diff options
author | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2016-12-14 18:24:09 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@automotivelinux.org> | 2016-12-14 18:24:09 +0000 |
commit | 6bcddb9900436c82b08039fa97de9bb057810c4e (patch) | |
tree | fb578d47ca75f50352b72f83f314091a98fe47d2 | |
parent | b6960b346e4efc0f74a0618744d4decc05358258 (diff) | |
parent | 524e55787139d2eb728106871499023daa95aba6 (diff) |
Merge "Move all writable data used by security-manager and appfw to /var"
9 files changed, 270 insertions, 9 deletions
diff --git a/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.service b/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.service new file mode 100644 index 0000000..7e3b9e4 --- /dev/null +++ b/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.service @@ -0,0 +1,15 @@ +# +# Install security-manager DB to /var + +[Unit] +Description=Deploy AFM directories to /var +After=sysinit.target +Before=afm-system-daemon.service +Before=afm-user-daemon.service + +[Install] +WantedBy=default.target + +[Service] +Type=oneshot +ExecStart=/usr/bin/init-afm-dirs.sh diff --git a/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.sh b/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.sh new file mode 100644 index 0000000..97cf272 --- /dev/null +++ b/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +if [ ! -e "/var/lib/afm" ]; then + mkdir -p /var/lib + cp -ra /usr/share/afm /var/lib +fi + diff --git a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb index 611307f..834e293 100644 --- a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb +++ b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb @@ -16,7 +16,8 @@ DEPENDS_class-native = "openssl libxml2 xmlsec1 libzip" afm_name = "afm" afm_confdir = "${sysconfdir}/${afm_name}" -afm_datadir = "${datadir}/${afm_name}" +afm_datadir = "/var/lib/${afm_name}" +afm_init_datadir = "${datadir}/${afm_name}" afb_binding_dir = "${libdir}/afb" EXTRA_OECMAKE_class-native = "\ @@ -46,8 +47,12 @@ GROUPADD_PARAM_${PN} = "-r ${afm_name}" SYSTEMD_SERVICE_${PN} = "afm-system-daemon.service" SYSTEMD_AUTO_ENABLE = "enable" +SRC_URI_append = "file://init-afm-dirs.sh \ + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://init-afm-dirs.service', '', d)}" + FILES_${PN} += "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_user_unitdir}/afm-user-daemon.service', '', d)} \ + ${bindir}/init-afm-dirs.sh \ + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_user_unitdir}/afm-user-daemon.service ${systemd_unitdir}/system/init-afm-dirs.service', '', d)} \ " RDEPENDS_${PN}_append_smack = " smack-userspace" @@ -60,9 +65,14 @@ SRC_URI += "\ " do_install_append() { + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/init-afm-dirs.sh ${D}${bindir} if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then mkdir -p ${D}${sysconfdir}/systemd/user/default.target.wants + mkdir -p ${D}${sysconfdir}/systemd/system/default.target.wants ln -sf ${systemd_user_unitdir}/afm-user-daemon.service ${D}${sysconfdir}/systemd/user/default.target.wants + install -p -D ${WORKDIR}/init-afm-dirs.service ${D}${systemd_unitdir}/system/init-afm-dirs.service + ln -sf ${systemd_unitdir}/system/init-afm-dirs.service ${D}${sysconfdir}/systemd/system/default.target.wants fi } @@ -79,15 +89,15 @@ EOF } pkg_postinst_${PN}() { - mkdir -p $D${afm_datadir}/applications $D${afm_datadir}/icons + mkdir -p $D${afm_init_datadir}/applications $D${afm_init_datadir}/icons setcap cap_mac_override,cap_dac_override=ep $D${bindir}/afm-system-daemon setcap cap_mac_override,cap_mac_admin,cap_setgid=ep $D${bindir}/afm-user-daemon } pkg_postinst_${PN}_smack() { - mkdir -p $D${afm_datadir}/applications $D${afm_datadir}/icons - chown ${afm_name}:${afm_name} $D${afm_datadir} $D${afm_datadir}/applications $D${afm_datadir}/icons - chsmack -a 'System::Shared' -t $D${afm_datadir} $D${afm_datadir}/applications $D${afm_datadir}/icons + mkdir -p $D${afm_init_datadir}/applications $D${afm_init_datadir}/icons + chown ${afm_name}:${afm_name} $D${afm_init_datadir} $D${afm_init_datadir}/applications $D${afm_init_datadir}/icons + chsmack -a 'System::Shared' -t $D${afm_init_datadir} $D${afm_init_datadir}/applications $D${afm_init_datadir}/icons setcap cap_mac_override,cap_dac_override=ep $D${bindir}/afm-system-daemon setcap cap_mac_override,cap_mac_admin,cap_setgid=ep $D${bindir}/afm-user-daemon } diff --git a/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb b/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb index 0169e6b..ba70c59 100644 --- a/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb +++ b/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb @@ -8,7 +8,7 @@ DEPENDS = "nativesdk-openssl nativesdk-libxml2 nativesdk-xmlsec1 nativesdk-libzi afm_name = "afm" afm_confdir = "${sysconfdir}/${afm_name}" -afm_datadir = "${datadir}/${afm_name}" +afm_datadir = "/var/lib/${afm_name}" EXTRA_OECMAKE = "\ -DUSE_LIBZIP=1 \ diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch new file mode 100644 index 0000000..4830db2 --- /dev/null +++ b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch @@ -0,0 +1,196 @@ +From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Mon, 16 Nov 2015 14:26:25 +0100 +Subject: [PATCH] Removing tizen-platform-config + +Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 +--- + policy/security-manager-policy-reload | 2 +- + src/common/file-lock.cpp | 4 +--- + src/common/include/file-lock.h | 1 - + src/common/include/privilege_db.h | 3 +-- + src/common/service_impl.cpp | 39 +++++++++++------------------------ + src/common/smack-rules.cpp | 12 ++++------- + 6 files changed, 19 insertions(+), 42 deletions(-) + +diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload +index 6f211c6..ed8047a 100755 +--- a/policy/security-manager-policy-reload ++++ b/policy/security-manager-policy-reload +@@ -2,7 +2,7 @@ + + POLICY_PATH=/usr/share/security-manager/policy + PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list +-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db ++DB_FILE=/var/db/security-manager/.security-manager.db + + # Create default buckets + while read bucket default_policy +diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp +index 6f3996c..1dada17 100644 +--- a/src/common/file-lock.cpp ++++ b/src/common/file-lock.cpp +@@ -30,9 +30,7 @@ + + namespace SecurityManager { + +-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, +- "lock", +- "security-manager.lock"); ++char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock"; + + FileLocker::FileLocker(const std::string &lockFile, bool blocking) + { +diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h +index 604b019..21a86a0 100644 +--- a/src/common/include/file-lock.h ++++ b/src/common/include/file-lock.h +@@ -29,7 +29,6 @@ + + #include <dpl/exception.h> + #include <dpl/noncopyable.h> +-#include <tzplatform_config.h> + + namespace SecurityManager { + +diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h +index 4d73d90..03c6680 100644 +--- a/src/common/include/privilege_db.h ++++ b/src/common/include/privilege_db.h +@@ -34,14 +34,13 @@ + #include <string> + + #include <dpl/db/sql_connection.h> +-#include <tzplatform_config.h> + + #ifndef PRIVILEGE_DB_H_ + #define PRIVILEGE_DB_H_ + + namespace SecurityManager { + +-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); ++const char *const PRIVILEGE_DB_PATH = "/var/db/security-manager/.security-manager.db"; + + enum class QueryType { + EGetPkgPrivileges, +diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp +index ae305d3..65cc8b5 100644 +--- a/src/common/service_impl.cpp ++++ b/src/common/service_impl.cpp +@@ -32,7 +32,6 @@ + #include <algorithm> + + #include <dpl/log/log.h> +-#include <tzplatform_config.h> + + #include "protocols.h" + #include "privilege_db.h" +@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, + + static uid_t getGlobalUserId(void) + { +- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); ++ static uid_t globaluid = 0; ++ if (!globaluid) { ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwnam_r("userapp", &pw, buf, sizeof buf, &p); ++ globaluid = (rc || p == NULL) ? 555 : p->pw_uid; ++ } + return globaluid; + } + +@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) + + static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) + { +- struct tzplatform_context *tz_ctx = nullptr; +- +- if (tzplatform_context_create(&tz_ctx)) +- return false; +- +- if (tzplatform_context_set_user(tz_ctx, uid)) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); ++ if (rc || p == NULL) + return false; +- } +- +- enum tzplatform_variable id = +- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP; +- const char *appDir = tzplatform_context_getenv(tz_ctx, id); +- if (!appDir) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- return false; +- } +- +- userAppDir = appDir; +- +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- ++ userAppDir = p->pw_dir; + return true; + } + + static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) + { +- std::string userHome; + std::string userAppDir; + std::stringstream correctPath; + +diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp +index d834e42..8b5728b 100644 +--- a/src/common/smack-rules.cpp ++++ b/src/common/smack-rules.cpp +@@ -34,7 +34,6 @@ + #include <memory> + + #include <dpl/log/log.h> +-#include <tzplatform_config.h> + + #include "smack-labels.h" + #include "smack-rules.h" +@@ -43,7 +42,7 @@ namespace SecurityManager { + + const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; + const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; +-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); ++const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack"; + const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; + + SmackRules::SmackRules() +@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon + + std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); +- return path; ++ return "/etc/smack/accesses.d/pkg_" + pkgId; + } + + std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); +- return path; ++ return "/etc/smack/accesses.d/app_" + appId; + } + void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, + const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) +@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con + for (auto privilege : privileges) { + if (privilege.empty()) + continue; +- std::string fprivilege ( privilege + "-template.smack"); +- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); ++ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack"; + if( stat(path.c_str(), &buffer) == 0) + smackRules.addFromTemplateFile(appId, pkgId, path); + } +-- +2.1.4 + diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service new file mode 100644 index 0000000..8ed5e86 --- /dev/null +++ b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service @@ -0,0 +1,15 @@ +# +# Install security-manager DB to /var + +[Unit] +Description=Install Security Manager database +After=sysinit.target +Before=security-manager.service + +[Install] +WantedBy=default.target + +[Service] +Type=oneshot +User=root +ExecStart=/usr/bin/init-security-manager-db.sh diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh new file mode 100644 index 0000000..ef41286 --- /dev/null +++ b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +if [ ! -e "/var/db/security-manager" ]; then + mkdir -p /var/db + cp -ra /usr/dbspace/ /var/db/security-manager +fi diff --git a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend index d3a110d..b4b5e01 100644 --- a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend +++ b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend @@ -1,4 +1,16 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:" -SRC_URI += " file://0001-Adapt-rules-to-AGL.patch " +SRC_URI += " file://0001-Adapt-rules-to-AGL.patch \ + file://init-security-manager-db.service \ + file://init-security-manager-db.sh" +SYSTEMD_SERVICE_${PN} = "init-security-manager-db.service" + +FILES_${PN}_append = "${bindir}/init-security-manager-db.sh" + +do_install_append () { + install -p -D ${WORKDIR}/init-security-manager-db.sh ${D}${bindir}/init-security-manager-db.sh + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -p -D ${WORKDIR}/init-security-manager-db.service ${D}${systemd_unitdir}/system/init-security-manager-db.service + fi +} diff --git a/meta-app-framework/recipes-example/afm-client/files/afm-client.service b/meta-app-framework/recipes-example/afm-client/files/afm-client.service index 688c91f..7357174 100644 --- a/meta-app-framework/recipes-example/afm-client/files/afm-client.service +++ b/meta-app-framework/recipes-example/afm-client/files/afm-client.service @@ -2,7 +2,7 @@ Description=Simplest application manager [Service] -ExecStart=/usr/bin/afb-daemon --mode=remote --port=1234 --token='' --sessiondir=/home/root/.afb-daemon --rootdir=/usr/share/agl/afm-client --alias=/icons:/usr/share/afm/icons +ExecStart=/usr/bin/afb-daemon --mode=remote --port=1234 --token='' --sessiondir=/home/root/.afb-daemon --rootdir=/usr/share/agl/afm-client --alias=/icons:/var/lib/afm/icons Restart=on-failure RestartSec=5 |