Alberto Planas Dominguez
aac8831159
- actix-web update moves rustls as feature (bsc#1223234, CVE-2024-32650) - Update to version 0.2.4~39: * build(deps): bump openssl from 0.10.63 to 0.10.64 * build(deps): bump h2 from 0.3.24 to 0.3.26 * build(deps): bump serde_json from 1.0.107 to 1.0.116 * build(deps): bump actix-web from 4.4.1 to 4.5.1 * crypto: Enable TLS 1.3 * build(deps): bump tempfile from 3.9.0 to 3.10.1 * build(deps): bump mio from 0.8.4 to 0.8.11 * enable hex values to be used for tpm_ownerpassword * config: Support IPv6 with or without brackets * keylime: Implement a simple IP parser to remove brackets * crypto: Implement CertificateBuilder to generate certificates * tests: Fix coverage download by supporting arbitrary URL * cargo: Add testing feature to keylime library * Set X509 SAN with local DNSname/IP/IPv6 * Include newest Node20 versions for Github actions * tpm: Add unit test for uncovered public functions * crypto: Implement ECC key generation support * crypto: Add test for match_cert_to_template() * Fix minor typo, format and remove end whitespaces * crypto: Make error types less specific * tests/run.sh: Run tarpaulin with a single thread * payloads: Remove explicit drop of channel transmitter * crypto: Move to keylime library * crypto: Add specific type for every possible error * tpm: Rename origin of error as source in structures * list_parser: Add source for error for backtrace * algorithms: Make errors more specific * typo fix for default path to measured boot log file * README: remove mentions of libarchive as a dependency * Dockerfile.wolfi: Update clang to version 17 * docker: Remove libarchive as a dependency * rpm: Remove libarchive from dependencies * cargo: Replace compress-tools with zip crate * cargo: Bump ahash to version 0.8.7 * build(deps): bump serde from 1.0.195 to 1.0.196 * build(deps): bump libc from 0.2.152 to 0.2.153 * build(deps): bump reqwest from 0.11.23 to 0.11.24 * docker: Install configuration file in the correct path * config: Make IAK/IDevID disabled by default OBS-URL: https://build.opensuse.org/request/show/1171003 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=67
# Notes about the IMA policy This IMA policy is provided as an example that can be later adapted to more specific usage. This was generated from a default tcb IMA policy from a 6.1.12 Linux kernel, and extended with SELinux file types to filter out the part of the system that we usually do not want to measure. To use this policy, we need to copy it in "/etc/ima/ima-policy" and systemd will load it after the SELinux policy has been loaded. For this example, we used the initial set of SELinux attributes, that group the file types under categories. From that list we selected some of those attribute to deep more into the types that can be relevant for the IMA policy: seinfo -a The current selection cover full or partially the types under those attributes: base_file_type base_ro_file_type configfile file_type files_unconfined_type init_script_file_type init_sock_file_type lockfile logfile non_auth_file_type non_security_file_type openshift_file_type pidfile pulseaudio_tmpfsfile security_file_type setfiles_domain spoolfile svirt_file_type systemd_unit_file_type tmpfile tmpfsfile Special mention to non_auth_file_type and non_security_file_type (among other liske logfile or tmpfile), that should cover the most relevant types of the dynamic part of the system. The list should also include types from other attributes like virt_image_type and others (see the policy file comments from a complete list). Sometimes is important to see what files are labeled under a specific type, and for that we can use this: semanage fcontext -l | grep $TYPE