Diffstat (limited to 'meta-integrity/recipes-core')
6 files changed, 32 insertions, 18 deletions
diff --git a/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-integrity/recipes-core/base-files/base-files-ima.inc
index 7e9e210..cfa65a2 100644
--- a/meta-integrity/recipes-core/base-files/base-files-ima.inc
+++ b/meta-integrity/recipes-core/base-files/base-files-ima.inc
@@ -1,5 +1,5 @@
 # Append iversion option for auto types
-do_install_append() {
+do_install:append() {
 sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab"
 echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab"
 }
diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index 1a3a30a..856249f 100644
--- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -2,20 +2,18 @@
 DESCRIPTION = "An image as an exmaple for Ima support"
 IMAGE_FEATURES += "ssh-server-openssh"
+LICENSE = "MIT"
+
+inherit core-image
-IMAGE_INSTALL = "\
+IMAGE_INSTALL += "\
 packagegroup-base \
 packagegroup-core-boot \
 packagegroup-ima-evm-utils \
 os-release"
-
-LICENSE = "MIT"
-
-inherit core-image
-
 export IMAGE_BASENAME = "integrity-image-minimal"
 INHERIT += "ima-evm-rootfs"
-QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
+QB_KERNEL_CMDLINE_APPEND:append = " ima_policy=tcb ima_appraise=fix"
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index 95c853a..58cbe6e 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
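Review bot: The new QB_KERNEL_CMDLINE_APPEND value drops `ima_policy=appraise_tcb`, so with only the builtin `tcb` measurement policy any appraisal rules appear to come solely from the custom policy the initramfs loads from /etc/ima/ima-policy, and `ima_appraise=fix` leaves appraisal in fix mode, where a file with a missing or mismatching hash is relabelled rather than rejected. Neither consequence is recorded in the recipe; a comment above the assignment would make the intent clear: `# Builtin tcb policy only measures; appraisal rules come from ${IMA_POLICY} loaded by initramfs-framework-ima. ima_appraise=fix is a provisioning mode; use ima_appraise=enforce for a locked-down image.` The DESCRIPTION context line also still reads `exmaple`.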
@@ -14,15 +14,23 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
 # to this recipe can just point towards one of its own files.
 IMA_POLICY ?= "ima-policy-hashed"
+# Force proceed IMA procedure even 'no_ima' boot parameter is available.
+IMA_FORCE ?= "false"
+
 SRC_URI = " file://ima"
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
 do_install () {
 install -d ${D}/${sysconfdir}/ima
 install -d ${D}/init.d
 install ${WORKDIR}/ima ${D}/init.d/20-ima
+
+ sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
 }
-FILES_${PN} = "/init.d ${sysconfdir}"
+FILES:${PN} = "/init.d ${sysconfdir}"
-RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"
-RDEPENDS_${PN} += "initramfs-framework-base"
+RDEPENDS:${PN} = "keyutils ima-evm-keys ${IMA_POLICY}"
+RDEPENDS:${PN} += "initramfs-framework-base"
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
index 8616f99..8971494 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
@@ -2,9 +2,15 @@
 #
 # Loads IMA policy into the kernel.
+force_ima=@@FORCE_IMA@@
+
 ima_enabled() {
- if [ "$bootparam_no_ima" = "true" ]; then
+ if [ "$force_ima" = "true" ]; then
+ return 0
+ elif [ "$bootparam_no_ima" = "true" ]; then
 return 1
+ else
+ return 0
 fi
 }
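Review bot: `IMA_FORCE` is spliced into the sed expression in do_install without validation, so a value other than `true` or `false` (in particular one containing `/` or `&`) either breaks the substitution or yields a script in which `force_ima` holds an arbitrary string; a guard before the sed such as `[ "${IMA_FORCE}" = "true" ] || [ "${IMA_FORCE}" = "false" ] || bbfatal "IMA_FORCE must be 'true' or 'false'"` fails the build early instead. The comment above the variable should state what it actually changes, e.g. `# When "true", the initramfs loads the IMA policy even if no_ima is on the kernel command line (build-time override of the runtime opt-out).` This recipe still installs from `${WORKDIR}/ima` while the systemd bbappend in the same commit moves to `${UNPACKDIR}`; if that move is deliberate it should be applied here as well.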
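Review bot: ima_enabled() now returns 0 whenever `force_ima` is `true` regardless of `bootparam_no_ima`, which is the intended override, but nothing in the script says why a build-time flag outranks a boot parameter; a comment above the assignment would help: `# Substituted at build time from IMA_FORCE; "true" makes the no_ima boot parameter ineffective so policy loading cannot be skipped from the kernel command line.` If the placeholder is ever left unsubstituted, the literal `@@FORCE_IMA@@` is not `true`, so the check falls through to the no_ima test, which is the safe direction.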
@@ -46,7 +52,7 @@ ima_run() {
 # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
 # checking the write of each line. To minimize the risk of policy loading going wrong we
 # also remove comments and blank lines ourselves.
- if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then
+ if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima/ima-policy >/sys/kernel/security/ima/policy; then
 fatal "Could not load IMA policy."
 fi
 }
diff --git a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
index 18acc9d..484859f 100644
--- a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
+++ b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
@@ -1,9 +1,11 @@
 SUMMARY = "IMA/EVM userspace tools"
 LICENSE = "MIT"
-inherit packagegroup
+inherit packagegroup features_check
+
+REQUIRED_DISTRO_FEATURES = "ima"
 # Only one at the moment, but perhaps more will come in the future.
-RDEPENDS_${PN} = " \
+RDEPENDS:${PN} = " \
 ima-evm-utils \
 "
diff --git a/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/meta-integrity/recipes-core/systemd/systemd_%.bbappend
index 3b45541..f140f02 100644
--- a/meta-integrity/recipes-core/systemd/systemd_%.bbappend
+++ b/meta-integrity/recipes-core/systemd/systemd_%.bbappend
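Review bot: The policy path `/etc/ima/ima-policy` is hard-coded in the redirect of the new line and only implied by the `install -d ${D}/${sysconfdir}/ima` in the recipe, with no check that the file exists before the subshell runs, so a missing or misnamed policy surfaces only as the generic `Could not load IMA policy.` Hoisting the path into a variable with an explicit readability check gives a clearer failure: `ima_policy=/etc/ima/ima-policy` and `[ -r "$ima_policy" ] || fatal "IMA policy file $ima_policy not found."` ahead of the loop. While this line is being touched, `echo $i` inside the loop should be `echo "$i"` so each rule is written to the kernel verbatim rather than after word splitting. ima_run() begins before this hunk.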
@@ -1,13 +1,13 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 SRC_URI += " \
 file://machine-id-commit-sync.conf \
 file://random-seed-sync.conf \
 "
-do_install_append () {
+do_install:append () {
 for i in machine-id-commit random-seed; do
 install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d
- install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d
+ install -m 0644 ${UNPACKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d
 done
 }
|
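Review bot: `${UNPACKDIR}` is only defined on BitBake/Poky releases that introduced it; on an older release it expands to nothing and the install line becomes `install -m 0644 /machine-id-commit-sync.conf …`, which fails at do_install. The other recipe this commit touches, initramfs-framework-ima.bb, still reads `${WORKDIR}/ima`, so the commit leaves the layer inconsistent about which release it targets; either state the minimum release the layer now requires or use the same source directory in both places. If both old and new releases must be supported, a conditional default for the variable in the layer is one way to bridge the transition.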