subtree updates
poky: ee0d001b81..4161dbbbd6:
Aatir Manzur (1):
docs: add CONVERSION_CMD definition
Ahmed Hossam (1):
insane.bbclass: host-user-contaminated: Correct per package home path
Alejandro Hernandez Samaniego (1):
package.bbclass: Fix base directory for debugsource files when using externalsrc
Alex Kiernan (1):
python3-cryptography: Cleanup DEPENDS/RDEPENDS
Alexander Kanavin (53):
mesa: update 22.0.3 -> 22.1.2
python3-numpy: update 1.22.3 -> 1.22.4
python3-setuptools: update 62.3.2 -> 62.5.0
vulkan: upgrade 1.3.211.0 -> 1.3.216.0
lttng-modules: update 2.13.3 -> 2.13.4
go: update 1.18.2 -> 1.18.3
ell: update 0.50 -> 0.51
libdrm: update 2.4.110 -> 2.4.111
diffoscope: upgrade 215 -> 216
dos2unix: upgrade 7.4.2 -> 7.4.3
librsvg: upgrade 2.54.3 -> 2.54.4
puzzles: upgrade to latest revision
sudo: upgrade 1.9.10 -> 1.9.11p2
wireless-regdb: upgrade 2022.04.08 -> 2022.06.06
x264: upgrade to latest revision
python3-requests: upgrade 2.27.1 -> 2.28.0
oeqa/sdk: drop the nativesdk-python 2.x test
python3-hatch-vcs: fix upstream version check
at: take tarballs from debian
pango: exclude 1.9x versions which are 2.x pre-releases.
adwaita-icon-theme: upgrade 41.0 -> 42.0
rust: update 1.60.0 -> 1.62.0
weston: update 10.0.0 -> 10.0.1
python3-setuptools-scm: upgrade 6.4.2 -> 7.0.3
waffle: correctly request wayland-scanner executable
openssl: update 3.0.4 -> 3.0.5
diffoscope: upgrade 216 -> 217
glib-2.0: upgrade 2.72.2 -> 2.72.3
glib-networking: upgrade 2.72.0 -> 2.72.1
gstreamer1.0: upgrade 1.20.2 -> 1.20.3
harfbuzz: upgrade 4.3.0 -> 4.4.1
kmod: upgrade 29 -> 30
libsoup: upgrade 3.0.6 -> 3.0.7
mesa: upgrade 22.1.2 -> 22.1.3
mpg123: upgrade 1.29.3 -> 1.30.0
nghttp2: upgrade 1.47.0 -> 1.48.0
piglit: upgrade to latest revision
pulseaudio: upgrade 16.0 -> 16.1
python3-cffi: upgrade 1.15.0 -> 1.15.1
python3-cryptography: upgrade 37.0.2 -> 37.0.3
python3-cryptography-vectors: upgrade 37.0.2 -> 37.0.3
python3-hatchling: upgrade 1.3.0 -> 1.3.1
python3-hypothesis: upgrade 6.46.11 -> 6.48.2
python3-jsonschema: upgrade 4.6.0 -> 4.6.1
python3-mako: upgrade 1.2.0 -> 1.2.1
python3-pycryptodomex: upgrade 3.14.1 -> 3.15.0
python3-requests: upgrade 2.28.0 -> 2.28.1
python3-setuptools: upgrade 62.5.0 -> 62.6.0
python3-sphinx: upgrade 5.0.0 -> 5.0.2
xcb-proto: upgrade 1.15 -> 1.15.2
procps: restrict version check to 3.x
ncurses: mark upstream version as unknown
wayland: update 1.20.0 -> 1.21.0
Alexandre Belloni (1):
oeqa/selftest/bbtests: Update message lookup for test_git_unpack_nonetwork_fail
Aryaman Gupta (5):
buildstats.py: enable collection of /proc/pressure data
pybootchartgui: render cpu and io pressure
buildstats.bbclass: correct sampling of system stats
buildstats.py: close /proc/pressure/cpu file descriptor
buildperf/base.py: skip reduced_proc_pressure directory
Bruce Ashfield (29):
perf: fix reproducibility in 5.19+
linux-yocto/5.10: update to v5.10.121
linux-yocto/5.15: update to v5.15.46
linux-yocto/5.15: update to v5.15.48
linux-yocto/5.10: update to v5.10.123
linux-yocto-dev: bump to v5.19-rc
linux-yocto/5.15: drop obselete GPIO sysfs ABI
lttng-modules: fix 5.19+ build
kernel-devsrc: fix reproducibility and buildpaths QA warning
linux-yocto/5.15: update to v5.15.52
linux-yocto/5.10: update to v5.10.128
kernel-devsrc: ppc32: fix reproducibility
linux-yocto/5.15: fix qemuppc buildpaths warning
linux-yocto/5.15: fix build_OID_registry buildpaths warning
yocto-bsps: update to v5.10.128 and buildpaths fixes
yocto-bsps: update to v5.15.52 and buildpaths fixes
linux-yocto/5.10: fix build_OID_registry/conmakehash buildpaths warning
linux-yocto/5.10: fix buildpaths issue with gen-mach-types
linux-yocto/5.15: fix buildpaths issue with gen-mach-types
yocto-bsps/5.10: fix buildpaths issue with gen-mach-types
yocto-bsps/5.15: fix buildpaths issue with gen-mach-types
linux-yocto/5.15: update to v5.15.54
linux-yocto/5.15: fix buildpaths issue with pnmtologo
linux-yocto/5.10: update to v5.10.130
linux-yocto/5.10: fix buildpaths issue with pnmtologo
yocto-bsps/5.10: fix buildpaths issue with pnmtologo
yocto-bsps/5.15: fix buildpaths issue with pnmtologo
yocto-bsps: update to v5.15.54
yocto-bsps: update to v5.10.130
Christoph Lauer (1):
package.bbclass: Avoid stripping signed kernel modules in splitdebuginfo
David Bagonyi (1):
sanity.bbclass: Add ftps to accepted URI protocols for mirrors sanity
Dmitry Baryshkov (1):
linux-firmware: upgrade 20220509 -> 20220610
Enrico Scholz (6):
npm: replace 'npm pack' call by 'tar czf'
npm: return content of 'package.json' in 'npm_pack'
npm: take 'version' directly from 'package.json'
npm: disable 'audit' + 'fund'
lib:npm_registry: initial checkin
npm: use npm_registry to cache package
Federico Pellegrin (1):
signing-keys: fix RDEPENDS to signing-keys-dev
Gennaro Iorio (1):
bitbake: fetch2: gitsm: fix incorrect handling of git submodule relative urls
He Zhe (1):
curl: Fix build failure for qemuriscv64
Jacob Kroon (1):
bitbake: bitbake-user-manual: Correct description of the ??= operator
Jose Quaresma (3):
archiver: don't use machine variables in shared recipes
sstate: Use the python3 ThreadPoolExecutor instead of the OE ThreadedPool
oe/utils: remove the ThreadedPool
Joshua Watt (1):
classes/create-spdx: Add SPDX_PRETTY option
Kai Kang (1):
glibc-tests: not clear BBCLASSEXTEND
Khem Raj (2):
libmodule-build-perl: Use env utility to find perl interpreter
ltp: Remove -mfpmath=sse on x86
Luca Ceresoli (1):
llvm: add PACKAGECONFIG[optviewer]
Lucas Stach (1):
perf: sort-pmuevents: really keep array terminators
Marius Kriegerowski (1):
scriptutils: fix style to be more PEP8 compliant
Marta Rybczynska (2):
cve-check: add support for Ignored CVEs
oeqa/selftest/cve_check: add tests for Ignored and partial reports
Martin Jansa (3):
mesa: backport a patch to support compositors without zwp_linux_dmabuf_v1 again
wic: fix WicError message
bitbake: fetch2/git: show SRCREV and git repo in error message about fixed SRCREV
Maxime Roussin-Bélanger (1):
libffi: fix native build being not portable
Michael Halstead (2):
releases: include 3.1.17
releases: include 4.0.2
Michael Opdenacker (18):
rootfs-postcommands.bbclass: correct comments
dev-manual: mention the new CVE patch metrics page
dev-manual: fix references to BitBake user manual
docs: standards.md: add more rules: line wrapping and variables
doc: standard for bulleted lists
ref-manual: add description for the "sysroot" term
manuals: update host tool requirements
ref-manual: document SSTATE_EXCLUDEDEPS_SYSROOT
ref-manual: document SYSTEMD_DEFAULT_TARGET
ref-manual: IMAGE_FEATURES: add allow-root-login and correct allow-empty-password
ref-manual: correct description of empty-root-passwd in IMAGE_FEATURES
bitbake: doc: bitbake-user-manual: add explicit target for crates fetcher
bitbake: doc: bitbake-user-manual: document npm and npmsw fetchers
dev-manual: NPM packages: minor grammar fix
manuals: switch to the sstate mirror shared between all versions
manuals: replace hyphens with em dashes
dev-manual: update section about creating NPM packages
dev-manual: improve screenshot resolution
Ming Liu (3):
udev-extraconf: fix some systemd automount issues
meta: introduce UBOOT_MKIMAGE_KERNEL_TYPE
udev-extraconf:mount.sh: fix path mismatching issues
Mingli Yu (1):
vim: not adjust script pathnames for native scripts either
Muhammad Hamza (6):
initramfs-framework: move storage mounts to actual rootfs
udev-extraconf/mount.sh: add LABELs to mountpoints
udev-extraconf/mount.sh: save mount name in our tmp filecache
udev-extraconf/mount.sh: only mount devices on hotplug
udev-extraconf: force systemd-udevd to use shared MountFlags
udev-extraconf/mount.sh: ignore lvm in automount
Nick Potenski (1):
systemd: systemd-systemctl: Support instance conf files during enable
Ola x Nilsson (1):
bitbake: ConfHandler: Remove lingering close
Pascal Bach (1):
bin_package: install into base_prefix
Paul Eggleton (4):
devtool: ignore pn- overrides when determining SRC_URI overrides
patch: handle if S points to a subdirectory of a git repo
devtool: finish: handle patching when S points to subdir of a git repo
oe-selftest: devtool: test modify git recipe building from a subdir
Paulo Neves (14):
python: Avoid shebang overflow on python-config.py
gtk-doc: Fix potential shebang overflow on gtkdoc-mkhtml2
ref-manual: SYSTEMD_SERVICE allows multiple services
ref-manual: SYSTEMD_SERVICE overrides depend on SYSTEMD_PACKAGES
insane.bbclass: Make do_qa_staging check shebangs
oeqa/selftest: Add test for shebang overflow
oeqa/selftest: Test staged .la and .pc files
utils: Add cmdline_shebang_wrapper util.
libcheck: Fix too long shebang for native case.
utils: create_cmdline_shebang_wrapper whitespace and sed refactor
utils: create_cmdline_shebang_wrapper preserve permission and ownership
oeqa/sysroot.py: Check bitbake return status
bitbake: fetch: bb.fatal when trying to checksum non-existing files
oeqa: test_invalid_recipe_src_uri expect parse time error
Pavel Zhukov (4):
systemd: Add missed sys/file.h includes for musl
systemd: Rebase patches on v251
bitbake: tests/fetch: Add test for broken mirror tarball
systemd: update upstream status of merged patches
Peter Bergin (2):
systemd: add packageconfig for sysext
rust: fix issue building cross-canadian tools for aarch64 on x86_64
Peter Kjellerstedt (2):
ref-manual: Add documentation for INCOMPATIBLE_LICENSE_EXCEPTIONS
base.bbclass: Correct the test for obsolete license exceptions
Peter Marko (1):
alsa-state: correct license
Pgowda (1):
binutils : CVE-2019-1010204
Quentin Schulz (3):
docs: releases: move hardknott and honister to outdated section
docs: conf.py: bump minimum Sphinx version requirement
Revert "docs: conf.py: fix cve extlinks caption for sphinx <4.0"
Raju Kumar Pothuraju (2):
runqemu: add QB_KERNEL_CMDLINE
kernel-uboot.bbclass: Use vmlinux.initramfs when INITRAMFS_IMAGE_BUNDLE set
Richard Purdie (42):
gcc-source: Fix incorrect task dependencies from ${B}
vim: Upgrade 8.2.5034 -> 8.2.5083
local.conf.sample: Update sstate url to new 'all' path
ref/dev-manual: Update multiconfig documentation
oeqa/runtime/scp: Disable scp test for dropbear
unzip: Port debian fixes for two CVEs
elfutils/flex: Disable parallel make ptest compile
bitbake: server/process: Fix logging issues where only the first message was displayed
coreutils: Tweak packaging variable names for coreutils-dev
packagegroup-core-ssh-dropbear: Add openssh-sftp-server recommendation
bitbake.conf/recipes: Introduce add DEV_PKG_DEPENDENCY to change RDEPENDS:${PN}-dev
bitbake.conf: Change -dev RDEPENDS to RRECOMMENDS
vim: 8.2.5083 -> 9.0.0005
ncurses: 6.3 -> 6.3+20220423
oe-selftest-image: Ensure the image has sftp as well as dropbear
cve-extra-exclusions: Clean up and ignore three CVEs (2xqemu and nasm)
openssl: Upgrade 3.0.3 -> 3.0.4
insane: Fix buildpaths test to work with special devices
go: Filter build paths on staticly linked arches
glibc-tests: Avoid reproducibility issues
gperf: Add a patch to work around reproducibility issues
bitbake: ConfHandler/BBHandler: Improve comment error messages and add tests
icon-naming-utils: Resurrect for sato-icon-theme
sato-icon-theme: Add back with support for scalable icons
lua: Fix multilib buildpath reproducibility issues
vala: Fix on target wrapper buildpaths issue
gtk-doc: Remove hardcoded buildpath
gperf: Switch to upstream patch
qemu: Avoid accidental librdmacm linkage
kernel-arch: Fix buildpaths leaking into external module compiles
qemu: Fix slirp determinism issue
qemu: Add PACKAGECONFIG for brlapi
gcc-runtime: Fix build when using gold
insane: Add buildpaths to WARN_QA by default
insane: Reword staging to refer to populate_sysroot
bitbake: fetch2: Ensure directory exists before creating symlink
bitbake: fetch2: Drop DL_DIR fallback for local file fetcher
oeqa/selftest/sstatetests: Update test to work with bitbake changes
gcc-runtime: Fix missing MLPREFIX in debug mappings
insane: Drop debug exclusion from buildpaths test
selftest/runtime_test/virgl: Disable for all almalinux
local.conf.sample: Mention other MACHINE options may exist
Robert Joslyn (1):
curl: Update to 7.84.0
Ross Burton (24):
python3: fix a race condition in the test_socket.testSockName test
Add python3-editables (from meta-python)
Add python3-pathspec (from meta-python)
Add python3-hatchling (from meta-oe)
python3-hatch-vcs: add new recipe
python3-jsonschema: upgrade 4.5.1 -> 4.6.0
package_manager: Change complementary package handling to not include soft dependencies
cups: ignore CVE-2022-26691
cve-check: hook cleanup to the BuildCompleted event, not CookerExit
busybox: fix CVE-2022-30065
ncurses: use GitHub mirror, not Debian's packaging
ltp: remove open-posix-testsuite build logs
tiff: backport the fix for CVE-2022-2056, CVE-2022-2057, and CVE-2022-2058
perl: don't install Makefile.old into perl-ptest
vim: upgrade to 9.0.0021
ltp: fix builds when host ld doesn't know about target ELF formats
python3-setuptools-scm: add missing python3-typing-extensions dependency
python3-flit-core: bootstrap explicitly
python3-installer: bootstrap by installing installer with installer
python3-picobuild: add new recipe
python_pep517: use picobuild instead of manually calling the API
classes: remove obsolete PEP517_BUILD_API
python3-hatchling: remove PEP517_BUILD_API
documentation: remove obsolete PEP517_BUILD_API
Steve Sakoman (3):
qemu: add PACKAGECONFIG for capstone
qemu: Avoid accidental libvdeplug linkage
ruby: add PACKAGECONFIG for capstone
Sundeep KOKKONDA (2):
glibc: stable 2.35 branch updates
binutils : stable 2.38 branch updates
Thomas Perrot (1):
opensbi: Update to v1.1
Thomas Roos (1):
recipetool/devtool: Fix python egg whitespace issues in PACKAGECONFIG
Xu Huan (2):
python3: upgrade 3.10.4 -> 3.10.5
python3-magic: upgrade 0.4.26 -> 0.4.27
Yi Zhao (2):
popt: fix override syntax in RDEPENDS
git: fix override syntax in RDEPENDS
Yogesh Tyagi (2):
testimage : remove curl-ptest from rpm index
curl : Add ptest
Yue Tao (1):
gnupg: upgrade to 2.3.7 to fix CVE-2022-34903
Yulong (Kevin) Liu (1):
python3-pyasn1: Eliminated ptest deprecation warnings
aatir (1):
docs: make DISTRO_FEATURES description more explicit
niko.mauno@vaisala.com (3):
ptest.bbclass: Honor PARALLEL_MAKE, PARALLEL_MAKEINST
valgrind: Drop redundant oe_runmake parameter
strace: Drop redundant oe_runmake parameter
pgowda (1):
gcc: Backport a fix for gcc bug 105039
ssuesens (3):
weston.py: added xwayland test
weston.init: enabled xwayland
xwayland.weston-start: adaption of X11-unix folder
wangmy (57):
btrfs-tools: upgrade 5.18 -> 5.18.1
ethtool: upgrade 5.17 -> 5.18
file: upgrade 5.41 -> 5.42
libx11: upgrade 1.8 -> 1.8.1
lighttpd: upgrade 1.4.64 -> 1.4.65
gnu-config: update to latest version
musl-obstack: upgrade 1.1 -> 1.2
piglit: upgrade to latest revision
stress-ng: upgrade 0.14.01 -> 0.14.02
erofs-utils: upgrade 1.4 -> 1.5
alsa-lib: upgrade 1.2.7 -> 1.2.7.1
alsa-plugins: upgrade 1.2.6 -> 1.2.7.1
alsa-ucm-conf: upgrade 1.2.7 -> 1.2.7.1
bind: upgrade 9.18.3 -> 9.18.4
kbd: upgrade 2.5.0 -> 2.5.1
libproxy: upgrade 0.4.17 -> 0.4.18
python3-dbusmock: upgrade 0.27.5 -> 0.28.0
sbc: upgrade 1.5 -> 2.0
strace: upgrade 5.17 -> 5.18
python3-chardet: upgrade 4.0.0 -> 5.0.0
python3-importlib-metadata: upgrade 4.11.4 -> 4.12.0
python3-babel: upgrade 2.10.1 -> 2.10.3
python3-certifi: upgrade 2022.5.18.1 -> 2022.6.15
python3-dbusmock: upgrade 0.28.0 -> 0.28.1
python3-numpy: upgrade 1.22.4 -> 1.23.0
python3-pycryptodome: upgrade 3.14.1 -> 3.15.0
dmidecode: upgrade 3.3 -> 3.4
git: upgrade 2.36.1 -> 2.37.0
harfbuzz: upgrade 4.3.0 -> 4.4.0
speexdsp: upgrade 1.2.0 -> 1.2.1
speex: upgrade 1.2.0 -> 1.2.1
repo: upgrade 2.26 -> 2.27
sqlite3: upgrade 3.38.5 -> 3.39.0
sudo: upgrade 1.9.11p2 -> 1.9.11p3
createrepo-c: upgrade 0.20.0 -> 0.20.1
gst-devtools: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-libav: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-omx: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-plugins-bad: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-plugins-base: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-plugins-good: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-plugins-ugly: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-python: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-rtsp-server: upgrade 1.20.2 -> 1.20.3
gstreamer1.0-vaapi: upgrade 1.20.2 -> 1.20.3
inetutils: upgrade 2.2 -> 2.3
python3-atomicwrites: upgrade 1.4.0 -> 1.4.1
python3-cryptography: upgrade 37.0.3 -> 37.0.4
python3-cryptography-vectors: upgrade 37.0.3 -> 37.0.4
python3-hatchling: upgrade 1.3.1 -> 1.5.0
python3-imagesize: upgrade 1.3.0 -> 1.4.1
python3-jsonschema: upgrade 4.6.1 -> 4.7.1
python3-numpy: upgrade 1.23.0 -> 1.23.1
python3-typing-extensions: upgrade 4.2.0 -> 4.3.0
python3-urllib3: upgrade 1.26.9 -> 1.26.10
init-system-helpers: upgrade 1.63 -> 1.64
dpkg: upgrade 1.21.8 -> 1.21.9
meta-security: 8c6fe006a1..7ad5f6a9da:
Armin Kuster (32):
apparmor: fix ownership issues
sssd:move to dynamic networking-layer
layer.conf:add meta-netorking to BBFILES_DYNAMIC
packagegroup-core-security: drop sssd
packagegroup-core-security.bbappend: add sssd
oeqa: fix checksec runtime test
sssd: use example conf file
oeqa: sssd.py fix tests
sssd: update to 2.7.1
security-test-image: auto include layers if present.
smack-test: more py3 covertion
oeqa: update smack runtime test
aide: add a few more config options
oeqa: add aide test
libmhash: add native pkg support
classes: add aide routines
aide: add native support for build time db creation
aide.conf: adjust to allow for build time db creation
firejail: Add new package
oeqa: Add a very basic firejail test
packagegroup-core-security: add firejail
security-test-image: add firejail and aide test suites
oeqa/clamav drop depricated --list-mirror test
oeqa: meta-tpm shut swtpm down before and after testing
oeqa: shut done swtpm before and after testing
ccs-tools: update to 1.8.9
lynis: update to 3.0.8
README: update email address
packagegroup-core-security: skip mips firejail
chipsec: update to 1.8.5
security-build-image: add lkrg-module to build image
lkrg: update to 0.9.3
Jeremy A. Puhlman (2):
clamav: make install owner match the added user name
python3-privacyidea: add correct path to lib/privacyidea
Jose Quaresma (1):
meta-integrity: kernel-modsign: prevents splitting out debug symbols
Yi Zhao (1):
aide: fix typo
meta-openembedded: 11df15765c..31c10bd3e6:
Adrian Freihofer (3):
firewalld: update to 1.1.1 fixes ptest
firewalld: upgrade 1.1.1 -> 1.2.0
libqmi: upgrade 1.30.4 -> 1.30.8
Akash Hadke (2):
ntfs-3g-ntfsprogs: Set CVE_PRODUCT to "tuxera:ntfs-3g"
iperf: Set CVE_PRODUCT to "iperf_project:iperf"
Alex Kiernan (2):
jansson: Upgrade 2.13.1 -> 2.14
nftables: Upgrade 1.0.2 -> 1.0.4
Alex Stewart (1):
openvpn: distribute sample-config-files
Andreas Müller (1):
glmark2: Build with meson
Andrej Valek (1):
poco: upgrade 1.11.3 -> 1.12.0
Andrew Davis (1):
libsdl: The libsdl and libsdl2 are not virtual
Ashish Sharma (1):
netserver: don't change permissions on /dev/null
Aurélien Bertron (1):
fix(syslog-ng): warning about conf version
Bartosz Golaszewski (1):
python3-pybluez: fix a runtime issue with python 3.10
Ben Powell (1):
python3-can: Add typing-extensions dependency
Changqing Li (3):
chrony: create /var/lib/chrony by systemd-tmpfiles
redis: upgrade 6.2.6 -> 6.2.7
redis: upgrade 7.0.0 to 7.0.2
Chen Qi (2):
apache2: split out a new package apache2-utils
ntfs-3g-ntfsprogs: upgrade to 2022.5.17
Daide Li (1):
python3-iperf: initial add 0.1.11
Davide Gardenal (9):
usrsctp: add CVE_VERSION to correctly check for CVEs
ntp: ignore many CVEs
openflow: ignore CVE-2018-1078
emlog: ignore unrelated CVEs
imagemagick: upgrade 7.0.10-25 -> 7.0.10-62
wireshark: upgrade 3.4.11 -> 3.4.12
thrift: add CVE_PRODUCT to fix CVE reporting
spice: ignore patched CVEs
quagga: ignore CVE-2016-4049
Fabien Parent (1):
gpsd-machine-conf: allow creation of an empty package
Harshal (1):
lldpd: upgrade 1.0.8 -> 1.0.14
Hitendra Prajapati (1):
cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands
Jan Vermaete (1):
netdata: version bump 1.34.1 -> 1.35.0
Javier Viguera (1):
networkmanager: fix build with enabled ppp
Jeremy Puhlman (1):
freeradius: mutlilib fixes
Jonas Gorski (1):
abseil-cpp: do not enforce -mfpu=neon on arm
Kai Kang (4):
libdbi-perl: fix interpreter on shebang line
libdev-checklib-perl: fix interpreter of script use-devel-checklib
libparse-yapp-perl: update interpreter of yapp
python3-flatbuffer: enable native
Khem Raj (8):
libxml++: Disable parallel make in ptest compile
geos: Disable inlining
php: Fix absolute paths to php in phar.phar scripts
libspiro: Add recipe
fontforge: Upgrade to 20220308
opencv: Link with libatomic on mips
fontforge: Use alternate way to detect libm
opencv: Link with libatomic on rv32
Leon Anavi (19):
python3-traitlets: Upgrade 5.2.1 -> 5.3.0
python3-humanize: Upgrade 4.1.0 -> 4.2.0
python3-autobahn: Upgrade 22.4.2 -> 22.5.1
python3-elementpath: Upgrade 2.5.0 -> 2.5.3
python3-eth-hash: Upgrade 0.3.2 -> 0.3.3
python3-serpent: Upgrade 1.40 -> 1.41
python3-web3: Upgrade 5.29.1 -> 5.29.2
python3-pika: Upgrade 1.2.1 -> 1.3.0
python3-tabulate: Upgrade 0.8.9 -> 0.8.10
python3-marshmallow: Upgrade 3.15.0 -> 3.17.0
python3-pychromecast: Upgrade 12.1.3 -> 12.1.4
python3-humanize: Upgrade 4.2.0 -> 4.2.3
python3-tornado: Upgrade 6.1 -> 6.2
python3-coverage: Upgrade 6.3.2 -> 6.4.1
python3-email-validator: Upgrade 1.1.3 -> 1.2.1
python3-networkx: Upgrade 2.7.1 -> 2.8.4
python3-unidiff: Upgrade 0.7.3 -> 0.7.4
python3-toolz: Upgrade 0.11.2 -> 0.12.0
python3-ansi2html: Upgrade 1.7.0 -> 1.8.0
Marcus Flyckt (1):
python3-pyconnman: Add 'future' runtime dependency
Markus Volk (1):
flatbuffers: update to 2.0.6
Martin Jansa (3):
glmark2: fix compatibility with python-3.11
leveldb: switch from master branch to main
tesseract-lang: switch from master branch to main
Mikko Rapeli (1):
polkit: switch back to mozjs but leave duktape as PACKAGECONFIG option
Mingli Yu (3):
kronosnet: Fix build with gcc-12
s-nail: Fix build with gcc-12
mariadb: Upgrade to 10.8.3
Pascal Bach (1):
python3-pybind11: upgrade 2.8.1 -> 2.9.2
Peter Kjellerstedt (1):
cryptsetup: Add support for building without SSH tokens
Ross Burton (5):
python3-cbor2: upgrade 5.4.2 to 5.4.3
cppzmq: fix -dev RDEPENDS
python3-hatchling: remove (now in oe-core)
python3-pathspec: remove (now in oe-core)
python3-editables: remove (now in oe-core)
Sakib Sajal (1):
minicoredumper: retry elf parsing as long as needed
Theodore A. Roth (1):
crda: Depend on correct wireless-regdb package
Wentao Zhang (1):
protobuf-c: update to 1.4.1 fix CVE-2022-33070
Xu Huan (20):
python3-lxml: upgrade 4.8.0 -> 4.9.0
python3-msgpack: upgrade 1.0.3 -> 1.0.4
python3-protobuf: upgrade 3.20.1 -> 4.21.1
python3-mypy: upgrade 0.960 -> 0.961
python3-pylint: upgrade 2.13.9 -> 2.14.1
python3-smbus2: upgrade 0.4.1 -> 0.4.2
python3-pillow: upgrade 9.0.1 -> 9.1.1
python3-pychromecast: upgrade 12.1.2 -> 12.1.3
python3-pylint: upgrade 2.14.1 -> 2.14.3
python3-pyscaffold: upgrade 4.2.2 -> 4.2.3
python3-redis: upgrade 4.3.1 -> 4.3.3
python3-aiohue: upgrade 4.4.1 -> 4.4.2
python3-astroid: upgrade 2.11.5 -> 2.11.6
python3-charset-normalizer: upgrade 2.0.12 -> 2.1.0
python3-colorama: upgrade 0.4.4 -> 0.4.5
python3-eth-typing: upgrade 3.0.0 -> 3.1.0
python3-autobahn: upgrade 22.5.1 -> 22.6.1
python3-awesomeversion: upgrade 22.5.2 -> 22.6.0
python3-grpcio: upgrade 1.45.0 -> 1.47.0
python3-lxml: upgrade 4.9.0 -> 4.9.1
Yi Zhao (12):
openldap: pass correct URANDOM_DEVICE to CPPFLAGS
openvpn: eliminate build path from openvpn --version option
grubby: fix syntax for ALTERNATIVE
duktape: fix override syntax in RDEPENDS
polkit-group-rule-udisks2: fix override syntax in RDEPENDS
libcrypt-openssl-guess-perl: fix syntax for PROVIDES
evince: fix typo for RRECOMMENDS
blueman: fix typo for RRECOMMENDS
dnsmasq: Security fix CVE-2022-0934
strongswan: upgrade 5.9.5 -> 5.9.6
openvpn: add PACKAGECONFIG for systemd
openvpn: add PACKAGECONFIG for selinux
Yue Tao (2):
exo: upgrade 4.16.3 -> 4.16.4
dlt-daemon: upgrade to commit 6a3bd901d8 to fix CVE-2022-31291
Zoltán Böszörményi (5):
opencv: Upgrade to version 4.6.0
proj: Upgrade to 8.2.1
python3-pyproj: New recipe for pyproj version 3.3.1
geos: Upgrade to 3.9.3
libspatialite: Upgrade to 5.0.1
jybros (1):
clinfo: use virtual opencl loader provider
wangmy (72):
python3-cantools: upgrade 37.0.7 -> 37.1.0
python3-regex: upgrade 2022.4.24 -> 2022.6.2
python3-sqlalchemy: upgrade 1.4.36 -> 1.4.37
python3-twine: upgrade 4.0.0 -> 4.0.1
python3-waitress: upgrade 2.1.1 -> 2.1.2
python3-xmlschema: upgrade 1.11.0 -> 1.11.1
gspell: upgrade 1.10.0 -> 1.11.1
ctags: upgrade 5.9.20220529.0 -> 5.9.20220605.0
feh: upgrade 3.8 -> 3.9
inotify-tools: upgrade 3.22.1.0 -> 3.22.6.0
apache2: upgrade 2.4.53 -> 2.4.54
libnftnl: upgrade 1.2.1 -> 1.2.2
nbdkit: upgrade 1.31.7 -> 1.31.8
irssi: upgrade 1.2.3 -> 1.4.1
musl-nscd: upgrade 1.0.2 -> 1.1.0
rdma-core: upgrade 40.0 -> 41.0
snort: upgrade 2.9.19 -> 2.9.20
php: upgrade 8.1.6 -> 8.1.7
poco: upgrade 1.11.2 -> 1.11.3
pyxdg: upgrade 0.27 -> 0.28
syslog-ng: upgrade 3.36.1 -> 3.37.1
dnf-plugin-tui: Added postatinstall
python3-dill: upgrade 0.3.4 -> 0.3.5.1
python3-robotframework-seriallibrary: upgrade 0.3.1 -> 0.4.3
python3-ujson: upgrade 5.1.0 -> 5.3.0
python3-watchdog: upgrade 2.1.8 -> 2.1.9
python3-websocket-client: upgrade 1.3.2 -> 1.3.3
gnome-commander: upgrade 1.14.2 -> 1.14.3
libwacom: upgrade 2.2.0 -> 2.3.0
nbdkit: upgrade 1.31.8 -> 1.31.9
googletest: upgrade 1.11.0 -> 1.12.0
gperftools: upgrade 2.9.1 -> 2.10
iwd: upgrade 1.27 -> 1.28
libzip: upgrade 1.8.0 -> 1.9.0
postgresql: upgrade 14.3 -> 14.4
uftrace: upgrade 0.11 -> 0.12
python3-googleapis-common-protos: upgrade 1.56.2 -> 1.56.3
python3-ifaddr: upgrade 0.1.7 -> 0.2.0
python3-jmespath: upgrade 1.0.0 -> 1.0.1
python3-pandas: upgrade 1.4.2 -> 1.4.3
python3-zeroconf: upgrade 0.38.6 -> 0.38.7
geocode-glib: upgrade 3.26.2 -> 3.26.3
gnome-bluetooth: upgrade 42.0 -> 42.1
gnome-calculator: upgrade 42.0 -> 42.2
gnome-text-editor: upgrade 42.1 -> 42.2
gtk4: upgrade 4.6.4 -> 4.6.6
gtksourceview5: upgrade 5.4.1 -> 5.4.2
gvfs: upgrade 1.50.0 -> 1.50.2
abseil-cpp: upgrade 20211102 -> 20220623
capnproto: upgrade 0.9.1 -> 0.10.2
ctags: upgrade 5.9.20220605.0 -> 5.9.20220703.0
fwupd: upgrade 1.7.6 -> 1.8.1
googletest: upgrade 1.12.0 -> 1.12.1
nautilus: upgrade 42.1.1 -> 42.2
nbdkit: upgrade 1.31.9 -> 1.31.10
openconnect: upgrade 8.20 -> 9.01
bats: upgrade 1.6.1 -> 1.7.0
cloc: upgrade 1.92 -> 1.94
hwdata: upgrade 0.360 -> 0.361
libvpx: upgrade 1.11.0 -> 1.12.0
libzip: upgrade 1.9.0 -> 1.9.2
pegtl: upgrade 3.2.5 -> 3.2.6
phoronix-test-suite: upgrade 10.8.3 -> 10.8.4
poppler: upgrade 22.06.0 -> 22.07.0
netdata: upgrade 1.35.0 -> 1.35.1
evince: upgrade 42.2 -> 42.3
gjs: upgrade 1.72.0 -> 1.72.1
gnome-bluetooth: upgrade 42.1 -> 42.2
libadwaita: upgrade 1.1.1 -> 1.1.2
liburing: upgrade 2.1 -> 2.2
libcrypt-openssl-rsa-perl: upgrade 0.32 -> 0.33
libencode-perl: upgrade 3.17 -> 3.18
zhengruoqin (23):
python3-absl: upgrade 1.0.0 -> 1.1.0
python3-alembic: upgrade 1.7.7 -> 1.8.0
python3-asyncinotify: upgrade 2.0.3 -> 2.0.4
python3-crc32c: upgrade 2.2.post0 -> 2.3
python3-msk: upgrade 0.3.16 -> 0.4.0
python3-bitstruct: upgrade 8.14.1 -> 8.15.1
python3-google-api-python-client: upgrade 2.49.0 -> 2.50.0
python3-google-auth: upgrade 2.6.6 -> 2.7.0
python3-xmlschema: upgrade 1.11.1 -> 1.11.2
python3-flask-wtf: upgrade 0.15.1 -> 1.0.1
python3-gnupg: upgrade 0.4.8 -> 0.4.9
python3-google-api-python-client: upgrade 2.50.0 -> 2.51.0
python3-kiwisolver: upgrade 1.4.2 -> 1.4.3
python3-nmap: upgrade 1.5.1 -> 1.5.4
python3-asyncinotify: upgrade 2.0.4 -> 2.0.5
python3-google-auth: upgrade 2.7.0 -> 2.8.0
python3-protobuf: upgrade 4.21.1 -> 4.21.2
python3-sqlalchemy: upgrade 1.4.37 -> 1.4.39
python3-xmlschema: upgrade 1.11.2 -> 1.11.3
python3-engineio: upgrade 4.3.2 -> 4.3.3
python3-google-api-core: upgrade 2.8.0 -> 2.8.2
python3-google-auth: upgrade 2.8.0 -> 2.9.0
python3-grpcio-tools: upgrade 1.46.3 -> 1.47.0
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I22f0dab7f3253d77cc99fd462c6be45ddeb333cd
diff --git a/meta-security/classes/aide-base.bbclass b/meta-security/classes/aide-base.bbclass
new file mode 100644
index 0000000..36cc454
--- /dev/null
+++ b/meta-security/classes/aide-base.bbclass
@@ -0,0 +1,11 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+
+STAGING_AIDE_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/aida"
+AIDE_INCLUDE_DIRS ?= "/lib"
+AIDE_SKIP_DIRS ?= "/lib/modules/.\*"
+
+AIDE_SCAN_POSTINIT ?= "0"
+AIDE_RESCAN_POSTINIT ?= "0"
+
diff --git a/meta-security/classes/aide-db-init.bbclass b/meta-security/classes/aide-db-init.bbclass
new file mode 100644
index 0000000..800006f
--- /dev/null
+++ b/meta-security/classes/aide-db-init.bbclass
@@ -0,0 +1,52 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+# This class creates the initial aide database durning
+# the build cycle allowing for that set being skipped during boot
+# It has an additional benefit of having not being tamper with
+# after build.
+#
+# To have the aide db created during build
+# 1. Extend local.conf:
+# INHERIT += "adie-init-db"
+#
+# These are the defaults as defined in aide-base.bbclass
+# They can be overriden in your local.conf or other distro include
+#
+# To define where the share directory should be.
+# STAGING_AIDE_DIR = "${TMPDIR}/work-shared/${MACHINE}/aida"
+#
+# To define which directories should be inclued in a scan
+# AIDE_INCLUDE_DIRS ?= "/lib"
+#
+# To exclude directories and files from being scanned
+# AIDE_SKIP_DIRS ?= "/lib/modules/.\*"
+#
+# To controll if a db init should happen at postint
+# AIDE_SCAN_POSTINIT ?= "0"
+#
+# To cotroll if a db recan should be run at postinit
+# AIDE_RESCAN_POSTINIT ?= "0"
+
+inherit aide-base
+
+aide_init_db() {
+ for dir in ${AIDE_INCLUDE_DIRS}; do
+ echo "${IMAGE_ROOTFS}${dir} NORMAL" >> ${STAGING_AIDE_DIR}/aide.conf
+ done
+ for dir in ${AIDE_SKIP_DIRS}; do
+ echo "!${IMAGE_ROOTFS}${dir}" >> ${STAGING_AIDE_DIR}/aide.conf
+ done
+
+
+ ${STAGING_AIDE_DIR}/bin/aide -c ${STAGING_AIDE_DIR}/aide.conf --init
+ gunzip ${STAGING_AIDE_DIR}/lib/aide.db.gz
+ # strip out native path
+ sed -i -e 's:${IMAGE_ROOTFS}::' ${STAGING_AIDE_DIR}/lib/aide.db
+ gzip -9 ${STAGING_AIDE_DIR}/lib/aide.db
+ cp -f ${STAGING_AIDE_DIR}/lib/aide.db.gz ${IMAGE_ROOTFS}${libdir}/aide
+}
+
+EXTRA_IMAGEDEPENDS:append = " aide-native"
+
+ROOTFS_POSTPROCESS_COMMAND:append = " aide_init_db;"
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index fa7d79e..470c7f6 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -18,6 +18,8 @@
perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bbappend \
meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bb \
meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bbappend \
+ networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/recipes-*/*/*.bb \
+ networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/recipes-*/*/*.bbappend \
"
# Sanity check for meta-security layer.
diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb
index 40f6d15..8b6af5e 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb
@@ -19,7 +19,7 @@
USERADD_PARAM:${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \
--shell /bin/false privacyidea"
-FILES:${PN} += " ${prefix}/etc/privacyidea/* ${datadir}/lib/privacyidea/*"
+FILES:${PN} += " ${prefix}/etc/privacyidea/* ${prefix}/lib/privacyidea/*"
RDEPENDS:${PN} += " bash perl freeradius-mysql freeradius-utils"
diff --git a/meta-security/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend b/meta-security/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend
new file mode 100644
index 0000000..6bafd9f
--- /dev/null
+++ b/meta-security/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend
@@ -0,0 +1,4 @@
+
+RDEPENDS:packagegroup-security-utils += "\
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
+"
diff --git a/meta-security/recipes-security/sssd/files/drop_ntpdate_chk.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
similarity index 100%
rename from meta-security/recipes-security/sssd/files/drop_ntpdate_chk.patch
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
diff --git a/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
similarity index 100%
rename from meta-security/recipes-security/sssd/files/fix-ldblibdir.patch
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
diff --git a/meta-security/recipes-security/sssd/files/fix_gid.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
similarity index 87%
rename from meta-security/recipes-security/sssd/files/fix_gid.patch
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
index 9b481cc..419b83f 100644
--- a/meta-security/recipes-security/sssd/files/fix_gid.patch
+++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
@@ -12,10 +12,10 @@
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Index: sssd-2.5.0/src/util/debug.h
+Index: sssd-2.7.1/src/util/debug.h
===================================================================
---- sssd-2.5.0.orig/src/util/debug.h
-+++ sssd-2.5.0/src/util/debug.h
+--- sssd-2.7.1.orig/src/util/debug.h
++++ sssd-2.7.1/src/util/debug.h
@@ -24,6 +24,8 @@
#include "config.h"
@@ -23,5 +23,5 @@
+#include <unistd.h>
+#include <sys/types.h>
#include <stdbool.h>
+ #include <sys/types.h>
- #include "util/util_errors.h"
diff --git a/meta-security/recipes-security/sssd/files/musl_fixup.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
similarity index 100%
rename from meta-security/recipes-security/sssd/files/musl_fixup.patch
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
diff --git a/meta-security/recipes-security/sssd/files/no_gen.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
similarity index 72%
rename from meta-security/recipes-security/sssd/files/no_gen.patch
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
index 5c83777..7d8e80b 100644
--- a/meta-security/recipes-security/sssd/files/no_gen.patch
+++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
@@ -4,11 +4,11 @@
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Index: sssd-2.5.0/Makefile.am
+Index: sssd-2.7.1/Makefile.am
===================================================================
---- sssd-2.5.0.orig/Makefile.am
-+++ sssd-2.5.0/Makefile.am
-@@ -1033,8 +1033,6 @@ generate-sbus-code:
+--- sssd-2.7.1.orig/Makefile.am
++++ sssd-2.7.1/Makefile.am
+@@ -1023,8 +1023,6 @@ generate-sbus-code:
.PHONY: generate-sbus-code
diff --git a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
new file mode 100644
index 0000000..1e8b537
--- /dev/null
+++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
@@ -0,0 +1,15 @@
+[sssd]
+services = nss, pam
+domains = shadowutils
+
+[nss]
+
+[pam]
+
+[domain/shadowutils]
+id_provider = files
+
+auth_provider = proxy
+proxy_pam_target = sssd-shadowutils
+
+proxy_fast_alias = True
diff --git a/meta-security/recipes-security/sssd/files/volatiles.99_sssd b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
similarity index 100%
rename from meta-security/recipes-security/sssd/files/volatiles.99_sssd
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
diff --git a/meta-security/recipes-security/sssd/sssd_2.5.2.bb b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
similarity index 85%
rename from meta-security/recipes-security/sssd/sssd_2.5.2.bb
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
index 9f1d627..71f14a0 100644
--- a/meta-security/recipes-security/sssd/sssd_2.5.2.bb
+++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
@@ -5,8 +5,9 @@
LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS:append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit"
+DEPENDS = "acl attr cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS:append = " libldb dbus libtalloc libpcre2 glib-2.0 popt e2fsprogs libtevent"
+DEPENDS:append = " openldap bind p11-kit jansson softhsm openssl libunistring"
DEPENDS:append:libc-musl = " musl-nscd"
@@ -23,10 +24,9 @@
file://drop_ntpdate_chk.patch \
file://fix-ldblibdir.patch \
file://musl_fixup.patch \
- file://CVE-2021-3621.patch \
"
-SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
+SRC_URI[sha256sum] = "8eebd541a640aec95ed4b2da89713f0cbe8e4edf96895fbb972c0b9d570635c3"
inherit autotools pkgconfig gettext python3-dir features_check systemd
@@ -39,7 +39,7 @@
ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
"
-PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
+PACKAGECONFIG ?="nss autofs sudo infopipe"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
@@ -49,8 +49,8 @@
PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
PACKAGECONFIG[nss] = ", ,nss,"
+PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
@@ -65,7 +65,6 @@
--without-python2-bindings \
--enable-pammoddir=${base_libdir}/security \
--without-python2-bindings \
- --without-secrets \
--with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
--with-pid-path=/run \
"
@@ -74,8 +73,8 @@
mkdir -p ${AUTOTOOLS_AUXDIR}/build
cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
- # libresove has host path, remove it
- sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+ # additional_libdir defaults to /usr/lib so replace with staging_libdir globally
+ sed -i -e "s#\$additional_libdir#\${STAGING_LIBDIR}#" ${S}/src/build_macros.m4
}
do_compile:prepend () {
@@ -84,7 +83,11 @@
do_install () {
oe_runmake install DESTDIR="${D}"
rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
+
install -d ${D}/${sysconfdir}/${BPN}
+ install -d ${D}/${PYTHON_SITEPACKAGES_DIR}
+ mv ${D}/${BPN} ${D}/${PYTHON_SITEPACKAGES_DIR}
+
install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
# /var/log/sssd needs to be created in runtime. Use rmdir to catch if
@@ -106,6 +109,7 @@
# Remove /run as it is created on startup
rm -rf ${D}/run
+# rm -fr ${D}/sssd
rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
}
@@ -116,8 +120,6 @@
chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
}
-FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
-
CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
INITSCRIPT_NAME = "sssd"
@@ -141,10 +143,13 @@
ALLOW_EMPTY:libsss-sudo = "1"
FILES:${PN} += "${base_libdir}/security/pam_sss*.so \
+ ${nonarch_libdir}/tmpfiles.d \
${datadir}/dbus-1/system-services/*.service \
${libdir}/krb5/* \
${libdir}/ldb/* \
+ ${PYTHON_SITEPACKAGES_DIR}/sssd \
"
+
FILES:libsss-sudo = "${libdir}/libsss_sudo.so"
RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"
diff --git a/meta-security/lib/oeqa/runtime/cases/aide.py b/meta-security/lib/oeqa/runtime/cases/aide.py
new file mode 100644
index 0000000..4c7633c
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/aide.py
@@ -0,0 +1,26 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class AideTest(OERuntimeTestCase):
+
+ @OEHasPackage(['aide'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_aide_help(self):
+ status, output = self.target.run('aide --help')
+ msg = ('Aide help command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['aide.AideTest.test_aide_help'])
+ def test_aide_dbinit(self):
+ status, output = self.target.run('aide --init')
+ match = re.search('Number of entries:', output)
+ if not match:
+ msg = ('Aide db init failed: output is:\n%s' % output)
+ self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/checksec.py b/meta-security/lib/oeqa/runtime/cases/checksec.py
index e46744c..53e6c1d 100644
--- a/meta-security/lib/oeqa/runtime/cases/checksec.py
+++ b/meta-security/lib/oeqa/runtime/cases/checksec.py
@@ -19,7 +19,7 @@
@OETestDepends(['checksec.CheckSecTest.test_checksec_help'])
def test_checksec_xml(self):
- status, output = self.target.run('checksec --format xml --proc-all')
+ status, output = self.target.run('checksec --format=xml --proc=1')
msg = ('checksec xml failed. Output: %s' % output)
self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py
index cf83937..e0cad8f 100644
--- a/meta-security/lib/oeqa/runtime/cases/clamav.py
+++ b/meta-security/lib/oeqa/runtime/cases/clamav.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com>
#
import re
from tempfile import mkstemp
@@ -48,21 +48,8 @@
self.assertEqual(status, 0, msg = msg)
@OETestDepends(['clamav.ClamavTest.test_ping_clamav_net'])
- def test_freshclam_check_mirrors(self):
- status, output = self.target.run('freshclam --list-mirrors')
- match = re.search('Failures: 0', output)
- if not match:
- msg = ('freshclam --list-mirrors: failed. '
- 'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 1, msg = msg)
-
- @OETestDepends(['clamav.ClamavTest.test_freshclam_check_mirrors'])
def test_freshclam_download(self):
status, output = self.target.run('freshclam --show-progress')
- match = re.search('Database updated', output)
- #match = re.search('main.cvd is up to date', output)
- if not match:
- msg = ('freshclam : DB dowbload failed. '
- 'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 1, msg = msg)
-
+ msg = ('freshclam : DB dowbload failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/firejail.py b/meta-security/lib/oeqa/runtime/cases/firejail.py
new file mode 100644
index 0000000..88a8dda
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/firejail.py
@@ -0,0 +1,18 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+class FirejailTest(OERuntimeTestCase):
+
+ @OEHasPackage(['firejail'])
+ @OEHasPackage(['libseccomp'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_firejail_basic(self):
+ status, output = self.target.run('firejail --help')
+ msg = ('Firejail --help command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/smack.py b/meta-security/lib/oeqa/runtime/cases/smack.py
index b8255c7..6b87574 100644
--- a/meta-security/lib/oeqa/runtime/cases/smack.py
+++ b/meta-security/lib/oeqa/runtime/cases/smack.py
@@ -15,17 +15,16 @@
@classmethod
def setUpClass(cls):
- cls.smack_path = ""
cls.current_label = ""
cls.uid = 1000
+ status, output = cls.tc.target.run("grep smack /proc/mounts | awk '{print $2}'")
+ cls.smack_path = output
@skipIfNotFeature('smack',
'Test requires smack to be in DISTRO_FEATURES')
@OEHasPackage(['smack-test'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
def test_smack_basic(self):
- status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
- self.smack_path = output
status,output = self.target.run("cat /proc/self/attr/current")
self.current_label = output.strip()
@@ -41,11 +40,11 @@
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m = re.search('(?<=access=")\S+(?=")', output)
+ m = re.search('(access=")\S+(?=")', output)
if m is None:
self.fail("Did not find access attribute")
else:
- label_retrieved = m .group(0)
+ label_retrieved = re.split("access=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: "
@@ -64,11 +63,11 @@
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m= re.search('(?<=execute=")\S+(?=")', output)
+ m= re.search('(execute=")\S+(?=")', output)
if m is None:
self.fail("Did not find execute attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("execute=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: " +
@@ -87,11 +86,11 @@
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m = re.search('(?<=mmap=")\S+(?=")', output)
+ m = re.search('(mmap=")\S+(?=")', output)
if m is None:
self.fail("Did not find mmap attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("mmap=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: " +
@@ -109,11 +108,11 @@
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %directory)
self.target.run("rmdir %s" %directory)
- m = re.search('(?<=transmute=")\S+(?=")', output)
+ m = re.search('(transmute=")\S+(?=")', output)
if m is None:
self.fail("Did not find transmute attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("transmute=\"", output)[1][:-1]
self.assertEqual(
"TRUE", label_retrieved,
"label not set correctly. expected and gotten: " +
@@ -127,10 +126,10 @@
'''
labelf = "/proc/self/attr/current"
- command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+ command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s" %(labelf, labelf)
status, output = self.target.run(
- "notroot.py 0 %s %s" %(self.current_label, command))
+ "/usr/sbin/notroot.py 0 %s %s" %(self.current_label, command))
self.assertIn("PRIVILEGED", output,
"Privilege process did not change label.Output: %s" %output)
@@ -142,7 +141,7 @@
command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
status, output = self.target.run(
- "notroot.py %d %s %s"
+ "/usr/sbin/notroot.py %d %s %s"
%(self.uid, self.current_label, command) +
" 2>&1 | grep 'Operation not permitted'" )
@@ -160,9 +159,9 @@
filename = "/tmp/test_unprivileged_change_file_label"
self.target.run("touch %s" % filename)
- self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
+ self.target.run("/usr/sbin/notroot.py %d %s" %(self.uid, self.current_label))
status, output = self.target.run(
- "notroot.py " +
+ "/usr/sbin/notroot.py " +
"%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
"| grep 'Operation not permitted'" )
@@ -347,78 +346,6 @@
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
- def test_smack_mmap_enforced(self):
- '''Test if smack mmap access is enforced'''
- raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
-
- # 12345678901234567890123456789012345678901234567890123456
- delr1="mmap_label mmap_test_label1 -----"
- delr2="mmap_label mmap_test_label2 -----"
- delr3="mmap_file_label mmap_test_label1 -----"
- delr4="mmap_file_label mmap_test_label2 -----"
-
- RuleA="mmap_label mmap_test_label1 rw---"
- RuleB="mmap_label mmap_test_label2 r--at"
- RuleC="mmap_file_label mmap_test_label1 rw---"
- RuleD="mmap_file_label mmap_test_label2 rwxat"
-
- mmap_label="mmap_label"
- file_label="mmap_file_label"
- test_file = "/usr/sbin/smack_test_mmap"
- mmap_exe = "/tmp/mmap_test"
- status, echo = self.target.run("which echo")
- status, output = self.target.run(
- "notroot.py %d %s %s 'test' > %s" \
- %(self.uid, self.current_label, echo, test_file))
- status, output = self.target.run("ls %s" %test_file)
- self.assertEqual(status, 0, "Could not create mmap test file")
- self.target.run("chsmack -m %s %s" %(file_label, test_file))
- self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
-
- # test with no rules with mmap label or exec label as subject
- # access should be granted
- self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access without rules. Output: %s" %output)
-
- # add rules that do not match access required
- self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with unmatching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with unmatching rules")
-
- # add rule to match only partially (one way)
- self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with partial matching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with partial matching rules")
-
- # add rule to match fully
- self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access with full matching rules." +
- "Output: %s" %output)
-
-
- @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_transmute_dir(self):
'''Test if smack transmute attribute works
diff --git a/meta-security/lib/oeqa/runtime/cases/sssd.py b/meta-security/lib/oeqa/runtime/cases/sssd.py
index 4644836..1dfdb94 100644
--- a/meta-security/lib/oeqa/runtime/cases/sssd.py
+++ b/meta-security/lib/oeqa/runtime/cases/sssd.py
@@ -28,10 +28,10 @@
@OETestDepends(['sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk'])
def test_sssd_sssctl_deamon(self):
- status, output = self.target.run('sssctl domain-status')
+ status, output = self.target.run('sssctl domain-list')
match = re.search('No domains configured, fatal error!', output)
if match:
- msg = ('sssctl domain-status failed, sssd.conf not setup correctly. '
+ msg = ('sssctl domain-list failed, sssd.conf not setup correctly. '
'Status and output:%s and %s' % (status, output))
self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/meta-integrity/classes/kernel-modsign.bbclass b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
index 093c358..d3aa7fb 100644
--- a/meta-security/meta-integrity/classes/kernel-modsign.bbclass
+++ b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
@@ -13,7 +13,9 @@
MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
# If this class is enabled, disable stripping signatures from modules
+# as well disable the debug symbols split
INHIBIT_PACKAGE_STRIP = "1"
+INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
kernel_do_configure:prepend() {
if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
diff --git a/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py
index d3d3f2e..11e5572 100644
--- a/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py
+++ b/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py
@@ -12,8 +12,13 @@
class ParsecTest(OERuntimeTestCase):
@classmethod
def setUpClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.toml_file = '/etc/parsec/config.toml'
+ @classmethod
+ def tearDownClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
+
def setUp(self):
super(ParsecTest, self).setUp()
if 'systemd' in self.tc.td['DISTRO_FEATURES']:
diff --git a/meta-security/meta-security-compliance/README b/meta-security/meta-security-compliance/README
index 320f856..3311d05 100644
--- a/meta-security/meta-security-compliance/README
+++ b/meta-security/meta-security-compliance/README
@@ -28,7 +28,7 @@
Send pull requests, patches, comments or questions to yocto@yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security-compliance][PATCH'
Layer Maintainer: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
similarity index 92%
rename from meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
rename to meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
index f665e29..d38c17a 100644
--- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
+++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
@@ -8,7 +8,7 @@
SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
-SRC_URI[sha256sum] = "3cc165f9007ba41de6d0b693a1167dbaf0179085f9506dcba64b4b8e37e1bda2"
+SRC_URI[sha256sum] = "98373a4cc9d0471ab9bebb249e442fcf94b6bf6d4e9c6fc0b22bca1506646c63"
S = "${WORKDIR}/${BPN}"
diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
index df47b35..0be5c59 100644
--- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
+++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
@@ -8,11 +8,13 @@
class SwTpmTest(OERuntimeTestCase):
@classmethod
def setUpClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('mkdir /tmp/myvtpm2')
cls.tc.target.run('chown tss:root /tmp/myvtpm2')
@classmethod
def tearDownClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('rm -fr /tmp/myvtpm2')
@skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index e64d19d..8e90dc9 100644
--- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -8,10 +8,12 @@
class Tpm2Test(OERuntimeTestCase):
@classmethod
def setUpClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('mkdir /tmp/myvtpm2')
@classmethod
def tearDownClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('rm -fr /tmp/myvtpm2')
def check_endlines(self, results, expected_endlines):
diff --git a/meta-security/recipes-core/images/security-build-image.bb b/meta-security/recipes-core/images/security-build-image.bb
index a8757f9..411cd20 100644
--- a/meta-security/recipes-core/images/security-build-image.bb
+++ b/meta-security/recipes-core/images/security-build-image.bb
@@ -3,6 +3,7 @@
IMAGE_FEATURES += "ssh-server-openssh"
IMAGE_INSTALL = "\
+ ${@bb.utils.contains("DISTRO_FEATURES", "lkrg", "lkrg-module", "",d)} \
packagegroup-base \
packagegroup-core-boot \
packagegroup-core-security \
diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb
index 54d8978..81f69dd 100644
--- a/meta-security/recipes-core/images/security-test-image.bb
+++ b/meta-security/recipes-core/images/security-test-image.bb
@@ -4,7 +4,16 @@
IMAGE_FEATURES += "ssh-server-openssh"
-TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
+IMAGE_INSTALL:append = "\
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm2","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "parsec-layer", "packagegroup-security-parsec","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "integrity", "packagegroup-ima-evm-utils","", d)} \
+"
+
+TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata aide firejail"
+TEST_SUITES:append = " parsec tpm2 swtpm ima"
INSTALL_CLAMAV_CVD = "1"
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index f381d91..05951da 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -35,11 +35,14 @@
pinentry \
softhsm \
sshguard \
+ firejail \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "google-authenticator-libpam", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
"
+RDEPENDS:packagegroup-security-utils:remove:mipsarch = "firejail"
+
SUMMARY:packagegroup-security-scanners = "Security scanners"
RDEPENDS:packagegroup-security-scanners = "\
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " arpwatch",d)} \
diff --git a/meta-security/recipes-ids/aide/aide/aide.conf b/meta-security/recipes-ids/aide/aide/aide.conf
index 2c99e07..c4b917e 100644
--- a/meta-security/recipes-ids/aide/aide/aide.conf
+++ b/meta-security/recipes-ids/aide/aide/aide.conf
@@ -51,7 +51,7 @@
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
-FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+FIPSR = p+u+g+s+acl+xattrs+sha256
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
@@ -70,10 +70,10 @@
NORMAL = FIPSR+sha512
# For directories, don't bother doing hashes
-DIR = p+i+n+u+g+acl+selinux+xattrs
+DIR = p+u+g+acl+xattrs
# Access control only
-PERMS = p+i+u+g+acl+selinux
+PERMS = p+u+g+acl
# Logfile are special, in that they often change
LOG = >
@@ -83,12 +83,9 @@
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
-DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
+DATAONLY = p+u+g+s+acl+xattrs+sha256
# Next decide what directories/files you want in the database.
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
-/bin NORMAL
-/sbin NORMAL
-/lib NORMAL
diff --git a/meta-security/recipes-ids/aide/aide_0.17.4.bb b/meta-security/recipes-ids/aide/aide_0.17.4.bb
index 6bc2bfe..7ce0729 100644
--- a/meta-security/recipes-ids/aide/aide_0.17.4.bb
+++ b/meta-security/recipes-ids/aide/aide_0.17.4.bb
@@ -10,9 +10,9 @@
SRC_URI[sha256sum] = "c81505246f3ffc2e76036d43a77212ae82895b5881d9b9e25c1361b1a9b7a846"
-inherit autotools pkgconfig
+inherit autotools pkgconfig aide-base
-PACKAGECONFIG ??=" mhash zlib e2fsattrs \
+PACKAGECONFIG ??=" mhash zlib e2fsattrs posix capabilities curl \
${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \
"
@@ -24,11 +24,34 @@
PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt"
PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash"
PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs"
+PACKAGECONFIG[capabilities] = "--with-capabilities, --without-capabilities, libcap, libcap"
+PACKAGECONFIG[posix] = "--with-posix-acl, --without-posix-acl, acl, acl"
+
+
+do_install[nostamp] = "1"
do_install:append () {
install -d ${D}${libdir}/${PN}/logs
install -d ${D}${sysconfdir}
install ${WORKDIR}/aide.conf ${D}${sysconfdir}/
+
+ for dir in ${AIDE_INCLUDE_DIRS}; do
+ echo "${dir} NORMAL" >> ${D}${sysconfdir}/aide.conf
+ done
+ for dir in ${AIDE_SKIP_DIRS}; do
+ echo "!${dir}" >> ${D}${sysconfdir}/aide.conf
+ done
+}
+
+do_install:class-native () {
+ install -d ${STAGING_AIDE_DIR}/bin
+ install -d ${STAGING_AIDE_DIR}/lib/logs
+
+ install ${B}/aide ${STAGING_AIDE_DIR}/bin
+ install ${WORKDIR}/aide.conf ${STAGING_AIDE_DIR}/
+
+ sed -i -s "s:\@\@define DBDIR.*:\@\@define DBDIR ${STAGING_AIDE_DIR}/lib:" ${STAGING_AIDE_DIR}/aide.conf
+ sed -i -e "s:\@\@define LOGDIR.*:\@\@define LOGDIR ${STAGING_AIDE_DIR}/lib/logs:" ${STAGING_AIDE_DIR}/aide.conf
}
CONF_FILE = "${sysconfdir}/aide.conf"
@@ -36,6 +59,14 @@
FILES:${PN} += "${libdir}/${PN} ${sysconfdir}/aide.conf"
pkg_postinst_ontarget:${PN} () {
- /usr/bin/aide -i
+ if [ ${AIDE_SCAN_POSTINIT} ]; then
+ ${bindir}/aide -i
+ fi
+ if [ ${AIDE_RESCAN_POSTINIT} && -e ${libdir}/aide/aide.db.gz ]; then
+ ${bindir}/aide -C
+ fi
}
-RDPENDS_${PN} = "bison, libpcre"
+
+RDEPENDS:${PN} = "bison libpcre"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch b/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch
index 799b1a6..f29afbe 100644
--- a/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch
+++ b/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch
@@ -1,73 +1,53 @@
-Upstream-Status: Pending
-
-This needs more work. Its my starting point.
-
+Upstream-Status: Inappropriate [embedded specific]
+
Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
Index: git/Makefile
===================================================================
--- git.orig/Makefile
+++ git/Makefile
-@@ -4,28 +4,10 @@
- # Author:
- # - Adam 'pi3' Zabrocki (http://pi3.com.pl)
- ##
--
--P_OUTPUT = output
+@@ -7,15 +7,8 @@
+
+ P_OUTPUT = output
P_PWD ?= $(shell pwd)
-P_KVER ?= $(shell uname -r)
--P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh
--TARGET := p_lkrg
+ P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh
+ TARGET := p_lkrg
-ifneq ($(KERNELRELEASE),)
- KERNEL := /lib/modules/$(KERNELRELEASE)/build
-else
- ## KERNELRELEASE not set.
- KERNEL := /lib/modules/$(P_KVER)/build
-endif
--
--#
--# Uncomment for debug compilation
--#
--# ccflags-m := -ggdb -DP_LKRG_DEBUG_BUILD -finstrument-functions
--# ccflags-y := ${ccflags-m}
--# p_lkrg-objs += src/modules/print_log/p_lkrg_debug_log.o
--obj-m += $(TARGET).o
--$(TARGET)-objs += src/modules/ksyms/p_resolve_ksym.o \
-+obj-m := p_lkrg.o
-+p_lkrg-y := src/modules/ksyms/p_resolve_ksym.o \
- src/modules/hashing/p_lkrg_fast_hash.o \
- src/modules/comm_channel/p_comm_channel.o \
- src/modules/integrity_timer/p_integrity_timer.o \
-@@ -92,23 +74,14 @@ $(TARGET)-objs += src/modules/ksyms/p_re
+ #
+ # Use DEBUG=on for debug build.
+@@ -94,14 +87,13 @@ $(TARGET)-objs += src/modules/ksyms/p_re
src/p_lkrg_main.o
-all:
-# $(MAKE) -C $(KERNEL) M=$(P_PWD) modules CONFIG_DEBUG_SECTION_MISMATCH=y
- $(MAKE) -C $(KERNEL) M=$(P_PWD) modules
-- mkdir -p $(P_OUTPUT)
-- cp $(P_PWD)/$(TARGET).ko $(P_OUTPUT)
--
--install:
-- $(MAKE) -C $(KERNEL) M=$(P_PWD) modules_install
-- depmod -a
-- $(P_PWD)/$(P_BOOTUP_SCRIPT) install
-
--uninstall:
-- $(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall
+modules:
+ $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules
-+
-+modules_install:
+ mkdir -p $(P_OUTPUT)
+ cp $(P_PWD)/$(TARGET).ko $(P_OUTPUT)
+
+-install:
+- $(MAKE) -C $(KERNEL) M=$(P_PWD) modules_install
++moduled_install:
+ $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules_install
+ depmod -a
+ $(P_PWD)/$(P_BOOTUP_SCRIPT) install
+
+@@ -109,7 +101,7 @@ uninstall:
+ $(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall
clean:
- $(MAKE) -C $(KERNEL) M=$(P_PWD) clean
-- $(RM) Module.markers modules.order
-- $(RM) $(P_PWD)/src/modules/kmod/client/kmod/Module.markers
-- $(RM) $(P_PWD)/src/modules/kmod/client/kmod/modules.order
-- $(RM) -rf $(P_OUTPUT)
-+ rm -f *.o *~ core .depend .*.cmd *.ko *.mod.c
-+ rm -f Module.markers Module.symvers modules.order
-+ rm -rf .tmp_versions Modules.symvers
++ $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) clean
+ $(RM) Module.markers modules.order
+ $(RM) $(P_PWD)/src/modules/kmod/client/kmod/Module.markers
+ $(RM) $(P_PWD)/src/modules/kmod/client/kmod/modules.order
diff --git a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.2.bb b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.3.bb
similarity index 90%
rename from meta-security/recipes-kernel/lkrg/lkrg-module_0.9.2.bb
rename to meta-security/recipes-kernel/lkrg/lkrg-module_0.9.3.bb
index 85f7d44..2553974 100644
--- a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.2.bb
+++ b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.3.bb
@@ -9,10 +9,11 @@
DEPENDS = "virtual/kernel elfutils"
-SRCREV = "43db5f19fca259feb1962f6db33382348cbc8320"
-
SRC_URI = "git://github.com/lkrg-org/lkrg.git;protocol=https;branch=main \
- file://makefile_cleanup.patch "
+ file://makefile_cleanup.patch \
+"
+
+SRCREV = "c578e9f786299b67ffd62057b4534b0bf4fb7ece"
S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb
index 046a3a0..896abfe 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb
@@ -101,6 +101,8 @@
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd
fi
+ chown root:root -R ${D}/${sysconfdir}/apparmor.d
+ chown root:root -R ${D}/${datadir}/apparmor
}
#Building ptest on arm fails.
diff --git a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
similarity index 87%
rename from meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
rename to meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
index 8d148bb..ff800ce 100644
--- a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
+++ b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
@@ -7,11 +7,10 @@
DEPENDS = "ncurses"
-DS = "20150505"
+DS = "20210910"
SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz"
-SRC_URI[md5sum] = "eeee8eb96a7680bfa9c8f6de55502c44"
-SRC_URI[sha256sum] = "c358b80a2ea77a9dda79dc2a056dae3acaf3a72fcb8481cfb1cd1f16746324b4"
+SRC_URI[sha256sum] = "7900126cf2dd8706c42c2c1ef7a37fd8b50f1505abd7d9c3d653dc390fb4d620"
S = "${WORKDIR}/${BPN}"
diff --git a/meta-security/recipes-mac/smack/smack-test/notroot.py b/meta-security/recipes-mac/smack/smack-test/notroot.py
index f0eb0b5..89f83f4 100644
--- a/meta-security/recipes-mac/smack/smack-test/notroot.py
+++ b/meta-security/recipes-mac/smack/smack-test/notroot.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
#
# Script used for running executables with custom labels, as well as custom uid/gid
# Process label is changed by writing to /proc/self/attr/curent
@@ -9,8 +9,8 @@
# """By default, each user in Debian GNU/Linux is given a corresponding group
# with the same name. """
#
-# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
-# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
+# Usage: root@desk:~# python3 notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
+# eg: python3 notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
#
# Author: Alexandru Cornea <alexandru.cornea@intel.com>
import os
@@ -28,6 +28,6 @@
os.setuid(uid)
os.execv(path,sys.argv)
-except Exception,e:
- print e.message
- sys.exit(1)
+except Exception as e:
+ print(e.strerror)
+ sys.exit(-1)
diff --git a/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
index 5a0ce84..598f1df 100644
--- a/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
+++ b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
@@ -8,7 +8,7 @@
ECHO=`which echo`
uid=1000
initial_label=`cat /proc/self/attr/current`
-python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+python3 $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
chsmack -a "TheOther" $test_file
# 12345678901234567890123456789012345678901234567890123456
@@ -17,7 +17,7 @@
# Remove pre-existent rules for "TheOne TheOther <access>"
echo -n "$delrule" > $SMACK_PATH/load
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
if [ $RC -ne 0 ]; then
echo "Process with different label than the test file and no read access on it can read it"
exit $RC
@@ -25,7 +25,7 @@
# adding read access
echo -n "$rule_ro" > $SMACK_PATH/load
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
if [ $RC -ne 0 ]; then
echo "Process with different label than the test file but with read access on it cannot read it"
exit $RC
@@ -36,7 +36,7 @@
# changing label of test file to *
# according to SMACK documentation, read access on a * object is always permitted
chsmack -a '*' $test_file
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
if [ $RC -ne 0 ]; then
echo "Process cannot read file with * label"
exit $RC
@@ -45,7 +45,7 @@
# changing subject label to *
# according to SMACK documentation, every access requested by a star labeled subject is rejected
TOUCH=`which touch`
-python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+python3 $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
if [ $RC -ne 0 ];then
echo "Process with label '*' should not have any access"
diff --git a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb
index 3bcb5eb..18e8329 100644
--- a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -56,7 +56,7 @@
do_install:append () {
install -d ${D}/${sysconfdir}
- install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav
+ install -d -o ${PN} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav
install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir}
diff --git a/meta-security/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch b/meta-security/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
new file mode 100644
index 0000000..a32720a
--- /dev/null
+++ b/meta-security/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
@@ -0,0 +1,45 @@
+Exclude all the seccomp files to run during build.
+
+Upstream-Status: Inappropriate [embedded specific]
+There are some files that need to run to generate the appropriate files
+we are currently doing this on the target.
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/Makefile.in
+===================================================================
+--- git.orig/Makefile.in
++++ git/Makefile.in
+@@ -34,7 +34,6 @@ MYDIRS = src/lib $(MAN_SRC) $(COMPLETION
+ MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
+ COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
+ MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+ ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
+
+ .PHONY: all_items $(ALL_ITEMS)
+@@ -52,7 +51,7 @@ $(MANPAGES): src/man
+
+ man: $(MANPAGES)
+
+-filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
++filters: $(SBOX_APPS_NON_DUMPABLE)
+ seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
+ src/fseccomp/fseccomp default seccomp
+ src/fsec-optimize/fsec-optimize seccomp
+@@ -81,7 +80,6 @@ clean:
+ done
+ $(MAKE) -C test clean
+ rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+- rm -f $(SECCOMP_FILTERS)
+ rm -f test/utils/index.html*
+ rm -f test/utils/wget-log
+ rm -f test/utils/firejail-test-file*
+@@ -119,7 +117,7 @@ endif
+ # libraries and plugins
+ install -m 0755 -d $(DESTDIR)$(libdir)/firejail
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
+- install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
++ install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS)
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
+ # plugins w/o read permission (non-dumpable)
diff --git a/meta-security/recipes-security/Firejail/firejail_0.9.70.bb b/meta-security/recipes-security/Firejail/firejail_0.9.70.bb
new file mode 100644
index 0000000..35f7b07
--- /dev/null
+++ b/meta-security/recipes-security/Firejail/firejail_0.9.70.bb
@@ -0,0 +1,63 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+SUMMARY = "Linux namespaces and seccomp-bpf sandbox"
+DESCRIPTION = "Firejail is a SUID sandbox program that reduces the risk of security breaches \
+by restricting the running environment of untrusted applications using Linux namespaces, \
+seccomp-bpf and Linux capabilities."
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+LICENSE = "GPL-2.0-only"
+
+SRCREV = "b4b08d21cd95725c9d55dfdb6987fcc6d7893247"
+SRC_URI = "git://github.com/netblue30/firejail.git;protocol=https;branch=master \
+ file://exclude_seccomp_util_compiles.patch \
+ "
+
+DEPENDS = "libseccomp"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig bash-completion features_check
+
+REQUIRED_DISTRO_FEATURES = "seccomp"
+
+PACKAGECONFIG ?= ""
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', 'apparmor', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}"
+
+PACKAGECONFIG[apparmor] = "--enable-apparmor, --disable-apparmor, apparmor, apparmor"
+PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
+PACKAGECONFIG[x11] = " --enable-x11, --disable-x11, "
+PACKAGECONFIG[dbusproxy] = ", --disable-dbusproxy, "
+PACKAGECONFIG[notmpfs] = ", --disable-usertmpfs ,"
+PACKAGECONFIG[nofiretunnel] = ", --disable-firetunnel , "
+PACKAGECONFIG[noprivatehome] = ", --disable-private-home, "
+PACKAGECONFIG[nochroot] = ", --disable-chroot, "
+PACKAGECONFIG[nonetwork] = ", --disable-network, "
+PACKAGECONFIG[nouserns] = ", --disable-userns, "
+PACKAGECONFIG[nofiletransfer] = ", --disable-file-transfer, "
+PACKAGECONFIG[nosuid] = ", --disable-suid, "
+
+EXTRA_OECONF = "--disable-man --enable-busybox-workaround"
+
+PACKAGES:append = " ${PN}-vim ${PN}-zsh"
+
+FILES:${PN}-vim = "${datadir}/vim/"
+FILES:${PN}-zsh = "${datadir}/zsh/"
+
+pkg_postinst_ontarget:${PN} () {
+ ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp
+ ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp.debug allow-debuggers
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.debug
+ ${libdir}/${BPN}/fseccomp secondary 32 ${libdir}/${BPN}/seccomp.32
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.32
+ ${libdir}/${BPN}/fseccomp secondary block ${libdir}/${BPN}/seccomp.block_secondary
+ ${libdir}/${BPN}/fseccomp memory-deny-write-execute ${libdir}/${BPN}/seccomp.mdwx
+}
+
+COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*"
+
+RDEPENDS:${PN} = "bash"
diff --git a/meta-security/recipes-security/chipsec/chipsec_git.bb b/meta-security/recipes-security/chipsec/chipsec_1.8.5.bb
similarity index 71%
rename from meta-security/recipes-security/chipsec/chipsec_git.bb
rename to meta-security/recipes-security/chipsec/chipsec_1.8.5.bb
index d6c3ff2..48dfe45 100644
--- a/meta-security/recipes-security/chipsec/chipsec_git.bb
+++ b/meta-security/recipes-security/chipsec/chipsec_1.8.5.bb
@@ -7,21 +7,17 @@
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=bc2d1f9b427be5fb63f6af9da56f7c5d"
-SRC_URI = "git://github.com/chipsec/chipsec.git;branch=master;protocol=https \
- "
+DEPENDS = "virtual/kernel nasm-native"
-SRCREV = "b2a61684826dc8b9f622a844a40efea579cd7e7d"
-
-COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+SRC_URI = "git://github.com/chipsec/chipsec.git;branch=main;protocol=https"
+SRCREV = "07a532aac9f6c3d94b8895cf89336b6a2e60c0d9"
S = "${WORKDIR}/git"
-EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
-
-DEPENDS = "virtual/kernel nasm-native python3-setuptools-native"
-RDEPENDS:${PN} += "python3 python3-modules"
inherit module setuptools3
+EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
+
do_compile:append() {
cd ${S}/drivers/linux
oe_runmake KSRC=${STAGING_KERNEL_BUILDDIR}
@@ -31,5 +27,8 @@
install -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux
}
-FILES:${PN} += "${exec_prefix} \
-"
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+
+FILES:${PN} += "${exec_prefix}"
+
+RDEPENDS:${PN} = "python3 python3-modules"
diff --git a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
index 35c5ff8..4d1f584 100644
--- a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
+++ b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
@@ -35,3 +35,5 @@
do_install_ptest() {
install -m 0755 ${S}/demo/mhash ${D}${PTEST_PATH}
}
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch b/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch
deleted file mode 100644
index 7a59df9..0000000
--- a/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch
+++ /dev/null
@@ -1,288 +0,0 @@
-Backport patch to fix CVE-2021-3621.
-
-Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9]
-CVE: CVE-2021-3621
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 18 Jun 2021 13:17:19 +0200
-Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
- user supplied command
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-:relnote: A flaw was found in SSSD, where the sssctl command was
-vulnerable to shell command injection via the logs-fetch and
-cache-expire subcommands. This flaw allows an attacker to trick
-the root user into running a specially crafted sssctl command,
-such as via sudo, to gain root access. The highest threat from this
-vulnerability is to confidentiality, integrity, as well as system
-availability.
-This patch fixes a flaw by replacing system() with execvp().
-
-:fixes: CVE-2021-3621
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/tools/sssctl/sssctl.c | 39 ++++++++++++++++-------
- src/tools/sssctl/sssctl.h | 2 +-
- src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
- src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
- 4 files changed, 73 insertions(+), 57 deletions(-)
-
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index 2997dbf968..8adaf30910 100644
---- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
- return SSSCTL_PROMPT_ERROR;
- }
-
--errno_t sssctl_run_command(const char *command)
-+errno_t sssctl_run_command(const char *const argv[])
- {
- int ret;
-+ int wstatus;
-
-- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
-+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
-
-- ret = system(command);
-+ ret = fork();
- if (ret == -1) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
- ERROR("Error while executing external command\n");
- return EFAULT;
-- } else if (WEXITSTATUS(ret) != 0) {
-- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
-- command, WEXITSTATUS(ret));
-+ }
-+
-+ if (ret == 0) {
-+ /* cast is safe - see
-+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
-+ "The statement about argv[] and envp[] being constants ... "
-+ */
-+ execvp(argv[0], discard_const_p(char * const, argv));
- ERROR("Error while executing external command\n");
-- return EIO;
-+ _exit(1);
-+ } else {
-+ if (waitpid(ret, &wstatus, 0) == -1) {
-+ ERROR("Error while executing external command '%s'\n", argv[0]);
-+ return EFAULT;
-+ } else if (WEXITSTATUS(wstatus) != 0) {
-+ ERROR("Command '%s' failed with [%d]\n",
-+ argv[0], WEXITSTATUS(wstatus));
-+ return EIO;
-+ }
- }
-
- return EOK;
-@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
- #elif defined(HAVE_SERVICE)
- switch (action) {
- case SSSCTL_SVC_START:
-- return sssctl_run_command(SERVICE_PATH" sssd start");
-+ return sssctl_run_command(
-+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
- case SSSCTL_SVC_STOP:
-- return sssctl_run_command(SERVICE_PATH" sssd stop");
-+ return sssctl_run_command(
-+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
- case SSSCTL_SVC_RESTART:
-- return sssctl_run_command(SERVICE_PATH" sssd restart");
-+ return sssctl_run_command(
-+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
- }
- #endif
-
-diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
-index 0115b2457c..599ef65196 100644
---- a/src/tools/sssctl/sssctl.h
-+++ b/src/tools/sssctl/sssctl.h
-@@ -47,7 +47,7 @@ enum sssctl_prompt_result
- sssctl_prompt(const char *message,
- enum sssctl_prompt_result defval);
-
--errno_t sssctl_run_command(const char *command);
-+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
- bool sssctl_start_sssd(bool force);
- bool sssctl_stop_sssd(bool force);
- bool sssctl_restart_sssd(bool force);
-diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
-index 8d79b977fd..bf22913416 100644
---- a/src/tools/sssctl/sssctl_data.c
-+++ b/src/tools/sssctl/sssctl_data.c
-@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
- }
- }
-
-- ret = sssctl_run_command("sss_override user-export "
-- SSS_BACKUP_USER_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
-+ SSS_BACKUP_USER_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to export user overrides\n");
- return ret;
- }
-
-- ret = sssctl_run_command("sss_override group-export "
-- SSS_BACKUP_GROUP_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
-+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to export group overrides\n");
- return ret;
-@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
- }
-
- if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
-- ret = sssctl_run_command("sss_override user-import "
-- SSS_BACKUP_USER_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
-+ SSS_BACKUP_USER_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to import user overrides\n");
- return ret;
-@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
- }
-
- if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
-- ret = sssctl_run_command("sss_override group-import "
-- SSS_BACKUP_GROUP_OVERRIDES);
-+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
-+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
- if (ret != EOK) {
- ERROR("Unable to import group overrides\n");
- return ret;
-@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
- void *pvt)
- {
- errno_t ret;
-- char *cmd_args = NULL;
-- const char *cachecmd = SSS_CACHE;
-- char *cmd = NULL;
-- int i;
--
-- if (cmdline->argc == 0) {
-- ret = sssctl_run_command(cachecmd);
-- goto done;
-- }
-
-- cmd_args = talloc_strdup(tool_ctx, "");
-- if (cmd_args == NULL) {
-- ret = ENOMEM;
-- goto done;
-+ const char **args = talloc_array_size(tool_ctx,
-+ sizeof(char *),
-+ cmdline->argc + 2);
-+ if (!args) {
-+ return ENOMEM;
- }
-+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
-+ args[0] = SSS_CACHE;
-+ args[cmdline->argc + 1] = NULL;
-
-- for (i = 0; i < cmdline->argc; i++) {
-- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
-- if (i != cmdline->argc - 1) {
-- cmd_args = talloc_strdup_append(cmd_args, " ");
-- }
-- }
--
-- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
-- if (cmd == NULL) {
-- ret = ENOMEM;
-- goto done;
-- }
--
-- ret = sssctl_run_command(cmd);
--
--done:
-- talloc_free(cmd_args);
-- talloc_free(cmd);
-+ ret = sssctl_run_command(args);
-
-+ talloc_free(args);
- return ret;
- }
-diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
-index 9ff2be05b6..ebb2c4571c 100644
---- a/src/tools/sssctl/sssctl_logs.c
-+++ b/src/tools/sssctl/sssctl_logs.c
-@@ -31,6 +31,7 @@
- #include <ldb.h>
- #include <popt.h>
- #include <stdio.h>
-+#include <glob.h>
-
- #include "util/util.h"
- #include "tools/common/sss_process.h"
-@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- {
- struct sssctl_logs_opts opts = {0};
- errno_t ret;
-+ glob_t globbuf;
-
- /* Parse command line. */
- struct poptOption options[] = {
-@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
-
- sss_signal(SIGHUP);
- } else {
-+ globbuf.gl_offs = 4;
-+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+ if (ret != 0) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+ return ret;
-+ }
-+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
-+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
-+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
-+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
-+
- PRINT("Truncating log files...\n");
-- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
-+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+ globfree(&globbuf);
- if (ret != EOK) {
- ERROR("Unable to truncate log files\n");
- return ret;
-@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
- void *pvt)
- {
- const char *file;
-- const char *cmd;
- errno_t ret;
-+ glob_t globbuf;
-
- /* Parse command line. */
- ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
-@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
- return ret;
- }
-
-- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
-- if (cmd == NULL) {
-- ERROR("Out of memory!");
-+ globbuf.gl_offs = 3;
-+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+ if (ret != 0) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+ return ret;
- }
-+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
-+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
-+ globbuf.gl_pathv[2] = discard_const_p(char, file);
-
- PRINT("Archiving log files into %s...\n", file);
-- ret = sssctl_run_command(cmd);
-+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+ globfree(&globbuf);
- if (ret != EOK) {
- ERROR("Unable to archive log files\n");
- return ret;
diff --git a/meta-security/recipes-security/sssd/files/sssd.conf b/meta-security/recipes-security/sssd/files/sssd.conf
deleted file mode 100644
index 1709a7a..0000000
--- a/meta-security/recipes-security/sssd/files/sssd.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[sssd]
-services = nss, pam
-config_file_version = 2
-
-[nss]
-
-[pam]
-