-rw-r--r-- | classes/dm-verity-img.bbclass | 9 | ||||
-rw-r--r-- | meta-integrity/classes/kernel-modsign.bbclass | 2 | ||||
-rw-r--r-- | meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 27 | ||||
-rw-r--r-- | meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.2.bb (renamed from meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb) | 10 | ||||
-rw-r--r-- | recipes-mac/AppArmor/apparmor_3.0.4.bb | 2 | ||||
-rw-r--r-- | recipes-mac/smack/smack-test/notroot.py | 12 | ||||
-rw-r--r-- | recipes-mac/smack/smack-test/smack_test_file_access.sh | 10 | ||||
-rw-r--r-- | recipes-mac/smack/smack-test_1.0.bb | 2 | ||||
-rw-r--r-- | recipes-perl/perl/lib-perl_0.63.bb | 7 | ||||
-rw-r--r-- | recipes-scanners/clamav/clamav_0.104.0.bb | 2 | ||||
-rw-r--r-- | recipes-security/libmhash/libmhash_0.9.9.9.bb | 6 | ||||
-rw-r--r-- | recipes-security/mfa/python3-privacyidea_3.6.2.bb | 2 | ||||
-rw-r--r-- | recipes-security/sssd/sssd_2.5.2.bb | 4 |
13 files changed, 63 insertions, 32 deletions
diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass index 93f667d..e5946bc 100644 --- a/classes/dm-verity-img.bbclass +++ b/classes/dm-verity-img.bbclass @@ -63,7 +63,12 @@ verity_setup() { veritysetup --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity } -VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity" +VERITY_TYPES = " \ + ext2.verity ext3.verity ext4.verity \ + btrfs.verity \ + erofs.verity erofs-lz4.verity erofs-lz4hc.verity \ + squashfs.verity squashfs-xz.verity squashfs-lzo.verity squashfs-lz4.verity squashfs-zst.verity \ +" IMAGE_TYPES += "${VERITY_TYPES}" CONVERSIONTYPES += "verity" CONVERSION_CMD:verity = "verity_setup ${type}" @@ -90,6 +95,6 @@ python __anonymous() { # If we're using wic: we'll have to use partition images and not the rootfs # source plugin so add the appropriate dependency. if 'wic' in image_fstypes: - dep = ' %s:do_image_%s' % (pn, verity_type) + dep = ' %s:do_image_%s' % (pn, verity_type.replace("-", "_")) d.appendVarFlag('do_image_wic', 'depends', dep) } diff --git a/meta-integrity/classes/kernel-modsign.bbclass b/meta-integrity/classes/kernel-modsign.bbclass index 093c358..d3aa7fb 100644 --- a/meta-integrity/classes/kernel-modsign.bbclass +++ b/meta-integrity/classes/kernel-modsign.bbclass @@ -13,7 +13,9 @@ MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem" MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt" # If this class is enabled, disable stripping signatures from modules +# as well disable the debug symbols split INHIBIT_PACKAGE_STRIP = "1" +INHIBIT_PACKAGE_DEBUG_SPLIT = "1" kernel_do_configure:prepend() { if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py index c2c95e7..8e90dc9 100644 --- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py +++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py 
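Review bot: `verity_type.replace("-", "_")` in the wic dependency is the only place the newly hyphenated types (`erofs-lz4`, `squashfs-xz`, …) are mapped to a task name; if the image-type loop or any other `do_image_<type>` reference in `__anonymous` (outside this hunk) still uses the raw name, it needs the same mapping, and a short comment on the changed line would document the convention, e.g. `# task names use '_' where the image type name has '-'`. Separately, adding squashfs/erofs variants makes it worth confirming that the `--hash-offset=$SIZE` passed to `veritysetup` (SIZE is computed above the hunk, not visible here) stays aligned to the hash block size for these image types, since I believe veritysetup rejects an unaligned hash offset; both points are inferences from the visible lines.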
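Review bot: The added comment line `# as well disable the debug symbols split` reads awkwardly and does not say why the split matters for signed modules. Suggest rewording the two-line comment to `# If this class is enabled, disable stripping signatures from modules` / `# and the debug-symbol split, since both would rewrite the .ko files after signing`; the causal clause is my inference from the signing happening during the kernel build (the `kernel_do_configure:prepend` below only checks for the key files), so confirm it before adopting the wording.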
@@ -1,11 +1,21 @@ -# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> +# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com> # from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends from oeqa.runtime.decorator.package import OEHasPackage - +from oeqa.core.decorator.data import skipIfNotFeature class Tpm2Test(OERuntimeTestCase): + @classmethod + def setUpClass(cls): + cls.tc.target.run('swtpm_ioctl -s --tcp :2322') + cls.tc.target.run('mkdir /tmp/myvtpm2') + + @classmethod + def tearDownClass(cls): + cls.tc.target.run('swtpm_ioctl -s --tcp :2322') + cls.tc.target.run('rm -fr /tmp/myvtpm2') + def check_endlines(self, results, expected_endlines): for line in results.splitlines(): for el in expected_endlines: @@ -19,20 +29,19 @@ class Tpm2Test(OERuntimeTestCase): @OEHasPackage(['tpm2-tools']) @OEHasPackage(['tpm2-abrmd']) @OEHasPackage(['swtpm']) + @skipIfNotFeature('tpm2','Test tpm2_startup requires tpm2 to be in DISTRO_FEATURES') @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_tpm2_swtpm_socket(self): + def test_tpm2_startup(self): cmds = [ - 'mkdir /tmp/myvtpm', - 'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &', - 'export TPM2TOOLS_TCTI="swtpm:port=2321"', - 'tpm2_startup -c' + 'swtpm socket -d --tpmstate dir=/tmp/myvtpm2 --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init', + 'tpm2_startup -c -T "swtpm:port=2321"', ] for cmd in cmds: status, output = self.target.run(cmd) self.assertEqual(status, 0, msg='\n'.join([cmd, output])) - @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket']) + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_startup']) def test_tpm2_pcrread(self): (status, output) = self.target.run('tpm2_pcrread') expected_endlines = [] 
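Review bot: `setUpClass` discards the status of both `cls.tc.target.run` calls, so a failing `mkdir /tmp/myvtpm2` (for instance a stale directory left by an earlier aborted run, which `tearDownClass` only removes on a clean exit) goes unnoticed until `swtpm socket` fails inside `test_tpm2_startup` with a less direct message. Suggest `status, output = cls.tc.target.run('mkdir -p /tmp/myvtpm2')` followed by `if status != 0: raise RuntimeError(output)`. The `swtpm_ioctl -s --tcp :2322` in setUpClass is presumably there to stop an emulator left over from a previous run; a one-line comment such as `# stop any swtpm still listening on the control port from a previous run` would make that explicit, and the same applies in tearDownClass. The emulator started in `test_tpm2_startup` listens on fixed TCP ports 2321/2322 without an explicit bind address; if swtpm's default is not loopback-only, a comment stating the intended exposure on the test target would be useful.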
@@ -49,7 +58,7 @@ class Tpm2Test(OERuntimeTestCase): @OEHasPackage(['p11-kit']) @OEHasPackage(['tpm2-pkcs11']) - @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket']) + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pcrread']) def test_tpm2_pkcs11(self): (status, output) = self.target.run('p11-kit list-modules -v') self.assertEqual(status, 0, msg="Modules missing: %s" % output) diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.2.bb index 8440bb9..4d2c911 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.2.bb @@ -10,7 +10,7 @@ SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN file://fixup_hosttools.patch \ " -SRC_URI[sha256sum] = "48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912" +SRC_URI[sha256sum] = "ba9e52117f254f357ff502e7d60fce652b3bfb26327d236bbf5ab634235e40f1" inherit autotools pkgconfig systemd useradd @@ -26,11 +26,6 @@ USERADD_PACKAGES = "${PN}" GROUPADD_PARAM:${PN} = "--system tss" USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" -do_configure:prepend() { - # do not extract the version number from git - sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac -} - do_install:append() { # Remove /run as it is created on startup rm -rf ${D}/run @@ -93,3 +88,6 @@ FILES:${PN} = "\ ${sysconfdir}/sysusers.d" RDEPENDS:libtss2 = "libgcrypt" + +# This is patched in 3.2.2, NVD DB was not updated to reflect this backport +CVE_CHECK_IGNORE += "CVE-2023-22745" diff --git a/recipes-mac/AppArmor/apparmor_3.0.4.bb b/recipes-mac/AppArmor/apparmor_3.0.4.bb index 046a3a0..896abfe 100644 --- a/recipes-mac/AppArmor/apparmor_3.0.4.bb +++ b/recipes-mac/AppArmor/apparmor_3.0.4.bb 
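Review bot: The new `CVE_CHECK_IGNORE += "CVE-2023-22745"` is justified only by a prose comment, so a later maintainer cannot tell whether the suppression is still valid after the next version bump. The comment should name the upstream fix it refers to, e.g. `# Fixed upstream in 3.2.2 (backport: <upstream commit or release-note URL>); NVD still lists 3.2.2 as affected`, so the ignore can be revisited once NVD is updated. The removal of the `do_configure:prepend` sed is fine provided the 3.2.2 tarball's configure.ac no longer calls `git describe`; that belongs in the commit message rather than the recipe.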
@@ -101,6 +101,8 @@ do_install () { if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd fi + chown root:root -R ${D}/${sysconfdir}/apparmor.d + chown root:root -R ${D}/${datadir}/apparmor } #Building ptest on arm fails. diff --git a/recipes-mac/smack/smack-test/notroot.py b/recipes-mac/smack/smack-test/notroot.py index f0eb0b5..89f83f4 100644 --- a/recipes-mac/smack/smack-test/notroot.py +++ b/recipes-mac/smack/smack-test/notroot.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # # Script used for running executables with custom labels, as well as custom uid/gid # Process label is changed by writing to /proc/self/attr/curent @@ -9,8 +9,8 @@ # """By default, each user in Debian GNU/Linux is given a corresponding group # with the same name. """ # -# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..] -# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 +# Usage: root@desk:~# python3 notroot.py <uid> <label> <full_path_to_executable> [arguments ..] +# eg: python3 notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 # # Author: Alexandru Cornea <alexandru.cornea@intel.com> import os @@ -28,6 +28,6 @@ try: os.setuid(uid) os.execv(path,sys.argv) -except Exception,e: - print e.message - sys.exit(1) +except Exception as e: + print(e.strerror) + sys.exit(-1) diff --git a/recipes-mac/smack/smack-test/smack_test_file_access.sh b/recipes-mac/smack/smack-test/smack_test_file_access.sh index 5a0ce84..598f1df 100644 --- a/recipes-mac/smack/smack-test/smack_test_file_access.sh +++ b/recipes-mac/smack/smack-test/smack_test_file_access.sh 
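Review bot: The two `chown root:root -R` lines paper over whichever install step produced non-root ownership under `${D}`; since `do_install` runs under pseudo, files created with `install` are already root-owned, so the misowned files presumably come from a copy or `make install` step above the hunk (the function's start is outside it). If so, fixing that copy (`install`, or `cp` without preserving ownership) is more targeted than a recursive chown of two trees, and a comment naming the offending step would help either way. Also drop the doubled slash for consistency with the rest of the file: `chown -R root:root ${D}${sysconfdir}/apparmor.d` and `chown -R root:root ${D}${datadir}/apparmor`.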
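Review bot: `print(e.strerror)` assumes every exception caught by the broad `except Exception` is an `OSError`; the visible `os.setuid`/`os.execv` calls do raise `OSError`, but the `try` body starts above the hunk, and if it also parses argv or writes the label file a `ValueError`/`IndexError` there has no `strerror`, turning the handler itself into an uncaught `AttributeError`. Suggest `print(getattr(e, 'strerror', None) or str(e), file=sys.stderr)` so the message reaches stderr (callers in smack_test_file_access.sh redirect stdout into the test file or pipe it to grep) and `sys.exit(1)`, since `sys.exit(-1)` becomes exit status 255 and the Python 2 version exited with 1. The unchanged `os.execv(path,sys.argv)` passes the script's own argv to the target unless argv is re-sliced above the hunk; a comment on that line stating which arguments the target receives would remove the doubt.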
@@ -8,7 +8,7 @@ CAT=`which cat` ECHO=`which echo` uid=1000 initial_label=`cat /proc/self/attr/current` -python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file +python3 $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file chsmack -a "TheOther" $test_file # 12345678901234567890123456789012345678901234567890123456 @@ -17,7 +17,7 @@ rule_ro="TheOne TheOther r----" # Remove pre-existent rules for "TheOne TheOther <access>" echo -n "$delrule" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? +python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? if [ $RC -ne 0 ]; then echo "Process with different label than the test file and no read access on it can read it" exit $RC @@ -25,7 +25,7 @@ fi # adding read access echo -n "$rule_ro" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? if [ $RC -ne 0 ]; then echo "Process with different label than the test file but with read access on it cannot read it" exit $RC @@ -36,7 +36,7 @@ echo -n "$delrule" > $SMACK_PATH/load # changing label of test file to * # according to SMACK documentation, read access on a * object is always permitted chsmack -a '*' $test_file -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? if [ $RC -ne 0 ]; then echo "Process cannot read file with * label" exit $RC 
@@ -45,7 +45,7 @@ fi # changing subject label to * # according to SMACK documentation, every access requested by a star labeled subject is rejected TOUCH=`which touch` -python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 +python3 $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$? if [ $RC -ne 0 ];then echo "Process with label '*' should not have any access" diff --git a/recipes-mac/smack/smack-test_1.0.bb b/recipes-mac/smack/smack-test_1.0.bb index d7824ae..3ab57c6 100644 --- a/recipes-mac/smack/smack-test_1.0.bb +++ b/recipes-mac/smack/smack-test_1.0.bb @@ -22,4 +22,4 @@ do_install() { install -m 0755 *.sh ${D}${sbindir} } -RDEPENDS:${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test" +RDEPENDS:${PN} = "smack python3-core mmap-smack-test tcp-smack-test udp-smack-test" diff --git a/recipes-perl/perl/lib-perl_0.63.bb b/recipes-perl/perl/lib-perl_0.63.bb index 4c964d5..25d0890 100644 --- a/recipes-perl/perl/lib-perl_0.63.bb +++ b/recipes-perl/perl/lib-perl_0.63.bb @@ -26,3 +26,10 @@ do_compile() { export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')" cpan_do_compile } + +do_install:append() { + # Man pages here conflict wtih the main perl documentation + for page in ${D}${mandir}/man*/*; do + mv $page $(dirname $page)/${BPN}-$(basename $page) + done +} diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb index 3bcb5eb..18e8329 100644 --- a/recipes-scanners/clamav/clamav_0.104.0.bb +++ b/recipes-scanners/clamav/clamav_0.104.0.bb 
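Review bot: The `for page in ${D}${mandir}/man*/*` loop in the new `do_install:append` breaks when the package installs no man page: with nothing to match, the shell passes the literal glob to `mv`, which fails and aborts `do_install`. Guard it and quote the paths: `for page in ${D}${mandir}/man*/*; do` / `[ -e "$page" ] || continue` / `mv "$page" "$(dirname "$page")/${BPN}-$(basename "$page")"`. The comment also has a typo, `wtih` → `with`.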
@@ -56,7 +56,7 @@ export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_li do_install:append () { install -d ${D}/${sysconfdir} - install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav + install -d -o ${PN} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir} diff --git a/recipes-security/libmhash/libmhash_0.9.9.9.bb b/recipes-security/libmhash/libmhash_0.9.9.9.bb index 35c5ff8..cd465e4 100644 --- a/recipes-security/libmhash/libmhash_0.9.9.9.bb +++ b/recipes-security/libmhash/libmhash_0.9.9.9.bb @@ -23,7 +23,11 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mhash/mhash-${PV}.tar.bz2 \ SRC_URI[md5sum] = "f91c74f9ccab2b574a98be5bc31eb280" SRC_URI[sha256sum] = "56521c52a9033779154432d0ae47ad7198914785265e1f570cee21ab248dfef0" -inherit autotools-brokensep ptest +inherit autotools-brokensep ptest multilib_header + +do_install:append () { + oe_multilib_header mutils/mhash_config.h +} do_compile_ptest() { if [ ! -d ${S}/demo ]; then mkdir ${S}/demo; fi diff --git a/recipes-security/mfa/python3-privacyidea_3.6.2.bb b/recipes-security/mfa/python3-privacyidea_3.6.2.bb index 40f6d15..8b6af5e 100644 --- a/recipes-security/mfa/python3-privacyidea_3.6.2.bb +++ b/recipes-security/mfa/python3-privacyidea_3.6.2.bb @@ -19,7 +19,7 @@ GROUPADD_PARAM:${PN} = "--system privacyidea" USERADD_PARAM:${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \ --shell /bin/false privacyidea" -FILES:${PN} += " ${prefix}/etc/privacyidea/* ${datadir}/lib/privacyidea/*" +FILES:${PN} += " ${prefix}/etc/privacyidea/* ${prefix}/lib/privacyidea/*" RDEPENDS:${PN} += " bash perl freeradius-mysql freeradius-utils" diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb index 9f1d627..4c75e0a 100644 --- a/recipes-security/sssd/sssd_2.5.2.bb +++ b/recipes-security/sssd/sssd_2.5.2.bb 
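Review bot: The ownership spec on the changed `install -d` line is now mixed: the owner is given by name (`${PN}`) while the group stays numeric (`${CLAMAV_GID}`), so the owner depends on the `clamav` user being resolvable under pseudo at do_install time (the useradd inherit and GROUPADD/USERADD parameters are outside the hunk) while the group is taken on trust. If the group is created with the same name, `-g ${PN}` keeps both resolved the same way; otherwise a comment such as `# owner by name (useradd), group by fixed id: CLAMAV_GID must match GROUPADD_PARAM` would record why they differ.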
@@ -28,6 +28,10 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f" +CVE_CHECK_IGNORE += "\ + CVE-2018-16838 \ +" + inherit autotools pkgconfig gettext python3-dir features_check systemd REQUIRED_DISTRO_FEATURES = "pam" |
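Review bot: `CVE_CHECK_IGNORE += "CVE-2018-16838"` is added without any justification, so cve-check will silently drop this report in every future build of the recipe. Add a comment stating why it does not apply, e.g. `# CVE-2018-16838: <reason — fixed in this version or not applicable to this configuration>, see <upstream advisory or fix reference>`, so the ignore can be re-evaluated on the next version bump. If the layer's bitbake supports it, `CVE_STATUS` with a status keyword would carry the same information in a structured form.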