meta-security: subtree update:ab239f1497..46f7e7acbe
Armin Kuster (18):
python3-scapy: update to 2.4.5
lkrg-module: update 0.9.1
packagegroup-core-security: exclude ossec-hids from musl
ossec-hids: musl not compatable
sssd: update to 2.5.0
busybox: drop as libsecomp is in core
linux-%_5.%.bbappend: drop recipe
initramfs-framework: fix YCL issue.
python3-scapy: drop , now in meta-python
packagegroup-core-security: drop python3-scapy
meta-hardening/initscripts: missed overide.
meta-security: add sanity check
meta-security/recipe-kernel: use sanity check
linux-yocto-dev: drop bbappend
meta-tpm: add layer sanity check
meta-tpm/linux-yocto: use sanity support
meta-integrity: add sanity check
meta-integrity/recipe-kernel: use sanity check
Federico Pellegrin (1):
aircrack-ng: update to 1.6
Kai Kang (2):
sssd: set pid path with /run
sssd: add fix-ldblibdir.patch back
Ricardo Salveti (1):
tpm2-tss: fix usrmerge udev install path
Robert P. J. Day (1):
Correct "securiyt" typo in maintainers.inc
Sekine Shigeki (1):
smack: add 3 cves to allowlist
Upgrade Helper (2):
clamav: upgrade to latest revision
opendnssec: upgrade 2.1.8 -> 2.1.9
Yi Zhao (1):
libgssglue: update SRC_URI
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I3bcabc218b240681d525111d16f963eb9b33c922
diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md
index 5048fba..8254b0d 100644
--- a/meta-security/meta-integrity/README.md
+++ b/meta-security/meta-integrity/README.md
@@ -1,8 +1,24 @@
This README file contains information on the contents of the
integrity layer.
-Please see the corresponding sections below for details.
+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'integrity' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+ DISTRO_FEATURES_append = " integrity"
+
+If meta-integrity is included, but integrity is not enabled as a
+distro feature a warning is printed at parse time:
+
+ You have included the meta-integritry layer, but
+ 'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+ and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+
+ SKIP_META_INTEGRITY_SANITY_CHECK = 1
Dependencies
============
diff --git a/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass b/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass
new file mode 100644
index 0000000..6ba7e3f
--- /dev/null
+++ b/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass
@@ -0,0 +1,10 @@
+addhandler integrity_bbappend_distrocheck
+integrity_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
+python integrity_bbappend_distrocheck() {
+ skip_check = e.data.getVar('SKIP_META_INTEGRITY_SANITY_CHECK') == "1"
+ if 'integrity' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+ bb.warn("You have included the meta-integrity layer, but \
+'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-integrity README \
+for details on enabling integrity support.")
+}
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index ba028da..37776f8 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -26,6 +26,10 @@
BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity"
+# Sanity check for meta-integrity layer.
+# Setting SKIP_META_INTEGRITY_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-integrity"
+
BBFILES_DYNAMIC += " \
networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
"
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
index f9a48cd..be60bfe 100644
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,5 +1 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
-
-KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
-
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
+require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)}
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc
new file mode 100644
index 0000000..f9a48cd
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -0,0 +1,5 @@
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
+
+KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
+
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}