From f70d712e4f505f5c5b50ae17f4f023d20a667568 Mon Sep 17 00:00:00 2001 From: José Bollo Date: Wed, 24 Jan 2018 11:38:43 +0100 Subject: Integrate parts of meta-intel-iot-security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the recipes of the sub layers - meta-security-framework - meta-security-smack Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643 Signed-off-by: José Bollo --- .../libcap-ng/libcap-ng/CVE-2014-3215.patch | 79 ++++++++++++++++++++++ .../libcap-ng/libcap-ng/python.patch | 39 +++++++++++ .../recipes-security/libcap-ng/libcap-ng_0.7.3.bb | 39 +++++++++++ 3 files changed, 157 insertions(+) create mode 100644 meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch create mode 100644 meta-security/recipes-security/libcap-ng/libcap-ng/python.patch create mode 100644 meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb (limited to 'meta-security/recipes-security/libcap-ng') diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch new file mode 100644 index 000000000..d7a868d2c --- /dev/null +++ b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch @@ -0,0 +1,79 @@ +Upstream-Status: Pending + +diff --git a/docs/capng_lock.3 b/docs/capng_lock.3 +index 7683119..a070c1e 100644 +--- a/docs/capng_lock.3 ++++ b/docs/capng_lock.3 +@@ -8,12 +8,13 @@ int capng_lock(void); + + .SH "DESCRIPTION" + +-capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. ++capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs. This should be called while possessing the CAP_SETPCAP capability in the kernel. + ++This function will do the following if permitted by the kernel: If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it. Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. If both fail, it will return an error. + + .SH "RETURN VALUE" + +-This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options. ++This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options. + + .SH "SEE ALSO" + +diff --git a/src/cap-ng.c b/src/cap-ng.c +index bd105ba..422f2bc 100644 +--- a/src/cap-ng.c ++++ b/src/cap-ng.c +@@ -45,6 +45,7 @@ + * 2.6.24 kernel XATTR_NAME_CAPS + * 2.6.25 kernel PR_CAPBSET_DROP, CAPABILITY_VERSION_2 + * 2.6.26 kernel PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3 ++ * 3.5 kernel PR_SET_NO_NEW_PRIVS + */ + + /* External syscall prototypes */ +@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data); + #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */ + #endif + ++/* prctl values that we use */ ++#ifndef PR_SET_SECUREBITS ++#define PR_SET_SECUREBITS 28 ++#endif ++#ifndef PR_SET_NO_NEW_PRIVS ++#define PR_SET_NO_NEW_PRIVS 38 ++#endif ++ + // States: new, allocated, initted, updated, applied + typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT, + CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t; +@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag) + + int capng_lock(void) + { +-#ifdef PR_SET_SECUREBITS +- int rc = prctl(PR_SET_SECUREBITS, +- 1 << SECURE_NOROOT | +- 1 << SECURE_NOROOT_LOCKED | +- 1 << SECURE_NO_SETUID_FIXUP | +- 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0); ++ int rc; ++ ++ // On Linux 3.5 and up, we can directly prevent ourselves and ++ // our descendents from gaining privileges. ++ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0) ++ return 0; ++ ++ // This kernel is too old or otherwise doesn't support ++ // PR_SET_NO_NEW_PRIVS. Fall back to using securebits. ++ rc = prctl(PR_SET_SECUREBITS, ++ 1 << SECURE_NOROOT | ++ 1 << SECURE_NOROOT_LOCKED | ++ 1 << SECURE_NO_SETUID_FIXUP | ++ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0); + if (rc) + return -1; +-#endif + + return 0; + } diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch new file mode 100644 index 000000000..d82ceb454 --- /dev/null +++ b/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch @@ -0,0 +1,39 @@ +configure.ac - Avoid an incorrect check for python. +Makefile.am - avoid hard coded host include paths. + +Signed-off-by: Mark Hatle + +--- libcap-ng-0.6.5/configure.ac.orig 2012-01-17 13:59:03.645898989 -0600 ++++ libcap-ng-0.6.5/configure.ac 2012-01-17 13:59:46.353959252 -0600 +@@ -120,17 +120,8 @@ + else + AC_MSG_RESULT(testing) + AM_PATH_PYTHON +-if test -f /usr/include/python${am_cv_python_version}/Python.h ; then +- python_found="yes" +- AC_MSG_NOTICE(Python bindings will be built) +-else +- python_found="no" +- if test x$use_python = xyes ; then +- AC_MSG_ERROR([Python explicitly required and python headers found]) +- else +- AC_MSG_WARN("Python headers not found - python bindings will not be made") +- fi +-fi ++python_found="yes" ++AC_MSG_NOTICE(Python bindings will be built) + fi + AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes") + +--- libcap-ng-0.6.5/bindings/python/Makefile.am.orig 2010-11-03 12:31:59.000000000 -0500 ++++ libcap-ng-0.6.5/bindings/python/Makefile.am 2012-01-17 14:05:50.199834467 -0600 +@@ -24,7 +24,8 @@ + CONFIG_CLEAN_FILES = *.loT *.rej *.orig + AM_CFLAGS = -fPIC -DPIC + PYLIBVER ?= python$(PYTHON_VERSION) +-INCLUDES = -I. -I$(top_builddir) -I/usr/include/$(PYLIBVER) ++PYINC ?= /usr/include/$(PYLIBVER) ++INCLUDES = -I. -I$(top_builddir) -I$(PYINC) + LIBS = $(top_builddir)/src/libcap-ng.la + pyexec_PYTHON = capng.py + pyexec_LTLIBRARIES = _capng.la diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb b/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb new file mode 100644 index 000000000..e729518e9 --- /dev/null +++ b/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb @@ -0,0 +1,39 @@ +SUMMARY = "An alternate posix capabilities library" +DESCRIPTION = "The libcap-ng library is intended to make programming \ +with POSIX capabilities much easier than the traditional libcap library." +HOMEPAGE = "http://freecode.com/projects/libcap-ng" +SECTION = "base" +LICENSE = "GPLv2+ & LGPLv2.1+" +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \ + file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06" + +SRC_URI = "http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${PV}.tar.gz \ + file://python.patch \ + file://CVE-2014-3215.patch \ + " + +inherit lib_package autotools pythonnative + +SRC_URI[md5sum] = "610afb774f80a8032b711281df126283" +SRC_URI[sha256sum] = "5ca441c8d3a1e4cfe8a8151907977662679457311ccaa7eaac91447c33a35bb1" + +DEPENDS += "swig-native python" + +EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' PYINC='${STAGING_INCDIR}/${PYLIBVER}'" + +PACKAGES += "${PN}-python" + +FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" +FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" + +BBCLASSEXTEND = "native" + +do_install_append() { + # Moving libcap-ng to base_libdir + if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then + mkdir -p ${D}/${base_libdir}/ + mv -f ${D}${libdir}/libcap-ng.so.* ${D}${base_libdir}/ + relpath=${@os.path.relpath("${base_libdir}", "${libdir}")} + ln -sf ${relpath}/libcap-ng.so.0.0.0 ${D}${libdir}/libcap-ng.so + fi +} -- cgit 1.2.3-korg