summaryrefslogtreecommitdiffstats
path: root/meta-security/recipes-security/smacknet
diff options
context:
space:
mode:
authorJan-Simon Möller <jsmoeller@linuxfoundation.org>2018-02-14 10:55:35 +0100
committerJan-Simon Möller <jsmoeller@linuxfoundation.org>2018-02-14 10:55:35 +0100
commit317c8a08a6b5943517e67c5ea80b0a9a83a10d63 (patch)
treebf2b27dc9068924b59b46d2e153936c77be954c3 /meta-security/recipes-security/smacknet
parentb6dc44f585b839ab1a2f0133b74958037fe1cb64 (diff)
parentc9ce37905acd879db107eafe309678053073e086 (diff)
Merge remote-tracking branch 'agl/sandbox/ronan/rocko' into HEAD
* agl/sandbox/ronan/rocko: (58 commits) Update ulcb conf file Remove unsed gstreamer backport [GEN3] add preferred version on omx package run-(agl-)postinst: Emit progress to console meta-security: Remove unused content Upgrade wayland-ivi-extension Revert "Fix kernel gcc7 issue" remove backport commit Revert "Fix CVE-2017-1000364 by backporting the patches for gen3" Remove fix for optee-os Remove gcc 6 fix Update rcar gen3 kernel bbappend version Update rcar gen3 driver Remove porter machine dbus-cynara: Upgrade to 1.10.20 xmlsec1: switch to meta-security version systemd: earlier smack label switch cynara: upgrade to 0.14.10 Remove smack recipe Integrate parts of meta-intel-iot-security ... Bug-AGL: SPEC-1181 Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org> Conflicts: meta-app-framework/recipes-security/cynara/cynara_git.bbappend Change-Id: I9875fcb31e960038ce6c23165c99b52a3bd1a1c0
Diffstat (limited to 'meta-security/recipes-security/smacknet')
-rw-r--r--meta-security/recipes-security/smacknet/files/smacknet184
-rw-r--r--meta-security/recipes-security/smacknet/files/smacknet.service11
-rw-r--r--meta-security/recipes-security/smacknet/smacknet.bb29
3 files changed, 224 insertions, 0 deletions
diff --git a/meta-security/recipes-security/smacknet/files/smacknet b/meta-security/recipes-security/smacknet/files/smacknet
new file mode 100644
index 000000000..3818d30ae
--- /dev/null
+++ b/meta-security/recipes-security/smacknet/files/smacknet
@@ -0,0 +1,184 @@
+#!/usr/bin/python
+# Copyright (c) 2012, 2013, Intel Corporation
+# Copyright (c) 2009 David Wolinsky <davidiw@ufl.edu), University of Florida
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+import socket,fcntl, struct, thread
+import os.path
+import sys
+
+SMACKFS_LOAD="/sys/fs/smackfs/load2"
+SMACKFS_NETLABEL="/sys/fs/smackfs/netlabel"
+SIOCGIFADDR = 0x8915
+SIOCGIFNETMASK = 0x891b
+
+def get_ip_address(ifname):
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ return fcntl.ioctl(s.fileno(), SIOCGIFADDR,
+ struct.pack('256s', ifname.encode("utf-8")))[20:24]
+
+def get_netmask(ifname):
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ return fcntl.ioctl(s.fileno(), SIOCGIFNETMASK,
+ struct.pack('256s', ifname.encode("utf-8")))[20:24]
+
+def applynetlabeltags(interface, addr):
+ if not interface.startswith("lo"):
+ bmask = get_netmask(interface.encode("utf-8"))
+ prefix = bin(struct.unpack(">L", bmask)[0]).count("1")
+ tags = [
+ addr+"/"+str(prefix)+" Network::Local\n",
+ "0.0.0.0/0 Network::Cloud\n",
+ "127.0.0.1/8 -CIPSO\n"]
+ smackfs_netlabel(tags)
+
+def loadnetlabelrules():
+ rulesSystem = [
+ "System Network::Cloud w\n",
+ "System Network::Local w\n",
+ "Network::Cloud System w\n",
+ "Network::Local System w\n"]
+ smackfs_load2(rulesSystem)
+
+def smackfs_load2 (rules):
+ with open(SMACKFS_LOAD, "w") as load2:
+ for rule in rules:
+ load2.write(rule)
+
+def smackfs_netlabel (tags):
+ for tag in tags:
+ with open(SMACKFS_NETLABEL, "w") as netlabel:
+ netlabel.write(tag)
+
+"""
+ Source of: Class ip monitor, and other functions named bellow.
+ Original author: David Wolinsky <davidiw@ufl.edu
+ Copied from: https://github.com/davidiw/Grid-Appliance/blob/master/scripts/ip_monitor.py
+
+"""
+
+"""4 byte alignment"""
+
+def align(inc):
+ diff = inc % 4
+ return inc + ((4 - diff) % 4)
+
+class ifaddr:
+ """Parse an ifaddr packet"""
+ LOCAL = 2
+ LABEL = 3
+
+ def __init__(self, packet):
+ self.family, self.prefixlen, self.flags, self.scope, self.index = \
+ struct.unpack("BBBBI", packet[:8])
+
+class rtattr:
+ """Parse a rtattr packet"""
+ GRP_IPV4_IFADDR = 0x10
+
+ NEWADDR = 20
+ DELADDR = 21
+ GETADDR = 22
+
+ def __init__(self, packet):
+ self.len, self.type = struct.unpack("HH", packet[:4])
+ if self.type == ifaddr.LOCAL:
+ addr = struct.unpack("BBBB", packet[4:self.len])
+ self.payload = "%s.%s.%s.%s" % (addr[0], addr[1], addr[2], addr[3])
+ elif self.type == ifaddr.LABEL:
+ self.payload = packet[4:self.len].strip("\0")
+ else:
+ self.payload = packet[4:self.len]
+
+class netlink:
+ """Parse a netlink packet"""
+ REQUEST = 1
+ ROOT = 0x100
+ MATCH = 0x200
+ DONE = 3
+
+ def __init__(self, packet):
+ self.msglen, self.msgtype, self.flags, self.seq, self.pid = \
+ struct.unpack("IHHII", packet[:16])
+ self.ifa = None
+ try:
+ self.ifa = ifaddr(packet[16:24])
+ except:
+ return
+
+ self.rtas = {}
+ pos = 24
+ while pos < self.msglen:
+ try:
+ rta = rtattr(packet[pos:])
+ except:
+ break
+ pos += align(rta.len)
+ self.rtas[rta.type] = rta.payload
+
+class ip_monitor:
+ def __init__(self, callback = None):
+ if callback == None:
+ callback = self.print_cb
+ self._callback = callback
+
+ def print_cb(self, label, addr):
+ print (label + " => " + addr)
+
+ def request_addrs(self, sock):
+ sock.send(struct.pack("IHHIIBBBBI", 24, rtattr.GETADDR, \
+ netlink.REQUEST | netlink.ROOT | netlink.MATCH, 0, sock.getsockname()[0], \
+ socket.AF_INET, 0, 0, 0, 0))
+
+ def start_thread(self):
+ thread.start_new_thread(self.run, ())
+
+ def run(self):
+ sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
+ sock.bind((0, rtattr.GRP_IPV4_IFADDR))
+ self.request_addrs(sock)
+
+ while True:
+ data = sock.recv(4096)
+ pos = 0
+ while pos < len(data):
+ nl = netlink(data[pos:])
+ if nl.msgtype == netlink.DONE:
+ break
+ pos += align(nl.msglen)
+ if nl.msgtype != rtattr.NEWADDR:
+ continue
+ self._callback(nl.rtas[ifaddr.LABEL], nl.rtas[ifaddr.LOCAL])
+
+def main():
+ if not os.path.isfile(SMACKFS_LOAD):
+ print ("Smack not found.")
+ return -1
+ loadnetlabelrules()
+
+ ip_monitor(applynetlabeltags).run()
+
+if __name__ == "__main__":
+ main()
diff --git a/meta-security/recipes-security/smacknet/files/smacknet.service b/meta-security/recipes-security/smacknet/files/smacknet.service
new file mode 100644
index 000000000..218d8b896
--- /dev/null
+++ b/meta-security/recipes-security/smacknet/files/smacknet.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=netlabels configuration for SMACK
+Wants=network.target network-online.target
+After=network.target network-online.target
+
+[Service]
+TimeoutStartSec=0
+ExecStart=@BINDIR@/smacknet
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-security/recipes-security/smacknet/smacknet.bb b/meta-security/recipes-security/smacknet/smacknet.bb
new file mode 100644
index 000000000..553456aee
--- /dev/null
+++ b/meta-security/recipes-security/smacknet/smacknet.bb
@@ -0,0 +1,29 @@
+#SMACKNET Description
+SUMMARY = "Smack network labels configuration"
+DESCRIPTION = "Provide service that will be labeling the network rules"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9"
+RDEPENDS_${PN} = "python"
+
+SRC_URI += "file://smacknet \
+ file://smacknet.service \
+ "
+S = "${WORKDIR}"
+
+inherit systemd
+
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES = "smack"
+
+#netlabel configuration service
+SYSTEMD_SERVICE_${PN} = "smacknet.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+do_install(){
+ install -d ${D}${bindir}
+ install -m 0551 ${WORKDIR}/smacknet ${D}${bindir}
+
+ install -d -m 755 ${D}${systemd_unitdir}/system
+ install -m 644 ${WORKDIR}/smacknet.service ${D}${systemd_unitdir}/system
+ sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_unitdir}/system/smacknet.service
+}
+