diff options
author | José Bollo <jose.bollo@iot.bzh> | 2019-11-26 15:21:18 +0100 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2019-12-03 16:44:27 +0000 |
commit | a13d8ad3225f316fc7d7edaf2805b6cf2e3b5dd1 (patch) | |
tree | 81211b592eaa332473f3dee50ae756b91335bb87 /meta-app-framework | |
parent | 2fa5dae62868c63781568eeb5435ed3296c2ddc2 (diff) |
security-manager: Improve integration
This fixes some issues encountered by the current
integration of the security-manager:
- its recipes is spread in too much directories (see SPEC-2092)
- its initialization should be checked (see SPEC-2091)
- the location of the database has to be changed
(see SPEC-1717 that provided a workaround)
All in one, I decided to create that ticket that summarize
the work that can be quickly achieved to answer all this
issues that are tightly coupled.
Bug-AGL: SPEC-2972
Bug-AGL: SPEC-2092
Bug-AGL: SPEC-2091
Bug-AGL: SPEC-1717
Change-Id: I7af941c25cfa1624d76c2e8f512f6535918912f0
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-app-framework')
8 files changed, 3 insertions, 369 deletions
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch deleted file mode 100644 index 43a3ee103..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 19c99315a5dcba3b696c30d1fdd42a1dcd574a80 Mon Sep 17 00:00:00 2001 -From: Ronan <ronan.lemartret@iot.bzh> -Date: Thu, 13 Oct 2016 11:37:47 +0200 -Subject: [PATCH] Fix Cmake conf for gcc6 build - -Signed-off-by: Ronan <ronan.lemartret@iot.bzh> ---- - src/cmd/CMakeLists.txt | 4 +--- - src/server/CMakeLists.txt | 1 - - 2 files changed, 1 insertion(+), 4 deletions(-) - -diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt -index ee9a160..aa7a12c 100644 ---- a/src/cmd/CMakeLists.txt -+++ b/src/cmd/CMakeLists.txt -@@ -1,8 +1,6 @@ - FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options) - --INCLUDE_DIRECTORIES(SYSTEM -- ${Boost_INCLUDE_DIRS} -- ) -+ - - INCLUDE_DIRECTORIES( - ${INCLUDE_PATH} -diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt -index 753eb96..8eef25d 100644 ---- a/src/server/CMakeLists.txt -+++ b/src/server/CMakeLists.txt -@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED) - - INCLUDE_DIRECTORIES(SYSTEM - ${SERVER_DEP_INCLUDE_DIRS} -- ${Boost_INCLUDE_DIRS} - ${Threads_INCLUDE_DIRS} - ) - --- -2.6.6 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch deleted file mode 100644 index 1b3c8c427..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch +++ /dev/null @@ -1,38 +0,0 @@ -From cb9acc2b723b297ee373bf814282711f02657aa5 Mon Sep 17 00:00:00 2001 -From: Ronan <ronan.lemartret@iot.bzh> -Date: Wed, 12 Oct 2016 17:48:55 +0200 -Subject: [PATCH] Fix gcc6 build - -Signed-off-by: ronan <ronan@ot.bzh> ---- - src/client/client-security-manager.cpp | 1 + - src/common/include/privilege_db.h | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp -index 74a6b30..347cddd 100644 ---- a/src/client/client-security-manager.cpp -+++ b/src/client/client-security-manager.cpp -@@ -46,6 +46,7 @@ - #include <service_impl.h> - #include <security-manager.h> - #include <client-offline.h> -+#include <linux/xattr.h> - - static const char *EMPTY = ""; - -diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h -index 03c6680..8dd39a1 100644 ---- a/src/common/include/privilege_db.h -+++ b/src/common/include/privilege_db.h -@@ -32,6 +32,7 @@ - #include <map> - #include <stdbool.h> - #include <string> -+#include <vector> - - #include <dpl/db/sql_connection.h> - --- -2.6.6 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch deleted file mode 100644 index 7b6845abc..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch +++ /dev/null @@ -1,51 +0,0 @@ -From ed1c105db9d7b1ceb52ec16f35b0a2c959c19c6d Mon Sep 17 00:00:00 2001 -From: Changhyeok Bae <changhyeok.bae@gmail.com> -Date: Sun, 17 Dec 2017 15:40:58 +0000 -Subject: [PATCH] gcc-7 requires include <functional> for std::function - -Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> ---- - src/client/client-common.cpp | 1 + - src/common/smack-labels.cpp | 1 + - src/dpl/core/src/binary_queue.cpp | 1 + - 3 files changed, 3 insertions(+) - -diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp -index 883ab8d..1babdf7 100644 ---- a/src/client/client-common.cpp -+++ b/src/client/client-common.cpp -@@ -31,6 +31,7 @@ - #include <sys/xattr.h> - #include <linux/xattr.h> - #include <unistd.h> -+#include <functional> - - #include <dpl/log/log.h> - #include <dpl/serialization.h> -diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp -index 0294a42..1598099 100644 ---- a/src/common/smack-labels.cpp -+++ b/src/common/smack-labels.cpp -@@ -29,6 +29,7 @@ - #include <sys/xattr.h> - #include <linux/xattr.h> - #include <memory> -+#include <functional> - #include <fts.h> - #include <cstring> - #include <string> -diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp -index 72817a6..838409f 100644 ---- a/src/dpl/core/src/binary_queue.cpp -+++ b/src/dpl/core/src/binary_queue.cpp -@@ -26,6 +26,7 @@ - #include <malloc.h> - #include <cstring> - #include <new> -+#include <functional> - - namespace SecurityManager { - BinaryQueue::BinaryQueue() : --- -2.7.4 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch deleted file mode 100644 index bea3516d8..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch +++ /dev/null @@ -1,196 +0,0 @@ -From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Mon, 16 Nov 2015 14:26:25 +0100 -Subject: [PATCH] Removing tizen-platform-config - -Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 ---- - policy/security-manager-policy-reload | 2 +- - src/common/file-lock.cpp | 4 +--- - src/common/include/file-lock.h | 1 - - src/common/include/privilege_db.h | 3 +-- - src/common/service_impl.cpp | 39 +++++++++++------------------------ - src/common/smack-rules.cpp | 12 ++++------- - 6 files changed, 19 insertions(+), 42 deletions(-) - -diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload -index 6f211c6..ed8047a 100755 ---- a/policy/security-manager-policy-reload -+++ b/policy/security-manager-policy-reload -@@ -2,7 +2,7 @@ - - POLICY_PATH=/usr/share/security-manager/policy - PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list --DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db -+DB_FILE=/var/local/db/security-manager/.security-manager.db - - # Create default buckets - while read bucket default_policy -diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp -index 6f3996c..1dada17 100644 ---- a/src/common/file-lock.cpp -+++ b/src/common/file-lock.cpp -@@ -30,9 +30,7 @@ - - namespace SecurityManager { - --char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, -- "lock", -- "security-manager.lock"); -+char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock"; - - FileLocker::FileLocker(const std::string &lockFile, bool blocking) - { -diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h -index 604b019..21a86a0 100644 ---- a/src/common/include/file-lock.h -+++ b/src/common/include/file-lock.h -@@ -29,7 +29,6 @@ - - #include <dpl/exception.h> - #include <dpl/noncopyable.h> --#include <tzplatform_config.h> - - namespace SecurityManager { - -diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h -index 4d73d90..03c6680 100644 ---- a/src/common/include/privilege_db.h -+++ b/src/common/include/privilege_db.h -@@ -34,14 +34,13 @@ - #include <string> - - #include <dpl/db/sql_connection.h> --#include <tzplatform_config.h> - - #ifndef PRIVILEGE_DB_H_ - #define PRIVILEGE_DB_H_ - - namespace SecurityManager { - --const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); -+const char *const PRIVILEGE_DB_PATH = "/var/local/db/security-manager/.security-manager.db"; - - enum class QueryType { - EGetPkgPrivileges, -diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp -index ae305d3..65cc8b5 100644 ---- a/src/common/service_impl.cpp -+++ b/src/common/service_impl.cpp -@@ -32,7 +32,6 @@ - #include <algorithm> - - #include <dpl/log/log.h> --#include <tzplatform_config.h> - - #include "protocols.h" - #include "privilege_db.h" -@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, - - static uid_t getGlobalUserId(void) - { -- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); -+ static uid_t globaluid = 0; -+ if (!globaluid) { -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwnam_r("afm", &pw, buf, sizeof buf, &p); -+ globaluid = (rc || p == NULL) ? 555 : p->pw_uid; -+ } - return globaluid; - } - -@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) - - static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) - { -- struct tzplatform_context *tz_ctx = nullptr; -- -- if (tzplatform_context_create(&tz_ctx)) -- return false; -- -- if (tzplatform_context_set_user(tz_ctx, uid)) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); -+ if (rc || p == NULL) - return false; -- } -- -- enum tzplatform_variable id = -- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP; -- const char *appDir = tzplatform_context_getenv(tz_ctx, id); -- if (!appDir) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- return false; -- } -- -- userAppDir = appDir; -- -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- -+ userAppDir = p->pw_dir; - return true; - } - - static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) - { -- std::string userHome; - std::string userAppDir; - std::stringstream correctPath; - -diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp -index d834e42..8b5728b 100644 ---- a/src/common/smack-rules.cpp -+++ b/src/common/smack-rules.cpp -@@ -34,7 +34,6 @@ - #include <memory> - - #include <dpl/log/log.h> --#include <tzplatform_config.h> - - #include "smack-labels.h" - #include "smack-rules.h" -@@ -43,7 +42,7 @@ namespace SecurityManager { - - const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; - const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; --const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); -+const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack"; - const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; - - SmackRules::SmackRules() -@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon - - std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); -- return path; -+ return "/etc/smack/accesses.d/pkg_" + pkgId; - } - - std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); -- return path; -+ return "/etc/smack/accesses.d/app_" + appId; - } - void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, - const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) -@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con - for (auto privilege : privileges) { - if (privilege.empty()) - continue; -- std::string fprivilege ( privilege + "-template.smack"); -- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); -+ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack"; - if( stat(path.c_str(), &buffer) == 0) - smackRules.addFromTemplateFile(appId, pkgId, path); - } --- -2.1.4 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service deleted file mode 100644 index 8ed5e8601..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service +++ /dev/null @@ -1,15 +0,0 @@ -# -# Install security-manager DB to /var - -[Unit] -Description=Install Security Manager database -After=sysinit.target -Before=security-manager.service - -[Install] -WantedBy=default.target - -[Service] -Type=oneshot -User=root -ExecStart=/usr/bin/init-security-manager-db.sh diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh deleted file mode 100644 index f90192a84..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -if [ ! -e "/var/local/db/security-manager" ]; then - mkdir -p /var/local/db - cp -ra /usr/dbspace/ /var/local/db/security-manager -fi diff --git a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend index 61c933a7e..3306d4c72 100644 --- a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend +++ b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend @@ -1,25 +1,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:" -PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native" - -SRC_URI += " file://0001-Adapt-rules-to-AGL.patch \ - file://init-security-manager-db.service \ - file://init-security-manager-db.sh \ - file://0001-Fix-gcc6-build.patch \ - file://0001-Fix-Cmake-conf-for-gcc6-build.patch \ - file://0001-gcc-7-requires-include-functional-for-std-function.patch \ -" - -FILES_${PN}_append = "${bindir}/init-security-manager-db.sh \ - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_unitdir}/system/init-security-manager-db.service', '', d)} \ +EXTRA_OECMAKE =+ " -DGLOBALUSER=afm" +SRC_URI += " \ + file://0001-Adapt-rules-to-AGL.patch \ " -do_install_append () { - install -p -D ${WORKDIR}/init-security-manager-db.sh ${D}${bindir}/init-security-manager-db.sh - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - mkdir -p ${D}${systemd_unitdir}/system - mkdir -p ${D}${sysconfdir}/systemd/system/default.target.wants - install -m 644 -p -D ${WORKDIR}/init-security-manager-db.service ${D}${systemd_unitdir}/system/init-security-manager-db.service - ln -sf ${systemd_unitdir}/system/init-security-manager-db.service ${D}${sysconfdir}/systemd/system/default.target.wants - fi -} diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_git.bbappend b/meta-app-framework/recipes-security/security-manager/security-manager_git.bbappend deleted file mode 100644 index 424b49358..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager_git.bbappend +++ /dev/null @@ -1,2 +0,0 @@ -do_patch[depends] += "quilt-native:do_populate_sysroot libcap:do_populate_sysroot" -APPLY = "no" |