| Field | Value | Detail |
|---|---|---|
| author | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-12-08 11:12:45 +0100 |
| committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-12-17 13:59:52 +0000 |
| commit | 1c3c06842ac1b9c089d0a08e91c60f44e4844fac (patch) | |
| tree | 21e97368be8f78a3e76b66dfda24c1d5e774519f | /meta-agl-core/recipes-kernel/linux/linux-4.14 |
| parent | c1e048fc05542d859115990312e0753ce2dea72e (diff) | |
SPEC-3723: restructure meta-agl
Goal is to reach a minimal meta-agl-core as base for IVI and IC work at the same time.
Trim dependencies and move most 'demo' related recipes to meta-agl-demo.
v2: changed to bbappend + .inc , added description
v3: testbuild of all images
v4: restore -test packagegroup and -qa images, compare manifests and adapt packagegroups.
v5: rebased
v6: merged meta-agl-distro into meta-agl-core,
due to dependency on meta-oe, moved -test packagegroup and -qa images
to own layer meta-agl-core-test
v7: Fixed comments from Paul Barker
v8: Update the markdown files
v9: restore wayland/weston/agl-compositor recipes/appends, reworked to
move app f/w specific changes to bbappends in meta-app-framework and
only demo specific weston-init changes to meta-agl-demo
v10: fix s/agldemo/aglcore/ missed in weston-init.bbappend
Description:
This patch is part 1 out of 2 large patches that implement the layer rework
discussed during the previous workshop. Essentially meta-agl-core is the
small but versatile new core layer of AGL serving as basis for
the work done by the IC and IVI EGs.
All demo related work is moved to meta-agl-demo in the 2nd patchset.
This should be applied together as an atomic change.
The resulting meta-agl/* follows these guidelines:
- only bsp adaptations in meta-agl-bsp
- remove the agl-profile-* layers for simplicity
-- the packagegroup-agl(-profile)-graphical and so on
have been kept in meta-agl-demo
- meta-agl-profile-core is now meta-agl-core
- meta-agl-core does pass yocto-check-layer
-- therefore use the bbappend + conditional + .inc file
construct found in meta-virtualization
- meta-agl/meta-security has been merged into meta-agl/meta-app-framework
- meta-netboot does pass yocto-check-layer
- meta-pipewire does pass yocto-check-layer
Migration:
All packagegroups are preserved but they're now enabled by 'agl-demo'.
Bug-AGL: SPEC-3723
Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: Ia6c6e5e6ce2b4ffa69ea94959cdc57c310ba7c53
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/25769
Diffstat (limited to 'meta-agl-core/recipes-kernel/linux/linux-4.14')
3 files changed, 174 insertions, 0 deletions
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch new file mode 100644 index 000000000..c595dfdf5 --- /dev/null +++ b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch @@ -0,0 +1,40 @@ +From 63f5acdf097b7baca8d0f7056a037f8811b48aaa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Tue, 27 Feb 2018 17:06:21 +0100 +Subject: [PATCH] Smack: Handle CGROUP2 in the same way that CGROUP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The new file system CGROUP2 isn't actually handled +by smack. This changes makes Smack treat equally +CGROUP and CGROUP2 items. + +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + security/smack/smack_lsm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index 03fdecba93bb..5d77ed04422c 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -3431,6 +3431,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) + if (opt_dentry->d_parent == opt_dentry) { + switch (sbp->s_magic) { + case CGROUP_SUPER_MAGIC: ++ case CGROUP2_SUPER_MAGIC: + /* + * The cgroup filesystem is never mounted, + * so there's no opportunity to set the mount +@@ -3474,6 +3475,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) + switch (sbp->s_magic) { + case SMACK_MAGIC: + case CGROUP_SUPER_MAGIC: ++ case CGROUP2_SUPER_MAGIC: + /* + * Casey says that it's a little embarrassing + * that the smack file system doesn't do +-- +2.14.3 + 
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch new file mode 100644 index 000000000..4100bb8fd --- /dev/null +++ b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch 
@@ -0,0 +1,109 @@ +Smack: Privilege check on key operations + +Operations on key objects are subjected to Smack policy +even if the process is privileged. This is inconsistent +with the general behavior of Smack and may cause issues +with authentication by privileged daemons. This patch +allows processes with CAP_MAC_OVERRIDE to access keys +even if the Smack rules indicate otherwise. + +Reported-by: Jose Bollo <jobol@nonadev.net> +Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> +--- + security/smack/smack.h | 1 + + security/smack/smack_access.c | 40 +++++++++++++++++++++++++++++----------- + security/smack/smack_lsm.c | 4 ++++ + 3 files changed, 34 insertions(+), 11 deletions(-) + +diff --git a/security/smack/smack.h b/security/smack/smack.h +index 6a71fc7..f7db791 100644 +--- a/security/smack/smack.h ++++ b/security/smack/smack.h +@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int); + void smk_insert_entry(struct smack_known *skp); + struct smack_known *smk_find_entry(const char *); + bool smack_privileged(int cap); ++bool smack_privileged_cred(int cap, const struct cred *cred); + void smk_destroy_label_list(struct list_head *list); + + /* +diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c +index 1a30041..141ffac 100644 +--- a/security/smack/smack_access.c ++++ b/security/smack/smack_access.c +@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid) + LIST_HEAD(smack_onlycap_list); + DEFINE_MUTEX(smack_onlycap_lock); + +-/* ++/** ++ * smack_privileged_cred - are all privilege requirements met by cred ++ * @cap: The requested capability ++ * @cred: the credential to use ++ * + * Is the task privileged and allowed to be privileged + * by the onlycap rule. + * + * Returns true if the task is allowed to be privileged, false if it's not. 
+ */ +-bool smack_privileged(int cap) ++bool smack_privileged_cred(int cap, const struct cred *cred) + { +- struct smack_known *skp = smk_of_current(); ++ struct task_smack *tsp = cred->security; ++ struct smack_known *skp = tsp->smk_task; + struct smack_known_list_elem *sklep; + int rc; + +- /* +- * All kernel tasks are privileged +- */ +- if (unlikely(current->flags & PF_KTHREAD)) +- return true; +- +- rc = cap_capable(current_cred(), &init_user_ns, cap, +- SECURITY_CAP_AUDIT); ++ rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT); + if (rc) + return false; + +@@ -662,3 +660,23 @@ bool smack_privileged(int cap) + + return false; + } ++ ++/** ++ * smack_privileged - are all privilege requirements met ++ * @cap: The requested capability ++ * ++ * Is the task privileged and allowed to be privileged ++ * by the onlycap rule. ++ * ++ * Returns true if the task is allowed to be privileged, false if it's not. ++ */ ++bool smack_privileged(int cap) ++{ ++ /* ++ * All kernel tasks are privileged ++ */ ++ if (unlikely(current->flags & PF_KTHREAD)) ++ return true; ++ ++ return smack_privileged_cred(cap, current_cred()); ++} +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index 30f2c3d..03fdecb 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref, + */ + if (tkp == NULL) + return -EACCES; ++ ++ if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) ++ return 0; ++ + #ifdef CONFIG_AUDIT + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); + ad.a.u.key_struct.key = keyp->serial; + diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch new file mode 100644 index 000000000..7c34fb306 --- /dev/null 
+++ b/meta-agl-core/recipes-kernel/linux/linux-4.14/net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch @@ -0,0 +1,25 @@ +From 17d0075d95b5087d5df553444cca390fa479bad9 Mon Sep 17 00:00:00 2001 +From: Matt Ranostay <matt.ranostay@konsulko.com> +Date: Tue, 10 Mar 2020 22:27:28 -0700 +Subject: [PATCH] net: sch_generic: add if_afp.h header to get ARPHRD_CAN macro + +Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com> +--- + net/sched/sch_generic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index bf8c81e07c70..1845ef8c7dbd 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -25,6 +25,7 @@ + #include <linux/rcupdate.h> + #include <linux/list.h> + #include <linux/slab.h> ++#include <linux/if_arp.h> + #include <linux/if_vlan.h> + #include <net/sch_generic.h> + #include <net/pkt_sched.h> +-- +2.25.0 + |
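Review bot: none of the three added patch files carries an `Upstream-Status:` line, which the OpenEmbedded patch guidelines expect for every patch shipped under a recipe, so a maintainer bumping the kernel cannot tell whether each one is a backport to drop, a pending submission, or a local change to keep. The first and third files are git format-patch output with a `From:` hash identifying the commit they were exported from; state whether that is a mainline commit (`Upstream-Status: Backport [<id>]`) or not (`Pending` / `Inappropriate [reason]`). The second file (`Smack-Privilege-check-on-key-operations.patch`) has no `From:`/`Date:` header at all, so its provenance should be recorded in the same way.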
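Review bot: in the `smack_lsm.c` hunk of the key-operations patch (`@@ -4369,6 +4369,10 @@ smack_key_permission`), the new `if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) return 0;` is placed before `smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);`, so a key access that is granted only because the caller holds CAP_MAC_OVERRIDE never reaches the Smack audit path and leaves no record that policy was overridden for that key serial. If silent override is the intended behaviour (it matches what the `smack_privileged_cred` refactor does elsewhere), say so in the commit message; otherwise move the early return below the audit setup so the override is logged like a policy-granted access.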
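Review bot: the `sch_generic.c` hunk adds `#include <linux/if_arp.h>`, but the `Subject:` line and the patch file name (`net-sch_generic-add-if_afp.h-header-...`) both say `if_afp.h`; rename the file and fix the subject so the patch can be found by the header it actually adds. The commit message also gives no rationale: an include for `ARPHRD_CAN` only makes sense together with a change that uses that macro in `sch_generic.c`, so name the patch or backport in this recipe that introduces that use, for whoever later has to decide whether this one can be dropped.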