Diffstat (limited to 'meta-oe/recipes-security')
23 files changed, 677 insertions, 442 deletions
diff --git a/meta-oe/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/meta-oe/recipes-security/audit/audit/0001-Fixed-swig-host-contamination-issue.patch index 740bcb5a7f..f2755d5c08 100644 --- a/meta-oe/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch +++ b/meta-oe/recipes-security/audit/audit/0001-Fixed-swig-host-contamination-issue.patch @@ -1,7 +1,7 @@ -From 3d13f92c1bb293523670ba01aea7e655b00a6709 Mon Sep 17 00:00:00 2001 +From 5cdc667aeb7a014cdc1f8c7df8f8080408773dbe Mon Sep 17 00:00:00 2001 From: Li xin <lixin.fnst@cn.fujitsu.com> Date: Sun, 19 Jul 2015 02:42:58 +0900 -Subject: [PATCH] audit: Fixed swig host contamination issue +Subject: [PATCH] Fixed swig host contamination issue The audit build uses swig to generate a python wrapper. Unfortunately, the swig info file references host include @@ -19,18 +19,18 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com> 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am -index dd9d934..61b486d 100644 +index c2c6def4..bcc2836c 100644 --- a/bindings/swig/python3/Makefile.am +++ b/bindings/swig/python3/Makefile.am -@@ -22,6 +22,7 @@ +@@ -23,6 +23,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS) AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES) +STDINC ?= /usr/include LIBS = $(top_builddir)/lib/libaudit.la - SWIG_FLAGS = -python -py3 -modern + SWIG_FLAGS = -python SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES) -@@ -36,7 +37,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi +@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/audit_logging.h ${top_builddir}/lib/li _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la nodist__audit_la_SOURCES = audit_wrap.c audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i 
@@ -40,18 +40,18 @@ index dd9d934..61b486d 100644 CLEANFILES = audit.py* audit_wrap.c *~ diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i -index 21aafca..dd0f62c 100644 +index 6b267844..5a4e442f 100644 --- a/bindings/swig/src/auditswig.i +++ b/bindings/swig/src/auditswig.i -@@ -39,7 +39,7 @@ signed - #define __attribute(X) /*nothing*/ - typedef unsigned __u32; - typedef unsigned uid_t; +@@ -50,7 +50,7 @@ typedef unsigned uid_t; + */ + %ignore audit_rule_data::buf; + -%include "/usr/include/linux/audit.h" -+%include "linux/audit.h" ++%include "../lib/audit.h" #define __extension__ /*nothing*/ %include <stdint.i> - %include "../lib/libaudit.h" + %include "../lib/audit-records.h" -- -2.17.1 +2.25.1 diff --git a/meta-oe/recipes-security/audit/audit/0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch b/meta-oe/recipes-security/audit/audit/0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch new file mode 100644 index 0000000000..b1f324f22d --- /dev/null +++ b/meta-oe/recipes-security/audit/audit/0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch 
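Review bot: The refreshed patch now does `%include "../lib/audit.h"` instead of the host `/usr/include/linux/audit.h`, but nothing in the patch itself says where `lib/audit.h` comes from — it only exists because the audit recipe's `do_configure:prepend` generates it with sed from `${STAGING_INCDIR}/linux/audit.h`, so the patch is not self-explanatory on its own. Add that to the patch description, e.g. `lib/audit.h is a copy of the sysroot's linux/audit.h that the OE recipe generates at configure time; see audit_%.bb`. The Makefile.am hunk still adds `STDINC ?= /usr/include`; whether it is still referenced is outside this hunk (the `audit_wrap.c:` rule is cut), but if the include really moved to `../lib/audit.h` that variable and the recipe's `STDINC='${STAGING_INCDIR}'` make argument may now be dead and could be dropped together.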
@@ -0,0 +1,49 @@ +From 88c9b2c5cebebf13f90890baebbadc60d9fe8d16 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Tue, 9 Aug 2022 23:57:03 -0700 +Subject: [PATCH] Replace __attribute_malloc__ with __attribute__((__malloc__)) + +__attribute_malloc__ is not available on musl + +Fixes +| ../../git/auparse/auparse.h:54:2: error: expected function body after function declarator +| __attribute_malloc__ __attr_dealloc (auparse_destroy, 1); +| ^ + +Upstream-Status: Pending + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + audisp/plugins/remote/queue.h | 2 +- + auparse/auparse.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/audisp/plugins/remote/queue.h b/audisp/plugins/remote/queue.h +index 36b70d04..031507dc 100644 +--- a/audisp/plugins/remote/queue.h ++++ b/audisp/plugins/remote/queue.h +@@ -53,7 +53,7 @@ void q_close(struct queue *q); + * On error, return NULL and set errno. */ + struct queue *q_open(int q_flags, const char *path, size_t num_entries, + size_t entry_size) +- __attribute_malloc__ __attr_dealloc (q_close, 1) __wur; ++ __attribute__((__malloc__)) __attr_dealloc (q_close, 1) __wur; + + /* Add DATA to tail of Q. Return 0 on success, -1 on error and set errno. 
*/ + int q_append(struct queue *q, const char *data); +diff --git a/auparse/auparse.h b/auparse/auparse.h +index c27f1ff9..87c52965 100644 +--- a/auparse/auparse.h ++++ b/auparse/auparse.h +@@ -55,7 +55,7 @@ typedef void (*auparse_callback_ptr)(auparse_state_t *au, + void auparse_destroy(auparse_state_t *au); + void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what); + auparse_state_t *auparse_init(ausource_t source, const void *b) +- __attribute_malloc__ __attr_dealloc (auparse_destroy, 1); ++ __attribute__((__malloc__)) __attr_dealloc (auparse_destroy, 1); + int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len) + __attr_access ((__read_only__, 2, 3)); + int auparse_feed(auparse_state_t *au, const char *data, size_t data_len) +-- +2.25.1 + diff --git a/meta-oe/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/meta-oe/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch deleted file mode 100644 index bb6c61e805..0000000000 --- a/meta-oe/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch +++ /dev/null 
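Review bot: The two prototypes still carry `__attr_dealloc` and `__wur` right after the replaced `__attribute_malloc__`, and those are glibc sys/cdefs.h macros as well; if audit does not provide fallbacks for them (none are visible in this hunk), the musl build will fail on the same lines for the next token. A guarded compatibility define next to whatever fallbacks the headers already have, `#ifndef __attribute_malloc__` / `#define __attribute_malloc__ __attribute__((__malloc__))` / `#endif`, would cover every declaration at once instead of rewriting each prototype, and is easier to get accepted upstream, which matters since the patch is marked `Upstream-Status: Pending`.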
@@ -1,133 +0,0 @@ -From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Tue, 26 Feb 2019 18:33:33 -0500 -Subject: [PATCH] Add substitue functions for strndupa & rawmemchr - -Upstream-Status: Backport -[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e] ---- - auparse/auparse.c | 12 +++++++++++- - auparse/interpret.c | 9 ++++++++- - configure.ac | 14 +++++++++++++- - src/ausearch-lol.c | 12 +++++++++++- - 4 files changed, 43 insertions(+), 4 deletions(-) - -diff --git a/auparse/auparse.c b/auparse/auparse.c -index 650db02..2e1c737 100644 ---- a/auparse/auparse.c -+++ b/auparse/auparse.c -@@ -1,5 +1,5 @@ - /* auparse.c -- -- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina. -+ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This library is free software; you can redistribute it and/or -@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e) - return 0; - } - -+#ifndef HAVE_STRNDUPA -+static inline char *strndupa(const char *old, size_t n) -+{ -+ size_t len = strnlen(old, n); -+ char *tmp = alloca(len + 1); -+ tmp[len] = 0; -+ return memcpy(tmp, old, len); -+} -+#endif -+ - /* Returns 0 on success and 1 on error */ - static int extract_timestamp(const char *b, au_event_t *e) - { -diff --git a/auparse/interpret.c b/auparse/interpret.c -index 51c4a5e..67b7b77 100644 ---- a/auparse/interpret.c -+++ b/auparse/interpret.c -@@ -853,6 +853,13 @@ err_out: - return print_escaped(id->val); - } - -+// rawmemchr is faster. Let's use it if we have it. 
-+#ifdef HAVE_RAWMEMCHR -+#define STRCHR rawmemchr -+#else -+#define STRCHR strchr -+#endif -+ - static const char *print_proctitle(const char *val) - { - char *out = (char *)print_escaped(val); -@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val) - // Proctitle has arguments separated by NUL bytes - // We need to write over the NUL bytes with a space - // so that we can see the arguments -- while ((ptr = rawmemchr(ptr, '\0'))) { -+ while ((ptr = STRCHR(ptr, '\0'))) { - if (ptr >= end) - break; - *ptr = ' '; -diff --git a/configure.ac b/configure.ac -index 54bdbf1..aef07fb 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1,7 +1,7 @@ - dnl - define([AC_INIT_NOTICE], - [### Generated automatically using autoconf version] AC_ACVERSION [ --### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com> -+### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com> - ### - ### Permission is hereby granted, free of charge, to any person obtaining a - ### copy of this software and associated documentation files (the "Software"), -@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote - AC_CHECK_FUNCS([posix_fallocate]) - dnl; signalfd is needed for libev - AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ]) -+dnl; check if rawmemchr is available -+AC_CHECK_FUNCS([rawmemchr]) -+dnl; check if strndupa is available -+AC_LINK_IFELSE( -+ [AC_LANG_SOURCE( -+ [[ -+ #define _GNU_SOURCE -+ #include <string.h> -+ int main() { (void) strndupa("test", 10); return 0; }]])], -+ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])], -+ [] -+) - - ALLWARNS="" - ALLDEBUG="-g" -diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c -index 5d17a72..758c33e 100644 ---- a/src/ausearch-lol.c -+++ b/src/ausearch-lol.c -@@ -1,6 +1,6 @@ - /* - * ausearch-lol.c - linked list of linked lists library --* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina. 
-+* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the -@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2) - return 0; - } - -+#ifndef HAVE_STRNDUPA -+static inline char *strndupa(const char *old, size_t n) -+{ -+ size_t len = strnlen(old, n); -+ char *tmp = alloca(len + 1); -+ tmp[len] = 0; -+ return memcpy(tmp, old, len); -+} -+#endif -+ - /* - * This function will look at the line and pick out pieces of it. - */ --- -2.7.4 - diff --git a/meta-oe/recipes-security/audit/audit/auditd.service b/meta-oe/recipes-security/audit/audit/auditd.service deleted file mode 100644 index 06c63f0e5e..0000000000 --- a/meta-oe/recipes-security/audit/audit/auditd.service +++ /dev/null @@ -1,28 +0,0 @@ -[Unit] -Description=Security Auditing Service -DefaultDependencies=no -After=local-fs.target systemd-tmpfiles-setup.service -Before=sysinit.target shutdown.target -Conflicts=shutdown.target -ConditionKernelCommandLine=!audit=0 - -[Service] -Type=forking -PIDFile=/run/auditd.pid -ExecStart=/sbin/auditd -## To use augenrules, uncomment the next line and comment/delete the auditctl line. -## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ -#ExecStartPost=-/sbin/augenrules --load -ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules -# By default we don't clear the rules on exit. -# To enable this, uncomment the next line. -#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules - -### Security Settings ### -MemoryDenyWriteExecute=true -LockPersonality=true -ProtectControlGroups=true -ProtectKernelModules=true - -[Install] -WantedBy=multi-user.target diff --git a/meta-oe/recipes-security/audit/audit_2.8.5.bb b/meta-oe/recipes-security/audit/audit_2.8.5.bb deleted file mode 100644 index ee3b3b5e08..0000000000 --- a/meta-oe/recipes-security/audit/audit_2.8.5.bb +++ /dev/null 
@@ -1,105 +0,0 @@ -SUMMARY = "User space tools for kernel auditing" -DESCRIPTION = "The audit package contains the user space utilities for \ -storing and searching the audit records generated by the audit subsystem \ -in the Linux kernel." -HOMEPAGE = "http://people.redhat.com/sgrubb/audit/" -SECTION = "base" -LICENSE = "GPLv2+ & LGPLv2+" -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" - -SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \ - file://Add-substitue-functions-for-strndupa-rawmemchr.patch \ - file://Fixed-swig-host-contamination-issue.patch \ - file://auditd \ - file://auditd.service \ - file://audit-volatile.conf \ -" - -S = "${WORKDIR}/git" -SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c" - -inherit autotools python3native update-rc.d systemd - -UPDATERCPN = "auditd" -INITSCRIPT_NAME = "auditd" -INITSCRIPT_PARAMS = "defaults" - -SYSTEMD_PACKAGES = "auditd" -SYSTEMD_SERVICE_auditd = "auditd.service" - -DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native" - -EXTRA_OECONF += "--without-prelude \ - --with-libwrap \ - --enable-gssapi-krb5=no \ - --with-libcap-ng=yes \ - --with-python3=yes \ - --libdir=${base_libdir} \ - --sbindir=${base_sbindir} \ - --without-python \ - --without-golang \ - --disable-zos-remote \ - " -EXTRA_OECONF_append_arm = " --with-arm=yes" -EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes" - -EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ - PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ - pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ - STDINC='${STAGING_INCDIR}' \ - pkgconfigdir=${libdir}/pkgconfig \ - " - -SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher" -DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \ -interface to the audit system, audispd. These plugins can do things \ -like relay events to remote machines or analyze events for suspicious \ -behavior." 
- -PACKAGES =+ "audispd-plugins" -PACKAGES += "auditd ${PN}-python" - -FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*" -FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*" -FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \ - ${sysconfdir}/audisp/plugins.d/au-remote.conf \ - ${sbindir}/audisp-remote ${localstatedir}/spool/audit \ - " -FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" -FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" - -CONFFILES_auditd += "${sysconfdir}/audit/audit.rules" -RDEPENDS_auditd += "bash" - -do_install_append() { - rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a - rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la - - # reuse auditd config - [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default - mv ${D}/etc/sysconfig/auditd ${D}/etc/default - rmdir ${D}/etc/sysconfig/ - - # replace init.d - install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd - rm -rf ${D}/etc/rc.d - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d/ - install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ - fi - - # install systemd unit files - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system - - # audit-2.5 doesn't install any rules by default, so we do that here - mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d - cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules - - chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d - chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules - - # Based on the audit.spec "Copy default rules into place on new installation" - cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules -} 
diff --git a/meta-oe/recipes-security/audit/audit_3.0.1.bb b/meta-oe/recipes-security/audit/audit_3.0.1.bb deleted file mode 100644 index ba24d360ed..0000000000 --- a/meta-oe/recipes-security/audit/audit_3.0.1.bb +++ /dev/null 
@@ -1,109 +0,0 @@ -SUMMARY = "User space tools for kernel auditing" -DESCRIPTION = "The audit package contains the user space utilities for \ -storing and searching the audit records generated by the audit subsystem \ -in the Linux kernel." -HOMEPAGE = "http://people.redhat.com/sgrubb/audit/" -SECTION = "base" -LICENSE = "GPLv2+ & LGPLv2+" -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" - -SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master \ - file://Fixed-swig-host-contamination-issue.patch \ - file://auditd \ - file://auditd.service \ - file://audit-volatile.conf \ -" - -S = "${WORKDIR}/git" -SRCREV = "46cb7d92443c9ec7b3af15fb0baa65f65f6415d3" - -inherit autotools python3native update-rc.d systemd - -UPDATERCPN = "auditd" -INITSCRIPT_NAME = "auditd" -INITSCRIPT_PARAMS = "defaults" - -SYSTEMD_PACKAGES = "auditd" -SYSTEMD_SERVICE_auditd = "auditd.service" - -DEPENDS = "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native" - -EXTRA_OECONF = " --with-libwrap \ - --enable-gssapi-krb5=no \ - --with-libcap-ng=yes \ - --with-python3=yes \ - --libdir=${base_libdir} \ - --sbindir=${base_sbindir} \ - --without-python \ - --without-golang \ - --disable-zos-remote \ - --with-arm=yes \ - --with-aarch64=yes \ - " - -EXTRA_OEMAKE = "PYLIBVER='python${PYTHON_BASEVERSION}' \ - PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ - pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ - STDINC='${STAGING_INCDIR}' \ - pkgconfigdir=${libdir}/pkgconfig \ - " - -SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher" -DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \ -interface to the audit system, audispd. These plugins can do things \ -like relay events to remote machines or analyze events for suspicious \ -behavior." 
- -PACKAGES =+ "audispd-plugins" -PACKAGES += "auditd ${PN}-python" - -FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*" -FILES_auditd = "${bindir}/* ${base_sbindir}/* ${sysconfdir}/* ${datadir}/audit/*" -FILES_audispd-plugins = "${sysconfdir}/audit/audisp-remote.conf \ - ${sysconfdir}/audit/plugins.d/au-remote.conf \ - ${sysconfdir}/audit/plugins.d/syslog.conf \ - ${base_sbindir}/audisp-remote \ - ${base_sbindir}/audisp-syslog \ - ${localstatedir}/spool/audit \ - " -FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" -FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" - -CONFFILES_auditd = "${sysconfdir}/audit/audit.rules" -RDEPENDS_auditd = "bash" - -do_install_append() { - rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a - rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la - - # reuse auditd config - [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default - mv ${D}/etc/sysconfig/auditd ${D}/etc/default - rmdir ${D}/etc/sysconfig/ - - # replace init.d - install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd - rm -rf ${D}/etc/rc.d - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - # install systemd unit files - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system - - install -d ${D}${sysconfdir}/tmpfiles.d/ - install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ - fi - - # audit-2.5 doesn't install any rules by default, so we do that here - mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d - cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules - - chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d - chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules - - # Based on the audit.spec "Copy default rules into place on new installation" - cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules - - 
# Create /var/spool/audit directory for audisp-remote - install -m 0700 -d ${D}${localstatedir}/spool/audit -} diff --git a/meta-oe/recipes-security/audit/audit_4.0.1.bb b/meta-oe/recipes-security/audit/audit_4.0.1.bb new file mode 100644 index 0000000000..a37ae3bb84 --- /dev/null +++ b/meta-oe/recipes-security/audit/audit_4.0.1.bb 
@@ -0,0 +1,103 @@ +SUMMARY = "User space tools for kernel auditing" +DESCRIPTION = "The audit package contains the user space utilities for \ +storing and searching the audit records generated by the audit subsystem \ +in the Linux kernel." +HOMEPAGE = "http://people.redhat.com/sgrubb/audit/" +SECTION = "base" +LICENSE = "GPL-2.0-or-later & LGPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" + +SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master;protocol=https \ + file://0001-Fixed-swig-host-contamination-issue.patch \ + file://auditd \ + file://audit-volatile.conf \ + " + +SRC_URI:append:libc-musl = " file://0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch" + +S = "${WORKDIR}/git" +SRCREV = "22ccbd984e493524050ac445f796e9a7e90e1149" + +inherit autotools python3targetconfig update-rc.d systemd + +UPDATERCPN = "auditd" +INITSCRIPT_NAME = "auditd" +INITSCRIPT_PARAMS = "defaults" + +SYSTEMD_PACKAGES = "auditd" +SYSTEMD_SERVICE:auditd = "auditd.service audit-rules.service" + +DEPENDS = "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native python3-setuptools-native coreutils-native" + +EXTRA_OECONF = " \ + --with-libwrap \ + --with-libcap-ng \ + --with-python3 \ + --with-arm \ + --with-aarch64 \ + --without-golang \ + --disable-gssapi-krb5 \ + --disable-zos-remote \ + --sbindir=${base_sbindir} \ + --runstatedir=/run \ + " + +EXTRA_OEMAKE = " \ + PYTHON=python3 \ + pythondir=${PYTHON_SITEPACKAGES_DIR} \ + pyexecdir=${PYTHON_SITEPACKAGES_DIR} \ + STDINC='${STAGING_INCDIR}' \ + " + +SUMMARY:audispd-plugins = "Plugins for the audit event dispatcher" +DESCRIPTION:audispd-plugins = "The audispd-plugins package provides plugins for the real-time \ +interface to the audit system, audispd. These plugins can do things \ +like relay events to remote machines or analyze events for suspicious \ +behavior." 
+ +PACKAGES =+ "audispd-plugins" +PACKAGES += "auditd ${PN}-python" + +FILES:${PN} = "${sysconfdir}/libaudit.conf ${libdir}/libau*.so.*" +FILES:auditd = "${bindir}/* ${base_sbindir}/* ${sysconfdir}/* ${datadir}/audit-rules/* ${libexecdir}/*" +FILES:audispd-plugins = "${sysconfdir}/audit/audisp-remote.conf \ + ${sysconfdir}/audit/plugins.d/au-remote.conf \ + ${sysconfdir}/audit/plugins.d/syslog.conf \ + ${base_sbindir}/audisp-remote \ + ${base_sbindir}/audisp-syslog \ + ${localstatedir}/spool/audit \ + " +FILES:${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" +FILES:${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" + +CONFFILES:auditd = "${sysconfdir}/audit/audit.rules" + +do_configure:prepend() { + sed -e 's|buf\[];|buf[0];|g' ${STAGING_INCDIR}/linux/audit.h > ${S}/lib/audit.h + sed -i -e 's|#include <linux/audit.h>|#include "audit.h"|g' ${S}/lib/libaudit.h +} + +do_install:append() { + sed -i -e 's|#include "audit.h"|#include <linux/audit.h>|g' ${D}${includedir}/libaudit.h + + # Install default rules + install -d -m 750 ${D}/etc/audit + install -d -m 750 ${D}/etc/audit/rules.d + + install -m 0640 ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules + + # Based on the audit.spec "Copy default rules into place on new installation" + install -m 0640 ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -D -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/audit.conf + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then + install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd + rm -rf ${D}${libdir}/systemd + fi + + # Create /var/spool/audit directory for audisp-remote + install -d -m 0700 ${D}${localstatedir}/spool/audit +} 
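Review bot: In `do_install:append` the sysvinit branch runs `rm -rf ${D}${libdir}/systemd` whenever `sysvinit` is in DISTRO_FEATURES, but that test is also true on the common systemd-plus-sysvinit-compat configuration, where it deletes the unit files that `SYSTEMD_SERVICE:auditd = "auditd.service audit-rules.service"` then expects to package (assuming upstream installs them under `${libdir}/systemd`, which the rm line implies). Guard the removal on systemd being absent rather than sysvinit being present: `if ! ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then` / `rm -rf ${D}${libdir}/systemd` / `fi`. Separately, the 3.0.1 recipe explicitly did `chmod 640` on `auditd.conf`; that step is gone here, so it is worth confirming that upstream's install rule sets a restrictive mode on `${sysconfdir}/audit/auditd.conf` before it ships via `FILES:auditd = ... ${sysconfdir}/*`.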
diff --git a/meta-oe/recipes-security/bubblewrap/bubblewrap_0.8.0.bb b/meta-oe/recipes-security/bubblewrap/bubblewrap_0.8.0.bb
new file mode 100644
index 0000000000..06c42addbf
--- /dev/null
+++ b/meta-oe/recipes-security/bubblewrap/bubblewrap_0.8.0.bb
@@ -0,0 +1,24 @@
+DESCRIPTION = "Unprivileged sandboxing tool"
+HOMEPAGE = "https://github.com/containers/bubblewrap"
+LICENSE = "LGPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
+
+DEPENDS = "libcap"
+
+SRC_URI = "https://github.com/containers/${BPN}/releases/download/v${PV}/${BP}.tar.xz"
+SRC_URI[sha256sum] = "957ad1149db9033db88e988b12bcebe349a445e1efc8a9b59ad2939a113d333a"
+
+inherit autotools bash-completion github-releases manpages pkgconfig
+
+GITHUB_BASE_URI = "https://github.com/containers/${BPN}/releases/"
+
+PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
+PACKAGECONFIG[manpages] = "--enable-man,--disable-man,libxslt-native docbook-xsl-stylesheets-native xmlto-native"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
+PACKAGECONFIG[setuid] = "--with-priv-mode=setuid,--with-priv-mode=none"
+
+PACKAGES += "${PN}-zsh-completion"
+
+FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-oe/recipes-security/keyutils/files/0001-Adhere-to-the-SOURCE_DATE_EPOCH-standard.patch b/meta-oe/recipes-security/keyutils/files/0001-Adhere-to-the-SOURCE_DATE_EPOCH-standard.patch
new file mode 100644
index 0000000000..ecc5b00967
--- /dev/null
+++ b/meta-oe/recipes-security/keyutils/files/0001-Adhere-to-the-SOURCE_DATE_EPOCH-standard.patch
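Review bot: `PACKAGECONFIG[setuid]` switches the build to `--with-priv-mode=setuid`, which presumably installs bwrap as a setuid-root binary (the tool's fallback for kernels without unprivileged user namespaces), and nothing in the recipe warns integrators about that privilege change. A comment above that line would help, e.g. `# setuid mode installs bwrap setuid-root; only enable on targets without unprivileged user namespaces`. It is correctly left out of the default PACKAGECONFIG. Minor style: with `github-releases` inherited, `SRC_URI` could be written as `${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.xz` so the two URLs cannot drift apart.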
@@ -0,0 +1,32 @@ +From 3f7f70c746277e1a89978166533374a8b9bd5407 Mon Sep 17 00:00:00 2001 +From: Alex Kiernan <alex.kiernan@gmail.com> +Date: Wed, 25 Jan 2023 17:05:25 +0000 +Subject: [PATCH] Adhere to the SOURCE_DATE_EPOCH standard + +Adhere to the SOURCE_DATE_EPOCH standard and use it's date when set +otherwise fall back to the default behaviour. + +Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> +Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> +--- +Upstream-Status: Pending + + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 599b1452a05a..7776b0f0d63d 100644 +--- a/Makefile ++++ b/Makefile +@@ -109,7 +109,7 @@ all: keyctl request-key key.dns_resolver cxx + ############################################################################### + #RPATH = -Wl,-rpath,$(LIBDIR) + +-VCPPFLAGS := -DPKGBUILD="\"$(shell date -u +%F)\"" ++VCPPFLAGS := -DPKGBUILD="\"$(date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%F)\"" + VCPPFLAGS += -DPKGVERSION="\"keyutils-$(VERSION)\"" + VCPPFLAGS += -DAPIVERSION="\"libkeyutils-$(APIVERSION)\"" + +-- +2.39.0 + diff --git a/meta-oe/recipes-security/keyutils/files/0001-tests-builtin_trusted-Failure-command-is-failed.patch b/meta-oe/recipes-security/keyutils/files/0001-tests-builtin_trusted-Failure-command-is-failed.patch new file mode 100644 index 0000000000..b78d7f7f28 --- /dev/null +++ b/meta-oe/recipes-security/keyutils/files/0001-tests-builtin_trusted-Failure-command-is-failed.patch 
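Review bot: The new `VCPPFLAGS` line drops the `$(shell ...)` wrapper the removed line had, so `$(date --utc ...)` and `${SOURCE_DATE_EPOCH:-$(date +%s)}` are expanded by make as (undefined) variable references rather than run by the shell, and PKGBUILD ends up as an empty string whether or not SOURCE_DATE_EPOCH is set; unless the line was mangled when this page was rendered, that is a silent regression of the build-date stamp. The shell-side expansion needs `$(shell ...)` plus escaped dollars: `VCPPFLAGS := -DPKGBUILD="\"$(shell date --utc --date="@$${SOURCE_DATE_EPOCH:-$$(date +%s)}" +%F)\""`. Separately, the `Upstream-Status: Pending` trailer sits below the `---` separator, where `git am` discards it; it belongs in the commit message above `---`.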
@@ -0,0 +1,27 @@ +From 714542f009860e1652bc06d05ab939290374a114 Mon Sep 17 00:00:00 2001 +From: Alex Kiernan <alex.kiernan@gmail.com> +Date: Thu, 26 Jan 2023 08:27:12 +0000 +Subject: [PATCH 1/2] tests: builtin_trusted: Failure command is `failed` + +Upstream-Status: Pending +Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> +--- + tests/features/builtin_trusted/runtest.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/features/builtin_trusted/runtest.sh b/tests/features/builtin_trusted/runtest.sh +index 27910b5fa8e7..437f5ad1d6b2 100644 +--- a/tests/features/builtin_trusted/runtest.sh ++++ b/tests/features/builtin_trusted/runtest.sh +@@ -24,7 +24,7 @@ id_key --to=blk %:.blacklist + # There should be at least one built-in trusted key for module signing. + list_keyring $btk + expect_keyring_rlist bkeys +-if [ `echo $bkeys | wc -w` = 0 ]; then fail; fi ++if [ `echo $bkeys | wc -w` = 0 ]; then failed; fi + + # Check we can't add random keys to those keyrings + marker "TRY ADDING USER KEYS" +-- +2.39.0 + diff --git a/meta-oe/recipes-security/keyutils/files/0001-tests-toolbox.inc.sh-update-regex-for-getting-endian.patch b/meta-oe/recipes-security/keyutils/files/0001-tests-toolbox.inc.sh-update-regex-for-getting-endian.patch new file mode 100644 index 0000000000..314487aef6 --- /dev/null +++ b/meta-oe/recipes-security/keyutils/files/0001-tests-toolbox.inc.sh-update-regex-for-getting-endian.patch 
@@ -0,0 +1,35 @@ +From b84ecc2e3e56a25a3efd56c8942ad6bab3ff9ba1 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Fri, 2 Dec 2022 15:35:40 +0800 +Subject: [PATCH] tests/toolbox.inc.sh: update regex for getting endian + +Update regex for getting endian in following condition: +/proc/777/exe: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2 + +Upstream-Status: Submitted [Submitted to keyrings@vger.kernel.org ] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + tests/toolbox.inc.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh +index 8bf0db6f6d87..7ea2f253ba7d 100644 +--- a/tests/toolbox.inc.sh ++++ b/tests/toolbox.inc.sh +@@ -13,10 +13,10 @@ + echo === $OUTPUTFILE === + + endian=`file -L /proc/$$/exe` +-if expr "$endian" : '.* MSB \+\(pie executable\|executable\|shared object\).*' >&/dev/null ++if expr "$endian" : '.* MSB .*\(pie executable\|executable\|shared object\).*' >&/dev/null + then + endian=BE +-elif expr "$endian" : '.* LSB \+\(pie executable\|executable\|shared object\).*' >&/dev/null ++elif expr "$endian" : '.* LSB .*\(pie executable\|executable\|shared object\).*' >&/dev/null + then + endian=LE + else +-- +2.39.0 + diff --git a/meta-oe/recipes-security/keyutils/files/0002-tests-Use-head-n1-for-busybox-compatibility.patch b/meta-oe/recipes-security/keyutils/files/0002-tests-Use-head-n1-for-busybox-compatibility.patch new file mode 100644 index 0000000000..900f2f0ec9 --- /dev/null +++ b/meta-oe/recipes-security/keyutils/files/0002-tests-Use-head-n1-for-busybox-compatibility.patch 
@@ -0,0 +1,64 @@ +From 5e660f246bb04560692ac9fc144574732c7e19e7 Mon Sep 17 00:00:00 2001 +From: Alex Kiernan <alex.kiernan@gmail.com> +Date: Thu, 26 Jan 2023 08:28:16 +0000 +Subject: [PATCH 2/2] tests: Use `head -n1` for busybox compatibility + +Upstream-Status: Pending +Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> +--- + tests/keyctl/session/valid/runtest.sh | 4 ++-- + tests/keyctl/show/noargs/runtest.sh | 2 +- + tests/toolbox.inc.sh | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tests/keyctl/session/valid/runtest.sh b/tests/keyctl/session/valid/runtest.sh +index 4c831314c0b0..456e9f32de23 100644 +--- a/tests/keyctl/session/valid/runtest.sh ++++ b/tests/keyctl/session/valid/runtest.sh +@@ -17,7 +17,7 @@ then + expect_key_rdesc rdesc "keyring@.*@.*@.*@_ses[^@]*\$" + + # check the session keyring ID is shown +- seskeyring="`tail -2 $OUTPUTFILE | head -1`" ++ seskeyring="`tail -2 $OUTPUTFILE | head -n1`" + if ! expr "$seskeyring" : "Joined session keyring: [0-9]*" >&/dev/null + then + failed +@@ -30,7 +30,7 @@ new_session qwerty keyctl rdescribe @s "@" + expect_key_rdesc rdesc "keyring@.*@.*@.*@qwerty" + + # check the session keyring ID is shown +-seskeyring="`tail -2 $OUTPUTFILE | head -1`" ++seskeyring="`tail -2 $OUTPUTFILE | head -n1`" + if ! expr "$seskeyring" : "Joined session keyring: [0-9]*" >&/dev/null + then + failed +diff --git a/tests/keyctl/show/noargs/runtest.sh b/tests/keyctl/show/noargs/runtest.sh +index d5072716c76a..a6d8b6b585c4 100644 +--- a/tests/keyctl/show/noargs/runtest.sh ++++ b/tests/keyctl/show/noargs/runtest.sh +@@ -31,7 +31,7 @@ then + fi + + # the first key listed (line 2) should be a keying (the session keyring) ... 
+-keyring1="`grep -n keyring $OUTPUTFILE | cut -d: -f1 | head -1`" ++keyring1="`grep -n keyring $OUTPUTFILE | cut -d: -f1 | head -n1`" + if [ "$keyring1" != "4" ] + then + failed +diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh +index 7ea2f253ba7d..a461a73daaa3 100644 +--- a/tests/toolbox.inc.sh ++++ b/tests/toolbox.inc.sh +@@ -229,7 +229,7 @@ function check_notify () + if [ "$1" = "-2" ] + then + shift +- my_logline="`tail -2 $watch_log | head -1`" ++ my_logline="`tail -2 $watch_log | head -n1`" + else + my_logline="`tail -1 $watch_log`" + fi +-- +2.39.0 + diff --git a/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb b/meta-oe/recipes-security/keyutils/keyutils_1.6.3.bb index 0a8c2e4834..7b3d728216 100644 --- a/meta-oe/recipes-security/keyutils/keyutils_1.6.1.bb +++ b/meta-oe/recipes-security/keyutils/keyutils_1.6.3.bb 
@@ -7,22 +7,29 @@ DESCRIPTION = "\
 HOMEPAGE = "http://people.redhat.com/dhowells/keyutils"
 SECTION = "base"
-LICENSE = "LGPLv2.1+ & GPLv2.0+"
+LICENSE = "LGPL-2.1-or-later & GPL-2.0-or-later"
 LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \
 file://LICENCE.LGPL;md5=7d1cacaa3ea752b72ea5e525df54a21f"
-inherit siteinfo autotools-brokensep ptest
+inherit manpages ptest
-SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \
+SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git;protocol=https;branch=master \
 file://keyutils-test-fix-output-format.patch \
 file://keyutils-fix-error-report-by-adding-default-message.patch \
 file://run-ptest \
 file://fix_library_install_path.patch \
+ file://0001-tests-toolbox.inc.sh-update-regex-for-getting-endian.patch \
+ file://0001-Adhere-to-the-SOURCE_DATE_EPOCH-standard.patch \
+ file://0001-tests-builtin_trusted-Failure-command-is-failed.patch \
+ file://0002-tests-Use-head-n1-for-busybox-compatibility.patch \
 "
+SRCREV = "cb3bb194cca88211cbfcdde2f10c0f43c3fb8ec3"
-SRC_URI[md5sum] = "919af7f33576816b423d537f8a8692e8"
-SRC_URI[sha256sum] = "c8b15722ae51d95b9ad76cc6d49a4c2cc19b0c60f72f61fb9bf43eea7cbd64ce"
+S = "${WORKDIR}/git"
+
+PACKAGECONFIG ?= ""
+PACKAGECONFIG[manpages] = ""
 EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \
 NO_ARLIB=1 \
@@ -31,35 +38,25 @@ EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \
 LIBDIR=${libdir} \
 USRLIBDIR=${libdir} \
 INCLUDEDIR=${includedir} \
+ ETCDIR=${sysconfdir} \
+ SHAREDIR=${datadir}/keyutils \
+ MANDIR=${datadir}/man \
 BUILDFOR=${SITEINFO_BITS}-bit \
 NO_GLIBC_KEYERR=1 \
 "
 do_install () {
- install -d ${D}/${libdir}/pkgconfig
 oe_runmake DESTDIR=${D} install
 }
-do_install_append_class-nativesdk() {
- install -d ${D}${datadir}
- src_dir="${D}${target_datadir}"
- mv $src_dir/* ${D}${datadir}
- par_dir=`dirname $src_dir`
- rmdir $src_dir $par_dir
-
- install -d ${D}${sysconfdir}
- mv ${D}/etc/* ${D}${sysconfdir}/
- rmdir ${D}/etc
-}
-
 do_install_ptest () {
 cp -r ${S}/tests ${D}${PTEST_PATH}/
 sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh
 }
-RDEPENDS_${PN}-ptest += "lsb-release"
-RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils"
-RDEPENDS_${PN}-ptest_append_libc-musl = " musl-utils"
+RDEPENDS:${PN}-ptest += "bash file lsb-release make"
+RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils"
+RDEPENDS:${PN}-ptest:append:libc-musl = " musl-utils"
 BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch
index f93af2d793..5ee28031b8 100644
--- a/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch
+++ b/meta-oe/recipes-security/nmap/files/0001-Include-time.h-header-to-pass-clang-compilation.patch
@@ -4,6 +4,8 @@ Date: Fri, 20 Sep 2019 15:02:45 -0400
 Subject: [PATCH] Include time.h header to pass clang compilation
 ---
+Upstream-Status: Pending
+
 nmap_error.cc | 11 +----------
 nping/EchoServer.cc | 1 +
 osscan2.cc | 1 +
diff --git a/meta-oe/recipes-security/nmap/nmap_7.80.bb b/meta-oe/recipes-security/nmap/nmap_7.80.bb
index 17bc40911d..f9fe82a91d 100644
--- a/meta-oe/recipes-security/nmap/nmap_7.80.bb
+++ b/meta-oe/recipes-security/nmap/nmap_7.80.bb
@@ -1,7 +1,7 @@
 SUMMARY = "network auditing tool"
 DESCRIPTION = "Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.\nGui support via appending to IMAGE_FEATURES x11-base in local.conf"
 SECTION = "security"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2"
@@ -19,7 +19,7 @@ SRC_URI[sha256sum] = "fcfa5a0e42099e12e4bf7a68ebe6fde05553383a682e816a7ec9256ab4
 inherit autotools-brokensep pkgconfig python3native
-PACKAGECONFIG ?= "ncat nping ndiff pcap"
+PACKAGECONFIG ?= "ncat nping pcap"
 PACKAGECONFIG[pcap] = "--with-pcap=linux, --without-pcap, libpcap, libpcap"
 PACKAGECONFIG[pcre] = "--with-libpcre=${STAGING_LIBDIR}/.., --with-libpcre=included, libpcre"
@@ -49,7 +49,7 @@ do_configure() {
 oe_runconf
 }
-do_install_append() {
+do_install:append() {
 for f in ndiff uninstall_ndiff; do
 if [ -f ${D}${bindir}/$f ]; then
 sed -i 's@^#!.*$@#!/usr/bin/env python3@g' ${D}${bindir}/$f
@@ -57,6 +57,10 @@ do_install_append() {
 done
 }
-FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR} ${datadir}/ncat"
+FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR} ${datadir}/ncat"
-RDEPENDS_${PN} += "python3-core"
+RDEPENDS:${PN} += " \
+ python3-difflib \
+ python3-asyncio \
+ python3-xml \
+"
diff --git a/meta-oe/recipes-security/passwdqc/passwdqc/makefile-add-ldflags.patch b/meta-oe/recipes-security/passwdqc/passwdqc/makefile-add-ldflags.patch
index e9023492e0..4e9659aa58 100644
--- a/meta-oe/recipes-security/passwdqc/passwdqc/makefile-add-ldflags.patch
+++ b/meta-oe/recipes-security/passwdqc/passwdqc/makefile-add-ldflags.patch
@@ -3,29 +3,38 @@ Add LDFLAGS variable to Makefile so that extra linker flags can be sent via this
 Upstream-Status: Pending
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ Makefile | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
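Review bot: The new `RDEPENDS:${PN}` block makes python3-difflib, python3-asyncio and python3-xml unconditional runtime dependencies of nmap, while the same commit drops `ndiff` from the default `PACKAGECONFIG`; if those modules are only consumed by the ndiff script, every image that ships nmap now pulls in a Python runtime it does not use. Consider moving them into the runtime-dependency field of `PACKAGECONFIG[ndiff]` (defined outside this hunk) so they follow the feature that needs them. The shebang rewrite in `do_install:append()` already guards on the files existing, so that part stays correct either way.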
diff --git a/Makefile b/Makefile -index 49d622d..cd17334 100644 +index 404f036..a9b18f0 100644 --- a/Makefile +++ b/Makefile -@@ -48,18 +48,17 @@ CFLAGS = -Wall -W -O2 - CFLAGS_lib = $(CFLAGS) -fPIC - CFLAGS_bin = $(CFLAGS) -fomit-frame-pointer +@@ -75,13 +75,12 @@ XGETTEXT = xgettext + XGETTEXT_OPTS = --keyword=_ --keyword=P2_:1,1 --keyword=P3_:1,2 --language=C --add-comments + MSGMERGE = msgmerge -LDFLAGS = - LDFLAGS_shared = --shared - LDFLAGS_shared_LINUX = --shared - LDFLAGS_shared_SUN = -G - LDFLAGS_shared_HP = -b + LDFLAGS_shared = $(LDFLAGS) --shared + LDFLAGS_shared_LINUX = $(LDFLAGS) --shared + LDFLAGS_shared_SUN = $(LDFLAGS) -G + LDFLAGS_shared_HP = $(LDFLAGS) -b LDFLAGS_lib = $(LDFLAGS_shared) -LDFLAGS_lib_LINUX = $(LDFLAGS_shared_LINUX) \ +LDFLAGS_lib_LINUX = $(LDFLAGS) $(LDFLAGS_shared_LINUX) \ -Wl,--soname,$(SHARED_LIB),--version-script,$(MAP_LIB) LDFLAGS_lib_SUN = $(LDFLAGS_shared_SUN) LDFLAGS_lib_HP = $(LDFLAGS_shared_HP) +@@ -90,7 +89,7 @@ LDFLAGS_lib_CYGWIN = $(LDFLAGS_shared) \ + -Wl,--export-all-symbols \ + -Wl,--enable-auto-import LDFLAGS_pam = $(LDFLAGS_shared) -LDFLAGS_pam_LINUX = $(LDFLAGS_shared_LINUX) \ +LDFLAGS_pam_LINUX = $(LDFLAGS) $(LDFLAGS_shared_LINUX) \ -Wl,--version-script,$(MAP_PAM) LDFLAGS_pam_SUN = $(LDFLAGS_shared_SUN) LDFLAGS_pam_HP = $(LDFLAGS_shared_HP) +-- +2.34.1 + diff --git a/meta-oe/recipes-security/passwdqc/passwdqc_1.3.1.bb b/meta-oe/recipes-security/passwdqc/passwdqc_2.0.3.bb index dd302506d7..8694052e61 100644 --- a/meta-oe/recipes-security/passwdqc/passwdqc_1.3.1.bb +++ b/meta-oe/recipes-security/passwdqc/passwdqc_2.0.3.bb 
@@ -25,17 +25,16 @@ inherit features_check
 REQUIRED_DISTRO_FEATURES = "pam"
 LICENSE = "BSD-1-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=1b4af6f3d4ee079a38107366e93b334d"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ac99c8678577a1c2f9f04cccee411d5d"
 SRC_URI = "http://www.openwall.com/${BPN}/${BP}.tar.gz \
 file://makefile-add-ldflags.patch \
 "
-SRC_URI[md5sum] = "3878b57bcd3fdbcf3d4b362dbc6228b9"
-SRC_URI[sha256sum] = "d1fedeaf759e8a0f32d28b5811ef11b5a5365154849190f4b7fab670a70ffb14"
+SRC_URI[sha256sum] = "53b0f4bc49369f06195e9e13abb6cff352d5acb79e861004ec95973896488cf4"
 # explicitly define LINUX_PAM in case DISTRO_FEATURES no pam
 # this package's pam_passwdqc.so needs pam
-CFLAGS_append = " -Wall -fPIC -DHAVE_SHADOW -DLINUX_PAM"
+CFLAGS:append = " -Wall -fPIC -DHAVE_SHADOW -DLINUX_PAM"
 # -e is no longer default setting in bitbake.conf
 EXTRA_OEMAKE = "-e"
@@ -58,9 +57,9 @@ do_install() {
 PROVIDES += "pam-${BPN}"
 PACKAGES =+ "lib${BPN} pam-${BPN}"
-FILES_lib${BPN} = "${base_libdir}/libpasswdqc.so.0"
-FILES_pam-${BPN} = "${base_libdir}/security/pam_passwdqc.so"
-FILES_${PN}-dbg += "${base_libdir}/security/.debug"
+FILES:lib${BPN} = "${base_libdir}/libpasswdqc.so.1"
+FILES:pam-${BPN} = "${base_libdir}/security/pam_passwdqc.so"
+FILES:${PN}-dbg += "${base_libdir}/security/.debug"
-RDEPENDS_${PN} = "lib${BPN} pam-${BPN}"
-RDEPENDS_pam-${BPN} = "lib${BPN}"
+RDEPENDS:${PN} = "lib${BPN} pam-${BPN}"
+RDEPENDS:pam-${BPN} = "lib${BPN}"
diff --git a/meta-oe/recipes-security/softhsm/files/0001-avoid-unnecessary-check-for-sqlite3-binary.patch b/meta-oe/recipes-security/softhsm/files/0001-avoid-unnecessary-check-for-sqlite3-binary.patch
new file mode 100644
index 0000000000..7dddcdb78b
--- /dev/null
+++ b/meta-oe/recipes-security/softhsm/files/0001-avoid-unnecessary-check-for-sqlite3-binary.patch
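Review bot: `LIC_FILES_CHKSUM` gets a new md5 while `LICENSE = "BSD-1-Clause"` is left as it was, and nothing in the hunk records that the LICENSE file change between 1.3.1 and 2.0.3 was checked to be wording-only; a short comment above the line, e.g. `# LICENSE text changed in 2.0.x; terms verified unchanged` (if that is what a diff of the file shows), would keep that check from being redone on the next upgrade. Separately, the second hunk pins `FILES:lib${BPN}` to the exact soname `libpasswdqc.so.1`, so the next soname bump will silently leave the library out of the package; `${base_libdir}/libpasswdqc.so.*` would survive that without matching the dev symlink.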
@@ -0,0 +1,40 @@ +From 88d968346184058df18dc69171dcd4fd612c2341 Mon Sep 17 00:00:00 2001 +From: Jan Luebbe <sho@stratum0.net> +Date: Mon, 30 Jan 2023 12:48:23 +0100 +Subject: [PATCH] avoid unnecessary check for sqlite3 binary + +Only the library is used, not the sqlite3 binary. Drop this check to simplify +cross-compilation (as no native sqlite3 binary is needed). + +Upstream-Status: Submitted [https://github.com/opendnssec/SoftHSMv2/pull/694] +--- + m4/acx_sqlite3.m4 | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/m4/acx_sqlite3.m4 b/m4/acx_sqlite3.m4 +index fd942a75e1a6..17c126d161f5 100644 +--- a/m4/acx_sqlite3.m4 ++++ b/m4/acx_sqlite3.m4 +@@ -4,19 +4,13 @@ AC_DEFUN([ACX_SQLITE3],[ + [ + SQLITE3_INCLUDES="-I$withval/include" + SQLITE3_LIBDIRS="-L$withval/lib" +- AC_PATH_PROGS(SQLITE3, sqlite3, sqlite3, $withval/bin) + + ],[ + SQLITE3_INCLUDES="" + SQLITE3_LIBDIRS="" +- AC_PATH_PROGS(SQLITE3, sqlite3, sqlite3, $PATH) + ]) + + +- if ! test -x "$SQLITE3"; then +- AC_MSG_ERROR([sqlite3 command not found]) +- fi +- + AC_MSG_CHECKING(what are the SQLite3 includes) + AC_MSG_RESULT($SQLITE3_INCLUDES) + +-- +2.30.2 + diff --git a/meta-oe/recipes-security/softhsm/softhsm_2.6.1.bb b/meta-oe/recipes-security/softhsm/softhsm_2.6.1.bb index aa91ab37f2..930bca96ff 100644 --- a/meta-oe/recipes-security/softhsm/softhsm_2.6.1.bb +++ b/meta-oe/recipes-security/softhsm/softhsm_2.6.1.bb 
@@ -5,12 +5,15 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210"
 DEPENDS = "sqlite3"
-SRC_URI = "https://dist.opendnssec.org/source/softhsm-2.6.1.tar.gz"
+SRC_URI = "https://dist.opendnssec.org/source/softhsm-2.6.1.tar.gz \
+ file://0001-avoid-unnecessary-check-for-sqlite3-binary.patch \
+"
 SRC_URI[sha256sum] = "61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2"
 inherit autotools pkgconfig siteinfo
 EXTRA_OECONF += " --with-sqlite3=${STAGING_DIR_HOST}/usr"
+EXTRA_OECONF += " --with-objectstore-backend-db"
 EXTRA_OECONF += "${@oe.utils.conditional('SITEINFO_BITS', '64', ' --enable-64bit', '', d)}"
 PACKAGECONFIG ?= "ecc eddsa pk11 openssl"
@@ -24,7 +27,9 @@ PACKAGECONFIG[notvisable] = "--disable-visibility"
 PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr --with-crypto-backend=openssl, --without-openssl, openssl, openssl"
 PACKAGECONFIG[botan] = "--with-botan=${STAGING_DIR_HOST}/usr --with-crypto-backend=botan, --without-botan, botan"
 PACKAGECONFIG[migrate] = "--with-migrate"
-PACKAGECONFIG[pk11] = "--enable-p11-kit --with-p11-kit==${STAGING_DIR_HOST}/usr, --without-p11-kit, p11-kit, p11-kit"
+PACKAGECONFIG[pk11] = "--enable-p11-kit --with-p11-kit=${datadir}/p11-kit/modules, --without-p11-kit, p11-kit, p11-kit"
-RDEPENDS_${PN} = "sqlite3"
+FILES:${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'pk11', '${datadir}/p11-kit/modules/softhsm2.module', '', d)}"
+
+RDEPENDS:${PN} = "sqlite3"
 BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-oe/recipes-security/tomoyo-tools/tomoyo-tools_2.5.0.bb b/meta-oe/recipes-security/tomoyo-tools/tomoyo-tools_2.6.1.bb
index f362775999..86acdc7aa1 100644
--- a/meta-oe/recipes-security/tomoyo-tools/tomoyo-tools_2.5.0.bb
+++ b/meta-oe/recipes-security/tomoyo-tools/tomoyo-tools_2.6.1.bb
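Review bot: `RDEPENDS:${PN} = "sqlite3"` in the second hunk is carried over unchanged (only the override syntax moves), although the patch added by this same commit justifies itself with "only the library is used, not the sqlite3 binary"; the shared-library dependency on libsqlite3 is normally derived automatically from the linked object, so an explicit runtime dependency on the sqlite3 package mostly drags the CLI binary into the image. If nothing in softhsm2 executes the `sqlite3` tool at runtime, the line can be dropped. Note also that `--with-objectstore-backend-db` is now forced for every build rather than tied to a PACKAGECONFIG option, which makes the sqlite dependency mandatory even where the file-based object store would be acceptable.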
@@ -5,17 +5,16 @@ being useful purely as a system analysis tool."
 HOMEPAGE = "http://tomoyo.sourceforge.jp/"
 SECTION = "System Environment/Kernel"
-SRC_URI = "http://jaist.dl.sourceforge.jp/tomoyo/53357/${BP}-20170102.tar.gz"
-SRC_URI[md5sum] = "888804d58742452fe213a68f7eadd0ad"
-SRC_URI[sha256sum] = "00fedfac5e514321250bbe69eaccc732c8a8158596f77a785c2e3ae9f9968283"
+SRC_URI = "http://jaist.dl.sourceforge.jp/tomoyo/70710/${BP}-20210910.tar.gz"
+SRC_URI[sha256sum] = "47a12cdb1fe7bbd0b2e3486150fe1e754fa9c869aeefd42fd311c4022b78010a"
 S = "${WORKDIR}/${BPN}"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING.tomoyo;md5=751419260aa954499f7abaabaa882bbe"
-FILES_${PN} += "${libdir}/tomoyo"
-FILES_${PN}-dbg += "${libdir}/tomoyo/.debug"
+FILES:${PN} += "${libdir}/tomoyo"
+FILES:${PN}-dbg += "${libdir}/tomoyo/.debug"
 DEPENDS = "linux-libc-headers ncurses"
@@ -26,5 +25,5 @@ do_compile () {
 }
 do_install() {
- oe_runmake install INSTALLDIR=${D}
+ oe_runmake install SBINDIR=${base_sbindir} INSTALLDIR=${D}
 }
diff --git a/meta-oe/recipes-security/usbguard/usbguard/0001-Add-and-use-pkgconfig-instead-of-libgcrypt-config.patch b/meta-oe/recipes-security/usbguard/usbguard/0001-Add-and-use-pkgconfig-instead-of-libgcrypt-config.patch
new file mode 100644
index 0000000000..a7a3eb043d
--- /dev/null
+++ b/meta-oe/recipes-security/usbguard/usbguard/0001-Add-and-use-pkgconfig-instead-of-libgcrypt-config.patch
@@ -0,0 +1,106 @@ +From e36cbf9d7a32de9945a8b6c62ad29dfb60358081 Mon Sep 17 00:00:00 2001 +From: "Anu Deepthika, Nandipati" <Nandipati.AnuDeepthika@philips.com> +Date: Wed, 9 Mar 2022 02:03:51 +0530 +Subject: [PATCH] Add and use pkgconfig instead of libgcrypt-config + +Upstream-Status: Pending + +Signed-off-by: Anu Deepthika, Nandipati <Nandipati.AnuDeepthika@philips.com> +--- + m4/libgcrypt.m4 | 56 ++----------------------------------------------- + 1 file changed, 2 insertions(+), 54 deletions(-) + +diff --git a/m4/libgcrypt.m4 b/m4/libgcrypt.m4 +index 9a29eb5..465fe24 100644 +--- a/m4/libgcrypt.m4 ++++ b/m4/libgcrypt.m4 +@@ -22,17 +22,7 @@ dnl with a changed API. + dnl + AC_DEFUN([AM_PATH_LIBGCRYPT], + [ AC_REQUIRE([AC_CANONICAL_HOST]) +- AC_ARG_WITH(libgcrypt-prefix, +- AS_HELP_STRING([--with-libgcrypt-prefix=PFX], +- [prefix where LIBGCRYPT is installed (optional)]), +- libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="") +- if test x$libgcrypt_config_prefix != x ; then +- if test x${LIBGCRYPT_CONFIG+set} != xset ; then +- LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config +- fi +- fi + +- AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, no) + tmp=ifelse([$1], ,1:1.2.0,$1) + if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then + req_libgcrypt_api=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\1/'` +@@ -41,44 +31,8 @@ AC_DEFUN([AM_PATH_LIBGCRYPT], + req_libgcrypt_api=0 + min_libgcrypt_version="$tmp" + fi ++ PKG_CHECK_MODULES(LIBGCRYPT, [libgcrypt >= $min_libgcrypt_version], [ok=yes], [ok=no]) + +- AC_MSG_CHECKING(for LIBGCRYPT - version >= $min_libgcrypt_version) +- ok=no +- if test "$LIBGCRYPT_CONFIG" != "no" ; then +- req_major=`echo $min_libgcrypt_version | \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\1/'` +- req_minor=`echo $min_libgcrypt_version | \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\2/'` +- req_micro=`echo $min_libgcrypt_version | \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'` +- 
libgcrypt_config_version=`$LIBGCRYPT_CONFIG --version` +- major=`echo $libgcrypt_config_version | \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'` +- minor=`echo $libgcrypt_config_version | \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\2/'` +- micro=`echo $libgcrypt_config_version | \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\3/'` +- if test "$major" -gt "$req_major"; then +- ok=yes +- else +- if test "$major" -eq "$req_major"; then +- if test "$minor" -gt "$req_minor"; then +- ok=yes +- else +- if test "$minor" -eq "$req_minor"; then +- if test "$micro" -ge "$req_micro"; then +- ok=yes +- fi +- fi +- fi +- fi +- fi +- fi +- if test $ok = yes; then +- AC_MSG_RESULT([yes ($libgcrypt_config_version)]) +- else +- AC_MSG_RESULT(no) +- fi + if test $ok = yes; then + # If we have a recent libgcrypt, we should also check that the + # API is compatible +@@ -96,10 +50,8 @@ AC_DEFUN([AM_PATH_LIBGCRYPT], + fi + fi + if test $ok = yes; then +- LIBGCRYPT_CFLAGS=`$LIBGCRYPT_CONFIG --cflags` +- LIBGCRYPT_LIBS=`$LIBGCRYPT_CONFIG --libs` + ifelse([$2], , :, [$2]) +- libgcrypt_config_host=`$LIBGCRYPT_CONFIG --host 2>/dev/null || echo none` ++ libgcrypt_config_host=`$PKG_CONFIG --variable=host libgcrypt` + if test x"$libgcrypt_config_host" != xnone ; then + if test x"$libgcrypt_config_host" != x"$host" ; then + AC_MSG_WARN([[ +@@ -112,10 +64,6 @@ AC_DEFUN([AM_PATH_LIBGCRYPT], + ***]]) + fi + fi +- else +- LIBGCRYPT_CFLAGS="" +- LIBGCRYPT_LIBS="" +- ifelse([$3], , :, [$3]) + fi + AC_SUBST(LIBGCRYPT_CFLAGS) + AC_SUBST(LIBGCRYPT_LIBS) +-- +2.25.1 + diff --git a/meta-oe/recipes-security/usbguard/usbguard/0001-include-missing-cstdint.patch b/meta-oe/recipes-security/usbguard/usbguard/0001-include-missing-cstdint.patch new file mode 100644 index 0000000000..5cbe64091c --- /dev/null +++ b/meta-oe/recipes-security/usbguard/usbguard/0001-include-missing-cstdint.patch 
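Review bot: The last hunk removes the `else` branch that ran `ifelse([$3], , :, [$3])`, so `AM_PATH_LIBGCRYPT`'s action-if-not-found argument is no longer executed at all: the new `PKG_CHECK_MODULES` call passes an explicit `[ok=no]` failure action, which suppresses pkg-config's own fatal error, and the only remaining test is `if test $ok = yes; then ... fi` with no failure path. A configure.ac caller that relies on the third argument to abort or to fall back to another backend would now continue silently with empty LIBGCRYPT_CFLAGS/LIBGCRYPT_LIBS. Keeping the removed `else` block (the two empty assignments and the `ifelse([$3], , :, [$3])` call) restores the macro's contract; the `AC_MSG_CHECKING`/`AC_MSG_RESULT` pair dropped in the second hunk, which begins on the previous line, would also be worth keeping so the configure log still says whether libgcrypt was found.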
@@ -0,0 +1,45 @@ +From 1da0cfbb9ae978822d961d8b22d8d5125c11247a Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Thu, 26 Jan 2023 23:46:56 -0800 +Subject: [PATCH] include missing <cstdint> + +gcc 13 moved some includes around and as a result <cstdint> is no +longer transitively included [1]. Explicitly include it for +uint8_t. + +[1] https://gcc.gnu.org/gcc-13/porting_to.html#header-dep-changes + +Upstream-Status: Submitted [https://github.com/USBGuard/usbguard/pull/583] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/Library/Base64.cpp | 1 - + src/Library/Base64.hpp | 1 + + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/Library/Base64.cpp b/src/Library/Base64.cpp +index ddb28dc..0246a13 100644 +--- a/src/Library/Base64.cpp ++++ b/src/Library/Base64.cpp +@@ -22,7 +22,6 @@ + + #include "Base64.hpp" + #include <stdexcept> +-#include <cstdint> + + namespace usbguard + { +diff --git a/src/Library/Base64.hpp b/src/Library/Base64.hpp +index 0947f21..e0c745c 100644 +--- a/src/Library/Base64.hpp ++++ b/src/Library/Base64.hpp +@@ -23,6 +23,7 @@ + #endif + + #include <string> ++#include <cstdint> + #include <cstddef> + + namespace usbguard +-- +2.39.1 + diff --git a/meta-oe/recipes-security/usbguard/usbguard_1.1.2.bb b/meta-oe/recipes-security/usbguard/usbguard_1.1.2.bb new file mode 100644 index 0000000000..c062f27059 --- /dev/null +++ b/meta-oe/recipes-security/usbguard/usbguard_1.1.2.bb 
@@ -0,0 +1,70 @@
+# Copyright (c) 2021 Koninklijke Philips N.V.
+#
+# SPDX-License-Identifier: MIT
+#
+SUMMARY = "USBGuard daemon for blacklisting and whitelisting of USB devices"
+DESCRIPTION = "The USBGuard software framework helps to protect your computer against \
+rogue USB devices (a.k.a. Bad USB) by implementing basic whitelisting and blacklisting \
+capabilities based on device attributes. This recipe takes OpenSSL as crypto-backend for \
+computing device hashes (Supported values are sodium, gcrypt, openssl)."
+HOMEPAGE = "https://usbguard.github.io/"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+SRC_URI = "https://github.com/USBGuard/usbguard/releases/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
+ file://0001-include-missing-cstdint.patch \
+ file://0001-Add-and-use-pkgconfig-instead-of-libgcrypt-config.patch"
+
+SRC_URI[sha256sum] = "dcf5c90f3f93030e04df1baeb8d388b678c40dd48b135ea12a7be7dee8944934"
+
+inherit autotools-brokensep bash-completion pkgconfig systemd github-releases
+
+DEPENDS = "glib-2.0-native libcap-ng libqb libxml2-native libxslt-native protobuf protobuf-native xmlto-native"
+
+UPSTREAM_CHECK_REGEX = "releases/tag/usbguard-(?P<pver>\d+(\.\d+)+)"
+
+EXTRA_OECONF += "\
+ --with-bundled-catch \
+ --with-bundled-pegtl \
+"
+
+PACKAGECONFIG ?= "\
+ openssl \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'polkit', d)} \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
+"
+
+# USBGuard has made polkit mandatory to configure with-dbus
+PACKAGECONFIG[dbus] = "--with-dbus,--without-dbus,dbus-glib polkit"
+PACKAGECONFIG[libgcrypt] = "--with-crypto-library=gcrypt,,libgcrypt,,,libsodium openssl"
+PACKAGECONFIG[libsodium] = "--with-crypto-library=sodium,,libsodium,,,libgcrypt openssl"
+PACKAGECONFIG[openssl] = "--with-crypto-library=openssl,,openssl,,,libgcrypt libsodium"
+PACKAGECONFIG[polkit] = "--with-polkit,--without-polkit,polkit"
+PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
+PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd"
+
+SYSTEMD_PACKAGES = "${PN}"
+
+SYSTEMD_SERVICE:${PN} = "usbguard.service ${@bb.utils.contains('PACKAGECONFIG', 'dbus', 'usbguard-dbus.service', '', d)}"
+
+FILES:${PN} += "\
+ ${systemd_unitdir}/system/usbguard.service \
+ ${systemd_unitdir}/system/usbguard-dbus.service \
+ ${datadir}/polkit-1 \
+ ${datadir}/dbus-1 \
+ ${nonarch_libdir}/tmpfiles.d \
+"
+
+do_install:append() {
+# Create /var/log/usbguard in runtime.
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" ]; then
+ install -d ${D}${nonarch_libdir}/tmpfiles.d
+ echo "d ${localstatedir}/log/${BPN} 0755 root root -" > ${D}${nonarch_libdir}/tmpfiles.d/${BPN}.conf
+ fi
+ if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
+ install -d ${D}${sysconfdir}/default/volatiles
+ echo "d root root 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN}
+ fi
+ rm -rf ${D}${localstatedir}/log
+} |
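Review bot: The comment `# Create /var/log/usbguard in runtime.` inside `do_install:append()` sits at column 0 while every statement around it is indented, and "in runtime" reads oddly; `    # Create /var/log/usbguard at runtime (tmpfiles.d for systemd, volatiles for sysvinit).` matches the body and says which mechanism each branch serves. `FILES:${PN}` also lists `${systemd_unitdir}/system/usbguard-dbus.service` and `${datadir}/dbus-1` unconditionally although those are presumably only produced with the `dbus` PACKAGECONFIG; unmatched entries should be harmless, but guarding them with the same `bb.utils.contains('PACKAGECONFIG', 'dbus', ...)` already used for `SYSTEMD_SERVICE:${PN}` would keep the two lists consistent. The hunk begins on the previous line.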