subtree updates
meta-openembedded: a9e6d16e66..11df15765c:
Adrian Fiergolski (1):
python3-matplotlib: add missing dependency
Adrian Freihofer (6):
conntrack-tools: fix postinst script
networkmanager: improve dependency handling
networkmanager: simplify selective installation
networkmanager: use nftables by default
networkmanager: udpate to 1.38.0
modemmanager: update to 1.18.8
Armin Kuster (2):
mariadb: update to 10.7.4
mariadb: Fix i386 Clang builds
Bartosz Golaszewski (2):
python3-uinput: new package
python3-speedtest-cli: fix RDEPENDS
Changqing Li (1):
redis: upgrade 7.0-rc3 -> 7.0.0
Denys Dmytriyenko (1):
devmem2: the source and patches moved to github repo
Enrico Scholz (1):
nodejs-oe-cache-native: initial checkin
Jiaqing Zhao (1):
openldap: Remove unnecessary use-urandom.patch
Kai Kang (2):
libportal: add distro features check
graphviz: rrecommends on liberation-fonts
Khem Raj (5):
ubi-utils-klibc: Disable lzo compression by default
unattended-upgrades: Disable auto-detecting modules
sdbus-c++: Link with libatomic for rv32
sdbus-c++-libsystemd: Fix patch fuzz
python3-uinput: Fix build on 32bit arches using 64bit times_t
Luca Boccassi (1):
dbus-broker: update 29 -> 31
Marcel Ziswiler (1):
libavtp: add recipe for audio video transport protocol (avtp)
Markus Volk (6):
jack: allow to build native/nativesdk
pipewire: reduce native/nativesdk dependencies; add backport patch
p8platform: unbreak do_populate_sdk
pavucontrol: update; fix build for wayland only
gnome-disk-utility: fix build for wayland only
unblock some recipes for wayland
Martin Jansa (1):
mm-common: package the files from ${PN} in ${PN}-dev and use allarch
Ming Liu (1):
bluealsa: uprev to 4.0.0
Nikhil R (1):
duktape: Add ptest
Peter Marko (1):
libgpiod: move test dependencies to ptest package
Ross Burton (8):
python3-cppy: fix inherits and DEPENDS
python3-setuptools-scm-git-archive: add new recipe
python3-traitlets: upgrade to 5.2.1
python3-pathspec: add new recipe
python3-hatchling: add new recipe and build class
python3-editables: add new recipe
python3-setuptools-declarative-requirements: add new recipe
lzop: add (from oe-core)
Samuli Piippo (2):
flite: add recipe
libtomcrypt: add recipe
Thomas Perrot (1):
nbd: update 3.20 -> 3.24
Vyacheslav Yurkov (4):
packagegroup-meta-filesystems: fix build issue
overlayfs-progs: add new recipe
overlayfs-tools: add new recipe
xfstests: add new recipe
Wang Mingyu (38):
babeld: upgrade 1.12 -> 1.12.1
ctags: upgrade 5.9.20220508.0 -> 5.9.20220515.0
libbpf: upgrade 0.7.0 -> 0.8.0
evtest: upgrade 1.34 -> 1.35
nbdkit: upgrade 1.31.5 -> 1.31.7
smarty: upgrade 4.1.0 -> 4.1.1
thingsboard-gateway: upgrade 2.9 -> 3.1
opencl-headers: upgrade 2022.01.04 -> 2022.05.18
python3-robotframework: upgrade 5.0 -> 5.0.1
python3-watchdog: upgrade 2.1.7 -> 2.1.8
python3-web3: upgrade 5.29.0 -> 5.29.1
python3-xmlschema: upgrade 1.10.0 -> 1.11.0
python3-sqlalchemy: upgrade 1.4.35 -> 1.4.36
python3-yappi: upgrade 1.3.3 -> 1.3.5
apitrace: upgrade 11.0 -> 11.1
ctags: upgrade 5.9.20220515.0 -> 5.9.20220529.0
gedit: upgrade 42.0 -> 42.1
hidapi: upgrade 0.11.2 -> 0.12.0
libbytesize: upgrade 2.6 -> 2.7
libdvdread: upgrade 6.1.2 -> 6.1.3
links: upgrade 2.26 -> 2.27
libxmlb: upgrade 0.3.8 -> 0.3.9
ser2net: upgrade 4.3.5 -> 4.3.6
python3-awesomeversion: upgrade 22.5.1 -> 22.5.2
htop: upgrade 3.2.0 -> 3.2.1
hwdata: upgrade 0.359 -> 0.360
libnet-dns-perl: upgrade 1.33 -> 1.34
tinyproxy: upgrade 1.11.0 -> 1.11.1
function2: upgrade 4.2.0 -> 4.2.1
openvpn: upgrade 2.5.6 -> 2.5.7
poppler: upgrade 22.05.0 -> 22.06.0
sshfs-fuse: upgrade 3.7.2 -> 3.7.3
tgt: upgrade 1.0.82 -> 1.0.83
tracker: upgrade 3.3.0 -> 3.3.1
unbound: upgrade 1.15.0 -> 1.16.0
zabbix: upgrade 6.0.4 -> 6.0.5
botan: upgrade 2.19.1 -> 2.19.2
evolution-data-server: upgrade 3.44.1 -> 3.44.2
Wolfgang Meyer (1):
fbida: remove bash from RDEPENDS
Xu Huan (17):
python3-pint: upgrade 0.19.1 -> 0.19.2
python3-pylint: upgrade 2.13.7 -> 2.13.9
python3-redis: upgrade 4.2.2 -> 4.3.1
python3-werkzeug: upgrade 2.1.1 -> 2.1.2
python3-zeroconf: upgrade 0.38.4 -> 0.38.6
python3-sentry-sdk: upgrade 1.5.10 -> 1.5.12
python3-astroid: upgrade 2.11.3 -> 2.11.5
python3-cachetools: upgrade 5.0.0 -> 5.1.0
python3-imageio: upgrade 2.19.1 -> 2.19.2
python3-asyncinotify: upgrade 2.0.2 -> 2.0.3
python3-croniter: upgrade 1.3.4 -> 1.3.5
python3-google-api-core: upgrade 2.7.3 -> 2.8.0
python3-flask-socketio: upgrade 5.1.2 -> 5.2.0
python3-h5py: upgrade 3.6.0 -> 3.7.0
python3-lz4: upgrade 4.0.0 -> 4.0.1
python3-mypy: upgrade 0.950 -> 0.960
python3-pyscaffold: upgrade 4.2.1 -> 4.2.2
zhengrq.fnst (10):
python3-google-api-python-client: upgrade 2.45.0 -> 2.48.0
python3-grpcio-tools: upgrade 1.46.0 -> 1.46.3
python3-openpyxl: upgrade 3.0.9 -> 3.0.10
python3-paramiko: upgrade 2.10.4 -> 2.11.0
python3-humanize: upgrade 4.0.0 -> 4.1.0
python3-pychromecast: upgrade 12.1.1 -> 12.1.2
python3-cachetools: upgrade 5.1.0 -> 5.2.0
python3-google-api-python-client: upgrade 2.48.0 -> 2.49.0
python3-googleapis-common-protos: upgrade 1.56.1 -> 1.56.2
python3-imageio: upgrade 2.19.2 -> 2.19.3
zhengruoqin (6):
python3-bitarray: upgrade 2.5.0 -> 2.5.1
python3-eventlet: upgrade 0.33.0 -> 0.33.1
python3-googleapis-common-protos: upgrade 1.56.0 -> 1.56.1
python3-imageio: upgrade 2.18.0 -> 2.19.1
python3-pyjwt: upgrade 2.3.0 -> 2.4.0
python3-wrapt: upgrade 1.14.0 -> 1.14.1
poky: 13d70e57f8..ee0d001b81:
Alex Stewart (1):
opkg: upgrade to version 0.6.0
Alexander Kanavin (23):
bash: submit patch upstream
valgrind: submit arm patches upstream
apt: fix upstream version check
zip/unzip: mark all submittable patches as Inactive-Upstream
less: mark upstream version as unknown
wayland: exclude pre-releases from version check
mesa-demos: update 8.4.0 -> 8.5.0
seatd: update 0.6.4 -> 0.7.0
systemd: update 250.5 -> 251.2
btrfs-tools: update 5.16.2 -> 5.18
llvm: update 14.0.3 -> 14.0.4
python3-psutil: update 5.9.0 -> 5.9.1
tiff: update 4.3.0 -> 4.4.0
pulseaudio: update 15.0 -> 16.0
alsa-utils-scripts: merge into alsa-utils
alsa-utils: update 1.2.6 -> 1.2.7
ovmf: update 202202 -> 202205
cmake: update 3.23.1 -> 3.23.2
ltp: upgrade 20220121 -> 20220527
perl: update 5.34.1 -> 5.36.0
perl: drop perltoc regeneration
perl: clean prior to build
perl: enable _GNU_SOURCE define via d_gnulibc
Bruce Ashfield (7):
linux-yocto/5.15: bpf: explicitly disable unpriv eBPF by default
linux-yocto/5.15: update to v5.15.43
linux-yocto/5.10: update to v5.10.118
linux-yocto/5.15: Enable MDIO bus config
linux-yocto/5.15: cfg/xen: Move x86 configs to separate file
linux-yocto/5.15: update to v5.15.44
linux-yocto/5.10: update to v5.10.119
Chen Qi (1):
libsdl2: add back xvm and xinerama options
Daiane Angolini (1):
python3-pip: Fix RDEPENDS after the update
Davide Gardenal (2):
efivar: add musl libc compatibility
baremetal-image: fix broken symlink in do_rootfs
Dmitry Baryshkov (2):
go.bbclass: fix path to linker in native Go builds
linux-firmware: add support for building snapshots
Ernst Sjöstrand (2):
cve-check: Add helper for symlink handling
cve-check: Only include installed packages for rootfs manifest
He Zhe (1):
lttng-modules: Fix build failure for 5.10.119+ and 5.15.44+ kernel
Jack Mitchell (1):
meson.bbclass: add cython binary to cross/native toolchain config
Jeremy Puhlman (1):
gcc: depend on zstd-native
Jiaqing Zhao (1):
systemd: Correct 0001-pass-correct-parameters-to-getdents64.patch
Joerg Vehlow (1):
libseccomp: Add missing files for ptests
Jose Quaresma (1):
archiver: use bb.note instead of echo
Kai Kang (1):
xxhash: fix build with gcc 12
Marcel Ziswiler (2):
alsa-plugins: fix libavtp vs. avtp packageconfig
gstreamer1.0-plugins-bad: add libavtp packageconfig
Markus Volk (1):
gcr: build with gtk+3 for wayland
Marta Rybczynska (4):
cve-check: move update_symlinks to a library
cve-check: write empty fragment files in the text mode
cve-check: fix return type in check_cves
cve-update-db-native: make it possible to disable database updates
Martin Jansa (9):
makedevs: Don't use COPYING.patch just to add license file into ${S}
insane.bbclass: make sure to close .patch files
staging.bbclass: process direct dependencies in deterministic order
patch.py: make sure that patches/series file exists before quilt pop
lttng-modules: fix shell syntax
buildhistory.bbclass: fix shell syntax when using dash
rootfs.py: close kernel_abi_ver_file
ltp: use bfd even when gold is used with ld-is-gold
systemd: Fix build without utmp
Michael Opdenacker (1):
migration guides: release notes for 4.0.1
Mikko Rapeli (1):
bitbake: event.py: ignore exceptions from stdout and sterr operations in atexit
Ming Liu (1):
udev-extraconf: let automount base directory configurable
Mingli Yu (4):
perl: Fix build with gcc-12
ccache: Fix build with gcc-12
oescripts: change compare logic in OEListPackageconfigTests
python3-cryptography: remove test_x509.py
Naveen Saini (1):
pciutils: avoid lspci conflict with busybox
Pavel Zhukov (6):
bitbake.conf: Make TCLIBC and TCMODE lazy assigned
bitbake: fetch2: Honour BB_FETCH_PREMIRRORONLY option
bitbake: Add tests to cover BB_FETCH_PREMIRRORONLY functionality
dbus: Specify runstatedir configure option
bitbake: tests/fetch: Drop unnecessary duplicated function
bitbake: tests/fetch: Add tests for premirror using real project
Peter Kjellerstedt (2):
libseccomp: Correct LIC_FILES_CHKSUM
license.bbclass: Bound beginline and endline in copy_license_files()
Quentin Schulz (2):
docs: set_versions.py: remove honister from active releases list
docs: set_versions.py: check for first latest release tag
Rasmus Villemoes (2):
vim: put xxd in its own package
e2fsprogs: add alternatives handling of lsattr as well
Ricardo Salveti (1):
gnu-efi: enable for riscv64
Richard Purdie (51):
cve-extra-exclusions: Add kernel CVEs
lzo: Add further info to a patch and mark as Inactive-Upstream
python3: Remove problematic paths from sysroot files
python3: Ensure stale empty python module directories don't break the build
Revert "qemu.inc: Remove empty egg-info directories before running meson"
Revert "meson.bblcass: Remove empty egg-info directories before running meson"
vim: Upgrade 8.2.4912 -> 8.2.5034 to fix 9 CVEs
tiff: Add jbig PACKAGECONFIG and clarify CVE-2022-1210
libxslt: Mark CVE-2022-29824 as not applying
oeqa/imagefeatures: Replace lzo with zst
oeqa/imagefeatures: Disable squashfs-lzo
cve-check: Allow warnings to be disabled
openssl: Backport fix for ptest cert expiry
bitbake: runqueue: Fix unihash cache mismatch issues
bitbake: cache/siggen: Add unihash cache copy function
bitbake: bitbake: Bump to version 2.0.1
populate_sdk_ext: Fix race condition on bb_unihashes.dat
gcc-cross-canadian: Add nativesdk-zstd dependency
glib-2.0: upgrade 2.72.1 -> 2.72.2
dnf: upgrade 4.12.0 -> 4.13.0
python3-dtschema: upgrade 2022.4 -> 2022.5
python3-sphinx: upgrade 4.5.0 -> 5.0.0
python3-pip: upgrade 22.1.1 -> 22.1.2
alsa-lib: upgrade 1.2.6.1 -> 1.2.7
sysklogd: upgrade 2.3.0 -> 2.4.0
libxkbcommon: upgrade 1.4.0 -> 1.4.1
piglit: upgrade to latest revision
sysstat: upgrade 12.4.5 -> 12.6.0
harfbuzz: upgrade 4.2.1 -> 4.3.0
gtk+3: upgrade 3.24.33 -> 3.24.34
xwayland: upgrade 22.1.1 -> 22.1.2
alsa-ucm-conf: upgrade 1.2.6.3 -> 1.2.7
gnutls: upgrade 3.7.5 -> 3.7.6
webkitgtk: upgrade 2.36.1 -> 2.36.3
diffoscope: upgrade 212 -> 215
populate_sdk_ext: Fix second bb_unihashes reference
sanity: Switch to make 4.0 as a minimum version
perl: Add dependency on make-native to avoid race issues
glibc: Drop make-native dependency
bitbake: fetch/wget: Move files into place atomically
bitbake: server/process: Avoid risk of exception deadlocks
bitbake: server/process: Remove daemonic thread usage
bitbake: server/process: Avoid tracebacks at exit
uboot-sign: Fix potential index error issues
selftest/multiconfig: Test that multiconfigs in separate layers works
bitbake: cooker: Drop sre_constants usage
classes/buildcfg: Move git/layer revision code into new OE module buildcfg
lib/buildcfg: Share common clean/dirty layer function
buildcfg: Drop unused svn revision function
base/buildhistory/image-buildinfo: Use common buildcfg function
image-buildinfo: Improve and extend to SDK coverage too
Robert Yang (1):
systemd: Set RebootWatchdogSec to 60s as watchdog
Ross Burton (8):
python3-pluggy: add BBCLASSEXTEND for native/nativesdk
btrfs-tools: add a PACKAGECONFIG for lzo
tiff: mark CVE-2022-1622 and CVE-2022-1623 as invalid
packagegroup-self-hosted: remove lzo
libarchive: disable LZO by default
squashfs-tools: disable LZO by default
lzop: remove recipe from oe-core
setuptools3: clean up class
Rusty Howell (1):
oe-depends-dot: Handle new format for task-depends.dot
Sean Anderson (1):
rootfs.py: find .ko.zst kernel modules
Stefan Wiehler (1):
kernel-yocto.bbclass: Reset to exiting on non-zero return code at end of task
Tobias Schmidl (2):
oeqa/selftest/wic.py: Repaired test_qemu()
wic/plugins/images/direct: Allow changes in fstab on rootfs
Vyacheslav Yurkov (2):
files: rootfs-postcommands: move helper commands to script
files: respect overlayfs owner from lower layer
Xiaobing Luo (1):
devtool: Fix _copy_file() TypeError
Zach Welch (2):
test-manual/intro: reorder bitbake-selftest steps
test-manual/intro: bitbake-selftest needs bitbake
leimaohui (1):
gnutls: Added fips option.
wangmy (30):
bind: upgrade 9.18.2 -> 9.18.3
ccache: upgrade 4.6 -> 4.6.1
init-system-helpers: upgrade 1.62 -> 1.63
ninja: upgrade 1.10.2 -> 1.11.0
python3-certifi: upgrade 2021.10.8 -> 2022.5.18.1
python3-cython: upgrade 0.29.28 -> 0.29.30
python3-hypothesis: upgrade 6.46.4 -> 6.46.7
python3-importlib-metadata: upgrade 4.11.3 -> 4.11.4
python3-magic: upgrade 0.4.25 -> 0.4.26
python3-pip: upgrade 22.1 -> 22.1.1
python3-setuptools: upgrade 62.3.1 -> 62.3.2
python3-hypothesis: upgrade 6.46.7 -> 6.46.9
python3-semantic-version: upgrade 2.9.0 -> 2.10.0
python3-webcolors: upgrade 1.11.1 -> 1.12
python3-pytest-subtests: upgrade 0.7.0 -> 0.8.0
asciidoc: upgrade 10.1.4 -> 10.2.0
cups: upgrade 2.4.1 -> 2.4.2
iproute2: upgrade 5.17.0 -> 5.18.0
iw: upgrade 5.16 -> 5.19
logrotate: upgrade 3.19.0 -> 3.20.1
dpkg: upgrade 1.21.7 -> 1.21.8
repo: upgrade 2.25 -> 2.26
iso-codes: upgrade 4.9.0 -> 4.10.0
lttng-ust: upgrade 2.13.2 -> 2.13.3
meson: upgrade 0.62.1 -> 0.62.2
mtools: upgrade 4.0.39 -> 4.0.40
nettle: upgrade 3.7.3 -> 3.8
kbd: upgrade 2.4.0 -> 2.5.0
python3-hypothesis: upgrade 6.46.9 -> 6.46.11
xkeyboard-config: upgrade 2.35.1 -> 2.36
meta-security: 7628a3e90b..8c6fe006a1:
Armin Kuster (18):
swtpm: enable seccomp if DISTRO is enabled
security-tpm2-image: add swtpm
swtpm: enable gnutls
oeqa/swtpm: add swtpm runtime
oeqa/tpm2: fix and cleanup tests
tpm2-pkcs11: we really need the symlinks
smack-test: switch to python3
oeqa/smack: consolidate classes
checksec: update 2.6.0
chkrootkit: update SRC_URI
packagegroup-core-security: add arpwatch and chkrootkit to pkg grp
layer.conf: Post release codename changes
README: Update for dynamic layers
arpwatch: riscv not supported
packagegroup-core-security: drop arpwatch for riscv from pkg grp
chkrootkit: Fix missing includes for musl
arpwatch: update to 3.3
packagegroup-core-security: don't include aprwatch for musl
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ic83db16445cf0a1286685f11d378e1e3e9b794c3
diff --git a/meta-security/README b/meta-security/README
index 081669f..2d1996b 100644
--- a/meta-security/README
+++ b/meta-security/README
@@ -28,20 +28,10 @@
This layer depends on:
URI: git://git.openembedded.org/openembedded-core
- branch: master
+ branch: [same one as checked out for this layer]
URI: git://git.openembedded.org/meta-openembedded/meta-oe
- branch: master
-
- URI: git://git.openembedded.org/meta-openembedded/meta-perl
- branch: master
-
- URI: git://git.openembedded.org/meta-openembedded/meta-python
- branch: master
-
- URI: git://git.openembedded.org/meta-openembedded/meta-networking
- branch: master
-
+ branch: [same one as checked out for this layer]
Adding the security layer to your build
========================================
@@ -57,21 +47,22 @@
BBLAYERS ?= " \
/path/to/oe-core/meta \
/path/to/meta-openembedded/meta-oe \
- /path/to/meta-openembedded/meta-perl \
- /path/to/meta-openembedded/meta-python \
- /path/to/meta-openembedded/meta-networking \
/path/to/layer/meta-security "
-Optional Rust dependancy
+Optional Dynamic layer dependancy
======================================
-If you want to use the latest Suricata that needs rust, you will need to clone
- URI: https://github.com/meta-rust/meta-rust.git
- branch: master
+ URI: git://git.openembedded.org/meta-openembedded/meta-oe
- BBLAYERS += "/path/to/layer/meta-rust"
+ URI: git://git.openembedded.org/meta-openembedded/meta-perl
-This will activate the dynamic-layer mechanism and pull in the newer suricata
+ URI: git://git.openembedded.org/meta-openembedded/meta-python
+
+ BBLAYERS += "/path/to/layer/meta-openembedded/meta-oe"
+ BBLAYERS += "/path/to/layer/meta-openembedded/meta-perl"
+ BBLAYERS += "/path/to/layer/meta-openembedded/meta-python"
+
+This will activate the dynamic-layer mechanism.
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 7d57f9c..fa7d79e 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -9,7 +9,7 @@
BBFILE_PATTERN_security = "^${LAYERDIR}/"
BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "kirkstone"
+LAYERSERIES_COMPAT_security = "kirkstone langdale"
LAYERDEPENDS_security = "core openembedded-layer"
diff --git a/meta-security/lib/oeqa/runtime/cases/smack.py b/meta-security/lib/oeqa/runtime/cases/smack.py
index 35e87ef..b8255c7 100644
--- a/meta-security/lib/oeqa/runtime/cases/smack.py
+++ b/meta-security/lib/oeqa/runtime/cases/smack.py
@@ -29,8 +29,6 @@
status,output = self.target.run("cat /proc/self/attr/current")
self.current_label = output.strip()
-class SmackAccessLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_access_label(self):
''' Test if chsmack can correctly set a SMACK label '''
@@ -54,8 +52,6 @@
"%s %s" %(LABEL,label_retrieved))
-class SmackExecLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_exec_label(self):
'''Test if chsmack can correctly set a SMACK Exec label'''
@@ -79,8 +75,6 @@
"%s %s" %(LABEL,label_retrieved))
-class SmackMmapLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_mmap_label(self):
'''Test if chsmack can correctly set a SMACK mmap label'''
@@ -104,8 +98,6 @@
"%s %s" %(LABEL,label_retrieved))
-class SmackTransmutable(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_transmutable(self):
'''Test if chsmack can correctly set a SMACK transmutable mode'''
@@ -128,8 +120,6 @@
"%s %s" %(LABEL,label_retrieved))
-class SmackChangeSelfLabelPrivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_privileged_change_self_label(self):
'''Test if privileged process (with CAP_MAC_ADMIN privilege)
@@ -145,8 +135,6 @@
self.assertIn("PRIVILEGED", output,
"Privilege process did not change label.Output: %s" %output)
-class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_unprivileged_change_self_label(self):
'''Test if unprivileged process (without CAP_MAC_ADMIN privilege)
@@ -163,8 +151,6 @@
"Unprivileged process should not be able to change its label")
-class SmackChangeFileLabelPrivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_unprivileged_change_file_label(self):
'''Test if unprivileged process cannot change file labels'''
@@ -183,8 +169,6 @@
self.target.run("rm %s" % filename)
self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename)
-class SmackLoadRule(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_load_smack_rule(self):
'''Test if new smack access rules can be loaded'''
@@ -211,8 +195,6 @@
self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path))
-class SmackOnlycap(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_onlycap(self):
'''Test if smack onlycap label can be set
@@ -223,7 +205,6 @@
status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh")
self.assertEqual(status, 0, output)
-class SmackNetlabel(SmackBasicTest):
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_netlabel(self):
@@ -246,7 +227,6 @@
test_label, output,
"Did not find expected label in output: %s" %output)
-class SmackCipso(SmackBasicTest):
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_cipso(self):
@@ -287,7 +267,6 @@
self.assertEqual(status, 0, "Cipso rule C was not set")
self.assertIn("/17,33", output, "Rule C was not set correctly")
-class SmackDirect(SmackBasicTest):
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_direct(self):
@@ -308,8 +287,6 @@
"Smack direct label does not match.")
-class SmackAmbient(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_ambient(self):
test_ambient = "test_ambient"
@@ -330,8 +307,6 @@
"Ambient label does not match")
-class SmackloadBinary(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smackload(self):
'''Test if smackload command works'''
@@ -345,8 +320,6 @@
self.assertEqual(status, 0, "Smackload rule was loaded correctly")
-class SmackcipsoBinary(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smackcipso(self):
'''Test if smackcipso command works'''
@@ -362,8 +335,6 @@
self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output)
-class SmackEnforceFileAccess(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_enforce_file_access(self):
'''Test if smack file access is enforced (rwx)
@@ -375,8 +346,6 @@
self.assertEqual(status, 0, output)
-class SmackEnforceMmap(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_mmap_enforced(self):
'''Test if smack mmap access is enforced'''
@@ -449,8 +418,6 @@
"Output: %s" %output)
-class SmackEnforceTransmutable(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_transmute_dir(self):
'''Test if smack transmute attribute works
@@ -473,8 +440,6 @@
"Did not get expected label. Output: %s" % output)
-class SmackTcpSockets(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_tcp_sockets(self):
'''Test if smack is enforced on tcp sockets
@@ -485,8 +450,6 @@
self.assertEqual(status, 0, output)
-class SmackUdpSockets(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_udp_sockets(self):
'''Test if smack is enforced on udp sockets
@@ -497,8 +460,6 @@
self.assertEqual(status, 0, output)
-class SmackFileLabels(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_labels(self):
'''Check for correct Smack labels.'''
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
index bc33d97..5983161 100644
--- a/meta-security/meta-hardening/conf/layer.conf
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -8,6 +8,6 @@
BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_harden-layer = "10"
-LAYERSERIES_COMPAT_harden-layer = "kirkstone"
+LAYERSERIES_COMPAT_harden-layer = "kirkstone langdale"
LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index 3d58be4..1fcf33c 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -20,7 +20,7 @@
# interactive shell is enough.
OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "kirkstone"
+LAYERSERIES_COMPAT_integrity = "kirkstone langdale"
# ima-evm-utils depends on keyutils from meta-oe
LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf
index 544cc4e..a748d77 100644
--- a/meta-security/meta-parsec/conf/layer.conf
+++ b/meta-security/meta-parsec/conf/layer.conf
@@ -8,7 +8,7 @@
BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_parsec-layer = "5"
-LAYERSERIES_COMPAT_parsec-layer = "kirkstone"
+LAYERSERIES_COMPAT_parsec-layer = "kirkstone langdale"
LAYERDEPENDS_parsec-layer = "core clang-layer"
BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 7c07625..ec57541 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -8,7 +8,7 @@
BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_scanners-layer = "10"
-LAYERSERIES_COMPAT_scanners-layer = "kirkstone"
+LAYERSERIES_COMPAT_scanners-layer = "kirkstone langdale"
LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
diff --git a/meta-security/meta-security-isafw/conf/layer.conf b/meta-security/meta-security-isafw/conf/layer.conf
index e8cdc1b..724742d 100644
--- a/meta-security/meta-security-isafw/conf/layer.conf
+++ b/meta-security/meta-security-isafw/conf/layer.conf
@@ -14,4 +14,4 @@
LAYERDEPENDS_security-isafw = "core"
-LAYERSERIES_COMPAT_security-isafw = "kirkstone"
+LAYERSERIES_COMPAT_security-isafw = "kirkstone langdale"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 52e3ee0..1fd2e4c 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_tpm-layer = "10"
-LAYERSERIES_COMPAT_tpm-layer = "kirkstone"
+LAYERSERIES_COMPAT_tpm-layer = "kirkstone langdale"
LAYERDEPENDS_tpm-layer = " \
core \
diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
new file mode 100644
index 0000000..df47b35
--- /dev/null
+++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
@@ -0,0 +1,24 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+
+class SwTpmTest(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.tc.target.run('mkdir /tmp/myvtpm2')
+ cls.tc.target.run('chown tss:root /tmp/myvtpm2')
+
+ @classmethod
+ def tearDownClass(cls):
+ cls.tc.target.run('rm -fr /tmp/myvtpm2')
+
+ @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ @OEHasPackage(['swtpm'])
+ def test_swtpm2_ek_cert(self):
+ cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
+ status, output = self.target.run(cmd)
+ self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index c2c95e7..e64d19d 100644
--- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -1,11 +1,19 @@
-# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com>
#
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
from oeqa.runtime.decorator.package import OEHasPackage
-
+from oeqa.core.decorator.data import skipIfNotFeature
class Tpm2Test(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.tc.target.run('mkdir /tmp/myvtpm2')
+
+ @classmethod
+ def tearDownClass(cls):
+ cls.tc.target.run('rm -fr /tmp/myvtpm2')
+
def check_endlines(self, results, expected_endlines):
for line in results.splitlines():
for el in expected_endlines:
@@ -19,20 +27,19 @@
@OEHasPackage(['tpm2-tools'])
@OEHasPackage(['tpm2-abrmd'])
@OEHasPackage(['swtpm'])
+ @skipIfNotFeature('tpm2','Test tpm2_startup requires tpm2 to be in DISTRO_FEATURES')
@OETestDepends(['ssh.SSHTest.test_ssh'])
- def test_tpm2_swtpm_socket(self):
+ def test_tpm2_startup(self):
cmds = [
- 'mkdir /tmp/myvtpm',
- 'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &',
- 'export TPM2TOOLS_TCTI="swtpm:port=2321"',
- 'tpm2_startup -c'
+ 'swtpm socket -d --tpmstate dir=/tmp/myvtpm2 --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init',
+ 'tpm2_startup -c -T "swtpm:port=2321"',
]
for cmd in cmds:
status, output = self.target.run(cmd)
self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
- @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket'])
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_startup'])
def test_tpm2_pcrread(self):
(status, output) = self.target.run('tpm2_pcrread')
expected_endlines = []
@@ -49,7 +56,7 @@
@OEHasPackage(['p11-kit'])
@OEHasPackage(['tpm2-pkcs11'])
- @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket'])
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pcrread'])
def test_tpm2_pkcs11(self):
(status, output) = self.target.run('p11-kit list-modules -v')
self.assertEqual(status, 0, msg="Modules missing: %s" % output)
diff --git a/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb
index 7e047d1..941a661 100644
--- a/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb
+++ b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb
@@ -7,6 +7,7 @@
packagegroup-core-boot \
packagegroup-security-tpm2 \
os-release \
+ swtpm \
"
IMAGE_LINGUAS ?= " "
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
index 85e4c5d..03899d8 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
@@ -20,14 +20,15 @@
TSS_USER="tss"
TSS_GROUP="tss"
-PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG ?= "openssl gnutls"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
# expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is
# used by swtpm-create-tpmca (the last two is provided by gnutls)
# gnutls is required by: swtpm-create-tpmca, swtpm-localca and swtpm_cert
-PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls, gnutls, expect bash tpm2-pkcs11-tools"
+PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls-native gnutls, gnutls-bin expect bash tpm2-pkcs11-tools"
PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"
PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
index e8812d0..dd0a0b5 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
@@ -25,15 +25,6 @@
}
do_install:append() {
- install -d ${D}${libdir}/pkcs11
- install -d ${D}${datadir}/p11-kit
-
- # remove symlinks
- rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so
-
- #install lib
- install -m 755 ${B}/src/.libs/libtpm2_pkcs11.so ${D}${libdir}/pkcs11/libtpm2_pkcs11.so
-
cd ${S}/tools
export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}"
${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build
@@ -53,5 +44,7 @@
${datadir}/p11-kit/* \
"
+INSANE_SKIP:${PN} += "dev-so"
+
RDEPENDS:${PN} = "p11-kit tpm2-tools "
RDEPENDS:${PN}-tools = "${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules"
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index 9010054..f381d91 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -42,10 +42,13 @@
SUMMARY:packagegroup-security-scanners = "Security scanners"
RDEPENDS:packagegroup-security-scanners = "\
+ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " arpwatch",d)} \
+ chkrootkit \
isic \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-daemon clamav-freshclam",d)} \
"
RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "clamav clamav-daemon clamav-freshclam"
+RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "arpwatch"
SUMMARY:packagegroup-security-audit = "Security Audit tools "
RDEPENDS:packagegroup-security-audit = " \
diff --git a/meta-security/recipes-mac/smack/smack-test_1.0.bb b/meta-security/recipes-mac/smack/smack-test_1.0.bb
index d7824ae..3ab57c6 100644
--- a/meta-security/recipes-mac/smack/smack-test_1.0.bb
+++ b/meta-security/recipes-mac/smack/smack-test_1.0.bb
@@ -22,4 +22,4 @@
install -m 0755 *.sh ${D}${sbindir}
}
-RDEPENDS:${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test"
+RDEPENDS:${PN} = "smack python3-core mmap-smack-test tcp-smack-test udp-smack-test"
diff --git a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
similarity index 88%
rename from meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb
rename to meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
index c8d31cf..8efb339 100644
--- a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb
+++ b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
@@ -1,7 +1,7 @@
SUMARRY = "The ethernet monitor program; for keeping track of ethernet/ip address pairings"
LICENSE = "BSD-4-Clause"
HOME_PAGE = "http://ee.lbl.gov/"
-LIC_FILES_CHKSUM = "file://configure;md5=74ca964ed34fda7b46c6fe3e50bded9d"
+LIC_FILES_CHKSUM = "file://configure;md5=0f6cca2f69f384a14e2f5803210ca92e"
DEPENDS += "libpcap"
@@ -9,10 +9,10 @@
file://arpwatch.conf \
file://arpwatch.default \
file://arpwatch_init \
- file://postfix_workaround.patch \
- file://host_contam_fix.patch "
+ file://host_contam_fix.patch \
+ "
-SRC_URI[sha256sum] = "ee1d15d9a07952c0c017908b9dbfd5ac988fed0058c3cc4fa6c13e0be36f3a9f"
+SRC_URI[sha256sum] = "d47fa8b291fc37a25a2d0f3e1b64f451dc0be82d714a10ffa6ef8b0b9e33e166"
inherit autotools-brokensep update-rc.d useradd
@@ -80,4 +80,8 @@
FILES:${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \
${sysconfdir} /var/lib/arpwatch"
+COMPATIBLE_HOST:riscv32 = "null"
+COMPATIBLE_HOST:riscv64 = "null"
+OMPATIBLE_HOST:libc-musl = "null"
+
RDEPENDS:${PN} = "libpcap"
diff --git a/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch b/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch
index 7d7ffac..2e27aa4 100644
--- a/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch
+++ b/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch
@@ -4,11 +4,11 @@
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Index: arpwatch-3.0/configure
+Index: arpwatch-3.3/configure
===================================================================
---- arpwatch-3.0.orig/configure
-+++ arpwatch-3.0/configure
-@@ -4349,8 +4349,8 @@ fi
+--- arpwatch-3.3.orig/configure
++++ arpwatch-3.3/configure
+@@ -4353,8 +4353,8 @@ fi
CC=cc
export CC
fi
diff --git a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb b/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb
similarity index 64%
rename from meta-security/recipes-scanners/checksec/checksec_2.4.0.bb
rename to meta-security/recipes-scanners/checksec/checksec_2.6.0.bb
index 9a6e44a..f4a014e 100644
--- a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb
+++ b/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb
@@ -4,10 +4,10 @@
LICENSE = "BSD-3-Clause"
HOMEPAGE="https://github.com/slimm609/checksec.sh"
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8d90285f711cf1f378e2c024457066d8"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=879b2147c754bc040c29e9c3b84da836"
-SRCREV = "c3754e45e04f9104db93b2048afd094427102d48"
-SRC_URI = "git://github.com/slimm609/checksec.sh;branch=master;protocol=https"
+SRCREV = "2753ebb89fcdc96433ae8a4c4e5a49214a845be2"
+SRC_URI = "git://github.com/slimm609/checksec.sh;branch=main;protocol=https"
S = "${WORKDIR}/git"
@@ -17,3 +17,5 @@
}
RDEPENDS:${PN} = "bash openssl-bin binutils"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb b/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb
index 20015a1..fe0e989 100644
--- a/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb
+++ b/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb
@@ -5,7 +5,8 @@
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff"
-SRC_URI = "ftp://ftp.pangeia.com.br/pub/seg/pac/${BPN}.tar.gz"
+SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz \
+ file://musl_fix.patch"
SRC_URI[sha256sum] = "a81c0286ec449313f953701202a00e81b204fc2cf43e278585a11c12a5e0258b"
inherit autotools-brokensep
diff --git a/meta-security/recipes-scanners/rootkits/files/musl_fix.patch b/meta-security/recipes-scanners/rootkits/files/musl_fix.patch
new file mode 100644
index 0000000..a33523b
--- /dev/null
+++ b/meta-security/recipes-scanners/rootkits/files/musl_fix.patch
@@ -0,0 +1,58 @@
+chkrootkit: Fix missing includes for musl
+
+
+Upstream-Status: Backport
+https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07737b95af2452c0055e1ed0660590c1487befdb
+https://bugs.gentoo.org/715552
+
+Signed-off-by: Armin Kuster <akuster808@gamil.com>
+
+Index: chkrootkit-0.55/chkdirs.c
+===================================================================
+--- chkrootkit-0.55.orig/chkdirs.c
++++ chkrootkit-0.55/chkdirs.c
+@@ -33,7 +33,7 @@
+ #elif defined(__APPLE__) && defined(__MACH__)
+ #include <sys/syslimits.h>
+ #endif
+-
++#include <limits.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <sys/types.h>
+Index: chkrootkit-0.55/chklastlog.c
+===================================================================
+--- chkrootkit-0.55.orig/chklastlog.c
++++ chkrootkit-0.55/chklastlog.c
+@@ -41,6 +41,7 @@ int main () { return 0; }
+ #include <stdlib.h>
+ #endif
+ #include <sys/stat.h>
++#include <fcntl.h>
+ #include <unistd.h>
+ #include <string.h>
+ #include <signal.h>
+Index: chkrootkit-0.55/chkproc.c
+===================================================================
+--- chkrootkit-0.55.orig/chkproc.c
++++ chkrootkit-0.55/chkproc.c
+@@ -65,6 +65,7 @@ int main (){ return 0; }
+ #include <string.h>
+ #include <errno.h>
+ #include <sys/types.h>
++#include <fcntl.h>
+ #include <dirent.h>
+ #include <ctype.h>
+ #include <stdlib.h>
+Index: chkrootkit-0.55/chkwtmp.c
+===================================================================
+--- chkrootkit-0.55.orig/chkwtmp.c
++++ chkrootkit-0.55/chkwtmp.c
+@@ -25,6 +25,7 @@ int main () { return 0; }
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
++#include <fcntl.h>
+ #include <string.h>
+ #include <utmp.h>
+ #include <time.h>