added my Recipes

2024-07-11 14:16:35 +02:00
parent 38bc4f53ac
commit 09b621d929
7118 changed files with 525762 additions and 3 deletions


@@ -0,0 +1,34 @@
From 79c8d6a2755c9dfa00a5e86378e89a94eef0504d Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Tue, 9 Aug 2022 23:57:03 -0700
Subject: [PATCH] Replace __attribute_malloc__ with
__attribute__((__malloc__))
__attribute_malloc__ is not available on musl
Fixes
| ../../git/auparse/auparse.h:54:2: error: expected function body after function declarator
| __attribute_malloc__ __attr_dealloc (auparse_destroy, 1);
| ^
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
auparse/auparse.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auparse/auparse.h b/auparse/auparse.h
index 95cf256d..c7dbe5ff 100644
--- a/auparse/auparse.h
+++ b/auparse/auparse.h
@@ -51,7 +51,7 @@ typedef void (*auparse_callback_ptr)(auparse_state_t *au,
void auparse_destroy(auparse_state_t *au);
void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what);
auparse_state_t *auparse_init(ausource_t source, const void *b)
- __attribute_malloc__ __attr_dealloc (auparse_destroy, 1);
+ __attribute__((__malloc__)) __attr_dealloc (auparse_destroy, 1);
int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len)
__attr_access ((__read_only__, 2, 3));
int auparse_feed(auparse_state_t *au, const char *data, size_t data_len)
--
2.37.1
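Review bot: This patch header carries no `Upstream-Status:` line, so nothing records whether the change was sent upstream or is a local deviation that must be re-checked on every version bump. Add one above the `Signed-off-by:`, for example `Upstream-Status: Pending`, or `Backport` with a link if the change was taken from upstream. The same tag is missing from the keyutils SOURCE_DATE_EPOCH patch and from the nmap "Include time.h header" patch further down the page; the nmap one also has no `Signed-off-by:`.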


@@ -0,0 +1,50 @@
From 3d13f92c1bb293523670ba01aea7e655b00a6709 Mon Sep 17 00:00:00 2001
From: Li xin <lixin.fnst@cn.fujitsu.com>
Date: Sun, 19 Jul 2015 02:42:58 +0900
Subject: [PATCH] audit: Fixed swig host contamination issue
The audit build uses swig to generate a python wrapper.
Unfortunately, the swig info file references host include
directories. Some of these were previously noticed and
eliminated, but the one fixed here was not.
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com>
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
bindings/swig/python3/Makefile.am | 3 ++-
bindings/swig/src/auditswig.i | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
--- a/bindings/swig/python3/Makefile.am
+++ b/bindings/swig/python3/Makefile.am
@@ -23,6 +23,7 @@
CONFIG_CLEAN_FILES = *.loT *.rej *.orig
AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS)
AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
+STDINC ?= /usr/include
LIBS = $(top_builddir)/lib/libaudit.la
SWIG_FLAGS = -python -py3 -modern
SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/li
_audit_la_LIBADD = ${top_builddir}/lib/libaudit.la
nodist__audit_la_SOURCES = audit_wrap.c
audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i
- swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} ${srcdir}/../src/auditswig.i
+ swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) ${srcdir}/../src/auditswig.i
CLEANFILES = audit.py* audit_wrap.c *~
--- a/bindings/swig/src/auditswig.i
+++ b/bindings/swig/src/auditswig.i
@@ -39,7 +39,7 @@ signed
#define __attribute(X) /*nothing*/
typedef unsigned __u32;
typedef unsigned uid_t;
-%include "/usr/include/linux/audit.h"
+%include "../lib/audit.h"
#define __extension__ /*nothing*/
%include <stdint.i>
%include "../lib/libaudit.h"
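Review bot: The `STDINC ?= /usr/include` default added to `bindings/swig/python3/Makefile.am` points back at the host include directory, so any build that does not pass `STDINC` silently feeds host headers to swig again, which is the contamination this patch is meant to remove. Because the audit recipe on this page passes `STDINC='${STAGING_INCDIR}'`, the default is only a fallback and should say so, e.g. `# STDINC must be set to the target sysroot include dir; /usr/include is a native-build fallback only`. The second hunk's `%include "../lib/audit.h"` relies on a copy of `audit.h` being generated into `lib/` before swig runs (the recipe does this in `do_configure:prepend`), which is worth stating in the patch description.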


@@ -0,0 +1 @@
d /var/log/audit 0750 root root -


@@ -0,0 +1,153 @@
#! /bin/sh
### BEGIN INIT INFO
# Provides: auditd
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Audit Daemon
# Description: Collects audit information from Linux 2.6 Kernels.
### END INIT INFO
# Author: Philipp Matthias Hahn <pmhahn@debian.org>
# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init
# June, 2012: Adopted for yocto <amy.fong@windriver.com>
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="audit daemon"
NAME=auditd
DAEMON=/sbin/auditd
PIDFILE=/var/run/"$NAME".pid
SCRIPTNAME=/etc/init.d/"$NAME"
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME"
. /etc/default/rcS
. /etc/init.d/functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
|| return 1
start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
$EXTRAOPTIONS \
|| return 2
if [ -f /etc/audit/audit.rules ]
then
/sbin/auditctl -R /etc/audit/audit.rules >/dev/null
fi
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME"
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f "$PIDFILE"
rm -f /var/run/audit_events
# Remove watches so shutdown works cleanly
case "$AUDITD_CLEAN_STOP" in
no|NO) ;;
*) /sbin/auditctl -D >/dev/null ;;
esac
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME
return 0
}
if [ ! -e /var/log/audit ]; then
mkdir -p /var/log/audit
[ -x /sbin/restorecon ] && /sbin/restorecon -F $(readlink -f /var/log/audit)
fi
case "$1" in
start)
[ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && echo 0 ;;
2) [ "$VERBOSE" != no ] && echo 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && echo 0 ;;
2) [ "$VERBOSE" != no ] && echo 1 ;;
esac
;;
reload|force-reload)
echo "Reloading $DESC" "$NAME"
do_reload
echo $?
;;
restart)
echo "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) echo 0 ;;
1) echo 1 ;; # Old process is still running
*) echo 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
echo 1
;;
esac
;;
rotate)
echo "Rotating $DESC logs" "$NAME"
start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME"
echo $?
;;
status)
pidofproc "$DAEMON" >/dev/null
status=$?
if [ $status -eq 0 ]; then
echo "$NAME is running."
else
echo "$NAME is not running."
fi
exit $status
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2
exit 3
;;
esac
:
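Review bot: The `mkdir -p /var/log/audit` fallback that runs before the `case "$1"` dispatch creates the audit log directory with whatever mode the umask yields, which is normally world-readable, while the tmpfiles entry shipped with this recipe uses `0750 root root`. Create it with an explicit mode, `mkdir -p -m 0750 /var/log/audit`. In `do_start` the exit status of `/sbin/auditctl -R /etc/audit/audit.rules` is discarded, so `start` reports success even when no rules were loaded; returning a non-zero status or printing the failure would make that visible. `do_reload` also expands `$PIDFILE` and `$NAME` unquoted, unlike `do_start` and `do_stop`.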


@@ -0,0 +1,28 @@
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target
Conflicts=shutdown.target
ConditionKernelCommandLine=!audit=0
[Service]
Type=forking
PIDFile=/run/auditd.pid
ExecStart=/sbin/auditd
## To use augenrules, uncomment the next line and comment/delete the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
#ExecStartPost=-/sbin/augenrules --load
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
# By default we don't clear the rules on exit.
# To enable this, uncomment the next line.
#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
### Security Settings ###
MemoryDenyWriteExecute=true
LockPersonality=true
ProtectControlGroups=true
ProtectKernelModules=true
[Install]
WantedBy=multi-user.target
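Review bot: `ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules` carries the `-` prefix, so a rules file that fails to load is ignored and the unit still becomes active without the intended rules. If that is deliberate for boot robustness, say so above the line, e.g. `# '-': do not fail the unit on a rule-load error; verify with 'auditctl -l' after boot`; otherwise drop the prefix. The `[Service]` section also sets neither `Restart=` nor `RefuseManualStop=`, so the audit daemon stays down after a crash or an ordinary `systemctl stop`; whether that is acceptable depends on the image's audit requirements and deserves a comment either way.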


@@ -0,0 +1,116 @@
SUMMARY = "User space tools for kernel auditing"
DESCRIPTION = "The audit package contains the user space utilities for \
storing and searching the audit records generated by the audit subsystem \
in the Linux kernel."
HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"
SECTION = "base"
LICENSE = "GPL-2.0-or-later & LGPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master;protocol=https \
file://Fixed-swig-host-contamination-issue.patch \
file://0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch \
file://auditd \
file://auditd.service \
file://audit-volatile.conf \
"
S = "${WORKDIR}/git"
SRCREV = "81c813fc4ebb11bf1eca8b8bdb5b253dff31e68e"
inherit autotools python3targetconfig update-rc.d systemd
UPDATERCPN = "auditd"
INITSCRIPT_NAME = "auditd"
INITSCRIPT_PARAMS = "defaults"
SYSTEMD_PACKAGES = "auditd"
SYSTEMD_SERVICE:auditd = "auditd.service"
DEPENDS = "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native"
EXTRA_OECONF = " --with-libwrap \
--enable-gssapi-krb5=no \
--with-libcap-ng=yes \
--with-python3=yes \
--libdir=${base_libdir} \
--sbindir=${base_sbindir} \
--without-python \
--without-golang \
--disable-zos-remote \
--with-arm=yes \
--with-aarch64=yes \
"
EXTRA_OEMAKE = "PYLIBVER='python${PYTHON_BASEVERSION}' \
PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
STDINC='${STAGING_INCDIR}' \
pkgconfigdir=${libdir}/pkgconfig \
"
SUMMARY:audispd-plugins = "Plugins for the audit event dispatcher"
DESCRIPTION:audispd-plugins = "The audispd-plugins package provides plugins for the real-time \
interface to the audit system, audispd. These plugins can do things \
like relay events to remote machines or analyze events for suspicious \
behavior."
PACKAGES =+ "audispd-plugins"
PACKAGES += "auditd ${PN}-python"
FILES:${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"
FILES:auditd = "${bindir}/* ${base_sbindir}/* ${sysconfdir}/* ${datadir}/audit/*"
FILES:audispd-plugins = "${sysconfdir}/audit/audisp-remote.conf \
${sysconfdir}/audit/plugins.d/au-remote.conf \
${sysconfdir}/audit/plugins.d/syslog.conf \
${base_sbindir}/audisp-remote \
${base_sbindir}/audisp-syslog \
${localstatedir}/spool/audit \
"
FILES:${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
FILES:${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
CONFFILES:auditd = "${sysconfdir}/audit/audit.rules"
do_configure:prepend() {
sed -e 's|buf\[];|buf[0];|g' ${STAGING_INCDIR}/linux/audit.h > ${S}/lib/audit.h
sed -i -e 's|#include <linux/audit.h>|#include "audit.h"|g' ${S}/lib/libaudit.h
}
do_install:append() {
sed -i -e 's|#include "audit.h"|#include <linux/audit.h>|g' ${D}${includedir}/libaudit.h
rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a
rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la
# reuse auditd config
[ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default
mv ${D}/etc/sysconfig/auditd ${D}/etc/default
rmdir ${D}/etc/sysconfig/
# replace init.d
install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd
rm -rf ${D}/etc/rc.d
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
# install systemd unit files
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
install -d ${D}${sysconfdir}/tmpfiles.d/
install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
fi
# audit-2.5 doesn't install any rules by default, so we do that here
mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d
cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules
chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d
chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules
# Based on the audit.spec "Copy default rules into place on new installation"
cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules
# Create /var/spool/audit directory for audisp-remote
install -m 0700 -d ${D}${localstatedir}/spool/audit
}
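Review bot: `CONFFILES:auditd` lists only `${sysconfdir}/audit/audit.rules`, although `do_install:append` also ships `auditd.conf` and `rules.d/audit.rules`; depending on the package manager, local changes to those two files may be replaced on upgrade. Consider `CONFFILES:auditd = "${sysconfdir}/audit/audit.rules ${sysconfdir}/audit/auditd.conf ${sysconfdir}/audit/rules.d/audit.rules"`. The same function mixes hard-coded `${D}/etc/...` paths with `${sysconfdir}`; using `${sysconfdir}` throughout keeps the `chmod 750`/`chmod 640` lines pointed at the files that `FILES:auditd` actually packages if `sysconfdir` is ever changed.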


@@ -0,0 +1,24 @@
DESCRIPTION = "Unprivileged sandboxing tool"
HOMEPAGE = "https://github.com/containers/bubblewrap"
LICENSE = "LGPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
DEPENDS = "libcap"
SRC_URI = "https://github.com/containers/${BPN}/releases/download/v${PV}/${BP}.tar.xz"
SRC_URI[sha256sum] = "957ad1149db9033db88e988b12bcebe349a445e1efc8a9b59ad2939a113d333a"
inherit autotools bash-completion github-releases manpages pkgconfig
GITHUB_BASE_URI = "https://github.com/containers/${BPN}/releases/"
PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
PACKAGECONFIG[manpages] = "--enable-man,--disable-man,libxslt-native docbook-xsl-stylesheets-native xmlto-native"
PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
PACKAGECONFIG[setuid] = "--with-priv-mode=setuid,--with-priv-mode=none"
PACKAGES += "${PN}-zsh-completion"
FILES:${PN}-zsh-completion = "${datadir}/zsh/site-functions"
BBCLASSEXTEND = "native"
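Review bot: `PACKAGECONFIG[setuid]` has no comment, although enabling it changes the security posture of the image: `--with-priv-mode=setuid` installs `bwrap` setuid root instead of relying on unprivileged user namespaces. A comment above the line would make that explicit, e.g. `# setuid: install bwrap setuid root; only needed where the kernel does not permit unprivileged user namespaces`. The default `PACKAGECONFIG` here only filters `selinux`, so the recipe selects `--with-priv-mode=none` unless someone opts in, and the comment should note that this is intended.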


@@ -0,0 +1,30 @@
From 3f7f70c746277e1a89978166533374a8b9bd5407 Mon Sep 17 00:00:00 2001
From: Alex Kiernan <alex.kiernan@gmail.com>
Date: Wed, 25 Jan 2023 17:05:25 +0000
Subject: [PATCH] Adhere to the SOURCE_DATE_EPOCH standard
Adhere to the SOURCE_DATE_EPOCH standard and use it's date when set
otherwise fall back to the default behaviour.
Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 599b1452a05a..7776b0f0d63d 100644
--- a/Makefile
+++ b/Makefile
@@ -109,7 +109,7 @@ all: keyctl request-key key.dns_resolver cxx
###############################################################################
#RPATH = -Wl,-rpath,$(LIBDIR)
-VCPPFLAGS := -DPKGBUILD="\"$(shell date -u +%F)\""
+VCPPFLAGS := -DPKGBUILD="\"$(date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%F)\""
VCPPFLAGS += -DPKGVERSION="\"keyutils-$(VERSION)\""
VCPPFLAGS += -DAPIVERSION="\"libkeyutils-$(APIVERSION)\""
--
2.39.0
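Review bot: The replacement `VCPPFLAGS` line drops `$(shell ...)`, so `$(date --utc ...)` and `${SOURCE_DATE_EPOCH:-...}` are expanded by make as variable references instead of being run by a shell, and `PKGBUILD` most likely ends up as an empty string in every build. To honour SOURCE_DATE_EPOCH and still embed a date, keep the shell call and escape the shell's dollars: `VCPPFLAGS := -DPKGBUILD="\"$(shell date --utc --date="@$${SOURCE_DATE_EPOCH:-$$(date +%s)}" +%F)\""`. `--date=@N` is a GNU date extension, so the comment on that line should say the build host needs GNU date.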


@@ -0,0 +1,27 @@
From 714542f009860e1652bc06d05ab939290374a114 Mon Sep 17 00:00:00 2001
From: Alex Kiernan <alex.kiernan@gmail.com>
Date: Thu, 26 Jan 2023 08:27:12 +0000
Subject: [PATCH 1/2] tests: builtin_trusted: Failure command is `failed`
Upstream-Status: Pending
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
---
tests/features/builtin_trusted/runtest.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/features/builtin_trusted/runtest.sh b/tests/features/builtin_trusted/runtest.sh
index 27910b5fa8e7..437f5ad1d6b2 100644
--- a/tests/features/builtin_trusted/runtest.sh
+++ b/tests/features/builtin_trusted/runtest.sh
@@ -24,7 +24,7 @@ id_key --to=blk %:.blacklist
# There should be at least one built-in trusted key for module signing.
list_keyring $btk
expect_keyring_rlist bkeys
-if [ `echo $bkeys | wc -w` = 0 ]; then fail; fi
+if [ `echo $bkeys | wc -w` = 0 ]; then failed; fi
# Check we can't add random keys to those keyrings
marker "TRY ADDING USER KEYS"
--
2.39.0


@@ -0,0 +1,35 @@
From b84ecc2e3e56a25a3efd56c8942ad6bab3ff9ba1 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Fri, 2 Dec 2022 15:35:40 +0800
Subject: [PATCH] tests/toolbox.inc.sh: update regex for getting endian
Update regex for getting endian in following condition:
/proc/777/exe: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2
Upstream-Status: Submitted [Submitted to keyrings@vger.kernel.org ]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
tests/toolbox.inc.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh
index 8bf0db6f6d87..7ea2f253ba7d 100644
--- a/tests/toolbox.inc.sh
+++ b/tests/toolbox.inc.sh
@@ -13,10 +13,10 @@
echo === $OUTPUTFILE ===
endian=`file -L /proc/$$/exe`
-if expr "$endian" : '.* MSB \+\(pie executable\|executable\|shared object\).*' >&/dev/null
+if expr "$endian" : '.* MSB .*\(pie executable\|executable\|shared object\).*' >&/dev/null
then
endian=BE
-elif expr "$endian" : '.* LSB \+\(pie executable\|executable\|shared object\).*' >&/dev/null
+elif expr "$endian" : '.* LSB .*\(pie executable\|executable\|shared object\).*' >&/dev/null
then
endian=LE
else
--
2.39.0


@@ -0,0 +1,64 @@
From 5e660f246bb04560692ac9fc144574732c7e19e7 Mon Sep 17 00:00:00 2001
From: Alex Kiernan <alex.kiernan@gmail.com>
Date: Thu, 26 Jan 2023 08:28:16 +0000
Subject: [PATCH 2/2] tests: Use `head -n1` for busybox compatibility
Upstream-Status: Pending
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
---
tests/keyctl/session/valid/runtest.sh | 4 ++--
tests/keyctl/show/noargs/runtest.sh | 2 +-
tests/toolbox.inc.sh | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/keyctl/session/valid/runtest.sh b/tests/keyctl/session/valid/runtest.sh
index 4c831314c0b0..456e9f32de23 100644
--- a/tests/keyctl/session/valid/runtest.sh
+++ b/tests/keyctl/session/valid/runtest.sh
@@ -17,7 +17,7 @@ then
expect_key_rdesc rdesc "keyring@.*@.*@.*@_ses[^@]*\$"
# check the session keyring ID is shown
- seskeyring="`tail -2 $OUTPUTFILE | head -1`"
+ seskeyring="`tail -2 $OUTPUTFILE | head -n1`"
if ! expr "$seskeyring" : "Joined session keyring: [0-9]*" >&/dev/null
then
failed
@@ -30,7 +30,7 @@ new_session qwerty keyctl rdescribe @s "@"
expect_key_rdesc rdesc "keyring@.*@.*@.*@qwerty"
# check the session keyring ID is shown
-seskeyring="`tail -2 $OUTPUTFILE | head -1`"
+seskeyring="`tail -2 $OUTPUTFILE | head -n1`"
if ! expr "$seskeyring" : "Joined session keyring: [0-9]*" >&/dev/null
then
failed
diff --git a/tests/keyctl/show/noargs/runtest.sh b/tests/keyctl/show/noargs/runtest.sh
index d5072716c76a..a6d8b6b585c4 100644
--- a/tests/keyctl/show/noargs/runtest.sh
+++ b/tests/keyctl/show/noargs/runtest.sh
@@ -31,7 +31,7 @@ then
fi
# the first key listed (line 2) should be a keying (the session keyring) ...
-keyring1="`grep -n keyring $OUTPUTFILE | cut -d: -f1 | head -1`"
+keyring1="`grep -n keyring $OUTPUTFILE | cut -d: -f1 | head -n1`"
if [ "$keyring1" != "4" ]
then
failed
diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh
index 7ea2f253ba7d..a461a73daaa3 100644
--- a/tests/toolbox.inc.sh
+++ b/tests/toolbox.inc.sh
@@ -229,7 +229,7 @@ function check_notify ()
if [ "$1" = "-2" ]
then
shift
- my_logline="`tail -2 $watch_log | head -1`"
+ my_logline="`tail -2 $watch_log | head -n1`"
else
my_logline="`tail -1 $watch_log`"
fi
--
2.39.0


@@ -0,0 +1,28 @@
From b0355cc205543ffd33752874295139d57c4fbc3e Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Tue, 26 Sep 2017 07:59:51 +0000
Subject: [PATCH] Subject: [PATCH] keyutils: use relative path for link
The absolute path of the symlink will be invalid
when populated in sysroot, so use relative path instead.
Upstream-Status: Pending
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
{rebased for 1.6]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: keyutils-1.6/Makefile
===================================================================
--- keyutils-1.6.orig/Makefile
+++ keyutils-1.6/Makefile
@@ -184,7 +184,7 @@ ifeq ($(NO_SOLIB),0)
$(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
$(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
mkdir -p $(DESTDIR)$(USRLIBDIR)
- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
+ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
sed \
-e 's,@VERSION\@,$(VERSION),g' \
-e 's,@prefix\@,$(PREFIX),g' \
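Review bot: The relative link target `$(SONAME)` resolves inside `$(USRLIBDIR)`, so the devel symlink is only valid when `LIBDIR` and `USRLIBDIR` name the same directory; with different values it dangles. The keyutils recipe on this page passes `${libdir}` for both, and that dependency should be recorded in the patch description, e.g. `Requires LIBDIR == USRLIBDIR (set via EXTRA_OEMAKE)`. The install rule starts and ends outside the hunk.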


@@ -0,0 +1,42 @@
fix keyutils test error report
Upstream-Status: Pending
"Permission denied" may be the reason of EKEYEXPIRED and EKEYREVOKED.
"Required key not available" may be the reason of EKEYREVOKED.
EXPIRED and REVOKED are 2 status of kernel security keys features.
But the userspace keyutils lib will output the error message, which may
have several reasons.
Signed-off-by: Han Chao <chan@windriver.com>
diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh
index bbca00a..739e9d0 100644
--- a/tests/toolbox.inc.sh
+++ b/tests/toolbox.inc.sh
@@ -227,11 +227,12 @@ function expect_error ()
;;
EKEYEXPIRED)
my_err="Key has expired"
- alt_err="Unknown error 127"
+ alt_err="Permission denied"
;;
EKEYREVOKED)
my_err="Key has been revoked"
- alt_err="Unknown error 128"
+ alt_err="Permission denied"
+ alt2_err="Required key not available"
;;
EKEYREJECTED)
my_err="Key has been rejected"
@@ -249,6 +250,9 @@ function expect_error ()
elif [ "x$alt_err" != "x" ] && expr "$my_errmsg" : ".*: $alt_err" >&/dev/null
then
:
+ elif [ "x$alt2_err" != "x" ] && expr "$my_errmsg" : ".*: $alt2_err" >&/dev/null
+ then
+ :
elif [ "x$old_err" != "x" ] && expr "$my_errmsg" : ".*: $old_err" >&/dev/null
then
:
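Review bot: `alt2_err` is assigned only in the `EKEYREVOKED` branch, and the hunks do not show it being cleared at the top of `expect_error`; if it is not, the value survives into later calls and any later expected error would also accept "Required key not available". Clear it with the other alternates before the `case`, e.g. `alt2_err=""`. Accepting `Permission denied` for both `EKEYEXPIRED` and `EKEYREVOKED` also means the test no longer distinguishes an expired or revoked key from an ordinary access failure, which deserves a comment at those branches. The function starts and ends outside the hunks.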


@@ -0,0 +1,41 @@
From 49b6321368e4bd3cd233d045cd09004ddd7968b2 Mon Sep 17 00:00:00 2001
From: Jackie Huang <jackie.huang@windriver.com>
Date: Mon, 15 May 2017 14:52:00 +0800
Subject: [PATCH] keyutils: fix output format
keyutils ptest output format is incorrect, according to yocto
Development Manual
(http://www.yoctoproject.org/docs/latest/dev-manual/dev-manual.html#testing-packages-with-ptest)
5.10.6. Testing Packages With ptestThe test generates output in the format used by Automake:
<result>: <testname>
where the result can be PASS, FAIL, or SKIP, and the testname can be any
identifying string.
So we should change the test result format to match yocto ptest rules.
Upstream-Status: Inappropriate [OE ptest specific]
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
tests/runtest.sh | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tests/runtest.sh b/tests/runtest.sh
index b6eaa7c..84263fb 100644
--- a/tests/runtest.sh
+++ b/tests/runtest.sh
@@ -21,6 +21,11 @@ for i in ${TESTS}; do
echo "### RUNNING TEST $i"
if [[ $AUTOMATED != 0 ]] ; then
bash ./runtest.sh
+ if [ $? != 0 ]; then
+ echo "FAIL: $i"
+ else
+ echo "PASS: $i"
+ fi
else
bash ./runtest.sh || exit 1
fi
--
2.11.0


@@ -0,0 +1,3 @@
#!/bin/sh
export AUTOMATED=1
make -C tests run


@@ -0,0 +1,62 @@
SUMMARY = "Linux Key Management Utilities"
DESCRIPTION = "\
Utilities to control the kernel key management facility and to provide \
a mechanism by which the kernel call back to userspace to get a key \
instantiated. \
"
HOMEPAGE = "http://people.redhat.com/dhowells/keyutils"
SECTION = "base"
LICENSE = "LGPL-2.1-or-later & GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \
file://LICENCE.LGPL;md5=7d1cacaa3ea752b72ea5e525df54a21f"
inherit manpages ptest
SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git;protocol=https;branch=master \
file://keyutils-test-fix-output-format.patch \
file://keyutils-fix-error-report-by-adding-default-message.patch \
file://run-ptest \
file://fix_library_install_path.patch \
file://0001-tests-toolbox.inc.sh-update-regex-for-getting-endian.patch \
file://0001-Adhere-to-the-SOURCE_DATE_EPOCH-standard.patch \
file://0001-tests-builtin_trusted-Failure-command-is-failed.patch \
file://0002-tests-Use-head-n1-for-busybox-compatibility.patch \
"
SRCREV = "cb3bb194cca88211cbfcdde2f10c0f43c3fb8ec3"
S = "${WORKDIR}/git"
PACKAGECONFIG ?= ""
PACKAGECONFIG[manpages] = ""
EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \
NO_ARLIB=1 \
BINDIR=${base_bindir} \
SBINDIR=${base_sbindir} \
LIBDIR=${libdir} \
USRLIBDIR=${libdir} \
INCLUDEDIR=${includedir} \
ETCDIR=${sysconfdir} \
SHAREDIR=${datadir}/keyutils \
MANDIR=${datadir}/man \
BUILDFOR=${SITEINFO_BITS}-bit \
NO_GLIBC_KEYERR=1 \
"
do_install () {
oe_runmake DESTDIR=${D} install
}
do_install_ptest () {
cp -r ${S}/tests ${D}${PTEST_PATH}/
sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh
}
RDEPENDS:${PN}-ptest += "bash lsb-release make"
RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils"
RDEPENDS:${PN}-ptest:append:libc-musl = " musl-utils"
BBCLASSEXTEND = "native nativesdk"


@@ -0,0 +1,73 @@
From a068952a20880fc864e8cb8b49f8a6b143a5ac30 Mon Sep 17 00:00:00 2001
From: Peiran Hong <peiran.hong@windriver.com>
Date: Fri, 20 Sep 2019 15:02:45 -0400
Subject: [PATCH] Include time.h header to pass clang compilation
---
nmap_error.cc | 11 +----------
nping/EchoServer.cc | 1 +
osscan2.cc | 1 +
service_scan.cc | 1 +
4 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/nmap_error.cc b/nmap_error.cc
index 588b13c33..254107ff5 100644
--- a/nmap_error.cc
+++ b/nmap_error.cc
@@ -135,16 +135,7 @@
#include "xml.h"
#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
+#include <time.h>
extern NmapOps o;
diff --git a/nping/EchoServer.cc b/nping/EchoServer.cc
index ccdcf9c2d..c403aeda5 100644
--- a/nping/EchoServer.cc
+++ b/nping/EchoServer.cc
@@ -137,6 +137,7 @@
#include "NpingOps.h"
#include "ProbeMode.h"
#include <signal.h>
+#include <time.h>
extern NpingOps o;
extern EchoServer es;
diff --git a/osscan2.cc b/osscan2.cc
index aa31feb12..89673e108 100644
--- a/osscan2.cc
+++ b/osscan2.cc
@@ -147,6 +147,7 @@
#include <list>
#include <math.h>
+#include <time.h>
extern NmapOps o;
#ifdef WIN32
diff --git a/service_scan.cc b/service_scan.cc
index 57a92ed28..ef277bb1f 100644
--- a/service_scan.cc
+++ b/service_scan.cc
@@ -145,6 +145,7 @@
#include "nmap_tty.h"
#include <errno.h>
+#include <time.h>
#if HAVE_OPENSSL
/* OpenSSL 1.0.0 needs _WINSOCKAPI_ to be defined, otherwise it loads
--
2.21.0


@@ -0,0 +1,48 @@
From 562893e665a6c9e1b60c8b3242bab6fe78318b3b Mon Sep 17 00:00:00 2001
From: Mingli Yu <mingli.yu@windriver.com>
Date: Fri, 14 Feb 2020 08:19:54 +0000
Subject: [PATCH] configure.ac: make ndiff depend on python3
Python 2 ceased being maintained on the 1st January 2020.
We've already removed all users of it from oe-core, so
let ndiff depend on python3.
Upstream-Status: Pending
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
.../nmap/7.80-r0/nmap-7.80/configure.ac | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 9d2fff8..5ffdd55 100644
--- a/configure.ac
+++ b/configure.ac
@@ -237,16 +237,21 @@ if test $HAVE_PYTHON && test "x${PYTHON_VERSION%%.*}" = "x2"; then
HAVE_PYTHON2=true
fi
+HAVE_PYTHON3=false
+if test $HAVE_PYTHON && test "x${PYTHON_VERSION%%.*}" = "x3"; then
+ HAVE_PYTHON3=true
+fi
+
NDIFFDIR=ndiff
# Do they want Ndiff?
AC_ARG_WITH(ndiff, AC_HELP_STRING([--without-ndiff], [Skip installation of the Ndiff utility]), [], [with_ndiff=check])
-if $HAVE_PYTHON2 ; then : ;
+if $HAVE_PYTHON3 ; then : ;
else
if test "$with_ndiff" = "check" ; then
- AC_MSG_WARN([Not building Ndiff because Python 2.x with x>=4 was not found])
+ AC_MSG_WARN([Not building Ndiff because Python3 was not found])
elif test "$with_ndiff" = "yes"; then
- AC_MSG_FAILURE([--with-ndiff requires Python 2.x with x>=4])
+ AC_MSG_FAILURE([--with-ndiff requires Python3])
fi
with_ndiff=no
fi
--
2.24.1


@@ -0,0 +1,76 @@
From 2a361989b5f84ec23ba7ccb6e527a5590ff55deb Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Sun, 20 Jan 2019 23:11:56 -0800
Subject: [PATCH] Fix building with libc++
Upstream-Status: Pending
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
nping/EchoServer.cc | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/nping/EchoServer.cc b/nping/EchoServer.cc
index 40cd4d6..04433e1 100644
--- a/nping/EchoServer.cc
+++ b/nping/EchoServer.cc
@@ -282,14 +282,14 @@ int EchoServer::nep_listen_socket(){
server_addr6.sin6_len = sizeof(struct sockaddr_in6);
#endif
/* Bind to local address and the specified port */
- if( bind(master_sd, (struct sockaddr *)&server_addr6, sizeof(server_addr6)) != 0 ){
+ if( ::bind(master_sd, (struct sockaddr *)&server_addr6, sizeof(server_addr6)) != 0 ){
nping_warning(QT_3, "Failed to bind to source address %s. Trying to bind to port %d...", IPtoa(server_addr6.sin6_addr), port);
/* If the bind failed for the supplied address, just try again with in6addr_any */
if( o.spoofSource() ){
server_addr6.sin6_addr = in6addr_any;
- if( bind(master_sd, (struct sockaddr *)&server_addr6, sizeof(server_addr6)) != 0 ){
+ if( ::bind(master_sd, (struct sockaddr *)&server_addr6, sizeof(server_addr6)) != 0 ){
nping_fatal(QT_3, "Could not bind to port %d (%s).", port, strerror(errno));
- }else{
+ }else{
nping_print(VB_1, "Server bound to port %d", port);
}
}
@@ -320,12 +320,12 @@ int EchoServer::nep_listen_socket(){
#endif
/* Bind to local address and the specified port */
- if( bind(master_sd, (struct sockaddr *)&server_addr4, sizeof(server_addr4)) != 0 ){
+ if( ::bind(master_sd, (struct sockaddr *)&server_addr4, sizeof(server_addr4)) != 0 ){
nping_warning(QT_3, "Failed to bind to source address %s. Trying to bind to port %d...", IPtoa(server_addr4.sin_addr), port);
/* If the bind failed for the supplied address, just try again with in6addr_any */
if( o.spoofSource() ){
server_addr4.sin_addr.s_addr=INADDR_ANY;
- if( bind(master_sd, (struct sockaddr *)&server_addr4, sizeof(server_addr4)) != 0 ){
+ if( ::bind(master_sd, (struct sockaddr *)&server_addr4, sizeof(server_addr4)) != 0 ){
nping_fatal(QT_3, "Could not bind to port %d (%s).", port, strerror(errno));
}else{
nping_print(VB_1, "Server bound to port %d", port);
@@ -561,7 +561,7 @@ clientid_t EchoServer::nep_match_headers(IPv4Header *ip4, IPv6Header *ip6, TCPHe
nping_print(DBG_3, ";");
/* The payload magic may affect the score only between
* zero and 4 bytes. This is done to prevent long
- * common strings like "GET / HTTP/1.1\r\n"
+ * common strings like "GET / HTTP/1.1\r\n"
* increasing the score a lot and cause problems for
* the matching logic. */
current_score+= MIN(4, fspec->len)*FACTOR_PAYLOAD_MAGIC;
@@ -571,7 +571,7 @@ clientid_t EchoServer::nep_match_headers(IPv4Header *ip4, IPv6Header *ip6, TCPHe
default:
nping_warning(QT_2, "Bogus field specifier found in client #%d context. Please report a bug", ctx->getIdentifier());
break;
- }
+ }
} /* End of field specifiers loop */
nping_print(DBG_3, "%s() current_score=%.02f candidate_score=%.02f", __func__, current_score, candidate_score);
@@ -650,7 +650,7 @@ clientid_t EchoServer::nep_match_packet(const u8 *pkt, size_t pktlen){
}else{
if( (tcplen=tcp.validate())==OP_FAILURE){
return CLIENT_NOT_FOUND;
- }else{
+ }else{
if( (int)pktlen > (iplen+tcplen) ){
if( payload.storeRecvData(pkt+iplen+tcplen, pktlen-iplen-tcplen)!=OP_FAILURE)
payload_included=true;


@@ -0,0 +1,37 @@
[PATCH] redefine the python library install dir
Upstream-Status: Pending
If install-lib is not defined, it is always /usr/lib/, but it
maybe /usr/lib64 for multilib
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
Makefile.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index 1bb062c..cced2fb 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -311,7 +311,7 @@ build-zenmap: $(ZENMAPDIR)/setup.py $(ZENMAPDIR)/zenmapCore/Version.py
install-zenmap: $(ZENMAPDIR)/setup.py
$(INSTALL) -d $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
- cd $(ZENMAPDIR) && $(PYTHON) setup.py --quiet install --prefix "$(prefix)" --force $(if $(DESTDIR),--root "$(DESTDIR)")
+ cd $(ZENMAPDIR) && $(PYTHON) setup.py --quiet install --prefix "$(prefix)" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --force $(if $(DESTDIR),--root "$(DESTDIR)")
$(INSTALL) -c -m 644 docs/zenmap.1 $(DESTDIR)$(mandir)/man1/
# Create a symlink from nmapfe to zenmap if nmapfe doesn't exist or is
# already a link.
@@ -328,7 +328,7 @@ build-nping: $(NPINGDIR)/Makefile nbase_build nsock_build netutil_build $(NPINGD
@cd $(NPINGDIR) && $(MAKE)
install-ndiff:
- cd $(NDIFFDIR) && $(PYTHON) setup.py install --prefix "$(prefix)" $(if $(DESTDIR),--root "$(DESTDIR)")
+ cd $(NDIFFDIR) && $(PYTHON) setup.py install --prefix "$(prefix)" --install-lib="${PYTHON_SITEPACKAGES_DIR}" $(if $(DESTDIR),--root "$(DESTDIR)")
NSE_FILES = scripts/script.db scripts/*.nse
NSE_LIB_LUA_FILES = nselib/*.lua nselib/*.luadoc
--
1.9.1
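Review bot: `--install-lib="${PYTHON_SITEPACKAGES_DIR}"` in `install-zenmap` and `install-ndiff` is expanded by make, so when the variable is neither in the environment nor on the make command line the option becomes `--install-lib=""` rather than being omitted. Guard it the way the same lines already guard `DESTDIR`: `$(if $(PYTHON_SITEPACKAGES_DIR),--install-lib="$(PYTHON_SITEPACKAGES_DIR)")`. That keeps a plain upstream-style `make install` working and makes the dependency on the build environment explicit.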


@@ -0,0 +1,48 @@
[PATCH] replace "./shtool mkdir" with coreutils mkdir command
Upstream-Status: Pending
"./shtool mkdir" is used when mkdir has not -p parameter, but mkdir in today
most release has supportted the -p parameter, not need to use shtool, and it
can not fix the race if two process are running mkdir to create same dir
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
ncat/Makefile.in | 4 ++--
nmap-update/Makefile.in | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ncat/Makefile.in b/ncat/Makefile.in
index cfd306d..2166e08 100644
--- a/ncat/Makefile.in
+++ b/ncat/Makefile.in
@@ -163,11 +163,11 @@ $(NSOCKDIR)/libnsock.a: $(NSOCKDIR)/Makefile
install: $(TARGET)
@echo Installing Ncat;
- $(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+ mkdir -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
$(INSTALL) -c -m 755 ncat $(DESTDIR)$(bindir)/ncat
$(STRIP) -x $(DESTDIR)$(bindir)/ncat
if [ -n "$(DATAFILES)" ]; then \
- $(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(pkgdatadir); \
+ mkdir -p -m 755 $(DESTDIR)$(pkgdatadir); \
$(INSTALL) -c -m 644 $(DATAFILES) $(DESTDIR)$(pkgdatadir)/; \
fi
$(INSTALL) -c -m 644 docs/$(TARGET).1 $(DESTDIR)$(mandir)/man1/$(TARGET).1
diff --git a/nmap-update/Makefile.in b/nmap-update/Makefile.in
index 89ff928..93f48d8 100644
--- a/nmap-update/Makefile.in
+++ b/nmap-update/Makefile.in
@@ -37,7 +37,7 @@ $(NBASELIB):
cd $(NBASEDIR) && $(MAKE)
install: nmap-update
- $(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+ mkdir -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
$(INSTALL) -c -m 755 nmap-update $(DESTDIR)$(bindir)
$(STRIP) -x $(DESTDIR)$(bindir)/nmap-update
$(INSTALL) -c -m 644 ../docs/nmap-update.1 $(DESTDIR)$(mandir)/man1/
--
1.9.1
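Review bot: `mkdir -p -m 755` applies the 755 mode only to the last directory of each path, and any parent it has to create under `$(DESTDIR)` takes its mode from the umask of the build. The three replaced lines (two in ncat/Makefile.in, one in nmap-update/Makefile.in) may therefore produce intermediate directories with permissions that differ from what shtool produced. The top-level Makefile.in already creates these directories with `$(INSTALL) -d`, so `$(INSTALL) -d -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1` would be consistent with it and keeps the tool overridable. Quoting the paths, as in `"$(DESTDIR)$(bindir)"`, would also cover a DESTDIR that contains spaces. The install rules continue outside the hunks.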


@@ -0,0 +1,62 @@
SUMMARY = "network auditing tool"
DESCRIPTION = "Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.\nGui support via appending to IMAGE_FEATURES x11-base in local.conf"
SECTION = "security"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2"
SRC_URI = "http://nmap.org/dist/${BP}.tar.bz2 \
file://nmap-redefine-the-python-library-dir.patch \
file://nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch \
file://0001-Include-time.h-header-to-pass-clang-compilation.patch \
file://0002-Fix-building-with-libc.patch \
file://0001-Make-ndiff-support-python3.patch \
file://0001-configure.ac-make-ndiff-depend-on-python3.patch \
"
SRC_URI[md5sum] = "d37b75b06d1d40f27b76d60db420a1f5"
SRC_URI[sha256sum] = "fcfa5a0e42099e12e4bf7a68ebe6fde05553383a682e816a7ec9256ab4773faa"
inherit autotools-brokensep pkgconfig python3native
PACKAGECONFIG ?= "ncat nping ndiff pcap"
PACKAGECONFIG[pcap] = "--with-pcap=linux, --without-pcap, libpcap, libpcap"
PACKAGECONFIG[pcre] = "--with-libpcre=${STAGING_LIBDIR}/.., --with-libpcre=included, libpcre"
PACKAGECONFIG[ssl] = "--with-openssl=${STAGING_LIBDIR}/.., --without-openssl, openssl, openssl"
PACKAGECONFIG[ssh2] = "--with-openssh2=${STAGING_LIBDIR}/.., --without-openssh2, libssh2, libssh2"
PACKAGECONFIG[libz] = "--with-libz=${STAGING_LIBDIR}/.., --without-libz, zlib, zlib"
#disable/enable packages
PACKAGECONFIG[nping] = ",--without-nping,"
PACKAGECONFIG[ncat] = ",--without-ncat,"
PACKAGECONFIG[ndiff] = "--with-ndiff=yes,--without-ndiff,python3"
PACKAGECONFIG[update] = ",--without-nmap-update,"
EXTRA_OECONF = "--with-libdnet=included --with-liblinear=included --without-subversion --with-liblua=included"
# zenmap needs python-pygtk which has been removed
# it also only works with python2
# disable for now until py3 is supported
EXTRA_OECONF += "--without-zenmap"
export PYTHON_SITEPACKAGES_DIR
do_configure() {
autoconf
install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.guess ${S}
install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.sub ${S}
oe_runconf
}
do_install:append() {
for f in ndiff uninstall_ndiff; do
if [ -f ${D}${bindir}/$f ]; then
sed -i 's@^#!.*$@#!/usr/bin/env python3@g' ${D}${bindir}/$f
fi
done
}
FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR} ${datadir}/ncat"
RDEPENDS:${PN} += "python3-core"
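Review bot: SRC_URI fetches the tarball over plain `http://nmap.org/dist/`, so the pinned `SRC_URI[sha256sum]` is the only thing that authenticates the download. The passwdqc recipe (`http://www.openwall.com/`) and the TOMOYO tools recipe (`http://jaist.dl.sourceforge.jp/`) later in this commit do the same. Where the host serves TLS, use `https://` in SRC_URI, and drop `SRC_URI[md5sum]`, which adds nothing once the sha256 is pinned. Separately, the default `PACKAGECONFIG ?= "ncat nping ndiff pcap"` leaves out `ssl`, so configure is passed `--without-openssl`; a one-line comment stating whether building without OpenSSL is intended would help.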


@@ -0,0 +1,29 @@
Add LDFLAGS variable to Makefile so that extra linker flags can be sent via this variable.
Upstream-Status: Pending
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
--- a/Makefile
+++ b/Makefile
@@ -68,18 +68,17 @@ XGETTEXT = xgettext
XGETTEXT_OPTS = --keyword=_ --keyword=P2_:1,1 --keyword=P3_:1,2 --language=C --add-comments
MSGMERGE = msgmerge
-LDFLAGS =
LDFLAGS_shared = $(LDFLAGS) --shared
LDFLAGS_shared_LINUX = $(LDFLAGS) --shared
LDFLAGS_shared_SUN = $(LDFLAGS) -G
LDFLAGS_shared_HP = $(LDFLAGS) -b
LDFLAGS_lib = $(LDFLAGS_shared)
-LDFLAGS_lib_LINUX = $(LDFLAGS_shared_LINUX) \
+LDFLAGS_lib_LINUX = $(LDFLAGS) $(LDFLAGS_shared_LINUX) \
-Wl,--soname,$(SHARED_LIB),--version-script,$(MAP_LIB)
LDFLAGS_lib_SUN = $(LDFLAGS_shared_SUN)
LDFLAGS_lib_HP = $(LDFLAGS_shared_HP)
LDFLAGS_pam = $(LDFLAGS_shared)
-LDFLAGS_pam_LINUX = $(LDFLAGS_shared_LINUX) \
+LDFLAGS_pam_LINUX = $(LDFLAGS) $(LDFLAGS_shared_LINUX) \
-Wl,--version-script,$(MAP_PAM)
LDFLAGS_pam_SUN = $(LDFLAGS_shared_SUN)
LDFLAGS_pam_HP = $(LDFLAGS_shared_HP)
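Review bot: `LDFLAGS_shared_LINUX` is still defined as `$(LDFLAGS) --shared`, so the new `LDFLAGS_lib_LINUX = $(LDFLAGS) $(LDFLAGS_shared_LINUX) \` and `LDFLAGS_pam_LINUX = $(LDFLAGS) $(LDFLAGS_shared_LINUX) \` put the caller's flags on the link line twice. Dropping the empty `LDFLAGS =` assignment looks like the part that actually lets flags from the environment reach the library and the PAM module, so the two `_LINUX` lines can stay as they were. The description says the patch adds an LDFLAGS variable while the hunk deletes its definition; wording such as "stop resetting LDFLAGS" would match the change. The variable block continues outside the hunk.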


@@ -0,0 +1,65 @@
SUMMARY = "A password/passphrase strength checking and enforcement toolset"
DESCRIPTION = "\
passwdqc is a password/passphrase strength checking and policy enforcement \
toolset, including an optional PAM module (pam_passwdqc), command-line \
programs (pwqcheck and pwqgen), and a library (libpasswdqc). \
pam_passwdqc is normally invoked on password changes by programs such as \
passwd(1). It is capable of checking password or passphrase strength, \
enforcing a policy, and offering randomly-generated passphrases, with \
all of these features being optional and easily (re-)configurable. \
\
pwqcheck and pwqgen are standalone password/passphrase strength checking \
and random passphrase generator programs, respectively, which are usable \
from scripts. \
\
libpasswdqc is the underlying library, which may also be used from \
third-party programs. \
"
HOMEPAGE = "http://www.openwall.com/passwdqc"
SECTION = "System Environment/Base"
DEPENDS += "libpam"
inherit features_check
REQUIRED_DISTRO_FEATURES = "pam"
LICENSE = "BSD-1-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=ac99c8678577a1c2f9f04cccee411d5d"
SRC_URI = "http://www.openwall.com/${BPN}/${BP}.tar.gz \
file://makefile-add-ldflags.patch \
"
SRC_URI[sha256sum] = "ff1f505764c020f6a4484b1e0cc4fdbf2e3f71b522926d90b4709104ca0604ab"
# explicitly define LINUX_PAM in case DISTRO_FEATURES no pam
# this package's pam_passwdqc.so needs pam
CFLAGS:append = " -Wall -fPIC -DHAVE_SHADOW -DLINUX_PAM"
# -e is no longer default setting in bitbake.conf
EXTRA_OEMAKE = "-e"
do_compile() {
# make sure sub make use environment to override variables in Makefile
# Linux) $(MAKE), there is a tab between
sed -i -e 's/Linux) $(MAKE) CFLAGS_lib/Linux) $(MAKE) -e CFLAGS_lib/' ${S}/Makefile
# LD_lib and LD must be CC because of Makefile
oe_runmake LD="${CC}"
}
do_install() {
oe_runmake install DESTDIR=${D} SHARED_LIBDIR=${base_libdir} \
DEVEL_LIBDIR=${libdir} SECUREDIR=${base_libdir}/security \
INSTALL="install -p"
}
PROVIDES += "pam-${BPN}"
PACKAGES =+ "lib${BPN} pam-${BPN}"
FILES:lib${BPN} = "${base_libdir}/libpasswdqc.so.1"
FILES:pam-${BPN} = "${base_libdir}/security/pam_passwdqc.so"
FILES:${PN}-dbg += "${base_libdir}/security/.debug"
RDEPENDS:${PN} = "lib${BPN} pam-${BPN}"
RDEPENDS:pam-${BPN} = "lib${BPN}"
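Review bot: The `sed -i` in do_compile rewrites `${S}/Makefile` at build time and exits successfully even when the expression matches nothing. The comment above it already notes that the match depends on a tab, so a whitespace change upstream would silently stop the sub-make from getting `-e`. Presumably the `CFLAGS:append` values such as `-DLINUX_PAM` would then no longer reach the PAM module build. Carrying this edit as a patch next to `makefile-add-ldflags.patch` in SRC_URI makes do_patch fail loudly instead. If it stays a sed, follow it with a check such as `grep -q 'MAKE) -e CFLAGS_lib' ${S}/Makefile || bbfatal "Makefile not patched"`.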


@@ -0,0 +1,40 @@
From 88d968346184058df18dc69171dcd4fd612c2341 Mon Sep 17 00:00:00 2001
From: Jan Luebbe <sho@stratum0.net>
Date: Mon, 30 Jan 2023 12:48:23 +0100
Subject: [PATCH] avoid unnecessary check for sqlite3 binary
Only the library is used, not the sqlite3 binary. Drop this check to simplify
cross-compilation (as no native sqlite3 binary is needed).
Upstream-Status: Submitted [https://github.com/opendnssec/SoftHSMv2/pull/694]
---
m4/acx_sqlite3.m4 | 6 ------
1 file changed, 6 deletions(-)
diff --git a/m4/acx_sqlite3.m4 b/m4/acx_sqlite3.m4
index fd942a75e1a6..17c126d161f5 100644
--- a/m4/acx_sqlite3.m4
+++ b/m4/acx_sqlite3.m4
@@ -4,19 +4,13 @@ AC_DEFUN([ACX_SQLITE3],[
[
SQLITE3_INCLUDES="-I$withval/include"
SQLITE3_LIBDIRS="-L$withval/lib"
- AC_PATH_PROGS(SQLITE3, sqlite3, sqlite3, $withval/bin)
],[
SQLITE3_INCLUDES=""
SQLITE3_LIBDIRS=""
- AC_PATH_PROGS(SQLITE3, sqlite3, sqlite3, $PATH)
])
- if ! test -x "$SQLITE3"; then
- AC_MSG_ERROR([sqlite3 command not found])
- fi
-
AC_MSG_CHECKING(what are the SQLite3 includes)
AC_MSG_RESULT($SQLITE3_INCLUDES)
--
2.30.2


@@ -0,0 +1,33 @@
SUMMARY = "PKCS#11 HSM/Token Emulator"
HOMEPAGE = "https://www.opendnssec.org/softhsm/"
LICENSE = "BSD-2-Clause & ISC"
LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210"
DEPENDS = "sqlite3"
SRC_URI = "https://dist.opendnssec.org/source/softhsm-2.6.1.tar.gz \
file://0001-avoid-unnecessary-check-for-sqlite3-binary.patch \
"
SRC_URI[sha256sum] = "61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2"
inherit autotools pkgconfig siteinfo
EXTRA_OECONF += " --with-sqlite3=${STAGING_DIR_HOST}/usr"
EXTRA_OECONF += " --with-objectstore-backend-db"
EXTRA_OECONF += "${@oe.utils.conditional('SITEINFO_BITS', '64', ' --enable-64bit', '', d)}"
PACKAGECONFIG ?= "ecc eddsa pk11 openssl"
PACKAGECONFIG[npm] = ",--disable-non-paged-memory"
PACKAGECONFIG[ecc] = "--enable-ecc,--disable-ecc"
PACKAGECONFIG[gost] = "--enable-gost,--disable-gost"
PACKAGECONFIG[eddsa] = "--enable-eddsa, --disable-eddsa"
PACKAGECONFIG[fips] = "--enable-fips, --disable-fips"
PACKAGECONFIG[notvisable] = "--disable-visibility"
PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr --with-crypto-backend=openssl, --without-openssl, openssl, openssl"
PACKAGECONFIG[botan] = "--with-botan=${STAGING_DIR_HOST}/usr --with-crypto-backend=botan, --without-botan, botan"
PACKAGECONFIG[migrate] = "--with-migrate"
PACKAGECONFIG[pk11] = "--enable-p11-kit --with-p11-kit==${STAGING_DIR_HOST}/usr, --without-p11-kit, p11-kit, p11-kit"
RDEPENDS:${PN} = "sqlite3"
BBCLASSEXTEND = "native nativesdk"
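Review bot: `PACKAGECONFIG[pk11]` passes `--with-p11-kit==${STAGING_DIR_HOST}/usr` with a doubled `=`, so configure receives a value that starts with `=` instead of the sysroot path, and `pk11` is part of the default PACKAGECONFIG. The line should read `PACKAGECONFIG[pk11] = "--enable-p11-kit --with-p11-kit=${STAGING_DIR_HOST}/usr, --without-p11-kit, p11-kit, p11-kit"`. `PACKAGECONFIG[notvisable]` also looks like a misspelling of `notvisible`; renaming it is safe only if no configuration refers to the current name.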


@@ -0,0 +1,29 @@
SUMMARY = "TOMOYO Linux tools"
DESCRIPTION = "TOMOYO Linux is a Mandatory Access Control (MAC) implementation \
for Linux that can be used to increase the security of a system, while also \
being useful purely as a system analysis tool."
HOMEPAGE = "http://tomoyo.sourceforge.jp/"
SECTION = "System Environment/Kernel"
SRC_URI = "http://jaist.dl.sourceforge.jp/tomoyo/53357/${BP}-20170102.tar.gz"
SRC_URI[sha256sum] = "00fedfac5e514321250bbe69eaccc732c8a8158596f77a785c2e3ae9f9968283"
S = "${WORKDIR}/${BPN}"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING.tomoyo;md5=751419260aa954499f7abaabaa882bbe"
FILES:${PN} += "${libdir}/tomoyo"
FILES:${PN}-dbg += "${libdir}/tomoyo/.debug"
DEPENDS = "linux-libc-headers ncurses"
EXTRA_OEMAKE = "-e USRLIBDIR=${libdir}"
do_compile () {
oe_runmake 'CC=${CC}'
}
do_install() {
oe_runmake install SBINDIR=${base_sbindir} INSTALLDIR=${D}
}


@@ -0,0 +1,106 @@
From e36cbf9d7a32de9945a8b6c62ad29dfb60358081 Mon Sep 17 00:00:00 2001
From: "Anu Deepthika, Nandipati" <Nandipati.AnuDeepthika@philips.com>
Date: Wed, 9 Mar 2022 02:03:51 +0530
Subject: [PATCH] Add and use pkgconfig instead of libgcrypt-config
Upstream-Status: Pending
Signed-off-by: Anu Deepthika, Nandipati <Nandipati.AnuDeepthika@philips.com>
---
m4/libgcrypt.m4 | 56 ++-----------------------------------------------
1 file changed, 2 insertions(+), 54 deletions(-)
diff --git a/m4/libgcrypt.m4 b/m4/libgcrypt.m4
index 9a29eb5..465fe24 100644
--- a/m4/libgcrypt.m4
+++ b/m4/libgcrypt.m4
@@ -22,17 +22,7 @@ dnl with a changed API.
dnl
AC_DEFUN([AM_PATH_LIBGCRYPT],
[ AC_REQUIRE([AC_CANONICAL_HOST])
- AC_ARG_WITH(libgcrypt-prefix,
- AS_HELP_STRING([--with-libgcrypt-prefix=PFX],
- [prefix where LIBGCRYPT is installed (optional)]),
- libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="")
- if test x$libgcrypt_config_prefix != x ; then
- if test x${LIBGCRYPT_CONFIG+set} != xset ; then
- LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config
- fi
- fi
- AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, no)
tmp=ifelse([$1], ,1:1.2.0,$1)
if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then
req_libgcrypt_api=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\1/'`
@@ -41,44 +31,8 @@ AC_DEFUN([AM_PATH_LIBGCRYPT],
req_libgcrypt_api=0
min_libgcrypt_version="$tmp"
fi
+ PKG_CHECK_MODULES(LIBGCRYPT, [libgcrypt >= $min_libgcrypt_version], [ok=yes], [ok=no])
- AC_MSG_CHECKING(for LIBGCRYPT - version >= $min_libgcrypt_version)
- ok=no
- if test "$LIBGCRYPT_CONFIG" != "no" ; then
- req_major=`echo $min_libgcrypt_version | \
- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\1/'`
- req_minor=`echo $min_libgcrypt_version | \
- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\2/'`
- req_micro=`echo $min_libgcrypt_version | \
- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'`
- libgcrypt_config_version=`$LIBGCRYPT_CONFIG --version`
- major=`echo $libgcrypt_config_version | \
- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'`
- minor=`echo $libgcrypt_config_version | \
- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\2/'`
- micro=`echo $libgcrypt_config_version | \
- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\3/'`
- if test "$major" -gt "$req_major"; then
- ok=yes
- else
- if test "$major" -eq "$req_major"; then
- if test "$minor" -gt "$req_minor"; then
- ok=yes
- else
- if test "$minor" -eq "$req_minor"; then
- if test "$micro" -ge "$req_micro"; then
- ok=yes
- fi
- fi
- fi
- fi
- fi
- fi
- if test $ok = yes; then
- AC_MSG_RESULT([yes ($libgcrypt_config_version)])
- else
- AC_MSG_RESULT(no)
- fi
if test $ok = yes; then
# If we have a recent libgcrypt, we should also check that the
# API is compatible
@@ -96,10 +50,8 @@ AC_DEFUN([AM_PATH_LIBGCRYPT],
fi
fi
if test $ok = yes; then
- LIBGCRYPT_CFLAGS=`$LIBGCRYPT_CONFIG --cflags`
- LIBGCRYPT_LIBS=`$LIBGCRYPT_CONFIG --libs`
ifelse([$2], , :, [$2])
- libgcrypt_config_host=`$LIBGCRYPT_CONFIG --host 2>/dev/null || echo none`
+ libgcrypt_config_host=`$PKG_CONFIG --variable=host libgcrypt`
if test x"$libgcrypt_config_host" != xnone ; then
if test x"$libgcrypt_config_host" != x"$host" ; then
AC_MSG_WARN([[
@@ -112,10 +64,6 @@ AC_DEFUN([AM_PATH_LIBGCRYPT],
***]])
fi
fi
- else
- LIBGCRYPT_CFLAGS=""
- LIBGCRYPT_LIBS=""
- ifelse([$3], , :, [$3])
fi
AC_SUBST(LIBGCRYPT_CFLAGS)
AC_SUBST(LIBGCRYPT_LIBS)
--
2.25.1
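Review bot: The last hunk removes the `else` branch that ran `ifelse([$3], , :, [$3])`, so when `PKG_CHECK_MODULES` sets `ok=no` the caller's not-found action is never executed. Configure can then presumably carry on with empty `LIBGCRYPT_CFLAGS` and `LIBGCRYPT_LIBS` instead of stopping. For a crypto backend that failure should stay loud: keep `else` followed by `ifelse([$3], , :, [$3])` before the closing `fi`. The new assignment of `libgcrypt_config_host` from `$PKG_CONFIG --variable=host libgcrypt` also dropped the `|| echo none` fallback, so an empty result is compared with `$host` and would trigger the mismatch warning. AM_PATH_LIBGCRYPT starts and ends outside the hunks.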


@@ -0,0 +1,45 @@
From 1da0cfbb9ae978822d961d8b22d8d5125c11247a Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Thu, 26 Jan 2023 23:46:56 -0800
Subject: [PATCH] include missing <cstdint>
gcc 13 moved some includes around and as a result <cstdint> is no
longer transitively included [1]. Explicitly include it for
uint8_t.
[1] https://gcc.gnu.org/gcc-13/porting_to.html#header-dep-changes
Upstream-Status: Submitted [https://github.com/USBGuard/usbguard/pull/583]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
src/Library/Base64.cpp | 1 -
src/Library/Base64.hpp | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Library/Base64.cpp b/src/Library/Base64.cpp
index ddb28dc..0246a13 100644
--- a/src/Library/Base64.cpp
+++ b/src/Library/Base64.cpp
@@ -22,7 +22,6 @@
#include "Base64.hpp"
#include <stdexcept>
-#include <cstdint>
namespace usbguard
{
diff --git a/src/Library/Base64.hpp b/src/Library/Base64.hpp
index 0947f21..e0c745c 100644
--- a/src/Library/Base64.hpp
+++ b/src/Library/Base64.hpp
@@ -23,6 +23,7 @@
#endif
#include <string>
+#include <cstdint>
#include <cstddef>
namespace usbguard
--
2.39.1


@@ -0,0 +1,69 @@
# Copyright (c) 2021 Koninklijke Philips N.V.
#
# SPDX-License-Identifier: MIT
#
SUMMARY = "USBGuard daemon for blacklisting and whitelisting of USB devices"
DESCRIPTION = "The USBGuard software framework helps to protect your computer against \
rogue USB devices (a.k.a. Bad USB) by implementing basic whitelisting and blacklisting \
capabilities based on device attributes. This recipe takes OpenSSL as crypto-backend for \
computing device hashes (Supported values are sodium, gcrypt, openssl)."
HOMEPAGE = "https://usbguard.github.io/"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRC_URI = "https://github.com/USBGuard/usbguard/releases/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
file://0001-include-missing-cstdint.patch \
file://0001-Add-and-use-pkgconfig-instead-of-libgcrypt-config.patch"
SRC_URI[sha256sum] = "dcf5c90f3f93030e04df1baeb8d388b678c40dd48b135ea12a7be7dee8944934"
inherit autotools-brokensep bash-completion pkgconfig systemd github-releases
DEPENDS = "glib-2.0-native libcap-ng libqb libxml2-native libxslt-native protobuf protobuf-native xmlto-native"
UPSTREAM_CHECK_REGEX = "releases/tag/usbguard-(?P<pver>\d+(\.\d+)+)"
EXTRA_OECONF += "\
--with-bundled-catch \
--with-bundled-pegtl \
"
PACKAGECONFIG ?= "\
openssl \
${@bb.utils.filter('DISTRO_FEATURES', 'polkit', d)} \
${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
"
# USBGuard has made polkit mandatory to configure with-dbus
PACKAGECONFIG[dbus] = "--with-dbus,--without-dbus,dbus-glib polkit"
PACKAGECONFIG[libgcrypt] = "--with-crypto-library=gcrypt,,libgcrypt,,,libsodium openssl"
PACKAGECONFIG[libsodium] = "--with-crypto-library=sodium,,libsodium,,,libgcrypt openssl"
PACKAGECONFIG[openssl] = "--with-crypto-library=openssl,,openssl,,,libgcrypt libsodium"
PACKAGECONFIG[polkit] = "--with-polkit,--without-polkit,polkit"
PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd"
SYSTEMD_PACKAGES = "${PN}"
SYSTEMD_SERVICE:${PN} = "usbguard.service ${@bb.utils.contains('PACKAGECONFIG', 'dbus', 'usbguard-dbus.service', '', d)}"
FILES:${PN} += "\
${systemd_unitdir}/system/usbguard.service \
${systemd_unitdir}/system/usbguard-dbus.service \
${datadir}/polkit-1 \
${datadir}/dbus-1 \
${nonarch_libdir}/tmpfiles.d \
"
do_install:append() {
# Create /var/log/usbguard in runtime.
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" ]; then
install -d ${D}${nonarch_libdir}/tmpfiles.d
echo "d ${localstatedir}/log/${BPN} 0755 root root -" > ${D}${nonarch_libdir}/tmpfiles.d/${BPN}.conf
fi
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
install -d ${D}${sysconfdir}/default/volatiles
echo "d root root 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN}
fi
rm -rf ${D}${localstatedir}/log
}