diff options
Diffstat (limited to 'meta-security')
135 files changed, 1429 insertions, 2473 deletions
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml index 762ba66e1..a4137cb0e 100644 --- a/meta-security/.gitlab-ci.yml +++ b/meta-security/.gitlab-ci.yml @@ -17,7 +17,6 @@ stages: - base - parsec - - multi - musl - test @@ -35,14 +34,6 @@ stages: after_script: - *after-my-script - -.multi: - before_script: - - *before-my-script - stage: multi - after_script: - - *after-my-script - .musl: before_script: - *before-my-script @@ -97,12 +88,6 @@ qemux86-64-parsec: script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemux86-64-multi: - extends: .multi - needs: ['qemux86-64'] - script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml - qemuarm: extends: .base script: @@ -120,12 +105,6 @@ qemuarm64: - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal" - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml -qemuarm64-multi: - extends: .multi - needs: ['qemuarm64'] - script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml - qemuarm64-musl: extends: .musl needs: ['qemuarm64'] @@ -138,28 +117,11 @@ qemuarm64-parsec: script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemuppc: - extends: .base - script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml - -qemuppc-parsec: - extends: .parsec - needs: ['qemuppc'] - script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml - qemumips64: extends: .base script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemumips64-multi: - extends: .multi - needs: ['qemumips64'] - script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml - qemuriscv64: extends: .base script: diff --git a/meta-security/README b/meta-security/README index 4047b86c3..081669f6b 100644 --- a/meta-security/README +++ b/meta-security/README @@ -5,7 +5,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in this layer need to have 'security' in DISTRO_FEATURES to have effect. To enable them, add in configuration file the following line. - DISTRO_FEATURES_append = " security" + DISTRO_FEATURES:append = " security" If meta-security is included, but security is not enabled as a distro feature a warning is printed at parse time: diff --git a/meta-security/conf/distro/include/maintainers.inc b/meta-security/conf/distro/include/maintainers.inc index e02b9037d..f623d7058 100644 --- a/meta-security/conf/distro/include/maintainers.inc +++ b/meta-security/conf/distro/include/maintainers.inc @@ -16,42 +16,42 @@ # # The format is as a bitbake variable override for each recipe # -# RECIPE_MAINTAINER_pn-<recipe name> = "Full Name <address@domain>" +# RECIPE_MAINTAINER:pn-<recipe name> = "Full Name <address@domain>" # # Please keep this list in alphabetical order. -RECIPE_MAINTAINER_pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-apparmor = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-bastille = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-buck-security = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-ccs-tools = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-checksec = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-checksecurity = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-clamav = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-ding-libs = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-ecryptfs-utils = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-fscryptctl = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-google-authenticator-libpam = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-hash-perl = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-isic = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-keyutils = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-libaes-siv = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-libgssglue = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-libhtp = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-libmhash = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-libmspack = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-lib-perl = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-libseccomp = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-libwhisker2-perl = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-ncrack = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-nikto = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-paxctl = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-python3-fail2ban = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-python3-scapy = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-python-fail2ban = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-python-scapy = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-redhat-security = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-samhain = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-smack = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-sssd = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-suricata = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-tripwire = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-apparmor = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-bastille = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-buck-security = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-ccs-tools = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-checksec = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-checksecurity = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-clamav = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-ding-libs = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-ecryptfs-utils = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-fscryptctl = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-google-authenticator-libpam = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-hash-perl = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-isic = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-keyutils = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-libaes-siv = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-libgssglue = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-libhtp = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-libmhash = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-libmspack = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-lib-perl = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-libseccomp = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-libwhisker2-perl = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-ncrack = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-nikto = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-paxctl = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-python3-fail2ban = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-python3-scapy = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-python-fail2ban = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-python-scapy = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-redhat-security = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-samhain = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-smack = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-sssd = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-suricata = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-tripwire = "Armin Kuster <akuster808@gmail.com>" diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 7853d6e8e..cdcfaeec7 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "security" BBFILE_PATTERN_security = "^${LAYERDIR}/" BBFILE_PRIORITY_security = "8" -LAYERSERIES_COMPAT_security = "hardknott" +LAYERSERIES_COMPAT_security = "honister" LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb index 38dece9b1..2a0c93ccc 100644 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb +++ b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb @@ -23,5 +23,5 @@ do_configure () { oe_runconf } -RDEPENDS_${PN} += "zlib" +RDEPENDS:${PN} += "zlib" diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc index 7d3509aa9..5754617fb 100644 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc +++ b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc @@ -1,3 +1,5 @@ HOMEPAGE = "http://suricata-ids.org/" SECTION = "security Monitor/Admin" LICENSE = "GPLv2" + +COMPATIBLE_HOST:powerpc = 'null' diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb index 632f1d874..ca9e03e32 100644 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb +++ b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb @@ -122,7 +122,7 @@ CARGO_SRC_DIR = "rust" B = "${S}" PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr " -PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" +PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ," @@ -143,7 +143,7 @@ export logdir = "${localstatedir}/log" CACHED_CONFIGUREVARS = "ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes" -do_configure_prepend () { +do_configure:prepend () { oe_runconf } @@ -189,7 +189,7 @@ do_install () { sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl } -pkg_postinst_ontarget_${PN} () { +pkg_postinst_ontarget:${PN} () { if command -v systemd-tmpfiles >/dev/null; then systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then @@ -200,7 +200,7 @@ fi SYSTEMD_PACKAGES = "${PN}" PACKAGES =+ "${PN}-python" -FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d" -FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" +FILES:${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d" +FILES:${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" -CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml" +CONFFILES:${PN} = "${sysconfdir}/suricata/suricata.yaml" diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch b/meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch new file mode 100644 index 000000000..9b08cb5ce --- /dev/null +++ b/meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch @@ -0,0 +1,16 @@ +Upstream-Status: OE specific +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: git/Cargo.toml +=================================================================== +--- git.orig/Cargo.toml ++++ git/Cargo.toml +@@ -71,7 +71,7 @@ static-openssl = [ "openssl/vendored" ] + # Make sure that Krill crashes on panics, rather than losing threads and + # limping on in a bad state. + [profile.release] +-panic = "abort" ++#panic = "abort" + + [dev-dependencies] + # for user management diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc b/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc new file mode 100644 index 000000000..f86468b96 --- /dev/null +++ b/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc @@ -0,0 +1,325 @@ +# please note if you have entries that do not begin with crate:// +# you must change them to how that package can be fetched +SRC_URI += " \ + crate://crates.io/addr2line/0.14.1 \ + crate://crates.io/adler/1.0.2 \ + crate://crates.io/adler32/1.2.0 \ + crate://crates.io/aho-corasick/0.7.15 \ + crate://crates.io/ansi_term/0.11.0 \ + crate://crates.io/ansi_term/0.12.1 \ + crate://crates.io/arrayref/0.3.6 \ + crate://crates.io/arrayvec/0.5.2 \ + crate://crates.io/ascii-canvas/2.0.0 \ + crate://crates.io/ascii/1.0.0 \ + crate://crates.io/atty/0.2.14 \ + crate://crates.io/autocfg/0.1.7 \ + crate://crates.io/autocfg/1.0.1 \ + crate://crates.io/backtrace/0.3.56 \ + crate://crates.io/base64/0.10.1 \ + crate://crates.io/base64/0.12.3 \ + crate://crates.io/base64/0.13.0 \ + crate://crates.io/basic-cookies/0.1.4 \ + crate://crates.io/bcder/0.5.1 \ + crate://crates.io/bit-set/0.5.2 \ + crate://crates.io/bit-vec/0.6.3 \ + crate://crates.io/bitflags/1.2.1 \ + crate://crates.io/blake2b_simd/0.5.11 \ + crate://crates.io/block-buffer/0.9.0 \ + crate://crates.io/bumpalo/3.6.1 \ + crate://crates.io/byteorder/1.4.3 \ + crate://crates.io/bytes/0.4.12 \ + crate://crates.io/bytes/0.5.6 \ + crate://crates.io/bytes/1.0.1 \ + crate://crates.io/cc/1.0.67 \ + crate://crates.io/cfg-if/0.1.10 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/chrono/0.4.19 \ + crate://crates.io/chunked_transfer/1.4.0 \ + crate://crates.io/cipher/0.2.5 \ + crate://crates.io/clap/2.33.3 \ + crate://crates.io/clokwerk/0.3.4 \ + crate://crates.io/cloudabi/0.0.3 \ + crate://crates.io/constant_time_eq/0.1.5 \ + crate://crates.io/cookie/0.12.0 \ + crate://crates.io/cookie_store/0.7.0 \ + crate://crates.io/core-foundation-sys/0.8.2 \ + crate://crates.io/core-foundation/0.9.1 \ + crate://crates.io/cpuid-bool/0.1.2 \ + crate://crates.io/crc32fast/1.2.1 \ + crate://crates.io/crossbeam-deque/0.7.3 \ + crate://crates.io/crossbeam-epoch/0.8.2 \ + crate://crates.io/crossbeam-queue/0.2.3 \ + crate://crates.io/crossbeam-utils/0.7.2 \ + crate://crates.io/crossbeam-utils/0.8.3 \ + crate://crates.io/crunchy/0.2.2 \ + crate://crates.io/crypto-mac/0.10.0 \ + crate://crates.io/ctrlc/3.1.9 \ + crate://crates.io/deunicode/0.4.3 \ + crate://crates.io/diff/0.1.12 \ + crate://crates.io/digest/0.9.0 \ + crate://crates.io/dirs/1.0.5 \ + crate://crates.io/dtoa/0.4.8 \ + crate://crates.io/either/1.6.1 \ + crate://crates.io/ena/0.14.0 \ + crate://crates.io/encoding_rs/0.8.28 \ + crate://crates.io/error-chain/0.11.0 \ + crate://crates.io/failure/0.1.8 \ + crate://crates.io/failure_derive/0.1.8 \ + crate://crates.io/fern/0.5.9 \ + crate://crates.io/fixedbitset/0.2.0 \ + crate://crates.io/flate2/1.0.20 \ + crate://crates.io/fnv/1.0.7 \ + crate://crates.io/foreign-types-shared/0.1.1 \ + crate://crates.io/foreign-types/0.3.2 \ + crate://crates.io/form_urlencoded/1.0.1 \ + crate://crates.io/fuchsia-cprng/0.1.1 \ + crate://crates.io/fuchsia-zircon-sys/0.3.3 \ + crate://crates.io/fuchsia-zircon/0.3.3 \ + crate://crates.io/futures-channel/0.3.14 \ + crate://crates.io/futures-core/0.3.14 \ + crate://crates.io/futures-cpupool/0.1.8 \ + crate://crates.io/futures-executor/0.3.14 \ + crate://crates.io/futures-io/0.3.14 \ + crate://crates.io/futures-macro/0.3.14 \ + crate://crates.io/futures-sink/0.3.14 \ + crate://crates.io/futures-task/0.3.14 \ + crate://crates.io/futures-util/0.3.14 \ + crate://crates.io/futures/0.1.31 \ + crate://crates.io/futures/0.3.14 \ + crate://crates.io/generic-array/0.14.4 \ + crate://crates.io/getrandom/0.1.16 \ + crate://crates.io/getrandom/0.2.2 \ + crate://crates.io/gimli/0.23.0 \ + crate://crates.io/h2/0.1.26 \ + crate://crates.io/h2/0.2.7 \ + crate://crates.io/hashbrown/0.9.1 \ + crate://crates.io/hermit-abi/0.1.18 \ + crate://crates.io/hex/0.4.3 \ + crate://crates.io/hmac/0.10.1 \ + crate://crates.io/http-body/0.1.0 \ + crate://crates.io/http-body/0.3.1 \ + crate://crates.io/http/0.1.21 \ + crate://crates.io/http/0.2.4 \ + crate://crates.io/httparse/1.3.6 \ + crate://crates.io/httpdate/0.3.2 \ + crate://crates.io/hyper-tls/0.3.2 \ + crate://crates.io/hyper-tls/0.4.3 \ + crate://crates.io/hyper/0.12.36 \ + crate://crates.io/hyper/0.13.10 \ + crate://crates.io/idna/0.1.5 \ + crate://crates.io/idna/0.2.2 \ + crate://crates.io/impl-trait-for-tuples/0.2.1 \ + crate://crates.io/indexmap/1.6.2 \ + crate://crates.io/intervaltree/0.2.6 \ + crate://crates.io/iovec/0.1.4 \ + crate://crates.io/ipnet/2.3.0 \ + crate://crates.io/itertools/0.10.0 \ + crate://crates.io/itertools/0.9.0 \ + crate://crates.io/itoa/0.4.7 \ + crate://crates.io/jmespatch/0.3.0 \ + crate://crates.io/js-sys/0.3.50 \ + crate://crates.io/kernel32-sys/0.2.2 \ + crate://crates.io/lalrpop-util/0.19.5 \ + crate://crates.io/lalrpop/0.19.5 \ + crate://crates.io/lazy_static/1.4.0 \ + crate://crates.io/libc/0.2.93 \ + crate://crates.io/libflate/1.0.4 \ + crate://crates.io/libflate_lz77/1.0.0 \ + crate://crates.io/lock_api/0.3.4 \ + crate://crates.io/log/0.4.14 \ + crate://crates.io/maplit/1.0.2 \ + crate://crates.io/matchers/0.0.1 \ + crate://crates.io/matches/0.1.8 \ + crate://crates.io/maybe-uninit/2.0.0 \ + crate://crates.io/memchr/2.3.4 \ + crate://crates.io/memoffset/0.5.6 \ + crate://crates.io/mime/0.3.16 \ + crate://crates.io/mime_guess/2.0.3 \ + crate://crates.io/miniz_oxide/0.4.4 \ + crate://crates.io/mio/0.6.23 \ + crate://crates.io/miow/0.2.2 \ + crate://crates.io/native-tls/0.2.7 \ + crate://crates.io/net2/0.2.37 \ + crate://crates.io/new_debug_unreachable/1.0.4 \ + crate://crates.io/nix/0.20.0 \ + crate://crates.io/num-integer/0.1.44 \ + crate://crates.io/num-traits/0.2.14 \ + crate://crates.io/num_cpus/1.13.0 \ + crate://crates.io/oauth2/4.0.0 \ + crate://crates.io/object/0.23.0 \ + crate://crates.io/once_cell/1.7.2 \ + crate://crates.io/opaque-debug/0.3.0 \ + crate://crates.io/openidconnect/2.0.0 \ + crate://crates.io/openssl-probe/0.1.2 \ + crate://crates.io/openssl-src/111.15.0+1.1.1k \ + crate://crates.io/openssl-sys/0.9.61 \ + crate://crates.io/openssl/0.10.33 \ + crate://crates.io/ordered-float/1.1.1 \ + crate://crates.io/oso/0.12.0 \ + crate://crates.io/parking_lot/0.9.0 \ + crate://crates.io/parking_lot_core/0.6.2 \ + crate://crates.io/pbkdf2/0.7.5 \ + crate://crates.io/percent-encoding/1.0.1 \ + crate://crates.io/percent-encoding/2.1.0 \ + crate://crates.io/petgraph/0.5.1 \ + crate://crates.io/phf_shared/0.8.0 \ + crate://crates.io/pico-args/0.4.0 \ + crate://crates.io/pin-project-internal/1.0.6 \ + crate://crates.io/pin-project-lite/0.1.12 \ + crate://crates.io/pin-project-lite/0.2.6 \ + crate://crates.io/pin-project/1.0.6 \ + crate://crates.io/pin-utils/0.1.0 \ + crate://crates.io/pkg-config/0.3.19 \ + crate://crates.io/polar-core/0.12.0 \ + crate://crates.io/ppv-lite86/0.2.10 \ + crate://crates.io/precomputed-hash/0.1.1 \ + crate://crates.io/proc-macro-hack/0.5.19 \ + crate://crates.io/proc-macro-nested/0.1.7 \ + crate://crates.io/proc-macro2/1.0.26 \ + crate://crates.io/publicsuffix/1.5.6 \ + crate://crates.io/quick-xml/0.19.0 \ + crate://crates.io/quote/1.0.9 \ + crate://crates.io/rand/0.6.5 \ + crate://crates.io/rand/0.7.3 \ + crate://crates.io/rand/0.8.3 \ + crate://crates.io/rand_chacha/0.1.1 \ + crate://crates.io/rand_chacha/0.2.2 \ + crate://crates.io/rand_chacha/0.3.0 \ + crate://crates.io/rand_core/0.3.1 \ + crate://crates.io/rand_core/0.4.2 \ + crate://crates.io/rand_core/0.5.1 \ + crate://crates.io/rand_core/0.6.2 \ + crate://crates.io/rand_hc/0.1.0 \ + crate://crates.io/rand_hc/0.2.0 \ + crate://crates.io/rand_hc/0.3.0 \ + crate://crates.io/rand_isaac/0.1.1 \ + crate://crates.io/rand_jitter/0.1.4 \ + crate://crates.io/rand_os/0.1.3 \ + crate://crates.io/rand_pcg/0.1.2 \ + crate://crates.io/rand_xorshift/0.1.1 \ + crate://crates.io/rdrand/0.4.0 \ + crate://crates.io/redox_syscall/0.1.57 \ + crate://crates.io/redox_syscall/0.2.5 \ + crate://crates.io/redox_users/0.3.5 \ + crate://crates.io/regex-automata/0.1.9 \ + crate://crates.io/regex-syntax/0.6.23 \ + crate://crates.io/regex/1.4.5 \ + crate://crates.io/remove_dir_all/0.5.3 \ + crate://crates.io/reqwest/0.10.10 \ + crate://crates.io/reqwest/0.9.24 \ + crate://crates.io/ring/0.16.20 \ + crate://crates.io/rle-decode-fast/1.0.1 \ + crate://crates.io/rpassword/5.0.1 \ + crate://crates.io/rpki/0.10.1 \ + crate://crates.io/rust-argon2/0.8.3 \ + crate://crates.io/rustc-demangle/0.1.18 \ + crate://crates.io/rustc_version/0.2.3 \ + crate://crates.io/rustls/0.18.1 \ + crate://crates.io/ryu/1.0.5 \ + crate://crates.io/salsa20/0.7.2 \ + crate://crates.io/schannel/0.1.19 \ + crate://crates.io/scopeguard/1.1.0 \ + crate://crates.io/scrypt/0.6.5 \ + crate://crates.io/sct/0.6.1 \ + crate://crates.io/security-framework-sys/2.2.0 \ + crate://crates.io/security-framework/2.2.0 \ + crate://crates.io/semver-parser/0.7.0 \ + crate://crates.io/semver/0.9.0 \ + crate://crates.io/serde-value/0.6.0 \ + crate://crates.io/serde/1.0.125 \ + crate://crates.io/serde_derive/1.0.125 \ + crate://crates.io/serde_json/1.0.64 \ + crate://crates.io/serde_path_to_error/0.1.4 \ + crate://crates.io/serde_urlencoded/0.5.5 \ + crate://crates.io/serde_urlencoded/0.7.0 \ + crate://crates.io/sha2/0.9.3 \ + crate://crates.io/sharded-slab/0.1.1 \ + crate://crates.io/siphasher/0.3.5 \ + crate://crates.io/slab/0.4.2 \ + crate://crates.io/slug/0.1.4 \ + crate://crates.io/smallvec/0.6.14 \ + crate://crates.io/smallvec/1.6.1 \ + crate://crates.io/socket2/0.3.19 \ + crate://crates.io/spin/0.5.2 \ + crate://crates.io/string/0.2.1 \ + crate://crates.io/string_cache/0.8.1 \ + crate://crates.io/strsim/0.8.0 \ + crate://crates.io/subtle/2.4.0 \ + crate://crates.io/syn/1.0.69 \ + crate://crates.io/synstructure/0.12.4 \ + crate://crates.io/syslog/4.0.1 \ + crate://crates.io/tempfile/3.2.0 \ + crate://crates.io/term/0.5.2 \ + crate://crates.io/textwrap/0.11.0 \ + crate://crates.io/thiserror-impl/1.0.24 \ + crate://crates.io/thiserror/1.0.24 \ + crate://crates.io/thread_local/1.1.3 \ + crate://crates.io/time/0.1.44 \ + crate://crates.io/tiny-keccak/2.0.2 \ + crate://crates.io/tiny_http/0.8.0 \ + crate://crates.io/tinyvec/1.2.0 \ + crate://crates.io/tinyvec_macros/0.1.0 \ + crate://crates.io/tokio-buf/0.1.1 \ + crate://crates.io/tokio-current-thread/0.1.7 \ + crate://crates.io/tokio-executor/0.1.10 \ + crate://crates.io/tokio-io/0.1.13 \ + crate://crates.io/tokio-macros/0.2.6 \ + crate://crates.io/tokio-reactor/0.1.12 \ + crate://crates.io/tokio-rustls/0.14.1 \ + crate://crates.io/tokio-sync/0.1.8 \ + crate://crates.io/tokio-tcp/0.1.4 \ + crate://crates.io/tokio-threadpool/0.1.18 \ + crate://crates.io/tokio-timer/0.2.13 \ + crate://crates.io/tokio-tls/0.3.1 \ + crate://crates.io/tokio-util/0.3.1 \ + crate://crates.io/tokio/0.1.22 \ + crate://crates.io/tokio/0.2.25 \ + crate://crates.io/toml/0.5.8 \ + crate://crates.io/tower-service/0.3.1 \ + crate://crates.io/tracing-attributes/0.1.15 \ + crate://crates.io/tracing-core/0.1.17 \ + crate://crates.io/tracing-futures/0.2.5 \ + crate://crates.io/tracing-log/0.1.2 \ + crate://crates.io/tracing-serde/0.1.2 \ + crate://crates.io/tracing-subscriber/0.2.17 \ + crate://crates.io/tracing/0.1.25 \ + crate://crates.io/try-lock/0.2.3 \ + crate://crates.io/try_from/0.3.2 \ + crate://crates.io/typenum/1.13.0 \ + crate://crates.io/unicase/2.6.0 \ + crate://crates.io/unicode-bidi/0.3.5 \ + crate://crates.io/unicode-normalization/0.1.17 \ + crate://crates.io/unicode-width/0.1.8 \ + crate://crates.io/unicode-xid/0.2.1 \ + crate://crates.io/untrusted/0.7.1 \ + crate://crates.io/unwrap/1.2.1 \ + crate://crates.io/url/1.7.2 \ + crate://crates.io/url/2.2.1 \ + crate://crates.io/urlparse/0.7.3 \ + crate://crates.io/uuid/0.7.4 \ + crate://crates.io/uuid/0.8.2 \ + crate://crates.io/vcpkg/0.2.11 \ + crate://crates.io/vec_map/0.8.2 \ + crate://crates.io/version_check/0.9.3 \ + crate://crates.io/want/0.2.0 \ + crate://crates.io/want/0.3.0 \ + crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \ + crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \ + crate://crates.io/wasm-bindgen-backend/0.2.73 \ + crate://crates.io/wasm-bindgen-futures/0.4.23 \ + crate://crates.io/wasm-bindgen-macro-support/0.2.73 \ + crate://crates.io/wasm-bindgen-macro/0.2.73 \ + crate://crates.io/wasm-bindgen-shared/0.2.73 \ + crate://crates.io/wasm-bindgen/0.2.73 \ + crate://crates.io/web-sys/0.3.50 \ + crate://crates.io/webpki/0.21.4 \ + crate://crates.io/winapi-build/0.1.1 \ + crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi/0.2.8 \ + crate://crates.io/winapi/0.3.9 \ + crate://crates.io/winreg/0.6.2 \ + crate://crates.io/winreg/0.7.0 \ + crate://crates.io/ws2_32-sys/0.2.1 \ + crate://crates.io/xml-rs/0.8.3 \ +" diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb b/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb new file mode 100644 index 000000000..4dc61cfb3 --- /dev/null +++ b/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb @@ -0,0 +1,39 @@ +SUMMARY = "Resource Public Key Infrastructure (RPKI) daemon" +HOMEPAGE = "https://www.nlnetlabs.nl/projects/rpki/krill/" +LICENSE = "MPL-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=9741c346eef56131163e13b9db1241b3" + +DEPENDS = "openssl" + +include krill.inc + +# SRC_URI += "crate://crates.io/krill/0.9.1" +SRC_URI += "git://github.com/NLnetLabs/krill.git;protocol=https;nobranch=1;branch=main" +SRCREV = "d6c03b6f0199b1d10d252750a19a92b84576eb30" + +SRC_URI += "file://panic_workaround.patch" + +S = "${WORKDIR}/git" +CARGO_SRC_DIR = "" + +inherit pkgconfig useradd systemd cargo + + +do_install:append () { + install -d ${D}${sysconfdir} + install -d ${D}${datadir}/krill + + install -m 664 ${S}/defaults/krill.conf ${D}${sysconfdir}/. + install ${S}/defaults/* ${D}${datadir}/krill/. +} + +KRILL_UID ?= "krill" +KRILL_GID ?= "krill" + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM:${PN} = "--system ${KRILL_UID}" +USERADD_PARAM:${PN} = "--system -g ${KRILL_GID} --home-dir \ + /var/lib/krill/ --no-create-home \ + --shell /sbin/nologin ${BPN}" + +FILES:${PN} += "{sysconfdir}/defaults ${datadir}" diff --git a/meta-security/kas/kas-security-alt.yml b/meta-security/kas/kas-security-alt.yml index 25384dfba..f073216cd 100644 --- a/meta-security/kas/kas-security-alt.yml +++ b/meta-security/kas/kas-security-alt.yml @@ -10,4 +10,4 @@ repos: local_conf_header: alt: | - DISTRO_FEATURES_append = " systemd" + DISTRO_FEATURES:append = " systemd" diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml index c6cc4fc8e..b9ce493be 100644 --- a/meta-security/kas/kas-security-base.yml +++ b/meta-security/kas/kas-security-base.yml @@ -30,6 +30,12 @@ repos: meta-networking: meta-filesystems: + meta-rust: + url: https://github.com/meta-rust/meta-rust.git + refspec: master + + + local_conf_header: base: | CONF_VERSION = "1" @@ -51,8 +57,8 @@ local_conf_header: EXTRA_IMAGE_FEATURES ?= "debug-tweaks" PACKAGE_CLASSES = "package_ipk" - DISTRO_FEATURES_append = " pam apparmor smack ima" - MACHINE_FEATURES_append = " tpm tpm2" + DISTRO_FEATURES:append = " pam apparmor smack ima" + MACHINE_FEATURES:append = " tpm tpm2" diskmon: | BB_DISKMON_DIRS = "\ diff --git a/meta-security/kas/kas-security-parsec.yml b/meta-security/kas/kas-security-parsec.yml index 6152f0c1d..22ef5dd82 100644 --- a/meta-security/kas/kas-security-parsec.yml +++ b/meta-security/kas/kas-security-parsec.yml @@ -18,4 +18,4 @@ repos: local_conf_header: meta-parsec: | - IMAGE_INSTALL_append = " parsec-service parsec-tool" + IMAGE_INSTALL:append = " parsec-service parsec-tool" diff --git a/meta-security/kas/qemuarm64-multi.yml b/meta-security/kas/qemuarm64-multi.yml deleted file mode 100644 index d79142c37..000000000 --- a/meta-security/kas/qemuarm64-multi.yml +++ /dev/null @@ -1,12 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -local_conf_header: - multi: | - require conf/multilib.conf - MULTILIBS = "multilib:lib32" - DEFAULTTUNE_virtclass-multilib-lib32 = "armv7athf-neon" - -machine: qemuarm64 diff --git a/meta-security/kas/qemumips64-multi.yml b/meta-security/kas/qemumips64-multi.yml index c8cf94b71..6ef8b3984 100644 --- a/meta-security/kas/qemumips64-multi.yml +++ b/meta-security/kas/qemumips64-multi.yml @@ -8,7 +8,7 @@ local_conf_header: require conf/multilib.conf MULTILIBS = "multilib:lib64 multilib:lib32" DEFAULTTUNE = "mips64-n32" - DEFAULTTUNE_virtclass-multilib-lib64 = "mips64" - DEFAULTTUNE_virtclass-multilib-lib32 = "mips32r2" + DEFAULTTUNE:virtclass-multilib-lib64 = "mips64" + DEFAULTTUNE:virtclass-multilib-lib32 = "mips32r2" machine: qemumips64 diff --git a/meta-security/kas/qemuppc-parsec.yml b/meta-security/kas/qemuppc-parsec.yml deleted file mode 100644 index 1176d1369..000000000 --- a/meta-security/kas/qemuppc-parsec.yml +++ /dev/null @@ -1,6 +0,0 @@ -header: - version: 8 - includes: - - kas-security-parsec.yml - -machine: qemuppc diff --git a/meta-security/kas/qemuppc.yml b/meta-security/kas/qemuppc.yml deleted file mode 100644 index 3dad81c27..000000000 --- a/meta-security/kas/qemuppc.yml +++ /dev/null @@ -1,6 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -machine: qemuppc diff --git a/meta-security/kas/qemux86-64-multi.yml b/meta-security/kas/qemux86-64-multi.yml deleted file mode 100644 index 711ce2863..000000000 --- a/meta-security/kas/qemux86-64-multi.yml +++ /dev/null @@ -1,12 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -local_conf_header: - multi: | - require conf/multilib.conf - MULTILIBS = "multilib:lib32" - DEFAULTTUNE_virtclass-multilib-lib32 = "x86" - -machine: qemux86-64 diff --git a/meta-security/kas/qemux86-comp.yml b/meta-security/kas/qemux86-comp.yml index 14c5dcabf..478d63187 100644 --- a/meta-security/kas/qemux86-comp.yml +++ b/meta-security/kas/qemux86-comp.yml @@ -5,7 +5,7 @@ header: local_conf_header: meta-compliance: | - IMAGE_INSTALL_append = " lynis" - IMAGE_INSTALL_append = " openscap openscap-daemon scap-security-guide" + IMAGE_INSTALL:append = " lynis" + IMAGE_INSTALL:append = " openscap openscap-daemon scap-security-guide" machine: qemux86 diff --git a/meta-security/meta-hardening/conf/distro/harden.conf b/meta-security/meta-hardening/conf/distro/harden.conf index 66db9b797..1a5eb3da7 100644 --- a/meta-security/meta-hardening/conf/distro/harden.conf +++ b/meta-security/meta-hardening/conf/distro/harden.conf @@ -6,6 +6,6 @@ DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost" VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog" IMAGE_ROOTFS_EXTRA_SPACE = "524288" -EXTRA_IMAGE_FEATURES_remove = "debug-tweaks" +EXTRA_IMAGE_FEATURES:remove = "debug-tweaks" DISABLE_ROOT ?= "True" diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf index 085ea45c5..1cd6f4f08 100644 --- a/meta-security/meta-hardening/conf/layer.conf +++ b/meta-security/meta-hardening/conf/layer.conf @@ -8,6 +8,6 @@ BBFILE_COLLECTIONS += "harden-layer" BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_harden-layer = "10" -LAYERSERIES_COMPAT_harden-layer = "hardknott" +LAYERSERIES_COMPAT_harden-layer = "honister" LAYERDEPENDS_harden-layer = "core openembedded-layer" diff --git a/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend index 67be3f313..17c06ed40 100644 --- a/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend +++ b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend @@ -1,4 +1,4 @@ -do_install_append_harden () { +do_install:append_harden () { # to hardend sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config diff --git a/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend index 395630460..0f0384fe3 100644 --- a/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend +++ b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend @@ -1,4 +1,4 @@ -do_install_append_harden () { +do_install:append_harden () { sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile } diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb index daed3fbcc..c35c2577e 100644 --- a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb +++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb @@ -1,7 +1,7 @@ SUMMARY = "A small image for an example hardening OE." IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening" -IMAGE_INSTALL_append = " os-release" +IMAGE_INSTALL:append = " os-release" IMAGE_FEATURES = "" IMAGE_LINGUAS = " " diff --git a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend index f943cb371..b27dee9d0 100644 --- a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend +++ b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend @@ -1,8 +1,8 @@ -FILESEXTRAPATHS_prepend_harden := "${THISDIR}/files:" +FILESEXTRAPATHS:prepend_harden := "${THISDIR}/files:" -SRC_URI_append_harden = " file://mountall.sh" +SRC_URI:append_harden = " file://mountall.sh" -do_install_append_harden() { +do_install:append_harden() { install -d ${D}${sysconfdir}/init.d install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d } diff --git a/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb index 1dcd5fc3d..51676b22d 100644 --- a/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb +++ b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb @@ -11,7 +11,7 @@ PACKAGES = "${PN} \ packagegroup-${PN} \ " -RDEPENDS_${PN} = "\ +RDEPENDS:${PN} = "\ init-ifupdown \ ${VIRTUAL-RUNTIME_base-utils-syslog} \ sudo \ diff --git a/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend index 3f363f069..3058b5582 100644 --- a/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend +++ b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend @@ -1,4 +1,4 @@ -do_install_append_harden () { +do_install:append_harden () { # to hardend sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs diff --git a/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend index a31c081fe..97c5f492b 100644 --- a/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend +++ b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend @@ -1,6 +1,6 @@ -PACKAGECONFIG_append_harden = " pam-wheel" -do_install_append_harden () { +PACKAGECONFIG:append_harden = " pam-wheel" +do_install:append_harden () { if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers fi diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md index 8254b0d94..eae1c57ea 100644 --- a/meta-security/meta-integrity/README.md +++ b/meta-security/meta-integrity/README.md @@ -6,7 +6,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in this layer need to have 'integrity' in DISTRO_FEATURES to have effect. To enable them, add in configuration file the following line. - DISTRO_FEATURES_append = " integrity" + DISTRO_FEATURES:append = " integrity" If meta-integrity is included, but integrity is not enabled as a distro feature a warning is printed at parse time: @@ -219,7 +219,7 @@ executing the file is no longer allowed: Enabling the audit kernel subsystem may help to debug appraisal issues. Enable it by adding the meta-security-framework layer and changing your local.conf: - SRC_URI_append_pn-linux-yocto = " file://audit.cfg" + SRC_URI:append:pn-linux-yocto = " file://audit.cfg" CORE_IMAGE_EXTRA_INSTALL += "auditd" Then boot with "ima_appraise=log ima_appraise_tcb". diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass index 0acd6e7aa..57de2f60a 100644 --- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -29,7 +29,7 @@ IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false" IMA_EVM_ROOTFS_IVERSION ?= "" # Avoid re-generating fstab when ima is enabled. -WIC_CREATE_EXTRA_ARGS_append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}" +WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}" ima_evm_sign_rootfs () { cd ${IMAGE_ROOTFS} diff --git a/meta-security/meta-integrity/classes/kernel-modsign.bbclass b/meta-security/meta-integrity/classes/kernel-modsign.bbclass index 09025baa7..cf5d3ebe2 100644 --- a/meta-security/meta-integrity/classes/kernel-modsign.bbclass +++ b/meta-security/meta-integrity/classes/kernel-modsign.bbclass @@ -15,7 +15,7 @@ MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt" # If this class is enabled, disable stripping signatures from modules INHIBIT_PACKAGE_STRIP = "1" -kernel_do_configure_prepend() { +kernel_do_configure:prepend() { if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \ > "${B}/modsign_key.pem" @@ -24,6 +24,6 @@ kernel_do_configure_prepend() { fi } -do_shared_workdir_append() { +do_shared_workdir:append() { cp modsign_key.pem $kerneldir/ } diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index 37776f818..e9446e6cd 100644 --- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf @@ -20,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}' # interactive shell is enough. OE_TERMINAL_EXPORTS += "INTEGRITY_BASE" -LAYERSERIES_COMPAT_integrity = "hardknott" +LAYERSERIES_COMPAT_integrity = "honister" # ima-evm-utils depends on keyutils from meta-oe LAYERDEPENDS_integrity = "core openembedded-layer" diff --git a/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc index a45182e51..807075ca8 100644 --- a/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc +++ b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc @@ -1,8 +1,8 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" DEPENDS = "libtspi" -SRC_URI_append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch" +SRC_URI:append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch" PACKAGECONFIG += " \ aikgen \ diff --git a/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc index 7e9e2108d..cfa65a2ac 100644 --- a/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc +++ b/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc @@ -1,5 +1,5 @@ # Append iversion option for auto types -do_install_append() { +do_install:append() { sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab" echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab" } diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb index 1a3a30a19..f40e8670f 100644 --- a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb @@ -18,4 +18,4 @@ export IMAGE_BASENAME = "integrity-image-minimal" INHERIT += "ima-evm-rootfs" -QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" +QB_KERNEL_CMDLINE_APPEND:append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index 6471c532c..58cbe6e95 100644 --- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -30,7 +30,7 @@ do_install () { sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima } -FILES_${PN} = "/init.d ${sysconfdir}" +FILES:${PN} = "/init.d ${sysconfdir}" -RDEPENDS_${PN} = "keyutils ima-evm-keys ${IMA_POLICY}" -RDEPENDS_${PN} += "initramfs-framework-base" +RDEPENDS:${PN} = "keyutils ima-evm-keys ${IMA_POLICY}" +RDEPENDS:${PN} += "initramfs-framework-base" diff --git a/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb index 8196edb20..484859f7c 100644 --- a/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb +++ b/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb @@ -6,6 +6,6 @@ inherit packagegroup features_check REQUIRED_DISTRO_FEATURES = "ima" # Only one at the moment, but perhaps more will come in the future. -RDEPENDS_${PN} = " \ +RDEPENDS:${PN} = " \ ima-evm-utils \ " diff --git a/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend index 3b4554162..57b3684c9 100644 --- a/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend +++ b/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend @@ -1,11 +1,11 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" SRC_URI += " \ file://machine-id-commit-sync.conf \ file://random-seed-sync.conf \ " -do_install_append () { +do_install:append () { for i in machine-id-commit random-seed; do install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc index f9a48cd05..3ab53e5de 100644 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc @@ -1,5 +1,5 @@ -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" +KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" +KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb b/meta-security/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb index 7708aef2c..dd32397a6 100644 --- a/meta-security/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb +++ b/meta-security/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 inherit features_check REQUIRED_DISTRO_FEATURES = "ima" -ALLOW_EMPTY_${PN} = "1" +ALLOW_EMPTY:${PN} = "1" do_install () { if [ -e "${IMA_EVM_X509}" ]; then diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb index bd8558303..fc7a2d61a 100644 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS += "openssl attr keyutils" -DEPENDS_class-native += "openssl-native keyutils-native" +DEPENDS:class-native += "openssl-native keyutils-native" PV = "1.2.1+git${SRCPV}" SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e" @@ -26,13 +26,13 @@ S = "${WORKDIR}/git" inherit pkgconfig autotools features_check REQUIRED_DISTRO_FEATURES = "ima" -REQUIRED_DISTRO_FEATURES_class-native = "" +REQUIRED_DISTRO_FEATURES:class-native = "" -EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}" +EXTRA_OECONF:append:class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}" # blkid is called by evmctl when creating evm checksums. # This is less useful when signing files on the build host, # so disable it when compiling on the host. -RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils" +RDEPENDS:${PN}:append:class-target = " util-linux-blkid libcrypto attr libattr keyutils" BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb index 84ea16120..5f2244edc 100644 --- a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb @@ -12,5 +12,5 @@ do_install () { install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy } -FILES_${PN} = "${sysconfdir}/ima" -RDEPENDS_${PN} = "ima-evm-utils" +FILES:${PN} = "${sysconfdir}/ima" +RDEPENDS:${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb index ff7169ef5..57c06400b 100644 --- a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb @@ -14,5 +14,5 @@ do_install () { install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy } -FILES_${PN} = "${sysconfdir}/ima" -RDEPENDS_${PN} = "ima-evm-utils" +FILES:${PN} = "${sysconfdir}/ima" +RDEPENDS:${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb index 0e56aec51..8fed41006 100644 --- a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb +++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb @@ -12,5 +12,5 @@ do_install () { install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy } -FILES_${PN} = "${sysconfdir}/ima" -RDEPENDS_${PN} = "ima-evm-utils" +FILES:${PN} = "${sysconfdir}/ima" +RDEPENDS:${PN} = "ima-evm-utils" diff --git a/meta-security/meta-parsec/README.md b/meta-security/meta-parsec/README.md index a2736b694..24958ac0a 100644 --- a/meta-security/meta-parsec/README.md +++ b/meta-security/meta-parsec/README.md @@ -53,7 +53,7 @@ other layers needed. e.g.: To include the Parsec service into your image add following into the local.conf: - IMAGE_INSTALL_append = " parsec-service" + IMAGE_INSTALL:append = " parsec-service" The Parsec service will be deployed into the image built with all the supported providers and with the default config file from the Parsec repository: @@ -86,7 +86,7 @@ Manual testing with runqemu This layer also contains a recipe for pasec-tool which can be used for manual testing of the Parsec service: - IMAGE_INSTALL_append += " parsec-tools" + IMAGE_INSTALL:append += " parsec-tools" There are a series of Parsec Demo videos showing how to use parsec-tool to test the Parsec service base functionality: @@ -103,7 +103,7 @@ enabled. No changes required for manual testing. The Software HSM can be used for manual testing of the provider by including it into your test image: - IMAGE_INSTALL_append += " softhsm" + IMAGE_INSTALL:append += " softhsm" Inside the running VM: - Stop Parsec @@ -134,7 +134,7 @@ systemctl start parsec The IBM Software TPM service can be used for manual testing of the provider by including it into your test image: - IMAGE_INSTALL_append += " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim" + IMAGE_INSTALL:append += " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim" Inside the running VM: - Stop Parsec diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf index 2d4aa12fb..86d41b22b 100644 --- a/meta-security/meta-parsec/conf/layer.conf +++ b/meta-security/meta-parsec/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "parsec-layer" BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_parsec-layer = "5" -LAYERSERIES_COMPAT_parsec-layer = "hardknott gatesgarth" +LAYERSERIES_COMPAT_parsec-layer = "honister" LAYERDEPENDS_parsec-layer = "core rust-layer clang-layer tpm-layer" BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec" diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb index d57a43a5a..5f7a99b42 100644 --- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb +++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.7.0.bb @@ -15,7 +15,7 @@ DEPENDS = "tpm2-tss clang-native" CARGO_BUILD_FLAGS += " --features all-providers,cryptoki/generate-bindings,tss-esapi/generate-bindings" inherit systemd -SYSTEMD_SERVICE_${PN} = "parsec.service" +SYSTEMD_SERVICE:${PN} = "parsec.service" inherit update-rc.d INITSCRIPT_NAME = "parsec" @@ -24,7 +24,7 @@ INITSCRIPT_NAME = "parsec" # The file should also be included into SRC_URI then PARSEC_CONFIG ?= "${S}/config.toml" -do_install_append () { +do_install:append () { # Binaries install -d -m 700 -o parsec -g parsec "${D}${libexecdir}/parsec" install -m 700 -o parsec -g parsec "${WORKDIR}/build/target/${CARGO_TARGET_SUBDIR}/parsec" ${D}${libexecdir}/parsec/parsec @@ -52,10 +52,10 @@ do_install_append () { inherit useradd USERADD_PACKAGES = "${PN}" -USERADD_PARAM_${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec" -GROUPADD_PARAM_${PN} = "-r parsec" +USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec" +GROUPADD_PARAM:${PN} = "-r parsec" -FILES_${PN} += " \ +FILES:${PN} += " \ ${sysconfdir}/parsec/config.toml \ ${libexecdir}/parsec/parsec \ ${systemd_unitdir}/system/parsec.service \ diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf index 2024d4a5f..ec4fd47d2 100644 --- a/meta-security/meta-security-compliance/conf/layer.conf +++ b/meta-security/meta-security-compliance/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer" BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_scanners-layer = "10" -LAYERSERIES_COMPAT_scanners-layer = "hardknott" +LAYERSERIES_COMPAT_scanners-layer = "honister" LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python" diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb index 2d5962362..947c27e36 100644 --- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb +++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb @@ -34,7 +34,7 @@ do_install () { cp ${S}/*.prf ${D}/${sysconfdir}/lynis } -FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf" -FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md" +FILES:${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf" +FILES:${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md" -RDEPENDS_${PN} += "procps findutils" +RDEPENDS:${PN} += "procps findutils" diff --git a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb index fd53fcba5..0fef23397 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb +++ b/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb @@ -28,6 +28,6 @@ do_install () { cp ${S}/* ${D}/${datadir}/oe-scap/. } -FILES_${PN} += "${datadir}/oe-scap" +FILES:${PN} += "${datadir}/oe-scap" -RDEPENDS_${PN} = "openscap bash" +RDEPENDS:${PN} = "openscap bash" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb index a77502143..f10956621 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb @@ -17,7 +17,7 @@ inherit setuptools3 S = "${WORKDIR}/git" -RDEPENDS_${PN} = "openscap scap-security-guide \ +RDEPENDS:${PN} = "openscap scap-security-guide \ python3-core python3-dbus \ python3-pygobject \ " diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc index 812ea9f3a..c23664174 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" LICENSE = "LGPL-2.1" DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig" -DEPENDS_class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native" +DEPENDS:class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native" S = "${WORKDIR}/git" @@ -34,22 +34,22 @@ EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \ STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source" STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" -do_configure_append_class-native () { +do_configure:append:class-native () { sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h } -do_install_class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" -do_install_append_class-native () { +do_install:class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" +do_install:append:class-native () { oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} install -d $oscapdir cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir } -FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" +FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR}" -RDEPENDS_${PN} += "libxml2 python3-core libgcc bash" +RDEPENDS:${PN} += "libxml2 python3-core libgcc bash" BBCLASSEXTEND = "native" diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc index d1a9511f3..0c651f16f 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -25,11 +25,11 @@ B = "${S}/build" do_configure[depends] += "openscap-native:do_install" -do_configure_prepend () { +do_configure:prepend () { sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt } -FILES_${PN} += "${datadir}/xml" +FILES:${PN} += "${datadir}/xml" -RDEPENDS_${PN} = "openscap" +RDEPENDS:${PN} = "openscap" diff --git a/meta-security/meta-security-isafw/classes/isafw.bbclass b/meta-security/meta-security-isafw/classes/isafw.bbclass index 146acdfbf..da6bf7639 100644 --- a/meta-security/meta-security-isafw/classes/isafw.bbclass +++ b/meta-security/meta-security-isafw/classes/isafw.bbclass @@ -41,7 +41,7 @@ python do_analysesource() { recipe.version = recipe.version.split('+git', 1)[0] for p in d.getVar('PACKAGES', True).split(): - license = str(d.getVar('LICENSE_' + p, True)) + license = str(d.getVar('LICENSE:' + p, True)) if license == "None": license = d.getVar('LICENSE', True) license = license.replace("(", "") diff --git a/meta-security/meta-security-isafw/conf/layer.conf b/meta-security/meta-security-isafw/conf/layer.conf index 1f1095f07..86b0d4b1f 100644 --- a/meta-security/meta-security-isafw/conf/layer.conf +++ b/meta-security/meta-security-isafw/conf/layer.conf @@ -14,4 +14,4 @@ LAYERVERSION_security-isafw = "1" LAYERDEPENDS_security-isafw = "core" -LAYERSERIES_COMPAT_security-isafw = "hardknott" +LAYERSERIES_COMPAT_security-isafw = "honister" diff --git a/meta-security/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb b/meta-security/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb index 247ec763a..74f5d3923 100644 --- a/meta-security/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb +++ b/meta-security/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb @@ -20,6 +20,6 @@ do_install() { sed -i 's/\r//' ${D}${bindir}/checksec.sh } -RDEPENDS_${PN} = "bash binutils" +RDEPENDS:${PN} = "bash binutils" BBCLASSEXTEND = "native" diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README index 59d2ee3ad..4441dd293 100644 --- a/meta-security/meta-tpm/README +++ b/meta-security/meta-tpm/README @@ -5,7 +5,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in this layer need to have 'tpm' in DISTRO_FEATURES to have effect. To enable them, add in configuration file the following line. - DISTRO_FEATURES_append = " tmp" + DISTRO_FEATURES:append = " tmp" If meta-tpm is included, but tpm is not enabled as a distro feature a warning is printed at parse time: diff --git a/meta-security/meta-tpm/conf/distro/include/maintainers.inc b/meta-security/meta-tpm/conf/distro/include/maintainers.inc index dcf53d0cc..e7b216d8f 100644 --- a/meta-security/meta-tpm/conf/distro/include/maintainers.inc +++ b/meta-security/meta-tpm/conf/distro/include/maintainers.inc @@ -16,23 +16,23 @@ # # The format is as a bitbake variable override for each recipe # -# RECIPE_MAINTAINER_pn-<recipe name> = "Full Name <address@domain>" +# RECIPE_MAINTAINER:pn-<recipe name> = "Full Name <address@domain>" # # Please keep this list in alphabetical order. -RECIPE_MAINTAINER_pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-pcr-extend = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-tpm-quote-tools = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-libtpm = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-trousers = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-swtpm = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-openssl-tpm-engine = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-tpm-tools = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-tpm2-abrmd = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-tpm2-totp = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-tpm2-tcti-uefi = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-aircrack-ng = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-pcr-extend = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-tpm-quote-tools = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-libtpm = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-trousers = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-swtpm = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-openssl-tpm-engine = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-tpm-tools = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-tpm2-abrmd = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-tpm2-totp = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-tpm2-tcti-uefi = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>" +RECIPE_MAINTAINER:pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>" diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index 0b102c533..b00dd3c43 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer" BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_tpm-layer = "10" -LAYERSERIES_COMPAT_tpm-layer = "hardknott" +LAYERSERIES_COMPAT_tpm-layer = "honister" LAYERDEPENDS_tpm-layer = " \ core \ diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc index d8604e116..497474fd3 100644 --- a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc +++ b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc @@ -1,8 +1,8 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" DEPENDS = "libtspi" -SRC_URI_append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch" +SRC_URI:append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch" PACKAGECONFIG += "aikgen tpm" diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb index 3b9d271b5..e3de797ce 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb @@ -7,8 +7,8 @@ inherit packagegroup PACKAGES = "packagegroup-security-tpm-i2c" -SUMMARY_packagegroup-security-tpm-i2c = "Security TPM i2c support" -RDEPENDS_packagegroup-security-tpm-i2c = " \ +SUMMARY:packagegroup-security-tpm-i2c = "Security TPM i2c support" +RDEPENDS:packagegroup-security-tpm-i2c = " \ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'packagegroup-security-tpm', '', d)} \ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \ kernel-module-tpm-i2c-atmel \ diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb index 3844c7f9f..bfe6e3af0 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb @@ -7,8 +7,8 @@ inherit packagegroup PACKAGES = "packagegroup-security-tpm" -SUMMARY_packagegroup-security-tpm = "Security TPM support" -RDEPENDS_packagegroup-security-tpm = " \ +SUMMARY:packagegroup-security-tpm = "Security TPM support" +RDEPENDS:packagegroup-security-tpm = " \ tpm-tools \ trousers \ pcr-extend \ @@ -21,13 +21,13 @@ RDEPENDS_packagegroup-security-tpm = " \ X86_TPM_MODULES ?= "" -X86_TPM_MODULES_x86 = " \ +X86_TPM_MODULES:x86 = " \ kernel-module-tpm-atmel \ kernel-module-tpm-infineon \ kernel-module-tpm-nsc \ " -X86_TPM_MODULES_x86-64 = " \ +X86_TPM_MODULES:x86-64 = " \ kernel-module-tpm-atmel \ kernel-module-tpm-infineon \ kernel-module-tpm-nsc \ diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 8b6f03023..764b2e5e4 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -7,8 +7,8 @@ inherit packagegroup PACKAGES = "${PN}" -SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support" -RDEPENDS_packagegroup-security-tpm2 = " \ +SUMMARY:packagegroup-security-tpm2 = "Security TPM 2.0 support" +RDEPENDS:packagegroup-security-tpm2 = " \ tpm2-tools \ trousers \ tpm2-tss \ diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb index 2e9394f4b..3a8f2fa7e 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb @@ -7,8 +7,8 @@ inherit packagegroup PACKAGES = "packagegroup-security-vtpm" -SUMMARY_packagegroup-security-vtpm = "Security Software vTPM support" -RDEPENDS_packagegroup-security-vtpm = " \ +SUMMARY:packagegroup-security-vtpm = "Security Software vTPM support" +RDEPENDS:packagegroup-security-vtpm = " \ libtpm \ swtpm \ " diff --git a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc index cea8b1b2a..909c42daf 100644 --- a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc +++ b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc @@ -1,12 +1,12 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:" +FILESEXTRAPATHS:prepend := "${THISDIR}/linux-yocto:" # Enable tpm in kernel -SRC_URI_append_x86 = " \ +SRC_URI:append:x86 = " \ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \ " -SRC_URI_append_x86-64 = " \ +SRC_URI:append:x86-64 = " \ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \ " diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb index 0f98b79f2..9ad8967f5 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb +++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb @@ -35,31 +35,31 @@ inherit autotools-brokensep pkgconfig srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\"" srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\"" -CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}" +CFLAGS:append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}" # Uncomment below line if using the plain srk password for development #CFLAGS_append += "-DTPM_SRK_PLAIN_PW" -do_configure_prepend() { +do_configure:prepend() { cd ${B} cp LICENSE COPYING touch NEWS AUTHORS ChangeLog README } -FILES_${PN}-staticdev += "${libdir}/ssl/engines-1.1/tpm.la" -FILES_${PN}-dbg += "\ +FILES:${PN}-staticdev += "${libdir}/ssl/engines-1.1/tpm.la" +FILES:${PN}-dbg += "\ ${libdir}/ssl/engines-1.1/.debug \ ${libdir}/engines-1.1/.debug \ ${prefix}/local/ssl/lib/engines-1.1/.debug \ " -FILES_${PN} += "\ +FILES:${PN} += "\ ${libdir}/ssl/engines-1.1/tpm.so* \ ${libdir}/engines-1.1/tpm.so* \ ${libdir}/libtpm.so* \ ${prefix}/local/ssl/lib/engines-1.1/tpm.so* \ " -RDEPENDS_${PN} += "libcrypto libtspi" +RDEPENDS:${PN} += "libcrypto libtspi" -INSANE_SKIP_${PN} = "libdir" -INSANE_SKIP_${PN}-dbg = "libdir" +INSANE_SKIP:${PN} = "libdir" +INSANE_SKIP:${PN}-dbg = "libdir" diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb index caf99e823..912e939a1 100644 --- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb +++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb @@ -7,7 +7,7 @@ DEPENDS = "libtasn1 coreutils-native expect socat glib-2.0 net-tools-native libt # configure checks for the tools already during compilation and # then swtpm_setup needs them at runtime -DEPENDS_append = " tpm-tools-native expect-native socat-native python3-pip-native python3-cryptography-native" +DEPENDS:append = " tpm-tools-native expect-native socat-native python3-pip-native python3-cryptography-native" SRCREV = "e59c0c1a7b4c8d652dbb280fd6126895a7057464" SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.5 \ @@ -36,19 +36,19 @@ PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp" EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}" USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM_${PN} = "--system ${TSS_USER}" -USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir \ +GROUPADD_PARAM:${PN} = "--system ${TSS_USER}" +USERADD_PARAM:${PN} = "--system -g ${TSS_GROUP} --home-dir \ --no-create-home --shell /bin/false ${BPN}" PACKAGES =+ "${PN}-python" -FILES_${PN}-python = "${PYTHON_SITEPACKAGES_DIR}" +FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}" PACKAGE_BEFORE_PN = "${PN}-cuse" -FILES_${PN}-cuse = "${bindir}/swtpm_cuse" +FILES:${PN}-cuse = "${bindir}/swtpm_cuse" -INSANE_SKIP_${PN} += "dev-so" +INSANE_SKIP:${PN} += "dev-so" -RDEPENDS_${PN} = "libtpm expect socat bash tpm-tools python3 python3-cryptography python3-twisted" +RDEPENDS:${PN} = "libtpm expect socat bash tpm-tools python3 python3-cryptography python3-twisted" BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb index 9e0a6862b..dbe1647d2 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb +++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb @@ -10,7 +10,7 @@ LICENSE = "CPL-1.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9" DEPENDS = "libtspi openssl perl" -DEPENDS_class-native = "trousers-native" +DEPENDS:class-native = "trousers-native" SRCREV = "bf43837575c5f7d31865562dce7778eae970052e" SRC_URI = " \ @@ -24,7 +24,7 @@ inherit autotools-brokensep gettext S = "${WORKDIR}/git" -do_configure_prepend () { +do_configure:prepend () { mkdir -p po mkdir -p m4 cp -R po_/* po/ diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb index 32c9a4976..a746103de 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb @@ -30,7 +30,7 @@ do_install () { oe_runmake DESTDIR=${D} install } -do_install_append() { +do_install:append() { install -d ${D}${sysconfdir}/init.d install -m 0755 ${WORKDIR}/trousers.init.sh ${D}${sysconfdir}/init.d/trousers install -d ${D}${sysconfdir}/udev/rules.d @@ -43,7 +43,7 @@ do_install_append() { fi } -CONFFILES_${PN} += "${sysconfig}/tcsd.conf" +CONFFILES:${PN} += "${sysconfig}/tcsd.conf" PROVIDES = "${PACKAGES}" PACKAGES = " \ @@ -59,39 +59,39 @@ PACKAGES = " \ # libtspi needs tcsd for most (all?) operations, so suggest to # install that. -RRECOMMENDS_libtspi = "${PN}" +RRECOMMENDS:libtspi = "${PN}" -FILES_libtspi = " \ +FILES:libtspi = " \ ${libdir}/*.so.1 \ ${libdir}/*.so.1.2.0 \ " -FILES_libtspi-dbg = " \ +FILES:libtspi-dbg = " \ ${libdir}/.debug \ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tspi \ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trspi \ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/*.h \ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/tss \ " -FILES_libtspi-dev = " \ +FILES:libtspi-dev = " \ ${includedir} \ ${libdir}/*.so \ " -FILES_libtspi-doc = " \ +FILES:libtspi-doc = " \ ${mandir}/man3 \ " -FILES_libtspi-staticdev = " \ +FILES:libtspi-staticdev = " \ ${libdir}/*.la \ ${libdir}/*.a \ " -FILES_${PN} = " \ +FILES:${PN} = " \ ${sbindir}/tcsd \ ${sysconfdir} \ ${localstatedir} \ " -FILES_${PN}-dev += "${libdir}/trousers" +FILES:${PN}-dev += "${libdir}/trousers" -FILES_${PN}-dbg = " \ +FILES:${PN}-dbg = " \ ${sbindir}/.debug \ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcs \ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcsd \ @@ -99,22 +99,22 @@ FILES_${PN}-dbg = " \ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trousers \ ${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/trousers \ " -FILES_${PN}-doc = " \ +FILES:${PN}-doc = " \ ${mandir}/man5 \ ${mandir}/man8 \ " -FILES_${PN} += "${systemd_unitdir}/*" +FILES:${PN} += "${systemd_unitdir}/*" INITSCRIPT_NAME = "trousers" INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ." USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM_${PN} = "--system tss" -USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" +GROUPADD_PARAM:${PN} = "--system tss" +USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "tcsd.service" +SYSTEMD_SERVICE:${PN} = "tcsd.service" SYSTEMD_AUTO_ENABLE = "disable" BBCLASSEXTEND = "native" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb index edfcce9d1..b80ef7973 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb @@ -25,20 +25,20 @@ S = "${WORKDIR}/git" inherit autotools pkgconfig systemd update-rc.d useradd SYSTEMD_PACKAGES += "${PN}" -SYSTEMD_SERVICE_${PN} = "tpm2-abrmd.service" -SYSTEMD_AUTO_ENABLE_${PN} = "disable" +SYSTEMD_SERVICE:${PN} = "tpm2-abrmd.service" +SYSTEMD_AUTO_ENABLE:${PN} = "disable" INITSCRIPT_NAME = "${PN}" INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ." USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM_${PN} = "tss" -USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" +GROUPADD_PARAM:${PN} = "tss" +USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" PACKAGECONFIG ?="${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}" PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no" -do_install_append() { +do_install:append() { install -d "${D}${sysconfdir}/init.d" install -m 0755 "${WORKDIR}/tpm2-abrmd-init.sh" "${D}${sysconfdir}/init.d/tpm2-abrmd" @@ -46,9 +46,9 @@ do_install_append() { install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd" } -FILES_${PN} += "${libdir}/systemd/system-preset \ +FILES:${PN} += "${libdir}/systemd/system-preset \ ${datadir}/dbus-1" -RDEPENDS_${PN} += "tpm2-tss" +RDEPENDS:${PN} += "tpm2-tss" BBCLASSEXTEND = "native" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb index 63ec18d94..fdeda269e 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb @@ -18,16 +18,16 @@ S = "${WORKDIR}/git" inherit autotools-brokensep pkgconfig python3native -do_configure_prepend () { +do_configure:prepend () { ${S}/bootstrap } -do_compile_append() { +do_compile:append() { cd ${S}/tools python3 setup.py build } -do_install_append() { +do_install:append() { install -d ${D}${libdir}/pkcs11 install -d ${D}${datadir}/p11-kit rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so @@ -41,15 +41,15 @@ do_install_append() { PACKAGES =+ "${PN}-tools" -FILES_${PN}-tools = "\ +FILES:${PN}-tools = "\ ${bindir}/tpm2_ptool \ ${libdir}/${PYTHON_DIR}/* \ " -FILES_${PN} += "\ +FILES:${PN} += "\ ${libdir}/pkcs11/* \ ${datadir}/p11-kit/* \ " RDEPNDS_${PN} = "tpm2-tools" -RDEPENDS_${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" +RDEPENDS:${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index a67e3c34d..47113d25a 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -18,28 +18,28 @@ inherit autotools pkgconfig EFIDIR ?= "/EFI/BOOT" -EFI_ARCH_x86 = "ia32" -EFI_ARCH_x86-64 = "x86_64" +EFI_ARCH:x86 = "ia32" +EFI_ARCH:x86-64 = "x86_64" -CFLAGS_append = " -I${STAGING_INCDIR}/efi -I${STAGING_INCDIR}/efi/${EFI_ARCH}" +CFLAGS:append = " -I${STAGING_INCDIR}/efi -I${STAGING_INCDIR}/efi/${EFI_ARCH}" -EXTRA_OECONF_append = " \ +EXTRA_OECONF:append = " \ --with-efi-includedir=${STAGING_INCDIR} \ --with-efi-crt0=${STAGING_LIBDIR}/crt0-efi-${EFI_ARCH}.o \ --with-efi-lds=${STAGING_LIBDIR}/elf_${EFI_ARCH}_efi.lds \ " -do_compile_append() { +do_compile:append() { oe_runmake example } -do_install_append() { +do_install:append() { install -d "${D}${EFIDIR}" install -m 0755 "${B}"/example/*.efi "${D}${EFIDIR}" } COMPATIBLE_HOST = "(i.86|x86_64).*-linux" -FILES_${PN} += "${EFIDIR}" +FILES:${PN} += "${EFIDIR}" -RDEPENDS_${PN} = "gnu-efi libtss2-mu" +RDEPENDS:${PN} = "gnu-efi libtss2-mu" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb index 539569572..3069b1f19 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb @@ -17,7 +17,7 @@ S = "${WORKDIR}/git" PACKAGES += "${PN}-engines ${PN}-engines-staticdev ${PN}-bash-completion" -FILES_${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*" -FILES_${PN}-engines = "${libdir}/engines-1.1/lib*.so*" -FILES_${PN}-engines-staticdev = "${libdir}/engines-1.1/libtpm2tss.a" -FILES_${PN}-bash-completion += "${datadir}/bash-completion/completions" +FILES:${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*" +FILES:${PN}-engines = "${libdir}/engines-1.1/lib*.so*" +FILES:${PN}-engines-staticdev = "${libdir}/engines-1.1/libtpm2tss.a" +FILES:${PN}-bash-completion += "${datadir}/bash-completion/completions" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb index cc4f191a2..64708791f 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb @@ -18,7 +18,7 @@ PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, " PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c " EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/" -EXTRA_OECONF_remove = " --disable-static" +EXTRA_OECONF:remove = " --disable-static" EXTRA_USERS_PARAMS = "\ @@ -45,34 +45,34 @@ PACKAGES = " \ libtss2-staticdev \ " -FILES_libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*" -FILES_libtss2-tcti-device-dev = " \ +FILES:libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*" +FILES:libtss2-tcti-device-dev = " \ ${includedir}/tss2/tss2_tcti_device.h \ ${libdir}/pkgconfig/tss2-tcti-device.pc \ ${libdir}/libtss2-tcti-device.so" -FILES_libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a" +FILES:libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a" -FILES_libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*" -FILES_libtss2-tcti-mssim-dev = " \ +FILES:libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*" +FILES:libtss2-tcti-mssim-dev = " \ ${includedir}/tss2/tss2_tcti_mssim.h \ ${libdir}/pkgconfig/tss2-tcti-mssim.pc \ ${libdir}/libtss2-tcti-mssim.so" -FILES_libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a" +FILES:libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a" -FILES_libtss2-mu = "${libdir}/libtss2-mu.so.*" -FILES_libtss2-mu-dev = " \ +FILES:libtss2-mu = "${libdir}/libtss2-mu.so.*" +FILES:libtss2-mu-dev = " \ ${includedir}/tss2/tss2_mu.h \ ${libdir}/pkgconfig/tss2-mu.pc \ ${libdir}/libtss2-mu.so" -FILES_libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a" +FILES:libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a" -FILES_libtss2 = "${libdir}/libtss2*so.*" -FILES_libtss2-dev = " \ +FILES:libtss2 = "${libdir}/libtss2*so.*" +FILES:libtss2-dev = " \ ${includedir} \ ${libdir}/pkgconfig \ ${libdir}/libtss2*so" -FILES_libtss2-staticdev = "${libdir}/libtss*a" +FILES:libtss2-staticdev = "${libdir}/libtss*a" -FILES_${PN} = "${libdir}/udev ${nonarch_base_libdir}/udev" +FILES:${PN} = "${libdir}/udev ${nonarch_base_libdir}/udev" -RDEPENDS_libtss2 = "libgcrypt" +RDEPENDS:libtss2 = "libgcrypt" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework.inc b/meta-security/recipes-core/initrdscripts/initramfs-framework.inc index 12010bf34..1a724d6ef 100644 --- a/meta-security/recipes-core/initrdscripts/initramfs-framework.inc +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework.inc @@ -1,16 +1,16 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/initramfs-framework-dm:" +FILESEXTRAPATHS:prepend := "${THISDIR}/initramfs-framework-dm:" -SRC_URI_append = "\ +SRC_URI:append = "\ file://dmverity \ " -do_install_append() { +do_install:append() { # dm-verity install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity } -PACKAGES_append = " initramfs-module-dmverity" +PACKAGES:append = " initramfs-module-dmverity" -SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support" -RDEPENDS_initramfs-module-dmverity = "${PN}-base" -FILES_initramfs-module-dmverity = "/init.d/80-dmverity" +SUMMARY:initramfs-module-dmverity = "initramfs dm-verity rootfs support" +RDEPENDS:initramfs-module-dmverity = "${PN}-base" +FILES:initramfs-module-dmverity = "/init.d/80-dmverity" diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index 8e06f30bc..6375e246e 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -16,7 +16,7 @@ PACKAGES = "\ ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \ " -RDEPENDS_packagegroup-core-security = "\ +RDEPENDS:packagegroup-core-security = "\ packagegroup-security-utils \ packagegroup-security-scanners \ packagegroup-security-audit \ @@ -26,8 +26,8 @@ RDEPENDS_packagegroup-core-security = "\ ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \ " -SUMMARY_packagegroup-security-utils = "Security utilities" -RDEPENDS_packagegroup-security-utils = "\ +SUMMARY:packagegroup-security-utils = "Security utilities" +RDEPENDS:packagegroup-security-utils = "\ checksec \ ding-libs \ ecryptfs-utils \ @@ -46,50 +46,60 @@ RDEPENDS_packagegroup-security-utils = "\ ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \ " -SUMMARY_packagegroup-security-scanners = "Security scanners" -RDEPENDS_packagegroup-security-scanners = "\ +SUMMARY:packagegroup-security-scanners = "Security scanners" +RDEPENDS:packagegroup-security-scanners = "\ isic \ nikto \ checksecurity \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-daemon clamav-freshclam",d)} \ " -RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-daemon clamav-freshclam" +RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "clamav clamav-daemon clamav-freshclam" -SUMMARY_packagegroup-security-audit = "Security Audit tools " -RDEPENDS_packagegroup-security-audit = " \ +SUMMARY:packagegroup-security-audit = "Security Audit tools " +RDEPENDS:packagegroup-security-audit = " \ buck-security \ redhat-security \ " -SUMMARY_packagegroup-security-hardening = "Security Hardening tools" -RDEPENDS_packagegroup-security-hardening = " \ +SUMMARY:packagegroup-security-hardening = "Security Hardening tools" +RDEPENDS:packagegroup-security-hardening = " \ bastille \ " -SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" -RDEPENDS_packagegroup-security-ids = " \ +SUMMARY:packagegroup-security-ids = "Security Intrusion Detection systems" +RDEPENDS:packagegroup-security-ids = " \ samhain-standalone \ - ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \ + ${@bb.utils.contains("BBLAYERS", "meta-rust", "suricata","", d)} \ ossec-hids \ aide \ " -RDEPENDS_packagegroup-security-ids_remove_libc-musl = "ossec-hids" +RDEPENDS:packagegroup-security-ids:remove:powerpc = "suricata" +RDEPENDS:packagegroup-security-ids:remove:powerpc64le = "suricata" +RDEPENDS:packagegroup-security-ids:remove:powerpc64 = "suricata" +RDEPENDS:packagegroup-security-ids:remove:riscv32 = "suricata" +RDEPENDS:packagegroup-security-ids:remove:riscv64 = "suricata" +RDEPENDS:packagegroup-security-ids:remove:libc-musl = "ossec-hids" -SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" -RDEPENDS_packagegroup-security-mac = " \ +SUMMARY:packagegroup-security-mac = "Security Mandatory Access Control systems" +RDEPENDS:packagegroup-security-mac = " \ ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ " -RDEPENDS_packagegroup-security-mac_remove_mipsarch = "apparmor" +RDEPENDS:packagegroup-security-mac:remove:mipsarch = "apparmor" -RDEPENDS_packagegroup-meta-security-ptest-packages = "\ +RDEPENDS:packagegroup-meta-security-ptest-packages = "\ ptest-runner \ samhain-standalone-ptest \ - libseccomp-ptest \ - suricata-ptest \ + ${@bb.utils.contains("BBLAYERS", "meta-rust", "suricata-ptest","", d)} \ python3-fail2ban-ptest \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ " + +RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc = "suricata-ptest" +RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc64le = "suricata-ptest" +RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc64 = "suricata-ptest" +RDEPENDS:packagegroup-security-ptest-packages:remove:riscv32 = "suricata-ptest" +RDEPENDS:packagegroup-security-ptest-packages:remove:riscv64 = "suricata-ptest" diff --git a/meta-security/recipes-ids/aide/aide_0.17.3.bb b/meta-security/recipes-ids/aide/aide_0.17.3.bb index 522cd85fe..fbfa8a7d0 100644 --- a/meta-security/recipes-ids/aide/aide_0.17.3.bb +++ b/meta-security/recipes-ids/aide/aide_0.17.3.bb @@ -25,7 +25,7 @@ PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt" PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash" PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs" -do_install_append () { +do_install:append () { install -d ${D}${libdir}/${PN}/logs install -d ${D}${sysconfdir} install ${WORKDIR}/aide.conf ${D}${sysconfdir}/ @@ -33,9 +33,9 @@ do_install_append () { CONF_FILE = "${sysconfdir}/aide.conf" -FILES_${PN} += "${libdir}/${PN} ${sysconfdir}/aide.conf" +FILES:${PN} += "${libdir}/${PN} ${sysconfdir}/aide.conf" -pkg_postinst_ontarget_${PN} () { +pkg_postinst_ontarget:${PN} () { /usr/bin/aide -i } RDPENDS_${PN} = "bison, libpcre" diff --git a/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb b/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb new file mode 100644 index 000000000..887c75df8 --- /dev/null +++ b/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb @@ -0,0 +1,42 @@ +SUMMARY = "CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network." + +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=105e75b680b2ab82fa5718661b41f3bf" + +SRC_URI = "git://github.com/crowdsecurity/crowdsec.git;branch=master" +SRCREV = "73e0bbaf93070f4a640eb5a22212b5dcf26699de" + +DEPENDS = "jq-native" + +GO_IMPORT = "import" + +inherit go + +S = "${WORKDIR}/git" + +do_compile() { + export GOARCH="${TARGET_GOARCH}" + export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go" + + # Pass the needed cflags/ldflags so that cgo + # can find the needed headers files and libraries + export CGO_ENABLED="1" + export CFLAGS="" + export LDFLAGS="" + export CGO_CFLAGS="${BUILDSDK_CFLAGS} --sysroot=${STAGING_DIR_TARGET}" + export CGO_LDFLAGS="${BUILDSDK_LDFLAGS} --sysroot=${STAGING_DIR_TARGET}" + + cd ${S}/src/import + oe_runmake release +} + +do_install_ () { + chmod +x -R --silent ${B}/pkg +} + + +INSANE_SKIP:${PN} = "already-stripped" +INSANE_SKIP:${PN}-dev = "ldflags" + +RDEPENDS:${PN} = "go" +RDEPENDS:${PN}-dev = "bash" diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb index 778278b47..309ca5234 100644 --- a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb +++ b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb @@ -44,7 +44,7 @@ do_install(){ install -m 640 ${D}/${sysconfdir}/ossec-init.conf ${D}/var/ossec/${sysconfdir}/ossec-init.conf } -pkg_postinst_ontarget_${PN} () { +pkg_postinst_ontarget:${PN} () { DIR="/var/ossec" usermod -g ossec -G ossec -a root @@ -157,9 +157,9 @@ pkg_postinst_ontarget_${PN} () { } USERADD_PACKAGES = "${PN}" -USERADD_PARAM_${PN} = "--system --home-dir /var/ossec -g ossec --shell /bin/false ossec" -GROUPADD_PARAM_${PN} = "--system ossec" +USERADD_PARAM:${PN} = "--system --home-dir /var/ossec -g ossec --shell /bin/false ossec" +GROUPADD_PARAM:${PN} = "--system ossec" -RDEPENDS_${PN} = "openssl bash" +RDEPENDS:${PN} = "openssl bash" -COMPATIBLE_HOST_libc-musl = "null" +COMPATIBLE_HOST:libc-musl = "null" diff --git a/meta-security/recipes-ids/samhain/samhain-client.bb b/meta-security/recipes-ids/samhain/samhain-client.bb index 0f53a8cde..2b99e2016 100644 --- a/meta-security/recipes-ids/samhain/samhain-client.bb +++ b/meta-security/recipes-ids/samhain/samhain-client.bb @@ -8,5 +8,5 @@ EXTRA_OECONF += " \ --with-port=${SAMHAIN_PORT} \ " -RDEPENDS_${PN} = "acl zlib attr bash" -RCONFLICTS_${PN} = "samhain-standalone" +RDEPENDS:${PN} = "acl zlib attr bash" +RCONFLICTS:${PN} = "samhain-standalone" diff --git a/meta-security/recipes-ids/samhain/samhain-server.bb b/meta-security/recipes-ids/samhain/samhain-server.bb index e7a3aa623..51bce07cd 100644 --- a/meta-security/recipes-ids/samhain/samhain-server.bb +++ b/meta-security/recipes-ids/samhain/samhain-server.bb @@ -10,7 +10,7 @@ SRC_URI += "file://samhain-server-volatiles \ TARGET_CC_ARCH += "${LDFLAGS}" -do_install_append() { +do_install:append() { if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/tmpfiles.d install -m 0644 ${WORKDIR}/samhain-server-volatiles.conf \ @@ -25,5 +25,5 @@ do_install_append() { init/samhain.startLSB ${D}/var/lib/samhain } -RDEPENDS_${PN} += "gmp bash perl" -RCONFLICTS_${PN} = "samhain-standalone" +RDEPENDS:${PN} += "gmp bash perl" +RCONFLICTS:${PN} = "samhain-standalone" diff --git a/meta-security/recipes-ids/samhain/samhain-standalone.bb b/meta-security/recipes-ids/samhain/samhain-standalone.bb index 4fed9e9e9..445cb99b7 100644 --- a/meta-security/recipes-ids/samhain/samhain-standalone.bb +++ b/meta-security/recipes-ids/samhain/samhain-standalone.bb @@ -6,7 +6,7 @@ SRC_URI += "file://samhain-not-run-ptest-on-host.patch \ PROVIDES += "samhain" -SYSTEMD_SERVICE_${PN} = "samhain.service" +SYSTEMD_SERVICE:${PN} = "samhain.service" inherit ptest @@ -18,7 +18,7 @@ do_compile() { oe_runmake "$@" } -do_install_append() { +do_install:append() { ln -sf ${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/samhain } @@ -27,5 +27,5 @@ do_install_ptest() { install ${S}/cutest ${D}${PTEST_PATH} } -RPROVIDES_${PN} += "samhain" -RCONFLICTS_${PN} = "samhain-client samhain-server" +RPROVIDES:${PN} += "samhain" +RCONFLICTS:${PN} = "samhain-client samhain-server" diff --git a/meta-security/recipes-ids/samhain/samhain.inc b/meta-security/recipes-ids/samhain/samhain.inc index 0148e46cf..97f5f2ddc 100644 --- a/meta-security/recipes-ids/samhain/samhain.inc +++ b/meta-security/recipes-ids/samhain/samhain.inc @@ -37,7 +37,7 @@ INITSCRIPT_NAME = "${BPN}" INITSCRIPT_PARAMS ?= "defaults" SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "${INITSCRIPT_NAME}.service" +SYSTEMD_SERVICE:${PN} = "${INITSCRIPT_NAME}.service" SYSTEMD_AUTO_ENABLE = "disable" # mode mapping: @@ -67,23 +67,23 @@ PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl" PACKAGECONFIG[audit] = "ac_cv_header_auparse_h=yes,ac_cv_header_auparse_h=no,audit" PACKAGECONFIG[ps] = "--with-ps-path=${base_bindir}/ps,,,procps" -EXTRA_OEMAKE_append_aarch64 = " CPPFLAGS+=-DCONFIG_ARCH_AARCH64=1" -EXTRA_OEMAKE_append_mips64 = " CPPFLAGS+=-DCONFIG_ARCH_MIPS64=1" +EXTRA_OEMAKE:append:aarch64 = " CPPFLAGS+=-DCONFIG_ARCH_AARCH64=1" +EXTRA_OEMAKE:append:mips64 = " CPPFLAGS+=-DCONFIG_ARCH_MIPS64=1" do_unpack_samhain() { cd ${WORKDIR} tar -xzvf samhain-${PV}.tar.gz } -python do_unpack_append() { +python do_unpack:append() { bb.build.exec_func('do_unpack_samhain', d) } -do_configure_prepend_arm() { +do_configure:prepend:arm() { export sh_cv___va_copy=yes } -do_configure_prepend_aarch64() { +do_configure:prepend:aarch64() { export sh_cv___va_copy=yes } @@ -91,7 +91,7 @@ do_configure_prepend_aarch64() { # use the prefix --oldincludedir=/usr/include which is not # recognized by Samhain's configure script and would invariably # throw back the error "unrecognized option: --oldincludedir=/usr/include" -do_configure_prepend () { +do_configure:prepend () { cat << EOF > ${S}/config-site.${BP} ssp_cv_lib=no sh_cv_va_copy=yes @@ -124,13 +124,13 @@ do_configure () { ${EXTRA_OECONF} } -do_compile_prepend_libc-musl () { +do_compile:prepend:libc-musl () { sed -i 's/^#define HAVE_MALLOC_H.*//' ${B}/config.h } # Install the init script, it's default file, and the extraneous # documentation. -do_install_append () { +do_install:append () { oe_runmake install DESTDIR='${D}' INSTALL=install-boot install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \ @@ -165,4 +165,4 @@ do_install_append () { rm -rf ${D}${localstatedir}/log } -FILES_${PN} += "${systemd_system_unitdir}" +FILES:${PN} += "${systemd_system_unitdir}" diff --git a/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch b/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch deleted file mode 100644 index 530568b19..000000000 --- a/meta-security/recipes-ids/suricata/files/0001-af-packet-fix-build-on-recent-Linux-kernels.patch +++ /dev/null @@ -1,26 +0,0 @@ -From b37554e0bc3cf383e6547c5c6a69c6f6849c09e3 Mon Sep 17 00:00:00 2001 -From: Eric Leblond <eric@regit.org> -Date: Wed, 17 Jul 2019 12:35:12 +0200 -Subject: [PATCH] af-packet: fix build on recent Linux kernels - -Upstream-Status: Backport -Signed-off-by: Armin kuster <akuster808@gmail.com> ---- - src/source-af-packet.c | 4 ++++ - 1 file changed, 4 insertions(+) - -Index: suricata-4.1.5/src/source-af-packet.c -=================================================================== ---- suricata-4.1.5.orig/src/source-af-packet.c -+++ suricata-4.1.5/src/source-af-packet.c -@@ -68,6 +68,10 @@ - #include <linux/sockios.h> - #endif - -+#if HAVE_LINUX_SOCKIOS_H -+#include <linux/sockios.h> -+#endif -+ - #ifdef HAVE_PACKET_EBPF - #include "util-ebpf.h" - #include <bpf/libbpf.h> diff --git a/meta-security/recipes-ids/suricata/files/no_libhtp_build.patch b/meta-security/recipes-ids/suricata/files/no_libhtp_build.patch deleted file mode 100644 index 2ebf021fc..000000000 --- a/meta-security/recipes-ids/suricata/files/no_libhtp_build.patch +++ /dev/null @@ -1,38 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -Signed-of_by: Armin Kuster <akuster808@gmail.com> - -Index: suricata-2.0.5/Makefile.am -=================================================================== ---- suricata-2.0.5.orig/Makefile.am -+++ suricata-2.0.5/Makefile.am -@@ -5,7 +5,7 @@ ACLOCAL_AMFLAGS = -I m4 - EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \ - classification.config threshold.config \ - reference.config --SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts -+SUBDIRS = src qa rules doc contrib scripts - - CLEANFILES = stamp-h[0-9]* - -Index: suricata-2.0.5/Makefile.in -=================================================================== ---- suricata-2.0.5.orig/Makefile.in -+++ suricata-2.0.5/Makefile.in -@@ -229,7 +229,6 @@ HAVE_PCAP_CONFIG = @HAVE_PCAP_CONFIG@ - HAVE_PKG_CONFIG = @HAVE_PKG_CONFIG@ - HAVE_PYTHON_CONFIG = @HAVE_PYTHON_CONFIG@ - HAVE_WGET = @HAVE_WGET@ --HTP_DIR = @HTP_DIR@ - HTP_LDADD = @HTP_LDADD@ - INSTALL = @INSTALL@ - INSTALL_DATA = @INSTALL_DATA@ -@@ -369,7 +368,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s - classification.config threshold.config \ - reference.config - --SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts -+SUBDIRS = src qa rules doc contrib scripts - CLEANFILES = stamp-h[0-9]* - all: config.h - $(MAKE) $(AM_MAKEFLAGS) all-recursive diff --git a/meta-security/recipes-ids/suricata/files/run-ptest b/meta-security/recipes-ids/suricata/files/run-ptest deleted file mode 100644 index 666ba9c95..000000000 --- a/meta-security/recipes-ids/suricata/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -suricata -u diff --git a/meta-security/recipes-ids/suricata/files/suricata.service b/meta-security/recipes-ids/suricata/files/suricata.service deleted file mode 100644 index a99a76ef8..000000000 --- a/meta-security/recipes-ids/suricata/files/suricata.service +++ /dev/null @@ -1,20 +0,0 @@ -[Unit] -Description=Suricata IDS/IDP daemon -After=network.target -Requires=network.target -Documentation=man:suricata(8) man:suricatasc(8) -Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki - -[Service] -Type=simple -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW -RestrictAddressFamilies= -ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0 -ExecReload=/bin/kill -HUP $MAINPID -PrivateTmp=yes -ProtectHome=yes -ProtectSystem=yes - -[Install] -WantedBy=multi-user.target - diff --git a/meta-security/recipes-ids/suricata/files/suricata.yaml b/meta-security/recipes-ids/suricata/files/suricata.yaml deleted file mode 100644 index 8d06a2744..000000000 --- a/meta-security/recipes-ids/suricata/files/suricata.yaml +++ /dev/null @@ -1,1326 +0,0 @@ -%YAML 1.1 ---- - -# Suricata configuration file. In addition to the comments describing all -# options in this file, full documentation can be found at: -# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml - - -# Number of packets allowed to be processed simultaneously. Default is a -# conservative 1024. A higher number will make sure CPU's/CPU cores will be -# more easily kept busy, but may negatively impact caching. -# -# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules -# apply. In that case try something like 60000 or more. This is because the CUDA -# pattern matcher buffers and scans as many packets as possible in parallel. -#max-pending-packets: 1024 - -# Runmode the engine should use. Please check --list-runmodes to get the available -# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned -# load balancing). -#runmode: autofp - -# Specifies the kind of flow load balancer used by the flow pinned autofp mode. -# -# Supported schedulers are: -# -# round-robin - Flows assigned to threads in a round robin fashion. -# active-packets - Flows assigned to threads that have the lowest number of -# unprocessed packets (default). -# hash - Flow alloted usihng the address hash. More of a random -# technique. Was the default in Suricata 1.2.1 and older. -# -#autofp-scheduler: active-packets - -# If suricata box is a router for the sniffed networks, set it to 'router'. If -# it is a pure sniffing setup, set it to 'sniffer-only'. -# If set to auto, the variable is internally switch to 'router' in IPS mode -# and 'sniffer-only' in IDS mode. -# This feature is currently only used by the reject* keywords. -host-mode: auto - -# Run suricata as user and group. -#run-as: -# user: suri -# group: suri - -# Default pid file. -# Will use this file if no --pidfile in command options. -#pid-file: /var/run/suricata.pid - -# Daemon working directory -# Suricata will change directory to this one if provided -# Default: "/" -#daemon-directory: "/" - -# Preallocated size for packet. Default is 1514 which is the classical -# size for pcap on ethernet. You should adjust this value to the highest -# packet size (MTU + hardware header) on your system. -#default-packet-size: 1514 - -# The default logging directory. Any log or output file will be -# placed here if its not specified with a full path name. This can be -# overridden with the -l command line parameter. -default-log-dir: /var/log/suricata/ - -# Unix command socket can be used to pass commands to suricata. -# An external tool can then connect to get information from suricata -# or trigger some modifications of the engine. Set enabled to yes -# to activate the feature. You can use the filename variable to set -# the file name of the socket. -unix-command: - enabled: no - #filename: custom.socket - -# Configure the type of alert (and other) logging you would like. -outputs: - - # a line based alerts log similar to Snort's fast.log - - fast: - enabled: yes - filename: fast.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: yes - type: file #file|syslog|unix_dgram|unix_stream - filename: eve.json - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - types: - - alert - - http: - extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - - dns - - tls: - extended: yes # enable this for extended logging information - - files: - force-magic: no # force logging magic on all logged files - force-md5: no # force logging of md5 checksums - #- drop - - ssh - - # alert output for use with Barnyard2 - - unified2-alert: - enabled: yes - filename: unified2.alert - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - #limit: 32mb - - # Sensor ID field of unified2 alerts. - #sensor-id: 0 - - # HTTP X-Forwarded-For support by adding the unified2 extra header that - # will contain the actual client IP address or by overwriting the source - # IP address (helpful when inspecting traffic that is being reversed - # proxied). - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". Note - # that in the "overwrite" mode, if the reported IP address in the HTTP - # X-Forwarded-For header is of a different version of the packet - # received, it will fall-back to "extra-data" mode. - mode: extra-data - # Header name were the actual IP address will be reported, if more than - # one IP address is present, the last IP address will be the one taken - # into consideration. - header: X-Forwarded-For - - # a line based log of HTTP requests (no alerts) - - http-log: - enabled: yes - filename: http.log - append: yes - #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: no # Log TLS connections. - filename: tls.log # File to store TLS logs. - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - #extended: yes # Log extended information like fingerprint - certs-log-dir: certs # directory to store the certificates files - - # a line based log of DNS requests and/or replies (no alerts) - - dns-log: - enabled: no - filename: dns.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log to used with pcap file study. - # this module is dedicated to offline pcap parsing (empty output - # if used with another kind of input). It can interoperate with - # pcap parser like wireshark via the suriwire plugin. - - pcap-info: - enabled: no - - # Packet log... log packets in pcap format. 2 modes of operation: "normal" - # and "sguil". - # - # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". In Sguil mode "dir" indicates the base directory. - # In this base dir the pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp> - # - # By default all packets are logged except: - # - TCP streams beyond stream.reassembly.depth - # - encrypted streams after the key exchange - # - - pcap-log: - enabled: no - filename: log.pcap - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - limit: 1000mb - - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" - max-files: 2000 - - mode: normal # normal or sguil. - #sguil-base-dir: /nsm_data/ - #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec - use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - - # a full alerts log containing much information for signature writers - # or for investigating suspected false positives. - - alert-debug: - enabled: no - filename: alert-debug.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output to prelude (http://www.prelude-technologies.com/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: no - profile: suricata - log-packet-content: no - log-packet-header: yes - - # Stats.log contains data from various counters of the suricata engine. - # The interval field (in seconds) tells after how long output will be written - # on the log file. - - stats: - enabled: yes - filename: stats.log - interval: 8 - - # a line based alerts log similar to fast.log into syslog - - syslog: - enabled: no - # reported identity to syslog. If ommited the program name (usually - # suricata) will be used. - #identity: "suricata" - facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - - # a line based information for dropped packets in IPS mode - - drop: - enabled: no - filename: drop.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # output module to store extracted files to disk - # - # The files are stored to the log-dir in a format "file.<id>" where <id> is - # an incrementing number starting at 1. For each file "file.<id>" a meta - # file "file.<id>.meta" is created. - # - # File extraction depends on a lot of things to be fully done: - # - stream reassembly depth. For optimal results, set this to 0 (unlimited) - # - http request / response body sizes. Again set to 0 for optimal results. - # - rules that contain the "filestore" keyword. - - file-store: - enabled: no # set to yes to enable - log-dir: files # directory to store the files - force-magic: no # force logging magic on all stored files - force-md5: no # force logging of md5 checksums - #waldo: file.waldo # waldo file to store the file_id across runs - - # output module to log files tracked in a easily parsable json format - - file-log: - enabled: no - filename: files-json.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - force-magic: no # force logging magic on all logged files - force-md5: no # force logging of md5 checksums - -# Magic file. The extension .mgc is added to the value here. -#magic-file: /usr/share/file/magic -magic-file: /usr/share/misc/magic.mgc - -# When running in NFQ inline mode, it is possible to use a simulated -# non-terminal NFQUEUE verdict. -# This permit to do send all needed packet to suricata via this a rule: -# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE -# And below, you can have your standard filtering ruleset. To activate -# this mode, you need to set mode to 'repeat' -# If you want packet to be sent to another queue after an ACCEPT decision -# set mode to 'route' and set next-queue value. -# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance -# by processing several packets before sending a verdict (worker runmode only). -# On linux >= 3.6, you can set the fail-open option to yes to have the kernel -# accept the packet if suricata is not able to keep pace. -nfq: -# mode: accept -# repeat-mark: 1 -# repeat-mask: 1 -# route-queue: 2 -# batchcount: 20 -# fail-open: yes - -#nflog support -nflog: - # netlink multicast group - # (the same as the iptables --nflog-group param) - # Group 0 is used by the kernel, so you can't use it - - group: 2 - # netlink buffer size - buffer-size: 18432 - # put default value here - - group: default - # set number of packet to queue inside kernel - qthreshold: 1 - # set the delay before flushing packet in the queue inside kernel - qtimeout: 100 - # netlink max buffer size - max-size: 20000 - -# af-packet support -# Set threads to > 1 to use PACKET_FANOUT support -af-packet: - - interface: eth0 - # Number of receive threads (>1 will enable experimental flow pinned - # runmode) - threads: 1 - # Default clusterid. AF_PACKET will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. - # This is only supported for Linux kernel > 3.1 - # possible value are: - # * cluster_round_robin: round robin load balancing - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket - cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set - # to yes, the kernel will do the needed defragmentation before sending the packets. - defrag: yes - # To use the ring feature of AF_PACKET, set 'use-mmap' to yes - use-mmap: yes - # Ring size will be computed with respect to max_pending_packets and number - # of threads. You can set manually the ring size in number of packets by setting - # the following value. If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independantly of the number - # of threads: - #ring-size: 2048 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. - #use-emergency-flush: yes - # recv buffer size, increase value could improve performance - # buffer-size: 32768 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - kernel: use indication sent by kernel for each packet (default) - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - # You can use the following variables to activate AF_PACKET tap od IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - #copy-mode: ips - #copy-iface: eth1 - - interface: eth1 - threads: 1 - cluster-id: 98 - cluster-type: cluster_flow - defrag: yes - # buffer-size: 32768 - # disable-promisc: no - # Put default values here - - interface: default - #threads: 2 - #use-mmap: yes - -legacy: - uricontent: enabled - -# You can specify a threshold config file by setting "threshold-file" -# to the path of the threshold config file: -# threshold-file: /etc/suricata/threshold.config - -# The detection engine builds internal groups of signatures. The engine -# allow us to specify the profile to use for them, to manage memory on an -# efficient way keeping a good performance. For the profile keyword you -# can use the words "low", "medium", "high" or "custom". If you use custom -# make sure to define the values at "- custom-values" as your convenience. -# Usually you would prefer medium/high/low. -# -# "sgh mpm-context", indicates how the staging should allot mpm contexts for -# the signature groups. "single" indicates the use of a single context for -# all the signature group heads. "full" indicates a mpm-context for each -# group head. "auto" lets the engine decide the distribution of contexts -# based on the information the engine gathers on the patterns from each -# group head. -# -# The option inspection-recursion-limit is used to limit the recursive calls -# in the content inspection code. For certain payload-sig combinations, we -# might end up taking too much time in the content inspection code. -# If the argument specified is 0, the engine uses an internally defined -# default limit. On not specifying a value, we use no limits on the recursion. -detect-engine: - - profile: medium - - custom-values: - toclient-src-groups: 2 - toclient-dst-groups: 2 - toclient-sp-groups: 2 - toclient-dp-groups: 3 - toserver-src-groups: 2 - toserver-dst-groups: 4 - toserver-sp-groups: 2 - toserver-dp-groups: 25 - - sgh-mpm-context: auto - - inspection-recursion-limit: 3000 - # When rule-reload is enabled, sending a USR2 signal to the Suricata process - # will trigger a live rule reload. Experimental feature, use with care. - #- rule-reload: true - # If set to yes, the loading of signatures will be made after the capture - # is started. This will limit the downtime in IPS mode. - #- delayed-detect: yes - -# Suricata is multi-threaded. Here the threading can be influenced. -threading: - # On some cpu's/architectures it is beneficial to tie individual threads - # to specific CPU's/CPU cores. In this case all threads are tied to CPU0, - # and each extra CPU/core has one "detect" thread. - # - # On Intel Core2 and Nehalem CPU's enabling this will degrade performance. - # - set-cpu-affinity: no - # Tune cpu affinity of suricata threads. Each family of threads can be bound - # on specific CPUs. - cpu-affinity: - - management-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings - - receive-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings - - decode-cpu-set: - cpu: [ 0, 1 ] - mode: "balanced" - - stream-cpu-set: - cpu: [ "0-1" ] - - detect-cpu-set: - cpu: [ "all" ] - mode: "exclusive" # run detect threads in these cpus - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 - prio: - low: [ 0 ] - medium: [ "1-2" ] - high: [ 3 ] - default: "medium" - - verdict-cpu-set: - cpu: [ 0 ] - prio: - default: "high" - - reject-cpu-set: - cpu: [ 0 ] - prio: - default: "low" - - output-cpu-set: - cpu: [ "all" ] - prio: - default: "medium" - # - # By default Suricata creates one "detect" thread per available CPU/CPU core. - # This setting allows controlling this behaviour. A ratio setting of 2 will - # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this - # will result in 4 detect threads. If values below 1 are used, less threads - # are created. So on a dual core CPU a setting of 0.5 results in 1 detect - # thread being created. Regardless of the setting at a minimum 1 detect - # thread will always be created. - # - detect-thread-ratio: 1.5 - -# Cuda configuration. -cuda: - # The "mpm" profile. On not specifying any of these parameters, the engine's - # internal default values are used, which are same as the ones specified in - # in the default conf file. - mpm: - # The minimum length required to buffer data to the gpu. - # Anything below this is MPM'ed on the CPU. - # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. - # A value of 0 indicates there's no limit. - data-buffer-size-min-limit: 0 - # The maximum length for data that we would buffer to the gpu. - # Anything over this is MPM'ed on the CPU. - # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. - data-buffer-size-max-limit: 1500 - # The ring buffer size used by the CudaBuffer API to buffer data. - cudabuffer-buffer-size: 500mb - # The max chunk size that can be sent to the gpu in a single go. - gpu-transfer-size: 50mb - # The timeout limit for batching of packets in microseconds. - batching-timeout: 2000 - # The device to use for the mpm. Currently we don't support load balancing - # on multiple gpus. In case you have multiple devices on your system, you - # can specify the device to use, using this conf. By default we hold 0, to - # specify the first device cuda sees. To find out device-id associated with - # the card(s) on the system run "suricata --list-cuda-cards". - device-id: 0 - # No of Cuda streams used for asynchronous processing. All values > 0 are valid. - # For this option you need a device with Compute Capability > 1.0. - cuda-streams: 2 - -# Select the multi pattern algorithm you want to run for scan/search the -# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber, -# ac and ac-gfbs. -# -# The mpm you choose also decides the distribution of mpm contexts for -# signature groups, specified by the conf - "detect-engine.sgh-mpm-context". -# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" -# to be set to "single", because of ac's memory requirements, unless the -# ruleset is small enough to fit in one's memory, in which case one can -# use "full" with "ac". Rest of the mpms can be run in "full" mode. -# -# There is also a CUDA pattern matcher (only available if Suricata was -# compiled with --enable-cuda: b2g_cuda. Make sure to update your -# max-pending-packets setting above as well if you use b2g_cuda. - -mpm-algo: ac - -# The memory settings for hash size of these algorithms can vary from lowest -# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max -# (65536). The bloomfilter sizes of these algorithms can vary from low (512) - -# medium (1024) - high (2048). -# -# For B2g/B3g algorithms, there is a support for two different scan/search -# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and -# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms -# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch & -# B3gSearchBNDMq. -# -# For B2g the different scan/search algorithms and, hash and bloom -# filter size settings. For B3g the different scan/search algorithms and, hash -# and bloom filter size settings. For wumanber the hash and bloom filter size -# settings. - -pattern-matcher: - - b2gc: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b2gm: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b2g: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b3g: - search-algo: B3gSearchBNDMq - hash-size: low - bf-size: medium - - wumanber: - hash-size: low - bf-size: medium - -# Defrag settings: - -defrag: - memcap: 32mb - hash-size: 65536 - trackers: 65535 # number of defragmented flows to follow - max-frags: 65535 # number of fragments to keep (higher than trackers) - prealloc: yes - timeout: 60 - -# Enable defrag per host settings -# host-config: -# -# - dmz: -# timeout: 30 -# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] -# -# - lan: -# timeout: 45 -# address: -# - 192.168.0.0/24 -# - 192.168.10.0/24 -# - 172.16.14.0/24 - -# Flow settings: -# By default, the reserved memory (memcap) for flows is 32MB. This is the limit -# for flow allocation inside the engine. You can change this value to allow -# more memory usage for flows. -# The hash-size determine the size of the hash used to identify flows inside -# the engine, and by default the value is 65536. -# At the startup, the engine can preallocate a number of flows, to get a better -# performance. The number of flows preallocated is 10000 by default. -# emergency-recovery is the percentage of flows that the engine need to -# prune before unsetting the emergency state. The emergency state is activated -# when the memcap limit is reached, allowing to create new flows, but -# prunning them with the emergency timeouts (they are defined below). -# If the memcap is reached, the engine will try to prune flows -# with the default timeouts. If it doens't find a flow to prune, it will set -# the emergency bit and it will try again with more agressive timeouts. -# If that doesn't work, then it will try to kill the last time seen flows -# not in use. -# The memcap can be specified in kb, mb, gb. Just a number indicates it's -# in bytes. - -flow: - memcap: 64mb - hash-size: 65536 - prealloc: 10000 - emergency-recovery: 30 - -# This option controls the use of vlan ids in the flow (and defrag) -# hashing. Normally this should be enabled, but in some (broken) -# setups where both sides of a flow are not tagged with the same vlan -# tag, we can ignore the vlan id's in the flow hashing. -vlan: - use-for-tracking: true - -# Specific timeouts for flows. Here you can specify the timeouts that the -# active flows will wait to transit from the current state to another, on each -# protocol. The value of "new" determine the seconds to wait after a hanshake or -# stream startup before the engine free the data of that flow it doesn't -# change the state to established (usually if we don't receive more packets -# of that flow). The value of "established" is the amount of -# seconds that the engine will wait to free the flow if it spend that amount -# without receiving new packets or closing the connection. "closed" is the -# amount of time to wait after a flow is closed (usually zero). -# -# There's an emergency mode that will become active under attack circumstances, -# making the engine to check flow status faster. This configuration variables -# use the prefix "emergency-" and work similar as the normal ones. -# Some timeouts doesn't apply to all the protocols, like "closed", for udp and -# icmp. - -flow-timeouts: - - default: - new: 30 - established: 300 - closed: 0 - emergency-new: 10 - emergency-established: 100 - emergency-closed: 0 - tcp: - new: 60 - established: 3600 - closed: 120 - emergency-new: 10 - emergency-established: 300 - emergency-closed: 20 - udp: - new: 30 - established: 300 - emergency-new: 10 - emergency-established: 100 - icmp: - new: 30 - established: 300 - emergency-new: 10 - emergency-established: 100 - -# Stream engine settings. Here the TCP stream tracking and reassembly -# engine is configured. -# -# stream: -# memcap: 32mb # Can be specified in kb, mb, gb. Just a -# # number indicates it's in bytes. -# checksum-validation: yes # To validate the checksum of received -# # packet. If csum validation is specified as -# # "yes", then packet with invalid csum will not -# # be processed by the engine stream/app layer. -# # Warning: locally generated trafic can be -# # generated without checksum due to hardware offload -# # of checksum. You can control the handling of checksum -# # on a per-interface basis via the 'checksum-checks' -# # option -# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread -# midstream: false # don't allow midstream session pickups -# async-oneside: false # don't enable async stream handling -# inline: no # stream inline mode -# max-synack-queued: 5 # Max different SYN/ACKs to queue -# -# reassembly: -# memcap: 64mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# depth: 1mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# # The max acceptable size is 4024 bytes. -# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# # The max acceptable size is 4024 bytes. -# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. -# # This lower the risk of some evasion technics but could lead -# # detection change between runs. It is set to 'yes' by default. -# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is -# # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size -# # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value -# # of randomize-chunk-range is 10. -# -# raw: yes # 'Raw' reassembly enabled or disabled. -# # raw is for content inspection by detection -# # engine. -# -# chunk-prealloc: 250 # Number of preallocated stream chunks. These -# # are used during stream inspection (raw). -# segments: # Settings for reassembly segment pool. -# - size: 4 # Size of the (data)segment for a pool -# prealloc: 256 # Number of segments to prealloc and keep -# # in the pool. -# -stream: - memcap: 32mb - checksum-validation: yes # reject wrong csums - inline: auto # auto will use inline mode in IPS mode, yes or no set it statically - reassembly: - memcap: 128mb - depth: 1mb # reassemble 1mb into a stream - toserver-chunk-size: 2560 - toclient-chunk-size: 2560 - randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #chunk-prealloc: 250 - #segments: - # - size: 4 - # prealloc: 256 - # - size: 16 - # prealloc: 512 - # - size: 112 - # prealloc: 512 - # - size: 248 - # prealloc: 512 - # - size: 512 - # prealloc: 512 - # - size: 768 - # prealloc: 1024 - # - size: 1448 - # prealloc: 1024 - # - size: 65535 - # prealloc: 128 - -# Host table: -# -# Host table is used by tagging and per host thresholding subsystems. -# -host: - hash-size: 4096 - prealloc: 1000 - memcap: 16777216 - -# Logging configuration. This is not about logging IDS alerts, but -# IDS output about what its doing, errors, etc. -logging: - - # The default log level, can be overridden in an output section. - # Note that debug level logging will only be emitted if Suricata was - # compiled with the --enable-debug configure option. - # - # This value is overriden by the SC_LOG_LEVEL env var. - default-log-level: notice - - # The default output format. Optional parameter, should default to - # something reasonable if not provided. Can be overriden in an - # output section. You can leave this out to get the default. - # - # This value is overriden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " - - # A regex to filter output. Can be overridden in an output section. - # Defaults to empty (no filter). - # - # This value is overriden by the SC_LOG_OP_FILTER env var. - default-output-filter: - - # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. - outputs: - - console: - enabled: yes - - file: - enabled: no - filename: /var/log/suricata.log - - syslog: - enabled: yes - facility: local5 - format: "[%i] <%d> -- " - -# Tilera mpipe configuration. for use on Tilera TILE-Gx. -mpipe: - - # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". - load-balance: dynamic - - # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 - iqueue-packets: 2048 - - # List of interfaces we will listen on. - inputs: - - interface: xgbe2 - - interface: xgbe3 - - interface: xgbe4 - - - # Relative weight of memory for packets of each mPipe buffer size. - stack: - size128: 0 - size256: 9 - size512: 0 - size1024: 0 - size1664: 7 - size4096: 0 - size10386: 0 - size16384: 0 - -# PF_RING configuration. for use with native PF_RING support -# for more info see http://www.ntop.org/PF_RING.html -pfring: - - interface: eth0 - # Number of receive threads (>1 will enable experimental flow pinned - # runmode) - threads: 1 - - # Default clusterid. PF_RING will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - - # Default PF_RING cluster type. PF_RING can load balance per flow or per hash. - # This is only supported in versions of PF_RING > 4.1.1. - cluster-type: cluster_flow - # bpf filter for this interface - #bpf-filter: tcp - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - rxonly: only compute checksum for packets received by network card. - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # Second interface - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - # Put default values here - - interface: default - #threads: 2 - -pcap: - - interface: eth0 - # On Linux, pcap will try to use mmaped capture and will use buffer-size - # as total of memory used by the ring. So set this to something bigger - # than 1% of your bandwidth. - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # With some accelerator cards using a modified libpcap (like myricom), you - # may want to have the same number of capture threads as the number of capture - # rings. In this case, set up the threads variable to N to start N threads - # listening on the same interface. - #threads: 16 - # set to no to disable promiscuous mode: - #promisc: no - # set snaplen, if not set it defaults to MTU if MTU can be known - # via ioctl call and to full capture if not. - #snaplen: 1518 - # Put default values here - - interface: default - #checksum-checks: auto - -pcap-file: - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have checksum tested - checksum-checks: auto - -# For FreeBSD ipfw(8) divert(4) support. -# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" -# in /etc/loader.conf or kldload'ing the appropriate kernel modules. -# Additionally, you need to have an ipfw rule for the engine to see -# the packets from ipfw. For Example: -# -# ipfw add 100 divert 8000 ip from any to any -# -# The 8000 above should be the same number you passed on the command -# line, i.e. -d 8000 -# -ipfw: - - # Reinject packets at the specified ipfw rule number. This config - # option is the ipfw rule number AT WHICH rule processing continues - # in the ipfw processing system after the engine has finished - # inspecting the packet for acceptance. If no rule number is specified, - # accepted packets are reinjected at the divert rule which they entered - # and IPFW rule processing continues. No check is done to verify - # this will rule makes sense so care must be taken to avoid loops in ipfw. - # - ## The following example tells the engine to reinject packets - # back into the ipfw firewall AT rule number 5500: - # - # ipfw-reinjection-rule-number: 5500 - -# Set the default rule path here to search for the files. -# if not set, it will look at the current working dir -default-rule-path: /etc/suricata/rules -rule-files: - - botcc.rules - - ciarmy.rules - - compromised.rules - - drop.rules - - dshield.rules - - emerging-activex.rules - - emerging-attack_response.rules - - emerging-chat.rules - - emerging-current_events.rules - - emerging-dns.rules - - emerging-dos.rules - - emerging-exploit.rules - - emerging-ftp.rules - - emerging-games.rules - - emerging-icmp_info.rules -# - emerging-icmp.rules - - emerging-imap.rules - - emerging-inappropriate.rules - - emerging-malware.rules - - emerging-misc.rules - - emerging-mobile_malware.rules - - emerging-netbios.rules - - emerging-p2p.rules - - emerging-policy.rules - - emerging-pop3.rules - - emerging-rpc.rules - - emerging-scada.rules - - emerging-scan.rules - - emerging-shellcode.rules - - emerging-smtp.rules - - emerging-snmp.rules - - emerging-sql.rules - - emerging-telnet.rules - - emerging-tftp.rules - - emerging-trojan.rules - - emerging-user_agents.rules - - emerging-voip.rules - - emerging-web_client.rules - - emerging-web_server.rules - - emerging-web_specific_apps.rules - - emerging-worm.rules - - tor.rules - - decoder-events.rules # available in suricata sources under rules dir - - stream-events.rules # available in suricata sources under rules dir - - http-events.rules # available in suricata sources under rules dir - - smtp-events.rules # available in suricata sources under rules dir - - dns-events.rules # available in suricata sources under rules dir - - tls-events.rules # available in suricata sources under rules dir - -classification-file: /etc/suricata/classification.config -reference-config-file: /etc/suricata/reference.config - -# Holds variables that would be used by the engine. -vars: - - # Holds the address group vars that would be passed in a Signature. - # These would be retrieved during the Signature address parsing stage. - address-groups: - - HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" - - EXTERNAL_NET: "!$HOME_NET" - - HTTP_SERVERS: "$HOME_NET" - - SMTP_SERVERS: "$HOME_NET" - - SQL_SERVERS: "$HOME_NET" - - DNS_SERVERS: "$HOME_NET" - - TELNET_SERVERS: "$HOME_NET" - - AIM_SERVERS: "$EXTERNAL_NET" - - DNP3_SERVER: "$HOME_NET" - - DNP3_CLIENT: "$HOME_NET" - - MODBUS_CLIENT: "$HOME_NET" - - MODBUS_SERVER: "$HOME_NET" - - ENIP_CLIENT: "$HOME_NET" - - ENIP_SERVER: "$HOME_NET" - - # Holds the port group vars that would be passed in a Signature. - # These would be retrieved during the Signature port parsing stage. - port-groups: - - HTTP_PORTS: "80" - - SHELLCODE_PORTS: "!80" - - ORACLE_PORTS: 1521 - - SSH_PORTS: 22 - - DNP3_PORTS: 20000 - -# Set the order of alerts bassed on actions -# The default order is pass, drop, reject, alert -action-order: - - pass - - drop - - reject - - alert - -# IP Reputation -#reputation-categories-file: /etc/suricata/iprep/categories.txt -#default-reputation-path: /etc/suricata/iprep -#reputation-files: -# - reputation.list - -# Host specific policies for defragmentation and TCP stream -# reassembly. The host OS lookup is done using a radix tree, just -# like a routing table so the most specific entry matches. -host-os-policy: - # Make the default policy windows. - windows: [0.0.0.0/0] - bsd: [] - bsd-right: [] - old-linux: [] - linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"] - old-solaris: [] - solaris: ["::1"] - hpux10: [] - hpux11: [] - irix: [] - macos: [] - vista: [] - windows2k3: [] - - -# Limit for the maximum number of asn1 frames to decode (default 256) -asn1-max-frames: 256 - -# When run with the option --engine-analysis, the engine will read each of -# the parameters below, and print reports for each of the enabled sections -# and exit. The reports are printed to a file in the default log dir -# given by the parameter "default-log-dir", with engine reporting -# subsection below printing reports in its own report file. -engine-analysis: - # enables printing reports for fast-pattern for every rule. - rules-fast-pattern: yes - # enables printing reports for each rule - rules: yes - -#recursion and match limits for PCRE where supported -pcre: - match-limit: 3500 - match-limit-recursion: 1500 - -# Holds details on the app-layer. The protocols section details each protocol. -# Under each protocol, the default value for detection-enabled and " -# parsed-enabled is yes, unless specified otherwise. -# Each protocol covers enabling/disabling parsers for all ipprotos -# the app-layer protocol runs on. For example "dcerpc" refers to the tcp -# version of the protocol as well as the udp version of the protocol. -# The option "enabled" takes 3 values - "yes", "no", "detection-only". -# "yes" enables both detection and the parser, "no" disables both, and -# "detection-only" enables detection only(parser disabled). -app-layer: - protocols: - tls: - enabled: yes - detection-ports: - dp: 443 - - #no-reassemble: yes - dcerpc: - enabled: yes - ftp: - enabled: yes - ssh: - enabled: yes - smtp: - enabled: yes - imap: - enabled: detection-only - msn: - enabled: detection-only - smb: - enabled: yes - detection-ports: - dp: 139 - # smb2 detection is disabled internally inside the engine. - #smb2: - # enabled: yes - dns: - # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. - # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 - - tcp: - enabled: yes - detection-ports: - dp: 53 - udp: - enabled: yes - detection-ports: - dp: 53 - http: - enabled: yes - # memcap: 64mb - - ########################################################################### - # Configure libhtp. - # - # - # default-config: Used when no server-config matches - # personality: List of personalities used by default - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # server-config: List of server configurations to use if address matches - # address: List of ip addresses or networks for this block - # personalitiy: List of personalities used by this block - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # uri-include-all: Include all parts of the URI. By default the - # 'scheme', username/password, hostname and port - # are excluded. Setting this option to true adds - # all of them to the normalized uri as inspected - # by http_uri, urilen, pcre with /U and the other - # keywords that inspect the normalized uri. - # Note that this does not affect http_raw_uri. - # Also, note that including all was the default in - # 1.4 and 2.0beta1. - # - # meta-field-limit: Hard size limit for request and response size - # limits. Applies to request line and headers, - # response line and headers. Does not apply to - # request or response bodies. Default is 18k. - # If this limit is reached an event is raised. - # - # Currently Available Personalities: - # Minimal - # Generic - # IDS (default) - # IIS_4_0 - # IIS_5_0 - # IIS_5_1 - # IIS_6_0 - # IIS_7_0 - # IIS_7_5 - # Apache_2 - ########################################################################### - libhtp: - - default-config: - personality: IDS - - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 3072 - response-body-limit: 3072 - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 32kb - response-body-inspect-window: 4kb - # Take a random value for inspection sizes around the specified value. - # This lower the risk of some evasion technics but could lead - # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes - # If randomize-inspection-sizes is active, the value of various - # inspection size will be choosen in the [1 - range%, 1 + range%] - # range - # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 - - # decoding - double-decode-path: no - double-decode-query: no - - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - -# Profiling settings. Only effective if Suricata has been built with the -# the --enable-profiling configure flag. -# -profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - sort: avgticks - - # Limit the number of items printed at exit. - limit: 100 - - # per keyword profiling - keywords: - enabled: yes - filename: keyword_perf.log - append: yes - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. - locks: - enabled: no - filename: lock_stats.log - append: yes - -# Suricata core dump configuration. Limits the size of the core dump file to -# approximately max-dump. The actual core dump size will be a multiple of the -# page size. Core dumps that would be larger than max-dump are truncated. On -# Linux, the actual core dump size may be a few pages larger than max-dump. -# Setting max-dump to 0 disables core dumping. -# Setting max-dump to 'unlimited' will give the full core dump file. -# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size -# to be 'unlimited'. - -coredump: - max-dump: unlimited - -napatech: - # The Host Buffer Allowance for all streams - # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) - hba: -1 - - # use_all_streams set to "yes" will query the Napatech service for all configured - # streams and listen on all of them. When set to "no" the streams config array - # will be used. - use-all-streams: yes - - # The streams to listen on - streams: [1, 2, 3] - -# Includes. Files included here will be handled as if they were -# inlined in this configuration file. -#include: include1.yaml -#include: include2.yaml diff --git a/meta-security/recipes-ids/suricata/files/tmpfiles.suricata b/meta-security/recipes-ids/suricata/files/tmpfiles.suricata deleted file mode 100644 index fbf37848e..000000000 --- a/meta-security/recipes-ids/suricata/files/tmpfiles.suricata +++ /dev/null @@ -1,2 +0,0 @@ -#Type Path Mode UID GID Age Argument -d /var/log/suricata 0755 root root diff --git a/meta-security/recipes-ids/suricata/files/volatiles.03_suricata b/meta-security/recipes-ids/suricata/files/volatiles.03_suricata deleted file mode 100644 index 4627bd3b0..000000000 --- a/meta-security/recipes-ids/suricata/files/volatiles.03_suricata +++ /dev/null @@ -1,2 +0,0 @@ -# <type> <owner> <group> <mode> <path> <linksource> -d root root 0755 /var/log/suricata none diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.36.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.36.bb deleted file mode 100644 index 8305f7010..000000000 --- a/meta-security/recipes-ids/suricata/libhtp_0.5.36.bb +++ /dev/null @@ -1,15 +0,0 @@ -SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces." - -require suricata.inc - -LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" - -DEPENDS = "zlib" - -inherit autotools pkgconfig - -CFLAGS += "-D_DEFAULT_SOURCE" - -S = "${WORKDIR}/suricata-${VER}/${BPN}" - -RDEPENDS_${PN} += "zlib" diff --git a/meta-security/recipes-ids/suricata/python3-suricata-update_1.2.1.bb b/meta-security/recipes-ids/suricata/python3-suricata-update_1.2.1.bb deleted file mode 100644 index bbdce69ab..000000000 --- a/meta-security/recipes-ids/suricata/python3-suricata-update_1.2.1.bb +++ /dev/null @@ -1,17 +0,0 @@ -SUMMARY = "The tool for updating your Suricata rules. " -HOMEPAGE = "http://suricata-ids.org/" -SECTION = "security Monitor/Admin" -LICENSE = "GPLv2" - -LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" - -SRCREV = "50e857f75e576e239d8306a6ac55946a1ce252a6" -SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.2.x'" - -S = "${WORKDIR}/git" - -inherit python3native python3targetconfig setuptools3 - -RDEPENDS_${PN} = "python3-pyyaml python3-logging python3-compression" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc deleted file mode 100644 index 1ce0d74a8..000000000 --- a/meta-security/recipes-ids/suricata/suricata.inc +++ /dev/null @@ -1,8 +0,0 @@ -HOMEPAGE = "http://suricata-ids.org/" -SECTION = "security Monitor/Admin" -LICENSE = "GPLv2" - -VER = "4.1.10" -SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz" - -SRC_URI[sha256sum] = "4013cb13a2f3f7854328cf072319bba41896fad86d6b85b1cff4004f82aa7276" diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.10.bb b/meta-security/recipes-ids/suricata/suricata_4.1.10.bb deleted file mode 100644 index bf088433a..000000000 --- a/meta-security/recipes-ids/suricata/suricata_4.1.10.bb +++ /dev/null @@ -1,99 +0,0 @@ -SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine" - -require suricata.inc - -LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" - -SRC_URI += " \ - file://volatiles.03_suricata \ - file://tmpfiles.suricata \ - file://suricata.yaml \ - file://suricata.service \ - file://run-ptest \ - " - -UPSTREAM_CHECK_URI = "www.openinfosecfoundation.org/download" - -inherit autotools-brokensep pkgconfig python3-dir systemd ptest - -CFLAGS += "-D_DEFAULT_SOURCE -fcommon" - -CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \ - ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no " - -EXTRA_OECONF += " --disable-debug \ - --enable-non-bundled-htp \ - --disable-gccmarch-native \ - --disable-suricata-update \ - " - -PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr" -PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" - -PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp," -PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," -PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ," -PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ," -PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , " -PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," -PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ," -PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue," - -PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson" -PACKAGECONFIG[file] = ",,file, file" -PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," -PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," -PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3" -PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," - -export logdir = "${localstatedir}/log" - -do_install_append () { - - install -d ${D}${sysconfdir}/suricata - - oe_runmake install-conf DESTDIR=${D} - - oe_runmake install-rules DESTDIR=${D} - - install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles - install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata - - install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d - install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf - - install -d ${D}${systemd_unitdir}/system - sed -e s:/etc:${sysconfdir}:g \ - -e s:/var/run:/run:g \ - -e s:/var:${localstatedir}:g \ - -e s:/usr/bin:${bindir}:g \ - -e s:/bin/kill:${base_bindir}/kill:g \ - -e s:/usr/lib:${libdir}:g \ - ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service - fi - - # Remove /var/run as it is created on startup - rm -rf ${D}${localstatedir}/run - -} - -pkg_postinst_ontarget_${PN} () { -if command -v systemd-tmpfiles >/dev/null; then - systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf -elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then - ${sysconfdir}/init.d/populate-volatile.sh update -fi -} - -SYSTEMD_PACKAGES = "${PN}" - -PACKAGES =+ "${PN}-socketcontrol" -FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d" -FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" - -CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml" - -RDEPENDS_${PN}-python = "python" diff --git a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb index 36e5d00b7..3a9bc1de2 100644 --- a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb +++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb @@ -60,18 +60,18 @@ do_install () { install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN} } -do_install_ptest_append () { +do_install_ptest:append () { install -d ${D}${PTEST_PATH}/tests cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH} sed -i -e 's@../../../../bin@${sbindir}@' ${D}${PTEST_PATH}/twtools.pm } -FILES_${PN} += "${libdir} ${docdir}/${PN}/*" -FILES_${PN}-dbg += "${sysconfdir}/${PN}/.debug" -FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a" -FILES_${PN}-ptest += "${PTEST_PATH}/tests " +FILES:${PN} += "${libdir} ${docdir}/${PN}/*" +FILES:${PN}-dbg += "${sysconfdir}/${PN}/.debug" +FILES:${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a" +FILES:${PN}-ptest += "${PTEST_PATH}/tests " -RDEPENDS_${PN} += " perl nano msmtp cronie" -RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules " +RDEPENDS:${PN} += " perl nano msmtp cronie" +RDEPENDS:${PN}-ptest = " perl lib-perl perl-modules " PNBLACKLIST[tripwire] ?= "Upsteram project appears to be abondoned, fails to build with gcc11" diff --git a/meta-security/recipes-kernel/linux/linux-yocto_security.inc b/meta-security/recipes-kernel/linux/linux-yocto_security.inc index fa536d095..defca570c 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto_security.inc +++ b/meta-security/recipes-kernel/linux/linux-yocto_security.inc @@ -1,3 +1,3 @@ -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" -KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" +KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" +KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES:append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.1.bb b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.1.bb index 287b4e82b..782c6e317 100644 --- a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.1.bb +++ b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.1.bb @@ -28,6 +28,6 @@ module_do_install() { ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko } -RPROVIDES_${PN} += "kernel-module-lkrg" +RPROVIDES:${PN} += "kernel-module-lkrg" COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb index ff5b39b05..dca53a385 100644 --- a/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb +++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.1.bb @@ -29,7 +29,7 @@ S = "${WORKDIR}/git" PARALLEL_MAKE = "" -COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" +COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*" inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative cpan systemd features_check bash-completion @@ -106,11 +106,11 @@ do_install () { } #Building ptest on arm fails. -do_compile_ptest_aarch64 () { +do_compile_ptest:aarch64 () { : } -do_compile_ptest_arm () { +do_compile_ptest:arm () { : } @@ -140,11 +140,11 @@ do_install_ptest () { } #Building ptest on arm fails. -do_install_ptest_aarch64 () { +do_install_ptest:aarch64 () { : } -do_install_ptest_arm() { +do_install_ptest:arm() { : } @@ -153,23 +153,23 @@ INITSCRIPT_NAME = "apparmor" INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "apparmor.service" +SYSTEMD_SERVICE:${PN} = "apparmor.service" SYSTEMD_AUTO_ENABLE ?= "enable" PACKAGES += "mod-${PN}" -FILES_${PN} += "${nonarch_base_libdir}/apparmor/ ${base_libdir}/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages" -FILES_mod-${PN} = "${libdir}/apache2/modules/*" -FILES_${PN}-dbg += "${base_libdir}/security/.debug" +FILES:${PN} += "${nonarch_base_libdir}/apparmor/ ${base_libdir}/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages" +FILES:mod-${PN} = "${libdir}/apache2/modules/*" +FILES:${PN}-dbg += "${base_libdir}/security/.debug" -DEPENDS_append_libc-musl = " fts " -RDEPENDS_${PN}_libc-musl += "musl-utils" -RDEPENDS_${PN}_libc-glibc += "glibc-utils" +DEPENDS:append:libc-musl = " fts " +RDEPENDS:${PN}:libc-musl += "musl-utils" +RDEPENDS:${PN}:libc-glibc += "glibc-utils" # Add coreutils and findutils only if sysvinit scripts are in use -RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" -RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" -RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" +RDEPENDS:${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" +RDEPENDS:${PN}:remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" +RDEPENDS:${PN}-ptest += "perl coreutils dbus-lib bash" -INSANE_SKIP_${PN} = "ldflags" -PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*" +INSANE_SKIP:${PN} = "ldflags" +PRIVATE_LIBS:${PN}-ptest = "libapparmor.so*" diff --git a/meta-security/recipes-mac/ccs-tools/README b/meta-security/recipes-mac/ccs-tools/README index 4a4faa715..0381814c3 100644 --- a/meta-security/recipes-mac/ccs-tools/README +++ b/meta-security/recipes-mac/ccs-tools/README @@ -9,4 +9,4 @@ To start via command line add: To initialize: /usr/lib/ccs/init_policy -DISTRO_FEATURES_append = " tomoyo" +DISTRO_FEATURES:append = " tomoyo" diff --git a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb index 79af6a5d1..08da24ad2 100644 --- a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb +++ b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb @@ -29,17 +29,17 @@ do_install(){ PACKAGE="${PN} ${PN}-dbg ${PN}-doc" -FILES_${PN} = "\ +FILES:${PN} = "\ ${sbindir}/* \ ${base_sbindir}/* \ ${libdir}/* \ " -FILES_${PN}-doc = "\ +FILES:${PN}-doc = "\ ${mandir}/man8/* \ " -FILES_${PN}-dbg = "\ +FILES:${PN}-dbg = "\ ${base_sbindir}/.debug/* \ ${sbindir}/.debug/* \ ${libdir}/.debug/* \ diff --git a/meta-security/recipes-mac/smack/smack-test_1.0.bb b/meta-security/recipes-mac/smack/smack-test_1.0.bb index d5de6076a..d7824aef6 100644 --- a/meta-security/recipes-mac/smack/smack-test_1.0.bb +++ b/meta-security/recipes-mac/smack/smack-test_1.0.bb @@ -22,4 +22,4 @@ do_install() { install -m 0755 *.sh ${D}${sbindir} } -RDEPENDS_${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test" +RDEPENDS:${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test" diff --git a/meta-security/recipes-mac/smack/smack_1.3.1.bb b/meta-security/recipes-mac/smack/smack_1.3.1.bb index 88ae56cde..6c2f04108 100644 --- a/meta-security/recipes-mac/smack/smack_1.3.1.bb +++ b/meta-security/recipes-mac/smack/smack_1.3.1.bb @@ -28,15 +28,15 @@ REQUIRED_DISTRO_FEATURES = "smack" S = "${WORKDIR}/git" PACKAGECONFIG ??= "" -PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" +PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --without-systemdsystemunitdir, systemd" -do_compile_append () { +do_compile:append () { oe_runmake -C ${S}/tests generator } -do_install_append () { +do_install:append () { install -d ${D}${sysconfdir}/init.d install -d ${D}${sysconfdir}/smack install -d ${D}${sysconfdir}/smack/accesses.d @@ -55,10 +55,10 @@ INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME = "smack" INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." -FILES_${PN} += "${sysconfdir}/init.d/smack" -FILES_${PN}-ptest += "generator" +FILES:${PN} += "${sysconfdir}/init.d/smack" +FILES:${PN}-ptest += "generator" -RDEPENDS_${PN} += "coreutils python3-core" -RDEPENDS_${PN}-ptest += "make bash bc" +RDEPENDS:${PN} += "coreutils python3-core" +RDEPENDS:${PN}-ptest += "make bash bc" BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c index 185f97380..6c0a47481 100644 --- a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c +++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c @@ -1,111 +1,111 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <netinet/in.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <string.h>
-#include <sys/xattr.h>
-
-int main(int argc, char* argv[])
-{
-
- int sock;
- char message[255] = "hello";
- struct sockaddr_in server_addr;
- char* label_in;
- char* label_out;
- char* attr_out = "security.SMACK64IPOUT";
- char* attr_in = "security.SMACK64IPIN";
- char out[256];
- int port;
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- struct hostent* host = gethostbyname("localhost");
-
- if (argc != 4)
- {
- perror("Client: Arguments missing, please provide socket labels");
- return 2;
- }
-
- port = atoi(argv[1]);
- label_in = argv[2];
- label_out = argv[3];
-
- if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- {
- perror("Client: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
- {
- perror("Client: Unable to set attribute SMACK64IPOUT");
- return 2;
- }
-
- if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
- {
- perror("Client: Unable to set attribute SMACK64IPIN");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
- bzero(&(server_addr.sin_zero),8);
-
- if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Client: Set timeout failed\n");
- return 2;
- }
-
- if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
- {
- perror("Client: Connection failure");
- close(sock);
- return 1;
- }
-
-
- if(write(sock, message, strlen(message)) < 0)
- {
- perror("Client: Error sending data\n");
- close(sock);
- return 1;
- }
- close(sock);
- return 0;
-}
-
-
-
-
-
-
+// (C) Copyright 2015 Intel Corporation +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. +#include <stdio.h> +#include <sys/socket.h> +#include <sys/types.h> +#include <errno.h> +#include <netinet/in.h> +#include <unistd.h> +#include <netdb.h> +#include <string.h> +#include <sys/xattr.h> + +int main(int argc, char* argv[]) +{ + + int sock; + char message[255] = "hello"; + struct sockaddr_in server_addr; + char* label_in; + char* label_out; + char* attr_out = "security.SMACK64IPOUT"; + char* attr_in = "security.SMACK64IPIN"; + char out[256]; + int port; + + struct timeval timeout; + timeout.tv_sec = 15; + timeout.tv_usec = 0; + + struct hostent* host = gethostbyname("localhost"); + + if (argc != 4) + { + perror("Client: Arguments missing, please provide socket labels"); + return 2; + } + + port = atoi(argv[1]); + label_in = argv[2]; + label_out = argv[3]; + + if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) + { + perror("Client: Socket failure"); + return 2; + } + + + if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0) + { + perror("Client: Unable to set attribute SMACK64IPOUT"); + return 2; + } + + if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0) + { + perror("Client: Unable to set attribute SMACK64IPIN"); + return 2; + } + + server_addr.sin_family = AF_INET; + server_addr.sin_port = htons(port); + bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length); + bzero(&(server_addr.sin_zero),8); + + if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0) + { + perror("Client: Set timeout failed\n"); + return 2; + } + + if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1) + { + perror("Client: Connection failure"); + close(sock); + return 1; + } + + + if(write(sock, message, strlen(message)) < 0) + { + perror("Client: Error sending data\n"); + close(sock); + return 1; + } + close(sock); + return 0; +} + + + + + + diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c index 9285dc695..3c8921f13 100644 --- a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c +++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c @@ -1,118 +1,118 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <netinet/in.h>
-#include <unistd.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
-
- int sock;
- int clientsock;
- char message[255];
- socklen_t client_length;
- struct sockaddr_in server_addr, client_addr;
- char* label_in;
- char* attr_in = "security.SMACK64IPIN";
- int port;
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- if (argc != 3)
- {
- perror("Server: Argument missing please provide port and label for SMACK64IPIN");
- return 2;
- }
-
- port = atoi(argv[1]);
- label_in = argv[2];
- bzero(message,255);
-
-
- if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- {
- perror("Server: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
- {
- perror("Server: Unable to set attribute ipin 2");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- server_addr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(server_addr.sin_zero),8);
-
- if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Server: Set timeout failed\n");
- return 2;
- }
-
- if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
- {
- perror("Server: Bind failure ");
- return 2;
- }
-
- listen(sock, 1);
- client_length = sizeof(client_addr);
-
- clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
-
- if (clientsock < 0)
- {
- perror("Server: Connection failed");
- close(sock);
- return 1;
- }
-
-
- if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
- {
- perror(" Server: Unable to set attribute ipin 2");
- close(sock);
- return 2;
- }
-
- if(read(clientsock, message, 254) < 0)
- {
- perror("Server: Error when reading from socket");
- close(clientsock);
- close(sock);
- return 1;
- }
-
-
- close(clientsock);
- close(sock);
-
- return 0;
-}
+// (C) Copyright 2015 Intel Corporation +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. +#include <stdio.h> +#include <sys/socket.h> +#include <sys/types.h> +#include <errno.h> +#include <netinet/in.h> +#include <unistd.h> +#include <string.h> + +int main(int argc, char* argv[]) +{ + + int sock; + int clientsock; + char message[255]; + socklen_t client_length; + struct sockaddr_in server_addr, client_addr; + char* label_in; + char* attr_in = "security.SMACK64IPIN"; + int port; + + struct timeval timeout; + timeout.tv_sec = 15; + timeout.tv_usec = 0; + + if (argc != 3) + { + perror("Server: Argument missing please provide port and label for SMACK64IPIN"); + return 2; + } + + port = atoi(argv[1]); + label_in = argv[2]; + bzero(message,255); + + + if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) + { + perror("Server: Socket failure"); + return 2; + } + + + if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0) + { + perror("Server: Unable to set attribute ipin 2"); + return 2; + } + + server_addr.sin_family = AF_INET; + server_addr.sin_port = htons(port); + server_addr.sin_addr.s_addr = INADDR_ANY; + bzero(&(server_addr.sin_zero),8); + + if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0) + { + perror("Server: Set timeout failed\n"); + return 2; + } + + if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0) + { + perror("Server: Bind failure "); + return 2; + } + + listen(sock, 1); + client_length = sizeof(client_addr); + + clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length); + + if (clientsock < 0) + { + perror("Server: Connection failed"); + close(sock); + return 1; + } + + + if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0) + { + perror(" Server: Unable to set attribute ipin 2"); + close(sock); + return 2; + } + + if(read(clientsock, message, 254) < 0) + { + perror("Server: Error when reading from socket"); + close(clientsock); + close(sock); + return 1; + } + + + close(clientsock); + close(sock); + + return 0; +} diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c index 4d3afbe6c..23f3e0004 100644 --- a/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c +++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c @@ -1,75 +1,75 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <sys/socket.h>
-#include <stdio.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
- char* message = "hello";
- int sock, ret;
- struct sockaddr_in server_addr;
- struct hostent* host = gethostbyname("localhost");
- char* label;
- char* attr = "security.SMACK64IPOUT";
- int port;
- if (argc != 3)
- {
- perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
- return 2;
- }
-
- port = atoi(argv[1]);
- label = argv[2];
- sock = socket(AF_INET, SOCK_DGRAM,0);
- if(sock < 0)
- {
- perror("Client: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
- {
- perror("Client: Unable to set attribute ");
- return 2;
- }
-
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
- bzero(&(server_addr.sin_zero),8);
-
- ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
- sizeof(struct sockaddr_in));
-
- close(sock);
- if(ret < 0)
- {
- perror("Client: Error sending message\n");
- return 1;
- }
-
- return 0;
-}
-
+// (C) Copyright 2015 Intel Corporation +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. +#include <sys/socket.h> +#include <stdio.h> +#include <netinet/in.h> +#include <netdb.h> +#include <string.h> + +int main(int argc, char* argv[]) +{ + char* message = "hello"; + int sock, ret; + struct sockaddr_in server_addr; + struct hostent* host = gethostbyname("localhost"); + char* label; + char* attr = "security.SMACK64IPOUT"; + int port; + if (argc != 3) + { + perror("Client: Argument missing, please provide port and label for SMACK64IPOUT"); + return 2; + } + + port = atoi(argv[1]); + label = argv[2]; + sock = socket(AF_INET, SOCK_DGRAM,0); + if(sock < 0) + { + perror("Client: Socket failure"); + return 2; + } + + + if(fsetxattr(sock, attr, label, strlen(label),0) < 0) + { + perror("Client: Unable to set attribute "); + return 2; + } + + + server_addr.sin_family = AF_INET; + server_addr.sin_port = htons(port); + bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length); + bzero(&(server_addr.sin_zero),8); + + ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr, + sizeof(struct sockaddr_in)); + + close(sock); + if(ret < 0) + { + perror("Client: Error sending message\n"); + return 1; + } + + return 0; +} + diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c index cbab71e65..7d2fcf525 100644 --- a/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c +++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c @@ -1,93 +1,93 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <sys/socket.h>
-#include <stdio.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
- int sock,ret;
- struct sockaddr_in server_addr, client_addr;
- socklen_t len;
- char message[5];
- char* label;
- char* attr = "security.SMACK64IPIN";
- int port;
-
- if(argc != 3)
- {
- perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
- return 2;
- }
-
- port = atoi(argv[1]);
- label = argv[2];
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- sock = socket(AF_INET,SOCK_DGRAM,0);
- if(sock < 0)
- {
- perror("Server: Socket error");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
- {
- perror("Server: Unable to set attribute ");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- server_addr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(server_addr.sin_zero),8);
-
-
- if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Server: Set timeout failed\n");
- return 2;
- }
-
- if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
- {
- perror("Server: Bind failure");
- return 2;
- }
-
- len = sizeof(client_addr);
- ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
- &len);
- close(sock);
- if(ret < 0)
- {
- perror("Server: Error receiving");
- return 1;
-
- }
- return 0;
-}
-
+// (C) Copyright 2015 Intel Corporation +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. +#include <sys/socket.h> +#include <stdio.h> +#include <netinet/in.h> +#include <netdb.h> +#include <string.h> + +int main(int argc, char* argv[]) +{ + int sock,ret; + struct sockaddr_in server_addr, client_addr; + socklen_t len; + char message[5]; + char* label; + char* attr = "security.SMACK64IPIN"; + int port; + + if(argc != 3) + { + perror("Server: Argument missing, please provide port and label for SMACK64IPIN"); + return 2; + } + + port = atoi(argv[1]); + label = argv[2]; + + struct timeval timeout; + timeout.tv_sec = 15; + timeout.tv_usec = 0; + + sock = socket(AF_INET,SOCK_DGRAM,0); + if(sock < 0) + { + perror("Server: Socket error"); + return 2; + } + + + if(fsetxattr(sock, attr, label, strlen(label), 0) < 0) + { + perror("Server: Unable to set attribute "); + return 2; + } + + server_addr.sin_family = AF_INET; + server_addr.sin_port = htons(port); + server_addr.sin_addr.s_addr = INADDR_ANY; + bzero(&(server_addr.sin_zero),8); + + + if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0) + { + perror("Server: Set timeout failed\n"); + return 2; + } + + if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0) + { + perror("Server: Bind failure"); + return 2; + } + + len = sizeof(client_addr); + ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr, + &len); + close(sock); + if(ret < 0) + { + perror("Server: Error receiving"); + return 1; + + } + return 0; +} + diff --git a/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb b/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb index 71857ab3e..5889a058e 100644 --- a/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb +++ b/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb @@ -24,6 +24,6 @@ do_install() { oe_runmake install DESTDIR=${D} INSTALLDIR=${PERLLIBDIRS}/vendor_perl/${PERLVERSION} MANDIR=${datadir}/perl/${PERLVERSION} } -FILES_${PN} += "${datadir}/perl" +FILES:${PN} += "${datadir}/perl" BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb b/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb index ca25d1459..3a074614a 100644 --- a/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb +++ b/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb @@ -8,4 +8,4 @@ SRC_URI[sha256sum] = "d486741e451287f69568a4d26d70d9acd73a2bbfa275746c535b420989 inherit pypi setuptools3 -RDEPENDS_${PN} = "python3-six python3-rsa python3-httplib2 python3-pyasn1 python3-pyasn1-modules" +RDEPENDS:${PN} = "python3-six python3-rsa python3-httplib2 python3-pyasn1 python3-pyasn1-modules" diff --git a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb b/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb index 44aeca015..c152b8c5c 100644 --- a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb +++ b/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb @@ -66,14 +66,14 @@ INITSCRIPT_NAME = "arpwatch" INITSCRIPT_PARAMS = "start 02 2 3 4 5 . stop 20 0 1 6 ." USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM_${PN} = "--system ${ARPWATCH_UID}" -USERADD_PARAM_${PN} = "--system -g ${ARPWATCH_GID} --home-dir \ +GROUPADD_PARAM:${PN} = "--system ${ARPWATCH_UID}" +USERADD_PARAM:${PN} = "--system -g ${ARPWATCH_GID} --home-dir \ ${localstatedir}/spool/${BPN} \ --no-create-home --shell /bin/false ${BPN}" CONFFILE_FILES = "${sysconfdir}/${PN}.conf" -FILES_${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \ +FILES:${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \ ${sysconfdir} /var/lib/arpwatch" -RDEPENDS_${PN} = "libpcap postfix postfix-cfg" +RDEPENDS:${PN} = "libpcap postfix postfix-cfg" diff --git a/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb b/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb index 20a1fb026..63e4d7a8b 100644 --- a/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb +++ b/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb @@ -26,16 +26,16 @@ do_install() { } -FILES_${PN} = "${bindir}/*" +FILES:${PN} = "${bindir}/*" -RDEPENDS_${PN} = "coreutils gnupg net-tools perl perl-module-data-dumper \ +RDEPENDS:${PN} = "coreutils gnupg net-tools perl perl-module-data-dumper \ perl-module-file-basename perl-module-file-spec perl-module-getopt-long \ perl-module-lib perl-module-posix perl-module-term-ansicolor \ perl-module-time-localtime pinentry perl-module-pod-usage \ perl-module-pod-text perl-module-file-glob \ " -RDEPENDS_${PN}_class-native = "coreutils net-tools perl perl-module-data-dumper \ +RDEPENDS:${PN}:class-native = "coreutils net-tools perl perl-module-data-dumper \ perl-module-file-basename perl-module-file-spec perl-module-getopt-long \ perl-module-lib perl-module-posix perl-module-term-ansicolor \ perl-module-time-localtime perl-module-file-glob\ diff --git a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb b/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb index 52bcf7cfb..000e3bb73 100644 --- a/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb +++ b/meta-security/recipes-scanners/checksec/checksec_2.4.0.bb @@ -16,4 +16,4 @@ do_install() { install -m 0755 ${S}/checksec ${D}${bindir} } -RDEPENDS_${PN} = "bash openssl-bin binutils" +RDEPENDS:${PN} = "bash openssl-bin binutils" diff --git a/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb b/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb index 0161b4cc2..9a1d77a0c 100644 --- a/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb +++ b/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb @@ -18,4 +18,4 @@ do_install() { oe_runmake PREFIX=${D} } -RDEPENDS_${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob perl-module-carp perl-module-env perl-module-tap-parser-iterator-array util-linux findutils coreutils" +RDEPENDS:${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob perl-module-carp perl-module-env perl-module-tap-parser-iterator-array util-linux findutils coreutils" diff --git a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb index 4f203095c..0d3a678e2 100644 --- a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb +++ b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb @@ -8,10 +8,10 @@ DEPENDS = "glibc llvm libtool db openssl zlib curl libxml2 bison pcre2 json-c li LIC_FILES_CHKSUM = "file://COPYING.txt;beginline=2;endline=3;md5=f7029fbbc5898b273d5902896f7bbe17" -# May 15th -SRCREV = "fe96de86bb90c489aa509ee9135f776b7a2a7eb4" +# July 27th +SRCREV = "c389dfa4c3af92b006ada4f7595bbc3e6df3f356" -SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=dev/0.104 \ +SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104 \ file://clamd.conf \ file://freshclam.conf \ file://volatiles.03_clamav \ @@ -52,7 +52,7 @@ PACKAGECONFIG[systemd] = "-DENABLE_SYSTEMD=ON -DSYSTEMD_UNIT_DIR=${systemd_syste export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_libdir} -L${STAGING_LIBDIR} -lpthread" -do_install_append () { +do_install:append () { install -d ${D}/${sysconfdir} install -d ${D}/${localstatedir}/lib/clamav install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles @@ -76,7 +76,7 @@ do_install_append () { oe_multilib_header clamav-types.h } -pkg_postinst_${PN} () { +pkg_postinst:${PN} () { if [ -z "$D" ]; then if command -v systemd-tmpfiles >/dev/null; then systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf @@ -89,17 +89,17 @@ pkg_postinst_${PN} () { PACKAGES += "${PN}-daemon ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav" -FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit ${sbindir}/clamonacc \ +FILES:${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit ${sbindir}/clamonacc \ ${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \ ${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit* \ ${docdir}/clamav/*" -FILES_${PN}-clamdscan = " ${bindir}/clamdscan \ +FILES:${PN}-clamdscan = " ${bindir}/clamdscan \ ${docdir}/clamdscan/* \ ${mandir}/man1/clamdscan* \ " -FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \ +FILES:${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \ ${mandir}/man1/clamconf* ${mandir}/man1/clamdtop* \ ${mandir}/man5/clamd* ${mandir}/man8/clamd* \ ${sysconfdir}/clamd.conf* \ @@ -111,7 +111,7 @@ FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \ ${systemd_system_unitdir}/clamav-clamonacc.service \ " -FILES_${PN}-freshclam = "${bindir}/freshclam \ +FILES:${PN}-freshclam = "${bindir}/freshclam \ ${sysconfdir}/freshclam.conf* \ /usr/etc/freshclam.conf* \ ${sysconfdir}/clamav ${sysconfdir}/default/volatiles \ @@ -121,33 +121,33 @@ FILES_${PN}-freshclam = "${bindir}/freshclam \ ${mandir}/man5/freshclam.conf.* \ ${systemd_system_unitdir}/clamav-freshclam.service" -FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \ +FILES:${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \ ${libdir}/pkgconfig/*.pc \ ${mandir}/man1/clamav-config.* \ ${includedir}/*.h ${docdir}/libclamav* " -FILES_${PN}-staticdev = "${libdir}/*.a" +FILES:${PN}-staticdev = "${libdir}/*.a" -FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so* \ +FILES:${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so* \ ${libdir}/libfreshclam.so* ${docdir}/libclamav/* \ ${libdir}/libmspack* " -FILES_${PN}-doc = "${mandir}/man/* \ +FILES:${PN}-doc = "${mandir}/man/* \ ${datadir}/man/* \ ${docdir}/* " USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}" -USERADD_PARAM_${PN} = "--system -g ${CLAMAV_GID} --home-dir \ +GROUPADD_PARAM:${PN} = "--system ${CLAMAV_UID}" +USERADD_PARAM:${PN} = "--system -g ${CLAMAV_GID} --home-dir \ ${localstatedir}/lib/${BPN} \ --no-create-home --shell /sbin/nologin ${BPN}" -RPROVIDES_${PN} += "${PN}-systemd" -RREPLACES_${PN} += "${PN}-systemd" -RCONFLICTS_${PN} += "${PN}-systemd" +RPROVIDES:${PN} += "${PN}-systemd" +RREPLACES:${PN} += "${PN}-systemd" +RCONFLICTS:${PN} += "${PN}-systemd" SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-freshclam" -SYSTEMD_SERVICE_${PN}-daemon = "clamav-daemon.service" -SYSTEMD_SERVICE_${PN}-freshclam = "clamav-freshclam.service" +SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service" +SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service" -RDEPENDS_${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav" -RDEPENDS_${PN}-daemon = "clamav" +RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav" +RDEPENDS:${PN}-daemon = "clamav" diff --git a/meta-security/recipes-scanners/clamav/files/fix2_libcurl_check.patch b/meta-security/recipes-scanners/clamav/files/fix2_libcurl_check.patch new file mode 100644 index 000000000..46406e9d0 --- /dev/null +++ b/meta-security/recipes-scanners/clamav/files/fix2_libcurl_check.patch @@ -0,0 +1,122 @@ +clamav .102.2 tries to find clamav using culf_config. Use EO pkg_config instead + +Upstream-Status: OE specific +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: git/configure +=================================================================== +--- git.orig/configure ++++ git/configure +@@ -28850,39 +28850,14 @@ $as_echo_n "checking for libcurl install + if test "${with_libcurl+set}" = set; then : + withval=$with_libcurl; + find_curl="no" +-if test "X$withval" = "Xyes"; then +- find_curl="yes" +-else +- if test "X$withval" != "Xno"; then +- if test -f "${withval}/bin/curl-config"; then +- LIBCURL_HOME="$withval" +- have_curl="yes" +- fi +- fi +-fi +- +-else +- find_curl="yes" +-fi +- +- +-if test "X$find_curl" = "Xyes"; then +- for p in /usr/local /usr ; do +- if test -f "${p}/bin/curl-config"; then +- LIBCURL_HOME=$p +- have_curl="yes" +- fi +- done +-fi +- +-if test "X$have_curl" = "Xyes"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIBCURL_HOME" >&5 +-$as_echo "$LIBCURL_HOME" >&6; } +- if test -f "$LIBCURL_HOME/bin/curl-config"; then ++ #save_LDFLAGS="$LDFLAGS" ++ if test "X$withval" != "Xno"; then ++ LIBCURL_HOME="$withval" ++ if test "${PKG_CONFIG} libcurl --exists"; then + CURL_LDFLAGS="$LDFLAGS" +- CURL_LIBS=$($LIBCURL_HOME/bin/curl-config --libs) +- CURL_CPPFLAGS=$($LIBCURL_HOME/bin/curl-config --cflags) +- else ++ CURL_LIBS=$($PKG_CONFIG libcurl --libs) ++ CURL_CPPFLAGS=$($PKG_CONFIG libcurl --cflags) ++ else + if test "$LIBCURL_HOME" != "/usr"; then + CURL_LDFLAGS="-L$LIBCURL_HOME/lib" + CURL_CPPFLAGS="-I$LIBCURL_HOME/include" +@@ -28891,60 +28866,12 @@ $as_echo "$LIBCURL_HOME" >&6; } + CURL_CPPFLAGS="" + fi + CURL_LIBS="-lcurl" +- fi +- save_LDFLAGS="$LDFLAGS" +- LDFLAGS="$CURL_LDFLAGS $CURL_LIBS" +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for curl_easy_init in -lcurl" >&5 +-$as_echo_n "checking for curl_easy_init in -lcurl... " >&6; } +-if ${ac_cv_lib_curl_curl_easy_init+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- ac_check_lib_save_LIBS=$LIBS +-LIBS="-lcurl $CURL_LIBS +- $LIBS" +-cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +-/* Override any GCC internal prototype to avoid an error. +- Use char because int might match the return type of a GCC +- builtin and then its argument prototype would still apply. */ +-#ifdef __cplusplus +-extern "C" +-#endif +-char curl_easy_init (); +-int +-main () +-{ +-return curl_easy_init (); +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- ac_cv_lib_curl_curl_easy_init=yes +-else +- ac_cv_lib_curl_curl_easy_init=no +-fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +-LIBS=$ac_check_lib_save_LIBS +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_curl_easy_init" >&5 +-$as_echo "$ac_cv_lib_curl_curl_easy_init" >&6; } +-if test "x$ac_cv_lib_curl_curl_easy_init" = xyes; then : +- +- curl_msg=""; +- have_curl="yes"; +- CLAMSUBMIT_LIBS="$CLAMSUBMIT_LIBS $CURL_LDFLAGS $CURL_LIBS"; +- CLAMSUBMIT_CFLAGS="$CLAMSUBMIT_CFLAGS $CURL_CPPFLAGS"; +- FRESHCLAM_LIBS="$FRESHCLAM_LIBS $CURL_LDFLAGS $CURL_LIBS"; +- FRESHCLAM_CPPFLAGS="$FRESHCLAM_CPPFLAGS $CURL_CPPFLAGS" +- +-else +- +- as_fn_error $? "Your libcurl is misconfigured. libcurl (e.g. libcurl-devel) is required in order to build freshclam and clamsubmit." "$LINENO" 5 ++ fi + +-fi ++ have_curl="yes" ++ LDFLAGS="$save_LDFLAGS" ++ LDFLAGS="$CURL_LDFLAGS $CURL_LIBS" ++ fi + + LDFLAGS="$save_LDFLAGS" + else diff --git a/meta-security/recipes-scanners/clamav/files/fix_systemd_socket.patch b/meta-security/recipes-scanners/clamav/files/fix_systemd_socket.patch index 3e9abe236..334777028 100644 --- a/meta-security/recipes-scanners/clamav/files/fix_systemd_socket.patch +++ b/meta-security/recipes-scanners/clamav/files/fix_systemd_socket.patch @@ -12,9 +12,9 @@ Index: git/clamd/CMakeLists.txt =================================================================== --- git.orig/clamd/CMakeLists.txt +++ git/clamd/CMakeLists.txt -@@ -54,4 +54,10 @@ if(SYSTEMD_FOUND) +@@ -60,4 +60,10 @@ if(SYSTEMD_FOUND) install( - FILES ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.service + FILES ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.socket DESTINATION ${SYSTEMD_UNIT_DIR}) + configure_file( + ${CMAKE_CURRENT_SOURCE_DIR}/clamav-daemon.socket.in diff --git a/meta-security/recipes-scanners/clamav/files/headers_fixup.patch b/meta-security/recipes-scanners/clamav/files/headers_fixup.patch index 9de0a26db..369aa588e 100644 --- a/meta-security/recipes-scanners/clamav/files/headers_fixup.patch +++ b/meta-security/recipes-scanners/clamav/files/headers_fixup.patch @@ -7,7 +7,7 @@ Index: git/CMakeLists.txt =================================================================== --- git.orig/CMakeLists.txt +++ git/CMakeLists.txt -@@ -374,8 +373,6 @@ check_include_file("stdlib.h" +@@ -443,8 +443,6 @@ check_include_file("stdlib.h" check_include_file("string.h" HAVE_STRING_H) check_include_file("strings.h" HAVE_STRINGS_H) check_include_file("sys/cdefs.h" HAVE_SYS_CDEFS_H) @@ -16,7 +16,7 @@ Index: git/CMakeLists.txt check_include_file("sys/mman.h" HAVE_SYS_MMAN_H) check_include_file("sys/param.h" HAVE_SYS_PARAM_H) check_include_file("sys/queue.h" HAVE_SYS_QUEUE_H) -@@ -410,8 +407,6 @@ endif() +@@ -479,8 +477,6 @@ endif() # int-types variants check_include_file("inttypes.h" HAVE_INTTYPES_H) @@ -25,7 +25,7 @@ Index: git/CMakeLists.txt check_include_file("stdint.h" HAVE_STDINT_H) # this hack required to silence warnings on systems with inttypes.h -@@ -539,17 +528,11 @@ check_type_size("time_t" SIZEOF_TIME_T) +@@ -608,17 +604,11 @@ check_type_size("time_t" SIZEOF_TIME_T) # Checks for library functions. include(CheckSymbolExists) check_symbol_exists(_Exit "stdlib.h" HAVE__EXIT) @@ -44,7 +44,7 @@ Index: git/CMakeLists.txt check_symbol_exists(timegm "time.h" HAVE_TIMEGM) check_symbol_exists(vsnprintf "stdio.h" HAVE_VSNPRINTF) -@@ -563,10 +546,9 @@ else() +@@ -632,10 +622,9 @@ else() check_symbol_exists(fseeko "stdio.h" HAVE_FSEEKO) check_symbol_exists(getaddrinfo "netdb.h" HAVE_GETADDRINFO) check_symbol_exists(getpagesize "unistd.h" HAVE_GETPAGESIZE) diff --git a/meta-security/recipes-scanners/clamav/files/oe_cmake_fixup.patch b/meta-security/recipes-scanners/clamav/files/oe_cmake_fixup.patch index b284915b8..c9c88b930 100644 --- a/meta-security/recipes-scanners/clamav/files/oe_cmake_fixup.patch +++ b/meta-security/recipes-scanners/clamav/files/oe_cmake_fixup.patch @@ -22,7 +22,7 @@ Index: git/CMakeLists.txt if(C_LINUX) if(CMAKE_COMPILER_IS_GNUCXX) # Set _GNU_SOURCE for O_LARGEFILE, O_CLOEXEC, O_DIRECTORY, O_NOFOLLOW, etc flags on older systems -@@ -512,14 +506,8 @@ include(TestInline) +@@ -581,14 +575,8 @@ include(TestInline) include(CheckFileOffsetBits) # Determine how to pack structs on this platform. include(CheckStructPacking) diff --git a/meta-security/recipes-scanners/clamav/files/test.patch b/meta-security/recipes-scanners/clamav/files/test.patch new file mode 100644 index 000000000..a22b45def --- /dev/null +++ b/meta-security/recipes-scanners/clamav/files/test.patch @@ -0,0 +1,24 @@ +Index: clamav-0.103.0/Makefile.am +=================================================================== +--- clamav-0.103.0.orig/Makefile.am ++++ clamav-0.103.0/Makefile.am +@@ -28,7 +28,6 @@ else + SUBDIRS = libltdl libclamav shared libfreshclam clamscan clamd clamdscan freshclam sigtool clamconf database docs etc clamav-milter test clamdtop clambc unit_tests + EXTRA_DIST = examples shared libclamav.pc.in COPYING.bzip2 COPYING.lzma COPYING.unrar COPYING.LGPL COPYING.llvm COPYING.file COPYING.zlib COPYING.getopt COPYING.regex COPYING.YARA COPYING.pcre platform.h.in libclamunrar libclamunrar_iface libclammspack clamdscan/clamdscan.map win32 ChangeLog.md INSTALL.cmake.md INSTALL.autotools.md NEWS.md README.md cmake CMakeLists.txt CMakeOptions.cmake $(top_srcdir)/**/CMakeLists.txt libclammspack/config.h.in.cmake clamav-config.h.cmake.in target.h.cmake.in autogen.sh + +-bin_SCRIPTS=clamav-config + + if BUILD_CLAMONACC + SUBDIRS += clamonacc +Index: clamav-0.103.0/Makefile.in +=================================================================== +--- clamav-0.103.0.orig/Makefile.in ++++ clamav-0.103.0/Makefile.in +@@ -641,7 +641,6 @@ ACLOCAL_AMFLAGS = -I m4 + @BUILD_LIBCLAMAV_ONLY_TRUE@SUBDIRS = libclamav $(am__append_1) \ + @BUILD_LIBCLAMAV_ONLY_TRUE@ $(am__append_2) $(am__append_3) + @BUILD_LIBCLAMAV_ONLY_FALSE@bin_SCRIPTS = clamav-config +-@BUILD_LIBCLAMAV_ONLY_TRUE@bin_SCRIPTS = clamav-config + @BUILD_LIBCLAMAV_ONLY_FALSE@EXTRA_DIST = examples shared libclamav.pc.in COPYING.bzip2 COPYING.lzma COPYING.unrar COPYING.LGPL COPYING.llvm COPYING.file COPYING.zlib COPYING.getopt COPYING.regex COPYING.YARA COPYING.pcre platform.h.in libclamunrar libclamunrar_iface libclammspack clamdscan/clamdscan.map win32 ChangeLog.md INSTALL.cmake.md INSTALL.autotools.md NEWS.md README.md cmake CMakeLists.txt CMakeOptions.cmake $(top_srcdir)/**/CMakeLists.txt libclammspack/config.h.in.cmake clamav-config.h.cmake.in target.h.cmake.in autogen.sh + pkgconfigdir = $(libdir)/pkgconfig + pkgconfig_DATA = libclamav.pc diff --git a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb index 8d3b5311f..f76f1df29 100644 --- a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb +++ b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.6.bb @@ -29,8 +29,8 @@ do_install () { make DESTDIR=${D} ${OEMAKE_EXTRA} ext_scripts=true install } -FILES_${PN} += "${libdir}/*.so" +FILES:${PN} += "${libdir}/*.so" FILES_SOLIBSDEV = "" -INSANE_SKIP_${PN} += "dev-so" +INSANE_SKIP:${PN} += "dev-so" -RDEPENDS_${PN} = "libpcap" +RDEPENDS:${PN} = "libpcap" diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/recipes-security/bastille/bastille_3.2.1.bb index 0290cae2e..72281c537 100644 --- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb +++ b/meta-security/recipes-security/bastille/bastille_3.2.1.bb @@ -6,8 +6,8 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b" # Bash is needed for set +o privileged (check busybox), might also need ncurses DEPENDS = "virtual/kernel" -RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils" -FILES_${PN} += "/run/lock/subsys/bastille" +RDEPENDS:${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils" +FILES:${PN} += "/run/lock/subsys/bastille" SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \ file://AccountPermission.pm \ @@ -150,4 +150,4 @@ do_install () { ln -s RevertBastille ${D}${sbindir}/UndoBastille } -FILES_${PN} += "${datadir}/Bastille ${libdir}/Bastille ${libdir}/perl* ${sysconfdir}/*" +FILES:${PN} += "${datadir}/Bastille ${libdir}/Bastille ${libdir}/perl* ${sysconfdir}/*" diff --git a/meta-security/recipes-security/bastille/files/AccountPermission.pm b/meta-security/recipes-security/bastille/files/AccountPermission.pm index cfbaab1d9..132b30ccb 100644 --- a/meta-security/recipes-security/bastille/files/AccountPermission.pm +++ b/meta-security/recipes-security/bastille/files/AccountPermission.pm @@ -16,7 +16,7 @@ B_chgrp B_chgrp_link B_userdel B_groupdel -B_remove_user_from_group +B:remove_user_from_group B_check_owner_group B_is_unowned_file B_is_ungrouped_file @@ -28,7 +28,7 @@ B_is_suid B_is_sgid B_get_user_list B_get_group_list -B_remove_suid +B:remove_suid ); our @EXPORT = @EXPORT_OK; @@ -74,7 +74,7 @@ sub B_chmod($$) { if ($new_perm =~ /([ugo]+)([+-]{1})([rwxst]+)/) { $symbolic = 1; $chmod_noun = $1; - $add_remove = $2; + $add:remove = $2; $capability = $3; } @@ -466,7 +466,7 @@ sub B_chgrp_link($$) { # # In the future, we may also choose to make a B_lock_account routine. # -# This routine depends on B_remove_user_from_group. +# This routine depends on B:remove_user_from_group. ########################################################################### sub B_userdel($) { @@ -506,7 +506,7 @@ sub B_userdel($) { # # Next find out what groups the user is in, so we can call - # B_remove_user_from_group($user,$group) + # B:remove_user_from_group($user,$group) # # TODO: add this to the helper functions for the test suite. # @@ -586,7 +586,7 @@ sub B_groupdel($) { ########################################################################### -# B_remove_user_from_group($user,$group) removes $user from $group, +# B:remove_user_from_group($user,$group) removes $user from $group, # by modifying $group's /etc/group line, pulling the user out. This # uses B_chunk_replace thrice to replace these patterns: # @@ -595,7 +595,7 @@ sub B_groupdel($) { # ########################################################################### -sub B_remove_user_from_group($$) { +sub B:remove_user_from_group($$) { my ($user_to_remove,$group) = @_; @@ -1022,7 +1022,7 @@ sub B_get_group_list() # ########################################################################### -sub B_remove_suid($) { +sub B:remove_suid($) { my $file_expr = $_[0]; &B_log("ACTION","Removing SUID bit from \"$file_expr\"."); diff --git a/meta-security/recipes-security/bastille/files/FileContent.pm b/meta-security/recipes-security/bastille/files/FileContent.pm index 0a5d6096c..1ef89dd76 100644 --- a/meta-security/recipes-security/bastille/files/FileContent.pm +++ b/meta-security/recipes-security/bastille/files/FileContent.pm @@ -10,8 +10,8 @@ B_blank_file B_insert_line_after B_insert_line_before B_insert_line -B_append_line -B_prepend_line +B:append_line +B:prepend_line B_replace_line B_replace_lines B_replace_pattern @@ -262,7 +262,7 @@ sub B_insert_line($$$$) { # # Additionally, if $pattern is set equal to "", the line is always appended. # -# B_append_line uses B_open_plus and B_close_plus, so that the file +# B:append_line uses B_open_plus and B_close_plus, so that the file # modified is backed up... # # Here's examples of where you might use this: @@ -273,7 +273,7 @@ sub B_insert_line($$$$) { # ########################################################################### -sub B_append_line($$$) { +sub B:append_line($$$) { my ($filename,$pattern,$line_to_append) = @_; @@ -308,11 +308,11 @@ sub B_append_line($$$) { ########################################################################### # &B_prepend_line ($filename,$pattern,$line_to_prepend) modifies $filename, -# pre-pending $line_to_prepend unless one or more lines in the file matches +# pre-pending $line_to:prepend unless one or more lines in the file matches # $pattern. This is an enhancement to the prepend_line_if_no_such_line_exists # idea. # -# B_prepend_line uses B_open_plus and B_close_plus, so that the file +# B:prepend_line uses B_open_plus and B_close_plus, so that the file # modified is backed up... # # Here's examples of where you might use this: @@ -322,7 +322,7 @@ sub B_append_line($$$) { # ########################################################################### -sub B_prepend_line($$$) { +sub B:prepend_line($$$) { my ($filename,$pattern,$line_to_prepend) = @_; @@ -348,7 +348,7 @@ sub B_prepend_line($$$) { # Log the action &B_log("ACTION","Pre-pended the following line to $filename:\n"); - &B_log("ACTION","$line_to_prepend"); + &B_log("ACTION","$line_to:prepend"); } else { $retval=0; diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb index 4a99b5af4..9aefc32cf 100644 --- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb +++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb @@ -25,7 +25,7 @@ SRC_URI[sha256sum] = "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f11875 inherit autotools pkgconfig systemd SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "ecryptfs.service" +SYSTEMD_SERVICE:${PN} = "ecryptfs.service" EXTRA_OECONF = "\ --libdir=${base_libdir} \ @@ -41,7 +41,7 @@ PACKAGECONFIG ??= "nss \ PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss," PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam," -do_configure_prepend() { +do_configure:prepend() { export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr -I${STAGING_INCDIR}/nss3" export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3" export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}" @@ -49,7 +49,7 @@ do_configure_prepend() { sed -i -e "s;rootsbindir=\"/sbin\";rootsbindir=\"\${base_sbindir}\";g" ${S}/configure.ac } -do_install_append() { +do_install:append() { chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private # ${base_libdir} is identical to ${libdir} when usrmerge enabled if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then @@ -64,7 +64,7 @@ do_install_append() { fi } -FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*" +FILES:${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*" -RDEPENDS_${PN} += "cryptsetup" -RRECOMMENDS_${PN} = "gettext-runtime" +RDEPENDS:${PN} += "cryptsetup" +RRECOMMENDS:${PN} = "gettext-runtime" diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb index b480c76d5..ed75a0e7d 100644 --- a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb +++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb @@ -20,34 +20,34 @@ inherit update-rc.d ptest setuptools3 S = "${WORKDIR}/git" -do_compile_prepend () { +do_compile:prepend () { cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py cd ${S} ./fail2ban-2to3 } -do_install_append () { +do_install:append () { install -d ${D}/${sysconfdir}/fail2ban install -d ${D}/${sysconfdir}/init.d install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server chown -R root:root ${D}/${bindir} } -do_install_ptest_append () { +do_install_ptest:append () { install -d ${D}${PTEST_PATH} install -d ${D}${PTEST_PATH}/bin sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest install -D ${S}/bin/* ${D}${PTEST_PATH}/bin } -FILES_${PN} += "/run" +FILES:${PN} += "/run" INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME = "fail2ban-server" INITSCRIPT_PARAMS = "defaults 25" -INSANE_SKIP_${PN}_append = "already-stripped" +INSANE_SKIP:${PN}:append = "already-stripped" -RDEPENDS_${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify" -RDEPENDS_${PN} += " python3-logging python3-fcntl python3-json" -RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban" +RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify" +RDEPENDS:${PN} += " python3-logging python3-fcntl python3-json" +RDEPENDS:${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban" diff --git a/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb b/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb index df76a3d9a..26f549b6c 100644 --- a/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb +++ b/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb @@ -18,7 +18,7 @@ do_install() { oe_runmake DESTDIR=${D} PREFIX=/usr install } -RRECOMMENDS_${PN} += "\ +RRECOMMENDS:${PN} += "\ keyutils \ kernel-module-cbc \ kernel-module-cts \ diff --git a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb index f9ca09268..4ab837485 100644 --- a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb +++ b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb @@ -18,6 +18,6 @@ REQUIRED_DISTRO_FEATURES = "pam" EXTRA_OECONF = "--libdir=${base_libdir}" PACKAGES += "pam-google-authenticator" -FILES_pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so" +FILES:pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so" RDEPNEDS_pam-google-authenticator = "libpam" diff --git a/meta-security/recipes-security/libest/libest_3.2.0.bb b/meta-security/recipes-security/libest/libest_3.2.0.bb index 5b6dc995c..fda2df4c9 100644 --- a/meta-security/recipes-security/libest/libest_3.2.0.bb +++ b/meta-security/recipes-security/libest/libest_3.2.0.bb @@ -11,17 +11,17 @@ SRC_URI = "git://github.com/cisco/libest;branch=main" DEPENDS = "openssl" #fatal error: execinfo.h: No such file or directory -DEPENDS_append_libc-musl = " libexecinfo" +DEPENDS:append:libc-musl = " libexecinfo" inherit autotools-brokensep EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}" CFLAGS += "-fcommon" -LDFLAGS_append_libc-musl = " -lexecinfo" +LDFLAGS:append:libc-musl = " -lexecinfo" S = "${WORKDIR}/git" PACKAGES = "${PN} ${PN}-dbg ${PN}-dev" -FILES_${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so" +FILES:${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so" diff --git a/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb b/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb index 88c58ed26..3085ee628 100644 --- a/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb +++ b/meta-security/recipes-security/libgssglue/libgssglue_0.4.bb @@ -33,11 +33,11 @@ SRC_URI[md5sum] = "5ce81940965fa68c7635c42dcafcddfe" SRC_URI[sha256sum] = "bb47b2de78409f461811d0db8595c66e6631a9879c3621a35e4434b104ee52f5" # gssglue can use krb5, spkm3... as gssapi library, configurable -RRECOMMENDS_${PN} += "krb5" +RRECOMMENDS:${PN} += "krb5" inherit autotools -do_install_append() { +do_install:append() { # install some docs install -d -m 0755 ${D}${docdir}/${BPN} install -m 0644 ${S}/AUTHORS ${S}/ChangeLog ${S}/NEWS ${S}/README ${D}${docdir}/${BPN} diff --git a/meta-security/recipes-security/mfa/python3-privacyidea_3.5.2.bb b/meta-security/recipes-security/mfa/python3-privacyidea_3.5.2.bb index cd0acf869..a4ab59d5d 100644 --- a/meta-security/recipes-security/mfa/python3-privacyidea_3.5.2.bb +++ b/meta-security/recipes-security/mfa/python3-privacyidea_3.5.2.bb @@ -10,31 +10,31 @@ SRC_URI[sha256sum] = "26aeb0d353af1f212c4df476202516953c20f7f31566cfe0b67cbb553d inherit pypi setuptools3 -do_install_append () { +do_install:append () { #install ${D}/var/log/privacyidea rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests } USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM_${PN} = "--system privacyidea" -USERADD_PARAM_${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \ +GROUPADD_PARAM:${PN} = "--system privacyidea" +USERADD_PARAM:${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \ --shell /bin/false privacyidea" -FILES_${PN} += " ${datadir}/etc/privacyidea/* ${datadir}/lib/privacyidea/*" - -RDEPENDS_${PN} += " bash perl freeradius-mysql freeradius-utils" - -RDEPENDS_${PN} += "python3 python3-alembic python3-babel python3-backports-functools-lru-cache python3-bcrypt" -RDEPENDS_${PN} += "python3-beautifulsoup4 python3-cbor2 python3-certifi python3-cffi python3-chardet" -RDEPENDS_${PN} += "python3-click python3-configobj python3-croniter python3-cryptography python3-defusedxml" -RDEPENDS_${PN} += "python3-ecdsa python3-flask python3-flask-babel python3-flask-migrate" -RDEPENDS_${PN} += "python3-flask-script python3-flask-sqlalchemy python3-flask-versioned" -RDEPENDS_${PN} += "python3-future python3-httplib2 python3-huey python3-idna python3-ipaddress" -RDEPENDS_${PN} += "python3-itsdangerous python3-jinja2 python3-ldap python3-lxml python3-mako" -RDEPENDS_${PN} += "python3-markupsafe python3-netaddr python3-oauth2client python3-passlib python3-pillow" -RDEPENDS_${PN} += "python3-pyasn1 python3-pyasn1-modules python3-pycparser python3-pyjwt python3-pymysql" -RDEPENDS_${PN} += "python3-pyopenssl python3-pyrad python3-dateutil python3-editor python3-gnupg" -RDEPENDS_${PN} += "python3-pytz python3-pyyaml python3-qrcode python3-redis python3-requests python3-rsa" -RDEPENDS_${PN} += "python3-six python3-smpplib python3-soupsieve python3-soupsieve " -RDEPENDS_${PN} += "python3-sqlalchemy python3-sqlsoup python3-urllib3 python3-werkzeug" +FILES:${PN} += " ${datadir}/etc/privacyidea/* ${datadir}/lib/privacyidea/*" + +RDEPENDS:${PN} += " bash perl freeradius-mysql freeradius-utils" + +RDEPENDS:${PN} += "python3 python3-alembic python3-babel python3-backports-functools-lru-cache python3-bcrypt" +RDEPENDS:${PN} += "python3-beautifulsoup4 python3-cbor2 python3-certifi python3-cffi python3-chardet" +RDEPENDS:${PN} += "python3-click python3-configobj python3-croniter python3-cryptography python3-defusedxml" +RDEPENDS:${PN} += "python3-ecdsa python3-flask python3-flask-babel python3-flask-migrate" +RDEPENDS:${PN} += "python3-flask-script python3-flask-sqlalchemy python3-flask-versioned" +RDEPENDS:${PN} += "python3-future python3-httplib2 python3-huey python3-idna python3-ipaddress" +RDEPENDS:${PN} += "python3-itsdangerous python3-jinja2 python3-ldap python3-lxml python3-mako" +RDEPENDS:${PN} += "python3-markupsafe python3-netaddr python3-oauth2client python3-passlib python3-pillow" +RDEPENDS:${PN} += "python3-pyasn1 python3-pyasn1-modules python3-pycparser python3-pyjwt python3-pymysql" +RDEPENDS:${PN} += "python3-pyopenssl python3-pyrad python3-dateutil python3-editor python3-gnupg" +RDEPENDS:${PN} += "python3-pytz python3-pyyaml python3-qrcode python3-redis python3-requests python3-rsa" +RDEPENDS:${PN} += "python3-six python3-smpplib python3-soupsieve python3-soupsieve " +RDEPENDS:${PN} += "python3-sqlalchemy python3-sqlsoup python3-urllib3 python3-werkzeug" diff --git a/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/meta-security/recipes-security/ncrack/ncrack_0.7.bb index ba269657f..8b221e53c 100644 --- a/meta-security/recipes-security/ncrack/ncrack_0.7.bb +++ b/meta-security/recipes-security/ncrack/ncrack_0.7.bb @@ -15,4 +15,4 @@ inherit autotools-brokensep S = "${WORKDIR}/git" -INSANE_SKIP_${PN} = "already-stripped" +INSANE_SKIP:${PN} = "already-stripped" diff --git a/meta-security/recipes-security/nikto/nikto_2.1.6.bb b/meta-security/recipes-security/nikto/nikto_2.1.6.bb index 615cc30b9..242f3acc5 100644 --- a/meta-security/recipes-security/nikto/nikto_2.1.6.bb +++ b/meta-security/recipes-security/nikto/nikto_2.1.6.bb @@ -111,7 +111,7 @@ do_install() { install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto } -RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \ +RDEPENDS:${PN} = "perl libnet-ssleay-perl libwhisker2-perl \ perl-module-getopt-long perl-module-time-local \ perl-module-io-socket perl-module-overloading \ perl-module-base perl-module-b perl-module-bytes" diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb index 2b79609fa..8e368121a 100644 --- a/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb +++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb @@ -27,8 +27,8 @@ PACKAGECONFIG[mysql] = "--with-mysql=yes, , mariadb, mariadb" PACKAGECONFIG[readline] = "--with-readline, --without-readline, readline" PACKAGECONFIG[unwind] = "--with-libunwind, --without-libunwind" -do_install_append () { +do_install:append () { rm -rf ${D}${localstatedir}/run } -RDEPENDS_${PN} = "softhsm" +RDEPENDS:${PN} = "softhsm" diff --git a/meta-security/recipes-security/paxctl/paxctl_0.9.bb b/meta-security/recipes-security/paxctl/paxctl_0.9.bb index 3c04141ee..55a0dcac9 100644 --- a/meta-security/recipes-security/paxctl/paxctl_0.9.bb +++ b/meta-security/recipes-security/paxctl/paxctl_0.9.bb @@ -24,7 +24,7 @@ do_install() { # install: cannot change ownership of '.../sbin/paxctl': \ # Operation not permitted # Drop '--owner 0 --group 0' to fix the issue. -do_install_class-native() { +do_install:class-native() { local PROG=paxctl install -d ${D}${base_sbindir} install -d ${D}${mandir}/man1 @@ -33,6 +33,6 @@ do_install_class-native() { } # Avoid QA Issue: No GNU_HASH in the elf binary -INSANE_SKIP_${PN} = "ldflags" +INSANE_SKIP:${PN} = "ldflags" BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-security/redhat-security/redhat-security_1.0.bb b/meta-security/recipes-security/redhat-security/redhat-security_1.0.bb index 0d70dc6ee..d6d4cea18 100644 --- a/meta-security/recipes-security/redhat-security/redhat-security_1.0.bb +++ b/meta-security/recipes-security/redhat-security/redhat-security_1.0.bb @@ -37,4 +37,4 @@ do_install() { install -m 0755 ${WORKDIR}/selinux-ls-unconfined.sh ${D}${bindir} } -RDEPENDS_${PN} = "file libcap-ng procps findutils" +RDEPENDS:${PN} = "file libcap-ng procps findutils" diff --git a/meta-security/recipes-security/sssd/sssd_2.5.1.bb b/meta-security/recipes-security/sssd/sssd_2.5.1.bb index 92058437d..1c77480eb 100644 --- a/meta-security/recipes-security/sssd/sssd_2.5.1.bb +++ b/meta-security/recipes-security/sssd/sssd_2.5.1.bb @@ -6,9 +6,9 @@ LICENSE = "GPLv3+" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" -DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit" +DEPENDS:append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit" -DEPENDS_append_libc-musl = " musl-nscd" +DEPENDS:append:libc-musl = " musl-nscd" # If no crypto has been selected, default to DEPEND on nss, since that's what # sssd will pick if no active choice is made during configure @@ -69,7 +69,7 @@ EXTRA_OECONF += " \ --with-pid-path=/run \ " -do_configure_prepend() { +do_configure:prepend() { mkdir -p ${AUTOTOOLS_AUXDIR}/build cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/ @@ -77,7 +77,7 @@ do_configure_prepend() { sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4 } -do_compile_prepend () { +do_compile:prepend () { echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h } do_install () { @@ -98,18 +98,18 @@ do_install () { rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* } -pkg_postinst_ontarget_${PN} () { +pkg_postinst_ontarget:${PN} () { if [ -e /etc/init.d/populate-volatile.sh ] ; then ${sysconfdir}/init.d/populate-volatile.sh update fi chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf } -CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf" +CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf" INITSCRIPT_NAME = "sssd" INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ." -SYSTEMD_SERVICE_${PN} = " \ +SYSTEMD_SERVICE:${PN} = " \ ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \ @@ -124,10 +124,10 @@ SYSTEMD_SERVICE_${PN} = " \ " SYSTEMD_AUTO_ENABLE = "disable" -FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss*.so" -FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la" +FILES:${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss*.so" +FILES:${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la" # The package contains symlinks that trip up insane -INSANE_SKIP_${PN} = "dev-so" +INSANE_SKIP:${PN} = "dev-so" -RDEPENDS_${PN} = "bind bind-utils dbus libldb libpam" +RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam" |