Add modern ClamAV 1.4.3 recipe with comprehensive improvements over
the legacy 0.104.4 version. Remove the end-of-life 0.104.4 recipe and
associated patches as they are superseded by this version.
Major changes in 1.4.3:
- Upgraded core engine with improved threat detection capabilities
- Added Rust components requiring cross-compilation support
- Updated CMake build system replacing legacy autotools
- Modernized library dependencies (LLVM, JSON-C, PCre2)
- Added comprehensive license compliance for multi-component package
- Enhanced cross-compilation support for all target architectures
The recipe includes dynamic Cargo configuration using Yocto variables
to support cross-compilation to any target architecture supported by
the build system.
Runtime configuration improvements:
- Set APP_CONFIG_DIRECTORY to ${sysconfdir}/clamav for proper config paths
- Added volatiles/tmpfiles support for /var/lib/clamav and /var/log/clamav
- Added pkg_postinst scripts to ensure correct directory ownership
- Implemented CMake cache variables for cross-compilation
- Updated all license checksums for compliance
- Added Rust toolchain integration with automatic environment setup
- Use Cargo vendoring with cargo + cargo-update-recipe-crates classes
Security rationale:
- ClamAV 0.104.4 reached end-of-life and is no longer maintained
- Upstream strongly recommends migration to 1.4.x for security updates
Signed-off-by: Hemant Jadhav <hemant.jadhav@emerson.com>
(regenerated diff, fixed building with systemd,
fixed target Rust configuration, disabled for 32-bit targets)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Add basic openscap test. This looks for an existing profile and run a basic scan.
Openscap scans return 1 in case of failure, 0 in case of success and 2 when a
vulnerability has been found. As this does not aim to check openscap reports, 2 is
considered as a successful test.
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
(added to test image)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Changes:
- Add libmhash and libgssglue so they will get tested by CI.
- Switch to MACHINE_ARCH to facilitate the above, but it makes sense
anyway due to all the machine overrides used in the packagegroup
definition.
- Add the recently added python3-suricata-update so it will get
tested by CI.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Remove the paxctl recipe since it has seemingly been broken for a
while without anyone noticing, and there likely have been no actual
users since grsecurity stopped doing public releases in 2017.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Aide currently doesn't compile with musl because of copied getopt prototypes
and implementation.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
The package choice was using TUNE_FEATURES that doesn't work anymore
with multiple sub-architectures of RISCV. Instead use the overrides
and make sure to take into account also qemu versions.
Only riscv32/riscv64 does not work, fail on RDEPEND for qemu targets.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* WORKDIR -> UNPACKDIR transition
* Switch away from S = WORKDIR
Signed-off-by: Changqing Li <changqing.li@windriver.com>
[Fixed up the smack changes due to prior patch]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
libseccomp requires DISTRO_FEATURE seccomp enabled. This one
is automatically removed for riscv, so we do not need to add
an additional condition.
This change is necessary for cve-check on world with meta-security
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
According to the Yocto reference manual [1], the IMAGE_NAME_SUFFIX should
be set to empty for the initramfs image. Otherwise, we may incur a build
error like following due to the initrd check in live-vm-common.bbclass:
ERROR: core-image-minimal-1.0-r0 do_bootimg: build-test/tmp/deploy/images/genericx86-64/dm-verity-image-initramfs-genericx86-64.cpio.gz is invalid. initrd image creation failed.
ERROR: core-image-minimal-1.0-r0 do_bootimg: ExecutionError('build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/run.build_hddimg.1961965', 1, None, None)
ERROR: Logfile of failure stored in: build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/log.do_bootimg.1961965
ERROR: Task (poky/meta/recipes-core/images/core-image-minimal.bb:do_bootimg) failed with exit code '1'
[1] https://docs.yoctoproject.org/ref-manual/variables.html#term-IMAGE_NAME_SUFFIX
Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Using <DM_VERITY_IMAGE_TYPE> in the depends variable does not work for
compressed image types like squashfs-zst, as the resulting task
dependency still contains the incompatible dash. Replacing the dash by
an underscore resolves this issue.
Signed-off-by: Stephan Wurm <stephan.wurm@a-eberle.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The prior commits create the separate hash so now it is time to update
the initramfs framework so that veritysetup, which is responsible for
binding the data and hash, is aware of when separate hash is in use,
and can react accordingly.
The added code follows the existing appended hash code style, but is
considerably smaller because it doesn't have the large case statement
that supports all possible identification schemes (label, UUID, ...).
With the root hash split in two to create the respective partition
UUIDs, we know exactly how to identify it, and the UUIDs used.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
If we use a non PARTUUID root parameter, we would always get a error
like below:
realpath: /dev/disk/by-partuuid//dev/mmcblk0p2: No such file or directory
This seems pretty confusion and it also seems no need to emit this kind
of error when we are waiting for the root device. So suppress all the
realpath errors.
Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Generic Low Overhead Message Exchange (GLOME) is a protocol providing
secure authentication and authorization for low dependency environments.
Signed-off-by: John Edward Broadbent <jebr@google.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This is to simplify tesing to build one image and include pkgs depending on the
layers included in the BBLAYERS.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
DATA_BLOCK_SIZE variable was set in dm-verity-img.bbclass at build
time but the initrdscript was not updated to pass the DATA_BLOCK_SIZE
to the veritysetup. Now the functionality is complete.
Signed-off-by: Paulo Neves <paulo.neves1@inter.ikea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fixes:
ERROR: initramfs-framework-1.0-r4 do_fetch: Fetcher failure for URL: 'file://dmverity'. Unable to fetch URL from any source.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
