Message ID | 20241208175318.833015-2-akuster808@gmail.com |
---|---|
State | New |
Series | [meta-security,1/2] harden.conf: drop debug-tweaks |
Hi, On Sun, Dec 08, 2024 at 12:53:18PM -0500, Armin Kuster via lists.yoctoproject.org wrote: > Signed-off-by: Armin Kuster <akuster808@gmail.com> > --- > kas/kas-security-base.yml | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml > index fa7915c..bdd74b1 100644 > --- a/kas/kas-security-base.yml > +++ b/kas/kas-security-base.yml > @@ -43,7 +43,6 @@ local_conf_header: > BB_TASK_IONICE_LEVEL = '2.7' > BB_TASK_IONICE_LEVEL_task-testimage = '2.1' > TEST_QEMUBOOT_TIMEOUT = "1500" > - EXTRA_IMAGE_FEATURES ?= "debug-tweaks" For testing purposes this is needed: --- a/kas/kas-security-base.yml +++ b/kas/kas-security-base.yml @@ -43,7 +43,7 @@ local_conf_header: BB_TASK_IONICE_LEVEL = '2.7' BB_TASK_IONICE_LEVEL_task-testimage = '2.1' TEST_QEMUBOOT_TIMEOUT = "1500" - EXTRA_IMAGE_FEATURES ?= "debug-tweaks" + EXTRA_IMAGE_FEATURES += "allow-empty-password empty-root-password allow-root-login" PACKAGE_CLASSES = "package_ipk" DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2" Or is this to be replaced by something else? I'm trying to come up with a set of patches which pass some of the runtime tests again. Cheers, -Mikko
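Review bot: the proposed `+` line uses `+=` where the removed line used the weak default `?=`, so every image built from this kas base gets `allow-empty-password empty-root-password allow-root-login` unconditionally, whether or not it is a test image. Consider keeping these features in a test-only kas file, or at least stating in the commit message that this base config is meant for runtime testing. An `EXTRA_IMAGE_FEATURES:remove` of the same three features, as suggested for harden.conf later in this thread, is applied after appends in BitBake and would cancel this line, so the two configs need to be checked together against the runtime tests.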
On 12/9/24 2:52 AM, Mikko Rapeli via lists.yoctoproject.org wrote: > Hi, > > On Sun, Dec 08, 2024 at 12:53:18PM -0500, Armin Kuster via lists.yoctoproject.org wrote: >> Signed-off-by: Armin Kuster <akuster808@gmail.com> >> --- >> kas/kas-security-base.yml | 1 - >> 1 file changed, 1 deletion(-) >> >> diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml >> index fa7915c..bdd74b1 100644 >> --- a/kas/kas-security-base.yml >> +++ b/kas/kas-security-base.yml >> @@ -43,7 +43,6 @@ local_conf_header: >> BB_TASK_IONICE_LEVEL = '2.7' >> BB_TASK_IONICE_LEVEL_task-testimage = '2.1' >> TEST_QEMUBOOT_TIMEOUT = "1500" >> - EXTRA_IMAGE_FEATURES ?= "debug-tweaks" > For testing purposes this is needed: > > --- a/kas/kas-security-base.yml > +++ b/kas/kas-security-base.yml > @@ -43,7 +43,7 @@ local_conf_header: > BB_TASK_IONICE_LEVEL = '2.7' > BB_TASK_IONICE_LEVEL_task-testimage = '2.1' > TEST_QEMUBOOT_TIMEOUT = "1500" > - EXTRA_IMAGE_FEATURES ?= "debug-tweaks" > + EXTRA_IMAGE_FEATURES += "allow-empty-password empty-root-password allow-root-login" > PACKAGE_CLASSES = "package_ipk" > > DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2" That looks correct. > Or is this to be replaced by something else? > > I'm trying to come up with a set of patches which pass some of the runtime tests again. > > Cheers, > > -Mikko
On 12/9/24 2:52 AM, Mikko Rapeli via lists.yoctoproject.org wrote: > Hi, > > On Sun, Dec 08, 2024 at 12:53:18PM -0500, Armin Kuster via lists.yoctoproject.org wrote: >> Signed-off-by: Armin Kuster <akuster808@gmail.com> >> --- >> kas/kas-security-base.yml | 1 - >> 1 file changed, 1 deletion(-) >> >> diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml >> index fa7915c..bdd74b1 100644 >> --- a/kas/kas-security-base.yml >> +++ b/kas/kas-security-base.yml >> @@ -43,7 +43,6 @@ local_conf_header: >> BB_TASK_IONICE_LEVEL = '2.7' >> BB_TASK_IONICE_LEVEL_task-testimage = '2.1' >> TEST_QEMUBOOT_TIMEOUT = "1500" >> - EXTRA_IMAGE_FEATURES ?= "debug-tweaks" > For testing purposes this is needed: > > --- a/kas/kas-security-base.yml > +++ b/kas/kas-security-base.yml > @@ -43,7 +43,7 @@ local_conf_header: > BB_TASK_IONICE_LEVEL = '2.7' > BB_TASK_IONICE_LEVEL_task-testimage = '2.1' > TEST_QEMUBOOT_TIMEOUT = "1500" > - EXTRA_IMAGE_FEATURES ?= "debug-tweaks" > + EXTRA_IMAGE_FEATURES += "allow-empty-password empty-root-password allow-root-login" I think the harden.conf will use: EXTRA_IMAGE_FEATURES:remove = "allow-empty-password empty-root-password allow-root-login" - armin > PACKAGE_CLASSES = "package_ipk" > > DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2" > > > Or is this to be replaced by something else? > > I'm trying to come up with a set of patches which pass some of the runtime tests again. > > Cheers, > > -Mikko
diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml index fa7915c..bdd74b1 100644 --- a/kas/kas-security-base.yml +++ b/kas/kas-security-base.yml @@ -43,7 +43,6 @@ local_conf_header: BB_TASK_IONICE_LEVEL = '2.7' BB_TASK_IONICE_LEVEL_task-testimage = '2.1' TEST_QEMUBOOT_TIMEOUT = "1500" - EXTRA_IMAGE_FEATURES ?= "debug-tweaks" PACKAGE_CLASSES = "package_ipk" DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2"
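Review bot: the deletion of `EXTRA_IMAGE_FEATURES ?= "debug-tweaks"` comes with no replacement in the hunk and no explanation in the commit message, which carries only the Signed-off-by. The surrounding context sets `BB_TASK_IONICE_LEVEL_task-testimage` and `TEST_QEMUBOOT_TIMEOUT`, which suggests this config drives runtime tests, and the reply in this thread reports that those tests need the root-login features to pass. Either add the specific features the tests require in the same patch, or say in the commit message where they are now expected to come from.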
Signed-off-by: Armin Kuster <akuster808@gmail.com> --- kas/kas-security-base.yml | 1 - 1 file changed, 1 deletion(-)