Commit Graph

113 Commits

Author SHA1 Message Date
Wang Mingyu
7d55da8cf1
kernel-hardening-checker: upgrade 0.6.10.2 -> 0.6.17.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-11-11 10:19:41 -08:00
Khem Raj
7f045f60d4
gensio,audit,syslog-ng: Disable and remove tcp-wrappers support
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-11-11 10:19:40 -08:00
Yi Zhao
bb2d5f9d4d
audit: upgrade 4.0.5 -> 4.1.2
ChangeLog:
https://github.com/linux-audit/audit-userspace/releases/tag/v4.1.0
https://github.com/linux-audit/audit-userspace/releases/tag/v4.1.1
https://github.com/linux-audit/audit-userspace/releases/tag/v4.1.2

Disable some test cases in auparse/test as they can not be built with
--disable-static configuration.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-09-06 10:11:39 -07:00
Jiaying Song
f88db75ffa
softhsm: switch source to GitHub repository
The original source URL is unavailable, so it has been replaced with the
official GitHub repository.

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-08-26 08:27:27 -07:00
Jiaying Song
3d9e26feb5
passwdqc: correct the SRC_URI
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-08-25 20:07:19 -07:00
Michael Opdenacker
5ae3536204
kernel-hardening-checker: upgrade to 0.6.10.2
Major upstream changes (not a minor release update in terms of features):
- RISCV support
- New "-a" option: autodetect and check the security hardening options of the running kernel
  You can now just run "kernel-hardening-checker -a"
- Require Python 3.9
- Replace setup.py by pyproject.toml
- Many fixes and new features

Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-08-18 07:50:01 -07:00
Wang Mingyu
c4b9a59fb4
usbguard: upgrade 1.1.3 -> 1.1.4
0001-Adapt-for-protobuf-30.0-API-changes.patch
removed since it's included in 1.1.4

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-07-30 16:40:03 -07:00
Alexander Kanavin
fc78d37ff0
meta-openembedded/all: adapt to UNPACKDIR changes
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.

I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-06-25 06:44:52 -07:00
Wang Mingyu
b2c6299c3b
audit: upgrade 4.0.4 -> 4.0.5
0001-Fixed-swig-host-contamination-issue.patch
refreshed for 4.0.5

Changelog:
============
- Rework audisp queue to be lockless
- Fix missing delete command in auditctl
- Allow plus addresses (rfc5233) to auditd email.
- Reduce memory churn in auditd event dispatching
- Add configurable recurring state report in auditd
- Switch audisp-statsd to stop sending signals
- Add glibc memory stats to audisp-statsd

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-06-09 21:24:07 -07:00
Yi Zhao
bf555c2a62
audit: upgrade 4.0.3 -> 4.0.4
ChangeLog:
- auditctl: update io_uring operations table
- update syscall table for 6.15
- auditd.cron.5: Describe time-based log rotation setup
- auditd: Broadcast a warning on startup if a system halt is possible
- Fix audisp-remote segfault on connection error
- Improve locating last event if ausearch is using checkpointing
- af_unix plugin: fix string mode support
- Remove const from audit_rule_fieldpair_data &
  audit_rule_interfield_comp_data
- Add various updates to the experimental ids plugin
- Add glibc memory statistics to auditd state report

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-06-02 14:13:09 -07:00
Chris Paterson
829791e0f5
kernel-hardening-checker: Set recipe as machine specific
This fixes an issue where running the test_machine_signatures
yocto-layer-check test case fails when using a BSP layer that depends on
meta-oe.
e.g.

bitbake-diffsigs -t kernel-hardening-checker do_create_package_spdx -s 6397093de4edf0eb568d56526704b178944f788bf0d0bdc8f6ce1b181ee00baa 8adadf9e2c0461de5c377b9a0590f6c05b03ff8c1b8eb89fff94e5c3235a0c9a
Hash for task dependency linux-cip:do_create_spdx changed from 4db4e1b424d7969ba80c8e03450ec70e88bab266b1e43054381ab1c572cf580a to bfebcc3195aa0106630e2d3cf7fc8335df8768ad059143d54f715b399eea8b69
Hash for task dependency linux-cip:do_collect_spdx_deps changed from ae22171bab2f456b4743fb0ca05de91a16b65fe6bbddd4cb97d2ed04e5d4f651 to e43ed3f2cee8198d91535ce38057d996cdb8e72c10d7509c2542e6676782ebdc
Hash for task dependency linux-cip:do_unpack changed from 6cf2e7fd1e1d67578f6bed761378953f91a8a58df0107698cc259c1989674da1 to 5d98fa31606f06f0e4416f9df82f97fdc6f63799b65486912dc4a3fc7f871f3c
  basehash changed from 556fad4e4426a9390de6ccdcc631aeb35d391ccc9676f6a4810237e2f501cf85 to 72beced62420cc92f276f8a31cd4de3d6f9e3877b14fff9d82ff7d863855b7da
    Variable MACHINE value changed from 'hihope-rzg2h' to 'hihope-rzg2m'

Link: https://lists.openembedded.org/g/openembedded-devel/topic/issue_meta_oe_walnascar/113168928
Signed-off-by: Chris Paterson <chris.paterson2@renesas.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-05-22 17:39:10 -07:00
Chris Paterson
95efd99807
spectre-meltdown-checker: Set recipe as machine specific
This fixes an issue where running the test_machine_signatures
yocto-layer-check test case fails when using a BSP layer that depends on
meta-oe.
e.g.

bitbake-diffsigs -t spectre-meltdown-checker do_package_write_rpm -s 3efb5226ab4e83ef90cf33f0a474314d345c675707b3476dde1d3c42f79cc3d0 e268e68c02265542bf80fd51f8c4f26f63b668746639826fbdb870d91e2ba2fd
  basehash changed from 556fad4e4426a9390de6ccdcc631aeb35d391ccc9676f6a4810237e2f501cf85 to 72beced62420cc92f276f8a31cd4de3d6f9e3877b14fff9d82ff7d863855b7da
    Variable MACHINE value changed from 'hihope-rzg2h' to 'hihope-rzg2m'

Link: https://lists.openembedded.org/g/openembedded-devel/topic/issue_meta_oe_walnascar/113168928
Signed-off-by: Chris Paterson <chris.paterson2@renesas.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-05-22 17:39:10 -07:00
Yi Zhao
5db1cb3137
nmap: add recipe for 7.92
The nmap has changed its license to NPSL (Nmap Public Source License)
since 7.90[1][2]. See [3] for a discussion of this license.

According to [1] and [4], 7.92 is the last dual-licensed (GPL-2.0 and
NPSL) version:
"Note that some releases of Nmap may fall under a previous version of
this license, or a different license entirely. The exact terms for a
given version of Nmap can be found in the included LICENSE or COPYING
file. To ease the transition to the NPSL, the first three Nmap releases
made under that license (Nmap 7.90, 7.91, and 7.92) may also be used
under the previous Nmap license terms by anyone who prefers those."

Add 7.92 recipe with GPLv2 license.

[1] https://nmap.org/npsl/
[2] https://lwn.net/Articles/842436/
[3] https://github.com/nmap/nmap/issues/2199
[4] https://nmap.org/changelog.html#7.92

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-05-05 10:16:54 -07:00
Gyorgy Sarvari
6c101fe29d
nmap: set correct license
Nmap has switched from GPLv2 to their own "Nmap Public Source
License" since a few releases. Set it in the recipe accordingly.

The NPSL file in the license directory has been downloaded
directly from https://svn.nmap.org/nmap/LICENSE

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-04-28 14:17:37 -07:00
Yi Zhao
12e69dd555
nmap: set UPSTREAM_CHECK_REGEX
Set UPSTREAM_CHECK_REGEX to check the correct latest stable version.

Before the fix:
$ devtool latest-version nmap
INFO: Current version: 7.95
INFO: Latest version: 7.95-1

After the fix:
$ devtool latest-version nmap
INFO: Current version: 7.95
INFO: Latest version: 7.95

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-04-12 07:09:49 -07:00
mark.yang
4b30277f2a
bubblewrap: fix error with gcc-15
* backport fix from:
  https://github.com/containers/bubblewrap/pull/660
  But the patch was reworked for this version.
  In gcc 15, bool became a reserved keyword in C23, causing conflicts with our custom bool definition.

  See also, https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=55e3bd376b2214e200fa76d12b67ff259b06c212

* to fix:
  http://errors.yoctoproject.org/Errors/Details/851183/
  ../bubblewrap-0.10.0/utils.h:46:13: error: 'bool' cannot be defined via 'typedef'
   46 | typedef int bool;
      |             ^~~~

Signed-off-by: mark.yang <mark.yang@lge.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-04-08 08:22:05 -07:00
Khem Raj
fc05019734
usbguard: Patch for protobuf 30.0 API changes
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-03-13 09:50:12 -07:00
Yi Zhao
0b83551ff2
audit: remove empty directory
Remove empty directory when multilib is enabled.

Fixes:
ERROR: audit-4.0.3-r0 do_package: QA Issue: audit: Files/directories
were installed but not shipped in any package:
 /usr/lib

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-02-24 09:06:29 -08:00
Gyorgy Sarvari
3564ec12de
nmap: add missing dependency
Building with ndiff PACKAGECONFIG failed with the following error:

|   File "/yocto/sandbox/build/tmp/work/cortexa53-poky-linux/nmap/7.95/nmap-7.95/ndiff/setup.py", line 11, in <module>
|     import setuptools.command.install
| ModuleNotFoundError: No module named 'setuptools'

Fix it by adding the missing dependency.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-02-15 19:30:23 -08:00
Hongxu Jia
efc0b522c1
nmap: fix racing issue at do_compile
There are two build-lua rules, one in Makefile.in, another in
ncat/Makefile.in which is required by build-ncat

Building them may cause potential racing

$ bitbake lib32-nmap
$ grep -e "Compiling liblua" -e 'nmap-7.95/liblua' -e ": error" -n patch-to/temp/log.do_compile
Compiling liblua
make[1]: Entering directory 'path-to/build/tmp/work/corei7-32-wrsmllib32-linux/lib32-nmap/7.95/nmap-7.95/liblua'
Compiling liblua
make[2]: Entering directory 'path-to/build/tmp/work/corei7-32-wrsmllib32-linux/lib32-nmap/7.95/nmap-7.95/liblua'
make[2]: Leaving directory 'path-to/tmp/work/corei7-32-wrsmllib32-linux/lib32-nmap/7.95/nmap-7.95/liblua'
path-to/tmp/work/corei7-32-wrsmllib32-linux/lib32-nmap/7.95/recipe-sysroot-native/usr/bin/i686-wrsmllib32-linux/../../libexec/i686-wrsmllib32-linux/gcc/i686-wrsmllib32-linux/14.2.0/ld: ./../liblua/liblua.a: error adding symbols: no more archived files
collect2: error: ld returned 1 exit status
make[1]: Leaving directory 'path-to/tmp/work/corei7-32-wrsmllib32-linux/lib32-nmap/7.95/nmap-7.95/liblua'

Explicitly make build-ncat depend on build-lua to avoid racing,
after applying the patch
...
Compiling liblua
make[1]: Entering directory 'path-to/tmp/work/corei7-32-wrsmllib32-linux/lib32-nmap/7.95/nmap-7.95/liblua'
make[1]: Leaving directory 'path-to/tmp/work/corei7-32-wrsmllib32-linux/lib32-nmap/7.95/nmap-7.95/liblua'
Compiling liblua
make[2]: Entering directory 'path-to/tmp/work/corei7-32-wrsmllib32-linux/lib32-nmap/7.95/nmap-7.95/liblua'
make[2]: Leaving directory 'path-to/tmp/work/corei7-32-wrsmllib32-linux/lib32-nmap/7.95/nmap-7.95/liblua'
...

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-02-12 09:16:07 -08:00
Martin Jansa
625c74321c
spectre-meltdown-checker: fix script name
multilib builds fail with:
install: cannot stat 'lib32-spectre-meltdown-checker/0.46/sources-unpack/git/lib32-spectre-meltdown-checker.sh': No such file or directory

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-02-06 12:25:21 -08:00
Yi Zhao
eaeef33683
audit: upgrade 4.0.2 -> 4.0.3
ChangeLog:
- Remove a RHEL4 flag table since it's been unsupported for a while
- Change dependency from Requires to Wants for audit-rules.service
- Disable ProtectKernelModules by default in auditd.service
- Skip plugin configs that do not have .conf suffix
- audisp-filter: iterate records correctly when forwarding
- Update syscall table for missing syscalls
- Modify ausearch checkpoint code to address 64 inode and device numbers
- Fix potential segfault interpreting relative paths
- Add audit_set_enabled & audit_is_enabled back to the libaudit python bindings
- Log runlevel changes to console during boot
- Add audit-tmpfiles.conf to ensure /var/log/audit exists
- Propagate event format to the audisp-af_unix plugin
- Add support for RISC-V - riscv32, riscv64

* Enable riscv support
* Use its own volatile file for systemd.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-01-26 13:33:35 -08:00
Jörg Sommer
89c104f0e8
spectre-meltdown-checker: New recipe to check hardware vulnerability
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-01-13 17:43:56 -08:00
Jörg Sommer
2b2c15d774
kernel-hardening-checker: New recipe to check security options
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-01-06 07:22:29 -08:00
Wang Mingyu
6a5b26d467
nmap: Fix off-by-one overflow in the IP protocol table.
Add patch to fix core dumped error when using "nmap -sO"

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-10-14 23:25:11 -07:00
Armin Kuster
e68145b002
audit: fix build when systemd is enabled.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-10-13 09:21:55 -07:00
Rouven Czerwinski
c563d3e83d
softhsm: add destroyed global access prevention patch
Currently softhsm will try to access deleted objects due to the order of
atexit handler implementations. Add a patch which adds a global variable
to track whether objects are deleted and prevents access if this is the
case.

This fixes a failure with the signing.bbclass where when signing
multiple fitimage configurations the second signing operation will lead
to a segfault.

Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-27 10:08:14 -07:00
Shinji Matsunaga
e87e51da49
audit: Fix CVE_PRODUCT
Fix "audit" set in CVE_PRODUCT to "linux:audit" to detect only vulnerabilities where the vendor is "linux".

Currently, CVE_PRODUCT also detects vulnerabilities where the vendor is "visionsoft",
which are unrelated to the "audit" in this recipe.
https://www.opencve.io/cve?vendor=visionsoft&product=audit

In addition, all the vulnerabilities currently detected in "audit" have the vendor of "visionsoft" or "linux".
Therefore, fix "audit" set in CVE_PRODUCT to "linux:audit".

Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-24 23:26:23 -07:00
Khem Raj
8bbdd8fe2d
usbguard: Link with libatomic on rv32
Provides needed atomic intrinsics that compiler needs.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-17 07:50:22 -07:00
Martin Jansa
0249db4dbb
nmap: depend on libpcre2 not libpcre
* switched to libpcre2 in:
  828ab48764

* in builds where libpcre2 isn't pulled by some other dependency it was failing with:
| service_scan.h:74:10: fatal error: pcre2.h: No such file or directory
|    74 | #include <pcre2.h>
|       |          ^~~~~~~~~

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 09:34:15 -07:00
Khem Raj
68f542b606
nmap: Upgrade to 7.95
License-Update: Use full file for checksum ( COPYING -> LICENSE )

Use system libpcre
Drop py3 support patches, it's default now

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-04 15:35:46 -07:00
Markus Volk
8d0b921fb6
bubblewrap: update 0.9.0 -> 0.10.0
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-21 08:45:47 -07:00
Yi Zhao
f7e691ff43
audit: upgrade 4.0.1 -> 4.0.2
ChangeLog:
 - Fix musl C builds
 - Many code cleanups
 - Use atomic variables if available for signal related flags
 - Don't rotate audit logs when auditd is in debug mode
 - Fix a couple memory leaks on error paths
 - Correct output when displaying rules with exe/path/dir
 - Fix auparse lookup test to not use the system libauparse
 - Improve auparse metrics
 - Update auparse normalizer for recent syscalls
 - Make status report uniform

Drop 0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch as
the issue has been fixed upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-14 08:15:18 -07:00
Christophe Vu-Brugier
9127448693
usbguard: upgrade 1.1.2 -> 1.1.3
Drop patch 0001-include-missing-cstdint.patch because it was merged
upstream. See this commit in usbguard:

 * 22b1e08 Fix build for GCC 13 + make GitHub Actions cover build with GCC 13 (#586)

Signed-off-by: Christophe Vu-Brugier <christophe.vu-brugier@seagate.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-06-11 15:40:17 -07:00
Wang Mingyu
cbd98eb9aa
bubblewrap: upgrade 0.8.0 -> 0.9.0
Changelog:
===========
- Fix a double-close on error reading from --args, --seccomp or --add-seccomp-fd argument
- Improve memory allocation behaviour
- Silence various compiler warnings
- Silence an Automake warning
- Fix a test failure when running as uid 0 in a container
- Fix a test failure when /mnt is a symlink
- Fix a test failure on NixOS
- Add --argv0

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-06-07 09:11:55 -07:00
Khem Raj
ffc64e9c6f
recipes: Start WORKDIR -> UNPACKDIR transition
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-05-23 08:44:44 -07:00
alperak
d3a16ad4ae
Use PYTHON_SITEPACKAGES_DIR instead of hard-coded site-packages directory path
The following paths have been replaced with PYTHON_SITEPACKAGES_DIR:

- "${libdir}/${PYTHON_DIR}/site-packages"
- "${libdir}/python${PYTHON_BASEVERSION}/site-packages"
- "${libdir}/python*/site-packages"
- "${libdir}/python3.*/site-packages"

Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-04-15 21:01:20 -07:00
Yi Zhao
831041c60a
audit: upgrade 4.0 -> 4.0.1
ChangeLog:
https://github.com/linux-audit/audit-userspace/releases/tag/v4.0.1

Update TRUSTED_APP interpretation to look for known fields;
In auditd plugins, allow variable amount of arguments;
Fix augenrules to work correctly when kernel is in immutable mode;
Add audisp-filter plugin;
Improve sorting speed of aureport --summary reports;
Auditd & audit-rules.service pick up paths automatically.

* Drop backport patch.
* Specify runstatedir.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-03-22 09:05:47 -07:00
Khem Raj
14e3fc2648
keyutils: Add missing rdep for ptests
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-03-01 16:37:55 -08:00
Yi Zhao
15b0630583
audit: upgrade 3.1.2 -> 4.0
ChangeLog:
https://github.com/linux-audit/audit-userspace/releases/tag/v4.0
Major changes:
  Separate loading rules and logging events into separate services,
  audit-rules.service and auditd.service.
  Drop support for python2 and SysVinit.
  The auvirt and autrace programs have been dropped.
  The syscall and interpretation tables have been updated for the 6.8
  kernel.

* Backport patch to fix build error with musl
* Clean up configure options
* Use its own systemd service files
* Refresh patches
* Fix indentation

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-02-26 08:13:20 -08:00
Gassner, Tobias.ext
9cb6fc0a54
softhsm_2.6.1.bb fixing p11-kit module path, adding softhsm2.module to FILES
[Edited Message Follows]
[Reason: include softhsm2.module only in FILES if pk11 is set in PACKAGECONFIG]

From 216dba6552f2b3a65c3fc9b586736d93132a0166 Mon Sep 17 00:00:00 2001
From: "Gassner, Tobias.ext" <tobias.gassner.ext@karlstorz.com>
Date: Thu, 18 Jan 2024 12:50:22 +0100
Subject: [PATCH] softhsm_2.6.1.bb fixing p11-kit module path, adding
 softhsm2.module to FILES

In order for the softhsm module to be discoverable by p11-kit proxy the
softhsm2.module file must be deployed to ${datadir}/p11-kit/modules.
This was previously not the case. Also the p11-kit module path
(--with-p11-kit) seemed to point to the wrong directory and had a syntax
error (two == instead of one =).

Signed-off-by: Gassner, Tobias.ext <tobias.gassner.ext@karlstorz.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-01-20 22:15:02 -08:00
Alexander Kanavin
cb6cd5a566
audit: reenable python bindings and bring in distutils via setuptools (needed with python 3.12)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-01-01 17:09:56 -08:00
Alexander Kanavin
51e070301e
nmap: disable ndiff
In 7.80 this requires distutils (no longer provided in python 3.12).
This may be resolved in newer nmap versions, so if you care about it
please provide a version update: https://nmap.org/dist/

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-12-31 08:27:49 -08:00
Alexander Kanavin
369659d17e
audit: disable python bindings as incompatible with python 3.12
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-12-31 08:27:47 -08:00
Wang Mingyu
8fd762ae34
tomoyo-tools: upgrade 2.5.0 -> 2.6.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-11-28 08:55:40 -08:00
Khem Raj
8744c20fc0
usbguard: Enable seccomp if distro features have it
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-10 06:49:11 -07:00
Yi Zhao
8196c8bf4a
audit: upgrade 3.1.1 -> 3.1.2
Changelog:
https://github.com/linux-audit/audit-userspace/releases/tag/v3.1.2

Refresh local patches.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-10 06:49:11 -07:00
Wang Mingyu
8257d87d2d
passwdqc: upgrade 2.0.2 -> 2.0.3
makefile-add-ldflags.patch
refreshed for 2.0.3

Changelog:
===========
-Added pkg-config file.
-Changed enforce=users to support "chpasswd" PAM service in addition to
traditionally supported "passwd".

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-07-07 08:59:27 -07:00
Martin Jansa
be8c765c7c
*.patch: add Upstream-Status to all patches
There is new patch-status QA check in oe-core:
https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a

This is a temporary workaround just to hide _many_ warnings from
optional patch-status (if you add it to WARN_QA).

This just added
Upstream-Status: Pending
everywhere without actually investigating what's the proper status.

This is just to hide current QA warnings and to catch new .patch files being
added without Upstream-Status, but the number of Pending patches is now terrible:

5 (26%)      meta-xfce
6 (50%)      meta-perl
15 (42%)     meta-webserver
21 (36%)     meta-gnome
25 (57%)     meta-filesystems
26 (43%)     meta-initramfs
45 (45%)     meta-python
47 (55%)     meta-multimedia
312 (63%)    meta-networking
756 (61%)    meta-oe

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-21 09:15:20 -07:00
Bartosz Golaszewski
e20ebe6ce4
python3-nmap: add missing run-time dependencies
Add missing RDEPENDS for this package.

Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-06 23:07:59 -07:00