[meta-security,1/7] meta-security: add sanity check

Submitted by Armin Kuster on June 5, 2021, 10:02 p.m. | Patch ID: 179858

Details

Message ID 20210605220258.414233-2-akuster808@gmail.com
State New
Headers show

Commit Message

Armin Kuster June 5, 2021, 10:02 p.m.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 README                               | 18 ++++++++++++++++++
 classes/sanity-meta-security.bbclass | 10 ++++++++++
 conf/layer.conf                      |  4 ++++
 3 files changed, 32 insertions(+)
 create mode 100644 classes/sanity-meta-security.bbclass

Patch hide | download patch | download mbox

diff --git a/README b/README
index eb15366..4047b86 100644
--- a/README
+++ b/README
@@ -1,6 +1,24 @@ 
 Meta-security
 =============
 
+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'security' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+  DISTRO_FEATURES_append = " security"
+
+If meta-security is included, but security  is not enabled as a
+distro feature a warning is printed at parse time:
+
+    You have included the meta-security layer, but
+    'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+    and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+
+  SKIP_META_SECURITY_SANITY_CHECK = 1
+
 This layer provides security tools, hardening tools for Linux kernels
 and libraries for implementing security mechanisms.
 
diff --git a/classes/sanity-meta-security.bbclass b/classes/sanity-meta-security.bbclass
new file mode 100644
index 0000000..b6c6b9c
--- /dev/null
+++ b/classes/sanity-meta-security.bbclass
@@ -0,0 +1,10 @@ 
+addhandler security_bbappend_distrocheck
+security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
+python security_bbappend_distrocheck() {
+    skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1"
+    if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+        bb.warn("You have included the meta-security layer, but \
+'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-security README \
+for details on enabling security support.")
+}
diff --git a/conf/layer.conf b/conf/layer.conf
index 906e024..7853d6e 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -13,6 +13,10 @@  LAYERSERIES_COMPAT_security = "hardknott"
 
 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
 
+# Sanity check for meta-security layer.
+# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-security"
+
 BBFILES_DYNAMIC += " \
 rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb  \
 "