meta-security: subtree update:46f7e7acbe..152cdb506b
Anton Antonov (1):
Do not use clang toolchain in Parsec recipes
Armin Kuster (9):
initramfs-framework: fix typo in conditional
ssshgaurd: add packaage
packagegroup-core-security: add sshguard
initramfs-framework: rename files dir
sssd: update to 2.5.1
suricata: update to 6.0.3
kas/kas-security-alt.yml: add meta-rust
.gitlab-ci.yml: fix qemux86 musl order
tpm-tools: fix build issue
Yi Zhao (2):
apparmor: upgrade 3.0 -> 3.0.1
apparmor: use its own initscript and service files
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Idf435d7f6b767d87ae2cc720b520e57c22645935
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index 206d724..762ba66 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -66,7 +66,7 @@
qemux86-musl:
extends: .musl
- needs: ['qemux86-parsec']
+ needs: ['qemux86']
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb
similarity index 90%
rename from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb
rename to meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb
index 34e72e9..38dece9 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb
+++ b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb
@@ -5,7 +5,7 @@
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
-SRCREV = "eaa2db29e65e7f2691c18a9022aeb5fb836ec5f1"
+SRCREV = "fca44158911a1642880ea5c774151a33ad33d906"
DEPENDS = "zlib"
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
index 85f419e..7d3509a 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
+++ b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
@@ -1,8 +1,3 @@
HOMEPAGE = "http://suricata-ids.org/"
SECTION = "security Monitor/Admin"
LICENSE = "GPLv2"
-
-VER = "6.0.2"
-SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-
-SRC_URI[sha256sum] = "5e4647a07cb31b5d6d0049972a45375c137de908a964a44e2d6d231fa3ad4b52"
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb
similarity index 92%
rename from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
rename to meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb
index a4255d2..632f1d8 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
+++ b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb
@@ -2,10 +2,13 @@
require suricata.inc
-DEPENDS = "lz4 libhtp"
-
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz"
+SRC_URI[sha256sum] = "daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602"
+
+DEPENDS = "lz4 libhtp"
+
SRC_URI += " \
file://volatiles.03_suricata \
file://tmpfiles.suricata \
@@ -84,6 +87,16 @@
crate://crates.io/log/0.4.0 \
crate://crates.io/rand_hc/0.2.0 \
crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \
+ crate://crates.io/sawp/0.5.0 \
+ crate://crates.io/sawp-modbus/0.5.0 \
+ crate://crates.io/brotli/3.3.0 \
+ crate://crates.io/flate2/1.0.20 \
+ crate://crates.io/alloc-no-stdlib/2.0.1 \
+ crate://crates.io/alloc-stdlib/0.2.1 \
+ crate://crates.io/brotli-decompressor/2.3.1 \
+ crate://crates.io/crc32fast/1.2.1 \
+ crate://crates.io/miniz_oxide/0.4.4 \
+ crate://crates.io/adler/1.0.2 \
"
# test case support
diff --git a/meta-security/kas/kas-security-alt.yml b/meta-security/kas/kas-security-alt.yml
index 1514524..25384df 100644
--- a/meta-security/kas/kas-security-alt.yml
+++ b/meta-security/kas/kas-security-alt.yml
@@ -3,6 +3,11 @@
includes:
- kas-security-base.yml
+repos:
+ meta-rust:
+ url: https://github.com/meta-rust/meta-rust.git
+ refspec: master
+
local_conf_header:
alt: |
DISTRO_FEATURES_append = " systemd"
diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb
index 0e14955..d57a43a 100644
--- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb
+++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb
@@ -10,8 +10,7 @@
file://parsec-tmpfiles.conf \
"
-DEPENDS = "tpm2-tss"
-TOOLCHAIN = "clang"
+DEPENDS = "tpm2-tss clang-native"
CARGO_BUILD_FLAGS += " --features all-providers,cryptoki/generate-bindings,tss-esapi/generate-bindings"
diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb b/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb
index 35c65c0..881f8d8 100644
--- a/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb
+++ b/meta-security/meta-parsec/recipes-parsec/parsec-tool/parsec-tool_0.3.0.bb
@@ -7,8 +7,6 @@
SRC_URI += "crate://crates.io/parsec-tool/${PV} \
"
-TOOLCHAIN = "clang"
-
do_install() {
install -d ${D}/${bindir}
install -m 755 "${B}/target/${TARGET_SYS}/release/parsec-tool" "${D}${bindir}/parsec-tool"
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
index 8aeb8ac..9e0a686 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
@@ -9,16 +9,16 @@
LICENSE = "CPL-1.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
-DEPENDS = "libtspi openssl"
+DEPENDS = "libtspi openssl perl"
DEPENDS_class-native = "trousers-native"
SRCREV = "bf43837575c5f7d31865562dce7778eae970052e"
SRC_URI = " \
- git://git.code.sf.net/p/trousers/tpm-tools \
- file://tpm-tools-extendpcr.patch \
- file://04-fix-FTBFS-clang.patch \
- file://openssl1.1_fix.patch \
- "
+ git://git.code.sf.net/p/trousers/tpm-tools \
+ file://tpm-tools-extendpcr.patch \
+ file://04-fix-FTBFS-clang.patch \
+ file://openssl1.1_fix.patch \
+ "
inherit autotools-brokensep gettext
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework-dm/dmverity
similarity index 100%
rename from meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
rename to meta-security/recipes-core/initrdscripts/initramfs-framework-dm/dmverity
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework.inc b/meta-security/recipes-core/initrdscripts/initramfs-framework.inc
index dad9c96..12010bf 100644
--- a/meta-security/recipes-core/initrdscripts/initramfs-framework.inc
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework.inc
@@ -1,4 +1,4 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+FILESEXTRAPATHS_prepend := "${THISDIR}/initramfs-framework-dm:"
SRC_URI_append = "\
file://dmverity \
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
index dc74e01..f5d476e 100644
--- a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -1 +1 @@
-require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity', 'initramfs-framework.inc', '', d)}
+require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity-img', 'initramfs-framework.inc', '', d)}
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index e7b6d9b..8e06f30 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -40,6 +40,7 @@
softhsm \
libest \
opendnssec \
+ sshguard \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb
similarity index 80%
rename from meta-security/recipes-mac/AppArmor/apparmor_3.0.bb
rename to meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb
index d9c3e4d..ff5b39b 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb
@@ -15,24 +15,16 @@
SRC_URI = " \
git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
+ file://run-ptest \
file://disable_perl_h_check.patch \
file://crosscompile_perl_bindings.patch \
- file://apparmor.rc \
- file://functions \
- file://apparmor \
- file://apparmor.service \
file://0001-Makefile.am-suppress-perllocal.pod.patch \
- file://run-ptest \
- file://0001-apparmor-fix-manpage-order.patch \
file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
- file://0001-libapparmor-add-missing-include-for-socklen_t.patch \
- file://0002-libapparmor-add-aa_features_new_from_file-to-public-.patch \
- file://0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch \
- file://0001-aa_status-Fix-build-issue-with-musl.patch \
- file://0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch \
+ file://0001-Makefile-fix-hardcoded-installation-directories.patch \
+ file://0001-rc.apparmor.debian-add-missing-functions.patch \
"
-SRCREV = "5d51483bfecf556183558644dc8958135397a7e2"
+SRCREV = "b0f08aa9d678197b8e3477c2fbff790f50a1de5e"
S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
@@ -85,8 +77,6 @@
}
do_install () {
- install -d ${D}/${INIT_D_DIR}
- install -d ${D}/lib/apparmor
oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
oe_runmake -C ${B}/binutils DESTDIR="${D}" install
oe_runmake -C ${B}/utils DESTDIR="${D}" install
@@ -102,16 +92,16 @@
fi
if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
- install -d ${D}/lib/security
oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
fi
- install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
- install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor
+ if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
+ install -d ${D}${sysconfdir}/init.d
+ install -m 755 ${B}/parser/rc.apparmor.debian ${D}${sysconfdir}/init.d/apparmor
+ fi
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
- install -d ${D}${systemd_system_unitdir}
- install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+ oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd
fi
}
@@ -158,15 +148,6 @@
:
}
-pkg_postinst_ontarget_${PN} () {
-if [ ! -d /etc/apparmor.d/cache ] ; then
- mkdir /etc/apparmor.d/cache
-fi
-}
-
-# We need the init script so don't rm it
-RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
-
INITSCRIPT_PACKAGES = "${PN}"
INITSCRIPT_NAME = "apparmor"
INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
@@ -177,9 +158,9 @@
PACKAGES += "mod-${PN}"
-FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
+FILES_${PN} += "${nonarch_base_libdir}/apparmor/ ${base_libdir}/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-FILES_${PN}-dbg += "/lib/security/"
+FILES_${PN}-dbg += "${base_libdir}/security/.debug"
DEPENDS_append_libc-musl = " fts "
RDEPENDS_${PN}_libc-musl += "musl-utils"
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch b/meta-security/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
new file mode 100644
index 0000000..f10acb1
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch
@@ -0,0 +1,51 @@
+From 363114dcd72abf1c0dcd637c66037227b8be229b Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 21 Jun 2021 14:18:30 +0800
+Subject: [PATCH 1/2] Makefile: fix hardcoded installation directories
+
+Update the installation directories to fix the do_install error for
+multilib and usrmerge.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ changehat/pam_apparmor/Makefile | 2 +-
+ parser/Makefile | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/changehat/pam_apparmor/Makefile b/changehat/pam_apparmor/Makefile
+index f6ece2d1..0143ae9f 100644
+--- a/changehat/pam_apparmor/Makefile
++++ b/changehat/pam_apparmor/Makefile
+@@ -77,7 +77,7 @@ $(NAME).so: ${OBJECTS}
+
+ # need some better way of determining this
+ DESTDIR=/
+-SECDIR ?= ${DESTDIR}/lib/security
++SECDIR ?= ${DESTDIR}/${base_libdir}/security
+
+ .PHONY: install
+ install: $(NAME).so
+diff --git a/parser/Makefile b/parser/Makefile
+index 8250ac45..cf18bc11 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -23,10 +23,10 @@ COMMONDIR=../common/
+ include $(COMMONDIR)/Make.rules
+
+ DESTDIR=/
+-APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
+-SBINDIR=${DESTDIR}/sbin
+-USR_SBINDIR=${DESTDIR}/usr/sbin
+-SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
++APPARMOR_BIN_PREFIX=${DESTDIR}/${nonarch_base_libdir}/apparmor
++SBINDIR=${DESTDIR}/${base_sbindir}
++USR_SBINDIR=${DESTDIR}/${sbindir}
++SYSTEMD_UNIT_DIR=${DESTDIR}/${systemd_system_unitdir}
+ CONFDIR=/etc/apparmor
+ INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
+ LOCALEDIR=/usr/share/locale
+--
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
index 791437d..e7abd60 100644
--- a/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
+++ b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
@@ -6,7 +6,7 @@
This reverts commit 6016f931ebf7b61e1358f19453ef262d9d184a4e.
-Upstream-Statue: OE specific
+Upstream-Status: Inappropriate [OE specific]
These changes cause during packaging with perms changing.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
deleted file mode 100644
index 239562a..0000000
--- a/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 2bf15cc68f31c9f41962bb60a669ab2b453a039b Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 7 Oct 2020 08:27:11 -0700
-Subject: [PATCH] aa_status: Fix build issue with musl
-
-add limits.h
-
-aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'?
-| 269 | real_exe = calloc(PATH_MAX + 1, sizeof(char));
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
----
- binutils/aa_status.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/binutils/aa_status.c b/binutils/aa_status.c
-index 78b03409..41f1954e 100644
---- a/binutils/aa_status.c
-+++ b/binutils/aa_status.c
-@@ -10,6 +10,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <limits.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <sys/wait.h>
---
-2.17.1
-
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
deleted file mode 100644
index 9f3dce4..0000000
--- a/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From c9baef0c70122e1be33b627874772e6e9a5d7744 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Fri, 2 Oct 2020 19:43:44 -0700
-Subject: [PATCH] apparmor: fix manpage order
-
-It trys to create a symlink before the man pages are installed.
-
- ln -sf aa-status.8 /(path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8
- | ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-...
-
-install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8;
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
----
- binutils/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/binutils/Makefile b/binutils/Makefile
-index 99e54875..3f1d0011 100644
---- a/binutils/Makefile
-+++ b/binutils/Makefile
-@@ -156,12 +156,12 @@ install-arch: arch
- install -m 755 -d ${SBINDIR}
- ln -sf aa-status ${SBINDIR}/apparmor_status
- install -m 755 ${SBINTOOLS} ${SBINDIR}
-- ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
-
- .PHONY: install-indep
- install-indep: indep
- $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
- $(MAKE) install_manpages DESTDIR=${DESTDIR}
-+ ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
-
- ifndef VERBOSE
- .SILENT: clean
---
-2.17.1
-
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
deleted file mode 100644
index 2a56d8b..0000000
--- a/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 47263a3a74d7973e7a54b17db6aa903701468ffd Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt <ps@pks.im>
-Date: Sat, 3 Oct 2020 20:37:55 +0200
-Subject: [PATCH] libapparmor: add missing include for `socklen_t`
-
-While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
-include the `<sys/socket.h>` header to make its declaration available.
-While this works on systems using glibc via transitive includes, it
-breaks compilation on musl libc.
-
-Fix the issue by including the header.
-
-Signed-off-by: Patrick Steinhardt <ps@pks.im>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- libraries/libapparmor/include/sys/apparmor.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
-index 32892d06..d70eff94 100644
---- a/libraries/libapparmor/include/sys/apparmor.h
-+++ b/libraries/libapparmor/include/sys/apparmor.h
-@@ -21,6 +21,7 @@
- #include <stdbool.h>
- #include <stdint.h>
- #include <unistd.h>
-+#include <sys/socket.h>
- #include <sys/types.h>
-
- #ifdef __cplusplus
---
-2.17.1
-
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
deleted file mode 100644
index 9f7ad3c..0000000
--- a/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 965bb9c3e464f756b258a7c259a92bce3cde74e7 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster@mvista.com>
-Date: Wed, 7 Oct 2020 20:50:38 -0700
-Subject: [PATCH] parser/Makefile: dont force host cpp to detect reallocarray
-
-In cross build environments, using the hosts cpp gives incorrect
-detection of reallocarray. Change cpp to a variable.
-
-fixes:
-parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)':
-| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope
-| 297 | tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Upstream-Status: Pending
-
----
- parser/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/parser/Makefile b/parser/Makefile
-index acef3d77..8250ac45 100644
---- a/parser/Makefile
-+++ b/parser/Makefile
-@@ -54,7 +54,7 @@ endif
- CPPFLAGS += -D_GNU_SOURCE
-
- STDLIB_INCLUDE:="\#include <stdlib.h>"
--HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true)
-+HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true)
-
- WARNINGS = -Wall
- CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
---
-2.17.1
-
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch b/meta-security/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
new file mode 100644
index 0000000..53bdde8
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
@@ -0,0 +1,57 @@
+From a737c95ac0f887c365fe8f16583ea95da79de1e9 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 21 Jun 2021 16:53:39 +0800
+Subject: [PATCH] rc.apparmor.debian: add missing functions
+
+Add missing functions:
+ aa_log_action_start
+ aa_log_action_end
+ aa_log_daemon_msg
+ aa_log_end_msg
+
+Fixes:
+$ /etc/init.d/apparmor start
+/lib/apparmor/rc.apparmor.functions: line 294: aa_log_daemon_msg: command not found
+/lib/apparmor/rc.apparmor.functions: line 214: aa_log_action_start: command not found
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ parser/rc.apparmor.debian | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/parser/rc.apparmor.debian b/parser/rc.apparmor.debian
+index 8efd4400..f35124e8 100644
+--- a/parser/rc.apparmor.debian
++++ b/parser/rc.apparmor.debian
+@@ -70,6 +70,26 @@ aa_log_skipped_msg() {
+ echo ": Skipped."
+ }
+
++aa_log_action_start()
++{
++ echo "$@"
++}
++
++aa_log_action_end()
++{
++ printf ""
++}
++
++aa_log_daemon_msg()
++{
++ echo "$@"
++}
++
++aa_log_end_msg()
++{
++ printf ""
++}
++
+ usage() {
+ echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
+ }
+--
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
deleted file mode 100644
index 333f40f..0000000
--- a/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From c9255a03436e6a91bd4e410601da8d43a341ffc2 Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt <ps@pks.im>
-Date: Sat, 3 Oct 2020 20:58:45 +0200
-Subject: [PATCH] libapparmor: add `aa_features_new_from_file` to public
- symbols
-
-With AppArmor release 3.0, a new function `aa_features_new_from_file`
-was added, but not added to the list of public symbols. As a result,
-it's not possible to make use of this function when linking against
-libapparmor.so.
-
-Fix the issue by adding it to the symbol map.
-
-Signed-off-by: Patrick Steinhardt <ps@pks.im>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- libraries/libapparmor/src/libapparmor.map | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
-index bbff51f5..1579509a 100644
---- a/libraries/libapparmor/src/libapparmor.map
-+++ b/libraries/libapparmor/src/libapparmor.map
-@@ -117,6 +117,7 @@ APPARMOR_2.13.1 {
-
- APPARMOR_3.0 {
- global:
-+ aa_features_new_from_file;
- aa_features_write_to_fd;
- aa_features_value;
- local:
---
-2.17.1
-
diff --git a/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
deleted file mode 100644
index 543c7a1..0000000
--- a/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 9a8fee6bf1c79c261374d928b838b5eb9244ee9b Mon Sep 17 00:00:00 2001
-From: Patrick Steinhardt <ps@pks.im>
-Date: Sat, 3 Oct 2020 21:04:57 +0200
-Subject: [PATCH] libapparmor: add _aa_asprintf to private symbols
-
-While `_aa_asprintf` is supposed to be of private visibility, it's used
-by apparmor_parser and thus required to be visible when linking. This
-commit thus adds it to the list of private symbols to make it available
-for linking in apparmor_parser.
-
-Signed-off-by: Patrick Steinhardt <ps@pks.im>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- libraries/libapparmor/src/libapparmor.map | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
-index 1579509a..41e541ac 100644
---- a/libraries/libapparmor/src/libapparmor.map
-+++ b/libraries/libapparmor/src/libapparmor.map
-@@ -127,6 +127,7 @@ APPARMOR_3.0 {
- PRIVATE {
- global:
- _aa_is_blacklisted;
-+ _aa_asprintf;
- _aa_autofree;
- _aa_autoclose;
- _aa_autofclose;
---
-2.17.1
-
diff --git a/meta-security/recipes-mac/AppArmor/files/apparmor b/meta-security/recipes-mac/AppArmor/files/apparmor
deleted file mode 100644
index 604e48d..0000000
--- a/meta-security/recipes-mac/AppArmor/files/apparmor
+++ /dev/null
@@ -1,226 +0,0 @@
-#!/bin/sh
-# ----------------------------------------------------------------------
-# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
-# NOVELL (All rights reserved)
-# Copyright (c) 2008, 2009 Canonical, Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, contact Novell, Inc.
-# ----------------------------------------------------------------------
-# Authors:
-# Steve Beattie <steve.beattie@canonical.com>
-# Kees Cook <kees@ubuntu.com>
-#
-# /etc/init.d/apparmor
-#
-### BEGIN INIT INFO
-# Provides: apparmor
-# Required-Start: $local_fs
-# Required-Stop: umountfs
-# Default-Start: S
-# Default-Stop:
-# Short-Description: AppArmor initialization
-# Description: AppArmor init script. This script loads all AppArmor profiles.
-### END INIT INFO
-
-log_daemon_msg() {
- echo $*
-}
-
-log_end_msg () {
- retval=$1
- if [ $retval -eq 0 ]; then
- echo "."
- else
- echo " failed!"
- fi
- return $retval
-}
-
-. /lib/apparmor/functions
-
-usage() {
- echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
-}
-
-test -x ${PARSER} || exit 0 # by debian policy
-# LSM is built-in, so it is either there or not enabled for this boot
-test -d /sys/module/apparmor || exit 0
-
-securityfs() {
- # Need securityfs for any mode
- if [ ! -d "${AA_SFS}" ]; then
- if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
- log_daemon_msg "AppArmor not available as kernel LSM."
- log_end_msg 1
- exit 1
- else
- log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
- if ! mount -t securityfs none "${SECURITYFS}"; then
- log_end_msg 1
- exit 1
- fi
- fi
- fi
- if [ ! -w "$AA_SFS"/.load ]; then
- log_daemon_msg "Insufficient privileges to change profiles."
- log_end_msg 1
- exit 1
- fi
-}
-
-handle_system_policy_package_updates() {
- apparmor_was_updated=0
-
- if ! compare_previous_version ; then
- # On snappy flavors, if the current and previous versions are
- # different then clear the system cache. snappy will handle
- # "$PROFILES_CACHE_VAR" itself (on Touch flavors
- # compare_previous_version always returns '0' since snappy
- # isn't available).
- clear_cache_system
- apparmor_was_updated=1
- elif ! compare_and_save_debsums apparmor ; then
- # If the system policy has been updated since the last time we
- # ran, clear the cache to prevent potentially stale binary
- # cache files after an Ubuntu image based upgrade (LP:
- # #1350673). This can be removed once all system image flavors
- # move to snappy (on snappy systems compare_and_save_debsums
- # always returns '0' since /var/lib/dpkg doesn't exist).
- clear_cache
- apparmor_was_updated=1
- fi
-
- if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
- # If packages for system policy that affect click packages have
- # been updated since the last time we ran, run aa-clickhook -f
- force_clickhook=0
- force_profile_hook=0
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums click-apparmor ; then
- force_clickhook=1
- force_profile_hook=1
- fi
- if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-clickhook -f
- fi
- if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-profile-hook -f
- fi
- fi
-}
-
-# Allow "recache" even when running on the liveCD
-if [ "$1" = "recache" ]; then
- log_daemon_msg "Recaching AppArmor profiles"
- recache_profiles
- rc=$?
- log_end_msg "$rc"
- exit $rc
-fi
-
-# do not perform start/stop/reload actions when running from liveCD
-test -d /rofs/etc/apparmor.d && exit 0
-
-rc=255
-case "$1" in
- start)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not starting AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Starting AppArmor profiles"
- securityfs
- # That is only useful for click, snappy and system images,
- # i.e. not in Debian. And it reads and writes to /var, that
- # can be remote-mounted, so it would prevent us from using
- # Before=sysinit.target without possibly introducing dependency
- # loops.
- handle_system_policy_package_updates
- load_configured_profiles
- rc=$?
- log_end_msg "$rc"
- ;;
- stop)
- log_daemon_msg "Clearing AppArmor profiles cache"
- clear_cache
- rc=$?
- log_end_msg "$rc"
- cat >&2 <<EOM
-All profile caches have been cleared, but no profiles have been unloaded.
-Unloading profiles will leave already running processes permanently
-unconfined, which can lead to unexpected situations.
-
-To set a process to complain mode, use the command line tool
-'aa-complain'. To really tear down all profiles, run the init script
-with the 'teardown' option."
-EOM
- ;;
- teardown)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not tearing down AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Unloading AppArmor profiles"
- securityfs
- running_profile_names | while read profile; do
- if ! unload_profile "$profile" ; then
- log_end_msg 1
- exit 1
- fi
- done
- rc=0
- log_end_msg $rc
- ;;
- restart|reload|force-reload)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not reloading AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Reloading AppArmor profiles"
- securityfs
- clear_cache
- load_configured_profiles
- rc=$?
- unload_obsolete_profiles
-
- log_end_msg "$rc"
- ;;
- status)
- securityfs
- if [ -x /usr/sbin/aa-status ]; then
- aa-status --verbose
- else
- cat "$AA_SFS"/profiles
- fi
- rc=$?
- ;;
- *)
- usage
- rc=1
- ;;
- esac
-exit $rc
diff --git a/meta-security/recipes-mac/AppArmor/files/apparmor.rc b/meta-security/recipes-mac/AppArmor/files/apparmor.rc
deleted file mode 100644
index 1507d7b..0000000
--- a/meta-security/recipes-mac/AppArmor/files/apparmor.rc
+++ /dev/null
@@ -1,98 +0,0 @@
-description "Pre-cache and pre-load apparmor profiles"
-author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
-
-task
-
-start on starting rc-sysinit
-
-script
- [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
- [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
- [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
-
- . /lib/apparmor/functions
-
- systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
-
- # Need securityfs for any mode
- if [ ! -d /sys/kernel/security/apparmor ]; then
- if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
- exit 0
- else
- mount -t securityfs none /sys/kernel/security || exit 0
- fi
- fi
-
- [ -w /sys/kernel/security/apparmor/.load ] || exit 0
-
- apparmor_was_updated=0
- if ! compare_previous_version ; then
- # On snappy flavors, if the current and previous versions are
- # different then clear the system cache. snappy will handle
- # "$PROFILES_CACHE_VAR" itself (on Touch flavors
- # compare_previous_version always returns '0' since snappy
- # isn't available).
- clear_cache_system
- apparmor_was_updated=1
- elif ! compare_and_save_debsums apparmor ; then
- # If the system policy has been updated since the last time we
- # ran, clear the cache to prevent potentially stale binary
- # cache files after an Ubuntu image based upgrade (LP:
- # #1350673). This can be removed once all system image flavors
- # move to snappy (on snappy systems compare_and_save_debsums
- # always returns '0' since /var/lib/dpkg doesn't exist).
- clear_cache
- apparmor_was_updated=1
- fi
-
- if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
- # If packages for system policy that affect click packages have
- # been updated since the last time we ran, run aa-clickhook -f
- force_clickhook=0
- force_profile_hook=0
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums click-apparmor ; then
- force_clickhook=1
- force_profile_hook=1
- fi
- if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-clickhook -f
- fi
- if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-profile-hook -f
- fi
- fi
-
- if [ "$ACTION" = "teardown" ]; then
- running_profile_names | while read profile; do
- unload_profile "$profile"
- done
- exit 0
- fi
-
- if [ "$ACTION" = "clear" ]; then
- clear_cache
- exit 0
- fi
-
- if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
- clear_cache
- load_configured_profiles
- unload_obsolete_profiles
- exit 0
- fi
-
- # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
- # aa-clickhook will have already compiled the policy, generated the cache
- # files and loaded them into the kernel by this point, so reloading click
- # policy from cache, while fairly fast (<2 seconds for 250 profiles on
- # armhf), is redundant. Fixing this would complicate the logic quite a bit
- # and it wouldn't improve the (by far) common case (ie, when
- # 'aa-clickhook -f' is not run).
- load_configured_profiles
-end script
diff --git a/meta-security/recipes-mac/AppArmor/files/apparmor.service b/meta-security/recipes-mac/AppArmor/files/apparmor.service
deleted file mode 100644
index e66afe4..0000000
--- a/meta-security/recipes-mac/AppArmor/files/apparmor.service
+++ /dev/null
@@ -1,22 +0,0 @@
-[Unit]
-Description=AppArmor initialization
-After=local-fs.target
-Before=sysinit.target
-AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
-ConditionSecurity=apparmor
-DefaultDependencies=no
-Documentation=man:apparmor(7)
-Documentation=http://wiki.apparmor.net/
-
-# Don't start this unit on the Ubuntu Live CD
-ConditionPathExists=!/rofs/etc/apparmor.d
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/etc/init.d/apparmor start
-ExecStop=/etc/init.d/apparmor stop
-ExecReload=/etc/init.d/apparmor reload
-
-[Install]
-WantedBy=sysinit.target
diff --git a/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch b/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch
deleted file mode 100644
index c6b4bdd..0000000
--- a/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: apparmor-2.10.95/parser/Makefile
-===================================================================
---- apparmor-2.10.95.orig/parser/Makefile
-+++ apparmor-2.10.95/parser/Makefile
-@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT
- po/${NAME}.pot: ${SRCS} ${HDRS}
- $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
-
--techdoc.pdf: techdoc.tex
-- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\
-- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \
-- grep -q "Label(s) may have changed" techdoc.log; \
-- do :; done
--
--techdoc/index.html: techdoc.pdf
-- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT}
--
--techdoc.txt: techdoc/index.html
-- w3m -dump $< > $@
-
- # targets arranged this way so that people who don't want full docs can
- # pick specific targets they want.
-@@ -159,9 +148,7 @@ manpages: $(MANPAGES)
-
- htmlmanpages: $(HTMLMANPAGES)
-
--pdf: techdoc.pdf
--
--docs: manpages htmlmanpages pdf
-+docs: manpages htmlmanpages
-
- indep: docs
- $(Q)$(MAKE) -C po all
diff --git a/meta-security/recipes-mac/AppArmor/files/functions b/meta-security/recipes-mac/AppArmor/files/functions
deleted file mode 100644
index e9e2bbf..0000000
--- a/meta-security/recipes-mac/AppArmor/files/functions
+++ /dev/null
@@ -1,271 +0,0 @@
-# /lib/apparmor/functions for Debian -*- shell-script -*-
-# ----------------------------------------------------------------------
-# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
-# NOVELL (All rights reserved)
-# Copyright (c) 2008-2010 Canonical, Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, contact Novell, Inc.
-# ----------------------------------------------------------------------
-# Authors:
-# Kees Cook <kees@ubuntu.com>
-
-PROFILES="/etc/apparmor.d"
-PROFILES_CACHE="$PROFILES/cache"
-PROFILES_VAR="/var/lib/apparmor/profiles"
-PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
-PROFILES_CACHE_VAR="/var/cache/apparmor"
-PARSER="/sbin/apparmor_parser"
-SECURITYFS="/sys/kernel/security"
-export AA_SFS="$SECURITYFS/apparmor"
-
-# Suppress warnings when booting in quiet mode
-quiet_arg=""
-[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
-[ "${quiet:-n}" = y ] && quiet_arg="-q"
-
-foreach_configured_profile() {
- rc_all="0"
- for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
- if [ ! -d "$pdir" ]; then
- continue
- fi
- num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l`
- if [ "$num" = "0" ]; then
- continue
- fi
-
- cache_dir="$PROFILES_CACHE"
- if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
- cache_dir="$PROFILES_CACHE_VAR"
- fi
- cache_args="--cache-loc=$cache_dir"
- if [ ! -d "$cache_dir" ]; then
- cache_args=
- fi
-
- # LP: #1383858 - expr tree simplification is too slow for
- # Touch policy on ARM, so disable it for now
- cache_extra_args=
- if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
- cache_extra_args="-O no-expr-simplify"
- fi
-
- # If need to compile everything, then use -n1 with xargs to
- # take advantage of -P. When cache files are in use, omit -n1
- # since it is considerably faster on moderately sized profile
- # sets to give the parser all the profiles to load at once
- n1_args=
- num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
- if [ "$num" = "0" ]; then
- n1_args="-n1"
- fi
-
- (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
- while read profile; do
- if [ -f "$pdir"/"$profile" ]; then
- echo "$pdir"/"$profile"
- fi
- done) | \
- xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
- rc_all="$?"
- # FIXME: when the parser properly handles broken
- # profiles (LP: #1377338), remove this if statement.
- # For now, if the xargs returns with error, just run
- # through everything with -n1. (This could be broken
- # out and refactored, but this is temporary so make it
- # easy to understand and revert)
- if [ "$rc_all" != "0" ]; then
- (ls -1 "$pdir" | \
- egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
- while read profile; do
- if [ -f "$pdir"/"$profile" ]; then
- echo "$pdir"/"$profile"
- fi
- done) | \
- xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
- rc_all="$?"
- }
- fi
- }
- done
- return $rc_all
-}
-
-load_configured_profiles() {
- clear_cache_if_outdated
- foreach_configured_profile $quiet_arg --write-cache --replace
-}
-
-load_configured_profiles_without_caching() {
- foreach_configured_profile $quiet_arg --replace
-}
-
-recache_profiles() {
- clear_cache
- foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
-}
-
-configured_profile_names() {
- foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//'
-}
-
-running_profile_names() {
- # Output a sorted list of loaded profiles, skipping libvirt's
- # dynamically generated files
- cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//'
-}
-
-unload_profile() {
- echo -n "$1" > "$AA_SFS"/.remove
-}
-
-clear_cache() {
- clear_cache_system
- clear_cache_var
-}
-
-clear_cache_system() {
- find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
-}
-
-clear_cache_var() {
- find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
-}
-
-read_features_dir()
-{
- for f in `ls -A "$1"` ; do
- if [ -f "$1/$f" ] ; then
- read -r KF < "$1/$f" || true
- echo -n "$f {$KF } "
- elif [ -d "$1/$f" ] ; then
- echo -n "$f {"
- KF=`read_features_dir "$1/$f"` || true
- echo -n "$KF} "
- fi
- done
-}
-
-clear_cache_if_outdated() {
- if [ -r "$PROFILES_CACHE"/.features ]; then
- if [ -d "$AA_SFS"/features ]; then
- KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
- else
- read -r KERN_FEATURES < "$AA_SFS"/features
- fi
- CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
- if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
- clear_cache
- fi
- fi
-}
-
-unload_obsolete_profiles() {
- # Currently we must re-parse all the profiles to get policy names. :(
- aa_configured=$(mktemp -t aa-XXXXXX)
- configured_profile_names > "$aa_configured" || true
- aa_loaded=$(mktemp -t aa-XXXXXX)
- running_profile_names > "$aa_loaded" || true
- LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
- unload_profile "$profile"
- done
- rm -f "$aa_configured" "$aa_loaded"
-}
-
-# If the system debsum differs from the saved debsum, the new system debsum is
-# saved and non-zero is returned. Returns 0 if the two debsums matched or if
-# the system debsum file does not exist. This can be removed when system image
-# flavors all move to snappy.
-compare_and_save_debsums() {
- pkg="$1"
-
- if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
- sums="/var/lib/dpkg/info/${pkg}.md5sums"
- # store saved md5sums in /var/lib/apparmor/profiles since
- # /var/cache/apparmor might be cleared by apparmor
- saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
-
- if [ -f "$sums" ] && \
- ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
- cp -f "$sums" "$saved_sums"
- return 1
- fi
- fi
-
- return 0
-}
-
-compare_previous_version() {
- installed="/usr/share/snappy/security-policy-version"
- previous="/var/lib/snappy/security-policy-version"
-
- # When just $previous doesn't exist, assume this is a new system with
- # no cache and don't do anything special.
- if [ -f "$installed" ] && [ -f "$previous" ]; then
- pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2`
- iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2`
- if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
- # snappy updates $previous elsewhere, so just return
- return 1
- fi
- fi
-
- return 0
-}
-
-# Checks to see if the current container is capable of having internal AppArmor
-# profiles that should be loaded. Callers of this function should have already
-# verified that they're running inside of a container environment with
-# something like `systemd-detect-virt --container`.
-#
-# The only known container environments capable of supporting internal policy
-# are LXD and LXC environment.
-#
-# Returns 0 if the container environment is capable of having its own internal
-# policy and non-zero otherwise.
-#
-# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
-# system container technology being nested inside of a LXD/LXC container that
-# utilized an AppArmor namespace and profile stacking. The reason 0 will be
-# returned is because .ns_stacked will be "yes" and .ns_name will still match
-# "lx[dc]-*" since the nested system container technology will not have set up
-# a new AppArmor profile namespace. This will result in the nested system
-# container's boot process to experience failed policy loads but the boot
-# process should continue without any loss of functionality. This is an
-# unsupported configuration that cannot be properly handled by this function.
-is_container_with_internal_policy() {
- local ns_stacked_path="${AA_SFS}/.ns_stacked"
- local ns_name_path="${AA_SFS}/.ns_name"
- local ns_stacked
- local ns_name
-
- if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
- return 1
- fi
-
- read -r ns_stacked < "$ns_stacked_path"
- if [ "$ns_stacked" != "yes" ]; then
- return 1
- fi
-
- # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
- # "lxc-", respectively. Return non-zero for all other namespace
- # identifiers.
- read -r ns_name < "$ns_name_path"
- if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
- [ "${ns_name#lxc-*}" = "$ns_name" ]; then
- return 1
- fi
-
- return 0
-}
diff --git a/meta-security/recipes-security/sshguard/sshguard_2.4.2.bb b/meta-security/recipes-security/sshguard/sshguard_2.4.2.bb
new file mode 100644
index 0000000..bd7f979
--- /dev/null
+++ b/meta-security/recipes-security/sshguard/sshguard_2.4.2.bb
@@ -0,0 +1,11 @@
+SUMARRY=" Intelligently block brute-force attacks by aggregating system logs "
+HOMEPAGE = "https://www.sshguard.net/"
+LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
+LICENSE = "BSD-1-Clause"
+
+
+SRC_URI="https://sourceforge.net/projects/sshguard/files/sshguard/${PV}/sshguard-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "2770b776e5ea70a9bedfec4fd84d57400afa927f0f7522870d2dcbbe1ace37e8"
+
+inherit autotools-brokensep
diff --git a/meta-security/recipes-security/sssd/files/musl_fixup.patch b/meta-security/recipes-security/sssd/files/musl_fixup.patch
new file mode 100644
index 0000000..68f267c
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/musl_fixup.patch
@@ -0,0 +1,53 @@
+fix musl build failures
+
+Missing _PATH_HOSTS and some NETDB defines when musl is enabled.
+
+These are work arounds for now while we figure out where the real fix should reside (musl, gcompact, sssd):
+
+./sssd-2.5.1/src/providers/fail_over.c:1199:19: error: '_PATH_HOSTS' undeclared (first use in this function)
+| 1199 | _PATH_HOSTS);
+| | ^~~~~~~~~~~
+
+and
+
+i./sssd-2.5.1/src/sss_client/nss_ipnetworks.c:415:21: error: 'NETDB_INTERNAL' undeclared (first use in this function)
+| 415 | *h_errnop = NETDB_INTERNAL;
+
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: sssd-2.5.1/src/providers/fail_over.c
+===================================================================
+--- sssd-2.5.1.orig/src/providers/fail_over.c
++++ sssd-2.5.1/src/providers/fail_over.c
+@@ -31,6 +31,10 @@
+ #include <talloc.h>
+ #include <netdb.h>
+
++#if !defined(_PATH_HOSTS)
++#define _PATH_HOSTS "/etc/hosts"
++#endif
++
+ #include "util/dlinklist.h"
+ #include "util/refcount.h"
+ #include "util/util.h"
+Index: sssd-2.5.1/src/sss_client/sss_cli.h
+===================================================================
+--- sssd-2.5.1.orig/src/sss_client/sss_cli.h
++++ sssd-2.5.1/src/sss_client/sss_cli.h
+@@ -44,6 +44,14 @@ typedef int errno_t;
+ #define EOK 0
+ #endif
+
++#ifndef NETDB_INTERNAL
++# define NETDB_INTERNAL (-1)
++#endif
++
++#ifndef NETDB_SUCCESS
++# define NETDB_SUCCESS (0)
++#endif
++
+ #define SSS_NSS_PROTOCOL_VERSION 1
+ #define SSS_PAM_PROTOCOL_VERSION 3
+ #define SSS_SUDO_PROTOCOL_VERSION 1
diff --git a/meta-security/recipes-security/sssd/sssd_2.5.0.bb b/meta-security/recipes-security/sssd/sssd_2.5.1.bb
similarity index 95%
rename from meta-security/recipes-security/sssd/sssd_2.5.0.bb
rename to meta-security/recipes-security/sssd/sssd_2.5.1.bb
index 84b7b0e..9205843 100644
--- a/meta-security/recipes-security/sssd/sssd_2.5.0.bb
+++ b/meta-security/recipes-security/sssd/sssd_2.5.1.bb
@@ -15,15 +15,17 @@
DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
-SRC_URI = "https://github.com/SSSD/sssd/releases/download/2.5.0/sssd-2.5.0.tar.gz \
+SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.gz \
file://sssd.conf \
file://volatiles.99_sssd \
file://no_gen.patch \
file://fix_gid.patch \
file://drop_ntpdate_chk.patch \
file://fix-ldblibdir.patch \
+ file://musl_fixup.patch \
"
-SRC_URI[sha256sum] = "afa62d7d8d23fca3aba093abe4ec0d14e7d9346c5b28ceb7c2c624bed98caa06"
+
+SRC_URI[sha256sum] = "ce2f5d84a3f1750093318afd27f4fd75b1e3e75f7d80fc42d21a40cc54b58ea4"
inherit autotools pkgconfig gettext python3-dir features_check systemd