meta-security: subtree update:b72cc7f87c..95fe86eb98
André Draszik (1):
linux-yocto: update the bbappend to 5.x
Armin Kuster (36):
README: add pull request option
sssd: drop py2 support
python3-fail2ban: update to latest
Apparmor: fix some runtime depends
linux-yocto-dev: remove "+"
checksecurity: fix runtime issues
buck-security: fix rdebends and minor style cleanup
swtpm: fix configure error
ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory
bastille: convert to py3
tpm2-tools: update to 4.1.1
tpm2-tcti-uefi: fix build issue for i386 machine
tpm2-tss: update to 2.3.2
ibmswtpm2: update to 1563
python3-fail2ban: add 2-3 conversion changes
google-authenticator-libpam: install module in pam location
apparmor: update to tip
clamav: add bison-native to depend
meta-security-isafw: import layer from Intel
isafw: fix to work against master
layer.conf: add zeus
README.md: update to new maintainer
clamav-native: missed bison fix
secuirty*-image: remove dead var and minor cleanup
libtpm: fix build issue over pod2man
sssd: python2 not supported
libseccomp: update to 2.4.3
lynis: add missing rdepends
fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog
chkrootkit: add rootkit recipe
clamav: move to recipes-scanners
checksec: move to recipe-scanners
checksecurity: move to recipes-scanners
buck-security: move to recipes-scanners
arpwatch: add new recipe
buck-security: fix runtime issue with missing per module
Bartosz Golaszewski (3):
linux: drop the bbappend for linux v4.x series
classes: provide a class for generating dm-verity meta-data images
dm-verity: add a working example for BeagleBone Black
Haseeb Ashraf (1):
samhain: dnmalloc hash fix for aarch64 and mips64
Jan Luebbe (2):
apparmor: fix wrong executable permission on service file
apparmor: update to 2.13.4
Jonatan Pålsson (10):
README: Add meta-python to list of layer deps
sssd: Add PACKAGECONFIG for python2
sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto
sssd: DEPEND on nss if nothing else is chosen
sssd: Sort PACKAGECONFIG entries
sssd: Add autofs PACKAGECONFIG
sssd: Add sudo PACKAGECONFIG
sssd: Add missing files to SYSTEMD_SERVICE
sssd: Add missing DEPENDS on jansson
sssd: Add infopipe PACKAGECONFIG
Kai Kang (1):
sssd: fix for ldblibdir and systemd etc
Martin Jansa (1):
layer.conf: update LAYERSERIES_COMPAT for dunfell
Mingli Yu (1):
linux-yocto: update the bbappend to 5.x
Pierre-Jean Texier via Lists.Yoctoproject.Org (1):
google-authenticator-libpam: upgrade 1.07 -> 1.08
Yi Zhao (5):
samhain: fix build with new version attr
scap-security-guide: fix xml parsing error when build remediation files
scap-security-guide: pass the correct schema file path to openscap-native
openscap-daemon: add missing runtime dependencies
samhain-server: add volatile file for systemd
Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/meta-security/meta-security-isafw/lib/isafw/isafw.py b/meta-security/meta-security-isafw/lib/isafw/isafw.py
new file mode 100644
index 0000000..a1a76b8
--- /dev/null
+++ b/meta-security/meta-security-isafw/lib/isafw/isafw.py
@@ -0,0 +1,158 @@
+#
+# isafw.py - Main classes for ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+from __future__ import absolute_import, print_function
+
+import sys
+import traceback
+try:
+ # absolute import
+ import isafw.isaplugins as isaplugins
+except ImportError:
+ # relative import when installing as separate modules
+ import isaplugins
+try:
+ from bb import error
+except ImportError:
+ error = print
+
+__all__ = [
+ 'ISA_package',
+ 'ISA_pkg_list',
+ 'ISA_kernel',
+ 'ISA_filesystem',
+ 'ISA_config',
+ 'ISA',
+]
+
+# classes for representing objects for ISA plugins
+
+# source package
+
+
+class ISA_package:
+ # pkg name (mandatory argument)
+ name = ""
+ # full version (mandatory argument)
+ version = ""
+ licenses = [] # list of licences for all subpackages
+ aliases = [] # list of alias names for packages if exist
+ source_files = [] # list of strings of source files
+ patch_files = [] # list of patch files to be applied
+ path_to_sources = "" # path to the source files
+
+# package list
+
+
+class ISA_pkg_list:
+ # image name (mandatory argument)
+ img_name = ""
+ # path to the pkg list file (mandatory argument)
+ path_to_list = ""
+
+# kernel
+
+
+class ISA_kernel:
+ # image name (mandatory argument)
+ img_name = ""
+ # path to the kernel config file (mandatory argument)
+ path_to_config = ""
+
+# filesystem
+
+
+class ISA_filesystem:
+ # image name (mandatory argument)
+ img_name = ""
+ type = "" # filesystem type
+ # path to the fs location (mandatory argument)
+ path_to_fs = ""
+
+# configuration of ISAFW
+# if both whitelist and blacklist is empty, all avaliable plugins will be used
+# if whitelist has entries, then only whitelisted plugins will be used from a set of avaliable plugins
+# if blacklist has entries, then the specified plugins won't be used even
+# if avaliable and even if specified in whitelist
+
+
+class ISA_config:
+ plugin_whitelist = "" # comma separated list of plugins to whitelist
+ plugin_blacklist = "" # comma separated list of plugins to blacklist
+ cacert = None # If set, a CA certificate file that replaces the system default one
+ reportdir = "" # location of produced reports
+ logdir = "" # location of produced logs
+ timestamp = "" # timestamp of the build provided by build system
+ full_reports = False # produce full reports for plugins, False by default
+ machine = "" # name of machine build is produced for
+ la_plugin_image_whitelist = ""# whitelist of images for violating license checks
+ la_plugin_image_blacklist = ""# blacklist of images for violating license checks
+ arch = "" # target architecture
+
+class ISA:
+ def call_plugins(self, methodname, *parameters, **keywords):
+ for name in isaplugins.__all__:
+ plugin = getattr(isaplugins, name)
+ method = getattr(plugin, methodname, None)
+ if not method:
+ # Not having init() is an error, everything else is optional.
+ if methodname == "init":
+ error("No init() defined for plugin %s.\n"
+ "Skipping this plugin." %
+ (methodname, plugin.getPluginName()))
+ continue
+ if self.ISA_config.plugin_whitelist and plugin.getPluginName() not in self.ISA_config.plugin_whitelist:
+ continue
+ if self.ISA_config.plugin_blacklist and plugin.getPluginName() in self.ISA_config.plugin_blacklist:
+ continue
+ try:
+ method(*parameters, **keywords)
+ except:
+ error("Exception in plugin %s %s():\n%s" %
+ (plugin.getPluginName(),
+ methodname,
+ traceback.format_exc()))
+
+ def __init__(self, ISA_config):
+ self.ISA_config = ISA_config
+ self.call_plugins("init", ISA_config)
+
+ def process_package(self, ISA_package):
+ self.call_plugins("process_package", ISA_package)
+
+ def process_pkg_list(self, ISA_pkg_list):
+ self.call_plugins("process_pkg_list", ISA_pkg_list)
+
+ def process_kernel(self, ISA_kernel):
+ self.call_plugins("process_kernel", ISA_kernel)
+
+ def process_filesystem(self, ISA_filesystem):
+ self.call_plugins("process_filesystem", ISA_filesystem)
+
+ def process_report(self):
+ self.call_plugins("process_report")