authorJan-Simon Moeller <jsmoeller@linuxfoundation.org>2020-12-08 11:12:45 +0100
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2020-12-17 13:59:52 +0000
commit1c3c06842ac1b9c089d0a08e91c60f44e4844fac (patch)
tree21e97368be8f78a3e76b66dfda24c1d5e774519f /meta-security/recipes-security/smacknet
parentc1e048fc05542d859115990312e0753ce2dea72e (diff)
SPEC-3723: restructure meta-agl
Goal is to reach a minimal meta-agl-core as base for IVI and IC work at the same time. Trim dependencies and move most 'demo' related recipes to meta-agl-demo. v2: changed to bbappend + .inc , added description v3: testbuild of all images v4: restore -test packagegroup and -qa images, compare manifests and adapt packagegroups. v5: rebased v6: merged meta-agl-distro into meta-agl-core, due to dependency on meta-oe, moved -test packagegroup and -qa images to own layer meta-agl-core-test v7: Fixed comments from Paul Barker v8: Update the markdown files v9: restore wayland/weston/agl-compositor recipes/appends, reworked to move app f/w specific changes to bbappends in meta-app-framework and only demo specific weston-init changes to meta-agl-demo v10: fix s/agldemo/aglcore/ missed in weston-init.bbappend Description: This patch is part 1 out of 2 large patches that implement the layer rework discussed during the previous workshop. Essentially meta-agl-core is the small but versatile new core layer of AGL serving as basis for the work done by the IC and IVI EGs. All demo related work is moved to meta-agl-demo in the 2nd patchset. This should be applied together as an atomic change. The resulting meta-agl/* follows these guidelines: - only bsp adaptations in meta-agl-bsp - remove the agl-profile-* layers for simplicity -- the packagegroup-agl(-profile)-graphical and so on have been kept in meta-agl-demo - meta-agl-profile-core is now meta-agl-core - meta-agl-core does pass yocto-check-layer -- therefore use the bbappend + conditional + .inc file construct found in meta-virtualization - meta-agl/meta-security has been merged into meta-agl/meta-app-framework - meta-netboot does pass yocto-check-layer - meta-pipewire does pass yocto-check-layer Migration: All packagegroups are preserved but they're now enabled by 'agl-demo'.
Bug-AGL: SPEC-3723 Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: Ia6c6e5e6ce2b4ffa69ea94959cdc57c310ba7c53 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/25769
Diffstat (limited to 'meta-security/recipes-security/smacknet')
-rw-r--r--meta-security/recipes-security/smacknet/files/smacknet184
-rw-r--r--meta-security/recipes-security/smacknet/files/smacknet.service11
-rw-r--r--meta-security/recipes-security/smacknet/smacknet.bb29
3 files changed, 0 insertions, 224 deletions
diff --git a/meta-security/recipes-security/smacknet/files/smacknet b/meta-security/recipes-security/smacknet/files/smacknet
deleted file mode 100644
index 3818d30ae..000000000
--- a/meta-security/recipes-security/smacknet/files/smacknet
+++ /dev/null
@@ -1,184 +0,0 @@
-#!/usr/bin/python
-# Copyright (c) 2012, 2013, Intel Corporation
-# Copyright (c) 2009 David Wolinsky <davidiw@ufl.edu), University of Florida
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# 3. The name of the author may not be used to endorse or promote products
-# derived from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-import socket,fcntl, struct, thread
-import os.path
-import sys
-
-SMACKFS_LOAD="/sys/fs/smackfs/load2"
-SMACKFS_NETLABEL="/sys/fs/smackfs/netlabel"
-SIOCGIFADDR = 0x8915
-SIOCGIFNETMASK = 0x891b
-
-def get_ip_address(ifname):
- s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
- return fcntl.ioctl(s.fileno(), SIOCGIFADDR,
- struct.pack('256s', ifname.encode("utf-8")))[20:24]
-
-def get_netmask(ifname):
- s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
- return fcntl.ioctl(s.fileno(), SIOCGIFNETMASK,
- struct.pack('256s', ifname.encode("utf-8")))[20:24]
-
-def applynetlabeltags(interface, addr):
- if not interface.startswith("lo"):
- bmask = get_netmask(interface.encode("utf-8"))
- prefix = bin(struct.unpack(">L", bmask)[0]).count("1")
- tags = [
- addr+"/"+str(prefix)+" Network::Local\n",
- "0.0.0.0/0 Network::Cloud\n",
- "127.0.0.1/8 -CIPSO\n"]
- smackfs_netlabel(tags)
-
-def loadnetlabelrules():
- rulesSystem = [
- "System Network::Cloud w\n",
- "System Network::Local w\n",
- "Network::Cloud System w\n",
- "Network::Local System w\n"]
- smackfs_load2(rulesSystem)
-
-def smackfs_load2 (rules):
- with open(SMACKFS_LOAD, "w") as load2:
- for rule in rules:
- load2.write(rule)
-
-def smackfs_netlabel (tags):
- for tag in tags:
- with open(SMACKFS_NETLABEL, "w") as netlabel:
- netlabel.write(tag)
-
-"""
- Source of: Class ip monitor, and other functions named bellow.
- Original author: David Wolinsky <davidiw@ufl.edu
- Copied from: https://github.com/davidiw/Grid-Appliance/blob/master/scripts/ip_monitor.py
-
-"""
-
-"""4 byte alignment"""
-
-def align(inc):
- diff = inc % 4
- return inc + ((4 - diff) % 4)
-
-class ifaddr:
- """Parse an ifaddr packet"""
- LOCAL = 2
- LABEL = 3
-
- def __init__(self, packet):
- self.family, self.prefixlen, self.flags, self.scope, self.index = \
- struct.unpack("BBBBI", packet[:8])
-
-class rtattr:
- """Parse a rtattr packet"""
- GRP_IPV4_IFADDR = 0x10
-
- NEWADDR = 20
- DELADDR = 21
- GETADDR = 22
-
- def __init__(self, packet):
- self.len, self.type = struct.unpack("HH", packet[:4])
- if self.type == ifaddr.LOCAL:
- addr = struct.unpack("BBBB", packet[4:self.len])
- self.payload = "%s.%s.%s.%s" % (addr[0], addr[1], addr[2], addr[3])
- elif self.type == ifaddr.LABEL:
- self.payload = packet[4:self.len].strip("\0")
- else:
- self.payload = packet[4:self.len]
-
-class netlink:
- """Parse a netlink packet"""
- REQUEST = 1
- ROOT = 0x100
- MATCH = 0x200
- DONE = 3
-
- def __init__(self, packet):
- self.msglen, self.msgtype, self.flags, self.seq, self.pid = \
- struct.unpack("IHHII", packet[:16])
- self.ifa = None
- try:
- self.ifa = ifaddr(packet[16:24])
- except:
- return
-
- self.rtas = {}
- pos = 24
- while pos < self.msglen:
- try:
- rta = rtattr(packet[pos:])
- except:
- break
- pos += align(rta.len)
- self.rtas[rta.type] = rta.payload
-
-class ip_monitor:
- def __init__(self, callback = None):
- if callback == None:
- callback = self.print_cb
- self._callback = callback
-
- def print_cb(self, label, addr):
- print (label + " => " + addr)
-
- def request_addrs(self, sock):
- sock.send(struct.pack("IHHIIBBBBI", 24, rtattr.GETADDR, \
- netlink.REQUEST | netlink.ROOT | netlink.MATCH, 0, sock.getsockname()[0], \
- socket.AF_INET, 0, 0, 0, 0))
-
- def start_thread(self):
- thread.start_new_thread(self.run, ())
-
- def run(self):
- sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
- sock.bind((0, rtattr.GRP_IPV4_IFADDR))
- self.request_addrs(sock)
-
- while True:
- data = sock.recv(4096)
- pos = 0
- while pos < len(data):
- nl = netlink(data[pos:])
- if nl.msgtype == netlink.DONE:
- break
- pos += align(nl.msglen)
- if nl.msgtype != rtattr.NEWADDR:
- continue
- self._callback(nl.rtas[ifaddr.LABEL], nl.rtas[ifaddr.LOCAL])
-
-def main():
- if not os.path.isfile(SMACKFS_LOAD):
- print ("Smack not found.")
- return -1
- loadnetlabelrules()
-
- ip_monitor(applynetlabeltags).run()
-
-if __name__ == "__main__":
- main()
diff --git a/meta-security/recipes-security/smacknet/files/smacknet.service b/meta-security/recipes-security/smacknet/files/smacknet.service
deleted file mode 100644
index 218d8b896..000000000
--- a/meta-security/recipes-security/smacknet/files/smacknet.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=netlabels configuration for SMACK
-Wants=network.target network-online.target
-After=network.target network-online.target
-
-[Service]
-TimeoutStartSec=0
-ExecStart=@BINDIR@/smacknet
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta-security/recipes-security/smacknet/smacknet.bb b/meta-security/recipes-security/smacknet/smacknet.bb
deleted file mode 100644
index 250cdb132..000000000
--- a/meta-security/recipes-security/smacknet/smacknet.bb
+++ /dev/null
@@ -1,29 +0,0 @@
-#SMACKNET Description
-SUMMARY = "Smack network labels configuration"
-DESCRIPTION = "Provide service that will be labeling the network rules"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9"
-RDEPENDS_${PN} = "python"
-
-SRC_URI += "file://smacknet \
- file://smacknet.service \
- "
-S = "${WORKDIR}"
-
-inherit systemd
-
-inherit features_check
-REQUIRED_DISTRO_FEATURES = "smack"
-
-#netlabel configuration service
-SYSTEMD_SERVICE_${PN} = "smacknet.service"
-SYSTEMD_AUTO_ENABLE = "enable"
-do_install(){
- install -d ${D}${bindir}
- install -m 0551 ${WORKDIR}/smacknet ${D}${bindir}
-
- install -d -m 755 ${D}${systemd_unitdir}/system
- install -m 644 ${WORKDIR}/smacknet.service ${D}${systemd_unitdir}/system
- sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_unitdir}/system/smacknet.service
-}
-