Commit Graph

877 Commits

Author SHA1 Message Date
Ming Liu
3daf99fd13 ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
This fixes the following systemd boot issues:
[    7.455580] systemd[1]: Failed to create /init.scope control group: Permission denied
[    7.457677] systemd[1]: Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object.
[    7.459270] systemd[1]: Freezing execution.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:09:24 -08:00
Ming Liu
bf83dca254 ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
Otherwise wic will fail without the "--no-fstab-update" option.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:09:03 -08:00
Ming Liu
b263e0a19b initramfs-framework-ima: let ima_enabled return 0
Otherwise, the ima script would not run as intended.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:09:03 -08:00
Ming Liu
5195ccdea1 README.md: update according to the refactoring in ima-evm-rootfs.bbclass
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:09:03 -08:00
Ming Liu
23928ef425 meta: refactor IMA/EVM sign rootfs
The current logic in ima-evm-rootfs.bbclass does not guarantee that
ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND
by appending to it, for instance if other "_append" assignments are
used, as is the case in openembedded-core/meta/classes/image.bbclass:

| IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \
| if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \
| and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True,
| False, d) else ''} reproducible_final_image_task; "

Also, ima-evm-rootfs should be in IMAGE_CLASSES instead of INHERIT,
since the latter would affect all recipes, not only image recipes.

To fix the above issues, we introduce an ima_evm_sign_handler that sets
the IMA/EVM rootfs signing requirements/dependencies in the
bb.event.RecipePreFinalise event; it checks the 'ima' distro feature to
decide whether the IMA/EVM rootfs signing logic should be applied.

Also add ima-evm-keys to IMAGE_INSTALL.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:09:03 -08:00
Ming Liu
ea2aef0a1b initramfs-framework-ima: RDEPENDS on ima-evm-keys
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:09:03 -08:00
Ming Liu
1ed3654327 ima-evm-keys: add recipe
Create a recipe to package IMA/EVM public keys.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:09:03 -08:00
Ming Liu
6608a19015 initramfs-framework-ima: fix a wrong path
/etc/ima-policy > /etc/ima/ima-policy.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:09:03 -08:00
Ming Liu
e25975dcb9 ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
'ima' does not have to be in the native DISTRO_FEATURES; unset it to
avoid the sanity check for ima-evm-utils-native.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04 13:08:50 -08:00
Armin Kuster
0a7814bab3 kas-security-base: use gatesgarth name
drop DL_DIR

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-24 21:22:22 -08:00
Armin Kuster
f6b484d0aa kas-security-base.yml: build setting updates
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-24 15:15:43 -08:00
Armin Kuster
2485a83458 scap-security-guide: Inherit python3targetconfig
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-24 07:37:49 -08:00
Armin Kuster
e629149b1d openscap: Inherit python3targetconfig
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-24 07:37:49 -08:00
Armin Kuster
1ab620fb93 python3-suricata-update: Inherit python3targetconfig
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-24 07:37:49 -08:00
Armin Kuster
c75a097acd apparmor: Inherit python3targetconfig
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-24 07:36:08 -08:00
Armin Kuster
6a750a915e .gitlab-ci: drop script
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-17 08:27:14 -08:00
Armin Kuster
4583ab9b08 kas-security-base: Don't create local SSTATE mirror
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-15 11:07:00 -08:00
Yi Zhao
1a450e8177 scap-security-guide: fix build with Python 3.9
The getchildren and getiterator functions are deprecated in Python 3.9.
Backport 3 patches to fix the build issue.

Fixes:
  File "/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/scap-security-guide/0.1.44+gitAUTOINC+5fdfdcb2e9-r0/git/ssg/build_stig.py", line 41, in add_references
    index = rule.getchildren().index(ref)
AttributeError: 'xml.etree.ElementTree.Element' object has no attribute 'getchildren'

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-15 11:06:52 -08:00
Armin Kuster
d0adcbaa53 samhain: update to 4.4.2
refresh a few patches too

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-04 07:33:51 -08:00
Yi Zhao
5351607c6d clamav: unify volatiles file name
Make the volatiles file name start with a digit.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-04 07:33:51 -08:00
Yi Zhao
9abb0022f8 suricata: unify volatiles file name
Make the volatiles file name start with a digit.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-04 07:33:43 -08:00
Armin Kuster
a67a0cb1bd gitlab-ci: add building meta-security-compliance pkgs
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-19 18:09:16 -07:00
Armin Kuster
faf9a2c664 gitlab-ci: add meta-hardening build image
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-19 18:09:09 -07:00
Armin Kuster
e780c32dae meta-security: Add gatesgarth to LAYERSERIES_COMPAT
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-19 18:07:50 -07:00
Sajjad Ahmed
63e1cf3ffa layer.conf: use += instead of := to update BBFILES
Updating BBFILES with := isn't the standard way and can break
parsing under certain conditions; instead use +=, which is widely used.

Signed-off-by: Sajjad Ahmed <sajjad_ahmed@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15 21:40:02 -07:00
Mingli Yu
4c2f7ffd49 scap-security-guide: add expat-native to DEPENDS
Add expat-native to DEPENDS to fix the below do_configure error:
| CMake Error at CMakeLists.txt:165 (message):
|  xmlwf is required!

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15 21:15:03 -07:00
Armin Kuster
0a07bf8046 tpm2-pkcs11: update to 1.4.0
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15 21:15:03 -07:00
Armin Kuster
02b62b859d tpm2-tools: update to 4.3.0
LIC_FILES_CHKSUM changes due to added Copyright

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15 21:15:03 -07:00
Armin Kuster
9d6e3ff0ed tpm2-abrmd: update to 2.3.3
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15 21:15:03 -07:00
Armin Kuster
8566325c96 tpm2-totp: update to 0.2.1
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15 21:15:03 -07:00
Armin Kuster
6c6e967b98 tpm2-tss: update to 2.4.3
includes: CVE-2020-24455

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15 21:15:03 -07:00
Armin Kuster
bf494f2114 gitlab-ci: add qemux86 and qemuarm64 musl builds
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15 21:15:03 -07:00
Armin Kuster
16ab6ce706 kas: fixup alt configs
add smack

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15 21:14:53 -07:00
Armin Kuster
3ce8b759c9 suricata: update to 4.1.9
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-10 16:21:48 -07:00
Armin Kuster
496a734c14 packagegroup-core-security: remove clamav from musl image
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-10 16:21:48 -07:00
Armin Kuster
c0e801f1e0 sssd: update to latest ltm 1.16.5
fix musl support

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-10 16:21:48 -07:00
Armin Kuster
7578a8b2ed libest: fix musl build.
fixes
| est.c:38:10: fatal error: execinfo.h: No such file or directory
|    38 | #include <execinfo.h>
|       |          ^~~~~~~~~~~~

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-10 16:21:48 -07:00
Armin Kuster
b3f10d2285 ecryptfs-utils: fix musl build
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-10 16:21:48 -07:00
Armin Kuster
11dd919372 apparmor: fix build on musl
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-10 16:21:31 -07:00
Armin Kuster
c5b5737ef3 qemux86-test: add apparmor back
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-10 16:21:31 -07:00
Armin Kuster
d3aff039c9 suricata: fix compiling on gcc10
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-09 07:02:01 -07:00
Armin Kuster
8bab022533 packagegroup-core-security: apparmor 3.0 ptest does not build
For now, skip the apparmor ptest.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-09 07:02:01 -07:00
Armin Kuster
b8c437bf70 apparmor: update to 3.0
Skip ptest for now; it is on the todo list to fix.
Runtime tests pass.

remove patch now included in update: 0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-09 07:02:01 -07:00
Armin Kuster
21489a2942 security-test-image: tweak to get more tests to run
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-09 07:02:01 -07:00
Armin Kuster
2a7963df18 apparmor: fix build issue with ptest enabled.
minor spacing cleanup

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-09 07:02:01 -07:00
Naveen Saini
d9feafe991 linux-%/5.x: Add dm-verity fragment as needed
Add checks that include dm-verity specific kernel config fragment
when dm-verity-img.bbclass is used.

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-09 07:02:01 -07:00
Naveen Saini
0de4f3bfb7 wic: add wks.in for intel dm-verity
Based on systemd-bootdisk-microcode.wks.in, this adds
the dm-verity image similar to the beaglebone wks
already in meta-security.

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-09 07:02:01 -07:00
Naveen Saini
e23767fc72 initramfs-framework/dmverity: add retry loop for slow boot devices
Detection of USB devices by the kernel is slow enough. We need to
keep trying for a while (default: 5 seconds, controlled by roottimeout=<seconds>)
and sleep between each attempt (default: one second, rootdelay=<seconds>).

Fix is based on https://git.yoctoproject.org/cgit.cgi/poky/commit/meta/recipes-core/initrdscripts/initramfs-framework/rootfs?id=ee6a6c3461694ce09789bf4d852cea2e22fc95e4

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-09 07:01:47 -07:00
Armin Kuster
ab56b1df52 packagegroup-core-security-ptest: remove
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-01 06:22:07 -07:00
Armin Kuster
b03d65ffe4 security-test-image: simplify
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-01 06:22:07 -07:00