@@ -187,7 +187,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd
changes. To activate policy loading via systemd, place a policy file
in `/etc/ima/ima-policy`, for example with:
- IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple"
+ IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
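Review bot: The `+` line in the README renames the example variable to `IMA_EVM_POLICY_SYSTEMD`, but nothing here tells readers that the previous name `IMA_EVM_POLICY` is no longer the one read for the systemd policy install. A configuration that still sets the old name will build without error and ship an image with no `/etc/ima/ima-policy`. Suggest adding one sentence noting the rename, and pointing at the `ascii_runtime_measurements` check on the next line as the way to confirm the policy was actually loaded.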
@@ -69,10 +69,10 @@ ima_evm_sign_rootfs () {
find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
# Optionally install custom policy for loading by systemd.
- if [ "${IMA_EVM_POLICY}" ]; then
+ if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
install -d ./${sysconfdir}/ima
rm -f ./${sysconfdir}/ima/ima-policy
- install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
+ install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
fi
}
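Review bot: The guard `if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then` only tests that the variable is non-empty, and `rm -f ./${sysconfdir}/ima/ima-policy` runs before `install`, so a mistyped or missing policy path removes any existing policy and only then fails. Suggest testing the file with `[ -f "${IMA_EVM_POLICY_SYSTEMD}" ]` and failing with a clear message before the `rm -f`. Since the old `IMA_EVM_POLICY` name is dropped from this function, a warning when it is set and `IMA_EVM_POLICY_SYSTEMD` is empty would also keep an image from being produced silently without an IMA policy. The `./${sysconfdir}` expansions are unquoted, which is worth fixing while touching these lines.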
This reverts commit 292b49342cb47da59525a44227598cf136311e1b.

The full patchset is overriding the do_configure task and also added a kernel patch on meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend). So the patch fails in some recipes and also the do_configure task doesn't make sense. This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 meta-integrity/README.md | 2 +-
 meta-integrity/classes/ima-evm-rootfs.bbclass | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)