subtree updates
poky: 4e511f0abc..a015ed7704:
Adrian Bunk (22):
gnutls: upgrade 3.6.5 -> 3.6.7
dhcp: Replace OE specific patch for compatibility with latest bind with upstream patch
Set XZ_COMPRESSION_LEVEL to -9
gcc: Remove Java support variables
Use the best xz compression for the SDK
gnome-doc-utils: Remove stale patch
libxcrypt: Stop adding -std=gnu99 to CPPFLAGS
file: Stop adding -std=c99 to CFLAGS
gnu-efi: Remove support patch for gcc < 4.7
grub: Use -Wno-error instead of doing this on a per-warning basis
socat: upgrade 1.7.3.2 -> 1.7.3.3
bison: upgrade 3.0.4 -> 3.1
mmc-utils: update to the latest upstream code
cogl: upgrade 1.22.2 -> 1.22.4
cogl: remove -Werror=maybe-uninitialized workaround
libxcb: remove workaround patch for a bug that was fixed in gcc 5 in 2015
sysstat: inherit upstream-version-is-even
ccache: upgrade 3.6 -> 3.7.1
lttng-modules: upgrade 2.10.8 -> 2.10.9
iproute2: Remove bogus workaround patch for musl
openssl: Remove openssl10
Remove irda-utils and the irda feature
Alejandro Enedino Hernandez Samaniego (1):
run-postinsts: Fix full execution of scripts at first boot
Alejandro del Castillo (1):
opkg: add ptest
Alex Kiernan (12):
systemd-conf: simplify creation of machine-specific configuration
systemctl-native: Rewrite in Python supporting preset-all and mask
image: call systemctl preset-all for images
uboot-sign: Fix build when UBOOT_DTB_BINARY is empty
patchelf: Upgrade 0.9 -> 0.10
python3: Add ntpath.py to python core
go: Exclude vcs files when installing deps
recipetool: fix unbound variable when fixed SRCREV can't be found
systemd: Default to non-stateless images
systemd-systemctl: Restore support for enable command
systemd: Restore mask and preset targets, fix instance creation
shadow: Backport last change reproducibility
Alexander Kanavin (38):
python3: add a tr-tr locale for test_locale ptest
gobject-introspection: update to 1.60.1
dtc: upgrade 1.4.7 -> 1.5.0
webkitgtk: update to 2.24.0
libdazzle: update to 3.32.1
vala: update to 0.44.3
libdnf: update to 0.28.1
libcomps: upgrade 0.1.10 -> 0.1.11
dnf: upgrade 4.1.0 -> 4.2.2
btrfs-tools: upgrade 4.20.1 -> 4.20.2
meson: update to 0.50.0
libmodulemd: update to 2.2.3
at-spi2-core: fix meson 0.50 build
ffmpeg: update to 4.1.3
python: update to 2.7.16
python: update to 3.7.3
python-numpy: update to 1.16.2
icu: update to 64.1
epiphany: update to 3.32.1.2
python3: add another multilib fix
meson: do not try to substitute the prefix in python supplied paths
python3-pygobject: update to 3.32.0
meson: add missing Upstream-Status and SOB to a patch
acpica: update to 20190405
msmtp: fix upstream version check
python-scons: update to 3.0.5
python-setuptools: update to 41.0.1
python3-mako: update to 1.0.9
python3-pbr: update to 5.1.3
python3-pip: update to 19.0.3
buildhistory: call a dependency parser only on actual dependency lists
gtk-doc.bbclass: unify option setting for meson-based recipes
python3-pycairo: update to 1.18.1
maintainers.inc: take over as perl maintainer
xorg-lib: drop native overrides for REQUIRED_DISTRO_FEATURES
meson: update to 0.50.1
perl: update to 5.28.2
packagegroup-self-hosted: drop epiphany
Alistair Francis (5):
u-boot: Upgrade from 2019.01 to 2019.04
beaglebone-yocto: Update u-boot config to match u-boot 19.04
u-boot: Fix missing Python.h build failure
libsoup: Upgrade from 2.64.2 to 2.66.1
qemu: Upgrade from 3.1.0 to 4.0.0
Andre Rosa (1):
bitbake: utils: Let mkdirhier fail if existing path is not a folder
Andreas Müller (17):
gobject-introspection: auto-enable/-disable gobject-introspection for meson
libmodulemd: use gobject-introspection.bbclass on/off mechanism
gdk-pixbuf: use gobject-introspection.bbclass on/off mechanism
json-glib: use gobject-introspection.bbclass on/off mechanism
libdazzle: use gobject-introspection.bbclass on/off mechanism
clutter-gtk-1.0: use gobject-introspection.bbclass on/off mechanism
pango: use gobject-introspection.bbclass on/off mechanism
at-spi2-core: use gobject-introspection.bbclass on/off mechanism
atk: use gobject-introspection.bbclass on/off mechanism
libsoup-2.4: use gobject-introspection.bbclass on/off mechanism
glib-networking: upgrade 2.58.0 -> 2.60.1
gst-plugins: move 'inherit gobject-introspection' to recipes supporting GI
gstreamer1.0-python: rework gobject-introspection handling
insane.bbclass: Trigger unrecognzed configure option for meson
vte: upgrade 0.52.2 -> 0.56.1
vte: move shell auto scripts into seperate package
qemu: split out vte into seperate PACKAGECONFIG
Andreas Obergschwandtner (1):
uboot-sign: add support for different u-boot configurations
Andrej Valek (2):
dropbear: update to 2019.78
systemd: upgrade to 242
Angus Lees (1):
Revert "wic: Set a miniumum FAT16 volume size."
Anuj Mittal (4):
gcc: fix CVE-2018-18484
gdb: fix CVE-2017-9778
binutils: fix CVE-2019-9074 CVE-2019-9075 CVE-2019-9076 CVE-2019-9077
openssh: fix CVE-2018-20685, CVE-2019-6109, CVE-2019-6111
Armin Kuster (8):
resulttool: add ltp test support
logparser: Add decoding ltp logs
ltp: add runtime test
resulttool: add LTP compliance section
logparser: Add LTP compliance section
ltp_compliance: add new runtime
manual compliance: remove bits done at runtime
nss: cleanup recipe to match OE style
Beniamin Sandu (1):
kernel-devsrc: check for localversion files in the kernel source tree
Breno Leitao (3):
weston-init: Fix tab indentation
weston-init: Add support for non-root start
weston-init: Fix WESTON_USER typo
Bruce Ashfield (8):
linux-yocto/5.0: update to v5.0.5
linux-yocto-rt: update to 5.0.5-rt3
linux-yocto/5.0: update to v5.0.7
linux-yocto/4.19: update to v4.19.34
linux-yocto-rt/4.19: fix merge conflict in lru_drain
linux-yocto/5.0: port RAID configuration tweaks from master
linux-yocto/5.0: integrate TCP timeout / hang fix
linux-yocto/5.0: update TCP patch to mainline version
Changhyeok Bae (2):
iw: upgrade 4.14 -> 5.0.1
iptables: upgrade 1.6.2 -> 1.8.2
Changqing Li (11):
ruby: make ext module fiddle can compile success
ruby: add ptest
cogl: fix compile error caused by -Werror=maybe-uninitialized
systemd: change default locale from C.UTF-8 to C
m4: add ptest support
gettext: add ptest support
waffle: supprt build waffle without x11
piglit: support build piglit without x11
dbus: fix ptest failure
populate_sdk_base: provide options to set sdk type
python3: fix do_install fail for parallel buiild
Chee Yang Lee (1):
wic/bootimg-efi: replace hardcoded volume name with label
Chen Qi (9):
runqemu: do not check return code of tput
busybox: fix ptest failure about 'dc'
base-files: move hostname operations out of issue file settings
webkitgtk: set CVE_PRODUCT
dropbear: set CVE_PRODUCT
libsdl: set CVE_PRODUCT
ghostscript: set CVE_PRODUCT
flac: also add flac to CVE_PRODUCT
squashfs-tools: set CVE_PRODUCT
David Reyna (1):
bitbake: toaster: update to Warrior
Dengke Du (2):
perf: workaround the error cased by maybe-uninitialized warning
linux-yocto_5.0: set devicetree for armv5
Denys Dmytriyenko (1):
weston: upgrade 5.0.0 -> 6.0.0
Douglas Royds (2):
distutils: Run python from the PATH in the -native case as well
distutils: Tidy and simplify for readability
Fabio Berton (1):
mesa: Update 19.0.1 -> 19.0.3
He Zhe (2):
ltp: Fix setrlimit03 call succeeded unexpectedly
systemd: Bump up SRCREV to systemd-stable top to include the fix for shutdown now hang
Hongxu Jia (15):
image_types.bbclass: fix a race between the ubi and ubifs FSTYPES
cpio/tar/native.bbclass: move rmt to sbindir and add a prefix to avoid native clashing
acpica: use update-alternatives for acpidump
apr: upgrade 1.6.5 -> 1.7.0
man-pages: upgrade 4.16 -> 5.01
man-db: upgrade 2.8.4 -> 2.8.5
bash: upgrade 4.4.18 -> 5.0
ncurses: fix incorrect UPSTREAM_CHECK_GITTAGREGEX
gpgme: upgrade 1.12.0 -> 1.13.0
subversion: upgrade 1.11.1 -> 1.12.0
groff: upgrade 1.22.3 -> 1.22.4
libxml2: upgrade 2.9.8 -> 2.9.9
ghostscript: 9.26 -> 9.27
groff: imporve musl support
oeqa/targetcontrol.py: fix qemuparams not work in runqemu with launch_cmd
Jacob Kroon (3):
grub-efi-native: Install grub-editenv
bitbake: knotty: Pretty print task elapsed time
base-passwd: Add kvm group
Jaewon Lee (1):
Adding back wrapper and using OEPYTHON3HOME variable for python3
Jens Rehsack (1):
kernel-module-split.bbclass: support CONFIG_MODULE_COMPRESS=y
Jonas Bonn (3):
systemd: don't build firstboot by default
systemd: do not create machine-id
systemd: create preset files instead of installing in image
Joshua Watt (6):
classes/waf: Set WAFLOCK
resulttool: Load results from URL
resulttool: Add log subcommand
qemux86: Allow higher tunes
bitbake.conf: Account for older versions of bitbake
resulttool: Add option to dump all ptest logs
Kai Kang (5):
msmtp: 1.6.6 -> 1.8.3
cryptodev: fix module loading error
target-sdk-provides-dummy: resolve sstate conflict
bitbake.conf: set NO_RECOMMENDATIONS with weak assignment
webkitgtk: fix compile error for arm64
Kevin Hao (1):
meta-yocto-bsp: Bump to the latest stable kernel for all the BSP
Khem Raj (9):
gcc-cross-canadian: Make baremetal specific code generic
musl: Upgrade to master past 1.1.22
webkitgtk: Fix build with clang
mdadm: Disable Werror
gcc-target: Do not set --with-sysroot and gxx-include-dir paths
systemd: Add -Wno-error=format-overflow to fix build with gcc9
systemd: Backport patch to fix build with gcc9
libgfortan: Package target gcc include directory to fix
gcc-9: Add recipes for gcc 9.1 release
Lei Maohui (2):
dnf: Enable nativesdk
icu: Added armeb support.
Lei Yang (1):
recipetool: add missed module
Luca Boccassi (1):
systemd: add cgroupv2 PACKAGECONFIG
Mardegan, Alberto (1):
oeqa/core/runner: dump stdout and stderr of each test case
Mariano Lopez (5):
update-alternatives.bbclass: Add function to get metadata
ptest.bbclass: Add feature to populate a binary directory
util-linux: Use PTEST binary directory
busybox: Use PTEST binary directory
ptest.bbclass: Use d.getVar instead of os.environ
Martin Jansa (6):
connman: add PACKAGECONFIG for nfc, fix MACHINE_ARCH signature when l2tp is enabled
icecc.bbclass: stop causing everything to be effectivelly MACHINE_ARCH
glibc: always use bfd linker
opkg: fix ptest packaging when OPKGLIBDIR == libdir
kexec-tools: refresh patches with devtool
perf: make sure that the tools/include/uapi/asm-generic directory exists
Matthias Schiffer (1):
systemd: move "machines" symlinks to systemd-container
Max Kellermann (2):
useradd-staticids: print exception after parse_args() error
initrdscripts: merge multiple "mkdir" calls
Michael Scott (2):
kernel-fitimage: support RISC-V
procps: update legacy sysctl.conf to fix rp_filter sysctl issue
Mikko Rapeli (3):
elfutils: remove Elfutils-Exception and include GPLv2 for shared libraries
oeqa/sdk: use bash to execute SDK test commands
openssh: recommend rng-tools with sshd
Mingli Yu (6):
nettle: fix ptest failure
elfutils: add ptest support
elfutils: fix build failure with musl
gcc-sanitizers: fix -Werror=maybe-uninitialized issue
nettle: fix the Segmentation fault
nettle: fix ptest failure
Nathan Rossi (1):
ccmake.bbclass: Fix up un-escaped quotes in output formatting
Naveen Saini (5):
core-image-rt: make sure that we append to DEPENDS
core-image-rt-sdk: make sure that we append to DEPENDS
bitbake.conf: add git-lfs to HOSTTOOLS_NONFATAL
bitbake: bitbake: fetch2/git: git-lfs check
linux-yocto: update genericx86* SRCREV for 4.19
Oleksandr Kravchuk (52):
iproute2: update to 5.0.0
curl: update to 7.64.1
libxext: update to 1.3.4
x11perf: update to 1.6.1
libxdmcp: update to 1.1.3
libxkbfile: update 1.1.0
libxvmc: update to 1.0.11
libxrandr: update to 1.5.2
connman: update to 1.37
ethtool: update to 5.0
tar: update to 1.32
ffmpeg: update to 4.1.2
librepo: update to 1.9.6
libxmu: update to 1.1.3
libxcrypt: update to 4.4.4
wget: update to 1.20.2
libsecret: 0.18.8
createrepo-c: update to 0.12.2
libinput: update to 1.13.0
cronie: update to 1.5.4
libyaml: update to 0.2.2
fontconfig: update to 2.13.1
makedepend: update to 1.0.6
libdrm: update to 2.4.98
libinput: update to 1.13.1
libnotify: update to 0.7.8
libpng: update to 1.6.37
libcroco: update to 0.6.13
libpsl: update to 0.21.0
git: update to 2.21.0
quota: update to 4.05
gnupg: update to 2.2.15
lz4: update to 1.9.0
orc: update to 0.4.29
help2man-native: update to 1.47.10
cups: update to 2.2.11
pixman: update to 0.38.4
libcap: update to 2.27
ninja: add Upstream-Status and SOB for musl patch
python-numpy: update to 1.16.3
python3-pygobject: update to 3.32.1
wget: update to 1.20.3
libsolv: update to 0.7.4
ell: add recipe
sqlite3: update to 3.28.0
kmscube: update to latest revision
coreutils: update to 8.31
mtools: update to 4.0.23
msmtp: update to 1.8.4
wpa-supplicant: update to 2.8
bitbake.conf: use https instead of http
ell: update to 0.20
Paul Barker (3):
oe.path: Add copyhardlink() helper function
license_image: Use new oe.path.copyhardlink() helper
gdb: Fix aarch64 build with musl
Peter Kjellerstedt (1):
systemd: Use PACKAGECONFIG definition to depend on libnss-myhostname
Randy MacLeod (5):
valgrind: update from 3.14.0 to 3.15.0
valgrind: fix vg_regtest return code
valgrind: update the ptest subdirs list
valgrind: adjust test filters and expected output
valgrind: fix call/cachegrind ptests
Richard Purdie (52):
pseudo: Update to gain key bugfixes
python3: Avoid hanging tests
python3: Fix ptest output parsing
go.bbclass: Remove unused override
goarch.bbclass: Simplify logic
e2fsprogs: Skip slow ptest tests
bitbake: bitbake: Update version to 1.42.0
poky.conf: Bump version for 2.7 warrior release
build-appliance-image: Update to warrior head revision
bitbake: bitbake: Post release version bumnp to 1.43
poky.conf: Post release version bump
build-appliance-image: Update to master head revision
Revert "nettle: fix ptest failure"
core-image-sato-sdk-ptest: Try and keep image below 4GB limit
core-image-sato-ptest-fast: Add 'fast' ptest execution image
core-image-sato-sdk-ptest: Include more ptests in ptest image
core-image-sato-sdk-ptest: Add temporary PROVIDES core-image-sato-ptest
resultool/resultutils: Fix module import error
lttng-tools: Add missing patch Upstream-Status
utils/multiprocess_launch: Improve failing subprocess output
python3: Drop ptest hack
ptest-packagelists: Add m4 and gettext as 'fast' ptests
bitbake: knotty: Implement console 'keepalive' output
bitbake: build: Ensure warning for invalid task dependencies is useful
bitbake: build: Disable warning about dependent tasks for now
oeqa/ssh: Avoid unicode decode exceptions
elfutils: ptest fixes
elfutils: Fix ptest compile failures on musl
bitbake: bitbake: Add initial pass of SPDX license headers to source code
bitbake: bitbake: Drop duplicate license boilerplace text
bitbake: bitbake: Strip old editor directives from file headers
bitbake: HEADER: Drop it
openssh/systemd/python/qemu: Fix patch Upstream-Status
scripts/pybootchart: Fix mixed indentation
scripts/pybootchart: Port to python3
scripts/pybootchart/draw: Clarify some variable names
scripts/pybootchart/draw: Fix some bounding problems
coreutils: Fix patch upstream status field
oeqa: Drop OETestID
meta/lib+scripts: Convert to SPDX license headers
oeqa/core/runner: Handle unexpectedSucesses
oeqa/systemd_boot: Drop OETestID
oeqa/runner: Fix subunit setupClass/setupModule failure handling
oeqa/concurrenttest: Patch subunit module to handle classSetup failures
tcmode-default: Add PREFERRED_VERSION for libgfortran
oeqa/selftest: Automate manual pybootchart tests
openssh: Avoid PROVIDES warning from rng-tools dependency
oeqa/target/ssh: Replace suggogatepass with ignoring errors
core-image-sato-sdk-ptest: Tweak size to stay within 4GB limit
valgrind: Include debugging symbols in ptests
dbus-test: Improve ptest dependencies dependencies
ptest: Add RDEPENDS frpm PN-ptest to PN package
Robert Joslyn (1):
qemu: Add PACKAGECONFIG for snappy
Robert Yang (6):
bitbake: bitbake-diffsigs: Use 4 spaces as indent for recursecb
bitbake: bb: siggen: Make dump_sigfile and compare_sigfiles print uuid4
bitbake: bb: siggen: Print more info when basehash are mis-matched
bitbake: BBHandler: Fix addtask and deltask
bitbake: build.py: check dependendent task for addtask
bitbake: tests/parse.py: Add testcase for addtask and deltask
Ross Burton (14):
lttng-tools: fix Upstream-Status
acpica: upgrade to 20190215
staging: add ${datadir}/gtk-doc/html to the sysroot blacklist
mpg123: port to use libsdl2
meta-poky: remove obsolete DISTRO_FEATURES_LIBC
m4: update patch status
packagegroup-core-full-cmdline: remove zlib
wic: change expand behaviour to match docs
wic: add global debug option
gtk-icon-cache: clean up DEPENDS
patch: add minver and maxver parameters
glib-2.0: fix locale handling
glib-2.0: add missing locales for the tests
glib-2.0: fix last failing ptest
Scott Rifenbark (34):
bitbake: poky.ent: Removed "ECLIPSE" entity variables.
bitbake: bitbake-user-manual: Added section on modifying variables
Makefile: Removed Eclipse support
Documentation: Removed customization.xsl files for Eclipse
mega-manual: Removed two Eclipse figures from tarball list
mega-manual, overview-manual: Added updated index releases figure
poky.ent: Removed Eclipse related variables.
mega-manual: Removed the Eclipse chapters
dev-manual: Removed all references to Eclipse.
overview-manual: Removed all references to Eclipse
profile-manual: Removed all references to Eclipse
ref-manual: Removed all references to Eclipse
sdk-manual: Removed all references to Eclipse
sdk-manual: Removed all references to Eclipse
dev-manual; brief-yoctoprojectqs: Updated checkout branch example
dev-manual: Added reasoning blurb to "Viewing Variables" section.
ref-manual: Inserted Migration 2.7 section.
ref-manual: Added Eclipse removal for migration section.
ref-manual: Added "License Value Corrections to migration.
ref-manual: Added Fedora 29 to the supported distros list.
poky.ent: changed 2.7 release variable date to "May 2019"
ref-manual: Review comments applied to 2.7 migration section.
documentation: Prepared for 2.8 release
bsp-guide: Removed inaccurate "container layer" references.
ref-manual: Updated the "Container Layer" term.
bsp-guide: Updated the "beaglebone-yocto.conf" example.
documentation: Cleaned up "plug-in"/"plugin" terminology.
bsp-guide: Updated the BSP kernel recipe example.
ref-manual: Updated PREFERRED_VERSION variable to use 5.0
bsp-guide: More corrections to the BSP Kernel Recipe example
dev-manual: Added cross-link to "Fetchers" section in BB manual.
bitbake: bitbake-user-manual: Added npm to other fetcher list.
overview-manual: Updated SMC section to link to fetchers
ref-manual: Added "npm" information to the SRC_URI variable.
Stefan Kral (1):
bitbake: build: Add verbnote to shell log commands
Stefan Müller-Klieser (1):
cml1.bbclass: fix undefined behavior
Steven Hung (洪于玉) (1):
kernel.bbclass: convert base_do_unpack_append() to a task
Tom Rini (2):
vim: Rework to not rely on relative directories
vim: Update to 8.1.1240
Wenlin Kang (1):
systemd: install libnss-myhostname.so when myhostname be enabled
Yeoh Ee Peng (1):
resulttool/manualexecution: Refactor and remove duplicate code
Yi Zhao (2):
harfbuzz: update source checksums after upstream replaced the tarball
libyaml: update SRC_URI[md5sum] and SRC_URI[sha256sum]
Ying-Chun Liu (PaulLiu) (1):
uboot-sign: Fix u-boot-nodtb symlinks
Zang Ruochen (10):
libatomic-ops:upgrade 7.6.8 -> 7.6.10
libgpg-error:upgrade 1.35 -> 1.36
libxft:upgrade 2.3.2 -> 2.3.3
libxxf86dga:upgrade 1.1.4 -> 1.1.5
nss:upgrade 3.42.1 -> 3.43
sysprof:upgrade 3.30.2 -> 3.32.0
libtirpc:upgrade 1.0.3 -> 1.1.4
xtrans:upgrade 1.3.5 -> 1.4.0
harfbuzz:upgrade 2.3.1 -> 2.4.0
icu: Upgrade 64.1 -> 64.2
Zheng Ruoqin (1):
sanity: check_perl_modules bug fix
sangeeta jain (1):
resulttool/manualexecution: Enable test case configuration option
meta-openembedded: 4a9deabbc8..1ecd8b4364:
Adrian Bunk (34):
linux-atm: Remove DEPENDS on virtual/kernel and PACKAGE_ARCH
linux-atm: Replace bogus on_exit removal with musl-specific hack
ledmon: Mark as incompatible on musl instead of adding bogus patch
efivars: Drop workaround patch for host gcc < 4.7
sshfs-fuse: upgrade 2.8 -> 2.10
wv: upgrade 1.2.4 -> 1.2.9
caps: Upgrade 0.9.24 -> 0.9.26
dvb-apps: Remove dvb-fe-xc5000c-4.1.30.7.fw
schroedinger: Remove the obsolete DEPENDS on liboil
vlc: Remove workaround and patches for problems fixed upstream
Remove liboil
dnrd: Remove stale files of recipe removed 2 years ago
postfix: Upgrade 3.4.1 -> 3.4.5
pptp-linux: Upgrade 1.9.0 -> 1.10.0
dovecot: Upgrade 2.2.36 -> 2.2.36.3
postgresql: Upgrade 11.2 -> 11.3
rocksdb: Upgrade 5.18.2 -> 5.18.3
cloud9: Remove stale files of recipe removed 2 years ago
fluentbit: Upgrade 0.12.1 -> 0.12.19
libcec: Upgrade 4.0.2 -> 4.0.4
libqb: Upgrade 1.0.3 -> 1.0.5
openwsman: Upgrade 2.6.8 -> 2.6.9
glm: Upgrade 0.9.9.3 -> 0.9.9.5
fvwm: Upgrade 2.6.7 -> 2.6.8
augeas: Upgrade 1.11.0 -> 1.12.0
ccid: Upgrade 1.4.24 -> 1.4.30
daemonize: Upgrade 1.7.7 -> 1.7.8
inotify-tools: Upgrade 3.14 -> 3.20.1
liboop: Upgrade 1.0 -> 1.0.1
ode: Remove stale file of recipe removed 2 years ago
openwbem: Remove stale files of recipe removed 2 years ago
catch2: Upgrade 2.6.1 -> 2.7.2
geos: Upgrade 3.4.2 -> 3.4.3
rdfind: Upgrade 1.3.4 -> 1.4.1
Akshay Bhat (3):
python-urllib3: Set CVE_PRODUCT
python3-pillow: Set CVE_PRODUCT
python-requests: Set CVE_PRODUCT
Alistair Francis (3):
mycroft: Update the systemd service to ensure we are ready to start
mycroft: Bump from 19.2.2 to 19.2.3
python-obd: Add missing RDEPENDS
Andreas Müller (33):
gvfs: remove executable permission from systemd user services
udisks2: upgrade 2.8.1 -> 2.8.2
parole: upgrade 1.0.1 -> 1.0.2
ristretto: upgrade 0.8.3 -> 0.8.4
networkmanager: rework musl build
gvfs: remove systemd user unit executable permission adjustment
fltk: upgrade 1.3.4-2 -> 1.3.5
samba: install bundled libs into seperate packages
samba: rework localstatedir package split
fluidsynth: upgrade 2.0.4 -> 2.0.5
xfce4-vala: auto-detect vala api version
gnome-desktop3: set correct meson gtk doc option
vlc: rework qt PACKAGECONFIG
evince: add patch to fix build with recent gobject-introspection
xfce4-cpufreq-plugin: Fix memory leak and reduce CPU load
packagegroup-meta-networking: replace DISTRO_FEATURE by DISTRO_FEATURES
meta-xfce: add meta-networking to layer depends
gtksourceview4: initial add 4.2.0
gtksourceview-classic-light: extend to gtksourceview4
itstool: rework - it went out too early
fontforge: upgrade 20170731 -> 20190413
exo: upgrade 0.12.4 -> 0.12.5
xfce4-places-plugin: upgrade 1.7.0 -> 1.8.0
xfce4-datetime-plugin: upgrade 0.7.0 -> 0.7.1
xfce4-notifyd: upgrade 0.4.3 -> 0.4.4
desktop-file-utils: remove - a more recent version is in oe-core
libwnck3: upgrade 3.30.0 and move to meson build
xfce4-terminal: add vte-prompt to RRECOMMENDS
xfce4-session: get rid of machine-host
xfce4-session: remove strange entry in FILES_${PN}
libxfce4ui: Add PACKAGECONFIG 'gladeui2' for glade (gtk3) support
glade3: move to to meta-xfce
Remove me as maintainer
Andrej Valek (2):
squid: upgrade squid 3.5.28 -> 4.6
ntp: upgrade 4.2.8p12 -> 4.2.8p13
Ankit Navik (1):
libnfc: Initial recipe for Near Field Communication library.
Armin Kuster (1):
meta-filesystems: drop bitbake from README
Changqing Li (5):
gd: fix compile error caused by -Werror=maybe-uninitialized
apache2: add back patch for set perlbin
php: upgrade 7.3.2 -> 7.3.4
postgresql: fix compile error
php: correct httpd path
Chris Garren (1):
python-cryptography: Move linker flag to .inc
Denys Dmytriyenko (1):
v4l-utils: upgrade 1.16.0 -> 1.16.5
Gianfranco Costamagna (1):
cpprest: update to 2.10.13, drop 32bit build fix upstream
Hains van den Bosch (1):
libcdio: update to version 2.1.0
Hongxu Jia (1):
pmtools: use update-alternatives for acpidump
Hongzhi.Song (1):
lua: upgrade from v5.3.4 to v5.3.5
Ivan Maidanski (1):
bdwgc: upgrade 7.6.12 -> 8.0.4
Johannes Pointner (1):
samba: update to 4.8.11
Kai Kang (3):
gvfs: fix typo libexec
drbd: fix compile errors
drbd-utils: fix file conflict with base-files
Khem Raj (3):
redis: Upgrade to 4.0.14
squid: Link with libatomic on mips/ppc
cpupower: Inherit bash completion class
Leon Anavi (1):
openbox: Add python-shell as a runtime dependency
Liwei Song (1):
ledmon: control hard disk led for RAID arrays
Mark Asselstine (1):
xfconf: fix 'Failed to get connection to xfconfd' during do_rootfs
Martin Jansa (13):
ftgl: add x11 to required DISTRO_FEATURES like freeglut
libforms: add x11 to required DISTRO_FEATURES because of libx11
Revert "ell: remove recipe"
ne10: set NE10_TARGET_ARCH with an override instead of anonymous python
libopus: use armv7a, aarch64 overrides when adding ne10 dependency
esound: fix SRC_URI for multilib
opusfile: fix SRC_URI for multilib
miniupnpd: fix SRC_URI for multilib
zbar: fix SRC_URI for multilib
libvncserver: set PV in the recipe
efivar: prevent native efivar depending on target kernel
libdbi-perl: prevent native libdbi-perl depending on target perl
aufs-util: prevent native aufs-util depending on target kernel
Ming Liu (1):
libmodbus: add documentation PACKAGECONFIG
Mingli Yu (6):
indent: Upgrade to 2.2.12
hostapd: Upgrade to 2.8
hwdata: Upgrade to 0.322
rrdtool: Upgrade to 1.7.1
libdev-checklib-perl: add new recipe
libdbd-mysql-perl: Upgrade to 4.050
Nathan Rossi (1):
fatresize_1.0.2.bb: Add recipe for fatresize command line tool
Nicolas Dechesne (3):
cpupower: remove LIC_FILES_CHKSUM
bpftool: remove LIC_FILES_CHKSUM
cannelloni: move from meta-oe to meta-networking
Oleksandr Kravchuk (38):
smcroute: update to 2.4.4
phytool: update to v2
fwknop: update to 2.6.10
cifs-utils: update to 6.9
keepalived: update to 2.0.15
usbredir: update to 0.8.0
open-isns: update to 0.99
nanomsg: update to 1.1.5
stunnel: update to 5.51
babeld: update to 1.8.4
drbd-utils: update to 9.8.0
drbd: update to 9.0.17-1
macchanger: update to 1.7.0
wolfssl: update to 4.0.0
ell: remove recipe
analyze-suspend: update to 5.3
chrony: update to 3.4
nghttp2: update to 1.38
nano: update to 4.1
networkmanager-openvpn: update to 1.8.10
wpan-tools: update to 0.9
uftp: update to 4.9.9
vblade: add UPSTREAM_CHECK_URI
traceroute: add UPSTREAM_CHECK_URI
nuttcp: update to 8.2.2
nfacct: add UPSTREAM_CHECK_URI
nftables: add UPSTREAM_CHECK_URI
libnetfilter-queue: update to 1.0.3
arno-iptables-firewall: update to 2.0.3
ypbind-mt: update to 2.6
ebtables: add UPSTREAM_CHECK_URI
doxygen: replace ninja 1.9.0 fix with official one
libnetfilter-queue: fix update to 1.0.3
networkd-dispatcher: update to 2.0.1
opensaf: update to 5.19.01
libnetfilter-conntrack: update to 1.0.7
conntrack-tools: update to 1.4.5
openvpn: update to 2.4.7
Paolo Valente (1):
s-suite: push SRCREV to version 3.2
Parthiban Nallathambi (6):
python3-aiohttp: add version 3.5.4
python3-supervisor: add version 4.0.2
python3-websocket-client: add version 0.56.0
python3-tinyrecord: add version 0.1.5
python3-sentry-sdk: add version 0.7.14
python3-raven: add version 6.10.0
Pascal Bach (2):
paho-mqtt-c: 1.2.1 -> 1.3.0
thrift: update to 0.12.0
Pavel Modilaynen (1):
jsoncpp: add native BBCLASSEXTEND
Peter Kjellerstedt (2):
apache2: Correct appending to SYSROOT_PREPROCESS_FUNCS
apache2: Correct packaging of build and doc related files
Philip Balister (1):
sip: Update to 4.19.16.
Qi.Chen@windriver.com (4):
multipath-tools: fix up patch to avoid segfault
netkit-rsh: add tag to CVE patch
ipsec-tools: fix CVE tag in patch
gd: set CVE_PRODUCT
Randy MacLeod (1):
imagemagick: update from 7.0.8-35 to 7.0.8-43
Robert Joslyn (5):
gpm: Fix gpm path in unit file
gpm: Add PID file to systemd unit file
gpm: Generate documentation
gpm: Remove duplicate definition of _GNU_SOURCE
gpm: Recipe cleanup
Sean Nyekjaer (2):
cannelloni: new package, CAN to ethernet proxy
ser2net: upgrade to version 3.5.1
Vincent Prince (1):
mongodb: Fix build with gcc
Wenlin Kang (1):
samba: add PACKAGECONFIG for libunwind
Yi Zhao (7):
python-flask-socketio: move to meta-python directory
apache2: upgrade 2.4.34 -> 2.4.39
apache-websocket: upgrade to latest git rev
netkit-rsh: security fixes
openhpi: fix failure of ptest case ohpi_035
openhpi: update openhpi-fix-testfail-errors.patch
phpmyadmin: upgrade 4.8.3 -> 4.8.5
Zang Ruochen (43):
xlsatoms: upgrade 1.1.2 -> 1.1.3
xrdb: upgrade 1.1.1 -> 1.2.0
xrefresh: upgrade 1.0.5 -> 1.0.6
xsetroot: upgrade 1.1.1 -> 1.1.2
xstdcmap: upgrade 1.0.3 -> 1.0.4
xbitmaps: upgrade 1.1.1 -> 1.1.2
wireshark: upgrade 3.0.0 -> 3.0.1
python-cffi: upgrade 1.11.5 -> 1.12.2
python-attrs: upgrade 18.1.0 -> 19.1.0
python-certifi: upgrade 2018.8.13 -> 2019.3.9
python-beabutifulsoup4: upgrade 4.6.0 -> 4.7.1
python-dateutil: upgrade 2.7.3 -> 2.8.0
python-mako: upgrade 1.0.7 -> 1.0.9
python-msgpack: upgrade 0.6.0 -> 0.6.1
python-paste: upgrade 3.0.6 -> 3.0.8
python-psutil: upgrade 5.4.6 -> 5.6.1
python-py: upgrade 1.6.0 -> 1.8.0
python-pymongo: upgrade 3.7.1 -> 3.7.2
python-pyopenssl: upgrade 18.0.0 -> 19.0.0
python-pytz: upgrade 2018.5 -> 2019.1
python-stevedore: upgrade 1.29.0 -> 1.30.1
python-pbr: upgrade 4.2.0 -> 5.1.3
python-cython: upgrade 0.28.5 -> 0.29.6
python-editor: upgrade 1.0.3 -> 1.0.4
python-jinja2: upgrade 2.10 -> 2.10.1
python-lxml: upgrade 4.3.1 -> 4.3.3
python-alembic: upgrade 1.0.0 -> 1.0.9
python-cffi: upgrade 1.12.2 -> 1.12.3
python-hyperlink: upgrade 18.0.0 -> 19.0.0
python-twisted: upgrade 18.4.0 -> 19.2.0
python-zopeinterface: upgrade 4.5.0 -> 4.6.0
python-decorator: upgrade 4.3.0 -> 4.4.0
python-pip: upgrade 18.0 -> 19.1
python-pyasn1: upgrade 0.4.4 -> 0.4.5
libnet-dns-perl: upgrade 1.19 -> 1.20
python-alembic: upgrade 1.0.9 -> 1.0.10
python-cython: upgrade 0.29.6 -> 0.29.7
python-mock: upgrade 2.0.0 -> 3.0.5
python-pbr: upgrade 5.1.3 -> 5.2.0
python-psutil: upgrade 5.6.1 -> 5.6.2
python-pymongo: upgrade 3.7.2 -> 3.8.0
python-pyperclip: upgrade 1.6.2 -> 1.7.0
python-rfc3987: upgrade 1.3.7 -> 1.3.8
leimaohui (3):
To fix confilict error with python3-pbr.
python-pycodestyle: Fix conflict error with python3-pycodestyle during do_rootfs
mozjs: Make mozjs support arm32BE.
meta-raspberrypi: 9ceb84ee9e..7059c37451:
Francesco Giancane (1):
qtbase_%.bbappend: update PACKAGECONFIG name for xkbcommon
Gianluigi Tiesi (1):
psplash: Raise alternatives priority to 200
Martin Jansa (3):
linux_raspberrypi_4.19: Update to 4.19.34
bluez5: apply the same patches and pi-bluetooth dependency for all rpi MACHINEs
userland: use default PACKAGE_ARCH
Paul Barker (3):
linux-raspberrypi: Update 4.14.y kernel
linux-raspberrypi: Switch default back to 4.14.y
linux-raspberrypi 4.9: Drop old version
meta-security: 8a1f54a246..9f5cc2a7eb:
Alexander Kanavin (1):
apparmor: fetch from git
Armin Kuster (15):
clamav runtime: add resolve.conf support
clamav: fix llvm reference version
libldb: add waf-cross-answeres
clamav: runtime fix local routing
clamav: add clamav-cvd package for cvd db
clamav-native: fix new build issue
apparmor: fix fragment for 5.0 kernel
apparmor: add a few more runtime
smack: move patch to smack dir
smack-test: add smack tests from meta-intel-iot-security
samhain: add more tests and fix ret checks
libldb: add earlier version
libseccomp: update to 2.4.1
oe-selftest: add running cve checker
smack: kernel fragment update
Yi Zhao (2):
meta-tpm/conf/layer.conf: update layer dependencies
meta-tpm/README: update
Change-Id: I9e02cb75a779f25fca84395144025410bb609dfa
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-security/files/waf-cross-answers/README b/meta-security/files/waf-cross-answers/README
new file mode 100644
index 0000000..dda45c5
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/README
@@ -0,0 +1,3 @@
+The files in this directory are cross answers files
+used by waf-samba.bbclass, please see waf-samba.bbclass
+for details about how they are used.
diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt
new file mode 100644
index 0000000..1023f6a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt
new file mode 100644
index 0000000..1023f6a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-arm.txt b/meta-security/files/waf-cross-answers/cross-answers-arm.txt
new file mode 100644
index 0000000..a5cd998
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-arm.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-armeb.txt b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt
new file mode 100644
index 0000000..a5cd998
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-i586.txt b/meta-security/files/waf-cross-answers/cross-answers-i586.txt
new file mode 100644
index 0000000..a5cd998
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-i586.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-i686.txt b/meta-security/files/waf-cross-answers/cross-answers-i686.txt
new file mode 100644
index 0000000..a5cd998
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-i686.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips.txt b/meta-security/files/waf-cross-answers/cross-answers-mips.txt
new file mode 100644
index 0000000..3e239e7
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mips.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt
new file mode 100644
index 0000000..82e694f
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: OK
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt
new file mode 100644
index 0000000..82e694f
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: OK
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt
new file mode 100644
index 0000000..3e239e7
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt
new file mode 100644
index 0000000..27b9378
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt
new file mode 100644
index 0000000..7fd3092
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: (255, "")
+Checking if can we convert from IBM850 to UCS-2LE: (255, "")
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt
new file mode 100644
index 0000000..1023f6a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt
new file mode 100644
index 0000000..1023f6a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/lib/oeqa/runtime/cases/apparmor.py b/meta-security/lib/oeqa/runtime/cases/apparmor.py
index e2cb316..b6a9537 100644
--- a/meta-security/lib/oeqa/runtime/cases/apparmor.py
+++ b/meta-security/lib/oeqa/runtime/cases/apparmor.py
@@ -25,3 +25,22 @@
msg = ('aa-status failed. '
'Status and output:%s and %s' % (status, output))
self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_status'])
+ def test_apparmor_aa_complain(self):
+ status, output = self.target.run('aa-complain /etc/apparmor.d/*')
+ match = re.search('apparmor module is loaded.', output)
+ if not match:
+ msg = ('aa-complain failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_complain'])
+ def test_apparmor_aa_enforce(self):
+ status, output = self.target.run('aa-enforce /etc/apparmor.d/*')
+ match = re.search('apparmor module is loaded.', output)
+ if not match:
+ msg = ('aa-enforce failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py
index fc77330..d0bc645 100644
--- a/meta-security/lib/oeqa/runtime/cases/clamav.py
+++ b/meta-security/lib/oeqa/runtime/cases/clamav.py
@@ -1,6 +1,7 @@
# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
#
import re
+from tempfile import mkstemp
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
@@ -9,6 +10,22 @@
class ClamavTest(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.tmp_fd, cls.tmp_path = mkstemp()
+ with os.fdopen(cls.tmp_fd, 'w') as f:
+ # use gooled public dns
+ f.write("nameserver 8.8.8.8")
+ f.write(os.linesep)
+ f.write("nameserver 8.8.4.4")
+ f.write(os.linesep)
+ f.write("nameserver 127.0.0.1")
+ f.write(os.linesep)
+
+ @classmethod
+ def tearDownClass(cls):
+ os.remove(cls.tmp_path)
+
@OEHasPackage(['clamav'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
def test_freshclam_help(self):
@@ -18,6 +35,19 @@
self.assertEqual(status, 0, msg = msg)
@OETestDepends(['clamav.ClamavTest.test_freshclam_help'])
+ @OEHasPackage(['openssh-scp', 'dropbear'])
+ def test_ping_clamav_net(self):
+ dst = '/etc/resolv.conf'
+ self.tc.target.run('rm -f %s' % dst)
+ (status, output) = self.tc.target.copyTo(self.tmp_path, dst)
+ msg = 'File could not be copied. Output: %s' % output
+ self.assertEqual(status, 0, msg=msg)
+
+ status, output = self.target.run('ping -c 1 database.clamav.net')
+ msg = ('ping database.clamav.net failed: output is:\n%s' % output)
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net'])
def test_freshclam_download(self):
status, output = self.target.run('freshclam --show-progress')
match = re.search('Database updated', output)
diff --git a/meta-security/lib/oeqa/runtime/cases/samhain.py b/meta-security/lib/oeqa/runtime/cases/samhain.py
index e4bae7b..5043a38 100644
--- a/meta-security/lib/oeqa/runtime/cases/samhain.py
+++ b/meta-security/lib/oeqa/runtime/cases/samhain.py
@@ -1,6 +1,7 @@
# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
#
import re
+import os
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
@@ -11,10 +12,32 @@
@OEHasPackage(['samhain-standalone'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
- def test_samhain_standalone_help(self):
- status, output = self.target.run('samhain --help')
- match = re.search('Please report bugs to support@la-samhna.de.', output)
- if not match:
- msg = ('samhain-standalone command does not work as expected. '
+ def test_samhain_help(self):
+ machine = self.td.get('MACHINE', '')
+ status, output = self.target.run('echo "127.0.0.1 %s.localdomain %s" >> /etc/hosts' % (machine, machine))
+ msg = ("samhain can't append hosts. "
'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 1, msg = msg)
+ self.assertEqual(status, 0, msg = msg)
+
+ status, output = self.target.run('samhain --help')
+ msg = ('samhain command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['samhain.SamhainTest.test_samhain_help'])
+ def test_samhain_init_db(self):
+ status, output = self.target.run('samhain -t init')
+ match = re.search('FAILED: 0 ', output)
+ if not match:
+ msg = ('samhain database init had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['samhain.SamhainTest.test_samhain_init_db'])
+ def test_samhain_db_check(self):
+ status, output = self.target.run('samhain -t check')
+ match = re.search('FAILED: 0 ', output)
+ if not match:
+ msg = ('samhain errors found in db. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/smack.py b/meta-security/lib/oeqa/runtime/cases/smack.py
new file mode 100644
index 0000000..35e87ef
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/smack.py
@@ -0,0 +1,529 @@
+import unittest
+import re
+import os
+import string
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+
+MAX_LABEL_LEN = 255
+LABEL = "a" * MAX_LABEL_LEN
+
+class SmackBasicTest(OERuntimeTestCase):
+ ''' base smack test '''
+
+ @classmethod
+ def setUpClass(cls):
+ cls.smack_path = ""
+ cls.current_label = ""
+ cls.uid = 1000
+
+ @skipIfNotFeature('smack',
+ 'Test requires smack to be in DISTRO_FEATURES')
+ @OEHasPackage(['smack-test'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_smack_basic(self):
+ status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
+ self.smack_path = output
+ status,output = self.target.run("cat /proc/self/attr/current")
+ self.current_label = output.strip()
+
+class SmackAccessLabel(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_add_access_label(self):
+ ''' Test if chsmack can correctly set a SMACK label '''
+ filename = "/tmp/test_access_label"
+ self.target.run("touch %s" %filename)
+ status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename))
+ self.assertEqual(
+ status, 0,
+ "Cannot set smack access label. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %filename)
+ self.target.run("rm %s" %filename)
+ m = re.search('(?<=access=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find access attribute")
+ else:
+ label_retrieved = m .group(0)
+ self.assertEqual(
+ LABEL, label_retrieved,
+ "label not set correctly. expected and gotten: "
+ "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackExecLabel(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_add_exec_label(self):
+ '''Test if chsmack can correctly set a SMACK Exec label'''
+ filename = "/tmp/test_exec_label"
+ self.target.run("touch %s" %filename)
+ status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename))
+ self.assertEqual(
+ status, 0,
+ "Cannot set smack exec label. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %filename)
+ self.target.run("rm %s" %filename)
+ m= re.search('(?<=execute=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find execute attribute")
+ else:
+ label_retrieved = m.group(0)
+ self.assertEqual(
+ LABEL, label_retrieved,
+ "label not set correctly. expected and gotten: " +
+ "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackMmapLabel(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_add_mmap_label(self):
+ '''Test if chsmack can correctly set a SMACK mmap label'''
+ filename = "/tmp/test_exec_label"
+ self.target.run("touch %s" %filename)
+ status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename))
+ self.assertEqual(
+ status, 0,
+ "Cannot set smack mmap label. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %filename)
+ self.target.run("rm %s" %filename)
+ m = re.search('(?<=mmap=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find mmap attribute")
+ else:
+ label_retrieved = m.group(0)
+ self.assertEqual(
+ LABEL, label_retrieved,
+ "label not set correctly. expected and gotten: " +
+ "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackTransmutable(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_add_transmutable(self):
+ '''Test if chsmack can correctly set a SMACK transmutable mode'''
+
+ directory = "~/test_transmutable"
+ self.target.run("mkdir -p %s" %directory)
+ status, output = self.target.run("chsmack -t %s" %directory)
+ self.assertEqual(status, 0, "Cannot set smack transmutable. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %directory)
+ self.target.run("rmdir %s" %directory)
+ m = re.search('(?<=transmute=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find transmute attribute")
+ else:
+ label_retrieved = m.group(0)
+ self.assertEqual(
+ "TRUE", label_retrieved,
+ "label not set correctly. expected and gotten: " +
+ "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackChangeSelfLabelPrivilege(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_privileged_change_self_label(self):
+ '''Test if privileged process (with CAP_MAC_ADMIN privilege)
+ can change its label.
+ '''
+
+ labelf = "/proc/self/attr/current"
+ command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+
+ status, output = self.target.run(
+ "notroot.py 0 %s %s" %(self.current_label, command))
+
+ self.assertIn("PRIVILEGED", output,
+ "Privilege process did not change label.Output: %s" %output)
+
+class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_unprivileged_change_self_label(self):
+ '''Test if unprivileged process (without CAP_MAC_ADMIN privilege)
+ cannot change its label'''
+
+ command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
+ status, output = self.target.run(
+ "notroot.py %d %s %s"
+ %(self.uid, self.current_label, command) +
+ " 2>&1 | grep 'Operation not permitted'" )
+
+ self.assertEqual(
+ status, 0,
+ "Unprivileged process should not be able to change its label")
+
+
+class SmackChangeFileLabelPrivilege(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_unprivileged_change_file_label(self):
+ '''Test if unprivileged process cannot change file labels'''
+
+ status, chsmack = self.target.run("which chsmack")
+ status, touch = self.target.run("which touch")
+ filename = "/tmp/test_unprivileged_change_file_label"
+
+ self.target.run("touch %s" % filename)
+ self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
+ status, output = self.target.run(
+ "notroot.py " +
+ "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
+ "| grep 'Operation not permitted'" )
+
+ self.target.run("rm %s" % filename)
+ self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename)
+
+class SmackLoadRule(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_load_smack_rule(self):
+ '''Test if new smack access rules can be loaded'''
+
+ # old 23 character format requires special spaces formatting
+ # 12345678901234567890123456789012345678901234567890123
+ ruleA="TheOne TheOther rwxat"
+ ruleB="TheOne TheOther r----"
+ clean="TheOne TheOther -----"
+ modeA = "rwxat"
+ modeB = "r"
+
+ status, output = self.target.run('echo -n "%s" > %s/load' %(ruleA, self.smack_path))
+ status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
+ self.assertEqual(status, 0, "Rule A was not added")
+ mode = list(filter(bool, output.split(" ")))[2].strip()
+ self.assertEqual( mode, modeA, "Mode A was not set correctly; mode: %s" %mode)
+
+ status, output = self.target.run( 'echo -n "%s" > %s/load' %(ruleB, self.smack_path))
+ status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
+ mode = list(filter(bool, output.split(" ")))[2].strip()
+ self.assertEqual( mode, modeB, "Mode B was not set correctly; mode: %s" %mode)
+
+ self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path))
+
+
+class SmackOnlycap(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_onlycap(self):
+ '''Test if smack onlycap label can be set
+
+ test needs to change the running label of the current process,
+ so whole test takes places on image
+ '''
+ status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh")
+ self.assertEqual(status, 0, output)
+
+class SmackNetlabel(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_netlabel(self):
+
+ test_label="191.191.191.191 TheOne"
+ expected_label="191.191.191.191/32 TheOne"
+
+ status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
+ self.assertEqual( status, 0, "Netlabel /32 could not be set. Output: %s" %output)
+
+ status, output = self.target.run("cat %s/netlabel" %self.smack_path)
+ self.assertIn( expected_label, output, "Did not find expected label in output: %s" %output)
+
+ test_label="253.253.253.0/24 TheOther"
+ status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
+ self.assertEqual( status, 0, "Netlabel /24 could not be set. Output: %s" %output)
+
+ status, output = self.target.run("cat %s/netlabel" %self.smack_path)
+ self.assertIn(
+ test_label, output,
+ "Did not find expected label in output: %s" %output)
+
+class SmackCipso(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_cipso(self):
+ '''Test if smack cipso rules can be set'''
+ # 12345678901234567890123456789012345678901234567890123456
+ ruleA="TheOneA 2 0 "
+ ruleB="TheOneB 3 1 55 "
+ ruleC="TheOneC 4 2 17 33 "
+
+ status, output = self.target.run(
+ "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path))
+ self.assertEqual(status, 0,
+ "Could not set cipso label A. Ouput: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep '^TheOneA'" %self.smack_path)
+ self.assertEqual(status, 0, "Cipso rule A was not set")
+ self.assertIn(" 2", output, "Rule A was not set correctly")
+
+ status, output = self.target.run(
+ "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path))
+ self.assertEqual(status, 0,
+ "Could not set cipso label B. Ouput: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep '^TheOneB'" %self.smack_path)
+ self.assertEqual(status, 0, "Cipso rule B was not set")
+ self.assertIn("/55", output, "Rule B was not set correctly")
+
+ status, output = self.target.run(
+ "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path))
+ self.assertEqual(
+ status, 0,
+ "Could not set cipso label C. Ouput: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep '^TheOneC'" %self.smack_path)
+ self.assertEqual(status, 0, "Cipso rule C was not set")
+ self.assertIn("/17,33", output, "Rule C was not set correctly")
+
+class SmackDirect(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_direct(self):
+ status, initial_direct = self.target.run(
+ "cat %s/direct" %self.smack_path)
+
+ test_direct="17"
+ status, output = self.target.run(
+ "echo '%s' > %s/direct" %(test_direct, self.smack_path))
+ self.assertEqual(status, 0 ,
+ "Could not set smack direct. Output: %s" %output)
+ status, new_direct = self.target.run("cat %s/direct" %self.smack_path)
+ # initial label before checking
+ status, output = self.target.run(
+ "echo '%s' > %s/direct" %(initial_direct, self.smack_path))
+ self.assertEqual(
+ test_direct, new_direct.strip(),
+ "Smack direct label does not match.")
+
+
+class SmackAmbient(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_ambient(self):
+ test_ambient = "test_ambient"
+ status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path)
+ status, output = self.target.run(
+ "echo '%s' > %s/ambient" %(test_ambient, self.smack_path))
+ self.assertEqual(status, 0,
+ "Could not set smack ambient. Output: %s" %output)
+
+ status, output = self.target.run("cat %s/ambient" %self.smack_path)
+ # Filter '\x00', which is sometimes added to the ambient label
+ new_ambient = ''.join(filter(lambda x: x in string.printable, output))
+ initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient))
+ status, output = self.target.run(
+ "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path))
+ self.assertEqual(
+ test_ambient, new_ambient.strip(),
+ "Ambient label does not match")
+
+
+class SmackloadBinary(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smackload(self):
+ '''Test if smackload command works'''
+ rule="testobject testsubject rwx"
+
+ status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule)
+ status, output = self.target.run("smackload /tmp/rules")
+ self.assertEqual( status, 0, "Smackload failed to load rule. Output: %s" %output)
+
+ status, output = self.target.run( "cat %s/load | grep '%s'" %(self.smack_path, rule))
+ self.assertEqual(status, 0, "Smackload rule was loaded correctly")
+
+
+class SmackcipsoBinary(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smackcipso(self):
+ '''Test if smackcipso command works'''
+ # 12345678901234567890123456789012345678901234567890123456
+ rule="cipsolabel 2 2 "
+
+ status, output = self.target.run("echo '%s' | smackcipso" %rule)
+ self.assertEqual( status, 0, "Smackcipso failed to load rule. Output: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep 'cipsolabel'" %self.smack_path)
+ self.assertEqual(status, 0, "smackcipso rule was loaded correctly")
+ self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output)
+
+
+class SmackEnforceFileAccess(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_enforce_file_access(self):
+ '''Test if smack file access is enforced (rwx)
+
+ test needs to change the running label of the current process,
+ so whole test takes places on image
+ '''
+ status, output = self.target.run("sh /usr/sbin/smack_test_file_access.sh")
+ self.assertEqual(status, 0, output)
+
+
+class SmackEnforceMmap(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_mmap_enforced(self):
+ '''Test if smack mmap access is enforced'''
+ raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
+
+ # 12345678901234567890123456789012345678901234567890123456
+ delr1="mmap_label mmap_test_label1 -----"
+ delr2="mmap_label mmap_test_label2 -----"
+ delr3="mmap_file_label mmap_test_label1 -----"
+ delr4="mmap_file_label mmap_test_label2 -----"
+
+ RuleA="mmap_label mmap_test_label1 rw---"
+ RuleB="mmap_label mmap_test_label2 r--at"
+ RuleC="mmap_file_label mmap_test_label1 rw---"
+ RuleD="mmap_file_label mmap_test_label2 rwxat"
+
+ mmap_label="mmap_label"
+ file_label="mmap_file_label"
+ test_file = "/usr/sbin/smack_test_mmap"
+ mmap_exe = "/tmp/mmap_test"
+ status, echo = self.target.run("which echo")
+ status, output = self.target.run(
+ "notroot.py %d %s %s 'test' > %s" \
+ %(self.uid, self.current_label, echo, test_file))
+ status, output = self.target.run("ls %s" %test_file)
+ self.assertEqual(status, 0, "Could not create mmap test file")
+ self.target.run("chsmack -m %s %s" %(file_label, test_file))
+ self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
+
+ # test with no rules with mmap label or exec label as subject
+ # access should be granted
+ self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
+ self.assertEqual(
+ status, 0,
+ "Should have mmap access without rules. Output: %s" %output)
+
+ # add rules that do not match access required
+ self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
+ self.assertNotEqual(
+ status, 0,
+ "Should not have mmap access with unmatching rules. " +
+ "Output: %s" %output)
+ self.assertIn(
+ "Permission denied", output,
+ "Mmap access should be denied with unmatching rules")
+
+ # add rule to match only partially (one way)
+ self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
+ self.assertNotEqual(
+ status, 0,
+ "Should not have mmap access with partial matching rules. " +
+ "Output: %s" %output)
+ self.assertIn(
+ "Permission denied", output,
+ "Mmap access should be denied with partial matching rules")
+
+ # add rule to match fully
+ self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
+ self.assertEqual(
+ status, 0,
+ "Should have mmap access with full matching rules." +
+ "Output: %s" %output)
+
+
+class SmackEnforceTransmutable(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_transmute_dir(self):
+ '''Test if smack transmute attribute works
+
+ test needs to change the running label of the current process,
+ so whole test takes places on image
+ '''
+ test_dir = "/tmp/smack_transmute_dir"
+ label="transmute_label"
+ status, initial_label = self.target.run("cat /proc/self/attr/current")
+
+ self.target.run("mkdir -p %s" % test_dir)
+ self.target.run("chsmack -a %s %s" % (label, test_dir))
+ self.target.run("chsmack -t %s" % test_dir)
+ self.target.run("echo -n '%s %s rwxat' | smackload" %(initial_label, label) )
+
+ self.target.run("touch %s/test" % test_dir)
+ status, output = self.target.run("chsmack %s/test" % test_dir)
+ self.assertIn( 'access="%s"' %label, output,
+ "Did not get expected label. Output: %s" % output)
+
+
+class SmackTcpSockets(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_tcp_sockets(self):
+ '''Test if smack is enforced on tcp sockets
+
+ whole test takes places on image, depends on tcp_server/tcp_client'''
+
+ status, output = self.target.run("sh /usr/sbin/test_smack_tcp_sockets.sh")
+ self.assertEqual(status, 0, output)
+
+
+class SmackUdpSockets(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_udp_sockets(self):
+ '''Test if smack is enforced on udp sockets
+
+ whole test takes places on image, depends on udp_server/udp_client'''
+
+ status, output = self.target.run("sh /usr/sbin/test_smack_udp_sockets.sh")
+ self.assertEqual(status, 0, output)
+
+
+class SmackFileLabels(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_labels(self):
+ '''Check for correct Smack labels.'''
+ expected = '''
+/tmp/ access="*"
+/etc/ access="System::Shared" transmute="TRUE"
+/etc/passwd access="System::Shared"
+/etc/terminfo access="System::Shared" transmute="TRUE"
+/etc/skel/ access="System::Shared" transmute="TRUE"
+/etc/skel/.profile access="System::Shared"
+/var/log/ access="System::Log" transmute="TRUE"
+/var/tmp/ access="*"
+'''
+ files = ' '.join([x.split()[0] for x in expected.split('\n') if x])
+ files_wildcard = ' '.join([x + '/*' for x in files.split()])
+ # Auxiliary information.
+ status, output = self.target.run(
+ 'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % (
+ ' '.join([x.rstrip('/') for x in files.split()]), files, files
+ )
+ )
+ msg = "File status:\n" + output
+ status, output = self.target.run('chsmack %s' % files)
+ self.assertEqual(
+ status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg))
+ self.longMessage = True
+ self.maxDiff = None
+ self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg)
diff --git a/meta-security/lib/oeqa/selftest/cases/cvechecker.py b/meta-security/lib/oeqa/selftest/cases/cvechecker.py
new file mode 100644
index 0000000..23ca7d2
--- /dev/null
+++ b/meta-security/lib/oeqa/selftest/cases/cvechecker.py
@@ -0,0 +1,27 @@
+import os
+import re
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, get_bb_var
+
+class CveCheckerTests(OESelftestTestCase):
+ def test_cve_checker(self):
+ image = "core-image-sato"
+
+ deploy_dir = get_bb_var("DEPLOY_DIR_IMAGE")
+ image_link_name = get_bb_var('IMAGE_LINK_NAME', image)
+
+ manifest_link = os.path.join(deploy_dir, "%s.cve" % image_link_name)
+
+ self.logger.info('CVE_CHECK_MANIFEST = "%s"' % manifest_link)
+ if (not 'cve-check' in get_bb_var('INHERIT')):
+ add_cve_check_config = 'INHERIT += "cve-check"'
+ self.append_config(add_cve_check_config)
+ self.append_config('CVE_CHECK_MANIFEST = "%s"' % manifest_link)
+ result = bitbake("-k -c cve_check %s" % image, ignore_status=True)
+ if (not 'cve-check' in get_bb_var('INHERIT')):
+ self.remove_config(add_cve_check_config)
+
+ isfile = os.path.isfile(manifest_link)
+ self.assertEqual(True, isfile, 'Failed to create cve data file : %s' % manifest_link)
+
diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README
index bbc70bb..dd662b3 100644
--- a/meta-security/meta-tpm/README
+++ b/meta-security/meta-tpm/README
@@ -2,3 +2,60 @@
==============
This layer contains base TPM recipes.
+
+Dependencies
+============
+
+This layer depends on:
+
+ URI: git://git.openembedded.org/openembedded-core
+ branch: master
+ revision: HEAD
+ prio: default
+
+ URI: git://git.openembedded.org/meta-openembedded/meta-oe
+ branch: master
+ revision: HEAD
+ prio: default
+
+Adding the meta-tpm layer to your build
+========================================
+
+In order to use this layer, you need to make the build system aware of
+it.
+
+Assuming this layer exists at the top-level of your
+yocto build tree, you can add it to the build system by adding the
+location of the meta-tpm layer to bblayers.conf, along with any
+other layers needed. e.g.:
+
+ BBLAYERS ?= " \
+ /path/to/oe-core/meta \
+ /path/to/meta-openembedded/meta-oe \
+ /path/to/layer/meta-tpm \
+
+
+Maintenance
+-----------
+
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-security][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+Maintainers: Armin Kuster <akuster808@gmail.com>
+
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 15a2bef..bf9a76e 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -12,4 +12,5 @@
LAYERDEPENDS_tpm-layer = " \
core \
+ openembedded-layer \
"
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
index b5f9bb2..ae6cdcd 100644
--- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
@@ -1,15 +1,9 @@
CONFIG_AUDIT=y
-# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
-CONFIG_SECURITY_NETWORK=y
-# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_PATH=y
-# CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
-# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_INTEGRITY_AUDIT=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y
-# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="apparmor"
CONFIG_AUDIT_GENERIC=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
index 62f465a..0d5fc64 100644
--- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
@@ -1,8 +1,7 @@
-CONFIG_IP_NF_SECURITY=m
-CONFIG_IP6_NF_SECURITY=m
-CONFIG_EXT2_FS_SECURITY=y
-CONFIG_EXT3_FS_SECURITY=y
-CONFIG_EXT4_FS_SECURITY=y
-CONFIG_SECURITY=y
+CONFIG_NETLABEL=y
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_SMACK=y
+CONFIG_SECURITY_SMACK_BRINGUP=y
+CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
CONFIG_TMPFS_XATTR=y
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb
index 62ed611..4eaec00 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb
@@ -14,7 +14,7 @@
DEPENDS = "bison-native apr gettext-native coreutils-native"
SRC_URI = " \
- http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \
+ git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
file://disable_perl_h_check.patch \
file://crosscompile_perl_bindings.patch \
file://apparmor.rc \
@@ -24,8 +24,8 @@
file://run-ptest \
"
-SRC_URI[md5sum] = "2439b35266b5a3a461b0a2dba6e863c3"
-SRC_URI[sha256sum] = "844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30"
+SRCREV = "af4808b5f6b58946f5c5a4de4b77df5e0eae6ca0"
+S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
diff --git a/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c b/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c
new file mode 100644
index 0000000..f358d27
--- /dev/null
+++ b/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c
@@ -0,0 +1,7 @@
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+ printf("Original test program removed while investigating its license.\n");
+ return 1;
+}
diff --git a/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb b/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb
new file mode 100644
index 0000000..9d11509
--- /dev/null
+++ b/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb
@@ -0,0 +1,16 @@
+SUMMARY = "Mmap binary used to test smack mmap attribute"
+DESCRIPTION = "Mmap binary used to test smack mmap attribute"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://mmap.c"
+
+S = "${WORKDIR}"
+do_compile() {
+ ${CC} mmap.c ${LDFLAGS} -o mmap_test
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 mmap_test ${D}${bindir}
+}
diff --git a/meta-security/recipes-mac/smack/smack-test/notroot.py b/meta-security/recipes-mac/smack/smack-test/notroot.py
new file mode 100644
index 0000000..f0eb0b5
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test/notroot.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+#
+# Script used for running executables with custom labels, as well as custom uid/gid
+# Process label is changed by writing to /proc/self/attr/curent
+#
+# Script expects user id and group id to exist, and be the same.
+#
+# From adduser manual:
+# """By default, each user in Debian GNU/Linux is given a corresponding group
+# with the same name. """
+#
+# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
+# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
+#
+# Author: Alexandru Cornea <alexandru.cornea@intel.com>
+import os
+import sys
+
+try:
+ uid = int(sys.argv[1])
+ sys.argv.pop(1)
+ label = sys.argv[1]
+ sys.argv.pop(1)
+ open("/proc/self/attr/current", "w").write(label)
+ path=sys.argv[1]
+ sys.argv.pop(0)
+ os.setgid(uid)
+ os.setuid(uid)
+ os.execv(path,sys.argv)
+
+except Exception,e:
+ print e.message
+ sys.exit(1)
diff --git a/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
new file mode 100644
index 0000000..5a0ce84
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+RC=0
+TMP="/tmp"
+test_file=$TMP/smack_test_access_file
+CAT=`which cat`
+ECHO=`which echo`
+uid=1000
+initial_label=`cat /proc/self/attr/current`
+python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+chsmack -a "TheOther" $test_file
+
+# 12345678901234567890123456789012345678901234567890123456
+delrule="TheOne TheOther -----"
+rule_ro="TheOne TheOther r----"
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process with different label than the test file and no read access on it can read it"
+ exit $RC
+fi
+
+# adding read access
+echo -n "$rule_ro" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process with different label than the test file but with read access on it cannot read it"
+ exit $RC
+fi
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+# changing label of test file to *
+# according to SMACK documentation, read access on a * object is always permitted
+chsmack -a '*' $test_file
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process cannot read file with * label"
+ exit $RC
+fi
+
+# changing subject label to *
+# according to SMACK documentation, every access requested by a star labeled subject is rejected
+TOUCH=`which touch`
+python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
+if [ $RC -ne 0 ];then
+ echo "Process with label '*' should not have any access"
+ exit $RC
+fi
+exit 0
diff --git a/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh b/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
new file mode 100644
index 0000000..26d9e9d
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+initial_label=`cat /proc/self/attr/current 2>/dev/null`
+modified_label="test_label"
+
+echo "$modified_label" >/proc/self/attr/current 2>/dev/null
+
+new_label=`cat /proc/self/attr/current 2>/dev/null`
+
+if [ "$new_label" != "$modified_label" ]; then
+ # restore proper label
+ echo $initial_label >/proc/self/attr/current
+ echo "Privileged process could not change its label"
+ exit 1
+fi
+
+echo "$initial_label" >/proc/self/attr/current 2>/dev/null
+exit 0
\ No newline at end of file
diff --git a/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh b/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh
new file mode 100644
index 0000000..1c4a93a
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+RC=0
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
+test_label="test_label"
+onlycap_initial=`cat $SMACK_PATH/onlycap`
+smack_initial=`cat /proc/self/attr/current`
+
+# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
+# even if we are root
+echo "$test_label" > /proc/self/attr/current
+
+echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Onlycap label could not be set"
+ return $RC
+fi
+
+if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
+ echo "Onlycap label was not set correctly."
+ return 1
+fi
+
+# resetting original onlycap label
+echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
+
+# resetting our initial's process label
+echo "$smack_initial" > /proc/self/attr/current
diff --git a/meta-security/recipes-mac/smack/smack-test_1.0.bb b/meta-security/recipes-mac/smack/smack-test_1.0.bb
new file mode 100644
index 0000000..7cf8f2e
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test_1.0.bb
@@ -0,0 +1,21 @@
+SUMMARY = "Smack test scripts"
+DESCRIPTION = "Smack scripts"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = " \
+ file://notroot.py \
+ file://smack_test_file_access.sh \
+ file://test_privileged_change_self_label.sh \
+ file://test_smack_onlycap.sh \
+"
+
+S = "${WORKDIR}"
+
+do_install() {
+ install -d ${D}${sbindir}
+ install -m 0755 notroot.py ${D}${sbindir}
+ install -m 0755 *.sh ${D}${sbindir}
+}
+
+RDEPENDS_${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test"
diff --git a/meta-security/recipes-mac/smack/files/run-ptest b/meta-security/recipes-mac/smack/smack/run-ptest
similarity index 100%
rename from meta-security/recipes-mac/smack/files/run-ptest
rename to meta-security/recipes-mac/smack/smack/run-ptest
diff --git a/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch b/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch
similarity index 100%
rename from meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch
rename to meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c
new file mode 100644
index 0000000..185f973
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c
@@ -0,0 +1,111 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <string.h>
+#include <sys/xattr.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ char message[255] = "hello";
+ struct sockaddr_in server_addr;
+ char* label_in;
+ char* label_out;
+ char* attr_out = "security.SMACK64IPOUT";
+ char* attr_in = "security.SMACK64IPIN";
+ char out[256];
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ struct hostent* host = gethostbyname("localhost");
+
+ if (argc != 4)
+ {
+ perror("Client: Arguments missing, please provide socket labels");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ label_out = argv[3];
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPOUT");
+ return 2;
+ }
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPIN");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Client: Set timeout failed\n");
+ return 2;
+ }
+
+ if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
+ {
+ perror("Client: Connection failure");
+ close(sock);
+ return 1;
+ }
+
+
+ if(write(sock, message, strlen(message)) < 0)
+ {
+ perror("Client: Error sending data\n");
+ close(sock);
+ return 1;
+ }
+ close(sock);
+ return 0;
+}
+
+
+
+
+
+
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c
new file mode 100644
index 0000000..9285dc6
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c
@@ -0,0 +1,118 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ int clientsock;
+ char message[255];
+ socklen_t client_length;
+ struct sockaddr_in server_addr, client_addr;
+ char* label_in;
+ char* attr_in = "security.SMACK64IPIN";
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ if (argc != 3)
+ {
+ perror("Server: Argument missing please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ bzero(message,255);
+
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Server: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
+ {
+ perror("Server: Unable to set attribute ipin 2");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure ");
+ return 2;
+ }
+
+ listen(sock, 1);
+ client_length = sizeof(client_addr);
+
+ clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
+
+ if (clientsock < 0)
+ {
+ perror("Server: Connection failed");
+ close(sock);
+ return 1;
+ }
+
+
+ if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
+ {
+ perror(" Server: Unable to set attribute ipin 2");
+ close(sock);
+ return 2;
+ }
+
+ if(read(clientsock, message, 254) < 0)
+ {
+ perror("Server: Error when reading from socket");
+ close(clientsock);
+ close(sock);
+ return 1;
+ }
+
+
+ close(clientsock);
+ close(sock);
+
+ return 0;
+}
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh b/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh
new file mode 100644
index 0000000..ed18f23
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+RC=0
+test_file=/tmp/smack_socket_tcp
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+# make sure no access is granted
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 -----" > $SMACK_PATH/load
+
+tcp_server=`which tcp_server`
+if [ -z $tcp_server ]; then
+ if [ -f "/tmp/tcp_server" ]; then
+ tcp_server="/tmp/tcp_server"
+ else
+ echo "tcp_server binary not found"
+ exit 1
+ fi
+fi
+tcp_client=`which tcp_client`
+if [ -z $tcp_client ]; then
+ if [ -f "/tmp/tcp_client" ]; then
+ tcp_client="/tmp/tcp_client"
+ else
+ echo "tcp_client binary not found"
+ exit 1
+ fi
+fi
+
+# checking access for sockets with different labels
+$tcp_server 50016 label1 &>/dev/null &
+server_pid=$!
+sleep 2
+$tcp_client 50016 label2 label1 &>/dev/null &
+client_pid=$!
+
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+ echo "Sockets with different labels should not communicate on tcp"
+ exit 1
+fi
+
+# granting access between different labels
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$tcp_server 50017 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50017 label2 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with different labels, but having rw access, should communicate on tcp"
+ exit 1
+fi
+
+# checking access for sockets with the same label
+$tcp_server 50018 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50018 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with same labels should communicate on tcp"
+ exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$tcp_server 50019 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50019 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Should have access on tcp socket labeled star (*)"
+ exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$tcp_server 50020 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50020 label1 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+ echo "Socket labeled star should not have access to any tcp socket"
+ exit 1
+fi
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb b/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb
new file mode 100644
index 0000000..d2b3f6b
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Binary used to test smack tcp sockets"
+DESCRIPTION = "Server and client binaries used to test smack attributes on TCP sockets"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://tcp_server.c \
+ file://tcp_client.c \
+ file://test_smack_tcp_sockets.sh \
+"
+
+S = "${WORKDIR}"
+
+do_compile() {
+ ${CC} tcp_client.c ${LDFLAGS} -o tcp_client
+ ${CC} tcp_server.c ${LDFLAGS} -o tcp_server
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -d ${D}${sbindir}
+ install -m 0755 tcp_server ${D}${bindir}
+ install -m 0755 tcp_client ${D}${bindir}
+ install -m 0755 test_smack_tcp_sockets.sh ${D}${sbindir}
+}
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh b/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
new file mode 100644
index 0000000..419ab9f
--- /dev/null
+++ b/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+RC=0
+test_file="/tmp/smack_socket_udp"
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+
+udp_server=`which udp_server`
+if [ -z $udp_server ]; then
+ if [ -f "/tmp/udp_server" ]; then
+ udp_server="/tmp/udp_server"
+ else
+ echo "udp_server binary not found"
+ exit 1
+ fi
+fi
+udp_client=`which udp_client`
+if [ -z $udp_client ]; then
+ if [ -f "/tmp/udp_client" ]; then
+ udp_client="/tmp/udp_client"
+ else
+ echo "udp_client binary not found"
+ exit 1
+ fi
+fi
+
+# make sure no access is granted
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 -----" > $SMACK_PATH/load
+
+# checking access for sockets with different labels
+$udp_server 50021 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50021 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+ echo "Sockets with different labels should not communicate on udp"
+ exit 1
+fi
+
+# granting access between different labels
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$udp_server 50022 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50022 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with different labels, but having rw access, should communicate on udp"
+ exit 1
+fi
+
+# checking access for sockets with the same label
+$udp_server 50023 label1 &
+server_pid=$!
+sleep 1
+$udp_client 50023 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with same labels should communicate on udp"
+ exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$udp_server 50024 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50024 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Should have access on udp socket labeled star (*)"
+ exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$udp_server 50025 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50025 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+ echo "Socket labeled star should not have access to any udp socket"
+ exit 1
+fi
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c
new file mode 100644
index 0000000..4d3afbe
--- /dev/null
+++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c
@@ -0,0 +1,75 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ char* message = "hello";
+ int sock, ret;
+ struct sockaddr_in server_addr;
+ struct hostent* host = gethostbyname("localhost");
+ char* label;
+ char* attr = "security.SMACK64IPOUT";
+ int port;
+ if (argc != 3)
+ {
+ perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+ sock = socket(AF_INET, SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
+ {
+ perror("Client: Unable to set attribute ");
+ return 2;
+ }
+
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
+ sizeof(struct sockaddr_in));
+
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Client: Error sending message\n");
+ return 1;
+ }
+
+ return 0;
+}
+
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c
new file mode 100644
index 0000000..cbab71e
--- /dev/null
+++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c
@@ -0,0 +1,93 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ int sock,ret;
+ struct sockaddr_in server_addr, client_addr;
+ socklen_t len;
+ char message[5];
+ char* label;
+ char* attr = "security.SMACK64IPIN";
+ int port;
+
+ if(argc != 3)
+ {
+ perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ sock = socket(AF_INET,SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Server: Socket error");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
+ {
+ perror("Server: Unable to set attribute ");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure");
+ return 2;
+ }
+
+ len = sizeof(client_addr);
+ ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
+ &len);
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Server: Error receiving");
+ return 1;
+
+ }
+ return 0;
+}
+
diff --git a/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb b/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb
new file mode 100644
index 0000000..9193f89
--- /dev/null
+++ b/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb
@@ -0,0 +1,23 @@
+SUMMARY = "Binary used to test smack udp sockets"
+DESCRIPTION = "Server and client binaries used to test smack attributes on UDP sockets"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://udp_server.c \
+ file://udp_client.c \
+ file://test_smack_udp_sockets.sh \
+"
+
+S = "${WORKDIR}"
+do_compile() {
+ ${CC} udp_client.c ${LDFLAGS} -o udp_client
+ ${CC} udp_server.c ${LDFLAGS} -o udp_server
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -d ${D}${sbindir}
+ install -m 0755 udp_server ${D}${bindir}
+ install -m 0755 udp_client ${D}${bindir}
+ install -m 0755 test_smack_udp_sockets.sh ${D}${sbindir}
+}
diff --git a/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
index 6219d9e..7d8767e 100644
--- a/meta-security/recipes-security/clamav/clamav_0.99.4.bb
+++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
@@ -4,8 +4,9 @@
SECTION = "security"
LICENSE = "LGPL-2.1"
-DEPENDS = "libtool db libmspack chrpath-replacement-native"
-
+DEPENDS = "libtool db libmspack openssl zlib llvm chrpath-replacement-native clamav-native"
+DEPENDS_class-native = "db-native openssl-native zlib-native"
+
LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092"
SRCREV = "b66e5e27b48c0a07494f9df9b809ed933cede047"
@@ -15,6 +16,7 @@
file://freshclam.conf \
file://volatiles.03_clamav \
file://${BPN}.service \
+ file://freshclam-native.conf \
"
S = "${WORKDIR}/git"
@@ -28,42 +30,54 @@
UID = "clamav"
GID = "clamav"
+INSTALL_CLAMAV_CVD ?= "1"
# Clamav has a built llvm version 2 but does not build with gcc 6.x,
# disable the internal one. This is a known issue
# If you want LLVM support, use the one in core
-PACKAGECONFIG ?= "ncurses openssl bz2 zlib llvm"
-PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+CLAMAV_USR_DIR = "${STAGING_DIR_NATIVE}/usr"
+CLAMAV_USR_DIR_class-target = "${STAGING_DIR_HOST}/usr"
-PACKAGECONFIG[llvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm8.0"
+PACKAGECONFIG_class-target ?= "ncurses bz2"
+PACKAGECONFIG_class-target += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
+PACKAGECONFIG_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre"
-PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2,"
+PACKAGECONFIG[xml] = "--with-xml=${CLAMAV_USR_DIR}, --disable-xml, libxml2,"
PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json,"
PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR}, --without-libcurl, curl,"
PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6"
-PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr, --without-openssl, openssl, openssl"
-PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr --disable-zlib-vcheck , --without-zlib, zlib, "
-PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${STAGING_LIBDIR}/.., --without-libbz2-prefix, "
-PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${STAGING_LIBDIR}/.., --without-libncurses-prefix, ncurses, "
+PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${CLAMAV_USR_DIR}, --without-libbz2-prefix, "
+PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${CLAMAV_USR_DIR}, --without-libncurses-prefix, ncurses, "
PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, "
-EXTRA_OECONF += " --with-user=${UID} --with-group=${GID} \
- --without-libcheck-prefix --disable-unrar \
+EXTRA_OECONF_CLAMAV = "--without-libcheck-prefix --disable-unrar \
+ --with-system-llvm --with-llvm-linking=dynamic --disable-llvm \
--disable-mempool \
--program-prefix="" \
--disable-yara \
- --disable-rpath \
+ --disable-xml \
+ --with-openssl=${CLAMAV_USR_DIR} \
+ --with-zlib=${CLAMAV_USR_DIR} --disable-zlib-vcheck \
"
+EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}"
+EXTRA_OECONF_class-target += "--with-user=${UID} --with-group=${GID} --disable-rpath ${EXTRA_OECONF_CLAMAV}"
+
do_configure () {
cd ${S}
./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+ install -d ${S}/clamav_db
}
-do_compile_append() {
+do_configure_class-native () {
+ cd ${S}
+ ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+}
+
+
+do_compile_append_class-target() {
# brute force removing RPATH
chrpath -d ${B}/libclamav/.libs/libclamav.so.${SO_VER}
chrpath -d ${B}/sigtool/.libs/sigtool
@@ -72,9 +86,14 @@
chrpath -d ${B}/clamconf/.libs/clamconf
chrpath -d ${B}/clamd/.libs/clamd
chrpath -d ${B}/freshclam/.libs/freshclam
+
+ if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then
+ bbnote "CLAMAV creating cvd"
+ ${STAGING_BINDIR_NATIVE}/freshclam --datadir=${S}/clamav_db --config=${WORKDIR}/freshclam-native.conf
+ fi
}
-do_install_append() {
+do_install_append_class-target () {
install -d ${D}/${sysconfdir}
install -d ${D}/${localstatedir}/lib/clamav
install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
@@ -84,6 +103,7 @@
install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav
sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc
rm ${D}/${libdir}/libclamav.so
+ install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service
fi
@@ -93,11 +113,12 @@
if [ -e /etc/init.d/populate-volatile.sh ] ; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
- chown ${UID}:${GID} ${localstatedir}/lib/clamav
+ mkdir -p ${localstatedir}/lib/clamav
+ chown -R ${UID}:${GID} ${localstatedir}/lib/clamav
}
-PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \
+PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc ${PN}-cvd \
${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev"
FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \
@@ -140,6 +161,8 @@
${datadir}/man/* \
${docdir}/* "
+FILES_${PN}-cvd = "${localstatedir}/lib/clamav/*.cvd ${localstatedir}/lib/clamav/*.dat"
+
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM_${PN} = "--system ${UID}"
USERADD_PARAM_${PN} = "--system -g ${GID} --home-dir \
@@ -151,4 +174,7 @@
RCONFLICTS_${PN} += "${PN}-systemd"
SYSTEMD_SERVICE_${PN} = "${BPN}.service"
-RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav"
+RDEPENDS_${PN} = "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav"
+RDEPENDS_${PN}_class-native = ""
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/clamav/files/freshclam-native.conf b/meta-security/recipes-security/clamav/files/freshclam-native.conf
new file mode 100644
index 0000000..aaa8cf4
--- /dev/null
+++ b/meta-security/recipes-security/clamav/files/freshclam-native.conf
@@ -0,0 +1,224 @@
+# Path to the database directory.
+# WARNING: It must match clamd.conf's directive!
+# Default: hardcoded (depends on installation options)
+#DatabaseDirectory /var/lib/clamav
+
+# Path to the log file (make sure it has proper permissions)
+# Default: disabled
+#UpdateLogFile /var/log/clamav/freshclam.log
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
+# log rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+LogTime yes
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Use system logger (can work together with UpdateLogFile).
+# Default: no
+#LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# This option allows you to save the process identifier of the daemon
+# Default: disabled
+#PidFile /var/run/freshclam.pid
+
+# By default when started freshclam drops privileges and switches to the
+# "clamav" user. This directive allows you to change the database owner.
+# Default: clamav (may depend on installation options)
+DatabaseOwner clamav
+
+# Initialize supplementary group access (freshclam must be started by root).
+# Default: no
+#AllowSupplementaryGroups yes
+
+# Use DNS to verify virus database version. Freshclam uses DNS TXT records
+# to verify database and software versions. With this directive you can change
+# the database verification domain.
+# WARNING: Do not touch it unless you're configuring freshclam to use your
+# own database verification domain.
+# Default: current.cvd.clamav.net
+#DNSDatabaseInfo current.cvd.clamav.net
+
+# Uncomment the following line and replace XY with your country
+# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
+# You can use db.XY.ipv6.clamav.net for IPv6 connections.
+#DatabaseMirror db.XY.clamav.net
+
+# database.clamav.net is a round-robin record which points to our most
+# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
+# not working. DO NOT TOUCH the following line unless you know what you
+# are doing.
+DatabaseMirror database.clamav.net
+
+# How many attempts to make before giving up.
+# Default: 3 (per mirror)
+#MaxAttempts 5
+
+# With this option you can control scripted updates. It's highly recommended
+# to keep it enabled.
+# Default: yes
+#ScriptedUpdates yes
+
+# By default freshclam will keep the local databases (.cld) uncompressed to
+# make their handling faster. With this option you can enable the compression;
+# the change will take effect with the next database update.
+# Default: no
+#CompressLocalDatabase no
+
+# With this option you can provide custom sources (http:// or file://) for
+# database files. This option can be used multiple times.
+# Default: no custom URLs
+#DatabaseCustomURL http://myserver.com/mysigs.ndb
+#DatabaseCustomURL file:///mnt/nfs/local.hdb
+
+# This option allows you to easily point freshclam to private mirrors.
+# If PrivateMirror is set, freshclam does not attempt to use DNS
+# to determine whether its databases are out-of-date, instead it will
+# use the If-Modified-Since request or directly check the headers of the
+# remote database files. For each database, freshclam first attempts
+# to download the CLD file. If that fails, it tries to download the
+# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
+# and ScriptedUpdates. It can be used multiple times to provide
+# fall-back mirrors.
+# Default: disabled
+#PrivateMirror mirror1.mynetwork.com
+#PrivateMirror mirror2.mynetwork.com
+
+# Number of database checks per day.
+# Default: 12 (every two hours)
+#Checks 24
+
+# Proxy settings
+# Default: disabled
+#HTTPProxyServer myproxy.com
+#HTTPProxyPort 1234
+#HTTPProxyUsername myusername
+#HTTPProxyPassword mypass
+
+# If your servers are behind a firewall/proxy which applies User-Agent
+# filtering you can use this option to force the use of a different
+# User-Agent header.
+# Default: clamav/version_number
+#HTTPUserAgent SomeUserAgentIdString
+
+# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
+# multi-homed systems.
+# Default: Use OS'es default outgoing IP address.
+#LocalIPAddress aaa.bbb.ccc.ddd
+
+# Send the RELOAD command to clamd.
+# Default: no
+#NotifyClamd /path/to/clamd.conf
+
+# Run command after successful database update.
+# Default: disabled
+#OnUpdateExecute command
+
+# Run command when database update process fails.
+# Default: disabled
+#OnErrorExecute command
+
+# Run command when freshclam reports outdated version.
+# In the command string %v will be replaced by the new version number.
+# Default: disabled
+#OnOutdatedExecute command
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Timeout in seconds when connecting to database server.
+# Default: 30
+#ConnectTimeout 60
+
+# Timeout in seconds when reading from database server.
+# Default: 30
+#ReceiveTimeout 60
+
+# With this option enabled, freshclam will attempt to load new
+# databases into memory to make sure they are properly handled
+# by libclamav before replacing the old ones.
+# Default: yes
+#TestDatabases yes
+
+# When enabled freshclam will submit statistics to the ClamAV Project about
+# the latest virus detections in your environment. The ClamAV maintainers
+# will then use this data to determine what types of malware are the most
+# detected in the field and in what geographic area they are.
+# Freshclam will connect to clamd in order to get recent statistics.
+# Default: no
+#SubmitDetectionStats /path/to/clamd.conf
+
+# Country of origin of malware/detection statistics (for statistical
+# purposes only). The statistics collector at ClamAV.net will look up
+# your IP address to determine the geographical origin of the malware
+# reported by your installation. If this installation is mainly used to
+# scan data which comes from a different location, please enable this
+# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
+# of the country of origin.
+# Default: disabled
+#DetectionStatsCountry country-code
+
+# This option enables support for our "Personal Statistics" service.
+# When this option is enabled, the information on malware detected by
+# your clamd installation is made available to you through our website.
+# To get your HostID, log on http://www.stats.clamav.net and add a new
+# host to your host list. Once you have the HostID, uncomment this option
+# and paste the HostID here. As soon as your freshclam starts submitting
+# information to our stats collecting service, you will be able to view
+# the statistics of this clamd installation by logging into
+# http://www.stats.clamav.net with the same credentials you used to
+# generate the HostID. For more information refer to:
+# http://www.clamav.net/documentation.html#cctts
+# This feature requires SubmitDetectionStats to be enabled.
+# Default: disabled
+#DetectionStatsHostID unique-id
+
+# This option enables support for Google Safe Browsing. When activated for
+# the first time, freshclam will download a new database file (safebrowsing.cvd)
+# which will be automatically loaded by clamd and clamscan during the next
+# reload, provided that the heuristic phishing detection is turned on. This
+# database includes information about websites that may be phishing sites or
+# possible sources of malware. When using this option, it's mandatory to run
+# freshclam at least every 30 minutes.
+# Freshclam uses the ClamAV's mirror infrastructure to distribute the
+# database and its updates but all the contents are provided under Google's
+# terms of use. See http://www.google.com/transparencyreport/safebrowsing
+# and http://www.clamav.net/documentation.html#safebrowsing
+# for more information.
+# Default: disabled
+#SafeBrowsing yes
+
+# This option enables downloading of bytecode.cvd, which includes additional
+# detection mechanisms and improvements to the ClamAV engine.
+# Default: enabled
+#Bytecode yes
+
+# Download an additional 3rd party signature database distributed through
+# the ClamAV mirrors.
+# This option can be used multiple times.
+#ExtraDatabase dbname1
+#ExtraDatabase dbname2
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
similarity index 95%
rename from meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb
rename to meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
index 41ffd62..dba1be5 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
@@ -4,7 +4,7 @@
LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-SRCREV = "4d64011741375bb1a4ba7d71905ca37b97885083"
+SRCREV = "fb43972ea1aab24f2a70193fb7445c2674f594e3"
SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
file://run-ptest \
diff --git a/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch b/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch
new file mode 100644
index 0000000..8ab094f
--- /dev/null
+++ b/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch
@@ -0,0 +1,13 @@
+--- a/wscript 2015-11-18 12:43:33.000000000 +0100
++++ b/wscript 2015-11-18 12:46:25.000000000 +0100
+@@ -58,9 +58,7 @@
+ if conf.env.standalone_ldb:
+ conf.CHECK_XSLTPROC_MANPAGES()
+
+- # we need this for the ldap backend
+- if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
+- conf.env.ENABLE_LDAP_BACKEND = True
++ conf.env.ENABLE_LDAP_BACKEND = False
+
+ # we don't want any libraries or modules to rely on runtime
+ # resolution of symbols
diff --git a/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch b/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch
new file mode 100755
index 0000000..fdd312c
--- /dev/null
+++ b/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch
@@ -0,0 +1,58 @@
+Some modules such as dynamic library maybe cann't be imported while cross compile,
+we just check whether does the module exist.
+
+Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
+
+Index: ldb-1.1.26/buildtools/wafsamba/samba_bundled.py
+===================================================================
+--- ldb-1.1.26.orig/buildtools/wafsamba/samba_bundled.py
++++ ldb-1.1.26/buildtools/wafsamba/samba_bundled.py
+@@ -2,6 +2,7 @@
+
+ import sys
+ import Build, Options, Logs
++import imp, os
+ from Configure import conf
+ from samba_utils import TO_LIST
+
+@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
+ # versions
+ minversion = minimum_library_version(conf, libname, minversion)
+
+- try:
+- m = __import__(modulename)
+- except ImportError:
+- found = False
+- else:
++ # Find module in PYTHONPATH
++ stuff = imp.find_module(modulename, [os.environ["PYTHONPATH"]])
++ if stuff:
+ try:
+- version = m.__version__
+- except AttributeError:
++ m = imp.load_module(modulename, stuff[0], stuff[1], stuff[2])
++ except ImportError:
+ found = False
++
++ if conf.env.CROSS_COMPILE:
++ # Some modules such as dynamic library maybe cann't be imported
++ # while cross compile, we just check whether the module exist
++ Logs.warn('Cross module[%s] has been found, but can not be loaded.' % (stuff[1]))
++ found = True
+ else:
+- found = tuplize_version(version) >= tuplize_version(minversion)
++ try:
++ version = m.__version__
++ except AttributeError:
++ found = False
++ else:
++ found = tuplize_version(version) >= tuplize_version(minversion)
++ finally:
++ if stuff[0]:
++ stuff[0].close()
++ else:
++ found = False
++
+ if not found and not conf.LIB_MAY_BE_BUNDLED(libname):
+ Logs.error('ERROR: Python module %s of version %s not found, and bundling disabled' % (libname, minversion))
+ sys.exit(1)
diff --git a/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch b/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch
new file mode 100644
index 0000000..ffe253b
--- /dev/null
+++ b/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch
@@ -0,0 +1,193 @@
+From a4da3ab4d76013aaa731d43d52ccca1ebd37c395 Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Wed, 21 Sep 2016 10:06:39 +0800
+Subject: [PATCH 1/1] ldb: Add configure options for packages
+
+Add configure options for the following packages:
+ - acl
+ - attr
+ - libaio
+ - libbsd
+ - libcap
+ - valgrind
+
+Upstream-Status: Inappropriate [oe deterministic build specific]
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ lib/replace/system/wscript_configure | 6 ++-
+ lib/replace/wscript | 94 +++++++++++++++++++++++++++---------
+ wscript | 7 +++
+ 3 files changed, 83 insertions(+), 24 deletions(-)
+
+diff --git a/lib/replace/system/wscript_configure b/lib/replace/system/wscript_configure
+index 2035474..10f9ae7 100644
+--- a/lib/replace/system/wscript_configure
++++ b/lib/replace/system/wscript_configure
+@@ -1,6 +1,10 @@
+ #!/usr/bin/env python
+
+-conf.CHECK_HEADERS('sys/capability.h')
++import Options
++
++if Options.options.enable_libcap:
++ conf.CHECK_HEADERS('sys/capability.h')
++
+ conf.CHECK_FUNCS('getpwnam_r getpwuid_r getpwent_r')
+
+ # solaris varients of getXXent_r
+diff --git a/lib/replace/wscript b/lib/replace/wscript
+index 2f94d49..68b2d3a 100644
+--- a/lib/replace/wscript
++++ b/lib/replace/wscript
+@@ -23,6 +23,41 @@ def set_options(opt):
+ opt.PRIVATE_EXTENSION_DEFAULT('')
+ opt.RECURSE('buildtools/wafsamba')
+
++ opt.add_option('--with-acl',
++ help=("Enable use of acl"),
++ action="store_true", dest='enable_acl')
++ opt.add_option('--without-acl',
++ help=("Disable use of acl"),
++ action="store_false", dest='enable_acl', default=False)
++
++ opt.add_option('--with-attr',
++ help=("Enable use of attr"),
++ action="store_true", dest='enable_attr')
++ opt.add_option('--without-attr',
++ help=("Disable use of attr"),
++ action="store_false", dest='enable_attr', default=False)
++
++ opt.add_option('--with-libaio',
++ help=("Enable use of libaio"),
++ action="store_true", dest='enable_libaio')
++ opt.add_option('--without-libaio',
++ help=("Disable use of libaio"),
++ action="store_false", dest='enable_libaio', default=False)
++
++ opt.add_option('--with-libbsd',
++ help=("Enable use of libbsd"),
++ action="store_true", dest='enable_libbsd')
++ opt.add_option('--without-libbsd',
++ help=("Disable use of libbsd"),
++ action="store_false", dest='enable_libbsd', default=False)
++
++ opt.add_option('--with-libcap',
++ help=("Enable use of libcap"),
++ action="store_true", dest='enable_libcap')
++ opt.add_option('--without-libcap',
++ help=("Disable use of libcap"),
++ action="store_false", dest='enable_libcap', default=False)
++
+ @Utils.run_once
+ def configure(conf):
+ conf.RECURSE('buildtools/wafsamba')
+@@ -32,12 +67,25 @@ def configure(conf):
+ conf.DEFINE('HAVE_LIBREPLACE', 1)
+ conf.DEFINE('LIBREPLACE_NETWORK_CHECKS', 1)
+
+- conf.CHECK_HEADERS('linux/types.h crypt.h locale.h acl/libacl.h compat.h')
+- conf.CHECK_HEADERS('acl/libacl.h attr/xattr.h compat.h ctype.h dustat.h')
++ conf.CHECK_HEADERS('linux/types.h crypt.h locale.h compat.h')
++ conf.CHECK_HEADERS('compat.h ctype.h dustat.h')
+ conf.CHECK_HEADERS('fcntl.h fnmatch.h glob.h history.h krb5.h langinfo.h')
+- conf.CHECK_HEADERS('libaio.h locale.h ndir.h pwd.h')
+- conf.CHECK_HEADERS('shadow.h sys/acl.h')
+- conf.CHECK_HEADERS('sys/attributes.h attr/attributes.h sys/capability.h sys/dir.h sys/epoll.h')
++ conf.CHECK_HEADERS('locale.h ndir.h pwd.h')
++ conf.CHECK_HEADERS('shadow.h')
++ conf.CHECK_HEADERS('sys/attributes.h sys/dir.h sys/epoll.h')
++
++ if Options.options.enable_acl:
++ conf.CHECK_HEADERS('acl/libacl.h sys/acl.h')
++
++ if Options.options.enable_attr:
++ conf.CHECK_HEADERS('attr/attributes.h attr/xattr.h')
++
++ if Options.options.enable_libaio:
++ conf.CHECK_HEADERS('libaio.h')
++
++ if Options.options.enable_libcap:
++ conf.CHECK_HEADERS('sys/capability.h')
++
+ conf.CHECK_HEADERS('port.h')
+ conf.CHECK_HEADERS('sys/fcntl.h sys/filio.h sys/filsys.h sys/fs/s5param.h sys/fs/vx/quota.h')
+ conf.CHECK_HEADERS('sys/id.h sys/ioctl.h sys/ipc.h sys/mman.h sys/mode.h sys/ndir.h sys/priv.h')
+@@ -73,7 +121,9 @@ def configure(conf):
+
+ conf.CHECK_CODE('', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H')
+
+- conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h')
++ if Options.options.enable_valgrind:
++ conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h')
++
+ conf.CHECK_HEADERS('nss_common.h nsswitch.h ns_api.h')
+ conf.CHECK_HEADERS('sys/extattr.h sys/ea.h sys/proplist.h sys/cdefs.h')
+ conf.CHECK_HEADERS('utmp.h utmpx.h lastlog.h')
+@@ -266,22 +316,20 @@ def configure(conf):
+
+ conf.CHECK_FUNCS('prctl dirname basename')
+
+- strlcpy_in_bsd = False
+-
+- # libbsd on some platforms provides strlcpy and strlcat
+- if not conf.CHECK_FUNCS('strlcpy strlcat'):
+- if conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h',
+- checklibc=True):
+- strlcpy_in_bsd = True
+- if not conf.CHECK_FUNCS('getpeereid'):
+- conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h')
+- if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'):
+- conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h')
+- if not conf.CHECK_FUNCS('setproctitle_init'):
+- conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h')
+-
+- if not conf.CHECK_FUNCS('closefrom'):
+- conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h')
++ if Options.options.enable_libbsd:
++ # libbsd on some platforms provides strlcpy and strlcat
++ if not conf.CHECK_FUNCS('strlcpy strlcat'):
++ conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h',
++ checklibc=True)
++ if not conf.CHECK_FUNCS('getpeereid'):
++ conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h')
++ if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'):
++ conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h')
++ if not conf.CHECK_FUNCS('setproctitle_init'):
++ conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h')
++
++ if not conf.CHECK_FUNCS('closefrom'):
++ conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h')
+
+ conf.CHECK_CODE('''
+ struct ucred cred;
+@@ -632,7 +680,7 @@ removeea setea
+ # look for a method of finding the list of network interfaces
+ for method in ['HAVE_IFACE_GETIFADDRS', 'HAVE_IFACE_AIX', 'HAVE_IFACE_IFCONF', 'HAVE_IFACE_IFREQ']:
+ bsd_for_strlcpy = ''
+- if strlcpy_in_bsd:
++ if Options.options.enable_libbsd:
+ bsd_for_strlcpy = ' bsd'
+ if conf.CHECK_CODE('''
+ #define %s 1
+diff --git a/wscript b/wscript
+index 8ae5be3..a178cc4 100644
+--- a/wscript
++++ b/wscript
+@@ -31,6 +31,13 @@ def set_options(opt):
+ opt.RECURSE('lib/replace')
+ opt.tool_options('python') # options for disabling pyc or pyo compilation
+
++ opt.add_option('--with-valgrind',
++ help=("enable use of valgrind"),
++ action="store_true", dest='enable_valgrind')
++ opt.add_option('--without-valgrind',
++ help=("disable use of valgrind"),
++ action="store_false", dest='enable_valgrind', default=False)
++
+ def configure(conf):
+ conf.RECURSE('lib/tdb')
+ conf.RECURSE('lib/tevent')
+--
+2.16.2
+
diff --git a/meta-security/recipes-support/libldb/libldb_1.3.1.bb b/meta-security/recipes-support/libldb/libldb_1.3.1.bb
new file mode 100644
index 0000000..c644b20
--- /dev/null
+++ b/meta-security/recipes-support/libldb/libldb_1.3.1.bb
@@ -0,0 +1,64 @@
+SUMMARY = "Hierarchical, reference counted memory pool system with destructors"
+HOMEPAGE = "http://ldb.samba.org"
+SECTION = "libs"
+LICENSE = "LGPL-3.0+ & LGPL-2.1+ & GPL-3.0+"
+
+DEPENDS += "libtdb libtalloc libtevent popt"
+RDEPENDS_pyldb += "python"
+
+SRC_URI = "http://samba.org/ftp/ldb/ldb-${PV}.tar.gz \
+ file://do-not-import-target-module-while-cross-compile.patch \
+ file://options-1.3.1.patch \
+ "
+
+PACKAGECONFIG ??= "\
+ ${@bb.utils.filter('DISTRO_FEATURES', 'acl', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)} \
+"
+PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl"
+PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr"
+PACKAGECONFIG[ldap] = ",,openldap"
+PACKAGECONFIG[libaio] = "--with-libaio,--without-libaio,libaio"
+PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd"
+PACKAGECONFIG[libcap] = "--with-libcap,--without-libcap,libcap"
+PACKAGECONFIG[valgrind] = "--with-valgrind,--without-valgrind,valgrind"
+
+SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'ldap', '', 'file://avoid-openldap-unless-wanted.patch', d)}"
+
+LIC_FILES_CHKSUM = "file://pyldb.h;endline=24;md5=dfbd238cecad76957f7f860fbe9adade \
+ file://man/ldb.3.xml;beginline=261;endline=262;md5=137f9fd61040c1505d1aa1019663fd08 \
+ file://tools/ldbdump.c;endline=19;md5=a7d4fc5d1f75676b49df491575a86a42"
+
+SRC_URI[md5sum] = "e5233f202bca27f6ce8474fb8ae65983"
+SRC_URI[sha256sum] = "b19f2c9f55ae0f46aa5ebaea0bf1a47ec1ac135e1d78af0f6318cf50bf62cbd2"
+
+CROSS_METHOD="exec"
+inherit waf-samba
+
+S = "${WORKDIR}/ldb-${PV}"
+
+EXTRA_OECONF += "--disable-rpath \
+ --disable-rpath-install \
+ --bundled-libraries=cmocka \
+ --builtin-libraries=replace \
+ --with-modulesdir=${libdir}/ldb/modules \
+ --with-privatelibdir=${libdir}/ldb \
+ --with-libiconv=${STAGING_DIR_HOST}${prefix}\
+ "
+
+PACKAGES =+ "pyldb pyldb-dbg pyldb-dev"
+
+NOAUTOPACKAGEDEBUG = "1"
+
+FILES_${PN} += "${libdir}/ldb/*"
+FILES_${PN}-dbg += "${bindir}/.debug/* \
+ ${libdir}/.debug/* \
+ ${libdir}/ldb/.debug/* \
+ ${libdir}/ldb/modules/ldb/.debug/*"
+
+FILES_pyldb = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \
+ ${libdir}/libpyldb-util.so.* \
+ "
+FILES_pyldb-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug \
+ ${libdir}/.debug/libpyldb-util.so.*"
+FILES_pyldb-dev = "${libdir}/libpyldb-util.so"