-rw-r--r--.gitignore7
-rw-r--r--.gitlab-ci.yml144
-rw-r--r--README12
-rw-r--r--classes/dm-verity-img.bbclass22
-rw-r--r--kas/kas-security-alt.yml8
-rw-r--r--kas/kas-security-base.yml62
-rw-r--r--kas/kas-security-dm.yml13
-rw-r--r--kas/qemuarm.yml6
-rw-r--r--kas/qemuarm64-alt.yml6
-rw-r--r--kas/qemuarm64-ima.yml10
-rw-r--r--kas/qemuarm64-multi.yml12
-rw-r--r--kas/qemuarm64-musl.yml10
-rw-r--r--kas/qemuarm64-tpm2.yml10
-rw-r--r--kas/qemuarm64.yml6
-rw-r--r--kas/qemumips64-alt.yml10
-rw-r--r--kas/qemumips64-multi.yml14
-rw-r--r--kas/qemumips64.yml6
-rw-r--r--kas/qemuppc.yml6
-rw-r--r--kas/qemuriscv64.yml6
-rw-r--r--kas/qemux86-64-alt.yml6
-rw-r--r--kas/qemux86-64-dm-verify.yml6
-rw-r--r--kas/qemux86-64-ima.yml10
-rw-r--r--kas/qemux86-64-multi.yml12
-rw-r--r--kas/qemux86-64-tpm.yml10
-rw-r--r--kas/qemux86-64-tpm2.yml10
-rw-r--r--kas/qemux86-64.yml6
-rw-r--r--kas/qemux86-ima.yml10
-rw-r--r--kas/qemux86-musl.yml10
-rw-r--r--kas/qemux86-test.yml11
-rw-r--r--kas/qemux86.yml6
-rw-r--r--meta-integrity/README.md12
-rw-r--r--meta-integrity/classes/ima-evm-rootfs.bbclass33
-rw-r--r--meta-integrity/conf/layer.conf3
-rw-r--r--meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb7
-rw-r--r--meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima10
-rw-r--r--meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb17
-rw-r--r--meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb1
-rw-r--r--meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb9
-rw-r--r--meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed3
-rw-r--r--meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb9
-rw-r--r--meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb9
-rw-r--r--meta-security-compliance/README8
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc2
-rw-r--r--meta-security-isafw/README.md4
-rw-r--r--meta-security-isafw/classes/isafw.bbclass (renamed from meta-security-isfafw/classes/isafw.bbclass)0
-rw-r--r--meta-tpm/README8
-rw-r--r--meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb3
-rw-r--r--meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb14
-rw-r--r--meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch94
-rw-r--r--meta-tpm/recipes-tpm/trousers/trousers_git.bb1
-rw-r--r--meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb5
-rw-r--r--meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb3
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch48
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb17
-rw-r--r--meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb20
-rw-r--r--recipes-core/images/dm-verity-image-initramfs.bb28
-rw-r--r--recipes-core/initrdscripts/initramfs-dm-verity.bb13
-rw-r--r--recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh46
-rw-r--r--recipes-core/initrdscripts/initramfs-framework/dmverity63
-rw-r--r--recipes-core/initrdscripts/initramfs-framework_1.0.bbappend16
-rw-r--r--recipes-ids/samhain/samhain.inc4
-rw-r--r--recipes-ids/tripwire/tripwire_2.4.3.7.bb1
-rw-r--r--recipes-kernel/linux/linux-%_5.%.bbappend4
-rw-r--r--recipes-kernel/linux/linux-yocto-dev.bbappend1
-rw-r--r--recipes-kernel/linux/linux-yocto_5.%.bbappend1
-rw-r--r--recipes-mac/AppArmor/apparmor_2.13.4.bb198
-rw-r--r--recipes-mac/AppArmor/apparmor_2.13.6.bb201
-rw-r--r--recipes-mac/AppArmor/files/0001-Use-build-environment-C-preprocessor.patch39
-rw-r--r--recipes-mac/AppArmor/files/0002-Correctly-escape-in-Makefile.patch25
-rw-r--r--recipes-mac/AppArmor/files/disable_pdf.patch33
-rw-r--r--recipes-mac/ccs-tools/ccs-tools_1.8.4.bb2
-rw-r--r--recipes-scanners/clamav/clamav_0.101.5.bb25
-rw-r--r--recipes-scanners/rootkits/chkrootkit_0.53.bb2
-rw-r--r--recipes-security/bastille/bastille_3.2.1.bb2
-rw-r--r--recipes-security/libseccomp/libseccomp_2.4.3.bb3
-rw-r--r--recipes-security/packagegroup/packagegroup-core-security-ptest.bb2
-rw-r--r--recipes-security/packagegroup/packagegroup-core-security.bb9
-rw-r--r--recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch34
-rw-r--r--recipes-security/sssd/files/CVE-2022-4254-1.patch515
-rw-r--r--recipes-security/sssd/files/CVE-2022-4254-2.patch655
-rw-r--r--recipes-security/sssd/sssd_1.16.4.bb30
-rw-r--r--wic/beaglebone-yocto-verity.wks.in2
-rw-r--r--wic/systemd-bootdisk-dmverity.wks.in15
83 files changed, 2332 insertions, 444 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c01df45
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+*.pyc
+*.pyo
+/*.patch
+*.swp
+*.orig
+*.rej
+*~
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..50bfe4f
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,144 @@
+stages:
+ - build
+
+.build:
+ stage: build
+ image: crops/poky
+ before_script:
+ - echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
+ - echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
+ - export PATH=~/.local/bin:$PATH
+ - wget https://bootstrap.pypa.io/get-pip.py
+ - python3 get-pip.py
+ - python3 -m pip install kas
+ after_script:
+ - cd $CI_PROJECT_DIR/poky
+ - . ./oe-init-build-env $CI_PROJECT_DIR/build
+ - for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do
+ - send-error-report -y tmp/log/error-report/$x
+ - done
+ - cd $CI_PROJECT_DIR
+ - rm -rf build
+ - $CI_PROJECT_DIR/scripts/ci-cleanup.sh
+ cache:
+ paths:
+ - layers
+
+qemux86:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-64:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemuarm:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemuarm64:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemuppc:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemumips64:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemuriscv64:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-64-tpm:
+ extends: .build
+ script:
+ - kas build --target security-tpm-image kas/$CI_JOB_NAME.yml
+
+qemux86-64-tpm2:
+ extends: .build
+ script:
+ - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml
+
+qemuarm64-tpm2:
+ extends: .build
+ script:
+ - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml
+
+qemux86-ima:
+ extends: .build
+ script:
+ - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml
+
+qemux86-64-ima:
+ extends: .build
+ script:
+ - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml
+
+qemuarm64-ima:
+ extends: .build
+ script:
+ - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml
+
+qemux86-64-dm-verify:
+ extends: .build
+ script:
+ - kas build --target core-image-minimal kas/qemux86-64.yml
+ - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME.yml
+
+
+qemuarm64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemuarm64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemumips64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemumips64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-musl:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemuarm64-musl:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-test:
+ extends: .build
+ allow_failure: true
+ script:
+ - kas build --target security-test-image kas/$CI_JOB_NAME.yml
+ - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
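Review bot: The pip bootstrap in `before_script` executes whatever `get-pip.py` and whatever `kas` release the network serves at job time, with no version pin and no checksum, so the build tooling is not reproducible and a tampered download would run inside the job environment (the `$ERR_REPORT_*` CI variables written to `~/.oe-send-error` included). Pin the tool and verify the bootstrap script before running it, e.g. `python3 -m pip install "kas==<pinned version>"` after checking `get-pip.py` against a recorded `sha256sum`, or use the pip already shipped in the `crops/poky` image if it has one. `allow_failure: true` on `qemux86-test` also means a `testimage` regression never turns the pipeline red; if that is intentional while the test image stabilises, a one-line comment saying so would stop it being treated as a permanent setting.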
diff --git a/README b/README
index f223fee..19b07c7 100644
--- a/README
+++ b/README
@@ -10,27 +10,27 @@ Dependencies
This layer depends on:
URI: git://git.openembedded.org/openembedded-core
- branch: master
+ branch: dunfell
revision: HEAD
prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-oe
- branch: master
+ branch: dunfell
revision: HEAD
prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-perl
- branch: master
+ branch: dunfell
revision: HEAD
prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-python
- branch: master
+ branch: dunfell
revision: HEAD
prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-networking
- branch: master
+ branch: dunfell
revision: HEAD
prio: default
@@ -60,7 +60,7 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][dunfell][PATCH'
These values can be set as defaults for this repository:
diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
index 1c0e29b..16d395b 100644
--- a/classes/dm-verity-img.bbclass
+++ b/classes/dm-verity-img.bbclass
@@ -18,12 +18,18 @@
# The resulting image can then be used to implement the device mapper block
# integrity checking on the target device.
+# Define the location where the DM_VERITY_IMAGE specific dm-verity root hash
+# is stored where it can be installed into associated initramfs rootfs.
+STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity"
+
# Process the output from veritysetup and generate the corresponding .env
# file. The output from veritysetup is not very machine-friendly so we need to
# convert it to some better format. Let's drop the first line (doesn't contain
# any useful info) and feed the rest to a script.
process_verity() {
- local ENV="$OUTPUT.env"
+ local ENV="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env"
+ install -d ${STAGING_VERITY_DIR}
+ rm -f $ENV
# Each line contains a key and a value string delimited by ':'. Read the
# two parts into separate variables and process them separately. For the
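Review bot: `$ENV` and `${STAGING_VERITY_DIR}` are expanded unquoted in `install -d`, `rm -f` and the redirections, so a TMPDIR containing whitespace would split the path; quoting them (`install -d "${STAGING_VERITY_DIR}"`, `rm -f "$ENV"`, `>> "$ENV"`) costs nothing. The .env written here carries the dm-verity root hash, i.e. the trust anchor the initramfs will boot against; now that it lands in a shared `work-shared` directory instead of next to the image, the initramfs recipe consuming it needs an explicit task dependency on this image's `do_image_*` so a stale hash from an earlier build is never embedded — that recipe is not in this excerpt, so I cannot confirm it declares one. `process_verity` continues past the end of the hunk.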
@@ -32,15 +38,13 @@ process_verity() {
# just trim all white-spaces.
IFS=":"
while read KEY VAL; do
- echo -ne "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g' >> $ENV
- echo -ne "=" >> $ENV
- echo "$VAL" | tr -d " \t" >> $ENV
+ printf '%s=%s\n' \
+ "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
+ "$(echo "$VAL" | tr -d ' \t')" >> $ENV
done
# Add partition size
echo "DATA_SIZE=$SIZE" >> $ENV
-
- ln -sf $ENV ${IMAGE_BASENAME}-${MACHINE}.$TYPE.verity.env
}
verity_setup() {
@@ -68,13 +72,13 @@ python __anonymous() {
image_fstypes = d.getVar('IMAGE_FSTYPES')
pn = d.getVar('PN')
- if verity_image != pn:
- return # This doesn't concern this image
-
if not verity_image or not verity_type:
bb.warn('dm-verity-img class inherited but not used')
return
+ if verity_image != pn:
+ return # This doesn't concern this image
+
if len(verity_type.split()) is not 1:
bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type')
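Review bot: `len(verity_type.split()) is not 1` compares an int by identity; it only works because CPython caches small integers, and Python 3.8+ emits a SyntaxWarning for it. It should read `if len(verity_type.split()) != 1:`. The anonymous function continues past the end of the hunk.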
diff --git a/kas/kas-security-alt.yml b/kas/kas-security-alt.yml
new file mode 100644
index 0000000..309acaa
--- /dev/null
+++ b/kas/kas-security-alt.yml
@@ -0,0 +1,8 @@
+header:
+ version: 9
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ alt: |
+ DISTRO_FEATURES_append = " apparmor pam smack systemd"
diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml
new file mode 100644
index 0000000..4bb2037
--- /dev/null
+++ b/kas/kas-security-base.yml
@@ -0,0 +1,62 @@
+header:
+ version: 8
+
+distro: poky
+
+repos:
+ meta-security:
+ layers:
+ ../meta-security:
+ meta-tpm:
+ meta-integrity:
+ meta-security-compliance:
+
+ poky:
+ url: https://git.yoctoproject.org/git/poky
+ refspec: dunfell
+ layers:
+ meta:
+ meta-poky:
+ meta-yocto-bsp:
+
+ meta-openembedded:
+ url: http://git.openembedded.org/meta-openembedded
+ refspec: dunfell
+ layers:
+ meta-oe:
+ meta-perl:
+ meta-python:
+ meta-networking:
+
+local_conf_header:
+ base: |
+ CONF_VERSION = "1"
+ SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/"
+ SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n"
+ BB_HASHSERVE = "auto"
+ BB_SIGNATURE_HANDLER = "OEEquivHash"
+ INHERIT += "buildstats buildstats-summary buildhistory"
+ INHERIT += "report-error"
+ INHERIT += "testimage"
+ TEST_QEMUBOOT_TIMEOUT = "1500"
+ EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
+ PACKAGE_CLASSES = "package_ipk"
+
+
+ diskmon: |
+ BB_DISKMON_DIRS = "\
+ STOPTASKS,${TMPDIR},1G,100K \
+ STOPTASKS,${DL_DIR},1G,100K \
+ STOPTASKS,${SSTATE_DIR},1G,100K \
+ STOPTASKS,/tmp,100M,100K \
+ ABORT,${TMPDIR},100M,1K \
+ ABORT,${DL_DIR},100M,1K \
+ ABORT,${SSTATE_DIR},100M,1K \
+ ABORT,/tmp,10M,1K"
+
+bblayers_conf_header:
+ base: |
+ POKY_BBLAYERS_CONF_VERSION = "2"
+ BBPATH = "${TOPDIR}"
+ BBFILES ?= ""
+
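Review bot: `SOURCE_MIRROR_URL`, `SSTATE_MIRRORS` and the meta-openembedded `url` all use plain `http://`, so the layer checkout and the sstate objects — prebuilt binaries that end up in every CI image — are fetched without transport integrity; recipe sources are normally checked against SRC_URI checksums, but as far as I know sstate archives pulled from a mirror are not content-verified in the same way. The `poky` entry already uses https, so switch the other three: `url: https://git.openembedded.org/meta-openembedded`, `SOURCE_MIRROR_URL = "https://downloads.yoctoproject.org/mirror/sources/"`, and the same scheme in `SSTATE_MIRRORS` if the mirror serves it. `EXTRA_IMAGE_FEATURES ?= "debug-tweaks"` also enables an empty root password and similar conveniences in every image built from these configs; reasonable for a QEMU CI loop, but a comment stating that this base file must not be reused for shipped images would prevent an accidental copy.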
diff --git a/kas/kas-security-dm.yml b/kas/kas-security-dm.yml
new file mode 100644
index 0000000..7ce0e9d
--- /dev/null
+++ b/kas/kas-security-dm.yml
@@ -0,0 +1,13 @@
+header:
+ version: 9
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ dm-verify: |
+ DM_VERITY_IMAGE = "core-image-minimal"
+ DM_VERITY_IMAGE_TYPE = "ext4"
+ IMAGE_CLASSES += "dm-verity-img"
+ INITRAMFS_IMAGE_BUNDLE = "1"
+ INITRAMFS_IMAGE = "dm-verity-image-initramfs"
+
diff --git a/kas/qemuarm.yml b/kas/qemuarm.yml
new file mode 100644
index 0000000..f51abac
--- /dev/null
+++ b/kas/qemuarm.yml
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+machine: qemuarm
diff --git a/kas/qemuarm64-alt.yml b/kas/qemuarm64-alt.yml
new file mode 100644
index 0000000..48e688c
--- /dev/null
+++ b/kas/qemuarm64-alt.yml
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-alt.yml
+
+machine: qemuarm64
diff --git a/kas/qemuarm64-ima.yml b/kas/qemuarm64-ima.yml
new file mode 100644
index 0000000..b478472
--- /dev/null
+++ b/kas/qemuarm64-ima.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-security: |
+ DISTRO_FEATURES_append = " ima"
+
+machine: qemuarm64
diff --git a/kas/qemuarm64-multi.yml b/kas/qemuarm64-multi.yml
new file mode 100644
index 0000000..d79142c
--- /dev/null
+++ b/kas/qemuarm64-multi.yml
@@ -0,0 +1,12 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ multi: |
+ require conf/multilib.conf
+ MULTILIBS = "multilib:lib32"
+ DEFAULTTUNE_virtclass-multilib-lib32 = "armv7athf-neon"
+
+machine: qemuarm64
diff --git a/kas/qemuarm64-musl.yml b/kas/qemuarm64-musl.yml
new file mode 100644
index 0000000..b353eb4
--- /dev/null
+++ b/kas/qemuarm64-musl.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ musl: |
+ TCLIBC = "musl"
+
+machine: qemuarm64
diff --git a/kas/qemuarm64-tpm2.yml b/kas/qemuarm64-tpm2.yml
new file mode 100644
index 0000000..3a8d8fc
--- /dev/null
+++ b/kas/qemuarm64-tpm2.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-security: |
+ DISTRO_FEATURES_append = " tpm2"
+
+machine: qemuarm64
diff --git a/kas/qemuarm64.yml b/kas/qemuarm64.yml
new file mode 100644
index 0000000..a0c2d1a
--- /dev/null
+++ b/kas/qemuarm64.yml
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+machine: qemuarm64
diff --git a/kas/qemumips64-alt.yml b/kas/qemumips64-alt.yml
new file mode 100644
index 0000000..923c213
--- /dev/null
+++ b/kas/qemumips64-alt.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ alt: |
+ DISTRO_FEATURES_append = " pam systmed"
+
+machine: qemumips64
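Review bot: `DISTRO_FEATURES_append = " pam systmed"` misspells systemd, so this `-alt` job silently builds without the feature it was meant to exercise and nothing in the build will flag the unknown token; it should read `DISTRO_FEATURES_append = " pam systemd"`. The other `-alt` configs include `kas-security-alt.yml` (apparmor pam smack systemd) rather than redefining the list; if mips64 deliberately skips apparmor and smack, a one-line comment explaining why would stop someone "fixing" the inconsistency later.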
diff --git a/kas/qemumips64-multi.yml b/kas/qemumips64-multi.yml
new file mode 100644
index 0000000..c8cf94b
--- /dev/null
+++ b/kas/qemumips64-multi.yml
@@ -0,0 +1,14 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ multi: |
+ require conf/multilib.conf
+ MULTILIBS = "multilib:lib64 multilib:lib32"
+ DEFAULTTUNE = "mips64-n32"
+ DEFAULTTUNE_virtclass-multilib-lib64 = "mips64"
+ DEFAULTTUNE_virtclass-multilib-lib32 = "mips32r2"
+
+machine: qemumips64
diff --git a/kas/qemumips64.yml b/kas/qemumips64.yml
new file mode 100644
index 0000000..64e52f7
--- /dev/null
+++ b/kas/qemumips64.yml
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+machine: qemumips64
diff --git a/kas/qemuppc.yml b/kas/qemuppc.yml
new file mode 100644
index 0000000..3dad81c
--- /dev/null
+++ b/kas/qemuppc.yml
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+machine: qemuppc
diff --git a/kas/qemuriscv64.yml b/kas/qemuriscv64.yml
new file mode 100644
index 0000000..e1b1e49
--- /dev/null
+++ b/kas/qemuriscv64.yml
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+machine: qemuriscv64
diff --git a/kas/qemux86-64-alt.yml b/kas/qemux86-64-alt.yml
new file mode 100644
index 0000000..f0d6b27
--- /dev/null
+++ b/kas/qemux86-64-alt.yml
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-alt.yml
+
+machine: qemux86-64
diff --git a/kas/qemux86-64-dm-verify.yml b/kas/qemux86-64-dm-verify.yml
new file mode 100644
index 0000000..1f26008
--- /dev/null
+++ b/kas/qemux86-64-dm-verify.yml
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-dm.yml
+
+machine: qemux86-64
diff --git a/kas/qemux86-64-ima.yml b/kas/qemux86-64-ima.yml
new file mode 100644
index 0000000..e64931c
--- /dev/null
+++ b/kas/qemux86-64-ima.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-security: |
+ DISTRO_FEATURES_append = " ima"
+
+machine: qemux86-64
diff --git a/kas/qemux86-64-multi.yml b/kas/qemux86-64-multi.yml
new file mode 100644
index 0000000..711ce28
--- /dev/null
+++ b/kas/qemux86-64-multi.yml
@@ -0,0 +1,12 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ multi: |
+ require conf/multilib.conf
+ MULTILIBS = "multilib:lib32"
+ DEFAULTTUNE_virtclass-multilib-lib32 = "x86"
+
+machine: qemux86-64
diff --git a/kas/qemux86-64-tpm.yml b/kas/qemux86-64-tpm.yml
new file mode 100644
index 0000000..565b423
--- /dev/null
+++ b/kas/qemux86-64-tpm.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-security: |
+ DISTRO_FEATURES_append = " tpm"
+
+machine: qemux86-64
diff --git a/kas/qemux86-64-tpm2.yml b/kas/qemux86-64-tpm2.yml
new file mode 100644
index 0000000..a43693e
--- /dev/null
+++ b/kas/qemux86-64-tpm2.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-security: |
+ DISTRO_FEATURES_append = " tpm2"
+
+machine: qemux86-64
diff --git a/kas/qemux86-64.yml b/kas/qemux86-64.yml
new file mode 100644
index 0000000..4ba2b66
--- /dev/null
+++ b/kas/qemux86-64.yml
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+machine: qemux86-64
diff --git a/kas/qemux86-ima.yml b/kas/qemux86-ima.yml
new file mode 100644
index 0000000..6528ba6
--- /dev/null
+++ b/kas/qemux86-ima.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-security: |
+ DISTRO_FEATURES_append = " ima"
+
+machine: qemux86
diff --git a/kas/qemux86-musl.yml b/kas/qemux86-musl.yml
new file mode 100644
index 0000000..61d9572
--- /dev/null
+++ b/kas/qemux86-musl.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ musl: |
+ TCLIBC = "musl"
+
+machine: qemux86
diff --git a/kas/qemux86-test.yml b/kas/qemux86-test.yml
new file mode 100644
index 0000000..7b5f451
--- /dev/null
+++ b/kas/qemux86-test.yml
@@ -0,0 +1,11 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+
+local_conf_header:
+ meta-security: |
+ DISTRO_FEATURES_append = " apparmor smack pam"
+
+machine: qemux86
diff --git a/kas/qemux86.yml b/kas/qemux86.yml
new file mode 100644
index 0000000..83a5353
--- /dev/null
+++ b/kas/qemux86.yml
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+machine: qemux86
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 4607948..8f525a6 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -10,15 +10,11 @@ Dependencies
This layer depends on:
URI: git://git.openembedded.org/bitbake
- branch: master
+ branch: dunfell
URI: git://git.openembedded.org/openembedded-core
layers: meta
- branch: master
-
- URI: git://github.com/01org/meta-security/meta-integrate
- layers: security-framework
- branch: master
+ branch: dunfell
Patches
@@ -73,8 +69,10 @@ Adding the layer only enables IMA (see below regarding EVM) during
compilation of the Linux kernel. To also activate it when building
the image, enable image signing in the local.conf like this:
- INHERIT += "ima-evm-rootfs"
+ IMAGE_CLASSES += "ima-evm-rootfs"
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+ IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+ IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
This uses the default keys provided in the "data" directory of the layer.
Because everyone has access to these private keys, such an image
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index d6ade3b..0acd6e7 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -28,6 +28,9 @@ IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false"
# the iversion flags (needed by IMA when allowing writing).
IMA_EVM_ROOTFS_IVERSION ?= ""
+# Avoid re-generating fstab when ima is enabled.
+WIC_CREATE_EXTRA_ARGS_append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
+
ima_evm_sign_rootfs () {
cd ${IMAGE_ROOTFS}
@@ -37,15 +40,6 @@ ima_evm_sign_rootfs () {
# reasons (including a change of the signing keys) without also
# re-running do_rootfs.
- # Copy file(s) which must be on the device. Note that
- # evmctl uses x509_evm.der also for "ima_verify", which is probably
- # a bug (should default to x509_ima.der). Does not matter for us
- # because we use the same key for both.
- install -d ./${sysconfdir}/keys
- rm -f ./${sysconfdir}/keys/x509_evm.der
- install "${IMA_EVM_X509}" ./${sysconfdir}/keys/x509_evm.der
- ln -sf x509_evm.der ./${sysconfdir}/keys/x509_ima.der
-
# Fix /etc/fstab: it must include the "i_version" mount option for
# those file systems where writing files is allowed, otherwise
# these changes will not get detected at runtime.
@@ -80,13 +74,16 @@ ima_evm_sign_rootfs () {
}
# Signing must run as late as possible in the do_rootfs task.
-# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so
-# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with
-# _append instead of += because _append gets evaluated later. In
-# particular, we must run after prelink_image in
-# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables.
+# To guarantee that, we append it to IMAGE_PREPROCESS_COMMAND in
+# RecipePreFinalise event handler, this ensures it's the last
+# function in IMAGE_PREPROCESS_COMMAND.
+python ima_evm_sign_handler () {
+ if not e.data or 'ima' not in e.data.getVar('DISTRO_FEATURES').split():
+ return
-IMAGE_PREPROCESS_COMMAND_append = " ima_evm_sign_rootfs ; "
-
-# evmctl must have been installed first.
-do_rootfs[depends] += "ima-evm-utils-native:do_populate_sysroot"
+ e.data.appendVar('IMAGE_PREPROCESS_COMMAND', ' ima_evm_sign_rootfs; ')
+ e.data.appendVar('IMAGE_INSTALL', ' ima-evm-keys')
+ e.data.appendVarFlag('do_rootfs', 'depends', ' ima-evm-utils-native:do_populate_sysroot')
+}
+addhandler ima_evm_sign_handler
+ima_evm_sign_handler[eventmask] = "bb.event.RecipePreFinalise"
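Review bot: `e.data.getVar('DISTRO_FEATURES').split()` raises AttributeError instead of returning when DISTRO_FEATURES is unset, because `getVar` yields None; guard it with `if not e.data or 'ima' not in (e.data.getVar('DISTRO_FEATURES') or '').split():`. The comment also claims the handler "ensures it's the last function" in IMAGE_PREPROCESS_COMMAND, which it cannot guarantee if another class appends from the same event; it would be more accurate to say it runs after all parse-time assignments, including `prelink_image`, which the removed comment named as the reason signing must come last (prelinking rewrites the executables being signed).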
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index b4edac3..6072e6d 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -2,8 +2,7 @@
BBPATH =. "${LAYERDIR}:"
# We have a packages directory, add to BBFILES
-BBFILES := "${BBFILES} \
- ${LAYERDIR}/recipes-*/*/*.bb \
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
${LAYERDIR}/recipes-*/*/*.bbappend"
BBFILE_COLLECTIONS += "integrity"
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index dacdc8b..6471c53 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
# to this recipe can just point towards one of its own files.
IMA_POLICY ?= "ima-policy-hashed"
+# Force proceed IMA procedure even 'no_ima' boot parameter is available.
+IMA_FORCE ?= "false"
+
SRC_URI = " file://ima"
inherit features_check
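Review bot: The comment on `IMA_FORCE` is hard to parse ("Force proceed IMA procedure even 'no_ima' boot parameter is available") and leaves out the security consequence of the default: with `"false"`, anyone who can edit the kernel command line can append `no_ima` and boot with no IMA policy loaded at all. Suggested wording: `# When "true", load the IMA policy even if the kernel command line carries "no_ima". The default "false" keeps that opt-out, which is only acceptable when the bootloader and command line are themselves locked down.` Since the value is substituted into the init script verbatim, it is also worth stating that anything other than the literal `true` is treated as not forcing.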
@@ -23,9 +26,11 @@ do_install () {
install -d ${D}/${sysconfdir}/ima
install -d ${D}/init.d
install ${WORKDIR}/ima ${D}/init.d/20-ima
+
+ sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
}
FILES_${PN} = "/init.d ${sysconfdir}"
-RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"
+RDEPENDS_${PN} = "keyutils ima-evm-keys ${IMA_POLICY}"
RDEPENDS_${PN} += "initramfs-framework-base"
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
index 8616f99..8971494 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
@@ -2,9 +2,15 @@
#
# Loads IMA policy into the kernel.
+force_ima=@@FORCE_IMA@@
+
ima_enabled() {
- if [ "$bootparam_no_ima" = "true" ]; then
+ if [ "$force_ima" = "true" ]; then
+ return 0
+ elif [ "$bootparam_no_ima" = "true" ]; then
return 1
+ else
+ return 0
fi
}
@@ -46,7 +52,7 @@ ima_run() {
# ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
# checking the write of each line. To minimize the risk of policy loading going wrong we
# also remove comments and blank lines ourselves.
- if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then
+ if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima/ima-policy >/sys/kernel/security/ima/policy; then
fatal "Could not load IMA policy."
fi
}
diff --git a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
new file mode 100644
index 0000000..7708aef
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
@@ -0,0 +1,17 @@
+SUMMARY = "IMA/EMV public keys"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
+ALLOW_EMPTY_${PN} = "1"
+
+do_install () {
+ if [ -e "${IMA_EVM_X509}" ]; then
+ install -d ${D}/${sysconfdir}/keys
+ install "${IMA_EVM_X509}" ${D}${sysconfdir}/keys/x509_evm.der
+ lnr ${D}${sysconfdir}/keys/x509_evm.der ${D}${sysconfdir}/keys/x509_ima.der
+ fi
+}
+do_install[file-checksums] += "${@'${IMA_EVM_X509}:%s' % os.path.exists('${IMA_EVM_X509}')}"
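Review bot: When `${IMA_EVM_X509}` does not exist, `do_install` installs nothing and `ALLOW_EMPTY_${PN} = "1"` lets the package build anyway, so an IMA-enabled image can ship without `/etc/keys/x509_evm.der` and appraisal will then fail to verify every signature at runtime with nothing in the build log pointing at the cause. At minimum add an `else` branch with `bbwarn "IMA_EVM_X509 (${IMA_EVM_X509}) not found; no IMA/EVM certificate installed"`, or `bbfatal` if building without a certificate is never a supported configuration. `SUMMARY` also reads "IMA/EMV public keys" — should be `EVM`.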
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
index 7f649c2..bd85583 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
@@ -26,6 +26,7 @@ S = "${WORKDIR}/git"
inherit pkgconfig autotools features_check
REQUIRED_DISTRO_FEATURES = "ima"
+REQUIRED_DISTRO_FEATURES_class-native = ""
EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
index da62a4c..84ea161 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -2,19 +2,14 @@ SUMMARY = "IMA sample simple appraise policy "
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_appraise_all"
-
-SRC_URI = " file://${IMA_POLICY}"
+SRC_URI = " file://ima_policy_appraise_all"
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+ install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy
}
FILES_${PN} = "${sysconfdir}/ima"
diff --git a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
index 7f89c8d..4d9e4ca 100644
--- a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
+++ b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
@@ -53,6 +53,9 @@ dont_measure fsmagic=0x43415d53
# CGROUP_SUPER_MAGIC
dont_appraise fsmagic=0x27e0eb
dont_measure fsmagic=0x27e0eb
+# CGROUP2_SUPER_MAGIC
+dont_appraise fsmagic=0x63677270
+dont_measure fsmagic=0x63677270
# EFIVARFS_MAGIC
dont_appraise fsmagic=0xde5e81e4
dont_measure fsmagic=0xde5e81e4
diff --git a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
index ebb0426..ff7169e 100644
--- a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -2,13 +2,8 @@ SUMMARY = "IMA sample hash policy"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_hashed"
-
SRC_URI = " \
- file://${IMA_POLICY} \
+ file://ima_policy_hashed \
"
inherit features_check
@@ -16,7 +11,7 @@ REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+ install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy
}
FILES_${PN} = "${sysconfdir}/ima"
diff --git a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
index cb4b6b8..0e56aec 100644
--- a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -2,19 +2,14 @@ SUMMARY = "IMA sample simple policy"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_simple"
-
-SRC_URI = " file://${IMA_POLICY}"
+SRC_URI = " file://ima_policy_simple"
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+ install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy
}
FILES_${PN} = "${sysconfdir}/ima"
diff --git a/meta-security-compliance/README b/meta-security-compliance/README
index 320f856..86a95fb 100644
--- a/meta-security-compliance/README
+++ b/meta-security-compliance/README
@@ -9,16 +9,16 @@ Dependencies
This layer depends on:
URI: git://git.openembedded.org/bitbake
- branch: master
+ branch: 1.48
URI: git://git.openembedded.org/openembedded-core
layers: meta
- branch: master
+ branch: dunfell
or
URI: git://git.yoctoproject.org/poky
- branch: master
+ branch: dunfell
@@ -28,7 +28,7 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][PATCH'
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][dunfell][PATCH'
Layer Maintainer: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
index 66c2623..32fce0f 100644
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -6,7 +6,7 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
LICENSE = "LGPL-2.1"
-DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native"
+DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native expat-native"
S = "${WORKDIR}/git"
diff --git a/meta-security-isafw/README.md b/meta-security-isafw/README.md
index 16041cb..48db167 100644
--- a/meta-security-isafw/README.md
+++ b/meta-security-isafw/README.md
@@ -78,12 +78,12 @@ Patches
end pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security-isafw][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security-isafw][dunfell][PATCH'
These values can be set as defaults for this repository:
$ git config sendemail.to yocto@lists.yoctoproject.org
-$ git config format.subjectPrefix meta-security-isafw][PATCH
+$ git config format.subjectPrefix meta-security-isafw][dunfell][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
diff --git a/meta-security-isfafw/classes/isafw.bbclass b/meta-security-isafw/classes/isafw.bbclass
index 146acdf..146acdf 100644
--- a/meta-security-isfafw/classes/isafw.bbclass
+++ b/meta-security-isafw/classes/isafw.bbclass
diff --git a/meta-tpm/README b/meta-tpm/README
index dd662b3..90e211c 100644
--- a/meta-tpm/README
+++ b/meta-tpm/README
@@ -9,12 +9,12 @@ Dependencies
This layer depends on:
URI: git://git.openembedded.org/openembedded-core
- branch: master
+ branch: dunfell
revision: HEAD
prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-oe
- branch: master
+ branch: dunfell
revision: HEAD
prio: default
@@ -41,12 +41,12 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][dunfell][PATCH'
These values can be set as defaults for this repository:
$ git config sendemail.to yocto@yoctoproject.org
-$ git config format.subjectPrefix meta-security][PATCH
+$ git config format.subjectPrefix meta-security][dunfell][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index 8f5c537..a553a63 100644
--- a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -7,6 +7,7 @@ inherit packagegroup
PACKAGES = "${PN}"
+PREFERRED_PROVIDER_cryptsetup ?= "cryptsetup-tpm-incubator"
SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support"
RDEPENDS_packagegroup-security-tpm2 = " \
tpm2-tools \
@@ -19,5 +20,5 @@ RDEPENDS_packagegroup-security-tpm2 = " \
tpm2-abrmd \
tpm2-pkcs11 \
ibmswtpm2 \
- cryptsetup-tpm-incubator \
+ ${PREFERRED_PROVIDER_cryptsetup} \
"
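Review bot: `PREFERRED_PROVIDER_cryptsetup ?=` is set in a packagegroup recipe, where it only affects this recipe's datastore: here it serves as the name substituted into RDEPENDS, it does not select the provider for other recipes the way the same variable does in local.conf or a distro conf. It also mixes namespaces, since PREFERRED_PROVIDER normally holds a recipe name while RDEPENDS wants a runtime package name (the two coincide for cryptsetup-tpm-incubator, which gains RPROVIDES cryptsetup elsewhere in this commit). A comment such as `# Overridable from local.conf; the value must be a package that RPROVIDES cryptsetup` would make both points explicit.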
diff --git a/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb b/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb
index 88ef19f..658283f 100644
--- a/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb
+++ b/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb
@@ -9,17 +9,17 @@ SECTION = "tpm"
LICENSE = "CPL-1.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
-DEPENDS = "libtspi openssl"
+DEPENDS = "libtspi openssl perl"
DEPENDS_class-native = "trousers-native"
SRCREV = "bdf9f1bc8f63cd6fc370c2deb58d03ac55079e84"
SRC_URI = " \
- git://git.code.sf.net/p/trousers/tpm-tools \
- file://tpm-tools-extendpcr.patch \
- file://04-fix-FTBFS-clang.patch \
- file://05-openssl1.1_fix_data_mgmt.patch \
- file://openssl1.1_fix.patch \
- "
+ git://git.code.sf.net/p/trousers/tpm-tools \
+ file://tpm-tools-extendpcr.patch \
+ file://04-fix-FTBFS-clang.patch \
+ file://05-openssl1.1_fix_data_mgmt.patch \
+ file://openssl1.1_fix.patch \
+ "
inherit autotools-brokensep gettext
diff --git a/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
new file mode 100644
index 0000000..72c81d1
--- /dev/null
+++ b/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
@@ -0,0 +1,94 @@
+From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <mgerstner@suse.de>
+Date: Fri, 14 Aug 2020 22:14:36 -0700
+Subject: [PATCH] Correct multiple security issues that are present if the tcsd
+ is started by root instead of the tss user.
+
+Patch fixes the following 3 CVEs:
+
+CVE-2020-24332
+If the tcsd daemon is started with root privileges,
+the creation of the system.data file is prone to symlink attacks
+
+CVE-2020-24330
+If the tcsd daemon is started with root privileges,
+it fails to drop the root gid after it is no longer needed
+
+CVE-2020-24331
+If the tcsd daemon is started with root privileges,
+the tss user has read and write access to the /etc/tcsd.conf file
+
+Authored-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-24332
+CVE: CVE-2020-24330
+CVE: CVE-2020-24331
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/tcs/ps/tcsps.c | 2 +-
+ src/tcsd/svrside.c | 1 +
+ src/tcsd/tcsd_conf.c | 10 +++++-----
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+Index: git/src/tcs/ps/tcsps.c
+===================================================================
+--- git.orig/src/tcs/ps/tcsps.c
++++ git/src/tcs/ps/tcsps.c
+@@ -72,7 +72,7 @@ get_file()
+ }
+
+ /* open and lock the file */
+- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
+ if (system_ps_fd < 0) {
+ LogError("system PS: open() of %s failed: %s",
+ tcsd_options.system_ps_file, strerror(errno));
+Index: git/src/tcsd/svrside.c
+===================================================================
+--- git.orig/src/tcsd/svrside.c
++++ git/src/tcsd/svrside.c
+@@ -473,6 +473,7 @@ main(int argc, char **argv)
+ }
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
++ setgid(pwd->pw_gid);
+ setuid(pwd->pw_uid);
+ #endif
+ #endif
+Index: git/src/tcsd/tcsd_conf.c
+===================================================================
+--- git.orig/src/tcsd/tcsd_conf.c
++++ git/src/tcsd/tcsd_conf.c
+@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
+ #ifndef SOLARIS
+ struct group *grp;
+ struct passwd *pw;
+- mode_t mode = (S_IRUSR|S_IWUSR);
++ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
+ #endif /* SOLARIS */
+ TSS_RESULT result;
+
+@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
+ }
+
+ /* make sure user/group TSS owns the conf file */
+- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
++ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
+ LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
+- TSS_USER_NAME, TSS_GROUP_NAME);
++ "root", TSS_GROUP_NAME);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+
+- /* make sure only the tss user can manipulate the config file */
++ /* make sure only the tss user can read (but not manipulate) the config file */
+ if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
+- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
++ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
+ return TCSERR(TSS_E_INTERNAL_ERROR);
+ }
+ #endif /* SOLARIS */
diff --git a/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-tpm/recipes-tpm/trousers/trousers_git.bb
index fe8f557..95e821b 100644
--- a/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ b/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -16,6 +16,7 @@ SRC_URI = " \
file://tcsd.service \
file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
+ file://0001-Correct-multiple-security-issues-that-are-present-if.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
index b706d15..2617162 100644
--- a/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
+++ b/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
@@ -36,7 +36,12 @@ FILES_${PN} += "${libdir}/tmpfiles.d"
RDEPENDS_${PN} += "lvm2 libdevmapper"
RRECOMMENDS_${PN} += "lvm2-udevrules"
+RPROVIDES_${PN} = "cryptsetup"
RREPLACES_${PN} = "cryptsetup"
RCONFLICTS_${PN} ="cryptsetup"
+RPROVIDES_${PN}-dev = "cryptsetup-dev"
+RREPLACES_${PN}-dev = "cryptsetup-dev"
+RCONFLICTS_${PN}-dev ="cryptsetup-dev"
+
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
index 8054226..a892761 100644
--- a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
+++ b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
@@ -16,6 +16,8 @@ SRC_URI[sha512sum] = "ff0b9e5f0d0070eb572b23641f7a0e70a8bc65cbf4b59dca1778be3bb0
S = "${WORKDIR}/src"
+INSANE_SKIP_${PN} += "ldflags"
+
do_compile () {
make CC='${CC}'
}
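Review bot: `INSANE_SKIP_${PN} += "ldflags"` silences the QA check rather than fixing its cause: the `make CC='${CC}'` line in do_compile does not pass `${LDFLAGS}`, so tpm_server is linked without the build's link flags, which in OE typically carry the hardening options that check exists to confirm. If the upstream Makefile honours a link-flags variable, passing it (for example `make CC='${CC}' LDFLAGS='${LDFLAGS}'`, variable name to be confirmed against the Makefile) would let the check stay enabled. If the skip must be kept, a comment stating why the flags cannot be applied would help the next maintainer.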
@@ -24,4 +26,3 @@ do_install () {
install -d ${D}/${bindir}
install -m 0755 tpm_server ${D}/${bindir}
}
-
diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
new file mode 100644
index 0000000..3832063
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
@@ -0,0 +1,48 @@
+From 784be35c52a7083b9535bad2fcca416ff9cfd26b Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 21 May 2021 12:22:31 -0500
+Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
+
+tpm2_import used a fixed AES key for the inner wrapper, which means that
+a MITM attack would be able to unwrap the imported key. Even the
+use of an encrypted session will not prevent this. The TPM only
+encrypts the first parameter which is the fixed symmetric key.
+
+To fix this, ensure the key size is 16 bytes or bigger and use
+OpenSSL to generate a secure random AES key.
+
+Fixes: #2738
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+
+Upstream-Status: Backport
+https://github.com/tpm2-software/tpm2-tools/commit/c069e4f179d5e6653a84fb236816c375dca82515
+CVE: CVE-2021-3565
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+---
+ tools/tpm2_import.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
+index 6404cac..acd8ac8 100644
+--- a/tools/tpm2_import.c
++++ b/tools/tpm2_import.c
+@@ -146,7 +146,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
+ TPM2B_DATA enc_sensitive_key = {
+ .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
+ };
+- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
++
++ if(enc_sensitive_key.size < 16) {
++ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
++ return tool_rc_general_error;
++ }
++
++ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
++ if (ossl_rc != 1) {
++ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
++ return tool_rc_general_error;
++ }
+
+ /*
+ * Calculate the object name.
diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb
deleted file mode 100644
index e90dcfe..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-SUMMARY = "Tools for TPM2."
-DESCRIPTION = "tpm2-tools"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=0eb1216e46938bd723098d93a23c3bcc"
-SECTION = "tpm"
-
-DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"
-
-SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
-
-SRC_URI[md5sum] = "701ae9e8c8cbdd37d89c8ad774f55395"
-SRC_URI[sha256sum] = "40b9263d8b949bd2bc03a3cd60fa242e27116727467f9bbdd0b5f2539a25a7b1"
-SRC_URI[sha1sum] = "d097d321237983435f05c974533ad90e6f20acef"
-SRC_URI[sha384sum] = "396547f400e4f5626d7741d77ec543f312d94e6697899f4c36260d15fab3f4f971ad2c0487e6eaa2d60256f3cf68f85f"
-SRC_URI[sha512sum] = "25952cf947f0acd16b1a8dbd3ac8573bce85ff970a7e24c290c4f9cd29418e77a3e48ac82c932fbd250887a9303ab301ff92db594c2fffaba47b873382444d26"
-
-inherit autotools pkgconfig bash-completion
diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb
new file mode 100644
index 0000000..39854d5
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb
@@ -0,0 +1,20 @@
+SUMMARY = "Tools for TPM2."
+DESCRIPTION = "tpm2-tools"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=0eb1216e46938bd723098d93a23c3bcc"
+SECTION = "tpm"
+
+DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+SRC_URI += "file://0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch"
+
+SRC_URI[md5sum] = "48e0f58232b6a86fe4d007acf12af283"
+SRC_URI[sha256sum] = "bb5d3310620e75468fe33dbd530bd73dd648c70ec707b4579c74d9f63fc82704"
+SRC_URI[sha1sum] = "b2cef4d06817a6859082d50863464a858a493a63"
+SRC_URI[sha384sum] = "996c33201c92bcbdbf8f11f84d25a8e2938c330fb7fb66a47eafb3c5a41fab9bcb9a769dc20226accdea2486b626bd68"
+SRC_URI[sha512sum] = "bf1ba9f8a4e12c71987650b309710574cc796e78d26c5de1cae77b0e150cea0f3b3695e56415be1994c4a6ad90e8f991d5db603138933fd21c46f7b86148a9b4"
+
+inherit autotools pkgconfig bash-completion
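Review bot: Five checksum lines (md5, sha256, sha1, sha384, sha512) are carried for one tarball; bitbake needs only one and `SRC_URI[sha256sum]` is the conventional choice, so the other four are maintenance noise that all have to be refreshed on the next bump. `LICENSE = "BSD"` is also unspecific; if the LICENSE file the md5 points at is the 3-clause variant, `LICENSE = "BSD-3-Clause"` is the precise identifier (to be confirmed from that file).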
diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb
index f9ea376..187aeae 100644
--- a/recipes-core/images/dm-verity-image-initramfs.bb
+++ b/recipes-core/images/dm-verity-image-initramfs.bb
@@ -1,26 +1,34 @@
DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper."
-# We want a clean, minimal image.
-IMAGE_FEATURES = ""
+inherit core-image
PACKAGE_INSTALL = " \
- initramfs-dm-verity \
base-files \
+ base-passwd \
busybox \
- util-linux-mount \
- udev \
cryptsetup \
+ initramfs-module-dmverity \
+ initramfs-module-udev \
lvm2-udevrules \
+ udev \
+ util-linux-mount \
"
+# We want a clean, minimal image.
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = ""
+
# Can we somehow inspect reverse dependencies to avoid these variables?
-do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
+do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
-IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
+# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
+do_image[nostamp] = "1"
-inherit core-image
+IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
deploy_verity_hash() {
- install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env
+ install -D -m 0644 \
+ ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \
+ ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env
}
-ROOTFS_POSTPROCESS_COMMAND += "deploy_verity_hash;"
+IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;"
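Review bot: deploy_verity_hash reads `${STAGING_VERITY_DIR}`, which is defined nowhere in this recipe and has no comment saying where it comes from (presumably dm-verity-img.bbclass, which this commit also touches); the same goes for DM_VERITY_IMAGE and DM_VERITY_IMAGE_TYPE, and an unset DM_VERITY_IMAGE turns the do_image[depends] entry into a malformed `:do_image_` task name. A header comment such as `# DM_VERITY_IMAGE, DM_VERITY_IMAGE_TYPE and STAGING_VERITY_DIR are provided by dm-verity-img.bbclass / the verity image recipe` plus a guard like `python () { if not d.getVar('DM_VERITY_IMAGE'): bb.fatal('DM_VERITY_IMAGE must be set') }` would make the failure explicit instead of a confusing task-name error. `do_image[nostamp]` is explained inline, which is good, but its cost (do_image reruns on every build) is worth a word in the same comment.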
diff --git a/recipes-core/initrdscripts/initramfs-dm-verity.bb b/recipes-core/initrdscripts/initramfs-dm-verity.bb
deleted file mode 100644
index b614956..0000000
--- a/recipes-core/initrdscripts/initramfs-dm-verity.bb
+++ /dev/null
@@ -1,13 +0,0 @@
-SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-SRC_URI = "file://init-dm-verity.sh"
-
-do_install() {
- install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init
- install -d ${D}/dev
- mknod -m 622 ${D}/dev/console c 5 1
-}
-
-FILES_${PN} = "/init /dev/console"
diff --git a/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh b/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
deleted file mode 100644
index 307d2c7..0000000
--- a/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/sh
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-RDEV=""
-ROOT_DIR="/new_root"
-
-mkdir -p /proc
-mkdir -p /sys
-mkdir -p /run
-mkdir -p /tmp
-mount -t proc proc /proc
-mount -t sysfs sysfs /sys
-mount -t devtmpfs none /dev
-
-udevd --daemon
-udevadm trigger --type=subsystems --action=add
-udevadm trigger --type=devices --action=add
-udevadm settle --timeout=10
-
-for PARAM in $(cat /proc/cmdline); do
- case $PARAM in
- root=*)
- RDEV=${PARAM#root=}
- ;;
- esac
-done
-
-if ! [ -b $RDEV ]; then
- echo "Missing root command line argument!"
- exit 1
-fi
-
-case $RDEV in
- UUID=*)
- RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=})
- ;;
-esac
-
-. /usr/share/dm-verity.env
-
-echo "Mounting $RDEV over dm-verity as the root filesystem"
-
-veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH
-mkdir -p $ROOT_DIR
-mount -o ro /dev/mapper/rootfs $ROOT_DIR
-exec switch_root $ROOT_DIR /sbin/init
diff --git a/recipes-core/initrdscripts/initramfs-framework/dmverity b/recipes-core/initrdscripts/initramfs-framework/dmverity
new file mode 100644
index 0000000..888052c
--- /dev/null
+++ b/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+dmverity_enabled() {
+ return 0
+}
+
+dmverity_run() {
+ DATA_SIZE="__not_set__"
+ ROOT_HASH="__not_set__"
+
+ . /usr/share/misc/dm-verity.env
+
+ C=0
+ delay=${bootparam_rootdelay:-1}
+ timeout=${bootparam_roottimeout:-5}
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ while [ ! -b "${RDEV}" ]; do
+ if [ $(( $C * $delay )) -gt $timeout ]; then
+ fatal "Root device resolution failed"
+ exit 1
+ fi
+
+ case "${bootparam_root}" in
+ ID=*)
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+ ;;
+ LABEL=*)
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+ ;;
+ PARTLABEL=*)
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+ ;;
+ PARTUUID=*)
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ ;;
+ PATH=*)
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+ ;;
+ UUID=*)
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+ ;;
+ *)
+ RDEV="${bootparam_root}"
+ esac
+ debug "Sleeping for $delay second(s) to wait root to settle..."
+ sleep $delay
+ C=$(( $C + 1 ))
+
+ done
+
+ veritysetup \
+ --data-block-size=1024 \
+ --hash-offset=${DATA_SIZE} \
+ create rootfs \
+ ${RDEV} \
+ ${RDEV} \
+ ${ROOT_HASH}
+
+ mount \
+ -o ro \
+ /dev/mapper/rootfs \
+ ${ROOTFS_DIR} || exit 2
+}
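Review bot: The `__not_set__` sentinels on DATA_SIZE and ROOT_HASH are never checked after the env file is sourced, so a missing or truncated /usr/share/misc/dm-verity.env leads straight into `veritysetup --hash-offset=__not_set__`, and veritysetup's own exit status is not checked either; only the final mount fails with exit 2, which hides the real cause. The rewrite below validates both values after sourcing and aborts when veritysetup fails, reusing the script's existing fatal-then-exit pattern (what fatal does on its own is defined by initramfs-framework's init, outside this hunk). A comment at the top of dmverity_run should also record the trust assumption: the root hash is read from a file inside the initramfs, so the verity guarantee holds only if the initramfs is itself covered by the boot-chain verification (e.g. bundled into a signed kernel image). Separately, RDEV is first resolved via by-partuuid on the line before the loop regardless of the root= form, so a plain device path always pays one sleep before the case statement corrects it.
```shell
dmverity_run() {
    DATA_SIZE="__not_set__"
    ROOT_HASH="__not_set__"

    # ROOT_HASH/DATA_SIZE are read from the initramfs; they are only as
    # trustworthy as the initramfs, which the boot chain must verify.
    . /usr/share/misc/dm-verity.env
    if [ "${DATA_SIZE}" = "__not_set__" ] || [ "${ROOT_HASH}" = "__not_set__" ]; then
        fatal "dm-verity.env did not set DATA_SIZE/ROOT_HASH"
        exit 1
    fi

    # … unchanged: root device resolution loop …

    veritysetup \
        --data-block-size=1024 \
        --hash-offset=${DATA_SIZE} \
        create rootfs \
        ${RDEV} \
        ${RDEV} \
        ${ROOT_HASH} || { fatal "veritysetup create failed for ${RDEV}"; exit 1; }

    # … unchanged: mount of /dev/mapper/rootfs …
}
```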
diff --git a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
new file mode 100644
index 0000000..dad9c96
--- /dev/null
+++ b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -0,0 +1,16 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append = "\
+ file://dmverity \
+"
+
+do_install_append() {
+ # dm-verity
+ install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
+}
+
+PACKAGES_append = " initramfs-module-dmverity"
+
+SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support"
+RDEPENDS_initramfs-module-dmverity = "${PN}-base"
+FILES_initramfs-module-dmverity = "/init.d/80-dmverity"
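Review bot: `RDEPENDS_initramfs-module-dmverity = "${PN}-base"` leaves out what the module actually needs at run time: the script calls veritysetup and resolves the root device through the /dev/disk/by-* links the udev module creates, yet those dependencies live only in the image recipe's PACKAGE_INSTALL. Expressing them on the package, e.g. `RDEPENDS_initramfs-module-dmverity = "${PN}-base initramfs-module-udev cryptsetup"` (cryptsetup, or whichever package RPROVIDES it, being where veritysetup comes from — to be confirmed), keeps any image that installs the module from ending up without them. The install line also relies on ${D}/init.d already existing from the base recipe's do_install, which holds as long as this append runs after it; a `-m 0755` on the `install` would match how the other framework modules are installed.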
diff --git a/recipes-ids/samhain/samhain.inc b/recipes-ids/samhain/samhain.inc
index 0a5e432..b867bbc 100644
--- a/recipes-ids/samhain/samhain.inc
+++ b/recipes-ids/samhain/samhain.inc
@@ -67,6 +67,9 @@ PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
PACKAGECONFIG[audit] = "ac_cv_header_auparse_h=yes,ac_cv_header_auparse_h=no,audit"
PACKAGECONFIG[ps] = "--with-ps-path=${base_bindir}/ps,,,procps"
+EXTRA_OEMAKE_append_aarch64 = " CPPFLAGS+=-DCONFIG_ARCH_AARCH64=1"
+EXTRA_OEMAKE_append_mips64 = " CPPFLAGS+=-DCONFIG_ARCH_MIPS64=1"
+
do_unpack_samhain() {
cd ${WORKDIR}
tar -xzvf samhain-${PV}.tar.gz
@@ -118,7 +121,6 @@ do_configure () {
--enable-network=${SAMHAIN_MODE} \
--with-pid-file=${localstatedir}/run/samhain.pid \
--with-data-file=${localstatedir}/lib/samhain/samhain_file \
- --disable-dnmalloc \
${EXTRA_OECONF}
}
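Review bot: Dropping `--disable-dnmalloc` changes which allocator samhain is built with (dnmalloc appears to be its bundled allocator, on by default given the explicit disable that was here), but nothing in the recipe records why. A comment next to the remaining configure options, e.g. `# dnmalloc left enabled; the aarch64/mips64 CONFIG_ARCH_* defines in EXTRA_OEMAKE are what it needs on those targets`, would tie it to the EXTRA_OEMAKE hunk above — assuming that is the motivation. do_configure starts outside the hunk.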
diff --git a/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
index c26392a..4f50bff 100644
--- a/recipes-ids/tripwire/tripwire_2.4.3.7.bb
+++ b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -52,6 +52,7 @@ do_install () {
install -m 0644 ${S}/man/man4/* ${D}${mandir}/man4
install -m 0644 ${S}/man/man5/* ${D}${mandir}/man5
install -m 0644 ${S}/man/man8/* ${D}${mandir}/man8
+ rm ${D}${mandir}/man*/Makefile*
install -m 0644 ${S}/policy/templates/* ${D}${docdir}/${BPN}/templates
install -m 0644 ${S}/policy/*txt ${D}${docdir}/${BPN}
install -m 0644 ${S}/COPYING ${D}${docdir}/${BPN}
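Review bot: `rm ${D}${mandir}/man*/Makefile*` cleans up after the three `install -m 0644 ${S}/man/manN/*` lines above, which copy each directory's Makefile into the package; installing only the page files instead (e.g. `install -m 0644 ${S}/man/man4/*.4 ${D}${mandir}/man4`, if the pages carry section suffixes) avoids the copy-then-delete and the unguarded `rm`. If the glob form is kept, `rm -f` would stop the recipe from failing when a future release no longer ships those Makefiles. do_install starts outside the hunk.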
diff --git a/recipes-kernel/linux/linux-%_5.%.bbappend b/recipes-kernel/linux/linux-%_5.%.bbappend
deleted file mode 100644
index 76b5df5..0000000
--- a/recipes-kernel/linux/linux-%_5.%.bbappend
+++ /dev/null
@@ -1,4 +0,0 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}"
-
diff --git a/recipes-kernel/linux/linux-yocto-dev.bbappend b/recipes-kernel/linux/linux-yocto-dev.bbappend
index 39d4e6f..fa536d0 100644
--- a/recipes-kernel/linux/linux-yocto-dev.bbappend
+++ b/recipes-kernel/linux/linux-yocto-dev.bbappend
@@ -1,2 +1,3 @@
KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
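Review bot: The dm-verity fragment is gated on `IMAGE_CLASSES` containing dm-verity-img, whereas the two lines above gate on DISTRO_FEATURES; IMAGE_CLASSES is evaluated in the kernel recipe's datastore, so the fragment is only picked up when the class is enabled globally (local.conf or distro conf), not when an image recipe inherits it directly. Either a comment such as `# dm-verity-img must be in IMAGE_CLASSES globally (local.conf/distro) for the kernel fragment to be enabled` or gating on a DISTRO_FEATURES entry like its neighbours would make this consistent and discoverable. The same line is added to linux-yocto_5.%.bbappend below.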
diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend b/recipes-kernel/linux/linux-yocto_5.%.bbappend
index 39d4e6f..fa536d0 100644
--- a/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -1,2 +1,3 @@
KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
diff --git a/recipes-mac/AppArmor/apparmor_2.13.4.bb b/recipes-mac/AppArmor/apparmor_2.13.4.bb
deleted file mode 100644
index d6f61b3..0000000
--- a/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ /dev/null
@@ -1,198 +0,0 @@
-SUMMARY = "AppArmor another MAC control system"
-DESCRIPTION = "user-space parser utility for AppArmor \
- This provides the system initialization scripts needed to use the \
- AppArmor Mandatory Access Control system, including the AppArmor Parser \
- which is required to convert AppArmor text profiles into machine-readable \
- policies that are loaded into the kernel for use with the AppArmor Linux \
- Security Module."
-HOMEAPAGE = "http://apparmor.net/"
-SECTION = "admin"
-
-LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
-LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
-
-DEPENDS = "bison-native apr gettext-native coreutils-native"
-
-SRC_URI = " \
- git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
- file://disable_perl_h_check.patch \
- file://crosscompile_perl_bindings.patch \
- file://apparmor.rc \
- file://functions \
- file://apparmor \
- file://apparmor.service \
- file://0001-Makefile.am-suppress-perllocal.pod.patch \
- file://run-ptest \
- "
-
-SRCREV = "df0ac742f7a1146181d8734d03334494f2015134"
-S = "${WORKDIR}/git"
-
-PARALLEL_MAKE = ""
-
-inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check
-REQUIRED_DISTRO_FEATURES = "apparmor"
-
-PACKAGECONFIG ??= "python perl aa-decode"
-PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
-PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
-PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
-PACKAGECONFIG[apache2] = ",,apache2,"
-PACKAGECONFIG[aa-decode] = ",,,bash"
-
-PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
-HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}"
-
-python() {
- if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
- 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
- raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
-}
-
-DISABLE_STATIC = ""
-
-do_configure() {
- cd ${S}/libraries/libapparmor
- aclocal
- autoconf --force
- libtoolize --automake -c --force
- automake -ac
- ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
-}
-
-do_compile () {
- # Fixes:
- # | sed -ie 's///g' Makefile.perl
- # | sed: -e expression #1, char 0: no previous regular expression
- #| Makefile:478: recipe for target 'Makefile.perl' failed
- sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
-
-
- oe_runmake -C ${B}/libraries/libapparmor
- oe_runmake -C ${B}/binutils
- oe_runmake -C ${B}/utils
- oe_runmake -C ${B}/parser
- oe_runmake -C ${B}/profiles
-
- if test -z "${HTTPD}" ; then
- oe_runmake -C ${B}/changehat/mod_apparmor
- fi
-
- if test -z "${PAMLIB}" ; then
- oe_runmake -C ${B}/changehat/pam_apparmor
- fi
-}
-
-do_install () {
- install -d ${D}/${INIT_D_DIR}
- install -d ${D}/lib/apparmor
- oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
- oe_runmake -C ${B}/binutils DESTDIR="${D}" install
- oe_runmake -C ${B}/utils DESTDIR="${D}" install
- oe_runmake -C ${B}/parser DESTDIR="${D}" install
- oe_runmake -C ${B}/profiles DESTDIR="${D}" install
-
- # If perl is disabled this script won't be any good
- if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
- rm -f ${D}${sbindir}/aa-notify
- fi
-
- if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
- rm -f ${D}${sbindir}/aa-decode
- fi
-
- if test -z "${HTTPD}" ; then
- oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
- fi
-
- if test -z "${PAMLIB}" ; then
- oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
- fi
-
- # aa-easyprof is installed by python-tools-setup.py, fix it up
- sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
- chmod 0755 ${D}${bindir}/aa-easyprof
-
- install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
- install ${WORKDIR}/functions ${D}/lib/apparmor
- sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
- sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions
-
- if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
- install -d ${D}${systemd_system_unitdir}
- install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
- fi
-}
-
-#Building ptest on arm fails.
-do_compile_ptest_aarch64 () {
- :
-}
-
-do_compile_ptest_arm () {
- :
-}
-
-do_compile_ptest () {
- oe_runmake -C ${B}/tests/regression/apparmor
- oe_runmake -C ${B}/parser/tst
- oe_runmake -C ${B}/libraries/libapparmor
-}
-
-do_install_ptest () {
- t=${D}/${PTEST_PATH}/testsuite
- install -d ${t}
- install -d ${t}/tests/regression/apparmor
- cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
-
- install -d ${t}/parser/tst
- cp -rf ${B}/parser/tst ${t}/parser
- cp ${B}/parser/apparmor_parser ${t}/parser
- cp ${B}/parser/frob_slack_rc ${t}/parser
-
- install -d ${t}/libraries/libapparmor
- cp -rf ${B}/libraries/libapparmor ${t}/libraries
-
- install -d ${t}/common
- cp -rf ${B}/common ${t}
-
- install -d ${t}/binutils
- cp -rf ${B}/binutils ${t}
-}
-
-#Building ptest on arm fails.
-do_install_ptest_aarch64 () {
- :
-}
-
-do_install_ptest_arm() {
- :
-}
-
-pkg_postinst_ontarget_${PN} () {
-if [ ! -d /etc/apparmor.d/cache ] ; then
- mkdir /etc/apparmor.d/cache
-fi
-}
-
-# We need the init script so don't rm it
-RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "apparmor"
-INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
-
-SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "apparmor.service"
-SYSTEMD_AUTO_ENABLE ?= "enable"
-
-PACKAGES += "mod-${PN}"
-
-FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
-FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-
-RDEPENDS_${PN} += "coreutils findutils ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
-RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
-RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
-
-PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*"
diff --git a/recipes-mac/AppArmor/apparmor_2.13.6.bb b/recipes-mac/AppArmor/apparmor_2.13.6.bb
new file mode 100644
index 0000000..bc14545
--- /dev/null
+++ b/recipes-mac/AppArmor/apparmor_2.13.6.bb
@@ -0,0 +1,201 @@
+SUMMARY = "AppArmor another MAC control system"
+DESCRIPTION = "user-space parser utility for AppArmor \
+ This provides the system initialization scripts needed to use the \
+ AppArmor Mandatory Access Control system, including the AppArmor Parser \
+ which is required to convert AppArmor text profiles into machine-readable \
+ policies that are loaded into the kernel for use with the AppArmor Linux \
+ Security Module."
+HOMEAPAGE = "http://apparmor.net/"
+SECTION = "admin"
+
+LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
+
+DEPENDS = "bison-native apr gettext-native coreutils-native"
+
+SRC_URI = " \
+ git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
+ file://disable_perl_h_check.patch \
+ file://crosscompile_perl_bindings.patch \
+ file://apparmor.rc \
+ file://functions \
+ file://apparmor \
+ file://apparmor.service \
+ file://0001-Makefile.am-suppress-perllocal.pod.patch \
+ file://0001-Use-build-environment-C-preprocessor.patch \
+ file://0002-Correctly-escape-in-Makefile.patch \
+ file://run-ptest \
+ "
+
+SRCREV = "c16fff8cb487cf150e3e5ad536b7ff2d4cb4f784"
+S = "${WORKDIR}/git"
+
+PARALLEL_MAKE = ""
+
+COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
+
+inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative ptest cpan manpages systemd features_check
+REQUIRED_DISTRO_FEATURES = "apparmor"
+
+PACKAGECONFIG ??= "python perl aa-decode"
+PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
+PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
+PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
+PACKAGECONFIG[apache2] = ",,apache2,"
+PACKAGECONFIG[aa-decode] = ",,,bash"
+
+PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
+HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}"
+
+python() {
+ if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
+ 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
+ raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
+}
+
+DISABLE_STATIC = ""
+
+do_configure() {
+ cd ${S}/libraries/libapparmor
+ aclocal
+ autoconf --force
+ libtoolize --automake -c --force
+ automake -ac
+ ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+}
+
+do_compile () {
+ # Fixes:
+ # | sed -ie 's///g' Makefile.perl
+ # | sed: -e expression #1, char 0: no previous regular expression
+ #| Makefile:478: recipe for target 'Makefile.perl' failed
+ sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
+
+
+ oe_runmake -C ${B}/libraries/libapparmor
+ oe_runmake -C ${B}/binutils
+ oe_runmake -C ${B}/utils
+ oe_runmake -C ${B}/parser
+ oe_runmake -C ${B}/profiles
+
+ if test -z "${HTTPD}" ; then
+ oe_runmake -C ${B}/changehat/mod_apparmor
+ fi
+
+ if test -z "${PAMLIB}" ; then
+ oe_runmake -C ${B}/changehat/pam_apparmor
+ fi
+}
+
+do_install () {
+ install -d ${D}/${INIT_D_DIR}
+ install -d ${D}/lib/apparmor
+ oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
+ oe_runmake -C ${B}/binutils DESTDIR="${D}" install
+ oe_runmake -C ${B}/utils DESTDIR="${D}" install
+ oe_runmake -C ${B}/parser DESTDIR="${D}" install
+ oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+
+ # If perl is disabled this script won't be any good
+ if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-notify
+ fi
+
+ if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-decode
+ fi
+
+ if test -z "${HTTPD}" ; then
+ oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
+ fi
+
+ if test -z "${PAMLIB}" ; then
+ oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
+ fi
+
+ # aa-easyprof is installed by python-tools-setup.py, fix it up
+ sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
+ chmod 0755 ${D}${bindir}/aa-easyprof
+
+ install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
+ install ${WORKDIR}/functions ${D}/lib/apparmor
+ sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
+ sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+ fi
+}
+
+#Building ptest on arm fails.
+do_compile_ptest_aarch64 () {
+ :
+}
+
+do_compile_ptest_arm () {
+ :
+}
+
+do_compile_ptest () {
+ sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile
+ oe_runmake -C ${B}/tests/regression/apparmor
+ oe_runmake -C ${B}/libraries/libapparmor
+}
+
+do_install_ptest () {
+ t=${D}/${PTEST_PATH}/testsuite
+ install -d ${t}
+ install -d ${t}/tests/regression/apparmor
+ cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
+
+ cp ${B}/parser/apparmor_parser ${t}/parser
+ cp ${B}/parser/frob_slack_rc ${t}/parser
+
+ install -d ${t}/libraries/libapparmor
+ cp -rf ${B}/libraries/libapparmor ${t}/libraries
+
+ install -d ${t}/common
+ cp -rf ${B}/common ${t}
+
+ install -d ${t}/binutils
+ cp -rf ${B}/binutils ${t}
+}
+
+#Building ptest on arm fails.
+do_install_ptest_aarch64 () {
+ :
+}
+
+do_install_ptest_arm() {
+ :
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ ! -d /etc/apparmor.d/cache ] ; then
+ mkdir /etc/apparmor.d/cache
+fi
+}
+
+# We need the init script so don't rm it
+RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "apparmor"
+INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "apparmor.service"
+SYSTEMD_AUTO_ENABLE ?= "enable"
+
+PACKAGES += "mod-${PN}"
+
+FILES_${PN} += "/lib/apparmor/ ${systemd_system_unitdir} ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
+FILES_mod-${PN} = "${libdir}/apache2/modules/*"
+
+# Add coreutils and findutils only if sysvinit scripts are in use
+RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
+RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
+RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
+
+PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*"
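Review bot: do_install_ptest copies `apparmor_parser` and `frob_slack_rc` into `${t}/parser` (the two `cp` lines after the regression-test copy) without creating that directory first — the `install -d ${t}/parser/tst` the removed recipe had is gone — so the first `cp` produces a regular file named `parser`, the second overwrites it, and the packaged ptest tree ships no parser binary; `install -d ${t}/parser` before those two lines restores the intended layout. Separately, `HTTPD` and `PAMLIB` are defined as "1"/"0", so the `test -z "${HTTPD}"` and `test -z "${PAMLIB}"` guards in do_compile and do_install can never be true and mod_apparmor/pam_apparmor are never built or installed even when apache2 or pam are enabled; `if [ "${PAMLIB}" = "1" ]; then` (and likewise for HTTPD) is the check those values were built for. `HOMEAPAGE` near the top of the file is a typo for `HOMEPAGE`, so the homepage metadata is silently dropped. The `sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof` in do_install runs unconditionally, so a build with `python` removed from PACKAGECONFIG presumably fails there on a missing file — worth guarding the same way the aa-notify removal is.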
diff --git a/recipes-mac/AppArmor/files/0001-Use-build-environment-C-preprocessor.patch b/recipes-mac/AppArmor/files/0001-Use-build-environment-C-preprocessor.patch
new file mode 100644
index 0000000..76e334a
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-Use-build-environment-C-preprocessor.patch
@@ -0,0 +1,39 @@
+From b19d65886263cee40c7283d329ff05f43cbb2047 Mon Sep 17 00:00:00 2001
+From: Omer Akram <omer@thing.com>
+Date: Mon, 12 Apr 2021 22:24:13 +0500
+Subject: [PATCH] Use build environment C preprocessor
+
+---
+ common/list_af_names.sh | 2 +-
+ common/list_capabilities.sh | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/list_af_names.sh b/common/list_af_names.sh
+index d7987537..23d9ba7f 100755
+--- a/common/list_af_names.sh
++++ b/common/list_af_names.sh
+@@ -11,7 +11,7 @@
+ # rewrite as "AF_".
+
+ echo "#include <sys/socket.h>" | \
+- cpp -dM | \
++ ${CPP} -dM - | \
+ LC_ALL=C sed -n \
+ -e '/PF_UNIX/d' \
+ -e 's/PF_LOCAL/PF_UNIX/' \
+diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh
+index 4e37cda7..d07111de 100755
+--- a/common/list_capabilities.sh
++++ b/common/list_capabilities.sh
+@@ -7,7 +7,7 @@
+ # =====================
+
+ echo "#include <linux/capability.h>" | \
+- cpp -dM | \
++ ${CPP} -dM - | \
+ LC_ALL=C sed -n \
+ -e '/CAP_EMPTY_SET/d' \
+ -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
+--
+2.25.1
+
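Review bot: the patch header carries no `Upstream-Status:` line, which the layer's other new patches further down (the sssd ones) include and which is the convention for files under a recipe's files/ directory; the same applies to 0002-Correctly-escape-in-Makefile.patch. A line such as `Upstream-Status: Pending` (or `Submitted [<merge-request URL>]` if one exists) after the Subject would fix both. Also, `${CPP} -dM -` degrades to running `-dM -` when CPP is not exported, so the scripts break outside the build environment that sets it; `${CPP:-cpp} -dM -` keeps the previous behaviour as the fallback.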
diff --git a/recipes-mac/AppArmor/files/0002-Correctly-escape-in-Makefile.patch b/recipes-mac/AppArmor/files/0002-Correctly-escape-in-Makefile.patch
new file mode 100644
index 0000000..f3cae7d
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0002-Correctly-escape-in-Makefile.patch
@@ -0,0 +1,25 @@
+From 4ffd666a2cedeabc8eef42371c03be52fc2a3d66 Mon Sep 17 00:00:00 2001
+From: Omer Akram <omer@thing.com>
+Date: Mon, 12 Apr 2021 22:54:52 +0500
+Subject: [PATCH] Correctly escape # in Makefile
+
+---
+ tests/regression/apparmor/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
+index c3d0cfb7..b41dbe47 100644
+--- a/tests/regression/apparmor/Makefile
++++ b/tests/regression/apparmor/Makefile
+@@ -69,7 +69,7 @@ endif # USE_SYSTEM
+
+ CFLAGS += -g -O0 -Wall -Wstrict-prototypes
+
+-USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
++USE_SYSCTL:=$(shell echo "\#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
+
+
+ SRC=access.c \
+--
+2.25.1
+
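Review bot: the corrected `USE_SYSCTL` line still pipes into the build host's bare `cpp`, so in a cross build the probe answers for the host's `<sys/sysctl.h>` rather than the target's — which appears to be why the recipe's do_compile_ptest later seds `cpp -dM` to `${HOST_PREFIX}gcc -dM` in this same Makefile. Using `$(CPP) -dM -` here, mirroring what the 0001 patch does for the shell scripts, would keep the fix self-contained and make that sed unnecessary.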
diff --git a/recipes-mac/AppArmor/files/disable_pdf.patch b/recipes-mac/AppArmor/files/disable_pdf.patch
deleted file mode 100644
index c6b4bdd..0000000
--- a/recipes-mac/AppArmor/files/disable_pdf.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: apparmor-2.10.95/parser/Makefile
-===================================================================
---- apparmor-2.10.95.orig/parser/Makefile
-+++ apparmor-2.10.95/parser/Makefile
-@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT
- po/${NAME}.pot: ${SRCS} ${HDRS}
- $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
-
--techdoc.pdf: techdoc.tex
-- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\
-- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \
-- grep -q "Label(s) may have changed" techdoc.log; \
-- do :; done
--
--techdoc/index.html: techdoc.pdf
-- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT}
--
--techdoc.txt: techdoc/index.html
-- w3m -dump $< > $@
-
- # targets arranged this way so that people who don't want full docs can
- # pick specific targets they want.
-@@ -159,9 +148,7 @@ manpages: $(MANPAGES)
-
- htmlmanpages: $(HTMLMANPAGES)
-
--pdf: techdoc.pdf
--
--docs: manpages htmlmanpages pdf
-+docs: manpages htmlmanpages
-
- indep: docs
- $(Q)$(MAKE) -C po all
diff --git a/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb b/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
index 2e37c0b..79af6a5 100644
--- a/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
+++ b/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
@@ -13,7 +13,7 @@ SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz"
SRC_URI[md5sum] = "eeee8eb96a7680bfa9c8f6de55502c44"
SRC_URI[sha256sum] = "c358b80a2ea77a9dda79dc2a056dae3acaf3a72fcb8481cfb1cd1f16746324b4"
-S = "${WORKDIR}/${PN}"
+S = "${WORKDIR}/${BPN}"
inherit features_check
diff --git a/recipes-scanners/clamav/clamav_0.101.5.bb b/recipes-scanners/clamav/clamav_0.101.5.bb
index f4625b1..5fc9ac3 100644
--- a/recipes-scanners/clamav/clamav_0.101.5.bb
+++ b/recipes-scanners/clamav/clamav_0.101.5.bb
@@ -23,13 +23,13 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.101 \
S = "${WORKDIR}/git"
LEAD_SONAME = "libclamav.so"
-SO_VER = "9.0.2"
+SO_VER = "9.0.4"
-inherit autotools pkgconfig useradd systemd
+inherit autotools pkgconfig useradd systemd multilib_header multilib_script
CLAMAV_UID ?= "clamav"
CLAMAV_GID ?= "clamav"
-INSTALL_CLAMAV_CVD ?= "1"
+INSTALL_CLAMAV_CVD ?= "0"
CLAMAV_USR_DIR = "${STAGING_DIR_NATIVE}/usr"
CLAMAV_USR_DIR_class-target = "${STAGING_DIR_HOST}/usr"
@@ -45,6 +45,8 @@ PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${CLAMAV_USR_DIR}, --disable-bzip2, b
PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${CLAMAV_USR_DIR}, --without-libncurses-prefix, ncurses, "
PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, "
+MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/clamav-config"
+
EXTRA_OECONF_CLAMAV = "--without-libcheck-prefix --disable-unrar \
--disable-mempool \
--program-prefix="" \
@@ -69,14 +71,6 @@ do_configure_class-native () {
${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
}
-do_compile_append_class-target() {
- if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then
- bbnote "CLAMAV creating cvd"
- install -d ${S}/clamav_db
- ${STAGING_BINDIR_NATIVE}/freshclam --datadir=${S}/clamav_db --config=${WORKDIR}/freshclam-native.conf
- fi
-}
-
do_install_append_class-target () {
install -d ${D}/${sysconfdir}
install -d ${D}/${localstatedir}/lib/clamav
@@ -87,12 +81,15 @@ do_install_append_class-target () {
install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav
sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc
rm ${D}/${libdir}/libclamav.so
- install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
+ if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then
+ install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
+ fi
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service
install -d ${D}${sysconfdir}/tmpfiles.d
install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf
fi
+ oe_multilib_header clamav-types.h
}
pkg_postinst_ontarget_${PN} () {
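Review bot: with `do_compile_append_class-target` removed, nothing in the recipe populates `${S}/clamav_db` any more, yet the new `if [ "${INSTALL_CLAMAV_CVD}" = "1" ]` branch in do_install_append_class-target still installs `${S}/clamav_db/*`; setting `INSTALL_CLAMAV_CVD = "1"` now fails at do_install on a missing source directory instead of producing an image with a database. Either drop the variable and the branch together with the freshclam step, or document above the variable that the caller must populate `${S}/clamav_db` (for example from a do_compile prepend) before enabling it. The retained `install -m 666` also leaves the signature database world-writable on the target; 0644 with ownership given to the clamav user the recipe already creates via useradd is the narrower permission, and since the branch is now opt-in this is a note rather than a blocker.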
@@ -106,7 +103,7 @@ pkg_postinst_ontarget_${PN} () {
}
-PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc ${PN}-cvd \
+PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \
${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev"
FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \
@@ -150,8 +147,6 @@ FILES_${PN}-doc = "${mandir}/man/* \
${datadir}/man/* \
${docdir}/* "
-FILES_${PN}-cvd = "${localstatedir}/lib/clamav/*.cvd ${localstatedir}/lib/clamav/*.dat"
-
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}"
USERADD_PARAM_${PN} = "--system -g ${CLAMAV_GID} --home-dir \
diff --git a/recipes-scanners/rootkits/chkrootkit_0.53.bb b/recipes-scanners/rootkits/chkrootkit_0.53.bb
index 4536be3..8d4b3b5 100644
--- a/recipes-scanners/rootkits/chkrootkit_0.53.bb
+++ b/recipes-scanners/rootkits/chkrootkit_0.53.bb
@@ -5,7 +5,7 @@ SECTION = "security"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff"
-SRC_URI = "ftp://ftp.pangeia.com.br/pub/seg/pac/${BPN}.tar.gz"
+SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz"
SRC_URI[sha256sum] = "7262dae33b338976828b5d156b70d159e0043c0db43ada8dee66c97387cf45b5"
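Review bot: `SRC_URI` now names a different tarball (`${BPN}_${PV}.orig.tar.gz` from the Ubuntu pool instead of `${BPN}.tar.gz`) while the `SRC_URI[sha256sum]` line directly below is unchanged; that only holds if the Ubuntu orig tarball is byte-identical to the old upstream archive, so it is worth confirming the fetch still verifies rather than assuming it. The mirror is plain http, which is acceptable only because the pinned checksum guarantees integrity; if archive.ubuntu.com serves the file over `https://`, switching the scheme costs nothing and stops the checksum being the sole control.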
diff --git a/recipes-security/bastille/bastille_3.2.1.bb b/recipes-security/bastille/bastille_3.2.1.bb
index e9accb5..0290cae 100644
--- a/recipes-security/bastille/bastille_3.2.1.bb
+++ b/recipes-security/bastille/bastille_3.2.1.bb
@@ -9,8 +9,6 @@ DEPENDS = "virtual/kernel"
RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils"
FILES_${PN} += "/run/lock/subsys/bastille"
-inherit module-base
-
SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \
file://AccountPermission.pm \
file://FileContent.pm \
diff --git a/recipes-security/libseccomp/libseccomp_2.4.3.bb b/recipes-security/libseccomp/libseccomp_2.4.3.bb
index 9ca41e6..37d3573 100644
--- a/recipes-security/libseccomp/libseccomp_2.4.3.bb
+++ b/recipes-security/libseccomp/libseccomp_2.4.3.bb
@@ -10,6 +10,9 @@ SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
file://run-ptest \
"
+COMPATIBLE_HOST_riscv64 = "null"
+COMPATIBLE_HOST_riscv32 = "null"
+
S = "${WORKDIR}/git"
inherit autotools-brokensep pkgconfig ptest
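Review bot: the two new `COMPATIBLE_HOST_riscv*` lines carry no explanation and the reason is not recoverable from the recipe; presumably this libseccomp release has no riscv backend, but that should be stated rather than inferred, together with a hint of when the exclusion can be lifted. A one-line comment above them, e.g. `# riscv32/riscv64 are not supported by this libseccomp version; re-check on upgrade` (adjusted to the actual reason), would do, and it should point out that packagegroup-core-security gates libseccomp on TUNE_FEATURES for the same reason so the two stay in sync.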
diff --git a/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
index 83a9ed8..cf34ded 100644
--- a/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
@@ -22,7 +22,7 @@ RDEPENDS_${PN} = " \
python3-scapy-ptest \
suricata-ptest \
tripwire-ptest \
- python-fail2ban-ptest \
+ python3-fail2ban-ptest \
${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
"
diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
index e0a9d05..bd9abcc 100644
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -28,7 +28,7 @@ RDEPENDS_packagegroup-security-utils = "\
python3-scapy \
ding-libs \
keyutils \
- libseccomp \
+ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " libseccomp",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
"
@@ -37,10 +37,9 @@ SUMMARY_packagegroup-security-scanners = "Security scanners"
RDEPENDS_packagegroup-security-scanners = "\
nikto \
checksecurity \
- clamav \
- clamav-freshclam \
- clamav-cvd \
+ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam",d)} \
"
+RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam"
SUMMARY_packagegroup-security-audit = "Security Audit tools "
RDEPENDS_packagegroup-security-audit = " \
@@ -57,7 +56,7 @@ SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems"
RDEPENDS_packagegroup-security-ids = " \
tripwire \
samhain-standalone \
- suricata \
+ ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \
"
SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
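Review bot: the `bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " …", d)` expression is now written out three times in this file (the utils, scanners and ids hunks), with the ids variant adding ppc7400, and these gates duplicate the `COMPATIBLE_HOST_riscv*` exclusion added to libseccomp in the same change, giving two places to keep in sync per package. Unless the clamav and suricata recipes gate themselves elsewhere, an image that lists them directly still attempts the build on riscv; marking those recipes incompatible the way libseccomp is would make the packagegroup gating a convenience rather than the only guard. Stylistically, the leading space inside `" libseccomp"` and `" clamav clamav-freshclam"` is harmless in a whitespace-separated list but inconsistent with the surrounding entries.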
diff --git a/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch b/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
new file mode 100644
index 0000000..b64670c
--- /dev/null
+++ b/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
@@ -0,0 +1,34 @@
+From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?= <jonatan.p@gmail.com>
+Date: Fri, 21 Aug 2020 14:45:10 +0200
+Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AC_CHECK_FILE does not support cross-compilation, and will only check
+the host rootfs. Replace AC_CHECK_FILE with a 'test -f <FILE>' instead,
+to allow building manpages when cross-compiling.
+
+Upstream-status: Submitted [https://github.com/SSSD/sssd/pull/5289]
+Signed-off-by: Jonatan PÃ¥lsson <jonatan.p@gmail.com>
+---
+ src/external/docbook.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/external/docbook.m4 b/src/external/docbook.m4
+index deb8632fa..acdc89a68 100644
+--- a/src/external/docbook.m4
++++ b/src/external/docbook.m4
+@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and
+ dnl if a particular URI appears in the XML catalog
+ AC_DEFUN([CHECK_STYLESHEET],
+ [
+- AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])])
++ AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])])
+
+ AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog])
+ if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then
+--
+2.26.1
+
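Review bot: the header tag is spelled `Upstream-status:` while the CVE patch that follows uses the canonical `Upstream-Status:`; tooling that scans for the tag does not necessarily match case-insensitively, so `Upstream-Status: Submitted [https://github.com/SSSD/sssd/pull/5289]` is the form to keep. The `Signed-off-by` name on the next line appears double-encoded (`PÃ¥lsson`) whereas the From line is correctly MIME-encoded; re-saving the patch as UTF-8 avoids carrying the mojibake into the layer. On the m4 change itself, `test -f "$1"` still inspects the build host's filesystem, which is the right place for an XML catalog that `$XSLTPROC --catalogs` reads at build time; the description's "will only check the host rootfs" reads as if the replacement avoids that, so one clarifying sentence there would help.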
diff --git a/recipes-security/sssd/files/CVE-2022-4254-1.patch b/recipes-security/sssd/files/CVE-2022-4254-1.patch
new file mode 100644
index 0000000..a52ce1a
--- /dev/null
+++ b/recipes-security/sssd/files/CVE-2022-4254-1.patch
@@ -0,0 +1,515 @@
+From 1c40208aa1e0f9a17cc4f336c99bcaa6977592d3 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 27 Nov 2018 16:40:01 +0100
+Subject: [PATCH] certmap: add sss_certmap_display_cert_content()
+
+To make debugging and writing certificate mapping and matching rules
+more easy a new function is added to libsss_certmap to display the
+certificate content as seen by libsss_certmap. Please note that the
+actual output might change in future.
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+
+CVE: CVE-2022-4254
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/1c40208aa1e0f9a17cc4f336c99bcaa6977592d3]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Makefile.am | 2 +-
+ src/lib/certmap/sss_certmap.c | 142 ++++++++++++++++++++++
+ src/lib/certmap/sss_certmap.exports | 5 +
+ src/lib/certmap/sss_certmap.h | 18 +++
+ src/lib/certmap/sss_certmap_int.h | 31 ++++-
+ src/lib/certmap/sss_certmap_krb5_match.c | 145 +++++++++++------------
+ 6 files changed, 261 insertions(+), 82 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 4475b3d..29cd93c 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1835,7 +1835,7 @@ libsss_certmap_la_LIBADD = \
+ $(NULL)
+ libsss_certmap_la_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/lib/certmap/sss_certmap.exports \
+- -version-info 0:0:0
++ -version-info 1:0:1
+
+ if HAVE_NSS
+ libsss_certmap_la_SOURCES += \
+diff --git a/src/lib/certmap/sss_certmap.c b/src/lib/certmap/sss_certmap.c
+index f6f6f98..c60ac24 100644
+--- a/src/lib/certmap/sss_certmap.c
++++ b/src/lib/certmap/sss_certmap.c
+@@ -914,3 +914,145 @@ void sss_certmap_free_filter_and_domains(char *filter, char **domains)
+ talloc_free(filter);
+ talloc_free(domains);
+ }
++
++static const char *sss_eku_oid2name(const char *oid)
++{
++ size_t c;
++
++ for (c = 0; sss_ext_key_usage[c].name != NULL; c++) {
++ if (strcmp(sss_ext_key_usage[c].oid, oid) == 0) {
++ return sss_ext_key_usage[c].name;
++ }
++ }
++
++ return NULL;
++}
++
++struct parsed_template san_parsed_template[] = {
++ { NULL, NULL, NULL }, /* SAN_OTHER_NAME handled separately */
++ { "subject_rfc822_name", NULL, NULL},
++ { "subject_dns_name", NULL, NULL},
++ { "subject_x400_address", NULL, NULL},
++ { "subject_directory_name", NULL, NULL},
++ { "subject_ediparty_name", NULL, NULL},
++ { "subject_uri", NULL, NULL},
++ { "subject_ip_address", NULL, NULL},
++ { "subject_registered_id", NULL, NULL},
++ { "subject_pkinit_principal", NULL, NULL},
++ { "subject_nt_principal", NULL, NULL},
++ { "subject_principal", NULL, NULL},
++ { NULL, NULL, NULL }, /* SAN_STRING_OTHER_NAME handled separately */
++ { NULL, NULL, NULL } /* SAN_END */
++};
++
++int sss_cert_dump_content(TALLOC_CTX *mem_ctx, struct sss_cert_content *c,
++ char **content_str)
++{
++ char *out = NULL;
++ size_t o;
++ struct san_list *s;
++ struct sss_certmap_ctx *ctx = NULL;
++ char *expanded = NULL;
++ int ret;
++ char *b64 = NULL;
++ const char *eku_str = NULL;
++
++ ret = sss_certmap_init(mem_ctx, NULL, NULL, &ctx);
++ if (ret != EOK) {
++ return ret;
++ }
++
++ out = talloc_strdup(mem_ctx, "sss cert content (format might change):\n");
++ if (out == NULL) return ENOMEM;
++
++ out = talloc_asprintf_append(out, "Issuer: %s\n", c->issuer_str != NULL
++ ? c->issuer_str
++ : "- not available -");
++ if (out == NULL) return ENOMEM;
++ out = talloc_asprintf_append(out, "Subject: %s\n", c->subject_str != NULL
++ ? c->subject_str
++ : "- not available -");
++ if (out == NULL) return ENOMEM;
++
++ out = talloc_asprintf_append(out, "Key Usage: %u(0x%04x)", c->key_usage,
++ c->key_usage);
++ if (out == NULL) return ENOMEM;
++
++ if (c->key_usage != 0) {
++ out = talloc_asprintf_append(out, " (");
++ if (out == NULL) return ENOMEM;
++ for (o = 0; sss_key_usage[o].name != NULL; o++) {
++ if ((c->key_usage & sss_key_usage[o].flag) != 0) {
++ out = talloc_asprintf_append(out, "%s%s",
++ o == 0 ? "" : ",",
++ sss_key_usage[o].name);
++ if (out == NULL) return ENOMEM;
++ }
++ }
++ out = talloc_asprintf_append(out, ")");
++ if (out == NULL) return ENOMEM;
++ }
++ out = talloc_asprintf_append(out, "\n");
++ if (out == NULL) return ENOMEM;
++
++ for (o = 0; c->extended_key_usage_oids[o] != NULL; o++) {
++ eku_str = sss_eku_oid2name(c->extended_key_usage_oids[o]);
++ out = talloc_asprintf_append(out, "Extended Key Usage #%zu: %s%s%s%s\n",
++ o, c->extended_key_usage_oids[o],
++ eku_str == NULL ? "" : " (",
++ eku_str == NULL ? "" : eku_str,
++ eku_str == NULL ? "" : ")");
++ if (out == NULL) return ENOMEM;
++ }
++
++ DLIST_FOR_EACH(s, c->san_list) {
++ out = talloc_asprintf_append(out, "SAN type: %s\n",
++ s->san_opt < SAN_END
++ ? sss_san_names[s->san_opt].name
++ : "- unsupported -");
++ if (out == NULL) return ENOMEM;
++
++ if (san_parsed_template[s->san_opt].name != NULL) {
++ ret = expand_san(ctx, &san_parsed_template[s->san_opt], c->san_list,
++ &expanded);
++ if (ret != EOK) {
++ return ret;
++ }
++ out = talloc_asprintf_append(out, " %s=%s\n\n",
++ san_parsed_template[s->san_opt].name,
++ expanded);
++ talloc_free(expanded);
++ if (out == NULL) return ENOMEM;
++ } else if (s->san_opt == SAN_STRING_OTHER_NAME) {
++ b64 = sss_base64_encode(mem_ctx, s->bin_val, s->bin_val_len);
++ out = talloc_asprintf_append(out, " %s=%s\n\n", s->other_name_oid,
++ b64 != NULL ? b64
++ : "- cannot encode -");
++ talloc_free(b64);
++ }
++ }
++
++ *content_str = out;
++
++ return EOK;
++}
++
++int sss_certmap_display_cert_content(TALLOC_CTX *mem_cxt,
++ const uint8_t *der_cert, size_t der_size,
++ char **desc)
++{
++ int ret;
++ struct sss_cert_content *content;
++
++ ret = sss_cert_get_content(mem_cxt, der_cert, der_size, &content);
++ if (ret != EOK) {
++ return ret;
++ }
++
++ ret = sss_cert_dump_content(mem_cxt, content, desc);
++ if (ret != EOK) {
++ return ret;
++ }
++
++ return 0;
++}
+diff --git a/src/lib/certmap/sss_certmap.exports b/src/lib/certmap/sss_certmap.exports
+index 8b5d536..a9e48d6 100644
+--- a/src/lib/certmap/sss_certmap.exports
++++ b/src/lib/certmap/sss_certmap.exports
+@@ -11,3 +11,8 @@ SSS_CERTMAP_0.0 {
+ local:
+ *;
+ };
++
++SSS_CERTMAP_0.1 {
++ global:
++ sss_certmap_display_cert_content;
++} SSS_CERTMAP_0.0;
+diff --git a/src/lib/certmap/sss_certmap.h b/src/lib/certmap/sss_certmap.h
+index 646e0f3..7da2d1c 100644
+--- a/src/lib/certmap/sss_certmap.h
++++ b/src/lib/certmap/sss_certmap.h
+@@ -146,6 +146,24 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
+ */
+ void sss_certmap_free_filter_and_domains(char *filter, char **domains);
+
++/**
++ * @brief Get a string with the content of the certificate used by the library
++ *
++ * @param[in] mem_ctx Talloc memory context, may be NULL
++ * @param[in] der_cert binary blog with the DER encoded certificate
++ * @param[in] der_size size of the certificate blob
++ * @param[out] desc Multiline string showing the certificate content
++ * which is used by libsss_certmap
++ *
++ * @return
++ * - 0: success
++ * - EINVAL: certificate cannot be parsed
++ * - ENOMEM: memory allocation failure
++ */
++int sss_certmap_display_cert_content(TALLOC_CTX *mem_cxt,
++ const uint8_t *der_cert, size_t der_size,
++ char **desc);
++
+ /**
+ * @}
+ */
+diff --git a/src/lib/certmap/sss_certmap_int.h b/src/lib/certmap/sss_certmap_int.h
+index 479cc16..b1155e2 100644
+--- a/src/lib/certmap/sss_certmap_int.h
++++ b/src/lib/certmap/sss_certmap_int.h
+@@ -101,9 +101,9 @@ enum comp_type {
+ };
+
+ struct parsed_template {
+- char *name;
+- char *attr_name;
+- char *conversion;
++ const char *name;
++ const char *attr_name;
++ const char *conversion;
+ };
+
+ struct ldap_mapping_rule_comp {
+@@ -166,6 +166,28 @@ struct san_list {
+ #define SSS_KU_ENCIPHER_ONLY 0x0001
+ #define SSS_KU_DECIPHER_ONLY 0x8000
+
++struct sss_key_usage {
++ const char *name;
++ uint32_t flag;
++};
++
++extern const struct sss_key_usage sss_key_usage[];
++
++struct sss_ext_key_usage {
++ const char *name;
++ const char *oid;
++};
++
++extern const struct sss_ext_key_usage sss_ext_key_usage[];
++
++struct sss_san_name {
++ const char *name;
++ enum san_opt san_opt;
++ bool is_string;
++};
++
++extern const struct sss_san_name sss_san_names[];
++
+ struct sss_cert_content {
+ char *issuer_str;
+ const char **issuer_rdn_list;
+@@ -183,6 +205,9 @@ int sss_cert_get_content(TALLOC_CTX *mem_ctx,
+ const uint8_t *der_blob, size_t der_size,
+ struct sss_cert_content **content);
+
++int sss_cert_dump_content(TALLOC_CTX *mem_ctx, struct sss_cert_content *c,
++ char **content_str);
++
+ char *check_ad_attr_name(TALLOC_CTX *mem_ctx, const char *rdn);
+
+ char *openssl_2_nss_attr_name(const char *attr);
+diff --git a/src/lib/certmap/sss_certmap_krb5_match.c b/src/lib/certmap/sss_certmap_krb5_match.c
+index 125e925..398d3d2 100644
+--- a/src/lib/certmap/sss_certmap_krb5_match.c
++++ b/src/lib/certmap/sss_certmap_krb5_match.c
+@@ -29,6 +29,59 @@
+ #include "lib/certmap/sss_certmap.h"
+ #include "lib/certmap/sss_certmap_int.h"
+
++const struct sss_key_usage sss_key_usage[] = {
++ {"digitalSignature" , SSS_KU_DIGITAL_SIGNATURE},
++ {"nonRepudiation" , SSS_KU_NON_REPUDIATION},
++ {"keyEncipherment" , SSS_KU_KEY_ENCIPHERMENT},
++ {"dataEncipherment" , SSS_KU_DATA_ENCIPHERMENT},
++ {"keyAgreement" , SSS_KU_KEY_AGREEMENT},
++ {"keyCertSign" , SSS_KU_KEY_CERT_SIGN},
++ {"cRLSign" , SSS_KU_CRL_SIGN},
++ {"encipherOnly" , SSS_KU_ENCIPHER_ONLY},
++ {"decipherOnly" , SSS_KU_DECIPHER_ONLY},
++ {NULL ,0}
++};
++
++const struct sss_ext_key_usage sss_ext_key_usage[] = {
++ /* RFC 3280 section 4.2.1.13 */
++ {"serverAuth", "1.3.6.1.5.5.7.3.1"},
++ {"clientAuth", "1.3.6.1.5.5.7.3.2"},
++ {"codeSigning", "1.3.6.1.5.5.7.3.3"},
++ {"emailProtection", "1.3.6.1.5.5.7.3.4"},
++ {"timeStamping", "1.3.6.1.5.5.7.3.8"},
++ {"OCSPSigning", "1.3.6.1.5.5.7.3.9"},
++
++ /* RFC 4556 section 3.2.2 */
++ {"KPClientAuth", "1.3.6.1.5.2.3.4"},
++ {"pkinit", "1.3.6.1.5.2.3.4"},
++
++ /* https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography*/
++ {"msScLogin", "1.3.6.1.4.1.311.20.2.2"},
++
++ {NULL ,0}
++};
++
++const struct sss_san_name sss_san_names[] = {
++ /* https://www.ietf.org/rfc/rfc3280.txt section 4.2.1.7 */
++ {"otherName", SAN_OTHER_NAME, false},
++ {"rfc822Name", SAN_RFC822_NAME, true},
++ {"dNSName", SAN_DNS_NAME, true},
++ {"x400Address", SAN_X400_ADDRESS, false},
++ {"directoryName", SAN_DIRECTORY_NAME, true},
++ {"ediPartyName", SAN_EDIPART_NAME, false},
++ {"uniformResourceIdentifier", SAN_URI, true},
++ {"iPAddress", SAN_IP_ADDRESS, true},
++ {"registeredID", SAN_REGISTERED_ID, true},
++ /* https://www.ietf.org/rfc/rfc4556.txt section 3.2.2 */
++ {"pkinitSAN", SAN_PKINIT, true},
++ /* https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography */
++ {"ntPrincipalName", SAN_NT, true},
++ /* both previous principal types */
++ {"Principal", SAN_PRINCIPAL, true},
++ {"stringOtherName", SAN_STRING_OTHER_NAME, true},
++ {NULL, SAN_END, false}
++};
++
+ static bool is_dotted_decimal(const char *s, size_t len)
+ {
+ size_t c = 0;
+@@ -145,28 +198,6 @@ static int parse_krb5_get_eku_value(TALLOC_CTX *mem_ctx,
+ size_t e = 0;
+ int eku_list_size;
+
+- struct ext_key_usage {
+- const char *name;
+- const char *oid;
+- } ext_key_usage[] = {
+- /* RFC 3280 section 4.2.1.13 */
+- {"serverAuth", "1.3.6.1.5.5.7.3.1"},
+- {"clientAuth", "1.3.6.1.5.5.7.3.2"},
+- {"codeSigning", "1.3.6.1.5.5.7.3.3"},
+- {"emailProtection", "1.3.6.1.5.5.7.3.4"},
+- {"timeStamping", "1.3.6.1.5.5.7.3.8"},
+- {"OCSPSigning", "1.3.6.1.5.5.7.3.9"},
+-
+- /* RFC 4556 section 3.2.2 */
+- {"KPClientAuth", "1.3.6.1.5.2.3.4"},
+- {"pkinit", "1.3.6.1.5.2.3.4"},
+-
+- /* https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography*/
+- {"msScLogin", "1.3.6.1.4.1.311.20.2.2"},
+-
+- {NULL ,0}
+- };
+-
+ ret = get_comp_value(mem_ctx, ctx, cur, &comp);
+ if (ret != 0) {
+ CM_DEBUG(ctx, "Failed to parse regexp.");
+@@ -188,11 +219,11 @@ static int parse_krb5_get_eku_value(TALLOC_CTX *mem_ctx,
+ }
+
+ for (c = 0; eku_list[c] != NULL; c++) {
+- for (k = 0; ext_key_usage[k].name != NULL; k++) {
+-CM_DEBUG(ctx, "[%s][%s].", eku_list[c], ext_key_usage[k].name);
+- if (strcasecmp(eku_list[c], ext_key_usage[k].name) == 0) {
++ for (k = 0; sss_ext_key_usage[k].name != NULL; k++) {
++CM_DEBUG(ctx, "[%s][%s].", eku_list[c], sss_ext_key_usage[k].name);
++ if (strcasecmp(eku_list[c], sss_ext_key_usage[k].name) == 0) {
+ comp->eku_oid_list[e] = talloc_strdup(comp->eku_oid_list,
+- ext_key_usage[k].oid);
++ sss_ext_key_usage[k].oid);
+ if (comp->eku_oid_list[e] == NULL) {
+ ret = ENOMEM;
+ goto done;
+@@ -202,7 +233,7 @@ CM_DEBUG(ctx, "[%s][%s].", eku_list[c], ext_key_usage[k].name);
+ }
+ }
+
+- if (ext_key_usage[k].name == NULL) {
++ if (sss_ext_key_usage[k].name == NULL) {
+ /* check for an dotted-decimal OID */
+ if (*(eku_list[c]) != '.') {
+ o = eku_list[c];
+@@ -252,23 +283,6 @@ static int parse_krb5_get_ku_value(TALLOC_CTX *mem_ctx,
+ size_t c;
+ size_t k;
+
+- struct key_usage {
+- const char *name;
+- uint32_t flag;
+- } key_usage[] = {
+- {"digitalSignature" , SSS_KU_DIGITAL_SIGNATURE},
+- {"nonRepudiation" , SSS_KU_NON_REPUDIATION},
+- {"keyEncipherment" , SSS_KU_KEY_ENCIPHERMENT},
+- {"dataEncipherment" , SSS_KU_DATA_ENCIPHERMENT},
+- {"keyAgreement" , SSS_KU_KEY_AGREEMENT},
+- {"keyCertSign" , SSS_KU_KEY_CERT_SIGN},
+- {"cRLSign" , SSS_KU_CRL_SIGN},
+- {"encipherOnly" , SSS_KU_ENCIPHER_ONLY},
+- {"decipherOnly" , SSS_KU_DECIPHER_ONLY},
+- {NULL ,0}
+- };
+-
+-
+ ret = get_comp_value(mem_ctx, ctx, cur, &comp);
+ if (ret != 0) {
+ CM_DEBUG(ctx, "Failed to get value.");
+@@ -283,14 +297,14 @@ static int parse_krb5_get_ku_value(TALLOC_CTX *mem_ctx,
+ }
+
+ for (c = 0; ku_list[c] != NULL; c++) {
+- for (k = 0; key_usage[k].name != NULL; k++) {
+- if (strcasecmp(ku_list[c], key_usage[k].name) == 0) {
+- comp->ku |= key_usage[k].flag;
++ for (k = 0; sss_key_usage[k].name != NULL; k++) {
++ if (strcasecmp(ku_list[c], sss_key_usage[k].name) == 0) {
++ comp->ku |= sss_key_usage[k].flag;
+ break;
+ }
+ }
+
+- if (key_usage[k].name == NULL) {
++ if (sss_key_usage[k].name == NULL) {
+ /* FIXME: add check for numerical ku */
+ CM_DEBUG(ctx, "No matching key usage found.");
+ ret = EINVAL;
+@@ -342,31 +356,6 @@ done:
+ return ret;
+ }
+
+-struct san_name {
+- const char *name;
+- enum san_opt san_opt;
+- bool is_string;
+-} san_names[] = {
+- /* https://www.ietf.org/rfc/rfc3280.txt section 4.2.1.7 */
+- {"otherName", SAN_OTHER_NAME, false},
+- {"rfc822Name", SAN_RFC822_NAME,true},
+- {"dNSName", SAN_DNS_NAME, true},
+- {"x400Address", SAN_X400_ADDRESS, false},
+- {"directoryName", SAN_DIRECTORY_NAME, true},
+- {"ediPartyName", SAN_EDIPART_NAME, false},
+- {"uniformResourceIdentifier", SAN_URI, true},
+- {"iPAddress", SAN_IP_ADDRESS, true},
+- {"registeredID", SAN_REGISTERED_ID, true},
+- /* https://www.ietf.org/rfc/rfc4556.txt section 3.2.2 */
+- {"pkinitSAN", SAN_PKINIT, true},
+- /* https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography */
+- {"ntPrincipalName", SAN_NT, true},
+- /* both previous principal types */
+- {"Principal", SAN_PRINCIPAL, true},
+- {"stringOtherName", SAN_STRING_OTHER_NAME, true},
+- {NULL, SAN_END, false}
+-};
+-
+ static int parse_krb5_get_san_option(TALLOC_CTX *mem_ctx,
+ struct sss_certmap_ctx *ctx,
+ const char **cur,
+@@ -388,12 +377,12 @@ static int parse_krb5_get_san_option(TALLOC_CTX *mem_ctx,
+ if (len == 0) {
+ c= SAN_PRINCIPAL;
+ } else {
+- for (c = 0; san_names[c].name != NULL; c++) {
+- if (strncasecmp(*cur, san_names[c].name, len) == 0) {
++ for (c = 0; sss_san_names[c].name != NULL; c++) {
++ if (strncasecmp(*cur, sss_san_names[c].name, len) == 0) {
+ break;
+ }
+ }
+- if (san_names[c].name == NULL) {
++ if (sss_san_names[c].name == NULL) {
+ if (is_dotted_decimal(*cur, len)) {
+ c = SAN_STRING_OTHER_NAME;
+ *str_other_name_oid = talloc_strndup(mem_ctx, *cur, len);
+@@ -408,7 +397,7 @@ static int parse_krb5_get_san_option(TALLOC_CTX *mem_ctx,
+ }
+ }
+
+- *option = san_names[c].san_opt;
++ *option = sss_san_names[c].san_opt;
+ *cur = end + 1;
+
+ return 0;
+@@ -432,7 +421,7 @@ static int parse_krb5_get_san_value(TALLOC_CTX *mem_ctx,
+ }
+ }
+
+- if (san_names[san_opt].is_string) {
++ if (sss_san_names[san_opt].is_string) {
+ ret = parse_krb5_get_component_value(mem_ctx, ctx, cur, &comp);
+ if (ret != 0) {
+ goto done;
+--
+2.25.1
+
diff --git a/recipes-security/sssd/files/CVE-2022-4254-2.patch b/recipes-security/sssd/files/CVE-2022-4254-2.patch
new file mode 100644
index 0000000..018b95c
--- /dev/null
+++ b/recipes-security/sssd/files/CVE-2022-4254-2.patch
@@ -0,0 +1,655 @@
+From a2b9a84460429181f2a4fa7e2bb5ab49fd561274 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 9 Dec 2019 11:31:14 +0100
+Subject: [PATCH] certmap: sanitize LDAP search filter
+
+The sss_certmap_get_search_filter() will now sanitize the values read
+from the certificates before adding them to a search filter. To be able
+to get the plain values as well sss_certmap_expand_mapping_rule() is
+added.
+
+Resolves:
+https://github.com/SSSD/sssd/issues/5135
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+
+CVE: CVE-2022-4254
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/a2b9a84460429181f2a4fa7e2bb5ab49fd561274]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Makefile.am | 2 +-
+ src/lib/certmap/sss_certmap.c | 42 ++++++++++--
+ src/lib/certmap/sss_certmap.exports | 5 ++
+ src/lib/certmap/sss_certmap.h | 35 ++++++++--
+ src/responder/pam/pamsrv_p11.c | 5 +-
+ src/tests/cmocka/test_certmap.c | 98 +++++++++++++++++++++++++++-
+ src/util/util.c | 94 ---------------------------
+ src/util/util_ext.c | 99 +++++++++++++++++++++++++++++
+ 8 files changed, 272 insertions(+), 108 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 29cd93c..dd6add2 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1835,7 +1835,7 @@ libsss_certmap_la_LIBADD = \
+ $(NULL)
+ libsss_certmap_la_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/lib/certmap/sss_certmap.exports \
+- -version-info 1:0:1
++ -version-info 2:0:2
+
+ if HAVE_NSS
+ libsss_certmap_la_SOURCES += \
+diff --git a/src/lib/certmap/sss_certmap.c b/src/lib/certmap/sss_certmap.c
+index c60ac24..d7bc992 100644
+--- a/src/lib/certmap/sss_certmap.c
++++ b/src/lib/certmap/sss_certmap.c
+@@ -441,10 +441,12 @@ static int expand_san(struct sss_certmap_ctx *ctx,
+ static int expand_template(struct sss_certmap_ctx *ctx,
+ struct parsed_template *parsed_template,
+ struct sss_cert_content *cert_content,
++ bool sanitize,
+ char **expanded)
+ {
+ int ret;
+ char *exp = NULL;
++ char *exp_sanitized = NULL;
+
+ if (strcmp("issuer_dn", parsed_template->name) == 0) {
+ ret = rdn_list_2_dn_str(ctx, parsed_template->conversion,
+@@ -455,6 +457,8 @@ static int expand_template(struct sss_certmap_ctx *ctx,
+ } else if (strncmp("subject_", parsed_template->name, 8) == 0) {
+ ret = expand_san(ctx, parsed_template, cert_content->san_list, &exp);
+ } else if (strcmp("cert", parsed_template->name) == 0) {
++ /* cert blob is already sanitized */
++ sanitize = false;
+ ret = expand_cert(ctx, parsed_template, cert_content, &exp);
+ } else {
+ CM_DEBUG(ctx, "Unsupported template name.");
+@@ -471,6 +475,16 @@ static int expand_template(struct sss_certmap_ctx *ctx,
+ goto done;
+ }
+
++ if (sanitize) {
++ ret = sss_filter_sanitize(ctx, exp, &exp_sanitized);
++ if (ret != EOK) {
++ CM_DEBUG(ctx, "Failed to sanitize expanded template.");
++ goto done;
++ }
++ talloc_free(exp);
++ exp = exp_sanitized;
++ }
++
+ ret = 0;
+
+ done:
+@@ -485,7 +499,7 @@ done:
+
+ static int get_filter(struct sss_certmap_ctx *ctx,
+ struct ldap_mapping_rule *parsed_mapping_rule,
+- struct sss_cert_content *cert_content,
++ struct sss_cert_content *cert_content, bool sanitize,
+ char **filter)
+ {
+ struct ldap_mapping_rule_comp *comp;
+@@ -503,7 +517,7 @@ static int get_filter(struct sss_certmap_ctx *ctx,
+ result = talloc_strdup_append(result, comp->val);
+ } else if (comp->type == comp_template) {
+ ret = expand_template(ctx, comp->parsed_template, cert_content,
+- &expanded);
++ sanitize, &expanded);
+ if (ret != 0) {
+ CM_DEBUG(ctx, "Failed to expanded template.");
+ goto done;
+@@ -791,8 +805,9 @@ done:
+ return ret;
+ }
+
+-int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
++static int expand_mapping_rule_ex(struct sss_certmap_ctx *ctx,
+ const uint8_t *der_cert, size_t der_size,
++ bool sanitize,
+ char **_filter, char ***_domains)
+ {
+ int ret;
+@@ -819,7 +834,8 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
+ return EINVAL;
+ }
+
+- ret = get_filter(ctx, ctx->default_mapping_rule, cert_content, &filter);
++ ret = get_filter(ctx, ctx->default_mapping_rule, cert_content, sanitize,
++ &filter);
+ goto done;
+ }
+
+@@ -829,7 +845,7 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
+ if (ret == 0) {
+ /* match */
+ ret = get_filter(ctx, r->parsed_mapping_rule, cert_content,
+- &filter);
++ sanitize, &filter);
+ if (ret != 0) {
+ CM_DEBUG(ctx, "Failed to get filter");
+ goto done;
+@@ -873,6 +889,22 @@ done:
+ return ret;
+ }
+
++int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
++ const uint8_t *der_cert, size_t der_size,
++ char **_filter, char ***_domains)
++{
++ return expand_mapping_rule_ex(ctx, der_cert, der_size, true,
++ _filter, _domains);
++}
++
++int sss_certmap_expand_mapping_rule(struct sss_certmap_ctx *ctx,
++ const uint8_t *der_cert, size_t der_size,
++ char **_expanded, char ***_domains)
++{
++ return expand_mapping_rule_ex(ctx, der_cert, der_size, false,
++ _expanded, _domains);
++}
++
+ int sss_certmap_init(TALLOC_CTX *mem_ctx,
+ sss_certmap_ext_debug *debug, void *debug_priv,
+ struct sss_certmap_ctx **ctx)
+diff --git a/src/lib/certmap/sss_certmap.exports b/src/lib/certmap/sss_certmap.exports
+index a9e48d6..7d76677 100644
+--- a/src/lib/certmap/sss_certmap.exports
++++ b/src/lib/certmap/sss_certmap.exports
+@@ -16,3 +16,8 @@ SSS_CERTMAP_0.1 {
+ global:
+ sss_certmap_display_cert_content;
+ } SSS_CERTMAP_0.0;
++
++SSS_CERTMAP_0.2 {
++ global:
++ sss_certmap_expand_mapping_rule;
++} SSS_CERTMAP_0.1;
+diff --git a/src/lib/certmap/sss_certmap.h b/src/lib/certmap/sss_certmap.h
+index 7da2d1c..058d4f9 100644
+--- a/src/lib/certmap/sss_certmap.h
++++ b/src/lib/certmap/sss_certmap.h
+@@ -103,7 +103,7 @@ int sss_certmap_add_rule(struct sss_certmap_ctx *ctx,
+ *
+ * @param[in] ctx certmap context previously initialized with
+ * @ref sss_certmap_init
+- * @param[in] der_cert binary blog with the DER encoded certificate
++ * @param[in] der_cert binary blob with the DER encoded certificate
+ * @param[in] der_size size of the certificate blob
+ *
+ * @return
+@@ -119,10 +119,11 @@ int sss_certmap_match_cert(struct sss_certmap_ctx *ctx,
+ *
+ * @param[in] ctx certmap context previously initialized with
+ * @ref sss_certmap_init
+- * @param[in] der_cert binary blog with the DER encoded certificate
++ * @param[in] der_cert binary blob with the DER encoded certificate
+ * @param[in] der_size size of the certificate blob
+- * @param[out] filter LDAP filter string, caller should free the data by
+- * calling sss_certmap_free_filter_and_domains
++ * @param[out] filter LDAP filter string, expanded templates are sanitized,
++ * caller should free the data by calling
++ * sss_certmap_free_filter_and_domains
+ * @param[out] domains NULL-terminated array of strings with the domains the
+ * rule applies, caller should free the data by calling
+ * sss_certmap_free_filter_and_domains
+@@ -136,8 +137,32 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx,
+ const uint8_t *der_cert, size_t der_size,
+ char **filter, char ***domains);
+
++/**
++ * @brief Expand the mapping rule by replacing the templates
++ *
++ * @param[in] ctx certmap context previously initialized with
++ * @ref sss_certmap_init
++ * @param[in] der_cert binary blob with the DER encoded certificate
++ * @param[in] der_size size of the certificate blob
++ * @param[out] expanded expanded mapping rule, templates are filled in
++ * verbatim in contrast to sss_certmap_get_search_filter,
++ * caller should free the data by
++ * calling sss_certmap_free_filter_and_domains
++ * @param[out] domains NULL-terminated array of strings with the domains the
++ * rule applies, caller should free the data by calling
++ * sss_certmap_free_filter_and_domains
++ *
++ * @return
++ * - 0: certificate matches a rule
++ * - ENOENT: certificate does not match
++ * - EINVAL: internal error
++ */
++int sss_certmap_expand_mapping_rule(struct sss_certmap_ctx *ctx,
++ const uint8_t *der_cert, size_t der_size,
++ char **_expanded, char ***_domains);
+ /**
+ * @brief Free data returned by @ref sss_certmap_get_search_filter
++ * and @ref sss_certmap_expand_mapping_rule
+ *
+ * @param[in] filter LDAP filter strings returned by
+ * sss_certmap_get_search_filter
+@@ -150,7 +175,7 @@ void sss_certmap_free_filter_and_domains(char *filter, char **domains);
+ * @brief Get a string with the content of the certificate used by the library
+ *
+ * @param[in] mem_ctx Talloc memory context, may be NULL
+- * @param[in] der_cert binary blog with the DER encoded certificate
++ * @param[in] der_cert binary blob with the DER encoded certificate
+ * @param[in] der_size size of the certificate blob
+ * @param[out] desc Multiline string showing the certificate content
+ * which is used by libsss_certmap
+diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
+index c7e57be..b9f6787 100644
+--- a/src/responder/pam/pamsrv_p11.c
++++ b/src/responder/pam/pamsrv_p11.c
+@@ -1023,9 +1023,10 @@ static char *get_cert_prompt(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
+- ret = sss_certmap_get_search_filter(ctx, der, der_size, &filter, &domains);
++ ret = sss_certmap_expand_mapping_rule(ctx, der, der_size,
++ &filter, &domains);
+ if (ret != 0) {
+- DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_get_search_filter failed.\n");
++ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_expand_mapping_rule failed.\n");
+ goto done;
+ }
+
+diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
+index 3091e1a..abf1dba 100644
+--- a/src/tests/cmocka/test_certmap.c
++++ b/src/tests/cmocka/test_certmap.c
+@@ -1387,6 +1387,15 @@ static void test_sss_certmap_get_search_filter(void **state)
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
++ assert_string_equal(filter, "rule100=<I>CN=Certificate\\20Authority,O=IPA.DEVEL"
++ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
++ assert_null(domains);
++
++ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
++ sizeof(test_cert_der),
++ &filter, &domains);
++ assert_int_equal(ret, 0);
++ assert_non_null(filter);
+ assert_string_equal(filter, "rule100=<I>CN=Certificate Authority,O=IPA.DEVEL"
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
+ assert_null(domains);
+@@ -1401,6 +1410,17 @@ static void test_sss_certmap_get_search_filter(void **state)
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
++ assert_string_equal(filter, "rule99=<I>CN=Certificate\\20Authority,O=IPA.DEVEL"
++ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
++ assert_non_null(domains);
++ assert_string_equal(domains[0], "test.dom");
++ assert_null(domains[1]);
++
++ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
++ sizeof(test_cert_der),
++ &filter, &domains);
++ assert_int_equal(ret, 0);
++ assert_non_null(filter);
+ assert_string_equal(filter, "rule99=<I>CN=Certificate Authority,O=IPA.DEVEL"
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
+ assert_non_null(domains);
+@@ -1422,6 +1442,16 @@ static void test_sss_certmap_get_search_filter(void **state)
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
++ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
++ sizeof(test_cert_der),
++ &filter, &domains);
++ assert_int_equal(ret, 0);
++ assert_non_null(filter);
++ assert_string_equal(filter, "rule98=userCertificate;binary=" TEST_CERT_BIN);
++ assert_non_null(domains);
++ assert_string_equal(domains[0], "test.dom");
++ assert_null(domains[1]);
++
+ ret = sss_certmap_add_rule(ctx, 97,
+ "KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
+ "LDAP:rule97=<I>{issuer_dn!nss_x500}<S>{subject_dn}",
+@@ -1432,6 +1462,17 @@ static void test_sss_certmap_get_search_filter(void **state)
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
++ assert_string_equal(filter, "rule97=<I>O=IPA.DEVEL,CN=Certificate\\20Authority"
++ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
++ assert_non_null(domains);
++ assert_string_equal(domains[0], "test.dom");
++ assert_null(domains[1]);
++
++ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
++ sizeof(test_cert_der),
++ &filter, &domains);
++ assert_int_equal(ret, 0);
++ assert_non_null(filter);
+ assert_string_equal(filter, "rule97=<I>O=IPA.DEVEL,CN=Certificate Authority"
+ "<S>CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
+ assert_non_null(domains);
+@@ -1448,6 +1489,17 @@ static void test_sss_certmap_get_search_filter(void **state)
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
++ assert_string_equal(filter, "rule96=<I>O=IPA.DEVEL,CN=Certificate\\20Authority"
++ "<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
++ assert_non_null(domains);
++ assert_string_equal(domains[0], "test.dom");
++ assert_null(domains[1]);
++
++ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
++ sizeof(test_cert_der),
++ &filter, &domains);
++ assert_int_equal(ret, 0);
++ assert_non_null(filter);
+ assert_string_equal(filter, "rule96=<I>O=IPA.DEVEL,CN=Certificate Authority"
+ "<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
+ assert_non_null(domains);
+@@ -1466,6 +1518,14 @@ static void test_sss_certmap_get_search_filter(void **state)
+ assert_string_equal(filter, "(userCertificate;binary=" TEST_CERT_BIN ")");
+ assert_null(domains);
+
++ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
++ sizeof(test_cert_der),
++ &filter, &domains);
++ assert_int_equal(ret, 0);
++ assert_non_null(filter);
++ assert_string_equal(filter, "(userCertificate;binary=" TEST_CERT_BIN ")");
++ assert_null(domains);
++
+ ret = sss_certmap_add_rule(ctx, 94,
+ "KRB5:<ISSUER>CN=Certificate Authority,O=IPA.DEVEL",
+ "LDAP:rule94=<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}",
+@@ -1476,12 +1536,22 @@ static void test_sss_certmap_get_search_filter(void **state)
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+- assert_string_equal(filter, "rule94=<I>O=IPA.DEVEL,CN=Certificate Authority"
++ assert_string_equal(filter, "rule94=<I>O=IPA.DEVEL,CN=Certificate\\20Authority"
+ "<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
++ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der),
++ sizeof(test_cert_der),
++ &filter, &domains);
++ assert_int_equal(ret, 0);
++ assert_non_null(filter);
++ assert_string_equal(filter, "rule94=<I>O=IPA.DEVEL,CN=Certificate Authority"
++ "<S>O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
++ assert_non_null(domains);
++ assert_string_equal(domains[0], "test.dom");
++ assert_null(domains[1]);
+
+ ret = sss_certmap_add_rule(ctx, 89, NULL,
+ "(rule89={subject_nt_principal})",
+@@ -1495,6 +1565,14 @@ static void test_sss_certmap_get_search_filter(void **state)
+ assert_string_equal(filter, "(rule89=tu1@ad.devel)");
+ assert_null(domains);
+
++ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der),
++ sizeof(test_cert2_der),
++ &filter, &domains);
++ assert_int_equal(ret, 0);
++ assert_non_null(filter);
++ assert_string_equal(filter, "(rule89=tu1@ad.devel)");
++ assert_null(domains);
++
+ ret = sss_certmap_add_rule(ctx, 88, NULL,
+ "(rule88={subject_nt_principal.short_name})",
+ NULL);
+@@ -1516,6 +1594,15 @@ static void test_sss_certmap_get_search_filter(void **state)
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
++ assert_string_equal(filter, "rule87=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
++ "<S>DC=devel,DC=ad,CN=Users,CN=t\\20u,E=test.user@email.domain");
++ assert_null(domains);
++
++ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der),
++ sizeof(test_cert2_der),
++ &filter, &domains);
++ assert_int_equal(ret, 0);
++ assert_non_null(filter);
+ assert_string_equal(filter, "rule87=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
+ "<S>DC=devel,DC=ad,CN=Users,CN=t u,E=test.user@email.domain");
+ assert_null(domains);
+@@ -1529,6 +1616,15 @@ static void test_sss_certmap_get_search_filter(void **state)
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
++ assert_string_equal(filter, "rule86=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
++ "<S>DC=devel,DC=ad,CN=Users,CN=t\\20u,E=test.user@email.domain");
++ assert_null(domains);
++
++ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der),
++ sizeof(test_cert2_der),
++ &filter, &domains);
++ assert_int_equal(ret, 0);
++ assert_non_null(filter);
+ assert_string_equal(filter, "rule86=<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
+ "<S>DC=devel,DC=ad,CN=Users,CN=t u,E=test.user@email.domain");
+ assert_null(domains);
+diff --git a/src/util/util.c b/src/util/util.c
+index e3efa7f..0653638 100644
+--- a/src/util/util.c
++++ b/src/util/util.c
+@@ -436,100 +436,6 @@ errno_t sss_hash_create(TALLOC_CTX *mem_ctx, unsigned long count,
+ return sss_hash_create_ex(mem_ctx, count, tbl, 0, 0, 0, 0, NULL, NULL);
+ }
+
+-errno_t sss_filter_sanitize_ex(TALLOC_CTX *mem_ctx,
+- const char *input,
+- char **sanitized,
+- const char *ignore)
+-{
+- char *output;
+- size_t i = 0;
+- size_t j = 0;
+- char *allowed;
+-
+- /* Assume the worst-case. We'll resize it later, once */
+- output = talloc_array(mem_ctx, char, strlen(input) * 3 + 1);
+- if (!output) {
+- return ENOMEM;
+- }
+-
+- while (input[i]) {
+- /* Even though this character might have a special meaning, if it's
+- * expliticly allowed, just copy it and move on
+- */
+- if (ignore == NULL) {
+- allowed = NULL;
+- } else {
+- allowed = strchr(ignore, input[i]);
+- }
+- if (allowed) {
+- output[j++] = input[i++];
+- continue;
+- }
+-
+- switch(input[i]) {
+- case '\t':
+- output[j++] = '\\';
+- output[j++] = '0';
+- output[j++] = '9';
+- break;
+- case ' ':
+- output[j++] = '\\';
+- output[j++] = '2';
+- output[j++] = '0';
+- break;
+- case '*':
+- output[j++] = '\\';
+- output[j++] = '2';
+- output[j++] = 'a';
+- break;
+- case '(':
+- output[j++] = '\\';
+- output[j++] = '2';
+- output[j++] = '8';
+- break;
+- case ')':
+- output[j++] = '\\';
+- output[j++] = '2';
+- output[j++] = '9';
+- break;
+- case '\\':
+- output[j++] = '\\';
+- output[j++] = '5';
+- output[j++] = 'c';
+- break;
+- case '\r':
+- output[j++] = '\\';
+- output[j++] = '0';
+- output[j++] = 'd';
+- break;
+- case '\n':
+- output[j++] = '\\';
+- output[j++] = '0';
+- output[j++] = 'a';
+- break;
+- default:
+- output[j++] = input[i];
+- }
+-
+- i++;
+- }
+- output[j] = '\0';
+- *sanitized = talloc_realloc(mem_ctx, output, char, j+1);
+- if (!*sanitized) {
+- talloc_free(output);
+- return ENOMEM;
+- }
+-
+- return EOK;
+-}
+-
+-errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx,
+- const char *input,
+- char **sanitized)
+-{
+- return sss_filter_sanitize_ex(mem_ctx, input, sanitized, NULL);
+-}
+-
+ char *
+ sss_escape_ip_address(TALLOC_CTX *mem_ctx, int family, const char *addr)
+ {
+diff --git a/src/util/util_ext.c b/src/util/util_ext.c
+index 04dc02a..a89b60f 100644
+--- a/src/util/util_ext.c
++++ b/src/util/util_ext.c
+@@ -29,6 +29,11 @@
+
+ #define EOK 0
+
++#ifndef HAVE_ERRNO_T
++#define HAVE_ERRNO_T
++typedef int errno_t;
++#endif
++
+ int split_on_separator(TALLOC_CTX *mem_ctx, const char *str,
+ const char sep, bool trim, bool skip_empty,
+ char ***_list, int *size)
+@@ -141,3 +146,97 @@ bool string_in_list(const char *string, char **list, bool case_sensitive)
+
+ return false;
+ }
++
++errno_t sss_filter_sanitize_ex(TALLOC_CTX *mem_ctx,
++ const char *input,
++ char **sanitized,
++ const char *ignore)
++{
++ char *output;
++ size_t i = 0;
++ size_t j = 0;
++ char *allowed;
++
++ /* Assume the worst-case. We'll resize it later, once */
++ output = talloc_array(mem_ctx, char, strlen(input) * 3 + 1);
++ if (!output) {
++ return ENOMEM;
++ }
++
++ while (input[i]) {
++ /* Even though this character might have a special meaning, if it's
++ * explicitly allowed, just copy it and move on
++ */
++ if (ignore == NULL) {
++ allowed = NULL;
++ } else {
++ allowed = strchr(ignore, input[i]);
++ }
++ if (allowed) {
++ output[j++] = input[i++];
++ continue;
++ }
++
++ switch(input[i]) {
++ case '\t':
++ output[j++] = '\\';
++ output[j++] = '0';
++ output[j++] = '9';
++ break;
++ case ' ':
++ output[j++] = '\\';
++ output[j++] = '2';
++ output[j++] = '0';
++ break;
++ case '*':
++ output[j++] = '\\';
++ output[j++] = '2';
++ output[j++] = 'a';
++ break;
++ case '(':
++ output[j++] = '\\';
++ output[j++] = '2';
++ output[j++] = '8';
++ break;
++ case ')':
++ output[j++] = '\\';
++ output[j++] = '2';
++ output[j++] = '9';
++ break;
++ case '\\':
++ output[j++] = '\\';
++ output[j++] = '5';
++ output[j++] = 'c';
++ break;
++ case '\r':
++ output[j++] = '\\';
++ output[j++] = '0';
++ output[j++] = 'd';
++ break;
++ case '\n':
++ output[j++] = '\\';
++ output[j++] = '0';
++ output[j++] = 'a';
++ break;
++ default:
++ output[j++] = input[i];
++ }
++
++ i++;
++ }
++ output[j] = '\0';
++ *sanitized = talloc_realloc(mem_ctx, output, char, j+1);
++ if (!*sanitized) {
++ talloc_free(output);
++ return ENOMEM;
++ }
++
++ return EOK;
++}
++
++errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx,
++ const char *input,
++ char **sanitized)
++{
++ return sss_filter_sanitize_ex(mem_ctx, input, sanitized, NULL);
++}
+--
+2.25.1
+
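Review bot: The regression tests this backport adds to test_certmap.c only demonstrate the space-to-`\20` escape, because the DNs of the test certificates contain no `(`, `)`, `*` or `\`; the characters that actually let a certificate value alter the structure of an LDAP filter are therefore not covered by any assertion in the patch. A direct unit test of the relocated sanitizer would pin the whole mapping table in util_ext.c, e.g. (constructed input) calling `sss_filter_sanitize(mem_ctx, "a(b)*c\\", &out)` and asserting `out` equals `"a\\28b\\29\\2ac\\5c"`, plus a second call with `sss_filter_sanitize_ex(..., "*")` to confirm the ignore list is honoured. The `cert` template is skipped by the `sanitize = false` branch in expand_template on the stated grounds that the blob is already sanitized; a one-line comment naming where that earlier sanitization happens (presumably in expand_cert, which is outside this hunk) would make that exemption auditable. Since the recipe now links sss_filter_sanitize from util_ext.c instead of util.c, it is worth confirming in the build that libsss_certmap picks up util_ext.c, which this patch does not show.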
diff --git a/recipes-security/sssd/sssd_1.16.4.bb b/recipes-security/sssd/sssd_1.16.4.bb
index 7ea1586..e512dbf 100644
--- a/recipes-security/sssd/sssd_1.16.4.bb
+++ b/recipes-security/sssd/sssd_1.16.4.bb
@@ -17,6 +17,9 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
file://sssd.conf \
file://volatiles.99_sssd \
file://fix-ldblibdir.patch \
+ file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
+ file://CVE-2022-4254-1.patch \
+ file://CVE-2022-4254-2.patch \
"
SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
@@ -39,10 +42,9 @@ PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd',
PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
-PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl jansson"
-PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
+PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
@@ -60,6 +62,8 @@ EXTRA_OECONF += " \
--without-python2-bindings \
--enable-pammoddir=${base_libdir}/security \
--without-python2-bindings \
+ --without-secrets \
+ --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
"
do_configure_prepend() {
@@ -85,6 +89,7 @@ do_install () {
# Remove /var/run as it is created on startup
rm -rf ${D}${localstatedir}/run
+ rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
}
pkg_postinst_ontarget_${PN} () {
@@ -109,16 +114,21 @@ SYSTEMD_SERVICE_${PN} = " \
sssd-pam-priv.socket \
sssd-pam.service \
sssd-pam.socket \
- sssd-secrets.service \
- sssd-secrets.socket \
sssd.service \
"
SYSTEMD_AUTO_ENABLE = "disable"
-FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so"
-FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
+PACKAGES =+ "libsss-sudo libsss-autofs"
+ALLOW_EMPTY_libsss-sudo = "1"
+ALLOW_EMPTY_libsss-autofs = "1"
-# The package contains symlinks that trip up insane
-INSANE_SKIP_${PN} = "dev-so"
+FILES_${PN}-dev += "${libdir}/sssd/modules/lib*.so"
+FILES_${PN} += "${base_libdir}/security/pam_sss*.so \
+ ${datadir}/dbus-1/system-services/*.service \
+ ${libdir}/krb5/* \
+ ${libdir}/ldb/* \
+ "
+FILES_libsss-autofs = "${libdir}/sssd/modules/libsss_autofs.so"
+FILES_libsss-sudo = "${libdir}/libsss_sudo.so"
-RDEPENDS_${PN} = "bind dbus libldb libpam"
+RDEPENDS_${PN} = "bind dbus libldb libpam libsss-sudo libsss-autofs"
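Review bot: `RDEPENDS_${PN}` now unconditionally requires libsss-sudo and libsss-autofs, while both packages are marked `ALLOW_EMPTY`, presumably because their single file only exists when the matching PACKAGECONFIG option (e.g. `autofs`) is enabled; every image therefore pulls in two possibly empty packages. Making the runtime dependency conditional keeps the package graph honest and the file already uses the idiom in `PACKAGECONFIG`: `RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'libsss-autofs', '', d)}"`, with the equivalent line for the sudo module. The new `FILES_${PN}-dev += "${libdir}/sssd/modules/lib*.so"` also deserves a check, since that directory appears to hold runtime-loaded modules rather than development symlinks (libsss_autofs.so is only kept out of -dev because libsss-autofs is listed earlier in `PACKAGES`), and a comment stating why the remaining modules belong in -dev would prevent the next maintainer from "fixing" it.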
diff --git a/wic/beaglebone-yocto-verity.wks.in b/wic/beaglebone-yocto-verity.wks.in
index cd1702e..658018b 100644
--- a/wic/beaglebone-yocto-verity.wks.in
+++ b/wic/beaglebone-yocto-verity.wks.in
@@ -11,5 +11,5 @@
# This .wks only works with the dm-verity-img class.
part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid
-part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
bootloader --append="console=ttyS0,115200"
diff --git a/wic/systemd-bootdisk-dmverity.wks.in b/wic/systemd-bootdisk-dmverity.wks.in
new file mode 100644
index 0000000..ef114ca
--- /dev/null
+++ b/wic/systemd-bootdisk-dmverity.wks.in
@@ -0,0 +1,15 @@
+# A dm-verity variant of the regular wks for IA machines. We need to fetch
+# the partition images from the IMGDEPLOYDIR as the rootfs source plugin will
+# not recreate the exact block device corresponding with the hash tree. We must
+# not alter the label or any other setting on the image.
+# Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
+#
+# This .wks only works with the dm-verity-img class.
+
+part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid
+
+part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
+
+part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid
+
+bootloader --ptable gpt --timeout=5 --append=" "