Armin Kuster
f9fdf97730
layer.conf: Add hardknott to LAYERSERIES_COMPAT
...
That's the codename for 3.3
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-18 08:01:19 -07:00
Ming Liu
6ada80aa3e
ima-evm-keys: add file-checksums to IMA_EVM_X509
...
This ensures that when an end user changes the IMA_EVM_X509 key file,
the ima-evm-keys recipe will be rebuilt.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-18 08:01:19 -07:00
Kai Kang
db86cfad19
samhain: fix compile error on powerpc
...
It fails to compile samhain for powerpc (qemuppc):
| x_sh_dbIO.c: In function 'swap_short':
| x_sh_dbIO.c:229:36: error: initializer element is not constant
| 229 | static unsigned short ooop = *iptr;
| | ^
Assign after initialization of the static variable to avoid the failure.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-18 08:01:19 -07:00
lukasz plachno
d4e7769be2
fscryptctl: Fix installation path
...
- Without the patch fscryptctl is installed in
/usr/bin/usr/local/bin instead of /usr/bin.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-18 08:01:19 -07:00
Armin Kuster
fffd85ac87
python3-fail2ban: fix building with ptest enabled
...
Use new structure for testing.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-09 08:52:21 -08:00
Armin Kuster
77b17e6865
tpm-tools: update to 1.3.9.1
...
drop patch included in update
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-09 08:52:21 -08:00
Armin Kuster
31aa858948
trousers: update to 0.3.15
...
includes: CVE-2020-24332, CVE-2020-24330, CVE-2020-24331
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-09 08:52:21 -08:00
Armin Kuster
b6e41623f6
tpm2-topt: update 0.3.0
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-09 08:52:21 -08:00
Armin Kuster
c8c31f0c1e
tpm2-pkcs11: update to 1.5.0
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-09 08:52:21 -08:00
Armin Kuster
b246b2d696
tpm2-tss: update to 3.0.3
...
include automate 2.70 fix
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-09 08:52:21 -08:00
Armin Kuster
ef93f8c906
tpm2-tools: update to 5.0
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-09 08:52:21 -08:00
Armin Kuster
caa7a1b527
tpm2-abrmd: update to 2.4.0
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-09 08:52:21 -08:00
Armin Kuster
dff404dc36
ibmtpm2tss: update to 1.6.0
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-09 08:52:21 -08:00
Armin Kuster
7e4ceed4f5
libtpm: update to 0.8.2
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
--
[V2]
let's include the updated changes
2021-03-09 08:51:51 -08:00
Ming Liu
9504d02694
ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
...
This fixes following systemd boot issues:
[ 7.455580] systemd[1]: Failed to create /init.scope control group: Permission denied
[ 7.457677] systemd[1]: Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object.
[ 7.459270] systemd[1]: Freezing execution.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-02 11:56:27 -08:00
Armin Kuster
6d81042860
python3-fail2ban: update to 0.11.2
...
drop hard python3 patch and create it during compile.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-02 11:56:27 -08:00
Armin Kuster
0085b2cda9
suricata: update to 4.10.0
...
This is the last 4.x. Will need rust support to move to 6.x
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-02 11:56:27 -08:00
Armin Kuster
7d3704b22c
opendnssec: update to 2.1.8
...
refresh libdns_conf_fix.patch
Drop fix_fprint.patch included in update
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-02 11:56:27 -08:00
Armin Kuster
dc28e175e3
samhain: update to 4.4.3
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-02 11:56:27 -08:00
Armin Kuster
53b59e1551
python3-scapy: upgrade 2.4.3 -> 2.4.4
2021-03-02 11:56:27 -08:00
Armin Kuster
5c9ea6bd3b
python3-privacyidea: upgrade 3.3 -> 3.5.1
2021-03-02 11:56:27 -08:00
Armin Kuster
9bb7fa51a5
libseccomp: upgrade 2.5.0 -> 2.5.1
...
drop patch merged in update
2021-03-02 11:56:27 -08:00
Armin Kuster
d7391ab934
fscryptctl: upgrade 0.1.0 -> 1.0.0
2021-03-02 11:56:27 -08:00
Armin Kuster
0b9dba242f
ding-libs: upgrade 0.5.0 -> 0.6.1
2021-03-02 11:56:27 -08:00
Armin Kuster
d172529675
checksec: upgrade 2.1.0 -> 2.4.0
...
LIC_FILES_CHKSUM update due to year change
2021-03-02 11:56:27 -08:00
Armin Kuster
b1d0346eb8
arpwatch: upgrade 3.0 -> 3.1
...
LIC_FILES_CHKSUM update due to year change
2021-03-02 11:56:27 -08:00
Armin Kuster
f97a8bef14
kas-security-base.yml: drop DL_DIR
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-02 11:56:27 -08:00
Armin Kuster
a107721960
kas-security-base.yml: build setting updates
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Armin Kuster
b6d0148899
nikito: Update common-licenses references to match new names
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Armin Kuster
adcd7c4371
scap-security-guide: Inherit python3targetconfig
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Armin Kuster
be7f9bda1d
openscap: Inherit python3targetconfig
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Armin Kuster
8f51c5b9a2
python3-suricata-update: Inherit python3targetconfig
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Armin Kuster
725526e0ea
apparmor: Inherit python3targetconfig
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Ming Liu
6612bf719f
ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
...
Or else wic will fail without "--no-fstab-update" option.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Ming Liu
ffab25f929
initramfs-framework-ima: let ima_enabled return 0
...
Otherwise, ima script would not run as intended.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Ming Liu
4dc646c8ce
README.md: update according to the refactoring in ima-evm-rootfs.bbclass
...
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Ming Liu
76d1e3ecad
meta: refactor IMA/EVM sign rootfs
...
The current logic in ima-evm-rootfs.bbclass does not guarantee
ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND
by appending to it, for instance, if there are other "_append" being
used, as is the case in openembedded-core/meta/classes/image.bbclass:
| IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \
| if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \
| and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True,
| False, d) else ''} reproducible_final_image_task; "
and ima-evm-rootfs should be in IMAGE_CLASSES instead of in INHERIT
since that would impact all recipes, not only image recipes.
To fix the above issues, we introduce an ima_evm_sign_handler setting
IMA/EVM rootfs signing requirements/dependencies in event
bb.event.RecipePreFinalise; it checks the 'ima' distro feature to decide if
IMA/EVM rootfs signing logic should be applied or not.
Also add ima-evm-keys to IMAGE_INSTALL.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Ming Liu
52bfc654e8
initramfs-framework-ima: RDEPENDS on ima-evm-keys
...
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Ming Liu
f70207e1c1
ima-evm-keys: add recipe
...
Create a recipe to package IMA/EVM public keys.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Ming Liu
0f34b25763
initramfs-framework-ima: fix a wrong path
...
/etc/ima-policy > /etc/ima/ima-policy.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Ming Liu
ca1c2086ad
ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
...
'ima' does not have to be in native DISTRO_FEATURES, unset it to avoid
sanity check for ima-evm-utils-native.
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Armin Kuster
f13c3fb6cb
softhsm: drop pkg as meta-oe has it
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23 20:34:51 -08:00
Jate Sujjavanich
16ee7308c9
scap-security-guide: Fix openembedded platform tests and build
...
Add patches to fix openembedded nodistro tests and openembedded build within
ssg metadata.
Signed-Off-By: Jate Sujjavanich <jatedev@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-14 16:31:00 -08:00
Yi Zhao
0a3c0f3499
ibmswtpm2: disable camellia algorithm
...
The openssl in oe-core has disabled several deprecated algorithms
including camellia. Disable this algorithm to fix the build error.
Fixes:
TpmToOsslSym.h:185:42: error: unknown type name 'CAMELLIA_KEY'
185 | #define tpmKeyScheduleCAMELLIA CAMELLIA_KEY
| ^~~~~~~~~~~~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-01-23 15:19:33 -08:00
Adrian Ratiu
6053e8b8e2
tpm2-pkcs11: build and package python tools
...
Signed-off-by: Adrian Ratiu <adrian.ratiu@collabora.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-12-24 14:40:04 -08:00
Armin Kuster
3b81fca1cd
.gitlab-ci: drop script
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-17 08:28:11 -08:00
Armin Kuster
d2ceb5e438
kas-security-base: Don't create local SSTATE mirror
...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-15 11:03:52 -08:00
Yi Zhao
080778ca97
scap-security-guide: fix build with Python 3.9
...
The getchildren and getiterator functions are deprecated in Python 3.9.
Backport 3 patches to fix the build issue.
Fixes:
File
"/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/scap-security-guide/0.1.44+gitAUTOINC+5fdfdcb2e9-r0/git/ssg/build_stig.py",
line 41, in add_references
index = rule.getchildren().index(ref)
AttributeError: 'xml.etree.ElementTree.Element' object has no attribute 'getchildren'
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-15 11:03:39 -08:00
Armin Kuster
c40e8f8d9d
samhain: update to 4.4.2
...
refresh a few patches too
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-03 15:16:53 -08:00
Yi Zhao
ab133ef3f6
clamav: unify volatiles file name
...
Make the volatiles file name start with a digit.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-03 15:16:23 -08:00