From d444b7d7dad2c3b7c86b17dc0eff3500111b427f Mon Sep 17 00:00:00 2001
From: Leon Anavi
Date: Wed, 31 Jan 2024 16:28:57 +0200
Subject: [PATCH] linux-yocto%.bbappend: Add audit.cfg

Add audit.cfg configuration fragment. By default it is not appended to SRC_URI. It allows enabling the audit kernel subsystem which may help to debug appraisal issues. Boot with "integrity_audit=1" to capture a more complete set of events in /var/log/audit/. Previously the same configuration fragment was provided by layer meta-security-framework but it is no longer maintained therefore it makes sense to have audit.cfg in layer meta-integrity.

Signed-off-by: Leon Anavi
Signed-off-by: Armin Kuster
---
 meta-integrity/README.md | 8 ++++++--
 meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend | 2 ++
 meta-integrity/recipes-kernel/linux/linux/audit.cfg | 2 ++
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/audit.cfg

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 1a37280..2f30e78 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -219,12 +219,16 @@ executing the file is no longer allowed:
 -sh: /usr/bin/rpm: Permission denied
 Enabling the audit kernel subsystem may help to debug appraisal
-issues. Enable it by adding the meta-security-framework layer and
+issues. Enable it by adding a kernel configuration fragment and
 changing your local.conf:
 SRC_URI:append:pn-linux-yocto = " file://audit.cfg"
 CORE_IMAGE_EXTRA_INSTALL += "auditd"
-Then boot with "ima_appraise=log ima_appraise_tcb".
+Then boot with "ima_appraise=log ima_appraise_tcb integrity_audit=1".
+For example, for QEMU by changing variable QB_KERNEL_CMDLINE_APPEND
+in your local.conf:
+ QB_KERNEL_CMDLINE_APPEND:remove:pn-integrity-image-minimal = "ima_policy=tcb ima_appraise=fix"
+ QB_KERNEL_CMDLINE_APPEND:append:pn-integrity-image-minimal = " ima_appraise=log ima_appraise_tcb integrity_audit=1"
 Adding auditd is not strictly necessary but helps to capture a more
 complete set of events in /var/log/audit/ and search in
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
index be60bfe..9c599aa 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
@@ -1 +1,3 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/linux:"
+
 require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)}
diff --git a/meta-integrity/recipes-kernel/linux/linux/audit.cfg b/meta-integrity/recipes-kernel/linux/linux/audit.cfg
new file mode 100644
index 0000000..214dbe3
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/audit.cfg
@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
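Review bot: The new `FILESEXTRAPATHS:prepend` line carries no comment saying why it is unconditional while the `require` on the next line is gated on the integrity DISTRO_FEATURE; a reader may assume it belongs behind the same gate. It has to stay unconditional because the fragment is opt-in through `SRC_URI:append:pn-linux-yocto = " file://audit.cfg"` in local.conf (as the README hunk documents), so the search path must resolve even when `linux_ima.inc` is not pulled in. A one-line comment such as `# Unconditional: audit.cfg is opt-in via SRC_URI:append in local.conf (see README) and must be resolvable for every linux-yocto variant` would record that. The hunk covers the whole file.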
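Review bot: The fragment enables only the generic audit subsystem (`CONFIG_AUDIT`, `CONFIG_AUDITSYSCALL`), while the `integrity_audit=1` boot parameter that the commit message and README hunk rely on is provided by the integrity audit code behind `CONFIG_INTEGRITY_AUDIT`, which this fragment does not pin. That option normally defaults on once AUDIT and the integrity subsystem are enabled, but whether the IMA fragment pulled in by `linux_ima.inc` sets it is not visible here, and a kernel built without it silently ignores the parameter and logs no appraisal events. Adding `CONFIG_INTEGRITY_AUDIT=y` would make the fragment self-sufficient; failing that, a header comment stating the dependency is needed. A purpose comment would also help, e.g. `# Kernel audit subsystem; pair with the integrity_audit=1 boot parameter to log IMA appraisal events (see README)`.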