aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-security/classes/deploy-files.bbclass68
-rw-r--r--meta-security/classes/xattr-images.bbclass137
-rw-r--r--meta-security/lib/oeqa/runtime/__init__.py0
-rw-r--r--meta-security/lib/oeqa/runtime/files/notroot.py33
-rw-r--r--meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh54
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh18
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh27
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh108
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh107
-rw-r--r--meta-security/lib/oeqa/runtime/securitymanager.py108
-rw-r--r--meta-security/lib/oeqa/runtime/smack.py589
-rw-r--r--meta-security/recipes-test/app-runas/app-runas.bb17
-rw-r--r--meta-security/recipes-test/app-runas/files/app-runas.cpp221
-rw-r--r--meta-security/recipes-test/mmap-smack-test/files/mmap.c7
-rw-r--r--meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb16
-rw-r--r--meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend2
-rw-r--r--meta-security/recipes-test/tcp-smack-test/files/tcp_client.c111
-rw-r--r--meta-security/recipes-test/tcp-smack-test/files/tcp_server.c118
-rw-r--r--meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb20
-rw-r--r--meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend2
-rw-r--r--meta-security/recipes-test/udp-smack-test/files/udp_client.c75
-rw-r--r--meta-security/recipes-test/udp-smack-test/files/udp_server.c93
-rw-r--r--meta-security/recipes-test/udp-smack-test/udp-smack-test.bb20
-rw-r--r--meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend2
24 files changed, 0 insertions, 1953 deletions
diff --git a/meta-security/classes/deploy-files.bbclass b/meta-security/classes/deploy-files.bbclass
deleted file mode 100644
index ec19323a3..000000000
--- a/meta-security/classes/deploy-files.bbclass
+++ /dev/null
@@ -1,68 +0,0 @@
-DEPLOY_FILES_DIR = "${WORKDIR}/deploy-files-${PN}"
-SSTATETASKS += "do_deploy_files"
-do_deploy_files[sstate-inputdirs] = "${DEPLOY_FILES_DIR}"
-do_deploy_files[sstate-outputdirs] = "${DEPLOY_DIR}/files/"
-
-python do_deploy_files_setscene () {
- sstate_setscene(d)
-}
-addtask do_deploy_files_setscene
-do_deploy_files[dirs] = "${DEPLOY_FILES_DIR} ${B}"
-
-# Use like this:
-# DEPLOY_FILES = "abc xyz"
-# DEPLOY_FILES_FROM[abc] = "file-ab dir-c"
-# DEPLOY_FILES_TO[abc] = "directory-for-abc"
-# DEPLOY_FILES_FROM[xyz] = "file-xyz"
-# DEPLOY_FILES_TO[xyz] = "directory-for-xyz"
-#
-# The destination directory will be created inside
-# ${DEPLOYDIR}. The source files and directories
-# will be copied such that their name and (for
-# directories) the directory tree below it will
-# be preserved. Shell wildcards are supported.
-#
-# The default DEPLOY_FILES copies files for the native host
-# and the target into two different directories. Use that as follows:
-# DEPLOY_FILES_FROM_native = "native-file"
-# DEPLOY_FILES_FROM_target = "target-file"
-
-DEPLOY_FILES ?= "native target"
-DEPLOY_FILES_FROM[native] ?= ""
-DEPLOY_FILES_TO[native] = "native/${BUILD_ARCH}"
-DEPLOY_FILES_FROM[target] ?= ""
-DEPLOY_FILES_TO[target] = "target/${MACHINE}"
-
-# We have to use a Python function to access variable flags. Because
-# bitbake then does not know about the dependency on these variables,
-# we need to explicitly declare that. DEPLOYDIR may change without
-# invalidating the sstate, therefore it is not listed.
-do_deploy_files[vardeps] = "DEPLOY_FILES DEPLOY_FILES_FROM DEPLOY_FILES_TO"
-python do_deploy_files () {
- import glob
- import os
- import shutil
-
- for file in (d.getVar('DEPLOY_FILES', True) or '').split():
- bb.note('file: %s' % file)
- from_pattern = d.getVarFlag('DEPLOY_FILES_FROM', file, True)
- bb.note('from: %s' % from_pattern)
- if from_pattern:
- to = os.path.join(d.getVar('DEPLOY_FILES_DIR', True), d.getVarFlag('DEPLOY_FILES_TO', file, True))
- bb.note('to: %s' % to)
- if not os.path.isdir(to):
- os.makedirs(to)
- for from_path in from_pattern.split():
- for src in (glob.glob(from_path) or [from_path]):
- bb.note('Deploying %s to %s' % (src, to))
- if os.path.isdir(src):
- src_dirname = shutil._basename(src)
- to = os.path.join(to, src_dirname)
- if os.path.exists(to):
- bb.utils.remove(to, True)
- shutil.copytree(src, to)
- else:
- shutil.copy(src, to)
-}
-
-addtask deploy_files before do_build after do_compile
diff --git a/meta-security/classes/xattr-images.bbclass b/meta-security/classes/xattr-images.bbclass
deleted file mode 100644
index 565a3fb6e..000000000
--- a/meta-security/classes/xattr-images.bbclass
+++ /dev/null
@@ -1,137 +0,0 @@
-# Both Smack and IMA/EVM rely on xattrs. Inheriting this class ensures
-# that these xattrs get preserved in tar and jffs2 images.
-#
-# It also fixes the rootfs so that the content of directories with
-# SMACK::TRANSMUTE is correctly labelled. This is because pseudo does
-# not know the special semantic of SMACK::TRANSMUTE and omits the
-# updating of the Smack label when creating entries inside such a directory,
-# for example /etc (see base-files_%.bbappend). Without the fixup,
-# files already installed during the image creation would have different (and
-# wrong) Smack labels.
-
-# xattr support is expected to be compiled into mtd-utils. We just need to
-# use it.
-EXTRA_IMAGECMD_jffs2_append = " --with-xattr"
-
-# By default, OE-core uses tar from the host, which may or may not have the
-# --xattrs parameter which was introduced in 1.27. For image building we
-# use a recent enough tar instead.
-#
-# The GNU documentation does not specify whether --xattrs-include is necessary.
-# In practice, it turned out to be not needed when creating archives and
-# required when extracting, but it seems prudent to use it in both cases.
-IMAGE_DEPENDS_tar_append = " tar-replacement-native"
-EXTRANATIVEPATH += "tar-native"
-IMAGE_CMD_TAR = "tar --xattrs --xattrs-include=*"
-
-xattr_images_fix_transmute[dirs] = "${IMAGE_ROOTFS}"
-python xattr_images_fix_transmute () {
- # The recursive updating of the Smack label ensures that each entry
- # has the label set for its parent directories if one of those was
- # marked as transmuting.
- #
- # In addition, "_" is set explicitly on everything that would not
- # have a label otherwise. This is a workaround for tools like swupd
- # which transfers files from a rootfs onto a target device where Smack
- # is active: on the target, each file gets assigned a label, typically
- # the one from the process which creates it. swupd (or rather, the tools
- # it is currently built on) knows how to set security.SMACK64="_" when
- # it is set on the original files, but it does not know that it needs
- # to remove that xattr when not set.
- import os
- import errno
-
- if getattr(os, 'getxattr', None):
- # Python 3: os has xattr support.
- def lgetxattr(f, attr):
- try:
- value = os.getxattr(f, attr, follow_symlinks=False)
- return value.decode('utf8')
- except OSError as ex:
- if ex.errno == errno.ENODATA:
- return None
-
- def lsetxattr(f, attr, value):
- os.setxattr(f, attr.encode('utf8'), value.encode('utf8'), follow_symlinks=False)
- else:
- # Python 2: xattr support only in xattr module.
- #
- # Cannot use the 'xattr' module, it is not part of a standard Python
- # installation. Instead re-implement using ctypes. Only has to be good
- # enough for xattrs that are strings. Always operates on the symlinks themselves,
- # not what they point to.
- import ctypes
-
- # We cannot look up the xattr functions inside libc. That bypasses
- # pseudo, which overrides these functions via LD_PRELOAD. Instead we have to
- # find the function address and then create a ctypes function from it.
- libdl = ctypes.CDLL("libdl.so.2")
- _dlsym = libdl.dlsym
- _dlsym.restype = ctypes.c_void_p
- RTLD_DEFAULT = ctypes.c_void_p(0)
- _lgetxattr = ctypes.CFUNCTYPE(ctypes.c_ssize_t, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p, ctypes.c_size_t,
- use_errno=True)(_dlsym(RTLD_DEFAULT, 'lgetxattr'))
- _lsetxattr = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
- use_errno=True)(_dlsym(RTLD_DEFAULT, 'lsetxattr'))
-
- def lgetxattr(f, attr):
- len = 32
- while True:
- buffer = ctypes.create_string_buffer('\000' * len)
- res = _lgetxattr(f, attr, buffer, ctypes.c_size_t(len))
- if res >= 0:
- return buffer.value
- else:
- error = ctypes.get_errno()
- if ctypes.get_errno() == errno.ERANGE:
- len *= 2
- elif error == errno.ENODATA:
- return None
- else:
- raise IOError(error, 'lgetxattr(%s, %s): %d = %s = %s' %
- (f, attr, error, errno.errorcode[error], os.strerror(error)))
-
- def lsetxattr(f, attr, value):
- res = _lsetxattr(f, attr, value, ctypes.c_size_t(len(value)), ctypes.c_int(0))
- if res != 0:
- error = ctypes.get_errno()
- raise IOError(error, 'lsetxattr(%s, %s, %s): %d = %s = %s' %
- (f, attr, value, error, errno.errorcode[error], os.strerror(error)))
-
- def visit(path, deflabel, deftransmute):
- isrealdir = os.path.isdir(path) and not os.path.islink(path)
- curlabel = lgetxattr(path, 'security.SMACK64')
- transmute = lgetxattr(path, 'security.SMACK64TRANSMUTE') == 'TRUE'
-
- if not curlabel:
- # Since swupd doesn't remove the label from an updated file assigned by
- # the target device's kernel upon unpacking the file from an update,
- # we have to set the floor label explicitly even though it is the default label
- # and thus adding it would create additional overhead. Otherwise this
- # would result in hash mismatches reported by `swupd verify`.
- lsetxattr(path, 'security.SMACK64', deflabel)
- if not transmute and deftransmute and isrealdir:
- lsetxattr(path, 'security.SMACK64TRANSMUTE', 'TRUE')
-
- # Identify transmuting directories and change the default Smack
- # label inside them. In addition, directories themselves must become
- # transmuting.
- if isrealdir:
- if transmute:
- deflabel = lgetxattr(path, 'security.SMACK64')
- deftransmute = True
- if deflabel is None:
- raise RuntimeError('%s: transmuting directory without Smack label' % path)
- elif curlabel:
- # Directory with explicit label set and not transmuting => do not
- # change the content unless we run into another transmuting directory.
- deflabel = '_'
- deftransmute = False
-
- for entry in os.listdir(path):
- visit(os.path.join(path, entry), deflabel, deftransmute)
-
- visit('.', '_', False)
-}
-# Same logic as in ima-evm-rootfs.bbclass: try to run as late as possible.
-IMAGE_PREPROCESS_COMMAND_append_with-lsm-smack = " xattr_images_fix_transmute ; "
diff --git a/meta-security/lib/oeqa/runtime/__init__.py b/meta-security/lib/oeqa/runtime/__init__.py
deleted file mode 100644
index e69de29bb..000000000
--- a/meta-security/lib/oeqa/runtime/__init__.py
+++ /dev/null
diff --git a/meta-security/lib/oeqa/runtime/files/notroot.py b/meta-security/lib/oeqa/runtime/files/notroot.py
deleted file mode 100644
index f0eb0b5b9..000000000
--- a/meta-security/lib/oeqa/runtime/files/notroot.py
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env python
-#
-# Script used for running executables with custom labels, as well as custom uid/gid
-# Process label is changed by writing to /proc/self/attr/curent
-#
-# Script expects user id and group id to exist, and be the same.
-#
-# From adduser manual:
-# """By default, each user in Debian GNU/Linux is given a corresponding group
-# with the same name. """
-#
-# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
-# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
-#
-# Author: Alexandru Cornea <alexandru.cornea@intel.com>
-import os
-import sys
-
-try:
- uid = int(sys.argv[1])
- sys.argv.pop(1)
- label = sys.argv[1]
- sys.argv.pop(1)
- open("/proc/self/attr/current", "w").write(label)
- path=sys.argv[1]
- sys.argv.pop(0)
- os.setgid(uid)
- os.setuid(uid)
- os.execv(path,sys.argv)
-
-except Exception,e:
- print e.message
- sys.exit(1)
diff --git a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh
deleted file mode 100644
index 5a0ce84f2..000000000
--- a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/bin/sh
-
-SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
-RC=0
-TMP="/tmp"
-test_file=$TMP/smack_test_access_file
-CAT=`which cat`
-ECHO=`which echo`
-uid=1000
-initial_label=`cat /proc/self/attr/current`
-python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
-chsmack -a "TheOther" $test_file
-
-# 12345678901234567890123456789012345678901234567890123456
-delrule="TheOne TheOther -----"
-rule_ro="TheOne TheOther r----"
-
-# Remove pre-existent rules for "TheOne TheOther <access>"
-echo -n "$delrule" > $SMACK_PATH/load
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
-if [ $RC -ne 0 ]; then
- echo "Process with different label than the test file and no read access on it can read it"
- exit $RC
-fi
-
-# adding read access
-echo -n "$rule_ro" > $SMACK_PATH/load
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
-if [ $RC -ne 0 ]; then
- echo "Process with different label than the test file but with read access on it cannot read it"
- exit $RC
-fi
-
-# Remove pre-existent rules for "TheOne TheOther <access>"
-echo -n "$delrule" > $SMACK_PATH/load
-# changing label of test file to *
-# according to SMACK documentation, read access on a * object is always permitted
-chsmack -a '*' $test_file
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
-if [ $RC -ne 0 ]; then
- echo "Process cannot read file with * label"
- exit $RC
-fi
-
-# changing subject label to *
-# according to SMACK documentation, every access requested by a star labeled subject is rejected
-TOUCH=`which touch`
-python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
-ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
-if [ $RC -ne 0 ];then
- echo "Process with label '*' should not have any access"
- exit $RC
-fi
-exit 0
diff --git a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh
deleted file mode 100644
index 26d9e9d22..000000000
--- a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-initial_label=`cat /proc/self/attr/current 2>/dev/null`
-modified_label="test_label"
-
-echo "$modified_label" >/proc/self/attr/current 2>/dev/null
-
-new_label=`cat /proc/self/attr/current 2>/dev/null`
-
-if [ "$new_label" != "$modified_label" ]; then
- # restore proper label
- echo $initial_label >/proc/self/attr/current
- echo "Privileged process could not change its label"
- exit 1
-fi
-
-echo "$initial_label" >/proc/self/attr/current 2>/dev/null
-exit 0 \ No newline at end of file
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh
deleted file mode 100644
index 1c4a93ab6..000000000
--- a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-RC=0
-SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
-test_label="test_label"
-onlycap_initial=`cat $SMACK_PATH/onlycap`
-smack_initial=`cat /proc/self/attr/current`
-
-# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
-# even if we are root
-echo "$test_label" > /proc/self/attr/current
-
-echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
-if [ $RC -ne 0 ]; then
- echo "Onlycap label could not be set"
- return $RC
-fi
-
-if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
- echo "Onlycap label was not set correctly."
- return 1
-fi
-
-# resetting original onlycap label
-echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
-
-# resetting our initial's process label
-echo "$smack_initial" > /proc/self/attr/current
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh
deleted file mode 100644
index ed18f2371..000000000
--- a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/bin/sh
-RC=0
-test_file=/tmp/smack_socket_tcp
-SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
-# make sure no access is granted
-# 12345678901234567890123456789012345678901234567890123456
-echo -n "label1 label2 -----" > $SMACK_PATH/load
-
-tcp_server=`which tcp_server`
-if [ -z $tcp_server ]; then
- if [ -f "/tmp/tcp_server" ]; then
- tcp_server="/tmp/tcp_server"
- else
- echo "tcp_server binary not found"
- exit 1
- fi
-fi
-tcp_client=`which tcp_client`
-if [ -z $tcp_client ]; then
- if [ -f "/tmp/tcp_client" ]; then
- tcp_client="/tmp/tcp_client"
- else
- echo "tcp_client binary not found"
- exit 1
- fi
-fi
-
-# checking access for sockets with different labels
-$tcp_server 50016 label1 &>/dev/null &
-server_pid=$!
-sleep 2
-$tcp_client 50016 label2 label1 &>/dev/null &
-client_pid=$!
-
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-
-if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
- echo "Sockets with different labels should not communicate on tcp"
- exit 1
-fi
-
-# granting access between different labels
-# 12345678901234567890123456789012345678901234567890123456
-echo -n "label1 label2 rw---" > $SMACK_PATH/load
-# checking access for sockets with different labels, but having a rule granting rw
-$tcp_server 50017 label1 2>$test_file &
-server_pid=$!
-sleep 1
-$tcp_client 50017 label2 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Sockets with different labels, but having rw access, should communicate on tcp"
- exit 1
-fi
-
-# checking access for sockets with the same label
-$tcp_server 50018 label1 2>$test_file &
-server_pid=$!
-sleep 1
-$tcp_client 50018 label1 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Sockets with same labels should communicate on tcp"
- exit 1
-fi
-
-# checking access on socket labeled star (*)
-# should always be permitted
-$tcp_server 50019 \* 2>$test_file &
-server_pid=$!
-sleep 1
-$tcp_client 50019 label1 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Should have access on tcp socket labeled star (*)"
- exit 1
-fi
-
-# checking access from socket labeled star (*)
-# all access from subject star should be denied
-$tcp_server 50020 label1 2>$test_file &
-server_pid=$!
-sleep 1
-$tcp_client 50020 label1 \* 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
- echo "Socket labeled star should not have access to any tcp socket"
- exit 1
-fi
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh
deleted file mode 100644
index 419ab9f91..000000000
--- a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/bin/sh
-RC=0
-test_file="/tmp/smack_socket_udp"
-SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
-
-udp_server=`which udp_server`
-if [ -z $udp_server ]; then
- if [ -f "/tmp/udp_server" ]; then
- udp_server="/tmp/udp_server"
- else
- echo "udp_server binary not found"
- exit 1
- fi
-fi
-udp_client=`which udp_client`
-if [ -z $udp_client ]; then
- if [ -f "/tmp/udp_client" ]; then
- udp_client="/tmp/udp_client"
- else
- echo "udp_client binary not found"
- exit 1
- fi
-fi
-
-# make sure no access is granted
-# 12345678901234567890123456789012345678901234567890123456
-echo -n "label1 label2 -----" > $SMACK_PATH/load
-
-# checking access for sockets with different labels
-$udp_server 50021 label2 2>$test_file &
-server_pid=$!
-sleep 1
-$udp_client 50021 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -eq 0 ]; then
- echo "Sockets with different labels should not communicate on udp"
- exit 1
-fi
-
-# granting access between different labels
-# 12345678901234567890123456789012345678901234567890123456
-echo -n "label1 label2 rw---" > $SMACK_PATH/load
-# checking access for sockets with different labels, but having a rule granting rw
-$udp_server 50022 label2 2>$test_file &
-server_pid=$!
-sleep 1
-$udp_client 50022 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Sockets with different labels, but having rw access, should communicate on udp"
- exit 1
-fi
-
-# checking access for sockets with the same label
-$udp_server 50023 label1 &
-server_pid=$!
-sleep 1
-$udp_client 50023 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Sockets with same labels should communicate on udp"
- exit 1
-fi
-
-# checking access on socket labeled star (*)
-# should always be permitted
-$udp_server 50024 \* 2>$test_file &
-server_pid=$!
-sleep 1
-$udp_client 50024 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Should have access on udp socket labeled star (*)"
- exit 1
-fi
-
-# checking access from socket labeled star (*)
-# all access from subject star should be denied
-$udp_server 50025 label1 2>$test_file &
-server_pid=$!
-sleep 1
-$udp_client 50025 \* 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -eq 0 ]; then
- echo "Socket labeled star should not have access to any udp socket"
- exit 1
-fi
diff --git a/meta-security/lib/oeqa/runtime/securitymanager.py b/meta-security/lib/oeqa/runtime/securitymanager.py
deleted file mode 100644
index ab0df5a42..000000000
--- a/meta-security/lib/oeqa/runtime/securitymanager.py
+++ /dev/null
@@ -1,108 +0,0 @@
-import unittest
-import re
-import os
-import string
-from oeqa.oetest import oeRuntimeTest, skipModule
-from oeqa.utils.decorators import *
-
-def get_files_dir():
- """Get directory of supporting files"""
- pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True)
- deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True)
- return os.path.join(deploydir, "files", "target", pkgarch)
-
-MAX_LABEL_LEN = 255
-LABEL = "a" * MAX_LABEL_LEN
-
-def setUpModule():
- if not oeRuntimeTest.hasPackage('security-manager'):
- skipModule(
- "security-manager module skipped: "
- "target doesn't have security-manager installed")
-
-class SecurityManagerBasicTest(oeRuntimeTest):
- ''' base smack test '''
- def setUp(self):
- # TODO: avoid hardcoding path (also in SecurityManager itself)
- self.security_manager_db = '/usr/dbspace/.security-manager.db'
- cmd = "sqlite3 %s 'SELECT name from privilege ORDER BY privilege_id'" % self.security_manager_db
- status, output = self.target.run(cmd)
- self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
- self.privileges = output.split()
- if not self.privileges:
- # Only privileges that map to a Unix group need to be known to
- # SecurityManager. Therefore it is possible that the query above
- # returns nothing. In that case, make up something for the tests.
- self.privileges.append('FoobarPrivilege')
- self.appid = 'test-app-id'
- self.pkgid = 'test-pkg-id'
- self.user = 'security-manager-user'
- idcmd = 'id -u %s' % self.user
- status, output = self.target.run(idcmd)
- if status:
- # -D is from busybox. It disables setting a password.
- createcmd = 'adduser -D %s' % self.user
- status, output = self.target.run(createcmd)
- self.assertFalse(status, msg="%s failed: %s" % (createcmd, output))
- status, output = self.target.run(idcmd)
- self.assertTrue(output.isdigit(), msg="Unexpected output from %s: %s" % (idcmd, output))
- self.uid = output
-
-class SecurityManagerApp(SecurityManagerBasicTest):
- '''Tests covering app installation. Ordering is important, therefore tests are numbered.'''
-
- @skipUnlessPassed('test_ssh')
- def test_security_manager_01_setup(self):
- '''Check that basic SecurityManager setup is in place.'''
- # If we get this far, then at least the sqlite db must have been in place.
- # This does not mean much, but we need to start somewhere.
- pass
-
- @skipUnlessPassed('test_security_manager_01_setup')
- def test_security_manager_02_install(self):
- '''Test if installing an app sets up privilege rules for it, also in Cynara.'''
- self.target.copy_to(os.path.join(get_files_dir(), "app-runas"), "/tmp/")
- cmd = '/tmp/app-runas -a %s -p %s -u %s -r %s -i' % \
- (self.appid, self.pkgid, self.uid, self.privileges[0])
- status, output = self.target.run(cmd)
- self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
- cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \
- (self.security_manager_db, self.appid)
- status, output = self.target.run(cmd)
- self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
- self.assertEqual(output, '|'.join((self.uid, self.appid, self.pkgid)))
- cmd = 'grep -r %s /var/cynara/db/' % self.appid
- status, output = self.target.run(cmd)
- self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
- # User::App:: prefix still hard-coded here because it is not customizable at the moment.
- self.assertEqual(output, '/var/cynara/db/_MANIFESTS:User::App::%s;%s;%s;0xFFFF;' % \
- (self.appid, self.uid, self.privileges[0]))
-
- @skipUnlessPassed('test_security_manager_02_install')
- def test_security_manager_03_run(self):
- '''Test running as app. Depends on preparations in test_security_manager_install().'''
- cmd = '''/tmp/app-runas -a %s -u %s -e -- sh -c 'id -u && cat /proc/self/attr/current' ''' % \
- (self.appid, self.uid)
- status, output = self.target.run(cmd)
- self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
- self.assertEqual(output, '%s\nUser::App::%s' % (self.uid, self.appid))
-
- @skipUnlessPassed('test_security_manager_02_install')
- def test_security_manager_03_uninstall(self):
- '''Test removal of an app.'''
- cmd = '/tmp/app-runas -a %s -p %s -u %s -d' % \
- (self.appid, self.pkgid, self.uid)
- status, output = self.target.run(cmd)
- self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
- cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \
- (self.security_manager_db, self.appid)
- status, output = self.target.run(cmd)
- self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
- # Entry does not really get removed. Bug filed here:
- # https://github.com/Samsung/security-manager/issues/2
- # self.assertEqual(output, '')
- cmd = 'grep -r %s /var/cynara/db/' % self.appid
- status, output = self.target.run(cmd)
- self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
- # This also does not get removed. Perhaps same root cause.
- # self.assertEqual(output, '')
diff --git a/meta-security/lib/oeqa/runtime/smack.py b/meta-security/lib/oeqa/runtime/smack.py
deleted file mode 100644
index 96af443b8..000000000
--- a/meta-security/lib/oeqa/runtime/smack.py
+++ /dev/null
@@ -1,589 +0,0 @@
-import unittest
-import re
-import os
-import string
-from oeqa.oetest import oeRuntimeTest, skipModule
-from oeqa.utils.decorators import *
-
-def get_files_dir():
- """Get directory of supporting files"""
- pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True)
- deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True)
- return os.path.join(deploydir, "files", "target", pkgarch)
-
-MAX_LABEL_LEN = 255
-LABEL = "a" * MAX_LABEL_LEN
-
-def setUpModule():
- if not oeRuntimeTest.hasFeature('smack'):
- skipModule(
- "smack module skipped: "
- "target doesn't have smack in DISTRO_FEATURES")
-
-class SmackBasicTest(oeRuntimeTest):
- ''' base smack test '''
- def setUp(self):
- status, output = self.target.run(
- "grep smack /proc/mounts | awk '{print $2}'")
- self.smack_path = output
- self.files_dir = os.path.join(
- os.path.abspath(os.path.dirname(__file__)), 'files')
- self.uid = 1000
- status,output = self.target.run("cat /proc/self/attr/current")
- self.current_label = output.strip()
-
-class SmackAccessLabel(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_add_access_label(self):
- ''' Test if chsmack can correctly set a SMACK label '''
- filename = "/tmp/test_access_label"
- self.target.run("touch %s" %filename)
- status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename))
- self.assertEqual(
- status, 0,
- "Cannot set smack access label. "
- "Status and output: %d %s" %(status, output))
- status, output = self.target.run("chsmack %s" %filename)
- self.target.run("rm %s" %filename)
- m = re.search('(?<=access=")\S+(?=")', output)
- if m is None:
- self.fail("Did not find access attribute")
- else:
- label_retrieved = m .group(0)
- self.assertEqual(
- LABEL, label_retrieved,
- "label not set correctly. expected and gotten: "
- "%s %s" %(LABEL,label_retrieved))
-
-class SmackExecLabel(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_add_exec_label(self):
- '''Test if chsmack can correctly set a SMACK Exec label'''
- filename = "/tmp/test_exec_label"
- self.target.run("touch %s" %filename)
- status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename))
- self.assertEqual(
- status, 0,
- "Cannot set smack exec label. "
- "Status and output: %d %s" %(status, output))
- status, output = self.target.run("chsmack %s" %filename)
- self.target.run("rm %s" %filename)
- m= re.search('(?<=execute=")\S+(?=")', output)
- if m is None:
- self.fail("Did not find execute attribute")
- else:
- label_retrieved = m.group(0)
- self.assertEqual(
- LABEL, label_retrieved,
- "label not set correctly. expected and gotten: " +
- "%s %s" %(LABEL,label_retrieved))
-
-class SmackMmapLabel(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_add_mmap_label(self):
- '''Test if chsmack can correctly set a SMACK mmap label'''
- filename = "/tmp/test_exec_label"
- self.target.run("touch %s" %filename)
- status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename))
- self.assertEqual(
- status, 0,
- "Cannot set smack mmap label. "
- "Status and output: %d %s" %(status, output))
- status, output = self.target.run("chsmack %s" %filename)
- self.target.run("rm %s" %filename)
- m = re.search('(?<=mmap=")\S+(?=")', output)
- if m is None:
- self.fail("Did not find mmap attribute")
- else:
- label_retrieved = m.group(0)
- self.assertEqual(
- LABEL, label_retrieved,
- "label not set correctly. expected and gotten: " +
- "%s %s" %(LABEL,label_retrieved))
-
-class SmackTransmutable(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_add_transmutable(self):
- '''Test if chsmack can correctly set a SMACK transmutable mode'''
-
- directory = "~/test_transmutable"
- self.target.run("mkdir -p %s" %directory)
- status, output = self.target.run("chsmack -t %s" %directory)
- self.assertEqual(status, 0, "Cannot set smack transmutable. "
- "Status and output: %d %s" %(status, output))
- status, output = self.target.run("chsmack %s" %directory)
- self.target.run("rmdir %s" %directory)
- m = re.search('(?<=transmute=")\S+(?=")', output)
- if m is None:
- self.fail("Did not find transmute attribute")
- else:
- label_retrieved = m.group(0)
- self.assertEqual(
- "TRUE", label_retrieved,
- "label not set correctly. expected and gotten: " +
- "%s %s" %(LABEL,label_retrieved))
-
-class SmackChangeSelfLabelPrivilege(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_privileged_change_self_label(self):
- '''Test if privileged process (with CAP_MAC_ADMIN privilege)
- can change its label.
- '''
-
- status, output = self.target.run("ls /tmp/notroot.py")
- if status != 0:
- self.target.copy_to(
- os.path.join(self.files_dir, 'notroot.py'),
- "/tmp/notroot.py")
-
- labelf = "/proc/self/attr/current"
- command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
-
- status, output = self.target.run(
- "python /tmp/notroot.py 0 %s %s" %(self.current_label, command))
-
- self.assertIn("PRIVILEGED", output,
- "Privilege process did not change label.Output: %s" %output)
-
-class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_unprivileged_change_self_label(self):
- '''Test if unprivileged process (without CAP_MAC_ADMIN privilege)
- cannot change its label'''
-
- status, output = self.target.run("ls /tmp/notroot.py")
- if status != 0:
- self.target.copy_to(
- os.path.join(self.files_dir, 'notroot.py'),
- "/tmp/notroot.py")
-
- command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
- status, output = self.target.run(
- "python /tmp/notroot.py %d %s %s"
- %(self.uid, self.current_label, command) +
- " 2>&1 | grep 'Operation not permitted'" )
-
- self.assertEqual(
- status, 0,
- "Unprivileged process should not be able to change its label")
-
-
-class SmackChangeFileLabelPrivilege(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_unprivileged_change_file_label(self):
- '''Test if unprivileged process cannot change file labels'''
-
- status, chsmack = self.target.run("which chsmack")
- status, touch = self.target.run("which touch")
- filename = "/tmp/test_unprivileged_change_file_label"
-
- status, output = self.target.run("ls /tmp/notroot.py")
- if status != 0:
- self.target.copy_to(
- os.path.join(self.files_dir, 'notroot.py'),
- "/tmp/notroot.py")
-
- self.target.run("python /tmp/notroot.py %d %s %s %s" %(self.uid, self.current_label, touch, filename))
- status, output = self.target.run(
- "python /tmp/notroot.py " +
- "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
- "| grep 'Operation not permitted'" )
-
- self.target.run("rm %s" %filename)
- self.assertEqual(
- status, 0,
- "Unprivileged process changed label for %s" %filename)
-
-class SmackLoadRule(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_load_smack_rule(self):
- '''Test if new smack access rules can be loaded'''
-
- # old 23 character format requires special spaces formatting
- # 12345678901234567890123456789012345678901234567890123
- ruleA="TheOne TheOther rwxat"
- ruleB="TheOne TheOther r----"
- clean="TheOne TheOther -----"
- modeA = "rwxat"
- modeB = "r"
-
- status, output = self.target.run(
- 'echo -n "%s" > %s/load' %(ruleA, self.smack_path))
- status, output = self.target.run(
- 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
- self.assertEqual(status, 0, "Rule A was not added")
- mode = list(filter(bool, output.split(" ")))[2].strip()
- self.assertEqual(
- mode, modeA,
- "Mode A was not set correctly; mode: %s" %mode)
-
- status, output = self.target.run(
- 'echo -n "%s" > %s/load' %(ruleB, self.smack_path))
- status, output = self.target.run(
- 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
- mode = list(filter(bool, output.split(" ")))[2].strip()
- self.assertEqual(
- mode, modeB,
- "Mode B was not set correctly; mode: %s" %mode)
-
- self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path))
-
-
-class SmackOnlycap(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_smack_onlycap(self):
- '''Test if smack onlycap label can be set
-
- test needs to change the running label of the current process,
- so whole test takes places on image
- '''
- status, output = self.target.run("ls /tmp/test_smack_onlycap.sh")
- if status != 0:
- self.target.copy_to(
- os.path.join(self.files_dir, 'test_smack_onlycap.sh'),
- "/tmp/test_smack_onlycap.sh")
-
- status, output = self.target.run("sh /tmp/test_smack_onlycap.sh")
- self.assertEqual(status, 0, output)
-
-class SmackNetlabel(SmackBasicTest):
- @skipUnlessPassed('test_ssh')
- def test_smack_netlabel(self):
-
- test_label="191.191.191.191 TheOne"
- expected_label="191.191.191.191/32 TheOne"
-
- status, output = self.target.run(
- "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
- self.assertEqual(
- status, 0,
- "Netlabel /32 could not be set. Output: %s" %output)
-
- status, output = self.target.run("cat %s/netlabel" %self.smack_path)
- self.assertIn(
- expected_label, output,
- "Did not find expected label in output: %s" %output)
-
- test_label="253.253.253.0/24 TheOther"
- status, output = self.target.run(
- "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
- self.assertEqual(
- status, 0,
- "Netlabel /24 could not be set. Output: %s" %output)
-
- status, output = self.target.run("cat %s/netlabel" %self.smack_path)
- self.assertIn(
- test_label, output,
- "Did not find expected label in output: %s" %output)
-
-class SmackCipso(SmackBasicTest):
- @skipUnlessPassed('test_ssh')
- def test_smack_cipso(self):
- '''Test if smack cipso rules can be set'''
- # 12345678901234567890123456789012345678901234567890123456
- ruleA="TheOneA 2 0 "
- ruleB="TheOneB 3 1 55 "
- ruleC="TheOneC 4 2 17 33 "
-
- status, output = self.target.run(
- "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path))
- self.assertEqual(status, 0,
- "Could not set cipso label A. Ouput: %s" %output)
-
- status, output = self.target.run(
- "cat %s/cipso | grep '^TheOneA'" %self.smack_path)
- self.assertEqual(status, 0, "Cipso rule A was not set")
- self.assertIn(" 2", output, "Rule A was not set correctly")
-
- status, output = self.target.run(
- "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path))
- self.assertEqual(status, 0,
- "Could not set cipso label B. Ouput: %s" %output)
-
- status, output = self.target.run(
- "cat %s/cipso | grep '^TheOneB'" %self.smack_path)
- self.assertEqual(status, 0, "Cipso rule B was not set")
- self.assertIn("/55", output, "Rule B was not set correctly")
-
- status, output = self.target.run(
- "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path))
- self.assertEqual(
- status, 0,
- "Could not set cipso label C. Ouput: %s" %output)
-
- status, output = self.target.run(
- "cat %s/cipso | grep '^TheOneC'" %self.smack_path)
- self.assertEqual(status, 0, "Cipso rule C was not set")
- self.assertIn("/17,33", output, "Rule C was not set correctly")
-
-class SmackDirect(SmackBasicTest):
- @skipUnlessPassed('test_ssh')
- def test_smack_direct(self):
- status, initial_direct = self.target.run(
- "cat %s/direct" %self.smack_path)
-
- test_direct="17"
- status, output = self.target.run(
- "echo '%s' > %s/direct" %(test_direct, self.smack_path))
- self.assertEqual(status, 0 ,
- "Could not set smack direct. Output: %s" %output)
- status, new_direct = self.target.run("cat %s/direct" %self.smack_path)
- # initial label before checking
- status, output = self.target.run(
- "echo '%s' > %s/direct" %(initial_direct, self.smack_path))
- self.assertEqual(
- test_direct, new_direct.strip(),
- "Smack direct label does not match.")
-
-
-class SmackAmbient(SmackBasicTest):
- @skipUnlessPassed('test_ssh')
- def test_smack_ambient(self):
- test_ambient = "test_ambient"
- status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path)
- status, output = self.target.run(
- "echo '%s' > %s/ambient" %(test_ambient, self.smack_path))
- self.assertEqual(status, 0,
- "Could not set smack ambient. Output: %s" %output)
-
- status, output = self.target.run("cat %s/ambient" %self.smack_path)
- # Filter '\x00', which is sometimes added to the ambient label
- new_ambient = ''.join(filter(lambda x: x in string.printable, output))
- initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient))
- status, output = self.target.run(
- "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path))
- self.assertEqual(
- test_ambient, new_ambient.strip(),
- "Ambient label does not match")
-
-
-class SmackloadBinary(SmackBasicTest):
- @skipUnlessPassed('test_ssh')
- def test_smackload(self):
- '''Test if smackload command works'''
- rule="testobject testsubject rwx"
-
- status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule)
- status, output = self.target.run("smackload /tmp/rules")
- self.assertEqual(
- status, 0,
- "Smackload failed to load rule. Output: %s" %output)
-
- status, output = self.target.run(
- "cat %s/load | grep '%s'" %(self.smack_path, rule))
- self.assertEqual(status, 0, "Smackload rule was loaded correctly")
-
-class SmackcipsoBinary(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_smackcipso(self):
- '''Test if smackcipso command works'''
- # 12345678901234567890123456789012345678901234567890123456
- rule="cipsolabel 2 2 "
-
- status, output = self.target.run("echo '%s' | smackcipso" %rule)
- self.assertEqual(
- status, 0,
- "Smackcipso failed to load rule. Output: %s" %output)
-
- status, output = self.target.run(
- "cat %s/cipso | grep 'cipsolabel'" %self.smack_path)
- self.assertEqual(status, 0, "Smackload rule was loaded correctly")
- self.assertIn(
- "2/2", output,
- "Rule was not set correctly. Got: %s" %output)
-
-class SmackEnforceFileAccess(SmackBasicTest):
- @skipUnlessPassed('test_ssh')
- def test_smack_enforce_file_access(self):
- '''Test if smack file access is enforced (rwx)
-
- test needs to change the running label of the current process,
- so whole test takes places on image
- '''
- status, output = self.target.run("ls /tmp/smack_test_file_access.sh")
- if status != 0:
- self.target.copy_to(
- os.path.join(self.files_dir, 'smack_test_file_access.sh'),
- "/tmp/smack_test_file_access.sh")
-
- status, output = self.target.run("sh /tmp/smack_test_file_access.sh")
- self.assertEqual(status, 0, output)
-
-class SmackEnforceMmap(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_smack_mmap_enforced(self):
- '''Test if smack mmap access is enforced'''
- raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
-
- # 12345678901234567890123456789012345678901234567890123456
- delr1="mmap_label mmap_test_label1 -----"
- delr2="mmap_label mmap_test_label2 -----"
- delr3="mmap_file_label mmap_test_label1 -----"
- delr4="mmap_file_label mmap_test_label2 -----"
-
- RuleA="mmap_label mmap_test_label1 rw---"
- RuleB="mmap_label mmap_test_label2 r--at"
- RuleC="mmap_file_label mmap_test_label1 rw---"
- RuleD="mmap_file_label mmap_test_label2 rwxat"
-
- mmap_label="mmap_label"
- file_label="mmap_file_label"
- test_file = "/tmp/smack_test_mmap"
- self.target.copy_to(os.path.join(get_files_dir(), "mmap_test"), "/tmp/")
- mmap_exe = "/tmp/mmap_test"
- status, echo = self.target.run("which echo")
- status, output = self.target.run("ls /tmp/notroot.py")
- if status != 0:
- self.target.copy_to(
- os.path.join(self.files_dir, 'notroot.py'),
- "/tmp/notroot.py")
- status, output = self.target.run(
- "python /tmp/notroot.py %d %s %s 'test' > %s" \
- %(self.uid, self.current_label, echo, test_file))
- status, output = self.target.run("ls %s" %test_file)
- self.assertEqual(status, 0, "Could not create mmap test file")
- self.target.run("chsmack -m %s %s" %(file_label, test_file))
- self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
-
- # test with no rules with mmap label or exec label as subject
- # access should be granted
- self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access without rules. Output: %s" %output)
-
- # add rules that do not match access required
- self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with unmatching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with unmatching rules")
-
- # add rule to match only partially (one way)
- self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with partial matching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with partial matching rules")
-
- # add rule to match fully
- self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access with full matching rules." +
- "Output: %s" %output)
-
-class SmackEnforceTransmutable(SmackBasicTest):
-
- def test_smack_transmute_dir(self):
- '''Test if smack transmute attribute works
-
- test needs to change the running label of the current process,
- so whole test takes places on image
- '''
- test_dir = "/tmp/smack_transmute_dir"
- label="transmute_label"
- status, initial_label = self.target.run("cat /proc/self/attr/current")
-
- self.target.run("mkdir -p %s" %test_dir)
- self.target.run("chsmack -a %s %s" %(label, test_dir))
- self.target.run("chsmack -t %s" %test_dir)
- self.target.run(
- "echo -n '%s %s rwxat' | smackload" %(initial_label, label) )
-
- self.target.run("touch %s/test" %test_dir)
- status, output = self.target.run("chsmack %s/test" %test_dir)
- self.assertIn(
- 'access="%s"' %label, output,
- "Did not get expected label. Output: %s" %output)
-
-
-class SmackTcpSockets(SmackBasicTest):
- def test_smack_tcp_sockets(self):
- '''Test if smack is enforced on tcp sockets
-
- whole test takes places on image, depends on tcp_server/tcp_client'''
-
- self.target.copy_to(os.path.join(get_files_dir(), "tcp_client"), "/tmp/")
- self.target.copy_to(os.path.join(get_files_dir(), "tcp_server"), "/tmp/")
- status, output = self.target.run("ls /tmp/test_smack_tcp_sockets.sh")
- if status != 0:
- self.target.copy_to(
- os.path.join(self.files_dir, 'test_smack_tcp_sockets.sh'),
- "/tmp/test_smack_tcp_sockets.sh")
-
- status, output = self.target.run("sh /tmp/test_smack_tcp_sockets.sh")
- self.assertEqual(status, 0, output)
-
-class SmackUdpSockets(SmackBasicTest):
- def test_smack_udp_sockets(self):
- '''Test if smack is enforced on udp sockets
-
- whole test takes places on image, depends on udp_server/udp_client'''
-
- self.target.copy_to(os.path.join(get_files_dir(), "udp_client"), "/tmp/")
- self.target.copy_to(os.path.join(get_files_dir(), "udp_server"), "/tmp/")
- status, output = self.target.run("ls /tmp/test_smack_udp_sockets.sh")
- if status != 0:
- self.target.copy_to(
- os.path.join(self.files_dir, 'test_smack_udp_sockets.sh'),
- "/tmp/test_smack_udp_sockets.sh")
-
- status, output = self.target.run("sh /tmp/test_smack_udp_sockets.sh")
- self.assertEqual(status, 0, output)
-
-class SmackFileLabels(SmackBasicTest):
-
- @skipUnlessPassed('test_ssh')
- def test_smack_labels(self):
- '''Check for correct Smack labels.'''
- expected = '''
-/tmp/ access="*"
-/etc/ access="System::Shared" transmute="TRUE"
-/etc/passwd access="System::Shared"
-/etc/terminfo access="System::Shared" transmute="TRUE"
-/etc/skel/ access="System::Shared" transmute="TRUE"
-/etc/skel/.profile access="System::Shared"
-/var/log/ access="System::Log" transmute="TRUE"
-/var/tmp/ access="*"
-'''
- files = ' '.join([x.split()[0] for x in expected.split('\n') if x])
- files_wildcard = ' '.join([x + '/*' for x in files.split()])
- # Auxiliary information.
- status, output = self.target.run(
- 'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % (
- ' '.join([x.rstrip('/') for x in files.split()]), files, files
- )
- )
- msg = "File status:\n" + output
- status, output = self.target.run('chsmack %s' % files)
- self.assertEqual(
- status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg))
- self.longMessage = True
- self.maxDiff = None
- self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg)
diff --git a/meta-security/recipes-test/app-runas/app-runas.bb b/meta-security/recipes-test/app-runas/app-runas.bb
deleted file mode 100644
index 95725c2e7..000000000
--- a/meta-security/recipes-test/app-runas/app-runas.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://app-runas.cpp;beginline=3;endline=19;md5=1ca447189bb2c54039033d50d8982d92"
-SRC_URI = "file://app-runas.cpp"
-DEPENDS = "security-manager"
-S = "${WORKDIR}"
-
-do_compile () {
- ${CXX} ${CXXFLAGS} ${S}/app-runas.cpp `pkg-config --cflags --libs security-manager` -o app-runas
-}
-
-do_install () {
- install -D app-runas ${D}/${bindir}/app-runas
- chmod u+s ${D}/${bindir}/app-runas
-}
-
-inherit deploy-files
-DEPLOY_FILES_FROM[target] = "app-runas"
diff --git a/meta-security/recipes-test/app-runas/files/app-runas.cpp b/meta-security/recipes-test/app-runas/files/app-runas.cpp
deleted file mode 100644
index 58fa15504..000000000
--- a/meta-security/recipes-test/app-runas/files/app-runas.cpp
+++ /dev/null
@@ -1,221 +0,0 @@
-// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-
-#include <security-manager.h>
-
-#include <unistd.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <errno.h>
-#include <string.h>
-
-#include <sys/types.h>
-#include <sys/wait.h>
-
-#include <string>
-#include <vector>
-
-#define CHECK(x) { \
- int _ret = x; \
- if (_ret != SECURITY_MANAGER_SUCCESS) { \
- fprintf(stderr, "Failure in %s:%d: %s: %d = %s\n", __FILE__, __LINE__, #x, _ret, security_manager_strerror((lib_retcode)_ret)); \
- return EXIT_FAILURE; \
- } \
- }
-
-static int do_install(app_inst_req *preq)
-{
- CHECK(security_manager_app_install(preq));
- return 0;
-}
-
-static int do_uninstall(app_inst_req *preq)
-{
- CHECK(security_manager_app_uninstall(preq));
- return 0;
-}
-
-static int do_run(const char *appid, const char *uid, const char *file, char *const argv[])
-{
- if (!appid || !uid) {
- fprintf(stderr, "Always need appid, uid for app startup.\n");
- return EXIT_FAILURE;
- }
-
- pid_t child = fork();
- if (child == -1) {
- perror("fork");
- return EXIT_FAILURE;
- } else if (child) {
- int status;
- child = waitpid(child, &status, 0);
- if (child == -1) {
- perror("waitpid");
- return EXIT_FAILURE;
- }
- } else {
- // We cannot change the UID before security_manager_prepare_app()
- // (because then setup_smack() fails to change Smack labels of
- // our fds) and we cannot change the UID after it (because then
- // security_manager_drop_process_privileges() has already dropped
- // the necessary CAP_SETUID.
- // Instead, we need to do the steps from security_manager_prepare_app()
- // ourselves.
- CHECK(security_manager_set_process_label_from_appid(appid));
- CHECK(security_manager_set_process_groups_from_appid(appid));
- if (setuid(atoi(uid))) {
- fprintf(stderr, "setuid(%s): %s\n", uid, strerror(errno));
- exit(EXIT_FAILURE);
- }
- CHECK(security_manager_drop_process_privileges());
- // CHECK(security_manager_prepare_app(appid));
-
- execvp(file, argv);
- fprintf(stderr, "execvp(%s): %s", argv[optind], strerror(errno));
- exit(EXIT_FAILURE);
- }
- return 0;
-}
-
-int main(int argc, char **argv)
-{
- int flags, opt;
- int nsecs, tfnd;
- const char *appid = NULL;
- const char *pkgid = NULL;
- const char *uid = NULL;
- std::vector<const char *> privileges;
- std::vector< std::pair<app_install_path_type, std::string> > paths;
- int install = 0, uninstall = 0, run = 0;
-
- while ((opt = getopt(argc, argv, "a:p:u:r:t:ide")) != -1) {
- switch (opt) {
- case 'a':
- appid = optarg;
- break;
- case 'p':
- pkgid = optarg;
- break;
- case 'u':
- uid = optarg;
- break;
- case 'r':
- privileges.push_back(optarg);
- break;
- case 't': {
- const char *colon = strchr(optarg, ':');
- if (!colon) {
- fprintf(stderr, "-t parameter must be of the format <type>:<path>");
- return EXIT_FAILURE;
- }
- std::string typestr(optarg, colon - optarg);
- std::string path(colon + 1);
- app_install_path_type type;
- if (typestr == "private") {
- type = SECURITY_MANAGER_PATH_PRIVATE;
- } else if (typestr == "public") {
- type = SECURITY_MANAGER_PATH_PUBLIC;
- } else if (typestr == "public-ro") {
- type = SECURITY_MANAGER_PATH_PUBLIC_RO;
- } else if (typestr == "rw") {
- type = SECURITY_MANAGER_PATH_RW;
- } else if (typestr == "ro") {
- type = SECURITY_MANAGER_PATH_PRIVATE;
- } else {
- fprintf(stderr, "Invalid -t type: %s", typestr.c_str());
- return EXIT_FAILURE;
- }
- paths.push_back(std::make_pair(type, path));
- break;
- }
- case 'i':
- install = 1;
- break;
- case 'd':
- uninstall = 1;
- break;
- case 'e':
- run = 1;
- break;
- default: /* '?' */
- fprintf(stderr,
- "Usage: %s -i|-e|-d -a appid -u uid -p pkgid -r privilege1 ... -t private|public|public-ro|rw:<path> ... -- command args\n"
- " -i = install, command ignored\n"
- " -e = run command, privileges and pkgid ignored\n"
- " -d = uninstall, command and privileges ignored\n"
- " Install, run, and uninstall can be combined into a single invocation.\n",
- argv[0]);
- exit(EXIT_FAILURE);
- break;
- }
- }
-
- if ((install || uninstall) &&
- (!appid || !pkgid || !uid)) {
- fprintf(stderr, "Always need appid, pkgid, uid for app install or uninstall.\n");
- return EXIT_FAILURE;
- }
- if (run && optind >= argc) {
- fprintf(stderr, "Expected command after options\n");
- return EXIT_FAILURE;
- }
-
- app_inst_req *preq;
- CHECK(security_manager_app_inst_req_new(&preq));
- if (appid) {
- CHECK(security_manager_app_inst_req_set_app_id(preq, appid));
- }
- if (pkgid) {
- CHECK(security_manager_app_inst_req_set_pkg_id(preq, pkgid));
- }
- if (uid) {
- CHECK(security_manager_app_inst_req_set_uid(preq, atoi(uid)));
- }
- for (size_t i = 0; i < paths.size(); i++) {
- security_manager_app_inst_req_add_path(preq, paths[i].second.c_str(), paths[i].first);
- }
- for (size_t i = 0; i < privileges.size(); i++) {
- CHECK(security_manager_app_inst_req_add_privilege(preq, privileges[i]));
- }
-
- int result = 0;
- bool install_failed = false;
- if (install) {
- result = do_install(preq);
- if (result) {
- install_failed = true;
- }
- }
- if (run && !install_failed) {
- int run_result = do_run(appid, uid, argv[optind], argv + optind);
- if (run_result) {
- result = run_result;
- }
- }
- if (uninstall && !install_failed) {
- int uninstall_result = do_uninstall(preq);
- if (uninstall_result) {
- result = uninstall_result;
- }
- }
-
- security_manager_app_inst_req_free(preq);
- return result;
-}
diff --git a/meta-security/recipes-test/mmap-smack-test/files/mmap.c b/meta-security/recipes-test/mmap-smack-test/files/mmap.c
deleted file mode 100644
index f358d27b5..000000000
--- a/meta-security/recipes-test/mmap-smack-test/files/mmap.c
+++ /dev/null
@@ -1,7 +0,0 @@
-#include <stdio.h>
-
-int main(int argc, char **argv)
-{
- printf("Original test program removed while investigating its license.\n");
- return 1;
-}
diff --git a/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb b/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb
deleted file mode 100644
index 9d11509d0..000000000
--- a/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb
+++ /dev/null
@@ -1,16 +0,0 @@
-SUMMARY = "Mmap binary used to test smack mmap attribute"
-DESCRIPTION = "Mmap binary used to test smack mmap attribute"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
-
-SRC_URI = "file://mmap.c"
-
-S = "${WORKDIR}"
-do_compile() {
- ${CC} mmap.c ${LDFLAGS} -o mmap_test
-}
-
-do_install() {
- install -d ${D}${bindir}
- install -m 0755 mmap_test ${D}${bindir}
-}
diff --git a/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend b/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend
deleted file mode 100644
index e7d94f09f..000000000
--- a/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend
+++ /dev/null
@@ -1,2 +0,0 @@
-inherit deploy-files
-DEPLOY_FILES_FROM[target] = "${WORKDIR}/mmap_test"
diff --git a/meta-security/recipes-test/tcp-smack-test/files/tcp_client.c b/meta-security/recipes-test/tcp-smack-test/files/tcp_client.c
deleted file mode 100644
index 185f97380..000000000
--- a/meta-security/recipes-test/tcp-smack-test/files/tcp_client.c
+++ /dev/null
@@ -1,111 +0,0 @@
-// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <netinet/in.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <string.h>
-#include <sys/xattr.h>
-
-int main(int argc, char* argv[])
-{
-
- int sock;
- char message[255] = "hello";
- struct sockaddr_in server_addr;
- char* label_in;
- char* label_out;
- char* attr_out = "security.SMACK64IPOUT";
- char* attr_in = "security.SMACK64IPIN";
- char out[256];
- int port;
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- struct hostent* host = gethostbyname("localhost");
-
- if (argc != 4)
- {
- perror("Client: Arguments missing, please provide socket labels");
- return 2;
- }
-
- port = atoi(argv[1]);
- label_in = argv[2];
- label_out = argv[3];
-
- if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- {
- perror("Client: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
- {
- perror("Client: Unable to set attribute SMACK64IPOUT");
- return 2;
- }
-
- if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
- {
- perror("Client: Unable to set attribute SMACK64IPIN");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
- bzero(&(server_addr.sin_zero),8);
-
- if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Client: Set timeout failed\n");
- return 2;
- }
-
- if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
- {
- perror("Client: Connection failure");
- close(sock);
- return 1;
- }
-
-
- if(write(sock, message, strlen(message)) < 0)
- {
- perror("Client: Error sending data\n");
- close(sock);
- return 1;
- }
- close(sock);
- return 0;
-}
-
-
-
-
-
-
diff --git a/meta-security/recipes-test/tcp-smack-test/files/tcp_server.c b/meta-security/recipes-test/tcp-smack-test/files/tcp_server.c
deleted file mode 100644
index 9285dc695..000000000
--- a/meta-security/recipes-test/tcp-smack-test/files/tcp_server.c
+++ /dev/null
@@ -1,118 +0,0 @@
-// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <netinet/in.h>
-#include <unistd.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
-
- int sock;
- int clientsock;
- char message[255];
- socklen_t client_length;
- struct sockaddr_in server_addr, client_addr;
- char* label_in;
- char* attr_in = "security.SMACK64IPIN";
- int port;
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- if (argc != 3)
- {
- perror("Server: Argument missing please provide port and label for SMACK64IPIN");
- return 2;
- }
-
- port = atoi(argv[1]);
- label_in = argv[2];
- bzero(message,255);
-
-
- if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- {
- perror("Server: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
- {
- perror("Server: Unable to set attribute ipin 2");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- server_addr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(server_addr.sin_zero),8);
-
- if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Server: Set timeout failed\n");
- return 2;
- }
-
- if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
- {
- perror("Server: Bind failure ");
- return 2;
- }
-
- listen(sock, 1);
- client_length = sizeof(client_addr);
-
- clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
-
- if (clientsock < 0)
- {
- perror("Server: Connection failed");
- close(sock);
- return 1;
- }
-
-
- if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
- {
- perror(" Server: Unable to set attribute ipin 2");
- close(sock);
- return 2;
- }
-
- if(read(clientsock, message, 254) < 0)
- {
- perror("Server: Error when reading from socket");
- close(clientsock);
- close(sock);
- return 1;
- }
-
-
- close(clientsock);
- close(sock);
-
- return 0;
-}
diff --git a/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb b/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb
deleted file mode 100644
index 57e7151a8..000000000
--- a/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb
+++ /dev/null
@@ -1,20 +0,0 @@
-SUMMARY = "Binary used to test smack tcp sockets"
-DESCRIPTION = "Server and client binaries used to test smack attributes on TCP sockets"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
-
-SRC_URI = "file://tcp_server.c \
- file://tcp_client.c \
-"
-
-S = "${WORKDIR}"
-do_compile() {
- ${CC} tcp_client.c ${LDFLAGS} -o tcp_client
- ${CC} tcp_server.c ${LDFLAGS} -o tcp_server
-}
-
-do_install() {
- install -d ${D}${bindir}
- install -m 0755 tcp_server ${D}${bindir}
- install -m 0755 tcp_client ${D}${bindir}
-}
diff --git a/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend b/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend
deleted file mode 100644
index 2755bf0e1..000000000
--- a/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend
+++ /dev/null
@@ -1,2 +0,0 @@
-inherit deploy-files
-DEPLOY_FILES_FROM[target] = "${WORKDIR}/tcp_client ${WORKDIR}/tcp_server"
diff --git a/meta-security/recipes-test/udp-smack-test/files/udp_client.c b/meta-security/recipes-test/udp-smack-test/files/udp_client.c
deleted file mode 100644
index 4d3afbe6c..000000000
--- a/meta-security/recipes-test/udp-smack-test/files/udp_client.c
+++ /dev/null
@@ -1,75 +0,0 @@
-// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <sys/socket.h>
-#include <stdio.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
- char* message = "hello";
- int sock, ret;
- struct sockaddr_in server_addr;
- struct hostent* host = gethostbyname("localhost");
- char* label;
- char* attr = "security.SMACK64IPOUT";
- int port;
- if (argc != 3)
- {
- perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
- return 2;
- }
-
- port = atoi(argv[1]);
- label = argv[2];
- sock = socket(AF_INET, SOCK_DGRAM,0);
- if(sock < 0)
- {
- perror("Client: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
- {
- perror("Client: Unable to set attribute ");
- return 2;
- }
-
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
- bzero(&(server_addr.sin_zero),8);
-
- ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
- sizeof(struct sockaddr_in));
-
- close(sock);
- if(ret < 0)
- {
- perror("Client: Error sending message\n");
- return 1;
- }
-
- return 0;
-}
-
diff --git a/meta-security/recipes-test/udp-smack-test/files/udp_server.c b/meta-security/recipes-test/udp-smack-test/files/udp_server.c
deleted file mode 100644
index cbab71e65..000000000
--- a/meta-security/recipes-test/udp-smack-test/files/udp_server.c
+++ /dev/null
@@ -1,93 +0,0 @@
-// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <sys/socket.h>
-#include <stdio.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
- int sock,ret;
- struct sockaddr_in server_addr, client_addr;
- socklen_t len;
- char message[5];
- char* label;
- char* attr = "security.SMACK64IPIN";
- int port;
-
- if(argc != 3)
- {
- perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
- return 2;
- }
-
- port = atoi(argv[1]);
- label = argv[2];
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- sock = socket(AF_INET,SOCK_DGRAM,0);
- if(sock < 0)
- {
- perror("Server: Socket error");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
- {
- perror("Server: Unable to set attribute ");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- server_addr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(server_addr.sin_zero),8);
-
-
- if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Server: Set timeout failed\n");
- return 2;
- }
-
- if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
- {
- perror("Server: Bind failure");
- return 2;
- }
-
- len = sizeof(client_addr);
- ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
- &len);
- close(sock);
- if(ret < 0)
- {
- perror("Server: Error receiving");
- return 1;
-
- }
- return 0;
-}
-
diff --git a/meta-security/recipes-test/udp-smack-test/udp-smack-test.bb b/meta-security/recipes-test/udp-smack-test/udp-smack-test.bb
deleted file mode 100644
index 478e3688d..000000000
--- a/meta-security/recipes-test/udp-smack-test/udp-smack-test.bb
+++ /dev/null
@@ -1,20 +0,0 @@
-SUMMARY = "Binary used to test smack udp sockets"
-DESCRIPTION = "Server and client binaries used to test smack attributes on UDP sockets"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
-
-SRC_URI = "file://udp_server.c \
- file://udp_client.c \
-"
-
-S = "${WORKDIR}"
-do_compile() {
- ${CC} udp_client.c ${LDFLAGS} -o udp_client
- ${CC} udp_server.c ${LDFLAGS} -o udp_server
-}
-
-do_install() {
- install -d ${D}${bindir}
- install -m 0755 udp_server ${D}${bindir}
- install -m 0755 udp_client ${D}${bindir}
-}
diff --git a/meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend b/meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend
deleted file mode 100644
index bf79ba4d4..000000000
--- a/meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend
+++ /dev/null
@@ -1,2 +0,0 @@
-inherit deploy-files
-DEPLOY_FILES_FROM[target] = "${WORKDIR}/udp_client ${WORKDIR}/udp_server"