author | Scott Murray <scott.murray@konsulko.com> | 2019-02-08 10:53:08 -0500 |
---|---|---|
committer | Stephane Desneux <stephane.desneux@iot.bzh> | 2019-04-04 18:02:11 +0200 |
commit | 7faccb97d69c7581e338f88ce3a2153cdd69fd16 (patch) | |
tree | 57dd664e04593af6eed43cb6ecffab438d93d860 /meta-security/recipes-security/cynara | |
parent | e978a20f40916eac57a5e1af8f65b6ed9f719e50 (diff) |
Upgrade to thud
Changes include:
- Add LAYERSERIES_COMPAT definitions to layer.conf files
- Remove now unnecessary SECURITY_*FLAGS over-rides from distro
configuration
- Set intel-corei7-64 preferred kernel version to 4.19 to match
latest linux-intel kernel available in meta-intel
- Update qemuarm preferred kernel version to 4.18 to match latest
linux-yocto
- Update firmware package and devicetree file names for raspberrypi3
- Remove linux-firmware bbappend specific to raspberrypi, it seems no
longer required and breaks the cross SDK build
- Update linux-intel bbappend to 4.19, remove now unnecessary patch
- Remove now unnecessary lttng-modules backport
- Update linux-raspberrypi bbappend to 4.14 kernel
- Added kernel configuration fragment for raspberrypi to disable
Kprobes. This is required until linux-raspberrypi is updated to
greater than 4.14.104 to avoid a build failure in lttng-modules
related to a check for known breakage in the kernel CONFIG_OPTPROBES
code.
- Replace obsolete base_conditional usage with oe.utils.conditional
- Add gstreamer1.0-plugins-bad bbappend for raspberrypi3 to disable
faad PACKAGECONFIG to avoid commercial license issues
- Remove unused and unbuildable Vayu gstreamer recipes
- Update linux-ti-staging bbappend for new BSP kernel
- Regen dcan2_pinmux_enable.patch for linux-ti-staging to remove fuzz
warning, and remove upstreamed fix_dcan_addresses.patch
- Remove ipumm-fw from meta-agl-bsp/meta-ti, as newer version is
available in the upstream BSP
- Update meta-agl-bsp/meta-ti weston patch to apply against 5.0.0
- Update meta-agl-bsp/meta-ti wayland-ivi-extension patch to apply
against 2.2.0
- Add ti-sgx-ddk-km patch to add AGL toolchain configuration file
- Remove now unnecessary fdtoverlay recipe
- Update core.cfg and ivishell.cfg in weston-ini-conf recipe to handle
move of ivi-controller.so configuration in Weston 5.0.0
- Update connman-ncurses patch to remove fuzz warning
- Add installation of systemd over-ride file for run-postinsts.service
in run-postinsts bbappend to work around a race condition between
ldconfig.service and the /sbin/ldconfig invocations in the
post-install scripts run by run-postinsts.service. The observed
failure was cynara's post-install script failing and its database
not being created.
- Remove now unnecessary valgrind backport
- Add patches to fix most driver compilation against newer kernels
- Update libmicrohttpd bbappend
- Remove libssp-dev from agl-image-graphical-qt5-crosssdk and
agl-demo-platform-html5-crosssdk, upstream have removed it from
non-mingw32 platform SDKs
- Update wayland-ivi-extension recipe to build 2.2.0, and update
local patches
- Update weston patches for 5.0.0. Patches:
0016-ivi-shell_add_screen_remove_layer_api.patch
0017-ivi-shell-register-ivi_layout_interface.patch
have been removed as they have been applied upstream and are no longer
necessary. Patches:
0018-compositor-add-output-type-to-weston_output.patch
0019-compositor-drm-introduce-drm_get_dmafd_from_view.patch
(both related to Waltham) have been disabled for now as they need
significant rework.
- Remove weston-conf RRECOMMENDS in weston bbappend to avoid conflict
with weston-ini-conf
- Add OECMAKE_GENERATOR = "Unix Makefiles" to aglwgt.bbclass to work
around CMake+ninja issue in cmake-apps-module
- Update dbus cynara patches for 1.12.10
- Add do_install_append in cynara recipe to remove /var/cynara from
cynara package so the directory creation and labelling in the
post-install scriptlet will function as intended
- Remove now unnecessary e2fsprogs backport
- Remove now unnecessary libcap-ng backport
- Update pulseaudio patches to remove fuzz warnings
- Update neardal patch to remove fuzz warning
- Update freetype patch to remove fuzz warning
- Rename opencv bbappend to 3.% to handle 3.x backports in upstream
- Updated qtwayland patch to remove fuzz warning
Changes from Stephane Desneux <stephane.desneux@iot.bzh>:
- Remove wayland-ivi-extension PREFERRED_VERSION
- Remove now unnecessary nativesdk-cmake patch
- Remove now unnecessary ptest-runner patches
- Remove now unnecessary harfbuzz patches
- Disable waltham-transmitter as it does not build against weston 5.0.0
- Update af-main, cynara, and security-manager to use pkg_postinst_ontarget
- Bump connman-ncurses revision to avoid deprecated ncurses functions
- Update libva package usage with new intel-vaapi-driver name
- Add patches to security-manager to fix compilation with gcc8
- Updated systemd bbappend
Changes from Jan-Simon Möller <jsmoeller@linuxfoundation.org>:
- Remove meta-agl-bsp/ROCKO.FIXMEs
- Remove linux-yocto_4.12.bbappend and now unnecessary associated
patch
- Remove now unneeded kern-tools-native patch
- Bump gstreamer PREFERRED_VERSIONs to 1.14.x
- Remove latencytop from packagegroup-agl-core-devel, it has been
dropped by upstream
- Remove now unnecessary rpm patches
- Update pulseaudio bbappend to 12.2
- Update opencv bbappend to 3.4
- Update freetype bbappend to 2.9.1
- Update dbus bbappend to 1.12.10
- Update weston bbappend to 5.0.0
- Update cynara patches to remove fuzz warnings
- Add patch to cynara to fix compilation with gcc8
- Add xmlsec1 bbappend to clear EXTRA_OECONF to fix compilation on
sumo or newer
Changes from Ronan Le Martet <ronan.lemartet@iot.bzh>:
- Update meta-rcar-gen3-adas layer gstreamer1.0-plugin-vspfilter
bbappend to version 1.0.1
Known issues (marked with FIXME):
- CMake+ninja issue in cmake-apps-module has been worked around with
OECMAKE_GENERATOR
- waltham-transmitter and the patches to weston related to it have been
disabled
- Currently unclear if patch to libcap-native is actually required or
not
Bug-AGL: SPEC-1837
Change-Id: I7b8b9ef667aec2d229952eace6663dfc761654d0
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Diffstat (limited to 'meta-security/recipes-security/cynara')
9 files changed, 233 insertions, 104 deletions
diff --git a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch index 11387b98b..e1d0cfac9 100644 --- a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch +++ b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch @@ -1,7 +1,7 @@ -From 3d387993b5a4283e8aebd8e777b2ccd45d233959 Mon Sep 17 00:00:00 2001 +From 8bf90bf3e7a821dbd3b7029d87aa592eec6f1754 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 12:00:18 +0100 -Subject: [PATCH 1/6] Add fallthrough tags +Subject: [PATCH] Add fallthrough tags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -12,6 +12,7 @@ to the next after some processing. Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- src/admin/api/admin-api.cpp | 1 + src/client-async/logic/Logic.cpp | 1 + @@ -54,6 +55,3 @@ index b1ca4f7..f4394e5 100644 default: return true; } --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch b/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch new file mode 100644 index 000000000..40e11ce5d --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch 
@@ -0,0 +1,35 @@ +From ca28ec4a0781a1ab9ec5f015387436beb51adfc3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan-Simon=20M=C3=B6ller?= <jsmoeller@linuxfoundation.org> +Date: Fri, 19 Oct 2018 08:09:28 +0000 +Subject: [PATCH] fix fallthrough in cmdlineparser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org> + +--- + src/service/main/CmdlineParser.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/service/main/CmdlineParser.cpp b/src/service/main/CmdlineParser.cpp +index ca56e39..e07ea52 100644 +--- a/src/service/main/CmdlineParser.cpp ++++ b/src/service/main/CmdlineParser.cpp +@@ -112,13 +112,16 @@ struct CmdLineOptions handleCmdlineOptions(int argc, char * const *argv) { + case ':': // Missing argument + ret.m_error = true; + ret.m_exit = true; ++ /*@fallthrough@*/ + switch (optopt) { + case CmdlineOpt::Mask: + case CmdlineOpt::User: + case CmdlineOpt::Group: + printMissingArgument(execName, argv[optind - 1]); + return ret; ++ /*@fallthrough@*/ + } ++ /*@fallthrough@*/ + //intentional fall to Unknown option + case '?': // Unknown option + default: diff --git a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch index 760a1c5b2..b8dbfac4d 100644 --- a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch +++ b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch @@ -1,9 +1,10 @@ -From b18e66ce7f81c56e3a97ed075cb60d5a43b2e57c Mon Sep 17 00:00:00 2001 +From e2d8414b0d1c6c59baf1bb73e856e93aaabaf955 Mon Sep 17 00:00:00 2001 
From: Changhyeok Bae <changhyeok.bae@gmail.com> Date: Sun, 17 Dec 2017 15:28:28 +0000 -Subject: [PATCH 2/6] gcc-7 requires include <functional> for std::function +Subject: [PATCH] gcc-7 requires include <functional> for std::function Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> + --- src/common/types/PolicyBucket.h | 1 + src/cyad/AdminPolicyParser.h | 1 + @@ -33,6 +34,3 @@ index 53dde23..f38c194 100644 #include <cyad/CynaraAdminPolicies.h> --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch index 8c47c3b26..1b105a00c 100644 --- a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch +++ b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch @@ -1,7 +1,7 @@ -From 6ad54c5e732e7cf0a29f29f48fa757e3e56d6860 Mon Sep 17 00:00:00 2001 +From fdcf2a68a4bfec588b1c6c969caa0be20961b807 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 11:38:16 +0100 -Subject: [PATCH 3/6] Avoid warning when compiling without smack +Subject: [PATCH] Avoid warning when compiling without smack MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -14,6 +14,7 @@ with the following message: Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190 Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- src/admin/CMakeLists.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) @@ -40,6 +41,3 @@ index e4f354a..38b8669 100644 SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin) --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch index 164542899..f19cdfb50 100644 
--- a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch +++ b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch @@ -1,7 +1,7 @@ -From 2bd62bca98a8a8cf194fb2b68aed68d982f58520 Mon Sep 17 00:00:00 2001 +From 233fb8a93343c3c9c04914e1148ef5ab87a808a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 12:52:39 +0100 -Subject: [PATCH 4/6] Fix mode of sockets +Subject: [PATCH] Fix mode of sockets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -10,6 +10,7 @@ Setting execution bit on the socket serves nothing. Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10 Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- systemd/cynara-admin.socket | 2 +- systemd/cynara.socket | 2 +- @@ -39,6 +40,3 @@ index 9f2a870..fad2745 100644 SmackLabelIPIn=* SmackLabelIPOut=@ --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch index b4a2d74e8..e954c7f21 100644 --- a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch +++ b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch @@ -1,7 +1,7 @@ -From d919b110a2fbccdce084c651f4d7d7de66f2f869 Mon Sep 17 00:00:00 2001 +From ebde8e9fdba7bc1c8152f7e45c551030a36ece82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 13:47:37 +0100 -Subject: [PATCH 5/6] Allow to tune sockets +Subject: [PATCH] Allow to tune sockets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -17,17 +17,26 @@ through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef 
Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- - systemd/CMakeLists.txt | 19 +++++++++++++++---- - .../{cynara-admin.socket => cynara-admin.socket.in} | 2 +- - .../{cynara-agent.socket => cynara-agent.socket.in} | 4 ++-- - ...onitor-get.socket => cynara-monitor-get.socket.in} | 4 ++-- - systemd/{cynara.socket => cynara.socket.in} | 2 +- - 5 files changed, 21 insertions(+), 10 deletions(-) - rename systemd/{cynara-admin.socket => cynara-admin.socket.in} (78%) - rename systemd/{cynara-agent.socket => cynara-agent.socket.in} (66%) - rename systemd/{cynara-monitor-get.socket => cynara-monitor-get.socket.in} (64%) - rename systemd/{cynara.socket => cynara.socket.in} (80%) + systemd/CMakeLists.txt | 19 +++++++++++++++---- + systemd/cynara-admin.socket | 14 -------------- + systemd/cynara-admin.socket.in | 14 ++++++++++++++ + systemd/cynara-agent.socket | 15 --------------- + systemd/cynara-agent.socket.in | 15 +++++++++++++++ + systemd/cynara-monitor-get.socket | 15 --------------- + systemd/cynara-monitor-get.socket.in | 15 +++++++++++++++ + systemd/cynara.socket | 14 -------------- + systemd/cynara.socket.in | 14 ++++++++++++++ + 9 files changed, 73 insertions(+), 62 deletions(-) + delete mode 100644 systemd/cynara-admin.socket + create mode 100644 systemd/cynara-admin.socket.in + delete mode 100644 systemd/cynara-agent.socket + create mode 100644 systemd/cynara-agent.socket.in + delete mode 100644 systemd/cynara-monitor-get.socket + create mode 100644 systemd/cynara-monitor-get.socket.in + delete mode 100644 systemd/cynara.socket + create mode 100644 systemd/cynara.socket.in diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt index 20accf0..1b75c12 100644 
@@ -62,66 +71,167 @@ index 20accf0..1b75c12 100644 DESTINATION ${SYSTEMD_UNIT_DIR} ) -diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket.in -similarity index 78% -rename from systemd/cynara-admin.socket -rename to systemd/cynara-admin.socket.in -index ed38386..2364c3e 100644 +diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket +deleted file mode 100644 +index ed38386..0000000 --- a/systemd/cynara-admin.socket -+++ b/systemd/cynara-admin.socket.in -@@ -1,5 +1,5 @@ - [Socket] ++++ /dev/null +@@ -1,14 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara-admin.socket +-SocketMode=0600 +-SmackLabelIPIn=@ +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-admin.socket.in b/systemd/cynara-admin.socket.in +new file mode 100644 +index 0000000..2364c3e +--- /dev/null ++++ b/systemd/cynara-admin.socket.in +@@ -0,0 +1,14 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara-admin.socket - SocketMode=0600 - SmackLabelIPIn=@ - SmackLabelIPOut=@ -diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket.in -similarity index 66% -rename from systemd/cynara-agent.socket -rename to systemd/cynara-agent.socket.in -index 5a677e0..4f86c9d 100644 ++SocketMode=0600 ++SmackLabelIPIn=@ ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket +deleted file mode 100644 +index 5a677e0..0000000 
--- a/systemd/cynara-agent.socket -+++ b/systemd/cynara-agent.socket.in -@@ -1,6 +1,6 @@ - [Socket] ++++ /dev/null +@@ -1,15 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara-agent.socket -SocketGroup=security_fw +-SocketMode=0060 +-SmackLabelIPIn=* +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-agent.socket.in b/systemd/cynara-agent.socket.in +new file mode 100644 +index 0000000..4f86c9d +--- /dev/null ++++ b/systemd/cynara-agent.socket.in +@@ -0,0 +1,15 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara-agent.socket +SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ - SocketMode=0060 - SmackLabelIPIn=* - SmackLabelIPOut=@ -diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket.in -similarity index 64% -rename from systemd/cynara-monitor-get.socket -rename to systemd/cynara-monitor-get.socket.in -index a50feeb..b88dbf7 100644 ++SocketMode=0060 ++SmackLabelIPIn=* ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket +deleted file mode 100644 +index a50feeb..0000000 
--- a/systemd/cynara-monitor-get.socket -+++ b/systemd/cynara-monitor-get.socket.in -@@ -1,6 +1,6 @@ - [Socket] ++++ /dev/null +@@ -1,15 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara-monitor-get.socket -SocketGroup=security_fw +-SocketMode=0060 +-SmackLabelIPIn=@ +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-monitor-get.socket.in b/systemd/cynara-monitor-get.socket.in +new file mode 100644 +index 0000000..b88dbf7 +--- /dev/null ++++ b/systemd/cynara-monitor-get.socket.in +@@ -0,0 +1,15 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket +SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ - SocketMode=0060 - SmackLabelIPIn=@ - SmackLabelIPOut=@ -diff --git a/systemd/cynara.socket b/systemd/cynara.socket.in -similarity index 80% -rename from systemd/cynara.socket -rename to systemd/cynara.socket.in -index fad2745..ba76549 100644 ++SocketMode=0060 ++SmackLabelIPIn=@ ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara.socket b/systemd/cynara.socket +deleted file mode 100644 +index fad2745..0000000 
--- a/systemd/cynara.socket -+++ b/systemd/cynara.socket.in -@@ -1,5 +1,5 @@ - [Socket] ++++ /dev/null +@@ -1,14 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara.socket +-SocketMode=0666 +-SmackLabelIPIn=* +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara.socket.in b/systemd/cynara.socket.in +new file mode 100644 +index 0000000..ba76549 +--- /dev/null ++++ b/systemd/cynara.socket.in +@@ -0,0 +1,14 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara.socket - SocketMode=0666 - SmackLabelIPIn=* - SmackLabelIPOut=@ --- -2.14.3 - ++SocketMode=0666 ++SmackLabelIPIn=* ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target diff --git a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch index 0cfc785c1..68864f1ed 100644 --- a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch +++ b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch @@ -1,13 +1,14 @@ -From d54e425b0685c9e3e06f5b4efcbd206950d14f3c Mon Sep 17 00:00:00 2001 +From 23f1a7cb34dd4ef88bac5a43057feaf7f50559aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 14:09:23 +0100 -Subject: [PATCH 6/6] Install socket activation by default +Subject: [PATCH] Install socket activation by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- packaging/cynara.spec | 5 ----- systemd/CMakeLists.txt | 7 +++++++ @@ -75,6 +76,3 @@ index 0000000..c0e5a5b 
@@ -0,0 +1 @@ +../cynara.socket \ No newline at end of file --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch index cbf372ad9..c14418923 100644 --- a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch +++ b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch @@ -1,7 +1,7 @@ -From 297774fa4d01156c0327d6e6380a7ecae30bf875 Mon Sep 17 00:00:00 2001 +From 3605e9f8a3ea1252d1cf221398431e0d7a3ea34d Mon Sep 17 00:00:00 2001 From: Patrick Ohly <patrick.ohly@intel.com> Date: Mon, 23 Mar 2015 15:01:39 -0700 -Subject: [PATCH 1/2] cynara-db-migration.in: abort on errors +Subject: [PATCH] cynara-db-migration.in: abort on errors "set -e" enables error checking for all commands invoked by the script. Previously, errors were silently ignored. @@ -9,12 +9,13 @@ Previously, errors were silently ignored. Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8] Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + --- - migration/cynara-db-migration | 2 ++ + migration/cynara-db-migration.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in -index ff9bd61..f6e7f94 100644 +index 7b666d4..0682df6 100644 --- a/migration/cynara-db-migration.in +++ b/migration/cynara-db-migration.in @@ -19,6 +19,8 @@ @@ -25,7 +26,4 @@ index ff9bd61..f6e7f94 100644 + ##### Constants (these must not be modified by shell) - STATE_PATH='@LOCAL_STATE_DIR@/@PROJECT_NAME@' --- -1.8.4.5 - + PATH=/bin:/usr/bin:/sbin:/usr/sbin diff --git a/meta-security/recipes-security/cynara/cynara_0.14.10.bb b/meta-security/recipes-security/cynara/cynara_0.14.10.bb index 6c187fced..d2a09c693 100644 --- a/meta-security/recipes-security/cynara/cynara_0.14.10.bb +++ b/meta-security/recipes-security/cynara/cynara_0.14.10.bb 
@@ -15,6 +15,7 @@ SRC_URI += " \ file://0004-Fix-mode-of-sockets.patch \ file://0005-Allow-to-tune-sockets.patch \ file://0006-Install-socket-activation-by-default.patch \ + file://0001-fix-fallthrough-in-cmdlineparser.patch \ " DEPENDS = " \ @@ -84,6 +85,12 @@ USERADD_PARAM_${PN} = "\ # ln -s ../cynara-agent.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-agent.socket #} +# We want the post-install logic to create and label /var/cynara, so +# it should not be in the package. +do_install_append () { + rmdir ${D}${localstatedir}/cynara +} + FILES_${PN} += "${systemd_system_unitdir}" # Cynara itself has no dependency on Smack. Only its installation @@ -101,18 +108,7 @@ DEPENDS_append_with-lsm-smack = " smack smack-native" EXTRA_OECMAKE_append_with-lsm-smack = " -DDB_FILES_SMACK_LABEL=System" CHSMACK_with-lsm-smack = "chsmack" CHSMACK = "true" -pkg_postinst_${PN} () { - # Fail on error. - set -e - - # It would be nice to run the code below while building an image, - # but currently the calls to cynara-db-chsgen (a binary) in - # cynara-db-migration (a script) prevent that. Rely instead - # on OE's support for running failed postinst scripts at first boot. - if [ x"$D" != "x" ]; then - exit 1 - fi - +pkg_postinst_ontarget_${PN} () { mkdir -p $D${sysconfdir}/cynara ${CHSMACK} -a System $D${sysconfdir}/cynara |
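Review bot: in the CmdlineParser.cpp hunk of 0001-fix-fallthrough-in-cmdlineparser.patch, two of the three added `/*@fallthrough@*/` markers sit where nothing falls through: the first is placed before `switch (optopt) {` rather than before a case label, and the second follows `return ret;`, which never continues to the next statement. Only the marker ahead of `case '?': // Unknown option` annotates a real fall-through, and it sits next to the existing `//intentional fall to Unknown option` comment. I would keep that one and drop the other two. The new patch file also has no description beyond its subject and no Upstream-Status line, unlike cynara-db-migration-abort-on-errors.patch in the same directory; adding both would tell whoever does the next upgrade whether the patch can be dropped.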
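Review bot: the regenerated 0005-Allow-to-tune-sockets.patch now expresses the four `.socket` to `.socket.in` renames as `deleted file mode` / `new file mode` pairs, so its diffstat grows from 21 insertions and 10 deletions to 73 and 62 while the only content changes are still the `ListenStream=@SOCKET_DIR@/...` and `SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@` lines. The real change is now buried in whole-file copies of `SocketMode`, `SmackLabelIPIn` and `SmackLabelIPOut`, which are the settings a reviewer most needs to confirm are untouched. Regenerating the patch with rename detection (`git format-patch -M`) would restore the compact form the previous revision had.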
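Review bot: in the SRC_URI hunk of cynara_0.14.10.bb, `file://0001-fix-fallthrough-in-cmdlineparser.patch` is appended after `file://0006-Install-socket-activation-by-default.patch` but reuses the `0001-` prefix already carried by 0001-Add-fallthrough-tags.patch in the same directory, so the file names no longer reflect the apply order. Renaming the new file with a `0007-` prefix would keep the series readable and avoid confusing the two fallthrough patches.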
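Review bot: in the `do_install_append` hunk of cynara_0.14.10.bb, `rmdir ${D}${localstatedir}/cynara` fails the task when the directory is missing or not empty. If that is meant as a tripwire for a change in what the upstream install step creates, the comment above it should say so; otherwise the call should be guarded by a test that the directory exists.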
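Review bot: the last hunk of cynara_0.14.10.bb removes `set -e` together with the `$D` check when switching to `pkg_postinst_ontarget_${PN}`. The `$D` check is made redundant by the on-target variant, but nothing in the visible lines replaces the fail-on-error behaviour, and the commit message itself describes this scriptlet failing and leaving the cynara database uncreated. I would keep `set -e` at the top of the scriptlet unless the packaging backend is known to add it. The remaining `mkdir -p $D${sysconfdir}/cynara` and `${CHSMACK} -a System $D${sysconfdir}/cynara` lines also still carry a `$D` prefix that is always empty on target and could be dropped.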