Zoltán Böszörményi ea062563aa clamav: Set clamav:clamav ownership on /var/lib/clamav in do_install
Also, rearrange the runtime-dependencies a little so
clamav-freshclam is installed later than clamav.

The issue is that clamav-freshclam ships /var/lib/clamav
and the main clamav package uses chown in pkg_postinst to set
the ownership of this directory. But pkg_postinst is not
marked as "ontarget" so this chown only took effect when
upgrading or reinstalling the package.

So when clamav is part of an OS image out of the box, freshclamd
cannot populate this directory since it's running under the clamav
user.

Fix this by creating /var/lib/clamav with the proper ownership
in do_install and rearrange runtime-dependencies, so clamav-freshclam
RDEPENDS on clamav and clamav relaxes its runtime-dependency into
RRECOMMENDS so clamav-freshclam is installed later than clamav,
avoiding these warnings:

  Installing       : clamav-freshclam-...            487/1954
warning: user clamav does not exist - using root
warning: group clamav does not exist - using root

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-09-28 16:18:59 -07:00
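
The ownership problem described in the commit message above can be checked on a finished image before it ships. The following is an added example, not part of meta-security or of the commit: it resolves the clamav user and group through the image's own etc/passwd and etc/group and compares them with the numeric owner of /var/lib/clamav. The function names (lookup_id, check_owner, make_sample) are hypothetical, and the sample root filesystem is constructed.

```shell
#!/bin/sh
# Added example (not meta-security code). Verifies offline that a directory
# in an unpacked or mounted rootfs is owned by a named user and group.
# lookup_id, check_owner and make_sample are hypothetical helper names.

# lookup_id FILE NAME: print field 3 (uid or gid) of NAME, fail if absent
lookup_id() {
    awk -F: -v n="$2" '$1 == n { print $3; found = 1; exit }
                       END { exit !found }' "$1"
}

# check_owner ROOTFS DIR USER GROUP
# returns 0 on match, 1 on wrong owner, 2 if account or directory is missing
check_owner() {
    rootfs=$1 dir=$2 user=$3 group=$4
    want_uid=$(lookup_id "$rootfs/etc/passwd" "$user") || {
        echo "FAIL: user $user not in $rootfs/etc/passwd" >&2; return 2; }
    want_gid=$(lookup_id "$rootfs/etc/group" "$group") || {
        echo "FAIL: group $group not in $rootfs/etc/group" >&2; return 2; }
    [ -d "$rootfs$dir" ] || { echo "FAIL: $dir missing" >&2; return 2; }
    have=$(stat -c '%u:%g' "$rootfs$dir")   # GNU stat: numeric owner
    if [ "$have" = "$want_uid:$want_gid" ]; then
        echo "OK: $dir is $user:$group ($have)"
    else
        echo "FAIL: $dir is $have, want $want_uid:$want_gid ($user:$group)" >&2
        return 1
    fi
}

# make_sample DIR UID GID: constructed rootfs whose clamav account is UID:GID
make_sample() {
    mkdir -p "$1/etc" "$1/var/lib/clamav"
    printf 'root:x:0:0::/root:/bin/sh\nclamav:x:%s:%s::/:/bin/false\n' \
        "$2" "$3" > "$1/etc/passwd"
    printf 'root:x:0:\nclamav:x:%s:\n' "$3" > "$1/etc/group"
}

if [ "$#" -ge 1 ]; then
    # real use: path to a mounted image or extracted rootfs
    check_owner "$1" /var/lib/clamav clamav clamav
else
    # no argument: demo on a constructed rootfs owned by the current user
    tmp=$(mktemp -d)
    make_sample "$tmp" "$(stat -c %u "$tmp")" "$(stat -c %g "$tmp")"
    check_owner "$tmp" /var/lib/clamav clamav clamav; rm -rf "$tmp"
fi
```

Run it as root against a mounted image or a rootfs extracted as root, because an unprivileged extraction does not preserve file ownership.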

Meta-security
=============

The bbappend files for some recipes (e.g. linux-yocto) in this layer only
take effect when 'security' is in DISTRO_FEATURES.
To enable them, add the following line to your configuration file:

  DISTRO_FEATURES:append = " security"

If meta-security is included but 'security' is not enabled as a
distro feature, a warning is printed at parse time:

    You have included the meta-security layer, but
    'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files
    and preferred version setting may not take effect.

If you know what you are doing, this warning can be disabled by setting the following
variable in your configuration:

  SKIP_META_SECURITY_SANITY_CHECK = "1"

This layer provides security tools, hardening tools for Linux kernels
and libraries for implementing security mechanisms.

Dependencies
============

This layer depends on:

  URI: git://git.openembedded.org/openembedded-core
  branch: master

  URI: git://git.openembedded.org/meta-openembedded/meta-oe
  branch: master

  URI: git://git.openembedded.org/meta-openembedded/meta-perl
  branch: master

  URI: git://git.openembedded.org/meta-openembedded/meta-python
  branch: master

  URI: git://git.openembedded.org/meta-openembedded/meta-networking
  branch: master


Adding the security layer to your build
========================================

In order to use this layer, you need to make the build system aware of
it.

Assuming the security layer exists at the top level of your
Yocto build tree, you can add it to the build system by adding the
location of the security layer to bblayers.conf, along with any
other layers needed, e.g.:

  BBLAYERS ?= " \
    /path/to/oe-core/meta \
    /path/to/meta-openembedded/meta-oe \
    /path/to/meta-openembedded/meta-perl \
    /path/to/meta-openembedded/meta-python \
    /path/to/meta-openembedded/meta-networking \
    /path/to/layer/meta-security "

Optional Rust dependency
======================================
If you want to use the latest Suricata, which needs Rust, you will need to
clone meta-rust and add it to BBLAYERS:

  URI: https://github.com/meta-rust/meta-rust.git
  branch: master

  BBLAYERS += "/path/to/layer/meta-rust"

This will activate the dynamic-layer mechanism and pull in the newer Suricata.



Maintenance
======================================

Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org

When sending single patches, please use something like:
'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][PATCH'

These values can be set as defaults for this repository:

$ git config sendemail.to yocto@lists.yoctoproject.org
$ git config format.subjectPrefix meta-security][PATCH

Now you can just do 'git send-email origin/master' to send all local patches.

For pull requests, please use create-pull-request and send-pull-request. 

Maintainers:    Armin Kuster <akuster808@gmail.com>


License
=======

All metadata is MIT licensed unless otherwise stated. Source code included
in tree for individual recipes is under the LICENSE stated in each recipe
(.bb file) unless otherwise stated.