Remove empty directory when enable multilib.
Fixes:
ERROR: audit-4.0.3-r0 do_package: QA Issue: audit: Files/directories
were installed but not shipped in any package:
/usr/lib
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Building with ndiff PACKAGECONFIG failed with the following error:
| File "/yocto/sandbox/build/tmp/work/cortexa53-poky-linux/nmap/7.95/nmap-7.95/ndiff/setup.py", line 11, in <module>
| import setuptools.command.install
| ModuleNotFoundError: No module named 'setuptools'
Fix it by adding the missing dependency.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
multilib builds fail with:
install: cannot stat 'lib32-spectre-meltdown-checker/0.46/sources-unpack/git/lib32-spectre-meltdown-checker.sh': No such file or directory
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
- Remove a RHEL4 flag table since it's been unsupported for a while
- Change dependency from Requires to Wants for audit-rules.service
- Disable ProtectKernelModules by default in auditd.service
- Skip plugin configs that do not have .conf suffix
- audisp-filter: iterate records correctly when forwarding
- Update syscall table for missing syscalls
- Modify ausearch checkpoint code to address 64 inode and device numbers
- Fix potential segfault interpreting relative paths
- Add audit_set_enabled & audit_is_enabled back to the libaudit python bindings
- Log runlevel changes to console during boot
- Add audit-tmpfiles.conf to ensure /var/log/audit exists
- Propagate event format to the audisp-af_unix plugin
- Add support for RISC-V - riscv32, riscv64
* Enable riscv support
* Use its own volatile file for systemd.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Currently softhsm will try to access deleted obejcts due to the order of
atexit handler implementations. Add a patch which adds a global variable
to track whether objects are deleted and prevents access if this is the
case.
This fixes a failure with the signing.bbclass where when signing
multiple fitimage configurations the second signing operation will lead
to a segfault.
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fix "audit" set in CVE_PRODUCT to "linux:audit" to detect only vulnerabilities where the vendor is "linux".
Currently, CVE_PRODUCT also detects vulnerabilities where the vendor is "visionsoft",
which are unrelated to the "audit" in this recipe.
https://www.opencve.io/cve?vendor=visionsoft&product=audit
In addition, all the vulnerabilities currently detected in "audit" have the vendor of "visionsoft" or "linux".
Therefore, fix "audit" set in CVE_PRODUCT to "linux:audit".
Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Use full file for checksum ( COPYING -> LICENSE )
Use system libpcre
Drop py3 support patches, its default now
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
- Fix musl C builds
- Many code cleanups
- Use atomic variables if available for signal related flags
- Dont rotate audit logs when auditd is in debug mode
- Fix a couple memory leaks on error paths
- Correct output when displaying rules with exe/path/dir
- Fix auparse lookup test to not use the system libaupaurse
- Improve auparse metrics
- Update auparse normalizer for recent syscalls
- Make status report uniform
Drop 0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch as
the issue has been fixed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop patch 0001-include-missing-cstdint.patch because it was merged
upstream. See this commit in usbguard:
* 22b1e08 Fix build for GCC 13 + make GitHub Actions cover build with GCC 13 (#586)
Signed-off-by: Christophe Vu-Brugier <christophe.vu-brugier@seagate.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
- Fix a double-close on error reading from --args, --seccomp or --add-seccomp-fd argument
- Improve memory allocation behaviour
- Silence various compiler warnings
- Silence an Automake warning
- Fix a test failure when running as uid 0 in a container
- Fix a test failure when /mnt is a symlink
- Fix a test failure on NixOS
- Add --argv0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The following paths have been replaced with PYTHON_SITEPACKAGES_DIR:
- "${libdir}/${PYTHON_DIR}/site-packages"
- "${libdir}/python${PYTHON_BASEVERSION}/site-packages"
- "${libdir}/python*/site-packages"
- "${libdir}/python3.*/site-packages"
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://github.com/linux-audit/audit-userspace/releases/tag/v4.0.1
Update TRUSTED_APP interpretation to look for known fields;
In auditd plugins, allow variable amount of arguments;
Fix augenrules to work correctly when kernel is in immutable mode;
Add audisp-filter plugin;
Improve sorting speed of aureport --summary reports;
Auditd & audit-rules.service pick up paths automatically.
* Drop backport patch.
* Specify runstatedir.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ChangeLog:
https://github.com/linux-audit/audit-userspace/releases/tag/v4.0
Major changes:
Separate loading rules and logging events into separate services,
audit-rules.service and auditd.service.
Drop support for python2 and SysVinit.
The auvirt and autrace programs have been dropped.
The syscall and interpretation tables have been updated for the 6.8
kernel.
* Backport patch to fix build error with musl
* Clean up configure options
* Use its own systemd service files
* Refresh patches
* Fix indentation
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[Edited Message Follows]
[Reason: include softhsm2.module only in FILES if pk11 is set in PACKAGECONFIG]
From 216dba6552f2b3a65c3fc9b586736d93132a0166 Mon Sep 17 00:00:00 2001
From: "Gassner, Tobias.ext" <tobias.gassner.ext@karlstorz.com>
Date: Thu, 18 Jan 2024 12:50:22 +0100
Subject: [PATCH] softhsm_2.6.1.bb fixing p11-kit module path, adding
softhsm2.module to FILES
In order for the softhsm module to be discoverable by p11-kit proxy the
softhsm2.module file must be deployed to ${datadir}/p11-kit/modules.
This was previously not the case. Also the p11-kit module path
(--with-p11-kit) seemed to point to the wrong directory and had a syntax
error (two == instead one =).
Signed-off-by: Gassner, Tobias.ext <tobias.gassner.ext@karlstorz.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
In 7.80 this requires distutils (no longer provided in python 3.12).
This may be resolved in newer nmap versions, so if you care about it
please provide a version update: https://nmap.org/dist/
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
makefile-add-ldflags.patch
refreshed for 2.0.3
Changelog:
===========
-Added pkg-config file.
-Changed enforce=users to support "chpasswd" PAM service in addition to
traditionally supported "passwd".
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is new patch-status QA check in oe-core:
https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a
This is temporary work around just to hide _many_ warnings from
optional patch-status (if you add it to WARN_QA).
This just added
Upstream-Status: Pending
everywhere without actually investigating what's the proper status.
This is just to hide current QA warnings and to catch new .patch files being
added without Upstream-Status, but the number of Pending patches is now terrible:
5 (26%) meta-xfce
6 (50%) meta-perl
15 (42%) meta-webserver
21 (36%) meta-gnome
25 (57%) meta-filesystems
26 (43%) meta-initramfs
45 (45%) meta-python
47 (55%) meta-multimedia
312 (63%) meta-networking
756 (61%) meta-oe
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
- Add user friendly keywords for signals to auditctl
- In ausearch, parse up URINGOP and DM_CTRL records
- Harden auparse to better handle corrupt logs
- Fix a CFLAGS propogation problem in the common directory
- Move the audispd af_unix plugin to a standalone program
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Removed version 2.8.5, as the 2.8 series is no longer maintained since
2020.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
We already depend on sqlite, but the objectstore backend using it is not
enabled by default. Add the necessary configure option.
The db backend is more robust when accessing the objectstore from many
parallel processes (such as during kernel module signing).
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
SoftHSMv2 actually only uses the sqlite library. With the check for the
sqlite3 binary, building with the DB backend would mean depending on
sqlite-native.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Move SRC_URI to git as there's no tarball for 1.6.3. Fix failing tests
when busybox is providing `head`. Pull in reproducibility fix from Arch
Linux. Remove autoconf inherit as this is a simple Makefile package. Add
manpages support via inherit so man-db is updated. Add missing ptest
dependencies.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Using `DEPENDS = "pegtl"` with `--with-bundled-pegtl` doesn't make
sense, so drop the DEPENDS.
Also add github-releases checking for newer versions.
Drop redundant setting of `S` to the default.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
All the ptest cases are failed since error "+++ Can't Determine Endianness",
update the regex for matching the endianness to fix this issue.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It uses python3-config during build to grok the python specific
includedirs, therefore its important to ensure that target specific
python3-config is used, otherwise currently it defaults to native
python3-config which ends up adding native python3 include paths
which might work out ok but is exposed when target is 32bit + lfs
enabled, the headers don't match between native and target python
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
In auditd, release the async flush lock on stop
Don't allow auditd to log directly into /var/log when log_group is non-zero
Cleanup krb5 memory leaks on error paths
Update auditd.cron to use auditctl --signal
In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
In auparse, special case kernel module name interpretation
If overflow_action is ignore, don't treat as an error
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
mark.yang
Khem Raj
Yi Zhao
Gyorgy Sarvari
Hongxu Jia
Martin Jansa
Jörg Sommer
Wang Mingyu
Armin Kuster
Rouven Czerwinski
Shinji Matsunaga
Markus Volk
Christophe Vu-Brugier
alperak
Gassner, Tobias.ext
Alexander Kanavin
Bartosz Golaszewski
Jan Luebbe
Alex Kiernan
Changqing Li