From c1235f6affb5c38e64b3a04533b8388969b194b2 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Wed, 2 Jun 2021 02:05:05 +0000 Subject: [PATCH] meta-security: add sanity check Signed-off-by: Armin Kuster --- README | 18 ++++++++++++++++++ classes/sanity-meta-security.bbclass | 10 ++++++++++ conf/layer.conf | 4 ++++ 3 files changed, 32 insertions(+) create mode 100644 classes/sanity-meta-security.bbclass diff --git a/README b/README index eb15366..4047b86 100644 --- a/README +++ b/README @@ -1,6 +1,24 @@ Meta-security ============= +The bbappend files for some recipes (e.g. linux-yocto) in this layer need +to have 'security' in DISTRO_FEATURES to have effect. +To enable them, add in configuration file the following line. + + DISTRO_FEATURES_append = " security" + +If meta-security is included, but security is not enabled as a +distro feature a warning is printed at parse time: + + You have included the meta-security layer, but + 'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files + and preferred version setting may not take effect. + +If you know what you are doing, this warning can be disabled by setting the following +variable in your configuration: + + SKIP_META_SECURITY_SANITY_CHECK = 1 + This layer provides security tools, hardening tools for Linux kernels and libraries for implementing security mechanisms. diff --git a/classes/sanity-meta-security.bbclass b/classes/sanity-meta-security.bbclass new file mode 100644 index 0000000..b6c6b9c --- /dev/null +++ b/classes/sanity-meta-security.bbclass 
@@ -0,0 +1,10 @@ +addhandler security_bbappend_distrocheck +security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck" +python security_bbappend_distrocheck() { + skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1" + if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: + bb.warn("You have included the meta-security layer, but \ +'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ +and preferred version setting may not take effect. See the meta-security README \ +for details on enabling security support.") +} diff --git a/conf/layer.conf b/conf/layer.conf index 906e024..7853d6e 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -13,6 +13,10 @@ LAYERSERIES_COMPAT_security = "hardknott" LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" +# Sanity check for meta-security layer. +# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check. +INHERIT += "sanity-meta-security" + BBFILES_DYNAMIC += " \ rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb \ "
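Review bot: In classes/sanity-meta-security.bbclass the handler reads `SKIP_META_SECUIRTY_SANITY_CHECK` (letters transposed), while the README text and the comment added to conf/layer.conf both name `SKIP_META_SECURITY_SANITY_CHECK`, so setting the documented variable never silences the warning. The lookup should read `skip_check = e.data.getVar('SKIP_META_SECURITY_SANITY_CHECK') == "1"`. Separately, `e.data.getVar('DISTRO_FEATURES').split()` would raise if DISTRO_FEATURES were ever unset at SanityCheck time; `(e.data.getVar('DISTRO_FEATURES') or "").split()` keeps the handler to a warning in that case. The README example `SKIP_META_SECURITY_SANITY_CHECK = 1` is also unquoted, whereas the handler compares against the string "1" and BitBake configuration assignments need the value quoted, so the documented form should be `SKIP_META_SECURITY_SANITY_CHECK = "1"`.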