diff options
author | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-12-08 11:12:45 +0100 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-12-17 13:59:52 +0000 |
commit | 1c3c06842ac1b9c089d0a08e91c60f44e4844fac (patch) | |
tree | 21e97368be8f78a3e76b66dfda24c1d5e774519f /meta-security/recipes-connectivity | |
parent | c1e048fc05542d859115990312e0753ce2dea72e (diff) |
SPEC-3723: restructure meta-agl
Goal is to reach a minimal meta-agl-core as base for IVI and IC work at the same time.
Trim dependencies and move most 'demo' related recipes to meta-agl-demo.
v2: changed to bbapend + .inc , added description
v3: testbuild of all images
v4: restore -test packagegroup and -qa images, compare manifests and adapt packagegroups.
v5: rebased
v6: merged meta-agl-distro into meta-agl-core,
due to dependency on meta-oe, moved -test packagegroup and -qa images
to own layer meta-agl-core-test
v7: Fixed comments from Paul Barker
v8: Update the markdown files
v9: restore wayland/weston/agl-compositor recipes/appends, reworked to
move app f/w specific changes to bbappends in meta-app-framework and
only demo specific weston-init changes to meta-agl-demo
v10: fix s/agldemo/aglcore/ missed in weston-init.bbappend
Description:
This patch is part 1 out of 2 large patches that implement the layer rework
discussed during the previous workshop. Essentially meta-agl-core is the
small but versatile new core layer of AGL serving as basis for
the work done by the IC and IVI EGs.
All demo related work is moved to meta-agl-demo in the 2nd patchset.
This should be applied together as atomic change.
The resulting meta-agl/* follows these guidelines:
- only bsp adaptations in meta-agl-bsp
- remove the agl-profile-* layers for simplicity
-- the packagegroup-agl(-profile)-graphical and so on
have been kept in meta-agl-demo
- meta-agl-profile-core is now meta-agl-core
- meta-agl-core does pass yocto-check-layer
-- therefore use the bbappend + conditional + .inc file
construct found in meta-virtualization
- meta-agl/meta-security has been merged into meta-agl/meta-app-framework
- meta-netboot does pass yocto-check-layer
- meta-pipewire does pass yocto-check-layer
Migration:
All packagegroups are preserved but they're now enabled by 'agl-demo'.
Bug-AGL: SPEC-3723
Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: Ia6c6e5e6ce2b4ffa69ea94959cdc57c310ba7c53
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/25769
Diffstat (limited to 'meta-security/recipes-connectivity')
4 files changed, 0 insertions, 95 deletions
diff --git a/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend b/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend deleted file mode 100644 index 3767681b0..000000000 --- a/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend +++ /dev/null @@ -1,55 +0,0 @@ -# Recent bluez5 releases started limiting the capabilities of -# bluetoothd. When running on a Smack-enabled system, that change has the -# effect that bluetoothd can no longer create the input device under -# /sys because bluez5 running with label "System" has no write -# access to that. -# -# It works when running as normal root with unrestricted capabilities -# because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows -# the process to ignore Smack rules. -# -# We need to ensure that bluetoothd still has that capability. -# -# To fix the issue, Patick and Casey(the Smack architect) had a talk -# about it in Ostro dev mail list. Casey has some ideas about the issue: -# "Turning off privilege is a great thing to do *so long as you don't -# really need the privilege*. In this case you really need it. -# The application package isn't written to account for Smack's use of -# CAP_MAC_OVERRIDE as the mechanism for controlling this dangerous operation. -# Yes, it would be possible to change /proc to change the Smack label on -# that particular file, but that might open other paths for exploit. -# I say give the program the required capability. The program maintainer -# may well say change the kernel handling of /proc. You're stuck in the -# middle, as both work the way they're intended and hence the system -# doesn't work. :( There isn't a way to make this work without "loosening" -# something." -# Therefore, when we we run the program with CAP_MAC_OVERRIDE, -# the whole reason for having capabilities is so the we can give a -# process the ability to bypass one kind of check without giving it the -# ability to bypass other, unrelated checks. A process with -# CAP_MAC_OVERRIDE is still constrained by the file mode bits. -# We was overly worried about granting that capability. -# When it has no other effect than excluding a process from Smack MAC enforcement, -# then adding to the process seems like the right solution for now. -# -# The conclusion from Patick and Casey is that the Smack architect give the key point -# that this is the solution preferred. -# -# Because the solution is to some extend specific to the environment -# in which connmand runs, this change is not submitted upstream -# and it can be overridden by a distro via FIX_BLUEZ5_CAPABILITIES. -# -# The related patch has been submitted to upstream too. -# upstream link: http://permalink.gmane.org/gmane.linux.bluez.kernel/67993 - -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" - -SRC_URI_append_with-lsm-smack = "\ - file://bluetooth.service.conf \ -" - -FILES_${PN} += "${systemd_unitdir}" - -do_install_append_with-lsm-smack() { - install -Dm0644 ${WORKDIR}/bluetooth.service.conf ${D}${systemd_unitdir}/system/bluetooth.service.d/smack.conf -} diff --git a/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf b/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf deleted file mode 100644 index b93ab4fee..000000000 --- a/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -CapabilityBoundingSet=CAP_MAC_OVERRIDE diff --git a/meta-security/recipes-connectivity/connman/connman_%.bbappend b/meta-security/recipes-connectivity/connman/connman_%.bbappend deleted file mode 100644 index 3b010490d..000000000 --- a/meta-security/recipes-connectivity/connman/connman_%.bbappend +++ /dev/null @@ -1,34 +0,0 @@ -# Recent ConnMan releases started limiting the capabilities of -# ConnMan. When running on a Smack-enabled system, that change has the -# effect that connmand can no longer change network settings under -# /proc/net because the Smack label of /proc is "_", and connmand -# running with label "System" has no write access to that. -# -# It works when running as normal root with unrestricted capabilities -# because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows -# the process to ignore Smack rules. -# -# We need to ensure that connmand still has that capability. -# -# The alternative would be to set up fine-grained labelling of -# /proc with corresponding rules, which is considerably more work -# and also may depend on kernel changes (like supporting smackfsroot -# for procfs, which seems to be missing at the moment). -# -# Because the solution is to some extend specific to the environment -# in which connmand runs, this change is not submitted upstream -# and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES. - -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" - -SRC_URI_append_with-lsm-smack = "\ - file://connman.service.conf \ -" - -RDEPENDS_${PN}_append_with-lsm-smack = " smack" - -FILES_${PN} += "${systemd_unitdir}" - -do_install_append_with-lsm-smack() { - install -Dm0644 ${WORKDIR}/connman.service.conf ${D}${systemd_unitdir}/system/connman.service.d/smack.conf -} diff --git a/meta-security/recipes-connectivity/connman/files/connman.service.conf b/meta-security/recipes-connectivity/connman/files/connman.service.conf deleted file mode 100644 index 6ebbf6ad1..000000000 --- a/meta-security/recipes-connectivity/connman/files/connman.service.conf +++ /dev/null @@ -1,4 +0,0 @@ -[Service] -CapabilityBoundingSet=CAP_MAC_OVERRIDE -ExecStartPre=+-/bin/mkdir -p /run/connman -ExecStartPre=+-/usr/bin/chsmack -t -a System::Shared /run/connman |