* [meta-lts-security][whinlatter][PATCH 0/3] Assorted updates 01/19
@ 2026-01-19 20:31 Scott Murray
From: Scott Murray @ 2026-01-19 20:31 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
This patch series rolls up the contributed patches from the past couple
of weeks, plus a lynis update from myself. These changes are queued on
the whinlatter-next branch if you would like to check them out to test
yourself. I intend to merge these to the master branch at end of day
tomorrow (Eastern Time, Jan. 20) unless there are objections.
Scott
Changes:
Clayton Casciato (1):
suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecute
Scott Murray (1):
lynis: upgrade to 3.1.6
Stephan Wurm (1):
dm-verity-img.bbclass: filter units from value part
classes/dm-verity-img.bbclass | 4 ++--
.../lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} | 2 +-
recipes-ids/suricata/files/suricata.service | 1 +
recipes-ids/suricata/suricata_7.0.13.bb | 15 ++++++++++++++-
4 files changed, 18 insertions(+), 4 deletions(-)
rename recipes-compliance/lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} (96%)
--
2.51.0
* [meta-lts-security][whinlatter][PATCH 1/3] lynis: upgrade to 3.1.6
From: Scott Murray @ 2026-01-19 20:31 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
Release notes:
https://github.com/CISOfy/lynis/releases/tag/3.1.6
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
recipes-compliance/lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename recipes-compliance/lynis/{lynis_3.1.5.bb => lynis_3.1.6.bb} (96%)
diff --git a/recipes-compliance/lynis/lynis_3.1.5.bb b/recipes-compliance/lynis/lynis_3.1.6.bb
similarity index 96%
rename from recipes-compliance/lynis/lynis_3.1.5.bb
rename to recipes-compliance/lynis/lynis_3.1.6.bb
index 51414c0..722072f 100644
--- a/recipes-compliance/lynis/lynis_3.1.5.bb
+++ b/recipes-compliance/lynis/lynis_3.1.6.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
SRC_URI = "git://github.com/CISOfy/lynis.git;branch=master;protocol=https"
-SRCREV = "380b414e09bbca70be59a1b7ddccfaed4c30e1aa"
+SRCREV = "06153321ea50d53a27446084e646d9f43fe46e0e"
#UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
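Review bot: nothing in the recipe records that the new SRCREV 06153321ea50d53a27446084e646d9f43fe46e0e is the commit behind the 3.1.6 tag that the commit message links, and the UPSTREAM_CHECK line right below it stays commented out, so the bump is not auditable from the recipe alone. A one-line comment naming the tag next to SRCREV, or replacing the commented-out line with UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)", would tie the revision to the release and let the upstream version check notice the next one.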
--
2.51.0
* [meta-lts-security][whinlatter][PATCH 2/3] suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecute
From: Scott Murray @ 2026-01-19 20:31 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
From: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Add option to prevent memory mappings that are both writable and
executable.
https://www.freedesktop.org/software/systemd/man/255/systemd.exec.html#MemoryDenyWriteExecute=
Core Suricata developer:
https://github.com/jasonish/suricata-rpms/blob/a606a810325dd0a4f3ee45b2756b96bda28e590b/7.0/suricata-4.1.1-service.patch#L23
Fedora:
https://src.fedoraproject.org/rpms/suricata/c/cfb3b996f54d28018cd01f9c6b9ecb77e59f344d
Resolve SELinux AVC denial:
type=PROCTITLE proctitle=/usr/bin/suricata
-c /etc/suricata/suricata.yaml -i eth0
type=SYSCALL arch=aarch64 syscall=mprotect success=no
exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000
a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 items=0 ppid=1 pid=283
auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=unset comm=Suricata-Main
exe=/usr/bin/suricata subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC avc: denied { execmem } for pid=283 comm=Suricata-Main
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
recipes-ids/suricata/files/suricata.service | 1 +
recipes-ids/suricata/suricata_7.0.13.bb | 15 ++++++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/recipes-ids/suricata/files/suricata.service b/recipes-ids/suricata/files/suricata.service
index bd7010d..4b774f4 100644
--- a/recipes-ids/suricata/files/suricata.service
+++ b/recipes-ids/suricata/files/suricata.service
@@ -14,6 +14,7 @@ ExecReload=/bin/kill -HUP $MAINPID
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=yes
+MemoryDenyWriteExecute=no
[Install]
WantedBy=multi-user.target
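Review bot: MemoryDenyWriteExecute=no is systemd's default, so this line changes nothing by itself and exists only as the anchor for the sed in do_install; a comment above it saying so (and that it is flipped to yes when the seccomp PACKAGECONFIG is selected) would stop a later cleanup from deleting it as redundant and silently losing the hardening. The audit record in the commit message also shows Suricata-Main calling mprotect with PROT_READ|PROT_WRITE|PROT_EXEC; the linked manual page says exactly that kind of change is prohibited once the directive is yes, so the message should state which component makes that mapping and that Suricata was seen to start and process traffic with the option enabled.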
diff --git a/recipes-ids/suricata/suricata_7.0.13.bb b/recipes-ids/suricata/suricata_7.0.13.bb
index 469e42d..b0d2c82 100644
--- a/recipes-ids/suricata/suricata_7.0.13.bb
+++ b/recipes-ids/suricata/suricata_7.0.13.bb
@@ -38,7 +38,15 @@ CARGO_BUILD_FLAGS:append = " --offline"
B = "${S}"
# nfnetlink has a dependancy to meta-networking
-PACKAGECONFIG ??= "file pcre2 yaml python pcap cap-ng net"
+PACKAGECONFIG ??= "file \
+ pcre2 \
+ yaml \
+ python \
+ pcap \
+ cap-ng \
+ net \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \
+ "
PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
PACKAGECONFIG[pcre2] = "--with-libpcre2-includes=${STAGING_INCDIR} --with-libpcre2-libraries=${STAGING_LIBDIR}, ,libpcre2 ,"
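Review bot: because this is a ??= default, any distro configuration or bbappend that already sets PACKAGECONFIG for suricata keeps its old list and never gains seccomp, even with the feature in DISTRO_FEATURES. That is the normal PACKAGECONFIG contract, but since this option is a hardening knob rather than a build feature it deserves one sentence in the commit message so integrators know to add it themselves. Minor style point: the trailing '\' on the bb.utils.filter line followed by a lone '"' on its own line is easy to misread; closing the quote on the filter line avoids the empty continuation.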
@@ -51,6 +59,7 @@ PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
PACKAGECONFIG[file] = ",,file, file"
PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core"
+PACKAGECONFIG[seccomp] = ""
PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
export logdir = "${localstatedir}/log"
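Review bot: PACKAGECONFIG[seccomp] = "" carries no configure flag, build dependency or runtime dependency, which is unusual enough to deserve a comment saying that its only effect is the sed in do_install that flips the unit's MemoryDenyWriteExecute. It also presumably relies on the installed systemd having been built with seccomp support, which holds when seccomp is in DISTRO_FEATURES but not necessarily when a user adds seccomp to PACKAGECONFIG by hand; a comment stating that expectation would help.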
@@ -115,6 +124,10 @@ do_install () {
-e s:/bin/kill:${base_bindir}/kill:g \
-e s:/usr/lib:${libdir}:g \
${UNPACKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+
+ if ${@bb.utils.contains('PACKAGECONFIG', 'seccomp', 'true', 'false', d)}; then
+ sed -i -e 's/^MemoryDenyWriteExecute=no$/MemoryDenyWriteExecute=yes/' ${D}${systemd_unitdir}/system/suricata.service
+ fi
fi
# Remove /var/run as it is created on startup
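Review bot: the sed matches the literal line '^MemoryDenyWriteExecute=no$' that the preceding sed pipeline copied from ${UNPACKDIR}/suricata.service; if that line is ever renamed, reordered or given trailing whitespace, the substitution silently does nothing and the build succeeds with the hardening off. Add a check after the sed so the mismatch fails the build instead, e.g. grep -q '^MemoryDenyWriteExecute=yes$' ${D}${systemd_unitdir}/system/suricata.service || bbfatal "MemoryDenyWriteExecute not enabled in suricata.service".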
--
2.51.0
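To confirm on a target that the directive actually bites, here is an added probe (my own example, not code from the patch, from Suricata or from systemd) that performs the two operations the linked manual page says MemoryDenyWriteExecute= prohibits: mapping anonymous memory PROT_READ|PROT_WRITE|PROT_EXEC, and upgrading an existing writable mapping to executable with mprotect, the call shown in the audit record above. The errno interpretation in classify() is an assumption drawn from how systemd and SELinux normally behave, not from the page: a seccomp-filtered syscall comes back EPERM, whereas the SELinux execmem denial in the commit message comes back EACCES. Run it once as a plain process and once as `systemd-run --wait --pipe -p MemoryDenyWriteExecute=yes python3 probe_wx.py` and compare the verdicts.

```python
"""Probe whether writable+executable memory is permitted for this process."""
import ctypes
import errno
import mmap

PAGE = mmap.PAGESIZE
PROT_RWX = mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC

# mprotect() is not exposed by the mmap module, so call libc directly.
_libc = ctypes.CDLL(None, use_errno=True)
_libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
_libc.mprotect.restype = ctypes.c_int


def classify(err):
    """Map an errno (0 = success) to a verdict. The EPERM/EACCES split is an
    assumption about systemd's seccomp filter vs. SELinux execmem, not from the patch."""
    if err == 0:
        return "allowed"
    if err == errno.EPERM:
        return "denied: EPERM (seccomp, e.g. MemoryDenyWriteExecute=yes)"
    if err == errno.EACCES:
        return "denied: EACCES (LSM policy, e.g. SELinux execmem)"
    return "denied: %s" % errno.errorcode.get(err, str(err))


def try_mmap_rwx():
    """Create an anonymous mapping that is writable and executable at once.
    Returns 0 on success or the errno the kernel reported."""
    try:
        m = mmap.mmap(-1, PAGE, flags=mmap.MAP_PRIVATE, prot=PROT_RWX)
    except OSError as e:
        return e.errno
    m.close()
    return 0


def try_mprotect_to_rwx():
    """Map RW, then ask the kernel to add PROT_EXEC: the mprotect() pattern
    from the audit record in the commit message. Returns 0 or an errno."""
    m = mmap.mmap(-1, PAGE, flags=mmap.MAP_PRIVATE,
                  prot=mmap.PROT_READ | mmap.PROT_WRITE)
    buf = (ctypes.c_char * PAGE).from_buffer(m)   # borrow the page's address
    rc = _libc.mprotect(ctypes.addressof(buf), PAGE, PROT_RWX)
    err = ctypes.get_errno() if rc != 0 else 0
    del buf          # release the exported buffer so close() is permitted
    m.close()
    return err


def probe():
    """Run both checks and return {check name: verdict}."""
    return {
        "mmap_rwx": classify(try_mmap_rwx()),
        "mprotect_to_rwx": classify(try_mprotect_to_rwx()),
    }


if __name__ == "__main__":
    for name, verdict in probe().items():
        print("%-16s %s" % (name, verdict))
```

Both checks reporting "allowed" under the unit means the directive is not in effect (for instance systemd built without seccomp, or the sed in do_install never matched); under a unit with MemoryDenyWriteExecute=yes both should be denied. Note that unlike the audit record, a seccomp denial leaves no AVC line, so this probe is the only direct evidence that the mapping was refused.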
* [meta-lts-security][whinlatter][PATCH 3/3] dm-verity-img.bbclass: filter units from value part
From: Scott Murray @ 2026-01-19 20:31 UTC (permalink / raw)
To: yocto-patches; +Cc: Marta Rybczynska
From: Stephan Wurm <stephan.wurm@a-eberle.de>
This is necessary for cryptsetup starting from v2.8.0, which introduced
"[units]" in its output, breaking the parsing of veritysetup output.
VERITY header information for image-poky-20250701085433.squashfs-zst.verity.
UUID: 5dc16c55-79b8-4988-9d79-900f8e143f98
Hash type: 1
Data blocks: 40091
Data block size: 4096 [bytes]
Hash blocks: 318
Hash block size: 4096 [bytes]
Hash algorithm: sha256
Salt: f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b
Root hash: a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693
This extends the value filter to remove the "[units]" from the .env file,
while retaining compatibility with older cryptsetup releases.
Signed-off-by: Stephan Wurm <stephan.wurm@a-eberle.de>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
classes/dm-verity-img.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass
index 47f698c..48557e9 100644
--- a/classes/dm-verity-img.bbclass
+++ b/classes/dm-verity-img.bbclass
@@ -71,12 +71,12 @@ process_verity() {
# two parts into separate variables and process them separately. For the
# key part: convert the names to upper case and replace spaces with
# underscores to create correct shell variable names. For the value part:
- # just trim all white-spaces.
+ # just trim all white-spaces and remove units.
IFS=":"
while read KEY VAL; do
printf '%s=%s\n' \
"$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
- "$(echo "$VAL" | tr -d ' \t')" >> $ENV
+ "$(echo "$VAL" | tr -d ' \t' | sed 's/\[.*\]//')" >> $ENV
done
# Add partition size
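Review bot: the new 's/\[.*\]//' is unanchored and greedy, so it deletes everything from the first '[' to the last ']' anywhere in the value, not just a trailing unit; for the fields listed in the commit message ('4096 [bytes]') that is harmless, but any value that legitimately contained brackets would be truncated. Anchoring to the end of the value, e.g. sed 's/\[[^]]*\]$//', strips exactly one trailing '[unit]' and still leaves pre-2.8.0 output untouched. The updated comment could also mention that lines without a ':' (the 'VERITY header information for ...' banner in the message) still pass through the read loop with an empty VAL; that is pre-existing behaviour, not changed here.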
--
2.51.0
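As an added example (my own code, not part of dm-verity-img.bbclass or of this patch) that generalises the read loop above: a Python port of the KEY/VALUE transformation that accepts both pre-2.8.0 and 2.8.0 veritysetup output. The two samples are constructed copies of the listing in the commit message, the old-style one derived by dropping the "[bytes]" suffix. Two deliberate differences from the shell loop, stated here so nobody mistakes them for the class's behaviour: lines without a ':' separator (the "VERITY header information for ..." banner) are skipped instead of being emitted with an empty value, and only one trailing "[unit]" is stripped rather than any bracketed text.

```python
"""Parse `veritysetup format` output into the KEY=VALUE form a .env file needs."""
import re

# Constructed sample, spaced as cryptsetup >= 2.8.0 prints it (values from the
# commit message, including the "[bytes]" units that broke the old filter).
SAMPLE_NEW = """\
VERITY header information for image-poky-20250701085433.squashfs-zst.verity.
UUID:            5dc16c55-79b8-4988-9d79-900f8e143f98
Hash type:       1
Data blocks:     40091
Data block size: 4096 [bytes]
Hash blocks:     318
Hash block size: 4096 [bytes]
Hash algorithm:  sha256
Salt:            f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b
Root hash:       a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693
"""

# Constructed old-style sample: the same data without unit suffixes.
SAMPLE_OLD = re.sub(r" \[bytes\]", "", SAMPLE_NEW)

# One bracketed unit at the very end of the (already blank-free) value.
_UNIT_SUFFIX = re.compile(r"\[[^\]]*\]$")


def shell_var_name(key):
    """'Data block size' -> 'DATA_BLOCK_SIZE', mirroring
    tr '[:lower:]' '[:upper:]' | sed 's/ /_/g' in the class."""
    return key.strip().upper().replace(" ", "_")


def clean_value(val):
    """Drop all blanks (tr -d ' \\t'), then a single trailing '[unit]'."""
    val = re.sub(r"[ \t]", "", val)
    return _UNIT_SUFFIX.sub("", val)


def parse_veritysetup(text):
    """Return an ordered dict of shell-safe names to unit-free values."""
    env = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # banner line, no key/value pair
        key, val = line.split(":", 1)     # same split as IFS=":" read KEY VAL
        env[shell_var_name(key)] = clean_value(val)
    return env


def to_env(text):
    """Render as the KEY=VALUE lines the class appends to $ENV."""
    return "".join("%s=%s\n" % kv for kv in parse_veritysetup(text).items())


if __name__ == "__main__":
    print(to_env(SAMPLE_NEW), end="")
```

The regression the patch fixes is visible in the DATA_BLOCK_SIZE and HASH_BLOCK_SIZE fields: without the unit strip they would read 4096[bytes] and break any arithmetic a consumer of the .env file does on them. Parsing both samples to the same dict is the compatibility check the commit message describes.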