diff options
| author |   José Bollo <jose.bollo@iot.bzh> | 2018-02-08 09:57:25 +0100 |
|---|---|---|
| committer | José Bollo <jose.bollo@iot.bzh> | 2018-02-13 11:02:00 +0100 |
| commit | 0ffb178ea81ebcde3990dd8269ccc08ebbc83416 (patch) | |
| tree | eb7db261cbbda2bb1ca31b962d9d2255a0931734 /meta-security | |
| parent | 4c1200c414361d35faf90ba887e012ab3cbab3db (diff) | |
meta-security: Remove unused content
This unused content can be devided in two parts:
- setting and feature in bitbake classes
- tests
None are actually used by AGL.
Even if this content can be later included in distribution,
I prefer to remove it now.
Change-Id: I4e6a8ac6326986a5652a7c47614dcaa3db8cabb6
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-security')
24 files changed, 0 insertions, 1953 deletions
diff --git a/meta-security/classes/deploy-files.bbclass b/meta-security/classes/deploy-files.bbclass deleted file mode 100644 index ec19323a3..000000000 --- a/meta-security/classes/deploy-files.bbclass +++ /dev/null @@ -1,68 +0,0 @@ -DEPLOY_FILES_DIR = "${WORKDIR}/deploy-files-${PN}" -SSTATETASKS += "do_deploy_files" -do_deploy_files[sstate-inputdirs] = "${DEPLOY_FILES_DIR}" -do_deploy_files[sstate-outputdirs] = "${DEPLOY_DIR}/files/" - -python do_deploy_files_setscene () { - sstate_setscene(d) -} -addtask do_deploy_files_setscene -do_deploy_files[dirs] = "${DEPLOY_FILES_DIR} ${B}" - -# Use like this: -# DEPLOY_FILES = "abc xyz" -# DEPLOY_FILES_FROM[abc] = "file-ab dir-c" -# DEPLOY_FILES_TO[abc] = "directory-for-abc" -# DEPLOY_FILES_FROM[xyz] = "file-xyz" -# DEPLOY_FILES_TO[xyz] = "directory-for-xyz" -# -# The destination directory will be created inside -# ${DEPLOYDIR}. The source files and directories -# will be copied such that their name and (for -# directories) the directory tree below it will -# be preserved. Shell wildcards are supported. -# -# The default DEPLOY_FILES copies files for the native host -# and the target into two different directories. Use that as follows: -# DEPLOY_FILES_FROM_native = "native-file" -# DEPLOY_FILES_FROM_target = "target-file" - -DEPLOY_FILES ?= "native target" -DEPLOY_FILES_FROM[native] ?= "" -DEPLOY_FILES_TO[native] = "native/${BUILD_ARCH}" -DEPLOY_FILES_FROM[target] ?= "" -DEPLOY_FILES_TO[target] = "target/${MACHINE}" - -# We have to use a Python function to access variable flags. Because -# bitbake then does not know about the dependency on these variables, -# we need to explicitly declare that. DEPLOYDIR may change without -# invalidating the sstate, therefore it is not listed. -do_deploy_files[vardeps] = "DEPLOY_FILES DEPLOY_FILES_FROM DEPLOY_FILES_TO" -python do_deploy_files () { - import glob - import os - import shutil - - for file in (d.getVar('DEPLOY_FILES', True) or '').split(): - bb.note('file: %s' % file) - from_pattern = d.getVarFlag('DEPLOY_FILES_FROM', file, True) - bb.note('from: %s' % from_pattern) - if from_pattern: - to = os.path.join(d.getVar('DEPLOY_FILES_DIR', True), d.getVarFlag('DEPLOY_FILES_TO', file, True)) - bb.note('to: %s' % to) - if not os.path.isdir(to): - os.makedirs(to) - for from_path in from_pattern.split(): - for src in (glob.glob(from_path) or [from_path]): - bb.note('Deploying %s to %s' % (src, to)) - if os.path.isdir(src): - src_dirname = shutil._basename(src) - to = os.path.join(to, src_dirname) - if os.path.exists(to): - bb.utils.remove(to, True) - shutil.copytree(src, to) - else: - shutil.copy(src, to) -} - -addtask deploy_files before do_build after do_compile diff --git a/meta-security/classes/xattr-images.bbclass b/meta-security/classes/xattr-images.bbclass deleted file mode 100644 index 565a3fb6e..000000000 --- a/meta-security/classes/xattr-images.bbclass +++ /dev/null @@ -1,137 +0,0 @@ -# Both Smack and IMA/EVM rely on xattrs. Inheriting this class ensures -# that these xattrs get preserved in tar and jffs2 images. -# -# It also fixes the rootfs so that the content of directories with -# SMACK::TRANSMUTE is correctly labelled. This is because pseudo does -# not know the special semantic of SMACK::TRANSMUTE and omits the -# updating of the Smack label when creating entries inside such a directory, -# for example /etc (see base-files_%.bbappend). Without the fixup, -# files already installed during the image creation would have different (and -# wrong) Smack labels. - -# xattr support is expected to be compiled into mtd-utils. We just need to -# use it. -EXTRA_IMAGECMD_jffs2_append = " --with-xattr" - -# By default, OE-core uses tar from the host, which may or may not have the -# --xattrs parameter which was introduced in 1.27. For image building we -# use a recent enough tar instead. -# -# The GNU documentation does not specify whether --xattrs-include is necessary. -# In practice, it turned out to be not needed when creating archives and -# required when extracting, but it seems prudent to use it in both cases. -IMAGE_DEPENDS_tar_append = " tar-replacement-native" -EXTRANATIVEPATH += "tar-native" -IMAGE_CMD_TAR = "tar --xattrs --xattrs-include=*" - -xattr_images_fix_transmute[dirs] = "${IMAGE_ROOTFS}" -python xattr_images_fix_transmute () { - # The recursive updating of the Smack label ensures that each entry - # has the label set for its parent directories if one of those was - # marked as transmuting. - # - # In addition, "_" is set explicitly on everything that would not - # have a label otherwise. This is a workaround for tools like swupd - # which transfers files from a rootfs onto a target device where Smack - # is active: on the target, each file gets assigned a label, typically - # the one from the process which creates it. swupd (or rather, the tools - # it is currently built on) knows how to set security.SMACK64="_" when - # it is set on the original files, but it does not know that it needs - # to remove that xattr when not set. - import os - import errno - - if getattr(os, 'getxattr', None): - # Python 3: os has xattr support. - def lgetxattr(f, attr): - try: - value = os.getxattr(f, attr, follow_symlinks=False) - return value.decode('utf8') - except OSError as ex: - if ex.errno == errno.ENODATA: - return None - - def lsetxattr(f, attr, value): - os.setxattr(f, attr.encode('utf8'), value.encode('utf8'), follow_symlinks=False) - else: - # Python 2: xattr support only in xattr module. - # - # Cannot use the 'xattr' module, it is not part of a standard Python - # installation. Instead re-implement using ctypes. Only has to be good - # enough for xattrs that are strings. Always operates on the symlinks themselves, - # not what they point to. - import ctypes - - # We cannot look up the xattr functions inside libc. That bypasses - # pseudo, which overrides these functions via LD_PRELOAD. Instead we have to - # find the function address and then create a ctypes function from it. - libdl = ctypes.CDLL("libdl.so.2") - _dlsym = libdl.dlsym - _dlsym.restype = ctypes.c_void_p - RTLD_DEFAULT = ctypes.c_void_p(0) - _lgetxattr = ctypes.CFUNCTYPE(ctypes.c_ssize_t, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p, ctypes.c_size_t, - use_errno=True)(_dlsym(RTLD_DEFAULT, 'lgetxattr')) - _lsetxattr = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int, - use_errno=True)(_dlsym(RTLD_DEFAULT, 'lsetxattr')) - - def lgetxattr(f, attr): - len = 32 - while True: - buffer = ctypes.create_string_buffer('\000' * len) - res = _lgetxattr(f, attr, buffer, ctypes.c_size_t(len)) - if res >= 0: - return buffer.value - else: - error = ctypes.get_errno() - if ctypes.get_errno() == errno.ERANGE: - len *= 2 - elif error == errno.ENODATA: - return None - else: - raise IOError(error, 'lgetxattr(%s, %s): %d = %s = %s' % - (f, attr, error, errno.errorcode[error], os.strerror(error))) - - def lsetxattr(f, attr, value): - res = _lsetxattr(f, attr, value, ctypes.c_size_t(len(value)), ctypes.c_int(0)) - if res != 0: - error = ctypes.get_errno() - raise IOError(error, 'lsetxattr(%s, %s, %s): %d = %s = %s' % - (f, attr, value, error, errno.errorcode[error], os.strerror(error))) - - def visit(path, deflabel, deftransmute): - isrealdir = os.path.isdir(path) and not os.path.islink(path) - curlabel = lgetxattr(path, 'security.SMACK64') - transmute = lgetxattr(path, 'security.SMACK64TRANSMUTE') == 'TRUE' - - if not curlabel: - # Since swupd doesn't remove the label from an updated file assigned by - # the target device's kernel upon unpacking the file from an update, - # we have to set the floor label explicitly even though it is the default label - # and thus adding it would create additional overhead. Otherwise this - # would result in hash mismatches reported by `swupd verify`. - lsetxattr(path, 'security.SMACK64', deflabel) - if not transmute and deftransmute and isrealdir: - lsetxattr(path, 'security.SMACK64TRANSMUTE', 'TRUE') - - # Identify transmuting directories and change the default Smack - # label inside them. In addition, directories themselves must become - # transmuting. - if isrealdir: - if transmute: - deflabel = lgetxattr(path, 'security.SMACK64') - deftransmute = True - if deflabel is None: - raise RuntimeError('%s: transmuting directory without Smack label' % path) - elif curlabel: - # Directory with explicit label set and not transmuting => do not - # change the content unless we run into another transmuting directory. - deflabel = '_' - deftransmute = False - - for entry in os.listdir(path): - visit(os.path.join(path, entry), deflabel, deftransmute) - - visit('.', '_', False) -} -# Same logic as in ima-evm-rootfs.bbclass: try to run as late as possible. -IMAGE_PREPROCESS_COMMAND_append_with-lsm-smack = " xattr_images_fix_transmute ; " diff --git a/meta-security/lib/oeqa/runtime/__init__.py b/meta-security/lib/oeqa/runtime/__init__.py deleted file mode 100644 index e69de29bb..000000000 --- a/meta-security/lib/oeqa/runtime/__init__.py +++ /dev/null diff --git a/meta-security/lib/oeqa/runtime/files/notroot.py b/meta-security/lib/oeqa/runtime/files/notroot.py deleted file mode 100644 index f0eb0b5b9..000000000 --- a/meta-security/lib/oeqa/runtime/files/notroot.py +++ /dev/null @@ -1,33 +0,0 @@ -#!/usr/bin/env python -# -# Script used for running executables with custom labels, as well as custom uid/gid -# Process label is changed by writing to /proc/self/attr/curent -# -# Script expects user id and group id to exist, and be the same. -# -# From adduser manual: -# """By default, each user in Debian GNU/Linux is given a corresponding group -# with the same name. """ -# -# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..] -# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 -# -# Author: Alexandru Cornea <alexandru.cornea@intel.com> -import os -import sys - -try: - uid = int(sys.argv[1]) - sys.argv.pop(1) - label = sys.argv[1] - sys.argv.pop(1) - open("/proc/self/attr/current", "w").write(label) - path=sys.argv[1] - sys.argv.pop(0) - os.setgid(uid) - os.setuid(uid) - os.execv(path,sys.argv) - -except Exception,e: - print e.message - sys.exit(1) diff --git a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh deleted file mode 100644 index 5a0ce84f2..000000000 --- a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/sh - -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` -RC=0 -TMP="/tmp" -test_file=$TMP/smack_test_access_file -CAT=`which cat` -ECHO=`which echo` -uid=1000 -initial_label=`cat /proc/self/attr/current` -python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file -chsmack -a "TheOther" $test_file - -# 12345678901234567890123456789012345678901234567890123456 -delrule="TheOne TheOther -----" -rule_ro="TheOne TheOther r----" - -# Remove pre-existent rules for "TheOne TheOther <access>" -echo -n "$delrule" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? -if [ $RC -ne 0 ]; then - echo "Process with different label than the test file and no read access on it can read it" - exit $RC -fi - -# adding read access -echo -n "$rule_ro" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? -if [ $RC -ne 0 ]; then - echo "Process with different label than the test file but with read access on it cannot read it" - exit $RC -fi - -# Remove pre-existent rules for "TheOne TheOther <access>" -echo -n "$delrule" > $SMACK_PATH/load -# changing label of test file to * -# according to SMACK documentation, read access on a * object is always permitted -chsmack -a '*' $test_file -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? -if [ $RC -ne 0 ]; then - echo "Process cannot read file with * label" - exit $RC -fi - -# changing subject label to * -# according to SMACK documentation, every access requested by a star labeled subject is rejected -TOUCH=`which touch` -python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 -ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$? -if [ $RC -ne 0 ];then - echo "Process with label '*' should not have any access" - exit $RC -fi -exit 0 diff --git a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh deleted file mode 100644 index 26d9e9d22..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -initial_label=`cat /proc/self/attr/current 2>/dev/null` -modified_label="test_label" - -echo "$modified_label" >/proc/self/attr/current 2>/dev/null - -new_label=`cat /proc/self/attr/current 2>/dev/null` - -if [ "$new_label" != "$modified_label" ]; then - # restore proper label - echo $initial_label >/proc/self/attr/current - echo "Privileged process could not change its label" - exit 1 -fi - -echo "$initial_label" >/proc/self/attr/current 2>/dev/null -exit 0
\ No newline at end of file diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh deleted file mode 100644 index 1c4a93ab6..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/sh -RC=0 -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'` -test_label="test_label" -onlycap_initial=`cat $SMACK_PATH/onlycap` -smack_initial=`cat /proc/self/attr/current` - -# need to set out label to be the same as onlycap, otherwise we lose our smack privileges -# even if we are root -echo "$test_label" > /proc/self/attr/current - -echo "$test_label" > $SMACK_PATH/onlycap || RC=$? -if [ $RC -ne 0 ]; then - echo "Onlycap label could not be set" - return $RC -fi - -if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then - echo "Onlycap label was not set correctly." - return 1 -fi - -# resetting original onlycap label -echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null - -# resetting our initial's process label -echo "$smack_initial" > /proc/self/attr/current diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh deleted file mode 100644 index ed18f2371..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh +++ /dev/null @@ -1,108 +0,0 @@ -#!/bin/sh -RC=0 -test_file=/tmp/smack_socket_tcp -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` -# make sure no access is granted -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 -----" > $SMACK_PATH/load - -tcp_server=`which tcp_server` -if [ -z $tcp_server ]; then - if [ -f "/tmp/tcp_server" ]; then - tcp_server="/tmp/tcp_server" - else - echo "tcp_server binary not found" - exit 1 - fi -fi -tcp_client=`which tcp_client` -if [ -z $tcp_client ]; then - if [ -f "/tmp/tcp_client" ]; then - tcp_client="/tmp/tcp_client" - else - echo "tcp_client binary not found" - exit 1 - fi -fi - -# checking access for sockets with different labels -$tcp_server 50016 label1 &>/dev/null & -server_pid=$! -sleep 2 -$tcp_client 50016 label2 label1 &>/dev/null & -client_pid=$! - -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? - -if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then - echo "Sockets with different labels should not communicate on tcp" - exit 1 -fi - -# granting access between different labels -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 rw---" > $SMACK_PATH/load -# checking access for sockets with different labels, but having a rule granting rw -$tcp_server 50017 label1 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50017 label2 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with different labels, but having rw access, should communicate on tcp" - exit 1 -fi - -# checking access for sockets with the same label -$tcp_server 50018 label1 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50018 label1 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with same labels should communicate on tcp" - exit 1 -fi - -# checking access on socket labeled star (*) -# should always be permitted -$tcp_server 50019 \* 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50019 label1 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Should have access on tcp socket labeled star (*)" - exit 1 -fi - -# checking access from socket labeled star (*) -# all access from subject star should be denied -$tcp_server 50020 label1 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50020 label1 \* 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then - echo "Socket labeled star should not have access to any tcp socket" - exit 1 -fi diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh deleted file mode 100644 index 419ab9f91..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh +++ /dev/null @@ -1,107 +0,0 @@ -#!/bin/sh -RC=0 -test_file="/tmp/smack_socket_udp" -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` - -udp_server=`which udp_server` -if [ -z $udp_server ]; then - if [ -f "/tmp/udp_server" ]; then - udp_server="/tmp/udp_server" - else - echo "udp_server binary not found" - exit 1 - fi -fi -udp_client=`which udp_client` -if [ -z $udp_client ]; then - if [ -f "/tmp/udp_client" ]; then - udp_client="/tmp/udp_client" - else - echo "udp_client binary not found" - exit 1 - fi -fi - -# make sure no access is granted -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 -----" > $SMACK_PATH/load - -# checking access for sockets with different labels -$udp_server 50021 label2 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50021 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -eq 0 ]; then - echo "Sockets with different labels should not communicate on udp" - exit 1 -fi - -# granting access between different labels -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 rw---" > $SMACK_PATH/load -# checking access for sockets with different labels, but having a rule granting rw -$udp_server 50022 label2 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50022 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with different labels, but having rw access, should communicate on udp" - exit 1 -fi - -# checking access for sockets with the same label -$udp_server 50023 label1 & -server_pid=$! -sleep 1 -$udp_client 50023 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with same labels should communicate on udp" - exit 1 -fi - -# checking access on socket labeled star (*) -# should always be permitted -$udp_server 50024 \* 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50024 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Should have access on udp socket labeled star (*)" - exit 1 -fi - -# checking access from socket labeled star (*) -# all access from subject star should be denied -$udp_server 50025 label1 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50025 \* 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -eq 0 ]; then - echo "Socket labeled star should not have access to any udp socket" - exit 1 -fi diff --git a/meta-security/lib/oeqa/runtime/securitymanager.py b/meta-security/lib/oeqa/runtime/securitymanager.py deleted file mode 100644 index ab0df5a42..000000000 --- a/meta-security/lib/oeqa/runtime/securitymanager.py +++ /dev/null @@ -1,108 +0,0 @@ -import unittest -import re -import os -import string -from oeqa.oetest import oeRuntimeTest, skipModule -from oeqa.utils.decorators import * - -def get_files_dir(): - """Get directory of supporting files""" - pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True) - deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True) - return os.path.join(deploydir, "files", "target", pkgarch) - -MAX_LABEL_LEN = 255 -LABEL = "a" * MAX_LABEL_LEN - -def setUpModule(): - if not oeRuntimeTest.hasPackage('security-manager'): - skipModule( - "security-manager module skipped: " - "target doesn't have security-manager installed") - -class SecurityManagerBasicTest(oeRuntimeTest): - ''' base smack test ''' - def setUp(self): - # TODO: avoid hardcoding path (also in SecurityManager itself) - self.security_manager_db = '/usr/dbspace/.security-manager.db' - cmd = "sqlite3 %s 'SELECT name from privilege ORDER BY privilege_id'" % self.security_manager_db - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - self.privileges = output.split() - if not self.privileges: - # Only privileges that map to a Unix group need to be known to - # SecurityManager. Therefore it is possible that the query above - # returns nothing. In that case, make up something for the tests. - self.privileges.append('FoobarPrivilege') - self.appid = 'test-app-id' - self.pkgid = 'test-pkg-id' - self.user = 'security-manager-user' - idcmd = 'id -u %s' % self.user - status, output = self.target.run(idcmd) - if status: - # -D is from busybox. It disables setting a password. - createcmd = 'adduser -D %s' % self.user - status, output = self.target.run(createcmd) - self.assertFalse(status, msg="%s failed: %s" % (createcmd, output)) - status, output = self.target.run(idcmd) - self.assertTrue(output.isdigit(), msg="Unexpected output from %s: %s" % (idcmd, output)) - self.uid = output - -class SecurityManagerApp(SecurityManagerBasicTest): - '''Tests covering app installation. Ordering is important, therefore tests are numbered.''' - - @skipUnlessPassed('test_ssh') - def test_security_manager_01_setup(self): - '''Check that basic SecurityManager setup is in place.''' - # If we get this far, then at least the sqlite db must have been in place. - # This does not mean much, but we need to start somewhere. - pass - - @skipUnlessPassed('test_security_manager_01_setup') - def test_security_manager_02_install(self): - '''Test if installing an app sets up privilege rules for it, also in Cynara.''' - self.target.copy_to(os.path.join(get_files_dir(), "app-runas"), "/tmp/") - cmd = '/tmp/app-runas -a %s -p %s -u %s -r %s -i' % \ - (self.appid, self.pkgid, self.uid, self.privileges[0]) - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \ - (self.security_manager_db, self.appid) - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - self.assertEqual(output, '|'.join((self.uid, self.appid, self.pkgid))) - cmd = 'grep -r %s /var/cynara/db/' % self.appid - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - # User::App:: prefix still hard-coded here because it is not customizable at the moment. - self.assertEqual(output, '/var/cynara/db/_MANIFESTS:User::App::%s;%s;%s;0xFFFF;' % \ - (self.appid, self.uid, self.privileges[0])) - - @skipUnlessPassed('test_security_manager_02_install') - def test_security_manager_03_run(self): - '''Test running as app. Depends on preparations in test_security_manager_install().''' - cmd = '''/tmp/app-runas -a %s -u %s -e -- sh -c 'id -u && cat /proc/self/attr/current' ''' % \ - (self.appid, self.uid) - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - self.assertEqual(output, '%s\nUser::App::%s' % (self.uid, self.appid)) - - @skipUnlessPassed('test_security_manager_02_install') - def test_security_manager_03_uninstall(self): - '''Test removal of an app.''' - cmd = '/tmp/app-runas -a %s -p %s -u %s -d' % \ - (self.appid, self.pkgid, self.uid) - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \ - (self.security_manager_db, self.appid) - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - # Entry does not really get removed. Bug filed here: - # https://github.com/Samsung/security-manager/issues/2 - # self.assertEqual(output, '') - cmd = 'grep -r %s /var/cynara/db/' % self.appid - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - # This also does not get removed. Perhaps same root cause. - # self.assertEqual(output, '') diff --git a/meta-security/lib/oeqa/runtime/smack.py b/meta-security/lib/oeqa/runtime/smack.py deleted file mode 100644 index 96af443b8..000000000 --- a/meta-security/lib/oeqa/runtime/smack.py +++ /dev/null @@ -1,589 +0,0 @@ -import unittest -import re -import os -import string -from oeqa.oetest import oeRuntimeTest, skipModule -from oeqa.utils.decorators import * - -def get_files_dir(): - """Get directory of supporting files""" - pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True) - deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True) - return os.path.join(deploydir, "files", "target", pkgarch) - -MAX_LABEL_LEN = 255 -LABEL = "a" * MAX_LABEL_LEN - -def setUpModule(): - if not oeRuntimeTest.hasFeature('smack'): - skipModule( - "smack module skipped: " - "target doesn't have smack in DISTRO_FEATURES") - -class SmackBasicTest(oeRuntimeTest): - ''' base smack test ''' - def setUp(self): - status, output = self.target.run( - "grep smack /proc/mounts | awk '{print $2}'") - self.smack_path = output - self.files_dir = os.path.join( - os.path.abspath(os.path.dirname(__file__)), 'files') - self.uid = 1000 - status,output = self.target.run("cat /proc/self/attr/current") - self.current_label = output.strip() - -class SmackAccessLabel(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_add_access_label(self): - ''' Test if chsmack can correctly set a SMACK label ''' - filename = "/tmp/test_access_label" - self.target.run("touch %s" %filename) - status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename)) - self.assertEqual( - status, 0, - "Cannot set smack access label. " - "Status and output: %d %s" %(status, output)) - status, output = self.target.run("chsmack %s" %filename) - self.target.run("rm %s" %filename) - m = re.search('(?<=access=")\S+(?=")', output) - if m is None: - self.fail("Did not find access attribute") - else: - label_retrieved = m .group(0) - self.assertEqual( - LABEL, label_retrieved, - "label not set correctly. expected and gotten: " - "%s %s" %(LABEL,label_retrieved)) - -class SmackExecLabel(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_add_exec_label(self): - '''Test if chsmack can correctly set a SMACK Exec label''' - filename = "/tmp/test_exec_label" - self.target.run("touch %s" %filename) - status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename)) - self.assertEqual( - status, 0, - "Cannot set smack exec label. " - "Status and output: %d %s" %(status, output)) - status, output = self.target.run("chsmack %s" %filename) - self.target.run("rm %s" %filename) - m= re.search('(?<=execute=")\S+(?=")', output) - if m is None: - self.fail("Did not find execute attribute") - else: - label_retrieved = m.group(0) - self.assertEqual( - LABEL, label_retrieved, - "label not set correctly. expected and gotten: " + - "%s %s" %(LABEL,label_retrieved)) - -class SmackMmapLabel(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_add_mmap_label(self): - '''Test if chsmack can correctly set a SMACK mmap label''' - filename = "/tmp/test_exec_label" - self.target.run("touch %s" %filename) - status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename)) - self.assertEqual( - status, 0, - "Cannot set smack mmap label. " - "Status and output: %d %s" %(status, output)) - status, output = self.target.run("chsmack %s" %filename) - self.target.run("rm %s" %filename) - m = re.search('(?<=mmap=")\S+(?=")', output) - if m is None: - self.fail("Did not find mmap attribute") - else: - label_retrieved = m.group(0) - self.assertEqual( - LABEL, label_retrieved, - "label not set correctly. expected and gotten: " + - "%s %s" %(LABEL,label_retrieved)) - -class SmackTransmutable(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_add_transmutable(self): - '''Test if chsmack can correctly set a SMACK transmutable mode''' - - directory = "~/test_transmutable" - self.target.run("mkdir -p %s" %directory) - status, output = self.target.run("chsmack -t %s" %directory) - self.assertEqual(status, 0, "Cannot set smack transmutable. " - "Status and output: %d %s" %(status, output)) - status, output = self.target.run("chsmack %s" %directory) - self.target.run("rmdir %s" %directory) - m = re.search('(?<=transmute=")\S+(?=")', output) - if m is None: - self.fail("Did not find transmute attribute") - else: - label_retrieved = m.group(0) - self.assertEqual( - "TRUE", label_retrieved, - "label not set correctly. expected and gotten: " + - "%s %s" %(LABEL,label_retrieved)) - -class SmackChangeSelfLabelPrivilege(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_privileged_change_self_label(self): - '''Test if privileged process (with CAP_MAC_ADMIN privilege) - can change its label. - ''' - - status, output = self.target.run("ls /tmp/notroot.py") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'notroot.py'), - "/tmp/notroot.py") - - labelf = "/proc/self/attr/current" - command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf) - - status, output = self.target.run( - "python /tmp/notroot.py 0 %s %s" %(self.current_label, command)) - - self.assertIn("PRIVILEGED", output, - "Privilege process did not change label.Output: %s" %output) - -class SmackChangeSelfLabelUnprivilege(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_unprivileged_change_self_label(self): - '''Test if unprivileged process (without CAP_MAC_ADMIN privilege) - cannot change its label''' - - status, output = self.target.run("ls /tmp/notroot.py") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'notroot.py'), - "/tmp/notroot.py") - - command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL - status, output = self.target.run( - "python /tmp/notroot.py %d %s %s" - %(self.uid, self.current_label, command) + - " 2>&1 | grep 'Operation not permitted'" ) - - self.assertEqual( - status, 0, - "Unprivileged process should not be able to change its label") - - -class SmackChangeFileLabelPrivilege(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_unprivileged_change_file_label(self): - '''Test if unprivileged process cannot change file labels''' - - status, chsmack = self.target.run("which chsmack") - status, touch = self.target.run("which touch") - filename = "/tmp/test_unprivileged_change_file_label" - - status, output = self.target.run("ls /tmp/notroot.py") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'notroot.py'), - "/tmp/notroot.py") - - self.target.run("python /tmp/notroot.py %d %s %s %s" %(self.uid, self.current_label, touch, filename)) - status, output = self.target.run( - "python /tmp/notroot.py " + - "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) + - "| grep 'Operation not permitted'" ) - - self.target.run("rm %s" %filename) - self.assertEqual( - status, 0, - "Unprivileged process changed label for %s" %filename) - -class SmackLoadRule(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_load_smack_rule(self): - '''Test if new smack access rules can be loaded''' - - # old 23 character format requires special spaces formatting - # 12345678901234567890123456789012345678901234567890123 - ruleA="TheOne TheOther rwxat" - ruleB="TheOne TheOther r----" - clean="TheOne TheOther -----" - modeA = "rwxat" - modeB = "r" - - status, output = self.target.run( - 'echo -n "%s" > %s/load' %(ruleA, self.smack_path)) - status, output = self.target.run( - 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) - self.assertEqual(status, 0, "Rule A was not added") - mode = list(filter(bool, output.split(" ")))[2].strip() - self.assertEqual( - mode, modeA, - "Mode A was not set correctly; mode: %s" %mode) - - status, output = self.target.run( - 'echo -n "%s" > %s/load' %(ruleB, self.smack_path)) - status, output = self.target.run( - 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) - mode = list(filter(bool, output.split(" ")))[2].strip() - self.assertEqual( - mode, modeB, - "Mode B was not set correctly; mode: %s" %mode) - - self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path)) - - -class SmackOnlycap(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_smack_onlycap(self): - '''Test if smack onlycap label can be set - - test needs to change the running label of the current process, - so whole test takes places on image - ''' - status, output = self.target.run("ls /tmp/test_smack_onlycap.sh") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'test_smack_onlycap.sh'), - "/tmp/test_smack_onlycap.sh") - - status, output = self.target.run("sh /tmp/test_smack_onlycap.sh") - self.assertEqual(status, 0, output) - -class SmackNetlabel(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smack_netlabel(self): - - test_label="191.191.191.191 TheOne" - expected_label="191.191.191.191/32 TheOne" - - status, output = self.target.run( - "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) - self.assertEqual( - status, 0, - "Netlabel /32 could not be set. Output: %s" %output) - - status, output = self.target.run("cat %s/netlabel" %self.smack_path) - self.assertIn( - expected_label, output, - "Did not find expected label in output: %s" %output) - - test_label="253.253.253.0/24 TheOther" - status, output = self.target.run( - "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) - self.assertEqual( - status, 0, - "Netlabel /24 could not be set. Output: %s" %output) - - status, output = self.target.run("cat %s/netlabel" %self.smack_path) - self.assertIn( - test_label, output, - "Did not find expected label in output: %s" %output) - -class SmackCipso(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smack_cipso(self): - '''Test if smack cipso rules can be set''' - # 12345678901234567890123456789012345678901234567890123456 - ruleA="TheOneA 2 0 " - ruleB="TheOneB 3 1 55 " - ruleC="TheOneC 4 2 17 33 " - - status, output = self.target.run( - "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path)) - self.assertEqual(status, 0, - "Could not set cipso label A. Ouput: %s" %output) - - status, output = self.target.run( - "cat %s/cipso | grep '^TheOneA'" %self.smack_path) - self.assertEqual(status, 0, "Cipso rule A was not set") - self.assertIn(" 2", output, "Rule A was not set correctly") - - status, output = self.target.run( - "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path)) - self.assertEqual(status, 0, - "Could not set cipso label B. Ouput: %s" %output) - - status, output = self.target.run( - "cat %s/cipso | grep '^TheOneB'" %self.smack_path) - self.assertEqual(status, 0, "Cipso rule B was not set") - self.assertIn("/55", output, "Rule B was not set correctly") - - status, output = self.target.run( - "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path)) - self.assertEqual( - status, 0, - "Could not set cipso label C. Ouput: %s" %output) - - status, output = self.target.run( - "cat %s/cipso | grep '^TheOneC'" %self.smack_path) - self.assertEqual(status, 0, "Cipso rule C was not set") - self.assertIn("/17,33", output, "Rule C was not set correctly") - -class SmackDirect(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smack_direct(self): - status, initial_direct = self.target.run( - "cat %s/direct" %self.smack_path) - - test_direct="17" - status, output = self.target.run( - "echo '%s' > %s/direct" %(test_direct, self.smack_path)) - self.assertEqual(status, 0 , - "Could not set smack direct. Output: %s" %output) - status, new_direct = self.target.run("cat %s/direct" %self.smack_path) - # initial label before checking - status, output = self.target.run( - "echo '%s' > %s/direct" %(initial_direct, self.smack_path)) - self.assertEqual( - test_direct, new_direct.strip(), - "Smack direct label does not match.") - - -class SmackAmbient(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smack_ambient(self): - test_ambient = "test_ambient" - status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path) - status, output = self.target.run( - "echo '%s' > %s/ambient" %(test_ambient, self.smack_path)) - self.assertEqual(status, 0, - "Could not set smack ambient. Output: %s" %output) - - status, output = self.target.run("cat %s/ambient" %self.smack_path) - # Filter '\x00', which is sometimes added to the ambient label - new_ambient = ''.join(filter(lambda x: x in string.printable, output)) - initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient)) - status, output = self.target.run( - "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path)) - self.assertEqual( - test_ambient, new_ambient.strip(), - "Ambient label does not match") - - -class SmackloadBinary(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smackload(self): - '''Test if smackload command works''' - rule="testobject testsubject rwx" - - status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule) - status, output = self.target.run("smackload /tmp/rules") - self.assertEqual( - status, 0, - "Smackload failed to load rule. Output: %s" %output) - - status, output = self.target.run( - "cat %s/load | grep '%s'" %(self.smack_path, rule)) - self.assertEqual(status, 0, "Smackload rule was loaded correctly") - -class SmackcipsoBinary(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_smackcipso(self): - '''Test if smackcipso command works''' - # 12345678901234567890123456789012345678901234567890123456 - rule="cipsolabel 2 2 " - - status, output = self.target.run("echo '%s' | smackcipso" %rule) - self.assertEqual( - status, 0, - "Smackcipso failed to load rule. Output: %s" %output) - - status, output = self.target.run( - "cat %s/cipso | grep 'cipsolabel'" %self.smack_path) - self.assertEqual(status, 0, "Smackload rule was loaded correctly") - self.assertIn( - "2/2", output, - "Rule was not set correctly. Got: %s" %output) - -class SmackEnforceFileAccess(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smack_enforce_file_access(self): - '''Test if smack file access is enforced (rwx) - - test needs to change the running label of the current process, - so whole test takes places on image - ''' - status, output = self.target.run("ls /tmp/smack_test_file_access.sh") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'smack_test_file_access.sh'), - "/tmp/smack_test_file_access.sh") - - status, output = self.target.run("sh /tmp/smack_test_file_access.sh") - self.assertEqual(status, 0, output) - -class SmackEnforceMmap(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_smack_mmap_enforced(self): - '''Test if smack mmap access is enforced''' - raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.") - - # 12345678901234567890123456789012345678901234567890123456 - delr1="mmap_label mmap_test_label1 -----" - delr2="mmap_label mmap_test_label2 -----" - delr3="mmap_file_label mmap_test_label1 -----" - delr4="mmap_file_label mmap_test_label2 -----" - - RuleA="mmap_label mmap_test_label1 rw---" - RuleB="mmap_label mmap_test_label2 r--at" - RuleC="mmap_file_label mmap_test_label1 rw---" - RuleD="mmap_file_label mmap_test_label2 rwxat" - - mmap_label="mmap_label" - file_label="mmap_file_label" - test_file = "/tmp/smack_test_mmap" - self.target.copy_to(os.path.join(get_files_dir(), "mmap_test"), "/tmp/") - mmap_exe = "/tmp/mmap_test" - status, echo = self.target.run("which echo") - status, output = self.target.run("ls /tmp/notroot.py") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'notroot.py'), - "/tmp/notroot.py") - status, output = self.target.run( - "python /tmp/notroot.py %d %s %s 'test' > %s" \ - %(self.uid, self.current_label, echo, test_file)) - status, output = self.target.run("ls %s" %test_file) - self.assertEqual(status, 0, "Could not create mmap test file") - self.target.run("chsmack -m %s %s" %(file_label, test_file)) - self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe)) - - # test with no rules with mmap label or exec label as subject - # access should be granted - self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path)) - status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) - self.assertEqual( - status, 0, - "Should have mmap access without rules. Output: %s" %output) - - # add rules that do not match access required - self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path)) - status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) - self.assertNotEqual( - status, 0, - "Should not have mmap access with unmatching rules. " + - "Output: %s" %output) - self.assertIn( - "Permission denied", output, - "Mmap access should be denied with unmatching rules") - - # add rule to match only partially (one way) - self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path)) - status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) - self.assertNotEqual( - status, 0, - "Should not have mmap access with partial matching rules. " + - "Output: %s" %output) - self.assertIn( - "Permission denied", output, - "Mmap access should be denied with partial matching rules") - - # add rule to match fully - self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path)) - status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) - self.assertEqual( - status, 0, - "Should have mmap access with full matching rules." + - "Output: %s" %output) - -class SmackEnforceTransmutable(SmackBasicTest): - - def test_smack_transmute_dir(self): - '''Test if smack transmute attribute works - - test needs to change the running label of the current process, - so whole test takes places on image - ''' - test_dir = "/tmp/smack_transmute_dir" - label="transmute_label" - status, initial_label = self.target.run("cat /proc/self/attr/current") - - self.target.run("mkdir -p %s" %test_dir) - self.target.run("chsmack -a %s %s" %(label, test_dir)) - self.target.run("chsmack -t %s" %test_dir) - self.target.run( - "echo -n '%s %s rwxat' | smackload" %(initial_label, label) ) - - self.target.run("touch %s/test" %test_dir) - status, output = self.target.run("chsmack %s/test" %test_dir) - self.assertIn( - 'access="%s"' %label, output, - "Did not get expected label. Output: %s" %output) - - -class SmackTcpSockets(SmackBasicTest): - def test_smack_tcp_sockets(self): - '''Test if smack is enforced on tcp sockets - - whole test takes places on image, depends on tcp_server/tcp_client''' - - self.target.copy_to(os.path.join(get_files_dir(), "tcp_client"), "/tmp/") - self.target.copy_to(os.path.join(get_files_dir(), "tcp_server"), "/tmp/") - status, output = self.target.run("ls /tmp/test_smack_tcp_sockets.sh") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'test_smack_tcp_sockets.sh'), - "/tmp/test_smack_tcp_sockets.sh") - - status, output = self.target.run("sh /tmp/test_smack_tcp_sockets.sh") - self.assertEqual(status, 0, output) - -class SmackUdpSockets(SmackBasicTest): - def test_smack_udp_sockets(self): - '''Test if smack is enforced on udp sockets - - whole test takes places on image, depends on udp_server/udp_client''' - - self.target.copy_to(os.path.join(get_files_dir(), "udp_client"), "/tmp/") - self.target.copy_to(os.path.join(get_files_dir(), "udp_server"), "/tmp/") - status, output = self.target.run("ls /tmp/test_smack_udp_sockets.sh") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'test_smack_udp_sockets.sh'), - "/tmp/test_smack_udp_sockets.sh") - - status, output = self.target.run("sh /tmp/test_smack_udp_sockets.sh") - self.assertEqual(status, 0, output) - -class SmackFileLabels(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_smack_labels(self): - '''Check for correct Smack labels.''' - expected = ''' -/tmp/ access="*" -/etc/ access="System::Shared" transmute="TRUE" -/etc/passwd access="System::Shared" -/etc/terminfo access="System::Shared" transmute="TRUE" -/etc/skel/ access="System::Shared" transmute="TRUE" -/etc/skel/.profile access="System::Shared" -/var/log/ access="System::Log" transmute="TRUE" -/var/tmp/ access="*" -''' - files = ' '.join([x.split()[0] for x in expected.split('\n') if x]) - files_wildcard = ' '.join([x + '/*' for x in files.split()]) - # Auxiliary information. - status, output = self.target.run( - 'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % ( - ' '.join([x.rstrip('/') for x in files.split()]), files, files - ) - ) - msg = "File status:\n" + output - status, output = self.target.run('chsmack %s' % files) - self.assertEqual( - status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg)) - self.longMessage = True - self.maxDiff = None - self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg) diff --git a/meta-security/recipes-test/app-runas/app-runas.bb b/meta-security/recipes-test/app-runas/app-runas.bb deleted file mode 100644 index 95725c2e7..000000000 --- a/meta-security/recipes-test/app-runas/app-runas.bb +++ /dev/null @@ -1,17 +0,0 @@ -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://app-runas.cpp;beginline=3;endline=19;md5=1ca447189bb2c54039033d50d8982d92" -SRC_URI = "file://app-runas.cpp" -DEPENDS = "security-manager" -S = "${WORKDIR}" - -do_compile () { - ${CXX} ${CXXFLAGS} ${S}/app-runas.cpp `pkg-config --cflags --libs security-manager` -o app-runas -} - -do_install () { - install -D app-runas ${D}/${bindir}/app-runas - chmod u+s ${D}/${bindir}/app-runas -} - -inherit deploy-files -DEPLOY_FILES_FROM[target] = "app-runas" diff --git a/meta-security/recipes-test/app-runas/files/app-runas.cpp b/meta-security/recipes-test/app-runas/files/app-runas.cpp deleted file mode 100644 index 58fa15504..000000000 --- a/meta-security/recipes-test/app-runas/files/app-runas.cpp +++ /dev/null @@ -1,221 +0,0 @@ -// (C) Copyright 2015 Intel Corporation -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in -// all copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -// THE SOFTWARE. - -#include <security-manager.h> - -#include <unistd.h> -#include <stdlib.h> -#include <stdio.h> -#include <errno.h> -#include <string.h> - -#include <sys/types.h> -#include <sys/wait.h> - -#include <string> -#include <vector> - -#define CHECK(x) { \ - int _ret = x; \ - if (_ret != SECURITY_MANAGER_SUCCESS) { \ - fprintf(stderr, "Failure in %s:%d: %s: %d = %s\n", __FILE__, __LINE__, #x, _ret, security_manager_strerror((lib_retcode)_ret)); \ - return EXIT_FAILURE; \ - } \ - } - -static int do_install(app_inst_req *preq) -{ - CHECK(security_manager_app_install(preq)); - return 0; -} - -static int do_uninstall(app_inst_req *preq) -{ - CHECK(security_manager_app_uninstall(preq)); - return 0; -} - -static int do_run(const char *appid, const char *uid, const char *file, char *const argv[]) -{ - if (!appid || !uid) { - fprintf(stderr, "Always need appid, uid for app startup.\n"); - return EXIT_FAILURE; - } - - pid_t child = fork(); - if (child == -1) { - perror("fork"); - return EXIT_FAILURE; - } else if (child) { - int status; - child = waitpid(child, &status, 0); - if (child == -1) { - perror("waitpid"); - return EXIT_FAILURE; - } - } else { - // We cannot change the UID before security_manager_prepare_app() - // (because then setup_smack() fails to change Smack labels of - // our fds) and we cannot change the UID after it (because then - // security_manager_drop_process_privileges() has already dropped - // the necessary CAP_SETUID. - // Instead, we need to do the steps from security_manager_prepare_app() - // ourselves. - CHECK(security_manager_set_process_label_from_appid(appid)); - CHECK(security_manager_set_process_groups_from_appid(appid)); - if (setuid(atoi(uid))) { - fprintf(stderr, "setuid(%s): %s\n", uid, strerror(errno)); - exit(EXIT_FAILURE); - } - CHECK(security_manager_drop_process_privileges()); - // CHECK(security_manager_prepare_app(appid)); - - execvp(file, argv); - fprintf(stderr, "execvp(%s): %s", argv[optind], strerror(errno)); - exit(EXIT_FAILURE); - } - return 0; -} - -int main(int argc, char **argv) -{ - int flags, opt; - int nsecs, tfnd; - const char *appid = NULL; - const char *pkgid = NULL; - const char *uid = NULL; - std::vector<const char *> privileges; - std::vector< std::pair<app_install_path_type, std::string> > paths; - int install = 0, uninstall = 0, run = 0; - - while ((opt = getopt(argc, argv, "a:p:u:r:t:ide")) != -1) { - switch (opt) { - case 'a': - appid = optarg; - break; - case 'p': - pkgid = optarg; - break; - case 'u': - uid = optarg; - break; - case 'r': - privileges.push_back(optarg); - break; - case 't': { - const char *colon = strchr(optarg, ':'); - if (!colon) { - fprintf(stderr, "-t parameter must be of the format <type>:<path>"); - return EXIT_FAILURE; - } - std::string typestr(optarg, colon - optarg); - std::string path(colon + 1); - app_install_path_type type; - if (typestr == "private") { - type = SECURITY_MANAGER_PATH_PRIVATE; - } else if (typestr == "public") { - type = SECURITY_MANAGER_PATH_PUBLIC; - } else if (typestr == "public-ro") { - type = SECURITY_MANAGER_PATH_PUBLIC_RO; - } else if (typestr == "rw") { - type = SECURITY_MANAGER_PATH_RW; - } else if (typestr == "ro") { - type = SECURITY_MANAGER_PATH_PRIVATE; - } else { - fprintf(stderr, "Invalid -t type: %s", typestr.c_str()); - return EXIT_FAILURE; - } - paths.push_back(std::make_pair(type, path)); - break; - } - case 'i': - install = 1; - break; - case 'd': - uninstall = 1; - break; - case 'e': - run = 1; - break; - default: /* '?' */ - fprintf(stderr, - "Usage: %s -i|-e|-d -a appid -u uid -p pkgid -r privilege1 ... -t private|public|public-ro|rw:<path> ... -- command args\n" - " -i = install, command ignored\n" - " -e = run command, privileges and pkgid ignored\n" - " -d = uninstall, command and privileges ignored\n" - " Install, run, and uninstall can be combined into a single invocation.\n", - argv[0]); - exit(EXIT_FAILURE); - break; - } - } - - if ((install || uninstall) && - (!appid || !pkgid || !uid)) { - fprintf(stderr, "Always need appid, pkgid, uid for app install or uninstall.\n"); - return EXIT_FAILURE; - } - if (run && optind >= argc) { - fprintf(stderr, "Expected command after options\n"); - return EXIT_FAILURE; - } - - app_inst_req *preq; - CHECK(security_manager_app_inst_req_new(&preq)); - if (appid) { - CHECK(security_manager_app_inst_req_set_app_id(preq, appid)); - } - if (pkgid) { - CHECK(security_manager_app_inst_req_set_pkg_id(preq, pkgid)); - } - if (uid) { - CHECK(security_manager_app_inst_req_set_uid(preq, atoi(uid))); - } - for (size_t i = 0; i < paths.size(); i++) { - security_manager_app_inst_req_add_path(preq, paths[i].second.c_str(), paths[i].first); - } - for (size_t i = 0; i < privileges.size(); i++) { - CHECK(security_manager_app_inst_req_add_privilege(preq, privileges[i])); - } - - int result = 0; - bool install_failed = false; - if (install) { - result = do_install(preq); - if (result) { - install_failed = true; - } - } - if (run && !install_failed) { - int run_result = do_run(appid, uid, argv[optind], argv + optind); - if (run_result) { - result = run_result; - } - } - if (uninstall && !install_failed) { - int uninstall_result = do_uninstall(preq); - if (uninstall_result) { - result = uninstall_result; - } - } - - security_manager_app_inst_req_free(preq); - return result; -} diff --git a/meta-security/recipes-test/mmap-smack-test/files/mmap.c b/meta-security/recipes-test/mmap-smack-test/files/mmap.c deleted file mode 100644 index f358d27b5..000000000 --- a/meta-security/recipes-test/mmap-smack-test/files/mmap.c +++ /dev/null @@ -1,7 +0,0 @@ -#include <stdio.h> - -int main(int argc, char **argv) -{ - printf("Original test program removed while investigating its license.\n"); - return 1; -} diff --git a/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb b/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb deleted file mode 100644 index 9d11509d0..000000000 --- a/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb +++ /dev/null @@ -1,16 +0,0 @@ -SUMMARY = "Mmap binary used to test smack mmap attribute" -DESCRIPTION = "Mmap binary used to test smack mmap attribute" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" - -SRC_URI = "file://mmap.c" - -S = "${WORKDIR}" -do_compile() { - ${CC} mmap.c ${LDFLAGS} -o mmap_test -} - -do_install() { - install -d ${D}${bindir} - install -m 0755 mmap_test ${D}${bindir} -} diff --git a/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend b/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend deleted file mode 100644 index e7d94f09f..000000000 --- a/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend +++ /dev/null @@ -1,2 +0,0 @@ -inherit deploy-files -DEPLOY_FILES_FROM[target] = "${WORKDIR}/mmap_test" diff --git a/meta-security/recipes-test/tcp-smack-test/files/tcp_client.c b/meta-security/recipes-test/tcp-smack-test/files/tcp_client.c deleted file mode 100644 index 185f97380..000000000 --- a/meta-security/recipes-test/tcp-smack-test/files/tcp_client.c +++ /dev/null @@ -1,111 +0,0 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <netinet/in.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <string.h>
-#include <sys/xattr.h>
-
-int main(int argc, char* argv[])
-{
-
- int sock;
- char message[255] = "hello";
- struct sockaddr_in server_addr;
- char* label_in;
- char* label_out;
- char* attr_out = "security.SMACK64IPOUT";
- char* attr_in = "security.SMACK64IPIN";
- char out[256];
- int port;
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- struct hostent* host = gethostbyname("localhost");
-
- if (argc != 4)
- {
- perror("Client: Arguments missing, please provide socket labels");
- return 2;
- }
-
- port = atoi(argv[1]);
- label_in = argv[2];
- label_out = argv[3];
-
- if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- {
- perror("Client: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
- {
- perror("Client: Unable to set attribute SMACK64IPOUT");
- return 2;
- }
-
- if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
- {
- perror("Client: Unable to set attribute SMACK64IPIN");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
- bzero(&(server_addr.sin_zero),8);
-
- if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Client: Set timeout failed\n");
- return 2;
- }
-
- if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
- {
- perror("Client: Connection failure");
- close(sock);
- return 1;
- }
-
-
- if(write(sock, message, strlen(message)) < 0)
- {
- perror("Client: Error sending data\n");
- close(sock);
- return 1;
- }
- close(sock);
- return 0;
-}
-
-
-
-
-
-
diff --git a/meta-security/recipes-test/tcp-smack-test/files/tcp_server.c b/meta-security/recipes-test/tcp-smack-test/files/tcp_server.c deleted file mode 100644 index 9285dc695..000000000 --- a/meta-security/recipes-test/tcp-smack-test/files/tcp_server.c +++ /dev/null @@ -1,118 +0,0 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <netinet/in.h>
-#include <unistd.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
-
- int sock;
- int clientsock;
- char message[255];
- socklen_t client_length;
- struct sockaddr_in server_addr, client_addr;
- char* label_in;
- char* attr_in = "security.SMACK64IPIN";
- int port;
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- if (argc != 3)
- {
- perror("Server: Argument missing please provide port and label for SMACK64IPIN");
- return 2;
- }
-
- port = atoi(argv[1]);
- label_in = argv[2];
- bzero(message,255);
-
-
- if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- {
- perror("Server: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
- {
- perror("Server: Unable to set attribute ipin 2");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- server_addr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(server_addr.sin_zero),8);
-
- if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Server: Set timeout failed\n");
- return 2;
- }
-
- if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
- {
- perror("Server: Bind failure ");
- return 2;
- }
-
- listen(sock, 1);
- client_length = sizeof(client_addr);
-
- clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
-
- if (clientsock < 0)
- {
- perror("Server: Connection failed");
- close(sock);
- return 1;
- }
-
-
- if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
- {
- perror(" Server: Unable to set attribute ipin 2");
- close(sock);
- return 2;
- }
-
- if(read(clientsock, message, 254) < 0)
- {
- perror("Server: Error when reading from socket");
- close(clientsock);
- close(sock);
- return 1;
- }
-
-
- close(clientsock);
- close(sock);
-
- return 0;
-}
diff --git a/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb b/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb deleted file mode 100644 index 57e7151a8..000000000 --- a/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb +++ /dev/null @@ -1,20 +0,0 @@ -SUMMARY = "Binary used to test smack tcp sockets" -DESCRIPTION = "Server and client binaries used to test smack attributes on TCP sockets" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" - -SRC_URI = "file://tcp_server.c \ - file://tcp_client.c \ -" - -S = "${WORKDIR}" -do_compile() { - ${CC} tcp_client.c ${LDFLAGS} -o tcp_client - ${CC} tcp_server.c ${LDFLAGS} -o tcp_server -} - -do_install() { - install -d ${D}${bindir} - install -m 0755 tcp_server ${D}${bindir} - install -m 0755 tcp_client ${D}${bindir} -} diff --git a/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend b/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend deleted file mode 100644 index 2755bf0e1..000000000 --- a/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend +++ /dev/null @@ -1,2 +0,0 @@ -inherit deploy-files -DEPLOY_FILES_FROM[target] = "${WORKDIR}/tcp_client ${WORKDIR}/tcp_server" diff --git a/meta-security/recipes-test/udp-smack-test/files/udp_client.c b/meta-security/recipes-test/udp-smack-test/files/udp_client.c deleted file mode 100644 index 4d3afbe6c..000000000 --- a/meta-security/recipes-test/udp-smack-test/files/udp_client.c +++ /dev/null @@ -1,75 +0,0 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <sys/socket.h>
-#include <stdio.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
- char* message = "hello";
- int sock, ret;
- struct sockaddr_in server_addr;
- struct hostent* host = gethostbyname("localhost");
- char* label;
- char* attr = "security.SMACK64IPOUT";
- int port;
- if (argc != 3)
- {
- perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
- return 2;
- }
-
- port = atoi(argv[1]);
- label = argv[2];
- sock = socket(AF_INET, SOCK_DGRAM,0);
- if(sock < 0)
- {
- perror("Client: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
- {
- perror("Client: Unable to set attribute ");
- return 2;
- }
-
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
- bzero(&(server_addr.sin_zero),8);
-
- ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
- sizeof(struct sockaddr_in));
-
- close(sock);
- if(ret < 0)
- {
- perror("Client: Error sending message\n");
- return 1;
- }
-
- return 0;
-}
-
diff --git a/meta-security/recipes-test/udp-smack-test/files/udp_server.c b/meta-security/recipes-test/udp-smack-test/files/udp_server.c deleted file mode 100644 index cbab71e65..000000000 --- a/meta-security/recipes-test/udp-smack-test/files/udp_server.c +++ /dev/null @@ -1,93 +0,0 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <sys/socket.h>
-#include <stdio.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
- int sock,ret;
- struct sockaddr_in server_addr, client_addr;
- socklen_t len;
- char message[5];
- char* label;
- char* attr = "security.SMACK64IPIN";
- int port;
-
- if(argc != 3)
- {
- perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
- return 2;
- }
-
- port = atoi(argv[1]);
- label = argv[2];
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- sock = socket(AF_INET,SOCK_DGRAM,0);
- if(sock < 0)
- {
- perror("Server: Socket error");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
- {
- perror("Server: Unable to set attribute ");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- server_addr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(server_addr.sin_zero),8);
-
-
- if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Server: Set timeout failed\n");
- return 2;
- }
-
- if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
- {
- perror("Server: Bind failure");
- return 2;
- }
-
- len = sizeof(client_addr);
- ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
- &len);
- close(sock);
- if(ret < 0)
- {
- perror("Server: Error receiving");
- return 1;
-
- }
- return 0;
-}
-
diff --git a/meta-security/recipes-test/udp-smack-test/udp-smack-test.bb b/meta-security/recipes-test/udp-smack-test/udp-smack-test.bb deleted file mode 100644 index 478e3688d..000000000 --- a/meta-security/recipes-test/udp-smack-test/udp-smack-test.bb +++ /dev/null @@ -1,20 +0,0 @@ -SUMMARY = "Binary used to test smack udp sockets" -DESCRIPTION = "Server and client binaries used to test smack attributes on UDP sockets" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" - -SRC_URI = "file://udp_server.c \ - file://udp_client.c \ -" - -S = "${WORKDIR}" -do_compile() { - ${CC} udp_client.c ${LDFLAGS} -o udp_client - ${CC} udp_server.c ${LDFLAGS} -o udp_server -} - -do_install() { - install -d ${D}${bindir} - install -m 0755 udp_server ${D}${bindir} - install -m 0755 udp_client ${D}${bindir} -} diff --git a/meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend b/meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend deleted file mode 100644 index bf79ba4d4..000000000 --- a/meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend +++ /dev/null @@ -1,2 +0,0 @@ -inherit deploy-files -DEPLOY_FILES_FROM[target] = "${WORKDIR}/udp_client ${WORKDIR}/udp_server" |