author | Jan-Simon Möller <jsmoeller@linuxfoundation.org> | 2018-02-14 10:55:35 +0100 |
committer | Jan-Simon Möller <jsmoeller@linuxfoundation.org> | 2018-02-14 10:55:35 +0100 |
commit | 317c8a08a6b5943517e67c5ea80b0a9a83a10d63 (patch) | |
tree | bf2b27dc9068924b59b46d2e153936c77be954c3 /meta-security/recipes-security/smacknet | |
parent | b6dc44f585b839ab1a2f0133b74958037fe1cb64 (diff) | |
parent | c9ce37905acd879db107eafe309678053073e086 (diff) |
Merge remote-tracking branch 'agl/sandbox/ronan/rocko' into HEAD
* agl/sandbox/ronan/rocko: (58 commits)
Update ulcb conf file
Remove unsed gstreamer backport
[GEN3] add preferred version on omx package
run-(agl-)postinst: Emit progress to console
meta-security: Remove unused content
Upgrade wayland-ivi-extension
Revert "Fix kernel gcc7 issue"
remove backport commit
Revert "Fix CVE-2017-1000364 by backporting the patches for gen3"
Remove fix for optee-os
Remove gcc 6 fix
Update rcar gen3 kernel bbappend version
Update rcar gen3 driver
Remove porter machine
dbus-cynara: Upgrade to 1.10.20
xmlsec1: switch to meta-security version
systemd: earlier smack label switch
cynara: upgrade to 0.14.10
Remove smack recipe
Integrate parts of meta-intel-iot-security
...
Bug-AGL: SPEC-1181
Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
Conflicts:
meta-app-framework/recipes-security/cynara/cynara_git.bbappend
Change-Id: I9875fcb31e960038ce6c23165c99b52a3bd1a1c0
Diffstat (limited to 'meta-security/recipes-security/smacknet')
3 files changed, 224 insertions, 0 deletions
diff --git a/meta-security/recipes-security/smacknet/files/smacknet b/meta-security/recipes-security/smacknet/files/smacknet new file mode 100644 index 000000000..3818d30ae --- /dev/null +++ b/meta-security/recipes-security/smacknet/files/smacknet 
@@ -0,0 +1,184 @@ +#!/usr/bin/python +# Copyright (c) 2012, 2013, Intel Corporation +# Copyright (c) 2009 David Wolinsky <davidiw@ufl.edu), University of Florida +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# 3. The name of the author may not be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ +import socket,fcntl, struct, thread +import os.path +import sys + +SMACKFS_LOAD="/sys/fs/smackfs/load2" +SMACKFS_NETLABEL="/sys/fs/smackfs/netlabel" +SIOCGIFADDR = 0x8915 +SIOCGIFNETMASK = 0x891b + +def get_ip_address(ifname): + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + return fcntl.ioctl(s.fileno(), SIOCGIFADDR, + struct.pack('256s', ifname.encode("utf-8")))[20:24] + +def get_netmask(ifname): + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + return fcntl.ioctl(s.fileno(), SIOCGIFNETMASK, + struct.pack('256s', ifname.encode("utf-8")))[20:24] + +def applynetlabeltags(interface, addr): + if not interface.startswith("lo"): + bmask = get_netmask(interface.encode("utf-8")) + prefix = bin(struct.unpack(">L", bmask)[0]).count("1") + tags = [ + addr+"/"+str(prefix)+" Network::Local\n", + "0.0.0.0/0 Network::Cloud\n", + "127.0.0.1/8 -CIPSO\n"] + smackfs_netlabel(tags) + +def loadnetlabelrules(): + rulesSystem = [ + "System Network::Cloud w\n", + "System Network::Local w\n", + "Network::Cloud System w\n", + "Network::Local System w\n"] + smackfs_load2(rulesSystem) + +def smackfs_load2 (rules): + with open(SMACKFS_LOAD, "w") as load2: + for rule in rules: + load2.write(rule) + +def smackfs_netlabel (tags): + for tag in tags: + with open(SMACKFS_NETLABEL, "w") as netlabel: + netlabel.write(tag) + +""" + Source of: Class ip monitor, and other functions named bellow. 
+ Original author: David Wolinsky <davidiw@ufl.edu + Copied from: https://github.com/davidiw/Grid-Appliance/blob/master/scripts/ip_monitor.py + +""" + +"""4 byte alignment""" + +def align(inc): + diff = inc % 4 + return inc + ((4 - diff) % 4) + +class ifaddr: + """Parse an ifaddr packet""" + LOCAL = 2 + LABEL = 3 + + def __init__(self, packet): + self.family, self.prefixlen, self.flags, self.scope, self.index = \ + struct.unpack("BBBBI", packet[:8]) + +class rtattr: + """Parse a rtattr packet""" + GRP_IPV4_IFADDR = 0x10 + + NEWADDR = 20 + DELADDR = 21 + GETADDR = 22 + + def __init__(self, packet): + self.len, self.type = struct.unpack("HH", packet[:4]) + if self.type == ifaddr.LOCAL: + addr = struct.unpack("BBBB", packet[4:self.len]) + self.payload = "%s.%s.%s.%s" % (addr[0], addr[1], addr[2], addr[3]) + elif self.type == ifaddr.LABEL: + self.payload = packet[4:self.len].strip("\0") + else: + self.payload = packet[4:self.len] + +class netlink: + """Parse a netlink packet""" + REQUEST = 1 + ROOT = 0x100 + MATCH = 0x200 + DONE = 3 + + def __init__(self, packet): + self.msglen, self.msgtype, self.flags, self.seq, self.pid = \ + struct.unpack("IHHII", packet[:16]) + self.ifa = None + try: + self.ifa = ifaddr(packet[16:24]) + except: + return + + self.rtas = {} + pos = 24 + while pos < self.msglen: + try: + rta = rtattr(packet[pos:]) + except: + break + pos += align(rta.len) + self.rtas[rta.type] = rta.payload + +class ip_monitor: + def __init__(self, callback = None): + if callback == None: + callback = self.print_cb + self._callback = callback + + def print_cb(self, label, addr): + print (label + " => " + addr) + + def request_addrs(self, sock): + sock.send(struct.pack("IHHIIBBBBI", 24, rtattr.GETADDR, \ + netlink.REQUEST | netlink.ROOT | netlink.MATCH, 0, sock.getsockname()[0], \ + socket.AF_INET, 0, 0, 0, 0)) + + def start_thread(self): + thread.start_new_thread(self.run, ()) + + def run(self): + sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, 
socket.NETLINK_ROUTE)
+ sock.bind((0, rtattr.GRP_IPV4_IFADDR))
+ self.request_addrs(sock)
+
+ while True:
+ data = sock.recv(4096)
+ pos = 0
+ while pos < len(data):
+ nl = netlink(data[pos:])
+ if nl.msgtype == netlink.DONE:
+ break
+ pos += align(nl.msglen)
+ if nl.msgtype != rtattr.NEWADDR:
+ continue
+ self._callback(nl.rtas[ifaddr.LABEL], nl.rtas[ifaddr.LOCAL])
+
+def main():
+ if not os.path.isfile(SMACKFS_LOAD):
+ print ("Smack not found.")
+ return -1
+ loadnetlabelrules()
+
+ ip_monitor(applynetlabeltags).run()
+
+if __name__ == "__main__":
+ main()
diff --git a/meta-security/recipes-security/smacknet/files/smacknet.service b/meta-security/recipes-security/smacknet/files/smacknet.service
new file mode 100644
index 000000000..218d8b896
--- /dev/null
+++ b/meta-security/recipes-security/smacknet/files/smacknet.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=netlabels configuration for SMACK
+Wants=network.target network-online.target
+After=network.target network-online.target
+
+[Service]
+TimeoutStartSec=0
+ExecStart=@BINDIR@/smacknet
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-security/recipes-security/smacknet/smacknet.bb b/meta-security/recipes-security/smacknet/smacknet.bb
new file mode 100644
index 000000000..553456aee
--- /dev/null
+++ b/meta-security/recipes-security/smacknet/smacknet.bb
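Review bot: `run()` (the inner `while pos < len(data)` loop at the end of this hunk) indexes `nl.rtas[ifaddr.LABEL]` and `nl.rtas[ifaddr.LOCAL]` unconditionally, but `netlink.__init__` only assigns `self.rtas` after the `ifaddr` parse succeeds and never guarantees either attribute is present, so a single short or unexpected RTM_NEWADDR message raises AttributeError/KeyError and kills the daemon, after which no further `Network::Local` mappings are written. Moving `self.rtas = {}` above the `try` in `netlink.__init__`, narrowing the two bare `except:` clauses to `except struct.error:`, and guarding the callback with `if nl.msgtype != rtattr.NEWADDR or nl.ifa is None or ifaddr.LABEL not in nl.rtas or ifaddr.LOCAL not in nl.rtas: continue` keeps the monitor alive on malformed input. Separately, `get_netmask` (and the unused `get_ip_address`) open an AF_INET socket per call and never close it, which leaks one descriptor per address event in a process that runs forever; close it in a `finally` or via `contextlib.closing`, since Python 2 sockets are not context managers. `main()` returns -1 when smackfs is missing, but the `__main__` guard discards that value, so the unit exits 0 on the failure path; `sys.exit(main())` fixes that and gives the otherwise unused `import sys` a purpose. `rtattr.DELADDR` is defined but `run()` skips every message except `NEWADDR`, so a `Network::Local` entry written for an address that is later removed presumably stays in the netlabel table until reboot — either handle DELADDR or document that the mapping is add-only.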
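Review bot: The `[Service]` section runs `@BINDIR@/smacknet` as unrestricted root, although from the script in this commit the daemon only needs to write `/sys/fs/smackfs/load2` and `/sys/fs/smackfs/netlabel` and read a NETLINK_ROUTE socket; a `CapabilityBoundingSet=CAP_MAC_ADMIN` line (and `ProtectSystem=strict`, which leaves `/sys` writable) would bound what a parser bug in the netlink loop can do — confirm on target that smackfs writes need no further capability with this Smack configuration. `TimeoutStartSec=0` has no effect with the default `Type=simple`, where start-up completes as soon as the process is forked; drop it, or use `Type=notify` if readiness is meant to be signalled. Because the script has no error handling of its own and address labelling stops when it exits, `Restart=on-failure` is worth adding.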
@@ -0,0 +1,29 @@
+#SMACKNET Description
+SUMMARY = "Smack network labels configuration"
+DESCRIPTION = "Provide service that will be labeling the network rules"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9"
+RDEPENDS_${PN} = "python"
+
+SRC_URI += "file://smacknet \
+ file://smacknet.service \
+ "
+S = "${WORKDIR}"
+
+inherit systemd
+
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES = "smack"
+
+#netlabel configuration service
+SYSTEMD_SERVICE_${PN} = "smacknet.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+do_install(){
+ install -d ${D}${bindir}
+ install -m 0551 ${WORKDIR}/smacknet ${D}${bindir}
+
+ install -d -m 755 ${D}${systemd_unitdir}/system
+ install -m 644 ${WORKDIR}/smacknet.service ${D}${systemd_unitdir}/system
+ sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_unitdir}/system/smacknet.service
+}
+
|
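Review bot: `install -m 0551 ${WORKDIR}/smacknet ${D}${bindir}` in `do_install` puts a root-only policy daemon into `${bindir}` with an unusual 0551 mode; `${sbindir}` with `0755` (or `0750`) would match how other privileged services are installed, and the `sed` substitution of `@BINDIR@` would then need `${sbindir}`. `RDEPENDS_${PN} = "python"` should be checked against this layer's python2 packaging: the script imports `fcntl`, `struct` and `thread`, and if those live in sub-packages such as `python-fcntl` the runtime dependency should name them explicitly rather than rely on the umbrella package. The `#SMACKNET Description` comment on the first line adds nothing beyond `SUMMARY` and `DESCRIPTION` and can be dropped.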