Commit Graph

369 Commits

Author SHA1 Message Date
Armin Kuster b265a8f1c7 libwhisker2-perl: fix build issue
minor formatting clean ups.
add "ssl" depend packageconf option

Change inherit perlnative to BBCLASSEXTEND = "native" to fix build issue

error: Can't install libwhisker2-perl-2.5-r0@i586: no package provides /home/akuster/oss/maint/security/poky/build/tmp/sysroots/x86_64-linux/usr/bin/perl-native/perl.real

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2015-01-03 21:21:44 -08:00
Armin Kuster 397b35c028 nikto: fix depends
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2015-01-03 21:21:32 -08:00
Armin Kuster b80abbf51d perl: reorg recipes to match meta-perl.
move security perl recipes to a more standardized
recipes-perl layout.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2015-01-03 21:21:11 -08:00
Armin Kuster 424473d61e remove: libcurses-perl, libhtml-parser-perl, libnet-dns-perl
those packages are being moved to meta-perl.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2015-01-03 21:21:03 -08:00
Armin Kuster 5294a2c603 libcap-ng: update to 7.4 plus security fix
0.7.4
- In pscap, remove unused code
- Add CAPNG_INIT_SUPP_GRP to capng_change_id
- Drop CAP_COMPROMISE_KERNEL
- Update the autotools components
- Dynamically detect last capability (#895105)
- Add PR_SET_NO_NEW_PRIVS to capng_lock if kernel supports it
  (CVE-2014-3215)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2015-01-03 21:20:53 -08:00
Armin Kuster 76386bd2ca samhain: update to 3.1.3
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-11-28 19:14:10 -08:00
Armin Kuster 039c711f17 packagegroups [v2]: add a few more categories
Add tripwire, samhain and checksec packages
fix ccs-tools to exclude if no kernel support

v2:
 fixed missing "}"

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-11-28 19:14:02 -08:00
Armin Kuster 4fe07fed2e pinentry: remove from layer
pinentry is now in oe-core so remove it from this layer.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-11-28 19:13:54 -08:00
Armin Kuster 93891d856d libseccomp: add package for tests.
I wanted to run the tests manually on a target. Tests are now
built and packaged.

to run: /usr/lib/libseccomp/tests/regression -a

will add ptest later.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-11-28 19:13:46 -08:00
Armin Kuster b584aa13f6 checksecurity: update to version 2.0.15
update fixed:
 * Fix bug in the CS_NFSAFS definition in etc/check-setuid.conf that prevents
   the script from matching any filesystem. This bug was, actually, making the
   script not do anything in the default configuration.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-10-26 12:35:55 -07:00
Armin Kuster 33e45ec16c isic: Add new package
This adds ISIC, a suite of utilities to exercise the stability of an IP stack and its component stacks (TCP/UDP/ICMP etc.). It generates piles of pseudo random packets with configurable tendencies, which are then sent to the target to penetrate its firewall rules or find bugs.

Backported two patches from Red Hat.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-10-26 12:35:48 -07:00
Armin Kuster b59053a3dd samhain: update to 3.1.2
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-10-26 12:35:39 -07:00
Armin Kuster b255a7137f README: update layers references
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-09-13 10:26:14 -07:00
Armin Kuster 39f1010f3a layer.conf: add layer depends.
Added layerdepends check for perl-layer and openembedded-layer.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-09-13 10:25:35 -07:00
Armin Kuster da8d7084fa libnet-ssleay-perl: remove from layer
libnet-ssleay-perl is now in meta-perl

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-09-13 10:25:28 -07:00
Armin Kuster c00f6abe5d tripwire: ppc64 build failure.
| configure: error: /bin/sh ./config.sub powerpc64-poky-linux failed

config.sub did not understand the powerpc64 par.
This patch adds that understanding.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-09-13 10:25:19 -07:00
Armin Kuster 332b02ec89 nmap: New QA issue via ppc
Fixes:
WARNING: QA Issue: nmap rdepends on libpcap, but it isn't a build dependency? [build-deps]

nmap internal lua library does not compile with PPC so use OE version instead.

Changed PACKAGECONFIG assignment from "??=" to "=". It was empty when using
PPC.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-09-13 10:25:08 -07:00
Armin Kuster 1f28cd51dc nmap: Add gui support
Add zenmap to work with gtk+/x11

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-09-13 10:25:00 -07:00
Armin Kuster 20776618f2 [v2] nmap: use pkgconfig and reorg
Added pkgconfig support
Since most binaries provided by nmap can be excluded via configure,
  manage them via pkgconfig.
Aligned python packages with binaries so nmap-python is no longer needed

V2: Missed some options in EXTRA_OECONF changes

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-09-13 10:24:53 -07:00
Armin Kuster 2682cd4105 nmap: build QA Warnings
WARNING: QA Issue: nmap rdepends on libcrypto, but it isn't a build dependency? [build-deps]
WARNING: QA Issue: nmap rdepends on libssl, but it isn't a build dependency? [build-deps]

This fixes the above QA warnings.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-09-13 10:24:47 -07:00
Armin Kuster b3f08c7b2b samhain: arm build failure
| x_sh_error.c: In function 'sh_error_string':
| x_sh_error.c:1580:31: error: incompatible type for argument 1 of 'memmove'
|  #define VA_COPY(ap1, ap2)     memmove ((ap1), (ap2), sizeof (va_list))
|                                ^
| x_sh_error.c:1720:14: note: in expansion of macro 'VA_COPY'
|        /*@i@*/VA_COPY(vl2, vl);
|               ^

This patch fixes the arm build failure.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-08-27 21:12:47 -07:00
Armin Kuster 6328a58612 pinentry: Fix QA error
This fixes: WARNING: QA Issue: pinentry rdepends on libcap, but it isn't a build dependency? [build-deps]

Also add pkgconfig support.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-08-27 21:12:31 -07:00
Armin Kuster 6e72910b3e samhain: server package
This is the server portion.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-08-27 21:11:32 -07:00
Armin Kuster 2559581eaa samhain: client package
This is the client portion.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-08-27 21:11:21 -07:00
Armin Kuster f0f670c2fe samhain: New IDS package
These are the base files needed by both
client and server recipes.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2014-08-27 21:11:12 -07:00
Armin Kuster e6b6816192 tripwire: Add files for package support
Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-27 21:09:49 -07:00
Armin Kuster fa3c8b475c tripwire: Add new package to layer
Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-27 21:09:40 -07:00
Armin Kuster 14b15cc276 tomoyo: Add kconfig
V2:
Fixed path to init program
Fix typo in name

Add kernel config to enable tomoyo

Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-20 21:19:04 -07:00
Armin Kuster 43ce4b4889 tomoyo: ccs-tools
Add userland support program ccs-tools

V2:
Added RDEPEND on systemd
Fixed Description
Moved man page to doc package
Added required distro feature on kernel component.
Fixed typo in path for init program

Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-20 21:18:48 -07:00
Armin Kuster 621f30abed libnetaddr-ip-perl: Blacklist recipe
As far as I can tell, this is not used by any recipes in meta-security.

It does not build so I am blacklisting it.

Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-10 20:17:07 -07:00
Armin Kuster 17d2fc38a7 libcurses-perl: Fix build issue
Update to later version to fix build issue.

Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-10 20:16:57 -07:00
Armin Kuster a1f10775fe V2 packagegroup: Add initial set of package groups
Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-06 08:06:36 -07:00
Armin Kuster f20ff5c45c checksec: Add new aslr pic pie test script
Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-06 07:57:16 -07:00
Armin Kuster 6a4b2849a1 pinentry: Fix do_package_qa issue
This fixes:
ERROR: QA Issue: pinentry: The compile log indicates that host include and/or library paths were used.

Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-06 07:56:49 -07:00
Armin Kuster 6f64473a40 nmap: update to 6.46
Updated to later version of nmap.
remove patch which is included in update
Added ndiff package
Include zenmap build changes but commented out for now and untested

Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-06 07:56:14 -07:00
Alexandru.Vaduva 914128d8c9 libcap-ng: resolved issue related with LONG_BIT definition
The problem is well known for 64 bits architectures and the solution
is offered in the same recipe but in the meta-selinux layer.

Signed-off-by: Alexandru.Vaduva <Alexandru.Vaduva at enea.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-07-02 19:46:00 -07:00
Armin Kuster 3689209e52 meta-security: Add Maintainers
Add Maintainers statement to README and add self to list.

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2014-07-02 16:59:42 -07:00
Nick D'Ademo 9104e24e38 nmap: inherit autotools-brokensep to allow B=S build.
Signed-off-by: Nick D'Ademo <nickdademo@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2014-05-07 07:50:49 -07:00
Saul Wold 7e8c7918d9 lib-perl: Fix quoting in DESCRIPTION
My mistake for taking the older version, I thought I had the latest

Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-11-05 11:00:08 -08:00
Joe MacDonald 62b5ee7ea3 libseccomp: add latest stable version, add ptest
A new stable version of libseccomp is available, so update the recipe.  At
the same time, integrate the ptest support that's currently being
discussed on the libseccomp list.

Signed-off-by: Joe MacDonald <joe@deserted.net>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-11-04 12:41:45 -08:00
mulhern cac0cef10c meta-security: Bump buck-security to new version and remove patch file.
Since I am maintaining buck-security it has accepted the patch
take_root_dir.patch and the new version (0.7) contains the result of
applying the patch.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-10-23 21:57:20 -04:00
mulhern cff02a044c meta-security: Add a new .bbclass for meta-security layer.
Inheriting the class will cause the check_security function to run on the
ROOTFS image. Currently the check_security function just invokes
buck-security-native on the root filesystem of the image.
2013-10-23 21:57:20 -04:00
mulhern 594e95f052 buck-security: Parameterize hard-coded file locations.
buck-security hard-codes a number of file locations for the target system on
which it operates and also its own dependencies. These hard-coded dependencies
have been parameterized and a few other related changes have been made. The
changes are more fully explained below.

buck-security.bb:

* The RDEPENDS_${PN} variable has been made more orderly in anticipation of
  subsequent changes. It also includes a few other perl modules required by
  the changes to the application.
* The functionality.patch file has been removed and superseded by the
  take_root_dir.patch patch.
* The definition of S is parameterized on BPN not PN; they are different if the
  package has a native option.
* The install step replaces the use directives and an assignment in the
  buck-security script in a more general way than previously.
* The recipe now allows the package to have a native version.

take_root_dir.patch:
  * buck-security

    * An additional flag, sysroot, that specifies the sysroot of the filesystem
      that the buck-security utility inspects is added. If the sysroot can not
      be located the script fails gracefully.
    * An additional flag, no-sudo, which prevents the script from exiting
      if it is not run by root is added.
    * An additional flag, disable-checks, which accepts a comma-separated list
      of checks to be disabled is added.
    * The script checks whether there has been an error in parsing the
      command-line arguments and fails with a usage message if there has.
    * The log flag now optionally takes a log file name.
    * The location of the configuration file is calculated relative to the
      location of the main script and if it can not be found the script fails
      gracefully.
    * The various file locations specified in the buck-security configuration
      file are made relative to the location of the buck-security script or the
      sysroot as appropriate.
    * If a log file has been specified the log is not also printed to stdout.
    * The command actually executed is printed in the log.
    * Some checks for mutually exclusive options are added.
    * Output level 3 is now meaningless, so it has been removed.
    * Various changes have been made to the report format.
    * Results are sorted lexicographically and, if abspath, do not include
      the sysroot.

  * checks/*.pm files
    * Wherever a directory had been hard-coded it is now parameterized on the
      sysroot.
    * In some cases, a test that had previously been run as a bash test was
      converted to a perl test to allow better handling of results and errors.
    * The output parameter is no longer accepted by the check procedure since
      this value is global.
    * All check procedures now accept an output_type parameter.
    * The dangling URLs are removed from the help text.

  * checks/lib/check.pm
    * The CheckBash and CheckPerl functions have been adapted so that the
      the filepaths are not hard-coded and so that the actual command is made
      available to the logging component.
    * A parameter indicating the outcome type is accepted and passed to the
      exception checker.
    * Error output is clearly distinguished from regular output.
    * A failure in a test is clearly distinguished from an insecure result.
    * The output is no longer formatted in the check functions.

  * checks/lib/mkchecksum.pm
    * The command no longer is run on non-existent directories.

  * checks/lib/exceptions.pm
    * The exception file path is located relative to the buck-security script.
    * If the exceptions are pathnames, the sysroot is prepended.
    * Correct wildcard semantics is observed.

  * checks/lib/users.pm
    * The passwd files are located relative to the sysroot.
    * Reading from the password file is made more principled.
    * The test experiences an error if files can not be found rather than
      the script terminating.
    * Some dead code is eliminated.

  * conf/buck-security.conf
    * The checksum_dir variable is a list instead of a string for easier
      manipulation.
    * The new configuration variable sysdir is added and the default is /.
    * The ssh_config variable is added.
    * All tests are included in the checks variable.

  * checks/sshd.pm
    * The ssh config file is set in the buck-security configuration file
      instead of hard-coded here.

  * checks/nopasswd.pm
    * This is a duplicate of emptypasswd, so it is removed.

  * RDEPENDS_${PN}_class-native variable is added as some tasks make no
    sense when run externally. Since they will not be run, there is no point
2013-10-23 21:57:20 -04:00
mulhern b2a60ba7ff bastille: Fix failure during install.
[YOCTO #5177]

On some systems the bitbake install step failed. The failure was due to some
files that were being overwritten not having sufficient permissions.

The install script in the recipe is changed so that the
set_required_questions.py script is invoked on the files in the image
directory, which are guaranteed to have adequate permission. Previously, it had
been invoked on the files in the work directory.

The set_required_questions.py script is changed in the following
ways.

* The xform_file function now handles the overwriting of the files in a more
  robust manner.
* The script now accepts a debug flag. When set this flag will cause the
  script to display more developer friendly information on error.
* The xform_file function has a descriptive comment.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-09-25 20:52:09 -04:00
mulhern 23815f3001 libcurses-perl: curses-perl renamed to libcurses-perl.
[YOCTO #5081]

The recipe meta-security/recipes-security/perl/curses-perl_1.28.bb is renamed
to libcurses-perl_1.28.bb to conform to accepted naming scheme.
The dependency in the Bastille recipe is updated accordingly.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-09-06 15:06:03 -04:00
mulhern 584c1982cc libenv-perl: Remove redundant recipe in meta-security layer.
[YOCTO #5081]

The recipe meta-security/recipes-security/env-perl_1.04.bb is removed since
there is a recipe for the same Perl module at
poky/meta/recipes-lsb4/perl/libenv-perl_1.04.bb. The dependency on env-perl
in the checksecurity recipe is updated to a recipe on libenv-perl.
2013-09-06 15:04:51 -04:00
mulhern acf8d44f70 libcap-ng: omit an unnecessary build time dependency.
[YOCTO #5084]

libcap has been removed from the list of DEPENDS packages. Since libcap was the
only package in the list the DEPENDS variable has been removed from the recipe
file.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-09-05 14:48:20 -04:00
mulhern 5ec81ec5b1 Bastille: document the current status and usability of the Bastille install.
The README file is updated to indicate the functionality of Bastille that is
actually available.

The recipe file is updated with a pointer to the README file.

An additional patch is added so that when Bastille is run in interactive mode
it will not attempt to make any changes to the system. This is better than
attempting to make the changes and making the screen flicker. The text on the
final screen has been updated appropriately.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 15:42:10 -04:00
mulhern ec1c761ad8 Bastille: set Yocto specific questions via config file.
The python script, set_required_questions.py reads the list of questions and
answers from the config file and edits the REQUIRE_DISTRO field for those
questions in the questions file so that it includes "Yocto" if it is not
already present. This has the effect of causing Bastille, when loading
questions for the Yocto distribution, to load only those that are answered
in the existing config file. Under the assumption that the existing config
file contains question/answer pairs that are relevant to the Yocto project,
this will cause the interactive question screen to have answers that are
relevant to the Yocto project.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 15:39:58 -04:00
mulhern 6e23502b38 Bastille: accept and observe --os flag in multiple situations.
[YOCTO #3867]

Five additional patches which cause the --os flag to be accepted and observed
are added. An additional distro, Yocto, is added. The individual patches
are described below.

upgrade_options_processing.patch: Changes setOptions procedure so that it
accepts named parameters for greater flexibility and adjusts all invocations
accordingly. Uses more precise specifications in invocations of
Getop::Long::GetOptions. Omits code associated with a commented out flag.

accept_os_flag_in_backend.patch: Accepts and observes an additional --os
flag in BastilleBackEnd.

allow_os_with_assess.patch: No longer print a usage message and quit if
--assess or its related flags are specified along with the --os flag.

edit_usage_message.patch: Edit usage message to include the specification of
an --os flag with the specification of an --assess flag.

organize_distro_discovery.patch: Separates inferring the distro from
specifying the distro. Adds a "Yocto" distro among the other Linux
distros. Causes the specified distro to override the inferred
distro with a warning message when they are different. Previously if
either the inferred distro or the specified distro was not among supported
distros Bastille would quit with an error.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 15:38:50 -04:00