Commit Graph

1720 Commits

Author SHA1 Message Date
Armin Kuster e740a30c10 libest: does not build with openssl 3.x
blacklist for now. Remove from pkg grp

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-12-25 11:29:31 -08:00
Armin Kuster 9bf5c504d1 tpm2-pkcs11: update to 1.7.0
drop patch now included.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-12-25 11:29:19 -08:00
Yi Zhao e4a49814e1 meta-parsec/README.md: fix for append operator combined with +=
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-28 16:16:19 -08:00
Yi Zhao 59295103f1 openssl-tpm-engine: fix warning for append operator combined with +=
Fixes:
WARNING: openssl-tpm-engine_0.5.0.bb: CFLAGS:append += is not a
recommended operator combination, please replace it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-28 16:16:19 -08:00
Kai Kang 05ee41d3a5 apparmor: fix warning of remove operator combined with +=
Fix warning for apparmor:

| WARNING: /path/to/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb:
|  RDEPENDS:${PN}:remove += is not a recommended operator combination,
|  please replace it.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-28 16:16:10 -08:00
Armin Kuster 4c19c83ee8 python3-fail2ban: remove /run
Fixes:

ERROR: python3-fail2ban-0.11.2-r0 do_package_qa: QA Issue: python3-fail2ban installs files in /run, but it is expected to be empty [empty-dirs]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-07 11:26:49 -08:00
Armin Kuster f6fa9dc1c9 bastille: Create /var/log/Bastille in runtime
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-07 11:26:49 -08:00
Armin Kuster b654040fad sssd: Create /var/log/sssd in runtime
/var/log is normally a link to /var/volatile/log and /var/volatile is a
tmpfs mount. So anything created in /var/log will not be available when
the tmpfs is mounted.

[Thanks to Peter Kjellerstedt for example]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-07 11:26:49 -08:00
Stefan Mueller-Klieser 696651d0c3 tpm2-tss: fix fapi package config
When enabling fapi, the build breaks with:

 | configure: error: Package requirements (libcurl) were not met:
 | No package 'libcurl' found

This adds the missing dependency and bundles the additional config files
in the base package.

Signed-off-by: Stefan Müller-Klieser <s.mueller-klieser@phytec.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-07 11:26:49 -08:00
Armin Kuster 7e27eb5fca recipes: Update SRC_URI branch and protocols
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-11-04 08:18:00 -07:00
Armin Kuster 8215ed27aa tpm2-pkcs11: update to 1.7.0
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-26 08:20:55 -07:00
Armin Kuster d77b7765e7 tpm2-openssl: add new pkg
openssl 3.x support for tpm2 tss function found in tpm2-ssl

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-26 08:20:51 -07:00
Armin Kuster b5e277022b openssl-tpm-engine: fix build issue with openssl 3
ERROR: openssl-tpm-engine-0.5.0-r0 do_package: QA Issue: openssl-tpm-engine: Files/directories were installed but not shipped in any package:
  /usr/lib/engines-3/tpm.so

fix engine locations

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-26 07:23:30 -07:00
Armin Kuster 5d2afb321c tpm2-tools: update to 5.2
openssl 3.0 support

see https://github.com/tpm2-software/tpm2-tools/releases/tag/5.2

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-26 07:23:30 -07:00
Armin Kuster 8f045875fb apparmor: Add a python 3.10 compatibility patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-26 07:23:18 -07:00
Armin Kuster e5e54135da opendnssec: blacklist due to ldns being blacklisted
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-24 19:54:00 -07:00
Anton Antonov 14e1db4ce8 Parsec service. Update PACKAGECONFIG definitions and README.md
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-24 11:08:07 -07:00
Armin Kuster 2bc849ada3 meta-parsec/README: remove rust layer req.
Rust is now in core. No need to include the layer reference.

Drop Priority and ref from repo definition. Not used.

Signed-off-by: Armin Kuster <akuster808@gmail.com>

[v2]
fixup mailing list
2021-10-24 11:06:02 -07:00
Kai Kang e81c15f851 sssd: re-package to fix QA issues
It packages all files in ${libdir} to package sssd, including the .so
symlink files. Then it causes QA issues:

| ERROR: QA Issue: sssd rdepends on dbus-dev [dev-deps]
| ERROR: QA Issue: sssd rdepends on ding-libs-dev [dev-deps]

So re-package sssd so that the .so symlink files and .pc files are packaged
in sssd-dev, where they should be.

File ${libdir}/libsss_sudo.so is not a symlink file but is packaged in
sssd-dev too, which causes another QA issue:

| ERROR: sssd-2.5.2-r0 do_package_qa: QA Issue:
    -dev package sssd-dev contains non-symlink .so '/usr/lib/libsss_sudo.so' [dev-elf]

So create a new sub-package libsss-sudo to package file libsss_sudo.so
and make sssd rdepends on it.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-18 21:50:22 -07:00
Armin Kuster 30a5e16b75 python3-fail2ban: fix build failure and cleanup
Fixes:
error in fail2ban setup command: use_2to3 is invalid.
ERROR: 'python3 setup.py build ' execution failed.

drop custom fail2ban_setup.py
remove python-fail2ban as it's a symlink to python3

Update to tip for 11.2 branch

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-18 21:50:22 -07:00
Liwei Song 7f9a5b311e recipes-security/chipsec: platform security assessment framework
Add chipsec, a tool to dump and analyze hardware and system firmware
components, like PCH registers, ioport or iomem configuration space.

Signed-off-by: Liwei Song <liwei.song@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-18 21:50:22 -07:00
Kristian Klausen 01bdc2918c swtpm: update to 0.6.1
swtpm no longer depends on Python[1] so the dependencies have been
removed.

"inherit perlnative" has been added due to (in oe-core):
deda455b3c ("bitbake.conf: drop pod2man from hosttools")

Some leftover dependencies have also been removed, ex: tpm-tools
required in the past by swtpm_setup.sh (<0.4.0)[2].

[1] https://github.com/stefanberger/swtpm/issues/437
[2] https://github.com/stefanberger/swtpm/commit/eee8cb5dfb13f87140dddda38f65bf61aff19508

Signed-off-by: Kristian Klausen <kristian@klausen.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-10-18 21:50:13 -07:00
Anton Antonov a85fbe980e Upgrade parsec-service 0.8.1 and parsec-tool 0.4.0
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-28 16:19:38 -07:00
Kristian Klausen 3673954669 libtpm: update to 0.8.7
Signed-off-by: Kristian Klausen <kristian@klausen.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-28 16:19:27 -07:00
Zoltán Böszörményi ea062563aa clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install
Also, rearrange the runtime-dependencies a little so
clamav-freshclam is installed later than clamav.

The issue is that clamav-freshclam ships /var/lib/clamav
and the main clamav package uses chown in pkg_postinst to set
the ownership of this directory. But pkg_postinst is not
marked as "ontarget" so this chown only took effect when
upgrading or reinstalling the package.

So when clamav is part of an OS image out of the box, freshclamd
cannot populate this directory since it's running under the clamav
user.

Fix this by creating /var/lib/clamav with the proper ownership
in do_install and rearrange runtime-dependencies, so clamav-freshclam
RDEPENDS on clamav and clamav relaxes its runtime-dependency into
RRECOMMENDS so clamav-freshclam is installed later than clamav,
avoiding these warnings:

  Installing       : clamav-freshclam-...            487/1954
warning: user clamav does not exist - using root
warning: group clamav does not exist - using root

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-28 16:18:59 -07:00
Christer Fletcher 650e6d6d4b dmverity: Make use of DATA_BLOCK_SIZE variable in initrdscript.
DATA_BLOCK_SIZE variable was set in dm-verity-img.bbclass at build
time but the initrdscript was not updated to pass the DATA_BLOCK_SIZE
to the veritysetup. Now the functionality is complete.

Signed-off-by: Paulo Neves <paulo.neves1@inter.ikea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-28 16:18:41 -07:00
Bhupesh Sharma 6a19cc9f00 recipes-security/fscrypt: Add fscrypt .bb file
fscrypt is a high-level tool for the management of Linux
filesystem encryption. fscrypt manages metadata, key generation,
key wrapping, PAM integration, and provides a uniform interface
for creating and modifying encrypted directories.

Add recipe for the same in 'recipes-security'.

Signed-off-by: Bhupesh Sharma <bhupesh.sharma@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-28 16:18:27 -07:00
Armin Kuster 1bf7f30ca9 chkrootkit: update to 0.55
changes:
Umbreon Linux Rootkit detection
Kinsing.A Backdoor
RotaJakito Backdoor
Minor bug fixes

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-28 16:18:17 -07:00
Armin Kuster de6712a806 tpm-quote-tools: Update SRC_URI
The wget now asks for user info, so use git clone.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-16 21:45:01 -07:00
Armin Kuster b2337682b9 isic: set precise BSD license
"BSD" is ambiguous, use the precise license BSD-2-Clause

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-15 06:48:26 -07:00
Armin Kuster 0cd37cd076 checksec: set precise BSD license
"BSD" is ambiguous, use the precise license BSD-3-Clause

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-15 06:48:26 -07:00
Armin Kuster 30e3184704 opendnssec: set precise BSD license
"BSD" is ambiguous, use the precise license BSD-2-Clause

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-15 06:48:26 -07:00
Armin Kuster 5fb3730c37 ibmswtpm2: set precise BSD license
"BSD" is ambiguous, use the precise license BSD-2-Clause

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-15 06:48:26 -07:00
Armin Kuster f01d5fbaa1 ibmtpm2tss: set precise BSD license
"BSD" is ambiguous, use the precise license BSD-2-Clause

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-15 06:48:26 -07:00
Armin Kuster ef3315c34d trousers: set precise BSD license
"BSD" is ambiguous, use the precise license BSD-3-Clause

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-15 06:48:26 -07:00
Armin Kuster 3d684f4325 cryfs: drop recipe
It was accidentally pushed and is incomplete.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-15 06:48:10 -07:00
Kai Kang e88df73267 sssd: 2.5.1 -> 2.5.2
SSSD 2.5.2 Highlights
* General information
  - originalADgidNumber attribute in the SSSD cache is now indexed

* New features
  - Debug messages in data provider include a unique request ID that can
    be used to track the request from its start to its end (requires
    libtevent >= 0.11.0)

* Important fixes
  - Update large files in the files provider in batches to avoid timeouts

* Configuration changes
  - Add new config option fallback_to_nss

Full release notes:
* https://sssd.io/release-notes/sssd-2.5.2.html

And backport patch to fix CVE-2021-3621.

CVE: CVE-2021-3621

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-10 07:23:00 -07:00
Christer Fletcher e0fca90835 dm-verity-img.bbclass: Expose --data-block-size for configuration
Add DM_VERITY_IMAGE_DATA_BLOCK_SIZE to be able to set the
--data-block-size used in veritysetup. Tuning this value affects the
performance and size of the resulting image.

Signed-off-by: Christer Fletcher <christer.fletcher@inter.ikea.com>
Signed-off-by: Paulo Neves <paulo.neves1@inter.ikea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-06 15:53:00 -07:00
George Liu 1f18c623e9 meta: Fix typos
Fix the variable spelling errors
s/SKIP_META_SECUIRTY_SANITY_CHECK/SKIP_META_SECURITY_SANITY_CHECK

Signed-off-by: George Liu <liuxiwei@inspur.com>
Acked-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-29 08:59:29 -07:00
Armin Kuster 2c7b75c95e kas: remove rust layers
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-27 07:27:49 -07:00
Armin Kuster 867524aa50 harden-image-minimal: fix useradd inherit
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:46:00 -07:00
Armin Kuster 5b49cc551d layer.conf: drop meta-rust
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:45:14 -07:00
Armin Kuster d526f80234 layer.conf: drop dynamic-layer
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:45:14 -07:00
Armin Kuster 818a8646a6 suricata: rust is in core
drop dynamic-layer

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:45:14 -07:00
Armin Kuster 06bc20c07a krill: Rust is in core now
drop dynamic-layer

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:45:14 -07:00
Armin Kuster a23ceefd6f dm-verity-img.bbclass: more override fixups
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:45:04 -07:00
Daiane Angolini ab90741aa2 meta-integrity: kernel-modsign: Change weak default value
Assign a weak default value for MODSIGN_KEY_DIR so the other layers can
set a default value for them as well.

Signed-off-by: Daiane Angolini <daiane.angolini@foundries.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:43:35 -07:00
Marta Rybczynska c71c237d51 README: fix mailing lists and a typo
A number of typo fixes:
- tmp->tpm in the DISTRO_FEATURES
- update the mailing list address as it was out of date
- update the distro name in the subject

Signed-off-by: Marta Rybczynska <rybczynska@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:43:27 -07:00
Marta Rybczynska 8974d695ef README: fix mailing lists
The address included in the meta-hardening documentation
does not work and was changed in other places in 2019.

Signed-off-by: Marta Rybczynska <rybczynska@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:43:19 -07:00
Armin Kuster b6d5cac306 kas: fix DISTRO appends
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-08-26 21:37:34 -07:00