author: Armin Kuster <akuster808@gmail.com> 2023-06-17 15:20:22 -0400
committer: Armin Kuster <akuster808@gmail.com> 2023-06-20 11:07:20 -0400
commit: ca8bd5faf85542f6d9e859c27aac1f0aeb2a05e9 (patch)
tree: 3a153fab2573019a3718ca6749323eecbaed12cd
parent: 97ab23ef6401ae9bcb2c4cfd4fb01b3ca6522c79 (diff)
download: meta-security-ca8bd5faf85542f6d9e859c27aac1f0aeb2a05e9.tar.gz
meta-security-isafw: drop layer isafw project archived
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 meta-security-isafw/.gitignore                                     |   2 -
 meta-security-isafw/COPYING.MIT                                    |  17 -
 meta-security-isafw/README.md                                      |  92 -
 meta-security-isafw/classes/isafw.bbclass                          | 317 -
 meta-security-isafw/conf/layer.conf                                |  17 -
 meta-security-isafw/lib/isafw/__init__.py                          |  40 -
 meta-security-isafw/lib/isafw/isafw.py                             | 158 -
 meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py         | 392 -
 meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py         | 217 -
 meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py         | 185 -
 meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py         | 323 -
 meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py          | 273 -
 meta-security-isafw/lib/isafw/isaplugins/__init__.py               |  42 -
 meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py       |   0
 meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py   |   0
 meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py        |  24 -
 meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py     | 242 -
 meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py        |  38 -
 meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi |  43 -
 meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions     |   0
 meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses       | 105 -
 meta-security-isafw/lib/isafw/isaplugins/configs/la/violations     |   7 -
 meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb    |  25 -
 23 files changed, 0 insertions(+), 2559 deletions(-)
diff --git a/meta-security-isafw/.gitignore b/meta-security-isafw/.gitignore
deleted file mode 100644
index 2f836aa..0000000
--- a/meta-security-isafw/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
1*~
2*.pyc
diff --git a/meta-security-isafw/COPYING.MIT b/meta-security-isafw/COPYING.MIT
deleted file mode 100644
index fb950dc..0000000
--- a/meta-security-isafw/COPYING.MIT
+++ /dev/null
@@ -1,17 +0,0 @@
1Permission is hereby granted, free of charge, to any person obtaining a copy
2of this software and associated documentation files (the "Software"), to deal
3in the Software without restriction, including without limitation the rights
4to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
5copies of the Software, and to permit persons to whom the Software is
6furnished to do so, subject to the following conditions:
7
8The above copyright notice and this permission notice shall be included in
9all copies or substantial portions of the Software.
10
11THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
12IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
14AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
15LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
16OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
17THE SOFTWARE.
diff --git a/meta-security-isafw/README.md b/meta-security-isafw/README.md
deleted file mode 100644
index 16041cb..0000000
--- a/meta-security-isafw/README.md
+++ /dev/null
@@ -1,92 +0,0 @@
1**meta-security-isafw** is an OE layer that allows enabling the Image
2Security Analysis Framework (isafw) for your image builds.
3
4The primary purpose of isafw is to provide an extensible
5framework for analysing different security aspects of images
6during the build process.
7
8The isafw project itself can be found at
9 https://github.com/01org/isafw
10
11The framework supports a number of callbacks (such as
12process_package(), process_filesystem(), and etc.) that are invoked
13by the bitbake during different stages of package and image build.
14These callbacks are then forwarded for processing to the avaliable
15ISA FW plugins that have registered for these callbacks.
16Plugins can do their own processing on each stage of the build
17process and produce security reports.
18
19Dependencies
20------------
21
22The **meta-security-isafw** layer depends on the Open Embeeded
23core layer:
24
25 git://git.openembedded.org/openembedded-core
26
27
28Usage
29-----
30
31In order to enable the isafw during the image build, please add
32the following line to your build/conf/local.conf file:
33
34```python
35INHERIT += "isafw"
36```
37
38Next you need to update your build/conf/bblayers.conf file with the
39location of meta-security-isafw layer on your filesystem along with
40any other layers needed. e.g.:
41
42```python
43BBLAYERS ?= " \
44 /OE/oe-core/meta \
45 /OE/meta-security/meta-security-isafw \
46 "
47```
48
49Also, some isafw plugins require network connection, so in case of a
50proxy setup please make sure to export http_proxy variable into your
51environment.
52
53In order to produce image reports, you can execute image build
54normally. For example:
55
56```shell
57bitbake core-image-minimal
58```
59
60If you are only interested to produce a report based on packages
61and without building an image, please use:
62
63```shell
64bitbake -c analyse_sources_all core-image-minimal
65```
66
67
68Logs
69----
70
71All isafw plugins by default create their logs under the
72${LOG_DIR}/isafw-report/ directory, where ${LOG_DIR} is a bitbake
73default location for log files. If you wish to change this location,
74please define ISAFW_REPORTDIR variable in your local.conf file.
75
76Patches
77-------
78end pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
79
80When sending single patches, please using something like:
81'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security-isafw][PATCH'
82
83These values can be set as defaults for this repository:
84
85$ git config sendemail.to yocto@lists.yoctoproject.org
86$ git config format.subjectPrefix meta-security-isafw][PATCH
87
88Now you can just do 'git send-email origin/master' to send all local patches.
89
90For pull requests, please use create-pull-request and send-pull-request.
91
92Maintainers: Armin Kuster <akuster808@gmail.com>
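Review bot: dropping the README leaves no migration pointer for builds that followed it, so an existing local.conf carrying `INHERIT += "isafw"` will now fail at parse time with an unknown class, and `ISAFW_REPORTDIR` and `bitbake -c analyse_sources_all core-image-minimal` silently stop doing anything; the commit message should say this explicitly and point users at the archived upstream https://github.com/01org/isafw (the stated reason for the drop) so they understand the analysis reports are gone rather than merely relocated.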
diff --git a/meta-security-isafw/classes/isafw.bbclass b/meta-security-isafw/classes/isafw.bbclass
deleted file mode 100644
index 3854c0f..0000000
--- a/meta-security-isafw/classes/isafw.bbclass
+++ /dev/null
@@ -1,317 +0,0 @@
1# Security scanning class
2#
3# Based in part on buildhistory.bbclass which was in turn based on
4# testlab.bbclass and packagehistory.bbclass
5#
6# Copyright (C) 2011-2015 Intel Corporation
7# Copyright (C) 2007-2011 Koen Kooi <koen@openembedded.org>
8#
9
10LICENSE = "MIT"
11
12require conf/distro/include/distro_alias.inc
13
14ISAFW_WORKDIR = "${WORKDIR}/isafw"
15ISAFW_REPORTDIR ?= "${LOG_DIR}/isafw-report"
16ISAFW_LOGDIR ?= "${LOG_DIR}/isafw-logs"
17
18ISAFW_PLUGINS_WHITELIST ?= ""
19ISAFW_PLUGINS_BLACKLIST ?= ""
20
21ISAFW_LA_PLUGIN_IMAGE_WHITELIST ?= ""
22ISAFW_LA_PLUGIN_IMAGE_BLACKLIST ?= ""
23
24# First, code to handle scanning each recipe that goes into the build
25
26do_analysesource[nostamp] = "1"
27do_analysesource[cleandirs] = "${ISAFW_WORKDIR}"
28
29python do_analysesource() {
30 from isafw import isafw
31
32 imageSecurityAnalyser = isafw_init(isafw, d)
33
34 if not d.getVar('SRC_URI', True):
35 # Recipe didn't fetch any sources, nothing to do here I assume?
36 return
37
38 recipe = isafw.ISA_package()
39 recipe.name = d.getVar('BPN', True)
40 recipe.version = d.getVar('PV', True)
41 recipe.version = recipe.version.split('+git', 1)[0]
42
43 for p in d.getVar('PACKAGES', True).split():
44 license = str(d.getVar('LICENSE:' + p, True))
45 if license == "None":
46 license = d.getVar('LICENSE', True)
47 license = license.replace("(", "")
48 license = license.replace(")", "")
49 licenses = license.split()
50 while '|' in licenses:
51 licenses.remove('|')
52 while '&' in licenses:
53 licenses.remove('&')
54 for l in licenses:
55 recipe.licenses.append(p + ":" + canonical_license(d, l))
56
57 aliases = d.getVar('DISTRO_PN_ALIAS', True)
58 if aliases:
59 recipe.aliases = aliases.split()
60 faliases = []
61 for a in recipe.aliases:
62 if (a != "OSPDT") and (not (a.startswith("upstream="))):
63 faliases.append(a.split('=', 1)[-1])
64 # remove possible duplicates in pkg names
65 faliases = list(set(faliases))
66 recipe.aliases = faliases
67
68 for patch in src_patches(d):
69 _,_,local,_,_,_=bb.fetch.decodeurl(patch)
70 recipe.patch_files.append(os.path.basename(local))
71 if (not recipe.patch_files) :
72 recipe.patch_files.append("None")
73
74 # Pass the recipe object to the security framework
75 bb.debug(1, '%s: analyse sources' % (d.getVar('PN', True)))
76 imageSecurityAnalyser.process_package(recipe)
77
78 return
79}
80
81addtask do_analysesource before do_build
82
83# This task intended to be called after default task to process reports
84
85PR_ORIG_TASK := "${BB_DEFAULT_TASK}"
86addhandler process_reports_handler
87process_reports_handler[eventmask] = "bb.event.BuildCompleted"
88
89python process_reports_handler() {
90 from isafw import isafw
91
92 dd = d.createCopy()
93 target_sysroot = dd.expand("${STAGING_DIR}/${MACHINE}")
94 native_sysroot = dd.expand("${STAGING_DIR}/${BUILD_ARCH}")
95 staging_populate_sysroot_dir(target_sysroot, native_sysroot, True, dd)
96
97 dd.setVar("STAGING_DIR_NATIVE", native_sysroot)
98 savedenv = os.environ.copy()
99 os.environ["PATH"] = dd.getVar("PATH", True)
100
101 imageSecurityAnalyser = isafw_init(isafw, dd)
102 bb.debug(1, 'isafw: process reports')
103 imageSecurityAnalyser.process_report()
104
105 os.environ["PATH"] = savedenv["PATH"]
106}
107
108do_build[depends] += "cve-update-db-native:do_fetch ca-certificates-native:do_populate_sysroot"
109do_build[depends] += "python3-lxml-native:do_populate_sysroot"
110
111# These tasks are intended to be called directly by the user (e.g. bitbake -c)
112
113addtask do_analyse_sources after do_analysesource
114do_analyse_sources[doc] = "Produce ISAFW reports based on given package without building it"
115do_analyse_sources[nostamp] = "1"
116do_analyse_sources() {
117 :
118}
119
120addtask do_analyse_sources_all after do_analysesource
121do_analyse_sources_all[doc] = "Produce ISAFW reports for all packages in given target without building them"
122do_analyse_sources_all[recrdeptask] = "do_analyse_sources_all do_analysesource"
123do_analyse_sources_all[recideptask] = "do_${PR_ORIG_TASK}"
124do_analyse_sources_all[nostamp] = "1"
125do_analyse_sources_all() {
126 :
127}
128
129python() {
130 # We probably don't need to scan these
131 if bb.data.inherits_class('native', d) or \
132 bb.data.inherits_class('nativesdk', d) or \
133 bb.data.inherits_class('cross', d) or \
134 bb.data.inherits_class('crosssdk', d) or \
135 bb.data.inherits_class('cross-canadian', d) or \
136 bb.data.inherits_class('packagegroup', d) or \
137 bb.data.inherits_class('image', d):
138 bb.build.deltask('do_analysesource', d)
139}
140
141fakeroot python do_analyse_image() {
142
143 from isafw import isafw
144
145 imageSecurityAnalyser = isafw_init(isafw, d)
146
147 # Directory where the image's entire contents can be examined
148 rootfsdir = d.getVar('IMAGE_ROOTFS', True)
149
150 imagebasename = d.getVar('IMAGE_BASENAME', True)
151
152 kernelconf = d.getVar('STAGING_KERNEL_BUILDDIR', True) + "/.config"
153 if os.path.exists(kernelconf):
154 kernel = isafw.ISA_kernel()
155 kernel.img_name = imagebasename
156 kernel.path_to_config = kernelconf
157 bb.debug(1, 'do kernel conf analysis on %s' % kernelconf)
158 imageSecurityAnalyser.process_kernel(kernel)
159 else:
160 bb.debug(1, 'Kernel configuration file is missing. Not performing analysis on %s' % kernelconf)
161
162 pkglist = manifest2pkglist(d)
163
164 imagebasename = d.getVar('IMAGE_BASENAME', True)
165
166 if (pkglist):
167 pkg_list = isafw.ISA_pkg_list()
168 pkg_list.img_name = imagebasename
169 pkg_list.path_to_list = pkglist
170 bb.debug(1, 'do pkg list analysis on %s' % pkglist)
171 imageSecurityAnalyser.process_pkg_list(pkg_list)
172
173 fs = isafw.ISA_filesystem()
174 fs.img_name = imagebasename
175 fs.path_to_fs = rootfsdir
176
177 bb.debug(1, 'do image analysis on %s' % rootfsdir)
178 imageSecurityAnalyser.process_filesystem(fs)
179}
180
181do_rootfs[depends] += "checksec-native:do_populate_sysroot ca-certificates-native:do_populate_sysroot"
182do_rootfs[depends] += "python3-lxml-native:do_populate_sysroot"
183
184isafw_init[vardepsexclude] = "DATETIME"
185def isafw_init(isafw, d):
186 import re, errno
187
188 isafw_config = isafw.ISA_config()
189 # Override the builtin default in curl-native (used by cve-update-db-nativ)
190 # because that default is a path that may not be valid: when curl-native gets
191 # installed from sstate, we end up with the sysroot path as it was on the
192 # original build host, which is not necessarily the same path used now
193 # (see https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883).
194 #
195 # Can't use ${sysconfdir} here, it already includes ${STAGING_DIR_NATIVE}
196 # when the current recipe is native.
197 isafw_config.cacert = d.expand('${STAGING_DIR_NATIVE}/etc/ssl/certs/ca-certificates.crt')
198
199 bb.utils.export_proxies(d)
200
201 isafw_config.machine = d.getVar('MACHINE', True)
202 isafw_config.timestamp = d.getVar('DATETIME', True)
203 isafw_config.reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + isafw_config.timestamp
204 if not os.path.exists(os.path.dirname(isafw_config.reportdir + "/test")):
205 try:
206 os.makedirs(os.path.dirname(isafw_config.reportdir + "/test"))
207 except OSError as exc:
208 if exc.errno == errno.EEXIST and os.path.isdir(isafw_config.reportdir):
209 pass
210 else: raise
211 isafw_config.logdir = d.getVar('ISAFW_LOGDIR', True)
212 # Adding support for arm
213 # TODO: Add support for other platforms
214 isafw_config.arch = d.getVar('TARGET_ARCH', True)
215 if ( isafw_config.arch != "arm" ):
216 isafw_config.arch = "x86"
217
218 whitelist = d.getVar('ISAFW_PLUGINS_WHITELIST', True)
219 blacklist = d.getVar('ISAFW_PLUGINS_BLACKLIST', True)
220 if whitelist:
221 isafw_config.plugin_whitelist = re.split(r'[,\s]*', whitelist)
222 if blacklist:
223 isafw_config.plugin_blacklist = re.split(r'[,\s]*', blacklist)
224
225 la_image_whitelist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_WHITELIST', True)
226 la_image_blacklist = d.getVar('ISAFW_LA_PLUGIN_IMAGE_BLACKLIST', True)
227 if la_image_whitelist:
228 isafw_config.la_plugin_image_whitelist = re.split(r'[,\s]*', la_image_whitelist)
229 if la_image_blacklist:
230 isafw_config.la_plugin_image_blacklist = re.split(r'[,\s]*', la_image_blacklist)
231
232 return isafw.ISA(isafw_config)
233
234# based on toaster.bbclass _toaster_load_pkgdatafile function
235def binary2source(dirpath, filepath):
236 import re
237 originPkg = ""
238 with open(os.path.join(dirpath, filepath), "r") as fin:
239 for line in fin:
240 try:
241 kn, kv = line.strip().split(": ", 1)
242 m = re.match(r"^PKG_([^A-Z:]*)", kn)
243 if m:
244 originPkg = str(m.group(1))
245 except ValueError:
246 pass # ignore lines without valid key: value pairs:
247 if not originPkg:
248 originPkg = "UNKNOWN"
249 return originPkg
250
251manifest2pkglist[vardepsexclude] = "DATETIME"
252def manifest2pkglist(d):
253 import glob
254
255 manifest_file = d.getVar('IMAGE_MANIFEST', True)
256 imagebasename = d.getVar('IMAGE_BASENAME', True)
257 reportdir = d.getVar('ISAFW_REPORTDIR', True) + "_" + d.getVar('DATETIME', True)
258 pkgdata_dir = d.getVar("PKGDATA_DIR", True)
259 rr_dir = "%s/runtime-reverse/" % pkgdata_dir
260 pkglist = reportdir + "/pkglist"
261
262 with open(pkglist, 'a') as foutput:
263 foutput.write("Packages for image " + imagebasename + "\n")
264 try:
265 with open(manifest_file, 'r') as finput:
266 for line in finput:
267 items = line.split()
268 if items and (len(items) >= 3):
269 pkgnames = map(os.path.basename, glob.glob(os.path.join(rr_dir, items[0])))
270 for pkgname in pkgnames:
271 originPkg = binary2source(rr_dir, pkgname)
272 version = items[2]
273 if not version:
274 version = "undetermined"
275 foutput.write(pkgname + " " + version + " " + originPkg + "\n")
276 except IOError:
277 bb.debug(1, 'isafw: manifest file not found. Skip pkg list analysis')
278 return "";
279
280
281 return pkglist
282
283# NOTE: by the time IMAGE_POSTPROCESS_COMMAND items are called, the image
284# has been stripped of the package manager database (if runtime package management
285# is not enabled, i.e. 'package-management' is not in IMAGE_FEATURES). If you
286# do want to be using the package manager to operate on the image contents, you'll
287# need to call your function from ROOTFS_POSTINSTALL_COMMAND or
288# ROOTFS_POSTUNINSTALL_COMMAND instead - however if you do that you should then be
289# aware that what you'll be looking at isn't exactly what you will see in the image
290# at runtime (there will be other postprocessing functions called after yours).
291#
292# do_analyse_image does not need the package manager database. Making it
293# a separate task instead of a IMAGE_POSTPROCESS_COMMAND has several
294# advantages:
295# - all other image commands are guaranteed to have completed
296# - it can run in parallel to other tasks which depend on the complete
297# image, instead of blocking those other tasks
298# - meta-swupd helper images do not need to be analysed and won't be
299# because nothing depends on their "do_build" task, only on
300# do_image_complete
301python () {
302 if bb.data.inherits_class('image', d):
303 bb.build.addtask('do_analyse_image', 'do_build', 'do_image_complete', d)
304}
305
306python isafwreport_handler () {
307
308 import shutil
309
310 logdir = e.data.getVar('ISAFW_LOGDIR', True)
311 if os.path.exists(os.path.dirname(logdir+"/test")):
312 shutil.rmtree(logdir)
313 os.makedirs(os.path.dirname(logdir+"/test"))
314
315}
316addhandler isafwreport_handler
317isafwreport_handler[eventmask] = "bb.event.BuildStarted"
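Review bot: `do_rootfs[depends] += "checksec-native:do_populate_sysroot ..."` and `do_build[depends] += "cve-update-db-native:do_fetch ..."` were this class's only hooks into other recipes, and checksec_1.5-1.bb is removed in the same commit; please confirm nothing else in meta-security still references `checksec-native` or any `ISAFW_*` variable, since a stale dependency on a deleted recipe only surfaces at build time, not at parse time. One detail that supports removing rather than keeping the class: the plugin filter parsing `isafw_config.plugin_whitelist = re.split(r'[,\s]*', whitelist)` uses a pattern that can match the empty string, and on Python 3.7 and later `re.split` then splits between every character, so `ISAFW_PLUGINS_WHITELIST`/`ISAFW_PLUGINS_BLACKLIST` (and the `ISAFW_LA_PLUGIN_IMAGE_*` lists parsed the same way) could never match a plugin name; that code had evidently not been exercised for some time.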
diff --git a/meta-security-isafw/conf/layer.conf b/meta-security-isafw/conf/layer.conf
deleted file mode 100644
index 550cced..0000000
--- a/meta-security-isafw/conf/layer.conf
+++ /dev/null
@@ -1,17 +0,0 @@
1# We have a conf and classes directory, add to BBPATH
2BBPATH .= ":${LAYERDIR}"
3
4# We have recipes-* directories, add to BBFILES
5BBFILES += "${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
6
7BBFILE_COLLECTIONS += "security-isafw"
8BBFILE_PATTERN_security-isafw = "^${LAYERDIR}/"
9BBFILE_PRIORITY_security-isafw = "6"
10
11# This should only be incremented on significant changes that will
12# cause compatibility issues with other layers
13LAYERVERSION_security-isafw = "1"
14
15LAYERDEPENDS_security-isafw = "core"
16
17LAYERSERIES_COMPAT_security-isafw = "mickledore"
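Review bot: `LAYERSERIES_COMPAT_security-isafw = "mickledore"` shows the layer was still declared compatible with the mickledore series at the time of removal, so this is a hard drop rather than a deprecation cycle; the commit message should record which release branch last shipped meta-security-isafw so users pinning an older branch know where the layer can still be found.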
diff --git a/meta-security-isafw/lib/isafw/__init__.py b/meta-security-isafw/lib/isafw/__init__.py
deleted file mode 100644
index 50527fb..0000000
--- a/meta-security-isafw/lib/isafw/__init__.py
+++ /dev/null
@@ -1,40 +0,0 @@
1#
2# __init__.py - part of ISA FW
3#
4# Copyright (c) 2015 - 2016, Intel Corporation
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions are met:
8#
9# * Redistributions of source code must retain the above copyright notice,
10# this list of conditions and the following disclaimer.
11# * Redistributions in binary form must reproduce the above copyright
12# notice, this list of conditions and the following disclaimer in the
13# documentation and/or other materials provided with the distribution.
14# * Neither the name of Intel Corporation nor the names of its contributors
15# may be used to endorse or promote products derived from this software
16# without specific prior written permission.
17#
18# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
22# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
29"""isafw
30
31Current Contents:
32
33* isafw.py - main class
34* plugins - ISA plugins
35* plugins/configs - configuration data for the plugins
36"""
37
38__all__ = [
39 'isafw',
40]
diff --git a/meta-security-isafw/lib/isafw/isafw.py b/meta-security-isafw/lib/isafw/isafw.py
deleted file mode 100644
index a1a76b8..0000000
--- a/meta-security-isafw/lib/isafw/isafw.py
+++ /dev/null
@@ -1,158 +0,0 @@
1#
2# isafw.py - Main classes for ISA FW
3#
4# Copyright (c) 2015 - 2016, Intel Corporation
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions are met:
8#
9# * Redistributions of source code must retain the above copyright notice,
10# this list of conditions and the following disclaimer.
11# * Redistributions in binary form must reproduce the above copyright
12# notice, this list of conditions and the following disclaimer in the
13# documentation and/or other materials provided with the distribution.
14# * Neither the name of Intel Corporation nor the names of its contributors
15# may be used to endorse or promote products derived from this software
16# without specific prior written permission.
17#
18# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
22# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
29from __future__ import absolute_import, print_function
30
31import sys
32import traceback
33try:
34 # absolute import
35 import isafw.isaplugins as isaplugins
36except ImportError:
37 # relative import when installing as separate modules
38 import isaplugins
39try:
40 from bb import error
41except ImportError:
42 error = print
43
44__all__ = [
45 'ISA_package',
46 'ISA_pkg_list',
47 'ISA_kernel',
48 'ISA_filesystem',
49 'ISA_config',
50 'ISA',
51]
52
53# classes for representing objects for ISA plugins
54
55# source package
56
57
58class ISA_package:
59 # pkg name (mandatory argument)
60 name = ""
61 # full version (mandatory argument)
62 version = ""
63 licenses = [] # list of licences for all subpackages
64 aliases = [] # list of alias names for packages if exist
65 source_files = [] # list of strings of source files
66 patch_files = [] # list of patch files to be applied
67 path_to_sources = "" # path to the source files
68
69# package list
70
71
72class ISA_pkg_list:
73 # image name (mandatory argument)
74 img_name = ""
75 # path to the pkg list file (mandatory argument)
76 path_to_list = ""
77
78# kernel
79
80
81class ISA_kernel:
82 # image name (mandatory argument)
83 img_name = ""
84 # path to the kernel config file (mandatory argument)
85 path_to_config = ""
86
87# filesystem
88
89
90class ISA_filesystem:
91 # image name (mandatory argument)
92 img_name = ""
93 type = "" # filesystem type
94 # path to the fs location (mandatory argument)
95 path_to_fs = ""
96
97# configuration of ISAFW
98# if both whitelist and blacklist is empty, all avaliable plugins will be used
99# if whitelist has entries, then only whitelisted plugins will be used from a set of avaliable plugins
100# if blacklist has entries, then the specified plugins won't be used even
101# if avaliable and even if specified in whitelist
102
103
104class ISA_config:
105 plugin_whitelist = "" # comma separated list of plugins to whitelist
106 plugin_blacklist = "" # comma separated list of plugins to blacklist
107 cacert = None # If set, a CA certificate file that replaces the system default one
108 reportdir = "" # location of produced reports
109 logdir = "" # location of produced logs
110 timestamp = "" # timestamp of the build provided by build system
111 full_reports = False # produce full reports for plugins, False by default
112 machine = "" # name of machine build is produced for
113 la_plugin_image_whitelist = ""# whitelist of images for violating license checks
114 la_plugin_image_blacklist = ""# blacklist of images for violating license checks
115 arch = "" # target architecture
116
117class ISA:
118 def call_plugins(self, methodname, *parameters, **keywords):
119 for name in isaplugins.__all__:
120 plugin = getattr(isaplugins, name)
121 method = getattr(plugin, methodname, None)
122 if not method:
123 # Not having init() is an error, everything else is optional.
124 if methodname == "init":
125 error("No init() defined for plugin %s.\n"
126 "Skipping this plugin." %
127 (methodname, plugin.getPluginName()))
128 continue
129 if self.ISA_config.plugin_whitelist and plugin.getPluginName() not in self.ISA_config.plugin_whitelist:
130 continue
131 if self.ISA_config.plugin_blacklist and plugin.getPluginName() in self.ISA_config.plugin_blacklist:
132 continue
133 try:
134 method(*parameters, **keywords)
135 except:
136 error("Exception in plugin %s %s():\n%s" %
137 (plugin.getPluginName(),
138 methodname,
139 traceback.format_exc()))
140
141 def __init__(self, ISA_config):
142 self.ISA_config = ISA_config
143 self.call_plugins("init", ISA_config)
144
145 def process_package(self, ISA_package):
146 self.call_plugins("process_package", ISA_package)
147
148 def process_pkg_list(self, ISA_pkg_list):
149 self.call_plugins("process_pkg_list", ISA_pkg_list)
150
151 def process_kernel(self, ISA_kernel):
152 self.call_plugins("process_kernel", ISA_kernel)
153
154 def process_filesystem(self, ISA_filesystem):
155 self.call_plugins("process_filesystem", ISA_filesystem)
156
157 def process_report(self):
158 self.call_plugins("process_report")
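Review bot: the missing-`init()` path in `call_plugins` is itself broken: `error("No init() defined for plugin %s.\nSkipping this plugin." % (methodname, plugin.getPluginName()))` supplies two arguments to a format string with one `%s` and would raise `TypeError` instead of reporting the plugin, and the bare `except:` around `method(*parameters, **keywords)` swallows every exception, including `KeyboardInterrupt`, and downgrades it to a log line. Irrelevant once the file is gone, but anyone keeping a private fork of the archived isafw code should fix both.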
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
deleted file mode 100644
index daecba1..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_cfa_plugin.py
+++ /dev/null
@@ -1,392 +0,0 @@
1#
2# ISA_cfa_plugin.py - Compile flag analyzer plugin, part of ISA FW
3# Main functionality is based on build_comp script from Clear linux project
4#
5# Copyright (c) 2015 - 2016, Intel Corporation
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions are met:
9#
10# * Redistributions of source code must retain the above copyright notice,
11# this list of conditions and the following disclaimer.
12# * Redistributions in binary form must reproduce the above copyright
13# notice, this list of conditions and the following disclaimer in the
14# documentation and/or other materials provided with the distribution.
15# * Neither the name of Intel Corporation nor the names of its contributors
16# may be used to endorse or promote products derived from this software
17# without specific prior written permission.
18#
19# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
23# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29
30import subprocess
31import os
32import sys
33import re
34import copy
35try:
36 from lxml import etree
37except ImportError:
38 try:
39 import xml.etree.cElementTree as etree
40 except ImportError:
41 import xml.etree.ElementTree as etree
42
43
44CFChecker = None
45
46
47class ISA_CFChecker():
48 initialized = False
49 no_relro = []
50 partial_relro = []
51 no_canary = []
52 no_pie = []
53 execstack = []
54 execstack_not_defined = []
55 nodrop_groups = []
56 no_mpx = []
57
58 def __init__(self, ISA_config):
59 self.logfile = ISA_config.logdir + "/isafw_cfalog"
60 self.full_report_name = ISA_config.reportdir + "/cfa_full_report_" + \
61 ISA_config.machine + "_" + ISA_config.timestamp
62 self.problems_report_name = ISA_config.reportdir + \
63 "/cfa_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
64 self.full_reports = ISA_config.full_reports
65 self.ISA_filesystem = ""
66 # check that checksec and other tools are installed
67 tools_errors = _check_tools()
68 if tools_errors:
69 with open(self.logfile, 'w') as flog:
70 flog.write(tools_errors)
71 return
72 self.initialized = True
73 with open(self.logfile, 'w') as flog:
74 flog.write("\nPlugin ISA_CFChecker initialized!\n")
75 return
76
77 def process_filesystem(self, ISA_filesystem):
78 self.ISA_filesystem = ISA_filesystem
79 fs_path = self.ISA_filesystem.path_to_fs
80 img_name = self.ISA_filesystem.img_name
81 if (self.initialized):
82 if (img_name and fs_path):
83 with open(self.logfile, 'a') as flog:
84 flog.write("\n\nFilesystem path is: " + fs_path)
85 if self.full_reports:
86 with open(self.full_report_name + "_" + img_name, 'w') as ffull_report:
87 ffull_report.write(
88 "Security-relevant flags for executables for image: " + img_name + '\n')
89 ffull_report.write("With rootfs location at " + fs_path + "\n\n")
90 files = self.find_files(fs_path)
91 import multiprocessing
92 pool = multiprocessing.Pool()
93 results = pool.imap(process_file_wrapper, files)
94 pool.close()
95 pool.join()
96 self.process_results(results)
97 else:
98 with open(self.logfile, 'a') as flog:
99 flog.write(
100 "Mandatory arguments such as image name and path to the filesystem are not provided!\n")
101 flog.write("Not performing the call.\n")
102 else:
103 with open(self.logfile, 'a') as flog:
104 flog.write("Plugin hasn't initialized! Not performing the call.\n")
105
106 def process_results(self, results):
107 fs_path = self.ISA_filesystem.path_to_fs
108 for result in results:
109 if not result:
110 with open(self.logfile, 'a') as flog:
111 flog.write("\nError in returned result")
112 continue
113 with open(self.logfile, 'a') as flog:
114 flog.write("\n\nFor file: " + str(result[0]) + "\nlog is: " + str(result[5]))
115 if result[1]:
116 with open(self.logfile, 'a') as flog:
117 flog.write("\n\nsec_field: " + str(result[1]))
118 if "No RELRO" in result[1]:
119 self.no_relro.append(result[0].replace(fs_path, ""))
120 elif "Partial RELRO" in result[1]:
121 self.partial_relro.append(result[0].replace(fs_path, ""))
122 if "No canary found" in result[1]:
123 self.no_canary.append(result[0].replace(fs_path, ""))
124 if "No PIE" in result[1]:
125 self.no_pie.append(result[0].replace(fs_path, ""))
126 if result[2]:
127 if result[2] == "execstack":
128 self.execstack.append(result[0].replace(fs_path, ""))
129 elif result[2] == "not_defined":
130 self.execstack_not_defined.append(result[0].replace(fs_path, ""))
131 if result[3] and (result[3] == True):
132 self.nodrop_groups.append(result[0].replace(fs_path, ""))
133 if result[4] and (result[4] == True):
134 self.no_mpx.append(result[0].replace(fs_path, ""))
135 self.write_full_report(result)
136 self.write_report()
137 self.write_report_xml()
138
139 def write_full_report(self, result):
140 if not self.full_reports:
141 return
142 fs_path = self.ISA_filesystem.path_to_fs
143 img_name = self.ISA_filesystem.img_name
144 with open(self.full_report_name + "_" + img_name, 'a') as ffull_report:
145 ffull_report.write('\nFile: ' + result[0].replace(fs_path, ""))
146 ffull_report.write('\nsecurity flags: ' + str(result[1]))
147 ffull_report.write('\nexecstack: ' + str(result[2]))
148 ffull_report.write('\nnodrop_groups: ' + str(result[3]))
149 ffull_report.write('\nno mpx: ' + str(result[4]))
150 ffull_report.write('\n')
151
152 def write_report(self):
153 fs_path = self.ISA_filesystem.path_to_fs
154 img_name = self.ISA_filesystem.img_name
155 with open(self.problems_report_name + "_" + img_name, 'w') as fproblems_report:
156 fproblems_report.write("Report for image: " + img_name + '\n')
157 fproblems_report.write("With rootfs location at " + fs_path + "\n\n")
158 fproblems_report.write("Relocation Read-Only\n")
159 fproblems_report.write("More information about RELRO and how to enable it:")
160 fproblems_report.write(
161 " http://tk-blog.blogspot.de/2009/02/relro-not-so-well-known-memory.html\n")
162 fproblems_report.write("Files with no RELRO:\n")
163 for item in self.no_relro:
164 fproblems_report.write(item + '\n')
165 fproblems_report.write("Files with partial RELRO:\n")
166 for item in self.partial_relro:
167 fproblems_report.write(item + '\n')
168 fproblems_report.write("\n\nStack protection\n")
169 fproblems_report.write(
170 "More information about canary stack protection and how to enable it:")
171 fproblems_report.write("https://lwn.net/Articles/584225/ \n")
172 fproblems_report.write("Files with no canary:\n")
173 for item in self.no_canary:
174 fproblems_report.write(item + '\n')
175 fproblems_report.write("\n\nPosition Independent Executable\n")
176 fproblems_report.write("More information about PIE protection and how to enable it:")
177 fproblems_report.write(
178 "https://securityblog.redhat.com/2012/11/28/position-independent-executables-pie/\n")
179 fproblems_report.write("Files with no PIE:\n")
180 for item in self.no_pie:
181 fproblems_report.write(item + '\n')
182 fproblems_report.write("\n\nNon-executable stack\n")
183 fproblems_report.write("Files with executable stack enabled:\n")
184 for item in self.execstack:
185 fproblems_report.write(item + '\n')
186 fproblems_report.write("\n\nFiles with no ability to fetch executable stack status:\n")
187 for item in self.execstack_not_defined:
188 fproblems_report.write(item + '\n')
189 fproblems_report.write("\n\nGrop initialization:\n")
190 fproblems_report.write(
191 "If using setuid/setgid calls in code, one must call initgroups or setgroups\n")
192 fproblems_report.write(
193 "Files that don't initialize groups while using setuid/setgid:\n")
194 for item in self.nodrop_groups:
195 fproblems_report.write(item + '\n')
196 fproblems_report.write("\n\nMemory Protection Extensions\n")
197 fproblems_report.write("More information about MPX protection and how to enable it:")
198 fproblems_report.write(
199 "https://software.intel.com/sites/default/files/managed/9d/f6/Intel_MPX_EnablingGuide.pdf\n")
200 fproblems_report.write("Files that don't have MPX protection enabled:\n")
201 for item in self.no_mpx:
202 fproblems_report.write(item + '\n')
203
204 def write_report_xml(self):
205 numTests = len(self.no_relro) + len(self.partial_relro) + len(self.no_canary) + len(self.no_pie) + \
206 len(self.execstack) + len(self.execstack_not_defined) + \
207 len(self.nodrop_groups) + len(self.no_mpx)
208 root = etree.Element('testsuite', name='ISA_CFChecker', tests=str(numTests))
209 if self.no_relro:
210 for item in self.no_relro:
211 tcase1 = etree.SubElement(
212 root, 'testcase', classname='files_with_no_RELRO', name=item)
213 etree.SubElement(tcase1, 'failure', message=item, type='violation')
214 if self.partial_relro:
215 for item in self.partial_relro:
216 tcase1 = etree.SubElement(
217 root, 'testcase', classname='files_with_partial_RELRO', name=item)
218 etree.SubElement(tcase1, 'failure', message=item, type='violation')
219 if self.no_canary:
220 for item in self.no_canary:
221 tcase2 = etree.SubElement(
222 root, 'testcase', classname='files_with_no_canary', name=item)
223 etree.SubElement(tcase2, 'failure', message=item, type='violation')
224 if self.no_pie:
225 for item in self.no_pie:
226 tcase3 = etree.SubElement(
227 root, 'testcase', classname='files_with_no_PIE', name=item)
228 etree.SubElement(tcase3, 'failure', message=item, type='violation')
229 if self.execstack:
230 for item in self.execstack:
231 tcase5 = etree.SubElement(
232 root, 'testcase', classname='files_with_execstack', name=item)
233 etree.SubElement(tcase5, 'failure', message=item, type='violation')
234 if self.execstack_not_defined:
235 for item in self.execstack_not_defined:
236 tcase6 = etree.SubElement(
237 root, 'testcase', classname='files_with_execstack_not_defined', name=item)
238 etree.SubElement(tcase6, 'failure', message=item, type='violation')
239 if self.nodrop_groups:
240 for item in self.nodrop_groups:
241 tcase7 = etree.SubElement(
242 root, 'testcase', classname='files_with_nodrop_groups', name=item)
243 etree.SubElement(tcase7, 'failure', message=item, type='violation')
244 if self.no_mpx:
245 for item in self.no_mpx:
246 tcase8 = etree.SubElement(
247 root, 'testcase', classname='files_with_no_mpx', name=item)
248 etree.SubElement(tcase8, 'failure', message=item, type='violation')
249 tree = etree.ElementTree(root)
250 output = self.problems_report_name + "_" + self.ISA_filesystem.img_name + '.xml'
251 try:
252 tree.write(output, encoding='UTF-8', pretty_print=True, xml_declaration=True)
253 except TypeError:
254 tree.write(output, encoding='UTF-8', xml_declaration=True)
255
256 def find_files(self, init_path):
257 list_of_files = []
258 for (dirpath, dirnames, filenames) in os.walk(init_path):
259 for f in filenames:
260 list_of_files.append(str(dirpath + "/" + f)[:])
261 return list_of_files
262
263
264def _check_tools():
265
266 def _is_in_path(executable):
267 "Check for presence of executable in PATH"
268 for path in os.environ["PATH"].split(os.pathsep):
269 path = path.strip('"')
270 if (os.path.isfile(os.path.join(path, executable)) and
271 os.access(os.path.join(path, executable), os.X_OK)):
272 return True
273 return False
274
275 tools = {
276 "checksec.sh": "Please install checksec from http://www.trapkit.de/tools/checksec.html\n",
277 "execstack": "Please install execstack from prelink package\n",
278 "readelf": "Please install binutils\n",
279 "objdump": "Please install binutils\n",
280 }
281 output = ""
282 for tool in tools:
283 if not _is_in_path(tool):
284 output += tools[tool]
285 return output
286
287
288def get_info(tool, args, file_name):
289 env = copy.deepcopy(os.environ)
290 env['PSEUDO_UNLOAD'] = "1"
291 cmd = [tool, args, file_name]
292 with open(os.devnull, 'wb') as DEVNULL:
293 try:
294 result = subprocess.check_output(cmd, stderr=DEVNULL, env=env).decode('utf-8')
295 except:
296 return ""
297 else:
298 return result
299
300def get_security_flags(file_name):
301 env = copy.deepcopy(os.environ)
302 env['PSEUDO_UNLOAD'] = "1"
303 cmd = ['checksec.sh', '--file', file_name]
304 try:
305 result = subprocess.check_output(cmd, env=env).decode('utf-8').splitlines()[1]
306 except:
307 return "Not able to fetch flags"
308 else:
309 # remove ansi escape color sequences
310 result = re.sub(r'\x1b[^m]*m', '', result)
311 return re.split(r' {2,}', result)[:-1]
312
313
314def process_file(file):
315 log = "File from map " + file
316 fun_results = [file, [], "", False, False, log]
317 if not os.path.isfile(file):
318 return fun_results
319 env = copy.deepcopy(os.environ)
320 env['PSEUDO_UNLOAD'] = "1"
321 # getting file type
322 cmd = ['file', '--mime-type', file]
323 try:
324 result = subprocess.check_output(cmd, env=env).decode('utf-8')
325 except:
326 fun_results[-1] += "\nNot able to decode mime type"
327 return fun_results
328 file_type = result.split()[-1]
329 # looking for links
330 if "symlink" in file_type:
331 file = os.path.realpath(file)
332 cmd = ['file', '--mime-type', file]
333 try:
334 result = subprocess.check_output(cmd, env=env).decode('utf-8')
335 except:
336 fun_results[-1] += "\nNot able to decode mime type"
337 return fun_results
338 file_type = result.split()[-1]
339 # checking security flags if applies
340 if "application" not in file_type:
341 return fun_results
342 fun_results[-1] += "\nFile type: " + file_type
343 if (("octet-stream" in file_type) or ("dosexec" in file_type) or
344 ("archive" in file_type) or ("xml" in file_type) or
345 ("gzip" in file_type) or ("postscript" in file_type) or
346 ("pdf" in file_type)):
347 return fun_results
348 fun_results[1] = get_security_flags(file)
349 tmp = get_info("execstack", '-q', file)
350 if tmp.startswith("X "):
351 fun_results[2] = "execstack"
352 elif tmp.startswith("? "):
353 fun_results[2] = "not_defined"
354 tmp = get_info("readelf", '-s', file)
355 if ("setgid@GLIBC" in tmp) or ("setegid@GLIBC" in tmp) or ("setresgid@GLIBC" in tmp):
356 if ("setuid@GLIBC" in tmp) or ("seteuid@GLIBC" in tmp) or ("setresuid@GLIBC" in tmp):
357 if ("setgroups@GLIBC" not in tmp) and ("initgroups@GLIBC" not in tmp):
358 fun_results[3] = True
359 tmp = get_info("objdump", '-d', file)
360 if ("bndcu" not in tmp) and ("bndcl" not in tmp) and ("bndmov" not in tmp):
361 fun_results[4] = True
362 return fun_results
363
364def process_file_wrapper(file):
365 # Ensures that exceptions get logged with the original backtrace.
366 # Without this, they appear with a backtrace rooted in
367 # the code which transfers back the result to process_results().
368 try:
369 return process_file(file)
370 except:
371 from isafw import isafw
372 import traceback
373 isafw.error('Internal error:\n%s' % traceback.format_exc())
374 raise
375
376# ======== supported callbacks from ISA ============ #
377
378
379def init(ISA_config):
380 global CFChecker
381 CFChecker = ISA_CFChecker(ISA_config)
382
383
384def getPluginName():
385 return "ISA_CFChecker"
386
387
388def process_filesystem(ISA_filesystem):
389 global CFChecker
390 return CFChecker.process_filesystem(ISA_filesystem)
391
392# =================================================== #
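Review bot: nothing blocks removing this file, but two defects are worth recording so the plugin is not carried forward as-is. In `process_file`, a binary is added to `no_mpx` whenever the `objdump -d` output contains none of `bndcu`/`bndcl`/`bndmov`; there is no architecture gate, so on any non-x86 rootfs every ELF ends up in the "Files that don't have MPX protection enabled" section of the report, which also means a full disassembly of every binary is produced for nothing. Second, `process_results` and `write_full_report` trim the rootfs prefix with `result[0].replace(fs_path, "")`, which removes every occurrence of the path string rather than only the leading one; `os.path.relpath(result[0], fs_path)` is the safe form. The bare `except:` in `get_info` and `get_security_flags` also swallows `KeyboardInterrupt`, so a hung `checksec.sh` cannot be interrupted cleanly from the pool worker.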
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py
deleted file mode 100644
index 268aa45..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_cve_plugin.py
+++ /dev/null
@@ -1,217 +0,0 @@
1#
2# ISA_cve_plugin.py - CVE checker plugin, part of ISA FW
3#
4# Copyright (c) 2015 - 2016, Intel Corporation
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions are met:
8#
9# * Redistributions of source code must retain the above copyright notice,
10# this list of conditions and the following disclaimer.
11# * Redistributions in binary form must reproduce the above copyright
12# notice, this list of conditions and the following disclaimer in the
13# documentation and/or other materials provided with the distribution.
14# * Neither the name of Intel Corporation nor the names of its contributors
15# may be used to endorse or promote products derived from this software
16# without specific prior written permission.
17#
18# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
22# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
29import subprocess
30import os, sys
31import re
32
33CVEChecker = None
34pkglist = "/cve_check_tool_pkglist"
35
36
37class ISA_CVEChecker:
38 initialized = False
39
40 def __init__(self, ISA_config):
41 self.cacert = ISA_config.cacert
42 self.reportdir = ISA_config.reportdir
43 self.timestamp = ISA_config.timestamp
44 self.logfile = ISA_config.logdir + "/isafw_cvelog"
45 self.report_name = ISA_config.reportdir + "/cve_report_" + \
46 ISA_config.machine + "_" + ISA_config.timestamp
47 self.initialized = True
48 with open(self.logfile, 'a') as flog:
49 flog.write("\nPlugin ISA_CVEChecker initialized!\n")
50 output = ""
51 # check that cve-check-tool is installed
52
53 def process_package(self, ISA_pkg):
54 if (self.initialized):
55 if (ISA_pkg.name and ISA_pkg.version and ISA_pkg.patch_files):
56 alias_pkgs_faux = []
57 # need to compose faux format line for cve-check-tool
58 cve_patch_info = self.process_patch_list(ISA_pkg.patch_files)
59 pkgline_faux = ISA_pkg.name + "," + ISA_pkg.version + "," + cve_patch_info + ",\n"
60 if ISA_pkg.aliases:
61 for a in ISA_pkg.aliases:
62 alias_pkgs_faux.append(
63 a + "," + ISA_pkg.version + "," + cve_patch_info + ",\n")
64 pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
65 with open(self.reportdir + pkglist_faux, 'a') as fauxfile:
66 fauxfile.write(pkgline_faux)
67 for a in alias_pkgs_faux:
68 fauxfile.write(a)
69
70 with open(self.logfile, 'a') as flog:
71 flog.write("\npkg info: " + pkgline_faux)
72 else:
73 self.initialized = False
74 with open(self.logfile, 'a') as flog:
75 flog.write(
76 "Mandatory arguments such as pkg name, version and list of patches are not provided!\n")
77 flog.write("Not performing the call.\n")
78 else:
79 with open(self.logfile, 'a') as flog:
80 flog.write(
81 "Plugin hasn't initialized! Not performing the call.\n")
82
83 def process_report(self):
84 if not os.path.isfile(self.reportdir + pkglist + "_" + self.timestamp + ".faux"):
85 return
86 if (self.initialized):
87 with open(self.logfile, 'a') as flog:
88 flog.write("Creating report in HTML format.\n")
89 result = self.process_report_type("html")
90
91 with open(self.logfile, 'a') as flog:
92 flog.write("Creating report in CSV format.\n")
93 result = self.process_report_type("csv")
94
95 pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
96 os.remove(self.reportdir + pkglist_faux)
97
98 with open(self.logfile, 'a') as flog:
99 flog.write("Creating report in XML format.\n")
100 self.write_report_xml(result)
101
102 def write_report_xml(self, result):
103 try:
104 from lxml import etree
105 except ImportError:
106 try:
107 import xml.etree.cElementTree as etree
108 except ImportError:
109 import xml.etree.ElementTree as etree
110 num_tests = 0
111 root = etree.Element('testsuite', name='CVE_Plugin', tests='1')
112
113 if result :
114 num_tests = 1
115 tcase = etree.SubElement(
116 root, 'testcase', classname='ISA_CVEChecker', name="Error in cve-check-tool")
117 etree.SubElement( tcase, 'failure', message=result, type='violation')
118 else:
119 with open(self.report_name + ".csv", 'r') as f:
120 for line in f:
121 num_tests += 1
122 line = line.strip()
123 line_sp = line.split(',', 2)
124 if (len(line_sp) >= 3) and (line_sp[2].startswith('CVE')):
125 tcase = etree.SubElement(
126 root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
127 etree.SubElement(
128 tcase, 'failure', message=line, type='violation')
129 else:
130 tcase = etree.SubElement(
131 root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
132
133 root.set('tests', str(num_tests))
134 tree = etree.ElementTree(root)
135 output = self.report_name + '.xml'
136 try:
137 tree.write(output, encoding='UTF-8',
138 pretty_print=True, xml_declaration=True)
139 except TypeError:
140 tree.write(output, encoding='UTF-8', xml_declaration=True)
141
142 def process_report_type(self, rtype):
143 # now faux file is ready and we can process it
144 args = ""
145 result = ""
146 tool_stderr_value = ""
147 args += "cve-check-tool "
148 if self.cacert:
149 args += "--cacert '%s' " % self.cacert
150 if rtype != "html":
151 args += "-c "
152 rtype = "csv"
153 pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
154 args += "-a -t faux '" + self.reportdir + pkglist_faux + "'"
155 with open(self.logfile, 'a') as flog:
156 flog.write("Args: " + args)
157 try:
158 popen = subprocess.Popen(
159 args, shell=True, env=os.environ, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
160 result = popen.communicate()
161 except:
162 tool_stderr_value = "Error in executing cve-check-tool" + str(sys.exc_info())
163 with open(self.logfile, 'a') as flog:
164 flog.write("Error in executing cve-check-tool: " +
165 str(sys.exc_info()))
166 else:
167 stdout_value = result[0]
168 tool_stderr_value = result[1].decode('utf-8')
169 if not tool_stderr_value and popen.returncode == 0:
170 report = self.report_name + "." + rtype
171 with open(report, 'wb') as freport:
172 freport.write(stdout_value)
173 else:
174 tool_stderr_value = tool_stderr_value + \
175 "\ncve-check-tool terminated with exit code " + str(popen.returncode)
176 return tool_stderr_value
177
178 def process_patch_list(self, patch_files):
179 patch_info = ""
180 for patch in patch_files:
181 patch1 = patch.partition("cve")
182 if (patch1[0] == patch):
183 # no cve substring, try CVE
184 patch1 = patch.partition("CVE")
185 if (patch1[0] == patch):
186 continue
187 patchstripped = patch1[2].split('-')
188 try:
189 patch_info += " CVE-" + \
190 patchstripped[1] + "-" + re.findall('\d+', patchstripped[2])[0]
191 except IndexError:
192 # string parsing attempt failed, so just skip this patch
193 continue
194 return patch_info
195
196# ======== supported callbacks from ISA ============= #
197
198
199def init(ISA_config):
200 global CVEChecker
201 CVEChecker = ISA_CVEChecker(ISA_config)
202
203
204def getPluginName():
205 return "ISA_CVEChecker"
206
207
208def process_package(ISA_pkg):
209 global CVEChecker
210 return CVEChecker.process_package(ISA_pkg)
211
212
213def process_report():
214 global CVEChecker
215 return CVEChecker.process_report()
216
217# ==================================================== #
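Review bot: one logic problem in `process_package` should not survive into any replacement: the guard `if (ISA_pkg.name and ISA_pkg.version and ISA_pkg.patch_files)` is false for a package with an empty patch list, and the `else` branch then sets `self.initialized = False`, so a single patch-less package silently disables CVE checking for every package processed after it. A package without patches should simply produce a faux line with an empty CVE field. Two smaller points in `process_report_type` and `process_report`: the command line is assembled as a string and run with `shell=True`, with `self.cacert` and the faux-file path only single-quoted, so a report directory containing a quote or other shell metacharacter breaks the invocation (passing an argument list to `Popen` without `shell=True` avoids it); and `result = self.process_report_type("html")` is overwritten by the csv run, so a failure affecting only the html report never reaches `write_report_xml`. Finally, `re.findall('\d+', ...)` in `process_patch_list` uses a non-raw string with `\d`, which newer Python releases warn about; it should be `r'\d+'`.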
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py
deleted file mode 100644
index 0909756..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_fsa_plugin.py
+++ /dev/null
@@ -1,185 +0,0 @@
1#
2# ISA_fsa_plugin.py - Filesystem analyser plugin, part of ISA FW
3#
4# Copyright (c) 2015 - 2016, Intel Corporation
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions are met:
8#
9# * Redistributions of source code must retain the above copyright notice,
10# this list of conditions and the following disclaimer.
11# * Redistributions in binary form must reproduce the above copyright
12# notice, this list of conditions and the following disclaimer in the
13# documentation and/or other materials provided with the distribution.
14# * Neither the name of Intel Corporation nor the names of its contributors
15# may be used to endorse or promote products derived from this software
16# without specific prior written permission.
17#
18# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
22# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28import os
29from stat import *
30try:
31 from lxml import etree
32except ImportError:
33 try:
34 import xml.etree.cElementTree as etree
35 except ImportError:
36 import xml.etree.ElementTree as etree
37
38
39FSAnalyzer = None
40
41
42class ISA_FSChecker():
43 initialized = False
44
45 def __init__(self, ISA_config):
46 self.logfile = ISA_config.logdir + "/isafw_fsalog"
47 self.full_report_name = ISA_config.reportdir + "/fsa_full_report_" + \
48 ISA_config.machine + "_" + ISA_config.timestamp
49 self.problems_report_name = ISA_config.reportdir + \
50 "/fsa_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
51 self.full_reports = ISA_config.full_reports
52 self.initialized = True
53 self.setuid_files = []
54 self.setgid_files = []
55 self.ww_files = []
56 self.no_sticky_bit_ww_dirs = []
57 with open(self.logfile, 'w') as flog:
58 flog.write("\nPlugin ISA_FSChecker initialized!\n")
59
60 def process_filesystem(self, ISA_filesystem):
61 if (self.initialized):
62 if (ISA_filesystem.img_name and ISA_filesystem.path_to_fs):
63 with open(self.logfile, 'a') as flog:
64 flog.write("Analyzing filesystem at: " + ISA_filesystem.path_to_fs +
65 " for the image: " + ISA_filesystem.img_name + "\n")
66 self.files = self.find_fsobjects(ISA_filesystem.path_to_fs)
67 with open(self.logfile, 'a') as flog:
68 flog.write("\nFilelist is: " + str(self.files))
69 if self.full_reports:
70 with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'w') as ffull_report:
71 ffull_report.write(
72 "Report for image: " + ISA_filesystem.img_name + '\n')
73 ffull_report.write(
74 "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n")
75 for f in self.files:
76 st = os.lstat(f)
77 i = f.replace(ISA_filesystem.path_to_fs, "")
78 if self.full_reports:
79 with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'a') as ffull_report:
80 ffull_report.write("File: " + i + ' mode: ' + str(oct(st.st_mode)) +
81 " uid: " + str(st.st_uid) + " gid: " + str(st.st_gid) + '\n')
82 if ((st.st_mode & S_ISUID) == S_ISUID):
83 self.setuid_files.append(i)
84 if ((st.st_mode & S_ISGID) == S_ISGID):
85 self.setgid_files.append(i)
86 if ((st.st_mode & S_IWOTH) == S_IWOTH):
87 if (((st.st_mode & S_IFDIR) == S_IFDIR) and ((st.st_mode & S_ISVTX) != S_ISVTX)):
88 self.no_sticky_bit_ww_dirs.append(i)
89 if (((st.st_mode & S_IFREG) == S_IFREG) and ((st.st_mode & S_IFLNK) != S_IFLNK)):
90 self.ww_files.append(i)
91 self.write_problems_report(ISA_filesystem)
92 self.write_problems_report_xml(ISA_filesystem)
93 else:
94 with open(self.logfile, 'a') as flog:
95 flog.write(
96 "Mandatory arguments such as image name and path to the filesystem are not provided!\n")
97 flog.write("Not performing the call.\n")
98 else:
99 with open(self.logfile, 'a') as flog:
100 flog.write(
101 "Plugin hasn't initialized! Not performing the call.\n")
102
103 def write_problems_report(self, ISA_filesystem):
104 with open(self.problems_report_name + "_" + ISA_filesystem.img_name, 'w') as fproblems_report:
105 fproblems_report.write(
106 "Report for image: " + ISA_filesystem.img_name + '\n')
107 fproblems_report.write(
108 "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n")
109 fproblems_report.write("Files with SETUID bit set:\n")
110 for item in self.setuid_files:
111 fproblems_report.write(item + '\n')
112 fproblems_report.write("\n\nFiles with SETGID bit set:\n")
113 for item in self.setgid_files:
114 fproblems_report.write(item + '\n')
115 fproblems_report.write("\n\nWorld-writable files:\n")
116 for item in self.ww_files:
117 fproblems_report.write(item + '\n')
118 fproblems_report.write(
119 "\n\nWorld-writable dirs with no sticky bit:\n")
120 for item in self.no_sticky_bit_ww_dirs:
121 fproblems_report.write(item + '\n')
122
123 def write_problems_report_xml(self, ISA_filesystem):
124 num_tests = len(self.setuid_files) + len(self.setgid_files) + \
125 len(self.ww_files) + len(self.no_sticky_bit_ww_dirs)
126 root = etree.Element(
127 'testsuite', name='FSA_Plugin', tests=str(num_tests))
128 if self.setuid_files:
129 for item in self.setuid_files:
130 tcase1 = etree.SubElement(
131 root, 'testcase', classname='Files_with_SETUID_bit_set', name=item)
132 etree.SubElement(
133 tcase1, 'failure', message=item, type='violation')
134 if self.setgid_files:
135 for item in self.setgid_files:
136 tcase2 = etree.SubElement(
137 root, 'testacase', classname='Files_with_SETGID_bit_set', name=item)
138 etree.SubElement(
139 tcase2, 'failure', message=item, type='violation')
140 if self.ww_files:
141 for item in self.ww_files:
142 tcase3 = etree.SubElement(
143 root, 'testase', classname='World-writable_files', name=item)
144 etree.SubElement(
145 tcase3, 'failure', message=item, type='violation')
146 if self.no_sticky_bit_ww_dirs:
147 for item in self.no_sticky_bit_ww_dirs:
148 tcase4 = etree.SubElement(
149 root, 'testcase', classname='World-writable_dirs_with_no_sticky_bit', name=item)
150 etree.SubElement(
151 tcase4, 'failure', message=item, type='violation')
152 tree = etree.ElementTree(root)
153 output = self.problems_report_name + "_" + ISA_filesystem.img_name + '.xml'
154 try:
155 tree.write(output, encoding='UTF-8',
156 pretty_print=True, xml_declaration=True)
157 except TypeError:
158 tree.write(output, encoding='UTF-8', xml_declaration=True)
159
160 def find_fsobjects(self, init_path):
161 list_of_files = []
162 for (dirpath, dirnames, filenames) in os.walk(init_path):
163 if (dirpath != init_path):
164 list_of_files.append(str(dirpath)[:])
165 for f in filenames:
166 list_of_files.append(str(dirpath + "/" + f)[:])
167 return list_of_files
168
169# ======== supported callbacks from ISA ============= #
170
171
172def init(ISA_config):
173 global FSAnalyzer
174 FSAnalyzer = ISA_FSChecker(ISA_config)
175
176
177def getPluginName():
178 return "ISA_FSChecker"
179
180
181def process_filesystem(ISA_filesystem):
182 global FSAnalyzer
183 return FSAnalyzer.process_filesystem(ISA_filesystem)
184
185# ==================================================== #
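Review bot: `write_problems_report_xml` has two element-name typos, `'testacase'` for the setgid list and `'testase'` for the world-writable files list, so those two categories are written under unknown tags and a JUnit-style consumer of the XML never shows them, even though they are included in the `tests=` count. If this plugin is ever revived, both should read `'testcase'`. In `process_filesystem`, the file-type classification uses raw bit tests such as `(st.st_mode & S_IFDIR) == S_IFDIR`; the type field is a value, not a bitmask (a block device's `S_IFBLK` has the `S_IFDIR` bit set, and `S_IFSOCK` has both the `S_IFDIR` and `S_IFREG` bits set), so world-writable device nodes and sockets are misclassified. The `S_ISDIR`/`S_ISREG`/`S_ISLNK` helpers already star-imported from `stat` are the correct test.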
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py
deleted file mode 100644
index ba09819..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_kca_plugin.py
+++ /dev/null
@@ -1,323 +0,0 @@
1#
2# ISA_kca_plugin.py - Kernel config options analyzer plugin, part of ISA FW
3#
4# Copyright (c) 2015 - 2016, Intel Corporation
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions are met:
8#
9# * Redistributions of source code must retain the above copyright notice,
10# this list of conditions and the following disclaimer.
11# * Redistributions in binary form must reproduce the above copyright
12# notice, this list of conditions and the following disclaimer in the
13# documentation and/or other materials provided with the distribution.
14# * Neither the name of Intel Corporation nor the names of its contributors
15# may be used to endorse or promote products derived from this software
16# without specific prior written permission.
17#
18# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
22# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
29try:
30 from lxml import etree
31except ImportError:
32 try:
33 import xml.etree.cElementTree as etree
34 except ImportError:
35 import xml.etree.ElementTree as etree
36import importlib
37
38KCAnalyzer = None
39
40
41class ISA_KernelChecker():
42 initialized = False
43
44 def __init__(self, ISA_config):
45 self.logfile = ISA_config.logdir + "/isafw_kcalog"
46 self.full_report_name = ISA_config.reportdir + "/kca_full_report_" + \
47 ISA_config.machine + "_" + ISA_config.timestamp
48 self.problems_report_name = ISA_config.reportdir + \
49 "/kca_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp
50 self.full_reports = ISA_config.full_reports
51 self.initialized = True
52 self.arch = ISA_config.arch
53 with open(self.logfile, 'w') as flog:
54 flog.write("\nPlugin ISA_KernelChecker initialized!\n")
55
56 def append_recommendation(self, report, key, value):
57 report.write("Recommended value:\n")
58 report.write(key + ' : ' + str(value) + '\n')
59 comment = self.comments.get(key, '')
60 if comment != '':
61 report.write("Comment:\n")
62 report.write(comment + '\n')
63
64 def process_kernel(self, ISA_kernel):
65 if (self.initialized):
66 if (ISA_kernel.img_name and ISA_kernel.path_to_config):
67 # Merging common and arch configs
68 common_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format('common'))
69 arch_config_module = importlib.import_module('isafw.isaplugins.configs.kca.{}'.format(self.arch))
70
71 for c in ["hardening_kco", "keys_kco", "security_kco", "integrity_kco",
72 "hardening_kco_ref", "keys_kco_ref", "security_kco_ref", "integrity_kco_ref",
73 "comments"]:
74 setattr(self, c, merge_config(getattr(arch_config_module, c), getattr(common_config_module, c)))
75 with open(self.logfile, 'a') as flog:
76 flog.write("Analyzing kernel config file at: " + ISA_kernel.path_to_config +
77 " for the image: " + ISA_kernel.img_name + "\n")
78 with open(ISA_kernel.path_to_config, 'r') as fkernel_conf:
79 for line in fkernel_conf:
80 line = line.strip('\n')
81 for key in self.hardening_kco:
82 if key + '=' in line:
83 self.hardening_kco[key] = line.split('=')[1]
84 for key in self.keys_kco:
85 if key + '=' in line:
86 self.keys_kco[key] = line.split('=')[1]
87 for key in self.security_kco:
88 if key + '=' in line:
89 self.security_kco[key] = line.split('=')[1]
90 for key in self.integrity_kco:
91 if key + '=' in line:
92 self.integrity_kco[key] = line.split('=')[1]
93 with open(self.logfile, 'a') as flog:
94 flog.write("\n\nhardening_kco values: " +
95 str(self.hardening_kco))
96 flog.write("\n\nkeys_kco values: " + str(self.keys_kco))
97 flog.write("\n\nsecurity_kco values: " +
98 str(self.security_kco))
99 flog.write("\n\nintegrity_kco values: " +
100 str(self.integrity_kco))
101 self.write_full_report(ISA_kernel)
102 self.write_problems_report(ISA_kernel)
103
104 else:
105 with open(self.logfile, 'a') as flog:
106 flog.write(
107 "Mandatory arguments such as image name and path to config are not provided!\n")
108 flog.write("Not performing the call.\n")
109 else:
110 with open(self.logfile, 'a') as flog:
111 flog.write(
112 "Plugin hasn't initialized! Not performing the call!\n")
113
114 def write_full_report(self, ISA_kernel):
115 if self.full_reports:
116 with open(self.full_report_name + "_" + ISA_kernel.img_name, 'w') as freport:
117 freport.write("Report for image: " +
118 ISA_kernel.img_name + '\n')
119 freport.write("With the kernel conf at: " +
120 ISA_kernel.path_to_config + '\n\n')
121 freport.write("Hardening options:\n")
122 for key in sorted(self.hardening_kco):
123 freport.write(
124 key + ' : ' + str(self.hardening_kco[key]) + '\n')
125 freport.write("\nKey-related options:\n")
126 for key in sorted(self.keys_kco):
127 freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n')
128 freport.write("\nSecurity options:\n")
129 for key in sorted(self.security_kco):
130 freport.write(
131 key + ' : ' + str(self.security_kco[key]) + '\n')
132 freport.write("\nIntegrity options:\n")
133 for key in sorted(self.integrity_kco):
134 freport.write(
135 key + ' : ' + str(self.integrity_kco[key]) + '\n')
136
137 def write_problems_report(self, ISA_kernel):
138 self.write_text_problems_report(ISA_kernel)
139 self.write_xml_problems_report(ISA_kernel)
140
141 def write_text_problems_report(self, ISA_kernel):
142 with open(self.problems_report_name + "_" + ISA_kernel.img_name, 'w') as freport:
143 freport.write("Report for image: " + ISA_kernel.img_name + '\n')
144 freport.write("With the kernel conf at: " +
145 ISA_kernel.path_to_config + '\n\n')
146 freport.write("Hardening options that need improvement:\n")
147 for key in sorted(self.hardening_kco):
148 if (self.hardening_kco[key] != self.hardening_kco_ref[key]):
149 valid = False
150 if (key == "CONFIG_CMDLINE"):
151 if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0):
152 valid = True
153 if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"):
154 if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'):
155 valid = True
156 if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"):
157 options = self.hardening_kco_ref[key].split(',')
158 for option in options:
159 if (option == self.hardening_kco[key]):
160 valid = True
161 break
162 if not valid:
163 freport.write("\nActual value:\n")
164 freport.write(
165 key + ' : ' + str(self.hardening_kco[key]) + '\n')
166 self.append_recommendation(freport, key, self.hardening_kco_ref[key])
167 freport.write("\nKey-related options that need improvement:\n")
168 for key in sorted(self.keys_kco):
169 if (self.keys_kco[key] != self.keys_kco_ref[key]):
170 freport.write("\nActual value:\n")
171 freport.write(key + ' : ' + str(self.keys_kco[key]) + '\n')
172 self.append_recommendation(freport, key, self.keys_kco_ref[key])
173 freport.write("\nSecurity options that need improvement:\n")
174 for key in sorted(self.security_kco):
175 if (self.security_kco[key] != self.security_kco_ref[key]):
176 valid = False
177 if (key == "CONFIG_DEFAULT_SECURITY"):
178 options = self.security_kco_ref[key].split(',')
179 for option in options:
180 if (option == self.security_kco[key]):
181 valid = True
182 break
183 if ((key == "CONFIG_SECURITY_SELINUX") or
184 (key == "CONFIG_SECURITY_SMACK") or
185 (key == "CONFIG_SECURITY_APPARMOR") or
186 (key == "CONFIG_SECURITY_TOMOYO")):
187 if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or
188 (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or
189 (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or
190 (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')):
191 valid = True
192 if not valid:
193 freport.write("\nActual value:\n")
194 freport.write(
195 key + ' : ' + str(self.security_kco[key]) + '\n')
196 self.append_recommendation(freport, key, self.security_kco_ref[key])
197 freport.write("\nIntegrity options that need improvement:\n")
198 for key in sorted(self.integrity_kco):
199 if (self.integrity_kco[key] != self.integrity_kco_ref[key]):
200 valid = False
201 if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or
202 (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or
203 (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or
204 (key == "CONFIG_IMA_DEFAULT_HASH_WP512")):
205 if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or
206 (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')):
207 valid = True
208 if not valid:
209 freport.write("\nActual value:\n")
210 freport.write(
211 key + ' : ' + str(self.integrity_kco[key]) + '\n')
212 self.append_recommendation(freport, key, self.integrity_kco_ref[key])
213
214 def write_xml_problems_report(self, ISA_kernel):
215 # write_problems_report_xml
216 num_tests = len(self.hardening_kco) + len(self.keys_kco) + \
217 len(self.security_kco) + len(self.integrity_kco)
218 root = etree.Element(
219 'testsuite', name='KCA_Plugin', tests=str(num_tests))
220 for key in sorted(self.hardening_kco):
221 tcase1 = etree.SubElement(
222 root, 'testcase', classname='Hardening options', name=key)
223 if (self.hardening_kco[key] != self.hardening_kco_ref[key]):
224 valid = False
225 if (key == "CONFIG_CMDLINE"):
226 if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0):
227 valid = True
228 if (key == "CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"):
229 if (self.hardening_kco['CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS'] == 'y'):
230 valid = True
231 if (key == "CONFIG_RANDOMIZE_BASE_MAX_OFFSET"):
232 options = self.hardening_kco_ref[key].split(',')
233 for option in options:
234 if (option == self.hardening_kco[key]):
235 valid = True
236 break
237 if not valid:
238 msg1 = 'current=' + key + ' is ' + \
239 str(self.hardening_kco[
240 key]) + ', recommended=' + key + ' is ' + str(self.hardening_kco_ref[key])
241 etree.SubElement(
242 tcase1, 'failure', message=msg1, type='violation')
243 for key in sorted(self.keys_kco):
244 tcase2 = etree.SubElement(
245 root, 'testcase', classname='Key-related options', name=key)
246 if (self.keys_kco[key] != self.keys_kco_ref[key]):
247 msg2 = 'current=' + key + ' is ' + \
248 str(self.keys_kco[key] + ', recommended=' +
249 key + ' is ' + str(self.keys_kco_ref[key]))
250 etree.SubElement(
251 tcase2, 'failure', message=msg2, type='violation')
252 for key in sorted(self.security_kco):
253 tcase3 = etree.SubElement(
254 root, 'testcase', classname='Security options', name=key)
255 if (self.security_kco[key] != self.security_kco_ref[key]):
256 valid = False
257 if (key == "CONFIG_DEFAULT_SECURITY"):
258 options = self.security_kco_ref[key].split(',')
259 for option in options:
260 if (option == self.security_kco[key]):
261 valid = True
262 break
263 if ((key == "CONFIG_SECURITY_SELINUX") or
264 (key == "CONFIG_SECURITY_SMACK") or
265 (key == "CONFIG_SECURITY_APPARMOR") or
266 (key == "CONFIG_SECURITY_TOMOYO")):
267 if ((self.security_kco['CONFIG_SECURITY_SELINUX'] == 'y') or
268 (self.security_kco['CONFIG_SECURITY_SMACK'] == 'y') or
269 (self.security_kco['CONFIG_SECURITY_APPARMOR'] == 'y') or
270 (self.security_kco['CONFIG_SECURITY_TOMOYO'] == 'y')):
271 valid = True
272 if not valid:
273 msg3 = 'current=' + key + ' is ' + \
274 str(self.security_kco[key]) + ', recommended=' + \
275 key + ' is ' + str(self.security_kco_ref[key])
276 etree.SubElement(
277 tcase3, 'failure', message=msg3, type='violation')
278 for key in sorted(self.integrity_kco):
279 tcase4 = etree.SubElement(
280 root, 'testcase', classname='Integrity options', name=key)
281 if (self.integrity_kco[key] != self.integrity_kco_ref[key]):
282 valid = False
283 if ((key == "CONFIG_IMA_DEFAULT_HASH_SHA1") or
284 (key == "CONFIG_IMA_DEFAULT_HASH_SHA256") or
285 (key == "CONFIG_IMA_DEFAULT_HASH_SHA512") or
286 (key == "CONFIG_IMA_DEFAULT_HASH_WP512")):
287 if ((self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA256'] == 'y') or
288 (self.integrity_kco['CONFIG_IMA_DEFAULT_HASH_SHA512'] == 'y')):
289 valid = True
290 if not valid:
291 msg4 = 'current=' + key + ' is ' + \
292 str(self.integrity_kco[
293 key]) + ', recommended=' + key + ' is ' + str(self.integrity_kco_ref[key])
294 etree.SubElement(
295 tcase4, 'failure', message=msg4, type='violation')
296 tree = etree.ElementTree(root)
297 output = self.problems_report_name + "_" + ISA_kernel.img_name + '.xml'
298 try:
299 tree.write(output, encoding='UTF-8',
300 pretty_print=True, xml_declaration=True)
301 except TypeError:
302 tree.write(output, encoding='UTF-8', xml_declaration=True)
303
304
305def merge_config(arch_kco, common_kco):
306 merged = arch_kco.copy()
307 merged.update(common_kco)
308 return merged
309
310# ======== supported callbacks from ISA ============= #
311def init(ISA_config):
312 global KCAnalyzer
313 KCAnalyzer = ISA_KernelChecker(ISA_config)
314
315
316def getPluginName():
317 return "ISA_KernelChecker"
318
319
320def process_kernel(ISA_kernel):
321 global KCAnalyzer
322 return KCAnalyzer.process_kernel(ISA_kernel)
323# ==================================================== #
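Review bot: `self.hardening_kco[key] = line.split('=')[1]` (and the three identical lines for the other tables) in the removed process_kernel drops everything after the second '=', so a CONFIG_CMDLINE value such as `"console=ttyS0 root=/dev/mmcblk0p2"` was recorded as `"console`; `line.split('=', 1)[1]` keeps the whole value, and `line.startswith(key + '=')` would anchor the match that `key + '=' in line` leaves unanchored. The CONFIG_CMDLINE special case in write_text_problems_report (`if (len(self.hardening_kco['CONFIG_CMDLINE']) > 0):`) was also dead: the unset default in common.py is the non-empty string 'not set', so valid was always True and that option could never be reported. The same special-case chain is duplicated verbatim between the text and XML writers and belongs in one helper. None of this needs fixing in a layer removal; it is recorded so the defects are not carried over if the kernel config checker is ported elsewhere.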
diff --git a/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py b/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
deleted file mode 100644
index 20e7e26..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/ISA_la_plugin.py
+++ /dev/null
@@ -1,273 +0,0 @@
1#
2# ISA_la_plugin.py - License analyzer plugin, part of ISA FW
3# Functionality is based on similar scripts from Clear linux project
4#
5# Copyright (c) 2015 - 2016, Intel Corporation
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions are met:
9#
10# * Redistributions of source code must retain the above copyright notice,
11# this list of conditions and the following disclaimer.
12# * Redistributions in binary form must reproduce the above copyright
13# notice, this list of conditions and the following disclaimer in the
14# documentation and/or other materials provided with the distribution.
15# * Neither the name of Intel Corporation nor the names of its contributors
16# may be used to endorse or promote products derived from this software
17# without specific prior written permission.
18#
19# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
23# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29
30import subprocess
31import os, sys
32
33LicenseChecker = None
34
35flicenses = "/configs/la/licenses"
36fapproved_non_osi = "/configs/la/approved-non-osi"
37fexceptions = "/configs/la/exceptions"
38funwanted = "/configs/la/violations"
39
40
41class ISA_LicenseChecker():
42 initialized = False
43 rpm_present = False
44
45 def __init__(self, ISA_config):
46 self.logfile = ISA_config.logdir + "/isafw_lalog"
47 self.unwanted = []
48 self.report_name = ISA_config.reportdir + "/la_problems_report_" + \
49 ISA_config.machine + "_" + ISA_config.timestamp
50 self.image_pkg_list = ISA_config.reportdir + "/pkglist"
51 self.image_pkgs = []
52 self.la_plugin_image_whitelist = ISA_config.la_plugin_image_whitelist
53 self.la_plugin_image_blacklist = ISA_config.la_plugin_image_blacklist
54 self.initialized = True
55 with open(self.logfile, 'a') as flog:
56 flog.write("\nPlugin ISA_LA initialized!\n")
57 # check that rpm is installed (supporting only rpm packages for now)
58 DEVNULL = open(os.devnull, 'wb')
59 rc = subprocess.call(["which", "rpm"], stdout=DEVNULL, stderr=DEVNULL)
60 DEVNULL.close()
61 if rc == 0:
62 self.rpm_present = True
63 else:
64 with open(self.logfile, 'a') as flog:
65 flog.write("rpm tool is missing! Licence info is expected from build system\n")
66
67 def process_package(self, ISA_pkg):
68 if (self.initialized):
69 if ISA_pkg.name:
70 if (not ISA_pkg.licenses):
71 # need to determine licenses first
72 # for this we need rpm tool to be present
73 if (not self.rpm_present):
74 with open(self.logfile, 'a') as flog:
75 flog.write("rpm tool is missing and licence info is not provided. Cannot proceed.\n")
76 return;
77 if (not ISA_pkg.source_files):
78 if (not ISA_pkg.path_to_sources):
79 self.initialized = False
80 with open(self.logfile, 'a') as flog:
81 flog.write(
82 "No path to sources or source file list is provided!")
83 flog.write(
84 "\nNot able to determine licenses for package: " + ISA_pkg.name)
85 return
86 # need to build list of source files
87 ISA_pkg.source_files = self.find_files(
88 ISA_pkg.path_to_sources)
89 for i in ISA_pkg.source_files:
90 if (i.endswith(".spec")):# supporting rpm only for now
91 args = ("rpm", "-q", "--queryformat",
92 "%{LICENSE} ", "--specfile", i)
93 try:
94 popen = subprocess.Popen(
95 args, stdout=subprocess.PIPE)
96 popen.wait()
97 ISA_pkg.licenses = popen.stdout.read().split()
98 except:
99 self.initialized = False
100 with open(self.logfile, 'a') as flog:
101 flog.write(
102 "Error in executing rpm query: " + str(sys.exc_info()))
103 flog.write(
104 "\nNot able to process package: " + ISA_pkg.name)
105 return
106 for l in ISA_pkg.licenses:
107 if (not self.check_license(l, flicenses) and
108 not self.check_license(l, fapproved_non_osi) and
109 not self.check_exceptions(ISA_pkg.name, l, fexceptions)):
110 # log the package as not following correct license
111 with open(self.report_name, 'a') as freport:
112 freport.write(l + "\n")
113 if (self.check_license(l, funwanted)):
114 # log the package as having license that should not be
115 # used
116 with open(self.report_name + "_unwanted", 'a') as freport:
117 freport.write(l + "\n")
118 else:
119 self.initialized = False
120 with open(self.logfile, 'a') as flog:
121 flog.write(
122 "Mandatory argument package name is not provided!\n")
123 flog.write("Not performing the call.\n")
124 else:
125 with open(self.logfile, 'a') as flog:
126 flog.write(
127 "Plugin hasn't initialized! Not performing the call.")
128
129 def process_report(self):
130 if (self.initialized):
131 with open(self.logfile, 'a') as flog:
132 flog.write("Creating report with violating licenses.\n")
133 self.process_pkg_list()
134 self.write_report_unwanted()
135 with open(self.logfile, 'a') as flog:
136 flog.write("Creating report in XML format.\n")
137 self.write_report_xml()
138
139 def process_pkg_list(self):
140 if os.path.isfile (self.image_pkg_list):
141 img_name = ""
142 with open(self.image_pkg_list, 'r') as finput:
143 for line in finput:
144 line = line.strip()
145 if not line:
146 continue
147 if line.startswith("Packages "):
148 img_name = line.split()[3]
149 with open(self.logfile, 'a') as flog:
150 flog.write("img_name: " + img_name + "\n")
151 continue
152 package_info = line.split()
153 pkg_name = package_info[0]
154 orig_pkg_name = package_info[2]
155 if (not self.image_pkgs) or ((pkg_name + " from " + img_name) not in self.image_pkgs):
156 self.image_pkgs.append(pkg_name + " from " + img_name + " " + orig_pkg_name)
157
158 def write_report_xml(self):
159 try:
160 from lxml import etree
161 except ImportError:
162 try:
163 import xml.etree.cElementTree as etree
164 except ImportError:
165 import xml.etree.ElementTree as etree
166 num_tests = 0
167 root = etree.Element('testsuite', name='LA_Plugin', tests='2')
168 if os.path.isfile(self.report_name):
169 with open(self.report_name, 'r') as f:
170 class_name = "Non-approved-licenses"
171 for line in f:
172 line = line.strip()
173 if line == "":
174 continue
175 if line.startswith("Packages that "):
176 class_name = "Violating-licenses"
177 continue
178 num_tests += 1
179 tcase1 = etree.SubElement(
180 root, 'testcase', classname=class_name, name=line.split(':', 1)[0])
181 etree.SubElement(
182 tcase1, 'failure', message=line, type='violation')
183 else:
184 tcase1 = etree.SubElement(
185 root, 'testcase', classname='ISA_LAChecker', name='none')
186 num_tests = 1
187 root.set('tests', str(num_tests))
188 tree = etree.ElementTree(root)
189 output = self.report_name + '.xml'
190 try:
191 tree.write(output, encoding='UTF-8',
192 pretty_print=True, xml_declaration=True)
193 except TypeError:
194 tree.write(output, encoding='UTF-8', xml_declaration=True)
195
196 def write_report_unwanted(self):
197 if os.path.isfile(self.report_name + "_unwanted"):
198 with open(self.logfile, 'a') as flog:
199 flog.write("image_pkgs: " + str(self.image_pkgs) + "\n")
200 flog.write("self.la_plugin_image_whitelist: " + str(self.la_plugin_image_whitelist) + "\n")
201 flog.write("self.la_plugin_image_blacklist: " + str(self.la_plugin_image_blacklist) + "\n")
202 with open(self.report_name, 'a') as fout:
203 with open(self.report_name + "_unwanted", 'r') as f:
204 fout.write(
205 "\n\nPackages that violate mandatory license requirements:\n")
206 for line in f:
207 line = line.strip()
208 pkg_name = line.split(':',1)[0]
209 if (not self.image_pkgs):
210 fout.write(line + " from image name not available \n")
211 continue
212 for pkg_info in self.image_pkgs:
213 image_pkg_name = pkg_info.split()[0]
214 image_name = pkg_info.split()[2]
215 image_orig_pkg_name = pkg_info.split()[3]
216 if ((image_pkg_name == pkg_name) or (image_orig_pkg_name == pkg_name)):
217 if self.la_plugin_image_whitelist and (image_name not in self.la_plugin_image_whitelist):
218 continue
219 if self.la_plugin_image_blacklist and (image_name in self.la_plugin_image_blacklist):
220 continue
221 fout.write(line + " from image " + image_name)
222 if (image_pkg_name != image_orig_pkg_name):
223 fout.write(" binary_pkg_name " + image_pkg_name + "\n")
224 continue
225 fout.write("\n")
226 os.remove(self.report_name + "_unwanted")
227
228 def find_files(self, init_path):
229 list_of_files = []
230 for (dirpath, dirnames, filenames) in os.walk(init_path):
231 for f in filenames:
232 list_of_files.append(str(dirpath + "/" + f)[:])
233 return list_of_files
234
235 def check_license(self, license, file_path):
236 with open(os.path.dirname(__file__) + file_path, 'r') as f:
237 for line in f:
238 s = line.rstrip()
239 curr_license = license.split(':',1)[1]
240 if s == curr_license:
241 return True
242 return False
243
244 def check_exceptions(self, pkg_name, license, file_path):
245 with open(os.path.dirname(__file__) + file_path, 'r') as f:
246 for line in f:
247 s = line.rstrip()
248 curr_license = license.split(':',1)[1]
249 if s == pkg_name + " " + curr_license:
250 return True
251 return False
252
253# ======== supported callbacks from ISA ============= #
254
255def init(ISA_config):
256 global LicenseChecker
257 LicenseChecker = ISA_LicenseChecker(ISA_config)
258
259
260def getPluginName():
261 return "ISA_LicenseChecker"
262
263
264def process_package(ISA_pkg):
265 global LicenseChecker
266 return LicenseChecker.process_package(ISA_pkg)
267
268
269def process_report():
270 global LicenseChecker
271 return LicenseChecker.process_report()
272
273# ==================================================== #
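Review bot: the bare `except:` around the rpm query in process_package swallows every exception (including KeyboardInterrupt and SystemExit) and only logs `str(sys.exc_info())`, and calling `popen.wait()` before `popen.stdout.read()` can deadlock if rpm ever writes more than the pipe buffer; `except (OSError, subprocess.CalledProcessError)` with `stdout, _ = popen.communicate()` is the conventional form. Further down, check_license and check_exceptions re-open and re-scan the license list for every license of every package and index `license.split(':',1)[1]` unguarded, so a license string without a ':' raises IndexError out of the plugin instead of being logged. Since the whole layer is being dropped none of this needs fixing here; it is noted so the defects are not carried over if the license checker is later reintroduced.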
diff --git a/meta-security-isafw/lib/isafw/isaplugins/__init__.py b/meta-security-isafw/lib/isafw/isaplugins/__init__.py
deleted file mode 100644
index ad1997d..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/__init__.py
+++ /dev/null
@@ -1,42 +0,0 @@
1#
2# __init__.py - part of ISA FW
3#
4# Copyright (c) 2015 - 2016, Intel Corporation
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions are met:
8#
9# * Redistributions of source code must retain the above copyright notice,
10# this list of conditions and the following disclaimer.
11# * Redistributions in binary form must reproduce the above copyright
12# notice, this list of conditions and the following disclaimer in the
13# documentation and/or other materials provided with the distribution.
14# * Neither the name of Intel Corporation nor the names of its contributors
15# may be used to endorse or promote products derived from this software
16# without specific prior written permission.
17#
18# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
22# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
29import glob
30import keyword
31import os
32import sys
33
34basedir = os.path.dirname(__file__)
35
36__all__ = []
37for name in glob.glob(os.path.join(basedir, '*.py')):
38 module = os.path.splitext(os.path.split(name)[-1])[0]
39 if not module.startswith('_') and not keyword.iskeyword(module):
40 __import__(__name__ + '.' + module)
41 __all__.append(module)
42__all__.sort()
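Review bot: `import sys` in the removed plugin loader is unused, and the glob loop `__import__`s every `*.py` found beside it with no allow-list, which made the contents of the isaplugins directory part of the build's trusted code; worth a line in the commit message that this auto-loading goes away with the layer. Style only: `os.path.splitext(os.path.basename(name))[0]` reads more clearly than the `os.path.split(name)[-1]` form.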
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py b/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/__init__.py
+++ /dev/null
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/__init__.py
+++ /dev/null
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py
deleted file mode 100644
index d47ba9f..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/arm.py
+++ /dev/null
@@ -1,24 +0,0 @@
1############################################################################################
2# Kernel Hardening Configurations
3############################################################################################
4hardening_kco = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'not set',}
5hardening_kco_ref = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': '32768',}
6############################################################################################
7# Keys Kernel Configuration
8############################################################################################
9keys_kco = {}
10keys_kco_ref = {}
11############################################################################################
12# Security Kernel Configuration
13############################################################################################
14security_kco = {'CONFIG_LSM_MMAP_MIN_ADDR': 'not set',}
15security_kco_ref = {'CONFIG_LSM_MMAP_MIN_ADDR': '32768',}
16############################################################################################
17# Integrity Kernel Configuration
18############################################################################################
19integrity_kco = {}
20integrity_kco_ref = {}
21############################################################################################
22# Comments
23############################################################################################
24comments = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.'}
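Review bot: the arm overrides in this file could never beat a common entry, because merge_config in the removed ISA_kca_plugin.py does `merged = arch_kco.copy()` followed by `merged.update(common_kco)`, so common.py wins on any shared key; it only worked here because CONFIG_DEFAULT_MMAP_MIN_ADDR and CONFIG_LSM_MMAP_MIN_ADDR do not appear in common.py's hardening_kco or security_kco. `comments` also has an entry for CONFIG_DEFAULT_MMAP_MIN_ADDR but none for CONFIG_LSM_MMAP_MIN_ADDR, so a recommendation for the latter had no explanatory text to attach. Nothing to change for a layer removal; recorded in case the per-arch reference tables are reused elsewhere, where the merge should copy common first and then `update` with the arch table.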
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py
deleted file mode 100644
index faa388c..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/common.py
+++ /dev/null
@@ -1,242 +0,0 @@
1############################################################################################
2# Kernel Hardening Configurations
3############################################################################################
4hardening_kco = {'CONFIG_SERIAL_8250_CONSOLE': 'not set',
5 'CONFIG_SERIAL_CORE': 'not set',
6 'CONFIG_SERIAL_CORE_CONSOLE': 'not set',
7 'CONFIG_CMDLINE_BOOL': 'not set',
8 'CONFIG_CMDLINE': 'not set',
9 'CONFIG_CMDLINE_OVERRIDE': 'not set',
10 'CONFIG_DEBUG_INFO': 'not set',
11 'CONFIG_KGDB': 'not set',
12 'CONFIG_KPROBES': 'not set',
13 'CONFIG_FTRACE': 'not set',
14 'CONFIG_OPROFILE': 'not set',
15 'CONFIG_PROFILING': 'not set',
16 'CONFIG_MAGIC_SYSRQ': 'not set',
17 'CONFIG_DEBUG_BUGVERBOSE': 'not set',
18 'CONFIG_IP_PNP': 'not set',
19 'CONFIG_IKCONFIG': 'not set',
20 'CONFIG_SWAP': 'not set',
21 'CONFIG_NAMESPACES': 'not set',
22 'CONFIG_NFSD': 'not set',
23 'CONFIG_NFS_FS': 'not set',
24 'CONFIG_BINFMT_MISC': 'not set',
25 'CONFIG_KALLSYMS': 'not set',
26 'CONFIG_KALLSYMS_ALL': 'not set',
27 'CONFIG_BUG': 'not set',
28 'CONFIG_SYSCTL_SYSCALL': 'not set',
29 'CONFIG_MODULE_UNLOAD': 'not set',
30 'CONFIG_MODULE_FORCE_LOAD': 'not set',
31 'CONFIG_DEVMEM': 'not set',
32 'CONFIG_COREDUMP': 'not set',
33 'CONFIG_CROSS_MEMORY_ATTACH': 'not set',
34 'CONFIG_UNIX_DIAG': 'not set',
35 'CONFIG_CHECKPOINT_RESTORE': 'not set',
36 'CONFIG_PANIC_ON_OOPS': 'not set',
37 'CONFIG_PACKET_DIAG': 'not set',
38 'CONFIG_FW_LOADER_USER_HELPER': 'not set',
39 'CONFIG_BPF_JIT': 'not set',
40 'CONFIG_USELIB': 'not set',
41 'CONFIG_CC_STACKPROTECTOR': 'not set',
42 'CONFIG_KEXEC': 'not set',
43 'CONFIG_PROC_KCORE': 'not set',
44 'CONFIG_SECURITY_DMESG_RESTRICT': 'not set',
45 'CONFIG_DEBUG_STACKOVERFLOW': 'not set',
46 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'not set',
47 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'not set',
48 'CONFIG_IKCONFIG_PROC': 'not set',
49 'CONFIG_RANDOMIZE_BASE': 'not set',
50 'CONFIG_DEBUG_RODATA': 'not set',
51 'CONFIG_STRICT_DEVMEM': 'not set',
52 'CONFIG_DEVKMEM': 'not set',
53 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'not set',
54 'CONFIG_DEBUG_KERNEL': 'not set',
55 'CONFIG_DEBUG_FS': 'not set',
56 'CONFIG_MODULE_SIG_FORCE': 'not set',
57 }
58hardening_kco_ref = {'CONFIG_SERIAL_8250_CONSOLE': 'not set',
59 'CONFIG_SERIAL_CORE': 'not set',
60 'CONFIG_SERIAL_CORE_CONSOLE': 'not set',
61 'CONFIG_CMDLINE_BOOL': 'y',
62 'CONFIG_CMDLINE': '"cmd_line"',
63 'CONFIG_CMDLINE_OVERRIDE': 'y',
64 'CONFIG_DEBUG_INFO': 'not set',
65 'CONFIG_KGDB': 'not set',
66 'CONFIG_KPROBES': 'not set',
67 'CONFIG_FTRACE': 'not set',
68 'CONFIG_OPROFILE': 'not set',
69 'CONFIG_PROFILING': 'not set',
70 'CONFIG_MAGIC_SYSRQ': 'not set',
71 'CONFIG_DEBUG_BUGVERBOSE': 'not set',
72 'CONFIG_IP_PNP': 'not set',
73 'CONFIG_IKCONFIG': 'not set',
74 'CONFIG_SWAP': 'not set',
75 'CONFIG_NAMESPACES': 'not set',
76 'CONFIG_NFSD': 'not set',
77 'CONFIG_NFS_FS': 'not set',
78 'CONFIG_BINFMT_MISC': 'not set',
79 'CONFIG_KALLSYMS': 'not set',
80 'CONFIG_KALLSYMS_ALL': 'not set',
81 'CONFIG_BUG': 'not set',
82 'CONFIG_SYSCTL_SYSCALL': 'not set',
83 'CONFIG_MODULE_UNLOAD': 'not set',
84 'CONFIG_MODULE_FORCE_LOAD': 'not set',
85 'CONFIG_DEVMEM': 'not set',
86 'CONFIG_COREDUMP': 'not set',
87 'CONFIG_CROSS_MEMORY_ATTACH': 'not set',
88 'CONFIG_UNIX_DIAG': 'not set',
89 'CONFIG_CHECKPOINT_RESTORE': 'not set',
90 'CONFIG_PANIC_ON_OOPS': 'y',
91 'CONFIG_PACKET_DIAG': 'not set',
92 'CONFIG_FW_LOADER_USER_HELPER': 'not set',
93 'CONFIG_BPF_JIT': 'not set',
94 'CONFIG_USELIB': 'not set',
95 'CONFIG_CC_STACKPROTECTOR': 'y',
96 'CONFIG_KEXEC': 'not set',
97 'CONFIG_PROC_KCORE': 'not set',
98 'CONFIG_SECURITY_DMESG_RESTRICT': 'y',
99 'CONFIG_DEBUG_STACKOVERFLOW': 'y',
100 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'y',
101 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'y',
102 'CONFIG_IKCONFIG_PROC': 'not set',
103 'CONFIG_RANDOMIZE_BASE': 'y',
104 'CONFIG_DEBUG_RODATA': 'y',
105 'CONFIG_STRICT_DEVMEM': 'y',
106 'CONFIG_DEVKMEM': 'not set',
107 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'y',
108 'CONFIG_DEBUG_KERNEL': 'not set',
109 'CONFIG_DEBUG_FS': 'not set',
110 'CONFIG_MODULE_SIG_FORCE': 'y',
111 }
112############################################################################################
113# Keys Kernel Configuration
114############################################################################################
115keys_kco = {'CONFIG_KEYS': 'not set',
116 'CONFIG_TRUSTED_KEYS': 'not set',
117 'CONFIG_ENCRYPTED_KEYS': 'not set',
118 'CONFIG_KEYS_DEBUG_PROC_KEYS': 'not set'
119 }
120keys_kco_ref = {'CONFIG_KEYS': 'y',
121 'CONFIG_TRUSTED_KEYS': 'y',
122 'CONFIG_ENCRYPTED_KEYS': 'y',
123 'CONFIG_KEYS_DEBUG_PROC_KEYS': 'not set'
124 }
125############################################################################################
126# Security Kernel Configuration
127############################################################################################
128security_kco = {'CONFIG_SECURITY': 'not set',
129 'CONFIG_SECURITYFS': 'not set',
130 'CONFIG_SECURITY_NETWORKING': 'not set',
131 'CONFIG_DEFAULT_SECURITY': 'not set',
132 'CONFIG_SECURITY_SELINUX': 'not set',
133 'CONFIG_SECURITY_SMACK': 'not set',
134 'CONFIG_SECURITY_TOMOYO': 'not set',
135 'CONFIG_SECURITY_APPARMOR': 'not set',
136 'CONFIG_SECURITY_YAMA': 'not set',
137 'CONFIG_SECURITY_YAMA_STACKED': 'not set'
138 }
139security_kco_ref = {'CONFIG_SECURITY': 'y',
140 'CONFIG_SECURITYFS': 'y',
141 'CONFIG_SECURITY_NETWORKING': 'y',
142 'CONFIG_DEFAULT_SECURITY': '"selinux","smack","apparmor","tomoyo"',
143 'CONFIG_SECURITY_SELINUX': 'y',
144 'CONFIG_SECURITY_SMACK': 'y',
145 'CONFIG_SECURITY_TOMOYO': 'y',
146 'CONFIG_SECURITY_APPARMOR': 'y',
147 'CONFIG_SECURITY_YAMA': 'y',
148 'CONFIG_SECURITY_YAMA_STACKED': 'y'
149 }
150############################################################################################
151# Integrity Kernel Configuration
152############################################################################################
153integrity_kco = {'CONFIG_INTEGRITY': 'not set',
154 'CONFIG_INTEGRITY_SIGNATURE': 'not set',
155 'CONFIG_INTEGRITY_AUDIT': 'not set',
156 'CONFIG_IMA': 'not set',
157 'CONFIG_IMA_LSM_RULES': 'not set',
158 'CONFIG_IMA_APPRAISE': 'not set',
159 'CONFIG_IMA_TRUSTED_KEYRING': 'not set',
160 'CONFIG_IMA_APPRAISE_SIGNED_INIT': 'not set',
161 'CONFIG_EVM': 'not set',
162 'CONFIG_EVM_ATTR_FSUUID': 'not set',
163 'CONFIG_EVM_EXTRA_SMACK_XATTRS': 'not set',
164 'CONFIG_IMA_DEFAULT_HASH_SHA1': 'not set',
165 'CONFIG_IMA_DEFAULT_HASH_SHA256': 'not set',
166 'CONFIG_IMA_DEFAULT_HASH_SHA512': 'not set',
167 'CONFIG_IMA_DEFAULT_HASH_WP512': 'not set'
168 }
169integrity_kco_ref = {'CONFIG_INTEGRITY': 'y',
170 'CONFIG_INTEGRITY_SIGNATURE': 'y',
171 'CONFIG_INTEGRITY_AUDIT': 'y',
172 'CONFIG_IMA': 'y',
173 'CONFIG_IMA_LSM_RULES': 'y',
174 'CONFIG_IMA_APPRAISE': 'y',
175 'CONFIG_IMA_TRUSTED_KEYRING': 'y',
176 'CONFIG_IMA_APPRAISE_SIGNED_INIT': 'y',
177 'CONFIG_EVM': 'y',
178 'CONFIG_EVM_ATTR_FSUUID': 'y',
179 'CONFIG_EVM_EXTRA_SMACK_XATTRS': 'y',
180 'CONFIG_IMA_DEFAULT_HASH_SHA1': 'not set',
181 'CONFIG_IMA_DEFAULT_HASH_SHA256': 'y',
182 'CONFIG_IMA_DEFAULT_HASH_SHA512': 'y',
183 'CONFIG_IMA_DEFAULT_HASH_WP512': 'not set'
184 }
185############################################################################################
186# Comments
187############################################################################################
188comments = { # Kernel Hardening Configurations
189 'CONFIG_SERIAL_8250_CONSOLE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
190 'CONFIG_SERIAL_CORE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
191 'CONFIG_SERIAL_CORE_CONSOLE': 'Enables the serial console. Providing access to the serial console would assist an attacker in discovering attack vectors.',
192 'CONFIG_CMDLINE_BOOL': 'Enables the kernel command line to be hardcoded directly into the kernel. Hardcoding the command line allows tighter control over kernel command line options.',
193 'CONFIG_CMDLINE': 'Defines the kernel command line to be hardcoded into the kernel. Hardcoding the command line allows tighter control over kernel command line options.',
194 'CONFIG_CMDLINE_OVERRIDE': 'Enables the kernel to ignore the boot loader command line and to use only the hardcoded command line. Hardcoding the command line allows tighter control over kernel command line options.',
195 'CONFIG_DEBUG_INFO': 'Enables debug symbols in the kernel. Providing debug symbols would assist an attacker in discovering attack vectors.',
196 'CONFIG_KGDB': 'Enables KGDB over USB and console ports. Providing KGDB would assist an attacker in discovering attack vectors.',
197 'CONFIG_KPROBES': 'Enables Kernel Dynamic Probes. Providing kprobes allows the attacker to collect debug and performance information.',
198 'CONFIG_FTRACE': 'Enables the kernel to trace every function. Providing kernel trace functionality would assist an attacker in discovering attack vectors.',
199 'CONFIG_OPROFILE': 'Enables a profiling system capable of profiling kernel and kernel modules. Providing profiling functionality would assist an attacker in discovering attack vectors.',
200 'CONFIG_PROFILING': 'Enables a profiling system capable of profiling kernel and kernel modules. Providing profiling functionality would assist an attacker in discovering attack vectors.',
201 'CONFIG_MAGIC_SYSRQ': 'Enables a console device to interpret special characters as SysRQ system commands. SysRQ commands are an immediate attack vector as they provide the ability to dump information or reboot the device.',
202 'CONFIG_DEBUG_BUGVERBOSE': 'Enables verbose logging for BUG() panics. Verbose logging would assist an attacker in discovering attack vectors.',
203 'CONFIG_IP_PNP': 'Enables automatic configuration of IP addresses of devices and of the routing table during kernel boot. Providing networking functionality before the system has come up would assist an attacker in discovering attack vectors.',
204 'CONFIG_IKCONFIG': 'Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.',
205 'CONFIG_SWAP': 'Enables swap files for kernel. The ability to read kernel memory pages in swap files would assist an attacker in discovering attack vectors.',
206 'CONFIG_NAMESPACES': 'Enabling this can result in duplicates of dev nodes, pids and mount points, which can be useful to attackers trying to spoof running environments on devices.',
207 'CONFIG_NFSD': 'Enables remote access to files residing on this system using Sun\'s Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.',
208 'CONFIG_NFS_FS': 'Enables remote access to files residing on this system using Sun\'s Network File System protocol. Providing remote access to the file system would assist an attacker in discovering attack vectors.',
209 'CONFIG_BINFMT_MISC': 'Enables support for binary formats other than ELF. Providing the ability to use alternate interpreters would assist an attacker in discovering attack vectors.',
210 'CONFIG_KALLSYMS': 'Enables printing of symbolic crash information and symbolic stack backtraces. Verbose logging would assist an attacker in discovering attack vectors.',
211 'CONFIG_KALLSYMS_ALL': 'Enables printing of symbolic crash information and symbolic stack backtraces. Verbose logging would assist an attacker in discovering attack vectors.',
212 'CONFIG_BUG': 'Enables display of backtrace and register information for BUGs and WARNs in kernel space. Verbose logging would assist an attacker in discovering attack vectors.',
213 'CONFIG_SYSCTL_SYSCALL': 'Enables sysctl to read and write kernel parameters. Use of deprecated and unmaintained features is not recommended.',
214 'CONFIG_MODULE_UNLOAD': 'Enables the ability to unload a kernel module. Allowing module unloading enables the attacker to disable security modules.',
215 'CONFIG_MODULE_FORCE_LOAD': 'Enables forced loading of modules without version information. Providing an attacker with the ability to force load a module assists in discovering attack vectors.',
216 'CONFIG_DEVMEM': 'Enables mem device, which provides access to physical memory. Providing a view into physical memory would assist an attacker in discovering attack vectors.',
217 'CONFIG_COREDUMP': 'Enables support for performing core dumps. Providing core dumps would assist an attacker in discovering attack vectors.',
218 'CONFIG_CROSS_MEMORY_ATTACH': 'Enables cross-process virtual memory access. Providing virtual memory access to and from a hostile process would assist an attacker in discovering attack vectors.',
219 'CONFIG_UNIX_DIAG': 'Enables support for socket monitoring interface. Allows the attacker to inspect shared file descriptors on Unix Domain sockets or traffic on \'localhost\'.',
220 'CONFIG_CHECKPOINT_RESTORE': 'Enables the checkpoint/restore service which can freeze and migrate processes. Providing a method for manipulating process state would assist an attacker in discovering attack vectors.',
221 'CONFIG_PANIC_ON_OOPS': 'Enables conversion of kernel OOPs to PANIC. When fuzzing the kernel or attempting kernel exploits, attackers are likely to trigger kernel OOPSes. Setting the behavior on OOPS to PANIC can impede their progress.',
222 'CONFIG_PACKET_DIAG': 'Enables support for socket monitoring interface. Allows the attacker to inspect shared file descriptors on Unix Domain sockets or traffic on \'localhost\'.',
223 'CONFIG_FW_LOADER_USER_HELPER': 'Enables the invocation of user-helper (e.g. udev) for loading firmware files as a fallback after the direct file loading in kernel fails. Providing firmware auto loader functionality would assist an attacker in discovering attack vectors.',
224 'CONFIG_BPF_JIT': 'Enables Berkeley Packet Filter filtering capabilities. The BPF JIT can be used to create kernel-payloads from firewall table rules which assist an attacker in discovering attack vectors.',
225 'CONFIG_USELIB': 'Enables the uselib syscall. The uselib system call has no valid use in any libc6 or uclibc system. Legacy features would assist an attacker in discovering attack vectors.',
226 'CONFIG_CC_STACKPROTECTOR': 'Enables the stack protector GCC feature which defends against stack-based buffer overflows',
227 'CONFIG_KEXEC': 'Enables the ability to shutdown your current kernel, and start another one. If enabled, this can be used as a way to bypass signed kernels.',
228 'CONFIG_PROC_KCORE': 'Enables access to a kernel core dump from userspace. Providing access to core dumps of the kernel would assist an attacker in discovering attack vectors.',
229 'CONFIG_SECURITY_DMESG_RESTRICT': 'Enables restrictions on unprivileged users reading the kernel syslog via dmesg(8). Unrestricted access to kernel syslogs would assist an attacker in discovering attack vectors.',
230 'CONFIG_DEBUG_STACKOVERFLOW': 'Enables messages to be printed if free stack space drops below a certain limit. Leaking information about resources used by the kernel would assist an attacker in discovering attack vectors.',
231 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS': 'Converts a certain set of sanity checks for user copy operations into compile time failures. The copy_from_user() etc checks help test if there are sufficient security checks on the length argument of the copy operation by having gcc prove that the argument is within bounds.',
232 'CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS': 'Required to enable DEBUG_STRICT_USER_COPY_CHECKS, but alone does not provide security.',
233 'CONFIG_IKCONFIG_PROC': 'Enables access to the kernel config through /proc/config.gz. Leaking the kernel configuration would assist an attacker in discovering attack vectors.',
234 'CONFIG_RANDOMIZE_BASE': 'Enables Kernel Address Space Layout randomization (kASLR). This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.',
235 'CONFIG_DEBUG_RODATA': 'Sets kernel text and rodata sections as read-only and write-protected. This guards against malicious attempts to change the kernel\'s executable code.',
236 'CONFIG_STRICT_DEVMEM': 'Enables restriction of userspace access to kernel memory. Failure to enable this option provides an immediate attack vector.',
237 'CONFIG_DEVKMEM': 'Enables kmem device, which direct maps kernel memory. Providing a view into kernel memory would assist an attacker in discovering attack vectors.',
238 'CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE': 'Enables randomization of PIE load address for ELF binaries. This hinders some types of security attacks by making it more difficult for an attacker to predict target addresses.',
239 'CONFIG_DEBUG_KERNEL': 'Enables sysfs output intended to assist with debugging a kernel. The information output to sysfs would assist an attacker in discovering attack vectors.',
240 'CONFIG_DEBUG_FS': 'Enables the kernel debug filesystem. The kernel debug filesystem presents a lot of useful information and means of manipulation of the kernel to an attacker.',
241 'CONFIG_MODULE_SIG_FORCE': 'Enables validation of module signature. Disabling this option enables an attacker to load unsigned modules.',
242}
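Review bot: dropping this file removes the whole KCA reference policy, but nothing in the patch says where, or whether, an equivalent kernel-config check now lives; a sentence in the commit message pointing users at a replacement, or stating that there is none, would save the next person a dig through history. The table itself is not worth preserving as-is: integrity_kco_ref sets both 'CONFIG_IMA_DEFAULT_HASH_SHA256': 'y' and 'CONFIG_IMA_DEFAULT_HASH_SHA512': 'y', although those are alternatives of a single Kconfig choice and can never both be set, and the CONFIG_PACKET_DIAG entry in comments is a verbatim copy of the CONFIG_UNIX_DIAG text, so it still talks about Unix domain sockets and 'localhost' rather than AF_PACKET sockets.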
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py b/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py
deleted file mode 100644
index cbaddf8..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/kca/x86.py
+++ /dev/null
@@ -1,38 +0,0 @@
1############################################################################################
2# Kernel Hardening Configurations
3############################################################################################
4hardening_kco = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'not set',
5 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'not set',
6 'CONFIG_X86_INTEL_MPX': 'not set',
7 'CONFIG_X86_MSR': 'not set'
8 }
9hardening_kco_ref = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': '65536', # x86 specific
10 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': '0x20000000,0x40000000', # x86 specific
11 'CONFIG_X86_INTEL_MPX': 'y', # x86 and certain HW variants specific
12 'CONFIG_X86_MSR': 'not set'
13 }
14############################################################################################
15# Keys Kernel Configuration
16############################################################################################
17keys_kco = {}
18keys_kco_ref = {}
19############################################################################################
20# Security Kernel Configuration
21############################################################################################
22security_kco = {'CONFIG_LSM_MMAP_MIN_ADDR': 'not set',
23 'CONFIG_INTEL_TXT': 'not set'}
24security_kco_ref = {'CONFIG_LSM_MMAP_MIN_ADDR': '65536', # x86 specific
25 'CONFIG_INTEL_TXT': 'y'}
26############################################################################################
27# Integrity Kernel Configuration
28############################################################################################
29integrity_kco = {}
30integrity_kco_ref = {}
31############################################################################################
32# Comments
33############################################################################################
34comments = {'CONFIG_DEFAULT_MMAP_MIN_ADDR': 'Defines the portion of low virtual memory that should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.',
35 'CONFIG_RANDOMIZE_BASE_MAX_OFFSET': 'Defines the maximal offset in bytes that will be applied to the kernel when kernel Address Space Layout Randomization (kASLR) is active.',
36 'CONFIG_X86_INTEL_MPX': 'Enables MPX hardware features that can be used with compiler-instrumented code to check memory references. It is designed to detect buffer overflow or underflow bugs.',
37 'CONFIG_X86_MSR': 'Enables privileged processes access to the x86 Model-Specific Registers (MSRs). MSR accesses are directed to a specific CPU on multi-processor systems. This alone does not provide security.'
38 }
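Review bot: no objection to removing the x86 table, and it should not be resurrected elsewhere without a refresh: 'CONFIG_X86_INTEL_MPX': 'y' in hardening_kco_ref asks for a feature the mainline kernel dropped in v5.6, and CONFIG_RANDOMIZE_BASE_MAX_OFFSET has not existed since the x86 KASLR rework in v4.8, so on any current kernel both reference checks would have reported a failure the user cannot fix. The reference value '0x20000000,0x40000000' is also a comma-joined pair rather than a single Kconfig value, which the comparison code would have had to handle specially; that coupling goes away with the plugin, which is the right outcome.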
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi b/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi
deleted file mode 100644
index 5e7a69f..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/la/approved-non-osi
+++ /dev/null
@@ -1,43 +0,0 @@
1Artistic-1.0-perl
2BSD-2-Clause-FreeBSD
3BSD-3-Clause-Clear
4BSD-4-Clause
5BSD-4-Clause-UC
6bzip2-1.0.5
7bzip2-1.0.6
8CC0-1.0
9CC-BY-SA-3.0
10ErlPL-1.1
11FTL
12GFDL-1.1
13GFDL-1.1+
14GFDL-1.2
15GFDL-1.2+
16GFDL-1.3
17GFDL-1.3+
18GPL-1.0
19GPL-1.0+
20ICU
21IJG
22Libpng
23libtiff
24MIT-feh
25MIT-Opengroup
26mpich2
27Muddy-MIT
28OFL-1.0
29OLDAP-2.0.1
30OLDAP-2.8
31OpenSSL
32PHP-3.01
33Qhull
34Ruby
35SGI-B-2.0
36TCL
37Vim
38X11
39Zend-2.0
40zlib-acknowledgement
41ZPL-1.1
42ZPL-2.0
43ZPL-2.1
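Review bot: fine to delete together with its consumer, but note the identifier drift this list carried: 'Artistic-1.0-perl' here is spelled 'Artistic-1.0-Perl' in the licenses file, and entries such as 'libtiff', 'Muddy-MIT', 'MIT-Opengroup' and 'mpich2' are Yocto LICENSE strings rather than SPDX identifiers, so any plain string comparison against recipe metadata would have been both case- and spelling-sensitive. If an allow-list of non-OSI licenses is wanted again it should be rebuilt from the current SPDX list rather than restored from this snapshot.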
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions b/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions
deleted file mode 100644
index e69de29..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/la/exceptions
+++ /dev/null
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses b/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses
deleted file mode 100644
index 8fff0b1..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/la/licenses
+++ /dev/null
@@ -1,105 +0,0 @@
1AFL-1.1
2AFL-1.2
3AFL-2.0
4AFL-2.1
5AFL-3.0
6APL-1.0
7Apache-1.1
8Apache-2.0
9APSL-1.0
10APSL-1.1
11APSL-1.2
12APSL-2.0
13Artistic-1.0
14Artistic-1.0-Perl
15Artistic-1.0-cl8
16Artistic-2.0
17AAL
18BSL-1.0
19BSD-2-Clause
20BSD-3-Clause
21CNRI-Python
22CDDL-1.0
23CPAL-1.0
24CPL-1.0
25CATOSL-1.1
26CUA-OPL-1.0
27EPL-1.0
28ECL-1.0
29ECL-2.0
30EFL-1.0
31EFL-2.0
32Entessa
33EUDatagrid
34EUPL-1.1
35Fair
36Frameworx-1.0
37AGPL-3.0
38GPL-2.0
39GPL-2.0+
40GPL-2.0-with-autoconf-exception
41GPL-2.0-with-bison-exception
42GPL-2.0-with-classpath-exception
43GPL-2.0-with-font-exception
44GPL-2.0-with-GCC-exception
45GPL-3.0
46GPL-3.0+
47GPL-3.0-with-autoconf-exception
48GPL-3.0-with-GCC-exception
49LGPL-2.1
50LGPL-2.1+
51LGPL-3.0
52LGPL-3.0+
53LGPL-2.0
54LGPL-2.0+
55HPND
56IPL-1.0
57Intel
58IPA
59ISC
60LPPL-1.3c
61LPL-1.02
62LPL-1.0
63MS-PL
64MS-RL
65MirOS
66MIT
67Motosoto
68MPL-1.0
69MPL-1.1
70MPL-2.0
71MPL-2.0-no-copyleft-exception
72Multics
73NASA-1.3
74Naumen
75NGPL
76Nokia
77NPOSL-3.0
78NTP
79OCLC-2.0
80OGTSL
81OSL-1.0
82OSL-2.0
83OSL-2.1
84OSL-3.0
85PHP-3.0
86PostgreSQL
87Python-2.0
88QPL-1.0
89RPSL-1.0
90RPL-1.1
91RPL-1.5
92RSCPL
93OFL-1.1
94SimPL-2.0
95Sleepycat
96SISSL
97SPL-1.0
98Watcom-1.0
99NCSA
100VSL-1.0
101W3C
102WXwindows
103Xnet
104Zlib
105ZPL-2.0
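Review bot: same remark as for approved-non-osi: 'Artistic-1.0-Perl' (capital P) here versus 'Artistic-1.0-perl' in that file means the two lists would have disagreed on the same license depending on which spelling a recipe's LICENSE used, and 'WXwindows' is likewise not the SPDX spelling. Nothing here needs saving: this is a point-in-time copy of the OSI-approved list with no mechanism to track upstream additions, so deleting it with the plugin is cleaner than leaving a stale allow-list in the tree.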
diff --git a/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations b/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations
deleted file mode 100644
index 5da203b..0000000
--- a/meta-security-isafw/lib/isafw/isaplugins/configs/la/violations
+++ /dev/null
@@ -1,7 +0,0 @@
1GPL-3.0
2GPL-3.0+
3GPL-3.0-with-autoconf-exception
4GPL-3.0-with-GCC-exception
5LGPL-3.0
6LGPL-3.0+
7
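Review bot: the file ends with an empty line 7, which a naive line-by-line reader would turn into an empty license string that matches nothing or, worse, matches a recipe with an empty LICENSE; moot once the file is gone, but worth remembering if a violations list is ever reintroduced. Also worth recording that the default policy shipped here flagged every GPL-3.0 and LGPL-3.0 variant as a violation; users who relied on that as their GPLv3 guard lose it with this patch and should be pointed at INCOMPATIBLE_LICENSE in the commit message or release notes.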
diff --git a/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb b/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb
deleted file mode 100644
index 74f5d39..0000000
--- a/meta-security-isafw/recipes-devtools/checksec/checksec_1.5-1.bb
+++ /dev/null
@@ -1,25 +0,0 @@
1SUMMARY = "Checksec tool"
2DESCRIPTION = "The checksec.sh script is designed to test what standard Linux OS and PaX security features are being used."
3SECTION = "security"
4LICENSE = "BSD-3-Clause"
5HOMEPAGE="http://www.trapkit.de/tools/checksec.html"
6
7LIC_FILES_CHKSUM = "file://checksec-${PV}.sh;beginline=3;endline=34;md5=6dab14470bfdf12634b866dbdd7a04b0"
8
9SRC_URI = "http://www.trapkit.de/tools/checksec.sh;downloadfilename=checksec-${PV}.sh"
10
11SRC_URI[md5sum] = "57cc3fbbbe48e8ebd4672c569954374d"
12SRC_URI[sha256sum] = "05822cd8668589038d20650faa0e56f740911d8ad06f7005b3d12a5c76591b90"
13
14
15S = "${WORKDIR}"
16
17do_install() {
18 install -d ${D}${bindir}
19 install -m 0755 ${WORKDIR}/checksec-${PV}.sh ${D}${bindir}/checksec.sh
20 sed -i 's/\r//' ${D}${bindir}/checksec.sh
21}
22
23RDEPENDS:${PN} = "bash binutils"
24
25BBCLASSEXTEND = "native"
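Review bot: this recipe fetched checksec over plain http:// (both SRC_URI and HOMEPAGE), relying entirely on the md5sum/sha256sum lines for integrity, and pinned checksec 1.5, a script long superseded by the maintained fork; removing it is the right call rather than keeping a stale security tool in the tree. If checksec is still wanted in meta-security it should come back as a fresh recipe for the maintained fork, with an https SRC_URI, in its own commit, and the message for this drop should say whether such a recipe already exists so users of checksec.sh know where to look. Minor: the sed -i 's/\r//' line shows the upstream file had CRLF endings; a replacement recipe should check whether that fix-up is still needed.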