authorJosé Bollo <jose.bollo@iot.bzh>2018-01-24 11:38:43 +0100
committerJosé Bollo <jose.bollo@iot.bzh>2018-02-13 11:02:00 +0100
commitf70d712e4f505f5c5b50ae17f4f023d20a667568 (patch)
tree57b0aaa702651012e1adfc07f9b6b6c580506f66 /meta-security/recipes-security/cynara
parent3f962c7d202055777dd0238f12dbcf70f09ac07d (diff)
Integrate parts of meta-intel-iot-security
Adds the recipes of the sub layers - meta-security-framework - meta-security-smack Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-security/recipes-security/cynara')
-rw-r--r--meta-security/recipes-security/cynara/cynara.inc158
-rw-r--r--meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch119
-rw-r--r--meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch31
-rw-r--r--meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch31
-rwxr-xr-xmeta-security/recipes-security/cynara/cynara/run-ptest4
-rw-r--r--meta-security/recipes-security/cynara/cynara_git.bb11
6 files changed, 354 insertions, 0 deletions
diff --git a/meta-security/recipes-security/cynara/cynara.inc b/meta-security/recipes-security/cynara/cynara.inc
new file mode 100644
index 000000000..0e823edcc
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara.inc
@@ -0,0 +1,158 @@
+DESCRIPTION = "Cynara service with client libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
+
+DEPENDS = " \
+dbus \
+glib-2.0 \
+systemd \
+zip \
+"
+
+# For testing:
+# DEPENDS += "gmock"
+
+PACKAGECONFIG ??= ""
+# Use debug mode to increase logging. Beware, also compiles with less optimization
+# and thus has to disable FORTIFY_SOURCE below.
+PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE,libunwind elfutils"
+
+inherit cmake
+
+CXXFLAGS_append = " \
+-DCYNARA_STATE_PATH=\\\\\"${localstatedir}/cynara/\\\\\" \
+-DCYNARA_LIB_PATH=\\\\\"${prefix}/lib/cynara/\\\\\" \
+-DCYNARA_TESTS_DIR=\\\\\"${prefix}/share/cynara/tests/\\\\\" \
+-DCYNARA_CONFIGURATION_DIR=\\\\\"${sysconfdir}/cynara/\\\\\" \
+${@bb.utils.contains('PACKAGECONFIG', 'debug', '-Wp,-U_FORTIFY_SOURCE', '', d)} \
+"
+
+EXTRA_OECMAKE += " \
+-DCMAKE_VERBOSE_MAKEFILE=ON \
+-DBUILD_WITH_SYSTEMD=ON \
+-DSYSTEMD_UNIT_DIR=${systemd_unitdir}/system \
+-DSOCKET_DIR=/run/cynara \
+"
+
+# Explicitly package empty directory. Otherwise Cynara prints warnings
+# at runtime:
+# cyad[198]: Couldn't scan for plugins in </usr/lib/cynara/plugin/service/> : <No such file or directory>
+FILES_${PN}_append = " \
+${libdir}/cynara/plugin/service \
+${libdir}/cynara/plugin/client \
+"
+
+# Testing depends on gmock and gtest. They can be found in meta-oe
+# and are not necessarily available, so this feature is off by default.
+# If gmock from meta-oe is used, then a workaround is needed to avoid
+# a link error (libgmock.a calls pthread functions without libpthread
+# being listed in the .pc file).
+PACKAGECONFIG[tests] = "-DBUILD_TESTS:BOOL=ON,-DBUILD_TESTS:BOOL=OFF,gmock gtest,"
+SRC_URI_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' file://gmock-pthread-linking.patch file://run-ptest', '', d)}"
+
+# Will be empty if no tests were built.
+inherit ptest
+FILES_${PN}-ptest += "${bindir}/cynara-tests ${bindir}/cynara-db-migration-tests ${datadir}/cynara/tests"
+do_install_ptest () {
+ if ${@bb.utils.contains('PACKAGECONFIG', 'tests', 'true', 'false', d)}; then
+ mkdir -p ${D}/${datadir}/cynara/tests
+ cp -r ${S}/test/db/* ${D}/${datadir}/cynara/tests
+ fi
+}
+
+do_compile_prepend () {
+ # en_US.UTF8 is not available, causing cynara-tests parser.getKeyAndValue to fail.
+ # Submitted upstream: https://github.com/Samsung/cynara/issues/10
+ sed -i -e 's/std::locale("en_US.UTF8")/std::locale::classic()/g' ${S}/test/credsCommons/parser/Parser.cpp
+}
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "-r cynara"
+USERADD_PARAM_${PN} = "\
+--system --home ${localstatedir}/lib/empty \
+--no-create-home --shell /bin/false \
+--gid cynara cynara \
+"
+
+# Causes deadlock during booting, see workaround in postinst below.
+#inherit systemd
+#SYSTEMD_SERVICE_${PN} = "cynara.service"
+
+do_install_append () {
+ chmod a+rx ${D}/${sbindir}/cynara-db-migration
+
+ install -d ${D}${sysconfdir}/cynara/
+ install -m 644 ${S}/conf/creds.conf ${D}/${sysconfdir}/cynara/creds.conf
+
+ # No need to create empty directories except for those which
+ # Cynara expects to find.
+ # install -d ${D}${localstatedir}/cynara/
+ # install -d ${D}${prefix}/share/cynara/tests/empty_db
+ install -d ${D}${libdir}/cynara/plugin/client
+ install -d ${D}${libdir}/cynara/plugin/service
+
+ # install db* ${D}${prefix}/share/cynara/tests/
+
+ install -d ${D}${systemd_unitdir}/system/sockets.target.wants
+ ln -s ../cynara.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara.socket
+ ln -s ../cynara-admin.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara-admin.socket
+ ln -s ../cynara-agent.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara-agent.socket
+}
+
+FILES_${PN} += "${systemd_unitdir}/system"
+
+# Cynara itself has no dependency on Smack. Only its installation
+# is Smack-aware in the sense that it sets Smack labels. Do not
+# depend on smack userspace unless we really need Smack labels.
+#
+# The Tizen .spec file calls cynara-db-migration in a %pre section.
+# That only works when cynara-db-migration is packaged separately
+# (overly complex) and does not seem necessary: perhaps there is a
+# time window where cynara might already get activated before
+# the postinst completes, but that is a general problem. It gets
+# avoided entirely when calling this script while building the
+# rootfs.
+RDEPENDS_${PN}_append_with-lsm-smack = " smack-userspace"
+DEPENDS_append_with-lsm-smack = " smack-userspace-native"
+CHSMACK_with-lsm-smack = "chsmack"
+CHSMACK = "true"
+pkg_postinst_${PN} () {
+ # Fail on error.
+ set -e
+
+ # It would be nice to run the code below while building an image,
+ # but currently the calls to cynara-db-chsgen (a binary) in
+ # cynara-db-migration (a script) prevent that. Rely instead
+ # on OE's support for running failed postinst scripts at first boot.
+ if [ x"$D" != "x" ]; then
+ exit 1
+ fi
+
+ mkdir -p $D${sysconfdir}/cynara
+ ${CHSMACK} -a System $D${sysconfdir}/cynara
+
+ # Strip git patch level information, the version comparison code
+ # in cynara-db-migration only expect major.minor.patch version numbers.
+ VERSION=${@bb.data.getVar('PV',d,1).split('+git')[0]}
+ if [ -d $D${localstatedir}/cynara ] ; then
+ # upgrade
+ echo "NOTE: updating cynara DB to version $VERSION"
+ $D${sbindir}/cynara-db-migration upgrade -f 0.0.0 -t $VERSION
+ else
+ # install
+ echo "NOTE: creating cynara DB for version $VERSION"
+ mkdir -p $D${localstatedir}/cynara
+ ${CHSMACK} -a System $D${localstatedir}/cynara
+ $D${sbindir}/cynara-db-migration install -t $VERSION
+ fi
+
+ # Workaround for systemd.bbclass issue: it would call
+ # "systemctl start" without "--no-block", but because
+ # the service is not ready to run at the time when
+ # this scripts gets executed by run-postinsts.service,
+ # booting deadlocks.
+ echo "NOTE: enabling and starting cynara service"
+ systemctl enable cynara
+ systemctl start --no-block cynara
+}
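Review bot: `VERSION=${@bb.data.getVar('PV',d,1).split('+git')[0]}` in pkg_postinst uses the legacy `bb.data.getVar()` module function; the datastore method `d.getVar('PV', True)` is the supported form and yields the same expanded value here. The `-f 0.0.0` passed to `cynara-db-migration upgrade` hardcodes the source version on every upgrade; if the migration script selects its steps from that value (not visible on this page) an upgrade from a real older installation would replay from scratch, so the line deserves a comment such as `# -f 0.0.0: the script detects the on-disk DB version itself — TODO confirm`. Because the script exits as soon as `$D` is set (the `if [ x"$D" != "x" ]` block), every later `$D` prefix is always empty; dropping them, or moving the body into `pkg_postinst_ontarget_${PN}` where the layer's OE-core release provides it, would make the first-boot-only intent explicit.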
diff --git a/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch b/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch
new file mode 100644
index 000000000..7ad94ed40
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch
@@ -0,0 +1,119 @@
+From 9d1ba2f7c5d72436b17d0f3982a00380c72a58f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 4 Jul 2016 13:54:59 +0200
+Subject: [PATCH] cmake: Improves directories and libsystemd
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The previous implementation was not fully compliant with
+standards. It was missing some of the predefined variable
+DATAROOTDIR, it was missing specificity of
+CMAKE_INSTALL_FULL_SYSCONFDIR. It also was not compatible
+with yocto build system bitbake.
+
+The library systemd is changing. The previous previous
+pkg-config files 'libsystemd-daemon' and 'libsystemd-journal'
+are now deprecated in favour of 'libsystemd'.
+
+Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/16]
+
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ CMakeLists.txt | 46 ++++++++++++++++++++--------------------------
+ 1 file changed, 20 insertions(+), 26 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b0ee75f..6a439e2 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -43,66 +43,60 @@ ENDIF (NOT BUILD_COMMONS AND NOT BUILD_SERVICE AND NOT BUILD_DBUS)
+
+ ########################## search for packages ################################
+
+-#1st case. User choose to build with systemd.
+-IF (DEFINED BUILD_WITH_SYSTEMD AND BUILD_WITH_SYSTEMD)
+- PKG_CHECK_MODULES(SYSTEMD_DEP
+- REQUIRED
+- libsystemd-daemon
+- libsystemd-journal
+- )
+-ENDIF (DEFINED BUILD_WITH_SYSTEMD AND BUILD_WITH_SYSTEMD)
++#Search the new libsystemd package
++PKG_CHECK_MODULES(SYSTEMD_DEP QUIET libsystemd)
+
+-#2nd case. User choose not to build with systemd. Noting to do in this case.
+-#IF (DEFINED BUILD_WITH_SYSTEMD AND NOT BUILD_WITH_SYSTEMD)
+-#ENDIF (DEFINED BUILD_WITH_SYSTEMD AND NOT BUILD_WITH_SYSTEMD)
+-
+-#3rd case. User did not choose. If we can we will use systemd.
+-IF (NOT DEFINED BUILD_WITH_SYSTEMD)
++#Fallback ot the oldest libsystemd packages
++IF(NOT SYSTEMD_DEP_FOUND)
+ PKG_CHECK_MODULES(SYSTEMD_DEP
+ QUIET
+ libsystemd-daemon
+ libsystemd-journal
+ )
+-
+- IF (SYSTEMD_DEP_FOUND)
+- SET(BUILD_WITH_SYSTEMD ON)
+- ENDIF (SYSTEMD_DEP_FOUND)
+-ENDIF (NOT DEFINED BUILD_WITH_SYSTEMD)
++ENDIF(NOT SYSTEMD_DEP_FOUND)
++
++#Enforce and check
++IF(SYSTEMD_DEP_FOUND)
++ #Enforce use of systemd if present
++ SET(BUILD_WITH_SYSTEMD ON)
++ELSEIF(BUILD_WITH_SYSTEMD)
++ MESSAGE(FATAL_ERROR "Can't find libsystemd")
++ENDIF()
+
+ ######################## directory configuration ############################
+
+ SET(LIB_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}"
++ "${CMAKE_INSTALL_FULL_LIBDIR}"
+ CACHE PATH
+ "Object code libraries directory")
+
+ SET(BIN_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}"
++ "${CMAKE_INSTALL_FULL_BINDIR}"
+ CACHE PATH
+ "User executables directory")
+
+ SET(SBIN_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_SBINDIR}"
++ "${CMAKE_INSTALL_FULL_SBINDIR}"
+ CACHE PATH
+ "System admin executables directory")
+
+ SET(SYS_CONFIG_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_SYSCONFDIR}"
++ "${CMAKE_INSTALL_FULL_SYSCONFDIR}"
+ CACHE PATH
+ "Read-only single-machine data directory")
+
+ SET(INCLUDE_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDEDIR}"
++ "${CMAKE_INSTALL_FULL_INCLUDEDIR}"
+ CACHE PATH
+ "Header files directory")
+
+ SET(LOCAL_STATE_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LOCALSTATEDIR}"
++ "${CMAKE_INSTALL_FULL_LOCALSTATEDIR}"
+ CACHE PATH
+ "Modifiable single-machine data directory")
+
+ SET(DATA_ROOT_DIR
+- "${CMAKE_INSTALL_PREFIX}/share"
++ "${CMAKE_INSTALL_FULL_DATAROOTDIR}"
+ CACHE PATH
+ "Read-only architecture-independent data root directory")
+
+--
+2.5.5
+
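Review bot: The new `IF(SYSTEMD_DEP_FOUND) SET(BUILD_WITH_SYSTEMD ON)` block forces systemd on whenever libsystemd is found, so an explicit `-DBUILD_WITH_SYSTEMD=OFF` is silently overridden, whereas the removed code honoured that choice (its "2nd case"). Defaulting only when the variable is undefined keeps the auto-detection while respecting a user setting, as in the block below. The comment `#Fallback ot the oldest libsystemd packages` should read `to the older`. The `Upstream-status:` trailer here, and in the two other patches added by this commit, should be spelled `Upstream-Status:`, the casing OE's patch checks look for.
```cmake
#Enforce and check
IF(NOT DEFINED BUILD_WITH_SYSTEMD)
  #Default to systemd when libsystemd is present
  IF(SYSTEMD_DEP_FOUND)
    SET(BUILD_WITH_SYSTEMD ON)
  ELSE()
    SET(BUILD_WITH_SYSTEMD OFF)
  ENDIF()
ELSEIF(BUILD_WITH_SYSTEMD AND NOT SYSTEMD_DEP_FOUND)
  MESSAGE(FATAL_ERROR "Can't find libsystemd")
ENDIF()
```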
diff --git a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
new file mode 100644
index 000000000..cbf372ad9
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
@@ -0,0 +1,31 @@
+From 297774fa4d01156c0327d6e6380a7ecae30bf875 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Mon, 23 Mar 2015 15:01:39 -0700
+Subject: [PATCH 1/2] cynara-db-migration.in: abort on errors
+
+"set -e" enables error checking for all commands invoked by the script.
+Previously, errors were silently ignored.
+
+Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ migration/cynara-db-migration | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in
+index ff9bd61..f6e7f94 100644
+--- a/migration/cynara-db-migration.in
++++ b/migration/cynara-db-migration.in
+@@ -19,6 +19,8 @@
+ # @brief Migration tool for Cynara's database
+ #
+
++set -e
++
+ ##### Constants (these must not be modified by shell)
+
+ STATE_PATH='@LOCAL_STATE_DIR@/@PROJECT_NAME@'
+--
+1.8.4.5
+
diff --git a/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch b/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch
new file mode 100644
index 000000000..1a204eb14
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch
@@ -0,0 +1,31 @@
+From 80cc04091410d6a322fee1a2922fdf867395f00a Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Fri, 29 May 2015 10:21:57 +0200
+Subject: [PATCH] work around gmock pthread dependency
+
+In meta-oe, gmock's .pc file does not declare that users of
+gmock must link against pthread. Let's work around that
+here by always linking tests against libpthread.
+
+Upstream-status: Inappropriate [embedded specific]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ test/CMakeLists.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
+index 25a70db..f490a24 100644
+--- a/test/CMakeLists.txt
++++ b/test/CMakeLists.txt
+@@ -138,6 +138,7 @@ ADD_EXECUTABLE(${TARGET_CYNARA_TESTS}
+ TARGET_LINK_LIBRARIES(${TARGET_CYNARA_TESTS}
+ ${PKGS_LDFLAGS}
+ ${PKGS_LIBRARIES}
++ pthread
+ crypt
+ )
+ INSTALL(TARGETS ${TARGET_CYNARA_TESTS} DESTINATION ${BIN_INSTALL_DIR})
+--
+2.1.4
+
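Review bot: The added bare `pthread` in `TARGET_LINK_LIBRARIES` hardcodes the library name; the portable form is `FIND_PACKAGE(Threads REQUIRED)` followed by linking `${CMAKE_THREAD_LIBS_INIT}` (or `Threads::Threads` on CMake 3.1 and later), which also covers toolchains where the threads library is not a separate libpthread. Since the patch is marked Inappropriate and is only applied with the `tests` PACKAGECONFIG, this is a nit. The `TARGET_LINK_LIBRARIES` call opens before the hunk and is keyword-less, so any replacement entry has to stay keyword-less to avoid mixing signatures.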
diff --git a/meta-security/recipes-security/cynara/cynara/run-ptest b/meta-security/recipes-security/cynara/cynara/run-ptest
new file mode 100755
index 000000000..f8dd5d8b4
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/run-ptest
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+cynara-tests | sed -e 's/^\[ *OK *\] \(\S*\)$/PASS: \1/' -e 's/^\[ *FAILED *\] \(\S*\)$/FAIL: \1/'
+sh /usr/bin/cynara-db-migration-tests | sed -e 's/^Test .*(\([^)]*\)).*passed.*/PASS: \1/' -e 's/^Test .*(\([^)]*\)).*failed.*/FAIL: \1/'
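Review bot: `sh /usr/bin/cynara-db-migration-tests` hardcodes the install path while the line above resolves `cynara-tests` through PATH and the recipe packages both under `${bindir}`; on a layout where bindir differs, the second test set silently goes missing. Use `cynara-db-migration-tests` directly (or `sh "$(command -v cynara-db-migration-tests)"`) so both lines resolve the same way. The `\S` in the first sed expression is a GNU regex extension that a busybox sed built against a non-glibc libc may reject; `[^[:space:]]*` is the portable equivalent, worth verifying on the target image.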
diff --git a/meta-security/recipes-security/cynara/cynara_git.bb b/meta-security/recipes-security/cynara/cynara_git.bb
new file mode 100644
index 000000000..6e387d41e
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara_git.bb
@@ -0,0 +1,11 @@
+require cynara.inc
+
+PV = "0.11.0+git${SRCPV}"
+SRCREV = "973765e329f8a84c1549cb2b0c65ccb1cce3c2d3"
+SRC_URI = "git://github.com/Samsung/cynara.git"
+S = "${WORKDIR}/git"
+
+SRC_URI += " \
+file://cynara-db-migration-abort-on-errors.patch \
+file://cmake-Improves-directories-and-libsystemd.patch \
+"
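Review bot: `SRC_URI = "git://github.com/Samsung/cynara.git"` fetches over the unauthenticated git:// transport and names no branch; adding `;protocol=https;branch=<branch — not on this page, confirm>` pins the branch the SRCREV lives on and moves the fetch to an authenticated, encrypted transport. The fixed `SRCREV` already pins the content by commit hash, so this is about fetch robustness and transport hygiene rather than integrity of the checked-out tree.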