authorJan-Simon Möller <jsmoeller@linuxfoundation.org>2018-02-14 10:55:35 +0100
committerJan-Simon Möller <jsmoeller@linuxfoundation.org>2018-02-14 10:55:35 +0100
commit317c8a08a6b5943517e67c5ea80b0a9a83a10d63 (patch)
treebf2b27dc9068924b59b46d2e153936c77be954c3 /meta-security/recipes-security/cynara
parentb6dc44f585b839ab1a2f0133b74958037fe1cb64 (diff)
parentc9ce37905acd879db107eafe309678053073e086 (diff)
Merge remote-tracking branch 'agl/sandbox/ronan/rocko' into HEAD
* agl/sandbox/ronan/rocko: (58 commits) Update ulcb conf file Remove unsed gstreamer backport [GEN3] add preferred version on omx package run-(agl-)postinst: Emit progress to console meta-security: Remove unused content Upgrade wayland-ivi-extension Revert "Fix kernel gcc7 issue" remove backport commit Revert "Fix CVE-2017-1000364 by backporting the patches for gen3" Remove fix for optee-os Remove gcc 6 fix Update rcar gen3 kernel bbappend version Update rcar gen3 driver Remove porter machine dbus-cynara: Upgrade to 1.10.20 xmlsec1: switch to meta-security version systemd: earlier smack label switch cynara: upgrade to 0.14.10 Remove smack recipe Integrate parts of meta-intel-iot-security ... Bug-AGL: SPEC-1181 Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org> Conflicts: meta-app-framework/recipes-security/cynara/cynara_git.bbappend Change-Id: I9875fcb31e960038ce6c23165c99b52a3bd1a1c0
Diffstat (limited to 'meta-security/recipes-security/cynara')
-rw-r--r--meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch59
-rw-r--r--meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch38
-rw-r--r--meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch45
-rw-r--r--meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch44
-rw-r--r--meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch127
-rw-r--r--meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch80
-rw-r--r--meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch31
-rwxr-xr-xmeta-security/recipes-security/cynara/cynara/run-ptest4
-rw-r--r--meta-security/recipes-security/cynara/cynara_0.14.10.bb163
9 files changed, 591 insertions, 0 deletions
diff --git a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
new file mode 100644
index 000000000..11387b98b
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
@@ -0,0 +1,59 @@
+From 3d387993b5a4283e8aebd8e777b2ccd45d233959 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 25 Jan 2018 12:00:18 +0100
+Subject: [PATCH 1/6] Add fallthrough tags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+GCC 7 emits a warning when the tag /*@fallthrough@*/
+doesn't appear in a switch case when a case continue
+to the next after some processing.
+
+Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/admin/api/admin-api.cpp | 1 +
+ src/client-async/logic/Logic.cpp | 1 +
+ src/common/sockets/SocketClient.cpp | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/src/admin/api/admin-api.cpp b/src/admin/api/admin-api.cpp
+index c638f41..aafa45e 100644
+--- a/src/admin/api/admin-api.cpp
++++ b/src/admin/api/admin-api.cpp
+@@ -146,6 +146,7 @@ int cynara_admin_set_policies(struct cynara_admin *p_cynara_admin,
+ case CYNARA_ADMIN_BUCKET:
+ if (!isStringValid(policy->result_extra))
+ return CYNARA_API_INVALID_PARAM;
++ /*@fallthrough@*/
+ default:
+ {
+ std::string extraStr = policy->result_extra ? policy->result_extra : "";
+diff --git a/src/client-async/logic/Logic.cpp b/src/client-async/logic/Logic.cpp
+index 5ae0251..c1d6c33 100644
+--- a/src/client-async/logic/Logic.cpp
++++ b/src/client-async/logic/Logic.cpp
+@@ -233,6 +233,7 @@ bool Logic::processOut(void) {
+ case Socket::SendStatus::ALL_DATA_SENT:
+ onStatusChange(m_socketClient.getSockFd(),
+ cynara_async_status::CYNARA_STATUS_FOR_READ);
++ /*@fallthrough@*/
+ case Socket::SendStatus::PARTIAL_DATA_SENT:
+ return true;
+ default:
+diff --git a/src/common/sockets/SocketClient.cpp b/src/common/sockets/SocketClient.cpp
+index b1ca4f7..f4394e5 100644
+--- a/src/common/sockets/SocketClient.cpp
++++ b/src/common/sockets/SocketClient.cpp
+@@ -45,6 +45,7 @@ bool SocketClient::connect(void) {
+ LOGW("Error connecting to Cynara. Service not available.");
+ return false;
+ }
++ /*@fallthrough@*/
+ default:
+ return true;
+ }
+--
+2.14.3
+
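Review bot: The patch header carries Change-Id and Signed-off-by lines but no `Upstream-Status:` line, which the layer's own cynara-db-migration-abort-on-errors.patch in this same commit does include and which the OE patch guidelines expect for every recipe patch; the same omission applies to 0002 through 0006. Add a line such as `Upstream-Status: Pending` (or `Submitted [<review URL>]` if the change was sent to Samsung/cynara) directly below `Signed-off-by: José Bollo <jose.bollo@iot.bzh>` in each of the six headers. Without it a later maintainer cannot tell whether the patch can be dropped on the next upstream bump.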
diff --git a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
new file mode 100644
index 000000000..760a1c5b2
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
@@ -0,0 +1,38 @@
+From b18e66ce7f81c56e3a97ed075cb60d5a43b2e57c Mon Sep 17 00:00:00 2001
+From: Changhyeok Bae <changhyeok.bae@gmail.com>
+Date: Sun, 17 Dec 2017 15:28:28 +0000
+Subject: [PATCH 2/6] gcc-7 requires include <functional> for std::function
+
+Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
+---
+ src/common/types/PolicyBucket.h | 1 +
+ src/cyad/AdminPolicyParser.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/common/types/PolicyBucket.h b/src/common/types/PolicyBucket.h
+index 029d3dd..1bceeca 100644
+--- a/src/common/types/PolicyBucket.h
++++ b/src/common/types/PolicyBucket.h
+@@ -30,6 +30,7 @@
+ #include <set>
+ #include <string>
+ #include <vector>
++#include <functional>
+
+ #include <exceptions/NotImplementedException.h>
+ #include <types/pointers.h>
+diff --git a/src/cyad/AdminPolicyParser.h b/src/cyad/AdminPolicyParser.h
+index 53dde23..f38c194 100644
+--- a/src/cyad/AdminPolicyParser.h
++++ b/src/cyad/AdminPolicyParser.h
+@@ -25,6 +25,7 @@
+
+ #include <istream>
+ #include <memory>
++#include <functional>
+
+ #include <cyad/CynaraAdminPolicies.h>
+
+--
+2.14.3
+
diff --git a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
new file mode 100644
index 000000000..8c47c3b26
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
@@ -0,0 +1,45 @@
+From 6ad54c5e732e7cf0a29f29f48fa757e3e56d6860 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 25 Jan 2018 11:38:16 +0100
+Subject: [PATCH 3/6] Avoid warning when compiling without smack
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When DB_FILES_SMACK_LABEL is not defined, cmake complains
+with the following message:
+
+> -- Checking for modules ''
+> Please specify at least one package name on the command line.
+
+Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/admin/CMakeLists.txt | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/admin/CMakeLists.txt b/src/admin/CMakeLists.txt
+index e4f354a..38b8669 100644
+--- a/src/admin/CMakeLists.txt
++++ b/src/admin/CMakeLists.txt
+@@ -23,12 +23,12 @@ IF (DB_FILES_SMACK_LABEL)
+ SET(SMACK "smack")
+ SET(LIBSMACK "libsmack")
+ ADD_DEFINITIONS("-DDB_FILES_SMACK_LABEL=\"${DB_FILES_SMACK_LABEL}\"")
+-ENDIF (DB_FILES_SMACK_LABEL)
+
+-PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP
+- REQUIRED
+- ${LIBSMACK}
+- )
++ PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP
++ REQUIRED
++ ${LIBSMACK}
++ )
++ENDIF (DB_FILES_SMACK_LABEL)
+
+ SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin)
+
+--
+2.14.3
+
diff --git a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
new file mode 100644
index 000000000..164542899
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
@@ -0,0 +1,44 @@
+From 2bd62bca98a8a8cf194fb2b68aed68d982f58520 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 25 Jan 2018 12:52:39 +0100
+Subject: [PATCH 4/6] Fix mode of sockets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Setting execution bit on the socket serves nothing.
+
+Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ systemd/cynara-admin.socket | 2 +-
+ systemd/cynara.socket | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket
+index 2d1aea4..ed38386 100644
+--- a/systemd/cynara-admin.socket
++++ b/systemd/cynara-admin.socket
+@@ -1,6 +1,6 @@
+ [Socket]
+ ListenStream=/run/cynara/cynara-admin.socket
+-SocketMode=0700
++SocketMode=0600
+ SmackLabelIPIn=@
+ SmackLabelIPOut=@
+
+diff --git a/systemd/cynara.socket b/systemd/cynara.socket
+index 9f2a870..fad2745 100644
+--- a/systemd/cynara.socket
++++ b/systemd/cynara.socket
+@@ -1,6 +1,6 @@
+ [Socket]
+ ListenStream=/run/cynara/cynara.socket
+-SocketMode=0777
++SocketMode=0666
+ SmackLabelIPIn=*
+ SmackLabelIPOut=@
+
+--
+2.14.3
+
diff --git a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
new file mode 100644
index 000000000..b4a2d74e8
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
@@ -0,0 +1,127 @@
+From d919b110a2fbccdce084c651f4d7d7de66f2f869 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 25 Jan 2018 13:47:37 +0100
+Subject: [PATCH 5/6] Allow to tune sockets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Allow to change the directory of sockets
+through a true integration of SOCKET_DIR
+
+Allow to override the socket's group of
+ - /run/cynara/cynara-agent.socket
+ - /run/cynara/cynara-monitor-get.socket
+
+through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP
+
+Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ systemd/CMakeLists.txt | 19 +++++++++++++++----
+ .../{cynara-admin.socket => cynara-admin.socket.in} | 2 +-
+ .../{cynara-agent.socket => cynara-agent.socket.in} | 4 ++--
+ ...onitor-get.socket => cynara-monitor-get.socket.in} | 4 ++--
+ systemd/{cynara.socket => cynara.socket.in} | 2 +-
+ 5 files changed, 21 insertions(+), 10 deletions(-)
+ rename systemd/{cynara-admin.socket => cynara-admin.socket.in} (78%)
+ rename systemd/{cynara-agent.socket => cynara-agent.socket.in} (66%)
+ rename systemd/{cynara-monitor-get.socket => cynara-monitor-get.socket.in} (64%)
+ rename systemd/{cynara.socket => cynara.socket.in} (80%)
+
+diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
+index 20accf0..1b75c12 100644
+--- a/systemd/CMakeLists.txt
++++ b/systemd/CMakeLists.txt
+@@ -16,13 +16,24 @@
+ # @author Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
+ #
+
++SET(CYNARA_ADMIN_SOCKET_GROUP
++ "security_fw"
++ CACHE STRING
++ "Group to apply on administrative sockets")
++
++
++CONFIGURE_FILE(cynara.socket.in cynara.socket @ONLY)
++CONFIGURE_FILE(cynara-admin.socket.in cynara-admin.socket @ONLY)
++CONFIGURE_FILE(cynara-agent.socket.in cynara-agent.socket @ONLY)
++CONFIGURE_FILE(cynara-monitor-get.socket.in cynara-monitor-get.socket @ONLY)
++
+ INSTALL(FILES
+ ${CMAKE_SOURCE_DIR}/systemd/cynara.service
+ ${CMAKE_SOURCE_DIR}/systemd/cynara.target
+- ${CMAKE_SOURCE_DIR}/systemd/cynara.socket
+- ${CMAKE_SOURCE_DIR}/systemd/cynara-admin.socket
+- ${CMAKE_SOURCE_DIR}/systemd/cynara-agent.socket
+- ${CMAKE_SOURCE_DIR}/systemd/cynara-monitor-get.socket
++ ${CMAKE_BINARY_DIR}/systemd/cynara.socket
++ ${CMAKE_BINARY_DIR}/systemd/cynara-admin.socket
++ ${CMAKE_BINARY_DIR}/systemd/cynara-agent.socket
++ ${CMAKE_BINARY_DIR}/systemd/cynara-monitor-get.socket
+ DESTINATION
+ ${SYSTEMD_UNIT_DIR}
+ )
+diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket.in
+similarity index 78%
+rename from systemd/cynara-admin.socket
+rename to systemd/cynara-admin.socket.in
+index ed38386..2364c3e 100644
+--- a/systemd/cynara-admin.socket
++++ b/systemd/cynara-admin.socket.in
+@@ -1,5 +1,5 @@
+ [Socket]
+-ListenStream=/run/cynara/cynara-admin.socket
++ListenStream=@SOCKET_DIR@/cynara-admin.socket
+ SocketMode=0600
+ SmackLabelIPIn=@
+ SmackLabelIPOut=@
+diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket.in
+similarity index 66%
+rename from systemd/cynara-agent.socket
+rename to systemd/cynara-agent.socket.in
+index 5a677e0..4f86c9d 100644
+--- a/systemd/cynara-agent.socket
++++ b/systemd/cynara-agent.socket.in
+@@ -1,6 +1,6 @@
+ [Socket]
+-ListenStream=/run/cynara/cynara-agent.socket
+-SocketGroup=security_fw
++ListenStream=@SOCKET_DIR@/cynara-agent.socket
++SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
+ SocketMode=0060
+ SmackLabelIPIn=*
+ SmackLabelIPOut=@
+diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket.in
+similarity index 64%
+rename from systemd/cynara-monitor-get.socket
+rename to systemd/cynara-monitor-get.socket.in
+index a50feeb..b88dbf7 100644
+--- a/systemd/cynara-monitor-get.socket
++++ b/systemd/cynara-monitor-get.socket.in
+@@ -1,6 +1,6 @@
+ [Socket]
+-ListenStream=/run/cynara/cynara-monitor-get.socket
+-SocketGroup=security_fw
++ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket
++SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
+ SocketMode=0060
+ SmackLabelIPIn=@
+ SmackLabelIPOut=@
+diff --git a/systemd/cynara.socket b/systemd/cynara.socket.in
+similarity index 80%
+rename from systemd/cynara.socket
+rename to systemd/cynara.socket.in
+index fad2745..ba76549 100644
+--- a/systemd/cynara.socket
++++ b/systemd/cynara.socket.in
+@@ -1,5 +1,5 @@
+ [Socket]
+-ListenStream=/run/cynara/cynara.socket
++ListenStream=@SOCKET_DIR@/cynara.socket
+ SocketMode=0666
+ SmackLabelIPIn=*
+ SmackLabelIPOut=@
+--
+2.14.3
+
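Review bot: The new cache variable CYNARA_ADMIN_SOCKET_GROUP, described as `"Group to apply on administrative sockets"`, is substituted only into cynara-agent.socket.in and cynara-monitor-get.socket.in, while cynara-admin.socket.in keeps `SocketMode=0600` with no SocketGroup at all, so the name and the description promise something the admin socket never receives. Either rename the variable or correct the docstring to what it does, e.g. `"Group granted access to the agent and monitor-get sockets (mode 0060)"`. The `CONFIGURE_FILE(... @ONLY)` calls also substitute an undefined SOCKET_DIR with the empty string, which would silently produce `ListenStream=/cynara.socket`; the description suggests SOCKET_DIR already exists upstream, but if that is not guaranteed, `IF(NOT SOCKET_DIR) MESSAGE(FATAL_ERROR "SOCKET_DIR must be set") ENDIF()` ahead of the CONFIGURE_FILE lines turns the mistake into a configure-time failure.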
diff --git a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
new file mode 100644
index 000000000..0cfc785c1
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
@@ -0,0 +1,80 @@
+From d54e425b0685c9e3e06f5b4efcbd206950d14f3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 25 Jan 2018 14:09:23 +0100
+Subject: [PATCH 6/6] Install socket activation by default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ packaging/cynara.spec | 5 -----
+ systemd/CMakeLists.txt | 7 +++++++
+ systemd/sockets.target.wants/cynara-admin.socket | 1 +
+ systemd/sockets.target.wants/cynara-agent.socket | 1 +
+ systemd/sockets.target.wants/cynara.socket | 1 +
+ 5 files changed, 10 insertions(+), 5 deletions(-)
+ create mode 120000 systemd/sockets.target.wants/cynara-admin.socket
+ create mode 120000 systemd/sockets.target.wants/cynara-agent.socket
+ create mode 120000 systemd/sockets.target.wants/cynara.socket
+
+diff --git a/packaging/cynara.spec b/packaging/cynara.spec
+index d2e0b80..2c5b326 100644
+--- a/packaging/cynara.spec
++++ b/packaging/cynara.spec
+@@ -72,12 +72,7 @@ make %{?jobs:-j%jobs}
+ rm -rf %{buildroot}
+ %make_install
+
+-mkdir -p %{buildroot}%{_unitdir}/sockets.target.wants
+ mkdir -p %{buildroot}%{_unitdir}/multi-user.target.wants
+-ln -s ../cynara.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara.socket
+-ln -s ../cynara-admin.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-admin.socket
+-ln -s ../cynara-agent.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-agent.socket
+-ln -s ../cynara-monitor-get.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-monitor-get.socket
+ ln -s ../cynara.service %{buildroot}%{_unitdir}/multi-user.target.wants/cynara.service
+
+ %post
+diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
+index 1b75c12..9a2d70d 100644
+--- a/systemd/CMakeLists.txt
++++ b/systemd/CMakeLists.txt
+@@ -38,3 +38,10 @@ INSTALL(FILES
+ ${SYSTEMD_UNIT_DIR}
+ )
+
++INSTALL(DIRECTORY
++ ${CMAKE_SOURCE_DIR}/systemd/sockets.target.wants
++ DESTINATION
++ ${SYSTEMD_UNIT_DIR}
++)
++
++
+diff --git a/systemd/sockets.target.wants/cynara-admin.socket b/systemd/sockets.target.wants/cynara-admin.socket
+new file mode 120000
+index 0000000..3d0b1ce
+--- /dev/null
++++ b/systemd/sockets.target.wants/cynara-admin.socket
+@@ -0,0 +1 @@
++../cynara-admin.socket
+\ No newline at end of file
+diff --git a/systemd/sockets.target.wants/cynara-agent.socket b/systemd/sockets.target.wants/cynara-agent.socket
+new file mode 120000
+index 0000000..22b37dd
+--- /dev/null
++++ b/systemd/sockets.target.wants/cynara-agent.socket
+@@ -0,0 +1 @@
++../cynara-agent.socket
+\ No newline at end of file
+diff --git a/systemd/sockets.target.wants/cynara.socket b/systemd/sockets.target.wants/cynara.socket
+new file mode 120000
+index 0000000..c0e5a5b
+--- /dev/null
++++ b/systemd/sockets.target.wants/cynara.socket
+@@ -0,0 +1 @@
++../cynara.socket
+\ No newline at end of file
+--
+2.14.3
+
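Review bot: The sockets.target.wants directory introduced here links only cynara.socket, cynara-admin.socket and cynara-agent.socket, whereas the cynara.spec lines this patch removes also linked cynara-monitor-get.socket, so socket activation of the monitor socket is dropped without the patch description mentioning it. This may be intentional (the disabled do_install_append in the accompanying recipe also links only those three), but then the description should say so; otherwise add a `systemd/sockets.target.wants/cynara-monitor-get.socket` symlink pointing at `../cynara-monitor-get.socket`. The new `INSTALL(DIRECTORY ...)` also relies on CMake installing the entries as symlinks rather than as copies of their targets — presumably it does, but worth confirming on the first image since a copied unit file would be a stale duplicate. The two blank lines appended after the closing `)` are stray whitespace.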
diff --git a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
new file mode 100644
index 000000000..cbf372ad9
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
@@ -0,0 +1,31 @@
+From 297774fa4d01156c0327d6e6380a7ecae30bf875 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Mon, 23 Mar 2015 15:01:39 -0700
+Subject: [PATCH 1/2] cynara-db-migration.in: abort on errors
+
+"set -e" enables error checking for all commands invoked by the script.
+Previously, errors were silently ignored.
+
+Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ migration/cynara-db-migration | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in
+index ff9bd61..f6e7f94 100644
+--- a/migration/cynara-db-migration.in
++++ b/migration/cynara-db-migration.in
+@@ -19,6 +19,8 @@
+ # @brief Migration tool for Cynara's database
+ #
+
++set -e
++
+ ##### Constants (these must not be modified by shell)
+
+ STATE_PATH='@LOCAL_STATE_DIR@/@PROJECT_NAME@'
+--
+1.8.4.5
+
diff --git a/meta-security/recipes-security/cynara/cynara/run-ptest b/meta-security/recipes-security/cynara/cynara/run-ptest
new file mode 100755
index 000000000..f8dd5d8b4
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/run-ptest
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+cynara-tests | sed -e 's/^\[ *OK *\] \(\S*\)$/PASS: \1/' -e 's/^\[ *FAILED *\] \(\S*\)$/FAIL: \1/'
+sh /usr/bin/cynara-db-migration-tests | sed -e 's/^Test .*(\([^)]*\)).*passed.*/PASS: \1/' -e 's/^Test .*(\([^)]*\)).*failed.*/FAIL: \1/'
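Review bot: Both pipelines discard the exit status of the test program: if `cynara-tests` is missing or aborts, the script still exits 0 through sed and prints no FAIL line, so the ptest harness sees a clean but empty run. Capture the status before filtering, e.g. `cynara-tests > "$tmp" 2>&1 || echo "FAIL: cynara-tests (exit $?)"` followed by the existing sed over `"$tmp"` (with `tmp=$(mktemp)` at the top), and the same for the migration tests. The `\S` in the first sed expression is a GNU regex extension; on a musl/busybox image the `[ OK ]`/`[ FAILED ]` lines could pass through unmapped, and `[^[:space:]]*` is the portable spelling. The second line also hard-codes `/usr/bin/` and invokes the script through `sh` while the first relies on PATH, although the recipe packages both under `${bindir}`.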
diff --git a/meta-security/recipes-security/cynara/cynara_0.14.10.bb b/meta-security/recipes-security/cynara/cynara_0.14.10.bb
new file mode 100644
index 000000000..6c187fced
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara_0.14.10.bb
@@ -0,0 +1,163 @@
+DESCRIPTION = "Cynara service with client libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
+
+PV = "0.14.10+git${SRCPV}"
+SRCREV = "be455dcaf1400bec0272a6ce90852b9147393a60"
+SRC_URI = "git://github.com/Samsung/cynara.git"
+S = "${WORKDIR}/git"
+
+SRC_URI += " \
+ file://cynara-db-migration-abort-on-errors.patch \
+ file://0001-Add-fallthrough-tags.patch \
+ file://0002-gcc-7-requires-include-functional-for-std-function.patch \
+ file://0003-Avoid-warning-when-compiling-without-smack.patch \
+ file://0004-Fix-mode-of-sockets.patch \
+ file://0005-Allow-to-tune-sockets.patch \
+ file://0006-Install-socket-activation-by-default.patch \
+"
+
+DEPENDS = " \
+glib-2.0 \
+systemd \
+zip \
+"
+
+PACKAGECONFIG ??= ""
+# Use debug mode to increase logging. Beware, also compiles with less optimization
+# and thus has to disable FORTIFY_SOURCE below.
+PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE,libunwind elfutils"
+
+inherit cmake
+
+EXTRA_OECMAKE += " \
+ -DCMAKE_VERBOSE_MAKEFILE=ON \
+ -DBUILD_WITH_SYSTEMD_DAEMON=ON \
+ -DBUILD_WITH_SYSTEMD_JOURNAL=ON \
+ -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
+ -DSOCKET_DIR=/run/cynara \
+ -DBUILD_COMMONS=ON \
+ -DBUILD_SERVICE=ON \
+ -DBUILD_DBUS=OFF \
+ -DCYNARA_ADMIN_SOCKET_GROUP=cynara \
+"
+
+# Explicitly package empty directory. Otherwise Cynara prints warnings
+# at runtime:
+# cyad[198]: Couldn't scan for plugins in </usr/lib/cynara/plugin/service/> : <No such file or directory>
+FILES_${PN}_append = " \
+${libdir}/cynara/plugin/service \
+${libdir}/cynara/plugin/client \
+"
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "-r cynara"
+USERADD_PARAM_${PN} = "\
+--system --home ${localstatedir}/lib/empty \
+--no-create-home --shell /bin/false \
+--gid cynara cynara \
+"
+
+# Causes deadlock during booting, see workaround in postinst below.
+#inherit systemd
+#SYSTEMD_SERVICE_${PN} = "cynara.service"
+
+#do_install_append () {
+# chmod a+rx ${D}/${sbindir}/cynara-db-migration
+#
+# install -d ${D}${sysconfdir}/cynara/
+# install -m 644 ${S}/conf/creds.conf ${D}/${sysconfdir}/cynara/creds.conf
+#
+# # No need to create empty directories except for those which
+# # Cynara expects to find.
+# # install -d ${D}${localstatedir}/cynara/
+# # install -d ${D}${prefix}/share/cynara/tests/empty_db
+# install -d ${D}${libdir}/cynara/plugin/client
+# install -d ${D}${libdir}/cynara/plugin/service
+#
+# # install db* ${D}${prefix}/share/cynara/tests/
+#
+# install -d ${D}${systemd_system_unitdir}/sockets.target.wants
+# ln -s ../cynara.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara.socket
+# ln -s ../cynara-admin.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-admin.socket
+# ln -s ../cynara-agent.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-agent.socket
+#}
+
+FILES_${PN} += "${systemd_system_unitdir}"
+
+# Cynara itself has no dependency on Smack. Only its installation
+# is Smack-aware in the sense that it sets Smack labels. Do not
+# depend on smack userspace unless we really need Smack labels.
+#
+# The Tizen .spec file calls cynara-db-migration in a %pre section.
+# That only works when cynara-db-migration is packaged separately
+# (overly complex) and does not seem necessary: perhaps there is a
+# time window where cynara might already get activated before
+# the postinst completes, but that is a general problem. It gets
+# avoided entirely when calling this script while building the
+# rootfs.
+DEPENDS_append_with-lsm-smack = " smack smack-native"
+EXTRA_OECMAKE_append_with-lsm-smack = " -DDB_FILES_SMACK_LABEL=System"
+CHSMACK_with-lsm-smack = "chsmack"
+CHSMACK = "true"
+pkg_postinst_${PN} () {
+ # Fail on error.
+ set -e
+
+ # It would be nice to run the code below while building an image,
+ # but currently the calls to cynara-db-chsgen (a binary) in
+ # cynara-db-migration (a script) prevent that. Rely instead
+ # on OE's support for running failed postinst scripts at first boot.
+ if [ x"$D" != "x" ]; then
+ exit 1
+ fi
+
+ mkdir -p $D${sysconfdir}/cynara
+ ${CHSMACK} -a System $D${sysconfdir}/cynara
+
+ # Strip git patch level information, the version comparison code
+ # in cynara-db-migration only expect major.minor.patch version numbers.
+ VERSION=${@d.getVar('PV',d,1).split('+git')[0]}
+ if [ -d $D${localstatedir}/cynara ] ; then
+ # upgrade
+ echo "NOTE: updating cynara DB to version $VERSION"
+ $D${sbindir}/cynara-db-migration upgrade -f 0.0.0 -t $VERSION
+ else
+ # install
+ echo "NOTE: creating cynara DB for version $VERSION"
+ mkdir -p $D${localstatedir}/cynara
+ ${CHSMACK} -a System $D${localstatedir}/cynara
+ $D${sbindir}/cynara-db-migration install -t $VERSION
+ fi
+
+ # Workaround for systemd.bbclass issue: it would call
+ # "systemctl start" without "--no-block", but because
+ # the service is not ready to run at the time when
+ # this scripts gets executed by run-postinsts.service,
+ # booting deadlocks.
+ echo "NOTE: enabling and starting cynara service"
+ systemctl enable cynara
+ systemctl start --no-block cynara
+}
+
+# Testing depends on gmock and gtest. They can be found in meta-oe
+# and are not necessarily available, so this feature is off by default.
+# If gmock from meta-oe is used, then a workaround is needed to avoid
+# a link error (libgmock.a calls pthread functions without libpthread
+# being listed in the .pc file).
+DEPENDS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' gmock', '', d)}"
+LDFLAGS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' -lpthread', '', d)}"
+SRC_URI_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' file://run-ptest', '', d)}"
+PACKAGECONFIG[tests] = "-DBUILD_TESTS:BOOL=ON,-DBUILD_TESTS:BOOL=OFF,gmock gtest,"
+
+# Will be empty if no tests were built.
+inherit ptest
+FILES_${PN}-ptest += "${bindir}/cynara-tests ${bindir}/cynara-db-migration-tests ${datadir}/cynara/tests"
+do_install_ptest () {
+ if ${@bb.utils.contains('PACKAGECONFIG', 'tests', 'true', 'false', d)}; then
+ mkdir -p ${D}/${datadir}/cynara/tests
+ cp -r ${S}/test/db/* ${D}/${datadir}/cynara/tests
+ fi
+}
+
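Review bot: `SRC_URI = "git://github.com/Samsung/cynara.git"` fetches over the unauthenticated git:// transport; the full-sha SRCREV pin keeps a swapped tree from going unnoticed, but the transport is plaintext and GitHub no longer serves it, so prefer `SRC_URI = "git://github.com/Samsung/cynara.git;protocol=https"`. The `FILES_${PN}_append` for `${libdir}/cynara/plugin/service` and `.../client` is explained as packaging empty directories, yet the only code that creates them (`install -d` in do_install_append) is commented out, so unless upstream cmake installs those directories the runtime warning quoted in the comment will persist. The PACKAGECONFIG[debug] comment says the debug build "has to disable FORTIFY_SOURCE below", but nothing in the recipe does that; either drop the sentence or add the override it refers to alongside the PACKAGECONFIG entry. `VERSION=${@d.getVar('PV',d,1).split('+git')[0]}` in pkg_postinst uses the legacy three-argument getVar; `d.getVar('PV').split('+git')[0]` is the supported form on rocko.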