[meta-security][PATCH 1/7] meta-security: add sanity check


Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
README | 18 ++++++++++++++++++
classes/sanity-meta-security.bbclass | 10 ++++++++++
conf/layer.conf | 4 ++++
3 files changed, 32 insertions(+)
create mode 100644 classes/sanity-meta-security.bbclass

diff --git a/README b/README
index eb15366..4047b86 100644
--- a/README
+++ b/README
@@ -1,6 +1,24 @@
Meta-security
=============

+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'security' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+ DISTRO_FEATURES_append = " security"
+
+If meta-security is included, but security is not enabled as a
+distro feature a warning is printed at parse time:
+
+ You have included the meta-security layer, but
+ 'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+ and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+
+ SKIP_META_SECURITY_SANITY_CHECK = 1
+
This layer provides security tools, hardening tools for Linux kernels
and libraries for implementing security mechanisms.

diff --git a/classes/sanity-meta-security.bbclass b/classes/sanity-meta-security.bbclass
new file mode 100644
index 0000000..b6c6b9c
--- /dev/null
+++ b/classes/sanity-meta-security.bbclass
@@ -0,0 +1,10 @@
+addhandler security_bbappend_distrocheck
+security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
+python security_bbappend_distrocheck() {
+ skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1"
+ if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+ bb.warn("You have included the meta-security layer, but \
+'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-security README \
+for details on enabling security support.")
+}
diff --git a/conf/layer.conf b/conf/layer.conf
index 906e024..7853d6e 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -13,6 +13,10 @@ LAYERSERIES_COMPAT_security = "hardknott"

LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"

+# Sanity check for meta-security layer.
+# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-security"
+
BBFILES_DYNAMIC += " \
rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb \
"
--
2.25.1

Join yocto@lists.yoctoproject.org to automatically receive all group messages.