meta-security: add sanity check

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-01-12 03:10:13 +00:00 · 2021-06-02 02:05:05 +00:00
parent 34d6b479b8
commit c1235f6aff
3 changed files with 32 additions and 0 deletions
--- a/18
+++ b/18
@@ -1,6 +1,24 @@
 Meta-security
 =============

+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'security' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+  DISTRO_FEATURES_append = " security"
+
+If meta-security is included, but security  is not enabled as a
+distro feature a warning is printed at parse time:
+
+    You have included the meta-security layer, but
+    'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+    and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+
+  SKIP_META_SECURITY_SANITY_CHECK = 1
+
 This layer provides security tools, hardening tools for Linux kernels
 and libraries for implementing security mechanisms.

--- a/classes/sanity-meta-security.bbclass
+++ b/classes/sanity-meta-security.bbclass
@@ -0,0 +1,10 @@
+addhandler security_bbappend_distrocheck
+security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
+python security_bbappend_distrocheck() {
+    skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1"
+    if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+        bb.warn("You have included the meta-security layer, but \
+'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-security README \
+for details on enabling security support.")
+}
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -13,6 +13,10 @@ LAYERSERIES_COMPAT_security = "hardknott"

 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"

+# Sanity check for meta-security layer.
+# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-security"
+
 BBFILES_DYNAMIC += " \
 rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb  \
 "