Also, rearrange the runtime-dependencies a little so
clamav-freshclam is installed later than clamav.
The issue is that clamav-freshclam ships /var/lib/clamav
and the main clamav package uses chown in pkg_postinst to set
the ownership of this directory. But pkg_postinst is not
marked as "ontarget" so this chown only took effect when
upgrading or reinstalling the package.
So when clamav is part of an OS image out of the box, freshclamd
cannot populate this directory since it's running under the clamav
user.
Fix this by creating /var/lib/clamav with the proper ownership
in do_install and rearrange runtime-dependencies, so clamav-freshclam
RDEPENDS on clamav and clamav relaxes its runtime-dependency into
RRECOMMENDS so clamav-freshclam is installed later than clamav,
avoiding these warnings:
Installing : clamav-freshclam-... 487/1954
warning: user clamav does not exist - using root
warning: group clamav does not exist - using root
Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
DATA_BLOCK_SIZE variable was set in dm-verity-img.bbclass at build
time but the initrdscript was not updated to pass the DATA_BLOCK_SIZE
to the veritysetup. Now the functionality is complete.
Signed-off-by: Paulo Neves <paulo.neves1@inter.ikea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
fscrypt is a high-level tool for the management of Linux
filesystem encryption. fscrypt manages metadata, key generation,
key wrapping, PAM integration, and provides a uniform interface
for creating and modifying encrypted directories.
Add recipe for the same in 'recipes-security'.
Signed-off-by: Bhupesh Sharma <bhupesh.sharma@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
SSSD 2.5.2 Highlights
* General information
- originalADgidNumber attribute in the SSSD cache is now indexed
* New features
- Debug messages in data provider include a unique request ID that can
be used to track the request from its start to its end (requires
libtevent >= 0.11.0)
* Important fixes
- Update large files in the files provider in batches to avoid timeouts
* Configuration changes
- Add new config option fallback_to_nss
Full release notes:
* https://sssd.io/release-notes/sssd-2.5.2.html
And backport patch to fix CVE-2021-3621.
CVE: CVE-2021-3621
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Add DM_VERITY_IMAGE_DATA_BLOCK_SIZE to be able to set the
--data-block-size used in veritysetup. Tuning this value effects the
performance and size of the resulting image.
Signed-off-by: Christer Fletcher <christer.fletcher@inter.ikea.com>
Signed-off-by: Paulo Neves <paulo.neves1@inter.ikea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fix the variable spelling errors
s/SKIP_META_SECUIRTY_SANITY_CHECK/SKIP_META_SECURITY_SANITY_CHECK
Signed-off-by: George Liu <liuxiwei@inspur.com>
Acked-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Assign a weak default value for MODSIGN_KEY_DIR so the other layers can
set a default value for them as well.
Signed-off-by: Daiane Angolini <daiane.angolini@foundries.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A number of typo fixes:
- tmp->tpm in the DISTRO_FEATURES
- update the mailing list address as it was out of date
- update the distro name in the subject
Signed-off-by: Marta Rybczynska <rybczynska@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The address included in the meta-hardening documentation
does not work and was changed in other places in 2019.
Signed-off-by: Marta Rybczynska <rybczynska@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This error occurs randomly.
/bin/bash: pod2man: command not found
[Yocto #14304]
minor space/tab cleanup
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Cc: Ben <koncept1@gmail.com>
