Merge remote-tracking branch 'agl/sandbox/ronan/rocko' into HEAD

* agl/sandbox/ronan/rocko: (58 commits) Update ulcb conf file Remove unsed gstreamer backport [GEN3] add preferred version on omx package run-(agl-)postinst: Emit progress to console meta-security: Remove unused content Upgrade wayland-ivi-extension Revert "Fix kernel gcc7 issue" remove backport commit Revert "Fix CVE-2017-1000364 by backporting the patches for gen3" Remove fix for optee-os Remove gcc 6 fix Update rcar gen3 kernel bbappend version Update rcar gen3 driver Remove porter machine dbus-cynara: Upgrade to 1.10.20 xmlsec1: switch to meta-security version systemd: earlier smack label switch cynara: upgrade to 0.14.10 Remove smack recipe Integrate parts of meta-intel-iot-security ... Bug-AGL: SPEC-1181 Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org> Conflicts: meta-app-framework/recipes-security/cynara/cynara_git.bbappend Change-Id: I9875fcb31e960038ce6c23165c99b52a3bd1a1c0
author: Jan-Simon Möller <jsmoeller@linuxfoundation.org> 2018-02-14 10:55:35 +0100
committer: Jan-Simon Möller <jsmoeller@linuxfoundation.org> 2018-02-14 10:55:35 +0100
commit: 317c8a08a6b5943517e67c5ea80b0a9a83a10d63 (patch)
tree: bf2b27dc9068924b59b46d2e153936c77be954c3 /meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch
parent: b6dc44f585b839ab1a2f0133b74958037fe1cb64 (diff)
parent: c9ce37905acd879db107eafe309678053073e086 (diff)
1 files changed, 116 insertions, 0 deletions
diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch
new file mode 100644
index 000000000..b0e11afe4
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch
@@ -0,0 +1,116 @@
+From d130a7384428a96f31ad5950ffbffadc0aa29a15 Mon Sep 17 00:00:00 2001
+From: Alejandro Joya <alejandro.joya.cruz@intel.com>
+Date: Wed, 4 Nov 2015 19:01:35 -0600
+Subject: [PATCH 1/2] Smack-rules: create two new functions
+
+It let to smack-rules to create multiple set of rules
+related with the privileges.
+
+It runs from the same bases than for a static set of rules on the
+template, but let you add 1 or many templates for different cases.
+
+Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
+---
+ src/common/include/smack-rules.h | 15 ++++++++++++++
+ src/common/smack-rules.cpp       | 44 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h
+index 91446a7..f9fa438 100644
+--- a/src/common/include/smack-rules.h
++++ b/src/common/include/smack-rules.h
+@@ -47,6 +47,8 @@ public:
+     void addFromTemplate(const std::vector<std::string> &templateRules,
+         const std::string &appId, const std::string &pkgId);
+     void addFromTemplateFile(const std::string &appId, const std::string &pkgId);
++    void addFromTemplateFile(const std::string &appId, const std::string &pkgId,
++	const std::string &path);
+ 
+     void apply() const;
+     void clear() const;
+@@ -75,6 +77,19 @@ public:
+     static void installApplicationRules(const std::string &appId, const std::string &pkgId,
+         const std::vector<std::string> &pkgContents);
+     /**
++     * Install privileges-specific smack rules.
++     *
++     * Function creates smack rules using predefined template. Rules are applied
++     * to the kernel and saved on persistent storage so they are loaded on system boot.
++     *
++     * @param[in] appId - application id that is beeing installed
++     * @param[in] pkgId - package id that the application is in
++     * @param[in] pkgContents - a list of all applications in the package
++     * @param[in] privileges - a list of all prvileges 
++     */
++    static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++        const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges);
++    /**
+      * Uninstall package-specific smack rules.
+      *
+      * Function loads package-specific smack rules, revokes them from the kernel
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index 3629e0f..d834e42 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const
+     }
+ }
+ 
++void SmackRules::addFromTemplateFile(const std::string &appId,
++        const std::string &pkgId, const std::string &path)
++{
++    std::vector<std::string> templateRules;
++    std::string line;
++    std::ifstream templateRulesFile(path);
++
++    if (!templateRulesFile.is_open()) {
++        LogError("Cannot open rules template file: " << path);
++        ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path);
++    }
++
++    while (std::getline(templateRulesFile, line)) {
++        templateRules.push_back(line);
++    }
++
++    if (templateRulesFile.bad()) {
++        LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++        ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++    }
++
++    addFromTemplate(templateRules, appId, pkgId);
++}
+ 
+ void SmackRules::addFromTemplateFile(const std::string &appId,
+         const std::string &pkgId)
+@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+     std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" +  appId).c_str()));
+     return path;
+ }
++void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++        const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
++{
++    SmackRules smackRules;
++    std::string appPath = getApplicationRulesFilePath(appId);
++    smackRules.loadFromFile(appPath);
++    struct stat buffer;
++    for (auto privilege : privileges) {
++        if (privilege.empty())
++            continue;
++        std::string fprivilege ( privilege + "-template.smack");
++        std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++        if( stat(path.c_str(), &buffer) == 0) 
++            smackRules.addFromTemplateFile(appId, pkgId, path);
++    }
++
++    if (smack_smackfs_path() != NULL)
++        smackRules.apply();
+ 
++    smackRules.saveToFile(appPath);
++    updatePackageRules(pkgId, pkgContents);
++}
+ void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId,
+         const std::vector<std::string> &pkgContents)
+ {
+-- 
+2.1.0
+
author	Jan-Simon Möller <jsmoeller@linuxfoundation.org>	2018-02-14 10:55:35 +0100
committer	Jan-Simon Möller <jsmoeller@linuxfoundation.org>	2018-02-14 10:55:35 +0100
commit	317c8a08a6b5943517e67c5ea80b0a9a83a10d63 (patch)
tree	bf2b27dc9068924b59b46d2e153936c77be954c3 /meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch
parent	b6dc44f585b839ab1a2f0133b74958037fe1cb64 (diff)
parent	c9ce37905acd879db107eafe309678053073e086 (diff)