* [meta-security][PATCH 2/3] clamav: add tmpfiles.d config
From: Christopher Larson @ 2019-11-25 16:41 UTC (permalink / raw)
To: yocto; +Cc: Christopher Larson
From: Christopher Larson <chris_larson@mentor.com>
This is needed to ensure freshclam's /var/log directory and file are
created when using systemd.
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
---
recipes-security/clamav/clamav_0.99.4.bb | 8 +++++++-
recipes-security/clamav/files/tmpfiles.clamav | 3 +++
2 files changed, 10 insertions(+), 1 deletion(-)
create mode 100644 recipes-security/clamav/files/tmpfiles.clamav
diff --git a/recipes-security/clamav/clamav_0.99.4.bb b/recipes-security/clamav/clamav_0.99.4.bb
index 7f043377..a340b485 100644
--- a/recipes-security/clamav/clamav_0.99.4.bb
+++ b/recipes-security/clamav/clamav_0.99.4.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.99 \
file://clamd.conf \
file://freshclam.conf \
file://volatiles.03_clamav \
+ file://tmpfiles.clamav \
file://${BPN}.service \
file://freshclam-native.conf \
"
@@ -104,11 +105,15 @@ do_install_append_class-target () {
install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf
fi
}
pkg_postinst_ontarget_${PN} () {
- if [ -e /etc/init.d/populate-volatile.sh ] ; then
+ if command -v systemd-tmpfiles >/dev/null; then
+ systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf
+ elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
mkdir -p ${localstatedir}/lib/clamav
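Review bot: The new `command -v systemd-tmpfiles` branch passes `${sysconfdir}/tmpfiles.d/clamav.conf` to systemd-tmpfiles unconditionally, but that file is only installed when DISTRO_FEATURES contains systemd and it is packaged in ${PN}-freshclam, not in the ${PN} whose postinst runs here; on an image where the binary exists but the file does not, the postinst fails on a missing path and the populate-volatile.sh fallback is never reached. Testing for the file first keeps the fallback intact: `if [ -e ${sysconfdir}/tmpfiles.d/clamav.conf ] && command -v systemd-tmpfiles >/dev/null; then`. The suricata pkg_postinst_ontarget in PATCH 3/3 has the same shape and would take the same guard. pkg_postinst_ontarget_${PN} continues past the end of this hunk.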
@@ -140,6 +145,7 @@ FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \
FILES_${PN}-freshclam = "${bindir}/freshclam \
${sysconfdir}/freshclam.conf* \
${sysconfdir}/clamav ${sysconfdir}/default/volatiles \
+ ${sysconfdir}/tmpfiles.d/*.conf \
${localstatedir}/lib/clamav \
${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \
${mandir}/man5/freshclam.conf.* \
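Review bot: `${sysconfdir}/tmpfiles.d/*.conf` in FILES_${PN}-freshclam packages any tmpfiles.d fragment the recipe might later install, not just the one this series adds; naming the file explicitly, `${sysconfdir}/tmpfiles.d/clamav.conf \`, keeps the package contents deterministic and makes the split between ${PN} (whose postinst invokes the file) and ${PN}-freshclam (which ships it) visible to a reader. The suricata recipe in PATCH 3/3 does the equivalent with a bare `${sysconfdir}/tmpfiles.d` directory in FILES_${PN} and could name its suricata.conf the same way.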
diff --git a/recipes-security/clamav/files/tmpfiles.clamav b/recipes-security/clamav/files/tmpfiles.clamav
new file mode 100644
index 00000000..fd5adfee
--- /dev/null
+++ b/recipes-security/clamav/files/tmpfiles.clamav
@@ -0,0 +1,3 @@
+#Type Path Mode UID GID Age Argument
+d /var/log/clamav 0755 clamav clamav -
+f /var/log/clamav/freshclam.log 0644 clamav clamav -
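Review bot: Both entries name the `clamav` user and group, which systemd-tmpfiles resolves at the moment it runs (from the postinst, or at boot via systemd-tmpfiles-setup), so they depend on that account existing before then; the account creation is not part of this patch, so it is worth confirming it is done by the recipe rather than left to first boot. If the lookup fails, systemd-tmpfiles reports an error for the affected line and freshclam would start without its log directory and pre-created log file. A one-line header stating the assumption would help the next maintainer, e.g. `# clamav user/group are expected to be created by the recipe (confirm) and must exist before systemd-tmpfiles-setup runs`.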
--
2.11.1
* [meta-security][PATCH 3/3] suricata: add tmpfiles.d config
From: Christopher Larson @ 2019-11-25 16:41 UTC (permalink / raw)
To: yocto; +Cc: Christopher Larson
From: Christopher Larson <chris_larson@mentor.com>
This is needed to ensure our /var/log directory is created when using
systemd.
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
---
recipes-ids/suricata/files/tmpfiles.suricata | 2 ++
recipes-ids/suricata/suricata_4.1.5.bb | 28 ++++++++++++++++++----------
2 files changed, 20 insertions(+), 10 deletions(-)
create mode 100644 recipes-ids/suricata/files/tmpfiles.suricata
diff --git a/recipes-ids/suricata/files/tmpfiles.suricata b/recipes-ids/suricata/files/tmpfiles.suricata
new file mode 100644
index 00000000..fbf37848
--- /dev/null
+++ b/recipes-ids/suricata/files/tmpfiles.suricata
@@ -0,0 +1,2 @@
+#Type Path Mode UID GID Age Argument
+d /var/log/suricata 0755 root root
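Review bot: The log directory is created `root root 0755`, so only root can write into it; if the suricata.yaml carried by this recipe configures a run-as user, the daemon would be unable to open its logs there. The yaml is not in this patch, so please confirm the service runs as root or set the owner to match the run-as account, as the clamav entry in PATCH 2/3 does with its service user. The Age column is also omitted here while the clamav file writes `-`; both are accepted by tmpfiles.d, but `d /var/log/suricata 0755 root root -` keeps the two fragments consistent.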
diff --git a/recipes-ids/suricata/suricata_4.1.5.bb b/recipes-ids/suricata/suricata_4.1.5.bb
index e15a9a33..b2700d63 100644
--- a/recipes-ids/suricata/suricata_4.1.5.bb
+++ b/recipes-ids/suricata/suricata_4.1.5.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd
SRC_URI += " \
file://volatiles.03_suricata \
+ file://tmpfiles.suricata \
file://suricata.yaml \
file://suricata.service \
file://run-ptest \
@@ -59,14 +60,19 @@ do_install_append () {
install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
- install -d ${D}${systemd_unitdir}/system
- sed -e s:/etc:${sysconfdir}:g \
- -e s:/var/run:/run:g \
- -e s:/var:${localstatedir}:g \
- -e s:/usr/bin:${bindir}:g \
- -e s:/bin/kill:${base_bindir}/kill:g \
- -e s:/usr/lib:${libdir}:g \
- ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
+
+ install -d ${D}${systemd_unitdir}/system
+ sed -e s:/etc:${sysconfdir}:g \
+ -e s:/var/run:/run:g \
+ -e s:/var:${localstatedir}:g \
+ -e s:/usr/bin:${bindir}:g \
+ -e s:/bin/kill:${base_bindir}/kill:g \
+ -e s:/usr/lib:${libdir}:g \
+ ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+ fi
# Remove /var/run as it is created on startup
rm -rf ${D}${localstatedir}/run
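Review bot: The fragment is installed under `${sysconfdir}/tmpfiles.d`, which systemd reserves for administrator overrides; package-provided fragments conventionally live in `${nonarch_libdir}/tmpfiles.d`, so that a local `/etc/tmpfiles.d/suricata.conf` can mask the packaged one instead of colliding with it on upgrade. That is a small change here: `install -d ${D}${nonarch_libdir}/tmpfiles.d`, the matching install target on the next line, and the corresponding FILES_${PN} and postinst paths; the clamav install in PATCH 2/3 has the same layout and would move the same way. do_install_append continues past the end of this hunk.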
@@ -74,7 +80,9 @@ do_install_append () {
}
pkg_postinst_ontarget_${PN} () {
-if [ -e /etc/init.d/populate-volatile.sh ] ; then
+if command -v systemd-tmpfiles >/dev/null; then
+ systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf
+elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
}
@@ -82,7 +90,7 @@ fi
SYSTEMD_PACKAGES = "${PN}"
PACKAGES =+ "${PN}-socketcontrol"
-FILES_${PN} += "${systemd_unitdir}"
+FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
--
2.11.1
* Re: [yocto] [meta-security][PATCH 1/3] checksecurity: use more portable find args
From: Armin Kuster @ 2019-11-26 4:49 UTC (permalink / raw)
To: Michael Halstead; +Cc: Christopher Larson, yocto, Christopher Larson
Michael,
On 11/25/19 8:41 AM, Christopher Larson wrote:
These patches did not land in patchwork. Maybe something to do with the
mailing list change?
They are in the yocto archives.
- armin
> From: Christopher Larson <chris_larson@mentor.com>
>
> Signed-off-by: Christopher Larson <chris_larson@mentor.com>
> ---
> .../checksecurity/checksecurity_2.0.15.bb | 3 ++-
> .../check-setuid-use-more-portable-find-args.patch | 23 ++++++++++++++++++++++
> 2 files changed, 25 insertions(+), 1 deletion(-)
> create mode 100644 recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
>
> diff --git a/recipes-security/checksecurity/checksecurity_2.0.15.bb b/recipes-security/checksecurity/checksecurity_2.0.15.bb
> index a9616911..030bf251 100644
> --- a/recipes-security/checksecurity/checksecurity_2.0.15.bb
> +++ b/recipes-security/checksecurity/checksecurity_2.0.15.bb
> @@ -5,7 +5,8 @@ LICENSE = "GPL-2.0"
> LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
>
> SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
> - file://setuid-log-folder.patch"
> + file://setuid-log-folder.patch \
> + file://check-setuid-use-more-portable-find-args.patch"
>
> SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f"
> SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32"
> diff --git a/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
> new file mode 100644
> index 00000000..f1fe8edc
> --- /dev/null
> +++ b/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
> @@ -0,0 +1,23 @@
> +From f3073b8e06a607677d47ad9a19533b2e33408a4f Mon Sep 17 00:00:00 2001
> +From: Christopher Larson <chris_larson@mentor.com>
> +Date: Wed, 5 Sep 2018 23:21:43 +0500
> +Subject: [PATCH] check-setuid: use more portable find args
> +
> +Signed-off-by: Christopher Larson <chris_larson@mentor.com>
> +---
> + plugins/check-setuid | 6 +++---
> + 1 file changed, 3 insertions(+), 3 deletions(-)
> +
> +Index: checksecurity-2.0.15/plugins/check-setuid
> +===================================================================
> +--- checksecurity-2.0.15.orig/plugins/check-setuid 2018-09-06 00:49:23.930934294 +0500
> ++++ checksecurity-2.0.15/plugins/check-setuid 2018-09-06 00:49:49.694934757 +0500
> +@@ -99,7 +99,7 @@
> + ionice -t -c3 \
> + find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
> + -xdev $PATHCHK \
> +- \( -type f -perm +06000 -o \( \( -type b -o -type c \) \
> ++ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
> + $DEVCHK \) \) \
> + -ignore_readdir_race \
> + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
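Review bot: The replacement `\( -perm -4000 -o -perm -2000 \)` matches a file carrying either the setuid or the setgid bit, which is what the deprecated GNU `-perm +06000` expressed, and it avoids `-perm /6000`, which is likewise not POSIX; neither the embedded patch header nor the recipe commit message states this, so a reader cannot tell from the diff that the scan's coverage is unchanged. I would add that rationale to the patch description, along the lines of `-perm +mode is a GNU extension that newer findutils reject and -perm /mode is also non-POSIX, so the two bits are spelled out with -o`, together with the layer's usual Upstream-Status line. The find invocation this edits continues past the end of the hunk into the pipeline on the last line.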
>