aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--README5
-rw-r--r--conf/layer.conf2
-rw-r--r--meta-integrity/conf/layer.conf2
-rw-r--r--meta-security-compliance/conf/layer.conf2
-rw-r--r--meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb2
-rw-r--r--meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb5
-rw-r--r--meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc3
-rw-r--r--meta-security-isafw/.gitignore2
-rw-r--r--meta-security-isafw/COPYING.MIT17
-rw-r--r--meta-security-isafw/README.md92
-rw-r--r--meta-security-isafw/conf/layer.conf17
-rw-r--r--meta-security-isafw/lib/isafw/__init__.py40
-rw-r--r--meta-security-isafw/lib/isafw/isafw.py158
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py392
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py217
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py185
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py323
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py273
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/__init__.py42
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py0
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py0
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py24
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py242
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py38
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi43
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions0
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses105
-rw-r--r--meta-security-isafw/lib/isafw/isaplugins/configs/la/violations7
-rw-r--r--meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb25
-rw-r--r--meta-security-isfafw/classes/isafw.bbclass318
-rw-r--r--meta-tpm/conf/layer.conf2
-rw-r--r--meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend (renamed from meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend)0
-rw-r--r--meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb2
-rw-r--r--recipes-kernel/linux/linux-yocto_5.%.bbappend (renamed from recipes-kernel/linux/linux-yocto_4.%.bbappend)0
-rw-r--r--recipes-mac/AppArmor/apparmor_2.13.3.bb2
-rw-r--r--recipes-scanners/arpwatch/arpwatch_3.0.bb79
-rw-r--r--recipes-scanners/arpwatch/files/arpwatch.conf23
-rw-r--r--recipes-scanners/arpwatch/files/arpwatch.default7
-rw-r--r--recipes-scanners/arpwatch/files/arpwatch_init123
-rw-r--r--recipes-scanners/arpwatch/files/host_contam_fix.patch21
-rw-r--r--recipes-scanners/arpwatch/files/postfix_workaround.patch91
-rw-r--r--recipes-scanners/buck-security/buck-security_0.7.bb (renamed from recipes-security/buck-security/buck-security_0.7.bb)0
-rw-r--r--recipes-scanners/checksec/checksec_2.1.0.bb (renamed from recipes-security/checksec/checksec_2.1.0.bb)0
-rw-r--r--recipes-scanners/checksecurity/checksecurity_2.0.15.bb (renamed from recipes-security/checksecurity/checksecurity_2.0.15.bb)0
-rw-r--r--recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch (renamed from recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch)0
-rw-r--r--recipes-scanners/checksecurity/files/setuid-log-folder.patch (renamed from recipes-security/checksecurity/files/setuid-log-folder.patch)0
-rw-r--r--recipes-scanners/clamav/clamav_0.101.5.bb (renamed from recipes-security/clamav/clamav_0.101.5.bb)4
-rw-r--r--recipes-scanners/clamav/files/clamav-freshclam.service (renamed from recipes-security/clamav/files/clamav-freshclam.service)0
-rw-r--r--recipes-scanners/clamav/files/clamav-milter.conf.sample (renamed from recipes-security/clamav/files/clamav-milter.conf.sample)0
-rw-r--r--recipes-scanners/clamav/files/clamav.service (renamed from recipes-security/clamav/files/clamav.service)0
-rw-r--r--recipes-scanners/clamav/files/clamd.conf (renamed from recipes-security/clamav/files/clamd.conf)0
-rw-r--r--recipes-scanners/clamav/files/freshclam-native.conf (renamed from recipes-security/clamav/files/freshclam-native.conf)0
-rw-r--r--recipes-scanners/clamav/files/freshclam.conf (renamed from recipes-security/clamav/files/freshclam.conf)0
-rw-r--r--recipes-scanners/clamav/files/tmpfiles.clamav (renamed from recipes-security/clamav/files/tmpfiles.clamav)0
-rw-r--r--recipes-scanners/clamav/files/volatiles.03_clamav (renamed from recipes-security/clamav/files/volatiles.03_clamav)0
-rw-r--r--recipes-scanners/rootkits/chkrootkit_0.53.bb48
-rw-r--r--recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb4
-rw-r--r--recipes-security/images/security-client-image.bb3
-rw-r--r--recipes-security/images/security-server-image.bb3
-rw-r--r--recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch45
-rw-r--r--recipes-security/libseccomp/libseccomp_2.4.3.bb (renamed from recipes-security/libseccomp/libseccomp_2.4.2.bb)3
-rw-r--r--recipes-security/sssd/files/fix-ldblibdir.patch25
-rw-r--r--recipes-security/sssd/files/volatiles.99_sssd1
-rw-r--r--recipes-security/sssd/sssd_1.16.4.bb74
64 files changed, 3060 insertions, 81 deletions
diff --git a/README b/README
index 7cc5f48..f223fee 100644
--- a/README
+++ b/README
@@ -24,6 +24,11 @@ This layer depends on:
revision: HEAD
prio: default
+ URI: git://git.openembedded.org/meta-openembedded/meta-python
+ branch: master
+ revision: HEAD
+ prio: default
+
URI: git://git.openembedded.org/meta-openembedded/meta-networking
branch: master
revision: HEAD
diff --git a/conf/layer.conf b/conf/layer.conf
index 3e890e1..2c3bd96 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -9,6 +9,6 @@ BBFILE_COLLECTIONS += "security"
BBFILE_PATTERN_security = "^${LAYERDIR}/"
BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "zeus"
+LAYERSERIES_COMPAT_security = "dunfell"
LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index bfc9c6f..b4edac3 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -21,7 +21,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
# interactive shell is enough.
OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "zeus"
+LAYERSERIES_COMPAT_integrity = "dunfell"
# ima-evm-utils depends on keyutils from meta-oe
LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-security-compliance/conf/layer.conf b/meta-security-compliance/conf/layer.conf
index 8572a1f..965c837 100644
--- a/meta-security-compliance/conf/layer.conf
+++ b/meta-security-compliance/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer"
BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_scanners-layer = "10"
-LAYERSERIES_COMPAT_scanners-layer = "zeus"
+LAYERSERIES_COMPAT_scanners-layer = "dunfell"
LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
diff --git a/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb b/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
index 21e4517..245761c 100644
--- a/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
+++ b/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
@@ -38,4 +38,4 @@ do_install () {
FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf"
FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md"
-RDEPENDS_${PN} += "procps"
+RDEPENDS_${PN} += "procps findutils"
diff --git a/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
index ca6e030..a775021 100644
--- a/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
+++ b/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
@@ -17,4 +17,7 @@ inherit setuptools3
S = "${WORKDIR}/git"
-RDEPENDS_${PN} = "python"
+RDEPENDS_${PN} = "openscap scap-security-guide \
+ python3-core python3-dbus \
+ python3-pygobject \
+ "
diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
index 3212310..66c2623 100644
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -13,6 +13,9 @@ S = "${WORKDIR}/git"
inherit cmake pkgconfig python3native
STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
+export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
+export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
OECMAKE_GENERATOR = "Unix Makefiles"
diff --git a/meta-security-isafw/.gitignore b/meta-security-isafw/.gitignore
new file mode 100644
index 0000000..2f836aa
--- /dev/null
+++ b/meta-security-isafw/.gitignore
@@ -0,0 +1,2 @@
+*~
+*.pyc
diff --git a/meta-security-isafw/COPYING.MIT b/meta-security-isafw/COPYING.MIT
new file mode 100644
index 0000000..fb950dc
--- /dev/null
+++ b/meta-security-isafw/COPYING.MIT
@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/meta-security-isafw/README.md b/meta-security-isafw/README.md
new file mode 100644
index 0000000..16041cb
--- /dev/null
+++ b/meta-security-isafw/README.md
@@ -0,0 +1,92 @@
+**meta-security-isafw** is an OE layer that allows enabling the Image
+Security Analysis Framework (isafw) for your image builds.
+
+The primary purpose of isafw is to provide an extensible
+framework for analysing different security aspects of images
+during the build process.
+
+The isafw project itself can be found at
+ https://github.com/01org/isafw
+
+The framework supports a number of callbacks (such as
+process_package(), process_filesystem(), and etc.) that are invoked
+by the bitbake during different stages of package and image build.
+These callbacks are then forwarded for processing to the avaliable
+ISA FW plugins that have registered for these callbacks.
+Plugins can do their own processing on each stage of the build
+process and produce security reports.
+
+Dependencies
+------------
+
+The **meta-security-isafw** layer depends on the Open Embeeded
+core layer:
+
+ git://git.openembedded.org/openembedded-core
+
+
+Usage
+-----
+
+In order to enable the isafw during the image build, please add
+the following line to your build/conf/local.conf file:
+
+```python
+INHERIT += "isafw"
+```
+
+Next you need to update your build/conf/bblayers.conf file with the
+location of meta-security-isafw layer on your filesystem along with
+any other layers needed. e.g.:
+
+```python
+BBLAYERS ?= " \
+ /OE/oe-core/meta \
+ /OE/meta-security/meta-security-isafw \
+ "
+```
+
+Also, some isafw plugins require network connection, so in case of a
+proxy setup please make sure to export http_proxy variable into your
+environment.
+
+In order to produce image reports, you can execute image build
+normally. For example:
+
+```shell
+bitbake core-image-minimal
+```
+
+If you are only interested to produce a report based on packages
+and without building an image, please use:
+
+```shell
+bitbake -c analyse_sources_all core-image-minimal
+```
+
+
+Logs
+----
+
+All isafw plugins by default create their logs under the
+${LOG_DIR}/isafw-report/ directory, where ${LOG_DIR} is a bitbake
+default location for log files. If you wish to change this location,
+please define ISAFW_REPORTDIR variable in your local.conf file.
+
+Patches
+-------
+end pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security-isafw][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@lists.yoctoproject.org
+$ git config format.subjectPrefix meta-security-isafw][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+For pull requests, please use create-pull-request and send-pull-request.
+
+Maintainers: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-security-isafw/conf/layer.conf b/meta-security-isafw/conf/layer.conf
new file mode 100644
index 0000000..63f990a
--- /dev/null
+++ b/meta-security-isafw/conf/layer.conf
@@ -0,0 +1,17 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "security-isafw"
+BBFILE_PATTERN_security-isafw = "^${LAYERDIR}/"
+BBFILE_PRIORITY_security-isafw = "6"
+
+# This should only be incremented on significant changes that will
+# cause compatibility issues with other layers
+LAYERVERSION_security-isafw = "1"
+
+LAYERDEPENDS_security-isafw = "core"
+
+LAYERSERIES_COMPAT_security-isafw = "dunfell"
diff --git a/meta-security-isafw/lib/isafw/__init__.py b/meta-security-isafw/lib/isafw/__init__.py
new file mode 100644
index 0000000..50527fb
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/__init__.py
@@ -0,0 +1,40 @@
+#
+# __init__.py - part of ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""isafw
+
+Current Contents:
+
+* isafw.py - main class
+* plugins - ISA plugins
+* plugins/configs - configuration data for the plugins
+"""
+
+__all__ = [
+ 'isafw',
+]
diff --git a/meta-security-isafw/lib/isafw/isafw.py b/meta-security-isafw/lib/isafw/isafw.py
new file mode 100644
index 0000000..a1a76b8
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isafw.py
@@ -0,0 +1,158 @@
+#
+# isafw.py - Main classes for ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+from __future__ import absolute_import, print_function
+
+import sys
+import traceback
+try:
+ # absolute import
+ import isafw.isaplugins as isaplugins
+except ImportError:
+ # relative import when installing as separate modules
+ import isaplugins
+try:
+ from bb import error
+except ImportError:
+ error = print
+
+__all__ = [
+ 'ISA_package',
+ 'ISA_pkg_list',
+ 'ISA_kernel',
+ 'ISA_filesystem',
+ 'ISA_config',
+ 'ISA',
+]
+
+# classes for representing objects for ISA plugins
+
+# source package
+
+
+class ISA_package:
+ # pkg name (mandatory argument)
+ name = ""
+ # full version (mandatory argument)
+ version = ""
+ licenses = [] # list of licences for all subpackages
+ aliases = [] # list of alias names for packages if exist
+ source_files = [] # list of strings of source files
+ patch_files = [] # list of patch files to be applied
+ path_to_sources = "" # path to the source files
+
+# package list
+
+
+class ISA_pkg_list:
+ # image name (mandatory argument)
+ img_name = ""
+ # path to the pkg list file (mandatory argument)
+ path_to_list = ""
+
+# kernel
+
+
+class ISA_kernel:
+ # image name (mandatory argument)
+ img_name = ""
+ # path to the kernel config file (mandatory argument)
+ path_to_config = ""
+
+# filesystem
+
+
+class ISA_filesystem:
+ # image name (mandatory argument)
+ img_name = ""
+ type = "" # filesystem type
+ # path to the fs location (mandatory argument)
+ path_to_fs = ""
+
+# configuration of ISAFW
+# if both whitelist and blacklist is empty, all avaliable plugins will be used
+# if whitelist has entries, then only whitelisted plugins will be used from a set of avaliable plugins
+# if blacklist has entries, then the specified plugins won't be used even
+# if avaliable and even if specified in whitelist
+
+
+class ISA_config:
+ plugin_whitelist = "" # comma separated list of plugins to whitelist
+ plugin_blacklist = "" # comma separated list of plugins to blacklist
+ cacert = None # If set, a CA certificate file that replaces the system default one
+ reportdir = "" # location of produced reports
+ logdir = "" # location of produced logs
+ timestamp = "" # timestamp of the build provided by build system
+ full_reports = False # produce full reports for plugins, False by default
+ machine = "" # name of machine build is produced for
+ la_plugin_image_whitelist = ""# whitelist of images for violating license checks
+ la_plugin_image_blacklist = ""# blacklist of images for violating license checks
+ arch = "" # target architecture
+
+class ISA:
+ def call_plugins(self, methodname, *parameters, **keywords):
+ for name in isaplugins.__all__:
+ plugin = getattr(isaplugins, name)
+ method = getattr(plugin, methodname, None)
+ if not method:
+ # Not having init() is an error, everything else is optional.
+ if methodname == "init":
+ error("No init() defined for plugin %s.\n"
+ "Skipping this plugin." %
+ (methodname, plugin.getPluginName()))
+ continue
+ if self.ISA_config.plugin_whitelist and plugin.getPluginName() not in self.ISA_config.plugin_whitelist:
+ continue
+ if self.ISA_config.plugin_blacklist and plugin.getPluginName() in self.ISA_config.plugin_blacklist:
+ continue
+ try:
+ method(*parameters, **keywords)
+ except:
+ error("Exception in plugin %s %s():\n%s" %
+ (plugin.getPluginName(),
+ methodname,
+ traceback.format_exc()))
+
+ def __init__(self, ISA_config):
+ self.ISA_config = ISA_config
+ self.call_plugins("init", ISA_config)
+
+ def process_package(self, ISA_package):
+ self.call_plugins("process_package", ISA_package)
+
+ def process_pkg_list(self, ISA_pkg_list):
+ self.call_plugins("process_pkg_list", ISA_pkg_list)
+
+ def process_kernel(self, ISA_kernel):
+ self.call_plugins("process_kernel", ISA_kernel)
+
+ def process_filesystem(self, ISA_filesystem):
+ self.call_plugins("process_filesystem", ISA_filesystem)
+
+ def process_report(self):
+ self.call_plugins("process_report")
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
new file mode 100644
index 0000000..daecba1
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
@@ -0,0 +1,392 @@
+#
+# ISA_cfa_plugin.py - Compile flag analyzer plugin, part of ISA FW
+# Main functionality is based on build_comp script from Clear linux project
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+import subprocess
+import os
+import sys
+import re
+import copy
+try:
+ from lxml import etree
+except ImportError:
+ try:
+ import xml.etree.cElementTree as etree
+ except ImportError:
+ import xml.etree.ElementTree as etree
+
+
+CFChecker = None
+
+
+class ISA_CFChecker():
+ initialized = False
+ no_relro = []
+ partial_relro = []
+ no_canary = []
+ no_pie = []
+ execstack = []
+ execstack_not_defined = []
+ nodrop_groups = []
+ no_mpx = []
+
+ def __init__(self, ISA_config):
+ self.logfile = ISA_config.logdir + "/isafw_cfalog"
+ self.full_report_name = ISA_config.reportdir + "/cfa_full_report_" + \
+ ISA_config.machine + "_" + ISA_config.timestamp
+ self.problems_report_name = ISA_config.reportdir + \
+ "/cfa_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
+ self.full_reports = ISA_config.full_reports
+ self.ISA_filesystem = ""
+ # check that checksec and other tools are installed
+ tools_errors = _check_tools()
+ if tools_errors:
+ with open(self.logfile, 'w') as flog:
+ flog.write(tools_errors)
+ return
+ self.initialized = True
+ with open(self.logfile, 'w') as flog:
+ flog.write("\nPlugin ISA_CFChecker initialized!\n")
+ return
+
+ def process_filesystem(self, ISA_filesystem):
+ self.ISA_filesystem = ISA_filesystem
+ fs_path = self.ISA_filesystem.path_to_fs
+ img_name = self.ISA_filesystem.img_name
+ if (self.initialized):
+ if (img_name and fs_path):
+ with open(self.logfile, 'a') as flog:
+ flog.write("\n\nFilesystem path is: " + fs_path)
+ if self.full_reports:
+ with open(self.full_report_name + "_" + img_name, 'w') as ffull_report:
+ ffull_report.write(
+ "Security-relevant flags for executables for image: " + img_name + '\n')
+ ffull_report.write("With rootfs location at " + fs_path + "\n\n")
+ files = self.find_files(fs_path)
+ import multiprocessing
+ pool = multiprocessing.Pool()
+ results = pool.imap(process_file_wrapper, files)
+ pool.close()
+ pool.join()
+ self.process_results(results)
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Mandatory arguments such as image name and path to the filesystem are not provided!\n")
+ flog.write("Not performing the call.\n")
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write("Plugin hasn't initialized! Not performing the call.\n")
+
+ def process_results(self, results):
+ fs_path = self.ISA_filesystem.path_to_fs
+ for result in results:
+ if not result:
+ with open(self.logfile, 'a') as flog:
+ flog.write("\nError in returned result")
+ continue
+ with open(self.logfile, 'a') as flog:
+ flog.write("\n\nFor file: " + str(result[0]) + "\nlog is: " + str(result[5]))
+ if result[1]:
+ with open(self.logfile, 'a') as flog:
+ flog.write("\n\nsec_field: " + str(result[1]))
+ if "No RELRO" in result[1]:
+ self.no_relro.append(result[0].replace(fs_path, ""))
+ elif "Partial RELRO" in result[1]:
+ self.partial_relro.append(result[0].replace(fs_path, ""))
+ if "No canary found" in result[1]:
+ self.no_canary.append(result[0].replace(fs_path, ""))
+ if "No PIE" in result[1]:
+ self.no_pie.append(result[0].replace(fs_path, ""))
+ if result[2]:
+ if result[2] == "execstack":
+ self.execstack.append(result[0].replace(fs_path, ""))
+ elif result[2] == "not_defined":
+ self.execstack_not_defined.append(result[0].replace(fs_path, ""))
+ if result[3] and (result[3] == True):
+ self.nodrop_groups.append(result[0].replace(fs_path, ""))
+ if result[4] and (result[4] == True):
+ self.no_mpx.append(result[0].replace(fs_path, ""))
+ self.write_full_report(result)
+ self.write_report()
+ self.write_report_xml()
+
+ def write_full_report(self, result):
+ if not self.full_reports:
+ return
+ fs_path = self.ISA_filesystem.path_to_fs
+ img_name = self.ISA_filesystem.img_name
+ with open(self.full_report_name + "_" + img_name, 'a') as ffull_report:
+ ffull_report.write('\nFile: ' + result[0].replace(fs_path, ""))
+ ffull_report.write('\nsecurity flags: ' + str(result[1]))
+ ffull_report.write('\nexecstack: ' + str(result[2]))
+ ffull_report.write('\nnodrop_groups: ' + str(result[3]))
+ ffull_report.write('\nno mpx: ' + str(result[4]))
+ ffull_report.write('\n')
+
+ def write_report(self):
+ fs_path = self.ISA_filesystem.path_to_fs
+ img_name = self.ISA_filesystem.img_name
+ with open(self.problems_report_name + "_" + img_name, 'w') as fproblems_report:
+ fproblems_report.write("Report for image: " + img_name + '\n')
+ fproblems_report.write("With rootfs location at " + fs_path + "\n\n")
+ fproblems_report.write("Relocation Read-Only\n")
+ fproblems_report.write("More information about RELRO and how to enable it:")
+ fproblems_report.write(
+ " http://tk-blog.blogspot.de/2009/02/relro-not-so-well-known-memory.html\n")
+ fproblems_report.write("Files with no RELRO:\n")
+ for item in self.no_relro:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("Files with partial RELRO:\n")
+ for item in self.partial_relro:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nStack protection\n")
+ fproblems_report.write(
+ "More information about canary stack protection and how to enable it:")
+ fproblems_report.write("https://lwn.net/Articles/584225/ \n")
+ fproblems_report.write("Files with no canary:\n")
+ for item in self.no_canary:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nPosition Independent Executable\n")
+ fproblems_report.write("More information about PIE protection and how to enable it:")
+ fproblems_report.write(
+ "https://securityblog.redhat.com/2012/11/28/position-independent-executables-pie/\n")
+ fproblems_report.write("Files with no PIE:\n")
+ for item in self.no_pie:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nNon-executable stack\n")
+ fproblems_report.write("Files with executable stack enabled:\n")
+ for item in self.execstack:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nFiles with no ability to fetch executable stack status:\n")
+ for item in self.execstack_not_defined:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nGrop initialization:\n")
+ fproblems_report.write(
+ "If using setuid/setgid calls in code, one must call initgroups or setgroups\n")
+ fproblems_report.write(
+ "Files that don't initialize groups while using setuid/setgid:\n")
+ for item in self.nodrop_groups:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nMemory Protection Extensions\n")
+ fproblems_report.write("More information about MPX protection and how to enable it:")
+ fproblems_report.write(
+ "https://software.intel.com/sites/default/files/managed/9d/f6/Intel_MPX_EnablingGuide.pdf\n")
+ fproblems_report.write("Files that don't have MPX protection enabled:\n")
+ for item in self.no_mpx:
+ fproblems_report.write(item + '\n')
+
+ def write_report_xml(self):
+ numTests = len(self.no_relro) + len(self.partial_relro) + len(self.no_canary) + len(self.no_pie) + \
+ len(self.execstack) + len(self.execstack_not_defined) + \
+ len(self.nodrop_groups) + len(self.no_mpx)
+ root = etree.Element('testsuite', name='ISA_CFChecker', tests=str(numTests))
+ if self.no_relro:
+ for item in self.no_relro:
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname='files_with_no_RELRO', name=item)
+ etree.SubElement(tcase1, 'failure', message=item, type='violation')
+ if self.partial_relro:
+ for item in self.partial_relro:
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname='files_with_partial_RELRO', name=item)
+ etree.SubElement(tcase1, 'failure', message=item, type='violation')
+ if self.no_canary:
+ for item in self.no_canary:
+ tcase2 = etree.SubElement(
+ root, 'testcase', classname='files_with_no_canary', name=item)
+ etree.SubElement(tcase2, 'failure', message=item, type='violation')
+ if self.no_pie:
+ for item in self.no_pie:
+ tcase3 = etree.SubElement(
+ root, 'testcase', classname='files_with_no_PIE', name=item)
+ etree.SubElement(tcase3, 'failure', message=item, type='violation')
+ if self.execstack:
+ for item in self.execstack:
+ tcase5 = etree.SubElement(
+ root, 'testcase', classname='files_with_execstack', name=item)
+ etree.SubElement(tcase5, 'failure', message=item, type='violation')
+ if self.execstack_not_defined:
+ for item in self.execstack_not_defined:
+ tcase6 = etree.SubElement(
+ root, 'testcase', classname='files_with_execstack_not_defined', name=item)
+ etree.SubElement(tcase6, 'failure', message=item, type='violation')
+ if self.nodrop_groups:
+ for item in self.nodrop_groups:
+ tcase7 = etree.SubElement(
+ root, 'testcase', classname='files_with_nodrop_groups', name=item)
+ etree.SubElement(tcase7, 'failure', message=item, type='violation')
+ if self.no_mpx:
+ for item in self.no_mpx:
+ tcase8 = etree.SubElement(
+ root, 'testcase', classname='files_with_no_mpx', name=item)
+ etree.SubElement(tcase8, 'failure', message=item, type='violation')
+ tree = etree.ElementTree(root)
+ output = self.problems_report_name + "_" + self.ISA_filesystem.img_name + '.xml'
+ try:
+ tree.write(output, encoding='UTF-8', pretty_print=True, xml_declaration=True)
+ except TypeError:
+ tree.write(output, encoding='UTF-8', xml_declaration=True)
+
+ def find_files(self, init_path):
+ list_of_files = []
+ for (dirpath, dirnames, filenames) in os.walk(init_path):
+ for f in filenames:
+ list_of_files.append(str(dirpath + "/" + f)[:])
+ return list_of_files
+
+
+def _check_tools():
+
+ def _is_in_path(executable):
+ "Check for presence of executable in PATH"
+ for path in os.environ["PATH"].split(os.pathsep):
+ path = path.strip('"')
+ if (os.path.isfile(os.path.join(path, executable)) and
+ os.access(os.path.join(path, executable), os.X_OK)):
+ return True
+ return False
+
+ tools = {
+ "checksec.sh": "Please install checksec from http://www.trapkit.de/tools/checksec.html\n",
+ "execstack": "Please install execstack from prelink package\n",
+ "readelf": "Please install binutils\n",
+ "objdump": "Please install binutils\n",
+ }
+ output = ""
+ for tool in tools:
+ if not _is_in_path(tool):
+ output += tools[tool]
+ return output
+
+
+def get_info(tool, args, file_name):
+ env = copy.deepcopy(os.environ)
+ env['PSEUDO_UNLOAD'] = "1"
+ cmd = [tool, args, file_name]
+ with open(os.devnull, 'wb') as DEVNULL:
+ try:
+ result = subprocess.check_output(cmd, stderr=DEVNULL, env=env).decode('utf-8')
+ except:
+ return ""
+ else:
+ return result
+
+def get_security_flags(file_name):
+ env = copy.deepcopy(os.environ)
+ env['PSEUDO_UNLOAD'] = "1"
+ cmd = ['checksec.sh', '--file', file_name]
+ try:
+ result = subprocess.check_output(cmd, env=env).decode('utf-8').splitlines()[1]
+ except:
+ return "Not able to fetch flags"
+ else:
+ # remove ansi escape color sequences
+ result = re.sub(r'\x1b[^m]*m', '', result)
+ return re.split(r' {2,}', result)[:-1]
+
+
+def process_file(file):
+ log = "File from map " + file
+ fun_results = [file, [], "", False, False, log]
+ if not os.path.isfile(file):
+ return fun_results
+ env = copy.deepcopy(os.environ)
+ env['PSEUDO_UNLOAD'] = "1"
+ # getting file type
+ cmd = ['file', '--mime-type', file]
+ try:
+ result = subprocess.check_output(cmd, env=env).decode('utf-8')
+ except:
+ fun_results[-1] += "\nNot able to decode mime type"
+ return fun_results
+ file_type = result.split()[-1]
+ # looking for links
+ if "symlink" in file_type:
+ file = os.path.realpath(file)
+ cmd = ['file', '--mime-type', file]
+ try:
+ result = subprocess.check_output(cmd, env=env).decode('utf-8')
+ except:
+ fun_results[-1] += "\nNot able to decode mime type"
+ return fun_results
+ file_type = result.split()[-1]
+ # checking security flags if applies
+ if "application" not in file_type:
+ return fun_results
+ fun_results[-1] += "\nFile type: " + file_type
+ if (("octet-stream" in file_type) or ("dosexec" in file_type) or
+ ("archive" in file_type) or ("xml" in file_type) or
+ ("gzip" in file_type) or ("postscript" in file_type) or
+ ("pdf" in file_type)):
+ return fun_results
+ fun_results[1] = get_security_flags(file)
+ tmp = get_info("execstack", '-q', file)
+ if tmp.startswith("X "):
+ fun_results[2] = "execstack"
+ elif tmp.startswith("? "):
+ fun_results[2] = "not_defined"
+ tmp = get_info("readelf", '-s', file)
+ if ("setgid@GLIBC" in tmp) or ("setegid@GLIBC" in tmp) or ("setresgid@GLIBC" in tmp):
+ if ("setuid@GLIBC" in tmp) or ("seteuid@GLIBC" in tmp) or ("setresuid@GLIBC" in tmp):
+ if ("setgroups@GLIBC" not in tmp) and ("initgroups@GLIBC" not in tmp):
+ fun_results[3] = True
+ tmp = get_info("objdump", '-d', file)
+ if ("bndcu" not in tmp) and ("bndcl" not in tmp) and ("bndmov" not in tmp):
+ fun_results[4] = True
+ return fun_results
+
+def process_file_wrapper(file):
+ # Ensures that exceptions get logged with the original backtrace.
+ # Without this, they appear with a backtrace rooted in
+ # the code which transfers back the result to process_results().
+ try:
+ return process_file(file)
+ except:
+ from isafw import isafw
+ import traceback
+ isafw.error('Internal error:\n%s' % traceback.format_exc())
+ raise
+
+# ======== supported callbacks from ISA ============ #
+
+
+def init(ISA_config):
+ global CFChecker
+ CFChecker = ISA_CFChecker(ISA_config)
+
+
+def getPluginName():
+ return "ISA_CFChecker"
+
+
+def process_filesystem(ISA_filesystem):
+ global CFChecker
+ return CFChecker.process_filesystem(ISA_filesystem)
+
+# =================================================== #
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py
new file mode 100644
index 0000000..268aa45
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py
@@ -0,0 +1,217 @@
+#
+# ISA_cve_plugin.py - CVE checker plugin, part of ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+import subprocess
+import os, sys
+import re
+
+CVEChecker = None
+pkglist = "/cve_check_tool_pkglist"
+
+
+class ISA_CVEChecker:
+ initialized = False
+
+ def __init__(self, ISA_config):
+ self.cacert = ISA_config.cacert
+ self.reportdir = ISA_config.reportdir
+ self.timestamp = ISA_config.timestamp
+ self.logfile = ISA_config.logdir + "/isafw_cvelog"
+ self.report_name = ISA_config.reportdir + "/cve_report_" + \
+ ISA_config.machine + "_" + ISA_config.timestamp
+ self.initialized = True
+ with open(self.logfile, 'a') as flog:
+ flog.write("\nPlugin ISA_CVEChecker initialized!\n")
+ output = ""
+ # check that cve-check-tool is installed
+
+ def process_package(self, ISA_pkg):
+ if (self.initialized):
+ if (ISA_pkg.name and ISA_pkg.version and ISA_pkg.patch_files):
+ alias_pkgs_faux = []
+ # need to compose faux format line for cve-check-tool
+ cve_patch_info = self.process_patch_list(ISA_pkg.patch_files)
+ pkgline_faux = ISA_pkg.name + "," + ISA_pkg.version + "," + cve_patch_info + ",\n"
+ if ISA_pkg.aliases:
+ for a in ISA_pkg.aliases:
+ alias_pkgs_faux.append(
+ a + "," + ISA_pkg.version + "," + cve_patch_info + ",\n")
+ pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
+ with open(self.reportdir + pkglist_faux, 'a') as fauxfile:
+ fauxfile.write(pkgline_faux)
+ for a in alias_pkgs_faux:
+ fauxfile.write(a)
+
+ with open(self.logfile, 'a') as flog:
+ flog.write("\npkg info: " + pkgline_faux)
+ else:
+ self.initialized = False
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Mandatory arguments such as pkg name, version and list of patches are not provided!\n")
+ flog.write("Not performing the call.\n")
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Plugin hasn't initialized! Not performing the call.\n")
+
+ def process_report(self):
+ if not os.path.isfile(self.reportdir + pkglist + "_" + self.timestamp + ".faux"):
+ return
+ if (self.initialized):
+ with open(self.logfile, 'a') as flog:
+ flog.write("Creating report in HTML format.\n")
+ result = self.process_report_type("html")
+
+ with open(self.logfile, 'a') as flog:
+ flog.write("Creating report in CSV format.\n")
+ result = self.process_report_type("csv")
+
+ pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
+ os.remove(self.reportdir + pkglist_faux)
+
+ with open(self.logfile, 'a') as flog:
+ flog.write("Creating report in XML format.\n")
+ self.write_report_xml(result)
+
+ def write_report_xml(self, result):
+ try:
+ from lxml import etree
+ except ImportError:
+ try:
+ import xml.etree.cElementTree as etree
+ except ImportError:
+ import xml.etree.ElementTree as etree
+ num_tests = 0
+ root = etree.Element('testsuite', name='CVE_Plugin', tests='1')
+
+ if result :
+ num_tests = 1
+ tcase = etree.SubElement(
+ root, 'testcase', classname='ISA_CVEChecker', name="Error in cve-check-tool")
+ etree.SubElement( tcase, 'failure', message=result, type='violation')
+ else:
+ with open(self.report_name + ".csv", 'r') as f:
+ for line in f:
+ num_tests += 1
+ line = line.strip()
+ line_sp = line.split(',', 2)
+ if (len(line_sp) >= 3) and (line_sp[2].startswith('CVE')):
+ tcase = etree.SubElement(
+ root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
+ etree.SubElement(
+ tcase, 'failure', message=line, type='violation')
+ else:
+ tcase = etree.SubElement(
+ root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
+
+ root.set('tests', str(num_tests))
+ tree = etree.ElementTree(root)
+ output = self.report_name + '.xml'
+ try:
+ tree.write(output, encoding='UTF-8',
+ pretty_print=True, xml_declaration=True)
+ except TypeError:
+ tree.write(output, encoding='UTF-8', xml_declaration=True)
+
+ def process_report_type(self, rtype):
+ # now faux file is ready and we can process it
+ args = ""
+ result = ""
+ tool_stderr_value = ""
+ args += "cve-check-tool "
+ if self.cacert:
+ args += "--cacert '%s' " % self.cacert
+ if rtype != "html":
+ args += "-c "
+ rtype = "csv"
+ pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
+ args += "-a -t faux '" + self.reportdir + pkglist_faux + "'"
+ with open(self.logfile, 'a') as flog:
+ flog.write("Args: " + args)
+ try:
+ popen = subprocess.Popen(
+ args, shell=True, env=os.environ, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ result = popen.communicate()
+ except:
+ tool_stderr_value = "Error in executing cve-check-tool" + str(sys.exc_info())
+ with open(self.logfile, 'a') as flog:
+ flog.write("Error in executing cve-check-tool: " +
+ str(sys.exc_info()))
+ else:
+ stdout_value = result[0]
+ tool_stderr_value = result[1].decode('utf-8')
+ if not tool_stderr_value and popen.returncode == 0:
+ report = self.report_name + "." + rtype
+ with open(report, 'wb') as freport:
+ freport.write(stdout_value)
+ else:
+ tool_stderr_value = tool_stderr_value + \
+ "\ncve-check-tool terminated with exit code " + str(popen.returncode)
+ return tool_stderr_value
+
+ def process_patch_list(self, patch_files):
+ patch_info = ""
+ for patch in patch_files:
+ patch1 = patch.partition("cve")
+ if (patch1[0] == patch):
+ # no cve substring, try CVE
+ patch1 = patch.partition("CVE")
+ if (patch1[0] == patch):
+ continue
+ patchstripped = patch1[2].split('-')
+ try:
+ patch_info += " CVE-" + \
+ patchstripped[1] + "-" + re.findall('\d+', patchstripped[2])[0]
+ except IndexError:
+ # string parsing attempt failed, so just skip this patch
+ continue
+ return patch_info
+
+# ======== supported callbacks from ISA ============= #
+
+
+def init(ISA_config):
+ global CVEChecker
+ CVEChecker = ISA_CVEChecker(ISA_config)
+
+
+def getPluginName():
+ return "ISA_CVEChecker"
+
+
+def process_package(ISA_pkg):
+ global CVEChecker
+ return CVEChecker.process_package(ISA_pkg)
+
+
+def process_report():
+ global CVEChecker
+ return CVEChecker.process_report()
+
+# ==================================================== #
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py
new file mode 100644
index 0000000..0909756
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py
@@ -0,0 +1,185 @@
+#
+# ISA_fsa_plugin.py - Filesystem analyser plugin, part of ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+import os
+from stat import *
+try:
+ from lxml import etree
+except ImportError:
+ try:
+ import xml.etree.cElementTree as etree
+ except ImportError:
+ import xml.etree.ElementTree as etree
+
+
+FSAnalyzer = None
+
+
+class ISA_FSChecker():
+ initialized = False
+
+ def __init__(self, ISA_config):
+ self.logfile = ISA_config.logdir + "/isafw_fsalog"
+ self.full_report_name = ISA_config.reportdir + "/fsa_full_report_" + \
+ ISA_config.machine + "_" + ISA_config.timestamp
+ self.problems_report_name = ISA_config.reportdir + \
+ "/fsa_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
+ self.full_reports = ISA_config.full_reports
+ self.initialized = True
+ self.setuid_files = []
+ self.setgid_files = []
+ self.ww_files = []
+ self.no_sticky_bit_ww_dirs = []
+ with open(self.logfile, 'w') as flog:
+ flog.write("\nPlugin ISA_FSChecker initialized!\n")
+
+ def process_filesystem(self, ISA_filesystem):
+ if (self.initialized):
+ if (ISA_filesystem.img_name and ISA_filesystem.path_to_fs):
+ with open(self.logfile, 'a') as flog:
+ flog.write("Analyzing filesystem at: " + ISA_filesystem.path_to_fs +
+ " for the image: " + ISA_filesystem.img_name + "\n")
+ self.files = self.find_fsobjects(ISA_filesystem.path_to_fs)
+ with open(self.logfile, 'a') as flog:
+ flog.write("\nFilelist is: " + str(self.files))
+ if self.full_reports:
+ with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'w') as ffull_report:
+ ffull_report.write(
+ "Report for image: " + ISA_filesystem.img_name + '\n')
+ ffull_report.write(
+ "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n")
+ for f in self.files:
+ st = os.lstat(f)
+ i = f.replace(ISA_filesystem.path_to_fs, "")
+ if self.full_reports:
+ with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'a') as ffull_report:
+ ffull_report.write("File: " + i + ' mode: ' + str(oct(st.st_mode)) +
+ " uid: " + str(st.st_uid) + " gid: " + str(st.st_gid) + '\n')
+ if ((st.st_mode & S_ISUID) == S_ISUID):
+ self.setuid_files.append(i)
+ if ((st.st_mode & S_ISGID) == S_ISGID):
+ self.setgid_files.append(i)
+ if ((st.st_mode & S_IWOTH) == S_IWOTH):
+ if (((st.st_mode & S_IFDIR) == S_IFDIR) and ((st.st_mode & S_ISVTX) != S_ISVTX)):
+ self.no_sticky_bit_ww_dirs.append(i)
+ if (((st.st_mode & S_IFREG) == S_IFREG) and ((st.st_mode & S_IFLNK) != S_IFLNK)):
+ self.ww_files.append(i)
+ self.write_problems_report(ISA_filesystem)
+ self.write_problems_report_xml(ISA_filesystem)
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Mandatory arguments such as image name and path to the filesystem are not provided!\n")
+ flog.write("Not performing the call.\n")
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Plugin hasn't initialized! Not performing the call.\n")
+
+ def write_problems_report(self, ISA_filesystem):
+ with open(self.problems_report_name + "_" + ISA_filesystem.img_name, 'w') as fproblems_report:
+ fproblems_report.write(
+ "Report for image: " + ISA_filesystem.img_name + '\n')
+ fproblems_report.write(
+ "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n")
+ fproblems_report.write("Files with SETUID bit set:\n")
+ for item in self.setuid_files:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nFiles with SETGID bit set:\n")
+ for item in self.setgid_files:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write("\n\nWorld-writable files:\n")
+ for item in self.ww_files:
+ fproblems_report.write(item + '\n')
+ fproblems_report.write(
+ "\n\nWorld-writable dirs with no sticky bit:\n")
+ for item in self.no_sticky_bit_ww_dirs:
+ fproblems_report.write(item + '\n')
+
+ def write_problems_report_xml(self, ISA_filesystem):
+ num_tests = len(self.setuid_files) + len(self.setgid_files) + \
+ len(self.ww_files) + len(self.no_sticky_bit_ww_dirs)
+ root = etree.Element(
+ 'testsuite', name='FSA_Plugin', tests=str(num_tests))
+ if self.setuid_files:
+ for item in self.setuid_files:
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname='Files_with_SETUID_bit_set', name=item)
+ etree.SubElement(
+ tcase1, 'failure', message=item, type='violation')
+ if self.setgid_files:
+ for item in self.setgid_files:
+ tcase2 = etree.SubElement(
+ root, 'testacase', classname='Files_with_SETGID_bit_set', name=item)
+ etree.SubElement(
+ tcase2, 'failure', message=item, type='violation')
+ if self.ww_files:
+ for item in self.ww_files:
+ tcase3 = etree.SubElement(
+ root, 'testase', classname='World-writable_files', name=item)
+ etree.SubElement(
+ tcase3, 'failure', message=item, type='violation')
+ if self.no_sticky_bit_ww_dirs:
+ for item in self.no_sticky_bit_ww_dirs:
+ tcase4 = etree.SubElement(
+ root, 'testcase', classname='World-writable_dirs_with_no_sticky_bit', name=item)
+ etree.SubElement(
+ tcase4, 'failure', message=item, type='violation')
+ tree = etree.ElementTree(root)
+ output = self.problems_report_name + "_" + ISA_filesystem.img_name + '.xml'
+ try:
+ tree.write(output, encoding='UTF-8',
+ pretty_print=True, xml_declaration=True)
+ except TypeError:
+ tree.write(output, encoding='UTF-8', xml_declaration=True)
+
+ def find_fsobjects(self, init_path):
+ list_of_files = []
+ for (dirpath, dirnames, filenames) in os.walk(init_path):
+ if (dirpath != init_path):
+ list_of_files.append(str(dirpath)[:])
+ for f in filenames:
+ list_of_files.append(str(dirpath + "/" + f)[:])
+ return list_of_files
+
+# ======== supported callbacks from ISA ============= #
+
+
+def init(ISA_config):
+ global FSAnalyzer
+ FSAnalyzer = ISA_FSChecker(ISA_config)
+
+
+def getPluginName():
+ return "ISA_FSChecker"
+
+
+def process_filesystem(ISA_filesystem):
+ global FSAnalyzer
+ return FSAnalyzer.process_filesystem(ISA_filesystem)
+
+# ==================================================== #
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py
new file mode 100644
index 0000000..ba09819
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py
@@ -0,0 +1,323 @@
+#
+# ISA_kca_plugin.py - Kernel config options analyzer plugin, part of ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+try:
+ from lxml import etree
+except ImportError:
+ try:
+ import xml.etree.cElementTree as etree
+ except ImportError:
+ import xml.etree.ElementTree as etree
+import importlib
+
+KCAnalyzer = None
+
+
+class ISA_KernelChecker():
+ initialized = False
+
+ def __init__(self, ISA_config):
+ self.logfile = ISA_config.logdir + "/isafw_kcalog"
+ self.full_report_name = ISA_config.reportdir + "/kca_full_report_" + \
+ ISA_config.machine + "_" + ISA_config.timestamp
+ self.problems_report_name = ISA_config.reportdir + \
+ "/kca_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
+ self.full_reports = ISA_config.full_reports
+ self.initialized = True
+ self.arch = ISA_config.arch
+ with open(self.logfile, 'w') as flog:
+ flog.write("\nPlugin ISA_KernelChecker initialized!\n")
+
+ def append_recommendation(self, report, key, value):
+ report.write("Recommended value:\n")
+ report.write(key + ' : ' + str(value) + '\n')
+ comment = self.comments.get(key, '')
+ if comment != '':
+ report.write("Comment:\n")
+ report.write(comment + '\n')
+
+ def process_kernel(self, ISA_kernel):
+ if (self.initialized):
+ if (ISA_kernel.img_name and ISA_kernel.path_to_config):
+ # Merging common and arch configs
+ common_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format('common'))
+ arch_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format(self.arch))
+
+ for c in ["hardening_kco", "keys_kco", "security_kco", "integrity_kco",
+ "hardening_kco_ref", "keys_kco_ref", "security_kco_ref", "integrity_kco_ref",
+ "comments"]:
+ setattr(self, c, merge_config(getattr(arch_config_module, c), getattr(common_config_module, c)))
+ with open(self.logfile, 'a') as flog:
+ flog.write("Analyzing kernel config file at: " + ISA_kernel.path_to_config +
+ " for the image: " + ISA_kernel.img_name + "\n")
+ with open(ISA_kernel.path_to_config, 'r') as fkernel_conf:
+ for line in fkernel_conf:
+ line = line.strip('\n')
+ for key in self.hardening_kco:
+ if key + '=' in line:
+ self.hardening_kco[key] = line.split('=')[1]
+ for key in self.keys_kco:
+ if key + '=' in line:
+ self.keys_kco[key] = line.split('=')[1]
+ for key in self.security_kco:
+ if key + '=' in line:
+ self.security_kco[key] = line.split('=')[1]
+ for key in self.integrity_kco:
+ if key + '=' in line:
+ self.integrity_kco[key] = line.split('=')[1]
+ with open(self.logfile, 'a') as flog:
+ flog.write("\n\nhardening_kco values: " +
+ str(self.hardening_kco))
+ flog.write("\n\nkeys_kco values: " + str(self.keys_kco))
+ flog.write("\n\nsecurity_kco values: " +
+ str(self.security_kco))
+ flog.write("\n\nintegrity_kco values: " +
+ str(self.integrity_kco))
+ self.write_full_report(ISA_kernel)
+ self.write_problems_report(ISA_kernel)
+
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Mandatory arguments such as image name and path to config are not provided!\n")
+ flog.write("Not performing the call.\n")
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Plugin hasn't initialized! Not performing the call!\n")
+
+ def write_full_report(self, ISA_kernel):
+ if self.full_reports:
+ with open(self.full_report_name + "_" + ISA_kernel.img_name, 'w') as freport:
+ freport.write("Report for image: " +
+ ISA_kernel.img_name + '\n')
+ freport.write("With the kernel conf at: " +
+ ISA_kernel.path_to_config + '\n\n')
+ freport.write("Hardening options:\n")
+ for key in sorted(self.hardening_kco):
+ freport.write(
+ key + ' : ' + str(self.hardening_kco[key]) + '\n')
+ freport.write("\nKey-related options:\n")
+ for key in sorted(self.keys_kco):
+ freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n')
+ freport.write("\nSecurity options:\n")
+ for key in sorted(self.security_kco):
+ freport.write(
+ key + ' : ' + str(self.security_kco[key]) + '\n')
+ freport.write("\nIntegrity options:\n")
+ for key in sorted(self.integrity_kco):
+ freport.write(
+ key + ' : ' + str(self.integrity_kco[key]) + '\n')
+
+ def write_problems_report(self, ISA_kernel):
+ self.write_text_problems_report(ISA_kernel)
+ self.write_xml_problems_report(ISA_kernel)
+
+ def write_text_problems_report(self, ISA_kernel):
+ with open(self.problems_report_name + "_" + ISA_kernel.img_name, 'w') as freport:
+ freport.write("Report for image: " + ISA_kernel.img_name + '\n')
+ freport.write("With the kernel conf at: " +
+ ISA_kernel.path_to_config + '\n\n')
+ freport.write("Hardening options that need improvement:\n")
+ for key in sorted(self.hardening_kco):
+ if (self.hardening_kco[key] != self.hardening_kco_ref[key]):
+ valid = False
+ if (key == "CONFIG_CMDLINE"):
+ if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0):
+ valid = True
+ if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"):
+ if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'):
+ valid = True
+ if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"):
+ options = self.hardening_kco_ref[key].split(',')
+ for option in options:
+ if (option == self.hardening_kco[key]):
+ valid = True
+ break
+ if not valid:
+ freport.write("\nActual value:\n")
+ freport.write(
+ key + ' : ' + str(self.hardening_kco[key]) + '\n')
+ self.append_recommendation(freport, key, self.hardening_kco_ref[key])
+ freport.write("\nKey-related options that need improvement:\n")
+ for key in sorted(self.keys_kco):
+ if (self.keys_kco[key] != self.keys_kco_ref[key]):
+ freport.write("\nActual value:\n")
+ freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n')
+ self.append_recommendation(freport, key, self.keys_kco_ref[key])
+ freport.write("\nSecurity options that need improvement:\n")
+ for key in sorted(self.security_kco):
+ if (self.security_kco[key] != self.security_kco_ref[key]):
+ valid = False
+ if (key == "CONFIG_DEFAULT_SECURITY"):
+ options = self.security_kco_ref[key].split(',')
+ for option in options:
+ if (option == self.security_kco[key]):
+ valid = True
+ break
+ if ((key == "CONFIG_SECURITY_SELINUX") or
+ (key == "CONFIG_SECURITY_SMACK") or
+ (key == "CONFIG_SECURITY_APPARMOR") or
+ (key == "CONFIG_SECURITY_TOMOYO")):
+ if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')):
+ valid = True
+ if not valid:
+ freport.write("\nActual value:\n")
+ freport.write(
+ key + ' : ' + str(self.security_kco[key]) + '\n')
+ self.append_recommendation(freport, key, self.security_kco_ref[key])
+ freport.write("\nIntegrity options that need improvement:\n")
+ for key in sorted(self.integrity_kco):
+ if (self.integrity_kco[key] != self.integrity_kco_ref[key]):
+ valid = False
+ if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_WP512")):
+ if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or
+ (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')):
+ valid = True
+ if not valid:
+ freport.write("\nActual value:\n")
+ freport.write(
+ key + ' : ' + str(self.integrity_kco[key]) + '\n')
+ self.append_recommendation(freport, key, self.integrity_kco_ref[key])
+
+ def write_xml_problems_report(self, ISA_kernel):
+ # write_problems_report_xml
+ num_tests = len(self.hardening_kco) + len(self.keys_kco) + \
+ len(self.security_kco) + len(self.integrity_kco)
+ root = etree.Element(
+ 'testsuite', name='KCA_Plugin', tests=str(num_tests))
+ for key in sorted(self.hardening_kco):
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname='Hardening options', name=key)
+ if (self.hardening_kco[key] != self.hardening_kco_ref[key]):
+ valid = False
+ if (key == "CONFIG_CMDLINE"):
+ if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0):
+ valid = True
+ if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"):
+ if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'):
+ valid = True
+ if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"):
+ options = self.hardening_kco_ref[key].split(',')
+ for option in options:
+ if (option == self.hardening_kco[key]):
+ valid = True
+ break
+ if not valid:
+ msg1 = 'current=' + key + ' is ' + \
+ str(self.hardening_kco[
+ key]) + ', recommended=' + key + ' is ' + str(self.hardening_kco_ref[key])
+ etree.SubElement(
+ tcase1, 'failure', message=msg1, type='violation')
+ for key in sorted(self.keys_kco):
+ tcase2 = etree.SubElement(
+ root, 'testcase', classname='Key-related options', name=key)
+ if (self.keys_kco[key] != self.keys_kco_ref[key]):
+ msg2 = 'current=' + key + ' is ' + \
+ str(self.keys_kco[key] + ', recommended=' +
+ key + ' is ' + str(self.keys_kco_ref[key]))
+ etree.SubElement(
+ tcase2, 'failure', message=msg2, type='violation')
+ for key in sorted(self.security_kco):
+ tcase3 = etree.SubElement(
+ root, 'testcase', classname='Security options', name=key)
+ if (self.security_kco[key] != self.security_kco_ref[key]):
+ valid = False
+ if (key == "CONFIG_DEFAULT_SECURITY"):
+ options = self.security_kco_ref[key].split(',')
+ for option in options:
+ if (option == self.security_kco[key]):
+ valid = True
+ break
+ if ((key == "CONFIG_SECURITY_SELINUX") or
+ (key == "CONFIG_SECURITY_SMACK") or
+ (key == "CONFIG_SECURITY_APPARMOR") or
+ (key == "CONFIG_SECURITY_TOMOYO")):
+ if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or
+ (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')):
+ valid = True
+ if not valid:
+ msg3 = 'current=' + key + ' is ' + \
+ str(self.security_kco[key]) + ', recommended=' + \
+ key + ' is ' + str(self.security_kco_ref[key])
+ etree.SubElement(
+ tcase3, 'failure', message=msg3, type='violation')
+ for key in sorted(self.integrity_kco):
+ tcase4 = etree.SubElement(
+ root, 'testcase', classname='Integrity options', name=key)
+ if (self.integrity_kco[key] != self.integrity_kco_ref[key]):
+ valid = False
+ if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or
+ (key == "CONFIG_IMA_DEFAULT_HASH_WP512")):
+ if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or
+ (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')):
+ valid = True
+ if not valid:
+ msg4 = 'current=' + key + ' is ' + \
+ str(self.integrity_kco[
+ key]) + ', recommended=' + key + ' is ' + str(self.integrity_kco_ref[key])
+ etree.SubElement(
+ tcase4, 'failure', message=msg4, type='violation')
+ tree = etree.ElementTree(root)
+ output = self.problems_report_name + "_" + ISA_kernel.img_name + '.xml'
+ try:
+ tree.write(output, encoding='UTF-8',
+ pretty_print=True, xml_declaration=True)
+ except TypeError:
+ tree.write(output, encoding='UTF-8', xml_declaration=True)
+
+
+def merge_config(arch_kco, common_kco):
+ merged = arch_kco.copy()
+ merged.update(common_kco)
+ return merged
+
+# ======== supported callbacks from ISA ============= #
+def init(ISA_config):
+ global KCAnalyzer
+ KCAnalyzer = ISA_KernelChecker(ISA_config)
+
+
+def getPluginName():
+ return "ISA_KernelChecker"
+
+
+def process_kernel(ISA_kernel):
+ global KCAnalyzer
+ return KCAnalyzer.process_kernel(ISA_kernel)
+# ==================================================== #
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
new file mode 100644
index 0000000..20e7e26
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
@@ -0,0 +1,273 @@
+#
+# ISA_la_plugin.py - License analyzer plugin, part of ISA FW
+# Functionality is based on similar scripts from Clear linux project
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+import subprocess
+import os, sys
+
+LicenseChecker = None
+
+flicenses = "/configs/la/licenses"
+fapproved_non_osi = "/configs/la/approved-non-osi"
+fexceptions = "/configs/la/exceptions"
+funwanted = "/configs/la/violations"
+
+
+class ISA_LicenseChecker():
+ initialized = False
+ rpm_present = False
+
+ def __init__(self, ISA_config):
+ self.logfile = ISA_config.logdir + "/isafw_lalog"
+ self.unwanted = []
+ self.report_name = ISA_config.reportdir + "/la_problems_report_" + \
+ ISA_config.machine + "_" + ISA_config.timestamp
+ self.image_pkg_list = ISA_config.reportdir + "/pkglist"
+ self.image_pkgs = []
+ self.la_plugin_image_whitelist = ISA_config.la_plugin_image_whitelist
+ self.la_plugin_image_blacklist = ISA_config.la_plugin_image_blacklist
+ self.initialized = True
+ with open(self.logfile, 'a') as flog:
+ flog.write("\nPlugin ISA_LA initialized!\n")
+ # check that rpm is installed (supporting only rpm packages for now)
+ DEVNULL = open(os.devnull, 'wb')
+ rc = subprocess.call(["which", "rpm"], stdout=DEVNULL, stderr=DEVNULL)
+ DEVNULL.close()
+ if rc == 0:
+ self.rpm_present = True
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write("rpm tool is missing! Licence info is expected from build system\n")
+
+ def process_package(self, ISA_pkg):
+ if (self.initialized):
+ if ISA_pkg.name:
+ if (not ISA_pkg.licenses):
+ # need to determine licenses first
+ # for this we need rpm tool to be present
+ if (not self.rpm_present):
+ with open(self.logfile, 'a') as flog:
+ flog.write("rpm tool is missing and licence info is not provided. Cannot proceed.\n")
+ return;
+ if (not ISA_pkg.source_files):
+ if (not ISA_pkg.path_to_sources):
+ self.initialized = False
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "No path to sources or source file list is provided!")
+ flog.write(
+ "\nNot able to determine licenses for package: " + ISA_pkg.name)
+ return
+ # need to build list of source files
+ ISA_pkg.source_files = self.find_files(
+ ISA_pkg.path_to_sources)
+ for i in ISA_pkg.source_files:
+ if (i.endswith(".spec")):# supporting rpm only for now
+ args = ("rpm", "-q", "--queryformat",
+ "%{LICENSE} ", "--specfile", i)
+ try:
+ popen = subprocess.Popen(
+ args, stdout=subprocess.PIPE)
+ popen.wait()
+ ISA_pkg.licenses = popen.stdout.read().split()
+ except:
+ self.initialized = False
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Error in executing rpm query: " + str(sys.exc_info()))
+ flog.write(
+ "\nNot able to process package: " + ISA_pkg.name)
+ return
+ for l in ISA_pkg.licenses:
+ if (not self.check_license(l, flicenses) and
+ not self.check_license(l, fapproved_non_osi) and
+ not self.check_exceptions(ISA_pkg.name, l, fexceptions)):
+ # log the package as not following correct license
+ with open(self.report_name, 'a') as freport:
+ freport.write(l + "\n")
+ if (self.check_license(l, funwanted)):
+ # log the package as having license that should not be
+ # used
+ with open(self.report_name + "_unwanted", 'a') as freport:
+ freport.write(l + "\n")
+ else:
+ self.initialized = False
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Mandatory argument package name is not provided!\n")
+ flog.write("Not performing the call.\n")
+ else:
+ with open(self.logfile, 'a') as flog:
+ flog.write(
+ "Plugin hasn't initialized! Not performing the call.")
+
+ def process_report(self):
+ if (self.initialized):
+ with open(self.logfile, 'a') as flog:
+ flog.write("Creating report with violating licenses.\n")
+ self.process_pkg_list()
+ self.write_report_unwanted()
+ with open(self.logfile, 'a') as flog:
+ flog.write("Creating report in XML format.\n")
+ self.write_report_xml()
+
+ def process_pkg_list(self):
+ if os.path.isfile (self.image_pkg_list):
+ img_name = ""
+ with open(self.image_pkg_list, 'r') as finput:
+ for line in finput:
+ line = line.strip()
+ if not line:
+ continue
+ if line.startswith("Packages "):
+ img_name = line.split()[3]
+ with open(self.logfile, 'a') as flog:
+ flog.write("img_name: " + img_name + "\n")
+ continue
+ package_info = line.split()
+ pkg_name = package_info[0]
+ orig_pkg_name = package_info[2]
+ if (not self.image_pkgs) or ((pkg_name + " from " + img_name) not in self.image_pkgs):
+ self.image_pkgs.append(pkg_name + " from " + img_name + " " + orig_pkg_name)
+
+ def write_report_xml(self):
+ try:
+ from lxml import etree
+ except ImportError:
+ try:
+ import xml.etree.cElementTree as etree
+ except ImportError:
+ import xml.etree.ElementTree as etree
+ num_tests = 0
+ root = etree.Element('testsuite', name='LA_Plugin', tests='2')
+ if os.path.isfile(self.report_name):
+ with open(self.report_name, 'r') as f:
+ class_name = "Non-approved-licenses"
+ for line in f:
+ line = line.strip()
+ if line == "":
+ continue
+ if line.startswith("Packages that "):
+ class_name = "Violating-licenses"
+ continue
+ num_tests += 1
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname=class_name, name=line.split(':', 1)[0])
+ etree.SubElement(
+ tcase1, 'failure', message=line, type='violation')
+ else:
+ tcase1 = etree.SubElement(
+ root, 'testcase', classname='ISA_LAChecker', name='none')
+ num_tests = 1
+ root.set('tests', str(num_tests))
+ tree = etree.ElementTree(root)
+ output = self.report_name + '.xml'
+ try:
+ tree.write(output, encoding='UTF-8',
+ pretty_print=True, xml_declaration=True)
+ except TypeError:
+ tree.write(output, encoding='UTF-8', xml_declaration=True)
+
+ def write_report_unwanted(self):
+ if os.path.isfile(self.report_name + "_unwanted"):
+ with open(self.logfile, 'a') as flog:
+ flog.write("image_pkgs: " + str(self.image_pkgs) + "\n")
+ flog.write("self.la_plugin_image_whitelist: " + str(self.la_plugin_image_whitelist) + "\n")
+ flog.write("self.la_plugin_image_blacklist: " + str(self.la_plugin_image_blacklist) + "\n")
+ with open(self.report_name, 'a') as fout:
+ with open(self.report_name + "_unwanted", 'r') as f:
+ fout.write(
+ "\n\nPackages that violate mandatory license requirements:\n")
+ for line in f:
+ line = line.strip()
+ pkg_name = line.split(':',1)[0]
+ if (not self.image_pkgs):
+ fout.write(line + " from image name not available \n")
+ continue
+ for pkg_info in self.image_pkgs:
+ image_pkg_name = pkg_info.split()[0]
+ image_name = pkg_info.split()[2]
+ image_orig_pkg_name = pkg_info.split()[3]
+ if ((image_pkg_name == pkg_name) or (image_orig_pkg_name == pkg_name)):
+ if self.la_plugin_image_whitelist and (image_name not in self.la_plugin_image_whitelist):
+ continue
+ if self.la_plugin_image_blacklist and (image_name in self.la_plugin_image_blacklist):
+ continue
+ fout.write(line + " from image " + image_name)
+ if (image_pkg_name != image_orig_pkg_name):
+ fout.write(" binary_pkg_name " + image_pkg_name + "\n")
+ continue
+ fout.write("\n")
+ os.remove(self.report_name + "_unwanted")
+
+ def find_files(self, init_path):
+ list_of_files = []
+ for (dirpath, dirnames, filenames) in os.walk(init_path):
+ for f in filenames:
+ list_of_files.append(str(dirpath + "/" + f)[:])
+ return list_of_files
+
+ def check_license(self, license, file_path):
+ with open(os.path.dirname(__file__) + file_path, 'r') as f:
+ for line in f:
+ s = line.rstrip()
+ curr_license = license.split(':',1)[1]
+ if s == curr_license:
+ return True
+ return False
+
+ def check_exceptions(self, pkg_name, license, file_path):
+ with open(os.path.dirname(__file__) + file_path, 'r') as f:
+ for line in f:
+ s = line.rstrip()
+ curr_license = license.split(':',1)[1]
+ if s == pkg_name + " " + curr_license:
+ return True
+ return False
+
+# ======== supported callbacks from ISA ============= #
+
+def init(ISA_config):
+ global LicenseChecker
+ LicenseChecker = ISA_LicenseChecker(ISA_config)
+
+
+def getPluginName():
+ return "ISA_LicenseChecker"
+
+
+def process_package(ISA_pkg):
+ global LicenseChecker
+ return LicenseChecker.process_package(ISA_pkg)
+
+
+def process_report():
+ global LicenseChecker
+ return LicenseChecker.process_report()
+
+# ==================================================== #
diff --git a/meta-security-isafw/lib/isafw/isaplugins/__init__.py b/meta-security-isafw/lib/isafw/isaplugins/__init__.py
new file mode 100644
index 0000000..ad1997d
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/__init__.py
@@ -0,0 +1,42 @@
+#
+# __init__.py - part of ISA FW
+#
+# Copyright (c) 2015 - 2016, Intel Corporation
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# * Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+import glob
+import keyword
+import os
+import sys
+
+basedir = os.path.dirname(__file__)
+
+__all__ = []
+for name in glob.glob(os.path.join(basedir, '*.py')):
+ module = os.path.splitext(os.path.split(name)[-1])[0]
+ if not module.startswith('_') and not keyword.iskeyword(module):
+ __import__(__name__ + '.' + module)
+ __all__.append(module)
+__all__.sort()
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py b/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py
new file mode 100644
index 0000000..d47ba9f
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py
@@ -0,0 +1,24 @@
+############################################################################################
+# Kernel Hardening Configurations
+############################################################################################
+hardening_kco = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'not set',}
+hardening_kco_ref = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': '32768',}
+############################################################################################
+# Keys Kernel Configuration
+############################################################################################
+keys_kco = {}
+keys_kco_ref = {}
+############################################################################################
+# Security Kernel Configuration
+############################################################################################
+security_kco = {'CONFIG_LSM_MMAP_MIN_ADDR': 'not set',}
+security_kco_ref = {'CONFIG_LSM_MMAP_MIN_ADDR': '32768',}
+############################################################################################
+# Integrity Kernel Configuration
+############################################################################################
+integrity_kco = {}
+integrity_kco_ref = {}
+############################################################################################
+# Comments
+############################################################################################
+comments = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.'}
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py
new file mode 100644
index 0000000..faa388c
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py
@@ -0,0 +1,242 @@
+############################################################################################
+# Kernel Hardening Configurations
+############################################################################################
+hardening_kco = {'CONFIG_SERIAL_8250_CONSOLE': 'not set',
+ 'CONFIG_SERIAL_CORE': 'not set',
+ 'CONFIG_SERIAL_CORE_CONSOLE': 'not set',
+ 'CONFIG_CMDLINE_BOOL': 'not set',
+ 'CONFIG_CMDLINE': 'not set',
+ 'CONFIG_CMDLINE_OVERRIDE': 'not set',
+ 'CONFIG_DEBUG_INFO': 'not set',
+ 'CONFIG_KGDB': 'not set',
+ 'CONFIG_KPROBES': 'not set',
+ 'CONFIG_FTRACE': 'not set',
+ 'CONFIG_OPROFILE': 'not set',
+ 'CONFIG_PROFILING': 'not set',
+ 'CONFIG_MAGIC_SYSRQ': 'not set',
+ 'CONFIG_DEBUG_BUGVERBOSE': 'not set',
+ 'CONFIG_IP_PNP': 'not set',
+ 'CONFIG_IKCONFIG': 'not set',
+ 'CONFIG_SWAP': 'not set',
+ 'CONFIG_NAMESPACES': 'not set',
+ 'CONFIG_NFSD': 'not set',
+ 'CONFIG_NFS_FS': 'not set',
+ 'CONFIG_BINFMT_MISC': 'not set',
+ 'CONFIG_KALLSYMS': 'not set',
+ 'CONFIG_KALLSYMS_ALL': 'not set',
+ 'CONFIG_BUG': 'not set',
+ 'CONFIG_SYSCTL_SYSCALL': 'not set',
+ 'CONFIG_MODULE_UNLOAD': 'not set',
+ 'CONFIG_MODULE_FORCE_LOAD': 'not set',
+ 'CONFIG_DEVMEM': 'not set',
+ 'CONFIG_COREDUMP': 'not set',
+ 'CONFIG_CROSS_MEMORY_ATTACH': 'not set',
+ 'CONFIG_UNIX_DIAG': 'not set',
+ 'CONFIG_CHECKPOINT_RESTORE': 'not set',
+ 'CONFIG_PANIC_ON_OOPS': 'not set',
+ 'CONFIG_PACKET_DIAG': 'not set',
+ 'CONFIG_FW_LOADER_USER_HELPER': 'not set',
+ 'CONFIG_BPF_JIT': 'not set',
+ 'CONFIG_USELIB': 'not set',
+ 'CONFIG_CC_STACKPROTECTOR': 'not set',
+ 'CONFIG_KEXEC': 'not set',
+ 'CONFIG_PROC_KCORE': 'not set',
+ 'CONFIG_SECURITY_DMESG_RESTRICT': 'not set',
+ 'CONFIG_DEBUG_STACKOVERFLOW': 'not set',
+ 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'not set',
+ 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'not set',
+ 'CONFIG_IKCONFIG_PROC': 'not set',
+ 'CONFIG_RANDOMIZE_BASE': 'not set',
+ 'CONFIG_DEBUG_RODATA': 'not set',
+ 'CONFIG_STRICT_DEVMEM': 'not set',
+ 'CONFIG_DEVKMEM': 'not set',
+ 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'not set',
+ 'CONFIG_DEBUG_KERNEL': 'not set',
+ 'CONFIG_DEBUG_FS': 'not set',
+ 'CONFIG_MODULE_SIG_FORCE': 'not set',
+ }
+hardening_kco_ref = {'CONFIG_SERIAL_8250_CONSOLE': 'not set',
+ 'CONFIG_SERIAL_CORE': 'not set',
+ 'CONFIG_SERIAL_CORE_CONSOLE': 'not set',
+ 'CONFIG_CMDLINE_BOOL': 'y',
+ 'CONFIG_CMDLINE': '"cmd_line"',
+ 'CONFIG_CMDLINE_OVERRIDE': 'y',
+ 'CONFIG_DEBUG_INFO': 'not set',
+ 'CONFIG_KGDB': 'not set',
+ 'CONFIG_KPROBES': 'not set',
+ 'CONFIG_FTRACE': 'not set',
+ 'CONFIG_OPROFILE': 'not set',
+ 'CONFIG_PROFILING': 'not set',
+ 'CONFIG_MAGIC_SYSRQ': 'not set',
+ 'CONFIG_DEBUG_BUGVERBOSE': 'not set',
+ 'CONFIG_IP_PNP': 'not set',
+ 'CONFIG_IKCONFIG': 'not set',
+ 'CONFIG_SWAP': 'not set',
+ 'CONFIG_NAMESPACES': 'not set',
+ 'CONFIG_NFSD': 'not set',
+ 'CONFIG_NFS_FS': 'not set',
+ 'CONFIG_BINFMT_MISC': 'not set',
+ 'CONFIG_KALLSYMS': 'not set',
+ 'CONFIG_KALLSYMS_ALL': 'not set',
+ 'CONFIG_BUG': 'not set',
+ 'CONFIG_SYSCTL_SYSCALL': 'not set',
+ 'CONFIG_MODULE_UNLOAD': 'not set',
+ 'CONFIG_MODULE_FORCE_LOAD': 'not set',
+ 'CONFIG_DEVMEM': 'not set',
+ 'CONFIG_COREDUMP': 'not set',
+ 'CONFIG_CROSS_MEMORY_ATTACH': 'not set',
+ 'CONFIG_UNIX_DIAG': 'not set',
+ 'CONFIG_CHECKPOINT_RESTORE': 'not set',
+ 'CONFIG_PANIC_ON_OOPS': 'y',
+ 'CONFIG_PACKET_DIAG': 'not set',
+ 'CONFIG_FW_LOADER_USER_HELPER': 'not set',
+ 'CONFIG_BPF_JIT': 'not set',
+ 'CONFIG_USELIB': 'not set',
+ 'CONFIG_CC_STACKPROTECTOR': 'y',
+ 'CONFIG_KEXEC': 'not set',
+ 'CONFIG_PROC_KCORE': 'not set',
+ 'CONFIG_SECURITY_DMESG_RESTRICT': 'y',
+ 'CONFIG_DEBUG_STACKOVERFLOW': 'y',
+ 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'y',
+ 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'y',
+ 'CONFIG_IKCONFIG_PROC': 'not set',
+ 'CONFIG_RANDOMIZE_BASE': 'y',
+ 'CONFIG_DEBUG_RODATA': 'y',
+ 'CONFIG_STRICT_DEVMEM': 'y',
+ 'CONFIG_DEVKMEM': 'not set',
+ 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'y',
+ 'CONFIG_DEBUG_KERNEL': 'not set',
+ 'CONFIG_DEBUG_FS': 'not set',
+ 'CONFIG_MODULE_SIG_FORCE': 'y',
+ }
+############################################################################################
+# Keys Kernel Configuration
+############################################################################################
+keys_kco = {'CONFIG_KEYS': 'not set',
+ 'CONFIG_TRUSTED_KEYS': 'not set',
+ 'CONFIG_ENCRYPTED_KEYS': 'not set',
+ 'CONFIG_KEYS_DEBUG_PROC_KEYS': 'not set'
+ }
+keys_kco_ref = {'CONFIG_KEYS': 'y',
+ 'CONFIG_TRUSTED_KEYS': 'y',
+ 'CONFIG_ENCRYPTED_KEYS': 'y',
+ 'CONFIG_KEYS_DEBUG_PROC_KEYS': 'not set'
+ }
+############################################################################################
+# Security Kernel Configuration
+############################################################################################
+security_kco = {'CONFIG_SECURITY': 'not set',
+ 'CONFIG_SECURITYFS': 'not set',
+ 'CONFIG_SECURITY_NETWORKING': 'not set',
+ 'CONFIG_DEFAULT_SECURITY': 'not set',
+ 'CONFIG_SECURITY_SELINUX': 'not set',
+ 'CONFIG_SECURITY_SMACK': 'not set',
+ 'CONFIG_SECURITY_TOMOYO': 'not set',
+ 'CONFIG_SECURITY_APPARMOR': 'not set',
+ 'CONFIG_SECURITY_YAMA': 'not set',
+ 'CONFIG_SECURITY_YAMA_STACKED': 'not set'
+ }
+security_kco_ref = {'CONFIG_SECURITY': 'y',
+ 'CONFIG_SECURITYFS': 'y',
+ 'CONFIG_SECURITY_NETWORKING': 'y',
+ 'CONFIG_DEFAULT_SECURITY': '"selinux","smack","apparmor","tomoyo"',
+ 'CONFIG_SECURITY_SELINUX': 'y',
+ 'CONFIG_SECURITY_SMACK': 'y',
+ 'CONFIG_SECURITY_TOMOYO': 'y',
+ 'CONFIG_SECURITY_APPARMOR': 'y',
+ 'CONFIG_SECURITY_YAMA': 'y',
+ 'CONFIG_SECURITY_YAMA_STACKED': 'y'
+ }
+############################################################################################
+# Integrity Kernel Configuration
+############################################################################################
+integrity_kco = {'CONFIG_INTEGRITY': 'not set',
+ 'CONFIG_INTEGRITY_SIGNATURE': 'not set',
+ 'CONFIG_INTEGRITY_AUDIT': 'not set',
+ 'CONFIG_IMA': 'not set',
+ 'CONFIG_IMA_LSM_RULES': 'not set',
+ 'CONFIG_IMA_APPRAISE': 'not set',
+ 'CONFIG_IMA_TRUSTED_KEYRING': 'not set',
+ 'CONFIG_IMA_APPRAISE_SIGNED_INIT': 'not set',
+ 'CONFIG_EVM': 'not set',
+ 'CONFIG_EVM_ATTR_FSUUID': 'not set',
+ 'CONFIG_EVM_EXTRA_SMACK_XATTRS': 'not set',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA1': 'not set',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA256': 'not set',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA512': 'not set',
+ 'CONFIG_IMA_DEFAULT_HASH_WP512': 'not set'
+ }
+integrity_kco_ref = {'CONFIG_INTEGRITY': 'y',
+ 'CONFIG_INTEGRITY_SIGNATURE': 'y',
+ 'CONFIG_INTEGRITY_AUDIT': 'y',
+ 'CONFIG_IMA': 'y',
+ 'CONFIG_IMA_LSM_RULES': 'y',
+ 'CONFIG_IMA_APPRAISE': 'y',
+ 'CONFIG_IMA_TRUSTED_KEYRING': 'y',
+ 'CONFIG_IMA_APPRAISE_SIGNED_INIT': 'y',
+ 'CONFIG_EVM': 'y',
+ 'CONFIG_EVM_ATTR_FSUUID': 'y',
+ 'CONFIG_EVM_EXTRA_SMACK_XATTRS': 'y',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA1': 'not set',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA256': 'y',
+ 'CONFIG_IMA_DEFAULT_HASH_SHA512': 'y',
+ 'CONFIG_IMA_DEFAULT_HASH_WP512': 'not set'
+ }
+############################################################################################
+# Comments
+############################################################################################
+comments = { # Kernel Hardening Configurations
+ 'CONFIG_SERIAL_8250_CONSOLE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
+ 'CONFIG_SERIAL_CORE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
+ 'CONFIG_SERIAL_CORE_CONSOLE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
+ 'CONFIG_CMDLINE_BOOL': 'Enables the kernel command line to be hardcoded directly into the kernel. Hardcoding the command line allows tighter control over kernel command line options.',
+ 'CONFIG_CMDLINE': 'Defines the kernel command line to be hardcoded into the kernel. Hardcoding the command line allows tighter control over kernel command line options.',
+ 'CONFIG_CMDLINE_OVERRIDE': 'Enables the kernel to ignore the boot loader command line and to use only the hardcoded command line. Hardcoding the command line allows tighter control over kernel command line options.',
+ 'CONFIG_DEBUG_INFO': 'Enables debug symbols in the kernel. Providing debug symbols would assist an attacker in discovering attack vectors.',
+ 'CONFIG_KGDB': 'Enables KGDB over USB and console ports. Providing KGDB would assist an attacker in discovering attack vectors.',
+ 'CONFIG_KPROBES': 'Enables Kernel Dynamic Probes. Providing kprobes allows the attacker to collect debug and performance information.',
+ 'CONFIG_FTRACE': 'Enables the kernel to trace every function. Providing kernel trace functionality would assist an attacker in discovering attack vectors.',
+ 'CONFIG_OPROFILE': 'Enables a profiling system capable of profiling kernel and kernel modules. Providing profiling functionality would assist an attacker in discovering attack vectors.',
+ 'CONFIG_PROFILING': 'Enables a profiling system capable of profiling kernel and kernel modules. Providing profiling functionality would assist an attacker in discovering attack vectors.',
+ 'CONFIG_MAGIC_SYSRQ': 'Enables a console device to interpret special characters as SysRQ system commands. SysRQ commands are an immediate attack vector as they provide the ability to dump information or reboot the device.',
+ 'CONFIG_DEBUG_BUGVERBOSE': 'Enables verbose logging for BUG() panics. Verbose logging would assist an attacker in discovering attack vectors.',
+ 'CONFIG_IP_PNP': 'Enables automatic configuration of IP addresses of devices and of the routing table during kernel boot. Providing networking functionality before the system has come up would assist an attacker in discovering attack vectors.',
+ 'CONFIG_IKCONFIG': 'Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.',
+ 'CONFIG_SWAP': 'Enables swap files for kernel. The ability to read kernel memory pages in swap files would assist an attacker in discovering attack vectors.',
+ 'CONFIG_NAMESPACES': 'Enabling this can result in duplicates of dev nodes, pids and mount points, which can be useful to attackers trying to spoof running environments on devices.',
+ 'CONFIG_NFSD': 'Enables remote access to files residing on this system using Sun\'s Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.',
+ 'CONFIG_NFS_FS': 'Enables remote access to files residing on this system using Sun\'s Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.',
+ 'CONFIG_BINFMT_MISC': 'Enables support for binary formats other than ELF. Providing the ability to use alternate interpreters would assist an attacker in discovering attack vectors.',
+ 'CONFIG_KALLSYMS': 'Enables printing of symbolic crash information and symbolic stack backtraces. Verbose logging would assist an attacker in discovering attack vectors.',
+ 'CONFIG_KALLSYMS_ALL': 'Enables printing of symbolic crash information and symbolic stack backtraces. Verbose logging would assist an attacker in discovering attack vectors.',
+ 'CONFIG_BUG': 'Enables display of backtrace and register information for BUGs and WARNs in kernel space. Verbose logging would assist an attacker in discovering attack vectors.',
+ 'CONFIG_SYSCTL_SYSCALL': 'Enables sysctl to read and write kernel parameters. Use of deprecated and unmaintained features is not recommended.',
+ 'CONFIG_MODULE_UNLOAD': 'Enables the ability to unload a kernel module. Allowing module unloading enables the attacker to disable security modules.',
+ 'CONFIG_MODULE_FORCE_LOAD': 'Enables forced loading of modules without version information. Providing an attacker with the ability to force load a module assists in discovering attack vectors.',
+ 'CONFIG_DEVMEM': 'Enables mem device, which provides access to physical memory. Providing a view into physical memory would assist an attacker in discovering attack vectors.',
+ 'CONFIG_COREDUMP': 'Enables support for performing core dumps. Providing core dumps would assist an attacker in discovering attack vectors.',
+ 'CONFIG_CROSS_MEMORY_ATTACH': 'Enables cross-process virtual memory access. Providing virtual memory access to and from a hostile process would assist an attacker in discovering attack vectors.',
+ 'CONFIG_UNIX_DIAG': 'Enables support for socket monitoring interface. Allows the attacker to inspect shared file descriptors on Unix Domain sockets or traffic on \'localhost\'.',
+ 'CONFIG_CHECKPOINT_RESTORE': 'Enables the checkpoint/restore service which can freeze and migrate processes. Providing a method for manipulating process state would assist an attacker in discovering attack vectors.',
+ 'CONFIG_PANIC_ON_OOPS': 'Enables conversion of kernel OOPs to PANIC. When fuzzing the kernel or attempting kernel exploits, attackers are likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their progress.',
+ 'CONFIG_PACKET_DIAG': 'Enables support for socket monitoring interface. Allows the attacker to inspect shared file descriptors on Unix Domain sockets or traffic on \'localhost\'.',
+ 'CONFIG_FW_LOADER_USER_HELPER': 'Enables the invocation of user-helper (e.g. udev) for loading firmware files as a fallback after the direct file loading in kernel fails. Providing firmware auto loader functionality would assist an attacker in discovering attack vectors.',
+ 'CONFIG_BPF_JIT': 'Enables Berkeley Packet Filter filtering capabilities. The BPF JIT can be used to create kernel-payloads from firewall table rules which assist an attacker in discovering attack vectors.',
+ 'CONFIG_USELIB': 'Enables the uselib syscall. The uselib system call has no valid use in any libc6 or uclibc system. Legacy features would assist an attacker in discovering attack vectors.',
+ 'CONFIG_CC_STACKPROTECTOR': 'Enables the stack protector GCC feature which defends against stack-based buffer overflows',
+ 'CONFIG_KEXEC': 'Enables the ability to shutdown your current kernel, and start another one. If enabled, this can be used as a way to bypass signed kernels.',
+ 'CONFIG_PROC_KCORE': 'Enables access to a kernel core dump from userspace. Providing access to core dumps of the kernel would assist an attacker in discovering attack vectors.',
+ 'CONFIG_SECURITY_DMESG_RESTRICT': 'Enables restrictions on unprivileged users reading the kernel syslog via dmesg(8). Unrestricted access to kernel syslogs would assist an attacker in discovering attack vectors.',
+ 'CONFIG_DEBUG_STACKOVERFLOW': 'Enables messages to be printed if free stack space drops below a certain limit. Leaking information about resources used by the kernel would assist an attacker in discovering attack vectors.',
+ 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'Converts a certain set of sanity checks for user copy operations into compile time failures. The copy_from_user() etc checks help test if there are sufficient security checks on the length argument of the copy operation by having gcc prove that the argument is within bounds.',
+ 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'Required to enable DEBUG_STRICT_USER_COPY_CHECKS, but alone does not provide security.',
+ 'CONFIG_IKCONFIG_PROC': 'Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.',
+ 'CONFIG_RANDOMIZE_BASE': 'Enables Kernel Address Space Layout randomization (kASLR). This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.',
+ 'CONFIG_DEBUG_RODATA': 'Sets kernel text and rodata sections as read-only and write-protected. This guards against malicious attempts to change the kernel\'s executable code.',
+ 'CONFIG_STRICT_DEVMEM': 'Enables restriction of userspace access to kernel memory. Failure to enable this option provides an immediate attack vector.',
+ 'CONFIG_DEVKMEM': 'Enables kmem device, which direct maps kernel memory. Providing a view into kernel memory would assist an attacker in discovering attack vectors.',
+ 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'Enables randomization of PIE load address for ELF binaries. This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.',
+ 'CONFIG_DEBUG_KERNEL': 'Enables sysfs output intended to assist with debugging a kernel. The information output to sysfs would assist an attacker in discovering attack vectors.',
+ 'CONFIG_DEBUG_FS': 'Enables the kernel debug filesystem. The kernel debug filesystem presents a lot of useful information and means of manipulation of the kernel to an attacker.',
+ 'CONFIG_MODULE_SIG_FORCE': 'Enables validation of module signature. Disabling this option enables an attacker to load unsigned modules.',
+}
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py
new file mode 100644
index 0000000..cbaddf8
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py
@@ -0,0 +1,38 @@
+############################################################################################
+# Kernel Hardening Configurations
+############################################################################################
+hardening_kco = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'not set',
+ 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'not set',
+ 'CONFIG_X86_INTEL_MPX': 'not set',
+ 'CONFIG_X86_MSR': 'not set'
+ }
+hardening_kco_ref = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': '65536', # x86 specific
+ 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': '0x20000000,0x40000000', # x86 specific
+ 'CONFIG_X86_INTEL_MPX': 'y', # x86 and certain HW variants specific
+ 'CONFIG_X86_MSR': 'not set'
+ }
+############################################################################################
+# Keys Kernel Configuration
+############################################################################################
+keys_kco = {}
+keys_kco_ref = {}
+############################################################################################
+# Security Kernel Configuration
+############################################################################################
+security_kco = {'CONFIG_LSM_MMAP_MIN_ADDR': 'not set',
+ 'CONFIG_INTEL_TXT': 'not set'}
+security_kco_ref = {'CONFIG_LSM_MMAP_MIN_ADDR': '65536', # x86 specific
+ 'CONFIG_INTEL_TXT': 'y'}
+############################################################################################
+# Integrity Kernel Configuration
+############################################################################################
+integrity_kco = {}
+integrity_kco_ref = {}
+############################################################################################
+# Comments
+############################################################################################
+comments = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.',
+ 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'Defines the maximal offset in bytes that will be applied to the kernel when kernel Address Space Layout Randomization (kASLR) is active.',
+ 'CONFIG_X86_INTEL_MPX': 'Enables MPX hardware features that can be used with compiler-instrumented code to check memory references. It is designed to detect buffer overflow or underflow bugs.',
+ 'CONFIG_X86_MSR': 'Enables privileged processes access to the x86 Model-Specific Registers (MSRs). MSR accesses are directed to a specific CPU on multi-processor systems. This alone does not provide security.'
+ }
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi b/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi
new file mode 100644
index 0000000..5e7a69f
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi
@@ -0,0 +1,43 @@
+Artistic-1.0-perl
+BSD-2-Clause-FreeBSD
+BSD-3-Clause-Clear
+BSD-4-Clause
+BSD-4-Clause-UC
+bzip2-1.0.5
+bzip2-1.0.6
+CC0-1.0
+CC-BY-SA-3.0
+ErlPL-1.1
+FTL
+GFDL-1.1
+GFDL-1.1+
+GFDL-1.2
+GFDL-1.2+
+GFDL-1.3
+GFDL-1.3+
+GPL-1.0
+GPL-1.0+
+ICU
+IJG
+Libpng
+libtiff
+MIT-feh
+MIT-Opengroup
+mpich2
+Muddy-MIT
+OFL-1.0
+OLDAP-2.0.1
+OLDAP-2.8
+OpenSSL
+PHP-3.01
+Qhull
+Ruby
+SGI-B-2.0
+TCL
+Vim
+X11
+Zend-2.0
+zlib-acknowledgement
+ZPL-1.1
+ZPL-2.0
+ZPL-2.1
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions b/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses b/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses
new file mode 100644
index 0000000..8fff0b1
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses
@@ -0,0 +1,105 @@
+AFL-1.1
+AFL-1.2
+AFL-2.0
+AFL-2.1
+AFL-3.0
+APL-1.0
+Apache-1.1
+Apache-2.0
+APSL-1.0
+APSL-1.1
+APSL-1.2
+APSL-2.0
+Artistic-1.0
+Artistic-1.0-Perl
+Artistic-1.0-cl8
+Artistic-2.0
+AAL
+BSL-1.0
+BSD-2-Clause
+BSD-3-Clause
+CNRI-Python
+CDDL-1.0
+CPAL-1.0
+CPL-1.0
+CATOSL-1.1
+CUA-OPL-1.0
+EPL-1.0
+ECL-1.0
+ECL-2.0
+EFL-1.0
+EFL-2.0
+Entessa
+EUDatagrid
+EUPL-1.1
+Fair
+Frameworx-1.0
+AGPL-3.0
+GPL-2.0
+GPL-2.0+
+GPL-2.0-with-autoconf-exception
+GPL-2.0-with-bison-exception
+GPL-2.0-with-classpath-exception
+GPL-2.0-with-font-exception
+GPL-2.0-with-GCC-exception
+GPL-3.0
+GPL-3.0+
+GPL-3.0-with-autoconf-exception
+GPL-3.0-with-GCC-exception
+LGPL-2.1
+LGPL-2.1+
+LGPL-3.0
+LGPL-3.0+
+LGPL-2.0
+LGPL-2.0+
+HPND
+IPL-1.0
+Intel
+IPA
+ISC
+LPPL-1.3c
+LPL-1.02
+LPL-1.0
+MS-PL
+MS-RL
+MirOS
+MIT
+Motosoto
+MPL-1.0
+MPL-1.1
+MPL-2.0
+MPL-2.0-no-copyleft-exception
+Multics
+NASA-1.3
+Naumen
+NGPL
+Nokia
+NPOSL-3.0
+NTP
+OCLC-2.0
+OGTSL
+OSL-1.0
+OSL-2.0
+OSL-2.1
+OSL-3.0
+PHP-3.0
+PostgreSQL
+Python-2.0
+QPL-1.0
+RPSL-1.0
+RPL-1.1
+RPL-1.5
+RSCPL
+OFL-1.1
+SimPL-2.0
+Sleepycat
+SISSL
+SPL-1.0
+Watcom-1.0
+NCSA
+VSL-1.0
+W3C
+WXwindows
+Xnet
+Zlib
+ZPL-2.0
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations b/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations
new file mode 100644
index 0000000..5da203b
--- /dev/null
+++ b/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations
@@ -0,0 +1,7 @@
+GPL-3.0
+GPL-3.0+
+GPL-3.0-with-autoconf-exception
+GPL-3.0-with-GCC-exception
+LGPL-3.0
+LGPL-3.0+
+
diff --git a/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb b/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb
new file mode 100644
index 0000000..247ec76
--- /dev/null
+++ b/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb
@@ -0,0 +1,25 @@
+SUMMARY = "Checksec tool"
+DESCRIPTION = "The checksec.sh script is designed to test what standard Linux OS and PaX security features are being used."
+SECTION = "security"
+LICENSE = "BSD-3-Clause"
+HOMEPAGE="http://www.trapkit.de/tools/checksec.html"
+
+LIC_FILES_CHKSUM = "file://checksec-${PV}.sh;beginline=3;endline=34;md5=6dab14470bfdf12634b866dbdd7a04b0"
+
+SRC_URI = "http://www.trapkit.de/tools/checksec.sh;downloadfilename=checksec-${PV}.sh"
+
+SRC_URI[md5sum] = "57cc3fbbbe48e8ebd4672c569954374d"
+SRC_URI[sha256sum] = "05822cd8668589038d20650faa0e56f740911d8ad06f7005b3d12a5c76591b90"
+
+
+S = "${WORKDIR}"
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/checksec-${PV}.sh ${D}${bindir}/checksec.sh
+ sed -i 's/\r//' ${D}${bindir}/checksec.sh
+}
+
+RDEPENDS_${PN} = "bash binutils"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security-isfafw/classes/isafw.bbclass b/meta-security-isfafw/classes/isafw.bbclass
new file mode 100644
index 0000000..146acdf
--- /dev/null
+++ b/meta-security-isfafw/classes/isafw.bbclass
@@ -0,0 +1,318 @@
+# Security scanning class
+#
+# Based in part on buildhistory.bbclass which was in turn based on
+# testlab.bbclass and packagehistory.bbclass
+#
+# Copyright (C) 2011-2015 Intel Corporation
+# Copyright (C) 2007-2011 Koen Kooi <koen@openembedded.org>
+#
+
+LICENSE = "MIT"
+
+require conf/distro/include/distro_alias.inc
+
+ISAFW_WORKDIR = "${WORKDIR}/isafw"
+ISAFW_REPORTDIR ?= "${LOG_DIR}/isafw-report"
+ISAFW_LOGDIR ?= "${LOG_DIR}/isafw-logs"
+
+ISAFW_PLUGINS_WHITELIST ?= ""
+ISAFW_PLUGINS_BLACKLIST ?= ""
+
+ISAFW_LA_PLUGIN_IMAGE_WHITELIST ?= ""
+ISAFW_LA_PLUGIN_IMAGE_BLACKLIST ?= ""
+
+# First, code to handle scanning each recipe that goes into the build
+
+do_analysesource[nostamp] = "1"
+do_analysesource[cleandirs] = "${ISAFW_WORKDIR}"
+
+python do_analysesource() {
+ from isafw import isafw
+
+ imageSecurityAnalyser = isafw_init(isafw, d)
+
+ if not d.getVar('SRC_URI', True):
+ # Recipe didn't fetch any sources, nothing to do here I assume?
+ return
+
+ recipe = isafw.ISA_package()
+ recipe.name = d.getVar('BPN', True)
+ recipe.version = d.getVar('PV', True)
+ recipe.version = recipe.version.split('+git', 1)[0]
+
+ for p in d.getVar('PACKAGES', True).split():
+ license = str(d.getVar('LICENSE_' + p, True))
+ if license == "None":
+ license = d.getVar('LICENSE', True)
+ license = license.replace("(", "")
+ license = license.replace(")", "")
+ licenses = license.split()
+ while '|' in licenses:
+ licenses.remove('|')
+ while '&' in licenses:
+ licenses.remove('&')
+ for l in licenses:
+ recipe.licenses.append(p + ":" + canonical_license(d, l))
+
+ aliases = d.getVar('DISTRO_PN_ALIAS', True)
+ if aliases:
+ recipe.aliases = aliases.split()
+ faliases = []
+ for a in recipe.aliases:
+ if (a != "OSPDT") and (not (a.startswith("upstream="))):
+ faliases.append(a.split('=', 1)[-1])
+ # remove possible duplicates in pkg names
+ faliases = list(set(faliases))
+ recipe.aliases = faliases
+
+ for patch in src_patches(d):
+ _,_,local,_,_,_=bb.fetch.decodeurl(patch)
+ recipe.patch_files.append(os.path.basename(local))
+ if (not recipe.patch_files) :
+ recipe.patch_files.append("None")
+
+ # Pass the recipe object to the security framework
+ bb.debug(1, '%s: analyse sources' % (d.getVar('PN', True)))
+ imageSecurityAnalyser.process_package(recipe)
+
+ return
+}
+
+addtask do_analysesource before do_build
+
+# This task intended to be called after default task to process reports
+
+PR_ORIG_TASK := "${BB_DEFAULT_TASK}"
+addhandler process_reports_handler
+process_reports_handler[eventmask] = "bb.event.BuildCompleted"
+
+python process_reports_handler() {
+ from isafw import isafw
+
+ dd = d.createCopy()
+ target_sysroot = dd.expand("${STAGING_DIR}/${MACHINE}")
+ native_sysroot = dd.expand("${STAGING_DIR}/${BUILD_ARCH}")
+ staging_populate_sysroot_dir(target_sysroot, native_sysroot, True, dd)
+
+ dd.setVar("STAGING_DIR_NATIVE", native_sysroot)
+ savedenv = os.environ.copy()
+ os.environ["PATH"] = dd.getVar("PATH", True)
+
+ imageSecurityAnalyser = isafw_init(isafw, dd)
+ bb.debug(1, 'isafw: process reports')
+ imageSecurityAnalyser.process_report()
+
+ os.environ["PATH"] = savedenv["PATH"]
+}
+
+do_build[depends] += "cve-update-db-native:do_populate_cve_db ca-certificates-native:do_populate_sysroot"
+do_build[depends] += "python3-lxml-native:do_populate_sysroot"
+
+# These tasks are intended to be called directly by the user (e.g. bitbake -c)
+
+addtask do_analyse_sources after do_analysesource
+do_analyse_sources[doc] = "Produce ISAFW reports based on given package without building it"
+do_analyse_sources[nostamp] = "1"
+do_analyse_sources() {
+ :
+}
+
+addtask do_analyse_sources_all after do_analysesource
+do_analyse_sources_all[doc] = "Produce ISAFW reports for all packages in given target without building them"
+do_analyse_sources_all[recrdeptask] = "do_analyse_sources_all do_analysesource"
+do_analyse_sources_all[recideptask] = "do_${PR_ORIG_TASK}"
+do_analyse_sources_all[nostamp] = "1"
+do_analyse_sources_all() {
+ :
+}
+
+python() {
+ # We probably don't need to scan these
+ if bb.data.inherits_class('native', d) or \
+ bb.data.inherits_class('nativesdk', d) or \
+ bb.data.inherits_class('cross', d) or \
+ bb.data.inherits_class('crosssdk', d) or \
+ bb.data.inherits_class('cross-canadian', d) or \
+ bb.data.inherits_class('packagegroup', d) or \
+ bb.data.inherits_class('image', d):
+ bb.build.deltask('do_analysesource', d)
+}
+
+fakeroot python do_analyse_image() {
+
+ from isafw import isafw
+
+ imageSecurityAnalyser = isafw_init(isafw, d)
+
+ # Directory where the image's entire contents can be examined
+ rootfsdir = d.getVar('IMAGE_ROOTFS', True)
+
+ imagebasename = d.getVar('IMAGE_BASENAME', True)
+
+ kernelconf = d.getVar('STAGING_KERNEL_BUILDDIR', True) + "/.config"
+ if os.path.exists(kernelconf):
+ kernel = isafw.ISA_kernel()
+ kernel.img_name = imagebasename
+ kernel.path_to_config = kernelconf
+ bb.debug(1, 'do kernel conf analysis on %s' % kernelconf)
+ imageSecurityAnalyser.process_kernel(kernel)
+ else:
+ bb.debug(1, 'Kernel configuration file is missing. Not performing analysis on %s' % kernelconf)
+
+ pkglist = manifest2pkglist(d)
+
+ imagebasename = d.getVar('IMAGE_BASENAME', True)
+
+ if (pkglist):
+ pkg_list = isafw.ISA_pkg_list()
+ pkg_list.img_name = imagebasename
+ pkg_list.path_to_list = pkglist
+ bb.debug(1, 'do pkg list analysis on %s' % pkglist)
+ imageSecurityAnalyser.process_pkg_list(pkg_list)
+
+ fs = isafw.ISA_filesystem()
+ fs.img_name = imagebasename
+ fs.path_to_fs = rootfsdir
+
+ bb.debug(1, 'do image analysis on %s' % rootfsdir)
+ imageSecurityAnalyser.process_filesystem(fs)
+}
+
+do_rootfs[depends] += "checksec-native:do_populate_sysroot ca-certificates-native:do_populate_sysroot"
+do_rootfs[depends] += "prelink-native:do_populate_sysroot"
+do_rootfs[depends] += "python3-lxml-native:do_populate_sysroot"
+
+isafw_init[vardepsexclude] = "DATETIME"
+def isafw_init(isafw, d):
+ import re, errno
+
+ isafw_config = isafw.ISA_config()
+ # Override the builtin default in curl-native (used by cve-update-db-nativ)
+ # because that default is a path that may not be valid: when curl-native gets
+ # installed from sstate, we end up with the sysroot path as it was on the
+ # original build host, which is not necessarily the same path used now
+ # (see https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883).
+ #
+ # Can't use ${sysconfdir} here, it already includes ${STAGING_DIR_NATIVE}
+ # when the current recipe is native.
+ isafw_config.cacert = d.expand('${STAGING_DIR_NATIVE}/etc/ssl/certs/ca-certificates.crt')
+
+ bb.utils.export_proxies(d)
+
+ isafw_config.machine = d.getVar('MACHINE', True)
+ isafw_config.timestamp = d.getVar('DATETIME', True)
+ isafw_config.reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + isafw_config.timestamp
+ if not os.path.exists(os.path.dirname(isafw_config.reportdir + "/test")):
+ try:
+ os.makedirs(os.path.dirname(isafw_config.reportdir + "/test"))
+ except OSError as exc:
+ if exc.errno == errno.EEXIST and os.path.isdir(isafw_config.reportdir):
+ pass
+ else: raise
+ isafw_config.logdir = d.getVar('ISAFW_LOGDIR', True)
+ # Adding support for arm
+ # TODO: Add support for other platforms
+ isafw_config.arch = d.getVar('TARGET_ARCH', True)
+ if ( isafw_config.arch != "arm" ):
+ isafw_config.arch = "x86"
+
+ whitelist = d.getVar('ISAFW_PLUGINS_WHITELIST', True)
+ blacklist = d.getVar('ISAFW_PLUGINS_BLACKLIST', True)
+ if whitelist:
+ isafw_config.plugin_whitelist = re.split(r'[,\s]*', whitelist)
+ if blacklist:
+ isafw_config.plugin_blacklist = re.split(r'[,\s]*', blacklist)
+
+ la_image_whitelist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_WHITELIST', True)
+ la_image_blacklist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_BLACKLIST', True)
+ if la_image_whitelist:
+ isafw_config.la_plugin_image_whitelist = re.split(r'[,\s]*', la_image_whitelist)
+ if la_image_blacklist:
+ isafw_config.la_plugin_image_blacklist = re.split(r'[,\s]*', la_image_blacklist)
+
+ return isafw.ISA(isafw_config)
+
+# based on toaster.bbclass _toaster_load_pkgdatafile function
+def binary2source(dirpath, filepath):
+ import re
+ originPkg = ""
+ with open(os.path.join(dirpath, filepath), "r") as fin:
+ for line in fin:
+ try:
+ kn, kv = line.strip().split(": ", 1)
+ m = re.match(r"^PKG_([^A-Z:]*)", kn)
+ if m:
+ originPkg = str(m.group(1))
+ except ValueError:
+ pass # ignore lines without valid key: value pairs:
+ if not originPkg:
+ originPkg = "UNKNOWN"
+ return originPkg
+
+manifest2pkglist[vardepsexclude] = "DATETIME"
+def manifest2pkglist(d):
+ import glob
+
+ manifest_file = d.getVar('IMAGE_MANIFEST', True)
+ imagebasename = d.getVar('IMAGE_BASENAME', True)
+ reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + d.getVar('DATETIME', True)
+ pkgdata_dir = d.getVar("PKGDATA_DIR", True)
+ rr_dir = "%s/runtime-reverse/" % pkgdata_dir
+ pkglist = reportdir + "/pkglist"
+
+ with open(pkglist, 'a') as foutput:
+ foutput.write("Packages for image " + imagebasename + "\n")
+ try:
+ with open(manifest_file, 'r') as finput:
+ for line in finput:
+ items = line.split()
+ if items and (len(items) >= 3):
+ pkgnames = map(os.path.basename, glob.glob(os.path.join(rr_dir, items[0])))
+ for pkgname in pkgnames:
+ originPkg = binary2source(rr_dir, pkgname)
+ version = items[2]
+ if not version:
+ version = "undetermined"
+ foutput.write(pkgname + " " + version + " " + originPkg + "\n")
+ except IOError:
+ bb.debug(1, 'isafw: manifest file not found. Skip pkg list analysis')
+ return "";
+
+
+ return pkglist
+
+# NOTE: by the time IMAGE_POSTPROCESS_COMMAND items are called, the image
+# has been stripped of the package manager database (if runtime package management
+# is not enabled, i.e. 'package-management' is not in IMAGE_FEATURES). If you
+# do want to be using the package manager to operate on the image contents, you'll
+# need to call your function from ROOTFS_POSTINSTALL_COMMAND or
+# ROOTFS_POSTUNINSTALL_COMMAND instead - however if you do that you should then be
+# aware that what you'll be looking at isn't exactly what you will see in the image
+# at runtime (there will be other postprocessing functions called after yours).
+#
+# do_analyse_image does not need the package manager database. Making it
+# a separate task instead of a IMAGE_POSTPROCESS_COMMAND has several
+# advantages:
+# - all other image commands are guaranteed to have completed
+# - it can run in parallel to other tasks which depend on the complete
+# image, instead of blocking those other tasks
+# - meta-swupd helper images do not need to be analysed and won't be
+# because nothing depends on their "do_build" task, only on
+# do_image_complete
+python () {
+ if bb.data.inherits_class('image', d):
+ bb.build.addtask('do_analyse_image', 'do_build', 'do_image_complete', d)
+}
+
+python isafwreport_handler () {
+
+ import shutil
+
+ logdir = e.data.getVar('ISAFW_LOGDIR', True)
+ if os.path.exists(os.path.dirname(logdir+"/test")):
+ shutil.rmtree(logdir)
+ os.makedirs(os.path.dirname(logdir+"/test"))
+
+}
+addhandler isafwreport_handler
+isafwreport_handler[eventmask] = "bb.event.BuildStarted"
diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf
index 175eba8..c3372c7 100644
--- a/meta-tpm/conf/layer.conf
+++ b/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_tpm-layer = "10"
-LAYERSERIES_COMPAT_tpm-layer = "zeus"
+LAYERSERIES_COMPAT_tpm-layer = "dunfell"
LAYERDEPENDS_tpm-layer = " \
core \
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend b/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
index cea8b1b..cea8b1b 100644
--- a/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
diff --git a/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb b/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb
index d9863fa..4588c8d 100644
--- a/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb
+++ b/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb
@@ -8,7 +8,7 @@ SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-${PV}"
PE = "1"
S = "${WORKDIR}/git"
-inherit autotools-brokensep pkgconfig
+inherit autotools-brokensep pkgconfig perlnative
PACKAGECONFIG ?= "openssl"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_5.%.bbappend
index 39d4e6f..39d4e6f 100644
--- a/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_5.%.bbappend
diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb
index fa60752..11c931d 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.3.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb
@@ -25,7 +25,7 @@ SRC_URI = " \
file://run-ptest \
"
-SRCREV = "2f9d9ea7e01a115b29858455d3b1b5c6a0bab75c"
+SRCREV = "d779dbf88a664f06c1265b9e27b93f87de4cfe44"
S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
diff --git a/recipes-scanners/arpwatch/arpwatch_3.0.bb b/recipes-scanners/arpwatch/arpwatch_3.0.bb
new file mode 100644
index 0000000..9be319a
--- /dev/null
+++ b/recipes-scanners/arpwatch/arpwatch_3.0.bb
@@ -0,0 +1,79 @@
+SUMARRY = "The ethernet monitor program; for keeping track of ethernet/ip address pairings"
+LICENSE = "BSD-4-Clause"
+HOME_PAGE = "http://ee.lbl.gov/"
+LIC_FILES_CHKSUM = "file://configure;md5=212742e55562cf47527d31c2a492411a"
+
+DEPENDS += "libpcap postfix"
+
+SRC_URI = "https://ee.lbl.gov/downloads/arpwatch/${BP}.tar.gz \
+ file://arpwatch.conf \
+ file://arpwatch.default \
+ file://arpwatch_init \
+ file://postfix_workaround.patch \
+ file://host_contam_fix.patch "
+
+SRC_URI[sha256sum] = "82e137e104aca8b1280f5cca0ebe61b978f10eadcbb4c4802c181522ad02b25b"
+
+inherit autotools-brokensep update-rc.d useradd
+
+ARPWATCH_UID ?= "arpwatch"
+ARPWATCH_GID ?= "arpwatch"
+APRWATCH_FROM ?= "root "
+ARPWATH_REPLY ?= "${ARPWATCH_UID}"
+
+EXTRA_OECONF = " --srcdir=${S} --with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}"
+
+CONFIGUREOPTS = " --build=${BUILD_SYS} \
+ --host=${HOST_SYS} \
+ --target=${TARGET_SYS} \
+ --prefix=${prefix} \
+ --exec_prefix=${exec_prefix} \
+ --bindir=${bindir} \
+ --sbindir=${sbindir} \
+ --libexecdir=${libexecdir} \
+ --datadir=${datadir} \
+ --sysconfdir=${sysconfdir} \
+ --sharedstatedir=${sharedstatedir} \
+ --localstatedir=${localstatedir} \
+ --libdir=${libdir} \
+ --includedir=${includedir} \
+ --oldincludedir=${oldincludedir} \
+ --infodir=${infodir} \
+ --mandir=${mandir} \
+ "
+
+do_configure () {
+ ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+}
+
+do_install () {
+ install -d ${D}${bindir}
+ install -d ${D}${sbindir}
+ install -d ${D}${mandir}
+ install -d ${D}${sysconfdir}
+ install -d ${D}${sysconfdir}/default
+ install -d ${D}${sysconfdir}/init.d
+ install -d ${D}${prefix}/etc/rc.d
+ install -d ${D}/var/lib/arpwatch
+
+ oe_runmake install DESTDIR=${D}
+ install -m 644 ${WORKDIR}/arpwatch.conf ${D}${sysconfdir}
+ install -m 655 ${WORKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch
+ install -m 644 ${WORKDIR}/arpwatch.default ${D}${sysconfdir}/default
+}
+
+INITSCRIPT_NAME = "arpwatch"
+INITSCRIPT_PARAMS = "start 02 2 3 4 5 . stop 20 0 1 6 ."
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system ${ARPWATCH_UID}"
+USERADD_PARAM_${PN} = "--system -g ${ARPWATCH_GID} --home-dir \
+ ${localstatedir}/spool/${BPN} \
+ --no-create-home --shell /bin/false ${BPN}"
+
+CONFFILE_FILES = "${sysconfdir}/${PN}.conf"
+
+FILES_${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \
+ ${sysconfdir} /var/lib/arpwatch"
+
+RDEPENDS_${PN} = "libpcap postfix postfix-cfg"
diff --git a/recipes-scanners/arpwatch/files/arpwatch.conf b/recipes-scanners/arpwatch/files/arpwatch.conf
new file mode 100644
index 0000000..67213c9
--- /dev/null
+++ b/recipes-scanners/arpwatch/files/arpwatch.conf
@@ -0,0 +1,23 @@
+# /etc/arpwatch.conf: Debian-specific way to watch multiple interfaces.
+# Format of this configuration file is:
+#
+#<dev1> <arpwatch options for dev1>
+#<dev2> <arpwatch options for dev2>
+#...
+#<devN> <arpwatch options for devN>
+#
+# You can set global options for all interfaces by editing
+# /etc/default/arpwatch
+
+# For example:
+
+eth0
+#eth0 -m root
+#eth1 -m root
+#eth2 -m root
+
+# or, if you have an MTA configured for plussed addressing:
+#
+#eth0 -m root+eth0
+#eth1 -m root+eth1
+#eth2 -m root+eth2
diff --git a/recipes-scanners/arpwatch/files/arpwatch.default b/recipes-scanners/arpwatch/files/arpwatch.default
new file mode 100644
index 0000000..b0a7d8f
--- /dev/null
+++ b/recipes-scanners/arpwatch/files/arpwatch.default
@@ -0,0 +1,7 @@
+# Global options for arpwatch(8).
+
+# Debian: don't report bogons, don't use PROMISC.
+ARGS="-N -p"
+
+# Debian: run as `arpwatch' user. Empty this to run as root.
+RUNAS="arpwatch"
diff --git a/recipes-scanners/arpwatch/files/arpwatch_init b/recipes-scanners/arpwatch/files/arpwatch_init
new file mode 100644
index 0000000..9860c65
--- /dev/null
+++ b/recipes-scanners/arpwatch/files/arpwatch_init
@@ -0,0 +1,123 @@
+#!/bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+NAME=arpwatch
+DAEMON=/usr/sbin/$NAME
+DESC="Ethernet/FDDI station monitor daemon"
+DATADIR=/var/lib/$NAME
+RETVAL=0
+
+. /etc/init.d/functions
+
+### You shouldn't touch anything below unless you know what you are doing.
+
+[ -f /etc/default/arpwatch ] && . /etc/default/arpwatch
+
+# Decide whether we have to deal with multiple interfaces.
+CONF=/etc/arpwatch.conf
+MULTIPLE=0
+if [ -r $CONF ]; then
+ grep -c '^[a-z]' $CONF 2>&1 >/dev/null && MULTIPLE=1
+fi
+
+# Check whether we have to drop privileges.
+if [ -n "$RUNAS" ]; then
+ if getent passwd "$RUNAS" >/dev/null; then
+ ARGS="-u ${RUNAS} $ARGS"
+ else
+ RUNAS=""
+ fi
+fi
+
+start_instance () {
+ IFACE=$1
+ INSTANCE=${NAME}-${IFACE}
+ DATAFILE=$DATADIR/${IFACE}.dat
+ IFACE_OPTS="-P /var/run/${INSTANCE}.pid -i ${IFACE} -f ${DATAFILE} $2"
+
+ echo -n "Starting $DESC: "
+ if [ ! -f $DATAFILE ]; then
+ echo -n "(creating $DATAFILE) " :> $DATAFILE
+ fi
+ if [ -n "$RUNAS" ]; then
+ echo -n "(chown $RUNAS $DATAFILE) "
+ chown $RUNAS $DATAFILE
+ fi
+ start-stop-daemon --start --quiet \
+ --pidfile /var/run/${INSTANCE}.pid \
+ --exec $DAEMON -- $IFACE_OPTS $ARGS
+ echo "${INSTANCE}."
+ ps h -C $NAME -o pid,args | \
+ awk "/$IFACE/ { print \$1 }" > /var/run/${INSTANCE}.pid
+}
+
+stop_instance () {
+ IFACE=$1
+ INSTANCE=${NAME}-${IFACE}
+ [ -f /var/run/${INSTANCE}.pid ] || return 0
+ echo -n "Stopping $DESC: "
+ start-stop-daemon --stop --quiet --oknodo \
+ --pidfile /var/run/${INSTANCE}.pid
+ echo "${INSTANCE}."
+ rm -f /var/run/${INSTANCE}.pid
+}
+
+process_loop_break_line () {
+ __IFACE=$1
+ shift
+ __IOPTS="$@"
+}
+
+process_loop () {
+ OPERATION=$1
+ grep '^[a-z]' $CONF 2>/dev/null | \
+ while read LINE
+ do
+ process_loop_break_line $LINE
+ I=$__IFACE
+ I_OPTS="$__IOPTS"
+ $OPERATION $I "$I_OPTS"
+ done
+}
+
+startup () {
+ process_loop start_instance
+}
+
+shutdown () {
+ process_loop stop_instance
+}
+
+case "$1" in
+ start)
+ startup
+ ;;
+ stop)
+ shutdown
+ ;;
+ reload)
+ echo "Reload operation not supported -- use restart."
+ RETVAL=2
+ ;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented, move the "force-reload"
+ # option to the "reload" entry above. If not, "force-reload" is
+ # just the same as "restart".
+ #
+ shutdown
+ sleep 1
+ startup
+ ;;
+ status)
+ status_of_proc $DAEMON $NAME
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $N {start|stop|restart|force-reload}" >&2
+ RETVAL=2
+ ;;
+esac
+
+exit $RETVAL
diff --git a/recipes-scanners/arpwatch/files/host_contam_fix.patch b/recipes-scanners/arpwatch/files/host_contam_fix.patch
new file mode 100644
index 0000000..7d7ffac
--- /dev/null
+++ b/recipes-scanners/arpwatch/files/host_contam_fix.patch
@@ -0,0 +1,21 @@
+This removes the host contamination
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: arpwatch-3.0/configure
+===================================================================
+--- arpwatch-3.0.orig/configure
++++ arpwatch-3.0/configure
+@@ -4349,8 +4349,8 @@ fi
+ CC=cc
+ export CC
+ fi
+- V_INCLS="$V_INCLS -I/usr/local/include"
+- LDFLAGS="$LDFLAGS -L/usr/local/lib"
++ V_INCLS="$V_INCLS "
++ LDFLAGS="$LDFLAGS "
+ if test "$GCC" != yes ; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking that $CC handles ansi prototypes" >&5
+ $as_echo_n "checking that $CC handles ansi prototypes... " >&6; }
diff --git a/recipes-scanners/arpwatch/files/postfix_workaround.patch b/recipes-scanners/arpwatch/files/postfix_workaround.patch
new file mode 100644
index 0000000..95213f2
--- /dev/null
+++ b/recipes-scanners/arpwatch/files/postfix_workaround.patch
@@ -0,0 +1,91 @@
+Sendmail exists after the system boots. We are using postfix
+so no need to check if it exists.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: arpwatch-3.0/configure
+===================================================================
+--- arpwatch-3.0.orig/configure
++++ arpwatch-3.0/configure
+@@ -636,7 +636,6 @@ LBL_LIBS
+ HAVE_FREEBSD_TRUE
+ HAVE_FREEBSD_FALSE
+ PYTHON
+-V_SENDMAIL
+ LIBOBJS
+ INSTALL_DATA
+ INSTALL_SCRIPT
+@@ -5573,53 +5572,6 @@ fi
+ done
+
+
+-# Extract the first word of "sendmail", so it can be a program name with args.
+-set dummy sendmail; ac_word=$2
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+-$as_echo_n "checking for $ac_word... " >&6; }
+-if ${ac_cv_path_V_SENDMAIL+:} false; then :
+- $as_echo_n "(cached) " >&6
+-else
+- case $V_SENDMAIL in
+- [\\/]* | ?:[\\/]*)
+- ac_cv_path_V_SENDMAIL="$V_SENDMAIL" # Let the user override the test with a path.
+- ;;
+- *)
+- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+-as_dummy="$PATH:/usr/sbin:/usr/lib:/usr/bin:/usr/ucblib:/usr/local/etc"
+-for as_dir in $as_dummy
+-do
+- IFS=$as_save_IFS
+- test -z "$as_dir" && as_dir=.
+- for ac_exec_ext in '' $ac_executable_extensions; do
+- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+- ac_cv_path_V_SENDMAIL="$as_dir/$ac_word$ac_exec_ext"
+- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+- break 2
+- fi
+-done
+- done
+-IFS=$as_save_IFS
+-
+- ;;
+-esac
+-fi
+-V_SENDMAIL=$ac_cv_path_V_SENDMAIL
+-if test -n "$V_SENDMAIL"; then
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $V_SENDMAIL" >&5
+-$as_echo "$V_SENDMAIL" >&6; }
+-else
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-fi
+-
+-
+-
+-if test -z "${V_SENDMAIL}" ; then
+- as_fn_error $? "Can't find sendmail" "$LINENO" 5
+-fi
+-
+-
+ python=${PYTHON:-python}
+ # Extract the first word of "${python}", so it can be a program name with args.
+ set dummy ${python}; ac_word=$2
+Index: arpwatch-3.0/configure.in
+===================================================================
+--- arpwatch-3.0.orig/configure.in
++++ arpwatch-3.0/configure.in
+@@ -76,13 +76,6 @@ AC_LBL_UNION_WAIT
+ AC_CHECK_LIB(resolv, res_query)
+ AC_LBL_LIBPCAP(V_PCAPDEP, V_INCLS)
+
+-AC_PATH_PROG(V_SENDMAIL, sendmail,,
+- $PATH:/usr/sbin:/usr/lib:/usr/bin:/usr/ucblib:/usr/local/etc)
+-
+-if test -z "${V_SENDMAIL}" ; then
+- AC_MSG_ERROR([Can't find sendmail])
+-fi
+-
+ dnl AC_LBL_CHECK_TYPE(int32_t, int)
+ dnl AC_LBL_CHECK_TYPE(u_int32_t, u_int)
+
diff --git a/recipes-security/buck-security/buck-security_0.7.bb b/recipes-scanners/buck-security/buck-security_0.7.bb
index f6cbe3c..f6cbe3c 100644
--- a/recipes-security/buck-security/buck-security_0.7.bb
+++ b/recipes-scanners/buck-security/buck-security_0.7.bb
diff --git a/recipes-security/checksec/checksec_2.1.0.bb b/recipes-scanners/checksec/checksec_2.1.0.bb
index b67c98b..b67c98b 100644
--- a/recipes-security/checksec/checksec_2.1.0.bb
+++ b/recipes-scanners/checksec/checksec_2.1.0.bb
diff --git a/recipes-security/checksecurity/checksecurity_2.0.15.bb b/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
index 204123d..204123d 100644
--- a/recipes-security/checksecurity/checksecurity_2.0.15.bb
+++ b/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
diff --git a/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
index f1fe8ed..f1fe8ed 100644
--- a/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
+++ b/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
diff --git a/recipes-security/checksecurity/files/setuid-log-folder.patch b/recipes-scanners/checksecurity/files/setuid-log-folder.patch
index 540ea9c..540ea9c 100644
--- a/recipes-security/checksecurity/files/setuid-log-folder.patch
+++ b/recipes-scanners/checksecurity/files/setuid-log-folder.patch
diff --git a/recipes-security/clamav/clamav_0.101.5.bb b/recipes-scanners/clamav/clamav_0.101.5.bb
index a4c32e1..f4625b1 100644
--- a/recipes-security/clamav/clamav_0.101.5.bb
+++ b/recipes-scanners/clamav/clamav_0.101.5.bb
@@ -4,8 +4,8 @@ HOMEPAGE = "http://www.clamav.net/index.html"
SECTION = "security"
LICENSE = "LGPL-2.1"
-DEPENDS = "libtool db libxml2 openssl zlib curl llvm clamav-native libmspack"
-DEPENDS_class-native = "db-native openssl-native zlib-native llvm-native curl-native"
+DEPENDS = "libtool db libxml2 openssl zlib curl llvm clamav-native libmspack bison-native"
+DEPENDS_class-native = "db-native openssl-native zlib-native llvm-native curl-native bison-native"
LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092"
diff --git a/recipes-security/clamav/files/clamav-freshclam.service b/recipes-scanners/clamav/files/clamav-freshclam.service
index 0c909fb..0c909fb 100644
--- a/recipes-security/clamav/files/clamav-freshclam.service
+++ b/recipes-scanners/clamav/files/clamav-freshclam.service
diff --git a/recipes-security/clamav/files/clamav-milter.conf.sample b/recipes-scanners/clamav/files/clamav-milter.conf.sample
index ed0d519..ed0d519 100644
--- a/recipes-security/clamav/files/clamav-milter.conf.sample
+++ b/recipes-scanners/clamav/files/clamav-milter.conf.sample
diff --git a/recipes-security/clamav/files/clamav.service b/recipes-scanners/clamav/files/clamav.service
index f13191f..f13191f 100644
--- a/recipes-security/clamav/files/clamav.service
+++ b/recipes-scanners/clamav/files/clamav.service
diff --git a/recipes-security/clamav/files/clamd.conf b/recipes-scanners/clamav/files/clamd.conf
index 0457785..0457785 100644
--- a/recipes-security/clamav/files/clamd.conf
+++ b/recipes-scanners/clamav/files/clamd.conf
diff --git a/recipes-security/clamav/files/freshclam-native.conf b/recipes-scanners/clamav/files/freshclam-native.conf
index aaa8cf4..aaa8cf4 100644
--- a/recipes-security/clamav/files/freshclam-native.conf
+++ b/recipes-scanners/clamav/files/freshclam-native.conf
diff --git a/recipes-security/clamav/files/freshclam.conf b/recipes-scanners/clamav/files/freshclam.conf
index 100724f..100724f 100644
--- a/recipes-security/clamav/files/freshclam.conf
+++ b/recipes-scanners/clamav/files/freshclam.conf
diff --git a/recipes-security/clamav/files/tmpfiles.clamav b/recipes-scanners/clamav/files/tmpfiles.clamav
index fd5adfe..fd5adfe 100644
--- a/recipes-security/clamav/files/tmpfiles.clamav
+++ b/recipes-scanners/clamav/files/tmpfiles.clamav
diff --git a/recipes-security/clamav/files/volatiles.03_clamav b/recipes-scanners/clamav/files/volatiles.03_clamav
index ee2153c..ee2153c 100644
--- a/recipes-security/clamav/files/volatiles.03_clamav
+++ b/recipes-scanners/clamav/files/volatiles.03_clamav
diff --git a/recipes-scanners/rootkits/chkrootkit_0.53.bb b/recipes-scanners/rootkits/chkrootkit_0.53.bb
new file mode 100644
index 0000000..4536be3
--- /dev/null
+++ b/recipes-scanners/rootkits/chkrootkit_0.53.bb
@@ -0,0 +1,48 @@
+DESCRIPTION = "rootkit detector"
+SUMMARY = "locally checks for signs of a rootkit"
+HOMEPAGE = "http://www.chkrootkit.org/"
+SECTION = "security"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff"
+
+SRC_URI = "ftp://ftp.pangeia.com.br/pub/seg/pac/${BPN}.tar.gz"
+SRC_URI[sha256sum] = "7262dae33b338976828b5d156b70d159e0043c0db43ada8dee66c97387cf45b5"
+
+
+inherit autotools-brokensep
+
+TARGET_CC_ARCH += "${LDFLAGS}"
+
+do_configure () {
+ sed -i 's/@strip.*$//' ${S}/Makefile
+}
+
+do_compile () {
+ make CC="${CC}" LDFLAGS="${LDFLAGS}" sense
+ gzip -9vkf ACKNOWLEDGMENTS
+ gzip -9vkf README
+}
+
+do_install () {
+ install -d ${D}/${libdir}/${PN}
+ install -d ${D}/${sbindir}
+ install -d ${D}/${docdir}/${PN}
+
+ install -m 644 ${B}/chkdirs ${D}/${libdir}/${PN}
+ install -m 644 ${B}/chklastlog ${D}/${libdir}/${PN}
+ install -m 644 ${B}/chkproc ${D}/${libdir}/${PN}
+ install -m 644 ${B}/chkutmp ${D}/${libdir}/${PN}
+ install -m 644 ${B}/chkwtmp ${D}/${libdir}/${PN}
+ install -m 644 ${B}/ifpromisc ${D}/${libdir}/${PN}
+ install -m 644 ${B}/strings-static ${D}/${libdir}/${PN}
+
+ install -m 755 ${B}/chklastlog ${D}/${sbindir}
+ install -m 755 ${B}/chkrootkit ${D}/${sbindir}
+ install -m 755 ${B}/chkwtmp ${D}/${sbindir}
+
+ install -m 644 ${B}/ACKNOWLEDGMENTS.gz ${D}/${docdir}/${PN}
+ install -m 644 ${B}/README.chklastlog ${D}/${docdir}/${PN}
+ install -m 644 ${B}/README.chkwtmp ${D}/${docdir}/${PN}
+ install -m 644 ${B}/README.gz ${D}/${docdir}/${PN}
+ install -m 644 ${B}/COPYRIGHT ${D}/${docdir}/${PN}
+}
diff --git a/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb b/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
index 8673c10..e737f50 100644
--- a/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
+++ b/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
@@ -46,6 +46,6 @@ INITSCRIPT_PARAMS = "defaults 25"
INSANE_SKIP_${PN}_append = "already-stripped"
-RDEPENDS_${PN} = "sysklogd iptables sqlite3 python3-core python3-pyinotify python3-logging python3-fcntl"
-RDEPENDS_${PN} += " python3-json "
+RDEPENDS_${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify"
+RDEPENDS_${PN} += " python3-logging python3-fcntl python3-json"
RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
diff --git a/recipes-security/images/security-client-image.bb b/recipes-security/images/security-client-image.bb
index 1a92479..f4ebc69 100644
--- a/recipes-security/images/security-client-image.bb
+++ b/recipes-security/images/security-client-image.bb
@@ -5,8 +5,7 @@ IMAGE_INSTALL = "\
packagegroup-core-boot \
os-release \
samhain-client \
- ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} \
- ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}"
+ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
IMAGE_LINGUAS ?= " "
diff --git a/recipes-security/images/security-server-image.bb b/recipes-security/images/security-server-image.bb
index 502b5c1..4927e0e 100644
--- a/recipes-security/images/security-server-image.bb
+++ b/recipes-security/images/security-server-image.bb
@@ -6,8 +6,7 @@ IMAGE_INSTALL = "\
packagegroup-base \
packagegroup-core-boot \
samhain-server \
- os-release \
- ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}"
+ os-release "
IMAGE_LINGUAS ?= " "
diff --git a/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch b/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
deleted file mode 100644
index a53433f..0000000
--- a/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 1ecdddb2a5b61cf527d1f238f88a9d129239f87a Mon Sep 17 00:00:00 2001
-From: Paul Moore <paul@paul-moore.com>
-Date: Tue, 5 Nov 2019 15:11:11 -0500
-Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
-
-We recently changed how libseccomp handles syscall numbers that are
-not defined natively, but we missed test #15.
-
-Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
-
-Upstream-Status: Backport
-[https://github.com/seccomp/libseccomp/commit/1ecdddb2a5b61cf527d1f238f88a9d129239f87a]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- tests/15-basic-resolver.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
-index 6badef1..0c1eefe 100644
---- a/tests/15-basic-resolver.c
-+++ b/tests/15-basic-resolver.c
-@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
- unsigned int arch;
- char *name = NULL;
-
-- if (seccomp_syscall_resolve_name("open") != __NR_open)
-+ if (seccomp_syscall_resolve_name("open") != __SNR_open)
- goto fail;
-- if (seccomp_syscall_resolve_name("read") != __NR_read)
-+ if (seccomp_syscall_resolve_name("read") != __SNR_read)
- goto fail;
- if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
- goto fail;
-
- rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
-- if (rc != __NR_openat)
-+ if (rc != __SNR_openat)
- goto fail;
-
- while ((arch = arch_list[iter++]) != -1) {
---
-2.17.1
-
diff --git a/recipes-security/libseccomp/libseccomp_2.4.2.bb b/recipes-security/libseccomp/libseccomp_2.4.3.bb
index 07db82a..9ca41e6 100644
--- a/recipes-security/libseccomp/libseccomp_2.4.2.bb
+++ b/recipes-security/libseccomp/libseccomp_2.4.3.bb
@@ -4,10 +4,9 @@ SECTION = "security"
LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-SRCREV = "1b6cfd1fc0b7499a28c24299a93a80bd18619563"
+SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427"
SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
- file://0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch \
file://run-ptest \
"
diff --git a/recipes-security/sssd/files/fix-ldblibdir.patch b/recipes-security/sssd/files/fix-ldblibdir.patch
new file mode 100644
index 0000000..e350baf
--- /dev/null
+++ b/recipes-security/sssd/files/fix-ldblibdir.patch
@@ -0,0 +1,25 @@
+When calculate value of ldblibdir, it checks whether the directory of
+$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not
+suitable for cross compile. Fix it that only re-assign ldblibdir when its value
+is empty.
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/external/libldb.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
+index c400add..5e5f06d 100644
+--- a/src/external/libldb.m4
++++ b/src/external/libldb.m4
+@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then
+ ldblibdir=$with_ldb_lib_dir
+ else
+ ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
+- if ! test -d $ldblibdir; then
++ if test -z $ldblibdir; then
+ ldblibdir="${libdir}/ldb"
+ fi
+ fi
diff --git a/recipes-security/sssd/files/volatiles.99_sssd b/recipes-security/sssd/files/volatiles.99_sssd
new file mode 100644
index 0000000..2a82413
--- /dev/null
+++ b/recipes-security/sssd/files/volatiles.99_sssd
@@ -0,0 +1 @@
+d root root 0750 /var/log/sssd none
diff --git a/recipes-security/sssd/sssd_1.16.4.bb b/recipes-security/sssd/sssd_1.16.4.bb
index c381c32..7ea1586 100644
--- a/recipes-security/sssd/sssd_1.16.4.bb
+++ b/recipes-security/sssd/sssd_1.16.4.bb
@@ -8,13 +8,21 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
-SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
- file://sssd.conf "
+# If no crypto has been selected, default to DEPEND on nss, since that's what
+# sssd will pick if no active choice is made during configure
+DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
+ bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
+
+SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
+ file://sssd.conf \
+ file://volatiles.99_sssd \
+ file://fix-ldblibdir.patch \
+ "
SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
-inherit autotools pkgconfig gettext python3-dir features_check
+inherit autotools pkgconfig gettext python3-dir features_check systemd
REQUIRED_DISTRO_FEATURES = "pam"
@@ -25,24 +33,34 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
"
-PACKAGECONFIG ?="nss nscd"
+PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
-PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
-PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
+PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
+PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
+PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl jansson"
+PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
+PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
-PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
-PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
-PACKAGECONFIG[cyrpto] = "--with-crypto=libcrypto, , libcrypto"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/, --with-systemdunitdir="
-PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
-PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl"
-
-EXTRA_OECONF += "--disable-cifs-idmap-plugin --without-nfsv4-idmapd-plugin --without-ipa-getkeytab"
+PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
+PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
+PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
+PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
+PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
+PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
+PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
+PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
+
+EXTRA_OECONF += " \
+ --disable-cifs-idmap-plugin \
+ --without-nfsv4-idmapd-plugin \
+ --without-ipa-getkeytab \
+ --without-python2-bindings \
+ --enable-pammoddir=${base_libdir}/security \
+ --without-python2-bindings \
+"
do_configure_prepend() {
mkdir -p ${AUTOTOOLS_AUXDIR}/build
@@ -57,6 +75,12 @@ do_install () {
rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
install -d ${D}/${sysconfdir}/${BPN}
install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+ install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
+ fi
# Remove /var/run as it is created on startup
rm -rf ${D}${localstatedir}/run
@@ -74,10 +98,24 @@ CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
INITSCRIPT_NAME = "sssd"
INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
-SYSTEMD_SERVICE_${PN} = "${BPN}.service"
+SYSTEMD_SERVICE_${PN} = " \
+ ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
+ sssd-nss.service \
+ sssd-nss.socket \
+ sssd-pam-priv.socket \
+ sssd-pam.service \
+ sssd-pam.socket \
+ sssd-secrets.service \
+ sssd-secrets.socket \
+ sssd.service \
+"
SYSTEMD_AUTO_ENABLE = "disable"
-FILES_${PN} += "${libdir} ${datadir} /run ${libdir}/*.so* "
+FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so"
FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
# The package contains symlinks that trip up insane