Diffstat (limited to 'meta-agl-core')
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch40
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch109
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc8
-rwxr-xr-xmeta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh6
-rwxr-xr-xmeta-agl-core/scripts/run-yocto-check-layer.sh6
5 files changed, 2 insertions, 167 deletions
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch
deleted file mode 100644
index c595dfdf5..000000000
--- a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 63f5acdf097b7baca8d0f7056a037f8811b48aaa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Tue, 27 Feb 2018 17:06:21 +0100
-Subject: [PATCH] Smack: Handle CGROUP2 in the same way that CGROUP
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The new file system CGROUP2 isn't actually handled
-by smack. This changes makes Smack treat equally
-CGROUP and CGROUP2 items.
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- security/smack/smack_lsm.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index 03fdecba93bb..5d77ed04422c 100644
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -3431,6 +3431,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
- if (opt_dentry->d_parent == opt_dentry) {
- switch (sbp->s_magic) {
- case CGROUP_SUPER_MAGIC:
-+ case CGROUP2_SUPER_MAGIC:
- /*
- * The cgroup filesystem is never mounted,
- * so there's no opportunity to set the mount
-@@ -3474,6 +3475,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
- switch (sbp->s_magic) {
- case SMACK_MAGIC:
- case CGROUP_SUPER_MAGIC:
-+ case CGROUP2_SUPER_MAGIC:
- /*
- * Casey says that it's a little embarrassing
- * that the smack file system doesn't do
---
-2.14.3
-
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch
deleted file mode 100644
index 4100bb8fd..000000000
--- a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-Smack: Privilege check on key operations
-
-Operations on key objects are subjected to Smack policy
-even if the process is privileged. This is inconsistent
-with the general behavior of Smack and may cause issues
-with authentication by privileged daemons. This patch
-allows processes with CAP_MAC_OVERRIDE to access keys
-even if the Smack rules indicate otherwise.
-
-Reported-by: Jose Bollo <jobol@nonadev.net>
-Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
----
- security/smack/smack.h | 1 +
- security/smack/smack_access.c | 40 +++++++++++++++++++++++++++++-----------
- security/smack/smack_lsm.c | 4 ++++
- 3 files changed, 34 insertions(+), 11 deletions(-)
-
-diff --git a/security/smack/smack.h b/security/smack/smack.h
-index 6a71fc7..f7db791 100644
---- a/security/smack/smack.h
-+++ b/security/smack/smack.h
-@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int);
- void smk_insert_entry(struct smack_known *skp);
- struct smack_known *smk_find_entry(const char *);
- bool smack_privileged(int cap);
-+bool smack_privileged_cred(int cap, const struct cred *cred);
- void smk_destroy_label_list(struct list_head *list);
-
- /*
-diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
-index 1a30041..141ffac 100644
---- a/security/smack/smack_access.c
-+++ b/security/smack/smack_access.c
-@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid)
- LIST_HEAD(smack_onlycap_list);
- DEFINE_MUTEX(smack_onlycap_lock);
-
--/*
-+/**
-+ * smack_privileged_cred - are all privilege requirements met by cred
-+ * @cap: The requested capability
-+ * @cred: the credential to use
-+ *
- * Is the task privileged and allowed to be privileged
- * by the onlycap rule.
- *
- * Returns true if the task is allowed to be privileged, false if it's not.
- */
--bool smack_privileged(int cap)
-+bool smack_privileged_cred(int cap, const struct cred *cred)
- {
-- struct smack_known *skp = smk_of_current();
-+ struct task_smack *tsp = cred->security;
-+ struct smack_known *skp = tsp->smk_task;
- struct smack_known_list_elem *sklep;
- int rc;
-
-- /*
-- * All kernel tasks are privileged
-- */
-- if (unlikely(current->flags & PF_KTHREAD))
-- return true;
--
-- rc = cap_capable(current_cred(), &init_user_ns, cap,
-- SECURITY_CAP_AUDIT);
-+ rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT);
- if (rc)
- return false;
-
-@@ -662,3 +660,23 @@ bool smack_privileged(int cap)
-
- return false;
- }
-+
-+/**
-+ * smack_privileged - are all privilege requirements met
-+ * @cap: The requested capability
-+ *
-+ * Is the task privileged and allowed to be privileged
-+ * by the onlycap rule.
-+ *
-+ * Returns true if the task is allowed to be privileged, false if it's not.
-+ */
-+bool smack_privileged(int cap)
-+{
-+ /*
-+ * All kernel tasks are privileged
-+ */
-+ if (unlikely(current->flags & PF_KTHREAD))
-+ return true;
-+
-+ return smack_privileged_cred(cap, current_cred());
-+}
-diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index 30f2c3d..03fdecb 100644
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref,
- */
- if (tkp == NULL)
- return -EACCES;
-+
-+ if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
-+ return 0;
-+
- #ifdef CONFIG_AUDIT
- smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
- ad.a.u.key_struct.key = keyp->serial;
-
diff --git a/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc b/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc
index 8476f343b..9ab3d34af 100644
--- a/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc
+++ b/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc
@@ -1,13 +1,5 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/linux-4.14:"
-#-------------------------------------------------------------------------
-# smack patches for kernels keys
-
-SRC_URI:append:with-lsm-smack = "\
- file://Smack-Privilege-check-on-key-operations.patch \
- file://Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch \
- "
-
SRC_URI:append = "\
file://net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch \
file://net-sch_generic-Use-pfifo_fast-as-fallback-scheduler.patch \
diff --git a/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh b/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh
index fec73069e..e0e9d17a4 100755
--- a/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh
+++ b/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh
@@ -20,14 +20,10 @@ AGL_EXTRA_IMAGE_FSTYPES ?= ""
# important settings imported from poky-agl.conf
# we do not import
-DISTRO_FEATURES:append = " systemd smack"
+DISTRO_FEATURES:append = " systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit"
VIRTUAL-RUNTIME_init_manager = "systemd"
-# workaround:
-# ERROR: Nothing PROVIDES 'smack' (but /home/dl9pf/AGL/master-newlayout/external/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb DEPENDS on or otherwise requires it)
-BBMASK += "meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb"
-
AGL_FEATURES += "aglcore"
EOF
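Review bot: The new `DISTRO_FEATURES:append = " systemd"` line drops `smack` from the configuration that yocto-check-layer runs against, and nothing in the hunk records why, although the preceding comment still says these settings are "imported from poky-agl.conf". If poky-agl.conf still enables smack, the check now runs with a different LSM configuration than the distro, and any recipe code that is only active under a smack-conditional override (the kernel SRC_URI appends this commit deletes elsewhere in the layer, for instance) is no longer exercised by the check. Please state the intent next to the line, e.g. `# smack is deliberately left out of DISTRO_FEATURES for the layer check` with a short reason, so it is not re-added to "match" poky-agl.conf later. The same change and the same missing explanation appear in the run-yocto-check-layer.sh hunk that follows; the heredoc both lines belong to opens outside the hunk.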
diff --git a/meta-agl-core/scripts/run-yocto-check-layer.sh b/meta-agl-core/scripts/run-yocto-check-layer.sh
index 369ed98b4..3af61bc19 100755
--- a/meta-agl-core/scripts/run-yocto-check-layer.sh
+++ b/meta-agl-core/scripts/run-yocto-check-layer.sh
@@ -20,14 +20,10 @@ AGL_EXTRA_IMAGE_FSTYPES ?= ""
# important settings imported from poky-agl.conf
# we do not import
-DISTRO_FEATURES:append = " systemd smack"
+DISTRO_FEATURES:append = " systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit"
VIRTUAL-RUNTIME_init_manager = "systemd"
-# workaround:
-# ERROR: Nothing PROVIDES 'smack' (but /home/dl9pf/AGL/master-newlayout/external/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb DEPENDS on or otherwise requires it)
-BBMASK += "meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb"
-
EOF