* [meta-security][PATCH 1/3] checksecurity: use more portable find args
@ 2019-11-25 16:41 Christopher Larson
  2019-11-25 16:41 ` [meta-security][PATCH 2/3] clamav: add tmpfiles.d config Christopher Larson
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Christopher Larson @ 2019-11-25 16:41 UTC (permalink / raw)
  To: yocto; +Cc: Christopher Larson

From: Christopher Larson <chris_larson@mentor.com>

Signed-off-by: Christopher Larson <chris_larson@mentor.com>
---
 .../checksecurity/checksecurity_2.0.15.bb          |  3 ++-
 .../check-setuid-use-more-portable-find-args.patch | 23 ++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch

diff --git a/recipes-security/checksecurity/checksecurity_2.0.15.bb b/recipes-security/checksecurity/checksecurity_2.0.15.bb
index a9616911..030bf251 100644
--- a/recipes-security/checksecurity/checksecurity_2.0.15.bb
+++ b/recipes-security/checksecurity/checksecurity_2.0.15.bb
@@ -5,7 +5,8 @@ LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
 
 SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
-           file://setuid-log-folder.patch"
+           file://setuid-log-folder.patch \
+           file://check-setuid-use-more-portable-find-args.patch"
 
 SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f"
 SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32"
diff --git a/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
new file mode 100644
index 00000000..f1fe8edc
--- /dev/null
+++ b/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
@@ -0,0 +1,23 @@
+From f3073b8e06a607677d47ad9a19533b2e33408a4f Mon Sep 17 00:00:00 2001
+From: Christopher Larson <chris_larson@mentor.com>
+Date: Wed, 5 Sep 2018 23:21:43 +0500
+Subject: [PATCH] check-setuid: use more portable find args
+
+Signed-off-by: Christopher Larson <chris_larson@mentor.com>
+---
+ plugins/check-setuid | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: checksecurity-2.0.15/plugins/check-setuid
+===================================================================
+--- checksecurity-2.0.15.orig/plugins/check-setuid	2018-09-06 00:49:23.930934294 +0500
++++ checksecurity-2.0.15/plugins/check-setuid	2018-09-06 00:49:49.694934757 +0500
+@@ -99,7 +99,7 @@
+ ionice -t -c3 \
+ find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
+ 	-xdev $PATHCHK \
+-	\( -type f -perm +06000 -o \( \( -type b -o -type c \) \
++	\( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
+ 	$DEVCHK \) \) \
+         -ignore_readdir_race  \
+ 	-printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
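Review bot: The new patch file has no `Upstream-Status:` tag and no rationale in its header; a sentence such as `GNU findutils no longer accepts -perm +MODE, so the setuid/setgid scan errors out on current find` would tell a later maintainer why this audit had to change. The rewritten test `\( -perm -4000 -o -perm -2000 \)` matches files with either bit set, which is the same set the old `+06000` form selected, so the scan's coverage looks unchanged. The same command still passes `-ignore_readdir_race` and `-printf`, both GNU find extensions, so the plugin presumably still needs findutils on the target rather than a minimal find; an `RDEPENDS` on findutils would make that explicit if the recipe does not already have one. The embedded diffstat (3 insertions, 3 deletions) does not match the single one-line hunk shown, and the find pipeline continues past the end of the hunk.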
-- 
2.11.1



* [meta-security][PATCH 2/3] clamav: add tmpfiles.d config
  2019-11-25 16:41 [meta-security][PATCH 1/3] checksecurity: use more portable find args Christopher Larson
@ 2019-11-25 16:41 ` Christopher Larson
  2019-11-25 16:41 ` [meta-security][PATCH 3/3] suricata: " Christopher Larson
  2019-11-26  4:49 ` [yocto] [meta-security][PATCH 1/3] checksecurity: use more portable find args Armin Kuster
  2 siblings, 0 replies; 4+ messages in thread
From: Christopher Larson @ 2019-11-25 16:41 UTC (permalink / raw)
  To: yocto; +Cc: Christopher Larson

From: Christopher Larson <chris_larson@mentor.com>

This is needed to ensure freshclam's /var/log directory and file are
created when using systemd.

Signed-off-by: Christopher Larson <chris_larson@mentor.com>
---
 recipes-security/clamav/clamav_0.99.4.bb      | 8 +++++++-
 recipes-security/clamav/files/tmpfiles.clamav | 3 +++
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 recipes-security/clamav/files/tmpfiles.clamav

diff --git a/recipes-security/clamav/clamav_0.99.4.bb b/recipes-security/clamav/clamav_0.99.4.bb
index 7f043377..a340b485 100644
--- a/recipes-security/clamav/clamav_0.99.4.bb
+++ b/recipes-security/clamav/clamav_0.99.4.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.99 \
     file://clamd.conf \
     file://freshclam.conf \
     file://volatiles.03_clamav \
+    file://tmpfiles.clamav \
     file://${BPN}.service \
     file://freshclam-native.conf \
     "
@@ -104,11 +105,15 @@ do_install_append_class-target () {
     install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
         install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service
+        install -d ${D}${sysconfdir}/tmpfiles.d
+        install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf
     fi
 }
 
 pkg_postinst_ontarget_${PN} () {
-    if [ -e /etc/init.d/populate-volatile.sh ] ; then
+    if command -v systemd-tmpfiles >/dev/null; then
+        systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf
+    elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
         ${sysconfdir}/init.d/populate-volatile.sh update
     fi
     mkdir -p ${localstatedir}/lib/clamav
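Review bot: `pkg_postinst_ontarget_${PN}` now runs `systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf`, but the FILES hunk further down packages `${sysconfdir}/tmpfiles.d/*.conf` into `${PN}-freshclam`, so the postinst of `${PN}` can reference a file that a different package owns. Unless `${PN}` is known to pull in `${PN}-freshclam` (not visible here), the call would fail on a missing file and take the postinst with it; moving the snippet to `pkg_postinst_ontarget_${PN}-freshclam` or guarding it with `[ -e ${sysconfdir}/tmpfiles.d/clamav.conf ]` would avoid that. The branch also tests for the binary at run time while the config is installed only when `systemd` is in DISTRO_FEATURES at build time, so the two conditions can disagree. The postinst body continues past the end of the hunk.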
@@ -140,6 +145,7 @@ FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \
 FILES_${PN}-freshclam = "${bindir}/freshclam \
                         ${sysconfdir}/freshclam.conf*  \
                         ${sysconfdir}/clamav ${sysconfdir}/default/volatiles \
+                        ${sysconfdir}/tmpfiles.d/*.conf \
                         ${localstatedir}/lib/clamav \
                         ${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \
                         ${mandir}/man5/freshclam.conf.* \
diff --git a/recipes-security/clamav/files/tmpfiles.clamav b/recipes-security/clamav/files/tmpfiles.clamav
new file mode 100644
index 00000000..fd5adfee
--- /dev/null
+++ b/recipes-security/clamav/files/tmpfiles.clamav
@@ -0,0 +1,3 @@
+#Type Path        Mode UID  GID  Age Argument
+d /var/log/clamav 0755 clamav clamav -
+f /var/log/clamav/freshclam.log 0644 clamav clamav -
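Review bot: Both entries leave the log location world-readable (`0755` directory, `0644` file); if nothing outside the `clamav` account needs to read freshclam's log, `d /var/log/clamav 0750 clamav clamav -` and `f /var/log/clamav/freshclam.log 0640 clamav clamav -` would be the tighter default. The same applies to `d /var/log/suricata 0755 root root` in tmpfiles.suricata in patch 3/3, where the directory presumably holds Suricata's alert and event logs. Whatever modes are chosen should match the existing volatiles.03_* entries, which are not shown here, so that sysvinit and systemd images end up with the same permissions.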
-- 
2.11.1



* [meta-security][PATCH 3/3] suricata: add tmpfiles.d config
  2019-11-25 16:41 [meta-security][PATCH 1/3] checksecurity: use more portable find args Christopher Larson
  2019-11-25 16:41 ` [meta-security][PATCH 2/3] clamav: add tmpfiles.d config Christopher Larson
@ 2019-11-25 16:41 ` Christopher Larson
  2019-11-26  4:49 ` [yocto] [meta-security][PATCH 1/3] checksecurity: use more portable find args Armin Kuster
  2 siblings, 0 replies; 4+ messages in thread
From: Christopher Larson @ 2019-11-25 16:41 UTC (permalink / raw)
  To: yocto; +Cc: Christopher Larson

From: Christopher Larson <chris_larson@mentor.com>

This is needed to ensure our /var/log directory is created when using
systemd.

Signed-off-by: Christopher Larson <chris_larson@mentor.com>
---
 recipes-ids/suricata/files/tmpfiles.suricata |  2 ++
 recipes-ids/suricata/suricata_4.1.5.bb       | 28 ++++++++++++++++++----------
 2 files changed, 20 insertions(+), 10 deletions(-)
 create mode 100644 recipes-ids/suricata/files/tmpfiles.suricata

diff --git a/recipes-ids/suricata/files/tmpfiles.suricata b/recipes-ids/suricata/files/tmpfiles.suricata
new file mode 100644
index 00000000..fbf37848
--- /dev/null
+++ b/recipes-ids/suricata/files/tmpfiles.suricata
@@ -0,0 +1,2 @@
+#Type Path        Mode UID  GID  Age Argument
+d /var/log/suricata 0755 root root
diff --git a/recipes-ids/suricata/suricata_4.1.5.bb b/recipes-ids/suricata/suricata_4.1.5.bb
index e15a9a33..b2700d63 100644
--- a/recipes-ids/suricata/suricata_4.1.5.bb
+++ b/recipes-ids/suricata/suricata_4.1.5.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd
 
 SRC_URI += " \
     file://volatiles.03_suricata \
+    file://tmpfiles.suricata \
     file://suricata.yaml \
     file://suricata.service \
     file://run-ptest \
@@ -59,14 +60,19 @@ do_install_append () {
 
     install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
 
-    install -d ${D}${systemd_unitdir}/system
-    sed  -e s:/etc:${sysconfdir}:g \
-         -e s:/var/run:/run:g \
-         -e s:/var:${localstatedir}:g \
-         -e s:/usr/bin:${bindir}:g \
-         -e s:/bin/kill:${base_bindir}/kill:g \
-         -e s:/usr/lib:${libdir}:g \
-         ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+        install -d ${D}${sysconfdir}/tmpfiles.d
+        install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
+
+        install -d ${D}${systemd_unitdir}/system
+        sed  -e s:/etc:${sysconfdir}:g \
+             -e s:/var/run:/run:g \
+             -e s:/var:${localstatedir}:g \
+             -e s:/usr/bin:${bindir}:g \
+             -e s:/bin/kill:${base_bindir}/kill:g \
+             -e s:/usr/lib:${libdir}:g \
+             ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+    fi
 
     # Remove /var/run as it is created on startup
     rm -rf ${D}${localstatedir}/run
@@ -74,7 +80,9 @@ do_install_append () {
 }
 
 pkg_postinst_ontarget_${PN} () {
-if [ -e /etc/init.d/populate-volatile.sh ] ; then
+if command -v systemd-tmpfiles >/dev/null; then
+    systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf
+elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
     ${sysconfdir}/init.d/populate-volatile.sh update
 fi
 }
@@ -82,7 +90,7 @@ fi
 SYSTEMD_PACKAGES = "${PN}"
 
 PACKAGES =+ "${PN}-socketcontrol"
-FILES_${PN} += "${systemd_unitdir}"
+FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
 FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
 
 CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
-- 
2.11.1



* Re: [yocto] [meta-security][PATCH 1/3] checksecurity: use more portable find args
  2019-11-25 16:41 [meta-security][PATCH 1/3] checksecurity: use more portable find args Christopher Larson
  2019-11-25 16:41 ` [meta-security][PATCH 2/3] clamav: add tmpfiles.d config Christopher Larson
  2019-11-25 16:41 ` [meta-security][PATCH 3/3] suricata: " Christopher Larson
@ 2019-11-26  4:49 ` Armin Kuster
  2 siblings, 0 replies; 4+ messages in thread
From: Armin Kuster @ 2019-11-26  4:49 UTC (permalink / raw)
  To: Michael Halstead; +Cc: Christopher Larson, yocto, Christopher Larson

[-- Attachment #1: Type: text/plain, Size: 3379 bytes --]

Michael,

On 11/25/19 8:41 AM, Christopher Larson wrote:

These patches did not land in patchwork. Maybe this has something to do with the
mailing list change?

They are in the yocto archives.

- armin
> From: Christopher Larson <chris_larson@mentor.com>
>
> Signed-off-by: Christopher Larson <chris_larson@mentor.com>
> ---
>  .../checksecurity/checksecurity_2.0.15.bb          |  3 ++-
>  .../check-setuid-use-more-portable-find-args.patch | 23 ++++++++++++++++++++++
>  2 files changed, 25 insertions(+), 1 deletion(-)
>  create mode 100644 recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
>
> diff --git a/recipes-security/checksecurity/checksecurity_2.0.15.bb b/recipes-security/checksecurity/checksecurity_2.0.15.bb
> index a9616911..030bf251 100644
> --- a/recipes-security/checksecurity/checksecurity_2.0.15.bb
> +++ b/recipes-security/checksecurity/checksecurity_2.0.15.bb
> @@ -5,7 +5,8 @@ LICENSE = "GPL-2.0"
>  LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
>  
>  SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
> -           file://setuid-log-folder.patch"
> +           file://setuid-log-folder.patch \
> +           file://check-setuid-use-more-portable-find-args.patch"
>  
>  SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f"
>  SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32"
> diff --git a/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
> new file mode 100644
> index 00000000..f1fe8edc
> --- /dev/null
> +++ b/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
> @@ -0,0 +1,23 @@
> +From f3073b8e06a607677d47ad9a19533b2e33408a4f Mon Sep 17 00:00:00 2001
> +From: Christopher Larson <chris_larson@mentor.com>
> +Date: Wed, 5 Sep 2018 23:21:43 +0500
> +Subject: [PATCH] check-setuid: use more portable find args
> +
> +Signed-off-by: Christopher Larson <chris_larson@mentor.com>
> +---
> + plugins/check-setuid | 6 +++---
> + 1 file changed, 3 insertions(+), 3 deletions(-)
> +
> +Index: checksecurity-2.0.15/plugins/check-setuid
> +===================================================================
> +--- checksecurity-2.0.15.orig/plugins/check-setuid	2018-09-06 00:49:23.930934294 +0500
> ++++ checksecurity-2.0.15/plugins/check-setuid	2018-09-06 00:49:49.694934757 +0500
> +@@ -99,7 +99,7 @@
> + ionice -t -c3 \
> + find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
> + 	-xdev $PATHCHK \
> +-	\( -type f -perm +06000 -o \( \( -type b -o -type c \) \
> ++	\( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
> + 	$DEVCHK \) \) \
> +         -ignore_readdir_race  \
> + 	-printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
>


