meta-security: subtree update:066a04425c..787ba6faea
Armin Kuster (10):
lynis: update to 3.0.0
security images: Move to recipe-core
security packagegroups: move to recipes-core
packagegroup-security-tpm: add more packages for building
packagegroup-core-security: remove clamav for riscv*
libsecomp: rv32/rv64 target builds are not supported yet
packagegroup-core-security: remove libseccomp for riscv*
libseccomp: update to 2.5.0
packagegroup-core-security: restore riscv64 for libssecomp
trousers: Several Security fixes
Charlie Davies (1):
clamav: add INSTALL_CLAMAV_CVD flag to do_install
Kai Kang (1):
libseccomp: fix cross compile error for mips
Yi Zhao (1):
ibmswtpm2: upgrade 1563 -> 1628
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I0341c0d4cd61fb6ef7db6a29f9fc60de3caa822f
diff --git a/meta-security/recipes-security/images/security-build-image.bb b/meta-security/recipes-security/images/security-build-image.bb
deleted file mode 100644
index a8757f9..0000000
--- a/meta-security/recipes-security/images/security-build-image.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-DESCRIPTION = "A small image for building meta-security packages"
-
-IMAGE_FEATURES += "ssh-server-openssh"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- packagegroup-core-security \
- os-release"
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-build-image"
-
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/meta-security/recipes-security/images/security-client-image.bb b/meta-security/recipes-security/images/security-client-image.bb
deleted file mode 100644
index f4ebc69..0000000
--- a/meta-security/recipes-security/images/security-client-image.bb
+++ /dev/null
@@ -1,16 +0,0 @@
-DESCRIPTION = "A Client side Security example"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- os-release \
- samhain-client \
- ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-client-image"
diff --git a/meta-security/recipes-security/images/security-server-image.bb b/meta-security/recipes-security/images/security-server-image.bb
deleted file mode 100644
index 4927e0e..0000000
--- a/meta-security/recipes-security/images/security-server-image.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-DESCRIPTION = "A Serve side image for Security example "
-
-IMAGE_FEATURES += "ssh-server-openssh"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- samhain-server \
- os-release "
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-server-image"
-
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/meta-security/recipes-security/images/security-test-image.bb b/meta-security/recipes-security/images/security-test-image.bb
deleted file mode 100644
index c71d726..0000000
--- a/meta-security/recipes-security/images/security-test-image.bb
+++ /dev/null
@@ -1,33 +0,0 @@
-DESCRIPTION = "A small image for testing meta-security packages"
-
-IMAGE_FEATURES += "ssh-server-openssh"
-
-TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
-
-INSTALL_CLAMAV_CVD = "1"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- packagegroup-core-security-ptest \
- clamav \
- tripwire \
- checksec \
- suricata \
- samhain-standalone \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
- os-release \
- "
-
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-test-image"
-
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch
new file mode 100644
index 0000000..7d17a03
--- /dev/null
+++ b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch
@@ -0,0 +1,49 @@
+Backport patch to fix cross compile error for mips:
+
+| syscalls.h:44:6: error: expected identifier or '(' before numeric constant
+| 44 | int mips;
+| | ^~~~
+
+Upstream-Status: Submitted [https://github.com/seccomp/libseccomp/pull/279/commits/04c519e5]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 04c519e5b1de53592e98307813e5c6db7418f91b Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Sun, 2 Aug 2020 09:57:39 -0400
+Subject: [PATCH] build: undefine "mips" to prevent build problems for MIPS
+ targets
+
+It turns out that the MIPS GCC compiler defines a "mips" cpp macro
+which was resulting in build failures on MIPS so we need to
+undefine the "mips" macro during build. As this should be safe
+to do in all architectures, just add it to the compiler flags by
+default.
+
+This was reported in the following GH issue:
+* https://github.com/seccomp/libseccomp/issues/274
+
+Reported-by: Rongwei Zhang <pudh4418@gmail.com>
+Suggested-by: Rongwei Zhang <pudh4418@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ configure.ac | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 40d9dcbb..3e877348 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -65,9 +65,11 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
+
+ dnl ####
+ dnl build flags
++dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it
++dnl for us which wreaks havoc on the build
+ dnl ####
+ AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include"
+-AM_CFLAGS="-Wall"
++AM_CFLAGS="-Wall -Umips"
+ AM_LDFLAGS="-Wl,-z -Wl,relro"
+ AC_SUBST([AM_CPPFLAGS])
+ AC_SUBST([AM_CFLAGS])
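Review bot: The header of fix-mips-build-failure.patch calls itself a "Backport patch" while its tag reads `Upstream-Status: Submitted [...]`, so the two disagree about whether commit 04c519e5 has landed upstream. If the change is merged upstream, the tag should be `Upstream-Status: Backport` with the upstream commit URL; if it is still pending, the first line should say "Submitted patch" instead. The tag decides whether this patch is dropped or re-checked at the next libseccomp version bump, so it should match the patch's real state.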
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
similarity index 87%
rename from meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
rename to meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
index 9ca41e6..35365d5 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
@@ -4,18 +4,23 @@
LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427"
+DEPENDS += "gperf-native"
-SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
+SRCREV = "f13f58efc690493fe7aa69f54cb52a118f3769c1"
+
+SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \
file://run-ptest \
+ file://fix-mips-build-failure.patch \
"
+COMPATIBLE_HOST_riscv32 = "null"
+
S = "${WORKDIR}/git"
inherit autotools-brokensep pkgconfig ptest
PACKAGECONFIG ??= ""
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python3"
DISABLE_STATIC = ""
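Review bot: The new `SRC_URI` line keeps the plain `git://` transport, so the source for a syscall-filtering library is fetched without server authentication or encryption. The pinned `SRCREV` restricts the checkout to one commit hash, but the fetch itself should go over TLS: `SRC_URI = "git://github.com/seccomp/libseccomp.git;protocol=https;branch=release-2.5 \`. The rest of the recipe lies outside this hunk, so any other fetch settings there are not visible.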
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
deleted file mode 100644
index cf34ded..0000000
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
+++ /dev/null
@@ -1,28 +0,0 @@
-DESCRIPTION = "Security ptest packagegroup"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
- file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-inherit features_check
-
-REQUIRED_DISTRO_FEATURES = "ptest"
-
-PACKAGES = "\
- ${PN} \
- "
-
-ALLOW_EMPTY_${PN} = "1"
-
-SUMMARY_${PN} = "Security packages with ptests"
-RDEPENDS_${PN} = " \
- ptest-runner \
- samhain-standalone-ptest \
- keyutils-ptest \
- libseccomp-ptest \
- python3-scapy-ptest \
- suricata-ptest \
- tripwire-ptest \
- python3-fail2ban-ptest \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
- "
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
deleted file mode 100644
index e0a9d05..0000000
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
+++ /dev/null
@@ -1,68 +0,0 @@
-DESCRIPTION = "Security packagegroup for Poky"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
- file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-inherit packagegroup
-
-PACKAGES = "\
- packagegroup-core-security \
- packagegroup-security-utils \
- packagegroup-security-scanners \
- packagegroup-security-ids \
- packagegroup-security-mac \
- "
-
-RDEPENDS_packagegroup-core-security = "\
- packagegroup-security-utils \
- packagegroup-security-scanners \
- packagegroup-security-ids \
- packagegroup-security-mac \
- "
-
-SUMMARY_packagegroup-security-utils = "Security utilities"
-RDEPENDS_packagegroup-security-utils = "\
- checksec \
- nmap \
- pinentry \
- python3-scapy \
- ding-libs \
- keyutils \
- libseccomp \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
- "
-
-SUMMARY_packagegroup-security-scanners = "Security scanners"
-RDEPENDS_packagegroup-security-scanners = "\
- nikto \
- checksecurity \
- clamav \
- clamav-freshclam \
- clamav-cvd \
- "
-
-SUMMARY_packagegroup-security-audit = "Security Audit tools "
-RDEPENDS_packagegroup-security-audit = " \
- buck-security \
- redhat-security \
- "
-
-SUMMARY_packagegroup-security-hardening = "Security Hardening tools"
-RDEPENDS_packagegroup-security-hardening = " \
- bastille \
- "
-
-SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems"
-RDEPENDS_packagegroup-security-ids = " \
- tripwire \
- samhain-standalone \
- suricata \
- "
-
-SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
-RDEPENDS_packagegroup-security-mac = " \
- ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
- "