author | José Bollo <jose.bollo@iot.bzh> | 2018-01-25 16:39:28 +0100 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2018-02-13 11:02:00 +0100 |
commit | 98637b7b01106de98aacc2b531f92c0883b381ee (patch) | |
tree | 9235fa285395a4d88aa7eb5a562d0257d7c5240c | |
parent | d9bac27cdb912b18b7fd8d5096c4612025493ef6 (diff) |
cynara: upgrade to 0.14.10
Change-Id: I33caaa8a435e0b36afff43c4199428ae9336d612
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
11 files changed, 427 insertions, 272 deletions
diff --git a/meta-app-framework/recipes-security/cynara/cynara_git.bbappend b/meta-app-framework/recipes-security/cynara/cynara_git.bbappend
deleted file mode 100644
index 4c38da1cc..000000000
--- a/meta-app-framework/recipes-security/cynara/cynara_git.bbappend
+++ /dev/null
@@ -1,44 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${BPN}:"
-SRC_URI_append = " file://0001-gcc-7-requires-include-functional-for-std-function.patch"
-
-CXXFLAGS_append = " -Wimplicit-fallthrough=0"
-
-pkg_postinst_${PN} () {
- # Fail on error.
- set -e
-
- # It would be nice to run the code below while building an image,
- # but currently the calls to cynara-db-chsgen (a binary) in
- # cynara-db-migration (a script) prevent that. Rely instead
- # on OE's support for running failed postinst scripts at first boot.
- if [ x"$D" != "x" ]; then
- exit 1
- fi
-
- mkdir -p $D${sysconfdir}/cynara
- ${CHSMACK} -a System $D${sysconfdir}/cynara
-
- # Strip git patch level information, the version comparison code
- # in cynara-db-migration only expect major.minor.patch version numbers.
- VERSION=${@d.getVar('PV',d,1).split('+git')[0]}
- if [ -d $D${localstatedir}/cynara ] ; then
- # upgrade
- echo "NOTE: updating cynara DB to version $VERSION"
- $D${sbindir}/cynara-db-migration upgrade -f 0.0.0 -t $VERSION
- else
- # install
- echo "NOTE: creating cynara DB for version $VERSION"
- mkdir -p $D${localstatedir}/cynara
- ${CHSMACK} -a System $D${localstatedir}/cynara
- $D${sbindir}/cynara-db-migration install -t $VERSION
- fi
-
- # Workaround for systemd.bbclass issue: it would call
- # "systemctl start" without "--no-block", but because
- # the service is not ready to run at the time when
- # this scripts gets executed by run-postinsts.service,
- # booting deadlocks.
- echo "NOTE: enabling and starting cynara service"
- systemctl enable cynara
- systemctl start --no-block cynara
-}
diff --git a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
new file mode 100644
index 000000000..11387b98b
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
@@ -0,0 +1,59 @@ +From 3d387993b5a4283e8aebd8e777b2ccd45d233959 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 12:00:18 +0100 +Subject: [PATCH 1/6] Add fallthrough tags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +GCC 7 emits a warning when the tag /*@fallthrough@*/ +doesn't appear in a switch case when a case continue +to the next after some processing. + +Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/admin/api/admin-api.cpp | 1 + + src/client-async/logic/Logic.cpp | 1 + + src/common/sockets/SocketClient.cpp | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/src/admin/api/admin-api.cpp b/src/admin/api/admin-api.cpp +index c638f41..aafa45e 100644 +--- a/src/admin/api/admin-api.cpp ++++ b/src/admin/api/admin-api.cpp +@@ -146,6 +146,7 @@ int cynara_admin_set_policies(struct cynara_admin *p_cynara_admin, + case CYNARA_ADMIN_BUCKET: + if (!isStringValid(policy->result_extra)) + return CYNARA_API_INVALID_PARAM; ++ /*@fallthrough@*/ + default: + { + std::string extraStr = policy->result_extra ? policy->result_extra : ""; +diff --git a/src/client-async/logic/Logic.cpp b/src/client-async/logic/Logic.cpp +index 5ae0251..c1d6c33 100644 +--- a/src/client-async/logic/Logic.cpp ++++ b/src/client-async/logic/Logic.cpp +@@ -233,6 +233,7 @@ bool Logic::processOut(void) { + case Socket::SendStatus::ALL_DATA_SENT: + onStatusChange(m_socketClient.getSockFd(), + cynara_async_status::CYNARA_STATUS_FOR_READ); ++ /*@fallthrough@*/ + case Socket::SendStatus::PARTIAL_DATA_SENT: + return true; + default: +diff --git a/src/common/sockets/SocketClient.cpp b/src/common/sockets/SocketClient.cpp +index b1ca4f7..f4394e5 100644 +--- a/src/common/sockets/SocketClient.cpp ++++ b/src/common/sockets/SocketClient.cpp +@@ -45,6 +45,7 @@ bool SocketClient::connect(void) { + LOGW("Error connecting to Cynara. 
Service not available."); + return false; + } ++ /*@fallthrough@*/ + default: + return true; + } +-- +2.14.3 + diff --git a/meta-app-framework/recipes-security/cynara/cynara/0001-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch index bd060b26d..760a1c5b2 100644 --- a/meta-app-framework/recipes-security/cynara/cynara/0001-gcc-7-requires-include-functional-for-std-function.patch +++ b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch @@ -1,7 +1,7 @@ -From 2169344adbb42ff580856204e2b290e3b04fd447 Mon Sep 17 00:00:00 2001 +From b18e66ce7f81c56e3a97ed075cb60d5a43b2e57c Mon Sep 17 00:00:00 2001 From: Changhyeok Bae <changhyeok.bae@gmail.com> Date: Sun, 17 Dec 2017 15:28:28 +0000 -Subject: [PATCH] gcc-7 requires include <functional> for std::function +Subject: [PATCH 2/6] gcc-7 requires include <functional> for std::function Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> --- @@ -34,5 +34,5 @@ index 53dde23..f38c194 100644 #include <cyad/CynaraAdminPolicies.h> -- -2.7.4 +2.14.3 diff --git a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch new file mode 100644 index 000000000..8c47c3b26 --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch 
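Review bot: The `/*@fallthrough@*/` tags silence the GCC 7 warning but do not say why each fall-through is intended, which matters most in `cynara_admin_set_policies`, where the `CYNARA_ADMIN_BUCKET` case validates `policy->result_extra` and then deliberately continues into `default`. A short why-comment next to the tag there would help, for example `/* bucket result validated above; shared handling continues in default */`. The comment form is a compiler convention rather than language syntax, so if the sources are ever built with another compiler's fall-through warning enabled, an attribute such as `[[gnu::fallthrough]]` may be needed instead. All three switch statements start and end outside the quoted context.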
@@ -0,0 +1,45 @@ +From 6ad54c5e732e7cf0a29f29f48fa757e3e56d6860 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 11:38:16 +0100 +Subject: [PATCH 3/6] Avoid warning when compiling without smack +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When DB_FILES_SMACK_LABEL is not defined, cmake complains +with the following message: + +> -- Checking for modules '' +> Please specify at least one package name on the command line. + +Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/admin/CMakeLists.txt | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/admin/CMakeLists.txt b/src/admin/CMakeLists.txt +index e4f354a..38b8669 100644 +--- a/src/admin/CMakeLists.txt ++++ b/src/admin/CMakeLists.txt +@@ -23,12 +23,12 @@ IF (DB_FILES_SMACK_LABEL) + SET(SMACK "smack") + SET(LIBSMACK "libsmack") + ADD_DEFINITIONS("-DDB_FILES_SMACK_LABEL=\"${DB_FILES_SMACK_LABEL}\"") +-ENDIF (DB_FILES_SMACK_LABEL) + +-PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP +- REQUIRED +- ${LIBSMACK} +- ) ++ PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP ++ REQUIRED ++ ${LIBSMACK} ++ ) ++ENDIF (DB_FILES_SMACK_LABEL) + + SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin) + +-- +2.14.3 + diff --git a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch new file mode 100644 index 000000000..164542899 --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch 
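Review bot: With `PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP ...)` moved inside `IF (DB_FILES_SMACK_LABEL)`, a configure run without that option leaves every `CYNARA_ADMIN_API_DEP_*` variable undefined and says nothing in the log about the admin library being built without libsmack. An `ELSE` branch with `MESSAGE(STATUS "DB_FILES_SMACK_LABEL not set: cynara-admin built without libsmack")` would make that visible to whoever audits the image build. The rest of `src/admin/CMakeLists.txt` is outside the hunk, so it is worth checking that later uses of `CYNARA_ADMIN_API_DEP_INCLUDE_DIRS` and `CYNARA_ADMIN_API_DEP_LIBRARIES` tolerate empty values.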
@@ -0,0 +1,44 @@ +From 2bd62bca98a8a8cf194fb2b68aed68d982f58520 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 12:52:39 +0100 +Subject: [PATCH 4/6] Fix mode of sockets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Setting execution bit on the socket serves nothing. + +Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + systemd/cynara-admin.socket | 2 +- + systemd/cynara.socket | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket +index 2d1aea4..ed38386 100644 +--- a/systemd/cynara-admin.socket ++++ b/systemd/cynara-admin.socket +@@ -1,6 +1,6 @@ + [Socket] + ListenStream=/run/cynara/cynara-admin.socket +-SocketMode=0700 ++SocketMode=0600 + SmackLabelIPIn=@ + SmackLabelIPOut=@ + +diff --git a/systemd/cynara.socket b/systemd/cynara.socket +index 9f2a870..fad2745 100644 +--- a/systemd/cynara.socket ++++ b/systemd/cynara.socket +@@ -1,6 +1,6 @@ + [Socket] + ListenStream=/run/cynara/cynara.socket +-SocketMode=0777 ++SocketMode=0666 + SmackLabelIPIn=* + SmackLabelIPOut=@ + +-- +2.14.3 + diff --git a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch new file mode 100644 index 000000000..b4a2d74e8 --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch 
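Review bot: Neither unit file records why `cynara.socket` stays connectable by every local user (`SocketMode=0666`) while `cynara-admin.socket` is owner-only (`SocketMode=0600`). On a system without Smack the `SmackLabelIPIn`/`SmackLabelIPOut` lines presumably have no effect, which would leave the file mode as the only gate on these sockets. A comment line above each mode would make the intent reviewable, for example `# client socket: any local process may request a policy check` and `# admin socket: owner only, no group access`.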
@@ -0,0 +1,127 @@ +From d919b110a2fbccdce084c651f4d7d7de66f2f869 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 13:47:37 +0100 +Subject: [PATCH 5/6] Allow to tune sockets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Allow to change the directory of sockets +through a true integration of SOCKET_DIR + +Allow to override the socket's group of + - /run/cynara/cynara-agent.socket + - /run/cynara/cynara-monitor-get.socket + +through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP + +Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + systemd/CMakeLists.txt | 19 +++++++++++++++---- + .../{cynara-admin.socket => cynara-admin.socket.in} | 2 +- + .../{cynara-agent.socket => cynara-agent.socket.in} | 4 ++-- + ...onitor-get.socket => cynara-monitor-get.socket.in} | 4 ++-- + systemd/{cynara.socket => cynara.socket.in} | 2 +- + 5 files changed, 21 insertions(+), 10 deletions(-) + rename systemd/{cynara-admin.socket => cynara-admin.socket.in} (78%) + rename systemd/{cynara-agent.socket => cynara-agent.socket.in} (66%) + rename systemd/{cynara-monitor-get.socket => cynara-monitor-get.socket.in} (64%) + rename systemd/{cynara.socket => cynara.socket.in} (80%) + +diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt +index 20accf0..1b75c12 100644 +--- a/systemd/CMakeLists.txt ++++ b/systemd/CMakeLists.txt +@@ -16,13 +16,24 @@ + # @author Lukasz Wojciechowski <l.wojciechow@partner.samsung.com> + # + ++SET(CYNARA_ADMIN_SOCKET_GROUP ++ "security_fw" ++ CACHE STRING ++ "Group to apply on administrative sockets") ++ ++ ++CONFIGURE_FILE(cynara.socket.in cynara.socket @ONLY) ++CONFIGURE_FILE(cynara-admin.socket.in cynara-admin.socket @ONLY) ++CONFIGURE_FILE(cynara-agent.socket.in cynara-agent.socket @ONLY) ++CONFIGURE_FILE(cynara-monitor-get.socket.in cynara-monitor-get.socket @ONLY) ++ + INSTALL(FILES + 
${CMAKE_SOURCE_DIR}/systemd/cynara.service + ${CMAKE_SOURCE_DIR}/systemd/cynara.target +- ${CMAKE_SOURCE_DIR}/systemd/cynara.socket +- ${CMAKE_SOURCE_DIR}/systemd/cynara-admin.socket +- ${CMAKE_SOURCE_DIR}/systemd/cynara-agent.socket +- ${CMAKE_SOURCE_DIR}/systemd/cynara-monitor-get.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara-admin.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara-agent.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara-monitor-get.socket + DESTINATION + ${SYSTEMD_UNIT_DIR} + ) +diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket.in +similarity index 78% +rename from systemd/cynara-admin.socket +rename to systemd/cynara-admin.socket.in +index ed38386..2364c3e 100644 +--- a/systemd/cynara-admin.socket ++++ b/systemd/cynara-admin.socket.in +@@ -1,5 +1,5 @@ + [Socket] +-ListenStream=/run/cynara/cynara-admin.socket ++ListenStream=@SOCKET_DIR@/cynara-admin.socket + SocketMode=0600 + SmackLabelIPIn=@ + SmackLabelIPOut=@ +diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket.in +similarity index 66% +rename from systemd/cynara-agent.socket +rename to systemd/cynara-agent.socket.in +index 5a677e0..4f86c9d 100644 +--- a/systemd/cynara-agent.socket ++++ b/systemd/cynara-agent.socket.in +@@ -1,6 +1,6 @@ + [Socket] +-ListenStream=/run/cynara/cynara-agent.socket +-SocketGroup=security_fw ++ListenStream=@SOCKET_DIR@/cynara-agent.socket ++SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ + SocketMode=0060 + SmackLabelIPIn=* + SmackLabelIPOut=@ +diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket.in +similarity index 64% +rename from systemd/cynara-monitor-get.socket +rename to systemd/cynara-monitor-get.socket.in +index a50feeb..b88dbf7 100644 +--- a/systemd/cynara-monitor-get.socket ++++ b/systemd/cynara-monitor-get.socket.in +@@ -1,6 +1,6 @@ + [Socket] +-ListenStream=/run/cynara/cynara-monitor-get.socket +-SocketGroup=security_fw 
++ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket ++SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ + SocketMode=0060 + SmackLabelIPIn=@ + SmackLabelIPOut=@ +diff --git a/systemd/cynara.socket b/systemd/cynara.socket.in +similarity index 80% +rename from systemd/cynara.socket +rename to systemd/cynara.socket.in +index fad2745..ba76549 100644 +--- a/systemd/cynara.socket ++++ b/systemd/cynara.socket.in +@@ -1,5 +1,5 @@ + [Socket] +-ListenStream=/run/cynara/cynara.socket ++ListenStream=@SOCKET_DIR@/cynara.socket + SocketMode=0666 + SmackLabelIPIn=* + SmackLabelIPOut=@ +-- +2.14.3 + diff --git a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch new file mode 100644 index 000000000..0cfc785c1 --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch 
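Review bot: Nothing in `systemd/CMakeLists.txt` checks that `SOCKET_DIR` is set before the four `CONFIGURE_FILE(... @ONLY)` calls, and an undefined `@SOCKET_DIR@` expands to an empty string, so the generated units would listen on paths such as `/cynara-admin.socket` in the filesystem root. The variable is presumably defined in the top-level CMakeLists.txt, which is outside this patch; a guard keeps that assumption explicit: `IF(NOT SOCKET_DIR)`, `MESSAGE(FATAL_ERROR "SOCKET_DIR must be set")`, `ENDIF()`. The `INSTALL(FILES ...)` list should also name `${CMAKE_CURRENT_BINARY_DIR}/cynara.socket` (and likewise the other three), since `CONFIGURE_FILE` writes relative outputs to the current binary directory rather than to `${CMAKE_BINARY_DIR}/systemd` by name. Note too that `CYNARA_ADMIN_SOCKET_GROUP` is applied to the agent and monitor-get sockets but not to `cynara-admin.socket`, so its name and help string deserve a clarifying comment.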
@@ -0,0 +1,80 @@ +From d54e425b0685c9e3e06f5b4efcbd206950d14f3c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 14:09:23 +0100 +Subject: [PATCH 6/6] Install socket activation by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + packaging/cynara.spec | 5 ----- + systemd/CMakeLists.txt | 7 +++++++ + systemd/sockets.target.wants/cynara-admin.socket | 1 + + systemd/sockets.target.wants/cynara-agent.socket | 1 + + systemd/sockets.target.wants/cynara.socket | 1 + + 5 files changed, 10 insertions(+), 5 deletions(-) + create mode 120000 systemd/sockets.target.wants/cynara-admin.socket + create mode 120000 systemd/sockets.target.wants/cynara-agent.socket + create mode 120000 systemd/sockets.target.wants/cynara.socket + +diff --git a/packaging/cynara.spec b/packaging/cynara.spec +index d2e0b80..2c5b326 100644 +--- a/packaging/cynara.spec ++++ b/packaging/cynara.spec +@@ -72,12 +72,7 @@ make %{?jobs:-j%jobs} + rm -rf %{buildroot} + %make_install + +-mkdir -p %{buildroot}%{_unitdir}/sockets.target.wants + mkdir -p %{buildroot}%{_unitdir}/multi-user.target.wants +-ln -s ../cynara.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara.socket +-ln -s ../cynara-admin.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-admin.socket +-ln -s ../cynara-agent.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-agent.socket +-ln -s ../cynara-monitor-get.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-monitor-get.socket + ln -s ../cynara.service %{buildroot}%{_unitdir}/multi-user.target.wants/cynara.service + + %post +diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt +index 1b75c12..9a2d70d 100644 +--- a/systemd/CMakeLists.txt ++++ b/systemd/CMakeLists.txt +@@ -38,3 +38,10 @@ INSTALL(FILES + ${SYSTEMD_UNIT_DIR} + ) + 
++INSTALL(DIRECTORY ++ ${CMAKE_SOURCE_DIR}/systemd/sockets.target.wants ++ DESTINATION ++ ${SYSTEMD_UNIT_DIR} ++) ++ ++ +diff --git a/systemd/sockets.target.wants/cynara-admin.socket b/systemd/sockets.target.wants/cynara-admin.socket +new file mode 120000 +index 0000000..3d0b1ce +--- /dev/null ++++ b/systemd/sockets.target.wants/cynara-admin.socket +@@ -0,0 +1 @@ ++../cynara-admin.socket +\ No newline at end of file +diff --git a/systemd/sockets.target.wants/cynara-agent.socket b/systemd/sockets.target.wants/cynara-agent.socket +new file mode 120000 +index 0000000..22b37dd +--- /dev/null ++++ b/systemd/sockets.target.wants/cynara-agent.socket +@@ -0,0 +1 @@ ++../cynara-agent.socket +\ No newline at end of file +diff --git a/systemd/sockets.target.wants/cynara.socket b/systemd/sockets.target.wants/cynara.socket +new file mode 120000 +index 0000000..c0e5a5b +--- /dev/null ++++ b/systemd/sockets.target.wants/cynara.socket +@@ -0,0 +1 @@ ++../cynara.socket +\ No newline at end of file +-- +2.14.3 + diff --git a/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch b/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch deleted file mode 100644 index 7ad94ed40..000000000 --- a/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch +++ /dev/null 
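Review bot: `cynara-monitor-get.socket` loses its `sockets.target.wants` link: the spec file drops four `ln -s` lines, including the one for `cynara-monitor-get.socket`, while only three symlinks (`cynara.socket`, `cynara-admin.socket`, `cynara-agent.socket`) are created under `systemd/sockets.target.wants`. For spec-based builds the monitor socket would then no longer be activated at boot. If that is intended it should be stated in the patch description; otherwise a fourth link `systemd/sockets.target.wants/cynara-monitor-get.socket` pointing to `../cynara-monitor-get.socket` is missing. `INSTALL(DIRECTORY ...)` also depends on the patch tool recreating the mode-120000 entries as symlinks, which is worth verifying in the unpacked source tree of the build.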
@@ -1,119 +0,0 @@ -From 9d1ba2f7c5d72436b17d0f3982a00380c72a58f8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Mon, 4 Jul 2016 13:54:59 +0200 -Subject: [PATCH] cmake: Improves directories and libsystemd -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The previous implementation was not fully compliant with -standards. It was missing some of the predefined variable -DATAROOTDIR, it was missing specificity of -CMAKE_INSTALL_FULL_SYSCONFDIR. It also was not compatible -with yocto build system bitbake. - -The library systemd is changing. The previous previous -pkg-config files 'libsystemd-daemon' and 'libsystemd-journal' -are now deprecated in favour of 'libsystemd'. - -Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/16] - -Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - CMakeLists.txt | 46 ++++++++++++++++++++-------------------------- - 1 file changed, 20 insertions(+), 26 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index b0ee75f..6a439e2 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -43,66 +43,60 @@ ENDIF (NOT BUILD_COMMONS AND NOT BUILD_SERVICE AND NOT BUILD_DBUS) - - ########################## search for packages ################################ - --#1st case. User choose to build with systemd. --IF (DEFINED BUILD_WITH_SYSTEMD AND BUILD_WITH_SYSTEMD) -- PKG_CHECK_MODULES(SYSTEMD_DEP -- REQUIRED -- libsystemd-daemon -- libsystemd-journal -- ) --ENDIF (DEFINED BUILD_WITH_SYSTEMD AND BUILD_WITH_SYSTEMD) -+#Search the new libsystemd package -+PKG_CHECK_MODULES(SYSTEMD_DEP QUIET libsystemd) - --#2nd case. User choose not to build with systemd. Noting to do in this case. --#IF (DEFINED BUILD_WITH_SYSTEMD AND NOT BUILD_WITH_SYSTEMD) --#ENDIF (DEFINED BUILD_WITH_SYSTEMD AND NOT BUILD_WITH_SYSTEMD) -- --#3rd case. User did not choose. If we can we will use systemd. 
--IF (NOT DEFINED BUILD_WITH_SYSTEMD) -+#Fallback ot the oldest libsystemd packages -+IF(NOT SYSTEMD_DEP_FOUND) - PKG_CHECK_MODULES(SYSTEMD_DEP - QUIET - libsystemd-daemon - libsystemd-journal - ) -- -- IF (SYSTEMD_DEP_FOUND) -- SET(BUILD_WITH_SYSTEMD ON) -- ENDIF (SYSTEMD_DEP_FOUND) --ENDIF (NOT DEFINED BUILD_WITH_SYSTEMD) -+ENDIF(NOT SYSTEMD_DEP_FOUND) -+ -+#Enforce and check -+IF(SYSTEMD_DEP_FOUND) -+ #Enforce use of systemd if present -+ SET(BUILD_WITH_SYSTEMD ON) -+ELSEIF(BUILD_WITH_SYSTEMD) -+ MESSAGE(FATAL_ERROR "Can't find libsystemd") -+ENDIF() - - ######################## directory configuration ############################ - - SET(LIB_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}" -+ "${CMAKE_INSTALL_FULL_LIBDIR}" - CACHE PATH - "Object code libraries directory") - - SET(BIN_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}" -+ "${CMAKE_INSTALL_FULL_BINDIR}" - CACHE PATH - "User executables directory") - - SET(SBIN_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_SBINDIR}" -+ "${CMAKE_INSTALL_FULL_SBINDIR}" - CACHE PATH - "System admin executables directory") - - SET(SYS_CONFIG_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_SYSCONFDIR}" -+ "${CMAKE_INSTALL_FULL_SYSCONFDIR}" - CACHE PATH - "Read-only single-machine data directory") - - SET(INCLUDE_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDEDIR}" -+ "${CMAKE_INSTALL_FULL_INCLUDEDIR}" - CACHE PATH - "Header files directory") - - SET(LOCAL_STATE_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LOCALSTATEDIR}" -+ "${CMAKE_INSTALL_FULL_LOCALSTATEDIR}" - CACHE PATH - "Modifiable single-machine data directory") - - SET(DATA_ROOT_DIR -- "${CMAKE_INSTALL_PREFIX}/share" -+ "${CMAKE_INSTALL_FULL_DATAROOTDIR}" - CACHE PATH - "Read-only architecture-independent data root directory") - --- -2.5.5 - 
diff --git a/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch b/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch
deleted file mode 100644
index 1a204eb14..000000000
--- a/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 80cc04091410d6a322fee1a2922fdf867395f00a Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Fri, 29 May 2015 10:21:57 +0200
-Subject: [PATCH] work around gmock pthread dependency
-
-In meta-oe, gmock's .pc file does not declare that users of
-gmock must link against pthread. Let's work around that
-here by always linking tests against libpthread.
-
-Upstream-status: Inappropriate [embedded specific]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- test/CMakeLists.txt | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
-index 25a70db..f490a24 100644
---- a/test/CMakeLists.txt
-+++ b/test/CMakeLists.txt
-@@ -138,6 +138,7 @@ ADD_EXECUTABLE(${TARGET_CYNARA_TESTS}
- TARGET_LINK_LIBRARIES(${TARGET_CYNARA_TESTS}
- ${PKGS_LDFLAGS}
- ${PKGS_LIBRARIES}
-+ pthread
- crypt
- )
- INSTALL(TARGETS ${TARGET_CYNARA_TESTS} DESTINATION ${BIN_INSTALL_DIR})
---
-2.1.4
-
diff --git a/meta-security/recipes-security/cynara/cynara.inc b/meta-security/recipes-security/cynara/cynara_0.14.10.bb
index 1e80b6163..6c187fced 100644
--- a/meta-security/recipes-security/cynara/cynara.inc
+++ b/meta-security/recipes-security/cynara/cynara_0.14.10.bb
@@ -2,16 +2,27 @@ DESCRIPTION = "Cynara service with client libraries" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3" +PV = "0.14.10+git${SRCPV}" +SRCREV = "be455dcaf1400bec0272a6ce90852b9147393a60" +SRC_URI = "git://github.com/Samsung/cynara.git" +S = "${WORKDIR}/git" + +SRC_URI += " \ + file://cynara-db-migration-abort-on-errors.patch \ + file://0001-Add-fallthrough-tags.patch \ + file://0002-gcc-7-requires-include-functional-for-std-function.patch \ + file://0003-Avoid-warning-when-compiling-without-smack.patch \ + file://0004-Fix-mode-of-sockets.patch \ + file://0005-Allow-to-tune-sockets.patch \ + file://0006-Install-socket-activation-by-default.patch \ +" + DEPENDS = " \ -dbus \ glib-2.0 \ systemd \ zip \ " -# For testing: -# DEPENDS += "gmock" - PACKAGECONFIG ??= "" # Use debug mode to increase logging. Beware, also compiles with less optimization # and thus has to disable FORTIFY_SOURCE below. @@ -19,19 +30,16 @@ PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE,libu inherit cmake -CXXFLAGS_append = " \ --DCYNARA_STATE_PATH=\\\\\"${localstatedir}/cynara/\\\\\" \ --DCYNARA_LIB_PATH=\\\\\"${prefix}/lib/cynara/\\\\\" \ --DCYNARA_TESTS_DIR=\\\\\"${prefix}/share/cynara/tests/\\\\\" \ --DCYNARA_CONFIGURATION_DIR=\\\\\"${sysconfdir}/cynara/\\\\\" \ -${@bb.utils.contains('PACKAGECONFIG', 'debug', '-Wp,-U_FORTIFY_SOURCE', '', d)} \ -" - EXTRA_OECMAKE += " \ --DCMAKE_VERBOSE_MAKEFILE=ON \ --DBUILD_WITH_SYSTEMD=ON \ --DSYSTEMD_UNIT_DIR=${systemd_unitdir}/system \ --DSOCKET_DIR=/run/cynara \ + -DCMAKE_VERBOSE_MAKEFILE=ON \ + -DBUILD_WITH_SYSTEMD_DAEMON=ON \ + -DBUILD_WITH_SYSTEMD_JOURNAL=ON \ + -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \ + -DSOCKET_DIR=/run/cynara \ + -DBUILD_COMMONS=ON \ + -DBUILD_SERVICE=ON \ + -DBUILD_DBUS=OFF \ + -DCYNARA_ADMIN_SOCKET_GROUP=cynara \ " # Explicitly package empty directory. Otherwise Cynara prints warnings 
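Review bot: `SRC_URI = "git://github.com/Samsung/cynara.git"` fetches over the plain git protocol; the pinned `SRCREV` fixes which commit is built, but the transport itself is neither encrypted nor authenticated. Prefer `SRC_URI = "git://github.com/Samsung/cynara.git;protocol=https"`. The new patch files whose headers are visible in this commit (0001 and 0003 to 0006) also carry no `Upstream-Status:` line, which both deleted patches had; adding one to each keeps track of what has been submitted upstream.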
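Review bot: Removing the `CXXFLAGS_append` block also removes `-Wp,-U_FORTIFY_SOURCE` for the `debug` PACKAGECONFIG, yet the context comment just above still says the recipe "has to disable FORTIFY_SOURCE below"; either keep that one conditional as `CXXFLAGS_append = " ${@bb.utils.contains('PACKAGECONFIG', 'debug', '-Wp,-U_FORTIFY_SOURCE', '', d)}"` or update the comment. Separately, `-DCYNARA_ADMIN_SOCKET_GROUP=cynara` hands the agent and monitor-get sockets (mode `0060` in the unit templates) to the same `cynara` group that `GROUPADD_PARAM_${PN}` creates for the service, so any account later added to that group can connect to them. A dedicated group, or a comment explaining why the service group is reused, would make the privilege boundary explicit.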
@@ -42,30 +50,6 @@ ${libdir}/cynara/plugin/service \ ${libdir}/cynara/plugin/client \ " -# Testing depends on gmock and gtest. They can be found in meta-oe -# and are not necessarily available, so this feature is off by default. -# If gmock from meta-oe is used, then a workaround is needed to avoid -# a link error (libgmock.a calls pthread functions without libpthread -# being listed in the .pc file). -PACKAGECONFIG[tests] = "-DBUILD_TESTS:BOOL=ON,-DBUILD_TESTS:BOOL=OFF,gmock gtest," -SRC_URI_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' file://gmock-pthread-linking.patch file://run-ptest', '', d)}" - -# Will be empty if no tests were built. -inherit ptest -FILES_${PN}-ptest += "${bindir}/cynara-tests ${bindir}/cynara-db-migration-tests ${datadir}/cynara/tests" -do_install_ptest () { - if ${@bb.utils.contains('PACKAGECONFIG', 'tests', 'true', 'false', d)}; then - mkdir -p ${D}/${datadir}/cynara/tests - cp -r ${S}/test/db/* ${D}/${datadir}/cynara/tests - fi -} - -do_compile_prepend () { - # en_US.UTF8 is not available, causing cynara-tests parser.getKeyAndValue to fail. - # Submitted upstream: https://github.com/Samsung/cynara/issues/10 - sed -i -e 's/std::locale("en_US.UTF8")/std::locale::classic()/g' ${S}/test/credsCommons/parser/Parser.cpp -} - inherit useradd USERADD_PACKAGES = "${PN}" GROUPADD_PARAM_${PN} = "-r cynara" 
@@ -79,28 +63,28 @@ USERADD_PARAM_${PN} = "\ #inherit systemd #SYSTEMD_SERVICE_${PN} = "cynara.service" -do_install_append () { - chmod a+rx ${D}/${sbindir}/cynara-db-migration - - install -d ${D}${sysconfdir}/cynara/ - install -m 644 ${S}/conf/creds.conf ${D}/${sysconfdir}/cynara/creds.conf - - # No need to create empty directories except for those which - # Cynara expects to find. - # install -d ${D}${localstatedir}/cynara/ - # install -d ${D}${prefix}/share/cynara/tests/empty_db - install -d ${D}${libdir}/cynara/plugin/client - install -d ${D}${libdir}/cynara/plugin/service - - # install db* ${D}${prefix}/share/cynara/tests/ - - install -d ${D}${systemd_unitdir}/system/sockets.target.wants - ln -s ../cynara.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara.socket - ln -s ../cynara-admin.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara-admin.socket - ln -s ../cynara-agent.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara-agent.socket -} +#do_install_append () { +# chmod a+rx ${D}/${sbindir}/cynara-db-migration +# +# install -d ${D}${sysconfdir}/cynara/ +# install -m 644 ${S}/conf/creds.conf ${D}/${sysconfdir}/cynara/creds.conf +# +# # No need to create empty directories except for those which +# # Cynara expects to find. 
+# # install -d ${D}${localstatedir}/cynara/ +# # install -d ${D}${prefix}/share/cynara/tests/empty_db +# install -d ${D}${libdir}/cynara/plugin/client +# install -d ${D}${libdir}/cynara/plugin/service +# +# # install db* ${D}${prefix}/share/cynara/tests/ +# +# install -d ${D}${systemd_system_unitdir}/sockets.target.wants +# ln -s ../cynara.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara.socket +# ln -s ../cynara-admin.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-admin.socket +# ln -s ../cynara-agent.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-agent.socket +#} -FILES_${PN} += "${systemd_unitdir}/system" +FILES_${PN} += "${systemd_system_unitdir}" # Cynara itself has no dependency on Smack. Only its installation # is Smack-aware in the sense that it sets Smack labels. Do not @@ -113,8 +97,8 @@ FILES_${PN} += "${systemd_unitdir}/system" # the postinst completes, but that is a general problem. It gets # avoided entirely when calling this script while building the # rootfs. -RDEPENDS_${PN}_append_with-lsm-smack = " smack" -DEPENDS_append_with-lsm-smack = " smack-native" +DEPENDS_append_with-lsm-smack = " smack smack-native" +EXTRA_OECMAKE_append_with-lsm-smack = " -DDB_FILES_SMACK_LABEL=System" CHSMACK_with-lsm-smack = "chsmack" CHSMACK = "true" pkg_postinst_${PN} () { @@ -134,7 +118,7 @@ pkg_postinst_${PN} () { # Strip git patch level information, the version comparison code # in cynara-db-migration only expect major.minor.patch version numbers. - VERSION=${@bb.data.getVar('PV',d,1).split('+git')[0]} + VERSION=${@d.getVar('PV',d,1).split('+git')[0]} if [ -d $D${localstatedir}/cynara ] ; then # upgrade echo "NOTE: updating cynara DB to version $VERSION" 
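Review bot: The whole `do_install_append` body is commented out rather than deleted, which leaves about twenty lines of dead shell in the recipe and hides what was actually dropped: the `install -m 644` of `creds.conf`, the `chmod a+rx` on `cynara-db-migration`, and the creation of the two plugin directories that the packaging list earlier in the recipe still names. Delete the block and replace it with a one-line comment such as `# creds.conf, plugin directories and socket links now come from the upstream CMake install plus patch 0006`, after confirming that the upstream install really provides each of them.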
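Review bot: Dropping `RDEPENDS_${PN}_append_with-lsm-smack = " smack"` removes the runtime guarantee that `chsmack` exists on the target, but `pkg_postinst_${PN}` still calls `${CHSMACK}` (set to `chsmack` for `with-lsm-smack`) and, judging by the copy of that script in the deleted bbappend, defers itself to first boot under `set -e`. Adding `smack` to `DEPENDS` only affects the build. Unless the package that ships `chsmack` is pulled in some other way, keep `RDEPENDS_${PN}_append_with-lsm-smack = " smack"`. The context comment saying Cynara "has no dependency on Smack" is also out of date now that `-DDB_FILES_SMACK_LABEL=System` makes the admin library check for `libsmack`.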
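Review bot: `d.getVar('PV',d,1)` still passes the datastore as the second argument, a leftover from the old `bb.data.getVar(var, d, exp)` signature; on the method form that position is the `expand` flag, so the call only works because `d` is truthy. `VERSION=${@d.getVar('PV', True).split('+git')[0]}` says what is meant.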
@@ -156,3 +140,24 @@ pkg_postinst_${PN} () { systemctl enable cynara systemctl start --no-block cynara } + +# Testing depends on gmock and gtest. They can be found in meta-oe +# and are not necessarily available, so this feature is off by default. +# If gmock from meta-oe is used, then a workaround is needed to avoid +# a link error (libgmock.a calls pthread functions without libpthread +# being listed in the .pc file). +DEPENDS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' gmock', '', d)}" +LDFLAGS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' -lpthread', '', d)}" +SRC_URI_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' file://run-ptest', '', d)}" +PACKAGECONFIG[tests] = "-DBUILD_TESTS:BOOL=ON,-DBUILD_TESTS:BOOL=OFF,gmock gtest," + +# Will be empty if no tests were built. +inherit ptest +FILES_${PN}-ptest += "${bindir}/cynara-tests ${bindir}/cynara-db-migration-tests ${datadir}/cynara/tests" +do_install_ptest () { + if ${@bb.utils.contains('PACKAGECONFIG', 'tests', 'true', 'false', d)}; then + mkdir -p ${D}/${datadir}/cynara/tests + cp -r ${S}/test/db/* ${D}/${datadir}/cynara/tests + fi +} + diff --git a/meta-security/recipes-security/cynara/cynara_git.bb b/meta-security/recipes-security/cynara/cynara_git.bb deleted file mode 100644 index 6e387d41e..000000000 --- a/meta-security/recipes-security/cynara/cynara_git.bb +++ /dev/null @@ -1,11 +0,0 @@ -require cynara.inc - -PV = "0.11.0+git${SRCPV}" -SRCREV = "973765e329f8a84c1549cb2b0c65ccb1cce3c2d3" -SRC_URI = "git://github.com/Samsung/cynara.git" -S = "${WORKDIR}/git" - -SRC_URI += " \ -file://cynara-db-migration-abort-on-errors.patch \ -file://cmake-Improves-directories-and-libsystemd.patch \ -" |