From 8b1392834def7d17263b45bd1aab35759235fb3e Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 5 Mar 2021 15:22:30 -0600 Subject: meta-security: subtree update:6053e8b8e2..9504d02694 Armin Kuster (19): softhsm: drop pkg as meta-oe has it apparmor: Inherit python3targetconfig python3-suricata-update: Inherit python3targetconfig openscap: Inherit python3targetconfig scap-security-guide: Inherit python3targetconfig nikito: Update common-licenses references to match new names kas-security-base.yml: build setting updates kas-security-base.yml: drop DL_DIR arpwatch: upgrade 3.0 -> 3.1 checksec: upgrade 2.1.0 -> 2.4.0 ding-libs: upgrade 0.5.0 -> 0.6.1 fscryptctl: upgrade 0.1.0 -> 1.0.0 libseccomp: upgrade 2.5.0 -> 2.5.1 python3-privacyidea: upgrade 3.3 -> 3.5.1 python3-scapy: upgrade 2.4.3 -> 2.4.4 samhain: update to 4.4.3 opendnssec: update to 2.1.8 suricata: update to 4.10.0 python3-fail2ban: update to 0.11.2 Jate Sujjavanich (1): scap-security-guide: Fix openembedded platform tests and build Ming Liu (9): ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty initramfs-framework-ima: fix a wrong path ima-evm-keys: add recipe initramfs-framework-ima: RDEPENDS on ima-evm-keys meta: refactor IMA/EVM sign rootfs README.md: update according to the refactoring in ima-evm-rootfs.bbclass initramfs-framework-ima: let ima_enabled return 0 ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic Yi Zhao (1): ibmswtpm2: disable camellia algorithm Signed-off-by: Andrew Geissler Change-Id: Ic7dc6f5425a1493ac0534e10ed682662d109e60c --- .../recipes-core/initrdscripts/initramfs-framework-ima.bb | 2 +- .../recipes-core/initrdscripts/initramfs-framework-ima/ima | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'meta-security/meta-integrity/recipes-core') diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index dacdc8bf0..77f6f7cff 100644 --- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -27,5 +27,5 @@ do_install () { FILES_${PN} = "/init.d ${sysconfdir}" -RDEPENDS_${PN} = "keyutils ${IMA_POLICY}" +RDEPENDS_${PN} = "keyutils ima-evm-keys ${IMA_POLICY}" RDEPENDS_${PN} += "initramfs-framework-base" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima index 8616f9924..cff26a335 100644 --- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima @@ -6,6 +6,7 @@ ima_enabled() { if [ "$bootparam_no_ima" = "true" ]; then return 1 fi + return 0 } ima_run() { @@ -46,7 +47,7 @@ ima_run() { # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when # checking the write of each line. To minimize the risk of policy loading going wrong we # also remove comments and blank lines ourselves. - if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) /sys/kernel/security/ima/policy; then + if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) /sys/kernel/security/ima/policy; then fatal "Could not load IMA policy." fi } -- cgit v1.2.3