Commit Graph

30 Commits

Author SHA1 Message Date
Joe MacDonald
62b5ee7ea3 libseccomp: add latest stable version, add ptest
A new stable version of libseccomp is available, so update the recipe.  At
the same time, integrate the ptest support that's currently being
discussed on the libseccomp list.

Signed-off-by: Joe MacDonald <joe@deserted.net>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-11-04 12:41:45 -08:00
mulhern
cac0cef10c meta-security: Bump buck-security to new version and remove patch file.
Since I am maintaining buck-security it has accepted the patch
take_root_dir.patch and the new version (0.7) contains the result of
applying the patch.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-10-23 21:57:20 -04:00
mulhern
cff02a044c meta-security: Add a new .bbclass for meta-security layer.
Inheriting the class will cause the check_security function to run on the
ROOTFS image. Currently the check_security function just invokes
buck-security-native on the root filesystem of the image.
2013-10-23 21:57:20 -04:00
mulhern
594e95f052 buck-security: Parameterize hard-coded file locations.
buck-security hard-codes a number of file locations for the target system on
which it operates and also its own dependencies. These hard-coded dependencies
have been parameterized and a few other related changes have been made. The
changes are more fully explained below.

buck-security.bb:

* The RDEPENDS_${PN} variable has been made more orderly in anticipation of
  subsequent changes. It also includes a few other perl modules required by
  the changes to the application.
* The functionality.patch file has been removed and superseded by the
  take_root_dir.patch patch.
* The definition of S is parameterized on BPN not PN; they are different if the
  package has a native option.
* The install step replaces the use directives and an assignment in the
  buck-security script in a more general way than previously.
* The recipe now allows the package to have a native version.

take_root_dir.patch:
  * buck-security

    * An additional flag, sysroot, that specifies the sysroot of the filesystem
      that the buck-security utility inspects is added. If the sysroot can not
      be located the script fails gracefully.
    * An additional flag, no-sudo, which prevents the script from exiting
      if it is not run by root is added.
    * An additional flag, disable-checks, which accepts a comma-separated list
      of checks to be disabled is added.
    * The script checks whether there has been an error in parsing the
      command-line arguments and fails with a usage message if there has.
    * The log flag now optionally takes a log file name.
    * The location of the configuration file is calculated relative to the
      location of the main script and if it can not be found the script fails
      gracefully.
    * The various file locations specified in the buck-security configuration
      file are made relative to the location of the buck-security script or the
      sysroot as appropriate.
    * If a log file has been specified the log is not also printed to stdout.
    * The command actually executed is printed in the log.
    * Some checks for mutually exclusive options are added.
    * Output level 3 is now meaningless, so it has been removed.
    * Various changes have been made to the report format.
    * Results are sorted lexicographically and, if abspath, do not include
      the sysroot.

  * checks/*.pm files
    * Wherever a directory had been hard-coded it is now parameterized on the
      sysroot.
    * In some cases, a test that had previously been run as a bash test was
      converted to a perl test to allow better handling of results and errors.
    * The output parameter is no longer accepted by the check procedure since
      this value is global.
    * All check procedures now accept an output_type parameter.
    * The dangling URLs are removed from the help text.

  * checks/lib/check.pm
    * The CheckBash and CheckPerl functions have been adapted so that the
      filepaths are not hard-coded and so that the actual command is made
      available to the logging component.
    * A parameter indicating the outcome type is accepted and passed to the
      exception checker.
    * Error output is clearly distinguished from regular output.
    * A failure in a test is clearly distinguished from an insecure result.
    * The output is no longer formatted in the check functions.

  * checks/lib/mkchecksum.pm
    * The command no longer is run on non-existent directories.

  * checks/lib/exceptions.pm
    * The exception file path is located relative to the buck-security script.
    * If the exceptions are pathnames, the sysroot is prepended.
    * Correct wildcard semantics is observed.

  * checks/lib/users.pm
    * The passwd files are located relative to the sysroot.
    * Reading from the password file is made more principled.
    * The test experiences an error if files can not be found rather than
      the script terminating.
    * Some dead code is eliminated.

  * conf/buck-security.conf
    * The checksum_dir variable is a list instead of a string for easier
      manipulation.
    * The new configuration variable sysdir is added and the default is /.
    * The ssh_config variable is added.
    * All tests are included in the checks variable.

  * checks/sshd.pm
    * The ssh config file is set in the buck-security configuration file
      instead of hard-coded here.

  * checks/nopasswd.pm
    * This is a duplicate of emptypasswd, so it is removed.

  * RDEPENDS_${PN}_class-native variable is added as some tasks make no
    sense when run externally. Since they will not be run, there is no point
2013-10-23 21:57:20 -04:00
mulhern
b2a60ba7ff bastille: Fix failure during install.
[YOCTO #5177]

On some systems the bitbake install step failed. The failure was due to some
files that were being overwritten not having sufficient permissions.

The install script in the recipe is changed so that the
set_required_questions.py script is invoked on the files in the image
directory, which are guaranteed to have adequate permission. Previously, it had
been invoked on the files in the work directory.

The set_required_questions.py script is changed in the following
ways.

* The xform_file function now handles the overwriting of the files in a more
  robust manner.
* The script now accepts a debug flag. When set this flag will cause the
  script to display more developer friendly information on error.
* The xform_file function has a descriptive comment.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-09-25 20:52:09 -04:00
mulhern
23815f3001 libcurses-perl: curses-perl renamed to libcurses-perl.
[YOCTO #5081]

The recipe meta-security/recipes-security/perl/curses-perl_1.28.bb is renamed
to libcurses-perl_1.28.bb to conform to accepted naming scheme.
The dependency in the Bastille recipe is updated accordingly.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-09-06 15:06:03 -04:00
mulhern
584c1982cc libenv-perl: Remove redundant recipe in meta-security layer.
[YOCTO #5081]

The recipe meta-security/recipes-security/env-perl_1.04.bb is removed since
there is a recipe for the same Perl module at
poky/meta/recipes-lsb4/perl/libenv-perl_1.04.bb. The dependency on env-perl
in the checksecurity recipe is updated to a recipe on libenv-perl.
2013-09-06 15:04:51 -04:00
mulhern
acf8d44f70 libcap-ng: omit an unnecessary build time dependency.
[YOCTO #5084]

libcap has been removed from the list of DEPENDS packages. Since libcap was the
only package in the list the DEPENDS variable has been removed from the recipe
file.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-09-05 14:48:20 -04:00
mulhern
5ec81ec5b1 Bastille: document the current status and usability of the Bastille install.
The README file is updated to indicate the functionality of Bastille that is
actually available.

The recipe file is updated with a pointer to the README file.

An additional patch is added so that when Bastille is run in interactive mode
it will not attempt to make any changes to the system. This is better than
attempting to make the changes and making the screen flicker. The text on the
final screen has been updated appropriately.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 15:42:10 -04:00
mulhern
ec1c761ad8 Bastille: set Yocto specific questions via config file.
The python script, set_required_questions.py reads the list of questions and
answers from the config file and edits the REQUIRE_DISTRO field for those
questions in the questions file so that it includes "Yocto" if it is not
already present. This has the effect of causing Bastille, when loading
questions for the Yocto distribution, to load only those that are answered
in the existing config file. Under the assumption that the existing config
file contains question/answer pairs that are relevant to the Yocto project,
this will cause the interactive question screen to have answers that are
relevant to the Yocto project.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 15:39:58 -04:00
mulhern
6e23502b38 Bastille: accept and observe --os flag in multiple situations.
[YOCTO #3867]

Five additional patches which cause the --os flag to be accepted and observed
are added. An additional distro, Yocto, is added. The individual patches
are described below.

upgrade_options_processing.patch: Changes setOptions procedure so that it
accepts named parameters for greater flexibility and adjusts all invocations
accordingly. Uses more precise specifications in invocations of
Getop::Long::GetOptions. Omits code associated with a commented out flag.

accept_os_flag_in_backend.patch: Accepts and observes an additional --os
flag in BastilleBackEnd.

allow_os_with_assess.patch: No longer print a usage message and quit if
--assess or its related flags are specified along with the --os flag.

edit_usage_message.patch: Edit usage message to include the specification of
an --os flag with the specification of an --assess flag.

organize_distro_discovery.patch: Separates inferring the distro from
specifying the distro. Adds a "Yocto" distro among the other Linux
distros. Causes the specified distro to override the inferred
distro with a warning message when they are different. Previously if
either the inferred distro or the specified distro was not among supported
distros Bastille would quit with an error.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 15:38:50 -04:00
mulhern
abb566ce89 Bastille: change in behavior of bastille -l.
[YOCTO #3867]

bastille -l now reports existing configuration file paths even if it has
not previously been run. Previously, it exited with an error if it detected
an absence of log files indicating a previous run.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 15:32:32 -04:00
mulhern
7672e9a8a2 Bastille: Miscellaneous fixes to the Bastille code base.
[YOCTO #3867]

Adds four additional small patches which address miscellaneous small problems
in Bastille.

The four patches are:

fix_missing_use_directives.patch: A number of use directives were missing from
several files. These were added as discovered.

fix_number_of_modules.patch: The curses interface includes a title for most
screens which gives a module, a module number, and the number of modules in the
series. Previously the last value was always 0, now it is simply
omitted. It would be more desirable to give the correct number, but this would
require a significant change to the code base.

remove_questions_text_file_references.patch: This version of Bastille does
not make use of a Questions.txt file, therefore the specification of the
location of this file in the OSMap/*.bastille files has been removed.

simplify_B_place.patch: This patch discards redundant variables, mostly
defined but not used cases, and makes the error reporting more informative.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 15:31:28 -04:00
mulhern
7654815dbf Bastille: Preliminary cleanup of existing patches.
[YOCTO #3867]

Renames existing patches and removes some changes.

Curses-and-IOLoader-changes.patch is renamed to call_output_config.patch. The
new patch omits the removal of the pruning step in Load_Questions but
retains the replacement of a call to a non-existent function with a call
to an appropriate implemented function.

yocto-standard-patch.patch is renamed to fixed_defined_warnings.patch. The
new patch omits the definition of a yocto distro but includes the defined
warnings fix.

The recipe file is changed to include the new patches and also to omit a
related action in the do_install script.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 15:29:48 -04:00
mulhern
600a74468b lib-perl: Change description to match package.
[YOCTO #4196] -- https://bugzilla.yoctoproject.org/show_bug.cgi?id=4196

The description field in the recipe was changed to match the package.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-08-20 08:39:35 -07:00
mulhern
cbacab464c curses-perl: Change description to match package.
[YOCTO #4196] -- https://bugzilla.yoctoproject.org/show_bug.cgi?id=4196

The description field in the recipe was changed to match the package.

Signed-off-by: mulhern <mulhern@yoctoproject.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-08-20 08:39:31 -07:00
Andrei Dinu
4f2821cb7b removed rpm dependency on redhat-security
rpm dependency was removed.

https://bugzilla.yoctoproject.org/show_bug.cgi?id=4956

Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-08-01 12:16:29 +03:00
Andrei Dinu
9534de459e Added missing functionality to buck-security
* added pinentry recipe needed for buck-security option
* added missing rdepends to recipe
* added functionality patch
* updated README file

Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-08-01 10:52:33 +03:00
Andrei Dinu
37a5e5d66f fixed patch name in recipe
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-31 11:50:36 +03:00
Andrei Dinu
ce5be7fd76 Solved bastille config saving issue
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-30 16:47:36 +03:00
Andrei Dinu
a76f79b1c6 Fixed redhat-security tools problems
- added libcap-ng needed recipe
- tweaked the scripts
- updated README file

Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-25 16:56:37 +03:00
Saul Wold
e1a1986d8e README: Fix Layer Dependencies
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-07-12 11:17:10 -07:00
Saul Wold
4fafb7e614 redhat-security: added file as an RDEPENDS since its used by the scripts
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-07-11 13:43:52 -07:00
Saul Wold
f3eb806c54 checksecurity: added coreutils as an RDEPENDS
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-07-11 13:43:27 -07:00
Saul Wold
af70e556d3 README: removed coreutils note
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-07-11 13:43:10 -07:00
Saul Wold
94d6ac59be bastille: fix typo
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-07-11 10:41:18 -07:00
Andrei Dinu
2d0c61a39f meta-security-1.0-final
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-11 17:37:43 +03:00
Andrei Dinu
d54c9d7dad Security layer version 1.0
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-10 16:41:44 +03:00
Andrei Dinu
f359c35ab2 security layer updated work
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-01 16:45:26 +03:00
Andrei Dinu
60d90b2563 meta-security : initial commit
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-06-17 17:24:38 +03:00