aboutsummaryrefslogtreecommitdiffstats
path: root/meta-app-framework/recipes-core/security-manager
diff options
context:
space:
mode:
authorJosé Bollo <jose.bollo@iot.bzh>2019-11-26 15:21:18 +0100
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2019-12-03 16:44:27 +0000
commita13d8ad3225f316fc7d7edaf2805b6cf2e3b5dd1 (patch)
tree81211b592eaa332473f3dee50ae756b91335bb87 /meta-app-framework/recipes-core/security-manager
parent2fa5dae62868c63781568eeb5435ed3296c2ddc2 (diff)
security-manager: Improve integration
This fixes some issues encountered by the current integration of the security-manager: - its recipes is spread in too much directories (see SPEC-2092) - its initialization should be checked (see SPEC-2091) - the location of the database has to be changed (see SPEC-1717 that provided a workaround) All in one, I decided to create that ticket that summarize the work that can be quickly achieved to answer all this issues that are tightly coupled. Bug-AGL: SPEC-2972 Bug-AGL: SPEC-2092 Bug-AGL: SPEC-2091 Bug-AGL: SPEC-1717 Change-Id: I7af941c25cfa1624d76c2e8f512f6535918912f0 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-app-framework/recipes-core/security-manager')
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch40
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch38
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch51
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch196
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service15
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh6
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend24
7 files changed, 3 insertions, 367 deletions
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch
deleted file mode 100644
index 43a3ee103..000000000
--- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 19c99315a5dcba3b696c30d1fdd42a1dcd574a80 Mon Sep 17 00:00:00 2001
-From: Ronan <ronan.lemartret@iot.bzh>
-Date: Thu, 13 Oct 2016 11:37:47 +0200
-Subject: [PATCH] Fix Cmake conf for gcc6 build
-
-Signed-off-by: Ronan <ronan.lemartret@iot.bzh>
----
- src/cmd/CMakeLists.txt | 4 +---
- src/server/CMakeLists.txt | 1 -
- 2 files changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt
-index ee9a160..aa7a12c 100644
---- a/src/cmd/CMakeLists.txt
-+++ b/src/cmd/CMakeLists.txt
-@@ -1,8 +1,6 @@
- FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options)
-
--INCLUDE_DIRECTORIES(SYSTEM
-- ${Boost_INCLUDE_DIRS}
-- )
-+
-
- INCLUDE_DIRECTORIES(
- ${INCLUDE_PATH}
-diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
-index 753eb96..8eef25d 100644
---- a/src/server/CMakeLists.txt
-+++ b/src/server/CMakeLists.txt
-@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED)
-
- INCLUDE_DIRECTORIES(SYSTEM
- ${SERVER_DEP_INCLUDE_DIRS}
-- ${Boost_INCLUDE_DIRS}
- ${Threads_INCLUDE_DIRS}
- )
-
---
-2.6.6
-
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch
deleted file mode 100644
index 1b3c8c427..000000000
--- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From cb9acc2b723b297ee373bf814282711f02657aa5 Mon Sep 17 00:00:00 2001
-From: Ronan <ronan.lemartret@iot.bzh>
-Date: Wed, 12 Oct 2016 17:48:55 +0200
-Subject: [PATCH] Fix gcc6 build
-
-Signed-off-by: ronan <ronan@ot.bzh>
----
- src/client/client-security-manager.cpp | 1 +
- src/common/include/privilege_db.h | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
-index 74a6b30..347cddd 100644
---- a/src/client/client-security-manager.cpp
-+++ b/src/client/client-security-manager.cpp
-@@ -46,6 +46,7 @@
- #include <service_impl.h>
- #include <security-manager.h>
- #include <client-offline.h>
-+#include <linux/xattr.h>
-
- static const char *EMPTY = "";
-
-diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
-index 03c6680..8dd39a1 100644
---- a/src/common/include/privilege_db.h
-+++ b/src/common/include/privilege_db.h
-@@ -32,6 +32,7 @@
- #include <map>
- #include <stdbool.h>
- #include <string>
-+#include <vector>
-
- #include <dpl/db/sql_connection.h>
-
---
-2.6.6
-
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch
deleted file mode 100644
index 7b6845abc..000000000
--- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From ed1c105db9d7b1ceb52ec16f35b0a2c959c19c6d Mon Sep 17 00:00:00 2001
-From: Changhyeok Bae <changhyeok.bae@gmail.com>
-Date: Sun, 17 Dec 2017 15:40:58 +0000
-Subject: [PATCH] gcc-7 requires include <functional> for std::function
-
-Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
----
- src/client/client-common.cpp | 1 +
- src/common/smack-labels.cpp | 1 +
- src/dpl/core/src/binary_queue.cpp | 1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp
-index 883ab8d..1babdf7 100644
---- a/src/client/client-common.cpp
-+++ b/src/client/client-common.cpp
-@@ -31,6 +31,7 @@
- #include <sys/xattr.h>
- #include <linux/xattr.h>
- #include <unistd.h>
-+#include <functional>
-
- #include <dpl/log/log.h>
- #include <dpl/serialization.h>
-diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp
-index 0294a42..1598099 100644
---- a/src/common/smack-labels.cpp
-+++ b/src/common/smack-labels.cpp
-@@ -29,6 +29,7 @@
- #include <sys/xattr.h>
- #include <linux/xattr.h>
- #include <memory>
-+#include <functional>
- #include <fts.h>
- #include <cstring>
- #include <string>
-diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp
-index 72817a6..838409f 100644
---- a/src/dpl/core/src/binary_queue.cpp
-+++ b/src/dpl/core/src/binary_queue.cpp
-@@ -26,6 +26,7 @@
- #include <malloc.h>
- #include <cstring>
- #include <new>
-+#include <functional>
-
- namespace SecurityManager {
- BinaryQueue::BinaryQueue() :
---
-2.7.4
-
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch
deleted file mode 100644
index bea3516d8..000000000
--- a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch
+++ /dev/null
@@ -1,196 +0,0 @@
-From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Mon, 16 Nov 2015 14:26:25 +0100
-Subject: [PATCH] Removing tizen-platform-config
-
-Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121
----
- policy/security-manager-policy-reload | 2 +-
- src/common/file-lock.cpp | 4 +---
- src/common/include/file-lock.h | 1 -
- src/common/include/privilege_db.h | 3 +--
- src/common/service_impl.cpp | 39 +++++++++++------------------------
- src/common/smack-rules.cpp | 12 ++++-------
- 6 files changed, 19 insertions(+), 42 deletions(-)
-
-diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
-index 6f211c6..ed8047a 100755
---- a/policy/security-manager-policy-reload
-+++ b/policy/security-manager-policy-reload
-@@ -2,7 +2,7 @@
-
- POLICY_PATH=/usr/share/security-manager/policy
- PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
--DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
-+DB_FILE=/var/local/db/security-manager/.security-manager.db
-
- # Create default buckets
- while read bucket default_policy
-diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp
-index 6f3996c..1dada17 100644
---- a/src/common/file-lock.cpp
-+++ b/src/common/file-lock.cpp
-@@ -30,9 +30,7 @@
-
- namespace SecurityManager {
-
--char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN,
-- "lock",
-- "security-manager.lock");
-+char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock";
-
- FileLocker::FileLocker(const std::string &lockFile, bool blocking)
- {
-diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h
-index 604b019..21a86a0 100644
---- a/src/common/include/file-lock.h
-+++ b/src/common/include/file-lock.h
-@@ -29,7 +29,6 @@
-
- #include <dpl/exception.h>
- #include <dpl/noncopyable.h>
--#include <tzplatform_config.h>
-
- namespace SecurityManager {
-
-diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
-index 4d73d90..03c6680 100644
---- a/src/common/include/privilege_db.h
-+++ b/src/common/include/privilege_db.h
-@@ -34,14 +34,13 @@
- #include <string>
-
- #include <dpl/db/sql_connection.h>
--#include <tzplatform_config.h>
-
- #ifndef PRIVILEGE_DB_H_
- #define PRIVILEGE_DB_H_
-
- namespace SecurityManager {
-
--const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db");
-+const char *const PRIVILEGE_DB_PATH = "/var/local/db/security-manager/.security-manager.db";
-
- enum class QueryType {
- EGetPkgPrivileges,
-diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
-index ae305d3..65cc8b5 100644
---- a/src/common/service_impl.cpp
-+++ b/src/common/service_impl.cpp
-@@ -32,7 +32,6 @@
- #include <algorithm>
-
- #include <dpl/log/log.h>
--#include <tzplatform_config.h>
-
- #include "protocols.h"
- #include "privilege_db.h"
-@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr,
-
- static uid_t getGlobalUserId(void)
- {
-- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
-+ static uid_t globaluid = 0;
-+ if (!globaluid) {
-+ struct passwd pw, *p;
-+ char buf[4096];
-+ int rc = getpwnam_r("afm", &pw, buf, sizeof buf, &p);
-+ globaluid = (rc || p == NULL) ? 555 : p->pw_uid;
-+ }
- return globaluid;
- }
-
-@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir)
-
- static bool getUserAppDir(const uid_t &uid, std::string &userAppDir)
- {
-- struct tzplatform_context *tz_ctx = nullptr;
--
-- if (tzplatform_context_create(&tz_ctx))
-- return false;
--
-- if (tzplatform_context_set_user(tz_ctx, uid)) {
-- tzplatform_context_destroy(tz_ctx);
-- tz_ctx = nullptr;
-+ struct passwd pw, *p;
-+ char buf[4096];
-+ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p);
-+ if (rc || p == NULL)
- return false;
-- }
--
-- enum tzplatform_variable id =
-- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP;
-- const char *appDir = tzplatform_context_getenv(tz_ctx, id);
-- if (!appDir) {
-- tzplatform_context_destroy(tz_ctx);
-- tz_ctx = nullptr;
-- return false;
-- }
--
-- userAppDir = appDir;
--
-- tzplatform_context_destroy(tz_ctx);
-- tz_ctx = nullptr;
--
-+ userAppDir = p->pw_dir;
- return true;
- }
-
- static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath)
- {
-- std::string userHome;
- std::string userAppDir;
- std::stringstream correctPath;
-
-diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
-index d834e42..8b5728b 100644
---- a/src/common/smack-rules.cpp
-+++ b/src/common/smack-rules.cpp
-@@ -34,7 +34,6 @@
- #include <memory>
-
- #include <dpl/log/log.h>
--#include <tzplatform_config.h>
-
- #include "smack-labels.h"
- #include "smack-rules.h"
-@@ -43,7 +42,7 @@ namespace SecurityManager {
-
- const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~";
- const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~";
--const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack");
-+const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack";
- const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat";
-
- SmackRules::SmackRules()
-@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon
-
- std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId)
- {
-- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str()));
-- return path;
-+ return "/etc/smack/accesses.d/pkg_" + pkgId;
- }
-
- std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
- {
-- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
-- return path;
-+ return "/etc/smack/accesses.d/app_" + appId;
- }
- void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
- const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
-@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con
- for (auto privilege : privileges) {
- if (privilege.empty())
- continue;
-- std::string fprivilege ( privilege + "-template.smack");
-- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
-+ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack";
- if( stat(path.c_str(), &buffer) == 0)
- smackRules.addFromTemplateFile(appId, pkgId, path);
- }
---
-2.1.4
-
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service
deleted file mode 100644
index 8ed5e8601..000000000
--- a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Install security-manager DB to /var
-
-[Unit]
-Description=Install Security Manager database
-After=sysinit.target
-Before=security-manager.service
-
-[Install]
-WantedBy=default.target
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/usr/bin/init-security-manager-db.sh
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh
deleted file mode 100644
index f90192a84..000000000
--- a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-if [ ! -e "/var/local/db/security-manager" ]; then
- mkdir -p /var/local/db
- cp -ra /usr/dbspace/ /var/local/db/security-manager
-fi
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend
index 61c933a7e..3306d4c72 100644
--- a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend
+++ b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend
@@ -1,25 +1,7 @@
FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:"
-PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native"
-
-SRC_URI += " file://0001-Adapt-rules-to-AGL.patch \
- file://init-security-manager-db.service \
- file://init-security-manager-db.sh \
- file://0001-Fix-gcc6-build.patch \
- file://0001-Fix-Cmake-conf-for-gcc6-build.patch \
- file://0001-gcc-7-requires-include-functional-for-std-function.patch \
-"
-
-FILES_${PN}_append = "${bindir}/init-security-manager-db.sh \
- ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_unitdir}/system/init-security-manager-db.service', '', d)} \
+EXTRA_OECMAKE =+ " -DGLOBALUSER=afm"
+SRC_URI += " \
+ file://0001-Adapt-rules-to-AGL.patch \
"
-do_install_append () {
- install -p -D ${WORKDIR}/init-security-manager-db.sh ${D}${bindir}/init-security-manager-db.sh
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- mkdir -p ${D}${systemd_unitdir}/system
- mkdir -p ${D}${sysconfdir}/systemd/system/default.target.wants
- install -m 644 -p -D ${WORKDIR}/init-security-manager-db.service ${D}${systemd_unitdir}/system/init-security-manager-db.service
- ln -sf ${systemd_unitdir}/system/init-security-manager-db.service ${D}${sysconfdir}/systemd/system/default.target.wants
- fi
-}