authorAnton Gerasimov <anton@advancedtelematic.com>2016-12-14 14:08:16 +0100
committerStephane Desneux <stephane.desneux@iot.bzh>2017-03-27 15:33:39 +0200
commited0ec649f38a3044aaf3d36222be0391872cf2f5 (patch)
tree18ffecc1c35f5a1c2f84c44675da16177218e783
parentf947f34b2acab8fb55007c5bf5ddc677338e7c12 (diff)
Move all writable data used by security-manager and appfw to /var
The purpose of these changes is to make OSTree and AppFw update domains compatible with each other. Some integration code is also needed to deploy initial data to writable area (see SPEC-359 in Jira). Bug-AGL: SPEC-359 Change-Id: Iccba1e9916c569167df2922ad5e2d90cc33f06fe Signed-off-by: Anton Gerasimov <anton@advancedtelematic.com> Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
-rw-r--r--meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.service15
-rw-r--r--meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.sh7
-rw-r--r--meta-app-framework/recipes-core/af-main/af-main_1.0.bb22
-rw-r--r--meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb2
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch196
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service15
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh6
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend14
-rw-r--r--meta-app-framework/recipes-example/afm-client/files/afm-client.service2
9 files changed, 270 insertions, 9 deletions
diff --git a/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.service b/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.service
new file mode 100644
index 000000000..7e3b9e4e8
--- /dev/null
+++ b/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.service
@@ -0,0 +1,15 @@
+#
+# Install security-manager DB to /var
+
+[Unit]
+Description=Deploy AFM directories to /var
+After=sysinit.target
+Before=afm-system-daemon.service
+Before=afm-user-daemon.service
+
+[Install]
+WantedBy=default.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/init-afm-dirs.sh
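Review bot: `Before=afm-user-daemon.service` in this system unit probably orders nothing, because af-main_1.0.bb installs afm-user-daemon.service under `${systemd_user_unitdir}` and the system manager does not order its units against those of a user manager. The copy to /var will usually finish before a user session starts, but that is timing rather than a guarantee, so it is worth confirming on target. The header comment `# Install security-manager DB to /var` looks copied from the other unit and should read `# Deploy AFM data directories to /var`. Adding `RemainAfterExit=yes` would keep the oneshot marked active once it has run.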
diff --git a/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.sh b/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.sh
new file mode 100644
index 000000000..97cf272f2
--- /dev/null
+++ b/meta-app-framework/recipes-core/af-main/af-main/init-afm-dirs.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ ! -e "/var/lib/afm" ]; then
+ mkdir -p /var/lib
+ cp -ra /usr/share/afm /var/lib
+fi
+
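Review bot: An interrupted first boot leaves a partial /var/lib/afm that is never repaired, because the `-e` test succeeds as soon as `cp` has created the directory and the result of the copy is not checked. Copy to a staging name and rename only on success: `rm -rf /var/lib/afm.new`, `cp -a /usr/share/afm /var/lib/afm.new`, `mv /var/lib/afm.new /var/lib/afm`, with `set -e` at the top so the unit fails visibly. init-security-manager-db.sh uses the same pattern for /var/db/security-manager, where a truncated policy database is the more serious outcome.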
diff --git a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb
index 611307fb0..834e293fa 100644
--- a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb
+++ b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb
@@ -16,7 +16,8 @@ DEPENDS_class-native = "openssl libxml2 xmlsec1 libzip"
afm_name = "afm"
afm_confdir = "${sysconfdir}/${afm_name}"
-afm_datadir = "${datadir}/${afm_name}"
+afm_datadir = "/var/lib/${afm_name}"
+afm_init_datadir = "${datadir}/${afm_name}"
afb_binding_dir = "${libdir}/afb"
EXTRA_OECMAKE_class-native = "\
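Review bot: `afm_datadir = "/var/lib/${afm_name}"` hard-codes the state directory where `afm_datadir = "${localstatedir}/lib/${afm_name}"` would follow the distro's path variables. The same assignment is made in nativesdk-af-main_1.0.bb. init-afm-dirs.sh and afm-client.service repeat the literal /var/lib/afm, so a comment beside the variable naming those files would help whoever changes the path next.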
@@ -46,8 +47,12 @@ GROUPADD_PARAM_${PN} = "-r ${afm_name}"
SYSTEMD_SERVICE_${PN} = "afm-system-daemon.service"
SYSTEMD_AUTO_ENABLE = "enable"
+SRC_URI_append = "file://init-afm-dirs.sh \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'file://init-afm-dirs.service', '', d)}"
+
FILES_${PN} += "\
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_user_unitdir}/afm-user-daemon.service', '', d)} \
+ ${bindir}/init-afm-dirs.sh \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_user_unitdir}/afm-user-daemon.service ${systemd_unitdir}/system/init-afm-dirs.service', '', d)} \
"
RDEPENDS_${PN}_append_smack = " smack-userspace"
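Review bot: `SRC_URI_append = "file://init-afm-dirs.sh \` has no leading space, and `_append` concatenates without inserting one, so the entry fuses with the last existing URI whenever SRC_URI does not end in whitespace. Write it as `SRC_URI_append = " file://init-afm-dirs.sh \`. `FILES_${PN}_append = "${bindir}/init-security-manager-db.sh"` in security-manager_%.bbappend has the same problem and is more likely to bite, since the default FILES value normally ends in a path.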
@@ -60,9 +65,14 @@ SRC_URI += "\
"
do_install_append() {
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/init-afm-dirs.sh ${D}${bindir}
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
mkdir -p ${D}${sysconfdir}/systemd/user/default.target.wants
+ mkdir -p ${D}${sysconfdir}/systemd/system/default.target.wants
ln -sf ${systemd_user_unitdir}/afm-user-daemon.service ${D}${sysconfdir}/systemd/user/default.target.wants
+ install -p -D ${WORKDIR}/init-afm-dirs.service ${D}${systemd_unitdir}/system/init-afm-dirs.service
+ ln -sf ${systemd_unitdir}/system/init-afm-dirs.service ${D}${sysconfdir}/systemd/system/default.target.wants
fi
}
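Review bot: `install -p -D ${WORKDIR}/init-afm-dirs.service ...` gives no mode, so the unit file is installed with install's default of 0755 and systemd will complain about an executable unit file. Use `install -p -m 0644 -D ${WORKDIR}/init-afm-dirs.service ${D}${systemd_unitdir}/system/init-afm-dirs.service`. The two `install -p -D` lines in security-manager_%.bbappend also rely on the default; the unit there should be `-m 0644` and the script an explicit `-m 0755`, since both end up run by root.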
@@ -79,15 +89,15 @@ EOF
}
pkg_postinst_${PN}() {
- mkdir -p $D${afm_datadir}/applications $D${afm_datadir}/icons
+ mkdir -p $D${afm_init_datadir}/applications $D${afm_init_datadir}/icons
setcap cap_mac_override,cap_dac_override=ep $D${bindir}/afm-system-daemon
setcap cap_mac_override,cap_mac_admin,cap_setgid=ep $D${bindir}/afm-user-daemon
}
pkg_postinst_${PN}_smack() {
- mkdir -p $D${afm_datadir}/applications $D${afm_datadir}/icons
- chown ${afm_name}:${afm_name} $D${afm_datadir} $D${afm_datadir}/applications $D${afm_datadir}/icons
- chsmack -a 'System::Shared' -t $D${afm_datadir} $D${afm_datadir}/applications $D${afm_datadir}/icons
+ mkdir -p $D${afm_init_datadir}/applications $D${afm_init_datadir}/icons
+ chown ${afm_name}:${afm_name} $D${afm_init_datadir} $D${afm_init_datadir}/applications $D${afm_init_datadir}/icons
+ chsmack -a 'System::Shared' -t $D${afm_init_datadir} $D${afm_init_datadir}/applications $D${afm_init_datadir}/icons
setcap cap_mac_override,cap_dac_override=ep $D${bindir}/afm-system-daemon
setcap cap_mac_override,cap_mac_admin,cap_setgid=ep $D${bindir}/afm-user-daemon
}
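Review bot: The ownership and Smack label that `pkg_postinst_${PN}_smack` applies may never reach the directory the daemons use, because they are now set on the template under `${afm_init_datadir}` and /var/lib/afm is created later by `cp -ra` in init-afm-dirs.sh. Whether the `System::Shared` label and the transmute flag survive that copy depends on the cp implementation in the image, since extended-attribute preservation is not universal. Re-applying them after the copy on Smack builds is safer, for example `chsmack -a 'System::Shared' -t /var/lib/afm /var/lib/afm/applications /var/lib/afm/icons` in the init script. The hunk begins inside an earlier function that is not fully visible.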
diff --git a/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb b/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb
index 0169e6b1a..ba70c59ab 100644
--- a/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb
+++ b/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb
@@ -8,7 +8,7 @@ DEPENDS = "nativesdk-openssl nativesdk-libxml2 nativesdk-xmlsec1 nativesdk-libzi
afm_name = "afm"
afm_confdir = "${sysconfdir}/${afm_name}"
-afm_datadir = "${datadir}/${afm_name}"
+afm_datadir = "/var/lib/${afm_name}"
EXTRA_OECMAKE = "\
-DUSE_LIBZIP=1 \
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch
new file mode 100644
index 000000000..4830db2a8
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch
@@ -0,0 +1,196 @@
+From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 14:26:25 +0100
+Subject: [PATCH] Removing tizen-platform-config
+
+Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121
+---
+ policy/security-manager-policy-reload | 2 +-
+ src/common/file-lock.cpp | 4 +---
+ src/common/include/file-lock.h | 1 -
+ src/common/include/privilege_db.h | 3 +--
+ src/common/service_impl.cpp | 39 +++++++++++------------------------
+ src/common/smack-rules.cpp | 12 ++++-------
+ 6 files changed, 19 insertions(+), 42 deletions(-)
+
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
+index 6f211c6..ed8047a 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload
+@@ -2,7 +2,7 @@
+
+ POLICY_PATH=/usr/share/security-manager/policy
+ PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
+-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
++DB_FILE=/var/db/security-manager/.security-manager.db
+
+ # Create default buckets
+ while read bucket default_policy
+diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp
+index 6f3996c..1dada17 100644
+--- a/src/common/file-lock.cpp
++++ b/src/common/file-lock.cpp
+@@ -30,9 +30,7 @@
+
+ namespace SecurityManager {
+
+-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN,
+- "lock",
+- "security-manager.lock");
++char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock";
+
+ FileLocker::FileLocker(const std::string &lockFile, bool blocking)
+ {
+diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h
+index 604b019..21a86a0 100644
+--- a/src/common/include/file-lock.h
++++ b/src/common/include/file-lock.h
+@@ -29,7 +29,6 @@
+
+ #include <dpl/exception.h>
+ #include <dpl/noncopyable.h>
+-#include <tzplatform_config.h>
+
+ namespace SecurityManager {
+
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 4d73d90..03c6680 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -34,14 +34,13 @@
+ #include <string>
+
+ #include <dpl/db/sql_connection.h>
+-#include <tzplatform_config.h>
+
+ #ifndef PRIVILEGE_DB_H_
+ #define PRIVILEGE_DB_H_
+
+ namespace SecurityManager {
+
+-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db");
++const char *const PRIVILEGE_DB_PATH = "/var/db/security-manager/.security-manager.db";
+
+ enum class QueryType {
+ EGetPkgPrivileges,
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index ae305d3..65cc8b5 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -32,7 +32,6 @@
+ #include <algorithm>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "protocols.h"
+ #include "privilege_db.h"
+@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr,
+
+ static uid_t getGlobalUserId(void)
+ {
+- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
++ static uid_t globaluid = 0;
++ if (!globaluid) {
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwnam_r("userapp", &pw, buf, sizeof buf, &p);
++ globaluid = (rc || p == NULL) ? 555 : p->pw_uid;
++ }
+ return globaluid;
+ }
+
+@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir)
+
+ static bool getUserAppDir(const uid_t &uid, std::string &userAppDir)
+ {
+- struct tzplatform_context *tz_ctx = nullptr;
+-
+- if (tzplatform_context_create(&tz_ctx))
+- return false;
+-
+- if (tzplatform_context_set_user(tz_ctx, uid)) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p);
++ if (rc || p == NULL)
+ return false;
+- }
+-
+- enum tzplatform_variable id =
+- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP;
+- const char *appDir = tzplatform_context_getenv(tz_ctx, id);
+- if (!appDir) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+- return false;
+- }
+-
+- userAppDir = appDir;
+-
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+-
++ userAppDir = p->pw_dir;
+ return true;
+ }
+
+ static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath)
+ {
+- std::string userHome;
+ std::string userAppDir;
+ std::stringstream correctPath;
+
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index d834e42..8b5728b 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -34,7 +34,6 @@
+ #include <memory>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "smack-labels.h"
+ #include "smack-rules.h"
+@@ -43,7 +42,7 @@ namespace SecurityManager {
+
+ const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~";
+ const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~";
+-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack");
++const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack";
+ const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat";
+
+ SmackRules::SmackRules()
+@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon
+
+ std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str()));
+- return path;
++ return "/etc/smack/accesses.d/pkg_" + pkgId;
+ }
+
+ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
+- return path;
++ return "/etc/smack/accesses.d/app_" + appId;
+ }
+ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
+@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con
+ for (auto privilege : privileges) {
+ if (privilege.empty())
+ continue;
+- std::string fprivilege ( privilege + "-template.smack");
+- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack";
+ if( stat(path.c_str(), &buffer) == 0)
+ smackRules.addFromTemplateFile(appId, pkgId, path);
+ }
+--
+2.1.4
+
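Review bot: `getGlobalUserId()` in the service_impl.cpp part of this patch silently falls back to uid 555 when the `userapp` account cannot be resolved, so on an image without that account whichever user holds uid 555 is treated as the global application user. The lookup failure should at least be logged and the fallback made a named, documented constant. The `if (!globaluid)` lazy initialisation also replaces a static initialiser, which C++11 makes thread-safe, with an unsynchronised write; `static const uid_t globaluid = lookupGlobalUid();` with the lookup moved into a helper would restore that. `getUserAppDir()` now returns `pw_dir` for every uid and drops the earlier distinction between the global and per-user application directories; installRequestAuthCheck continues outside the hunk, so confirm its path check still restricts install locations as intended.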
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service
new file mode 100644
index 000000000..8ed5e8601
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service
@@ -0,0 +1,15 @@
+#
+# Install security-manager DB to /var
+
+[Unit]
+Description=Install Security Manager database
+After=sysinit.target
+Before=security-manager.service
+
+[Install]
+WantedBy=default.target
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/bin/init-security-manager-db.sh
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh
new file mode 100644
index 000000000..ef41286c8
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ ! -e "/var/db/security-manager" ]; then
+ mkdir -p /var/db
+ cp -ra /usr/dbspace/ /var/db/security-manager
+fi
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend
index d3a110de5..b4b5e01c4 100644
--- a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend
+++ b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend
@@ -1,4 +1,16 @@
FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:"
-SRC_URI += " file://0001-Adapt-rules-to-AGL.patch "
+SRC_URI += " file://0001-Adapt-rules-to-AGL.patch \
+ file://init-security-manager-db.service \
+ file://init-security-manager-db.sh"
+SYSTEMD_SERVICE_${PN} = "init-security-manager-db.service"
+
+FILES_${PN}_append = "${bindir}/init-security-manager-db.sh"
+
+do_install_append () {
+ install -p -D ${WORKDIR}/init-security-manager-db.sh ${D}${bindir}/init-security-manager-db.sh
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -p -D ${WORKDIR}/init-security-manager-db.service ${D}${systemd_unitdir}/system/init-security-manager-db.service
+ fi
+}
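Review bot: `SYSTEMD_SERVICE_${PN} = "init-security-manager-db.service"` replaces rather than extends whatever the base recipe assigned, so if the base recipe lists security-manager.service there it would no longer be enabled through this variable; the base recipe is not visible here. `SYSTEMD_SERVICE_${PN} += "init-security-manager-db.service"` avoids that. The assignment and the two new `file://` entries are also unconditional, while the unit itself is installed only when `systemd` is in DISTRO_FEATURES.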
diff --git a/meta-app-framework/recipes-example/afm-client/files/afm-client.service b/meta-app-framework/recipes-example/afm-client/files/afm-client.service
index 688c91fd8..735717439 100644
--- a/meta-app-framework/recipes-example/afm-client/files/afm-client.service
+++ b/meta-app-framework/recipes-example/afm-client/files/afm-client.service
@@ -2,7 +2,7 @@
Description=Simplest application manager
[Service]
-ExecStart=/usr/bin/afb-daemon --mode=remote --port=1234 --token='' --sessiondir=/home/root/.afb-daemon --rootdir=/usr/share/agl/afm-client --alias=/icons:/usr/share/afm/icons
+ExecStart=/usr/bin/afb-daemon --mode=remote --port=1234 --token='' --sessiondir=/home/root/.afb-daemon --rootdir=/usr/share/agl/afm-client --alias=/icons:/var/lib/afm/icons
Restart=on-failure
RestartSec=5
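Review bot: The rewritten `ExecStart` line still starts afb-daemon with `--mode=remote --port=1234 --token=''`, which looks like a network-reachable API with an empty initial token. If that is intended for this example only, a comment above the line such as `# Example configuration: empty token, not for production images` would keep it from being copied into a product image unchanged. The literal `/var/lib/afm/icons` also has to be kept in sync by hand with `afm_datadir` in af-main_1.0.bb.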