[meta-oe,v4] usbguard: Initial recipe

Submitted by Ayoub Zaki on July 29, 2019, 8:04 a.m. | Patch ID: 163472

Details

Message ID 20190729080432.20866-1-ayoub.zaki@embexus.com
State Changes Requested

Commit Message

Ayoub Zaki July 29, 2019, 8:04 a.m.
Introduce the USBGuard software framework that helps to protect against rogue USB devices (a.k.a. BadUSB)
by implementing basic whitelisting and blacklisting capabilities based on device attributes.
---
 ...kgconfig-instead-of-libgcrypt-config.patch | 25 +++++++++++++
 .../usbguard/usbguard_0.7.4.bb                | 37 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch
 create mode 100644 meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb

Patch

diff --git a/meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch b/meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch
new file mode 100644
index 000000000..022320b40
--- /dev/null
+++ b/meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch
@@ -0,0 +1,25 @@ 
+From 85a3c46fa0bcf05d824b86b7e5412ec65924e86a Mon Sep 17 00:00:00 2001
+From: Ayoub Zaki <ayoub.zaki@embexus.com>
+Date: Mon, 29 Jul 2019 09:46:56 +0200
+Subject: [PATCH 1/1] Use pkgconfig instead of libgcrypt-config
+
+---
+ m4/libgcrypt.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/m4/libgcrypt.m4 b/m4/libgcrypt.m4
+index 6cf482f..d674eae 100644
+--- a/m4/libgcrypt.m4
++++ b/m4/libgcrypt.m4
+@@ -28,7 +28,7 @@ AC_DEFUN([AM_PATH_LIBGCRYPT],
+      libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="")
+   if test x$libgcrypt_config_prefix != x ; then
+      if test x${LIBGCRYPT_CONFIG+set} != xset ; then
+-        LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config
++        LIBGCRYPT_CONFIG=$(shell pkg-config libgcrypt)
+      fi
+   fi
+ 
+-- 
+2.17.1
+
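Review bot: The added line `LIBGCRYPT_CONFIG=$(shell pkg-config libgcrypt)` in the AM_PATH_LIBGCRYPT hunk uses GNU make's `$(shell ...)` form inside an m4 macro that expands into configure's shell code, where `$(...)` is plain command substitution and would try to run a command named `shell`. The variable previously held the path of the `libgcrypt-config` program, so it should either keep pointing at an executable or the macro should query pkg-config directly (for example through `PKG_CHECK_MODULES`) instead of assigning command output to it. The embedded patch header also has an empty body: add a short description, a `Signed-off-by:` line and an `Upstream-Status:` line so the change can be tracked against upstream.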
diff --git a/meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb b/meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb
new file mode 100644
index 000000000..75ab62c3a
--- /dev/null
+++ b/meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb
@@ -0,0 +1,37 @@ 
+DESCRIPTION="USBGuard framework helps to protect against BadUSB."
+HOMEPAGE="https://github.com/dkopecek/usbguard"
+LICENSE="GPLv2"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=8264535c0c4e9c6c335635c4026a8022"
+
+SRCREV = "0ab32d7fa092067030fcbef530968b5cc237b08c"
+SRC_URI = "git://git@github.com/USBGuard/usbguard.git;protocol=https;branch=master \
+           file://0001-Use-pkgconfig-instead-of-libgcrypt-config.patch \
+          "
+
+inherit autotools pkgconfig systemd bash-completion
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "protobuf-native libxml2-native libxslt-native xmlto-native glib-2.0-native \
+	dbus dbus-glib libqb libcap-ng libgcrypt libsodium protobuf pegtl"
+
+EXTRA_OECONF += "--with-bundled-catch"
+
+PACKAGECONFIG ??= "libsodium \
+	${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
+	${@bb.utils.filter('DISTRO_FEATURES', 'polkit', d)}"
+
+PACKAGECONFIG[systemd]   = "--enable-systemd,--disable-systemd"
+PACKAGECONFIG[libsodium] = "--with-crypto-library=sodium"
+PACKAGECONFIG[libgcrypt] = "--with-crypto-library=gcrypt"
+PACKAGECONFIG[polkit]    = "--with-polkit,--without-polkit"
+PACKAGECONFIG[dbus]      = "--with-dbus,--without-dbus"
+
+SYSTEMD_SERVICE_${PN} = "${PN}.service"
+SYSTEMD_PACKAGES += "${PN}"
+
+do_install_append(){
+	
+	sed -i 's|/var/log/usbguard/usbguard-audit.log|/var/log/usbguard-audit.log|g' \ 
+						${D}${sysconfdir}/usbguard/usbguard-daemon.conf
+}
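Review bot: The `PACKAGECONFIG[...]` flags for systemd, polkit and dbus carry only configure switches and no dependency field, while `DEPENDS` lists `dbus dbus-glib libgcrypt libsodium` unconditionally, so enabling polkit adds no build dependency and the crypto and D-Bus libraries are pulled in even when their option is off. Move each optional library into the third field of its flag, e.g. `PACKAGECONFIG[libsodium] = "--with-crypto-library=sodium,,libsodium"`, and keep only the always-needed entries in `DEPENDS`. Separately, `HOMEPAGE` names `github.com/dkopecek/usbguard` while `SRC_URI` fetches from `github.com/USBGuard/usbguard.git`; point both at the same project, and drop the `git@` user from `SRC_URI` since the fetch uses `protocol=https`.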

Comments

Khem Raj July 29, 2019, 2:14 p.m.
On Mon, Jul 29, 2019 at 1:04 AM Ayoub Zaki <ayoub.zaki@embexus.com> wrote:
>
> Introduce the USBGuard software framework that helps to protect against rogue USB devices (a.k.a. BadUSB)
> by implementing basic whitelisting and blacklisting capabilities based on device attributes.
> ---
>  ...kgconfig-instead-of-libgcrypt-config.patch | 25 +++++++++++++
>  .../usbguard/usbguard_0.7.4.bb                | 37 +++++++++++++++++++
>  2 files changed, 62 insertions(+)
>  create mode 100644 meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch
>  create mode 100644 meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb
>
> diff --git a/meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch b/meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch
> new file mode 100644
> index 000000000..022320b40
> --- /dev/null
> +++ b/meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch
> @@ -0,0 +1,25 @@
> +From 85a3c46fa0bcf05d824b86b7e5412ec65924e86a Mon Sep 17 00:00:00 2001
> +From: Ayoub Zaki <ayoub.zaki@embexus.com>
> +Date: Mon, 29 Jul 2019 09:46:56 +0200
> +Subject: [PATCH 1/1] Use pkgconfig instead of libgcrypt-config
> +
> +---
> + m4/libgcrypt.m4 | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/m4/libgcrypt.m4 b/m4/libgcrypt.m4
> +index 6cf482f..d674eae 100644
> +--- a/m4/libgcrypt.m4
> ++++ b/m4/libgcrypt.m4
> +@@ -28,7 +28,7 @@ AC_DEFUN([AM_PATH_LIBGCRYPT],
> +      libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="")
> +   if test x$libgcrypt_config_prefix != x ; then
> +      if test x${LIBGCRYPT_CONFIG+set} != xset ; then
> +-        LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config
> ++        LIBGCRYPT_CONFIG=$(shell pkg-config libgcrypt)
> +      fi
> +   fi
> +
> +--
> +2.17.1
> +
> diff --git a/meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb b/meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb
> new file mode 100644
> index 000000000..75ab62c3a
> --- /dev/null
> +++ b/meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb
> @@ -0,0 +1,37 @@
> +DESCRIPTION="USBGuard framework helps to protect against BadUSB."
> +HOMEPAGE="https://github.com/dkopecek/usbguard"
> +LICENSE="GPLv2"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=8264535c0c4e9c6c335635c4026a8022"
> +
> +SRCREV = "0ab32d7fa092067030fcbef530968b5cc237b08c"
> +SRC_URI = "git://git@github.com/USBGuard/usbguard.git;protocol=https;branch=master \
> +           file://0001-Use-pkgconfig-instead-of-libgcrypt-config.patch \
> +          "
> +
> +inherit autotools pkgconfig systemd bash-completion
> +
> +S = "${WORKDIR}/git"
> +
> +DEPENDS = "protobuf-native libxml2-native libxslt-native xmlto-native glib-2.0-native \
> +       dbus dbus-glib libqb libcap-ng libgcrypt libsodium protobuf pegtl"
> +

make it +=

> +EXTRA_OECONF += "--with-bundled-catch"
> +

We do have a catch package recipe; have you considered using that?

> +PACKAGECONFIG ??= "libsodium \
> +       ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
> +       ${@bb.utils.filter('DISTRO_FEATURES', 'polkit', d)}"
> +
> +PACKAGECONFIG[systemd]   = "--enable-systemd,--disable-systemd"
> +PACKAGECONFIG[libsodium] = "--with-crypto-library=sodium"
> +PACKAGECONFIG[libgcrypt] = "--with-crypto-library=gcrypt"
> +PACKAGECONFIG[polkit]    = "--with-polkit,--without-polkit"
> +PACKAGECONFIG[dbus]      = "--with-dbus,--without-dbus"
> +

I think the dependencies added unconditionally above should be added
via packageconfigs.

> +SYSTEMD_SERVICE_${PN} = "${PN}.service"
> +SYSTEMD_PACKAGES += "${PN}"

Using PN on the right-hand side will fail for multilib builds. Maybe use BPN.

> +
> +do_install_append(){
> +
> +       sed -i 's|/var/log/usbguard/usbguard-audit.log|/var/log/usbguard-audit.log|g' \
> +                                               ${D}${sysconfdir}/usbguard/usbguard-daemon.conf
> +}
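Review bot: The `sed` in `do_install_append` rewrites the audit log path in `usbguard-daemon.conf` from `/var/log/usbguard/usbguard-audit.log` to `/var/log/usbguard-audit.log` with no comment or commit-message text saying why. Either document the reason next to the command, or keep the shipped path and have the recipe provide `/var/log/usbguard`, which keeps the audit log in a directory whose permissions can be set on its own.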
> --
> 2.17.1
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
Khem Raj July 29, 2019, 2:40 p.m.
there are build failures still

https://errors.yoctoproject.org/Errors/Details/255457/

On Mon, Jul 29, 2019 at 7:14 AM Khem Raj <raj.khem@gmail.com> wrote:
>
> On Mon, Jul 29, 2019 at 1:04 AM Ayoub Zaki <ayoub.zaki@embexus.com> wrote:
> >
> > Introduce the USBGuard software framework that helps to protect against rogue USB devices (a.k.a. BadUSB)
> > by implementing basic whitelisting and blacklisting capabilities based on device attributes.
> > ---
> >  ...kgconfig-instead-of-libgcrypt-config.patch | 25 +++++++++++++
> >  .../usbguard/usbguard_0.7.4.bb                | 37 +++++++++++++++++++
> >  2 files changed, 62 insertions(+)
> >  create mode 100644 meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch
> >  create mode 100644 meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb
> >
> > diff --git a/meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch b/meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch
> > new file mode 100644
> > index 000000000..022320b40
> > --- /dev/null
> > +++ b/meta-oe/recipes-security/usbguard/usbguard/0001-Use-pkgconfig-instead-of-libgcrypt-config.patch
> > @@ -0,0 +1,25 @@
> > +From 85a3c46fa0bcf05d824b86b7e5412ec65924e86a Mon Sep 17 00:00:00 2001
> > +From: Ayoub Zaki <ayoub.zaki@embexus.com>
> > +Date: Mon, 29 Jul 2019 09:46:56 +0200
> > +Subject: [PATCH 1/1] Use pkgconfig instead of libgcrypt-config
> > +
> > +---
> > + m4/libgcrypt.m4 | 2 +-
> > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > +
> > +diff --git a/m4/libgcrypt.m4 b/m4/libgcrypt.m4
> > +index 6cf482f..d674eae 100644
> > +--- a/m4/libgcrypt.m4
> > ++++ b/m4/libgcrypt.m4
> > +@@ -28,7 +28,7 @@ AC_DEFUN([AM_PATH_LIBGCRYPT],
> > +      libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="")
> > +   if test x$libgcrypt_config_prefix != x ; then
> > +      if test x${LIBGCRYPT_CONFIG+set} != xset ; then
> > +-        LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config
> > ++        LIBGCRYPT_CONFIG=$(shell pkg-config libgcrypt)
> > +      fi
> > +   fi
> > +
> > +--
> > +2.17.1
> > +
> > diff --git a/meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb b/meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb
> > new file mode 100644
> > index 000000000..75ab62c3a
> > --- /dev/null
> > +++ b/meta-oe/recipes-security/usbguard/usbguard_0.7.4.bb
> > @@ -0,0 +1,37 @@
> > +DESCRIPTION="USBGuard framework helps to protect against BadUSB."
> > +HOMEPAGE="https://github.com/dkopecek/usbguard"
> > +LICENSE="GPLv2"
> > +LIC_FILES_CHKSUM = "file://LICENSE;md5=8264535c0c4e9c6c335635c4026a8022"
> > +
> > +SRCREV = "0ab32d7fa092067030fcbef530968b5cc237b08c"
> > +SRC_URI = "git://git@github.com/USBGuard/usbguard.git;protocol=https;branch=master \
> > +           file://0001-Use-pkgconfig-instead-of-libgcrypt-config.patch \
> > +          "
> > +
> > +inherit autotools pkgconfig systemd bash-completion
> > +
> > +S = "${WORKDIR}/git"
> > +
> > +DEPENDS = "protobuf-native libxml2-native libxslt-native xmlto-native glib-2.0-native \
> > +       dbus dbus-glib libqb libcap-ng libgcrypt libsodium protobuf pegtl"
> > +
>
> make it +=
>
> > +EXTRA_OECONF += "--with-bundled-catch"
> > +
>
> We do have a catch package recipe; have you considered using that?
>
> > +PACKAGECONFIG ??= "libsodium \
> > +       ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
> > +       ${@bb.utils.filter('DISTRO_FEATURES', 'polkit', d)}"
> > +
> > +PACKAGECONFIG[systemd]   = "--enable-systemd,--disable-systemd"
> > +PACKAGECONFIG[libsodium] = "--with-crypto-library=sodium"
> > +PACKAGECONFIG[libgcrypt] = "--with-crypto-library=gcrypt"
> > +PACKAGECONFIG[polkit]    = "--with-polkit,--without-polkit"
> > +PACKAGECONFIG[dbus]      = "--with-dbus,--without-dbus"
> > +
>
> I think the dependencies added unconditionally above should be added
> via packageconfigs.
>
> > +SYSTEMD_SERVICE_${PN} = "${PN}.service"
> > +SYSTEMD_PACKAGES += "${PN}"
>
> Using PN on the right-hand side will fail for multilib builds. Maybe use BPN.
>
> > +
> > +do_install_append(){
> > +
> > +       sed -i 's|/var/log/usbguard/usbguard-audit.log|/var/log/usbguard-audit.log|g' \
> > +                                               ${D}${sysconfdir}/usbguard/usbguard-daemon.conf
> > +}
> > --
> > 2.17.1
> >
Adrian Bunk July 30, 2019, 10:55 a.m.
On Mon, Jul 29, 2019 at 07:40:43AM -0700, Khem Raj wrote:
> there are build failures still
> 
> https://errors.yoctoproject.org/Errors/Details/255457/

+DEPENDS = "protobuf-native libxml2-native libxslt-native xmlto-native glib-2.0-native \
+       dbus dbus-glib libqb libcap-ng libgcrypt libsodium protobuf pegtl"
...
+PACKAGECONFIG ??= "libsodium \
+       ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
+       ${@bb.utils.filter('DISTRO_FEATURES', 'polkit', d)}"
+
+PACKAGECONFIG[systemd]   = "--enable-systemd,--disable-systemd"
+PACKAGECONFIG[libsodium] = "--with-crypto-library=sodium"
+PACKAGECONFIG[libgcrypt] = "--with-crypto-library=gcrypt"
+PACKAGECONFIG[polkit]    = "--with-polkit,--without-polkit"
+PACKAGECONFIG[dbus]      = "--with-dbus,--without-dbus"

The problem is that dependencies should be added as third parameter to 
PACKAGECONFIG, which is missing here for polkit.

Note that there is also the (less harmful) opposite problem here:
The libsodium, libgcrypt and dbus/dbus-glib dependencies are likely only 
required when the corresponding functionality is enabled via PACKAGECONFIG.

cu
Adrian
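
The PACKAGECONFIG layout described in the reply above, as an added example that is not part of the thread or of the submitted recipe. The `systemd` and `polkit` recipe names in the dependency fields, and the split between always-needed and optional entries in `DEPENDS`, are assumptions.

```bitbake
# Added illustration, not the submitted recipe.
# Field order inside a PACKAGECONFIG flag:
#   enable-args,disable-args,build-deps,runtime-deps

# Entries assumed to be needed in every configuration stay in DEPENDS.
DEPENDS += "protobuf-native libxml2-native libxslt-native xmlto-native glib-2.0-native \
            libqb libcap-ng protobuf pegtl"

PACKAGECONFIG ??= "libsodium \
    ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
    ${@bb.utils.filter('DISTRO_FEATURES', 'polkit', d)}"

# The third field adds the build dependency only when the feature is selected,
# so a polkit-enabled build gets its library staged and a build without dbus
# or with the other crypto backend does not stage libraries it never links.
# Dependency names "systemd" and "polkit" are assumed recipe names.
PACKAGECONFIG[systemd]   = "--enable-systemd,--disable-systemd,systemd"
PACKAGECONFIG[polkit]    = "--with-polkit,--without-polkit,polkit"
PACKAGECONFIG[dbus]      = "--with-dbus,--without-dbus,dbus dbus-glib"

# The crypto backends have no disable switch on the page, so the second
# field is left empty.
PACKAGECONFIG[libsodium] = "--with-crypto-library=sodium,,libsodium"
PACKAGECONFIG[libgcrypt] = "--with-crypto-library=gcrypt,,libgcrypt"
```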