mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-01-12 03:10:13 +00:00
Code Issues Projects Releases Wiki Activity
1,533 Commits 37 Branches 0 Tags
bcbe3fd60aa5b1d7d711b24b6ea72b5eee15a637
Commit Graph

1533 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mikko Rapeli
bcbe3fd60a ima-policy-hashed: set S 
Build with latest poky fails without

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-31 21:10:13 -04:00
Mikko Rapeli
139d3e6487 ima-policy-simple: UNPACKDIR fix 
New poky uses UNPACKDIR instead of WORKDIR

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-31 21:10:13 -04:00
Mikko Rapeli
0edcbd0b82 ima-policy-appraise-all: UNPACKDIR fix 
New poky uses UNPACKDIR instead of WORKDIR

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-31 21:10:13 -04:00
Mikko Rapeli
7028cd2266 initramfs-framework-ima: UNPACKDIR fix 
New poky uses UNPACKDIR instead of WORKDIR

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-31 21:10:13 -04:00
Armin Kuster
52c381af17 tpm-tools: fix QA and compile errors. 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-31 21:10:13 -04:00
Rasmus Villemoes
a2ec4fc275 fail2ban: update to 1.1.0+ 
Current 1.0.2 version does not work with scarthgap or later releases,
as the asynchat module has been removed (as scheduled) from python's
stdlib as of v3.12.

fail2ban 1.1.0 also does not work out-of-the-box, as the distutils
module which the pyinotify and systemd backends depend has also been
removed.

So update the recipe to point at commit ac62658c10f4, which fixes
those two backends to no longer depend on distutils.

Upstream's out-of-the-box ban action now uses the 'nft'
command. People can still override and customize that in
jail.conf/jail.local, but to make the recipe useful without
customizing things back to use iptables, change the dependency
iptables->nftables.

Since 1.1.0, fail2ban has been python3-only, so the recipe becomes
somewhat simpler since the whole do_compile preparation step can be
removed.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-31 21:10:05 -04:00
Armin Kuster
db91051c6a chipsec: Fix QA Warnings 
ERROR: chipsec-1.9.1-r0 do_package_qa: QA Issue: File /usr/lib/python3.12/site-packages/chipsec/helper/linux/chipsec.ko in package chipsec contains reference to TMPDIR [buildpaths]
ERROR: chipsec-1.9.1-r0 do_package_qa: QA Issue: File /usr/lib/python3.12/site-packages/chipsec/helper/linux/.debug/chipsec.ko in package chipsec-dbg contains reference to TMPDIR [buildpaths]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Mikko Rapeli
f261a2b95a bastille: UNPACKDIR fixes 
New poky version uses UNPACKDIR instead of WORKDIR

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Mikko Rapeli
58daab21b7 parsec-service: UNPACKDIR fixes 
New poky uses UNPACKDIR instead of WORKDIR

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Armin Kuster
24da916254 arpwatch: Fix compile error 
| ./dns.c:118:24: error: implicit declaration of function '_getshort'; did you mean '__putshort'? [-Wimplicit-function-declaration]

upon others

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Armin Kuster
2e21e54812 isic: Fix config error 
configure: error: installation or configuration problem: C compiler cannot create executables.
| NOTE: The following config.log files may provide further information.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Armin Kuster
c0e3fecc3b suricata: fix QA warnings 
ERROR: suricata-7.0.0-r0 do_package: QA Issue: File '/usr/bin/suricata' from suricata was already stripped, this will prevent future debugging! [already-stripped]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Armin Kuster
2aa07876ba krill: Fix QA warnings 
ERROR: krill-0.12.3-r0 do_package_qa: QA Issue: File /usr/bin/.debug/krill in package krill-dbg contains reference to TMPDIR
File /usr/bin/.debug/krillc in package krill-dbg contains reference to TMPDIR
File /usr/bin/.debug/krillup in package krill-dbg contains reference to TMPDIR [buildpaths]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Armin Kuster
fce3cf312d python3-fail2ban: convert WORKDIR->UNPACKDIR 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Armin Kuster
9d38b8754f apparmor: fix QA Warnings 
RROR: apparmor-3.1.3-r0 do_package_qa: QA Issue: File /usr/src/debug/apparmor/3.1.3/libraries/libapparmor/swig/perl/libapparmor_wrap.c in package apparmor-src contains reference to TMPDIR [buildpaths]
ERROR: apparmor-3.1.3-r0 do_package_qa: QA Issue: File /usr/lib/python3.12/site-packages/LibAppArmor/.debug/_LibAppArmor.cpython-312-aarch64-linux-gnu.so in package apparmor-dbg contains reference to TMPDIR [buildpaths]
ERROR: apparmor-3.1.3-r0 do_package_qa: QA Issue: File /usr/lib/perl5/vendor_perl/5.38.2/aarch64-linux/auto/LibAppArmor/.packlist in package apparmor contains reference to TMPDIR [buildpaths]
ERROR: apparmor-3.1.3-r0 do_package_qa: Fatal QA errors were found, failing task.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Hitendra Prajapati
ecdd682b92 sssd: Fix CVE-2023-3758 
A race condition flaw was found in sssd where the GPO policy is
not consistently applied for authenticated users. This may lead
to improper authorization issues, granting or denying access to
resources inappropriately.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3758

Upstream-patch:
f4ebe1408e

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Mikko Rapeli
8d50defcdf python3-tpm2-pytss: update from 2.1.0 to 2.3.0 
Upstream changlog shows that python 3.12 support
was added/fixed in version 2.2.0:

https://github.com/tpm2-software/tpm2-pytss/blob/master/CHANGELOG.md

To fix build error:

| DEBUG: Executing python function autotools_aclocals
| DEBUG: SITE files ['endian-little', 'bit-64', 'arm-common', 'arm-64', 'common-linux', 'common-glibc', 'aarch64-linux', 'common']
| DEBUG: Python function autotools_aclocals finished
| DEBUG: Executing shell function do_compile
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/setuptools/__init__.py:80: _DeprecatedInstaller: setuptools.installer and fetch_build_eggs are deprecated.
| !!
|
|         ********************************************************************************
|         Requirements should be satisfied by a PEP 517 installer.
|         If you are using pip, you can try `pip install --use-pep517`.
|         ********************************************************************************
|
| !!
|   dist.fetch_build_eggs(dist.setup_requires)
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:27: SyntaxWarning: invalid escape sequence '\('
|   s = re.sub("#define TSS2_RC_LAYER\(level\).*", "", s)
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:28: SyntaxWarning: invalid escape sequence '\('
|   s = re.sub("(#define.*)TSS2_RC_LAYER\(0xff\)", "\g<1>0xff0000", s)
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:28: SyntaxWarning: invalid escape sequence '\g'
|   s = re.sub("(#define.*)TSS2_RC_LAYER\(0xff\)", "\g<1>0xff0000", s)
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:31: SyntaxWarning: invalid escape sequence '\*'
|   s = re.sub("/\*.*?\*/", "", s, flags=re.MULTILINE)
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:34: SyntaxWarning: invalid escape sequence '\('
|   s = re.sub("(#define [A-Za-z0-9_]+) +\(\(.*?\) \(.*?\)\)", "\g<1>...", s)
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:34: SyntaxWarning: invalid escape sequence '\g'
|   s = re.sub("(#define [A-Za-z0-9_]+) +\(\(.*?\) \(.*?\)\)", "\g<1>...", s)
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:35: SyntaxWarning: invalid escape sequence '\('
|   s = re.sub("(#define [A-Za-z0-9_]+) +\(\(.*?\).*?\) ", "\g<1>...", s)
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:35: SyntaxWarning: invalid escape sequence '\g'
|   s = re.sub("(#define [A-Za-z0-9_]+) +\(\(.*?\).*?\) ", "\g<1>...", s)
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:37: SyntaxWarning: invalid escape sequence '\)'
|   "(#define [A-Za-z0-9_]+) .*\n.*?.*\)\)", "\g<1>...", s, flags=re.MULTILINE
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:37: SyntaxWarning: invalid escape sequence '\g'
|   "(#define [A-Za-z0-9_]+) .*\n.*?.*\)\)", "\g<1>...", s, flags=re.MULTILINE
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:39: SyntaxWarning: invalid escape sequence '\g'
|   s = re.sub("(#define [A-Za-z0-9_]+) .*", "\g<1>...", s)
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:42: SyntaxWarning: invalid escape sequence '\['
|   s = re.sub("\[.+?\]", "[...]", s)
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:77: SyntaxWarning: invalid escape sequence '\)'
|   "#define TPM2_MAX_TAGGED_POLICIES.*\n.*TPMS_TAGGED_POLICY\)\)",
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:262: SyntaxWarning: invalid escape sequence '\s'
|   "TSS2_RC\s+Tss2_MU_BYTE_Marshal\(.+?\);", s, re.DOTALL | re.MULTILINE
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:266: SyntaxWarning: invalid escape sequence '\s'
|   "TSS2_RC\s+Tss2_MU_BYTE_Marshal\(.+?\);", "", s, 1, re.DOTALL | re.MULTILINE
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:270: SyntaxWarning: invalid escape sequence '\s'
|   "TSS2_RC\s+Tss2_MU_BYTE_Unmarshal\(.+?\);", s, re.DOTALL | re.MULTILINE
| /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts/prepare_headers.py:274: SyntaxWarning: invalid escape sequence '\s'
|   "TSS2_RC\s+Tss2_MU_BYTE_Unmarshal\(.+?\);",
| adding path: /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/scripts
| Traceback (most recent call last):
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/tpm2-pytss-2.1.0/setup.py", line 280, in <module>
|     setup(
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/setuptools/__init__.py", line 103, in setup
|     return distutils.core.setup(**attrs)
|            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/setuptools/_distutils/core.py", line 146, in setup
|     _setup_distribution = dist = klass(attrs)
|                                  ^^^^^^^^^^^^
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/setuptools/dist.py", line 307, in __init__
|     _Distribution.__init__(self, dist_attrs)
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/setuptools/_distutils/dist.py", line 286, in __init__
|     self.finalize_options()
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/setuptools/dist.py", line 659, in finalize_options
|     ep(self)
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/setuptools/dist.py", line 679, in _finalize_setup_keywords
|     ep.load()(self, ep.name, value)
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/cffi/setuptools_ext.py", line 216, in cffi_modules
|     add_cffi_module(dist, cffi_module)
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/cffi/setuptools_ext.py", line 49, in add_cffi_module
|     execfile(build_file_name, mod_vars)
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/cffi/setuptools_ext.py", line 25, in execfile
|     exec(code, glob, glob)
|   File "scripts/libtss2_build.py", line 69, in <module>
|     ffibuilder.cdef(open("libesys.h").read())
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/cffi/api.py", line 112, in cdef
|     self._cdef(csource, override=override, packed=packed, pack=pack)
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/cffi/api.py", line 126, in _cdef
|     self._parser.parse(csource, override=override, **options)
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/cffi/cparser.py", line 389, in parse
|     self._internal_parse(csource)
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/cffi/cparser.py", line 396, in _internal_parse
|     self._process_macros(macros)
|   File "/home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/recipe-sysroot-native/usr/lib/python3.12/site-packages/cffi/cparser.py", line 479, in _process_macros
|     raise CDefError(
| cffi.CDefError: only supports one of the following syntax:
|   #define TPM2_HR_PCR ...     (literally dot-dot-dot)
|   #define TPM2_HR_PCR NUMBER  (with NUMBER an integer constant, decimal/hex/octal)
| got:
|   #define TPM2_HR_PCR ...<< TPM2_HR_SHIFT)
| ERROR: 'python3 setup.py build ' execution failed.
| WARNING: /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/temp/run.do_compile.2430604:190 exit 1 from 'exit 1'
| WARNING: Backtrace (BB generated script):
| 	#1: bbfatal_log, /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/temp/run.do_compile.2430604, line 190
| 	#2: setuptools3_legacy_do_compile, /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/temp/run.do_compile.2430604, line 180
| 	#3: do_compile, /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/temp/run.do_compile.2430604, line 162
| 	#4: main, /home/builder/src/base/build/tmp_trs-qemuarm64/work/cortexa57-trs-linux/python3-tpm2-pytss/2.1.0/temp/run.do_compile.2430604, line 194
NOTE: recipe python3-tpm2-pytss-2.1.0-r0: task do_compile: Failed
ERROR: Task (/home/builder/src/base/build/../meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb:do_compile) failed with exit code '1'

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Armin Kuster
ca10975033 recipes-*: convert WORKDIR->UNPACKDIR 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Siddharth Doshi
f0deac3787 Suricata: Security Fix for CVE-2024-37151, CVE-2024-38534, CVE-2024-38535, CVE-2024-38536 
Upstream-Status: Backport from [aab7f35c76, a753cdbe84, c82fa5ca0d, 2bd3bd0e31]

CVE's Fixed:
CVE-2024-37151 suricata: suricata: packet reassembly failure, which can lead to policy bypass
CVE-2024-38534 suricata: suricata: Crafted modbus traffic can lead to unlimited resource accumulation within a flow
CVE-2024-38535 suricata: Suricata: can run out of memory when parsing crafted HTTP/2 traffic
CVE-2024-38536 suricata: NULL pointer dereference when http.memcap is reached

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Wang Mingyu
6880ab150e trousers: Start WORKDIR -> UNPACKDIR transition 
Replace references of WORKDIR with UNPACKDIR where it makes sense to do so in preparation for changing the default value of UNPACKDIR.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-29 20:07:01 -04:00
Yi Zhao
61f2428158 openscap: fix PACKAGECONFIG[remediate_service] 
* Fix typo: remdediate_service -> remediate_service
* No need to manually install oscap-remediate.service, as it is already
  installed when ENABLE_OSCAP_REMEDIATE_SERVICE=ON is set.
* Add a patch to fix installation directory for systemd service file.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-01 07:07:58 -04:00
Ricardo Salveti
5f5e00ec4e tpm2-tss: drop libgcrypt 
Upstream removed gcrypt backend as part of the 3.0.0 release
(https://github.com/tpm2-software/tpm2-tss/pull/1781), but it was not
removed from the recipe during the update.

Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-01 07:07:58 -04:00
Stefan Berger
37e5a930d7 meta-integrity: Enable passing private key password 
Allow users to pass the private key password using
IMA_EVM_EVMCTL_KEY_PASSWORD.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-01 07:07:58 -04:00
Stefan Berger
06bd46276f meta-integrity: Add IMA_EVM_PRIVKEY_KEY_OPT to pass options to evmctl 
Introduce IMA_EVM_PRIVKEY_KEY_OPT to pass additional options to evmctl
when signing files. An example is --keyid <id> that makes evmctl use
a specific key id when signing files.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-01 07:07:58 -04:00
Stefan Berger
d2d125de92 meta-integrity: Remove stale variables and documentation 
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-01 07:07:58 -04:00
Martin Jansa
81d5a6edc7 README.md: fix sendemail.to value 
* other places were updated to use yocto-patches, but not this one

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-01 07:07:58 -04:00
Martin Jansa
e674c91b65 {tcp,udp}-smack-test: fix few more implicit-function-declaration issues fatal with gcc-14 
tcp-smack-test:
tcp_server.c: In function 'main':
tcp_server.c:50:16: error: implicit declaration of function 'atoi' [-Wimplicit-function-declaration]
   50 |         port = atoi(argv[1]);
      |                ^~~~
tcp_server.c:62:12: error: implicit declaration of function 'fsetxattr' [-Wimplicit-function-declaration]
   62 |         if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
      |            ^~~~~~~~~

udp-smack-test:
udp_client.c: In function 'main':
udp_client.c:52:12: error: implicit declaration of function 'fsetxattr' [-Wimplicit-function-declaration]
   52 |         if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
      |            ^~~~~~~~~
udp_client.c:67:9: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration]
   67 |         close(sock);
      |         ^~~~~
      |         pclose

udp_server.c: In function 'main':
udp_server.c:42:16: error: implicit declaration of function 'atoi' [-Wimplicit-function-declaration]
   42 |         port = atoi(argv[1]);
      |                ^~~~
udp_server.c:57:12: error: implicit declaration of function 'fsetxattr' [-Wimplicit-function-declaration]
   57 |         if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
      |            ^~~~~~~~~
udp_server.c:84:9: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration]
   84 |         close(sock);
      |         ^~~~~
      |         pclose

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-07-01 07:07:49 -04:00
Wang Mingyu
abfa203aa6 suricata: Start WORKDIR -> UNPACKDIR transition 
Replace references of WORKDIR with UNPACKDIR where it makes sense to do so in preparation for changing the default value of UNPACKDIR.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-06-17 08:29:11 -04:00
Wang Mingyu
cc775387a1 ima-policy-hashed: Start WORKDIR -> UNPACKDIR transition 
Replace references of WORKDIR with UNPACKDIR where it makes sense to do so in preparation for changing the default value of UNPACKDIR.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-06-17 08:29:08 -04:00
Changqing Li
b4a8bc606f scap-security-guide: WORKDIR -> UNPACKDIR 
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-06-17 08:25:25 -04:00
Changqing Li
ceb47a8a39 recipes: WORKDIR -> UNPACKDIR transition 
* WORKDIR -> UNPACKDIR transition
* Switch away from S = WORKDIR

Signed-off-by: Changqing Li <changqing.li@windriver.com>
[Fixed up the smack changes due to prior patch]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-06-17 08:25:25 -04:00
Yi Zhao
651767d028 scap-security-guide: upgrade 0.1.72 -> 0.1.73 
ChangeLog:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.73

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-06-17 08:25:25 -04:00
Gael PORTAY
0883649439 sssd: remove duplicate option --without-python2-bindings 
The option --without-python2-bindings was added twice, by the commit
4375507f39, and then after python2 was
deprecated with the commit 96737082ad.

This removes the latter.

Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-06-17 08:25:25 -04:00
Martin Jansa
51b4468933 mmap-smack-test, smack-test, tcp-smack-test, udp-smack-test: don't use S = ${WORKDIR} 
* fixes:
  Parsing recipes...
  ERROR: meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported
  ERROR: meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported
  ERROR: meta-security/recipes-mac/smack/udp-smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported
  ERROR: meta-security/recipes-mac/smack/smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported
  ERROR: Parsing halted due to errors, see error messages above

* see:
  https://lists.openembedded.org/g/openembedded-architecture/message/2007

* it's fatal error since:
  https://git.openembedded.org/openembedded-core/commit/?h=master&id=32cba1cc916ad530c5e6630a927e74ca6f06289b

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-06-17 08:25:25 -04:00
Martin Jansa
e4425bca52 {tcp,udp}-smack-test: fix implicit-function-declaration issues fatal with gcc-14 
tcp-smack-test:
http://errors.yoctoproject.org/Errors/Details/766925/
  tcp_client.c:55:16: error: implicit declaration of function 'atoi' [-Wimplicit-function-declaration]

udp-client-tests:
http://errors.yoctoproject.org/Errors/Details/766927/
  udp_client.c:41:16: error: implicit declaration of function 'atoi' [-Wimplicit-function-declaration]
  udp_client.c:51:12: error: implicit declaration of function 'fsetxattr' [-Wimplicit-function-declaration]
  udp_client.c:66:9: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration]

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-06-17 08:25:25 -04:00
Valentin Kunin
03b522f859 tpm2-tss: upgrade 4.0.1 -> 4.1.2 
Bump tpm2-tss library version from 4.0.1 to 4.1.2.

This simply involves renaming the recipe and chaning the target SHA256
library file hash.

Also update the fixup_hosttools.patch to apply to the new version of the
library. It stays the same functionally, but some line numbers needed to
be updated to apply cleanly.

Signed-off-by: Valentin Kunin <kunin@google.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-06-17 08:25:25 -04:00
Gowtham Suresh Kumar
defb35fecb meta-parsec: Update parsec-service to 1.4.1 
Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-05-28 13:07:14 -04:00
Tim Orling
7ce0f88317 tpm2-tss: BBCLASSEXTEND nativesdk 
Dependency for nativesdk-swtpm

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-05-08 22:07:11 -04:00
Tim Orling
c690e29327 libtpm: BBCLASSEXTEND nativesdk 
nativesdk-swtpm needs nativesdk-libtpm

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-05-08 22:06:37 -04:00
Tim Orling
1e4c3ba4c0 tpm2-tools: BBCLASSEXTEND native and nativesdk 
tpm2-pkcs11-tools-native needs tpm2-tools-native

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-05-08 22:06:10 -04:00
Tim Orling
cd729862f6 tpm2-pkcs11: BBCLASSEXTEND native and nativesdk 
swtpm-native requires tpm2-pkcs11-tools-native for gnutls PACKAGECONFIG

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-05-08 22:05:40 -04:00
Tim Orling
9c43b073a2 swtpm: upgrade 0.8.1 -> 0.8.2 
version 0.8.2:
  - swtpm:
    - cuse: Lock file_ops_lock before reading tpm_running
  - build-sys:
    - Add support for --disable-tests to disable tests

https://github.com/stefanberger/swtpm/compare/v0.8.1...v0.8.2

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-05-08 22:04:47 -04:00
Yi Zhao
063a629ac2 scap-security-guide: upgrade 0.1.71 -> 0.1.72 
ChangeLog:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.72

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-05-08 22:04:13 -04:00
Yi Zhao
fca6068f2a openscap: upgrade 1.3.9 -> 1.3.10 
ChangeLog:
https://github.com/OpenSCAP/openscap/releases/tag/1.3.10

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-05-08 22:03:43 -04:00
Marta Rybczynska
3a88379610 packagegroup-core-security: update libseccomp dependencies 
libseccomp requires DISTRO_FEATURE seccomp enabled. This one
is automatically removed for riscv, so we do not need to add
an additional condition.

This change is necessary for cve-check on world with meta-security

Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-05-08 22:03:13 -04:00
Yi Zhao
7346f5996c scap-security-guide: remove __pycache__ in ptest directory 
Remove __pycache__ directories as they contain references to TMPDIR.

Fix QA warnings:
WARNING: scap-security-guide-0.1.71-r0 do_package_qa: QA Issue: File
/usr/lib64/scap-security-guide/ptest/git/utils/_pycache_/gen_reference_table.cpython-312.pyc
in package scap-security-guide-ptest contains reference to TMPDIR

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-05-08 22:02:48 -04:00
Yi Zhao
11ea91192d ibmtpm2tss: upgrade 1661 -> 2.2.0 
* Refresh patch
* Fix UPSTREAM_CHECK_GITTAGREGEX

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-04-22 08:00:01 -04:00
Wang Mingyu
93239b90ac lynis: upgrade 3.0.9 -> 3.1.1 
0001-osdetection-add-OpenEmbedded-and-Poky.patch
removed since it's included in 3.1.1.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-04-22 07:51:05 -04:00
Yi Zhao
fb28801eee ibmswtpm2: upgrade 164-2020-192.1 -> 183-2024-03-27 
Remove '-DALG_CAMELLIA=ALG_NO' from CFLAGS to fix compile error:
| TpmProfile_Common.h:109: error: "ALG_CAMELLIA" redefined [-Werror]
|   109 | #define ALG_CAMELLIA                ALG_YES
|       |

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-04-16 09:43:15 -04:00
Armin Kuster
d1522af21d README.md: update to new patches mailing list 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2024-04-09 11:31:35 -04:00