meta-security: subtree update:775870980b..ca9264b1e1
Anton Antonov (4):
Use libest "main" branch instead of "master".
Add meta-parsec layer into meta-security.
Define secure images with parsec-service and parsec-tool included and add the images into gitlab CI
Clearly define clang toolchain in Parsec recipes
Armin Kuster (16):
packagegroup-core-security: drop clamav-cvd
clamav: upgrade 104.0
python3-privacyidea: upgrade 3.5.1 -> 3.5.2
clamav: fix systemd service install
swtpm: now need python-cryptography, pull in layer
swtpm: file pip3 issue
swtpm: fix check for tscd deamon on host
python3-suricata-update: update to 1.2.1
suricata: update to 6.0.2
layer.conf: add dynamic-layer for rust pkg
README: cleanup
.gitlab-ci.yml: reorder to speed up builds
kas-security-base.yml: tweek build vars
gitlab-ci: fine tune order
clamav: remove rest of mirror.dat ref
lkrg-module: Add Linux Kernel Runtime Guard
Ming Liu (2):
meta: drop IMA_POLICY from policy recipes
initramfs-framework-ima: introduce IMA_FORCE
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ifac35a0d7b7e724f1e30dce5f6634d5d4fc9b5b9
diff --git a/meta-security/recipes-scanners/clamav/files/headers_fixup.patch b/meta-security/recipes-scanners/clamav/files/headers_fixup.patch
new file mode 100644
index 0000000..9de0a26
--- /dev/null
+++ b/meta-security/recipes-scanners/clamav/files/headers_fixup.patch
@@ -0,0 +1,58 @@
+Fixes checks not needed do to glibc 2.33
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/CMakeLists.txt
+===================================================================
+--- git.orig/CMakeLists.txt
++++ git/CMakeLists.txt
+@@ -374,8 +373,6 @@ check_include_file("stdlib.h"
+ check_include_file("string.h" HAVE_STRING_H)
+ check_include_file("strings.h" HAVE_STRINGS_H)
+ check_include_file("sys/cdefs.h" HAVE_SYS_CDEFS_H)
+-check_include_file("sys/dl.h" HAVE_SYS_DL_H)
+-check_include_file("sys/fileio.h" HAVE_SYS_FILIO_H)
+ check_include_file("sys/mman.h" HAVE_SYS_MMAN_H)
+ check_include_file("sys/param.h" HAVE_SYS_PARAM_H)
+ check_include_file("sys/queue.h" HAVE_SYS_QUEUE_H)
+@@ -410,8 +407,6 @@ endif()
+
+ # int-types variants
+ check_include_file("inttypes.h" HAVE_INTTYPES_H)
+-check_include_file("sys/inttypes.h" HAVE_SYS_INTTYPES_H)
+-check_include_file("sys/int_types.h" HAVE_SYS_INT_TYPES_H)
+ check_include_file("stdint.h" HAVE_STDINT_H)
+
+ # this hack required to silence warnings on systems with inttypes.h
+@@ -539,17 +528,11 @@ check_type_size("time_t" SIZEOF_TIME_T)
+ # Checks for library functions.
+ include(CheckSymbolExists)
+ check_symbol_exists(_Exit "stdlib.h" HAVE__EXIT)
+-check_symbol_exists(accept4 "sys/types.h" HAVE_ACCEPT4)
+ check_symbol_exists(snprintf "stdio.h" HAVE_SNPRINTF)
+-check_symbol_exists(stat64 "sys/stat.h" HAVE_STAT64)
+-check_symbol_exists(strcasestr "string.h" HAVE_STRCASESTR)
+ check_symbol_exists(strerror_r "string.h" HAVE_STRERROR_R)
+-check_symbol_exists(strlcat "string.h" HAVE_STRLCAT)
+-check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
+ check_symbol_exists(strndup "string.h" HAVE_STRNDUP)
+ check_symbol_exists(strnlen "string.h" HAVE_STRNLEN)
+-check_symbol_exists(strnstr "string.h" HAVE_STRNSTR)
+-check_symbol_exists(sysctlbyname "sysctl.h" HAVE_SYSCTLBYNAME)
++check_symbol_exists(strcasecmp "string.h" HAVE_STRNCMP)
+ check_symbol_exists(timegm "time.h" HAVE_TIMEGM)
+ check_symbol_exists(vsnprintf "stdio.h" HAVE_VSNPRINTF)
+
+@@ -563,10 +546,9 @@ else()
+ check_symbol_exists(fseeko "stdio.h" HAVE_FSEEKO)
+ check_symbol_exists(getaddrinfo "netdb.h" HAVE_GETADDRINFO)
+ check_symbol_exists(getpagesize "unistd.h" HAVE_GETPAGESIZE)
+- check_symbol_exists(mkstemp "unistd.h" HAVE_MKSTEMP)
+ check_symbol_exists(poll "poll.h" HAVE_POLL)
+- check_symbol_exists(setgroups "unistd.h" HAVE_SETGROUPS)
+ check_symbol_exists(setsid "unistd.h" HAVE_SETSID)
++ set(HAVE_SYSCONF_SC_PAGESIZE 1)
+ endif()
+
+ include(CheckSymbolExists)
diff --git a/meta-security/recipes-scanners/clamav/files/oe_cmake_fixup.patch b/meta-security/recipes-scanners/clamav/files/oe_cmake_fixup.patch
new file mode 100644
index 0000000..b284915
--- /dev/null
+++ b/meta-security/recipes-scanners/clamav/files/oe_cmake_fixup.patch
@@ -0,0 +1,39 @@
+Issue with rpath including /usr/lib and crosscompile checkes causing oe configure to fail
+
+Use oe's cmake rpath framework and exclude some of the cmake checks that fail in our env
+
+Upstream-Status: Inappropriate [configuration]
+Singed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/CMakeLists.txt
+===================================================================
+--- git.orig/CMakeLists.txt
++++ git/CMakeLists.txt
+@@ -162,12 +162,6 @@ endif()
+
+ include(GNUInstallDirs)
+
+-if(CMAKE_INSTALL_FULL_LIBDIR)
+- set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_FULL_LIBDIR}")
+-else()
+- set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
+-endif()
+-
+ if(C_LINUX)
+ if(CMAKE_COMPILER_IS_GNUCXX)
+ # Set _GNU_SOURCE for O_LARGEFILE, O_CLOEXEC, O_DIRECTORY, O_NOFOLLOW, etc flags on older systems
+@@ -512,14 +506,8 @@ include(TestInline)
+ include(CheckFileOffsetBits)
+ # Determine how to pack structs on this platform.
+ include(CheckStructPacking)
+-# Check for signed right shift implementation.
+-include(CheckSignedRightShift)
+ # Check if systtem fts implementation available
+ include(CheckFTS)
+-# Check if uname(2) follows POSIX standard.
+-include(CheckUnamePosix)
+-# Check support for file descriptor passing
+-include(CheckFDPassing)
+
+ # Check if big-endian
+ include(TestBigEndian)