meta-security: subtree update:066a04425c..787ba6faea
Armin Kuster (10):
lynis: update to 3.0.0
security images: Move to recipe-core
security packagegroups: move to recipes-core
packagegroup-security-tpm: add more packages for building
packagegroup-core-security: remove clamav for riscv*
libsecomp: rv32/rv64 target builds are not supported yet
packagegroup-core-security: remove libseccomp for riscv*
libseccomp: update to 2.5.0
packagegroup-core-security: restore riscv64 for libssecomp
trousers: Several Security fixes
Charlie Davies (1):
clamav: add INSTALL_CLAMAV_CVD flag to do_install
Kai Kang (1):
libseccomp: fix cross compile error for mips
Yi Zhao (1):
ibmswtpm2: upgrade 1563 -> 1628
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I0341c0d4cd61fb6ef7db6a29f9fc60de3caa822f
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
similarity index 89%
rename from meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
rename to meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
index 245761c..2d59623 100644
--- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
+++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
@@ -8,8 +8,7 @@
SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
-SRC_URI[md5sum] = "fb527b6976e70a6bcd57036c9cddc242"
-SRC_URI[sha256sum] = "3d27ade73a5c1248925ad9c060024940ce5d2029f40aaa901f43314888fe324d"
+SRC_URI[sha256sum] = "3cc165f9007ba41de6d0b693a1167dbaf0179085f9506dcba64b4b8e37e1bda2"
S = "${WORKDIR}/${BPN}"
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb
index 25126ef..3844c7f 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb
@@ -11,6 +11,11 @@
RDEPENDS_packagegroup-security-tpm = " \
tpm-tools \
trousers \
+ pcr-extend \
+ tpm-quote-tools \
+ swtpm \
+ openssl-tpm-engine \
+ libtpm \
${X86_TPM_MODULES} \
"
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
new file mode 100644
index 0000000..72c81d1
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
@@ -0,0 +1,94 @@
+From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <mgerstner@suse.de>
+Date: Fri, 14 Aug 2020 22:14:36 -0700
+Subject: [PATCH] Correct multiple security issues that are present if the tcsd
+ is started by root instead of the tss user.
+
+Patch fixes the following 3 CVEs:
+
+CVE-2020-24332
+If the tcsd daemon is started with root privileges,
+the creation of the system.data file is prone to symlink attacks
+
+CVE-2020-24330
+If the tcsd daemon is started with root privileges,
+it fails to drop the root gid after it is no longer needed
+
+CVE-2020-24331
+If the tcsd daemon is started with root privileges,
+the tss user has read and write access to the /etc/tcsd.conf file
+
+Authored-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-24332
+CVE: CVE-2020-24330
+CVE: CVE-2020-24331
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/tcs/ps/tcsps.c | 2 +-
+ src/tcsd/svrside.c | 1 +
+ src/tcsd/tcsd_conf.c | 10 +++++-----
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+Index: git/src/tcs/ps/tcsps.c
+===================================================================
+--- git.orig/src/tcs/ps/tcsps.c
++++ git/src/tcs/ps/tcsps.c
+@@ -72,7 +72,7 @@ get_file()
+ }
+
+ /* open and lock the file */
+- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
+ if (system_ps_fd < 0) {
+ LogError("system PS: open() of %s failed: %s",
+ tcsd_options.system_ps_file, strerror(errno));
+Index: git/src/tcsd/svrside.c
+===================================================================
+--- git.orig/src/tcsd/svrside.c
++++ git/src/tcsd/svrside.c
+@@ -473,6 +473,7 @@ main(int argc, char **argv)
+ }
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
++ setgid(pwd->pw_gid);
+ setuid(pwd->pw_uid);
+ #endif
+ #endif
+Index: git/src/tcsd/tcsd_conf.c
+===================================================================
+--- git.orig/src/tcsd/tcsd_conf.c
++++ git/src/tcsd/tcsd_conf.c
+@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
+ #ifndef SOLARIS
+ struct group *grp;
+ struct passwd *pw;
+- mode_t mode = (S_IRUSR|S_IWUSR);
++ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
+ #endif /* SOLARIS */
+ TSS_RESULT result;
+
+@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
+ }
+
+ /* make sure user/group TSS owns the conf file */
+- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
++ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
+ LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
+- TSS_USER_NAME, TSS_GROUP_NAME);
++ "root", TSS_GROUP_NAME);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+
+- /* make sure only the tss user can manipulate the config file */
++ /* make sure only the tss user can read (but not manipulate) the config file */
+ if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
+- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
++ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+ #endif /* SOLARIS */
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
index fe8f557..95e821b 100644
--- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -16,6 +16,7 @@
file://tcsd.service \
file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
+ file://0001-Correct-multiple-security-issues-that-are-present-if.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
deleted file mode 100644
index 8054226..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
+++ /dev/null
@@ -1,27 +0,0 @@
-SUMMARY = "IBM's Software TPM 2.0"
-LICENSE = "BSD"
-SECTION = "securty/tpm"
-LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
-
-DEPENDS = "openssl"
-
-SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \
- file://remove_optimization.patch \
- "
-SRC_URI[md5sum] = "13013612b3a13dc935fefe1a5684179c"
-SRC_URI[sha256sum] = "fc3a17f8315c1f47670764f2384943afc0d3ba1e9a0422dacb08d455733bd1e9"
-SRC_URI[sha1sum] = "a2a5335024a2edc1739f08b99e716fa355be627d"
-SRC_URI[sha384sum] = "b1f278acabe2198aa79c0fe8aa0182733fe701336cbf54a88058be0b574cab768f59f9315882d0e689e634678d05b79f"
-SRC_URI[sha512sum] = "ff0b9e5f0d0070eb572b23641f7a0e70a8bc65cbf4b59dca1778be3bb014124011221a492147d4c492584e87af23e2f842ca6307641b3919f67a3f27f09312c0"
-
-S = "${WORKDIR}/src"
-
-do_compile () {
- make CC='${CC}'
-}
-
-do_install () {
- install -d ${D}/${bindir}
- install -m 0755 tpm_server ${D}/${bindir}
-}
-
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb
new file mode 100644
index 0000000..3373a30
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb
@@ -0,0 +1,26 @@
+SUMMARY = "IBM's Software TPM 2.0"
+LICENSE = "BSD"
+SECTION = "securty/tpm"
+LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
+
+DEPENDS = "openssl"
+
+SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \
+ file://remove_optimization.patch \
+ "
+SRC_URI[md5sum] = "bfd3eca2411915f24de628b9ec36f259"
+SRC_URI[sha256sum] = "a8e874e7a1ae13a1290d7679d846281f72d0eb6a5e4cfbafca5297dbf4e29ea3"
+SRC_URI[sha1sum] = "7c8241a4e97a801eace9f0eea8cdda7c58114f7f"
+SRC_URI[sha384sum] = "eec25cc8ba0e3cb27d41ba4fa4c71d8158699953ccb61bb6d440236dcbd8f52b6954eaae9d640a713186e0b99311fd91"
+SRC_URI[sha512sum] = "ab47caa4406ba57c0afc6fadae304fc9ef5e3e125be0f2fb1955a419cf93cd5e9176e103f0b566825abc16cca00b795f98d2b407f0a2bf7b141ef4b025d907d0"
+
+S = "${WORKDIR}/src"
+
+do_compile () {
+ make CC='${CC}'
+}
+
+do_install () {
+ install -d ${D}/${bindir}
+ install -m 0755 tpm_server ${D}/${bindir}
+}
diff --git a/meta-security/recipes-security/images/security-build-image.bb b/meta-security/recipes-core/images/security-build-image.bb
similarity index 100%
rename from meta-security/recipes-security/images/security-build-image.bb
rename to meta-security/recipes-core/images/security-build-image.bb
diff --git a/meta-security/recipes-security/images/security-client-image.bb b/meta-security/recipes-core/images/security-client-image.bb
similarity index 100%
rename from meta-security/recipes-security/images/security-client-image.bb
rename to meta-security/recipes-core/images/security-client-image.bb
diff --git a/meta-security/recipes-security/images/security-server-image.bb b/meta-security/recipes-core/images/security-server-image.bb
similarity index 100%
rename from meta-security/recipes-security/images/security-server-image.bb
rename to meta-security/recipes-core/images/security-server-image.bb
diff --git a/meta-security/recipes-security/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb
similarity index 100%
rename from meta-security/recipes-security/images/security-test-image.bb
rename to meta-security/recipes-core/images/security-test-image.bb
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
similarity index 100%
rename from meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
rename to meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
similarity index 90%
rename from meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
rename to meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index e0a9d05..c6342fd 100644
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -28,7 +28,7 @@
python3-scapy \
ding-libs \
keyutils \
- libseccomp \
+ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
"
@@ -37,9 +37,7 @@
RDEPENDS_packagegroup-security-scanners = "\
nikto \
checksecurity \
- clamav \
- clamav-freshclam \
- clamav-cvd \
+ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \
"
SUMMARY_packagegroup-security-audit = "Security Audit tools "
diff --git a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb
index 2ea2c9b..770186a 100644
--- a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb
+++ b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb
@@ -89,7 +89,9 @@
install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav
sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc
rm ${D}/${libdir}/libclamav.so
- install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
+ if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then
+ install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
+ fi
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service
install -d ${D}${sysconfdir}/tmpfiles.d
diff --git a/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch
new file mode 100644
index 0000000..7d17a03
--- /dev/null
+++ b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch
@@ -0,0 +1,49 @@
+Backport patch to fix cross compile error for mips:
+
+| syscalls.h:44:6: error: expected identifier or '(' before numeric constant
+| 44 | int mips;
+| | ^~~~
+
+Upstream-Status: Submitted [https://github.com/seccomp/libseccomp/pull/279/commits/04c519e5]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 04c519e5b1de53592e98307813e5c6db7418f91b Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Sun, 2 Aug 2020 09:57:39 -0400
+Subject: [PATCH] build: undefine "mips" to prevent build problems for MIPS
+ targets
+
+It turns out that the MIPS GCC compiler defines a "mips" cpp macro
+which was resulting in build failures on MIPS so we need to
+undefine the "mips" macro during build. As this should be safe
+to do in all architectures, just add it to the compiler flags by
+default.
+
+This was reported in the following GH issue:
+* https://github.com/seccomp/libseccomp/issues/274
+
+Reported-by: Rongwei Zhang <pudh4418@gmail.com>
+Suggested-by: Rongwei Zhang <pudh4418@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ configure.ac | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 40d9dcbb..3e877348 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -65,9 +65,11 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+
+ dnl ####
+ dnl build flags
++dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it
++dnl for us which wreaks havoc on the build
+ dnl ####
+ AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include"
+-AM_CFLAGS="-Wall"
++AM_CFLAGS="-Wall -Umips"
+ AM_LDFLAGS="-Wl,-z -Wl,relro"
+ AC_SUBST([AM_CPPFLAGS])
+ AC_SUBST([AM_CFLAGS])
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
similarity index 87%
rename from meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
rename to meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
index 9ca41e6..35365d5 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
@@ -4,18 +4,23 @@
LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427"
+DEPENDS += "gperf-native"
-SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
+SRCREV = "f13f58efc690493fe7aa69f54cb52a118f3769c1"
+
+SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \
file://run-ptest \
+ file://fix-mips-build-failure.patch \
"
+COMPATIBLE_HOST_riscv32 = "null"
+
S = "${WORKDIR}/git"
inherit autotools-brokensep pkgconfig ptest
PACKAGECONFIG ??= ""
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python3"
DISABLE_STATIC = ""