meta-security: subtree update:2df7dd9fba..3001c3ebfc

Armin Kuster (6):
      meta-security: add layer index callouts
      meta-security-compliance/conf/layer.conf: fix typo
      python3-suricata-update: update to 1.1.1
      libhtp: bugfix only update 0.5.32
      lib/oeqa/runtime: suricata add tests
      suricata: update to 4.1.6

Philip Tricca (1):
      tpm2-abrmd: Port command line options to new version.

Trevor Woerner (1):
      tpm2-abrmd-init.sh: fix for /dev/tpmrmX

Yi Zhao (1):
      libseccomp: upgrade 2.4.1 -> 2.4.2

Change-Id: Ic00ca8ac8ff5d3fbe0b79aa4a42243b197080f14
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-security/lib/oeqa/runtime/cases/suricata.py b/meta-security/lib/oeqa/runtime/cases/suricata.py
index 17fc8c5..7f052ec 100644
--- a/meta-security/lib/oeqa/runtime/cases/suricata.py
+++ b/meta-security/lib/oeqa/runtime/cases/suricata.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
 #
 import re
+from tempfile import mkstemp
 
 from oeqa.runtime.case import OERuntimeTestCase
 from oeqa.core.decorator.depends import OETestDepends
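Review bot: The new `setUpClass`/`tearDownClass` in the next hunk call `os.fdopen`, `os.linesep` and `os.remove`, but this hunk only brings `mkstemp` into scope; unless `import os` is on one of the two file lines not shown between the hunks, class setup raises `NameError` before any test runs and every SuricataTest case errors out. Add it next to the existing stdlib import, keeping the group ordered: `import os` / `import re` / `from tempfile import mkstemp`. The same missing name affects the second hunk of this file.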
@@ -9,6 +10,22 @@
 
 class SuricataTest(OERuntimeTestCase):
 
+    @classmethod
+    def setUpClass(cls):
+        cls.tmp_fd, cls.tmp_path = mkstemp()
+        with os.fdopen(cls.tmp_fd, 'w') as f:
+            # use google public dns
+            f.write("nameserver 8.8.8.8")
+            f.write(os.linesep)
+            f.write("nameserver 8.8.4.4")
+            f.write(os.linesep)
+            f.write("nameserver 127.0.0.1")
+            f.write(os.linesep)
+
+    @classmethod
+    def tearDownClass(cls):
+        os.remove(cls.tmp_path)
+
     @OEHasPackage(['suricata'])
     @OETestDepends(['ssh.SSHTest.test_ssh'])
     def test_suricata_help(self):
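Review bot: `setUpClass` writes the resolver file with the build host's `os.linesep`, but the file is later pushed to the Linux target as `/etc/resolv.conf`, so the line ending should be the target's `'\n'` rather than whatever the host uses; the six `f.write` calls can also collapse into one. A single `f.write('\n'.join(['nameserver 8.8.8.8', 'nameserver 8.8.4.4', 'nameserver 127.0.0.1']) + '\n')` is clearer and host-independent. The comment `# use google public dns` only describes two of the three entries; `# Google public DNS plus the loopback resolver` would match what is written. `tearDownClass` removes only the host-side temp file; restoring the target's original `/etc/resolv.conf` is raised on the next hunk.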
@@ -18,10 +35,42 @@
         self.assertEqual(status, 1, msg = msg)
 
     @OETestDepends(['suricata.SuricataTest.test_suricata_help'])
-    def test_suricata_unittest(self):
-        status, output = self.target.run('suricata -u')
-        match = re.search('FAILED: 0 ', output)
-        if not match:
-            msg = ('suricata unittest had an unexpected failure. '
-               'Status and output:%s and %s' % (status, output))
-            self.assertEqual(status, 0, msg = msg)
+    def test_ping_openinfosecfoundation_org(self):
+        dst = '/etc/resolv.conf'
+        self.tc.target.run('rm -f %s' % dst)
+        (status, output) = self.tc.target.copyTo(self.tmp_path, dst)
+        msg = 'File could not be copied. Output: %s' % output
+        self.assertEqual(status, 0, msg=msg)
+
+        status, output = self.target.run('ping -c 1 openinfosecfoundation.org')
+        msg = ('ping openinfosecfoundation.org failed: output is:\n%s' % output)
+        self.assertEqual(status, 0, msg = msg)
+
+    @OEHasPackage(['python3-suricata-update'])
+    @OETestDepends(['suricata.SuricataTest.test_ping_openinfosecfoundation_org'])
+    def test_suricata_update(self):
+        status, output = self.tc.target.run('suricata-update')
+        msg = ('suricata-update had an unexpected failure. '
+           'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['suricata.SuricataTest.test_suricata_update'])
+    def test_suricata_update_sources_list(self):
+        status, output = self.tc.target.run('suricata-update list-sources')
+        msg = ('suricata-update list-sources had an unexpected failure. '
+           'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources_list'])
+    def test_suricata_update_sources(self):
+        status, output = self.tc.target.run('suricata-update update-sources')
+        msg = ('suricata-update update-sources had an unexpected failure. '
+           'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources'])
+    def test_suricata_update_enable_source(self):
+        status, output = self.tc.target.run('suricata-update enable-source oisf/trafficid')
+        msg = ('suricata-update enable-source oisf/trafficid  had an unexpected failure. '
+           'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 0, msg = msg)
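Review bot: `test_ping_openinfosecfoundation_org` deletes the target's `/etc/resolv.conf` and replaces it with hard-coded public resolvers, and nothing in the class puts the original back, so the image under test keeps the modified DNS configuration after the suite ends (the symlink many images use for that path is also lost). Since the later `suricata-update` tests depend on this one and need DNS, restore in `tearDownClass` rather than per test: replace the `rm -f` with `self.tc.target.run('mv -f %s %s.oeqa-bak' % (dst, dst))` and add `cls.tc.target.run('mv -f /etc/resolv.conf.oeqa-bak /etc/resolv.conf')` to `tearDownClass` in the previous hunk (this presumes `tc` is available on the class in the classmethod, as it appears to be on instances; verify against the oeqa loader). On style, the ping line uses `self.target.run` while every other call in the hunk uses `self.tc.target.run`; pick one. The message on the last test also has a doubled space in `oisf/trafficid  had`.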
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index 962424c..bfc9c6f 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -24,3 +24,5 @@
 LAYERSERIES_COMPAT_integrity = "zeus"
 # ima-evm-utils depends on keyutils from meta-oe
 LAYERDEPENDS_integrity = "core openembedded-layer"
+
+BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity"
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 0e93bd0..8572a1f 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -11,3 +11,5 @@
 LAYERSERIES_COMPAT_scanners-layer = "zeus"
 
 LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
+
+BBLAYERS_LAYERINDEX_NAME_scanners-layer = "meta-security-compliance"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 3af2d95..175eba8 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -14,3 +14,4 @@
     core \
     openembedded-layer \
 "
+BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
index c8dfb7d..9bb7da9 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
@@ -27,7 +27,7 @@
 	start)
 		echo -n "Starting $DESC: "
 
-		if [ ! -e /dev/tpm* ]
+		if [ ! -e /dev/tpm? ]
 		then
 			echo "device driver not loaded, skipping."
 			exit 0
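Review bot: `[ ! -e /dev/tpm? ]` still puts an unquoted glob inside `[`: with more than one match (e.g. `/dev/tpm0` and `/dev/tpm1`) the test expands to several words and `[` fails with "too many arguments", and with no match only the literal string `/dev/tpm?` is tested, which works by accident rather than by design. A form that tolerates any number of device nodes while keeping the intent of excluding `/dev/tpmrmX` is `if ! ls /dev/tpm[0-9]* >/dev/null 2>&1`. The enclosing `case` arm continues outside the hunk.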
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
index 987978a..b4b3c20 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
@@ -1 +1 @@
-DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transient-objects=20 --fail-on-loaded-trans"
+DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transients=20 --flush-all"
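Review bot: `--flush-all` replaces `--fail-on-loaded-trans` with the opposite startup policy: instead of refusing to start while the TPM already holds transient objects, the daemon now flushes whatever objects and sessions are loaded, and the defaults file gives no hint of that change for whoever tunes it next. A one-line comment above the assignment would do, e.g. `# --flush-all: discard transient objects/sessions already in the TPM at start (replaces --fail-on-loaded-trans)`. Whether any component on the image relies on handles surviving an abrmd restart is not visible here and worth confirming.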
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.31.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb
similarity index 100%
rename from meta-security/recipes-ids/suricata/libhtp_0.5.31.bb
rename to meta-security/recipes-ids/suricata/libhtp_0.5.32.bb
diff --git a/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb b/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
similarity index 86%
rename from meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb
rename to meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
index 63f75e0..0070b5b 100644
--- a/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb
+++ b/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
@@ -5,8 +5,8 @@
 
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
 
-SRCREV = "dcd0f630e13463750efb1593ad3ccae1ae6c27d4"
-SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.0.x'"
+SRCREV = "9630630ffc493ca26299d174ee2066aa1405b2d4"
+SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.1.x'"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc
index 1f4baff..3adbcf6 100644
--- a/meta-security/recipes-ids/suricata/suricata.inc
+++ b/meta-security/recipes-ids/suricata/suricata.inc
@@ -2,8 +2,8 @@
 SECTION = "security Monitor/Admin"
 LICENSE = "GPLv2"
 
-VER = "4.1.5"
+VER = "4.1.6"
 SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
 
-SRC_URI[md5sum] = "0dfd68f6f4314c5c2eed7128112eff3b"
-SRC_URI[sha256sum] = "cee5f6535cd7fe63fddceab62eb3bc66a63fc464466c88ec7a41b7a1331ac74b"
+SRC_URI[md5sum] = "da5de1e8053f05cbd295793210117d34"
+SRC_URI[sha256sum] = "8441ac89016106459ade2112fcde58b3f789e4beb2fd8bfa081ffb75eec75fe0"
diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.5.bb b/meta-security/recipes-ids/suricata/suricata_4.1.6.bb
similarity index 98%
rename from meta-security/recipes-ids/suricata/suricata_4.1.5.bb
rename to meta-security/recipes-ids/suricata/suricata_4.1.6.bb
index b2700d6..9b7122b 100644
--- a/meta-security/recipes-ids/suricata/suricata_4.1.5.bb
+++ b/meta-security/recipes-ids/suricata/suricata_4.1.6.bb
@@ -10,7 +10,6 @@
     file://suricata.yaml \
     file://suricata.service \
     file://run-ptest \
-    file://0001-af-packet-fix-build-on-recent-Linux-kernels.patch \
     "
 
 inherit autotools-brokensep pkgconfig python3-dir systemd ptest
diff --git a/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch b/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
new file mode 100644
index 0000000..a53433f
--- /dev/null
+++ b/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
@@ -0,0 +1,45 @@
+From 1ecdddb2a5b61cf527d1f238f88a9d129239f87a Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Tue, 5 Nov 2019 15:11:11 -0500
+Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
+
+We recently changed how libseccomp handles syscall numbers that are
+not defined natively, but we missed test #15.
+
+Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+
+Upstream-Status: Backport
+[https://github.com/seccomp/libseccomp/commit/1ecdddb2a5b61cf527d1f238f88a9d129239f87a]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ tests/15-basic-resolver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
+index 6badef1..0c1eefe 100644
+--- a/tests/15-basic-resolver.c
++++ b/tests/15-basic-resolver.c
+@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
+ 	unsigned int arch;
+ 	char *name = NULL;
+ 
+-	if (seccomp_syscall_resolve_name("open") != __NR_open)
++	if (seccomp_syscall_resolve_name("open") != __SNR_open)
+ 		goto fail;
+-	if (seccomp_syscall_resolve_name("read") != __NR_read)
++	if (seccomp_syscall_resolve_name("read") != __SNR_read)
+ 		goto fail;
+ 	if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
+ 		goto fail;
+ 
+ 	rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
+-	if (rc != __NR_openat)
++	if (rc != __SNR_openat)
+ 		goto fail;
+ 
+ 	while ((arch = arch_list[iter++]) != -1) {
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
similarity index 90%
rename from meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
rename to meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
index 37a7982..07db82a 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
@@ -4,9 +4,10 @@
 LICENSE = "LGPL-2.1"
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
 
-SRCREV = "fb43972ea1aab24f2a70193fb7445c2674f594e3"
+SRCREV = "1b6cfd1fc0b7499a28c24299a93a80bd18619563"
 
 SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
+           file://0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch \
            file://run-ptest \
 "