meta-security: subtree update:d6baccc068..4c2f7ffd49

Adrian (1):
      gitignore added

Armin Kuster (31):
      kas: build with ptest. remove apparmor
      softHSM: add pkg
      packagegroup-core-security: add softHSM
      libest: add recipe
      packagegroup-core-security: add libest package
      opendnssec: add recipe
      packagegroup-core-security:  add opendnssec to pkg grp
      gitlab-ci: allow test to fail
      libseccomp: fix ptest failures.
      packagegroup-core-security-ptest: remove keyutils-ptest
      security-test-image: simplify
      packagegroup-core-security-ptest: remove
      apparmor: fix build issue with ptest enabled.
      security-test-image: tweak to get more tests to runn
      apparmor: update to 3.0
      packagegroup-core-security: apparmor 3.0 ptest does not build
      suricata: fix compiling on gcc10
      qemux86-test: add apparmor back
      apparmor: fix build for on musl
      ecryptfs-utils: fix musl build
      libest: fix musl build.
      sssd: update to latest ltm 1.16.5
      packagegroup-core-security: remove clamav from musl image
      suricata: update to 4.1.9
      kas: fixup alt configs
      gitlab-ci: add qemux86 and qemuarm64 musl builds
      tpm2-tss: update to 2.4.3
      tpm2-totp: update to 0.2.1
      tpm2-abrmd: update to 2.3.3
      tpm2-tools: update to 4.3.0
      tpm2-pkcs11: update to 1.4.0

Mingli Yu (1):
      scap-security-guide: add expat-native to DEPENDS

Naveen Saini (3):
      initramfs-framework/dmverity: add retry loop for slow boot devices
      wic: add wks.in for intel dm-verity
      linux-%/5.x: Add dm-verity fragment as needed

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: If3a721fdd99bb6e35c82cf4e7485f06cebaef905
diff --git a/meta-security/.gitignore b/meta-security/.gitignore
new file mode 100644
index 0000000..c01df45
--- /dev/null
+++ b/meta-security/.gitignore
@@ -0,0 +1,7 @@
+*.pyc
+*.pyo
+/*.patch
+*.swp
+*.orig
+*.rej
+*~
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index 46468fd..50bfe4f 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -126,9 +126,19 @@
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
 
+qemux86-musl:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
+qemuarm64-musl:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
 
 qemux86-test:
   extends: .build
+  allow_failure: true
   script:
   - kas build --target security-test-image kas/$CI_JOB_NAME.yml 
   - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml 
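Review bot: `allow_failure: true` on `qemux86-test` makes the only job in this hunk that runs `testimage` non-blocking, so a failing security test suite no longer fails the pipeline and a regression can merge unnoticed. If the intent is to tolerate known-broken tests for a while, say so next to the key, e.g. `# temporary: known test failures, make blocking again once fixed`, so the exception stays visible and gets reverted. The new `qemux86-musl` and `qemuarm64-musl` jobs also copy the trailing space after the `.yml` argument from the existing `script:` lines. The `qemux86-test` job may continue past the end of the hunk.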
diff --git a/meta-security/kas/kas-security-alt.yml b/meta-security/kas/kas-security-alt.yml
new file mode 100644
index 0000000..309acaa
--- /dev/null
+++ b/meta-security/kas/kas-security-alt.yml
@@ -0,0 +1,8 @@
+header:
+    version: 9
+    includes: 
+        - kas-security-base.yml
+
+local_conf_header:
+  alt: |
+      DISTRO_FEATURES_append = " apparmor pam smack systemd"
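Review bot: The new file mixes indentation widths: the children of `header:` are indented four spaces, while `local_conf_header:` uses two spaces for `alt:` and six for the block-scalar body, and `includes:` carries a trailing space. It parses, but the kas files that include it use two-space nesting, and the same mix appears in the new `qemuarm64-musl.yml` and `qemux86-musl.yml` (`musl: |` at four spaces under a two-space `header:`). The header also declares `version: 9` while the files that include it declare `version: 8`; if the difference is deliberate a one-line comment saying why would help, otherwise use one version throughout.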
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index cd87d1d..6a77af5 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -42,8 +42,7 @@
     INHERIT += "testimage"
     TEST_QEMUBOOT_TIMEOUT = "1500"
     EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
-    DISTRO_FEATURES_remove = " ptest"
-    PACKAGE_CLASSES = "package_rpm"
+    PACKAGE_CLASSES = "package_ipk"
 
 
   diskmon: |
diff --git a/meta-security/kas/qemuarm64-alt.yml b/meta-security/kas/qemuarm64-alt.yml
index d23e38e..48e688c 100644
--- a/meta-security/kas/qemuarm64-alt.yml
+++ b/meta-security/kas/qemuarm64-alt.yml
@@ -1,10 +1,6 @@
 header:
   version: 8
   includes:
-    - kas-security-base.yml
-
-local_conf_header:
-  alt: |
-      DISTRO_FEATURES_append = " apparmor pam systemd"
+    - kas-security-alt.yml
 
 machine: qemuarm64
diff --git a/meta-security/kas/qemuarm64-musl.yml b/meta-security/kas/qemuarm64-musl.yml
new file mode 100644
index 0000000..b353eb4
--- /dev/null
+++ b/meta-security/kas/qemuarm64-musl.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+    musl: |
+        TCLIBC = "musl"
+
+machine: qemuarm64
diff --git a/meta-security/kas/qemux86-64-alt.yml b/meta-security/kas/qemux86-64-alt.yml
index 4364bf5..f0d6b27 100644
--- a/meta-security/kas/qemux86-64-alt.yml
+++ b/meta-security/kas/qemux86-64-alt.yml
@@ -1,10 +1,6 @@
 header:
   version: 8
   includes:
-    - kas-security-base.yml
-
-local_conf_header:
-  alt: |
-    DISTRO_FEATURES_append = " apparmor pam systmed"
+    - kas-security-alt.yml
 
 machine: qemux86-64
diff --git a/meta-security/kas/qemux86-musl.yml b/meta-security/kas/qemux86-musl.yml
new file mode 100644
index 0000000..61d9572
--- /dev/null
+++ b/meta-security/kas/qemux86-musl.yml
@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+    musl: |
+        TCLIBC = "musl"
+
+machine: qemux86
diff --git a/meta-security/kas/qemux86-test.yml b/meta-security/kas/qemux86-test.yml
index 823a8b2..7b5f451 100644
--- a/meta-security/kas/qemux86-test.yml
+++ b/meta-security/kas/qemux86-test.yml
@@ -6,6 +6,6 @@
 
 local_conf_header:
   meta-security: |
-      DISTRO_FEATURES_append = " ptest apparmor pam"
+      DISTRO_FEATURES_append = " apparmor smack pam"
 
 machine: qemux86
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
index 66c2623..32fce0f 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -6,7 +6,7 @@
 LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
 LICENSE = "LGPL-2.1"
 
-DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native"
+DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native expat-native"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.3.bb
similarity index 96%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.3.bb
index 991364a..d2a1c47 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.3.bb
@@ -18,7 +18,7 @@
     file://tpm2-abrmd.default \
 "
 
-SRCREV = "ac82192df1158cb58eac02777cf15c965b02cfbc"
+SRCREV = "4cdda466010a3699ebe967d990ac715ae3de7d35"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
new file mode 100644
index 0000000..9d3f073
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
@@ -0,0 +1,77 @@
+From 9e3ef6f253f9427596baf3e7d748a79854cadfa9 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 14 Oct 2020 08:55:33 -0700
+Subject: [PATCH] remove local binary checkes
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upsteam-Status: Inappropriate
+These are only needed to run on the tartget so we add an RDPENDS.
+Not needed for building.
+
+---
+ configure.ac | 48 ------------------------------------------------
+ 1 file changed, 48 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 50e7d4b..2b9abcf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -219,54 +219,6 @@ AX_PROG_JAVAC()
+ AX_PROG_JAVA()
+ m4_popdef([AC_MSG_ERROR])
+ 
+-AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no])
+-  AS_IF([test "x$tpm2_createprimary" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_createprimary, but executable not found.])])
+-
+-AC_CHECK_PROG([tpm2_create], [tpm2_create], [yes], [no])
+-  AS_IF([test "x$tpm2_create" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_create, but executable not found.])])
+-
+-AC_CHECK_PROG([tpm2_evictcontrol], [tpm2_evictcontrol], [yes], [no])
+-  AS_IF([test "x$tpm2_evictcontrol" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_evictcontrol, but executable not found.])])
+-
+-AC_CHECK_PROG([tpm2_readpublic], [tpm2_readpublic], [yes], [no])
+-  AS_IF([test "x$tpm2_readpublic" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_readpublic, but executable not found.])])
+-
+-AC_CHECK_PROG([tpm2_load], [tpm2_load], [yes], [no])
+-  AS_IF([test "x$tpm2_load" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_load, but executable not found.])])
+-
+-AC_CHECK_PROG([tpm2_loadexternal], [tpm2_loadexternal], [yes], [no])
+-  AS_IF([test "x$tpm2_loadexternal" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_loadexternal, but executable not found.])])
+-
+-AC_CHECK_PROG([tpm2_unseal], [tpm2_unseal], [yes], [no])
+-  AS_IF([test "x$tpm2_unseal" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_unseal, but executable not found.])])
+-
+-AC_CHECK_PROG([tpm2_encryptdecrypt], [tpm2_encryptdecrypt], [yes], [no])
+-  AS_IF([test "x$tpm2_encryptdecrypt" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_encryptdecrypt, but executable not found.])])
+-
+-AC_CHECK_PROG([tpm2_sign], [tpm2_sign], [yes], [no])
+-  AS_IF([test "x$tpm2_sign" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_sign, but executable not found.])])
+-
+-AC_CHECK_PROG([tpm2_getcap], [tpm2_getcap], [yes], [no])
+-  AS_IF([test "x$tpm2_getcap" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_getcap, but executable not found.])])
+-
+-AC_CHECK_PROG([tpm2_import], [tpm2_import], [yes], [no])
+-  AS_IF([test "x$tpm2_import" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_import, but executable not found.])])
+-
+-AC_CHECK_PROG([tpm2_changeauth], [tpm2_changeauth], [yes], [no])
+-  AS_IF([test "x$tpm2_changeauth" != "xyes"],
+-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_changeauth, but executable not found.])])
+-
+ AC_DEFUN([integration_test_checks], [
+ 
+   PKG_CHECK_MODULES([OPENSC_PKCS11],[opensc-pkcs11],,
+-- 
+2.17.1
+
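Review bot: The status tag in the patch header is spelled `Upsteam-Status:`, so tooling that scans patches for `Upstream-Status:` will treat this patch as untagged; it should read `Upstream-Status: Inappropriate [embedded specific]` or carry another bracketed reason. The rationale text has further typos (`tartget`, `RDPENDS`), and the subject and file name say `checkes`. The rationale rests on the recipe declaring a runtime dependency on tpm2-tools, so removing these twelve configure checks is only safe if that declaration actually takes effect in the recipe.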
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.4.0.bb
similarity index 79%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.4.0.bb
index ce2dac0..4865733 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.4.0.bb
@@ -7,9 +7,10 @@
 DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml"
 
 SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=1.X \
-           file://bootstrap_fixup.patch "
+           file://bootstrap_fixup.patch \
+           file://0001-remove-local-binary-checkes.patch"
 
-SRCREV = "8d8f137f65f1d61d66cc191947b59c378f23e97d"
+SRCREV = "78bbf6a0237351830d0c3923b25ba0b57ae0b7e9"
 
 S = "${WORKDIR}/git"
 
@@ -18,3 +19,5 @@
 do_configure_prepend () {
     ${S}/bootstrap
 }
+
+RDEPNDS_${PN} = "tpm2-tools"
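Review bot: `RDEPNDS_${PN}` is misspelled, so BitBake sets an unrelated variable and tpm2-tools is never added as a runtime dependency of the package. That matters more than usual here because the same change adds `0001-remove-local-binary-checkes.patch`, which deletes the configure-time checks for `tpm2_createprimary`, `tpm2_sign`, `tpm2_unseal` and the other tools on the grounds that a runtime dependency covers them. As written nothing guarantees the tools are present on the target, and tpm2_ptool would fail only when it is run. The line should be `RDEPENDS_${PN} = "tpm2-tools"`.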
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.3.0.bb
similarity index 64%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.3.0.bb
index ae01d5e..5bd26ab 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.3.0.bb
@@ -1,13 +1,13 @@
 SUMMARY = "Tools for TPM2."
 DESCRIPTION = "tpm2-tools"
 LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=0eb1216e46938bd723098d93a23c3bcc"
+LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=a846608d090aa64494c45fc147cc12e3"
 SECTION = "tpm"
 
 DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"
 
 SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
 
-SRC_URI[sha256sum] = "bb5d3310620e75468fe33dbd530bd73dd648c70ec707b4579c74d9f63fc82704"
+SRC_URI[sha256sum] = "ae009b3495b44a16faa3d94d41ac9c9d99c71723482efad53c5eea17eeed80fc"
 
 inherit autotools pkgconfig bash-completion
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.1.bb
similarity index 84%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.1.bb
index 0dad673..264484f 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.1.bb
@@ -9,9 +9,8 @@
 
 PE = "1"
 
-SRCREV = "994b4203e4769baefa6e7719915629bc8210e90a"
-SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.2.x \
-          "
+SRCREV = "bfd581986353edc1058604e77cac804bd8b0d30a"
+SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.2.x"
 
 inherit autotools-brokensep pkgconfig
 
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.3.bb
similarity index 93%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.3.bb
index 22b961d..78be513 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.3.bb
@@ -6,10 +6,8 @@
 
 DEPENDS = "autoconf-archive-native libgcrypt openssl"
 
-SRCREV = "a99e733ba66c359502689a9c42fd5e02ed1dd7d6"
-
 SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
-SRC_URI[sha256sum] = "58d7afcab9ff3daaafb5316e57d2c211118334b470d5a5bc6ceace6f89a1e60d"
+SRC_URI[sha256sum] = "e294677f8993234d0adfa191a5cbf9c5b83cc60c724c233e3d631c26712abea0"
 
 inherit autotools pkgconfig systemd extrausers
 
diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb
index c71d726..54d8978 100644
--- a/meta-security/recipes-core/images/security-test-image.bb
+++ b/meta-security/recipes-core/images/security-test-image.bb
@@ -1,33 +1,18 @@
 DESCRIPTION = "A small image for testing meta-security packages"
 
+require security-build-image.bb
+
 IMAGE_FEATURES += "ssh-server-openssh"
 
 TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
 
 INSTALL_CLAMAV_CVD = "1"
 
-IMAGE_INSTALL = "\
-    packagegroup-base \
-    packagegroup-core-boot \
-    packagegroup-core-security-ptest \
-    clamav \
-    tripwire \
-    checksec \
-    suricata \
-    samhain-standalone \
-    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
-    ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
-    ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
-    os-release \
-    " 
+IMAGE_OVERHEAD_FACTOR = "1.0"
+IMAGE_ROOTFS_EXTRA_SPACE = "1124288"
 
+# ptests need more memory than standard to avoid the OOM killer
+# also lttng-tools needs /tmp that has at least 1G
+QB_MEM = "-m 2048"
 
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-test-image"
-
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
+PTEST_EXPECT_FAILURE = "1"
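Review bot: `PTEST_EXPECT_FAILURE = "1"` is set without a comment; as far as I know it switches the ptest runtime case to expect failures, so a testimage run is reported as passing while ptests for the security packages fail. Add a comment above it stating which ptests are known to fail and when the setting should be removed, e.g. `# known failing ptests: <list>; remove once they pass`. The comment above `QB_MEM` mentions lttng-tools, which nothing visible in this recipe installs; it looks copied from another image and could be reworded to what this image needs. `require security-build-image.bb` now has to supply the `IMAGE_INSTALL`, `LICENSE` and `inherit core-image` that this hunk removes, so the image contents depend on a file not shown here.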
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
index bb07aab..888052c 100644
--- a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -10,33 +10,43 @@
 
     . /usr/share/misc/dm-verity.env
 
-    case "${bootparam_root}" in
-        ID=*)
-            RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
-            ;;
-        LABEL=*)
-            RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
-            ;;
-        PARTLABEL=*)
-            RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
-            ;;
-        PARTUUID=*)
-            RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
-            ;;
-        PATH=*)
-            RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
-            ;;
-        UUID=*)
-            RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
-            ;;
-        *)
-            RDEV="${bootparam_root}"
-    esac
+    C=0
+    delay=${bootparam_rootdelay:-1}
+    timeout=${bootparam_roottimeout:-5}
+    RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+    while [ ! -b "${RDEV}" ]; do
+        if [ $(( $C * $delay )) -gt $timeout ]; then
+            fatal "Root device resolution failed"
+            exit 1
+        fi
 
-    if ! [ -b "${RDEV}" ]; then
-        echo "Root device resolution failed"
-        exit 1
-    fi
+        case "${bootparam_root}" in
+            ID=*)
+                RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+                ;;
+            LABEL=*)
+                RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+                ;;
+            PARTLABEL=*)
+                RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+                ;;
+            PARTUUID=*)
+                RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+                ;;
+            PATH=*)
+                RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+                ;;
+            UUID=*)
+                RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+                ;;
+            *)
+                RDEV="${bootparam_root}"
+        esac
+        debug "Sleeping for $delay second(s) to wait root to settle..."
+        sleep $delay
+        C=$(( $C + 1 ))
+
+    done
 
     veritysetup \
         --data-block-size=1024 \
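Review bot: The retry loop tests `-b` only at the top, so it sleeps after every resolution attempt, including the one that succeeds, and because the attempt before the loop is hard-coded to `by-partuuid`, every other `root=` form always pays at least one `delay`. `delay` and `timeout` come straight from the kernel command line and are used unvalidated: with `rootdelay=0` the product `$C * $delay` stays 0, the timeout never fires and a missing root device spins forever instead of reaching `fatal`, while a non-numeric value makes the arithmetic fail. This is the step that selects the device handed to `veritysetup`, so I would validate both values, resolve inside the loop, test immediately and sleep only on a miss, as sketched below. `fatal` in initramfs-framework normally does not return, so the `exit 1` after it is probably unreachable (confirm); the enclosing function starts before this hunk and continues after it.

```shell
    C=0
    delay=${bootparam_rootdelay:-1}
    timeout=${bootparam_roottimeout:-5}
    # Both values come from the kernel command line: fall back to the
    # defaults unless they are plain integers (and delay is non-zero), so
    # the timeout arithmetic below cannot error out or stall at zero.
    case "${delay}" in ''|*[!0-9]*|0) delay=1 ;; esac
    case "${timeout}" in ''|*[!0-9]*) timeout=5 ;; esac
    RDEV=""
    while :; do
        case "${bootparam_root}" in
            # … unchanged: ID= / LABEL= / PARTLABEL= / PARTUUID= / PATH= / UUID= / default arms …
        esac
        # Stop as soon as the device node exists; sleep only on a miss.
        [ -b "${RDEV}" ] && break
        if [ $(( $C * $delay )) -gt "${timeout}" ]; then
            fatal "Root device resolution failed"
            exit 1
        fi
        debug "Sleeping for $delay second(s) to wait root to settle..."
        sleep "${delay}"
        C=$(( $C + 1 ))
    done
```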
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
deleted file mode 100644
index cf34ded..0000000
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
+++ /dev/null
@@ -1,28 +0,0 @@
-DESCRIPTION = "Security ptest packagegroup"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
-                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-inherit features_check
-
-REQUIRED_DISTRO_FEATURES = "ptest"
-
-PACKAGES = "\
-    ${PN} \
-    "
-
-ALLOW_EMPTY_${PN} = "1"
-
-SUMMARY_${PN} = "Security packages with ptests"
-RDEPENDS_${PN} = " \
-    ptest-runner \
-    samhain-standalone-ptest \
-    keyutils-ptest \
-    libseccomp-ptest \
-    python3-scapy-ptest \
-    suricata-ptest \
-    tripwire-ptest \
-    python3-fail2ban-ptest \
-    ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
-    ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
-    "
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index 1d01800..0a4452e 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -13,6 +13,7 @@
     packagegroup-security-hardening \
     packagegroup-security-ids  \
     packagegroup-security-mac  \
+    ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
     "
 
 RDEPENDS_packagegroup-core-security = "\
@@ -22,6 +23,7 @@
     packagegroup-security-hardening \
     packagegroup-security-ids  \
     packagegroup-security-mac  \
+    ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
     "
 
 SUMMARY_packagegroup-security-utils = "Security utilities"
@@ -36,6 +38,9 @@
     python3-privacyidea \
     python3-fail2ban \
     python3-scapy \
+    softhsm \
+    libest \
+    opendnssec \
     ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
@@ -48,6 +53,7 @@
     checksecurity \
     ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \
     "
+RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam clamav-cvd"
 
 SUMMARY_packagegroup-security-audit = "Security Audit tools "
 RDEPENDS_packagegroup-security-audit = " \
@@ -73,3 +79,14 @@
     ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
     "
+
+RDEPENDS_packagegroup-meta-security-ptest-packages = "\
+    ptest-runner \
+    samhain-standalone-ptest \
+    libseccomp-ptest \
+    python3-scapy-ptest \
+    suricata-ptest \
+    tripwire-ptest \
+    python3-fail2ban-ptest \
+    ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+"
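Review bot: The new `packagegroup-meta-security-ptest-packages` list silently drops `apparmor-ptest` and `keyutils-ptest`, which the deleted `packagegroup-core-security-ptest.bb` carried, and unlike the sibling groups it has no `SUMMARY_` line. A comment above the assignment, e.g. `# apparmor-ptest omitted: apparmor 3.0 ptest does not build`, plus one for keyutils-ptest, would keep the gap in test coverage visible so it gets restored. The `DISTRO_FEATURES` ptest conditional added in the first two hunks appears to sit in both a package list and `RDEPENDS_packagegroup-core-security`; the start of the first list is outside the hunk, so confirm it is `PACKAGES`.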
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.33.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.35.bb
similarity index 100%
rename from meta-security/recipes-ids/suricata/libhtp_0.5.33.bb
rename to meta-security/recipes-ids/suricata/libhtp_0.5.35.bb
diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc
index c9dd9aa..b94285f 100644
--- a/meta-security/recipes-ids/suricata/suricata.inc
+++ b/meta-security/recipes-ids/suricata/suricata.inc
@@ -2,7 +2,7 @@
 SECTION = "security Monitor/Admin"
 LICENSE = "GPLv2"
 
-VER = "4.1.8"
+VER = "4.1.9"
 SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
 
-SRC_URI[sha256sum] = "c8a83a05f57cedc0ef81d833ddcfdbbfdcdb6f459a91b1b15dc2d5671f1aecbb"
+SRC_URI[sha256sum] = "3440cd1065b1b3999dc101a37c49321fab2791b38f16e2f7fe27369dd007eea7"
diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.8.bb b/meta-security/recipes-ids/suricata/suricata_4.1.9.bb
similarity index 98%
rename from meta-security/recipes-ids/suricata/suricata_4.1.8.bb
rename to meta-security/recipes-ids/suricata/suricata_4.1.9.bb
index 9b7122b..135871c 100644
--- a/meta-security/recipes-ids/suricata/suricata_4.1.8.bb
+++ b/meta-security/recipes-ids/suricata/suricata_4.1.9.bb
@@ -14,7 +14,7 @@
 
 inherit autotools-brokensep pkgconfig python3-dir systemd ptest
 
-CFLAGS += "-D_DEFAULT_SOURCE"
+CFLAGS += "-D_DEFAULT_SOURCE -fcommon"
 
 CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \
                         ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no "
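Review bot: `-fcommon` is added to `CFLAGS` with no comment; it restores the pre-GCC-10 behaviour of merging duplicate tentative definitions, which gets the build through but leaves the duplicate globals in the sources unfixed. Please record that next to the flag, e.g. `# GCC 10 defaults to -fno-common; drop -fcommon once upstream removes the duplicate definitions`, so the workaround is revisited on the next version update.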
diff --git a/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend
index 76b5df5..6bc40cd 100644
--- a/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend
+++ b/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend
@@ -1,4 +1,4 @@
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}"
-
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
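Review bot: The dm-verity kernel fragment is keyed on `IMAGE_CLASSES` containing `dm-verity-img`, unlike the three lines above it, which key on `DISTRO_FEATURES`; the expression is evaluated in the kernel recipe, so it only takes effect when `IMAGE_CLASSES` is set in global configuration. An image that pulls in the class some other way would presumably be built against a kernel without the fragment, and the failure would surface only at boot when the initramfs runs `veritysetup`. A comment stating the requirement, e.g. `# requires IMAGE_CLASSES += "dm-verity-img" in local.conf or the distro config`, would make it explicit.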
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
deleted file mode 100644
index dcdc1f7..0000000
--- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ /dev/null
@@ -1,201 +0,0 @@
-SUMMARY = "AppArmor another MAC control system"
-DESCRIPTION = "user-space parser utility for AppArmor \
- This provides the system initialization scripts needed to use the \
- AppArmor Mandatory Access Control system, including the AppArmor Parser \
- which is required to convert AppArmor text profiles into machine-readable \
- policies that are loaded into the kernel for use with the AppArmor Linux \
- Security Module."
-HOMEAPAGE = "http://apparmor.net/"
-SECTION = "admin"
-
-LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
-LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
-
-DEPENDS = "bison-native apr gettext-native coreutils-native"
-
-SRC_URI = " \
-	git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
-	file://disable_perl_h_check.patch \
-	file://crosscompile_perl_bindings.patch \
-	file://apparmor.rc \
-	file://functions \
-	file://apparmor \
-	file://apparmor.service \
-	file://0001-Makefile.am-suppress-perllocal.pod.patch \
-	file://run-ptest \
-	"
-
-SRCREV = "df0ac742f7a1146181d8734d03334494f2015134"
-S = "${WORKDIR}/git"
-
-PARALLEL_MAKE = ""
-
-COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
-
-inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check
-REQUIRED_DISTRO_FEATURES = "apparmor"
-
-PACKAGECONFIG ??= "python perl aa-decode"
-PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
-PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
-PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
-PACKAGECONFIG[apache2] = ",,apache2,"
-PACKAGECONFIG[aa-decode] = ",,,bash"
-
-PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
-HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}"
-
-python() {
-    if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
-            'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
-        raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
-}
-
-DISABLE_STATIC = ""
-
-do_configure() {
-	cd ${S}/libraries/libapparmor
-	aclocal
-	autoconf --force
-	libtoolize --automake -c --force
-	automake -ac
-	./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
-}
-
-do_compile () {
-        # Fixes:
-        # | sed -ie 's///g' Makefile.perl
-        # | sed: -e expression #1, char 0: no previous regular expression
-        #| Makefile:478: recipe for target 'Makefile.perl' failed
-        sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
-
-
-	oe_runmake -C ${B}/libraries/libapparmor
-        oe_runmake -C ${B}/binutils
-        oe_runmake -C ${B}/utils
-        oe_runmake -C ${B}/parser
-        oe_runmake -C ${B}/profiles
-
-	if test -z "${HTTPD}" ; then
-        	oe_runmake -C ${B}/changehat/mod_apparmor
-	fi	
-
-	if test -z "${PAMLIB}" ; then
-        	oe_runmake -C ${B}/changehat/pam_apparmor
-	fi
-}
-
-do_install () {
-	install -d ${D}/${INIT_D_DIR}
-	install -d ${D}/lib/apparmor
-	oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
-	oe_runmake -C ${B}/binutils DESTDIR="${D}" install
-	oe_runmake -C ${B}/utils DESTDIR="${D}" install
-	oe_runmake -C ${B}/parser DESTDIR="${D}" install
-	oe_runmake -C ${B}/profiles DESTDIR="${D}" install
-
-	# If perl is disabled this script won't be any good
-	if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
-		rm -f ${D}${sbindir}/aa-notify
-	fi
-
-	if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
-		rm -f ${D}${sbindir}/aa-decode
-	fi
-
-	if test -z "${HTTPD}" ; then
-		oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
-	fi
-
-	if test -z "${PAMLIB}" ; then
-		oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
-	fi
-
-	# aa-easyprof is installed by python-tools-setup.py, fix it up
-	sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
-	chmod 0755 ${D}${bindir}/aa-easyprof
-
-	install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
-	install ${WORKDIR}/functions ${D}/lib/apparmor
-	sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
-	sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions  
-
-	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-		install -d ${D}${systemd_system_unitdir}
-		install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
-	fi
-}
-
-#Building ptest on arm fails.
-do_compile_ptest_aarch64 () {
-  :
-}
-
-do_compile_ptest_arm () {
-  :
-}
-
-do_compile_ptest () {
-        oe_runmake -C ${B}/tests/regression/apparmor
-        oe_runmake -C ${B}/parser/tst
-        oe_runmake -C ${B}/libraries/libapparmor
-}
-
-do_install_ptest () {
-	t=${D}/${PTEST_PATH}/testsuite
-	install -d ${t}
-	install -d ${t}/tests/regression/apparmor
-	cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
-
-	install -d ${t}/parser/tst
-	cp -rf ${B}/parser/tst ${t}/parser
-	cp ${B}/parser/apparmor_parser ${t}/parser
-	cp ${B}/parser/frob_slack_rc ${t}/parser
-
-	install -d ${t}/libraries/libapparmor
-	cp -rf ${B}/libraries/libapparmor ${t}/libraries
-
-	install -d ${t}/common
-	cp -rf ${B}/common ${t}
-
-	install -d ${t}/binutils
-	cp -rf ${B}/binutils ${t}
-}
-
-#Building ptest on arm fails.
-do_install_ptest_aarch64 () {
-  :
-}
-
-do_install_ptest_arm() {
-  :
-}
-
-pkg_postinst_ontarget_${PN} () {
-if [ ! -d /etc/apparmor.d/cache ] ; then
-    mkdir /etc/apparmor.d/cache
-fi
-}
-
-# We need the init script so don't rm it
-RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "apparmor"
-INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
-
-SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "apparmor.service"
-SYSTEMD_AUTO_ENABLE ?= "enable"
-
-PACKAGES += "mod-${PN}"
-
-FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
-FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-
-# Add coreutils and findutils only if sysvinit scripts are in use
-RDEPENDS_${PN} +=  "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
-RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
-RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
-
-PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*"
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb
new file mode 100644
index 0000000..35e95a0
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb
@@ -0,0 +1,193 @@
+SUMMARY = "AppArmor another MAC control system"
+DESCRIPTION = "user-space parser utility for AppArmor \
+ This provides the system initialization scripts needed to use the \
+ AppArmor Mandatory Access Control system, including the AppArmor Parser \
+ which is required to convert AppArmor text profiles into machine-readable \
+ policies that are loaded into the kernel for use with the AppArmor Linux \
+ Security Module."
+HOMEAPAGE = "http://apparmor.net/"
+SECTION = "admin"
+
+LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
+
+DEPENDS = "bison-native apr gettext-native coreutils-native swig-native"
+
+SRC_URI = " \
+    git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
+    file://disable_perl_h_check.patch \
+    file://crosscompile_perl_bindings.patch \
+    file://apparmor.rc \
+    file://functions \
+    file://apparmor \
+    file://apparmor.service \
+    file://0001-Makefile.am-suppress-perllocal.pod.patch \
+    file://run-ptest \
+    file://0001-apparmor-fix-manpage-order.patch \
+    file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
+    file://0001-libapparmor-add-missing-include-for-socklen_t.patch \
+    file://0002-libapparmor-add-aa_features_new_from_file-to-public-.patch \
+    file://0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch \
+    file://0001-aa_status-Fix-build-issue-with-musl.patch \
+    file://0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch \
+    "
+
+SRCREV = "5d51483bfecf556183558644dc8958135397a7e2"
+S = "${WORKDIR}/git"
+
+PARALLEL_MAKE = ""
+
+COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
+
+inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative cpan systemd features_check bash-completion
+
+REQUIRED_DISTRO_FEATURES = "apparmor"
+
+PACKAGECONFIG ?= "python perl aa-decode"
+PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
+PACKAGECONFIG[python] = "--with-python, --without-python, python3 , python3-core python3-modules"
+PACKAGECONFIG[perl] = "--with-perl, --without-perl, "
+PACKAGECONFIG[apache2] = ",,apache2,"
+PACKAGECONFIG[aa-decode] = ",,,bash"
+
+python() {
+    if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
+       'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
+        raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
+}
+
+DISABLE_STATIC = ""
+
+do_configure() {
+    cd ${S}/libraries/libapparmor
+    aclocal
+    autoconf --force
+    libtoolize --automake -c --force
+    automake -ac
+    ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+}
+
+do_compile () {
+    sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
+    oe_runmake -C ${B}/libraries/libapparmor
+    oe_runmake -C ${B}/binutils
+    oe_runmake -C ${B}/utils
+    oe_runmake -C ${B}/parser
+    oe_runmake -C ${B}/profiles
+
+    if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then
+        oe_runmake -C ${B}/changehat/mod_apparmor
+    fi
+
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
+        oe_runmake -C ${B}/changehat/pam_apparmor
+    fi
+}
+
+do_install () {
+    install -d ${D}/${INIT_D_DIR}
+    install -d ${D}/lib/apparmor
+    oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
+    oe_runmake -C ${B}/binutils DESTDIR="${D}" install
+    oe_runmake -C ${B}/utils DESTDIR="${D}" install
+    oe_runmake -C ${B}/parser DESTDIR="${D}" install
+    oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+
+    if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
+        rm -f ${D}${sbindir}/aa-decode
+    fi
+
+    if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then
+        oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
+    fi
+
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
+        install -d ${D}/lib/security
+        oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
+    fi
+
+    install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
+    install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor
+
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -d ${D}${systemd_system_unitdir}
+        install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+    fi
+}
+
+#Building ptest on arm fails.
+do_compile_ptest_aarch64 () {
+  :
+}
+
+do_compile_ptest_arm () {
+  :
+}
+
+do_compile_ptest () {
+    sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile
+    oe_runmake -C ${B}/tests/regression/apparmor USE_SYSTEM=0
+    oe_runmake -C ${B}/libraries/libapparmor 
+}
+
+do_install_ptest () {
+    t=${D}/${PTEST_PATH}/testsuite
+    install -d ${t}
+    install -d ${t}/tests/regression/apparmor
+    cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
+
+    cp ${B}/parser/apparmor_parser ${t}/parser
+    cp ${B}/parser/frob_slack_rc ${t}/parser
+
+    install -d ${t}/libraries/libapparmor
+    cp -rf ${B}/libraries/libapparmor ${t}/libraries
+
+    install -d ${t}/common
+    cp -rf ${B}/common ${t}
+
+    install -d ${t}/binutils
+    cp -rf ${B}/binutils ${t}
+}
+
+#Building ptest on arm fails.
+do_install_ptest_aarch64 () {
+  :
+}
+
+do_install_ptest_arm() {
+  :
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ ! -d /etc/apparmor.d/cache ] ; then
+    mkdir /etc/apparmor.d/cache
+fi
+}
+
+# We need the init script so don't rm it
+RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "apparmor"
+INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "apparmor.service"
+SYSTEMD_AUTO_ENABLE ?= "enable"
+
+PACKAGES += "mod-${PN}"
+
+FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
+FILES_mod-${PN} = "${libdir}/apache2/modules/*"
+
+DEPENDS_append_libc-musl = " fts "
+RDEPENDS_${PN}_libc-musl +=  "musl-utils"
+RDEPENDS_${PN}_libc-glibc +=  "glibc-utils"
+
+# Add coreutils and findutils only if sysvinit scripts are in use
+RDEPENDS_${PN} +=  "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
+RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
+RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
+
+INSANE_SKIP_${PN} = "ldflags"
+PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*"
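Review bot: In `do_install_ptest`, `cp ${B}/parser/apparmor_parser ${t}/parser` runs before any `${t}/parser` directory exists, because the `install -d ${t}/parser/tst` step from the removed recipe was not carried over. With no directory there, cp writes a regular file named `parser`, and the following `frob_slack_rc` copy overwrites it. Adding `install -d ${t}/parser` ahead of the two copies restores the intended layout. Separately, `HOMEAPAGE` near the top is a misspelling of `HOMEPAGE`, so the URL never reaches the package metadata. `INSANE_SKIP_${PN} = "ldflags"` also deserves a comment naming the binaries that miss the distro LDFLAGS, since that QA check is the usual signal that the distro's link flags (including any hardening flags) reached the linker.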
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
new file mode 100644
index 0000000..791437d
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
@@ -0,0 +1,91 @@
+From 5ed21abbef4d4c2983e70bd2868fb817150e883e Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Sat, 3 Oct 2020 11:26:46 -0700
+Subject: [PATCH] Revert "profiles: Update 'make check' to select tools based
+ on USE_SYSTEM"
+
+This reverts commit 6016f931ebf7b61e1358f19453ef262d9d184a4e.
+
+Upstream-Statue: OE specific
+These changes cause during packaging with perms changing.
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ profiles/Makefile | 50 ++++++++++-------------------------------------
+ 1 file changed, 10 insertions(+), 40 deletions(-)
+
+diff --git a/profiles/Makefile b/profiles/Makefile
+index ba47fc16..5384cb05 100644
+--- a/profiles/Makefile
++++ b/profiles/Makefile
+@@ -35,49 +35,9 @@ EXTRAS_SOURCE=./apparmor/profiles/extras/
+ SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print)
+ TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*))
+ 
+-ifdef USE_SYSTEM
+-    PYTHONPATH=
+-    PARSER?=apparmor_parser
+-    LOGPROF?=aa-logprof
+-else
+-    # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
+-    PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))")
+-    LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/
+-    LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
+-    PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH)
+-    PARSER?=../parser/apparmor_parser
+-    # use ../utils logprof
+-    LOGPROF?=LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) PYTHONPATH=$(PYTHONPATH) $(PYTHON) ../utils/aa-logprof
+-endif
+-
+ # $(PWD) is wrong when using "make -C profiles" - explicitely set it here to get the right value
+ PWD=$(shell pwd)
+ 
+-.PHONY: test-dependencies
+-test-dependencies: __parser __libapparmor
+-
+-
+-.PHONY: __parser __libapparmor
+-__parser:
+-ifndef USE_SYSTEM
+-	@if [ ! -f $(PARSER) ]; then \
+-		echo "error: $(PARSER) is missing. Pick one of these possible solutions:" 1>&2; \
+-		echo "  1) Test using the in-tree parser by building it first and then trying again. See the top-level README for help." 1>&2; \
+-		echo "  2) Test using the system parser by adding USE_SYSTEM=1 to your make command." 1>&2; \
+-		exit 1; \
+-	fi
+-endif
+-
+-__libapparmor:
+-ifndef USE_SYSTEM
+-	@if [ ! -f $(LIBAPPARMOR_PATH)libapparmor.so ]; then \
+-		echo "error: $(LIBAPPARMOR_PATH)libapparmor.so is missing. Pick one of these possible solutions:" 1>&2; \
+-		echo "  1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
+-		echo "  2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2; \
+-		exit 1; \
+-	fi
+-endif
+-
+ local:
+ 	for profile in ${TOPLEVEL_PROFILES}; do \
+ 		fn=$$(basename $$profile); \
+@@ -109,6 +69,16 @@ else
+   Q=
+ endif
+ 
++ifndef PARSER
++# use system parser
++PARSER=../parser/apparmor_parser
++endif
++
++ifndef LOGPROF
++# use ../utils logprof
++LOGPROF=PYTHONPATH=../utils $(PYTHON) ../utils/aa-logprof
++endif
++
+ .PHONY: docs
+ # docs: should we have some here?
+ docs:
+-- 
+2.17.1
+
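Review bot: The header tag is spelled `Upstream-Statue: OE specific`, so tooling that scans for an `Upstream-Status:` line will treat this patch as untagged; the usual form would be `Upstream-Status: Inappropriate [OE specific]`. The re-added block also carries the comment `# use system parser` above `PARSER=../parser/apparmor_parser`, which is the in-tree parser, so `# use in-tree parser` would match the assignment. The description "These changes cause during packaging with perms changing" does not say what actually fails; one line quoting the packaging error would help whoever revisits this revert on the next AppArmor update.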
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
new file mode 100644
index 0000000..239562a
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
@@ -0,0 +1,31 @@
+From 2bf15cc68f31c9f41962bb60a669ab2b453a039b Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 7 Oct 2020 08:27:11 -0700
+Subject: [PATCH] aa_status: Fix build issue with musl
+
+add limits.h
+
+aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'?
+|   269 |    real_exe = calloc(PATH_MAX + 1, sizeof(char));
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ binutils/aa_status.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b03409..41f1954e 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -10,6 +10,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/wait.h>
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
new file mode 100644
index 0000000..9f3dce4
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
@@ -0,0 +1,43 @@
+From c9baef0c70122e1be33b627874772e6e9a5d7744 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Fri, 2 Oct 2020 19:43:44 -0700
+Subject: [PATCH] apparmor: fix manpage order
+
+It trys to create a symlink before the man pages are installed.
+
+ ln -sf aa-status.8 /(path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8
+ | ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+...
+
+install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8;
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ binutils/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/binutils/Makefile b/binutils/Makefile
+index 99e54875..3f1d0011 100644
+--- a/binutils/Makefile
++++ b/binutils/Makefile
+@@ -156,12 +156,12 @@ install-arch: arch
+ 	install -m 755 -d ${SBINDIR}
+ 	ln -sf aa-status ${SBINDIR}/apparmor_status
+ 	install -m 755 ${SBINTOOLS} ${SBINDIR}
+-	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
+ 
+ .PHONY: install-indep
+ install-indep: indep
+ 	$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
+ 	$(MAKE) install_manpages DESTDIR=${DESTDIR}
++	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
+ 
+ ifndef VERBOSE
+ .SILENT: clean
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
new file mode 100644
index 0000000..2a56d8b
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
@@ -0,0 +1,36 @@
+From 47263a3a74d7973e7a54b17db6aa903701468ffd Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Sat, 3 Oct 2020 20:37:55 +0200
+Subject: [PATCH] libapparmor: add missing include for `socklen_t`
+
+While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
+include the `<sys/socket.h>` header to make its declaration available.
+While this works on systems using glibc via transitive includes, it
+breaks compilation on musl libc.
+
+Fix the issue by including the header.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ libraries/libapparmor/include/sys/apparmor.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d06..d70eff94 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -21,6 +21,7 @@
+ #include <stdbool.h>
+ #include <stdint.h>
+ #include <unistd.h>
++#include <sys/socket.h>
+ #include <sys/types.h>
+ 
+ #ifdef __cplusplus
+-- 
+2.17.1
+
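Review bot: `Upstream-Status: Backport` is given without a reference to the upstream commit or merge request, here and in the 0002 and 0003 libapparmor patches later in this commit. The `From` hash in the header may or may not be the upstream commit id, so a reader cannot tell when the backport becomes redundant on the next SRCREV bump. The usual form is `Upstream-Status: Backport [<upstream commit URL>]`.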
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
new file mode 100644
index 0000000..9f7ad3c
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
@@ -0,0 +1,37 @@
+From 965bb9c3e464f756b258a7c259a92bce3cde74e7 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Wed, 7 Oct 2020 20:50:38 -0700
+Subject: [PATCH] parser/Makefile: dont force host cpp to detect reallocarray
+
+In cross build environments, using the hosts cpp gives incorrect
+detection of reallocarray. Change cpp to a variable.
+
+fixes:
+parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)':
+| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope
+|   297 |   tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upstream-Status: Pending
+
+---
+ parser/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser/Makefile b/parser/Makefile
+index acef3d77..8250ac45 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -54,7 +54,7 @@ endif
+ CPPFLAGS += -D_GNU_SOURCE
+ 
+ STDLIB_INCLUDE:="\#include <stdlib.h>"
+-HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true)
++HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true)
+ 
+ WARNINGS = -Wall
+ CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
new file mode 100644
index 0000000..333f40f
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
@@ -0,0 +1,37 @@
+From c9255a03436e6a91bd4e410601da8d43a341ffc2 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Sat, 3 Oct 2020 20:58:45 +0200
+Subject: [PATCH] libapparmor: add `aa_features_new_from_file` to public
+ symbols
+
+With AppArmor release 3.0, a new function `aa_features_new_from_file`
+was added, but not added to the list of public symbols. As a result,
+it's not possible to make use of this function when linking against
+libapparmor.so.
+
+Fix the issue by adding it to the symbol map.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ libraries/libapparmor/src/libapparmor.map | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
+index bbff51f5..1579509a 100644
+--- a/libraries/libapparmor/src/libapparmor.map
++++ b/libraries/libapparmor/src/libapparmor.map
+@@ -117,6 +117,7 @@ APPARMOR_2.13.1 {
+ 
+ APPARMOR_3.0 {
+   global:
++	aa_features_new_from_file;
+ 	aa_features_write_to_fd;
+ 	aa_features_value;
+   local:
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
new file mode 100644
index 0000000..543c7a1
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
@@ -0,0 +1,34 @@
+From 9a8fee6bf1c79c261374d928b838b5eb9244ee9b Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Sat, 3 Oct 2020 21:04:57 +0200
+Subject: [PATCH] libapparmor: add _aa_asprintf to private symbols
+
+While `_aa_asprintf` is supposed to be of private visibility, it's used
+by apparmor_parser and thus required to be visible when linking. This
+commit thus adds it to the list of private symbols to make it available
+for linking in apparmor_parser.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ libraries/libapparmor/src/libapparmor.map | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
+index 1579509a..41e541ac 100644
+--- a/libraries/libapparmor/src/libapparmor.map
++++ b/libraries/libapparmor/src/libapparmor.map
+@@ -127,6 +127,7 @@ APPARMOR_3.0 {
+ PRIVATE {
+ 	global:
+ 		_aa_is_blacklisted;
++		_aa_asprintf;
+ 		_aa_autofree;
+ 		_aa_autoclose;
+ 		_aa_autofclose;
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/functions b/meta-security/recipes-mac/AppArmor/files/functions
index cef8cfe..e9e2bbf 100644
--- a/meta-security/recipes-mac/AppArmor/files/functions
+++ b/meta-security/recipes-mac/AppArmor/files/functions
@@ -144,7 +144,7 @@
 
 read_features_dir()
 {
-	for f in `ls -AU "$1"` ; do
+	for f in `ls -A "$1"` ; do
 		if [ -f "$1/$f" ] ; then
 			read -r KF < "$1/$f" || true
 			echo -n "$f {$KF } "
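Review bot: The loop in `read_features_dir` still iterates over backtick `ls` output, so an entry name containing whitespace or glob characters would be split or expanded before the `[ -f "$1/$f" ]` test. The names presumably come from the kernel's AppArmor features directory, which keeps the risk low, but a glob avoids the parsing altogether (dotfiles aside): `for p in "$1"/*; do f=${p##*/}`. Dropping `-U` also changes iteration from directory order to sorted order, which changes the order of the emitted feature string. A one-line comment giving the reason (I assume an `ls` on the target that lacks `-U`) would be useful. The function body continues past the end of this hunk.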
diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index d8cd06f..4a99b5a 100644
--- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -16,6 +16,7 @@
     file://ecryptfs-utils-CVE-2016-6224.patch \
     file://0001-avoid-race-condition.patch \
     file://ecryptfs.service \
+    file://define_musl_sword_type.patch \
     "
 
 SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
diff --git a/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
new file mode 100644
index 0000000..3b29be0
--- /dev/null
+++ b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
@@ -0,0 +1,15 @@
+Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+===================================================================
+--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c
++++ ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+@@ -45,6 +45,10 @@
+ #include <values.h>
+ #include "../include/ecryptfs.h"
+ 
++#ifndef __SWORD_TYPE
++typedef __typeof__( ((struct statfs *)0)->f_type )	__SWORD_TYPE;
++#endif
++
+ /* Perhaps a future version of this program will allow these to be configurable
+  * by the system administrator (or user?) at run time.  For now, these are set
+  * to reasonable values to reduce the burden of input validation.
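Review bot: This patch file has no header at all: no description, no `Upstream-Status:` tag and no `Signed-off-by:`, unlike the other patches added in this commit. A short header saying that the typedef supplies `__SWORD_TYPE` for the musl build (going by the file name) and derives it from the `f_type` member of `struct statfs`, followed by `Upstream-Status: Pending`, would make the origin and intent traceable. The typedef also relies on `struct statfs` being declared by a header included earlier in `mount.ecryptfs_private.c`. That include list lies outside the hunk, so it is worth confirming on musl.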
diff --git a/meta-security/recipes-security/libest/libest_3.2.0.bb b/meta-security/recipes-security/libest/libest_3.2.0.bb
new file mode 100644
index 0000000..f993bd6
--- /dev/null
+++ b/meta-security/recipes-security/libest/libest_3.2.0.bb
@@ -0,0 +1,27 @@
+SUMMARY = "EST is used for secure certificate  \
+enrollment and is compatible with Suite B certs (as well as RSA \
+and DSA certificates)"
+
+LICENSE = "OpenSSL"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885"
+
+SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b"
+SRC_URI = "git://github.com/cisco/libest"
+
+DEPENDS = "openssl"
+
+#fatal error: execinfo.h: No such file or directory
+DEPENDS_append_libc-musl = " libexecinfo"
+
+inherit autotools-brokensep
+
+EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}"
+
+CFLAGS += "-fcommon"
+LDFLAGS_append_libc-musl = " -lexecinfo"
+
+S = "${WORKDIR}/git"
+
+PACKAGES = "${PN} ${PN}-dbg ${PN}-dev"
+
+FILES_${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
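Review bot: `SRC_URI = "git://github.com/cisco/libest"` names no protocol, so the fetcher falls back to the plain git protocol, which is neither encrypted nor authenticated. The apparmor recipe added in this same commit already uses `;protocol=https`, and this line should read `SRC_URI = "git://github.com/cisco/libest;protocol=https"`. The pinned `SRCREV` limits what a tampered transport could substitute, but it does not replace transport security for a certificate-enrollment library. `CFLAGS += "-fcommon"` and `--disable-pthreads` would each benefit from a one-line comment giving the reason, and `FILES_${PN}` hard-codes `libest-3.2.0p.so`, which will stop matching on the next version bump.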
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
index 35365d5..0cf2d70 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
@@ -45,4 +45,4 @@
 FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*"
 FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug"
 
-RDEPENDS_${PN}-ptest = "bash"
+RDEPENDS_${PN}-ptest = "coreutils bash"
diff --git a/meta-security/recipes-security/opendnssec/files/fix_fprint.patch b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch
new file mode 100644
index 0000000..da0bcfe
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch
@@ -0,0 +1,25 @@
+format not a string literal and no format arguments
+
+missing module_str in call
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+../../../git/enforcer/src/keystate/keystate_ds.c:192:7: error: format not a string literal and no format arguments [-Werror=format-security]
+|   192 |       ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds);
+|       |       ^~~~~~~~~~~~~~~~~~~~~~~~
+
+
+Index: git/enforcer/src/keystate/keystate_ds.c
+===================================================================
+--- git.orig/enforcer/src/keystate/keystate_ds.c
++++ git/enforcer/src/keystate/keystate_ds.c
+@@ -189,7 +189,7 @@ exec_dnskey_by_id(int sockfd, struct dbw
+ 						status = 0;
+ 					}
+ 					else {
+-						ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds);
++						ods_log_error_and_printf(sockfd, module_str, "Failed to run %s", cp_ds);
+                                                 status = 7;
+ 					}
+ 				}
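Review bot: The header describes this as a compile fix, but the unpatched call apparently passed `"Failed to run %s"` in the module slot and `cp_ds` as the format argument, which is what `-Werror=format-security` flagged. That makes it an uncontrolled-format-string fix, and the header should say so. Since `cp_ds` looks like a configured command string (its origin is outside the hunk), the fix is worth sending upstream rather than leaving at `Upstream-Status: Pending`. Please also confirm that `module_str` is defined in `keystate_ds.c`, as its declaration is not visible here.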
diff --git a/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
new file mode 100644
index 0000000..126e197
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
@@ -0,0 +1,217 @@
+Configure does not work with OE pkg-config for the ldns option
+
+Upstream-Status: OE specific
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: opendnssec-2.1.6/m4/acx_ldns.m4
+===================================================================
+--- opendnssec-2.1.6.orig/m4/acx_ldns.m4
++++ opendnssec-2.1.6/m4/acx_ldns.m4
+@@ -1,128 +1,65 @@
+-AC_DEFUN([ACX_LDNS],[
+-	AC_ARG_WITH(ldns, 
+-		[AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])],
+-        	[
+-			LDNS_PATH="$withval"
+-			AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin)
+-		],[
+-			LDNS_PATH="/usr/local"
+-			AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH)
+-		])
+-
+-	if test -x "$LDNS_CONFIG"
+-	then
+-		AC_MSG_CHECKING(what are the ldns includes)
+-		LDNS_INCLUDES="`$LDNS_CONFIG --cflags`"
+-		AC_MSG_RESULT($LDNS_INCLUDES)
+-
+-		AC_MSG_CHECKING(what are the ldns libs)
+-		LDNS_LIBS="`$LDNS_CONFIG --libs`"
+-		AC_MSG_RESULT($LDNS_LIBS)
+-	else
+-		AC_MSG_CHECKING(what are the ldns includes)
+-		LDNS_INCLUDES="-I$LDNS_PATH/include"
+-		AC_MSG_RESULT($LDNS_INCLUDES)
+-
+-		AC_MSG_CHECKING(what are the ldns libs)
+-		LDNS_LIBS="-L$LDNS_PATH/lib -lldns"
+-		AC_MSG_RESULT($LDNS_LIBS)
+-	fi
+-
+-	tmp_CPPFLAGS=$CPPFLAGS
+-	tmp_LIBS=$LIBS
+-
+-	CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES"
+-	LIBS="$LIBS $LDNS_LIBS"
+-
+-	AC_CHECK_LIB(ldns, ldns_rr_new,,[AC_MSG_ERROR([Can't find ldns library])])
+-	LIBS=$tmp_LIBS
+-
+-	AC_MSG_CHECKING([for ldns version])
+-	CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3)
+-	AC_LANG_PUSH([C])
+-	AC_RUN_IFELSE([
+-		AC_LANG_SOURCE([[
+-			#include <ldns/ldns.h>
+-			int main()
+-			{
+-			#ifdef LDNS_REVISION
+-				if (LDNS_REVISION >= $CHECK_LDNS_VERSION)
+-					return 0;
+-			#endif
+-				return 1;
+-			}
+-		]])
+-	],[
+-		AC_MSG_RESULT([>= $1.$2.$3])
+-	],[
+-		AC_MSG_RESULT([< $1.$2.$3])
+-		AC_MSG_ERROR([ldns library too old ($1.$2.$3 or later required)])
+-	],[])
+-	AC_LANG_POP([C])
++#serial 11
+ 
+-	CPPFLAGS=$tmp_CPPFLAGS
+-
+-	AC_SUBST(LDNS_INCLUDES)
+-	AC_SUBST(LDNS_LIBS)
+-])
+-
+-
+-AC_DEFUN([ACX_LDNS_NOT],[
+-	AC_ARG_WITH(ldns, 
+-		[AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])],
+-        	[
+-			LDNS_PATH="$withval"
+-			AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin)
+-		],[
+-			LDNS_PATH="/usr/local"
+-			AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH)
+-		])
+-
+-	if test -x "$LDNS_CONFIG"
+-	then
+-		AC_MSG_CHECKING(what are the ldns includes)
+-		LDNS_INCLUDES="`$LDNS_CONFIG --cflags`"
+-		AC_MSG_RESULT($LDNS_INCLUDES)
+-
+-		AC_MSG_CHECKING(what are the ldns libs)
+-		LDNS_LIBS="`$LDNS_CONFIG --libs`"
+-		AC_MSG_RESULT($LDNS_LIBS)
+-	else
+-		AC_MSG_CHECKING(what are the ldns includes)
+-		LDNS_INCLUDES="-I$LDNS_PATH/include"
+-		AC_MSG_RESULT($LDNS_INCLUDES)
+-
+-		AC_MSG_CHECKING(what are the ldns libs)
+-		LDNS_LIBS="-L$LDNS_PATH/lib -lldns"
+-		AC_MSG_RESULT($LDNS_LIBS)
+-	fi
+-
+-	tmp_CPPFLAGS=$CPPFLAGS
+-
+-	CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES"
+-
+-	AC_MSG_CHECKING([for ldns version not $1.$2.$3])
+-	CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3)
+-	AC_LANG_PUSH([C])
+-	AC_RUN_IFELSE([
+-	AC_LANG_SOURCE([[
+-		#include <ldns/ldns.h>
+-		int main()
+-		{
+-		#ifdef LDNS_REVISION
+-			if (LDNS_REVISION != $CHECK_LDNS_VERSION)
+-				return 0;
+-		#endif
+-			return 1;
+-		}
+-		]])
+-	],[
+-		AC_MSG_RESULT([ok])
+-	],[
+-		AC_MSG_RESULT([no])
+-		AC_MSG_ERROR([ldns version $1.$2.$3 is not compatible due to $4])
+-	],[])
+-	AC_LANG_POP([C])
+-
+-	CPPFLAGS=$tmp_CPPFLAGS
++AU_ALIAS([CHECK_LDNS], [ACX_LDNS])
++AC_DEFUN([ACX_LDNS], [
++    found=false
++    AC_ARG_WITH([ldns],
++        [AS_HELP_STRING([--with-ldns=DIR],
++            [root of the lnds directory])],
++        [
++            case "$withval" in
++            "" | y | ye | yes | n | no)
++            AC_MSG_ERROR([Invalid --with-lnds value])
++              ;;
++            *) ldnsdirs="$withval"
++              ;;
++            esac
++        ], [
++            # if pkg-config is installed and lnds has installed a .pc file,
++            # then use that information and don't search ldnsdirs
++            AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
++            if test x"$PKG_CONFIG" != x""; then
++                OPENSSL_LDFLAGS=`$PKG_CONFIG ldns --libs-only-L 2>/dev/null`
++                if test $? = 0; then
++                    LDNS_LIBS=`$PKG_CONFIG ldns --libs-only-l 2>/dev/null`
++                    LDNS_INCLUDES=`$PKG_CONFIG ldns --cflags-only-I 2>/dev/null`
++                    found=true
++                fi
++            fi
++
++            # no such luck; use some default ldnsdirs
++            if ! $found; then
++                ldnsdirs="/usr/local/ldns /usr/lib/ldns /usr/ldns  /usr/local /usr"
++            fi
++        ]
++        )
++
++
++    if ! $found; then
++        LDNS_INCLUDES=
++        for ldnsdir in $ldnsdirs; do
++            AC_MSG_CHECKING([for LDNS in $ldnsdir])
++            if test -f "$ldnsdir/include/ldns/dnssec.h"; then
++                LDNS_INCLUDES="-I$ldnsdir/include"
++                LDNS_LDFLAGS="-L$ldnsdir/lib"
++                LDNS_LIBS="-lldns"
++                found=true
++                AC_MSG_RESULT([yes])
++                break
++            else
++                AC_MSG_RESULT([no])
++            fi
++        done
++
++        # if the file wasn't found, well, go ahead and try the link anyway -- maybe
++        # it will just work!
++    fi
++
++    LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
++    LIBS="$LDNS_LIBS $LIBS"
++    CPPFLAGS="$LDNS_INCLUDES $CPPFLAGS"
++
++    AC_SUBST([LDNS_INCLUDES])
++    AC_SUBST([LDNS_LIBS])
++    AC_SUBST([LDNS_LDFLAGS])
+ ])
+Index: opendnssec-2.1.6/configure.ac
+===================================================================
+--- opendnssec-2.1.6.orig/configure.ac
++++ opendnssec-2.1.6/configure.ac
+@@ -138,9 +138,7 @@ AC_CHECK_MEMBER([struct sockaddr_un.sun_
+ 
+ # common dependencies
+ ACX_LIBXML2
+-ACX_LDNS(1,6,17)
+-ACX_LDNS_NOT(1,6,14, [binary incompatibility, see http://open.nlnetlabs.nl/pipermail/ldns-users/2012-October/000564.html])
+-ACX_LDNS_NOT(1,6,15, [fail to create NSEC3 bitmap for empty non-terminals, see http://www.nlnetlabs.nl/pipermail/ldns-users/2012-November/000565.html])
++ACX_LDNS(1.6.17)
+ ACX_PKCS11_MODULES
+ ACX_RT
+ ACX_LIBC
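Review bot: The rewritten `ACX_LDNS` never uses its argument, so `ACX_LDNS(1.6.17)` in configure.ac no longer enforces a minimum ldns version, and the `AC_CHECK_LIB` link test is gone as well. A `1.6.17` floor would also cover the two releases the removed `ACX_LDNS_NOT` calls excluded, and pkg-config can check it without running a test program, which is presumably why the `AC_RUN_IFELSE` check was dropped for cross builds. The macro also stores the `-L` flags in `OPENSSL_LDFLAGS` while the fallback branch sets `LDNS_LDFLAGS`, so a directory found by the fallback search never reaches `LDFLAGS`; using one variable fixes that. The help and error strings spell the library `lnds`. The default search list (`/usr/local`, `/usr`) points at host paths, which risks host contamination in a cross build if pkg-config is missing.

```m4
            if test x"$PKG_CONFIG" != x""; then
                LDNS_LDFLAGS=`$PKG_CONFIG ldns --libs-only-L 2>/dev/null`
                if test $? = 0; then
                    # enforce the minimum version without running a test program
                    if ! $PKG_CONFIG --atleast-version=$1 ldns; then
                        AC_MSG_ERROR([ldns library too old ($1 or later required)])
                    fi
                    # … unchanged: LDNS_LIBS / LDNS_INCLUDES / found=true …
                fi
            fi
    # … unchanged: fallback directory search …
    LDFLAGS="$LDFLAGS $LDNS_LDFLAGS"
```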
diff --git a/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch
new file mode 100644
index 0000000..b4ed430
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch
@@ -0,0 +1,112 @@
+configure does not work with OE pkg-config for the libxml2 option
+
+Upstream-Status: OE specific
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: opendnssec-2.1.6/m4/acx_libxml2.m4
+===================================================================
+--- opendnssec-2.1.6.orig/m4/acx_libxml2.m4
++++ opendnssec-2.1.6/m4/acx_libxml2.m4
+@@ -1,37 +1,67 @@
++#serial 11
++AU_ALIAS([CHECK_XML2], [ACX_LIBXML2])
+ AC_DEFUN([ACX_LIBXML2],[
+-	AC_ARG_WITH(libxml2,
+-		[AS_HELP_STRING([--with-libxml2=DIR],[look for libxml2 in this dir])],
+-        	[
+-			XML2_PATH="$withval"
+-			AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $XML2_PATH/bin)
+-		],[
+-			XML2_PATH="/usr/local"
+-			AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $PATH)
+-		])
+-	if test -x "$XML2_CONFIG"
+-	then
+-		AC_MSG_CHECKING(what are the xml2 includes)
+-		XML2_INCLUDES="`$XML2_CONFIG --cflags`"
+-		AC_MSG_RESULT($XML2_INCLUDES)
+-
+-		AC_MSG_CHECKING(what are the xml2 libs)
+-		XML2_LIBS="`$XML2_CONFIG --libs`"
+-		AC_MSG_RESULT($XML2_LIBS)
+-
+-		tmp_CPPFLAGS=$CPPFLAGS
+-		tmp_LIBS=$LIBS
+-
+-		CPPFLAGS="$CPPFLAGS $XML2_INCLUDES"
+-		LIBS="$LIBS $XML2_LIBS"
+-
+-		AC_CHECK_LIB(xml2, xmlDocGetRootElement,,[AC_MSG_ERROR([Can't find libxml2 library])])
+-		
+-		CPPFLAGS=$tmp_CPPFLAGS
+-		LIBS=$tmp_LIBS
+-	else
+-		AC_MSG_ERROR([libxml2 required, but not found.])
+-	fi
++    found=false
++    AC_ARG_WITH([libxml2],
++        [AS_HELP_STRING([--with-libxml2=DIR],
++            [root of the libxml directory])],
++        [
++            case "$withval" in
++            "" | y | ye | yes | n | no)
++            AC_MSG_ERROR([Invalid --with-libxml2 value])
++              ;;
++            *) xml2dirs="$withval"
++              ;;
++            esac
++        ], [
++            # if pkg-config is installed and openssl has installed a .pc file,
++            # then use that information and don't search ssldirs
++            AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
++            if test x"$PKG_CONFIG" != x""; then
++                XML2_LDFLAGS=`$PKG_CONFIG libxml-2.0 --libs-only-L 2>/dev/null`
++                if test $? = 0; then
++                    XML2_LIBS=`$PKG_CONFIG libxml-2.0 --libs-only-l 2>/dev/null`
++                    XML2_INCLUDES=`$PKG_CONFIG libxml-2.0 --cflags-only-I 2>/dev/null`
++                    found=true
++                fi
++            fi
+ 
+-	AC_SUBST(XML2_INCLUDES)
+-	AC_SUBST(XML2_LIBS)
++            # no such luck; use some default ssldirs
++            if ! $found; then
++                xml2dirs="/usr/local/libxml /usr/lib/libxml /usr/libxml /usr/pkg /usr/local /usr"
++            fi
++        ]
++        )
++
++
++    # note that we #include <libxml/tree.h>, so the libxml2 headers have to be in
++    # an 'libxml' subdirectory
++
++    if ! $found; then
++        XML2_INCLUDES=
++        for xml2dir in $xml2dirs; do
++            AC_MSG_CHECKING([for XML2 in $xml2dir])
++            if test -f "$xml2dir/include/libxml2/libxml/tree.h"; then
++                XML2_INCLUDES="-I$xml2dir/include/libxml2"
++                XML2_LDFLAGS="-L$xml2dir/lib"
++                XML2_LIBS="-lxml2"
++                found=true
++                AC_MSG_RESULT([yes])
++                break
++            else
++                AC_MSG_RESULT([no])
++            fi
++        done
++
++        # if the file wasn't found, well, go ahead and try the link anyway -- maybe
++        # it will just work!
++    fi
++
++    LDFLAGS="$LDFLAGS $XML2_LDFLAGS"
++    LIBS="$XML2_LIBS $LIBS"
++    CPPFLAGS="$XML2_INCLUDES $CPPFLAGS"
++
++    AC_SUBST(XML2_INCLUDES)
++    AC_SUBST(XML2_LIBS)
++    AC_SUBST(XML2_LDFLAGS)
+ ])
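Review bot: The rewritten ACX_LIBXML2 can no longer fail configure when libxml2 is missing, because the old `AC_CHECK_LIB(xml2, xmlDocGetRootElement,,[AC_MSG_ERROR(...)])` and the `libxml2 required, but not found.` error are both removed. If the header search finds nothing, the macro falls through with the "try the link anyway" comment, so a missing or wrong-sysroot library only surfaces at compile or link time. I would restore a hard check after the flags are set, for example `AC_CHECK_LIB([xml2], [xmlDocGetRootElement], [], [AC_MSG_ERROR([Can't find libxml2 library])])`. The comments in the pkg-config branch still refer to openssl and `ssldirs` and should name libxml2 and `xml2dirs`. The patch header would also normally read `Upstream-Status: Inappropriate [OE specific]` rather than `Upstream-Status: OE specific`.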
diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb
new file mode 100644
index 0000000..5e42ca8
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb
@@ -0,0 +1,37 @@
+SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones"
+
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937"
+
+DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml "
+
+SRC_URI = "git://github.com/opendnssec/opendnssec;branch=develop \
+           file://libxml2_conf.patch \
+           file://libdns_conf_fix.patch \
+           file://fix_fprint.patch \
+           "
+
+SRCREV = "5876bccb38428790e2e9afc806ca68b029879874"
+
+inherit autotools pkgconfig perlnative
+
+S = "${WORKDIR}/git"
+
+EXTRA_OECONF = " --with-libxml2=${STAGING_DIR_HOST}/usr --with-ldns=${STAGING_DIR_HOST}/usr \
+                 --with-ssl=${STAGING_DIR_HOST}/usr  "
+
+CFLAGS += "-fcommon"
+
+PACKAGECONFIG ?= "sqlite3"
+
+PACKAGECONFIG[cunit] = "--with-cunit=${STAGING_DIR_HOST}/usr, --without-cunit,"
+PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_DIR_HOST}/usr, ,sqlite3, sqlite3"
+PACKAGECONFIG[mysql] = "--with-mysql=yes, , mariadb, mariadb"
+PACKAGECONFIG[readline]  = "--with-readline, --without-readline, readline"
+PACKAGECONFIG[unwind] = "--with-libunwind, --without-libunwind"
+
+do_install_append () {
+    rm -rf ${D}${localstatedir}/run
+}
+
+RDEPENDS_${PN} = "softhsm"
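Review bot: `SRC_URI` uses the `git://` scheme with no `protocol=` parameter, so the source for this DNSSEC signer is presumably fetched over the unauthenticated, unencrypted git protocol. The pinned `SRCREV` limits what a tampered transport could deliver, but I would not rely on that alone and would write `git://github.com/opendnssec/opendnssec;branch=develop;protocol=https`. The recipe is named 2.1.6 while tracking `branch=develop`, so a comment stating which release or tag the `SRCREV` corresponds to would help later CVE triage. `CFLAGS += "-fcommon"` also deserves a one-line comment explaining the build failure it works around, so it can be dropped once upstream no longer needs it.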
diff --git a/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb b/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb
new file mode 100644
index 0000000..74e837a
--- /dev/null
+++ b/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb
@@ -0,0 +1,30 @@
+SUMMARY = "SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface."
+HOMEPAGE = "www.opendnssec.org"
+
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210"
+
+DEPENDS = "sqlite3"
+
+SRC_URI = "https://dist.opendnssec.org/source/softhsm-2.6.1.tar.gz"
+SRC_URI[sha256sum] = "61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2"
+
+inherit autotools pkgconfig siteinfo
+
+EXTRA_OECONF += " --with-sqlite3=${STAGING_DIR_HOST}/usr"
+EXTRA_OECONF += "${@oe.utils.conditional('SITEINFO_BITS', '64', ' --enable-64bit', '', d)}"
+
+PACKAGECONFIG ?= "pk11 openssl"
+
+PACKAGECONFIG[npm] = ",--disable-non-paged-memory"
+PACKAGECONFIG[ecc] = "--enable-ecc,--disable-ecc"
+PACKAGECONFIG[gost] = "--enable-gost,--disable-gost"
+PACKAGECONFIG[eddsa] = "--enable-eddsa, --disable-eddsa"
+PACKAGECONFIG[fips] = "--enable-fips, --disable-fips"
+PACKAGECONFIG[notvisable] = "--disable-visibility"
+PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr --with-crypto-backend=openssl, --without-openssl, openssl, openssl"
+PACKAGECONFIG[botan] = "--with-botan=${STAGING_DIR_HOST}/usr --with-crypto-backend=botan, --without-botan, botan"
+PACKAGECONFIG[migrate] = "--with-migrate"
+PACKAGECONFIG[pk11] = "--enable-p11-kit --with-p11-kit==${STAGING_DIR_HOST}/usr, --without-p11-kit, p11-kit, p11-kit"
+
+RDEPENDS_${PN} = "sqlite3"
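Review bot: `PACKAGECONFIG[pk11]` passes `--with-p11-kit==${STAGING_DIR_HOST}/usr` with a doubled `=`, so configure receives a path that starts with a literal `=`. Because `pk11` is in the default `PACKAGECONFIG`, this affects every default build; the entry should read `--enable-p11-kit --with-p11-kit=${STAGING_DIR_HOST}/usr`. Separately, `PACKAGECONFIG[npm] = ",--disable-non-paged-memory"` combined with a default that omits `npm` means the default build is configured with non-paged memory disabled. For a key store this presumably allows secret material to be swapped to disk, so I would either add `npm` to the default or add a comment justifying the choice. `notvisable` looks like a misspelling of `notvisible`, and `HOMEPAGE` lacks a URL scheme.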
diff --git a/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
new file mode 100644
index 0000000..1a22332
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
@@ -0,0 +1,32 @@
+From 37a0999e5a9f54e1c61a02a7fbab6fcd04738b3c Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Thu, 8 Oct 2020 05:54:13 -0700
+Subject: [PATCH] Provide missing defines which otherwise are available on
+ glibc system headers
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upsteam-Status: Pending
+
+---
+ src/util/util.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/util/util.h b/src/util/util.h
+index 8a754dbfd..6e55b4bdc 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -76,6 +76,10 @@
+ #define MAX(a, b)  (((a) > (b)) ? (a) : (b))
+ #endif
+ 
++#ifndef ALLPERMS
++# define ALLPERMS (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)/* 07777 */
++#endif
++
+ #define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS
+ 
+ #define SSSD_SERVER_OPTS(uid, gid) \
+-- 
+2.17.1
+
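Review bot: The status tag in the patch header is misspelt as `Upsteam-Status: Pending`, so tooling that scans patches for `Upstream-Status:` will likely treat this patch as having no status; it should read `Upstream-Status: Pending`. The header would also be clearer if it said the define is needed for musl builds, which is what the recipe change suggests. The new `ALLPERMS` fallback depends on the `S_I*` macros from `<sys/stat.h>`. The hunk does not show whether `util.h` already includes that header, which is worth confirming.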
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/meta-security/recipes-security/sssd/sssd_1.16.5.bb
similarity index 94%
rename from meta-security/recipes-security/sssd/sssd_1.16.4.bb
rename to meta-security/recipes-security/sssd/sssd_1.16.5.bb
index e54fa98..9784ec7 100644
--- a/meta-security/recipes-security/sssd/sssd_1.16.4.bb
+++ b/meta-security/recipes-security/sssd/sssd_1.16.5.bb
@@ -6,7 +6,9 @@
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
+DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
+
+DEPENDS_append_libc-musl = " musl-nscd"
 
 # If no crypto has been selected, default to DEPEND on nss, since that's what
 # sssd will pick if no active choice is made during configure
@@ -19,10 +21,10 @@
            file://fix-ldblibdir.patch \
            file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
            file://0001-nss-Collision-with-external-nss-symbol.patch \
+           file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \
            "
 
-SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
-SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
+SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0"
 
 inherit autotools pkgconfig gettext python3-dir features_check systemd
 
diff --git a/meta-security/wic/systemd-bootdisk-dmverity.wks.in b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
new file mode 100644
index 0000000..ef114ca
--- /dev/null
+++ b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
@@ -0,0 +1,15 @@
+# A dm-verity variant of the regular wks for IA machines. We need to fetch
+# the partition images from the IMGDEPLOYDIR as the rootfs source plugin will
+# not recreate the exact block device corresponding with the hash tree. We must
+# not alter the label or any other setting on the image.
+# Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
+#
+# This .wks only works with the dm-verity-img class.
+
+part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid
+
+part / --source rawcopy --ondisk sda  --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
+
+part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid
+
+bootloader --ptable gpt --timeout=5 --append=" "
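Review bot: The header comment explains the rawcopy choice but does not say what the verity protection covers. Only the `/` partition is a `.verity` image, while `/boot` (systemd-boot, kernel, `microcode.cpio`) and the swap partition are plain. Since `--append=" "` puts no root hash on the kernel command line, the hash presumably reaches the kernel through the initramfs, which would then sit on the unverified `/boot` unless UEFI Secure Boot or a similar mechanism authenticates it. I would add a comment such as `# NOTE: dm-verity covers only the rootfs; /boot must be authenticated separately (e.g. UEFI Secure Boot).` and reconsider whether an unencrypted swap partition is wanted on this image. The hard-coded `--ondisk sda` and the `msdos` label on an EFI boot partition could also use a short explanation.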