
+RREPLACES_${PN} = "cryptsetup"
+RCONFLICTS_${PN} ="cryptsetup"
+
+BBCLASSEXTEND = "native nativesdk"
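Review bot: `RREPLACES_${PN} = "cryptsetup"` and `RCONFLICTS_${PN} ="cryptsetup"` make an experimental fork (branch `luks2tpm`, PV 0.9.9, pinned SRCREV) displace the distro's cryptsetup for every LUKS volume on an image that pulls packagegroup-security-tpm2, yet there is no `RPROVIDES_${PN} = "cryptsetup"`, so any other package that RDEPENDS on `cryptsetup` cannot be satisfied on such an image. If replacing the stock tool is intended, add `RPROVIDES_${PN} = "cryptsetup"` and a comment stating that this is an incubator fork tracking upstream cryptsetup; if not, drop RREPLACES/RCONFLICTS and let the fork install alongside. Also `DEPENDS` lists `libgcrypt` unconditionally although the gcrypt backend is a PACKAGECONFIG option, and the missing space in `RCONFLICTS_${PN} ="cryptsetup"` should be fixed for consistency with the line above.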
diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch
new file mode 100644
index 000000000..8c7b6da41
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch
@@ -0,0 +1,16 @@
+Upstream-Status: OE specific
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/configure.ac
+===================================================================
+--- git.orig/configure.ac
++++ git/configure.ac
+@@ -16,7 +16,7 @@ AC_CONFIG_HEADERS([config.h:config.h.in]
+
+ # For old automake use this
+ #AM_INIT_AUTOMAKE(dist-xz subdir-objects)
+-AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects])
++AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects foreign])
+
+ if test "x$prefix" = "xNONE"; then
+ sysconfdir=/etc
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1332.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1332.bb
new file mode 100644
index 000000000..a6068e65c
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1332.bb
@@ -0,0 +1,24 @@
+SUMMARY = "IBM's Software TPM 2.0"
+
+LICENSE = "BSD"
+SECTION = "securty/tpm"
+LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
+
+SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz"
+SRC_URI[md5sum] = "0ab34a655b4e09812d7ada19746af4f9"
+SRC_URI[sha256sum] = "8e8193af3d11d9ff6a951dda8cd1f4693cb01934a8ad7876b84e92c6148ab0fd"
+
+DEPENDS = "openssl"
+
+S = "${WORKDIR}/src"
+
+LDFLAGS = "${LDFALGS}"
+
+do_compile () {
+ make CC='${CC}'
+}
+
+do_install () {
+ install -d ${D}/${bindir}
+ install -m 0755 tpm_server ${D}/${bindir}
+}
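Review bot: `LDFLAGS = "${LDFALGS}"` is a typo that expands to an empty string, so the recipe clears the distro's link flags (including any hardening such as `-Wl,-z,relro,-z,now` or PIE that the distro security flags provide) for `tpm_server`; and since `do_compile` only runs `make CC='${CC}'`, neither CFLAGS nor LDFLAGS reach the Makefile anyway. Drop the LDFLAGS line and use `oe_runmake CC='${CC}' CFLAGS='${CFLAGS}' LDFLAGS='${LDFLAGS}'`, assuming the upstream Makefile honours those variables (verify; otherwise a patch to the Makefile is needed). `SECTION = "securty/tpm"` is also misspelled.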
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
index c8dfb7de3..c8dfb7de3 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
index 987978a66..987978a66 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.1.1.bb
index 63473790d..a4c66823f 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.1.1.bb
@@ -9,16 +9,17 @@ SECTION = "security/tpm"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
-DEPENDS = "autoconf-archive dbus glib-2.0 tpm2.0-tss glib-2.0-native \
+DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \
libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"
SRC_URI = "\
- git://github.com/01org/tpm2-abrmd.git \
+ git://github.com/tpm2-software/tpm2-abrmd.git \
file://tpm2-abrmd-init.sh \
file://tpm2-abrmd.default \
"
-SRCREV = "d0120ace58d97bc9520c0d558657eaca87ae73b1"
+
+SRCREV = "06d9d433ba27159687255406baa37940db15465b"
S = "${WORKDIR}/git"
@@ -49,6 +50,6 @@ do_install_append() {
FILES_${PN} += "${libdir}/systemd/system-preset \
${datadir}/dbus-1"
-RDEPENDS_${PN} += "tpm2.0-tss"
+RDEPENDS_${PN} += "tpm2-tss"
BBCLASSEXTEND = "native"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
new file mode 100644
index 000000000..d38e23777
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
@@ -0,0 +1,12 @@
+Upstream-Status: OE specific
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/bootstrap
+===================================================================
+--- git.orig/bootstrap
++++ git/bootstrap
+@@ -27,4 +27,3 @@ echo "Generating file lists: ${VARS_FILE
+ ) > ${VARS_FILE}
+
+ mkdir -p m4
+-${AUTORECONF} --install --sym $@
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb
new file mode 100644
index 000000000..9031e63e4
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb
@@ -0,0 +1,21 @@
+SUMMARY = "A PKCS#11 interface for TPM2 hardware"
+DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token."
+SECTION = "security/tpm"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b748af41ef1300c98e105b3b7ec4ecc1"
+
+DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git \
+ file://bootstrap_fixup.patch \
+ "
+
+SRCREV = "3107d89b406ecd9c007884613733c9a344ef6d39"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig
+
+do_configure_prepend () {
+ ${S}/bootstrap
+}
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
new file mode 100644
index 000000000..8a216cd45
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
@@ -0,0 +1,27 @@
+Upstream-Status: OE specific
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/configure.ac
+===================================================================
+--- git.orig/configure.ac
++++ git/configure.ac
+@@ -84,9 +84,6 @@ AC_ARG_WITH([efi-lds],
+ AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds file.]),
+ [],
+ [with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"])
+-AC_CHECK_FILE(["${with_efi_lds}"],
+- [],
+- [AC_MSG_ERROR([Missing file: ${with_efi_lds}.])])
+ EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}"
+
+ # path to object file from gnu-efi
+@@ -94,9 +91,6 @@ AC_ARG_WITH([efi-crt0],
+ AS_HELP_STRING([--with-efi-crt0=OBJ_PATH],[Path to gnu-efi crt0 object file.]),
+ [],
+ [with_efi_crt0="/usr/lib/crt0-efi-${ARCH}.o"])
+-AC_CHECK_FILE(["${with_efi_crt0}"],
+- [],
+- [AC_MSG_ERROR([Missing ${with_efi_crt0} file.])])
+ EXTRA_LDLIBS="${with_efi_crt0}"
+
+ # check for efi and gnuefi libraries
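Review bot: Deleting the two `AC_CHECK_FILE` blocks removes the only early check that the lds script and crt0 object exist, so a wrong `--with-efi-lds`/`--with-efi-crt0` now surfaces as a link error instead of a clear configure failure; the checks probably fail in a cross build because the defaults are host paths, which argues for fixing the defaults (or passing correct paths from the recipe) rather than dropping the check. The untouched `EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 ..."` line just below still adds host library directories, which is a host-contamination risk for a cross-compiled UEFI binary. A smaller patch would keep the checks and only make the default paths sysroot-aware, e.g. `[with_efi_lds="${libdir}/elf_${ARCH}_efi.lds"]`.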
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
new file mode 100644
index 000000000..815691dfe
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -0,0 +1,18 @@
+SUMMARY = "TCTI module for use with TSS2 libraries in UEFI environment"
+SECTION = "security/tpm"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
+ file://configure_oe_fixup.patch \
+ "
+SRCREV = "131889d12d2c7d8974711d2ebd1032cd32577b7f"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig
+
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+EXTRA_OECONF_append = " --with-efi-includedir=${STAGING_INCDIR}/efi --with-efi-lds=${STAGING_LIBDIR_NATIVE}/"
+RDEPENDS_${PN} = "gnu-efi"
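Review bot: `--with-efi-lds=${STAGING_LIBDIR_NATIVE}/` passes a directory (trailing slash, no file name) where configure.ac expects the path of the lds file, and it points at the native sysroot rather than the target one; `--with-efi-crt0` is not set at all, so configure's default `/usr/lib/crt0-efi-${ARCH}.o` is taken from the build host. Because the bundled patch removes the existence checks, neither mistake fails configure. Suggest `EXTRA_OECONF_append = " --with-efi-includedir=${STAGING_INCDIR}/efi --with-efi-lds=${STAGING_LIBDIR}/elf_${TARGET_ARCH}_efi.lds --with-efi-crt0=${STAGING_LIBDIR}/crt0-efi-${TARGET_ARCH}.o"`, confirming the arch token and install location gnu-efi uses for the target (`ia32` versus `i.86` for 32-bit x86).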
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb
new file mode 100644
index 000000000..1f1f5c606
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Tools for TPM2."
+DESCRIPTION = "tpm2-tools"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=91b7c548d73ea16537799e8060cea819"
+SECTION = "tpm"
+
+DEPENDS = "pkgconfig tpm2-tss openssl curl autoconf-archive"
+
+SRCREV = "74ba065e5914bc5d713ca3709d62a5751b097369"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-tools.git;branch=3.X"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/files/litpm2_totp_build_fix.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/files/litpm2_totp_build_fix.patch
new file mode 100644
index 000000000..c14705458
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/files/litpm2_totp_build_fix.patch
@@ -0,0 +1,36 @@
+C99 fixes:
+
+ src/libtpm2-totp.c:172:13: error: format '%li' expects argument of type 'long int', but argument 3 has type 'size_t' {aka 'unsigned int'} [-Werror=format=]
+| dbg("Calling Esys_GetRandom for %li bytes", SECRETLEN - *secret_size);
+
+src/tpm2-totp.c:343:23: error: format '%ld' expects argument of type 'long int', but argument 3 has type 'uint64_t' {aka 'long long unsigned int'} [-Werror=format=]
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/src/libtpm2-totp.c
+===================================================================
+--- git.orig/src/libtpm2-totp.c
++++ git/src/libtpm2-totp.c
+@@ -169,7 +169,7 @@ tpm2totp_generateKey(uint32_t pcrs, uint
+ if (rc != TPM2_RC_INITIALIZE) chkrc(rc, goto error);
+
+ while (*secret_size < SECRETLEN) {
+- dbg("Calling Esys_GetRandom for %li bytes", SECRETLEN - *secret_size);
++ dbg("Calling Esys_GetRandom for %li bytes", (long int) (SECRETLEN - *secret_size));
+ rc = Esys_GetRandom(ctx,
+ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+ SECRETLEN - *secret_size, &t);
+Index: git/src/tpm2-totp.c
+===================================================================
+--- git.orig/src/tpm2-totp.c
++++ git/src/tpm2-totp.c
+@@ -340,7 +340,7 @@ main(int argc, char **argv)
+ localtime (&now));
+ chkrc(rc, exit(1));
+ }
+- printf("%s%06ld", timestr, totp);
++ printf("%s%06ld", timestr, (long int)totp);
+ break;
+ case CMD_RESEAL:
+ rc = tpm2totp_loadKey_nv(opt.nvindex, &keyBlob, &keyBlob_size);
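Review bot: Both hunks satisfy `-Werror=format` by casting to `long int` instead of using the matching conversion: the first casts a `size_t` that `%zu` already handles, and the second narrows a `uint64_t` to `long`, which truncates on the 32-bit targets the patch header names as the ones that hit the error. Prefer `dbg("Calling Esys_GetRandom for %zu bytes", SECRETLEN - *secret_size);` and `printf("%s%06" PRIu64, timestr, totp);` (the latter needs `<inttypes.h>`, which I cannot see included from the hunk). A TOTP value fits in six digits, so the truncation is unlikely to matter in practice, but the portable form is no longer and avoids re-raising the warning with a different promotion.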
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb
new file mode 100644
index 000000000..bc94ab711
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb
@@ -0,0 +1,17 @@
+SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL."
+DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures."
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1"
+
+SECTION = "security/tpm"
+
+DEPENDS = "autoconf-archive libtss2-dev qrencode"
+
+SRCREV = "44fcb6819f79302d5a088b3def648616e3551d4a"
+SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git \
+ file://litpm2_totp_build_fix.patch "
+
+inherit autotools-brokensep pkgconfig
+
+S = "${WORKDIR}/git"
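Review bot: `SUMMARY` and `DESCRIPTION` describe tpm2-tss-engine ("implements a cryptographic engine for OpenSSL"), not this recipe; they appear to have been copied from the tpm2-tss-engine recipe added in the same commit. From the bundled patch (`tpm2totp_generateKey`, `Esys_GetRandom`, `CMD_RESEAL`, `tpm2totp_loadKey_nv`) the tool generates and seals a TOTP secret in the TPM, so something like `SUMMARY = "TPM 2.0 based time-based one-time password (TOTP) tool"` with a DESCRIPTION taken from the upstream README would be accurate — confirm the wording against upstream.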
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb
new file mode 100644
index 000000000..36530be2c
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb
@@ -0,0 +1,23 @@
+SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL."
+DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures."
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3fb0047fd29391478a71e8e6101c76eb"
+
+SECTION = "security/tpm"
+
+DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
+
+SRCREV = "bef89ec79cbb4c99963b0e336d9184827c545782"
+SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git"
+
+inherit autotools-brokensep pkgconfig systemd
+
+S = "${WORKDIR}/git"
+
+PACKAGES += "${PN}-engines ${PN}-engines-staticdev ${PN}-bash-completion"
+
+FILES_${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*"
+FILES_${PN}-engines = "${libdir}/engines-1.1/lib*.so*"
+FILES_${PN}-engines-staticdev = "${libdir}/engines-1.1/libtpm2tss.a"
+FILES_${PN}-bash-completion += "${datadir}/bash-completion/completions"
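Review bot: `FILES_${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*"` packages `tpm2tss.so` in the -dev package, but for an OpenSSL engine the unversioned `.so` under `engines-1.1` is the module OpenSSL dlopen's by exact name at runtime, not a development symlink; if that holds here, an image that installs only `${PN}` or `${PN}-engines` has no loadable engine. Suggest `FILES_${PN}-engines = "${libdir}/engines-1.1/*.so*"` and `FILES_${PN}-dev = "${includedir}/*"`, checked against the installed file list. Note also that `${PN}` itself gets no `FILES` in this hunk, so it may end up empty, and the `engines-1.1` path hard-codes the OpenSSL 1.1 layout.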
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4 b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
index d383ad5c6..d383ad5c6 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
index ecaca6ea5..ecaca6ea5 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb
index 9d1ff72f3..78bdeebe0 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb
@@ -1,19 +1,22 @@
SUMMARY = "Software stack for TPM2."
-DESCRIPTION = "tpm2.0-tss like woah."
+DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) "
LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=0b1d631c4218b72f6b05cb58613606f4"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
SECTION = "tpm"
-DEPENDS = "autoconf-archive-native libgcrypt"
+DEPENDS = "autoconf-archive-native libgcrypt openssl"
-SRCREV = "dc31e8dca9dbc77d16e419dc514ce8c526cd3351"
+SRCREV = "eb69e13559f20a0b49002a685c6f4a39be9503e2"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.0.x"
+SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x"
inherit autotools-brokensep pkgconfig systemd
S = "${WORKDIR}/git"
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
+
do_configure_prepend () {
./bootstrap
}
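Review bot: `PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "` looks like a typo for `doxygen`, and its enable side is empty, so turning the feature on passes no flag and pulls in no `doxygen-native`; as written its only effect is that the default empty `PACKAGECONFIG` always adds `--disable-doxygen-doc`. Suggest `PACKAGECONFIG[doxygen] = "--enable-doxygen-doc,--disable-doxygen-doc,doxygen-native"` (confirm the option names for the 2.2.x configure). A comment saying that documentation is deliberately off by default would make the intent clear to the next person bumping the version.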
@@ -72,3 +75,5 @@ FILES_libtss2-dev = " \
FILES_libtss2-staticdev = "${libdir}/libtss*a"
FILES_${PN} = "${libdir}/udev"
+
+RDEPENDS_libtss2 = "libgcrypt"
diff --git a/meta-security/recipes-security/samhain/files/run-ptest b/meta-security/recipes-ids/samhain/files/run-ptest
index 2a4a76530..2a4a76530 100755
--- a/meta-security/recipes-security/samhain/files/run-ptest
+++ b/meta-security/recipes-ids/samhain/files/run-ptest
diff --git a/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch b/meta-security/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
index 088a938e3..088a938e3 100644
--- a/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch b/meta-security/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
index 6bf67e09b..6bf67e09b 100644
--- a/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-client.default b/meta-security/recipes-ids/samhain/files/samhain-client.default
index 9899577ae..9899577ae 100644
--- a/meta-security/recipes-security/samhain/files/samhain-client.default
+++ b/meta-security/recipes-ids/samhain/files/samhain-client.default
diff --git a/meta-security/recipes-security/samhain/files/samhain-client.init b/meta-security/recipes-ids/samhain/files/samhain-client.init
index d5fabeded..d5fabeded 100644
--- a/meta-security/recipes-security/samhain/files/samhain-client.init
+++ b/meta-security/recipes-ids/samhain/files/samhain-client.init
diff --git a/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch b/meta-security/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch
index 8de0735fc..8de0735fc 100644
--- a/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch b/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch
index 7f80a5c61..7f80a5c61 100644
--- a/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch b/meta-security/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
index 060866068..060866068 100644
--- a/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch b/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
index 528431311..528431311 100644
--- a/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-pid-path.patch b/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch
index 592bd165f..592bd165f 100644
--- a/meta-security/recipes-security/samhain/files/samhain-pid-path.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch b/meta-security/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
index dad6b150e..dad6b150e 100644
--- a/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch b/meta-security/recipes-ids/samhain/files/samhain-samhainrc.patch
index 145700a0e..145700a0e 100644
--- a/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-samhainrc.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-server-volatiles b/meta-security/recipes-ids/samhain/files/samhain-server-volatiles
index 6b8070936..6b8070936 100644
--- a/meta-security/recipes-security/samhain/files/samhain-server-volatiles
+++ b/meta-security/recipes-ids/samhain/files/samhain-server-volatiles
diff --git a/meta-security/recipes-security/samhain/files/samhain-server.default b/meta-security/recipes-ids/samhain/files/samhain-server.default
index bc3d67cde..bc3d67cde 100644
--- a/meta-security/recipes-security/samhain/files/samhain-server.default
+++ b/meta-security/recipes-ids/samhain/files/samhain-server.default
diff --git a/meta-security/recipes-security/samhain/files/samhain-server.init b/meta-security/recipes-ids/samhain/files/samhain-server.init
index c456e51c9..c456e51c9 100644
--- a/meta-security/recipes-security/samhain/files/samhain-server.init
+++ b/meta-security/recipes-ids/samhain/files/samhain-server.init
diff --git a/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch b/meta-security/recipes-ids/samhain/files/samhain-sha256-big-endian.patch
index 3065c7309..3065c7309 100644
--- a/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-sha256-big-endian.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-standalone.default b/meta-security/recipes-ids/samhain/files/samhain-standalone.default
index 507a59f29..507a59f29 100644
--- a/meta-security/recipes-security/samhain/files/samhain-standalone.default
+++ b/meta-security/recipes-ids/samhain/files/samhain-standalone.default
diff --git a/meta-security/recipes-security/samhain/files/samhain-standalone.init b/meta-security/recipes-ids/samhain/files/samhain-standalone.init
index 2f23bffd9..2f23bffd9 100644
--- a/meta-security/recipes-security/samhain/files/samhain-standalone.init
+++ b/meta-security/recipes-ids/samhain/files/samhain-standalone.init
diff --git a/meta-security/recipes-security/samhain/files/samhain.service b/meta-security/recipes-ids/samhain/files/samhain.service
index e4f216ab4..e4f216ab4 100644
--- a/meta-security/recipes-security/samhain/files/samhain.service
+++ b/meta-security/recipes-ids/samhain/files/samhain.service
diff --git a/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb b/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb
index 812408e5e..812408e5e 100644
--- a/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb
+++ b/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb
diff --git a/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb b/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb
index 9341d4440..9341d4440 100644
--- a/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb
+++ b/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb
diff --git a/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb b/meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb
index 4fed9e9e9..4fed9e9e9 100644
--- a/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb
+++ b/meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb
diff --git a/meta-security/recipes-security/samhain/samhain.inc b/meta-security/recipes-ids/samhain/samhain.inc
index 944bf0d0b..1b9af39ce 100644
--- a/meta-security/recipes-security/samhain/samhain.inc
+++ b/meta-security/recipes-ids/samhain/samhain.inc
@@ -19,8 +19,8 @@ SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
file://samhain.service \
"
-SRC_URI[md5sum] = "a00e99375675fc6e50cca3e208f5207e"
-SRC_URI[sha256sum] = "8551dc3b0851889a2b979097e9c02309b40d48b4659f02efe7fe525ce8361a0d"
+SRC_URI[md5sum] = "eae4674164d7c78f5bb39c72b7029c8b"
+SRC_URI[sha256sum] = "0582864ef56ab796031e8e611ed66c48adeb3a30ec34e1a8d0088572442035fc"
UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
@@ -117,6 +117,7 @@ do_configure () {
--enable-network=${SAMHAIN_MODE} \
--with-pid-file=${localstatedir}/run/samhain.pid \
--with-data-file=${localstatedir}/lib/samhain/samhain_file \
+ --disable-dnmalloc \
${EXTRA_OECONF}
}
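Review bot: `--disable-dnmalloc` is added without any rationale in the recipe or the commit message. dnmalloc is, as far as I know, samhain's bundled hardened allocator, so disabling it unconditionally gives up a mitigation rather than just a build option; the rename list in this chunk still carries `samhain-mips64-aarch64-dnmalloc-hash-fix.patch`, which suggests a portability problem may be the motivation, but a reader cannot tell. A comment above the flag such as `# dnmalloc disabled: <reason> — revisit when <condition>` (placeholders to be filled in) would record the trade-off. `do_configure` starts outside this hunk.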
diff --git a/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz b/meta-security/recipes-ids/suricata/files/emerging.rules.tar.gz
index aed375474..aed375474 100644
--- a/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz
+++ b/meta-security/recipes-ids/suricata/files/emerging.rules.tar.gz
Binary files differ
diff --git a/meta-security/recipes-security/suricata/files/no_libhtp_build.patch b/meta-security/recipes-ids/suricata/files/no_libhtp_build.patch
index 2ebf021fc..2ebf021fc 100644
--- a/meta-security/recipes-security/suricata/files/no_libhtp_build.patch
+++ b/meta-security/recipes-ids/suricata/files/no_libhtp_build.patch
diff --git a/meta-security/recipes-security/suricata/files/run-ptest b/meta-security/recipes-ids/suricata/files/run-ptest
index 666ba9c95..666ba9c95 100644
--- a/meta-security/recipes-security/suricata/files/run-ptest
+++ b/meta-security/recipes-ids/suricata/files/run-ptest
diff --git a/meta-security/recipes-security/suricata/files/suricata.service b/meta-security/recipes-ids/suricata/files/suricata.service
index a99a76ef8..a99a76ef8 100644
--- a/meta-security/recipes-security/suricata/files/suricata.service
+++ b/meta-security/recipes-ids/suricata/files/suricata.service
diff --git a/meta-security/recipes-security/suricata/files/suricata.yaml b/meta-security/recipes-ids/suricata/files/suricata.yaml
index 8d06a2744..8d06a2744 100644
--- a/meta-security/recipes-security/suricata/files/suricata.yaml
+++ b/meta-security/recipes-ids/suricata/files/suricata.yaml
diff --git a/meta-security/recipes-security/suricata/files/volatiles.03_suricata b/meta-security/recipes-ids/suricata/files/volatiles.03_suricata
index 4627bd3b0..4627bd3b0 100644
--- a/meta-security/recipes-security/suricata/files/volatiles.03_suricata
+++ b/meta-security/recipes-ids/suricata/files/volatiles.03_suricata
diff --git a/meta-security/recipes-security/suricata/libhtp_0.5.27.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.29.bb
index 8305f7010..8305f7010 100644
--- a/meta-security/recipes-security/suricata/libhtp_0.5.27.bb
+++ b/meta-security/recipes-ids/suricata/libhtp_0.5.29.bb
diff --git a/meta-security/recipes-security/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc
index 1f421210d..7be403ccb 100644
--- a/meta-security/recipes-security/suricata/suricata.inc
+++ b/meta-security/recipes-ids/suricata/suricata.inc
@@ -2,8 +2,8 @@ HOMEPAGE = "http://suricata-ids.org/"
SECTION = "security Monitor/Admin"
LICENSE = "GPLv2"
-VER = "4.0.5"
+VER = "4.1.3"
SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-SRC_URI[md5sum] = "ea0cb823d6a86568152f75ade6de442f"
-SRC_URI[sha256sum] = "74dacb4359d57fbd3452e384eeeb1dd77b6ae00f02e9994ad5a7b461d5f4c6c2"
+SRC_URI[md5sum] = "35c4a8e6be3910831649a073950195df"
+SRC_URI[sha256sum] = "6cda6c80b753ce36483c6be535358b971f3890b9aa27a58c2d2f7e89dd6c6aa0"
diff --git a/meta-security/recipes-security/suricata/suricata_4.0.5.bb b/meta-security/recipes-ids/suricata/suricata_4.1.3.bb
index 6c0a109be..d6f5937d1 100644
--- a/meta-security/recipes-security/suricata/suricata_4.0.5.bb
+++ b/meta-security/recipes-ids/suricata/suricata_4.1.3.bb
@@ -16,7 +16,7 @@ SRC_URI += " \
SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33"
SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798"
-inherit autotools-brokensep pkgconfig python-dir systemd ptest
+inherit autotools-brokensep pkgconfig python3-dir systemd ptest
CFLAGS += "-D_DEFAULT_SOURCE"
@@ -26,6 +26,7 @@ CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create
EXTRA_OECONF += " --disable-debug \
--enable-non-bundled-htp \
--disable-gccmarch-native \
+ --disable-suricata-update \
"
PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
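Review bot: `--disable-suricata-update` removes the rule-update tooling with no note on why, and the only remaining rule source is the bundled `emerging.rules.tar.gz` pinned at fixed checksums in the preceding hunk, so the IDS ships with a signature set that will not be refreshed on target. If this is a build-time decision (avoiding an extra Python dependency, for example), a one-line comment beside the flag, e.g. `# suricata-update disabled: rules come only from the pinned emerging.rules tarball`, would make that limitation visible to integrators who expect rules to stay current.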
@@ -44,7 +45,7 @@ PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-li
PACKAGECONFIG[file] = ",,file, file"
PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3"
PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
export logdir = "${localstatedir}/log"
diff --git a/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch b/meta-security/recipes-ids/tripwire/files/add_armeb_arch.patch
index 2379d6654..2379d6654 100644
--- a/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch
+++ b/meta-security/recipes-ids/tripwire/files/add_armeb_arch.patch
diff --git a/meta-security/recipes-security/tripwire/files/run-ptest b/meta-security/recipes-ids/tripwire/files/run-ptest
index aedfddc59..aedfddc59 100644
--- a/meta-security/recipes-security/tripwire/files/run-ptest
+++ b/meta-security/recipes-ids/tripwire/files/run-ptest
diff --git a/meta-security/recipes-security/tripwire/files/tripwire.cron b/meta-security/recipes-ids/tripwire/files/tripwire.cron
index 2035508d7..2035508d7 100644
--- a/meta-security/recipes-security/tripwire/files/tripwire.cron
+++ b/meta-security/recipes-ids/tripwire/files/tripwire.cron
diff --git a/meta-security/recipes-security/tripwire/files/tripwire.sh b/meta-security/recipes-ids/tripwire/files/tripwire.sh
index 4276d10eb..4276d10eb 100644
--- a/meta-security/recipes-security/tripwire/files/tripwire.sh
+++ b/meta-security/recipes-ids/tripwire/files/tripwire.sh
diff --git a/meta-security/recipes-security/tripwire/files/tripwire.txt b/meta-security/recipes-ids/tripwire/files/tripwire.txt
index 332d00420..332d00420 100644
--- a/meta-security/recipes-security/tripwire/files/tripwire.txt
+++ b/meta-security/recipes-ids/tripwire/files/tripwire.txt
diff --git a/meta-security/recipes-security/tripwire/files/twcfg.txt b/meta-security/recipes-ids/tripwire/files/twcfg.txt
index 224e9201e..224e9201e 100644
--- a/meta-security/recipes-security/tripwire/files/twcfg.txt
+++ b/meta-security/recipes-ids/tripwire/files/twcfg.txt
diff --git a/meta-security/recipes-security/tripwire/files/twinstall.sh b/meta-security/recipes-ids/tripwire/files/twinstall.sh
index 7d1b63fe5..7d1b63fe5 100644
--- a/meta-security/recipes-security/tripwire/files/twinstall.sh
+++ b/meta-security/recipes-ids/tripwire/files/twinstall.sh
diff --git a/meta-security/recipes-security/tripwire/files/twpol-yocto.txt b/meta-security/recipes-ids/tripwire/files/twpol-yocto.txt
index 65f5f7500..65f5f7500 100644
--- a/meta-security/recipes-security/tripwire/files/twpol-yocto.txt
+++ b/meta-security/recipes-ids/tripwire/files/twpol-yocto.txt
diff --git a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
index 59d1f35c5..c26392a04 100644
--- a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb
+++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -6,7 +6,7 @@ SECTION = "security Monitor/Admin"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127"
-SRCREV = "80db91b4c1ca4be9efafd2286e3b2ad32ba4c34c"
+SRCREV = "6e64a9e5b70a909ec439bc5a099e3fcf38c614b0"
SRC_URI = "\
git://github.com/Tripwire/tripwire-open-source.git \
@@ -62,6 +62,7 @@ do_install () {
do_install_ptest_append () {
install -d ${D}${PTEST_PATH}/tests
cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH}
+ sed -i -e 's@../../../../bin@${sbindir}@' ${D}${PTEST_PATH}/twtools.pm
}
FILES_${PN} += "${libdir} ${docdir}/${PN}/*"
@@ -70,4 +71,4 @@ FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a"
FILES_${PN}-ptest += "${PTEST_PATH}/tests "
RDEPENDS_${PN} += " perl nano msmtp cronie"
-RDEPENDS_${PN}-ptest = " perl lib-perl"
+RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules "
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
new file mode 100644
index 000000000..b5f9bb2a6
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
@@ -0,0 +1,15 @@
+CONFIG_AUDIT=y
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
+CONFIG_SECURITY_PATH=y
+# CONFIG_SECURITY_SELINUX is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="apparmor"
+CONFIG_AUDIT_GENERIC=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg
new file mode 100644
index 000000000..fc3574015
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg
new file mode 100644
index 000000000..b5c48454e
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg
@@ -0,0 +1,2 @@
+CONFIG_DEFAULT_SECURITY="smack"
+CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
new file mode 100644
index 000000000..62f465a45
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
@@ -0,0 +1,8 @@
+CONFIG_IP_NF_SECURITY=m
+CONFIG_IP6_NF_SECURITY=m
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_SMACK=y
+CONFIG_TMPFS_XATTR=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
index 1dc4168ee..b5f9bb2a6 100644
--- a/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
+++ b/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
@@ -1,13 +1,15 @@
CONFIG_AUDIT=y
-CONFIG_AUDITSYSCALL=y
-CONFIG_AUDIT_WATCH=y
-CONFIG_AUDIT_TREE=y
# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_PATH=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="apparmor"
+CONFIG_AUDIT_GENERIC=y
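Review bot: The fragment drops `CONFIG_AUDITSYSCALL=y` (together with `AUDIT_WATCH` and `AUDIT_TREE`) while keeping `CONFIG_AUDIT=y`, which leaves syscall-level auditing — what auditd rules and file watches depend on — to whatever the Kconfig default happens to be. The removal of the `AUDIT_WATCH`/`AUDIT_TREE` options in newer kernels may be the reason, but this file is the one applied to the 4.% kernels, and the new `linux-yocto-5.0/apparmor.cfg` earlier in the chunk has the same shape. I believe recent kernels default AUDITSYSCALL on when AppArmor is selected; if that is what is being relied on, a comment such as `# AUDITSYSCALL left to the Kconfig default (on when SECURITY_APPARMOR=y)` would stop a later reader from taking this as an intentional audit downgrade, otherwise `CONFIG_AUDITSYSCALL=y` should be restored.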
diff --git a/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
new file mode 100644
index 000000000..fc3574015
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
index 067be8fe1..321392c0b 100644
--- a/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -2,6 +2,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI += "\
${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \
"
SRC_URI += "\
diff --git a/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend
new file mode 100644
index 000000000..f810e2112
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend
@@ -0,0 +1,11 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-5.0:"
+
+SRC_URI += "\
+ ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \
+"
+
+SRC_URI += "\
+ ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \
+"
diff --git a/meta-security/recipes-security/AppArmor/apparmor_2.12.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb
index e3f8dc99c..62ed61148 100644
--- a/meta-security/recipes-security/AppArmor/apparmor_2.12.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb
@@ -24,18 +24,15 @@ SRC_URI = " \
file://run-ptest \
"
-SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833"
-SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056"
+SRC_URI[md5sum] = "2439b35266b5a3a461b0a2dba6e863c3"
+SRC_URI[sha256sum] = "844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30"
PARALLEL_MAKE = ""
-inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan
-inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd
-S = "${WORKDIR}/apparmor-${PV}"
-
-PACKAGECONFIG ?="man python perl"
-PACKAGECONFIG[man] = "--enable-man-pages, --disable-man-pages"
+PACKAGECONFIG ??= "python perl"
+PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
PACKAGECONFIG[apache2] = ",,apache2,"
@@ -50,8 +47,7 @@ python() {
raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
}
-CONFIGUREOPTS_remove = "--disable-static"
-EXTRA_OECONF_append = " --enable-static"
+DISABLE_STATIC = ""
do_configure() {
cd ${S}/libraries/libapparmor
@@ -60,11 +56,16 @@ do_configure() {
libtoolize --automake -c --force
automake -ac
./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
- sed -i -e 's#^YACC.*#YACC := bison#' ${S}/parser/Makefile
- sed -i -e 's#^LEX.*#LEX := flex#' ${S}/parser/Makefile
}
do_compile () {
+ # Fixes:
+ # | sed -ie 's///g' Makefile.perl
+ # | sed: -e expression #1, char 0: no previous regular expression
+ #| Makefile:478: recipe for target 'Makefile.perl' failed
+ sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
+
+
oe_runmake -C ${B}/libraries/libapparmor
oe_runmake -C ${B}/binutils
oe_runmake -C ${B}/utils
@@ -90,6 +91,11 @@ do_install () {
oe_runmake -C ${B}/parser DESTDIR="${D}" install
oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+ # If perl is disabled this script won't be any good
+ if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-notify
+ fi
+
if test -z "${HTTPD}" ; then
oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
fi
@@ -104,11 +110,8 @@ do_install () {
install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
install ${WORKDIR}/functions ${D}/lib/apparmor
- if [ "${VIRTUAL-RUNTIME_init_manager}" = "systemd" ]; then
- install -d ${D}${systemd_system_unitdir}
- install ${WORKDIR}/apparmor.service \
- ${D}${systemd_system_unitdir}
- fi
+ install -d ${D}${systemd_system_unitdir}
+ install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
}
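Review bot: The systemd unit is now installed unconditionally, but whether it runs is still governed by the unchanged `SYSTEMD_AUTO_ENABLE = "disable"` visible in the next hunk, so on a systemd image the profiles are likely not loaded at boot unless the integrator enables the service explicitly; combined with the new `apparmor_on_boot.cfg` switching the LSM on in the kernel, that gives a kernel with AppArmor active and nothing enforced. A short comment next to the install, e.g. `# unit is installed but intentionally not auto-enabled; see SYSTEMD_AUTO_ENABLE`, would make that expectation explicit. `do_install` begins outside this hunk.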
do_compile_ptest () {
@@ -146,14 +149,12 @@ SYSTEMD_PACKAGES = "${PN}"
SYSTEMD_SERVICE_${PN} = "apparmor.service"
SYSTEMD_AUTO_ENABLE = "disable"
-PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'mod-${PN}', '', d)}"
+PACKAGES += "mod-${PN}"
FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-ALLOW_EMPTY_${PN} = "1"
-
RDEPENDS_${PN} += "bash lsb"
RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}"
RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
-RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib"
+RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
diff --git a/meta-security/recipes-security/AppArmor/files/apparmor b/meta-security/recipes-mac/AppArmor/files/apparmor
index ac3ab9a4a..ac3ab9a4a 100644
--- a/meta-security/recipes-security/AppArmor/files/apparmor
+++ b/meta-security/recipes-mac/AppArmor/files/apparmor
diff --git a/meta-security/recipes-security/AppArmor/files/apparmor.rc b/meta-security/recipes-mac/AppArmor/files/apparmor.rc
index 1507d7b5f..1507d7b5f 100644
--- a/meta-security/recipes-security/AppArmor/files/apparmor.rc
+++ b/meta-security/recipes-mac/AppArmor/files/apparmor.rc
diff --git a/meta-security/recipes-security/AppArmor/files/apparmor.service b/meta-security/recipes-mac/AppArmor/files/apparmor.service
index e66afe4e1..e66afe4e1 100644
--- a/meta-security/recipes-security/AppArmor/files/apparmor.service
+++ b/meta-security/recipes-mac/AppArmor/files/apparmor.service
diff --git a/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch b/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
index ef55de717..ef55de717 100644
--- a/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch
+++ b/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
diff --git a/meta-security/recipes-security/AppArmor/files/disable_pdf.patch b/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch
index c6b4bddc2..c6b4bddc2 100644
--- a/meta-security/recipes-security/AppArmor/files/disable_pdf.patch
+++ b/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch
diff --git a/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch b/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch
index cf2640fce..cf2640fce 100644
--- a/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch
+++ b/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch
diff --git a/meta-security/recipes-security/AppArmor/files/functions b/meta-security/recipes-mac/AppArmor/files/functions
index cef8cfe7d..cef8cfe7d 100644
--- a/meta-security/recipes-security/AppArmor/files/functions
+++ b/meta-security/recipes-mac/AppArmor/files/functions
diff --git a/meta-security/recipes-security/AppArmor/files/run-ptest b/meta-security/recipes-mac/AppArmor/files/run-ptest
index 3b8e427eb..3b8e427eb 100644
--- a/meta-security/recipes-security/AppArmor/files/run-ptest
+++ b/meta-security/recipes-mac/AppArmor/files/run-ptest
diff --git a/meta-security/recipes-security/smack/files/run-ptest b/meta-security/recipes-mac/smack/files/run-ptest
index 049a9b47a..049a9b47a 100644
--- a/meta-security/recipes-security/smack/files/run-ptest
+++ b/meta-security/recipes-mac/smack/files/run-ptest
diff --git a/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch b/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch
index 4d677e751..4d677e751 100644
--- a/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch
+++ b/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch
diff --git a/meta-security/recipes-security/smack/smack_1.3.1.bb b/meta-security/recipes-mac/smack/smack_1.3.1.bb
index 246562afe..246562afe 100644
--- a/meta-security/recipes-security/smack/smack_1.3.1.bb
+++ b/meta-security/recipes-mac/smack/smack_1.3.1.bb
diff --git a/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb b/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
index d9af4300a..71857ab3e 100644
--- a/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
+++ b/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
@@ -24,4 +24,6 @@ do_install() {
oe_runmake install DESTDIR=${D} INSTALLDIR=${PERLLIBDIRS}/vendor_perl/${PERLVERSION} MANDIR=${datadir}/perl/${PERLVERSION}
}
+FILES_${PN} += "${datadir}/perl"
+
BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/checksec/checksec_1.11.bb b/meta-security/recipes-security/checksec/checksec_1.11.bb
new file mode 100644
index 000000000..59a67bd65
--- /dev/null
+++ b/meta-security/recipes-security/checksec/checksec_1.11.bb
@@ -0,0 +1,19 @@
+SUMMARY = "Linux system security checks"
+DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used."
+SECTION = "security"
+LICENSE = "BSD"
+HOMEPAGE="https://github.com/slimm609/checksec.sh"
+
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a"
+
+SRCREV = "a57e03c4f62dbaca0ec949bbc58491fb0c461447"
+SRC_URI = "git://github.com/slimm609/checksec.sh"
+
+S = "${WORKDIR}/git"
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 ${S}/checksec ${D}${bindir}
+}
+
+RDEPENDS_${PN} = "bash openssl-bin"
diff --git a/meta-security/recipes-security/checksec/checksec_1.5.bb b/meta-security/recipes-security/checksec/checksec_1.5.bb
deleted file mode 100644
index 07f0f7c79..000000000
--- a/meta-security/recipes-security/checksec/checksec_1.5.bb
+++ /dev/null
@@ -1,18 +0,0 @@
-SUMMARY = "Program radominization"
-DESCRIPTION = "The checksec.sh script is designed to test what standard Linux OS and PaX security features are being used."
-SECTION = "security"
-LICENSE = "BSD"
-HOMEPAGE="http://www.trapkit.de/tools/checksec.html"
-
-LIC_FILES_CHKSUM = "file://checksec.sh;md5=075996be339ab16ad7b94d6de3ee07bd"
-
-SRC_URI = "file://checksec.sh"
-
-S = "${WORKDIR}"
-
-do_install() {
- install -d ${D}${bindir}
- install -m 0755 ${WORKDIR}/checksec.sh ${D}${bindir}
-}
-
-RDEPENDS_${PN} = "bash"
diff --git a/meta-security/recipes-security/checksec/files/checksec.sh b/meta-security/recipes-security/checksec/files/checksec.sh
deleted file mode 100644
index dd1f72e54..000000000
--- a/meta-security/recipes-security/checksec/files/checksec.sh
+++ /dev/null
@@ -1,882 +0,0 @@
-#!/bin/bash
-#
-# The BSD License (http://www.opensource.org/licenses/bsd-license.php)
-# specifies the terms and conditions of use for checksec.sh:
-#
-# Copyright (c) 2009-2011, Tobias Klein.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in
-# the documentation and/or other materials provided with the
-# distribution.
-# * Neither the name of Tobias Klein nor the name of trapkit.de may be
-# used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
-# OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
-# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
-# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-# DAMAGE.
-#
-# Name : checksec.sh
-# Version : 1.5
-# Author : Tobias Klein
-# Date : November 2011
-# Download: http://www.trapkit.de/tools/checksec.html
-# Changes : http://www.trapkit.de/tools/checksec_changes.txt
-#
-# Description:
-#
-# Modern Linux distributions offer some mitigation techniques to make it
-# harder to exploit software vulnerabilities reliably. Mitigations such
-# as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout
-# Randomization (ASLR) and Position Independent Executables (PIE) have
-# made reliably exploiting any vulnerabilities that do exist far more
-# challenging. The checksec.sh script is designed to test what *standard*
-# Linux OS and PaX (http://pax.grsecurity.net/) security features are being
-# used.
-#
-# As of version 1.3 the script also lists the status of various Linux kernel
-# protection mechanisms.
-#
-# Credits:
-#
-# Thanks to Brad Spengler (grsecurity.net) for the PaX support.
-# Thanks to Jon Oberheide (jon.oberheide.org) for the kernel support.
-# Thanks to Ollie Whitehouse (Research In Motion) for rpath/runpath support.
-#
-# Others that contributed to checksec.sh (in no particular order):
-#
-# Simon Ruderich, Denis Scherbakov, Stefan Kuttler, Radoslaw Madej,
-# Anthony G. Basile, Martin Vaeth and Brian Davis.
-#
-
-# global vars
-have_readelf=1
-verbose=false
-
-# FORTIFY_SOURCE vars
-FS_end=_chk
-FS_cnt_total=0
-FS_cnt_checked=0
-FS_cnt_unchecked=0
-FS_chk_func_libc=0
-FS_functions=0
-FS_libc=0
-
-# version information
-version() {
- echo "checksec v1.5, Tobias Klein, www.trapkit.de, November 2011"
- echo
-}
-
-# help
-help() {
- echo "Usage: checksec [OPTION]"
- echo
- echo "Options:"
- echo
- echo " --file <executable-file>"
- echo " --dir <directory> [-v]"
- echo " --proc <process name>"
- echo " --proc-all"
- echo " --proc-libs <process ID>"
- echo " --kernel"
- echo " --fortify-file <executable-file>"
- echo " --fortify-proc <process ID>"
- echo " --version"
- echo " --help"
- echo
- echo "For more information, see:"
- echo " http://www.trapkit.de/tools/checksec.html"
- echo
-}
-
-# check if command exists
-command_exists () {
- type $1 > /dev/null 2>&1;
-}
-
-# check if directory exists
-dir_exists () {
- if [ -d $1 ] ; then
- return 0
- else
- return 1
- fi
-}
-
-# check user privileges
-root_privs () {
- if [ $(/usr/bin/id -u) -eq 0 ] ; then
- return 0
- else
- return 1
- fi
-}
-
-# check if input is numeric
-isNumeric () {
- echo "$@" | grep -q -v "[^0-9]"
-}
-
-# check if input is a string
-isString () {
- echo "$@" | grep -q -v "[^A-Za-z]"
-}
-
-# check file(s)
-filecheck() {
- # check for RELRO support
- if readelf -l $1 2>/dev/null | grep -q 'GNU_RELRO'; then
- if readelf -d $1 2>/dev/null | grep -q 'BIND_NOW'; then
- echo -n -e '\033[32mFull RELRO \033[m '
- else
- echo -n -e '\033[33mPartial RELRO\033[m '
- fi
- else
- echo -n -e '\033[31mNo RELRO \033[m '
- fi
-
- # check for stack canary support
- if readelf -s $1 2>/dev/null | grep -q '__stack_chk_fail'; then
- echo -n -e '\033[32mCanary found \033[m '
- else
- echo -n -e '\033[31mNo canary found\033[m '
- fi
-
- # check for NX support
- if readelf -W -l $1 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
- echo -n -e '\033[31mNX disabled\033[m '
- else
- echo -n -e '\033[32mNX enabled \033[m '
- fi
-
- # check for PIE support
- if readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then
- echo -n -e '\033[31mNo PIE \033[m '
- elif readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
- if readelf -d $1 2>/dev/null | grep -q '(DEBUG)'; then
- echo -n -e '\033[32mPIE enabled \033[m '
- else
- echo -n -e '\033[33mDSO \033[m '
- fi
- else
- echo -n -e '\033[33mNot an ELF file\033[m '
- fi
-
- # check for rpath / run path
- if readelf -d $1 2>/dev/null | grep -q 'rpath'; then
- echo -n -e '\033[31mRPATH \033[m '
- else
- echo -n -e '\033[32mNo RPATH \033[m '
- fi
-
- if readelf -d $1 2>/dev/null | grep -q 'runpath'; then
- echo -n -e '\033[31mRUNPATH \033[m '
- else
- echo -n -e '\033[32mNo RUNPATH \033[m '
- fi
-}
-
-# check process(es)
-proccheck() {
- # check for RELRO support
- if readelf -l $1/exe 2>/dev/null | grep -q 'Program Headers'; then
- if readelf -l $1/exe 2>/dev/null | grep -q 'GNU_RELRO'; then
- if readelf -d $1/exe 2>/dev/null | grep -q 'BIND_NOW'; then
- echo -n -e '\033[32mFull RELRO \033[m '
- else
- echo -n -e '\033[33mPartial RELRO \033[m '
- fi
- else
- echo -n -e '\033[31mNo RELRO \033[m '
- fi
- else
- echo -n -e '\033[31mPermission denied (please run as root)\033[m\n'
- exit 1
- fi
-
- # check for stack canary support
- if readelf -s $1/exe 2>/dev/null | grep -q 'Symbol table'; then
- if readelf -s $1/exe 2>/dev/null | grep -q '__stack_chk_fail'; then
- echo -n -e '\033[32mCanary found \033[m '
- else
- echo -n -e '\033[31mNo canary found \033[m '
- fi
- else
- if [ "$1" != "1" ] ; then
- echo -n -e '\033[33mPermission denied \033[m '
- else
- echo -n -e '\033[33mNo symbol table found\033[m '
- fi
- fi
-
- # first check for PaX support
- if cat $1/status 2> /dev/null | grep -q 'PaX:'; then
- pageexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b6) )
- segmexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b10) )
- mprotect=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b8) )
- randmmap=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b9) )
- if [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "R" ]] ; then
- echo -n -e '\033[32mPaX enabled\033[m '
- elif [[ "$pageexec" = "p" && "$segmexec" = "s" && "$randmmap" = "R" ]] ; then
- echo -n -e '\033[33mPaX ASLR only\033[m '
- elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "R" ]] ; then
- echo -n -e '\033[33mPaX mprot off \033[m'
- elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "r" ]] ; then
- echo -n -e '\033[33mPaX ASLR off\033[m '
- elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "r" ]] ; then
- echo -n -e '\033[33mPaX NX only\033[m '
- else
- echo -n -e '\033[31mPaX disabled\033[m '
- fi
- # fallback check for NX support
- elif readelf -W -l $1/exe 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
- echo -n -e '\033[31mNX disabled\033[m '
- else
- echo -n -e '\033[32mNX enabled \033[m '
- fi
-
- # check for PIE support
- if readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then
- echo -n -e '\033[31mNo PIE \033[m '
- elif readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
- if readelf -d $1/exe 2>/dev/null | grep -q '(DEBUG)'; then
- echo -n -e '\033[32mPIE enabled \033[m '
- else
- echo -n -e '\033[33mDynamic Shared Object\033[m '
- fi
- else
- echo -n -e '\033[33mNot an ELF file \033[m '
- fi
-}
-
-# check mapped libraries
-libcheck() {
- libs=( $(awk '{ print $6 }' /proc/$1/maps | grep '/' | sort -u | xargs file | grep ELF | awk '{ print $1 }' | sed 's/:/ /') )
-
- printf "\n* Loaded libraries (file information, # of mapped files: ${#libs[@]}):\n\n"
-
- for element in $(seq 0 $((${#libs[@]} - 1)))
- do
- echo " ${libs[$element]}:"
- echo -n " "
- filecheck ${libs[$element]}
- printf "\n\n"
- done
-}
-
-# check for system-wide ASLR support
-aslrcheck() {
- # PaX ASLR support
- if !(cat /proc/1/status 2> /dev/null | grep -q 'Name:') ; then
- echo -n -e ':\033[33m insufficient privileges for PaX ASLR checks\033[m\n'
- echo -n -e ' Fallback to standard Linux ASLR check'
- fi
-
- if cat /proc/1/status 2> /dev/null | grep -q 'PaX:'; then
- printf ": "
- if cat /proc/1/status 2> /dev/null | grep 'PaX:' | grep -q 'R'; then
- echo -n -e '\033[32mPaX ASLR enabled\033[m\n\n'
- else
- echo -n -e '\033[31mPaX ASLR disabled\033[m\n\n'
- fi
- else
- # standard Linux 'kernel.randomize_va_space' ASLR support
- # (see the kernel file 'Documentation/sysctl/kernel.txt' for a detailed description)
- printf " (kernel.randomize_va_space): "
- if /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 1'; then
- echo -n -e '\033[33mOn (Setting: 1)\033[m\n\n'
- printf " Description - Make the addresses of mmap base, stack and VDSO page randomized.\n"
- printf " This, among other things, implies that shared libraries will be loaded to \n"
- printf " random addresses. Also for PIE-linked binaries, the location of code start\n"
- printf " is randomized. Heap addresses are *not* randomized.\n\n"
- elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 2'; then
- echo -n -e '\033[32mOn (Setting: 2)\033[m\n\n'
- printf " Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.\n"
- printf " This, among other things, implies that shared libraries will be loaded to random \n"
- printf " addresses. Also for PIE-linked binaries, the location of code start is randomized.\n\n"
- elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 0'; then
- echo -n -e '\033[31mOff (Setting: 0)\033[m\n'
- else
- echo -n -e '\033[31mNot supported\033[m\n'
- fi
- printf " See the kernel file 'Documentation/sysctl/kernel.txt' for more details.\n\n"
- fi
-}
-
-# check cpu nx flag
-nxcheck() {
- if grep -q nx /proc/cpuinfo; then
- echo -n -e '\033[32mYes\033[m\n\n'
- else
- echo -n -e '\033[31mNo\033[m\n\n'
- fi
-}
-
-# check for kernel protection mechanisms
-kernelcheck() {
- printf " Description - List the status of kernel protection mechanisms. Rather than\n"
- printf " inspect kernel mechanisms that may aid in the prevention of exploitation of\n"
- printf " userspace processes, this option lists the status of kernel configuration\n"
- printf " options that harden the kernel itself against attack.\n\n"
- printf " Kernel config: "
-
- if [ -f /proc/config.gz ] ; then
- kconfig="zcat /proc/config.gz"
- printf "\033[32m/proc/config.gz\033[m\n\n"
- elif [ -f /boot/config-`uname -r` ] ; then
- kconfig="cat /boot/config-`uname -r`"
- printf "\033[33m/boot/config-`uname -r`\033[m\n\n"
- printf " Warning: The config on disk may not represent running kernel config!\n\n";
- elif [ -f "${KBUILD_OUTPUT:-/usr/src/linux}"/.config ] ; then
- kconfig="cat ${KBUILD_OUTPUT:-/usr/src/linux}/.config"
- printf "\033[33m%s\033[m\n\n" "${KBUILD_OUTPUT:-/usr/src/linux}/.config"
- printf " Warning: The config on disk may not represent running kernel config!\n\n";
- else
- printf "\033[31mNOT FOUND\033[m\n\n"
- exit 0
- fi
-
- printf " GCC stack protector support: "
- if $kconfig | grep -qi 'CONFIG_CC_STACKPROTECTOR=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Strict user copy checks: "
- if $kconfig | grep -qi 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Enforce read-only kernel data: "
- if $kconfig | grep -qi 'CONFIG_DEBUG_RODATA=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
- printf " Restrict /dev/mem access: "
- if $kconfig | grep -qi 'CONFIG_STRICT_DEVMEM=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Restrict /dev/kmem access: "
- if $kconfig | grep -qi 'CONFIG_DEVKMEM=y'; then
- printf "\033[31mDisabled\033[m\n"
- else
- printf "\033[32mEnabled\033[m\n"
- fi
-
- printf "\n"
- printf "* grsecurity / PaX: "
-
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC=y'; then
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIGH=y'; then
- printf "\033[32mHigh GRKERNSEC\033[m\n\n"
- elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_MEDIUM=y'; then
- printf "\033[33mMedium GRKERNSEC\033[m\n\n"
- elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_LOW=y'; then
- printf "\033[31mLow GRKERNSEC\033[m\n\n"
- else
- printf "\033[33mCustom GRKERNSEC\033[m\n\n"
- fi
-
- printf " Non-executable kernel pages: "
- if $kconfig | grep -qi 'CONFIG_PAX_KERNEXEC=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Prevent userspace pointer deref: "
- if $kconfig | grep -qi 'CONFIG_PAX_MEMORY_UDEREF=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Prevent kobject refcount overflow: "
- if $kconfig | grep -qi 'CONFIG_PAX_REFCOUNT=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Bounds check heap object copies: "
- if $kconfig | grep -qi 'CONFIG_PAX_USERCOPY=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Disable writing to kmem/mem/port: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_KMEM=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Disable privileged I/O: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_IO=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Harden module auto-loading: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_MODHARDEN=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Hide kernel symbols: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIDESYM=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
- else
- printf "\033[31mNo GRKERNSEC\033[m\n\n"
- printf " The grsecurity / PaX patchset is available here:\n"
- printf " http://grsecurity.net/\n"
- fi
-
- printf "\n"
- printf "* Kernel Heap Hardening: "
-
- if $kconfig | grep -qi 'CONFIG_KERNHEAP=y'; then
- if $kconfig | grep -qi 'CONFIG_KERNHEAP_FULLPOISON=y'; then
- printf "\033[32mFull KERNHEAP\033[m\n\n"
- else
- printf "\033[33mPartial KERNHEAP\033[m\n\n"
- fi
- else
- printf "\033[31mNo KERNHEAP\033[m\n\n"
- printf " The KERNHEAP hardening patchset is available here:\n"
- printf " https://www.subreption.com/kernheap/\n\n"
- fi
-}
-
-# --- FORTIFY_SOURCE subfunctions (start) ---
-
-# is FORTIFY_SOURCE supported by libc?
-FS_libc_check() {
- printf "* FORTIFY_SOURCE support available (libc) : "
-
- if [ "${#FS_chk_func_libc[@]}" != "0" ] ; then
- printf "\033[32mYes\033[m\n"
- else
- printf "\033[31mNo\033[m\n"
- exit 1
- fi
-}
-
-# was the binary compiled with FORTIFY_SOURCE?
-FS_binary_check() {
- printf "* Binary compiled with FORTIFY_SOURCE support: "
-
- for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1)))
- do
- if [[ ${FS_functions[$FS_elem_functions]} =~ _chk ]] ; then
- printf "\033[32mYes\033[m\n"
- return
- fi
- done
- printf "\033[31mNo\033[m\n"
- exit 1
-}
-
-FS_comparison() {
- echo
- printf " ------ EXECUTABLE-FILE ------- . -------- LIBC --------\n"
- printf " FORTIFY-able library functions | Checked function names\n"
- printf " -------------------------------------------------------\n"
-
- for FS_elem_libc in $(seq 0 $((${#FS_chk_func_libc[@]} - 1)))
- do
- for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1)))
- do
- FS_tmp_func=${FS_functions[$FS_elem_functions]}
- FS_tmp_libc=${FS_chk_func_libc[$FS_elem_libc]}
-
- if [[ $FS_tmp_func =~ ^$FS_tmp_libc$ ]] ; then
- printf " \033[31m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end
- let FS_cnt_total++
- let FS_cnt_unchecked++
- elif [[ $FS_tmp_func =~ ^$FS_tmp_libc(_chk) ]] ; then
- printf " \033[32m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end
- let FS_cnt_total++
- let FS_cnt_checked++
- fi
-
- done
- done
-}
-
-FS_summary() {
- echo
- printf "SUMMARY:\n\n"
- printf "* Number of checked functions in libc : ${#FS_chk_func_libc[@]}\n"
- printf "* Total number of library functions in the executable: ${#FS_functions[@]}\n"
- printf "* Number of FORTIFY-able functions in the executable : %s\n" $FS_cnt_total
- printf "* Number of checked functions in the executable : \033[32m%s\033[m\n" $FS_cnt_checked
- printf "* Number of unchecked functions in the executable : \033[31m%s\033[m\n" $FS_cnt_unchecked
- echo
-}
-
-# --- FORTIFY_SOURCE subfunctions (end) ---
-
-if !(command_exists readelf) ; then
- printf "\033[31mWarning: 'readelf' not found! It's required for most checks.\033[m\n\n"
- have_readelf=0
-fi
-
-# parse command-line arguments
-case "$1" in
-
- --version)
- version
- exit 0
- ;;
-
- --help)
- help
- exit 0
- ;;
-
- --dir)
- if [ "$3" = "-v" ] ; then
- verbose=true
- fi
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid directory.\033[m\n\n"
- exit 1
- fi
- # remove trailing slashes
- tempdir=`echo $2 | sed -e "s/\/*$//"`
- if [ ! -d $tempdir ] ; then
- printf "\033[31mError: The directory '$tempdir' does not exist.\033[m\n\n"
- exit 1
- fi
- cd $tempdir
- printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n"
- for N in [A-Za-z]*; do
- if [ "$N" != "[A-Za-z]*" ]; then
- # read permissions?
- if [ ! -r $N ]; then
- printf "\033[31mError: No read permissions for '$tempdir/$N' (run as root).\033[m\n"
- else
- # ELF executable?
- out=`file $N`
- if [[ ! $out =~ ELF ]] ; then
- if [ "$verbose" = "true" ] ; then
- printf "\033[34m*** Not an ELF file: $tempdir/"
- file $N
- printf "\033[m"
- fi
- else
- filecheck $N
- if [ `find $tempdir/$N \( -perm -004000 -o -perm -002000 \) -type f -print` ]; then
- printf "\033[37;41m%s%s\033[m" $2 $N
- else
- printf "%s%s" $tempdir/ $N
- fi
- echo
- fi
- fi
- fi
- done
- exit 0
- ;;
-
- --file)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid file.\033[m\n\n"
- exit 1
- fi
- # does the file exist?
- if [ ! -e $2 ] ; then
- printf "\033[31mError: The file '$2' does not exist.\033[m\n\n"
- exit 1
- fi
- # read permissions?
- if [ ! -r $2 ] ; then
- printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n"
- exit 1
- fi
- # ELF executable?
- out=`file $2`
- if [[ ! $out =~ ELF ]] ; then
- printf "\033[31mError: Not an ELF file: "
- file $2
- printf "\033[m\n"
- exit 1
- fi
- printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n"
- filecheck $2
- if [ `find $2 \( -perm -004000 -o -perm -002000 \) -type f -print` ] ; then
- printf "\033[37;41m%s%s\033[m" $2 $N
- else
- printf "%s" $2
- fi
- echo
- exit 0
- ;;
-
- --proc-all)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- cd /proc
- printf "* System-wide ASLR"
- aslrcheck
- printf "* Does the CPU support NX: "
- nxcheck
- printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
- for N in [1-9]*; do
- if [ $N != $$ ] && readlink -q $N/exe > /dev/null; then
- printf "%16s" `head -1 $N/status | cut -b 7-`
- printf "%7d " $N
- proccheck $N
- echo
- fi
- done
- if [ ! -e /usr/bin/id ] ; then
- printf "\n\033[33mNote: If you are running 'checksec.sh' as an unprivileged user, you\n"
- printf " will not see all processes. Please run the script as root.\033[m\n\n"
- else
- if !(root_privs) ; then
- printf "\n\033[33mNote: You are running 'checksec.sh' as an unprivileged user.\n"
- printf " Too see all processes, please run the script as root.\033[m\n\n"
- fi
- fi
- exit 0
- ;;
-
- --proc)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
- exit 1
- fi
- if !(isString "$2") ; then
- printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
- exit 1
- fi
- cd /proc
- printf "* System-wide ASLR"
- aslrcheck
- printf "* Does the CPU support NX: "
- nxcheck
- printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
- for N in `ps -Ao pid,comm | grep $2 | cut -b1-6`; do
- if [ -d $N ] ; then
- printf "%16s" `head -1 $N/status | cut -b 7-`
- printf "%7d " $N
- # read permissions?
- if [ ! -r $N/exe ] ; then
- if !(root_privs) ; then
- printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
- exit 1
- fi
- if [ ! `readlink $N/exe` ] ; then
- printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
- exit 1
- fi
- exit 1
- fi
- proccheck $N
- echo
- fi
- done
- exit 0
- ;;
-
- --proc-libs)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- if !(isNumeric "$2") ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- cd /proc
- printf "* System-wide ASLR"
- aslrcheck
- printf "* Does the CPU support NX: "
- nxcheck
- printf "* Process information:\n\n"
- printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
- N=$2
- if [ -d $N ] ; then
- printf "%16s" `head -1 $N/status | cut -b 7-`
- printf "%7d " $N
- # read permissions?
- if [ ! -r $N/exe ] ; then
- if !(root_privs) ; then
- printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
- exit 1
- fi
- if [ ! `readlink $N/exe` ] ; then
- printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
- exit 1
- fi
- exit 1
- fi
- proccheck $N
- echo
- libcheck $N
- fi
- exit 0
- ;;
-
- --kernel)
- cd /proc
- printf "* Kernel protection information:\n\n"
- kernelcheck
- exit 0
- ;;
-
- --fortify-file)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid file.\033[m\n\n"
- exit 1
- fi
- # does the file exist?
- if [ ! -e $2 ] ; then
- printf "\033[31mError: The file '$2' does not exist.\033[m\n\n"
- exit 1
- fi
- # read permissions?
- if [ ! -r $2 ] ; then
- printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n"
- exit 1
- fi
- # ELF executable?
- out=`file $2`
- if [[ ! $out =~ ELF ]] ; then
- printf "\033[31mError: Not an ELF file: "
- file $2
- printf "\033[m\n"
- exit 1
- fi
- if [ -e /lib/libc.so.6 ] ; then
- FS_libc=/lib/libc.so.6
- elif [ -e /lib64/libc.so.6 ] ; then
- FS_libc=/lib64/libc.so.6
- elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/i386-linux-gnu/libc.so.6
- elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/x86_64-linux-gnu/libc.so.6
- else
- printf "\033[31mError: libc not found.\033[m\n\n"
- exit 1
- fi
-
- FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') )
- FS_functions=( $(readelf -s $2 | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') )
-
- FS_libc_check
- FS_binary_check
- FS_comparison
- FS_summary
-
- exit 0
- ;;
-
- --fortify-proc)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- if !(isNumeric "$2") ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- cd /proc
- N=$2
- if [ -d $N ] ; then
- # read permissions?
- if [ ! -r $N/exe ] ; then
- if !(root_privs) ; then
- printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
- exit 1
- fi
- if [ ! `readlink $N/exe` ] ; then
- printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
- exit 1
- fi
- exit 1
- fi
- if [ -e /lib/libc.so.6 ] ; then
- FS_libc=/lib/libc.so.6
- elif [ -e /lib64/libc.so.6 ] ; then
- FS_libc=/lib64/libc.so.6
- elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/i386-linux-gnu/libc.so.6
- elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/x86_64-linux-gnu/libc.so.6
- else
- printf "\033[31mError: libc not found.\033[m\n\n"
- exit 1
- fi
- printf "* Process name (PID) : %s (%d)\n" `head -1 $N/status | cut -b 7-` $N
- FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') )
- FS_functions=( $(readelf -s $2/exe | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') )
-
- FS_libc_check
- FS_binary_check
- FS_comparison
- FS_summary
- fi
- exit 0
- ;;
-
- *)
- if [ "$#" != "0" ] ; then
- printf "\033[31mError: Unknown option '$1'.\033[m\n\n"
- fi
- help
- exit 1
- ;;
-esac
diff --git a/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
index 8c2c2fa2f..6219d9ed2 100644
--- a/meta-security/recipes-security/clamav/clamav_0.99.4.bb
+++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
@@ -31,17 +31,13 @@ GID = "clamav"
# Clamav has a built llvm version 2 but does not build with gcc 6.x,
# disable the internal one. This is a known issue
-# If you want LLVM support, use meta-oe llvm3.3 to build for GCC 6.X,
-# as defined below
+# If you want LLVM support, use the one in core
-CLAMAV_LLVM ?= "oellvm"
-CLAMAV_LLVM_RELEASE ?= "6.0"
-
-PACKAGECONFIG ?= "ncurses openssl bz2 zlib ${CLAMAV_LLVM}"
+PACKAGECONFIG ?= "ncurses openssl bz2 zlib llvm"
PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-PACKAGECONFIG[oellvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm${CLAMAV_LLVM_RELEASE}"
+PACKAGECONFIG[llvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm8.0"
PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre"
PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2,"
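Review bot: The dependency field of `PACKAGECONFIG[llvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm8.0"` pins a versioned provider name while the new comment says to use the LLVM in core, which contradicts the intent and will silently break on core's next LLVM upgrade. Unless core's llvm recipe is known to PROVIDE `llvm8.0`, the generic `llvm` provider is the better target, and the comment should record which LLVM releases clamav 0.99.4's configure actually accepts, since older clamav releases are known to be picky about LLVM versions and this is now in the default PACKAGECONFIG. Keeping `--disable-llvm` next to `--with-system-llvm` in the enable-flags is carried over from the old line, but a short comment explaining that pairing would help a reader who sees the two as contradictory.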
diff --git a/meta-security/recipes-security/fail2ban/python-fail2ban.inc b/meta-security/recipes-security/fail2ban/python-fail2ban.inc
index 9245f17b1..7270ed8ac 100644
--- a/meta-security/recipes-security/fail2ban/python-fail2ban.inc
+++ b/meta-security/recipes-security/fail2ban/python-fail2ban.inc
@@ -9,7 +9,7 @@ HOMEPAGE = "http://www.fail2ban.org"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
-SRCREV ="ac0d441fd68852ffda7b15c71f16b7f4fde1a7ee"
+SRCREV ="aa565eb80ec6043317e8430cabcaf9c3f4e61578"
SRC_URI = " \
git://github.com/fail2ban/fail2ban.git;branch=0.11 \
file://initd \
diff --git a/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.4.0.bb
index 17a7dd8dd..17a7dd8dd 100644
--- a/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
+++ b/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.4.0.bb
diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
index 5c887e857..5c887e857 100644
--- a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb
+++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
diff --git a/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch b/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch
deleted file mode 100644
index dde1af44a..000000000
--- a/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Subject: [PATCH] keyutils: use relative path for link
-
-The absolute path of the symlink will be invalid
-when populated in sysroot, so use relative path instead.
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 824bbbf..8ce3a13 100644
---- a/Makefile
-+++ b/Makefile
-@@ -167,7 +167,7 @@ ifeq ($(NO_SOLIB),0)
- $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
- $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
- mkdir -p $(DESTDIR)$(USRLIBDIR)
-- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
-+ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
- endif
- $(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl
- $(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key
---
-2.11.0
-
diff --git a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb b/meta-security/recipes-security/keyutils/keyutils_1.6.bb
index a4222b9e9..c961fa293 100644
--- a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb
+++ b/meta-security/recipes-security/keyutils/keyutils_1.6.bb
@@ -16,14 +16,13 @@ LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \
inherit siteinfo ptest
SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \
- file://keyutils-use-relative-path-for-link.patch \
file://keyutils-test-fix-output-format.patch \
file://keyutils-fix-error-report-by-adding-default-message.patch \
file://run-ptest \
"
-SRC_URI[md5sum] = "3771676319bc7b84b1549b5c63ff5243"
-SRC_URI[sha256sum] = "115c3deae7f181778fd0e0ffaa2dad1bf1fe2f5677cf2e0e348cdb7a1c93afb6"
+SRC_URI[md5sum] = "191987b0ab46bb5b50efd70a6e6ce808"
+SRC_URI[sha256sum] = "d3aef20cec0005c0fa6b4be40079885567473185b1a57b629b030e67942c7115"
EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \
NO_ARLIB=1 \
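Review bot: The tarball on the `SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \` context line is still fetched over cleartext HTTP, so the updated `SRC_URI[sha256sum]` is the only thing standing between the build and a tampered archive. That is adequate as long as the checksum stays pinned, but if the host serves HTTPS the scheme should be switched; otherwise a comment such as `# plain-http source; integrity relies solely on the sha256sum below` records why the checksum must never be loosened. The md5sum line adds no integrity beyond sha256 and is optional in bitbake, so it could be dropped the next time the recipe is touched.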
@@ -36,6 +35,7 @@ EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \
"
do_install () {
+ install -d ${D}/${nonarch_base_libdir}/pkgconfig
oe_runmake DESTDIR=${D} install
}
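Review bot: The added `install -d ${D}/${nonarch_base_libdir}/pkgconfig` line has a doubled slash, because `${nonarch_base_libdir}` already starts with `/`; it works, but `install -d ${D}${nonarch_base_libdir}/pkgconfig` matches the style used elsewhere in the layer. The line also needs a comment saying why the directory is created by hand, presumably because upstream's install target copies libkeyutils.pc without creating its parent — confirm against the 1.6 Makefile and note it, e.g. `# upstream make install does not create the pkgconfig dir before copying libkeyutils.pc`. The enclosing do_install task is fully visible here, but the FILES line that packages this .pc file lives in the next hunk, so the two should be reviewed together.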
@@ -44,4 +44,8 @@ do_install_ptest () {
sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh
}
-RDEPENDS_${PN}-ptest += "glibc-utils"
+FILES_${PN}-dev += "${nonarch_base_libdir}/pkgconfig/libkeyutils.pc"
+
+RDEPENDS_${PN}-ptest += "lsb"
+RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils"
+RDEPENDS_${PN}-ptest_append_libc-musl = " musl-utils"
diff --git a/meta-security/recipes-security/libmspack/libmspack_0.5.bb b/meta-security/recipes-security/libmspack/libmspack_0.9.1.bb
index 80db23cec..56a8a0770 100644
--- a/meta-security/recipes-security/libmspack/libmspack_0.5.bb
+++ b/meta-security/recipes-security/libmspack/libmspack_0.9.1.bb
@@ -6,10 +6,10 @@ DEPENDS = ""
LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd"
-SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.gz\
-"
-SRC_URI[md5sum] = "3aa3f6b9ef101463270c085478fda1da"
-SRC_URI[sha256sum] = "8967f275525f5067b364cee43b73e44d0433668c39f9376dfff19f653d1c8110"
+SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.gz"
+
+SRC_URI[md5sum] = "9602ae4a6b0468d9aaef6359c1e90657"
+SRC_URI[sha256sum] = "62a336d9c798638aaf3dceb43843320061544bbf35547c316b075b99112f2e40"
inherit autotools
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb
index 9c66db68c..41ffd625c 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb
@@ -4,9 +4,9 @@ SECTION = "security"
LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-SRCREV = "74b190e1aa05f07da0c61fb9a30dbc9c18ce2c9d"
+SRCREV = "4d64011741375bb1a4ba7d71905ca37b97885083"
-SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.3 \
+SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
file://run-ptest \
"
diff --git a/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/meta-security/recipes-security/ncrack/ncrack_0.7.bb
new file mode 100644
index 000000000..06ba2b6df
--- /dev/null
+++ b/meta-security/recipes-security/ncrack/ncrack_0.7.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Network authentication cracking tool"
+DESCRIPTION = "Ncrack is designed for high-speed parallel testing of network devices for poor passwords."
+HOMEPAGE = "https://nmap.org/ncrack"
+SECTION = "security"
+
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=198fa93d4e80225839e595336f3b5ff0"
+
+SRCREV = "3a793a21820708466081825beda9fce857f36cb6"
+SRC_URI = "git://github.com/nmap/ncrack.git"
+
+DEPENDS = "openssl zlib"
+
+inherit autotools-brokensep
+
+S = "${WORKDIR}/git"
+
+INSANE_SKIP_${PN} = "already-stripped"
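Review bot: `INSANE_SKIP_${PN} = "already-stripped"` silences the QA check rather than addressing what triggers it, so any symbols the upstream build removes never reach `${PN}-dbg`; if the skip has to stay, record the reason next to it, e.g. `# already-stripped: <what in the upstream build strips the binaries> -- TODO drop once that is disabled`. The fetch line uses the plain `git://` transport with no `protocol=` parameter; the pinned SRCREV still guarantees the checked-out tree matches the hash, but an authenticated transport costs nothing: `SRC_URI = "git://github.com/nmap/ncrack.git;protocol=https"`. The recipe also has no `PV` suffix tying the package version to the git revision, which the other git-based recipes in this commit likewise omit, so that is a layer-wide convention rather than a defect here.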
diff --git a/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch b/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch
deleted file mode 100644
index 5ddb16926..000000000
--- a/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
-From: sullo <sullo@cirt.net>
-Date: Thu, 31 May 2018 23:30:03 -0400
-Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
- Server string & CSV output is opened in Excel or other spreadsheet app.
- Potentially malicious cell start characters are now prefaced with a ' mark.
- Thanks to Adam (@bytesoverbombs) for letting me know!
-
-Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
-
-CVE: CVE-2018-11652
-Upstream-Status: Backport
-Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
----
- plugins/nikto_outdated.plugin | 2 +-
- plugins/nikto_report_csv.plugin | 42 +++++++++++++++++++++++++++++------------
- 2 files changed, 31 insertions(+), 13 deletions(-)
-
-diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin
-index 72379cc..eb1d889 100644
---- a/plugins/nikto_outdated.plugin
-+++ b/plugins/nikto_outdated.plugin
-@@ -83,7 +83,7 @@ sub nikto_outdated {
- $sepr = substr($sepr, (length($sepr) - 1), 1);
-
- # break up ID string on $sepr
-- my @T = split(/$sepr/, $mark->{'banner'});
-+ my @T = split(/\\$sepr/, $mark->{'banner'});
-
- # assume last is version...
- for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
-diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin
-index d13acab..b942e78 100644
---- a/plugins/nikto_report_csv.plugin
-+++ b/plugins/nikto_report_csv.plugin
-@@ -52,10 +52,12 @@ sub csv_open {
- sub csv_host_start {
- my ($handle, $mark) = @_;
- $mark->{'banner'} =~ s/"/\\"/g;
-- print OUT "\"$mark->{'hostname'}\","
-- . "\"$mark->{'ip'}\","
-- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
-- . "\"$mark->{'banner'}\"\n";
-+ print $handle "\"" . csv_safecell($hostname) . "\","
-+ . "\"" . csv_safecell($mark->{'ip'}) . "\","
-+ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
-+ #. "\"" . $mark->{'banner'} . "\"\n";
-+ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
-+
- return;
- }
-
-@@ -65,26 +67,42 @@ sub csv_item {
- my ($handle, $mark, $item) = @_;
- foreach my $uri (split(' ', $item->{'uri'})) {
- my $line = '';
-- $line .= "\"$item->{'mark'}->{'hostname'}\",";
-- $line .= "\"$item->{'mark'}->{'ip'}\",";
-- $line .= "\"$item->{'mark'}->{'port'}\",";
-+ $line .= "\"" . csv_safecell($hostname) . "\",";
-+ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
-+ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
-
- $line .= "\"";
- if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
- $line .= "\",";
-
- $line .= "\"";
-- if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
-+ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
- $line .= "\",";
-
- $line .= "\"";
-- if ($uri ne '') { $line .= $mark->{'root'} . $uri; }
-+ { $line .= csv_safecell($mark->{'root'}) . $uri; }
-+ else { $line .= csv_safecell($ur
- $line .= "\",";
-
-- $item->{'message'} =~ s/"/\\"/g;
-- $line .= "\"$item->{'message'}\"";
-- print $handle "$line\n";
-+ my $msg = $item->{'message'};
-+ $uri=quotemeta($uri);
-+ my $root = quotemeta($mark->{'root'});
-+ $msg =~ s/^$uri:\s//;
-+ $msg =~ s/^$root$uri:\s//;
-+ $msg =~ s/"/\\"/g;
-+ $line .= "\"" . csv_safecell($msg) ."\"";
-+ print $handle "$line\n";
-+
- }
- }
-
-+###############################################################################
-+# prevent CSV injection attacks
-+sub csv_safecell {
-+ my $celldata = $_[0] || return;
-+ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
-+ return $celldata;
-+}
-+
-+
- 1;
---
-2.6.4
-
diff --git a/meta-security/recipes-security/nikto/files/location.patch b/meta-security/recipes-security/nikto/files/location.patch
index a95b0629f..edaa20475 100644
--- a/meta-security/recipes-security/nikto/files/location.patch
+++ b/meta-security/recipes-security/nikto/files/location.patch
@@ -1,36 +1,36 @@
-From e10b9b1f6704057ace39956ae1dc5c7caca07ff1 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Mon, 8 Jul 2013 11:53:54 +0300
-Subject: [PATCH] Setting the location of nikto on the image
+From d1cb702d5147abea0d3208a4d554c61a6f2decd6 Mon Sep 17 00:00:00 2001
+From: Scott Ellis <scott@jumpnowtek.com>
+Date: Fri, 28 Dec 2018 11:08:25 -0500
+Subject: [PATCH] Set custom paths
-Upstream Status: Inapropriate
+Upstream Status: Inappropriate
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+Signed-off-by: Scott Ellis <scott@jumpnowtek.com>
---
- nikto.conf | 10 +++++-----
+ nikto.conf | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
-diff --git a/nikto.conf b/nikto.conf
-index 25b784d..9577033 100644
+diff --git a/program/nikto.conf b/program/nikto.conf
+index bf36c58..8c55415 100644
--- a/nikto.conf
+++ b/nikto.conf
-@@ -61,11 +61,11 @@ CIRT=174.142.17.165
+@@ -61,11 +61,11 @@ CIRT=107.170.99.251
CHECKMETHODS=HEAD GET
# If you want to specify the location of any of the files, specify them here
-# EXECDIR=/opt/nikto # Location of Nikto
-# PLUGINDIR=/opt/nikto/plugins # Location of plugin dir
--# DBDIR=/opt/nikto/databases # Location of plugin dir
--# TEMPLATEDIR=/opt/nikto/templates # Location of tempmlate dir
+-# DBDIR=/opt/nikto/databases # Location of database dir
+-# TEMPLATEDIR=/opt/nikto/templates # Location of template dir
-# DOCDIR=/opt/nikto/docs # Location of docs dir
+EXECDIR=/usr/bin/nikto # Location of Nikto
+PLUGINDIR=/etc/nikto/plugins # Location of plugin dir
-+DBDIR=/etc/nikto/databases # Location of plugin dir
-+TEMPLATEDIR=/etc/nikto/templates # Location of tempmlate dir
++DBDIR=/etc/nikto/databases # Location of database dir
++TEMPLATEDIR=/etc/nikto/templates # Location of template dir
+DOCDIR=/usr/share/doc/nikto # Location of docs dir
# Default plugin macros
- @@MUTATE=dictionary;subdomain
+ # Remove plugins designed to be run standalone
--
-1.7.9.5
+2.7.4
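Review bot: The regenerated header `diff --git a/program/nikto.conf b/program/nikto.conf` no longer agrees with the unchanged `--- a/nikto.conf` / `+++ b/nikto.conf` lines below it; `patch -p1` keys off the latter, so the patch still applies with `S` pointing into `program/`, but `git apply` rejects a patch whose paths disagree and the next regeneration will have to be fixed by hand. Either make all three lines `program/nikto.conf` and apply the patch from the repository root, or keep all three as `nikto.conf`. The tag line keeps the unhyphenated `Upstream Status: Inappropriate` spelling (only the typo in the value was fixed); the OE convention that the patch-checking tooling looks for is `Upstream-Status: Inappropriate [configuration]`.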
diff --git a/meta-security/recipes-security/nikto/nikto_2.1.5.bb b/meta-security/recipes-security/nikto/nikto_2.1.5.bb
deleted file mode 100644
index 19eb14f3e..000000000
--- a/meta-security/recipes-security/nikto/nikto_2.1.5.bb
+++ /dev/null
@@ -1,108 +0,0 @@
-SUMMARY = "web server scanner"
-DESCRIPTION = "Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous \
- files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers."
-SECTION = "security"
-LICENSE = "GPLv2"
-
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-
-SRC_URI = "http://cirt.net/nikto/${BP}.tar.gz \
- file://location.patch \
- file://CVE-2018-11652.patch"
-
-SRC_URI[md5sum] = "efcc98a918becb77471ee9a5df0a7b1e"
-SRC_URI[sha256sum] = "0e672a6a46bf2abde419a0e8ea846696d7f32e99ad18a6b405736ee6af07509f"
-
-do_install() {
- install -d ${D}${bindir}
- install -d ${D}${datadir}
- install -d ${D}${datadir}/man/man1
- install -d ${D}${datadir}/doc/nikto
- install -d ${D}${sysconfdir}/nikto
- install -d ${D}${sysconfdir}/nikto/databases
- install -d ${D}${sysconfdir}/nikto/plugins
- install -d ${D}${sysconfdir}/nikto/templates
-
- install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_subdomains ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases
-
- install -m 0644 plugins/JSON-PP.pm ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_msf.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_subdomain.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins
-
- install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates
-
- install -m 0644 nikto.conf ${D}${sysconfdir}
-
- install -m 0755 nikto.pl ${D}${bindir}/nikto
- install -m 0644 replay.pl ${D}${bindir}
- install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1
-
- install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto
- install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto
- install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto
- install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto
-}
-
-RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
- perl-module-getopt-long perl-module-time-local \
- perl-module-io-socket perl-module-overloading \
- perl-module-base perl-module-b perl-module-bytes \
- nikto-doc"
diff --git a/meta-security/recipes-security/nikto/nikto_2.1.6.bb b/meta-security/recipes-security/nikto/nikto_2.1.6.bb
new file mode 100644
index 000000000..2d2c46ca1
--- /dev/null
+++ b/meta-security/recipes-security/nikto/nikto_2.1.6.bb
@@ -0,0 +1,118 @@
+SUMMARY = "web server scanner"
+DESCRIPTION = "Nikto is an Open Source web server scanner which performs comprehensive tests against web servers"
+SECTION = "security"
+HOMEPAGE = "https://cirt.net/Nikto2"
+
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
+SRC_URI = "git://github.com/sullo/nikto.git \
+ file://location.patch"
+
+S = "${WORKDIR}/git/program"
+
+do_install() {
+ install -d ${D}${bindir}
+ install -d ${D}${datadir}
+ install -d ${D}${datadir}/man/man1
+ install -d ${D}${datadir}/doc/nikto
+ install -d ${D}${sysconfdir}/nikto
+ install -d ${D}${sysconfdir}/nikto/databases
+ install -d ${D}${sysconfdir}/nikto/plugins
+ install -d ${D}${sysconfdir}/nikto/templates
+
+ install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_dir_traversal ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_domino ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_drupal ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases
+
+ install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_dir_traversal.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_dishwasher.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_docker_registry.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_domino.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_drupal.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_ms10_070.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_negotiate.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_origin_reflection.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_json.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_sqlg.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_sitefiles.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_strutshock.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins
+
+ install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates
+
+ install -m 0644 nikto.conf ${D}${sysconfdir}
+
+ install -m 0755 nikto.pl ${D}${bindir}/nikto
+ install -m 0644 replay.pl ${D}${bindir}
+ install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1
+
+ install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto
+ install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto
+ install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto
+ install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto
+}
+
+RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
+ perl-module-getopt-long perl-module-time-local \
+ perl-module-io-socket perl-module-overloading \
+ perl-module-base perl-module-b perl-module-bytes"
+
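Review bot: This commit removes `CVE-2018-11652.patch` (the CSV-injection fix in nikto_report_csv.plugin, upstream commit e759b3300aace5314fe3d30800c8bd83c81c29f7) along with the 2.1.5 recipe, and the new recipe carries neither the patch nor a `CVE:` tag, so it relies on SRCREV `f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79` already containing that fix; that cannot be confirmed from this hunk and should be checked before merging. Two install-time issues are carried over from the old recipe: `install -m 0644 replay.pl ${D}${bindir}` places a non-executable script in bindir (use `-m 0755` or install it under `${datadir}` instead), and `templates/htm_start.tmpl` is installed twice. The fetch line uses plain `git://` with no `protocol=` parameter; `git://github.com/sullo/nikto.git;protocol=https` yields the same pinned checkout over an authenticated transport.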
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
index e847847b8..b8ab27df1 100644
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -78,7 +78,7 @@ RDEPENDS_packagegroup-security-ptest = " \
python-scapy-ptest \
suricata-ptest \
tripwire-ptest \
- python3-fail2ban-ptest \
+ python-fail2ban-ptest \
${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
ptest-runner \
diff --git a/meta-security/recipes-security/scapy/files/run-ptest b/meta-security/recipes-security/scapy/files/run-ptest
index 91b29f907..91b29f907 100755..100644
--- a/meta-security/recipes-security/scapy/files/run-ptest
+++ b/meta-security/recipes-security/scapy/files/run-ptest
diff --git a/meta-security/recipes-security/scapy/python-scapy.inc b/meta-security/recipes-security/scapy/python-scapy.inc
index 5abe7db76..99f30a7bf 100644
--- a/meta-security/recipes-security/scapy/python-scapy.inc
+++ b/meta-security/recipes-security/scapy/python-scapy.inc
@@ -5,16 +5,25 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69"
-SRC_URI[md5sum] = "d7d3c4294f5a718e234775d38dbeb7ec"
-SRC_URI[sha256sum] = "452f714f5c2eac6fd0a6146b1dbddfc24dd5f4103f3ed76227995a488cfb2b73"
+S = "${WORKDIR}/git"
-inherit pypi ptest
+SRCREV = "bad14cb1a5aee29f8107fbe8ad008d4645f14da7"
+SRC_URI = "git://github.com/secdev/scapy.git"
+
+inherit ptest
+
+do_install_append() {
+ if [ "${PYTHON_PN}" = "python3" ]; then
+ sed -i -e 's/python/python3/' ${D}${bindir}/scapy
+ sed -i -e 's/python/python3/' ${D}${bindir}/UTscapy
+ fi
+}
do_install_ptest() {
install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH}
sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest
}
-RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-netclient \
+RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \
${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \
${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto"
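Review bot: The `sed -i -e 's/python/python3/'` calls in `do_install_append` are not anchored to the interpreter line, so they rewrite the first occurrence of `python` on every line of the installed `scapy` and `UTscapy` scripts, including any string or comment that happens to contain the word. Restricting the substitution to line 1 limits it to the shebang: `sed -i -e '1s/python/python3/' ${D}${bindir}/scapy`, and likewise for `UTscapy`. Replacing the pypi tarball and its `SRC_URI[sha256sum]` with a pinned `SRCREV` keeps the source tied to a hash, but adding `;protocol=https` to the `git://` URL would avoid the unauthenticated transport.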
diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb
index 98db1fd6d..98db1fd6d 100644
--- a/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb
+++ b/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb
diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb
index 93ca7be8a..83c79f484 100644
--- a/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb
+++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb
@@ -2,3 +2,4 @@ inherit setuptools3
require python-scapy.inc
SRC_URI += "file://run-ptest"
+
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.3.bb b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
index 8f7f805fd..34bc8c804 100644
--- a/meta-security/recipes-security/sssd/sssd_1.16.3.bb
+++ b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
@@ -11,13 +11,16 @@ DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
file://sssd.conf "
-SRC_URI[md5sum] = "af4288c9d1f9953e3b3b6e0b165a5ece"
-SRC_URI[sha256sum] = "ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4"
+SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
+SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
-inherit autotools pkgconfig gettext update-rc.d python-dir distro_features_check
+inherit autotools pkgconfig gettext python-dir distro_features_check
REQUIRED_DISTRO_FEATURES = "pam"
+SSSD_UID ?= "root"
+SSSD_GID ?= "root"
+
CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
ac_cv_path_NSUPDATE=${bindir} \
ac_cv_path_PYTHON2=${PYTHON_DIR} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
@@ -25,6 +28,7 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
PACKAGECONFIG ?="nss nscd"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
@@ -55,6 +59,17 @@ do_install () {
rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
install -d ${D}/${sysconfdir}/${BPN}
install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+
+ # Remove /var/run as it is created on startup
+ rm -rf ${D}${localstatedir}/run
+
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ -e /etc/init.d/populate-volatile.sh ] ; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+ chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
}
CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
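Review bot: `chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf` in `pkg_postinst_ontarget` is a no-op with the `root:root` defaults introduced at L3319-L3320, and when a distro overrides `SSSD_UID` with a dedicated account nothing in this hunk creates that user or checks it exists, so the postinst fails on first boot with an unresolved name; guarding it, `getent passwd "${SSSD_UID}" >/dev/null && chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf`, or stating where the user must come from, makes the override safe. The 0600 mode from the `install -m 600` line survives the chown, which is appropriate for a config file that may hold directory credentials. `do_install` starts outside the hunk; in the new function the test uses the literal `/etc/init.d/populate-volatile.sh` while the call uses `${sysconfdir}/init.d/…`, and the `if`/`fi` lines sit at column 0 while `chown` is indented, so one spelling and one indent would help.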
@@ -70,4 +85,4 @@ FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
# The package contains symlinks that trip up insane
INSANE_SKIP_${PN} = "dev-so"
-RDEPENDS_${PN} += "bind dbus"
+RDEPENDS_${PN} = "bind dbus libldb libpam"
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb
index 2dbbf331e..eac8d6bd4 100644
--- a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
+++ b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb
@@ -5,7 +5,7 @@ DESCRIPTION = "\
XML security standards "XML Digital Signature" and "XML Encryption". \
"
HOMEPAGE = "http://www.aleksey.com/xmlsec/"
-DEPENDS = "libtool libxml2 libxslt openssl zlib libgcrypt gnutls nss nspr libgpg-error"
+DEPENDS = "libtool libxml2 libxslt zlib"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=352791d62092ea8104f085042de7f4d0"
@@ -20,17 +20,25 @@ SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \
file://run-ptest \
"
-SRC_URI[md5sum] = "9c4aaf9ff615a73921b9e3bf4988d878"
-SRC_URI[sha256sum] = "8d8276c9c720ca42a3b0023df8b7ae41a2d6c5f9aa8d20ed1672d84cc8982d50"
+SRC_URI[md5sum] = "508bee7e4f1b99f2d50aaa7d38ede56e"
+SRC_URI[sha256sum] = "97d756bad8e92588e6997d2227797eaa900d05e34a426829b149f65d87118eb6"
inherit autotools-brokensep ptest pkgconfig
CFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
CPPFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
-EXTRA_OECONF = "\
- --with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../.. \
- "
+PACKAGECONFIG ??= "gnutls libgcrypt nss openssl des"
+PACKAGECONFIG[gnutls] = ",,gnutls"
+PACKAGECONFIG[libgcrypt] = ",,libgcrypt"
+PACKAGECONFIG[nss] = "--with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../..,,nss nspr"
+PACKAGECONFIG[openssl] = ",,openssl"
+PACKAGECONFIG[des] = ",--disable-des,,"
+
+# these can be dynamically loaded with xmlSecCryptoDLLoadLibrary()
+FILES_SOLIBSDEV = "${libdir}/libxmlsec1.so"
+FILES_${PN} += "${libdir}/libxmlsec1-*.so"
+INSANE_SKIP_${PN} = "dev-so"
FILES_${PN}-dev += "${libdir}/xmlsec1Conf.sh"
FILES_${PN}-dbg += "${PTEST_PATH}/.debug/*"
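Review bot: `PACKAGECONFIG[gnutls]`, `[libgcrypt]` and `[openssl]` pass no configure argument in either the enabled or the disabled position, so which crypto backends get built depends on what configure auto-detects in the sysroot rather than on the option itself; if xmlsec's configure accepts `--with-gnutls`/`--without-gnutls` and the gcrypt/openssl equivalents (the `--with-nss=` form used on the nss line suggests it does), filling those in makes disabling an option actually disable the backend. The `CFLAGS`/`CPPFLAGS` lines adding the `nspr4`/`nss3` include paths remain unconditional although nss is now optional; `CFLAGS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3', '', d)}"` keeps them tied to the option. `des` sits in the default set with only a disable flag; single DES is obsolete for anything but legacy interoperability, so the default deserves a comment such as `# des: legacy single-DES transforms, kept for compatibility with older documents; drop if no consumer needs it`.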