authortakeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp>2020-11-02 11:07:33 +0900
committertakeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp>2020-11-02 11:07:33 +0900
commit1c7d6584a7811b7785ae5c1e378f14b5ba0971cf (patch)
treecd70a267a5ef105ba32f200aa088e281fbd85747 /external/meta-security
parent4204309872da5cb401cbb2729d9e2d4869a87f42 (diff)
recipes
Diffstat (limited to 'external/meta-security')
-rw-r--r--external/meta-security/README19
-rw-r--r--external/meta-security/classes/dm-verity-img.bbclass88
-rw-r--r--external/meta-security/conf/distro/include/maintainers.inc57
-rw-r--r--external/meta-security/conf/layer.conf4
-rw-r--r--external/meta-security/lib/oeqa/runtime/cases/apparmor.py46
-rw-r--r--external/meta-security/lib/oeqa/runtime/cases/checksec.py34
-rw-r--r--external/meta-security/lib/oeqa/runtime/cases/clamav.py68
-rw-r--r--external/meta-security/lib/oeqa/runtime/cases/samhain.py43
-rw-r--r--external/meta-security/lib/oeqa/runtime/cases/smack.py529
-rw-r--r--external/meta-security/lib/oeqa/runtime/cases/sssd.py37
-rw-r--r--external/meta-security/lib/oeqa/runtime/cases/suricata.py76
-rw-r--r--external/meta-security/lib/oeqa/runtime/cases/tripwire.py47
-rw-r--r--external/meta-security/lib/oeqa/selftest/cases/cvechecker.py27
-rw-r--r--external/meta-security/meta-integrity/README.md250
-rw-r--r--external/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass92
-rw-r--r--external/meta-security/meta-integrity/classes/kernel-modsign.bbclass29
-rw-r--r--external/meta-security/meta-integrity/conf/layer.conf28
-rw-r--r--external/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem16
-rw-r--r--external/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem28
-rw-r--r--external/meta-security/meta-integrity/data/debug-keys/x509_ima.derbin0 -> 707 bytes
-rw-r--r--external/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt22
-rw-r--r--external/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py129
-rw-r--r--external/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc5
-rw-r--r--external/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend1
-rw-r--r--external/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb21
-rw-r--r--external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb31
-rw-r--r--external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima52
-rw-r--r--external/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb11
-rw-r--r--external/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf2
-rw-r--r--external/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf3
-rw-r--r--external/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend13
-rw-r--r--external/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend5
-rw-r--r--external/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch51
-rw-r--r--external/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch138
-rw-r--r--external/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch60
-rw-r--r--external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch68
-rw-r--r--external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch50
-rw-r--r--external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch47
-rw-r--r--external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb37
-rw-r--r--external/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all29
-rw-r--r--external/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb21
-rw-r--r--external/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed77
-rw-r--r--external/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb23
-rw-r--r--external/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple4
-rw-r--r--external/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb21
-rwxr-xr-xexternal/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh48
-rwxr-xr-xexternal/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh42
-rwxr-xr-xexternal/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh41
-rw-r--r--external/meta-security/meta-security-compliance/README4
-rw-r--r--external/meta-security/meta-security-compliance/conf/layer.conf8
-rw-r--r--external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb (renamed from external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb)6
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb13
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch130
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb9
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch36
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch17
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest3
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc53
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb87
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb9
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb12
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch39
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch35
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc35
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb57
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb8
-rw-r--r--external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb12
-rw-r--r--external/meta-security/meta-security-isafw/.gitignore2
-rw-r--r--external/meta-security/meta-security-isafw/COPYING.MIT17
-rw-r--r--external/meta-security/meta-security-isafw/README.md92
-rw-r--r--external/meta-security/meta-security-isafw/classes/isafw.bbclass318
-rw-r--r--external/meta-security/meta-security-isafw/conf/layer.conf17
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/__init__.py40
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isafw.py158
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py392
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py217
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py185
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py323
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py273
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/__init__.py42
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py0
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py0
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py24
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py242
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py38
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi43
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions0
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses105
-rw-r--r--external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations7
-rw-r--r--external/meta-security/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb25
-rw-r--r--external/meta-security/meta-tpm/README57
-rw-r--r--external/meta-security/meta-tpm/conf/distro/include/maintainers.inc39
-rw-r--r--external/meta-security/meta-tpm/conf/layer.conf4
-rw-r--r--external/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py43
-rw-r--r--external/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb7
-rw-r--r--external/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb18
-rw-r--r--external/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb10
-rw-r--r--external/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend (renamed from external/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend)0
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb (renamed from external/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb)10
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.2.0.bb (renamed from external/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb)20
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb15
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb22
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb47
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch16
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch26
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb27
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh (renamed from external/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh)2
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default (renamed from external/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default)2
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb (renamed from external/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb)10
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch12
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb21
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch27
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch25
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch23
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch38
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb45
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb17
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb18
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb23
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4 (renamed from external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4)0
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch (renamed from external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch)0
-rw-r--r--external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.2.bb (renamed from external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb)31
-rw-r--r--external/meta-security/recipes-core/busybox/busybox_%.bbappend4
-rw-r--r--external/meta-security/recipes-core/busybox/busybox_libsecomp.inc3
-rw-r--r--external/meta-security/recipes-core/images/dm-verity-image-initramfs.bb26
-rw-r--r--external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb13
-rw-r--r--external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh46
-rw-r--r--external/meta-security/recipes-ids/samhain/files/fix-build-with-new-version-attr.patch73
-rwxr-xr-xexternal/meta-security/recipes-ids/samhain/files/run-ptest (renamed from external/meta-security/recipes-security/samhain/files/run-ptest)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch (renamed from external/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch (renamed from external/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-client.default (renamed from external/meta-security/recipes-security/samhain/files/samhain-client.default)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-client.init (renamed from external/meta-security/recipes-security/samhain/files/samhain-client.init)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch (renamed from external/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch (renamed from external/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch (renamed from external/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch (renamed from external/meta-security/recipes-security/samhain/files/samhain-pid-path.patch)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch (renamed from external/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-samhainrc.patch (renamed from external/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-server-volatiles (renamed from external/meta-security/recipes-security/samhain/files/samhain-server-volatiles)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-server-volatiles.conf1
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-server.default (renamed from external/meta-security/recipes-security/samhain/files/samhain-server.default)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-server.init (renamed from external/meta-security/recipes-security/samhain/files/samhain-server.init)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-sha256-big-endian.patch (renamed from external/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-standalone.default (renamed from external/meta-security/recipes-security/samhain/files/samhain-standalone.default)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain-standalone.init (renamed from external/meta-security/recipes-security/samhain/files/samhain-standalone.init)0
-rw-r--r--external/meta-security/recipes-ids/samhain/files/samhain.service (renamed from external/meta-security/recipes-security/samhain/files/samhain.service)0
-rw-r--r--external/meta-security/recipes-ids/samhain/samhain-client.bb (renamed from external/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb)1
-rw-r--r--external/meta-security/recipes-ids/samhain/samhain-server.bb29
-rw-r--r--external/meta-security/recipes-ids/samhain/samhain-standalone.bb (renamed from external/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb)0
-rw-r--r--external/meta-security/recipes-ids/samhain/samhain.inc (renamed from external/meta-security/recipes-security/samhain/samhain.inc)12
-rw-r--r--external/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch26
-rw-r--r--external/meta-security/recipes-ids/suricata/files/no_libhtp_build.patch (renamed from external/meta-security/recipes-security/suricata/files/no_libhtp_build.patch)0
-rw-r--r--external/meta-security/recipes-ids/suricata/files/run-ptest (renamed from external/meta-security/recipes-security/suricata/files/run-ptest)0
-rw-r--r--external/meta-security/recipes-ids/suricata/files/suricata.service (renamed from external/meta-security/recipes-security/suricata/files/suricata.service)0
-rw-r--r--external/meta-security/recipes-ids/suricata/files/suricata.yaml (renamed from external/meta-security/recipes-security/suricata/files/suricata.yaml)0
-rw-r--r--external/meta-security/recipes-ids/suricata/files/tmpfiles.suricata2
-rw-r--r--external/meta-security/recipes-ids/suricata/files/volatiles.03_suricata (renamed from external/meta-security/recipes-security/suricata/files/volatiles.03_suricata)0
-rw-r--r--external/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb (renamed from external/meta-security/recipes-security/suricata/libhtp_0.5.27.bb)0
-rw-r--r--external/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb15
-rw-r--r--external/meta-security/recipes-ids/suricata/suricata.inc (renamed from external/meta-security/recipes-security/suricata/suricata.inc)6
-rw-r--r--external/meta-security/recipes-ids/suricata/suricata_4.1.6.bb (renamed from external/meta-security/recipes-security/suricata/suricata_4.0.5.bb)51
-rw-r--r--external/meta-security/recipes-ids/tripwire/files/add_armeb_arch.patch (renamed from external/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch)0
-rw-r--r--external/meta-security/recipes-ids/tripwire/files/run-ptest (renamed from external/meta-security/recipes-security/tripwire/files/run-ptest)0
-rw-r--r--external/meta-security/recipes-ids/tripwire/files/tripwire.cron (renamed from external/meta-security/recipes-security/tripwire/files/tripwire.cron)0
-rw-r--r--external/meta-security/recipes-ids/tripwire/files/tripwire.sh (renamed from external/meta-security/recipes-security/tripwire/files/tripwire.sh)0
-rw-r--r--external/meta-security/recipes-ids/tripwire/files/tripwire.txt (renamed from external/meta-security/recipes-security/tripwire/files/tripwire.txt)0
-rw-r--r--external/meta-security/recipes-ids/tripwire/files/twcfg.txt (renamed from external/meta-security/recipes-security/tripwire/files/twcfg.txt)0
-rw-r--r--external/meta-security/recipes-ids/tripwire/files/twinstall.sh (renamed from external/meta-security/recipes-security/tripwire/files/twinstall.sh)0
-rw-r--r--external/meta-security/recipes-ids/tripwire/files/twpol-yocto.txt (renamed from external/meta-security/recipes-security/tripwire/files/twpol-yocto.txt)0
-rw-r--r--external/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb (renamed from external/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb)6
-rw-r--r--external/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend4
-rw-r--r--external/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend2
-rw-r--r--external/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg13
-rw-r--r--external/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg2
-rw-r--r--external/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg8
-rw-r--r--external/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend10
-rw-r--r--external/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend2
-rw-r--r--external/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb (renamed from external/meta-security/recipes-security/AppArmor/apparmor_2.12.bb)90
-rw-r--r--external/meta-security/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch28
-rw-r--r--external/meta-security/recipes-mac/AppArmor/files/apparmor (renamed from external/meta-security/recipes-security/AppArmor/files/apparmor)1
-rw-r--r--external/meta-security/recipes-mac/AppArmor/files/apparmor.rc (renamed from external/meta-security/recipes-security/AppArmor/files/apparmor.rc)0
-rw-r--r--external/meta-security/recipes-mac/AppArmor/files/apparmor.service (renamed from external/meta-security/recipes-security/AppArmor/files/apparmor.service)0
-rw-r--r--external/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch (renamed from external/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch)0
-rw-r--r--external/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch (renamed from external/meta-security/recipes-security/AppArmor/files/disable_pdf.patch)0
-rw-r--r--external/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch (renamed from external/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch)0
-rw-r--r--external/meta-security/recipes-mac/AppArmor/files/functions (renamed from external/meta-security/recipes-security/AppArmor/files/functions)0
-rw-r--r--external/meta-security/recipes-mac/AppArmor/files/run-ptest (renamed from external/meta-security/recipes-security/AppArmor/files/run-ptest)0
-rw-r--r--external/meta-security/recipes-mac/ccs-tools/README (renamed from external/meta-security/recipes-security/ccs-tools/README)0
-rw-r--r--external/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb (renamed from external/meta-security/recipes-security/ccs-tools/ccs-tools_1.8.4.bb)4
-rw-r--r--external/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c7
-rw-r--r--external/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb16
-rw-r--r--external/meta-security/recipes-mac/smack/smack-test/notroot.py33
-rw-r--r--external/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh54
-rw-r--r--external/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh18
-rw-r--r--external/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh27
-rw-r--r--external/meta-security/recipes-mac/smack/smack-test_1.0.bb25
-rw-r--r--external/meta-security/recipes-mac/smack/smack/run-ptest (renamed from external/meta-security/recipes-security/smack/files/run-ptest)0
-rw-r--r--external/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch (renamed from external/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch)0
-rw-r--r--external/meta-security/recipes-mac/smack/smack_1.3.1.bb (renamed from external/meta-security/recipes-security/smack/smack_1.3.1.bb)9
-rw-r--r--external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c111
-rw-r--r--external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c118
-rw-r--r--external/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh108
-rw-r--r--external/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb24
-rw-r--r--external/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh107
-rw-r--r--external/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c75
-rw-r--r--external/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c93
-rw-r--r--external/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb23
-rw-r--r--external/meta-security/recipes-perl/perl/libenv-perl_1.04.bb21
-rw-r--r--external/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb2
-rw-r--r--external/meta-security/recipes-scanners/arpwatch/arpwatch_3.0.bb79
-rw-r--r--external/meta-security/recipes-scanners/arpwatch/files/arpwatch.conf23
-rw-r--r--external/meta-security/recipes-scanners/arpwatch/files/arpwatch.default7
-rw-r--r--external/meta-security/recipes-scanners/arpwatch/files/arpwatch_init123
-rw-r--r--external/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch21
-rw-r--r--external/meta-security/recipes-scanners/arpwatch/files/postfix_workaround.patch91
-rw-r--r--external/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb (renamed from external/meta-security/recipes-security/buck-security/buck-security_0.7.bb)50
-rw-r--r--external/meta-security/recipes-scanners/checksec/checksec_2.1.0.bb19
-rw-r--r--external/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb (renamed from external/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb)5
-rw-r--r--external/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch23
-rw-r--r--external/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch (renamed from external/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch)0
-rw-r--r--external/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb (renamed from external/meta-security/recipes-security/clamav/clamav_0.99.4.bb)118
-rw-r--r--external/meta-security/recipes-scanners/clamav/files/clamav-freshclam.service (renamed from external/meta-security/recipes-security/clamav/files/clamav-freshclam.service)0
-rw-r--r--external/meta-security/recipes-scanners/clamav/files/clamav-milter.conf.sample (renamed from external/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample)0
-rw-r--r--external/meta-security/recipes-scanners/clamav/files/clamav.service (renamed from external/meta-security/recipes-security/clamav/files/clamav.service)0
-rw-r--r--external/meta-security/recipes-scanners/clamav/files/clamd.conf (renamed from external/meta-security/recipes-security/clamav/files/clamd.conf)0
-rw-r--r--external/meta-security/recipes-scanners/clamav/files/freshclam-native.conf224
-rw-r--r--external/meta-security/recipes-scanners/clamav/files/freshclam.conf (renamed from external/meta-security/recipes-security/clamav/files/freshclam.conf)0
-rw-r--r--external/meta-security/recipes-scanners/clamav/files/tmpfiles.clamav3
-rw-r--r--external/meta-security/recipes-scanners/clamav/files/volatiles.03_clamav (renamed from external/meta-security/recipes-security/clamav/files/volatiles.03_clamav)0
-rw-r--r--external/meta-security/recipes-scanners/rootkits/chkrootkit_0.53.bb48
-rw-r--r--external/meta-security/recipes-security/bastille/bastille_3.2.1.bb6
-rwxr-xr-xexternal/meta-security/recipes-security/bastille/files/set_required_questions.py4
-rw-r--r--external/meta-security/recipes-security/checksec/checksec_1.5.bb18
-rw-r--r--external/meta-security/recipes-security/checksec/files/checksec.sh882
-rw-r--r--external/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb5
-rw-r--r--external/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch32
-rw-r--r--external/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch28
-rw-r--r--external/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch2527
-rwxr-xr-xexternal/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py1
-rw-r--r--external/meta-security/recipes-security/fail2ban/files/initd8
-rw-r--r--external/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb4
-rw-r--r--external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb4
-rw-r--r--external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb (renamed from external/meta-security/recipes-security/fail2ban/python-fail2ban.inc)36
-rw-r--r--external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb (renamed from external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.05.bb)9
-rw-r--r--external/meta-security/recipes-security/images/security-client-image.bb3
-rw-r--r--external/meta-security/recipes-security/images/security-server-image.bb3
-rw-r--r--external/meta-security/recipes-security/images/security-test-image.bb33
-rw-r--r--external/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch42
-rw-r--r--external/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch41
-rw-r--r--external/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch28
-rwxr-xr-xexternal/meta-security/recipes-security/keyutils/files/run-ptest3
-rw-r--r--external/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb47
-rw-r--r--external/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb (renamed from external/meta-security/recipes-security/libmspack/libmspack_0.5.bb)10
-rw-r--r--external/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb (renamed from external/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb)6
-rw-r--r--external/meta-security/recipes-security/ncrack/ncrack_0.7.bb18
-rw-r--r--external/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch106
-rw-r--r--external/meta-security/recipes-security/nikto/files/location.patch32
-rw-r--r--external/meta-security/recipes-security/nikto/nikto_2.1.5.bb108
-rw-r--r--external/meta-security/recipes-security/nikto/nikto_2.1.6.bb118
-rw-r--r--external/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb28
-rw-r--r--external/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb25
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch51
-rw-r--r--external/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb20
-rw-r--r--[-rwxr-xr-x]external/meta-security/recipes-security/scapy/files/run-ptest2
-rw-r--r--external/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb6
-rw-r--r--external/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb4
-rw-r--r--external/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb (renamed from external/meta-security/recipes-security/scapy/python-scapy.inc)20
-rw-r--r--external/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch25
-rw-r--r--external/meta-security/recipes-security/sssd/files/volatiles.99_sssd1
-rw-r--r--external/meta-security/recipes-security/sssd/sssd_1.16.3.bb73
-rw-r--r--external/meta-security/recipes-security/sssd/sssd_1.16.4.bb124
-rw-r--r--external/meta-security/recipes-security/suricata/files/emerging.rules.tar.gzbin2252393 -> 0 bytes
-rw-r--r--external/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch67
-rw-r--r--external/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch26
-rw-r--r--external/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch40
-rwxr-xr-xexternal/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest85
-rw-r--r--external/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch30
-rw-r--r--external/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb56
-rw-r--r--external/meta-security/wic/beaglebone-yocto-verity.wks.in15
280 files changed, 11063 insertions, 2338 deletions
diff --git a/external/meta-security/README b/external/meta-security/README
index e238271a..f223feef 100644
--- a/external/meta-security/README
+++ b/external/meta-security/README
@@ -24,6 +24,11 @@ This layer depends on:
revision: HEAD
prio: default
+ URI: git://git.openembedded.org/meta-openembedded/meta-python
+ branch: master
+ revision: HEAD
+ prio: default
+
URI: git://git.openembedded.org/meta-openembedded/meta-networking
branch: master
revision: HEAD
@@ -52,13 +57,21 @@ other layers needed. e.g.:
Maintenance
-----------
-Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@lists.yoctoproject.org
+$ git config format.subjectPrefix meta-security][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+For pull requests, please use create-pull-request and send-pull-request.
Maintainers: Armin Kuster <akuster808@gmail.com>
- Saul Wold <sgw@linux.intel.com>
License
diff --git a/external/meta-security/classes/dm-verity-img.bbclass b/external/meta-security/classes/dm-verity-img.bbclass
new file mode 100644
index 00000000..1c0e29b6
--- /dev/null
+++ b/external/meta-security/classes/dm-verity-img.bbclass
@@ -0,0 +1,88 @@
+# SPDX-License-Identifier: MIT
+#
+# Copyright (C) 2020 BayLibre SAS
+# Author: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+#
+# This bbclass allows creating of dm-verity protected partition images. It
+# generates a device image file with dm-verity hash data appended at the end
+# plus the corresponding .env file containing additional information needed
+# to mount the image such as the root hash in the form of ell variables. To
+# assure data integrity, the root hash must be stored in a trusted location
+# or cryptographically signed and verified.
+#
+# Usage:
+# DM_VERITY_IMAGE = "core-image-full-cmdline" # or other image
+# DM_VERITY_IMAGE_TYPE = "ext4" # or ext2, ext3 & btrfs
+# IMAGE_CLASSES += "dm-verity-img"
+#
+# The resulting image can then be used to implement the device mapper block
+# integrity checking on the target device.
+
+# Process the output from veritysetup and generate the corresponding .env
+# file. The output from veritysetup is not very machine-friendly so we need to
+# convert it to some better format. Let's drop the first line (doesn't contain
+# any useful info) and feed the rest to a script.
+process_verity() {
+ local ENV="$OUTPUT.env"
+
+ # Each line contains a key and a value string delimited by ':'. Read the
+ # two parts into separate variables and process them separately. For the
+ # key part: convert the names to upper case and replace spaces with
+ # underscores to create correct shell variable names. For the value part:
+ # just trim all white-spaces.
+ IFS=":"
+ while read KEY VAL; do
+ echo -ne "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g' >> $ENV
+ echo -ne "=" >> $ENV
+ echo "$VAL" | tr -d " \t" >> $ENV
+ done
+
+ # Add partition size
+ echo "DATA_SIZE=$SIZE" >> $ENV
+
+ ln -sf $ENV ${IMAGE_BASENAME}-${MACHINE}.$TYPE.verity.env
+}
+
+verity_setup() {
+ local TYPE=$1
+ local INPUT=${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.$TYPE
+ local SIZE=$(stat --printf="%s" $INPUT)
+ local OUTPUT=$INPUT.verity
+
+ cp -a $INPUT $OUTPUT
+
+ # Let's drop the first line of output (doesn't contain any useful info)
+ # and feed the rest to another function.
+ veritysetup --data-block-size=1024 --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity
+}
+
+VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity"
+IMAGE_TYPES += "${VERITY_TYPES}"
+CONVERSIONTYPES += "verity"
+CONVERSION_CMD_verity = "verity_setup ${type}"
+CONVERSION_DEPENDS_verity = "cryptsetup-native"
+
+python __anonymous() {
+ verity_image = d.getVar('DM_VERITY_IMAGE')
+ verity_type = d.getVar('DM_VERITY_IMAGE_TYPE')
+ image_fstypes = d.getVar('IMAGE_FSTYPES')
+ pn = d.getVar('PN')
+
+ if verity_image != pn:
+ return # This doesn't concern this image
+
+ if not verity_image or not verity_type:
+ bb.warn('dm-verity-img class inherited but not used')
+ return
+
+ if len(verity_type.split()) is not 1:
+ bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type')
+
+ d.appendVar('IMAGE_FSTYPES', ' %s.verity' % verity_type)
+
+ # If we're using wic: we'll have to use partition images and not the rootfs
+ # source plugin so add the appropriate dependency.
+ if 'wic' in image_fstypes:
+ dep = ' %s:do_image_%s' % (pn, verity_type)
+ d.appendVarFlag('do_image_wic', 'depends', dep)
+}
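Review bot: `len(verity_type.split()) is not 1` in the anonymous python block compares an int with `is not`, which only works because CPython caches small ints and is reported as a SyntaxWarning on newer interpreters; it should read `if len(verity_type.split()) != 1:`. Separately, process_verity writes every line of `$ENV` with `>>` and nothing truncates that file first, while `cp -a $INPUT $OUTPUT` recreates only the image: if a stale `.env` from an earlier build is still present, the new key/value lines (including the root hash) are appended after the old ones, so a `rm -f $ENV` at the top of process_verity would make the output deterministic. Also, because `verity_image != pn` returns before the `not verity_image` check, the "inherited but not used" warning can only fire for a missing DM_VERITY_IMAGE_TYPE, never for a missing DM_VERITY_IMAGE; reordering the two checks would make the warning reachable.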
diff --git a/external/meta-security/conf/distro/include/maintainers.inc b/external/meta-security/conf/distro/include/maintainers.inc
new file mode 100644
index 00000000..7b82ef74
--- /dev/null
+++ b/external/meta-security/conf/distro/include/maintainers.inc
@@ -0,0 +1,57 @@
+# meta-securiyt Maintainers File
+#
+# This file contains a list of recipe maintainers.
+#
+# Please submit any patches against recipes in meta to the
+# Yocto mail list (yocto@yoctoproject.org)
+#
+# If you have problems with or questions about a particular recipe, feel
+# free to contact the maintainer directly (cc:ing the appropriate mailing list
+# puts it in the archive and helps other people who might have the same
+# questions in the future), but please try to do the following first:
+#
+# - look in the Yocto Project Bugzilla
+# (http://bugzilla.yoctoproject.org/) to see if a problem has
+# already been reported
+#
+# The format is as a bitbake variable override for each recipe
+#
+# RECIPE_MAINTAINER_pn-<recipe name> = "Full Name <address@domain>"
+#
+# Please keep this list in alphabetical order.
+RECIPE_MAINTAINER_pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-apparmor = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-bastille = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-buck-security = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ccs-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-checksec = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-checksecurity = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-clamav = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ding-libs = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ecryptfs-utils = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-fscryptctl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-google-authenticator-libpam = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-hash-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-isic = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-keyutils = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libaes-siv = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libgssglue = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libhtp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libmhash = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libmspack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-lib-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libseccomp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libwhisker2-perl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ncrack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-nikto = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-paxctl = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python3-fail2ban = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python3-scapy = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python-fail2ban = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-python-scapy = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-redhat-security = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-samhain = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-smack = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-sssd = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-suricata = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tripwire = "Armin Kuster <akuster808@gmail.com>"
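Review bot: The header comment of this new file directs patches to `yocto@yoctoproject.org`, while the README hunk in this same commit moves the list address to yocto@lists.yoctoproject.org; the two should agree, i.e. `# Yocto mail list (yocto@lists.yoctoproject.org)`. The first line also misspells the layer name and should read `# meta-security Maintainers File`.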
diff --git a/external/meta-security/conf/layer.conf b/external/meta-security/conf/layer.conf
index 19e647e7..2c3bd965 100644
--- a/external/meta-security/conf/layer.conf
+++ b/external/meta-security/conf/layer.conf
@@ -9,8 +9,6 @@ BBFILE_COLLECTIONS += "security"
BBFILE_PATTERN_security = "^${LAYERDIR}/"
BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "thud"
+LAYERSERIES_COMPAT_security = "dunfell"
LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
-
-DEFAULT_TEST_SUITES_pn-security-build-image = " ${PTESTTESTSUITE}"
diff --git a/external/meta-security/lib/oeqa/runtime/cases/apparmor.py b/external/meta-security/lib/oeqa/runtime/cases/apparmor.py
new file mode 100644
index 00000000..b6a9537e
--- /dev/null
+++ b/external/meta-security/lib/oeqa/runtime/cases/apparmor.py
@@ -0,0 +1,46 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class ApparmorTest(OERuntimeTestCase):
+
+ @OEHasPackage(['apparmor'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_apparmor_help(self):
+ status, output = self.target.run('aa-status --help')
+ msg = ('apparmor command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['apparmor.ApparmorTest.test_apparmor_help'])
+ def test_apparmor_aa_status(self):
+ status, output = self.target.run('aa-status')
+ match = re.search('apparmor module is loaded.', output)
+ if not match:
+ msg = ('aa-status failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_status'])
+ def test_apparmor_aa_complain(self):
+ status, output = self.target.run('aa-complain /etc/apparmor.d/*')
+ match = re.search('apparmor module is loaded.', output)
+ if not match:
+ msg = ('aa-complain failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_complain'])
+ def test_apparmor_aa_enforce(self):
+ status, output = self.target.run('aa-enforce /etc/apparmor.d/*')
+ match = re.search('apparmor module is loaded.', output)
+ if not match:
+ msg = ('aa-enforce failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
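Review bot: In test_apparmor_aa_status, test_apparmor_aa_complain and test_apparmor_aa_enforce the `self.assertEqual(status, 0, ...)` sits inside `if not match:`, so when the output contains the searched phrase the exit status is never checked, and when it does not, only the exit status is checked — the regex match itself is never asserted, and a command that fails with a matching message passes. The same guard pattern recurs in checksec.py (test_checksec_fortify, which additionally expects status 1 inside the guard), clamav.py (test_freshclam_check_mirrors and test_freshclam_download, also expecting 1) and samhain.py (test_samhain_init_db, test_samhain_db_check). Assert both unconditionally, e.g. `self.assertEqual(status, 0, msg=msg)` followed by `self.assertTrue(match, msg=msg)`. The search string 'apparmor module is loaded.' in the aa-complain and aa-enforce tests also appears to be copied from the aa-status test; it is unlikely to appear in the output of those two commands, so the expected pattern should be confirmed against their real output.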
diff --git a/external/meta-security/lib/oeqa/runtime/cases/checksec.py b/external/meta-security/lib/oeqa/runtime/cases/checksec.py
new file mode 100644
index 00000000..e46744c6
--- /dev/null
+++ b/external/meta-security/lib/oeqa/runtime/cases/checksec.py
@@ -0,0 +1,34 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class CheckSecTest(OERuntimeTestCase):
+
+ @OEHasPackage(['checksec'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_checksec_help(self):
+ status, output = self.target.run('checksec --help ')
+ msg = ('checksec command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['checksec.CheckSecTest.test_checksec_help'])
+ def test_checksec_xml(self):
+ status, output = self.target.run('checksec --format xml --proc-all')
+ msg = ('checksec xml failed. Output: %s' % output)
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['checksec.CheckSecTest.test_checksec_xml'])
+ @OEHasPackage(['binutils'])
+ def test_checksec_fortify(self):
+ status, output = self.target.run('checksec --fortify-proc 1')
+ match = re.search('FORTIFY_SOURCE support:', output)
+ if not match:
+ msg = ('checksec : fortify-proc failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 1, msg = msg)
diff --git a/external/meta-security/lib/oeqa/runtime/cases/clamav.py b/external/meta-security/lib/oeqa/runtime/cases/clamav.py
new file mode 100644
index 00000000..cf839373
--- /dev/null
+++ b/external/meta-security/lib/oeqa/runtime/cases/clamav.py
@@ -0,0 +1,68 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+from tempfile import mkstemp
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class ClamavTest(OERuntimeTestCase):
+
+ @classmethod
+ def setUpClass(cls):
+ cls.tmp_fd, cls.tmp_path = mkstemp()
+ with os.fdopen(cls.tmp_fd, 'w') as f:
+ # use gooled public dns
+ f.write("nameserver 8.8.8.8")
+ f.write(os.linesep)
+ f.write("nameserver 8.8.4.4")
+ f.write(os.linesep)
+ f.write("nameserver 127.0.0.1")
+ f.write(os.linesep)
+
+ @classmethod
+ def tearDownClass(cls):
+ os.remove(cls.tmp_path)
+
+ @OEHasPackage(['clamav'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_freshclam_help(self):
+ status, output = self.target.run('freshclam --help ')
+ msg = ('freshclam --hlep command does not work as expected. ',
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['clamav.ClamavTest.test_freshclam_help'])
+ @OEHasPackage(['openssh-scp', 'dropbear'])
+ def test_ping_clamav_net(self):
+ dst = '/etc/resolv.conf'
+ self.tc.target.run('rm -f %s' % dst)
+ (status, output) = self.tc.target.copyTo(self.tmp_path, dst)
+ msg = 'File could not be copied. Output: %s' % output
+ self.assertEqual(status, 0, msg=msg)
+
+ status, output = self.target.run('ping -c 1 database.clamav.net')
+ msg = ('ping database.clamav.net failed: output is:\n%s' % output)
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net'])
+ def test_freshclam_check_mirrors(self):
+ status, output = self.target.run('freshclam --list-mirrors')
+ match = re.search('Failures: 0', output)
+ if not match:
+ msg = ('freshclam --list-mirrors: failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 1, msg = msg)
+
+ @OETestDepends(['clamav.ClamavTest.test_freshclam_check_mirrors'])
+ def test_freshclam_download(self):
+ status, output = self.target.run('freshclam --show-progress')
+ match = re.search('Database updated', output)
+ #match = re.search('main.cvd is up to date', output)
+ if not match:
+ msg = ('freshclam : DB dowbload failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 1, msg = msg)
+
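Review bot: setUpClass and tearDownClass call `os.fdopen`, `os.linesep` and `os.remove`, but the file imports only `re` and `mkstemp`, so class setup raises NameError before any test runs; add `import os` next to `import re`. In test_freshclam_help the trailing comma after the first string of the `msg = (...)` expression makes `msg` a two-element tuple rather than one concatenated string, so the failure message would print as a tuple. test_ping_clamav_net also deletes the target's /etc/resolv.conf and replaces it with the generated file without restoring it afterwards; a sentence in the test docstring saying that the image's resolver configuration is overwritten for the rest of the run would help the next maintainer.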
diff --git a/external/meta-security/lib/oeqa/runtime/cases/samhain.py b/external/meta-security/lib/oeqa/runtime/cases/samhain.py
new file mode 100644
index 00000000..5043a38c
--- /dev/null
+++ b/external/meta-security/lib/oeqa/runtime/cases/samhain.py
@@ -0,0 +1,43 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+import os
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class SamhainTest(OERuntimeTestCase):
+
+ @OEHasPackage(['samhain-standalone'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_samhain_help(self):
+ machine = self.td.get('MACHINE', '')
+ status, output = self.target.run('echo "127.0.0.1 %s.localdomain %s" >> /etc/hosts' % (machine, machine))
+ msg = ("samhain can't append hosts. "
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ status, output = self.target.run('samhain --help')
+ msg = ('samhain command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['samhain.SamhainTest.test_samhain_help'])
+ def test_samhain_init_db(self):
+ status, output = self.target.run('samhain -t init')
+ match = re.search('FAILED: 0 ', output)
+ if not match:
+ msg = ('samhain database init had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['samhain.SamhainTest.test_samhain_init_db'])
+ def test_samhain_db_check(self):
+ status, output = self.target.run('samhain -t check')
+ match = re.search('FAILED: 0 ', output)
+ if not match:
+ msg = ('samhain errors found in db. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
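Review bot: test_samhain_help appends a `127.0.0.1 <machine>.localdomain <machine>` line to /etc/hosts with `>>` on every run, so repeated runs against a persistent image accumulate duplicate entries; guarding the write, e.g. `grep -q "%s.localdomain" /etc/hosts || echo "..." >> /etc/hosts`, keeps it idempotent. A comment stating why the hosts entry is needed before `samhain --help` would also help, since nothing in the file explains it.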
diff --git a/external/meta-security/lib/oeqa/runtime/cases/smack.py b/external/meta-security/lib/oeqa/runtime/cases/smack.py
new file mode 100644
index 00000000..35e87ef3
--- /dev/null
+++ b/external/meta-security/lib/oeqa/runtime/cases/smack.py
@@ -0,0 +1,529 @@
+import unittest
+import re
+import os
+import string
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+
+MAX_LABEL_LEN = 255
+LABEL = "a" * MAX_LABEL_LEN
+
+class SmackBasicTest(OERuntimeTestCase):
+ ''' base smack test '''
+
+ @classmethod
+ def setUpClass(cls):
+ cls.smack_path = ""
+ cls.current_label = ""
+ cls.uid = 1000
+
+ @skipIfNotFeature('smack',
+ 'Test requires smack to be in DISTRO_FEATURES')
+ @OEHasPackage(['smack-test'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_smack_basic(self):
+ status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
+ self.smack_path = output
+ status,output = self.target.run("cat /proc/self/attr/current")
+ self.current_label = output.strip()
+
+class SmackAccessLabel(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_add_access_label(self):
+ ''' Test if chsmack can correctly set a SMACK label '''
+ filename = "/tmp/test_access_label"
+ self.target.run("touch %s" %filename)
+ status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename))
+ self.assertEqual(
+ status, 0,
+ "Cannot set smack access label. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %filename)
+ self.target.run("rm %s" %filename)
+ m = re.search('(?<=access=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find access attribute")
+ else:
+ label_retrieved = m .group(0)
+ self.assertEqual(
+ LABEL, label_retrieved,
+ "label not set correctly. expected and gotten: "
+ "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackExecLabel(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_add_exec_label(self):
+ '''Test if chsmack can correctly set a SMACK Exec label'''
+ filename = "/tmp/test_exec_label"
+ self.target.run("touch %s" %filename)
+ status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename))
+ self.assertEqual(
+ status, 0,
+ "Cannot set smack exec label. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %filename)
+ self.target.run("rm %s" %filename)
+ m= re.search('(?<=execute=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find execute attribute")
+ else:
+ label_retrieved = m.group(0)
+ self.assertEqual(
+ LABEL, label_retrieved,
+ "label not set correctly. expected and gotten: " +
+ "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackMmapLabel(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_add_mmap_label(self):
+ '''Test if chsmack can correctly set a SMACK mmap label'''
+ filename = "/tmp/test_exec_label"
+ self.target.run("touch %s" %filename)
+ status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename))
+ self.assertEqual(
+ status, 0,
+ "Cannot set smack mmap label. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %filename)
+ self.target.run("rm %s" %filename)
+ m = re.search('(?<=mmap=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find mmap attribute")
+ else:
+ label_retrieved = m.group(0)
+ self.assertEqual(
+ LABEL, label_retrieved,
+ "label not set correctly. expected and gotten: " +
+ "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackTransmutable(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_add_transmutable(self):
+ '''Test if chsmack can correctly set a SMACK transmutable mode'''
+
+ directory = "~/test_transmutable"
+ self.target.run("mkdir -p %s" %directory)
+ status, output = self.target.run("chsmack -t %s" %directory)
+ self.assertEqual(status, 0, "Cannot set smack transmutable. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %directory)
+ self.target.run("rmdir %s" %directory)
+ m = re.search('(?<=transmute=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find transmute attribute")
+ else:
+ label_retrieved = m.group(0)
+ self.assertEqual(
+ "TRUE", label_retrieved,
+ "label not set correctly. expected and gotten: " +
+ "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackChangeSelfLabelPrivilege(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_privileged_change_self_label(self):
+ '''Test if privileged process (with CAP_MAC_ADMIN privilege)
+ can change its label.
+ '''
+
+ labelf = "/proc/self/attr/current"
+ command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+
+ status, output = self.target.run(
+ "notroot.py 0 %s %s" %(self.current_label, command))
+
+ self.assertIn("PRIVILEGED", output,
+ "Privilege process did not change label.Output: %s" %output)
+
+class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_unprivileged_change_self_label(self):
+ '''Test if unprivileged process (without CAP_MAC_ADMIN privilege)
+ cannot change its label'''
+
+ command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
+ status, output = self.target.run(
+ "notroot.py %d %s %s"
+ %(self.uid, self.current_label, command) +
+ " 2>&1 | grep 'Operation not permitted'" )
+
+ self.assertEqual(
+ status, 0,
+ "Unprivileged process should not be able to change its label")
+
+
+class SmackChangeFileLabelPrivilege(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_unprivileged_change_file_label(self):
+ '''Test if unprivileged process cannot change file labels'''
+
+ status, chsmack = self.target.run("which chsmack")
+ status, touch = self.target.run("which touch")
+ filename = "/tmp/test_unprivileged_change_file_label"
+
+ self.target.run("touch %s" % filename)
+ self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
+ status, output = self.target.run(
+ "notroot.py " +
+ "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
+ "| grep 'Operation not permitted'" )
+
+ self.target.run("rm %s" % filename)
+ self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename)
+
+class SmackLoadRule(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_load_smack_rule(self):
+ '''Test if new smack access rules can be loaded'''
+
+ # old 23 character format requires special spaces formatting
+ # 12345678901234567890123456789012345678901234567890123
+ ruleA="TheOne TheOther rwxat"
+ ruleB="TheOne TheOther r----"
+ clean="TheOne TheOther -----"
+ modeA = "rwxat"
+ modeB = "r"
+
+ status, output = self.target.run('echo -n "%s" > %s/load' %(ruleA, self.smack_path))
+ status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
+ self.assertEqual(status, 0, "Rule A was not added")
+ mode = list(filter(bool, output.split(" ")))[2].strip()
+ self.assertEqual( mode, modeA, "Mode A was not set correctly; mode: %s" %mode)
+
+ status, output = self.target.run( 'echo -n "%s" > %s/load' %(ruleB, self.smack_path))
+ status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
+ mode = list(filter(bool, output.split(" ")))[2].strip()
+ self.assertEqual( mode, modeB, "Mode B was not set correctly; mode: %s" %mode)
+
+ self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path))
+
+
+class SmackOnlycap(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_onlycap(self):
+ '''Test if smack onlycap label can be set
+
+ test needs to change the running label of the current process,
+ so whole test takes places on image
+ '''
+ status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh")
+ self.assertEqual(status, 0, output)
+
+class SmackNetlabel(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_netlabel(self):
+
+ test_label="191.191.191.191 TheOne"
+ expected_label="191.191.191.191/32 TheOne"
+
+ status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
+ self.assertEqual( status, 0, "Netlabel /32 could not be set. Output: %s" %output)
+
+ status, output = self.target.run("cat %s/netlabel" %self.smack_path)
+ self.assertIn( expected_label, output, "Did not find expected label in output: %s" %output)
+
+ test_label="253.253.253.0/24 TheOther"
+ status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
+ self.assertEqual( status, 0, "Netlabel /24 could not be set. Output: %s" %output)
+
+ status, output = self.target.run("cat %s/netlabel" %self.smack_path)
+ self.assertIn(
+ test_label, output,
+ "Did not find expected label in output: %s" %output)
+
+class SmackCipso(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_cipso(self):
+ '''Test if smack cipso rules can be set'''
+ # 12345678901234567890123456789012345678901234567890123456
+ ruleA="TheOneA 2 0 "
+ ruleB="TheOneB 3 1 55 "
+ ruleC="TheOneC 4 2 17 33 "
+
+ status, output = self.target.run(
+ "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path))
+ self.assertEqual(status, 0,
+ "Could not set cipso label A. Ouput: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep '^TheOneA'" %self.smack_path)
+ self.assertEqual(status, 0, "Cipso rule A was not set")
+ self.assertIn(" 2", output, "Rule A was not set correctly")
+
+ status, output = self.target.run(
+ "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path))
+ self.assertEqual(status, 0,
+ "Could not set cipso label B. Ouput: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep '^TheOneB'" %self.smack_path)
+ self.assertEqual(status, 0, "Cipso rule B was not set")
+ self.assertIn("/55", output, "Rule B was not set correctly")
+
+ status, output = self.target.run(
+ "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path))
+ self.assertEqual(
+ status, 0,
+ "Could not set cipso label C. Ouput: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep '^TheOneC'" %self.smack_path)
+ self.assertEqual(status, 0, "Cipso rule C was not set")
+ self.assertIn("/17,33", output, "Rule C was not set correctly")
+
+class SmackDirect(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_direct(self):
+ status, initial_direct = self.target.run(
+ "cat %s/direct" %self.smack_path)
+
+ test_direct="17"
+ status, output = self.target.run(
+ "echo '%s' > %s/direct" %(test_direct, self.smack_path))
+ self.assertEqual(status, 0 ,
+ "Could not set smack direct. Output: %s" %output)
+ status, new_direct = self.target.run("cat %s/direct" %self.smack_path)
+ # initial label before checking
+ status, output = self.target.run(
+ "echo '%s' > %s/direct" %(initial_direct, self.smack_path))
+ self.assertEqual(
+ test_direct, new_direct.strip(),
+ "Smack direct label does not match.")
+
+
+class SmackAmbient(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_ambient(self):
+ test_ambient = "test_ambient"
+ status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path)
+ status, output = self.target.run(
+ "echo '%s' > %s/ambient" %(test_ambient, self.smack_path))
+ self.assertEqual(status, 0,
+ "Could not set smack ambient. Output: %s" %output)
+
+ status, output = self.target.run("cat %s/ambient" %self.smack_path)
+ # Filter '\x00', which is sometimes added to the ambient label
+ new_ambient = ''.join(filter(lambda x: x in string.printable, output))
+ initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient))
+ status, output = self.target.run(
+ "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path))
+ self.assertEqual(
+ test_ambient, new_ambient.strip(),
+ "Ambient label does not match")
+
+
+class SmackloadBinary(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smackload(self):
+ '''Test if smackload command works'''
+ rule="testobject testsubject rwx"
+
+ status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule)
+ status, output = self.target.run("smackload /tmp/rules")
+ self.assertEqual( status, 0, "Smackload failed to load rule. Output: %s" %output)
+
+ status, output = self.target.run( "cat %s/load | grep '%s'" %(self.smack_path, rule))
+ self.assertEqual(status, 0, "Smackload rule was loaded correctly")
+
+
+class SmackcipsoBinary(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smackcipso(self):
+ '''Test if smackcipso command works'''
+ # 12345678901234567890123456789012345678901234567890123456
+ rule="cipsolabel 2 2 "
+
+ status, output = self.target.run("echo '%s' | smackcipso" %rule)
+ self.assertEqual( status, 0, "Smackcipso failed to load rule. Output: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep 'cipsolabel'" %self.smack_path)
+ self.assertEqual(status, 0, "smackcipso rule was loaded correctly")
+ self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output)
+
+
+class SmackEnforceFileAccess(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_enforce_file_access(self):
+ '''Test if smack file access is enforced (rwx)
+
+ test needs to change the running label of the current process,
+ so whole test takes places on image
+ '''
+ status, output = self.target.run("sh /usr/sbin/smack_test_file_access.sh")
+ self.assertEqual(status, 0, output)
+
+
+class SmackEnforceMmap(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_mmap_enforced(self):
+ '''Test if smack mmap access is enforced'''
+ raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
+
+ # 12345678901234567890123456789012345678901234567890123456
+ delr1="mmap_label mmap_test_label1 -----"
+ delr2="mmap_label mmap_test_label2 -----"
+ delr3="mmap_file_label mmap_test_label1 -----"
+ delr4="mmap_file_label mmap_test_label2 -----"
+
+ RuleA="mmap_label mmap_test_label1 rw---"
+ RuleB="mmap_label mmap_test_label2 r--at"
+ RuleC="mmap_file_label mmap_test_label1 rw---"
+ RuleD="mmap_file_label mmap_test_label2 rwxat"
+
+ mmap_label="mmap_label"
+ file_label="mmap_file_label"
+ test_file = "/usr/sbin/smack_test_mmap"
+ mmap_exe = "/tmp/mmap_test"
+ status, echo = self.target.run("which echo")
+ status, output = self.target.run(
+ "notroot.py %d %s %s 'test' > %s" \
+ %(self.uid, self.current_label, echo, test_file))
+ status, output = self.target.run("ls %s" %test_file)
+ self.assertEqual(status, 0, "Could not create mmap test file")
+ self.target.run("chsmack -m %s %s" %(file_label, test_file))
+ self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
+
+ # test with no rules with mmap label or exec label as subject
+ # access should be granted
+ self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
+ self.assertEqual(
+ status, 0,
+ "Should have mmap access without rules. Output: %s" %output)
+
+ # add rules that do not match access required
+ self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
+ self.assertNotEqual(
+ status, 0,
+ "Should not have mmap access with unmatching rules. " +
+ "Output: %s" %output)
+ self.assertIn(
+ "Permission denied", output,
+ "Mmap access should be denied with unmatching rules")
+
+ # add rule to match only partially (one way)
+ self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
+ self.assertNotEqual(
+ status, 0,
+ "Should not have mmap access with partial matching rules. " +
+ "Output: %s" %output)
+ self.assertIn(
+ "Permission denied", output,
+ "Mmap access should be denied with partial matching rules")
+
+ # add rule to match fully
+ self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
+ self.assertEqual(
+ status, 0,
+ "Should have mmap access with full matching rules." +
+ "Output: %s" %output)
+
+
+class SmackEnforceTransmutable(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_transmute_dir(self):
+ '''Test if smack transmute attribute works
+
+ test needs to change the running label of the current process,
+ so whole test takes places on image
+ '''
+ test_dir = "/tmp/smack_transmute_dir"
+ label="transmute_label"
+ status, initial_label = self.target.run("cat /proc/self/attr/current")
+
+ self.target.run("mkdir -p %s" % test_dir)
+ self.target.run("chsmack -a %s %s" % (label, test_dir))
+ self.target.run("chsmack -t %s" % test_dir)
+ self.target.run("echo -n '%s %s rwxat' | smackload" %(initial_label, label) )
+
+ self.target.run("touch %s/test" % test_dir)
+ status, output = self.target.run("chsmack %s/test" % test_dir)
+ self.assertIn( 'access="%s"' %label, output,
+ "Did not get expected label. Output: %s" % output)
+
+
+class SmackTcpSockets(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_tcp_sockets(self):
+ '''Test if smack is enforced on tcp sockets
+
+ whole test takes places on image, depends on tcp_server/tcp_client'''
+
+ status, output = self.target.run("sh /usr/sbin/test_smack_tcp_sockets.sh")
+ self.assertEqual(status, 0, output)
+
+
+class SmackUdpSockets(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_udp_sockets(self):
+ '''Test if smack is enforced on udp sockets
+
+ whole test takes places on image, depends on udp_server/udp_client'''
+
+ status, output = self.target.run("sh /usr/sbin/test_smack_udp_sockets.sh")
+ self.assertEqual(status, 0, output)
+
+
+class SmackFileLabels(SmackBasicTest):
+
+ @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+ def test_smack_labels(self):
+ '''Check for correct Smack labels.'''
+ expected = '''
+/tmp/ access="*"
+/etc/ access="System::Shared" transmute="TRUE"
+/etc/passwd access="System::Shared"
+/etc/terminfo access="System::Shared" transmute="TRUE"
+/etc/skel/ access="System::Shared" transmute="TRUE"
+/etc/skel/.profile access="System::Shared"
+/var/log/ access="System::Log" transmute="TRUE"
+/var/tmp/ access="*"
+'''
+ files = ' '.join([x.split()[0] for x in expected.split('\n') if x])
+ files_wildcard = ' '.join([x + '/*' for x in files.split()])
+ # Auxiliary information.
+ status, output = self.target.run(
+ 'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % (
+ ' '.join([x.rstrip('/') for x in files.split()]), files, files
+ )
+ )
+ msg = "File status:\n" + output
+ status, output = self.target.run('chsmack %s' % files)
+ self.assertEqual(
+ status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg))
+ self.longMessage = True
+ self.maxDiff = None
+ self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg)
diff --git a/external/meta-security/lib/oeqa/runtime/cases/sssd.py b/external/meta-security/lib/oeqa/runtime/cases/sssd.py
new file mode 100644
index 00000000..46448362
--- /dev/null
+++ b/external/meta-security/lib/oeqa/runtime/cases/sssd.py
@@ -0,0 +1,37 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class SSSDTest(OERuntimeTestCase):
+
+ @OEHasPackage(['sssd'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_sssd_help(self):
+ status, output = self.target.run('sssctl --help')
+ msg = ('sssctl command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 1, msg = msg)
+
+ @OETestDepends(['sssd.SSSDTest.test_sssd_help'])
+ def test_sssd_sssctl_conf_perms_chk(self):
+ status, output = self.target.run('sssctl domain-status')
+ match = re.search('ConfDB initialization has failed', output)
+ if match:
+ msg = ('sssctl domain-status failed, check sssd.conf perms. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk'])
+ def test_sssd_sssctl_deamon(self):
+ status, output = self.target.run('sssctl domain-status')
+ match = re.search('No domains configured, fatal error!', output)
+ if match:
+ msg = ('sssctl domain-status failed, sssd.conf not setup correctly. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
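Review bot: In test_sssd_sssctl_conf_perms_chk and test_sssd_sssctl_deamon the `self.assertEqual(status, 0, msg = msg)` is nested under `if match:`, so a nonzero exit from `sssctl domain-status` with any other error text passes silently; the regex should only choose the diagnostic, not gate the check. Keep the match for the message and assert at method level, e.g. `msg = ('sssctl domain-status failed, check sssd.conf perms. ' if match else 'sssctl domain-status failed. ') + 'Status and output:%s and %s' % (status, output)` followed by `self.assertEqual(status, 0, msg=msg)`. The name `test_sssd_sssctl_deamon` misspells daemon; since test_sssd_sssctl_conf_perms_chk is referenced by name in OETestDepends, any rename of that kind has to update the dependency strings too.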
diff --git a/external/meta-security/lib/oeqa/runtime/cases/suricata.py b/external/meta-security/lib/oeqa/runtime/cases/suricata.py
new file mode 100644
index 00000000..7f052ecd
--- /dev/null
+++ b/external/meta-security/lib/oeqa/runtime/cases/suricata.py
@@ -0,0 +1,76 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+from tempfile import mkstemp
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class SuricataTest(OERuntimeTestCase):
+
+ @classmethod
+ def setUpClass(cls):
+ cls.tmp_fd, cls.tmp_path = mkstemp()
+ with os.fdopen(cls.tmp_fd, 'w') as f:
+ # use google public dns
+ f.write("nameserver 8.8.8.8")
+ f.write(os.linesep)
+ f.write("nameserver 8.8.4.4")
+ f.write(os.linesep)
+ f.write("nameserver 127.0.0.1")
+ f.write(os.linesep)
+
+ @classmethod
+ def tearDownClass(cls):
+ os.remove(cls.tmp_path)
+
+ @OEHasPackage(['suricata'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_suricata_help(self):
+ status, output = self.target.run('suricata --help')
+ msg = ('suricata command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 1, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_help'])
+ def test_ping_openinfosecfoundation_org(self):
+ dst = '/etc/resolv.conf'
+ self.tc.target.run('rm -f %s' % dst)
+ (status, output) = self.tc.target.copyTo(self.tmp_path, dst)
+ msg = 'File could not be copied. Output: %s' % output
+ self.assertEqual(status, 0, msg=msg)
+
+ status, output = self.target.run('ping -c 1 openinfosecfoundation.org')
+ msg = ('ping openinfosecfoundation.org failed: output is:\n%s' % output)
+ self.assertEqual(status, 0, msg = msg)
+
+ @OEHasPackage(['python3-suricata-update'])
+ @OETestDepends(['suricata.SuricataTest.test_ping_openinfosecfoundation_org'])
+ def test_suricata_update(self):
+ status, output = self.tc.target.run('suricata-update')
+ msg = ('suricata-update had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update'])
+ def test_suricata_update_sources_list(self):
+ status, output = self.tc.target.run('suricata-update list-sources')
+ msg = ('suricata-update list-sources had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources_list'])
+ def test_suricata_update_sources(self):
+ status, output = self.tc.target.run('suricata-update update-sources')
+ msg = ('suricata-update update-sources had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources'])
+ def test_suricata_update_enable_source(self):
+ status, output = self.tc.target.run('suricata-update enable-source oisf/trafficid')
+ msg = ('suricata-update enable-source oisf/trafficid had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
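Review bot: setUpClass and tearDownClass call `os.fdopen`, `os.linesep` and `os.remove`, but the module imports only `re` and `mkstemp`, so the class raises NameError before any test runs; add `import os` next to `import re` (and `re` itself is unused here). test_ping_openinfosecfoundation_org deletes the target's /etc/resolv.conf and replaces it with the generated nameserver file without ever restoring it, so every later test on that image runs with public DNS configured; either back up and restore the file in tearDownClass or state in the method docstring that the image's resolver configuration is intentionally overwritten for the remainder of the run. The suricata-update tests also require outbound network access from the target, which is worth noting in the class docstring so failures in offline CI are not mistaken for regressions.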
diff --git a/external/meta-security/lib/oeqa/runtime/cases/tripwire.py b/external/meta-security/lib/oeqa/runtime/cases/tripwire.py
new file mode 100644
index 00000000..659724d0
--- /dev/null
+++ b/external/meta-security/lib/oeqa/runtime/cases/tripwire.py
@@ -0,0 +1,47 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class TripwireTest(OERuntimeTestCase):
+
+ @OEHasPackage(['tripwire'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_tripwire_help(self):
+ status, output = self.target.run('tripwire --help')
+ msg = ('tripwire command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 8, msg = msg)
+
+ @OETestDepends(['tripwire.TripwireTest.test_tripwire_help'])
+ def test_tripwire_twinstall(self):
+ status, output = self.target.run('/etc/tripwire/twinstall.sh')
+ match = re.search('The database was successfully generated.', output)
+ if not match:
+ msg = ('/etc/tripwire/twinstall.sh failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['tripwire.TripwireTest.test_tripwire_twinstall'])
+ def test_tripwire_twadmin(self):
+ status, output = self.target.run('twadmin --create-cfgfile --cfgfile /etc/tripwire/twcfg.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twcfg.txt')
+ status, output = self.target.run('twadmin --create-polfile --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/twpol.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twpol.txt')
+ match = re.search('Wrote policy file: /etc/tripwire/twpol.enc', output)
+ if not match:
+ msg = ('twadmin --create-profile ; failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['tripwire.TripwireTest.test_tripwire_twadmin'])
+ def test_tripwire_init(self):
+ status, hostname = self.target.run('hostname')
+ status, output = self.target.run('tripwire --init --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/%s-local.key -P tripwire' % hostname)
+ match = re.search('The database was successfully generated.', output)
+ if not match:
+ msg = ('tripwire --init; Failed for host: %s. '
+ 'Status and output:%s and %s' % (hostname, status, output))
+ self.assertEqual(status, 0, msg = msg)
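Review bot: In test_tripwire_twadmin the status and output of the first `twadmin --create-cfgfile` call are overwritten by the second call before they are checked, so a failure to create twcfg.enc is only seen indirectly when the policy step then fails. Check it before moving on: `self.assertEqual(status, 0, 'twadmin --create-cfgfile failed. Status and output:%s and %s' % (status, output))`. The policy file names also look inconsistent: twadmin writes `/etc/tripwire/twpol.enc`, while test_tripwire_init passes `--polfile /etc/tripwire/tw.pol`; unless twinstall.sh already produced tw.pol, the freshly created policy is never exercised, so the intended file should be named in both places. The site and local passphrases are hard-coded as `tripwire` on the command line, which is acceptable for a throwaway test image but deserves a one-line comment saying so.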
diff --git a/external/meta-security/lib/oeqa/selftest/cases/cvechecker.py b/external/meta-security/lib/oeqa/selftest/cases/cvechecker.py
new file mode 100644
index 00000000..23ca7d22
--- /dev/null
+++ b/external/meta-security/lib/oeqa/selftest/cases/cvechecker.py
@@ -0,0 +1,27 @@
+import os
+import re
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, get_bb_var
+
+class CveCheckerTests(OESelftestTestCase):
+ def test_cve_checker(self):
+ image = "core-image-sato"
+
+ deploy_dir = get_bb_var("DEPLOY_DIR_IMAGE")
+ image_link_name = get_bb_var('IMAGE_LINK_NAME', image)
+
+ manifest_link = os.path.join(deploy_dir, "%s.cve" % image_link_name)
+
+ self.logger.info('CVE_CHECK_MANIFEST = "%s"' % manifest_link)
+ if (not 'cve-check' in get_bb_var('INHERIT')):
+ add_cve_check_config = 'INHERIT += "cve-check"'
+ self.append_config(add_cve_check_config)
+ self.append_config('CVE_CHECK_MANIFEST = "%s"' % manifest_link)
+ result = bitbake("-k -c cve_check %s" % image, ignore_status=True)
+ if (not 'cve-check' in get_bb_var('INHERIT')):
+ self.remove_config(add_cve_check_config)
+
+ isfile = os.path.isfile(manifest_link)
+ self.assertEqual(True, isfile, 'Failed to create cve data file : %s' % manifest_link)
+
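Review bot: The `'cve-check' in get_bb_var('INHERIT')` condition is evaluated twice, and after `self.append_config(add_cve_check_config)` the second query presumably already sees cve-check, in which case `remove_config` never runs and the INHERIT line leaks into later selftests; evaluate it once with `needs_inherit = 'cve-check' not in get_bb_var('INHERIT')` and use `if needs_inherit:` for both the append and the remove. The bitbake call runs with `ignore_status=True` and `result` is discarded, so a failed cve_check task only shows up as a missing manifest file; including `result.output` in the assertion message would make that diagnosable. Minor: `import re` is unused, and `self.assertEqual(True, isfile, ...)` reads better as `self.assertTrue(isfile, ...)`.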
diff --git a/external/meta-security/meta-integrity/README.md b/external/meta-security/meta-integrity/README.md
new file mode 100644
index 00000000..46079487
--- /dev/null
+++ b/external/meta-security/meta-integrity/README.md
@@ -0,0 +1,250 @@
+This README file contains information on the contents of the
+integrity layer.
+
+Please see the corresponding sections below for details.
+
+
+Dependencies
+============
+
+This layer depends on:
+
+ URI: git://git.openembedded.org/bitbake
+ branch: master
+
+ URI: git://git.openembedded.org/openembedded-core
+ layers: meta
+ branch: master
+
+ URI: git://github.com/01org/meta-security/meta-integrate
+ layers: security-framework
+ branch: master
+
+
+Patches
+=======
+
+For discussion or patch submission via email, use the
+yocto@yoctoproject.org mailing list. When submitting patches that way,
+make sure to copy the maintainer and add a "[meta-integrity]"
+prefix to the subject of the mails.
+
+Maintainer: Armin Kuster <akuster808@gmail.com>
+
+
+Table of Contents
+=================
+
+1. Adding the integrity layer to your build
+2. Usage
+3. Known Issues
+
+
+1. Adding the integrity layer to your build
+===========================================
+
+In order to use this layer, you need to make the build system aware of
+it.
+
+Assuming the security repository exists at the top-level of your
+yocto build tree, you can add it to the build system by adding the
+location of the integrity layer to bblayers.conf, along with any
+other layers needed. e.g.:
+
+ BBLAYERS ?= " \
+ /path/to/yocto/meta \
+ /path/to/yocto/meta-yocto \
+ /path/to/yocto/meta-yocto-bsp \
+ /path/to/yocto/meta-security/meta-integrity \
+ "
+
+It has some dependencies on a suitable BSP; in particular the kernel
+must have a recent enough IMA/EVM subsystem. The layer was tested with
+Linux 3.19 and uses some features (like loading X509 certificates
+directly from the kernel) which were added in that release. Your
+mileage may vary with older kernels.
+
+The necessary kernel configuration parameters are added to all kernel
+versions by this layer. Watch out for QA warnings about unused kernel
+configuration parameters: those indicate that the kernel used by the BSP
+does not have the necessary IMA/EVM features.
+
+Adding the layer only enables IMA (see below regarding EVM) during
+compilation of the Linux kernel. To also activate it when building
+the image, enable image signing in the local.conf like this:
+
+ INHERIT += "ima-evm-rootfs"
+ IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+
+This uses the default keys provided in the "data" directory of the layer.
+Because everyone has access to these private keys, such an image
+should never be used in production!
+
+For that, create your own keys first. All tools and scripts required
+for that are included in the layer. This is also how the
+``debug-keys`` were generated:
+
+ # Choose a directory for storing keys. Preserve this
+ # across builds and keep its private keys secret!
+ export IMA_EVM_KEY_DIR=/tmp/imaevm
+ mkdir -p $IMA_EVM_KEY_DIR
+ # Build the required tools.
+ bitbake openssl-native
+ # Set up shell for use of the tools.
+ bitbake -c devshell openssl-native
+ cd $IMA_EVM_KEY_DIR
+ # In that shell, create the keys. Several options exist:
+
+ # 1. Self-signed keys.
+ $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
+
+ # 2. Keys signed by a new CA.
+ # When asked for a PEM passphrase, that will be for the root CA.
+ # Signing images then will not require entering that passphrase,
+ # only creating new certificates does. Most likely the default
+ # attributes for these certificates need to be adapted; modify
+ # the scripts as needed.
+ # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
+ # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
+
+ # 3. Keys signed by an existing CA.
+ # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
+ exit
+
+When using ``ima-self-signed.sh`` as described above, self-signed keys
+are created. Alternatively, one can also use keys signed by a CA. The
+``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
+and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then
+supports adding tha CA's public key to the kernel's system keyring by
+compiling it directly into the kernel. Because it is unknown whether
+that is necessary (for example, the CA might also get added to the
+system key ring via UEFI Secure Boot), one has to enable compilation
+into the kernel explicitly in a local.conf with:
+
+ IMA_EVM_ROOT_CA = "<path to .x509 file, for example the ima-local-ca.x509 created by ima-gen-local-ca.sh>"
+
+
+
+
+To use the personal keys, override the default IMA_EVM_KEY_DIR in your
+local.conf and/or override the individual variables from
+ima-evm-rootfs.bbclass:
+
+ IMA_EVM_KEY_DIR = "<full path>"
+ IMA_EVM_PRIVKEY = "<some other path/privkey_ima.pem>"
+
+By default, the entire file system gets signed. When using a policy which
+does not require that, the set of files to be labelled can be chosen
+by overriding the default "find" expression, for example like this:
+
+ IMA_EVM_ROOTFS_FILES = "usr sbin bin lib -type f"
+
+
+2. Usage
+========
+
+After creating an image with IMA/EVM enabled, one needs to enable
+the built-in policies before IMA/EVM is active at runtime. To do this,
+add one or both of these boot parameters:
+
+ ima_tcb # measures all files read as root and all files executed
+ ima_appraise_tcb # appraises all files owned by root, beware of
+ # the known issue mentioned below
+
+Instead of booting with default policies, one can also activate custom
+policies in different ways. First, boot without any IMA policy and
+then cat a policy file into
+`/sys/kernel/security/ima/policy`. This can only be done once
+after booting and is useful for debugging.
+
+In production, the long term goal is to load a verified policy
+directly from the kernel, using a patch which still needs to be
+included upstream ("ima: load policy from the kernel",
+<https://lwn.net/Articles/595759/>).
+
+Loading via systemd also works with systemd, but is considered less
+secure (policy file is not checked before activating it). Beware that
+IMA policy loading became broken in systemd 2.18. The modified systemd
+2.19 in meta-security-smack has a patch reverting the broken
+changes. To activate policy loading via systemd, place a policy file
+in `/etc/ima/ima-policy`, for example with:
+
+ IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
+
+To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
+
+To check that appraisal works, try modifying executables and ensure
+that executing them fails:
+
+ echo "foobar" >>/usr/bin/rpm
+ evmctl ima_verify /usr/bin/rpm
+ rpm --version
+
+Depending on the current appraisal policy, the `echo` command may
+already fail because writing is not allowed. If the file was modified
+and the current appraisal policy allows reading, then `evmctl` will
+report (the errno value seems to be printed always and is unrelated to
+the actual verification failure here):
+
+ Verification failed: 35
+ errno: No such file or directory (2)
+
+After enabling a suitable IMA appraisal policy, reading and/or
+executing the file is no longer allowed:
+
+ # evmctl ima_verify /usr/bin/rpm
+ Failed to open: /usr/bin/rpm
+ errno: Permission denied (13)
+ # rpm --version
+ -sh: /usr/bin/rpm: Permission denied
+
+Enabling the audit kernel subsystem may help to debug appraisal
+issues. Enable it by adding the meta-security-framework layer and
+changing your local.conf:
+ SRC_URI_append_pn-linux-yocto = " file://audit.cfg"
+ CORE_IMAGE_EXTRA_INSTALL += "auditd"
+
+Then boot with "ima_appraise=log ima_appraise_tcb".
+
+Adding auditd is not strictly necessary but helps to capture a
+more complete set of events in /var/log/audit/ and search in
+them with ausearch.
+
+
+3. Known Issues
+===============
+
+EVM is not enabled, for multiple reasons:
+* Signing files in advance with a X509 certificate and then not having
+ any confidential keys on the device would be the most useful mode,
+ but is not supported by EVM [1].
+* EVM signing in advance would only work on the final file system and thus
+ will require further integration work with image creation. The content
+ of the files can be signed for IMA in the rootfs, with the extended
+ attributes remaining valid when copying the files to the final image.
+ But for EVM that copy operation changes relevant parameters (for example,
+ inode) and thus invalidates the EVM hash.
+* On device creation of EVM hashes depends on secure key handling on the
+ device (TPM) and booting at least once in a special mode (file system
+ writable, evm=fix as boot parameter, reboot after opening all files);
+ such a mode is too device specific to be implemented in a generic way.
+
+IMA appraisal with "ima_appraise_tcb" enables rules which are too strict
+for most distros. For example, systemd needs to write certain files
+as root, which is prevented by the ima_appraise_tcb appraise rules. As
+a result, the system fails to boot:
+
+ [FAILED] Failed to start Commit a transient machine-id on disk.
+ See "systemctl status systemd-machine-id-commit.service" for details.
+ ...
+ [FAILED] Failed to start Network Service.
+ See "systemctl status systemd-networkd.service" for details.
+ [FAILED] Failed to start Login Service.
+ See "systemctl status systemd-logind.service" for details.
+
+No package manager is integrated with IMA/EVM. When updating packages,
+files will end up getting installed without correct IMA/EVM attributes
+and thus will not be usable when appraisal is turned on.
+
+[1] http://permalink.gmane.org/gmane.comp.handhelds.tizen.devel/6281
+[2] http://permalink.gmane.org/gmane.comp.handhelds.tizen.devel/6275
diff --git a/external/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/external/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
new file mode 100644
index 00000000..d6ade3bf
--- /dev/null
+++ b/external/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -0,0 +1,92 @@
+# No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be
+# set explicitly in a local.conf before activating ima-evm-rootfs.
+# To use the insecure (because public) example keys, use
+# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
+
+# Private key for IMA signing. The default is okay when
+# using the example key directory.
+IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+
+# Public part of certificates (used for both IMA and EVM).
+# The default is okay when using the example key directory.
+IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
+
+# Root CA to be compiled into the kernel, none by default.
+# Must be the absolute path to a der-encoded x509 CA certificate
+# with a .x509 suffix. See linux-%.bbappend for details.
+#
+# ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
+IMA_EVM_ROOT_CA ?= ""
+
+# Sign all regular files by default.
+IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
+# Hash nothing by default.
+IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false"
+
+# Mount these file systems (identified via their mount point) with
+# the iversion flags (needed by IMA when allowing writing).
+IMA_EVM_ROOTFS_IVERSION ?= ""
+
+ima_evm_sign_rootfs () {
+ cd ${IMAGE_ROOTFS}
+
+ # Beware that all operations below must also work when
+ # ima_evm_sign_rootfs was already called earlier for the same
+ # rootfs. That's because do_image might again run for various
+ # reasons (including a change of the signing keys) without also
+ # re-running do_rootfs.
+
+ # Copy file(s) which must be on the device. Note that
+ # evmctl uses x509_evm.der also for "ima_verify", which is probably
+ # a bug (should default to x509_ima.der). Does not matter for us
+ # because we use the same key for both.
+ install -d ./${sysconfdir}/keys
+ rm -f ./${sysconfdir}/keys/x509_evm.der
+ install "${IMA_EVM_X509}" ./${sysconfdir}/keys/x509_evm.der
+ ln -sf x509_evm.der ./${sysconfdir}/keys/x509_ima.der
+
+ # Fix /etc/fstab: it must include the "i_version" mount option for
+ # those file systems where writing files is allowed, otherwise
+ # these changes will not get detected at runtime.
+ #
+ # Note that "i_version" is documented in "man mount" only for ext4,
+ # whereas "iversion" is said to be filesystem-independent. In practice,
+ # there is only one MS_I_VERSION flag in the syscall and ext2/ext3/ext4
+ # all support it.
+ #
+ # coreutils translates "iversion" into MS_I_VERSION. busybox rejects
+ # "iversion" and only understands "i_version". systemd only understands
+ # "iversion". We pick "iversion" here for systemd, whereas rootflags
+ # for initramfs must use "i_version" for busybox.
+ #
+ # Deduplicates iversion in case that this gets called more than once.
+ if [ -f etc/fstab ]; then
+ perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab
+ fi
+
+ # Sign file with private IMA key. EVM not supported at the moment.
+ bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'"
+ find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY}
+ bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'"
+ find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
+
+ # Optionally install custom policy for loading by systemd.
+ if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
+ install -d ./${sysconfdir}/ima
+ rm -f ./${sysconfdir}/ima/ima-policy
+ install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
+ fi
+}
+
+# Signing must run as late as possible in the do_rootfs task.
+# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so
+# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with
+# _append instead of += because _append gets evaluated later. In
+# particular, we must run after prelink_image in
+# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables.
+
+IMAGE_PREPROCESS_COMMAND_append = " ima_evm_sign_rootfs ; "
+
+# evmctl must have been installed first.
+do_rootfs[depends] += "ima-evm-utils-native:do_populate_sysroot"
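Review bot: Both `find ... | xargs ... evmctl` pipelines in ima_evm_sign_rootfs report only xargs's exit status, so an error from find (unreadable path, bad expression) is masked and, with `--no-run-if-empty`, the step silently signs or hashes nothing; writing the list to a file first (`find ${IMA_EVM_ROOTFS_SIGNED} > ${T}/ima-sign.lst` then `xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY} < ${T}/ima-sign.lst`) lets a find failure abort the task. This matters for the default `IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false"`: GNU find's `-depth` takes no argument, so that expression likely errors rather than matching nothing, and `-maxdepth 0 -false` expresses the intent. With the placeholder default `IMA_EVM_KEY_DIR_NOT_SET`, a misconfigured build dies at the `install` line with a path error; an explicit `[ -f "${IMA_EVM_PRIVKEY}" ] && [ -f "${IMA_EVM_X509}" ] || bbfatal "IMA_EVM_PRIVKEY/IMA_EVM_X509 not found, set IMA_EVM_KEY_DIR (see ima-evm-rootfs.bbclass)"` at the top of the function gives a clear message. The perl fstab rewrite is hard to read; a comment showing one example fstab line before and after would help maintainers.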
diff --git a/external/meta-security/meta-integrity/classes/kernel-modsign.bbclass b/external/meta-security/meta-integrity/classes/kernel-modsign.bbclass
new file mode 100644
index 00000000..09025baa
--- /dev/null
+++ b/external/meta-security/meta-integrity/classes/kernel-modsign.bbclass
@@ -0,0 +1,29 @@
+# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
+# set explicitly in a local.conf before activating kernel-modsign.
+# To use the insecure (because public) example keys, use
+# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
+
+# Private key for modules signing. The default is okay when
+# using the example key directory.
+MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
+
+# Public part of certificates used for modules signing.
+# The default is okay when using the example key directory.
+MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
+
+# If this class is enabled, disable stripping signatures from modules
+INHIBIT_PACKAGE_STRIP = "1"
+
+kernel_do_configure_prepend() {
+ if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
+ cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
+ > "${B}/modsign_key.pem"
+ else
+ bberror "Either modsign key or certificate are invalid"
+ fi
+}
+
+do_shared_workdir_append() {
+ cp modsign_key.pem $kerneldir/
+}
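Review bot: kernel_do_configure_prepend only calls `bberror` when the key or certificate is missing, and bberror does not stop the task, so configure continues without `${B}/modsign_key.pem` and the failure surfaces later and less clearly (the `cp` in do_shared_workdir_append, or modules that end up unsigned); use `bbfatal "modsign key '${MODSIGN_PRIVKEY}' or certificate '${MODSIGN_X509}' not found"` instead, which also names the paths. `cp modsign_key.pem $kerneldir/` relies on the working directory being ${B} when do_shared_workdir runs — presumably true for the base task, but `cp "${B}/modsign_key.pem" "$kerneldir/"` removes the assumption. This copies the private signing key into the shared kernel work directory consumed by other recipes; a comment confirming that it is not staged, packaged or archived from there would be worth adding. The `[ -f a -a -f b ]` form is obsolescent in POSIX; `[ -f "${MODSIGN_PRIVKEY}" ] && [ -f "${MODSIGN_X509}" ]` is the portable spelling.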
diff --git a/external/meta-security/meta-integrity/conf/layer.conf b/external/meta-security/meta-integrity/conf/layer.conf
new file mode 100644
index 00000000..b4edac38
--- /dev/null
+++ b/external/meta-security/meta-integrity/conf/layer.conf
@@ -0,0 +1,28 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH =. "${LAYERDIR}:"
+
+# We have a packages directory, add to BBFILES
+BBFILES := "${BBFILES} \
+ ${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "integrity"
+BBFILE_PATTERN_integrity := "^${LAYERDIR}/"
+BBFILE_PRIORITY_integrity = "6"
+
+# Set a variable to get to the top of the metadata location. Needed
+# for finding scripts (when following the README.md instructions) and
+# default debug keys (in ima-evm-rootfs.bbclass).
+INTEGRITY_BASE := '${LAYERDIR}'
+
+# We must not export this path to all shell scripts (as in "export
+# INTEGRITY_BASE"), because that causes problems with sstate (becames
+# dependent on location of the layer). Exporting it to just the
+# interactive shell is enough.
+OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
+
+LAYERSERIES_COMPAT_integrity = "dunfell"
+# ima-evm-utils depends on keyutils from meta-oe
+LAYERDEPENDS_integrity = "core openembedded-layer"
+
+BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity"
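Review bot: The comment above OE_TERMINAL_EXPORTS has a typo, `becames` should be `becomes`. LAYERDEPENDS_integrity lists only `core openembedded-layer`, while the README added in this same commit says the layer depends on meta-security's security-framework layer; if that dependency is real it belongs here so bitbake enforces it, otherwise the README entry is stale and the two should be reconciled.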
diff --git a/external/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem b/external/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
new file mode 100644
index 00000000..502a0b68
--- /dev/null
+++ b/external/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/external/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem b/external/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem
new file mode 100644
index 00000000..4cac00ae
--- /dev/null
+++ b/external/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/external/meta-security/meta-integrity/data/debug-keys/x509_ima.der b/external/meta-security/meta-integrity/data/debug-keys/x509_ima.der
new file mode 100644
index 00000000..087ca6be
--- /dev/null
+++ b/external/meta-security/meta-integrity/data/debug-keys/x509_ima.der
Binary files differ
diff --git a/external/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt b/external/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt
new file mode 100644
index 00000000..5fa2a906
--- /dev/null
+++ b/external/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/external/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py b/external/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py
new file mode 100644
index 00000000..0c8617a5
--- /dev/null
+++ b/external/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py
@@ -0,0 +1,129 @@
+#!/usr/bin/env python
+#
+# Authors: Cristina Moraru <cristina.moraru@intel.com>
+# Alexandru Cornea <alexandru.cornea@intel.com>
+
+import string
+from time import sleep
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+from oeqa.core.decorator.data import skipIfDataVar, skipIfNotDataVar
+import bb
+blacklist = ["/usr/bin/uz", "/bin/su.shadow"]
+
+class IMACheck(OERuntimeTestCase):
+
+ @classmethod
+ def setUpClass(cls):
+ locations = ["/bin", "/usr/bin"]
+ cls.binaries = []
+ for l in locations:
+ status, output = cls.tc.target.run("find %s -type f" % l)
+ cls.binaries.extend(output.split("\n"))
+
+ cls.total = len(cls.binaries)
+
+
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_ima_enabled(self):
+ ''' Test if IMA policy is loaded before systemd starts'''
+
+ ima_search = "ima: "
+ systemd_search = "systemd .* running"
+ status, output = self.target.run("dmesg | grep -n '%s'" % ima_search)
+ self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search)
+
+
+ @skipIfNotFeature('systemd',
+ 'Test requires systemd to be in DISTRO_FEATURES')
+ @skipIfNotDataVar('VIRTUAL-RUNTIME_init_manager', 'systemd',
+ 'systemd is not the init manager for this image')
+ @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+ def test_ima_before_systemd(self):
+ ''' Test if IMA policy is loaded before systemd starts'''
+ ima_search = "ima: "
+ systemd_search = "systemd .* running"
+ status, output = self.target.run("dmesg | grep -n '%s'" % ima_search)
+ self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search)
+ ima_id = int(output.split(":")[0])
+ status, output = self.target.run("dmesg | grep -n '%s'" % systemd_search)
+ self.assertEqual(status, 0, "Did not find '%s' in dmesg" % systemd_search)
+ init_id = int(output.split(":")[0])
+ if ima_id > init_id:
+ self.fail("IMA does not start before systemd")
+
+
+ @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+ def test_ima_hash(self):
+ ''' Test if IMA stores correct file hash '''
+ filename = "/etc/filetest"
+ ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements"
+ status, output = self.target.run("echo test > %s" % filename)
+ self.assertEqual(status, 0, "Cannot create file %s on target" % filename)
+
+ # wait for the IMA system to update the entry
+ maximum_tries = 30
+ tries = 0
+ status, output = self.target.run("sha1sum %s" %filename)
+ sleep(2)
+ current_hash = output.split()[0]
+ ima_hash = ""
+
+ while tries < maximum_tries:
+ status, output = self.target.run("cat %s | grep %s" \
+ % (ima_measure_file, filename))
+ # get last entry, 4th field
+ if status == 0:
+ tokens = output.split("\n")[-1].split()[3]
+ ima_hash = tokens.split(":")[1]
+ if ima_hash == current_hash:
+ break
+
+ tries += 1
+ sleep(1)
+
+ # clean target
+ self.target.run("rm %s" % filename)
+ if ima_hash != current_hash:
+ self.fail("Hash stored by IMA does not match actual hash")
+
+
+ @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+ def test_ima_signature(self):
+ ''' Test if IMA stores correct signature for system binaries'''
+ passed = 0
+ failed = 0
+ for b in self.binaries:
+ if b in blacklist:
+ continue
+ status, output = self.target.run("evmctl ima_verify %s" % b)
+ if status != 0:
+ failed += 1
+ else:
+ passed += 1
+
+ if failed == self.total:
+ self.fail("Signature verifications failed (%s)" % self.total)
+
+ #bb.warn("pass: %s, fail: %s, Total: %s" % (passed, failed, total))
+
+ @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+ def test_ima_overwrite(self):
+ ''' Test if IMA prevents overwriting signed files '''
+ passed = 0
+ failed = 0
+ for b in self.binaries:
+ if b in blacklist:
+ continue
+ self.target.run("echo 'foo' >> %s" % b )
+ status, output = self.target.run("evmctl ima_verify %s" % b)
+
+ if status != 0:
+ failed += 1
+ else:
+ passed += 1
+
+ if failed == self.total:
+ self.fail("Overwritting verifications failed (%s)" % self.total)
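Review bot: In test_ima_signature and test_ima_overwrite the failure condition `failed == self.total` compares against a count that still includes the blacklisted paths the loop skips (and, from the `split("\n")` in setUpClass, possibly an empty trailing entry), so whenever a blacklisted file exists on the target the test can never fail even if every checked binary fails verification. Count what was actually checked instead, e.g. `checked = passed + failed` and `if checked == 0 or failed == checked: self.fail(...)`. Note also that test_ima_overwrite appends to every file under /bin and /usr/bin with no cleanup, so on a target where IMA does not refuse the write the image is left modified, and if the runner orders tests alphabetically test_ima_signature then runs on the altered files; a docstring line saying the test is destructive by design and must run on a throwaway image would help.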
diff --git a/external/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc b/external/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc
new file mode 100644
index 00000000..7e9e2108
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc
@@ -0,0 +1,5 @@
+# Append iversion option for auto types
+do_install_append() {
+ sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab"
+ echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab"
+}
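Review bot: The sed appends `,iversion` only to fstab lines that read exactly `auto defaults`, so a rootfs entry with an explicit filesystem type or extra options keeps its options unchanged and, if I understand IMA's reliance on i_version correctly, in-place modifications on that mount may then go unnoticed; a comment should state the assumption, e.g. `# Assumes the stock base-files fstab: only '<dev> <mnt> auto defaults' entries get iversion`. The securityfs line is appended unconditionally, so an fstab that already lists securityfs ends up with a duplicate entry; guarding it with `grep -q securityfs "${D}${sysconfdir}/fstab" ||` avoids that.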
diff --git a/external/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend b/external/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 00000000..c006f0e6
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'base-files-ima.inc', '', d)}
diff --git a/external/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/external/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
new file mode 100644
index 00000000..1a3a30a1
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -0,0 +1,21 @@
+DESCRIPTION = "An image as an exmaple for Ima support"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-ima-evm-utils \
+ os-release"
+
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "integrity-image-minimal"
+
+INHERIT += "ima-evm-rootfs"
+
+QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
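Review bot: The kernel command line sets `ima_appraise=fix`, which as I read the IMA parameters puts appraisal in fix mode, where files that fail appraisal get their hash rewritten rather than being refused, so this image exercises measurement and hash fix-up but never demonstrates that an unsigned or tampered file is rejected. That deserves a comment on the line, e.g. `# fix mode: missing or wrong hashes are rewritten, nothing is enforced; switch to ima_appraise=enforce to test rejection`. The DESCRIPTION also misspells "example".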
diff --git a/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
new file mode 100644
index 00000000..dacdc8bf
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -0,0 +1,31 @@
+# This recipe creates a module for the initramfs-framework in OE-core
+# which initializes IMA by loading a policy before transferring
+# control to the init process in the rootfs. The advantage over having
+# that init process doing the policy loading (which systemd could do)
+# is that already the integrity of the init binary itself will be
+# checked by the kernel.
+
+SUMMARY = "IMA module for the modular initramfs system"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima-policy-hashed"
+
+SRC_URI = " file://ima"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
+do_install () {
+ install -d ${D}/${sysconfdir}/ima
+ install -d ${D}/init.d
+ install ${WORKDIR}/ima ${D}/init.d/20-ima
+}
+
+FILES_${PN} = "/init.d ${sysconfdir}"
+
+RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"
+RDEPENDS_${PN} += "initramfs-framework-base"
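Review bot: The header comment above IMA_POLICY says the policy file will be installed as /etc/ima/ima-policy, but do_install here only creates the empty `${sysconfdir}/ima` directory and installs the `ima` script; the policy itself is pulled in as the `${IMA_POLICY}` package through RDEPENDS, so the comment (copied from the policy recipe) misleads. Suggest `# Name of the package (pulled in via RDEPENDS) that provides /etc/ima/ima-policy in the initramfs; a .bbappend can point it at another policy recipe.` and dropping the unused `install -d ${D}/${sysconfdir}/ima` unless something relies on the empty directory being packaged.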
diff --git a/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
new file mode 100644
index 00000000..8616f992
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Loads IMA policy into the kernel.
+
+ima_enabled() {
+ if [ "$bootparam_no_ima" = "true" ]; then
+ return 1
+ fi
+}
+
+ima_run() {
+ info "Initializing IMA (can be skipped with no_ima boot parameter)."
+ if ! grep -w securityfs /proc/mounts >/dev/null; then
+ if ! mount -t securityfs securityfs /sys/kernel/security; then
+ fatal "Could not mount securityfs."
+ fi
+ fi
+ if [ ! -d /sys/kernel/security/ima ]; then
+ fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel."
+ fi
+
+ # Instead of depending on the kernel to load the IMA X.509 certificate,
+ # use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492)
+ # where the loaded key was not checked sufficiently. We use keyctl here because it is
+ # slightly smaller than evmctl and is needed anyway.
+ # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349).
+ for kind in ima evm; do
+ key=/etc/keys/x509_$kind.der
+ if [ -s $key ]; then
+ id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1)
+ if [ "$id" ]; then
+ id=$(printf "%d" 0x$id)
+ fi
+ if [ -z "$id" ]; then
+ id=`keyctl search @u keyring _$kind 2>/dev/null`
+ if [ -z "$id" ]; then
+ id=`keyctl newring _$kind @u`
+ fi
+ fi
+ info "Loading $key into $kind keyring $id"
+ keyctl padd asymmetric "" $id <$key
+ fi
+ done
+
+ # In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly
+ # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
+ # checking the write of each line. To minimize the risk of policy loading going wrong we
+ # also remove comments and blank lines ourselves.
+ if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then
+ fatal "Could not load IMA policy."
+ fi
+}
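Review bot: The policy is read from `/etc/ima-policy` in the final `if ! (set -e; …)` line, while the policy recipe in this series installs it as `${sysconfdir}/ima/ima-policy` and the initramfs recipe comment says /etc/ima/ima-policy; unless something outside this diff places a copy at /etc/ima-policy, the initramfs will hit "Could not load IMA policy." — the redirect should be `</etc/ima/ima-policy`. Write each line with `echo "$i"` rather than `echo $i`, since the unquoted form lets the shell glob and re-split the policy text before the kernel sees it. Since `no_ima=true` on the command line skips policy loading entirely, the info message's comment should add that this escape hatch is only safe where the kernel command line is itself covered by the verified-boot chain.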
diff --git a/external/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/external/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
new file mode 100644
index 00000000..8196edb2
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
@@ -0,0 +1,11 @@
+SUMMARY = "IMA/EVM userspace tools"
+LICENSE = "MIT"
+
+inherit packagegroup features_check
+
+REQUIRED_DISTRO_FEATURES = "ima"
+
+# Only one at the moment, but perhaps more will come in the future.
+RDEPENDS_${PN} = " \
+ ima-evm-utils \
+"
diff --git a/external/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf b/external/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf
new file mode 100644
index 00000000..d6d3240f
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPost=/bin/sync
diff --git a/external/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf b/external/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf
new file mode 100644
index 00000000..f4c170bd
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStopPost=/bin/sync
+ExecStartPost=/bin/sync
diff --git a/external/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/external/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend
new file mode 100644
index 00000000..3b455416
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend
@@ -0,0 +1,13 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI += " \
+ file://machine-id-commit-sync.conf \
+ file://random-seed-sync.conf \
+"
+
+do_install_append () {
+ for i in machine-id-commit random-seed; do
+ install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d
+ install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d
+ done
+}
diff --git a/external/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/external/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
new file mode 100644
index 00000000..f9a48cd0
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -0,0 +1,5 @@
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
+
+KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
+
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
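Review bot: The three kernel patches added under recipes-kernel/linux/linux/ in this commit are not referenced from this bbappend, which has no FILESEXTRAPATHS or SRC_URI addition, so unless a file outside this diff applies them they are dead files that a reader will assume are in effect. Either wire them in, guarded by the feature, e.g. `FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"` and `SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://0001-ima-fix-ima_inode_post_setattr.patch ...', '', d)}"`, or note in a comment which kernel versions they target and that they are kept for reference only.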
diff --git a/external/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/external/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
new file mode 100644
index 00000000..64016dd3
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
@@ -0,0 +1,51 @@
+From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Tue, 8 Mar 2016 16:43:55 -0500
+Subject: [PATCH] ima: fix ima_inode_post_setattr
+
+Changing file metadata (eg. uid, guid) could result in having to
+re-appraise a file's integrity, but does not change the "new file"
+status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
+IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
+only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
+
+With this patch, changing the file timestamp will not remove the
+file signature on new files.
+
+Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
+
+Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+---
+ security/integrity/ima/ima_appraise.c | 2 +-
+ security/integrity/integrity.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index 4df493e..a384ba1 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
+ if (iint) {
+ iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
+ IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
+- IMA_ACTION_FLAGS);
++ IMA_ACTION_RULE_FLAGS);
+ if (must_appraise)
+ iint->flags |= IMA_APPRAISE;
+ }
+diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
+index 0fc9519..f9decae 100644
+--- a/security/integrity/integrity.h
++++ b/security/integrity/integrity.h
+@@ -28,6 +28,7 @@
+
+ /* iint cache flags */
+ #define IMA_ACTION_FLAGS 0xff000000
++#define IMA_ACTION_RULE_FLAGS 0x06000000
+ #define IMA_DIGSIG 0x01000000
+ #define IMA_DIGSIG_REQUIRED 0x02000000
+ #define IMA_PERMIT_DIRECTIO 0x04000000
+--
+2.5.0
+
diff --git a/external/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/external/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
new file mode 100644
index 00000000..6ab7ce27
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
@@ -0,0 +1,138 @@
+From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Thu, 10 Mar 2016 18:19:20 +0200
+Subject: [PATCH] ima: add support for creating files using the mknodat
+ syscall
+
+Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
+stopped identifying empty files as new files. However new empty files
+can be created using the mknodat syscall. On systems with IMA-appraisal
+enabled, these empty files are not labeled with security.ima extended
+attributes properly, preventing them from subsequently being opened in
+order to write the file data contents. This patch marks these empty
+files, created using mknodat, as new in order to allow the file data
+contents to be written.
+
+Files with security.ima xattrs containing a file signature are considered
+"immutable" and can not be modified. The file contents need to be
+written, before signing the file. This patch relaxes this requirement
+for new files, allowing the file signature to be written before the file
+contents.
+
+Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356]
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+---
+ fs/namei.c | 2 ++
+ include/linux/ima.h | 7 ++++++-
+ security/integrity/ima/ima_appraise.c | 3 +++
+ security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++-
+ 4 files changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index ccd7f98..19502da 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3526,6 +3526,8 @@ retry:
+ switch (mode & S_IFMT) {
+ case 0: case S_IFREG:
+ error = vfs_create(path.dentry->d_inode,dentry,mode,true);
++ if (!error)
++ ima_post_path_mknod(dentry);
+ break;
+ case S_IFCHR: case S_IFBLK:
+ error = vfs_mknod(path.dentry->d_inode,dentry,mode,
+diff --git a/include/linux/ima.h b/include/linux/ima.h
+index 120ccc5..7f51971 100644
+--- a/include/linux/ima.h
++++ b/include/linux/ima.h
+@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file);
+ extern int ima_file_mmap(struct file *file, unsigned long prot);
+ extern int ima_module_check(struct file *file);
+ extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
+-
++extern void ima_post_path_mknod(struct dentry *dentry);
+ #else
+ static inline int ima_bprm_check(struct linux_binprm *bprm)
+ {
+@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
+ return 0;
+ }
+
++static inline void ima_post_path_mknod(struct dentry *dentry)
++{
++ return;
++}
++
+ #endif /* CONFIG_IMA */
+
+ #ifdef CONFIG_IMA_APPRAISE
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index 4df493e..20806ea 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -274,6 +274,11 @@ out:
+ xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
+ if (!ima_fix_xattr(dentry, iint))
+ status = INTEGRITY_PASS;
++ } else if ((inode->i_size == 0) &&
++ (iint->flags & IMA_NEW_FILE) &&
++ (xattr_value &&
++ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
++ status = INTEGRITY_PASS;
+ }
+ integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
+ op, cause, rc, 0);
+diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
+index eeee00dc..705bf78 100644
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function,
+ ima_audit_measurement(iint, pathname);
+
+ out_digsig:
+- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
++ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
++ !(iint->flags & IMA_NEW_FILE))
+ rc = -EACCES;
+ kfree(xattr_value);
+ out_free:
+@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened)
+ EXPORT_SYMBOL_GPL(ima_file_check);
+
+ /**
++ * ima_post_path_mknod - mark as a new inode
++ * @dentry: newly created dentry
++ *
++ * Mark files created via the mknodat syscall as new, so that the
++ * file data can be written later.
++ */
++void ima_post_path_mknod(struct dentry *dentry)
++{
++ struct integrity_iint_cache *iint;
++ struct inode *inode;
++ int must_appraise;
++
++ if (!dentry || !dentry->d_inode)
++ return;
++
++ inode = dentry->d_inode;
++ if (inode->i_size != 0)
++ return;
++
++ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
++ if (!must_appraise)
++ return;
++
++ iint = integrity_inode_get(inode);
++ if (iint)
++ iint->flags |= IMA_NEW_FILE;
++}
++
++/**
+ * ima_module_check - based on policy, collect/store/appraise measurement.
+ * @file: pointer to the file to be measured/appraised
+ *
+--
+2.5.0
+
diff --git a/external/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/external/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
new file mode 100644
index 00000000..157c007b
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
@@ -0,0 +1,60 @@
+From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Tue, 15 Nov 2016 10:10:23 +0100
+Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log
+ modes"
+
+This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533.
+
+The original motivation was security hardening ("File hashes are
+automatically set and updated and should not be manually set.")
+
+However, that hardening ignores and breaks some valid use cases:
+- File hashes might not be set because the file is currently
+ outside of the policy and therefore have to be set by the
+ creator. Examples:
+ - Booting into an initramfs with an IMA-enabled kernel but
+ without setting an IMA policy, then installing
+ the OS onto the target partition by unpacking a rootfs archive
+ which has the file hashes pre-computed.
+ - Unpacking a file into a staging area with meta data (like owner)
+ that leaves the file outside of the current policy, then changing
+ the meta data such that it becomes part of the current policy.
+- "should not be set manually" implies that the creator is aware
+ of IMA semantic, the current system's configuration, and then
+ skips setting file hashes in security.ima if (and only if) the
+ kernel would prevent it. That's not the case for standard, unmodified
+ tools. Example: unpacking an archive with security.ima xattrs with
+ bsdtar or GNU tar.
+
+Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ security/integrity/ima/ima_appraise.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index 4b9b4a4..b8b2dd9 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
+ result = ima_protect_xattr(dentry, xattr_name, xattr_value,
+ xattr_value_len);
+ if (result == 1) {
+- bool digsig;
+-
+ if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
+ return -EINVAL;
+- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
+- return -EPERM;
+- ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
++ ima_reset_appraise_flags(d_backing_inode(dentry),
++ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
+ result = 0;
+ }
+ return result;
+--
+2.1.4
+
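Review bot: This revert re-allows a plain hash (non-signature) security.ima value to be written while appraisal is in enforce mode, which is exactly the write the upstream hardening refused, so on a running target any process that passes the remaining xattr checks (presumably the capability check in ima_protect_xattr, not shown here) can re-hash a file it has modified and keep it appraisable under a hash-only policy. The justification covers build and install time, but the patch header should also state the runtime trade-off and that it is mitigated only when the policy demands signatures (`appraise_type=imasig`), e.g. `Note: with this revert a hash-only appraisal policy no longer prevents a privileged process from re-hashing a tampered file; require signatures where that matters.`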
diff --git a/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
new file mode 100644
index 00000000..35c31627
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
@@ -0,0 +1,68 @@
+From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Fri, 30 Sep 2016 10:22:16 +0200
+Subject: [PATCH] command line: apply operation to all paths
+
+Previously, invocations like "evmctl ima_hash foo bar" silently
+ignored all parameters after the first path name ("foo" in this
+example).
+
+Now evmctl iterates over all specified paths. It aborts with an
+error as soon as the selected operation fails for a path.
+
+Supporting more than one parameter is useful in combination with
+"find" and "xargs" because it is noticably faster than invoking
+evmutil separately for each file, in particular when run under pseudo
+(a fakeroot environment used by the OpenEmbedded build system).
+
+This complements the recursive mode and can be used when more control
+over file selection is needed.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ src/evmctl.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 23cf54c..2072034 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type)
+ static int do_cmd(struct command *cmd, find_cb_t func)
+ {
+ char *path = g_argv[optind++];
+- int err, dts = REG_MASK; /* only regular files by default */
++ int err = 0, dts = REG_MASK; /* only regular files by default */
+
+ if (!path) {
+ log_err("Parameters missing\n");
+@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func)
+ return -1;
+ }
+
+- if (recursive) {
+- if (search_type) {
+- dts = get_file_type(path, search_type);
+- if (dts < 0)
+- return dts;
++ while (path && !err) {
++ if (recursive) {
++ if (search_type) {
++ dts = get_file_type(path, search_type);
++ if (dts < 0)
++ return dts;
++ }
++ err = find(path, dts, func);
++ } else {
++ err = func(path);
+ }
+- err = find(path, dts, func);
+- } else {
+- err = func(path);
++ path = g_argv[optind++];
+ }
+
+ return err;
+--
+2.1.4
+
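Review bot: Unlike the other two ima-evm-utils patches in this series this one carries no `Upstream-Status:` tag in its header, which OE patch review expects; add e.g. `Upstream-Status: Submitted [linux-ima-devel@lists.sourceforge.net]` or `Pending`, whichever is true. On the code side, `while (path && !err)` stops at the first failing path as the description says, but nothing at the loop says so; a one-line comment such as `/* abort on the first path that fails; the remaining paths are not processed */` would make the abort-on-first-error behaviour visible where it is implemented.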
diff --git a/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
new file mode 100644
index 00000000..75076f52
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
@@ -0,0 +1,50 @@
+From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 13 May 2015 03:41:02 -0700
+Subject: [PATCH] Makefile.am: disable man page creation
+
+Depends on asciidoc, which is not available.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ Makefile.am | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 06ebf59..4ddd52c 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,5 +1,5 @@
+ SUBDIRS = src
+-dist_man_MANS = evmctl.1
++# dist_man_MANS = evmctl.1
+
+ doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
+ EXTRA_DIST = autogen.sh $(doc_DATA)
+@@ -39,4 +39,21 @@ rmman:
+
+ doc: evmctl.1.html rmman evmctl.1
+
++# requires asciidoc, xslproc, docbook-xsl
++# FIXME Disabled until docbook-xsl is unavaliable on tizen.org
++#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl
++#
++#evmctl.1.html: README
++# @asciidoc -o $@ $<
++#
++#evmctl.1:
++# asciidoc -d manpage -b docbook -o evmctl.1.xsl README
++# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl
++# rm -f evmctl.1.xsl
++#
++#rmman:
++# rm -f evmctl.1
++#
++#doc: evmctl.1.html rmman evmctl.1
++
+ .PHONY: $(tarname)
+--
+1.8.4.5
+
diff --git a/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
new file mode 100644
index 00000000..ffa65dfb
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
@@ -0,0 +1,47 @@
+From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 17 Jun 2015 14:28:18 +0200
+Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines
+
+Compilation on older Linux distros (like Ubuntu 12.04) fails
+because linux/xattr.h does not yet have the IMA defines. Compiling
+there makes sense when only the tools are needed, for example when
+signing an image in cross-compile mode.
+
+To support this, add fallbacks for the two defines which are needed.
+Their value is part of the Linux ABI and thus fixed.
+
+Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ src/evmctl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index c54efbb..23cf54c 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -57,6 +57,18 @@
+ #include <termios.h>
+ #include <assert.h>
+
++/*
++ * linux/xattr.h might be old to have this. Allow compilation on older
++ * Linux distros (like Ubuntu 12.04) by falling back to our own
++ * definition.
++ */
++#ifndef XATTR_IMA_SUFFIX
++# define XATTR_IMA_SUFFIX "ima"
++#endif
++#ifndef XATTR_NAME_IMA
++# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX
++#endif
++
+ #include <openssl/sha.h>
+ #include <openssl/pem.h>
+ #include <openssl/hmac.h>
+--
+2.1.4
+
diff --git a/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
new file mode 100644
index 00000000..7f649c2d
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
@@ -0,0 +1,37 @@
+DESCRIPTION = "IMA/EVM control utility"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS += "openssl attr keyutils"
+
+DEPENDS_class-native += "openssl-native keyutils-native"
+
+PV = "1.2.1+git${SRCPV}"
+SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e"
+SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y"
+
+# Documentation depends on asciidoc, which we do not have, so
+# do not build documentation.
+SRC_URI += "file://disable-doc-creation.patch"
+
+# Workaround for upstream incompatibility with older Linux distros.
+# Relevant for us when compiling ima-evm-utils-native.
+SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch"
+
+# Required for xargs with more than one path as argument (better for performance).
+SRC_URI += "file://command-line-apply-operation-to-all-paths.patch"
+
+S = "${WORKDIR}/git"
+
+inherit pkgconfig autotools features_check
+
+REQUIRED_DISTRO_FEATURES = "ima"
+
+EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
+
+# blkid is called by evmctl when creating evm checksums.
+# This is less useful when signing files on the build host,
+# so disable it when compiling on the host.
+RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils"
+
+BBCLASSEXTEND = "native nativesdk"
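Review bot: SRC_URI fetches over the unauthenticated `git://` transport; the full SRCREV pin means a substituted tree would be detected, but the fetch remains exposed to denial or downgrade games in transit and newer OE releases require an explicit protocol anyway, so use `SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y;protocol=https"`. The comment above RDEPENDS says blkid is "disabled" on the host, but the line only scopes the runtime dependencies to class-target; reword to `# runtime deps only for target builds: the native/nativesdk evmctl is used for signing at build time and does not need blkid there`.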
diff --git a/external/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/external/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
new file mode 100644
index 00000000..36e71a7d
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -0,0 +1,29 @@
+#
+# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
+#
+# Do not measure anything, but appraise everything
+#
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+# BIFMT
+dont_appraise fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+# SELINUXFS_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
+dont_appraise fsmagic=0x6e736673
+# EFIVARFS_MAGIC
+dont_appraise fsmagic=0xde5e81e4
+
+appraise
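Review bot: The exclusion list ends at EFIVARFS_MAGIC and does not carry the `dont_appraise fsmagic=0x43415d53` (SMACK_MAGIC) and `dont_appraise fsmagic=0x27e0eb` (CGROUP_SUPER_MAGIC) rules that the sibling ima_policy_hashed file in this commit includes. If that difference is unintentional, the closing default `appraise` rule applies to files on smackfs and cgroupfs, which carry no security.ima xattr, and accesses there would presumably be refused under enforcing appraisal. Either add the two rules or note in the header why this policy deliberately omits them.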
diff --git a/external/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/external/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
new file mode 100644
index 00000000..da62a4cf
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -0,0 +1,21 @@
+SUMMARY = "IMA sample simple appraise policy "
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_appraise_all"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
+do_install () {
+ install -d ${D}/${sysconfdir}/ima
+ install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
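Review bot: The `install ${WORKDIR}/${IMA_POLICY} ...` line in do_install relies on install's default mode, so the policy is written as an executable (0755) file; an IMA policy is plain configuration data, and `install -m 0644 ${WORKDIR}/${IMA_POLICY} ${D}${sysconfdir}/ima/ima-policy` makes the intended mode explicit (the `${D}/${sysconfdir}` form also yields a doubled slash, since sysconfdir already starts with one). The identical do_install body is repeated in ima-policy-hashed_1.0.bb and ima-policy-simple_1.0.bb in this commit. Minor: the SUMMARY string has a trailing space inside the quotes.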
diff --git a/external/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/external/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
new file mode 100644
index 00000000..7f89c8d9
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
@@ -0,0 +1,77 @@
+# With this policy, all files on regular partitions are
+# appraised. Files with signed IMA hash and normal hash are
+# accepted. Signed files cannot be modified while hashed files can be
+# (which will also update the hash). However, signed files can
+# be deleted, so in practice it is still possible to replace them
+# with a modified version.
+#
+# Without EVM, this is obviously not very secure, so this policy is
+# just an example and/or basis for further improvements. For that
+# purpose, some comments show what could be added to make the policy
+# more secure.
+#
+# With EVM the situation might be different because access
+# to the EVM key can be restricted.
+#
+# Files which are appraised are also measured. This allows
+# debugging whether a file is in policy by looking at
+# /sys/kernel/security/ima/ascii_runtime_measurements
+
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+dont_measure fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+dont_measure fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+dont_measure fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+dont_measure fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+dont_measure fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+dont_measure fsmagic=0x1cd1
+# BIFMT
+dont_appraise fsmagic=0x42494e4d
+dont_measure fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+dont_measure fsmagic=0x73636673
+# SELINUXFS_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+dont_measure fsmagic=0xf97cff8c
+# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
+dont_appraise fsmagic=0x6e736673
+dont_measure fsmagic=0x6e736673
+# SMACK_MAGIC
+dont_appraise fsmagic=0x43415d53
+dont_measure fsmagic=0x43415d53
+# CGROUP_SUPER_MAGIC
+dont_appraise fsmagic=0x27e0eb
+dont_measure fsmagic=0x27e0eb
+# EFIVARFS_MAGIC
+dont_appraise fsmagic=0xde5e81e4
+dont_measure fsmagic=0xde5e81e4
+
+# Special partition, no checking done.
+# dont_measure fsuuid=a11234...
+# dont_appraise fsuuid=a11243...
+
+# Special immutable group.
+# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
+
+# All executables must be signed - too strict, we need to
+# allow installing executables on the device.
+# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
+# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
+
+# Default rule. Would be needed also when other rules were added that
+# determine what to do in case of reading (mask=MAY_READ or
+# mask=MAY_EXEC) because otherwise writing does not update the file
+# hash.
+appraise
+measure
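Review bot: The commented example under "Special partition, no checking done." uses two different placeholder UUIDs, `fsuuid=a11234...` on the dont_measure line and `fsuuid=a11243...` on the dont_appraise line, for what reads as one and the same partition; presumably a typo, but a reader copying the template as a pair would want them to match, e.g. `# dont_appraise fsuuid=a11234...`. The rest of the header honestly spells out the limits of hash-only appraisal without EVM, which is the right level of documentation for an example policy.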
diff --git a/external/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/external/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
new file mode 100644
index 00000000..ebb04264
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -0,0 +1,23 @@
+SUMMARY = "IMA sample hash policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_hashed"
+
+SRC_URI = " \
+ file://${IMA_POLICY} \
+"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
+do_install () {
+ install -d ${D}/${sysconfdir}/ima
+ install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
diff --git a/external/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple b/external/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
new file mode 100644
index 00000000..38ca8f53
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
@@ -0,0 +1,4 @@
+# Very simple policy demonstrating the systemd policy loading bug
+# (policy with one line works, two lines don't).
+dont_appraise fsmagic=0x9fa0
+dont_appraise fsmagic=0x62656572
diff --git a/external/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/external/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
new file mode 100644
index 00000000..cb4b6b8a
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -0,0 +1,21 @@
+SUMMARY = "IMA sample simple policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_simple"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
+do_install () {
+ install -d ${D}/${sysconfdir}/ima
+ install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
diff --git a/external/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh b/external/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
new file mode 100755
index 00000000..5f3a728f
--- /dev/null
+++ b/external/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# Copied from ima-evm-utils.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+GENKEY=ima.genkey
+CA=${1:-ima-local-ca.pem}
+CAKEY=${2:-ima-local-ca.priv}
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_usr
+
+[ req_distinguished_name ]
+O = example.com
+CN = meta-intel-iot-security example signing key
+emailAddress = john.doe@example.com
+
+[ v3_usr ]
+basicConstraints=critical,CA:FALSE
+#basicConstraints=CA:FALSE
+keyUsage=digitalSignature
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+#authorityKeyIdentifier=keyid,issuer
+__EOF__
+
+openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+ -out csr_ima.pem -keyout privkey_ima.pem
+openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+ -CA $CA -CAkey $CAKEY -CAcreateserial \
+ -outform DER -out x509_ima.der
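Review bot: The generated signing certificate uses `default_bits = 1024` and a `-sha1` signature digest, both below current minimums for keys that gate which files the kernel will trust, and the script sets no `set -e`, so a failed `openssl req` still lets the `openssl x509` step run against a missing CSR. The header says the file is copied from ima-evm-utils, so the values may be kept for parity, but for anything beyond throwaway debug keys I would change them to `default_bits = 2048` and `-sha256`, and add `set -e` after the shebang. The same 1024-bit/`-sha1` pair is in ima-gen-self-signed.sh (which additionally issues a 36500-day certificate), and `-sha1` is also used in ima-gen-local-ca.sh. The private key is written unencrypted (`-nodes`) into the current directory, which is acceptable on a build host but deserves a one-line comment saying so.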
diff --git a/external/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh b/external/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
new file mode 100755
index 00000000..b6007614
--- /dev/null
+++ b/external/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+# Copied from ima-evm-utils.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+GENKEY=ima-local-ca.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+O = example.com
+CN = meta-intel-iot-security example certificate signing key
+emailAddress = john.doe@example.com
+
+[ v3_ca ]
+basicConstraints=CA:TRUE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# keyUsage = cRLSign, keyCertSign
+__EOF__
+
+openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
+
+openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
diff --git a/external/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh b/external/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh
new file mode 100755
index 00000000..5ee876c0
--- /dev/null
+++ b/external/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# Copied from ima-evm-utils.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+GENKEY=ima.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = example.com
+CN = meta-intel-iot-security example signing key
+emailAddress = john.doe@example.com
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+__EOF__
+
+openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+ -x509 -config $GENKEY \
+ -outform DER -out x509_ima.der -keyout privkey_ima.pem
diff --git a/external/meta-security/meta-security-compliance/README b/external/meta-security/meta-security-compliance/README
index b29c143b..320f8567 100644
--- a/external/meta-security/meta-security-compliance/README
+++ b/external/meta-security/meta-security-compliance/README
@@ -28,9 +28,9 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][PATCH'
-Layer Maintainer: Armin Kuster <akuster@mvista.com>
+Layer Maintainer: Armin Kuster <akuster808@gmail.com>
License
diff --git a/external/meta-security/meta-security-compliance/conf/layer.conf b/external/meta-security/meta-security-compliance/conf/layer.conf
index fcc5cd6c..965c8379 100644
--- a/external/meta-security/meta-security-compliance/conf/layer.conf
+++ b/external/meta-security/meta-security-compliance/conf/layer.conf
@@ -8,8 +8,8 @@ BBFILE_COLLECTIONS += "scanners-layer"
BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_scanners-layer = "10"
-LAYERSERIES_COMPAT_scanners-layer = "thud"
+LAYERSERIES_COMPAT_scanners-layer = "dunfell"
-LAYERDEPENDS_scanners-layer = " \
- core \
-"
+LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
+
+BBLAYERS_LAYERINDEX_NAME_scanners-layer = "meta-security-compliance"
diff --git a/external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb b/external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
index 28a44691..245761c3 100644
--- a/external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb
+++ b/external/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
-SRC_URI[md5sum] = "91a538055bfb682733ef8e4fe7eb0902"
-SRC_URI[sha256sum] = "2e4c5157a4f2d9bb37d3f0f1f5bea03f92233a2a7d4df6eddf231a784087dfac"
+SRC_URI[md5sum] = "fb527b6976e70a6bcd57036c9cddc242"
+SRC_URI[sha256sum] = "3d27ade73a5c1248925ad9c060024940ce5d2029f40aaa901f43314888fe324d"
S = "${WORKDIR}/${BPN}"
@@ -38,4 +38,4 @@ do_install () {
FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf"
FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md"
-RDEPENDS_${PN} += "procps"
+RDEPENDS_${PN} += "procps findutils"
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/external/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
index 5b613756..fd53fcba 100644
--- a/external/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
@@ -8,12 +8,11 @@ LICENSE = "MIT"
SRCREV = "7147871d7f37d408c0dd7720ef0fd3ec1b54ad98"
SRC_URI = "git://github.com/akuster/oe-scap.git"
SRC_URI += " \
- file://run_cve.sh \
- file://run_test.sh \
- file://OpenEmbedded_nodistro_0.xml \
- file://OpenEmbedded_nodistro_0.xccdf.xml \
-"
-
+ file://run_cve.sh \
+ file://run_test.sh \
+ file://OpenEmbedded_nodistro_0.xml \
+ file://OpenEmbedded_nodistro_0.xccdf.xml \
+ "
S = "${WORKDIR}/git"
@@ -31,4 +30,4 @@ do_install () {
FILES_${PN} += "${datadir}/oe-scap"
-RDEPENDS_${PN} = "openscap"
+RDEPENDS_${PN} = "openscap bash"
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch b/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
new file mode 100644
index 00000000..2a518bfe
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
@@ -0,0 +1,130 @@
+From c34349720a57997d30946286756e2ba9dbab6ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 2 Jul 2018 11:21:19 +0200
+Subject: [PATCH] Renamed module and variables to get rid of async.
+
+async is a reserved word in Python 3.7.
+
+Upstream-Status: Backport
+[https://github.com/OpenSCAP/openscap-daemon/commit/c34349720a57997d30946286756e2ba9dbab6ace]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ openscap_daemon/{async.py => async_tools.py} | 0
+ openscap_daemon/dbus_daemon.py | 2 +-
+ openscap_daemon/system.py | 16 ++++++++--------
+ tests/unit/test_basic_update.py | 3 ++-
+ 4 files changed, 11 insertions(+), 10 deletions(-)
+ rename openscap_daemon/{async.py => async_tools.py} (100%)
+
+diff --git a/openscap_daemon/async.py b/openscap_daemon/async_tools.py
+similarity index 100%
+rename from openscap_daemon/async.py
+rename to openscap_daemon/async_tools.py
+diff --git a/openscap_daemon/dbus_daemon.py b/openscap_daemon/dbus_daemon.py
+index e6eadf9..cb6a8b6 100644
+--- a/openscap_daemon/dbus_daemon.py
++++ b/openscap_daemon/dbus_daemon.py
+@@ -81,7 +81,7 @@ class OpenSCAPDaemonDbus(dbus.service.Object):
+ @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
+ in_signature="", out_signature="a(xsi)")
+ def GetAsyncActionsStatus(self):
+- return self.system.async.get_status()
++ return self.system.async_manager.get_status()
+
+ @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
+ in_signature="s", out_signature="(sssn)")
+diff --git a/openscap_daemon/system.py b/openscap_daemon/system.py
+index 2012f6e..85c2680 100644
+--- a/openscap_daemon/system.py
++++ b/openscap_daemon/system.py
+@@ -26,7 +26,7 @@ import logging
+ from openscap_daemon.task import Task
+ from openscap_daemon.config import Configuration
+ from openscap_daemon import oscap_helpers
+-from openscap_daemon import async
++from openscap_daemon import async_tools
+
+
+ class ResultsNotAvailable(Exception):
+@@ -40,7 +40,7 @@ TASK_ACTION_PRIORITY = 10
+
+ class System(object):
+ def __init__(self, config_file):
+- self.async = async.AsyncManager()
++ self.async_manager = async_tools.AsyncManager()
+
+ logging.info("Loading configuration from '%s'.", config_file)
+ self.config = Configuration()
+@@ -90,7 +90,7 @@ class System(object):
+ input_file, tailoring_file, None
+ )
+
+- class AsyncEvaluateSpecAction(async.AsyncAction):
++ class AsyncEvaluateSpecAction(async_tools.AsyncAction):
+ def __init__(self, system, spec):
+ super(System.AsyncEvaluateSpecAction, self).__init__()
+
+@@ -113,7 +113,7 @@ class System(object):
+ return "Evaluate Spec '%s'" % (self.spec)
+
+ def evaluate_spec_async(self, spec):
+- return self.async.enqueue(
++ return self.async_manager.enqueue(
+ System.AsyncEvaluateSpecAction(
+ self,
+ spec
+@@ -488,7 +488,7 @@ class System(object):
+
+ return ret
+
+- class AsyncUpdateTaskAction(async.AsyncAction):
++ class AsyncUpdateTaskAction(async_tools.AsyncAction):
+ def __init__(self, system, task_id, reference_datetime):
+ super(System.AsyncUpdateTaskAction, self).__init__()
+
+@@ -536,7 +536,7 @@ class System(object):
+
+ if task.should_be_updated(reference_datetime):
+ self.tasks_scheduled.add(task.id_)
+- self.async.enqueue(
++ self.async_manager.enqueue(
+ System.AsyncUpdateTaskAction(
+ self,
+ task.id_,
+@@ -662,7 +662,7 @@ class System(object):
+ fix_type
+ )
+
+- class AsyncEvaluateCVEScannerWorkerAction(async.AsyncAction):
++ class AsyncEvaluateCVEScannerWorkerAction(async_tools.AsyncAction):
+ def __init__(self, system, worker):
+ super(System.AsyncEvaluateCVEScannerWorkerAction, self).__init__()
+
+@@ -680,7 +680,7 @@ class System(object):
+ return "Evaluate CVE Scanner Worker '%s'" % (self.worker)
+
+ def evaluate_cve_scanner_worker_async(self, worker):
+- return self.async.enqueue(
++ return self.async_manager.enqueue(
+ System.AsyncEvaluateCVEScannerWorkerAction(
+ self,
+ worker
+diff --git a/tests/unit/test_basic_update.py b/tests/unit/test_basic_update.py
+index 6f683e6..7f953f7 100755
+--- a/tests/unit/test_basic_update.py
++++ b/tests/unit/test_basic_update.py
+@@ -37,8 +37,9 @@ class BasicUpdateTest(unit_test_harness.APITest):
+ print(self.system.tasks)
+ self.system.schedule_tasks()
+
+- while len(self.system.async.actions) > 0:
++ while len(self.system.async_manager.actions) > 0:
+ time.sleep(1)
+
++
+ if __name__ == "__main__":
+ BasicUpdateTest.run()
+--
+2.7.4
+
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
index a6a9373e..a7750214 100644
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
@@ -9,10 +9,15 @@ LICENSE = "LGPL-2.1"
DEPENDS = "python3-dbus"
SRCREV = "f25b16afb6ac761fea13132ff406fba4cdfd2b76"
-SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git"
+SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git \
+ file://0001-Renamed-module-and-variables-to-get-rid-of-async.patch \
+ "
inherit setuptools3
S = "${WORKDIR}/git"
-RDEPENDS_${PN} = "python"
+RDEPENDS_${PN} = "openscap scap-security-guide \
+ python3-core python3-dbus \
+ python3-pygobject \
+ "
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch
deleted file mode 100644
index 2d70855a..00000000
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Index: git/configure.ac
-===================================================================
---- git.orig/configure.ac
-+++ git/configure.ac
-@@ -360,25 +360,13 @@ case "${with_crypto}" in
- AC_DEFINE([HAVE_NSS3], [1], [Define to 1 if you have 'NSS' library.])
- ;;
- gcrypt)
-- SAVE_LIBS=$LIBS
-- AC_CHECK_LIB([gcrypt], [gcry_check_version],
-- [crapi_CFLAGS=`libgcrypt-config --cflags`;
-- crapi_LIBS=`libgcrypt-config --libs`;
-- crapi_libname="GCrypt";],
-- [AC_MSG_ERROR([library 'gcrypt' is required for GCrypt.])],
-- [])
-- AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'gcrypt' library.])
-- AC_CACHE_CHECK([for GCRYCTL_SET_ENFORCED_FIPS_FLAG],
-- [ac_cv_gcryctl_set_enforced_fips_flag],
-- [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include<gcrypt.h>],
-- [return GCRYCTL_SET_ENFORCED_FIPS_FLAG;])],
-- [ac_cv_gcryctl_set_enforced_fips_flag=yes],
-- [ac_cv_gcryctl_set_enforced_fips_flag=no])])
-+ PKG_CHECK_MODULES([libgcrypt], [libgcrypt >= 1.7.9],[],
-+ AC_MSG_FAILURE([libgcrypt devel support is missing]))
-
-- if test "${ac_cv_gcryctl_set_enforced_fips_flag}" == "yes"; then
-- AC_DEFINE([HAVE_GCRYCTL_SET_ENFORCED_FIPS_FLAG], [1], [Define to 1 if you have 'gcrypt' library with GCRYCTL_SET_ENFORCED_FIPS_FLAG.])
-- fi
-- LIBS=$SAVE_LIBS
-+ crapi_libname="libgcrypt"
-+ crapi_CFLAGS=$libgcrypt_CFLAGS
-+ crapi_LIBS=$libgcrypt_LIBS
-+ AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'libgcrypt' library.])
- ;;
- *)
- AC_MSG_ERROR([unknown crypto backend])
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
deleted file mode 100644
index ecbe6026..00000000
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Index: git/configure.ac
-===================================================================
---- git.orig/configure.ac
-+++ git/configure.ac
-@@ -1109,11 +1109,7 @@ AC_ARG_WITH([crypto],
- [],
- [crypto=gcrypt])
-
--if test "x${libexecdir}" = xNONE; then
-- probe_dir="/usr/local/libexec/openscap"
--else
-- EXPAND_DIR(probe_dir,"${libexecdir}/openscap")
--fi
-+probe_dir="/usr/local/libexec/openscap"
-
- AC_SUBST(probe_dir)
-
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
deleted file mode 100644
index 454a6a3c..00000000
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-cd tests
-make -k check
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index e9589b6b..afa576a9 100644
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -1,2 +1,55 @@
+# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "NIST Certified SCAP 1.2 toolkit"
+HOME_URL = "https://www.open-scap.org/tools/openscap-base/"
+LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
+LICENSE = "LGPL-2.1"
+
+DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig"
+DEPENDS_class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native"
+
+S = "${WORKDIR}/git"
+
+inherit cmake pkgconfig python3native perlnative
+
+PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3"
+PACKAGECONFIG[perl] = "-DENABLE_PERL=ON, ,perl, perl"
+PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm"
+PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt"
+PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss"
+PACKAGECONFIG[selinux] = ", ,libselinux"
+
+EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \
+ -DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \
+ -DENABLE_OSCAP_UTIL=ON -DENABLE_OSCAP_UTIL_SSH=ON \
+ -DENABLE_OSCAP_UTIL_DOCKER=OFF -DENABLE_OSCAP_UTIL_CHROOT=OFF \
+ -DENABLE_OSCAP_UTIL_PODMAN=OFF -DENABLE_OSCAP_UTIL_VM=OFF \
+ -DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \
+ -DENABLE_SCE=ON -DENABLE_MITRE=OFF -DENABLE_TESTS=OFF \
+ -DCMAKE_SKIP_INSTALL_RPATH=ON -DCMAKE_SKIP_RPATH=ON \
+ "
+
STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source"
STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+
+do_configure_append_class-native () {
+ sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h
+ sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h
+ sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h
+}
+
+do_install_class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
+do_install_append_class-native () {
+ oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
+ install -d $oscapdir
+ cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir
+}
+
+
+FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}"
+
+RDEPENDS_${PN} += "libxml2 python3-core libgcc bash"
+
+BBCLASSEXTEND = "native"
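Review bot: `SUMARRY` and `HOME_URL` near the top of the hunk are not BitBake variables — the recognised names are `SUMMARY` and `HOMEPAGE` — so the package ends up with no summary or homepage metadata, and BitBake gives no warning for unknown variable names. The same `SUMARRY` misspelling is repeated in openscap_1.3.1.bb and openscap_git.bb in this commit. Separately, do_install_append_class-native copies into `${STAGING_OSCAP_BUILDDIR}` outside `${D}`; that directory is presumably not captured by sstate for the native recipe, and while the `[cleandirs]` flag guards against stale content, a short comment explaining why this shared directory is needed would help the next maintainer.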
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb
deleted file mode 100644
index e2a4fa2e..00000000
--- a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb
+++ /dev/null
@@ -1,87 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "NIST Certified SCAP 1.2 toolkit"
-HOME_URL = "https://www.open-scap.org/tools/openscap-base/"
-LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
-LICENSE = "LGPL-2.1"
-
-DEPENDS = "autoconf-archive pkgconfig gconf procps curl libxml2 rpm \
- libxslt libcap swig swig-native"
-
-DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native"
-
-SRCREV = "59c234b3e9907480c89dfbd1b466a6bf72a2d2ed"
-SRC_URI = "git://github.com/akuster/openscap.git;branch=oe \
- file://crypto_pkgconfig.patch \
- file://run-ptest \
-"
-
-inherit autotools-brokensep pkgconfig python3native perlnative ptest
-
-S = "${WORKDIR}/git"
-
-PACKAGECONFIG ?= "nss3 pcre rpm"
-PACKAGECONFIG[pcre] = ",--enable-regex-posix, libpcre"
-PACKAGECONFIG[gcrypt] = "--with-crypto=gcrypt,, libgcrypt "
-PACKAGECONFIG[nss3] = "--with-crypto=nss3,, nss"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python"
-PACKAGECONFIG[python3] = "--enable-python3, --disable-python3, python3, python3"
-PACKAGECONFIG[perl] = "--enable-perl, --disable-perl, perl, perl"
-PACKAGECONFIG[rpm] = " --enable-util-scap-as-rpm, --disable-util-scap-as-rpm, rpm, rpm"
-
-export LDFLAGS += " -ldl"
-
-EXTRA_OECONF += "--enable-probes-independent --enable-probes-linux \
- --enable-probes-solaris --enable-probes-unix --disable-util-oscap-docker\
- --enable-util-oscap-ssh --enable-util-oscap --enable-ssp --enable-sce \
-"
-
-EXTRA_OECONF_class-native += "--disable-probes-independent --enable-probes-linux \
- --disable-probes-solaris --disable-probes-unix \
- --enable-util-oscap \
-"
-
-do_configure_prepend () {
- sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/perl/Makefile.am
- sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python3/Makefile.am
- sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python2/Makefile.am
- sed -i 's:python2:python:' ${S}/utils/scap-as-rpm
-}
-
-
-include openscap.inc
-
-do_configure_append_class-native () {
- sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h
- sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h
- sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h
-}
-
-do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
-
-do_install_append_class-native () {
- oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
- install -d $oscapdir
- cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir
-}
-
-TESTDIR = "tests"
-
-do_compile_ptest() {
- sed -i 's:python2:python:' ${S}/${TESTDIR}/nist/test_worker.py
- echo 'buildtest-TESTS: $(check)' >> ${TESTDIR}/Makefile
- oe_runmake -C ${TESTDIR} buildtest-TESTS
-}
-
-do_install_ptest() {
- # install the tests
- cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH}
-}
-
-FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}"
-
-RDEPENDS_${PN} += "libxml2 python libgcc"
-RDEPENDS_${PN}-ptest = "bash perl python"
-
-BBCLASSEXTEND = "native"
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb
new file mode 100644
index 00000000..ad29efda
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb
@@ -0,0 +1,9 @@
+SUMARRY = "NIST Certified SCAP 1.2 toolkit"
+
+require openscap.inc
+
+SRCREV = "3a4c635691380fa990a226acc8558db35d7ebabc"
+SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \
+"
+
+DEFAULT_PREFERENCE = "-1"
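Review bot: `SUMARRY` on the first line is a misspelling of the BitBake variable `SUMMARY`, so the recipe's description is never set and the text lands in a variable nothing reads; the same typo is in openscap_git.bb, scap-security-guide.inc, scap-security-guide_0.1.44.bb and scap-security-guide_git.bb in this commit. Change it to `SUMMARY = "NIST Certified SCAP 1.2 toolkit"` in each. The SRC_URI also fetches over the plain `git://` transport, which is neither encrypted nor authenticated, so the integrity of the fetched source rests entirely on the pinned SRCREV; adding `;protocol=https` to the URI gives the fetch an authenticated transport as well.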
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
new file mode 100644
index 00000000..963d3dec
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
@@ -0,0 +1,12 @@
+# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "NIST Certified SCAP 1.2 toolkit with OE changes"
+
+include openscap.inc
+
+SRCREV = "4bbdb46ff651f809d5b38ca08d769790c4bfff90"
+SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3 \
+"
+
+PV = "1.3.1+git${SRCPV}"
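Review bot: `include openscap.inc` silently continues if the include file cannot be found, whereas openscap_1.3.1.bb in the same commit uses `require openscap.inc`, which aborts the parse. Since this recipe defines only SRCREV, SRC_URI and PV, the include file presumably carries the license, dependencies and build logic, and a silent miss would yield a recipe with no build steps rather than a parse error. Change the line to `require openscap.inc` so both recipes fail loudly in the same way.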
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch
new file mode 100644
index 00000000..c0b93e41
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch
@@ -0,0 +1,39 @@
+From 174293162e5840684d967e36840fc1f9f57c90be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Thu, 5 Dec 2019 15:02:05 +0100
+Subject: [PATCH] Fix XML "parsing" of the remediation functions file.
+
+A proper fix is not worth the effort, as we aim to kill shared Bash remediation
+with Jinja2 macros.
+
+Upstream-Status: Backport
+[https://github.com/ComplianceAsCode/content/commit/174293162e5840684d967e36840fc1f9f57c90be]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ssg/build_remediations.py | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 7da807bd6..13e90f732 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -56,11 +56,11 @@ def get_available_functions(build_dir):
+ remediation_functions = []
+ with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile:
+ filestring = xmlfile.read()
+- # This regex looks implementation dependent but we can rely on
+- # ElementTree sorting XML attrs alphabetically. Hidden is guaranteed
+- # to be the first attr and ID is guaranteed to be second.
++ # This regex looks implementation dependent but we can rely on the element attributes
++ # being present on one line.
++ # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7.
+ remediation_functions = re.findall(
+- r'<Value hidden=\"true\" id=\"function_(\S+)\"',
++ r'<Value.*id=\"function_(\S+)\"',
+ filestring, re.DOTALL
+ )
+
+--
+2.17.1
+
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch
new file mode 100644
index 00000000..f0c9909c
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch
@@ -0,0 +1,35 @@
+From 28a35d63a0cc6b7beb51c77d93bb30778e6960cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 9 Dec 2019 13:41:47 +0100
+Subject: [PATCH] Fixed the broken fix, when greedy regex ate the whole file.
+
+We want to match attributes in an XML element, not in the whole file.
+
+Upstream-Status: Backport
+[https://github.com/ComplianceAsCode/content/commit/28a35d63a0cc6b7beb51c77d93bb30778e6960cd]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ssg/build_remediations.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 13e90f732..edf31c0cf 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -57,10 +57,10 @@ def get_available_functions(build_dir):
+ with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile:
+ filestring = xmlfile.read()
+ # This regex looks implementation dependent but we can rely on the element attributes
+- # being present on one line.
++ # being present. Beware, DOTALL means we go through the whole file at once.
+ # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7.
+ remediation_functions = re.findall(
+- r'<Value.*id=\"function_(\S+)\"',
++ r'<Value[^>]+id=\"function_(\S+)\"',
+ filestring, re.DOTALL
+ )
+
+--
+2.17.1
+
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
new file mode 100644
index 00000000..66c26230
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -0,0 +1,35 @@
+# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "SCAP content for various platforms"
+HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
+LICENSE = "LGPL-2.1"
+
+DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native"
+
+S = "${WORKDIR}/git"
+
+inherit cmake pkgconfig python3native
+
+STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
+export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
+export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
+
+OECMAKE_GENERATOR = "Unix Makefiles"
+
+EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF"
+
+B = "${S}/build"
+
+do_configure[depends] += "openscap-native:do_install"
+
+do_configure_prepend () {
+ sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
+ sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt
+}
+
+FILES_${PN} += "${datadir}/xml"
+
+RDEPENDS_${PN} = "openscap"
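Review bot: `HOME_URL` is not a BitBake metadata variable; the recognised one is `HOMEPAGE`, so the URL on that line is not picked up by the package metadata — change it to `HOMEPAGE = "https://www.open-scap.org/security-policies/scap-security-guide/"`. The three exported OSCAP_*_PATH values point into `${TMPDIR}/work-shared/openscap/oscap-build-artifacts`, a directory outside the sysroot, and the task dependency is on `openscap-native:do_install` rather than `do_populate_sysroot`; if openscap-native is restored from sstate that install step does not run, so the directory may be absent at configure time. A guard at the top of do_configure_prepend, e.g. `[ -d "${STAGING_OSCAP_BUILDDIR}" ] || bbfatal "openscap-native build artifacts missing: ${STAGING_OSCAP_BUILDDIR}"`, would turn that into a clear failure instead of a confusing cmake error.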
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
deleted file mode 100644
index 7fa417de..00000000
--- a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com>
-# Released under the MIT license (see COPYING.MIT for the terms)
-
-SUMARRY = "SCAP content for various platforms"
-HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=236e81befc8154d18c93c848185d7e52"
-LICENSE = "LGPL-2.1"
-
-DEPENDS = "openscap-native"
-
-SRCREV = "423d9f40021a03abd018bef7818a3a9fe91a083c"
-SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe;"
-
-inherit cmake
-
-PARALLEL_MAKE = ""
-
-S = "${WORKDIR}/git"
-
-STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
-
-EXTRA_OECMAKE += "-DSSG_PRODUCT_CHROMIUM:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_DEBIAN8:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_FEDORA:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_FIREFOX:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_EAP5:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_JRE:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENSUSE:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_OSP7:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL5:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL6:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL7:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEV3:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE11:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE12:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1404:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1604:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_WRLINUX:BOOL=OFF"
-EXTRA_OECMAKE += "-DSSG_PRODUCT_WEBMIN:BOOL=OFF"
-
-do_configure_prepend () {
- sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
- sed -i 's:/usr/share/openscap/:${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/:g' ${S}/cmake/SSGCommon.cmake
-}
-
-do_compile () {
- cd ${B}
- make openembedded
-}
-
-do_install () {
- cd ${B}
- make DESTDIR=${D} install
-}
-FILES_${PN} += "${datadir}/xml"
-RDEPNEDS_${PN} = "openscap"
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
new file mode 100644
index 00000000..d80ecd7e
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb
@@ -0,0 +1,8 @@
+SUMARRY = "SCAP content for various platforms, upstream version"
+
+SRCREV = "8cb2d0f351faff5440742258782281164953b0a6"
+SRC_URI = "git://github.com/ComplianceAsCode/content.git"
+
+DEFAULT_PREFERENCE = "-1"
+
+require scap-security-guide.inc
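Review bot: The SRC_URI on the fourth line has no `branch=` parameter, so the fetcher looks for SRCREV on the repository's default branch and the fetch fails if that commit is only reachable from a release branch; the other git recipes in this commit all pin a branch, e.g. `SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https"` if master is the right one. This recipe also does not carry the two remediation-functions patches that scap-security-guide_git.bb applies; if the upstream 0.1.44 tag predates those upstream commits (dated December 2019), the Python 3.7+ XML attribute-ordering breakage they fix will presumably affect this build too, since the .inc inherits python3native.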
diff --git a/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
new file mode 100644
index 00000000..f35d7691
--- /dev/null
+++ b/external/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
@@ -0,0 +1,12 @@
+SUMARRY = "SCAP content for various platforms, OE changes"
+
+SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed"
+SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44; \
+ file://0001-Fix-XML-parsing-of-the-remediation-functions-file.patch \
+ file://0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch \
+ "
+PV = "0.1.44+git${SRCPV}"
+
+require scap-security-guide.inc
+
+EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENEMBEDDED=ON"
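Review bot: The first SRC_URI entry ends in `branch=oe-0.1.44;`, leaving a trailing empty parameter before the continuation; the fetcher tolerates it today, but it reads as a leftover and none of the other URIs in this commit do it. Drop the stray semicolon, `git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44 \`, and consider `;protocol=https` for the same transport-authentication reason as the openscap recipes.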
diff --git a/external/meta-security/meta-security-isafw/.gitignore b/external/meta-security/meta-security-isafw/.gitignore
new file mode 100644
index 00000000..2f836aac
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/.gitignore
@@ -0,0 +1,2 @@
+*~
+*.pyc
diff --git a/external/meta-security/meta-security-isafw/COPYING.MIT b/external/meta-security/meta-security-isafw/COPYING.MIT
new file mode 100644
index 00000000..fb950dc6
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/COPYING.MIT
@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/external/meta-security/meta-security-isafw/README.md b/external/meta-security/meta-security-isafw/README.md
new file mode 100644
index 00000000..16041cbf
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/README.md
@@ -0,0 +1,92 @@
+**meta-security-isafw** is an OE layer that allows enabling the Image
+Security Analysis Framework (isafw) for your image builds.
+
+The primary purpose of isafw is to provide an extensible
+framework for analysing different security aspects of images
+during the build process.
+
+The isafw project itself can be found at
+ https://github.com/01org/isafw
+
+The framework supports a number of callbacks (such as
+process_package(), process_filesystem(), and etc.) that are invoked
+by the bitbake during different stages of package and image build.
+These callbacks are then forwarded for processing to the avaliable
+ISA FW plugins that have registered for these callbacks.
+Plugins can do their own processing on each stage of the build
+process and produce security reports.
+
+Dependencies
+------------
+
+The **meta-security-isafw** layer depends on the Open Embeeded
+core layer:
+
+ git://git.openembedded.org/openembedded-core
+
+
+Usage
+-----
+
+In order to enable the isafw during the image build, please add
+the following line to your build/conf/local.conf file:
+
+```python
+INHERIT += "isafw"
+```
+
+Next you need to update your build/conf/bblayers.conf file with the
+location of meta-security-isafw layer on your filesystem along with
+any other layers needed. e.g.:
+
+```python
+BBLAYERS ?= " \
+ /OE/oe-core/meta \
+ /OE/meta-security/meta-security-isafw \
+ "
+```
+
+Also, some isafw plugins require network connection, so in case of a
+proxy setup please make sure to export http_proxy variable into your
+environment.
+
+In order to produce image reports, you can execute image build
+normally. For example:
+
+```shell
+bitbake core-image-minimal
+```
+
+If you are only interested to produce a report based on packages
+and without building an image, please use:
+
+```shell
+bitbake -c analyse_sources_all core-image-minimal
+```
+
+
+Logs
+----
+
+All isafw plugins by default create their logs under the
+${LOG_DIR}/isafw-report/ directory, where ${LOG_DIR} is a bitbake
+default location for log files. If you wish to change this location,
+please define ISAFW_REPORTDIR variable in your local.conf file.
+
+Patches
+-------
+end pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security-isafw][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@lists.yoctoproject.org
+$ git config format.subjectPrefix meta-security-isafw][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+For pull requests, please use create-pull-request and send-pull-request.
+
+Maintainers: Armin Kuster <akuster808@gmail.com>
diff --git a/external/meta-security/meta-security-isafw/classes/isafw.bbclass b/external/meta-security/meta-security-isafw/classes/isafw.bbclass
new file mode 100644
index 00000000..146acdfb
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/classes/isafw.bbclass
@@ -0,0 +1,318 @@
+# Security scanning class
+#
+# Based in part on buildhistory.bbclass which was in turn based on
+# testlab.bbclass and packagehistory.bbclass
+#
+# Copyright (C) 2011-2015 Intel Corporation
+# Copyright (C) 2007-2011 Koen Kooi <koen@openembedded.org>
+#
+
+LICENSE = "MIT"
+
+require conf/distro/include/distro_alias.inc
+
+ISAFW_WORKDIR = "${WORKDIR}/isafw"
+ISAFW_REPORTDIR ?= "${LOG_DIR}/isafw-report"
+ISAFW_LOGDIR ?= "${LOG_DIR}/isafw-logs"
+
+ISAFW_PLUGINS_WHITELIST ?= ""
+ISAFW_PLUGINS_BLACKLIST ?= ""
+
+ISAFW_LA_PLUGIN_IMAGE_WHITELIST ?= ""
+ISAFW_LA_PLUGIN_IMAGE_BLACKLIST ?= ""
+
+# First, code to handle scanning each recipe that goes into the build
+
+do_analysesource[nostamp] = "1"
+do_analysesource[cleandirs] = "${ISAFW_WORKDIR}"
+
+python do_analysesource() {
+ from isafw import isafw
+
+ imageSecurityAnalyser = isafw_init(isafw, d)
+
+ if not d.getVar('SRC_URI', True):
+ # Recipe didn't fetch any sources, nothing to do here I assume?
+ return
+
+ recipe = isafw.ISA_package()
+ recipe.name = d.getVar('BPN', True)
+ recipe.version = d.getVar('PV', True)
+ recipe.version = recipe.version.split('+git', 1)[0]
+
+ for p in d.getVar('PACKAGES', True).split():
+ license = str(d.getVar('LICENSE_' + p, True))
+ if license == "None":
+ license = d.getVar('LICENSE', True)
+ license = license.replace("(", "")
+ license = license.replace(")", "")
+ licenses = license.split()
+ while '|' in licenses:
+ licenses.remove('|')
+ while '&' in licenses:
+ licenses.remove('&')
+ for l in licenses:
+ recipe.licenses.append(p + ":" + canonical_license(d, l))
+
+ aliases = d.getVar('DISTRO_PN_ALIAS', True)
+ if aliases:
+ recipe.aliases = aliases.split()
+ faliases = []
+ for a in recipe.aliases:
+ if (a != "OSPDT") and (not (a.startswith("upstream="))):
+ faliases.append(a.split('=', 1)[-1])
+ # remove possible duplicates in pkg names
+ faliases = list(set(faliases))
+ recipe.aliases = faliases
+
+ for patch in src_patches(d):
+ _,_,local,_,_,_=bb.fetch.decodeurl(patch)
+ recipe.patch_files.append(os.path.basename(local))
+ if (not recipe.patch_files) :
+ recipe.patch_files.append("None")
+
+ # Pass the recipe object to the security framework
+ bb.debug(1, '%s: analyse sources' % (d.getVar('PN', True)))
+ imageSecurityAnalyser.process_package(recipe)
+
+ return
+}
+
+addtask do_analysesource before do_build
+
+# This task intended to be called after default task to process reports
+
+PR_ORIG_TASK := "${BB_DEFAULT_TASK}"
+addhandler process_reports_handler
+process_reports_handler[eventmask] = "bb.event.BuildCompleted"
+
+python process_reports_handler() {
+ from isafw import isafw
+
+ dd = d.createCopy()
+ target_sysroot = dd.expand("${STAGING_DIR}/${MACHINE}")
+ native_sysroot = dd.expand("${STAGING_DIR}/${BUILD_ARCH}")
+ staging_populate_sysroot_dir(target_sysroot, native_sysroot, True, dd)
+
+ dd.setVar("STAGING_DIR_NATIVE", native_sysroot)
+ savedenv = os.environ.copy()
+ os.environ["PATH"] = dd.getVar("PATH", True)
+
+ imageSecurityAnalyser = isafw_init(isafw, dd)
+ bb.debug(1, 'isafw: process reports')
+ imageSecurityAnalyser.process_report()
+
+ os.environ["PATH"] = savedenv["PATH"]
+}
+
+do_build[depends] += "cve-update-db-native:do_populate_cve_db ca-certificates-native:do_populate_sysroot"
+do_build[depends] += "python3-lxml-native:do_populate_sysroot"
+
+# These tasks are intended to be called directly by the user (e.g. bitbake -c)
+
+addtask do_analyse_sources after do_analysesource
+do_analyse_sources[doc] = "Produce ISAFW reports based on given package without building it"
+do_analyse_sources[nostamp] = "1"
+do_analyse_sources() {
+ :
+}
+
+addtask do_analyse_sources_all after do_analysesource
+do_analyse_sources_all[doc] = "Produce ISAFW reports for all packages in given target without building them"
+do_analyse_sources_all[recrdeptask] = "do_analyse_sources_all do_analysesource"
+do_analyse_sources_all[recideptask] = "do_${PR_ORIG_TASK}"
+do_analyse_sources_all[nostamp] = "1"
+do_analyse_sources_all() {
+ :
+}
+
+python() {
+ # We probably don't need to scan these
+ if bb.data.inherits_class('native', d) or \
+ bb.data.inherits_class('nativesdk', d) or \
+ bb.data.inherits_class('cross', d) or \
+ bb.data.inherits_class('crosssdk', d) or \
+ bb.data.inherits_class('cross-canadian', d) or \
+ bb.data.inherits_class('packagegroup', d) or \
+ bb.data.inherits_class('image', d):
+ bb.build.deltask('do_analysesource', d)
+}
+
+fakeroot python do_analyse_image() {
+
+ from isafw import isafw
+
+ imageSecurityAnalyser = isafw_init(isafw, d)
+
+ # Directory where the image's entire contents can be examined
+ rootfsdir = d.getVar('IMAGE_ROOTFS', True)
+
+ imagebasename = d.getVar('IMAGE_BASENAME', True)
+
+ kernelconf = d.getVar('STAGING_KERNEL_BUILDDIR', True) + "/.config"
+ if os.path.exists(kernelconf):
+ kernel = isafw.ISA_kernel()
+ kernel.img_name = imagebasename
+ kernel.path_to_config = kernelconf
+ bb.debug(1, 'do kernel conf analysis on %s' % kernelconf)
+ imageSecurityAnalyser.process_kernel(kernel)
+ else:
+ bb.debug(1, 'Kernel configuration file is missing. Not performing analysis on %s' % kernelconf)
+
+ pkglist = manifest2pkglist(d)
+
+ imagebasename = d.getVar('IMAGE_BASENAME', True)
+
+ if (pkglist):
+ pkg_list = isafw.ISA_pkg_list()
+ pkg_list.img_name = imagebasename
+ pkg_list.path_to_list = pkglist
+ bb.debug(1, 'do pkg list analysis on %s' % pkglist)
+ imageSecurityAnalyser.process_pkg_list(pkg_list)
+
+ fs = isafw.ISA_filesystem()
+ fs.img_name = imagebasename
+ fs.path_to_fs = rootfsdir
+
+ bb.debug(1, 'do image analysis on %s' % rootfsdir)
+ imageSecurityAnalyser.process_filesystem(fs)
+}
+
+do_rootfs[depends] += "checksec-native:do_populate_sysroot ca-certificates-native:do_populate_sysroot"
+do_rootfs[depends] += "prelink-native:do_populate_sysroot"
+do_rootfs[depends] += "python3-lxml-native:do_populate_sysroot"
+
+isafw_init[vardepsexclude] = "DATETIME"
+def isafw_init(isafw, d):
+ import re, errno
+
+ isafw_config = isafw.ISA_config()
+ # Override the builtin default in curl-native (used by cve-update-db-nativ)
+ # because that default is a path that may not be valid: when curl-native gets
+ # installed from sstate, we end up with the sysroot path as it was on the
+ # original build host, which is not necessarily the same path used now
+ # (see https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883).
+ #
+ # Can't use ${sysconfdir} here, it already includes ${STAGING_DIR_NATIVE}
+ # when the current recipe is native.
+ isafw_config.cacert = d.expand('${STAGING_DIR_NATIVE}/etc/ssl/certs/ca-certificates.crt')
+
+ bb.utils.export_proxies(d)
+
+ isafw_config.machine = d.getVar('MACHINE', True)
+ isafw_config.timestamp = d.getVar('DATETIME', True)
+ isafw_config.reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + isafw_config.timestamp
+ if not os.path.exists(os.path.dirname(isafw_config.reportdir + "/test")):
+ try:
+ os.makedirs(os.path.dirname(isafw_config.reportdir + "/test"))
+ except OSError as exc:
+ if exc.errno == errno.EEXIST and os.path.isdir(isafw_config.reportdir):
+ pass
+ else: raise
+ isafw_config.logdir = d.getVar('ISAFW_LOGDIR', True)
+ # Adding support for arm
+ # TODO: Add support for other platforms
+ isafw_config.arch = d.getVar('TARGET_ARCH', True)
+ if ( isafw_config.arch != "arm" ):
+ isafw_config.arch = "x86"
+
+ whitelist = d.getVar('ISAFW_PLUGINS_WHITELIST', True)
+ blacklist = d.getVar('ISAFW_PLUGINS_BLACKLIST', True)
+ if whitelist:
+ isafw_config.plugin_whitelist = re.split(r'[,\s]*', whitelist)
+ if blacklist:
+ isafw_config.plugin_blacklist = re.split(r'[,\s]*', blacklist)
+
+ la_image_whitelist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_WHITELIST', True)
+ la_image_blacklist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_BLACKLIST', True)
+ if la_image_whitelist:
+ isafw_config.la_plugin_image_whitelist = re.split(r'[,\s]*', la_image_whitelist)
+ if la_image_blacklist:
+ isafw_config.la_plugin_image_blacklist = re.split(r'[,\s]*', la_image_blacklist)
+
+ return isafw.ISA(isafw_config)
+
+# based on toaster.bbclass _toaster_load_pkgdatafile function
+def binary2source(dirpath, filepath):
+ import re
+ originPkg = ""
+ with open(os.path.join(dirpath, filepath), "r") as fin:
+ for line in fin:
+ try:
+ kn, kv = line.strip().split(": ", 1)
+ m = re.match(r"^PKG_([^A-Z:]*)", kn)
+ if m:
+ originPkg = str(m.group(1))
+ except ValueError:
+ pass # ignore lines without valid key: value pairs:
+ if not originPkg:
+ originPkg = "UNKNOWN"
+ return originPkg
+
+manifest2pkglist[vardepsexclude] = "DATETIME"
+def manifest2pkglist(d):
+ import glob
+
+ manifest_file = d.getVar('IMAGE_MANIFEST', True)
+ imagebasename = d.getVar('IMAGE_BASENAME', True)
+ reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + d.getVar('DATETIME', True)
+ pkgdata_dir = d.getVar("PKGDATA_DIR", True)
+ rr_dir = "%s/runtime-reverse/" % pkgdata_dir
+ pkglist = reportdir + "/pkglist"
+
+ with open(pkglist, 'a') as foutput:
+ foutput.write("Packages for image " + imagebasename + "\n")
+ try:
+ with open(manifest_file, 'r') as finput:
+ for line in finput:
+ items = line.split()
+ if items and (len(items) >= 3):
+ pkgnames = map(os.path.basename, glob.glob(os.path.join(rr_dir, items[0])))
+ for pkgname in pkgnames:
+ originPkg = binary2source(rr_dir, pkgname)
+ version = items[2]
+ if not version:
+ version = "undetermined"
+ foutput.write(pkgname + " " + version + " " + originPkg + "\n")
+ except IOError:
+ bb.debug(1, 'isafw: manifest file not found. Skip pkg list analysis')
+ return "";
+
+
+ return pkglist
+
+# NOTE: by the time IMAGE_POSTPROCESS_COMMAND items are called, the image
+# has been stripped of the package manager database (if runtime package management
+# is not enabled, i.e. 'package-management' is not in IMAGE_FEATURES). If you
+# do want to be using the package manager to operate on the image contents, you'll
+# need to call your function from ROOTFS_POSTINSTALL_COMMAND or
+# ROOTFS_POSTUNINSTALL_COMMAND instead - however if you do that you should then be
+# aware that what you'll be looking at isn't exactly what you will see in the image
+# at runtime (there will be other postprocessing functions called after yours).
+#
+# do_analyse_image does not need the package manager database. Making it
+# a separate task instead of a IMAGE_POSTPROCESS_COMMAND has several
+# advantages:
+# - all other image commands are guaranteed to have completed
+# - it can run in parallel to other tasks which depend on the complete
+# image, instead of blocking those other tasks
+# - meta-swupd helper images do not need to be analysed and won't be
+# because nothing depends on their "do_build" task, only on
+# do_image_complete
+python () {
+ if bb.data.inherits_class('image', d):
+ bb.build.addtask('do_analyse_image', 'do_build', 'do_image_complete', d)
+}
+
+python isafwreport_handler () {
+
+ import shutil
+
+ logdir = e.data.getVar('ISAFW_LOGDIR', True)
+ if os.path.exists(os.path.dirname(logdir+"/test")):
+ shutil.rmtree(logdir)
+ os.makedirs(os.path.dirname(logdir+"/test"))
+
+}
+addhandler isafwreport_handler
+isafwreport_handler[eventmask] = "bb.event.BuildStarted"
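Review bot: In isafw_init the four `re.split(r'[,\s]*', …)` calls use a quantifier that matches the empty string, and from Python 3.7 re.split honours empty matches, so a value such as `ISA_cve_plugin` is split into single characters and the plugin and image whitelists/blacklists never match a real name. Use a separator that cannot be empty, `re.split(r'[,\s]+', whitelist.strip())`, in all four places. In process_reports_handler the PATH override is restored only when process_report() returns normally; a `try:`/`finally:` around that call keeps the original PATH in the server process when a plugin raises. In isafwreport_handler `shutil.rmtree(logdir)` removes the user-settable ISAFW_LOGDIR on every BuildStarted event with no check that the directory was created by this class, so a value pointing at a shared directory would be erased; at minimum a comment warning `# ISAFW_LOGDIR is wiped on every build start; never point it at a shared directory` belongs next to the default on the ISAFW_LOGDIR line.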
diff --git a/external/meta-security/meta-security-isafw/conf/layer.conf b/external/meta-security/meta-security-isafw/conf/layer.conf
new file mode 100644
index 00000000..63f990a8
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/conf/layer.conf
@@ -0,0 +1,17 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "security-isafw"
+BBFILE_PATTERN_security-isafw = "^${LAYERDIR}/"
+BBFILE_PRIORITY_security-isafw = "6"
+
+# This should only be incremented on significant changes that will
+# cause compatibility issues with other layers
+LAYERVERSION_security-isafw = "1"
+
+LAYERDEPENDS_security-isafw = "core"
+
+LAYERSERIES_COMPAT_security-isafw = "dunfell"
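Review bot: `LAYERDEPENDS_security-isafw = "core"` understates what isafw.bbclass needs: it adds `checksec-native:do_populate_sysroot` to do_rootfs[depends] and `python3-lxml-native` to do_build and do_rootfs, and checksec appears to be provided by the main meta-security layer rather than oe-core (its runtime test is part of this commit's diffstat). Unless those recipes are guaranteed present some other way, list the providing collection here, presumably `LAYERDEPENDS_security-isafw = "core security"`, so a missing layer is reported at parse time rather than as an unresolved dependency at task time; the layer supplying python3-lxml cannot be confirmed from this diff and should be checked as well.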
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/__init__.py b/external/meta-security/meta-security-isafw/lib/isafw/__init__.py
new file mode 100644
index 00000000..50527fbe
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/__init__.py
@@ -0,0 +1,40 @@
+#
+# __init__.py - part of ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""isafw
+
+Current Contents:
+
+* isafw.py - main class
+* plugins - ISA plugins
+* plugins/configs - configuration data for the plugins
+"""
+
+__all__ = [
+ 'isafw',
+]
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isafw.py b/external/meta-security/meta-security-isafw/lib/isafw/isafw.py
new file mode 100644
index 00000000..a1a76b8a
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isafw.py
@@ -0,0 +1,158 @@
+#
+# isafw.py - Main classes for ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+from __future__ import absolute_import, print_function
+
+import sys
+import traceback
+try:
+ # absolute import
+ import isafw.isaplugins as isaplugins
+except ImportError:
+ # relative import when installing as separate modules
+ import isaplugins
+try:
+ from bb import error
+except ImportError:
+ error = print
+
+__all__ = [
+ 'ISA_package',
+ 'ISA_pkg_list',
+ 'ISA_kernel',
+ 'ISA_filesystem',
+ 'ISA_config',
+ 'ISA',
+]
+
+# classes for representing objects for ISA plugins
+
+# source package
+
+
+class ISA_package:
+ # pkg name (mandatory argument)
+ name = ""
+ # full version (mandatory argument)
+ version = ""
+ licenses = [] # list of licences for all subpackages
+ aliases = [] # list of alias names for packages if exist
+ source_files = [] # list of strings of source files
+ patch_files = [] # list of patch files to be applied
+ path_to_sources = "" # path to the source files
+
+# package list
+
+
+class ISA_pkg_list:
+ # image name (mandatory argument)
+ img_name = ""
+ # path to the pkg list file (mandatory argument)
+ path_to_list = ""
+
+# kernel
+
+
+class ISA_kernel:
+ # image name (mandatory argument)
+ img_name = ""
+ # path to the kernel config file (mandatory argument)
+ path_to_config = ""
+
+# filesystem
+
+
+class ISA_filesystem:
+ # image name (mandatory argument)
+ img_name = ""
+ type = "" # filesystem type
+ # path to the fs location (mandatory argument)
+ path_to_fs = ""
+
+# configuration of ISAFW
+# if both whitelist and blacklist is empty, all avaliable plugins will be used
+# if whitelist has entries, then only whitelisted plugins will be used from a set of avaliable plugins
+# if blacklist has entries, then the specified plugins won't be used even
+# if avaliable and even if specified in whitelist
+
+
+class ISA_config:
+ plugin_whitelist = "" # comma separated list of plugins to whitelist
+ plugin_blacklist = "" # comma separated list of plugins to blacklist
+ cacert = None # If set, a CA certificate file that replaces the system default one
+ reportdir = "" # location of produced reports
+ logdir = "" # location of produced logs
+ timestamp = "" # timestamp of the build provided by build system
+ full_reports = False # produce full reports for plugins, False by default
+ machine = "" # name of machine build is produced for
+ la_plugin_image_whitelist = ""# whitelist of images for violating license checks
+ la_plugin_image_blacklist = ""# blacklist of images for violating license checks
+ arch = "" # target architecture
+
+class ISA:
+ def call_plugins(self, methodname, *parameters, **keywords):
+ for name in isaplugins.__all__:
+ plugin = getattr(isaplugins, name)
+ method = getattr(plugin, methodname, None)
+ if not method:
+ # Not having init() is an error, everything else is optional.
+ if methodname == "init":
+ error("No init() defined for plugin %s.\n"
+ "Skipping this plugin." %
+ (methodname, plugin.getPluginName()))
+ continue
+ if self.ISA_config.plugin_whitelist and plugin.getPluginName() not in self.ISA_config.plugin_whitelist:
+ continue
+ if self.ISA_config.plugin_blacklist and plugin.getPluginName() in self.ISA_config.plugin_blacklist:
+ continue
+ try:
+ method(*parameters, **keywords)
+ except:
+ error("Exception in plugin %s %s():\n%s" %
+ (plugin.getPluginName(),
+ methodname,
+ traceback.format_exc()))
+
+ def __init__(self, ISA_config):
+ self.ISA_config = ISA_config
+ self.call_plugins("init", ISA_config)
+
+ def process_package(self, ISA_package):
+ self.call_plugins("process_package", ISA_package)
+
+ def process_pkg_list(self, ISA_pkg_list):
+ self.call_plugins("process_pkg_list", ISA_pkg_list)
+
+ def process_kernel(self, ISA_kernel):
+ self.call_plugins("process_kernel", ISA_kernel)
+
+ def process_filesystem(self, ISA_filesystem):
+ self.call_plugins("process_filesystem", ISA_filesystem)
+
+ def process_report(self):
+ self.call_plugins("process_report")
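Review bot: The error() call in the "No init() defined" branch of call_plugins raises TypeError itself: the format string has one `%s` but is applied to the two-tuple `(methodname, plugin.getPluginName())`, so a plugin without init() aborts plugin dispatch instead of being skipped as the comment intends. Drop the extra argument: `error("No init() defined for plugin %s.\nSkipping this plugin." % plugin.getPluginName())`. The whitelist/blacklist tests are substring checks on the comma-separated string from ISA_config, so a plugin whose name is a substring of another listed name is accepted (or suppressed) by mistake; splitting once, `allowed = [p.strip() for p in self.ISA_config.plugin_whitelist.split(",") if p.strip()]`, and testing list membership avoids that. The bare `except:` around `method(*parameters, **keywords)` also swallows KeyboardInterrupt and SystemExit; `except Exception:` covers the logging intent.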
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
new file mode 100644
index 00000000..daecba1c
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
@@ -0,0 +1,392 @@
+#
+# ISA_cfa_plugin.py - Compile flag analyzer plugin, part of ISA FW
+# Main functionality is based on build_comp script from Clear linux project
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+import subprocess
+import os
+import sys
+import re
+import copy
+try:
+ from lxml import etree
+except ImportError:
+ try:
+ import xml.etree.cElementTree as etree
+ except ImportError:
+ import xml.etree.ElementTree as etree
+
+
+CFChecker = None
+
+
+class ISA_CFChecker():
+ initialized = False
+ no_relro = []
+ partial_relro = []
+ no_canary = []
+ no_pie = []
+ execstack = []
+ execstack_not_defined = []
+ nodrop_groups = []
+ no_mpx = []
+
+ def __init__(self, ISA_config):
+ self.logfile = ISA_config.logdir + "/isafw_cfalog"
+ self.full_report_name = ISA_config.reportdir + "/cfa_full_report_" + \
+ ISA_config.machine + "_" + ISA_config.timestamp
+ self.problems_report_name = ISA_config.reportdir + \
+ "/cfa_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
+ self.full_reports = ISA_config.full_reports
+ self.ISA_filesystem = ""
+ # check that checksec and other tools are installed
+ tools_errors = _check_tools()
+ if tools_errors:
+ with open(self.logfile, 'w') as flog:
+ flog.write(tools_errors)
+ return
+ self.initialized = True
+ with open(self.logfile, 'w') as flog:
+ flog.write("\nPlugin ISA_CFChecker initialized!\n")
+ return
+
+ def process_filesystem(self, ISA_filesystem):
+ self.ISA_filesystem = ISA_filesystem
+ fs_path = self.ISA_filesystem.path_to_fs
+ img_name = self.ISA_filesystem.img_name
+ if (self.initialized):
+ if (img_name and fs_path):
+ with open(self.logfile, 'a') as flog:
+ flog.write("\n\nFilesystem path is: " + fs_path)
+ if self.full_reports:
+ with open(self.full_report_name + "_" + img_name, 'w') as ffull_report:
+ ffull_report.write(
+ "Security-relevant flags for executables for image: " + img_name + '\n')
+ ffull_report.write("With rootfs location at " + fs_path + "\n\n")
+ files = self.find_files(fs_path)
+ import multiprocessing
+ pool = multiprocessing.Pool()
+ results = pool.imap(process_file_wrapper, files)
+ pool.close()
+ pool.join()
+ self.process_results(results)
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Mandatory arguments such as image name and path to the filesystem are not provided!\n")
+ flog.write("Not performing the call.\n")
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write("Plugin hasn't initialized! Not performing the call.\n")
+
+ def process_results(self, results):
+ fs_path = self.ISA_filesystem.path_to_fs
+ for result in results:
+ if not result:
+ with open(self.logfile, 'a') as flog:
+ flog.write("\nError in returned result")
+ continue
+ with open(self.logfile, 'a') as flog:
+ flog.write("\n\nFor file: " + str(result[0]) + "\nlog is: " + str(result[5]))
+ if result[1]:
+ with open(self.logfile, 'a') as flog:
+ flog.write("\n\nsec_field: " + str(result[1]))
+ if "No RELRO" in result[1]:
+ self.no_relro.append(result[0].replace(fs_path, ""))
+ elif "Partial RELRO" in result[1]:
+ self.partial_relro.append(result[0].replace(fs_path, ""))
+ if "No canary found" in result[1]:
+ self.no_canary.append(result[0].replace(fs_path, ""))
+ if "No PIE" in result[1]:
+ self.no_pie.append(result[0].replace(fs_path, ""))
+ if result[2]:
+ if result[2] == "execstack":
+ self.execstack.append(result[0].replace(fs_path, ""))
+ elif result[2] == "not_defined":
+ self.execstack_not_defined.append(result[0].replace(fs_path, ""))
+ if result[3] and (result[3] == True):
+ self.nodrop_groups.append(result[0].replace(fs_path, ""))
+ if result[4] and (result[4] == True):
+ self.no_mpx.append(result[0].replace(fs_path, ""))
+ self.write_full_report(result)
+ self.write_report()
+ self.write_report_xml()
+
+ def write_full_report(self, result):
+ if not self.full_reports:
+ return
+ fs_path = self.ISA_filesystem.path_to_fs
+ img_name = self.ISA_filesystem.img_name
+ with open(self.full_report_name + "_" + img_name, 'a') as ffull_report:
+ ffull_report.write('\nFile: ' + result[0].replace(fs_path, ""))
+ ffull_report.write('\nsecurity flags: ' + str(result[1]))
+ ffull_report.write('\nexecstack: ' + str(result[2]))
+ ffull_report.write('\nnodrop_groups: ' + str(result[3]))
+ ffull_report.write('\nno mpx: ' + str(result[4]))
+ ffull_report.write('\n')
+
+ def write_report(self):
+ fs_path = self.ISA_filesystem.path_to_fs
+ img_name = self.ISA_filesystem.img_name
+ with open(self.problems_report_name + "_" + img_name, 'w') as fproblems_report:
+ fproblems_report.write("Report for image: " + img_name + '\n')
+ fproblems_report.write("With rootfs location at " + fs_path + "\n\n")
+ fproblems_report.write("Relocation Read-Only\n")
+ fproblems_report.write("More information about RELRO and how to enable it:")
+ fproblems_report.write(
+ " http://tk-blog.blogspot.de/2009/02/relro-not-so-well-known-memory.html\n")
+ fproblems_report.write("Files with no RELRO:\n")
+ for item in self.no_relro:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("Files with partial RELRO:\n")
+ for item in self.partial_relro:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nStack protection\n")
+ fproblems_report.write(
+ "More information about canary stack protection and how to enable it:")
+ fproblems_report.write("https://lwn.net/Articles/584225/ \n")
+ fproblems_report.write("Files with no canary:\n")
+ for item in self.no_canary:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nPosition Independent Executable\n")
+ fproblems_report.write("More information about PIE protection and how to enable it:")
+ fproblems_report.write(
+ "https://securityblog.redhat.com/2012/11/28/position-independent-executables-pie/\n")
+ fproblems_report.write("Files with no PIE:\n")
+ for item in self.no_pie:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nNon-executable stack\n")
+ fproblems_report.write("Files with executable stack enabled:\n")
+ for item in self.execstack:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nFiles with no ability to fetch executable stack status:\n")
+ for item in self.execstack_not_defined:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nGrop initialization:\n")
+ fproblems_report.write(
+ "If using setuid/setgid calls in code, one must call initgroups or setgroups\n")
+ fproblems_report.write(
+ "Files that don't initialize groups while using setuid/setgid:\n")
+ for item in self.nodrop_groups:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nMemory Protection Extensions\n")
+ fproblems_report.write("More information about MPX protection and how to enable it:")
+ fproblems_report.write(
+ "https://software.intel.com/sites/default/files/managed/9d/f6/Intel_MPX_EnablingGuide.pdf\n")
+ fproblems_report.write("Files that don't have MPX protection enabled:\n")
+ for item in self.no_mpx:
+ fproblems_report.write(item + '\n')
+
+ def write_report_xml(self):
+ numTests = len(self.no_relro) + len(self.partial_relro) + len(self.no_canary) + len(self.no_pie) + \
+ len(self.execstack) + len(self.execstack_not_defined) + \
+ len(self.nodrop_groups) + len(self.no_mpx)
+ root = etree.Element('testsuite', name='ISA_CFChecker', tests=str(numTests))
+ if self.no_relro:
+ for item in self.no_relro:
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname='files_with_no_RELRO', name=item)
+ etree.SubElement(tcase1, 'failure', message=item, type='violation')
+ if self.partial_relro:
+ for item in self.partial_relro:
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname='files_with_partial_RELRO', name=item)
+ etree.SubElement(tcase1, 'failure', message=item, type='violation')
+ if self.no_canary:
+ for item in self.no_canary:
+ tcase2 = etree.SubElement(
+ root, 'testcase', classname='files_with_no_canary', name=item)
+ etree.SubElement(tcase2, 'failure', message=item, type='violation')
+ if self.no_pie:
+ for item in self.no_pie:
+ tcase3 = etree.SubElement(
+ root, 'testcase', classname='files_with_no_PIE', name=item)
+ etree.SubElement(tcase3, 'failure', message=item, type='violation')
+ if self.execstack:
+ for item in self.execstack:
+ tcase5 = etree.SubElement(
+ root, 'testcase', classname='files_with_execstack', name=item)
+ etree.SubElement(tcase5, 'failure', message=item, type='violation')
+ if self.execstack_not_defined:
+ for item in self.execstack_not_defined:
+ tcase6 = etree.SubElement(
+ root, 'testcase', classname='files_with_execstack_not_defined', name=item)
+ etree.SubElement(tcase6, 'failure', message=item, type='violation')
+ if self.nodrop_groups:
+ for item in self.nodrop_groups:
+ tcase7 = etree.SubElement(
+ root, 'testcase', classname='files_with_nodrop_groups', name=item)
+ etree.SubElement(tcase7, 'failure', message=item, type='violation')
+ if self.no_mpx:
+ for item in self.no_mpx:
+ tcase8 = etree.SubElement(
+ root, 'testcase', classname='files_with_no_mpx', name=item)
+ etree.SubElement(tcase8, 'failure', message=item, type='violation')
+ tree = etree.ElementTree(root)
+ output = self.problems_report_name + "_" + self.ISA_filesystem.img_name + '.xml'
+ try:
+ tree.write(output, encoding='UTF-8', pretty_print=True, xml_declaration=True)
+ except TypeError:
+ tree.write(output, encoding='UTF-8', xml_declaration=True)
+
+ def find_files(self, init_path):
+ list_of_files = []
+ for (dirpath, dirnames, filenames) in os.walk(init_path):
+ for f in filenames:
+ list_of_files.append(str(dirpath + "/" + f)[:])
+ return list_of_files
+
+
+def _check_tools():
+
+ def _is_in_path(executable):
+ "Check for presence of executable in PATH"
+ for path in os.environ["PATH"].split(os.pathsep):
+ path = path.strip('"')
+ if (os.path.isfile(os.path.join(path, executable)) and
+ os.access(os.path.join(path, executable), os.X_OK)):
+ return True
+ return False
+
+ tools = {
+ "checksec.sh": "Please install checksec from http://www.trapkit.de/tools/checksec.html\n",
+ "execstack": "Please install execstack from prelink package\n",
+ "readelf": "Please install binutils\n",
+ "objdump": "Please install binutils\n",
+ }
+ output = ""
+ for tool in tools:
+ if not _is_in_path(tool):
+ output += tools[tool]
+ return output
+
+
+def get_info(tool, args, file_name):
+ env = copy.deepcopy(os.environ)
+ env['PSEUDO_UNLOAD'] = "1"
+ cmd = [tool, args, file_name]
+ with open(os.devnull, 'wb') as DEVNULL:
+ try:
+ result = subprocess.check_output(cmd, stderr=DEVNULL, env=env).decode('utf-8')
+ except:
+ return ""
+ else:
+ return result
+
+def get_security_flags(file_name):
+ env = copy.deepcopy(os.environ)
+ env['PSEUDO_UNLOAD'] = "1"
+ cmd = ['checksec.sh', '--file', file_name]
+ try:
+ result = subprocess.check_output(cmd, env=env).decode('utf-8').splitlines()[1]
+ except:
+ return "Not able to fetch flags"
+ else:
+ # remove ansi escape color sequences
+ result = re.sub(r'\x1b[^m]*m', '', result)
+ return re.split(r' {2,}', result)[:-1]
+
+
+def process_file(file):
+ log = "File from map " + file
+ fun_results = [file, [], "", False, False, log]
+ if not os.path.isfile(file):
+ return fun_results
+ env = copy.deepcopy(os.environ)
+ env['PSEUDO_UNLOAD'] = "1"
+ # getting file type
+ cmd = ['file', '--mime-type', file]
+ try:
+ result = subprocess.check_output(cmd, env=env).decode('utf-8')
+ except:
+ fun_results[-1] += "\nNot able to decode mime type"
+ return fun_results
+ file_type = result.split()[-1]
+ # looking for links
+ if "symlink" in file_type:
+ file = os.path.realpath(file)
+ cmd = ['file', '--mime-type', file]
+ try:
+ result = subprocess.check_output(cmd, env=env).decode('utf-8')
+ except:
+ fun_results[-1] += "\nNot able to decode mime type"
+ return fun_results
+ file_type = result.split()[-1]
+ # checking security flags if applies
+ if "application" not in file_type:
+ return fun_results
+ fun_results[-1] += "\nFile type: " + file_type
+ if (("octet-stream" in file_type) or ("dosexec" in file_type) or
+ ("archive" in file_type) or ("xml" in file_type) or
+ ("gzip" in file_type) or ("postscript" in file_type) or
+ ("pdf" in file_type)):
+ return fun_results
+ fun_results[1] = get_security_flags(file)
+ tmp = get_info("execstack", '-q', file)
+ if tmp.startswith("X "):
+ fun_results[2] = "execstack"
+ elif tmp.startswith("? "):
+ fun_results[2] = "not_defined"
+ tmp = get_info("readelf", '-s', file)
+ if ("setgid@GLIBC" in tmp) or ("setegid@GLIBC" in tmp) or ("setresgid@GLIBC" in tmp):
+ if ("setuid@GLIBC" in tmp) or ("seteuid@GLIBC" in tmp) or ("setresuid@GLIBC" in tmp):
+ if ("setgroups@GLIBC" not in tmp) and ("initgroups@GLIBC" not in tmp):
+ fun_results[3] = True
+ tmp = get_info("objdump", '-d', file)
+ if ("bndcu" not in tmp) and ("bndcl" not in tmp) and ("bndmov" not in tmp):
+ fun_results[4] = True
+ return fun_results
+
+def process_file_wrapper(file):
+ # Ensures that exceptions get logged with the original backtrace.
+ # Without this, they appear with a backtrace rooted in
+ # the code which transfers back the result to process_results().
+ try:
+ return process_file(file)
+ except:
+ from isafw import isafw
+ import traceback
+ isafw.error('Internal error:\n%s' % traceback.format_exc())
+ raise
+
+# ======== supported callbacks from ISA ============ #
+
+
+def init(ISA_config):
+ global CFChecker
+ CFChecker = ISA_CFChecker(ISA_config)
+
+
+def getPluginName():
+ return "ISA_CFChecker"
+
+
+def process_filesystem(ISA_filesystem):
+ global CFChecker
+ return CFChecker.process_filesystem(ISA_filesystem)
+
+# =================================================== #
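Review bot: The finding lists (`no_relro`, `partial_relro`, `no_canary`, `no_pie`, `execstack`, `execstack_not_defined`, `nodrop_groups`, `no_mpx`) are class attributes of ISA_CFChecker that process_results only appends to and nothing ever clears, so if process_filesystem is invoked for a second image through the same CFChecker instance, the second image's problems report and XML also list the first image's files. Reset them as instance state at the top of the `if (img_name and fs_path):` branch, e.g. `self.no_relro, self.partial_relro, self.no_canary, self.no_pie = [], [], [], []` and `self.execstack, self.execstack_not_defined, self.nodrop_groups, self.no_mpx = [], [], [], []`. Two smaller points in the same hunk: get_security_flags returns the string `"Not able to fetch flags"` on failure, which process_results then treats like the list of checksec columns, so a binary whose flags could not be read lands in no category of the problems report and is only visible in the log; and `result[0].replace(fs_path, "")` strips every occurrence of the rootfs path rather than the leading one, where `result[0][len(fs_path):]` guarded by `startswith(fs_path)` is the intended operation.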
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py
new file mode 100644
index 00000000..268aa45c
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py
@@ -0,0 +1,217 @@
+#
+# ISA_cve_plugin.py - CVE checker plugin, part of ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+import subprocess
+import os, sys
+import re
+
+CVEChecker = None
+pkglist = "/cve_check_tool_pkglist"
+
+
+class ISA_CVEChecker:
+ initialized = False
+
+ def __init__(self, ISA_config):
+ self.cacert = ISA_config.cacert
+ self.reportdir = ISA_config.reportdir
+ self.timestamp = ISA_config.timestamp
+ self.logfile = ISA_config.logdir + "/isafw_cvelog"
+ self.report_name = ISA_config.reportdir + "/cve_report_" + \
+ ISA_config.machine + "_" + ISA_config.timestamp
+ self.initialized = True
+ with open(self.logfile, 'a') as flog:
+ flog.write("\nPlugin ISA_CVEChecker initialized!\n")
+ output = ""
+ # check that cve-check-tool is installed
+
+ def process_package(self, ISA_pkg):
+ if (self.initialized):
+ if (ISA_pkg.name and ISA_pkg.version and ISA_pkg.patch_files):
+ alias_pkgs_faux = []
+ # need to compose faux format line for cve-check-tool
+ cve_patch_info = self.process_patch_list(ISA_pkg.patch_files)
+ pkgline_faux = ISA_pkg.name + "," + ISA_pkg.version + "," + cve_patch_info + ",\n"
+ if ISA_pkg.aliases:
+ for a in ISA_pkg.aliases:
+ alias_pkgs_faux.append(
+ a + "," + ISA_pkg.version + "," + cve_patch_info + ",\n")
+ pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
+ with open(self.reportdir + pkglist_faux, 'a') as fauxfile:
+ fauxfile.write(pkgline_faux)
+ for a in alias_pkgs_faux:
+ fauxfile.write(a)
+
+ with open(self.logfile, 'a') as flog:
+ flog.write("\npkg info: " + pkgline_faux)
+ else:
+ self.initialized = False
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Mandatory arguments such as pkg name, version and list of patches are not provided!\n")
+ flog.write("Not performing the call.\n")
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Plugin hasn't initialized! Not performing the call.\n")
+
+ def process_report(self):
+ if not os.path.isfile(self.reportdir + pkglist + "_" + self.timestamp + ".faux"):
+ return
+ if (self.initialized):
+ with open(self.logfile, 'a') as flog:
+ flog.write("Creating report in HTML format.\n")
+ result = self.process_report_type("html")
+
+ with open(self.logfile, 'a') as flog:
+ flog.write("Creating report in CSV format.\n")
+ result = self.process_report_type("csv")
+
+ pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
+ os.remove(self.reportdir + pkglist_faux)
+
+ with open(self.logfile, 'a') as flog:
+ flog.write("Creating report in XML format.\n")
+ self.write_report_xml(result)
+
+ def write_report_xml(self, result):
+ try:
+ from lxml import etree
+ except ImportError:
+ try:
+ import xml.etree.cElementTree as etree
+ except ImportError:
+ import xml.etree.ElementTree as etree
+ num_tests = 0
+ root = etree.Element('testsuite', name='CVE_Plugin', tests='1')
+
+ if result :
+ num_tests = 1
+ tcase = etree.SubElement(
+ root, 'testcase', classname='ISA_CVEChecker', name="Error in cve-check-tool")
+ etree.SubElement( tcase, 'failure', message=result, type='violation')
+ else:
+ with open(self.report_name + ".csv", 'r') as f:
+ for line in f:
+ num_tests += 1
+ line = line.strip()
+ line_sp = line.split(',', 2)
+ if (len(line_sp) >= 3) and (line_sp[2].startswith('CVE')):
+ tcase = etree.SubElement(
+ root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
+ etree.SubElement(
+ tcase, 'failure', message=line, type='violation')
+ else:
+ tcase = etree.SubElement(
+ root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
+
+ root.set('tests', str(num_tests))
+ tree = etree.ElementTree(root)
+ output = self.report_name + '.xml'
+ try:
+ tree.write(output, encoding='UTF-8',
+ pretty_print=True, xml_declaration=True)
+ except TypeError:
+ tree.write(output, encoding='UTF-8', xml_declaration=True)
+
+ def process_report_type(self, rtype):
+ # now faux file is ready and we can process it
+ args = ""
+ result = ""
+ tool_stderr_value = ""
+ args += "cve-check-tool "
+ if self.cacert:
+ args += "--cacert '%s' " % self.cacert
+ if rtype != "html":
+ args += "-c "
+ rtype = "csv"
+ pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
+ args += "-a -t faux '" + self.reportdir + pkglist_faux + "'"
+ with open(self.logfile, 'a') as flog:
+ flog.write("Args: " + args)
+ try:
+ popen = subprocess.Popen(
+ args, shell=True, env=os.environ, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ result = popen.communicate()
+ except:
+ tool_stderr_value = "Error in executing cve-check-tool" + str(sys.exc_info())
+ with open(self.logfile, 'a') as flog:
+ flog.write("Error in executing cve-check-tool: " +
+ str(sys.exc_info()))
+ else:
+ stdout_value = result[0]
+ tool_stderr_value = result[1].decode('utf-8')
+ if not tool_stderr_value and popen.returncode == 0:
+ report = self.report_name + "." + rtype
+ with open(report, 'wb') as freport:
+ freport.write(stdout_value)
+ else:
+ tool_stderr_value = tool_stderr_value + \
+ "\ncve-check-tool terminated with exit code " + str(popen.returncode)
+ return tool_stderr_value
+
+ def process_patch_list(self, patch_files):
+ patch_info = ""
+ for patch in patch_files:
+ patch1 = patch.partition("cve")
+ if (patch1[0] == patch):
+ # no cve substring, try CVE
+ patch1 = patch.partition("CVE")
+ if (patch1[0] == patch):
+ continue
+ patchstripped = patch1[2].split('-')
+ try:
+ patch_info += " CVE-" + \
+ patchstripped[1] + "-" + re.findall('\d+', patchstripped[2])[0]
+ except IndexError:
+ # string parsing attempt failed, so just skip this patch
+ continue
+ return patch_info
+
+# ======== supported callbacks from ISA ============= #
+
+
+def init(ISA_config):
+ global CVEChecker
+ CVEChecker = ISA_CVEChecker(ISA_config)
+
+
+def getPluginName():
+ return "ISA_CVEChecker"
+
+
+def process_package(ISA_pkg):
+ global CVEChecker
+ return CVEChecker.process_package(ISA_pkg)
+
+
+def process_report():
+ global CVEChecker
+ return CVEChecker.process_report()
+
+# ==================================================== #
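Review bot: process_report_type runs cve-check-tool with `shell=True` on a command line assembled from `self.cacert` and `self.reportdir` and protected only by surrounding single quotes, so a path containing a single quote breaks the quoting and the remainder of the path is interpreted by the shell. Passing an argv list and dropping `shell=True` removes the quoting problem and keeps the same tool invocation (rewritten lines below; the error handling and report writing after the try are unchanged). In the same hunk, process_package sets `self.initialized = False` when a package arrives without `patch_files`, which disables the plugin for every later package and for process_report; logging the missing arguments and returning without touching `initialized` appears to be the intent. `re.findall('\d+', …)` in process_patch_list should use a raw string, `r'\d+'`, to avoid the invalid-escape warning.
```python
    def process_report_type(self, rtype):
        # now faux file is ready and we can process it
        result = ""
        tool_stderr_value = ""
        cmd = ["cve-check-tool"]
        if self.cacert:
            cmd += ["--cacert", self.cacert]
        if rtype != "html":
            cmd.append("-c")
            rtype = "csv"
        pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
        cmd += ["-a", "-t", "faux", self.reportdir + pkglist_faux]
        with open(self.logfile, 'a') as flog:
            flog.write("Args: " + " ".join(cmd))
        try:
            popen = subprocess.Popen(
                cmd, env=os.environ, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            result = popen.communicate()
        # … unchanged: except/else branches writing the report and tool_stderr_value …
```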
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py
new file mode 100644
index 00000000..09097566
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py
@@ -0,0 +1,185 @@
+#
+# ISA_fsa_plugin.py - Filesystem analyser plugin, part of ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+import os
+from stat import *
+try:
+ from lxml import etree
+except ImportError:
+ try:
+ import xml.etree.cElementTree as etree
+ except ImportError:
+ import xml.etree.ElementTree as etree
+
+
+FSAnalyzer = None
+
+
+class ISA_FSChecker():
+ initialized = False
+
+ def __init__(self, ISA_config):
+ self.logfile = ISA_config.logdir + "/isafw_fsalog"
+ self.full_report_name = ISA_config.reportdir + "/fsa_full_report_" + \
+ ISA_config.machine + "_" + ISA_config.timestamp
+ self.problems_report_name = ISA_config.reportdir + \
+ "/fsa_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
+ self.full_reports = ISA_config.full_reports
+ self.initialized = True
+ self.setuid_files = []
+ self.setgid_files = []
+ self.ww_files = []
+ self.no_sticky_bit_ww_dirs = []
+ with open(self.logfile, 'w') as flog:
+ flog.write("\nPlugin ISA_FSChecker initialized!\n")
+
+ def process_filesystem(self, ISA_filesystem):
+ if (self.initialized):
+ if (ISA_filesystem.img_name and ISA_filesystem.path_to_fs):
+ with open(self.logfile, 'a') as flog:
+ flog.write("Analyzing filesystem at: " + ISA_filesystem.path_to_fs +
+ " for the image: " + ISA_filesystem.img_name + "\n")
+ self.files = self.find_fsobjects(ISA_filesystem.path_to_fs)
+ with open(self.logfile, 'a') as flog:
+ flog.write("\nFilelist is: " + str(self.files))
+ if self.full_reports:
+ with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'w') as ffull_report:
+ ffull_report.write(
+ "Report for image: " + ISA_filesystem.img_name + '\n')
+ ffull_report.write(
+ "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n")
+ for f in self.files:
+ st = os.lstat(f)
+ i = f.replace(ISA_filesystem.path_to_fs, "")
+ if self.full_reports:
+ with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'a') as ffull_report:
+ ffull_report.write("File: " + i + ' mode: ' + str(oct(st.st_mode)) +
+ " uid: " + str(st.st_uid) + " gid: " + str(st.st_gid) + '\n')
+ if ((st.st_mode & S_ISUID) == S_ISUID):
+ self.setuid_files.append(i)
+ if ((st.st_mode & S_ISGID) == S_ISGID):
+ self.setgid_files.append(i)
+ if ((st.st_mode & S_IWOTH) == S_IWOTH):
+ if (((st.st_mode & S_IFDIR) == S_IFDIR) and ((st.st_mode & S_ISVTX) != S_ISVTX)):
+ self.no_sticky_bit_ww_dirs.append(i)
+ if (((st.st_mode & S_IFREG) == S_IFREG) and ((st.st_mode & S_IFLNK) != S_IFLNK)):
+ self.ww_files.append(i)
+ self.write_problems_report(ISA_filesystem)
+ self.write_problems_report_xml(ISA_filesystem)
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Mandatory arguments such as image name and path to the filesystem are not provided!\n")
+ flog.write("Not performing the call.\n")
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Plugin hasn't initialized! Not performing the call.\n")
+
+ def write_problems_report(self, ISA_filesystem):
+ with open(self.problems_report_name + "_" + ISA_filesystem.img_name, 'w') as fproblems_report:
+ fproblems_report.write(
+ "Report for image: " + ISA_filesystem.img_name + '\n')
+ fproblems_report.write(
+ "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n")
+ fproblems_report.write("Files with SETUID bit set:\n")
+ for item in self.setuid_files:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nFiles with SETGID bit set:\n")
+ for item in self.setgid_files:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nWorld-writable files:\n")
+ for item in self.ww_files:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write(
+ "\n\nWorld-writable dirs with no sticky bit:\n")
+ for item in self.no_sticky_bit_ww_dirs:
+ fproblems_report.write(item + '\n')
+
+ def write_problems_report_xml(self, ISA_filesystem):
+ num_tests = len(self.setuid_files) + len(self.setgid_files) + \
+ len(self.ww_files) + len(self.no_sticky_bit_ww_dirs)
+ root = etree.Element(
+ 'testsuite', name='FSA_Plugin', tests=str(num_tests))
+ if self.setuid_files:
+ for item in self.setuid_files:
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname='Files_with_SETUID_bit_set', name=item)
+ etree.SubElement(
+ tcase1, 'failure', message=item, type='violation')
+ if self.setgid_files:
+ for item in self.setgid_files:
+ tcase2 = etree.SubElement(
+ root, 'testacase', classname='Files_with_SETGID_bit_set', name=item)
+ etree.SubElement(
+ tcase2, 'failure', message=item, type='violation')
+ if self.ww_files:
+ for item in self.ww_files:
+ tcase3 = etree.SubElement(
+ root, 'testase', classname='World-writable_files', name=item)
+ etree.SubElement(
+ tcase3, 'failure', message=item, type='violation')
+ if self.no_sticky_bit_ww_dirs:
+ for item in self.no_sticky_bit_ww_dirs:
+ tcase4 = etree.SubElement(
+ root, 'testcase', classname='World-writable_dirs_with_no_sticky_bit', name=item)
+ etree.SubElement(
+ tcase4, 'failure', message=item, type='violation')
+ tree = etree.ElementTree(root)
+ output = self.problems_report_name + "_" + ISA_filesystem.img_name + '.xml'
+ try:
+ tree.write(output, encoding='UTF-8',
+ pretty_print=True, xml_declaration=True)
+ except TypeError:
+ tree.write(output, encoding='UTF-8', xml_declaration=True)
+
+ def find_fsobjects(self, init_path):
+ list_of_files = []
+ for (dirpath, dirnames, filenames) in os.walk(init_path):
+ if (dirpath != init_path):
+ list_of_files.append(str(dirpath)[:])
+ for f in filenames:
+ list_of_files.append(str(dirpath + "/" + f)[:])
+ return list_of_files
+
+# ======== supported callbacks from ISA ============= #
+
+
+def init(ISA_config):
+ global FSAnalyzer
+ FSAnalyzer = ISA_FSChecker(ISA_config)
+
+
+def getPluginName():
+ return "ISA_FSChecker"
+
+
+def process_filesystem(ISA_filesystem):
+ global FSAnalyzer
+ return FSAnalyzer.process_filesystem(ISA_filesystem)
+
+# ==================================================== #
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py
new file mode 100644
index 00000000..ba09819d
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py
@@ -0,0 +1,323 @@
+#
+# ISA_kca_plugin.py - Kernel config options analyzer plugin, part of ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+try:
+ from lxml import etree
+except ImportError:
+ try:
+ import xml.etree.cElementTree as etree
+ except ImportError:
+ import xml.etree.ElementTree as etree
+import importlib
+
+KCAnalyzer = None
+
+
+class ISA_KernelChecker():
+ initialized = False
+
+ def __init__(self, ISA_config):
+ self.logfile = ISA_config.logdir + "/isafw_kcalog"
+ self.full_report_name = ISA_config.reportdir + "/kca_full_report_" + \
+ ISA_config.machine + "_" + ISA_config.timestamp
+ self.problems_report_name = ISA_config.reportdir + \
+ "/kca_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
+ self.full_reports = ISA_config.full_reports
+ self.initialized = True
+ self.arch = ISA_config.arch
+ with open(self.logfile, 'w') as flog:
+ flog.write("\nPlugin ISA_KernelChecker initialized!\n")
+
+ def append_recommendation(self, report, key, value):
+ report.write("Recommended value:\n")
+ report.write(key + ' : ' + str(value) + '\n')
+ comment = self.comments.get(key, '')
+ if comment != '':
+ report.write("Comment:\n")
+ report.write(comment + '\n')
+
+ def process_kernel(self, ISA_kernel):
+ if (self.initialized):
+ if (ISA_kernel.img_name and ISA_kernel.path_to_config):
+ # Merging common and arch configs
+ common_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format('common'))
+ arch_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format(self.arch))
+
+ for c in ["hardening_kco", "keys_kco", "security_kco", "integrity_kco",
+ "hardening_kco_ref", "keys_kco_ref", "security_kco_ref", "integrity_kco_ref",
+ "comments"]:
+ setattr(self, c, merge_config(getattr(arch_config_module, c), getattr(common_config_module, c)))
+ with open(self.logfile, 'a') as flog:
+ flog.write("Analyzing kernel config file at: " + ISA_kernel.path_to_config +
+ " for the image: " + ISA_kernel.img_name + "\n")
+ with open(ISA_kernel.path_to_config, 'r') as fkernel_conf:
+ for line in fkernel_conf:
+ line = line.strip('\n')
+ for key in self.hardening_kco:
+ if key + '=' in line:
+ self.hardening_kco[key] = line.split('=')[1]
+ for key in self.keys_kco:
+ if key + '=' in line:
+ self.keys_kco[key] = line.split('=')[1]
+ for key in self.security_kco:
+ if key + '=' in line:
+ self.security_kco[key] = line.split('=')[1]
+ for key in self.integrity_kco:
+ if key + '=' in line:
+ self.integrity_kco[key] = line.split('=')[1]
+ with open(self.logfile, 'a') as flog:
+ flog.write("\n\nhardening_kco values: " +
+ str(self.hardening_kco))
+ flog.write("\n\nkeys_kco values: " + str(self.keys_kco))
+ flog.write("\n\nsecurity_kco values: " +
+ str(self.security_kco))
+ flog.write("\n\nintegrity_kco values: " +
+ str(self.integrity_kco))
+ self.write_full_report(ISA_kernel)
+ self.write_problems_report(ISA_kernel)
+
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Mandatory arguments such as image name and path to config are not provided!\n")
+ flog.write("Not performing the call.\n")
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Plugin hasn't initialized! Not performing the call!\n")
+
+ def write_full_report(self, ISA_kernel):
+ if self.full_reports:
+ with open(self.full_report_name + "_" + ISA_kernel.img_name, 'w') as freport:
+ freport.write("Report for image: " +
+ ISA_kernel.img_name + '\n')
+ freport.write("With the kernel conf at: " +
+ ISA_kernel.path_to_config + '\n\n')
+ freport.write("Hardening options:\n")
+ for key in sorted(self.hardening_kco):
+ freport.write(
+ key + ' : ' + str(self.hardening_kco[key]) + '\n')
+ freport.write("\nKey-related options:\n")
+ for key in sorted(self.keys_kco):
+ freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n')
+ freport.write("\nSecurity options:\n")
+ for key in sorted(self.security_kco):
+ freport.write(
+ key + ' : ' + str(self.security_kco[key]) + '\n')
+ freport.write("\nIntegrity options:\n")
+ for key in sorted(self.integrity_kco):
+ freport.write(
+ key + ' : ' + str(self.integrity_kco[key]) + '\n')
+
+ def write_problems_report(self, ISA_kernel):
+ self.write_text_problems_report(ISA_kernel)
+ self.write_xml_problems_report(ISA_kernel)
+
+ def write_text_problems_report(self, ISA_kernel):
+ with open(self.problems_report_name + "_" + ISA_kernel.img_name, 'w') as freport:
+ freport.write("Report for image: " + ISA_kernel.img_name + '\n')
+ freport.write("With the kernel conf at: " +
+ ISA_kernel.path_to_config + '\n\n')
+ freport.write("Hardening options that need improvement:\n")
+ for key in sorted(self.hardening_kco):
+ if (self.hardening_kco[key] != self.hardening_kco_ref[key]):
+ valid = False
+ if (key == "CONFIG_CMDLINE"):
+ if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0):
+ valid = True
+ if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"):
+ if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'):
+ valid = True
+ if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"):
+ options = self.hardening_kco_ref[key].split(',')
+ for option in options:
+ if (option == self.hardening_kco[key]):
+ valid = True
+ break
+ if not valid:
+ freport.write("\nActual value:\n")
+ freport.write(
+ key + ' : ' + str(self.hardening_kco[key]) + '\n')
+ self.append_recommendation(freport, key, self.hardening_kco_ref[key])
+ freport.write("\nKey-related options that need improvement:\n")
+ for key in sorted(self.keys_kco):
+ if (self.keys_kco[key] != self.keys_kco_ref[key]):
+ freport.write("\nActual value:\n")
+ freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n')
+ self.append_recommendation(freport, key, self.keys_kco_ref[key])
+ freport.write("\nSecurity options that need improvement:\n")
+ for key in sorted(self.security_kco):
+ if (self.security_kco[key] != self.security_kco_ref[key]):
+ valid = False
+ if (key == "CONFIG_DEFAULT_SECURITY"):
+ options = self.security_kco_ref[key].split(',')
+ for option in options:
+ if (option == self.security_kco[key]):
+ valid = True
+ break
+ if ((key == "CONFIG_SECURITY_SELINUX") or
+ (key == "CONFIG_SECURITY_SMACK") or
+ (key == "CONFIG_SECURITY_APPARMOR") or
+ (key == "CONFIG_SECURITY_TOMOYO")):
+ if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')):
+ valid = True
+ if not valid:
+ freport.write("\nActual value:\n")
+ freport.write(
+ key + ' : ' + str(self.security_kco[key]) + '\n')
+ self.append_recommendation(freport, key, self.security_kco_ref[key])
+ freport.write("\nIntegrity options that need improvement:\n")
+ for key in sorted(self.integrity_kco):
+ if (self.integrity_kco[key] != self.integrity_kco_ref[key]):
+ valid = False
+ if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_WP512")):
+ if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or
+ (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')):
+ valid = True
+ if not valid:
+ freport.write("\nActual value:\n")
+ freport.write(
+ key + ' : ' + str(self.integrity_kco[key]) + '\n')
+ self.append_recommendation(freport, key, self.integrity_kco_ref[key])
+
+ def write_xml_problems_report(self, ISA_kernel):
+ # write_problems_report_xml
+ num_tests = len(self.hardening_kco) + len(self.keys_kco) + \
+ len(self.security_kco) + len(self.integrity_kco)
+ root = etree.Element(
+ 'testsuite', name='KCA_Plugin', tests=str(num_tests))
+ for key in sorted(self.hardening_kco):
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname='Hardening options', name=key)
+ if (self.hardening_kco[key] != self.hardening_kco_ref[key]):
+ valid = False
+ if (key == "CONFIG_CMDLINE"):
+ if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0):
+ valid = True
+ if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"):
+ if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'):
+ valid = True
+ if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"):
+ options = self.hardening_kco_ref[key].split(',')
+ for option in options:
+ if (option == self.hardening_kco[key]):
+ valid = True
+ break
+ if not valid:
+ msg1 = 'current=' + key + ' is ' + \
+ str(self.hardening_kco[
+ key]) + ', recommended=' + key + ' is ' + str(self.hardening_kco_ref[key])
+ etree.SubElement(
+ tcase1, 'failure', message=msg1, type='violation')
+ for key in sorted(self.keys_kco):
+ tcase2 = etree.SubElement(
+ root, 'testcase', classname='Key-related options', name=key)
+ if (self.keys_kco[key] != self.keys_kco_ref[key]):
+ msg2 = 'current=' + key + ' is ' + \
+ str(self.keys_kco[key] + ', recommended=' +
+ key + ' is ' + str(self.keys_kco_ref[key]))
+ etree.SubElement(
+ tcase2, 'failure', message=msg2, type='violation')
+ for key in sorted(self.security_kco):
+ tcase3 = etree.SubElement(
+ root, 'testcase', classname='Security options', name=key)
+ if (self.security_kco[key] != self.security_kco_ref[key]):
+ valid = False
+ if (key == "CONFIG_DEFAULT_SECURITY"):
+ options = self.security_kco_ref[key].split(',')
+ for option in options:
+ if (option == self.security_kco[key]):
+ valid = True
+ break
+ if ((key == "CONFIG_SECURITY_SELINUX") or
+ (key == "CONFIG_SECURITY_SMACK") or
+ (key == "CONFIG_SECURITY_APPARMOR") or
+ (key == "CONFIG_SECURITY_TOMOYO")):
+ if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')):
+ valid = True
+ if not valid:
+ msg3 = 'current=' + key + ' is ' + \
+ str(self.security_kco[key]) + ', recommended=' + \
+ key + ' is ' + str(self.security_kco_ref[key])
+ etree.SubElement(
+ tcase3, 'failure', message=msg3, type='violation')
+ for key in sorted(self.integrity_kco):
+ tcase4 = etree.SubElement(
+ root, 'testcase', classname='Integrity options', name=key)
+ if (self.integrity_kco[key] != self.integrity_kco_ref[key]):
+ valid = False
+ if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_WP512")):
+ if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or
+ (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')):
+ valid = True
+ if not valid:
+ msg4 = 'current=' + key + ' is ' + \
+ str(self.integrity_kco[
+ key]) + ', recommended=' + key + ' is ' + str(self.integrity_kco_ref[key])
+ etree.SubElement(
+ tcase4, 'failure', message=msg4, type='violation')
+ tree = etree.ElementTree(root)
+ output = self.problems_report_name + "_" + ISA_kernel.img_name + '.xml'
+ try:
+ tree.write(output, encoding='UTF-8',
+ pretty_print=True, xml_declaration=True)
+ except TypeError:
+ tree.write(output, encoding='UTF-8', xml_declaration=True)
+
+
+def merge_config(arch_kco, common_kco):
+ merged = arch_kco.copy()
+ merged.update(common_kco)
+ return merged
+
+# ======== supported callbacks from ISA ============= #
+def init(ISA_config):
+ global KCAnalyzer
+ KCAnalyzer = ISA_KernelChecker(ISA_config)
+
+
+def getPluginName():
+ return "ISA_KernelChecker"
+
+
+def process_kernel(ISA_kernel):
+ global KCAnalyzer
+ return KCAnalyzer.process_kernel(ISA_kernel)
+# ==================================================== #
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
new file mode 100644
index 00000000..20e7e26b
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
@@ -0,0 +1,273 @@
+#
+# ISA_la_plugin.py - License analyzer plugin, part of ISA FW
+# Functionality is based on similar scripts from Clear linux project
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+import subprocess
+import os, sys
+
+LicenseChecker = None
+
+flicenses = "/configs/la/licenses"
+fapproved_non_osi = "/configs/la/approved-non-osi"
+fexceptions = "/configs/la/exceptions"
+funwanted = "/configs/la/violations"
+
+
+class ISA_LicenseChecker():
+ initialized = False
+ rpm_present = False
+
+ def __init__(self, ISA_config):
+ self.logfile = ISA_config.logdir + "/isafw_lalog"
+ self.unwanted = []
+ self.report_name = ISA_config.reportdir + "/la_problems_report_" + \
+ ISA_config.machine + "_" + ISA_config.timestamp
+ self.image_pkg_list = ISA_config.reportdir + "/pkglist"
+ self.image_pkgs = []
+ self.la_plugin_image_whitelist = ISA_config.la_plugin_image_whitelist
+ self.la_plugin_image_blacklist = ISA_config.la_plugin_image_blacklist
+ self.initialized = True
+ with open(self.logfile, 'a') as flog:
+ flog.write("\nPlugin ISA_LA initialized!\n")
+ # check that rpm is installed (supporting only rpm packages for now)
+ DEVNULL = open(os.devnull, 'wb')
+ rc = subprocess.call(["which", "rpm"], stdout=DEVNULL, stderr=DEVNULL)
+ DEVNULL.close()
+ if rc == 0:
+ self.rpm_present = True
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write("rpm tool is missing! Licence info is expected from build system\n")
+
+ def process_package(self, ISA_pkg):
+ if (self.initialized):
+ if ISA_pkg.name:
+ if (not ISA_pkg.licenses):
+ # need to determine licenses first
+ # for this we need rpm tool to be present
+ if (not self.rpm_present):
+ with open(self.logfile, 'a') as flog:
+ flog.write("rpm tool is missing and licence info is not provided. Cannot proceed.\n")
+ return;
+ if (not ISA_pkg.source_files):
+ if (not ISA_pkg.path_to_sources):
+ self.initialized = False
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "No path to sources or source file list is provided!")
+ flog.write(
+ "\nNot able to determine licenses for package: " + ISA_pkg.name)
+ return
+ # need to build list of source files
+ ISA_pkg.source_files = self.find_files(
+ ISA_pkg.path_to_sources)
+ for i in ISA_pkg.source_files:
+ if (i.endswith(".spec")):# supporting rpm only for now
+ args = ("rpm", "-q", "--queryformat",
+ "%{LICENSE} ", "--specfile", i)
+ try:
+ popen = subprocess.Popen(
+ args, stdout=subprocess.PIPE)
+ popen.wait()
+ ISA_pkg.licenses = popen.stdout.read().split()
+ except:
+ self.initialized = False
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Error in executing rpm query: " + str(sys.exc_info()))
+ flog.write(
+ "\nNot able to process package: " + ISA_pkg.name)
+ return
+ for l in ISA_pkg.licenses:
+ if (not self.check_license(l, flicenses) and
+ not self.check_license(l, fapproved_non_osi) and
+ not self.check_exceptions(ISA_pkg.name, l, fexceptions)):
+ # log the package as not following correct license
+ with open(self.report_name, 'a') as freport:
+ freport.write(l + "\n")
+ if (self.check_license(l, funwanted)):
+ # log the package as having license that should not be
+ # used
+ with open(self.report_name + "_unwanted", 'a') as freport:
+ freport.write(l + "\n")
+ else:
+ self.initialized = False
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Mandatory argument package name is not provided!\n")
+ flog.write("Not performing the call.\n")
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Plugin hasn't initialized! Not performing the call.")
+
+ def process_report(self):
+ if (self.initialized):
+ with open(self.logfile, 'a') as flog:
+ flog.write("Creating report with violating licenses.\n")
+ self.process_pkg_list()
+ self.write_report_unwanted()
+ with open(self.logfile, 'a') as flog:
+ flog.write("Creating report in XML format.\n")
+ self.write_report_xml()
+
+ def process_pkg_list(self):
+ if os.path.isfile (self.image_pkg_list):
+ img_name = ""
+ with open(self.image_pkg_list, 'r') as finput:
+ for line in finput:
+ line = line.strip()
+ if not line:
+ continue
+ if line.startswith("Packages "):
+ img_name = line.split()[3]
+ with open(self.logfile, 'a') as flog:
+ flog.write("img_name: " + img_name + "\n")
+ continue
+ package_info = line.split()
+ pkg_name = package_info[0]
+ orig_pkg_name = package_info[2]
+ if (not self.image_pkgs) or ((pkg_name + " from " + img_name) not in self.image_pkgs):
+ self.image_pkgs.append(pkg_name + " from " + img_name + " " + orig_pkg_name)
+
+ def write_report_xml(self):
+ try:
+ from lxml import etree
+ except ImportError:
+ try:
+ import xml.etree.cElementTree as etree
+ except ImportError:
+ import xml.etree.ElementTree as etree
+ num_tests = 0
+ root = etree.Element('testsuite', name='LA_Plugin', tests='2')
+ if os.path.isfile(self.report_name):
+ with open(self.report_name, 'r') as f:
+ class_name = "Non-approved-licenses"
+ for line in f:
+ line = line.strip()
+ if line == "":
+ continue
+ if line.startswith("Packages that "):
+ class_name = "Violating-licenses"
+ continue
+ num_tests += 1
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname=class_name, name=line.split(':', 1)[0])
+ etree.SubElement(
+ tcase1, 'failure', message=line, type='violation')
+ else:
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname='ISA_LAChecker', name='none')
+ num_tests = 1
+ root.set('tests', str(num_tests))
+ tree = etree.ElementTree(root)
+ output = self.report_name + '.xml'
+ try:
+ tree.write(output, encoding='UTF-8',
+ pretty_print=True, xml_declaration=True)
+ except TypeError:
+ tree.write(output, encoding='UTF-8', xml_declaration=True)
+
+ def write_report_unwanted(self):
+ if os.path.isfile(self.report_name + "_unwanted"):
+ with open(self.logfile, 'a') as flog:
+ flog.write("image_pkgs: " + str(self.image_pkgs) + "\n")
+ flog.write("self.la_plugin_image_whitelist: " + str(self.la_plugin_image_whitelist) + "\n")
+ flog.write("self.la_plugin_image_blacklist: " + str(self.la_plugin_image_blacklist) + "\n")
+ with open(self.report_name, 'a') as fout:
+ with open(self.report_name + "_unwanted", 'r') as f:
+ fout.write(
+ "\n\nPackages that violate mandatory license requirements:\n")
+ for line in f:
+ line = line.strip()
+ pkg_name = line.split(':',1)[0]
+ if (not self.image_pkgs):
+ fout.write(line + " from image name not available \n")
+ continue
+ for pkg_info in self.image_pkgs:
+ image_pkg_name = pkg_info.split()[0]
+ image_name = pkg_info.split()[2]
+ image_orig_pkg_name = pkg_info.split()[3]
+ if ((image_pkg_name == pkg_name) or (image_orig_pkg_name == pkg_name)):
+ if self.la_plugin_image_whitelist and (image_name not in self.la_plugin_image_whitelist):
+ continue
+ if self.la_plugin_image_blacklist and (image_name in self.la_plugin_image_blacklist):
+ continue
+ fout.write(line + " from image " + image_name)
+ if (image_pkg_name != image_orig_pkg_name):
+ fout.write(" binary_pkg_name " + image_pkg_name + "\n")
+ continue
+ fout.write("\n")
+ os.remove(self.report_name + "_unwanted")
+
+ def find_files(self, init_path):
+ list_of_files = []
+ for (dirpath, dirnames, filenames) in os.walk(init_path):
+ for f in filenames:
+ list_of_files.append(str(dirpath + "/" + f)[:])
+ return list_of_files
+
+ def check_license(self, license, file_path):
+ with open(os.path.dirname(__file__) + file_path, 'r') as f:
+ for line in f:
+ s = line.rstrip()
+ curr_license = license.split(':',1)[1]
+ if s == curr_license:
+ return True
+ return False
+
+ def check_exceptions(self, pkg_name, license, file_path):
+ with open(os.path.dirname(__file__) + file_path, 'r') as f:
+ for line in f:
+ s = line.rstrip()
+ curr_license = license.split(':',1)[1]
+ if s == pkg_name + " " + curr_license:
+ return True
+ return False
+
+# ======== supported callbacks from ISA ============= #
+
+def init(ISA_config):
+ global LicenseChecker
+ LicenseChecker = ISA_LicenseChecker(ISA_config)
+
+
+def getPluginName():
+ return "ISA_LicenseChecker"
+
+
+def process_package(ISA_pkg):
+ global LicenseChecker
+ return LicenseChecker.process_package(ISA_pkg)
+
+
+def process_report():
+ global LicenseChecker
+ return LicenseChecker.process_report()
+
+# ==================================================== #
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/__init__.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/__init__.py
new file mode 100644
index 00000000..ad1997d0
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/__init__.py
@@ -0,0 +1,42 @@
+#
+# __init__.py - part of ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+import glob
+import keyword
+import os
+import sys
+
+basedir = os.path.dirname(__file__)
+
+__all__ = []
+for name in glob.glob(os.path.join(basedir, '*.py')):
+ module = os.path.splitext(os.path.split(name)[-1])[0]
+ if not module.startswith('_') and not keyword.iskeyword(module):
+ __import__(__name__ + '.' + module)
+ __all__.append(module)
+__all__.sort()
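Review bot: The loader at the bottom of the file runs `__import__` on every `*.py` it finds next to `__init__.py`, so any file dropped into the isaplugins directory is executed at import time with the privileges of the build; that is the intended plugin mechanism, but it makes the directory's ownership and write permissions part of the trust boundary and nothing here says so. A one-line comment above the loop would make that explicit: `# Every *.py in this directory is imported (i.e. executed) as a plugin; keep it writable only by the build user.` Separately, `import sys` on L5948 is unused in this module and can be dropped.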
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py
new file mode 100644
index 00000000..d47ba9f1
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py
@@ -0,0 +1,24 @@
+############################################################################################
+# Kernel Hardening Configurations
+############################################################################################
+hardening_kco = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'not set',}
+hardening_kco_ref = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': '32768',}
+############################################################################################
+# Keys Kernel Configuration
+############################################################################################
+keys_kco = {}
+keys_kco_ref = {}
+############################################################################################
+# Security Kernel Configuration
+############################################################################################
+security_kco = {'CONFIG_LSM_MMAP_MIN_ADDR': 'not set',}
+security_kco_ref = {'CONFIG_LSM_MMAP_MIN_ADDR': '32768',}
+############################################################################################
+# Integrity Kernel Configuration
+############################################################################################
+integrity_kco = {}
+integrity_kco_ref = {}
+############################################################################################
+# Comments
+############################################################################################
+comments = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.'}
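Review bot: `comments` only carries an entry for CONFIG_DEFAULT_MMAP_MIN_ADDR, while `security_kco` on L5988 also checks CONFIG_LSM_MMAP_MIN_ADDR, so the report line for that option will come out without an explanation. Suggest adding `'CONFIG_LSM_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that the active LSM protects from userspace allocation. Keeping a user from mapping low pages reduces the impact of kernel NULL pointer bugs.'` so both ARM-specific checks are documented the same way.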
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py
new file mode 100644
index 00000000..faa388ca
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py
@@ -0,0 +1,242 @@
+############################################################################################
+# Kernel Hardening Configurations
+############################################################################################
+hardening_kco = {'CONFIG_SERIAL_8250_CONSOLE': 'not set',
+ 'CONFIG_SERIAL_CORE': 'not set',
+ 'CONFIG_SERIAL_CORE_CONSOLE': 'not set',
+ 'CONFIG_CMDLINE_BOOL': 'not set',
+ 'CONFIG_CMDLINE': 'not set',
+ 'CONFIG_CMDLINE_OVERRIDE': 'not set',
+ 'CONFIG_DEBUG_INFO': 'not set',
+ 'CONFIG_KGDB': 'not set',
+ 'CONFIG_KPROBES': 'not set',
+ 'CONFIG_FTRACE': 'not set',
+ 'CONFIG_OPROFILE': 'not set',
+ 'CONFIG_PROFILING': 'not set',
+ 'CONFIG_MAGIC_SYSRQ': 'not set',
+ 'CONFIG_DEBUG_BUGVERBOSE': 'not set',
+ 'CONFIG_IP_PNP': 'not set',
+ 'CONFIG_IKCONFIG': 'not set',
+ 'CONFIG_SWAP': 'not set',
+ 'CONFIG_NAMESPACES': 'not set',
+ 'CONFIG_NFSD': 'not set',
+ 'CONFIG_NFS_FS': 'not set',
+ 'CONFIG_BINFMT_MISC': 'not set',
+ 'CONFIG_KALLSYMS': 'not set',
+ 'CONFIG_KALLSYMS_ALL': 'not set',
+ 'CONFIG_BUG': 'not set',
+ 'CONFIG_SYSCTL_SYSCALL': 'not set',
+ 'CONFIG_MODULE_UNLOAD': 'not set',
+ 'CONFIG_MODULE_FORCE_LOAD': 'not set',
+ 'CONFIG_DEVMEM': 'not set',
+ 'CONFIG_COREDUMP': 'not set',
+ 'CONFIG_CROSS_MEMORY_ATTACH': 'not set',
+ 'CONFIG_UNIX_DIAG': 'not set',
+ 'CONFIG_CHECKPOINT_RESTORE': 'not set',
+ 'CONFIG_PANIC_ON_OOPS': 'not set',
+ 'CONFIG_PACKET_DIAG': 'not set',
+ 'CONFIG_FW_LOADER_USER_HELPER': 'not set',
+ 'CONFIG_BPF_JIT': 'not set',
+ 'CONFIG_USELIB': 'not set',
+ 'CONFIG_CC_STACKPROTECTOR': 'not set',
+ 'CONFIG_KEXEC': 'not set',
+ 'CONFIG_PROC_KCORE': 'not set',
+ 'CONFIG_SECURITY_DMESG_RESTRICT': 'not set',
+ 'CONFIG_DEBUG_STACKOVERFLOW': 'not set',
+ 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'not set',
+ 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'not set',
+ 'CONFIG_IKCONFIG_PROC': 'not set',
+ 'CONFIG_RANDOMIZE_BASE': 'not set',
+ 'CONFIG_DEBUG_RODATA': 'not set',
+ 'CONFIG_STRICT_DEVMEM': 'not set',
+ 'CONFIG_DEVKMEM': 'not set',
+ 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'not set',
+ 'CONFIG_DEBUG_KERNEL': 'not set',
+ 'CONFIG_DEBUG_FS': 'not set',
+ 'CONFIG_MODULE_SIG_FORCE': 'not set',
+ }
+hardening_kco_ref = {'CONFIG_SERIAL_8250_CONSOLE': 'not set',
+ 'CONFIG_SERIAL_CORE': 'not set',
+ 'CONFIG_SERIAL_CORE_CONSOLE': 'not set',
+ 'CONFIG_CMDLINE_BOOL': 'y',
+ 'CONFIG_CMDLINE': '"cmd_line"',
+ 'CONFIG_CMDLINE_OVERRIDE': 'y',
+ 'CONFIG_DEBUG_INFO': 'not set',
+ 'CONFIG_KGDB': 'not set',
+ 'CONFIG_KPROBES': 'not set',
+ 'CONFIG_FTRACE': 'not set',
+ 'CONFIG_OPROFILE': 'not set',
+ 'CONFIG_PROFILING': 'not set',
+ 'CONFIG_MAGIC_SYSRQ': 'not set',
+ 'CONFIG_DEBUG_BUGVERBOSE': 'not set',
+ 'CONFIG_IP_PNP': 'not set',
+ 'CONFIG_IKCONFIG': 'not set',
+ 'CONFIG_SWAP': 'not set',
+ 'CONFIG_NAMESPACES': 'not set',
+ 'CONFIG_NFSD': 'not set',
+ 'CONFIG_NFS_FS': 'not set',
+ 'CONFIG_BINFMT_MISC': 'not set',
+ 'CONFIG_KALLSYMS': 'not set',
+ 'CONFIG_KALLSYMS_ALL': 'not set',
+ 'CONFIG_BUG': 'not set',
+ 'CONFIG_SYSCTL_SYSCALL': 'not set',
+ 'CONFIG_MODULE_UNLOAD': 'not set',
+ 'CONFIG_MODULE_FORCE_LOAD': 'not set',
+ 'CONFIG_DEVMEM': 'not set',
+ 'CONFIG_COREDUMP': 'not set',
+ 'CONFIG_CROSS_MEMORY_ATTACH': 'not set',
+ 'CONFIG_UNIX_DIAG': 'not set',
+ 'CONFIG_CHECKPOINT_RESTORE': 'not set',
+ 'CONFIG_PANIC_ON_OOPS': 'y',
+ 'CONFIG_PACKET_DIAG': 'not set',
+ 'CONFIG_FW_LOADER_USER_HELPER': 'not set',
+ 'CONFIG_BPF_JIT': 'not set',
+ 'CONFIG_USELIB': 'not set',
+ 'CONFIG_CC_STACKPROTECTOR': 'y',
+ 'CONFIG_KEXEC': 'not set',
+ 'CONFIG_PROC_KCORE': 'not set',
+ 'CONFIG_SECURITY_DMESG_RESTRICT': 'y',
+ 'CONFIG_DEBUG_STACKOVERFLOW': 'y',
+ 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'y',
+ 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'y',
+ 'CONFIG_IKCONFIG_PROC': 'not set',
+ 'CONFIG_RANDOMIZE_BASE': 'y',
+ 'CONFIG_DEBUG_RODATA': 'y',
+ 'CONFIG_STRICT_DEVMEM': 'y',
+ 'CONFIG_DEVKMEM': 'not set',
+ 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'y',
+ 'CONFIG_DEBUG_KERNEL': 'not set',
+ 'CONFIG_DEBUG_FS': 'not set',
+ 'CONFIG_MODULE_SIG_FORCE': 'y',
+ }
+############################################################################################
+# Keys Kernel Configuration
+############################################################################################
+keys_kco = {'CONFIG_KEYS': 'not set',
+ 'CONFIG_TRUSTED_KEYS': 'not set',
+ 'CONFIG_ENCRYPTED_KEYS': 'not set',
+ 'CONFIG_KEYS_DEBUG_PROC_KEYS': 'not set'
+ }
+keys_kco_ref = {'CONFIG_KEYS': 'y',
+ 'CONFIG_TRUSTED_KEYS': 'y',
+ 'CONFIG_ENCRYPTED_KEYS': 'y',
+ 'CONFIG_KEYS_DEBUG_PROC_KEYS': 'not set'
+ }
+############################################################################################
+# Security Kernel Configuration
+############################################################################################
+security_kco = {'CONFIG_SECURITY': 'not set',
+ 'CONFIG_SECURITYFS': 'not set',
+ 'CONFIG_SECURITY_NETWORKING': 'not set',
+ 'CONFIG_DEFAULT_SECURITY': 'not set',
+ 'CONFIG_SECURITY_SELINUX': 'not set',
+ 'CONFIG_SECURITY_SMACK': 'not set',
+ 'CONFIG_SECURITY_TOMOYO': 'not set',
+ 'CONFIG_SECURITY_APPARMOR': 'not set',
+ 'CONFIG_SECURITY_YAMA': 'not set',
+ 'CONFIG_SECURITY_YAMA_STACKED': 'not set'
+ }
+security_kco_ref = {'CONFIG_SECURITY': 'y',
+ 'CONFIG_SECURITYFS': 'y',
+ 'CONFIG_SECURITY_NETWORKING': 'y',
+ 'CONFIG_DEFAULT_SECURITY': '"selinux","smack","apparmor","tomoyo"',
+ 'CONFIG_SECURITY_SELINUX': 'y',
+ 'CONFIG_SECURITY_SMACK': 'y',
+ 'CONFIG_SECURITY_TOMOYO': 'y',
+ 'CONFIG_SECURITY_APPARMOR': 'y',
+ 'CONFIG_SECURITY_YAMA': 'y',
+ 'CONFIG_SECURITY_YAMA_STACKED': 'y'
+ }
+############################################################################################
+# Integrity Kernel Configuration
+############################################################################################
+integrity_kco = {'CONFIG_INTEGRITY': 'not set',
+ 'CONFIG_INTEGRITY_SIGNATURE': 'not set',
+ 'CONFIG_INTEGRITY_AUDIT': 'not set',
+ 'CONFIG_IMA': 'not set',
+ 'CONFIG_IMA_LSM_RULES': 'not set',
+ 'CONFIG_IMA_APPRAISE': 'not set',
+ 'CONFIG_IMA_TRUSTED_KEYRING': 'not set',
+ 'CONFIG_IMA_APPRAISE_SIGNED_INIT': 'not set',
+ 'CONFIG_EVM': 'not set',
+ 'CONFIG_EVM_ATTR_FSUUID': 'not set',
+ 'CONFIG_EVM_EXTRA_SMACK_XATTRS': 'not set',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA1': 'not set',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA256': 'not set',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA512': 'not set',
+ 'CONFIG_IMA_DEFAULT_HASH_WP512': 'not set'
+ }
+integrity_kco_ref = {'CONFIG_INTEGRITY': 'y',
+ 'CONFIG_INTEGRITY_SIGNATURE': 'y',
+ 'CONFIG_INTEGRITY_AUDIT': 'y',
+ 'CONFIG_IMA': 'y',
+ 'CONFIG_IMA_LSM_RULES': 'y',
+ 'CONFIG_IMA_APPRAISE': 'y',
+ 'CONFIG_IMA_TRUSTED_KEYRING': 'y',
+ 'CONFIG_IMA_APPRAISE_SIGNED_INIT': 'y',
+ 'CONFIG_EVM': 'y',
+ 'CONFIG_EVM_ATTR_FSUUID': 'y',
+ 'CONFIG_EVM_EXTRA_SMACK_XATTRS': 'y',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA1': 'not set',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA256': 'y',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA512': 'y',
+ 'CONFIG_IMA_DEFAULT_HASH_WP512': 'not set'
+ }
+############################################################################################
+# Comments
+############################################################################################
+comments = { # Kernel Hardening Configurations
+ 'CONFIG_SERIAL_8250_CONSOLE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
+ 'CONFIG_SERIAL_CORE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
+ 'CONFIG_SERIAL_CORE_CONSOLE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
+ 'CONFIG_CMDLINE_BOOL': 'Enables the kernel command line to be hardcoded directly into the kernel. Hardcoding the command line allows tighter control over kernel command line options.',
+ 'CONFIG_CMDLINE': 'Defines the kernel command line to be hardcoded into the kernel. Hardcoding the command line allows tighter control over kernel command line options.',
+ 'CONFIG_CMDLINE_OVERRIDE': 'Enables the kernel to ignore the boot loader command line and to use only the hardcoded command line. Hardcoding the command line allows tighter control over kernel command line options.',
+ 'CONFIG_DEBUG_INFO': 'Enables debug symbols in the kernel. Providing debug symbols would assist an attacker in discovering attack vectors.',
+ 'CONFIG_KGDB': 'Enables KGDB over USB and console ports. Providing KGDB would assist an attacker in discovering attack vectors.',
+ 'CONFIG_KPROBES': 'Enables Kernel Dynamic Probes. Providing kprobes allows the attacker to collect debug and performance information.',
+ 'CONFIG_FTRACE': 'Enables the kernel to trace every function. Providing kernel trace functionality would assist an attacker in discovering attack vectors.',
+ 'CONFIG_OPROFILE': 'Enables a profiling system capable of profiling kernel and kernel modules. Providing profiling functionality would assist an attacker in discovering attack vectors.',
+ 'CONFIG_PROFILING': 'Enables a profiling system capable of profiling kernel and kernel modules. Providing profiling functionality would assist an attacker in discovering attack vectors.',
+ 'CONFIG_MAGIC_SYSRQ': 'Enables a console device to interpret special characters as SysRQ system commands. SysRQ commands are an immediate attack vector as they provide the ability to dump information or reboot the device.',
+ 'CONFIG_DEBUG_BUGVERBOSE': 'Enables verbose logging for BUG() panics. Verbose logging would assist an attacker in discovering attack vectors.',
+ 'CONFIG_IP_PNP': 'Enables automatic configuration of IP addresses of devices and of the routing table during kernel boot. Providing networking functionality before the system has come up would assist an attacker in discovering attack vectors.',
+ 'CONFIG_IKCONFIG': 'Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.',
+ 'CONFIG_SWAP': 'Enables swap files for kernel. The ability to read kernel memory pages in swap files would assist an attacker in discovering attack vectors.',
+ 'CONFIG_NAMESPACES': 'Enabling this can result in duplicates of dev nodes, pids and mount points, which can be useful to attackers trying to spoof running environments on devices.',
+ 'CONFIG_NFSD': 'Enables remote access to files residing on this system using Sun\'s Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.',
+ 'CONFIG_NFS_FS': 'Enables remote access to files residing on this system using Sun\'s Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.',
+ 'CONFIG_BINFMT_MISC': 'Enables support for binary formats other than ELF. Providing the ability to use alternate interpreters would assist an attacker in discovering attack vectors.',
+ 'CONFIG_KALLSYMS': 'Enables printing of symbolic crash information and symbolic stack backtraces. Verbose logging would assist an attacker in discovering attack vectors.',
+ 'CONFIG_KALLSYMS_ALL': 'Enables printing of symbolic crash information and symbolic stack backtraces. Verbose logging would assist an attacker in discovering attack vectors.',
+ 'CONFIG_BUG': 'Enables display of backtrace and register information for BUGs and WARNs in kernel space. Verbose logging would assist an attacker in discovering attack vectors.',
+ 'CONFIG_SYSCTL_SYSCALL': 'Enables sysctl to read and write kernel parameters. Use of deprecated and unmaintained features is not recommended.',
+ 'CONFIG_MODULE_UNLOAD': 'Enables the ability to unload a kernel module. Allowing module unloading enables the attacker to disable security modules.',
+ 'CONFIG_MODULE_FORCE_LOAD': 'Enables forced loading of modules without version information. Providing an attacker with the ability to force load a module assists in discovering attack vectors.',
+ 'CONFIG_DEVMEM': 'Enables mem device, which provides access to physical memory. Providing a view into physical memory would assist an attacker in discovering attack vectors.',
+ 'CONFIG_COREDUMP': 'Enables support for performing core dumps. Providing core dumps would assist an attacker in discovering attack vectors.',
+ 'CONFIG_CROSS_MEMORY_ATTACH': 'Enables cross-process virtual memory access. Providing virtual memory access to and from a hostile process would assist an attacker in discovering attack vectors.',
+ 'CONFIG_UNIX_DIAG': 'Enables support for socket monitoring interface. Allows the attacker to inspect shared file descriptors on Unix Domain sockets or traffic on \'localhost\'.',
+ 'CONFIG_CHECKPOINT_RESTORE': 'Enables the checkpoint/restore service which can freeze and migrate processes. Providing a method for manipulating process state would assist an attacker in discovering attack vectors.',
+ 'CONFIG_PANIC_ON_OOPS': 'Enables conversion of kernel OOPs to PANIC. When fuzzing the kernel or attempting kernel exploits, attackers are likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their progress.',
+ 'CONFIG_PACKET_DIAG': 'Enables support for socket monitoring interface. Allows the attacker to inspect shared file descriptors on Unix Domain sockets or traffic on \'localhost\'.',
+ 'CONFIG_FW_LOADER_USER_HELPER': 'Enables the invocation of user-helper (e.g. udev) for loading firmware files as a fallback after the direct file loading in kernel fails. Providing firmware auto loader functionality would assist an attacker in discovering attack vectors.',
+ 'CONFIG_BPF_JIT': 'Enables Berkeley Packet Filter filtering capabilities. The BPF JIT can be used to create kernel-payloads from firewall table rules which assist an attacker in discovering attack vectors.',
+ 'CONFIG_USELIB': 'Enables the uselib syscall. The uselib system call has no valid use in any libc6 or uclibc system. Legacy features would assist an attacker in discovering attack vectors.',
+ 'CONFIG_CC_STACKPROTECTOR': 'Enables the stack protector GCC feature which defends against stack-based buffer overflows',
+ 'CONFIG_KEXEC': 'Enables the ability to shutdown your current kernel, and start another one. If enabled, this can be used as a way to bypass signed kernels.',
+ 'CONFIG_PROC_KCORE': 'Enables access to a kernel core dump from userspace. Providing access to core dumps of the kernel would assist an attacker in discovering attack vectors.',
+ 'CONFIG_SECURITY_DMESG_RESTRICT': 'Enables restrictions on unprivileged users reading the kernel syslog via dmesg(8). Unrestricted access to kernel syslogs would assist an attacker in discovering attack vectors.',
+ 'CONFIG_DEBUG_STACKOVERFLOW': 'Enables messages to be printed if free stack space drops below a certain limit. Leaking information about resources used by the kernel would assist an attacker in discovering attack vectors.',
+ 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'Converts a certain set of sanity checks for user copy operations into compile time failures. The copy_from_user() etc checks help test if there are sufficient security checks on the length argument of the copy operation by having gcc prove that the argument is within bounds.',
+ 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'Required to enable DEBUG_STRICT_USER_COPY_CHECKS, but alone does not provide security.',
+ 'CONFIG_IKCONFIG_PROC': 'Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.',
+ 'CONFIG_RANDOMIZE_BASE': 'Enables Kernel Address Space Layout randomization (kASLR). This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.',
+ 'CONFIG_DEBUG_RODATA': 'Sets kernel text and rodata sections as read-only and write-protected. This guards against malicious attempts to change the kernel\'s executable code.',
+ 'CONFIG_STRICT_DEVMEM': 'Enables restriction of userspace access to kernel memory. Failure to enable this option provides an immediate attack vector.',
+ 'CONFIG_DEVKMEM': 'Enables kmem device, which direct maps kernel memory. Providing a view into kernel memory would assist an attacker in discovering attack vectors.',
+ 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'Enables randomization of PIE load address for ELF binaries. This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.',
+ 'CONFIG_DEBUG_KERNEL': 'Enables sysfs output intended to assist with debugging a kernel. The information output to sysfs would assist an attacker in discovering attack vectors.',
+ 'CONFIG_DEBUG_FS': 'Enables the kernel debug filesystem. The kernel debug filesystem presents a lot of useful information and means of manipulation of the kernel to an attacker.',
+ 'CONFIG_MODULE_SIG_FORCE': 'Enables validation of module signature. Disabling this option enables an attacker to load unsigned modules.',
+}
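Review bot: The CONFIG_PACKET_DIAG comment on L6226 is a verbatim copy of the CONFIG_UNIX_DIAG text and talks about Unix domain sockets, but PACKET_DIAG is the monitoring interface for AF_PACKET (raw/packet) sockets; suggest `'CONFIG_PACKET_DIAG': 'Enables the socket monitoring interface for packet (AF_PACKET) sockets. Allows an attacker to enumerate raw packet sockets opened by other processes and the filters attached to them.'`. Several reference names in `hardening_kco_ref`/`security_kco_ref` are also stale on current kernels: CONFIG_CC_STACKPROTECTOR is now CONFIG_STACKPROTECTOR, CONFIG_DEBUG_RODATA became CONFIG_STRICT_KERNEL_RWX, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS was removed (CONFIG_HARDENED_USERCOPY is the current check), CONFIG_SECURITY_YAMA_STACKED no longer exists and CONFIG_DEFAULT_SECURITY was superseded by CONFIG_LSM, so on a recent kernel these rows will always read "not set" and bury real gaps in noise. A header comment naming the kernel series these tables were written against, and a per-row note for renamed options, would keep the report honest. The CONFIG_NAMESPACES=not-set recommendation also deserves a rationale in its comment, since namespaces are what container and sandbox isolation rely on and the current text only mentions spoofing.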
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py
new file mode 100644
index 00000000..cbaddf87
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py
@@ -0,0 +1,38 @@
+############################################################################################
+# Kernel Hardening Configurations
+############################################################################################
+hardening_kco = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'not set',
+ 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'not set',
+ 'CONFIG_X86_INTEL_MPX': 'not set',
+ 'CONFIG_X86_MSR': 'not set'
+ }
+hardening_kco_ref = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': '65536', # x86 specific
+ 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': '0x20000000,0x40000000', # x86 specific
+ 'CONFIG_X86_INTEL_MPX': 'y', # x86 and certain HW variants specific
+ 'CONFIG_X86_MSR': 'not set'
+ }
+############################################################################################
+# Keys Kernel Configuration
+############################################################################################
+keys_kco = {}
+keys_kco_ref = {}
+############################################################################################
+# Security Kernel Configuration
+############################################################################################
+security_kco = {'CONFIG_LSM_MMAP_MIN_ADDR': 'not set',
+ 'CONFIG_INTEL_TXT': 'not set'}
+security_kco_ref = {'CONFIG_LSM_MMAP_MIN_ADDR': '65536', # x86 specific
+ 'CONFIG_INTEL_TXT': 'y'}
+############################################################################################
+# Integrity Kernel Configuration
+############################################################################################
+integrity_kco = {}
+integrity_kco_ref = {}
+############################################################################################
+# Comments
+############################################################################################
+comments = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.',
+ 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'Defines the maximal offset in bytes that will be applied to the kernel when kernel Address Space Layout Randomization (kASLR) is active.',
+ 'CONFIG_X86_INTEL_MPX': 'Enables MPX hardware features that can be used with compiler-instrumented code to check memory references. It is designed to detect buffer overflow or underflow bugs.',
+ 'CONFIG_X86_MSR': 'Enables privileged processes access to the x86 Model-Specific Registers (MSRs). MSR accesses are directed to a specific CPU on multi-processor systems. This alone does not provide security.'
+ }
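Review bot: `hardening_kco_ref` recommends CONFIG_X86_INTEL_MPX=y (L6263), but MPX support was removed from the mainline kernel (5.6) and from GCC (9), and even on older kernels it only protects userspace that was compiled with MPX instrumentation, so flagging its absence as a hardening gap is misleading; CONFIG_RANDOMIZE_BASE_MAX_OFFSET (L6262) was likewise dropped with the 4.8 KASLR rework. Suggest marking both rows with a comment such as `# only meaningful on kernels < 4.8 / < 5.6; ignore on newer trees` or removing them. The `comments` dict is also missing entries for CONFIG_LSM_MMAP_MIN_ADDR and CONFIG_INTEL_TXT, which `security_kco` checks on L6274-L6275; for the latter something like `'CONFIG_INTEL_TXT': 'Enables Intel Trusted Execution Technology (TXT) measured launch via tboot. Requires a TXT-capable platform with a TPM and provides no protection on its own without tboot.'` would do.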
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi
new file mode 100644
index 00000000..5e7a69f5
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi
@@ -0,0 +1,43 @@
+Artistic-1.0-perl
+BSD-2-Clause-FreeBSD
+BSD-3-Clause-Clear
+BSD-4-Clause
+BSD-4-Clause-UC
+bzip2-1.0.5
+bzip2-1.0.6
+CC0-1.0
+CC-BY-SA-3.0
+ErlPL-1.1
+FTL
+GFDL-1.1
+GFDL-1.1+
+GFDL-1.2
+GFDL-1.2+
+GFDL-1.3
+GFDL-1.3+
+GPL-1.0
+GPL-1.0+
+ICU
+IJG
+Libpng
+libtiff
+MIT-feh
+MIT-Opengroup
+mpich2
+Muddy-MIT
+OFL-1.0
+OLDAP-2.0.1
+OLDAP-2.8
+OpenSSL
+PHP-3.01
+Qhull
+Ruby
+SGI-B-2.0
+TCL
+Vim
+X11
+Zend-2.0
+zlib-acknowledgement
+ZPL-1.1
+ZPL-2.0
+ZPL-2.1
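Review bot: `Artistic-1.0-perl` on L6297 does not match the SPDX spelling `Artistic-1.0-Perl` used in the `licenses` list (L6364), and `check_license` compares lines with `==` after only an `rstrip()`, so a package declaring the SPDX identifier will never match this entry. Either correct the case or drop the line, since the license is already in the OSI-approved list; `ZPL-2.0` (L6338) is likewise present in both files and one copy is redundant.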
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses
new file mode 100644
index 00000000..8fff0b1c
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses
@@ -0,0 +1,105 @@
+AFL-1.1
+AFL-1.2
+AFL-2.0
+AFL-2.1
+AFL-3.0
+APL-1.0
+Apache-1.1
+Apache-2.0
+APSL-1.0
+APSL-1.1
+APSL-1.2
+APSL-2.0
+Artistic-1.0
+Artistic-1.0-Perl
+Artistic-1.0-cl8
+Artistic-2.0
+AAL
+BSL-1.0
+BSD-2-Clause
+BSD-3-Clause
+CNRI-Python
+CDDL-1.0
+CPAL-1.0
+CPL-1.0
+CATOSL-1.1
+CUA-OPL-1.0
+EPL-1.0
+ECL-1.0
+ECL-2.0
+EFL-1.0
+EFL-2.0
+Entessa
+EUDatagrid
+EUPL-1.1
+Fair
+Frameworx-1.0
+AGPL-3.0
+GPL-2.0
+GPL-2.0+
+GPL-2.0-with-autoconf-exception
+GPL-2.0-with-bison-exception
+GPL-2.0-with-classpath-exception
+GPL-2.0-with-font-exception
+GPL-2.0-with-GCC-exception
+GPL-3.0
+GPL-3.0+
+GPL-3.0-with-autoconf-exception
+GPL-3.0-with-GCC-exception
+LGPL-2.1
+LGPL-2.1+
+LGPL-3.0
+LGPL-3.0+
+LGPL-2.0
+LGPL-2.0+
+HPND
+IPL-1.0
+Intel
+IPA
+ISC
+LPPL-1.3c
+LPL-1.02
+LPL-1.0
+MS-PL
+MS-RL
+MirOS
+MIT
+Motosoto
+MPL-1.0
+MPL-1.1
+MPL-2.0
+MPL-2.0-no-copyleft-exception
+Multics
+NASA-1.3
+Naumen
+NGPL
+Nokia
+NPOSL-3.0
+NTP
+OCLC-2.0
+OGTSL
+OSL-1.0
+OSL-2.0
+OSL-2.1
+OSL-3.0
+PHP-3.0
+PostgreSQL
+Python-2.0
+QPL-1.0
+RPSL-1.0
+RPL-1.1
+RPL-1.5
+RSCPL
+OFL-1.1
+SimPL-2.0
+Sleepycat
+SISSL
+SPL-1.0
+Watcom-1.0
+NCSA
+VSL-1.0
+W3C
+WXwindows
+Xnet
+Zlib
+ZPL-2.0
diff --git a/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations
new file mode 100644
index 00000000..5da203b0
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations
@@ -0,0 +1,7 @@
+GPL-3.0
+GPL-3.0+
+GPL-3.0-with-autoconf-exception
+GPL-3.0-with-GCC-exception
+LGPL-3.0
+LGPL-3.0+
+
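Review bot: Every identifier in this file (GPL-3.0, GPL-3.0+, the two exception variants and LGPL-3.0/LGPL-3.0+) is also listed as approved in `licenses` (L6395-L6402), so which verdict a package gets depends on the order in which `process_package` consults the two lists, and that order is outside these hunks; a short comment in the plugin stating that `violations` takes precedence (if it does) would make the policy auditable. The trailing empty line on L6468 also survives `rstrip()` as an empty string, so a package whose license field is empty after the colon would be reported as a violation — fine if deliberate, but worth confirming.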
diff --git a/external/meta-security/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb b/external/meta-security/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb
new file mode 100644
index 00000000..247ec763
--- /dev/null
+++ b/external/meta-security/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb
@@ -0,0 +1,25 @@
+SUMMARY = "Checksec tool"
+DESCRIPTION = "The checksec.sh script is designed to test what standard Linux OS and PaX security features are being used."
+SECTION = "security"
+LICENSE = "BSD-3-Clause"
+HOMEPAGE="http://www.trapkit.de/tools/checksec.html"
+
+LIC_FILES_CHKSUM = "file://checksec-${PV}.sh;beginline=3;endline=34;md5=6dab14470bfdf12634b866dbdd7a04b0"
+
+SRC_URI = "http://www.trapkit.de/tools/checksec.sh;downloadfilename=checksec-${PV}.sh"
+
+SRC_URI[md5sum] = "57cc3fbbbe48e8ebd4672c569954374d"
+SRC_URI[sha256sum] = "05822cd8668589038d20650faa0e56f740911d8ad06f7005b3d12a5c76591b90"
+
+
+S = "${WORKDIR}"
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/checksec-${PV}.sh ${D}${bindir}/checksec.sh
+ sed -i 's/\r//' ${D}${bindir}/checksec.sh
+}
+
+RDEPENDS_${PN} = "bash binutils"
+
+BBCLASSEXTEND = "native"
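Review bot: SRC_URI on L6483 fetches `checksec.sh` over plain http from an unversioned URL and relies on `downloadfilename` plus the md5/sha256 pins for integrity; the sha256 pin makes tampering detectable, so this is safe, but any upstream edit to the file will change the checksum and break the fetch rather than silently upgrade, and the http scheme gives no transport-level authenticity. If the host serves it, `SRC_URI = "https://www.trapkit.de/tools/checksec.sh;downloadfilename=checksec-${PV}.sh"` would be the smaller-risk choice, and a comment noting that the pin is what guarantees the contents would help the next maintainer. Style nit: `HOMEPAGE="..."` on L6479 lacks the spaces around `=` that every other assignment in the recipe uses.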
diff --git a/external/meta-security/meta-tpm/README b/external/meta-security/meta-tpm/README
index bbc70bba..dd662b3d 100644
--- a/external/meta-security/meta-tpm/README
+++ b/external/meta-security/meta-tpm/README
@@ -2,3 +2,60 @@ meta-tpm layer
==============
This layer contains base TPM recipes.
+
+Dependencies
+============
+
+This layer depends on:
+
+ URI: git://git.openembedded.org/openembedded-core
+ branch: master
+ revision: HEAD
+ prio: default
+
+ URI: git://git.openembedded.org/meta-openembedded/meta-oe
+ branch: master
+ revision: HEAD
+ prio: default
+
+Adding the meta-tpm layer to your build
+========================================
+
+In order to use this layer, you need to make the build system aware of
+it.
+
+Assuming this layer exists at the top-level of your
+yocto build tree, you can add it to the build system by adding the
+location of the meta-tpm layer to bblayers.conf, along with any
+other layers needed. e.g.:
+
+ BBLAYERS ?= " \
+ /path/to/oe-core/meta \
+ /path/to/meta-openembedded/meta-oe \
+ /path/to/layer/meta-tpm \
+
+
+Maintenance
+-----------
+
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-security][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+Maintainers: Armin Kuster <akuster808@gmail.com>
+
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
diff --git a/external/meta-security/meta-tpm/conf/distro/include/maintainers.inc b/external/meta-security/meta-tpm/conf/distro/include/maintainers.inc
new file mode 100644
index 00000000..74c1a181
--- /dev/null
+++ b/external/meta-security/meta-tpm/conf/distro/include/maintainers.inc
@@ -0,0 +1,39 @@
+# meta-tpm Maintainers File
+#
+# This file contains a list of recipe maintainers.
+#
+# Please submit any patches against recipes in meta to the
+# Yocto mail list (yocto@yoctoproject.org)
+#
+# If you have problems with or questions about a particular recipe, feel
+# free to contact the maintainer directly (cc:ing the appropriate mailing list
+# puts it in the archive and helps other people who might have the same
+# questions in the future), but please try to do the following first:
+#
+# - look in the Yocto Project Bugzilla
+# (http://bugzilla.yoctoproject.org/) to see if a problem has
+# already been reported
+#
+# The format is as a bitbake variable override for each recipe
+#
+# RECIPE_MAINTAINER_pn-<recipe name> = "Full Name <address@domain>"
+#
+# Please keep this list in alphabetical order.
+RECIPE_MAINTAINER_pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-pcr-extend = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm-quote-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-libtpm = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-trousers = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-swtpm = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-openssl-tpm-engine = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-abrmd = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-totp = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tcti-uefi = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-cryptsetup-tpm-incubator = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>"
+RECIPE_MAINTAINER_pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>"
+
diff --git a/external/meta-security/meta-tpm/conf/layer.conf b/external/meta-security/meta-tpm/conf/layer.conf
index 1b5f7d58..c3372c70 100644
--- a/external/meta-security/meta-tpm/conf/layer.conf
+++ b/external/meta-security/meta-tpm/conf/layer.conf
@@ -8,8 +8,10 @@ BBFILE_COLLECTIONS += "tpm-layer"
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_tpm-layer = "10"
-LAYERSERIES_COMPAT_tpm-layer = "thud"
+LAYERSERIES_COMPAT_tpm-layer = "dunfell"
LAYERDEPENDS_tpm-layer = " \
core \
+ openembedded-layer \
"
+BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
diff --git a/external/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/external/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
new file mode 100644
index 00000000..c6f9d922
--- /dev/null
+++ b/external/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -0,0 +1,43 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class Tpm2Test(OERuntimeTestCase):
+ def check_endlines(self, results, expected_endlines):
+ for line in results.splitlines():
+ for el in expected_endlines:
+ if line == el:
+ expected_endlines.remove(el)
+ break
+
+ if expected_endlines:
+ self.fail('Missing expected line endings:\n %s' % '\n '.join(expected_endlines))
+
+ @OEHasPackage(['tpm2-tss'])
+ @OEHasPackage(['tpm2-abrmd'])
+ @OEHasPackage(['tpm2-tools'])
+ @OEHasPackage(['ibmswtpm2'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_tpm2_sim(self):
+ cmds = [
+ 'tpm_server &',
+ 'tpm2-abrmd --allow-root --tcti=mssim &'
+ ]
+
+ for cmd in cmds:
+ status, output = self.target.run(cmd)
+ self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
+
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_sim'])
+ def test_tpm2(self):
+ (status, output) = self.target.run('tpm2_pcrlist')
+ expected_endlines = []
+ expected_endlines.append('sha1 :')
+ expected_endlines.append(' 0 : 0000000000000000000000000000000000000003')
+ expected_endlines.append(' 1 : 0000000000000000000000000000000000000000')
+
+ self.check_endlines(output, expected_endlines)
+
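Review bot: `test_tpm2` runs `tpm2_pcrlist`, but the tpm2-tools 4.1.1 recipe added in this same commit ships the 4.x CLI, where that command was renamed `tpm2_pcrread` (and, as far as I recall, the output layout changed too), so the expected-line match is likely to fail against this image; if the rename applies, switch to `(status, output) = self.target.run('tpm2_pcrread')` and regenerate `expected_endlines` from real output. In `test_tpm2_sim` the status of `tpm_server &` and `tpm2-abrmd ... &` only says the shell managed to background them, not that either daemon is up, so a short readiness poll (loop on a `tpm2_getcap` call with `sleep 1` until it succeeds) before the PCR read would make the `OETestDepends` chain meaningful. `--allow-root` is acceptable for a simulator test but deserves a comment such as `# test-only: abrmd normally runs as the unprivileged tss user` so nobody copies it into a service file.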
diff --git a/external/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb b/external/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb
index a337076d..dbdd309c 100644
--- a/external/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb
+++ b/external/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb
@@ -1,14 +1,13 @@
-DESCRIPTION = "A small image for building meta-security packages"
+DESCRIPTION = "A small image for building a tpm image for testing"
IMAGE_FEATURES += "ssh-server-openssh"
IMAGE_INSTALL = "\
packagegroup-base \
packagegroup-core-boot \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'packagegroup-security-tpm', '', d)} \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \
+ packagegroup-security-tpm \
os-release \
- ${CORE_IMAGE_EXTRA_INSTALL}"
+"
IMAGE_LINGUAS ?= " "
diff --git a/external/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb b/external/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb
new file mode 100644
index 00000000..7e047d12
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb
@@ -0,0 +1,18 @@
+DESCRIPTION = "A small image for building a tpm2 image for testing"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-security-tpm2 \
+ os-release \
+"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-tpm2-image"
diff --git a/external/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/external/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index c4c8fb22..a553a63d 100644
--- a/external/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/external/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -5,14 +5,20 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda
inherit packagegroup
-PACKAGES = "packagegroup-security-tpm2"
+PACKAGES = "${PN}"
+PREFERRED_PROVIDER_cryptsetup ?= "cryptsetup-tpm-incubator"
SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support"
RDEPENDS_packagegroup-security-tpm2 = " \
- tpm2.0-tools \
+ tpm2-tools \
trousers \
+ tpm2-tss \
libtss2 \
+ libtss2-mu \
libtss2-tcti-device \
libtss2-tcti-mssim \
tpm2-abrmd \
+ tpm2-pkcs11 \
+ ibmswtpm2 \
+ ${PREFERRED_PROVIDER_cryptsetup} \
"
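Review bot: `PREFERRED_PROVIDER_cryptsetup ?= "cryptsetup-tpm-incubator"` is set inside a packagegroup recipe, where it only feeds the `${PREFERRED_PROVIDER_cryptsetup}` entry in RDEPENDS; provider selection is a configuration-level variable, so an image that also lists plain `cryptsetup` will end in the RCONFLICTS declared by the incubator recipe rather than a clean substitution, and the setting belongs in a distro/local conf with a comment. The group also now pulls `ibmswtpm2`, a software TPM simulator with no hardware root of trust, and the experimental incubator cryptsetup into the default TPM 2.0 set that device images are likely to install. I would keep `ibmswtpm2` in `security-tpm2-image.bb` (described as a test image) and leave the incubator out of the default group, with a comment like `# simulator/experimental components belong in the test image, not on hardware with a real TPM`.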
diff --git a/external/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend b/external/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
index cea8b1b2..cea8b1b2 100644
--- a/external/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/external/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
diff --git a/external/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb b/external/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb
index a930d7bc..4588c8d0 100644
--- a/external/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
+++ b/external/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb
@@ -2,15 +2,15 @@ SUMMARY = "LIBPM - Software TPM Library"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
-SRCREV = "4111bd1bcf721e6e7b5f11ed9c2b93083677aa25"
-SRC_URI = "git://github.com/stefanberger/libtpms.git"
+SRCREV = "c26e8f7b08b19a69cea9e8f1f1e6639c7951fb01"
+SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-${PV}"
+
+PE = "1"
S = "${WORKDIR}/git"
-inherit autotools-brokensep pkgconfig
+inherit autotools-brokensep pkgconfig perlnative
PACKAGECONFIG ?= "openssl"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
-PV = "1.0+git${SRCPV}"
-
BBCLASSEXTEND = "native"
diff --git a/external/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb b/external/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.2.0.bb
index 3fe1393a..35c77c80 100644
--- a/external/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/external/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.2.0.bb
@@ -9,11 +9,12 @@ DEPENDS = "libtasn1 expect socat glib-2.0 net-tools-native libtpm libtpm-native"
# then swtpm_setup needs them at runtime
DEPENDS += "tpm-tools-native expect-native socat-native"
-SRCREV = "94bb9f2d716d09bcc6cd2a2e033018f8592008e7"
-SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=tpm2-preview.v2 \
+SRCREV = "39673a0139b0ee14a0109aba50a0635592c672c4"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-${PV} \
file://fix_fcntl_h.patch \
file://ioctl_h.patch \
"
+PE = "1"
S = "${WORKDIR}/git"
@@ -23,12 +24,14 @@ PARALLEL_MAKE = ""
TSS_USER="tss"
TSS_GROUP="tss"
-PACKAGECONFIG ?= "openssl cuse"
+PACKAGECONFIG ?= "openssl"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"
+PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp"
EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"
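Review bot: The new `PACKAGECONFIG[seccomp]` entry is defined but nothing enables it, so swtpm is built without the seccomp profile that confines the emulator process to the syscalls it needs; if libseccomp is available in the layer set, `PACKAGECONFIG ?= "openssl seccomp"` would make the sandbox the default, otherwise a comment explaining why it is opt-in would help. The `cuse` auto-enable on the line above keys off `filesystems-layer` being in `BBFILE_COLLECTIONS`, so whether the CUSE device backend (and its fuse dependency) gets built now varies silently with the build configuration; a comment there, e.g. `# cuse needs fuse from meta-filesystems; enabled only when that layer is present`, would make the behaviour visible.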
@@ -39,12 +42,11 @@ GROUPADD_PARAM_${PN} = "--system ${TSS_USER}"
USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir \
--no-create-home --shell /bin/false ${BPN}"
+PACKAGE_BEFORE_PN = "${PN}-cuse"
+FILES_${PN}-cuse = "${bindir}/swtpm_cuse"
+
+INSANE_SKIP_${PN} += "dev-so"
+
RDEPENDS_${PN} = "libtpm expect socat bash tpm-tools"
BBCLASSEXTEND = "native nativesdk"
-
-python() {
- if 'cuse' in d.getVar('PACKAGECONFIG') and \
- 'filesystems-layer' not in d.getVar('BBFILE_COLLECTIONS').split():
- raise bb.parse.SkipRecipe('Cuse enabled which requires meta-filesystems to be present.')
-}
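Review bot: `INSANE_SKIP_${PN} += "dev-so"` silences the QA check rather than fixing the packaging; the unversioned `.so` that triggers it belongs in `${PN}-dev`, or, if swtpm dlopens it at runtime, a comment should say so before the skip. Separately, the `USERADD_PARAM_${PN}` context line above passes `--home-dir` with no argument before the line continuation, so after BitBake joins the lines useradd appears to receive `--home-dir --no-create-home` and would take `--no-create-home` as the home path; that is pre-existing, but `--home-dir / --no-create-home` is the safe form and worth fixing while the user handling is being touched.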
diff --git a/external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb b/external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb
deleted file mode 100644
index 3f40eb70..00000000
--- a/external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-SUMMARY = "Tools for TPM2."
-DESCRIPTION = "tpm2.0-tools"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=91b7c548d73ea16537799e8060cea819"
-SECTION = "tpm"
-
-DEPENDS = "pkgconfig tpm2.0-tss openssl curl autoconf-archive"
-
-SRCREV = "5e2f1aafc58e60c5050f85147a14914561f28ad9"
-
-SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools;branch=3.X"
-
-S = "${WORKDIR}/tpm2.0-tools"
-
-inherit autotools pkgconfig
diff --git a/external/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb b/external/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb
deleted file mode 100644
index 866791c2..00000000
--- a/external/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "TPM 2.0 Simulator Extraction Script"
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=1415f7be284540b81d9d28c67c1a6b8b"
-
-DEPENDS = "python"
-
-SRCREV = "e45324eba268723d39856111e7933c5c76238481"
-SRC_URI = "git://github.com/stwagnr/tpm2simulator.git"
-
-S = "${WORKDIR}/git"
-OECMAKE_SOURCEPATH = "${S}/cmake"
-
-inherit native lib_package cmake
-
-EXTRA_OECMAKE = " \
- -DCMAKE_BUILD_TYPE=Debug \
- -DSPEC_VERSION=138 \
-"
-
-do_configure_prepend () {
- sed -i 's/^SET = False/SET = True/' ${S}/scripts/settings.py
-}
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/external/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
new file mode 100644
index 00000000..26171623
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
@@ -0,0 +1,47 @@
+SUMMARY = "An extension to cryptsetup/LUKS that enables use of the TPM 2.0 via tpm2-tss"
+DESCRIPTION = "Cryptsetup is utility used to conveniently setup disk encryption based on DMCrypt kernel module."
+
+SECTION = "security/tpm"
+LICENSE = "LGPL-2.1 | GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326 \
+ file://COPYING.LGPL;md5=1960515788100ce5f9c98ea78a65dc52 \
+ "
+
+DEPENDS = "autoconf-archive pkgconfig gettext libtss2-dev libdevmapper popt libgcrypt json-c"
+
+SRC_URI = "git://github.com/AndreasFuchsSIT/cryptsetup-tpm-incubator.git;branch=luks2tpm \
+ file://configure_fix.patch "
+
+SRCREV = "15c283195f19f1d980e39ba45448683d5e383179"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig gettext
+
+PACKAGECONFIG ??= "openssl"
+PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
+PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
+
+EXTRA_OECONF = "--enable-static"
+
+RRECOMMENDS_${PN} = "kernel-module-aes-generic \
+ kernel-module-dm-crypt \
+ kernel-module-md5 \
+ kernel-module-cbc \
+ kernel-module-sha256-generic \
+ kernel-module-xts \
+ "
+
+FILES_${PN} += "${libdir}/tmpfiles.d"
+RDEPENDS_${PN} += "lvm2 libdevmapper"
+RRECOMMENDS_${PN} += "lvm2-udevrules"
+
+RPROVIDES_${PN} = "cryptsetup"
+RREPLACES_${PN} = "cryptsetup"
+RCONFLICTS_${PN} ="cryptsetup"
+
+RPROVIDES_${PN}-dev = "cryptsetup-dev"
+RREPLACES_${PN}-dev = "cryptsetup-dev"
+RCONFLICTS_${PN}-dev ="cryptsetup-dev"
+
+BBCLASSEXTEND = "native nativesdk"
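Review bot: This recipe makes an experimental fork (the `luks2tpm` branch, pinned to a single commit) replace the maintained upstream `cryptsetup` via `RPROVIDES`/`RREPLACES`/`RCONFLICTS`, so any image pulling it in silently loses the security and LUKS2 fixes upstream cryptsetup keeps receiving. A comment at the top stating that trade-off, e.g. `# Replaces upstream cryptsetup with a TPM2-enabled fork; upstream security fixes must be tracked manually`, plus keeping it out of default packagegroups, would make the risk explicit. Minor: `SRC_URI` uses the unauthenticated `git://` transport without `;protocol=https` (the SRCREV pin still guarantees the checked-out content, but https is the safer and more widely reachable choice), and `DEPENDS` lists `libgcrypt` unconditionally although `PACKAGECONFIG[gcrypt]` already adds it when that backend is selected.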
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch b/external/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch
new file mode 100644
index 00000000..8c7b6da4
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch
@@ -0,0 +1,16 @@
+Upstream-Status: OE specific
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/configure.ac
+===================================================================
+--- git.orig/configure.ac
++++ git/configure.ac
+@@ -16,7 +16,7 @@ AC_CONFIG_HEADERS([config.h:config.h.in]
+
+ # For old automake use this
+ #AM_INIT_AUTOMAKE(dist-xz subdir-objects)
+-AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects])
++AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects foreign])
+
+ if test "x$prefix" = "xNONE"; then
+ sysconfdir=/etc
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch b/external/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch
new file mode 100644
index 00000000..2919e2e5
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch
@@ -0,0 +1,26 @@
+Allow recipe to overide optimization.
+
+fixes:
+
+397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O)
+| | ^~~~~~~
+| cc1: all warnings being treated as errors
+
+
+Upstream-Status: OE specific
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: src/makefile
+===================================================================
+--- src.orig/makefile
++++ src/makefile
+@@ -43,7 +43,7 @@ CC = /usr/bin/gcc
+ CCFLAGS = -Wall \
+ -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
+ -Werror -Wsign-compare \
+- -c -ggdb -O0 \
++ -c -ggdb -O \
+ -DTPM_POSIX \
+ -D_POSIX_ \
+ -DTPM_NUVOTON
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb b/external/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
new file mode 100644
index 00000000..80542269
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
@@ -0,0 +1,27 @@
+SUMMARY = "IBM's Software TPM 2.0"
+LICENSE = "BSD"
+SECTION = "securty/tpm"
+LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
+
+DEPENDS = "openssl"
+
+SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \
+ file://remove_optimization.patch \
+ "
+SRC_URI[md5sum] = "13013612b3a13dc935fefe1a5684179c"
+SRC_URI[sha256sum] = "fc3a17f8315c1f47670764f2384943afc0d3ba1e9a0422dacb08d455733bd1e9"
+SRC_URI[sha1sum] = "a2a5335024a2edc1739f08b99e716fa355be627d"
+SRC_URI[sha384sum] = "b1f278acabe2198aa79c0fe8aa0182733fe701336cbf54a88058be0b574cab768f59f9315882d0e689e634678d05b79f"
+SRC_URI[sha512sum] = "ff0b9e5f0d0070eb572b23641f7a0e70a8bc65cbf4b59dca1778be3bb014124011221a492147d4c492584e87af23e2f842ca6307641b3919f67a3f27f09312c0"
+
+S = "${WORKDIR}/src"
+
+do_compile () {
+ make CC='${CC}'
+}
+
+do_install () {
+ install -d ${D}/${bindir}
+ install -m 0755 tpm_server ${D}/${bindir}
+}
+
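Review bot: `do_compile` runs `make CC='${CC}'` without passing `CFLAGS`/`LDFLAGS`, so whatever hardening flags the distro puts there (typically stack protector, FORTIFY, PIE/RELRO) never reach this build and the makefile's hard-coded `CCFLAGS` takes over; `remove_optimization.patch` shows `CCFLAGS` also carries `-c` and the `-D` defines, so the recipe should append rather than replace, e.g. `oe_runmake CC='${CC}' CCFLAGS='<upstream flags> ${CFLAGS}'` plus the makefile's link-flag variable set to `${LDFLAGS}` once its name is confirmed. Using `oe_runmake` instead of bare `make` also honours `PARALLEL_MAKE`. Small things: `SECTION = "securty/tpm"` is a typo for `security/tpm`, and `LICENSE = "BSD"` should name the exact variant that `../LICENSE` contains.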
diff --git a/external/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
index c8dfb7de..9bb7da97 100644
--- a/external/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
@@ -27,7 +27,7 @@ case "${1}" in
start)
echo -n "Starting $DESC: "
- if [ ! -e /dev/tpm* ]
+ if [ ! -e /dev/tpm? ]
then
echo "device driver not loaded, skipping."
exit 0
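Review bot: `[ ! -e /dev/tpm? ]` expands the glob inside `test`, so with two TPM devices it becomes `[ ! -e /dev/tpm0 /dev/tpm1 ]`, a syntax error that `[` reports as false, and the daemon is started anyway; with no device the literal `/dev/tpm?` is tested and the skip works, so the check only behaves as intended for exactly one device. Since `DAEMON_OPTS` selects `--tcti=device`, which as far as I know opens `/dev/tpm0` by default, the precise check is `if [ ! -c /dev/tpm0 ]`, or a loop over `/dev/tpm[0-9]*` if several devices should be honoured. The enclosing case statement continues outside the hunk.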
diff --git a/external/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
index 987978a6..b4b3c207 100644
--- a/external/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
@@ -1 +1 @@
-DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transient-objects=20 --fail-on-loaded-trans"
+DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transients=20 --flush-all"
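Review bot: `--flush-all` makes the resource manager flush every transient object and session from the TPM when it starts, which is the right way to take exclusive control but also discards anything a pre-boot component left loaded; since this commit also adds a UEFI TCTI, a one-line comment in this file recording the trade-off, e.g. `# --flush-all: abrmd takes exclusive control of the TPM at start; transient objects from pre-boot code are dropped`, would save a future debugging session. The option renames (`--max-transients`, dropping `--fail-on-loaded-trans`) look consistent with the 2.3.0 bump in the same commit.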
diff --git a/external/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb
index 63473790..991364ad 100644
--- a/external/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb
@@ -9,16 +9,16 @@ SECTION = "security/tpm"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
-DEPENDS = "autoconf-archive dbus glib-2.0 tpm2.0-tss glib-2.0-native \
+DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \
libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"
-
SRC_URI = "\
- git://github.com/01org/tpm2-abrmd.git \
+ git://github.com/tpm2-software/tpm2-abrmd.git \
file://tpm2-abrmd-init.sh \
file://tpm2-abrmd.default \
"
-SRCREV = "d0120ace58d97bc9520c0d558657eaca87ae73b1"
+
+SRCREV = "ac82192df1158cb58eac02777cf15c965b02cfbc"
S = "${WORKDIR}/git"
@@ -49,6 +49,6 @@ do_install_append() {
FILES_${PN} += "${libdir}/systemd/system-preset \
${datadir}/dbus-1"
-RDEPENDS_${PN} += "tpm2.0-tss"
+RDEPENDS_${PN} += "tpm2-tss"
BBCLASSEXTEND = "native"
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
new file mode 100644
index 00000000..d38e2377
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
@@ -0,0 +1,12 @@
+Upstream-Status: OE specific
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/bootstrap
+===================================================================
+--- git.orig/bootstrap
++++ git/bootstrap
+@@ -27,4 +27,3 @@ echo "Generating file lists: ${VARS_FILE
+ ) > ${VARS_FILE}
+
+ mkdir -p m4
+-${AUTORECONF} --install --sym $@
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb
new file mode 100644
index 00000000..351e03e5
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb
@@ -0,0 +1,21 @@
+SUMMARY = "A PKCS#11 interface for TPM2 hardware"
+DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token."
+SECTION = "security/tpm"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=93645981214b60a02688745c14f93c95"
+
+DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git \
+ file://bootstrap_fixup.patch \
+ "
+
+SRCREV = "6de3f6f9c6e0a4983f3fb90e35feb34906f8aea7"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig
+
+do_configure_prepend () {
+ ${S}/bootstrap
+}
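Review bot: `DEPENDS` lists `dstat`, a system-resource monitoring tool with no obvious role in building a PKCS#11 module, so it looks like a stray entry or a typo for another package and pulls unrelated code into the build; if nothing in the tree needs it, drop it. `SRC_URI` uses `git://` with neither `;protocol=https` nor `;branch=`, so the fetch runs over an unauthenticated transport and BitBake cannot check that the SRCREV lives on a named branch; `git://github.com/tpm2-software/tpm2-pkcs11.git;protocol=https;branch=master` (or whichever branch holds the pinned commit) is the safer form. Running `${S}/bootstrap` in `do_configure_prepend` after the patch removed its `autoreconf` call is consistent with the autotools class doing the reconfigure, so that part reads fine.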
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
new file mode 100644
index 00000000..8a216cd4
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/configure_oe_fixup.patch
@@ -0,0 +1,27 @@
+Upstream-Status: OE specific
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/configure.ac
+===================================================================
+--- git.orig/configure.ac
++++ git/configure.ac
+@@ -84,9 +84,6 @@ AC_ARG_WITH([efi-lds],
+ AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds file.]),
+ [],
+ [with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"])
+-AC_CHECK_FILE(["${with_efi_lds}"],
+- [],
+- [AC_MSG_ERROR([Missing file: ${with_efi_lds}.])])
+ EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}"
+
+ # path to object file from gnu-efi
+@@ -94,9 +91,6 @@ AC_ARG_WITH([efi-crt0],
+ AS_HELP_STRING([--with-efi-crt0=OBJ_PATH],[Path to gnu-efi crt0 object file.]),
+ [],
+ [with_efi_crt0="/usr/lib/crt0-efi-${ARCH}.o"])
+-AC_CHECK_FILE(["${with_efi_crt0}"],
+- [],
+- [AC_MSG_ERROR([Missing ${with_efi_crt0} file.])])
+ EXTRA_LDLIBS="${with_efi_crt0}"
+
+ # check for efi and gnuefi libraries
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch
new file mode 100644
index 00000000..fc730e14
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/fix_header_file.patch
@@ -0,0 +1,25 @@
+Error building for i386 target in cross env
+
+#include <efi/x86_64/efibind.h>
+
+ARCH is host arch, not target arch
+
+Upstream-Status: Submitted
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+Index: git/src/uefi-types.h
+===================================================================
+--- git.orig/src/uefi-types.h
++++ git/src/uefi-types.h
+@@ -3,9 +3,9 @@
+ #define UEFI_TYPES_H
+
+ #ifndef EDK2_BUILD
+-#if ARCH == x86_64
++#if defined(__x86_64__)
+ #include <efi/x86_64/efibind.h>
+-#elif ARCH == ia32
++#elif defined(__i386__)
+ #include <efi/ia32/efibind.h>
+ #else
+ #error "Unsupported ARCH."
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch
new file mode 100644
index 00000000..bc70913e
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch
@@ -0,0 +1,23 @@
+Fix defined to match tpm2-tools 4.1.1
+
+Upstream-Status: Submitted https://github.com/tpm2-software/tpm2-tcti-uefi/pull/81
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/example/tpm2-get-caps-fixed.c
+===================================================================
+--- git.orig/example/tpm2-get-caps-fixed.c
++++ git/example/tpm2-get-caps-fixed.c
+@@ -140,11 +140,11 @@ dump_tpm_properties_fixed (TPMS_TAGGED_P
+ Print (L"TPM2_PT_INPUT_BUFFER:\n"
+ " value: 0x%X\n", value);
+ break;
+- case TPM2_PT_HR_TRANSIENT_MIN:
++ case TPM2_PT_TPM2_HR_TRANSIENT_MIN:
+ Print (L"TPM2_PT_TPM2_HR_TRANSIENT_MIN:\n"
+ " value: 0x%X\n", value);
+ break;
+- case TPM2_PT_HR_PERSISTENT_MIN:
++ case TPM2_PT_TPM2_HR_PERSISTENT_MIN:
+ Print (L"TPM2_PT_TPM2_HR_PERSISTENT_MIN:\n"
+ " value: 0x%X\n", value);
+ break;
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
new file mode 100644
index 00000000..b3f22872
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch
@@ -0,0 +1,38 @@
+From b74837184cfdefb45e48f3fdc974fc67691fc861 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
+Date: Wed, 3 Jul 2019 19:16:35 +0300
+Subject: [PATCH] configure.ac: stop inserting host directories into compile
+ path
+
+Do not insert /usr/lib and /usr/lib64 into library search path.
+
+Upstream-Status: OE specific
+Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/configure.ac
+===================================================================
+--- git.orig/configure.ac
++++ git/configure.ac
+@@ -70,10 +70,6 @@ EXTRA_CFLAGS+="-I${with_efi_includedir}
+ # compiler flags / search path
+ CFLAGS_TMP="$CFLAGS"
+ CFLAGS="$CFLAGS $EXTRA_CFLAGS"
+-AC_CHECK_HEADERS([efi.h efilib.h],
+- [],
+- [AC_MSG_ERROR([Missing gnu-efi headers.])],
+- [#include <efi.h>])
+ CFLAGS="$CFLAGS_TMP"
+
+ # path to linker script from gnu-efi
+@@ -81,7 +77,7 @@ AC_ARG_WITH([efi-lds],
+ AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds file.]),
+ [],
+ [with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"])
+-EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}"
++EXTRA_LDFLAGS="-Wl,--script=${with_efi_lds}"
+
+ # path to object file from gnu-efi
+ AC_ARG_WITH([efi-crt0],
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
new file mode 100644
index 00000000..67b36b78
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -0,0 +1,45 @@
+SUMMARY = "TCTI module for use with TSS2 libraries in UEFI environment"
+SECTION = "security/tpm"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+DEPENDS = "libtss2-dev libtss2-mu-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
+ file://configure_oe_fixup.patch \
+ file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \
+ file://tpm2-get-caps-fixed.patch \
+ file://fix_header_file.patch \
+ "
+SRCREV = "0241b08f069f0fdb3612f5c1b938144dbe9be811"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig
+
+EFIDIR ?= "/EFI/BOOT"
+
+EFI_ARCH_x86 = "ia32"
+EFI_ARCH_x86-64 = "x86_64"
+
+CFLAGS_append = " -I${STAGING_INCDIR}/efi -I${STAGING_INCDIR}/efi/${EFI_ARCH}"
+
+EXTRA_OECONF_append = " \
+ --with-efi-includedir=${STAGING_INCDIR} \
+ --with-efi-crt0=${STAGING_LIBDIR}/crt0-efi-${EFI_ARCH}.o \
+ --with-efi-lds=${STAGING_LIBDIR}/elf_${EFI_ARCH}_efi.lds \
+"
+
+do_compile_append() {
+ oe_runmake example
+}
+
+do_install_append() {
+ install -d "${D}${EFIDIR}"
+ install -m 0755 "${B}"/example/*.efi "${D}${EFIDIR}"
+}
+
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+
+FILES_${PN} += "${EFIDIR}"
+
+RDEPENDS_${PN} = "gnu-efi libtss2-mu"
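Review bot: `do_install_append` copies the built example applications into `${EFIDIR}` (`/EFI/BOOT` by default) of the target rootfs and `FILES_${PN}` puts them in the main package, so installing the TCTI library also drops unsigned demo EFI binaries into the directory name that image tooling commonly copies onto the ESP. I would package them separately, e.g. `PACKAGE_BEFORE_PN = "${PN}-examples"` with `FILES_${PN}-examples = "${EFIDIR}"`, and add a comment that they are demos rather than boot loaders. If the EFI objects are linked statically against gnu-efi, as is usual, the runtime `RDEPENDS_${PN} = "gnu-efi ..."` may also be unnecessary; worth confirming against the produced binaries.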
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb
new file mode 100644
index 00000000..e90dcfe6
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Tools for TPM2."
+DESCRIPTION = "tpm2-tools"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=0eb1216e46938bd723098d93a23c3bcc"
+SECTION = "tpm"
+
+DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "701ae9e8c8cbdd37d89c8ad774f55395"
+SRC_URI[sha256sum] = "40b9263d8b949bd2bc03a3cd60fa242e27116727467f9bbdd0b5f2539a25a7b1"
+SRC_URI[sha1sum] = "d097d321237983435f05c974533ad90e6f20acef"
+SRC_URI[sha384sum] = "396547f400e4f5626d7741d77ec543f312d94e6697899f4c36260d15fab3f4f971ad2c0487e6eaa2d60256f3cf68f85f"
+SRC_URI[sha512sum] = "25952cf947f0acd16b1a8dbd3ac8573bce85ff970a7e24c290c4f9cd29418e77a3e48ac82c932fbd250887a9303ab301ff92db594c2fffaba47b873382444d26"
+
+inherit autotools pkgconfig bash-completion
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb
new file mode 100644
index 00000000..0dad6730
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Attest the trustworthiness of a device against a human using time-based one-time passwords"
+
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1"
+
+SECTION = "security/tpm"
+
+DEPENDS = "autoconf-archive libtss2-dev qrencode"
+
+PE = "1"
+
+SRCREV = "994b4203e4769baefa6e7719915629bc8210e90a"
+SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.2.x \
+ "
+
+inherit autotools-brokensep pkgconfig
+
+S = "${WORKDIR}/git"
diff --git a/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb
new file mode 100644
index 00000000..3641b1b7
--- /dev/null
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb
@@ -0,0 +1,23 @@
+SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL."
+DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures."
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=7b3ab643b9ce041de515d1ed092a36d4"
+
+SECTION = "security/tpm"
+
+DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
+
+SRCREV = "fdc8f65dfc8bad8b5a3aed181fae338267308f70"
+SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git"
+
+inherit autotools-brokensep pkgconfig systemd
+
+S = "${WORKDIR}/git"
+
+PACKAGES += "${PN}-engines ${PN}-engines-staticdev ${PN}-bash-completion"
+
+FILES_${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*"
+FILES_${PN}-engines = "${libdir}/engines-1.1/lib*.so*"
+FILES_${PN}-engines-staticdev = "${libdir}/engines-1.1/libtpm2tss.a"
+FILES_${PN}-bash-completion += "${datadir}/bash-completion/completions"
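Review bot: `FILES_${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*"` puts `tpm2tss.so` into the -dev package; if, as in upstream's install layout, that file is the link OpenSSL resolves when `-engine tpm2tss` is requested, the engine will not load on a target that has only `${PN}-engines` installed. The link belongs next to `libtpm2tss.so` in `FILES_${PN}-engines`, with `-dev` keeping just the headers; please confirm against the installed tree. `inherit ... systemd` is pulled in without any `SYSTEMD_SERVICE` setting and can be dropped unless the engine ships a unit.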
diff --git a/external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4 b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
index d383ad5c..d383ad5c 100644
--- a/external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
diff --git a/external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
index ecaca6ea..ecaca6ea 100644
--- a/external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
diff --git a/external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.2.bb
index 9d1ff72f..135efed8 100644
--- a/external/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb
+++ b/external/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.2.bb
@@ -1,24 +1,29 @@
SUMMARY = "Software stack for TPM2."
-DESCRIPTION = "tpm2.0-tss like woah."
+DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) "
LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=0b1d631c4218b72f6b05cb58613606f4"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
SECTION = "tpm"
-DEPENDS = "autoconf-archive-native libgcrypt"
+DEPENDS = "autoconf-archive-native libgcrypt openssl"
-SRCREV = "dc31e8dca9dbc77d16e419dc514ce8c526cd3351"
+SRCREV = "a99e733ba66c359502689a9c42fd5e02ed1dd7d6"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.0.x"
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+SRC_URI[md5sum] = "fb7e6d371959a65dc6d129af81739742"
+SRC_URI[sha256sum] = "82929a0611f39246e09202702a61b54c980ab694626c1f5823520ddf75024fa6"
+SRC_URI[sha1sum] = "c24ce8b20a8686ada775239389292f6d78020668"
+SRC_URI[sha384sum] = "a0c023c024efb6c9906df1e143d692f44433de332b616dc0584c9b4cd4fb0ad544308f291892e91c5a52ef1a4b2abf7f"
+SRC_URI[sha512sum] = "7b679b54f3478c3adee5b6c3135cbe491ffd9f4712991f465edbd6c7d2831e5f1537038ec36f288e9545c719d5d167b61116c924cf5d816220615d0b58a1d436"
-inherit autotools-brokensep pkgconfig systemd
+inherit autotools pkgconfig systemd extrausers
-S = "${WORKDIR}/git"
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
+
+EXTRA_OECONF += "--enable-static --with-udevrulesdir=${base_prefix}/lib/udev/rules.d/"
+EXTRA_OECONF_remove = " --disable-static"
-do_configure_prepend () {
- ./bootstrap
-}
-INHERIT += "extrausers"
EXTRA_USERS_PARAMS = "\
useradd -p '' tss; \
groupadd tss; \
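Review bot: The `tss` service account is still created with `useradd -p '' tss;` after the move from `INHERIT += "extrausers"` to `inherit ... extrausers`, and an empty `-p` value stores an empty password hash, which login stacks that accept empty passwords (pam_unix with nullok, busybox login) can treat as "no credential required"; for a daemon account the `-p` argument should be dropped so useradd defaults to a locked password, and a non-login shell set: `useradd -r -s /bin/false tss;`. Separately, `PACKAGECONFIG[oxygen]` reads like a typo for `doxygen` given its disable side `--disable-doxygen-doc`, so the option cannot be enabled under the name a user would look for. The `EXTRA_USERS_PARAMS` assignment continues past the end of the hunk.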
@@ -71,4 +76,6 @@ FILES_libtss2-dev = " \
${libdir}/libtss2*so"
FILES_libtss2-staticdev = "${libdir}/libtss*a"
-FILES_${PN} = "${libdir}/udev"
+FILES_${PN} = "${libdir}/udev ${base_prefix}/lib/udev"
+
+RDEPENDS_libtss2 = "libgcrypt"
diff --git a/external/meta-security/recipes-core/busybox/busybox_%.bbappend b/external/meta-security/recipes-core/busybox/busybox_%.bbappend
index 8bb0706e..27a24824 100644
--- a/external/meta-security/recipes-core/busybox/busybox_%.bbappend
+++ b/external/meta-security/recipes-core/busybox/busybox_%.bbappend
@@ -1,3 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://head.cfg"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'busybox_libsecomp.inc', '', d)}
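Review bot: The include is gated on `ptest` in DISTRO_FEATURES while the file it pulls in is named `busybox_libsecomp.inc`, so the link between the condition and the busybox config fragment is not visible from this line and a later reader may "correct" the feature name. A one-line comment would pin the intent, e.g. `# head.cfg appears to add busybox head options needed by the libseccomp ptest suite; only pulled in when ptest images are built`. I cannot see head.cfg from this diff, so the wording should be checked against what that fragment actually enables.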
diff --git a/external/meta-security/recipes-core/busybox/busybox_libsecomp.inc b/external/meta-security/recipes-core/busybox/busybox_libsecomp.inc
new file mode 100644
index 00000000..4af22ce3
--- /dev/null
+++ b/external/meta-security/recipes-core/busybox/busybox_libsecomp.inc
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/busybox:"
+
+SRC_URI_append = " file://head.cfg"
diff --git a/external/meta-security/recipes-core/images/dm-verity-image-initramfs.bb b/external/meta-security/recipes-core/images/dm-verity-image-initramfs.bb
new file mode 100644
index 00000000..f9ea3762
--- /dev/null
+++ b/external/meta-security/recipes-core/images/dm-verity-image-initramfs.bb
@@ -0,0 +1,26 @@
+DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper."
+
+# We want a clean, minimal image.
+IMAGE_FEATURES = ""
+
+PACKAGE_INSTALL = " \
+ initramfs-dm-verity \
+ base-files \
+ busybox \
+ util-linux-mount \
+ udev \
+ cryptsetup \
+ lvm2-udevrules \
+"
+
+# Can we somehow inspect reverse dependencies to avoid these variables?
+do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
+
+IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
+
+inherit core-image
+
+deploy_verity_hash() {
+ install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env
+}
+ROOTFS_POSTPROCESS_COMMAND += "deploy_verity_hash;"
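Review bot: `deploy_verity_hash` copies the verity root hash (the `.verity.env` file) into the initramfs as plain data, so the rootfs integrity guarantee is only as strong as the protection of the initramfs and kernel that carry it, and nothing in the recipe states that assumption. Suggest a comment above `deploy_verity_hash()`: `# The root hash installed here is the trust anchor for the rootfs; the initramfs/kernel carrying it must themselves be authenticated by the boot chain (signed kernel, verified boot), otherwise the verity check can be bypassed by replacing the initramfs.` The `.verity.env` file is produced elsewhere in this commit, so the comment should be kept in sync with that producer's output name.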
diff --git a/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb b/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb
new file mode 100644
index 00000000..b6149565
--- /dev/null
+++ b/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb
@@ -0,0 +1,13 @@
+SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = "file://init-dm-verity.sh"
+
+do_install() {
+ install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init
+ install -d ${D}/dev
+ mknod -m 622 ${D}/dev/console c 5 1
+}
+
+FILES_${PN} = "/init /dev/console"
diff --git a/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh b/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
new file mode 100644
index 00000000..307d2c74
--- /dev/null
+++ b/external/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+RDEV=""
+ROOT_DIR="/new_root"
+
+mkdir -p /proc
+mkdir -p /sys
+mkdir -p /run
+mkdir -p /tmp
+mount -t proc proc /proc
+mount -t sysfs sysfs /sys
+mount -t devtmpfs none /dev
+
+udevd --daemon
+udevadm trigger --type=subsystems --action=add
+udevadm trigger --type=devices --action=add
+udevadm settle --timeout=10
+
+for PARAM in $(cat /proc/cmdline); do
+ case $PARAM in
+ root=*)
+ RDEV=${PARAM#root=}
+ ;;
+ esac
+done
+
+if ! [ -b $RDEV ]; then
+ echo "Missing root command line argument!"
+ exit 1
+fi
+
+case $RDEV in
+ UUID=*)
+ RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=})
+ ;;
+esac
+
+. /usr/share/dm-verity.env
+
+echo "Mounting $RDEV over dm-verity as the root filesystem"
+
+veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH
+mkdir -p $ROOT_DIR
+mount -o ro /dev/mapper/rootfs $ROOT_DIR
+exec switch_root $ROOT_DIR /sbin/init
diff --git a/external/meta-security/recipes-ids/samhain/files/fix-build-with-new-version-attr.patch b/external/meta-security/recipes-ids/samhain/files/fix-build-with-new-version-attr.patch
new file mode 100644
index 00000000..eaf30dbb
--- /dev/null
+++ b/external/meta-security/recipes-ids/samhain/files/fix-build-with-new-version-attr.patch
@@ -0,0 +1,73 @@
+From e67acafa62f71f0015ed548918b98ed0b1ded128 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sun, 19 Jan 2020 15:53:48 +0800
+Subject: [PATCH] fix build with new version attr
+
+The attr/xattr.h has been removed from attr 2.4.48 with commit:
+http://git.savannah.nongnu.org/cgit/attr.git/commit/include?id=7921157890d07858d092f4003ca4c6bae9fd2c38
+The xattr syscalls are provided by sys/xattr.h from glibc now.
+Remove the checking code to adapt it.
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ aclocal.m4 | 26 +++++++++++---------------
+ src/sh_unix.c | 2 +-
+ 2 files changed, 12 insertions(+), 16 deletions(-)
+
+diff --git a/aclocal.m4 b/aclocal.m4
+index ee5b204..38cef8e 100644
+--- a/aclocal.m4
++++ b/aclocal.m4
+@@ -1453,23 +1453,19 @@ AC_DEFUN([sh_CHECK_POSIX_ACL],
+
+ AC_DEFUN([sh_CHECK_XATTR],
+ [
+- AC_CHECK_HEADERS(attr/xattr.h)
+- if test $ac_cv_header_attr_xattr_h = yes; then
+-
+- AC_CHECK_LIB([attr], [getxattr], sh_lattr=yes, sh_lattr=no)
+- if test x"$sh_lattr" = xyes; then
+- LIBATTR=-lattr
+- else
+- LIBATTR=
+- fi
+-
+- OLDLIBS="$LIBS"
+- LIBS="$LIBS $LIBATTR"
+- AC_CHECK_FUNCS([getxattr lgetxattr fgetxattr],
+- [sh_fattr=yes],[sh_fattr=no])
+- LIBS="$OLDLIBS"
++ AC_CHECK_LIB([attr], [getxattr], sh_lattr=yes, sh_lattr=no)
++ if test x"$sh_lattr" = xyes; then
++ LIBATTR=-lattr
++ else
++ LIBATTR=
+ fi
+
++ OLDLIBS="$LIBS"
++ LIBS="$LIBS $LIBATTR"
++ AC_CHECK_FUNCS([getxattr lgetxattr fgetxattr],
++ [sh_fattr=yes],[sh_fattr=no])
++ LIBS="$OLDLIBS"
++
+ if test x"$sh_fattr" = xyes; then
+ AC_DEFINE(USE_XATTR, 1, [Define if you want extended attributes support.])
+ LIBS="$LIBS $LIBATTR"
+diff --git a/src/sh_unix.c b/src/sh_unix.c
+index 3ede57f..ef236e9 100644
+--- a/src/sh_unix.c
++++ b/src/sh_unix.c
+@@ -3681,7 +3681,7 @@ static char * sh_unix_getinfo_acl (char * path, int fd, struct stat * buf)
+
+ #ifdef USE_XATTR
+
+-#include <attr/xattr.h>
++#include <sys/xattr.h>
+ static char * sh_unix_getinfo_xattr_int (char * path, int fd, char * name)
+ {
+ char * out = NULL;
+--
+2.7.4
+
diff --git a/external/meta-security/recipes-security/samhain/files/run-ptest b/external/meta-security/recipes-ids/samhain/files/run-ptest
index 2a4a7653..2a4a7653 100755
--- a/external/meta-security/recipes-security/samhain/files/run-ptest
+++ b/external/meta-security/recipes-ids/samhain/files/run-ptest
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch b/external/meta-security/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
index 088a938e..088a938e 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch b/external/meta-security/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
index 6bf67e09..6bf67e09 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-client.default b/external/meta-security/recipes-ids/samhain/files/samhain-client.default
index 9899577a..9899577a 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-client.default
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-client.default
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-client.init b/external/meta-security/recipes-ids/samhain/files/samhain-client.init
index d5fabede..d5fabede 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-client.init
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-client.init
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch b/external/meta-security/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch
index 8de0735f..8de0735f 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch b/external/meta-security/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
index 06086606..06086606 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch b/external/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
index 52843131..52843131 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-pid-path.patch b/external/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch
index 592bd165..592bd165 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-pid-path.patch
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch b/external/meta-security/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
index dad6b150..dad6b150 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch b/external/meta-security/recipes-ids/samhain/files/samhain-samhainrc.patch
index 145700a0..145700a0 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-samhainrc.patch
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-server-volatiles b/external/meta-security/recipes-ids/samhain/files/samhain-server-volatiles
index 6b807093..6b807093 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-server-volatiles
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-server-volatiles
diff --git a/external/meta-security/recipes-ids/samhain/files/samhain-server-volatiles.conf b/external/meta-security/recipes-ids/samhain/files/samhain-server-volatiles.conf
new file mode 100644
index 00000000..f2ea3903
--- /dev/null
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-server-volatiles.conf
@@ -0,0 +1 @@
+d /var/log/yule 0775 daemon daemon -
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-server.default b/external/meta-security/recipes-ids/samhain/files/samhain-server.default
index bc3d67cd..bc3d67cd 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-server.default
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-server.default
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-server.init b/external/meta-security/recipes-ids/samhain/files/samhain-server.init
index c456e51c..c456e51c 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-server.init
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-server.init
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch b/external/meta-security/recipes-ids/samhain/files/samhain-sha256-big-endian.patch
index 3065c730..3065c730 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-sha256-big-endian.patch
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-standalone.default b/external/meta-security/recipes-ids/samhain/files/samhain-standalone.default
index 507a59f2..507a59f2 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-standalone.default
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-standalone.default
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-standalone.init b/external/meta-security/recipes-ids/samhain/files/samhain-standalone.init
index 2f23bffd..2f23bffd 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain-standalone.init
+++ b/external/meta-security/recipes-ids/samhain/files/samhain-standalone.init
diff --git a/external/meta-security/recipes-security/samhain/files/samhain.service b/external/meta-security/recipes-ids/samhain/files/samhain.service
index e4f216ab..e4f216ab 100644
--- a/external/meta-security/recipes-security/samhain/files/samhain.service
+++ b/external/meta-security/recipes-ids/samhain/files/samhain.service
diff --git a/external/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb b/external/meta-security/recipes-ids/samhain/samhain-client.bb
index 812408e5..0f53a8cd 100644
--- a/external/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb
+++ b/external/meta-security/recipes-ids/samhain/samhain-client.bb
@@ -9,3 +9,4 @@ EXTRA_OECONF += " \
"
RDEPENDS_${PN} = "acl zlib attr bash"
+RCONFLICTS_${PN} = "samhain-standalone"
diff --git a/external/meta-security/recipes-ids/samhain/samhain-server.bb b/external/meta-security/recipes-ids/samhain/samhain-server.bb
new file mode 100644
index 00000000..e7a3aa62
--- /dev/null
+++ b/external/meta-security/recipes-ids/samhain/samhain-server.bb
@@ -0,0 +1,29 @@
+INITSCRIPT_PARAMS = "defaults 14 86"
+
+require samhain.inc
+
+DEPENDS = "gmp"
+
+SRC_URI += "file://samhain-server-volatiles \
+ file://samhain-server-volatiles.conf \
+ "
+
+TARGET_CC_ARCH += "${LDFLAGS}"
+
+do_install_append() {
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ install -m 0644 ${WORKDIR}/samhain-server-volatiles.conf \
+ ${D}${sysconfdir}/tmpfiles.d/samhain-server.conf
+ else
+ install -d ${D}${sysconfdir}/default/volatiles
+ install -m 0644 ${WORKDIR}/samhain-server-volatiles \
+ ${D}${sysconfdir}/default/volatiles/samhain-server
+ fi
+
+ install -m 700 samhain-install.sh init/samhain.startLinux \
+ init/samhain.startLSB ${D}/var/lib/samhain
+}
+
+RDEPENDS_${PN} += "gmp bash perl"
+RCONFLICTS_${PN} = "samhain-standalone"
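Review bot: `DEPENDS = "gmp"` is a plain assignment placed after `require samhain.inc`, so it discards any DEPENDS the include sets; if samhain.inc declares build dependencies (not visible from this hunk), this should be `DEPENDS += "gmp"`. The last install line also hard-codes `${D}/var/lib/samhain` while the rest of the recipe uses path variables; `${D}${localstatedir}/lib/samhain` keeps it consistent, and since `install -m 700 a b c DIR` requires DIR to exist, it relies on the include's do_install having created it — worth confirming or adding `install -d` first.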
diff --git a/external/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb b/external/meta-security/recipes-ids/samhain/samhain-standalone.bb
index 4fed9e9e..4fed9e9e 100644
--- a/external/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb
+++ b/external/meta-security/recipes-ids/samhain/samhain-standalone.bb
diff --git a/external/meta-security/recipes-security/samhain/samhain.inc b/external/meta-security/recipes-ids/samhain/samhain.inc
index 944bf0d0..b867bbc4 100644
--- a/external/meta-security/recipes-security/samhain/samhain.inc
+++ b/external/meta-security/recipes-ids/samhain/samhain.inc
@@ -3,9 +3,9 @@ HOMEPAGE = "http://www.la-samhna.de/samhain/"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"
+PV = "4.3.3"
SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
- file://samhain-cross-compile.patch \
file://samhain-mips64-aarch64-dnmalloc-hash-fix.patch \
file://samhain-samhainrc.patch \
file://samhain-samhainrc-fix-files-dirs-path.patch \
@@ -14,13 +14,14 @@ SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
file://samhain-configure-add-option-for-ps.patch \
file://samhain-avoid-searching-host-for-postgresql.patch \
file://samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch \
+ file://fix-build-with-new-version-attr.patch \
file://${INITSCRIPT_NAME}.init \
file://${INITSCRIPT_NAME}.default \
file://samhain.service \
"
-SRC_URI[md5sum] = "a00e99375675fc6e50cca3e208f5207e"
-SRC_URI[sha256sum] = "8551dc3b0851889a2b979097e9c02309b40d48b4659f02efe7fe525ce8361a0d"
+SRC_URI[md5sum] = "7be46ae7d03f53ba21afafd41cff8926"
+SRC_URI[sha256sum] = "33ad4bc3dad4699694553bd9635a6b5827939f965d1f0f05fce0b4e9cdadf21b"
UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
@@ -66,6 +67,9 @@ PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
PACKAGECONFIG[audit] = "ac_cv_header_auparse_h=yes,ac_cv_header_auparse_h=no,audit"
PACKAGECONFIG[ps] = "--with-ps-path=${base_bindir}/ps,,,procps"
+EXTRA_OEMAKE_append_aarch64 = " CPPFLAGS+=-DCONFIG_ARCH_AARCH64=1"
+EXTRA_OEMAKE_append_mips64 = " CPPFLAGS+=-DCONFIG_ARCH_MIPS64=1"
+
do_unpack_samhain() {
cd ${WORKDIR}
tar -xzvf samhain-${PV}.tar.gz
@@ -157,6 +161,8 @@ do_install_append () {
if [ -d ${D}${localstatedir}/run ]; then
rmdir ${D}${localstatedir}/run
fi
+
+ rm -rf ${D}${localstatedir}/log
}
FILES_${PN} += "${systemd_system_unitdir}"
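Review bot: `rm -rf ${D}${localstatedir}/log` drops the log directory from every samhain package built from this include, but as far as this diff shows only `samhain-server` ships a volatiles/tmpfiles entry (`/var/log/yule`) to recreate a log location at runtime; unless the client and standalone variants create theirs some other way, they will start without one. If that is intended, a comment at the `rm` line would make it explicit: `# /var/log is volatile on target; the server recreates /var/log/yule via tmpfiles/volatiles, the other variants log elsewhere`. The enclosing `do_install_append` starts outside the hunk.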
diff --git a/external/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch b/external/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch
new file mode 100644
index 00000000..530568b1
--- /dev/null
+++ b/external/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch
@@ -0,0 +1,26 @@
+From b37554e0bc3cf383e6547c5c6a69c6f6849c09e3 Mon Sep 17 00:00:00 2001
+From: Eric Leblond <eric@regit.org>
+Date: Wed, 17 Jul 2019 12:35:12 +0200
+Subject: [PATCH] af-packet: fix build on recent Linux kernels
+
+Upstream-Status: Backport
+Signed-off-by: Armin kuster <akuster808@gmail.com>
+---
+ src/source-af-packet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: suricata-4.1.5/src/source-af-packet.c
+===================================================================
+--- suricata-4.1.5.orig/src/source-af-packet.c
++++ suricata-4.1.5/src/source-af-packet.c
+@@ -68,6 +68,10 @@
+ #include <linux/sockios.h>
+ #endif
+
++#if HAVE_LINUX_SOCKIOS_H
++#include <linux/sockios.h>
++#endif
++
+ #ifdef HAVE_PACKET_EBPF
+ #include "util-ebpf.h"
+ #include <bpf/libbpf.h>
diff --git a/external/meta-security/recipes-security/suricata/files/no_libhtp_build.patch b/external/meta-security/recipes-ids/suricata/files/no_libhtp_build.patch
index 2ebf021f..2ebf021f 100644
--- a/external/meta-security/recipes-security/suricata/files/no_libhtp_build.patch
+++ b/external/meta-security/recipes-ids/suricata/files/no_libhtp_build.patch
diff --git a/external/meta-security/recipes-security/suricata/files/run-ptest b/external/meta-security/recipes-ids/suricata/files/run-ptest
index 666ba9c9..666ba9c9 100644
--- a/external/meta-security/recipes-security/suricata/files/run-ptest
+++ b/external/meta-security/recipes-ids/suricata/files/run-ptest
diff --git a/external/meta-security/recipes-security/suricata/files/suricata.service b/external/meta-security/recipes-ids/suricata/files/suricata.service
index a99a76ef..a99a76ef 100644
--- a/external/meta-security/recipes-security/suricata/files/suricata.service
+++ b/external/meta-security/recipes-ids/suricata/files/suricata.service
diff --git a/external/meta-security/recipes-security/suricata/files/suricata.yaml b/external/meta-security/recipes-ids/suricata/files/suricata.yaml
index 8d06a274..8d06a274 100644
--- a/external/meta-security/recipes-security/suricata/files/suricata.yaml
+++ b/external/meta-security/recipes-ids/suricata/files/suricata.yaml
diff --git a/external/meta-security/recipes-ids/suricata/files/tmpfiles.suricata b/external/meta-security/recipes-ids/suricata/files/tmpfiles.suricata
new file mode 100644
index 00000000..fbf37848
--- /dev/null
+++ b/external/meta-security/recipes-ids/suricata/files/tmpfiles.suricata
@@ -0,0 +1,2 @@
+#Type Path Mode UID GID Age Argument
+d /var/log/suricata 0755 root root
diff --git a/external/meta-security/recipes-security/suricata/files/volatiles.03_suricata b/external/meta-security/recipes-ids/suricata/files/volatiles.03_suricata
index 4627bd3b..4627bd3b 100644
--- a/external/meta-security/recipes-security/suricata/files/volatiles.03_suricata
+++ b/external/meta-security/recipes-ids/suricata/files/volatiles.03_suricata
diff --git a/external/meta-security/recipes-security/suricata/libhtp_0.5.27.bb b/external/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb
index 8305f701..8305f701 100644
--- a/external/meta-security/recipes-security/suricata/libhtp_0.5.27.bb
+++ b/external/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb
diff --git a/external/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb b/external/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
new file mode 100644
index 00000000..0070b5bc
--- /dev/null
+++ b/external/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
@@ -0,0 +1,15 @@
+SUMMARY = "The tool for updating your Suricata rules. "
+HOMEPAGE = "http://suricata-ids.org/"
+SECTION = "security Monitor/Admin"
+LICENSE = "GPLv2"
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+SRCREV = "9630630ffc493ca26299d174ee2066aa1405b2d4"
+SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.1.x'"
+
+S = "${WORKDIR}/git"
+
+inherit python3native setuptools3
+
+RDEPENDS_${PN} = "python3-pyyaml"
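Review bot: The branch parameter in `SRC_URI` carries literal single quotes, `branch='master-1.1.x'`, and as far as I can tell the git fetcher uses the parameter value verbatim as the ref name, so the revision check will be made against a branch that does not exist; it should read `SRC_URI = "git://github.com/OISF/suricata-update;branch=master-1.1.x;protocol=https"`. Adding `protocol=https` also replaces the unauthenticated `git://` transport; content integrity is already pinned by the full SRCREV, so this is transport hygiene rather than a content risk.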
diff --git a/external/meta-security/recipes-security/suricata/suricata.inc b/external/meta-security/recipes-ids/suricata/suricata.inc
index 1f421210..3adbcf6d 100644
--- a/external/meta-security/recipes-security/suricata/suricata.inc
+++ b/external/meta-security/recipes-ids/suricata/suricata.inc
@@ -2,8 +2,8 @@ HOMEPAGE = "http://suricata-ids.org/"
SECTION = "security Monitor/Admin"
LICENSE = "GPLv2"
-VER = "4.0.5"
+VER = "4.1.6"
SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-SRC_URI[md5sum] = "ea0cb823d6a86568152f75ade6de442f"
-SRC_URI[sha256sum] = "74dacb4359d57fbd3452e384eeeb1dd77b6ae00f02e9994ad5a7b461d5f4c6c2"
+SRC_URI[md5sum] = "da5de1e8053f05cbd295793210117d34"
+SRC_URI[sha256sum] = "8441ac89016106459ade2112fcde58b3f789e4beb2fd8bfa081ffb75eec75fe0"
diff --git a/external/meta-security/recipes-security/suricata/suricata_4.0.5.bb b/external/meta-security/recipes-ids/suricata/suricata_4.1.6.bb
index 6c0a109b..9b7122b9 100644
--- a/external/meta-security/recipes-security/suricata/suricata_4.0.5.bb
+++ b/external/meta-security/recipes-ids/suricata/suricata_4.1.6.bb
@@ -4,19 +4,15 @@ require suricata.inc
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-SRC_URI += "file://emerging.rules.tar.gz;name=rules"
-
SRC_URI += " \
- file://volatiles.03_suricata \
- file://suricata.yaml \
- file://suricata.service \
- file://run-ptest \
- "
-
-SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33"
-SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798"
+ file://volatiles.03_suricata \
+ file://tmpfiles.suricata \
+ file://suricata.yaml \
+ file://suricata.service \
+ file://run-ptest \
+ "
-inherit autotools-brokensep pkgconfig python-dir systemd ptest
+inherit autotools-brokensep pkgconfig python3-dir systemd ptest
CFLAGS += "-D_DEFAULT_SOURCE"
@@ -26,6 +22,7 @@ CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create
EXTRA_OECONF += " --disable-debug \
--enable-non-bundled-htp \
--disable-gccmarch-native \
+ --disable-suricata-update \
"
PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
@@ -44,7 +41,7 @@ PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-li
PACKAGECONFIG[file] = ",,file, file"
PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3"
PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
export logdir = "${localstatedir}/log"
@@ -55,9 +52,6 @@ do_install_append () {
oe_runmake install-conf DESTDIR=${D}
- # mimic move of downloaded rules to e_sysconfrulesdir
- cp -rf ${WORKDIR}/rules ${D}${sysconfdir}/suricata
-
oe_runmake install-rules DESTDIR=${D}
install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
@@ -65,14 +59,19 @@ do_install_append () {
install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
- install -d ${D}${systemd_unitdir}/system
- sed -e s:/etc:${sysconfdir}:g \
- -e s:/var/run:/run:g \
- -e s:/var:${localstatedir}:g \
- -e s:/usr/bin:${bindir}:g \
- -e s:/bin/kill:${base_bindir}/kill:g \
- -e s:/usr/lib:${libdir}:g \
- ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
+
+ install -d ${D}${systemd_unitdir}/system
+ sed -e s:/etc:${sysconfdir}:g \
+ -e s:/var/run:/run:g \
+ -e s:/var:${localstatedir}:g \
+ -e s:/usr/bin:${bindir}:g \
+ -e s:/bin/kill:${base_bindir}/kill:g \
+ -e s:/usr/lib:${libdir}:g \
+ ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+ fi
# Remove /var/run as it is created on startup
rm -rf ${D}${localstatedir}/run
@@ -80,7 +79,9 @@ do_install_append () {
}
pkg_postinst_ontarget_${PN} () {
-if [ -e /etc/init.d/populate-volatile.sh ] ; then
+if command -v systemd-tmpfiles >/dev/null; then
+ systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf
+elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
}
@@ -88,7 +89,7 @@ fi
SYSTEMD_PACKAGES = "${PN}"
PACKAGES =+ "${PN}-socketcontrol"
-FILES_${PN} += "${systemd_unitdir}"
+FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
diff --git a/external/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch b/external/meta-security/recipes-ids/tripwire/files/add_armeb_arch.patch
index 2379d665..2379d665 100644
--- a/external/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch
+++ b/external/meta-security/recipes-ids/tripwire/files/add_armeb_arch.patch
diff --git a/external/meta-security/recipes-security/tripwire/files/run-ptest b/external/meta-security/recipes-ids/tripwire/files/run-ptest
index aedfddc5..aedfddc5 100644
--- a/external/meta-security/recipes-security/tripwire/files/run-ptest
+++ b/external/meta-security/recipes-ids/tripwire/files/run-ptest
diff --git a/external/meta-security/recipes-security/tripwire/files/tripwire.cron b/external/meta-security/recipes-ids/tripwire/files/tripwire.cron
index 2035508d..2035508d 100644
--- a/external/meta-security/recipes-security/tripwire/files/tripwire.cron
+++ b/external/meta-security/recipes-ids/tripwire/files/tripwire.cron
diff --git a/external/meta-security/recipes-security/tripwire/files/tripwire.sh b/external/meta-security/recipes-ids/tripwire/files/tripwire.sh
index 4276d10e..4276d10e 100644
--- a/external/meta-security/recipes-security/tripwire/files/tripwire.sh
+++ b/external/meta-security/recipes-ids/tripwire/files/tripwire.sh
diff --git a/external/meta-security/recipes-security/tripwire/files/tripwire.txt b/external/meta-security/recipes-ids/tripwire/files/tripwire.txt
index 332d0042..332d0042 100644
--- a/external/meta-security/recipes-security/tripwire/files/tripwire.txt
+++ b/external/meta-security/recipes-ids/tripwire/files/tripwire.txt
diff --git a/external/meta-security/recipes-security/tripwire/files/twcfg.txt b/external/meta-security/recipes-ids/tripwire/files/twcfg.txt
index 224e9201..224e9201 100644
--- a/external/meta-security/recipes-security/tripwire/files/twcfg.txt
+++ b/external/meta-security/recipes-ids/tripwire/files/twcfg.txt
diff --git a/external/meta-security/recipes-security/tripwire/files/twinstall.sh b/external/meta-security/recipes-ids/tripwire/files/twinstall.sh
index 7d1b63fe..7d1b63fe 100644
--- a/external/meta-security/recipes-security/tripwire/files/twinstall.sh
+++ b/external/meta-security/recipes-ids/tripwire/files/twinstall.sh
diff --git a/external/meta-security/recipes-security/tripwire/files/twpol-yocto.txt b/external/meta-security/recipes-ids/tripwire/files/twpol-yocto.txt
index 65f5f750..65f5f750 100644
--- a/external/meta-security/recipes-security/tripwire/files/twpol-yocto.txt
+++ b/external/meta-security/recipes-ids/tripwire/files/twpol-yocto.txt
diff --git a/external/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb b/external/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
index 59d1f35c..4f50bff7 100644
--- a/external/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb
+++ b/external/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -6,7 +6,7 @@ SECTION = "security Monitor/Admin"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127"
-SRCREV = "80db91b4c1ca4be9efafd2286e3b2ad32ba4c34c"
+SRCREV = "6e64a9e5b70a909ec439bc5a099e3fcf38c614b0"
SRC_URI = "\
git://github.com/Tripwire/tripwire-open-source.git \
@@ -52,6 +52,7 @@ do_install () {
install -m 0644 ${S}/man/man4/* ${D}${mandir}/man4
install -m 0644 ${S}/man/man5/* ${D}${mandir}/man5
install -m 0644 ${S}/man/man8/* ${D}${mandir}/man8
+ rm ${D}${mandir}/man*/Makefile*
install -m 0644 ${S}/policy/templates/* ${D}${docdir}/${BPN}/templates
install -m 0644 ${S}/policy/*txt ${D}${docdir}/${BPN}
install -m 0644 ${S}/COPYING ${D}${docdir}/${BPN}
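Review bot: `rm ${D}${mandir}/man*/Makefile*` has no `-f`, so a source tree in which one of those directories carries no Makefile leaves the glob unexpanded and the `rm` fails, aborting do_install; `rm -f ${D}${mandir}/man*/Makefile*` keeps the cleanup idempotent. The root cause is the preceding `install -m 0644 ${S}/man/manN/*`, which copies every file in the directory, so installing only the page files would remove the need for the cleanup if their names are predictable. do_install continues outside the hunk.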
@@ -62,6 +63,7 @@ do_install () {
do_install_ptest_append () {
install -d ${D}${PTEST_PATH}/tests
cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH}
+ sed -i -e 's@../../../../bin@${sbindir}@' ${D}${PTEST_PATH}/twtools.pm
}
FILES_${PN} += "${libdir} ${docdir}/${PN}/*"
@@ -70,4 +72,4 @@ FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a"
FILES_${PN}-ptest += "${PTEST_PATH}/tests "
RDEPENDS_${PN} += " perl nano msmtp cronie"
-RDEPENDS_${PN}-ptest = " perl lib-perl"
+RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules "
diff --git a/external/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend b/external/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend
new file mode 100644
index 00000000..76b5df55
--- /dev/null
+++ b/external/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend
@@ -0,0 +1,4 @@
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}"
+
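Review bot: The `%` in `linux-%_5.%.bbappend` is, as far as I know, matched by the bitbake of this period on the prefix before the first `%` only, so the append applies to every recipe whose name starts with `linux-` rather than to 5.x kernels, and on `linux-yocto_5.x` and `linux-yocto-dev` it stacks on `linux-yocto_5.%.bbappend` and `linux-yocto-dev.bbappend`, which repeat the apparmor and smack lines and omit the yama one. If the goal is one set of LSM features for all kernels, keep this file and drop the two duplicates; if it is 5.x only, the version part cannot be expressed this way and the fully named appends are the ones to keep. The deleted fragments pinned explicit options (`CONFIG_DEFAULT_SECURITY="smack"`, `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1`, the `CONFIG_AUDIT*` set); nothing in this commit shows what the kernel-cache `.scc` features enable in their place, so the resulting `.config` should be checked for the LSM default before this is relied on.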
diff --git a/external/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend b/external/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend
new file mode 100644
index 00000000..39d4e6f5
--- /dev/null
+++ b/external/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend
@@ -0,0 +1,2 @@
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
diff --git a/external/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg b/external/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
deleted file mode 100644
index 1dc4168e..00000000
--- a/external/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
+++ /dev/null
@@ -1,13 +0,0 @@
-CONFIG_AUDIT=y
-CONFIG_AUDITSYSCALL=y
-CONFIG_AUDIT_WATCH=y
-CONFIG_AUDIT_TREE=y
-# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
-CONFIG_SECURITY_PATH=y
-# CONFIG_SECURITY_SELINUX is not set
-CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
-CONFIG_SECURITY_APPARMOR_HASH=y
-CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
-CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
diff --git a/external/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg b/external/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg
deleted file mode 100644
index b5c48454..00000000
--- a/external/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg
+++ /dev/null
@@ -1,2 +0,0 @@
-CONFIG_DEFAULT_SECURITY="smack"
-CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/external/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg b/external/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg
deleted file mode 100644
index 62f465a4..00000000
--- a/external/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg
+++ /dev/null
@@ -1,8 +0,0 @@
-CONFIG_IP_NF_SECURITY=m
-CONFIG_IP6_NF_SECURITY=m
-CONFIG_EXT2_FS_SECURITY=y
-CONFIG_EXT3_FS_SECURITY=y
-CONFIG_EXT4_FS_SECURITY=y
-CONFIG_SECURITY=y
-CONFIG_SECURITY_SMACK=y
-CONFIG_TMPFS_XATTR=y
diff --git a/external/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend b/external/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
deleted file mode 100644
index 067be8fe..00000000
--- a/external/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ /dev/null
@@ -1,10 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "\
- ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
-"
-
-SRC_URI += "\
- ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \
-"
diff --git a/external/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend b/external/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend
new file mode 100644
index 00000000..39d4e6f5
--- /dev/null
+++ b/external/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -0,0 +1,2 @@
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
diff --git a/external/meta-security/recipes-security/AppArmor/apparmor_2.12.bb b/external/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
index e3f8dc99..552cac70 100644
--- a/external/meta-security/recipes-security/AppArmor/apparmor_2.12.bb
+++ b/external/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -14,44 +14,42 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
DEPENDS = "bison-native apr gettext-native coreutils-native"
SRC_URI = " \
- http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \
+ git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
file://disable_perl_h_check.patch \
file://crosscompile_perl_bindings.patch \
file://apparmor.rc \
file://functions \
file://apparmor \
file://apparmor.service \
+ file://0001-Makefile.am-suppress-perllocal.pod.patch \
file://run-ptest \
"
-SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833"
-SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056"
+SRCREV = "df0ac742f7a1146181d8734d03334494f2015134"
+S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
-inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan
-inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check
+REQUIRED_DISTRO_FEATURES = "apparmor"
-S = "${WORKDIR}/apparmor-${PV}"
-
-PACKAGECONFIG ?="man python perl"
-PACKAGECONFIG[man] = "--enable-man-pages, --disable-man-pages"
+PACKAGECONFIG ??= "python perl aa-decode"
+PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
PACKAGECONFIG[apache2] = ",,apache2,"
+PACKAGECONFIG[aa-decode] = ",,,bash"
PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}"
-
python() {
if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
}
-CONFIGUREOPTS_remove = "--disable-static"
-EXTRA_OECONF_append = " --enable-static"
+DISABLE_STATIC = ""
do_configure() {
cd ${S}/libraries/libapparmor
@@ -60,11 +58,16 @@ do_configure() {
libtoolize --automake -c --force
automake -ac
./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
- sed -i -e 's#^YACC.*#YACC := bison#' ${S}/parser/Makefile
- sed -i -e 's#^LEX.*#LEX := flex#' ${S}/parser/Makefile
}
do_compile () {
+ # Fixes:
+ # | sed -ie 's///g' Makefile.perl
+ # | sed: -e expression #1, char 0: no previous regular expression
+ #| Makefile:478: recipe for target 'Makefile.perl' failed
+ sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
+
+
oe_runmake -C ${B}/libraries/libapparmor
oe_runmake -C ${B}/binutils
oe_runmake -C ${B}/utils
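Review bot: The added `sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile` runs unconditionally, but the perl bindings are optional (`PACKAGECONFIG[perl]`); if `--without-perl` leaves that Makefile ungenerated, `sed -i` on a missing file fails do_compile, and the hunk does not show whether configure always generates it. The recipe already carries `0001-Makefile.am-suppress-perllocal.pod.patch` for the same `Makefile.am`, so the more robust fix is to drop the bad `sed -ie` line in that patch rather than rewriting a generated Makefile at compile time; failing that, guard it the way do_install guards `aa-notify`: `if ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then ... fi`. The two blank lines after the sed are noise. do_compile continues outside the hunk.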
@@ -83,13 +86,21 @@ do_compile () {
do_install () {
install -d ${D}/${INIT_D_DIR}
install -d ${D}/lib/apparmor
-
oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
oe_runmake -C ${B}/binutils DESTDIR="${D}" install
oe_runmake -C ${B}/utils DESTDIR="${D}" install
oe_runmake -C ${B}/parser DESTDIR="${D}" install
oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+ # If perl is disabled this script won't be any good
+ if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-notify
+ fi
+
+ if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-decode
+ fi
+
if test -z "${HTTPD}" ; then
oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
fi
@@ -104,13 +115,24 @@ do_install () {
install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
install ${WORKDIR}/functions ${D}/lib/apparmor
- if [ "${VIRTUAL-RUNTIME_init_manager}" = "systemd" ]; then
+ sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
+ sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
install -d ${D}${systemd_system_unitdir}
- install ${WORKDIR}/apparmor.service \
- ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
fi
}
+#Building ptest on arm fails.
+do_compile_ptest_aarch64 () {
+ :
+}
+
+do_compile_ptest_arm () {
+ :
+}
+
do_compile_ptest () {
oe_runmake -C ${B}/tests/regression/apparmor
oe_runmake -C ${B}/parser/tst
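Review bot: The two `sed -i` edits of `${D}/lib/apparmor/functions` rewrite a file this layer ships itself (`file://functions` in SRC_URI), so the substitutions belong in `files/functions` rather than in a post-install rewrite that silently does nothing once the source text changes. Replacing `getconf _NPROCESSORS_ONLN` with `nproc` and `ls -AU` with `ls -A` in the source file gives the same installed script and keeps what is reviewed in the layer identical to what ships. The arm/aarch64 `do_compile_ptest` stubs would be easier to revisit with the reason recorded, e.g. `# ptest build fails on arm/aarch64 (see <failing build reference>); skipped there`. The enclosing do_install starts outside the hunk.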
@@ -138,22 +160,40 @@ do_install_ptest () {
cp -rf ${B}/binutils ${t}
}
+#Building ptest on arm fails.
+do_install_ptest_aarch64 () {
+ :
+}
+
+do_install_ptest_arm() {
+ :
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ ! -d /etc/apparmor.d/cache ] ; then
+ mkdir /etc/apparmor.d/cache
+fi
+}
+
+# We need the init script so don't rm it
+RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
+
INITSCRIPT_PACKAGES = "${PN}"
INITSCRIPT_NAME = "apparmor"
INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
SYSTEMD_PACKAGES = "${PN}"
SYSTEMD_SERVICE_${PN} = "apparmor.service"
-SYSTEMD_AUTO_ENABLE = "disable"
+SYSTEMD_AUTO_ENABLE ?= "enable"
-PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'mod-${PN}', '', d)}"
+PACKAGES += "mod-${PN}"
FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-ALLOW_EMPTY_${PN} = "1"
-
-RDEPENDS_${PN} += "bash lsb"
-RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}"
+# Add coreutils and findutils only if sysvinit scripts are in use
+RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
-RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib"
+RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
+
+PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*"
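Review bot: `pkg_postinst_ontarget_${PN}` creates `/etc/apparmor.d/cache` with a bare `mkdir` at first boot, which leaves the directory unowned by the package and, as far as I know, cannot run at all on a read-only rootfs image; creating it at package time with `install -d ${D}${sysconfdir}/apparmor.d/cache` in do_install (it falls under the default `${sysconfdir}` packaging) needs no postinst and fails at build time rather than on the device. The new `RDEPENDS_${PN}` line indexes a list with a boolean, `["coreutils findutils", ""][... == 'systemd']`, which reads backwards; `${@oe.utils.conditional('VIRTUAL-RUNTIME_init_manager','systemd','','coreutils findutils',d)}` says the same thing in the idiom used elsewhere in the recipe. `PACKAGES += "mod-${PN}"` is now unconditional while `FILES_mod-${PN}` only has content when apache2 is configured; that is harmless (an empty package is not emitted) but worth a one-line comment so nobody re-adds the condition.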
diff --git a/external/meta-security/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch b/external/meta-security/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch
new file mode 100644
index 00000000..9807be12
--- /dev/null
+++ b/external/meta-security/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch
@@ -0,0 +1,28 @@
+From 9f9cfbf07214ac68a55372a3c2777192765cbeb9 Mon Sep 17 00:00:00 2001
+From: Naveen Saini <naveen.kumar.saini@intel.com>
+Date: Fri, 20 Sep 2019 18:53:53 +0800
+Subject: [PATCH] Makefile.am: suppress perllocal.pod
+
+Upstream-Status: Inappropriate [OE-Specific]
+
+Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
+---
+ libraries/libapparmor/swig/perl/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libapparmor/swig/perl/Makefile.am b/libraries/libapparmor/swig/perl/Makefile.am
+index 6ae4e30c..be00dc7f 100644
+--- a/libraries/libapparmor/swig/perl/Makefile.am
++++ b/libraries/libapparmor/swig/perl/Makefile.am
+@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.pm
+ LibAppArmor.pm: libapparmor_wrap.c
+
+ Makefile.perl: Makefile.PL LibAppArmor.pm
+- $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
++ $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ NO_PERLLOCAL=1
+ sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl
+ sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
+
+--
+2.17.1
+
diff --git a/external/meta-security/recipes-security/AppArmor/files/apparmor b/external/meta-security/recipes-mac/AppArmor/files/apparmor
index ac3ab9a4..604e48d5 100644
--- a/external/meta-security/recipes-security/AppArmor/files/apparmor
+++ b/external/meta-security/recipes-mac/AppArmor/files/apparmor
@@ -47,7 +47,6 @@ log_end_msg () {
}
. /lib/apparmor/functions
-. /lib/lsb/init-functions
usage() {
echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
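Review bot: With `. /lib/lsb/init-functions` gone, every `log_*` helper this script calls has to be defined locally; the hunk header shows a local `log_end_msg`, but the rest of the script is outside the hunk, so the other helpers should be checked rather than assumed. The matching drop of `lsb` from `RDEPENDS_${PN}` in the recipe is consistent with this. A one-line comment above `. /lib/apparmor/functions`, e.g. `# self-contained: LSB init-functions are intentionally not sourced`, would stop the next reader from re-adding it.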
diff --git a/external/meta-security/recipes-security/AppArmor/files/apparmor.rc b/external/meta-security/recipes-mac/AppArmor/files/apparmor.rc
index 1507d7b5..1507d7b5 100644
--- a/external/meta-security/recipes-security/AppArmor/files/apparmor.rc
+++ b/external/meta-security/recipes-mac/AppArmor/files/apparmor.rc
diff --git a/external/meta-security/recipes-security/AppArmor/files/apparmor.service b/external/meta-security/recipes-mac/AppArmor/files/apparmor.service
index e66afe4e..e66afe4e 100644
--- a/external/meta-security/recipes-security/AppArmor/files/apparmor.service
+++ b/external/meta-security/recipes-mac/AppArmor/files/apparmor.service
diff --git a/external/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch b/external/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
index ef55de71..ef55de71 100644
--- a/external/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch
+++ b/external/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch
diff --git a/external/meta-security/recipes-security/AppArmor/files/disable_pdf.patch b/external/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch
index c6b4bddc..c6b4bddc 100644
--- a/external/meta-security/recipes-security/AppArmor/files/disable_pdf.patch
+++ b/external/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch
diff --git a/external/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch b/external/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch
index cf2640fc..cf2640fc 100644
--- a/external/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch
+++ b/external/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch
diff --git a/external/meta-security/recipes-security/AppArmor/files/functions b/external/meta-security/recipes-mac/AppArmor/files/functions
index cef8cfe7..cef8cfe7 100644
--- a/external/meta-security/recipes-security/AppArmor/files/functions
+++ b/external/meta-security/recipes-mac/AppArmor/files/functions
diff --git a/external/meta-security/recipes-security/AppArmor/files/run-ptest b/external/meta-security/recipes-mac/AppArmor/files/run-ptest
index 3b8e427e..3b8e427e 100644
--- a/external/meta-security/recipes-security/AppArmor/files/run-ptest
+++ b/external/meta-security/recipes-mac/AppArmor/files/run-ptest
diff --git a/external/meta-security/recipes-security/ccs-tools/README b/external/meta-security/recipes-mac/ccs-tools/README
index 4a4faa71..4a4faa71 100644
--- a/external/meta-security/recipes-security/ccs-tools/README
+++ b/external/meta-security/recipes-mac/ccs-tools/README
diff --git a/external/meta-security/recipes-security/ccs-tools/ccs-tools_1.8.4.bb b/external/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
index 189504a5..79af6a5d 100644
--- a/external/meta-security/recipes-security/ccs-tools/ccs-tools_1.8.4.bb
+++ b/external/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
@@ -13,9 +13,9 @@ SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz"
SRC_URI[md5sum] = "eeee8eb96a7680bfa9c8f6de55502c44"
SRC_URI[sha256sum] = "c358b80a2ea77a9dda79dc2a056dae3acaf3a72fcb8481cfb1cd1f16746324b4"
-S = "${WORKDIR}/${PN}"
+S = "${WORKDIR}/${BPN}"
-inherit distro_features_check
+inherit features_check
do_make(){
oe_runmake USRLIBDIR=${libdir} all
diff --git a/external/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c b/external/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c
new file mode 100644
index 00000000..f358d27b
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c
@@ -0,0 +1,7 @@
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+ printf("Original test program removed while investigating its license.\n");
+ return 1;
+}
diff --git a/external/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb b/external/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb
new file mode 100644
index 00000000..9d11509d
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb
@@ -0,0 +1,16 @@
+SUMMARY = "Mmap binary used to test smack mmap attribute"
+DESCRIPTION = "Mmap binary used to test smack mmap attribute"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://mmap.c"
+
+S = "${WORKDIR}"
+do_compile() {
+ ${CC} mmap.c ${LDFLAGS} -o mmap_test
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 mmap_test ${D}${bindir}
+}
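Review bot: `${CC} mmap.c ${LDFLAGS} -o mmap_test` omits `${CFLAGS}`, so the binary is built without the distro's compiler flags, including whatever hardening options (PIE, stack protector, fortify) the distro puts in `CFLAGS` for the rest of the image; `${CC} ${CFLAGS} ${LDFLAGS} mmap.c -o mmap_test` fixes it. The `SUMMARY` describes a real mmap test, but the source is a placeholder that prints that the original was removed pending a license check and exits 1, so any test that runs `mmap_test` will fail; a note in `DESCRIPTION` such as `Placeholder: the original test program was removed while its license is investigated` would make that expected.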
diff --git a/external/meta-security/recipes-mac/smack/smack-test/notroot.py b/external/meta-security/recipes-mac/smack/smack-test/notroot.py
new file mode 100644
index 00000000..f0eb0b5b
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/smack-test/notroot.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+#
+# Script used for running executables with custom labels, as well as custom uid/gid
+# Process label is changed by writing to /proc/self/attr/curent
+#
+# Script expects user id and group id to exist, and be the same.
+#
+# From adduser manual:
+# """By default, each user in Debian GNU/Linux is given a corresponding group
+# with the same name. """
+#
+# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
+# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
+#
+# Author: Alexandru Cornea <alexandru.cornea@intel.com>
+import os
+import sys
+
+try:
+ uid = int(sys.argv[1])
+ sys.argv.pop(1)
+ label = sys.argv[1]
+ sys.argv.pop(1)
+ open("/proc/self/attr/current", "w").write(label)
+ path=sys.argv[1]
+ sys.argv.pop(0)
+ os.setgid(uid)
+ os.setuid(uid)
+ os.execv(path,sys.argv)
+
+except Exception,e:
+ print e.message
+ sys.exit(1)
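Review bot: After `os.setgid(uid)`/`os.setuid(uid)` the process still carries root's supplementary groups, because nothing clears them; for a helper whose purpose is to run a command as an unprivileged user, add `os.setgroups([])` before `os.setgid(uid)` (the label write must stay before the drop, since it needs the process's MAC privileges). `open("/proc/self/attr/current", "w").write(label)` relies on the file object being closed by refcounting before `execv`; `with open("/proc/self/attr/current", "w") as f: f.write(label)` makes the ordering explicit. The script is Python 2 only (`except Exception,e`, `print e.message`) under `#!/usr/bin/env python`, so it stops working as soon as the image drops Python 2, and the header comment misspells the path as `/proc/self/attr/curent`.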
diff --git a/external/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh b/external/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
new file mode 100644
index 00000000..5a0ce84f
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+RC=0
+TMP="/tmp"
+test_file=$TMP/smack_test_access_file
+CAT=`which cat`
+ECHO=`which echo`
+uid=1000
+initial_label=`cat /proc/self/attr/current`
+python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+chsmack -a "TheOther" $test_file
+
+# 12345678901234567890123456789012345678901234567890123456
+delrule="TheOne TheOther -----"
+rule_ro="TheOne TheOther r----"
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process with different label than the test file and no read access on it can read it"
+ exit $RC
+fi
+
+# adding read access
+echo -n "$rule_ro" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process with different label than the test file but with read access on it cannot read it"
+ exit $RC
+fi
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+# changing label of test file to *
+# according to SMACK documentation, read access on a * object is always permitted
+chsmack -a '*' $test_file
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process cannot read file with * label"
+ exit $RC
+fi
+
+# changing subject label to *
+# according to SMACK documentation, every access requested by a star labeled subject is rejected
+TOUCH=`which touch`
+python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
+if [ $RC -ne 0 ];then
+ echo "Process with label '*' should not have any access"
+ exit $RC
+fi
+exit 0
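Review bot: The final check `ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory'` only proves the star-labeled process could not create the file if `$TMP/test_file_2` did not already exist, so a leftover from an earlier run turns a passing run into the failure `Process with label '*' should not have any access`; add `rm -f $TMP/test_file_2` before the `touch` attempt and remove both temp files on exit. `initial_label` is read but never used, so either restore it at the end or drop the variable. `echo -n` under `#!/bin/sh` is not guaranteed across shells; `printf '%s' "$delrule" > $SMACK_PATH/load` behaves the same everywhere. The script loads `$TMP/notroot.py`, while the recipe installs `notroot.py` into `${sbindir}`; if the runtime test copies the helper to `/tmp` that is fine, but the dependency is not visible here.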
diff --git a/external/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh b/external/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
new file mode 100644
index 00000000..26d9e9d2
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+initial_label=`cat /proc/self/attr/current 2>/dev/null`
+modified_label="test_label"
+
+echo "$modified_label" >/proc/self/attr/current 2>/dev/null
+
+new_label=`cat /proc/self/attr/current 2>/dev/null`
+
+if [ "$new_label" != "$modified_label" ]; then
+ # restore proper label
+ echo $initial_label >/proc/self/attr/current
+ echo "Privileged process could not change its label"
+ exit 1
+fi
+
+echo "$initial_label" >/proc/self/attr/current 2>/dev/null
+exit 0
\ No newline at end of file
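Review bot: The failure path restores the label with an unquoted `echo $initial_label >/proc/self/attr/current`, while every other access to the attribute in the script is quoted and silenced with `2>/dev/null`; `echo "$initial_label" >/proc/self/attr/current 2>/dev/null` keeps the two paths identical. On the success path a failed restore is hidden by `2>/dev/null` too; if leaving the process under `test_label` matters to the harness, drop the redirection on that final write so the failure is reported. The file also lacks a trailing newline.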
diff --git a/external/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh b/external/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh
new file mode 100644
index 00000000..1c4a93ab
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+RC=0
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
+test_label="test_label"
+onlycap_initial=`cat $SMACK_PATH/onlycap`
+smack_initial=`cat /proc/self/attr/current`
+
+# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
+# even if we are root
+echo "$test_label" > /proc/self/attr/current
+
+echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Onlycap label could not be set"
+ return $RC
+fi
+
+if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
+ echo "Onlycap label was not set correctly."
+ return 1
+fi
+
+# resetting original onlycap label
+echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
+
+# resetting our initial's process label
+echo "$smack_initial" > /proc/self/attr/current
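Review bot: `return $RC` and `return 1` are used at script top level, and what `return` does outside a function in an executed (not sourced) script is unspecified by POSIX: bash reports an error and keeps going, so a failed `onlycap` write or a mismatch falls through to the reset lines and the script ends with the status of the last `echo`, i.e. success, while dash/ash, as far as I know, end the file. Use `exit $RC` and `exit 1` as the sibling test scripts do. On the mismatch branch the script also bails out without touching `onlycap`; because an `onlycap` set to a label no running process holds removes MAC privileges from root, restore `$onlycap_initial` before exiting on both failure paths, and finish with an explicit `exit 0`.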
diff --git a/external/meta-security/recipes-mac/smack/smack-test_1.0.bb b/external/meta-security/recipes-mac/smack/smack-test_1.0.bb
new file mode 100644
index 00000000..d5de6076
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/smack-test_1.0.bb
@@ -0,0 +1,25 @@
+SUMMARY = "Smack test scripts"
+DESCRIPTION = "Smack scripts"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = " \
+ file://notroot.py \
+ file://smack_test_file_access.sh \
+ file://test_privileged_change_self_label.sh \
+ file://test_smack_onlycap.sh \
+"
+
+S = "${WORKDIR}"
+
+inherit features_check
+
+REQUIRED_DISTRO_FEATURES = "smack"
+
+do_install() {
+ install -d ${D}${sbindir}
+ install -m 0755 notroot.py ${D}${sbindir}
+ install -m 0755 *.sh ${D}${sbindir}
+}
+
+RDEPENDS_${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test"
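Review bot: `RDEPENDS_${PN}` pulls in `python`, i.e. Python 2, to run `notroot.py`, while `smack_1.3.1.bb` in the same commit adds `python3-core`; carrying two interpreters for test scripts is heavy, and if the target distro no longer provides Python 2 the dependency cannot be resolved. Porting `notroot.py` (the `except Exception,e` / `print e.message` syntax is the only py2-specific part visible) and depending on `python3-core` instead would match the rest of the layer. The installed scripts reference `/tmp/notroot.py` and `/tmp/tcp_server`, not `${sbindir}`; if the runtime test is expected to copy them there, a comment in the recipe stating that contract would help.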
diff --git a/external/meta-security/recipes-security/smack/files/run-ptest b/external/meta-security/recipes-mac/smack/smack/run-ptest
index 049a9b47..049a9b47 100644
--- a/external/meta-security/recipes-security/smack/files/run-ptest
+++ b/external/meta-security/recipes-mac/smack/smack/run-ptest
diff --git a/external/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch b/external/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch
index 4d677e75..4d677e75 100644
--- a/external/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch
+++ b/external/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch
diff --git a/external/meta-security/recipes-security/smack/smack_1.3.1.bb b/external/meta-security/recipes-mac/smack/smack_1.3.1.bb
index 246562af..b1ea4e9f 100644
--- a/external/meta-security/recipes-security/smack/smack_1.3.1.bb
+++ b/external/meta-security/recipes-mac/smack/smack_1.3.1.bb
@@ -13,7 +13,12 @@ SRC_URI = " \
PV = "1.3.1"
-inherit autotools update-rc.d pkgconfig ptest ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+inherit autotools update-rc.d pkgconfig ptest
+inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+inherit features_check
+
+REQUIRED_DISTRO_FEATURES = "smack"
+
S = "${WORKDIR}/git"
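Review bot: The systemd inherit stays conditional on `VIRTUAL-RUNTIME_init_manager`, whereas `apparmor_2.13.4.bb` in this same commit switched to an unconditional `inherit systemd` with a `DISTRO_FEATURES` check in do_install; the two recipes now answer "is systemd in use" differently, which is confusing when both are in one image. Either form works (the systemd class does nothing when `systemd` is not in `DISTRO_FEATURES`), but picking one for the layer keeps behaviour predictable. `inherit features_check` with `REQUIRED_DISTRO_FEATURES = "smack"` is the right guard for a recipe that is useless without the LSM.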
@@ -48,7 +53,7 @@ INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
FILES_${PN} += "${sysconfdir}/init.d/smack"
FILES_${PN}-ptest += "generator"
-RDEPENDS_${PN} += "coreutils"
+RDEPENDS_${PN} += "coreutils python3-core"
RDEPENDS_${PN}-ptest += "make bash bc"
BBCLASSEXTEND = "native"
diff --git a/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c b/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c
new file mode 100644
index 00000000..185f9738
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c
@@ -0,0 +1,111 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <string.h>
+#include <sys/xattr.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ char message[255] = "hello";
+ struct sockaddr_in server_addr;
+ char* label_in;
+ char* label_out;
+ char* attr_out = "security.SMACK64IPOUT";
+ char* attr_in = "security.SMACK64IPIN";
+ char out[256];
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ struct hostent* host = gethostbyname("localhost");
+
+ if (argc != 4)
+ {
+ perror("Client: Arguments missing, please provide socket labels");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ label_out = argv[3];
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPOUT");
+ return 2;
+ }
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPIN");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Client: Set timeout failed\n");
+ return 2;
+ }
+
+ if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
+ {
+ perror("Client: Connection failure");
+ close(sock);
+ return 1;
+ }
+
+
+ if(write(sock, message, strlen(message)) < 0)
+ {
+ perror("Client: Error sending data\n");
+ close(sock);
+ return 1;
+ }
+ close(sock);
+ return 0;
+}
+
+
+
+
+
+
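Review bot: `atoi` is called without `#include <stdlib.h>`, and `bcopy`/`bzero` are declared in `<strings.h>` rather than `<string.h>`, so the file builds only on implicit declarations, which current compilers reject. `gethostbyname("localhost")` runs before the argument check and its result is dereferenced at the `bcopy` without a NULL test, so a resolver failure crashes instead of reaching the intended `return 2`; add `if (host == NULL) { fprintf(stderr, "Client: cannot resolve localhost\n"); return 2; }` after the call, or use `INADDR_LOOPBACK` directly since the host is fixed. `perror` on the argument-count branch prints whatever `errno` happens to hold, so `fprintf(stderr, ...)` is the right call there; `out[256]` is unused, the two label strings should be `const char *`, and the run of blank lines at the end of the file is noise.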
diff --git a/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c b/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c
new file mode 100644
index 00000000..9285dc69
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c
@@ -0,0 +1,118 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ int clientsock;
+ char message[255];
+ socklen_t client_length;
+ struct sockaddr_in server_addr, client_addr;
+ char* label_in;
+ char* attr_in = "security.SMACK64IPIN";
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ if (argc != 3)
+ {
+ perror("Server: Argument missing please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ bzero(message,255);
+
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Server: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
+ {
+ perror("Server: Unable to set attribute ipin 2");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure ");
+ return 2;
+ }
+
+ listen(sock, 1);
+ client_length = sizeof(client_addr);
+
+ clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
+
+ if (clientsock < 0)
+ {
+ perror("Server: Connection failed");
+ close(sock);
+ return 1;
+ }
+
+
+ if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
+ {
+ perror(" Server: Unable to set attribute ipin 2");
+ close(sock);
+ return 2;
+ }
+
+ if(read(clientsock, message, 254) < 0)
+ {
+ perror("Server: Error when reading from socket");
+ close(clientsock);
+ close(sock);
+ return 1;
+ }
+
+
+ close(clientsock);
+ close(sock);
+
+ return 0;
+}
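Review bot: `fsetxattr` is used twice without `#include <sys/xattr.h>` (the client file does include it), `atoi` without `<stdlib.h>`, and `bzero` without `<strings.h>`, so all three are implicitly declared; add the includes. The return value of `listen(sock, 1)` is ignored, unlike every other call in the function; `if (listen(sock, 1) < 0) { perror("Server: Listen failure"); close(sock); return 2; }` keeps the error handling consistent. The second `fsetxattr` on `clientsock` re-applies the same label with the error message copied from the first (`Unable to set attribute ipin 2`); if it is deliberate, a one-line comment saying why the accepted socket needs its own label would help, and the message should be distinct so failures can be told apart.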
diff --git a/external/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh b/external/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh
new file mode 100644
index 00000000..ed18f237
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+RC=0
+test_file=/tmp/smack_socket_tcp
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+# make sure no access is granted
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 -----" > $SMACK_PATH/load
+
+tcp_server=`which tcp_server`
+if [ -z $tcp_server ]; then
+ if [ -f "/tmp/tcp_server" ]; then
+ tcp_server="/tmp/tcp_server"
+ else
+ echo "tcp_server binary not found"
+ exit 1
+ fi
+fi
+tcp_client=`which tcp_client`
+if [ -z $tcp_client ]; then
+ if [ -f "/tmp/tcp_client" ]; then
+ tcp_client="/tmp/tcp_client"
+ else
+ echo "tcp_client binary not found"
+ exit 1
+ fi
+fi
+
+# checking access for sockets with different labels
+$tcp_server 50016 label1 &>/dev/null &
+server_pid=$!
+sleep 2
+$tcp_client 50016 label2 label1 &>/dev/null &
+client_pid=$!
+
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+ echo "Sockets with different labels should not communicate on tcp"
+ exit 1
+fi
+
+# granting access between different labels
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$tcp_server 50017 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50017 label2 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with different labels, but having rw access, should communicate on tcp"
+ exit 1
+fi
+
+# checking access for sockets with the same label
+$tcp_server 50018 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50018 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with same labels should communicate on tcp"
+ exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$tcp_server 50019 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50019 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Should have access on tcp socket labeled star (*)"
+ exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$tcp_server 50020 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50020 label1 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+ echo "Socket labeled star should not have access to any tcp socket"
+ exit 1
+fi
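Review bot: `$tcp_server 50016 label1 &>/dev/null &` on the first check (and the matching `$tcp_client` line two lines below) is a bashism that the `#!/bin/sh` shebang does not guarantee: under dash or any strictly POSIX shell, `&>` is parsed as `&` followed by a redirection, so the server is backgrounded without redirection and `$!` most likely records the trailing redirect-only `>/dev/null &` job, leaving `wait $server_pid` returning 0 and the "should not communicate" check failing spuriously. Writing those two lines as `$tcp_server 50016 label1 >/dev/null 2>&1 &` and `$tcp_client 50016 label2 label1 >/dev/null 2>&1 &` keeps the behaviour the later checks already get from `2>$test_file`. `SMACK_PATH` is also used unchecked at `echo -n "label1 label2 -----" > $SMACK_PATH/load`; when smackfs is not mounted it expands to empty and the rule is written to `/load`, so a guard such as `[ -n "$SMACK_PATH" ] || { echo "smackfs not mounted"; exit 1; }` after the assignment would fail loudly instead.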
diff --git a/external/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb b/external/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb
new file mode 100644
index 00000000..d2b3f6b3
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Binary used to test smack tcp sockets"
+DESCRIPTION = "Server and client binaries used to test smack attributes on TCP sockets"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://tcp_server.c \
+ file://tcp_client.c \
+ file://test_smack_tcp_sockets.sh \
+"
+
+S = "${WORKDIR}"
+
+do_compile() {
+ ${CC} tcp_client.c ${LDFLAGS} -o tcp_client
+ ${CC} tcp_server.c ${LDFLAGS} -o tcp_server
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -d ${D}${sbindir}
+ install -m 0755 tcp_server ${D}${bindir}
+ install -m 0755 tcp_client ${D}${bindir}
+ install -m 0755 test_smack_tcp_sockets.sh ${D}${sbindir}
+}
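Review bot: `${CC} tcp_client.c ${LDFLAGS} -o tcp_client` and the server line in do_compile omit `${CFLAGS}`, so none of the distro's compiler flags reach these binaries — including any hardening flags a distro sets through CFLAGS (e.g. via security_flags.inc, if the distro includes it), which is an odd gap for a security test layer. `${CC} ${CFLAGS} ${LDFLAGS} tcp_client.c -o tcp_client` (and likewise for tcp_server) is the usual form. The udp-smack-test_1.0.bb recipe further down has the same two lines.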
diff --git a/external/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh b/external/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
new file mode 100644
index 00000000..419ab9f9
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+RC=0
+test_file="/tmp/smack_socket_udp"
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+
+udp_server=`which udp_server`
+if [ -z $udp_server ]; then
+ if [ -f "/tmp/udp_server" ]; then
+ udp_server="/tmp/udp_server"
+ else
+ echo "udp_server binary not found"
+ exit 1
+ fi
+fi
+udp_client=`which udp_client`
+if [ -z $udp_client ]; then
+ if [ -f "/tmp/udp_client" ]; then
+ udp_client="/tmp/udp_client"
+ else
+ echo "udp_client binary not found"
+ exit 1
+ fi
+fi
+
+# make sure no access is granted
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 -----" > $SMACK_PATH/load
+
+# checking access for sockets with different labels
+$udp_server 50021 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50021 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+ echo "Sockets with different labels should not communicate on udp"
+ exit 1
+fi
+
+# granting access between different labels
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$udp_server 50022 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50022 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with different labels, but having rw access, should communicate on udp"
+ exit 1
+fi
+
+# checking access for sockets with the same label
+$udp_server 50023 label1 &
+server_pid=$!
+sleep 1
+$udp_client 50023 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with same labels should communicate on udp"
+ exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$udp_server 50024 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50024 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Should have access on udp socket labeled star (*)"
+ exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$udp_server 50025 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50025 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+ echo "Socket labeled star should not have access to any udp socket"
+ exit 1
+fi
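Review bot: `test_file="/tmp/smack_socket_udp"` is a fixed, predictable name in a world-writable directory that the script then opens for writing with `2>$test_file` on every check, presumably while running with enough privilege to write smackfs rules; a pre-existing symlink at that path would redirect the write elsewhere. `test_file=$(mktemp /tmp/smack_socket_udp.XXXXXX) || exit 1` at the top, with an `rm -f "$test_file"` at the end, avoids that; the tcp script above uses the same pattern with `/tmp/smack_socket_tcp`. The `label1 label2 rw---` rule loaded at the "granting access" step is also never reverted, so the host is left with that access grant once the script has run.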
diff --git a/external/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c b/external/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c
new file mode 100644
index 00000000..4d3afbe6
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c
@@ -0,0 +1,75 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ char* message = "hello";
+ int sock, ret;
+ struct sockaddr_in server_addr;
+ struct hostent* host = gethostbyname("localhost");
+ char* label;
+ char* attr = "security.SMACK64IPOUT";
+ int port;
+ if (argc != 3)
+ {
+ perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+ sock = socket(AF_INET, SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
+ {
+ perror("Client: Unable to set attribute ");
+ return 2;
+ }
+
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
+ sizeof(struct sockaddr_in));
+
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Client: Error sending message\n");
+ return 1;
+ }
+
+ return 0;
+}
+
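Review bot: udp_client.c calls `fsetxattr`, `atoi`, `close`, `bcopy` and `bzero` without including `<sys/xattr.h>`, `<stdlib.h>`, `<unistd.h>` or `<strings.h>`; these are implicit declarations, which older toolchains only warn about but recent GCC (14 and later) rejects as errors, so the build is fragile. `host` from `gethostbyname("localhost")` is also dereferenced at `bcopy((char*) host->h_addr, …)` without a NULL check, which crashes the client on a resolver failure instead of reporting it. udp_server.c below has the same missing headers, and the tcp_server.c hunk above calls the same functions (its include section is not visible here).
```c
#include <sys/xattr.h>   /* fsetxattr */
#include <stdlib.h>      /* atoi */
#include <unistd.h>      /* close */
#include <strings.h>     /* bcopy, bzero */
// … unchanged: existing includes and main() declarations …
    struct hostent* host = gethostbyname("localhost");
    if (host == NULL)
    {
        perror("Client: Unable to resolve localhost");
        return 2;
    }
// … unchanged: argument check, socket, fsetxattr, sendto …
```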
diff --git a/external/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c b/external/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c
new file mode 100644
index 00000000..cbab71e6
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c
@@ -0,0 +1,93 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ int sock,ret;
+ struct sockaddr_in server_addr, client_addr;
+ socklen_t len;
+ char message[5];
+ char* label;
+ char* attr = "security.SMACK64IPIN";
+ int port;
+
+ if(argc != 3)
+ {
+ perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ sock = socket(AF_INET,SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Server: Socket error");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
+ {
+ perror("Server: Unable to set attribute ");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure");
+ return 2;
+ }
+
+ len = sizeof(client_addr);
+ ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
+ &len);
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Server: Error receiving");
+ return 1;
+
+ }
+ return 0;
+}
+
diff --git a/external/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb b/external/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb
new file mode 100644
index 00000000..9193f898
--- /dev/null
+++ b/external/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb
@@ -0,0 +1,23 @@
+SUMMARY = "Binary used to test smack udp sockets"
+DESCRIPTION = "Server and client binaries used to test smack attributes on UDP sockets"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://udp_server.c \
+ file://udp_client.c \
+ file://test_smack_udp_sockets.sh \
+"
+
+S = "${WORKDIR}"
+do_compile() {
+ ${CC} udp_client.c ${LDFLAGS} -o udp_client
+ ${CC} udp_server.c ${LDFLAGS} -o udp_server
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -d ${D}${sbindir}
+ install -m 0755 udp_server ${D}${bindir}
+ install -m 0755 udp_client ${D}${bindir}
+ install -m 0755 test_smack_udp_sockets.sh ${D}${sbindir}
+}
diff --git a/external/meta-security/recipes-perl/perl/libenv-perl_1.04.bb b/external/meta-security/recipes-perl/perl/libenv-perl_1.04.bb
deleted file mode 100644
index dd8e1159..00000000
--- a/external/meta-security/recipes-perl/perl/libenv-perl_1.04.bb
+++ /dev/null
@@ -1,21 +0,0 @@
-SUMMARY = "Perl module that imports environment variables as scalars or arrays"
-DESCRIPTION = "Perl maintains environment variables in a special hash named %ENV. \
-For when this access method is inconvenient, the Perl module Env allows environment \
-variables to be treated as scalar or array variables."
-
-HOMEPAGE = "http://search.cpan.org/~flora/Env/"
-SECTION = "libs"
-LICENSE = "Artistic-1.0 | GPL-1.0+"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=76c1cbf18db56b3340d91cb947943bd3"
-
-SRC_URI = "http://search.cpan.org/CPAN/authors/id/F/FL/FLORA/Env-${PV}.tar.gz"
-
-SRC_URI[md5sum] = "fdba5c0690e66972c96fee112cf5f25c"
-SRC_URI[sha256sum] = "d94a3d412df246afdc31a2199cbd8ae915167a3f4684f7b7014ce1200251ebb0"
-
-S = "${WORKDIR}/Env-${PV}"
-
-inherit cpan
-
-BBCLASSEXTEND = "native"
diff --git a/external/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb b/external/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
index d9af4300..71857ab3 100644
--- a/external/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
+++ b/external/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
@@ -24,4 +24,6 @@ do_install() {
oe_runmake install DESTDIR=${D} INSTALLDIR=${PERLLIBDIRS}/vendor_perl/${PERLVERSION} MANDIR=${datadir}/perl/${PERLVERSION}
}
+FILES_${PN} += "${datadir}/perl"
+
BBCLASSEXTEND = "native"
diff --git a/external/meta-security/recipes-scanners/arpwatch/arpwatch_3.0.bb b/external/meta-security/recipes-scanners/arpwatch/arpwatch_3.0.bb
new file mode 100644
index 00000000..9be319ad
--- /dev/null
+++ b/external/meta-security/recipes-scanners/arpwatch/arpwatch_3.0.bb
@@ -0,0 +1,79 @@
+SUMARRY = "The ethernet monitor program; for keeping track of ethernet/ip address pairings"
+LICENSE = "BSD-4-Clause"
+HOME_PAGE = "http://ee.lbl.gov/"
+LIC_FILES_CHKSUM = "file://configure;md5=212742e55562cf47527d31c2a492411a"
+
+DEPENDS += "libpcap postfix"
+
+SRC_URI = "https://ee.lbl.gov/downloads/arpwatch/${BP}.tar.gz \
+ file://arpwatch.conf \
+ file://arpwatch.default \
+ file://arpwatch_init \
+ file://postfix_workaround.patch \
+ file://host_contam_fix.patch "
+
+SRC_URI[sha256sum] = "82e137e104aca8b1280f5cca0ebe61b978f10eadcbb4c4802c181522ad02b25b"
+
+inherit autotools-brokensep update-rc.d useradd
+
+ARPWATCH_UID ?= "arpwatch"
+ARPWATCH_GID ?= "arpwatch"
+APRWATCH_FROM ?= "root "
+ARPWATH_REPLY ?= "${ARPWATCH_UID}"
+
+EXTRA_OECONF = " --srcdir=${S} --with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}"
+
+CONFIGUREOPTS = " --build=${BUILD_SYS} \
+ --host=${HOST_SYS} \
+ --target=${TARGET_SYS} \
+ --prefix=${prefix} \
+ --exec_prefix=${exec_prefix} \
+ --bindir=${bindir} \
+ --sbindir=${sbindir} \
+ --libexecdir=${libexecdir} \
+ --datadir=${datadir} \
+ --sysconfdir=${sysconfdir} \
+ --sharedstatedir=${sharedstatedir} \
+ --localstatedir=${localstatedir} \
+ --libdir=${libdir} \
+ --includedir=${includedir} \
+ --oldincludedir=${oldincludedir} \
+ --infodir=${infodir} \
+ --mandir=${mandir} \
+ "
+
+do_configure () {
+ ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+}
+
+do_install () {
+ install -d ${D}${bindir}
+ install -d ${D}${sbindir}
+ install -d ${D}${mandir}
+ install -d ${D}${sysconfdir}
+ install -d ${D}${sysconfdir}/default
+ install -d ${D}${sysconfdir}/init.d
+ install -d ${D}${prefix}/etc/rc.d
+ install -d ${D}/var/lib/arpwatch
+
+ oe_runmake install DESTDIR=${D}
+ install -m 644 ${WORKDIR}/arpwatch.conf ${D}${sysconfdir}
+ install -m 655 ${WORKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch
+ install -m 644 ${WORKDIR}/arpwatch.default ${D}${sysconfdir}/default
+}
+
+INITSCRIPT_NAME = "arpwatch"
+INITSCRIPT_PARAMS = "start 02 2 3 4 5 . stop 20 0 1 6 ."
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system ${ARPWATCH_UID}"
+USERADD_PARAM_${PN} = "--system -g ${ARPWATCH_GID} --home-dir \
+ ${localstatedir}/spool/${BPN} \
+ --no-create-home --shell /bin/false ${BPN}"
+
+CONFFILE_FILES = "${sysconfdir}/${PN}.conf"
+
+FILES_${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \
+ ${sysconfdir} /var/lib/arpwatch"
+
+RDEPENDS_${PN} = "libpcap postfix postfix-cfg"
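Review bot: `SUMARRY`, `HOME_PAGE` and `CONFFILE_FILES` are misspelled variable names that BitBake silently ignores; the intended names are `SUMMARY`, `HOMEPAGE` and `CONFFILES_${PN}`, and without the last one the shipped `${sysconfdir}/arpwatch.conf` is not protected as a config file on package upgrade. `install -m 655 ${WORKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch` gives the init script mode rw-r-xr-x with no owner execute bit; `install -m 0755` is what an init script needs. `APRWATCH_FROM` and `ARPWATH_REPLY` are consistently misspelled, which will trip anyone trying to override them from a distro config. The useradd block also creates the group as `${ARPWATCH_UID}`, the user as `${BPN}` with `-g ${ARPWATCH_GID}`, and a home under `${localstatedir}/spool/${BPN}` while the init script uses `/var/lib/arpwatch`; overriding the UID/GID variables separately would leave the daemon unable to drop privileges to the `RUNAS="arpwatch"` account hard-coded in arpwatch.default.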
diff --git a/external/meta-security/recipes-scanners/arpwatch/files/arpwatch.conf b/external/meta-security/recipes-scanners/arpwatch/files/arpwatch.conf
new file mode 100644
index 00000000..67213c97
--- /dev/null
+++ b/external/meta-security/recipes-scanners/arpwatch/files/arpwatch.conf
@@ -0,0 +1,23 @@
+# /etc/arpwatch.conf: Debian-specific way to watch multiple interfaces.
+# Format of this configuration file is:
+#
+#<dev1> <arpwatch options for dev1>
+#<dev2> <arpwatch options for dev2>
+#...
+#<devN> <arpwatch options for devN>
+#
+# You can set global options for all interfaces by editing
+# /etc/default/arpwatch
+
+# For example:
+
+eth0
+#eth0 -m root
+#eth1 -m root
+#eth2 -m root
+
+# or, if you have an MTA configured for plussed addressing:
+#
+#eth0 -m root+eth0
+#eth1 -m root+eth1
+#eth2 -m root+eth2
diff --git a/external/meta-security/recipes-scanners/arpwatch/files/arpwatch.default b/external/meta-security/recipes-scanners/arpwatch/files/arpwatch.default
new file mode 100644
index 00000000..b0a7d8f9
--- /dev/null
+++ b/external/meta-security/recipes-scanners/arpwatch/files/arpwatch.default
@@ -0,0 +1,7 @@
+# Global options for arpwatch(8).
+
+# Debian: don't report bogons, don't use PROMISC.
+ARGS="-N -p"
+
+# Debian: run as `arpwatch' user. Empty this to run as root.
+RUNAS="arpwatch"
diff --git a/external/meta-security/recipes-scanners/arpwatch/files/arpwatch_init b/external/meta-security/recipes-scanners/arpwatch/files/arpwatch_init
new file mode 100644
index 00000000..9860c65a
--- /dev/null
+++ b/external/meta-security/recipes-scanners/arpwatch/files/arpwatch_init
@@ -0,0 +1,123 @@
+#!/bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+NAME=arpwatch
+DAEMON=/usr/sbin/$NAME
+DESC="Ethernet/FDDI station monitor daemon"
+DATADIR=/var/lib/$NAME
+RETVAL=0
+
+. /etc/init.d/functions
+
+### You shouldn't touch anything below unless you know what you are doing.
+
+[ -f /etc/default/arpwatch ] && . /etc/default/arpwatch
+
+# Decide whether we have to deal with multiple interfaces.
+CONF=/etc/arpwatch.conf
+MULTIPLE=0
+if [ -r $CONF ]; then
+ grep -c '^[a-z]' $CONF 2>&1 >/dev/null && MULTIPLE=1
+fi
+
+# Check whether we have to drop privileges.
+if [ -n "$RUNAS" ]; then
+ if getent passwd "$RUNAS" >/dev/null; then
+ ARGS="-u ${RUNAS} $ARGS"
+ else
+ RUNAS=""
+ fi
+fi
+
+start_instance () {
+ IFACE=$1
+ INSTANCE=${NAME}-${IFACE}
+ DATAFILE=$DATADIR/${IFACE}.dat
+ IFACE_OPTS="-P /var/run/${INSTANCE}.pid -i ${IFACE} -f ${DATAFILE} $2"
+
+ echo -n "Starting $DESC: "
+ if [ ! -f $DATAFILE ]; then
+ echo -n "(creating $DATAFILE) " :> $DATAFILE
+ fi
+ if [ -n "$RUNAS" ]; then
+ echo -n "(chown $RUNAS $DATAFILE) "
+ chown $RUNAS $DATAFILE
+ fi
+ start-stop-daemon --start --quiet \
+ --pidfile /var/run/${INSTANCE}.pid \
+ --exec $DAEMON -- $IFACE_OPTS $ARGS
+ echo "${INSTANCE}."
+ ps h -C $NAME -o pid,args | \
+ awk "/$IFACE/ { print \$1 }" > /var/run/${INSTANCE}.pid
+}
+
+stop_instance () {
+ IFACE=$1
+ INSTANCE=${NAME}-${IFACE}
+ [ -f /var/run/${INSTANCE}.pid ] || return 0
+ echo -n "Stopping $DESC: "
+ start-stop-daemon --stop --quiet --oknodo \
+ --pidfile /var/run/${INSTANCE}.pid
+ echo "${INSTANCE}."
+ rm -f /var/run/${INSTANCE}.pid
+}
+
+process_loop_break_line () {
+ __IFACE=$1
+ shift
+ __IOPTS="$@"
+}
+
+process_loop () {
+ OPERATION=$1
+ grep '^[a-z]' $CONF 2>/dev/null | \
+ while read LINE
+ do
+ process_loop_break_line $LINE
+ I=$__IFACE
+ I_OPTS="$__IOPTS"
+ $OPERATION $I "$I_OPTS"
+ done
+}
+
+startup () {
+ process_loop start_instance
+}
+
+shutdown () {
+ process_loop stop_instance
+}
+
+case "$1" in
+ start)
+ startup
+ ;;
+ stop)
+ shutdown
+ ;;
+ reload)
+ echo "Reload operation not supported -- use restart."
+ RETVAL=2
+ ;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented, move the "force-reload"
+ # option to the "reload" entry above. If not, "force-reload" is
+ # just the same as "restart".
+ #
+ shutdown
+ sleep 1
+ startup
+ ;;
+ status)
+ status_of_proc $DAEMON $NAME
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $N {start|stop|restart|force-reload}" >&2
+ RETVAL=2
+ ;;
+esac
+
+exit $RETVAL
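Review bot: `echo -n "(creating $DATAFILE) " :> $DATAFILE` in start_instance writes the progress message plus a literal `:` into the new database file, because `:` is parsed as an argument to echo and the `>` redirects echo's output; the two commands need separating, `echo -n "(creating $DATAFILE) "` followed by `: > $DATAFILE`, so the file is created empty. The pid file then written from `ps h -C $NAME -o pid,args | awk "/$IFACE/ { print \$1 }"` is an unanchored interface-name match, so with several interfaces `eth1` also matches an `eth10` instance and stop_instance can signal the wrong process; anchoring on `-i $IFACE ` would be safer, or better, trust the pidfile start-stop-daemon already manages. When `getent passwd "$RUNAS"` fails the script silently clears RUNAS and runs the daemon as root, which for a privilege-dropping daemon deserves a loud failure rather than a silent fallback. `grep -c '^[a-z]' $CONF 2>&1 >/dev/null` has its redirections reversed (stderr goes to the terminal), though `MULTIPLE` is never read afterwards anyway.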
diff --git a/external/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch b/external/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch
new file mode 100644
index 00000000..7d7ffacf
--- /dev/null
+++ b/external/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch
@@ -0,0 +1,21 @@
+This removes the host contamination
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: arpwatch-3.0/configure
+===================================================================
+--- arpwatch-3.0.orig/configure
++++ arpwatch-3.0/configure
+@@ -4349,8 +4349,8 @@ fi
+ CC=cc
+ export CC
+ fi
+- V_INCLS="$V_INCLS -I/usr/local/include"
+- LDFLAGS="$LDFLAGS -L/usr/local/lib"
++ V_INCLS="$V_INCLS "
++ LDFLAGS="$LDFLAGS "
+ if test "$GCC" != yes ; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking that $CC handles ansi prototypes" >&5
+ $as_echo_n "checking that $CC handles ansi prototypes... " >&6; }
diff --git a/external/meta-security/recipes-scanners/arpwatch/files/postfix_workaround.patch b/external/meta-security/recipes-scanners/arpwatch/files/postfix_workaround.patch
new file mode 100644
index 00000000..95213f2b
--- /dev/null
+++ b/external/meta-security/recipes-scanners/arpwatch/files/postfix_workaround.patch
@@ -0,0 +1,91 @@
+Sendmail exists after the system boots. We are using postfix
+so no need to check if it exists.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: arpwatch-3.0/configure
+===================================================================
+--- arpwatch-3.0.orig/configure
++++ arpwatch-3.0/configure
+@@ -636,7 +636,6 @@ LBL_LIBS
+ HAVE_FREEBSD_TRUE
+ HAVE_FREEBSD_FALSE
+ PYTHON
+-V_SENDMAIL
+ LIBOBJS
+ INSTALL_DATA
+ INSTALL_SCRIPT
+@@ -5573,53 +5572,6 @@ fi
+ done
+
+
+-# Extract the first word of "sendmail", so it can be a program name with args.
+-set dummy sendmail; ac_word=$2
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+-$as_echo_n "checking for $ac_word... " >&6; }
+-if ${ac_cv_path_V_SENDMAIL+:} false; then :
+- $as_echo_n "(cached) " >&6
+-else
+- case $V_SENDMAIL in
+- [\\/]* | ?:[\\/]*)
+- ac_cv_path_V_SENDMAIL="$V_SENDMAIL" # Let the user override the test with a path.
+- ;;
+- *)
+- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+-as_dummy="$PATH:/usr/sbin:/usr/lib:/usr/bin:/usr/ucblib:/usr/local/etc"
+-for as_dir in $as_dummy
+-do
+- IFS=$as_save_IFS
+- test -z "$as_dir" && as_dir=.
+- for ac_exec_ext in '' $ac_executable_extensions; do
+- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+- ac_cv_path_V_SENDMAIL="$as_dir/$ac_word$ac_exec_ext"
+- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+- break 2
+- fi
+-done
+- done
+-IFS=$as_save_IFS
+-
+- ;;
+-esac
+-fi
+-V_SENDMAIL=$ac_cv_path_V_SENDMAIL
+-if test -n "$V_SENDMAIL"; then
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $V_SENDMAIL" >&5
+-$as_echo "$V_SENDMAIL" >&6; }
+-else
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-fi
+-
+-
+-
+-if test -z "${V_SENDMAIL}" ; then
+- as_fn_error $? "Can't find sendmail" "$LINENO" 5
+-fi
+-
+-
+ python=${PYTHON:-python}
+ # Extract the first word of "${python}", so it can be a program name with args.
+ set dummy ${python}; ac_word=$2
+Index: arpwatch-3.0/configure.in
+===================================================================
+--- arpwatch-3.0.orig/configure.in
++++ arpwatch-3.0/configure.in
+@@ -76,13 +76,6 @@ AC_LBL_UNION_WAIT
+ AC_CHECK_LIB(resolv, res_query)
+ AC_LBL_LIBPCAP(V_PCAPDEP, V_INCLS)
+
+-AC_PATH_PROG(V_SENDMAIL, sendmail,,
+- $PATH:/usr/sbin:/usr/lib:/usr/bin:/usr/ucblib:/usr/local/etc)
+-
+-if test -z "${V_SENDMAIL}" ; then
+- AC_MSG_ERROR([Can't find sendmail])
+-fi
+-
+ dnl AC_LBL_CHECK_TYPE(int32_t, int)
+ dnl AC_LBL_CHECK_TYPE(u_int32_t, u_int)
+
diff --git a/external/meta-security/recipes-security/buck-security/buck-security_0.7.bb b/external/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb
index 3733c88b..179eedae 100644
--- a/external/meta-security/recipes-security/buck-security/buck-security_0.7.bb
+++ b/external/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb
@@ -4,33 +4,6 @@ system. This enables you to quickly overview the security status of your Linux s
SECTION = "security"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-RDEPENDS_${PN} = "coreutils \
- gnupg \
- net-tools \
- perl \
- perl-module-data-dumper \
- perl-module-file-basename \
- perl-module-file-spec \
- perl-module-getopt-long \
- perl-module-lib \
- perl-module-posix \
- perl-module-term-ansicolor \
- perl-module-time-localtime \
- pinentry \
- "
-
-RDEPENDS_${PN}_class-native = "coreutils \
- net-tools \
- perl \
- perl-module-data-dumper \
- perl-module-file-basename \
- perl-module-file-spec \
- perl-module-getopt-long \
- perl-module-lib \
- perl-module-posix \
- perl-module-term-ansicolor \
- perl-module-time-localtime \
- "
SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_${PV}/${BPN}_${PV}.tar.gz"
@@ -39,13 +12,8 @@ SRC_URI[sha256sum] = "c533c6631ec3554dd8d39d2d1c3ed44badbbf50810ebb75469c74639fa
S = "${WORKDIR}/${BPN}_${PV}"
-do_configure() {
- :
-}
-
-do_compile() {
- :
-}
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
do_install() {
install -d ${D}${bindir}/buck
@@ -60,4 +28,18 @@ do_install() {
FILES_${PN} = "${bindir}/*"
+RDEPENDS_${PN} = "coreutils gnupg net-tools perl perl-module-data-dumper \
+ perl-module-file-basename perl-module-file-spec perl-module-getopt-long \
+ perl-module-lib perl-module-posix perl-module-term-ansicolor \
+ perl-module-time-localtime pinentry perl-module-pod-usage \
+ perl-module-pod-text perl-module-file-glob \
+ "
+
+RDEPENDS_${PN}_class-native = "coreutils net-tools perl perl-module-data-dumper \
+ perl-module-file-basename perl-module-file-spec perl-module-getopt-long \
+ perl-module-lib perl-module-posix perl-module-term-ansicolor \
+ perl-module-time-localtime perl-module-file-glob\
+ "
+
+
BBCLASSEXTEND = "native"
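Review bot: `perl-module-time-localtime perl-module-file-glob\` in the native RDEPENDS of the third hunk lacks the space before the continuation backslash that every other line in both lists has; it still parses because the next line's leading whitespace separates the token from the closing quote, but `perl-module-time-localtime perl-module-file-glob \` keeps the lists uniform. The two lists also now diverge beyond gnupg/pinentry — the target list gains `perl-module-pod-usage` and `perl-module-pod-text` while the native list does not; if that is deliberate a short comment saying why would save the next reader a comparison.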
diff --git a/external/meta-security/recipes-scanners/checksec/checksec_2.1.0.bb b/external/meta-security/recipes-scanners/checksec/checksec_2.1.0.bb
new file mode 100644
index 00000000..b67c98bb
--- /dev/null
+++ b/external/meta-security/recipes-scanners/checksec/checksec_2.1.0.bb
@@ -0,0 +1,19 @@
+SUMMARY = "Linux system security checks"
+DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used."
+SECTION = "security"
+LICENSE = "BSD"
+HOMEPAGE="https://github.com/slimm609/checksec.sh"
+
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a"
+
+SRCREV = "04582bad41589ad479ca8b1f0170ed317475b5a5"
+SRC_URI = "git://github.com/slimm609/checksec.sh"
+
+S = "${WORKDIR}/git"
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 ${S}/checksec ${D}${bindir}
+}
+
+RDEPENDS_${PN} = "bash openssl-bin binutils"
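Review bot: `SRC_URI = "git://github.com/slimm609/checksec.sh"` fetches over the cleartext, unauthenticated git:// transport with no `;protocol=https`; the pinned SRCREV means a tampered clone would fail the revision check, but GitHub has since discontinued the git:// transport, so a fresh build will not fetch at all, and newer BitBake also requires an explicit `;branch=`. `SRC_URI = "git://github.com/slimm609/checksec.sh;protocol=https;branch=<DEFAULT_BRANCH>"` (placeholder: substitute the repository's branch) addresses both. `LICENSE = "BSD"` is not a specific license identifier — the LICENSE.txt referenced by LIC_FILES_CHKSUM should say which BSD variant — and `HOMEPAGE="…"` is missing the spaces around `=` that every other assignment in the recipe uses.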
diff --git a/external/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb b/external/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
index a9616911..204123d8 100644
--- a/external/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb
+++ b/external/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
@@ -5,7 +5,8 @@ LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
- file://setuid-log-folder.patch"
+ file://setuid-log-folder.patch \
+ file://check-setuid-use-more-portable-find-args.patch"
SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f"
SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32"
@@ -17,4 +18,4 @@ do_install() {
oe_runmake PREFIX=${D}
}
-RDEPENDS_${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob util-linux findutils coreutils"
+RDEPENDS_${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob perl-module-carp perl-module-env perl-module-tap-parser-iterator-array util-linux findutils coreutils"
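Review bot: The new RDEPENDS line keeps `libenv-perl` while this same commit deletes `recipes-perl/perl/libenv-perl_1.04.bb`, so unless another layer still provides that package the rootfs will fail to resolve the dependency; the added `perl-module-env` looks like the intended replacement, so `libenv-perl` should be dropped from the list. `perl-module-tap-parser-iterator-array` is an unusual runtime dependency for a setuid-audit script; if it is genuinely pulled in by one of the plugins, a comment naming which one would explain it.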
diff --git a/external/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/external/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
new file mode 100644
index 00000000..f1fe8edc
--- /dev/null
+++ b/external/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
@@ -0,0 +1,23 @@
+From f3073b8e06a607677d47ad9a19533b2e33408a4f Mon Sep 17 00:00:00 2001
+From: Christopher Larson <chris_larson@mentor.com>
+Date: Wed, 5 Sep 2018 23:21:43 +0500
+Subject: [PATCH] check-setuid: use more portable find args
+
+Signed-off-by: Christopher Larson <chris_larson@mentor.com>
+---
+ plugins/check-setuid | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: checksecurity-2.0.15/plugins/check-setuid
+===================================================================
+--- checksecurity-2.0.15.orig/plugins/check-setuid 2018-09-06 00:49:23.930934294 +0500
++++ checksecurity-2.0.15/plugins/check-setuid 2018-09-06 00:49:49.694934757 +0500
+@@ -99,7 +99,7 @@
+ ionice -t -c3 \
+ find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
+ -xdev $PATHCHK \
+- \( -type f -perm +06000 -o \( \( -type b -o -type c \) \
++ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
+ $DEVCHK \) \) \
+ -ignore_readdir_race \
+ -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
diff --git a/external/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch b/external/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch
index 540ea9c3..540ea9c3 100644
--- a/external/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch
+++ b/external/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch
diff --git a/external/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/external/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb
index 8c2c2fa2..2ea2c9bd 100644
--- a/external/meta-security/recipes-security/clamav/clamav_0.99.4.bb
+++ b/external/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb
@@ -4,81 +4,82 @@ HOMEPAGE = "http://www.clamav.net/index.html"
SECTION = "security"
LICENSE = "LGPL-2.1"
-DEPENDS = "libtool db libmspack chrpath-replacement-native"
-
+DEPENDS = "libtool db libxml2 openssl zlib curl llvm clamav-native libmspack bison-native"
+DEPENDS_class-native = "db-native openssl-native zlib-native llvm-native curl-native bison-native"
+
LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092"
-SRCREV = "b66e5e27b48c0a07494f9df9b809ed933cede047"
+SRCREV = "482fcd413b07e9fd3ef9850e6d01a45f4e187108"
-SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.99 \
+SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.101 \
file://clamd.conf \
file://freshclam.conf \
file://volatiles.03_clamav \
+ file://tmpfiles.clamav \
file://${BPN}.service \
+ file://freshclam-native.conf \
"
S = "${WORKDIR}/git"
LEAD_SONAME = "libclamav.so"
-SO_VER = "7.1.1"
-
-EXTRANATIVEPATH += "chrpath-native"
-
-inherit autotools-brokensep pkgconfig useradd systemd
+SO_VER = "9.0.2"
-UID = "clamav"
-GID = "clamav"
+inherit autotools pkgconfig useradd systemd multilib_header multilib_script
-# Clamav has a built llvm version 2 but does not build with gcc 6.x,
-# disable the internal one. This is a known issue
-# If you want LLVM support, use meta-oe llvm3.3 to build for GCC 6.X,
-# as defined below
+CLAMAV_UID ?= "clamav"
+CLAMAV_GID ?= "clamav"
+INSTALL_CLAMAV_CVD ?= "1"
-CLAMAV_LLVM ?= "oellvm"
-CLAMAV_LLVM_RELEASE ?= "6.0"
+CLAMAV_USR_DIR = "${STAGING_DIR_NATIVE}/usr"
+CLAMAV_USR_DIR_class-target = "${STAGING_DIR_HOST}/usr"
-PACKAGECONFIG ?= "ncurses openssl bz2 zlib ${CLAMAV_LLVM}"
-PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-
-PACKAGECONFIG[oellvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm${CLAMAV_LLVM_RELEASE}"
+PACKAGECONFIG_class-target ?= "ncurses bz2"
+PACKAGECONFIG_class-target += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
+PACKAGECONFIG_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre"
-PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2,"
-PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json,"
-PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR}, --without-libcurl, curl,"
+PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json-c,"
PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6"
-PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr, --without-openssl, openssl, openssl"
-PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr --disable-zlib-vcheck , --without-zlib, zlib, "
-PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${STAGING_LIBDIR}/.., --without-libbz2-prefix, "
-PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${STAGING_LIBDIR}/.., --without-libncurses-prefix, ncurses, "
+PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${CLAMAV_USR_DIR}, --disable-bzip2, bzip2"
+PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${CLAMAV_USR_DIR}, --without-libncurses-prefix, ncurses, "
PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, "
-EXTRA_OECONF += " --with-user=${UID} --with-group=${GID} \
- --without-libcheck-prefix --disable-unrar \
+MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/clamav-config ${PN}-cvd:${localstatedir}/lib/clamav/mirrors.dat"
+
+EXTRA_OECONF_CLAMAV = "--without-libcheck-prefix --disable-unrar \
--disable-mempool \
--program-prefix="" \
- --disable-yara \
- --disable-rpath \
+ --disable-zlib-vcheck \
+ --with-xml=${CLAMAV_USR_DIR} \
+ --with-zlib=${CLAMAV_USR_DIR} \
+ --with-openssl=${CLAMAV_USR_DIR} \
+ --with-libcurl=${CLAMAV_USR_DIR} \
+ --with-system-libmspack=${CLAMAV_USR_DIR} \
+ --with-iconv=no \
+ --enable-check=no \
"
+EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}"
+EXTRA_OECONF_class-target += "--with-user=${CLAMAV_UID} --with-group=${CLAMAV_GID} ${EXTRA_OECONF_CLAMAV}"
+
do_configure () {
- cd ${S}
- ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+ ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
}
-do_compile_append() {
- # brute force removing RPATH
- chrpath -d ${B}/libclamav/.libs/libclamav.so.${SO_VER}
- chrpath -d ${B}/sigtool/.libs/sigtool
- chrpath -d ${B}/clambc/.libs/clambc
- chrpath -d ${B}/clamscan/.libs/clamscan
- chrpath -d ${B}/clamconf/.libs/clamconf
- chrpath -d ${B}/clamd/.libs/clamd
- chrpath -d ${B}/freshclam/.libs/freshclam
+do_configure_class-native () {
+ ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
}
-do_install_append() {
+do_compile_append_class-target() {
+ if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then
+ bbnote "CLAMAV creating cvd"
+ install -d ${S}/clamav_db
+ ${STAGING_BINDIR_NATIVE}/freshclam --datadir=${S}/clamav_db --config=${WORKDIR}/freshclam-native.conf
+ fi
+}
+
+do_install_append_class-target () {
install -d ${D}/${sysconfdir}
install -d ${D}/${localstatedir}/lib/clamav
install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
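Review bot: `do_compile_append_class-target` runs `${STAGING_BINDIR_NATIVE}/freshclam ... --config=${WORKDIR}/freshclam-native.conf` inside the compile task, so the target build now needs Internet access during do_compile and its output changes with whatever signature set the mirror serves that day, which makes the image non-reproducible; whether this layer's build policy allows network in do_compile is not visible here. The default `INSTALL_CLAMAV_CVD ?= "1"` deserves a comment stating that trade-off, e.g. `# "1" pre-fetches the current signature databases at build time (needs network in do_compile); set to "0" for offline/reproducible builds`. The download also writes into `${S}/clamav_db` rather than `${B}`, which pollutes the source tree and breaks out-of-tree rebuilds; `${B}/clamav_db` is the conventional location. `do_configure_class-native` repeats `do_configure` verbatim and can simply be removed.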
@@ -88,20 +89,27 @@ do_install_append() {
install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav
sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc
rm ${D}/${libdir}/libclamav.so
+ install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf
fi
+ oe_multilib_header clamav-types.h
}
pkg_postinst_ontarget_${PN} () {
- if [ -e /etc/init.d/populate-volatile.sh ] ; then
+ if command -v systemd-tmpfiles >/dev/null; then
+ systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf
+ elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
- chown ${UID}:${GID} ${localstatedir}/lib/clamav
+ mkdir -p ${localstatedir}/lib/clamav
+ chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav
}
-PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \
+PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc ${PN}-cvd \
${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev"
FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \
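Review bot: `install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.` ships the virus signature databases world-writable, so any local account on the target can alter or truncate the files clamd and clamscan load and silently weaken detection; the only legitimate writer is freshclam running as `${CLAMAV_UID}`, which the `chown -R` in `pkg_postinst_ontarget_${PN}` already takes care of, so `install -m 0644` is sufficient. The install is also unconditional while the fetch in do_compile is gated on `INSTALL_CLAMAV_CVD`, so a build with `INSTALL_CLAMAV_CVD = "0"` fails here because `${S}/clamav_db/` never exists. Suggested replacement: `if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then` / `install -m 0644 ${S}/clamav_db/* ${D}${localstatedir}/lib/clamav/` / `fi`.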
@@ -125,6 +133,7 @@ FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \
FILES_${PN}-freshclam = "${bindir}/freshclam \
${sysconfdir}/freshclam.conf* \
${sysconfdir}/clamav ${sysconfdir}/default/volatiles \
+ ${sysconfdir}/tmpfiles.d/*.conf \
${localstatedir}/lib/clamav \
${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \
${mandir}/man5/freshclam.conf.* \
@@ -137,16 +146,18 @@ FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \
FILES_${PN}-staticdev = "${libdir}/*.a"
-FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libmspack.so*\
+FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so*\
${docdir}/libclamav/* "
FILES_${PN}-doc = "${mandir}/man/* \
${datadir}/man/* \
${docdir}/* "
+FILES_${PN}-cvd = "${localstatedir}/lib/clamav/*.cvd ${localstatedir}/lib/clamav/*.dat"
+
USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "--system ${UID}"
-USERADD_PARAM_${PN} = "--system -g ${GID} --home-dir \
+GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}"
+USERADD_PARAM_${PN} = "--system -g ${CLAMAV_GID} --home-dir \
${localstatedir}/spool/${BPN} \
--no-create-home --shell /bin/false ${BPN}"
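Review bot: `GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}"` names the group after the user variable while `USERADD_PARAM_${PN}` attaches the user with `-g ${CLAMAV_GID}`; with both defaulting to `clamav` this happens to work, but overriding `CLAMAV_GID` alone makes useradd fail on a non-existent group, and overriding `CLAMAV_UID` alone creates a group named after the user. The line should read `GROUPADD_PARAM_${PN} = "--system ${CLAMAV_GID}"`. Separately, `FILES_${PN}-cvd` only globs `*.cvd` and `*.dat`; if the build-time fetch can also leave incremental `.cld` databases in the directory (not determinable from this recipe), they would fall into `${PN}-freshclam` through its `${localstatedir}/lib/clamav` entry instead of the cvd package.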
@@ -155,4 +166,7 @@ RREPLACES_${PN} += "${PN}-systemd"
RCONFLICTS_${PN} += "${PN}-systemd"
SYSTEMD_SERVICE_${PN} = "${BPN}.service"
-RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav"
+RDEPENDS_${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav"
+RDEPENDS_${PN}_class-native = ""
+
+BBCLASSEXTEND = "native"
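Review bot: `RDEPENDS_${PN}` now hard-codes `libpcre2`, yet the recipe's only pcre knob, `PACKAGECONFIG[pcre]` (unchanged context in the first hunk), declares a build dependency on `libpcre` and is not part of the default `PACKAGECONFIG_class-target`; one of the two is presumably wrong, and an unconditional runtime dependency on a library the binary may or may not link against is better left to the automatic shlibs dependency tracking. If 0.101 does link pcre2 from the sysroot by default (plausible but not visible here), the build-time side should say so explicitly, e.g. `DEPENDS += "libpcre2"`, so the link is deterministic rather than dependent on what happens to be in the sysroot. Changing `+=` to `=` also discards any `RDEPENDS_${PN}` set earlier in the recipe or in a bbappend; that is fine only if it is intentional.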
diff --git a/external/meta-security/recipes-security/clamav/files/clamav-freshclam.service b/external/meta-security/recipes-scanners/clamav/files/clamav-freshclam.service
index 0c909fb3..0c909fb3 100644
--- a/external/meta-security/recipes-security/clamav/files/clamav-freshclam.service
+++ b/external/meta-security/recipes-scanners/clamav/files/clamav-freshclam.service
diff --git a/external/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample b/external/meta-security/recipes-scanners/clamav/files/clamav-milter.conf.sample
index ed0d519f..ed0d519f 100644
--- a/external/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample
+++ b/external/meta-security/recipes-scanners/clamav/files/clamav-milter.conf.sample
diff --git a/external/meta-security/recipes-security/clamav/files/clamav.service b/external/meta-security/recipes-scanners/clamav/files/clamav.service
index f13191fc..f13191fc 100644
--- a/external/meta-security/recipes-security/clamav/files/clamav.service
+++ b/external/meta-security/recipes-scanners/clamav/files/clamav.service
diff --git a/external/meta-security/recipes-security/clamav/files/clamd.conf b/external/meta-security/recipes-scanners/clamav/files/clamd.conf
index 04577850..04577850 100644
--- a/external/meta-security/recipes-security/clamav/files/clamd.conf
+++ b/external/meta-security/recipes-scanners/clamav/files/clamd.conf
diff --git a/external/meta-security/recipes-scanners/clamav/files/freshclam-native.conf b/external/meta-security/recipes-scanners/clamav/files/freshclam-native.conf
new file mode 100644
index 00000000..aaa8cf46
--- /dev/null
+++ b/external/meta-security/recipes-scanners/clamav/files/freshclam-native.conf
@@ -0,0 +1,224 @@
+# Path to the database directory.
+# WARNING: It must match clamd.conf's directive!
+# Default: hardcoded (depends on installation options)
+#DatabaseDirectory /var/lib/clamav
+
+# Path to the log file (make sure it has proper permissions)
+# Default: disabled
+#UpdateLogFile /var/log/clamav/freshclam.log
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
+# log rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+LogTime yes
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Use system logger (can work together with UpdateLogFile).
+# Default: no
+#LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# This option allows you to save the process identifier of the daemon
+# Default: disabled
+#PidFile /var/run/freshclam.pid
+
+# By default when started freshclam drops privileges and switches to the
+# "clamav" user. This directive allows you to change the database owner.
+# Default: clamav (may depend on installation options)
+DatabaseOwner clamav
+
+# Initialize supplementary group access (freshclam must be started by root).
+# Default: no
+#AllowSupplementaryGroups yes
+
+# Use DNS to verify virus database version. Freshclam uses DNS TXT records
+# to verify database and software versions. With this directive you can change
+# the database verification domain.
+# WARNING: Do not touch it unless you're configuring freshclam to use your
+# own database verification domain.
+# Default: current.cvd.clamav.net
+#DNSDatabaseInfo current.cvd.clamav.net
+
+# Uncomment the following line and replace XY with your country
+# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
+# You can use db.XY.ipv6.clamav.net for IPv6 connections.
+#DatabaseMirror db.XY.clamav.net
+
+# database.clamav.net is a round-robin record which points to our most
+# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
+# not working. DO NOT TOUCH the following line unless you know what you
+# are doing.
+DatabaseMirror database.clamav.net
+
+# How many attempts to make before giving up.
+# Default: 3 (per mirror)
+#MaxAttempts 5
+
+# With this option you can control scripted updates. It's highly recommended
+# to keep it enabled.
+# Default: yes
+#ScriptedUpdates yes
+
+# By default freshclam will keep the local databases (.cld) uncompressed to
+# make their handling faster. With this option you can enable the compression;
+# the change will take effect with the next database update.
+# Default: no
+#CompressLocalDatabase no
+
+# With this option you can provide custom sources (http:// or file://) for
+# database files. This option can be used multiple times.
+# Default: no custom URLs
+#DatabaseCustomURL http://myserver.com/mysigs.ndb
+#DatabaseCustomURL file:///mnt/nfs/local.hdb
+
+# This option allows you to easily point freshclam to private mirrors.
+# If PrivateMirror is set, freshclam does not attempt to use DNS
+# to determine whether its databases are out-of-date, instead it will
+# use the If-Modified-Since request or directly check the headers of the
+# remote database files. For each database, freshclam first attempts
+# to download the CLD file. If that fails, it tries to download the
+# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
+# and ScriptedUpdates. It can be used multiple times to provide
+# fall-back mirrors.
+# Default: disabled
+#PrivateMirror mirror1.mynetwork.com
+#PrivateMirror mirror2.mynetwork.com
+
+# Number of database checks per day.
+# Default: 12 (every two hours)
+#Checks 24
+
+# Proxy settings
+# Default: disabled
+#HTTPProxyServer myproxy.com
+#HTTPProxyPort 1234
+#HTTPProxyUsername myusername
+#HTTPProxyPassword mypass
+
+# If your servers are behind a firewall/proxy which applies User-Agent
+# filtering you can use this option to force the use of a different
+# User-Agent header.
+# Default: clamav/version_number
+#HTTPUserAgent SomeUserAgentIdString
+
+# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
+# multi-homed systems.
+# Default: Use OS'es default outgoing IP address.
+#LocalIPAddress aaa.bbb.ccc.ddd
+
+# Send the RELOAD command to clamd.
+# Default: no
+#NotifyClamd /path/to/clamd.conf
+
+# Run command after successful database update.
+# Default: disabled
+#OnUpdateExecute command
+
+# Run command when database update process fails.
+# Default: disabled
+#OnErrorExecute command
+
+# Run command when freshclam reports outdated version.
+# In the command string %v will be replaced by the new version number.
+# Default: disabled
+#OnOutdatedExecute command
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Timeout in seconds when connecting to database server.
+# Default: 30
+#ConnectTimeout 60
+
+# Timeout in seconds when reading from database server.
+# Default: 30
+#ReceiveTimeout 60
+
+# With this option enabled, freshclam will attempt to load new
+# databases into memory to make sure they are properly handled
+# by libclamav before replacing the old ones.
+# Default: yes
+#TestDatabases yes
+
+# When enabled freshclam will submit statistics to the ClamAV Project about
+# the latest virus detections in your environment. The ClamAV maintainers
+# will then use this data to determine what types of malware are the most
+# detected in the field and in what geographic area they are.
+# Freshclam will connect to clamd in order to get recent statistics.
+# Default: no
+#SubmitDetectionStats /path/to/clamd.conf
+
+# Country of origin of malware/detection statistics (for statistical
+# purposes only). The statistics collector at ClamAV.net will look up
+# your IP address to determine the geographical origin of the malware
+# reported by your installation. If this installation is mainly used to
+# scan data which comes from a different location, please enable this
+# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
+# of the country of origin.
+# Default: disabled
+#DetectionStatsCountry country-code
+
+# This option enables support for our "Personal Statistics" service.
+# When this option is enabled, the information on malware detected by
+# your clamd installation is made available to you through our website.
+# To get your HostID, log on http://www.stats.clamav.net and add a new
+# host to your host list. Once you have the HostID, uncomment this option
+# and paste the HostID here. As soon as your freshclam starts submitting
+# information to our stats collecting service, you will be able to view
+# the statistics of this clamd installation by logging into
+# http://www.stats.clamav.net with the same credentials you used to
+# generate the HostID. For more information refer to:
+# http://www.clamav.net/documentation.html#cctts
+# This feature requires SubmitDetectionStats to be enabled.
+# Default: disabled
+#DetectionStatsHostID unique-id
+
+# This option enables support for Google Safe Browsing. When activated for
+# the first time, freshclam will download a new database file (safebrowsing.cvd)
+# which will be automatically loaded by clamd and clamscan during the next
+# reload, provided that the heuristic phishing detection is turned on. This
+# database includes information about websites that may be phishing sites or
+# possible sources of malware. When using this option, it's mandatory to run
+# freshclam at least every 30 minutes.
+# Freshclam uses the ClamAV's mirror infrastructure to distribute the
+# database and its updates but all the contents are provided under Google's
+# terms of use. See http://www.google.com/transparencyreport/safebrowsing
+# and http://www.clamav.net/documentation.html#safebrowsing
+# for more information.
+# Default: disabled
+#SafeBrowsing yes
+
+# This option enables downloading of bytecode.cvd, which includes additional
+# detection mechanisms and improvements to the ClamAV engine.
+# Default: enabled
+#Bytecode yes
+
+# Download an additional 3rd party signature database distributed through
+# the ClamAV mirrors.
+# This option can be used multiple times.
+#ExtraDatabase dbname1
+#ExtraDatabase dbname2
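Review bot: `DatabaseOwner clamav` was carried over from the target configuration, but this file is consumed by the native freshclam that do_compile runs as the build user; freshclam only tries to switch to DatabaseOwner when started as root, so the directive is at best a no-op and, in a root-run build, fails because no `clamav` account exists on the build host — confirm against the 0.101 freshclam behaviour and comment it out as `#DatabaseOwner clamav`. `LogFileMaxSize 2M` and `LogTime yes` likewise have no effect without `UpdateLogFile`. The file would benefit from a header stating its role, e.g. `# Build-host configuration used by do_compile to pre-fetch signature databases; not installed on the target.`, since it is otherwise indistinguishable from the shipped `freshclam.conf`.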
diff --git a/external/meta-security/recipes-security/clamav/files/freshclam.conf b/external/meta-security/recipes-scanners/clamav/files/freshclam.conf
index 100724f1..100724f1 100644
--- a/external/meta-security/recipes-security/clamav/files/freshclam.conf
+++ b/external/meta-security/recipes-scanners/clamav/files/freshclam.conf
diff --git a/external/meta-security/recipes-scanners/clamav/files/tmpfiles.clamav b/external/meta-security/recipes-scanners/clamav/files/tmpfiles.clamav
new file mode 100644
index 00000000..fd5adfee
--- /dev/null
+++ b/external/meta-security/recipes-scanners/clamav/files/tmpfiles.clamav
@@ -0,0 +1,3 @@
+#Type Path Mode UID GID Age Argument
+d /var/log/clamav 0755 clamav clamav -
+f /var/log/clamav/freshclam.log 0644 clamav clamav -
diff --git a/external/meta-security/recipes-security/clamav/files/volatiles.03_clamav b/external/meta-security/recipes-scanners/clamav/files/volatiles.03_clamav
index ee2153ca..ee2153ca 100644
--- a/external/meta-security/recipes-security/clamav/files/volatiles.03_clamav
+++ b/external/meta-security/recipes-scanners/clamav/files/volatiles.03_clamav
diff --git a/external/meta-security/recipes-scanners/rootkits/chkrootkit_0.53.bb b/external/meta-security/recipes-scanners/rootkits/chkrootkit_0.53.bb
new file mode 100644
index 00000000..4536be39
--- /dev/null
+++ b/external/meta-security/recipes-scanners/rootkits/chkrootkit_0.53.bb
@@ -0,0 +1,48 @@
+DESCRIPTION = "rootkit detector"
+SUMMARY = "locally checks for signs of a rootkit"
+HOMEPAGE = "http://www.chkrootkit.org/"
+SECTION = "security"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff"
+
+SRC_URI = "ftp://ftp.pangeia.com.br/pub/seg/pac/${BPN}.tar.gz"
+SRC_URI[sha256sum] = "7262dae33b338976828b5d156b70d159e0043c0db43ada8dee66c97387cf45b5"
+
+
+inherit autotools-brokensep
+
+TARGET_CC_ARCH += "${LDFLAGS}"
+
+do_configure () {
+ sed -i 's/@strip.*$//' ${S}/Makefile
+}
+
+do_compile () {
+ make CC="${CC}" LDFLAGS="${LDFLAGS}" sense
+ gzip -9vkf ACKNOWLEDGMENTS
+ gzip -9vkf README
+}
+
+do_install () {
+ install -d ${D}/${libdir}/${PN}
+ install -d ${D}/${sbindir}
+ install -d ${D}/${docdir}/${PN}
+
+ install -m 644 ${B}/chkdirs ${D}/${libdir}/${PN}
+ install -m 644 ${B}/chklastlog ${D}/${libdir}/${PN}
+ install -m 644 ${B}/chkproc ${D}/${libdir}/${PN}
+ install -m 644 ${B}/chkutmp ${D}/${libdir}/${PN}
+ install -m 644 ${B}/chkwtmp ${D}/${libdir}/${PN}
+ install -m 644 ${B}/ifpromisc ${D}/${libdir}/${PN}
+ install -m 644 ${B}/strings-static ${D}/${libdir}/${PN}
+
+ install -m 755 ${B}/chklastlog ${D}/${sbindir}
+ install -m 755 ${B}/chkrootkit ${D}/${sbindir}
+ install -m 755 ${B}/chkwtmp ${D}/${sbindir}
+
+ install -m 644 ${B}/ACKNOWLEDGMENTS.gz ${D}/${docdir}/${PN}
+ install -m 644 ${B}/README.chklastlog ${D}/${docdir}/${PN}
+ install -m 644 ${B}/README.chkwtmp ${D}/${docdir}/${PN}
+ install -m 644 ${B}/README.gz ${D}/${docdir}/${PN}
+ install -m 644 ${B}/COPYRIGHT ${D}/${docdir}/${PN}
+}
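Review bot: the helper programs `chkdirs`, `chklastlog`, `chkproc`, `chkutmp`, `chkwtmp`, `ifpromisc` and `strings-static` are installed into `${libdir}/${PN}` with `install -m 644`, so they are not executable; if the `chkrootkit` script execs them from that directory at runtime (confirm against the 0.53 script), every check that depends on them fails silently or is skipped, and those lines need `install -m 755`. `do_compile` invokes `make` directly; the Yocto convention is `oe_runmake CC="${CC}" LDFLAGS="${LDFLAGS}" sense`, which honours `EXTRA_OEMAKE` and the parallel-make settings. The `ftp://` `SRC_URI` is unauthenticated transport, but the pinned `SRC_URI[sha256sum]` makes the fetched tarball integrity-checked, so that part is acceptable.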
diff --git a/external/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/external/meta-security/recipes-security/bastille/bastille_3.2.1.bb
index 152c03ae..0290cae2 100644
--- a/external/meta-security/recipes-security/bastille/bastille_3.2.1.bb
+++ b/external/meta-security/recipes-security/bastille/bastille_3.2.1.bb
@@ -9,8 +9,6 @@ DEPENDS = "virtual/kernel"
RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils"
FILES_${PN} += "/run/lock/subsys/bastille"
-inherit module-base
-
SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \
file://AccountPermission.pm \
file://FileContent.pm \
@@ -41,8 +39,7 @@ S = "${WORKDIR}/Bastille"
do_install () {
install -d ${D}${sbindir}
- install -d ${D}${libdir}/perl/site_perl/Curses
- ln -sf perl ${D}/${libdir}/perl5
+ install -d ${D}${libdir}/perl5/site_perl/Curses
install -d ${D}${libdir}/Bastille
install -d ${D}${libdir}/Bastille/API
@@ -51,7 +48,6 @@ do_install () {
install -d ${D}${datadir}/Bastille/OSMap/Modules
install -d ${D}${datadir}/Bastille/Questions
install -d ${D}${datadir}/Bastille/FKL/configs/
- install -d ${D}${localstatedir}/lock/subsys/bastille
install -d ${D}${localstatedir}/log/Bastille
install -d ${D}${sysconfdir}/Bastille
install -m 0755 AutomatedBastille ${D}${sbindir}
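Review bot: removing `install -d ${D}${localstatedir}/lock/subsys/bastille` leaves `FILES_${PN} += "/run/lock/subsys/bastille"` (context in the first hunk) pointing at a path the package no longer ships, and nothing in the recipe now creates the lock directory at runtime; if Bastille still writes its lock there, it needs a tmpfiles.d or volatiles entry (or a `mkdir -p` in the tool), otherwise the stale `FILES_${PN}` line should be dropped as well. do_install continues outside the hunk.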
diff --git a/external/meta-security/recipes-security/bastille/files/set_required_questions.py b/external/meta-security/recipes-security/bastille/files/set_required_questions.py
index 4a28358c..f306109d 100755
--- a/external/meta-security/recipes-security/bastille/files/set_required_questions.py
+++ b/external/meta-security/recipes-security/bastille/files/set_required_questions.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
#Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
@@ -83,7 +83,7 @@ def xform_file(qfile, distro, qlabel):
@param name qlabel The question label for which the distro is to be added.
"""
questions_in = open(qfile)
- questions_out = tempfile.NamedTemporaryFile(delete=False)
+ questions_out = tempfile.NamedTemporaryFile(mode="w+", delete=False)
for l in add_requires(qlabel, distro, questions_in):
questions_out.write(l)
questions_out.close()
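Review bot: `questions_in = open(qfile)` is never closed in this hunk, and `questions_out.close()` is not reached if `add_requires` or the write raises, leaving an orphaned temp file behind. Now that the script targets Python 3 (first hunk), both handles belong in one context manager: `with open(qfile) as questions_in, tempfile.NamedTemporaryFile(mode="w+", delete=False) as questions_out:` with the loop indented beneath it; `questions_out.name` remains usable after the block for the subsequent rename. xform_file continues outside the hunk.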
diff --git a/external/meta-security/recipes-security/checksec/checksec_1.5.bb b/external/meta-security/recipes-security/checksec/checksec_1.5.bb
deleted file mode 100644
index 07f0f7c7..00000000
--- a/external/meta-security/recipes-security/checksec/checksec_1.5.bb
+++ /dev/null
@@ -1,18 +0,0 @@
-SUMMARY = "Program radominization"
-DESCRIPTION = "The checksec.sh script is designed to test what standard Linux OS and PaX security features are being used."
-SECTION = "security"
-LICENSE = "BSD"
-HOMEPAGE="http://www.trapkit.de/tools/checksec.html"
-
-LIC_FILES_CHKSUM = "file://checksec.sh;md5=075996be339ab16ad7b94d6de3ee07bd"
-
-SRC_URI = "file://checksec.sh"
-
-S = "${WORKDIR}"
-
-do_install() {
- install -d ${D}${bindir}
- install -m 0755 ${WORKDIR}/checksec.sh ${D}${bindir}
-}
-
-RDEPENDS_${PN} = "bash"
diff --git a/external/meta-security/recipes-security/checksec/files/checksec.sh b/external/meta-security/recipes-security/checksec/files/checksec.sh
deleted file mode 100644
index dd1f72e5..00000000
--- a/external/meta-security/recipes-security/checksec/files/checksec.sh
+++ /dev/null
@@ -1,882 +0,0 @@
-#!/bin/bash
-#
-# The BSD License (http://www.opensource.org/licenses/bsd-license.php)
-# specifies the terms and conditions of use for checksec.sh:
-#
-# Copyright (c) 2009-2011, Tobias Klein.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in
-# the documentation and/or other materials provided with the
-# distribution.
-# * Neither the name of Tobias Klein nor the name of trapkit.de may be
-# used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
-# OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
-# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
-# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-# DAMAGE.
-#
-# Name : checksec.sh
-# Version : 1.5
-# Author : Tobias Klein
-# Date : November 2011
-# Download: http://www.trapkit.de/tools/checksec.html
-# Changes : http://www.trapkit.de/tools/checksec_changes.txt
-#
-# Description:
-#
-# Modern Linux distributions offer some mitigation techniques to make it
-# harder to exploit software vulnerabilities reliably. Mitigations such
-# as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout
-# Randomization (ASLR) and Position Independent Executables (PIE) have
-# made reliably exploiting any vulnerabilities that do exist far more
-# challenging. The checksec.sh script is designed to test what *standard*
-# Linux OS and PaX (http://pax.grsecurity.net/) security features are being
-# used.
-#
-# As of version 1.3 the script also lists the status of various Linux kernel
-# protection mechanisms.
-#
-# Credits:
-#
-# Thanks to Brad Spengler (grsecurity.net) for the PaX support.
-# Thanks to Jon Oberheide (jon.oberheide.org) for the kernel support.
-# Thanks to Ollie Whitehouse (Research In Motion) for rpath/runpath support.
-#
-# Others that contributed to checksec.sh (in no particular order):
-#
-# Simon Ruderich, Denis Scherbakov, Stefan Kuttler, Radoslaw Madej,
-# Anthony G. Basile, Martin Vaeth and Brian Davis.
-#
-
-# global vars
-have_readelf=1
-verbose=false
-
-# FORTIFY_SOURCE vars
-FS_end=_chk
-FS_cnt_total=0
-FS_cnt_checked=0
-FS_cnt_unchecked=0
-FS_chk_func_libc=0
-FS_functions=0
-FS_libc=0
-
-# version information
-version() {
- echo "checksec v1.5, Tobias Klein, www.trapkit.de, November 2011"
- echo
-}
-
-# help
-help() {
- echo "Usage: checksec [OPTION]"
- echo
- echo "Options:"
- echo
- echo " --file <executable-file>"
- echo " --dir <directory> [-v]"
- echo " --proc <process name>"
- echo " --proc-all"
- echo " --proc-libs <process ID>"
- echo " --kernel"
- echo " --fortify-file <executable-file>"
- echo " --fortify-proc <process ID>"
- echo " --version"
- echo " --help"
- echo
- echo "For more information, see:"
- echo " http://www.trapkit.de/tools/checksec.html"
- echo
-}
-
-# check if command exists
-command_exists () {
- type $1 > /dev/null 2>&1;
-}
-
-# check if directory exists
-dir_exists () {
- if [ -d $1 ] ; then
- return 0
- else
- return 1
- fi
-}
-
-# check user privileges
-root_privs () {
- if [ $(/usr/bin/id -u) -eq 0 ] ; then
- return 0
- else
- return 1
- fi
-}
-
-# check if input is numeric
-isNumeric () {
- echo "$@" | grep -q -v "[^0-9]"
-}
-
-# check if input is a string
-isString () {
- echo "$@" | grep -q -v "[^A-Za-z]"
-}
-
-# check file(s)
-filecheck() {
- # check for RELRO support
- if readelf -l $1 2>/dev/null | grep -q 'GNU_RELRO'; then
- if readelf -d $1 2>/dev/null | grep -q 'BIND_NOW'; then
- echo -n -e '\033[32mFull RELRO \033[m '
- else
- echo -n -e '\033[33mPartial RELRO\033[m '
- fi
- else
- echo -n -e '\033[31mNo RELRO \033[m '
- fi
-
- # check for stack canary support
- if readelf -s $1 2>/dev/null | grep -q '__stack_chk_fail'; then
- echo -n -e '\033[32mCanary found \033[m '
- else
- echo -n -e '\033[31mNo canary found\033[m '
- fi
-
- # check for NX support
- if readelf -W -l $1 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
- echo -n -e '\033[31mNX disabled\033[m '
- else
- echo -n -e '\033[32mNX enabled \033[m '
- fi
-
- # check for PIE support
- if readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then
- echo -n -e '\033[31mNo PIE \033[m '
- elif readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
- if readelf -d $1 2>/dev/null | grep -q '(DEBUG)'; then
- echo -n -e '\033[32mPIE enabled \033[m '
- else
- echo -n -e '\033[33mDSO \033[m '
- fi
- else
- echo -n -e '\033[33mNot an ELF file\033[m '
- fi
-
- # check for rpath / run path
- if readelf -d $1 2>/dev/null | grep -q 'rpath'; then
- echo -n -e '\033[31mRPATH \033[m '
- else
- echo -n -e '\033[32mNo RPATH \033[m '
- fi
-
- if readelf -d $1 2>/dev/null | grep -q 'runpath'; then
- echo -n -e '\033[31mRUNPATH \033[m '
- else
- echo -n -e '\033[32mNo RUNPATH \033[m '
- fi
-}
-
-# check process(es)
-proccheck() {
- # check for RELRO support
- if readelf -l $1/exe 2>/dev/null | grep -q 'Program Headers'; then
- if readelf -l $1/exe 2>/dev/null | grep -q 'GNU_RELRO'; then
- if readelf -d $1/exe 2>/dev/null | grep -q 'BIND_NOW'; then
- echo -n -e '\033[32mFull RELRO \033[m '
- else
- echo -n -e '\033[33mPartial RELRO \033[m '
- fi
- else
- echo -n -e '\033[31mNo RELRO \033[m '
- fi
- else
- echo -n -e '\033[31mPermission denied (please run as root)\033[m\n'
- exit 1
- fi
-
- # check for stack canary support
- if readelf -s $1/exe 2>/dev/null | grep -q 'Symbol table'; then
- if readelf -s $1/exe 2>/dev/null | grep -q '__stack_chk_fail'; then
- echo -n -e '\033[32mCanary found \033[m '
- else
- echo -n -e '\033[31mNo canary found \033[m '
- fi
- else
- if [ "$1" != "1" ] ; then
- echo -n -e '\033[33mPermission denied \033[m '
- else
- echo -n -e '\033[33mNo symbol table found\033[m '
- fi
- fi
-
- # first check for PaX support
- if cat $1/status 2> /dev/null | grep -q 'PaX:'; then
- pageexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b6) )
- segmexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b10) )
- mprotect=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b8) )
- randmmap=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b9) )
- if [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "R" ]] ; then
- echo -n -e '\033[32mPaX enabled\033[m '
- elif [[ "$pageexec" = "p" && "$segmexec" = "s" && "$randmmap" = "R" ]] ; then
- echo -n -e '\033[33mPaX ASLR only\033[m '
- elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "R" ]] ; then
- echo -n -e '\033[33mPaX mprot off \033[m'
- elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "r" ]] ; then
- echo -n -e '\033[33mPaX ASLR off\033[m '
- elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "r" ]] ; then
- echo -n -e '\033[33mPaX NX only\033[m '
- else
- echo -n -e '\033[31mPaX disabled\033[m '
- fi
- # fallback check for NX support
- elif readelf -W -l $1/exe 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
- echo -n -e '\033[31mNX disabled\033[m '
- else
- echo -n -e '\033[32mNX enabled \033[m '
- fi
-
- # check for PIE support
- if readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then
- echo -n -e '\033[31mNo PIE \033[m '
- elif readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
- if readelf -d $1/exe 2>/dev/null | grep -q '(DEBUG)'; then
- echo -n -e '\033[32mPIE enabled \033[m '
- else
- echo -n -e '\033[33mDynamic Shared Object\033[m '
- fi
- else
- echo -n -e '\033[33mNot an ELF file \033[m '
- fi
-}
-
-# check mapped libraries
-libcheck() {
- libs=( $(awk '{ print $6 }' /proc/$1/maps | grep '/' | sort -u | xargs file | grep ELF | awk '{ print $1 }' | sed 's/:/ /') )
-
- printf "\n* Loaded libraries (file information, # of mapped files: ${#libs[@]}):\n\n"
-
- for element in $(seq 0 $((${#libs[@]} - 1)))
- do
- echo " ${libs[$element]}:"
- echo -n " "
- filecheck ${libs[$element]}
- printf "\n\n"
- done
-}
-
-# check for system-wide ASLR support
-aslrcheck() {
- # PaX ASLR support
- if !(cat /proc/1/status 2> /dev/null | grep -q 'Name:') ; then
- echo -n -e ':\033[33m insufficient privileges for PaX ASLR checks\033[m\n'
- echo -n -e ' Fallback to standard Linux ASLR check'
- fi
-
- if cat /proc/1/status 2> /dev/null | grep -q 'PaX:'; then
- printf ": "
- if cat /proc/1/status 2> /dev/null | grep 'PaX:' | grep -q 'R'; then
- echo -n -e '\033[32mPaX ASLR enabled\033[m\n\n'
- else
- echo -n -e '\033[31mPaX ASLR disabled\033[m\n\n'
- fi
- else
- # standard Linux 'kernel.randomize_va_space' ASLR support
- # (see the kernel file 'Documentation/sysctl/kernel.txt' for a detailed description)
- printf " (kernel.randomize_va_space): "
- if /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 1'; then
- echo -n -e '\033[33mOn (Setting: 1)\033[m\n\n'
- printf " Description - Make the addresses of mmap base, stack and VDSO page randomized.\n"
- printf " This, among other things, implies that shared libraries will be loaded to \n"
- printf " random addresses. Also for PIE-linked binaries, the location of code start\n"
- printf " is randomized. Heap addresses are *not* randomized.\n\n"
- elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 2'; then
- echo -n -e '\033[32mOn (Setting: 2)\033[m\n\n'
- printf " Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.\n"
- printf " This, among other things, implies that shared libraries will be loaded to random \n"
- printf " addresses. Also for PIE-linked binaries, the location of code start is randomized.\n\n"
- elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 0'; then
- echo -n -e '\033[31mOff (Setting: 0)\033[m\n'
- else
- echo -n -e '\033[31mNot supported\033[m\n'
- fi
- printf " See the kernel file 'Documentation/sysctl/kernel.txt' for more details.\n\n"
- fi
-}
-
-# check cpu nx flag
-nxcheck() {
- if grep -q nx /proc/cpuinfo; then
- echo -n -e '\033[32mYes\033[m\n\n'
- else
- echo -n -e '\033[31mNo\033[m\n\n'
- fi
-}
-
-# check for kernel protection mechanisms
-kernelcheck() {
- printf " Description - List the status of kernel protection mechanisms. Rather than\n"
- printf " inspect kernel mechanisms that may aid in the prevention of exploitation of\n"
- printf " userspace processes, this option lists the status of kernel configuration\n"
- printf " options that harden the kernel itself against attack.\n\n"
- printf " Kernel config: "
-
- if [ -f /proc/config.gz ] ; then
- kconfig="zcat /proc/config.gz"
- printf "\033[32m/proc/config.gz\033[m\n\n"
- elif [ -f /boot/config-`uname -r` ] ; then
- kconfig="cat /boot/config-`uname -r`"
- printf "\033[33m/boot/config-`uname -r`\033[m\n\n"
- printf " Warning: The config on disk may not represent running kernel config!\n\n";
- elif [ -f "${KBUILD_OUTPUT:-/usr/src/linux}"/.config ] ; then
- kconfig="cat ${KBUILD_OUTPUT:-/usr/src/linux}/.config"
- printf "\033[33m%s\033[m\n\n" "${KBUILD_OUTPUT:-/usr/src/linux}/.config"
- printf " Warning: The config on disk may not represent running kernel config!\n\n";
- else
- printf "\033[31mNOT FOUND\033[m\n\n"
- exit 0
- fi
-
- printf " GCC stack protector support: "
- if $kconfig | grep -qi 'CONFIG_CC_STACKPROTECTOR=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Strict user copy checks: "
- if $kconfig | grep -qi 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Enforce read-only kernel data: "
- if $kconfig | grep -qi 'CONFIG_DEBUG_RODATA=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
- printf " Restrict /dev/mem access: "
- if $kconfig | grep -qi 'CONFIG_STRICT_DEVMEM=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Restrict /dev/kmem access: "
- if $kconfig | grep -qi 'CONFIG_DEVKMEM=y'; then
- printf "\033[31mDisabled\033[m\n"
- else
- printf "\033[32mEnabled\033[m\n"
- fi
-
- printf "\n"
- printf "* grsecurity / PaX: "
-
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC=y'; then
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIGH=y'; then
- printf "\033[32mHigh GRKERNSEC\033[m\n\n"
- elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_MEDIUM=y'; then
- printf "\033[33mMedium GRKERNSEC\033[m\n\n"
- elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_LOW=y'; then
- printf "\033[31mLow GRKERNSEC\033[m\n\n"
- else
- printf "\033[33mCustom GRKERNSEC\033[m\n\n"
- fi
-
- printf " Non-executable kernel pages: "
- if $kconfig | grep -qi 'CONFIG_PAX_KERNEXEC=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Prevent userspace pointer deref: "
- if $kconfig | grep -qi 'CONFIG_PAX_MEMORY_UDEREF=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Prevent kobject refcount overflow: "
- if $kconfig | grep -qi 'CONFIG_PAX_REFCOUNT=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Bounds check heap object copies: "
- if $kconfig | grep -qi 'CONFIG_PAX_USERCOPY=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Disable writing to kmem/mem/port: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_KMEM=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Disable privileged I/O: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_IO=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Harden module auto-loading: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_MODHARDEN=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Hide kernel symbols: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIDESYM=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
- else
- printf "\033[31mNo GRKERNSEC\033[m\n\n"
- printf " The grsecurity / PaX patchset is available here:\n"
- printf " http://grsecurity.net/\n"
- fi
-
- printf "\n"
- printf "* Kernel Heap Hardening: "
-
- if $kconfig | grep -qi 'CONFIG_KERNHEAP=y'; then
- if $kconfig | grep -qi 'CONFIG_KERNHEAP_FULLPOISON=y'; then
- printf "\033[32mFull KERNHEAP\033[m\n\n"
- else
- printf "\033[33mPartial KERNHEAP\033[m\n\n"
- fi
- else
- printf "\033[31mNo KERNHEAP\033[m\n\n"
- printf " The KERNHEAP hardening patchset is available here:\n"
- printf " https://www.subreption.com/kernheap/\n\n"
- fi
-}
-
-# --- FORTIFY_SOURCE subfunctions (start) ---
-
-# is FORTIFY_SOURCE supported by libc?
-FS_libc_check() {
- printf "* FORTIFY_SOURCE support available (libc) : "
-
- if [ "${#FS_chk_func_libc[@]}" != "0" ] ; then
- printf "\033[32mYes\033[m\n"
- else
- printf "\033[31mNo\033[m\n"
- exit 1
- fi
-}
-
-# was the binary compiled with FORTIFY_SOURCE?
-FS_binary_check() {
- printf "* Binary compiled with FORTIFY_SOURCE support: "
-
- for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1)))
- do
- if [[ ${FS_functions[$FS_elem_functions]} =~ _chk ]] ; then
- printf "\033[32mYes\033[m\n"
- return
- fi
- done
- printf "\033[31mNo\033[m\n"
- exit 1
-}
-
-FS_comparison() {
- echo
- printf " ------ EXECUTABLE-FILE ------- . -------- LIBC --------\n"
- printf " FORTIFY-able library functions | Checked function names\n"
- printf " -------------------------------------------------------\n"
-
- for FS_elem_libc in $(seq 0 $((${#FS_chk_func_libc[@]} - 1)))
- do
- for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1)))
- do
- FS_tmp_func=${FS_functions[$FS_elem_functions]}
- FS_tmp_libc=${FS_chk_func_libc[$FS_elem_libc]}
-
- if [[ $FS_tmp_func =~ ^$FS_tmp_libc$ ]] ; then
- printf " \033[31m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end
- let FS_cnt_total++
- let FS_cnt_unchecked++
- elif [[ $FS_tmp_func =~ ^$FS_tmp_libc(_chk) ]] ; then
- printf " \033[32m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end
- let FS_cnt_total++
- let FS_cnt_checked++
- fi
-
- done
- done
-}
-
-FS_summary() {
- echo
- printf "SUMMARY:\n\n"
- printf "* Number of checked functions in libc : ${#FS_chk_func_libc[@]}\n"
- printf "* Total number of library functions in the executable: ${#FS_functions[@]}\n"
- printf "* Number of FORTIFY-able functions in the executable : %s\n" $FS_cnt_total
- printf "* Number of checked functions in the executable : \033[32m%s\033[m\n" $FS_cnt_checked
- printf "* Number of unchecked functions in the executable : \033[31m%s\033[m\n" $FS_cnt_unchecked
- echo
-}
-
-# --- FORTIFY_SOURCE subfunctions (end) ---
-
-if !(command_exists readelf) ; then
- printf "\033[31mWarning: 'readelf' not found! It's required for most checks.\033[m\n\n"
- have_readelf=0
-fi
-
-# parse command-line arguments
-case "$1" in
-
- --version)
- version
- exit 0
- ;;
-
- --help)
- help
- exit 0
- ;;
-
- --dir)
- if [ "$3" = "-v" ] ; then
- verbose=true
- fi
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid directory.\033[m\n\n"
- exit 1
- fi
- # remove trailing slashes
- tempdir=`echo $2 | sed -e "s/\/*$//"`
- if [ ! -d $tempdir ] ; then
- printf "\033[31mError: The directory '$tempdir' does not exist.\033[m\n\n"
- exit 1
- fi
- cd $tempdir
- printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n"
- for N in [A-Za-z]*; do
- if [ "$N" != "[A-Za-z]*" ]; then
- # read permissions?
- if [ ! -r $N ]; then
- printf "\033[31mError: No read permissions for '$tempdir/$N' (run as root).\033[m\n"
- else
- # ELF executable?
- out=`file $N`
- if [[ ! $out =~ ELF ]] ; then
- if [ "$verbose" = "true" ] ; then
- printf "\033[34m*** Not an ELF file: $tempdir/"
- file $N
- printf "\033[m"
- fi
- else
- filecheck $N
- if [ `find $tempdir/$N \( -perm -004000 -o -perm -002000 \) -type f -print` ]; then
- printf "\033[37;41m%s%s\033[m" $2 $N
- else
- printf "%s%s" $tempdir/ $N
- fi
- echo
- fi
- fi
- fi
- done
- exit 0
- ;;
-
- --file)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid file.\033[m\n\n"
- exit 1
- fi
- # does the file exist?
- if [ ! -e $2 ] ; then
- printf "\033[31mError: The file '$2' does not exist.\033[m\n\n"
- exit 1
- fi
- # read permissions?
- if [ ! -r $2 ] ; then
- printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n"
- exit 1
- fi
- # ELF executable?
- out=`file $2`
- if [[ ! $out =~ ELF ]] ; then
- printf "\033[31mError: Not an ELF file: "
- file $2
- printf "\033[m\n"
- exit 1
- fi
- printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n"
- filecheck $2
- if [ `find $2 \( -perm -004000 -o -perm -002000 \) -type f -print` ] ; then
- printf "\033[37;41m%s%s\033[m" $2 $N
- else
- printf "%s" $2
- fi
- echo
- exit 0
- ;;
-
- --proc-all)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- cd /proc
- printf "* System-wide ASLR"
- aslrcheck
- printf "* Does the CPU support NX: "
- nxcheck
- printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
- for N in [1-9]*; do
- if [ $N != $$ ] && readlink -q $N/exe > /dev/null; then
- printf "%16s" `head -1 $N/status | cut -b 7-`
- printf "%7d " $N
- proccheck $N
- echo
- fi
- done
- if [ ! -e /usr/bin/id ] ; then
- printf "\n\033[33mNote: If you are running 'checksec.sh' as an unprivileged user, you\n"
- printf " will not see all processes. Please run the script as root.\033[m\n\n"
- else
- if !(root_privs) ; then
- printf "\n\033[33mNote: You are running 'checksec.sh' as an unprivileged user.\n"
- printf " Too see all processes, please run the script as root.\033[m\n\n"
- fi
- fi
- exit 0
- ;;
-
- --proc)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
- exit 1
- fi
- if !(isString "$2") ; then
- printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
- exit 1
- fi
- cd /proc
- printf "* System-wide ASLR"
- aslrcheck
- printf "* Does the CPU support NX: "
- nxcheck
- printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
- for N in `ps -Ao pid,comm | grep $2 | cut -b1-6`; do
- if [ -d $N ] ; then
- printf "%16s" `head -1 $N/status | cut -b 7-`
- printf "%7d " $N
- # read permissions?
- if [ ! -r $N/exe ] ; then
- if !(root_privs) ; then
- printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
- exit 1
- fi
- if [ ! `readlink $N/exe` ] ; then
- printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
- exit 1
- fi
- exit 1
- fi
- proccheck $N
- echo
- fi
- done
- exit 0
- ;;
-
- --proc-libs)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- if !(isNumeric "$2") ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- cd /proc
- printf "* System-wide ASLR"
- aslrcheck
- printf "* Does the CPU support NX: "
- nxcheck
- printf "* Process information:\n\n"
- printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
- N=$2
- if [ -d $N ] ; then
- printf "%16s" `head -1 $N/status | cut -b 7-`
- printf "%7d " $N
- # read permissions?
- if [ ! -r $N/exe ] ; then
- if !(root_privs) ; then
- printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
- exit 1
- fi
- if [ ! `readlink $N/exe` ] ; then
- printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
- exit 1
- fi
- exit 1
- fi
- proccheck $N
- echo
- libcheck $N
- fi
- exit 0
- ;;
-
- --kernel)
- cd /proc
- printf "* Kernel protection information:\n\n"
- kernelcheck
- exit 0
- ;;
-
- --fortify-file)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid file.\033[m\n\n"
- exit 1
- fi
- # does the file exist?
- if [ ! -e $2 ] ; then
- printf "\033[31mError: The file '$2' does not exist.\033[m\n\n"
- exit 1
- fi
- # read permissions?
- if [ ! -r $2 ] ; then
- printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n"
- exit 1
- fi
- # ELF executable?
- out=`file $2`
- if [[ ! $out =~ ELF ]] ; then
- printf "\033[31mError: Not an ELF file: "
- file $2
- printf "\033[m\n"
- exit 1
- fi
- if [ -e /lib/libc.so.6 ] ; then
- FS_libc=/lib/libc.so.6
- elif [ -e /lib64/libc.so.6 ] ; then
- FS_libc=/lib64/libc.so.6
- elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/i386-linux-gnu/libc.so.6
- elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/x86_64-linux-gnu/libc.so.6
- else
- printf "\033[31mError: libc not found.\033[m\n\n"
- exit 1
- fi
-
- FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') )
- FS_functions=( $(readelf -s $2 | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') )
-
- FS_libc_check
- FS_binary_check
- FS_comparison
- FS_summary
-
- exit 0
- ;;
-
- --fortify-proc)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- if !(isNumeric "$2") ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- cd /proc
- N=$2
- if [ -d $N ] ; then
- # read permissions?
- if [ ! -r $N/exe ] ; then
- if !(root_privs) ; then
- printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
- exit 1
- fi
- if [ ! `readlink $N/exe` ] ; then
- printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
- exit 1
- fi
- exit 1
- fi
- if [ -e /lib/libc.so.6 ] ; then
- FS_libc=/lib/libc.so.6
- elif [ -e /lib64/libc.so.6 ] ; then
- FS_libc=/lib64/libc.so.6
- elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/i386-linux-gnu/libc.so.6
- elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/x86_64-linux-gnu/libc.so.6
- else
- printf "\033[31mError: libc not found.\033[m\n\n"
- exit 1
- fi
- printf "* Process name (PID) : %s (%d)\n" `head -1 $N/status | cut -b 7-` $N
- FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') )
- FS_functions=( $(readelf -s $2/exe | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') )
-
- FS_libc_check
- FS_binary_check
- FS_comparison
- FS_summary
- fi
- exit 0
- ;;
-
- *)
- if [ "$#" != "0" ] ; then
- printf "\033[31mError: Unknown option '$1'.\033[m\n\n"
- fi
- help
- exit 1
- ;;
-esac
diff --git a/external/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/external/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index 1f780f9e..d8cd06f8 100644
--- a/external/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/external/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -14,6 +14,7 @@ DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native"
SRC_URI = "\
https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar.gz \
file://ecryptfs-utils-CVE-2016-6224.patch \
+ file://0001-avoid-race-condition.patch \
file://ecryptfs.service \
"
@@ -30,17 +31,17 @@ EXTRA_OECONF = "\
--disable-pywrap \
--disable-nls \
--with-pamdir=${base_libdir}/security \
+ --disable-openssl \
"
PACKAGECONFIG ??= "nss \
${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
"
PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss,"
-PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,"
PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,"
do_configure_prepend() {
- export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
+ export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr -I${STAGING_INCDIR}/nss3"
export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3"
export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils"
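Review bot: `--disable-openssl` is now hard-wired into EXTRA_OECONF on the added line while the `PACKAGECONFIG[openssl]` entry is removed, so a distro can no longer opt into the OpenSSL key module at all; if that is deliberate, a one-line comment above EXTRA_OECONF such as `# OpenSSL key module disabled unconditionally; NSS is the supported key backend` would record the reason for the next maintainer. The NSS_CFLAGS change from `nspr4` to `nspr` presumably tracks where the staged NSPR headers now live, which cannot be confirmed from the hunk, so a sentence in the commit message naming the nss/nspr version that moved them would help. The do_configure_prepend function continues outside the hunk.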
diff --git a/external/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch b/external/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch
new file mode 100644
index 00000000..af28d581
--- /dev/null
+++ b/external/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch
@@ -0,0 +1,32 @@
+From ab671b02e3aaf65dd1fd279789ea933b8140fe52 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Tue, 27 Aug 2019 16:08:00 +0800
+Subject: [PATCH] avoid race condition
+
+The rootsbin directory is self defined. The install-rootsbinPROGRAMS
+is actually treated as part of install-data.
+
+This would avoid race condition which causes install failure.
+
+Upstream-Status: Pending
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/utils/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/utils/Makefile.am b/src/utils/Makefile.am
+index 83cf851..344883a 100644
+--- a/src/utils/Makefile.am
++++ b/src/utils/Makefile.am
+@@ -67,6 +67,6 @@ ecryptfs_stat_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
+ test_SOURCES = test.c io.c
+ test_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
+
+-install-exec-hook: install-rootsbinPROGRAMS
++install-data-hook: install-rootsbinPROGRAMS
+ -rm -f "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private"
+ $(LN_S) "mount.ecryptfs_private" "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private"
+--
+2.17.1
+
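Review bot: Renaming the hook from `install-exec-hook` to `install-data-hook` ties creation of the `umount.ecryptfs_private` symlink to the install-data phase, so a flow that runs only `make install-exec` would presumably no longer get the symlink; the patch description should state that `install` (both phases) is the only supported entry point, or explain why that is acceptable. The `Upstream-Status: Pending` trailer carries no upstream bug or merge-request reference, so there is nothing to check against when the patch is rebased; adding the link, or `Upstream-Status: Inappropriate [reason]` if it is OE-specific, would help. The `-rm -f` recipe line is pre-existing and unchanged by this patch.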
diff --git a/external/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch b/external/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
new file mode 100644
index 00000000..7f0812c4
--- /dev/null
+++ b/external/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
@@ -0,0 +1,28 @@
+From fe3436d65518099d35c643848cba50253abc249c Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@cn.fujitsu.com>
+Date: Thu, 9 May 2019 14:44:51 +0900
+Subject: [PATCH] To fix build error of xrange.
+
+NameError: name 'xrange' is not defined
+
+Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
+---
+ fail2ban/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fail2ban/__init__.py b/fail2ban/__init__.py
+index fa6dcf7..61789a4 100644
+--- a/fail2ban/__init__.py
++++ b/fail2ban/__init__.py
+@@ -82,7 +82,7 @@ strptime("2012", "%Y")
+
+ # short names for pure numeric log-level ("Level 25" could be truncated by short formats):
+ def _init():
+- for i in xrange(50):
++ for i in range(50):
+ if logging.getLevelName(i).startswith('Level'):
+ logging.addLevelName(i, '#%02d-Lev.' % i)
+ _init()
+--
+2.7.4
+
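Review bot: The patch header (the `From:`/`Date:`/`Subject:` block through `Signed-off-by:`) carries no `Upstream-Status:` line, unlike the ecryptfs patch added in the same commit; OE layer convention expects one, e.g. `Upstream-Status: Pending` or `Upstream-Status: Backport` if the change is already in a fail2ban release. The substituted `range(50)` is a drop-in replacement for `xrange(50)` in that loop on Python 3, so the code change itself looks correct.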
diff --git a/external/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch b/external/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch
new file mode 100644
index 00000000..ee872ec4
--- /dev/null
+++ b/external/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch
@@ -0,0 +1,2527 @@
+From abaa20435bac7decffa69e6f965aac9ce29aff6a Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 12 Feb 2020 17:19:15 +0000
+Subject: [PATCH] python3-fail2ban: 2-3 conversion
+
+Upstream-Status: OE specific.
+
+fail2ban handles py3 via a 2-3 conversion utility.
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ fail2ban/client/actionreader.py | 4 +-
+ fail2ban/client/configparserinc.py | 10 +-
+ fail2ban/client/configreader.py | 4 +-
+ fail2ban/client/csocket.py | 4 +-
+ fail2ban/client/fail2banclient.py | 4 +-
+ fail2ban/client/fail2banregex.py | 20 +-
+ fail2ban/client/filterreader.py | 2 +-
+ fail2ban/client/jailreader.py | 4 +-
+ fail2ban/helpers.py | 15 +-
+ fail2ban/server/action.py | 19 +-
+ fail2ban/server/actions.py | 24 +-
+ fail2ban/server/asyncserver.py | 4 +-
+ fail2ban/server/banmanager.py | 18 +-
+ fail2ban/server/database.py | 6 +-
+ fail2ban/server/failmanager.py | 8 +-
+ fail2ban/server/failregex.py | 9 +-
+ fail2ban/server/filter.py | 12 +-
+ fail2ban/server/filterpoll.py | 2 +-
+ fail2ban/server/filterpyinotify.py | 6 +-
+ fail2ban/server/ipdns.py | 16 +-
+ fail2ban/server/jail.py | 14 +-
+ fail2ban/server/mytime.py | 2 +-
+ fail2ban/server/server.py | 18 +-
+ fail2ban/server/strptime.py | 6 +-
+ fail2ban/server/ticket.py | 14 +-
+ fail2ban/server/transmitter.py | 2 +-
+ fail2ban/server/utils.py | 6 +-
+ fail2ban/tests/action_d/test_badips.py | 2 +-
+ fail2ban/tests/actiontestcase.py | 4 +-
+ fail2ban/tests/clientreadertestcase.py | 4 +-
+ fail2ban/tests/databasetestcase.py | 16 +-
+ fail2ban/tests/datedetectortestcase.py | 6 +-
+ fail2ban/tests/fail2banclienttestcase.py | 8 +-
+ fail2ban/tests/failmanagertestcase.py | 10 +-
+ .../tests/files/config/apache-auth/digest.py | 20 +-
+ fail2ban/tests/filtertestcase.py | 92 ++---
+ fail2ban/tests/misctestcase.py | 22 +-
+ fail2ban/tests/observertestcase.py | 34 +-
+ fail2ban/tests/samplestestcase.py | 8 +-
+ fail2ban/tests/servertestcase.py | 28 +-
+ fail2ban/tests/sockettestcase.py | 2 +-
+ fail2ban/tests/utils.py | 22 +-
+ setup.py | 326 ------------------
+ 43 files changed, 264 insertions(+), 593 deletions(-)
+ delete mode 100755 setup.py
+
+diff --git a/fail2ban/client/actionreader.py b/fail2ban/client/actionreader.py
+index 80617a50..ecf323c5 100644
+--- a/fail2ban/client/actionreader.py
++++ b/fail2ban/client/actionreader.py
+@@ -90,11 +90,11 @@ class ActionReader(DefinitionInitConfigReader):
+ stream = list()
+ stream.append(head + ["addaction", self._name])
+ multi = []
+- for opt, optval in opts.iteritems():
++ for opt, optval in opts.items():
+ if opt in self._configOpts and not opt.startswith('known/'):
+ multi.append([opt, optval])
+ if self._initOpts:
+- for opt, optval in self._initOpts.iteritems():
++ for opt, optval in self._initOpts.items():
+ if opt not in self._configOpts and not opt.startswith('known/'):
+ multi.append([opt, optval])
+ if len(multi) > 1:
+diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
+index e0f39579..45c77437 100644
+--- a/fail2ban/client/configparserinc.py
++++ b/fail2ban/client/configparserinc.py
+@@ -62,7 +62,7 @@ if sys.version_info >= (3,2):
+ parser, option, accum, rest, section, map, *args, **kwargs)
+
+ else: # pragma: no cover
+- from ConfigParser import SafeConfigParser, \
++ from configparser import SafeConfigParser, \
+ InterpolationMissingOptionError, NoOptionError, NoSectionError
+
+ # Interpolate missing known/option as option from default section
+@@ -327,7 +327,7 @@ after = 1.conf
+ # mix it with defaults:
+ return set(opts.keys()) | set(self._defaults)
+ # only own option names:
+- return opts.keys()
++ return list(opts.keys())
+
+ def read(self, filenames, get_includes=True):
+ if not isinstance(filenames, list):
+@@ -356,7 +356,7 @@ after = 1.conf
+ ret += i
+ # merge defaults and all sections to self:
+ alld.update(cfg.get_defaults())
+- for n, s in cfg.get_sections().iteritems():
++ for n, s in cfg.get_sections().items():
+ # conditional sections
+ cond = SafeConfigParserWithIncludes.CONDITIONAL_RE.match(n)
+ if cond:
+@@ -366,7 +366,7 @@ after = 1.conf
+ del(s['__name__'])
+ except KeyError:
+ pass
+- for k in s.keys():
++ for k in list(s.keys()):
+ v = s.pop(k)
+ s[k + cond] = v
+ s2 = alls.get(n)
+@@ -399,7 +399,7 @@ after = 1.conf
+ sec.update(options)
+ return
+ sk = {}
+- for k, v in options.iteritems():
++ for k, v in options.items():
+ if not k.startswith(pref) and k != '__name__':
+ sk[pref+k] = v
+ sec.update(sk)
+diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
+index 20709b72..b5167409 100644
+--- a/fail2ban/client/configreader.py
++++ b/fail2ban/client/configreader.py
+@@ -26,7 +26,7 @@ __license__ = "GPL"
+
+ import glob
+ import os
+-from ConfigParser import NoOptionError, NoSectionError
++from configparser import NoOptionError, NoSectionError
+
+ from .configparserinc import sys, SafeConfigParserWithIncludes, logLevel
+ from ..helpers import getLogger, _as_bool, _merge_dicts, substituteRecursiveTags
+@@ -197,7 +197,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
+ config_files += sorted(glob.glob('%s/*.local' % config_dir))
+
+ # choose only existing ones
+- config_files = filter(os.path.exists, config_files)
++ config_files = list(filter(os.path.exists, config_files))
+
+ if len(config_files):
+ # at least one config exists and accessible
+diff --git a/fail2ban/client/csocket.py b/fail2ban/client/csocket.py
+index ab3e294b..9417cde9 100644
+--- a/fail2ban/client/csocket.py
++++ b/fail2ban/client/csocket.py
+@@ -47,7 +47,7 @@ class CSocket:
+
+ def send(self, msg, nonblocking=False, timeout=None):
+ # Convert every list member to string
+- obj = dumps(map(CSocket.convert, msg), HIGHEST_PROTOCOL)
++ obj = dumps(list(map(CSocket.convert, msg)), HIGHEST_PROTOCOL)
+ self.__csock.send(obj + CSPROTO.END)
+ return self.receive(self.__csock, nonblocking, timeout)
+
+@@ -71,7 +71,7 @@ class CSocket:
+ @staticmethod
+ def convert(m):
+ """Convert every "unexpected" member of message to string"""
+- if isinstance(m, (basestring, bool, int, float, list, dict, set)):
++ if isinstance(m, (str, bool, int, float, list, dict, set)):
+ return m
+ else: # pragma: no cover
+ return str(m)
+diff --git a/fail2ban/client/fail2banclient.py b/fail2ban/client/fail2banclient.py
+index 7c90ca40..7eb11684 100755
+--- a/fail2ban/client/fail2banclient.py
++++ b/fail2ban/client/fail2banclient.py
+@@ -45,7 +45,7 @@ def _thread_name():
+ return threading.current_thread().__class__.__name__
+
+ def input_command(): # pragma: no cover
+- return raw_input(PROMPT)
++ return input(PROMPT)
+
+ ##
+ #
+@@ -444,7 +444,7 @@ class Fail2banClient(Fail2banCmdLine, Thread):
+ return False
+ finally:
+ self._alive = False
+- for s, sh in _prev_signals.iteritems():
++ for s, sh in _prev_signals.items():
+ signal.signal(s, sh)
+
+
+diff --git a/fail2ban/client/fail2banregex.py b/fail2ban/client/fail2banregex.py
+index 513b765d..4a71b3c0 100644
+--- a/fail2ban/client/fail2banregex.py
++++ b/fail2ban/client/fail2banregex.py
+@@ -41,10 +41,10 @@ import shlex
+ import sys
+ import time
+ import time
+-import urllib
++import urllib.request, urllib.parse, urllib.error
+ from optparse import OptionParser, Option
+
+-from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError
++from configparser import NoOptionError, NoSectionError, MissingSectionHeaderError
+
+ try: # pragma: no cover
+ from ..server.filtersystemd import FilterSystemd
+@@ -68,7 +68,7 @@ def debuggexURL(sample, regex, multiline=False, useDns="yes"):
+ 'flavor': 'python'
+ }
+ if multiline: args['flags'] = 'm'
+- return 'https://www.debuggex.com/?' + urllib.urlencode(args)
++ return 'https://www.debuggex.com/?' + urllib.parse.urlencode(args)
+
+ def output(args): # pragma: no cover (overriden in test-cases)
+ print(args)
+@@ -244,7 +244,7 @@ class Fail2banRegex(object):
+
+ def __init__(self, opts):
+ # set local protected members from given options:
+- self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.iteritems()))
++ self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.items()))
+ self._opts = opts
+ self._maxlines_set = False # so we allow to override maxlines in cmdline
+ self._datepattern_set = False
+@@ -304,7 +304,7 @@ class Fail2banRegex(object):
+ realopts = {}
+ combopts = reader.getCombined()
+ # output all options that are specified in filter-argument as well as some special (mostly interested):
+- for k in ['logtype', 'datepattern'] + fltOpt.keys():
++ for k in ['logtype', 'datepattern'] + list(fltOpt.keys()):
+ # combined options win, but they contain only a sub-set in filter expected keys,
+ # so get the rest from definition section:
+ try:
+@@ -424,7 +424,7 @@ class Fail2banRegex(object):
+ self.output( "Use %11s line : %s" % (regex, shortstr(value)) )
+ regex_values = {regextype: [RegexStat(value)]}
+
+- for regextype, regex_values in regex_values.iteritems():
++ for regextype, regex_values in regex_values.items():
+ regex = regextype + 'regex'
+ setattr(self, "_" + regex, regex_values)
+ for regex in regex_values:
+@@ -523,10 +523,10 @@ class Fail2banRegex(object):
+ output(ret[1])
+ elif self._opts.out == 'msg':
+ for ret in ret:
+- output('\n'.join(map(lambda v:''.join(v for v in v), ret[3].get('matches'))))
++ output('\n'.join([''.join(v for v in v) for v in ret[3].get('matches')]))
+ elif self._opts.out == 'row':
+ for ret in ret:
+- output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].iteritems() if k != 'matches')))
++ output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].items() if k != 'matches')))
+ else:
+ for ret in ret:
+ output(ret[3].get(self._opts.out))
+@@ -565,9 +565,9 @@ class Fail2banRegex(object):
+ ans = [[]]
+ for arg in [l, regexlist]:
+ ans = [ x + [y] for x in ans for y in arg ]
+- b = map(lambda a: a[0] + ' | ' + a[1].getFailRegex() + ' | ' +
++ b = [a[0] + ' | ' + a[1].getFailRegex() + ' | ' +
+ debuggexURL(self.encode_line(a[0]), a[1].getFailRegex(),
+- multiline, self._opts.usedns), ans)
++ multiline, self._opts.usedns) for a in ans]
+ pprint_list([x.rstrip() for x in b], header)
+ else:
+ output( "%s too many to print. Use --print-all-%s " \
+diff --git a/fail2ban/client/filterreader.py b/fail2ban/client/filterreader.py
+index 413f125e..4f0cc4cf 100644
+--- a/fail2ban/client/filterreader.py
++++ b/fail2ban/client/filterreader.py
+@@ -71,7 +71,7 @@ class FilterReader(DefinitionInitConfigReader):
+ @staticmethod
+ def _fillStream(stream, opts, jailName):
+ prio0idx = 0
+- for opt, value in opts.iteritems():
++ for opt, value in opts.items():
+ if opt in ("failregex", "ignoreregex"):
+ if value is None: continue
+ multi = []
+diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py
+index 50c1d047..969d0bc0 100644
+--- a/fail2ban/client/jailreader.py
++++ b/fail2ban/client/jailreader.py
+@@ -117,7 +117,7 @@ class JailReader(ConfigReader):
+ }
+ _configOpts.update(FilterReader._configOpts)
+
+- _ignoreOpts = set(['action', 'filter', 'enabled'] + FilterReader._configOpts.keys())
++ _ignoreOpts = set(['action', 'filter', 'enabled'] + list(FilterReader._configOpts.keys()))
+
+ def getOptions(self):
+
+@@ -236,7 +236,7 @@ class JailReader(ConfigReader):
+ stream.extend(self.__filter.convert())
+ # and using options from jail:
+ FilterReader._fillStream(stream, self.__opts, self.__name)
+- for opt, value in self.__opts.iteritems():
++ for opt, value in self.__opts.items():
+ if opt == "logpath":
+ if self.__opts.get('backend', '').startswith("systemd"): continue
+ found_files = 0
+diff --git a/fail2ban/helpers.py b/fail2ban/helpers.py
+index 6f2bcdd7..7e563696 100644
+--- a/fail2ban/helpers.py
++++ b/fail2ban/helpers.py
+@@ -31,6 +31,7 @@ import traceback
+ from threading import Lock
+
+ from .server.mytime import MyTime
++import importlib
+
+ try:
+ import ctypes
+@@ -63,7 +64,7 @@ if sys.version_info < (3,): # pragma: 3.x no cover
+ from imp import load_dynamic as __ldm
+ _sys = __ldm('_sys', 'sys')
+ except ImportError: # pragma: no cover - only if load_dynamic fails
+- reload(sys)
++ importlib.reload(sys)
+ _sys = sys
+ if hasattr(_sys, "setdefaultencoding"):
+ _sys.setdefaultencoding(encoding)
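Review bot: `importlib.reload(sys)` sits inside the `if sys.version_info < (3,)` block (the `# pragma: 3.x no cover` branch), and Python 2.7's importlib has no `reload` — that name arrived in 3.4 — so the fallback now raises AttributeError on exactly the interpreter it guards for, where the builtin `reload(sys)` it replaced was correct. Either keep the 2.x branch as it was, or, if this port drops 2.x support, delete the whole version-guarded block rather than rewriting it in 3.x idiom; in both cases the `import importlib` added after `from .server.mytime import MyTime` in the previous hunk becomes unnecessary (and if kept it belongs with the stdlib imports, not after the relative one). The same pattern of converting 2.x-only code appears in the two `uni_decode`/`uni_string` hunks that follow (`@@ -101` and `@@ -110`), where `unicode` became `str` inside the `else: # pragma: 3.x no cover` branch: unreachable on 3.x, and on 2.x `isinstance(x, str)` now matches byte strings, so `.encode()` is applied to already-encoded input.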
+@@ -101,7 +102,7 @@ if sys.version_info >= (3,): # pragma: 2.x no cover
+ else: # pragma: 3.x no cover
+ def uni_decode(x, enc=PREFER_ENC, errors='strict'):
+ try:
+- if isinstance(x, unicode):
++ if isinstance(x, str):
+ return x.encode(enc, errors)
+ return x
+ except (UnicodeDecodeError, UnicodeEncodeError): # pragma: no cover - unsure if reachable
+@@ -110,7 +111,7 @@ else: # pragma: 3.x no cover
+ return x.encode(enc, 'replace')
+ if sys.getdefaultencoding().upper() != 'UTF-8': # pragma: no cover - utf-8 is default encoding now
+ def uni_string(x):
+- if not isinstance(x, unicode):
++ if not isinstance(x, str):
+ return str(x)
+ return x.encode(PREFER_ENC, 'replace')
+ else:
+@@ -118,7 +119,7 @@ else: # pragma: 3.x no cover
+
+
+ def _as_bool(val):
+- return bool(val) if not isinstance(val, basestring) \
++ return bool(val) if not isinstance(val, str) \
+ else val.lower() in ('1', 'on', 'true', 'yes')
+
+
+@@ -326,7 +327,7 @@ def splitwords(s):
+ """
+ if not s:
+ return []
+- return filter(bool, map(lambda v: v.strip(), re.split('[ ,\n]+', s)))
++ return list(filter(bool, [v.strip() for v in re.split('[ ,\n]+', s)]))
+
+ if sys.version_info >= (3,5):
+ eval(compile(r'''if 1:
+@@ -436,7 +437,7 @@ def substituteRecursiveTags(inptags, conditional='',
+ while True:
+ repFlag = False
+ # substitute each value:
+- for tag in tags.iterkeys():
++ for tag in tags.keys():
+ # ignore escaped or already done (or in ignore list):
+ if tag in ignore or tag in done: continue
+ # ignore replacing callable items from calling map - should be converted on demand only (by get):
+@@ -476,7 +477,7 @@ def substituteRecursiveTags(inptags, conditional='',
+ m = tre_search(value, m.end())
+ continue
+ # if calling map - be sure we've string:
+- if not isinstance(repl, basestring): repl = uni_string(repl)
++ if not isinstance(repl, str): repl = uni_string(repl)
+ value = value.replace('<%s>' % rtag, repl)
+ #logSys.log(5, 'value now: %s' % value)
+ # increment reference count:
+diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py
+index 5c817fc0..81d50689 100644
+--- a/fail2ban/server/action.py
++++ b/fail2ban/server/action.py
+@@ -111,9 +111,9 @@ class CallingMap(MutableMapping, object):
+ def _asdict(self, calculated=False, checker=None):
+ d = dict(self.data, **self.storage)
+ if not calculated:
+- return dict((n,v) for n,v in d.iteritems() \
++ return dict((n,v) for n,v in d.items() \
+ if not callable(v) or n in self.CM_REPR_ITEMS)
+- for n,v in d.items():
++ for n,v in list(d.items()):
+ if callable(v):
+ try:
+ # calculate:
+@@ -179,7 +179,7 @@ class CallingMap(MutableMapping, object):
+ return self.__class__(_merge_copy_dicts(self.data, self.storage))
+
+
+-class ActionBase(object):
++class ActionBase(object, metaclass=ABCMeta):
+ """An abstract base class for actions in Fail2Ban.
+
+ Action Base is a base definition of what methods need to be in
+@@ -209,7 +209,6 @@ class ActionBase(object):
+ Any additional arguments specified in `jail.conf` or passed
+ via `fail2ban-client` will be passed as keyword arguments.
+ """
+- __metaclass__ = ABCMeta
+
+ @classmethod
+ def __subclasshook__(cls, C):
+@@ -420,7 +419,7 @@ class CommandAction(ActionBase):
+ if not callable(family): # pragma: no cover
+ return self.__substCache.get(key, {}).get(family)
+ # family as expression - use it to filter values:
+- return [v for f, v in self.__substCache.get(key, {}).iteritems() if family(f)]
++ return [v for f, v in self.__substCache.get(key, {}).items() if family(f)]
+ cmd = args[0]
+ if cmd: # set:
+ try:
+@@ -432,7 +431,7 @@ class CommandAction(ActionBase):
+ try:
+ famd = self.__substCache[key]
+ cmd = famd.pop(family)
+- for family, v in famd.items():
++ for family, v in list(famd.items()):
+ if v == cmd:
+ del famd[family]
+ except KeyError: # pragma: no cover
+@@ -448,7 +447,7 @@ class CommandAction(ActionBase):
+ res = True
+ err = 'Script error'
+ if not family: # all started:
+- family = [famoper for (famoper,v) in self.__started.iteritems() if v]
++ family = [famoper for (famoper,v) in self.__started.items() if v]
+ for famoper in family:
+ try:
+ cmd = self._getOperation(tag, famoper)
+@@ -617,7 +616,7 @@ class CommandAction(ActionBase):
+ and executes the resulting command.
+ """
+ # collect started families, may be started on demand (conditional):
+- family = [f for (f,v) in self.__started.iteritems() if v & 3 == 3]; # started and contains items
++ family = [f for (f,v) in self.__started.items() if v & 3 == 3]; # started and contains items
+ # if nothing contains items:
+ if not family: return True
+ # flush:
+@@ -642,7 +641,7 @@ class CommandAction(ActionBase):
+ """
+ # collect started families, if started on demand (conditional):
+ if family is None:
+- family = [f for (f,v) in self.__started.iteritems() if v]
++ family = [f for (f,v) in self.__started.items() if v]
+ # if no started (on demand) actions:
+ if not family: return True
+ self.__started = {}
+@@ -676,7 +675,7 @@ class CommandAction(ActionBase):
+ ret = True
+ # for each started family:
+ if self.actioncheck:
+- for (family, started) in self.__started.items():
++ for (family, started) in list(self.__started.items()):
+ if started and not self._invariantCheck(family, beforeRepair):
+ # reset started flag and command of executed operation:
+ self.__started[family] = 0
+diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py
+index 24fea838..94b9c3ed 100644
+--- a/fail2ban/server/actions.py
++++ b/fail2ban/server/actions.py
+@@ -156,11 +156,11 @@ class Actions(JailThread, Mapping):
+ else:
+ if hasattr(self, '_reload_actions'):
+ # reload actions after all parameters set via stream:
+- for name, initOpts in self._reload_actions.iteritems():
++ for name, initOpts in self._reload_actions.items():
+ if name in self._actions:
+ self._actions[name].reload(**(initOpts if initOpts else {}))
+ # remove obsolete actions (untouched by reload process):
+- delacts = OrderedDict((name, action) for name, action in self._actions.iteritems()
++ delacts = OrderedDict((name, action) for name, action in self._actions.items()
+ if name not in self._reload_actions)
+ if len(delacts):
+ # unban all tickets using removed actions only:
+@@ -289,7 +289,7 @@ class Actions(JailThread, Mapping):
+ """
+ if actions is None:
+ actions = self._actions
+- revactions = actions.items()
++ revactions = list(actions.items())
+ revactions.reverse()
+ for name, action in revactions:
+ try:
+@@ -314,7 +314,7 @@ class Actions(JailThread, Mapping):
+ True when the thread exits nicely.
+ """
+ cnt = 0
+- for name, action in self._actions.iteritems():
++ for name, action in self._actions.items():
+ try:
+ action.start()
+ except Exception as e:
+@@ -474,7 +474,7 @@ class Actions(JailThread, Mapping):
+ Observers.Main.add('banFound', bTicket, self._jail, btime)
+ logSys.notice("[%s] %sBan %s", self._jail.name, ('' if not bTicket.restored else 'Restore '), ip)
+ # do actions :
+- for name, action in self._actions.iteritems():
++ for name, action in self._actions.items():
+ try:
+ if ticket.restored and getattr(action, 'norestored', False):
+ continue
+@@ -511,13 +511,13 @@ class Actions(JailThread, Mapping):
+ if bTicket.banEpoch == self.banEpoch and diftm > 3:
+ # avoid too often checks:
+ if not rebanacts and MyTime.time() > self.__lastConsistencyCheckTM + 3:
+- for action in self._actions.itervalues():
++ for action in self._actions.values():
+ action.consistencyCheck()
+ self.__lastConsistencyCheckTM = MyTime.time()
+ # check epoch in order to reban it:
+ if bTicket.banEpoch < self.banEpoch:
+ if not rebanacts: rebanacts = dict(
+- (name, action) for name, action in self._actions.iteritems()
++ (name, action) for name, action in self._actions.items()
+ if action.banEpoch > bTicket.banEpoch)
+ cnt += self.__reBan(bTicket, actions=rebanacts)
+ else: # pragma: no cover - unexpected: ticket is not banned for some reasons - reban using all actions:
+@@ -542,8 +542,8 @@ class Actions(JailThread, Mapping):
+ ip = ticket.getIP()
+ aInfo = self.__getActionInfo(ticket)
+ if log:
+- logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % actions.keys()[0] if len(actions) == 1 else ''))
+- for name, action in actions.iteritems():
++ logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % list(actions.keys())[0] if len(actions) == 1 else ''))
++ for name, action in actions.items():
+ try:
+ logSys.debug("[%s] action %r: reban %s", self._jail.name, name, ip)
+ if not aInfo.immutable: aInfo.reset()
+@@ -567,7 +567,7 @@ class Actions(JailThread, Mapping):
+ if not self.__banManager._inBanList(ticket): return
+ # do actions :
+ aInfo = None
+- for name, action in self._actions.iteritems():
++ for name, action in self._actions.items():
+ try:
+ if ticket.restored and getattr(action, 'norestored', False):
+ continue
+@@ -616,7 +616,7 @@ class Actions(JailThread, Mapping):
+ cnt = 0
+ # first we'll execute flush for actions supporting this operation:
+ unbactions = {}
+- for name, action in (actions if actions is not None else self._actions).iteritems():
++ for name, action in (actions if actions is not None else self._actions).items():
+ try:
+ if hasattr(action, 'flush') and (not isinstance(action, CommandAction) or action.actionflush):
+ logSys.notice("[%s] Flush ticket(s) with %s", self._jail.name, name)
+@@ -671,7 +671,7 @@ class Actions(JailThread, Mapping):
+ aInfo = self.__getActionInfo(ticket)
+ if log:
+ logSys.notice("[%s] Unban %s", self._jail.name, aInfo["ip"])
+- for name, action in unbactions.iteritems():
++ for name, action in unbactions.items():
+ try:
+ logSys.debug("[%s] action %r: unban %s", self._jail.name, name, ip)
+ if not aInfo.immutable: aInfo.reset()
+diff --git a/fail2ban/server/asyncserver.py b/fail2ban/server/asyncserver.py
+index e3400737..f5f9740b 100644
+--- a/fail2ban/server/asyncserver.py
++++ b/fail2ban/server/asyncserver.py
+@@ -178,7 +178,7 @@ def loop(active, timeout=None, use_poll=False, err_count=None):
+ elif err_count['listen'] > 100: # pragma: no cover - normally unreachable
+ if (
+ e.args[0] == errno.EMFILE # [Errno 24] Too many open files
+- or sum(err_count.itervalues()) > 1000
++ or sum(err_count.values()) > 1000
+ ):
+ logSys.critical("Too many errors - critical count reached %r", err_count)
+ break
+@@ -220,7 +220,7 @@ class AsyncServer(asyncore.dispatcher):
+ elif self.__errCount['accept'] > 100:
+ if (
+ (isinstance(e, socket.error) and e.args[0] == errno.EMFILE) # [Errno 24] Too many open files
+- or sum(self.__errCount.itervalues()) > 1000
++ or sum(self.__errCount.values()) > 1000
+ ):
+ logSys.critical("Too many errors - critical count reached %r", self.__errCount)
+ self.stop()
+diff --git a/fail2ban/server/banmanager.py b/fail2ban/server/banmanager.py
+index 5770bfd7..9bb44971 100644
+--- a/fail2ban/server/banmanager.py
++++ b/fail2ban/server/banmanager.py
+@@ -105,9 +105,9 @@ class BanManager:
+ def getBanList(self, ordered=False, withTime=False):
+ with self.__lock:
+ if not ordered:
+- return self.__banList.keys()
++ return list(self.__banList.keys())
+ lst = []
+- for ticket in self.__banList.itervalues():
++ for ticket in self.__banList.values():
+ eob = ticket.getEndOfBanTime(self.__banTime)
+ lst.append((ticket,eob))
+ lst.sort(key=lambda t: t[1])
+@@ -126,7 +126,7 @@ class BanManager:
+
+ def __iter__(self):
+ with self.__lock:
+- return self.__banList.itervalues()
++ return iter(self.__banList.values())
+
+ ##
+ # Returns normalized value
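Review bot: `__iter__` still hands out a live iterator over `self.__banList` after the `with self.__lock:` block has exited, so a caller iterating it races with the `del self.__banList[fid]` and `self.__banList = dict(...)` mutations that the later hunks in this file perform under the lock, and a size change mid-iteration raises RuntimeError. This was equally true of `itervalues()` before the port, but the commit snapshots the dict in the sibling accessors (`getBanList`, `unBanList` and `flushBanList` all now return `list(...)`), which leaves `__iter__` as the one accessor still exposing the live dict. `return iter(list(self.__banList.values()))` makes it a snapshot taken under the lock, consistent with the rest of the class.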
+@@ -165,7 +165,7 @@ class BanManager:
+ return return_dict
+ # get ips in lock:
+ with self.__lock:
+- banIPs = [banData.getIP() for banData in self.__banList.values()]
++ banIPs = [banData.getIP() for banData in list(self.__banList.values())]
+ # get cymru info:
+ try:
+ for ip in banIPs:
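Review bot: The `list(...)` wrapped around `self.__banList.values()` is redundant here: the comprehension is fully evaluated inside the `with self.__lock:` block, so the view is consumed before the lock is released and nothing can mutate the dict meanwhile; `banIPs = [banData.getIP() for banData in self.__banList.values()]` is the idiomatic 3.x form. The same mechanical wrapping appears in `getFailCount` (failmanager.py, `sum([... for f in list(self.__failList.values())])`, also under its lock) and, doubled, in filter.py's date-pattern split, `list(filter(bool, list(map(str.strip, ...))))`, where at least the inner `list()` can go. Dropping these copies is behaviour-preserving and avoids an extra allocation per call.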
+@@ -341,7 +341,7 @@ class BanManager:
+ # Gets the list of ticket to remove (thereby correct next unban time).
+ unBanList = {}
+ nextUnbanTime = BanTicket.MAX_TIME
+- for fid,ticket in self.__banList.iteritems():
++ for fid,ticket in self.__banList.items():
+ # current time greater as end of ban - timed out:
+ eob = ticket.getEndOfBanTime(self.__banTime)
+ if time > eob:
+@@ -357,15 +357,15 @@ class BanManager:
+ if len(unBanList):
+ if len(unBanList) / 2.0 <= len(self.__banList) / 3.0:
+ # few as 2/3 should be removed - remove particular items:
+- for fid in unBanList.iterkeys():
++ for fid in unBanList.keys():
+ del self.__banList[fid]
+ else:
+ # create new dictionary without items to be deleted:
+- self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.iteritems() \
++ self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.items() \
+ if fid not in unBanList)
+
+ # return list of tickets:
+- return unBanList.values()
++ return list(unBanList.values())
+
+ ##
+ # Flush the ban list.
+@@ -375,7 +375,7 @@ class BanManager:
+
+ def flushBanList(self):
+ with self.__lock:
+- uBList = self.__banList.values()
++ uBList = list(self.__banList.values())
+ self.__banList = dict()
+ return uBList
+
+diff --git a/fail2ban/server/database.py b/fail2ban/server/database.py
+index ed736a7a..0e8c9aec 100644
+--- a/fail2ban/server/database.py
++++ b/fail2ban/server/database.py
+@@ -67,13 +67,13 @@ if sys.version_info >= (3,): # pragma: 2.x no cover
+ else: # pragma: 3.x no cover
+ def _normalize(x):
+ if isinstance(x, dict):
+- return dict((_normalize(k), _normalize(v)) for k, v in x.iteritems())
++ return dict((_normalize(k), _normalize(v)) for k, v in x.items())
+ elif isinstance(x, (list, set)):
+ return [_normalize(element) for element in x]
+- elif isinstance(x, unicode):
++ elif isinstance(x, str):
+ # in 2.x default text_factory is unicode - so return proper unicode here:
+ return x.encode(PREFER_ENC, 'replace').decode(PREFER_ENC)
+- elif isinstance(x, basestring):
++ elif isinstance(x, str):
+ return x.decode(PREFER_ENC, 'replace')
+ return x
+
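Review bot: After the rewrite the two `elif isinstance(x, str):` arms of `_normalize` are identical, so the second one (`return x.decode(PREFER_ENC, 'replace')`) is unreachable, and on 3.x `str` has no `.decode` in any case. This `_normalize` is the definition under `else: # pragma: 3.x no cover`, i.e. the 2.x-only variant, where `unicode` and `basestring` were distinct types and both arms mattered; converting it breaks its 2.x behaviour while adding dead code for 3.x. Either leave this 2.x branch untouched or remove it and keep only the 3.x `_normalize` defined above the hunk — a mechanically converted 2.x-only branch is the worst of both. The enclosing `if sys.version_info >= (3,)` / `else` starts above the hunk.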
+diff --git a/fail2ban/server/failmanager.py b/fail2ban/server/failmanager.py
+index 93c028fb..a9c6b5f6 100644
+--- a/fail2ban/server/failmanager.py
++++ b/fail2ban/server/failmanager.py
+@@ -57,7 +57,7 @@ class FailManager:
+ def getFailCount(self):
+ # may be slow on large list of failures, should be used for test purposes only...
+ with self.__lock:
+- return len(self.__failList), sum([f.getRetry() for f in self.__failList.values()])
++ return len(self.__failList), sum([f.getRetry() for f in list(self.__failList.values())])
+
+ def getFailTotal(self):
+ with self.__lock:
+@@ -125,7 +125,7 @@ class FailManager:
+ # in case of having many active failures, it should be ran only
+ # if debug level is "low" enough
+ failures_summary = ', '.join(['%s:%d' % (k, v.getRetry())
+- for k,v in self.__failList.iteritems()])
++ for k,v in self.__failList.items()])
+ logSys.log(logLevel, "Total # of detected failures: %d. Current failures from %d IPs (IP:count): %s"
+ % (self.__failTotal, len(self.__failList), failures_summary))
+
+@@ -138,7 +138,7 @@ class FailManager:
+
+ def cleanup(self, time):
+ with self.__lock:
+- todelete = [fid for fid,item in self.__failList.iteritems() \
++ todelete = [fid for fid,item in self.__failList.items() \
+ if item.getLastTime() + self.__maxTime <= time]
+ if len(todelete) == len(self.__failList):
+ # remove all:
+@@ -152,7 +152,7 @@ class FailManager:
+ del self.__failList[fid]
+ else:
+ # create new dictionary without items to be deleted:
+- self.__failList = dict((fid,item) for fid,item in self.__failList.iteritems() \
++ self.__failList = dict((fid,item) for fid,item in self.__failList.items() \
+ if item.getLastTime() + self.__maxTime > time)
+ self.__bgSvc.service()
+
+diff --git a/fail2ban/server/failregex.py b/fail2ban/server/failregex.py
+index f7dafbef..fb75187d 100644
+--- a/fail2ban/server/failregex.py
++++ b/fail2ban/server/failregex.py
+@@ -128,10 +128,7 @@ class Regex:
+ self._regexObj = re.compile(regex, re.MULTILINE if multiline else 0)
+ self._regex = regex
+ self._altValues = {}
+- for k in filter(
+- lambda k: len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE),
+- self._regexObj.groupindex
+- ):
++ for k in [k for k in self._regexObj.groupindex if len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE)]:
+ n = ALTNAME_CRE.match(k).group(1)
+ self._altValues[k] = n
+ self._altValues = list(self._altValues.items()) if len(self._altValues) else None
+@@ -211,7 +208,7 @@ class Regex:
+ #
+ @staticmethod
+ def _tupleLinesBuf(tupleLines):
+- return "\n".join(map(lambda v: "".join(v[::2]), tupleLines)) + "\n"
++ return "\n".join(["".join(v[::2]) for v in tupleLines]) + "\n"
+
+ ##
+ # Searches the regular expression.
+@@ -223,7 +220,7 @@ class Regex:
+
+ def search(self, tupleLines, orgLines=None):
+ buf = tupleLines
+- if not isinstance(tupleLines, basestring):
++ if not isinstance(tupleLines, str):
+ buf = Regex._tupleLinesBuf(tupleLines)
+ self._matchCache = self._regexObj.search(buf)
+ if self._matchCache:
+diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py
+index 998fe298..d181fd38 100644
+--- a/fail2ban/server/filter.py
++++ b/fail2ban/server/filter.py
+@@ -292,7 +292,7 @@ class Filter(JailThread):
+ dd = DateDetector()
+ dd.default_tz = self.__logtimezone
+ if not isinstance(pattern, (list, tuple)):
+- pattern = filter(bool, map(str.strip, re.split('\n+', pattern)))
++ pattern = list(filter(bool, list(map(str.strip, re.split('\n+', pattern)))))
+ for pattern in pattern:
+ dd.appendTemplate(pattern)
+ self.dateDetector = dd
+@@ -987,7 +987,7 @@ class FileFilter(Filter):
+ # @return log paths
+
+ def getLogPaths(self):
+- return self.__logs.keys()
++ return list(self.__logs.keys())
+
+ ##
+ # Get the log containers
+@@ -995,7 +995,7 @@ class FileFilter(Filter):
+ # @return log containers
+
+ def getLogs(self):
+- return self.__logs.values()
++ return list(self.__logs.values())
+
+ ##
+ # Get the count of log containers
+@@ -1021,7 +1021,7 @@ class FileFilter(Filter):
+
+ def setLogEncoding(self, encoding):
+ encoding = super(FileFilter, self).setLogEncoding(encoding)
+- for log in self.__logs.itervalues():
++ for log in self.__logs.values():
+ log.setEncoding(encoding)
+
+ def getLog(self, path):
+@@ -1183,7 +1183,7 @@ class FileFilter(Filter):
+ """Status of Filter plus files being monitored.
+ """
+ ret = super(FileFilter, self).status(flavor=flavor)
+- path = self.__logs.keys()
++ path = list(self.__logs.keys())
+ ret.append(("File list", path))
+ return ret
+
+@@ -1191,7 +1191,7 @@ class FileFilter(Filter):
+ """Stop monitoring of log-file(s)
+ """
+ # stop files monitoring:
+- for path in self.__logs.keys():
++ for path in list(self.__logs.keys()):
+ self.delLogPath(path)
+ # stop thread:
+ super(Filter, self).stop()
+diff --git a/fail2ban/server/filterpoll.py b/fail2ban/server/filterpoll.py
+index 228a2c8b..d49315cc 100644
+--- a/fail2ban/server/filterpoll.py
++++ b/fail2ban/server/filterpoll.py
+@@ -176,4 +176,4 @@ class FilterPoll(FileFilter):
+ return False
+
+ def getPendingPaths(self):
+- return self.__file404Cnt.keys()
++ return list(self.__file404Cnt.keys())
+diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
+index ca6b253f..b683b860 100644
+--- a/fail2ban/server/filterpyinotify.py
++++ b/fail2ban/server/filterpyinotify.py
+@@ -158,7 +158,7 @@ class FilterPyinotify(FileFilter):
+ except KeyError: pass
+
+ def getPendingPaths(self):
+- return self.__pending.keys()
++ return list(self.__pending.keys())
+
+ def _checkPending(self):
+ if not self.__pending:
+@@ -168,7 +168,7 @@ class FilterPyinotify(FileFilter):
+ return
+ found = {}
+ minTime = 60
+- for path, (retardTM, isDir) in self.__pending.iteritems():
++ for path, (retardTM, isDir) in self.__pending.items():
+ if ntm - self.__pendingChkTime < retardTM:
+ if minTime > retardTM: minTime = retardTM
+ continue
+@@ -184,7 +184,7 @@ class FilterPyinotify(FileFilter):
+ self.__pendingChkTime = time.time()
+ self.__pendingMinTime = minTime
+ # process now because we've missed it in monitoring:
+- for path, isDir in found.iteritems():
++ for path, isDir in found.items():
+ self._delPending(path)
+ # refresh monitoring of this:
+ self._refreshWatcher(path, isDir=isDir)
+diff --git a/fail2ban/server/ipdns.py b/fail2ban/server/ipdns.py
+index 6648dac6..fe8f8db8 100644
+--- a/fail2ban/server/ipdns.py
++++ b/fail2ban/server/ipdns.py
+@@ -275,7 +275,7 @@ class IPAddr(object):
+ raise ValueError("invalid ipstr %r, too many plen representation" % (ipstr,))
+ if "." in s[1] or ":" in s[1]: # 255.255.255.0 resp. ffff:: style mask
+ s[1] = IPAddr.masktoplen(s[1])
+- s[1] = long(s[1])
++ s[1] = int(s[1])
+ return s
+
+ def __init(self, ipstr, cidr=CIDR_UNSPEC):
+@@ -309,7 +309,7 @@ class IPAddr(object):
+
+ # mask out host portion if prefix length is supplied
+ if cidr is not None and cidr >= 0:
+- mask = ~(0xFFFFFFFFL >> cidr)
++ mask = ~(0xFFFFFFFF >> cidr)
+ self._addr &= mask
+ self._plen = cidr
+
+@@ -321,13 +321,13 @@ class IPAddr(object):
+
+ # mask out host portion if prefix length is supplied
+ if cidr is not None and cidr >= 0:
+- mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> cidr)
++ mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> cidr)
+ self._addr &= mask
+ self._plen = cidr
+
+ # if IPv6 address is a IPv4-compatible, make instance a IPv4
+ elif self.isInNet(IPAddr.IP6_4COMPAT):
+- self._addr = lo & 0xFFFFFFFFL
++ self._addr = lo & 0xFFFFFFFF
+ self._family = socket.AF_INET
+ self._plen = 32
+ else:
+@@ -445,7 +445,7 @@ class IPAddr(object):
+ elif self.isIPv6:
+ # convert network to host byte order
+ hi = self._addr >> 64
+- lo = self._addr & 0xFFFFFFFFFFFFFFFFL
++ lo = self._addr & 0xFFFFFFFFFFFFFFFF
+ binary = struct.pack("!QQ", hi, lo)
+ if self._plen and self._plen < 128:
+ add = "/%d" % self._plen
+@@ -503,9 +503,9 @@ class IPAddr(object):
+ if self.family != net.family:
+ return False
+ if self.isIPv4:
+- mask = ~(0xFFFFFFFFL >> net.plen)
++ mask = ~(0xFFFFFFFF >> net.plen)
+ elif self.isIPv6:
+- mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> net.plen)
++ mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> net.plen)
+ else:
+ return False
+
+@@ -517,7 +517,7 @@ class IPAddr(object):
+ m4 = (1 << 32)-1
+ mmap = {m6: 128, m4: 32, 0: 0}
+ m = 0
+- for i in xrange(0, 128):
++ for i in range(0, 128):
+ m |= 1 << i
+ if i < 32:
+ mmap[m ^ m4] = 32-1-i
+diff --git a/fail2ban/server/jail.py b/fail2ban/server/jail.py
+index ce9968a8..5fa5ef10 100644
+--- a/fail2ban/server/jail.py
++++ b/fail2ban/server/jail.py
+@@ -26,7 +26,7 @@ __license__ = "GPL"
+ import logging
+ import math
+ import random
+-import Queue
++import queue
+
+ from .actions import Actions
+ from ..helpers import getLogger, _as_bool, extractOptions, MyTime
+@@ -76,7 +76,7 @@ class Jail(object):
+ "might not function correctly. Please shorten"
+ % name)
+ self.__name = name
+- self.__queue = Queue.Queue()
++ self.__queue = queue.Queue()
+ self.__filter = None
+ # Extra parameters for increase ban time
+ self._banExtra = {};
+@@ -127,25 +127,25 @@ class Jail(object):
+ "Failed to initialize any backend for Jail %r" % self.name)
+
+ def _initPolling(self, **kwargs):
+- from filterpoll import FilterPoll
++ from .filterpoll import FilterPoll
+ logSys.info("Jail '%s' uses poller %r" % (self.name, kwargs))
+ self.__filter = FilterPoll(self, **kwargs)
+
+ def _initGamin(self, **kwargs):
+ # Try to import gamin
+- from filtergamin import FilterGamin
++ from .filtergamin import FilterGamin
+ logSys.info("Jail '%s' uses Gamin %r" % (self.name, kwargs))
+ self.__filter = FilterGamin(self, **kwargs)
+
+ def _initPyinotify(self, **kwargs):
+ # Try to import pyinotify
+- from filterpyinotify import FilterPyinotify
++ from .filterpyinotify import FilterPyinotify
+ logSys.info("Jail '%s' uses pyinotify %r" % (self.name, kwargs))
+ self.__filter = FilterPyinotify(self, **kwargs)
+
+ def _initSystemd(self, **kwargs): # pragma: systemd no cover
+ # Try to import systemd
+- from filtersystemd import FilterSystemd
++ from .filtersystemd import FilterSystemd
+ logSys.info("Jail '%s' uses systemd %r" % (self.name, kwargs))
+ self.__filter = FilterSystemd(self, **kwargs)
+
+@@ -213,7 +213,7 @@ class Jail(object):
+ try:
+ ticket = self.__queue.get(False)
+ return ticket
+- except Queue.Empty:
++ except queue.Empty:
+ return False
+
+ def setBanTimeExtra(self, opt, value):
+diff --git a/fail2ban/server/mytime.py b/fail2ban/server/mytime.py
+index 98b69bd4..24bba5cf 100644
+--- a/fail2ban/server/mytime.py
++++ b/fail2ban/server/mytime.py
+@@ -162,7 +162,7 @@ class MyTime:
+
+ @returns number (calculated seconds from expression "val")
+ """
+- if isinstance(val, (int, long, float, complex)):
++ if isinstance(val, (int, float, complex)):
+ return val
+ # replace together standing abbreviations, example '1d12h' -> '1d 12h':
+ val = MyTime._str2sec_prep.sub(r" \1", val)
+diff --git a/fail2ban/server/server.py b/fail2ban/server/server.py
+index 159f6506..fc948e8c 100644
+--- a/fail2ban/server/server.py
++++ b/fail2ban/server/server.py
+@@ -97,7 +97,7 @@ class Server:
+
+ def start(self, sock, pidfile, force=False, observer=True, conf={}):
+ # First set the mask to only allow access to owner
+- os.umask(0077)
++ os.umask(0o077)
+ # Second daemonize before logging etc, because it will close all handles:
+ if self.__daemon: # pragma: no cover
+ logSys.info("Starting in daemon mode")
+@@ -190,7 +190,7 @@ class Server:
+
+ # Restore default signal handlers:
+ if _thread_name() == '_MainThread':
+- for s, sh in self.__prev_signals.iteritems():
++ for s, sh in self.__prev_signals.items():
+ signal.signal(s, sh)
+
+ # Give observer a small chance to complete its work before exit
+@@ -268,10 +268,10 @@ class Server:
+ logSys.info("Stopping all jails")
+ with self.__lock:
+ # 1st stop all jails (signal and stop actions/filter thread):
+- for name in self.__jails.keys():
++ for name in list(self.__jails.keys()):
+ self.delJail(name, stop=True, join=False)
+ # 2nd wait for end and delete jails:
+- for name in self.__jails.keys():
++ for name in list(self.__jails.keys()):
+ self.delJail(name, stop=False, join=True)
+
+ def reloadJails(self, name, opts, begin):
+@@ -302,7 +302,7 @@ class Server:
+ if "--restart" in opts:
+ self.stopAllJail()
+ # first set all affected jail(s) to idle and reset filter regex and other lists/dicts:
+- for jn, jail in self.__jails.iteritems():
++ for jn, jail in self.__jails.items():
+ if name == '--all' or jn == name:
+ jail.idle = True
+ self.__reload_state[jn] = jail
+@@ -313,7 +313,7 @@ class Server:
+ # end reload, all affected (or new) jails have already all new parameters (via stream) and (re)started:
+ with self.__lock:
+ deljails = []
+- for jn, jail in self.__jails.iteritems():
++ for jn, jail in self.__jails.items():
+ # still in reload state:
+ if jn in self.__reload_state:
+ # remove jails that are not reloaded (untouched, so not in new configuration)
+@@ -513,7 +513,7 @@ class Server:
+ jails = [self.__jails[name]]
+ else:
+ # in all jails:
+- jails = self.__jails.values()
++ jails = list(self.__jails.values())
+ # unban given or all (if value is None):
+ cnt = 0
+ ifexists |= (name is None)
+@@ -551,7 +551,7 @@ class Server:
+ def isAlive(self, jailnum=None):
+ if jailnum is not None and len(self.__jails) != jailnum:
+ return 0
+- for jail in self.__jails.values():
++ for jail in list(self.__jails.values()):
+ if not jail.isAlive():
+ return 0
+ return 1
+@@ -759,7 +759,7 @@ class Server:
+ return "flushed"
+
+ def setThreadOptions(self, value):
+- for o, v in value.iteritems():
++ for o, v in value.items():
+ if o == 'stacksize':
+ threading.stack_size(int(v)*1024)
+ else: # pragma: no cover
+diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py
+index 498d284b..a5579fdc 100644
+--- a/fail2ban/server/strptime.py
++++ b/fail2ban/server/strptime.py
+@@ -79,7 +79,7 @@ timeRE['ExY'] = r"(?P<Y>%s\d)" % _getYearCentRE(cent=(0,3), distance=3)
+ timeRE['Exy'] = r"(?P<y>%s\d)" % _getYearCentRE(cent=(2,3), distance=3)
+
+ def getTimePatternRE():
+- keys = timeRE.keys()
++ keys = list(timeRE.keys())
+ patt = (r"%%(%%|%s|[%s])" % (
+ "|".join([k for k in keys if len(k) > 1]),
+ "".join([k for k in keys if len(k) == 1]),
+@@ -134,7 +134,7 @@ def zone2offset(tz, dt):
+ """
+ if isinstance(tz, int):
+ return tz
+- if isinstance(tz, basestring):
++ if isinstance(tz, str):
+ return validateTimeZone(tz)
+ tz, tzo = tz
+ if tzo is None or tzo == '': # without offset
+@@ -171,7 +171,7 @@ def reGroupDictStrptime(found_dict, msec=False, default_tz=None):
+ year = month = day = hour = minute = tzoffset = \
+ weekday = julian = week_of_year = None
+ second = fraction = 0
+- for key, val in found_dict.iteritems():
++ for key, val in found_dict.items():
+ if val is None: continue
+ # Directives not explicitly handled below:
+ # c, x, X
+diff --git a/fail2ban/server/ticket.py b/fail2ban/server/ticket.py
+index f67e0d23..f0b727c2 100644
+--- a/fail2ban/server/ticket.py
++++ b/fail2ban/server/ticket.py
+@@ -55,7 +55,7 @@ class Ticket(object):
+ self._time = time if time is not None else MyTime.time()
+ self._data = {'matches': matches or [], 'failures': 0}
+ if data is not None:
+- for k,v in data.iteritems():
++ for k,v in data.items():
+ if v is not None:
+ self._data[k] = v
+ if ticket:
+@@ -89,7 +89,7 @@ class Ticket(object):
+
+ def setIP(self, value):
+ # guarantee using IPAddr instead of unicode, str for the IP
+- if isinstance(value, basestring):
++ if isinstance(value, str):
+ value = IPAddr(value)
+ self._ip = value
+
+@@ -181,7 +181,7 @@ class Ticket(object):
+ if len(args) == 1:
+ # todo: if support >= 2.7 only:
+ # self._data = {k:v for k,v in args[0].iteritems() if v is not None}
+- self._data = dict([(k,v) for k,v in args[0].iteritems() if v is not None])
++ self._data = dict([(k,v) for k,v in args[0].items() if v is not None])
+ # add k,v list or dict (merge):
+ elif len(args) == 2:
+ self._data.update((args,))
+@@ -192,7 +192,7 @@ class Ticket(object):
+ # filter (delete) None values:
+ # todo: if support >= 2.7 only:
+ # self._data = {k:v for k,v in self._data.iteritems() if v is not None}
+- self._data = dict([(k,v) for k,v in self._data.iteritems() if v is not None])
++ self._data = dict([(k,v) for k,v in self._data.items() if v is not None])
+
+ def getData(self, key=None, default=None):
+ # return whole data dict:
+@@ -201,17 +201,17 @@ class Ticket(object):
+ # return default if not exists:
+ if not self._data:
+ return default
+- if not isinstance(key,(str,unicode,type(None),int,float,bool,complex)):
++ if not isinstance(key,(str,type(None),int,float,bool,complex)):
+ # return filtered by lambda/function:
+ if callable(key):
+ # todo: if support >= 2.7 only:
+ # return {k:v for k,v in self._data.iteritems() if key(k)}
+- return dict([(k,v) for k,v in self._data.iteritems() if key(k)])
++ return dict([(k,v) for k,v in self._data.items() if key(k)])
+ # return filtered by keys:
+ if hasattr(key, '__iter__'):
+ # todo: if support >= 2.7 only:
+ # return {k:v for k,v in self._data.iteritems() if k in key}
+- return dict([(k,v) for k,v in self._data.iteritems() if k in key])
++ return dict([(k,v) for k,v in self._data.items() if k in key])
+ # return single value of data:
+ return self._data.get(key, default)
+
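Review bot: The narrowed isinstance tuple on the new `if not isinstance(key,(str,type(None),int,float,bool,complex)):` line silently changes how a `bytes` key is handled: under Python 2 `str` covered byte strings, but under Python 3 a `bytes` key is no longer in the tuple, and because `bytes` has `__iter__` it falls into the "filtered by keys" branch and getData returns a dict instead of the single value. If any caller can still pass a byte-string key (decoded log data, socket input), the safer form is `if not isinstance(key,(str,bytes,type(None),int,float,bool,complex)):`, or an explicit decode before the lookup. I cannot tell from this hunk whether such callers exist, so this should be confirmed against the transmitter/filter code paths; the rest of getData is outside the hunk.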
+diff --git a/fail2ban/server/transmitter.py b/fail2ban/server/transmitter.py
+index f83e9d5f..80726cb4 100644
+--- a/fail2ban/server/transmitter.py
++++ b/fail2ban/server/transmitter.py
+@@ -475,7 +475,7 @@ class Transmitter:
+ opt = command[1][len("bantime."):]
+ return self.__server.getBanTimeExtra(name, opt)
+ elif command[1] == "actions":
+- return self.__server.getActions(name).keys()
++ return list(self.__server.getActions(name).keys())
+ elif command[1] == "action":
+ actionname = command[2]
+ actionvalue = command[3]
+diff --git a/fail2ban/server/utils.py b/fail2ban/server/utils.py
+index d4461a7d..13c24e76 100644
+--- a/fail2ban/server/utils.py
++++ b/fail2ban/server/utils.py
+@@ -57,7 +57,7 @@ _RETCODE_HINTS = {
+
+ # Dictionary to lookup signal name from number
+ signame = dict((num, name)
+- for name, num in signal.__dict__.iteritems() if name.startswith("SIG"))
++ for name, num in signal.__dict__.items() if name.startswith("SIG"))
+
+ class Utils():
+ """Utilities provide diverse static methods like executes OS shell commands, etc.
+@@ -109,7 +109,7 @@ class Utils():
+ break
+ else: # pragma: 3.x no cover (dict is in 2.6 only)
+ remlst = []
+- for (ck, cv) in cache.iteritems():
++ for (ck, cv) in cache.items():
+ # if expired:
+ if cv[1] <= t:
+ remlst.append(ck)
+@@ -152,7 +152,7 @@ class Utils():
+ if not isinstance(realCmd, list):
+ realCmd = [realCmd]
+ i = len(realCmd)-1
+- for k, v in varsDict.iteritems():
++ for k, v in varsDict.items():
+ varsStat += "%s=$%s " % (k, i)
+ realCmd.append(v)
+ i += 1
+diff --git a/fail2ban/tests/action_d/test_badips.py b/fail2ban/tests/action_d/test_badips.py
+index 013c0fdb..3c35e4d7 100644
+--- a/fail2ban/tests/action_d/test_badips.py
++++ b/fail2ban/tests/action_d/test_badips.py
+@@ -32,7 +32,7 @@ from ..utils import LogCaptureTestCase, CONFIG_DIR
+ if sys.version_info >= (3, ): # pragma: 2.x no cover
+ from urllib.error import HTTPError, URLError
+ else: # pragma: 3.x no cover
+- from urllib2 import HTTPError, URLError
++ from urllib.error import HTTPError, URLError
+
+ def skip_if_not_available(f):
+ """Helper to decorate tests to skip in case of timeout/http-errors like "502 bad gateway".
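Review bot: The `else:` branch now imports `from urllib.error import HTTPError, URLError`, which is the same import as the `if sys.version_info >= (3, ):` branch, so the version guard is dead code and the branch marked `# pragma: 3.x no cover` would fail on the interpreter it claims to serve. Since this patch targets Python 3 only, the guard should be collapsed to a single unconditional `from urllib.error import HTTPError, URLError`, or the Python 2 fallback `from urllib2 import ...` left in place if dual support is still intended. The same guard-left-in-place pattern appears in the misctestcase.py hunk ending at the `uni_string('test\xcf')` line.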
+diff --git a/fail2ban/tests/actiontestcase.py b/fail2ban/tests/actiontestcase.py
+index 1a00c040..ecd09246 100644
+--- a/fail2ban/tests/actiontestcase.py
++++ b/fail2ban/tests/actiontestcase.py
+@@ -244,14 +244,14 @@ class CommandActionTest(LogCaptureTestCase):
+ setattr(self.__action, 'ab', "<ac>")
+ setattr(self.__action, 'x?family=inet6', "")
+ # produce self-referencing properties except:
+- self.assertRaisesRegexp(ValueError, r"properties contain self referencing definitions",
++ self.assertRaisesRegex(ValueError, r"properties contain self referencing definitions",
+ lambda: self.__action.replaceTag("<a><b>",
+ self.__action._properties, conditional="family=inet4")
+ )
+ # remore self-referencing in props:
+ delattr(self.__action, 'ac')
+ # produce self-referencing query except:
+- self.assertRaisesRegexp(ValueError, r"possible self referencing definitions in query",
++ self.assertRaisesRegex(ValueError, r"possible self referencing definitions in query",
+ lambda: self.__action.replaceTag("<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x>>>>>>>>>>>>>>>>>>>>>",
+ self.__action._properties, conditional="family=inet6")
+ )
+diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
+index 2c1d0a0e..aa7908c4 100644
+--- a/fail2ban/tests/clientreadertestcase.py
++++ b/fail2ban/tests/clientreadertestcase.py
+@@ -390,7 +390,7 @@ class JailReaderTest(LogCaptureTestCase):
+ # And multiple groups (`][` instead of `,`)
+ result = extractOptions(option.replace(',', ']['))
+ expected2 = (expected[0],
+- dict((k, v.replace(',', '][')) for k, v in expected[1].iteritems())
++ dict((k, v.replace(',', '][')) for k, v in expected[1].items())
+ )
+ self.assertEqual(expected2, result)
+
+@@ -975,7 +975,7 @@ filter = testfilter1
+ self.assertEqual(add_actions[-1][-1], "{}")
+
+ def testLogPathFileFilterBackend(self):
+- self.assertRaisesRegexp(ValueError, r"Have not found any log file for .* jail",
++ self.assertRaisesRegex(ValueError, r"Have not found any log file for .* jail",
+ self._testLogPath, backend='polling')
+
+ def testLogPathSystemdBackend(self):
+diff --git a/fail2ban/tests/databasetestcase.py b/fail2ban/tests/databasetestcase.py
+index 9a5e9fa1..562461a6 100644
+--- a/fail2ban/tests/databasetestcase.py
++++ b/fail2ban/tests/databasetestcase.py
+@@ -67,7 +67,7 @@ class DatabaseTest(LogCaptureTestCase):
+
+ @property
+ def db(self):
+- if isinstance(self._db, basestring) and self._db == ':auto-create-in-memory:':
++ if isinstance(self._db, str) and self._db == ':auto-create-in-memory:':
+ self._db = getFail2BanDb(self.dbFilename)
+ return self._db
+ @db.setter
+@@ -159,7 +159,7 @@ class DatabaseTest(LogCaptureTestCase):
+ self.db = Fail2BanDb(self.dbFilename)
+ self.assertEqual(self.db.getJailNames(), set(['DummyJail #29162448 with 0 tickets']))
+ self.assertEqual(self.db.getLogPaths(), set(['/tmp/Fail2BanDb_pUlZJh.log']))
+- ticket = FailTicket("127.0.0.1", 1388009242.26, [u"abc\n"])
++ ticket = FailTicket("127.0.0.1", 1388009242.26, ["abc\n"])
+ self.assertEqual(self.db.getBans()[0], ticket)
+
+ self.assertEqual(self.db.updateDb(Fail2BanDb.__version__), Fail2BanDb.__version__)
+@@ -185,9 +185,9 @@ class DatabaseTest(LogCaptureTestCase):
+ self.assertEqual(len(bans), 2)
+ # compare first ticket completely:
+ ticket = FailTicket("1.2.3.7", 1417595494, [
+- u'Dec 3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
+- u'Dec 3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
+- u'Dec 3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7'
++ 'Dec 3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
++ 'Dec 3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
++ 'Dec 3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7'
+ ])
+ ticket.setAttempt(3)
+ self.assertEqual(bans[0], ticket)
+@@ -286,11 +286,11 @@ class DatabaseTest(LogCaptureTestCase):
+ # invalid + valid, invalid + valid unicode, invalid + valid dual converted (like in filter:readline by fallback) ...
+ tickets = [
+ FailTicket("127.0.0.1", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+- FailTicket("127.0.0.2", 0, ['user "test"', u'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
++ FailTicket("127.0.0.2", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+ FailTicket("127.0.0.3", 0, ['user "test"', b'user "\xd1\xe2\xe5\xf2\xe0"', b'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+- FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xe4\xf6\xfc\xdf"']),
++ FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xe4\xf6\xfc\xdf"']),
+ FailTicket("127.0.0.5", 0, ['user "test"', 'unterminated \xcf']),
+- FailTicket("127.0.0.6", 0, ['user "test"', u'unterminated \xcf']),
++ FailTicket("127.0.0.6", 0, ['user "test"', 'unterminated \xcf']),
+ FailTicket("127.0.0.7", 0, ['user "test"', b'unterminated \xcf'])
+ ]
+ for ticket in tickets:
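Review bot: Stripping the `u` prefix makes the `FailTicket("127.0.0.2", ...)` fixture byte-for-byte identical to the `"127.0.0.1"` one on the line above, and `"127.0.0.6"` identical to `"127.0.0.5"`, so the cases the comment describes as "invalid + valid unicode" and "invalid + valid dual converted" no longer exercise anything distinct from the plain-str case. The test still passes but its coverage of mixed str/bytes handling in the database layer has quietly shrunk, which matters for fail2ban because this is the path that stores attacker-controlled log lines. Either drop the now-duplicate tickets and update the comment, or rewrite those fixtures with `b'...'` / `.decode('latin-1')` variants so each ticket still represents a different input encoding. The filtertestcase.py hunks at `for a1 in ('', '', b''):` and at `# Add direct utf, unicode, blob:` have the same collapse.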
+diff --git a/fail2ban/tests/datedetectortestcase.py b/fail2ban/tests/datedetectortestcase.py
+index 458f76ef..49ada60d 100644
+--- a/fail2ban/tests/datedetectortestcase.py
++++ b/fail2ban/tests/datedetectortestcase.py
+@@ -279,7 +279,7 @@ class DateDetectorTest(LogCaptureTestCase):
+ self.assertEqual(logTime, mu)
+ self.assertEqual(logMatch.group(1), '2012/10/11 02:37:17')
+ # confuse it with year being at the end
+- for i in xrange(10):
++ for i in range(10):
+ ( logTime, logMatch ) = self.datedetector.getTime('11/10/2012 02:37:17 [error] 18434#0')
+ self.assertEqual(logTime, mu)
+ self.assertEqual(logMatch.group(1), '11/10/2012 02:37:17')
+@@ -505,7 +505,7 @@ class CustomDateFormatsTest(unittest.TestCase):
+ date = dd.getTime(line)
+ if matched:
+ self.assertTrue(date)
+- if isinstance(matched, basestring):
++ if isinstance(matched, str):
+ self.assertEqual(matched, date[1].group(1))
+ else:
+ self.assertEqual(matched, date[0])
+@@ -537,7 +537,7 @@ class CustomDateFormatsTest(unittest.TestCase):
+ date = dd.getTime(line)
+ if matched:
+ self.assertTrue(date)
+- if isinstance(matched, basestring): # pragma: no cover
++ if isinstance(matched, str): # pragma: no cover
+ self.assertEqual(matched, date[1].group(1))
+ else:
+ self.assertEqual(matched, date[0])
+diff --git a/fail2ban/tests/fail2banclienttestcase.py b/fail2ban/tests/fail2banclienttestcase.py
+index 95f73ed3..bba354fa 100644
+--- a/fail2ban/tests/fail2banclienttestcase.py
++++ b/fail2ban/tests/fail2banclienttestcase.py
+@@ -367,10 +367,10 @@ def with_foreground_server_thread(startextra={}):
+ # several commands to server in body of decorated function:
+ return f(self, tmp, startparams, *args, **kwargs)
+ except Exception as e: # pragma: no cover
+- print('=== Catch an exception: %s' % e)
++ print(('=== Catch an exception: %s' % e))
+ log = self.getLog()
+ if log:
+- print('=== Error of server, log: ===\n%s===' % log)
++ print(('=== Error of server, log: ===\n%s===' % log))
+ self.pruneLog()
+ raise
+ finally:
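Review bot: The new `print(('=== Catch an exception: %s' % e))` and `print(('=== Error of server, log: ===\n%s===' % log))` lines carry a redundant pair of parentheses that 2to3 adds when a file lacks `from __future__ import print_function`; the output is unchanged but the code reads as if a tuple were intended. These should be `print('=== Catch an exception: %s' % e)` and `print('=== Error of server, log: ===\n%s===' % log)`; the hunk at `print(('=== Error by wait fot server, log: ===\n%s===' % self.getLog()))` has the same artifact. In the digest.py hunks the double parentheses are semantically load-bearing (they preserve Python 2's tuple output for `print((r.status_code,r.headers, r.text))`), so those should only be simplified if the tuple-repr output is not relied on by anything that parses it, which I cannot tell from this diff.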
+@@ -440,7 +440,7 @@ class Fail2banClientServerBase(LogCaptureTestCase):
+ )
+ except: # pragma: no cover
+ if _inherited_log(startparams):
+- print('=== Error by wait fot server, log: ===\n%s===' % self.getLog())
++ print(('=== Error by wait fot server, log: ===\n%s===' % self.getLog()))
+ self.pruneLog()
+ log = pjoin(tmp, "f2b.log")
+ if isfile(log):
+@@ -1610,6 +1610,6 @@ class Fail2banServerTest(Fail2banClientServerBase):
+ self.stopAndWaitForServerEnd(SUCCESS)
+
+ def testServerStartStop(self):
+- for i in xrange(2000):
++ for i in range(2000):
+ self._testServerStartStop()
+
+diff --git a/fail2ban/tests/failmanagertestcase.py b/fail2ban/tests/failmanagertestcase.py
+index a5425286..2a94cc82 100644
+--- a/fail2ban/tests/failmanagertestcase.py
++++ b/fail2ban/tests/failmanagertestcase.py
+@@ -45,11 +45,11 @@ class AddFailure(unittest.TestCase):
+ super(AddFailure, self).tearDown()
+
+ def _addDefItems(self):
+- self.__items = [[u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
++ self.__items = [['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
+ ['87.142.124.10', 1167605999.0],
+ ['87.142.124.10', 1167605999.0],
+ ['87.142.124.10', 1167605999.0],
+diff --git a/fail2ban/tests/files/config/apache-auth/digest.py b/fail2ban/tests/files/config/apache-auth/digest.py
+index 03588594..e2297ab3 100755
+--- a/fail2ban/tests/files/config/apache-auth/digest.py
++++ b/fail2ban/tests/files/config/apache-auth/digest.py
+@@ -41,7 +41,7 @@ def auth(v):
+ response="%s"
+ """ % ( username, algorithm, realm, url, nonce, qop, response )
+ # opaque="%s",
+- print(p.method, p.url, p.headers)
++ print((p.method, p.url, p.headers))
+ s = requests.Session()
+ return s.send(p)
+
+@@ -76,18 +76,18 @@ r = auth(v)
+
+ # [Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/
+
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ v['algorithm'] = algorithm
+
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ nonce = v['nonce']
+ v['nonce']=v['nonce'][5:-5]
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ # [Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/
+
+@@ -95,7 +95,7 @@ print(r.status_code,r.headers, r.text)
+ v['nonce']=nonce[0:11] + 'ZZZ' + nonce[14:]
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ #[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b
+
+@@ -107,7 +107,7 @@ import time
+ time.sleep(1)
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ # Obtained by putting the following code in modules/aaa/mod_auth_digest.c
+ # in the function initialize_secret
+@@ -137,7 +137,7 @@ s = sha.sha(apachesecret)
+
+ v=preauth()
+
+-print(v['nonce'])
++print((v['nonce']))
+ realm = v['Digest realm'][1:-1]
+
+ (t,) = struct.unpack('l',base64.b64decode(v['nonce'][1:13]))
+@@ -156,13 +156,13 @@ print(v)
+
+ r = auth(v)
+ #[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ url='/digest_onetime/'
+ v=preauth()
+
+ # Need opaque header handling in auth
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
+index 35785a58..8eeb6902 100644
+--- a/fail2ban/tests/filtertestcase.py
++++ b/fail2ban/tests/filtertestcase.py
+@@ -22,7 +22,7 @@
+ __copyright__ = "Copyright (c) 2004 Cyril Jaquier; 2012 Yaroslav Halchenko"
+ __license__ = "GPL"
+
+-from __builtin__ import open as fopen
++from builtins import open as fopen
+ import unittest
+ import os
+ import re
+@@ -204,7 +204,7 @@ def _copy_lines_between_files(in_, fout, n=None, skip=0, mode='a', terminal_line
+ else:
+ fin = in_
+ # Skip
+- for i in xrange(skip):
++ for i in range(skip):
+ fin.readline()
+ # Read
+ i = 0
+@@ -244,7 +244,7 @@ def _copy_lines_to_journal(in_, fields={},n=None, skip=0, terminal_line=""): # p
+ # Required for filtering
+ fields.update(TEST_JOURNAL_FIELDS)
+ # Skip
+- for i in xrange(skip):
++ for i in range(skip):
+ fin.readline()
+ # Read/Write
+ i = 0
+@@ -306,18 +306,18 @@ class BasicFilter(unittest.TestCase):
+ def testTest_tm(self):
+ unittest.F2B.SkipIfFast()
+ ## test function "_tm" works correct (returns the same as slow strftime):
+- for i in xrange(1417512352, (1417512352 // 3600 + 3) * 3600):
++ for i in range(1417512352, (1417512352 // 3600 + 3) * 3600):
+ tm = MyTime.time2str(i)
+ if _tm(i) != tm: # pragma: no cover - never reachable
+ self.assertEqual((_tm(i), i), (tm, i))
+
+ def testWrongCharInTupleLine(self):
+ ## line tuple has different types (ascii after ascii / unicode):
+- for a1 in ('', u'', b''):
+- for a2 in ('2016-09-05T20:18:56', u'2016-09-05T20:18:56', b'2016-09-05T20:18:56'):
++ for a1 in ('', '', b''):
++ for a2 in ('2016-09-05T20:18:56', '2016-09-05T20:18:56', b'2016-09-05T20:18:56'):
+ for a3 in (
+ 'Fail for "g\xc3\xb6ran" from 192.0.2.1',
+- u'Fail for "g\xc3\xb6ran" from 192.0.2.1',
++ 'Fail for "g\xc3\xb6ran" from 192.0.2.1',
+ b'Fail for "g\xc3\xb6ran" from 192.0.2.1'
+ ):
+ # join should work if all arguments have the same type:
+@@ -435,7 +435,7 @@ class IgnoreIP(LogCaptureTestCase):
+
+ def testAddAttempt(self):
+ self.filter.setMaxRetry(3)
+- for i in xrange(1, 1+3):
++ for i in range(1, 1+3):
+ self.filter.addAttempt('192.0.2.1')
+ self.assertLogged('Attempt 192.0.2.1', '192.0.2.1:%d' % i, all=True, wait=True)
+ self.jail.actions._Actions__checkBan()
+@@ -472,7 +472,7 @@ class IgnoreIP(LogCaptureTestCase):
+ # like both test-cases above, just cached (so once per key)...
+ self.filter.ignoreCache = {"key":"<ip>"}
+ self.filter.ignoreCommand = 'if [ "<ip>" = "10.0.0.1" ]; then exit 0; fi; exit 1'
+- for i in xrange(5):
++ for i in range(5):
+ self.pruneLog()
+ self.assertTrue(self.filter.inIgnoreIPList("10.0.0.1"))
+ self.assertFalse(self.filter.inIgnoreIPList("10.0.0.0"))
+@@ -483,7 +483,7 @@ class IgnoreIP(LogCaptureTestCase):
+ # by host of IP:
+ self.filter.ignoreCache = {"key":"<ip-host>"}
+ self.filter.ignoreCommand = 'if [ "<ip-host>" = "test-host" ]; then exit 0; fi; exit 1'
+- for i in xrange(5):
++ for i in range(5):
+ self.pruneLog()
+ self.assertTrue(self.filter.inIgnoreIPList(FailTicket("2001:db8::1")))
+ self.assertFalse(self.filter.inIgnoreIPList(FailTicket("2001:db8::ffff")))
+@@ -495,7 +495,7 @@ class IgnoreIP(LogCaptureTestCase):
+ self.filter.ignoreCache = {"key":"<F-USER>", "max-count":"10", "max-time":"1h"}
+ self.assertEqual(self.filter.ignoreCache, ["<F-USER>", 10, 60*60])
+ self.filter.ignoreCommand = 'if [ "<F-USER>" = "tester" ]; then exit 0; fi; exit 1'
+- for i in xrange(5):
++ for i in range(5):
+ self.pruneLog()
+ self.assertTrue(self.filter.inIgnoreIPList(FailTicket("tester", data={'user': 'tester'})))
+ self.assertFalse(self.filter.inIgnoreIPList(FailTicket("root", data={'user': 'root'})))
+@@ -644,7 +644,7 @@ class LogFileFilterPoll(unittest.TestCase):
+ fc = FileContainer(fname, self.filter.getLogEncoding())
+ fc.open()
+ # no time - nothing should be found :
+- for i in xrange(10):
++ for i in range(10):
+ f.write("[sshd] error: PAM: failure len 1\n")
+ f.flush()
+ fc.setPos(0); self.filter.seekToTime(fc, time)
+@@ -718,14 +718,14 @@ class LogFileFilterPoll(unittest.TestCase):
+ # variable length of file (ca 45K or 450K before and hereafter):
+ # write lines with smaller as search time:
+ t = time - count - 1
+- for i in xrange(count):
++ for i in range(count):
+ f.write("%s [sshd] error: PAM: failure\n" % _tm(t))
+ t += 1
+ f.flush()
+ fc.setPos(0); self.filter.seekToTime(fc, time)
+ self.assertEqual(fc.getPos(), 47*count)
+ # write lines with exact search time:
+- for i in xrange(10):
++ for i in range(10):
+ f.write("%s [sshd] error: PAM: failure\n" % _tm(time))
+ f.flush()
+ fc.setPos(0); self.filter.seekToTime(fc, time)
+@@ -734,8 +734,8 @@ class LogFileFilterPoll(unittest.TestCase):
+ self.assertEqual(fc.getPos(), 47*count)
+ # write lines with greater as search time:
+ t = time+1
+- for i in xrange(count//500):
+- for j in xrange(500):
++ for i in range(count//500):
++ for j in range(500):
+ f.write("%s [sshd] error: PAM: failure\n" % _tm(t))
+ t += 1
+ f.flush()
+@@ -1488,10 +1488,10 @@ def get_monitor_failures_journal_testcase(Filter_): # pragma: systemd no cover
+ # Add direct utf, unicode, blob:
+ for l in (
+ "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
+- u"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
++ "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
+ b"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1".decode('utf-8', 'replace'),
+ "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
+- u"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
++ "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
+ b"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2".decode('utf-8', 'replace')
+ ):
+ fields = self.journal_fields
+@@ -1520,7 +1520,7 @@ class GetFailures(LogCaptureTestCase):
+
+ # so that they could be reused by other tests
+ FAILURES_01 = ('193.168.0.128', 3, 1124013599.0,
+- [u'Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3)
++ ['Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3)
+
+ def setUp(self):
+ """Call before every test case."""
+@@ -1595,8 +1595,8 @@ class GetFailures(LogCaptureTestCase):
+
+ def testGetFailures02(self):
+ output = ('141.3.81.106', 4, 1124013539.0,
+- [u'Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2'
+- % m for m in 53, 54, 57, 58])
++ ['Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2'
++ % m for m in (53, 54, 57, 58)])
+
+ self.filter.addLogPath(GetFailures.FILENAME_02, autoSeek=0)
+ self.filter.addFailRegex(r"Failed .* from <HOST>")
+@@ -1691,17 +1691,17 @@ class GetFailures(LogCaptureTestCase):
+ # We should still catch failures with usedns = no ;-)
+ output_yes = (
+ ('93.184.216.34', 2, 1124013539.0,
+- [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2',
+- u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2',
++ 'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
+ ),
+ ('2606:2800:220:1:248:1893:25c8:1946', 1, 1124013299.0,
+- [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
+ ),
+ )
+
+ output_no = (
+ ('93.184.216.34', 1, 1124013539.0,
+- [u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
++ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
+ )
+ )
+
+@@ -1807,9 +1807,9 @@ class DNSUtilsTests(unittest.TestCase):
+ self.assertTrue(c.get('a') is None)
+ self.assertEqual(c.get('a', 'test'), 'test')
+ # exact 5 elements :
+- for i in xrange(5):
++ for i in range(5):
+ c.set(i, i)
+- for i in xrange(5):
++ for i in range(5):
+ self.assertEqual(c.get(i), i)
+ # remove unavailable key:
+ c.unset('a'); c.unset('a')
+@@ -1817,30 +1817,30 @@ class DNSUtilsTests(unittest.TestCase):
+ def testCacheMaxSize(self):
+ c = Utils.Cache(maxCount=5, maxTime=60)
+ # exact 5 elements :
+- for i in xrange(5):
++ for i in range(5):
+ c.set(i, i)
+- self.assertEqual([c.get(i) for i in xrange(5)], [i for i in xrange(5)])
+- self.assertNotIn(-1, (c.get(i, -1) for i in xrange(5)))
++ self.assertEqual([c.get(i) for i in range(5)], [i for i in range(5)])
++ self.assertNotIn(-1, (c.get(i, -1) for i in range(5)))
+ # add one - too many:
+ c.set(10, i)
+ # one element should be removed :
+- self.assertIn(-1, (c.get(i, -1) for i in xrange(5)))
++ self.assertIn(-1, (c.get(i, -1) for i in range(5)))
+ # test max size (not expired):
+- for i in xrange(10):
++ for i in range(10):
+ c.set(i, 1)
+ self.assertEqual(len(c), 5)
+
+ def testCacheMaxTime(self):
+ # test max time (expired, timeout reached) :
+ c = Utils.Cache(maxCount=5, maxTime=0.0005)
+- for i in xrange(10):
++ for i in range(10):
+ c.set(i, 1)
+ st = time.time()
+ self.assertTrue(Utils.wait_for(lambda: time.time() >= st + 0.0005, 1))
+ # we have still 5 elements (or fewer if too slow test mashine):
+ self.assertTrue(len(c) <= 5)
+ # but all that are expiered also:
+- for i in xrange(10):
++ for i in range(10):
+ self.assertTrue(c.get(i) is None)
+ # here the whole cache should be empty:
+ self.assertEqual(len(c), 0)
+@@ -1861,7 +1861,7 @@ class DNSUtilsTests(unittest.TestCase):
+ c = count
+ while c:
+ c -= 1
+- s = xrange(0, 256, 1) if forw else xrange(255, -1, -1)
++ s = range(0, 256, 1) if forw else range(255, -1, -1)
+ if random: shuffle([i for i in s])
+ for i in s:
+ IPAddr('192.0.2.'+str(i), IPAddr.FAM_IPv4)
+@@ -1983,15 +1983,15 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+
+ def testAddr2bin(self):
+ res = IPAddr('10.0.0.0')
+- self.assertEqual(res.addr, 167772160L)
++ self.assertEqual(res.addr, 167772160)
+ res = IPAddr('10.0.0.0', cidr=None)
+- self.assertEqual(res.addr, 167772160L)
+- res = IPAddr('10.0.0.0', cidr=32L)
+- self.assertEqual(res.addr, 167772160L)
+- res = IPAddr('10.0.0.1', cidr=32L)
+- self.assertEqual(res.addr, 167772161L)
+- res = IPAddr('10.0.0.1', cidr=31L)
+- self.assertEqual(res.addr, 167772160L)
++ self.assertEqual(res.addr, 167772160)
++ res = IPAddr('10.0.0.0', cidr=32)
++ self.assertEqual(res.addr, 167772160)
++ res = IPAddr('10.0.0.1', cidr=32)
++ self.assertEqual(res.addr, 167772161)
++ res = IPAddr('10.0.0.1', cidr=31)
++ self.assertEqual(res.addr, 167772160)
+
+ self.assertEqual(IPAddr('10.0.0.0').hexdump, '0a000000')
+ self.assertEqual(IPAddr('1::2').hexdump, '00010000000000000000000000000002')
+@@ -2067,9 +2067,9 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+ '93.184.216.34': 'ip4-test',
+ '2606:2800:220:1:248:1893:25c8:1946': 'ip6-test'
+ }
+- d2 = dict([(IPAddr(k), v) for k, v in d.iteritems()])
+- self.assertTrue(isinstance(d.keys()[0], basestring))
+- self.assertTrue(isinstance(d2.keys()[0], IPAddr))
++ d2 = dict([(IPAddr(k), v) for k, v in d.items()])
++ self.assertTrue(isinstance(list(d.keys())[0], str))
++ self.assertTrue(isinstance(list(d2.keys())[0], IPAddr))
+ self.assertEqual(d.get(ip4[2], ''), 'ip4-test')
+ self.assertEqual(d.get(ip6[2], ''), 'ip6-test')
+ self.assertEqual(d2.get(str(ip4[2]), ''), 'ip4-test')
+diff --git a/fail2ban/tests/misctestcase.py b/fail2ban/tests/misctestcase.py
+index 9b986f53..94f7a8de 100644
+--- a/fail2ban/tests/misctestcase.py
++++ b/fail2ban/tests/misctestcase.py
+@@ -29,9 +29,9 @@ import tempfile
+ import shutil
+ import fnmatch
+ from glob import glob
+-from StringIO import StringIO
++from io import StringIO
+
+-from utils import LogCaptureTestCase, logSys as DefLogSys
++from .utils import LogCaptureTestCase, logSys as DefLogSys
+
+ from ..helpers import formatExceptionInfo, mbasename, TraceBack, FormatterWithTraceBack, getLogger, \
+ splitwords, uni_decode, uni_string
+@@ -67,7 +67,7 @@ class HelpersTest(unittest.TestCase):
+ self.assertEqual(splitwords(' 1\n 2'), ['1', '2'])
+ self.assertEqual(splitwords(' 1\n 2, 3'), ['1', '2', '3'])
+ # string as unicode:
+- self.assertEqual(splitwords(u' 1\n 2, 3'), ['1', '2', '3'])
++ self.assertEqual(splitwords(' 1\n 2, 3'), ['1', '2', '3'])
+
+
+ if sys.version_info >= (2,7):
+@@ -197,11 +197,11 @@ class TestsUtilsTest(LogCaptureTestCase):
+
+ def testUniConverters(self):
+ self.assertRaises(Exception, uni_decode,
+- (b'test' if sys.version_info >= (3,) else u'test'), 'f2b-test::non-existing-encoding')
+- uni_decode((b'test\xcf' if sys.version_info >= (3,) else u'test\xcf'))
++ (b'test' if sys.version_info >= (3,) else 'test'), 'f2b-test::non-existing-encoding')
++ uni_decode((b'test\xcf' if sys.version_info >= (3,) else 'test\xcf'))
+ uni_string(b'test\xcf')
+ uni_string('test\xcf')
+- uni_string(u'test\xcf')
++ uni_string('test\xcf')
+
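Review bot: The `sys.version_info >= (3,)` guards on the new `(b'test' if sys.version_info >= (3,) else 'test')` and `(b'test\xcf' if ... else 'test\xcf')` lines no longer select between bytes and unicode: on Python 2 the else branch now yields a byte string, which is the same kind of value as the if branch, so the conditional tests nothing and only obscures intent. Since the patch drops Python 2 support elsewhere (see the test_badips.py hunk), these should simply read `self.assertRaises(Exception, uni_decode, b'test', 'f2b-test::non-existing-encoding')` and `uni_decode(b'test\xcf')`. The three `uni_string(...)` calls below are likewise now two identical str calls and one bytes call; dropping the duplicate keeps the test honest about what it covers.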
+ def testSafeLogging(self):
+ # logging should be exception-safe, to avoid possible errors (concat, str. conversion, representation failures, etc)
+@@ -213,7 +213,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ if self.err:
+ raise Exception('no represenation for test!')
+ else:
+- return u'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf'
++ return 'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf'
+ test = Test()
+ logSys.log(logging.NOTICE, "test 1a: %r", test)
+ self.assertLogged("Traceback", "no represenation for test!")
+@@ -261,7 +261,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ func_raise()
+
+ try:
+- print deep_function(3)
++ print(deep_function(3))
+ except ValueError:
+ s = tb()
+
+@@ -278,7 +278,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ self.assertIn(':', s)
+
+ def _testAssertionErrorRE(self, regexp, fun, *args, **kwargs):
+- self.assertRaisesRegexp(AssertionError, regexp, fun, *args, **kwargs)
++ self.assertRaisesRegex(AssertionError, regexp, fun, *args, **kwargs)
+
+ def testExtendedAssertRaisesRE(self):
+ ## test _testAssertionErrorRE several fail cases:
+@@ -316,13 +316,13 @@ class TestsUtilsTest(LogCaptureTestCase):
+ self._testAssertionErrorRE(r"'a' unexpectedly found in 'cba'",
+ self.assertNotIn, 'a', 'cba')
+ self._testAssertionErrorRE(r"1 unexpectedly found in \[0, 1, 2\]",
+- self.assertNotIn, 1, xrange(3))
++ self.assertNotIn, 1, range(3))
+ self._testAssertionErrorRE(r"'A' unexpectedly found in \['C', 'A'\]",
+ self.assertNotIn, 'A', (c.upper() for c in 'cba' if c != 'b'))
+ self._testAssertionErrorRE(r"'a' was not found in 'xyz'",
+ self.assertIn, 'a', 'xyz')
+ self._testAssertionErrorRE(r"5 was not found in \[0, 1, 2\]",
+- self.assertIn, 5, xrange(3))
++ self.assertIn, 5, range(3))
+ self._testAssertionErrorRE(r"'A' was not found in \['C', 'B'\]",
+ self.assertIn, 'A', (c.upper() for c in 'cba' if c != 'a'))
+ ## assertLogged, assertNotLogged positive case:
+diff --git a/fail2ban/tests/observertestcase.py b/fail2ban/tests/observertestcase.py
+index 8e944454..ed520286 100644
+--- a/fail2ban/tests/observertestcase.py
++++ b/fail2ban/tests/observertestcase.py
+@@ -69,7 +69,7 @@ class BanTimeIncr(LogCaptureTestCase):
+ a.setBanTimeExtra('multipliers', multipliers)
+ # test algorithm and max time 24 hours :
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400]
+ )
+ # with extra large max time (30 days):
+@@ -81,38 +81,38 @@ class BanTimeIncr(LogCaptureTestCase):
+ if multcnt < 11:
+ arr = arr[0:multcnt-1] + ([arr[multcnt-2]] * (11-multcnt))
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ arr
+ )
+ a.setBanTimeExtra('maxtime', '1d')
+ # change factor :
+ a.setBanTimeExtra('factor', '2');
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ [2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400, 86400]
+ )
+ # factor is float :
+ a.setBanTimeExtra('factor', '1.33');
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1596, 3192, 6384, 12768, 25536, 51072, 86400, 86400, 86400, 86400]
+ )
+ a.setBanTimeExtra('factor', None);
+ # change max time :
+ a.setBanTimeExtra('maxtime', '12h')
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200]
+ )
+ a.setBanTimeExtra('maxtime', '24h')
+ ## test randomization - not possibe all 10 times we have random = 0:
+ a.setBanTimeExtra('rndtime', '5m')
+ self.assertTrue(
+- False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)]
+ )
+ a.setBanTimeExtra('rndtime', None)
+ self.assertFalse(
+- False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)]
+ )
+ # restore default:
+ a.setBanTimeExtra('multipliers', None)
+@@ -124,7 +124,7 @@ class BanTimeIncr(LogCaptureTestCase):
+ # this multipliers has the same values as default formula, we test stop growing after count 9:
+ self.testDefault('1 2 4 8 16 32 64 128 256')
+ # this multipliers has exactly the same values as default formula, test endless growing (stops by count 31 only):
+- self.testDefault(' '.join([str(1<<i) for i in xrange(31)]))
++ self.testDefault(' '.join([str(1<<i) for i in range(31)]))
+
+ def testFormula(self):
+ a = self.__jail;
+@@ -136,38 +136,38 @@ class BanTimeIncr(LogCaptureTestCase):
+ a.setBanTimeExtra('multipliers', None)
+ # test algorithm and max time 24 hours :
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400]
+ )
+ # with extra large max time (30 days):
+ a.setBanTimeExtra('maxtime', '30d')
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 76800, 153601, 307203, 614407]
+ )
+ a.setBanTimeExtra('maxtime', '24h')
+ # change factor :
+ a.setBanTimeExtra('factor', '1');
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1630, 4433, 12051, 32758, 86400, 86400, 86400, 86400, 86400, 86400]
+ )
+ a.setBanTimeExtra('factor', '2.0 / 2.885385')
+ # change max time :
+ a.setBanTimeExtra('maxtime', '12h')
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200]
+ )
+ a.setBanTimeExtra('maxtime', '24h')
+ ## test randomization - not possibe all 10 times we have random = 0:
+ a.setBanTimeExtra('rndtime', '5m')
+ self.assertTrue(
+- False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)]
+ )
+ a.setBanTimeExtra('rndtime', None)
+ self.assertFalse(
+- False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)]
+ )
+ # restore default:
+ a.setBanTimeExtra('factor', None);
+@@ -230,7 +230,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ ticket = FailTicket(ip, stime, [])
+ # test ticket not yet found
+ self.assertEqual(
+- [self.incrBanTime(ticket, 10) for i in xrange(3)],
++ [self.incrBanTime(ticket, 10) for i in range(3)],
+ [10, 10, 10]
+ )
+ # add a ticket banned
+@@ -285,7 +285,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ )
+ # increase ban multiple times:
+ lastBanTime = 20
+- for i in xrange(10):
++ for i in range(10):
+ ticket.setTime(stime + lastBanTime + 5)
+ banTime = self.incrBanTime(ticket, 10)
+ self.assertEqual(banTime, lastBanTime * 2)
+@@ -481,7 +481,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ ticket = FailTicket(ip, stime-120, [])
+ failManager = FailManager()
+ failManager.setMaxRetry(3)
+- for i in xrange(3):
++ for i in range(3):
+ failManager.addFailure(ticket)
+ obs.add('failureFound', failManager, jail, ticket)
+ obs.wait_empty(5)
+diff --git a/fail2ban/tests/samplestestcase.py b/fail2ban/tests/samplestestcase.py
+index 0bbd05f5..479b564a 100644
+--- a/fail2ban/tests/samplestestcase.py
++++ b/fail2ban/tests/samplestestcase.py
+@@ -138,7 +138,7 @@ class FilterSamplesRegex(unittest.TestCase):
+
+ @staticmethod
+ def _filterOptions(opts):
+- return dict((k, v) for k, v in opts.iteritems() if not k.startswith('test.'))
++ return dict((k, v) for k, v in opts.items() if not k.startswith('test.'))
+
+ def testSampleRegexsFactory(name, basedir):
+ def testFilter(self):
+@@ -249,10 +249,10 @@ def testSampleRegexsFactory(name, basedir):
+ self.assertTrue(faildata.get('match', False),
+ "Line matched when shouldn't have")
+ self.assertEqual(len(ret), 1,
+- "Multiple regexs matched %r" % (map(lambda x: x[0], ret)))
++ "Multiple regexs matched %r" % ([x[0] for x in ret]))
+
+ # Verify match captures (at least fid/host) and timestamp as expected
+- for k, v in faildata.iteritems():
++ for k, v in faildata.items():
+ if k not in ("time", "match", "desc", "filter"):
+ fv = fail.get(k, None)
+ if fv is None:
+@@ -294,7 +294,7 @@ def testSampleRegexsFactory(name, basedir):
+ '\n'.join(pprint.pformat(fail).splitlines())))
+
+ # check missing samples for regex using each filter-options combination:
+- for fltName, flt in self._filters.iteritems():
++ for fltName, flt in self._filters.items():
+ flt, regexsUsedIdx = flt
+ regexList = flt.getFailRegex()
+ for failRegexIndex, failRegex in enumerate(regexList):
+diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
+index 55e72455..7925ab1e 100644
+--- a/fail2ban/tests/servertestcase.py
++++ b/fail2ban/tests/servertestcase.py
+@@ -124,14 +124,14 @@ class TransmitterBase(LogCaptureTestCase):
+ self.transm.proceed(["get", jail, cmd]), (0, []))
+ for n, value in enumerate(values):
+ ret = self.transm.proceed(["set", jail, cmdAdd, value])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2)
+ ret = self.transm.proceed(["get", jail, cmd])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2)
+ for n, value in enumerate(values):
+ ret = self.transm.proceed(["set", jail, cmdDel, value])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2)
+ ret = self.transm.proceed(["get", jail, cmd])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2)
+
+ def jailAddDelRegexTest(self, cmd, inValues, outValues, jail):
+ cmdAdd = "add" + cmd
+@@ -930,7 +930,7 @@ class TransmitterLogging(TransmitterBase):
+
+ def testLogTarget(self):
+ logTargets = []
+- for _ in xrange(3):
++ for _ in range(3):
+ tmpFile = tempfile.mkstemp("fail2ban", "transmitter")
+ logTargets.append(tmpFile[1])
+ os.close(tmpFile[0])
+@@ -1003,26 +1003,26 @@ class TransmitterLogging(TransmitterBase):
+ self.assertEqual(self.transm.proceed(["flushlogs"]), (0, "rolled over"))
+ l.warning("After flushlogs")
+ with open(fn2,'r') as f:
+- line1 = f.next()
++ line1 = next(f)
+ if line1.find('Changed logging target to') >= 0:
+- line1 = f.next()
++ line1 = next(f)
+ self.assertTrue(line1.endswith("Before file moved\n"))
+- line2 = f.next()
++ line2 = next(f)
+ self.assertTrue(line2.endswith("After file moved\n"))
+ try:
+- n = f.next()
++ n = next(f)
+ if n.find("Command: ['flushlogs']") >=0:
+- self.assertRaises(StopIteration, f.next)
++ self.assertRaises(StopIteration, f.__next__)
+ else:
+ self.fail("Exception StopIteration or Command: ['flushlogs'] expected. Got: %s" % n)
+ except StopIteration:
+ pass # on higher debugging levels this is expected
+ with open(fn,'r') as f:
+- line1 = f.next()
++ line1 = next(f)
+ if line1.find('rollover performed on') >= 0:
+- line1 = f.next()
++ line1 = next(f)
+ self.assertTrue(line1.endswith("After flushlogs\n"))
+- self.assertRaises(StopIteration, f.next)
++ self.assertRaises(StopIteration, f.__next__)
+ f.close()
+ finally:
+ os.remove(fn2)
+@@ -1185,7 +1185,7 @@ class LoggingTests(LogCaptureTestCase):
+ os.remove(f)
+
+
+-from clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR
++from .clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR
+
+ class ServerConfigReaderTests(LogCaptureTestCase):
+
+diff --git a/fail2ban/tests/sockettestcase.py b/fail2ban/tests/sockettestcase.py
+index 69bf8d8b..60f49e57 100644
+--- a/fail2ban/tests/sockettestcase.py
++++ b/fail2ban/tests/sockettestcase.py
+@@ -153,7 +153,7 @@ class Socket(LogCaptureTestCase):
+ org_handler = RequestHandler.found_terminator
+ try:
+ RequestHandler.found_terminator = lambda self: self.close()
+- self.assertRaisesRegexp(RuntimeError, r"socket connection broken",
++ self.assertRaisesRegex(RuntimeError, r"socket connection broken",
+ lambda: client.send(testMessage, timeout=unittest.F2B.maxWaitTime(10)))
+ finally:
+ RequestHandler.found_terminator = org_handler
+diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
+index fcfddba7..cb234e0d 100644
+--- a/fail2ban/tests/utils.py
++++ b/fail2ban/tests/utils.py
+@@ -35,7 +35,7 @@ import time
+ import threading
+ import unittest
+
+-from cStringIO import StringIO
++from io import StringIO
+ from functools import wraps
+
+ from ..helpers import getLogger, str2LogLevel, getVerbosityFormat, uni_decode
+@@ -174,8 +174,8 @@ def initProcess(opts):
+
+ # Let know the version
+ if opts.verbosity != 0:
+- print("Fail2ban %s test suite. Python %s. Please wait..." \
+- % (version, str(sys.version).replace('\n', '')))
++ print(("Fail2ban %s test suite. Python %s. Please wait..." \
++ % (version, str(sys.version).replace('\n', ''))))
+
+ return opts;
+
+@@ -322,7 +322,7 @@ def initTests(opts):
+ c = DNSUtils.CACHE_ipToName
+ # increase max count and max time (too many entries, long time testing):
+ c.setOptions(maxCount=10000, maxTime=5*60)
+- for i in xrange(256):
++ for i in range(256):
+ c.set('192.0.2.%s' % i, None)
+ c.set('198.51.100.%s' % i, None)
+ c.set('203.0.113.%s' % i, None)
+@@ -541,8 +541,8 @@ def gatherTests(regexps=None, opts=None):
+ import difflib, pprint
+ if not hasattr(unittest.TestCase, 'assertDictEqual'):
+ def assertDictEqual(self, d1, d2, msg=None):
+- self.assert_(isinstance(d1, dict), 'First argument is not a dictionary')
+- self.assert_(isinstance(d2, dict), 'Second argument is not a dictionary')
++ self.assertTrue(isinstance(d1, dict), 'First argument is not a dictionary')
++ self.assertTrue(isinstance(d2, dict), 'Second argument is not a dictionary')
+ if d1 != d2:
+ standardMsg = '%r != %r' % (d1, d2)
+ diff = ('\n' + '\n'.join(difflib.ndiff(
+@@ -560,7 +560,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None):
+ # used to recognize having element as nested dict, list or tuple:
+ def _is_nested(v):
+ if isinstance(v, dict):
+- return any(isinstance(v, (dict, list, tuple)) for v in v.itervalues())
++ return any(isinstance(v, (dict, list, tuple)) for v in v.values())
+ return any(isinstance(v, (dict, list, tuple)) for v in v)
+ # level comparison routine:
+ def _assertSortedEqual(a, b, level, nestedOnly, key):
+@@ -573,7 +573,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None):
+ return
+ raise ValueError('%r != %r' % (a, b))
+ if isinstance(a, dict) and isinstance(b, dict): # compare dict's:
+- for k, v1 in a.iteritems():
++ for k, v1 in a.items():
+ v2 = b[k]
+ if isinstance(v1, (dict, list, tuple)) and isinstance(v2, (dict, list, tuple)):
+ _assertSortedEqual(v1, v2, level-1 if level != 0 else 0, nestedOnly, key)
+@@ -608,14 +608,14 @@ if not hasattr(unittest.TestCase, 'assertRaisesRegexp'):
+ self.fail('\"%s\" does not match \"%s\"' % (regexp, e))
+ else:
+ self.fail('%s not raised' % getattr(exccls, '__name__'))
+- unittest.TestCase.assertRaisesRegexp = assertRaisesRegexp
++ unittest.TestCase.assertRaisesRegex = assertRaisesRegexp
+
+ # always custom following methods, because we use atm better version of both (support generators)
+ if True: ## if not hasattr(unittest.TestCase, 'assertIn'):
+ def assertIn(self, a, b, msg=None):
+ bb = b
+ wrap = False
+- if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring):
++ if msg is None and hasattr(b, '__iter__') and not isinstance(b, str):
+ b, bb = itertools.tee(b)
+ wrap = True
+ if a not in b:
+@@ -626,7 +626,7 @@ if True: ## if not hasattr(unittest.TestCase, 'assertIn'):
+ def assertNotIn(self, a, b, msg=None):
+ bb = b
+ wrap = False
+- if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring):
++ if msg is None and hasattr(b, '__iter__') and not isinstance(b, str):
+ b, bb = itertools.tee(b)
+ wrap = True
+ if a in b:
+diff --git a/setup.py b/setup.py
+deleted file mode 100755
+index ce1eedf6..00000000
+--- a/setup.py
++++ /dev/null
+@@ -1,326 +0,0 @@
+-#!/usr/bin/env python
+-# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
+-# vi: set ft=python sts=4 ts=4 sw=4 noet :
+-
+-# This file is part of Fail2Ban.
+-#
+-# Fail2Ban is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; either version 2 of the License, or
+-# (at your option) any later version.
+-#
+-# Fail2Ban is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with Fail2Ban; if not, write to the Free Software
+-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+-
+-__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko"
+-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors"
+-__license__ = "GPL"
+-
+-import platform
+-
+-try:
+- import setuptools
+- from setuptools import setup
+- from setuptools.command.install import install
+- from setuptools.command.install_scripts import install_scripts
+-except ImportError:
+- setuptools = None
+- from distutils.core import setup
+-
+-# all versions
+-from distutils.command.build_py import build_py
+-from distutils.command.build_scripts import build_scripts
+-if setuptools is None:
+- from distutils.command.install import install
+- from distutils.command.install_scripts import install_scripts
+-try:
+- # python 3.x
+- from distutils.command.build_py import build_py_2to3
+- from distutils.command.build_scripts import build_scripts_2to3
+- _2to3 = True
+-except ImportError:
+- # python 2.x
+- _2to3 = False
+-
+-import os
+-from os.path import isfile, join, isdir, realpath
+-import re
+-import sys
+-import warnings
+-from glob import glob
+-
+-from fail2ban.setup import updatePyExec
+-
+-
+-source_dir = os.path.realpath(os.path.dirname(
+- # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
+- sys.argv[0] if os.path.basename(sys.argv[0]) == 'setup.py' else __file__
+-))
+-
+-# Wrapper to install python binding (to current python version):
+-class install_scripts_f2b(install_scripts):
+-
+- def get_outputs(self):
+- outputs = install_scripts.get_outputs(self)
+- # setup.py --dry-run install:
+- dry_run = not outputs
+- self.update_scripts(dry_run)
+- if dry_run:
+- #bindir = self.install_dir
+- bindir = self.build_dir
+- print('creating fail2ban-python binding -> %s (dry-run, real path can be different)' % (bindir,))
+- print('Copying content of %s to %s' % (self.build_dir, self.install_dir));
+- return outputs
+- fn = None
+- for fn in outputs:
+- if os.path.basename(fn) == 'fail2ban-server':
+- break
+- bindir = os.path.dirname(fn)
+- print('creating fail2ban-python binding -> %s' % (bindir,))
+- updatePyExec(bindir)
+- return outputs
+-
+- def update_scripts(self, dry_run=False):
+- buildroot = os.path.dirname(self.build_dir)
+- install_dir = self.install_dir
+- try:
+- # remove root-base from install scripts path:
+- root = self.distribution.command_options['install']['root'][1]
+- if install_dir.startswith(root):
+- install_dir = install_dir[len(root):]
+- except: # pragma: no cover
+- print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".')
+- print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir))
+- with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn:
+- lines = fn.readlines()
+- fn = None
+- if not dry_run:
+- fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w')
+- try:
+- for ln in lines:
+- ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
+- if dry_run:
+- sys.stdout.write(' | ' + ln)
+- continue
+- fn.write(ln)
+- finally:
+- if fn: fn.close()
+- if dry_run:
+- print(' `')
+-
+-
+-# Wrapper to specify fail2ban own options:
+-class install_command_f2b(install):
+- user_options = install.user_options + [
+- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+- ('without-tests', None, 'without tests files installation'),
+- ]
+- def initialize_options(self):
+- self.disable_2to3 = None
+- self.without_tests = None
+- install.initialize_options(self)
+- def finalize_options(self):
+- global _2to3
+- ## in the test cases 2to3 should be already done (fail2ban-2to3):
+- if self.disable_2to3:
+- _2to3 = False
+- if _2to3:
+- cmdclass = self.distribution.cmdclass
+- cmdclass['build_py'] = build_py_2to3
+- cmdclass['build_scripts'] = build_scripts_2to3
+- if self.without_tests:
+- self.distribution.scripts.remove('bin/fail2ban-testcases')
+-
+- self.distribution.packages.remove('fail2ban.tests')
+- self.distribution.packages.remove('fail2ban.tests.action_d')
+-
+- del self.distribution.package_data['fail2ban.tests']
+- install.finalize_options(self)
+- def run(self):
+- install.run(self)
+-
+-
+-# Update fail2ban-python env to current python version (where f2b-modules located/installed)
+-updatePyExec(os.path.join(source_dir, 'bin'))
+-
+-if setuptools and "test" in sys.argv:
+- import logging
+- logSys = logging.getLogger("fail2ban")
+- hdlr = logging.StreamHandler(sys.stdout)
+- fmt = logging.Formatter("%(asctime)-15s %(message)s")
+- hdlr.setFormatter(fmt)
+- logSys.addHandler(hdlr)
+- if set(["-q", "--quiet"]) & set(sys.argv):
+- logSys.setLevel(logging.CRITICAL)
+- warnings.simplefilter("ignore")
+- sys.warnoptions.append("ignore")
+- elif set(["-v", "--verbose"]) & set(sys.argv):
+- logSys.setLevel(logging.DEBUG)
+- else:
+- logSys.setLevel(logging.INFO)
+-elif "test" in sys.argv:
+- print("python distribute required to execute fail2ban tests")
+- print("")
+-
+-longdesc = '''
+-Fail2Ban scans log files like /var/log/pwdfail or
+-/var/log/apache/error_log and bans IP that makes
+-too many password failures. It updates firewall rules
+-to reject the IP address or executes user defined
+-commands.'''
+-
+-if setuptools:
+- setup_extra = {
+- 'test_suite': "fail2ban.tests.utils.gatherTests",
+- 'use_2to3': True,
+- }
+-else:
+- setup_extra = {}
+-
+-data_files_extra = []
+-if os.path.exists('/var/run'):
+- # if we are on the system with /var/run -- we are to use it for having fail2ban/
+- # directory there for socket file etc.
+- # realpath is used to possibly resolve /var/run -> /run symlink
+- data_files_extra += [(realpath('/var/run/fail2ban'), '')]
+-
+-# Installing documentation files only under Linux or other GNU/ systems
+-# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding
+-# installation there (see e.g. #1233)
+-platform_system = platform.system().lower()
+-doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt']
+-if platform_system in ('solaris', 'sunos'):
+- doc_files.append('README.Solaris')
+-if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'):
+- data_files_extra.append(
+- ('/usr/share/doc/fail2ban', doc_files)
+- )
+-
+-# Get version number, avoiding importing fail2ban.
+-# This is due to tests not functioning for python3 as 2to3 takes place later
+-exec(open(join("fail2ban", "version.py")).read())
+-
+-setup(
+- name = "fail2ban",
+- version = version,
+- description = "Ban IPs that make too many password failures",
+- long_description = longdesc,
+- author = "Cyril Jaquier & Fail2Ban Contributors",
+- author_email = "cyril.jaquier@fail2ban.org",
+- url = "http://www.fail2ban.org",
+- license = "GPL",
+- platforms = "Posix",
+- cmdclass = {
+- 'build_py': build_py, 'build_scripts': build_scripts,
+- 'install_scripts': install_scripts_f2b, 'install': install_command_f2b
+- },
+- scripts = [
+- 'bin/fail2ban-client',
+- 'bin/fail2ban-server',
+- 'bin/fail2ban-regex',
+- 'bin/fail2ban-testcases',
+- # 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
+- ],
+- packages = [
+- 'fail2ban',
+- 'fail2ban.client',
+- 'fail2ban.server',
+- 'fail2ban.tests',
+- 'fail2ban.tests.action_d',
+- ],
+- package_data = {
+- 'fail2ban.tests':
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/files')
+- for f in w[2]] +
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/config')
+- for f in w[2]] +
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/action_d')
+- for f in w[2]]
+- },
+- data_files = [
+- ('/etc/fail2ban',
+- glob("config/*.conf")
+- ),
+- ('/etc/fail2ban/filter.d',
+- glob("config/filter.d/*.conf")
+- ),
+- ('/etc/fail2ban/filter.d/ignorecommands',
+- [p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)]
+- ),
+- ('/etc/fail2ban/action.d',
+- glob("config/action.d/*.conf") +
+- glob("config/action.d/*.py")
+- ),
+- ('/etc/fail2ban/fail2ban.d',
+- ''
+- ),
+- ('/etc/fail2ban/jail.d',
+- ''
+- ),
+- ('/var/lib/fail2ban',
+- ''
+- ),
+- ] + data_files_extra,
+- **setup_extra
+-)
+-
+-# Do some checks after installation
+-# Search for obsolete files.
+-obsoleteFiles = []
+-elements = {
+- "/etc/":
+- [
+- "fail2ban.conf"
+- ],
+- "/usr/bin/":
+- [
+- "fail2ban.py"
+- ],
+- "/usr/lib/fail2ban/":
+- [
+- "version.py",
+- "protocol.py"
+- ]
+-}
+-
+-for directory in elements:
+- for f in elements[directory]:
+- path = join(directory, f)
+- if isfile(path):
+- obsoleteFiles.append(path)
+-
+-if obsoleteFiles:
+- print("")
+- print("Obsolete files from previous Fail2Ban versions were found on "
+- "your system.")
+- print("Please delete them:")
+- print("")
+- for f in obsoleteFiles:
+- print("\t" + f)
+- print("")
+-
+-if isdir("/usr/lib/fail2ban"):
+- print("")
+- print("Fail2ban is not installed under /usr/lib anymore. The new "
+- "location is under /usr/share. Please remove the directory "
+- "/usr/lib/fail2ban and everything under this directory.")
+- print("")
+-
+-# Update config file
+-if sys.argv[1] == "install":
+- print("")
+- print("Please do not forget to update your configuration files.")
+- print("They are in \"/etc/fail2ban/\".")
+- print("")
+- print("You can also install systemd service-unit file from \"build/fail2ban.service\"")
+- print("resp. corresponding init script from \"files/*-initd\".")
+- print("")
+--
+2.17.1
+
diff --git a/external/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py b/external/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
index a5d4ed6c..e2319498 100755
--- a/external/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
+++ b/external/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
@@ -1,4 +1,3 @@
-#!/usr/bin/env python
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :
diff --git a/external/meta-security/recipes-security/fail2ban/files/initd b/external/meta-security/recipes-security/fail2ban/files/initd
index 4f4b394c..586b3dac 100644
--- a/external/meta-security/recipes-security/fail2ban/files/initd
+++ b/external/meta-security/recipes-security/fail2ban/files/initd
@@ -39,9 +39,9 @@ start() {
RETVAL=$?
if [ $RETVAL = 0 ]; then
touch ${lockfile}
- echo_success
+ success
else
- echo_failure
+ failure
fi
echo
return $RETVAL
@@ -53,9 +53,9 @@ stop() {
RETVAL=$?
if [ $RETVAL = 0 ]; then
rm -f ${lockfile} ${pidfile}
- echo_success
+ success
else
- echo_failure
+ failure
fi
echo
return $RETVAL
diff --git a/external/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb b/external/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
deleted file mode 100644
index 17a7dd8d..00000000
--- a/external/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
+++ /dev/null
@@ -1,4 +0,0 @@
-inherit setuptools
-require python-fail2ban.inc
-
-RDEPENDS_${PN}-ptest = "python python-modules python-fail2ban"
diff --git a/external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb b/external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb
deleted file mode 100644
index 5c887e85..00000000
--- a/external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb
+++ /dev/null
@@ -1,4 +0,0 @@
-inherit setuptools3
-require python-fail2ban.inc
-
-RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
diff --git a/external/meta-security/recipes-security/fail2ban/python-fail2ban.inc b/external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
index 9245f17b..e737f502 100644
--- a/external/meta-security/recipes-security/fail2ban/python-fail2ban.inc
+++ b/external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
@@ -9,41 +9,43 @@ HOMEPAGE = "http://www.fail2ban.org"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
-SRCREV ="ac0d441fd68852ffda7b15c71f16b7f4fde1a7ee"
-SRC_URI = " \
- git://github.com/fail2ban/fail2ban.git;branch=0.11 \
- file://initd \
+SRCREV ="3befbb177017957869425c81a560edb8e27db75a"
+SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11 \
+ file://initd \
file://fail2ban_setup.py \
file://run-ptest \
+ file://0001-python3-fail2ban-2-3-conversion.patch \
"
-inherit update-rc.d ptest
+inherit update-rc.d ptest setuptools3
S = "${WORKDIR}/git"
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "fail2ban-server"
-INITSCRIPT_PARAMS = "defaults 25"
-
do_compile_prepend () {
cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
}
do_install_append () {
- install -d ${D}/${sysconfdir}/fail2ban
- install -d ${D}/${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
- chown -R root:root ${D}/${bindir}
+ install -d ${D}/${sysconfdir}/fail2ban
+ install -d ${D}/${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
+ chown -R root:root ${D}/${bindir}
}
do_install_ptest_append () {
- install -d ${D}${PTEST_PATH}
- sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
- install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
+ install -d ${D}${PTEST_PATH}
+ sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
+ install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
}
FILES_${PN} += "/run"
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "fail2ban-server"
+INITSCRIPT_PARAMS = "defaults 25"
+
INSANE_SKIP_${PN}_append = "already-stripped"
-RDEPENDS_${PN} = "sysklogd iptables sqlite3 ${PYTHON_PN} ${PYTHON_PN}-pyinotify"
+RDEPENDS_${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify"
+RDEPENDS_${PN} += " python3-logging python3-fcntl python3-json"
+RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
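Review bot: The new SRC_URI line (`+SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11 \`) fetches over the plain `git://` transport, which is neither authenticated nor served by GitHub any more, so the fetch is likely to fail on a current host and, where a mirror still answers, the transport offers no origin authentication; `SRC_URI = " git://github.com/fail2ban/fail2ban.git;protocol=https;branch=0.11 \` keeps the pinned SRCREV doing the content-integrity work while the transport is authenticated. The SRC_URI in the google-authenticator-libpam recipe in the next file section has the same form (there on an unchanged line, and with no `branch=` at all). The recipe is now named `python3-fail2ban_0.10.4.0.bb` but still tracks `branch=0.11`; a one-line comment above SRCREV naming the upstream tag it corresponds to would spare the next version bump a guess.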
diff --git a/external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.05.bb b/external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
index 73b802fb..f9ca0926 100644
--- a/external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.05.bb
+++ b/external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
@@ -4,17 +4,20 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
LICENSE = "Apache-2.0"
SRC_URI = "git://github.com/google/google-authenticator-libpam.git"
-SRCREV = "7365ed10d54393fb4c100cac063ae8edb744eac6"
+SRCREV = "2c7415d950fb0b4a7f779f045910666447b100ef"
DEPENDS = "libpam"
S = "${WORKDIR}/git"
-inherit autotools distro_features_check
+inherit autotools features_check
REQUIRED_DISTRO_FEATURES = "pam"
+# Use the same dir location as PAM
+EXTRA_OECONF = "--libdir=${base_libdir}"
+
PACKAGES += "pam-google-authenticator"
-FILES_pam-google-authenticator = "${libdir}/security/pam_google_authenticator.so"
+FILES_pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so"
RDEPNEDS_pam-google-authenticator = "libpam"
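Review bot: `RDEPNEDS_pam-google-authenticator = "libpam"` on the last line of the hunk is a misspelled variable name, so the `pam-google-authenticator` package never records its runtime dependency on libpam; the line predates this commit, but the commit edits the FILES_ line directly above it, so it is worth correcting here as `RDEPENDS_pam-google-authenticator = "libpam"`. The SRC_URI on the context line near the top has no `branch=` parameter and uses the unauthenticated `git://` transport, which GitHub has dropped; `SRC_URI = "git://github.com/google/google-authenticator-libpam.git;protocol=https;branch=master"` would be the current form (confirm the branch name against upstream). The new `EXTRA_OECONF = "--libdir=${base_libdir}"` and the matching FILES_ change look consistent with each other.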
diff --git a/external/meta-security/recipes-security/images/security-client-image.bb b/external/meta-security/recipes-security/images/security-client-image.bb
index 1a924797..f4ebc697 100644
--- a/external/meta-security/recipes-security/images/security-client-image.bb
+++ b/external/meta-security/recipes-security/images/security-client-image.bb
@@ -5,8 +5,7 @@ IMAGE_INSTALL = "\
packagegroup-core-boot \
os-release \
samhain-client \
- ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} \
- ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}"
+ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
IMAGE_LINGUAS ?= " "
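Review bot: Dropping `${CORE_IMAGE_EXTRA_INSTALL}` from the new IMAGE_INSTALL value silently changes behaviour: if this image inherits core-image (the inherit line is outside the hunk), a `CORE_IMAGE_EXTRA_INSTALL` set in local.conf used to be honoured here and now is not, because the recipe's `IMAGE_INSTALL =` replaces the class default rather than extending it. Removing `${ROOTFS_PKGMANAGE_BOOTSTRAP}` is right since that variable no longer exists in oe-core, but the extra-install hook should presumably stay, e.g. `${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} \` followed by `${CORE_IMAGE_EXTRA_INSTALL}"`. The same change is made to security-server-image.bb in the next file section.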
diff --git a/external/meta-security/recipes-security/images/security-server-image.bb b/external/meta-security/recipes-security/images/security-server-image.bb
index 502b5c14..4927e0ee 100644
--- a/external/meta-security/recipes-security/images/security-server-image.bb
+++ b/external/meta-security/recipes-security/images/security-server-image.bb
@@ -6,8 +6,7 @@ IMAGE_INSTALL = "\
packagegroup-base \
packagegroup-core-boot \
samhain-server \
- os-release \
- ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}"
+ os-release "
IMAGE_LINGUAS ?= " "
diff --git a/external/meta-security/recipes-security/images/security-test-image.bb b/external/meta-security/recipes-security/images/security-test-image.bb
new file mode 100644
index 00000000..c71d7267
--- /dev/null
+++ b/external/meta-security/recipes-security/images/security-test-image.bb
@@ -0,0 +1,33 @@
+DESCRIPTION = "A small image for testing meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
+
+INSTALL_CLAMAV_CVD = "1"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-core-security-ptest \
+ clamav \
+ tripwire \
+ checksec \
+ suricata \
+ samhain-standalone \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+ os-release \
+ "
+
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-test-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
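Review bot: TEST_SUITES hard-codes `apparmor`, `smack` and `sssd` while the matching packages are only installed when DISTRO_FEATURES carries the feature, so on a distro without them the suite list and the image disagree; unless those oeqa cases skip themselves on a missing package (the runtime cases added in this commit may do so — worth confirming), gate the suite names the same way as the IMAGE_INSTALL entries, e.g. `${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "", d)}`. `IMAGE_ROOTFS_EXTRA_SPACE = "5242880"` deserves a comment such as `# 5 GiB of extra rootfs space (value is in KiB) for test data and ptest output`, since neither the unit nor the reason is obvious. `export IMAGE_BASENAME` also pushes the variable into every shell task's environment, which nothing here appears to need; a plain assignment is enough.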
diff --git a/external/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch b/external/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch
deleted file mode 100644
index acd91c01..00000000
--- a/external/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-fix keyutils test error report
-
-Upstream-Status: Pending
-
-"Permission denied" may be the reason of EKEYEXPIRED and EKEYREVOKED.
-"Required key not available" may be the reason of EKEYREVOKED.
-EXPIRED and REVOKED are 2 status of kernel security keys features.
-But the userspace keyutils lib will output the error message, which may
-have several reasons.
-
-Signed-off-by: Han Chao <chan@windriver.com>
-
-diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh
-index bbca00a..739e9d0 100644
---- a/tests/toolbox.inc.sh
-+++ b/tests/toolbox.inc.sh
-@@ -227,11 +227,12 @@ function expect_error ()
- ;;
- EKEYEXPIRED)
- my_err="Key has expired"
-- alt_err="Unknown error 127"
-+ alt_err="Permission denied"
- ;;
- EKEYREVOKED)
- my_err="Key has been revoked"
-- alt_err="Unknown error 128"
-+ alt_err="Permission denied"
-+ alt2_err="Required key not available"
- ;;
- EKEYREJECTED)
- my_err="Key has been rejected"
-@@ -249,6 +250,9 @@ function expect_error ()
- elif [ "x$alt_err" != "x" ] && expr "$my_errmsg" : ".*: $alt_err" >&/dev/null
- then
- :
-+ elif [ "x$alt2_err" != "x" ] && expr "$my_errmsg" : ".*: $alt2_err" >&/dev/null
-+ then
-+ :
- elif [ "x$old_err" != "x" ] && expr "$my_errmsg" : ".*: $old_err" >&/dev/null
- then
- :
-
diff --git a/external/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch b/external/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch
deleted file mode 100644
index a4ffd50c..00000000
--- a/external/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 49b6321368e4bd3cd233d045cd09004ddd7968b2 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Mon, 15 May 2017 14:52:00 +0800
-Subject: [PATCH] keyutils: fix output format
-
-keyutils ptest output format is incorrect, according to yocto
-Development Manual
-(http://www.yoctoproject.org/docs/latest/dev-manual/dev-manual.html#testing-packages-with-ptest)
-5.10.6. Testing Packages With ptestThe test generates output in the format used by Automake:
-<result>: <testname>
-where the result can be PASS, FAIL, or SKIP, and the testname can be any
-identifying string.
-So we should change the test result format to match yocto ptest rules.
-
-Upstream-Status: Inappropriate [OE ptest specific]
-
-Signed-off-by: Li Wang <li.wang@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- tests/runtest.sh | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/tests/runtest.sh b/tests/runtest.sh
-index b6eaa7c..84263fb 100644
---- a/tests/runtest.sh
-+++ b/tests/runtest.sh
-@@ -21,6 +21,11 @@ for i in ${TESTS}; do
- echo "### RUNNING TEST $i"
- if [[ $AUTOMATED != 0 ]] ; then
- bash ./runtest.sh
-+ if [ $? != 0 ]; then
-+ echo "FAIL: $i"
-+ else
-+ echo "PASS: $i"
-+ fi
- else
- bash ./runtest.sh || exit 1
- fi
---
-2.11.0
-
diff --git a/external/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch b/external/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch
deleted file mode 100644
index dde1af44..00000000
--- a/external/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Subject: [PATCH] keyutils: use relative path for link
-
-The absolute path of the symlink will be invalid
-when populated in sysroot, so use relative path instead.
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 824bbbf..8ce3a13 100644
---- a/Makefile
-+++ b/Makefile
-@@ -167,7 +167,7 @@ ifeq ($(NO_SOLIB),0)
- $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
- $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
- mkdir -p $(DESTDIR)$(USRLIBDIR)
-- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
-+ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
- endif
- $(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl
- $(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key
---
-2.11.0
-
diff --git a/external/meta-security/recipes-security/keyutils/files/run-ptest b/external/meta-security/recipes-security/keyutils/files/run-ptest
deleted file mode 100755
index 305707f6..00000000
--- a/external/meta-security/recipes-security/keyutils/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-export AUTOMATED=1
-make -C tests run
diff --git a/external/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb b/external/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb
deleted file mode 100644
index a4222b9e..00000000
--- a/external/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb
+++ /dev/null
@@ -1,47 +0,0 @@
-SUMMARY = "Linux Key Management Utilities"
-DESCRIPTION = "\
- Utilities to control the kernel key management facility and to provide \
- a mechanism by which the kernel call back to userspace to get a key \
- instantiated. \
- "
-HOMEPAGE = "http://people.redhat.com/dhowells/keyutils"
-SECTION = "base"
-
-LICENSE = "LGPLv2.1+ & GPLv2.0+"
-
-LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \
- file://LICENCE.LGPL;md5=7d1cacaa3ea752b72ea5e525df54a21f"
-
-
-inherit siteinfo ptest
-
-SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \
- file://keyutils-use-relative-path-for-link.patch \
- file://keyutils-test-fix-output-format.patch \
- file://keyutils-fix-error-report-by-adding-default-message.patch \
- file://run-ptest \
- "
-
-SRC_URI[md5sum] = "3771676319bc7b84b1549b5c63ff5243"
-SRC_URI[sha256sum] = "115c3deae7f181778fd0e0ffaa2dad1bf1fe2f5677cf2e0e348cdb7a1c93afb6"
-
-EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \
- NO_ARLIB=1 \
- BINDIR=${base_bindir} \
- SBINDIR=${base_sbindir} \
- LIBDIR=${base_libdir} \
- USRLIBDIR=${base_libdir} \
- BUILDFOR=${SITEINFO_BITS}-bit \
- NO_GLIBC_KEYERR=1 \
- "
-
-do_install () {
- oe_runmake DESTDIR=${D} install
-}
-
-do_install_ptest () {
- cp -r ${S}/tests ${D}${PTEST_PATH}/
- sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh
-}
-
-RDEPENDS_${PN}-ptest += "glibc-utils"
diff --git a/external/meta-security/recipes-security/libmspack/libmspack_0.5.bb b/external/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
index 80db23ce..8c288bee 100644
--- a/external/meta-security/recipes-security/libmspack/libmspack_0.5.bb
+++ b/external/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
@@ -6,11 +6,11 @@ DEPENDS = ""
LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd"
-SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.gz\
-"
-SRC_URI[md5sum] = "3aa3f6b9ef101463270c085478fda1da"
-SRC_URI[sha256sum] = "8967f275525f5067b364cee43b73e44d0433668c39f9376dfff19f653d1c8110"
+SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc"
+SRC_URI = "git://github.com/kyz/libmspack.git"
inherit autotools
-S = "${WORKDIR}/${BP}alpha"
+S = "${WORKDIR}/git/${BPN}"
+
+inherit autotools
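Review bot: `inherit autotools` now appears twice in this recipe, once on the unchanged line above `S` and again on the added last line; drop the added one. The new `SRC_URI = "git://github.com/kyz/libmspack.git"` fetches over the unauthenticated git:// transport; the pinned full SRCREV still fixes the checked-out content, but the fetch should use `SRC_URI = "git://github.com/kyz/libmspack.git;protocol=https;branch=master"` (branch name to match the repository's default, which newer bitbake requires explicitly). The same bare git:// URL is introduced for ncrack and nikto_2.1.6 below. Moving from a tarball to a git checkout also severs the PV/SRCREV relation; `PV = "1.9.1+git${SRCPV}"` would make later SRCREV bumps show up as a package version change.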
diff --git a/external/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb b/external/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
index 9c66db68..9ca41e65 100644
--- a/external/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb
+++ b/external/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
@@ -4,9 +4,9 @@ SECTION = "security"
LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-SRCREV = "74b190e1aa05f07da0c61fb9a30dbc9c18ce2c9d"
+SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427"
-SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.3 \
+SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
file://run-ptest \
"
@@ -17,6 +17,8 @@ inherit autotools-brokensep pkgconfig ptest
PACKAGECONFIG ??= ""
PACKAGECONFIG[python] = "--enable-python, --disable-python, python"
+DISABLE_STATIC = ""
+
do_compile_ptest() {
oe_runmake -C tests check-build
}
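Review bot: The added `DISABLE_STATIC = ""` re-enables the static library without saying why, which invites a well-meant revert. A one-line comment above it would fix that, e.g. `# Keep the static library: the ptest binaries built by 'make -C tests' presumably link against it` — adjust the wording if the actual reason is different.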
diff --git a/external/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/external/meta-security/recipes-security/ncrack/ncrack_0.7.bb
new file mode 100644
index 00000000..ba269657
--- /dev/null
+++ b/external/meta-security/recipes-security/ncrack/ncrack_0.7.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Network authentication cracking tool"
+DESCRIPTION = "Ncrack is designed for high-speed parallel testing of network devices for poor passwords."
+HOMEPAGE = "https://nmap.org/ncrack"
+SECTION = "security"
+
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2"
+
+SRCREV = "dc570e7e3cec1fb176c0168eaedc723084bd0426"
+SRC_URI = "git://github.com/nmap/ncrack.git"
+
+DEPENDS = "openssl zlib"
+
+inherit autotools-brokensep
+
+S = "${WORKDIR}/git"
+
+INSANE_SKIP_${PN} = "already-stripped"
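Review bot: `INSANE_SKIP_${PN} = "already-stripped"` silences the QA error instead of fixing its cause: the upstream install step strips the binary itself, which also leaves `${PN}-dbg` without symbols. The usual fix is to neutralise the strip in the upstream build (override the strip program through EXTRA_OEMAKE or a small patch, once the variable the ncrack Makefile honours is confirmed) and let the package class strip into the dbg package. As noted on libmspack above, the `git://` SRC_URI should carry `;protocol=https` and a `;branch=`. `LICENSE = "GPL-2.0"` also spells the licence differently from the layer's other recipes (nikto_2.1.6.bb below uses `GPLv2`); pick one form.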
diff --git a/external/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch b/external/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch
deleted file mode 100644
index 5ddb1692..00000000
--- a/external/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
-From: sullo <sullo@cirt.net>
-Date: Thu, 31 May 2018 23:30:03 -0400
-Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
- Server string & CSV output is opened in Excel or other spreadsheet app.
- Potentially malicious cell start characters are now prefaced with a ' mark.
- Thanks to Adam (@bytesoverbombs) for letting me know!
-
-Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
-
-CVE: CVE-2018-11652
-Upstream-Status: Backport
-Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
----
- plugins/nikto_outdated.plugin | 2 +-
- plugins/nikto_report_csv.plugin | 42 +++++++++++++++++++++++++++++------------
- 2 files changed, 31 insertions(+), 13 deletions(-)
-
-diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin
-index 72379cc..eb1d889 100644
---- a/plugins/nikto_outdated.plugin
-+++ b/plugins/nikto_outdated.plugin
-@@ -83,7 +83,7 @@ sub nikto_outdated {
- $sepr = substr($sepr, (length($sepr) - 1), 1);
-
- # break up ID string on $sepr
-- my @T = split(/$sepr/, $mark->{'banner'});
-+ my @T = split(/\\$sepr/, $mark->{'banner'});
-
- # assume last is version...
- for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
-diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin
-index d13acab..b942e78 100644
---- a/plugins/nikto_report_csv.plugin
-+++ b/plugins/nikto_report_csv.plugin
-@@ -52,10 +52,12 @@ sub csv_open {
- sub csv_host_start {
- my ($handle, $mark) = @_;
- $mark->{'banner'} =~ s/"/\\"/g;
-- print OUT "\"$mark->{'hostname'}\","
-- . "\"$mark->{'ip'}\","
-- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
-- . "\"$mark->{'banner'}\"\n";
-+ print $handle "\"" . csv_safecell($hostname) . "\","
-+ . "\"" . csv_safecell($mark->{'ip'}) . "\","
-+ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
-+ #. "\"" . $mark->{'banner'} . "\"\n";
-+ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
-+
- return;
- }
-
-@@ -65,26 +67,42 @@ sub csv_item {
- my ($handle, $mark, $item) = @_;
- foreach my $uri (split(' ', $item->{'uri'})) {
- my $line = '';
-- $line .= "\"$item->{'mark'}->{'hostname'}\",";
-- $line .= "\"$item->{'mark'}->{'ip'}\",";
-- $line .= "\"$item->{'mark'}->{'port'}\",";
-+ $line .= "\"" . csv_safecell($hostname) . "\",";
-+ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
-+ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
-
- $line .= "\"";
- if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
- $line .= "\",";
-
- $line .= "\"";
-- if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
-+ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
- $line .= "\",";
-
- $line .= "\"";
-- if ($uri ne '') { $line .= $mark->{'root'} . $uri; }
-+ { $line .= csv_safecell($mark->{'root'}) . $uri; }
-+ else { $line .= csv_safecell($ur
- $line .= "\",";
-
-- $item->{'message'} =~ s/"/\\"/g;
-- $line .= "\"$item->{'message'}\"";
-- print $handle "$line\n";
-+ my $msg = $item->{'message'};
-+ $uri=quotemeta($uri);
-+ my $root = quotemeta($mark->{'root'});
-+ $msg =~ s/^$uri:\s//;
-+ $msg =~ s/^$root$uri:\s//;
-+ $msg =~ s/"/\\"/g;
-+ $line .= "\"" . csv_safecell($msg) ."\"";
-+ print $handle "$line\n";
-+
- }
- }
-
-+###############################################################################
-+# prevent CSV injection attacks
-+sub csv_safecell {
-+ my $celldata = $_[0] || return;
-+ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
-+ return $celldata;
-+}
-+
-+
- 1;
---
-2.6.4
-
diff --git a/external/meta-security/recipes-security/nikto/files/location.patch b/external/meta-security/recipes-security/nikto/files/location.patch
index a95b0629..edaa2047 100644
--- a/external/meta-security/recipes-security/nikto/files/location.patch
+++ b/external/meta-security/recipes-security/nikto/files/location.patch
@@ -1,36 +1,36 @@
-From e10b9b1f6704057ace39956ae1dc5c7caca07ff1 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Mon, 8 Jul 2013 11:53:54 +0300
-Subject: [PATCH] Setting the location of nikto on the image
+From d1cb702d5147abea0d3208a4d554c61a6f2decd6 Mon Sep 17 00:00:00 2001
+From: Scott Ellis <scott@jumpnowtek.com>
+Date: Fri, 28 Dec 2018 11:08:25 -0500
+Subject: [PATCH] Set custom paths
-Upstream Status: Inapropriate
+Upstream Status: Inappropriate
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+Signed-off-by: Scott Ellis <scott@jumpnowtek.com>
---
- nikto.conf | 10 +++++-----
+ nikto.conf | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
-diff --git a/nikto.conf b/nikto.conf
-index 25b784d..9577033 100644
+diff --git a/program/nikto.conf b/program/nikto.conf
+index bf36c58..8c55415 100644
--- a/nikto.conf
+++ b/nikto.conf
-@@ -61,11 +61,11 @@ CIRT=174.142.17.165
+@@ -61,11 +61,11 @@ CIRT=107.170.99.251
CHECKMETHODS=HEAD GET
# If you want to specify the location of any of the files, specify them here
-# EXECDIR=/opt/nikto # Location of Nikto
-# PLUGINDIR=/opt/nikto/plugins # Location of plugin dir
--# DBDIR=/opt/nikto/databases # Location of plugin dir
--# TEMPLATEDIR=/opt/nikto/templates # Location of tempmlate dir
+-# DBDIR=/opt/nikto/databases # Location of database dir
+-# TEMPLATEDIR=/opt/nikto/templates # Location of template dir
-# DOCDIR=/opt/nikto/docs # Location of docs dir
+EXECDIR=/usr/bin/nikto # Location of Nikto
+PLUGINDIR=/etc/nikto/plugins # Location of plugin dir
-+DBDIR=/etc/nikto/databases # Location of plugin dir
-+TEMPLATEDIR=/etc/nikto/templates # Location of tempmlate dir
++DBDIR=/etc/nikto/databases # Location of database dir
++TEMPLATEDIR=/etc/nikto/templates # Location of template dir
+DOCDIR=/usr/share/doc/nikto # Location of docs dir
# Default plugin macros
- @@MUTATE=dictionary;subdomain
+ # Remove plugins designed to be run standalone
--
-1.7.9.5
+2.7.4
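Review bot: The embedded header now reads `diff --git a/program/nikto.conf b/program/nikto.conf` while the unchanged `--- a/nikto.conf` / `+++ b/nikto.conf` lines beneath it still name the file without the `program/` prefix. GNU patch, which bitbake applies by default, takes the path from the `---`/`+++` lines, so the patch still applies from `S = ${WORKDIR}/git/program`; `git apply`, however, rejects a header whose filenames disagree. Since S already points into program/, the simplest fix is to drop `program/` from the `diff --git` line so all three lines agree at `-p1`.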
diff --git a/external/meta-security/recipes-security/nikto/nikto_2.1.5.bb b/external/meta-security/recipes-security/nikto/nikto_2.1.5.bb
deleted file mode 100644
index 19eb14f3..00000000
--- a/external/meta-security/recipes-security/nikto/nikto_2.1.5.bb
+++ /dev/null
@@ -1,108 +0,0 @@
-SUMMARY = "web server scanner"
-DESCRIPTION = "Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous \
- files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers."
-SECTION = "security"
-LICENSE = "GPLv2"
-
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-
-SRC_URI = "http://cirt.net/nikto/${BP}.tar.gz \
- file://location.patch \
- file://CVE-2018-11652.patch"
-
-SRC_URI[md5sum] = "efcc98a918becb77471ee9a5df0a7b1e"
-SRC_URI[sha256sum] = "0e672a6a46bf2abde419a0e8ea846696d7f32e99ad18a6b405736ee6af07509f"
-
-do_install() {
- install -d ${D}${bindir}
- install -d ${D}${datadir}
- install -d ${D}${datadir}/man/man1
- install -d ${D}${datadir}/doc/nikto
- install -d ${D}${sysconfdir}/nikto
- install -d ${D}${sysconfdir}/nikto/databases
- install -d ${D}${sysconfdir}/nikto/plugins
- install -d ${D}${sysconfdir}/nikto/templates
-
- install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_subdomains ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases
-
- install -m 0644 plugins/JSON-PP.pm ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_msf.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_subdomain.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins
-
- install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates
-
- install -m 0644 nikto.conf ${D}${sysconfdir}
-
- install -m 0755 nikto.pl ${D}${bindir}/nikto
- install -m 0644 replay.pl ${D}${bindir}
- install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1
-
- install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto
- install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto
- install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto
- install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto
-}
-
-RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
- perl-module-getopt-long perl-module-time-local \
- perl-module-io-socket perl-module-overloading \
- perl-module-base perl-module-b perl-module-bytes \
- nikto-doc"
diff --git a/external/meta-security/recipes-security/nikto/nikto_2.1.6.bb b/external/meta-security/recipes-security/nikto/nikto_2.1.6.bb
new file mode 100644
index 00000000..2d2c46ca
--- /dev/null
+++ b/external/meta-security/recipes-security/nikto/nikto_2.1.6.bb
@@ -0,0 +1,118 @@
+SUMMARY = "web server scanner"
+DESCRIPTION = "Nikto is an Open Source web server scanner which performs comprehensive tests against web servers"
+SECTION = "security"
+HOMEPAGE = "https://cirt.net/Nikto2"
+
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
+SRC_URI = "git://github.com/sullo/nikto.git \
+ file://location.patch"
+
+S = "${WORKDIR}/git/program"
+
+do_install() {
+ install -d ${D}${bindir}
+ install -d ${D}${datadir}
+ install -d ${D}${datadir}/man/man1
+ install -d ${D}${datadir}/doc/nikto
+ install -d ${D}${sysconfdir}/nikto
+ install -d ${D}${sysconfdir}/nikto/databases
+ install -d ${D}${sysconfdir}/nikto/plugins
+ install -d ${D}${sysconfdir}/nikto/templates
+
+ install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_dir_traversal ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_domino ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_drupal ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases
+
+ install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_dir_traversal.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_dishwasher.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_docker_registry.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_domino.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_drupal.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_ms10_070.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_negotiate.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_origin_reflection.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_json.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_sqlg.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_sitefiles.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_strutshock.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins
+
+ install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates
+
+ install -m 0644 nikto.conf ${D}${sysconfdir}
+
+ install -m 0755 nikto.pl ${D}${bindir}/nikto
+ install -m 0644 replay.pl ${D}${bindir}
+ install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1
+
+ install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto
+ install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto
+ install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto
+ install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto
+}
+
+RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
+ perl-module-getopt-long perl-module-time-local \
+ perl-module-io-socket perl-module-overloading \
+ perl-module-base perl-module-b perl-module-bytes"
+
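Review bot: `install -m 0644 replay.pl ${D}${bindir}` installs a script into bindir without the execute bit; use `install -m 0755 replay.pl ${D}${bindir}`, matching nikto.pl. `templates/htm_start.tmpl` is installed twice (after htm_host_item.tmpl and again after htm_stop.tmpl); drop the duplicate. The man page goes to `${D}${datadir}/man/man1` rather than `${D}${mandir}/man1`, so a distro that relocates mandir loses it. The newly installed nikto_report_json.plugin presumably needs JSON::PP at runtime, and the bundled JSON-PP.pm the old recipe shipped is no longer installed, so `perl-module-json-pp` likely belongs in RDEPENDS_${PN} — check the plugin's `use` line. The dropped CVE-2018-11652 backport is presumably contained in the pinned SRCREV; saying so in the commit message would make the removal auditable.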
diff --git a/external/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/external/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
new file mode 100644
index 00000000..83a9ed83
--- /dev/null
+++ b/external/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
@@ -0,0 +1,28 @@
+DESCRIPTION = "Security ptest packagegroup"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit features_check
+
+REQUIRED_DISTRO_FEATURES = "ptest"
+
+PACKAGES = "\
+ ${PN} \
+ "
+
+ALLOW_EMPTY_${PN} = "1"
+
+SUMMARY_${PN} = "Security packages with ptests"
+RDEPENDS_${PN} = " \
+ ptest-runner \
+ samhain-standalone-ptest \
+ keyutils-ptest \
+ libseccomp-ptest \
+ python3-scapy-ptest \
+ suricata-ptest \
+ tripwire-ptest \
+ python-fail2ban-ptest \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+ "
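Review bot: The recipe hand-rolls what `inherit packagegroup` already provides (`PACKAGES`, `ALLOW_EMPTY_${PN}`, the MIT default licence handling and `PACKAGE_ARCH = "all"`); replacing those lines with `inherit packagegroup` is the usual form and avoids an architecture-specific empty package. `python-fail2ban-ptest` replaces the `python3-fail2ban-ptest` entry of the group deleted from packagegroup-core-security.bb below, while scapy moves the other way (`python-scapy` to `python3-scapy`); if the fail2ban recipe in this layer is the python3 one, this name will not resolve at rootfs time — please confirm. `keyutils-ptest` here, and `keyutils` in packagegroup-core-security.bb below, are still listed although this commit deletes keyutils_1.5.10.bb; if another layer now provides keyutils, that dependency belongs in layer.conf's LAYERDEPENDS or at least in the commit message.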
diff --git a/external/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/external/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
index e847847b..e0a9d053 100644
--- a/external/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/external/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -11,8 +11,6 @@ PACKAGES = "\
packagegroup-security-scanners \
packagegroup-security-ids \
packagegroup-security-mac \
- ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \
"
RDEPENDS_packagegroup-core-security = "\
@@ -20,8 +18,6 @@ RDEPENDS_packagegroup-core-security = "\
packagegroup-security-scanners \
packagegroup-security-ids \
packagegroup-security-mac \
- ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \
"
SUMMARY_packagegroup-security-utils = "Security utilities"
@@ -29,11 +25,11 @@ RDEPENDS_packagegroup-security-utils = "\
checksec \
nmap \
pinentry \
- python-scapy \
+ python3-scapy \
ding-libs \
- xmlsec1 \
keyutils \
libseccomp \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
"
@@ -42,6 +38,8 @@ RDEPENDS_packagegroup-security-scanners = "\
nikto \
checksecurity \
clamav \
+ clamav-freshclam \
+ clamav-cvd \
"
SUMMARY_packagegroup-security-audit = "Security Audit tools "
@@ -68,18 +66,3 @@ RDEPENDS_packagegroup-security-mac = " \
${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
"
-
-SUMMARY_packagegroup-security-ptest = "Security packages with ptests"
-RDEPENDS_packagegroup-security-ptest = " \
- samhain-standalone-ptest \
- xmlsec1-ptest \
- keyutils-ptest \
- libseccomp-ptest \
- python-scapy-ptest \
- suricata-ptest \
- tripwire-ptest \
- python3-fail2ban-ptest \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
- ptest-runner \
- "
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch b/external/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch
deleted file mode 100644
index 7f80a5c6..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Fri, 15 Jan 2016 00:48:58 -0500
-Subject: [PATCH] Enable obfuscating binaries natively.
-
-Enable obfuscating binaries natively.
-
-The samhain build process involves an obfuscation step that attempts to
-defeat decompilation or other binary analysis techniques which might reveal
-secret information that should be known only to the system administrator.
-The obfuscation step builds several applications which run on the build host
-and then generate target code, which is then built into target binaries.
-
-This patch creates a basic infrastructure that supports building the
-obfuscation binaries natively then cross-compiling the target code by adding
-a special configure option. In the absence of this option the old behaviour
-is preserved.
-
-Upstream-Status: Inappropriate [cross compile specific]
-
-Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- Makefile.in | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/Makefile.in b/Makefile.in
-index 684e92b..fb090e2 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -54,7 +54,7 @@ selectconfig = @selectconfig@
- top_builddir = .
-
- INSTALL = @INSTALL@
--INSTALL_PROGRAM = @INSTALL@ -s -m 700
-+INSTALL_PROGRAM = @INSTALL@ -m 700
- INSTALL_SHELL = @INSTALL@ -m 700
- INSTALL_DATA = @INSTALL@ -m 600
- INSTALL_MAN = @INSTALL@ -m 644
-@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip
- echo " $(INSTALL_PROGRAM) $$p $$target"; \
- $(INSTALL_PROGRAM) $$p $$target; \
- chmod 0700 $$target; \
-- echo " ./sstrip $$target"; \
-- ./sstrip $$target; \
- else \
- echo " $(INSTALL_SHELL) $$p $$target"; \
- $(INSTALL_SHELL) $$p $$target; \
---
-1.9.1
-
diff --git a/external/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb b/external/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb
deleted file mode 100644
index 9341d444..00000000
--- a/external/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb
+++ /dev/null
@@ -1,20 +0,0 @@
-INITSCRIPT_PARAMS = "defaults 14 86"
-
-require samhain.inc
-
-DEPENDS = "gmp"
-
-SRC_URI += "file://samhain-server-volatiles"
-
-TARGET_CC_ARCH += "${LDFLAGS}"
-
-do_install_append() {
- install -d ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/samhain-server-volatiles \
- ${D}${sysconfdir}/default/volatiles/samhain-server
-
- install -m 700 samhain-install.sh init/samhain.startLinux \
- init/samhain.startLSB ${D}/var/lib/samhain
-}
-
-RDEPENDS_${PN} += "gmp bash perl"
diff --git a/external/meta-security/recipes-security/scapy/files/run-ptest b/external/meta-security/recipes-security/scapy/files/run-ptest
index 91b29f90..797d8ecf 100755..100644
--- a/external/meta-security/recipes-security/scapy/files/run-ptest
+++ b/external/meta-security/recipes-security/scapy/files/run-ptest
@@ -1,4 +1,4 @@
#!/bin/sh
-UTscapy -t regression.uts -f text -l -C \
+UTscapy3 -t regression.uts -f text -l -C \
-o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \
2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/'
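Review bot: The file mode goes from 100755 to 100644 in the same change that renames the interpreter to UTscapy3, which looks accidental for a script that ptest-runner executes. It is harmless only because the recipe presumably copies it with install(1), whose default mode is 0755; keeping the executable bit in the tree avoids depending on that. The rest of the hunk (logging under @PTEST_PATH@ and mapping `passed None`/`failed None` to PASS:/FAIL:) is unchanged.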
diff --git a/external/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb b/external/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb
deleted file mode 100644
index 98db1fd6..00000000
--- a/external/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb
+++ /dev/null
@@ -1,6 +0,0 @@
-inherit setuptools
-require python-scapy.inc
-
-SRC_URI += "file://run-ptest"
-
-RDEPENDS_${PN} += "${PYTHON_PN}-subprocess"
diff --git a/external/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb b/external/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb
deleted file mode 100644
index 93ca7be8..00000000
--- a/external/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb
+++ /dev/null
@@ -1,4 +0,0 @@
-inherit setuptools3
-require python-scapy.inc
-
-SRC_URI += "file://run-ptest"
diff --git a/external/meta-security/recipes-security/scapy/python-scapy.inc b/external/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb
index 5abe7db7..925f188c 100644
--- a/external/meta-security/recipes-security/scapy/python-scapy.inc
+++ b/external/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb
@@ -3,18 +3,28 @@ DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It i
SECTION = "security"
LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI[md5sum] = "d7d3c4294f5a718e234775d38dbeb7ec"
-SRC_URI[sha256sum] = "452f714f5c2eac6fd0a6146b1dbddfc24dd5f4103f3ed76227995a488cfb2b73"
+S = "${WORKDIR}/git"
-inherit pypi ptest
+SRCREV = "3047580162a9407ef05fe981983cacfa698f1159"
+SRC_URI = "git://github.com/secdev/scapy.git \
+ file://run-ptest"
+
+S = "${WORKDIR}/git"
+
+inherit setuptools3 ptest
+
+do_install_append() {
+ mv ${D}${bindir}/scapy ${D}${bindir}/scapy3
+ mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3
+}
do_install_ptest() {
install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH}
sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest
}
-RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-netclient \
+RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \
${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \
${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto"
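Review bot: `S = "${WORKDIR}/git"` is assigned twice in the new recipe (once right after LIC_FILES_CHKSUM, again after SRC_URI); keep one. The git SRC_URI carries no `;protocol=https` and no `;branch=`, so bitbake fetches over the plain git:// transport; the full SRCREV pin still fixes the checked-out content, but `git://github.com/secdev/scapy.git;protocol=https;branch=master \` (or whichever branch contains the pinned SRCREV) is the recommended and forward-compatible form, since newer bitbake requires an explicit branch. The do_install_append renames to scapy3/UTscapy3 match the UTscapy3 change in run-ptest.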
diff --git a/external/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch b/external/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch
new file mode 100644
index 00000000..e350bafc
--- /dev/null
+++ b/external/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch
@@ -0,0 +1,25 @@
+When calculate value of ldblibdir, it checks whether the directory of
+$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not
+suitable for cross compile. Fix it that only re-assign ldblibdir when its value
+is empty.
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/external/libldb.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
+index c400add..5e5f06d 100644
+--- a/src/external/libldb.m4
++++ b/src/external/libldb.m4
+@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then
+ ldblibdir=$with_ldb_lib_dir
+ else
+ ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
+- if ! test -d $ldblibdir; then
++ if test -z $ldblibdir; then
+ ldblibdir="${libdir}/ldb"
+ fi
+ fi
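Review bot: The replacement test leaves `$ldblibdir` unquoted: `if test -z $ldblibdir; then` handles the empty case only because a bare `test -z` happens to evaluate true, and it would misparse a value containing whitespace. Write it as `if test -z "$ldblibdir"; then` so the intent (re-assign only when pkg-config returned nothing) is expressed directly.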
diff --git a/external/meta-security/recipes-security/sssd/files/volatiles.99_sssd b/external/meta-security/recipes-security/sssd/files/volatiles.99_sssd
new file mode 100644
index 00000000..2a82413f
--- /dev/null
+++ b/external/meta-security/recipes-security/sssd/files/volatiles.99_sssd
@@ -0,0 +1 @@
+d root root 0750 /var/log/sssd none
diff --git a/external/meta-security/recipes-security/sssd/sssd_1.16.3.bb b/external/meta-security/recipes-security/sssd/sssd_1.16.3.bb
deleted file mode 100644
index 8f7f805f..00000000
--- a/external/meta-security/recipes-security/sssd/sssd_1.16.3.bb
+++ /dev/null
@@ -1,73 +0,0 @@
-SUMMARY = "system security services daemon"
-DESCRIPTION = "SSSD is a system security services daemon"
-HOMEPAGE = "https://pagure.io/SSSD/sssd/"
-SECTION = "base"
-LICENSE = "GPLv3+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-
-DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
-
-SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
- file://sssd.conf "
-
-SRC_URI[md5sum] = "af4288c9d1f9953e3b3b6e0b165a5ece"
-SRC_URI[sha256sum] = "ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4"
-
-inherit autotools pkgconfig gettext update-rc.d python-dir distro_features_check
-
-REQUIRED_DISTRO_FEATURES = "pam"
-
-CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
- ac_cv_path_NSUPDATE=${bindir} \
- ac_cv_path_PYTHON2=${PYTHON_DIR} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
- "
-
-PACKAGECONFIG ?="nss nscd"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
-
-PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
-PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
-PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
-PACKAGECONFIG[python2] = "--with-python2-bindings, --without-python2-bindings"
-PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
-PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
-PACKAGECONFIG[cyrpto] = "--with-crypto=libcrypto, , libcrypto"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
-PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/, --with-systemdunitdir="
-PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
-PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl"
-
-EXTRA_OECONF += "--disable-cifs-idmap-plugin --without-nfsv4-idmapd-plugin --without-ipa-getkeytab"
-
-do_configure_prepend() {
- mkdir -p ${AUTOTOOLS_AUXDIR}/build
- cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
-
- # libresove has host path, remove it
- sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
-}
-
-do_install () {
- oe_runmake install DESTDIR="${D}"
- rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
- install -d ${D}/${sysconfdir}/${BPN}
- install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
-}
-
-CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
-
-INITSCRIPT_NAME = "sssd"
-INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
-SYSTEMD_SERVICE_${PN} = "${BPN}.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-FILES_${PN} += "${libdir} ${datadir} /run ${libdir}/*.so* "
-FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
-
-# The package contains symlinks that trip up insane
-INSANE_SKIP_${PN} = "dev-so"
-
-RDEPENDS_${PN} += "bind dbus"
diff --git a/external/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/external/meta-security/recipes-security/sssd/sssd_1.16.4.bb
new file mode 100644
index 00000000..7ea1586b
--- /dev/null
+++ b/external/meta-security/recipes-security/sssd/sssd_1.16.4.bb
@@ -0,0 +1,124 @@
+SUMMARY = "system security services daemon"
+DESCRIPTION = "SSSD is a system security services daemon"
+HOMEPAGE = "https://pagure.io/SSSD/sssd/"
+SECTION = "base"
+LICENSE = "GPLv3+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+
+DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
+
+# If no crypto has been selected, default to DEPEND on nss, since that's what
+# sssd will pick if no active choice is made during configure
+DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
+ bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
+
+SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
+ file://sssd.conf \
+ file://volatiles.99_sssd \
+ file://fix-ldblibdir.patch \
+ "
+
+SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
+SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
+
+inherit autotools pkgconfig gettext python3-dir features_check systemd
+
+REQUIRED_DISTRO_FEATURES = "pam"
+
+SSSD_UID ?= "root"
+SSSD_GID ?= "root"
+
+CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
+ ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
+ "
+
+PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
+PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
+PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl jansson"
+PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
+PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
+PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
+PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
+PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
+PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
+PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
+PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
+PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
+PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
+PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
+
+EXTRA_OECONF += " \
+ --disable-cifs-idmap-plugin \
+ --without-nfsv4-idmapd-plugin \
+ --without-ipa-getkeytab \
+ --without-python2-bindings \
+ --enable-pammoddir=${base_libdir}/security \
+ --without-python2-bindings \
+"
+
+do_configure_prepend() {
+ mkdir -p ${AUTOTOOLS_AUXDIR}/build
+ cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
+
+ # libresove has host path, remove it
+ sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+}
+
+do_install () {
+ oe_runmake install DESTDIR="${D}"
+ rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
+ install -d ${D}/${sysconfdir}/${BPN}
+ install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+ install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
+ fi
+
+ # Remove /var/run as it is created on startup
+ rm -rf ${D}${localstatedir}/run
+
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ -e /etc/init.d/populate-volatile.sh ] ; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+ chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
+}
+
+CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
+
+INITSCRIPT_NAME = "sssd"
+INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
+SYSTEMD_SERVICE_${PN} = " \
+ ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
+ sssd-nss.service \
+ sssd-nss.socket \
+ sssd-pam-priv.socket \
+ sssd-pam.service \
+ sssd-pam.socket \
+ sssd-secrets.service \
+ sssd-secrets.socket \
+ sssd.service \
+"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so"
+FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
+
+# The package contains symlinks that trip up insane
+INSANE_SKIP_${PN} = "dev-so"
+
+RDEPENDS_${PN} = "bind dbus libldb libpam"
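Review bot: SYSTEMD_SERVICE_${PN} lists `sssd-secrets.service` and `sssd-secrets.socket` unconditionally, but the secrets responder is only configured in when the `http` or `curl` PACKAGECONFIG is enabled (the default is `nss nscd autofs sudo infopipe`, which passes `--without-secrets`), so with defaults the systemd class will likely look for unit files upstream did not install; guard it like the neighbouring entries with `${@bb.utils.contains_any('PACKAGECONFIG', 'http curl', 'sssd-secrets.service sssd-secrets.socket', '', d)} \`. EXTRA_OECONF passes `--without-python2-bindings` twice; one can go. In pkg_postinst_ontarget the existence check hard-codes `/etc/init.d/populate-volatile.sh` while the call on the next line uses `${sysconfdir}`; use the variable in both places.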
diff --git a/external/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz b/external/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz
deleted file mode 100644
index aed37547..00000000
--- a/external/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz
+++ /dev/null
Binary files differ
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch b/external/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
deleted file mode 100644
index 1cec47fc..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From c1c980a95d85bcaf8802524d6148783522b300d7 Mon Sep 17 00:00:00 2001
-From: Yulong Pei <Yulong.pei@windriver.com>
-Date: Wed, 21 Jul 2010 22:33:43 +0800
-Subject: [PATCH] change finding path of nss and nspr
-
-Upstream-Status: Pending
-
-Signed-off-by: Yulong Pei <Yulong.pei@windriver.com>
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- configure.ac | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 951b3eb..1fdeb0f 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -866,10 +866,10 @@ MOZILLA_MIN_VERSION="1.4"
- NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss"
- NSPR_PACKAGE=mozilla-nspr
- NSS_PACKAGE=mozilla-nss
--NSPR_INCLUDE_MARKER="nspr/nspr.h"
-+NSPR_INCLUDE_MARKER="nspr.h"
- NSPR_LIB_MARKER="libnspr4$shrext"
- NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
--NSS_INCLUDE_MARKER="nss/nss.h"
-+NSS_INCLUDE_MARKER="nss3/nss.h"
- NSS_LIB_MARKER="libnss3$shrext"
- NSS_LIBS_LIST="-lnss3 -lsmime3"
-
-@@ -898,24 +898,24 @@ fi
- dnl Priority 1: User specifies the path to installation
- if test "z$NSPR_FOUND" = "zno" -a "z$with_nspr" != "z" -a "z$with_nspr" != "zyes" ; then
- AC_MSG_CHECKING(for nspr library installation in "$with_nspr" folder)
-- if test -f "$with_nspr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/lib/$NSPR_LIB_MARKER" ; then
-- NSPR_INCLUDE_PATH="$with_nspr/include"
-- NSPR_LIB_PATH="$with_nspr/lib"
-+ if test -f "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/${libdir}/$NSPR_LIB_MARKER" ; then
-+ NSPR_INCLUDE_PATH="$with_nspr/usr/include"
-+ NSPR_LIB_PATH="$with_nspr/${libdir}"
- NSPR_FOUND="yes"
- AC_MSG_RESULT([yes])
- else
-- AC_MSG_ERROR([not found: "$with_nspr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/lib/$NSPR_LIB_MARKER" files don't exist), typo?])
-+ AC_MSG_ERROR([not found: "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/${libdir}/$NSPR_LIB_MARKER" files don't exist), typo?])
- fi
- fi
- if test "z$NSS_FOUND" = "zno" -a "z$with_nss" != "z" -a "z$with_nss" != "zyes" ; then
- AC_MSG_CHECKING(for nss library installation in "$with_nss" folder)
-- if test -f "$with_nss/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/lib/$NSS_LIB_MARKER" ; then
-- NSS_INCLUDE_PATH="$with_nss/include"
-- NSS_LIB_PATH="$with_nss/lib"
-+ if test -f "$with_nss/usr/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/${libdir}/$NSS_LIB_MARKER" ; then
-+ NSS_INCLUDE_PATH="$with_nss/usr/include/nss3"
-+ NSS_LIB_PATH="$with_nss/${libdir}"
- NSS_FOUND="yes"
- AC_MSG_RESULT([yes])
- else
-- AC_MSG_ERROR([not found: "$with_nss/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/lib/$NSS_LIB_MARKER" files don't exist), typo?])
-+ AC_MSG_ERROR([not found: "$with_nss/usr/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/${libdir}/$NSS_LIB_MARKER" files don't exist), typo?])
- fi
- fi
-
---
-2.7.4
-
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch b/external/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch
deleted file mode 100644
index af598fe7..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 847dc52f5a50e34ee4d6e3dc2c708711747a58ca Mon Sep 17 00:00:00 2001
-From: Yulong Pei <Yulong.pei@windriver.com>
-Date: Thu, 21 Jan 2010 14:11:20 +0800
-Subject: [PATCH] force to use our own libtool
-
-Upstream-Status: Inappropriate [ OE specific ]
-
-Signed-off-by: Yulong Pei <Yulong.pei@windriver.com>
-
----
- ltmain.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ltmain.sh b/ltmain.sh
-index 147d758..a61f16b 100644
---- a/ltmain.sh
-+++ b/ltmain.sh
-@@ -6969,7 +6969,7 @@ func_mode_link ()
- dir=$func_resolve_sysroot_result
- # We need an absolute path.
- case $dir in
-- [\\/]* | [A-Za-z]:[\\/]*) ;;
-+ =* | [\\/]* | [A-Za-z]:[\\/]*) ;;
- *)
- absdir=`cd "$dir" && pwd`
- test -z "$absdir" && \
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch b/external/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch
deleted file mode 100644
index d4535692..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 83a1381e1d6bd1b5ec3df6f7c4bc1f4fe4f860b6 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Thu, 15 Jun 2017 14:44:01 +0800
-Subject: [PATCH] xmlsec1: add new recipe
-
-This enables the building of the examples directory
-and it's installed as ptest.
-
-Upstream-Status: Inappropriate [ OE ptest specific ]
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
----
- examples/Makefile | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/examples/Makefile b/examples/Makefile
-index 89b1d61..c1cbcca 100644
---- a/examples/Makefile
-+++ b/examples/Makefile
-@@ -8,9 +8,17 @@ PROGRAMS = \
- decrypt1 decrypt2 decrypt3 \
- xmldsigverify
-
-+ifndef CC
- CC = gcc
--CFLAGS += -g $(shell xmlsec1-config --cflags) -DUNIX_SOCKETS
--LDLIBS += -g $(shell xmlsec1-config --libs)
-+endif
-+
-+CFLAGS += -I../include -g $(shell PKG_CONFIG_PATH=.. pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS
-+LDLIBS += -L../src/.libs -g $(shell PKG_CONFIG_PATH=.. pkg-config --libs xmlsec1 )
-+
-+DESTDIR = /usr/share/xmlsec1
-+install-ptest:
-+ if [ ! -d $(DESTDIR) ]; then mkdir -p $(DESTDIR); fi
-+ cp * $(DESTDIR)
-
- all: $(PROGRAMS)
-
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest b/external/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest
deleted file mode 100755
index a203c38f..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/sh
-
-check_return() {
- if [ $? == 0 ]; then
- echo -e "PASS: $1\n"
- else
- echo -e "FAIL: $1\n"
- fi
-}
-
-echo "---------------------------------------------------"
-echo "Signing a template file..."
-./sign1 sign1-tmpl.xml rsakey.pem > sign1-res.xml
-./verify1 sign1-res.xml rsapub.pem
-check_return sign-tmpl
-
-echo "---------------------------------------------------"
-echo "Signing a dynamicaly created template..."
-./sign2 sign2-doc.xml rsakey.pem > sign2-res.xml
-./verify1 sign2-res.xml rsapub.pem
-check_return sign-dynamic-templ
-
-echo "---------------------------------------------------"
-echo "Signing with X509 certificate..."
-./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml
-./verify3 sign3-res.xml ca2cert.pem cacert.pem
-check_return sign-x509
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with a single key..."
-./verify1 sign1-res.xml rsapub.pem
-./verify1 sign2-res.xml rsapub.pem
-check_return verify-single-key
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with keys manager..."
-./verify2 sign1-res.xml rsapub.pem
-./verify2 sign2-res.xml rsapub.pem
-check_return verify-keys-manager
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with X509 certificates..."
-./verify3 sign3-res.xml ca2cert.pem cacert.pem
-check_return verify-x509
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with additional restrictions..."
-./verify4 verify4-res.xml ca2cert.pem cacert.pem
-check_return verify-res
-
-echo "---------------------------------------------------"
-echo "Encrypting data with a template file..."
-./encrypt1 encrypt1-tmpl.xml deskey.bin > encrypt1-res.xml
-./decrypt1 encrypt1-res.xml deskey.bin
-check_return encrypt-tmpl
-
-echo "---------------------------------------------------"
-echo "Encrypting data with a dynamicaly created template..."
-./encrypt2 encrypt2-doc.xml deskey.bin > encrypt2-res.xml
-./decrypt1 encrypt2-res.xml deskey.bin
-check_return encrypt-dynamic-tmpl
-
-echo "---------------------------------------------------"
-echo "Encrypting data with a session key..."
-./encrypt3 encrypt3-doc.xml rsakey.pem > encrypt3-res.xml
-./decrypt3 encrypt3-res.xml
-check_return encrypt-session-key
-
-echo "---------------------------------------------------"
-echo "Decrypting data with a single key..."
-./decrypt1 encrypt1-res.xml deskey.bin
-./decrypt1 encrypt2-res.xml deskey.bin
-check_return encrypt-single-key
-
-echo "---------------------------------------------------"
-echo "Decrypting data with keys manager..."
-./decrypt2 encrypt1-res.xml deskey.bin
-./decrypt2 encrypt2-res.xml deskey.bin
-check_return encrypt-keys-manager
-
-echo "---------------------------------------------------"
-echo "Writing a custom keys manager..."
-./decrypt3 encrypt1-res.xml
-./decrypt3 encrypt2-res.xml
-check_return write-keys-manager
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch b/external/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch
deleted file mode 100644
index 8b2533ed..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 0c38c6864e7ba8f53a657d87894f24374a6a4932 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Tue, 30 Dec 2014 11:18:17 +0800
-Subject: [PATCH] examples: allow build in separate dir
-
-Upstream-Status: Inappropriate [ OE specific ]
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
----
- examples/Makefile | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/examples/Makefile b/examples/Makefile
-index c1cbcca..3f1bd14 100644
---- a/examples/Makefile
-+++ b/examples/Makefile
-@@ -12,8 +12,10 @@ ifndef CC
- CC = gcc
- endif
-
--CFLAGS += -I../include -g $(shell PKG_CONFIG_PATH=.. pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS
--LDLIBS += -L../src/.libs -g $(shell PKG_CONFIG_PATH=.. pkg-config --libs xmlsec1 )
-+top_srcdir = ..
-+top_builddir = ..
-+CFLAGS += -I$(top_srcdir)/include -g $(shell PKG_CONFIG_PATH=$(top_srcdir) pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS
-+LDLIBS += -L$(top_builddir)/src/.libs -g $(shell PKG_CONFIG_PATH=$(top_srcdir) pkg-config --libs xmlsec1 )
-
- DESTDIR = /usr/share/xmlsec1
- install-ptest:
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb b/external/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
deleted file mode 100644
index 2dbbf331..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
+++ /dev/null
@@ -1,56 +0,0 @@
-SUMMARY = "XML Security Library is a C library based on LibXML2"
-DESCRIPTION = "\
- XML Security Library is a C library based on \
- LibXML2 and OpenSSL. The library was created with a goal to support major \
- XML security standards "XML Digital Signature" and "XML Encryption". \
- "
-HOMEPAGE = "http://www.aleksey.com/xmlsec/"
-DEPENDS = "libtool libxml2 libxslt openssl zlib libgcrypt gnutls nss nspr libgpg-error"
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://COPYING;md5=352791d62092ea8104f085042de7f4d0"
-
-SECTION = "libs"
-
-SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \
- file://fix-ltmain.sh.patch \
- file://change-finding-path-of-nss.patch \
- file://makefile-ptest.patch \
- file://xmlsec1-examples-allow-build-in-separate-dir.patch \
- file://run-ptest \
- "
-
-SRC_URI[md5sum] = "9c4aaf9ff615a73921b9e3bf4988d878"
-SRC_URI[sha256sum] = "8d8276c9c720ca42a3b0023df8b7ae41a2d6c5f9aa8d20ed1672d84cc8982d50"
-
-inherit autotools-brokensep ptest pkgconfig
-
-CFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
-CPPFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
-
-EXTRA_OECONF = "\
- --with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../.. \
- "
-
-FILES_${PN}-dev += "${libdir}/xmlsec1Conf.sh"
-FILES_${PN}-dbg += "${PTEST_PATH}/.debug/*"
-
-RDEPENDS_${PN}-ptest += "${PN}-dev"
-INSANE_SKIP_${PN}-ptest += "dev-deps"
-
-PTEST_EXTRA_ARGS = "top_srcdir=${S} top_builddir=${B}"
-
-do_compile_ptest () {
- oe_runmake -C ${S}/examples ${PTEST_EXTRA_ARGS} all
-}
-
-do_install_append() {
- for i in ${bindir}/xmlsec1-config ${libdir}/xmlsec1Conf.sh \
- ${libdir}/pkgconfig/xmlsec1-openssl.pc; do
- sed -i -e "s@${RECIPE_SYSROOT}@@g" ${D}$i
- done
-}
-
-do_install_ptest () {
- oe_runmake -C ${S}/examples DESTDIR=${D}${PTEST_PATH} ${PTEST_EXTRA_ARGS} install-ptest
-}
diff --git a/external/meta-security/wic/beaglebone-yocto-verity.wks.in b/external/meta-security/wic/beaglebone-yocto-verity.wks.in
new file mode 100644
index 00000000..cd1702e1
--- /dev/null
+++ b/external/meta-security/wic/beaglebone-yocto-verity.wks.in
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: MIT
+#
+# Copyright (C) 2020 BayLibre SAS
+# Author: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+#
+# A dm-verity variant of the regular wks for beaglebone black. We need to fetch
+# the partition images from the DEPLOY_DIR_IMAGE as the rootfs source plugin will
+# not recreate the exact block device corresponding with the hash tree. We must
+# not alter the label or any other setting on the image.
+#
+# This .wks only works with the dm-verity-img class.
+
+part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+bootloader --append="console=ttyS0,115200"
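Review bot: The header comment says the file only works with the dm-verity-img class but does not state what stays outside the integrity guarantee: the `/boot` partition (u-boot, kernel, device tree and whatever initramfs consumes the verity root hash) is a plain vfat image, and `bootloader --append` carries only the console setting, so the root hash and the dm-verity mapping must be supplied and protected by the boot chain. Suggest adding to the header: `# /boot is not covered by dm-verity; rootfs integrity holds only if the boot chain verifies the kernel/initramfs that carries the verity root hash.` That makes the threat model explicit for anyone adapting this .wks to another board.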