diff options
author | Andrew Geissler <geissonator@yahoo.com> | 2021-04-15 23:52:46 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2021-04-19 16:32:18 +0300 |
commit | f1e440673465aa768f31e78c0c201002f9f767b7 (patch) | |
tree | 44dffb1d845b35c3f4bf0629a622d8ae04abda41 /meta-security/meta-integrity | |
parent | 636aaa195862ab9a5442c3178e38266debab3bff (diff) | |
download | openbmc-f1e440673465aa768f31e78c0c201002f9f767b7.tar.xz |
meta-security: subtree update:775870980b..ca9264b1e1
Anton Antonov (4):
Use libest "main" branch instead of "master".
Add meta-parsec layer into meta-security.
Define secure images with parsec-service and parsec-tool included and add the images into gitlab CI
Clearly define clang toolchain in Parsec recipes
Armin Kuster (16):
packagegroup-core-security: drop clamav-cvd
clamav: upgrade 104.0
python3-privacyidea: upgrade 3.5.1 -> 3.5.2
clamav: fix systemd service install
swtpm: now need python-cryptography, pull in layer
swtpm: file pip3 issue
swtpm: fix check for tscd deamon on host
python3-suricata-update: update to 1.2.1
suricata: update to 6.0.2
layer.conf: add dynamic-layer for rust pkg
README: cleanup
.gitlab-ci.yml: reorder to speed up builds
kas-security-base.yml: tweek build vars
gitlab-ci: fine tune order
clamav: remove rest of mirror.dat ref
lkrg-module: Add Linux Kernel Runtime Guard
Ming Liu (2):
meta: drop IMA_POLICY from policy recipes
initramfs-framework-ima: introduce IMA_FORCE
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ifac35a0d7b7e724f1e30dce5f6634d5d4fc9b5b9
Diffstat (limited to 'meta-security/meta-integrity')
5 files changed, 18 insertions, 23 deletions
diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index 77f6f7cffa..6471c532c7 100644 --- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 # to this recipe can just point towards one of its own files. IMA_POLICY ?= "ima-policy-hashed" +# Force proceed IMA procedure even 'no_ima' boot parameter is available. +IMA_FORCE ?= "false" + SRC_URI = " file://ima" inherit features_check @@ -23,6 +26,8 @@ do_install () { install -d ${D}/${sysconfdir}/ima install -d ${D}/init.d install ${WORKDIR}/ima ${D}/init.d/20-ima + + sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima } FILES_${PN} = "/init.d ${sysconfdir}" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima index cff26a3352..897149494e 100644 --- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima @@ -2,11 +2,16 @@ # # Loads IMA policy into the kernel. +force_ima=@@FORCE_IMA@@ + ima_enabled() { - if [ "$bootparam_no_ima" = "true" ]; then + if [ "$force_ima" = "true" ]; then + return 0 + elif [ "$bootparam_no_ima" = "true" ]; then return 1 + else + return 0 fi - return 0 } ima_run() { diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb index da62a4cf8c..84ea16120e 100644 --- a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb @@ -2,19 +2,14 @@ SUMMARY = "IMA sample simple appraise policy " LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" -# This policy file will get installed as /etc/ima/ima-policy. -# It is located via the normal file search path, so a .bbappend -# to this recipe can just point towards one of its own files. -IMA_POLICY ?= "ima_policy_appraise_all" - -SRC_URI = " file://${IMA_POLICY}" +SRC_URI = " file://ima_policy_appraise_all" inherit features_check REQUIRED_DISTRO_FEATURES = "ima" do_install () { install -d ${D}/${sysconfdir}/ima - install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy + install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy } FILES_${PN} = "${sysconfdir}/ima" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb index ebb0426467..ff7169ef57 100644 --- a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb @@ -2,13 +2,8 @@ SUMMARY = "IMA sample hash policy" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" -# This policy file will get installed as /etc/ima/ima-policy. -# It is located via the normal file search path, so a .bbappend -# to this recipe can just point towards one of its own files. -IMA_POLICY ?= "ima_policy_hashed" - SRC_URI = " \ - file://${IMA_POLICY} \ + file://ima_policy_hashed \ " inherit features_check @@ -16,7 +11,7 @@ REQUIRED_DISTRO_FEATURES = "ima" do_install () { install -d ${D}/${sysconfdir}/ima - install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy + install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy } FILES_${PN} = "${sysconfdir}/ima" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb index cb4b6b8abc..0e56aec515 100644 --- a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb +++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb @@ -2,19 +2,14 @@ SUMMARY = "IMA sample simple policy" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" -# This policy file will get installed as /etc/ima/ima-policy. -# It is located via the normal file search path, so a .bbappend -# to this recipe can just point towards one of its own files. -IMA_POLICY ?= "ima_policy_simple" - -SRC_URI = " file://${IMA_POLICY}" +SRC_URI = " file://ima_policy_simple" inherit features_check REQUIRED_DISTRO_FEATURES = "ima" do_install () { install -d ${D}/${sysconfdir}/ima - install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy + install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy } FILES_${PN} = "${sysconfdir}/ima" |