From patchwork Mon Jan 19 20:28:21 2026
X-Patchwork-Submitter: Scott Murray
X-Patchwork-Id: 79099
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-lts-security][PATCH 1/3] lynis: upgrade to 3.1.6
Date: Mon, 19 Jan 2026 15:28:21 -0500
Message-ID: <80e20b6b7a1ce5ed3186a4d69870912b501817f3.1768854292.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3015

Release notes: https://github.com/CISOfy/lynis/releases/tag/3.1.6

Signed-off-by: Scott Murray
--- recipes-compliance/lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-compliance/lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} (96%) diff --git a/recipes-compliance/lynis/lynis_3.1.5.bb b/recipes-compliance/lynis/lynis_3.1.6.bb similarity index 96% rename from recipes-compliance/lynis/lynis_3.1.5.bb rename to recipes-compliance/lynis/lynis_3.1.6.bb index 51414c0..722072f 100644 --- a/recipes-compliance/lynis/lynis_3.1.5.bb +++ b/recipes-compliance/lynis/lynis_3.1.6.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" SRC_URI = "git://github.com/CISOfy/lynis.git;branch=master;protocol=https" -SRCREV = "380b414e09bbca70be59a1b7ddccfaed4c30e1aa" +SRCREV = "06153321ea50d53a27446084e646d9f43fe46e0e" #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
From patchwork Mon Jan 19 20:28:22 2026
X-Patchwork-Submitter: Scott Murray
X-Patchwork-Id: 79098
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-lts-security][PATCH 2/3] suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecute
Date: Mon, 19 Jan 2026 15:28:22 -0500
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3016

From: Clayton Casciato

Add option to prevent memory mappings that are both writable and
executable.

https://www.freedesktop.org/software/systemd/man/255/systemd.exec.html#MemoryDenyWriteExecute=

Core Suricata developer:
https://github.com/jasonish/suricata-rpms/blob/a606a810325dd0a4f3ee45b2756b96bda28e590b/7.0/suricata-4.1.1-service.patch#L23

Fedora:
https://src.fedoraproject.org/rpms/suricata/c/cfb3b996f54d28018cd01f9c6b9ecb77e59f344d

Resolve SELinux AVC denial:

    type=PROCTITLE proctitle=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
    type=SYSCALL arch=aarch64 syscall=mprotect success=no exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 items=0 ppid=1 pid=283 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=Suricata-Main exe=/usr/bin/suricata subj=system_u:system_r:initrc_t:s0 key=(null)
    type=AVC avc: denied { execmem } for pid=283 comm=Suricata-Main scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process

Signed-off-by: Clayton Casciato
Signed-off-by: Scott Murray
--- recipes-ids/suricata/files/suricata.service | 1 + recipes-ids/suricata/suricata_7.0.13.bb | 15 ++++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/recipes-ids/suricata/files/suricata.service b/recipes-ids/suricata/files/suricata.service index bd7010d..4b774f4 100644 --- a/recipes-ids/suricata/files/suricata.service +++ b/recipes-ids/suricata/files/suricata.service @@ -14,6 +14,7 @@ ExecReload=/bin/kill -HUP $MAINPID PrivateTmp=yes ProtectHome=yes ProtectSystem=yes +MemoryDenyWriteExecute=no [Install] WantedBy=multi-user.target diff --git a/recipes-ids/suricata/suricata_7.0.13.bb b/recipes-ids/suricata/suricata_7.0.13.bb index 469e42d..b0d2c82 100644 --- a/recipes-ids/suricata/suricata_7.0.13.bb +++ b/recipes-ids/suricata/suricata_7.0.13.bb @@ -38,7 +38,15 @@ CARGO_BUILD_FLAGS:append = " --offline" B = "${S}" # nfnetlink has a dependancy to meta-networking -PACKAGECONFIG ??= "file pcre2 yaml python pcap cap-ng net" +PACKAGECONFIG ??= "file \ + pcre2 \ + yaml \ + python \ + pcap \ + cap-ng \ + net \ + ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \ + " PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" PACKAGECONFIG[pcre2] = "--with-libpcre2-includes=${STAGING_INCDIR} --with-libpcre2-libraries=${STAGING_LIBDIR}, ,libpcre2 ," @@ -51,6 +59,7 @@ PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue," PACKAGECONFIG[file] = ",,file, file" PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core" +PACKAGECONFIG[seccomp] = "" PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," export logdir = "${localstatedir}/log" 
@@ -115,6 +124,10 @@ do_install () { -e s:/bin/kill:${base_bindir}/kill:g \ -e s:/usr/lib:${libdir}:g \ ${UNPACKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service + + if ${@bb.utils.contains('PACKAGECONFIG', 'seccomp', 'true', 'false', d)}; then + sed -i -e 's/^MemoryDenyWriteExecute=no$/MemoryDenyWriteExecute=yes/' ${D}${systemd_unitdir}/system/suricata.service + fi fi # Remove /var/run as it is created on startup
From patchwork Mon Jan 19 20:28:23 2026
X-Patchwork-Submitter: Scott Murray
X-Patchwork-Id: 79100
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-lts-security][PATCH 3/3] dm-verity-img.bbclass: filter units from value part
Date: Mon, 19 Jan 2026 15:28:23 -0500
Message-ID: <9e6d962250aab6e5319215f15b0201ef233c46cd.1768854292.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3017

From: Stephan Wurm

This is necessary for cryptsetup starting from v2.8.0 which introduced
"[units]" in its output breaking the parsing of veritysetup output.

    VERITY header information for image-poky-20250701085433.squashfs-zst.verity.
    UUID: 5dc16c55-79b8-4988-9d79-900f8e143f98
    Hash type: 1
    Data blocks: 40091
    Data block size: 4096 [bytes]
    Hash blocks: 318
    Hash block size: 4096 [bytes]
    Hash algorithm: sha256
    Salt: f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b
    Root hash: a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693

This extends the value filter to remove the "[units]" from the .env
file, while retaining compatibility to older cryptsetup releases.

Signed-off-by: Stephan Wurm
Signed-off-by: Scott Murray
--- classes/dm-verity-img.bbclass | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass index 47f698c..48557e9 100644 --- a/classes/dm-verity-img.bbclass +++ b/classes/dm-verity-img.bbclass
@@ -71,12 +71,12 @@ process_verity() { # two parts into separate variables and process them separately. For the # key part: convert the names to upper case and replace spaces with # underscores to create correct shell variable names. For the value part: - # just trim all white-spaces. + # just trim all white-spaces and remove units. IFS=":" while read KEY VAL; do printf '%s=%s\n' \ "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \ - "$(echo "$VAL" | tr -d ' \t')" >> $ENV + "$(echo "$VAL" | tr -d ' \t' | sed 's/\[.*\]//')" >> $ENV done # Add partition size
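
Review bot: nothing in the lynis_3.1.6.bb hunk of patch 1/3 ties the new SRCREV 06153321ea50d53a27446084e646d9f43fe46e0e to the 3.1.6 release, since SRC_URI still follows branch=master and the commit message links only the release notes. Say in the commit message that this revision is the commit tagged 3.1.6, and confirm that the LICENSE md5 in the unchanged LIC_FILES_CHKSUM context line still matches at the new revision, because the rename is recorded at 96% similarity with that line untouched.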
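
Review bot: `MemoryDenyWriteExecute=no` in the suricata.service hunk of patch 2/3 is undocumented in the unit, so it reads as a deliberate decision to allow writable and executable mappings rather than as a placeholder that do_install rewrites to `yes`. Add a comment above the line saying the value is switched by PACKAGECONFIG[seccomp], so that someone editing the unit does not drop or reword it and break the substitution.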
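
Review bot: the `${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)}` entry added to the default PACKAGECONFIG in the first suricata_7.0.13.bb hunk of patch 2/3 turns the setting on for every distro that already lists seccomp in DISTRO_FEATURES, while the commit message describes the change only as adding an option. State the default-on behaviour in the commit message, together with what Suricata does when the read/write/execute mprotect shown in the quoted audit record is refused, so integrators know what changes on upgrade.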
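
Review bot: `PACKAGECONFIG[seccomp] = ""` in the second suricata_7.0.13.bb hunk of patch 2/3 carries no configure arguments and no dependencies, so the name suggests a libseccomp build option when its only effect in this patch is the unit-file substitution in do_install. Add a comment on that line saying it only controls MemoryDenyWriteExecute in suricata.service, or choose a name that refers to the systemd setting.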
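
Review bot: the `sed -i` added to do_install in the last suricata_7.0.13.bb hunk of patch 2/3 exits successfully whether or not its pattern matched, so if the line in suricata.service ever differs from exactly `MemoryDenyWriteExecute=no` (trailing whitespace, a changed default, a removed line) the image ships without the hardening and the build gives no sign of it. Follow the sed with a `grep -q '^MemoryDenyWriteExecute=yes$'` on the installed unit and call bbfatal when the line is missing.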
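
Review bot: `sed 's/\[.*\]//'` in the process_verity hunk of dm-verity-img.bbclass (patch 3/3) is greedy and unanchored, so it deletes everything from the first `[` to the last `]` wherever they occur in a value, not only a trailing unit. In the veritysetup output quoted in the commit message the unit always ends the value (`4096 [bytes]`), so anchor the expression, for example `sed 's/\[[^]]*\]$//'`, and reword the comment to say that a trailing "[unit]" is removed.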