diff options
| author |   Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-12-08 11:12:45 +0100 |
|---|---|---|
| committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-12-17 13:59:52 +0000 |
| commit | 1c3c06842ac1b9c089d0a08e91c60f44e4844fac (patch) | |
| tree | 21e97368be8f78a3e76b66dfda24c1d5e774519f /meta-app-framework/recipes-security | |
| parent | c1e048fc05542d859115990312e0753ce2dea72e (diff) | |
SPEC-3723: restructure meta-agl
Goal is to reach a minimal meta-agl-core as base for IVI and IC work at the same time.
Trim dependencies and move most 'demo' related recipes to meta-agl-demo.
v2: changed to bbapend + .inc , added description
v3: testbuild of all images
v4: restore -test packagegroup and -qa images, compare manifests and adapt packagegroups.
v5: rebased
v6: merged meta-agl-distro into meta-agl-core,
due to dependency on meta-oe, moved -test packagegroup and -qa images
to own layer meta-agl-core-test
v7: Fixed comments from Paul Barker
v8: Update the markdown files
v9: restore wayland/weston/agl-compositor recipes/appends, reworked to
move app f/w specific changes to bbappends in meta-app-framework and
only demo specific weston-init changes to meta-agl-demo
v10: fix s/agldemo/aglcore/ missed in weston-init.bbappend
Description:
This patch is part 1 out of 2 large patches that implement the layer rework
discussed during the previous workshop. Essentially meta-agl-core is the
small but versatile new core layer of AGL serving as basis for
the work done by the IC and IVI EGs.
All demo related work is moved to meta-agl-demo in the 2nd patchset.
This should be applied together as atomic change.
The resulting meta-agl/* follows these guidelines:
- only bsp adaptations in meta-agl-bsp
- remove the agl-profile-* layers for simplicity
-- the packagegroup-agl(-profile)-graphical and so on
have been kept in meta-agl-demo
- meta-agl-profile-core is now meta-agl-core
- meta-agl-core does pass yocto-check-layer
-- therefore use the bbappend + conditional + .inc file
construct found in meta-virtualization
- meta-agl/meta-security has been merged into meta-agl/meta-app-framework
- meta-netboot does pass yocto-check-layer
- meta-pipewire does pass yocto-check-layer
Migration:
All packagegroups are preserved but they're now enabled by 'agl-demo'.
Bug-AGL: SPEC-3723
Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: Ia6c6e5e6ce2b4ffa69ea94959cdc57c310ba7c53
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/25769
Diffstat (limited to 'meta-app-framework/recipes-security')
32 files changed, 1830 insertions, 4 deletions
diff --git a/meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch b/meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch new file mode 100644 index 000000000..6e1827c08 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch @@ -0,0 +1,42 @@ +From df878b92e01f4d1c3de7f7d8229cea6a431509eb Mon Sep 17 00:00:00 2001 +From: Mingli Yu <mingli.yu@windriver.com> +Date: Wed, 19 Feb 2020 15:23:40 +0800 +Subject: [PATCH] lib/i386_table.h: add new syscall + +On 32bit system, +After upgrade glibc to 2.31 + # strace -o /tmp/test.log date -s 09:16:45 + # tail -f /tmp/test.log + close(3) = 0 + stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=114, ...}) = 0 + clock_settime64(CLOCK_REALTIME, {tv_sec=1582103805, tv_nsec=0}) = 0 + fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x4, 0x40), ...}) = 0 + ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0 + write(1, "Wed Feb 19 09:16:45 UTC 2020\n", 29) = 29 + close(1) = 0 + close(2) = 0 + exit_group(0) = ? + +++ exited with 0 +++ + +It means the clock_settime64 syscall is used, so +add the syscall. + +Upstream-Status: Submitted [https://github.com/linux-audit/audit-userspace/pull/116] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/i386_table.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/i386_table.h b/lib/i386_table.h +index 1a64c88..65fd4d9 100644 +--- a/lib/i386_table.h ++++ b/lib/i386_table.h +@@ -405,3 +405,4 @@ _S(383, "statx") + _S(384, "arch_prctl") + _S(385, "io_pgetevents") + _S(386, "rseq") ++_S(404, "clock_settime64") +-- +2.7.4 + diff --git a/meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch new file mode 100644 index 000000000..bb6c61e80 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch @@ -0,0 +1,133 @@ +From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001 +From: Steve Grubb <sgrubb@redhat.com> +Date: Tue, 26 Feb 2019 18:33:33 -0500 +Subject: [PATCH] Add substitue functions for strndupa & rawmemchr + +Upstream-Status: Backport +[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e] +--- + auparse/auparse.c | 12 +++++++++++- + auparse/interpret.c | 9 ++++++++- + configure.ac | 14 +++++++++++++- + src/ausearch-lol.c | 12 +++++++++++- + 4 files changed, 43 insertions(+), 4 deletions(-) + +diff --git a/auparse/auparse.c b/auparse/auparse.c +index 650db02..2e1c737 100644 +--- a/auparse/auparse.c ++++ b/auparse/auparse.c +@@ -1,5 +1,5 @@ + /* auparse.c -- +- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina. ++ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or +@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e) + return 0; + } + ++#ifndef HAVE_STRNDUPA ++static inline char *strndupa(const char *old, size_t n) ++{ ++ size_t len = strnlen(old, n); ++ char *tmp = alloca(len + 1); ++ tmp[len] = 0; ++ return memcpy(tmp, old, len); ++} ++#endif ++ + /* Returns 0 on success and 1 on error */ + static int extract_timestamp(const char *b, au_event_t *e) + { +diff --git a/auparse/interpret.c b/auparse/interpret.c +index 51c4a5e..67b7b77 100644 +--- a/auparse/interpret.c ++++ b/auparse/interpret.c +@@ -853,6 +853,13 @@ err_out: + return print_escaped(id->val); + } + ++// rawmemchr is faster. Let's use it if we have it. ++#ifdef HAVE_RAWMEMCHR ++#define STRCHR rawmemchr ++#else ++#define STRCHR strchr ++#endif ++ + static const char *print_proctitle(const char *val) + { + char *out = (char *)print_escaped(val); +@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val) + // Proctitle has arguments separated by NUL bytes + // We need to write over the NUL bytes with a space + // so that we can see the arguments +- while ((ptr = rawmemchr(ptr, '\0'))) { ++ while ((ptr = STRCHR(ptr, '\0'))) { + if (ptr >= end) + break; + *ptr = ' '; +diff --git a/configure.ac b/configure.ac +index 54bdbf1..aef07fb 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1,7 +1,7 @@ + dnl + define([AC_INIT_NOTICE], + [### Generated automatically using autoconf version] AC_ACVERSION [ +-### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com> ++### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com> + ### + ### Permission is hereby granted, free of charge, to any person obtaining a + ### copy of this software and associated documentation files (the "Software"), +@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote + AC_CHECK_FUNCS([posix_fallocate]) + dnl; signalfd is needed for libev + AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ]) ++dnl; check if rawmemchr is available ++AC_CHECK_FUNCS([rawmemchr]) ++dnl; check if strndupa is available ++AC_LINK_IFELSE( ++ [AC_LANG_SOURCE( ++ [[ ++ #define _GNU_SOURCE ++ #include <string.h> ++ int main() { (void) strndupa("test", 10); return 0; }]])], ++ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])], ++ [] ++) + + ALLWARNS="" + ALLDEBUG="-g" +diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c +index 5d17a72..758c33e 100644 +--- a/src/ausearch-lol.c ++++ b/src/ausearch-lol.c +@@ -1,6 +1,6 @@ + /* + * ausearch-lol.c - linked list of linked lists library +-* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina. ++* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the +@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2) + return 0; + } + ++#ifndef HAVE_STRNDUPA ++static inline char *strndupa(const char *old, size_t n) ++{ ++ size_t len = strnlen(old, n); ++ char *tmp = alloca(len + 1); ++ tmp[len] = 0; ++ return memcpy(tmp, old, len); ++} ++#endif ++ + /* + * This function will look at the line and pick out pieces of it. + */ +-- +2.7.4 + diff --git a/meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch new file mode 100644 index 000000000..7c2699540 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch @@ -0,0 +1,57 @@ +From a07271f1cce82122610b622bcea4a8a37528f321 Mon Sep 17 00:00:00 2001 +From: Li xin <lixin.fnst@cn.fujitsu.com> +Date: Sun, 19 Jul 2015 02:42:58 +0900 +Subject: [PATCH] audit: Fixed swig host contamination issue + +The audit build uses swig to generate a python wrapper. +Unfortunately, the swig info file references host include +directories. Some of these were previously noticed and +eliminated, but the one fixed here was not. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com> +Signed-off-by: Joe Slater <jslater@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + bindings/swig/python3/Makefile.am | 3 ++- + bindings/swig/src/auditswig.i | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am +index 9938418..fa46aac 100644 +--- a/bindings/swig/python3/Makefile.am ++++ b/bindings/swig/python3/Makefile.am +@@ -22,6 +22,7 @@ + CONFIG_CLEAN_FILES = *.loT *.rej *.orig + AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS) + AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES) ++STDINC ?= /usr/include + LIBS = $(top_builddir)/lib/libaudit.la + SWIG_FLAGS = -python -py3 -modern + SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES) +@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi + _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la + nodist__audit_la_SOURCES = audit_wrap.c + audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i +- swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} ${srcdir}/../src/auditswig.i ++ swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) ${srcdir}/../src/auditswig.i + + CLEANFILES = audit.py* audit_wrap.c *~ + +diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i +index 7ebb373..424fb68 100644 +--- a/bindings/swig/src/auditswig.i ++++ b/bindings/swig/src/auditswig.i +@@ -39,7 +39,7 @@ signed + #define __attribute(X) /*nothing*/ + typedef unsigned __u32; + typedef unsigned uid_t; +-%include "/usr/include/linux/audit.h" ++%include "linux/audit.h" + #define __extension__ /*nothing*/ + #include <stdint.h> + %include "../lib/libaudit.h" +-- +2.7.4 + diff --git a/meta-app-framework/recipes-security/audit/audit/audit-volatile.conf b/meta-app-framework/recipes-security/audit/audit/audit-volatile.conf new file mode 100644 index 000000000..9cbe1547a --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/audit-volatile.conf @@ -0,0 +1 @@ +d /var/log/audit 0750 root root - diff --git a/meta-app-framework/recipes-security/audit/audit/auditd b/meta-app-framework/recipes-security/audit/audit/auditd new file mode 100755 index 000000000..cda2e43d4 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/auditd @@ -0,0 +1,153 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: auditd +# Required-Start: $local_fs +# Required-Stop: $local_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Audit Daemon +# Description: Collects audit information from Linux 2.6 Kernels. +### END INIT INFO + +# Author: Philipp Matthias Hahn <pmhahn@debian.org> +# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init + +# June, 2012: Adopted for yocto <amy.fong@windriver.com> + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/bin:/usr/sbin:/usr/bin +DESC="audit daemon" +NAME=auditd +DAEMON=/sbin/auditd +PIDFILE=/var/run/"$NAME".pid +SCRIPTNAME=/etc/init.d/"$NAME" + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME" + +. /etc/default/rcS + +. /etc/init.d/functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \ + || return 1 + start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \ + $EXTRAOPTIONS \ + || return 2 + if [ -f /etc/audit/audit.rules ] + then + /sbin/auditctl -R /etc/audit/audit.rules >/dev/null + fi +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME" + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f "$PIDFILE" + rm -f /var/run/audit_events + # Remove watches so shutdown works cleanly + case "$AUDITD_CLEAN_STOP" in + no|NO) ;; + *) /sbin/auditctl -D >/dev/null ;; + esac + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +if [ ! -e /var/log/audit ]; then + mkdir -p /var/log/audit + [ -x /sbin/restorecon ] && /sbin/restorecon -F /var/log/audit +fi + +case "$1" in + start) + [ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && echo 0 ;; + 2) [ "$VERBOSE" != no ] && echo 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && echo 0 ;; + 2) [ "$VERBOSE" != no ] && echo 1 ;; + esac + ;; + reload|force-reload) + echo "Reloading $DESC" "$NAME" + do_reload + echo $? + ;; + restart) + echo "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) echo 0 ;; + 1) echo 1 ;; # Old process is still running + *) echo 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + echo 1 + ;; + esac + ;; + rotate) + echo "Rotating $DESC logs" "$NAME" + start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME" + echo $? + ;; + status) + pidofproc "$DAEMON" >/dev/null + status=$? + if [ $status -eq 0 ]; then + echo "$NAME is running." + else + echo "$NAME is not running." + fi + exit $status + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2 + exit 3 + ;; +esac + +: diff --git a/meta-app-framework/recipes-security/audit/audit/auditd.service b/meta-app-framework/recipes-security/audit/audit/auditd.service new file mode 100644 index 000000000..ebc079897 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/auditd.service @@ -0,0 +1,20 @@ +[Unit] +Description=Security Auditing Service +DefaultDependencies=no +After=local-fs.target +Conflicts=shutdown.target +Before=sysinit.target shutdown.target +After=systemd-tmpfiles-setup.service + +[Service] +ExecStart=/sbin/auditd -n +## To use augenrules, copy this file to /etc/systemd/system/auditd.service +## and uncomment the next line and delete/comment out the auditctl line. +## Then copy existing rules to /etc/audit/rules.d/ +## Not doing this last step can cause loss of existing rules +#ExecStartPost=-/sbin/augenrules --load +ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/meta-app-framework/recipes-security/audit/audit_2.8.5.bb b/meta-app-framework/recipes-security/audit/audit_2.8.5.bb new file mode 100644 index 000000000..af36ed5e2 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit_2.8.5.bb @@ -0,0 +1,106 @@ +SUMMARY = "User space tools for kernel auditing" +DESCRIPTION = "The audit package contains the user space utilities for \ +storing and searching the audit records generated by the audit subsystem \ +in the Linux kernel." +HOMEPAGE = "http://people.redhat.com/sgrubb/audit/" +SECTION = "base" +LICENSE = "GPLv2+ & LGPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" + +SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \ + file://Add-substitue-functions-for-strndupa-rawmemchr.patch \ + file://Fixed-swig-host-contamination-issue.patch \ + file://0001-lib-i386_table.h-add-new-syscall.patch \ + file://auditd \ + file://auditd.service \ + file://audit-volatile.conf \ +" + +S = "${WORKDIR}/git" +SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c" + +inherit autotools python3native update-rc.d systemd + +UPDATERCPN = "auditd" +INITSCRIPT_NAME = "auditd" +INITSCRIPT_PARAMS = "defaults" + +SYSTEMD_PACKAGES = "auditd" +SYSTEMD_SERVICE_auditd = "auditd.service" + +DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native" + +EXTRA_OECONF += "--without-prelude \ + --with-libwrap \ + --enable-gssapi-krb5=no \ + --with-libcap-ng=yes \ + --with-python3=yes \ + --libdir=${base_libdir} \ + --sbindir=${base_sbindir} \ + --without-python \ + --without-golang \ + --disable-zos-remote \ + " +EXTRA_OECONF_append_arm = " --with-arm=yes" +EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes" + +EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ + PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ + pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ + STDINC='${STAGING_INCDIR}' \ + pkgconfigdir=${libdir}/pkgconfig \ + " + +SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher" +DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \ +interface to the audit system, audispd. These plugins can do things \ +like relay events to remote machines or analyze events for suspicious \ +behavior." + +PACKAGES =+ "audispd-plugins" +PACKAGES += "auditd ${PN}-python" + +FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*" +FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*" +FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \ + ${sysconfdir}/audisp/plugins.d/au-remote.conf \ + ${sbindir}/audisp-remote ${localstatedir}/spool/audit \ + " +FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" +FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" + +CONFFILES_auditd += "${sysconfdir}/audit/audit.rules" +RDEPENDS_auditd += "bash" + +do_install_append() { + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la + + # reuse auditd config + [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default + mv ${D}/etc/sysconfig/auditd ${D}/etc/default + rmdir ${D}/etc/sysconfig/ + + # replace init.d + install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd + rm -rf ${D}/etc/rc.d + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d/ + install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ + fi + + # install systemd unit files + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system + + # audit-2.5 doesn't install any rules by default, so we do that here + mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d + cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules + + chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d + chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules + + # Based on the audit.spec "Copy default rules into place on new installation" + cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules +} diff --git a/meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb b/meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb new file mode 100644 index 000000000..c77c99189 --- /dev/null +++ b/meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb @@ -0,0 +1,23 @@ +DESCRIPTION = "OAuth server using cynagora backend" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" + +SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagoauth.git;protocol=https;branch=${AGL_BRANCH}" +SRCREV = "26a5dbddf3a9bfde481a6fcd2aae16c7ecba665f" +PV = "0.1+git${SRCPV}" + +S = "${WORKDIR}/git" + +DEPENDS = "json-c libmicrohttpd openssl cynagora" + +inherit cmake + +EXTRA_OECMAKE += " \ + -DDEFAULTHOSTS=:7777 \ + -DDEFAULTURL=http://localhost:7777/tok \ + -DUNITDIR_SYSTEM=${systemd_system_unitdir} \ +" + +FILES_${PN} += "${systemd_system_unitdir}" + + diff --git a/meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb b/meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb new file mode 100644 index 000000000..f146051cd --- /dev/null +++ b/meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb @@ -0,0 +1,30 @@ +DESCRIPTION = "Cynara service with client libraries" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57" + +SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}" +SRCREV = "7d7907651c42c5c32deabc17b639e0e1765eae60" +PV = "2.1+git${SRCPV}" + +S = "${WORKDIR}/git" + +inherit cmake + +PROVIDES = "cynara" +RPROVIDES_${PN} = "cynara" +DEPENDS = "libcap" +RDEPENDS_${PN} = "cynagora" + +EXTRA_OECMAKE += " \ + -DWITH_SYSTEMD=OFF \ + -DWITH_CYNARA_COMPAT=ON \ + -DDIRECT_CYNARA_COMPAT=ON \ +" + +do_install_append() { + # remove cynagora stuff + rm $(find ${D} -name '*cynagora*') + # remove stupid test + rm -r ${D}${bindir} +} + diff --git a/meta-app-framework/recipes-security/cynagora/cynagora/run-ptest b/meta-app-framework/recipes-security/cynagora/cynagora/run-ptest new file mode 100755 index 000000000..f95f0725b --- /dev/null +++ b/meta-app-framework/recipes-security/cynagora/cynagora/run-ptest @@ -0,0 +1,4 @@ +#!/bin/sh + +# test access to cynagora server +cynagora-admin list > /dev/null diff --git a/meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb b/meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb new file mode 100644 index 000000000..73f2f0949 --- /dev/null +++ b/meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb @@ -0,0 +1,38 @@ +DESCRIPTION = "Cynagora service and client libraries" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57" + +SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}" +SRCREV = "7d7907651c42c5c32deabc17b639e0e1765eae60" +PV = "2.1+git${SRCPV}" + +S = "${WORKDIR}/git" + +DEPENDS = "systemd libcap" + +inherit cmake + +EXTRA_OECMAKE += " \ + -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \ + -DWITH_SYSTEMD=ON \ + -DWITH_CYNARA_COMPAT=OFF \ +" + +inherit useradd +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "-r cynagora" +USERADD_PARAM_${PN} = "\ +--system --home ${localstatedir}/lib/empty \ +--no-create-home --shell /bin/false \ +--gid cynagora cynagora \ +" + +FILES_${PN} += "${systemd_system_unitdir}" + +PACKAGES =+ "${PN}-tools" +FILES_${PN}-tools += "${bindir}/cynagora-admin ${bindir}/cynagora-agent" +RDEPENDS_${PN}_append_agl-devel = " ${PN}-tools" + +inherit ptest +SRC_URI_append = " file://run-ptest" +RDEPENDS_${PN}-ptest_append = " ${PN}-tools" diff --git a/meta-app-framework/recipes-security/security-manager/security-manager.inc b/meta-app-framework/recipes-security/security-manager/security-manager.inc new file mode 100644 index 000000000..e1d1f4011 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager.inc @@ -0,0 +1,83 @@ +DESCRIPTION = "Security manager and utilities" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3" + +inherit cmake + +B = "${S}" + +DEPENDS = " \ + attr \ + boost \ + cynara \ + icu \ + libcap \ + smack \ + sqlite3 \ + systemd \ +" + +PACKAGECONFIG ??= "" +PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE" + +TZ_SYS_DB ?= "/var/db/security-manager" + +EXTRA_OECMAKE = " \ + -DCMAKE_VERBOSE_MAKEFILE=ON \ + -DVERSION=${PV} \ + -DSYSTEMD_INSTALL_DIR=${systemd_unitdir}/system \ + -DBIN_INSTALL_DIR=${bindir} \ + -DDB_INSTALL_DIR=${TZ_SYS_DB} \ + -DLIB_INSTALL_DIR=${libdir} \ + -DSHARE_INSTALL_PREFIX=${datadir} \ + -DINCLUDE_INSTALL_DIR=${includedir} \ +" + +inherit systemd +SYSTEMD_SERVICE_${PN} = "security-manager.service" + +inherit features_check +REQUIRED_DISTRO_FEATURES += "smack" + +# The upstream source code contains the Tizen-specific policy configuration files. +# To replace them, create a security-manager.bbappend and set the following variable to a +# space-separated list of policy file names (not URIs!), for example: +# SECURITY_MANAGER_POLICY = "privilege-group.list usertype-system.profile" +# +# Leave it empty to use the upstream Tizen policy. +SECURITY_MANAGER_POLICY ?= "" +SRC_URI_append = " ${@' '.join(['file://' + x for x in d.getVar('SECURITY_MANAGER_POLICY', True).split()])}" +python do_patch_append () { + import os + import shutil + import glob + files = d.getVar('SECURITY_MANAGER_POLICY', True).split() + if files: + s = d.getVar('S', True) + workdir = d.getVar('WORKDIR', True) + for pattern in ['*.profile', '*.list']: + for old_file in glob.glob(s + '/policy/' + pattern): + os.unlink(old_file) + for file in files: + shutil.copy(file, s + '/policy') +} + +do_install_append () { + install -d ${D}/${systemd_unitdir}/system/multi-user.target.wants + ln -s ../security-manager.service ${D}/${systemd_unitdir}/system/multi-user.target.wants/security-manager.service + install -d ${D}/${systemd_unitdir}/system/sockets.target.wants + ln -s ../security-manager.socket ${D}/${systemd_unitdir}/system/sockets.target.wants/security-manager.socket +} + +RDEPENDS_${PN} += "sqlite3 cynara" +FILES_${PN} += " \ + ${systemd_unitdir} \ + ${TZ_SYS_DB} \ + ${bindir}/.security-manager-setup \ +" + +PACKAGES =+ "${PN}-policy" +FILES_${PN}-policy = " \ + ${datadir}/${PN} \ + ${bindir}/security-manager-policy-reload \ +" diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch new file mode 100644 index 000000000..4c91f7fa3 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch @@ -0,0 +1,50 @@ +From 935e4e4e746b5ffcda80c80097dc75c2581c1a89 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Wed, 19 Oct 2016 13:45:54 +0200 +Subject: [PATCH] Adapt rules to AGL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AGL distribution uses the repository https://github.com/01org/meta-intel-iot-security.git +as basis for the integration of security framework. The security framework +that it provides is an evolution of the security framework of tizen refited +to the distribution Ostro of Intel. This refit took the decision to simplify +the model by removing the running label "User". More can be viewed here: +https://github.com/01org/meta-intel-iot-security/pull/116 + +This commits adapt the template to the rules that are now needed +after this evolution. + +It also integrates one other evolutions: the shared label becomes User::App-Shared instead +of User::App::Shared to avoid collision with application of id "Shared". + +Change-Id: Ieb566b63f8c8e691b5f75e06499a3b576d042546 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + policy/app-rules-template.smack | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack +index 1311169..b4cd2e3 100644 +--- a/policy/app-rules-template.smack ++++ b/policy/app-rules-template.smack +@@ -1,12 +1,10 @@ +-System ~APP~ rwx ++System ~APP~ rwxa ++System ~PKG~ rwxat + ~APP~ System wx + ~APP~ System::Shared rx + ~APP~ System::Run rwxat + ~APP~ System::Log rwxa + ~APP~ _ l +-User ~APP~ rwxa +-User ~PKG~ rwxat +-~APP~ User wx + ~APP~ User::Home rxl +-~APP~ User::App::Shared rwxat ++~APP~ User::App-Shared rwxat + ~APP~ ~PKG~ rwxat +-- +2.7.4 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch new file mode 100644 index 000000000..91ce81963 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch @@ -0,0 +1,47 @@ +From 3d9d1d83fe298a364f51ad752c17aad461beded3 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Tue, 24 Mar 2015 04:54:03 -0700 +Subject: [PATCH 01/14] systemd: stop using compat libs + +libsystemd-journal and libsystemd-daemon are considered obsolete +in systemd since 2.09 and may not be available (not compiled +by default). + +The code works fine with the current libsystemd, so just +use that. + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 +--- + src/common/CMakeLists.txt | 2 +- + src/server/CMakeLists.txt | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt +index 2da9c3e..968c7c1 100644 +--- a/src/common/CMakeLists.txt ++++ b/src/common/CMakeLists.txt +@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2) + + PKG_CHECK_MODULES(COMMON_DEP + REQUIRED +- libsystemd-journal ++ libsystemd + libsmack + db-util + cynara-admin +diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt +index 753eb96..6849d76 100644 +--- a/src/server/CMakeLists.txt ++++ b/src/server/CMakeLists.txt +@@ -1,6 +1,6 @@ + PKG_CHECK_MODULES(SERVER_DEP + REQUIRED +- libsystemd-daemon ++ libsystemd + ) + + FIND_PACKAGE(Boost REQUIRED) +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch new file mode 100644 index 000000000..b6346480b --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch @@ -0,0 +1,36 @@ +From a90515613f09140049b2bdf471fa83d5dd7bad1c Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 19 Aug 2015 15:02:32 +0200 +Subject: [PATCH 02/14] security-manager-policy-reload: do not depend on GNU + sed + +\U (= make replacement uppercase) is a GNU sed extension which is not +supported by other sed implementation's (like the one from +busybox). When using busybox, the bucket for user profiles became +USER_TYPE_Uadmin instead USER_TYPE_ADMIN. + +To make SecurityManager more portable, better use tr to turn the +bucket name into uppercase. + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 +--- + policy/security-manager-policy-reload | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload +index 274c49c..6f211c6 100755 +--- a/policy/security-manager-policy-reload ++++ b/policy/security-manager-policy-reload +@@ -33,7 +33,7 @@ END + find "$POLICY_PATH" -name "usertype-*.profile" | + while read file + do +- bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`" ++ bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`" + + # Re-create the bucket with empty contents + cyad --delete-bucket=$bucket || true +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch new file mode 100644 index 000000000..d79345e01 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch @@ -0,0 +1,117 @@ +From a80e33bc0a10fa4bed5d0b7bf29f45dd2565d309 Mon Sep 17 00:00:00 2001 +From: Alejandro Joya <alejandro.joya.cruz@intel.com> +Date: Wed, 4 Nov 2015 19:01:35 -0600 +Subject: [PATCH 03/14] Smack-rules: create two new functions + +It let to smack-rules to create multiple set of rules +related with the privileges. + +It runs from the same bases than for a static set of rules on the +template, but let you add 1 or many templates for different cases. + +Change-Id: I14f8d4e914ad5a7ba34c96f3cb5589f0b15292de +Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com> +--- + src/common/include/smack-rules.h | 15 +++++++++++ + src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++ + 2 files changed, 59 insertions(+) + +diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h +index 91446a7..3ad9dd4 100644 +--- a/src/common/include/smack-rules.h ++++ b/src/common/include/smack-rules.h +@@ -47,6 +47,8 @@ public: + void addFromTemplate(const std::vector<std::string> &templateRules, + const std::string &appId, const std::string &pkgId); + void addFromTemplateFile(const std::string &appId, const std::string &pkgId); ++ void addFromTemplateFile(const std::string &appId, const std::string &pkgId, ++ const std::string &path); + + void apply() const; + void clear() const; +@@ -74,6 +76,19 @@ public: + */ + static void installApplicationRules(const std::string &appId, const std::string &pkgId, + const std::vector<std::string> &pkgContents); ++ /** ++ * Install privileges-specific smack rules. ++ * ++ * Function creates smack rules using predefined template. Rules are applied ++ * to the kernel and saved on persistent storage so they are loaded on system boot. ++ * ++ * @param[in] appId - application id that is beeing installed ++ * @param[in] pkgId - package id that the application is in ++ * @param[in] pkgContents - a list of all applications in the package ++ * @param[in] privileges - a list of all prvileges ++ */ ++ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, ++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges); + /** + * Uninstall package-specific smack rules. + * +diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp +index 3629e0f..922a56f 100644 +--- a/src/common/smack-rules.cpp ++++ b/src/common/smack-rules.cpp +@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const + } + } + ++void SmackRules::addFromTemplateFile(const std::string &appId, ++ const std::string &pkgId, const std::string &path) ++{ ++ std::vector<std::string> templateRules; ++ std::string line; ++ std::ifstream templateRulesFile(path); ++ ++ if (!templateRulesFile.is_open()) { ++ LogError("Cannot open rules template file: " << path); ++ ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path); ++ } ++ ++ while (std::getline(templateRulesFile, line)) { ++ templateRules.push_back(line); ++ } ++ ++ if (templateRulesFile.bad()) { ++ LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); ++ ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); ++ } ++ ++ addFromTemplate(templateRules, appId, pkgId); ++} + + void SmackRules::addFromTemplateFile(const std::string &appId, + const std::string &pkgId) +@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) + std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); + return path; + } ++void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, ++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) ++{ ++ SmackRules smackRules; ++ std::string appPath = getApplicationRulesFilePath(appId); ++ smackRules.loadFromFile(appPath); ++ struct stat buffer; ++ for (auto privilege : privileges) { ++ if (privilege.empty()) ++ continue; ++ std::string fprivilege ( privilege + "-template.smack"); ++ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); ++ if( stat(path.c_str(), &buffer) == 0) ++ smackRules.addFromTemplateFile(appId, pkgId, path); ++ } ++ ++ if (smack_smackfs_path() != NULL) ++ smackRules.apply(); + ++ smackRules.saveToFile(appPath); ++ updatePackageRules(pkgId, pkgContents); ++} + void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId, + const std::vector<std::string> &pkgContents) + { +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch new file mode 100644 index 000000000..59d4971ff --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch @@ -0,0 +1,34 @@ +From a5979d9d674e400ecd7fcdf5d7589cfa0cfeb492 Mon Sep 17 00:00:00 2001 +From: Alejandro Joya <alejandro.joya.cruz@intel.com> +Date: Wed, 4 Nov 2015 19:06:23 -0600 +Subject: [PATCH 04/14] app-install: implement multiple set of smack-rules + +If it's need it could create load multiple set of smack rules +related with the privileges. +It wouldn't affect the case that only the default set of rules is need it. + +Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com> +--- + src/common/service_impl.cpp | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp +index 7fd621c..ae305d3 100644 +--- a/src/common/service_impl.cpp ++++ b/src/common/service_impl.cpp +@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid) + LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " + << req.pkgId << ". Applications in package: " << pkgContents.size()); + SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents); ++ /*Setup for privileges custom rules*/ ++ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " ++ << req.pkgId << ". Applications in package: " << pkgContents.size() ++ << " and Privileges"); ++ SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId, ++ pkgContents,req.privileges); + } catch (const SmackException::Base &e) { + LogError("Error while applying Smack policy for application: " << e.DumpToString()); + return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED; +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch new file mode 100644 index 000000000..0739f28c7 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch @@ -0,0 +1,32 @@ +From 198ba9b9782fda19803e94d2afeff91189ac27af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net> +Date: Wed, 13 Jan 2016 17:30:06 +0100 +Subject: [PATCH 05/14] c++11: replace deprecated auto_ptr +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/] + +Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8 +Signed-off-by: José Bollo <jobol@nonadev.net> +--- + src/dpl/core/include/dpl/binary_queue.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h +index dd03f5e..185b6c7 100644 +--- a/src/dpl/core/include/dpl/binary_queue.h ++++ b/src/dpl/core/include/dpl/binary_queue.h +@@ -33,7 +33,7 @@ namespace SecurityManager { + * Binary queue auto pointer + */ + class BinaryQueue; +-typedef std::auto_ptr<BinaryQueue> BinaryQueueAutoPtr; ++typedef std::unique_ptr<BinaryQueue> BinaryQueueAutoPtr; + + /** + * Binary stream implemented as constant size bucket list +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch new file mode 100644 index 000000000..3b8aad98c --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch @@ -0,0 +1,47 @@ +From ec098bf03cea23350ca7d1ea2ad88b9c88228943 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Fri, 8 Jan 2016 16:53:46 +0100 +Subject: [PATCH 06/14] socket-manager: removes tizen specific call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The function 'smack_fgetlabel' is specific to Tizen +and is no more maintained upstream. + +Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/] + +Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f +Signed-off-by: José Bollo <jobol@nonadev.net> +--- + src/server/main/socket-manager.cpp | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp +index 94c54c6..5e1a79b 100644 +--- a/src/server/main/socket-manager.cpp ++++ b/src/server/main/socket-manager.cpp +@@ -30,6 +30,7 @@ + #include <sys/types.h> + #include <sys/socket.h> + #include <sys/smack.h> ++#include <linux/xattr.h> + #include <sys/un.h> + #include <sys/stat.h> + #include <unistd.h> +@@ -493,9 +494,9 @@ int SocketManager::CreateDomainSocketHelp( + if (smack_check()) { + LogInfo("Set up smack label: " << desc.smackLabel); + +- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) { +- LogError("Error in smack_fsetlabel"); +- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel"); ++ if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) { ++ LogError("Error in smack_set_label_for_file"); ++ ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file"); + } + } else { + LogInfo("No smack on platform. Socket won't be securied with smack label!"); +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch new file mode 100644 index 000000000..bad99d25a --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch @@ -0,0 +1,78 @@ +From 9d0791dab4b4df086374c5c0ba2a6558e10e81c1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Mon, 16 Nov 2015 15:56:27 +0100 +Subject: [PATCH 07/14] removes dependency to libslp-db-utils + +Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec +--- + src/common/CMakeLists.txt | 3 ++- + src/dpl/db/src/sql_connection.cpp | 17 +---------------- + 2 files changed, 3 insertions(+), 17 deletions(-) + +diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt +index 968c7c1..9ae376f 100644 +--- a/src/common/CMakeLists.txt ++++ b/src/common/CMakeLists.txt +@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP + REQUIRED + libsystemd + libsmack +- db-util ++ sqlite3 ++ icu-i18n + cynara-admin + cynara-client + ) +diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp +index fdb4fe4..f49a6dc 100644 +--- a/src/dpl/db/src/sql_connection.cpp ++++ b/src/dpl/db/src/sql_connection.cpp +@@ -26,7 +26,6 @@ + #include <memory> + #include <dpl/noncopyable.h> + #include <dpl/assert.h> +-#include <db-util.h> + #include <unistd.h> + #include <cstdio> + #include <cstdarg> +@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address, + + // Connect to database + int result; +- if (type & Flag::UseLucene) { +- result = db_util_open_with_options( +- address.c_str(), +- &m_connection, +- flag, +- NULL); +- +- m_usingLucene = true; +- LogPedantic("Lucene index enabled"); +- } else { ++ (void)type; + result = sqlite3_open_v2( + address.c_str(), + &m_connection, +@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address, + + m_usingLucene = false; + LogPedantic("Lucene index disabled"); +- } + + if (result == SQLITE_OK) { + LogPedantic("Connected to DB"); +@@ -653,11 +642,7 @@ void SqlConnection::Disconnect() + + int result; + +- if (m_usingLucene) { +- result = db_util_close(m_connection); +- } else { + result = sqlite3_close(m_connection); +- } + + if (result != SQLITE_OK) { + const char *error = sqlite3_errmsg(m_connection); +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch new file mode 100644 index 000000000..5ece7ef4f --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch @@ -0,0 +1,38 @@ +From a1d9b40b4fa2e73d31a53e398c286bffeaae1732 Mon Sep 17 00:00:00 2001 +From: Ronan <ronan.lemartret@iot.bzh> +Date: Wed, 12 Oct 2016 17:48:55 +0200 +Subject: [PATCH 08/14] Fix gcc6 build + +Signed-off-by: ronan <ronan@ot.bzh> +--- + src/client/client-security-manager.cpp | 1 + + src/common/include/privilege_db.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp +index 74a6b30..347cddd 100644 +--- a/src/client/client-security-manager.cpp ++++ b/src/client/client-security-manager.cpp +@@ -46,6 +46,7 @@ + #include <service_impl.h> + #include <security-manager.h> + #include <client-offline.h> ++#include <linux/xattr.h> + + static const char *EMPTY = ""; + +diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h +index 4d73d90..08fb9d6 100644 +--- a/src/common/include/privilege_db.h ++++ b/src/common/include/privilege_db.h +@@ -32,6 +32,7 @@ + #include <map> + #include <stdbool.h> + #include <string> ++#include <vector> + + #include <dpl/db/sql_connection.h> + #include <tzplatform_config.h> +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch new file mode 100644 index 000000000..706eb1a93 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch @@ -0,0 +1,40 @@ +From 382379d74221bcc60a0ab70d63430a1c0587b2ec Mon Sep 17 00:00:00 2001 +From: Ronan <ronan.lemartret@iot.bzh> +Date: Thu, 13 Oct 2016 11:37:47 +0200 +Subject: [PATCH 09/14] Fix Cmake conf for gcc6 build + +Signed-off-by: Ronan <ronan.lemartret@iot.bzh> +--- + src/cmd/CMakeLists.txt | 4 +--- + src/server/CMakeLists.txt | 1 - + 2 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt +index ee9a160..aa7a12c 100644 +--- a/src/cmd/CMakeLists.txt ++++ b/src/cmd/CMakeLists.txt +@@ -1,8 +1,6 @@ + FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options) + +-INCLUDE_DIRECTORIES(SYSTEM +- ${Boost_INCLUDE_DIRS} +- ) ++ + + INCLUDE_DIRECTORIES( + ${INCLUDE_PATH} +diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt +index 6849d76..9598037 100644 +--- a/src/server/CMakeLists.txt ++++ b/src/server/CMakeLists.txt +@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED) + + INCLUDE_DIRECTORIES(SYSTEM + ${SERVER_DEP_INCLUDE_DIRS} +- ${Boost_INCLUDE_DIRS} + ${Threads_INCLUDE_DIRS} + ) + +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch new file mode 100644 index 000000000..0f48c5f68 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch @@ -0,0 +1,51 @@ +From 8e93699c0f225716f3cd5eff790270ae9e3880f9 Mon Sep 17 00:00:00 2001 +From: Changhyeok Bae <changhyeok.bae@gmail.com> +Date: Sun, 17 Dec 2017 15:40:58 +0000 +Subject: [PATCH 10/14] gcc-7 requires include <functional> for std::function + +Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> +--- + src/client/client-common.cpp | 1 + + src/common/smack-labels.cpp | 1 + + src/dpl/core/src/binary_queue.cpp | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp +index 883ab8d..1babdf7 100644 +--- a/src/client/client-common.cpp ++++ b/src/client/client-common.cpp +@@ -31,6 +31,7 @@ + #include <sys/xattr.h> + #include <linux/xattr.h> + #include <unistd.h> ++#include <functional> + + #include <dpl/log/log.h> + #include <dpl/serialization.h> +diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp +index 0294a42..1598099 100644 +--- a/src/common/smack-labels.cpp ++++ b/src/common/smack-labels.cpp +@@ -29,6 +29,7 @@ + #include <sys/xattr.h> + #include <linux/xattr.h> + #include <memory> ++#include <functional> + #include <fts.h> + #include <cstring> + #include <string> +diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp +index 72817a6..838409f 100644 +--- a/src/dpl/core/src/binary_queue.cpp ++++ b/src/dpl/core/src/binary_queue.cpp +@@ -26,6 +26,7 @@ + #include <malloc.h> + #include <cstring> + #include <new> ++#include <functional> + + namespace SecurityManager { + BinaryQueue::BinaryQueue() : +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch new file mode 100644 index 000000000..5c679fc26 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch @@ -0,0 +1,32 @@ +From 243b7ffee16558d7cb9b411f49380138efeffca9 Mon Sep 17 00:00:00 2001 +From: Stephane Desneux <stephane.desneux@iot.bzh> +Date: Fri, 1 Feb 2019 12:26:17 +0000 +Subject: [PATCH 11/14] Fix gcc8 warning/error [-Werror=catch-value=] + +Fixes the following warning/error during compile: + +src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=] +| } catch (Exception) { +| ^~~~~~~~~ + +Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh> +--- + src/dpl/core/src/assert.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp +index 63538a2..fc60ce9 100644 +--- a/src/dpl/core/src/assert.cpp ++++ b/src/dpl/core/src/assert.cpp +@@ -58,7 +58,7 @@ void AssertProc(const char *condition, + INTERNAL_LOG("### Function: " << function); + INTERNAL_LOG( + "################################################################################"); +- } catch (Exception) { ++ } catch (Exception const&) { + // Just ignore possible double errors + } + +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch new file mode 100644 index 000000000..91ccf9ee2 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch @@ -0,0 +1,122 @@ +From 5ee51d38575f289c2bf37ed817ef680ed47bb320 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Fri, 1 Feb 2019 15:37:44 +0100 +Subject: [PATCH 12/14] Avoid casting from "const T&" to "void*" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Latest version of g++ refuse the cast + + reinterpret_cast<void (Service::*)(void*)>(serviceFunction) + +I made no investigation to know if the problem +is coming from the const or not. + +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/server/main/include/service-thread.h | 42 ++++++++++-------------- + 1 file changed, 18 insertions(+), 24 deletions(-) + +diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h +index 964d168..61fdda8 100644 +--- a/src/server/main/include/service-thread.h ++++ b/src/server/main/include/service-thread.h +@@ -94,7 +94,7 @@ public: + Join(); + while (!m_eventQueue.empty()){ + auto front = m_eventQueue.front(); +- delete front.eventPtr; ++ delete front; + m_eventQueue.pop(); + } + } +@@ -104,34 +104,28 @@ public: + Service *servicePtr, + void (Service::*serviceFunction)(const T &)) + { +- EventDescription description; +- description.serviceFunctionPtr = +- reinterpret_cast<void (Service::*)(void*)>(serviceFunction); +- description.servicePtr = servicePtr; +- description.eventFunctionPtr = &ServiceThread::EventCall<T>; +- description.eventPtr = new T(event); ++ EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction); + { + std::lock_guard<std::mutex> lock(m_eventQueueMutex); +- m_eventQueue.push(description); ++ m_eventQueue.push(ec); + } + m_waitCondition.notify_one(); + } + + protected: + +- struct EventDescription { +- void (Service::*serviceFunctionPtr)(void *); +- Service *servicePtr; +- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event); +- GenericEvent* eventPtr; ++ struct EventCallerBase { ++ virtual void fire() = 0; ++ virtual ~EventCallerBase() {} + }; + + template <class T> +- void EventCall(const EventDescription &desc) { +- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr); +- const T& eventLocale = *(static_cast<T*>(desc.eventPtr)); +- (desc.servicePtr->*fun)(eventLocale); +- } ++ struct EventCaller : public EventCallerBase { ++ T *event; Service *target; void (Service::*function)(const T&); ++ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {} ++ ~EventCaller() { delete event; } ++ void fire() { (target->*function)(*event); } ++ }; + + static void ThreadLoopStatic(ServiceThread *ptr) { + ptr->ThreadLoop(); +@@ -139,33 +133,33 @@ protected: + + void ThreadLoop(){ + for (;;) { +- EventDescription description = {NULL, NULL, NULL, NULL}; ++ EventCallerBase *ec = NULL; + { + std::unique_lock<std::mutex> ulock(m_eventQueueMutex); + if (m_quit) + return; + if (!m_eventQueue.empty()) { +- description = m_eventQueue.front(); ++ ec = m_eventQueue.front(); + m_eventQueue.pop(); + } else { + m_waitCondition.wait(ulock); + } + } + +- if (description.eventPtr != NULL) { ++ if (ec != NULL) { + UNHANDLED_EXCEPTION_HANDLER_BEGIN + { +- (this->*description.eventFunctionPtr)(description); +- delete description.eventPtr; ++ ec->fire(); + } + UNHANDLED_EXCEPTION_HANDLER_END ++ delete ec; + } + } + } + + std::thread m_thread; + std::mutex m_eventQueueMutex; +- std::queue<EventDescription> m_eventQueue; ++ std::queue<EventCallerBase*> m_eventQueue; + std::condition_variable m_waitCondition; + + State m_state; +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch new file mode 100644 index 000000000..fb6215923 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch @@ -0,0 +1,259 @@ +From 6c96a39ba7a7763ccd47e379dbfd8d376164985f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Mon, 16 Nov 2015 14:26:25 +0100 +Subject: [PATCH 13/14] Removing tizen-platform-config + +Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 +--- + CMakeLists.txt | 16 +++++++- + db/CMakeLists.txt | 2 +- + policy/CMakeLists.txt | 1 + + ...load => security-manager-policy-reload.in} | 4 +- + src/common/file-lock.cpp | 4 +- + src/common/include/file-lock.h | 1 - + src/common/include/privilege_db.h | 3 +- + src/common/service_impl.cpp | 39 ++++++------------- + src/common/smack-rules.cpp | 12 ++---- + 9 files changed, 37 insertions(+), 45 deletions(-) + rename policy/{security-manager-policy-reload => security-manager-policy-reload.in} (94%) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 28790d8..37a43cc 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -49,7 +49,7 @@ ADD_DEFINITIONS("-Wall") # Generate all warnings + ADD_DEFINITIONS("-Wextra") # Generate even more extra warnings + + STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}") +-ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"") ++ADD_DEFINITIONS("-DAPI_VERSION=\"${API_VERSION}\"") + + ADD_DEFINITIONS("-DSMACK_ENABLED") + +@@ -58,6 +58,20 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG") + ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG") + ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG") + ++SET(DATADIR "/usr/share/security-manager" CACHE STRING "path to data directory") ++SET(SMACKRULESDIR "/etc/smack/accesses.d" CACHE STRING "path to Smack rules directory") ++SET(LOCKDIR "/var/run/lock" CACHE STRING "path to lock directory") ++SET(DB_INSTALL_DIR "/var/db/security-manager" CACHE STRING "path to database directory") ++SET(DB_FILENAME ".security-manager.db" CACHE STRING "basename of database") ++SET(GLOBALUSER "userapp" CACHE STRING "name of the global user") ++ ++ADD_DEFINITIONS("-DDATADIR=\"${DATADIR}\"") ++ADD_DEFINITIONS("-DSMACKRULESDIR=\"${SMACKRULESDIR}\"") ++ADD_DEFINITIONS("-DLOCKDIR=\"${LOCKDIR}\"") ++ADD_DEFINITIONS("-DDB_INSTALL_DIR=\"${DB_INSTALL_DIR}\"") ++ADD_DEFINITIONS("-DDB_FILENAME=\"${DB_FILENAME}\"") ++ADD_DEFINITIONS("-DGLOBALUSER=\"${GLOBALUSER}\"") ++ + ADD_SUBDIRECTORY(src) + ADD_SUBDIRECTORY(pc) + ADD_SUBDIRECTORY(systemd) +diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt +index 9e8ffcc..d7af1a0 100644 +--- a/db/CMakeLists.txt ++++ b/db/CMakeLists.txt +@@ -1,4 +1,4 @@ +-SET(TARGET_DB ".security-manager.db") ++SET(TARGET_DB "$(DB_FILENAME)") + + ADD_CUSTOM_COMMAND( + OUTPUT ${TARGET_DB} ${TARGET_DB}-journal +diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt +index bd08edc..626a2bd 100644 +--- a/policy/CMakeLists.txt ++++ b/policy/CMakeLists.txt +@@ -1,4 +1,5 @@ + FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile) ++CONFIGURE_FILE(security-manager-policy-reload.in security-manager-policy-reload @ONLY) + INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) + INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) + INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) +diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload.in +similarity index 94% +rename from policy/security-manager-policy-reload +rename to policy/security-manager-policy-reload.in +index 6f211c6..c1bc4e2 100755 +--- a/policy/security-manager-policy-reload ++++ b/policy/security-manager-policy-reload.in +@@ -1,8 +1,8 @@ + #!/bin/sh -e + +-POLICY_PATH=/usr/share/security-manager/policy ++POLICY_PATH=@DATADIR@/policy + PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list +-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db ++DB_FILE=@DB_INSTALL_DIR@/@DB_FILENAME@ + + # Create default buckets + while read bucket default_policy +diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp +index 6f3996c..88d2092 100644 +--- a/src/common/file-lock.cpp ++++ b/src/common/file-lock.cpp +@@ -30,9 +30,7 @@ + + namespace SecurityManager { + +-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, +- "lock", +- "security-manager.lock"); ++char const * const SERVICE_LOCK_FILE = LOCKDIR "/security-manager.lock"; + + FileLocker::FileLocker(const std::string &lockFile, bool blocking) + { +diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h +index 604b019..21a86a0 100644 +--- a/src/common/include/file-lock.h ++++ b/src/common/include/file-lock.h +@@ -29,7 +29,6 @@ + + #include <dpl/exception.h> + #include <dpl/noncopyable.h> +-#include <tzplatform_config.h> + + namespace SecurityManager { + +diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h +index 08fb9d6..3344987 100644 +--- a/src/common/include/privilege_db.h ++++ b/src/common/include/privilege_db.h +@@ -35,14 +35,13 @@ + #include <vector> + + #include <dpl/db/sql_connection.h> +-#include <tzplatform_config.h> + + #ifndef PRIVILEGE_DB_H_ + #define PRIVILEGE_DB_H_ + + namespace SecurityManager { + +-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); ++const char *const PRIVILEGE_DB_PATH = DB_INSTALL_DIR "/" DB_FILENAME; + + enum class QueryType { + EGetPkgPrivileges, +diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp +index ae305d3..42150fe 100644 +--- a/src/common/service_impl.cpp ++++ b/src/common/service_impl.cpp +@@ -32,7 +32,6 @@ + #include <algorithm> + + #include <dpl/log/log.h> +-#include <tzplatform_config.h> + + #include "protocols.h" + #include "privilege_db.h" +@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, + + static uid_t getGlobalUserId(void) + { +- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); ++ static uid_t globaluid = 0; ++ if (!globaluid) { ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwnam_r(GLOBALUSER, &pw, buf, sizeof buf, &p); ++ globaluid = (rc || p == NULL) ? 555 : p->pw_uid; ++ } + return globaluid; + } + +@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) + + static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) + { +- struct tzplatform_context *tz_ctx = nullptr; +- +- if (tzplatform_context_create(&tz_ctx)) +- return false; +- +- if (tzplatform_context_set_user(tz_ctx, uid)) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); ++ if (rc || p == NULL) + return false; +- } +- +- enum tzplatform_variable id = +- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP; +- const char *appDir = tzplatform_context_getenv(tz_ctx, id); +- if (!appDir) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- return false; +- } +- +- userAppDir = appDir; +- +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- ++ userAppDir = p->pw_dir; + return true; + } + + static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) + { +- std::string userHome; + std::string userAppDir; + std::stringstream correctPath; + +diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp +index 922a56f..c2e0041 100644 +--- a/src/common/smack-rules.cpp ++++ b/src/common/smack-rules.cpp +@@ -34,7 +34,6 @@ + #include <memory> + + #include <dpl/log/log.h> +-#include <tzplatform_config.h> + + #include "smack-labels.h" + #include "smack-rules.h" +@@ -43,7 +42,7 @@ namespace SecurityManager { + + const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; + const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; +-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); ++const char *const APP_RULES_TEMPLATE_FILE_PATH = DATADIR "/policy/app-rules-template.smack"; + const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; + + SmackRules::SmackRules() +@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon + + std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); +- return path; ++ return SMACKRULESDIR "/pkg_" + pkgId; + } + + std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); +- return path; ++ return SMACKRULESDIR "/app_" + appId; + } + void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, + const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) +@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con + for (auto privilege : privileges) { + if (privilege.empty()) + continue; +- std::string fprivilege ( privilege + "-template.smack"); +- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); ++ std::string path = DATADIR "/policy/" + privilege + "-template.smack"; + if( stat(path.c_str(), &buffer) == 0) + smackRules.addFromTemplateFile(appId, pkgId, path); + } +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch new file mode 100644 index 000000000..542a387d2 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch @@ -0,0 +1,78 @@ +From c7f9d14e38a1b6d40b2fffa01433a3025eff9abd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Tue, 26 Nov 2019 12:34:39 +0100 +Subject: [PATCH 14/14] Ensure post install initialization of database +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Creation of the database was made during image creation, +leading to issue with SOTA. This adds the creation on +need before launching the service. + +Change-Id: Idfd0676bd87d39f7c10eaafd63f3a318f675c972 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + db/CMakeLists.txt | 14 ++++++-------- + db/security-manager-setup | 14 ++++++++++++++ + systemd/security-manager.service.in | 1 + + 3 files changed, 21 insertions(+), 8 deletions(-) + create mode 100644 db/security-manager-setup + +diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt +index d7af1a0..dcf5bc8 100644 +--- a/db/CMakeLists.txt ++++ b/db/CMakeLists.txt +@@ -1,12 +1,10 @@ +-SET(TARGET_DB "$(DB_FILENAME)") +- + ADD_CUSTOM_COMMAND( +- OUTPUT ${TARGET_DB} ${TARGET_DB}-journal +- COMMAND sqlite3 ${TARGET_DB} <db.sql +- ) ++ OUTPUT .security-manager-setup ++ COMMAND sed '/--DB\.SQL--/r db.sql' security-manager-setup > .security-manager-setup ++ DEPENDS security-manager-setup db.sql ++) + + # Add a dummy build target to trigger building of ${TARGET_DB} +-ADD_CUSTOM_TARGET(DB ALL DEPENDS ${TARGET_DB}) ++ADD_CUSTOM_TARGET(DB ALL DEPENDS .security-manager-setup) + +-INSTALL(FILES ${TARGET_DB} DESTINATION ${DB_INSTALL_DIR}) +-INSTALL(FILES ${TARGET_DB}-journal DESTINATION ${DB_INSTALL_DIR}) ++INSTALL(PROGRAMS .security-manager-setup DESTINATION ${BIN_INSTALL_DIR}) +diff --git a/db/security-manager-setup b/db/security-manager-setup +new file mode 100644 +index 0000000..5675baf +--- /dev/null ++++ b/db/security-manager-setup +@@ -0,0 +1,14 @@ ++#!/bin/sh ++ ++if test -f "$1"; then exit; fi ++set -e ++dbdir="$(dirname "$1")" ++dbfile="$(basename "$1")" ++test -n "$dbfile" ++test -n "$dbdir" ++mkdir -p "$dbdir" ++cd "$dbdir" ++sqlite3 "$dbfile" << END-OF-CAT ++--DB.SQL-- ++END-OF-CAT ++ +diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in +index 23fd1b2..2bf97d7 100644 +--- a/systemd/security-manager.service.in ++++ b/systemd/security-manager.service.in +@@ -3,5 +3,6 @@ Description=Start the security manager + + [Service] + Type=notify ++ExecStartPre=@BIN_INSTALL_DIR@/.security-manager-setup @DB_INSTALL_DIR@/@DB_FILENAME@ + ExecStart=@BIN_INSTALL_DIR@/security-manager + Sockets=security-manager.socket +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch new file mode 100644 index 000000000..d9949193b --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch @@ -0,0 +1,34 @@ +From 7cffcd61378a9d7c0e7db5691b2da3a37448c969 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 30 Jan 2020 09:19:25 +0100 +Subject: [PATCH 15/15] Restrict socket accesses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ensure that only members of the group and the owner can access +the security manager. + +Bug-AGL: SPEC-3146 + +Change-Id: I68ce6523db4bfd4707c3680555c3cb0cf8858ef2 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + systemd/security-manager.socket | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket +index af1c1da..b401f77 100644 +--- a/systemd/security-manager.socket ++++ b/systemd/security-manager.socket +@@ -1,6 +1,6 @@ + [Socket] + ListenStream=/run/security-manager.socket +-SocketMode=0777 ++SocketMode=0660 + SmackLabelIPIn=* + SmackLabelIPOut=@ + +-- +2.21.1 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend new file mode 100644 index 000000000..ec8435369 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend @@ -0,0 +1,13 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:" + +EXTRA_OECMAKE =+ " -DGLOBALUSER=afm" + +SRC_URI += " \ + file://0001-Adapt-rules-to-AGL.patch \ +" + +do_install_append() { + # Needed for wayland-0 socket access and memfd usage + echo "~APP~ System::Weston rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack + echo "System::Weston ~APP~ rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack +} diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_git.bb b/meta-app-framework/recipes-security/security-manager/security-manager_git.bb new file mode 100644 index 000000000..b34973519 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager_git.bb @@ -0,0 +1,27 @@ +require security-manager.inc + +PV = "1.0.2+git${SRCPV}" +SRCREV = "860305a595d681d650024ad07b3b0977e1fcb0a6" +SRC_URI += "git://github.com/Samsung/security-manager.git" +S = "${WORKDIR}/git" + +SRC_URI += " \ + file://0001-systemd-stop-using-compat-libs.patch \ + file://0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch \ + file://0003-Smack-rules-create-two-new-functions.patch \ + file://0004-app-install-implement-multiple-set-of-smack-rules.patch \ + file://0005-c-11-replace-deprecated-auto_ptr.patch \ + file://0006-socket-manager-removes-tizen-specific-call.patch \ + file://0007-removes-dependency-to-libslp-db-utils.patch \ + file://0008-Fix-gcc6-build.patch \ + file://0009-Fix-Cmake-conf-for-gcc6-build.patch \ + file://0010-gcc-7-requires-include-functional-for-std-function.patch \ + file://0011-Fix-gcc8-warning-error-Werror-catch-value.patch \ + file://0012-Avoid-casting-from-const-T-to-void.patch \ + file://0013-Removing-tizen-platform-config.patch \ + file://0014-Ensure-post-install-initialization-of-database.patch \ + file://0015-Restrict-socket-accesses.patch \ +" + +# Use make with cmake and not ninja +OECMAKE_GENERATOR = "Unix Makefiles" diff --git a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend index 09820be2f..afbc16c30 100644 --- a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend +++ b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend @@ -1,4 +1 @@ -# Disable nss to avoid build issues on native -PACKAGECONFIG = "gnutls libgcrypt openssl des" - -BBCLASSEXTEND = "native nativesdk" +require ${@bb.utils.contains('APPFW_ENABLED', '1', 'xmlsec1_appfw.inc', '', d)} diff --git a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc new file mode 100644 index 000000000..09820be2f --- /dev/null +++ b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc @@ -0,0 +1,4 @@ +# Disable nss to avoid build issues on native +PACKAGECONFIG = "gnutls libgcrypt openssl des" + +BBCLASSEXTEND = "native nativesdk" |