meta-security: subtree update:775870980b..ca9264b1e1

Anton Antonov (4):
      Use libest "main" branch instead of "master".
      Add meta-parsec layer into meta-security.
      Define secure images with parsec-service and parsec-tool included and add the images into gitlab CI
      Clearly define clang toolchain in Parsec recipes

Armin Kuster (16):
      packagegroup-core-security: drop clamav-cvd
      clamav: upgrade 104.0
      python3-privacyidea: upgrade 3.5.1 -> 3.5.2
      clamav: fix systemd service install
      swtpm: now need python-cryptography, pull in layer
      swtpm: file pip3 issue
      swtpm: fix check for tscd deamon on host
      python3-suricata-update: update to 1.2.1
      suricata: update to 6.0.2
      layer.conf: add dynamic-layer for rust pkg
      README: cleanup
      .gitlab-ci.yml: reorder to speed up builds
      kas-security-base.yml: tweek build vars
      gitlab-ci: fine tune order
      clamav: remove rest of mirror.dat ref
      lkrg-module: Add Linux Kernel Runtime Guard

Ming Liu (2):
      meta: drop IMA_POLICY from policy recipes
      initramfs-framework-ima: introduce IMA_FORCE

Signed-off-by: Andrew Geissler <[email protected]>
Change-Id: Ifac35a0d7b7e724f1e30dce5f6634d5d4fc9b5b9

meta-security/.gitlab-ci.yml

@@ -26,128 +26,104 @@ stages:
 qemux86:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
+  - kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml
+  - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml
+  - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
 
 qemux86-64:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
+  - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml
+  - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
 
 qemuarm:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
 
 qemuarm64:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
+  - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
 
 qemuppc:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
 
 qemumips64:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemuriscv64:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemux86-64-tpm:
   extends: .build
   script:
-  - kas build --target security-tpm-image kas/$CI_JOB_NAME.yml 
-
-qemux86-64-tpm2:
-  extends: .build
-  script:
-  - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-tpm-image kas/$CI_JOB_NAME.yml
+  - kas build --target security-tpm2-image kas/$CI_JOB_NAME2.yml
 
 qemuarm64-tpm2:
   extends: .build
   script:
-  - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml 
-
-qemux86-ima:
-  extends: .build
-  script:
-  - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml 
-
-qemux86-64-ima:
-  extends: .build
-  script:
-  - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml 
-
-qemuarm64-ima:
-  extends: .build
-  script:
-  - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml 
-
-qemux86-64-dm-verify:
-  extends: .build
-  script:
-  - kas build --target core-image-minimal kas/qemux86-64.yml 
-  - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME.yml 
-
+  - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml
 
 qemuarm64-alt:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemuarm64-multi:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemumips64-alt:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemumips64-multi:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemux86-64-alt:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemux86-64-multi:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemux86-musl:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemuarm64-musl:
   extends: .build
   script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
-
-qemux86-harden:
-  extends: .build
-  script:
-  - kas build --target harden-image-minimal kas/$CI_JOB_NAME.yml 
-
-qemux86-comp:
-  extends: .build
-  script:
-  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml
 
 qemux86-test:
   extends: .build
   allow_failure: true
   script:
-  - kas build --target security-test-image kas/$CI_JOB_NAME.yml 
-  - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml 
+  - kas build --target security-test-image kas/$CI_JOB_NAME.yml
+  - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
+

meta-security/README

@@ -11,28 +11,19 @@ This layer depends on:
 
   URI: git://git.openembedded.org/openembedded-core
   branch: master
-  revision: HEAD
-  prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-oe
   branch: master
-  revision: HEAD
-  prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-perl
   branch: master
-  revision: HEAD
-  prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-python
   branch: master
-  revision: HEAD
-  prio: default
 
   URI: git://git.openembedded.org/meta-openembedded/meta-networking
   branch: master
-  revision: HEAD
-  prio: default
+
 
 Adding the security layer to your build
 ========================================
@@ -51,11 +42,23 @@ other layers needed. e.g.:
     /path/to/meta-openembedded/meta-perl \
     /path/to/meta-openembedded/meta-python \
     /path/to/meta-openembedded/meta-networking \
-    /path/to/layer/meta-security \
+    /path/to/layer/meta-security "
+
+Optional Rust dependancy
+======================================
+If you want to use the latest Suricata that needs rust, you will need to clone
+
+  URI: https://github.com/meta-rust/meta-rust.git
+  branch: master
+
+  BBLAYERS += "/path/to/layer/meta-rust"
+
+This will activate the dynamic-layer mechanism and pull in the newer suricata
+
 
 
 Maintenance
------------
+======================================
 
 Send pull requests, patches, comments or questions to [email protected]
 

meta-security/conf/layer.conf

@@ -12,3 +12,7 @@ BBFILE_PRIORITY_security = "8"
 LAYERSERIES_COMPAT_security = "hardknott"
 
 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
+
+BBFILES_DYNAMIC += " \
+rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb  \
+"

meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch

@@ -0,0 +1,32 @@
+Skip pkg Makefile from using its own rust steps
+
+Upstream-Status: OE Specific
+
+Signed-off-by: Armin Kuster <[email protected]>
+
+Index: suricata-6.0.2/Makefile.am
+===================================================================
+--- suricata-6.0.2.orig/Makefile.am
++++ suricata-6.0.2/Makefile.am
+@@ -7,7 +7,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
+              $(SURICATA_UPDATE_DIR) \
+ 	     lua \
+ 	     acsite.m4
+-SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \
++SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \
+           $(SURICATA_UPDATE_DIR)
+
+ CLEANFILES = stamp-h[0-9]*
+Index: suricata-6.0.2/Makefile.in
+===================================================================
+--- suricata-6.0.2.orig/Makefile.in
++++ suricata-6.0.2/Makefile.in
+@@ -426,7 +426,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
+ 	     lua \
+ 	     acsite.m4
+
+-SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \
++SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \
+           $(SURICATA_UPDATE_DIR)
+
+ CLEANFILES = stamp-h[0-9]*

meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+suricata -u

meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=Suricata IDS/IDP daemon
+After=network.target
+Requires=network.target
+Documentation=man:suricata(8) man:suricatasc(8)
+Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
+
+[Service]
+Type=simple
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+RestrictAddressFamilies=
+ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
+ExecReload=/bin/kill -HUP $MAINPID
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=yes
+
+[Install]
+WantedBy=multi-user.target
+