author | Armin Kuster <akuster808@gmail.com> | 2021-07-29 16:32:05 -0700 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2021-08-01 08:47:08 -0700 |
commit | b8554aae23cb66378866bff7d5ef6c6324fa486a (patch) | |
tree | 3cdbdbc9c1d52e0b4b0a4c7ed43789aba1b9aa4a | |
parent | c7632b927c4cb31d77caebe1390da21c630cfe0e (diff) | |
meta-integrity: Convert to new override syntax
Signed-off-by: Armin Kuster <akuster808@gmail.com>
15 files changed, 28 insertions, 28 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 8254b0d..eae1c57 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md | |||
@@ -6,7 +6,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in this layer need | |||
6 | to have 'integrity' in DISTRO_FEATURES to have effect. | 6 | to have 'integrity' in DISTRO_FEATURES to have effect. |
7 | To enable them, add in configuration file the following line. | 7 | To enable them, add in configuration file the following line. |
8 | 8 | ||
9 | DISTRO_FEATURES_append = " integrity" | 9 | DISTRO_FEATURES:append = " integrity" |
10 | 10 | ||
11 | If meta-integrity is included, but integrity is not enabled as a | 11 | If meta-integrity is included, but integrity is not enabled as a |
12 | distro feature a warning is printed at parse time: | 12 | distro feature a warning is printed at parse time: |
@@ -219,7 +219,7 @@ executing the file is no longer allowed: | |||
219 | Enabling the audit kernel subsystem may help to debug appraisal | 219 | Enabling the audit kernel subsystem may help to debug appraisal |
220 | issues. Enable it by adding the meta-security-framework layer and | 220 | issues. Enable it by adding the meta-security-framework layer and |
221 | changing your local.conf: | 221 | changing your local.conf: |
222 | SRC_URI_append_pn-linux-yocto = " file://audit.cfg" | 222 | SRC_URI:append:pn-linux-yocto = " file://audit.cfg" |
223 | CORE_IMAGE_EXTRA_INSTALL += "auditd" | 223 | CORE_IMAGE_EXTRA_INSTALL += "auditd" |
224 | 224 | ||
225 | Then boot with "ima_appraise=log ima_appraise_tcb". | 225 | Then boot with "ima_appraise=log ima_appraise_tcb". |
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 0acd6e7..57de2f6 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass | |||
@@ -29,7 +29,7 @@ IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false" | |||
29 | IMA_EVM_ROOTFS_IVERSION ?= "" | 29 | IMA_EVM_ROOTFS_IVERSION ?= "" |
30 | 30 | ||
31 | # Avoid re-generating fstab when ima is enabled. | 31 | # Avoid re-generating fstab when ima is enabled. |
32 | WIC_CREATE_EXTRA_ARGS_append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}" | 32 | WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}" |
33 | 33 | ||
34 | ima_evm_sign_rootfs () { | 34 | ima_evm_sign_rootfs () { |
35 | cd ${IMAGE_ROOTFS} | 35 | cd ${IMAGE_ROOTFS} |
diff --git a/meta-integrity/classes/kernel-modsign.bbclass b/meta-integrity/classes/kernel-modsign.bbclass index 09025ba..cf5d3eb 100644 --- a/meta-integrity/classes/kernel-modsign.bbclass +++ b/meta-integrity/classes/kernel-modsign.bbclass | |||
@@ -15,7 +15,7 @@ MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt" | |||
15 | # If this class is enabled, disable stripping signatures from modules | 15 | # If this class is enabled, disable stripping signatures from modules |
16 | INHIBIT_PACKAGE_STRIP = "1" | 16 | INHIBIT_PACKAGE_STRIP = "1" |
17 | 17 | ||
18 | kernel_do_configure_prepend() { | 18 | kernel_do_configure:prepend() { |
19 | if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then | 19 | if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then |
20 | cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \ | 20 | cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \ |
21 | > "${B}/modsign_key.pem" | 21 | > "${B}/modsign_key.pem" |
@@ -24,6 +24,6 @@ kernel_do_configure_prepend() { | |||
24 | fi | 24 | fi |
25 | } | 25 | } |
26 | 26 | ||
27 | do_shared_workdir_append() { | 27 | do_shared_workdir:append() { |
28 | cp modsign_key.pem $kerneldir/ | 28 | cp modsign_key.pem $kerneldir/ |
29 | } | 29 | } |
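Review bot: The module-signing private key is handled with default permissions in both functions: `kernel_do_configure:prepend()` concatenates `${MODSIGN_PRIVKEY}` into `${B}/modsign_key.pem`, and `do_shared_workdir:append()` copies it into `$kerneldir` with a plain `cp`. The key therefore sits in two build directories with whatever mode the umask gives. If the build user is the only consumer, `install -m 0600 modsign_key.pem $kerneldir/` and a `chmod 0600 "${B}/modsign_key.pem"` after the `cat` would state the intent, together with a comment that the key deliberately leaves the kernel build tree. The `cp` also has no guard for the case where the `-f` test failed and no pem was written; the lines between 21 and 24 are outside the hunk, so whether that path aborts earlier cannot be seen here.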
diff --git a/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc b/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc index a45182e..807075c 100644 --- a/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc +++ b/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc | |||
@@ -1,8 +1,8 @@ | |||
1 | FILESEXTRAPATHS_prepend := "${THISDIR}/files:" | 1 | FILESEXTRAPATHS:prepend := "${THISDIR}/files:" |
2 | 2 | ||
3 | DEPENDS = "libtspi" | 3 | DEPENDS = "libtspi" |
4 | 4 | ||
5 | SRC_URI_append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch" | 5 | SRC_URI:append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch" |
6 | 6 | ||
7 | PACKAGECONFIG += " \ | 7 | PACKAGECONFIG += " \ |
8 | aikgen \ | 8 | aikgen \ |
diff --git a/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-integrity/recipes-core/base-files/base-files-ima.inc index 7e9e210..cfa65a2 100644 --- a/meta-integrity/recipes-core/base-files/base-files-ima.inc +++ b/meta-integrity/recipes-core/base-files/base-files-ima.inc | |||
@@ -1,5 +1,5 @@ | |||
1 | # Append iversion option for auto types | 1 | # Append iversion option for auto types |
2 | do_install_append() { | 2 | do_install:append() { |
3 | sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab" | 3 | sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab" |
4 | echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab" | 4 | echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab" |
5 | } | 5 | } |
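Review bot: The `sed` in `do_install:append()` only adds `iversion` to fstab entries whose type is `auto` and whose options begin with `defaults`; for an fstab that names the filesystem type or uses other options it silently changes nothing. IMA presumably needs the inode version to notice that a file changed, so a silent miss is worth surfacing. A check after the sed would make it visible, for example `grep -q iversion "${D}${sysconfdir}/fstab" || bbwarn "fstab: no entry received iversion"`. The existing comment could also say that `\s` relies on GNU sed.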
diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb index 1a3a30a..f40e867 100644 --- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb | |||
@@ -18,4 +18,4 @@ export IMAGE_BASENAME = "integrity-image-minimal" | |||
18 | 18 | ||
19 | INHERIT += "ima-evm-rootfs" | 19 | INHERIT += "ima-evm-rootfs" |
20 | 20 | ||
21 | QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" | 21 | QB_KERNEL_CMDLINE_APPEND:append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" |
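Review bot: The kernel command line on line 21 needs a comment, because `ima_appraise=fix` makes the kernel repair missing or invalid `security.ima` values instead of denying access, so this image does not enforce appraisal. That is reasonable for a QEMU test image, but someone copying the line into a product configuration would get a non-enforcing system without noticing. Suggested comment above the assignment: `# QEMU test boot only: ima_appraise=fix relabels files instead of rejecting them; do not reuse for production images.`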
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index 6471c53..58cbe6e 100644 --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb | |||
@@ -30,7 +30,7 @@ do_install () { | |||
30 | sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima | 30 | sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima |
31 | } | 31 | } |
32 | 32 | ||
33 | FILES_${PN} = "/init.d ${sysconfdir}" | 33 | FILES:${PN} = "/init.d ${sysconfdir}" |
34 | 34 | ||
35 | RDEPENDS_${PN} = "keyutils ima-evm-keys ${IMA_POLICY}" | 35 | RDEPENDS:${PN} = "keyutils ima-evm-keys ${IMA_POLICY}" |
36 | RDEPENDS_${PN} += "initramfs-framework-base" | 36 | RDEPENDS:${PN} += "initramfs-framework-base" |
diff --git a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb index 8196edb..484859f 100644 --- a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb +++ b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb | |||
@@ -6,6 +6,6 @@ inherit packagegroup features_check | |||
6 | REQUIRED_DISTRO_FEATURES = "ima" | 6 | REQUIRED_DISTRO_FEATURES = "ima" |
7 | 7 | ||
8 | # Only one at the moment, but perhaps more will come in the future. | 8 | # Only one at the moment, but perhaps more will come in the future. |
9 | RDEPENDS_${PN} = " \ | 9 | RDEPENDS:${PN} = " \ |
10 | ima-evm-utils \ | 10 | ima-evm-utils \ |
11 | " | 11 | " |
diff --git a/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/meta-integrity/recipes-core/systemd/systemd_%.bbappend index 3b45541..57b3684 100644 --- a/meta-integrity/recipes-core/systemd/systemd_%.bbappend +++ b/meta-integrity/recipes-core/systemd/systemd_%.bbappend | |||
@@ -1,11 +1,11 @@ | |||
1 | FILESEXTRAPATHS_prepend := "${THISDIR}/files:" | 1 | FILESEXTRAPATHS:prepend := "${THISDIR}/files:" |
2 | 2 | ||
3 | SRC_URI += " \ | 3 | SRC_URI += " \ |
4 | file://machine-id-commit-sync.conf \ | 4 | file://machine-id-commit-sync.conf \ |
5 | file://random-seed-sync.conf \ | 5 | file://random-seed-sync.conf \ |
6 | " | 6 | " |
7 | 7 | ||
8 | do_install_append () { | 8 | do_install:append () { |
9 | for i in machine-id-commit random-seed; do | 9 | for i in machine-id-commit random-seed; do |
10 | install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d | 10 | install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d |
11 | install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d | 11 | install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d |
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index f9a48cd..3ab53e5 100644 --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc | |||
@@ -1,5 +1,5 @@ | |||
1 | KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" | 1 | KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" |
2 | 2 | ||
3 | KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" | 3 | KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" |
4 | 4 | ||
5 | inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} | 5 | inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} |
diff --git a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb index 7708aef..dd32397 100644 --- a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb +++ b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb | |||
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 | |||
5 | inherit features_check | 5 | inherit features_check |
6 | REQUIRED_DISTRO_FEATURES = "ima" | 6 | REQUIRED_DISTRO_FEATURES = "ima" |
7 | 7 | ||
8 | ALLOW_EMPTY_${PN} = "1" | 8 | ALLOW_EMPTY:${PN} = "1" |
9 | 9 | ||
10 | do_install () { | 10 | do_install () { |
11 | if [ -e "${IMA_EVM_X509}" ]; then | 11 | if [ -e "${IMA_EVM_X509}" ]; then |
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb index bd85583..fc7a2d6 100644 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb | |||
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" | |||
4 | 4 | ||
5 | DEPENDS += "openssl attr keyutils" | 5 | DEPENDS += "openssl attr keyutils" |
6 | 6 | ||
7 | DEPENDS_class-native += "openssl-native keyutils-native" | 7 | DEPENDS:class-native += "openssl-native keyutils-native" |
8 | 8 | ||
9 | PV = "1.2.1+git${SRCPV}" | 9 | PV = "1.2.1+git${SRCPV}" |
10 | SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e" | 10 | SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e" |
@@ -26,13 +26,13 @@ S = "${WORKDIR}/git" | |||
26 | inherit pkgconfig autotools features_check | 26 | inherit pkgconfig autotools features_check |
27 | 27 | ||
28 | REQUIRED_DISTRO_FEATURES = "ima" | 28 | REQUIRED_DISTRO_FEATURES = "ima" |
29 | REQUIRED_DISTRO_FEATURES_class-native = "" | 29 | REQUIRED_DISTRO_FEATURES:class-native = "" |
30 | 30 | ||
31 | EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}" | 31 | EXTRA_OECONF:append:class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}" |
32 | 32 | ||
33 | # blkid is called by evmctl when creating evm checksums. | 33 | # blkid is called by evmctl when creating evm checksums. |
34 | # This is less useful when signing files on the build host, | 34 | # This is less useful when signing files on the build host, |
35 | # so disable it when compiling on the host. | 35 | # so disable it when compiling on the host. |
36 | RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils" | 36 | RDEPENDS:${PN}:append:class-target = " util-linux-blkid libcrypto attr libattr keyutils" |
37 | 37 | ||
38 | BBCLASSEXTEND = "native nativesdk" | 38 | BBCLASSEXTEND = "native nativesdk" |
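Review bot: `DEPENDS:class-native += "openssl-native keyutils-native"` on line 7 keeps a known BitBake pitfall: `+=` on an override-qualified name appends to the `DEPENDS:class-native` variable itself. When the override is active that value replaces the base `DEPENDS` instead of extending it, so `attr` from line 5 is likely dropped for the native build. If the intent is to add to the base list, write `DEPENDS:append:class-native = " openssl-native keyutils-native"`. The old spelling behaved the same way, so the conversion does not introduce this, but the native `evmctl` is presumably what signs the rootfs on the build host, so its dependency list should be deliberate.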
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb index 84ea161..5f2244e 100644 --- a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb +++ b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb | |||
@@ -12,5 +12,5 @@ do_install () { | |||
12 | install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy | 12 | install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy |
13 | } | 13 | } |
14 | 14 | ||
15 | FILES_${PN} = "${sysconfdir}/ima" | 15 | FILES:${PN} = "${sysconfdir}/ima" |
16 | RDEPENDS_${PN} = "ima-evm-utils" | 16 | RDEPENDS:${PN} = "ima-evm-utils" |
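Review bot: `install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy` passes no `-m`, so the policy file gets install's default mode 0755 and ends up executable. A policy file is data; `install -m 0644 ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy` (or 0600 if only root should read it) states the intent. The same line appears in ima-policy-hashed_1.0.bb and ima-policy-simple_1.0.bb. `do_install` starts outside the hunk, so an earlier `install -d` or a later chmod is not visible here.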
diff --git a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb index ff7169e..57c0640 100644 --- a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb +++ b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb | |||
@@ -14,5 +14,5 @@ do_install () { | |||
14 | install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy | 14 | install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy |
15 | } | 15 | } |
16 | 16 | ||
17 | FILES_${PN} = "${sysconfdir}/ima" | 17 | FILES:${PN} = "${sysconfdir}/ima" |
18 | RDEPENDS_${PN} = "ima-evm-utils" | 18 | RDEPENDS:${PN} = "ima-evm-utils" |
diff --git a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb index 0e56aec..8fed410 100644 --- a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb +++ b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb | |||
@@ -12,5 +12,5 @@ do_install () { | |||
12 | install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy | 12 | install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy |
13 | } | 13 | } |
14 | 14 | ||
15 | FILES_${PN} = "${sysconfdir}/ima" | 15 | FILES:${PN} = "${sysconfdir}/ima" |
16 | RDEPENDS_${PN} = "ima-evm-utils" | 16 | RDEPENDS:${PN} = "ima-evm-utils" |