reset upstream subtrees to HEAD

Reset the following subtrees on HEAD:
  poky: 8217b477a1(master)
  meta-xilinx: 64aa3d35ae(master)
  meta-openembedded: 0435c9e193(master)
  meta-raspberrypi: 490a4441ac(master)
  meta-security: cb6d1c85ee(master)

Squashed patches:
  meta-phosphor: drop systemd 239 patches
  meta-phosphor: mrw-api: use correct install path

Change-Id: I268e2646d9174ad305630c6bbd3fbc1a6105f43d
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-security/README b/meta-security/README
index e238271..5abb0e2 100644
--- a/meta-security/README
+++ b/meta-security/README
@@ -57,8 +57,14 @@
 When sending single patches, please using something like:
 'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
 
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-security][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
 Maintainers:    Armin Kuster <akuster808@gmail.com>
-                Saul Wold <sgw@linux.intel.com>
 
 
 License
diff --git a/meta-security/conf/distro/include/maintainers.inc b/meta-security/conf/distro/include/maintainers.inc
new file mode 100644
index 0000000..94b45f2
--- /dev/null
+++ b/meta-security/conf/distro/include/maintainers.inc
@@ -0,0 +1,59 @@
+# meta-securiyt Maintainers File
+#
+# This file contains a list of recipe maintainers.
+#
+# Please submit any patches against recipes in meta to the 
+# Yocto mail list (yocto@yoctoproject.org)
+#
+# If you have problems with or questions about a particular recipe, feel
+# free to contact the maintainer directly (cc:ing the appropriate mailing list
+# puts it in the archive and helps other people who might have the same
+# questions in the future), but please try to do the following first:
+#
+#  - look in the Yocto Project Bugzilla
+#    (http://bugzilla.yoctoproject.org/) to see if a problem has
+#    already been reported
+#
+# The format is as a bitbake variable override for each recipe
+#
+#	RECIPE_MAINTAINER_pn-<recipe name> = "Full Name <address@domain>"
+#
+# Please keep this list in alphabetical order.
+RECIPE_MAINTAINER_pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-apparmor = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-bastille = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-buck-security = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ccs-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-checksec = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-checksecurity = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-clamav = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ding-libs = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ecryptfs-utils = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-fscryptctl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-google-authenticator-libpam = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-hash-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-isic = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-keyutils = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libaes-siv = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libenv-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libgssglue = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libhtp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libmhash = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libmspack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-lib-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libseccomp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libwhisker2-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ncrack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-nikto = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-paxctl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python3-fail2ban = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python3-scapy = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python-fail2ban = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python-scapy = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-redhat-security = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-samhain = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-smack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-sssd = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-suricata = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tripwire = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-xmlsec1 = "Armin Kuster <akuster808@gmail.com>"
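Review bot: The first line of the new file misspells the layer name and should read `# meta-security Maintainers File`. The submission paragraph says "recipes in meta", which looks carried over from another layer and presumably means meta-security.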
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 19e647e..716f8ac 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -13,4 +13,4 @@
 
 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
 
-DEFAULT_TEST_SUITES_pn-security-build-image = " ${PTESTTESTSUITE}"
+DEFAULT_TEST_SUITES_pn-security-build-image = " ping ssh ptest"
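Review bot: `DEFAULT_TEST_SUITES_pn-security-build-image` is now the fixed list `" ping ssh ptest"`, which names none of the runtime cases this commit adds under lib/oeqa/runtime/cases (apparmor, clamav, samhain, sssd, suricata, tripwire). If those are meant to run for security-build-image they need to be listed here, for example `" ping ssh ptest apparmor clamav"`. If they are opt-in, a comment above the assignment saying so would avoid the impression that the security tools are exercised by default.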
diff --git a/meta-security/lib/oeqa/runtime/cases/apparmor.py b/meta-security/lib/oeqa/runtime/cases/apparmor.py
new file mode 100644
index 0000000..e2cb316
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/apparmor.py
@@ -0,0 +1,27 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class ApparmorTest(OERuntimeTestCase):
+
+    @OEHasPackage(['apparmor'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_apparmor_help(self):
+        status, output = self.target.run('aa-status --help')
+        msg = ('apparmor command does not work as expected. '
+               'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['apparmor.ApparmorTest.test_apparmor_help'])
+    def test_apparmor_aa_status(self):
+        status, output = self.target.run('aa-status')
+        match = re.search('apparmor module is loaded.', output)
+        if not match:
+            msg = ('aa-status  failed. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
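Review bot: In `test_apparmor_aa_status` the only assertion sits inside `if not match:` and checks the exit status rather than the text, so the test passes whenever `aa-status` exits 0 even if 'apparmor module is loaded.' never appears in the output. Build `msg` first and assert both unconditionally: `self.assertEqual(status, 0, msg=msg)` followed by `self.assertIn('apparmor module is loaded.', output, msg=msg)`, which also removes the unescaped `.` from the regex. The same match-then-assert-on-status shape is used in clamav.py, samhain.py, sssd.py, suricata.py and tripwire.py in this commit. For a test of a mandatory-access-control layer, a pass that does not prove the module is loaded gives false assurance about the image.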
diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py
new file mode 100644
index 0000000..fc77330
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/clamav.py
@@ -0,0 +1,38 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class ClamavTest(OERuntimeTestCase):
+
+    @OEHasPackage(['clamav'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_freshclam_help(self):
+        status, output = self.target.run('freshclam --help ')
+        msg = ('freshclam --hlep  command does not work as expected. ', 
+           'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['clamav.ClamavTest.test_freshclam_help'])
+    def test_freshclam_download(self):
+        status, output = self.target.run('freshclam --show-progress')
+        match = re.search('Database updated', output)
+        #match = re.search('main.cvd is up to date', output)
+        if not match:
+            msg = ('freshclam : DB dowbload failed. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 1, msg = msg)
+
+    @OETestDepends(['clamav.ClamavTest.test_freshclam_download'])
+    def test_freshclam_check_mirrors(self):
+        status, output = self.target.run('freshclam --list-mirrors')
+        match = re.search('Failures: 0', output)
+        if not match:
+            msg = ('freshclam --list-mirrors: failed. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 1, msg = msg)
+
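Review bot: In `test_freshclam_help` the stray comma after the first string literal makes `msg` a two-element tuple instead of one string, and the text misspells `--help` as `--hlep`. Drop the comma so the literals concatenate: `msg = ('freshclam --help command does not work as expected. '`. In `test_freshclam_download` and `test_freshclam_check_mirrors` the fallback `self.assertEqual(status, 1, msg = msg)` accepts a non-zero exit when the expected text is missing. If that relies on a freshclam exit code meaning "already up to date", it needs a comment saying so, because otherwise a failed signature update can pass. Both tests also appear to need network access from the target, which is worth stating in a docstring.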
diff --git a/meta-security/lib/oeqa/runtime/cases/samhain.py b/meta-security/lib/oeqa/runtime/cases/samhain.py
new file mode 100644
index 0000000..e4bae7b
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/samhain.py
@@ -0,0 +1,20 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class SamhainTest(OERuntimeTestCase):
+
+    @OEHasPackage(['samhain-standalone'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_samhain_standalone_help(self):
+        status, output = self.target.run('samhain --help')
+        match = re.search('Please report bugs to support@la-samhna.de.', output)
+        if not match:
+            msg = ('samhain-standalone command does not work as expected. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 1, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/sssd.py b/meta-security/lib/oeqa/runtime/cases/sssd.py
new file mode 100644
index 0000000..4644836
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/sssd.py
@@ -0,0 +1,37 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class SSSDTest(OERuntimeTestCase):
+
+    @OEHasPackage(['sssd'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_sssd_help(self):
+        status, output = self.target.run('sssctl --help')
+        msg = ('sssctl command does not work as expected. '
+               'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 1, msg = msg)
+
+    @OETestDepends(['sssd.SSSDTest.test_sssd_help'])
+    def test_sssd_sssctl_conf_perms_chk(self):
+        status, output = self.target.run('sssctl domain-status')
+        match = re.search('ConfDB initialization has failed', output)
+        if match:
+            msg = ('sssctl domain-status failed, check sssd.conf perms. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk'])
+    def test_sssd_sssctl_deamon(self):
+        status, output = self.target.run('sssctl domain-status')
+        match = re.search('No domains configured, fatal error!', output)
+        if match:
+            msg = ('sssctl domain-status failed, sssd.conf not setup correctly. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
+
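Review bot: `test_sssd_sssctl_conf_perms_chk` and `test_sssd_sssctl_deamon` search for an error string and assert `status == 0` only when it is found, so a run that prints 'ConfDB initialization has failed' but exits 0 still passes, and a run without the string asserts nothing. Since the first test is meant to catch bad sssd.conf permissions, fail on the text itself with `msg` built before the check: `self.assertNotIn('ConfDB initialization has failed', output, msg=msg)`. `test_sssd_help` expects exit status 1 from `sssctl --help`, and a one-line comment on why non-zero is the success value would help (suricata.py and tripwire.py do the same with 1 and 8). The method name `test_sssd_sssctl_deamon` looks like a typo for `daemon`.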
diff --git a/meta-security/lib/oeqa/runtime/cases/suricata.py b/meta-security/lib/oeqa/runtime/cases/suricata.py
new file mode 100644
index 0000000..17fc8c5
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/suricata.py
@@ -0,0 +1,27 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class SuricataTest(OERuntimeTestCase):
+
+    @OEHasPackage(['suricata'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_suricata_help(self):
+        status, output = self.target.run('suricata --help')
+        msg = ('suricata command does not work as expected. '
+               'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 1, msg = msg)
+
+    @OETestDepends(['suricata.SuricataTest.test_suricata_help'])
+    def test_suricata_unittest(self):
+        status, output = self.target.run('suricata -u')
+        match = re.search('FAILED: 0 ', output)
+        if not match:
+            msg = ('suricata unittest had an unexpected failure. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/tripwire.py b/meta-security/lib/oeqa/runtime/cases/tripwire.py
new file mode 100644
index 0000000..659724d
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/tripwire.py
@@ -0,0 +1,47 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class TripwireTest(OERuntimeTestCase):
+
+    @OEHasPackage(['tripwire'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_tripwire_help(self):
+        status, output = self.target.run('tripwire --help')
+        msg = ('tripwire command does not work as expected. '
+               'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 8, msg = msg)
+
+    @OETestDepends(['tripwire.TripwireTest.test_tripwire_help'])
+    def test_tripwire_twinstall(self):
+        status, output = self.target.run('/etc/tripwire/twinstall.sh')
+        match = re.search('The database was successfully generated.', output)
+        if not match:
+            msg = ('/etc/tripwire/twinstall.sh failed. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['tripwire.TripwireTest.test_tripwire_twinstall'])
+    def test_tripwire_twadmin(self):
+        status, output = self.target.run('twadmin --create-cfgfile --cfgfile /etc/tripwire/twcfg.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twcfg.txt')
+        status, output = self.target.run('twadmin --create-polfile --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/twpol.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twpol.txt')
+        match = re.search('Wrote policy file: /etc/tripwire/twpol.enc', output)
+        if not match:
+            msg = ('twadmin --create-profile ; failed. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['tripwire.TripwireTest.test_tripwire_twadmin'])
+    def test_tripwire_init(self):
+        status, hostname = self.target.run('hostname')
+        status, output = self.target.run('tripwire --init --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/%s-local.key -P tripwire' % hostname)
+        match = re.search('The database was successfully generated.', output)
+        if not match:
+            msg = ('tripwire --init; Failed for host: %s. '
+               'Status and output:%s and %s' % (hostname, status, output))
+            self.assertEqual(status, 0, msg = msg)
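Review bot: In `test_tripwire_twadmin` the result of the first `twadmin --create-cfgfile` call is overwritten by the second call without being checked, so a failure to write `/etc/tripwire/twcfg.enc` only shows up indirectly; add `self.assertEqual(status, 0, msg=output)` between the two runs. That test writes the policy to `/etc/tripwire/twpol.enc`, but `test_tripwire_init` passes `--polfile /etc/tripwire/tw.pol`, so one of the two paths looks wrong unless twinstall.sh creates tw.pol. The `hostname` output is interpolated into the command line as returned; `hostname.strip()` would guard against a trailing newline, assuming `target.run` does not already strip it. A short comment that the `tripwire` passphrase passed with `-Q`/`-P` is a test-image fixture, not a value for deployed systems, would also help.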
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb
similarity index 89%
rename from meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb
rename to meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb
index 28a4469..3ba82f9 100644
--- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb
+++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb
@@ -8,8 +8,8 @@
 
 SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
 
-SRC_URI[md5sum] = "91a538055bfb682733ef8e4fe7eb0902"
-SRC_URI[sha256sum] = "2e4c5157a4f2d9bb37d3f0f1f5bea03f92233a2a7d4df6eddf231a784087dfac"
+SRC_URI[md5sum] = "3422cee3b12fc33338fcde003d65e234"
+SRC_URI[sha256sum] = "fde6ccf8d6ec0ae1e9c9f4a6d640cddcde4bf7a92f8437d47d16a5477e21bfda"
 
 S = "${WORKDIR}/${BPN}"
 
diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
index 5b61375..e84ed30 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
@@ -8,12 +8,11 @@
 SRCREV = "7147871d7f37d408c0dd7720ef0fd3ec1b54ad98"
 SRC_URI = "git://github.com/akuster/oe-scap.git"
 SRC_URI += " \
-	file://run_cve.sh \
-	file://run_test.sh \
-	file://OpenEmbedded_nodistro_0.xml \
-        file://OpenEmbedded_nodistro_0.xccdf.xml \
-"
-	
+            file://run_cve.sh \
+            file://run_test.sh \
+            file://OpenEmbedded_nodistro_0.xml \
+            file://OpenEmbedded_nodistro_0.xccdf.xml \
+           "
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
new file mode 100644
index 0000000..2a518bf
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
@@ -0,0 +1,130 @@
+From c34349720a57997d30946286756e2ba9dbab6ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 2 Jul 2018 11:21:19 +0200
+Subject: [PATCH] Renamed module and variables to get rid of async.
+
+async is a reserved word in Python 3.7.
+
+Upstream-Status: Backport
+[https://github.com/OpenSCAP/openscap-daemon/commit/c34349720a57997d30946286756e2ba9dbab6ace]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ openscap_daemon/{async.py => async_tools.py} |  0
+ openscap_daemon/dbus_daemon.py               |  2 +-
+ openscap_daemon/system.py                    | 16 ++++++++--------
+ tests/unit/test_basic_update.py              |  3 ++-
+ 4 files changed, 11 insertions(+), 10 deletions(-)
+ rename openscap_daemon/{async.py => async_tools.py} (100%)
+
+diff --git a/openscap_daemon/async.py b/openscap_daemon/async_tools.py
+similarity index 100%
+rename from openscap_daemon/async.py
+rename to openscap_daemon/async_tools.py
+diff --git a/openscap_daemon/dbus_daemon.py b/openscap_daemon/dbus_daemon.py
+index e6eadf9..cb6a8b6 100644
+--- a/openscap_daemon/dbus_daemon.py
++++ b/openscap_daemon/dbus_daemon.py
+@@ -81,7 +81,7 @@ class OpenSCAPDaemonDbus(dbus.service.Object):
+     @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
+                          in_signature="", out_signature="a(xsi)")
+     def GetAsyncActionsStatus(self):
+-        return self.system.async.get_status()
++        return self.system.async_manager.get_status()
+ 
+     @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
+                          in_signature="s", out_signature="(sssn)")
+diff --git a/openscap_daemon/system.py b/openscap_daemon/system.py
+index 2012f6e..85c2680 100644
+--- a/openscap_daemon/system.py
++++ b/openscap_daemon/system.py
+@@ -26,7 +26,7 @@ import logging
+ from openscap_daemon.task import Task
+ from openscap_daemon.config import Configuration
+ from openscap_daemon import oscap_helpers
+-from openscap_daemon import async
++from openscap_daemon import async_tools
+ 
+ 
+ class ResultsNotAvailable(Exception):
+@@ -40,7 +40,7 @@ TASK_ACTION_PRIORITY = 10
+ 
+ class System(object):
+     def __init__(self, config_file):
+-        self.async = async.AsyncManager()
++        self.async_manager = async_tools.AsyncManager()
+ 
+         logging.info("Loading configuration from '%s'.", config_file)
+         self.config = Configuration()
+@@ -90,7 +90,7 @@ class System(object):
+             input_file, tailoring_file, None
+         )
+ 
+-    class AsyncEvaluateSpecAction(async.AsyncAction):
++    class AsyncEvaluateSpecAction(async_tools.AsyncAction):
+         def __init__(self, system, spec):
+             super(System.AsyncEvaluateSpecAction, self).__init__()
+ 
+@@ -113,7 +113,7 @@ class System(object):
+             return "Evaluate Spec '%s'" % (self.spec)
+ 
+     def evaluate_spec_async(self, spec):
+-        return self.async.enqueue(
++        return self.async_manager.enqueue(
+             System.AsyncEvaluateSpecAction(
+                 self,
+                 spec
+@@ -488,7 +488,7 @@ class System(object):
+ 
+         return ret
+ 
+-    class AsyncUpdateTaskAction(async.AsyncAction):
++    class AsyncUpdateTaskAction(async_tools.AsyncAction):
+         def __init__(self, system, task_id, reference_datetime):
+             super(System.AsyncUpdateTaskAction, self).__init__()
+ 
+@@ -536,7 +536,7 @@ class System(object):
+ 
+                 if task.should_be_updated(reference_datetime):
+                     self.tasks_scheduled.add(task.id_)
+-                    self.async.enqueue(
++                    self.async_manager.enqueue(
+                         System.AsyncUpdateTaskAction(
+                             self,
+                             task.id_,
+@@ -662,7 +662,7 @@ class System(object):
+             fix_type
+         )
+ 
+-    class AsyncEvaluateCVEScannerWorkerAction(async.AsyncAction):
++    class AsyncEvaluateCVEScannerWorkerAction(async_tools.AsyncAction):
+         def __init__(self, system, worker):
+             super(System.AsyncEvaluateCVEScannerWorkerAction, self).__init__()
+ 
+@@ -680,7 +680,7 @@ class System(object):
+             return "Evaluate CVE Scanner Worker '%s'" % (self.worker)
+ 
+     def evaluate_cve_scanner_worker_async(self, worker):
+-        return self.async.enqueue(
++        return self.async_manager.enqueue(
+             System.AsyncEvaluateCVEScannerWorkerAction(
+                 self,
+                 worker
+diff --git a/tests/unit/test_basic_update.py b/tests/unit/test_basic_update.py
+index 6f683e6..7f953f7 100755
+--- a/tests/unit/test_basic_update.py
++++ b/tests/unit/test_basic_update.py
+@@ -37,8 +37,9 @@ class BasicUpdateTest(unit_test_harness.APITest):
+         print(self.system.tasks)
+         self.system.schedule_tasks()
+ 
+-        while len(self.system.async.actions) > 0:
++        while len(self.system.async_manager.actions) > 0:
+             time.sleep(1)
+ 
++
+ if __name__ == "__main__":
+     BasicUpdateTest.run()
+-- 
+2.7.4
+
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
index a6a9373..ca6e030 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
@@ -9,7 +9,9 @@
 DEPENDS = "python3-dbus"
 
 SRCREV = "f25b16afb6ac761fea13132ff406fba4cdfd2b76"
-SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git"
+SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git \
+           file://0001-Renamed-module-and-variables-to-get-rid-of-async.patch \
+          "
 
 inherit setuptools3
 
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
index 7fa417d..27d3d86 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
@@ -19,6 +19,8 @@
 
 STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
 
+OECMAKE_GENERATOR = "Unix Makefiles"
+
 EXTRA_OECMAKE += "-DSSG_PRODUCT_CHROMIUM:BOOL=OFF"
 EXTRA_OECMAKE += "-DSSG_PRODUCT_DEBIAN8:BOOL=OFF"
 EXTRA_OECMAKE += "-DSSG_PRODUCT_FEDORA:BOOL=OFF"
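Review bot: `OECMAKE_GENERATOR = "Unix Makefiles"` overrides the generator with no explanation, so nobody can tell later whether the override is still needed. Add a why-comment above it, for example `# <reason the default generator fails for this recipe>`, with the actual failure filled in by the author.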
diff --git a/meta-security/meta-tpm/conf/distro/include/maintainers.inc b/meta-security/meta-tpm/conf/distro/include/maintainers.inc
new file mode 100644
index 0000000..74c1a18
--- /dev/null
+++ b/meta-security/meta-tpm/conf/distro/include/maintainers.inc
@@ -0,0 +1,39 @@
+# meta-tpm Maintainers File
+#
+# This file contains a list of recipe maintainers.
+#
+# Please submit any patches against recipes in meta to the 
+# Yocto mail list (yocto@yoctoproject.org)
+#
+# If you have problems with or questions about a particular recipe, feel
+# free to contact the maintainer directly (cc:ing the appropriate mailing list
+# puts it in the archive and helps other people who might have the same
+# questions in the future), but please try to do the following first:
+#
+#  - look in the Yocto Project Bugzilla
+#    (http://bugzilla.yoctoproject.org/) to see if a problem has
+#    already been reported
+#
+# The format is as a bitbake variable override for each recipe
+#
+#	RECIPE_MAINTAINER_pn-<recipe name> = "Full Name <address@domain>"
+#
+# Please keep this list in alphabetical order.
+RECIPE_MAINTAINER_pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-pcr-extend = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm-quote-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libtpm = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-trousers = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-swtpm = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-openssl-tpm-engine = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-abrmd = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-totp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tcti-uefi = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-cryptsetup-tpm-incubator = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>"
+
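Review bot: `RECIPE_MAINTAINER_pn-aircrack-ng` is listed in the meta-tpm maintainers file although it is not a TPM recipe and is already in the meta-security maintainers.inc added by this commit, so it looks like a copy-paste leftover and should probably be dropped here. The header asks for alphabetical order, but the entries run pcr-extend, tpm-quote-tools, libtpm, trousers and so on; sorting them now keeps later additions easy to review.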
diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
new file mode 100644
index 0000000..240a9b3
--- /dev/null
+++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -0,0 +1,43 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class Tpm2Test(OERuntimeTestCase):
+    def check_endlines(self, results,  expected_endlines): 
+        for line in results.splitlines():
+            for el in expected_endlines:
+                if line == el:
+                    expected_endlines.remove(el)
+                    break
+
+        if expected_endlines:
+            self.fail('Missing expected line endings:\n  %s' % '\n  '.join(expected_endlines))
+
+    @OEHasPackage(['tpm2.0-tss'])
+    @OEHasPackage(['tpm2-abrmd'])
+    @OEHasPackage(['tpm2.0-tools'])
+    @OEHasPackage(['ibmswtpm2'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_tpm2_sim(self):
+        cmds = [
+                'tpm_server &',
+                'tpm2-abrmd --allow-root --tcti=mssim &'
+               ]
+
+        for cmd in cmds:
+            status, output = self.target.run(cmd)
+            self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
+
+    @OETestDepends(['tpm2.Tpm2Test.test_tpm2_sim'])
+    def test_tpm2(self):
+         (status, output) = self.target.run('tpm2_pcrlist')
+         expected_endlines = []
+         expected_endlines.append('sha1 :')
+         expected_endlines.append('  0  : 0000000000000000000000000000000000000003')
+         expected_endlines.append('  1  : 0000000000000000000000000000000000000000')
+
+         self.check_endlines(output, expected_endlines)
+
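Review bot: The `@OEHasPackage` decorators on `test_tpm2_sim` name `tpm2.0-tools` and `tpm2.0-tss`, but this same commit deletes tpm2.0-tools_3.1.2.bb and switches the packagegroup to `tpm2-tools`, so the test will presumably be skipped on every image; use the current names, e.g. `@OEHasPackage(['tpm2-tools'])`. Both commands in `cmds` end in `&`, so the status checked by `assertEqual(status, 0, ...)` most likely reflects only that the shell backgrounded them, not that `tpm_server` or `tpm2-abrmd` started, and nothing stops them afterwards. `check_endlines` removes items from the caller's list, so a docstring noting that it consumes `expected_endlines` would help. The body of `test_tpm2` is indented nine spaces rather than eight.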
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index c4c8fb2..5ded3a2 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -9,10 +9,15 @@
 
 SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support"
 RDEPENDS_packagegroup-security-tpm2 = " \
-    tpm2.0-tools \
+    tpm2-tools \
     trousers \
     libtss2 \
     libtss2-tcti-device \
     libtss2-tcti-mssim \
     tpm2-abrmd \
+    tpm2-pkcs11 \
+    cryptsetup-tpm-incubator \
     "
+
+RDEPENDS_packagegroup-security-tpm2_append_x86 = " tpm2-tcti-uefi"
+RDEPENDS_packagegroup-security-tpm2_append_x86-64 = " tpm2-tcti-uefi"
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb
similarity index 70%
rename from meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
rename to meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb
index a930d7b..a882960 100644
--- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb
@@ -2,8 +2,10 @@
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
 
-SRCREV = "4111bd1bcf721e6e7b5f11ed9c2b93083677aa25"
-SRC_URI = "git://github.com/stefanberger/libtpms.git"
+SRCREV = "9dc915572b51db0714640ba1ddf8cca9c0f24f05"
+SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-${PV}"
+
+PE = "1"
 
 S = "${WORKDIR}/git"
 inherit autotools-brokensep pkgconfig
@@ -11,6 +13,4 @@
 PACKAGECONFIG ?= "openssl"
 PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
 
-PV = "1.0+git${SRCPV}"
-
 BBCLASSEXTEND = "native"
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb
similarity index 77%
rename from meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
rename to meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb
index 3fe1393..42de8b1 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb
@@ -9,11 +9,12 @@
 # then swtpm_setup needs them at runtime
 DEPENDS += "tpm-tools-native expect-native socat-native"
 
-SRCREV = "94bb9f2d716d09bcc6cd2a2e033018f8592008e7"
-SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=tpm2-preview.v2 \
+SRCREV = "d803d84575ab3e5dac316bf863c7f569a27ea35f"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-${PV} \
            file://fix_fcntl_h.patch \
            file://ioctl_h.patch \
            "
+PE = "1"
 
 S = "${WORKDIR}/git"
 
@@ -23,8 +24,9 @@
 TSS_USER="tss"
 TSS_GROUP="tss"
 
-PACKAGECONFIG ?= "openssl cuse"
+PACKAGECONFIG ?= "openssl"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}"
 PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
 PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
 PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
@@ -39,12 +41,11 @@
 USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir  \
     --no-create-home  --shell /bin/false ${BPN}"
 
+PACKAGE_BEFORE_PN = "${PN}-cuse"
+FILES_${PN}-cuse = "${bindir}/swtpm_cuse"
+
+INSANE_SKIP_${PN}   += "dev-so"
+
 RDEPENDS_${PN} = "libtpm expect socat bash tpm-tools"
 
 BBCLASSEXTEND = "native nativesdk"
-
-python() {
-    if 'cuse' in d.getVar('PACKAGECONFIG') and \
-        'filesystems-layer' not in d.getVar('BBFILE_COLLECTIONS').split():
-        raise bb.parse.SkipRecipe('Cuse enabled which requires meta-filesystems to be present.')
-}
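Review bot: `INSANE_SKIP_${PN} += "dev-so"` switches off the dev-so QA check for the main package with no comment saying which files trigger it or why that is acceptable. A one-line comment above it naming the unversioned `.so` files concerned would let a later maintainer tell whether the skip is still needed. Separately, the removed `python()` guard was the only place that told a user that `cuse` needs meta-filesystems. With it gone, enabling `cuse` by hand without that layer presumably fails later on a missing dependency instead of a clear SkipRecipe message, so a short comment next to the new `BBFILE_COLLECTIONS` line would help.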
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb
deleted file mode 100644
index 3f40eb7..0000000
--- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-SUMMARY = "Tools for TPM2."
-DESCRIPTION = "tpm2.0-tools"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=91b7c548d73ea16537799e8060cea819"
-SECTION = "tpm"
-
-DEPENDS = "pkgconfig tpm2.0-tss openssl curl autoconf-archive"
-
-SRCREV = "5e2f1aafc58e60c5050f85147a14914561f28ad9"
-
-SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools;branch=3.X"
-
-S = "${WORKDIR}/tpm2.0-tools"
-
-inherit autotools pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb b/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb
deleted file mode 100644
index 866791c..0000000
--- a/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "TPM 2.0 Simulator Extraction Script"
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=1415f7be284540b81d9d28c67c1a6b8b"
-
-DEPENDS = "python"
-
-SRCREV = "e45324eba268723d39856111e7933c5c76238481"
-SRC_URI = "git://github.com/stwagnr/tpm2simulator.git"
-
-S = "${WORKDIR}/git"
-OECMAKE_SOURCEPATH = "${S}/cmake"
-
-inherit native lib_package cmake
-
-EXTRA_OECMAKE = " \
-	-DCMAKE_BUILD_TYPE=Debug \
-	-DSPEC_VERSION=138 \
-"
-
-do_configure_prepend () {
-	sed -i 's/^SET = False/SET = True/' ${S}/scripts/settings.py 
-}
diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
new file mode 100644
index 0000000..8b50445
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
@@ -0,0 +1,41 @@
+SUMMARY = "An extension to cryptsetup/LUKS that enables use of the TPM 2.0 via tpm2-tss"
+DESCRIPTION = "Cryptsetup is utility used to conveniently setup disk encryption based on DMCrypt kernel module."
+
+SECTION = "security/tpm"
+LICENSE = "LGPL-2.1 | GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326 \
+                    file://COPYING.LGPL;md5=1960515788100ce5f9c98ea78a65dc52 \
+                    "
+
+DEPENDS = "autoconf-archive pkgconfig gettext libtss2-dev libdevmapper popt libgcrypt json-c"
+
+SRC_URI = "git://github.com/AndreasFuchsSIT/cryptsetup-tpm-incubator.git;branch=luks2tpm \
+           file://configure_fix.patch "
+
+SRCREV = "15c283195f19f1d980e39ba45448683d5e383179"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig gettext
+
+PACKAGECONFIG ??= "openssl"
+PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
+PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
+
+EXTRA_OECONF = "--enable-static"
+
+RRECOMMENDS_${PN} = "kernel-module-aes-generic \
+                     kernel-module-dm-crypt \
+                     kernel-module-md5 \
+                     kernel-module-cbc \
+                     kernel-module-sha256-generic \
+                     kernel-module-xts \
+                    "
+
+RDEPENDS_${PN} += "lvm2"
+RRECOMMENDS_${PN} += "lvm2-udevrules"
+
+RREPLACES_${PN} = "cryptsetup"
+RCONFLICTS_${PN}  ="cryptsetup"
+
+BBCLASSEXTEND = "native nativesdk"
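Review bot: `DEPENDS` lists `libgcrypt` unconditionally although the crypto backend is chosen through `PACKAGECONFIG` and defaults to `openssl`, so both libraries are pulled into the build whichever backend is selected. If configure does not need libgcrypt outside the gcrypt backend, drop it from `DEPENDS` and let `PACKAGECONFIG[gcrypt]` supply it. Because this recipe sets `RREPLACES`/`RCONFLICTS` against `cryptsetup`, a short comment stating that it is an incubator branch (`luks2tpm`) taking over the disk-encryption tool would be worth adding. Minor: `RCONFLICTS_${PN}  ="cryptsetup"` should read `RCONFLICTS_${PN} = "cryptsetup"`.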
diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch
new file mode 100644
index 0000000..8c7b6da
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch
@@ -0,0 +1,16 @@
+Upstream-Status: OE specific
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/configure.ac
+===================================================================
+--- git.orig/configure.ac
++++ git/configure.ac
+@@ -16,7 +16,7 @@ AC_CONFIG_HEADERS([config.h:config.h.in]
+ 
+ # For old automake use this
+ #AM_INIT_AUTOMAKE(dist-xz subdir-objects)
+-AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects])
++AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects foreign])
+ 
+ if test "x$prefix" = "xNONE"; then
+ 	sysconfdir=/etc
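Review bot: The header `Upstream-Status: OE specific` is not one of the status values the OE/Yocto patch guidelines define; the usual form is `Upstream-Status: Inappropriate [OE specific]`. The patch also has no description of why `foreign` is needed. The same header appears in bootstrap_fixup.patch (tpm2-pkcs11) and configure_oe_fixup.patch (tpm2-tcti-uefi) in this commit, and both would benefit from the same fix plus a one-sentence rationale.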
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1332.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1332.bb
new file mode 100644
index 0000000..a6068e6
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1332.bb
@@ -0,0 +1,24 @@
+SUMMARY = "IBM's Software TPM 2.0"
+
+LICENSE = "BSD"
+SECTION = "securty/tpm"
+LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
+
+SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm1332.tar.gz"
+SRC_URI[md5sum] = "0ab34a655b4e09812d7ada19746af4f9"
+SRC_URI[sha256sum] = "8e8193af3d11d9ff6a951dda8cd1f4693cb01934a8ad7876b84e92c6148ab0fd"
+
+DEPENDS = "openssl"
+
+S = "${WORKDIR}/src"
+
+LDFLAGS = "${LDFALGS}"
+
+do_compile () {
+   make CC='${CC}'
+}
+
+do_install () {
+   install -d ${D}/${bindir}
+   install -m 0755 tpm_server  ${D}/${bindir}
+}
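Review bot: `LDFLAGS = "${LDFALGS}"` misspells the variable it references, so instead of keeping the configured linker flags it replaces them with a reference to an undefined name, which ends up empty in the task shell. Any link-time hardening flags the distro sets (for example RELRO or now-binding) would be dropped for `tpm_server`. Removing the line looks like the right fix unless the override was intentional, in which case it needs a comment. Also, `SECTION = "securty/tpm"` should be `SECTION = "security/tpm"` to match the other recipes in this directory.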
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.1.1.bb
similarity index 88%
rename from meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.1.1.bb
index 6347379..a4c6682 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.1.1.bb
@@ -9,16 +9,17 @@
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
 
-DEPENDS = "autoconf-archive dbus glib-2.0 tpm2.0-tss glib-2.0-native \
+DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \
             libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"
 
 
 SRC_URI = "\
-    git://github.com/01org/tpm2-abrmd.git \
+    git://github.com/tpm2-software/tpm2-abrmd.git \
     file://tpm2-abrmd-init.sh \
     file://tpm2-abrmd.default \
 "
-SRCREV = "d0120ace58d97bc9520c0d558657eaca87ae73b1"
+
+SRCREV = "06d9d433ba27159687255406baa37940db15465b"
 
 S = "${WORKDIR}/git"
 
@@ -49,6 +50,6 @@
 FILES_${PN} += "${libdir}/systemd/system-preset \
 		${datadir}/dbus-1"
 
-RDEPENDS_${PN} += "tpm2.0-tss"
+RDEPENDS_${PN} += "tpm2-tss"
 
 BBCLASSEXTEND = "native"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
new file mode 100644
index 0000000..d38e237
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
@@ -0,0 +1,12 @@
+Upstream-Status: OE specific
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/bootstrap
+===================================================================
+--- git.orig/bootstrap
++++ git/bootstrap
+@@ -27,4 +27,3 @@ echo "Generating file lists: ${VARS_FILE
+ ) > ${VARS_FILE}
+ 
+ mkdir -p m4
+-${AUTORECONF} --install --sym $@
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb
new file mode 100644
index 0000000..9031e63
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb
@@ -0,0 +1,21 @@
+SUMMARY = "A PKCS#11 interface for TPM2 hardware"
+DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token."
+SECTION = "security/tpm"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b748af41ef1300c98e105b3b7ec4ecc1"
+
+DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git \
+           file://bootstrap_fixup.patch \
+          "
+
+SRCREV = "3107d89b406ecd9c007884613733c9a344ef6d39"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig
+
+do_configure_prepend () {
+    ${S}/bootstrap
+}
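Review bot: `DEPENDS` includes `dstat`, a system statistics tool that does not look related to building a PKCS#11 module, and `tpm2-tools`, which is more likely needed on the target than at build time. If neither is used by configure or the build, drop `dstat` and move `tpm2-tools` to `RDEPENDS_${PN}` so the build dependency graph stays minimal. `pkgconfig` in `DEPENDS` is also redundant with `inherit pkgconfig`. The version `0.9.9` in the file name is not tied to anything visible here, so a comment on how it maps to the pinned `SRCREV` would help.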
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
new file mode 100644
index 0000000..8a216cd
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
@@ -0,0 +1,27 @@
+Upstream-Status: OE specific
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/configure.ac
+===================================================================
+--- git.orig/configure.ac
++++ git/configure.ac
+@@ -84,9 +84,6 @@ AC_ARG_WITH([efi-lds],
+             AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds file.]),
+             [],
+             [with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"])
+-AC_CHECK_FILE(["${with_efi_lds}"],
+-              [],
+-              [AC_MSG_ERROR([Missing file: ${with_efi_lds}.])])
+ EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}"
+ 
+ # path to object file from gnu-efi
+@@ -94,9 +91,6 @@ AC_ARG_WITH([efi-crt0],
+             AS_HELP_STRING([--with-efi-crt0=OBJ_PATH],[Path to gnu-efi crt0 object file.]),
+             [],
+             [with_efi_crt0="/usr/lib/crt0-efi-${ARCH}.o"])
+-AC_CHECK_FILE(["${with_efi_crt0}"],
+-              [],
+-              [AC_MSG_ERROR([Missing ${with_efi_crt0} file.])])
+ EXTRA_LDLIBS="${with_efi_crt0}"
+ 
+ # check for efi and gnuefi libraries
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
new file mode 100644
index 0000000..815691d
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -0,0 +1,18 @@
+SUMMARY = "TCTI module for use with TSS2 libraries in UEFI environment"
+SECTION = "security/tpm"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
+           file://configure_oe_fixup.patch \
+          "
+SRCREV = "131889d12d2c7d8974711d2ebd1032cd32577b7f"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig
+
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+EXTRA_OECONF_append = " --with-efi-includedir=${STAGING_INCDIR}/efi --with-efi-lds=${STAGING_LIBDIR_NATIVE}/"
+RDEPENDS_${PN} = "gnu-efi"
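Review bot: `--with-efi-lds=${STAGING_LIBDIR_NATIVE}/` passes a directory, but the option's help text in configure_oe_fixup.patch describes it as the path to the gnu-efi lds file, and configure places the value straight into `-Wl,--script=`. No `--with-efi-crt0` is passed either, so the default `/usr/lib/crt0-efi-${ARCH}.o` host path stays in effect. The accompanying patch removes both `AC_CHECK_FILE` checks, so neither value is validated at configure time any more. Both options should point at the actual files inside the recipe sysroot, which would also stop the build from depending on host `/usr/lib` content.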
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb
new file mode 100644
index 0000000..1f1f5c6
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Tools for TPM2."
+DESCRIPTION = "tpm2-tools"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=91b7c548d73ea16537799e8060cea819"
+SECTION = "tpm"
+
+DEPENDS = "pkgconfig tpm2-tss openssl curl autoconf-archive"
+
+SRCREV = "74ba065e5914bc5d713ca3709d62a5751b097369"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-tools.git;branch=3.X"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/files/litpm2_totp_build_fix.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/files/litpm2_totp_build_fix.patch
new file mode 100644
index 0000000..c147054
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/files/litpm2_totp_build_fix.patch
@@ -0,0 +1,36 @@
+C99 fixes:
+
+ src/libtpm2-totp.c:172:13: error: format '%li' expects argument of type 'long int', but argument 3 has type 'size_t' {aka 'unsigned int'} [-Werror=format=]
+|          dbg("Calling Esys_GetRandom for %li bytes", SECRETLEN - *secret_size);
+
+src/tpm2-totp.c:343:23: error: format '%ld' expects argument of type 'long int', but argument 3 has type 'uint64_t' {aka 'long long unsigned int'} [-Werror=format=]
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/src/libtpm2-totp.c
+===================================================================
+--- git.orig/src/libtpm2-totp.c
++++ git/src/libtpm2-totp.c
+@@ -169,7 +169,7 @@ tpm2totp_generateKey(uint32_t pcrs, uint
+     if (rc != TPM2_RC_INITIALIZE) chkrc(rc, goto error);
+ 
+     while (*secret_size < SECRETLEN) {
+-        dbg("Calling Esys_GetRandom for %li bytes", SECRETLEN - *secret_size);
++        dbg("Calling Esys_GetRandom for %li bytes", (long int) (SECRETLEN - *secret_size));
+         rc = Esys_GetRandom(ctx,
+                             ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+                             SECRETLEN - *secret_size, &t);
+Index: git/src/tpm2-totp.c
+===================================================================
+--- git.orig/src/tpm2-totp.c
++++ git/src/tpm2-totp.c
+@@ -340,7 +340,7 @@ main(int argc, char **argv)
+                             localtime (&now));
+             chkrc(rc, exit(1));
+         }
+-        printf("%s%06ld", timestr, totp);
++        printf("%s%06ld", timestr, (long int)totp);
+         break;
+     case CMD_RESEAL:
+         rc = tpm2totp_loadKey_nv(opt.nvindex, &keyBlob, &keyBlob_size);
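Review bot: Both fixes cast the argument to `long int` to satisfy the format string rather than using the format that matches the type. On targets where `long` is 32 bits, a `uint64_t` is narrowed silently. The first call could be `dbg("Calling Esys_GetRandom for %zu bytes", SECRETLEN - *secret_size);` and the second `printf("%s%06" PRIu64, timestr, totp);` with `<inttypes.h>` included. Both functions continue outside the quoted hunks, so the type of `totp` is taken from the compiler message in the patch header.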
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb
new file mode 100644
index 0000000..bc94ab7
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb
@@ -0,0 +1,17 @@
+SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL." 
+DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures."
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1"
+
+SECTION = "security/tpm"
+
+DEPENDS = "autoconf-archive libtss2-dev qrencode"
+
+SRCREV = "44fcb6819f79302d5a088b3def648616e3551d4a"
+SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git \
+           file://litpm2_totp_build_fix.patch "
+
+inherit autotools-brokensep pkgconfig
+
+S = "${WORKDIR}/git"
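Review bot: `SUMMARY` and `DESCRIPTION` are copied verbatim from the tpm2-tss-engine recipe and describe an OpenSSL engine, not tpm2-totp. Package metadata is what ends up in image manifests and license or audit reports, so the text should describe this project. Suggested wording is `SUMMARY = "TPM 2.0 based time-based one-time password (TOTP) tool"`, with the description adjusted to match upstream's README.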
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb
new file mode 100644
index 0000000..36530be
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb
@@ -0,0 +1,23 @@
+SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL." 
+DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures."
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3fb0047fd29391478a71e8e6101c76eb"
+
+SECTION = "security/tpm"
+
+DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
+
+SRCREV = "bef89ec79cbb4c99963b0e336d9184827c545782"
+SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git"
+
+inherit autotools-brokensep pkgconfig systemd
+
+S = "${WORKDIR}/git"
+
+PACKAGES += "${PN}-engines ${PN}-engines-staticdev ${PN}-bash-completion"
+
+FILES_${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*"
+FILES_${PN}-engines = "${libdir}/engines-1.1/lib*.so*"
+FILES_${PN}-engines-staticdev = "${libdir}/engines-1.1/libtpm2tss.a"
+FILES_${PN}-bash-completion += "${datadir}/bash-completion/completions"
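Review bot: `FILES_${PN}-dev` claims `${libdir}/engines-1.1/tpm2tss.so`, while `${PN}-engines` only matches `lib*.so*`. If OpenSSL loads the engine by its id through `tpm2tss.so`, as the file name suggests, an image that installs only `${PN}-engines` would not have a loadable engine; please confirm this and move that file to `${PN}-engines` if so. The recipe also inherits `systemd` without setting any `SYSTEMD_SERVICE`, so the inherit looks unnecessary. The hard-coded `engines-1.1` directory ties the packaging to one OpenSSL series and deserves a comment.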
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4 b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb
similarity index 82%
rename from meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb
index 9d1ff72..78bdeeb 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb
@@ -1,19 +1,22 @@
 SUMMARY = "Software stack for TPM2."
-DESCRIPTION = "tpm2.0-tss like woah."
+DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) "
 LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=0b1d631c4218b72f6b05cb58613606f4"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
 SECTION = "tpm"
 
-DEPENDS = "autoconf-archive-native libgcrypt"
+DEPENDS = "autoconf-archive-native libgcrypt openssl"
 
-SRCREV = "dc31e8dca9dbc77d16e419dc514ce8c526cd3351"
+SRCREV = "eb69e13559f20a0b49002a685c6f4a39be9503e2"
 
-SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.0.x"
+SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x"
 
 inherit autotools-brokensep pkgconfig systemd
 
 S = "${WORKDIR}/git"
 
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
+
 do_configure_prepend () {
        ./bootstrap
 }
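Review bot: `PACKAGECONFIG[oxygen]` looks like a typo for `doxygen`, given that the flag it controls is `--disable-doxygen-doc`. As written, the option has an empty enable argument, so selecting it only removes the disable flag; `PACKAGECONFIG[doxygen] = "--enable-doxygen-doc,--disable-doxygen-doc,doxygen-native"` would be the conventional shape, assuming configure accepts the enable form. `do_configure_prepend` continues unchanged below the hunk.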
@@ -72,3 +75,5 @@
 FILES_libtss2-staticdev = "${libdir}/libtss*a"
 
 FILES_${PN} = "${libdir}/udev"
+
+RDEPENDS_libtss2 = "libgcrypt"
diff --git a/meta-security/recipes-security/samhain/files/run-ptest b/meta-security/recipes-ids/samhain/files/run-ptest
similarity index 100%
rename from meta-security/recipes-security/samhain/files/run-ptest
rename to meta-security/recipes-ids/samhain/files/run-ptest
diff --git a/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch b/meta-security/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
rename to meta-security/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch b/meta-security/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
rename to meta-security/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-client.default b/meta-security/recipes-ids/samhain/files/samhain-client.default
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-client.default
rename to meta-security/recipes-ids/samhain/files/samhain-client.default
diff --git a/meta-security/recipes-security/samhain/files/samhain-client.init b/meta-security/recipes-ids/samhain/files/samhain-client.init
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-client.init
rename to meta-security/recipes-ids/samhain/files/samhain-client.init
diff --git a/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch b/meta-security/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch
rename to meta-security/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch b/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-cross-compile.patch
rename to meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch b/meta-security/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
rename to meta-security/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch b/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch
rename to meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-pid-path.patch b/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-pid-path.patch
rename to meta-security/recipes-ids/samhain/files/samhain-pid-path.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch b/meta-security/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
rename to meta-security/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch b/meta-security/recipes-ids/samhain/files/samhain-samhainrc.patch
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-samhainrc.patch
rename to meta-security/recipes-ids/samhain/files/samhain-samhainrc.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-server-volatiles b/meta-security/recipes-ids/samhain/files/samhain-server-volatiles
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-server-volatiles
rename to meta-security/recipes-ids/samhain/files/samhain-server-volatiles
diff --git a/meta-security/recipes-security/samhain/files/samhain-server.default b/meta-security/recipes-ids/samhain/files/samhain-server.default
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-server.default
rename to meta-security/recipes-ids/samhain/files/samhain-server.default
diff --git a/meta-security/recipes-security/samhain/files/samhain-server.init b/meta-security/recipes-ids/samhain/files/samhain-server.init
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-server.init
rename to meta-security/recipes-ids/samhain/files/samhain-server.init
diff --git a/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch b/meta-security/recipes-ids/samhain/files/samhain-sha256-big-endian.patch
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch
rename to meta-security/recipes-ids/samhain/files/samhain-sha256-big-endian.patch
diff --git a/meta-security/recipes-security/samhain/files/samhain-standalone.default b/meta-security/recipes-ids/samhain/files/samhain-standalone.default
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-standalone.default
rename to meta-security/recipes-ids/samhain/files/samhain-standalone.default
diff --git a/meta-security/recipes-security/samhain/files/samhain-standalone.init b/meta-security/recipes-ids/samhain/files/samhain-standalone.init
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain-standalone.init
rename to meta-security/recipes-ids/samhain/files/samhain-standalone.init
diff --git a/meta-security/recipes-security/samhain/files/samhain.service b/meta-security/recipes-ids/samhain/files/samhain.service
similarity index 100%
rename from meta-security/recipes-security/samhain/files/samhain.service
rename to meta-security/recipes-ids/samhain/files/samhain.service
diff --git a/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb b/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb
similarity index 100%
rename from meta-security/recipes-security/samhain/samhain-client_4.3.0.bb
rename to meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb
diff --git a/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb b/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb
similarity index 100%
rename from meta-security/recipes-security/samhain/samhain-server_4.3.0.bb
rename to meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb
diff --git a/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb b/meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb
similarity index 100%
rename from meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb
rename to meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb
diff --git a/meta-security/recipes-security/samhain/samhain.inc b/meta-security/recipes-ids/samhain/samhain.inc
similarity index 96%
rename from meta-security/recipes-security/samhain/samhain.inc
rename to meta-security/recipes-ids/samhain/samhain.inc
index 944bf0d..1b9af39 100644
--- a/meta-security/recipes-security/samhain/samhain.inc
+++ b/meta-security/recipes-ids/samhain/samhain.inc
@@ -19,8 +19,8 @@
            file://samhain.service \
            "
 
-SRC_URI[md5sum] = "a00e99375675fc6e50cca3e208f5207e"
-SRC_URI[sha256sum] = "8551dc3b0851889a2b979097e9c02309b40d48b4659f02efe7fe525ce8361a0d"
+SRC_URI[md5sum] = "eae4674164d7c78f5bb39c72b7029c8b"
+SRC_URI[sha256sum] = "0582864ef56ab796031e8e611ed66c48adeb3a30ec34e1a8d0088572442035fc"
 
 UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
 UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
@@ -117,6 +117,7 @@
 	--enable-network=${SAMHAIN_MODE} \
 	--with-pid-file=${localstatedir}/run/samhain.pid \
 	--with-data-file=${localstatedir}/lib/samhain/samhain_file \
+	--disable-dnmalloc \
 	${EXTRA_OECONF}
 }
 
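Review bot: `--disable-dnmalloc` is added without a comment, and the commit message does not explain it either. dnmalloc is samhain's bundled allocator, and it is normally kept for its protection of heap metadata, so turning it off for every architecture changes the hardening of an integrity checker. A comment stating the reason (a build failure or a target-specific crash) would make the trade-off reviewable. If the reason is limited to some targets, the flag could be applied through an override rather than globally. The layer still carries samhain-mips64-aarch64-dnmalloc-hash-fix.patch, which may no longer be needed if dnmalloc is never built. The enclosing configure function starts outside this hunk.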
diff --git a/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz b/meta-security/recipes-ids/suricata/files/emerging.rules.tar.gz
similarity index 100%
rename from meta-security/recipes-security/suricata/files/emerging.rules.tar.gz
rename to meta-security/recipes-ids/suricata/files/emerging.rules.tar.gz
Binary files differ
diff --git a/meta-security/recipes-security/suricata/files/no_libhtp_build.patch b/meta-security/recipes-ids/suricata/files/no_libhtp_build.patch
similarity index 100%
rename from meta-security/recipes-security/suricata/files/no_libhtp_build.patch
rename to meta-security/recipes-ids/suricata/files/no_libhtp_build.patch
diff --git a/meta-security/recipes-security/suricata/files/run-ptest b/meta-security/recipes-ids/suricata/files/run-ptest
similarity index 100%
rename from meta-security/recipes-security/suricata/files/run-ptest
rename to meta-security/recipes-ids/suricata/files/run-ptest
diff --git a/meta-security/recipes-security/suricata/files/suricata.service b/meta-security/recipes-ids/suricata/files/suricata.service
similarity index 100%
rename from meta-security/recipes-security/suricata/files/suricata.service
rename to meta-security/recipes-ids/suricata/files/suricata.service
diff --git a/meta-security/recipes-security/suricata/files/suricata.yaml b/meta-security/recipes-ids/suricata/files/suricata.yaml
similarity index 100%
rename from meta-security/recipes-security/suricata/files/suricata.yaml
rename to meta-security/recipes-ids/suricata/files/suricata.yaml
diff --git a/meta-security/recipes-security/suricata/files/volatiles.03_suricata b/meta-security/recipes-ids/suricata/files/volatiles.03_suricata
similarity index 100%
rename from meta-security/recipes-security/suricata/files/volatiles.03_suricata
rename to meta-security/recipes-ids/suricata/files/volatiles.03_suricata
diff --git a/meta-security/recipes-security/suricata/libhtp_0.5.27.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.29.bb
similarity index 100%
rename from meta-security/recipes-security/suricata/libhtp_0.5.27.bb
rename to meta-security/recipes-ids/suricata/libhtp_0.5.29.bb
diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc
new file mode 100644
index 0000000..7be403c
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/suricata.inc
@@ -0,0 +1,9 @@
+HOMEPAGE = "http://suricata-ids.org/"
+SECTION = "security Monitor/Admin"
+LICENSE = "GPLv2"
+
+VER = "4.1.3"
+SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
+
+SRC_URI[md5sum] = "35c4a8e6be3910831649a073950195df"
+SRC_URI[sha256sum] = "6cda6c80b753ce36483c6be535358b971f3890b9aa27a58c2d2f7e89dd6c6aa0"
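Review bot: `SRC_URI` and `HOMEPAGE` use plain `http://`. The `sha256sum` pins the tarball contents, so integrity is covered, but fetching over `https://` where the host supports it avoids exposing the download to interception and keeps the recipe consistent with the others in this commit. `VER = "4.1.3"` also duplicates the version already encoded in the recipe file name; using `${PV}` in `SRC_URI` would remove the risk of the two drifting apart on the next upgrade.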
diff --git a/meta-security/recipes-security/suricata/suricata_4.0.5.bb b/meta-security/recipes-ids/suricata/suricata_4.1.3.bb
similarity index 96%
rename from meta-security/recipes-security/suricata/suricata_4.0.5.bb
rename to meta-security/recipes-ids/suricata/suricata_4.1.3.bb
index 6c0a109..d6f5937 100644
--- a/meta-security/recipes-security/suricata/suricata_4.0.5.bb
+++ b/meta-security/recipes-ids/suricata/suricata_4.1.3.bb
@@ -16,7 +16,7 @@
 SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33"
 SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798"
 
-inherit autotools-brokensep pkgconfig python-dir systemd ptest
+inherit autotools-brokensep pkgconfig python3-dir systemd ptest
 
 CFLAGS += "-D_DEFAULT_SOURCE"
 
@@ -26,6 +26,7 @@
 EXTRA_OECONF += " --disable-debug \
     --enable-non-bundled-htp \
     --disable-gccmarch-native \
+    --disable-suricata-update \
     "
 
 PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
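Review bot: `--disable-suricata-update` is added to `EXTRA_OECONF` with no comment saying why, and for an IDS the consequence matters. The image gets no bundled rule updater, so signatures stay at whatever the pinned rules archive (`SRC_URI[rules.sha256sum]`, visible in the previous hunk) contained at build time. I would add a line above the assignment such as `# suricata-update is not built; rules come from the pinned rules tarball and are refreshed by rebuilding`. If the real reason is a dependency the layer does not provide, the comment should say so; that cannot be determined from the hunk.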
@@ -44,7 +45,7 @@
 PACKAGECONFIG[file] = ",,file, file"
 PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," 
 PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," 
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python" 
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3" 
 PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," 
 
 export logdir = "${localstatedir}/log"
diff --git a/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch b/meta-security/recipes-ids/tripwire/files/add_armeb_arch.patch
similarity index 100%
rename from meta-security/recipes-security/tripwire/files/add_armeb_arch.patch
rename to meta-security/recipes-ids/tripwire/files/add_armeb_arch.patch
diff --git a/meta-security/recipes-security/tripwire/files/run-ptest b/meta-security/recipes-ids/tripwire/files/run-ptest
similarity index 100%
rename from meta-security/recipes-security/tripwire/files/run-ptest
rename to meta-security/recipes-ids/tripwire/files/run-ptest
diff --git a/meta-security/recipes-security/tripwire/files/tripwire.cron b/meta-security/recipes-ids/tripwire/files/tripwire.cron
similarity index 100%
rename from meta-security/recipes-security/tripwire/files/tripwire.cron
rename to meta-security/recipes-ids/tripwire/files/tripwire.cron
diff --git a/meta-security/recipes-security/tripwire/files/tripwire.sh b/meta-security/recipes-ids/tripwire/files/tripwire.sh
similarity index 100%
rename from meta-security/recipes-security/tripwire/files/tripwire.sh
rename to meta-security/recipes-ids/tripwire/files/tripwire.sh
diff --git a/meta-security/recipes-security/tripwire/files/tripwire.txt b/meta-security/recipes-ids/tripwire/files/tripwire.txt
similarity index 100%
rename from meta-security/recipes-security/tripwire/files/tripwire.txt
rename to meta-security/recipes-ids/tripwire/files/tripwire.txt
diff --git a/meta-security/recipes-security/tripwire/files/twcfg.txt b/meta-security/recipes-ids/tripwire/files/twcfg.txt
similarity index 100%
rename from meta-security/recipes-security/tripwire/files/twcfg.txt
rename to meta-security/recipes-ids/tripwire/files/twcfg.txt
diff --git a/meta-security/recipes-security/tripwire/files/twinstall.sh b/meta-security/recipes-ids/tripwire/files/twinstall.sh
similarity index 100%
rename from meta-security/recipes-security/tripwire/files/twinstall.sh
rename to meta-security/recipes-ids/tripwire/files/twinstall.sh
diff --git a/meta-security/recipes-security/tripwire/files/twpol-yocto.txt b/meta-security/recipes-ids/tripwire/files/twpol-yocto.txt
similarity index 100%
rename from meta-security/recipes-security/tripwire/files/twpol-yocto.txt
rename to meta-security/recipes-ids/tripwire/files/twpol-yocto.txt
diff --git a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
similarity index 93%
rename from meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb
rename to meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
index 59d1f35..c26392a 100644
--- a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb
+++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -6,7 +6,7 @@
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127"
 
-SRCREV = "80db91b4c1ca4be9efafd2286e3b2ad32ba4c34c"
+SRCREV = "6e64a9e5b70a909ec439bc5a099e3fcf38c614b0"
 
 SRC_URI = "\
 	git://github.com/Tripwire/tripwire-open-source.git \
@@ -62,6 +62,7 @@
 do_install_ptest_append () {
 	install -d ${D}${PTEST_PATH}/tests
 	cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH}
+	sed -i -e 's@../../../../bin@${sbindir}@'  ${D}${PTEST_PATH}/twtools.pm
 }
 
 FILES_${PN} += "${libdir} ${docdir}/${PN}/*"
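Review bot: The pattern in the added `sed` line of `do_install_ptest_append` leaves every `.` unescaped, so `../../../../bin` matches any character in those positions. Escaping the dots makes the match exact: `sed -i -e 's@\.\./\.\./\.\./\.\./bin@${sbindir}@' ${D}${PTEST_PATH}/twtools.pm`. The command also exits 0 when nothing matches, so after a later SRCREV bump the ptest harness could silently keep pointing at a relative `bin` directory. A `grep -q` for the rewritten path after the `sed` would turn that silent miss into a build failure.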
@@ -70,4 +71,4 @@
 FILES_${PN}-ptest += "${PTEST_PATH}/tests "
 
 RDEPENDS_${PN} += " perl nano msmtp cronie"
-RDEPENDS_${PN}-ptest = " perl lib-perl"
+RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules "
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
new file mode 100644
index 0000000..b5f9bb2
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
@@ -0,0 +1,15 @@
+CONFIG_AUDIT=y
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
+CONFIG_SECURITY_PATH=y
+# CONFIG_SECURITY_SELINUX is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="apparmor"
+CONFIG_AUDIT_GENERIC=y
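Review bot: This fragment enables `CONFIG_SECURITY_APPARMOR`, `CONFIG_SECURITY_PATH` and `CONFIG_SECURITY_NETWORK` but never sets `CONFIG_SECURITY=y`, which all three depend on. The new smack.cfg in this same commit does set it explicitly. If the base kernel configuration lacks it, the AppArmor options would be dropped when the configuration is resolved, and the image would boot without the LSM while the distro feature claims it is on. I would add `CONFIG_SECURITY=y` at the top, here and in the identical linux-yocto/apparmor.cfg changed further down. Whether the linux-yocto defaults already provide it is not visible in this diff.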
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg
new file mode 100644
index 0000000..fc35740
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg
new file mode 100644
index 0000000..b5c4845
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg
@@ -0,0 +1,2 @@
+CONFIG_DEFAULT_SECURITY="smack"
+CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
new file mode 100644
index 0000000..62f465a
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
@@ -0,0 +1,8 @@
+CONFIG_IP_NF_SECURITY=m
+CONFIG_IP6_NF_SECURITY=m
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_SMACK=y
+CONFIG_TMPFS_XATTR=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
index 1dc4168..b5f9bb2 100644
--- a/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
+++ b/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
@@ -1,13 +1,15 @@
 CONFIG_AUDIT=y
-CONFIG_AUDITSYSCALL=y
-CONFIG_AUDIT_WATCH=y
-CONFIG_AUDIT_TREE=y
 # CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
 CONFIG_SECURITY_PATH=y
 # CONFIG_SECURITY_SELINUX is not set
 CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_APPARMOR_HASH=y
 CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="apparmor"
+CONFIG_AUDIT_GENERIC=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
new file mode 100644
index 0000000..fc35740
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
index 067be8f..321392c 100644
--- a/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -2,6 +2,7 @@
 
 SRC_URI += "\
         ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \
 "
 
 SRC_URI += "\
diff --git a/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend
new file mode 100644
index 0000000..f810e21
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend
@@ -0,0 +1,11 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-5.0:"
+
+SRC_URI += "\
+        ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \
+"
+
+SRC_URI += "\
+        ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \
+"
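Review bot: When `DISTRO_FEATURES` contains both `apparmor` and `smack`, this bbappend adds apparmor.cfg and smack-default-lsm.cfg together, and they assign different values to `CONFIG_DEFAULT_SECURITY` (`"apparmor"` and `"smack"`). Which value reaches the final .config then depends on fragment order, so the image can boot with a different default LSM than the builder intended, with no error. I would either document the constraint above the two `SRC_URI` blocks, e.g. `# apparmor and smack both set the default LSM; enable only one`, or gate the smack-default-lsm.cfg line on `apparmor` being absent. The linux-yocto_4.% bbappend appears to have the same layout, but its smack block lies outside the hunk shown.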
diff --git a/meta-security/recipes-security/AppArmor/apparmor_2.12.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb
similarity index 81%
rename from meta-security/recipes-security/AppArmor/apparmor_2.12.bb
rename to meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb
index e3f8dc9..62ed611 100644
--- a/meta-security/recipes-security/AppArmor/apparmor_2.12.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb
@@ -24,18 +24,15 @@
 	file://run-ptest \
 	"
 
-SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833"
-SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056"
+SRC_URI[md5sum] = "2439b35266b5a3a461b0a2dba6e863c3"
+SRC_URI[sha256sum] = "844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30"
 
 PARALLEL_MAKE = ""
 
-inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan
-inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd
 
-S = "${WORKDIR}/apparmor-${PV}"
-
-PACKAGECONFIG ?="man python perl"
-PACKAGECONFIG[man] = "--enable-man-pages, --disable-man-pages"
+PACKAGECONFIG ??= "python perl"
+PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
 PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
 PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
 PACKAGECONFIG[apache2] = ",,apache2,"
@@ -50,8 +47,7 @@
         raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
 }
 
-CONFIGUREOPTS_remove = "--disable-static"
-EXTRA_OECONF_append = " --enable-static"
+DISABLE_STATIC = ""
 
 do_configure() {
 	cd ${S}/libraries/libapparmor
@@ -60,11 +56,16 @@
 	libtoolize --automake -c --force
 	automake -ac
 	./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
-	sed -i -e 's#^YACC.*#YACC := bison#' ${S}/parser/Makefile
-	sed -i -e 's#^LEX.*#LEX := flex#' ${S}/parser/Makefile
 }
 
 do_compile () {
+        # Fixes:
+        # | sed -ie 's///g' Makefile.perl
+        # | sed: -e expression #1, char 0: no previous regular expression
+        #| Makefile:478: recipe for target 'Makefile.perl' failed
+        sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
+
+
 	oe_runmake -C ${B}/libraries/libapparmor
         oe_runmake -C ${B}/binutils
         oe_runmake -C ${B}/utils
@@ -90,6 +91,11 @@
 	oe_runmake -C ${B}/parser DESTDIR="${D}" install
 	oe_runmake -C ${B}/profiles DESTDIR="${D}" install
 
+	# If perl is disabled this script won't be any good
+	if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
+		rm -f ${D}${sbindir}/aa-notify
+	fi
+
 	if test -z "${HTTPD}" ; then
 		oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
 	fi
@@ -104,11 +110,8 @@
 
 	install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
 	install ${WORKDIR}/functions ${D}/lib/apparmor
-	if [ "${VIRTUAL-RUNTIME_init_manager}" = "systemd" ]; then
-		install -d ${D}${systemd_system_unitdir}
-		install ${WORKDIR}/apparmor.service \
-			${D}${systemd_system_unitdir}
-	fi
+	install -d ${D}${systemd_system_unitdir}
+	install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
 }
 
 do_compile_ptest () {
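Review bot: The unit file is installed with a bare `install`, which defaults to mode 0755, so apparmor.service lands executable in `${systemd_system_unitdir}`. systemd logs a warning for executable unit files, and a unit has no reason to carry the execute bit. Use `install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}`. do_install begins above this hunk, so the modes used by its earlier install lines are not visible here.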
@@ -146,14 +149,12 @@
 SYSTEMD_SERVICE_${PN} = "apparmor.service"
 SYSTEMD_AUTO_ENABLE = "disable"
 
-PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'mod-${PN}', '', d)}"
+PACKAGES += "mod-${PN}"
 
 FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
 FILES_mod-${PN} = "${libdir}/apache2/modules/*"
 
-ALLOW_EMPTY_${PN} = "1"
-
 RDEPENDS_${PN} += "bash lsb"
 RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}"
 RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
-RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib"
+RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
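Review bot: `SYSTEMD_AUTO_ENABLE = "disable"` stays undocumented while this same commit makes AppArmor the default LSM and enables it at boot in the kernel fragments. On a systemd image the LSM is therefore active, but apparmor.service, which presumably loads the profiles, does not start unless the image enables it, so processes may run unconfined. I would add a comment above the assignment, e.g. `# service is shipped disabled; enable it in the image to load profiles at boot`, so integrators do not assume confinement is in effect once the distro feature is set.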
diff --git a/meta-security/recipes-security/AppArmor/files/apparmor b/meta-security/recipes-mac/AppArmor/files/apparmor
similarity index 100%
rename from meta-security/recipes-security/AppArmor/files/apparmor
rename to meta-security/recipes-mac/AppArmor/files/apparmor
diff --git a/meta-security/recipes-security/AppArmor/files/apparmor.rc b/meta-security/recipes-mac/AppArmor/files/apparmor.rc
similarity index 100%
rename from meta-security/recipes-security/AppArmor/files/apparmor.rc
rename to meta-security/recipes-mac/AppArmor/files/apparmor.rc
diff --git a/meta-security/recipes-security/AppArmor/files/apparmor.service b/meta-security/recipes-mac/AppArmor/files/apparmor.service
similarity index 100%
rename from meta-security/recipes-security/AppArmor/files/apparmor.service
rename to meta-security/recipes-mac/AppArmor/files/apparmor.service
diff --git a/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch b/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
similarity index 100%
rename from meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch
rename to meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
diff --git a/meta-security/recipes-security/AppArmor/files/disable_pdf.patch b/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch
similarity index 100%
rename from meta-security/recipes-security/AppArmor/files/disable_pdf.patch
rename to meta-security/recipes-mac/AppArmor/files/disable_pdf.patch
diff --git a/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch b/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch
similarity index 100%
rename from meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch
rename to meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch
diff --git a/meta-security/recipes-security/AppArmor/files/functions b/meta-security/recipes-mac/AppArmor/files/functions
similarity index 100%
rename from meta-security/recipes-security/AppArmor/files/functions
rename to meta-security/recipes-mac/AppArmor/files/functions
diff --git a/meta-security/recipes-security/AppArmor/files/run-ptest b/meta-security/recipes-mac/AppArmor/files/run-ptest
similarity index 100%
rename from meta-security/recipes-security/AppArmor/files/run-ptest
rename to meta-security/recipes-mac/AppArmor/files/run-ptest
diff --git a/meta-security/recipes-security/smack/files/run-ptest b/meta-security/recipes-mac/smack/files/run-ptest
similarity index 100%
rename from meta-security/recipes-security/smack/files/run-ptest
rename to meta-security/recipes-mac/smack/files/run-ptest
diff --git a/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch b/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch
similarity index 100%
rename from meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch
rename to meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch
diff --git a/meta-security/recipes-security/smack/smack_1.3.1.bb b/meta-security/recipes-mac/smack/smack_1.3.1.bb
similarity index 100%
rename from meta-security/recipes-security/smack/smack_1.3.1.bb
rename to meta-security/recipes-mac/smack/smack_1.3.1.bb
diff --git a/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb b/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
index d9af430..71857ab 100644
--- a/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
+++ b/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
@@ -24,4 +24,6 @@
     oe_runmake install DESTDIR=${D} INSTALLDIR=${PERLLIBDIRS}/vendor_perl/${PERLVERSION} MANDIR=${datadir}/perl/${PERLVERSION}
 }
 
+FILES_${PN} += "${datadir}/perl"
+
 BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/checksec/checksec_1.11.bb b/meta-security/recipes-security/checksec/checksec_1.11.bb
new file mode 100644
index 0000000..59a67bd
--- /dev/null
+++ b/meta-security/recipes-security/checksec/checksec_1.11.bb
@@ -0,0 +1,19 @@
+SUMMARY = "Linux system security checks"
+DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used."
+SECTION = "security"
+LICENSE = "BSD"
+HOMEPAGE="https://github.com/slimm609/checksec.sh"
+
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a"
+
+SRCREV = "a57e03c4f62dbaca0ec949bbc58491fb0c461447"
+SRC_URI = "git://github.com/slimm609/checksec.sh"
+
+S = "${WORKDIR}/git"
+
+do_install() {
+    install -d ${D}${bindir}
+    install -m 0755 ${S}/checksec ${D}${bindir}
+}
+
+RDEPENDS_${PN} = "bash openssl-bin"
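Review bot: `SRC_URI = "git://github.com/slimm609/checksec.sh"` uses the unauthenticated git transport. The pinned `SRCREV` protects the content that is checked out, but the fetch itself travels in the clear and does not work from networks that only allow HTTPS. I would write `SRC_URI = "git://github.com/slimm609/checksec.sh;protocol=https"`. `RDEPENDS_${PN}` is also worth confirming: the 1.5 script removed by this commit shells out to `readelf`, and if 1.11 still does, the package needs binutils on the target to report anything useful.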
diff --git a/meta-security/recipes-security/checksec/checksec_1.5.bb b/meta-security/recipes-security/checksec/checksec_1.5.bb
deleted file mode 100644
index 07f0f7c..0000000
--- a/meta-security/recipes-security/checksec/checksec_1.5.bb
+++ /dev/null
@@ -1,18 +0,0 @@
-SUMMARY = "Program radominization"
-DESCRIPTION = "The checksec.sh script is designed to test what standard Linux OS and PaX security features are being used."
-SECTION = "security"
-LICENSE = "BSD"
-HOMEPAGE="http://www.trapkit.de/tools/checksec.html"
-
-LIC_FILES_CHKSUM = "file://checksec.sh;md5=075996be339ab16ad7b94d6de3ee07bd"
-
-SRC_URI = "file://checksec.sh"
-
-S = "${WORKDIR}"
-
-do_install() {
-    install -d ${D}${bindir}
-    install -m 0755 ${WORKDIR}/checksec.sh    ${D}${bindir}
-}
-
-RDEPENDS_${PN} = "bash"
diff --git a/meta-security/recipes-security/checksec/files/checksec.sh b/meta-security/recipes-security/checksec/files/checksec.sh
deleted file mode 100644
index dd1f72e..0000000
--- a/meta-security/recipes-security/checksec/files/checksec.sh
+++ /dev/null
@@ -1,882 +0,0 @@
-#!/bin/bash
-#
-# The BSD License (http://www.opensource.org/licenses/bsd-license.php) 
-# specifies the terms and conditions of use for checksec.sh:
-#
-# Copyright (c) 2009-2011, Tobias Klein.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without 
-# modification, are permitted provided that the following conditions 
-# are met:
-# 
-# * Redistributions of source code must retain the above copyright 
-#   notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright 
-#   notice, this list of conditions and the following disclaimer in 
-#   the documentation and/or other materials provided with the 
-#   distribution.
-# * Neither the name of Tobias Klein nor the name of trapkit.de may be 
-#   used to endorse or promote products derived from this software 
-#   without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
-# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 
-# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 
-# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 
-# OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 
-# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 
-# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 
-# DAMAGE.
-#
-# Name    : checksec.sh
-# Version : 1.5
-# Author  : Tobias Klein
-# Date    : November 2011
-# Download: http://www.trapkit.de/tools/checksec.html
-# Changes : http://www.trapkit.de/tools/checksec_changes.txt
-#
-# Description:
-#
-# Modern Linux distributions offer some mitigation techniques to make it 
-# harder to exploit software vulnerabilities reliably. Mitigations such 
-# as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout 
-# Randomization (ASLR) and Position Independent Executables (PIE) have 
-# made reliably exploiting any vulnerabilities that do exist far more 
-# challenging. The checksec.sh script is designed to test what *standard* 
-# Linux OS and PaX (http://pax.grsecurity.net/) security features are being 
-# used.
-#
-# As of version 1.3 the script also lists the status of various Linux kernel 
-# protection mechanisms.
-#
-# Credits:
-#
-# Thanks to Brad Spengler (grsecurity.net) for the PaX support.
-# Thanks to Jon Oberheide (jon.oberheide.org) for the kernel support.
-# Thanks to Ollie Whitehouse (Research In Motion) for rpath/runpath support.
-# 
-# Others that contributed to checksec.sh (in no particular order):
-#
-# Simon Ruderich, Denis Scherbakov, Stefan Kuttler, Radoslaw Madej,
-# Anthony G. Basile, Martin Vaeth and Brian Davis. 
-#
-
-# global vars
-have_readelf=1
-verbose=false
-
-# FORTIFY_SOURCE vars
-FS_end=_chk
-FS_cnt_total=0
-FS_cnt_checked=0
-FS_cnt_unchecked=0
-FS_chk_func_libc=0
-FS_functions=0
-FS_libc=0
- 
-# version information
-version() {
-  echo "checksec v1.5, Tobias Klein, www.trapkit.de, November 2011"
-  echo 
-}
-
-# help
-help() {
-  echo "Usage: checksec [OPTION]"
-  echo
-  echo "Options:"
-  echo
-  echo "  --file <executable-file>"
-  echo "  --dir <directory> [-v]"
-  echo "  --proc <process name>"
-  echo "  --proc-all"
-  echo "  --proc-libs <process ID>"
-  echo "  --kernel"
-  echo "  --fortify-file <executable-file>"
-  echo "  --fortify-proc <process ID>"
-  echo "  --version"
-  echo "  --help"
-  echo
-  echo "For more information, see:"
-  echo "  http://www.trapkit.de/tools/checksec.html"
-  echo
-}
-
-# check if command exists
-command_exists () {
-  type $1  > /dev/null 2>&1;
-}
-
-# check if directory exists
-dir_exists () {
-  if [ -d $1 ] ; then
-    return 0
-  else
-    return 1
-  fi
-}
-
-# check user privileges
-root_privs () {
-  if [ $(/usr/bin/id -u) -eq 0 ] ; then
-    return 0
-  else
-    return 1
-  fi
-}
-
-# check if input is numeric
-isNumeric () {
-  echo "$@" | grep -q -v "[^0-9]"
-}
-
-# check if input is a string
-isString () {
-  echo "$@" | grep -q -v "[^A-Za-z]"
-}
-
-# check file(s)
-filecheck() {
-  # check for RELRO support
-  if readelf -l $1 2>/dev/null | grep -q 'GNU_RELRO'; then
-    if readelf -d $1 2>/dev/null | grep -q 'BIND_NOW'; then
-      echo -n -e '\033[32mFull RELRO   \033[m   '
-    else
-      echo -n -e '\033[33mPartial RELRO\033[m   '
-    fi
-  else
-    echo -n -e '\033[31mNo RELRO     \033[m   '
-  fi
-
-  # check for stack canary support
-  if readelf -s $1 2>/dev/null | grep -q '__stack_chk_fail'; then
-    echo -n -e '\033[32mCanary found   \033[m   '
-  else
-    echo -n -e '\033[31mNo canary found\033[m   '
-  fi
-
-  # check for NX support
-  if readelf -W -l $1 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
-    echo -n -e '\033[31mNX disabled\033[m   '
-  else
-    echo -n -e '\033[32mNX enabled \033[m   '
-  fi 
-
-  # check for PIE support
-  if readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then
-    echo -n -e '\033[31mNo PIE       \033[m   '
-  elif readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
-    if readelf -d $1 2>/dev/null | grep -q '(DEBUG)'; then
-      echo -n -e '\033[32mPIE enabled  \033[m   '
-    else   
-      echo -n -e '\033[33mDSO          \033[m   '
-    fi
-  else
-    echo -n -e '\033[33mNot an ELF file\033[m   '
-  fi 
-
-  # check for rpath / run path
-  if readelf -d $1 2>/dev/null | grep -q 'rpath'; then
-   echo -n -e '\033[31mRPATH    \033[m  '
-  else
-   echo -n -e '\033[32mNo RPATH \033[m  '
-  fi
-
-  if readelf -d $1 2>/dev/null | grep -q 'runpath'; then
-   echo -n -e '\033[31mRUNPATH    \033[m  '
-  else
-   echo -n -e '\033[32mNo RUNPATH \033[m  '
-  fi
-}
-
-# check process(es)
-proccheck() {
-  # check for RELRO support
-  if readelf -l $1/exe 2>/dev/null | grep -q 'Program Headers'; then
-    if readelf -l $1/exe 2>/dev/null | grep -q 'GNU_RELRO'; then
-      if readelf -d $1/exe 2>/dev/null | grep -q 'BIND_NOW'; then
-        echo -n -e '\033[32mFull RELRO       \033[m '
-      else
-        echo -n -e '\033[33mPartial RELRO    \033[m '
-      fi
-    else
-      echo -n -e '\033[31mNo RELRO         \033[m '
-    fi
-  else
-    echo -n -e '\033[31mPermission denied (please run as root)\033[m\n'
-    exit 1
-  fi
-
-  # check for stack canary support
-  if readelf -s $1/exe 2>/dev/null | grep -q 'Symbol table'; then
-    if readelf -s $1/exe 2>/dev/null | grep -q '__stack_chk_fail'; then
-      echo -n -e '\033[32mCanary found         \033[m  '
-    else
-      echo -n -e '\033[31mNo canary found      \033[m  '
-    fi
-  else
-    if [ "$1" != "1" ] ; then
-      echo -n -e '\033[33mPermission denied    \033[m  '
-    else
-      echo -n -e '\033[33mNo symbol table found\033[m  '
-    fi
-  fi
-
-  # first check for PaX support
-  if cat $1/status 2> /dev/null | grep -q 'PaX:'; then
-    pageexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b6) )
-    segmexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b10) )
-    mprotect=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b8) )
-    randmmap=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b9) )
-    if [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "R" ]] ; then
-      echo -n -e '\033[32mPaX enabled\033[m   '
-    elif [[ "$pageexec" = "p" && "$segmexec" = "s" && "$randmmap" = "R" ]] ; then
-      echo -n -e '\033[33mPaX ASLR only\033[m '
-    elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "R" ]] ; then
-      echo -n -e '\033[33mPaX mprot off \033[m'
-    elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "r" ]] ; then
-      echo -n -e '\033[33mPaX ASLR off\033[m  '
-    elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "r" ]] ; then
-      echo -n -e '\033[33mPaX NX only\033[m   '
-    else
-      echo -n -e '\033[31mPaX disabled\033[m  '
-    fi
-  # fallback check for NX support
-  elif readelf -W -l $1/exe 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
-    echo -n -e '\033[31mNX disabled\033[m   '
-  else
-    echo -n -e '\033[32mNX enabled \033[m   '
-  fi 
-
-  # check for PIE support
-  if readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then
-    echo -n -e '\033[31mNo PIE               \033[m   '
-  elif readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
-    if readelf -d $1/exe 2>/dev/null | grep -q '(DEBUG)'; then
-      echo -n -e '\033[32mPIE enabled          \033[m   '
-    else   
-      echo -n -e '\033[33mDynamic Shared Object\033[m   '
-    fi
-  else
-    echo -n -e '\033[33mNot an ELF file      \033[m   '
-  fi
-}
-
-# check mapped libraries
-libcheck() {
-  libs=( $(awk '{ print $6 }' /proc/$1/maps | grep '/' | sort -u | xargs file | grep ELF | awk '{ print $1 }' | sed 's/:/ /') )
- 
-  printf "\n* Loaded libraries (file information, # of mapped files: ${#libs[@]}):\n\n"
-  
-  for element in $(seq 0 $((${#libs[@]} - 1)))
-  do
-    echo "  ${libs[$element]}:"
-    echo -n "    "
-    filecheck ${libs[$element]}
-    printf "\n\n"
-  done
-}
-
-# check for system-wide ASLR support
-aslrcheck() {
-  # PaX ASLR support
-  if !(cat /proc/1/status 2> /dev/null | grep -q 'Name:') ; then
-    echo -n -e ':\033[33m insufficient privileges for PaX ASLR checks\033[m\n'
-    echo -n -e '  Fallback to standard Linux ASLR check'
-  fi
-  
-  if cat /proc/1/status 2> /dev/null | grep -q 'PaX:'; then
-    printf ": "
-    if cat /proc/1/status 2> /dev/null | grep 'PaX:' | grep -q 'R'; then
-      echo -n -e '\033[32mPaX ASLR enabled\033[m\n\n'
-    else
-      echo -n -e '\033[31mPaX ASLR disabled\033[m\n\n'
-    fi
-  else
-    # standard Linux 'kernel.randomize_va_space' ASLR support
-    # (see the kernel file 'Documentation/sysctl/kernel.txt' for a detailed description)
-    printf " (kernel.randomize_va_space): "
-    if /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 1'; then
-      echo -n -e '\033[33mOn (Setting: 1)\033[m\n\n'
-      printf "  Description - Make the addresses of mmap base, stack and VDSO page randomized.\n"
-      printf "  This, among other things, implies that shared libraries will be loaded to \n"
-      printf "  random addresses. Also for PIE-linked binaries, the location of code start\n"
-      printf "  is randomized. Heap addresses are *not* randomized.\n\n"
-    elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 2'; then
-      echo -n -e '\033[32mOn (Setting: 2)\033[m\n\n'
-      printf "  Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.\n"
-      printf "  This, among other things, implies that shared libraries will be loaded to random \n"
-      printf "  addresses. Also for PIE-linked binaries, the location of code start is randomized.\n\n"
-    elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 0'; then
-      echo -n -e '\033[31mOff (Setting: 0)\033[m\n'
-    else
-      echo -n -e '\033[31mNot supported\033[m\n'
-    fi
-    printf "  See the kernel file 'Documentation/sysctl/kernel.txt' for more details.\n\n"
-  fi 
-}
-
-# check cpu nx flag
-nxcheck() {
-  if grep -q nx /proc/cpuinfo; then
-    echo -n -e '\033[32mYes\033[m\n\n'
-  else
-    echo -n -e '\033[31mNo\033[m\n\n'
-  fi
-}
-
-# check for kernel protection mechanisms
-kernelcheck() {
-  printf "  Description - List the status of kernel protection mechanisms. Rather than\n"
-  printf "  inspect kernel mechanisms that may aid in the prevention of exploitation of\n"
-  printf "  userspace processes, this option lists the status of kernel configuration\n"
-  printf "  options that harden the kernel itself against attack.\n\n"
-  printf "  Kernel config: "
- 
-  if [ -f /proc/config.gz ] ; then
-    kconfig="zcat /proc/config.gz"
-    printf "\033[32m/proc/config.gz\033[m\n\n"
-  elif [ -f /boot/config-`uname -r` ] ; then
-    kconfig="cat /boot/config-`uname -r`"
-    printf "\033[33m/boot/config-`uname -r`\033[m\n\n"
-    printf "  Warning: The config on disk may not represent running kernel config!\n\n";
-  elif [ -f "${KBUILD_OUTPUT:-/usr/src/linux}"/.config ] ; then
-    kconfig="cat ${KBUILD_OUTPUT:-/usr/src/linux}/.config"
-    printf "\033[33m%s\033[m\n\n" "${KBUILD_OUTPUT:-/usr/src/linux}/.config"
-    printf "  Warning: The config on disk may not represent running kernel config!\n\n";
-  else
-    printf "\033[31mNOT FOUND\033[m\n\n"
-    exit 0
-  fi
-
-  printf "  GCC stack protector support:            "
-  if $kconfig | grep -qi 'CONFIG_CC_STACKPROTECTOR=y'; then
-    printf "\033[32mEnabled\033[m\n"
-  else
-    printf "\033[31mDisabled\033[m\n"
-  fi
-
-  printf "  Strict user copy checks:                "
-  if $kconfig | grep -qi 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y'; then
-    printf "\033[32mEnabled\033[m\n"
-  else
-    printf "\033[31mDisabled\033[m\n"
-  fi
-
-  printf "  Enforce read-only kernel data:          "
-  if $kconfig | grep -qi 'CONFIG_DEBUG_RODATA=y'; then
-    printf "\033[32mEnabled\033[m\n"
-  else
-    printf "\033[31mDisabled\033[m\n"
-  fi
-  printf "  Restrict /dev/mem access:               "
-  if $kconfig | grep -qi 'CONFIG_STRICT_DEVMEM=y'; then
-    printf "\033[32mEnabled\033[m\n"
-  else
-    printf "\033[31mDisabled\033[m\n"
-  fi
-
-  printf "  Restrict /dev/kmem access:              "
-  if $kconfig | grep -qi 'CONFIG_DEVKMEM=y'; then
-    printf "\033[31mDisabled\033[m\n"
-  else
-    printf "\033[32mEnabled\033[m\n"
-  fi
-
-  printf "\n"
-  printf "* grsecurity / PaX: "
-
-  if $kconfig | grep -qi 'CONFIG_GRKERNSEC=y'; then
-    if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIGH=y'; then
-      printf "\033[32mHigh GRKERNSEC\033[m\n\n"
-    elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_MEDIUM=y'; then
-      printf "\033[33mMedium GRKERNSEC\033[m\n\n"
-    elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_LOW=y'; then
-      printf "\033[31mLow GRKERNSEC\033[m\n\n"
-    else
-      printf "\033[33mCustom GRKERNSEC\033[m\n\n"
-    fi
-
-    printf "  Non-executable kernel pages:            "
-    if $kconfig | grep -qi 'CONFIG_PAX_KERNEXEC=y'; then
-      printf "\033[32mEnabled\033[m\n"
-    else
-      printf "\033[31mDisabled\033[m\n"
-    fi
-
-    printf "  Prevent userspace pointer deref:        "
-    if $kconfig | grep -qi 'CONFIG_PAX_MEMORY_UDEREF=y'; then
-      printf "\033[32mEnabled\033[m\n"
-    else
-      printf "\033[31mDisabled\033[m\n"
-    fi
-
-    printf "  Prevent kobject refcount overflow:      "
-    if $kconfig | grep -qi 'CONFIG_PAX_REFCOUNT=y'; then
-      printf "\033[32mEnabled\033[m\n"
-    else
-      printf "\033[31mDisabled\033[m\n"
-    fi
-
-    printf "  Bounds check heap object copies:        "
-    if $kconfig | grep -qi 'CONFIG_PAX_USERCOPY=y'; then
-      printf "\033[32mEnabled\033[m\n"
-    else
-      printf "\033[31mDisabled\033[m\n"
-    fi
-
-    printf "  Disable writing to kmem/mem/port:       "
-    if $kconfig | grep -qi 'CONFIG_GRKERNSEC_KMEM=y'; then
-      printf "\033[32mEnabled\033[m\n"
-    else
-      printf "\033[31mDisabled\033[m\n"
-    fi
-
-    printf "  Disable privileged I/O:                 "
-    if $kconfig | grep -qi 'CONFIG_GRKERNSEC_IO=y'; then
-      printf "\033[32mEnabled\033[m\n"
-    else
-      printf "\033[31mDisabled\033[m\n"
-    fi
-
-    printf "  Harden module auto-loading:             "
-    if $kconfig | grep -qi 'CONFIG_GRKERNSEC_MODHARDEN=y'; then
-      printf "\033[32mEnabled\033[m\n"
-    else
-      printf "\033[31mDisabled\033[m\n"
-    fi
-
-    printf "  Hide kernel symbols:                    "
-    if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIDESYM=y'; then
-      printf "\033[32mEnabled\033[m\n"
-    else
-      printf "\033[31mDisabled\033[m\n"
-    fi
-  else
-    printf "\033[31mNo GRKERNSEC\033[m\n\n"
-    printf "  The grsecurity / PaX patchset is available here:\n"
-    printf "    http://grsecurity.net/\n"
-  fi
-
-  printf "\n"
-  printf "* Kernel Heap Hardening: "
-
-  if $kconfig | grep -qi 'CONFIG_KERNHEAP=y'; then
-    if $kconfig | grep -qi 'CONFIG_KERNHEAP_FULLPOISON=y'; then
-      printf "\033[32mFull KERNHEAP\033[m\n\n"
-    else
-      printf "\033[33mPartial KERNHEAP\033[m\n\n"
-    fi
-  else
-    printf "\033[31mNo KERNHEAP\033[m\n\n"
-    printf "  The KERNHEAP hardening patchset is available here:\n"
-    printf "    https://www.subreption.com/kernheap/\n\n"
-  fi
-}
-
-# --- FORTIFY_SOURCE subfunctions (start) ---
-
-# is FORTIFY_SOURCE supported by libc?
-FS_libc_check() {
-  printf "* FORTIFY_SOURCE support available (libc)    : "
-
-  if [ "${#FS_chk_func_libc[@]}" != "0" ] ; then
-    printf "\033[32mYes\033[m\n"
-  else
-    printf "\033[31mNo\033[m\n"
-    exit 1
-  fi
-}
-
-# was the binary compiled with FORTIFY_SOURCE?
-FS_binary_check() {
-  printf "* Binary compiled with FORTIFY_SOURCE support: "
-
-  for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1)))
-  do
-    if [[ ${FS_functions[$FS_elem_functions]} =~ _chk ]] ; then
-      printf "\033[32mYes\033[m\n"
-      return
-    fi
-  done
-  printf "\033[31mNo\033[m\n"
-  exit 1
-}
-
-FS_comparison() {
-  echo
-  printf " ------ EXECUTABLE-FILE ------- . -------- LIBC --------\n"
-  printf " FORTIFY-able library functions | Checked function names\n"
-  printf " -------------------------------------------------------\n"
-
-  for FS_elem_libc in $(seq 0 $((${#FS_chk_func_libc[@]} - 1)))
-  do
-    for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1)))
-    do
-      FS_tmp_func=${FS_functions[$FS_elem_functions]}
-      FS_tmp_libc=${FS_chk_func_libc[$FS_elem_libc]}
-
-      if [[ $FS_tmp_func =~ ^$FS_tmp_libc$ ]] ; then
-        printf " \033[31m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end
-        let FS_cnt_total++
-        let FS_cnt_unchecked++
-      elif [[ $FS_tmp_func =~ ^$FS_tmp_libc(_chk) ]] ; then
-        printf " \033[32m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end
-        let FS_cnt_total++
-        let FS_cnt_checked++
-      fi
-
-    done
-  done
-}
-
-FS_summary() {
-  echo
-  printf "SUMMARY:\n\n"
-  printf "* Number of checked functions in libc                : ${#FS_chk_func_libc[@]}\n"
-  printf "* Total number of library functions in the executable: ${#FS_functions[@]}\n"
-  printf "* Number of FORTIFY-able functions in the executable : %s\n" $FS_cnt_total
-  printf "* Number of checked functions in the executable      : \033[32m%s\033[m\n" $FS_cnt_checked
-  printf "* Number of unchecked functions in the executable    : \033[31m%s\033[m\n" $FS_cnt_unchecked
-  echo
-}
-
-# --- FORTIFY_SOURCE subfunctions (end) ---
-
-if !(command_exists readelf) ; then
-  printf "\033[31mWarning: 'readelf' not found! It's required for most checks.\033[m\n\n"
-  have_readelf=0
-fi
-
-# parse command-line arguments
-case "$1" in
-
- --version)
-  version
-  exit 0
-  ;;
-
- --help)
-  help
-  exit 0
-  ;;
-
- --dir)
-  if [ "$3" = "-v" ] ; then
-    verbose=true
-  fi
-  if [ $have_readelf -eq 0 ] ; then
-    exit 1
-  fi
-  if [ -z "$2" ] ; then
-    printf "\033[31mError: Please provide a valid directory.\033[m\n\n"
-    exit 1
-  fi
-  # remove trailing slashes
-  tempdir=`echo $2 | sed -e "s/\/*$//"`
-  if [ ! -d $tempdir ] ; then
-    printf "\033[31mError: The directory '$tempdir' does not exist.\033[m\n\n"
-    exit 1
-  fi
-  cd $tempdir
-  printf "RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE\n"
-  for N in [A-Za-z]*; do
-    if [ "$N" != "[A-Za-z]*" ]; then
-      # read permissions?
-      if [ ! -r $N ]; then
-        printf "\033[31mError: No read permissions for '$tempdir/$N' (run as root).\033[m\n"
-      else
-        # ELF executable?
-        out=`file $N`
-        if [[ ! $out =~ ELF ]] ; then
-           if [ "$verbose" = "true" ] ; then
-             printf "\033[34m*** Not an ELF file: $tempdir/"
-             file $N
-             printf "\033[m"
-           fi
-        else 
-          filecheck $N
-          if [ `find $tempdir/$N \( -perm -004000 -o -perm -002000 \) -type f -print` ]; then
-            printf "\033[37;41m%s%s\033[m" $2 $N
-          else
-            printf "%s%s" $tempdir/ $N
-          fi
-          echo
-        fi
-      fi
-    fi
-  done
-  exit 0
-  ;;
- 
- --file)
-  if [ $have_readelf -eq 0 ] ; then
-    exit 1
-  fi
-  if [ -z "$2" ] ; then
-    printf "\033[31mError: Please provide a valid file.\033[m\n\n"
-   exit 1
-  fi
-  # does the file exist?
-  if [ ! -e $2 ] ; then
-    printf "\033[31mError: The file '$2' does not exist.\033[m\n\n"
-    exit 1
-  fi
-  # read permissions?
-  if [ ! -r $2 ] ; then
-    printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n"
-    exit 1
-  fi
-  # ELF executable?
-  out=`file $2`
-  if [[ ! $out =~ ELF ]] ; then
-    printf "\033[31mError: Not an ELF file: "
-    file $2
-    printf "\033[m\n"
-    exit 1
-  fi
-  printf "RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE\n"
-  filecheck $2
-  if [ `find $2 \( -perm -004000 -o -perm -002000 \) -type f -print` ] ; then
-    printf "\033[37;41m%s%s\033[m" $2 $N
-  else
-    printf "%s" $2
-  fi
-  echo
-  exit 0
-  ;;
-
- --proc-all)
-  if [ $have_readelf -eq 0 ] ; then
-    exit 1
-  fi
-  cd /proc
-  printf "* System-wide ASLR"
-  aslrcheck
-  printf "* Does the CPU support NX: "
-  nxcheck 
-  printf "         COMMAND    PID RELRO             STACK CANARY           NX/PaX        PIE\n"
-  for N in [1-9]*; do
-    if [ $N != $$ ] && readlink -q $N/exe > /dev/null; then
-      printf "%16s" `head -1 $N/status | cut -b 7-`
-      printf "%7d " $N
-      proccheck $N
-      echo
-    fi
-  done
-  if [ ! -e /usr/bin/id ] ; then
-    printf "\n\033[33mNote: If you are running 'checksec.sh' as an unprivileged user, you\n"
-    printf "      will not see all processes. Please run the script as root.\033[m\n\n"
-  else 
-    if !(root_privs) ; then
-      printf "\n\033[33mNote: You are running 'checksec.sh' as an unprivileged user.\n" 
-      printf "      Too see all processes, please run the script as root.\033[m\n\n"
-    fi
-  fi
-  exit 0
-  ;;
-
- --proc)
-  if [ $have_readelf -eq 0 ] ; then
-    exit 1
-  fi
-  if [ -z "$2" ] ; then
-    printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
-    exit 1
-  fi
-  if !(isString "$2") ; then
-     printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
-     exit 1
-  fi
-  cd /proc
-  printf "* System-wide ASLR"
-  aslrcheck
-  printf "* Does the CPU support NX: "
-  nxcheck
-  printf "         COMMAND    PID RELRO             STACK CANARY           NX/PaX        PIE\n"
-  for N in `ps -Ao pid,comm | grep $2 | cut -b1-6`; do
-    if [ -d $N ] ; then
-      printf "%16s" `head -1 $N/status | cut -b 7-`
-      printf "%7d " $N
-      # read permissions?
-      if [ ! -r $N/exe ] ; then
-        if !(root_privs) ; then
-          printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
-          exit 1
-        fi
-        if [ ! `readlink $N/exe` ] ; then
-          printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
-          exit 1
-        fi
-        exit 1
-      fi
-      proccheck $N
-      echo
-    fi
-  done
-  exit 0
-  ;;
-
- --proc-libs)
-  if [ $have_readelf -eq 0 ] ; then
-    exit 1
-  fi
-  if [ -z "$2" ] ; then
-    printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
-    exit 1
-  fi
-  if !(isNumeric "$2") ; then
-     printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
-     exit 1
-  fi
-  cd /proc
-  printf "* System-wide ASLR"
-  aslrcheck
-  printf "* Does the CPU support NX: "
-  nxcheck
-  printf "* Process information:\n\n"
-  printf "         COMMAND    PID RELRO             STACK CANARY           NX/PaX        PIE\n"
-  N=$2
-  if [ -d $N ] ; then
-    printf "%16s" `head -1 $N/status | cut -b 7-`
-    printf "%7d " $N
-    # read permissions?
-    if [ ! -r $N/exe ] ; then
-      if !(root_privs) ; then
-        printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
-        exit 1
-      fi
-      if [ ! `readlink $N/exe` ] ; then
-        printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
-        exit 1
-      fi
-      exit 1
-    fi
-    proccheck $N
-    echo
-    libcheck $N
-  fi
-  exit 0
-  ;;
-
- --kernel)
-  cd /proc
-  printf "* Kernel protection information:\n\n"
-  kernelcheck
-  exit 0
-  ;;
-
- --fortify-file)
-  if [ $have_readelf -eq 0 ] ; then
-    exit 1
-  fi
-  if [ -z "$2" ] ; then
-    printf "\033[31mError: Please provide a valid file.\033[m\n\n"
-   exit 1
-  fi
-  # does the file exist?
-  if [ ! -e $2 ] ; then
-    printf "\033[31mError: The file '$2' does not exist.\033[m\n\n"
-    exit 1
-  fi
-  # read permissions?
-  if [ ! -r $2 ] ; then
-    printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n"
-    exit 1
-  fi
-  # ELF executable?
-  out=`file $2`
-  if [[ ! $out =~ ELF ]] ; then
-    printf "\033[31mError: Not an ELF file: "
-    file $2
-    printf "\033[m\n"
-    exit 1
-  fi
-  if [ -e /lib/libc.so.6 ] ; then
-    FS_libc=/lib/libc.so.6
-  elif [ -e /lib64/libc.so.6 ] ; then
-    FS_libc=/lib64/libc.so.6
-  elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then
-    FS_libc=/lib/i386-linux-gnu/libc.so.6
-  elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then
-    FS_libc=/lib/x86_64-linux-gnu/libc.so.6
-  else
-    printf "\033[31mError: libc not found.\033[m\n\n"
-    exit 1
-  fi
-
-  FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') )
-  FS_functions=( $(readelf -s $2 | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') )
-
-  FS_libc_check
-  FS_binary_check
-  FS_comparison
-  FS_summary
-
-  exit 0
-  ;;
-
- --fortify-proc)
-  if [ $have_readelf -eq 0 ] ; then
-    exit 1
-  fi
-  if [ -z "$2" ] ; then
-    printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
-    exit 1
-  fi
-  if !(isNumeric "$2") ; then
-     printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
-     exit 1
-  fi
-  cd /proc
-  N=$2
-  if [ -d $N ] ; then
-    # read permissions?
-    if [ ! -r $N/exe ] ; then
-      if !(root_privs) ; then
-        printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
-        exit 1
-      fi
-      if [ ! `readlink $N/exe` ] ; then
-        printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
-        exit 1
-      fi
-      exit 1
-    fi
-    if [ -e /lib/libc.so.6 ] ; then
-      FS_libc=/lib/libc.so.6
-    elif [ -e /lib64/libc.so.6 ] ; then
-      FS_libc=/lib64/libc.so.6
-    elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then
-      FS_libc=/lib/i386-linux-gnu/libc.so.6
-    elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then
-      FS_libc=/lib/x86_64-linux-gnu/libc.so.6
-    else
-      printf "\033[31mError: libc not found.\033[m\n\n"
-      exit 1
-    fi
-    printf "* Process name (PID)                         : %s (%d)\n" `head -1 $N/status | cut -b 7-` $N
-    FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') )
-    FS_functions=( $(readelf -s $2/exe | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') )
-
-    FS_libc_check
-    FS_binary_check
-    FS_comparison
-    FS_summary
-  fi
-  exit 0
-  ;;
-
- *)
-  if [ "$#" != "0" ] ; then
-    printf "\033[31mError: Unknown option '$1'.\033[m\n\n"
-  fi
-  help
-  exit 1
-  ;;
-esac
diff --git a/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
index 8c2c2fa..6219d9e 100644
--- a/meta-security/recipes-security/clamav/clamav_0.99.4.bb
+++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
@@ -31,17 +31,13 @@
 
 # Clamav has a built llvm version 2 but does not build with gcc 6.x,
 # disable the internal one. This is a known issue
-# If you want LLVM support, use meta-oe llvm3.3 to build for GCC 6.X,
-# as defined below
+# If you want LLVM support, use the one in core
 
-CLAMAV_LLVM ?= "oellvm"
-CLAMAV_LLVM_RELEASE ?= "6.0"
-
-PACKAGECONFIG ?= "ncurses openssl bz2 zlib ${CLAMAV_LLVM}"
+PACKAGECONFIG ?= "ncurses openssl bz2 zlib llvm"
 PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
-PACKAGECONFIG[oellvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm${CLAMAV_LLVM_RELEASE}"
+PACKAGECONFIG[llvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm8.0"
 
 PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR},  --without-pcre, libpcre"
 PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2,"
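Review bot: The new `PACKAGECONFIG[llvm]` line hard-codes the build dependency as `llvm8.0`, and the commit removes `CLAMAV_LLVM_RELEASE`, the only knob that let a distro point the recipe at a different LLVM release. If that provider name follows the version of the LLVM recipe in core, as the updated comment suggests, the dependency will stop resolving when core bumps LLVM. Keeping a weak default such as `CLAMAV_LLVM_RELEASE ?= "8.0"` and `llvm${CLAMAV_LLVM_RELEASE}` in the depends field would preserve the override. The enable column also still carries `--disable-llvm` next to `--with-system-llvm`, which reads as contradictory and deserves a comment or a check against clamav's configure options.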
diff --git a/meta-security/recipes-security/fail2ban/python-fail2ban.inc b/meta-security/recipes-security/fail2ban/python-fail2ban.inc
index 9245f17..7270ed8 100644
--- a/meta-security/recipes-security/fail2ban/python-fail2ban.inc
+++ b/meta-security/recipes-security/fail2ban/python-fail2ban.inc
@@ -9,7 +9,7 @@
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
 
-SRCREV ="ac0d441fd68852ffda7b15c71f16b7f4fde1a7ee"
+SRCREV ="aa565eb80ec6043317e8430cabcaf9c3f4e61578"
 SRC_URI = " \
 	git://github.com/fail2ban/fail2ban.git;branch=0.11 \
 	file://initd \
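Review bot: `SRC_URI` still fetches from `branch=0.11` while this commit renames the recipes to `_0.10.4.0.bb`, so the version BitBake reports may not describe the code the new `SRCREV` checks out. PV is what CVE tracking and manifests key on, so it is worth confirming that the pinned commit is the 0.10.4 release. If it is reachable from a 0.10 release branch, the fetch should name that branch instead. The `SRC_URI` assignment continues outside the hunk.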
diff --git a/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.4.0.bb
similarity index 100%
rename from meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
rename to meta-security/recipes-security/fail2ban/python-fail2ban_0.10.4.0.bb
diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
similarity index 100%
rename from meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb
rename to meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
diff --git a/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch b/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch
deleted file mode 100644
index dde1af4..0000000
--- a/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Subject: [PATCH] keyutils: use relative path for link
-
-The absolute path of the symlink will be invalid
-when populated in sysroot, so use relative path instead.
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 824bbbf..8ce3a13 100644
---- a/Makefile
-+++ b/Makefile
-@@ -167,7 +167,7 @@ ifeq ($(NO_SOLIB),0)
- 	$(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
- 	$(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
- 	mkdir -p $(DESTDIR)$(USRLIBDIR)
--	$(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
-+	$(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
- endif
- 	$(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl
- 	$(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key
--- 
-2.11.0
-
diff --git a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb b/meta-security/recipes-security/keyutils/keyutils_1.6.bb
similarity index 75%
rename from meta-security/recipes-security/keyutils/keyutils_1.5.10.bb
rename to meta-security/recipes-security/keyutils/keyutils_1.6.bb
index a4222b9..c961fa2 100644
--- a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb
+++ b/meta-security/recipes-security/keyutils/keyutils_1.6.bb
@@ -16,14 +16,13 @@
 inherit siteinfo ptest
 
 SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \
-           file://keyutils-use-relative-path-for-link.patch \
            file://keyutils-test-fix-output-format.patch \
            file://keyutils-fix-error-report-by-adding-default-message.patch \
            file://run-ptest \
            "
 
-SRC_URI[md5sum] = "3771676319bc7b84b1549b5c63ff5243"
-SRC_URI[sha256sum] = "115c3deae7f181778fd0e0ffaa2dad1bf1fe2f5677cf2e0e348cdb7a1c93afb6"
+SRC_URI[md5sum] = "191987b0ab46bb5b50efd70a6e6ce808"
+SRC_URI[sha256sum] = "d3aef20cec0005c0fa6b4be40079885567473185b1a57b629b030e67942c7115"
 
 EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \
     NO_ARLIB=1 \
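Review bot: `keyutils-use-relative-path-for-link.patch` is dropped from `SRC_URI` here, yet the deleted patch file earlier in this commit is marked `Upstream-Status: Pending`, so nothing visible shows that 1.6 contains the change. Without it the devel symlink would be created with an absolute target, which the patch description says is invalid once populated in the sysroot. It is worth confirming against the 1.6 Makefile, or recording in the commit message why the patch is no longer needed.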
@@ -36,6 +35,7 @@
     "
 
 do_install () {
+    install -d ${D}/${nonarch_base_libdir}/pkgconfig
     oe_runmake DESTDIR=${D} install
 }
 
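Review bot: `install -d ${D}/${nonarch_base_libdir}/pkgconfig` joins two absolute paths with an extra slash and does not say why the directory has to exist before `oe_runmake DESTDIR=${D} install` runs. Writing it as `install -d ${D}${nonarch_base_libdir}/pkgconfig` would match the usual recipe style. A comment such as `# upstream install does not create the pkgconfig directory` would record the reason, which is presumed here and should be confirmed.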
@@ -44,4 +44,8 @@
     sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh
 }
 
-RDEPENDS_${PN}-ptest += "glibc-utils"
+FILES_${PN}-dev += "${nonarch_base_libdir}/pkgconfig/libkeyutils.pc"
+
+RDEPENDS_${PN}-ptest += "lsb"
+RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils"
+RDEPENDS_${PN}-ptest_append_libc-musl = " musl-utils"
diff --git a/meta-security/recipes-security/libmspack/libmspack_0.5.bb b/meta-security/recipes-security/libmspack/libmspack_0.9.1.bb
similarity index 71%
rename from meta-security/recipes-security/libmspack/libmspack_0.5.bb
rename to meta-security/recipes-security/libmspack/libmspack_0.9.1.bb
index 80db23c..56a8a07 100644
--- a/meta-security/recipes-security/libmspack/libmspack_0.5.bb
+++ b/meta-security/recipes-security/libmspack/libmspack_0.9.1.bb
@@ -6,10 +6,10 @@
 
 LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd"
 
-SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.gz\
-"
-SRC_URI[md5sum] = "3aa3f6b9ef101463270c085478fda1da"
-SRC_URI[sha256sum] = "8967f275525f5067b364cee43b73e44d0433668c39f9376dfff19f653d1c8110"
+SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.gz"
+
+SRC_URI[md5sum] = "9602ae4a6b0468d9aaef6359c1e90657"
+SRC_URI[sha256sum] = "62a336d9c798638aaf3dceb43843320061544bbf35547c316b075b99112f2e40"
 
 inherit autotools
 
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb
similarity index 95%
rename from meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb
rename to meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb
index 9c66db6..41ffd62 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb
@@ -4,9 +4,9 @@
 LICENSE = "LGPL-2.1"
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
 
-SRCREV = "74b190e1aa05f07da0c61fb9a30dbc9c18ce2c9d"
+SRCREV = "4d64011741375bb1a4ba7d71905ca37b97885083"
 
-SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.3 \
+SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
            file://run-ptest \
 "
 
diff --git a/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/meta-security/recipes-security/ncrack/ncrack_0.7.bb
new file mode 100644
index 0000000..06ba2b6
--- /dev/null
+++ b/meta-security/recipes-security/ncrack/ncrack_0.7.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Network authentication cracking tool"
+DESCRIPTION = "Ncrack is designed for high-speed parallel testing of network devices for poor passwords."
+HOMEPAGE = "https://nmap.org/ncrack"
+SECTION = "security"
+
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=198fa93d4e80225839e595336f3b5ff0"
+
+SRCREV = "3a793a21820708466081825beda9fce857f36cb6"
+SRC_URI = "git://github.com/nmap/ncrack.git"
+
+DEPENDS = "openssl zlib"
+
+inherit autotools-brokensep
+
+S = "${WORKDIR}/git"
+
+INSANE_SKIP_${PN} = "already-stripped"
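Review bot: `INSANE_SKIP_${PN} = "already-stripped"` silences the QA check instead of stopping the upstream build from stripping the binary, so the debug package will carry no usable symbols and the reason is not recorded anywhere. A comment such as `# upstream Makefile strips ncrack at install time` (to be confirmed against the Makefile) or a fix to the install step would be better. The `git://` URL in `SRC_URI` has no `protocol=` parameter; the pinned `SRCREV` fixes the content, but `;protocol=https` would avoid the unauthenticated git transport.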
diff --git a/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch b/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch
deleted file mode 100644
index 5ddb169..0000000
--- a/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
-From: sullo <sullo@cirt.net>
-Date: Thu, 31 May 2018 23:30:03 -0400
-Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
- Server string & CSV output is opened in Excel or other spreadsheet app.
- Potentially malicious cell start characters are now prefaced with a ' mark.
- Thanks to Adam (@bytesoverbombs) for letting me know!
-
-Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
-
-CVE: CVE-2018-11652
-Upstream-Status: Backport
-Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
----
- plugins/nikto_outdated.plugin   |  2 +-
- plugins/nikto_report_csv.plugin | 42 +++++++++++++++++++++++++++++------------
- 2 files changed, 31 insertions(+), 13 deletions(-)
-
-diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin
-index 72379cc..eb1d889 100644
---- a/plugins/nikto_outdated.plugin
-+++ b/plugins/nikto_outdated.plugin
-@@ -83,7 +83,7 @@ sub nikto_outdated {
-             $sepr = substr($sepr, (length($sepr) - 1), 1);
- 
-             # break up ID string on $sepr
--            my @T = split(/$sepr/, $mark->{'banner'});
-+            my @T = split(/\\$sepr/, $mark->{'banner'});
- 
-             # assume last is version...
-             for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
-diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin
-index d13acab..b942e78 100644
---- a/plugins/nikto_report_csv.plugin
-+++ b/plugins/nikto_report_csv.plugin
-@@ -52,10 +52,12 @@ sub csv_open {
- sub csv_host_start {
-     my ($handle, $mark) = @_;
-     $mark->{'banner'} =~ s/"/\\"/g;
--    print OUT "\"$mark->{'hostname'}\","
--      . "\"$mark->{'ip'}\","
--      . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
--      . "\"$mark->{'banner'}\"\n";
-+    print $handle "\"" . csv_safecell($hostname) . "\","
-+      . "\"" . csv_safecell($mark->{'ip'}) . "\","
-+      . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
-+      #. "\"" . $mark->{'banner'} . "\"\n";
-+      . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
-+
-     return;
- }
- 
-@@ -65,26 +67,42 @@ sub csv_item {
-     my ($handle, $mark, $item) = @_;
-     foreach my $uri (split(' ', $item->{'uri'})) {
-         my $line = '';
--        $line .= "\"$item->{'mark'}->{'hostname'}\",";
--        $line .= "\"$item->{'mark'}->{'ip'}\",";
--        $line .= "\"$item->{'mark'}->{'port'}\",";
-+        $line .= "\"" . csv_safecell($hostname) . "\",";
-+        $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
-+        $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
- 
-         $line .= "\"";
-         if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
-         $line .= "\",";
- 
-         $line .= "\"";
--        if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
-+        if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
-         $line .= "\",";
- 
-         $line .= "\"";
--        if ($uri ne '') { $line .= $mark->{'root'} . $uri; }
-+                       { $line .= csv_safecell($mark->{'root'}) . $uri; }
-+               else { $line .= csv_safecell($ur
-         $line .= "\",";
- 
--        $item->{'message'} =~ s/"/\\"/g;
--        $line .= "\"$item->{'message'}\"";
--        print $handle "$line\n";
-+       my $msg = $item->{'message'};
-+       $uri=quotemeta($uri);
-+       my $root = quotemeta($mark->{'root'});
-+       $msg =~ s/^$uri:\s//;
-+       $msg =~ s/^$root$uri:\s//;
-+         $msg =~ s/"/\\"/g;
-+        $line .= "\"" . csv_safecell($msg) ."\"";
-+         print $handle "$line\n";
-+
-     }
- }
- 
-+###############################################################################
-+# prevent CSV injection attacks
-+sub csv_safecell {
-+    my $celldata = $_[0] || return;
-+    if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
-+    return $celldata;
-+}
-+
-+
- 1;
--- 
-2.6.4
-
diff --git a/meta-security/recipes-security/nikto/files/location.patch b/meta-security/recipes-security/nikto/files/location.patch
index a95b062..edaa204 100644
--- a/meta-security/recipes-security/nikto/files/location.patch
+++ b/meta-security/recipes-security/nikto/files/location.patch
@@ -1,36 +1,36 @@
-From e10b9b1f6704057ace39956ae1dc5c7caca07ff1 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Mon, 8 Jul 2013 11:53:54 +0300
-Subject: [PATCH] Setting the location of nikto on the image
+From d1cb702d5147abea0d3208a4d554c61a6f2decd6 Mon Sep 17 00:00:00 2001
+From: Scott Ellis <scott@jumpnowtek.com>
+Date: Fri, 28 Dec 2018 11:08:25 -0500
+Subject: [PATCH] Set custom paths
 
-Upstream Status: Inapropriate
+Upstream Status: Inappropriate
 
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+Signed-off-by: Scott Ellis <scott@jumpnowtek.com>
 ---
- nikto.conf |   10 +++++-----
+ nikto.conf | 10 +++++-----
  1 file changed, 5 insertions(+), 5 deletions(-)
 
-diff --git a/nikto.conf b/nikto.conf
-index 25b784d..9577033 100644
+diff --git a/program/nikto.conf b/program/nikto.conf
+index bf36c58..8c55415 100644
 --- a/nikto.conf
 +++ b/nikto.conf
-@@ -61,11 +61,11 @@ CIRT=174.142.17.165
+@@ -61,11 +61,11 @@ CIRT=107.170.99.251
  CHECKMETHODS=HEAD GET
  
  # If you want to specify the location of any of the files, specify them here
 -# EXECDIR=/opt/nikto				# Location of Nikto
 -# PLUGINDIR=/opt/nikto/plugins			# Location of plugin dir
--# DBDIR=/opt/nikto/databases			# Location of plugin dir
--# TEMPLATEDIR=/opt/nikto/templates		# Location of tempmlate dir
+-# DBDIR=/opt/nikto/databases			# Location of database dir
+-# TEMPLATEDIR=/opt/nikto/templates		# Location of template dir
 -# DOCDIR=/opt/nikto/docs			# Location of docs dir
 +EXECDIR=/usr/bin/nikto				# Location of Nikto
 +PLUGINDIR=/etc/nikto/plugins			# Location of plugin dir
-+DBDIR=/etc/nikto/databases			# Location of plugin dir
-+TEMPLATEDIR=/etc/nikto/templates		# Location of tempmlate dir
++DBDIR=/etc/nikto/databases			# Location of database dir
++TEMPLATEDIR=/etc/nikto/templates		# Location of template dir
 +DOCDIR=/usr/share/doc/nikto			# Location of docs dir
  
  # Default plugin macros
- @@MUTATE=dictionary;subdomain
+ # Remove plugins designed to be run standalone
 -- 
-1.7.9.5
+2.7.4
 
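Review bot: The refreshed patch header now reads `diff --git a/program/nikto.conf b/program/nikto.conf`, but the `--- a/nikto.conf` and `+++ b/nikto.conf` lines below it were left unchanged, so the two disagree about where the file lives. Which one is right depends on what `S` is set to in the new nikto recipe, which is outside this hunk; the paths should be made consistent either way. The tag line is still `Upstream Status: Inappropriate`, whereas the form OE tooling looks for is hyphenated and carries a reason, `Upstream-Status: Inappropriate [configuration]`.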
diff --git a/meta-security/recipes-security/nikto/nikto_2.1.5.bb b/meta-security/recipes-security/nikto/nikto_2.1.5.bb
deleted file mode 100644
index 19eb14f..0000000
--- a/meta-security/recipes-security/nikto/nikto_2.1.5.bb
+++ /dev/null
@@ -1,108 +0,0 @@
-SUMMARY = "web server scanner"
-DESCRIPTION = "Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous \
-               files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers."
-SECTION = "security"
-LICENSE = "GPLv2"
-
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-
-SRC_URI = "http://cirt.net/nikto/${BP}.tar.gz \
-           file://location.patch \
-           file://CVE-2018-11652.patch"
-
-SRC_URI[md5sum] = "efcc98a918becb77471ee9a5df0a7b1e"
-SRC_URI[sha256sum] = "0e672a6a46bf2abde419a0e8ea846696d7f32e99ad18a6b405736ee6af07509f"
-
-do_install() {
-	install -d ${D}${bindir}
-	install -d ${D}${datadir}
-	install -d ${D}${datadir}/man/man1
-	install -d ${D}${datadir}/doc/nikto
-	install -d ${D}${sysconfdir}/nikto
-	install -d ${D}${sysconfdir}/nikto/databases
-	install -d ${D}${sysconfdir}/nikto/plugins
-	install -d ${D}${sysconfdir}/nikto/templates
-
-	install -m 0644 databases/db_404_strings    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_content_search    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_dictionary    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_embedded    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_favicon    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_headers    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_httpoptions    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_multiple_index    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_outdated    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_parked_strings    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_realms    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_server_msgs    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_subdomains    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_tests    ${D}${sysconfdir}/nikto/databases
-	install -m 0644 databases/db_variables    ${D}${sysconfdir}/nikto/databases
-
-	install -m 0644 plugins/JSON-PP.pm    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/LW2.pm    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_apache_expect_xss.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_apacheusers.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_auth.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_cgi.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_clientaccesspolicy.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_content_search.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_cookies.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_core.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_dictionary_attack.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_embedded.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_favicon.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_fileops.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_headers.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_httpoptions.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_msgs.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_multiple_index.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_outdated.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_parked.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_paths.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_put_del_test.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_report_csv.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_report_html.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_report_msf.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_report_nbe.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_report_text.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_report_xml.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_robots.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_siebel.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_ssl.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_subdomain.plugin    ${D}${sysconfdir}/nikto/plugins
-	install -m 0644 plugins/nikto_tests.plugin    ${D}${sysconfdir}/nikto/plugins
-
-	install -m 0644 templates/htm_close.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/htm_end.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/htm_host_head.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/htm_host_im.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/htm_host_item.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/htm_start.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/htm_stop.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/htm_start.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/htm_summary.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/xml_end.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/xml_host_head.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/xml_host_im.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/xml_host_item.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/xml_start.tmpl    ${D}${sysconfdir}/nikto/templates
-	install -m 0644 templates/xml_summary.tmpl    ${D}${sysconfdir}/nikto/templates
-
-	install -m 0644 nikto.conf    ${D}${sysconfdir}
-
-	install -m 0755 nikto.pl    ${D}${bindir}/nikto
-	install -m 0644 replay.pl    ${D}${bindir}
-	install -m 0644 docs/nikto.1    ${D}${datadir}/man/man1
-
-	install -m 0644 docs/CHANGES.txt    ${D}${datadir}/doc/nikto
-	install -m 0644 docs/LICENSE.txt    ${D}${datadir}/doc/nikto
-	install -m 0644 docs/nikto.dtd    ${D}${datadir}/doc/nikto
-	install -m 0644 docs/nikto_manual.html    ${D}${datadir}/doc/nikto
-}
-
-RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
-                perl-module-getopt-long perl-module-time-local \
-                perl-module-io-socket perl-module-overloading \
-                perl-module-base perl-module-b perl-module-bytes \
-                nikto-doc"
diff --git a/meta-security/recipes-security/nikto/nikto_2.1.6.bb b/meta-security/recipes-security/nikto/nikto_2.1.6.bb
new file mode 100644
index 0000000..2d2c46c
--- /dev/null
+++ b/meta-security/recipes-security/nikto/nikto_2.1.6.bb
@@ -0,0 +1,118 @@
+SUMMARY = "web server scanner"
+DESCRIPTION = "Nikto is an Open Source web server scanner which performs comprehensive tests against web servers"
+SECTION = "security"
+HOMEPAGE = "https://cirt.net/Nikto2"
+
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
+SRC_URI = "git://github.com/sullo/nikto.git \
+           file://location.patch"
+
+S = "${WORKDIR}/git/program"
+
+do_install() {
+    install -d ${D}${bindir}
+    install -d ${D}${datadir}
+    install -d ${D}${datadir}/man/man1
+    install -d ${D}${datadir}/doc/nikto
+    install -d ${D}${sysconfdir}/nikto
+    install -d ${D}${sysconfdir}/nikto/databases
+    install -d ${D}${sysconfdir}/nikto/plugins
+    install -d ${D}${sysconfdir}/nikto/templates
+
+    install -m 0644 databases/db_404_strings    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_content_search    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_dictionary    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_dir_traversal    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_domino    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_drupal    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_embedded    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_favicon    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_headers    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_httpoptions    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_multiple_index    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_outdated    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_parked_strings    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_realms    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_server_msgs    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_tests    ${D}${sysconfdir}/nikto/databases
+    install -m 0644 databases/db_variables    ${D}${sysconfdir}/nikto/databases
+
+    install -m 0644 plugins/LW2.pm    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_apache_expect_xss.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_apacheusers.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_auth.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_cgi.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_clientaccesspolicy.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_content_search.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_cookies.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_core.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_dictionary_attack.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_dir_traversal.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_dishwasher.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_docker_registry.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_domino.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_drupal.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_embedded.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_favicon.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_fileops.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_headers.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_httpoptions.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_ms10_070.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_msgs.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_multiple_index.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_negotiate.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_origin_reflection.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_outdated.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_parked.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_paths.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_put_del_test.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_report_csv.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_report_html.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_report_json.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_report_nbe.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_report_sqlg.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_report_text.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_report_xml.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_robots.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_siebel.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_sitefiles.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_ssl.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_strutshock.plugin    ${D}${sysconfdir}/nikto/plugins
+    install -m 0644 plugins/nikto_tests.plugin    ${D}${sysconfdir}/nikto/plugins
+
+    install -m 0644 templates/htm_close.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/htm_end.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/htm_host_head.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/htm_host_im.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/htm_host_item.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/htm_start.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/htm_stop.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/htm_start.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/htm_summary.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/xml_end.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/xml_host_head.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/xml_host_im.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/xml_host_item.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/xml_start.tmpl    ${D}${sysconfdir}/nikto/templates
+    install -m 0644 templates/xml_summary.tmpl    ${D}${sysconfdir}/nikto/templates
+
+    install -m 0644 nikto.conf    ${D}${sysconfdir}
+
+    install -m 0755 nikto.pl    ${D}${bindir}/nikto
+    install -m 0644 replay.pl    ${D}${bindir}
+    install -m 0644 docs/nikto.1    ${D}${datadir}/man/man1
+
+    install -m 0644 docs/CHANGES.txt    ${D}${datadir}/doc/nikto
+    install -m 0644 docs/LICENSE.txt    ${D}${datadir}/doc/nikto
+    install -m 0644 docs/nikto.dtd    ${D}${datadir}/doc/nikto
+    install -m 0644 docs/nikto_manual.html    ${D}${datadir}/doc/nikto
+}
+
+RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
+    perl-module-getopt-long perl-module-time-local \
+    perl-module-io-socket perl-module-overloading \
+    perl-module-base perl-module-b perl-module-bytes"
+
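Review bot: The new recipe's `SRC_URI` no longer lists `file://CVE-2018-11652.patch`, which the removed nikto_2.1.5.bb applied, and nothing in this hunk shows that the pinned `SRCREV` already contains that fix. Please confirm the upstream fix is an ancestor of `f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79` and record it in a comment above `SRCREV`, for example `# CVE-2018-11652 fixed upstream before this revision, patch dropped`; otherwise keep the patch, rebased onto `program/`. Separately, the fetch uses the unauthenticated `git://` transport. The full commit hash pins the content, but `git://github.com/sullo/nikto.git;protocol=https` would also protect the fetch itself, and the same applies to the scapy `SRC_URI` in python-scapy.inc.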
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
index e847847..b8ab27d 100644
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -78,7 +78,7 @@
     python-scapy-ptest \
     suricata-ptest \
     tripwire-ptest \
-    python3-fail2ban-ptest \
+    python-fail2ban-ptest \
     ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
     ptest-runner \
diff --git a/meta-security/recipes-security/scapy/files/run-ptest b/meta-security/recipes-security/scapy/files/run-ptest
old mode 100755
new mode 100644
diff --git a/meta-security/recipes-security/scapy/python-scapy.inc b/meta-security/recipes-security/scapy/python-scapy.inc
index 5abe7db..99f30a7 100644
--- a/meta-security/recipes-security/scapy/python-scapy.inc
+++ b/meta-security/recipes-security/scapy/python-scapy.inc
@@ -5,16 +5,25 @@
 
 LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69"
 
-SRC_URI[md5sum] = "d7d3c4294f5a718e234775d38dbeb7ec"
-SRC_URI[sha256sum] = "452f714f5c2eac6fd0a6146b1dbddfc24dd5f4103f3ed76227995a488cfb2b73"
+S = "${WORKDIR}/git"
 
-inherit pypi ptest
+SRCREV = "bad14cb1a5aee29f8107fbe8ad008d4645f14da7"
+SRC_URI = "git://github.com/secdev/scapy.git"
+
+inherit ptest
+
+do_install_append() {
+    if [ "${PYTHON_PN}" = "python3" ]; then
+        sed -i -e 's/python/python3/' ${D}${bindir}/scapy
+        sed -i -e 's/python/python3/' ${D}${bindir}/UTscapy
+    fi
+}
 
 do_install_ptest() {
     install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH}
     sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest
 }
 
-RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-netclient  \
+RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient  \
                   ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \
                   ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto"
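Review bot: The two `sed -i -e 's/python/python3/'` calls in `do_install_append` are unanchored, so they rewrite the first `python` on every line of `${D}${bindir}/scapy` and `${D}${bindir}/UTscapy`, not only the line that selects the interpreter. They would also turn an existing `python3` into `python33`. Limit the substitution to that one line and make it idempotent, for instance `sed -i -e '1s,python$,python3,'` if the interpreter is named at the end of the first line, which should be checked against the installed scripts. `${PYTHON_PN}-pycrypto` also stays in `RDEPENDS_${PN}` next to the newly added `${PYTHON_PN}-cryptography`; if this scapy revision no longer imports it, dropping it avoids pulling an unmaintained crypto library into the image.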
diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb
similarity index 100%
rename from meta-security/recipes-security/scapy/python-scapy_2.4.0.bb
rename to meta-security/recipes-security/scapy/python-scapy_2.4.2.bb
diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb
similarity index 98%
rename from meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb
rename to meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb
index 93ca7be..83c79f4 100644
--- a/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb
+++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb
@@ -2,3 +2,4 @@
 require python-scapy.inc
 
 SRC_URI += "file://run-ptest"
+
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.3.bb b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
similarity index 80%
rename from meta-security/recipes-security/sssd/sssd_1.16.3.bb
rename to meta-security/recipes-security/sssd/sssd_1.16.4.bb
index 8f7f805..34bc8c8 100644
--- a/meta-security/recipes-security/sssd/sssd_1.16.3.bb
+++ b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
@@ -11,13 +11,16 @@
 SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
             file://sssd.conf "
 
-SRC_URI[md5sum] = "af4288c9d1f9953e3b3b6e0b165a5ece"
-SRC_URI[sha256sum] = "ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4"
+SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
+SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
 
-inherit autotools pkgconfig gettext update-rc.d python-dir distro_features_check
+inherit autotools pkgconfig gettext python-dir distro_features_check
 
 REQUIRED_DISTRO_FEATURES = "pam"
 
+SSSD_UID ?= "root"
+SSSD_GID ?= "root"
+
 CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
     ac_cv_path_NSUPDATE=${bindir} \
     ac_cv_path_PYTHON2=${PYTHON_DIR} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
@@ -25,6 +28,7 @@
 
 PACKAGECONFIG ?="nss nscd"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
 PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
 PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
@@ -55,6 +59,17 @@
     rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
     install -d ${D}/${sysconfdir}/${BPN}
     install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+
+    # Remove /var/run as it is created on startup
+    rm -rf ${D}${localstatedir}/run
+
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ -e /etc/init.d/populate-volatile.sh ] ; then
+    ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+    chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
 }
 
 CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
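Review bot: `pkg_postinst_ontarget_${PN}` tests the hard-coded path `/etc/init.d/populate-volatile.sh` but then runs `${sysconfdir}/init.d/populate-volatile.sh`; use the variable in both places, `if [ -e ${sysconfdir}/init.d/populate-volatile.sh ] ; then`. The `chown ${SSSD_UID}:${SSSD_GID}` on the mode-600 config file runs only at first boot, and nothing visible in this diff creates that account or passes it to configure. A non-root override could therefore fail on target or leave sssd.conf owned by an id the daemon does not run as. Setting the ownership in `do_install` (whose body starts outside this hunk) and adding a `useradd` inherit when the values are not `root` would give the packaged file the right owner from the start and remove the need for an on-target step.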
@@ -70,4 +85,4 @@
 # The package contains symlinks that trip up insane
 INSANE_SKIP_${PN} = "dev-so"
 
-RDEPENDS_${PN} += "bind dbus"
+RDEPENDS_${PN} = "bind dbus libldb libpam"
diff --git a/meta-security/recipes-security/suricata/suricata.inc b/meta-security/recipes-security/suricata/suricata.inc
deleted file mode 100644
index 1f42121..0000000
--- a/meta-security/recipes-security/suricata/suricata.inc
+++ /dev/null
@@ -1,9 +0,0 @@
-HOMEPAGE = "http://suricata-ids.org/"
-SECTION = "security Monitor/Admin"
-LICENSE = "GPLv2"
-
-VER = "4.0.5"
-SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-
-SRC_URI[md5sum] = "ea0cb823d6a86568152f75ade6de442f"
-SRC_URI[sha256sum] = "74dacb4359d57fbd3452e384eeeb1dd77b6ae00f02e9994ad5a7b461d5f4c6c2"
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb
similarity index 69%
rename from meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
rename to meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb
index 2dbbf33..eac8d6b 100644
--- a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
+++ b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb
@@ -5,7 +5,7 @@
     XML security standards "XML Digital Signature" and "XML Encryption". \
     "
 HOMEPAGE = "http://www.aleksey.com/xmlsec/"
-DEPENDS = "libtool libxml2 libxslt openssl zlib libgcrypt gnutls nss nspr libgpg-error"
+DEPENDS = "libtool libxml2 libxslt zlib"
 
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=352791d62092ea8104f085042de7f4d0"
@@ -20,17 +20,25 @@
     file://run-ptest \
     "
 
-SRC_URI[md5sum] = "9c4aaf9ff615a73921b9e3bf4988d878"
-SRC_URI[sha256sum] = "8d8276c9c720ca42a3b0023df8b7ae41a2d6c5f9aa8d20ed1672d84cc8982d50"
+SRC_URI[md5sum] = "508bee7e4f1b99f2d50aaa7d38ede56e"
+SRC_URI[sha256sum] = "97d756bad8e92588e6997d2227797eaa900d05e34a426829b149f65d87118eb6"
 
 inherit autotools-brokensep ptest pkgconfig
 
 CFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
 CPPFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
 
-EXTRA_OECONF = "\
-    --with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../.. \
-    "
+PACKAGECONFIG ??= "gnutls libgcrypt nss openssl des"
+PACKAGECONFIG[gnutls] = ",,gnutls"
+PACKAGECONFIG[libgcrypt] = ",,libgcrypt"
+PACKAGECONFIG[nss] = "--with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../..,,nss nspr"
+PACKAGECONFIG[openssl] = ",,openssl"
+PACKAGECONFIG[des] = ",--disable-des,,"
+
+# these can be dynamically loaded with xmlSecCryptoDLLoadLibrary()
+FILES_SOLIBSDEV = "${libdir}/libxmlsec1.so"
+FILES_${PN} += "${libdir}/libxmlsec1-*.so"
+INSANE_SKIP_${PN} = "dev-so"
 
 FILES_${PN}-dev += "${libdir}/xmlsec1Conf.sh"
 FILES_${PN}-dbg += "${PTEST_PATH}/.debug/*"
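Review bot: The `PACKAGECONFIG` entries for `gnutls`, `libgcrypt` and `openssl` have empty enable and disable fields, and `nss` has no disable field. Removing one of them from `PACKAGECONFIG` therefore only drops the build dependency and leaves configure to autodetect the backend from whatever is in the sysroot. For a signature and encryption library the set of crypto backends built in should be explicit and reproducible. Give each entry both flags, e.g. `PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls"`, after checking the option names against this version's configure script. The `-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3` flags are also still added when `nss` is not selected.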