meta-security: subtree update:30ea7a89dc..d75dc96fa3
Armin Kuster (11):
python-scapy: drop py2 package
packagegroup-core-security-ptest: only included if ptest is enabled
packagegroup-core-security: update package name
busybox: fix sig changes when layer added
initramfs-framework-ima: correct IMA_POLICY name
apparmor: drop lsb RDEPENDS
openscap: Drop nostamp
scap-security-guide: add depends on openscap-native do_install
cryptsetup-tpm-incubator: fix QA error RDEPENDS
oe-scap: Fix QA RDEPENDS error
suricata: update to 4.1.4
Stefan Agner (1):
libseccomp: build static library always
Change-Id: Ia2f8aec978de4f3d20c13be3c12b70a7badc29d5
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index 6057e8d..95c853a 100644
--- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -12,7 +12,7 @@
# This policy file will get installed as /etc/ima/ima-policy.
# It is located via the normal file search path, so a .bbappend
# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_hashed"
+IMA_POLICY ?= "ima-policy-hashed"
SRC_URI = " file://ima"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
index e84ed30..fd53fcb 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
@@ -30,4 +30,4 @@
FILES_${PN} += "${datadir}/oe-scap"
-RDEPENDS_${PN} = "openscap"
+RDEPENDS_${PN} = "openscap bash"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index ed8d8ff..afa576a 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -40,15 +40,14 @@
sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h
}
-do_clean[cleandirs] += "${STAGING_OSCAP_BUILDDIR}"
-do_install[nostamp] = "1"
-
+do_install_class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
do_install_append_class-native () {
oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
install -d $oscapdir
cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir
}
+
FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}"
RDEPENDS_${PN} += "libxml2 python3-core libgcc bash"
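Review bot: The `cleandirs` flag is attached to `do_install_class-native`, but the only native install code visible here is `do_install_append_class-native`, and as far as I can tell BitBake does not resolve varflags through overrides, so the flag probably never reaches the `do_install` task. Check `bitbake -e openscap-native` for `do_install[cleandirs]`. If it is missing, stale files under `${STAGING_OSCAP_BUILDDIR}` survive rebuilds now that `nostamp` is gone, and scap-security-guide would be built against whatever was left there. A form that does not depend on flag handling is to start `do_install_append_class-native` with `rm -rf ${STAGING_OSCAP_BUILDDIR}` before the `install -d`. The function that ends just above the removed lines starts outside the hunk.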
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
index 341721a..3212310 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -7,14 +7,11 @@
LICENSE = "LGPL-2.1"
DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native"
-RDEPENDS_${PN} = "openscap"
S = "${WORKDIR}/git"
inherit cmake pkgconfig python3native
-#PARALLEL_MAKE = ""
-
STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
OECMAKE_GENERATOR = "Unix Makefiles"
@@ -23,9 +20,13 @@
B = "${S}/build"
+do_configure[depends] += "openscap-native:do_install"
+
do_configure_prepend () {
sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt
}
FILES_${PN} += "${datadir}/xml"
+
+RDEPENDS_${PN} = "openscap"
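Review bot: The added `do_configure[depends] += "openscap-native:do_install"` has no comment explaining why a task-level dependency is needed when `openscap-native` is already in `DEPENDS`. The reason appears to be that this recipe reads `${STAGING_OSCAP_BUILDDIR}` under `work-shared`, which is filled by openscap-native's install step rather than delivered through the sysroot, so a sysroot restored from sstate would leave it empty. I would record that above the line, e.g. `# ${STAGING_OSCAP_BUILDDIR} is written by openscap-native:do_install and is not part of its sysroot output, so DEPENDS alone does not guarantee it exists`. Without the comment the line looks redundant and is likely to be removed in a later cleanup.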
diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
index 8b50445..8385c94 100644
--- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
@@ -32,7 +32,7 @@
kernel-module-xts \
"
-RDEPENDS_${PN} += "lvm2"
+RDEPENDS_${PN} += "lvm2 libdevmapper"
RRECOMMENDS_${PN} += "lvm2-udevrules"
RREPLACES_${PN} = "cryptsetup"
diff --git a/meta-security/recipes-core/busybox/busybox_%.bbappend b/meta-security/recipes-core/busybox/busybox_%.bbappend
index 8bb0706..27a2482 100644
--- a/meta-security/recipes-core/busybox/busybox_%.bbappend
+++ b/meta-security/recipes-core/busybox/busybox_%.bbappend
@@ -1,3 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://head.cfg"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'busybox_libsecomp.inc', '', d)}
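Review bot: The include is named `busybox_libsecomp.inc` (libseccomp misspelled) while the condition on this `require` line tests the `ptest` distro feature, so neither the name nor the gate says what `head.cfg` is for. A short comment above the `require`, such as `# head.cfg is only needed by the libseccomp ptest; keep busybox untouched unless ptest is enabled`, would make the intent reviewable, assuming that is the reason. The same applies to the new `busybox_libsecomp.inc` in the next hunk, which has no header comment. Note also that any distro with `ptest` in `DISTRO_FEATURES` still gets a changed busybox configuration just from adding the layer; if the aim is a strictly opt-in change, a layer-specific feature name would be a tighter gate.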
diff --git a/meta-security/recipes-core/busybox/busybox_libsecomp.inc b/meta-security/recipes-core/busybox/busybox_libsecomp.inc
new file mode 100644
index 0000000..4af22ce
--- /dev/null
+++ b/meta-security/recipes-core/busybox/busybox_libsecomp.inc
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/busybox:"
+
+SRC_URI_append = " file://head.cfg"
diff --git a/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch b/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch
new file mode 100644
index 0000000..74e9a56
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch
@@ -0,0 +1,26 @@
+From b37554e0bc3cf383e6547c5c6a69c6f6849c09e3 Mon Sep 17 00:00:00 2001
+From: Eric Leblond <eric@regit.org>
+Date: Wed, 17 Jul 2019 12:35:12 +0200
+Subject: [PATCH] af-packet: fix build on recent Linux kernels
+
+Upstream-Status: Backport
+Signed-off-by: Armin kuster <akuster808@gmail.com>
+---
+ src/source-af-packet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: suricata-4.1.4/src/source-af-packet.c
+===================================================================
+--- suricata-4.1.4.orig/src/source-af-packet.c
++++ suricata-4.1.4/src/source-af-packet.c
+@@ -64,6 +64,10 @@
+ #include <sys/ioctl.h>
+ #endif
+
++#if HAVE_LINUX_SOCKIOS_H
++#include <linux/sockios.h>
++#endif
++
+ #ifdef HAVE_PACKET_EBPF
+ #include "util-ebpf.h"
+ #include <bpf/libbpf.h>
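Review bot: The added include is guarded by `#if HAVE_LINUX_SOCKIOS_H`, but the patch touches only `src/source-af-packet.c` and nothing visible makes configure define that macro. If suricata 4.1.4's configure script has no header check for `linux/sockios.h`, the guard evaluates to 0 and the include is silently skipped, so the build fix has no effect. Please confirm the check exists in the 4.1.4 tarball, or carry the configure.ac part of the upstream change as well. Separately, `Upstream-Status: Backport` would normally name the upstream commit or URL, e.g. `Upstream-Status: Backport [upstream commit b37554e0bc3c]`, if the hash in the `From` line is indeed the upstream one.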
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.29.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.30.bb
similarity index 100%
rename from meta-security/recipes-ids/suricata/libhtp_0.5.29.bb
rename to meta-security/recipes-ids/suricata/libhtp_0.5.30.bb
diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc
index 7be403c..54f91c5 100644
--- a/meta-security/recipes-ids/suricata/suricata.inc
+++ b/meta-security/recipes-ids/suricata/suricata.inc
@@ -2,8 +2,8 @@
SECTION = "security Monitor/Admin"
LICENSE = "GPLv2"
-VER = "4.1.3"
+VER = "4.1.4"
SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-SRC_URI[md5sum] = "35c4a8e6be3910831649a073950195df"
-SRC_URI[sha256sum] = "6cda6c80b753ce36483c6be535358b971f3890b9aa27a58c2d2f7e89dd6c6aa0"
+SRC_URI[md5sum] = "cb8bf6b8330c44ae78dfb5b083a6fe82"
+SRC_URI[sha256sum] = "2da50d91f92adf8b1af930f388361f76424420b88f553f610e2780e4240f2009"
diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.3.bb b/meta-security/recipes-ids/suricata/suricata_4.1.4.bb
similarity index 95%
rename from meta-security/recipes-ids/suricata/suricata_4.1.3.bb
rename to meta-security/recipes-ids/suricata/suricata_4.1.4.bb
index d6f5937..f860af9 100644
--- a/meta-security/recipes-ids/suricata/suricata_4.1.3.bb
+++ b/meta-security/recipes-ids/suricata/suricata_4.1.4.bb
@@ -7,11 +7,12 @@
SRC_URI += "file://emerging.rules.tar.gz;name=rules"
SRC_URI += " \
- file://volatiles.03_suricata \
- file://suricata.yaml \
- file://suricata.service \
- file://run-ptest \
- "
+ file://volatiles.03_suricata \
+ file://suricata.yaml \
+ file://suricata.service \
+ file://run-ptest \
+ file://0001-af-packet-fix-build-on-recent-Linux-kernels.patch \
+ "
SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33"
SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798"
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb
index 9322018..8484404 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.3.bb
@@ -160,7 +160,7 @@
FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-RDEPENDS_${PN} += "bash lsb"
+RDEPENDS_${PN} += "bash"
RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
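Review bot: Dropping `lsb` from `RDEPENDS_${PN}` is paired with removing `. /lib/lsb/init-functions` from `files/apparmor` in the next hunk, but neither hunk shows whether the rest of the init script still calls helpers that file provided (the `log_*` family is the usual case). If any such call remains and `/lib/apparmor/functions` does not define it, the script fails at boot with "command not found" and profiles may not be loaded, which leaves the system running unconfined. It is worth grepping the script and `/lib/apparmor/functions` for `log_` before merging. The init script body continues outside the visible hunk.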
diff --git a/meta-security/recipes-mac/AppArmor/files/apparmor b/meta-security/recipes-mac/AppArmor/files/apparmor
index ac3ab9a..604e48d 100644
--- a/meta-security/recipes-mac/AppArmor/files/apparmor
+++ b/meta-security/recipes-mac/AppArmor/files/apparmor
@@ -47,7 +47,6 @@
}
. /lib/apparmor/functions
-. /lib/lsb/init-functions
usage() {
echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
index dba1be5..37a7982 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
@@ -17,6 +17,8 @@
PACKAGECONFIG ??= ""
PACKAGECONFIG[python] = "--enable-python, --disable-python, python"
+DISABLE_STATIC = ""
+
do_compile_ptest() {
oe_runmake -C tests check-build
}
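Review bot: `DISABLE_STATIC = ""` is added without a comment, so a reader cannot tell which consumer needs the static archive or that this deliberately overrides a distro-wide static-library policy. I would add something like `# Always build libseccomp.a: needed by <consumer>; overrides the distro's --disable-static default`, with the consumer filled in. Naming the consumer matters for a sandboxing library, because anything linked statically against it has to be rebuilt to pick up a libseccomp fix.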
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
index ddcf208..39873b8 100644
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
+++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
@@ -3,6 +3,10 @@
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+inherit distro_features_check
+
+REQUIRED_DISTRO_FEATURES = "ptest"
+
PACKAGES = "\
${PN} \
"
@@ -15,7 +19,7 @@
samhain-standalone-ptest \
keyutils-ptest \
libseccomp-ptest \
- python-scapy-ptest \
+ python3-scapy-ptest \
suricata-ptest \
tripwire-ptest \
python-fail2ban-ptest \
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
index 20ba46f..e0a9d05 100644
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -11,7 +11,6 @@
packagegroup-security-scanners \
packagegroup-security-ids \
packagegroup-security-mac \
- ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \
"
RDEPENDS_packagegroup-core-security = "\
@@ -19,7 +18,6 @@
packagegroup-security-scanners \
packagegroup-security-ids \
packagegroup-security-mac \
- ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \
"
SUMMARY_packagegroup-security-utils = "Security utilities"
@@ -27,7 +25,7 @@
checksec \
nmap \
pinentry \
- python-scapy \
+ python3-scapy \
ding-libs \
keyutils \
libseccomp \
diff --git a/meta-security/recipes-security/scapy/files/run-ptest b/meta-security/recipes-security/scapy/files/run-ptest
index 91b29f9..797d8ec 100644
--- a/meta-security/recipes-security/scapy/files/run-ptest
+++ b/meta-security/recipes-security/scapy/files/run-ptest
@@ -1,4 +1,4 @@
#!/bin/sh
-UTscapy -t regression.uts -f text -l -C \
+UTscapy3 -t regression.uts -f text -l -C \
-o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \
2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/'
diff --git a/meta-security/recipes-security/scapy/python-scapy.inc b/meta-security/recipes-security/scapy/python-scapy.inc
deleted file mode 100644
index 28e13f2..0000000
--- a/meta-security/recipes-security/scapy/python-scapy.inc
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "Network scanning and manipulation tool"
-DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc."
-SECTION = "security"
-LICENSE = "GPLv2"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-S = "${WORKDIR}/git"
-
-SRCREV = "3047580162a9407ef05fe981983cacfa698f1159"
-SRC_URI = "git://github.com/secdev/scapy.git"
-
-inherit ptest
-
-do_install_ptest() {
- install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH}
- sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest
-}
-
-RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \
- ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \
- ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto"
diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.3.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.3.bb
deleted file mode 100644
index 982620e..0000000
--- a/meta-security/recipes-security/scapy/python-scapy_2.4.3.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-inherit setuptools
-require python-scapy.inc
-
-SRC_URI += "file://run-ptest"
-
-RDEPENDS_${PN} += "${PYTHON_PN}-subprocess"
-
-do_install_append() {
- mv ${D}${bindir}/scapy ${D}${bindir}/scapy2
- mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy2
-}
diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb
index abcaeeb..925f188 100644
--- a/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb
+++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb
@@ -1,9 +1,30 @@
-inherit setuptools3
-require python-scapy.inc
+SUMMARY = "Network scanning and manipulation tool"
+DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc."
+SECTION = "security"
+LICENSE = "GPLv2"
-SRC_URI += "file://run-ptest"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+S = "${WORKDIR}/git"
+
+SRCREV = "3047580162a9407ef05fe981983cacfa698f1159"
+SRC_URI = "git://github.com/secdev/scapy.git \
+ file://run-ptest"
+
+S = "${WORKDIR}/git"
+
+inherit setuptools3 ptest
do_install_append() {
mv ${D}${bindir}/scapy ${D}${bindir}/scapy3
mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3
}
+
+do_install_ptest() {
+ install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH}
+ sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest
+}
+
+RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \
+ ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \
+ ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto"
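Review bot: `S = "${WORKDIR}/git"` is now assigned twice in this recipe, once after `LIC_FILES_CHKSUM` and again after `SRC_URI`; the second copy is left over from inlining the old `.inc` and should be dropped. The fetch line uses the plain `git://` transport, so the pinned `SRCREV` is the only integrity control; adding `;protocol=https` to the `git://github.com/secdev/scapy.git` entry gives transport authentication as well. The `RDEPENDS_${PN}` list still pulls in `${PYTHON_PN}-pycrypto` next to `${PYTHON_PN}-cryptography`; pycrypto is unmaintained, so it is worth checking whether scapy 2.4.3 on Python 3 still needs it and removing it if not.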