Age | Commit message | Author
38 hours | python3-pyinotify: Make asyncore support optional for Python 3 (HEAD, master) | Mingli Yu

Simple fix for Python 3.12 since it dropped asyncore. Catches the import error instead of using a version check so that the user can install the compatibility package for any uses that can't be upgraded to asyncio or similar immediately.

Fixes:

    # python3
    Python 3.12.1 (main, Dec 7 2023, 20:45:44) [GCC 13.2.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import pyinotify
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib64/python3.12/site-packages/pyinotify.py", line 71, in <module>
        import asyncore
    ModuleNotFoundError: No module named 'asyncore'
    >>>

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
38 hours | layer.conf: Update for the scarthgap release series | Max Krummenacher

Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
38 hours | arpwatch: install man8 dir | Jeremy A. Puhlman

The install expects the man8 directory to already exist. If it is not created, the man page gets installed as "man8", which causes conflicts with other packages that expect it to be a directory.

    'arpsnmp' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/sbin/arpsnmp'
    './arpwatch.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8'
    removed '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8'
    './arpsnmp.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8'

Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
38 hours | Check for usrmerge before removing /usr/lib | Jeremy A. Puhlman

Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
38 hours | dm-verity-image-initramfs: Set IMAGE_NAME_SUFFIX to empty | Kevin Hao

According to the Yocto reference manual [1], the IMAGE_NAME_SUFFIX should be set to empty for the initramfs image. Otherwise, we may incur a build error like the following due to the initrd check in live-vm-common.bbclass:

    ERROR: core-image-minimal-1.0-r0 do_bootimg: build-test/tmp/deploy/images/genericx86-64/dm-verity-image-initramfs-genericx86-64.cpio.gz is invalid. initrd image creation failed.
    ERROR: core-image-minimal-1.0-r0 do_bootimg: ExecutionError('build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/run.build_hddimg.1961965', 1, None, None)
    ERROR: Logfile of failure stored in: build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/log.do_bootimg.1961965
    ERROR: Task (poky/meta/recipes-core/images/core-image-minimal.bb:do_bootimg) failed with exit code '1'

[1] https://docs.yoctoproject.org/ref-manual/variables.html#term-IMAGE_NAME_SUFFIX

Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
38 hours | openscap: update to tip to fix new build issue. | Armin Kuster

Drop patch now included.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
38 hours | arpwatch: Add path for sendmail | Jeremy A. Puhlman

Arpwatch won't build on a system without a sendmail provider installed without this setting.

Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
38 hours | arpwatch: fix misspelling of PACKAGECONFIG | Jeremy A. Puhlman

Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
38 hours | dm-verity: Set the IMAGE_FSTYPES correctly when dm-verity is enabled | Kevin Hao

After switching to inherit_defer for the image classes in oe-core commit 451363438d38 ("classes/recipes: Switch to use inherit_defer"), using an anonymous python function in dm-verity-img.bbclass to set the IMAGE_FSTYPES doesn't work anymore. The reason is that image.bbclass also uses an anonymous python function to add the do_image_xxx task for the corresponding filesystem type. The anonymous function in dm-verity-img.bbclass is evaluated much later than the one in image.bbclass. Then a task such as do_image_vhash will not be added as we expect. So we choose to use "+=" to set the IMAGE_FSTYPES.

The populate_sdk_ext.bbclass may generate a dependency list like below:

    core-image-minimal.do_sdk_depends -> lib32-core-image-minimal.do_image_vhash

So we also need to make sure the do_image_vhash task for the multilib filesystem is added.

Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
38 hours | dm-verity: Adjust the image names according to the oe-core change | Kevin Hao

After the oe-core commit 26d97acc7137 ("image-artifact-names: include ${IMAGE_NAME_SUFFIX} directly in both ${IMAGE_NAME} and ${IMAGE_LINK_NAME}"), the image names have changed from

    core-image-minimal-qemux86-64-20230307181808.rootfs.ext4
    core-image-minimal-qemux86-64.ext4

to

    core-image-minimal-qemux86-64.rootfs-20230307181456.ext4
    core-image-minimal-qemux86-64.rootfs.ext4

Adjust the image names used by dm-verity according to this change.

Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
38 hours | docs: dm-verity.txt: Fix a typo | Kevin Hao

Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
38 hours | meta-security: Drop ${PYTHON_PN} | Armin Kuster

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
V2: Fix typo in python3-pyinotify changes
2024-02-20 | lynis: Add missing runtime dependencies | BELOUARGA Mohamed

Lynis tool needs ip, ss, tr and netstat. If they are missing, Lynis skips some important audit tests.

Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-02-20 | checksec: Add more runtime dependencies to checksec tool | BELOUARGA Mohamed

Checksec tool depends on the commands "find, file and ps".

Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-02-20 | openscap: fix build with python 3.12 | Yi Zhao

Backport a patch to fix build with python 3.12:

    $ bitbake openscap-native
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
    ModuleNotFoundError: No module named 'distutils'
    CMake Error at swig/python3/CMakeLists.txt:35 (install):
      install TARGETS given no LIBRARY DESTINATION for module target "_openscap_py".

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-02-20 | integrity-image-minimal: Fix IMAGE_INSTALL | Leon Anavi

Append to IMAGE_INSTALL rather than directly setting the variable, and do it after inheriting core-image.bbclass, because in it IMAGE_INSTALL is set with a default value CORE_IMAGE_BASE_INSTALL. Variable CORE_IMAGE_BASE_INSTALL includes CORE_IMAGE_EXTRA_INSTALL, so the change allows adding auditd to CORE_IMAGE_EXTRA_INSTALL as per the instructions in meta-integrity/README.md.

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-02-20 | linux-yocto%.bbappend: Add audit.cfg | Leon Anavi

Add audit.cfg configuration fragment. By default it is not appended to SRC_URI. It allows enabling the audit kernel subsystem, which may help to debug appraisal issues. Boot with "integrity_audit=1" to capture a more complete set of events in /var/log/audit/.

Previously the same configuration fragment was provided by layer meta-security-framework, but it is no longer maintained; therefore it makes sense to have audit.cfg in layer meta-integrity.

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-01-28 | scap-security-guide: update to 0.1.71 | Armin Kuster

Change branch name to stable.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-01-28 | python3-fail2ban: remove unused distutils dependency | Armin Kuster

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-01-28 | python3-pyinotify: do not rely on smtpd module | Armin Kuster

It's not mentioned anywhere in source code, and python 3.12 has removed it.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-01-28 | meta-security: libhoth: SRCREV bump e520f8f...e482716 | Yushi Sun

Nicholas Nooney (1):
      Update error messages in htool_exec_hostcmd (#43)

Royce (1):
      Add ability to process raw host commands (#41)

Yoan Andreev (1):
      Payload getstatus (#40)

daimeng (1):
      htool: Allow console snapshot on proxy channels (#42)

Signed-off-by: Yushi Sun <yushis@google.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-01-28 | parsec-tool: fix serialNumber check | Mikko Rapeli

New openssl 3.2.0 version removed spaces around serialNumber in:

    Subject: CN=parallaxsecond.com, serialNumber=EZ4U2CIXL

Fixes parsec-service oeqa test on qemu.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 | python3-pyinotify: fail2ban needs this module | Armin Kuster

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 | dm-verity-img.bbclass: add DM_VERITY_DEPLOY_DIR | Mikko Rapeli

If image recipe A wants to embed another image B which used dm-verity-img.bbclass and generated the .wks file, then recipe B must deploy everything to IMGDEPLOYDIR but recipe A finds the output from DM_VERITY_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}". Now both A and B images can use dm-verity-img.bbclass.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Reviewed-by: Erik Schilling <erik.schilling@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 | dm-verity-img.bbclass: remove IMAGE_NAME_SUFFIX | Erik Schilling

It is embedded into IMAGE_NAME since poky master branch commit 6f6c79029bc2020907295858449c725952d560a1.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Erik Schilling <erik.schilling@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 | dm-verity-img.bbclass: use bc-native | Erik Schilling

Build host may not have bc.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Erik Schilling <erik.schilling@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 | tpm2-tss: support native builds | Mikko Rapeli

systemd tool ukify (https://www.freedesktop.org/software/systemd/man/latest/ukify.html) depends on systemd-measure (https://www.freedesktop.org/software/systemd/man/latest/systemd-measure.html), which depends on tpm2-tss. So to support creating UKI images containing both kernel and initramfs with systemd-native, tpm2-tss support is needed for native too.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Reviewed-by: Erik Schilling <erik.schilling@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 | arpwatch: adjust CONFIGURE params to allow to build again. | Armin Kuster

Drop EXTRA_OECONF.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 | layers: Move READMEs to markdown format | Armin Kuster

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 | lynis: Update SRC_URI to improve updater | Armin Kuster

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 | python3-privacyidea: Update to 3.9.1 | Armin Kuster

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 | libhoth recipe update | Dawid Dabrowski

Changelog:

Dawid Dabrowski
      Add support for payload update protocol for generic Titan images.

Nick Nooney
      Add BUILD rules to support using libhoth with external tools.

Yoan Andreev
      Add spi passthrough enable and disable commands.
      Add arm_coordinated_reset.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 | libgssglue: update to 0.8 | Armin Kuster

LICENSE changed.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-11-08 | ima,evm: Add two variables to write filenames and signatures into | Stefan Berger

Add two variables IMA_FILE_SIGNATURES_FILE and EVM_FILE_SIGNATURES_FILE for filenames where the ima_evm_sign_rootfs script can write the names of files and their IMA or EVM signatures into. Both variables are optional.

The content of the file with IMA signatures may look like this:

    /usr/bin/gpiodetect ima:0x0302046730eefd...
    /usr/bin/pwscore ima:0x0302046730eefd004...

Having the filenames along with their signatures is useful for signing files in the initrd when the initrd is running out of a tmpfs filesystem that has support for xattrs. This allows enabling an IMA appraisal policy already in the initrd, where files must be signed as soon as the policy becomes active.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-11-08 | samhain: remove the buildpath | Mingli Yu

Fixes:

    WARNING: samhain-server-4.4.10-r0 do_package_qa: QA Issue: File /var/lib/samhain/samhain-install.sh in package samhain-server contains reference to TMPDIR [buildpaths]
    WARNING: samhain-server-4.4.10-r0 do_package_qa: QA Issue: File /usr/share/doc/samhain-server/scripts/samhain.ebuild-light in package samhain-server-doc contains reference to TMPDIR
    File /usr/share/doc/samhain-server/scripts/samhain.ebuild in package samhain-server-doc contains reference to TMPDIR [buildpaths]

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-11-03 | Update parsec recipes | Gowtham Suresh Kumar

Parsec-service and parsec-tool recipes have been updated to use 1.3.0 and 0.7.0 versions respectively.

Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-08 | fail2ban: add useful recommendations | Rasmus Villemoes

On a systemd-based system, one is likely to make use of 'backend=systemd', which requires the systemd module. Both the pyinotify and systemd backends require the distutils module.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-08 | fail2ban: change sqlite3 dependency to python3-sqlite3 | Rasmus Villemoes

Currently, one gets

    Unable to import fail2ban database module as sqlite is not available

So we need to ensure the sqlite3 python module is available. That will automatically pull in libsqlite3. Since fail2ban does not actually depend on the CLI which the sqlite3 package provides, drop that dependency.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-08 | fail2ban: add systemd support | Rasmus Villemoes

fail2ban ships with a suitable .service file, so install that if systemd is in DISTRO_FEATURES. The logic in rm_sysvinit_initddir in systemd.bbclass will then take care of removing the sysvinit script if sysvinit is not in DISTRO_FEATURES.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 | scap-security-guide: Drop Poky patch and update to tip | Armin Kuster

The Poky patch has been accepted.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 | libhoth: Update | John Broadbent

Changelog:

Royce Rajan
      0e3eec6 Claim + Release USB connection when running `htool console`
      b36ebfc bazel: Stamp Git commit as version
      fd90feb meson: Stamp Git commit as version
      ba1403d Add get/clear panic record commands (#30)

Chris Evans
      e34e9bd Update README.md for recently-added commands.

Daimeng Wang
      611381e htool: Implement authz_record read/erase/build/set
      aaed60f htool: Add authz_record command API
      ad68019 libhoth: MTD allows zero byte read

Pai Peng
      101f711 Add the 'statistics' command

Signed-off-by: John Broadbent <jebr@google.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 | lynis: Update to 3.0.9 | Armin Kuster

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 | swtpm: update 0.8.1 | Armin Kuster

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 | libhtp: update to 0.5.45 | Armin Kuster

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 | lkrg-module: update to 0.9.7 | Armin Kuster

LIC_FILES_CHKSUM changed due to year update.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 | python3-privacyidea: update to 3.8.1 | Armin Kuster

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 | openscap: update to 1.3.9 | Armin Kuster

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 | sssd: Update to 2.9.2 | Armin Kuster

Fixes musl build regarding time structs.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 | suricata: Update to 7.0.0 | Armin Kuster

Refresh patches; update libhtp.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-12 | suricata: fix build issue. | Armin Kuster

If you want to try to generate the lock file without accessing the network, remove the --frozen flag and use --offline instead.

Signed-off-by: Armin Kuster <akuster808@gmail.com>