meta-security: subtree update:b72cc7f87c..95fe86eb98
André Draszik (1):
linux-yocto: update the bbappend to 5.x
Armin Kuster (36):
README: add pull request option
sssd: drop py2 support
python3-fail2ban: update to latest
Apparmor: fix some runtime depends
linux-yocto-dev: remove "+"
checksecurity: fix runtime issues
buck-security: fix rdebends and minor style cleanup
swtpm: fix configure error
ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory
bastille: convert to py3
tpm2-tools: update to 4.1.1
tpm2-tcti-uefi: fix build issue for i386 machine
tpm2-tss: update to 2.3.2
ibmswtpm2: update to 1563
python3-fail2ban: add 2-3 conversion changes
google-authenticator-libpam: install module in pam location
apparmor: update to tip
clamav: add bison-native to depend
meta-security-isafw: import layer from Intel
isafw: fix to work against master
layer.conf: add zeus
README.md: update to new maintainer
clamav-native: missed bison fix
secuirty*-image: remove dead var and minor cleanup
libtpm: fix build issue over pod2man
sssd: python2 not supported
libseccomp: update to 2.4.3
lynis: add missing rdepends
fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog
chkrootkit: add rootkit recipe
clamav: move to recipes-scanners
checksec: move to recipe-scanners
checksecurity: move to recipes-scanners
buck-security: move to recipes-scanners
arpwatch: add new recipe
buck-security: fix runtime issue with missing per module
Bartosz Golaszewski (3):
linux: drop the bbappend for linux v4.x series
classes: provide a class for generating dm-verity meta-data images
dm-verity: add a working example for BeagleBone Black
Haseeb Ashraf (1):
samhain: dnmalloc hash fix for aarch64 and mips64
Jan Luebbe (2):
apparmor: fix wrong executable permission on service file
apparmor: update to 2.13.4
Jonatan Pålsson (10):
README: Add meta-python to list of layer deps
sssd: Add PACKAGECONFIG for python2
sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto
sssd: DEPEND on nss if nothing else is chosen
sssd: Sort PACKAGECONFIG entries
sssd: Add autofs PACKAGECONFIG
sssd: Add sudo PACKAGECONFIG
sssd: Add missing files to SYSTEMD_SERVICE
sssd: Add missing DEPENDS on jansson
sssd: Add infopipe PACKAGECONFIG
Kai Kang (1):
sssd: fix for ldblibdir and systemd etc
Martin Jansa (1):
layer.conf: update LAYERSERIES_COMPAT for dunfell
Mingli Yu (1):
linux-yocto: update the bbappend to 5.x
Pierre-Jean Texier via Lists.Yoctoproject.Org (1):
google-authenticator-libpam: upgrade 1.07 -> 1.08
Yi Zhao (5):
samhain: fix build with new version attr
scap-security-guide: fix xml parsing error when build remediation files
scap-security-guide: pass the correct schema file path to openscap-native
openscap-daemon: add missing runtime dependencies
samhain-server: add volatile file for systemd
Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/meta-security/meta-security-isfafw/classes/isafw.bbclass b/meta-security/meta-security-isfafw/classes/isafw.bbclass
new file mode 100644
index 0000000..146acdf
--- /dev/null
+++ b/meta-security/meta-security-isfafw/classes/isafw.bbclass
@@ -0,0 +1,318 @@
+# Security scanning class
+#
+# Based in part on buildhistory.bbclass which was in turn based on
+# testlab.bbclass and packagehistory.bbclass
+#
+# Copyright (C) 2011-2015 Intel Corporation
+# Copyright (C) 2007-2011 Koen Kooi <koen@openembedded.org>
+#
+
+LICENSE = "MIT"
+
+require conf/distro/include/distro_alias.inc
+
+ISAFW_WORKDIR = "${WORKDIR}/isafw"
+ISAFW_REPORTDIR ?= "${LOG_DIR}/isafw-report"
+ISAFW_LOGDIR ?= "${LOG_DIR}/isafw-logs"
+
+ISAFW_PLUGINS_WHITELIST ?= ""
+ISAFW_PLUGINS_BLACKLIST ?= ""
+
+ISAFW_LA_PLUGIN_IMAGE_WHITELIST ?= ""
+ISAFW_LA_PLUGIN_IMAGE_BLACKLIST ?= ""
+
+# First, code to handle scanning each recipe that goes into the build
+
+do_analysesource[nostamp] = "1"
+do_analysesource[cleandirs] = "${ISAFW_WORKDIR}"
+
+python do_analysesource() {
+ from isafw import isafw
+
+ imageSecurityAnalyser = isafw_init(isafw, d)
+
+ if not d.getVar('SRC_URI', True):
+ # Recipe didn't fetch any sources, nothing to do here I assume?
+ return
+
+ recipe = isafw.ISA_package()
+ recipe.name = d.getVar('BPN', True)
+ recipe.version = d.getVar('PV', True)
+ recipe.version = recipe.version.split('+git', 1)[0]
+
+ for p in d.getVar('PACKAGES', True).split():
+ license = str(d.getVar('LICENSE_' + p, True))
+ if license == "None":
+ license = d.getVar('LICENSE', True)
+ license = license.replace("(", "")
+ license = license.replace(")", "")
+ licenses = license.split()
+ while '|' in licenses:
+ licenses.remove('|')
+ while '&' in licenses:
+ licenses.remove('&')
+ for l in licenses:
+ recipe.licenses.append(p + ":" + canonical_license(d, l))
+
+ aliases = d.getVar('DISTRO_PN_ALIAS', True)
+ if aliases:
+ recipe.aliases = aliases.split()
+ faliases = []
+ for a in recipe.aliases:
+ if (a != "OSPDT") and (not (a.startswith("upstream="))):
+ faliases.append(a.split('=', 1)[-1])
+ # remove possible duplicates in pkg names
+ faliases = list(set(faliases))
+ recipe.aliases = faliases
+
+ for patch in src_patches(d):
+ _,_,local,_,_,_=bb.fetch.decodeurl(patch)
+ recipe.patch_files.append(os.path.basename(local))
+ if (not recipe.patch_files) :
+ recipe.patch_files.append("None")
+
+ # Pass the recipe object to the security framework
+ bb.debug(1, '%s: analyse sources' % (d.getVar('PN', True)))
+ imageSecurityAnalyser.process_package(recipe)
+
+ return
+}
+
+addtask do_analysesource before do_build
+
+# This task intended to be called after default task to process reports
+
+PR_ORIG_TASK := "${BB_DEFAULT_TASK}"
+addhandler process_reports_handler
+process_reports_handler[eventmask] = "bb.event.BuildCompleted"
+
+python process_reports_handler() {
+ from isafw import isafw
+
+ dd = d.createCopy()
+ target_sysroot = dd.expand("${STAGING_DIR}/${MACHINE}")
+ native_sysroot = dd.expand("${STAGING_DIR}/${BUILD_ARCH}")
+ staging_populate_sysroot_dir(target_sysroot, native_sysroot, True, dd)
+
+ dd.setVar("STAGING_DIR_NATIVE", native_sysroot)
+ savedenv = os.environ.copy()
+ os.environ["PATH"] = dd.getVar("PATH", True)
+
+ imageSecurityAnalyser = isafw_init(isafw, dd)
+ bb.debug(1, 'isafw: process reports')
+ imageSecurityAnalyser.process_report()
+
+ os.environ["PATH"] = savedenv["PATH"]
+}
+
+do_build[depends] += "cve-update-db-native:do_populate_cve_db ca-certificates-native:do_populate_sysroot"
+do_build[depends] += "python3-lxml-native:do_populate_sysroot"
+
+# These tasks are intended to be called directly by the user (e.g. bitbake -c)
+
+addtask do_analyse_sources after do_analysesource
+do_analyse_sources[doc] = "Produce ISAFW reports based on given package without building it"
+do_analyse_sources[nostamp] = "1"
+do_analyse_sources() {
+ :
+}
+
+addtask do_analyse_sources_all after do_analysesource
+do_analyse_sources_all[doc] = "Produce ISAFW reports for all packages in given target without building them"
+do_analyse_sources_all[recrdeptask] = "do_analyse_sources_all do_analysesource"
+do_analyse_sources_all[recideptask] = "do_${PR_ORIG_TASK}"
+do_analyse_sources_all[nostamp] = "1"
+do_analyse_sources_all() {
+ :
+}
+
+python() {
+ # We probably don't need to scan these
+ if bb.data.inherits_class('native', d) or \
+ bb.data.inherits_class('nativesdk', d) or \
+ bb.data.inherits_class('cross', d) or \
+ bb.data.inherits_class('crosssdk', d) or \
+ bb.data.inherits_class('cross-canadian', d) or \
+ bb.data.inherits_class('packagegroup', d) or \
+ bb.data.inherits_class('image', d):
+ bb.build.deltask('do_analysesource', d)
+}
+
+fakeroot python do_analyse_image() {
+
+ from isafw import isafw
+
+ imageSecurityAnalyser = isafw_init(isafw, d)
+
+ # Directory where the image's entire contents can be examined
+ rootfsdir = d.getVar('IMAGE_ROOTFS', True)
+
+ imagebasename = d.getVar('IMAGE_BASENAME', True)
+
+ kernelconf = d.getVar('STAGING_KERNEL_BUILDDIR', True) + "/.config"
+ if os.path.exists(kernelconf):
+ kernel = isafw.ISA_kernel()
+ kernel.img_name = imagebasename
+ kernel.path_to_config = kernelconf
+ bb.debug(1, 'do kernel conf analysis on %s' % kernelconf)
+ imageSecurityAnalyser.process_kernel(kernel)
+ else:
+ bb.debug(1, 'Kernel configuration file is missing. Not performing analysis on %s' % kernelconf)
+
+ pkglist = manifest2pkglist(d)
+
+ imagebasename = d.getVar('IMAGE_BASENAME', True)
+
+ if (pkglist):
+ pkg_list = isafw.ISA_pkg_list()
+ pkg_list.img_name = imagebasename
+ pkg_list.path_to_list = pkglist
+ bb.debug(1, 'do pkg list analysis on %s' % pkglist)
+ imageSecurityAnalyser.process_pkg_list(pkg_list)
+
+ fs = isafw.ISA_filesystem()
+ fs.img_name = imagebasename
+ fs.path_to_fs = rootfsdir
+
+ bb.debug(1, 'do image analysis on %s' % rootfsdir)
+ imageSecurityAnalyser.process_filesystem(fs)
+}
+
+do_rootfs[depends] += "checksec-native:do_populate_sysroot ca-certificates-native:do_populate_sysroot"
+do_rootfs[depends] += "prelink-native:do_populate_sysroot"
+do_rootfs[depends] += "python3-lxml-native:do_populate_sysroot"
+
+isafw_init[vardepsexclude] = "DATETIME"
+def isafw_init(isafw, d):
+ import re, errno
+
+ isafw_config = isafw.ISA_config()
+ # Override the builtin default in curl-native (used by cve-update-db-nativ)
+ # because that default is a path that may not be valid: when curl-native gets
+ # installed from sstate, we end up with the sysroot path as it was on the
+ # original build host, which is not necessarily the same path used now
+ # (see https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883).
+ #
+ # Can't use ${sysconfdir} here, it already includes ${STAGING_DIR_NATIVE}
+ # when the current recipe is native.
+ isafw_config.cacert = d.expand('${STAGING_DIR_NATIVE}/etc/ssl/certs/ca-certificates.crt')
+
+ bb.utils.export_proxies(d)
+
+ isafw_config.machine = d.getVar('MACHINE', True)
+ isafw_config.timestamp = d.getVar('DATETIME', True)
+ isafw_config.reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + isafw_config.timestamp
+ if not os.path.exists(os.path.dirname(isafw_config.reportdir + "/test")):
+ try:
+ os.makedirs(os.path.dirname(isafw_config.reportdir + "/test"))
+ except OSError as exc:
+ if exc.errno == errno.EEXIST and os.path.isdir(isafw_config.reportdir):
+ pass
+ else: raise
+ isafw_config.logdir = d.getVar('ISAFW_LOGDIR', True)
+ # Adding support for arm
+ # TODO: Add support for other platforms
+ isafw_config.arch = d.getVar('TARGET_ARCH', True)
+ if ( isafw_config.arch != "arm" ):
+ isafw_config.arch = "x86"
+
+ whitelist = d.getVar('ISAFW_PLUGINS_WHITELIST', True)
+ blacklist = d.getVar('ISAFW_PLUGINS_BLACKLIST', True)
+ if whitelist:
+ isafw_config.plugin_whitelist = re.split(r'[,\s]*', whitelist)
+ if blacklist:
+ isafw_config.plugin_blacklist = re.split(r'[,\s]*', blacklist)
+
+ la_image_whitelist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_WHITELIST', True)
+ la_image_blacklist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_BLACKLIST', True)
+ if la_image_whitelist:
+ isafw_config.la_plugin_image_whitelist = re.split(r'[,\s]*', la_image_whitelist)
+ if la_image_blacklist:
+ isafw_config.la_plugin_image_blacklist = re.split(r'[,\s]*', la_image_blacklist)
+
+ return isafw.ISA(isafw_config)
+
+# based on toaster.bbclass _toaster_load_pkgdatafile function
+def binary2source(dirpath, filepath):
+ import re
+ originPkg = ""
+ with open(os.path.join(dirpath, filepath), "r") as fin:
+ for line in fin:
+ try:
+ kn, kv = line.strip().split(": ", 1)
+ m = re.match(r"^PKG_([^A-Z:]*)", kn)
+ if m:
+ originPkg = str(m.group(1))
+ except ValueError:
+ pass # ignore lines without valid key: value pairs:
+ if not originPkg:
+ originPkg = "UNKNOWN"
+ return originPkg
+
+manifest2pkglist[vardepsexclude] = "DATETIME"
+def manifest2pkglist(d):
+ import glob
+
+ manifest_file = d.getVar('IMAGE_MANIFEST', True)
+ imagebasename = d.getVar('IMAGE_BASENAME', True)
+ reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + d.getVar('DATETIME', True)
+ pkgdata_dir = d.getVar("PKGDATA_DIR", True)
+ rr_dir = "%s/runtime-reverse/" % pkgdata_dir
+ pkglist = reportdir + "/pkglist"
+
+ with open(pkglist, 'a') as foutput:
+ foutput.write("Packages for image " + imagebasename + "\n")
+ try:
+ with open(manifest_file, 'r') as finput:
+ for line in finput:
+ items = line.split()
+ if items and (len(items) >= 3):
+ pkgnames = map(os.path.basename, glob.glob(os.path.join(rr_dir, items[0])))
+ for pkgname in pkgnames:
+ originPkg = binary2source(rr_dir, pkgname)
+ version = items[2]
+ if not version:
+ version = "undetermined"
+ foutput.write(pkgname + " " + version + " " + originPkg + "\n")
+ except IOError:
+ bb.debug(1, 'isafw: manifest file not found. Skip pkg list analysis')
+ return "";
+
+
+ return pkglist
+
+# NOTE: by the time IMAGE_POSTPROCESS_COMMAND items are called, the image
+# has been stripped of the package manager database (if runtime package management
+# is not enabled, i.e. 'package-management' is not in IMAGE_FEATURES). If you
+# do want to be using the package manager to operate on the image contents, you'll
+# need to call your function from ROOTFS_POSTINSTALL_COMMAND or
+# ROOTFS_POSTUNINSTALL_COMMAND instead - however if you do that you should then be
+# aware that what you'll be looking at isn't exactly what you will see in the image
+# at runtime (there will be other postprocessing functions called after yours).
+#
+# do_analyse_image does not need the package manager database. Making it
+# a separate task instead of a IMAGE_POSTPROCESS_COMMAND has several
+# advantages:
+# - all other image commands are guaranteed to have completed
+# - it can run in parallel to other tasks which depend on the complete
+# image, instead of blocking those other tasks
+# - meta-swupd helper images do not need to be analysed and won't be
+# because nothing depends on their "do_build" task, only on
+# do_image_complete
+python () {
+ if bb.data.inherits_class('image', d):
+ bb.build.addtask('do_analyse_image', 'do_build', 'do_image_complete', d)
+}
+
+python isafwreport_handler () {
+
+ import shutil
+
+ logdir = e.data.getVar('ISAFW_LOGDIR', True)
+ if os.path.exists(os.path.dirname(logdir+"/test")):
+ shutil.rmtree(logdir)
+ os.makedirs(os.path.dirname(logdir+"/test"))
+
+}
+addhandler isafwreport_handler
+isafwreport_handler[eventmask] = "bb.event.BuildStarted"