meta-security: add sanity check

Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2021-06-02 02:05:05 +0000
committer: Armin Kuster <akuster808@gmail.com> 2021-06-06 13:03:37 -0700
commit: c1235f6affb5c38e64b3a04533b8388969b194b2 (patch)
tree: 08bc2b43e6b96e1f9b775de06240010586548272
parent: 34d6b479b894441931d8819d1f7a4a43e1fbee2e (diff)
download: meta-security-c1235f6affb5c38e64b3a04533b8388969b194b2.tar.gz
3 files changed, 32 insertions, 0 deletions
diff --git a/README b/README
index eb15366..4047b86 100644
--- a/README
+++ b/README
@@ -1,6 +1,24 @@
 Meta-security
 =============
+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'security' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+  DISTRO_FEATURES_append = " security"
+If meta-security is included, but security  is not enabled as a
+distro feature a warning is printed at parse time:
+    You have included the meta-security layer, but
+    'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+    and preferred version setting may not take effect.
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+  SKIP_META_SECURITY_SANITY_CHECK = 1
 This layer provides security tools, hardening tools for Linux kernels
 and libraries for implementing security mechanisms.
diff --git a/classes/sanity-meta-security.bbclass b/classes/sanity-meta-security.bbclass
new file mode 100644
index 0000000..b6c6b9c
--- /dev/null
+++ b/classes/sanity-meta-security.bbclass
@@ -0,0 +1,10 @@
+addhandler security_bbappend_distrocheck
+security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
+python security_bbappend_distrocheck() {
+    skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1"
+    if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+        bb.warn("You have included the meta-security layer, but \
+'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-security README \
+for details on enabling security support.")
+}
diff --git a/conf/layer.conf b/conf/layer.conf
index 906e024..7853d6e 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -13,6 +13,10 @@ LAYERSERIES_COMPAT_security = "hardknott"
 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
+# Sanity check for meta-security layer.
+# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-security"
 BBFILES_DYNAMIC += " \
 rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb  \
 "
author	Armin Kuster <akuster808@gmail.com>	2021-06-02 02:05:05 +0000
committer	Armin Kuster <akuster808@gmail.com>	2021-06-06 13:03:37 -0700
commit	c1235f6affb5c38e64b3a04533b8388969b194b2 (patch)
tree	08bc2b43e6b96e1f9b775de06240010586548272
parent	34d6b479b894441931d8819d1f7a4a43e1fbee2e (diff)
download	meta-security-c1235f6affb5c38e64b3a04533b8388969b194b2.tar.gz

diff --git a/README b/README index eb15366..4047b86 100644 --- a/README +++ b/README
@@ -1,6 +1,24 @@
1	Meta-security	1	Meta-security
2	=============	2	=============
3		3
		4	The bbappend files for some recipes (e.g. linux-yocto) in this layer need
		5	to have 'security' in DISTRO_FEATURES to have effect.
		6	To enable them, add in configuration file the following line.
		7
		8	DISTRO_FEATURES_append = " security"
		9
		10	If meta-security is included, but security is not enabled as a
		11	distro feature a warning is printed at parse time:
		12
		13	You have included the meta-security layer, but
		14	'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files
		15	and preferred version setting may not take effect.
		16
		17	If you know what you are doing, this warning can be disabled by setting the following
		18	variable in your configuration:
		19
		20	SKIP_META_SECURITY_SANITY_CHECK = 1
		21
4	This layer provides security tools, hardening tools for Linux kernels	22	This layer provides security tools, hardening tools for Linux kernels
5	and libraries for implementing security mechanisms.	23	and libraries for implementing security mechanisms.
6		24


diff --git a/classes/sanity-meta-security.bbclass b/classes/sanity-meta-security.bbclass new file mode 100644 index 0000000..b6c6b9c --- /dev/null +++ b/classes/sanity-meta-security.bbclass
@@ -0,0 +1,10 @@
		1	addhandler security_bbappend_distrocheck
		2	security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
		3	python security_bbappend_distrocheck() {
		4	skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1"
		5	if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
		6	bb.warn("You have included the meta-security layer, but \
		7	'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
		8	and preferred version setting may not take effect. See the meta-security README \
		9	for details on enabling security support.")
		10	}


diff --git a/conf/layer.conf b/conf/layer.conf index 906e024..7853d6e 100644 --- a/conf/layer.conf +++ b/conf/layer.conf
@@ -13,6 +13,10 @@ LAYERSERIES_COMPAT_security = "hardknott"
13		13
14	LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"	14	LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
15		15
		16	# Sanity check for meta-security layer.
		17	# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check.
		18	INHERIT += "sanity-meta-security"
		19
16	BBFILES_DYNAMIC += " \	20	BBFILES_DYNAMIC += " \
17	rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-//*.bb \	21	rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-//*.bb \
18	"	22	"