diff options
Diffstat (limited to 'meta-app-framework/recipes-security/security-manager/security-manager')
16 files changed, 0 insertions, 1095 deletions
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch deleted file mode 100644 index 4c91f7fa3..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 935e4e4e746b5ffcda80c80097dc75c2581c1a89 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Wed, 19 Oct 2016 13:45:54 +0200 -Subject: [PATCH] Adapt rules to AGL -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -AGL distribution uses the repository https://github.com/01org/meta-intel-iot-security.git -as basis for the integration of security framework. The security framework -that it provides is an evolution of the security framework of tizen refited -to the distribution Ostro of Intel. This refit took the decision to simplify -the model by removing the running label "User". More can be viewed here: -https://github.com/01org/meta-intel-iot-security/pull/116 - -This commits adapt the template to the rules that are now needed -after this evolution. - -It also integrates one other evolutions: the shared label becomes User::App-Shared instead -of User::App::Shared to avoid collision with application of id "Shared". - -Change-Id: Ieb566b63f8c8e691b5f75e06499a3b576d042546 -Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - policy/app-rules-template.smack | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack -index 1311169..b4cd2e3 100644 ---- a/policy/app-rules-template.smack -+++ b/policy/app-rules-template.smack -@@ -1,12 +1,10 @@ --System ~APP~ rwx -+System ~APP~ rwxa -+System ~PKG~ rwxat - ~APP~ System wx - ~APP~ System::Shared rx - ~APP~ System::Run rwxat - ~APP~ System::Log rwxa - ~APP~ _ l --User ~APP~ rwxa --User ~PKG~ rwxat --~APP~ User wx - ~APP~ User::Home rxl --~APP~ User::App::Shared rwxat -+~APP~ User::App-Shared rwxat - ~APP~ ~PKG~ rwxat --- -2.7.4 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch deleted file mode 100644 index 91ce81963..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 3d9d1d83fe298a364f51ad752c17aad461beded3 Mon Sep 17 00:00:00 2001 -From: Patrick Ohly <patrick.ohly@intel.com> -Date: Tue, 24 Mar 2015 04:54:03 -0700 -Subject: [PATCH 01/14] systemd: stop using compat libs - -libsystemd-journal and libsystemd-daemon are considered obsolete -in systemd since 2.09 and may not be available (not compiled -by default). - -The code works fine with the current libsystemd, so just -use that. - -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> -Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 ---- - src/common/CMakeLists.txt | 2 +- - src/server/CMakeLists.txt | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt -index 2da9c3e..968c7c1 100644 ---- a/src/common/CMakeLists.txt -+++ b/src/common/CMakeLists.txt -@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2) - - PKG_CHECK_MODULES(COMMON_DEP - REQUIRED -- libsystemd-journal -+ libsystemd - libsmack - db-util - cynara-admin -diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt -index 753eb96..6849d76 100644 ---- a/src/server/CMakeLists.txt -+++ b/src/server/CMakeLists.txt -@@ -1,6 +1,6 @@ - PKG_CHECK_MODULES(SERVER_DEP - REQUIRED -- libsystemd-daemon -+ libsystemd - ) - - FIND_PACKAGE(Boost REQUIRED) --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch deleted file mode 100644 index b6346480b..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch +++ /dev/null @@ -1,36 +0,0 @@ -From a90515613f09140049b2bdf471fa83d5dd7bad1c Mon Sep 17 00:00:00 2001 -From: Patrick Ohly <patrick.ohly@intel.com> -Date: Wed, 19 Aug 2015 15:02:32 +0200 -Subject: [PATCH 02/14] security-manager-policy-reload: do not depend on GNU - sed - -\U (= make replacement uppercase) is a GNU sed extension which is not -supported by other sed implementation's (like the one from -busybox). When using busybox, the bucket for user profiles became -USER_TYPE_Uadmin instead USER_TYPE_ADMIN. - -To make SecurityManager more portable, better use tr to turn the -bucket name into uppercase. - -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> -Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 ---- - policy/security-manager-policy-reload | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload -index 274c49c..6f211c6 100755 ---- a/policy/security-manager-policy-reload -+++ b/policy/security-manager-policy-reload -@@ -33,7 +33,7 @@ END - find "$POLICY_PATH" -name "usertype-*.profile" | - while read file - do -- bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`" -+ bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`" - - # Re-create the bucket with empty contents - cyad --delete-bucket=$bucket || true --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch deleted file mode 100644 index d79345e01..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch +++ /dev/null @@ -1,117 +0,0 @@ -From a80e33bc0a10fa4bed5d0b7bf29f45dd2565d309 Mon Sep 17 00:00:00 2001 -From: Alejandro Joya <alejandro.joya.cruz@intel.com> -Date: Wed, 4 Nov 2015 19:01:35 -0600 -Subject: [PATCH 03/14] Smack-rules: create two new functions - -It let to smack-rules to create multiple set of rules -related with the privileges. - -It runs from the same bases than for a static set of rules on the -template, but let you add 1 or many templates for different cases. - -Change-Id: I14f8d4e914ad5a7ba34c96f3cb5589f0b15292de -Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com> ---- - src/common/include/smack-rules.h | 15 +++++++++++ - src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++ - 2 files changed, 59 insertions(+) - -diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h -index 91446a7..3ad9dd4 100644 ---- a/src/common/include/smack-rules.h -+++ b/src/common/include/smack-rules.h -@@ -47,6 +47,8 @@ public: - void addFromTemplate(const std::vector<std::string> &templateRules, - const std::string &appId, const std::string &pkgId); - void addFromTemplateFile(const std::string &appId, const std::string &pkgId); -+ void addFromTemplateFile(const std::string &appId, const std::string &pkgId, -+ const std::string &path); - - void apply() const; - void clear() const; -@@ -74,6 +76,19 @@ public: - */ - static void installApplicationRules(const std::string &appId, const std::string &pkgId, - const std::vector<std::string> &pkgContents); -+ /** -+ * Install privileges-specific smack rules. -+ * -+ * Function creates smack rules using predefined template. Rules are applied -+ * to the kernel and saved on persistent storage so they are loaded on system boot. -+ * -+ * @param[in] appId - application id that is beeing installed -+ * @param[in] pkgId - package id that the application is in -+ * @param[in] pkgContents - a list of all applications in the package -+ * @param[in] privileges - a list of all prvileges -+ */ -+ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, -+ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges); - /** - * Uninstall package-specific smack rules. - * -diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp -index 3629e0f..922a56f 100644 ---- a/src/common/smack-rules.cpp -+++ b/src/common/smack-rules.cpp -@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const - } - } - -+void SmackRules::addFromTemplateFile(const std::string &appId, -+ const std::string &pkgId, const std::string &path) -+{ -+ std::vector<std::string> templateRules; -+ std::string line; -+ std::ifstream templateRulesFile(path); -+ -+ if (!templateRulesFile.is_open()) { -+ LogError("Cannot open rules template file: " << path); -+ ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path); -+ } -+ -+ while (std::getline(templateRulesFile, line)) { -+ templateRules.push_back(line); -+ } -+ -+ if (templateRulesFile.bad()) { -+ LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); -+ ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); -+ } -+ -+ addFromTemplate(templateRules, appId, pkgId); -+} - - void SmackRules::addFromTemplateFile(const std::string &appId, - const std::string &pkgId) -@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) - std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); - return path; - } -+void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, -+ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) -+{ -+ SmackRules smackRules; -+ std::string appPath = getApplicationRulesFilePath(appId); -+ smackRules.loadFromFile(appPath); -+ struct stat buffer; -+ for (auto privilege : privileges) { -+ if (privilege.empty()) -+ continue; -+ std::string fprivilege ( privilege + "-template.smack"); -+ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); -+ if( stat(path.c_str(), &buffer) == 0) -+ smackRules.addFromTemplateFile(appId, pkgId, path); -+ } -+ -+ if (smack_smackfs_path() != NULL) -+ smackRules.apply(); - -+ smackRules.saveToFile(appPath); -+ updatePackageRules(pkgId, pkgContents); -+} - void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId, - const std::vector<std::string> &pkgContents) - { --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch deleted file mode 100644 index 59d4971ff..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a5979d9d674e400ecd7fcdf5d7589cfa0cfeb492 Mon Sep 17 00:00:00 2001 -From: Alejandro Joya <alejandro.joya.cruz@intel.com> -Date: Wed, 4 Nov 2015 19:06:23 -0600 -Subject: [PATCH 04/14] app-install: implement multiple set of smack-rules - -If it's need it could create load multiple set of smack rules -related with the privileges. -It wouldn't affect the case that only the default set of rules is need it. - -Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com> ---- - src/common/service_impl.cpp | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp -index 7fd621c..ae305d3 100644 ---- a/src/common/service_impl.cpp -+++ b/src/common/service_impl.cpp -@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid) - LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " - << req.pkgId << ". Applications in package: " << pkgContents.size()); - SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents); -+ /*Setup for privileges custom rules*/ -+ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " -+ << req.pkgId << ". Applications in package: " << pkgContents.size() -+ << " and Privileges"); -+ SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId, -+ pkgContents,req.privileges); - } catch (const SmackException::Base &e) { - LogError("Error while applying Smack policy for application: " << e.DumpToString()); - return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED; --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch deleted file mode 100644 index 0739f28c7..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 198ba9b9782fda19803e94d2afeff91189ac27af Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net> -Date: Wed, 13 Jan 2016 17:30:06 +0100 -Subject: [PATCH 05/14] c++11: replace deprecated auto_ptr -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/] - -Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8 -Signed-off-by: José Bollo <jobol@nonadev.net> ---- - src/dpl/core/include/dpl/binary_queue.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h -index dd03f5e..185b6c7 100644 ---- a/src/dpl/core/include/dpl/binary_queue.h -+++ b/src/dpl/core/include/dpl/binary_queue.h -@@ -33,7 +33,7 @@ namespace SecurityManager { - * Binary queue auto pointer - */ - class BinaryQueue; --typedef std::auto_ptr<BinaryQueue> BinaryQueueAutoPtr; -+typedef std::unique_ptr<BinaryQueue> BinaryQueueAutoPtr; - - /** - * Binary stream implemented as constant size bucket list --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch deleted file mode 100644 index 3b8aad98c..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch +++ /dev/null @@ -1,47 +0,0 @@ -From ec098bf03cea23350ca7d1ea2ad88b9c88228943 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Fri, 8 Jan 2016 16:53:46 +0100 -Subject: [PATCH 06/14] socket-manager: removes tizen specific call -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The function 'smack_fgetlabel' is specific to Tizen -and is no more maintained upstream. - -Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/] - -Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f -Signed-off-by: José Bollo <jobol@nonadev.net> ---- - src/server/main/socket-manager.cpp | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp -index 94c54c6..5e1a79b 100644 ---- a/src/server/main/socket-manager.cpp -+++ b/src/server/main/socket-manager.cpp -@@ -30,6 +30,7 @@ - #include <sys/types.h> - #include <sys/socket.h> - #include <sys/smack.h> -+#include <linux/xattr.h> - #include <sys/un.h> - #include <sys/stat.h> - #include <unistd.h> -@@ -493,9 +494,9 @@ int SocketManager::CreateDomainSocketHelp( - if (smack_check()) { - LogInfo("Set up smack label: " << desc.smackLabel); - -- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) { -- LogError("Error in smack_fsetlabel"); -- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel"); -+ if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) { -+ LogError("Error in smack_set_label_for_file"); -+ ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file"); - } - } else { - LogInfo("No smack on platform. Socket won't be securied with smack label!"); --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch deleted file mode 100644 index bad99d25a..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 9d0791dab4b4df086374c5c0ba2a6558e10e81c1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Mon, 16 Nov 2015 15:56:27 +0100 -Subject: [PATCH 07/14] removes dependency to libslp-db-utils - -Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec ---- - src/common/CMakeLists.txt | 3 ++- - src/dpl/db/src/sql_connection.cpp | 17 +---------------- - 2 files changed, 3 insertions(+), 17 deletions(-) - -diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt -index 968c7c1..9ae376f 100644 ---- a/src/common/CMakeLists.txt -+++ b/src/common/CMakeLists.txt -@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP - REQUIRED - libsystemd - libsmack -- db-util -+ sqlite3 -+ icu-i18n - cynara-admin - cynara-client - ) -diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp -index fdb4fe4..f49a6dc 100644 ---- a/src/dpl/db/src/sql_connection.cpp -+++ b/src/dpl/db/src/sql_connection.cpp -@@ -26,7 +26,6 @@ - #include <memory> - #include <dpl/noncopyable.h> - #include <dpl/assert.h> --#include <db-util.h> - #include <unistd.h> - #include <cstdio> - #include <cstdarg> -@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address, - - // Connect to database - int result; -- if (type & Flag::UseLucene) { -- result = db_util_open_with_options( -- address.c_str(), -- &m_connection, -- flag, -- NULL); -- -- m_usingLucene = true; -- LogPedantic("Lucene index enabled"); -- } else { -+ (void)type; - result = sqlite3_open_v2( - address.c_str(), - &m_connection, -@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address, - - m_usingLucene = false; - LogPedantic("Lucene index disabled"); -- } - - if (result == SQLITE_OK) { - LogPedantic("Connected to DB"); -@@ -653,11 +642,7 @@ void SqlConnection::Disconnect() - - int result; - -- if (m_usingLucene) { -- result = db_util_close(m_connection); -- } else { - result = sqlite3_close(m_connection); -- } - - if (result != SQLITE_OK) { - const char *error = sqlite3_errmsg(m_connection); --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch deleted file mode 100644 index 5ece7ef4f..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch +++ /dev/null @@ -1,38 +0,0 @@ -From a1d9b40b4fa2e73d31a53e398c286bffeaae1732 Mon Sep 17 00:00:00 2001 -From: Ronan <ronan.lemartret@iot.bzh> -Date: Wed, 12 Oct 2016 17:48:55 +0200 -Subject: [PATCH 08/14] Fix gcc6 build - -Signed-off-by: ronan <ronan@ot.bzh> ---- - src/client/client-security-manager.cpp | 1 + - src/common/include/privilege_db.h | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp -index 74a6b30..347cddd 100644 ---- a/src/client/client-security-manager.cpp -+++ b/src/client/client-security-manager.cpp -@@ -46,6 +46,7 @@ - #include <service_impl.h> - #include <security-manager.h> - #include <client-offline.h> -+#include <linux/xattr.h> - - static const char *EMPTY = ""; - -diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h -index 4d73d90..08fb9d6 100644 ---- a/src/common/include/privilege_db.h -+++ b/src/common/include/privilege_db.h -@@ -32,6 +32,7 @@ - #include <map> - #include <stdbool.h> - #include <string> -+#include <vector> - - #include <dpl/db/sql_connection.h> - #include <tzplatform_config.h> --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch deleted file mode 100644 index 706eb1a93..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 382379d74221bcc60a0ab70d63430a1c0587b2ec Mon Sep 17 00:00:00 2001 -From: Ronan <ronan.lemartret@iot.bzh> -Date: Thu, 13 Oct 2016 11:37:47 +0200 -Subject: [PATCH 09/14] Fix Cmake conf for gcc6 build - -Signed-off-by: Ronan <ronan.lemartret@iot.bzh> ---- - src/cmd/CMakeLists.txt | 4 +--- - src/server/CMakeLists.txt | 1 - - 2 files changed, 1 insertion(+), 4 deletions(-) - -diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt -index ee9a160..aa7a12c 100644 ---- a/src/cmd/CMakeLists.txt -+++ b/src/cmd/CMakeLists.txt -@@ -1,8 +1,6 @@ - FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options) - --INCLUDE_DIRECTORIES(SYSTEM -- ${Boost_INCLUDE_DIRS} -- ) -+ - - INCLUDE_DIRECTORIES( - ${INCLUDE_PATH} -diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt -index 6849d76..9598037 100644 ---- a/src/server/CMakeLists.txt -+++ b/src/server/CMakeLists.txt -@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED) - - INCLUDE_DIRECTORIES(SYSTEM - ${SERVER_DEP_INCLUDE_DIRS} -- ${Boost_INCLUDE_DIRS} - ${Threads_INCLUDE_DIRS} - ) - --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch deleted file mode 100644 index 0f48c5f68..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 8e93699c0f225716f3cd5eff790270ae9e3880f9 Mon Sep 17 00:00:00 2001 -From: Changhyeok Bae <changhyeok.bae@gmail.com> -Date: Sun, 17 Dec 2017 15:40:58 +0000 -Subject: [PATCH 10/14] gcc-7 requires include <functional> for std::function - -Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> ---- - src/client/client-common.cpp | 1 + - src/common/smack-labels.cpp | 1 + - src/dpl/core/src/binary_queue.cpp | 1 + - 3 files changed, 3 insertions(+) - -diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp -index 883ab8d..1babdf7 100644 ---- a/src/client/client-common.cpp -+++ b/src/client/client-common.cpp -@@ -31,6 +31,7 @@ - #include <sys/xattr.h> - #include <linux/xattr.h> - #include <unistd.h> -+#include <functional> - - #include <dpl/log/log.h> - #include <dpl/serialization.h> -diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp -index 0294a42..1598099 100644 ---- a/src/common/smack-labels.cpp -+++ b/src/common/smack-labels.cpp -@@ -29,6 +29,7 @@ - #include <sys/xattr.h> - #include <linux/xattr.h> - #include <memory> -+#include <functional> - #include <fts.h> - #include <cstring> - #include <string> -diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp -index 72817a6..838409f 100644 ---- a/src/dpl/core/src/binary_queue.cpp -+++ b/src/dpl/core/src/binary_queue.cpp -@@ -26,6 +26,7 @@ - #include <malloc.h> - #include <cstring> - #include <new> -+#include <functional> - - namespace SecurityManager { - BinaryQueue::BinaryQueue() : --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch deleted file mode 100644 index 5c679fc26..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 243b7ffee16558d7cb9b411f49380138efeffca9 Mon Sep 17 00:00:00 2001 -From: Stephane Desneux <stephane.desneux@iot.bzh> -Date: Fri, 1 Feb 2019 12:26:17 +0000 -Subject: [PATCH 11/14] Fix gcc8 warning/error [-Werror=catch-value=] - -Fixes the following warning/error during compile: - -src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=] -| } catch (Exception) { -| ^~~~~~~~~ - -Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh> ---- - src/dpl/core/src/assert.cpp | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp -index 63538a2..fc60ce9 100644 ---- a/src/dpl/core/src/assert.cpp -+++ b/src/dpl/core/src/assert.cpp -@@ -58,7 +58,7 @@ void AssertProc(const char *condition, - INTERNAL_LOG("### Function: " << function); - INTERNAL_LOG( - "################################################################################"); -- } catch (Exception) { -+ } catch (Exception const&) { - // Just ignore possible double errors - } - --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch deleted file mode 100644 index 91ccf9ee2..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 5ee51d38575f289c2bf37ed817ef680ed47bb320 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Fri, 1 Feb 2019 15:37:44 +0100 -Subject: [PATCH 12/14] Avoid casting from "const T&" to "void*" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Latest version of g++ refuse the cast - - reinterpret_cast<void (Service::*)(void*)>(serviceFunction) - -I made no investigation to know if the problem -is coming from the const or not. - -Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - src/server/main/include/service-thread.h | 42 ++++++++++-------------- - 1 file changed, 18 insertions(+), 24 deletions(-) - -diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h -index 964d168..61fdda8 100644 ---- a/src/server/main/include/service-thread.h -+++ b/src/server/main/include/service-thread.h -@@ -94,7 +94,7 @@ public: - Join(); - while (!m_eventQueue.empty()){ - auto front = m_eventQueue.front(); -- delete front.eventPtr; -+ delete front; - m_eventQueue.pop(); - } - } -@@ -104,34 +104,28 @@ public: - Service *servicePtr, - void (Service::*serviceFunction)(const T &)) - { -- EventDescription description; -- description.serviceFunctionPtr = -- reinterpret_cast<void (Service::*)(void*)>(serviceFunction); -- description.servicePtr = servicePtr; -- description.eventFunctionPtr = &ServiceThread::EventCall<T>; -- description.eventPtr = new T(event); -+ EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction); - { - std::lock_guard<std::mutex> lock(m_eventQueueMutex); -- m_eventQueue.push(description); -+ m_eventQueue.push(ec); - } - m_waitCondition.notify_one(); - } - - protected: - -- struct EventDescription { -- void (Service::*serviceFunctionPtr)(void *); -- Service *servicePtr; -- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event); -- GenericEvent* eventPtr; -+ struct EventCallerBase { -+ virtual void fire() = 0; -+ virtual ~EventCallerBase() {} - }; - - template <class T> -- void EventCall(const EventDescription &desc) { -- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr); -- const T& eventLocale = *(static_cast<T*>(desc.eventPtr)); -- (desc.servicePtr->*fun)(eventLocale); -- } -+ struct EventCaller : public EventCallerBase { -+ T *event; Service *target; void (Service::*function)(const T&); -+ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {} -+ ~EventCaller() { delete event; } -+ void fire() { (target->*function)(*event); } -+ }; - - static void ThreadLoopStatic(ServiceThread *ptr) { - ptr->ThreadLoop(); -@@ -139,33 +133,33 @@ protected: - - void ThreadLoop(){ - for (;;) { -- EventDescription description = {NULL, NULL, NULL, NULL}; -+ EventCallerBase *ec = NULL; - { - std::unique_lock<std::mutex> ulock(m_eventQueueMutex); - if (m_quit) - return; - if (!m_eventQueue.empty()) { -- description = m_eventQueue.front(); -+ ec = m_eventQueue.front(); - m_eventQueue.pop(); - } else { - m_waitCondition.wait(ulock); - } - } - -- if (description.eventPtr != NULL) { -+ if (ec != NULL) { - UNHANDLED_EXCEPTION_HANDLER_BEGIN - { -- (this->*description.eventFunctionPtr)(description); -- delete description.eventPtr; -+ ec->fire(); - } - UNHANDLED_EXCEPTION_HANDLER_END -+ delete ec; - } - } - } - - std::thread m_thread; - std::mutex m_eventQueueMutex; -- std::queue<EventDescription> m_eventQueue; -+ std::queue<EventCallerBase*> m_eventQueue; - std::condition_variable m_waitCondition; - - State m_state; --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch deleted file mode 100644 index fb6215923..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch +++ /dev/null @@ -1,259 +0,0 @@ -From 6c96a39ba7a7763ccd47e379dbfd8d376164985f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Mon, 16 Nov 2015 14:26:25 +0100 -Subject: [PATCH 13/14] Removing tizen-platform-config - -Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 ---- - CMakeLists.txt | 16 +++++++- - db/CMakeLists.txt | 2 +- - policy/CMakeLists.txt | 1 + - ...load => security-manager-policy-reload.in} | 4 +- - src/common/file-lock.cpp | 4 +- - src/common/include/file-lock.h | 1 - - src/common/include/privilege_db.h | 3 +- - src/common/service_impl.cpp | 39 ++++++------------- - src/common/smack-rules.cpp | 12 ++---- - 9 files changed, 37 insertions(+), 45 deletions(-) - rename policy/{security-manager-policy-reload => security-manager-policy-reload.in} (94%) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 28790d8..37a43cc 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -49,7 +49,7 @@ ADD_DEFINITIONS("-Wall") # Generate all warnings - ADD_DEFINITIONS("-Wextra") # Generate even more extra warnings - - STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}") --ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"") -+ADD_DEFINITIONS("-DAPI_VERSION=\"${API_VERSION}\"") - - ADD_DEFINITIONS("-DSMACK_ENABLED") - -@@ -58,6 +58,20 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG") - ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG") - ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG") - -+SET(DATADIR "/usr/share/security-manager" CACHE STRING "path to data directory") -+SET(SMACKRULESDIR "/etc/smack/accesses.d" CACHE STRING "path to Smack rules directory") -+SET(LOCKDIR "/var/run/lock" CACHE STRING "path to lock directory") -+SET(DB_INSTALL_DIR "/var/db/security-manager" CACHE STRING "path to database directory") -+SET(DB_FILENAME ".security-manager.db" CACHE STRING "basename of database") -+SET(GLOBALUSER "userapp" CACHE STRING "name of the global user") -+ -+ADD_DEFINITIONS("-DDATADIR=\"${DATADIR}\"") -+ADD_DEFINITIONS("-DSMACKRULESDIR=\"${SMACKRULESDIR}\"") -+ADD_DEFINITIONS("-DLOCKDIR=\"${LOCKDIR}\"") -+ADD_DEFINITIONS("-DDB_INSTALL_DIR=\"${DB_INSTALL_DIR}\"") -+ADD_DEFINITIONS("-DDB_FILENAME=\"${DB_FILENAME}\"") -+ADD_DEFINITIONS("-DGLOBALUSER=\"${GLOBALUSER}\"") -+ - ADD_SUBDIRECTORY(src) - ADD_SUBDIRECTORY(pc) - ADD_SUBDIRECTORY(systemd) -diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt -index 9e8ffcc..d7af1a0 100644 ---- a/db/CMakeLists.txt -+++ b/db/CMakeLists.txt -@@ -1,4 +1,4 @@ --SET(TARGET_DB ".security-manager.db") -+SET(TARGET_DB "$(DB_FILENAME)") - - ADD_CUSTOM_COMMAND( - OUTPUT ${TARGET_DB} ${TARGET_DB}-journal -diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt -index bd08edc..626a2bd 100644 ---- a/policy/CMakeLists.txt -+++ b/policy/CMakeLists.txt -@@ -1,4 +1,5 @@ - FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile) -+CONFIGURE_FILE(security-manager-policy-reload.in security-manager-policy-reload @ONLY) - INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) - INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) - INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) -diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload.in -similarity index 94% -rename from policy/security-manager-policy-reload -rename to policy/security-manager-policy-reload.in -index 6f211c6..c1bc4e2 100755 ---- a/policy/security-manager-policy-reload -+++ b/policy/security-manager-policy-reload.in -@@ -1,8 +1,8 @@ - #!/bin/sh -e - --POLICY_PATH=/usr/share/security-manager/policy -+POLICY_PATH=@DATADIR@/policy - PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list --DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db -+DB_FILE=@DB_INSTALL_DIR@/@DB_FILENAME@ - - # Create default buckets - while read bucket default_policy -diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp -index 6f3996c..88d2092 100644 ---- a/src/common/file-lock.cpp -+++ b/src/common/file-lock.cpp -@@ -30,9 +30,7 @@ - - namespace SecurityManager { - --char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, -- "lock", -- "security-manager.lock"); -+char const * const SERVICE_LOCK_FILE = LOCKDIR "/security-manager.lock"; - - FileLocker::FileLocker(const std::string &lockFile, bool blocking) - { -diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h -index 604b019..21a86a0 100644 ---- a/src/common/include/file-lock.h -+++ b/src/common/include/file-lock.h -@@ -29,7 +29,6 @@ - - #include <dpl/exception.h> - #include <dpl/noncopyable.h> --#include <tzplatform_config.h> - - namespace SecurityManager { - -diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h -index 08fb9d6..3344987 100644 ---- a/src/common/include/privilege_db.h -+++ b/src/common/include/privilege_db.h -@@ -35,14 +35,13 @@ - #include <vector> - - #include <dpl/db/sql_connection.h> --#include <tzplatform_config.h> - - #ifndef PRIVILEGE_DB_H_ - #define PRIVILEGE_DB_H_ - - namespace SecurityManager { - --const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); -+const char *const PRIVILEGE_DB_PATH = DB_INSTALL_DIR "/" DB_FILENAME; - - enum class QueryType { - EGetPkgPrivileges, -diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp -index ae305d3..42150fe 100644 ---- a/src/common/service_impl.cpp -+++ b/src/common/service_impl.cpp -@@ -32,7 +32,6 @@ - #include <algorithm> - - #include <dpl/log/log.h> --#include <tzplatform_config.h> - - #include "protocols.h" - #include "privilege_db.h" -@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, - - static uid_t getGlobalUserId(void) - { -- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); -+ static uid_t globaluid = 0; -+ if (!globaluid) { -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwnam_r(GLOBALUSER, &pw, buf, sizeof buf, &p); -+ globaluid = (rc || p == NULL) ? 555 : p->pw_uid; -+ } - return globaluid; - } - -@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) - - static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) - { -- struct tzplatform_context *tz_ctx = nullptr; -- -- if (tzplatform_context_create(&tz_ctx)) -- return false; -- -- if (tzplatform_context_set_user(tz_ctx, uid)) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); -+ if (rc || p == NULL) - return false; -- } -- -- enum tzplatform_variable id = -- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP; -- const char *appDir = tzplatform_context_getenv(tz_ctx, id); -- if (!appDir) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- return false; -- } -- -- userAppDir = appDir; -- -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- -+ userAppDir = p->pw_dir; - return true; - } - - static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) - { -- std::string userHome; - std::string userAppDir; - std::stringstream correctPath; - -diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp -index 922a56f..c2e0041 100644 ---- a/src/common/smack-rules.cpp -+++ b/src/common/smack-rules.cpp -@@ -34,7 +34,6 @@ - #include <memory> - - #include <dpl/log/log.h> --#include <tzplatform_config.h> - - #include "smack-labels.h" - #include "smack-rules.h" -@@ -43,7 +42,7 @@ namespace SecurityManager { - - const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; - const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; --const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); -+const char *const APP_RULES_TEMPLATE_FILE_PATH = DATADIR "/policy/app-rules-template.smack"; - const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; - - SmackRules::SmackRules() -@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon - - std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); -- return path; -+ return SMACKRULESDIR "/pkg_" + pkgId; - } - - std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); -- return path; -+ return SMACKRULESDIR "/app_" + appId; - } - void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, - const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) -@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con - for (auto privilege : privileges) { - if (privilege.empty()) - continue; -- std::string fprivilege ( privilege + "-template.smack"); -- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); -+ std::string path = DATADIR "/policy/" + privilege + "-template.smack"; - if( stat(path.c_str(), &buffer) == 0) - smackRules.addFromTemplateFile(appId, pkgId, path); - } --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch deleted file mode 100644 index 542a387d2..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch +++ /dev/null @@ -1,78 +0,0 @@ -From c7f9d14e38a1b6d40b2fffa01433a3025eff9abd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Tue, 26 Nov 2019 12:34:39 +0100 -Subject: [PATCH 14/14] Ensure post install initialization of database -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Creation of the database was made during image creation, -leading to issue with SOTA. This adds the creation on -need before launching the service. - -Change-Id: Idfd0676bd87d39f7c10eaafd63f3a318f675c972 -Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - db/CMakeLists.txt | 14 ++++++-------- - db/security-manager-setup | 14 ++++++++++++++ - systemd/security-manager.service.in | 1 + - 3 files changed, 21 insertions(+), 8 deletions(-) - create mode 100644 db/security-manager-setup - -diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt -index d7af1a0..dcf5bc8 100644 ---- a/db/CMakeLists.txt -+++ b/db/CMakeLists.txt -@@ -1,12 +1,10 @@ --SET(TARGET_DB "$(DB_FILENAME)") -- - ADD_CUSTOM_COMMAND( -- OUTPUT ${TARGET_DB} ${TARGET_DB}-journal -- COMMAND sqlite3 ${TARGET_DB} <db.sql -- ) -+ OUTPUT .security-manager-setup -+ COMMAND sed '/--DB\.SQL--/r db.sql' security-manager-setup > .security-manager-setup -+ DEPENDS security-manager-setup db.sql -+) - - # Add a dummy build target to trigger building of ${TARGET_DB} --ADD_CUSTOM_TARGET(DB ALL DEPENDS ${TARGET_DB}) -+ADD_CUSTOM_TARGET(DB ALL DEPENDS .security-manager-setup) - --INSTALL(FILES ${TARGET_DB} DESTINATION ${DB_INSTALL_DIR}) --INSTALL(FILES ${TARGET_DB}-journal DESTINATION ${DB_INSTALL_DIR}) -+INSTALL(PROGRAMS .security-manager-setup DESTINATION ${BIN_INSTALL_DIR}) -diff --git a/db/security-manager-setup b/db/security-manager-setup -new file mode 100644 -index 0000000..5675baf ---- /dev/null -+++ b/db/security-manager-setup -@@ -0,0 +1,14 @@ -+#!/bin/sh -+ -+if test -f "$1"; then exit; fi -+set -e -+dbdir="$(dirname "$1")" -+dbfile="$(basename "$1")" -+test -n "$dbfile" -+test -n "$dbdir" -+mkdir -p "$dbdir" -+cd "$dbdir" -+sqlite3 "$dbfile" << END-OF-CAT -+--DB.SQL-- -+END-OF-CAT -+ -diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in -index 23fd1b2..2bf97d7 100644 ---- a/systemd/security-manager.service.in -+++ b/systemd/security-manager.service.in -@@ -3,5 +3,6 @@ Description=Start the security manager - - [Service] - Type=notify -+ExecStartPre=@BIN_INSTALL_DIR@/.security-manager-setup @DB_INSTALL_DIR@/@DB_FILENAME@ - ExecStart=@BIN_INSTALL_DIR@/security-manager - Sockets=security-manager.socket --- -2.21.0 - diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch deleted file mode 100644 index d9949193b..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 7cffcd61378a9d7c0e7db5691b2da3a37448c969 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Thu, 30 Jan 2020 09:19:25 +0100 -Subject: [PATCH 15/15] Restrict socket accesses -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Ensure that only members of the group and the owner can access -the security manager. - -Bug-AGL: SPEC-3146 - -Change-Id: I68ce6523db4bfd4707c3680555c3cb0cf8858ef2 -Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - systemd/security-manager.socket | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket -index af1c1da..b401f77 100644 ---- a/systemd/security-manager.socket -+++ b/systemd/security-manager.socket -@@ -1,6 +1,6 @@ - [Socket] - ListenStream=/run/security-manager.socket --SocketMode=0777 -+SocketMode=0660 - SmackLabelIPIn=* - SmackLabelIPOut=@ - --- -2.21.1 - |