meta-security: subtree update:6053e8b8e2..9504d02694

Armin Kuster (19):
      softhsm: drop pkg as meta-oe has it
      apparmor: Inherit python3targetconfig
      python3-suricata-update: Inherit python3targetconfig
      openscap: Inherit python3targetconfig
      scap-security-guide: Inherit python3targetconfig
      nikito: Update common-licenses references to match new names
      kas-security-base.yml: build setting updates
      kas-security-base.yml: drop DL_DIR
      arpwatch: upgrade 3.0 -> 3.1
      checksec: upgrade 2.1.0 -> 2.4.0
      ding-libs: upgrade 0.5.0 -> 0.6.1
      fscryptctl: upgrade 0.1.0 -> 1.0.0
      libseccomp: upgrade 2.5.0 -> 2.5.1
      python3-privacyidea: upgrade 3.3 -> 3.5.1
      python3-scapy: upgrade 2.4.3 -> 2.4.4
      samhain: update to 4.4.3
      opendnssec: update to 2.1.8
      suricata: update to 4.10.0
      python3-fail2ban: update to 0.11.2

Jate Sujjavanich (1):
      scap-security-guide: Fix openembedded platform tests and build

Ming Liu (9):
      ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
      initramfs-framework-ima: fix a wrong path
      ima-evm-keys: add recipe
      initramfs-framework-ima: RDEPENDS on ima-evm-keys
      meta: refactor IMA/EVM sign rootfs
      README.md: update according to the refactoring in ima-evm-rootfs.bbclass
      initramfs-framework-ima: let ima_enabled return 0
      ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
      ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic

Yi Zhao (1):
      ibmswtpm2: disable camellia algorithm

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ic7dc6f5425a1493ac0534e10ed682662d109e60c

2 files changed, 3 insertions, 2 deletions

diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index dacdc8bf0..77f6f7cff 100644
--- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -27,5 +27,5 @@ do_install () {
 
 FILES_${PN} = "/init.d ${sysconfdir}"
 
-RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"
+RDEPENDS_${PN} = "keyutils ima-evm-keys ${IMA_POLICY}"
 RDEPENDS_${PN} += "initramfs-framework-base"
diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
index 8616f9924..cff26a335 100644
--- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
+++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
@@ -6,6 +6,7 @@ ima_enabled() {
     if [ "$bootparam_no_ima" = "true" ]; then
         return 1
     fi
+    return 0
 }
 
 ima_run() {
@@ -46,7 +47,7 @@ ima_run() {
     # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
     # checking the write of each line. To minimize the risk of policy loading going wrong we
     # also remove comments and blank lines ourselves.
-    if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then
+    if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima/ima-policy >/sys/kernel/security/ima/policy; then
         fatal "Could not load IMA policy."
     fi
 }