From patchwork Mon Jan 19 20:31:51 2026
X-Patchwork-Submitter: Scott Murray
X-Patchwork-Id: 79101
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-lts-security][whinlatter][PATCH 1/3] lynis: upgrade to 3.1.6
Date: Mon, 19 Jan 2026 15:31:51 -0500
Message-ID: <0a448b7bc73b26aeb659bc1fdd4c90049d7d51bb.1768854613.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3019

Release notes: https://github.com/CISOfy/lynis/releases/tag/3.1.6

Signed-off-by: Scott Murray
---
 recipes-compliance/lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename recipes-compliance/lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} (96%)

diff --git a/recipes-compliance/lynis/lynis_3.1.5.bb b/recipes-compliance/lynis/lynis_3.1.6.bb similarity index 96% rename from recipes-compliance/lynis/lynis_3.1.5.bb rename to recipes-compliance/lynis/lynis_3.1.6.bb index 51414c0..722072f 100644 --- a/recipes-compliance/lynis/lynis_3.1.5.bb +++ b/recipes-compliance/lynis/lynis_3.1.6.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" SRC_URI = "git://github.com/CISOfy/lynis.git;branch=master;protocol=https" -SRCREV = "380b414e09bbca70be59a1b7ddccfaed4c30e1aa" +SRCREV = "06153321ea50d53a27446084e646d9f43fe46e0e" #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
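
Review bot: the new SRCREV in lynis_3.1.6.bb is a bare commit hash, and neither the recipe nor the commit message ties 06153321ea50d53a27446084e646d9f43fe46e0e to the upstream 3.1.6 tag, while SRC_URI follows branch=master. Please state in the commit message, or in a comment above SRCREV, that this hash is the commit the 3.1.6 tag points at, so the pin can be checked against the linked release notes rather than taken as an arbitrary master commit. The unchanged LIC_FILES_CHKSUM in the context lines implies LICENSE is identical in 3.1.6; a one-line confirmation of that would help too.
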
From patchwork Mon Jan 19 20:31:52 2026
X-Patchwork-Submitter: Scott Murray
X-Patchwork-Id: 79103
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-lts-security][whinlatter][PATCH 2/3] suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecute
Date: Mon, 19 Jan 2026 15:31:52 -0500
Message-ID: <252f97af420cd170c37f3c33c2c1e86afeaa25f5.1768854613.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3020

From: Clayton Casciato

Add option to prevent memory mappings that are both writable and executable.

https://www.freedesktop.org/software/systemd/man/255/systemd.exec.html#MemoryDenyWriteExecute=

Core Suricata developer:
https://github.com/jasonish/suricata-rpms/blob/a606a810325dd0a4f3ee45b2756b96bda28e590b/7.0/suricata-4.1.1-service.patch#L23

Fedora:
https://src.fedoraproject.org/rpms/suricata/c/cfb3b996f54d28018cd01f9c6b9ecb77e59f344d

Resolve SELinux AVC denial:

type=PROCTITLE proctitle=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

type=SYSCALL arch=aarch64 syscall=mprotect success=no exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 items=0 ppid=1 pid=283 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=Suricata-Main exe=/usr/bin/suricata subj=system_u:system_r:initrc_t:s0 key=(null)

type=AVC avc: denied { execmem } for pid=283 comm=Suricata-Main scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process

Signed-off-by: Clayton Casciato
Signed-off-by: Scott Murray
---
 recipes-ids/suricata/files/suricata.service | 1 +
 recipes-ids/suricata/suricata_7.0.13.bb | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/recipes-ids/suricata/files/suricata.service b/recipes-ids/suricata/files/suricata.service index bd7010d..4b774f4 100644 --- a/recipes-ids/suricata/files/suricata.service +++ b/recipes-ids/suricata/files/suricata.service @@ -14,6 +14,7 @@ ExecReload=/bin/kill -HUP $MAINPID PrivateTmp=yes ProtectHome=yes ProtectSystem=yes +MemoryDenyWriteExecute=no [Install] WantedBy=multi-user.target diff --git a/recipes-ids/suricata/suricata_7.0.13.bb b/recipes-ids/suricata/suricata_7.0.13.bb index 469e42d..b0d2c82 100644 --- a/recipes-ids/suricata/suricata_7.0.13.bb +++ b/recipes-ids/suricata/suricata_7.0.13.bb @@ -38,7 +38,15 @@ CARGO_BUILD_FLAGS:append = " --offline" B = "${S}" # nfnetlink has a dependancy to meta-networking -PACKAGECONFIG ??= "file pcre2 yaml python pcap cap-ng net" +PACKAGECONFIG ??= "file \ + pcre2 \ + yaml \ + python \ + pcap \ + cap-ng \ + net \ + ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \ + " PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" PACKAGECONFIG[pcre2] = "--with-libpcre2-includes=${STAGING_INCDIR} --with-libpcre2-libraries=${STAGING_LIBDIR}, ,libpcre2 ," @@ -51,6 +59,7 @@ PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue," PACKAGECONFIG[file] = ",,file, file" PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core" +PACKAGECONFIG[seccomp] = "" PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," export logdir = "${localstatedir}/log" 
@@ -115,6 +124,10 @@ do_install () { -e s:/bin/kill:${base_bindir}/kill:g \ -e s:/usr/lib:${libdir}:g \ ${UNPACKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service + + if ${@bb.utils.contains('PACKAGECONFIG', 'seccomp', 'true', 'false', d)}; then + sed -i -e 's/^MemoryDenyWriteExecute=no$/MemoryDenyWriteExecute=yes/' ${D}${systemd_unitdir}/system/suricata.service + fi fi # Remove /var/run as it is created on startup
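
Review bot: in the suricata.service hunk, MemoryDenyWriteExecute=no is added without a comment, so the installed unit reads as hardening deliberately switched off when the line is really the placeholder that do_install rewrites. Add a comment line above it in the unit saying the value is set from PACKAGECONFIG[seccomp] at install time, or drop the placeholder and have do_install append MemoryDenyWriteExecute=yes only when the option is enabled.
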
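
Review bot: PACKAGECONFIG[seccomp] = "" in suricata_7.0.13.bb has no configure arguments, no dependencies and no comment, so its name reads like a build-time seccomp feature of Suricata while its only effect is the unit-file edit in do_install. Add a comment above it saying so. The reworked PACKAGECONFIG ??= default also pulls seccomp in from DISTRO_FEATURES, which flips the unit to MemoryDenyWriteExecute=yes for every distro that already has that feature set; the commit message should call out that runtime behaviour change.
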
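
Review bot: the sed added to do_install matches only a line that is exactly MemoryDenyWriteExecute=no, and sed exits successfully when nothing matches, so a later edit to suricata.service (a different value, trailing whitespace, the line removed) would ship the unit without the protection while PACKAGECONFIG still lists seccomp. Follow the sed with a check that fails the task, for example grep -q '^MemoryDenyWriteExecute=yes$' on ${D}${systemd_unitdir}/system/suricata.service with bbfatal when it is missing.
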
From patchwork Mon Jan 19 20:31:53 2026
X-Patchwork-Submitter: Scott Murray
X-Patchwork-Id: 79102
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-lts-security][whinlatter][PATCH 3/3] dm-verity-img.bbclass: filter units from value part
Date: Mon, 19 Jan 2026 15:31:53 -0500
Message-ID: <18c6a7b5d836cc35c5131e33449b786111eceaf5.1768854613.git.scott.murray@konsulko.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/3021

From: Stephan Wurm

This is necessary for cryptsetup starting from v2.8.0 which introduced "[units]" in its output breaking the parsing of veritysetup output.

VERITY header information for image-poky-20250701085433.squashfs-zst.verity.
UUID: 5dc16c55-79b8-4988-9d79-900f8e143f98
Hash type: 1
Data blocks: 40091
Data block size: 4096 [bytes]
Hash blocks: 318
Hash block size: 4096 [bytes]
Hash algorithm: sha256
Salt: f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b
Root hash: a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693

This extends the value filter to remove the "[units]" from the .env file, while retaining compatibility to older cryptsetup releases.

Signed-off-by: Stephan Wurm
Signed-off-by: Scott Murray
---
 classes/dm-verity-img.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass index 47f698c..48557e9 100644 --- a/classes/dm-verity-img.bbclass +++ b/classes/dm-verity-img.bbclass
@@ -71,12 +71,12 @@ process_verity() { # two parts into separate variables and process them separately. For the # key part: convert the names to upper case and replace spaces with # underscores to create correct shell variable names. For the value part: - # just trim all white-spaces. + # just trim all white-spaces and remove units. IFS=":" while read KEY VAL; do printf '%s=%s\n' \ "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \ - "$(echo "$VAL" | tr -d ' \t')" >> $ENV + "$(echo "$VAL" | tr -d ' \t' | sed 's/\[.*\]//')" >> $ENV done # Add partition size
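
Review bot: the added sed 's/\[.*\]//' in process_verity is greedy and unanchored, so it deletes everything from the first '[' to the last ']' anywhere in the value, not only a trailing unit such as [bytes]. Anchor it to a bracketed suffix, for example sed 's/\[[^]]*\]$//', so that only a unit at the end of the value is removed and any other bracketed text in a future veritysetup field is left alone. The redirect target $ENV on the same line is unquoted; quoting it as "$ENV" is a cheap fix while the line is being touched.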