subtree updates
meta-arm: 3fcafa3a94..d6fac49541:
Abdellatif El Khlifi (1):
arm-bsp/u-boot: corstone1000: upgrade NVMXIP support
Denys Dmytriyenko (1):
optee-os: do not explicitly set CFG_MAP_EXT_DT_SECURE=y
Emekcan Aras (8):
arm-bsp/u-boot: corstone1000: Fix EFI multiple protocol install failure
arm-bsp/u-boot: corstone1000: Enable EFI set/get time services
arm-bsp/trusted-services: corstone1000: GetNextVariableName Fix
arm-bsp/optee-os:corstone1000: Drop SPMC non secure interrupt patches
arm-bsp/u-boot: corstone1000: Fix u-boot compilation warnings
arm-bsp/trusted-services: corstone1000: Fix PSA_RAW_KEY agreement test
arm-bsp/trusted-services: corstone1000: Fix Capsule Update
arm-bsp/trusted-firmware-a: corstone1000: Fix Trusted-Firmware-A version for corstone1000
Jon Mason (3):
trusted-firmware-a: update to the latest TF-A LTS
arm-bsp/tc1: update to use the latest tf-a
arm/scp-firmware: update to v2.12.0
Khem Raj (2):
gn: update to latest
gn: Fix build with gcc13
Ross Burton (8):
arm/trusted-firmware-m: remove -fcanon-prefix-map from DEBUG_PREFIX_MAP
arm-bsp/external-system: remove -fcanon-prefix-map from DEBUG_PREFIX_MAP
arm-toolchain/external-arm: remove -fcanon-prefix-map from DEBUG_PREFIX_MAP
arm/scp-firmware: use concerete toolchain
arm-toolchain/gcc-arm-12.2: remove
arm/gn: fix build with GCC <13
CI: always put the build logs in an artifact
CI: print the name of the documentation when building
Sumit Garg (1):
external-arm-toolchain: Enforce absolute path check
meta-openembedded: def4759e95..2638d458a5:
Adrian Zaharia (2):
meta-python: Add stopit
python3-stopit: add missing run-time dependencies
Alex Kiernan (1):
ostree: Upgrade 2023.3 -> 2023.4
Bartosz Golaszewski (55):
python3-pywbemtools: remove build-time dependencies
python3-pywbem: drop unneeded class from RDEPENDS
python3-pywbem: don't use PYTHON_PN
python3-pywbem: order RDEPENDS alphabetically
python3-pywbem: add missing run-time dependencies
python3-padatious: add missing run-time dependencies
python3-pako: add missing run-time dependencies
python3-paramiko: stop using PYTHON_PN
python3-paramiko: add missing run-time dependencies
python3-path: fix coding style
python3-path: add missing run-time dependencies
python3-ecdsa: don't install tests
python3-et-xmlfile: fix coding style
python3-et-xmlfile: add missing run-time dependencies
python3-flask-user: fix coding style
python3-flask-user: add missing run-time dependencies
python3-isort: fix coding style
python3-isort: add missing run-time dependencies
python3-isodate: stop using PYTHON_PN
python3-isodate: add missing run-time dependencies
python-idna-ssl: add missing run-time dependencies
python3-hpack: add missing run-time dependencies
python3-h11: add missing run-time dependencies
python3-gsocketpool: drop unneeded DEPENDS
python3-gsocketpool: stop using PYTHON_PN
python3-gsocketpool: add missing run-time dependencies
python3-flask-mail: stop using PYTHON_PN
python3-flask-mail: add missing run-time dependencies
python3-flask-sijax: stop using PYTHON_PN
python3-flask-sijax: add missing run-time dependencies
python3-flask-script: remove recipe
python3-aioserial: fix coding style
python3-aioserial: add missing run-time dependencies
python3-aspectlib: add missing run-time dependencies
python3-asyncio-throttle: add missing run-time dependencies
python3-attrdict3: add missing run-time dependencies
python3-betamax: add missing run-time dependencies
python3-binwalk: add missing run-time dependencies
python3-can: fix coding style
python3-can: add missing run-time dependencies
python3-click-spinner: add missing run-time dependencies
python3-colorlog: add missing run-time dependencies
python3-colorzero: add missing run-time dependencies
python3-configobj: fix coding style
python3-configobj: add missing run-time dependencies
python3-configshell-fb: add missing run-time dependencies
python3-coverage: fix coding style and RDEPENDS
python3-custom-inherit: add missing run-time dependencies
python3-dateparser: fix coding style
python3-dateparser: add missing run-time dependencies
python3-tzlocal: fix coding style
python3-tzlocal: add missing run-time dependencies
python3-dbus-next: add missing run-time dependencies
python3-defusedxml: add missing run-time dependencies
python3-setuptools-scm-git-archive: add missing run-time dependencies
Beniamin Sandu (5):
lmsensors: do not pull in unneeded perl modules for run-time dependencies
mdns: remove unneeded headers
mbedtls: add support for v3.x
rasdaemon: upgrade to 0.8.0
unbound: add option to build with libevent
Chen Qi (1):
redis: use the files path correctly
Denys Dmytriyenko (1):
grpc: point to the native protobuf compiler binary
Enguerrand de Ribaucourt (4):
cukinia: remove trailing whitespaces
cukinia: upgrade 0.6.1 -> 0.6.2
cukinia: inherit allarch
cukinia: add libgpiod-tools to RRECOMMENDS
Etienne Cordonnier (1):
uutils-coreutils: upgrade 0.0.18 -> 0.0.19
Joe Slater (2):
libgpiod: modify test 'gpioset: toggle (continuous)'
python3-sqlparse: fix CVE-2023-30608
Johannes Kauffmann (3):
open62541: add multithreading PACKAGECONFIG option
open62541: allow disabling subscriptions
ntpd: switch service type from forking to simple
Khem Raj (16):
ply: Demand BFD linker explicitly
crucible: Upgrade to 2023.04.12 release
schroedinger: Fix building tests
fwts: Fix build issues found with lld linker
xfce4-sensors-plugin: Use bfd linker instead of lld
ostree: Fix build errors found with lld linker
spice-gtk: Fix build with lld linker
sblim-sfcb: Fix build with lld linker
libtracefs: Fix build with clang+musl
gosu: Upgrade to 1.16 release
layers: Move READMEs to markdown format
xdg-desktop-portal-wlr: Fix build with older mesa
geary: Fix build with vala >= 0.56.8
libforms: Replace hardcoded dep on mesa with virtual/libgl
syzkaller: Upgrade to latest tip of trunk
ristretto: Upgrade to 0.13.1 release
Markus Volk (1):
gnome-software: upgrade 44.1 -> 44.2
Martin Jansa (5):
asio: fix malformed Upstream-Status
libgpiod: fix malformed Upstream-Status
postfix: fix malformed Upstream-Status
*.patch: add Upstream-Status to all patches
postfix: remove 2nd Upstream-Status
Michael Heimpold (1):
php: drop explicite ARM_INSTRUCTION_SET
Patrick Williams (1):
libplist_2.3.0: compile fix for version
Peter Kjellerstedt (1):
glog: Correct the packaging of /usr/share/glog/cmake/FindUnwind.cmake
Peter Marko (1):
python3-stopit: fix override syntax
Randolph Sapp (1):
opengl-es-cts: 3.2.8.0 -> 3.2.9.3
Remi Peuvergne (2):
zeromq: consider license exception over LGPL-3.0
zeromq: consider license exception over LGPL-3.0
Sandeep Gundlupet Raju (1):
opencv: Revert fix runtime dependencies
Soumya (1):
opencv: Fix for CVE-2023-2617
Wang Mingyu (57):
ctags: upgrade 6.0.20230604.0 -> 6.0.20230611.0
gjs: upgrade 1.76.0 -> 1.76.1
ipcalc: upgrade 1.0.2 -> 1.0.3
libadwaita: upgrade 1.3.2 -> 1.3.3
libjcat: upgrade 0.1.13 -> 0.1.14
libqb: upgrade 2.0.6 -> 2.0.7
mbpoll: upgrade 1.5.0 -> 1.5.2
mpich: upgrade 4.1.1 -> 4.1.2
nautilus: upgrade 44.2 -> 44.2.1
ntp: upgrade 4.2.8p16 -> 4.2.8p17
python3-eth-account: upgrade 0.8.0 -> 0.9.0
python3-eth-hash: upgrade 0.5.1 -> 0.5.2
python3-eth-typing: upgrade 3.3.0 -> 3.4.0
python3-eth-utils: upgrade 2.1.0 -> 2.1.1
python3-platformdirs: upgrade 3.5.1 -> 3.5.3
pcsc-lite: upgrade 1.9.9 -> 2.0.0
php: upgrade 8.2.6 -> 8.2.7
python3-argcomplete: upgrade 3.0.8 -> 3.1.0
python3-autobahn: upgrade 23.1.2 -> 23.6.1
python3-cassandra-driver: upgrade 3.27.0 -> 3.28.0
python3-cmake: upgrade 3.26.3 -> 3.26.4
python3-django: upgrade 4.2.1 -> 4.2.2
python3-hexbytes: upgrade 0.3.0 -> 0.3.1
python3-imageio: upgrade 2.30.0 -> 2.31.0
python3-pykickstart: upgrade 3.47 -> 3.48
python3-pymisp: upgrade 2.4.171 -> 2.4.172
python3-pymodbus: upgrade 3.3.0 -> 3.3.1
python3-sentry-sdk: upgrade 1.25.0 -> 1.25.1
python3-websocket-client: upgrade 1.5.2 -> 1.5.3
python3-zeroconf: upgrade 0.63.0 -> 0.64.1
remmina: upgrade 1.4.30 -> 1.4.31
tio: upgrade 2.5 -> 2.6
libtracefs: upgrade 1.6.4 -> 1.7.0
adw-gtk3: upgrade 4.7 -> 4.8
evince: upgrade 44.1 -> 44.2
gensio: upgrade 2.6.5 -> 2.6.6
redis-plus-plus: upgrade 1.3.8 -> 1.3.9
python3-click-repl: upgrade 0.2.0 -> 0.3.0
python3-platformdirs: upgrade 3.5.3 -> 3.6.0
python3-pytest-mock: upgrade 3.10.0 -> 3.11.1
python3-croniter: upgrade 1.3.15 -> 1.4.1
python3-elementpath: upgrade 4.1.2 -> 4.1.3
python3-google-api-core: upgrade 2.11.0 -> 2.11.1
python3-google-api-python-client: upgrade 2.88.0 -> 2.89.0
python3-googleapis-common-protos: upgrade 1.59.0 -> 1.59.1
python3-google-auth: upgrade 2.19.1 -> 2.20.0
python3-imageio: upgrade 2.31.0 -> 2.31.1
python3-protobuf: upgrade 4.23.2 -> 4.23.3
python3-pyproj: upgrade 3.5.0 -> 3.6.0
python3-rich: upgrade 13.4.1 -> 13.4.2
python3-robotframework: upgrade 6.0.2 -> 6.1
python3-ujson: upgrade 5.7.0 -> 5.8.0
python3-xmlschema: upgrade 2.3.0 -> 2.3.1
python3-xmodem: upgrade 0.4.6 -> 0.4.7
python3-zeroconf: upgrade 0.64.1 -> 0.68.0
strongswan: upgrade 5.9.10 -> 5.9.11
rdfind: upgrade 1.5.0 -> 1.6.0
Xiangyu Chen (1):
meta-oe: add pahole to NON_MULTILIB_RECIPES
Zoltán Böszörményi (3):
mpich: Upgrade to 4.1.1
python3-meson-python: New recipe
python_mesonpy: New class
poky: 00f3d58064..13b646c0e1:
Adrian Freihofer (9):
runqemu-ifup: remove uid parameter
runqemu-ifup: configurable tap names
runqemu-ifup: fix tap index
runqemu-ifup: remove only our taps
runqemu-gen-tapdevs: remove staging dir parameter
runqemu-gen-tapdevs: remove uid parameter
runqemu-gen-tapdevs: configurable tap names
runqemu-gen-tapdevs: remove only our taps
runqemu: configurable tap names
Alberto Planas (2):
bitbake.conf: add unzstd in HOSTTOOLS
rpm2cpio.sh: update to the last 4.x version
Alejandro Hernandez Samaniego (2):
baremetal-helloworld: Update SRCREV to fix entry addresses for ARM architectures
runqemu: Stop passing bindir to the runqemu-ifup call
Alex Kiernan (1):
eudev: Upgrade 3.2.11 -> 3.2.12
Alexander Kanavin (60):
scripts/runqemu: split lock dir creation into a reusable function
scripts/runqemu: allocate unfsd ports in a way that doesn't race or clash with unrelated processes
apmd: remove recipe and apm MACHINE_FEATURE
qemu: a pending patch was submitted and accepted upstream
maintainers.inc: unassign Adrian Bunk from wireless-regdb
maintainers.inc: unassign Alistair Francis from opensbi
maintainers.inc: unassign Chase Qi from libc-test
maintainers.inc: unassign Oleksandr Kravchuk from python3 and all other items
maintainers.inc: unassign Ricardo Neri from ovmf
grub: submit determinism.patch upstream
apr: upgrade 1.7.3 -> 1.7.4
at-spi2-core: upgrade 2.48.0 -> 2.48.3
btrfs-tools: upgrade 6.3 -> 6.3.1
attr: package /etc/xattr.conf with the library that consumes it
glib-2.0: backport a patch to address ptest fails caused by coreutils 9.2+
diffoscope: upgrade 236 -> 242
dnf: upgrade 4.14.0 -> 4.16.1
ethtool: upgrade 6.2 -> 6.3
gawk: upgrade 5.2.1 -> 5.2.2
strace: upgrade 6.2 -> 6.3
coreutils: upgrade 9.1 -> 9.3
gnupg: upgrade 2.4.0 -> 2.4.2
gobject-introspection: upgrade 1.74.0 -> 1.76.1
kmscube: upgrade to latest revision
libmodulemd: upgrade 2.14.0 -> 2.15.0
libuv: license file was split in two in the 1.45.0 version update
libx11: upgrade 1.8.4 -> 1.8.5
libxslt: upgrade 1.1.37 -> 1.1.38
linux-firmware: upgrade 20230404 -> 20230515
ltp: upgrade 20230127 -> 20230516
mesa: upgrade 23.0.3 -> 23.1.1
meson: upgrade 1.1.0 -> 1.1.1
mmc-utils: upgrade to latest revision
nettle: upgrade 3.8.1 -> 3.9
nghttp2: upgrade 1.52.0 -> 1.53.0
parted: upgrade 3.5 -> 3.6
puzzles: upgrade to latest revision
python3: upgrade 3.11.2 -> 3.11.3
python3-certifi: upgrade 2022.12.7 -> 2023.5.7
python3-docutils: upgrade 0.19 -> 0.20.1
python3-flit-core: upgrade 3.8.0 -> 3.9.0
python3-importlib-metadata: upgrade 6.2.0 -> 6.6.0
python3-pyasn1: upgrade 0.4.8 -> 0.5.0
python3-pyopenssl: upgrade 23.1.1 -> 23.2.0
python3-sphinx: remove BSD-3-Clause from LICENSE
serf: upgrade 1.3.9 -> 1.3.10
shaderc: upgrade 2023.2 -> 2023.4
squashfs-tools: upgrade 4.5.1 -> 4.6.1
vala: upgrade 0.56.6 -> 0.56.8
vulkan: upgrade 1.3.243.0 -> 1.3.250.0
wget: upgrade 1.21.3 -> 1.21.4
wireless-regdb: upgrade 2023.02.13 -> 2023.05.03
xf86-input-libinput: upgrade 1.2.1 -> 1.3.0
xf86-input-mouse: upgrade 1.9.4 -> 1.9.5
zstd: upgrade 1.5.4 -> 1.5.5
gdb: upgrade 13.1 -> 13.2
libxcrypt: upgrade 4.4.33 -> 4.4.34
zstd: fix a reproducibility issue in 1.5.5
sysfsutils: fetch a supported fork from github
sysfsutils: update 2.1.0 -> 2.1.1
Alexandre Belloni (1):
base-passwd: fix patchreview warning
Alexis Lothoré (3):
oeqa/core/runner: add helper to know about expected failures
oeqa/target/ssh: update options for SCP
testimage: implement test artifacts retriever for failing tests
Anuj Mittal (1):
glib-2.0: upgrade 2.76.2 -> 2.76.3
BELOUARGA Mohamed (1):
meta: lib: oe: npm_registry: Add more safe caracters
Bruce Ashfield (4):
linux-yocto/6.1: update to v6.1.33
linux-yocto/6.1: fix intermittent x86 boot hangs
linux-yocto/6.1: update to v6.1.34
linux-yocto/6.1: update to v6.1.35
Charlie Wu (1):
devtool: Fix the wrong variable in srcuri_entry
Chen Qi (7):
sdk.py: error out when moving file fails
sdk.py: fix moving dnf contents
rpm: write macros under libdir
zip: fix configure check by using _Static_assert
zip: remove unnecessary LARGE_FILE_SUPPORT CLFAGS
unzip: fix configure check for cross compilation
unzip: remove hardcoded LARGE_FILE_SUPPORT
Denys Dmytriyenko (1):
binutils: move packaging of gprofng static lib into common .inc
Ed Beroset (1):
Add clarification for SRCREV
Fabien Mahot (2):
useradd-example: package typo correction
oeqa/selftest/bbtests: add non-existent prefile/postfile tests
Hannu Lounento (1):
profile-manual: fix blktrace remote usage instructions
Ian Ray (1):
systemd-systemctl: support instance expansion in WantedBy
Jermain Horsman (1):
logrotate: Do not create logrotate.status file
Jose Quaresma (1):
selftest/reproducible: Allow chose the package manager
Jörg Sommer (2):
runqemu-gen-tapdevs: Refactoring
runqemu-ifupdown/get-tapdevs: Add support for ip tuntap
Khem Raj (12):
llvm: Upgrade to 16.0.5
glibc: Pass linker choice via compiler flags
libgcc: Always use BFD linker
efivar: Upgrade to tip of trunk
babeltrace2: Always use BFD linker when building tests with ld-is-lld distro feature
parted: Add missing libuuid to linker cmdline for libparted-fs-resize.so
kernel: Add kernel specific STRIP variable
libxml2: Do not use lld linker when building with tests on rv64
llvm: Bump to 16.0.6
go-helloworld: Upgrade to tip of trunk
rpcsvc-proto: Upgrade to 1.4.4
python3-bcrypt: Use BFD linker when building tests
Louis Rannou (3):
rootfs-postcommands: change sysusers.d command
systemd: replace the sysusers.d basic configuration
base-passwd: add the wheel group
Luca Ceresoli (1):
ref-manual: classes: devicetree: fix sentence saying the same thing twice
Markus Volk (2):
gtk4: upgrade 4.10.3 -> 4.10.4
gstreamer1.0-plugins-bad: use oneVPL instead of intel-mediasdk for msdk
Martin Jansa (1):
libstd-rs, rust: use bfd linker instead of gold
Michael Opdenacker (5):
psplash: replace Yocto .h by .png splashscreen
migration-guides: release-notes-4.3: update documentation notes
bitbake: bitbake-user-manual: explicit variables taking a colon separated list
bitbake: bitbake-user-manual: revert change about PREFERRED_PROVIDERS
ref-manual: variables.rst: explicit variables accepting colon separated lists
Mikko Rapeli (4):
useradd-staticids.bbclass: improve error message
selftest reproducible.py: support different build targets
variables.rst: document OEQA_REPRODUCIBLE_TEST_TARGET and OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS
reproducible-builds.rst: document OEQA_REPRODUCIBLE_TEST_TARGET and OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS
Ming Liu (2):
weston-init: introduce xwayland PACKAGECONFIG
meta: introduce KCONFIG_CONFIG_ENABLE_MENUCONFIG
Mingli Yu (2):
qemu: Split the qemu package
u-boot-tools: Use PATH_MAX for path length
Petr Gotthard (1):
lighttpd: upgrade 1.4.69 -> 1.4.71
Quentin Schulz (5):
bitbake: docs: bitbake-user-manual: bitbake-user-manual-hello: add links and highlights for variables
docs: bsp-guide: bsp: fix typo
docs: ref-manual: terms: fix typos in SPDX term
docs: fix unnecessary double white space
docs: ref-manual: terms: fix incorrect note directive
Randolph Sapp (6):
weston-init: make sure the render group exists
weston-init: add weston user to the render group
weston-init: add the weston user to the wayland group
weston-init: fix the mixed indentation
weston-init: guard against systemd configs
weston-init: add profile to point users to global socket
Remi Peuvergne (1):
common-licenses: Add LGPL-3.0-with-zeromq-exception
Richard Purdie (18):
runqemu/qemu-helper: Drop tunctl
runqemu-if*: Rename confusing variable name
oeqa/selftest/oescripts: Fix qemu-helper selftest
oeqa/logparser: Fix ptest No-section exception
strace: Disable failing test
strace: Merge two similar patches
testimage: Only note missing target directories, don't warn
ptest-runner: Pull in sync fix to improve log warnings
scripts/runqemu-ifup: Fix extra parameter issue
scripts/runqemu-ifup: Fix 10 or more tap devices
bitbake: runqueue: Fix handling of virtual files in layername calculation
ptest-runner: Ensure data writes don't race
bitbake.conf: Add layer-<layername> override support
insane: Improve patch-status layer filtering
genericx86: Drop gma500-gfx-check
bitbake: doc: Document FILE_LAYERNAME
migration-guides: add notes on FILE_LAYERNAME
migration-guides: add notes on systemd/usrmerge changes
Ross Burton (15):
nettle: rewrite ptest integration
nettle: inherit lib_package
cve-extra-exclusions: add more ignores for 2023 kernel CVEs
cve-extra-exclusions: remove 2019 blanket ignores
poky-altconfig: enable usrmerge DISTRO_FEATURE
gi-docgen: correct comment
gobject-introspection: remove obsolete DEPENDS
coreutils: fix build when the host has fr_FR.
cve-extra-exclusions: call out an Ubuntu-specific issue explicitly
cve-extra-exclusions: CVE-2023-3141 was backported in Linux 6.1.30
erofs-utils: backport fixes for CVE-2023-33551 and CVE-2023-33552
ghostscript: mostly rewrite recipe
python3-dbusmock: only recommend python3-pygobject
sysfsutils: don't install to base_libdir
base: improve LICENSE_FLAGS_DETAILS output
Sakib Sajal (1):
go: Upgrade 1.20.4 -> 1.20.5
Soumya (1):
perl: fix CVE-2023-31484
Stefano Babic (2):
libubootenv: upgrade 0.3.3 -> 0.3.4
mtd-utils: export headers and libraries for MTD and UBI
Sudip Mukherjee (2):
dpkg: upgrade to v1.21.22
cmake: upgrade to v3.26.4
Tan Wen Yan (1):
linux-yocto/6.1: update genericx86* machines to v6.1.30
Tom Hochstein (1):
weston: Cleanup and fix x11 and xwayland dependencies
Trevor Gamblin (2):
runqemu-gen-tapdevs: fix missing variable quote
glib-networking: use correct error code in ptest
Vincent Davis Jr (4):
spirv-tools: fix INTERFACE_LINK_LIBRARIES cmake prop
vulkan-validation-layers: add new recipe v1.3.243.0
spirv-tools: Use baselib instead of base_libdir
vulkan-validation-layers: cleanup recipe
Xiangyu Chen (1):
dbus: upgrade 1.14.6 -> 1.14.8
nikhil (1):
libwebp: Fix CVE-2023-1999
schitrod=cisco.com@lists.openembedded.org (1):
cups: Fix CVE-2023-32324
meta-security: 180dac9aec..405cca4028:
Ahmed Abdelfattah (1):
swtpm: fix parser error when using USERADDEXTENSION="useradd-staticids"
Armin Kuster (25):
scap-security-guide: update to 0.1.67
scap-security-guide: update to tip
scap-security-guide_git: drop oe version
openscap-daemon: This is now obsolete
oe-scap: Not maintained nor upstreamed
openscap: Fix native build missing depends
openscap: Drop OE specific recipe
lynis: move to main meta-security layer
openscap: move to main meta-security layer
meta-security-compliance: remove layer
openscap: add support for OpenEmbedded nodistro and Poky
scap-security-guide: add OE support
packagegroup-core-security: add compliance pkg group
kas: ci changes do to meta-security-compliance being removed
meta-security-isafw: drop layer isafw project archived
openscap: Update to tip to get OE/Poky support
scap-security-guide: bump the number of test that pass
clamav: drop unused patch
isic: fine tune Upstream-Status
scap-security-guide: Add Poky
arpwatch: Fix typo in COMPATIBLE_HOST:libc-musl = "null"
scap-security-guide: add Upstream-Status
scap-security-guide: Does not build for musl
openscap: update to 1.3.8
packagegroup-core-security: add os-release
Chen Qi (1):
complicance/isafw: remove oeqa addpylib
Kevin Hao (1):
dmverity: Suppress the realpath errors
Martin Jansa (5):
*.patch: add Upstream-Status to all patches
meta-tpm: *.patch: fix malformed Upstream-Status lines
dynamic-layers: *.patch: fix malformed and missing Upstream-Status lines
*.patch: fix malformed Upstream-Status and SOB lines
.patch: remove probably unused patches
Paul Gortmaker (7):
dm-verity: add descriptive strings for "wic list images"
dm-verity: restructure the veritysetup arg parsing
dm-verity: save veritysetup args beside runtime environment
dm-verity: add support for hash storage on separate partition
dm-verity: add wks.in fragment with dynamic build hash data
dm-verity: hook separate hash into initramfs framework
dm-verity: add sample systemd separate hash example and doc
Samantha Jalabert (1):
buck-security: fix missing dependencies to perl modules
meta-raspberrypi: 8e07f0d328..dff85b9a9f:
Khem Raj (1):
linux-raspberrypi-6.1: Update to 6.1.34 release
Martin Jansa (1):
*.patch: add Upstream-Status to all patches
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: If34dfa008a81d778c7bc02627388238f5125d85c
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index a4137cb..1e82a87 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -52,7 +52,6 @@
extends: .base
script:
- kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal"
- - kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml
- kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml
qemux86-musl:
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass
index d809985..045c860 100644
--- a/meta-security/classes/dm-verity-img.bbclass
+++ b/meta-security/classes/dm-verity-img.bbclass
@@ -10,11 +10,22 @@
# assure data integrity, the root hash must be stored in a trusted location
# or cryptographically signed and verified.
#
+# Optionally, we can store the hash data on a separate device or partition
+# for improved compartmentalization and ease of use/deployment.
+#
# Usage:
# DM_VERITY_IMAGE = "core-image-full-cmdline" # or other image
# DM_VERITY_IMAGE_TYPE = "ext4" # or ext2, ext3 & btrfs
+# DM_VERITY_SEPARATE_HASH = "1" # optional; store hash on separate dev
# IMAGE_CLASSES += "dm-verity-img"
#
+# Using the GPT UUIDs specified in the standard can also be useful in that
+# they are displayed and translated in cfdisk output.
+#
+# DM_VERITY_ROOT_GUID = <UUID for your architecture and root-fs>
+# DM_VERITY_RHASH_GUID = <UUID for your architecture and verity-hash>
+# https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+
# The resulting image can then be used to implement the device mapper block
# integrity checking on the target device.
@@ -28,13 +39,23 @@
# Define the hash block size to use in veritysetup.
DM_VERITY_IMAGE_HASH_BLOCK_SIZE ?= "4096"
+# Should we store the hash data on a separate device/partition?
+DM_VERITY_SEPARATE_HASH ?= "0"
+
+# These are arch specific. We could probably intelligently auto-assign these?
+# Take x86-64 values as defaults. No impact on functionality currently.
+# See SD_GPT_ROOT_X86_64 and SD_GPT_ROOT_X86_64_VERITY in the spec.
+# Note - these are passed directly to sgdisk so hyphens needed.
+DM_VERITY_ROOT_GUID ?= "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
+DM_VERITY_RHASH_GUID ?= "2c7357ed-ebd2-46d9-aec1-23d437ec2bf5"
+
# Process the output from veritysetup and generate the corresponding .env
# file. The output from veritysetup is not very machine-friendly so we need to
# convert it to some better format. Let's drop the first line (doesn't contain
# any useful info) and feed the rest to a script.
process_verity() {
local ENV="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env"
- install -d ${STAGING_VERITY_DIR}
+ local WKS_INC="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.wks.in"
rm -f $ENV
# Each line contains a key and a value string delimited by ':'. Read the
@@ -51,6 +72,43 @@
# Add partition size
echo "DATA_SIZE=$SIZE" >> $ENV
+
+ # Add whether we are storing the hash data separately
+ echo "SEPARATE_HASH=${DM_VERITY_SEPARATE_HASH}" >> $ENV
+
+ # Configured for single partition use of veritysetup? OK, we are done.
+ if [ ${DM_VERITY_SEPARATE_HASH} -eq 0 ]; then
+ return
+ fi
+
+ # Craft up the UUIDs that are part of the verity standard for root & hash
+ # while we are here and in shell. Re-read our output to get ROOT_HASH
+ # and then cut it in 1/2 ; HI for data UUID and LO for hash-data UUID.
+ # https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+
+ ROOT_HASH=$(cat $ENV | grep ^ROOT_HASH | sed 's/ROOT_HASH=//' | tr a-f A-F)
+ ROOT_HI=$(echo "obase=16;ibase=16;$ROOT_HASH/2^80" | /usr/bin/bc)
+ ROOT_LO=$(echo "obase=16;ibase=16;$ROOT_HASH%2^80" | /usr/bin/bc)
+
+ # Hyphenate as per UUID spec and as expected by wic+sgdisk parameters.
+ # Prefix with leading zeros, in case hash chunks weren't using highest bits
+ # "bc" needs upper case, /dev/disk/by-partuuid/ is lower case. <sigh>
+ ROOT_UUID=$(echo 00000000$ROOT_HI | sed 's/.*\(.\{32\}\)$/\1/' | \
+ sed 's/./-&/9;s/./-&/14;s/./-&/19;s/./-&/24' | tr A-F a-f )
+ RHASH_UUID=$(echo 00000000$ROOT_LO | sed 's/.*\(.\{32\}\)$/\1/' | \
+ sed 's/./-&/9;s/./-&/14;s/./-&/19;s/./-&/24' | tr A-F a-f )
+
+ # Emit the values needed for a veritysetup run in the initramfs
+ echo "ROOT_UUID=$ROOT_UUID" >> $ENV
+ echo "RHASH_UUID=$RHASH_UUID" >> $ENV
+
+ # Create wks.in fragment with build specific UUIDs for partitions.
+ # Unfortunately the wks.in does not support line continuations...
+ # First, the unappended filesystem data partition.
+ echo 'part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verityroot --part-type="${DM_VERITY_ROOT_GUID}"'" --uuid=\"$ROOT_UUID\"" > $WKS_INC
+
+ # note: no default mount point for hash data partition
+ echo 'part --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash" --part-name verityhash --part-type="${DM_VERITY_RHASH_GUID}"'" --uuid=\"$RHASH_UUID\"" >> $WKS_INC
}
verity_setup() {
@@ -58,6 +116,12 @@
local INPUT=${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.$TYPE
local SIZE=$(stat --printf="%s" $INPUT)
local OUTPUT=$INPUT.verity
+ local OUTPUT_HASH=$INPUT.verity
+ local HASH_OFFSET=""
+ local SETUP_ARGS=""
+ local SAVED_ARGS="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.args"
+
+ install -d ${STAGING_VERITY_DIR}
if [ ${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} -ge ${DM_VERITY_IMAGE_HASH_BLOCK_SIZE} ]; then
align=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE}
@@ -66,11 +130,33 @@
fi
SIZE=$(expr \( $SIZE + $align - 1 \) / $align \* $align)
+ # Assume some users may want separate hash vs. appended hash
+ if [ ${DM_VERITY_SEPARATE_HASH} -eq 1 ]; then
+ OUTPUT_HASH=$INPUT.vhash
+ else
+ HASH_OFFSET="--hash-offset="$SIZE
+ fi
+
cp -a $INPUT $OUTPUT
+ SETUP_ARGS=" \
+ --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} \
+ --hash-block-size=${DM_VERITY_IMAGE_HASH_BLOCK_SIZE} \
+ $HASH_OFFSET format $OUTPUT $OUTPUT_HASH \
+ "
+
+ echo "veritysetup $SETUP_ARGS" > $SAVED_ARGS
+
# Let's drop the first line of output (doesn't contain any useful info)
# and feed the rest to another function.
- veritysetup --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} --hash-block-size=${DM_VERITY_IMAGE_HASH_BLOCK_SIZE} --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity
+ veritysetup $SETUP_ARGS | tail -n +2 | process_verity
+}
+
+# make "dateless" symlink for the hash so the wks can find it.
+verity_hash() {
+ cd ${IMGDEPLOYDIR}
+ ln -sf ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.vhash \
+ ${IMAGE_BASENAME}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash
}
VERITY_TYPES = " \
@@ -83,10 +169,12 @@
CONVERSIONTYPES += "verity"
CONVERSION_CMD:verity = "verity_setup ${type}"
CONVERSION_DEPENDS_verity = "cryptsetup-native"
+IMAGE_CMD:vhash = "verity_hash"
python __anonymous() {
verity_image = d.getVar('DM_VERITY_IMAGE')
verity_type = d.getVar('DM_VERITY_IMAGE_TYPE')
+ verity_hash = d.getVar('DM_VERITY_SEPARATE_HASH')
image_fstypes = d.getVar('IMAGE_FSTYPES')
pn = d.getVar('PN')
@@ -101,6 +189,8 @@
bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type')
d.appendVar('IMAGE_FSTYPES', ' %s.verity' % verity_type)
+ if verity_hash == "1":
+ d.appendVar('IMAGE_FSTYPES', ' vhash')
# If we're using wic: we'll have to use partition images and not the rootfs
# source plugin so add the appropriate dependency.
diff --git a/meta-security/docs/dm-verity-systemd-hash-x86-64.txt b/meta-security/docs/dm-verity-systemd-hash-x86-64.txt
new file mode 100644
index 0000000..673b810
--- /dev/null
+++ b/meta-security/docs/dm-verity-systemd-hash-x86-64.txt
@@ -0,0 +1,43 @@
+dm-verity and x86-64 and systemd - separate hash device
+-------------------------------------------------------
+
+Everything said in "dm-verity-systemd-x86-64.txt" applies here.
+However booting under QEMU is not tested - only on real hardware.
+So for your MACHINE you need to choose "genericx86-64".
+
+Also, you'll need to point at the hash specific WKS file:
+
+WKS_FILES += " systemd-bootdisk-dmverity-hash.wks.in"
+
+The fundamental difference is to use a separate device/partition for
+storage of the hash data -- instead of "hiding" it beyond the filesystem
+in what is essentially a 5-10% oversized partition. This takes any manual
+math calculations of size/offset out of the picture, and uses the kernel's
+natural behaviour of compartmentalizing devices to ensure they are separate.
+
+The example hash.wks file added here essentially adds a hash-only partition
+directly after the filesystem partition. So the filesystem partition is
+no longer "oversized" and no offsets are needed/used.
+
+Since we are now using multiple partitions, we make a better effort to use
+accepted GPT partition types and UUIDs based on the roothash. This means
+easier sysadmin level use/debugging based on cfdisk output etc.
+
+Generating the separate root hash image is driven off enabling this:
+ DM_VERITY_SEPARATE_HASH = "1"
+
+Two other variables control the GPT UUIDs - set to x86-64 defaults:
+
+ DM_VERITY_ROOT_GUID ?= "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
+ DM_VERITY_RHASH_GUID ?= "2c7357ed-ebd2-46d9-aec1-23d437ec2bf5"
+
+See: https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+
+Finally, the UUIDs (not the "partition types" above) are based off of
+the root node hash value as per the systemd "autodetect" proposed standard.
+These will obviously change with every update/rebuild of the root image.
+
+While not strictly coupled to any functionality at this point in time, it
+does aid in easier debugging, and puts us in alignment with using systemd
+inside the initramfs to replace manual veritysetup like configuration we
+currently do in the initramfs today, should we decide to do so later on.
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
index 1a2f364..1754e1e 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
@@ -3,6 +3,7 @@
Date: Wed, 5 Sep 2018 23:21:43 +0500
Subject: [PATCH] check-setuid: use more portable find args
+Upstream-Status: Pending
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
---
plugins/check-setuid | 6 +++---
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch
index 4a438e4..907d86b 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch
index e112f90..4edb1f3 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch
index 1e898b1..f01cc47 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch
index 574aa98..640d5ff 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch
index 72cdc2f..4ca9c63 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch
index c075875..7f6aea0 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch
index 05f145a..d909f10 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch
index 743e549..4f46924 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch
index 5923c04..c38f45e 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch
index e7996e3..5a6476b 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch
@@ -11,7 +11,7 @@
Fixed also some warnings regarding defined statements
in API.pm.
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch
index d64d1e2..5a5be6f 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch
index bd094ee..f95579d 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch
index 307fdca..afbd4e0 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch
index 4093867..5052bd8 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch
@@ -1,4 +1,4 @@
-Upstream Status: Inappropriate [No upstream maintenance]
+Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch
index edaa204..0715f31 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch
@@ -3,7 +3,7 @@
Date: Fri, 28 Dec 2018 11:08:25 -0500
Subject: [PATCH] Set custom paths
-Upstream Status: Inappropriate
+Upstream-Status: Inappropriate
Signed-off-by: Scott Ellis <scott@jumpnowtek.com>
---
diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
deleted file mode 100644
index 7f0812c..0000000
--- a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From fe3436d65518099d35c643848cba50253abc249c Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Thu, 9 May 2019 14:44:51 +0900
-Subject: [PATCH] To fix build error of xrange.
-
-NameError: name 'xrange' is not defined
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- fail2ban/__init__.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fail2ban/__init__.py b/fail2ban/__init__.py
-index fa6dcf7..61789a4 100644
---- a/fail2ban/__init__.py
-+++ b/fail2ban/__init__.py
-@@ -82,7 +82,7 @@ strptime("2012", "%Y")
-
- # short names for pure numeric log-level ("Level 25" could be truncated by short formats):
- def _init():
-- for i in xrange(50):
-+ for i in range(50):
- if logging.getLevelName(i).startswith('Level'):
- logging.addLevelName(i, '#%02d-Lev.' % i)
- _init()
---
-2.7.4
-
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index e7abb3c..fa7915c 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -9,7 +9,6 @@
../meta-security:
meta-tpm:
meta-integrity:
- meta-security-compliance:
meta-hardening:
poky:
diff --git a/meta-security/kas/qemux86-comp.yml b/meta-security/kas/qemux86-comp.yml
deleted file mode 100644
index 478d631..0000000
--- a/meta-security/kas/qemux86-comp.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- meta-compliance: |
- IMAGE_INSTALL:append = " lynis"
- IMAGE_INSTALL:append = " openscap openscap-daemon scap-security-guide"
-
-machine: qemux86
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
index 3624576..f0d8975 100644
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
@@ -13,6 +13,8 @@
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
+Upstream-Status: Pending
+
src/evmctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
@@ -30,6 +32,8 @@
int fd = open(file, 0);
---
+Upstream-Status: Pending
+
2.39.2
diff --git a/meta-security/meta-security-compliance/README b/meta-security/meta-security-compliance/README
deleted file mode 100644
index 3311d05..0000000
--- a/meta-security/meta-security-compliance/README
+++ /dev/null
@@ -1,41 +0,0 @@
-# Meta-security-compliance
-
-This layer is meant to contain programs to help in security compliance and auditing
-
-
-Dependencies
-============
-
-This layer depends on:
-
- URI: git://git.openembedded.org/bitbake
- branch: master
-
- URI: git://git.openembedded.org/openembedded-core
- layers: meta
- branch: master
-
-or
-
- URI: git://git.yoctoproject.org/poky
- branch: master
-
-
-
-Maintenance
------------
-
-Send pull requests, patches, comments or questions to yocto@yoctoproject.org
-
-When sending single patches, please using something like:
-'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security-compliance][PATCH'
-
-Layer Maintainer: Armin Kuster <akuster808@gmail.com>
-
-
-License
-=======
-
-All metadata is MIT licensed unless otherwise stated. Source code included
-in tree for individual recipes is under the LICENSE stated in each recipe
-(.bb file) unless otherwise stated.
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
deleted file mode 100644
index cb33c2c..0000000
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# We have a conf and classes directory, add to BBPATH
-BBPATH .= ":${LAYERDIR}"
-
-# We have a recipes directory, add to BBFILES
-BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
-
-BBFILE_COLLECTIONS += "scanners-layer"
-BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
-BBFILE_PRIORITY_scanners-layer = "6"
-
-LAYERSERIES_COMPAT_scanners-layer = "mickledore"
-
-LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
-
-BBLAYERS_LAYERINDEX_NAME_scanners-layer = "meta-security-compliance"
-
-addpylib ${LAYERDIR}/lib oeqa
diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xccdf.xml b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xccdf.xml
deleted file mode 100644
index d3b2c9a..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xccdf.xml
+++ /dev/null
@@ -1,14 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" id="generated-xccdf" resolved="1">
- <xccdf:status>incomplete</xccdf:status>
- <xccdf:title>Automatically generated XCCDF from OVAL file: OpenEmbedded_nodistro_0.xml</xccdf:title>
- <xccdf:description>This file has been generated automatically from oval definitions file.</xccdf:description>
- <xccdf:version time="2017-06-07T04:05:05">None, generated from OVAL file.</xccdf:version>
- <xccdf:Rule selected="true" id="oval-com.redhat.rhsa-def-20171365">
- <xccdf:title>CPE-2017:1365: nss security and bug fix update (Important)</xccdf:title>
- <xccdf:ident system="http://cve.mitre.org">CVE-2017-7502</xccdf:ident>
- <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref href="OpenEmbedded_nodistro_0.xml" name="oval:com.redhat.rhsa:def:20171365"/>
- </xccdf:check>
- </xccdf:Rule>
-</xccdf:Benchmark>
diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xml b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xml
deleted file mode 100644
index a9bf2a0..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xml
+++ /dev/null
@@ -1,83 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:red-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
- <generator>
- <oval:product_name>OpenEmbedded Errata Test System</oval:product_name>
- <oval:schema_version>5.10.1</oval:schema_version>
- <oval:timestamp>2017-06-07T04:05:05</oval:timestamp>
- </generator>
-
- <definitions>
- <definition class="patch" id="oval:com.redhat.rhsa:def:20171365" version="604">
- <metadata>
- <title>CPE-2017:1365: nss security and bug fix update (Important)</title>
- <affected family="unix">
- <platform>OpenEmbedded Nodistro</platform>
- </affected>
- <reference ref_id="RHSA-2017:1365-03" ref_url="https://access.redhat.com/errata/RHSA-2017:1365" source="RHSA"/>
- <reference ref_id="CVE-2017-7502" ref_url="https://access.redhat.com/security/cve/CVE-2017-7502" source="CVE"/>
- <description>Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.
-
-Security Fix(es):
-
-* A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. (CVE-2017-7502)
-
-Bug Fix(es):
-
-* The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1451421)</description>
-
-<!-- ~~~~~~~~~~~~~~~~~~~~ advisory details ~~~~~~~~~~~~~~~~~~~ -->
-
-<advisory from="example.com">
- <severity>Important</severity>
- <rights>NA</rights>
- <issued date="2017-05-30"/>
- <updated date="2017-05-30"/>
- <cve cvss3="7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" cwe="CWE-476" href="https://access.redhat.com/security/cve/CVE-2017-7502">CVE-2017-7502</cve>
- <bugzilla href="https://bugzilla.redhat.com/1446631" id="1446631">CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages</bugzilla>
- <affected_cpe_list>
- <cpe>cpe:/o:openembedded:nodistro:0</cpe>
- </affected_cpe_list>
-</advisory>
- </metadata>
-
-<criteria operator="AND">
- <criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20171365001"/>
- <criterion comment="nss is earlier than 0:3.28.4-r0" test_ref="oval:com.redhat.rhsa:tst:20171365007"/>
-</criteria>
-
- </definition>
- </definitions>
- <tests>
- <!-- ~~~~~~~~~~~~~~~~~~~~~ rpminfo tests ~~~~~~~~~~~~~~~~~~~~~ -->
- <rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 7 Client is installed" id="oval:com.redhat.rhsa:tst:20171365001" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <object object_ref="oval:com.redhat.rhsa:obj:20171365001"/>
- <state state_ref="oval:com.redhat.rhsa:ste:20171365002"/>
-</rpminfo_test>
-<rpminfo_test check="at least one" comment="nss is earlier than 0:3.31.4-r0" id="oval:com.redhat.rhsa:tst:20171365007" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <object object_ref="oval:com.redhat.rhsa:obj:20171365006"/>
- <state state_ref="oval:com.redhat.rhsa:ste:20171365003"/>
-</rpminfo_test>
-
- </tests>
-
- <objects>
- <!-- ~~~~~~~~~~~~~~~~~~~~ rpminfo objects ~~~~~~~~~~~~~~~~~~~~ -->
- <rpminfo_object id="oval:com.redhat.rhsa:obj:20171365006" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <name>nss</name>
-</rpminfo_object>
-<rpminfo_object id="oval:com.redhat.rhsa:obj:20171365001" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <name>openembedded-release</name>
-</rpminfo_object>
-
- </objects>
- <states>
- <!-- ~~~~~~~~~~~~~~~~~~~~ rpminfo states ~~~~~~~~~~~~~~~~~~~~~ -->
-<rpminfo_state id="oval:com.redhat.rhsa:ste:20171365002" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <version operation="pattern match">^1[^\d]</version>
-</rpminfo_state>
-<rpminfo_state id="oval:com.redhat.rhsa:ste:20171365003" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
- <evr datatype="evr_string" operation="less than">0:3.31.4-r0</evr>
-</rpminfo_state>
-
- </states>
-</oval_definitions>
diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/oval-to-xccdf.xslt b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/oval-to-xccdf.xslt
deleted file mode 100644
index 2243ac4..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/oval-to-xccdf.xslt
+++ /dev/null
@@ -1,72 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Copyright 2012 Red Hat Inc., Durham, North Carolina. All Rights Reserved.
-
-This transformation is free software; you can redistribute it and/or modify
-it under the terms of the GNU Lesser General Public License as published by
-the Free Software Foundation; either version 2.1 of the License.
-
-This transformation is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
-for more details.
-
-You should have received a copy of the GNU Lesser General Public License along
-with this library; if not, write to the Free Software Foundation, Inc., 59
-Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-Authors:
- Šimon Lukašík <slukasik@redhat.com>
--->
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
- xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1"
- xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
- xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xsl:output method="xml" encoding="UTF-8"/>
-
- <xsl:template match="/">
- <xccdf:Benchmark id="generated-xccdf" resolved="1">
- <xccdf:status>incomplete</xccdf:status>
- <xccdf:title>
- <xsl:text>Automatically generated XCCDF from OVAL file: </xsl:text>
- <xsl:value-of select="$ovalfile"/>
- </xccdf:title>
- <xccdf:description>This file has been generated automatically from oval definitions file.</xccdf:description>
- <xccdf:version>
- <xsl:attribute name="time">
- <xsl:value-of select="normalize-space(oval-def:oval_definitions/oval-def:generator/oval:timestamp[1]/text())"/>
- </xsl:attribute>
- <xsl:text>None, generated from OVAL file.</xsl:text>
- </xccdf:version>
- <xsl:apply-templates select="oval-def:oval_definitions/oval-def:definitions/oval-def:definition"/>
- </xccdf:Benchmark>
- </xsl:template>
-
- <xsl:template match="oval-def:definition">
- <xccdf:Rule selected="true">
- <xsl:attribute name="id">
- <xsl:value-of select="translate(@id,':','-')"/>
- </xsl:attribute>
- <xccdf:title>
- <xsl:copy-of select="oval-def:metadata/oval-def:title/text()"/>
- </xccdf:title>
- <xsl:apply-templates select="oval-def:metadata/oval-def:advisory/oval-def:cve"/>
- <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
- <xccdf:check-content-ref href="file">
- <xsl:attribute name="name">
- <xsl:value-of select="@id"/>
- </xsl:attribute>
- <xsl:attribute name="href">
- <xsl:value-of select="$ovalfile"/>
- </xsl:attribute>
- </xccdf:check-content-ref>
- </xccdf:check>
- </xccdf:Rule>
- </xsl:template>
-
- <xsl:template match="oval-def:cve">
- <xccdf:ident system="http://cve.mitre.org">
- <xsl:copy-of select="text()"/>
- </xccdf:ident>
- </xsl:template>
-</xsl:stylesheet>
-
diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_cve.sh b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_cve.sh
deleted file mode 100644
index 48a7485..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_cve.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-oscap oval eval \
---report oval.html \
---verbose-log-file filedevel.log \
---verbose DEVEL \
-/usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml
diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_test.sh b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_test.sh
deleted file mode 100644
index 70cd82c..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_test.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-#oscap oval eval --result-file ./myresults.xml ./OpenEmbedded_nodistro_0.xml
-
-oscap xccdf eval --results results.xml --report report.html OpenEmbedded_nodistro_0.xccdf.xml
diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
deleted file mode 100644
index 7e9f214..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
+++ /dev/null
@@ -1,33 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "OE SCAP files"
-LIC_FILES_CHKSUM = "file://README.md;md5=46dec9f167b6e05986cb4023df6d92f4"
-LICENSE = "MIT"
-
-SRCREV = "7147871d7f37d408c0dd7720ef0fd3ec1b54ad98"
-SRC_URI = "git://github.com/akuster/oe-scap.git;branch=master;protocol=https"
-SRC_URI += " \
- file://run_cve.sh \
- file://run_test.sh \
- file://OpenEmbedded_nodistro_0.xml \
- file://OpenEmbedded_nodistro_0.xccdf.xml \
- "
-
-S = "${WORKDIR}/git"
-
-do_configure[noexec] = "1"
-do_compile[noexec] = "1"
-
-do_install () {
- install -d ${D}/${datadir}/oe-scap
- install ${WORKDIR}/run_cve.sh ${D}/${datadir}/oe-scap/.
- install ${WORKDIR}/run_test.sh ${D}/${datadir}/oe-scap/.
- install ${WORKDIR}/OpenEmbedded_nodistro_0.xml ${D}/${datadir}/oe-scap/.
- install ${WORKDIR}/OpenEmbedded_nodistro_0.xccdf.xml ${D}/${datadir}/oe-scap/.
- cp ${S}/* ${D}/${datadir}/oe-scap/.
-}
-
-FILES:${PN} += "${datadir}/oe-scap"
-
-RDEPENDS:${PN} = "openscap bash"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
deleted file mode 100644
index 2a518bf..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From c34349720a57997d30946286756e2ba9dbab6ace Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Mon, 2 Jul 2018 11:21:19 +0200
-Subject: [PATCH] Renamed module and variables to get rid of async.
-
-async is a reserved word in Python 3.7.
-
-Upstream-Status: Backport
-[https://github.com/OpenSCAP/openscap-daemon/commit/c34349720a57997d30946286756e2ba9dbab6ace]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- openscap_daemon/{async.py => async_tools.py} | 0
- openscap_daemon/dbus_daemon.py | 2 +-
- openscap_daemon/system.py | 16 ++++++++--------
- tests/unit/test_basic_update.py | 3 ++-
- 4 files changed, 11 insertions(+), 10 deletions(-)
- rename openscap_daemon/{async.py => async_tools.py} (100%)
-
-diff --git a/openscap_daemon/async.py b/openscap_daemon/async_tools.py
-similarity index 100%
-rename from openscap_daemon/async.py
-rename to openscap_daemon/async_tools.py
-diff --git a/openscap_daemon/dbus_daemon.py b/openscap_daemon/dbus_daemon.py
-index e6eadf9..cb6a8b6 100644
---- a/openscap_daemon/dbus_daemon.py
-+++ b/openscap_daemon/dbus_daemon.py
-@@ -81,7 +81,7 @@ class OpenSCAPDaemonDbus(dbus.service.Object):
- @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
- in_signature="", out_signature="a(xsi)")
- def GetAsyncActionsStatus(self):
-- return self.system.async.get_status()
-+ return self.system.async_manager.get_status()
-
- @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
- in_signature="s", out_signature="(sssn)")
-diff --git a/openscap_daemon/system.py b/openscap_daemon/system.py
-index 2012f6e..85c2680 100644
---- a/openscap_daemon/system.py
-+++ b/openscap_daemon/system.py
-@@ -26,7 +26,7 @@ import logging
- from openscap_daemon.task import Task
- from openscap_daemon.config import Configuration
- from openscap_daemon import oscap_helpers
--from openscap_daemon import async
-+from openscap_daemon import async_tools
-
-
- class ResultsNotAvailable(Exception):
-@@ -40,7 +40,7 @@ TASK_ACTION_PRIORITY = 10
-
- class System(object):
- def __init__(self, config_file):
-- self.async = async.AsyncManager()
-+ self.async_manager = async_tools.AsyncManager()
-
- logging.info("Loading configuration from '%s'.", config_file)
- self.config = Configuration()
-@@ -90,7 +90,7 @@ class System(object):
- input_file, tailoring_file, None
- )
-
-- class AsyncEvaluateSpecAction(async.AsyncAction):
-+ class AsyncEvaluateSpecAction(async_tools.AsyncAction):
- def __init__(self, system, spec):
- super(System.AsyncEvaluateSpecAction, self).__init__()
-
-@@ -113,7 +113,7 @@ class System(object):
- return "Evaluate Spec '%s'" % (self.spec)
-
- def evaluate_spec_async(self, spec):
-- return self.async.enqueue(
-+ return self.async_manager.enqueue(
- System.AsyncEvaluateSpecAction(
- self,
- spec
-@@ -488,7 +488,7 @@ class System(object):
-
- return ret
-
-- class AsyncUpdateTaskAction(async.AsyncAction):
-+ class AsyncUpdateTaskAction(async_tools.AsyncAction):
- def __init__(self, system, task_id, reference_datetime):
- super(System.AsyncUpdateTaskAction, self).__init__()
-
-@@ -536,7 +536,7 @@ class System(object):
-
- if task.should_be_updated(reference_datetime):
- self.tasks_scheduled.add(task.id_)
-- self.async.enqueue(
-+ self.async_manager.enqueue(
- System.AsyncUpdateTaskAction(
- self,
- task.id_,
-@@ -662,7 +662,7 @@ class System(object):
- fix_type
- )
-
-- class AsyncEvaluateCVEScannerWorkerAction(async.AsyncAction):
-+ class AsyncEvaluateCVEScannerWorkerAction(async_tools.AsyncAction):
- def __init__(self, system, worker):
- super(System.AsyncEvaluateCVEScannerWorkerAction, self).__init__()
-
-@@ -680,7 +680,7 @@ class System(object):
- return "Evaluate CVE Scanner Worker '%s'" % (self.worker)
-
- def evaluate_cve_scanner_worker_async(self, worker):
-- return self.async.enqueue(
-+ return self.async_manager.enqueue(
- System.AsyncEvaluateCVEScannerWorkerAction(
- self,
- worker
-diff --git a/tests/unit/test_basic_update.py b/tests/unit/test_basic_update.py
-index 6f683e6..7f953f7 100755
---- a/tests/unit/test_basic_update.py
-+++ b/tests/unit/test_basic_update.py
-@@ -37,8 +37,9 @@ class BasicUpdateTest(unit_test_harness.APITest):
- print(self.system.tasks)
- self.system.schedule_tasks()
-
-- while len(self.system.async.actions) > 0:
-+ while len(self.system.async_manager.actions) > 0:
- time.sleep(1)
-
-+
- if __name__ == "__main__":
- BasicUpdateTest.run()
---
-2.7.4
-
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
deleted file mode 100644
index 9659323..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "The OpenSCAP Daemon is a service that runs in the background."
-HOME_URL = "https://www.open-scap.org/tools/openscap-daemon/"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=40d2542b8c43a3ec2b7f5da31a697b88"
-LICENSE = "LGPL-2.1-only"
-
-DEPENDS = "python3-dbus"
-
-SRCREV = "f25b16afb6ac761fea13132ff406fba4cdfd2b76"
-SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git;branch=master;protocol=https \
- file://0001-Renamed-module-and-variables-to-get-rid-of-async.patch \
- "
-
-inherit python_setuptools_build_meta
-
-S = "${WORKDIR}/git"
-
-RDEPENDS:${PN} = "openscap scap-security-guide \
- python3-core python3-dbus \
- python3-pygobject \
- "
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.7.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.7.bb
deleted file mode 100644
index cfe93f0..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.7.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-SUMARRY = "NIST Certified SCAP 1.2 toolkit"
-
-DEPENDS:append = " xmlsec1"
-
-require openscap.inc
-
-inherit systemd
-
-SRCREV = "55efbfda0f617e05862ab6ed4862e10dbee52b03"
-SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https"
-
-SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE:${PN} = "oscap-remediate.service"
-
-do_install:append () {
- if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
- install -D -m 0644 ${B}/oscap-remediate.service ${D}${systemd_system_unitdir}/oscap-remediate.service
- fi
-}
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
deleted file mode 100644
index 3543e11..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
+++ /dev/null
@@ -1,14 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "NIST Certified SCAP 1.2 toolkit with OE changes"
-
-include openscap.inc
-
-SRCREV = "a85943eee400fdbe59234d1c4a02d8cf710c4625"
-SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3;protocol=https \
-"
-
-PV = "1.3.3+git${SRCPV}"
-
-DEFAULT_PREFERENCE = "-1"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch
deleted file mode 100644
index c0b93e4..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 174293162e5840684d967e36840fc1f9f57c90be Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Thu, 5 Dec 2019 15:02:05 +0100
-Subject: [PATCH] Fix XML "parsing" of the remediation functions file.
-
-A proper fix is not worth the effort, as we aim to kill shared Bash remediation
-with Jinja2 macros.
-
-Upstream-Status: Backport
-[https://github.com/ComplianceAsCode/content/commit/174293162e5840684d967e36840fc1f9f57c90be]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ssg/build_remediations.py | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 7da807bd6..13e90f732 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -56,11 +56,11 @@ def get_available_functions(build_dir):
- remediation_functions = []
- with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile:
- filestring = xmlfile.read()
-- # This regex looks implementation dependent but we can rely on
-- # ElementTree sorting XML attrs alphabetically. Hidden is guaranteed
-- # to be the first attr and ID is guaranteed to be second.
-+ # This regex looks implementation dependent but we can rely on the element attributes
-+ # being present on one line.
-+ # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7.
- remediation_functions = re.findall(
-- r'<Value hidden=\"true\" id=\"function_(\S+)\"',
-+ r'<Value.*id=\"function_(\S+)\"',
- filestring, re.DOTALL
- )
-
---
-2.17.1
-
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-platform-spec-file-check-tests-in-installed-OS-d.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-platform-spec-file-check-tests-in-installed-OS-d.patch
deleted file mode 100644
index 60664a3..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-platform-spec-file-check-tests-in-installed-OS-d.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 2beb4bc83a157b21edb1a3fef295cd4cced467df Mon Sep 17 00:00:00 2001
-From: Jate Sujjavanich <jatedev@gmail.com>
-Date: Thu, 7 Jan 2021 18:10:01 -0500
-Subject: [PATCH 1/3] Fix platform spec, file check, tests in installed OS
- detect for openembedded
-
-Change platform to multi in openembedded installed check matching others
-and allowing compile of xml into oval
----
- shared/checks/oval/installed_OS_is_openembedded.xml | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
-index 763d17bcb..01df16b43 100644
---- a/shared/checks/oval/installed_OS_is_openembedded.xml
-+++ b/shared/checks/oval/installed_OS_is_openembedded.xml
-@@ -1,11 +1,9 @@
--</def-group>
--
- <def-group>
- <definition class="inventory" id="installed_OS_is_openembedded" version="2">
- <metadata>
- <title>OpenEmbedded</title>
- <affected family="unix">
-- <platform>OPENEMBEDDED</platform>
-+ <platform>multi_platform_all</platform>
- </affected>
- <reference ref_id="cpe:/o:openembedded:openembedded:0"
- source="CPE" />
-@@ -20,8 +18,11 @@
- </criteria>
- </definition>
-
-- <ind:textfilecontent54_object id="test_openembedded" version="1" comment="Check OPenEmbedded version">
-- <ind:filepath>/etc/os-release/ind:filepath>
-+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded version" id="test_openembedded" version="1">
-+ <ind:object object_ref="obj_openembedded" />
-+ </ind:textfilecontent54_test>
-+ <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded version">
-+ <ind:filepath>/etc/os-release</ind:filepath>
- <ind:pattern operation="pattern match">^VERSION_ID=\"nodistro\.[0-9].$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
---
-2.24.3 (Apple Git-128)
-
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-fix-deprecated-instance-of-element.getchildren.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-fix-deprecated-instance-of-element.getchildren.patch
deleted file mode 100644
index 01e3dd6..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-fix-deprecated-instance-of-element.getchildren.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From e435bf2dc59d652710104a1c59332e410b12bb64 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 8 Jun 2020 12:33:48 +0200
-Subject: [PATCH] fix deprecated instance of element.getchildren
-
-Upstream-Status: Backport
-[https://github.com/ComplianceAsCode/content/commit/e435bf2dc59d652710104a1c59332e410b12bb64]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ssg/build_remediations.py | 2 +-
- ssg/build_stig.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index fdde0f268..c18d6bd54 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -735,7 +735,7 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
- # First concat output form of modified fix text (including text appended
- # to all children of the fix)
- modfix = [fix.text]
-- for child in fix.getchildren():
-+ for child in list(fix):
- if child is not None and child.text is not None:
- modfix.append(child.text)
- modfixtext = "".join(modfix)
-diff --git a/ssg/build_stig.py b/ssg/build_stig.py
-index 528285f3d..6122981fc 100644
---- a/ssg/build_stig.py
-+++ b/ssg/build_stig.py
-@@ -38,7 +38,7 @@ def add_references(reference, destination):
- for ref in refs:
- if (ref.get('href').startswith(stig_refs) and
- ref.text in dictionary):
-- index = rule.getchildren().index(ref)
-+ index = list(rule).index(ref)
- new_ref = ET.Element(
- '{%s}reference' % XCCDF11_NS, {'href': stig_ns})
- new_ref.text = dictionary[ref.text]
---
-2.17.1
-
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-installed_OS_is_openembedded-Update-pattern-match.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-installed_OS_is_openembedded-Update-pattern-match.patch
deleted file mode 100644
index 61d9206..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-installed_OS_is_openembedded-Update-pattern-match.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From d943e41d64da6af89a6b8224110299ad88747497 Mon Sep 17 00:00:00 2001
-From: Akshay Bhat <akshay.bhat@timesys.com>
-Date: Mon, 14 Feb 2022 13:00:31 -0500
-Subject: [PATCH] installed_OS_is_openembedded: Update pattern match
-
-The VERSION_ID string is no longer quoted with f451c68667cca of
-openembedded-core. Update the pattern match check in
-installed_OS_is_openembedded to match the same.
-
-Signed-off-by: Akshay Bhat <akshay.bhat@timesys.com>
----
- shared/checks/oval/installed_OS_is_openembedded.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
-index 01df16b43..eaf9f2b10 100644
---- a/shared/checks/oval/installed_OS_is_openembedded.xml
-+++ b/shared/checks/oval/installed_OS_is_openembedded.xml
-@@ -23,7 +23,7 @@
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded version">
- <ind:filepath>/etc/os-release</ind:filepath>
-- <ind:pattern operation="pattern match">^VERSION_ID=\"nodistro\.[0-9].$</ind:pattern>
-+ <ind:pattern operation="pattern match">^VERSION_ID=nodistro\.[0-9]$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
---
-2.25.1
-
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fix-missing-openembedded-from-ssg-constants.py.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fix-missing-openembedded-from-ssg-constants.py.patch
deleted file mode 100644
index 1e712f6..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fix-missing-openembedded-from-ssg-constants.py.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 037a12301968a56f0c7e492ea4a05d2eecbd4cc6 Mon Sep 17 00:00:00 2001
-From: Jate Sujjavanich <jatedev@gmail.com>
-Date: Fri, 8 Jan 2021 20:18:00 -0500
-Subject: [PATCH 2/3] Fix missing openembedded from ssg/constants.py
-
----
- ssg/constants.py | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ssg/constants.py b/ssg/constants.py
-index fab7cda5d..2ca289f84 100644
---- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -234,7 +234,8 @@ PRODUCT_TO_CPE_MAPPING = {
- }
-
- MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhosp", "rhv", "debian", "ubuntu",
-- "wrlinux", "opensuse", "sle", "ol", "ocp", "example"]
-+ "wrlinux", "opensuse", "sle", "ol", "ocp", "example",
-+ "openembedded"]
-
- MULTI_PLATFORM_MAPPING = {
- "multi_platform_debian": ["debian8"],
-@@ -249,6 +250,7 @@ MULTI_PLATFORM_MAPPING = {
- "multi_platform_sle": ["sle11", "sle12"],
- "multi_platform_ubuntu": ["ubuntu1404", "ubuntu1604", "ubuntu1804"],
- "multi_platform_wrlinux": ["wrlinux"],
-+ "multi_platform_openembedded": ["openembedded"],
- }
-
- RHEL_CENTOS_CPE_MAPPING = {
---
-2.24.3 (Apple Git-128)
-
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch
deleted file mode 100644
index f0c9909..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 28a35d63a0cc6b7beb51c77d93bb30778e6960cd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Mon, 9 Dec 2019 13:41:47 +0100
-Subject: [PATCH] Fixed the broken fix, when greedy regex ate the whole file.
-
-We want to match attributes in an XML element, not in the whole file.
-
-Upstream-Status: Backport
-[https://github.com/ComplianceAsCode/content/commit/28a35d63a0cc6b7beb51c77d93bb30778e6960cd]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ssg/build_remediations.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 13e90f732..edf31c0cf 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -57,10 +57,10 @@ def get_available_functions(build_dir):
- with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile:
- filestring = xmlfile.read()
- # This regex looks implementation dependent but we can rely on the element attributes
-- # being present on one line.
-+ # being present. Beware, DOTALL means we go through the whole file at once.
- # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7.
- remediation_functions = re.findall(
-- r'<Value.*id=\"function_(\S+)\"',
-+ r'<Value[^>]+id=\"function_(\S+)\"',
- filestring, re.DOTALL
- )
-
---
-2.17.1
-
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-fix-deprecated-getiterator-function.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-fix-deprecated-getiterator-function.patch
deleted file mode 100644
index 84271c4..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-fix-deprecated-getiterator-function.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From b0adc1d53780def4a95e310b6d26bb91ee97177e Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 8 Jun 2020 13:27:41 +0200
-Subject: [PATCH] fix deprecated getiterator function
-
-Upstream-Status: Backport
-[https://github.com/ComplianceAsCode/content/commit/b0adc1d53780def4a95e310b6d26bb91ee97177e]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- ssg/build_cpe.py | 6 +++---
- ssg/id_translate.py | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/ssg/build_cpe.py b/ssg/build_cpe.py
-index 2e5d24a5d..8c046777a 100644
---- a/ssg/build_cpe.py
-+++ b/ssg/build_cpe.py
-@@ -17,7 +17,7 @@ def extract_subelement(objects, sub_elem_type):
- """
-
- for obj in objects:
-- for subelement in obj.getiterator():
-+ for subelement in obj.iter():
- if subelement.get(sub_elem_type):
- sub_element = subelement.get(sub_elem_type)
- return sub_element
-@@ -44,12 +44,12 @@ def extract_referred_nodes(tree_with_refs, tree_with_ids, attrname):
- reflist = []
- elementlist = []
-
-- for element in tree_with_refs.getiterator():
-+ for element in tree_with_refs.iter():
- value = element.get(attrname)
- if value is not None:
- reflist.append(value)
-
-- for element in tree_with_ids.getiterator():
-+ for element in tree_with_ids.iter():
- if element.get("id") in reflist:
- elementlist.append(element)
-
-diff --git a/ssg/id_translate.py b/ssg/id_translate.py
-index 72b07be18..ba9225904 100644
---- a/ssg/id_translate.py
-+++ b/ssg/id_translate.py
-@@ -64,7 +64,7 @@ class IDTranslator(object):
- )
-
- def translate(self, tree, store_defname=False):
-- for element in tree.getiterator():
-+ for element in tree.iter():
- idname = element.get("id")
- if idname:
- # store the old name if requested (for OVAL definitions)
---
-2.17.1
-
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0003-fix-remaining-getchildren-and-getiterator-functions.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0003-fix-remaining-getchildren-and-getiterator-functions.patch
deleted file mode 100644
index 8162292..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0003-fix-remaining-getchildren-and-getiterator-functions.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From a0da16c5eeb9a7414f7f2a37a6b270c8d04b2ddf Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 8 Jun 2020 14:01:55 +0200
-Subject: [PATCH] fix remaining getchildren and getiterator functions
-
-Upstream-Status: Backport
-[https://github.com/ComplianceAsCode/content/commit/a0da16c5eeb9a7414f7f2a37a6b270c8d04b2ddf]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- build-scripts/sds_move_ocil_to_checks.py | 2 +-
- build-scripts/verify_references.py | 2 +-
- shared/transforms/pcidss/transform_benchmark_to_pcidss.py | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/build-scripts/sds_move_ocil_to_checks.py b/build-scripts/sds_move_ocil_to_checks.py
-index 5f5139659..64dc19084 100755
---- a/build-scripts/sds_move_ocil_to_checks.py
-+++ b/build-scripts/sds_move_ocil_to_checks.py
-@@ -106,7 +106,7 @@ def move_ocil_content_from_ds_extended_component_to_ds_component(datastreamtree,
- timestamp = extendedcomp.get('timestamp')
-
- # Get children elements of <ds:extended-component> containing OCIL content
-- extchildren = extendedcomp.getchildren()
-+ extchildren = list(extendedcomp)
- # There should be just one OCIL subcomponent in <ds:extended-component>
- if len(extchildren) != 1:
- sys.stderr.write("ds:extended-component contains more than one element!"
-diff --git a/build-scripts/verify_references.py b/build-scripts/verify_references.py
-index 69b3e2d1f..95d387f46 100755
---- a/build-scripts/verify_references.py
-+++ b/build-scripts/verify_references.py
-@@ -179,7 +179,7 @@ def main():
- check_content_refs = xccdftree.findall(".//{%s}check-content-ref"
- % xccdf_ns)
-
-- xccdf_parent_map = dict((c, p) for p in xccdftree.getiterator() for c in p)
-+ xccdf_parent_map = dict((c, p) for p in xccdftree.iter() for c in p)
- # now we can actually do the verification work here
- if options.rules_with_invalid_checks or options.all_checks:
- for check_content_ref in check_content_refs:
-diff --git a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
-index 0ceaf727d..c94b12c45 100755
---- a/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
-+++ b/shared/transforms/pcidss/transform_benchmark_to_pcidss.py
-@@ -111,7 +111,7 @@ def main():
- benchmark.findall(".//{%s}Value" % (XCCDF_NAMESPACE)):
- values.append(value)
-
-- parent_map = dict((c, p) for p in benchmark.getiterator() for c in p)
-+ parent_map = dict((c, p) for p in benchmark.iter() for c in p)
- for rule in \
- benchmark.findall(".//{%s}Rule" % (XCCDF_NAMESPACE)):
- parent_map[rule].remove(rule)
---
-2.17.1
-
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
deleted file mode 100644
index 6f29eda..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "SCAP content for various platforms"
-HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
-LICENSE = "LGPL-2.1-only"
-
-DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native expat-native"
-
-S = "${WORKDIR}/git"
-
-inherit cmake pkgconfig python3native python3targetconfig
-
-STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
-export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
-export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
-export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
-
-OECMAKE_GENERATOR = "Unix Makefiles"
-
-EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF"
-
-B = "${S}/build"
-
-do_configure[depends] += "openscap-native:do_install"
-
-do_configure:prepend () {
- sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
- sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt
-}
-
-FILES:${PN} += "${datadir}/xml"
-
-RDEPENDS:${PN} = "openscap"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
deleted file mode 100644
index ecf136d..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-SUMARRY = "SCAP content for various platforms, upstream version"
-
-SRCREV = "8cb2d0f351faff5440742258782281164953b0a6"
-SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https"
-
-DEFAULT_PREFERENCE = "-1"
-
-require scap-security-guide.inc
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
deleted file mode 100644
index f493ea8..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
+++ /dev/null
@@ -1,18 +0,0 @@
-SUMARRY = "SCAP content for various platforms, OE changes"
-
-SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed"
-SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;;protocol=https \
- file://0001-Fix-XML-parsing-of-the-remediation-functions-file.patch \
- file://0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch \
- file://0001-fix-deprecated-instance-of-element.getchildren.patch \
- file://0002-fix-deprecated-getiterator-function.patch \
- file://0003-fix-remaining-getchildren-and-getiterator-functions.patch \
- file://0001-Fix-platform-spec-file-check-tests-in-installed-OS-d.patch \
- file://0002-Fix-missing-openembedded-from-ssg-constants.py.patch \
- file://0001-installed_OS_is_openembedded-Update-pattern-match.patch \
- "
-PV = "0.1.44+git${SRCPV}"
-
-require scap-security-guide.inc
-
-EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENEMBEDDED=ON"
diff --git a/meta-security/meta-security-isafw/.gitignore b/meta-security/meta-security-isafw/.gitignore
deleted file mode 100644
index 2f836aa..0000000
--- a/meta-security/meta-security-isafw/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*~
-*.pyc
diff --git a/meta-security/meta-security-isafw/COPYING.MIT b/meta-security/meta-security-isafw/COPYING.MIT
deleted file mode 100644
index fb950dc..0000000
--- a/meta-security/meta-security-isafw/COPYING.MIT
+++ /dev/null
@@ -1,17 +0,0 @@
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/meta-security/meta-security-isafw/README.md b/meta-security/meta-security-isafw/README.md
deleted file mode 100644
index 16041cb..0000000
--- a/meta-security/meta-security-isafw/README.md
+++ /dev/null
@@ -1,92 +0,0 @@
-**meta-security-isafw** is an OE layer that allows enabling the Image
-Security Analysis Framework (isafw) for your image builds.
-
-The primary purpose of isafw is to provide an extensible
-framework for analysing different security aspects of images
-during the build process.
-
-The isafw project itself can be found at
- https://github.com/01org/isafw
-
-The framework supports a number of callbacks (such as
-process_package(), process_filesystem(), and etc.) that are invoked
-by the bitbake during different stages of package and image build.
-These callbacks are then forwarded for processing to the avaliable
-ISA FW plugins that have registered for these callbacks.
-Plugins can do their own processing on each stage of the build
-process and produce security reports.
-
-Dependencies
-------------
-
-The **meta-security-isafw** layer depends on the Open Embeeded
-core layer:
-
- git://git.openembedded.org/openembedded-core
-
-
-Usage
------
-
-In order to enable the isafw during the image build, please add
-the following line to your build/conf/local.conf file:
-
-```python
-INHERIT += "isafw"
-```
-
-Next you need to update your build/conf/bblayers.conf file with the
-location of meta-security-isafw layer on your filesystem along with
-any other layers needed. e.g.:
-
-```python
-BBLAYERS ?= " \
- /OE/oe-core/meta \
- /OE/meta-security/meta-security-isafw \
- "
-```
-
-Also, some isafw plugins require network connection, so in case of a
-proxy setup please make sure to export http_proxy variable into your
-environment.
-
-In order to produce image reports, you can execute image build
-normally. For example:
-
-```shell
-bitbake core-image-minimal
-```
-
-If you are only interested to produce a report based on packages
-and without building an image, please use:
-
-```shell
-bitbake -c analyse_sources_all core-image-minimal
-```
-
-
-Logs
-----
-
-All isafw plugins by default create their logs under the
-${LOG_DIR}/isafw-report/ directory, where ${LOG_DIR} is a bitbake
-default location for log files. If you wish to change this location,
-please define ISAFW_REPORTDIR variable in your local.conf file.
-
-Patches
--------
-end pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
-
-When sending single patches, please using something like:
-'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security-isafw][PATCH'
-
-These values can be set as defaults for this repository:
-
-$ git config sendemail.to yocto@lists.yoctoproject.org
-$ git config format.subjectPrefix meta-security-isafw][PATCH
-
-Now you can just do 'git send-email origin/master' to send all local patches.
-
-For pull requests, please use create-pull-request and send-pull-request.
-
-Maintainers: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-security/meta-security-isafw/classes/isafw.bbclass b/meta-security/meta-security-isafw/classes/isafw.bbclass
deleted file mode 100644
index 3854c0f..0000000
--- a/meta-security/meta-security-isafw/classes/isafw.bbclass
+++ /dev/null
@@ -1,317 +0,0 @@
-# Security scanning class
-#
-# Based in part on buildhistory.bbclass which was in turn based on
-# testlab.bbclass and packagehistory.bbclass
-#
-# Copyright (C) 2011-2015 Intel Corporation
-# Copyright (C) 2007-2011 Koen Kooi <koen@openembedded.org>
-#
-
-LICENSE = "MIT"
-
-require conf/distro/include/distro_alias.inc
-
-ISAFW_WORKDIR = "${WORKDIR}/isafw"
-ISAFW_REPORTDIR ?= "${LOG_DIR}/isafw-report"
-ISAFW_LOGDIR ?= "${LOG_DIR}/isafw-logs"
-
-ISAFW_PLUGINS_WHITELIST ?= ""
-ISAFW_PLUGINS_BLACKLIST ?= ""
-
-ISAFW_LA_PLUGIN_IMAGE_WHITELIST ?= ""
-ISAFW_LA_PLUGIN_IMAGE_BLACKLIST ?= ""
-
-# First, code to handle scanning each recipe that goes into the build
-
-do_analysesource[nostamp] = "1"
-do_analysesource[cleandirs] = "${ISAFW_WORKDIR}"
-
-python do_analysesource() {
- from isafw import isafw
-
- imageSecurityAnalyser = isafw_init(isafw, d)
-
- if not d.getVar('SRC_URI', True):
- # Recipe didn't fetch any sources, nothing to do here I assume?
- return
-
- recipe = isafw.ISA_package()
- recipe.name = d.getVar('BPN', True)
- recipe.version = d.getVar('PV', True)
- recipe.version = recipe.version.split('+git', 1)[0]
-
- for p in d.getVar('PACKAGES', True).split():
- license = str(d.getVar('LICENSE:' + p, True))
- if license == "None":
- license = d.getVar('LICENSE', True)
- license = license.replace("(", "")
- license = license.replace(")", "")
- licenses = license.split()
- while '|' in licenses:
- licenses.remove('|')
- while '&' in licenses:
- licenses.remove('&')
- for l in licenses:
- recipe.licenses.append(p + ":" + canonical_license(d, l))
-
- aliases = d.getVar('DISTRO_PN_ALIAS', True)
- if aliases:
- recipe.aliases = aliases.split()
- faliases = []
- for a in recipe.aliases:
- if (a != "OSPDT") and (not (a.startswith("upstream="))):
- faliases.append(a.split('=', 1)[-1])
- # remove possible duplicates in pkg names
- faliases = list(set(faliases))
- recipe.aliases = faliases
-
- for patch in src_patches(d):
- _,_,local,_,_,_=bb.fetch.decodeurl(patch)
- recipe.patch_files.append(os.path.basename(local))
- if (not recipe.patch_files) :
- recipe.patch_files.append("None")
-
- # Pass the recipe object to the security framework
- bb.debug(1, '%s: analyse sources' % (d.getVar('PN', True)))
- imageSecurityAnalyser.process_package(recipe)
-
- return
-}
-
-addtask do_analysesource before do_build
-
-# This task intended to be called after default task to process reports
-
-PR_ORIG_TASK := "${BB_DEFAULT_TASK}"
-addhandler process_reports_handler
-process_reports_handler[eventmask] = "bb.event.BuildCompleted"
-
-python process_reports_handler() {
- from isafw import isafw
-
- dd = d.createCopy()
- target_sysroot = dd.expand("${STAGING_DIR}/${MACHINE}")
- native_sysroot = dd.expand("${STAGING_DIR}/${BUILD_ARCH}")
- staging_populate_sysroot_dir(target_sysroot, native_sysroot, True, dd)
-
- dd.setVar("STAGING_DIR_NATIVE", native_sysroot)
- savedenv = os.environ.copy()
- os.environ["PATH"] = dd.getVar("PATH", True)
-
- imageSecurityAnalyser = isafw_init(isafw, dd)
- bb.debug(1, 'isafw: process reports')
- imageSecurityAnalyser.process_report()
-
- os.environ["PATH"] = savedenv["PATH"]
-}
-
-do_build[depends] += "cve-update-db-native:do_fetch ca-certificates-native:do_populate_sysroot"
-do_build[depends] += "python3-lxml-native:do_populate_sysroot"
-
-# These tasks are intended to be called directly by the user (e.g. bitbake -c)
-
-addtask do_analyse_sources after do_analysesource
-do_analyse_sources[doc] = "Produce ISAFW reports based on given package without building it"
-do_analyse_sources[nostamp] = "1"
-do_analyse_sources() {
- :
-}
-
-addtask do_analyse_sources_all after do_analysesource
-do_analyse_sources_all[doc] = "Produce ISAFW reports for all packages in given target without building them"
-do_analyse_sources_all[recrdeptask] = "do_analyse_sources_all do_analysesource"
-do_analyse_sources_all[recideptask] = "do_${PR_ORIG_TASK}"
-do_analyse_sources_all[nostamp] = "1"
-do_analyse_sources_all() {
- :
-}
-
-python() {
- # We probably don't need to scan these
- if bb.data.inherits_class('native', d) or \
- bb.data.inherits_class('nativesdk', d) or \
- bb.data.inherits_class('cross', d) or \
- bb.data.inherits_class('crosssdk', d) or \
- bb.data.inherits_class('cross-canadian', d) or \
- bb.data.inherits_class('packagegroup', d) or \
- bb.data.inherits_class('image', d):
- bb.build.deltask('do_analysesource', d)
-}
-
-fakeroot python do_analyse_image() {
-
- from isafw import isafw
-
- imageSecurityAnalyser = isafw_init(isafw, d)
-
- # Directory where the image's entire contents can be examined
- rootfsdir = d.getVar('IMAGE_ROOTFS', True)
-
- imagebasename = d.getVar('IMAGE_BASENAME', True)
-
- kernelconf = d.getVar('STAGING_KERNEL_BUILDDIR', True) + "/.config"
- if os.path.exists(kernelconf):
- kernel = isafw.ISA_kernel()
- kernel.img_name = imagebasename
- kernel.path_to_config = kernelconf
- bb.debug(1, 'do kernel conf analysis on %s' % kernelconf)
- imageSecurityAnalyser.process_kernel(kernel)
- else:
- bb.debug(1, 'Kernel configuration file is missing. Not performing analysis on %s' % kernelconf)
-
- pkglist = manifest2pkglist(d)
-
- imagebasename = d.getVar('IMAGE_BASENAME', True)
-
- if (pkglist):
- pkg_list = isafw.ISA_pkg_list()
- pkg_list.img_name = imagebasename
- pkg_list.path_to_list = pkglist
- bb.debug(1, 'do pkg list analysis on %s' % pkglist)
- imageSecurityAnalyser.process_pkg_list(pkg_list)
-
- fs = isafw.ISA_filesystem()
- fs.img_name = imagebasename
- fs.path_to_fs = rootfsdir
-
- bb.debug(1, 'do image analysis on %s' % rootfsdir)
- imageSecurityAnalyser.process_filesystem(fs)
-}
-
-do_rootfs[depends] += "checksec-native:do_populate_sysroot ca-certificates-native:do_populate_sysroot"
-do_rootfs[depends] += "python3-lxml-native:do_populate_sysroot"
-
-isafw_init[vardepsexclude] = "DATETIME"
-def isafw_init(isafw, d):
- import re, errno
-
- isafw_config = isafw.ISA_config()
- # Override the builtin default in curl-native (used by cve-update-db-nativ)
- # because that default is a path that may not be valid: when curl-native gets
- # installed from sstate, we end up with the sysroot path as it was on the
- # original build host, which is not necessarily the same path used now
- # (see https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883).
- #
- # Can't use ${sysconfdir} here, it already includes ${STAGING_DIR_NATIVE}
- # when the current recipe is native.
- isafw_config.cacert = d.expand('${STAGING_DIR_NATIVE}/etc/ssl/certs/ca-certificates.crt')
-
- bb.utils.export_proxies(d)
-
- isafw_config.machine = d.getVar('MACHINE', True)
- isafw_config.timestamp = d.getVar('DATETIME', True)
- isafw_config.reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + isafw_config.timestamp
- if not os.path.exists(os.path.dirname(isafw_config.reportdir + "/test")):
- try:
- os.makedirs(os.path.dirname(isafw_config.reportdir + "/test"))
- except OSError as exc:
- if exc.errno == errno.EEXIST and os.path.isdir(isafw_config.reportdir):
- pass
- else: raise
- isafw_config.logdir = d.getVar('ISAFW_LOGDIR', True)
- # Adding support for arm
- # TODO: Add support for other platforms
- isafw_config.arch = d.getVar('TARGET_ARCH', True)
- if ( isafw_config.arch != "arm" ):
- isafw_config.arch = "x86"
-
- whitelist = d.getVar('ISAFW_PLUGINS_WHITELIST', True)
- blacklist = d.getVar('ISAFW_PLUGINS_BLACKLIST', True)
- if whitelist:
- isafw_config.plugin_whitelist = re.split(r'[,\s]*', whitelist)
- if blacklist:
- isafw_config.plugin_blacklist = re.split(r'[,\s]*', blacklist)
-
- la_image_whitelist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_WHITELIST', True)
- la_image_blacklist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_BLACKLIST', True)
- if la_image_whitelist:
- isafw_config.la_plugin_image_whitelist = re.split(r'[,\s]*', la_image_whitelist)
- if la_image_blacklist:
- isafw_config.la_plugin_image_blacklist = re.split(r'[,\s]*', la_image_blacklist)
-
- return isafw.ISA(isafw_config)
-
-# based on toaster.bbclass _toaster_load_pkgdatafile function
-def binary2source(dirpath, filepath):
- import re
- originPkg = ""
- with open(os.path.join(dirpath, filepath), "r") as fin:
- for line in fin:
- try:
- kn, kv = line.strip().split(": ", 1)
- m = re.match(r"^PKG_([^A-Z:]*)", kn)
- if m:
- originPkg = str(m.group(1))
- except ValueError:
- pass # ignore lines without valid key: value pairs:
- if not originPkg:
- originPkg = "UNKNOWN"
- return originPkg
-
-manifest2pkglist[vardepsexclude] = "DATETIME"
-def manifest2pkglist(d):
- import glob
-
- manifest_file = d.getVar('IMAGE_MANIFEST', True)
- imagebasename = d.getVar('IMAGE_BASENAME', True)
- reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + d.getVar('DATETIME', True)
- pkgdata_dir = d.getVar("PKGDATA_DIR", True)
- rr_dir = "%s/runtime-reverse/" % pkgdata_dir
- pkglist = reportdir + "/pkglist"
-
- with open(pkglist, 'a') as foutput:
- foutput.write("Packages for image " + imagebasename + "\n")
- try:
- with open(manifest_file, 'r') as finput:
- for line in finput:
- items = line.split()
- if items and (len(items) >= 3):
- pkgnames = map(os.path.basename, glob.glob(os.path.join(rr_dir, items[0])))
- for pkgname in pkgnames:
- originPkg = binary2source(rr_dir, pkgname)
- version = items[2]
- if not version:
- version = "undetermined"
- foutput.write(pkgname + " " + version + " " + originPkg + "\n")
- except IOError:
- bb.debug(1, 'isafw: manifest file not found. Skip pkg list analysis')
- return "";
-
-
- return pkglist
-
-# NOTE: by the time IMAGE_POSTPROCESS_COMMAND items are called, the image
-# has been stripped of the package manager database (if runtime package management
-# is not enabled, i.e. 'package-management' is not in IMAGE_FEATURES). If you
-# do want to be using the package manager to operate on the image contents, you'll
-# need to call your function from ROOTFS_POSTINSTALL_COMMAND or
-# ROOTFS_POSTUNINSTALL_COMMAND instead - however if you do that you should then be
-# aware that what you'll be looking at isn't exactly what you will see in the image
-# at runtime (there will be other postprocessing functions called after yours).
-#
-# do_analyse_image does not need the package manager database. Making it
-# a separate task instead of a IMAGE_POSTPROCESS_COMMAND has several
-# advantages:
-# - all other image commands are guaranteed to have completed
-# - it can run in parallel to other tasks which depend on the complete
-# image, instead of blocking those other tasks
-# - meta-swupd helper images do not need to be analysed and won't be
-# because nothing depends on their "do_build" task, only on
-# do_image_complete
-python () {
- if bb.data.inherits_class('image', d):
- bb.build.addtask('do_analyse_image', 'do_build', 'do_image_complete', d)
-}
-
-python isafwreport_handler () {
-
- import shutil
-
- logdir = e.data.getVar('ISAFW_LOGDIR', True)
- if os.path.exists(os.path.dirname(logdir+"/test")):
- shutil.rmtree(logdir)
- os.makedirs(os.path.dirname(logdir+"/test"))
-
-}
-addhandler isafwreport_handler
-isafwreport_handler[eventmask] = "bb.event.BuildStarted"
diff --git a/meta-security/meta-security-isafw/conf/layer.conf b/meta-security/meta-security-isafw/conf/layer.conf
deleted file mode 100644
index fca5868..0000000
--- a/meta-security/meta-security-isafw/conf/layer.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# We have a conf and classes directory, add to BBPATH
-BBPATH .= ":${LAYERDIR}"
-
-# We have recipes-* directories, add to BBFILES
-BBFILES += "${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
-
-BBFILE_COLLECTIONS += "security-isafw"
-BBFILE_PATTERN_security-isafw = "^${LAYERDIR}/"
-BBFILE_PRIORITY_security-isafw = "6"
-
-# This should only be incremented on significant changes that will
-# cause compatibility issues with other layers
-LAYERVERSION_security-isafw = "1"
-
-LAYERDEPENDS_security-isafw = "core"
-
-LAYERSERIES_COMPAT_security-isafw = "mickledore"
-
-addpylib ${LAYERDIR}/lib oeqa
diff --git a/meta-security/meta-security-isafw/lib/isafw/__init__.py b/meta-security/meta-security-isafw/lib/isafw/__init__.py
deleted file mode 100644
index 50527fb..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/__init__.py
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# __init__.py - part of ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-"""isafw
-
-Current Contents:
-
-* isafw.py - main class
-* plugins - ISA plugins
-* plugins/configs - configuration data for the plugins
-"""
-
-__all__ = [
- 'isafw',
-]
diff --git a/meta-security/meta-security-isafw/lib/isafw/isafw.py b/meta-security/meta-security-isafw/lib/isafw/isafw.py
deleted file mode 100644
index a1a76b8..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isafw.py
+++ /dev/null
@@ -1,158 +0,0 @@
-#
-# isafw.py - Main classes for ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-from __future__ import absolute_import, print_function
-
-import sys
-import traceback
-try:
- # absolute import
- import isafw.isaplugins as isaplugins
-except ImportError:
- # relative import when installing as separate modules
- import isaplugins
-try:
- from bb import error
-except ImportError:
- error = print
-
-__all__ = [
- 'ISA_package',
- 'ISA_pkg_list',
- 'ISA_kernel',
- 'ISA_filesystem',
- 'ISA_config',
- 'ISA',
-]
-
-# classes for representing objects for ISA plugins
-
-# source package
-
-
-class ISA_package:
- # pkg name (mandatory argument)
- name = ""
- # full version (mandatory argument)
- version = ""
- licenses = [] # list of licences for all subpackages
- aliases = [] # list of alias names for packages if exist
- source_files = [] # list of strings of source files
- patch_files = [] # list of patch files to be applied
- path_to_sources = "" # path to the source files
-
-# package list
-
-
-class ISA_pkg_list:
- # image name (mandatory argument)
- img_name = ""
- # path to the pkg list file (mandatory argument)
- path_to_list = ""
-
-# kernel
-
-
-class ISA_kernel:
- # image name (mandatory argument)
- img_name = ""
- # path to the kernel config file (mandatory argument)
- path_to_config = ""
-
-# filesystem
-
-
-class ISA_filesystem:
- # image name (mandatory argument)
- img_name = ""
- type = "" # filesystem type
- # path to the fs location (mandatory argument)
- path_to_fs = ""
-
-# configuration of ISAFW
-# if both whitelist and blacklist is empty, all avaliable plugins will be used
-# if whitelist has entries, then only whitelisted plugins will be used from a set of avaliable plugins
-# if blacklist has entries, then the specified plugins won't be used even
-# if avaliable and even if specified in whitelist
-
-
-class ISA_config:
- plugin_whitelist = "" # comma separated list of plugins to whitelist
- plugin_blacklist = "" # comma separated list of plugins to blacklist
- cacert = None # If set, a CA certificate file that replaces the system default one
- reportdir = "" # location of produced reports
- logdir = "" # location of produced logs
- timestamp = "" # timestamp of the build provided by build system
- full_reports = False # produce full reports for plugins, False by default
- machine = "" # name of machine build is produced for
- la_plugin_image_whitelist = ""# whitelist of images for violating license checks
- la_plugin_image_blacklist = ""# blacklist of images for violating license checks
- arch = "" # target architecture
-
-class ISA:
- def call_plugins(self, methodname, *parameters, **keywords):
- for name in isaplugins.__all__:
- plugin = getattr(isaplugins, name)
- method = getattr(plugin, methodname, None)
- if not method:
- # Not having init() is an error, everything else is optional.
- if methodname == "init":
- error("No init() defined for plugin %s.\n"
- "Skipping this plugin." %
- (methodname, plugin.getPluginName()))
- continue
- if self.ISA_config.plugin_whitelist and plugin.getPluginName() not in self.ISA_config.plugin_whitelist:
- continue
- if self.ISA_config.plugin_blacklist and plugin.getPluginName() in self.ISA_config.plugin_blacklist:
- continue
- try:
- method(*parameters, **keywords)
- except:
- error("Exception in plugin %s %s():\n%s" %
- (plugin.getPluginName(),
- methodname,
- traceback.format_exc()))
-
- def __init__(self, ISA_config):
- self.ISA_config = ISA_config
- self.call_plugins("init", ISA_config)
-
- def process_package(self, ISA_package):
- self.call_plugins("process_package", ISA_package)
-
- def process_pkg_list(self, ISA_pkg_list):
- self.call_plugins("process_pkg_list", ISA_pkg_list)
-
- def process_kernel(self, ISA_kernel):
- self.call_plugins("process_kernel", ISA_kernel)
-
- def process_filesystem(self, ISA_filesystem):
- self.call_plugins("process_filesystem", ISA_filesystem)
-
- def process_report(self):
- self.call_plugins("process_report")
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
deleted file mode 100644
index daecba1..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
+++ /dev/null
@@ -1,392 +0,0 @@
-#
-# ISA_cfa_plugin.py - Compile flag analyzer plugin, part of ISA FW
-# Main functionality is based on build_comp script from Clear linux project
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-import subprocess
-import os
-import sys
-import re
-import copy
-try:
- from lxml import etree
-except ImportError:
- try:
- import xml.etree.cElementTree as etree
- except ImportError:
- import xml.etree.ElementTree as etree
-
-
-CFChecker = None
-
-
-class ISA_CFChecker():
- initialized = False
- no_relro = []
- partial_relro = []
- no_canary = []
- no_pie = []
- execstack = []
- execstack_not_defined = []
- nodrop_groups = []
- no_mpx = []
-
- def __init__(self, ISA_config):
- self.logfile = ISA_config.logdir + "/isafw_cfalog"
- self.full_report_name = ISA_config.reportdir + "/cfa_full_report_" + \
- ISA_config.machine + "_" + ISA_config.timestamp
- self.problems_report_name = ISA_config.reportdir + \
- "/cfa_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
- self.full_reports = ISA_config.full_reports
- self.ISA_filesystem = ""
- # check that checksec and other tools are installed
- tools_errors = _check_tools()
- if tools_errors:
- with open(self.logfile, 'w') as flog:
- flog.write(tools_errors)
- return
- self.initialized = True
- with open(self.logfile, 'w') as flog:
- flog.write("\nPlugin ISA_CFChecker initialized!\n")
- return
-
- def process_filesystem(self, ISA_filesystem):
- self.ISA_filesystem = ISA_filesystem
- fs_path = self.ISA_filesystem.path_to_fs
- img_name = self.ISA_filesystem.img_name
- if (self.initialized):
- if (img_name and fs_path):
- with open(self.logfile, 'a') as flog:
- flog.write("\n\nFilesystem path is: " + fs_path)
- if self.full_reports:
- with open(self.full_report_name + "_" + img_name, 'w') as ffull_report:
- ffull_report.write(
- "Security-relevant flags for executables for image: " + img_name + '\n')
- ffull_report.write("With rootfs location at " + fs_path + "\n\n")
- files = self.find_files(fs_path)
- import multiprocessing
- pool = multiprocessing.Pool()
- results = pool.imap(process_file_wrapper, files)
- pool.close()
- pool.join()
- self.process_results(results)
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Mandatory arguments such as image name and path to the filesystem are not provided!\n")
- flog.write("Not performing the call.\n")
- else:
- with open(self.logfile, 'a') as flog:
- flog.write("Plugin hasn't initialized! Not performing the call.\n")
-
- def process_results(self, results):
- fs_path = self.ISA_filesystem.path_to_fs
- for result in results:
- if not result:
- with open(self.logfile, 'a') as flog:
- flog.write("\nError in returned result")
- continue
- with open(self.logfile, 'a') as flog:
- flog.write("\n\nFor file: " + str(result[0]) + "\nlog is: " + str(result[5]))
- if result[1]:
- with open(self.logfile, 'a') as flog:
- flog.write("\n\nsec_field: " + str(result[1]))
- if "No RELRO" in result[1]:
- self.no_relro.append(result[0].replace(fs_path, ""))
- elif "Partial RELRO" in result[1]:
- self.partial_relro.append(result[0].replace(fs_path, ""))
- if "No canary found" in result[1]:
- self.no_canary.append(result[0].replace(fs_path, ""))
- if "No PIE" in result[1]:
- self.no_pie.append(result[0].replace(fs_path, ""))
- if result[2]:
- if result[2] == "execstack":
- self.execstack.append(result[0].replace(fs_path, ""))
- elif result[2] == "not_defined":
- self.execstack_not_defined.append(result[0].replace(fs_path, ""))
- if result[3] and (result[3] == True):
- self.nodrop_groups.append(result[0].replace(fs_path, ""))
- if result[4] and (result[4] == True):
- self.no_mpx.append(result[0].replace(fs_path, ""))
- self.write_full_report(result)
- self.write_report()
- self.write_report_xml()
-
- def write_full_report(self, result):
- if not self.full_reports:
- return
- fs_path = self.ISA_filesystem.path_to_fs
- img_name = self.ISA_filesystem.img_name
- with open(self.full_report_name + "_" + img_name, 'a') as ffull_report:
- ffull_report.write('\nFile: ' + result[0].replace(fs_path, ""))
- ffull_report.write('\nsecurity flags: ' + str(result[1]))
- ffull_report.write('\nexecstack: ' + str(result[2]))
- ffull_report.write('\nnodrop_groups: ' + str(result[3]))
- ffull_report.write('\nno mpx: ' + str(result[4]))
- ffull_report.write('\n')
-
- def write_report(self):
- fs_path = self.ISA_filesystem.path_to_fs
- img_name = self.ISA_filesystem.img_name
- with open(self.problems_report_name + "_" + img_name, 'w') as fproblems_report:
- fproblems_report.write("Report for image: " + img_name + '\n')
- fproblems_report.write("With rootfs location at " + fs_path + "\n\n")
- fproblems_report.write("Relocation Read-Only\n")
- fproblems_report.write("More information about RELRO and how to enable it:")
- fproblems_report.write(
- " http://tk-blog.blogspot.de/2009/02/relro-not-so-well-known-memory.html\n")
- fproblems_report.write("Files with no RELRO:\n")
- for item in self.no_relro:
- fproblems_report.write(item + '\n')
- fproblems_report.write("Files with partial RELRO:\n")
- for item in self.partial_relro:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nStack protection\n")
- fproblems_report.write(
- "More information about canary stack protection and how to enable it:")
- fproblems_report.write("https://lwn.net/Articles/584225/ \n")
- fproblems_report.write("Files with no canary:\n")
- for item in self.no_canary:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nPosition Independent Executable\n")
- fproblems_report.write("More information about PIE protection and how to enable it:")
- fproblems_report.write(
- "https://securityblog.redhat.com/2012/11/28/position-independent-executables-pie/\n")
- fproblems_report.write("Files with no PIE:\n")
- for item in self.no_pie:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nNon-executable stack\n")
- fproblems_report.write("Files with executable stack enabled:\n")
- for item in self.execstack:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nFiles with no ability to fetch executable stack status:\n")
- for item in self.execstack_not_defined:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nGrop initialization:\n")
- fproblems_report.write(
- "If using setuid/setgid calls in code, one must call initgroups or setgroups\n")
- fproblems_report.write(
- "Files that don't initialize groups while using setuid/setgid:\n")
- for item in self.nodrop_groups:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nMemory Protection Extensions\n")
- fproblems_report.write("More information about MPX protection and how to enable it:")
- fproblems_report.write(
- "https://software.intel.com/sites/default/files/managed/9d/f6/Intel_MPX_EnablingGuide.pdf\n")
- fproblems_report.write("Files that don't have MPX protection enabled:\n")
- for item in self.no_mpx:
- fproblems_report.write(item + '\n')
-
- def write_report_xml(self):
- numTests = len(self.no_relro) + len(self.partial_relro) + len(self.no_canary) + len(self.no_pie) + \
- len(self.execstack) + len(self.execstack_not_defined) + \
- len(self.nodrop_groups) + len(self.no_mpx)
- root = etree.Element('testsuite', name='ISA_CFChecker', tests=str(numTests))
- if self.no_relro:
- for item in self.no_relro:
- tcase1 = etree.SubElement(
- root, 'testcase', classname='files_with_no_RELRO', name=item)
- etree.SubElement(tcase1, 'failure', message=item, type='violation')
- if self.partial_relro:
- for item in self.partial_relro:
- tcase1 = etree.SubElement(
- root, 'testcase', classname='files_with_partial_RELRO', name=item)
- etree.SubElement(tcase1, 'failure', message=item, type='violation')
- if self.no_canary:
- for item in self.no_canary:
- tcase2 = etree.SubElement(
- root, 'testcase', classname='files_with_no_canary', name=item)
- etree.SubElement(tcase2, 'failure', message=item, type='violation')
- if self.no_pie:
- for item in self.no_pie:
- tcase3 = etree.SubElement(
- root, 'testcase', classname='files_with_no_PIE', name=item)
- etree.SubElement(tcase3, 'failure', message=item, type='violation')
- if self.execstack:
- for item in self.execstack:
- tcase5 = etree.SubElement(
- root, 'testcase', classname='files_with_execstack', name=item)
- etree.SubElement(tcase5, 'failure', message=item, type='violation')
- if self.execstack_not_defined:
- for item in self.execstack_not_defined:
- tcase6 = etree.SubElement(
- root, 'testcase', classname='files_with_execstack_not_defined', name=item)
- etree.SubElement(tcase6, 'failure', message=item, type='violation')
- if self.nodrop_groups:
- for item in self.nodrop_groups:
- tcase7 = etree.SubElement(
- root, 'testcase', classname='files_with_nodrop_groups', name=item)
- etree.SubElement(tcase7, 'failure', message=item, type='violation')
- if self.no_mpx:
- for item in self.no_mpx:
- tcase8 = etree.SubElement(
- root, 'testcase', classname='files_with_no_mpx', name=item)
- etree.SubElement(tcase8, 'failure', message=item, type='violation')
- tree = etree.ElementTree(root)
- output = self.problems_report_name + "_" + self.ISA_filesystem.img_name + '.xml'
- try:
- tree.write(output, encoding='UTF-8', pretty_print=True, xml_declaration=True)
- except TypeError:
- tree.write(output, encoding='UTF-8', xml_declaration=True)
-
- def find_files(self, init_path):
- list_of_files = []
- for (dirpath, dirnames, filenames) in os.walk(init_path):
- for f in filenames:
- list_of_files.append(str(dirpath + "/" + f)[:])
- return list_of_files
-
-
-def _check_tools():
-
- def _is_in_path(executable):
- "Check for presence of executable in PATH"
- for path in os.environ["PATH"].split(os.pathsep):
- path = path.strip('"')
- if (os.path.isfile(os.path.join(path, executable)) and
- os.access(os.path.join(path, executable), os.X_OK)):
- return True
- return False
-
- tools = {
- "checksec.sh": "Please install checksec from http://www.trapkit.de/tools/checksec.html\n",
- "execstack": "Please install execstack from prelink package\n",
- "readelf": "Please install binutils\n",
- "objdump": "Please install binutils\n",
- }
- output = ""
- for tool in tools:
- if not _is_in_path(tool):
- output += tools[tool]
- return output
-
-
-def get_info(tool, args, file_name):
- env = copy.deepcopy(os.environ)
- env['PSEUDO_UNLOAD'] = "1"
- cmd = [tool, args, file_name]
- with open(os.devnull, 'wb') as DEVNULL:
- try:
- result = subprocess.check_output(cmd, stderr=DEVNULL, env=env).decode('utf-8')
- except:
- return ""
- else:
- return result
-
-def get_security_flags(file_name):
- env = copy.deepcopy(os.environ)
- env['PSEUDO_UNLOAD'] = "1"
- cmd = ['checksec.sh', '--file', file_name]
- try:
- result = subprocess.check_output(cmd, env=env).decode('utf-8').splitlines()[1]
- except:
- return "Not able to fetch flags"
- else:
- # remove ansi escape color sequences
- result = re.sub(r'\x1b[^m]*m', '', result)
- return re.split(r' {2,}', result)[:-1]
-
-
-def process_file(file):
- log = "File from map " + file
- fun_results = [file, [], "", False, False, log]
- if not os.path.isfile(file):
- return fun_results
- env = copy.deepcopy(os.environ)
- env['PSEUDO_UNLOAD'] = "1"
- # getting file type
- cmd = ['file', '--mime-type', file]
- try:
- result = subprocess.check_output(cmd, env=env).decode('utf-8')
- except:
- fun_results[-1] += "\nNot able to decode mime type"
- return fun_results
- file_type = result.split()[-1]
- # looking for links
- if "symlink" in file_type:
- file = os.path.realpath(file)
- cmd = ['file', '--mime-type', file]
- try:
- result = subprocess.check_output(cmd, env=env).decode('utf-8')
- except:
- fun_results[-1] += "\nNot able to decode mime type"
- return fun_results
- file_type = result.split()[-1]
- # checking security flags if applies
- if "application" not in file_type:
- return fun_results
- fun_results[-1] += "\nFile type: " + file_type
- if (("octet-stream" in file_type) or ("dosexec" in file_type) or
- ("archive" in file_type) or ("xml" in file_type) or
- ("gzip" in file_type) or ("postscript" in file_type) or
- ("pdf" in file_type)):
- return fun_results
- fun_results[1] = get_security_flags(file)
- tmp = get_info("execstack", '-q', file)
- if tmp.startswith("X "):
- fun_results[2] = "execstack"
- elif tmp.startswith("? "):
- fun_results[2] = "not_defined"
- tmp = get_info("readelf", '-s', file)
- if ("setgid@GLIBC" in tmp) or ("setegid@GLIBC" in tmp) or ("setresgid@GLIBC" in tmp):
- if ("setuid@GLIBC" in tmp) or ("seteuid@GLIBC" in tmp) or ("setresuid@GLIBC" in tmp):
- if ("setgroups@GLIBC" not in tmp) and ("initgroups@GLIBC" not in tmp):
- fun_results[3] = True
- tmp = get_info("objdump", '-d', file)
- if ("bndcu" not in tmp) and ("bndcl" not in tmp) and ("bndmov" not in tmp):
- fun_results[4] = True
- return fun_results
-
-def process_file_wrapper(file):
- # Ensures that exceptions get logged with the original backtrace.
- # Without this, they appear with a backtrace rooted in
- # the code which transfers back the result to process_results().
- try:
- return process_file(file)
- except:
- from isafw import isafw
- import traceback
- isafw.error('Internal error:\n%s' % traceback.format_exc())
- raise
-
-# ======== supported callbacks from ISA ============ #
-
-
-def init(ISA_config):
- global CFChecker
- CFChecker = ISA_CFChecker(ISA_config)
-
-
-def getPluginName():
- return "ISA_CFChecker"
-
-
-def process_filesystem(ISA_filesystem):
- global CFChecker
- return CFChecker.process_filesystem(ISA_filesystem)
-
-# =================================================== #
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py
deleted file mode 100644
index 268aa45..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py
+++ /dev/null
@@ -1,217 +0,0 @@
-#
-# ISA_cve_plugin.py - CVE checker plugin, part of ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-import subprocess
-import os, sys
-import re
-
-CVEChecker = None
-pkglist = "/cve_check_tool_pkglist"
-
-
-class ISA_CVEChecker:
- initialized = False
-
- def __init__(self, ISA_config):
- self.cacert = ISA_config.cacert
- self.reportdir = ISA_config.reportdir
- self.timestamp = ISA_config.timestamp
- self.logfile = ISA_config.logdir + "/isafw_cvelog"
- self.report_name = ISA_config.reportdir + "/cve_report_" + \
- ISA_config.machine + "_" + ISA_config.timestamp
- self.initialized = True
- with open(self.logfile, 'a') as flog:
- flog.write("\nPlugin ISA_CVEChecker initialized!\n")
- output = ""
- # check that cve-check-tool is installed
-
- def process_package(self, ISA_pkg):
- if (self.initialized):
- if (ISA_pkg.name and ISA_pkg.version and ISA_pkg.patch_files):
- alias_pkgs_faux = []
- # need to compose faux format line for cve-check-tool
- cve_patch_info = self.process_patch_list(ISA_pkg.patch_files)
- pkgline_faux = ISA_pkg.name + "," + ISA_pkg.version + "," + cve_patch_info + ",\n"
- if ISA_pkg.aliases:
- for a in ISA_pkg.aliases:
- alias_pkgs_faux.append(
- a + "," + ISA_pkg.version + "," + cve_patch_info + ",\n")
- pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
- with open(self.reportdir + pkglist_faux, 'a') as fauxfile:
- fauxfile.write(pkgline_faux)
- for a in alias_pkgs_faux:
- fauxfile.write(a)
-
- with open(self.logfile, 'a') as flog:
- flog.write("\npkg info: " + pkgline_faux)
- else:
- self.initialized = False
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Mandatory arguments such as pkg name, version and list of patches are not provided!\n")
- flog.write("Not performing the call.\n")
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Plugin hasn't initialized! Not performing the call.\n")
-
- def process_report(self):
- if not os.path.isfile(self.reportdir + pkglist + "_" + self.timestamp + ".faux"):
- return
- if (self.initialized):
- with open(self.logfile, 'a') as flog:
- flog.write("Creating report in HTML format.\n")
- result = self.process_report_type("html")
-
- with open(self.logfile, 'a') as flog:
- flog.write("Creating report in CSV format.\n")
- result = self.process_report_type("csv")
-
- pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
- os.remove(self.reportdir + pkglist_faux)
-
- with open(self.logfile, 'a') as flog:
- flog.write("Creating report in XML format.\n")
- self.write_report_xml(result)
-
- def write_report_xml(self, result):
- try:
- from lxml import etree
- except ImportError:
- try:
- import xml.etree.cElementTree as etree
- except ImportError:
- import xml.etree.ElementTree as etree
- num_tests = 0
- root = etree.Element('testsuite', name='CVE_Plugin', tests='1')
-
- if result :
- num_tests = 1
- tcase = etree.SubElement(
- root, 'testcase', classname='ISA_CVEChecker', name="Error in cve-check-tool")
- etree.SubElement( tcase, 'failure', message=result, type='violation')
- else:
- with open(self.report_name + ".csv", 'r') as f:
- for line in f:
- num_tests += 1
- line = line.strip()
- line_sp = line.split(',', 2)
- if (len(line_sp) >= 3) and (line_sp[2].startswith('CVE')):
- tcase = etree.SubElement(
- root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
- etree.SubElement(
- tcase, 'failure', message=line, type='violation')
- else:
- tcase = etree.SubElement(
- root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
-
- root.set('tests', str(num_tests))
- tree = etree.ElementTree(root)
- output = self.report_name + '.xml'
- try:
- tree.write(output, encoding='UTF-8',
- pretty_print=True, xml_declaration=True)
- except TypeError:
- tree.write(output, encoding='UTF-8', xml_declaration=True)
-
- def process_report_type(self, rtype):
- # now faux file is ready and we can process it
- args = ""
- result = ""
- tool_stderr_value = ""
- args += "cve-check-tool "
- if self.cacert:
- args += "--cacert '%s' " % self.cacert
- if rtype != "html":
- args += "-c "
- rtype = "csv"
- pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
- args += "-a -t faux '" + self.reportdir + pkglist_faux + "'"
- with open(self.logfile, 'a') as flog:
- flog.write("Args: " + args)
- try:
- popen = subprocess.Popen(
- args, shell=True, env=os.environ, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- result = popen.communicate()
- except:
- tool_stderr_value = "Error in executing cve-check-tool" + str(sys.exc_info())
- with open(self.logfile, 'a') as flog:
- flog.write("Error in executing cve-check-tool: " +
- str(sys.exc_info()))
- else:
- stdout_value = result[0]
- tool_stderr_value = result[1].decode('utf-8')
- if not tool_stderr_value and popen.returncode == 0:
- report = self.report_name + "." + rtype
- with open(report, 'wb') as freport:
- freport.write(stdout_value)
- else:
- tool_stderr_value = tool_stderr_value + \
- "\ncve-check-tool terminated with exit code " + str(popen.returncode)
- return tool_stderr_value
-
- def process_patch_list(self, patch_files):
- patch_info = ""
- for patch in patch_files:
- patch1 = patch.partition("cve")
- if (patch1[0] == patch):
- # no cve substring, try CVE
- patch1 = patch.partition("CVE")
- if (patch1[0] == patch):
- continue
- patchstripped = patch1[2].split('-')
- try:
- patch_info += " CVE-" + \
- patchstripped[1] + "-" + re.findall('\d+', patchstripped[2])[0]
- except IndexError:
- # string parsing attempt failed, so just skip this patch
- continue
- return patch_info
-
-# ======== supported callbacks from ISA ============= #
-
-
-def init(ISA_config):
- global CVEChecker
- CVEChecker = ISA_CVEChecker(ISA_config)
-
-
-def getPluginName():
- return "ISA_CVEChecker"
-
-
-def process_package(ISA_pkg):
- global CVEChecker
- return CVEChecker.process_package(ISA_pkg)
-
-
-def process_report():
- global CVEChecker
- return CVEChecker.process_report()
-
-# ==================================================== #
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py
deleted file mode 100644
index 0909756..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py
+++ /dev/null
@@ -1,185 +0,0 @@
-#
-# ISA_fsa_plugin.py - Filesystem analyser plugin, part of ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-import os
-from stat import *
-try:
- from lxml import etree
-except ImportError:
- try:
- import xml.etree.cElementTree as etree
- except ImportError:
- import xml.etree.ElementTree as etree
-
-
-FSAnalyzer = None
-
-
-class ISA_FSChecker():
- initialized = False
-
- def __init__(self, ISA_config):
- self.logfile = ISA_config.logdir + "/isafw_fsalog"
- self.full_report_name = ISA_config.reportdir + "/fsa_full_report_" + \
- ISA_config.machine + "_" + ISA_config.timestamp
- self.problems_report_name = ISA_config.reportdir + \
- "/fsa_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
- self.full_reports = ISA_config.full_reports
- self.initialized = True
- self.setuid_files = []
- self.setgid_files = []
- self.ww_files = []
- self.no_sticky_bit_ww_dirs = []
- with open(self.logfile, 'w') as flog:
- flog.write("\nPlugin ISA_FSChecker initialized!\n")
-
- def process_filesystem(self, ISA_filesystem):
- if (self.initialized):
- if (ISA_filesystem.img_name and ISA_filesystem.path_to_fs):
- with open(self.logfile, 'a') as flog:
- flog.write("Analyzing filesystem at: " + ISA_filesystem.path_to_fs +
- " for the image: " + ISA_filesystem.img_name + "\n")
- self.files = self.find_fsobjects(ISA_filesystem.path_to_fs)
- with open(self.logfile, 'a') as flog:
- flog.write("\nFilelist is: " + str(self.files))
- if self.full_reports:
- with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'w') as ffull_report:
- ffull_report.write(
- "Report for image: " + ISA_filesystem.img_name + '\n')
- ffull_report.write(
- "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n")
- for f in self.files:
- st = os.lstat(f)
- i = f.replace(ISA_filesystem.path_to_fs, "")
- if self.full_reports:
- with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'a') as ffull_report:
- ffull_report.write("File: " + i + ' mode: ' + str(oct(st.st_mode)) +
- " uid: " + str(st.st_uid) + " gid: " + str(st.st_gid) + '\n')
- if ((st.st_mode & S_ISUID) == S_ISUID):
- self.setuid_files.append(i)
- if ((st.st_mode & S_ISGID) == S_ISGID):
- self.setgid_files.append(i)
- if ((st.st_mode & S_IWOTH) == S_IWOTH):
- if (((st.st_mode & S_IFDIR) == S_IFDIR) and ((st.st_mode & S_ISVTX) != S_ISVTX)):
- self.no_sticky_bit_ww_dirs.append(i)
- if (((st.st_mode & S_IFREG) == S_IFREG) and ((st.st_mode & S_IFLNK) != S_IFLNK)):
- self.ww_files.append(i)
- self.write_problems_report(ISA_filesystem)
- self.write_problems_report_xml(ISA_filesystem)
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Mandatory arguments such as image name and path to the filesystem are not provided!\n")
- flog.write("Not performing the call.\n")
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Plugin hasn't initialized! Not performing the call.\n")
-
- def write_problems_report(self, ISA_filesystem):
- with open(self.problems_report_name + "_" + ISA_filesystem.img_name, 'w') as fproblems_report:
- fproblems_report.write(
- "Report for image: " + ISA_filesystem.img_name + '\n')
- fproblems_report.write(
- "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n")
- fproblems_report.write("Files with SETUID bit set:\n")
- for item in self.setuid_files:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nFiles with SETGID bit set:\n")
- for item in self.setgid_files:
- fproblems_report.write(item + '\n')
- fproblems_report.write("\n\nWorld-writable files:\n")
- for item in self.ww_files:
- fproblems_report.write(item + '\n')
- fproblems_report.write(
- "\n\nWorld-writable dirs with no sticky bit:\n")
- for item in self.no_sticky_bit_ww_dirs:
- fproblems_report.write(item + '\n')
-
- def write_problems_report_xml(self, ISA_filesystem):
- num_tests = len(self.setuid_files) + len(self.setgid_files) + \
- len(self.ww_files) + len(self.no_sticky_bit_ww_dirs)
- root = etree.Element(
- 'testsuite', name='FSA_Plugin', tests=str(num_tests))
- if self.setuid_files:
- for item in self.setuid_files:
- tcase1 = etree.SubElement(
- root, 'testcase', classname='Files_with_SETUID_bit_set', name=item)
- etree.SubElement(
- tcase1, 'failure', message=item, type='violation')
- if self.setgid_files:
- for item in self.setgid_files:
- tcase2 = etree.SubElement(
- root, 'testacase', classname='Files_with_SETGID_bit_set', name=item)
- etree.SubElement(
- tcase2, 'failure', message=item, type='violation')
- if self.ww_files:
- for item in self.ww_files:
- tcase3 = etree.SubElement(
- root, 'testase', classname='World-writable_files', name=item)
- etree.SubElement(
- tcase3, 'failure', message=item, type='violation')
- if self.no_sticky_bit_ww_dirs:
- for item in self.no_sticky_bit_ww_dirs:
- tcase4 = etree.SubElement(
- root, 'testcase', classname='World-writable_dirs_with_no_sticky_bit', name=item)
- etree.SubElement(
- tcase4, 'failure', message=item, type='violation')
- tree = etree.ElementTree(root)
- output = self.problems_report_name + "_" + ISA_filesystem.img_name + '.xml'
- try:
- tree.write(output, encoding='UTF-8',
- pretty_print=True, xml_declaration=True)
- except TypeError:
- tree.write(output, encoding='UTF-8', xml_declaration=True)
-
- def find_fsobjects(self, init_path):
- list_of_files = []
- for (dirpath, dirnames, filenames) in os.walk(init_path):
- if (dirpath != init_path):
- list_of_files.append(str(dirpath)[:])
- for f in filenames:
- list_of_files.append(str(dirpath + "/" + f)[:])
- return list_of_files
-
-# ======== supported callbacks from ISA ============= #
-
-
-def init(ISA_config):
- global FSAnalyzer
- FSAnalyzer = ISA_FSChecker(ISA_config)
-
-
-def getPluginName():
- return "ISA_FSChecker"
-
-
-def process_filesystem(ISA_filesystem):
- global FSAnalyzer
- return FSAnalyzer.process_filesystem(ISA_filesystem)
-
-# ==================================================== #
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py
deleted file mode 100644
index ba09819..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py
+++ /dev/null
@@ -1,323 +0,0 @@
-#
-# ISA_kca_plugin.py - Kernel config options analyzer plugin, part of ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-try:
- from lxml import etree
-except ImportError:
- try:
- import xml.etree.cElementTree as etree
- except ImportError:
- import xml.etree.ElementTree as etree
-import importlib
-
-KCAnalyzer = None
-
-
-class ISA_KernelChecker():
- initialized = False
-
- def __init__(self, ISA_config):
- self.logfile = ISA_config.logdir + "/isafw_kcalog"
- self.full_report_name = ISA_config.reportdir + "/kca_full_report_" + \
- ISA_config.machine + "_" + ISA_config.timestamp
- self.problems_report_name = ISA_config.reportdir + \
- "/kca_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
- self.full_reports = ISA_config.full_reports
- self.initialized = True
- self.arch = ISA_config.arch
- with open(self.logfile, 'w') as flog:
- flog.write("\nPlugin ISA_KernelChecker initialized!\n")
-
- def append_recommendation(self, report, key, value):
- report.write("Recommended value:\n")
- report.write(key + ' : ' + str(value) + '\n')
- comment = self.comments.get(key, '')
- if comment != '':
- report.write("Comment:\n")
- report.write(comment + '\n')
-
- def process_kernel(self, ISA_kernel):
- if (self.initialized):
- if (ISA_kernel.img_name and ISA_kernel.path_to_config):
- # Merging common and arch configs
- common_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format('common'))
- arch_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format(self.arch))
-
- for c in ["hardening_kco", "keys_kco", "security_kco", "integrity_kco",
- "hardening_kco_ref", "keys_kco_ref", "security_kco_ref", "integrity_kco_ref",
- "comments"]:
- setattr(self, c, merge_config(getattr(arch_config_module, c), getattr(common_config_module, c)))
- with open(self.logfile, 'a') as flog:
- flog.write("Analyzing kernel config file at: " + ISA_kernel.path_to_config +
- " for the image: " + ISA_kernel.img_name + "\n")
- with open(ISA_kernel.path_to_config, 'r') as fkernel_conf:
- for line in fkernel_conf:
- line = line.strip('\n')
- for key in self.hardening_kco:
- if key + '=' in line:
- self.hardening_kco[key] = line.split('=')[1]
- for key in self.keys_kco:
- if key + '=' in line:
- self.keys_kco[key] = line.split('=')[1]
- for key in self.security_kco:
- if key + '=' in line:
- self.security_kco[key] = line.split('=')[1]
- for key in self.integrity_kco:
- if key + '=' in line:
- self.integrity_kco[key] = line.split('=')[1]
- with open(self.logfile, 'a') as flog:
- flog.write("\n\nhardening_kco values: " +
- str(self.hardening_kco))
- flog.write("\n\nkeys_kco values: " + str(self.keys_kco))
- flog.write("\n\nsecurity_kco values: " +
- str(self.security_kco))
- flog.write("\n\nintegrity_kco values: " +
- str(self.integrity_kco))
- self.write_full_report(ISA_kernel)
- self.write_problems_report(ISA_kernel)
-
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Mandatory arguments such as image name and path to config are not provided!\n")
- flog.write("Not performing the call.\n")
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Plugin hasn't initialized! Not performing the call!\n")
-
- def write_full_report(self, ISA_kernel):
- if self.full_reports:
- with open(self.full_report_name + "_" + ISA_kernel.img_name, 'w') as freport:
- freport.write("Report for image: " +
- ISA_kernel.img_name + '\n')
- freport.write("With the kernel conf at: " +
- ISA_kernel.path_to_config + '\n\n')
- freport.write("Hardening options:\n")
- for key in sorted(self.hardening_kco):
- freport.write(
- key + ' : ' + str(self.hardening_kco[key]) + '\n')
- freport.write("\nKey-related options:\n")
- for key in sorted(self.keys_kco):
- freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n')
- freport.write("\nSecurity options:\n")
- for key in sorted(self.security_kco):
- freport.write(
- key + ' : ' + str(self.security_kco[key]) + '\n')
- freport.write("\nIntegrity options:\n")
- for key in sorted(self.integrity_kco):
- freport.write(
- key + ' : ' + str(self.integrity_kco[key]) + '\n')
-
- def write_problems_report(self, ISA_kernel):
- self.write_text_problems_report(ISA_kernel)
- self.write_xml_problems_report(ISA_kernel)
-
- def write_text_problems_report(self, ISA_kernel):
- with open(self.problems_report_name + "_" + ISA_kernel.img_name, 'w') as freport:
- freport.write("Report for image: " + ISA_kernel.img_name + '\n')
- freport.write("With the kernel conf at: " +
- ISA_kernel.path_to_config + '\n\n')
- freport.write("Hardening options that need improvement:\n")
- for key in sorted(self.hardening_kco):
- if (self.hardening_kco[key] != self.hardening_kco_ref[key]):
- valid = False
- if (key == "CONFIG_CMDLINE"):
- if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0):
- valid = True
- if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"):
- if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'):
- valid = True
- if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"):
- options = self.hardening_kco_ref[key].split(',')
- for option in options:
- if (option == self.hardening_kco[key]):
- valid = True
- break
- if not valid:
- freport.write("\nActual value:\n")
- freport.write(
- key + ' : ' + str(self.hardening_kco[key]) + '\n')
- self.append_recommendation(freport, key, self.hardening_kco_ref[key])
- freport.write("\nKey-related options that need improvement:\n")
- for key in sorted(self.keys_kco):
- if (self.keys_kco[key] != self.keys_kco_ref[key]):
- freport.write("\nActual value:\n")
- freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n')
- self.append_recommendation(freport, key, self.keys_kco_ref[key])
- freport.write("\nSecurity options that need improvement:\n")
- for key in sorted(self.security_kco):
- if (self.security_kco[key] != self.security_kco_ref[key]):
- valid = False
- if (key == "CONFIG_DEFAULT_SECURITY"):
- options = self.security_kco_ref[key].split(',')
- for option in options:
- if (option == self.security_kco[key]):
- valid = True
- break
- if ((key == "CONFIG_SECURITY_SELINUX") or
- (key == "CONFIG_SECURITY_SMACK") or
- (key == "CONFIG_SECURITY_APPARMOR") or
- (key == "CONFIG_SECURITY_TOMOYO")):
- if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')):
- valid = True
- if not valid:
- freport.write("\nActual value:\n")
- freport.write(
- key + ' : ' + str(self.security_kco[key]) + '\n')
- self.append_recommendation(freport, key, self.security_kco_ref[key])
- freport.write("\nIntegrity options that need improvement:\n")
- for key in sorted(self.integrity_kco):
- if (self.integrity_kco[key] != self.integrity_kco_ref[key]):
- valid = False
- if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or
- (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or
- (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or
- (key == "CONFIG_IMA_DEFAULT_HASH_WP512")):
- if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or
- (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')):
- valid = True
- if not valid:
- freport.write("\nActual value:\n")
- freport.write(
- key + ' : ' + str(self.integrity_kco[key]) + '\n')
- self.append_recommendation(freport, key, self.integrity_kco_ref[key])
-
- def write_xml_problems_report(self, ISA_kernel):
- # write_problems_report_xml
- num_tests = len(self.hardening_kco) + len(self.keys_kco) + \
- len(self.security_kco) + len(self.integrity_kco)
- root = etree.Element(
- 'testsuite', name='KCA_Plugin', tests=str(num_tests))
- for key in sorted(self.hardening_kco):
- tcase1 = etree.SubElement(
- root, 'testcase', classname='Hardening options', name=key)
- if (self.hardening_kco[key] != self.hardening_kco_ref[key]):
- valid = False
- if (key == "CONFIG_CMDLINE"):
- if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0):
- valid = True
- if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"):
- if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'):
- valid = True
- if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"):
- options = self.hardening_kco_ref[key].split(',')
- for option in options:
- if (option == self.hardening_kco[key]):
- valid = True
- break
- if not valid:
- msg1 = 'current=' + key + ' is ' + \
- str(self.hardening_kco[
- key]) + ', recommended=' + key + ' is ' + str(self.hardening_kco_ref[key])
- etree.SubElement(
- tcase1, 'failure', message=msg1, type='violation')
- for key in sorted(self.keys_kco):
- tcase2 = etree.SubElement(
- root, 'testcase', classname='Key-related options', name=key)
- if (self.keys_kco[key] != self.keys_kco_ref[key]):
- msg2 = 'current=' + key + ' is ' + \
- str(self.keys_kco[key] + ', recommended=' +
- key + ' is ' + str(self.keys_kco_ref[key]))
- etree.SubElement(
- tcase2, 'failure', message=msg2, type='violation')
- for key in sorted(self.security_kco):
- tcase3 = etree.SubElement(
- root, 'testcase', classname='Security options', name=key)
- if (self.security_kco[key] != self.security_kco_ref[key]):
- valid = False
- if (key == "CONFIG_DEFAULT_SECURITY"):
- options = self.security_kco_ref[key].split(',')
- for option in options:
- if (option == self.security_kco[key]):
- valid = True
- break
- if ((key == "CONFIG_SECURITY_SELINUX") or
- (key == "CONFIG_SECURITY_SMACK") or
- (key == "CONFIG_SECURITY_APPARMOR") or
- (key == "CONFIG_SECURITY_TOMOYO")):
- if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or
- (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')):
- valid = True
- if not valid:
- msg3 = 'current=' + key + ' is ' + \
- str(self.security_kco[key]) + ', recommended=' + \
- key + ' is ' + str(self.security_kco_ref[key])
- etree.SubElement(
- tcase3, 'failure', message=msg3, type='violation')
- for key in sorted(self.integrity_kco):
- tcase4 = etree.SubElement(
- root, 'testcase', classname='Integrity options', name=key)
- if (self.integrity_kco[key] != self.integrity_kco_ref[key]):
- valid = False
- if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or
- (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or
- (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or
- (key == "CONFIG_IMA_DEFAULT_HASH_WP512")):
- if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or
- (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')):
- valid = True
- if not valid:
- msg4 = 'current=' + key + ' is ' + \
- str(self.integrity_kco[
- key]) + ', recommended=' + key + ' is ' + str(self.integrity_kco_ref[key])
- etree.SubElement(
- tcase4, 'failure', message=msg4, type='violation')
- tree = etree.ElementTree(root)
- output = self.problems_report_name + "_" + ISA_kernel.img_name + '.xml'
- try:
- tree.write(output, encoding='UTF-8',
- pretty_print=True, xml_declaration=True)
- except TypeError:
- tree.write(output, encoding='UTF-8', xml_declaration=True)
-
-
-def merge_config(arch_kco, common_kco):
- merged = arch_kco.copy()
- merged.update(common_kco)
- return merged
-
-# ======== supported callbacks from ISA ============= #
-def init(ISA_config):
- global KCAnalyzer
- KCAnalyzer = ISA_KernelChecker(ISA_config)
-
-
-def getPluginName():
- return "ISA_KernelChecker"
-
-
-def process_kernel(ISA_kernel):
- global KCAnalyzer
- return KCAnalyzer.process_kernel(ISA_kernel)
-# ==================================================== #
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
deleted file mode 100644
index 20e7e26b..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
+++ /dev/null
@@ -1,273 +0,0 @@
-#
-# ISA_la_plugin.py - License analyzer plugin, part of ISA FW
-# Functionality is based on similar scripts from Clear linux project
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-import subprocess
-import os, sys
-
-LicenseChecker = None
-
-flicenses = "/configs/la/licenses"
-fapproved_non_osi = "/configs/la/approved-non-osi"
-fexceptions = "/configs/la/exceptions"
-funwanted = "/configs/la/violations"
-
-
-class ISA_LicenseChecker():
- initialized = False
- rpm_present = False
-
- def __init__(self, ISA_config):
- self.logfile = ISA_config.logdir + "/isafw_lalog"
- self.unwanted = []
- self.report_name = ISA_config.reportdir + "/la_problems_report_" + \
- ISA_config.machine + "_" + ISA_config.timestamp
- self.image_pkg_list = ISA_config.reportdir + "/pkglist"
- self.image_pkgs = []
- self.la_plugin_image_whitelist = ISA_config.la_plugin_image_whitelist
- self.la_plugin_image_blacklist = ISA_config.la_plugin_image_blacklist
- self.initialized = True
- with open(self.logfile, 'a') as flog:
- flog.write("\nPlugin ISA_LA initialized!\n")
- # check that rpm is installed (supporting only rpm packages for now)
- DEVNULL = open(os.devnull, 'wb')
- rc = subprocess.call(["which", "rpm"], stdout=DEVNULL, stderr=DEVNULL)
- DEVNULL.close()
- if rc == 0:
- self.rpm_present = True
- else:
- with open(self.logfile, 'a') as flog:
- flog.write("rpm tool is missing! Licence info is expected from build system\n")
-
- def process_package(self, ISA_pkg):
- if (self.initialized):
- if ISA_pkg.name:
- if (not ISA_pkg.licenses):
- # need to determine licenses first
- # for this we need rpm tool to be present
- if (not self.rpm_present):
- with open(self.logfile, 'a') as flog:
- flog.write("rpm tool is missing and licence info is not provided. Cannot proceed.\n")
- return;
- if (not ISA_pkg.source_files):
- if (not ISA_pkg.path_to_sources):
- self.initialized = False
- with open(self.logfile, 'a') as flog:
- flog.write(
- "No path to sources or source file list is provided!")
- flog.write(
- "\nNot able to determine licenses for package: " + ISA_pkg.name)
- return
- # need to build list of source files
- ISA_pkg.source_files = self.find_files(
- ISA_pkg.path_to_sources)
- for i in ISA_pkg.source_files:
- if (i.endswith(".spec")):# supporting rpm only for now
- args = ("rpm", "-q", "--queryformat",
- "%{LICENSE} ", "--specfile", i)
- try:
- popen = subprocess.Popen(
- args, stdout=subprocess.PIPE)
- popen.wait()
- ISA_pkg.licenses = popen.stdout.read().split()
- except:
- self.initialized = False
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Error in executing rpm query: " + str(sys.exc_info()))
- flog.write(
- "\nNot able to process package: " + ISA_pkg.name)
- return
- for l in ISA_pkg.licenses:
- if (not self.check_license(l, flicenses) and
- not self.check_license(l, fapproved_non_osi) and
- not self.check_exceptions(ISA_pkg.name, l, fexceptions)):
- # log the package as not following correct license
- with open(self.report_name, 'a') as freport:
- freport.write(l + "\n")
- if (self.check_license(l, funwanted)):
- # log the package as having license that should not be
- # used
- with open(self.report_name + "_unwanted", 'a') as freport:
- freport.write(l + "\n")
- else:
- self.initialized = False
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Mandatory argument package name is not provided!\n")
- flog.write("Not performing the call.\n")
- else:
- with open(self.logfile, 'a') as flog:
- flog.write(
- "Plugin hasn't initialized! Not performing the call.")
-
- def process_report(self):
- if (self.initialized):
- with open(self.logfile, 'a') as flog:
- flog.write("Creating report with violating licenses.\n")
- self.process_pkg_list()
- self.write_report_unwanted()
- with open(self.logfile, 'a') as flog:
- flog.write("Creating report in XML format.\n")
- self.write_report_xml()
-
- def process_pkg_list(self):
- if os.path.isfile (self.image_pkg_list):
- img_name = ""
- with open(self.image_pkg_list, 'r') as finput:
- for line in finput:
- line = line.strip()
- if not line:
- continue
- if line.startswith("Packages "):
- img_name = line.split()[3]
- with open(self.logfile, 'a') as flog:
- flog.write("img_name: " + img_name + "\n")
- continue
- package_info = line.split()
- pkg_name = package_info[0]
- orig_pkg_name = package_info[2]
- if (not self.image_pkgs) or ((pkg_name + " from " + img_name) not in self.image_pkgs):
- self.image_pkgs.append(pkg_name + " from " + img_name + " " + orig_pkg_name)
-
- def write_report_xml(self):
- try:
- from lxml import etree
- except ImportError:
- try:
- import xml.etree.cElementTree as etree
- except ImportError:
- import xml.etree.ElementTree as etree
- num_tests = 0
- root = etree.Element('testsuite', name='LA_Plugin', tests='2')
- if os.path.isfile(self.report_name):
- with open(self.report_name, 'r') as f:
- class_name = "Non-approved-licenses"
- for line in f:
- line = line.strip()
- if line == "":
- continue
- if line.startswith("Packages that "):
- class_name = "Violating-licenses"
- continue
- num_tests += 1
- tcase1 = etree.SubElement(
- root, 'testcase', classname=class_name, name=line.split(':', 1)[0])
- etree.SubElement(
- tcase1, 'failure', message=line, type='violation')
- else:
- tcase1 = etree.SubElement(
- root, 'testcase', classname='ISA_LAChecker', name='none')
- num_tests = 1
- root.set('tests', str(num_tests))
- tree = etree.ElementTree(root)
- output = self.report_name + '.xml'
- try:
- tree.write(output, encoding='UTF-8',
- pretty_print=True, xml_declaration=True)
- except TypeError:
- tree.write(output, encoding='UTF-8', xml_declaration=True)
-
- def write_report_unwanted(self):
- if os.path.isfile(self.report_name + "_unwanted"):
- with open(self.logfile, 'a') as flog:
- flog.write("image_pkgs: " + str(self.image_pkgs) + "\n")
- flog.write("self.la_plugin_image_whitelist: " + str(self.la_plugin_image_whitelist) + "\n")
- flog.write("self.la_plugin_image_blacklist: " + str(self.la_plugin_image_blacklist) + "\n")
- with open(self.report_name, 'a') as fout:
- with open(self.report_name + "_unwanted", 'r') as f:
- fout.write(
- "\n\nPackages that violate mandatory license requirements:\n")
- for line in f:
- line = line.strip()
- pkg_name = line.split(':',1)[0]
- if (not self.image_pkgs):
- fout.write(line + " from image name not available \n")
- continue
- for pkg_info in self.image_pkgs:
- image_pkg_name = pkg_info.split()[0]
- image_name = pkg_info.split()[2]
- image_orig_pkg_name = pkg_info.split()[3]
- if ((image_pkg_name == pkg_name) or (image_orig_pkg_name == pkg_name)):
- if self.la_plugin_image_whitelist and (image_name not in self.la_plugin_image_whitelist):
- continue
- if self.la_plugin_image_blacklist and (image_name in self.la_plugin_image_blacklist):
- continue
- fout.write(line + " from image " + image_name)
- if (image_pkg_name != image_orig_pkg_name):
- fout.write(" binary_pkg_name " + image_pkg_name + "\n")
- continue
- fout.write("\n")
- os.remove(self.report_name + "_unwanted")
-
- def find_files(self, init_path):
- list_of_files = []
- for (dirpath, dirnames, filenames) in os.walk(init_path):
- for f in filenames:
- list_of_files.append(str(dirpath + "/" + f)[:])
- return list_of_files
-
- def check_license(self, license, file_path):
- with open(os.path.dirname(__file__) + file_path, 'r') as f:
- for line in f:
- s = line.rstrip()
- curr_license = license.split(':',1)[1]
- if s == curr_license:
- return True
- return False
-
- def check_exceptions(self, pkg_name, license, file_path):
- with open(os.path.dirname(__file__) + file_path, 'r') as f:
- for line in f:
- s = line.rstrip()
- curr_license = license.split(':',1)[1]
- if s == pkg_name + " " + curr_license:
- return True
- return False
-
-# ======== supported callbacks from ISA ============= #
-
-def init(ISA_config):
- global LicenseChecker
- LicenseChecker = ISA_LicenseChecker(ISA_config)
-
-
-def getPluginName():
- return "ISA_LicenseChecker"
-
-
-def process_package(ISA_pkg):
- global LicenseChecker
- return LicenseChecker.process_package(ISA_pkg)
-
-
-def process_report():
- global LicenseChecker
- return LicenseChecker.process_report()
-
-# ==================================================== #
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/__init__.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/__init__.py
deleted file mode 100644
index ad1997d..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/__init__.py
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# __init__.py - part of ISA FW
-#
-# Copyright (c) 2015 - 2016, Intel Corporation
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# * Redistributions of source code must retain the above copyright notice,
-# this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# * Neither the name of Intel Corporation nor the names of its contributors
-# may be used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-import glob
-import keyword
-import os
-import sys
-
-basedir = os.path.dirname(__file__)
-
-__all__ = []
-for name in glob.glob(os.path.join(basedir, '*.py')):
- module = os.path.splitext(os.path.split(name)[-1])[0]
- if not module.startswith('_') and not keyword.iskeyword(module):
- __import__(__name__ + '.' + module)
- __all__.append(module)
-__all__.sort()
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py
+++ /dev/null
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py
+++ /dev/null
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py
deleted file mode 100644
index d47ba9f..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py
+++ /dev/null
@@ -1,24 +0,0 @@
-############################################################################################
-# Kernel Hardening Configurations
-############################################################################################
-hardening_kco = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'not set',}
-hardening_kco_ref = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': '32768',}
-############################################################################################
-# Keys Kernel Configuration
-############################################################################################
-keys_kco = {}
-keys_kco_ref = {}
-############################################################################################
-# Security Kernel Configuration
-############################################################################################
-security_kco = {'CONFIG_LSM_MMAP_MIN_ADDR': 'not set',}
-security_kco_ref = {'CONFIG_LSM_MMAP_MIN_ADDR': '32768',}
-############################################################################################
-# Integrity Kernel Configuration
-############################################################################################
-integrity_kco = {}
-integrity_kco_ref = {}
-############################################################################################
-# Comments
-############################################################################################
-comments = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.'}
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py
deleted file mode 100644
index faa388c..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py
+++ /dev/null
@@ -1,242 +0,0 @@
-############################################################################################
-# Kernel Hardening Configurations
-############################################################################################
-hardening_kco = {'CONFIG_SERIAL_8250_CONSOLE': 'not set',
- 'CONFIG_SERIAL_CORE': 'not set',
- 'CONFIG_SERIAL_CORE_CONSOLE': 'not set',
- 'CONFIG_CMDLINE_BOOL': 'not set',
- 'CONFIG_CMDLINE': 'not set',
- 'CONFIG_CMDLINE_OVERRIDE': 'not set',
- 'CONFIG_DEBUG_INFO': 'not set',
- 'CONFIG_KGDB': 'not set',
- 'CONFIG_KPROBES': 'not set',
- 'CONFIG_FTRACE': 'not set',
- 'CONFIG_OPROFILE': 'not set',
- 'CONFIG_PROFILING': 'not set',
- 'CONFIG_MAGIC_SYSRQ': 'not set',
- 'CONFIG_DEBUG_BUGVERBOSE': 'not set',
- 'CONFIG_IP_PNP': 'not set',
- 'CONFIG_IKCONFIG': 'not set',
- 'CONFIG_SWAP': 'not set',
- 'CONFIG_NAMESPACES': 'not set',
- 'CONFIG_NFSD': 'not set',
- 'CONFIG_NFS_FS': 'not set',
- 'CONFIG_BINFMT_MISC': 'not set',
- 'CONFIG_KALLSYMS': 'not set',
- 'CONFIG_KALLSYMS_ALL': 'not set',
- 'CONFIG_BUG': 'not set',
- 'CONFIG_SYSCTL_SYSCALL': 'not set',
- 'CONFIG_MODULE_UNLOAD': 'not set',
- 'CONFIG_MODULE_FORCE_LOAD': 'not set',
- 'CONFIG_DEVMEM': 'not set',
- 'CONFIG_COREDUMP': 'not set',
- 'CONFIG_CROSS_MEMORY_ATTACH': 'not set',
- 'CONFIG_UNIX_DIAG': 'not set',
- 'CONFIG_CHECKPOINT_RESTORE': 'not set',
- 'CONFIG_PANIC_ON_OOPS': 'not set',
- 'CONFIG_PACKET_DIAG': 'not set',
- 'CONFIG_FW_LOADER_USER_HELPER': 'not set',
- 'CONFIG_BPF_JIT': 'not set',
- 'CONFIG_USELIB': 'not set',
- 'CONFIG_CC_STACKPROTECTOR': 'not set',
- 'CONFIG_KEXEC': 'not set',
- 'CONFIG_PROC_KCORE': 'not set',
- 'CONFIG_SECURITY_DMESG_RESTRICT': 'not set',
- 'CONFIG_DEBUG_STACKOVERFLOW': 'not set',
- 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'not set',
- 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'not set',
- 'CONFIG_IKCONFIG_PROC': 'not set',
- 'CONFIG_RANDOMIZE_BASE': 'not set',
- 'CONFIG_DEBUG_RODATA': 'not set',
- 'CONFIG_STRICT_DEVMEM': 'not set',
- 'CONFIG_DEVKMEM': 'not set',
- 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'not set',
- 'CONFIG_DEBUG_KERNEL': 'not set',
- 'CONFIG_DEBUG_FS': 'not set',
- 'CONFIG_MODULE_SIG_FORCE': 'not set',
- }
-hardening_kco_ref = {'CONFIG_SERIAL_8250_CONSOLE': 'not set',
- 'CONFIG_SERIAL_CORE': 'not set',
- 'CONFIG_SERIAL_CORE_CONSOLE': 'not set',
- 'CONFIG_CMDLINE_BOOL': 'y',
- 'CONFIG_CMDLINE': '"cmd_line"',
- 'CONFIG_CMDLINE_OVERRIDE': 'y',
- 'CONFIG_DEBUG_INFO': 'not set',
- 'CONFIG_KGDB': 'not set',
- 'CONFIG_KPROBES': 'not set',
- 'CONFIG_FTRACE': 'not set',
- 'CONFIG_OPROFILE': 'not set',
- 'CONFIG_PROFILING': 'not set',
- 'CONFIG_MAGIC_SYSRQ': 'not set',
- 'CONFIG_DEBUG_BUGVERBOSE': 'not set',
- 'CONFIG_IP_PNP': 'not set',
- 'CONFIG_IKCONFIG': 'not set',
- 'CONFIG_SWAP': 'not set',
- 'CONFIG_NAMESPACES': 'not set',
- 'CONFIG_NFSD': 'not set',
- 'CONFIG_NFS_FS': 'not set',
- 'CONFIG_BINFMT_MISC': 'not set',
- 'CONFIG_KALLSYMS': 'not set',
- 'CONFIG_KALLSYMS_ALL': 'not set',
- 'CONFIG_BUG': 'not set',
- 'CONFIG_SYSCTL_SYSCALL': 'not set',
- 'CONFIG_MODULE_UNLOAD': 'not set',
- 'CONFIG_MODULE_FORCE_LOAD': 'not set',
- 'CONFIG_DEVMEM': 'not set',
- 'CONFIG_COREDUMP': 'not set',
- 'CONFIG_CROSS_MEMORY_ATTACH': 'not set',
- 'CONFIG_UNIX_DIAG': 'not set',
- 'CONFIG_CHECKPOINT_RESTORE': 'not set',
- 'CONFIG_PANIC_ON_OOPS': 'y',
- 'CONFIG_PACKET_DIAG': 'not set',
- 'CONFIG_FW_LOADER_USER_HELPER': 'not set',
- 'CONFIG_BPF_JIT': 'not set',
- 'CONFIG_USELIB': 'not set',
- 'CONFIG_CC_STACKPROTECTOR': 'y',
- 'CONFIG_KEXEC': 'not set',
- 'CONFIG_PROC_KCORE': 'not set',
- 'CONFIG_SECURITY_DMESG_RESTRICT': 'y',
- 'CONFIG_DEBUG_STACKOVERFLOW': 'y',
- 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'y',
- 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'y',
- 'CONFIG_IKCONFIG_PROC': 'not set',
- 'CONFIG_RANDOMIZE_BASE': 'y',
- 'CONFIG_DEBUG_RODATA': 'y',
- 'CONFIG_STRICT_DEVMEM': 'y',
- 'CONFIG_DEVKMEM': 'not set',
- 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'y',
- 'CONFIG_DEBUG_KERNEL': 'not set',
- 'CONFIG_DEBUG_FS': 'not set',
- 'CONFIG_MODULE_SIG_FORCE': 'y',
- }
-############################################################################################
-# Keys Kernel Configuration
-############################################################################################
-keys_kco = {'CONFIG_KEYS': 'not set',
- 'CONFIG_TRUSTED_KEYS': 'not set',
- 'CONFIG_ENCRYPTED_KEYS': 'not set',
- 'CONFIG_KEYS_DEBUG_PROC_KEYS': 'not set'
- }
-keys_kco_ref = {'CONFIG_KEYS': 'y',
- 'CONFIG_TRUSTED_KEYS': 'y',
- 'CONFIG_ENCRYPTED_KEYS': 'y',
- 'CONFIG_KEYS_DEBUG_PROC_KEYS': 'not set'
- }
-############################################################################################
-# Security Kernel Configuration
-############################################################################################
-security_kco = {'CONFIG_SECURITY': 'not set',
- 'CONFIG_SECURITYFS': 'not set',
- 'CONFIG_SECURITY_NETWORKING': 'not set',
- 'CONFIG_DEFAULT_SECURITY': 'not set',
- 'CONFIG_SECURITY_SELINUX': 'not set',
- 'CONFIG_SECURITY_SMACK': 'not set',
- 'CONFIG_SECURITY_TOMOYO': 'not set',
- 'CONFIG_SECURITY_APPARMOR': 'not set',
- 'CONFIG_SECURITY_YAMA': 'not set',
- 'CONFIG_SECURITY_YAMA_STACKED': 'not set'
- }
-security_kco_ref = {'CONFIG_SECURITY': 'y',
- 'CONFIG_SECURITYFS': 'y',
- 'CONFIG_SECURITY_NETWORKING': 'y',
- 'CONFIG_DEFAULT_SECURITY': '"selinux","smack","apparmor","tomoyo"',
- 'CONFIG_SECURITY_SELINUX': 'y',
- 'CONFIG_SECURITY_SMACK': 'y',
- 'CONFIG_SECURITY_TOMOYO': 'y',
- 'CONFIG_SECURITY_APPARMOR': 'y',
- 'CONFIG_SECURITY_YAMA': 'y',
- 'CONFIG_SECURITY_YAMA_STACKED': 'y'
- }
-############################################################################################
-# Integrity Kernel Configuration
-############################################################################################
-integrity_kco = {'CONFIG_INTEGRITY': 'not set',
- 'CONFIG_INTEGRITY_SIGNATURE': 'not set',
- 'CONFIG_INTEGRITY_AUDIT': 'not set',
- 'CONFIG_IMA': 'not set',
- 'CONFIG_IMA_LSM_RULES': 'not set',
- 'CONFIG_IMA_APPRAISE': 'not set',
- 'CONFIG_IMA_TRUSTED_KEYRING': 'not set',
- 'CONFIG_IMA_APPRAISE_SIGNED_INIT': 'not set',
- 'CONFIG_EVM': 'not set',
- 'CONFIG_EVM_ATTR_FSUUID': 'not set',
- 'CONFIG_EVM_EXTRA_SMACK_XATTRS': 'not set',
- 'CONFIG_IMA_DEFAULT_HASH_SHA1': 'not set',
- 'CONFIG_IMA_DEFAULT_HASH_SHA256': 'not set',
- 'CONFIG_IMA_DEFAULT_HASH_SHA512': 'not set',
- 'CONFIG_IMA_DEFAULT_HASH_WP512': 'not set'
- }
-integrity_kco_ref = {'CONFIG_INTEGRITY': 'y',
- 'CONFIG_INTEGRITY_SIGNATURE': 'y',
- 'CONFIG_INTEGRITY_AUDIT': 'y',
- 'CONFIG_IMA': 'y',
- 'CONFIG_IMA_LSM_RULES': 'y',
- 'CONFIG_IMA_APPRAISE': 'y',
- 'CONFIG_IMA_TRUSTED_KEYRING': 'y',
- 'CONFIG_IMA_APPRAISE_SIGNED_INIT': 'y',
- 'CONFIG_EVM': 'y',
- 'CONFIG_EVM_ATTR_FSUUID': 'y',
- 'CONFIG_EVM_EXTRA_SMACK_XATTRS': 'y',
- 'CONFIG_IMA_DEFAULT_HASH_SHA1': 'not set',
- 'CONFIG_IMA_DEFAULT_HASH_SHA256': 'y',
- 'CONFIG_IMA_DEFAULT_HASH_SHA512': 'y',
- 'CONFIG_IMA_DEFAULT_HASH_WP512': 'not set'
- }
-############################################################################################
-# Comments
-############################################################################################
-comments = { # Kernel Hardening Configurations
- 'CONFIG_SERIAL_8250_CONSOLE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
- 'CONFIG_SERIAL_CORE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
- 'CONFIG_SERIAL_CORE_CONSOLE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
- 'CONFIG_CMDLINE_BOOL': 'Enables the kernel command line to be hardcoded directly into the kernel. Hardcoding the command line allows tighter control over kernel command line options.',
- 'CONFIG_CMDLINE': 'Defines the kernel command line to be hardcoded into the kernel. Hardcoding the command line allows tighter control over kernel command line options.',
- 'CONFIG_CMDLINE_OVERRIDE': 'Enables the kernel to ignore the boot loader command line and to use only the hardcoded command line. Hardcoding the command line allows tighter control over kernel command line options.',
- 'CONFIG_DEBUG_INFO': 'Enables debug symbols in the kernel. Providing debug symbols would assist an attacker in discovering attack vectors.',
- 'CONFIG_KGDB': 'Enables KGDB over USB and console ports. Providing KGDB would assist an attacker in discovering attack vectors.',
- 'CONFIG_KPROBES': 'Enables Kernel Dynamic Probes. Providing kprobes allows the attacker to collect debug and performance information.',
- 'CONFIG_FTRACE': 'Enables the kernel to trace every function. Providing kernel trace functionality would assist an attacker in discovering attack vectors.',
- 'CONFIG_OPROFILE': 'Enables a profiling system capable of profiling kernel and kernel modules. Providing profiling functionality would assist an attacker in discovering attack vectors.',
- 'CONFIG_PROFILING': 'Enables a profiling system capable of profiling kernel and kernel modules. Providing profiling functionality would assist an attacker in discovering attack vectors.',
- 'CONFIG_MAGIC_SYSRQ': 'Enables a console device to interpret special characters as SysRQ system commands. SysRQ commands are an immediate attack vector as they provide the ability to dump information or reboot the device.',
- 'CONFIG_DEBUG_BUGVERBOSE': 'Enables verbose logging for BUG() panics. Verbose logging would assist an attacker in discovering attack vectors.',
- 'CONFIG_IP_PNP': 'Enables automatic configuration of IP addresses of devices and of the routing table during kernel boot. Providing networking functionality before the system has come up would assist an attacker in discovering attack vectors.',
- 'CONFIG_IKCONFIG': 'Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.',
- 'CONFIG_SWAP': 'Enables swap files for kernel. The ability to read kernel memory pages in swap files would assist an attacker in discovering attack vectors.',
- 'CONFIG_NAMESPACES': 'Enabling this can result in duplicates of dev nodes, pids and mount points, which can be useful to attackers trying to spoof running environments on devices.',
- 'CONFIG_NFSD': 'Enables remote access to files residing on this system using Sun\'s Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.',
- 'CONFIG_NFS_FS': 'Enables remote access to files residing on this system using Sun\'s Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.',
- 'CONFIG_BINFMT_MISC': 'Enables support for binary formats other than ELF. Providing the ability to use alternate interpreters would assist an attacker in discovering attack vectors.',
- 'CONFIG_KALLSYMS': 'Enables printing of symbolic crash information and symbolic stack backtraces. Verbose logging would assist an attacker in discovering attack vectors.',
- 'CONFIG_KALLSYMS_ALL': 'Enables printing of symbolic crash information and symbolic stack backtraces. Verbose logging would assist an attacker in discovering attack vectors.',
- 'CONFIG_BUG': 'Enables display of backtrace and register information for BUGs and WARNs in kernel space. Verbose logging would assist an attacker in discovering attack vectors.',
- 'CONFIG_SYSCTL_SYSCALL': 'Enables sysctl to read and write kernel parameters. Use of deprecated and unmaintained features is not recommended.',
- 'CONFIG_MODULE_UNLOAD': 'Enables the ability to unload a kernel module. Allowing module unloading enables the attacker to disable security modules.',
- 'CONFIG_MODULE_FORCE_LOAD': 'Enables forced loading of modules without version information. Providing an attacker with the ability to force load a module assists in discovering attack vectors.',
- 'CONFIG_DEVMEM': 'Enables mem device, which provides access to physical memory. Providing a view into physical memory would assist an attacker in discovering attack vectors.',
- 'CONFIG_COREDUMP': 'Enables support for performing core dumps. Providing core dumps would assist an attacker in discovering attack vectors.',
- 'CONFIG_CROSS_MEMORY_ATTACH': 'Enables cross-process virtual memory access. Providing virtual memory access to and from a hostile process would assist an attacker in discovering attack vectors.',
- 'CONFIG_UNIX_DIAG': 'Enables support for socket monitoring interface. Allows the attacker to inspect shared file descriptors on Unix Domain sockets or traffic on \'localhost\'.',
- 'CONFIG_CHECKPOINT_RESTORE': 'Enables the checkpoint/restore service which can freeze and migrate processes. Providing a method for manipulating process state would assist an attacker in discovering attack vectors.',
- 'CONFIG_PANIC_ON_OOPS': 'Enables conversion of kernel OOPs to PANIC. When fuzzing the kernel or attempting kernel exploits, attackers are likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their progress.',
- 'CONFIG_PACKET_DIAG': 'Enables support for socket monitoring interface. Allows the attacker to inspect shared file descriptors on Unix Domain sockets or traffic on \'localhost\'.',
- 'CONFIG_FW_LOADER_USER_HELPER': 'Enables the invocation of user-helper (e.g. udev) for loading firmware files as a fallback after the direct file loading in kernel fails. Providing firmware auto loader functionality would assist an attacker in discovering attack vectors.',
- 'CONFIG_BPF_JIT': 'Enables Berkeley Packet Filter filtering capabilities. The BPF JIT can be used to create kernel-payloads from firewall table rules which assist an attacker in discovering attack vectors.',
- 'CONFIG_USELIB': 'Enables the uselib syscall. The uselib system call has no valid use in any libc6 or uclibc system. Legacy features would assist an attacker in discovering attack vectors.',
- 'CONFIG_CC_STACKPROTECTOR': 'Enables the stack protector GCC feature which defends against stack-based buffer overflows',
- 'CONFIG_KEXEC': 'Enables the ability to shutdown your current kernel, and start another one. If enabled, this can be used as a way to bypass signed kernels.',
- 'CONFIG_PROC_KCORE': 'Enables access to a kernel core dump from userspace. Providing access to core dumps of the kernel would assist an attacker in discovering attack vectors.',
- 'CONFIG_SECURITY_DMESG_RESTRICT': 'Enables restrictions on unprivileged users reading the kernel syslog via dmesg(8). Unrestricted access to kernel syslogs would assist an attacker in discovering attack vectors.',
- 'CONFIG_DEBUG_STACKOVERFLOW': 'Enables messages to be printed if free stack space drops below a certain limit. Leaking information about resources used by the kernel would assist an attacker in discovering attack vectors.',
- 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'Converts a certain set of sanity checks for user copy operations into compile time failures. The copy_from_user() etc checks help test if there are sufficient security checks on the length argument of the copy operation by having gcc prove that the argument is within bounds.',
- 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'Required to enable DEBUG_STRICT_USER_COPY_CHECKS, but alone does not provide security.',
- 'CONFIG_IKCONFIG_PROC': 'Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.',
- 'CONFIG_RANDOMIZE_BASE': 'Enables Kernel Address Space Layout randomization (kASLR). This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.',
- 'CONFIG_DEBUG_RODATA': 'Sets kernel text and rodata sections as read-only and write-protected. This guards against malicious attempts to change the kernel\'s executable code.',
- 'CONFIG_STRICT_DEVMEM': 'Enables restriction of userspace access to kernel memory. Failure to enable this option provides an immediate attack vector.',
- 'CONFIG_DEVKMEM': 'Enables kmem device, which direct maps kernel memory. Providing a view into kernel memory would assist an attacker in discovering attack vectors.',
- 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'Enables randomization of PIE load address for ELF binaries. This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.',
- 'CONFIG_DEBUG_KERNEL': 'Enables sysfs output intended to assist with debugging a kernel. The information output to sysfs would assist an attacker in discovering attack vectors.',
- 'CONFIG_DEBUG_FS': 'Enables the kernel debug filesystem. The kernel debug filesystem presents a lot of useful information and means of manipulation of the kernel to an attacker.',
- 'CONFIG_MODULE_SIG_FORCE': 'Enables validation of module signature. Disabling this option enables an attacker to load unsigned modules.',
-}
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py b/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py
deleted file mode 100644
index cbaddf8..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py
+++ /dev/null
@@ -1,38 +0,0 @@
-############################################################################################
-# Kernel Hardening Configurations
-############################################################################################
-hardening_kco = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'not set',
- 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'not set',
- 'CONFIG_X86_INTEL_MPX': 'not set',
- 'CONFIG_X86_MSR': 'not set'
- }
-hardening_kco_ref = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': '65536', # x86 specific
- 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': '0x20000000,0x40000000', # x86 specific
- 'CONFIG_X86_INTEL_MPX': 'y', # x86 and certain HW variants specific
- 'CONFIG_X86_MSR': 'not set'
- }
-############################################################################################
-# Keys Kernel Configuration
-############################################################################################
-keys_kco = {}
-keys_kco_ref = {}
-############################################################################################
-# Security Kernel Configuration
-############################################################################################
-security_kco = {'CONFIG_LSM_MMAP_MIN_ADDR': 'not set',
- 'CONFIG_INTEL_TXT': 'not set'}
-security_kco_ref = {'CONFIG_LSM_MMAP_MIN_ADDR': '65536', # x86 specific
- 'CONFIG_INTEL_TXT': 'y'}
-############################################################################################
-# Integrity Kernel Configuration
-############################################################################################
-integrity_kco = {}
-integrity_kco_ref = {}
-############################################################################################
-# Comments
-############################################################################################
-comments = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.',
- 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'Defines the maximal offset in bytes that will be applied to the kernel when kernel Address Space Layout Randomization (kASLR) is active.',
- 'CONFIG_X86_INTEL_MPX': 'Enables MPX hardware features that can be used with compiler-instrumented code to check memory references. It is designed to detect buffer overflow or underflow bugs.',
- 'CONFIG_X86_MSR': 'Enables privileged processes access to the x86 Model-Specific Registers (MSRs). MSR accesses are directed to a specific CPU on multi-processor systems. This alone does not provide security.'
- }
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi b/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi
deleted file mode 100644
index 5e7a69f..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi
+++ /dev/null
@@ -1,43 +0,0 @@
-Artistic-1.0-perl
-BSD-2-Clause-FreeBSD
-BSD-3-Clause-Clear
-BSD-4-Clause
-BSD-4-Clause-UC
-bzip2-1.0.5
-bzip2-1.0.6
-CC0-1.0
-CC-BY-SA-3.0
-ErlPL-1.1
-FTL
-GFDL-1.1
-GFDL-1.1+
-GFDL-1.2
-GFDL-1.2+
-GFDL-1.3
-GFDL-1.3+
-GPL-1.0
-GPL-1.0+
-ICU
-IJG
-Libpng
-libtiff
-MIT-feh
-MIT-Opengroup
-mpich2
-Muddy-MIT
-OFL-1.0
-OLDAP-2.0.1
-OLDAP-2.8
-OpenSSL
-PHP-3.01
-Qhull
-Ruby
-SGI-B-2.0
-TCL
-Vim
-X11
-Zend-2.0
-zlib-acknowledgement
-ZPL-1.1
-ZPL-2.0
-ZPL-2.1
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions b/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions
deleted file mode 100644
index e69de29..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions
+++ /dev/null
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses b/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses
deleted file mode 100644
index 8fff0b1..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses
+++ /dev/null
@@ -1,105 +0,0 @@
-AFL-1.1
-AFL-1.2
-AFL-2.0
-AFL-2.1
-AFL-3.0
-APL-1.0
-Apache-1.1
-Apache-2.0
-APSL-1.0
-APSL-1.1
-APSL-1.2
-APSL-2.0
-Artistic-1.0
-Artistic-1.0-Perl
-Artistic-1.0-cl8
-Artistic-2.0
-AAL
-BSL-1.0
-BSD-2-Clause
-BSD-3-Clause
-CNRI-Python
-CDDL-1.0
-CPAL-1.0
-CPL-1.0
-CATOSL-1.1
-CUA-OPL-1.0
-EPL-1.0
-ECL-1.0
-ECL-2.0
-EFL-1.0
-EFL-2.0
-Entessa
-EUDatagrid
-EUPL-1.1
-Fair
-Frameworx-1.0
-AGPL-3.0
-GPL-2.0
-GPL-2.0+
-GPL-2.0-with-autoconf-exception
-GPL-2.0-with-bison-exception
-GPL-2.0-with-classpath-exception
-GPL-2.0-with-font-exception
-GPL-2.0-with-GCC-exception
-GPL-3.0
-GPL-3.0+
-GPL-3.0-with-autoconf-exception
-GPL-3.0-with-GCC-exception
-LGPL-2.1
-LGPL-2.1+
-LGPL-3.0
-LGPL-3.0+
-LGPL-2.0
-LGPL-2.0+
-HPND
-IPL-1.0
-Intel
-IPA
-ISC
-LPPL-1.3c
-LPL-1.02
-LPL-1.0
-MS-PL
-MS-RL
-MirOS
-MIT
-Motosoto
-MPL-1.0
-MPL-1.1
-MPL-2.0
-MPL-2.0-no-copyleft-exception
-Multics
-NASA-1.3
-Naumen
-NGPL
-Nokia
-NPOSL-3.0
-NTP
-OCLC-2.0
-OGTSL
-OSL-1.0
-OSL-2.0
-OSL-2.1
-OSL-3.0
-PHP-3.0
-PostgreSQL
-Python-2.0
-QPL-1.0
-RPSL-1.0
-RPL-1.1
-RPL-1.5
-RSCPL
-OFL-1.1
-SimPL-2.0
-Sleepycat
-SISSL
-SPL-1.0
-Watcom-1.0
-NCSA
-VSL-1.0
-W3C
-WXwindows
-Xnet
-Zlib
-ZPL-2.0
diff --git a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations b/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations
deleted file mode 100644
index 5da203b..0000000
--- a/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations
+++ /dev/null
@@ -1,7 +0,0 @@
-GPL-3.0
-GPL-3.0+
-GPL-3.0-with-autoconf-exception
-GPL-3.0-with-GCC-exception
-LGPL-3.0
-LGPL-3.0+
-
diff --git a/meta-security/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb b/meta-security/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb
deleted file mode 100644
index 74f5d39..0000000
--- a/meta-security/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb
+++ /dev/null
@@ -1,25 +0,0 @@
-SUMMARY = "Checksec tool"
-DESCRIPTION = "The checksec.sh script is designed to test what standard Linux OS and PaX security features are being used."
-SECTION = "security"
-LICENSE = "BSD-3-Clause"
-HOMEPAGE="http://www.trapkit.de/tools/checksec.html"
-
-LIC_FILES_CHKSUM = "file://checksec-${PV}.sh;beginline=3;endline=34;md5=6dab14470bfdf12634b866dbdd7a04b0"
-
-SRC_URI = "http://www.trapkit.de/tools/checksec.sh;downloadfilename=checksec-${PV}.sh"
-
-SRC_URI[md5sum] = "57cc3fbbbe48e8ebd4672c569954374d"
-SRC_URI[sha256sum] = "05822cd8668589038d20650faa0e56f740911d8ad06f7005b3d12a5c76591b90"
-
-
-S = "${WORKDIR}"
-
-do_install() {
- install -d ${D}${bindir}
- install -m 0755 ${WORKDIR}/checksec-${PV}.sh ${D}${bindir}/checksec.sh
- sed -i 's/\r//' ${D}${bindir}/checksec.sh
-}
-
-RDEPENDS:${PN} = "bash binutils"
-
-BBCLASSEXTEND = "native"
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch b/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
deleted file mode 100644
index 9e1021a..0000000
--- a/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 09e7dd42e5201d079bad70e9f7cc6033ce1c7cad Mon Sep 17 00:00:00 2001
-From: Stefan Berger <stefanb@linux.vnet.ibm.com>
-Date: Fri, 3 Feb 2017 10:58:22 -0500
-Subject: [PATCH] Convert another vdprintf to dprintf
-
-Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- src/tpm_library.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: git/src/tpm_library.c
-===================================================================
---- git.orig/src/tpm_library.c
-+++ git/src/tpm_library.c
-@@ -427,7 +427,7 @@ void TPMLIB_LogPrintfA(unsigned int inde
- indent = sizeof(spaces) - 1;
- memset(spaces, ' ', indent);
- spaces[indent] = 0;
-- vdprintf(debug_fd, spaces, NULL);
-+ dprintf(debug_fd, "%s", spaces);
- }
-
- va_start(args, format);
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch b/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch
deleted file mode 100644
index a71b5c1..0000000
--- a/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 6a9b4e5d70f770aa9ca31e3e6d3b1ae72c192070 Mon Sep 17 00:00:00 2001
-From: Stefan Berger <stefanb@linux.vnet.ibm.com>
-Date: Tue, 31 Jan 2017 20:10:51 -0500
-Subject: [PATCH] Use format '%s' for call to dprintf
-
-Fix the dprintf call to use a format parameter that otherwise causes
-errors with gcc on certain platforms.
-
-Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
-
-Upstream-Status: Backport
-replaces local patch
-Signed-off-by: Armin Kuster <akuster@mvsita.com>
-
----
- src/tpm_library.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-Index: git/src/tpm_library.c
-===================================================================
---- git.orig/src/tpm_library.c
-+++ git/src/tpm_library.c
-@@ -405,8 +405,8 @@ int TPMLIB_LogPrintf(const char *format,
- }
-
- if (debug_prefix)
-- dprintf(debug_fd, debug_prefix);
-- dprintf(debug_fd, buffer);
-+ dprintf(debug_fd, "%s", debug_prefix);
-+ dprintf(debug_fd, "%s", buffer);
-
- return i;
- }
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch b/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch
deleted file mode 100644
index fc13aa5..0000000
--- a/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Upstream-Status: Pending
-Signed-off-by: Armin kuster <akuster808@gmail.com>
-
-Index: git/src/swtpm/ctrlchannel.c
-===================================================================
---- git.orig/src/swtpm/ctrlchannel.c
-+++ git/src/swtpm/ctrlchannel.c
-@@ -152,7 +152,8 @@ static int ctrlchannel_receive_state(ptm
- uint32_t tpm_number = 0;
- unsigned char *blob = NULL;
- uint32_t blob_length = be32toh(pss->u.req.length);
-- uint32_t remain = blob_length, offset = 0;
-+ ssize_t remain = (ssize_t) blob_length;
-+ uint32_t offset = 0;
- TPM_RESULT res;
- uint32_t flags = be32toh(pss->u.req.state_flags);
- TPM_BOOL is_encrypted = (flags & PTM_STATE_FLAG_ENCRYPTED) != 0;
-Index: git/src/swtpm_ioctl/tpm_ioctl.c
-===================================================================
---- git.orig/src/swtpm_ioctl/tpm_ioctl.c
-+++ git/src/swtpm_ioctl/tpm_ioctl.c
-@@ -303,7 +303,7 @@ static int do_save_state_blob(int fd, bo
- numbytes = write(file_fd, pgs.u.resp.data,
- devtoh32(is_chardev, pgs.u.resp.length));
-
-- if (numbytes != devtoh32(is_chardev, pgs.u.resp.length)) {
-+ if (numbytes != (ssize_t) devtoh32(is_chardev, pgs.u.resp.length)) {
- fprintf(stderr,
- "Could not write to file '%s': %s\n",
- filename, strerror(errno));
-@@ -420,7 +420,7 @@ static int do_load_state_blob(int fd, bo
- had_error = true;
- break;
- }
-- pss.u.req.length = htodev32(is_chardev, numbytes);
-+ pss.u.req.length = htodev32(is_chardev, (uint32_t) numbytes);
-
- /* the returnsize is zero on all intermediate packets */
- returnsize = ((size_t)numbytes < sizeof(pss.u.req.data))
-@@ -863,7 +863,7 @@ int main(int argc, char *argv[])
- return EXIT_FAILURE;
- }
- /* no tpm_result here */
-- printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap));
-+ printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
-
- } else if (!strcmp(command, "-i")) {
- init.u.req.init_flags = htodev32(is_chardev, PTM_INIT_FLAG_DELETE_VOLATILE);
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch b/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
deleted file mode 100644
index 3d16431..0000000
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 8750a6c3f0b4d9e7e45b4079150d29eb44774e9c Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster@mvista.com>
-Date: Tue, 14 Mar 2017 22:59:36 -0700
-Subject: [PATCH 2/4] logging: Fix musl build issue with fcntl
-
- error: #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.h> [-Werror=cpp]
- #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- src/swtpm/logging.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/swtpm/logging.c b/src/swtpm/logging.c
-index f16cab6..7da8606 100644
---- a/src/swtpm/logging.c
-+++ b/src/swtpm/logging.c
-@@ -45,7 +45,7 @@
- #include <errno.h>
- #include <string.h>
- #include <sys/types.h>
--#include <sys/fcntl.h>
-+#include <fcntl.h>
- #include <sys/stat.h>
- #include <stdio.h>
- #include <stdlib.h>
---
-2.11.0
-
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
deleted file mode 100644
index 60958f7..0000000
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 672bb4ee625da3141ba6cecb0601c7563de4c483 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Thu, 13 Oct 2016 02:03:56 -0700
-Subject: [PATCH 1/4] swtpm: add new package
-
-Upstream-Status: Inappropriate [OE config]
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Rebased to current tip.
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
----
- configure.ac | 34 ++++++++++------------------------
- 1 file changed, 10 insertions(+), 24 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index abf5be1..85ed6ac 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -395,31 +395,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-security"
- dnl We have to make sure libtpms is using the same crypto library
- dnl to avoid problems
- AC_MSG_CHECKING([the crypto library libtpms is using])
--dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
-- sed -n '/SEARCH_DIR/p' | \
-- sed 's/SEARCH_DIR("\(@<:@^"@:>@*\)"); */\1 /g' | \
-- sed 's|=/|/|g')
--for dir in $dirs $LIBRARY_PATH; do
-- if test -r $dir/libtpms.so; then
-- if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
-- libtpms_cryptolib="openssl"
-- break
-- fi
-- if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
-- libtpms_cryptolib="freebl"
-- break
-- fi
-+dir="$SEARCH_DIR"
-+if test -r $dir/libtpms.so; then
-+ if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
-+ libtpms_cryptolib="openssl"
-+ break
- fi
-- case $host_os in
-- cygwin|openbsd*)
-- if test -r $dir/libtpms.a; then
-- if test -n "$(nm $dir/libtpms.a | grep "U AES_encrypt")"; then
-- libtpms_cryptolib="openssl"
-- fi
-- fi
-- ;;
-- esac
--done
-+ if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
-+ libtpms_cryptolib="freebl"
-+ break
-+ fi
-+fi
-
- if test -z "$libtpms_cryptolib"; then
- AC_MSG_ERROR([Could not determine libtpms crypto library.])
---
-2.11.0
-
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb
index 614b07f..da86c47 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb
@@ -36,7 +36,7 @@
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM:${PN} = "--system ${TSS_USER}"
-USERADD_PARAM:${PN} = "--system -g ${TSS_GROUP} --home-dir \
+USERADD_PARAM:${PN} = "--system -g ${TSS_GROUP} --home-dir / \
--no-create-home --shell /bin/false ${BPN}"
diff --git a/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
index bed8b92..e6068aff 100644
--- a/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
+++ b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
@@ -1,3 +1,5 @@
+Upstream-Status: Pending
+
commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
Date: Wed Jun 19 18:57:13 2013 +0800
diff --git a/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
index 2caaaf0..74def4f 100644
--- a/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
+++ b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
@@ -1,3 +1,5 @@
+Upstream-Status: Pending
+
commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
Date: Wed Jun 19 18:57:13 2013 +0800
diff --git a/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
index cc8772d..732961d 100644
--- a/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
+++ b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
@@ -17,6 +17,8 @@
Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
+Upstream-Status: Pending
+
e_tpm.c | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
e_tpm.h | 4 ++
e_tpm_err.c | 4 ++
diff --git a/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
index 535472a..3cbfc3c 100644
--- a/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
+++ b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
@@ -12,6 +12,8 @@
Signed-off-by: Meng Li <Meng.Li@windriver.com>
---
+Upstream-Status: Pending
+
create_tpm_key.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch
index 40150af..d427d67 100644
--- a/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch
+++ b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch
@@ -1,3 +1,5 @@
+Upstream-Status: Pending
+
Index: git/include/tpm_tspi.h
===================================================================
--- git.orig/include/tpm_tspi.h
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch
index 962bfc1..09aab78 100644
--- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch
@@ -12,7 +12,7 @@
ERROR: QA Issue: File /usr/bin/tpm_server in package ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags]
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Jens Rehsack <sno@NetBSD.org>
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
index 8a216cd..a238c7f 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
@@ -1,4 +1,4 @@
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/configure.ac
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch
index fc730e1..2554282 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch
@@ -4,7 +4,7 @@
ARCH is host arch, not target arch
-Upstream-Status: Submitted
+Upstream-Status: Submitted
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/src/uefi-types.h
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
index b3f2287..fe96b40 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
@@ -6,7 +6,7 @@
Do not insert /usr/lib and /usr/lib64 into library search path.
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
configure.ac | 2 +-
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
index 04a2964..3f680ba 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
@@ -2,7 +2,7 @@
Not appropriate for cross build env.
-Upstream-Status: OE [inappropriate]
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: tpm2-tss-4.0.1/configure.ac
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch b/meta-security/recipes-compliance/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch
similarity index 100%
rename from meta-security/meta-security-compliance/recipes-auditors/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch
rename to meta-security/recipes-compliance/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb b/meta-security/recipes-compliance/lynis/lynis_3.0.8.bb
similarity index 100%
rename from meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
rename to meta-security/recipes-compliance/lynis/lynis_3.0.8.bb
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb
similarity index 68%
rename from meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
rename to meta-security/recipes-compliance/openscap/openscap_1.3.8.bb
index e875227..ecc347c 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb
@@ -1,4 +1,4 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
+# Copyright (C) 2017 - 2023 Armin Kuster <akuster808@gmail.com>
# Released under the MIT license (see COPYING.MIT for the terms)
SUMARRY = "NIST Certified SCAP 1.2 toolkit"
@@ -6,12 +6,17 @@
LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
LICENSE = "LGPL-2.1-only"
-DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig libpcre"
-DEPENDS:class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native libpcre-native"
+DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig libpcre xmlsec1"
+DEPENDS:class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native libpcre-native xmlsec1-native"
+
+#Jun 22th, 2023
+SRCREV = "a81c66d9bc36612dd1ca83a8c959a59e172eb4b9"
+SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https \
+ "
S = "${WORKDIR}/git"
-inherit cmake pkgconfig python3native python3targetconfig perlnative
+inherit cmake pkgconfig python3native python3targetconfig perlnative systemd
PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3"
@@ -20,6 +25,7 @@
PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt"
PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss"
PACKAGECONFIG[selinux] = ", ,libselinux"
+PACKAGECONFIG[remdediate_service] = "-DENABLE_OSCAP_REMEDIATE_SERVICE=ON,-DENABLE_OSCAP_REMEDIATE_SERVICE=NO,"
EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \
-DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \
@@ -40,6 +46,14 @@
sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h
}
+do_install:append () {
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ if ${@bb.utils.contains('PACKAGECONFIG','remdediate_service','true','false',d)}; then
+ install -D -m 0644 ${B}/oscap-remediate.service ${D}${systemd_system_unitdir}/oscap-remediate.service
+ fi
+ fi
+}
+
do_install:class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
do_install:append:class-native () {
oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
@@ -48,8 +62,14 @@
}
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE:${PN} = "${@bb.utils.contains('PACKAGECONFIG','remdediate_service', 'oscap-remediate.service', '',d)}"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+
FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR}"
-RDEPENDS:${PN} += "libxml2 python3-core libgcc bash"
+RDEPENDS:${PN} = "libxml2 python3-core libgcc bash"
+RDEPENDS:${PN}-class-target = "libxml2 python3-core libgcc bash os-release"
BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch
new file mode 100644
index 0000000..355f954
--- /dev/null
+++ b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch
@@ -0,0 +1,91 @@
+From 23a224203a73688567f500380644e5cf30c8ed99 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Thu, 22 Jun 2023 06:19:26 -0400
+Subject: [PATCH] scap-security-guide: add Poky support
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ products/openembedded/product.yml | 7 +++-
+ .../openembedded/transforms/constants.xslt | 4 +--
+ shared/checks/oval/installed_OS_is_poky.xml | 33 +++++++++++++++++++
+ 3 files changed, 41 insertions(+), 3 deletions(-)
+ create mode 100644 shared/checks/oval/installed_OS_is_poky.xml
+
+diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
+index 9f2f12d737..a495e197c0 100644
+--- a/products/openembedded/product.yml
++++ b/products/openembedded/product.yml
+@@ -14,6 +14,11 @@ init_system: "systemd"
+ cpes_root: "../../shared/applicability"
+ cpes:
+ - openembedded:
+- name: "cpe:/o:openembedded"
++ name: "cpe:/o:openembedded:nodistro:"
+ title: "OpenEmbedded nodistro"
+ check_id: installed_OS_is_openembedded
++
++ - poky:
++ name: "cpe:/o:openembedded:poky:"
++ title: "OpenEmbedded Poky reference distribution"
++ check_id: installed_OS_is_poky
+diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt
+index 85e812a7c1..8901def2f9 100644
+--- a/products/openembedded/transforms/constants.xslt
++++ b/products/openembedded/transforms/constants.xslt
+@@ -2,8 +2,8 @@
+
+ <xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+-<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable>
+-<xsl:variable name="product_short_name">OE nodistro</xsl:variable>
++<xsl:variable name="product_long_name">OpenEmbedded based distribution</xsl:variable>
++<xsl:variable name="product_short_name">OE distros</xsl:variable>
+ <xsl:variable name="product_stig_id_name">empty</xsl:variable>
+ <xsl:variable name="prod_type">openembedded</xsl:variable>
+
+diff --git a/shared/checks/oval/installed_OS_is_poky.xml b/shared/checks/oval/installed_OS_is_poky.xml
+new file mode 100644
+index 0000000000..9c41acd786
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_poky.xml
+@@ -0,0 +1,33 @@
++<def-group>
++ <definition class="inventory" id="installed_OS_is_poky" version="1">
++ <metadata>
++ <title>Poky</title>
++ <affected family="unix">
++ <platform>multi_platform_all</platform>
++ </affected>
++ <description>The operating system installed is a Poky referenece based System</description>
++ </metadata>
++ <criteria comment="System is Poky reference distribution" operator="AND">
++ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
++ <criterion comment="Poky based distro" test_ref="test_os_release_poky" />
++ <criterion comment="Poky referenece distribution is installed" test_ref="test_poky" />
++ </criteria>
++ </definition>
++
++ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release_poky" version="1">
++ <unix:object object_ref="obj_os_release_poky" />
++ </unix:file_test>
++ <unix:file_object comment="check /etc/os-release file" id="obj_os_release_poky" version="1">
++ <unix:filepath>/etc/os-release</unix:filepath>
++ </unix:file_object>
++
++ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_poky" version="1">
++ <ind:object object_ref="obj_poky" />
++ </ind:textfilecontent54_test>
++ <ind:textfilecontent54_object id="obj_poky" version="1" comment="Check Poky">
++ <ind:filepath>/etc/os-release</ind:filepath>
++ <ind:pattern operation="pattern match">^ID=poky$</ind:pattern>
++ <ind:instance datatype="int">1</ind:instance>
++ </ind:textfilecontent54_object>
++
++</def-group>
+--
+2.34.1
+
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch
new file mode 100644
index 0000000..f003f72
--- /dev/null
+++ b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch
@@ -0,0 +1,231 @@
+From f6287d146762b8360bd7099f4724a58eedba7d2a Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 14 Jun 2023 07:46:55 -0400
+Subject: [PATCH] scap-security-guide: add openembedded
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ CMakeLists.txt | 5 +++
+ build_product | 1 +
+ products/openembedded/CMakeLists.txt | 6 ++++
+ products/openembedded/product.yml | 19 +++++++++++
+ .../openembedded/profiles/standard.profile | 12 +++++++
+ .../openembedded/transforms/constants.xslt | 10 ++++++
+ .../oval/installed_OS_is_openembedded.xml | 33 +++++++++++++++++++
+ .../oval/sysctl_kernel_ipv6_disable.xml | 1 +
+ ssg/constants.py | 5 ++-
+ 9 files changed, 91 insertions(+), 1 deletion(-)
+ create mode 100644 products/openembedded/CMakeLists.txt
+ create mode 100644 products/openembedded/product.yml
+ create mode 100644 products/openembedded/profiles/standard.profile
+ create mode 100644 products/openembedded/transforms/constants.xslt
+ create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 85ec289644..09ac96784e 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -95,6 +95,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
+ option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
++option(SSG_PRODUCT_OE "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+
+
+ option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
+@@ -289,6 +290,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
+ message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
+ message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
+ message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
++message(STATUS "OpenEmbedded nodistro: ${SSG_PRODUCT_OE}")
+
+
+
+@@ -410,6 +412,9 @@ endif()
+ if (SSG_PRODUCT_UOS20)
+ add_subdirectory("products/uos20" "uos20")
+ endif()
++if (SSG_PRODUCT_OE)
++ add_subdirectory("products/openembedded" "openembedded")
++endif()
+
+ # ZIP only contains source datastreams and kickstarts, people who
+ # want sources to build from should get the tarball instead.
+diff --git a/build_product b/build_product
+index fc793cbe70..197d925b7e 100755
+--- a/build_product
++++ b/build_product
+@@ -333,6 +333,7 @@ all_cmake_products=(
+ UBUNTU2204
+ UOS20
+ MACOS1015
++ OPENEMBEDDED
+ )
+
+ DEFAULT_OVAL_MAJOR_VERSION=5
+diff --git a/products/openembedded/CMakeLists.txt b/products/openembedded/CMakeLists.txt
+new file mode 100644
+index 0000000000..1981adf53e
+--- /dev/null
++++ b/products/openembedded/CMakeLists.txt
+@@ -0,0 +1,6 @@
++# Sometimes our users will try to do: "cd openembedded; cmake ." That needs to error in a nice way.
++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
++ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
++endif()
++
++ssg_build_product("openembedded")
+diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
+new file mode 100644
+index 0000000000..9f2f12d737
+--- /dev/null
++++ b/products/openembedded/product.yml
+@@ -0,0 +1,19 @@
++product: openembedded
++full_name: OpemEmbedded
++type: platform
++
++benchmark_id: OPENEMBEDDED
++benchmark_root: "../../linux_os/guide"
++
++profiles_root: "./profiles"
++
++pkg_manager: "dnf"
++
++init_system: "systemd"
++
++cpes_root: "../../shared/applicability"
++cpes:
++ - openembedded:
++ name: "cpe:/o:openembedded"
++ title: "OpenEmbedded nodistro"
++ check_id: installed_OS_is_openembedded
+diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
+new file mode 100644
+index 0000000000..44339d716c
+--- /dev/null
++++ b/products/openembedded/profiles/standard.profile
+@@ -0,0 +1,12 @@
++documentation_complete: true
++
++title: 'Sample Security Profile for OpenEmbedded Distros'
++
++description: |-
++ This profile is an sample for use in documentation and example content.
++ The selected rules are standard and should pass quickly on most systems.
++
++selections:
++ - file_owner_etc_passwd
++ - file_groupowner_etc_passwd
++ - file_permissions_etc_passwd
+diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt
+new file mode 100644
+index 0000000000..85e812a7c1
+--- /dev/null
++++ b/products/openembedded/transforms/constants.xslt
+@@ -0,0 +1,10 @@
++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
++
++<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
++
++<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable>
++<xsl:variable name="product_short_name">OE nodistro</xsl:variable>
++<xsl:variable name="product_stig_id_name">empty</xsl:variable>
++<xsl:variable name="prod_type">openembedded</xsl:variable>
++
++</xsl:stylesheet>
+diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
+new file mode 100644
+index 0000000000..17c2873686
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_openembedded.xml
+@@ -0,0 +1,33 @@
++<def-group>
++ <definition class="inventory" id="installed_OS_is_openembedded" version="1">
++ <metadata>
++ <title>OpenEmbedded</title>
++ <affected family="unix">
++ <platform>multi_platform_all</platform>
++ </affected>
++ <description>The operating system installed is an OpenEmbedded System</description>
++ </metadata>
++ <criteria comment="System is OpenEmbedded" operator="AND">
++ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
++ <criterion comment="OpenEmbedded distro" test_ref="test_os_release" />
++ <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" />
++ </criteria>
++ </definition>
++
++ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release" version="1">
++ <unix:object object_ref="obj_os_release" />
++ </unix:file_test>
++ <unix:file_object comment="check /etc/os-release file" id="obj_os_release" version="1">
++ <unix:filepath>/etc/os-release</unix:filepath>
++ </unix:file_object>
++
++ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_openembedded" version="1">
++ <ind:object object_ref="obj_openembedded" />
++ </ind:textfilecontent54_test>
++ <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded">
++ <ind:filepath>/etc/os-release</ind:filepath>
++ <ind:pattern operation="pattern match">^ID=nodistro$</ind:pattern>
++ <ind:instance datatype="int">1</ind:instance>
++ </ind:textfilecontent54_object>
++
++</def-group>
+diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+index affb9770cb..4f22df262c 100644
+--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+@@ -8,6 +8,7 @@
+ <platform>multi_platform_debian</platform>
+ <platform>multi_platform_example</platform>
+ <platform>multi_platform_fedora</platform>
++ <platform>multi_platform_openembedded</platform>
+ <platform>multi_platform_opensuse</platform>
+ <platform>multi_platform_ol</platform>
+ <platform>multi_platform_rhcos</platform>
+diff --git a/ssg/constants.py b/ssg/constants.py
+index f66ba008fa..630fbdfcb9 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -219,6 +219,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
+ "Ubuntu 20.04": "ubuntu2004",
+ "Ubuntu 22.04": "ubuntu2204",
+ "UnionTech OS Server 20": "uos20",
++ "OpenEmbedded": "openembedded",
+ "Not Applicable" : "example"
+ }
+
+@@ -267,7 +268,7 @@ REFERENCES = dict(
+
+ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+ "opensuse", "sle", "ol", "ocp", "rhcos",
+- "example", "eks", "alinux", "uos", "anolis"]
++ "example", "eks", "alinux", "uos", "anolis", "openembedded"]
+
+ MULTI_PLATFORM_MAPPING = {
+ "multi_platform_alinux": ["alinux2", "alinux3"],
+@@ -285,6 +286,7 @@ MULTI_PLATFORM_MAPPING = {
+ "multi_platform_sle": ["sle12", "sle15"],
+ "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
+ "multi_platform_uos": ["uos20"],
++ "multi_platform_openembedded": ["openembedded"],
+ }
+
+ RHEL_CENTOS_CPE_MAPPING = {
+@@ -454,6 +456,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
+ 'ocp': 'Red Hat OpenShift Container Platform',
+ 'rhcos': 'Red Hat Enterprise Linux CoreOS',
+ 'eks': 'Amazon Elastic Kubernetes Service',
++ 'openembedded': 'OpenEmbedded',
+ }
+
+ # References that can not be used with product-qualifiers
+--
+2.34.1
+
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch
new file mode 100644
index 0000000..061c5f0
--- /dev/null
+++ b/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch
@@ -0,0 +1,231 @@
+From 7af2da3bbe1d5b4cba89c6dae9ea267717b865ea Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 21 Jun 2023 07:46:38 -0400
+Subject: [PATCH] standard.profile: expand checks
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upstream-status: Pending
+---
+ .../openembedded/profiles/standard.profile | 206 ++++++++++++++++++
+ 1 file changed, 206 insertions(+)
+
+diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
+index 44339d716c..877d1a3971 100644
+--- a/products/openembedded/profiles/standard.profile
++++ b/products/openembedded/profiles/standard.profile
+@@ -9,4 +9,210 @@ description: |-
+ selections:
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
++ - service_crond_enabled
++ - file_groupowner_crontab
++ - file_owner_crontab
++ - file_permissions_crontab
++ - file_groupowner_cron_hourly
++ - file_owner_cron_hourly
++ - file_permissions_cron_hourly
++ - file_groupowner_cron_daily
++ - file_owner_cron_daily
++ - file_permissions_cron_daily
++ - file_groupowner_cron_weekly
++ - file_owner_cron_weekly
++ - file_permissions_cron_weekly
++ - file_groupowner_cron_monthly
++ - file_owner_cron_monthly
++ - file_permissions_cron_monthly
++ - file_groupowner_cron_d
++ - file_owner_cron_d
++ - file_permissions_cron_d
++ - file_groupowner_cron_allow
++ - file_owner_cron_allow
++ - file_cron_deny_not_exist
++ - file_groupowner_at_allow
++ - file_owner_at_allow
++ - file_at_deny_not_exist
++ - file_permissions_at_allow
++ - file_permissions_cron_allow
++ - file_groupowner_sshd_config
++ - file_owner_sshd_config
++ - file_permissions_sshd_config
++ - file_permissions_sshd_private_key
++ - file_permissions_sshd_pub_key
++ - sshd_set_loglevel_verbose
++ - sshd_set_loglevel_info
++ - sshd_max_auth_tries_value=4
++ - sshd_set_max_auth_tries
++ - sshd_disable_rhosts
++ - disable_host_auth
++ - sshd_disable_root_login
++ - sshd_disable_empty_passwords
++ - sshd_do_not_permit_user_env
++ - sshd_idle_timeout_value=15_minutes
++ - sshd_set_idle_timeout
++ - sshd_set_keepalive
++ - var_sshd_set_keepalive=0
++ - sshd_set_login_grace_time
++ - var_sshd_set_login_grace_time=60
++ - sshd_enable_warning_banner
++ - sshd_enable_pam
++ - sshd_set_maxstartups
++ - var_sshd_set_maxstartups=10:30:60
++ - sshd_set_max_sessions
++ - var_sshd_max_sessions=10
++ - accounts_password_pam_minclass
++ - accounts_password_pam_minlen
++ - accounts_password_pam_retry
++ - var_password_pam_minclass=4
++ - var_password_pam_minlen=14
++ - locking_out_password_attempts
++ - accounts_password_pam_pwhistory_remember_password_auth
++ - accounts_password_pam_pwhistory_remember_system_auth
++ - var_password_pam_remember_control_flag=required
++ - var_password_pam_remember=5
++ - set_password_hashing_algorithm_systemauth
++ - accounts_maximum_age_login_defs
++ - var_accounts_maximum_age_login_defs=365
++ - accounts_password_set_max_life_existing
++ - accounts_minimum_age_login_defs
++ - var_accounts_minimum_age_login_defs=7
++ - accounts_password_set_min_life_existing
++ - accounts_password_warn_age_login_defs
++ - var_accounts_password_warn_age_login_defs=7
++ - account_disable_post_pw_expiration
++ - var_account_disable_post_pw_expiration=30
++ - no_shelllogin_for_systemaccounts
++ - accounts_tmout
++ - var_accounts_tmout=15_min
++ - accounts_root_gid_zero
++ - accounts_umask_etc_bashrc
++ - accounts_umask_etc_login_defs
++ - use_pam_wheel_for_su
++ - sshd_allow_only_protocol2
++ - journald_forward_to_syslog
++ - journald_compress
++ - journald_storage
++ - service_auditd_enabled
++ - service_httpd_disabled
++ - service_vsftpd_disabled
++ - service_named_disabled
++ - service_nfs_disabled
++ - service_rpcbind_disabled
++ - service_slapd_disabled
++ - service_dhcpd_disabled
++ - service_cups_disabled
++ - service_ypserv_disabled
++ - service_rsyncd_disabled
++ - service_avahi-daemon_disabled
++ - service_snmpd_disabled
++ - service_squid_disabled
++ - service_smb_disabled
++ - service_dovecot_disabled
++ - banner_etc_motd
++ - login_banner_text=cis_banners
++ - banner_etc_issue
++ - login_banner_text=cis_banners
++ - file_groupowner_etc_motd
++ - file_owner_etc_motd
++ - file_permissions_etc_motd
++ - file_groupowner_etc_issue
++ - file_owner_etc_issue
++ - file_permissions_etc_issue
++ - ensure_gpgcheck_globally_activated
++ - package_aide_installed
++ - aide_periodic_cron_checking
++ - grub2_password
++ - file_groupowner_grub2_cfg
++ - file_owner_grub2_cfg
++ - file_permissions_grub2_cfg
++ - require_singleuser_auth
++ - require_emergency_target_auth
++ - disable_users_coredumps
++ - coredump_disable_backtraces
++ - coredump_disable_storage
++ - configure_crypto_policy
++ - var_system_crypto_policy=default_policy
++ - dir_perms_world_writable_sticky_bits
+ - file_permissions_etc_passwd
++ - file_owner_etc_shadow
++ - file_groupowner_etc_shadow
++ - file_groupowner_etc_group
++ - file_owner_etc_group
++ - file_permissions_etc_group
++ - file_groupowner_etc_gshadow
++ - file_owner_etc_gshadow
++ - file_groupowner_backup_etc_passwd
++ - file_owner_backup_etc_passwd
++ - file_permissions_backup_etc_passwd
++ - file_groupowner_backup_etc_shadow
++ - file_owner_backup_etc_shadow
++ - file_permissions_backup_etc_shadow
++ - file_groupowner_backup_etc_group
++ - file_owner_backup_etc_group
++ - file_permissions_backup_etc_group
++ - file_groupowner_backup_etc_gshadow
++ - file_owner_backup_etc_gshadow
++ - file_permissions_backup_etc_gshadow
++ - file_permissions_unauthorized_world_writable
++ - file_permissions_ungroupowned
++ - accounts_root_path_dirs_no_write
++ - root_path_no_dot
++ - accounts_no_uid_except_zero
++ - file_ownership_home_directories
++ - file_groupownership_home_directories
++ - no_netrc_files
++ - no_rsh_trust_files
++ - account_unique_id
++ - group_unique_id
++ - group_unique_name
++ - kernel_module_sctp_disabled
++ - kernel_module_dccp_disabled
++ - wireless_disable_interfaces
++ - sysctl_net_ipv4_ip_forward
++ - sysctl_net_ipv6_conf_all_forwarding
++ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
++ - sysctl_net_ipv4_conf_all_send_redirects
++ - sysctl_net_ipv4_conf_default_send_redirects
++ - sysctl_net_ipv4_conf_all_accept_source_route
++ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
++ - sysctl_net_ipv4_conf_default_accept_source_route
++ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
++ - sysctl_net_ipv6_conf_all_accept_source_route
++ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
++ - sysctl_net_ipv6_conf_default_accept_source_route
++ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
++ - sysctl_net_ipv4_conf_all_accept_redirects
++ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
++ - sysctl_net_ipv4_conf_default_accept_redirects
++ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
++ - sysctl_net_ipv6_conf_all_accept_redirects
++ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
++ - sysctl_net_ipv6_conf_default_accept_redirects
++ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
++ - sysctl_net_ipv4_conf_all_secure_redirects
++ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
++ - sysctl_net_ipv4_conf_default_secure_redirects
++ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
++ - sysctl_net_ipv4_conf_all_log_martians
++ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
++ - sysctl_net_ipv4_conf_default_log_martians
++ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
++ - sysctl_net_ipv4_conf_all_rp_filter
++ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
++ - sysctl_net_ipv4_conf_default_rp_filter
++ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
++ - sysctl_net_ipv4_tcp_syncookies
++ - sysctl_net_ipv4_tcp_syncookies_value=enabled
++ - sysctl_net_ipv6_conf_all_accept_ra
++ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
++ - sysctl_net_ipv6_conf_default_accept_ra
++ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
++ - package_firewalld_installed
++ - service_firewalld_enabled
++ - package_iptables_installed
+--
+2.34.1
+
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/run_eval.sh b/meta-security/recipes-compliance/scap-security-guide/files/run_eval.sh
new file mode 100644
index 0000000..cc79bac
--- /dev/null
+++ b/meta-security/recipes-compliance/scap-security-guide/files/run_eval.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+oscap xccdf eval --results results.xml --report report.html --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml
diff --git a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
new file mode 100644
index 0000000..31ab96e
--- /dev/null
+++ b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
@@ -0,0 +1,45 @@
+# Copyright (C) 2017 - 2023 Armin Kuster <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "SCAP content for various platforms, upstream version"
+HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
+LICENSE = "BSD-3-Clause"
+
+SRCREV = "dad85502ce8da722a6afc391346c41cee61e90a9"
+SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \
+ file://0001-scap-security-guide-add-openembedded.patch \
+ file://0001-standard.profile-expand-checks.patch \
+ file://0001-scap-security-guide-add-Poky-support.patch \
+ file://run_eval.sh \
+ "
+
+
+DEPENDS = "openscap-native python3-pyyaml-native python3-jinja2-native libxml2-native expat-native coreutils-native"
+
+S = "${WORKDIR}/git"
+B = "${S}/build"
+
+inherit cmake pkgconfig python3native python3targetconfig
+
+OECMAKE_GENERATOR = "Unix Makefiles"
+
+EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OE=ON"
+
+do_configure[depends] += "openscap-native:do_install"
+
+do_configure:prepend () {
+ sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
+ sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt
+}
+
+do_install:append() {
+ install -d ${D}${datadir}/openscap
+ install ${WORKDIR}/run_eval.sh ${D}${datadir}/openscap/.
+}
+
+FILES:${PN} += "${datadir}/xml ${datadir}/openscap"
+
+RDEPENDS:${PN} = "openscap"
+
+COMPATIBLE_HOST:libc-musl = "null"
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework-dm/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework-dm/dmverity
index c815940..1923490 100644
--- a/meta-security/recipes-core/initrdscripts/initramfs-framework-dm/dmverity
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework-dm/dmverity
@@ -8,13 +8,42 @@
DATA_SIZE="__not_set__"
DATA_BLOCK_SIZE="__not_set__"
ROOT_HASH="__not_set__"
+ SEPARATE_HASH="__not_set__"
. /usr/share/misc/dm-verity.env
C=0
delay=${bootparam_rootdelay:-1}
timeout=${bootparam_roottimeout:-5}
- RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+
+ # we know exactly what we are looking for; don't need the wide hunt below
+ if [ "${SEPARATE_HASH}" -eq "1" ]; then
+ while [ ! -b "/dev/disk/by-partuuid/${ROOT_UUID}" ]; do
+ if [ $(( $C * $delay )) -gt $timeout ]; then
+ fatal "Root device (data) resolution failed"
+ exit 1
+ fi
+ debug "Sleeping for $delay second(s) to wait for root data to settle..."
+ sleep $delay
+ C=$(( $C + 1 ))
+ done
+
+ veritysetup \
+ --data-block-size=${DATA_BLOCK_SIZE} \
+ create rootfs \
+ /dev/disk/by-partuuid/${ROOT_UUID} \
+ /dev/disk/by-partuuid/${RHASH_UUID} \
+ ${ROOT_HASH}
+
+ mount \
+ -o ro \
+ /dev/mapper/rootfs \
+ ${ROOTFS_DIR} || exit 2
+
+ return
+ fi
+
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)"
while [ ! -b "${RDEV}" ]; do
if [ $(( $C * $delay )) -gt $timeout ]; then
fatal "Root device resolution failed"
@@ -23,22 +52,22 @@
case "${bootparam_root}" in
ID=*)
- RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=} 2>/dev/null)"
;;
LABEL=*)
- RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=} 2>/dev/null)"
;;
PARTLABEL=*)
- RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=} 2>/dev/null)"
;;
PARTUUID=*)
- RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)"
;;
PATH=*)
- RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=} 2>/dev/null)"
;;
UUID=*)
- RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=} 2>/dev/null)"
;;
*)
RDEV="${bootparam_root}"
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index b009a4d..494745b 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -12,6 +12,7 @@
packagegroup-security-audit \
packagegroup-security-ids \
packagegroup-security-mac \
+ packagegroup-security-compliance \
${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
"
@@ -21,6 +22,7 @@
packagegroup-security-audit \
packagegroup-security-ids \
packagegroup-security-mac \
+ packagegroup-security-compliance \
${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
"
@@ -91,6 +93,16 @@
RDEPENDS:packagegroup-security-mac:remove:mipsarch = "apparmor"
+SUMMARY:packagegroup-security-compliance = "Security Compliance applications"
+RDEPENDS:packagegroup-security-compliance = " \
+ lynis \
+ openscap \
+ scap-security-guide \
+ os-release \
+ "
+
+RDEPENDS:packagegroup-security-compliance:remove:libc-musl = "openscap scap-security-guide"
+
RDEPENDS:packagegroup-meta-security-ptest-packages = "\
ptest-runner \
samhain-standalone-ptest \
diff --git a/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch b/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
index 5284313..e00fc2a 100644
--- a/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
@@ -1,6 +1,6 @@
not run test on host, since we are doing cross-compile
-Upstream-status: Inappropriate [cross compile specific]
+Upstream-Status: Inappropriate [cross compile specific]
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
diff --git a/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch b/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch
index 592bd16..8fdadd1 100644
--- a/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch
+++ b/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch
@@ -2,15 +2,15 @@
Author: Aws Ismail <aws.ismail@windriver.com>
Date: Thu Jan 10 16:29:05 2013 -0500
- Set the PID Lock path for samhain.pid
+Set the PID Lock path for samhain.pid
- The explicit path for samhain.pid inorder
- for samhain to work properly after it initial
- database build.
+The explicit path for samhain.pid inorder
+for samhain to work properly after it initial
+database build.
- Upstream-Status: Inappropriate [configuration]
+Upstream-Status: Inappropriate [configuration]
- Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
diff --git a/samhainrc.linux b/samhainrc.linux
index 10a8176..a7b06e6 100644
diff --git a/meta-security/recipes-ids/suricata/files/fixup.patch b/meta-security/recipes-ids/suricata/files/fixup.patch
index fc44ce6..4646aa9 100644
--- a/meta-security/recipes-ids/suricata/files/fixup.patch
+++ b/meta-security/recipes-ids/suricata/files/fixup.patch
@@ -1,6 +1,6 @@
Skip pkg Makefile from using its own rust steps
-Upstream-Status: OE Specific
+Upstream-Status: Inappropriate [OE Specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-security/recipes-ids/tripwire/files/add_armeb_arch.patch b/meta-security/recipes-ids/tripwire/files/add_armeb_arch.patch
deleted file mode 100644
index 2379d66..0000000
--- a/meta-security/recipes-ids/tripwire/files/add_armeb_arch.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-tripwire: Add armeb support
-
-Upstream-Status: Submitted to tripwire-dev
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
-diff -Naurp tripwire-2.4.2.2-src_org/config.sub tripwire-2.4.2.2-src/config.sub
---- tripwire-2.4.2.2-src_org/config.sub 2015-07-20 15:03:04.161452573 +0530
-+++ tripwire-2.4.2.2-src/config.sub 2015-07-20 15:06:07.077673139 +0530
-@@ -268,7 +268,7 @@ case $basic_machine in
- # FIXME: clean up the formatting here.
- vax-* | tahoe-* | i*86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \
- | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | c[123]* | aarch64-* | aarch64be-* \
-- | arm-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \
-+ | arm-* | armeb-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \
- | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
- | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \
- | xmp-* | ymp-* \
diff --git a/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch b/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
index ef55de7..585f306 100644
--- a/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
+++ b/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
@@ -5,7 +5,7 @@
done via the compiler rather than the linker directly so pass in CC not LD
here.
-Signed-Off-By: Tom Rini <trini@konsulko.com>
+Signed-off-by: Tom Rini <trini@konsulko.com>
--- a/libraries/libapparmor/swig/perl/Makefile.am.orig 2017-06-13 19:04:43.296676212 -0400
+++ b/libraries/libapparmor/swig/perl/Makefile.am 2017-06-13 19:05:03.488676693 -0400
diff --git a/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch b/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch
deleted file mode 100644
index cf2640f..0000000
--- a/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Upstream-Status: Inappropriate [configuration]
-
-Remove file check for $perl_includedir/perl.h. AC_CHECK_FILE will fail on
-cross compilation. Rather than try and get a compile check to work here,
-we know that we have what's required via our metadata so remove only this
-check.
-
-Signed-Off-By: Tom Rini <trini@konsulko.com>
-
---- a/libraries/libapparmor/configure.ac.orig 2017-06-13 16:41:38.668471495 -0400
-+++ b/libraries/libapparmor/configure.ac 2017-06-13 16:41:40.708471543 -0400
-@@ -58,7 +58,6 @@
- AC_PATH_PROG(PERL, perl)
- test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings])
- perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE"
-- AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no)
- fi
-
-
diff --git a/meta-security/recipes-perl/perl/files/libwhisker2.patch b/meta-security/recipes-perl/perl/files/libwhisker2.patch
index c066366..4ea1ee5 100644
--- a/meta-security/recipes-perl/perl/files/libwhisker2.patch
+++ b/meta-security/recipes-perl/perl/files/libwhisker2.patch
@@ -7,6 +7,8 @@
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
---
+Upstream-Status: Pending
+
Makefile.pl | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
index 8efb339..4b4d476 100644
--- a/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
+++ b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
@@ -82,6 +82,6 @@
COMPATIBLE_HOST:riscv32 = "null"
COMPATIBLE_HOST:riscv64 = "null"
-OMPATIBLE_HOST:libc-musl = "null"
+COMPATIBLE_HOST:libc-musl = "null"
RDEPENDS:${PN} = "libpcap"
diff --git a/meta-security/recipes-scanners/arpwatch/files/postfix_workaround.patch b/meta-security/recipes-scanners/arpwatch/files/postfix_workaround.patch
deleted file mode 100644
index 95213f2..0000000
--- a/meta-security/recipes-scanners/arpwatch/files/postfix_workaround.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-Sendmail exists after the system boots. We are using postfix
-so no need to check if it exists.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: arpwatch-3.0/configure
-===================================================================
---- arpwatch-3.0.orig/configure
-+++ arpwatch-3.0/configure
-@@ -636,7 +636,6 @@ LBL_LIBS
- HAVE_FREEBSD_TRUE
- HAVE_FREEBSD_FALSE
- PYTHON
--V_SENDMAIL
- LIBOBJS
- INSTALL_DATA
- INSTALL_SCRIPT
-@@ -5573,53 +5572,6 @@ fi
- done
-
-
--# Extract the first word of "sendmail", so it can be a program name with args.
--set dummy sendmail; ac_word=$2
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
--$as_echo_n "checking for $ac_word... " >&6; }
--if ${ac_cv_path_V_SENDMAIL+:} false; then :
-- $as_echo_n "(cached) " >&6
--else
-- case $V_SENDMAIL in
-- [\\/]* | ?:[\\/]*)
-- ac_cv_path_V_SENDMAIL="$V_SENDMAIL" # Let the user override the test with a path.
-- ;;
-- *)
-- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
--as_dummy="$PATH:/usr/sbin:/usr/lib:/usr/bin:/usr/ucblib:/usr/local/etc"
--for as_dir in $as_dummy
--do
-- IFS=$as_save_IFS
-- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-- ac_cv_path_V_SENDMAIL="$as_dir/$ac_word$ac_exec_ext"
-- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-- break 2
-- fi
--done
-- done
--IFS=$as_save_IFS
--
-- ;;
--esac
--fi
--V_SENDMAIL=$ac_cv_path_V_SENDMAIL
--if test -n "$V_SENDMAIL"; then
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $V_SENDMAIL" >&5
--$as_echo "$V_SENDMAIL" >&6; }
--else
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--fi
--
--
--
--if test -z "${V_SENDMAIL}" ; then
-- as_fn_error $? "Can't find sendmail" "$LINENO" 5
--fi
--
--
- python=${PYTHON:-python}
- # Extract the first word of "${python}", so it can be a program name with args.
- set dummy ${python}; ac_word=$2
-Index: arpwatch-3.0/configure.in
-===================================================================
---- arpwatch-3.0.orig/configure.in
-+++ arpwatch-3.0/configure.in
-@@ -76,13 +76,6 @@ AC_LBL_UNION_WAIT
- AC_CHECK_LIB(resolv, res_query)
- AC_LBL_LIBPCAP(V_PCAPDEP, V_INCLS)
-
--AC_PATH_PROG(V_SENDMAIL, sendmail,,
-- $PATH:/usr/sbin:/usr/lib:/usr/bin:/usr/ucblib:/usr/local/etc)
--
--if test -z "${V_SENDMAIL}" ; then
-- AC_MSG_ERROR([Can't find sendmail])
--fi
--
- dnl AC_LBL_CHECK_TYPE(int32_t, int)
- dnl AC_LBL_CHECK_TYPE(u_int32_t, u_int)
-
diff --git a/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb b/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb
index 881c2a3..85884a7 100644
--- a/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb
+++ b/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb
@@ -33,6 +33,7 @@
perl-module-lib perl-module-posix perl-module-term-ansicolor \
perl-module-time-localtime pinentry perl-module-pod-usage \
perl-module-pod-text perl-module-file-glob \
+ perl-module-cwd perl-module-encode perl-module-encode-encoding \
"
RDEPENDS:${PN}:class-native = "coreutils net-tools perl perl-module-data-dumper \
diff --git a/meta-security/recipes-scanners/clamav/files/fix2_libcurl_check.patch b/meta-security/recipes-scanners/clamav/files/fix2_libcurl_check.patch
deleted file mode 100644
index 46406e9..0000000
--- a/meta-security/recipes-scanners/clamav/files/fix2_libcurl_check.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-clamav .102.2 tries to find clamav using culf_config. Use EO pkg_config instead
-
-Upstream-Status: OE specific
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: git/configure
-===================================================================
---- git.orig/configure
-+++ git/configure
-@@ -28850,39 +28850,14 @@ $as_echo_n "checking for libcurl install
- if test "${with_libcurl+set}" = set; then :
- withval=$with_libcurl;
- find_curl="no"
--if test "X$withval" = "Xyes"; then
-- find_curl="yes"
--else
-- if test "X$withval" != "Xno"; then
-- if test -f "${withval}/bin/curl-config"; then
-- LIBCURL_HOME="$withval"
-- have_curl="yes"
-- fi
-- fi
--fi
--
--else
-- find_curl="yes"
--fi
--
--
--if test "X$find_curl" = "Xyes"; then
-- for p in /usr/local /usr ; do
-- if test -f "${p}/bin/curl-config"; then
-- LIBCURL_HOME=$p
-- have_curl="yes"
-- fi
-- done
--fi
--
--if test "X$have_curl" = "Xyes"; then
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIBCURL_HOME" >&5
--$as_echo "$LIBCURL_HOME" >&6; }
-- if test -f "$LIBCURL_HOME/bin/curl-config"; then
-+ #save_LDFLAGS="$LDFLAGS"
-+ if test "X$withval" != "Xno"; then
-+ LIBCURL_HOME="$withval"
-+ if test "${PKG_CONFIG} libcurl --exists"; then
- CURL_LDFLAGS="$LDFLAGS"
-- CURL_LIBS=$($LIBCURL_HOME/bin/curl-config --libs)
-- CURL_CPPFLAGS=$($LIBCURL_HOME/bin/curl-config --cflags)
-- else
-+ CURL_LIBS=$($PKG_CONFIG libcurl --libs)
-+ CURL_CPPFLAGS=$($PKG_CONFIG libcurl --cflags)
-+ else
- if test "$LIBCURL_HOME" != "/usr"; then
- CURL_LDFLAGS="-L$LIBCURL_HOME/lib"
- CURL_CPPFLAGS="-I$LIBCURL_HOME/include"
-@@ -28891,60 +28866,12 @@ $as_echo "$LIBCURL_HOME" >&6; }
- CURL_CPPFLAGS=""
- fi
- CURL_LIBS="-lcurl"
-- fi
-- save_LDFLAGS="$LDFLAGS"
-- LDFLAGS="$CURL_LDFLAGS $CURL_LIBS"
-- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for curl_easy_init in -lcurl" >&5
--$as_echo_n "checking for curl_easy_init in -lcurl... " >&6; }
--if ${ac_cv_lib_curl_curl_easy_init+:} false; then :
-- $as_echo_n "(cached) " >&6
--else
-- ac_check_lib_save_LIBS=$LIBS
--LIBS="-lcurl $CURL_LIBS
-- $LIBS"
--cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--/* end confdefs.h. */
--
--/* Override any GCC internal prototype to avoid an error.
-- Use char because int might match the return type of a GCC
-- builtin and then its argument prototype would still apply. */
--#ifdef __cplusplus
--extern "C"
--#endif
--char curl_easy_init ();
--int
--main ()
--{
--return curl_easy_init ();
-- ;
-- return 0;
--}
--_ACEOF
--if ac_fn_c_try_link "$LINENO"; then :
-- ac_cv_lib_curl_curl_easy_init=yes
--else
-- ac_cv_lib_curl_curl_easy_init=no
--fi
--rm -f core conftest.err conftest.$ac_objext \
-- conftest$ac_exeext conftest.$ac_ext
--LIBS=$ac_check_lib_save_LIBS
--fi
--{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_curl_easy_init" >&5
--$as_echo "$ac_cv_lib_curl_curl_easy_init" >&6; }
--if test "x$ac_cv_lib_curl_curl_easy_init" = xyes; then :
--
-- curl_msg="";
-- have_curl="yes";
-- CLAMSUBMIT_LIBS="$CLAMSUBMIT_LIBS $CURL_LDFLAGS $CURL_LIBS";
-- CLAMSUBMIT_CFLAGS="$CLAMSUBMIT_CFLAGS $CURL_CPPFLAGS";
-- FRESHCLAM_LIBS="$FRESHCLAM_LIBS $CURL_LDFLAGS $CURL_LIBS";
-- FRESHCLAM_CPPFLAGS="$FRESHCLAM_CPPFLAGS $CURL_CPPFLAGS"
--
--else
--
-- as_fn_error $? "Your libcurl is misconfigured. libcurl (e.g. libcurl-devel) is required in order to build freshclam and clamsubmit." "$LINENO" 5
-+ fi
-
--fi
-+ have_curl="yes"
-+ LDFLAGS="$save_LDFLAGS"
-+ LDFLAGS="$CURL_LDFLAGS $CURL_LIBS"
-+ fi
-
- LDFLAGS="$save_LDFLAGS"
- else
diff --git a/meta-security/recipes-scanners/clamav/files/test.patch b/meta-security/recipes-scanners/clamav/files/test.patch
deleted file mode 100644
index a22b45d..0000000
--- a/meta-security/recipes-scanners/clamav/files/test.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Index: clamav-0.103.0/Makefile.am
-===================================================================
---- clamav-0.103.0.orig/Makefile.am
-+++ clamav-0.103.0/Makefile.am
-@@ -28,7 +28,6 @@ else
- SUBDIRS = libltdl libclamav shared libfreshclam clamscan clamd clamdscan freshclam sigtool clamconf database docs etc clamav-milter test clamdtop clambc unit_tests
- EXTRA_DIST = examples shared libclamav.pc.in COPYING.bzip2 COPYING.lzma COPYING.unrar COPYING.LGPL COPYING.llvm COPYING.file COPYING.zlib COPYING.getopt COPYING.regex COPYING.YARA COPYING.pcre platform.h.in libclamunrar libclamunrar_iface libclammspack clamdscan/clamdscan.map win32 ChangeLog.md INSTALL.cmake.md INSTALL.autotools.md NEWS.md README.md cmake CMakeLists.txt CMakeOptions.cmake $(top_srcdir)/**/CMakeLists.txt libclammspack/config.h.in.cmake clamav-config.h.cmake.in target.h.cmake.in autogen.sh
-
--bin_SCRIPTS=clamav-config
-
- if BUILD_CLAMONACC
- SUBDIRS += clamonacc
-Index: clamav-0.103.0/Makefile.in
-===================================================================
---- clamav-0.103.0.orig/Makefile.in
-+++ clamav-0.103.0/Makefile.in
-@@ -641,7 +641,6 @@ ACLOCAL_AMFLAGS = -I m4
- @BUILD_LIBCLAMAV_ONLY_TRUE@SUBDIRS = libclamav $(am__append_1) \
- @BUILD_LIBCLAMAV_ONLY_TRUE@ $(am__append_2) $(am__append_3)
- @BUILD_LIBCLAMAV_ONLY_FALSE@bin_SCRIPTS = clamav-config
--@BUILD_LIBCLAMAV_ONLY_TRUE@bin_SCRIPTS = clamav-config
- @BUILD_LIBCLAMAV_ONLY_FALSE@EXTRA_DIST = examples shared libclamav.pc.in COPYING.bzip2 COPYING.lzma COPYING.unrar COPYING.LGPL COPYING.llvm COPYING.file COPYING.zlib COPYING.getopt COPYING.regex COPYING.YARA COPYING.pcre platform.h.in libclamunrar libclamunrar_iface libclammspack clamdscan/clamdscan.map win32 ChangeLog.md INSTALL.cmake.md INSTALL.autotools.md NEWS.md README.md cmake CMakeLists.txt CMakeOptions.cmake $(top_srcdir)/**/CMakeLists.txt libclammspack/config.h.in.cmake clamav-config.h.cmake.in target.h.cmake.in autogen.sh
- pkgconfigdir = $(libdir)/pkgconfig
- pkgconfig_DATA = libclamav.pc
diff --git a/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
index 3b29be0..01b7dd8 100644
--- a/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
+++ b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
@@ -1,3 +1,5 @@
+Upstream-Status: Pending
+
Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
===================================================================
--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c
diff --git a/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
index 4252f97..a457d79 100644
--- a/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
+++ b/meta-security/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
@@ -14,7 +14,7 @@
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
-Upstream-Status: backport
+Upstream-Status: Backport
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
diff --git a/meta-security/recipes-security/isic/files/configure_fix.patch b/meta-security/recipes-security/isic/files/configure_fix.patch
index fc2a774..ed2bf7a 100644
--- a/meta-security/recipes-security/isic/files/configure_fix.patch
+++ b/meta-security/recipes-security/isic/files/configure_fix.patch
@@ -1,6 +1,7 @@
isic: add with-libnet remove libnet test
-Inappropriate - builds fine on non-oe systems. We need to exlude
+Upstream-Status: Inappropriate [embedded specific]
+builds fine on non-oe systems. We need to exlude
cross compile libnet test. Pass in the location for libnet.a. Path
did not support mulitlib either.
diff --git a/meta-security/recipes-security/isic/files/isic-0.07-make.patch b/meta-security/recipes-security/isic/files/isic-0.07-make.patch
index 9cffa8a..94349ce 100644
--- a/meta-security/recipes-security/isic/files/isic-0.07-make.patch
+++ b/meta-security/recipes-security/isic/files/isic-0.07-make.patch
@@ -1,6 +1,6 @@
isic: Fixup makefile to support destination
-Backport:
+Upstream-Status: Backport
http://pkgs.fedoraproject.org/cgit/isic.git/tree/isic-0.07-make.patch
Signed-off-by: Armin Kuster <akuser808@gmail.com>
diff --git a/meta-security/recipes-security/isic/files/isic-0.07-netinet.patch b/meta-security/recipes-security/isic/files/isic-0.07-netinet.patch
index c4ea74e..448ba68 100644
--- a/meta-security/recipes-security/isic/files/isic-0.07-netinet.patch
+++ b/meta-security/recipes-security/isic/files/isic-0.07-netinet.patch
@@ -1,6 +1,6 @@
isic: add missing header file
-Backport:
+Upstream-Status: Backport
http://pkgs.fedoraproject.org/cgit/isic.git/tree/isic-0.07-netinet.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-security/recipes-security/krill/files/panic_workaround.patch b/meta-security/recipes-security/krill/files/panic_workaround.patch
index dc26416..f63169f 100644
--- a/meta-security/recipes-security/krill/files/panic_workaround.patch
+++ b/meta-security/recipes-security/krill/files/panic_workaround.patch
@@ -1,4 +1,4 @@
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/Cargo.toml
diff --git a/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
index 31d7252..220a2b8 100644
--- a/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
+++ b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
@@ -1,6 +1,6 @@
Configure does not work with OE pkg-config for the ldns option
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch
index b4ed430..c20d5d2 100644
--- a/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch
+++ b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch
@@ -1,6 +1,6 @@
configure does not work with OE pkg-config for the libxml2 option
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-security/wic/beaglebone-yocto-verity.wks.in b/meta-security/wic/beaglebone-yocto-verity.wks.in
index a1d7738..d2923de 100644
--- a/meta-security/wic/beaglebone-yocto-verity.wks.in
+++ b/meta-security/wic/beaglebone-yocto-verity.wks.in
@@ -3,6 +3,7 @@
# Copyright (C) 2020 BayLibre SAS
# Author: Bartosz Golaszewski <bgolaszewski@baylibre.com>
#
+# short-description: Create a u-SD image for beaglebone-black with dm-verity
# A dm-verity variant of the regular wks for beaglebone black. We need to fetch
# the partition images from the DEPLOY_DIR_IMAGE as the rootfs source plugin will
# not recreate the exact block device corresponding with the hash tree. We must
diff --git a/meta-security/wic/systemd-bootdisk-dmverity-hash.wks.in b/meta-security/wic/systemd-bootdisk-dmverity-hash.wks.in
new file mode 100644
index 0000000..e400593
--- /dev/null
+++ b/meta-security/wic/systemd-bootdisk-dmverity-hash.wks.in
@@ -0,0 +1,18 @@
+# short-description: Create an EFI disk image with systemd-boot and separate hash dm-verity
+# A dm-verity variant of the regular wks for IA machines. We need to fetch
+# the partition images from the IMGDEPLOYDIR as the rootfs source plugin will
+# not recreate the exact block device corresponding with the hash tree. We must
+# not alter the label or any other setting on the image.
+# Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
+#
+# This .wks only works with the dm-verity-img class and separate hash data. (DM_VERITY_SEPARATE_HASH)
+
+part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid
+
+# include the root+hash part with the dynamic hash/UUIDs from the build.
+include ${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.${DM_VERITY_IMAGE_TYPE}.wks.in
+
+# add "console=ttyS0,115200" or whatever you need to the --append="..."
+bootloader --ptable gpt --timeout=5 --append="root=/dev/mapper/rootfs"
+
+part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid
diff --git a/meta-security/wic/systemd-bootdisk-dmverity.wks.in b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
index a275a48..8466368 100644
--- a/meta-security/wic/systemd-bootdisk-dmverity.wks.in
+++ b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
@@ -1,3 +1,4 @@
+# short-description: Create an EFI disk image with systemd-boot and dm-verity
# A dm-verity variant of the regular wks for IA machines. We need to fetch
# the partition images from the IMGDEPLOYDIR as the rootfs source plugin will
# not recreate the exact block device corresponding with the hash tree. We must