[yocto] [meta-security][PATCH 01/13] os-release: remove OS_RELEASE_FEILD extending
Armin Kuster
2018-10-28 18:50:16 UTC
depends on the OS_RELEASE_FIELDS os-release changes in core,
otherwise yocto-check-layer will fail

Signed-off-by: Armin Kuster <***@gmail.com>
---
meta-security-compliance/recipes-core/os-release/os-release.bbappend | 3 ---
1 file changed, 3 deletions(-)

diff --git a/meta-security-compliance/recipes-core/os-release/os-release.bbappend b/meta-security-compliance/recipes-core/os-release/os-release.bbappend
index e9fd44a..604bacb 100644
--- a/meta-security-compliance/recipes-core/os-release/os-release.bbappend
+++ b/meta-security-compliance/recipes-core/os-release/os-release.bbappend
@@ -1,4 +1 @@
-OS_RELEASE_FIELDS += "CPE_NAME"
-
CPE_NAME="cpe:/o:openembedded:nodistro:0"
-
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:17 UTC
Signed-off-by: Armin Kuster <***@gmail.com>
---
.../tpm2-abrmd/{tpm2-abrmd_2.0.1.bb => tpm2-abrmd_2.0.2.bb} | 9 ++++-----
.../{tpm2simulator-native_138.bb => tpm2simulator_138.bb} | 0
2 files changed, 4 insertions(+), 5 deletions(-)
rename meta-tpm/recipes-tpm/tpm2-abrmd/{tpm2-abrmd_2.0.1.bb => tpm2-abrmd_2.0.2.bb} (86%)
rename meta-tpm/recipes-tpm/tpm2simulator/{tpm2simulator-native_138.bb => tpm2simulator_138.bb} (100%)

diff --git a/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.1.bb b/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb
similarity index 86%
rename from meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.1.bb
rename to meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb
index 31e90f8..951556d 100644
--- a/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.1.bb
+++ b/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb
@@ -9,15 +9,16 @@ SECTION = "security/tpm"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"

-DEPENDS += "autoconf-archive dbus glib-2.0 pkgconfig tpm2.0-tss glib-2.0-native \
+DEPENDS = "autoconf-archive dbus glib-2.0 tpm2.0-tss glib-2.0-native \
libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"

+
SRC_URI = "\
git://github.com/01org/tpm2-abrmd.git \
file://tpm2-abrmd-init.sh \
file://tpm2-abrmd.default \
"
-SRCREV = "80f8966b90d6394ad568e362d2936b333c2822bb"
+SRCREV = "d0120ace58d97bc9520c0d558657eaca87ae73b1"

S = "${WORKDIR}/git"

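Review bot: The new `SRCREV` is the only thing that fixes which source gets built, and nothing in the hunk ties that hash to the 2.0.2 release named in the recipe filename. A one-line comment above it, such as `# SRCREV corresponds to upstream tag <TAG>`, filled in after checking the upstream repository, would let the pin be audited later. `DEPENDS` also changes from `+=` to `=` while dropping `pkgconfig`, so it is worth confirming that the recipe inherits the pkgconfig class somewhere outside this hunk. The added empty line before `SRC_URI` leaves two consecutive blank lines and can be dropped.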
@@ -34,9 +35,7 @@ USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM_${PN} = "tss"
USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"

-PACKAGECONFIG ?="udev"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}"
-
+PACKAGECONFIG ?="${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}"
PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no"

do_install_append() {
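Review bot: Dropping `udev` from the default `PACKAGECONFIG` leaves no visible replacement for what that option presumably provided, namely the rule that lets the `tss` account created by `USERADD_PARAM_${PN}` open the TPM device node. If that rule now comes from another package, a comment should say so, e.g. `# udev rules for the TPM device node are expected from <PACKAGE>, not from this recipe`. Without the rule, the likely workaround on a target is to run the broker as root, which defeats the dedicated account. `do_install_append` starts on the hunk's last line and continues outside it.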
diff --git a/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb b/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb
similarity index 100%
rename from meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb
rename to meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:18 UTC
Signed-off-by: Armin Kuster <***@gmail.com>
---
meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index 099e01c..c4c8fb2 100644
--- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -1,4 +1,4 @@
-DESCRIPTION = "Security packagegroup for Poky"
+DESCRIPTION = "TPM2 packagegroup for Security"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
@@ -14,5 +14,5 @@ RDEPENDS_packagegroup-security-tpm2 = " \
libtss2 \
libtss2-tcti-device \
libtss2-tcti-mssim \
- resourcemgr \
+ tpm2-abrmd \
"
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:20 UTC
Signed-off-by: Armin Kuster <***@gmail.com>
---
recipes-security/packagegroup/packagegroup-core-security.bb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
index 653d87b..9cf233f 100644
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -65,7 +65,7 @@ RDEPENDS_packagegroup-security-ids = " \
SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
RDEPENDS_packagegroup-security-mac = " \
${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
"

@@ -76,5 +76,7 @@ RDEPENDS_packagegroup-security-ptest = " \
keyutils-ptest \
libseccomp-ptest \
python-scapy-ptest \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
ptest-runner \
"
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:19 UTC
Signed-off-by: Armin Kuster <***@gmail.com>
---
meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb | 22 +++++-----------------
1 file changed, 5 insertions(+), 17 deletions(-)

diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb b/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
index e0c5ffe..3fe1393 100644
--- a/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -3,22 +3,21 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
SECTION = "apps"

-DEPENDS = "libtasn1 expect socat glib-2.0 libtpm libtpm-native"
+DEPENDS = "libtasn1 expect socat glib-2.0 net-tools-native libtpm libtpm-native"

# configure checks for the tools already during compilation and
# then swtpm_setup needs them at runtime
DEPENDS += "tpm-tools-native expect-native socat-native"

-SRCREV = "66b42f52ef363998cb57f039889d59381d20bdf1"
-SRC_URI = "git://github.com/stefanberger/swtpm.git \
- file://fix_lib_search_path.patch \
+SRCREV = "94bb9f2d716d09bcc6cd2a2e033018f8592008e7"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=tpm2-preview.v2 \
file://fix_fcntl_h.patch \
file://ioctl_h.patch \
"

S = "${WORKDIR}/git"

-inherit autotools-brokensep pkgconfig
+inherit autotools pkgconfig
PARALLEL_MAKE = ""

TSS_USER="tss"
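Review bot: The fetch in `SRC_URI` uses the fetcher's default git protocol, which is unauthenticated and unencrypted. The `SRCREV` pin still protects the content, but adding `;protocol=https` keeps the transfer on an authenticated transport: `SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=tpm2-preview.v2;protocol=https \`. The recipe is still named swtpm_1.0 while building a commit from a preview branch, so the package version no longer describes the source and version-based vulnerability matching will presumably be misleading. If `PV` is not set outside this hunk, something like `PV = "1.0+git${SRCPV}"` would make that visible.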
@@ -35,21 +34,12 @@ EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"

export SEARCH_DIR = "${STAGING_LIBDIR_NATIVE}"

-# dup bootstrap
-do_configure_prepend () {
- libtoolize --force --copy
- autoheader
- aclocal
- automake --add-missing -c
- autoconf
-}
-
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM_${PN} = "--system ${TSS_USER}"
USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir \
--no-create-home --shell /bin/false ${BPN}"

-RDEPENDS_${PN} = "libtpm expect socat bash"
+RDEPENDS_${PN} = "libtpm expect socat bash tpm-tools"

BBCLASSEXTEND = "native nativesdk"

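Review bot: In the unchanged `USERADD_PARAM_${PN}` assignment in this hunk, `--home-dir` is followed directly by `--no-create-home`, so useradd appears to get no path and would take the next option as the home directory. Since the commit is already reworking this part of the recipe, it would be a good time to write `--home-dir <PATH> --no-create-home` with an explicit path, or to drop `--home-dir`. The same block creates the group as `--system ${TSS_USER}` but puts the account into `${TSS_GROUP}`. `TSS_GROUP` is defined outside the hunk, so confirm that the two names resolve to the same group.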
@@ -58,5 +48,3 @@ python() {
'filesystems-layer' not in d.getVar('BBFILE_COLLECTIONS').split():
raise bb.parse.SkipRecipe('Cuse enabled which requires meta-filesystems to be present.')
}
-
-RDEPENDS_${PN} += "tpm-tools"
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:21 UTC
Signed-off-by: Armin Kuster <***@gmail.com>
---
recipes-security/suricata/files/run-ptest | 3 +++
recipes-security/suricata/suricata_4.0.5.bb | 6 +++++-
2 files changed, 8 insertions(+), 1 deletion(-)
create mode 100644 recipes-security/suricata/files/run-ptest

diff --git a/recipes-security/suricata/files/run-ptest b/recipes-security/suricata/files/run-ptest
new file mode 100644
index 0000000..666ba9c
--- /dev/null
+++ b/recipes-security/suricata/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+suricata -u
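Review bot: The script passes through whatever `suricata -u` prints, so ptest-runner gets no `PASS:`/`FAIL:` result lines and a failing run is easy to miss in the logs. Assuming the command returns non-zero on failure, mapping the exit status fixes that: `suricata -u && echo "PASS: suricata-unittests" || echo "FAIL: suricata-unittests"`. The same applies to the run-ptest scripts added later in this series for tripwire (`./twtest.pl`) and fail2ban (`##PYTHON## fail2ban-testcases`). These tests cover an IDS and a file-integrity checker, so the failure signal should be unambiguous.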
diff --git a/recipes-security/suricata/suricata_4.0.5.bb b/recipes-security/suricata/suricata_4.0.5.bb
index 90b4638..6c0a109 100644
--- a/recipes-security/suricata/suricata_4.0.5.bb
+++ b/recipes-security/suricata/suricata_4.0.5.bb
@@ -10,12 +10,13 @@ SRC_URI += " \
file://volatiles.03_suricata \
file://suricata.yaml \
file://suricata.service \
+ file://run-ptest \
"

SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33"
SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798"

-inherit autotools-brokensep pkgconfig python-dir systemd
+inherit autotools-brokensep pkgconfig python-dir systemd ptest

CFLAGS += "-D_DEFAULT_SOURCE"

@@ -28,6 +29,8 @@ EXTRA_OECONF += " --disable-debug \
"

PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
+PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
+
PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
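Review bot: Appending `unittests` whenever `ptest` is in `DISTRO_FEATURES` changes how the main suricata binary is configured (`--enable-unittests`, defined in a later hunk of this file), not just what goes into `${PN}-ptest`. Every image built from a ptest-enabled distro therefore ships an IDS with the test code compiled in. Because this uses `_append`, a `.bbappend` or `local.conf` that sets `PACKAGECONFIG` cannot turn it off without `_remove`. A comment would make the trade-off explicit, e.g. `# ptest builds compile the unit tests into the suricata binary; do not use a ptest-enabled DISTRO for production images`.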
@@ -42,6 +45,7 @@ PACKAGECONFIG[file] = ",,file, file"
PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python"
+PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"

export logdir = "${localstatedir}/log"
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:22 UTC
Signed-off-by: Armin Kuster <***@gmail.com>
---
recipes-security/packagegroup/packagegroup-core-security.bb | 1 +
1 file changed, 1 insertion(+)

diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
index 9cf233f..5ee06e3 100644
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -76,6 +76,7 @@ RDEPENDS_packagegroup-security-ptest = " \
keyutils-ptest \
libseccomp-ptest \
python-scapy-ptest \
+ suricata-ptest \
${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
ptest-runner \
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:23 UTC
Signed-off-by: Armin Kuster <***@gmail.com>
---
recipes-security/images/security-build-image.bb | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/recipes-security/images/security-build-image.bb b/recipes-security/images/security-build-image.bb
index 1a7af86..a8757f9 100644
--- a/recipes-security/images/security-build-image.bb
+++ b/recipes-security/images/security-build-image.bb
@@ -6,9 +6,7 @@ IMAGE_INSTALL = "\
packagegroup-base \
packagegroup-core-boot \
packagegroup-core-security \
- os-release \
- ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} \
- ${CORE_IMAGE_EXTRA_INSTALL}"
+ os-release"

IMAGE_LINGUAS ?= " "
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:24 UTC
Signed-off-by: Armin Kuster <***@gmail.com>
---
recipes-security/tripwire/files/run-ptest | 3 +++
recipes-security/tripwire/tripwire_2.4.3.6.bb | 9 ++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
create mode 100644 recipes-security/tripwire/files/run-ptest

diff --git a/recipes-security/tripwire/files/run-ptest b/recipes-security/tripwire/files/run-ptest
new file mode 100644
index 0000000..aedfddc
--- /dev/null
+++ b/recipes-security/tripwire/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./twtest.pl
diff --git a/recipes-security/tripwire/tripwire_2.4.3.6.bb b/recipes-security/tripwire/tripwire_2.4.3.6.bb
index 465960f..59d1f35 100644
--- a/recipes-security/tripwire/tripwire_2.4.3.6.bb
+++ b/recipes-security/tripwire/tripwire_2.4.3.6.bb
@@ -16,11 +16,12 @@ SRC_URI = "\
file://twcfg.txt \
file://twinstall.sh \
file://twpol-yocto.txt \
+ file://run-ptest \
"

S = "${WORKDIR}/git"

-inherit autotools-brokensep update-rc.d
+inherit autotools-brokensep update-rc.d ptest

INITSCRIPT_NAME = "tripwire"
INITSCRIPT_PARAMS = "start 40 S ."
@@ -58,9 +59,15 @@ do_install () {
install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN}
}

+do_install_ptest_append () {
+ install -d ${D}${PTEST_PATH}/tests
+ cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH}
+}

FILES_${PN} += "${libdir} ${docdir}/${PN}/*"
FILES_${PN}-dbg += "${sysconfdir}/${PN}/.debug"
FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a"
+FILES_${PN}-ptest += "${PTEST_PATH}/tests "

RDEPENDS_${PN} += " perl nano msmtp cronie"
+RDEPENDS_${PN}-ptest = " perl lib-perl"
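Review bot: `cp -a` in `do_install_ptest_append` preserves the ownership of the files under `${S}`, which normally belong to the build user, so the harness can end up in the image owned by a UID that does not exist on the target (the host-user-contaminated QA case). `cp -R --no-dereference --preserve=mode,links ${S}/src/test-harness/* ${D}${PTEST_PATH}` avoids that. The function also creates `${D}${PTEST_PATH}/tests`, and `FILES_${PN}-ptest` adds only that directory, yet the harness is copied one level up, next to run-ptest. Either the directory or the copy destination looks unintended.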
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:25 UTC
Permalink
Signed-off-by: Armin Kuster <***@gmail.com>
---
recipes-security/packagegroup/packagegroup-core-security.bb | 1 +
1 file changed, 1 insertion(+)

diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
index 5ee06e3..741ff5c 100644
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -77,6 +77,7 @@ RDEPENDS_packagegroup-security-ptest = " \
libseccomp-ptest \
python-scapy-ptest \
suricata-ptest \
+ tripwire-ptest \
${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
ptest-runner \
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:26 UTC
Signed-off-by: Armin Kuster <***@gmail.com>
---
recipes-security/fail2ban/files/run-ptest | 3 +++
recipes-security/fail2ban/python-fail2ban.inc | 9 ++++++++-
recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb | 2 ++
recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb | 2 ++
4 files changed, 15 insertions(+), 1 deletion(-)
create mode 100644 recipes-security/fail2ban/files/run-ptest

diff --git a/recipes-security/fail2ban/files/run-ptest b/recipes-security/fail2ban/files/run-ptest
new file mode 100644
index 0000000..9f6aebe
--- /dev/null
+++ b/recipes-security/fail2ban/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+##PYTHON## fail2ban-testcases
diff --git a/recipes-security/fail2ban/python-fail2ban.inc b/recipes-security/fail2ban/python-fail2ban.inc
index 0b88f83..9245f17 100644
--- a/recipes-security/fail2ban/python-fail2ban.inc
+++ b/recipes-security/fail2ban/python-fail2ban.inc
@@ -14,9 +14,10 @@ SRC_URI = " \
git://github.com/fail2ban/fail2ban.git;branch=0.11 \
file://initd \
file://fail2ban_setup.py \
+ file://run-ptest \
"

-inherit update-rc.d
+inherit update-rc.d ptest

S = "${WORKDIR}/git"

@@ -35,6 +36,12 @@ do_install_append () {
chown -R root:root ${D}/${bindir}
}

+do_install_ptest_append () {
+ install -d ${D}${PTEST_PATH}
+ sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
+ install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
+}
+
FILES_${PN} += "/run"

INSANE_SKIP_${PN}_append = "already-stripped"
diff --git a/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb b/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
index 70c3bd9..17a7dd8 100644
--- a/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
+++ b/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
@@ -1,2 +1,4 @@
inherit setuptools
require python-fail2ban.inc
+
+RDEPENDS_${PN}-ptest = "python python-modules python-fail2ban"
diff --git a/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb b/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb
index bdb4146..5c887e8 100644
--- a/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb
+++ b/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb
@@ -1,2 +1,4 @@
inherit setuptools3
require python-fail2ban.inc
+
+RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:27 UTC
Signed-off-by: Armin Kuster <***@gmail.com>
---
recipes-security/packagegroup/packagegroup-core-security.bb | 1 +
1 file changed, 1 insertion(+)

diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
index 741ff5c..e847847 100644
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -78,6 +78,7 @@ RDEPENDS_packagegroup-security-ptest = " \
python-scapy-ptest \
suricata-ptest \
tripwire-ptest \
+ python3-fail2ban-ptest \
${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
ptest-runner \
--
2.7.4

--
Armin Kuster
2018-10-28 18:50:28 UTC
Signed-off-by: Armin Kuster <***@gmail.com>
---
conf/layer.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 76f5bd6..19e647e 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -13,4 +13,4 @@ LAYERSERIES_COMPAT_security = "thud"

LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"

-DEFAULT_TEST_SUITES_pn-security-build-image = " ${MINTESTSUITE} ssh scp ptest"
+DEFAULT_TEST_SUITES_pn-security-build-image = " ${PTESTTESTSUITE}"
--
2.7.4

--