Prepare master for new framework integration

During the last workshop the transition to the new framework was presented. This change essentially deprecates the SMACK-based application framework. To prepare the integration of it, we remove the deprecated components: - meta-agl-core: remove Smack kernel patches - meta-app-framework - meta-pipewire/dynamic-layers/meta-app-framework/ v2: rebased Bug-AGL: SPEC-4121 Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Change-Id: Icdaeadfb5d2193f3a4c535168c88da6073423e67 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26752
author: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> 2021-10-18 14:07:53 +0200
committer: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> 2021-11-04 14:24:17 +0000
commit: d468ce3b3d602f7c8a88d67126a32900b76fd433 (patch)
tree: ef7543ddb14168c2b3d8725b95399d2ecaba9f2a /meta-agl-core
parent: abc4742a714cfc60a868c0912432a6f59fd41b77 (diff)
5 files changed, 2 insertions, 167 deletions
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch
deleted file mode 100644
index c595dfdf5..000000000
--- a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 63f5acdf097b7baca8d0f7056a037f8811b48aaa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Tue, 27 Feb 2018 17:06:21 +0100
-Subject: [PATCH] Smack: Handle CGROUP2 in the same way that CGROUP
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The new file system CGROUP2 isn't actually handled
-by smack. This changes makes Smack treat equally
-CGROUP and CGROUP2 items.
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- security/smack/smack_lsm.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index 03fdecba93bb..5d77ed04422c 100644
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -3431,6 +3431,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
- 	if (opt_dentry->d_parent == opt_dentry) {
- 		switch (sbp->s_magic) {
- 		case CGROUP_SUPER_MAGIC:
-+		case CGROUP2_SUPER_MAGIC:
- 			/*
- 			 * The cgroup filesystem is never mounted,
- 			 * so there's no opportunity to set the mount
-@@ -3474,6 +3475,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
- 	switch (sbp->s_magic) {
- 	case SMACK_MAGIC:
- 	case CGROUP_SUPER_MAGIC:
-+	case CGROUP2_SUPER_MAGIC:
- 		/*
- 		 * Casey says that it's a little embarrassing
- 		 * that the smack file system doesn't do
--- 
-2.14.3
-
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch
deleted file mode 100644
index 4100bb8fd..000000000
--- a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-Smack: Privilege check on key operations
-
-Operations on key objects are subjected to Smack policy
-even if the process is privileged. This is inconsistent
-with the general behavior of Smack and may cause issues
-with authentication by privileged daemons. This patch
-allows processes with CAP_MAC_OVERRIDE to access keys
-even if the Smack rules indicate otherwise.
-
-Reported-by: Jose Bollo <jobol@nonadev.net>
-Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
----
- security/smack/smack.h        |  1 +
- security/smack/smack_access.c | 40 +++++++++++++++++++++++++++++-----------
- security/smack/smack_lsm.c    |  4 ++++
- 3 files changed, 34 insertions(+), 11 deletions(-)
-
-diff --git a/security/smack/smack.h b/security/smack/smack.h
-index 6a71fc7..f7db791 100644
---- a/security/smack/smack.h
-+++ b/security/smack/smack.h
-@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int);
- void smk_insert_entry(struct smack_known *skp);
- struct smack_known *smk_find_entry(const char *);
- bool smack_privileged(int cap);
-+bool smack_privileged_cred(int cap, const struct cred *cred);
- void smk_destroy_label_list(struct list_head *list);
- 
- /*
-diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
-index 1a30041..141ffac 100644
---- a/security/smack/smack_access.c
-+++ b/security/smack/smack_access.c
-@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid)
- LIST_HEAD(smack_onlycap_list);
- DEFINE_MUTEX(smack_onlycap_lock);
- 
--/*
-+/**
-+ * smack_privileged_cred - are all privilege requirements met by cred
-+ * @cap: The requested capability
-+ * @cred: the credential to use
-+ *
-  * Is the task privileged and allowed to be privileged
-  * by the onlycap rule.
-  *
-  * Returns true if the task is allowed to be privileged, false if it's not.
-  */
--bool smack_privileged(int cap)
-+bool smack_privileged_cred(int cap, const struct cred *cred)
- {
--	struct smack_known *skp = smk_of_current();
-+	struct task_smack *tsp = cred->security;
-+	struct smack_known *skp = tsp->smk_task;
- 	struct smack_known_list_elem *sklep;
- 	int rc;
- 
--	/*
--	 * All kernel tasks are privileged
--	 */
--	if (unlikely(current->flags & PF_KTHREAD))
--		return true;
--
--	rc = cap_capable(current_cred(), &init_user_ns, cap,
--				SECURITY_CAP_AUDIT);
-+	rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT);
- 	if (rc)
- 		return false;
- 
-@@ -662,3 +660,23 @@ bool smack_privileged(int cap)
- 
- 	return false;
- }
-+
-+/**
-+ * smack_privileged - are all privilege requirements met
-+ * @cap: The requested capability
-+ *
-+ * Is the task privileged and allowed to be privileged
-+ * by the onlycap rule.
-+ *
-+ * Returns true if the task is allowed to be privileged, false if it's not.
-+ */
-+bool smack_privileged(int cap)
-+{
-+	/*
-+	 * All kernel tasks are privileged
-+	 */
-+	if (unlikely(current->flags & PF_KTHREAD))
-+		return true;
-+
-+	return smack_privileged_cred(cap, current_cred());
-+}
-diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index 30f2c3d..03fdecb 100644
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref,
- 	 */
- 	if (tkp == NULL)
- 		return -EACCES;
-+
-+	if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
-+		return 0;
-+
- #ifdef CONFIG_AUDIT
- 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
- 	ad.a.u.key_struct.key = keyp->serial;
-
diff --git a/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc b/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc
index 8476f343b..9ab3d34af 100644
--- a/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc
+++ b/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc
@@ -1,13 +1,5 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/linux-4.14:"
 
-#-------------------------------------------------------------------------
-# smack patches for kernels keys
-
-SRC_URI:append:with-lsm-smack = "\
-       file://Smack-Privilege-check-on-key-operations.patch \
-       file://Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch \
-       "
-
 SRC_URI:append = "\
        file://net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch \
        file://net-sch_generic-Use-pfifo_fast-as-fallback-scheduler.patch \
diff --git a/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh b/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh
index fec73069e..e0e9d17a4 100755
--- a/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh
+++ b/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh
@@ -20,14 +20,10 @@ AGL_EXTRA_IMAGE_FSTYPES ?= ""
 
 # important settings imported from poky-agl.conf
 # we do not import 
-DISTRO_FEATURES:append = " systemd smack"
+DISTRO_FEATURES:append = " systemd"
 DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit"
 VIRTUAL-RUNTIME_init_manager = "systemd"
 
-# workaround:
-# ERROR: Nothing PROVIDES 'smack' (but /home/dl9pf/AGL/master-newlayout/external/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb DEPENDS on or otherwise requires it)
-BBMASK += "meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb"
-
 AGL_FEATURES += "aglcore"
 
 EOF
diff --git a/meta-agl-core/scripts/run-yocto-check-layer.sh b/meta-agl-core/scripts/run-yocto-check-layer.sh
index 369ed98b4..3af61bc19 100755
--- a/meta-agl-core/scripts/run-yocto-check-layer.sh
+++ b/meta-agl-core/scripts/run-yocto-check-layer.sh
@@ -20,14 +20,10 @@ AGL_EXTRA_IMAGE_FSTYPES ?= ""
 
 # important settings imported from poky-agl.conf
 # we do not import 
-DISTRO_FEATURES:append = " systemd smack"
+DISTRO_FEATURES:append = " systemd"
 DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit"
 VIRTUAL-RUNTIME_init_manager = "systemd"
 
-# workaround:
-# ERROR: Nothing PROVIDES 'smack' (but /home/dl9pf/AGL/master-newlayout/external/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb DEPENDS on or otherwise requires it)
-BBMASK += "meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb"
-
 EOF
author	Jan-Simon Moeller <jsmoeller@linuxfoundation.org>	2021-10-18 14:07:53 +0200
committer	Jan-Simon Moeller <jsmoeller@linuxfoundation.org>	2021-11-04 14:24:17 +0000
commit	d468ce3b3d602f7c8a88d67126a32900b76fd433 (patch)
tree	ef7543ddb14168c2b3d8725b95399d2ecaba9f2a /meta-agl-core
parent	abc4742a714cfc60a868c0912432a6f59fd41b77 (diff)