[yocto] [meta-security][PATCH 00/14] Port over meta-integrity
Copied meta-integrity from meta-intel-iot-security that Intel created, to carry on maintenance. This update that code base to work on master. runtime test passes on Arm H/w and qemux86-64 Armin Kuster (14): meta-integrity: port over from meta-intel-iot-security layer.conf: add LAYERSERIES_COMPAT README: update ima-evm-utils: cleanup and update to tip ima.cfg: update to 5.0 kernel linux: update bbappend base-files: add appending to automount securityfs ima-policy-hashed: add new recipe ima_policy_simple: add another sample policy policy: add ima appraise all policy data: remove policies initramfs: clean up to pull in packages. runtime qa: moderize ima test image: add image for testing meta-integrity/README.md | 250 ++ meta-integrity/classes/ima-evm-rootfs.bbclass | 92 +++ meta-integrity/conf/layer.conf| 24 ++ .../data/debug-keys/privkey_ima.pem | 16 ++ meta-integrity/data/debug-keys/x509_ima.der | Bin 0 -> 707 bytes meta-integrity/lib/oeqa/runtime/cases/ima.py | 129 + .../base-files/base-files-ima.inc | 5 + .../base-files/base-files_%.bbappend | 1 + .../images/integrity-image-minimal.bb | 22 ++ .../initrdscripts/initramfs-framework-ima.bb | 28 ++ .../initrdscripts/initramfs-framework-ima/ima | 52 .../packagegroup-ima-evm-utils.bb | 9 + .../systemd/files/machine-id-commit-sync.conf | 2 + .../systemd/files/random-seed-sync.conf | 3 + .../recipes-core/systemd/systemd_%.bbappend | 13 + .../recipes-kernel/linux/linux-%.bbappend | 3 + .../0001-ima-fix-ima_inode_post_setattr.patch | 51 ...for-creating-files-using-the-mknodat.patch | 138 ++ ...-file-hash-setting-by-user-to-fix-an.patch | 60 + .../recipes-kernel/linux/linux/ima.cfg| 18 ++ .../linux/linux/ima_evm_root_ca.cfg | 3 + ...link-to-libcrypto-instead-of-OpenSSL.patch | 65 + ...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch | 43 +++ ...clude-hash-info.gen-into-distributio.patch | 31 +++ ...ma-evm-utils-update-.gitignore-files.patch | 34 +++ ...nd-line-apply-operation-to-all-paths.patch | 68 + 
.../ima-evm-utils/disable-doc-creation.patch | 50 ...t-depend-on-xattr.h-with-IMA-defines.patch | 47 .../ima-evm-utils/ima-evm-utils_git.bb| 41 +++ .../files/ima_policy_appraise_all | 29 ++ .../ima-policy-appraise-all_1.0.bb| 18 ++ .../ima_policy_hashed/files/ima_policy_hashed | 77 ++ .../ima-policy-hashed_1.0.bb | 20 ++ .../ima_policy_simple/files/ima_policy_simple | 4 + .../ima-policy-simple_1.0.bb | 18 ++ meta-integrity/scripts/ima-gen-CA-signed.sh | 48 meta-integrity/scripts/ima-gen-local-ca.sh| 42 +++ meta-integrity/scripts/ima-gen-self-signed.sh | 41 +++ 38 files changed, 1595 insertions(+) create mode 100644 meta-integrity/README.md create mode 100644 meta-integrity/classes/ima-evm-rootfs.bbclass create mode 100644 meta-integrity/conf/layer.conf create mode 100644 meta-integrity/data/debug-keys/privkey_ima.pem create mode 100644 meta-integrity/data/debug-keys/x509_ima.der create mode 100644 meta-integrity/lib/oeqa/runtime/cases/ima.py create mode 100644 meta-integrity/recipes-core/base-files/base-files-ima.inc create mode 100644 meta-integrity/recipes-core/base-files/base-files_%.bbappend create mode 100644 meta-integrity/recipes-core/images/integrity-image-minimal.bb create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima create mode 100644 meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb create mode 100644 meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf create mode 100644 meta-integrity/recipes-core/systemd/files/random-seed-sync.conf create mode 100644 meta-integrity/recipes-core/systemd/systemd_%.bbappend create mode 100644 meta-integrity/recipes-kernel/linux/linux-%.bbappend create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch create mode 100644 
meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch create mode 100644 meta-integrity/recipes-securit
[yocto] [meta-security][PATCH 02/14] layer.conf: add LAYERSERIES_COMPAT
Signed-off-by: Armin Kuster --- meta-integrity/conf/layer.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf index e8bb268..2f696cf 100644 --- a/meta-integrity/conf/layer.conf +++ b/meta-integrity/conf/layer.conf @@ -20,3 +20,5 @@ IMA_EVM_BASE := '${LAYERDIR}' # dependent on location of the layer). Exporting it to just the # interactive shell is enough. OE_TERMINAL_EXPORTS += "IMA_EVM_BASE" + +LAYERSERIES_COMPAT_integrity = "warrior" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 03/14] README: update
Signed-off-by: Armin Kuster --- meta-integrity/README.md | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/meta-integrity/README.md b/meta-integrity/README.md index ba96d8e..5bef76e 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md @@ -24,12 +24,9 @@ This layer depends on: Patches === -Please submit any patches against the integrity layer via Github -pull requests. - For discussion or patch submission via email, use the yocto@yoctoproject.org mailing list. When submitting patches that way, -make sure to copy the maintainer and add a "[meta-]" +make sure to copy the maintainer and add a "[meta-integrity]" prefix to the subject of the mails. Maintainer: Armin Kuster -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 05/14] ima.cfg: update to 5.0 kernel
Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux/ima.cfg| 28 ++- .../linux/linux/ima_evm_root_ca.cfg | 6 ++-- 2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
index 02381aa..b3e47ba 100644
--- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
@@ -1,16 +1,18 @@
-# Enable bare minimum IMA measurement and appraisal as needed by this layer.
-
-CONFIG_SECURITY=y
-CONFIG_INTEGRITY=y
-
-# measurement
 CONFIG_IMA=y
-
-# appraisal
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+CONFIG_IMA_DEFAULT_HASH="sha1"
 CONFIG_IMA_APPRAISE=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-
-# Kernel will get built with embedded X.509 root CA key and all keys
-# need to be signed with that.
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
 CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_SIGNATURE=y
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+
+#CONFIG_INTEGRITY_SIGNATURE=y
+#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#CONFIG_INTEGRITY_TRUSTED_KEYRING=y
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
index 7338232..9a45425 100644
--- a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
@@ -1,3 +1,3 @@
-CONFIG_KEYS=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
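Review bot: The new ima.cfg keeps `CONFIG_IMA_TRUSTED_KEYRING=y` and adds `CONFIG_IMA_LOAD_X509=y` while turning `CONFIG_INTEGRITY_SIGNATURE=y` and `CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y` into comments; in the kernel's Kconfig the .ima keyring and X.509 loading depend on the integrity asymmetric-key support, so unless the base defconfig already enables it the merged .config may drop the keyring lines and appraisal would quietly become hash-only (the config-fragment merge warnings are the place to check). If the three commented lines are meant to come from the distro kernel config, a comment above them saying so, e.g. `# expected from the base defconfig; listed here for reference`, makes the intent explicit; otherwise they should stay enabled. Separately, `CONFIG_IMA_DEFAULT_HASH_SHA1=y` / `CONFIG_IMA_DEFAULT_HASH="sha1"` pins the measurement list to SHA-1; with `CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"` already set, `CONFIG_IMA_DEFAULT_HASH_SHA256=y` / `CONFIG_IMA_DEFAULT_HASH="sha256"` is the stronger default, and the runtime test in patch 13/14 (which compares against `sha1sum` in lib/oeqa/runtime/cases/ima.py) would need to follow.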
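Review bot: The rewritten ima_evm_root_ca.cfg removes `CONFIG_KEYS=y`, `CONFIG_SYSTEM_TRUSTED_KEYRING=y` and `CONFIG_SYSTEM_TRUSTED_KEYS=""` and adds `CONFIG_EVM_LOAD_X509=y` / `CONFIG_EVM_X509_PATH=...`, but no `CONFIG_EVM=y` appears in any fragment visible in this series, so whether the EVM lines take effect depends on the base kernel config. If that reliance is intentional, a one-line comment such as `# CONFIG_EVM and the system trusted keyring are expected from the base kernel config` would save the next reader a config-merge round trip. The file name still says root CA, yet nothing left in it concerns the system trusted keyring; a short header comment stating what the fragment now configures would help.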
[yocto] [meta-security][PATCH 04/14] ima-evm-utils: cleanup and update to tip
update to tip backported patches to fix build issues. fix native support Signed-off-by: Armin Kuster --- .../ima-evm-utils/ima-evm-utils.inc | 19 -- ...link-to-libcrypto-instead-of-OpenSSL.patch | 65 +++ ...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch | 43 ...clude-hash-info.gen-into-distributio.patch | 31 + ...ma-evm-utils-update-.gitignore-files.patch | 34 ++ .../ima-evm-utils/ima-evm-utils_git.bb| 30 - 6 files changed, 200 insertions(+), 22 deletions(-) delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc deleted file mode 100644 index 72a13f7..000 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc +++ /dev/null @@ -1,19 +0,0 @@ -DESCRIPTION = "IMA/EVM control utility" -LICENSE = "GPL-2.0-with-OpenSSL-exception" -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" - -DEPENDS = " \ -openssl \ -attr \ -keyutils \ -pkgconfig \ -" - -# blkid is called by evmctl when creating evm checksums. -# This is less useful when signing files on the build host, -# so disable it when compiling on the host. -RDEPENDS_${PN}_append_class-target = " util-linux-blkid" - -inherit autotools - -BBCLASSEXTEND = "native" 
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch new file mode 100644 index 000..5ccb73d --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch 
@@ -0,0 +1,65 @@ +From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Wed, 6 Mar 2019 01:08:43 +0300 +Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL + +There is no need to link to full libssl. evmctl uses functions from +libcrypto, so let's link only against that library. + +Signed-off-by: Dmitry Eremin-Solenikov +--- + configure.ac| 4 +--- + src/Makefile.am | 9 - + 2 files changed, 5 insertions(+), 8 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 60f3684..32e8d85 100644 +--- a/configure.ac b/configure.ac +@@ -24,9 +24,7 @@ LT_INIT + # Checks for header files. + AC_HEADER_STDC + +-PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ]) +-AC_SUBST(OPENSSL_CFLAGS) +-AC_SUBST(OPENSSL_LIBS) ++PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ]) + AC_SUBST(KERNEL_HEADERS) + AC_CHECK_HEADER(unistd.h) + AC_CHECK_HEADERS(openssl/conf.h) +diff --git a/src/Makefile.am b/src/Makefile.am +index d74fc6f..b81281a 100644 +--- a/src/Makefile.am b/src/Makefile.am +@@ -1,11 +1,11 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) ++libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +-libimaevm_la_LIBADD = $(OPENSSL_LIBS) ++libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS) + + include_HEADERS = imaevm.h + +@@ -17,12 +17,11 @@ hash_info.h: Makefile + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) ++evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) +-evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la ++evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la + + INCLUDES = -I$(top_srcdir) -include config.h + + CLEANFILES = hash_info.h + DISTCLEANFILES = @DISTCLEANFILES@ +- +-- +2.17.1 + 
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch new file mode 100644 index 000..8237274 --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch @@ -0,0 +1,43 @@ +From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Wed, 6 Mar 2019 01:17:12 +0300 +Subject: [PATCH
[yocto] [meta-security][PATCH 01/14] meta-integrity: port over from meta-intel-iot-security
Signed-off-by: Armin Kuster --- meta-integrity/README.md | 253 ++ meta-integrity/classes/ima-evm-rootfs.bbclass | 92 +++ meta-integrity/conf/layer.conf| 22 ++ .../data/debug-keys/privkey_ima.pem | 16 ++ meta-integrity/data/debug-keys/x509_ima.der | Bin 0 -> 707 bytes meta-integrity/data/ima_policy_appraise_all | 29 ++ meta-integrity/data/ima_policy_hashed | 77 ++ meta-integrity/data/ima_policy_simple | 4 + meta-integrity/lib/oeqa/runtime/__init__.py | 0 meta-integrity/lib/oeqa/runtime/ima.py| 82 ++ .../initrdscripts/initramfs-framework-ima.bb | 32 +++ .../initrdscripts/initramfs-framework-ima/ima | 52 .../packagegroup-ima-evm-utils.bb | 9 + .../systemd/files/machine-id-commit-sync.conf | 2 + .../systemd/files/random-seed-sync.conf | 3 + .../recipes-core/systemd/systemd_%.bbappend | 13 + .../recipes-kernel/linux/linux-%.bbappend | 116 .../0001-ima-fix-ima_inode_post_setattr.patch | 51 ...for-creating-files-using-the-mknodat.patch | 138 ++ ...-file-hash-setting-by-user-to-fix-an.patch | 60 + .../recipes-kernel/linux/linux/ima.cfg| 16 ++ .../linux/linux/ima_evm_root_ca.cfg | 3 + .../ima-evm-utils/ima-evm-utils.inc | 19 ++ ...nd-line-apply-operation-to-all-paths.patch | 68 + .../ima-evm-utils/disable-doc-creation.patch | 50 ...t-depend-on-xattr.h-with-IMA-defines.patch | 47 .../ima-evm-utils/ima-evm-utils_git.bb| 17 ++ meta-integrity/scripts/ima-gen-CA-signed.sh | 48 meta-integrity/scripts/ima-gen-local-ca.sh| 42 +++ meta-integrity/scripts/ima-gen-self-signed.sh | 41 +++ 30 files changed, 1402 insertions(+) create mode 100644 meta-integrity/README.md create mode 100644 meta-integrity/classes/ima-evm-rootfs.bbclass create mode 100644 meta-integrity/conf/layer.conf create mode 100644 meta-integrity/data/debug-keys/privkey_ima.pem create mode 100644 meta-integrity/data/debug-keys/x509_ima.der create mode 100644 meta-integrity/data/ima_policy_appraise_all create mode 100644 meta-integrity/data/ima_policy_hashed create mode 100644 meta-integrity/data/ima_policy_simple 
create mode 100644 meta-integrity/lib/oeqa/runtime/__init__.py create mode 100644 meta-integrity/lib/oeqa/runtime/ima.py create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima create mode 100644 meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb create mode 100644 meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf create mode 100644 meta-integrity/recipes-core/systemd/files/random-seed-sync.conf create mode 100644 meta-integrity/recipes-core/systemd/systemd_%.bbappend create mode 100644 meta-integrity/recipes-kernel/linux/linux-%.bbappend create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb create mode 100755 meta-integrity/scripts/ima-gen-CA-signed.sh create mode 100755 meta-integrity/scripts/ima-gen-local-ca.sh create mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh 
diff --git a/meta-integrity/README.md b/meta-integrity/README.md new file mode 100644 index 000..ba96d8e --- /dev/null +++ b/meta-integrity/README.md @@ -0,0 +1,253 @@ +This README file contains information on the contents of the +integrity layer. + +Please see the corresponding sections below for details. + + +Dependencies + + +This layer depends on: + +URI: git://git.openembedded.org/bitbake +branch: master + +URI: git://git.openembedded.org/openembedded-core +layers: meta +branch: master + +URI: git://github.com/01org/meta-security/meta-integrate +layers: security-framework +branch: master + + +Patches +=== + +Please submit any patches against the integrity layer via Github +p
[yocto] [meta-security][PATCH 07/14] base-files: add appending to automount securityfs
Signed-off-by: Armin Kuster --- meta-integrity/recipes-core/base-files/base-files-ima.inc| 5 + meta-integrity/recipes-core/base-files/base-files_%.bbappend | 1 + 2 files changed, 6 insertions(+) create mode 100644 meta-integrity/recipes-core/base-files/base-files-ima.inc create mode 100644 meta-integrity/recipes-core/base-files/base-files_%.bbappend
diff --git a/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-integrity/recipes-core/base-files/base-files-ima.inc
new file mode 100644
index 000..7e9e210
--- /dev/null
+++ b/meta-integrity/recipes-core/base-files/base-files-ima.inc
@@ -0,0 +1,5 @@
+# Append iversion option for auto types
+do_install_append() {
+sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab"
+echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab"
+}
diff --git a/meta-integrity/recipes-core/base-files/base-files_%.bbappend b/meta-integrity/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 000..c006f0e
--- /dev/null
+++ b/meta-integrity/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'base-files-ima.inc', '', d)}
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
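Review bot: The `sed` on the first line of `do_install_append` only adds `iversion` to fstab entries whose type is literally `auto` followed by `defaults`; an entry with an explicit filesystem type or extra mount options is left untouched, and on such a filesystem IMA would not notice file modifications and re-hash them (assuming i_version is not already on by default for that filesystem on this kernel). That scope should be stated in the comment, e.g. `# Only 'auto ... defaults' entries (base-files' default root line) get iversion; entries with an explicit type must add it themselves`. The securityfs line is appended with `>>` into a fresh `${D}`, which is fine, but a note that the mount is needed for sysvinit images (systemd mounts securityfs itself) would explain why it is unconditional.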
[yocto] [meta-security][PATCH 10/14] policy: add ima appraise all policy
Signed-off-by: Armin Kuster --- .../files/ima_policy_appraise_all | 29 +++ .../ima-policy-appraise-all_1.0.bb| 18 2 files changed, 47 insertions(+) create mode 100644 meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all create mode 100644 meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
new file mode 100644
index 000..36e71a7
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -0,0 +1,29 @@
+#
+# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
+#
+# Do not measure anything, but appraise everything
+#
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+# BIFMT
+dont_appraise fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+# SELINUXFS_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
+dont_appraise fsmagic=0x6e736673
+# EFIVARFS_MAGIC
+dont_appraise fsmagic=0xde5e81e4
+
+appraise
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
new file mode 100644
index 000..b58d3fe
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
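Review bot: The exemption list in ima_policy_appraise_all is shorter than the one in ima_policy_hashed from patch 08/14: SMACK_MAGIC (`0x43415d53`) and CGROUP_SUPER_MAGIC (`0x27e0eb`) have no `dont_appraise` rule here, so with the trailing `appraise` reads of cgroup or smackfs files would be appraised and, carrying no security.ima xattr, are likely to be refused in enforce mode, which on a systemd image can break boot. Adding `# CGROUP_SUPER_MAGIC` / `dont_appraise fsmagic=0x27e0eb` and the matching SMACK pair keeps the two sample policies consistent. The final `appraise` has no `appraise_type=imasig`, so a file carrying only a hash in security.ima passes; the header comment promising to "appraise everything" should say that hash-only files are accepted unless signatures are required by kernel config or boot parameter.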
@@ -0,0 +1,18 @@
+SUMMARY = "IMA sample simple appraise policy "
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_appraise_all"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+do_install () {
+install -d ${D}/${sysconfdir}/ima
+install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
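Review bot: `install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy` in `do_install` passes no mode, so the policy is installed with install's default 0755; it is a data file and should be `install -m 0644 ${WORKDIR}/${IMA_POLICY} ${D}${sysconfdir}/ima/ima-policy`. The same line appears in ima-policy-hashed_1.0.bb (patch 08/14) and presumably in the ima-policy-simple recipe of patch 09/14, which is not shown here. `${D}/${sysconfdir}` yields a double slash since `sysconfdir` is absolute; `${D}${sysconfdir}` is the usual spelling. `SUMMARY = "IMA sample simple appraise policy "` carries a trailing space and says "simple" for what is the appraise-all policy; `SUMMARY = "IMA sample appraise-all policy"` would match the recipe.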
[yocto] [meta-security][PATCH 08/14] ima-policy-hashed: add new recipe
Signed-off-by: Armin Kuster --- .../ima_policy_hashed/files/ima_policy_hashed | 77 +++ .../ima-policy-hashed_1.0.bb | 20 + 2 files changed, 97 insertions(+) create mode 100644 meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed create mode 100644 meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb diff --git a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed new file mode 100644 index 000..7f89c8d --- /dev/null +++ b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed 
@@ -0,0 +1,77 @@
+# With this policy, all files on regular partitions are
+# appraised. Files with signed IMA hash and normal hash are
+# accepted. Signed files cannot be modified while hashed files can be
+# (which will also update the hash). However, signed files can
+# be deleted, so in practice it is still possible to replace them
+# with a modified version.
+#
+# Without EVM, this is obviously not very secure, so this policy is
+# just an example and/or basis for further improvements. For that
+# purpose, some comments show what could be added to make the policy
+# more secure.
+#
+# With EVM the situation might be different because access
+# to the EVM key can be restricted.
+#
+# Files which are appraised are also measured. This allows
+# debugging whether a file is in policy by looking at
+# /sys/kernel/security/ima/ascii_runtime_measurements
+
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+dont_measure fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+dont_measure fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+dont_measure fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+dont_measure fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+dont_measure fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+dont_measure fsmagic=0x1cd1
+# BIFMT
+dont_appraise fsmagic=0x42494e4d
+dont_measure fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+dont_measure fsmagic=0x73636673
+# SELINUXFS_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+dont_measure fsmagic=0xf97cff8c
+# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
+dont_appraise fsmagic=0x6e736673
+dont_measure fsmagic=0x6e736673
+# SMACK_MAGIC
+dont_appraise fsmagic=0x43415d53
+dont_measure fsmagic=0x43415d53
+# CGROUP_SUPER_MAGIC
+dont_appraise fsmagic=0x27e0eb
+dont_measure fsmagic=0x27e0eb
+# EFIVARFS_MAGIC
+dont_appraise fsmagic=0xde5e81e4
+dont_measure fsmagic=0xde5e81e4
+
+# Special partition, no checking done.
+# dont_measure fsuuid=a11234...
+# dont_appraise fsuuid=a11243...
+
+# Special immutable group.
+# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
+
+# All executables must be signed - too strict, we need to
+# allow installing executables on the device.
+# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
+# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
+
+# Default rule. Would be needed also when other rules were added that
+# determine what to do in case of reading (mask=MAY_READ or
+# mask=MAY_EXEC) because otherwise writing does not update the file
+# hash.
+appraise
+measure
diff --git a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
new file mode 100644
index 000..3352daa
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -0,0 +1,20 @@
+SUMMARY = "IMA sample hash policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_hashed"
+
+SRC_URI = " \
+file://${IMA_POLICY} \
+"
+
+do_install () {
+install -d ${D}/${sysconfdir}/ima
+install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
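Review bot: The pseudo-filesystem exemptions in ima_policy_hashed stop at cgroup v1 (`CGROUP_SUPER_MAGIC`, 0x27e0eb); a 5.0 kernel booted with systemd normally also mounts the unified hierarchy, whose `CGROUP2_SUPER_MAGIC` (0x63677270) is not listed, so those files fall through to the default `appraise` / `measure` rules and are likely to fail appraisal for lack of a security.ima xattr. Adding `# CGROUP2_SUPER_MAGIC` followed by `dont_appraise fsmagic=0x63677270` and `dont_measure fsmagic=0x63677270` beside the cgroup v1 block closes that gap; the appraise-all policy in patch 10/14 has the same omission. The header comment is candid that hash-only acceptance is weak without EVM, which is the right thing to keep; it could add one line pointing at `appraise_type=imasig` as the knob that turns it off.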
[yocto] [meta-security][PATCH 13/14] runtime qa: moderize ima test
Signed-off-by: Armin Kuster --- meta-integrity/lib/oeqa/runtime/__init__.py | 0 meta-integrity/lib/oeqa/runtime/cases/ima.py | 129 +++ meta-integrity/lib/oeqa/runtime/ima.py | 82 3 files changed, 129 insertions(+), 82 deletions(-) delete mode 100644 meta-integrity/lib/oeqa/runtime/__init__.py create mode 100644 meta-integrity/lib/oeqa/runtime/cases/ima.py delete mode 100644 meta-integrity/lib/oeqa/runtime/ima.py diff --git a/meta-integrity/lib/oeqa/runtime/__init__.py b/meta-integrity/lib/oeqa/runtime/__init__.py deleted file mode 100644 index e69de29..000 diff --git a/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-integrity/lib/oeqa/runtime/cases/ima.py new file mode 100644 index 000..0c8617a --- /dev/null +++ b/meta-integrity/lib/oeqa/runtime/cases/ima.py 
@@ -0,0 +1,129 @@ +#!/usr/bin/env python +# +# Authors: Cristina Moraru +# Alexandru Cornea + +import string +from time import sleep +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature +from oeqa.core.decorator.data import skipIfDataVar, skipIfNotDataVar +import bb +blacklist = ["/usr/bin/uz", "/bin/su.shadow"] + +class IMACheck(OERuntimeTestCase): + +@classmethod +def setUpClass(cls): +locations = ["/bin", "/usr/bin"] +cls.binaries = [] +for l in locations: +status, output = cls.tc.target.run("find %s -type f" % l) +cls.binaries.extend(output.split("\n")) + +cls.total = len(cls.binaries) + + +@OETestDepends(['ssh.SSHTest.test_ssh']) +def test_ima_enabled(self): +''' Test if IMA policy is loaded before systemd starts''' + +ima_search = "ima: " +systemd_search = "systemd .* running" +status, output = self.target.run("dmesg | grep -n '%s'" % ima_search) +self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search) + + +@skipIfNotFeature('systemd', + 'Test requires systemd to be in DISTRO_FEATURES') +@skipIfNotDataVar('VIRTUAL-RUNTIME_init_manager', 'systemd', + 'systemd is not the init manager for this image') +@OETestDepends(['ima.IMACheck.test_ima_enabled']) +def test_ima_before_systemd(self): +''' Test if IMA policy is loaded before systemd starts''' +ima_search = "ima: " +systemd_search = "systemd .* running" +status, output = self.target.run("dmesg | grep -n '%s'" % ima_search) +self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search) +ima_id = int(output.split(":")[0]) +status, output = self.target.run("dmesg | grep -n '%s'" % systemd_search) +self.assertEqual(status, 0, "Did not find '%s' in dmesg" % systemd_search) +init_id = int(output.split(":")[0]) +if ima_id > init_id: +self.fail("IMA does not start before systemd") + + 
+@OETestDepends(['ima.IMACheck.test_ima_enabled']) +def test_ima_hash(self): +''' Test if IMA stores correct file hash ''' +filename = "/etc/filetest" +ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements" +status, output = self.target.run("echo test > %s" % filename) +self.assertEqual(status, 0, "Cannot create file %s on target" % filename) + +# wait for the IMA system to update the entry +maximum_tries = 30 +tries = 0 +status, output = self.target.run("sha1sum %s" %filename) +sleep(2) +current_hash = output.split()[0] +ima_hash = "" + +while tries < maximum_tries: +status, output = self.target.run("cat %s | grep %s" \ +% (ima_measure_file, filename)) +# get last entry, 4th field +if status == 0: +tokens = output.split("\n")[-1].split()[3] +ima_hash = tokens.split(":")[1] +if ima_hash == current_hash: +break + +tries += 1 +sleep(1) + +# clean target +self.target.run("rm %s" % filename) +if ima_hash != current_hash: +self.fail("Hash stored by IMA does not match actual hash") + + +@OETestDepends(['ima.IMACheck.test_ima_enabled']) +def test_ima_signature(self): +''' Test if IMA stores correct signature for system binaries''' +passed = 0 +failed = 0 +for b in self.binaries: +if b in blacklist: +continue +status, output = self.target.run("evmctl ima_verify %s" % b) +if status != 0: +failed += 1 +else: +passed += 1 + +if failed == self.total: + self.fail("Signature verifications failed (%s)" % self.total) + +#bb.warn("pass: %s, fail: %s, Total:
[yocto] [meta-security][PATCH 09/14] ima_policy_simple: add another sample policy
Signed-off-by: Armin Kuster
---
 .../ima_policy_simple/files/ima_policy_simple | 4
 .../ima_policy_simple/ima-policy-simple_1.0.bb | 18 ++
 2 files changed, 22 insertions(+)
 create mode 100644 meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
 create mode 100644 meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
diff --git a/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple b/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
new file mode 100644
index 000..38ca8f5
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
@@ -0,0 +1,4 @@
+# Very simple policy demonstrating the systemd policy loading bug
+# (policy with one line works, two lines don't).
+dont_appraise fsmagic=0x9fa0
+dont_appraise fsmagic=0x62656572
diff --git a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
new file mode 100644
index 000..17132aa
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "IMA sample simple policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_simple"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+do_install () {
+install -d ${D}/${sysconfdir}/ima
+install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
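Review bot: files/ima_policy_simple carries only two `dont_appraise` rules and no `appraise` or `measure` rule, yet the recipe installs it as /etc/ima/ima-policy, so as far as I can tell a system that loads this policy appraises and measures nothing; that is acceptable for a bug reproducer, but the header comment only describes the bug and should say so. I would replace the two comment lines with `# Reproducer for the systemd policy loading bug (a one-rule policy loads, a two-rule policy does not).` and `# Not a usable policy: it has no appraise/measure rule, so nothing is checked.` The do_install in ima-policy-simple_1.0.bb has the same bare `install` mode issue noted on ima-policy-hashed_1.0.bb (PATCH 08/14).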
[yocto] [meta-security][PATCH 14/14] image: add image for testing
Signed-off-by: Armin Kuster
---
 .../images/integrity-image-minimal.bb | 22 +++
 1 file changed, 22 insertions(+)
 create mode 100644 meta-integrity/recipes-core/images/integrity-image-minimal.bb
diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
new file mode 100644
index 000..6ed724d
--- /dev/null
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -0,0 +1,22 @@
+DESCRIPTION = "An image as an exmaple for Ima support"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+
+IMAGE_INSTALL = "\
+packagegroup-base \
+packagegroup-core-boot \
+packagegroup-ima-evm-utils \
+os-release"
+
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "integrity-image-minimal"
+
+INHERIT += "ima-evm-rootfs"
+IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+
+QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
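Review bot: `ima_appraise=fix` on the QB_KERNEL_CMDLINE_APPEND_append line puts IMA into fix mode, where appraisal failures are not enforced and, as I understand it, missing or stale security.ima values are rewritten on access, so this image cannot demonstrate enforcement and a verification test can pass regardless of what the files carry; a comment such as `# ima_appraise=fix: not enforcing, bring-up/testing only` above that line would make the intent explicit. IMA_EVM_KEY_DIR points at the layer's data/debug-keys, a key set that ships with the layer itself, which deserves a comment next to the assignment so the image is not mistaken for a build signed with a private key. `INHERIT += "ima-evm-rootfs"` is, as far as I know, honoured only in configuration files; inside a recipe the form that takes effect is `inherit ima-evm-rootfs`, so it is worth confirming that the rootfs signing step actually ran for this image. DESCRIPTION also has the typo "exmaple".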
[yocto] [meta-security][PATCH 06/14] linux: update bbappend
remove untested code Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux-%.bbappend | 117 +- 1 file changed, 2 insertions(+), 115 deletions(-) diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend index 48560b1..931854e 100644 --- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend 
@@ -1,116 +1,3 @@ -IMA_ENABLED_HERE := "${@'yes' if bb.data.inherits_class('kernel', d) and 'ima' in d.getVar('DISTRO_FEATURES', True).split() else 'no'}" +FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" -IMA_FILESEXTRAPATHS_yes := "${THISDIR}/linux:" -IMA_FILESEXTRAPATHS_no := "" -FILESEXTRAPATHS_prepend := "${IMA_FILESEXTRAPATHS_${IMA_ENABLED_HERE}}" - -# These two patches are necessary to unpack archives with security.ima xattr -# such that security.ima is taken from the archive. If the policy -# allows hashing, unpatched kernels (at least up to 4.3) will replace -# a signed hash in security.ima with a locally computed hash. -# -# Note that only bsdtar/libarchive are known to work; GNU tar sets -# the security.ima on an empty file and the tries re-opening it for -# writing its content, which then fails due to the IMA hash mismatch. -# -# Kernels >= 4.7 have the patches, while older kernels are likely to -# need the patches. So apply them by default. To avoid that, -# set IMA_EVM_SETATTR_PATCH_x.y.z (where x.y.z == linux kernel version) -# to an empty string (to avoid patching) or some other patch files -# suitable for that kernel. -def ima_evm_setattr_patch(d): -result = [] -linux_version = d.getVar('LINUX_VERSION', True) or '' -# These two patches are known to be included upstream. -if bb.utils.vercmp_string_op(linux_version, '4.7', '<'): -patches = d.getVar('IMA_EVM_SETATTR_PATCH_' + linux_version, True) -if patches != None: -# Patches explicitly chosen, may be empty. -result.append(patches) -else: -# Enabled by default. -result.append('file://0001-ima-fix-ima_inode_post_setattr.patch file://0002-ima-add-support-for-creating-files-using-the-mknodat.patch') -# This one addresses a problem added in 4.2. The upstream revert will land -# in some future kernel. We need to extend version check once we know -# which kernels have the patch. 
-if bb.utils.vercmp_string_op(linux_version, '4.2', '>='): -patches = d.getVar('IMA_EVM_SETATTR_REVERT_PATCH_' + linux_version, True) -if patches != None: -# Patches explicitly chosen, may be empty. -result.append(patches) -else: -# Enabled by default. - result.append('file://Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch') -return ' '.join(result) - -# Edison kernel too old, patch not applicable -> swupd is broken in Ostro OS for Edison. -IMA_EVM_SETATTR_PATCH_3.10.98 = "" - -# Kernel config fragment enabling IMA/EVM and (where necessary and possible) -# also patching the kernel. -IMA_EVM_CFG_yes = " file://ima.cfg \ -${@ ima_evm_setattr_patch(d)} \ - " -IMA_EVM_CFG_no = "" -SRC_URI_append = "${IMA_EVM_CFG_${IMA_ENABLED_HERE}}" - -# IMA_EVM_ROOT_CA, if set, is the absolute path to a der-encoded -# x509 CA certificate which will get compiled into the kernel. -# The kernel will then use it to validate additional certificates, -# like the one loaded dynamically for IMA. -# -# Depending on the kernel version, there are two ways to add the -# CA certificate: -# - For Linux < 4.3, we put the x509 file into the source directory -# where the kernel compilation will find it automatically -# (http://lxr.free-electrons.com/source/kernel/Makefile?v=4.2#L115). -# - For Linux >= 4.3, we set SYSTEM_TRUSTED_KEYS -# (http://lxr.free-electrons.com/source/certs/Kconfig?v=4.3#L29). -# The ima_evm_root_ca.cfg only contains a blank file name. -# The actual file name gets patched in after the file was used -# to configure the kernel (see do_kernel_configme_append). -# This has to point to a single file, i.e. using it for IMA has to -# be coordinated with other usages. -# -# The IMA_EVM_ROOT_CA default is set globally in ima-evm-rootfs.bbclass. -# Need weaker default here in case that ima-evm-rootfs.bbclass is not -# inherited. -IMA_EVM_ROOT_CA ??= "" - -# Add CONFIG_SYSTEM_TRUSTED_KEYS (for recent kernels) and -# copy the root certificate into the build directory. 
By using -# the normal fetcher mechanism for the certificate we ensure that -# a rebuild is triggered when the file name or content change. -# -# Recompiling on name change is a bit too aggressive and causes -# unnecessary rebuilds when only the location of the file, but not its -# content change. This may need further work, should it become a problem -# in practice. For example, IMA_EVM_ROOT_CA could be redefined as -# an URL that then gets found v
[yocto] [meta-security][PATCH 11/14] data: remove policies
Signed-off-by: Armin Kuster --- meta-integrity/data/ima_policy_appraise_all | 29 meta-integrity/data/ima_policy_hashed | 77 - meta-integrity/data/ima_policy_simple | 4 -- 3 files changed, 110 deletions(-) delete mode 100644 meta-integrity/data/ima_policy_appraise_all delete mode 100644 meta-integrity/data/ima_policy_hashed delete mode 100644 meta-integrity/data/ima_policy_simple diff --git a/meta-integrity/data/ima_policy_appraise_all b/meta-integrity/data/ima_policy_appraise_all deleted file mode 100644 index 36e71a7..000 --- a/meta-integrity/data/ima_policy_appraise_all +++ /dev/null @@ -1,29 +0,0 @@ -# -# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything) -# -# Do not measure anything, but appraise everything -# -# PROC_SUPER_MAGIC -dont_appraise fsmagic=0x9fa0 -# SYSFS_MAGIC -dont_appraise fsmagic=0x62656572 -# DEBUGFS_MAGIC -dont_appraise fsmagic=0x64626720 -# TMPFS_MAGIC -dont_appraise fsmagic=0x01021994 -# RAMFS_MAGIC -dont_appraise fsmagic=0x858458f6 -# DEVPTS_SUPER_MAGIC -dont_appraise fsmagic=0x1cd1 -# BIFMT -dont_appraise fsmagic=0x42494e4d -# SECURITYFS_MAGIC -dont_appraise fsmagic=0x73636673 -# SELINUXFS_MAGIC -dont_appraise fsmagic=0xf97cff8c -# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) -dont_appraise fsmagic=0x6e736673 -# EFIVARFS_MAGIC -dont_appraise fsmagic=0xde5e81e4 - -appraise diff --git a/meta-integrity/data/ima_policy_hashed b/meta-integrity/data/ima_policy_hashed deleted file mode 100644 index 7f89c8d..000 --- a/meta-integrity/data/ima_policy_hashed +++ /dev/null 
@@ -1,77 +0,0 @@ -# With this policy, all files on regular partitions are -# appraised. Files with signed IMA hash and normal hash are -# accepted. Signed files cannot be modified while hashed files can be -# (which will also update the hash). However, signed files can -# be deleted, so in practice it is still possible to replace them -# with a modified version. -# -# Without EVM, this is obviously not very secure, so this policy is -# just an example and/or basis for further improvements. For that -# purpose, some comments show what could be added to make the policy -# more secure. -# -# With EVM the situation might be different because access -# to the EVM key can be restricted. -# -# Files which are appraised are also measured. This allows -# debugging whether a file is in policy by looking at -# /sys/kernel/security/ima/ascii_runtime_measurements - -# PROC_SUPER_MAGIC -dont_appraise fsmagic=0x9fa0 -dont_measure fsmagic=0x9fa0 -# SYSFS_MAGIC -dont_appraise fsmagic=0x62656572 -dont_measure fsmagic=0x62656572 -# DEBUGFS_MAGIC -dont_appraise fsmagic=0x64626720 -dont_measure fsmagic=0x64626720 -# TMPFS_MAGIC -dont_appraise fsmagic=0x01021994 -dont_measure fsmagic=0x01021994 -# RAMFS_MAGIC -dont_appraise fsmagic=0x858458f6 -dont_measure fsmagic=0x858458f6 -# DEVPTS_SUPER_MAGIC -dont_appraise fsmagic=0x1cd1 -dont_measure fsmagic=0x1cd1 -# BIFMT -dont_appraise fsmagic=0x42494e4d -dont_measure fsmagic=0x42494e4d -# SECURITYFS_MAGIC -dont_appraise fsmagic=0x73636673 -dont_measure fsmagic=0x73636673 -# SELINUXFS_MAGIC -dont_appraise fsmagic=0xf97cff8c -dont_measure fsmagic=0xf97cff8c -# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) -dont_appraise fsmagic=0x6e736673 -dont_measure fsmagic=0x6e736673 -# SMACK_MAGIC -dont_appraise fsmagic=0x43415d53 -dont_measure fsmagic=0x43415d53 -# CGROUP_SUPER_MAGIC -dont_appraise fsmagic=0x27e0eb -dont_measure fsmagic=0x27e0eb -# EFIVARFS_MAGIC -dont_appraise fsmagic=0xde5e81e4 -dont_measure 
fsmagic=0xde5e81e4 - -# Special partition, no checking done. -# dont_measure fsuuid=a11234... -# dont_appraise fsuuid=a11243... - -# Special immutable group. -# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200 - -# All executables must be signed - too strict, we need to -# allow installing executables on the device. -# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC -# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC - -# Default rule. Would be needed also when other rules were added that -# determine what to do in case of reading (mask=MAY_READ or -# mask=MAY_EXEC) because otherwise writing does not update the file -# hash. -appraise -measure diff --git a/meta-integrity/data/ima_policy_simple b/meta-integrity/data/ima_policy_simple deleted file mode 100644 index 38ca8f5..000 --- a/meta-integrity/data/ima_policy_simple +++ /dev/null @@ -1,4 +0,0 @@ -# Very simple policy demonstrating the systemd policy loading bug -# (policy with one line works, two lines don't). -dont_appraise fsmagic=0x9fa0 -dont_appraise fsmagic=0x62656572 -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 12/14] initramfs: clean up to pull in packages.
Signed-off-by: Armin Kuster --- .../initrdscripts/initramfs-framework-ima.bb | 12 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index aca38b7..6057e8d 100644 --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -8,25 +8,21 @@ SUMMARY = "IMA module for the modular initramfs system" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" -RDEPENDS_${PN} += "initramfs-framework-base" # This policy file will get installed as /etc/ima/ima-policy. # It is located via the normal file search path, so a .bbappend # to this recipe can just point towards one of its own files. IMA_POLICY ?= "ima_policy_hashed" -FILESEXTRAPATHS =. "${IMA_EVM_BASE}/data:" -SRC_URI = " \ -file://${IMA_POLICY} \ -file://ima \ -" +SRC_URI = " file://ima" do_install () { install -d ${D}/${sysconfdir}/ima -install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima-policy install -d ${D}/init.d install ${WORKDIR}/ima ${D}/init.d/20-ima } FILES_${PN} = "/init.d ${sysconfdir}" -RDEPENDS_${PN} = "keyutils" + +RDEPENDS_${PN} = "keyutils ${IMA_POLICY}" +RDEPENDS_${PN} += "initramfs-framework-base" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
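Review bot: The new `RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"` turns IMA_POLICY into a package name, but the unchanged default above it is `ima_policy_hashed` (a file name), while the recipes that now ship the policies are ima-policy-hashed and ima-policy-simple (PATCH 08/14 and 09/14), so unless something RPROVIDES the underscore name this runtime dependency will not resolve; either change the default here to `IMA_POLICY ?= "ima-policy-hashed"` or depend on a fixed package name. With the `file://${IMA_POLICY}` entry gone, the retained comment ("This policy file will get installed as /etc/ima/ima-policy ... a .bbappend to this recipe can just point towards one of its own files") no longer describes this recipe and should be reworded to say that IMA_POLICY names the package providing /etc/ima/ima-policy. `install -d ${D}/${sysconfdir}/ima` is also left creating an empty directory that nothing in this recipe populates any more.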
[yocto] [meta-cgl][PATCH 1/2] crmsh: do not use unstable github archive tarballs
Since commit [21f84fc insane: add sanity checks to SRC_URI] applied in oe-core, do not use unstable github archive tarballs Signed-off-by: Hongxu Jia --- meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb b/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb index b28a826..7563c99 100644 --- a/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb +++ b/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb @@ -13,12 +13,12 @@ DEPENDS = "asciidoc-native \ " RDEPENDS_${PN} = "pacemaker python-lxml gawk" -SRC_URI = "https://github.com/ClusterLabs/crmsh/archive/${PV}.tar.gz;downloadfilename=${BP}.tar.gz \ +S = "${WORKDIR}/git" +SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=crmsh-3.0 \ file://tweaks_for_build.patch \ " -SRC_URI[md5sum] = "563b463155a652820c8d1319418e88b7" -SRC_URI[sha256sum] = "364fadb0d0c9619676e10bb75f4ea833a49019aa77ddb26229bc9d1c435585c0" +SRCREV = "41845ca5511b844593cf25ae4eb7f307aa78c5be" inherit autotools-brokensep distutils-base -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
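Review bot: The new SRC_URI fetches over the `git://` transport, which is unauthenticated and unencrypted; the pinned SRCREV still protects what is built, since git verifies the fetched objects against that commit id, but the fetch itself can be intercepted or blocked, so `git://github.com/ClusterLabs/${BPN}.git;protocol=https;branch=crmsh-3.0 \` is the safer form. The same applies to the setools_4.1.1.bb and pacemaker_1.1.19.bb patches in this series. A short comment above SRCREV naming the upstream tag the commit corresponds to, e.g. `# matches upstream tag <TAG-FOR-3.0.3 - confirm>`, would let the next person bump PV and SRCREV together.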
[yocto] [meta-selinux][PATCH] setools: do not use unstable github archive tarballs
Since commit [21f84fc insane: add sanity checks to SRC_URI] applied in oe-core, do not use unstable github archive tarballs Signed-off-by: Hongxu Jia --- recipes-security/setools/setools_4.1.1.bb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/recipes-security/setools/setools_4.1.1.bb b/recipes-security/setools/setools_4.1.1.bb index c5a2d34..8bdbfba 100644 --- a/recipes-security/setools/setools_4.1.1.bb +++ b/recipes-security/setools/setools_4.1.1.bb @@ -8,14 +8,14 @@ SETools." SECTION = "base" LICENSE = "GPLv2 & LGPLv2.1" -SRC_URI = "https://github.com/TresysTechnology/setools/archive/${PV}.tar.gz;downloadfilename=setools-${PV}.tar.gz \ +S = "${WORKDIR}/git" +SRC_URI = "git://github.com/TresysTechnology/${BPN}.git;branch=4.1 \ file://setools4-fixes-for-cross-compiling.patch \ file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \ file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \ " -SRC_URI[md5sum] = "54cf5c0ca2aa4ef7c6ac153981af34cd" -SRC_URI[sha256sum] = "46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610" +SRCREV = "e03617eb7ab5a035633bff66500b95d25232e331" LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=83a5eb6974c11f30785e90d0eeccf40c \ file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 2/2] pacemaker: do not use unstable github archive tarballs
Since commit [21f84fc insane: add sanity checks to SRC_URI] applied in oe-core, do not use unstable github archive tarballs Signed-off-by: Hongxu Jia --- meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb index 00893d1..a7c38df 100644 --- a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb +++ b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=19a64afd3a35d044a80579d7aafc30ff" DEPENDS = "corosync libxslt libxml2 gnutls resource-agents libqb python-native" -SRC_URI = "https://github.com/ClusterLabs/${BPN}/archive/Pacemaker-${PV}.zip \ +SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=1.1 \ file://0001-pacemaker-fix-xml-config.patch \ file://0002-pacemaker-search-header-from-STAGING_INCDIR-to-walka.patch \ file://0003-pacemaker-fix-header-defs-lookup.patch \ @@ -28,12 +28,11 @@ SRC_URI = "https://github.com/ClusterLabs/${BPN}/archive/Pacemaker-${PV}.zip \ SRC_URI_append_libc-musl = "file://0001-pacemaker-fix-compile-error-of-musl-libc.patch" -SRC_URI[md5sum] = "deb7017c5a9d3f39895d9ea2c34bc8eb" -SRC_URI[sha256sum] = "6e222046487c2dc6ae61d49089ecbf6a0bcb495e8cdcb76d115fd987d0df8f7f" +SRCREV = "c3c624ea3d98a74a8a287671a156db126c99a7bb" inherit autotools-brokensep pkgconfig systemd python-dir useradd -S="${WORKDIR}/pacemaker-Pacemaker-${PV}" +S = "${WORKDIR}/git" CLEANBROKEN = "1" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto