diff options
author | Scott Murray <scott.murray@konsulko.com> | 2019-02-08 10:53:08 -0500 |
---|---|---|
committer | Stephane Desneux <stephane.desneux@iot.bzh> | 2019-04-04 18:02:11 +0200 |
commit | 7faccb97d69c7581e338f88ce3a2153cdd69fd16 (patch) | |
tree | 57dd664e04593af6eed43cb6ecffab438d93d860 /meta-security | |
parent | e978a20f40916eac57a5e1af8f65b6ed9f719e50 (diff) |
Upgrade to thud
Changes include:
- Add LAYERSERIES_COMPAT definitions to layer.conf files
- Remove now unnecessary SECURITY_*FLAGS over-rides from distro
configuration
- Set intel-corei7-64 preferred kernel version to 4.19 to match
latest linux-intel kernel available in meta-intel
- Update qemuarm preferred kernel version to 4.18 to match latest
linux-yocto
- Update firmware package and devicetree file names for raspberrypi3
- Remove linux-firmware bbappend specific to raspberrypi, it seems no
longer required and breaks the cross SDK build
- Update linux-intel bbappend to 4.19, remove now unnecessary patch
- Remove now unnecessary lttng-modules backport
- Update linux-raspberrypi bbappend to 4.14 kernel
- Added kernel configuration fragment for raspberrypi to disable
Kprobes. This is required until linux-raspberrypi is updated to
greater than 4.14.104 to avoid a build failure in lttng-modules
related to a check for known breakage in the kernel CONFIG_OPTPROBES
code.
- Replace obsolete base_conditional usage with oe.utils.conditional
- Add gstreamer1.0-plugins-bad bbappend for raspberrypi3 to disable
faad PACKAGECONFIG to avoid commercial license issues
- Remove unused and unbuildable Vayu gstreamer recipes
- Update linux-ti-staging bbappend for new BSP kernel
- Regen dcan2_pinmux_enable.patch for linux-ti-staging to remove fuzz
warning, and remove upstreamed fix_dcan_addresses.patch
- Remove ipumm-fw from meta-agl-bsp/meta-ti, as newer version is
available in the upstream BSP
- Update meta-agl-bsp/meta-ti weston patch to apply against 5.0.0
- Update meta-agl-bsp/meta-ti wayland-ivi-extension patch to apply
against 2.2.0
- Add ti-sgx-ddk-km patch to add AGL toolchain configuration file
- Remove now unnecessary fdtoverlay recipe
- Update core.cfg and ivishell.cfg in weston-ini-conf recipe to handle
move of ivi-controller.so configuration in Weston 5.0.0
- Update connman-ncurses patch to remove fuzz warning
- Add installation of systemd over-ride file for run-postinsts.service
in run-postinsts bbappend to workaround race condition between
ldconfig.service and the /sbin/ldconfig invocations in the
post-install scripts run by run-postinsts.service. The observed
failure was cynara's post-install script failing and its database
not being created.
- Remove now unnecessary valgrind backport
- Add patches to fix most driver compilation against newer kernels
- Update libmicrohttpd bbappend
- Remove libssp-dev from agl-image-graphical-qt5-crosssdk and
agl-demo-platform-html5-crosssdk, upstream have removed it from
non-mingw32 platform SDKs
- Update wayland-ivi-extension recipe to build 2.2.0, and update
local patches
- Update weston patches for 5.0.0. Patches:
0016-ivi-shell_add_screen_remove_layer_api.patch
0017-ivi-shell-register-ivi_layout_interface.patch
have been removed as they have been applied upstream and are no longer
necessary. Patches:
0018-compositor-add-output-type-to-weston_output.patch
0019-compositor-drm-introduce-drm_get_dmafd_from_view.patch
(both related to Waltham) have been disabled for now as they need
significant rework.
- Remove weston-conf RRECOMMENDS in weston bbappend to avoid conflict
with weston-ini-conf
- Add OECMAKE_GENERATOR = "Unix Makefiles" to aglwgt.bbclass to work
around CMake+ninja issue in cmake-apps-module
- Update dbus cynara patches for 1.12.10
- Add do_install_append in cynara recipe to remove /var/cynara from
cynara package so the directory creation and labelling in the
post-install scriptlet will function as intended
- Remove now unnecessary e2fsprogs backport
- Remove now unnecessary libcap-ng backport
- Update pulseaudio patches to remove fuzz warnings
- Update neardal patch to remove fuzz warning
- Update freetype patch to remove fuzz warning
- Rename opencv bbappend to 3.% to handle 3.x backports in upstream
- Updated qtwayland patch to remove fuzz warning
Changes from Stephane Desneux <stephane.desneux@iot.bzh>:
- Remove wayland-ivi-extension PREFERRED_VERSION
- Remove now unnecessary nativesdk-cmake patch
- Remove now unnecessary ptest-runner patches
- Remove now unnecessary harfbuzz patches
- Disable waltham-transmitter as it does not build against weston 5.0.0
- Update af-main, cynara, and security-manager to use pkg_postinst_ontarget
- Bump connman-ncurses revision to avoid deprecated ncurses functions
- Update libva package usage with new intel-vaapi-driver name
- Add patches to security-manager to fix compilation with gcc8
- Updated systemd bbappend
Changes from Jan-Simon Möller <jsmoeller@linuxfoundation.org>:
- Remove meta-agl-bsp/ROCKO.FIXMEs
- Remove linux-yocto_4.12.bbappend and now unnecessary associated
patch
- Remove now unneeded kern-tools-native patch
- Bump gstreamer PREFERRED_VERSIONs to 1.14.x
- Remove latencytop from packagegroup-agl-core-devel, it has been
dropped by upstream
- Remove now unnecessary rpm patches
- Update pulseaudio bbappend to 12.2
- Update opencv bbappend to 3.4
- Update freetype bbappend to 2.9.1
- Update dbus bbappend to 1.12.10
- Update weston bbappend to 5.0.0
- Update cynara patches to remove fuzz warnings
- Add patch to cynara to fix compilation with gcc8
- Add xmlsec1 bbappend to clear EXTRA_OECONF to fix compilation on
sumo or newer
Changes from Ronan Le Martet <ronan.lemartet@iot.bzh>:
- Update meta-rcar-gen3-adas layer gstreamer1.0-plugin-vspfilter
bbappend to version 1.0.1
Known issues (marked with FIXME):
- CMake+ninja issue in cmake-apps-module has been worked around with
OECMAKE_GENERATOR
- waltham-transmitter and the patches to weston related to it have been
disabled
- Currently unclear if patch to libcap-native is actually required or
not
Bug-AGL: SPEC-1837
Change-Id: I7b8b9ef667aec2d229952eace6663dfc761654d0
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Diffstat (limited to 'meta-security')
36 files changed, 814 insertions, 1299 deletions
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 2da233a76..16dae3989 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -10,3 +10,5 @@ BBFILES += " ${LAYERDIR}/recipes-*/*/*.bb \ BBFILE_COLLECTIONS += "security-smack" BBFILE_PATTERN_security-smack := "^${LAYERDIR}/" BBFILE_PRIORITY_security-smack = "60" + +LAYERSERIES_COMPAT_security-smack = "thud" diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch index 6a7e8a39d..d04c60cd9 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch +++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch @@ -19,46 +19,17 @@ Currently such return value results in message denial. Cherry picked from 4dcfb02f17247ff9de966b62182cd2e08f301238 by José Bollo. +Updated for dbus 1.10.20 by Scott Murray. + Change-Id: I9bcbce34577e5dc2a3cecf6233a0a2b0e43e1108 Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - bus/Makefile.am | 6 + - bus/bus.c | 136 +++++--- - bus/bus.h | 32 +- - bus/check.c | 217 ++++++++++++ - bus/check.h | 68 ++++ - bus/config-parser-common.c | 6 + - bus/config-parser-common.h | 1 + - bus/config-parser.c | 71 +++- - bus/connection.c | 56 ++- - bus/connection.h | 4 + - bus/cynara.c | 374 +++++++++++++++++++++ - bus/cynara.h | 37 ++ - bus/dispatch.c | 44 ++- - bus/policy.c | 193 +++++++---- - bus/policy.h | 51 ++- - configure.ac | 12 + - test/Makefile.am | 1 + - test/data/invalid-config-files/badcheck-1.conf | 9 + - test/data/invalid-config-files/badcheck-2.conf | 9 + - test/data/valid-config-files/check-1.conf | 9 + - .../valid-config-files/debug-check-some.conf.in | 18 + - tools/dbus-send.c | 2 +- - 22 files changed, 1193 insertions(+), 163 deletions(-) - create mode 100644 bus/check.c - create mode 100644 bus/check.h - create mode 100644 bus/cynara.c - create mode 100644 bus/cynara.h - create mode 100644 test/data/invalid-config-files/badcheck-1.conf - create mode 100644 test/data/invalid-config-files/badcheck-2.conf - create mode 100644 test/data/valid-config-files/check-1.conf - create mode 100644 test/data/valid-config-files/debug-check-some.conf.in +Signed-off-by: Scott Murray <scott.murray@konsulko.com> diff --git a/bus/Makefile.am b/bus/Makefile.am -index 33af09b0..3f57cc48 100644 +index 9ae3071..46afb31 100644 --- a/bus/Makefile.am +++ b/bus/Makefile.am -@@ -9,6 +9,7 @@ DBUS_BUS_LIBS = \ +@@ -13,6 +13,7 @@ DBUS_BUS_LIBS = \ $(THREAD_LIBS) \ $(ADT_LIBS) \ $(NETWORK_libs) \ @@ -66,7 +37,7 @@ index 33af09b0..3f57cc48 100644 $(NULL) DBUS_LAUNCHER_LIBS = \ -@@ -24,6 +25,7 @@ AM_CPPFLAGS = \ +@@ -30,6 +31,7 @@ AM_CPPFLAGS = \ $(APPARMOR_CFLAGS) \ -DDBUS_SYSTEM_CONFIG_FILE=\""$(dbusdatadir)/system.conf"\" \ -DDBUS_COMPILATION \ @@ -74,15 +45,16 @@ index 33af09b0..3f57cc48 100644 $(NULL) # if assertions are enabled, improve backtraces -@@ -82,12 +84,16 @@ BUS_SOURCES= \ +@@ -90,6 +92,8 @@ BUS_SOURCES= \ audit.h \ bus.c \ bus.h \ + check.c \ + check.h \ + config-loader-expat.c \ config-parser.c \ config-parser.h \ - config-parser-common.c \ +@@ -97,6 +101,8 @@ BUS_SOURCES= \ config-parser-common.h \ connection.c \ connection.h \ @@ -91,19 +63,33 @@ index 33af09b0..3f57cc48 100644 desktop-file.c \ desktop-file.h \ $(DIR_WATCH_SOURCE) \ +diff --git a/bus/activation.c b/bus/activation.c +index 6f009f5..451179d 100644 +--- a/bus/activation.c ++++ b/bus/activation.c +@@ -1795,7 +1795,8 @@ bus_activation_activate_service (BusActivation *activation, + NULL, /* proposed recipient */ + activation_message, + entry, +- error)) ++ error, ++ NULL)) + { + _DBUS_ASSERT_ERROR_IS_SET (error); + _dbus_verbose ("activation not authorized: %s: %s\n", diff --git a/bus/bus.c b/bus/bus.c -index fd4ab9e4..c4008505 100644 +index 30ce4e1..237efe3 100644 --- a/bus/bus.c +++ b/bus/bus.c -@@ -37,6 +37,7 @@ +@@ -38,6 +38,7 @@ #include "apparmor.h" #include "audit.h" #include "dir-watch.h" +#include "check.h" + #include <dbus/dbus-auth.h> #include <dbus/dbus-list.h> #include <dbus/dbus-hash.h> - #include <dbus/dbus-credentials.h> -@@ -65,6 +66,7 @@ struct BusContext +@@ -67,6 +68,7 @@ struct BusContext BusRegistry *registry; BusPolicy *policy; BusMatchmaker *matchmaker; @@ -111,7 +97,7 @@ index fd4ab9e4..c4008505 100644 BusLimits limits; DBusRLimit *initial_fd_limit; unsigned int fork : 1; -@@ -988,6 +990,10 @@ bus_context_new (const DBusString *config_file, +@@ -1003,6 +1005,10 @@ bus_context_new (const DBusString *config_file, parser = NULL; } @@ -122,7 +108,7 @@ index fd4ab9e4..c4008505 100644 dbus_server_free_data_slot (&server_data_slot); return context; -@@ -1112,6 +1118,12 @@ bus_context_unref (BusContext *context) +@@ -1127,6 +1133,12 @@ bus_context_unref (BusContext *context) bus_context_shutdown (context); @@ -135,7 +121,7 @@ index fd4ab9e4..c4008505 100644 if (context->connections) { bus_connections_unref (context->connections); -@@ -1241,6 +1253,12 @@ bus_context_get_loop (BusContext *context) +@@ -1256,6 +1268,12 @@ bus_context_get_loop (BusContext *context) return context->loop; } @@ -148,7 +134,7 @@ index fd4ab9e4..c4008505 100644 dbus_bool_t bus_context_allow_unix_user (BusContext *context, unsigned long uid) -@@ -1456,6 +1474,7 @@ complain_about_message (BusContext *context, +@@ -1451,6 +1469,7 @@ complain_about_message (BusContext *context, DBusConnection *proposed_recipient, dbus_bool_t requested_reply, dbus_bool_t log, @@ -156,7 +142,7 @@ index fd4ab9e4..c4008505 100644 DBusError *error) { DBusError stack_error = DBUS_ERROR_INIT; -@@ -1485,7 +1504,8 @@ complain_about_message (BusContext *context, +@@ -1480,7 +1499,8 @@ complain_about_message (BusContext *context, dbus_set_error (&stack_error, error_name, "%s, %d matched rules; type=\"%s\", sender=\"%s\" (%s) " "interface=\"%s\" member=\"%s\" error name=\"%s\" " @@ -166,7 +152,7 @@ index fd4ab9e4..c4008505 100644 complaint, matched_rules, dbus_message_type_to_string (dbus_message_get_type (message)), -@@ -1496,7 +1516,8 @@ complain_about_message (BusContext *context, +@@ -1491,7 +1511,8 @@ complain_about_message (BusContext *context, nonnull (dbus_message_get_error_name (message), "(unset)"), requested_reply, nonnull (dbus_message_get_destination (message), DBUS_SERVICE_DBUS), @@ -176,26 +162,21 @@ index fd4ab9e4..c4008505 100644 /* If we hit OOM while setting the error, this will syslog "out of memory" * which is itself an indication that something is seriously wrong */ -@@ -1520,14 +1541,15 @@ complain_about_message (BusContext *context, +@@ -1519,7 +1540,7 @@ complain_about_message (BusContext *context, * NULL for addressed_recipient may mean the bus driver, or may mean * no destination was specified in the message (e.g. a signal). */ -dbus_bool_t --bus_context_check_security_policy (BusContext *context, -- BusTransaction *transaction, -- DBusConnection *sender, -- DBusConnection *addressed_recipient, -- DBusConnection *proposed_recipient, -- DBusMessage *message, -- DBusError *error) +BusResult -+bus_context_check_security_policy (BusContext *context, -+ BusTransaction *transaction, -+ DBusConnection *sender, -+ DBusConnection *addressed_recipient, -+ DBusConnection *proposed_recipient, -+ DBusMessage *message, -+ DBusError *error, + bus_context_check_security_policy (BusContext *context, + BusTransaction *transaction, + DBusConnection *sender, +@@ -1527,7 +1548,8 @@ bus_context_check_security_policy (BusContext *context, + DBusConnection *proposed_recipient, + DBusMessage *message, + BusActivationEntry *activation_entry, +- DBusError *error) ++ DBusError *error, + BusDeferredMessage **deferred_message) { const char *src, *dest; @@ -208,7 +189,7 @@ index fd4ab9e4..c4008505 100644 type = dbus_message_get_type (message); src = dbus_message_get_sender (message); -@@ -1564,7 +1587,7 @@ bus_context_check_security_policy (BusContext *context, +@@ -1565,7 +1588,7 @@ bus_context_check_security_policy (BusContext *context, dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, "Message bus will not accept messages of unknown type\n"); @@ -217,7 +198,7 @@ index fd4ab9e4..c4008505 100644 } requested_reply = FALSE; -@@ -1594,7 +1617,7 @@ bus_context_check_security_policy (BusContext *context, +@@ -1595,7 +1618,7 @@ bus_context_check_security_policy (BusContext *context, if (dbus_error_is_set (&error2)) { dbus_move_error (&error2, error); @@ -226,7 +207,7 @@ index fd4ab9e4..c4008505 100644 } } } -@@ -1621,11 +1644,11 @@ bus_context_check_security_policy (BusContext *context, +@@ -1624,11 +1647,11 @@ bus_context_check_security_policy (BusContext *context, complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, "An SELinux policy prevents this sender from sending this " "message to this recipient", @@ -240,16 +221,16 @@ index fd4ab9e4..c4008505 100644 } /* next verify AppArmor access controls. If allowed then -@@ -1642,7 +1665,7 @@ bus_context_check_security_policy (BusContext *context, - dest ? dest : DBUS_SERVICE_DBUS, +@@ -1646,7 +1669,7 @@ bus_context_check_security_policy (BusContext *context, src ? src : DBUS_SERVICE_DBUS, + activation_entry, error)) - return FALSE; + return BUS_RESULT_FALSE; if (!bus_connection_is_active (sender)) { -@@ -1656,7 +1679,7 @@ bus_context_check_security_policy (BusContext *context, +@@ -1660,7 +1683,7 @@ bus_context_check_security_policy (BusContext *context, { _dbus_verbose ("security check allowing %s message\n", "Hello"); @@ -258,7 +239,7 @@ index fd4ab9e4..c4008505 100644 } else { -@@ -1667,7 +1690,7 @@ bus_context_check_security_policy (BusContext *context, +@@ -1671,7 +1694,7 @@ bus_context_check_security_policy (BusContext *context, "Client tried to send a message other than %s without being registered", "Hello"); @@ -267,7 +248,7 @@ index fd4ab9e4..c4008505 100644 } } } -@@ -1716,20 +1739,29 @@ bus_context_check_security_policy (BusContext *context, +@@ -1720,20 +1743,29 @@ bus_context_check_security_policy (BusContext *context, (proposed_recipient == NULL && recipient_policy == NULL)); log = FALSE; @@ -311,7 +292,7 @@ index fd4ab9e4..c4008505 100644 if (log) { -@@ -1738,23 +1770,29 @@ bus_context_check_security_policy (BusContext *context, +@@ -1742,23 +1774,29 @@ bus_context_check_security_policy (BusContext *context, complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, "Would reject message", toggles, message, sender, proposed_recipient, requested_reply, @@ -355,7 +336,7 @@ index fd4ab9e4..c4008505 100644 } /* See if limits on size have been exceeded */ -@@ -1764,10 +1802,10 @@ bus_context_check_security_policy (BusContext *context, +@@ -1768,10 +1806,10 @@ bus_context_check_security_policy (BusContext *context, { complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED, "Rejected: destination has a full message queue", @@ -368,7 +349,7 @@ index fd4ab9e4..c4008505 100644 } /* Record that we will allow a reply here in the future (don't -@@ -1784,11 +1822,11 @@ bus_context_check_security_policy (BusContext *context, +@@ -1792,11 +1830,11 @@ bus_context_check_security_policy (BusContext *context, message, error)) { _dbus_verbose ("Failed to record reply expectation or problem with the message expecting a reply\n"); @@ -383,13 +364,13 @@ index fd4ab9e4..c4008505 100644 void diff --git a/bus/bus.h b/bus/bus.h -index 3fab59ff..dab7791f 100644 +index 2e0de82..82c32c8 100644 --- a/bus/bus.h +++ b/bus/bus.h -@@ -44,6 +44,22 @@ typedef struct BusOwner BusOwner; - typedef struct BusTransaction BusTransaction; +@@ -45,6 +45,22 @@ typedef struct BusTransaction BusTransaction; typedef struct BusMatchmaker BusMatchmaker; typedef struct BusMatchRule BusMatchRule; + typedef struct BusActivationEntry BusActivationEntry; +typedef struct BusCheck BusCheck; +typedef struct BusDeferredMessage BusDeferredMessage; +typedef struct BusCynara BusCynara; @@ -409,7 +390,7 @@ index 3fab59ff..dab7791f 100644 typedef struct { -@@ -97,6 +113,7 @@ BusConnections* bus_context_get_connections (BusContext +@@ -101,6 +117,7 @@ BusConnections* bus_context_get_connections (BusContext BusActivation* bus_context_get_activation (BusContext *context); BusMatchmaker* bus_context_get_matchmaker (BusContext *context); DBusLoop* bus_context_get_loop (BusContext *context); @@ -417,31 +398,27 @@ index 3fab59ff..dab7791f 100644 dbus_bool_t bus_context_allow_unix_user (BusContext *context, unsigned long uid); dbus_bool_t bus_context_allow_windows_user (BusContext *context, -@@ -131,13 +148,14 @@ void bus_context_log_and_set_error (BusContext +@@ -136,14 +153,15 @@ void bus_context_log_and_set_error (BusContext const char *name, const char *msg, ...) _DBUS_GNUC_PRINTF (5, 6); -dbus_bool_t bus_context_check_security_policy (BusContext *context, -- BusTransaction *transaction, -- DBusConnection *sender, -- DBusConnection *addressed_recipient, -- DBusConnection *proposed_recipient, -- DBusMessage *message, ++BusResult bus_context_check_security_policy (BusContext *context, + BusTransaction *transaction, + DBusConnection *sender, + DBusConnection *addressed_recipient, + DBusConnection *proposed_recipient, + DBusMessage *message, + BusActivationEntry *activation_entry, - DBusError *error); -+BusResult bus_context_check_security_policy (BusContext *context, -+ BusTransaction *transaction, -+ DBusConnection *sender, -+ DBusConnection *addressed_recipient, -+ DBusConnection *proposed_recipient, -+ DBusMessage *message, -+ DBusError *error, ++ DBusError *error, + BusDeferredMessage **deferred_message); void bus_context_check_all_watches (BusContext *context); #endif /* BUS_BUS_H */ diff --git a/bus/check.c b/bus/check.c new file mode 100644 -index 00000000..5b72d31c +index 0000000..5b72d31 --- /dev/null +++ b/bus/check.c @@ -0,0 +1,217 @@ @@ -664,7 +641,7 @@ index 00000000..5b72d31c +} diff --git a/bus/check.h b/bus/check.h new file mode 100644 -index 00000000..c3fcaf90 +index 0000000..c3fcaf9 --- /dev/null +++ b/bus/check.h @@ -0,0 +1,68 @@ @@ -737,7 +714,7 @@ index 00000000..c3fcaf90 + BusResult result); +#endif /* BUS_CHECK_H */ diff --git a/bus/config-parser-common.c b/bus/config-parser-common.c -index 5db6b289..ea25f5e6 100644 +index c1c4191..e2f253d 100644 --- a/bus/config-parser-common.c +++ b/bus/config-parser-common.c @@ -75,6 +75,10 @@ bus_config_parser_element_name_to_type (const char *name) @@ -761,7 +738,7 @@ index 5db6b289..ea25f5e6 100644 return "fork"; case ELEMENT_PIDFILE: diff --git a/bus/config-parser-common.h b/bus/config-parser-common.h -index 382a0141..9e026d10 100644 +index 382a014..9e026d1 100644 --- a/bus/config-parser-common.h +++ b/bus/config-parser-common.h @@ -36,6 +36,7 @@ typedef enum @@ -773,10 +750,10 @@ index 382a0141..9e026d10 100644 ELEMENT_PIDFILE, ELEMENT_SERVICEDIR, diff --git a/bus/config-parser.c b/bus/config-parser.c -index d9f6042c..a8c4ca5d 100644 +index be27d38..b54b0e4 100644 --- a/bus/config-parser.c +++ b/bus/config-parser.c -@@ -1172,7 +1172,7 @@ append_rule_from_element (BusConfigParser *parser, +@@ -1318,7 +1318,7 @@ append_rule_from_element (BusConfigParser *parser, const char *element_name, const char **attribute_names, const char **attribute_values, @@ -785,15 +762,15 @@ index d9f6042c..a8c4ca5d 100644 DBusError *error) { const char *log; -@@ -1195,6 +1195,7 @@ append_rule_from_element (BusConfigParser *parser, +@@ -1360,6 +1360,7 @@ append_rule_from_element (BusConfigParser *parser, const char *own_prefix; const char *user; const char *group; + const char *privilege; BusPolicyRule *rule; - -@@ -1222,6 +1223,7 @@ append_rule_from_element (BusConfigParser *parser, + +@@ -1390,6 +1391,7 @@ append_rule_from_element (BusConfigParser *parser, "user", &user, "group", &group, "log", &log, @@ -801,15 +778,15 @@ index d9f6042c..a8c4ca5d 100644 NULL)) return FALSE; -@@ -1230,6 +1232,7 @@ append_rule_from_element (BusConfigParser *parser, - receive_interface || receive_member || receive_error || receive_sender || - receive_type || receive_path || eavesdrop || - send_requested_reply || receive_requested_reply || +@@ -1422,6 +1424,7 @@ append_rule_from_element (BusConfigParser *parser, + + if (!(any_send_attribute || + any_receive_attribute || + privilege || own || own_prefix || user || group)) { dbus_set_error (error, DBUS_ERROR_FAILED, -@@ -1246,7 +1249,30 @@ append_rule_from_element (BusConfigParser *parser, +@@ -1438,7 +1441,30 @@ append_rule_from_element (BusConfigParser *parser, element_name); return FALSE; } @@ -841,25 +818,25 @@ index d9f6042c..a8c4ca5d 100644 /* Allowed combinations of elements are: * * base, must be all send or all receive: -@@ -1420,7 +1446,7 @@ append_rule_from_element (BusConfigParser *parser, - return FALSE; - } - +@@ -1589,7 +1615,7 @@ append_rule_from_element (BusConfigParser *parser, + error)) + return FALSE; + - rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, allow); -+ rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, access); ++ rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, access); if (rule == NULL) goto nomem; -@@ -1502,7 +1528,7 @@ append_rule_from_element (BusConfigParser *parser, - return FALSE; - } - +@@ -1694,7 +1720,7 @@ append_rule_from_element (BusConfigParser *parser, + error)) + return FALSE; + - rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, allow); -+ rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, access); ++ rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, access); if (rule == NULL) goto nomem; -@@ -1532,7 +1558,7 @@ append_rule_from_element (BusConfigParser *parser, +@@ -1726,7 +1752,7 @@ append_rule_from_element (BusConfigParser *parser, } else if (own || own_prefix) { @@ -868,7 +845,7 @@ index d9f6042c..a8c4ca5d 100644 if (rule == NULL) goto nomem; -@@ -1558,7 +1584,7 @@ append_rule_from_element (BusConfigParser *parser, +@@ -1752,7 +1778,7 @@ append_rule_from_element (BusConfigParser *parser, { if (IS_WILDCARD (user)) { @@ -877,7 +854,7 @@ index d9f6042c..a8c4ca5d 100644 if (rule == NULL) goto nomem; -@@ -1573,7 +1599,7 @@ append_rule_from_element (BusConfigParser *parser, +@@ -1767,7 +1793,7 @@ append_rule_from_element (BusConfigParser *parser, if (_dbus_parse_unix_user_from_config (&username, &uid)) { @@ -886,7 +863,7 @@ index d9f6042c..a8c4ca5d 100644 if (rule == NULL) goto nomem; -@@ -1590,7 +1616,7 @@ append_rule_from_element (BusConfigParser *parser, +@@ -1784,7 +1810,7 @@ append_rule_from_element (BusConfigParser *parser, { if (IS_WILDCARD (group)) { @@ -895,7 +872,7 @@ index d9f6042c..a8c4ca5d 100644 if (rule == NULL) goto nomem; -@@ -1605,7 +1631,7 @@ append_rule_from_element (BusConfigParser *parser, +@@ -1799,7 +1825,7 @@ append_rule_from_element (BusConfigParser *parser, if (_dbus_parse_unix_group_from_config (&groupname, &gid)) { @@ -904,7 +881,7 @@ index d9f6042c..a8c4ca5d 100644 if (rule == NULL) goto nomem; -@@ -1629,6 +1655,10 @@ append_rule_from_element (BusConfigParser *parser, +@@ -1823,6 +1849,10 @@ append_rule_from_element (BusConfigParser *parser, _dbus_assert (pe != NULL); _dbus_assert (pe->type == ELEMENT_POLICY); @@ -915,7 +892,7 @@ index d9f6042c..a8c4ca5d 100644 switch (pe->d.policy.type) { case POLICY_IGNORED: -@@ -1703,7 +1733,7 @@ start_policy_child (BusConfigParser *parser, +@@ -1898,7 +1928,7 @@ start_policy_child (BusConfigParser *parser, { if (!append_rule_from_element (parser, element_name, attribute_names, attribute_values, @@ -924,7 +901,7 @@ index d9f6042c..a8c4ca5d 100644 return FALSE; if (push_element (parser, ELEMENT_ALLOW) == NULL) -@@ -1718,7 +1748,7 @@ start_policy_child (BusConfigParser *parser, +@@ -1913,7 +1943,7 @@ start_policy_child (BusConfigParser *parser, { if (!append_rule_from_element (parser, element_name, attribute_names, attribute_values, @@ -933,7 +910,7 @@ index d9f6042c..a8c4ca5d 100644 return FALSE; if (push_element (parser, ELEMENT_DENY) == NULL) -@@ -1727,6 +1757,21 @@ start_policy_child (BusConfigParser *parser, +@@ -1922,6 +1952,21 @@ start_policy_child (BusConfigParser *parser, return FALSE; } @@ -955,7 +932,7 @@ index d9f6042c..a8c4ca5d 100644 return TRUE; } else -@@ -2088,6 +2133,7 @@ bus_config_parser_end_element (BusConfigParser *parser, +@@ -2284,6 +2329,7 @@ bus_config_parser_end_element (BusConfigParser *parser, case ELEMENT_POLICY: case ELEMENT_ALLOW: case ELEMENT_DENY: @@ -963,7 +940,7 @@ index d9f6042c..a8c4ca5d 100644 case ELEMENT_FORK: case ELEMENT_SYSLOG: case ELEMENT_KEEP_UMASK: -@@ -2397,6 +2443,7 @@ bus_config_parser_content (BusConfigParser *parser, +@@ -2600,6 +2646,7 @@ bus_config_parser_content (BusConfigParser *parser, case ELEMENT_POLICY: case ELEMENT_ALLOW: case ELEMENT_DENY: @@ -971,7 +948,7 @@ index d9f6042c..a8c4ca5d 100644 case ELEMENT_FORK: case ELEMENT_SYSLOG: case ELEMENT_KEEP_UMASK: -@@ -2862,6 +2909,8 @@ do_load (const DBusString *full_path, +@@ -3127,6 +3174,8 @@ do_load (const DBusString *full_path, dbus_error_init (&error); parser = bus_config_load (full_path, TRUE, NULL, &error); @@ -981,7 +958,7 @@ index d9f6042c..a8c4ca5d 100644 { _DBUS_ASSERT_ERROR_IS_SET (&error); diff --git a/bus/connection.c b/bus/connection.c -index 02d6c220..eea50ecd 100644 +index 53605fa..deebde3 100644 --- a/bus/connection.c +++ b/bus/connection.c @@ -36,6 +36,10 @@ @@ -1061,7 +1038,7 @@ index 02d6c220..eea50ecd 100644 } static void -@@ -451,6 +458,10 @@ free_connection_data (void *data) +@@ -448,6 +455,10 @@ free_connection_data (void *data) dbus_free (d->name); @@ -1072,7 +1049,7 @@ index 02d6c220..eea50ecd 100644 dbus_free (d); } -@@ -1063,6 +1074,22 @@ bus_connection_get_policy (DBusConnection *connection) +@@ -1078,6 +1089,22 @@ bus_connection_get_policy (DBusConnection *connection) return d->policy; } @@ -1095,7 +1072,7 @@ index 02d6c220..eea50ecd 100644 static dbus_bool_t foreach_active (BusConnections *connections, BusConnectionForeachFunction function, -@@ -2289,6 +2316,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction, +@@ -2333,6 +2360,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction, DBusMessage *message) { DBusError error = DBUS_ERROR_INIT; @@ -1103,22 +1080,24 @@ index 02d6c220..eea50ecd 100644 /* We have to set the sender to the driver, and have * to check security policy since it was not done in -@@ -2326,9 +2354,11 @@ bus_transaction_send_from_driver (BusTransaction *transaction, +@@ -2370,10 +2398,12 @@ bus_transaction_send_from_driver (BusTransaction *transaction, * if we're actively capturing messages, it's nice to log that we * tried to send it and did not allow ourselves to do so. */ - if (!bus_context_check_security_policy (bus_transaction_get_context (transaction), - transaction, -- NULL, connection, connection, message, &error)) +- NULL, connection, connection, +- message, NULL, &error)) + res = bus_context_check_security_policy (bus_transaction_get_context (transaction), + transaction, -+ NULL, connection, connection, message, &error, ++ NULL, connection, connection, ++ message, NULL, &error, + NULL); + if (res == BUS_RESULT_FALSE) { - if (!bus_transaction_capture_error_reply (transaction, &error, message)) - { -@@ -2342,6 +2372,12 @@ bus_transaction_send_from_driver (BusTransaction *transaction, + if (!bus_transaction_capture_error_reply (transaction, connection, + &error, message)) +@@ -2388,6 +2418,12 @@ bus_transaction_send_from_driver (BusTransaction *transaction, dbus_error_free (&error); return TRUE; } @@ -1132,7 +1111,7 @@ index 02d6c220..eea50ecd 100644 return bus_transaction_send (transaction, connection, message); } diff --git a/bus/connection.h b/bus/connection.h -index 8c68d0a0..a6e5dfde 100644 +index 9e253ae..71078ea 100644 --- a/bus/connection.h +++ b/bus/connection.h @@ -31,6 +31,7 @@ @@ -1143,7 +1122,7 @@ index 8c68d0a0..a6e5dfde 100644 BusConnections* bus_connections_new (BusContext *context); BusConnections* bus_connections_ref (BusConnections *connections); -@@ -122,6 +123,9 @@ dbus_bool_t bus_connection_be_monitor (DBusConnection *connection, +@@ -124,6 +125,9 @@ dbus_bool_t bus_connection_be_monitor (DBusConnection *connection, BusTransaction *transaction, DBusList **rules, DBusError *error); @@ -1155,7 +1134,7 @@ index 8c68d0a0..a6e5dfde 100644 diff --git a/bus/cynara.c b/bus/cynara.c new file mode 100644 -index 00000000..57a4c45c +index 0000000..57a4c45 --- /dev/null +++ b/bus/cynara.c @@ -0,0 +1,374 @@ @@ -1535,7 +1514,7 @@ index 00000000..57a4c45c +#endif /* DBUS_ENABLE_CYNARA */ diff --git a/bus/cynara.h b/bus/cynara.h new file mode 100644 -index 00000000..c4728bb7 +index 0000000..c4728bb --- /dev/null +++ b/bus/cynara.h @@ -0,0 +1,37 @@ @@ -1577,7 +1556,7 @@ index 00000000..c4728bb7 + BusDeferredMessageStatus check_type, + BusDeferredMessage **deferred_message); diff --git a/bus/dispatch.c b/bus/dispatch.c -index edfa1b44..05be3bdf 100644 +index 19228be..7e51bc1 100644 --- a/bus/dispatch.c +++ b/bus/dispatch.c @@ -25,6 +25,7 @@ @@ -1588,7 +1567,7 @@ index edfa1b44..05be3bdf 100644 #include "connection.h" #include "driver.h" #include "services.h" -@@ -64,13 +65,17 @@ send_one_message (DBusConnection *connection, +@@ -64,14 +65,18 @@ send_one_message (DBusConnection *connection, DBusError *error) { DBusError stack_error = DBUS_ERROR_INIT; @@ -1601,14 +1580,15 @@ index edfa1b44..05be3bdf 100644 addressed_recipient, connection, message, + NULL, - &stack_error)) + &stack_error, + &deferred_message); + if (result != BUS_RESULT_TRUE) { - if (!bus_transaction_capture_error_reply (transaction, &stack_error, - message)) -@@ -129,6 +134,7 @@ bus_dispatch_matches (BusTransaction *transaction, + if (!bus_transaction_capture_error_reply (transaction, sender, + &stack_error, message)) +@@ -130,6 +135,7 @@ bus_dispatch_matches (BusTransaction *transaction, BusMatchmaker *matchmaker; DBusList *link; BusContext *context; @@ -1616,19 +1596,19 @@ index edfa1b44..05be3bdf 100644 _DBUS_ASSERT_ERROR_IS_CLEAR (error); -@@ -144,11 +150,21 @@ bus_dispatch_matches (BusTransaction *transaction, +@@ -145,11 +151,21 @@ bus_dispatch_matches (BusTransaction *transaction, /* First, send the message to the addressed_recipient, if there is one. */ if (addressed_recipient != NULL) { - if (!bus_context_check_security_policy (context, transaction, - sender, addressed_recipient, - addressed_recipient, -- message, error)) +- message, NULL, error)) + BusResult res; + res = bus_context_check_security_policy (context, transaction, + sender, addressed_recipient, + addressed_recipient, -+ message, error, ++ message, NULL, error, + &deferred_message); + if (res == BUS_RESULT_FALSE) return FALSE; @@ -1642,16 +1622,25 @@ index edfa1b44..05be3bdf 100644 if (dbus_message_contains_unix_fds (message) && !dbus_connection_can_send_type (addressed_recipient, -@@ -379,12 +395,24 @@ bus_dispatch (DBusConnection *connection, +@@ -374,19 +390,32 @@ bus_dispatch (DBusConnection *connection, if (service_name && strcmp (service_name, DBUS_SERVICE_DBUS) == 0) /* to bus driver */ { -- if (!bus_context_check_security_policy (context, transaction, -- connection, NULL, NULL, message, &error)) + BusDeferredMessage *deferred_message; + BusResult res; ++ + if (!bus_transaction_capture (transaction, connection, NULL, message)) + { + BUS_SET_OOM (&error); + goto out; + } + +- if (!bus_context_check_security_policy (context, transaction, +- connection, NULL, NULL, message, +- NULL, &error)) + res = bus_context_check_security_policy (context, transaction, -+ connection, NULL, NULL, message, &error, ++ connection, NULL, NULL, message, ++ NULL, &error, + &deferred_message); + if (res == BUS_RESULT_FALSE) { @@ -1670,7 +1659,7 @@ index edfa1b44..05be3bdf 100644 _dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS); if (!bus_driver_handle_message (connection, transaction, message, &error)) diff --git a/bus/policy.c b/bus/policy.c -index 082f3853..bcade176 100644 +index a37be80..7ee1ce5 100644 --- a/bus/policy.c +++ b/bus/policy.c @@ -22,6 +22,7 @@ @@ -1681,7 +1670,7 @@ index 082f3853..bcade176 100644 #include "policy.h" #include "services.h" #include "test.h" -@@ -32,7 +33,7 @@ +@@ -33,7 +34,7 @@ BusPolicyRule* bus_policy_rule_new (BusPolicyRuleType type, @@ -1690,7 +1679,7 @@ index 082f3853..bcade176 100644 { BusPolicyRule *rule; -@@ -42,7 +43,7 @@ bus_policy_rule_new (BusPolicyRuleType type, +@@ -43,7 +44,7 @@ bus_policy_rule_new (BusPolicyRuleType type, rule->type = type; rule->refcount = 1; @@ -1699,7 +1688,7 @@ index 082f3853..bcade176 100644 switch (rule->type) { -@@ -54,18 +55,19 @@ bus_policy_rule_new (BusPolicyRuleType type, +@@ -55,18 +56,19 @@ bus_policy_rule_new (BusPolicyRuleType type, break; case BUS_POLICY_RULE_SEND: rule->d.send.message_type = DBUS_MESSAGE_TYPE_INVALID; @@ -1722,9 +1711,9 @@ index 082f3853..bcade176 100644 break; case BUS_POLICY_RULE_OWN: break; -@@ -117,7 +119,8 @@ bus_policy_rule_unref (BusPolicyRule *rule) - case BUS_POLICY_RULE_GROUP: - break; +@@ -122,7 +124,8 @@ bus_policy_rule_unref (BusPolicyRule *rule) + default: + _dbus_assert_not_reached ("invalid rule"); } - + @@ -1732,7 +1721,7 @@ index 082f3853..bcade176 100644 dbus_free (rule); } } -@@ -427,7 +430,10 @@ list_allows_user (dbus_bool_t def, +@@ -435,7 +438,10 @@ list_allows_user (dbus_bool_t def, else continue; @@ -1744,7 +1733,7 @@ index 082f3853..bcade176 100644 } return allowed; -@@ -862,18 +868,23 @@ bus_client_policy_append_rule (BusClientPolicy *policy, +@@ -873,18 +879,23 @@ bus_client_policy_append_rule (BusClientPolicy *policy, return TRUE; } @@ -1778,7 +1767,7 @@ index 082f3853..bcade176 100644 /* policy->rules is in the order the rules appeared * in the config file, i.e. last rule that applies wins */ -@@ -881,7 +892,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, +@@ -892,7 +903,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, _dbus_verbose (" (policy) checking send rules\n"); *toggles = 0; @@ -1787,7 +1776,7 @@ index 082f3853..bcade176 100644 link = _dbus_list_get_first_link (&policy->rules); while (link != NULL) { -@@ -912,13 +923,14 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, +@@ -923,13 +934,14 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, /* If it's a reply, the requested_reply flag kicks in */ if (dbus_message_get_reply_serial (message) != 0) { @@ -1807,7 +1796,7 @@ index 082f3853..bcade176 100644 continue; } -@@ -926,7 +938,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, +@@ -937,7 +949,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, * when the reply was not requested. requested_reply=true means the * rule always applies. */ @@ -1816,7 +1805,7 @@ index 082f3853..bcade176 100644 { _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n"); continue; -@@ -949,13 +961,15 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, +@@ -960,13 +972,15 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, /* The interface is optional in messages. For allow rules, if the message * has no interface we want to skip the rule (and thus not allow); * for deny rules, if the message has no interface we want to use the @@ -1834,7 +1823,7 @@ index 082f3853..bcade176 100644 (!no_interface && strcmp (dbus_message_get_interface (message), rule->d.send.interface) != 0)) -@@ -1029,33 +1043,63 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, +@@ -1079,33 +1093,63 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, } /* Use this rule */ @@ -1912,7 +1901,7 @@ index 082f3853..bcade176 100644 eavesdropping = addressed_recipient != proposed_recipient && -@@ -1068,7 +1112,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1118,7 +1162,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, _dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping); *toggles = 0; @@ -1921,7 +1910,7 @@ index 082f3853..bcade176 100644 link = _dbus_list_get_first_link (&policy->rules); while (link != NULL) { -@@ -1091,19 +1135,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1141,19 +1185,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, } } @@ -1948,7 +1937,7 @@ index 082f3853..bcade176 100644 { _dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n"); continue; -@@ -1112,13 +1158,14 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1162,13 +1208,14 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, /* If it's a reply, the requested_reply flag kicks in */ if (dbus_message_get_reply_serial (message) != 0) { @@ -1968,7 +1957,7 @@ index 082f3853..bcade176 100644 continue; } -@@ -1126,7 +1173,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1176,7 +1223,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, * when the reply was not requested. requested_reply=true means the * rule always applies. */ @@ -1977,7 +1966,7 @@ index 082f3853..bcade176 100644 { _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n"); continue; -@@ -1149,13 +1196,13 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1199,13 +1246,13 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, /* The interface is optional in messages. For allow rules, if the message * has no interface we want to skip the rule (and thus not allow); * for deny rules, if the message has no interface we want to use the @@ -1993,9 +1982,9 @@ index 082f3853..bcade176 100644 (!no_interface && strcmp (dbus_message_get_interface (message), rule->d.receive.interface) != 0)) -@@ -1230,14 +1277,42 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1295,14 +1342,42 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, } - + /* Use this rule */ - allowed = rule->allow; + switch (rule->access) @@ -2040,7 +2029,7 @@ index 082f3853..bcade176 100644 } -@@ -1289,7 +1364,7 @@ bus_rules_check_can_own (DBusList *rules, +@@ -1354,7 +1429,7 @@ bus_rules_check_can_own (DBusList *rules, } /* Use this rule */ @@ -2050,12 +2039,12 @@ index 082f3853..bcade176 100644 return allowed; diff --git a/bus/policy.h b/bus/policy.h -index d1d3e72b..e9f193af 100644 +index ec43ffa..f306a3c 100644 --- a/bus/policy.h +++ b/bus/policy.h -@@ -39,6 +39,14 @@ typedef enum - BUS_POLICY_RULE_GROUP - } BusPolicyRuleType; +@@ -46,6 +46,14 @@ typedef enum + BUS_POLICY_TRISTATE_TRUE + } BusPolicyTristate; +typedef enum +{ @@ -2068,7 +2057,7 @@ index d1d3e72b..e9f193af 100644 /** determines whether the rule affects a connection, or some global item */ #define BUS_POLICY_RULE_IS_PER_CLIENT(rule) (!((rule)->type == BUS_POLICY_RULE_USER || \ (rule)->type == BUS_POLICY_RULE_GROUP)) -@@ -49,8 +57,9 @@ struct BusPolicyRule +@@ -56,8 +64,9 @@ struct BusPolicyRule BusPolicyRuleType type; @@ -2080,7 +2069,7 @@ index d1d3e72b..e9f193af 100644 union { struct -@@ -106,7 +115,7 @@ struct BusPolicyRule +@@ -118,7 +127,7 @@ struct BusPolicyRule }; BusPolicyRule* bus_policy_rule_new (BusPolicyRuleType type, @@ -2089,7 +2078,7 @@ index d1d3e72b..e9f193af 100644 BusPolicyRule* bus_policy_rule_ref (BusPolicyRule *rule); void bus_policy_rule_unref (BusPolicyRule *rule); -@@ -140,21 +149,27 @@ dbus_bool_t bus_policy_merge (BusPolicy *policy, +@@ -152,21 +161,27 @@ dbus_bool_t bus_policy_merge (BusPolicy *policy, BusClientPolicy* bus_client_policy_new (void); BusClientPolicy* bus_client_policy_ref (BusClientPolicy *policy); void bus_client_policy_unref (BusClientPolicy *policy); @@ -2133,10 +2122,10 @@ index d1d3e72b..e9f193af 100644 const DBusString *service_name); dbus_bool_t bus_client_policy_append_rule (BusClientPolicy *policy, diff --git a/configure.ac b/configure.ac -index 71e3515c..f3a2ffc1 100644 +index 80671b2..d975b04 100644 --- a/configure.ac +++ b/configure.ac -@@ -1873,6 +1873,17 @@ AC_ARG_ENABLE([user-session], +@@ -1761,6 +1761,17 @@ AC_ARG_ENABLE([user-session], AM_CONDITIONAL([DBUS_ENABLE_USER_SESSION], [test "x$enable_user_session" = xyes]) @@ -2154,7 +2143,7 @@ index 71e3515c..f3a2ffc1 100644 AC_CONFIG_FILES([ Doxyfile dbus/Version -@@ -1952,6 +1963,7 @@ echo " +@@ -1843,6 +1854,7 @@ echo " Building bus stats API: ${enable_stats} Building SELinux support: ${have_selinux} Building AppArmor support: ${have_apparmor} @@ -2163,20 +2152,20 @@ index 71e3515c..f3a2ffc1 100644 Building kqueue support: ${have_kqueue} Building systemd support: ${have_systemd} diff --git a/test/Makefile.am b/test/Makefile.am -index 914dd7f2..86882537 100644 +index 6a6e1a3..ce84dbc 100644 --- a/test/Makefile.am +++ b/test/Makefile.am -@@ -341,6 +341,7 @@ in_data = \ +@@ -439,6 +439,7 @@ in_data = \ data/valid-config-files/debug-allow-all.conf.in \ data/valid-config-files/finite-timeout.conf.in \ data/valid-config-files/forbidding.conf.in \ + data/valid-config-files/debug-check-some.conf.in \ data/valid-config-files/incoming-limit.conf.in \ - data/valid-config-files/multi-user.conf.in \ - data/valid-config-files/systemd-activation.conf.in \ + data/valid-config-files/max-completed-connections.conf.in \ + data/valid-config-files/max-connections-per-user.conf.in \ diff --git a/test/data/invalid-config-files/badcheck-1.conf b/test/data/invalid-config-files/badcheck-1.conf new file mode 100644 -index 00000000..fad9f502 +index 0000000..fad9f50 --- /dev/null +++ b/test/data/invalid-config-files/badcheck-1.conf @@ -0,0 +1,9 @@ @@ -2191,7 +2180,7 @@ index 00000000..fad9f502 +</busconfig> diff --git a/test/data/invalid-config-files/badcheck-2.conf b/test/data/invalid-config-files/badcheck-2.conf new file mode 100644 -index 00000000..63c7ef25 +index 0000000..63c7ef2 --- /dev/null +++ b/test/data/invalid-config-files/badcheck-2.conf @@ -0,0 +1,9 @@ @@ -2206,7 +2195,7 @@ index 00000000..63c7ef25 +</busconfig> diff --git a/test/data/valid-config-files/check-1.conf b/test/data/valid-config-files/check-1.conf new file mode 100644 -index 00000000..ad714733 +index 0000000..ad71473 --- /dev/null +++ b/test/data/valid-config-files/check-1.conf @@ -0,0 +1,9 @@ @@ -2221,7 +2210,7 @@ index 00000000..ad714733 +</busconfig> diff --git a/test/data/valid-config-files/debug-check-some.conf.in b/test/data/valid-config-files/debug-check-some.conf.in new file mode 100644 -index 00000000..47ee8548 +index 0000000..47ee854 --- /dev/null +++ b/test/data/valid-config-files/debug-check-some.conf.in @@ -0,0 +1,18 @@ @@ -2243,19 +2232,3 @@ index 00000000..47ee8548 + <check privilege="foo" send_interface="org.freedesktop.TestSuite" send_member="Echo"/> + </policy> +</busconfig> -diff --git a/tools/dbus-send.c b/tools/dbus-send.c -index 0dc1f5b3..76ddab3f 100644 ---- a/tools/dbus-send.c -+++ b/tools/dbus-send.c -@@ -458,7 +458,7 @@ main (int argc, char *argv[]) - char *arg; - char *c; - int type; -- int secondary_type; -+ int secondary_type = 0; - int container_type; - DBusMessageIter *target_iter; - DBusMessageIter container_iter; --- -2.14.3 - diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch index b1c3f3fdc..4fd75510e 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch +++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch @@ -22,27 +22,16 @@ Change-Id: I57eccbf973525fd51369c7d4e58908292f44da80 Cherry-picked from b1b87ad9f20b2052c28431b48e81073078a745ce by Jose Bollo. +Updated for dbus 1.12.10 by Scott Murray. + Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - bus/activation.c | 78 +++++++++++++++-- - bus/check.c | 109 ++++++++++++++++++++++-- - bus/check.h | 10 +++ - bus/cynara.c | 1 - - bus/dispatch.c | 184 ++++++++++++++++++++++++++++++++++++---- - bus/dispatch.h | 2 +- - bus/driver.c | 12 ++- - dbus/dbus-connection-internal.h | 15 ++++ - dbus/dbus-connection.c | 125 +++++++++++++++++++++++++-- - dbus/dbus-list.c | 29 +++++++ - dbus/dbus-list.h | 3 + - dbus/dbus-shared.h | 3 +- - 12 files changed, 528 insertions(+), 43 deletions(-) +Signed-off-by: Scott Murray <scott.murray@konsulko.com> diff --git a/bus/activation.c b/bus/activation.c -index 1a98af6d..343d3f22 100644 +index 451179d..5f02153 100644 --- a/bus/activation.c +++ b/bus/activation.c -@@ -31,6 +31,7 @@ +@@ -32,6 +32,7 @@ #include "services.h" #include "test.h" #include "utils.h" @@ -50,7 +39,7 @@ index 1a98af6d..343d3f22 100644 #include <dbus/dbus-internals.h> #include <dbus/dbus-hash.h> #include <dbus/dbus-list.h> -@@ -91,6 +92,8 @@ struct BusPendingActivationEntry +@@ -94,6 +95,8 @@ struct BusPendingActivationEntry DBusConnection *connection; dbus_bool_t auto_activation; @@ -59,7 +48,7 @@ index 1a98af6d..343d3f22 100644 }; typedef struct -@@ -1180,20 +1183,23 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation +@@ -1241,20 +1244,23 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation BusPendingActivationEntry *entry = link->data; DBusList *next = _dbus_list_get_next_link (&pending_activation->entries, link); @@ -88,7 +77,7 @@ index 1a98af6d..343d3f22 100644 { /* If permission is denied, we just want to return the error * to the original method invoker; in particular, we don't -@@ -1205,9 +1211,40 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation +@@ -1266,9 +1272,40 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation bus_connection_send_oom_error (entry->connection, entry->activation_message); } @@ -131,7 +120,7 @@ index 1a98af6d..343d3f22 100644 } } -@@ -1225,6 +1262,19 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation +@@ -1286,6 +1323,19 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation return TRUE; error: @@ -151,20 +140,22 @@ index 1a98af6d..343d3f22 100644 return FALSE; } -@@ -2028,13 +2078,23 @@ bus_activation_activate_service (BusActivation *activation, +@@ -2078,6 +2128,7 @@ bus_activation_activate_service (BusActivation *activation, if (service != NULL) { + BusResult res; bus_context_log (activation->context, - DBUS_SYSTEM_LOG_INFO, "Activating via systemd: service name='%s' unit='%s'", + DBUS_SYSTEM_LOG_INFO, "Activating via systemd: service name='%s' unit='%s' requested by '%s' (%s)", service_name, - entry->systemd_service); +@@ -2085,8 +2136,17 @@ bus_activation_activate_service (BusActivation *activation, + bus_connection_get_name (connection), + bus_connection_get_loginfo (connection)); /* Wonderful, systemd is connected, let's just send the msg */ -- retval = bus_dispatch_matches (activation_transaction, NULL, bus_service_get_primary_owners_connection (service), -- message, error); -+ res = bus_dispatch_matches (activation_transaction, NULL, bus_service_get_primary_owners_connection (service), -+ message, error); +- retval = bus_dispatch_matches (activation_transaction, NULL, +- systemd, message, error); ++ res = bus_dispatch_matches (activation_transaction, NULL, ++ systemd, message, error); + + if (res == BUS_RESULT_TRUE) + retval = TRUE; @@ -178,7 +169,7 @@ index 1a98af6d..343d3f22 100644 else { diff --git a/bus/check.c b/bus/check.c -index 5b72d31c..4b8a6994 100644 +index 5b72d31..4b8a699 100644 --- a/bus/check.c +++ b/bus/check.c @@ -55,6 +55,8 @@ typedef struct BusDeferredMessage @@ -348,7 +339,7 @@ index 5b72d31c..4b8a6994 100644 bus_deferred_message_response_received (BusDeferredMessage *deferred_message, BusResult result) diff --git a/bus/check.h b/bus/check.h -index c3fcaf90..d1775497 100644 +index c3fcaf9..d177549 100644 --- a/bus/check.h +++ b/bus/check.h @@ -55,6 +55,7 @@ BusResult bus_check_privilege (BusCheck *check, @@ -374,7 +365,7 @@ index c3fcaf90..d1775497 100644 + #endif /* BUS_CHECK_H */ diff --git a/bus/cynara.c b/bus/cynara.c -index 57a4c45c..77aed623 100644 +index 57a4c45..77aed62 100644 --- a/bus/cynara.c +++ b/bus/cynara.c @@ -36,7 +36,6 @@ @@ -386,7 +377,7 @@ index 57a4c45c..77aed623 100644 typedef struct BusCynara { diff --git a/bus/dispatch.c b/bus/dispatch.c -index 05be3bdf..7353501b 100644 +index 7e51bc1..0250b53 100644 --- a/bus/dispatch.c +++ b/bus/dispatch.c @@ -35,6 +35,7 @@ @@ -397,7 +388,7 @@ index 05be3bdf..7353501b 100644 #include <dbus/dbus-misc.h> #include <string.h> -@@ -121,7 +122,7 @@ send_one_message (DBusConnection *connection, +@@ -122,7 +123,7 @@ send_one_message (DBusConnection *connection, return TRUE; } @@ -406,8 +397,8 @@ index 05be3bdf..7353501b 100644 bus_dispatch_matches (BusTransaction *transaction, DBusConnection *sender, DBusConnection *addressed_recipient, -@@ -157,13 +158,29 @@ bus_dispatch_matches (BusTransaction *transaction, - message, error, +@@ -158,13 +159,29 @@ bus_dispatch_matches (BusTransaction *transaction, + message, NULL, error, &deferred_message); if (res == BUS_RESULT_FALSE) - return FALSE; @@ -441,7 +432,7 @@ index 05be3bdf..7353501b 100644 } if (dbus_message_contains_unix_fds (message) && -@@ -174,14 +191,14 @@ bus_dispatch_matches (BusTransaction *transaction, +@@ -175,14 +192,14 @@ bus_dispatch_matches (BusTransaction *transaction, DBUS_ERROR_NOT_SUPPORTED, "Tried to send message with Unix file descriptors" "to a client that doesn't support that."); @@ -459,7 +450,7 @@ index 05be3bdf..7353501b 100644 } } -@@ -196,7 +213,7 @@ bus_dispatch_matches (BusTransaction *transaction, +@@ -197,7 +214,7 @@ bus_dispatch_matches (BusTransaction *transaction, &recipients)) { BUS_SET_OOM (error); @@ -468,7 +459,7 @@ index 05be3bdf..7353501b 100644 } link = _dbus_list_get_first_link (&recipients); -@@ -218,10 +235,10 @@ bus_dispatch_matches (BusTransaction *transaction, +@@ -219,10 +236,10 @@ bus_dispatch_matches (BusTransaction *transaction, if (dbus_error_is_set (&tmp_error)) { dbus_move_error (&tmp_error, error); @@ -481,7 +472,7 @@ index 05be3bdf..7353501b 100644 } static DBusHandlerResult -@@ -407,10 +424,12 @@ bus_dispatch (DBusConnection *connection, +@@ -410,10 +427,12 @@ bus_dispatch (DBusConnection *connection, } else if (res == BUS_RESULT_LATER) { @@ -498,7 +489,7 @@ index 05be3bdf..7353501b 100644 goto out; } -@@ -475,8 +494,14 @@ bus_dispatch (DBusConnection *connection, +@@ -515,8 +534,14 @@ bus_dispatch (DBusConnection *connection, * addressed_recipient == NULL), and match it against other connections' * match rules. */ @@ -515,9 +506,9 @@ index 05be3bdf..7353501b 100644 out: if (dbus_error_is_set (&error)) -@@ -5001,9 +5026,132 @@ bus_dispatch_test_conf_fail (const DBusString *test_data_dir, - return TRUE; +@@ -5061,9 +5086,132 @@ bus_dispatch_test_conf_fail (const DBusString *test_data_dir, } + #endif +typedef struct { + DBusTimeout *timeout; @@ -649,7 +640,7 @@ index 05be3bdf..7353501b 100644 _dbus_verbose ("Normal activation tests\n"); if (!bus_dispatch_test_conf (test_data_dir, diff --git a/bus/dispatch.h b/bus/dispatch.h -index fb5ba7a5..afba6a24 100644 +index fb5ba7a..afba6a2 100644 --- a/bus/dispatch.h +++ b/bus/dispatch.h @@ -29,7 +29,7 @@ @@ -662,10 +653,10 @@ index fb5ba7a5..afba6a24 100644 DBusConnection *recipient, DBusMessage *message, diff --git a/bus/driver.c b/bus/driver.c -index b7e1a0a0..a5823d4d 100644 +index cd0a714..f414f64 100644 --- a/bus/driver.c +++ b/bus/driver.c -@@ -225,6 +225,7 @@ bus_driver_send_service_owner_changed (const char *service_name, +@@ -218,6 +218,7 @@ bus_driver_send_service_owner_changed (const char *service_name, { DBusMessage *message; dbus_bool_t retval; @@ -673,8 +664,8 @@ index b7e1a0a0..a5823d4d 100644 const char *null_service; _DBUS_ASSERT_ERROR_IS_CLEAR (error); -@@ -260,7 +261,16 @@ bus_driver_send_service_owner_changed (const char *service_name, - if (!bus_transaction_capture (transaction, NULL, message)) +@@ -253,7 +254,16 @@ bus_driver_send_service_owner_changed (const char *service_name, + if (!bus_transaction_capture (transaction, NULL, NULL, message)) goto oom; - retval = bus_dispatch_matches (transaction, NULL, NULL, message, error); @@ -692,7 +683,7 @@ index b7e1a0a0..a5823d4d 100644 return retval; diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h -index 48357321..94b1c951 100644 +index 4835732..94b1c95 100644 --- a/dbus/dbus-connection-internal.h +++ b/dbus/dbus-connection-internal.h @@ -118,6 +118,21 @@ DBUS_PRIVATE_EXPORT @@ -718,7 +709,7 @@ index 48357321..94b1c951 100644 DBUS_PRIVATE_EXPORT void _dbus_connection_get_stats (DBusConnection *connection, diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c -index 7f5b3292..ed0be70d 100644 +index c525b6d..f1b0ea0 100644 --- a/dbus/dbus-connection.c +++ b/dbus/dbus-connection.c @@ -311,7 +311,8 @@ struct DBusConnection @@ -771,7 +762,7 @@ index 7f5b3292..ed0be70d 100644 #ifdef DBUS_ENABLE_EMBEDDED_TESTS /** * Gets the locks so we can examine them -@@ -4070,6 +4104,82 @@ _dbus_connection_putback_message_link_unlocked (DBusConnection *connection, +@@ -4069,6 +4103,82 @@ _dbus_connection_putback_message_link_unlocked (DBusConnection *connection, "_dbus_connection_putback_message_link_unlocked"); } @@ -854,7 +845,7 @@ index 7f5b3292..ed0be70d 100644 /** * Returns the first-received message from the incoming message queue, * removing it from the queue. The caller owns a reference to the -@@ -4253,8 +4363,9 @@ static DBusDispatchStatus +@@ -4252,8 +4362,9 @@ static DBusDispatchStatus _dbus_connection_get_dispatch_status_unlocked (DBusConnection *connection) { HAVE_LOCK_CHECK (connection); @@ -866,7 +857,7 @@ index 7f5b3292..ed0be70d 100644 return DBUS_DISPATCH_DATA_REMAINS; else if (!_dbus_transport_queue_messages (connection->transport)) return DBUS_DISPATCH_NEED_MEMORY; -@@ -4717,6 +4828,8 @@ dbus_connection_dispatch (DBusConnection *connection) +@@ -4716,6 +4827,8 @@ dbus_connection_dispatch (DBusConnection *connection) CONNECTION_LOCK (connection); @@ -875,7 +866,7 @@ index 7f5b3292..ed0be70d 100644 if (result == DBUS_HANDLER_RESULT_NEED_MEMORY) { _dbus_verbose ("No memory\n"); -@@ -4839,9 +4952,11 @@ dbus_connection_dispatch (DBusConnection *connection) +@@ -4838,9 +4951,11 @@ dbus_connection_dispatch (DBusConnection *connection) connection); out: @@ -890,7 +881,7 @@ index 7f5b3292..ed0be70d 100644 /* Put message back, and we'll start over. * Yes this means handlers must be idempotent if they diff --git a/dbus/dbus-list.c b/dbus/dbus-list.c -index c4c1856f..f84918b1 100644 +index 8e713c0..32ea871 100644 --- a/dbus/dbus-list.c +++ b/dbus/dbus-list.c @@ -458,6 +458,35 @@ _dbus_list_remove_last (DBusList **list, @@ -930,7 +921,7 @@ index c4c1856f..f84918b1 100644 * Finds a value in the list. Returns the last link * with value equal to the given data pointer. diff --git a/dbus/dbus-list.h b/dbus/dbus-list.h -index 9350a0da..fee9f1bc 100644 +index 9350a0d..fee9f1b 100644 --- a/dbus/dbus-list.h +++ b/dbus/dbus-list.h @@ -68,6 +68,9 @@ DBUS_PRIVATE_EXPORT @@ -944,7 +935,7 @@ index 9350a0da..fee9f1bc 100644 void *data); DBUS_PRIVATE_EXPORT diff --git a/dbus/dbus-shared.h b/dbus/dbus-shared.h -index 7ab91035..e5bfbed6 100644 +index 7ab9103..e5bfbed 100644 --- a/dbus/dbus-shared.h +++ b/dbus/dbus-shared.h @@ -67,7 +67,8 @@ typedef enum @@ -957,6 +948,3 @@ index 7ab91035..e5bfbed6 100644 } DBusHandlerResult; /* Bus names */ --- -2.14.3 - diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch index b797064ec..7f17bd00a 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch +++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch @@ -23,26 +23,16 @@ Change-Id: Iecd5395f75a4c7811fa97247a37d8fc4d42e8814 Cherry picked from 1e231194610892dd4360224998d91336097b05a1 by Jose Bollo +Updated for dbus 1.12.10 by Scott Murray. + Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - bus/activation.c | 4 +- - bus/bus.c | 50 +++++++-- - bus/bus.h | 19 ++++ - bus/check.c | 307 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ - bus/check.h | 25 +++++ - bus/connection.c | 169 ++++++++++++++++++++++++++++-- - bus/connection.h | 19 +++- - bus/dispatch.c | 121 ++++++++++++++++++---- - bus/dispatch.h | 11 +- - bus/driver.c | 2 +- - bus/policy.c | 6 ++ - 11 files changed, 686 insertions(+), 47 deletions(-) +Signed-off-by: Scott Murray <scott.murray@konsulko.com> diff --git a/bus/activation.c b/bus/activation.c -index 343d3f22..11bd8386 100644 +index 5f02153..f2981e1 100644 --- a/bus/activation.c +++ b/bus/activation.c -@@ -1198,7 +1198,7 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation +@@ -1259,7 +1259,7 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation res = bus_dispatch_matches (transaction, entry->connection, addressed_recipient, @@ -51,20 +41,20 @@ index 343d3f22..11bd8386 100644 if (res == BUS_RESULT_FALSE) { /* If permission is denied, we just want to return the error -@@ -2085,7 +2085,7 @@ bus_activation_activate_service (BusActivation *activation, - entry->systemd_service); +@@ -2137,7 +2137,7 @@ bus_activation_activate_service (BusActivation *activation, + bus_connection_get_loginfo (connection)); /* Wonderful, systemd is connected, let's just send the msg */ - res = bus_dispatch_matches (activation_transaction, NULL, bus_service_get_primary_owners_connection (service), -- message, error); -+ message, NULL, error); + res = bus_dispatch_matches (activation_transaction, NULL, +- systemd, message, error); ++ systemd, message, NULL, error); if (res == BUS_RESULT_TRUE) retval = TRUE; diff --git a/bus/bus.c b/bus/bus.c -index c4008505..911e2340 100644 +index 237efe3..5bb5637 100644 --- a/bus/bus.c +++ b/bus/bus.c -@@ -1796,17 +1796,9 @@ bus_context_check_security_policy (BusContext *context, +@@ -1800,17 +1800,9 @@ bus_context_check_security_policy (BusContext *context, } /* See if limits on size have been exceeded */ @@ -84,7 +74,7 @@ index c4008505..911e2340 100644 /* Record that we will allow a reply here in the future (don't * bother if the recipient is the bus or this is an eavesdropping -@@ -1861,3 +1853,41 @@ bus_context_check_all_watches (BusContext *context) +@@ -1869,3 +1861,41 @@ bus_context_check_all_watches (BusContext *context) _dbus_server_toggle_all_watches (server, enabled); } } @@ -127,10 +117,10 @@ index c4008505..911e2340 100644 + return TRUE; +} diff --git a/bus/bus.h b/bus/bus.h -index dab7791f..445165c9 100644 +index 82c32c8..1b08f7c 100644 --- a/bus/bus.h +++ b/bus/bus.h -@@ -158,4 +158,23 @@ BusResult bus_context_check_security_policy (BusContext +@@ -164,4 +164,23 @@ BusResult bus_context_check_security_policy (BusContext BusDeferredMessage **deferred_message); void bus_context_check_all_watches (BusContext *context); @@ -155,7 +145,7 @@ index dab7791f..445165c9 100644 + #endif /* BUS_BUS_H */ diff --git a/bus/check.c b/bus/check.c -index 4b8a6994..b8833349 100644 +index 4b8a699..f3d283f 100644 --- a/bus/check.c +++ b/bus/check.c @@ -49,6 +49,9 @@ typedef struct BusDeferredMessage @@ -370,7 +360,7 @@ index 4b8a6994..b8833349 100644 + deferred_message->sender, + deferred_message->addressed_recipient, + deferred_message->proposed_recipient, -+ deferred_message->message, NULL, ++ deferred_message->message, NULL, NULL, + &deferred_message2); + + if (result == BUS_RESULT_LATER) @@ -511,7 +501,7 @@ index 4b8a6994..b8833349 100644 } + diff --git a/bus/check.h b/bus/check.h -index d1775497..9c13c184 100644 +index d177549..9c13c18 100644 --- a/bus/check.h +++ b/bus/check.h @@ -64,12 +64,37 @@ BusDeferredMessage *bus_deferred_message_new (DBusMessage *messag @@ -553,7 +543,7 @@ index d1775497..9c13c184 100644 extern BusResult (*bus_check_test_override) (DBusConnection *connection, const char *privilege); diff --git a/bus/connection.c b/bus/connection.c -index eea50ecd..1c0bdffb 100644 +index deebde3..f9e563b 100644 --- a/bus/connection.c +++ b/bus/connection.c @@ -31,11 +31,13 @@ @@ -587,7 +577,7 @@ index eea50ecd..1c0bdffb 100644 bus_dispatch_remove_connection (connection); /* no more watching */ -@@ -2264,7 +2269,7 @@ bus_transaction_capture (BusTransaction *transaction, +@@ -2307,7 +2312,7 @@ bus_transaction_capture (BusTransaction *transaction, { DBusConnection *recipient = link->data; @@ -596,7 +586,7 @@ index eea50ecd..1c0bdffb 100644 goto out; } -@@ -2317,6 +2322,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction, +@@ -2361,6 +2366,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction, { DBusError error = DBUS_ERROR_INIT; BusResult res; @@ -604,17 +594,17 @@ index eea50ecd..1c0bdffb 100644 /* We have to set the sender to the driver, and have * to check security policy since it was not done in -@@ -2357,7 +2363,8 @@ bus_transaction_send_from_driver (BusTransaction *transaction, - res = bus_context_check_security_policy (bus_transaction_get_context (transaction), +@@ -2402,7 +2408,8 @@ bus_transaction_send_from_driver (BusTransaction *transaction, transaction, - NULL, connection, connection, message, &error, + NULL, connection, connection, + message, NULL, &error, - NULL); + &deferred_message); + if (res == BUS_RESULT_FALSE) { - if (!bus_transaction_capture_error_reply (transaction, &error, message)) -@@ -2374,18 +2381,20 @@ bus_transaction_send_from_driver (BusTransaction *transaction, + if (!bus_transaction_capture_error_reply (transaction, connection, +@@ -2420,18 +2427,20 @@ bus_transaction_send_from_driver (BusTransaction *transaction, } else if (res == BUS_RESULT_LATER) { @@ -639,7 +629,7 @@ index eea50ecd..1c0bdffb 100644 { MessageToSend *to_send; BusConnectionData *d; -@@ -2411,7 +2420,28 @@ bus_transaction_send (BusTransaction *transaction, +@@ -2457,7 +2466,28 @@ bus_transaction_send (BusTransaction *transaction, d = BUS_CONNECTION_DATA (connection); _dbus_assert (d != NULL); @@ -669,7 +659,7 @@ index eea50ecd..1c0bdffb 100644 to_send = dbus_new (MessageToSend, 1); if (to_send == NULL) { -@@ -2663,6 +2693,131 @@ bus_transaction_add_cancel_hook (BusTransaction *transaction, +@@ -2709,6 +2739,131 @@ bus_transaction_add_cancel_hook (BusTransaction *transaction, return TRUE; } @@ -802,10 +792,10 @@ index eea50ecd..1c0bdffb 100644 bus_connections_get_n_active (BusConnections *connections) { diff --git a/bus/connection.h b/bus/connection.h -index a6e5dfde..46e883e6 100644 +index 71078ea..97dae96 100644 --- a/bus/connection.h +++ b/bus/connection.h -@@ -83,6 +83,22 @@ dbus_bool_t bus_connection_preallocate_oom_error (DBusConnection *connection); +@@ -85,6 +85,22 @@ dbus_bool_t bus_connection_preallocate_oom_error (DBusConnection *connection); void bus_connection_send_oom_error (DBusConnection *connection, DBusMessage *in_reply_to); @@ -828,7 +818,7 @@ index a6e5dfde..46e883e6 100644 /* called by signals.c */ dbus_bool_t bus_connection_add_match_rule (DBusConnection *connection, BusMatchRule *rule); -@@ -135,7 +151,8 @@ BusTransaction* bus_transaction_new (BusContext * +@@ -137,7 +153,8 @@ BusTransaction* bus_transaction_new (BusContext * BusContext* bus_transaction_get_context (BusTransaction *transaction); dbus_bool_t bus_transaction_send (BusTransaction *transaction, DBusConnection *connection, @@ -837,9 +827,9 @@ index a6e5dfde..46e883e6 100644 + dbus_bool_t deferred_dispatch); dbus_bool_t bus_transaction_capture (BusTransaction *transaction, DBusConnection *connection, - DBusMessage *message); + DBusConnection *addressed_recipient, diff --git a/bus/dispatch.c b/bus/dispatch.c -index 7353501b..e32c9263 100644 +index 0250b53..1bdcbf0 100644 --- a/bus/dispatch.c +++ b/bus/dispatch.c @@ -33,6 +33,7 @@ @@ -850,16 +840,16 @@ index 7353501b..e32c9263 100644 #include "test.h" #include <dbus/dbus-internals.h> #include <dbus/dbus-connection-internal.h> -@@ -76,7 +77,7 @@ send_one_message (DBusConnection *connection, - message, +@@ -77,7 +78,7 @@ send_one_message (DBusConnection *connection, + NULL, &stack_error, &deferred_message); - if (result != BUS_RESULT_TRUE) + if (result == BUS_RESULT_FALSE) { - if (!bus_transaction_capture_error_reply (transaction, &stack_error, - message)) -@@ -111,9 +112,19 @@ send_one_message (DBusConnection *connection, + if (!bus_transaction_capture_error_reply (transaction, sender, + &stack_error, message)) +@@ -112,9 +113,19 @@ send_one_message (DBusConnection *connection, return TRUE; /* don't send it but don't return an error either */ } @@ -880,7 +870,7 @@ index 7353501b..e32c9263 100644 { BUS_SET_OOM (error); return FALSE; -@@ -123,11 +134,12 @@ send_one_message (DBusConnection *connection, +@@ -124,11 +135,12 @@ send_one_message (DBusConnection *connection, } BusResult @@ -898,7 +888,7 @@ index 7353501b..e32c9263 100644 { DBusError tmp_error; BusConnections *connections; -@@ -151,17 +163,78 @@ bus_dispatch_matches (BusTransaction *transaction, +@@ -152,17 +164,78 @@ bus_dispatch_matches (BusTransaction *transaction, /* First, send the message to the addressed_recipient, if there is one. */ if (addressed_recipient != NULL) { @@ -906,7 +896,7 @@ index 7353501b..e32c9263 100644 - res = bus_context_check_security_policy (context, transaction, - sender, addressed_recipient, - addressed_recipient, -- message, error, +- message, NULL, error, - &deferred_message); - if (res == BUS_RESULT_FALSE) + BusResult result; @@ -961,7 +951,7 @@ index 7353501b..e32c9263 100644 + + if (result == BUS_RESULT_LATER) + result = bus_context_check_security_policy(context, transaction, -+ sender, addressed_recipient, addressed_recipient, message, error, ++ sender, addressed_recipient, addressed_recipient, message, NULL, error, + &deferred_message); + + if (result == BUS_RESULT_FALSE) @@ -985,7 +975,7 @@ index 7353501b..e32c9263 100644 status = bus_deferred_message_get_status(deferred_message); if (status & BUS_DEFERRED_MESSAGE_CHECK_SEND) -@@ -172,13 +245,18 @@ bus_dispatch_matches (BusTransaction *transaction, +@@ -173,13 +246,18 @@ bus_dispatch_matches (BusTransaction *transaction, } else if (status & BUS_DEFERRED_MESSAGE_CHECK_RECEIVE) { @@ -1008,7 +998,7 @@ index 7353501b..e32c9263 100644 return BUS_RESULT_FALSE; } } -@@ -195,7 +273,8 @@ bus_dispatch_matches (BusTransaction *transaction, +@@ -196,7 +274,8 @@ bus_dispatch_matches (BusTransaction *transaction, } /* Dispatch the message */ @@ -1018,7 +1008,7 @@ index 7353501b..e32c9263 100644 { BUS_SET_OOM (error); return BUS_RESULT_FALSE; -@@ -495,7 +574,7 @@ bus_dispatch (DBusConnection *connection, +@@ -535,7 +614,7 @@ bus_dispatch (DBusConnection *connection, * match rules. */ if (BUS_RESULT_LATER == bus_dispatch_matches (transaction, connection, addressed_recipient, @@ -1028,7 +1018,7 @@ index 7353501b..e32c9263 100644 /* Roll back and dispatch the message once the policy result is available */ bus_transaction_cancel_and_free (transaction); diff --git a/bus/dispatch.h b/bus/dispatch.h -index afba6a24..f6102e80 100644 +index afba6a2..f6102e8 100644 --- a/bus/dispatch.h +++ b/bus/dispatch.h @@ -29,10 +29,11 @@ @@ -1049,11 +1039,11 @@ index afba6a24..f6102e80 100644 #endif /* BUS_DISPATCH_H */ diff --git a/bus/driver.c b/bus/driver.c -index a5823d4d..5acdd62a 100644 +index f414f64..d89a658 100644 --- a/bus/driver.c +++ b/bus/driver.c -@@ -261,7 +261,7 @@ bus_driver_send_service_owner_changed (const char *service_name, - if (!bus_transaction_capture (transaction, NULL, message)) +@@ -254,7 +254,7 @@ bus_driver_send_service_owner_changed (const char *service_name, + if (!bus_transaction_capture (transaction, NULL, NULL, message)) goto oom; - res = bus_dispatch_matches (transaction, NULL, NULL, message, error); @@ -1062,10 +1052,10 @@ index a5823d4d..5acdd62a 100644 retval = TRUE; else diff --git a/bus/policy.c b/bus/policy.c -index bcade176..47bd1a24 100644 +index 7ee1ce5..b1fab0d 100644 --- a/bus/policy.c +++ b/bus/policy.c -@@ -1071,6 +1071,9 @@ bus_client_policy_check_can_send (DBusConnection *sender, +@@ -1121,6 +1121,9 @@ bus_client_policy_check_can_send (DBusConnection *sender, result = bus_check_privilege(check, message, sender, addressed_recipient, receiver, privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message); @@ -1075,7 +1065,7 @@ index bcade176..47bd1a24 100644 } else privilege = NULL; -@@ -1305,6 +1308,9 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1370,6 +1373,9 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient, privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message); @@ -1085,6 +1075,3 @@ index bcade176..47bd1a24 100644 } else privilege = NULL; --- -2.14.3 - diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch index 1086f5b12..bde785241 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch +++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch @@ -19,24 +19,16 @@ Change-Id: I4c2cbd4585e41fccd8a30f825a8f0d342ab56755 Cherry-picked from 35ef89cd6777ea2430077fc621d21bd01df92349 by Jose.bollo +Updated for dbus 1.12.10 by Scott Murray. + Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - bus/dispatch.c | 11 ++- - bus/driver.c | 259 ++++++++++++++++++++++++++++++--------------------------- - bus/driver.h | 2 +- - bus/policy.c | 51 +++++++++--- - bus/policy.h | 6 +- - bus/services.c | 26 ++++-- - bus/services.h | 3 +- - bus/stats.c | 28 +++---- - bus/stats.h | 6 +- - 9 files changed, 229 insertions(+), 163 deletions(-) +Signed-off-by: Scott Murray <scott.murray@konsulko.com> diff --git a/bus/dispatch.c b/bus/dispatch.c -index e32c9263..4d57c556 100644 +index 1bdcbf0..625add5 100644 --- a/bus/dispatch.c +++ b/bus/dispatch.c -@@ -513,8 +513,17 @@ bus_dispatch (DBusConnection *connection, +@@ -516,8 +516,17 @@ bus_dispatch (DBusConnection *connection, } _dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS); @@ -56,10 +48,10 @@ index e32c9263..4d57c556 100644 else if (!bus_connection_is_active (connection)) /* clients must talk to bus driver first */ { diff --git a/bus/driver.c b/bus/driver.c -index 5acdd62a..bc4ce0b5 100644 +index d89a658..5ee60cb 100644 --- a/bus/driver.c +++ b/bus/driver.c -@@ -427,7 +427,7 @@ create_unique_client_name (BusRegistry *registry, +@@ -420,7 +420,7 @@ create_unique_client_name (BusRegistry *registry, return TRUE; } @@ -68,7 +60,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_hello (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -435,7 +435,7 @@ bus_driver_handle_hello (DBusConnection *connection, +@@ -428,7 +428,7 @@ bus_driver_handle_hello (DBusConnection *connection, { DBusString unique_name; BusService *service; @@ -76,8 +68,8 @@ index 5acdd62a..bc4ce0b5 100644 + BusResult retval; BusRegistry *registry; BusConnections *connections; - -@@ -446,7 +446,7 @@ bus_driver_handle_hello (DBusConnection *connection, + DBusError tmp_error; +@@ -442,7 +442,7 @@ bus_driver_handle_hello (DBusConnection *connection, /* We already handled an Hello message for this connection. */ dbus_set_error (error, DBUS_ERROR_FAILED, "Already handled an Hello message"); @@ -86,10 +78,10 @@ index 5acdd62a..bc4ce0b5 100644 } /* Note that when these limits are exceeded we don't disconnect the -@@ -460,16 +460,16 @@ bus_driver_handle_hello (DBusConnection *connection, - error)) - { - _DBUS_ASSERT_ERROR_IS_SET (error); +@@ -464,16 +464,16 @@ bus_driver_handle_hello (DBusConnection *connection, + bus_context_log (context, DBUS_SYSTEM_LOG_WARNING, "%s (%s=%d)", + tmp_error.message, limit_name, limit); + dbus_move_error (&tmp_error, error); - return FALSE; + return BUS_RESULT_FALSE; } @@ -106,7 +98,7 @@ index 5acdd62a..bc4ce0b5 100644 registry = bus_connection_get_registry (connection); -@@ -502,7 +502,7 @@ bus_driver_handle_hello (DBusConnection *connection, +@@ -506,7 +506,7 @@ bus_driver_handle_hello (DBusConnection *connection, goto out_0; _dbus_assert (bus_connection_is_active (connection)); @@ -115,7 +107,7 @@ index 5acdd62a..bc4ce0b5 100644 out_0: _dbus_string_free (&unique_name); -@@ -554,7 +554,7 @@ bus_driver_send_welcome_message (DBusConnection *connection, +@@ -558,7 +558,7 @@ bus_driver_send_welcome_message (DBusConnection *connection, } } @@ -124,7 +116,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_list_services (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -576,14 +576,14 @@ bus_driver_handle_list_services (DBusConnection *connection, +@@ -580,14 +580,14 @@ bus_driver_handle_list_services (DBusConnection *connection, if (reply == NULL) { BUS_SET_OOM (error); @@ -141,7 +133,7 @@ index 5acdd62a..bc4ce0b5 100644 } dbus_message_iter_init_append (reply, &iter); -@@ -595,7 +595,7 @@ bus_driver_handle_list_services (DBusConnection *connection, +@@ -599,7 +599,7 @@ bus_driver_handle_list_services (DBusConnection *connection, dbus_free_string_array (services); dbus_message_unref (reply); BUS_SET_OOM (error); @@ -150,7 +142,7 @@ index 5acdd62a..bc4ce0b5 100644 } { -@@ -607,7 +607,7 @@ bus_driver_handle_list_services (DBusConnection *connection, +@@ -611,7 +611,7 @@ bus_driver_handle_list_services (DBusConnection *connection, dbus_free_string_array (services); dbus_message_unref (reply); BUS_SET_OOM (error); @@ -159,7 +151,7 @@ index 5acdd62a..bc4ce0b5 100644 } } -@@ -620,7 +620,7 @@ bus_driver_handle_list_services (DBusConnection *connection, +@@ -624,7 +624,7 @@ bus_driver_handle_list_services (DBusConnection *connection, dbus_free_string_array (services); dbus_message_unref (reply); BUS_SET_OOM (error); @@ -168,7 +160,7 @@ index 5acdd62a..bc4ce0b5 100644 } ++i; } -@@ -631,23 +631,23 @@ bus_driver_handle_list_services (DBusConnection *connection, +@@ -635,23 +635,23 @@ bus_driver_handle_list_services (DBusConnection *connection, { dbus_message_unref (reply); BUS_SET_OOM (error); @@ -196,7 +188,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_list_activatable_services (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -669,14 +669,14 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, +@@ -673,14 +673,14 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, if (reply == NULL) { BUS_SET_OOM (error); @@ -213,7 +205,7 @@ index 5acdd62a..bc4ce0b5 100644 } dbus_message_iter_init_append (reply, &iter); -@@ -688,7 +688,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, +@@ -692,7 +692,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, dbus_free_string_array (services); dbus_message_unref (reply); BUS_SET_OOM (error); @@ -222,7 +214,7 @@ index 5acdd62a..bc4ce0b5 100644 } { -@@ -700,7 +700,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, +@@ -704,7 +704,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, dbus_free_string_array (services); dbus_message_unref (reply); BUS_SET_OOM (error); @@ -231,7 +223,7 @@ index 5acdd62a..bc4ce0b5 100644 } } -@@ -713,7 +713,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, +@@ -717,7 +717,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, dbus_free_string_array (services); dbus_message_unref (reply); BUS_SET_OOM (error); @@ -240,7 +232,7 @@ index 5acdd62a..bc4ce0b5 100644 } ++i; } -@@ -724,23 +724,23 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, +@@ -728,23 +728,23 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, { dbus_message_unref (reply); BUS_SET_OOM (error); @@ -268,7 +260,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_acquire_service (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -751,7 +751,8 @@ bus_driver_handle_acquire_service (DBusConnection *connection, +@@ -755,7 +755,8 @@ bus_driver_handle_acquire_service (DBusConnection *connection, const char *name; dbus_uint32_t service_reply; dbus_uint32_t flags; @@ -278,7 +270,7 @@ index 5acdd62a..bc4ce0b5 100644 BusRegistry *registry; _DBUS_ASSERT_ERROR_IS_CLEAR (error); -@@ -762,20 +763,24 @@ bus_driver_handle_acquire_service (DBusConnection *connection, +@@ -766,20 +767,24 @@ bus_driver_handle_acquire_service (DBusConnection *connection, DBUS_TYPE_STRING, &name, DBUS_TYPE_UINT32, &flags, DBUS_TYPE_INVALID)) @@ -310,7 +302,7 @@ index 5acdd62a..bc4ce0b5 100644 reply = dbus_message_new_method_return (message); if (reply == NULL) -@@ -796,7 +801,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection, +@@ -800,7 +805,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection, goto out; } @@ -319,7 +311,7 @@ index 5acdd62a..bc4ce0b5 100644 out: if (reply) -@@ -804,7 +809,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection, +@@ -808,7 +813,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection, return retval; } @@ -328,7 +320,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_release_service (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -814,7 +819,7 @@ bus_driver_handle_release_service (DBusConnection *connection, +@@ -818,7 +823,7 @@ bus_driver_handle_release_service (DBusConnection *connection, DBusString service_name; const char *name; dbus_uint32_t service_reply; @@ -337,7 +329,7 @@ index 5acdd62a..bc4ce0b5 100644 BusRegistry *registry; _DBUS_ASSERT_ERROR_IS_CLEAR (error); -@@ -824,11 +829,11 @@ bus_driver_handle_release_service (DBusConnection *connection, +@@ -828,11 +833,11 @@ bus_driver_handle_release_service (DBusConnection *connection, if (!dbus_message_get_args (message, error, DBUS_TYPE_STRING, &name, DBUS_TYPE_INVALID)) @@ -351,7 +343,7 @@ index 5acdd62a..bc4ce0b5 100644 reply = NULL; _dbus_string_init_const (&service_name, name); -@@ -857,7 +862,7 @@ bus_driver_handle_release_service (DBusConnection *connection, +@@ -861,7 +866,7 @@ bus_driver_handle_release_service (DBusConnection *connection, goto out; } @@ -360,7 +352,7 @@ index 5acdd62a..bc4ce0b5 100644 out: if (reply) -@@ -865,7 +870,7 @@ bus_driver_handle_release_service (DBusConnection *connection, +@@ -869,7 +874,7 @@ bus_driver_handle_release_service (DBusConnection *connection, return retval; } @@ -369,7 +361,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_service_exists (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -876,7 +881,7 @@ bus_driver_handle_service_exists (DBusConnection *connection, +@@ -880,7 +885,7 @@ bus_driver_handle_service_exists (DBusConnection *connection, BusService *service; dbus_bool_t service_exists; const char *name; @@ -378,7 +370,7 @@ index 5acdd62a..bc4ce0b5 100644 BusRegistry *registry; _DBUS_ASSERT_ERROR_IS_CLEAR (error); -@@ -886,9 +891,9 @@ bus_driver_handle_service_exists (DBusConnection *connection, +@@ -890,9 +895,9 @@ bus_driver_handle_service_exists (DBusConnection *connection, if (!dbus_message_get_args (message, error, DBUS_TYPE_STRING, &name, DBUS_TYPE_INVALID)) @@ -390,7 +382,7 @@ index 5acdd62a..bc4ce0b5 100644 if (strcmp (name, DBUS_SERVICE_DBUS) == 0) { -@@ -922,7 +927,7 @@ bus_driver_handle_service_exists (DBusConnection *connection, +@@ -926,7 +931,7 @@ bus_driver_handle_service_exists (DBusConnection *connection, goto out; } @@ -399,7 +391,7 @@ index 5acdd62a..bc4ce0b5 100644 out: if (reply) -@@ -931,7 +936,7 @@ bus_driver_handle_service_exists (DBusConnection *connection, +@@ -935,7 +940,7 @@ bus_driver_handle_service_exists (DBusConnection *connection, return retval; } @@ -408,7 +400,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_activate_service (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -939,7 +944,7 @@ bus_driver_handle_activate_service (DBusConnection *connection, +@@ -943,7 +948,7 @@ bus_driver_handle_activate_service (DBusConnection *connection, { dbus_uint32_t flags; const char *name; @@ -417,7 +409,7 @@ index 5acdd62a..bc4ce0b5 100644 BusActivation *activation; _DBUS_ASSERT_ERROR_IS_CLEAR (error); -@@ -953,10 +958,10 @@ bus_driver_handle_activate_service (DBusConnection *connection, +@@ -957,10 +962,10 @@ bus_driver_handle_activate_service (DBusConnection *connection, { _DBUS_ASSERT_ERROR_IS_SET (error); _dbus_verbose ("No memory to get arguments to StartServiceByName\n"); @@ -430,7 +422,7 @@ index 5acdd62a..bc4ce0b5 100644 if (!bus_activation_activate_service (activation, connection, transaction, FALSE, message, name, error)) -@@ -966,7 +971,7 @@ bus_driver_handle_activate_service (DBusConnection *connection, +@@ -970,7 +975,7 @@ bus_driver_handle_activate_service (DBusConnection *connection, goto out; } @@ -439,7 +431,7 @@ index 5acdd62a..bc4ce0b5 100644 out: return retval; -@@ -1068,13 +1073,13 @@ bus_driver_send_or_activate (BusTransaction *transaction, +@@ -1072,13 +1077,13 @@ bus_driver_send_or_activate (BusTransaction *transaction, return TRUE; } @@ -455,25 +447,7 @@ index 5acdd62a..bc4ce0b5 100644 BusActivation *activation; BusContext *context; DBusMessageIter iter; -@@ -1090,7 +1095,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, - _DBUS_ASSERT_ERROR_IS_CLEAR (error); - - if (!bus_driver_check_message_is_for_us (message, error)) -- return FALSE; -+ return BUS_RESULT_FALSE; - - #ifdef DBUS_UNIX - { @@ -1100,7 +1105,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, - */ - if (!bus_driver_check_caller_is_privileged (connection, transaction, - message, error)) -- return FALSE; -+ return BUS_RESULT_FALSE; - } - #endif - -@@ -1111,7 +1116,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, "Cannot change activation environment " "on a system bus."); @@ -482,7 +456,7 @@ index 5acdd62a..bc4ce0b5 100644 } activation = bus_connection_get_activation (connection); -@@ -1125,7 +1130,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, +@@ -1114,7 +1119,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, dbus_message_iter_recurse (&iter, &dict_iter); @@ -491,8 +465,8 @@ index 5acdd62a..bc4ce0b5 100644 systemd_message = NULL; /* Then loop through the sent dictionary, add the location of -@@ -1291,7 +1296,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, - message, error)) +@@ -1279,7 +1284,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, + if (!bus_driver_send_ack_reply (connection, transaction, message, error)) goto out; - retval = TRUE; @@ -500,7 +474,7 @@ index 5acdd62a..bc4ce0b5 100644 out: if (systemd_message != NULL) -@@ -1301,7 +1306,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, +@@ -1289,7 +1294,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, return retval; } @@ -509,7 +483,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_add_match (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -1367,16 +1372,16 @@ bus_driver_handle_add_match (DBusConnection *connection, +@@ -1371,16 +1376,16 @@ bus_driver_handle_add_match (DBusConnection *connection, bus_match_rule_unref (rule); @@ -529,7 +503,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_remove_match (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -1420,16 +1425,16 @@ bus_driver_handle_remove_match (DBusConnection *connection, +@@ -1423,16 +1428,16 @@ bus_driver_handle_remove_match (DBusConnection *connection, bus_match_rule_unref (rule); @@ -549,7 +523,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_get_service_owner (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -1499,7 +1504,7 @@ bus_driver_handle_get_service_owner (DBusConnection *connection, +@@ -1502,7 +1507,7 @@ bus_driver_handle_get_service_owner (DBusConnection *connection, dbus_message_unref (reply); @@ -558,7 +532,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: BUS_SET_OOM (error); -@@ -1508,10 +1513,10 @@ bus_driver_handle_get_service_owner (DBusConnection *connection, +@@ -1511,10 +1516,10 @@ bus_driver_handle_get_service_owner (DBusConnection *connection, _DBUS_ASSERT_ERROR_IS_SET (error); if (reply) dbus_message_unref (reply); @@ -571,7 +545,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_list_queued_owners (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -1602,7 +1607,7 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection, +@@ -1606,7 +1611,7 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection, dbus_message_unref (reply); @@ -580,7 +554,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: BUS_SET_OOM (error); -@@ -1615,10 +1620,10 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection, +@@ -1619,10 +1624,10 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection, if (base_names) _dbus_list_clear (&base_names); @@ -593,7 +567,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_get_connection_unix_user (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -1673,7 +1678,7 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection, +@@ -1679,7 +1684,7 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection, dbus_message_unref (reply); @@ -602,7 +576,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: BUS_SET_OOM (error); -@@ -1682,10 +1687,10 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection, +@@ -1688,10 +1693,10 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection, _DBUS_ASSERT_ERROR_IS_SET (error); if (reply) dbus_message_unref (reply); @@ -615,7 +589,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -1740,7 +1745,7 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection, +@@ -1748,7 +1753,7 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection, dbus_message_unref (reply); @@ -624,7 +598,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: BUS_SET_OOM (error); -@@ -1749,10 +1754,10 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection, +@@ -1757,10 +1762,10 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection, _DBUS_ASSERT_ERROR_IS_SET (error); if (reply) dbus_message_unref (reply); @@ -637,7 +611,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -1803,7 +1808,7 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection, +@@ -1811,7 +1816,7 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection, dbus_message_unref (reply); @@ -646,7 +620,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: BUS_SET_OOM (error); -@@ -1812,10 +1817,10 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection, +@@ -1820,10 +1825,10 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection, _DBUS_ASSERT_ERROR_IS_SET (error); if (reply) dbus_message_unref (reply); @@ -659,7 +633,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_get_connection_selinux_security_context (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -1863,7 +1868,7 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne +@@ -1872,7 +1877,7 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne dbus_message_unref (reply); @@ -668,7 +642,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: BUS_SET_OOM (error); -@@ -1872,10 +1877,10 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne +@@ -1881,10 +1886,10 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne _DBUS_ASSERT_ERROR_IS_SET (error); if (reply) dbus_message_unref (reply); @@ -681,7 +655,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_get_connection_credentials (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -1987,7 +1992,7 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection, +@@ -1998,7 +2003,7 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection, dbus_message_unref (reply); @@ -690,7 +664,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: BUS_SET_OOM (error); -@@ -2001,10 +2006,10 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection, +@@ -2012,10 +2017,10 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection, dbus_message_unref (reply); } @@ -703,7 +677,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_reload_config (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -2029,7 +2034,7 @@ bus_driver_handle_reload_config (DBusConnection *connection, +@@ -2040,7 +2045,7 @@ bus_driver_handle_reload_config (DBusConnection *connection, goto oom; dbus_message_unref (reply); @@ -712,7 +686,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: BUS_SET_OOM (error); -@@ -2038,11 +2043,11 @@ bus_driver_handle_reload_config (DBusConnection *connection, +@@ -2049,11 +2054,11 @@ bus_driver_handle_reload_config (DBusConnection *connection, _DBUS_ASSERT_ERROR_IS_SET (error); if (reply) dbus_message_unref (reply); @@ -726,7 +700,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_enable_verbose (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -2062,7 +2067,7 @@ bus_driver_handle_enable_verbose (DBusConnection *connection, +@@ -2073,7 +2078,7 @@ bus_driver_handle_enable_verbose (DBusConnection *connection, _dbus_set_verbose(TRUE); dbus_message_unref (reply); @@ -735,7 +709,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: _DBUS_ASSERT_ERROR_IS_CLEAR (error); -@@ -2071,10 +2076,10 @@ bus_driver_handle_enable_verbose (DBusConnection *connection, +@@ -2082,10 +2087,10 @@ bus_driver_handle_enable_verbose (DBusConnection *connection, if (reply) dbus_message_unref (reply); @@ -748,7 +722,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_disable_verbose (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -2094,7 +2099,7 @@ bus_driver_handle_disable_verbose (DBusConnection *connection, +@@ -2105,7 +2110,7 @@ bus_driver_handle_disable_verbose (DBusConnection *connection, _dbus_set_verbose(FALSE); dbus_message_unref (reply); @@ -757,7 +731,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: _DBUS_ASSERT_ERROR_IS_CLEAR (error); -@@ -2103,11 +2108,11 @@ bus_driver_handle_disable_verbose (DBusConnection *connection, +@@ -2114,11 +2119,11 @@ bus_driver_handle_disable_verbose (DBusConnection *connection, if (reply) dbus_message_unref (reply); @@ -771,7 +745,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_get_id (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -2123,7 +2128,7 @@ bus_driver_handle_get_id (DBusConnection *connection, +@@ -2134,7 +2139,7 @@ bus_driver_handle_get_id (DBusConnection *connection, if (!_dbus_string_init (&uuid)) { BUS_SET_OOM (error); @@ -780,7 +754,7 @@ index 5acdd62a..bc4ce0b5 100644 } reply = NULL; -@@ -2149,7 +2154,7 @@ bus_driver_handle_get_id (DBusConnection *connection, +@@ -2160,7 +2165,7 @@ bus_driver_handle_get_id (DBusConnection *connection, _dbus_string_free (&uuid); dbus_message_unref (reply); @@ -789,7 +763,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: _DBUS_ASSERT_ERROR_IS_CLEAR (error); -@@ -2159,10 +2164,10 @@ bus_driver_handle_get_id (DBusConnection *connection, +@@ -2170,10 +2175,10 @@ bus_driver_handle_get_id (DBusConnection *connection, if (reply) dbus_message_unref (reply); _dbus_string_free (&uuid); @@ -802,7 +776,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_become_monitor (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -2178,7 +2183,7 @@ bus_driver_handle_become_monitor (DBusConnection *connection, +@@ -2189,7 +2194,7 @@ bus_driver_handle_become_monitor (DBusConnection *connection, int i; int n_match_rules; dbus_uint32_t flags; @@ -811,7 +785,7 @@ index 5acdd62a..bc4ce0b5 100644 _DBUS_ASSERT_ERROR_IS_CLEAR (error); -@@ -2258,10 +2263,10 @@ bus_driver_handle_become_monitor (DBusConnection *connection, +@@ -2262,10 +2267,10 @@ bus_driver_handle_become_monitor (DBusConnection *connection, if (!bus_connection_be_monitor (connection, transaction, &rules, error)) goto out; @@ -824,7 +798,7 @@ index 5acdd62a..bc4ce0b5 100644 _DBUS_ASSERT_ERROR_IS_CLEAR (error); else _DBUS_ASSERT_ERROR_IS_SET (error); -@@ -2282,10 +2287,10 @@ typedef struct +@@ -2389,10 +2394,10 @@ typedef struct const char *name; const char *in_args; const char *out_args; @@ -836,19 +810,19 @@ index 5acdd62a..bc4ce0b5 100644 + BusTransaction *transaction, + DBusMessage *message, + DBusError *error); + MethodFlags flags; } MessageHandler; - /* For speed it might be useful to sort this in order of -@@ -2370,7 +2375,7 @@ static const MessageHandler dbus_message_handlers[] = { - { NULL, NULL, NULL, NULL } +@@ -2511,7 +2516,7 @@ static const PropertyHandler dbus_property_handlers[] = { + { NULL, NULL, NULL } }; -static dbus_bool_t bus_driver_handle_introspect (DBusConnection *, +static BusResult bus_driver_handle_introspect (DBusConnection *, BusTransaction *, DBusMessage *, DBusError *); - static const MessageHandler introspectable_message_handlers[] = { -@@ -2514,7 +2519,7 @@ bus_driver_generate_introspect_string (DBusString *xml) + static const MessageHandler properties_message_handlers[] = { +@@ -2763,7 +2768,7 @@ bus_driver_generate_introspect_string (DBusString *xml, return TRUE; } @@ -857,7 +831,7 @@ index 5acdd62a..bc4ce0b5 100644 bus_driver_handle_introspect (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -2534,13 +2539,13 @@ bus_driver_handle_introspect (DBusConnection *connection, +@@ -2784,13 +2789,13 @@ bus_driver_handle_introspect (DBusConnection *connection, DBUS_TYPE_INVALID)) { _DBUS_ASSERT_ERROR_IS_SET (error); @@ -872,8 +846,8 @@ index 5acdd62a..bc4ce0b5 100644 + return BUS_RESULT_FALSE; } - if (!bus_driver_generate_introspect_string (&xml)) -@@ -2563,7 +2568,7 @@ bus_driver_handle_introspect (DBusConnection *connection, + is_canonical_path = dbus_message_has_path (message, DBUS_PATH_DBUS); +@@ -2815,7 +2820,7 @@ bus_driver_handle_introspect (DBusConnection *connection, dbus_message_unref (reply); _dbus_string_free (&xml); @@ -882,7 +856,7 @@ index 5acdd62a..bc4ce0b5 100644 oom: BUS_SET_OOM (error); -@@ -2573,7 +2578,7 @@ bus_driver_handle_introspect (DBusConnection *connection, +@@ -2825,10 +2830,10 @@ bus_driver_handle_introspect (DBusConnection *connection, _dbus_string_free (&xml); @@ -890,25 +864,20 @@ index 5acdd62a..bc4ce0b5 100644 + return BUS_RESULT_FALSE; } - /* -@@ -2608,7 +2613,7 @@ bus_driver_check_message_is_for_us (DBusMessage *message, - return TRUE; - } - -dbus_bool_t +BusResult bus_driver_handle_message (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -2618,6 +2623,7 @@ bus_driver_handle_message (DBusConnection *connection, - const InterfaceHandler *ih; +@@ -2839,6 +2844,7 @@ bus_driver_handle_message (DBusConnection *connection, const MessageHandler *mh; dbus_bool_t found_interface = FALSE; + dbus_bool_t is_canonical_path; + BusResult res; _DBUS_ASSERT_ERROR_IS_CLEAR (error); -@@ -2633,7 +2639,7 @@ bus_driver_handle_message (DBusConnection *connection, +@@ -2854,7 +2860,7 @@ bus_driver_handle_message (DBusConnection *connection, transaction, message, error)) @@ -917,7 +886,7 @@ index 5acdd62a..bc4ce0b5 100644 context = bus_connection_get_context (connection); systemd = bus_driver_get_owner_of_name (connection, -@@ -2650,7 +2656,7 @@ bus_driver_handle_message (DBusConnection *connection, +@@ -2871,7 +2877,7 @@ bus_driver_handle_message (DBusConnection *connection, attacker ? attacker : "(unauthenticated)", bus_connection_get_loginfo (connection)); /* ignore it */ @@ -926,7 +895,7 @@ index 5acdd62a..bc4ce0b5 100644 } if (!bus_context_get_systemd_activation (context)) -@@ -2658,16 +2664,16 @@ bus_driver_handle_message (DBusConnection *connection, +@@ -2879,16 +2885,16 @@ bus_driver_handle_message (DBusConnection *connection, bus_context_log (context, DBUS_SYSTEM_LOG_WARNING, "Ignoring unexpected ActivationFailure message " "while not using systemd activation"); @@ -946,7 +915,7 @@ index 5acdd62a..bc4ce0b5 100644 } /* may be NULL, which means "any interface will do" */ -@@ -2709,20 +2715,27 @@ bus_driver_handle_message (DBusConnection *connection, +@@ -2953,20 +2959,27 @@ bus_driver_handle_message (DBusConnection *connection, name, dbus_message_get_signature (message), mh->in_args); _DBUS_ASSERT_ERROR_IS_SET (error); @@ -979,7 +948,7 @@ index 5acdd62a..bc4ce0b5 100644 } } } -@@ -2734,7 +2747,7 @@ bus_driver_handle_message (DBusConnection *connection, +@@ -2978,7 +2991,7 @@ bus_driver_handle_message (DBusConnection *connection, "%s does not understand message %s", DBUS_SERVICE_DBUS, name); @@ -989,11 +958,11 @@ index 5acdd62a..bc4ce0b5 100644 void diff --git a/bus/driver.h b/bus/driver.h -index 201709c4..3ff4ff15 100644 +index ac1289d..183c28b 100644 --- a/bus/driver.h +++ b/bus/driver.h -@@ -28,7 +28,7 @@ - #include "connection.h" +@@ -35,7 +35,7 @@ typedef enum + } BusDriverFound; void bus_driver_remove_connection (DBusConnection *connection); -dbus_bool_t bus_driver_handle_message (DBusConnection *connection, @@ -1002,10 +971,10 @@ index 201709c4..3ff4ff15 100644 DBusMessage *message, DBusError *error); diff --git a/bus/policy.c b/bus/policy.c -index 47bd1a24..7244a46f 100644 +index b1fab0d..27b66d1 100644 --- a/bus/policy.c +++ b/bus/policy.c -@@ -1323,18 +1323,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1388,18 +1388,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, @@ -1031,7 +1000,7 @@ index 47bd1a24..7244a46f 100644 link = _dbus_list_get_first_link (&rules); while (link != NULL) { -@@ -1370,17 +1373,45 @@ bus_rules_check_can_own (DBusList *rules, +@@ -1435,17 +1438,45 @@ bus_rules_check_can_own (DBusList *rules, } /* Use this rule */ @@ -1082,7 +1051,7 @@ index 47bd1a24..7244a46f 100644 } #ifdef DBUS_ENABLE_EMBEDDED_TESTS -@@ -1388,7 +1419,7 @@ dbus_bool_t +@@ -1453,7 +1484,7 @@ dbus_bool_t bus_policy_check_can_own (BusPolicy *policy, const DBusString *service_name) { @@ -1092,10 +1061,10 @@ index 47bd1a24..7244a46f 100644 #endif /* DBUS_ENABLE_EMBEDDED_TESTS */ diff --git a/bus/policy.h b/bus/policy.h -index e9f193af..1f234310 100644 +index f306a3c..39d7cc5 100644 --- a/bus/policy.h +++ b/bus/policy.h -@@ -170,8 +170,10 @@ BusResult bus_client_policy_check_can_receive (BusClientPolicy *polic +@@ -182,8 +182,10 @@ BusResult bus_client_policy_check_can_receive (BusClientPolicy *polic dbus_int32_t *toggles, const char **privilege_param, BusDeferredMessage **deferred_message); @@ -1109,10 +1078,10 @@ index e9f193af..1f234310 100644 BusPolicyRule *rule); void bus_client_policy_optimize (BusClientPolicy *policy); diff --git a/bus/services.c b/bus/services.c -index 6a4c8848..fcc2d261 100644 +index 127edda..586af18 100644 --- a/bus/services.c +++ b/bus/services.c -@@ -376,24 +376,26 @@ bus_registry_list_services (BusRegistry *registry, +@@ -376,16 +376,17 @@ bus_registry_list_services (BusRegistry *registry, return FALSE; } @@ -1132,17 +1101,18 @@ index 6a4c8848..fcc2d261 100644 DBusConnection *old_owner_conn; BusClientPolicy *policy; BusService *service; - BusActivation *activation; +@@ -393,8 +394,9 @@ bus_registry_acquire_service (BusRegistry *registry, BusSELinuxID *sid; BusOwner *primary_owner; + int limit; + BusResult res; - + - retval = FALSE; + retval = BUS_RESULT_FALSE; if (!_dbus_validate_bus_name (service_name, 0, _dbus_string_get_length (service_name))) -@@ -466,7 +468,8 @@ bus_registry_acquire_service (BusRegistry *registry, +@@ -467,7 +469,8 @@ bus_registry_acquire_service (BusRegistry *registry, _dbus_string_get_const_data (service_name), error)) goto out; @@ -1152,7 +1122,7 @@ index 6a4c8848..fcc2d261 100644 { dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, "Connection \"%s\" is not allowed to own the service \"%s\" due " -@@ -477,6 +480,11 @@ bus_registry_acquire_service (BusRegistry *registry, +@@ -478,6 +481,11 @@ bus_registry_acquire_service (BusRegistry *registry, _dbus_string_get_const_data (service_name)); goto out; } @@ -1162,9 +1132,9 @@ index 6a4c8848..fcc2d261 100644 + goto out; + } - if (bus_connection_get_n_services_owned (connection) >= - bus_context_get_max_services_per_connection (registry->context)) -@@ -593,11 +601,13 @@ bus_registry_acquire_service (BusRegistry *registry, + limit = bus_context_get_max_services_per_connection (registry->context); + +@@ -603,11 +611,13 @@ bus_registry_acquire_service (BusRegistry *registry, } activation = bus_context_get_activation (registry->context); @@ -1183,7 +1153,7 @@ index 6a4c8848..fcc2d261 100644 out: return retval; diff --git a/bus/services.h b/bus/services.h -index 056dd9fa..3df3dd7d 100644 +index 056dd9f..3df3dd7 100644 --- a/bus/services.h +++ b/bus/services.h @@ -50,8 +50,9 @@ void bus_registry_foreach (BusRegistry *registry @@ -1198,7 +1168,7 @@ index 056dd9fa..3df3dd7d 100644 dbus_uint32_t flags, dbus_uint32_t *result, diff --git a/bus/stats.c b/bus/stats.c -index dace0e29..aab0e5c9 100644 +index 1582255..4ba72d6 100644 --- a/bus/stats.c +++ b/bus/stats.c @@ -36,7 +36,7 @@ @@ -1210,16 +1180,7 @@ index dace0e29..aab0e5c9 100644 bus_stats_handle_get_stats (DBusConnection *connection, BusTransaction *transaction, DBusMessage *message, -@@ -52,7 +52,7 @@ bus_stats_handle_get_stats (DBusConnection *connection, - _DBUS_ASSERT_ERROR_IS_CLEAR (error); - - if (!bus_driver_check_message_is_for_us (message, error)) -- return FALSE; -+ return BUS_RESULT_FALSE; - - context = bus_transaction_get_context (transaction); - connections = bus_context_get_connections (context); -@@ -107,17 +107,17 @@ bus_stats_handle_get_stats (DBusConnection *connection, +@@ -104,17 +104,17 @@ bus_stats_handle_get_stats (DBusConnection *connection, goto oom; dbus_message_unref (reply); @@ -1240,33 +1201,7 @@ index dace0e29..aab0e5c9 100644 bus_stats_handle_get_connection_stats (DBusConnection *caller_connection, BusTransaction *transaction, DBusMessage *message, -@@ -137,14 +137,14 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection, - _DBUS_ASSERT_ERROR_IS_CLEAR (error); - - if (!bus_driver_check_message_is_for_us (message, error)) -- return FALSE; -+ return BUS_RESULT_FALSE; - - registry = bus_connection_get_registry (caller_connection); - - if (! dbus_message_get_args (message, error, - DBUS_TYPE_STRING, &bus_name, - DBUS_TYPE_INVALID)) -- return FALSE; -+ return BUS_RESULT_FALSE; - - _dbus_string_init_const (&bus_name_str, bus_name); - service = bus_registry_lookup (registry, &bus_name_str); -@@ -153,7 +153,7 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection, - { - dbus_set_error (error, DBUS_ERROR_NAME_HAS_NO_OWNER, - "Bus name '%s' has no owner", bus_name); -- return FALSE; -+ return BUS_RESULT_FALSE; - } - - stats_connection = bus_service_get_primary_owners_connection (service); -@@ -215,18 +215,18 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection, +@@ -209,7 +209,7 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection, goto oom; dbus_message_unref (reply); @@ -1274,10 +1209,11 @@ index dace0e29..aab0e5c9 100644 + return BUS_RESULT_TRUE; oom: + BUS_SET_OOM (error); +@@ -218,11 +218,11 @@ failed: if (reply != NULL) dbus_message_unref (reply); - BUS_SET_OOM (error); - return FALSE; + return BUS_RESULT_FALSE; } @@ -1288,7 +1224,7 @@ index dace0e29..aab0e5c9 100644 bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection, BusTransaction *transaction, DBusMessage *message, -@@ -250,7 +250,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection, +@@ -246,7 +246,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection, matchmaker = bus_context_get_matchmaker (context); if (!bus_registry_list_services (registry, &services, &services_len)) @@ -1297,7 +1233,7 @@ index dace0e29..aab0e5c9 100644 reply = dbus_message_new_method_return (message); if (reply == NULL) -@@ -329,7 +329,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection, +@@ -325,7 +325,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection, dbus_message_unref (reply); dbus_free_string_array (services); @@ -1306,7 +1242,7 @@ index dace0e29..aab0e5c9 100644 oom: if (reply != NULL) -@@ -338,7 +338,7 @@ oom: +@@ -334,7 +334,7 @@ oom: dbus_free_string_array (services); BUS_SET_OOM (error); @@ -1316,7 +1252,7 @@ index dace0e29..aab0e5c9 100644 #endif diff --git a/bus/stats.h b/bus/stats.h -index dcb022c4..683fa175 100644 +index dcb022c..683fa17 100644 --- a/bus/stats.h +++ b/bus/stats.h @@ -25,17 +25,17 @@ @@ -1340,6 +1276,3 @@ index dcb022c4..683fa175 100644 BusTransaction *transaction, DBusMessage *message, DBusError *error); --- -2.14.3 - diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch index d30b2dbf8..6cc7c19c4 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch +++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch @@ -26,14 +26,14 @@ Change-Id: Ifb4a160bf6e0638404e0295a2e4fa3077efd881c Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com> Cherry picked from e8610297cf7031e94eb314a2e8c11246f4405403 by Jose Bollo + +Updated for dbus 1.12.10 by Scott Murray. + Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - bus/session.conf.in | 32 ++++++++++++++++++++++++++------ - bus/system.conf.in | 19 +++++++++++++++---- - 2 files changed, 41 insertions(+), 10 deletions(-) +Signed-off-by: Scott Murray <scott.murray@konsulko.com> diff --git a/bus/session.conf.in b/bus/session.conf.in -index affa7f1d..157dfb4d 100644 +index affa7f1..157dfb4 100644 --- a/bus/session.conf.in +++ b/bus/session.conf.in @@ -27,12 +27,32 @@ @@ -76,10 +76,10 @@ index affa7f1d..157dfb4d 100644 <!-- Include legacy configuration location --> diff --git a/bus/system.conf.in b/bus/system.conf.in -index 014f67ee..ebbd468a 100644 +index f139b55..19d0c04 100644 --- a/bus/system.conf.in +++ b/bus/system.conf.in -@@ -50,23 +50,34 @@ +@@ -50,17 +50,20 @@ <deny own="*"/> <deny send_type="method_call"/> @@ -104,9 +104,10 @@ index 014f67ee..ebbd468a 100644 <!-- Allow anyone to talk to the message bus --> <allow send_destination="org.freedesktop.DBus" - send_interface="org.freedesktop.DBus" /> - <allow send_destination="org.freedesktop.DBus" +@@ -69,6 +72,14 @@ send_interface="org.freedesktop.DBus.Introspectable"/> + <allow send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus.Properties"/> + <!-- If there is a need specific bus services could be protected by Cynara as well. + However, this can lead to deadlock during the boot process when such check is made and + Cynara is not yet activated (systemd calls protected method synchronously, @@ -118,6 +119,3 @@ index 014f67ee..ebbd468a 100644 <!-- But disallow some specific bus services --> <deny send_destination="org.freedesktop.DBus" send_interface="org.freedesktop.DBus" --- -2.14.3 - diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara_1.10.20.bb b/meta-security/recipes-core/dbus-cynara/dbus-cynara_1.12.10.bb index a97148366..2b494becb 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara_1.10.20.bb +++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara_1.12.10.bb @@ -1,4 +1,4 @@ -require ${COREBASE}/meta/recipes-core/dbus/dbus_1.10.20.bb +require ${COREBASE}/meta/recipes-core/dbus/dbus_1.12.10.bb FILESEXTRAPATHS_prepend := "${COREBASE}/meta/recipes-core/dbus/dbus:${THISDIR}/dbus-cynara:" S = "${WORKDIR}/dbus-${PV}" diff --git a/meta-security/recipes-core/dbus-cynara/dbus_%.bbappend b/meta-security/recipes-core/dbus-cynara/dbus_%.bbappend index 78df8ec3c..2923c5c18 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus_%.bbappend +++ b/meta-security/recipes-core/dbus-cynara/dbus_%.bbappend @@ -1,4 +1,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/dbus-cynara:" + SRC_URI_append = "\ file://0001-Integration-of-Cynara-asynchronous-security-checks.patch \ file://0002-Disable-message-dispatching-when-send-rule-result-is.patch \ diff --git a/meta-security/recipes-core/systemd/systemd_234.bbappend b/meta-security/recipes-core/systemd/systemd_239.bbappend index 79753a2d6..789c05f83 100644 --- a/meta-security/recipes-core/systemd/systemd_234.bbappend +++ b/meta-security/recipes-core/systemd/systemd_239.bbappend @@ -1,16 +1,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" -################################################################################## -# What follows is temporary. -# This patch is still needed for systemd 234 but is normally upstreamed -# and thus should be removed in later versions. -################################################################################## -SRC_URI_append_with-lsm-smack = "\ - file://0001-Switch-Smack-label-earlier.patch \ -" - # Ensures systemd runs with label "System" -EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System" +EXTRA_OEMESON_append_with-lsm-smack = " -Dsmack-run-label=System" ################################################################################## # Maintaining trivial, non-upstreamable configuration changes as patches diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc deleted file mode 100644 index 09e4ea5bb..000000000 --- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc +++ /dev/null @@ -1,27 +0,0 @@ -SUMMARY = "Ext2 Filesystem Utilities" -DESCRIPTION = "The Ext2 Filesystem Utilities (e2fsprogs) contain all of the standard utilities for creating, \ -fixing, configuring , and debugging ext2 filesystems." -HOMEPAGE = "http://e2fsprogs.sourceforge.net/" - -LICENSE = "GPLv2 & LGPLv2 & BSD & MIT" -LICENSE_e2fsprogs-e2fsck = "GPLv2" -LICENSE_e2fsprogs-mke2fs = "GPLv2" -LICENSE_e2fsprogs-fsck = "GPLv2" -LICENSE_e2fsprogs-tune2fs = "GPLv2" -LICENSE_e2fsprogs-badblocks = "GPLv2" -LIC_FILES_CHKSUM = "file://COPYING;md5=b48f21d765b875bd10400975d12c1ca2 \ - file://lib/ext2fs/ext2fs.h;beginline=1;endline=9;md5=596a8dedcb4e731c6b21c7a46fba6bef \ - file://lib/e2p/e2p.h;beginline=1;endline=7;md5=8a74ade8f9d65095d70ef2d4bf48e36a \ - file://lib/uuid/uuid.h.in;beginline=1;endline=32;md5=dbb8079e114a5f841934b99e59c8820a \ - file://lib/uuid/COPYING;md5=58dcd8452651fc8b07d1f65ce07ca8af \ - file://lib/et/et_name.c;beginline=1;endline=11;md5=ead236447dac7b980dbc5b4804d8c836 \ - file://lib/ss/ss.h;beginline=1;endline=20;md5=6e89ad47da6e75fecd2b5e0e81e1d4a6" -SECTION = "base" -DEPENDS = "util-linux" - -SRC_URI = "git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git" -S = "${WORKDIR}/git" - -inherit autotools gettext texinfo pkgconfig multilib_header update-alternatives ptest - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4 b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4 deleted file mode 100644 index c0bd7dbde..000000000 --- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4 +++ /dev/null @@ -1,135 +0,0 @@ -# Extracted from the package's shipped aclocal.m4. Custom macros should be in -# acinclude.m4 so running aclocal doesn't blow them away. -# -# Signed-off-by: Ross Burton <ross.burton@intel.com> - -# from http://autoconf-archive.cryp.to/ax_tls.html -# -# This was licensed under the GPL with the following exception: -# -# As a special exception, the respective Autoconf Macro's copyright -# owner gives unlimited permission to copy, distribute and modify the -# configure scripts that are the output of Autoconf when processing -# the Macro. You need not follow the terms of the GNU General Public -# License when using or distributing such scripts, even though -# portions of the text of the Macro appear in them. The GNU General -# Public License (GPL) does govern all other use of the material that -# constitutes the Autoconf Macro. -# -# This special exception to the GPL applies to versions of the -# Autoconf Macro released by the Autoconf Macro Archive. When you make -# and distribute a modified version of the Autoconf Macro, you may -# extend this special exception to the GPL to apply to your modified -# version as well. -# -AC_DEFUN([AX_TLS], [ - AC_MSG_CHECKING(for thread local storage (TLS) class) - AC_CACHE_VAL(ac_cv_tls, [ - ax_tls_keywords="__thread __declspec(thread) none" - for ax_tls_keyword in $ax_tls_keywords; do - case $ax_tls_keyword in - none) ac_cv_tls=none ; break ;; - *) - AC_TRY_COMPILE( - [#include <stdlib.h> - static void - foo(void) { - static ] $ax_tls_keyword [ int bar; - exit(1); - }], - [], - [ac_cv_tls=$ax_tls_keyword ; break], - ac_cv_tls=none - ) - esac - done -]) - - if test "$ac_cv_tls" != "none"; then - dnl AC_DEFINE([TLS], [], [If the compiler supports a TLS storage class define it to that here]) - AC_DEFINE_UNQUOTED([TLS], $ac_cv_tls, [If the compiler supports a TLS storage class define it to that here]) - fi - AC_MSG_RESULT($ac_cv_tls) -]) - -# =========================================================================== -# http://www.nongnu.org/autoconf-archive/check_gnu_make.html -# =========================================================================== -# -# SYNOPSIS -# -# CHECK_GNU_MAKE() -# -# DESCRIPTION -# -# This macro searches for a GNU version of make. If a match is found, the -# makefile variable `ifGNUmake' is set to the empty string, otherwise it -# is set to "#". This is useful for including a special features in a -# Makefile, which cannot be handled by other versions of make. The -# variable _cv_gnu_make_command is set to the command to invoke GNU make -# if it exists, the empty string otherwise. -# -# Here is an example of its use: -# -# Makefile.in might contain: -# -# # A failsafe way of putting a dependency rule into a makefile -# $(DEPEND): -# $(CC) -MM $(srcdir)/*.c > $(DEPEND) -# -# @ifGNUmake@ ifeq ($(DEPEND),$(wildcard $(DEPEND))) -# @ifGNUmake@ include $(DEPEND) -# @ifGNUmake@ endif -# -# Then configure.in would normally contain: -# -# CHECK_GNU_MAKE() -# AC_OUTPUT(Makefile) -# -# Then perhaps to cause gnu make to override any other make, we could do -# something like this (note that GNU make always looks for GNUmakefile -# first): -# -# if ! test x$_cv_gnu_make_command = x ; then -# mv Makefile GNUmakefile -# echo .DEFAULT: > Makefile ; -# echo \ $_cv_gnu_make_command \$@ >> Makefile; -# fi -# -# Then, if any (well almost any) other make is called, and GNU make also -# exists, then the other make wraps the GNU make. -# -# LICENSE -# -# Copyright (c) 2008 John Darrington <j.darrington@elvis.murdoch.edu.au> -# -# Copying and distribution of this file, with or without modification, are -# permitted in any medium without royalty provided the copyright notice -# and this notice are preserved. -# -# Note: Modified by Ted Ts'o to add @ifNotGNUMake@ - -AC_DEFUN( - [CHECK_GNU_MAKE], [ AC_CACHE_CHECK( for GNU make,_cv_gnu_make_command, - _cv_gnu_make_command='' ; -dnl Search all the common names for GNU make - for a in "$MAKE" make gmake gnumake ; do - if test -z "$a" ; then continue ; fi ; - if ( sh -c "$a --version" 2> /dev/null | grep GNU 2>&1 > /dev/null ) ; then - _cv_gnu_make_command=$a ; - break; - fi - done ; - ) ; -dnl If there was a GNU version, then set @ifGNUmake@ to the empty string, '#' otherwise - if test "x$_cv_gnu_make_command" != "x" ; then - ifGNUmake='' ; - ifNotGNUmake='#' ; - else - ifGNUmake='#' ; - ifNotGNUmake='' ; - AC_MSG_RESULT("Not found"); - fi - AC_SUBST(ifGNUmake) - AC_SUBST(ifNotGNUmake) -] ) diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch deleted file mode 100644 index 2a3aeff61..000000000 --- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch +++ /dev/null @@ -1,18 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Mei Lei <lei.mei@intel.com> - -diff --git a/configure.ac b/configure.ac -index c1fe224..f5ac628 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1374,7 +1374,8 @@ if test -n "$WITH_DIET_LIBC" ; then - INCLUDES="$INCLUDES -D_REENTRANT" - fi - AC_SUBST(INCLUDES) --AM_MKINSTALLDIRS -+MKINSTALLDIRS="mkdir -p" -+AC_SUBST(MKINSTALLDIRS) - dnl - dnl Build CFLAGS - dnl diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch deleted file mode 100644 index ef1ce5872..000000000 --- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch +++ /dev/null @@ -1,67 +0,0 @@ -diff --git a/tests/Makefile.in b/tests/Makefile.in -index 60cf655..ce220f1 100644 ---- a/tests/Makefile.in -+++ b/tests/Makefile.in -@@ -18,7 +18,7 @@ test_one: $(srcdir)/test_one.in Makefile mke2fs.conf - @echo "#!/bin/sh" > test_one - @echo "HTREE=y" >> test_one - @echo "QUOTA=y" >> test_one -- @echo "SRCDIR=@srcdir@" >> test_one -+ @echo "SRCDIR=/usr/lib/e2fsprogs/ptest/test" >> test_one - @echo "DIFF_OPTS=@UNI_DIFF_OPTS@" >> test_one - @cat $(srcdir)/test_one.in >> test_one - @chmod +x test_one -@@ -26,7 +26,7 @@ test_one: $(srcdir)/test_one.in Makefile mke2fs.conf - test_script: test_one test_script.in Makefile mke2fs.conf - @echo "Creating test_script..." - @echo "#!/bin/sh" > test_script -- @echo "SRCDIR=@srcdir@" >> test_script -+ @echo "SRCDIR=/usr/lib/e2fsprogs/ptest/test" >> test_script - @cat $(srcdir)/test_script.in >> test_script - @chmod +x test_script - -diff --git a/tests/test_config b/tests/test_config -index 7f39157..c815a44 100644 ---- a/tests/test_config -+++ b/tests/test_config -@@ -3,24 +3,24 @@ - # - - unset LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME PAGER --FSCK="$USE_VALGRIND ../e2fsck/e2fsck" --MKE2FS="$USE_VALGRIND ../misc/mke2fs" --DUMPE2FS="$USE_VALGRIND ../misc/dumpe2fs" --TUNE2FS="$USE_VALGRIND ../misc/tune2fs" --CHATTR="$USE_VALGRIND../misc/chattr" --LSATTR="$USE_VALGRIND ../misc/lsattr" --E2IMAGE="$USE_VALGRIND ../misc/e2image" --E2IMAGE_EXE="../misc/e2image" --DEBUGFS="$USE_VALGRIND ../debugfs/debugfs" --DEBUGFS_EXE="../debugfs/debugfs" --TEST_BITS="../debugfs/debugfs" --RESIZE2FS_EXE="../resize/resize2fs" -+FSCK="$USE_VALGRIND e2fsck" -+MKE2FS="$USE_VALGRIND mke2fs" -+DUMPE2FS="$USE_VALGRIND dumpe2fs" -+TUNE2FS="$USE_VALGRIND tune2fs" -+CHATTR="$USE_VALGRIND chattr" -+LSATTR="$USE_VALGRIND lsattr" -+E2IMAGE="$USE_VALGRIND e2image" -+E2IMAGE_EXE="/sbin/e2image" -+DEBUGFS="$USE_VALGRIND debugfs" -+DEBUGFS_EXE="/sbin/debugfs" -+TEST_BITS="/sbin/debugfs" -+RESIZE2FS_EXE="/sbin/resize2fs" - RESIZE2FS="$USE_VALGRIND $RESIZE2FS_EXE" --E2UNDO_EXE="../misc/e2undo" -+E2UNDO_EXE="/sbin/e2undo" - E2UNDO="$USE_VALGRIND $E2UNDO_EXE" --TEST_REL=../tests/progs/test_rel --TEST_ICOUNT=../tests/progs/test_icount --CRCSUM=../tests/progs/crcsum -+TEST_REL=./progs/test_rel -+TEST_ICOUNT=./progs/test_icount -+CRCSUM=./progs/crcsum - CLEAN_OUTPUT="sed -f $cmd_dir/filter.sed" - LD_LIBRARY_PATH=../lib:../lib/ext2fs:../lib/e2p:../lib/et:../lib/ss:${LD_LIBRARY_PATH} - DYLD_LIBRARY_PATH=../lib:../lib/ext2fs:../lib/e2p:../lib/et:../lib/ss:${DYLD_LIBRARY_PATH} diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch deleted file mode 100644 index 830e9d57a..000000000 --- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch +++ /dev/null @@ -1,19 +0,0 @@ -When executing a script don't echo every command, as we do this for entire -filesystems at rootfs time. - -Upstream-Status: Inappropriate -Signed-off-by: Ross Burton <ross.burton@intel.com> - -diff --git a/debugfs/debugfs.c b/debugfs/debugfs.c -index 5590295..ac57292 100644 ---- a/debugfs/debugfs.c -+++ b/debugfs/debugfs.c -@@ -2378,7 +2378,7 @@ static int source_file(const char *cmd_file, int ss_idx) - cp = strchr(buf, '\r'); - if (cp) - *cp = 0; -- printf("debugfs: %s\n", buf); -+ /*printf("debugfs: %s\n", buf);*/ - retval = ss_execute_line(ss_idx, buf); - if (retval) { - ss_perror(ss_idx, retval, buf); diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch deleted file mode 100644 index f3e6eb778..000000000 --- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b139e03ac2f72e644e547c7ee9b1514383af4d97 Mon Sep 17 00:00:00 2001 -From: Andrei Dinu <andrei.adrianx.dinu@intel.com> -Date: Wed, 30 Jan 2013 15:22:04 +0200 -Subject: [PATCH] When /etc/ld.so.cache is writeable by user running bitbake - then it creates invalid cache (in my case libstdc++.so - cannot be found after building zlib(-native) and I have to - call touch */libstdc++.so && /sbin/ldconfig to fix it. - -So remove ldconfig call from make install-libs - -Patch authored by Martin Jansa. - -Upstream-Status: Inappropriate [disable feature] - -Signed-off-by: Scott Garman <scott.a.garman@intel.com> -Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com> ---- - lib/Makefile.elf-lib | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/lib/Makefile.elf-lib b/lib/Makefile.elf-lib -index 78479d3..4a4a5ac 100644 ---- a/lib/Makefile.elf-lib -+++ b/lib/Makefile.elf-lib -@@ -50,8 +50,6 @@ install-shlibs install:: $(ELF_LIB) installdirs-elf-lib $(DEP_INSTALL_SYMLINK) - $(E) " SYMLINK $(libdir)/$(ELF_IMAGE).so" - $(Q) $(INSTALL_SYMLINK) $(ELF_INSTALL_DIR)/$(ELF_SONAME) \ - $(libdir)/$(ELF_IMAGE).so $(DESTDIR) -- $(E) " LDCONFIG" -- $(Q) -$(LDCONFIG) - - install-strip: install - $(E) " STRIP-LIB $(ELF_INSTALL_DIR)/$(ELF_LIB)" -@@ -67,7 +65,6 @@ uninstall-shlibs uninstall:: - $(RM) -f $(DESTDIR)$(ELF_INSTALL_DIR)/$(ELF_LIB) \ - $(DESTDIR)$(ELF_INSTALL_DIR)/$(ELF_SONAME) \ - $(DESTDIR)$(libdir)/$(ELF_IMAGE).so -- -$(LDCONFIG) - - clean:: - $(RM) -rf elfshared --- -1.7.9.5 - diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest deleted file mode 100644 index 1ac251324..000000000 --- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -cd ./test -./test_script &>../test.log -if [ $? -eq 0 ] -then - echo "PASS: e2fsprogs" - rm test.log -else - echo "FAIL: e2fsprogs" -fi diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend deleted file mode 100644 index 35dd361d4..000000000 --- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend +++ /dev/null @@ -1,14 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" - -# Applying this patch is optional. Only some versions -# of e2fsprogs need it. So try to apply it, but if it fails, -# continue and hope the patch wasn't needed. If it is needed -# and got skipped, the oeqa Smack tests will catch the failure. -SRC_URI += "file://ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch;apply=no" - -do_patch[postfuncs] += "patch_xattr_support" -patch_xattr_support () { - cd ${S} - cp lib/ext2fs/ext_attr.c lib/ext2fs/ext_attr.c.orig - patch lib/ext2fs/ext_attr.c <${WORKDIR}/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch && rm lib/ext2fs/ext_attr.c.orig || mv lib/ext2fs/ext_attr.c.orig lib/ext2fs/ext_attr.c -} diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb deleted file mode 100644 index bc2d201a4..000000000 --- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb +++ /dev/null @@ -1,106 +0,0 @@ -COREDIR = "${COREBASE}/meta/recipes-devtools/e2fsprogs" - -# This recipe is a copy of a e2fsprogs 1.42.99+1.43 from OE-core master and -# only meant to be used when the current OE-core does not have that version yet. -python () { - import os - upstream = os.path.join(d.getVar('COREDIR', True), 'e2fsprogs_1.42.9.bb') - if not os.path.exists(upstream): - raise bb.parse.SkipRecipe("This recipe replaces e2fsprogs 1.42.9 in OE-core. e2fsprogs from OE-core is something else and thus either recent enough to have xattr support or (less likely) something unexpected.") -} - - -require e2fsprogs.inc - -SRC_URI += "file://acinclude.m4 \ - file://remove.ldconfig.call.patch \ - file://quiet-debugfs.patch \ - file://run-ptest \ - file://ptest.patch \ - file://mkdir.patch \ -" - -SRCREV = "0f26747167cc9d82df849b0aad387bf824f04544" -PV = "1.42.99+1.43+git${SRCPV}" -UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+\.\d+(\.\d+)*)$" - -EXTRA_OECONF += "--libdir=${base_libdir} --sbindir=${base_sbindir} \ - --enable-elf-shlibs --disable-libuuid --disable-uuidd \ - --disable-libblkid --enable-verbose-makecmds" - -EXTRA_OECONF_darwin = "--libdir=${base_libdir} --sbindir=${base_sbindir} --enable-bsd-shlibs" - -PACKAGECONFIG ??= "" -PACKAGECONFIG[fuse] = '--enable-fuse2fs,--disable-fuse2fs,fuse' - -do_configure_prepend () { - cp ${WORKDIR}/acinclude.m4 ${S}/ -} - -do_install () { - oe_runmake 'DESTDIR=${D}' install - oe_runmake 'DESTDIR=${D}' install-libs - # We use blkid from util-linux now so remove from here - rm -f ${D}${base_libdir}/libblkid* - rm -rf ${D}${includedir}/blkid - rm -f ${D}${base_libdir}/pkgconfig/blkid.pc - rm -f ${D}${base_sbindir}/blkid - rm -f ${D}${base_sbindir}/fsck - rm -f ${D}${base_sbindir}/findfs - - # e2initrd_helper and the pkgconfig files belong in libdir - if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then - install -d ${D}${libdir} - mv ${D}${base_libdir}/e2initrd_helper ${D}${libdir} - mv ${D}${base_libdir}/pkgconfig ${D}${libdir} - fi - - oe_multilib_header ext2fs/ext2_types.h - install -d ${D}${base_bindir} - mv ${D}${bindir}/chattr ${D}${base_bindir}/chattr.e2fsprogs - - install -v -m 755 ${S}/contrib/populate-extfs.sh ${D}${base_sbindir}/ -} - -do_install_append_class-target() { - # Clean host path in compile_et, mk_cmds - sed -i -e "s,ET_DIR=\"${S}/lib/et\",ET_DIR=\"${datadir}/et\",g" ${D}${bindir}/compile_et - sed -i -e "s,SS_DIR=\"${S}/lib/ss\",SS_DIR=\"${datadir}/ss\",g" ${D}${bindir}/mk_cmds -} - -RDEPENDS_e2fsprogs = "e2fsprogs-badblocks" -RRECOMMENDS_e2fsprogs = "e2fsprogs-mke2fs e2fsprogs-e2fsck" - -PACKAGES =+ "e2fsprogs-e2fsck e2fsprogs-mke2fs e2fsprogs-tune2fs e2fsprogs-badblocks e2fsprogs-resize2fs" -PACKAGES =+ "libcomerr libss libe2p libext2fs" - -FILES_e2fsprogs-resize2fs = "${base_sbindir}/resize2fs*" -FILES_e2fsprogs-e2fsck = "${base_sbindir}/e2fsck ${base_sbindir}/fsck.ext*" -FILES_e2fsprogs-mke2fs = "${base_sbindir}/mke2fs ${base_sbindir}/mkfs.ext* ${sysconfdir}/mke2fs.conf" -FILES_e2fsprogs-tune2fs = "${base_sbindir}/tune2fs ${base_sbindir}/e2label" -FILES_e2fsprogs-badblocks = "${base_sbindir}/badblocks" -FILES_libcomerr = "${base_libdir}/libcom_err.so.*" -FILES_libss = "${base_libdir}/libss.so.*" -FILES_libe2p = "${base_libdir}/libe2p.so.*" -FILES_libext2fs = "${libdir}/e2initrd_helper ${base_libdir}/libext2fs.so.*" -FILES_${PN}-dev += "${datadir}/*/*.awk ${datadir}/*/*.sed ${base_libdir}/*.so" - -ALTERNATIVE_${PN} = "chattr" -ALTERNATIVE_PRIORITY = "100" -ALTERNATIVE_LINK_NAME[chattr] = "${base_bindir}/chattr" -ALTERNATIVE_TARGET[chattr] = "${base_bindir}/chattr.e2fsprogs" - -ALTERNATIVE_${PN}-doc = "fsck.8" -ALTERNATIVE_LINK_NAME[fsck.8] = "${mandir}/man8/fsck.8" - -RDEPENDS_${PN}-ptest += "${PN} ${PN}-tune2fs coreutils procps bash" - -do_compile_ptest() { - oe_runmake -C ${B}/tests -} - -do_install_ptest() { - cp -a ${B}/tests ${D}${PTEST_PATH}/test - cp -a ${S}/tests/* ${D}${PTEST_PATH}/test - sed -e 's!../e2fsck/e2fsck!e2fsck!g' -i ${D}${PTEST_PATH}/test/*/expect* -} diff --git a/meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch b/meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch deleted file mode 100644 index 67b8b68fb..000000000 --- a/meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 3b2b0922e031628f313f5480c4f1f9413c6656bf Mon Sep 17 00:00:00 2001 -From: Richard Purdie <richard.purdie@linuxfoundation.org> -Date: Wed, 10 Feb 2016 15:51:43 +0100 -Subject: [PATCH] ext_attr.c: fix adding multiple xattrs during image creation - -http://www.nongnu.org/ext2-doc/ext2.html#CONTRIB-EXTENDED-ATTRIBUTES -contains the small snippet that "The entry descriptors are sorted by -attribute name, so that two extended attribute blocks can be compared -efficiently". - -The libext2fs code in e2fsprogs needs to be taught about this minor -sorting detail. Otherwise creating an image with "mkfs.ext -d" from a -filesystem that reports xattrs in listxattr() in an order that does -not match the expected order will lead to an image where listxattr() -reports all xattrs, but reading some values fails with ENODATA. - -[Patch from RP, commit message from Patrick and RP] - -Upstream-Status: Pending [https://bugzilla.yoctoproject.org/show_bug.cgi?id=8992] ---- - lib/ext2fs/ext_attr.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c -index 0a4f8c0..be8f9c3 100644 ---- a/lib/ext2fs/ext_attr.c -+++ b/lib/ext2fs/ext_attr.c -@@ -258,6 +258,7 @@ static struct ea_name_index ea_names[] = { - static int attr_compare(const void *a, const void *b) - { - const struct ext2_xattr *xa = a, *xb = b; -+ size_t len; - - if (xa->name == NULL) - return +1; -@@ -267,7 +268,11 @@ static int attr_compare(const void *a, const void *b) - return -1; - else if (!strcmp(xb->name, "system.data")) - return +1; -- return 0; -+ len = strlen(xa->name) - strlen(xb->name); -+ if (len) -+ return len; -+ -+ return strcmp(xa->name, xb->name); - } - - static const char *find_ea_prefix(int index) --- -2.1.4 - diff --git a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch index 11387b98b..e1d0cfac9 100644 --- a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch +++ b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch @@ -1,7 +1,7 @@ -From 3d387993b5a4283e8aebd8e777b2ccd45d233959 Mon Sep 17 00:00:00 2001 +From 8bf90bf3e7a821dbd3b7029d87aa592eec6f1754 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 12:00:18 +0100 -Subject: [PATCH 1/6] Add fallthrough tags +Subject: [PATCH] Add fallthrough tags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -12,6 +12,7 @@ to the next after some processing. Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- src/admin/api/admin-api.cpp | 1 + src/client-async/logic/Logic.cpp | 1 + @@ -54,6 +55,3 @@ index b1ca4f7..f4394e5 100644 default: return true; } --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch b/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch new file mode 100644 index 000000000..40e11ce5d --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch @@ -0,0 +1,35 @@ +From ca28ec4a0781a1ab9ec5f015387436beb51adfc3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan-Simon=20M=C3=B6ller?= <jsmoeller@linuxfoundation.org> +Date: Fri, 19 Oct 2018 08:09:28 +0000 +Subject: [PATCH] fix fallthrough in cmdlineparser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org> + +--- + src/service/main/CmdlineParser.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/service/main/CmdlineParser.cpp b/src/service/main/CmdlineParser.cpp +index ca56e39..e07ea52 100644 +--- a/src/service/main/CmdlineParser.cpp ++++ b/src/service/main/CmdlineParser.cpp +@@ -112,13 +112,16 @@ struct CmdLineOptions handleCmdlineOptions(int argc, char * const *argv) { + case ':': // Missing argument + ret.m_error = true; + ret.m_exit = true; ++ /*@fallthrough@*/ + switch (optopt) { + case CmdlineOpt::Mask: + case CmdlineOpt::User: + case CmdlineOpt::Group: + printMissingArgument(execName, argv[optind - 1]); + return ret; ++ /*@fallthrough@*/ + } ++ /*@fallthrough@*/ + //intentional fall to Unknown option + case '?': // Unknown option + default: diff --git a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch index 760a1c5b2..b8dbfac4d 100644 --- a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch +++ b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch @@ -1,9 +1,10 @@ -From b18e66ce7f81c56e3a97ed075cb60d5a43b2e57c Mon Sep 17 00:00:00 2001 +From e2d8414b0d1c6c59baf1bb73e856e93aaabaf955 Mon Sep 17 00:00:00 2001 From: Changhyeok Bae <changhyeok.bae@gmail.com> Date: Sun, 17 Dec 2017 15:28:28 +0000 -Subject: [PATCH 2/6] gcc-7 requires include <functional> for std::function +Subject: [PATCH] gcc-7 requires include <functional> for std::function Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> + --- src/common/types/PolicyBucket.h | 1 + src/cyad/AdminPolicyParser.h | 1 + @@ -33,6 +34,3 @@ index 53dde23..f38c194 100644 #include <cyad/CynaraAdminPolicies.h> --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch index 8c47c3b26..1b105a00c 100644 --- a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch +++ b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch @@ -1,7 +1,7 @@ -From 6ad54c5e732e7cf0a29f29f48fa757e3e56d6860 Mon Sep 17 00:00:00 2001 +From fdcf2a68a4bfec588b1c6c969caa0be20961b807 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 11:38:16 +0100 -Subject: [PATCH 3/6] Avoid warning when compiling without smack +Subject: [PATCH] Avoid warning when compiling without smack MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -14,6 +14,7 @@ with the following message: Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190 Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- src/admin/CMakeLists.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) @@ -40,6 +41,3 @@ index e4f354a..38b8669 100644 SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin) --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch index 164542899..f19cdfb50 100644 --- a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch +++ b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch @@ -1,7 +1,7 @@ -From 2bd62bca98a8a8cf194fb2b68aed68d982f58520 Mon Sep 17 00:00:00 2001 +From 233fb8a93343c3c9c04914e1148ef5ab87a808a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 12:52:39 +0100 -Subject: [PATCH 4/6] Fix mode of sockets +Subject: [PATCH] Fix mode of sockets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -10,6 +10,7 @@ Setting execution bit on the socket serves nothing. Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10 Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- systemd/cynara-admin.socket | 2 +- systemd/cynara.socket | 2 +- @@ -39,6 +40,3 @@ index 9f2a870..fad2745 100644 SmackLabelIPIn=* SmackLabelIPOut=@ --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch index b4a2d74e8..e954c7f21 100644 --- a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch +++ b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch @@ -1,7 +1,7 @@ -From d919b110a2fbccdce084c651f4d7d7de66f2f869 Mon Sep 17 00:00:00 2001 +From ebde8e9fdba7bc1c8152f7e45c551030a36ece82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 13:47:37 +0100 -Subject: [PATCH 5/6] Allow to tune sockets +Subject: [PATCH] Allow to tune sockets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -17,17 +17,26 @@ through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- - systemd/CMakeLists.txt | 19 +++++++++++++++---- - .../{cynara-admin.socket => cynara-admin.socket.in} | 2 +- - .../{cynara-agent.socket => cynara-agent.socket.in} | 4 ++-- - ...onitor-get.socket => cynara-monitor-get.socket.in} | 4 ++-- - systemd/{cynara.socket => cynara.socket.in} | 2 +- - 5 files changed, 21 insertions(+), 10 deletions(-) - rename systemd/{cynara-admin.socket => cynara-admin.socket.in} (78%) - rename systemd/{cynara-agent.socket => cynara-agent.socket.in} (66%) - rename systemd/{cynara-monitor-get.socket => cynara-monitor-get.socket.in} (64%) - rename systemd/{cynara.socket => cynara.socket.in} (80%) + systemd/CMakeLists.txt | 19 +++++++++++++++---- + systemd/cynara-admin.socket | 14 -------------- + systemd/cynara-admin.socket.in | 14 ++++++++++++++ + systemd/cynara-agent.socket | 15 --------------- + systemd/cynara-agent.socket.in | 15 +++++++++++++++ + systemd/cynara-monitor-get.socket | 15 --------------- + systemd/cynara-monitor-get.socket.in | 15 +++++++++++++++ + systemd/cynara.socket | 14 -------------- + systemd/cynara.socket.in | 14 ++++++++++++++ + 9 files changed, 73 insertions(+), 62 deletions(-) + delete mode 100644 systemd/cynara-admin.socket + create mode 100644 systemd/cynara-admin.socket.in + delete mode 100644 systemd/cynara-agent.socket + create mode 100644 systemd/cynara-agent.socket.in + delete mode 100644 systemd/cynara-monitor-get.socket + create mode 100644 systemd/cynara-monitor-get.socket.in + delete mode 100644 systemd/cynara.socket + create mode 100644 systemd/cynara.socket.in diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt index 20accf0..1b75c12 100644 @@ -62,66 +71,167 @@ index 20accf0..1b75c12 100644 DESTINATION ${SYSTEMD_UNIT_DIR} ) -diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket.in -similarity index 78% -rename from systemd/cynara-admin.socket -rename to systemd/cynara-admin.socket.in -index ed38386..2364c3e 100644 +diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket +deleted file mode 100644 +index ed38386..0000000 --- a/systemd/cynara-admin.socket -+++ b/systemd/cynara-admin.socket.in -@@ -1,5 +1,5 @@ - [Socket] ++++ /dev/null +@@ -1,14 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara-admin.socket +-SocketMode=0600 +-SmackLabelIPIn=@ +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-admin.socket.in b/systemd/cynara-admin.socket.in +new file mode 100644 +index 0000000..2364c3e +--- /dev/null ++++ b/systemd/cynara-admin.socket.in +@@ -0,0 +1,14 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara-admin.socket - SocketMode=0600 - SmackLabelIPIn=@ - SmackLabelIPOut=@ -diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket.in -similarity index 66% -rename from systemd/cynara-agent.socket -rename to systemd/cynara-agent.socket.in -index 5a677e0..4f86c9d 100644 ++SocketMode=0600 ++SmackLabelIPIn=@ ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket +deleted file mode 100644 +index 5a677e0..0000000 --- a/systemd/cynara-agent.socket -+++ b/systemd/cynara-agent.socket.in -@@ -1,6 +1,6 @@ - [Socket] ++++ /dev/null +@@ -1,15 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara-agent.socket -SocketGroup=security_fw +-SocketMode=0060 +-SmackLabelIPIn=* +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-agent.socket.in b/systemd/cynara-agent.socket.in +new file mode 100644 +index 0000000..4f86c9d +--- /dev/null ++++ b/systemd/cynara-agent.socket.in +@@ -0,0 +1,15 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara-agent.socket +SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ - SocketMode=0060 - SmackLabelIPIn=* - SmackLabelIPOut=@ -diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket.in -similarity index 64% -rename from systemd/cynara-monitor-get.socket -rename to systemd/cynara-monitor-get.socket.in -index a50feeb..b88dbf7 100644 ++SocketMode=0060 ++SmackLabelIPIn=* ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket +deleted file mode 100644 +index a50feeb..0000000 --- a/systemd/cynara-monitor-get.socket -+++ b/systemd/cynara-monitor-get.socket.in -@@ -1,6 +1,6 @@ - [Socket] ++++ /dev/null +@@ -1,15 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara-monitor-get.socket -SocketGroup=security_fw +-SocketMode=0060 +-SmackLabelIPIn=@ +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-monitor-get.socket.in b/systemd/cynara-monitor-get.socket.in +new file mode 100644 +index 0000000..b88dbf7 +--- /dev/null ++++ b/systemd/cynara-monitor-get.socket.in +@@ -0,0 +1,15 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket +SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ - SocketMode=0060 - SmackLabelIPIn=@ - SmackLabelIPOut=@ -diff --git a/systemd/cynara.socket b/systemd/cynara.socket.in -similarity index 80% -rename from systemd/cynara.socket -rename to systemd/cynara.socket.in -index fad2745..ba76549 100644 ++SocketMode=0060 ++SmackLabelIPIn=@ ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara.socket b/systemd/cynara.socket +deleted file mode 100644 +index fad2745..0000000 --- a/systemd/cynara.socket -+++ b/systemd/cynara.socket.in -@@ -1,5 +1,5 @@ - [Socket] ++++ /dev/null +@@ -1,14 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara.socket +-SocketMode=0666 +-SmackLabelIPIn=* +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara.socket.in b/systemd/cynara.socket.in +new file mode 100644 +index 0000000..ba76549 +--- /dev/null ++++ b/systemd/cynara.socket.in +@@ -0,0 +1,14 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara.socket - SocketMode=0666 - SmackLabelIPIn=* - SmackLabelIPOut=@ --- -2.14.3 - ++SocketMode=0666 ++SmackLabelIPIn=* ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target diff --git a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch index 0cfc785c1..68864f1ed 100644 --- a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch +++ b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch @@ -1,13 +1,14 @@ -From d54e425b0685c9e3e06f5b4efcbd206950d14f3c Mon Sep 17 00:00:00 2001 +From 23f1a7cb34dd4ef88bac5a43057feaf7f50559aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 14:09:23 +0100 -Subject: [PATCH 6/6] Install socket activation by default +Subject: [PATCH] Install socket activation by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- packaging/cynara.spec | 5 ----- systemd/CMakeLists.txt | 7 +++++++ @@ -75,6 +76,3 @@ index 0000000..c0e5a5b @@ -0,0 +1 @@ +../cynara.socket \ No newline at end of file --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch index cbf372ad9..c14418923 100644 --- a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch +++ b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch @@ -1,7 +1,7 @@ -From 297774fa4d01156c0327d6e6380a7ecae30bf875 Mon Sep 17 00:00:00 2001 +From 3605e9f8a3ea1252d1cf221398431e0d7a3ea34d Mon Sep 17 00:00:00 2001 From: Patrick Ohly <patrick.ohly@intel.com> Date: Mon, 23 Mar 2015 15:01:39 -0700 -Subject: [PATCH 1/2] cynara-db-migration.in: abort on errors +Subject: [PATCH] cynara-db-migration.in: abort on errors "set -e" enables error checking for all commands invoked by the script. Previously, errors were silently ignored. @@ -9,12 +9,13 @@ Previously, errors were silently ignored. Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8] Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + --- - migration/cynara-db-migration | 2 ++ + migration/cynara-db-migration.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in -index ff9bd61..f6e7f94 100644 +index 7b666d4..0682df6 100644 --- a/migration/cynara-db-migration.in +++ b/migration/cynara-db-migration.in @@ -19,6 +19,8 @@ @@ -25,7 +26,4 @@ index ff9bd61..f6e7f94 100644 + ##### Constants (these must not be modified by shell) - STATE_PATH='@LOCAL_STATE_DIR@/@PROJECT_NAME@' --- -1.8.4.5 - + PATH=/bin:/usr/bin:/sbin:/usr/sbin diff --git a/meta-security/recipes-security/cynara/cynara_0.14.10.bb b/meta-security/recipes-security/cynara/cynara_0.14.10.bb index 6c187fced..d2a09c693 100644 --- a/meta-security/recipes-security/cynara/cynara_0.14.10.bb +++ b/meta-security/recipes-security/cynara/cynara_0.14.10.bb @@ -15,6 +15,7 @@ SRC_URI += " \ file://0004-Fix-mode-of-sockets.patch \ file://0005-Allow-to-tune-sockets.patch \ file://0006-Install-socket-activation-by-default.patch \ + file://0001-fix-fallthrough-in-cmdlineparser.patch \ " DEPENDS = " \ @@ -84,6 +85,12 @@ USERADD_PARAM_${PN} = "\ # ln -s ../cynara-agent.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-agent.socket #} +# We want the post-install logic to create and label /var/cynara, so +# it should not be in the package. +do_install_append () { + rmdir ${D}${localstatedir}/cynara +} + FILES_${PN} += "${systemd_system_unitdir}" # Cynara itself has no dependency on Smack. Only its installation @@ -101,18 +108,7 @@ DEPENDS_append_with-lsm-smack = " smack smack-native" EXTRA_OECMAKE_append_with-lsm-smack = " -DDB_FILES_SMACK_LABEL=System" CHSMACK_with-lsm-smack = "chsmack" CHSMACK = "true" -pkg_postinst_${PN} () { - # Fail on error. - set -e - - # It would be nice to run the code below while building an image, - # but currently the calls to cynara-db-chsgen (a binary) in - # cynara-db-migration (a script) prevent that. Rely instead - # on OE's support for running failed postinst scripts at first boot. - if [ x"$D" != "x" ]; then - exit 1 - fi - +pkg_postinst_ontarget_${PN} () { mkdir -p $D${sysconfdir}/cynara ${CHSMACK} -a System $D${sysconfdir}/cynara diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch deleted file mode 100644 index d7a868d2c..000000000 --- a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch +++ /dev/null @@ -1,79 +0,0 @@ -Upstream-Status: Pending - -diff --git a/docs/capng_lock.3 b/docs/capng_lock.3 -index 7683119..a070c1e 100644 ---- a/docs/capng_lock.3 -+++ b/docs/capng_lock.3 -@@ -8,12 +8,13 @@ int capng_lock(void); - - .SH "DESCRIPTION" - --capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. -+capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs. This should be called while possessing the CAP_SETPCAP capability in the kernel. - -+This function will do the following if permitted by the kernel: If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it. Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. If both fail, it will return an error. - - .SH "RETURN VALUE" - --This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options. -+This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options. - - .SH "SEE ALSO" - -diff --git a/src/cap-ng.c b/src/cap-ng.c -index bd105ba..422f2bc 100644 ---- a/src/cap-ng.c -+++ b/src/cap-ng.c -@@ -45,6 +45,7 @@ - * 2.6.24 kernel XATTR_NAME_CAPS - * 2.6.25 kernel PR_CAPBSET_DROP, CAPABILITY_VERSION_2 - * 2.6.26 kernel PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3 -+ * 3.5 kernel PR_SET_NO_NEW_PRIVS - */ - - /* External syscall prototypes */ -@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data); - #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */ - #endif - -+/* prctl values that we use */ -+#ifndef PR_SET_SECUREBITS -+#define PR_SET_SECUREBITS 28 -+#endif -+#ifndef PR_SET_NO_NEW_PRIVS -+#define PR_SET_NO_NEW_PRIVS 38 -+#endif -+ - // States: new, allocated, initted, updated, applied - typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT, - CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t; -@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag) - - int capng_lock(void) - { --#ifdef PR_SET_SECUREBITS -- int rc = prctl(PR_SET_SECUREBITS, -- 1 << SECURE_NOROOT | -- 1 << SECURE_NOROOT_LOCKED | -- 1 << SECURE_NO_SETUID_FIXUP | -- 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0); -+ int rc; -+ -+ // On Linux 3.5 and up, we can directly prevent ourselves and -+ // our descendents from gaining privileges. -+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0) -+ return 0; -+ -+ // This kernel is too old or otherwise doesn't support -+ // PR_SET_NO_NEW_PRIVS. Fall back to using securebits. -+ rc = prctl(PR_SET_SECUREBITS, -+ 1 << SECURE_NOROOT | -+ 1 << SECURE_NOROOT_LOCKED | -+ 1 << SECURE_NO_SETUID_FIXUP | -+ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0); - if (rc) - return -1; --#endif - - return 0; - } diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch deleted file mode 100644 index d82ceb454..000000000 --- a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch +++ /dev/null @@ -1,39 +0,0 @@ -configure.ac - Avoid an incorrect check for python. -Makefile.am - avoid hard coded host include paths. - -Signed-off-by: Mark Hatle <mark.hatle@windriver.com> - ---- libcap-ng-0.6.5/configure.ac.orig 2012-01-17 13:59:03.645898989 -0600 -+++ libcap-ng-0.6.5/configure.ac 2012-01-17 13:59:46.353959252 -0600 -@@ -120,17 +120,8 @@ - else - AC_MSG_RESULT(testing) - AM_PATH_PYTHON --if test -f /usr/include/python${am_cv_python_version}/Python.h ; then -- python_found="yes" -- AC_MSG_NOTICE(Python bindings will be built) --else -- python_found="no" -- if test x$use_python = xyes ; then -- AC_MSG_ERROR([Python explicitly required and python headers found]) -- else -- AC_MSG_WARN("Python headers not found - python bindings will not be made") -- fi --fi -+python_found="yes" -+AC_MSG_NOTICE(Python bindings will be built) - fi - AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes") - ---- libcap-ng-0.6.5/bindings/python/Makefile.am.orig 2010-11-03 12:31:59.000000000 -0500 -+++ libcap-ng-0.6.5/bindings/python/Makefile.am 2012-01-17 14:05:50.199834467 -0600 -@@ -24,7 +24,8 @@ - CONFIG_CLEAN_FILES = *.loT *.rej *.orig - AM_CFLAGS = -fPIC -DPIC - PYLIBVER ?= python$(PYTHON_VERSION) --INCLUDES = -I. -I$(top_builddir) -I/usr/include/$(PYLIBVER) -+PYINC ?= /usr/include/$(PYLIBVER) -+INCLUDES = -I. -I$(top_builddir) -I$(PYINC) - LIBS = $(top_builddir)/src/libcap-ng.la - pyexec_PYTHON = capng.py - pyexec_LTLIBRARIES = _capng.la diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb b/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb deleted file mode 100644 index e729518e9..000000000 --- a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb +++ /dev/null @@ -1,39 +0,0 @@ -SUMMARY = "An alternate posix capabilities library" -DESCRIPTION = "The libcap-ng library is intended to make programming \ -with POSIX capabilities much easier than the traditional libcap library." -HOMEPAGE = "http://freecode.com/projects/libcap-ng" -SECTION = "base" -LICENSE = "GPLv2+ & LGPLv2.1+" -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \ - file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06" - -SRC_URI = "http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${PV}.tar.gz \ - file://python.patch \ - file://CVE-2014-3215.patch \ - " - -inherit lib_package autotools pythonnative - -SRC_URI[md5sum] = "610afb774f80a8032b711281df126283" -SRC_URI[sha256sum] = "5ca441c8d3a1e4cfe8a8151907977662679457311ccaa7eaac91447c33a35bb1" - -DEPENDS += "swig-native python" - -EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' PYINC='${STAGING_INCDIR}/${PYLIBVER}'" - -PACKAGES += "${PN}-python" - -FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" -FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" - -BBCLASSEXTEND = "native" - -do_install_append() { - # Moving libcap-ng to base_libdir - if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then - mkdir -p ${D}/${base_libdir}/ - mv -f ${D}${libdir}/libcap-ng.so.* ${D}${base_libdir}/ - relpath=${@os.path.relpath("${base_libdir}", "${libdir}")} - ln -sf ${relpath}/libcap-ng.so.0.0.0 ${D}${libdir}/libcap-ng.so - fi -} diff --git a/meta-security/recipes-security/security-manager/security-manager.inc b/meta-security/recipes-security/security-manager/security-manager.inc index 810106d75..ddd87a930 100644 --- a/meta-security/recipes-security/security-manager/security-manager.inc +++ b/meta-security/recipes-security/security-manager/security-manager.inc @@ -89,10 +89,6 @@ FILES_${PN}-policy = " \ ${bindir}/security-manager-policy-reload \ " RDEPENDS_${PN}-policy += "sqlite3 cynara" -pkg_postinst_${PN}-policy () { - if [ x"$D" = "x" ] && ${bindir}/security-manager-policy-reload; then - exit 0 - else - exit 1 - fi +pkg_postinst_ontarget_${PN}-policy () { + ${bindir}/security-manager-policy-reload } diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch new file mode 100644 index 000000000..f598fdc82 --- /dev/null +++ b/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch @@ -0,0 +1,127 @@ +From 14c8842ed8a37fecbc70d46e27b49ae929b0c85f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Fri, 1 Feb 2019 15:37:44 +0100 +Subject: [PATCH] Avoid casting from "const T&" to "void*" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Latest version of g++ refuse the cast + + reinterpret_cast<void (Service::*)(void*)>(serviceFunction) + +I made no investigation to know if the problem +is coming from the const or not. + +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/server/main/include/service-thread.h | 43 ++++++++++-------------- + 1 file changed, 18 insertions(+), 25 deletions(-) + +diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h +index 964d168..92b0ec8 100644 +--- a/src/server/main/include/service-thread.h ++++ b/src/server/main/include/service-thread.h +@@ -9,78 +94,72 @@ public: + Join(); + while (!m_eventQueue.empty()){ + auto front = m_eventQueue.front(); +- delete front.eventPtr; ++ delete front; + m_eventQueue.pop(); + } + } + + template <class T> + void Event(const T &event, + Service *servicePtr, + void (Service::*serviceFunction)(const T &)) + { +- EventDescription description; +- description.serviceFunctionPtr = +- reinterpret_cast<void (Service::*)(void*)>(serviceFunction); +- description.servicePtr = servicePtr; +- description.eventFunctionPtr = &ServiceThread::EventCall<T>; +- description.eventPtr = new T(event); ++ EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction); + { + std::lock_guard<std::mutex> lock(m_eventQueueMutex); +- m_eventQueue.push(description); ++ m_eventQueue.push(ec); + } + m_waitCondition.notify_one(); + } + + protected: + +- struct EventDescription { +- void (Service::*serviceFunctionPtr)(void *); +- Service *servicePtr; +- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event); +- GenericEvent* eventPtr; +- }; +- +- template <class T> +- void EventCall(const EventDescription &desc) { +- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr); +- const T& eventLocale = *(static_cast<T*>(desc.eventPtr)); +- (desc.servicePtr->*fun)(eventLocale); +- } ++ struct EventCallerBase { ++ virtual void fire() = 0; ++ virtual ~EventCallerBase() {} ++ }; + ++ template <class T> ++ struct EventCaller : public EventCallerBase { ++ T *event; Service *target; void (Service::*function)(const T&); ++ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {} ++ ~EventCaller() { delete event; } ++ void fire() { (target->*function)(*event); } ++ }; ++ + static void ThreadLoopStatic(ServiceThread *ptr) { + ptr->ThreadLoop(); + } + + void ThreadLoop(){ + for (;;) { +- EventDescription description = {NULL, NULL, NULL, NULL}; ++ EventCallerBase *ec = NULL; + { + std::unique_lock<std::mutex> ulock(m_eventQueueMutex); + if (m_quit) + return; + if (!m_eventQueue.empty()) { +- description = m_eventQueue.front(); ++ ec = m_eventQueue.front(); + m_eventQueue.pop(); + } else { + m_waitCondition.wait(ulock); + } + } + +- if (description.eventPtr != NULL) { ++ if (ec != NULL) { + UNHANDLED_EXCEPTION_HANDLER_BEGIN + { +- (this->*description.eventFunctionPtr)(description); +- delete description.eventPtr; ++ ec->fire(); + } + UNHANDLED_EXCEPTION_HANDLER_END ++ delete ec; + } + } + } + + std::thread m_thread; + std::mutex m_eventQueueMutex; +- std::queue<EventDescription> m_eventQueue; ++ std::queue<EventCallerBase*> m_eventQueue; + std::condition_variable m_waitCondition; + + State m_state; +-- +2.17.2 + diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch new file mode 100644 index 000000000..5a55a3128 --- /dev/null +++ b/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch @@ -0,0 +1,32 @@ +From 37c63c280eaec8cae3a321d45404d6c03a68c9d9 Mon Sep 17 00:00:00 2001 +From: Stephane Desneux <stephane.desneux@iot.bzh> +Date: Fri, 1 Feb 2019 12:26:17 +0000 +Subject: [PATCH] Fix gcc8 warning/error [-Werror=catch-value=] + +Fixes the following warning/error during compile: + +src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=] +| } catch (Exception) { +| ^~~~~~~~~ + +Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh> +--- + src/dpl/core/src/assert.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp +index 63538a2..fc60ce9 100644 +--- a/src/dpl/core/src/assert.cpp ++++ b/src/dpl/core/src/assert.cpp +@@ -58,7 +58,7 @@ void AssertProc(const char *condition, + INTERNAL_LOG("### Function: " << function); + INTERNAL_LOG( + "################################################################################"); +- } catch (Exception) { ++ } catch (Exception const&) { + // Just ignore possible double errors + } + +-- +2.11.0 + diff --git a/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-security/recipes-security/security-manager/security-manager_git.bb index 65134d31a..3cbc3aea8 100644 --- a/meta-security/recipes-security/security-manager/security-manager_git.bb +++ b/meta-security/recipes-security/security-manager/security-manager_git.bb @@ -14,6 +14,8 @@ file://c-11-replace-depracated-auto_ptr.patch \ file://socket-manager-removes-tizen-specific-call.patch \ file://Removing-tizen-platform-config.patch \ file://removes-dependency-to-libslp-db-utils.patch \ +file://0001-Fix-gcc8-warning-error-Werror-catch-value.patch \ +file://0001-Avoid-casting-from-const-T-to-void.patch \ " ########################################## @@ -32,3 +34,5 @@ SRC_URI += "\ file://include-linux-xattr.patch;apply=${APPLY} \ " +# Use make with cmake and not ninja +OECMAKE_GENERATOR = "Unix Makefiles" diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend b/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend new file mode 100644 index 000000000..9c6080fcf --- /dev/null +++ b/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend @@ -0,0 +1,3 @@ +# remove the EXTRA_OECONF from the recipe to +# avoid an build error in >= YP SUMO +EXTRA_OECONF = "" |