summaryrefslogtreecommitdiffstats
path: root/meta-security/recipes-security
AgeCommit message (Collapse)AuthorFilesLines
2020-04-27meta-security: update to audit 2.8.5Scott Murray11-3179/+266
Update audit recipe with version 2.8.5 recipe from meta-selinux (as of commit 03baa60) to fix build issues against dunfell related to python2 removal. Adding meta-selinux to the manifest for the one recipe seems like overkill for now; it might be worthwhile asking upstream about moving it to meta-security to allow dropping a local copy altogether. Bug-AGL: SPEC-3302 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: I83a2e65201f9f02fcce843f4bc6b65a2304ef899
2020-04-27Update distro_features_check usageScott Murray2-2/+2
Replace distro_features_check usage with features_check to work with dunfell, which has removed distro_features_check. Bug-AGL: SPEC-3302 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: I46ef0d0feaa5515dd664de4cc5a9691e2ebe109b
2020-02-21Merge remote-tracking branch 'agl/next'Jan-Simon Möller6-122/+0
* agl/next: meta-agl-bsp: Add CONFIG_LSM workaround for 5.1+ kernels meta-agl-profile-cluster-qt5: disable qtbase patches zeus updates for dragonboard-410c meta-security: activates dbus-cynagora recipes-graphics/wayland/weston: Expose weston_output_damage() meta-agl-profile-core: tweak udisks2 configuration for AGL meta-agl-bsp/meta-arago: update weston bbappend [RCAR] Update rcar driver weston 7 bsp 3.21.0 [RCAR] Update rcar driver weston 7 bsp 3.21.0 [RCAR] Split ADSP path for ulcb and ulcb-kf Fix nss-localuser post install meta-agl-bsp: meta-raspberrypi: handle zeus upgrade meta-agl-profile-core: add patch for systemd-udevd SECLABEL crash meta-security: disable dbus-cynara patches meta-agl-bsp: handle ptest-runner upgrade meta-agl-distro: Add inc file for next branch over-rides meta-agl-distro: BBMASK problematic upstream meta-security bbappend meta-agl-distro: prefer linux-yocto 4.19 LTS kernel meta-agl-profile-graphical-qt5: enable qt5location services meta-agl-profile-core: update most recipe meta-agl-profile-core: update neardal recipe Update base local.conf.sample meta-agl-profile-graphical: don't always build agl-compositor meta-agl-profile-graphical: update weston and weston-init meta-agl-profile-graphical: update wayland-ivi-extension for weston 7.0.0 meta-agl-distro: add polkit to DISTRO_FEATURES meta-agl-profile-core: update fontconfig bbappend meta-agl-profile-core: switch to udisks2 meta-security: handle systemd upgrade meta-agl-profile-graphical-qt5: handle qtwayland upgrade meta-agl-profile-core: handle freetype upgrade meta-agl-bsp meta-agl-profile-core: upgrade to opencv 4.x meta-agl-profile-core: update rtl-sdr recipe for zeus meta-security meta-app-framework: handle xmlsec1 upgrade meta-agl-profile-graphical: upgrade to gstreamer 1.16 meta-agl-profile-core: remove libmicrohttpd backport meta-agl-profile-core: remove backported curl and nghttp2 recipes meta-agl-profile-core: remove libnfc recipe meta-agl-profile-core: remove connman backport meta-agl-profile-graphical: remove weston 5.0.0 patches meta-agl-profile-core: remove old glibc patch meta-agl-bsp/meta-intel: remove linux-firmware_git.bbappend meta-agl-bsp: remove weston and wayland-protocols backports meta-app-framework: remove libzip recipe meta-security: remove keyutils recipe Declare layer compatibility with zeus Change-Id: Ie8ee1e37958279e7cf2d503c54ffacb46ba0c31c
2020-02-14cynagora: Fix protocol and start issuesJosé Bollo1-1/+1
Includes: * 384f2e7 Fix bug on unknown commands * 68ccab4 Fix a bug in protocol * 218dad2 Change cynagora service Bug-AGL: SPEC-3002 Bug-AGL: SPEC-3166 Bug-AGL: SPEC-3168 Change-Id: I671296d7f6512c1fcf2abda3bd707fbda1c63446 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2020-02-14security-manager: Restrict socket accessesJosé Bollo2-0/+35
Ensure that only members of the group and the owner can access the security manager. Bug-AGL: SPEC-3146 Change-Id: Ia529be6b4ef425d03be31f0d2e2d623fa6ac091e Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2020-01-22meta-security meta-app-framework: handle xmlsec1 upgradeScott Murray1-3/+0
Remove now unneeded meta-security xmlsec1 bbappend, and update the bbappend in meta-app-framework to work with the new xmlsec1 1.2.28 recipe in oe-core. Bug-AGL: SPEC-2932 Change-Id: If57b7c9fa2a4d2b8f9470dd67e95b4579d1210c7 Signed-off-by: Scott Murray <scott.murray@konsulko.com>
2020-01-22meta-security: remove keyutils recipeScott Murray5-119/+0
Remove keyutils 1.5.8 recipe since meta-oe has a newer 1.6 recipe. Bug-AGL: SPEC-2932 Change-Id: I0a0d2507922c0d705eb064577c0a2a8fcc081d3f Signed-off-by: Scott Murray <scott.murray@konsulko.com>
2019-12-19cynagoauth: Add a basic OAuth serverJosé Bollo1-0/+23
cynagoauth is a basic OAuth2 server implementing delivery of tokens based on the Smack label of the client. Bug-AGL: SPEC-2550 Bug-AGL: SPEC-2968 Bug-AGL: SPEC-3032 Change-Id: I93aa1864ac68ec51963a25e80150879ea88a5766 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2019-12-19cynagora: Bump versionJosé Bollo1-2/+2
Includes: * 23bc103 agent-at: Move field separator from : to ; * c29761c Improve integration of cynagora Bug-AGL: SPEC-2968 Change-Id: I83af517b446f0a55de253568b17069b6231d3034 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2019-12-03security-manager: Improve integrationJosé Bollo18-208/+396
This fixes some issues encountered by the current integration of the security-manager: - its recipes is spread in too much directories (see SPEC-2092) - its initialization should be checked (see SPEC-2091) - the location of the database has to be changed (see SPEC-1717 that provided a workaround) All in one, I decided to create that ticket that summarize the work that can be quickly achieved to answer all this issues that are tightly coupled. Bug-AGL: SPEC-2972 Bug-AGL: SPEC-2092 Bug-AGL: SPEC-2091 Bug-AGL: SPEC-1717 Change-Id: I7af941c25cfa1624d76c2e8f512f6535918912f0 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2019-11-07Cynagora: Replace cynara with cynagoraJosé Bollo13-718/+72
Shift from the permission database cynara to cynagora permission database with a compatibility library. The cache size required by dbus-cynara is updated because that size is now a count of bytes, not a count of entries. Bug-AGL: SPEC-2844 Change-Id: I9a81de6e3b8bcb94adc0bb05c63183c2eda3f310 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2019-08-16dbus-cynara: Simplifies build recipeJosé Bollo1-2/+0
Simplifies the way of building dbus-cynara by removing the specific recipes in favour of a recipe for dbus that handles the class-target build feature. It requires to remove fake dependencies of cynara. This is a suggestion of Tom Rini. Bug-AGL: SPEC-1839 Change-Id: Id7a736eb4b73cdb679fa9dde30e9ad8e56c2894e Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2019-04-04Upgrade to thudScott Murray17-267/+401
Changes include: - Add LAYERSERIES_COMPAT definitions to layer.conf files - Remove now unnecessary SECURITY_*FLAGS over-rides from distro configuration - Set intel-corei7-64 preferred kernel version to 4.19 to match latest linux-intel kernel available in meta-intel - Update qemuarm preferred kernel version to 4.18 to match latest linux-yocto - Update firmware package and devicetree file names for raspberrypi3 - Remove linux-firmware bbappend specific to raspberrypi, it seems no longer required and breaks the cross SDK build - Update linux-intel bbappend to 4.19, remove now unnecessary patch - Remove now unnecessary lttng-modules backport - Update linux-raspberrypi bbappend to 4.14 kernel - Added kernel configuration fragment for raspberrypi to disable Kprobes. This is required until linux-raspberrypi is updated to greater than 4.14.104 to avoid a build failure in lttng-modules related to a check for known breakage in the kernel CONFIG_OPTPROBES code. - Replace obsolete base_conditional usage with oe.utils.conditional - Add gstreamer1.0-plugins-bad bbappend for raspberrypi3 to disable faad PACKAGECONFIG to avoid commercial license issues - Remove unused and unbuildable Vayu gstreamer recipes - Update linux-ti-staging bbappend for new BSP kernel - Regen dcan2_pinmux_enable.patch for linux-ti-staging to remove fuzz warning, and remove upstreamed fix_dcan_addresses.patch - Remove ipumm-fw from meta-agl-bsp/meta-ti, as newer version is available in the upstream BSP - Update meta-agl-bsp/meta-ti weston patch to apply against 5.0.0 - Update meta-agl-bsp/meta-ti wayland-ivi-extension patch to apply against 2.2.0 - Add ti-sgx-ddk-km patch to add AGL toolchain configuration file - Remove now unnecessary fdtoverlay recipe - Update core.cfg and ivishell.cfg in weston-ini-conf recipe to handle move of ivi-controller.so configuration in Weston 5.0.0 - Update connman-ncurses patch to remove fuzz warning - Add installation of systemd over-ride file for run-postinsts.service in run-postinsts bbappend to workaround race condition between ldconfig.service and the /sbin/ldconfig invocations in the post-install scripts run by run-postinsts.service. The observed failure was cynara's post-install script failing and its database not being created. - Remove now unnecessary valgrind backport - Add patches to fix most driver compilation against newer kernels - Update libmicrohttpd bbappend - Remove libssp-dev from agl-image-graphical-qt5-crosssdk and agl-demo-platform-html5-crosssdk, upstream have removed it from non-mingw32 platform SDKs - Update wayland-ivi-extension recipe to build 2.2.0, and update local patches - Update weston patches for 5.0.0. Patches: 0016-ivi-shell_add_screen_remove_layer_api.patch 0017-ivi-shell-register-ivi_layout_interface.patch have been removed as they have been applied upstream and are no longer necessary. Patches: 0018-compositor-add-output-type-to-weston_output.patch 0019-compositor-drm-introduce-drm_get_dmafd_from_view.patch (both related to Waltham) have been disabled for now as they need significant rework. - Remove weston-conf RRECOMMENDS in weston bbappend to avoid conflict with weston-ini-conf - Add OECMAKE_GENERATOR = "Unix Makefiles" to aglwgt.bbclass to work around CMake+ninja issue in cmake-apps-module - Update dbus cynara patches for 1.12.10 - Add do_install_append in cynara recipe to remove /var/cynara from cynara package so the directory creation and labelling in the post-install scriptlet will function as intended - Remove now unnecessary e2fsprogs backport - Remove now unnecessary libcap-ng backport - Update pulseaudio patches to remove fuzz warnings - Update neardal patch to remove fuzz warning - Update freetype patch to remove fuzz warning - Rename opencv bbappend to 3.% to handle 3.x backports in upstream - Updated qtwayland patch to remove fuzz warning Changes from Stephane Desneux <stephane.desneux@iot.bzh>: - Remove wayland-ivi-extension PREFERRED_VERSION - Remove now unnecessary nativesdk-cmake patch - Remove now unnecessary ptest-runner patches - Remove now unnecessary harfbuzz patches - Disable waltham-transmitter as it does not build against weston 5.0.0 - Update af-main, cynara, and security-manager to use pkg_postinst_ontarget - Bump connman-ncurses revision to avoid deprecated ncurses functions - Update libva package usage with new intel-vaapi-driver name - Add patches to security-manager to fix compilation with gcc8 - Updated systemd bbappend Changes from Jan-Simon Möller <jsmoeller@linuxfoundation.org>: - Remove meta-agl-bsp/ROCKO.FIXMEs - Remove linux-yocto_4.12.bbappend and now unnecessary associated patch - Remove now unneeded kern-tools-native patch - Bump gstreamer PREFERRED_VERSIONs to 1.14.x - Remove latencytop from packagegroup-agl-core-devel, it has been dropped by upstream - Remove now unnecessary rpm patches - Update pulseaudio bbappend to 12.2 - Update opencv bbappend to 3.4 - Update freetype bbappend to 2.9.1 - Update dbus bbappend to 1.12.10 - Update weston bbappend to 5.0.0 - Update cynara patches to remove fuzz warnings - Add patch to cynara to fix compilation with gcc8 - Add xmlsec1 bbappend to clear EXTRA_OECONF to fix compilation on sumo or newer Changes from Ronan Le Martet <ronan.lemartet@iot.bzh>: - Update meta-rcar-gen3-adas layer gstreamer1.0-plugin-vspfilter bbappend to version 1.0.1 Known issues (marked with FIXME): - CMake+ninja issue in cmake-apps-module has been worked around with OECMAKE_GENERATOR - waltham-transmitter and the patches to weston related to it have been disabled - Currently unclear if patch to libcap-native is actually required or not Bug-AGL: SPEC-1837 Change-Id: I7b8b9ef667aec2d229952eace6663dfc761654d0 Signed-off-by: Scott Murray <scott.murray@konsulko.com>
2018-09-28Move security manager database under /var/localAnton Gerasimov1-1/+1
It is critical for agl-sota feature Bug-AGL: SPEC-1717 Change-Id: Ia4060721e3a092d13934d3af575199e67e356e71 Signed-off-by: Anton Gerasimov <anton.gerasimov@here.com>
2018-04-01Remove upstreamed patch for typo in verify3Jan-Simon Möller2-14/+0
Upstream recipe has fix included. Change-Id: Ice5b699c9fbd25ec9b1dceb0bdac8f669cec9b0f Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
2018-03-27xmlsec1: Fix compilation issue in examplesJosé Bollo2-0/+14
When the feature agl-ptest is selected, it leads to a compilation error due to an unexpected character in the file examples/verify3.c. Bug-AGL: SPEC-1353 Change-Id: Idcda2eed181636a9229b4a666a1ef31eddc6309c Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2018-02-13cynara: upgrade to 0.14.10José Bollo10-225/+462
Change-Id: I33caaa8a435e0b36afff43c4199428ae9336d612 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2018-02-13Remove smack recipeJosé Bollo2-29/+2
smack user space library is provided by meta-security Change-Id: Ifb5e88e5f5a1aab3e695ab91a56d8c55c33fd004 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2018-02-13Integrate parts of meta-intel-iot-securityJosé Bollo40-0/+5079
Adds the recipes of the sub layers - meta-security-framework - meta-security-smack Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643 Signed-off-by: José Bollo <jose.bollo@iot.bzh>