summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosé Bollo <jose.bollo@iot.bzh>2016-10-14 13:25:07 +0200
committerJosé Bollo <jose.bollo@iot.bzh>2016-10-24 09:49:39 +0200
commiteadecc11aac1b0de7a0841213f647e35ccf5a6a1 (patch)
treedb443902bd5ce9b9081373c81458ee1d1cbf6585
parente05a392cf438438bf5636dfc31f95c40b27b67a8 (diff)
FWK: Adaptations for jethro
Since introduction of ambient capabilities, systemd deprecated the use of Capabilities. With systemd 229 activated with krogoth, the use of Capabilities does nothing. This commits avoids to use SecureBits and Capabilities. It now relies on the fact that post installations are setting the capabilities to the file: - setcap cap_mac_override,cap_dac_override=ep afm-system-daemon - setcap cap_mac_override,cap_mac_admin,cap_setgid=ep afm-user-daemon Using p (permitted) instead of i (inherited) that was previously used. It also includes evolutions of the security model to be synchronized with the deletion of 'User'. The recommended version to use now is the commit 20bbb97f6d5400b126ae96ef446c3e60c7e16285. Change-Id: Id24ce7c7651e2fdf8d66b6e8286268e7d88508a0 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-rw-r--r--meta-app-framework/recipes-core/af-main/af-main_1.0.bb20
-rw-r--r--meta-app-framework/recipes-core/af-main/af-main_1.0.inc2
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch50
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend4
4 files changed, 71 insertions, 5 deletions
diff --git a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb
index 75cdcc3..d8d7af4 100644
--- a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb
+++ b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb
@@ -52,18 +52,30 @@ do_install_append() {
fi
}
+do_install_append_smack () {
+ install -d ${D}/${sysconfdir}/smack/accesses.d
+ cat > ${D}/${sysconfdir}/smack/accesses.d/default-access-domains-no-user <<EOF
+System User::App-Shared rwxat
+System User::Home rwxat
+EOF
+ chmod 0644 ${D}/${sysconfdir}/smack/accesses.d/default-access-domains-no-user
+ install -d ${D}/${sysconfdir}/skel/app-data
+ chsmack -a 'User::Home' -t -D ${D}/${sysconfdir}/skel
+ chsmack -a 'User::App-Shared' -D ${D}/${sysconfdir}/skel/app-data
+}
+
pkg_postinst_${PN}() {
mkdir -p $D${afm_datadir}/applications $D${afm_datadir}/icons
- setcap cap_mac_override,cap_dac_override=ie $D${bindir}/afm-system-daemon
- setcap cap_mac_override,cap_mac_admin,cap_setgid=ie $D${bindir}/afm-user-daemon
+ setcap cap_mac_override,cap_dac_override=ep $D${bindir}/afm-system-daemon
+ setcap cap_mac_override,cap_mac_admin,cap_setgid=ep $D${bindir}/afm-user-daemon
}
pkg_postinst_${PN}_smack() {
mkdir -p $D${afm_datadir}/applications $D${afm_datadir}/icons
chown ${afm_name}:${afm_name} $D${afm_datadir} $D${afm_datadir}/applications $D${afm_datadir}/icons
chsmack -a 'System::Shared' -t $D${afm_datadir} $D${afm_datadir}/applications $D${afm_datadir}/icons
- setcap cap_mac_override,cap_dac_override=ie $D${bindir}/afm-system-daemon
- setcap cap_mac_override,cap_mac_admin,cap_setgid=ie $D${bindir}/afm-user-daemon
+ setcap cap_mac_override,cap_dac_override=ep $D${bindir}/afm-system-daemon
+ setcap cap_mac_override,cap_mac_admin,cap_setgid=ep $D${bindir}/afm-user-daemon
}
PACKAGES =+ "${PN}-binding ${PN}-binding-dbg"
diff --git a/meta-app-framework/recipes-core/af-main/af-main_1.0.inc b/meta-app-framework/recipes-core/af-main/af-main_1.0.inc
index aff685f..880654e 100644
--- a/meta-app-framework/recipes-core/af-main/af-main_1.0.inc
+++ b/meta-app-framework/recipes-core/af-main/af-main_1.0.inc
@@ -14,7 +14,7 @@ SRC_URI = "${SRC_URI_git} \
${SRC_URI_files} \
"
-SRCREV = "970a20a55d3a7dba32360ce596e61a2b32c9f4ee"
+SRCREV = "c31038db1cff938d7fa1f12f757c1c57ab51c0bd"
S = "${WORKDIR}/git"
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch
new file mode 100644
index 0000000..4c91f7f
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch
@@ -0,0 +1,50 @@
+From 935e4e4e746b5ffcda80c80097dc75c2581c1a89 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Wed, 19 Oct 2016 13:45:54 +0200
+Subject: [PATCH] Adapt rules to AGL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AGL distribution uses the repository https://github.com/01org/meta-intel-iot-security.git
+as basis for the integration of security framework. The security framework
+that it provides is an evolution of the security framework of tizen refited
+to the distribution Ostro of Intel. This refit took the decision to simplify
+the model by removing the running label "User". More can be viewed here:
+https://github.com/01org/meta-intel-iot-security/pull/116
+
+This commits adapt the template to the rules that are now needed
+after this evolution.
+
+It also integrates one other evolutions: the shared label becomes User::App-Shared instead
+of User::App::Shared to avoid collision with application of id "Shared".
+
+Change-Id: Ieb566b63f8c8e691b5f75e06499a3b576d042546
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ policy/app-rules-template.smack | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack
+index 1311169..b4cd2e3 100644
+--- a/policy/app-rules-template.smack
++++ b/policy/app-rules-template.smack
+@@ -1,12 +1,10 @@
+-System ~APP~ rwx
++System ~APP~ rwxa
++System ~PKG~ rwxat
+ ~APP~ System wx
+ ~APP~ System::Shared rx
+ ~APP~ System::Run rwxat
+ ~APP~ System::Log rwxa
+ ~APP~ _ l
+-User ~APP~ rwxa
+-User ~PKG~ rwxat
+-~APP~ User wx
+ ~APP~ User::Home rxl
+-~APP~ User::App::Shared rwxat
++~APP~ User::App-Shared rwxat
+ ~APP~ ~PKG~ rwxat
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend
new file mode 100644
index 0000000..d3a110d
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:"
+
+SRC_URI += " file://0001-Adapt-rules-to-AGL.patch "
+