diff options
Diffstat (limited to 'meta-agl-core')
5 files changed, 2 insertions, 159 deletions
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch deleted file mode 100644 index c595dfdf5..000000000 --- a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 63f5acdf097b7baca8d0f7056a037f8811b48aaa Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Tue, 27 Feb 2018 17:06:21 +0100 -Subject: [PATCH] Smack: Handle CGROUP2 in the same way that CGROUP -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The new file system CGROUP2 isn't actually handled -by smack. This changes makes Smack treat equally -CGROUP and CGROUP2 items. - -Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - security/smack/smack_lsm.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index 03fdecba93bb..5d77ed04422c 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -3431,6 +3431,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) - if (opt_dentry->d_parent == opt_dentry) { - switch (sbp->s_magic) { - case CGROUP_SUPER_MAGIC: -+ case CGROUP2_SUPER_MAGIC: - /* - * The cgroup filesystem is never mounted, - * so there's no opportunity to set the mount -@@ -3474,6 +3475,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) - switch (sbp->s_magic) { - case SMACK_MAGIC: - case CGROUP_SUPER_MAGIC: -+ case CGROUP2_SUPER_MAGIC: - /* - * Casey says that it's a little embarrassing - * that the smack file system doesn't do --- -2.14.3 - diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch deleted file mode 100644 index 4100bb8fd..000000000 --- a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch +++ /dev/null @@ -1,109 +0,0 @@ -Smack: Privilege check on key operations - -Operations on key objects are subjected to Smack policy -even if the process is privileged. This is inconsistent -with the general behavior of Smack and may cause issues -with authentication by privileged daemons. This patch -allows processes with CAP_MAC_OVERRIDE to access keys -even if the Smack rules indicate otherwise. - -Reported-by: Jose Bollo <jobol@nonadev.net> -Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> ---- - security/smack/smack.h | 1 + - security/smack/smack_access.c | 40 +++++++++++++++++++++++++++++----------- - security/smack/smack_lsm.c | 4 ++++ - 3 files changed, 34 insertions(+), 11 deletions(-) - -diff --git a/security/smack/smack.h b/security/smack/smack.h -index 6a71fc7..f7db791 100644 ---- a/security/smack/smack.h -+++ b/security/smack/smack.h -@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int); - void smk_insert_entry(struct smack_known *skp); - struct smack_known *smk_find_entry(const char *); - bool smack_privileged(int cap); -+bool smack_privileged_cred(int cap, const struct cred *cred); - void smk_destroy_label_list(struct list_head *list); - - /* -diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c -index 1a30041..141ffac 100644 ---- a/security/smack/smack_access.c -+++ b/security/smack/smack_access.c -@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid) - LIST_HEAD(smack_onlycap_list); - DEFINE_MUTEX(smack_onlycap_lock); - --/* -+/** -+ * smack_privileged_cred - are all privilege requirements met by cred -+ * @cap: The requested capability -+ * @cred: the credential to use -+ * - * Is the task privileged and allowed to be privileged - * by the onlycap rule. - * - * Returns true if the task is allowed to be privileged, false if it's not. - */ --bool smack_privileged(int cap) -+bool smack_privileged_cred(int cap, const struct cred *cred) - { -- struct smack_known *skp = smk_of_current(); -+ struct task_smack *tsp = cred->security; -+ struct smack_known *skp = tsp->smk_task; - struct smack_known_list_elem *sklep; - int rc; - -- /* -- * All kernel tasks are privileged -- */ -- if (unlikely(current->flags & PF_KTHREAD)) -- return true; -- -- rc = cap_capable(current_cred(), &init_user_ns, cap, -- SECURITY_CAP_AUDIT); -+ rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT); - if (rc) - return false; - -@@ -662,3 +660,23 @@ bool smack_privileged(int cap) - - return false; - } -+ -+/** -+ * smack_privileged - are all privilege requirements met -+ * @cap: The requested capability -+ * -+ * Is the task privileged and allowed to be privileged -+ * by the onlycap rule. -+ * -+ * Returns true if the task is allowed to be privileged, false if it's not. -+ */ -+bool smack_privileged(int cap) -+{ -+ /* -+ * All kernel tasks are privileged -+ */ -+ if (unlikely(current->flags & PF_KTHREAD)) -+ return true; -+ -+ return smack_privileged_cred(cap, current_cred()); -+} -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index 30f2c3d..03fdecb 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref, - */ - if (tkp == NULL) - return -EACCES; -+ -+ if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) -+ return 0; -+ - #ifdef CONFIG_AUDIT - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); - ad.a.u.key_struct.key = keyp->serial; - diff --git a/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc b/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc index 8476f343b..9ab3d34af 100644 --- a/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc +++ b/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc @@ -1,13 +1,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/linux-4.14:" -#------------------------------------------------------------------------- -# smack patches for kernels keys - -SRC_URI:append:with-lsm-smack = "\ - file://Smack-Privilege-check-on-key-operations.patch \ - file://Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch \ - " - SRC_URI:append = "\ file://net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch \ file://net-sch_generic-Use-pfifo_fast-as-fallback-scheduler.patch \ diff --git a/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh b/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh index fec73069e..f00ccc665 100755 --- a/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh +++ b/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh @@ -20,7 +20,7 @@ AGL_EXTRA_IMAGE_FSTYPES ?= "" # important settings imported from poky-agl.conf # we do not import -DISTRO_FEATURES:append = " systemd smack" +DISTRO_FEATURES:append = " systemd" DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit" VIRTUAL-RUNTIME_init_manager = "systemd" diff --git a/meta-agl-core/scripts/run-yocto-check-layer.sh b/meta-agl-core/scripts/run-yocto-check-layer.sh index 369ed98b4..71eaedb70 100755 --- a/meta-agl-core/scripts/run-yocto-check-layer.sh +++ b/meta-agl-core/scripts/run-yocto-check-layer.sh @@ -20,7 +20,7 @@ AGL_EXTRA_IMAGE_FSTYPES ?= "" # important settings imported from poky-agl.conf # we do not import -DISTRO_FEATURES:append = " systemd smack" +DISTRO_FEATURES:append = " systemd" DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit" VIRTUAL-RUNTIME_init_manager = "systemd" |