authorJosé Bollo <jose.bollo@iot.bzh>2018-09-12 09:58:03 +0200
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2019-11-07 15:59:26 +0000
commit61e6b5d03992bb72deb00f6ee518fc122fee59ef (patch)
tree62c83e9717d149a28f49c9e74f90e5207fb4f5ae
parent06dccd49fe33d10320e5c9c7dbbd1a6d2a260533 (diff)
Cynagora: Replace cynara with cynagora
Shift from the cynara permission database to the cynagora permission database, with a compatibility library. The cache size required by dbus-cynara is updated because that size is now a count of bytes, not a count of entries. Bug-AGL: SPEC-2844 Change-Id: I9a81de6e3b8bcb94adc0bb05c63183c2eda3f310 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-rw-r--r--meta-agl-profile-core/files/group2
-rw-r--r--meta-agl-profile-core/files/passwd2
-rw-r--r--meta-agl-profile-core/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bb2
-rw-r--r--meta-app-framework/conf/include/agl-appfw-smack.inc2
-rw-r--r--meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend2
-rw-r--r--meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch2
-rw-r--r--meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb2
-rw-r--r--meta-security/recipes-security/cynagora/cynagora-cynara-compat_2.0.bb30
-rwxr-xr-xmeta-security/recipes-security/cynagora/cynagora/run-ptest4
-rw-r--r--meta-security/recipes-security/cynagora/cynagora_2.0.bb38
-rw-r--r--meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch57
-rw-r--r--meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch35
-rw-r--r--meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch36
-rw-r--r--meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch43
-rw-r--r--meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch42
-rw-r--r--meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch237
-rw-r--r--meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch78
-rw-r--r--meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch29
-rwxr-xr-xmeta-security/recipes-security/cynara/cynara/run-ptest4
-rw-r--r--meta-security/recipes-security/cynara/cynara_0.14.10.bb157
20 files changed, 79 insertions, 725 deletions
diff --git a/meta-agl-profile-core/files/group b/meta-agl-profile-core/files/group
index 596815200..c309f6a05 100644
--- a/meta-agl-profile-core/files/group
+++ b/meta-agl-profile-core/files/group
@@ -39,7 +39,7 @@ games::60:
shutdown::70:
users::100:
nogroup::65534:
-cynara::999:
+cynagora::999:
dhcp::998:
avahi::997:
tracing::1000:
diff --git a/meta-agl-profile-core/files/passwd b/meta-agl-profile-core/files/passwd
index b2e8b92db..ac70c0f9b 100644
--- a/meta-agl-profile-core/files/passwd
+++ b/meta-agl-profile-core/files/passwd
@@ -16,7 +16,7 @@ list::38:38:::
irc::39:39:::
gnats::41:41:::
nobody::65534:65534:::
-cynara::999:999:::
+cynagora::999:999:::
dhcp::998:998:::
avahi::997:997:::
sshd::996:996:::
diff --git a/meta-agl-profile-core/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bb b/meta-agl-profile-core/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bb
index b1ecccf85..38bc66df8 100644
--- a/meta-agl-profile-core/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bb
+++ b/meta-agl-profile-core/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bb
@@ -13,7 +13,7 @@ inherit allarch systemd
SYSTEMD_SERVICE_${PN} = "run-agl-postinsts.service"
-SYSTEMD_SERVICE_AFTER ?= "dbus.service cynara.service"
+SYSTEMD_SERVICE_AFTER ?= "dbus.service cynagora.service"
SYSTEMD_SERVICE_BEFORE ?= "systemd-user-sessions.service"
diff --git a/meta-app-framework/conf/include/agl-appfw-smack.inc b/meta-app-framework/conf/include/agl-appfw-smack.inc
index b6b998a9b..b91ed64a0 100644
--- a/meta-app-framework/conf/include/agl-appfw-smack.inc
+++ b/meta-app-framework/conf/include/agl-appfw-smack.inc
@@ -1,4 +1,4 @@
-# enable security features (smack, cynara) - required by Application Framework
+# enable security features (smack, cynagora) - required by Application Framework
OVERRIDES .= ":with-lsm-smack"
DISTRO_FEATURES_append = " smack xattr"
diff --git a/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend b/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend
index 19af9117b..8445a9edd 100644
--- a/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend
+++ b/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend
@@ -1,7 +1,7 @@
RDEPENDS_${PN} += "\
smack-system-setup \
xmlsec1 \
- cynara \
+ cynagora \
security-manager \
security-manager-policy \
agl-users \
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch
index 3dbfa8a88..69d13ac35 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch
+++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch
@@ -1197,7 +1197,7 @@ index 0000000..57a4c45
+
+#define USE_CYNARA_CACHE 1
+#ifdef USE_CYNARA_CACHE
-+#define CYNARA_CACHE_SIZE 1000
++#define CYNARA_CACHE_SIZE 7000
+#endif
+
+static dbus_bool_t bus_cynara_watch_callback(DBusWatch *watch,
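Review bot: `CYNARA_CACHE_SIZE` on the changed line carries no unit, and the commit message is the only place that says the value is now a byte count rather than an entry count. A comment next to the define, such as `/* cache size in bytes (cynagora compat library), not a number of entries */`, would keep a later reader from resetting it to an entry-style figure and unintentionally shrinking the permission-check cache. It would also help to record how 7000 was derived, since the hunk does not show the per-entry cost. The define sits inside an embedded patch whose surrounding code starts and ends outside this hunk.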
diff --git a/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb
index 6dd575df5..bc708600f 100644
--- a/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb
+++ b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb
@@ -15,7 +15,7 @@ inherit packagegroup
# the policy packaged from the upstream source code here. Adapting
# it for the distro can be done by patching that source.
RDEPENDS_${PN}_append_with-lsm-smack = " \
- cynara \
+ cynagora \
security-manager \
security-manager-policy \
smacknet \
diff --git a/meta-security/recipes-security/cynagora/cynagora-cynara-compat_2.0.bb b/meta-security/recipes-security/cynagora/cynagora-cynara-compat_2.0.bb
new file mode 100644
index 000000000..fa5cdbadc
--- /dev/null
+++ b/meta-security/recipes-security/cynagora/cynagora-cynara-compat_2.0.bb
@@ -0,0 +1,30 @@
+DESCRIPTION = "Cynara service with client libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}"
+SRCREV = "6c88efcb7b1361ba6389753e520e26fc556b7d79"
+PV = "2.0+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+inherit cmake
+
+PROVIDES = "cynara"
+RPROVIDES_${PN} = "cynara"
+DEPENDS = "libcap"
+RDEPENDS_${PN} = "cynagora"
+
+EXTRA_OECMAKE += " \
+ -DWITH_SYSTEMD=OFF \
+ -DWITH_CYNARA_COMPAT=ON \
+ -DDIRECT_CYNARA_COMPAT=ON \
+"
+
+do_install_append() {
+ # remove cynagora stuff
+ rm $(find ${D} -name '*cynagora*')
+ # remove stupid test
+ rm -r ${D}${bindir}
+}
+
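Review bot: In `do_install_append`, `rm $(find ${D} -name '*cynagora*')` relies on an unquoted command substitution: it errors with a missing operand when nothing matches, fails on any matching directory because `-r` is absent, and splits paths on whitespace. This step is presumably what keeps the compat package from shipping files that belong to the `cynagora` package, so it is worth making robust and explicit, e.g. `find ${D} -depth -name '*cynagora*' -exec rm -rf {} +`. If failing on an unexpected match is intended, a short comment saying so would help. The comment `# remove stupid test` could also state what is removed from `${bindir}` and why.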
diff --git a/meta-security/recipes-security/cynagora/cynagora/run-ptest b/meta-security/recipes-security/cynagora/cynagora/run-ptest
new file mode 100755
index 000000000..f95f0725b
--- /dev/null
+++ b/meta-security/recipes-security/cynagora/cynagora/run-ptest
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# test access to cynagora server
+cynagora-admin list > /dev/null
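Review bot: The script prints nothing about the result of `cynagora-admin list`, so the ptest log gets no `PASS:`/`FAIL:` line for it; the removed cynara `run-ptest` converted its output into that form. Suggest reporting the outcome explicitly: `if cynagora-admin list > /dev/null; then echo "PASS: cynagora-admin-list"; else echo "FAIL: cynagora-admin-list"; fi`. As written the check only shows that the server answers an admin request, not that a permission query returns the expected decision, so the comment above it should state that limit.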
diff --git a/meta-security/recipes-security/cynagora/cynagora_2.0.bb b/meta-security/recipes-security/cynagora/cynagora_2.0.bb
new file mode 100644
index 000000000..77af839d8
--- /dev/null
+++ b/meta-security/recipes-security/cynagora/cynagora_2.0.bb
@@ -0,0 +1,38 @@
+DESCRIPTION = "Cynara service with client libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}"
+SRCREV = "6c88efcb7b1361ba6389753e520e26fc556b7d79"
+PV = "2.0+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "systemd libcap"
+
+inherit cmake
+
+EXTRA_OECMAKE += " \
+ -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
+ -DWITH_SYSTEMD=ON \
+ -DWITH_CYNARA_COMPAT=OFF \
+"
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "-r cynagora"
+USERADD_PARAM_${PN} = "\
+--system --home ${localstatedir}/lib/empty \
+--no-create-home --shell /bin/false \
+--gid cynagora cynagora \
+"
+
+FILES_${PN} += "${systemd_system_unitdir}"
+
+PACKAGES =+ "${PN}-tools"
+FILES_${PN}-tools += "${bindir}/cynagora-admin ${bindir}/cynagora-agent"
+RDEPENDS_${PN}_append_agl-devel = " ${PN}-tools"
+
+inherit ptest
+SRC_URI_append = " file://run-ptest"
+RDEPENDS_${PN}-ptest_append = " ${PN}-tools"
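Review bot: `DESCRIPTION = "Cynara service with client libraries"` is carried over from the removed cynara recipe and misnames the component this recipe builds; the same line appears in `cynagora-cynara-compat_2.0.bb`. Package metadata is what image manifests and license or vulnerability tooling read, so it should name the component, e.g. `DESCRIPTION = "Cynagora permission service with client libraries"` here and a compat-specific text in the other recipe. A one-line comment above `RDEPENDS_${PN}_append_agl-devel` saying that `cynagora-admin` and `cynagora-agent` appear to be pulled in only for devel images (and for ptest) would also document that restriction.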
diff --git a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
deleted file mode 100644
index e1d0cfac9..000000000
--- a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 8bf90bf3e7a821dbd3b7029d87aa592eec6f1754 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 25 Jan 2018 12:00:18 +0100
-Subject: [PATCH] Add fallthrough tags
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-GCC 7 emits a warning when the tag /*@fallthrough@*/
-doesn't appear in a switch case when a case continue
-to the next after some processing.
-
-Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-
----
- src/admin/api/admin-api.cpp | 1 +
- src/client-async/logic/Logic.cpp | 1 +
- src/common/sockets/SocketClient.cpp | 1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/src/admin/api/admin-api.cpp b/src/admin/api/admin-api.cpp
-index c638f41..aafa45e 100644
---- a/src/admin/api/admin-api.cpp
-+++ b/src/admin/api/admin-api.cpp
-@@ -146,6 +146,7 @@ int cynara_admin_set_policies(struct cynara_admin *p_cynara_admin,
- case CYNARA_ADMIN_BUCKET:
- if (!isStringValid(policy->result_extra))
- return CYNARA_API_INVALID_PARAM;
-+ /*@fallthrough@*/
- default:
- {
- std::string extraStr = policy->result_extra ? policy->result_extra : "";
-diff --git a/src/client-async/logic/Logic.cpp b/src/client-async/logic/Logic.cpp
-index 5ae0251..c1d6c33 100644
---- a/src/client-async/logic/Logic.cpp
-+++ b/src/client-async/logic/Logic.cpp
-@@ -233,6 +233,7 @@ bool Logic::processOut(void) {
- case Socket::SendStatus::ALL_DATA_SENT:
- onStatusChange(m_socketClient.getSockFd(),
- cynara_async_status::CYNARA_STATUS_FOR_READ);
-+ /*@fallthrough@*/
- case Socket::SendStatus::PARTIAL_DATA_SENT:
- return true;
- default:
-diff --git a/src/common/sockets/SocketClient.cpp b/src/common/sockets/SocketClient.cpp
-index b1ca4f7..f4394e5 100644
---- a/src/common/sockets/SocketClient.cpp
-+++ b/src/common/sockets/SocketClient.cpp
-@@ -45,6 +45,7 @@ bool SocketClient::connect(void) {
- LOGW("Error connecting to Cynara. Service not available.");
- return false;
- }
-+ /*@fallthrough@*/
- default:
- return true;
- }
diff --git a/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch b/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch
deleted file mode 100644
index 40e11ce5d..000000000
--- a/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From ca28ec4a0781a1ab9ec5f015387436beb51adfc3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan-Simon=20M=C3=B6ller?= <jsmoeller@linuxfoundation.org>
-Date: Fri, 19 Oct 2018 08:09:28 +0000
-Subject: [PATCH] fix fallthrough in cmdlineparser
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
-
----
- src/service/main/CmdlineParser.cpp | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/service/main/CmdlineParser.cpp b/src/service/main/CmdlineParser.cpp
-index ca56e39..e07ea52 100644
---- a/src/service/main/CmdlineParser.cpp
-+++ b/src/service/main/CmdlineParser.cpp
-@@ -112,13 +112,16 @@ struct CmdLineOptions handleCmdlineOptions(int argc, char * const *argv) {
- case ':': // Missing argument
- ret.m_error = true;
- ret.m_exit = true;
-+ /*@fallthrough@*/
- switch (optopt) {
- case CmdlineOpt::Mask:
- case CmdlineOpt::User:
- case CmdlineOpt::Group:
- printMissingArgument(execName, argv[optind - 1]);
- return ret;
-+ /*@fallthrough@*/
- }
-+ /*@fallthrough@*/
- //intentional fall to Unknown option
- case '?': // Unknown option
- default:
diff --git a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
deleted file mode 100644
index b8dbfac4d..000000000
--- a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From e2d8414b0d1c6c59baf1bb73e856e93aaabaf955 Mon Sep 17 00:00:00 2001
-From: Changhyeok Bae <changhyeok.bae@gmail.com>
-Date: Sun, 17 Dec 2017 15:28:28 +0000
-Subject: [PATCH] gcc-7 requires include <functional> for std::function
-
-Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
-
----
- src/common/types/PolicyBucket.h | 1 +
- src/cyad/AdminPolicyParser.h | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/src/common/types/PolicyBucket.h b/src/common/types/PolicyBucket.h
-index 029d3dd..1bceeca 100644
---- a/src/common/types/PolicyBucket.h
-+++ b/src/common/types/PolicyBucket.h
-@@ -30,6 +30,7 @@
- #include <set>
- #include <string>
- #include <vector>
-+#include <functional>
-
- #include <exceptions/NotImplementedException.h>
- #include <types/pointers.h>
-diff --git a/src/cyad/AdminPolicyParser.h b/src/cyad/AdminPolicyParser.h
-index 53dde23..f38c194 100644
---- a/src/cyad/AdminPolicyParser.h
-+++ b/src/cyad/AdminPolicyParser.h
-@@ -25,6 +25,7 @@
-
- #include <istream>
- #include <memory>
-+#include <functional>
-
- #include <cyad/CynaraAdminPolicies.h>
-
diff --git a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
deleted file mode 100644
index 1b105a00c..000000000
--- a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From fdcf2a68a4bfec588b1c6c969caa0be20961b807 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 25 Jan 2018 11:38:16 +0100
-Subject: [PATCH] Avoid warning when compiling without smack
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When DB_FILES_SMACK_LABEL is not defined, cmake complains
-with the following message:
-
-> -- Checking for modules ''
-> Please specify at least one package name on the command line.
-
-Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-
----
- src/admin/CMakeLists.txt | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/admin/CMakeLists.txt b/src/admin/CMakeLists.txt
-index e4f354a..38b8669 100644
---- a/src/admin/CMakeLists.txt
-+++ b/src/admin/CMakeLists.txt
-@@ -23,12 +23,12 @@ IF (DB_FILES_SMACK_LABEL)
- SET(SMACK "smack")
- SET(LIBSMACK "libsmack")
- ADD_DEFINITIONS("-DDB_FILES_SMACK_LABEL=\"${DB_FILES_SMACK_LABEL}\"")
--ENDIF (DB_FILES_SMACK_LABEL)
-
--PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP
-- REQUIRED
-- ${LIBSMACK}
-- )
-+ PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP
-+ REQUIRED
-+ ${LIBSMACK}
-+ )
-+ENDIF (DB_FILES_SMACK_LABEL)
-
- SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin)
-
diff --git a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
deleted file mode 100644
index f19cdfb50..000000000
--- a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 233fb8a93343c3c9c04914e1148ef5ab87a808a1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 25 Jan 2018 12:52:39 +0100
-Subject: [PATCH] Fix mode of sockets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Setting execution bit on the socket serves nothing.
-
-Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-
----
- systemd/cynara-admin.socket | 2 +-
- systemd/cynara.socket | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket
-index 2d1aea4..ed38386 100644
---- a/systemd/cynara-admin.socket
-+++ b/systemd/cynara-admin.socket
-@@ -1,6 +1,6 @@
- [Socket]
- ListenStream=/run/cynara/cynara-admin.socket
--SocketMode=0700
-+SocketMode=0600
- SmackLabelIPIn=@
- SmackLabelIPOut=@
-
-diff --git a/systemd/cynara.socket b/systemd/cynara.socket
-index 9f2a870..fad2745 100644
---- a/systemd/cynara.socket
-+++ b/systemd/cynara.socket
-@@ -1,6 +1,6 @@
- [Socket]
- ListenStream=/run/cynara/cynara.socket
--SocketMode=0777
-+SocketMode=0666
- SmackLabelIPIn=*
- SmackLabelIPOut=@
-
diff --git a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
deleted file mode 100644
index e954c7f21..000000000
--- a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
+++ /dev/null
@@ -1,237 +0,0 @@
-From ebde8e9fdba7bc1c8152f7e45c551030a36ece82 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 25 Jan 2018 13:47:37 +0100
-Subject: [PATCH] Allow to tune sockets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Allow to change the directory of sockets
-through a true integration of SOCKET_DIR
-
-Allow to override the socket's group of
- - /run/cynara/cynara-agent.socket
- - /run/cynara/cynara-monitor-get.socket
-
-through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP
-
-Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-
----
- systemd/CMakeLists.txt | 19 +++++++++++++++----
- systemd/cynara-admin.socket | 14 --------------
- systemd/cynara-admin.socket.in | 14 ++++++++++++++
- systemd/cynara-agent.socket | 15 ---------------
- systemd/cynara-agent.socket.in | 15 +++++++++++++++
- systemd/cynara-monitor-get.socket | 15 ---------------
- systemd/cynara-monitor-get.socket.in | 15 +++++++++++++++
- systemd/cynara.socket | 14 --------------
- systemd/cynara.socket.in | 14 ++++++++++++++
- 9 files changed, 73 insertions(+), 62 deletions(-)
- delete mode 100644 systemd/cynara-admin.socket
- create mode 100644 systemd/cynara-admin.socket.in
- delete mode 100644 systemd/cynara-agent.socket
- create mode 100644 systemd/cynara-agent.socket.in
- delete mode 100644 systemd/cynara-monitor-get.socket
- create mode 100644 systemd/cynara-monitor-get.socket.in
- delete mode 100644 systemd/cynara.socket
- create mode 100644 systemd/cynara.socket.in
-
-diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
-index 20accf0..1b75c12 100644
---- a/systemd/CMakeLists.txt
-+++ b/systemd/CMakeLists.txt
-@@ -16,13 +16,24 @@
- # @author Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
- #
-
-+SET(CYNARA_ADMIN_SOCKET_GROUP
-+ "security_fw"
-+ CACHE STRING
-+ "Group to apply on administrative sockets")
-+
-+
-+CONFIGURE_FILE(cynara.socket.in cynara.socket @ONLY)
-+CONFIGURE_FILE(cynara-admin.socket.in cynara-admin.socket @ONLY)
-+CONFIGURE_FILE(cynara-agent.socket.in cynara-agent.socket @ONLY)
-+CONFIGURE_FILE(cynara-monitor-get.socket.in cynara-monitor-get.socket @ONLY)
-+
- INSTALL(FILES
- ${CMAKE_SOURCE_DIR}/systemd/cynara.service
- ${CMAKE_SOURCE_DIR}/systemd/cynara.target
-- ${CMAKE_SOURCE_DIR}/systemd/cynara.socket
-- ${CMAKE_SOURCE_DIR}/systemd/cynara-admin.socket
-- ${CMAKE_SOURCE_DIR}/systemd/cynara-agent.socket
-- ${CMAKE_SOURCE_DIR}/systemd/cynara-monitor-get.socket
-+ ${CMAKE_BINARY_DIR}/systemd/cynara.socket
-+ ${CMAKE_BINARY_DIR}/systemd/cynara-admin.socket
-+ ${CMAKE_BINARY_DIR}/systemd/cynara-agent.socket
-+ ${CMAKE_BINARY_DIR}/systemd/cynara-monitor-get.socket
- DESTINATION
- ${SYSTEMD_UNIT_DIR}
- )
-diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket
-deleted file mode 100644
-index ed38386..0000000
---- a/systemd/cynara-admin.socket
-+++ /dev/null
-@@ -1,14 +0,0 @@
--[Socket]
--ListenStream=/run/cynara/cynara-admin.socket
--SocketMode=0600
--SmackLabelIPIn=@
--SmackLabelIPOut=@
--
--Service=cynara.service
--
--[Unit]
--Wants=cynara.target
--Before=cynara.target
--
--[Install]
--WantedBy=sockets.target
-diff --git a/systemd/cynara-admin.socket.in b/systemd/cynara-admin.socket.in
-new file mode 100644
-index 0000000..2364c3e
---- /dev/null
-+++ b/systemd/cynara-admin.socket.in
-@@ -0,0 +1,14 @@
-+[Socket]
-+ListenStream=@SOCKET_DIR@/cynara-admin.socket
-+SocketMode=0600
-+SmackLabelIPIn=@
-+SmackLabelIPOut=@
-+
-+Service=cynara.service
-+
-+[Unit]
-+Wants=cynara.target
-+Before=cynara.target
-+
-+[Install]
-+WantedBy=sockets.target
-diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket
-deleted file mode 100644
-index 5a677e0..0000000
---- a/systemd/cynara-agent.socket
-+++ /dev/null
-@@ -1,15 +0,0 @@
--[Socket]
--ListenStream=/run/cynara/cynara-agent.socket
--SocketGroup=security_fw
--SocketMode=0060
--SmackLabelIPIn=*
--SmackLabelIPOut=@
--
--Service=cynara.service
--
--[Unit]
--Wants=cynara.target
--Before=cynara.target
--
--[Install]
--WantedBy=sockets.target
-diff --git a/systemd/cynara-agent.socket.in b/systemd/cynara-agent.socket.in
-new file mode 100644
-index 0000000..4f86c9d
---- /dev/null
-+++ b/systemd/cynara-agent.socket.in
-@@ -0,0 +1,15 @@
-+[Socket]
-+ListenStream=@SOCKET_DIR@/cynara-agent.socket
-+SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
-+SocketMode=0060
-+SmackLabelIPIn=*
-+SmackLabelIPOut=@
-+
-+Service=cynara.service
-+
-+[Unit]
-+Wants=cynara.target
-+Before=cynara.target
-+
-+[Install]
-+WantedBy=sockets.target
-diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket
-deleted file mode 100644
-index a50feeb..0000000
---- a/systemd/cynara-monitor-get.socket
-+++ /dev/null
-@@ -1,15 +0,0 @@
--[Socket]
--ListenStream=/run/cynara/cynara-monitor-get.socket
--SocketGroup=security_fw
--SocketMode=0060
--SmackLabelIPIn=@
--SmackLabelIPOut=@
--
--Service=cynara.service
--
--[Unit]
--Wants=cynara.target
--Before=cynara.target
--
--[Install]
--WantedBy=sockets.target
-diff --git a/systemd/cynara-monitor-get.socket.in b/systemd/cynara-monitor-get.socket.in
-new file mode 100644
-index 0000000..b88dbf7
---- /dev/null
-+++ b/systemd/cynara-monitor-get.socket.in
-@@ -0,0 +1,15 @@
-+[Socket]
-+ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket
-+SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
-+SocketMode=0060
-+SmackLabelIPIn=@
-+SmackLabelIPOut=@
-+
-+Service=cynara.service
-+
-+[Unit]
-+Wants=cynara.target
-+Before=cynara.target
-+
-+[Install]
-+WantedBy=sockets.target
-diff --git a/systemd/cynara.socket b/systemd/cynara.socket
-deleted file mode 100644
-index fad2745..0000000
---- a/systemd/cynara.socket
-+++ /dev/null
-@@ -1,14 +0,0 @@
--[Socket]
--ListenStream=/run/cynara/cynara.socket
--SocketMode=0666
--SmackLabelIPIn=*
--SmackLabelIPOut=@
--
--Service=cynara.service
--
--[Unit]
--Wants=cynara.target
--Before=cynara.target
--
--[Install]
--WantedBy=sockets.target
-diff --git a/systemd/cynara.socket.in b/systemd/cynara.socket.in
-new file mode 100644
-index 0000000..ba76549
---- /dev/null
-+++ b/systemd/cynara.socket.in
-@@ -0,0 +1,14 @@
-+[Socket]
-+ListenStream=@SOCKET_DIR@/cynara.socket
-+SocketMode=0666
-+SmackLabelIPIn=*
-+SmackLabelIPOut=@
-+
-+Service=cynara.service
-+
-+[Unit]
-+Wants=cynara.target
-+Before=cynara.target
-+
-+[Install]
-+WantedBy=sockets.target
diff --git a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
deleted file mode 100644
index 68864f1ed..000000000
--- a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 23f1a7cb34dd4ef88bac5a43057feaf7f50559aa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 25 Jan 2018 14:09:23 +0100
-Subject: [PATCH] Install socket activation by default
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-
----
- packaging/cynara.spec | 5 -----
- systemd/CMakeLists.txt | 7 +++++++
- systemd/sockets.target.wants/cynara-admin.socket | 1 +
- systemd/sockets.target.wants/cynara-agent.socket | 1 +
- systemd/sockets.target.wants/cynara.socket | 1 +
- 5 files changed, 10 insertions(+), 5 deletions(-)
- create mode 120000 systemd/sockets.target.wants/cynara-admin.socket
- create mode 120000 systemd/sockets.target.wants/cynara-agent.socket
- create mode 120000 systemd/sockets.target.wants/cynara.socket
-
-diff --git a/packaging/cynara.spec b/packaging/cynara.spec
-index d2e0b80..2c5b326 100644
---- a/packaging/cynara.spec
-+++ b/packaging/cynara.spec
-@@ -72,12 +72,7 @@ make %{?jobs:-j%jobs}
- rm -rf %{buildroot}
- %make_install
-
--mkdir -p %{buildroot}%{_unitdir}/sockets.target.wants
- mkdir -p %{buildroot}%{_unitdir}/multi-user.target.wants
--ln -s ../cynara.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara.socket
--ln -s ../cynara-admin.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-admin.socket
--ln -s ../cynara-agent.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-agent.socket
--ln -s ../cynara-monitor-get.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-monitor-get.socket
- ln -s ../cynara.service %{buildroot}%{_unitdir}/multi-user.target.wants/cynara.service
-
- %post
-diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
-index 1b75c12..9a2d70d 100644
---- a/systemd/CMakeLists.txt
-+++ b/systemd/CMakeLists.txt
-@@ -38,3 +38,10 @@ INSTALL(FILES
- ${SYSTEMD_UNIT_DIR}
- )
-
-+INSTALL(DIRECTORY
-+ ${CMAKE_SOURCE_DIR}/systemd/sockets.target.wants
-+ DESTINATION
-+ ${SYSTEMD_UNIT_DIR}
-+)
-+
-+
-diff --git a/systemd/sockets.target.wants/cynara-admin.socket b/systemd/sockets.target.wants/cynara-admin.socket
-new file mode 120000
-index 0000000..3d0b1ce
---- /dev/null
-+++ b/systemd/sockets.target.wants/cynara-admin.socket
-@@ -0,0 +1 @@
-+../cynara-admin.socket
-\ No newline at end of file
-diff --git a/systemd/sockets.target.wants/cynara-agent.socket b/systemd/sockets.target.wants/cynara-agent.socket
-new file mode 120000
-index 0000000..22b37dd
---- /dev/null
-+++ b/systemd/sockets.target.wants/cynara-agent.socket
-@@ -0,0 +1 @@
-+../cynara-agent.socket
-\ No newline at end of file
-diff --git a/systemd/sockets.target.wants/cynara.socket b/systemd/sockets.target.wants/cynara.socket
-new file mode 120000
-index 0000000..c0e5a5b
---- /dev/null
-+++ b/systemd/sockets.target.wants/cynara.socket
-@@ -0,0 +1 @@
-+../cynara.socket
-\ No newline at end of file
diff --git a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
deleted file mode 100644
index c14418923..000000000
--- a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 3605e9f8a3ea1252d1cf221398431e0d7a3ea34d Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Mon, 23 Mar 2015 15:01:39 -0700
-Subject: [PATCH] cynara-db-migration.in: abort on errors
-
-"set -e" enables error checking for all commands invoked by the script.
-Previously, errors were silently ignored.
-
-Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
----
- migration/cynara-db-migration.in | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in
-index 7b666d4..0682df6 100644
---- a/migration/cynara-db-migration.in
-+++ b/migration/cynara-db-migration.in
-@@ -19,6 +19,8 @@
- # @brief Migration tool for Cynara's database
- #
-
-+set -e
-+
- ##### Constants (these must not be modified by shell)
-
- PATH=/bin:/usr/bin:/sbin:/usr/sbin
diff --git a/meta-security/recipes-security/cynara/cynara/run-ptest b/meta-security/recipes-security/cynara/cynara/run-ptest
deleted file mode 100755
index f8dd5d8b4..000000000
--- a/meta-security/recipes-security/cynara/cynara/run-ptest
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-cynara-tests | sed -e 's/^\[ *OK *\] \(\S*\)$/PASS: \1/' -e 's/^\[ *FAILED *\] \(\S*\)$/FAIL: \1/'
-sh /usr/bin/cynara-db-migration-tests | sed -e 's/^Test .*(\([^)]*\)).*passed.*/PASS: \1/' -e 's/^Test .*(\([^)]*\)).*failed.*/FAIL: \1/'
diff --git a/meta-security/recipes-security/cynara/cynara_0.14.10.bb b/meta-security/recipes-security/cynara/cynara_0.14.10.bb
deleted file mode 100644
index 765c17bca..000000000
--- a/meta-security/recipes-security/cynara/cynara_0.14.10.bb
+++ /dev/null
@@ -1,157 +0,0 @@
-DESCRIPTION = "Cynara service with client libraries"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
-
-PV = "0.14.10+git${SRCPV}"
-SRCREV = "be455dcaf1400bec0272a6ce90852b9147393a60"
-SRC_URI = "git://github.com/Samsung/cynara.git"
-S = "${WORKDIR}/git"
-
-SRC_URI += " \
- file://cynara-db-migration-abort-on-errors.patch \
- file://0001-Add-fallthrough-tags.patch \
- file://0002-gcc-7-requires-include-functional-for-std-function.patch \
- file://0003-Avoid-warning-when-compiling-without-smack.patch \
- file://0004-Fix-mode-of-sockets.patch \
- file://0005-Allow-to-tune-sockets.patch \
- file://0006-Install-socket-activation-by-default.patch \
- file://0001-fix-fallthrough-in-cmdlineparser.patch \
-"
-
-DEPENDS = " \
-systemd \
-"
-
-PACKAGECONFIG ??= ""
-# Use debug mode to increase logging. Beware, also compiles with less optimization
-# and thus has to disable FORTIFY_SOURCE below.
-PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE,libunwind elfutils"
-
-inherit cmake
-
-EXTRA_OECMAKE += " \
- -DCMAKE_VERBOSE_MAKEFILE=ON \
- -DBUILD_WITH_SYSTEMD_DAEMON=ON \
- -DBUILD_WITH_SYSTEMD_JOURNAL=ON \
- -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
- -DSOCKET_DIR=/run/cynara \
- -DBUILD_COMMONS=ON \
- -DBUILD_SERVICE=ON \
- -DBUILD_DBUS=OFF \
- -DCYNARA_ADMIN_SOCKET_GROUP=cynara \
-"
-
-# Explicitly package empty directory. Otherwise Cynara prints warnings
-# at runtime:
-# cyad[198]: Couldn't scan for plugins in </usr/lib/cynara/plugin/service/> : <No such file or directory>
-FILES_${PN}_append = " \
-${libdir}/cynara/plugin/service \
-${libdir}/cynara/plugin/client \
-"
-
-inherit useradd
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "-r cynara"
-USERADD_PARAM_${PN} = "\
---system --home ${localstatedir}/lib/empty \
---no-create-home --shell /bin/false \
---gid cynara cynara \
-"
-
-# Causes deadlock during booting, see workaround in postinst below.
-#inherit systemd
-#SYSTEMD_SERVICE_${PN} = "cynara.service"
-
-#do_install_append () {
-# chmod a+rx ${D}/${sbindir}/cynara-db-migration
-#
-# install -d ${D}${sysconfdir}/cynara/
-# install -m 644 ${S}/conf/creds.conf ${D}/${sysconfdir}/cynara/creds.conf
-#
-# # No need to create empty directories except for those which
-# # Cynara expects to find.
-# # install -d ${D}${localstatedir}/cynara/
-# # install -d ${D}${prefix}/share/cynara/tests/empty_db
-# install -d ${D}${libdir}/cynara/plugin/client
-# install -d ${D}${libdir}/cynara/plugin/service
-#
-# # install db* ${D}${prefix}/share/cynara/tests/
-#
-# install -d ${D}${systemd_system_unitdir}/sockets.target.wants
-# ln -s ../cynara.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara.socket
-# ln -s ../cynara-admin.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-admin.socket
-# ln -s ../cynara-agent.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-agent.socket
-#}
-
-# We want the post-install logic to create and label /var/cynara, so
-# it should not be in the package.
-do_install_append () {
- rmdir ${D}${localstatedir}/cynara
-}
-
-FILES_${PN} += "${systemd_system_unitdir}"
-
-# Cynara itself has no dependency on Smack. Only its installation
-# is Smack-aware in the sense that it sets Smack labels. Do not
-# depend on smack userspace unless we really need Smack labels.
-#
-# The Tizen .spec file calls cynara-db-migration in a %pre section.
-# That only works when cynara-db-migration is packaged separately
-# (overly complex) and does not seem necessary: perhaps there is a
-# time window where cynara might already get activated before
-# the postinst completes, but that is a general problem. It gets
-# avoided entirely when calling this script while building the
-# rootfs.
-DEPENDS_append_with-lsm-smack = " smack smack-native"
-EXTRA_OECMAKE_append_with-lsm-smack = " -DDB_FILES_SMACK_LABEL=System"
-CHSMACK_with-lsm-smack = "chsmack"
-CHSMACK = "true"
-pkg_postinst_ontarget_${PN} () {
- mkdir -p $D${sysconfdir}/cynara
- ${CHSMACK} -a System $D${sysconfdir}/cynara
-
- # Strip git patch level information, the version comparison code
- # in cynara-db-migration only expect major.minor.patch version numbers.
- VERSION=${@d.getVar('PV',d,1).split('+git')[0]}
- if [ -d $D${localstatedir}/cynara ] ; then
- # upgrade
- echo "NOTE: updating cynara DB to version $VERSION"
- $D${sbindir}/cynara-db-migration upgrade -f 0.0.0 -t $VERSION
- else
- # install
- echo "NOTE: creating cynara DB for version $VERSION"
- mkdir -p $D${localstatedir}/cynara
- ${CHSMACK} -a System $D${localstatedir}/cynara
- $D${sbindir}/cynara-db-migration install -t $VERSION
- fi
-
- # Workaround for systemd.bbclass issue: it would call
- # "systemctl start" without "--no-block", but because
- # the service is not ready to run at the time when
- # this scripts gets executed by run-postinsts.service,
- # booting deadlocks.
- echo "NOTE: enabling and starting cynara service"
- systemctl enable cynara
- systemctl start --no-block cynara
-}
-
-# Testing depends on gmock and gtest. They can be found in meta-oe
-# and are not necessarily available, so this feature is off by default.
-# If gmock from meta-oe is used, then a workaround is needed to avoid
-# a link error (libgmock.a calls pthread functions without libpthread
-# being listed in the .pc file).
-DEPENDS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' gmock', '', d)}"
-LDFLAGS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' -lpthread', '', d)}"
-SRC_URI_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' file://run-ptest', '', d)}"
-PACKAGECONFIG[tests] = "-DBUILD_TESTS:BOOL=ON,-DBUILD_TESTS:BOOL=OFF,gmock gtest,"
-
-# Will be empty if no tests were built.
-inherit ptest
-FILES_${PN}-ptest += "${bindir}/cynara-tests ${bindir}/cynara-db-migration-tests ${datadir}/cynara/tests"
-do_install_ptest () {
- if ${@bb.utils.contains('PACKAGECONFIG', 'tests', 'true', 'false', d)}; then
- mkdir -p ${D}/${datadir}/cynara/tests
- cp -r ${S}/test/db/* ${D}/${datadir}/cynara/tests
- fi
-}
-