diff options
Diffstat (limited to 'meta-security/meta-integrity/recipes-security')
14 files changed, 545 insertions, 0 deletions
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch new file mode 100644 index 000000000..5ccb73d9b --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch @@ -0,0 +1,65 @@ +From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:08:43 +0300 +Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL + +There is no need to link to full libssl. evmctl uses functions from +libcrypto, so let's link only against that library. + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + configure.ac | 4 +--- + src/Makefile.am | 9 ++++----- + 2 files changed, 5 insertions(+), 8 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 60f3684..32e8d85 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -24,9 +24,7 @@ LT_INIT + # Checks for header files. + AC_HEADER_STDC + +-PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ]) +-AC_SUBST(OPENSSL_CFLAGS) +-AC_SUBST(OPENSSL_LIBS) ++PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ]) + AC_SUBST(KERNEL_HEADERS) + AC_CHECK_HEADER(unistd.h) + AC_CHECK_HEADERS(openssl/conf.h) +diff --git a/src/Makefile.am b/src/Makefile.am +index d74fc6f..b81281a 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -1,11 +1,11 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) ++libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +-libimaevm_la_LIBADD = $(OPENSSL_LIBS) ++libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS) + + include_HEADERS = imaevm.h + +@@ -17,12 +17,11 @@ hash_info.h: Makefile + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) ++evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) +-evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la ++evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la + + INCLUDES = -I$(top_srcdir) -include config.h + + CLEANFILES = hash_info.h + DISTCLEANFILES = @DISTCLEANFILES@ +- +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch new file mode 100644 index 000000000..8237274ca --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch @@ -0,0 +1,43 @@ +From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:17:12 +0300 +Subject: [PATCH 2/4] ima-evm-utils: replace INCLUDES with AM_CPPFLAGS + +Replace INCLUDES variable with AM_CPPFLAGS to stop Automake from warning +about deprecated variable usage. + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + src/Makefile.am | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index b81281a..164e7e4 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -1,7 +1,7 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) ++libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +@@ -17,11 +17,11 @@ hash_info.h: Makefile + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) ++evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) + evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la + +-INCLUDES = -I$(top_srcdir) -include config.h ++AM_CPPFLAGS = -I$(top_srcdir) -include config.h + + CLEANFILES = hash_info.h + DISTCLEANFILES = @DISTCLEANFILES@ +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch new file mode 100644 index 000000000..3d250d2fc --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch @@ -0,0 +1,31 @@ +From c587ec307a6259a990bfab727cea7db28dba4c23 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:22:30 +0300 +Subject: [PATCH 3/4] ima-evm-utils: include hash-info.gen into distribution + +Include hash-info.gen into tarball and call it from the sourcedir to fix +out-of-tree build (and thus 'make distcheck'). + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + src/Makefile.am | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index 164e7e4..9c037e2 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -11,8 +11,9 @@ include_HEADERS = imaevm.h + + nodist_libimaevm_la_SOURCES = hash_info.h + BUILT_SOURCES = hash_info.h ++EXTRA_DIST = hash_info.gen + hash_info.h: Makefile +- ./hash_info.gen $(KERNEL_HEADERS) >$@ ++ $(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@ + + bin_PROGRAMS = evmctl + +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch new file mode 100644 index 000000000..4ada1a271 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch @@ -0,0 +1,34 @@ +From b9f327c5c513ccea9cb56d4bbd50c1f66d629099 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:24:04 +0300 +Subject: [PATCH 4/4] ima-evm-utils: update .gitignore files + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + .gitignore | 1 + + src/.gitignore | 1 + + 2 files changed, 2 insertions(+) + create mode 100644 src/.gitignore + +diff --git a/.gitignore b/.gitignore +index ca7a06e..cb82166 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -45,6 +45,7 @@ cscope.* + ncscope.* + + # Generated documentation ++*.1 + *.8 + *.5 + manpage.links +diff --git a/src/.gitignore b/src/.gitignore +new file mode 100644 +index 0000000..38e8e3c +--- /dev/null ++++ b/src/.gitignore +@@ -0,0 +1 @@ ++hash_info.h +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch new file mode 100644 index 000000000..35c316270 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch @@ -0,0 +1,68 @@ +From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Fri, 30 Sep 2016 10:22:16 +0200 +Subject: [PATCH] command line: apply operation to all paths + +Previously, invocations like "evmctl ima_hash foo bar" silently +ignored all parameters after the first path name ("foo" in this +example). + +Now evmctl iterates over all specified paths. It aborts with an +error as soon as the selected operation fails for a path. + +Supporting more than one parameter is useful in combination with +"find" and "xargs" because it is noticably faster than invoking +evmutil separately for each file, in particular when run under pseudo +(a fakeroot environment used by the OpenEmbedded build system). + +This complements the recursive mode and can be used when more control +over file selection is needed. + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + src/evmctl.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 23cf54c..2072034 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type) + static int do_cmd(struct command *cmd, find_cb_t func) + { + char *path = g_argv[optind++]; +- int err, dts = REG_MASK; /* only regular files by default */ ++ int err = 0, dts = REG_MASK; /* only regular files by default */ + + if (!path) { + log_err("Parameters missing\n"); +@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func) + return -1; + } + +- if (recursive) { +- if (search_type) { +- dts = get_file_type(path, search_type); +- if (dts < 0) +- return dts; ++ while (path && !err) { ++ if (recursive) { ++ if (search_type) { ++ dts = get_file_type(path, search_type); ++ if (dts < 0) ++ return dts; ++ } ++ err = find(path, dts, func); ++ } else { ++ err = func(path); + } +- err = find(path, dts, func); +- } else { +- err = func(path); ++ path = g_argv[optind++]; + } + + return err; +-- +2.1.4 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch new file mode 100644 index 000000000..75076f52f --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch @@ -0,0 +1,50 @@ +From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 13 May 2015 03:41:02 -0700 +Subject: [PATCH] Makefile.am: disable man page creation + +Depends on asciidoc, which is not available. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + Makefile.am | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 06ebf59..4ddd52c 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1,5 +1,5 @@ + SUBDIRS = src +-dist_man_MANS = evmctl.1 ++# dist_man_MANS = evmctl.1 + + doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh + EXTRA_DIST = autogen.sh $(doc_DATA) +@@ -39,4 +39,21 @@ rmman: + + doc: evmctl.1.html rmman evmctl.1 + ++# requires asciidoc, xslproc, docbook-xsl ++# FIXME Disabled until docbook-xsl is unavaliable on tizen.org ++#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl ++# ++#evmctl.1.html: README ++# @asciidoc -o $@ $< ++# ++#evmctl.1: ++# asciidoc -d manpage -b docbook -o evmctl.1.xsl README ++# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl ++# rm -f evmctl.1.xsl ++# ++#rmman: ++# rm -f evmctl.1 ++# ++#doc: evmctl.1.html rmman evmctl.1 ++ + .PHONY: $(tarname) +-- +1.8.4.5 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch new file mode 100644 index 000000000..c0bdd9b49 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch @@ -0,0 +1,47 @@ +From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 17 Jun 2015 14:28:18 +0200 +Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines + +Compilation on older Linux distros (like Ubuntu 12.04) fails +because linux/xattr.h does not yet have the IMA defines. Compiling +there makes sense when only the tools are needed, for example when +signing an image in cross-compile mode. + +To support this, add fallbacks for the two defines which are needed. +Their value is part of the Linux ABI and thus fixed. + +Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + +--- + src/evmctl.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/evmctl.c b/src/evmctl.c +index c54efbb..23cf54c 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -56,6 +56,18 @@ + #include <ctype.h> + #include <termios.h> + ++/* ++ * linux/xattr.h might be old to have this. Allow compilation on older ++ * Linux distros (like Ubuntu 12.04) by falling back to our own ++ * definition. ++ */ ++#ifndef XATTR_IMA_SUFFIX ++# define XATTR_IMA_SUFFIX "ima" ++#endif ++#ifndef XATTR_NAME_IMA ++# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX ++#endif ++ + #include <openssl/sha.h> + #include <openssl/pem.h> + #include <openssl/hmac.h> +-- +2.1.4 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb new file mode 100644 index 000000000..929d85348 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb @@ -0,0 +1,41 @@ +DESCRIPTION = "IMA/EVM control utility" +LICENSE = "GPL-2.0-with-OpenSSL-exception" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +DEPENDS += "openssl attr keyutils" + +DEPENDS_class-native += "openssl-native keyutils-native" + +PV = "1.0+git${SRCPV}" +SRCREV = "0267fa16990fd0ddcc89984a8e55b27d43e80167" +SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils" + +# Documentation depends on asciidoc, which we do not have, so +# do not build documentation. +SRC_URI += "file://disable-doc-creation.patch" + +# Workaround for upstream incompatibility with older Linux distros. +# Relevant for us when compiling ima-evm-utils-native. +SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch" + +# Required for xargs with more than one path as argument (better for performance). +SRC_URI += "file://command-line-apply-operation-to-all-paths.patch" + +SRC_URI += "\ + file://0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch \ + file://0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch \ + file://0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch \ + file://0004-ima-evm-utils-update-.gitignore-files.patch \ +" +S = "${WORKDIR}/git" + +inherit pkgconfig autotools + +EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}" + +# blkid is called by evmctl when creating evm checksums. +# This is less useful when signing files on the build host, +# so disable it when compiling on the host. +RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all new file mode 100644 index 000000000..36e71a7d6 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all @@ -0,0 +1,29 @@ +# +# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything) +# +# Do not measure anything, but appraise everything +# +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 + +appraise diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb new file mode 100644 index 000000000..b58d3fed9 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb @@ -0,0 +1,18 @@ +SUMMARY = "IMA sample simple appraise policy " +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_appraise_all" + +SRC_URI = " file://${IMA_POLICY}" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed new file mode 100644 index 000000000..7f89c8d98 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed @@ -0,0 +1,77 @@ +# With this policy, all files on regular partitions are +# appraised. Files with signed IMA hash and normal hash are +# accepted. Signed files cannot be modified while hashed files can be +# (which will also update the hash). However, signed files can +# be deleted, so in practice it is still possible to replace them +# with a modified version. +# +# Without EVM, this is obviously not very secure, so this policy is +# just an example and/or basis for further improvements. For that +# purpose, some comments show what could be added to make the policy +# more secure. +# +# With EVM the situation might be different because access +# to the EVM key can be restricted. +# +# Files which are appraised are also measured. This allows +# debugging whether a file is in policy by looking at +# /sys/kernel/security/ima/ascii_runtime_measurements + +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +dont_measure fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +dont_measure fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +dont_measure fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +dont_measure fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +dont_measure fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +dont_measure fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +dont_measure fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +dont_measure fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +dont_measure fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +dont_measure fsmagic=0x6e736673 +# SMACK_MAGIC +dont_appraise fsmagic=0x43415d53 +dont_measure fsmagic=0x43415d53 +# CGROUP_SUPER_MAGIC +dont_appraise fsmagic=0x27e0eb +dont_measure fsmagic=0x27e0eb +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 +dont_measure fsmagic=0xde5e81e4 + +# Special partition, no checking done. +# dont_measure fsuuid=a11234... +# dont_appraise fsuuid=a11243... + +# Special immutable group. +# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200 + +# All executables must be signed - too strict, we need to +# allow installing executables on the device. +# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC +# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC + +# Default rule. Would be needed also when other rules were added that +# determine what to do in case of reading (mask=MAY_READ or +# mask=MAY_EXEC) because otherwise writing does not update the file +# hash. +appraise +measure diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb new file mode 100644 index 000000000..3352daa03 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb @@ -0,0 +1,20 @@ +SUMMARY = "IMA sample hash policy" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_hashed" + +SRC_URI = " \ + file://${IMA_POLICY} \ +" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple b/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple new file mode 100644 index 000000000..38ca8f53d --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple @@ -0,0 +1,4 @@ +# Very simple policy demonstrating the systemd policy loading bug +# (policy with one line works, two lines don't). +dont_appraise fsmagic=0x9fa0 +dont_appraise fsmagic=0x62656572 diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb new file mode 100644 index 000000000..17132aa22 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb @@ -0,0 +1,18 @@ +SUMMARY = "IMA sample simple policy" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_simple" + +SRC_URI = " file://${IMA_POLICY}" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" |