summaryrefslogtreecommitdiffstats
path: root/recipes-core
Commit message (Collapse)AuthorAgeFilesLines
* packagegroup-core-security: Add missing packagesScott Murray2026-04-271-0/+4
| | | | | | | Add aircrack-ng, crowdsec, ncrack, and opendnssec where appropriate now that they have been updated to build again. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* libmhash: RemoveScott Murray2026-04-271-1/+0
| | | | | | Remove libmhash, as it is no longer required to build aide. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* clamav: Add recipe for version 1.4.3Hemant Jadhav2025-12-221-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add modern ClamAV 1.4.3 recipe with comprehensive improvements over the legacy 0.104.4 version. Remove the end-of-life 0.104.4 recipe and associated patches as they are superseded by this version. Major changes in 1.4.3: - Upgraded core engine with improved threat detection capabilities - Added Rust components requiring cross-compilation support - Updated CMake build system replacing legacy autotools - Modernized library dependencies (LLVM, JSON-C, PCre2) - Added comprehensive license compliance for multi-component package - Enhanced cross-compilation support for all target architectures The recipe includes dynamic Cargo configuration using Yocto variables to support cross-compilation to any target architecture supported by the build system. Runtime configuration improvements: - Set APP_CONFIG_DIRECTORY to ${sysconfdir}/clamav for proper config paths - Added volatiles/tmpfiles support for /var/lib/clamav and /var/log/clamav - Added pkg_postinst scripts to ensure correct directory ownership - Implemented CMake cache variables for cross-compilation - Updated all license checksums for compliance - Added Rust toolchain integration with automatic environment setup - Use Cargo vendoring with cargo + cargo-update-recipe-crates classes Security rationale: - ClamAV 0.104.4 reached end-of-life and is no longer maintained - Upstream strongly recommends migration to 1.4.x for security updates Signed-off-by: Hemant Jadhav <hemant.jadhav@emerson.com> (regenerated diff, fixed building with systemd, fixed target Rust configuration, disabled for 32-bit targets) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* oeqa: openscap testLouis Rannou2025-11-211-1/+1
| | | | | | | | | | | | Add basic openscap test. This looks for an existing profile and run a basic scan. Openscap scans return 1 in case of failure, 0 in case of success and 2 when a vulnerability has been found. As this does not aim to check openscap reports, 2 is considered as a successful test. Signed-off-by: Louis Rannou <louis.rannou@non.se.com> (added to test image) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* packagegroup-core-security: update for recent changesScott Murray2025-10-081-5/+10
| | | | | | | | | | | | Changes: - Add libmhash and libgssglue so they will get tested by CI. - Switch to MACHINE_ARCH to facilitate the above, but it makes sense anyway due to all the machine overrides used in the packagegroup definition. - Add the recently added python3-suricata-update so it will get tested by CI. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* paxctl: Remove recipeScott Murray2025-10-081-1/+0
| | | | | | | | Remove the paxctl recipe since it has seemingly been broken for a while without anyone noticing, and there likely have been no actual users since grsecurity stopped doing public releases in 2017. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* chipsec: disable until 6.16 support is fixedMarta Rybczynska2025-10-081-2/+2
| | | | | | | | | | The 1.13.16 version does not work on the kernel 6.16 for now [1]. Disable when waiting for the fix. [1] https://github.com/chipsec/chipsec/issues/2563 Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* aide: remove for muslMarta Rybczynska2025-07-231-0/+1
| | | | | | | Aide currently doesn't compile with musl because of copied getopt prototypes and implementation. Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* packagegroup-core-security: unify conditional adding of packages on RISCVMarta Rybczynska2025-07-231-2/+12
| | | | | | | | | | The package choice was using TUNE_FEATURES that doesn't work anymore with multiple sub-architectures of RISCV. Instead use the overrides and make sure to take into account also qemu versions. Only riscv32/riscv64 does not work, fail on RDEPEND for qemu targets. Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* packagegroup-core-security: drop firejail for muslArmin Kuster2025-01-061-1/+1
| | | | | | | appears to be a known issue: https://bugs.gentoo.org/937374 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-image-initramfs: drop lvm2-udevrulesYi Zhao2024-11-241-1/+1
| | | | | | | | | | Drop lvm2-udevrules as it has been removed in meta-openembedded commit[1]. [1] https://git.openembedded.org/meta-openembedded/commit/?h=master&id=c37c867e1adddd6fa39cf3f3d4c6688ea6dc825a Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* recipes: WORKDIR -> UNPACKDIR transitionChangqing Li2024-06-171-1/+1
| | | | | | | | | * WORKDIR -> UNPACKDIR transition * Switch away from S = WORKDIR Signed-off-by: Changqing Li <changqing.li@windriver.com> [Fixed up the smack changes due to prior patch] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: update libseccomp dependenciesMarta Rybczynska2024-05-081-1/+1
| | | | | | | | | | | libseccomp requires DISTRO_FEATURE seccomp enabled. This one is automatically removed for riscv, so we do not need to add an additional condition. This change is necessary for cve-check on world with meta-security Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-image-initramfs: Set IMAGE_NAME_SUFFIX to emptyKevin Hao2024-03-271-0/+2
| | | | | | | | | | | | | | | According to the Yocto reference manual [1], the IMAGE_NAME_SUFFIX should be set to empty for the initramfs image. Otherwise, we may incur a build error like following due to the initrd check in live-vm-common.bbclass: ERROR: core-image-minimal-1.0-r0 do_bootimg: build-test/tmp/deploy/images/genericx86-64/dm-verity-image-initramfs-genericx86-64.cpio.gz is invalid. initrd image creation failed. ERROR: core-image-minimal-1.0-r0 do_bootimg: ExecutionError('build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/run.build_hddimg.1961965', 1, None, None) ERROR: Logfile of failure stored in: build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/log.do_bootimg.1961965 ERROR: Task (poky/meta/recipes-core/images/core-image-minimal.bb:do_bootimg) failed with exit code '1' [1] https://docs.yoctoproject.org/ref-manual/variables.html#term-IMAGE_NAME_SUFFIX Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-image-initramfs: Allow compressed image typesWurm, Stephan2023-08-061-1/+8
| | | | | | | | | | Using <DM_VERITY_IMAGE_TYPE> in the depends variable does not work for compressed image types like squashfs-zst, as the resulting task dependency still contains the incompatible dash. Replacing the dash by an underscore resolves this issue. Signed-off-by: Stephan Wurm <stephan.wurm@a-eberle.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: only include firejail x86-64 and arch64Armin Kuster2023-07-311-4/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* qemu: move qemu setting to image and out of layer.confArmin Kuster2023-07-311-0/+5
| | | | | | I suspect its better form to have these in the image definition. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add os-releaseArmin Kuster2023-06-251-0/+4
| | | | | | | | Exclude openscap and scap-security-guide if musl Fix RDEPENDS list to include compliance packages. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity: hook separate hash into initramfs frameworkPaul Gortmaker2023-06-251-0/+29
| | | | | | | | | | | | | | | | | The prior commits create the separate hash so now it is time to update the initramfs framework so that veritysetup, which is responsible for binding the data and hash, is aware of when separate hash is in use, and can react accordingly. The added code follows the existing appended hash code style, but is considerably smaller because it doesn't have the large case statement that supports all possible identification schemes (label, UUID, ...). With the root hash split in two to create the respective partition UUIDs, we know exactly how to identify it, and the UUIDs used. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add compliance pkg groupArmin Kuster2023-06-201-0/+8
| | | | | | | | Signed-off-by: Armin Kuster <akuster808@gmail.com> --- v2] Missed to include trailing \
* dmverity: Suppress the realpath errorsKevin Hao2023-06-111-7/+7
| | | | | | | | | | | | | If we use a non PARTUUID root parameter, we would always get a error like below: realpath: /dev/disk/by-partuuid//dev/mmcblk0p2: No such file or directory This seems pretty confusion and it also seems no need to emit this kind of error when we are waiting for the root device. So suppress all the realpath errors. Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: refactor the inclusion of krillArmin Kuster2023-03-221-6/+6
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security: Add recipe for GlomeJohn Edward Broadbent2022-08-121-0/+1
| | | | | | | | Generic Low Overhead Message Exchange (GLOME) is a protocol providing secure authentication and authorization for low dependency environments. Signed-off-by: John Edward Broadbent <jebr@google.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add pkg to grpArmin Kuster2022-08-121-0/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add space for appendsArmin Kuster2022-08-061-2/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: remove krill for some archsArmin Kuster2022-08-021-1/+4
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add chipsec pkg to grpArmin Kuster2022-08-021-0/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add krill to pkg grpsArmin Kuster2022-08-021-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security.bb: add bubblewrap to pkg grpArmin Kuster2022-07-301-0/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* security-build-image: add lkrg-module to build imageArmin Kuster2022-06-231-0/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: skip mips firejailArmin Kuster2022-06-231-0/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* security-test-image: add firejail and aide test suitesArmin Kuster2022-06-231-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add firejailArmin Kuster2022-06-231-0/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* security-test-image: auto include layers if present.Armin Kuster2022-06-181-1/+10
| | | | | | | This is to simplify tesing to build one image and include pkgs depending on the layers included in the BBLAYERS. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: drop sssdArmin Kuster2022-06-181-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: don't include aprwatch for muslArmin Kuster2022-06-071-0/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: drop arpwatch for riscv from pkg grpArmin Kuster2022-06-071-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add arpwatch and chkrootkit to pkg grpArmin Kuster2022-06-071-0/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security.bb: fix suricata inclusionArmin Kuster2022-05-141-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: remove pkgsArmin Kuster2022-05-141-12/+0
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libest: does not build with openssl 3.xArmin Kuster2021-12-251-1/+0
| | | | | | blacklist for now. Remove from pkg grp Signed-off-by: Armin Kuster <akuster808@gmail.com>
* opendnssec: blacklist do to ldns being blacklistedArmin Kuster2021-10-241-1/+0
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dmverity: Make use of DATA_BLOCK_SIZE variable in initrdscript.Christer Fletcher2021-09-281-1/+2
| | | | | | | | | DATA_BLOCK_SIZE variable was set in dm-verity-img.bbclass at build time but the initrdscript was not updated to pass the DATA_BLOCK_SIZE to the veritysetup. Now the functionality is complete. Signed-off-by: Paulo Neves <paulo.neves1@inter.ikea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security.bb: only include suricat-ptest if rust is includedArmin Kuster2021-08-011-2/+13
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security: Convert to new override syntaxArmin Kuster2021-08-012-24/+24
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security.bb: fix suricat-ptest inclusionArmin Kuster2021-07-281-2/+1
| | | | | | drop libseccomp ptest Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework: rename files dirArmin Kuster2021-06-292-1/+1
| | | | | | | Fixes: ERROR: initramfs-framework-1.0-r4 do_fetch: Fetcher failure for URL: 'file://dmverity'. Unable to fetch URL from any source. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add sshguardArmin Kuster2021-06-291-0/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework: fix typo in conditionalArmin Kuster2021-06-291-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: drop python3-scapyArmin Kuster2021-06-051-2/+0
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>