Following the update on master.
This version reports more hardening issues:
128 "failures" instead of 113 on the same kernel.
Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The enum PCAP_SOCKET conflicts with the PCAP_SOCKET macro introduced in
libpcap 1.10.5. Use ifdefs to handle both old and new libpcap versions,
renaming the enum to NM_PCAP_SOCKET when the PCAP_SOCKET macro is defined.
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Fix "audit" set in CVE_PRODUCT to "linux:audit" to detect only vulnerabilities where the vendor is "linux".
Currently, CVE_PRODUCT also detects vulnerabilities where the vendor is "visionsoft",
which are unrelated to the "audit" in this recipe.
https://www.opencve.io/cve?vendor=visionsoft&product=audit
In addition, all the vulnerabilities currently detected in "audit" have the vendor of "visionsoft" or "linux".
Therefore, fix "audit" set in CVE_PRODUCT to "linux:audit".
Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e87e51da49)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
ChangeLog:
- Fix musl C builds
- Many code cleanups
- Use atomic variables if available for signal related flags
- Dont rotate audit logs when auditd is in debug mode
- Fix a couple memory leaks on error paths
- Correct output when displaying rules with exe/path/dir
- Fix auparse lookup test to not use the system libaupaurse
- Improve auparse metrics
- Update auparse normalizer for recent syscalls
- Make status report uniform
Drop 0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch as
the issue has been fixed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f7e691ff43)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This recipe is a Scarthgap backport of kernel-hardening-checker_0.6.10.2.bb
in the master branch as of August 19, 2025.
Tested on qemux86-64 and on beaglebone-yocto
Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
The following paths have been replaced with PYTHON_SITEPACKAGES_DIR:
- "${libdir}/${PYTHON_DIR}/site-packages"
- "${libdir}/python${PYTHON_BASEVERSION}/site-packages"
- "${libdir}/python*/site-packages"
- "${libdir}/python3.*/site-packages"
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://github.com/linux-audit/audit-userspace/releases/tag/v4.0.1
Update TRUSTED_APP interpretation to look for known fields;
In auditd plugins, allow variable amount of arguments;
Fix augenrules to work correctly when kernel is in immutable mode;
Add audisp-filter plugin;
Improve sorting speed of aureport --summary reports;
Auditd & audit-rules.service pick up paths automatically.
* Drop backport patch.
* Specify runstatedir.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://github.com/linux-audit/audit-userspace/releases/tag/v4.0
Major changes:
Separate loading rules and logging events into separate services,
audit-rules.service and auditd.service.
Drop support for python2 and SysVinit.
The auvirt and autrace programs have been dropped.
The syscall and interpretation tables have been updated for the 6.8
kernel.
* Backport patch to fix build error with musl
* Clean up configure options
* Use its own systemd service files
* Refresh patches
* Fix indentation
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[Edited Message Follows]
[Reason: include softhsm2.module only in FILES if pk11 is set in PACKAGECONFIG]
From 216dba6552f2b3a65c3fc9b586736d93132a0166 Mon Sep 17 00:00:00 2001
From: "Gassner, Tobias.ext" <tobias.gassner.ext@karlstorz.com>
Date: Thu, 18 Jan 2024 12:50:22 +0100
Subject: [PATCH] softhsm_2.6.1.bb fixing p11-kit module path, adding
softhsm2.module to FILES
In order for the softhsm module to be discoverable by p11-kit proxy the
softhsm2.module file must be deployed to ${datadir}/p11-kit/modules.
This was previously not the case. Also the p11-kit module path
(--with-p11-kit) seemed to point to the wrong directory and had a syntax
error (two == instead one =).
Signed-off-by: Gassner, Tobias.ext <tobias.gassner.ext@karlstorz.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
In 7.80 this requires distutils (no longer provided in python 3.12).
This may be resolved in newer nmap versions, so if you care about it
please provide a version update: https://nmap.org/dist/
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
makefile-add-ldflags.patch
refreshed for 2.0.3
Changelog:
===========
-Added pkg-config file.
-Changed enforce=users to support "chpasswd" PAM service in addition to
traditionally supported "passwd".
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is new patch-status QA check in oe-core:
https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a
This is temporary work around just to hide _many_ warnings from
optional patch-status (if you add it to WARN_QA).
This just added
Upstream-Status: Pending
everywhere without actually investigating what's the proper status.
This is just to hide current QA warnings and to catch new .patch files being
added without Upstream-Status, but the number of Pending patches is now terrible:
5 (26%) meta-xfce
6 (50%) meta-perl
15 (42%) meta-webserver
21 (36%) meta-gnome
25 (57%) meta-filesystems
26 (43%) meta-initramfs
45 (45%) meta-python
47 (55%) meta-multimedia
312 (63%) meta-networking
756 (61%) meta-oe
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
- Add user friendly keywords for signals to auditctl
- In ausearch, parse up URINGOP and DM_CTRL records
- Harden auparse to better handle corrupt logs
- Fix a CFLAGS propogation problem in the common directory
- Move the audispd af_unix plugin to a standalone program
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Removed version 2.8.5, as the 2.8 series is no longer maintained since
2020.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
We already depend on sqlite, but the objectstore backend using it is not
enabled by default. Add the necessary configure option.
The db backend is more robust when accessing the objectstore from many
parallel processes (such as during kernel module signing).
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
SoftHSMv2 actually only uses the sqlite library. With the check for the
sqlite3 binary, building with the DB backend would mean depending on
sqlite-native.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Move SRC_URI to git as there's no tarball for 1.6.3. Fix failing tests
when busybox is providing `head`. Pull in reproducibility fix from Arch
Linux. Remove autoconf inherit as this is a simple Makefile package. Add
manpages support via inherit so man-db is updated. Add missing ptest
dependencies.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Using `DEPENDS = "pegtl"` with `--with-bundled-pegtl` doesn't make
sense, so drop the DEPENDS.
Also add github-releases checking for newer versions.
Drop redundant setting of `S` to the default.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
All the ptest cases are failed since error "+++ Can't Determine Endianness",
update the regex for matching the endianness to fix this issue.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It uses python3-config during build to grok the python specific
includedirs, therefore its important to ensure that target specific
python3-config is used, otherwise currently it defaults to native
python3-config which ends up adding native python3 include paths
which might work out ok but is exposed when target is 32bit + lfs
enabled, the headers don't match between native and target python
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
In auditd, release the async flush lock on stop
Don't allow auditd to log directly into /var/log when log_group is non-zero
Cleanup krb5 memory leaks on error paths
Update auditd.cron to use auditctl --signal
In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
In auparse, special case kernel module name interpretation
If overflow_action is ignore, don't treat as an error
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix below compile errors
1. Fix build with linux 5.17+
audit errors out due to swig munging it does with kernel headers
| audit_wrap.c: In function '_wrap_audit_rule_data_buf_set':
| audit_wrap.c:4701:17: error: cast specifies array type
| 4701 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
| | ^
| audit_wrap.c:4701:15: error: invalid use of flexible array member
| 4701 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
| | ^
| audit_wrap.c:4703:15: error: invalid use of flexible array member
| 4703 | arg1->buf = 0;
| | ^
These errors are due to VLAIS from kernel headers, so we copy
linux/audit.h and make the needed change in local audit.h and make
needed arrangements in build to use it when building audit package
Take reference of upstream commit
ee3c680c3 audit: Upgrade to 3.0.8 and fix build with linux 5.17+
Update 0002-Fixed-swig-host-contamination-issue.patch
2. Fix ipx.h missing file bug for kernel 5.15
ipx.h header file is removed in kernel 5.15
Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/include/net?id=6c9b40844751ea30c72f7a2f92f4d704bc6b2927
which is causing below error for system with kernel equal and
higher than 5.15
| ../../git/auparse/interpret.c:48:10: fatal error: linux/ipx.h: No such file or directory
| 48 | #include <linux/ipx.h>
| | ^~~~~~~~~~~~~
Add below patch to fix this issue.
0001-Make-IPX-packet-interpretation-dependent-on-the-ipx-header.patch
Link: https://github.com/linux-audit/audit-userspace/commit/6b09724c69d91668418ddb3af00da6db6755208c
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The actual file name is now libpasswdqc.so.1 instead of libpasswdqc.so.0.
This fixes the following error when installing passwdqc:
nothing provides libpasswdqc needed by passwdqc-2.0.2-r0
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: install-dependencies.sh and run-build-and-tests.sh are
mentioned under GPL-2.0 but they are not included in release tarball
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This tweak is needed for building audit but not the interfaces it may
expose via the headers, therefore undo the tweak before packaging things
up
Reported-By: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
audit errors out due to swig munging it does with kernel headers
| audit_wrap.c: In function '_wrap_audit_rule_data_buf_set':
| audit_wrap.c:4701:17: error: cast specifies array type
| 4701 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
| | ^
| audit_wrap.c:4701:15: error: invalid use of flexible array member
| 4701 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
| | ^
| audit_wrap.c:4703:15: error: invalid use of flexible array member
| 4703 | arg1->buf = 0;
| | ^
These errors are due to VLAIS from kernel headers, so we copy
linux/audit.h and make the needed change in local audit.h and make
needed arrangements in build to use it when building audit package
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
Set one crypto-backend library at a time
OpenSSL is the crypto-backend library set for device hashing
Override PACKAGECONFIG to replace it with libsodium or libgcrypt
Signed-off-by: Anu Deepthika, Nandipati <Nandipati.AnuDeepthika@philips.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Michael Opdenacker
Jinfeng Wang
Armin Kuster
Shinji Matsunaga
Yi Zhao
Guocai He
alperak
Khem Raj
Gassner, Tobias.ext
Alexander Kanavin
Wang Mingyu
Martin Jansa
Bartosz Golaszewski
Jan Luebbe
Alex Kiernan
Markus Volk
Changqing Li
Akash Hadke
Chen Qi
Anu Deepthika, Nandipati
Richard Purdie