From 497d7db5bfc71367c6393a09a2f768b812fce83f Mon Sep 17 00:00:00 2001 From: Stephane Desneux Date: Mon, 27 Mar 2017 15:37:07 +0200 Subject: Migrate meta-app-framework to meta-agl Application Framework is now part of core AGL components and has been moved from meta-agl-extra to meta-agl. Bug-AGL: SPEC-448 The commit history has been kept and the following commits have been moved from meta-agl-extra to meta-agl: e08fc10 2017-03-14 13:07:12 +0100 jose.bollo@iot.bzh Move to AGL framework on top of systemd 8bdc96f 2017-03-24 16:15:04 +0100 ronan.lemartret@iot.bzh Rename webruntime DISTRO_FEATURES 02faef6 2017-03-14 12:50:03 +0100 jose.bollo@iot.bzh Upgrade application framework 9731d66 2017-03-08 14:19:42 +0100 jose.bollo@iot.bzh base-files for the framework ed214a2 2017-03-06 17:19:16 +0100 jose.bollo@iot.bzh Ensure that eXtended Attributes are managed 2969a9f 2017-03-07 17:30:18 +0100 jose.bollo@iot.bzh shadow: 'useradd' copies root's extended attributes e159294 2017-03-08 13:15:58 +0100 jose.bollo@iot.bzh Removes systemd warnings d19db32 2017-03-06 17:11:33 +0100 ronan.lemartret@iot.bzh Add service dependency on run-agl-postinsts d3a02ef 2017-02-23 23:41:45 +0700 tranmanphong@gmail.com Fix the error of homescreen for QEMU x86-64 913a263 2017-02-23 11:03:08 +0100 ronan.lemartret@iot.bzh Update af-main d36e635 2017-02-17 14:35:31 +0100 stephane.desneux@iot.bzh aglwgt.bbclass: fix bashism 72265ee 2017-02-16 18:03:32 +0100 ronan.lemartret@iot.bzh Add dependency to images f3292e8 2017-02-15 17:02:52 +0100 ronan.lemartret@iot.bzh Allowed wgt app to auto-install at the first boot 347aa4d 2017-02-15 16:54:11 +0100 ronan.lemartret@iot.bzh Add afm-install used to install wgt at first boot 9153078 2017-01-20 16:30:39 +0100 ronan.lemartret@iot.bzh Move feature code into the meta recipes b5ce617 2017-01-16 19:43:03 +0100 jsmoeller@linuxfoundation.org Add missing DEPENDS to af-binder ba2ad47 2016-10-25 16:11:27 +0200 ronan.lemartret@iot.bzh fix for gcc6 build 8f15654 2016-10-14 14:21:15 +0200 ronan.lemartret@iot.bzh fix libcap patch 24b96c4 2017-01-03 11:46:04 +0100 jose.bollo@iot.bzh Activates threading and hook features f518d36 2017-01-02 17:10:24 +0100 ronan.lemartret@iot.bzh add fakeroot to aglwgt_deploy task 4c81238 2016-12-28 20:45:11 +0100 jsmoeller@linuxfoundation.org Be more precise in addtask a930811 2016-12-28 19:15:54 +0100 jsmoeller@linuxfoundation.org Fix whitespace in aglwgt bbclass de41ad3 2016-12-28 14:54:42 +0100 jsmoeller@linuxfoundation.org Add aglwgt class 5999238 2016-12-20 15:45:34 +0100 jose.bollo@iot.bzh Authorize the requested permissions a79a010 2016-12-16 12:37:44 +0100 anton@advancedtelematic.com Don't override SYSTEMD_SERVICE of original recipe. b6960b3 2016-12-14 16:34:29 +0100 stephane.desneux@iot.bzh af-main: remove --roothttp option from afm-launch.conf 524e557 2016-12-14 14:08:16 +0100 anton@advancedtelematic.com Move all writable data used by security-manager and appfw to /var d32c40a 2016-12-14 11:26:23 +0100 jose.bollo@iot.bzh af-main: fix exec flag and case sensitive ids 9e930f5 2016-12-07 19:58:18 +0100 ronan.lemartret@iot.bzh add native build for af-main 5b8d3a4 2016-12-05 10:16:12 +0100 stephane.desneux@iot.bzh agl-appfw-smack: remove dependency on meta-agl-security f45014a 2016-11-21 15:37:32 +0100 jose.bollo@iot.bzh Improves places for QT_WAYLAND_SHELL_INTEGRATION d1c5151 2016-11-17 16:26:32 +0100 jose.bollo@iot.bzh smack: removed already applied patch f0d8be8 2016-11-16 13:27:36 +0100 jose.bollo@iot.bzh appfwk: improvements 1d8243b 2016-11-10 12:46:59 +0100 stephane.desneux@iot.bzh meta-app-framework: fix unpackaged files in nativesdk-af-main 4da956c 2016-11-03 11:30:25 +0100 jose.bollo@iot.bzh Smack: add audit when smack is active c6b0317 2016-11-08 11:38:51 +0100 jose.bollo@iot.bzh web-runtime: provide IVI tuning for porter c294b3a 2016-11-08 17:27:51 +0100 jose.bollo@iot.bzh af-main: update c50805d 2016-11-03 11:26:17 +0100 jose.bollo@iot.bzh Smack: fixup of bluetooth socket labelling ce583cd 2016-11-01 15:52:09 +0100 ronan.lemartret@iot.bzh Allow build without meta-agl-demo eadecc1 2016-10-14 13:25:07 +0200 jose.bollo@iot.bzh FWK: Adaptations for jethro 111007a 2016-09-20 14:40:51 +0200 jose.bollo@iot.bzh app-framework: Improvements 53ae34d 2016-09-05 17:13:10 +0200 jose.bollo@iot.bzh app-framework: improvements 8303ea3 2016-08-29 23:25:25 +0200 jose.bollo@iot.bzh Improves the handling of upgrade for websockets 2b33f74 2016-08-10 18:44:15 +0200 jose.bollo@iot.bzh app-framework: fix minor bugs 73771f1 2016-07-18 15:48:59 +0000 mbc@iot.bzh meta-app-framework: install missing libafbwsc library edf0c91 2016-07-15 11:56:18 +0000 stephane.desneux@iot.bzh meta-app-framework: sync with latest af-main sources f848612 2016-07-12 14:17:37 +0000 stephane.desneux@iot.bzh meta-app-framework: sync with latest af-binder sources d277fb2 2016-07-11 21:05:55 +0000 stephane.desneux@iot.bzh meta-app-framework: add missing dependency between af-binder-dev and libafbwsc-dev 17fd881 2016-07-10 17:53:06 +0000 stephane.desneux@iot.bzh meta-app-framework: af-binder must create ${libdir}/afb at postinst time c664012 2016-07-08 15:08:25 +0000 stephane.desneux@iot.bzh meta-app-framework: add af-main-tools and dependencies in nativesdk-packagegroup-sdk-host d7a5a54 2016-07-08 14:24:51 +0000 stephane.desneux@iot.bzh meta-app-framework: af-binder source code update 68dde03 2016-07-05 16:04:51 +0000 stephane.desneux@iot.bzh meta-app-framework: build master branch f3b34f5 2016-06-28 22:13:58 +0000 stephane.desneux@iot.bzh add features agl-demo, agl-appfw-smack and agl-localdev f4b76be 2016-06-28 21:34:29 +0000 stephane.desneux@iot.bzh add feature agl-appfw-smack e80d00c 2016-06-24 11:01:25 +0200 jose.bollo@iot.bzh upgrade to new namings and bug fixes 7cd29bd 2016-06-23 16:00:59 +0000 stephane.desneux@iot.bzh add layer meta-app-framework Change-Id: I4ee34dfd8810ae6f10435308b1005e11e03bd05a Signed-off-by: Stephane Desneux --- .../recipes-kernel/linux/linux-%.bbappend | 3 - .../recipes-kernel/linux/linux-yocto_4.1.bbappend | 12 ---- .../recipes-kernel/linux/linux-yocto_4.4.bbappend | 11 ---- .../recipes-kernel/linux/linux/audit.cfg | 2 - .../0001-Smack-File-receive-for-sockets.patch | 62 --------------------- .../0002-smack-fix-cache-of-access-labels.patch | 43 -------------- ...ack-ignore-null-signal-in-smack_task_kill.patch | 39 ------------- ...n-smack_known_web-label-for-kernel-thread.patch | 49 ---------------- .../0001-Smack-File-receive-for-sockets.patch | 65 ---------------------- .../0002-smack-fix-cache-of-access-labels.patch | 43 -------------- ...ack-ignore-null-signal-in-smack_task_kill.patch | 39 ------------- ...n-smack_known_web-label-for-kernel-thread.patch | 49 ---------------- 12 files changed, 417 deletions(-) delete mode 100644 meta-app-framework/recipes-kernel/linux/linux-%.bbappend delete mode 100644 meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend delete mode 100644 meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend delete mode 100644 meta-app-framework/recipes-kernel/linux/linux/audit.cfg delete mode 100644 meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch delete mode 100644 meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch delete mode 100644 meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch delete mode 100644 meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch delete mode 100644 meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch delete mode 100644 meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch delete mode 100644 meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch delete mode 100644 meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch (limited to 'meta-app-framework/recipes-kernel') diff --git a/meta-app-framework/recipes-kernel/linux/linux-%.bbappend b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend deleted file mode 100644 index 02595ef..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux-%.bbappend +++ /dev/null @@ -1,3 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" -SRC_URI_append_smack = " file://audit.cfg" - diff --git a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend deleted file mode 100644 index c1c6572..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend +++ /dev/null @@ -1,12 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux/linux-yocto-4.1:" - -#------------------------------------------------------------------------- -# smack patches for handling bluetooth - -SRC_URI_append_smack = "\ - file://0001-Smack-File-receive-for-sockets.patch \ - file://0002-smack-fix-cache-of-access-labels.patch \ - file://0003-Smack-ignore-null-signal-in-smack_task_kill.patch \ - file://0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch \ -" - diff --git a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend deleted file mode 100644 index 51df087..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend +++ /dev/null @@ -1,11 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux/linux-yocto-4.4:" - -#------------------------------------------------------------------------- -# smack patches for handling bluetooth - -SRC_URI_append_smack = "\ - file://0002-smack-fix-cache-of-access-labels.patch \ - file://0003-Smack-ignore-null-signal-in-smack_task_kill.patch \ - file://0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch \ -" - diff --git a/meta-app-framework/recipes-kernel/linux/linux/audit.cfg b/meta-app-framework/recipes-kernel/linux/linux/audit.cfg deleted file mode 100644 index 214dbe3..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux/audit.cfg +++ /dev/null @@ -1,2 +0,0 @@ -CONFIG_AUDIT=y -CONFIG_AUDITSYSCALL=y diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch deleted file mode 100644 index b0c5ee8..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 2e65b888820ea372984d412cee3bd7dcba05d7d2 Mon Sep 17 00:00:00 2001 -From: Casey Schaufler -Date: Mon, 7 Dec 2015 14:34:32 -0800 -Subject: [PATCH 1/4] Smack: File receive for sockets - -The existing file receive hook checks for access on -the file inode even for UDS. This is not right, as -the inode is not used by Smack to make access checks -for sockets. This change checks for an appropriate -access relationship between the receiving (current) -process and the socket. If the process can't write -to the socket's send label or the socket's receive -label can't write to the process fail. - -This will allow the legitimate cases, where the -socket sender and socket receiver can freely communicate. -Only strangly set socket labels should cause a problem. - -Signed-off-by: Casey Schaufler ---- - security/smack/smack_lsm.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index b644757..487b2f3 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -1672,9 +1672,31 @@ static int smack_file_receive(struct file *file) - int may = 0; - struct smk_audit_info ad; - struct inode *inode = file_inode(file); -+ struct socket *sock; -+ struct task_smack *tsp; -+ struct socket_smack *ssp; - - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); - smk_ad_setfield_u_fs_path(&ad, file->f_path); -+ -+ if (S_ISSOCK(inode->i_mode)) { -+ sock = SOCKET_I(inode); -+ ssp = sock->sk->sk_security; -+ tsp = current_security(); -+ /* -+ * If the receiving process can't write to the -+ * passed socket or if the passed socket can't -+ * write to the receiving process don't accept -+ * the passed socket. -+ */ -+ rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); -+ rc = smk_bu_file(file, may, rc); -+ if (rc < 0) -+ return rc; -+ rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); -+ rc = smk_bu_file(file, may, rc); -+ return rc; -+ } - /* - * This code relies on bitmasks. - */ --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch deleted file mode 100644 index 51c3b31..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 5bcea0fc4e5360deca133e211fdc76717a1693a4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= -Date: Tue, 12 Jan 2016 21:23:40 +0100 -Subject: [PATCH 2/4] smack: fix cache of access labels -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Before this commit, removing the access property of -a file, aka, the extended attribute security.SMACK64 -was not effictive until the cache had been cleaned. - -This patch fixes that problem. - -Signed-off-by: José Bollo -Acked-by: Casey Schaufler ---- - security/smack/smack_lsm.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index 487b2f3..b9393e3 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -1256,9 +1256,13 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name) - * Don't do anything special for these. - * XATTR_NAME_SMACKIPIN - * XATTR_NAME_SMACKIPOUT -- * XATTR_NAME_SMACKEXEC - */ -- if (strcmp(name, XATTR_NAME_SMACK) == 0) -+ if (strcmp(name, XATTR_NAME_SMACK) == 0) { -+ struct super_block *sbp = d_backing_inode(dentry)->i_sb; -+ struct superblock_smack *sbsp = sbp->s_security; -+ -+ isp->smk_inode = sbsp->smk_default; -+ } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) - isp->smk_task = NULL; - else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) - isp->smk_mmap = NULL; --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch deleted file mode 100644 index 67761ae..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch +++ /dev/null @@ -1,39 +0,0 @@ -From aa63c4f8ece0c54a9be735ac38667f11fcd6f44a Mon Sep 17 00:00:00 2001 -From: Rafal Krypa -Date: Mon, 4 Apr 2016 11:14:53 +0200 -Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill - -Kill with signal number 0 is commonly used for checking PID existence. -Smack treated such cases like any other kills, although no signal is -actually delivered when sig == 0. - -Checking permissions when sig == 0 didn't prevent an unprivileged caller -from learning whether PID exists or not. When it existed, kernel returned -EPERM, when it didn't - ESRCH. The only effect of policy check in such -case is noise in audit logs. - -This change lets Smack silently ignore kill() invocations with sig == 0. - -Signed-off-by: Rafal Krypa -Acked-by: Casey Schaufler ---- - security/smack/smack_lsm.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index b9393e3..c916f58 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -2056,6 +2056,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, - struct smack_known *tkp = smk_of_task_struct(p); - int rc; - -+ if (!sig) -+ return 0; /* null signal; existence test */ -+ - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); - smk_ad_setfield_u_tsk(&ad, p); - /* --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch deleted file mode 100644 index 4281c20..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch +++ /dev/null @@ -1,49 +0,0 @@ -From b2b9e7ec8e79ede841104f76464f4b77c057b011 Mon Sep 17 00:00:00 2001 -From: jooseong lee -Date: Thu, 3 Nov 2016 10:55:43 +0100 -Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook - -Creating struct sock by sk_alloc function in various kernel subsystems -like bluetooth dosen't call smack_socket_post_create(). In such case, -received sock label is the floor('_') label and makes access deny. - -Refers-to: https://review.tizen.org/gerrit/#/c/80717/4 - -Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8 -Signed-off-by: jooseong lee -Signed-off-by: José Bollo ---- - security/smack/smack_lsm.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index c916f58..cc6769b 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -2138,8 +2138,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) - if (ssp == NULL) - return -ENOMEM; - -- ssp->smk_in = skp; -- ssp->smk_out = skp; -+ /* -+ * Sockets created by kernel threads receive web label. -+ */ -+ if (unlikely(current->flags & PF_KTHREAD)) { -+ ssp->smk_in = &smack_known_web; -+ ssp->smk_out = &smack_known_web; -+ } else { -+ ssp->smk_in = skp; -+ ssp->smk_out = skp; -+ } - ssp->smk_packet = NULL; - - sk->sk_security = ssp; --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch deleted file mode 100644 index 4021e5d..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 2b206c36b16e72cfe41cd22448d8527359ffd962 Mon Sep 17 00:00:00 2001 -From: Casey Schaufler -Date: Mon, 7 Dec 2015 14:34:32 -0800 -Subject: [PATCH 1/4] Smack: File receive for sockets - -The existing file receive hook checks for access on -the file inode even for UDS. This is not right, as -the inode is not used by Smack to make access checks -for sockets. This change checks for an appropriate -access relationship between the receiving (current) -process and the socket. If the process can't write -to the socket's send label or the socket's receive -label can't write to the process fail. - -This will allow the legitimate cases, where the -socket sender and socket receiver can freely communicate. -Only strangly set socket labels should cause a problem. - -Signed-off-by: Casey Schaufler ---- - security/smack/smack_lsm.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index ff81026..b20ef06 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -1860,12 +1860,34 @@ static int smack_file_receive(struct file *file) - int may = 0; - struct smk_audit_info ad; - struct inode *inode = file_inode(file); -+ struct socket *sock; -+ struct task_smack *tsp; -+ struct socket_smack *ssp; - - if (unlikely(IS_PRIVATE(inode))) - return 0; - - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); - smk_ad_setfield_u_fs_path(&ad, file->f_path); -+ -+ if (S_ISSOCK(inode->i_mode)) { -+ sock = SOCKET_I(inode); -+ ssp = sock->sk->sk_security; -+ tsp = current_security(); -+ /* -+ * If the receiving process can't write to the -+ * passed socket or if the passed socket can't -+ * write to the receiving process don't accept -+ * the passed socket. -+ */ -+ rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); -+ rc = smk_bu_file(file, may, rc); -+ if (rc < 0) -+ return rc; -+ rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); -+ rc = smk_bu_file(file, may, rc); -+ return rc; -+ } - /* - * This code relies on bitmasks. - */ --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch deleted file mode 100644 index c516f3a..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 99267706991ab84bd44ceaea9a7ec886bbdd58e0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= -Date: Tue, 12 Jan 2016 21:23:40 +0100 -Subject: [PATCH 2/4] smack: fix cache of access labels -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Before this commit, removing the access property of -a file, aka, the extended attribute security.SMACK64 -was not effictive until the cache had been cleaned. - -This patch fixes that problem. - -Signed-off-by: José Bollo -Acked-by: Casey Schaufler ---- - security/smack/smack_lsm.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index b20ef06..b2bcb14 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -1444,9 +1444,13 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name) - * Don't do anything special for these. - * XATTR_NAME_SMACKIPIN - * XATTR_NAME_SMACKIPOUT -- * XATTR_NAME_SMACKEXEC - */ -- if (strcmp(name, XATTR_NAME_SMACK) == 0) -+ if (strcmp(name, XATTR_NAME_SMACK) == 0) { -+ struct super_block *sbp = d_backing_inode(dentry)->i_sb; -+ struct superblock_smack *sbsp = sbp->s_security; -+ -+ isp->smk_inode = sbsp->smk_default; -+ } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) - isp->smk_task = NULL; - else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) - isp->smk_mmap = NULL; --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch deleted file mode 100644 index c9180bb..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch +++ /dev/null @@ -1,39 +0,0 @@ -From ec4eb03af07b0fbc330aecca6ac4ebd6accd8825 Mon Sep 17 00:00:00 2001 -From: Rafal Krypa -Date: Mon, 4 Apr 2016 11:14:53 +0200 -Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill - -Kill with signal number 0 is commonly used for checking PID existence. -Smack treated such cases like any other kills, although no signal is -actually delivered when sig == 0. - -Checking permissions when sig == 0 didn't prevent an unprivileged caller -from learning whether PID exists or not. When it existed, kernel returned -EPERM, when it didn't - ESRCH. The only effect of policy check in such -case is noise in audit logs. - -This change lets Smack silently ignore kill() invocations with sig == 0. - -Signed-off-by: Rafal Krypa -Acked-by: Casey Schaufler ---- - security/smack/smack_lsm.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index b2bcb14..cf8a93f 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -2239,6 +2239,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, - struct smack_known *tkp = smk_of_task_struct(p); - int rc; - -+ if (!sig) -+ return 0; /* null signal; existence test */ -+ - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); - smk_ad_setfield_u_tsk(&ad, p); - /* --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch deleted file mode 100644 index a1eeac3..0000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch +++ /dev/null @@ -1,49 +0,0 @@ -From c8bbb0f916de54610513e376070aea531af19dd6 Mon Sep 17 00:00:00 2001 -From: jooseong lee -Date: Thu, 3 Nov 2016 10:55:43 +0100 -Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook - -Creating struct sock by sk_alloc function in various kernel subsystems -like bluetooth dosen't call smack_socket_post_create(). In such case, -received sock label is the floor('_') label and makes access deny. - -Refers-to: https://review.tizen.org/gerrit/#/c/80717/4 - -Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8 -Signed-off-by: jooseong lee -Signed-off-by: José Bollo ---- - security/smack/smack_lsm.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index cf8a93f..21651bc 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -2321,8 +2321,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) - if (ssp == NULL) - return -ENOMEM; - -- ssp->smk_in = skp; -- ssp->smk_out = skp; -+ /* -+ * Sockets created by kernel threads receive web label. -+ */ -+ if (unlikely(current->flags & PF_KTHREAD)) { -+ ssp->smk_in = &smack_known_web; -+ ssp->smk_out = &smack_known_web; -+ } else { -+ ssp->smk_in = skp; -+ ssp->smk_out = skp; -+ } - ssp->smk_packet = NULL; - - sk->sk_security = ssp; --- -2.7.4 - -- cgit 1.2.3-korg