diff options
Diffstat (limited to 'meta-app-framework/recipes-security')
32 files changed, 1830 insertions, 4 deletions
diff --git a/meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch b/meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch new file mode 100644 index 000000000..6e1827c08 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch @@ -0,0 +1,42 @@ +From df878b92e01f4d1c3de7f7d8229cea6a431509eb Mon Sep 17 00:00:00 2001 +From: Mingli Yu <mingli.yu@windriver.com> +Date: Wed, 19 Feb 2020 15:23:40 +0800 +Subject: [PATCH] lib/i386_table.h: add new syscall + +On 32bit system, +After upgrade glibc to 2.31 + # strace -o /tmp/test.log date -s 09:16:45 + # tail -f /tmp/test.log + close(3) = 0 + stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=114, ...}) = 0 + clock_settime64(CLOCK_REALTIME, {tv_sec=1582103805, tv_nsec=0}) = 0 + fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x4, 0x40), ...}) = 0 + ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0 + write(1, "Wed Feb 19 09:16:45 UTC 2020\n", 29) = 29 + close(1) = 0 + close(2) = 0 + exit_group(0) = ? + +++ exited with 0 +++ + +It means the clock_settime64 syscall is used, so +add the syscall. + +Upstream-Status: Submitted [https://github.com/linux-audit/audit-userspace/pull/116] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/i386_table.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/i386_table.h b/lib/i386_table.h +index 1a64c88..65fd4d9 100644 +--- a/lib/i386_table.h ++++ b/lib/i386_table.h +@@ -405,3 +405,4 @@ _S(383, "statx") + _S(384, "arch_prctl") + _S(385, "io_pgetevents") + _S(386, "rseq") ++_S(404, "clock_settime64") +-- +2.7.4 + diff --git a/meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch new file mode 100644 index 000000000..bb6c61e80 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch @@ -0,0 +1,133 @@ +From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001 +From: Steve Grubb <sgrubb@redhat.com> +Date: Tue, 26 Feb 2019 18:33:33 -0500 +Subject: [PATCH] Add substitue functions for strndupa & rawmemchr + +Upstream-Status: Backport +[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e] +--- + auparse/auparse.c | 12 +++++++++++- + auparse/interpret.c | 9 ++++++++- + configure.ac | 14 +++++++++++++- + src/ausearch-lol.c | 12 +++++++++++- + 4 files changed, 43 insertions(+), 4 deletions(-) + +diff --git a/auparse/auparse.c b/auparse/auparse.c +index 650db02..2e1c737 100644 +--- a/auparse/auparse.c ++++ b/auparse/auparse.c +@@ -1,5 +1,5 @@ + /* auparse.c -- +- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina. ++ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or +@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e) + return 0; + } + ++#ifndef HAVE_STRNDUPA ++static inline char *strndupa(const char *old, size_t n) ++{ ++ size_t len = strnlen(old, n); ++ char *tmp = alloca(len + 1); ++ tmp[len] = 0; ++ return memcpy(tmp, old, len); ++} ++#endif ++ + /* Returns 0 on success and 1 on error */ + static int extract_timestamp(const char *b, au_event_t *e) + { +diff --git a/auparse/interpret.c b/auparse/interpret.c +index 51c4a5e..67b7b77 100644 +--- a/auparse/interpret.c ++++ b/auparse/interpret.c +@@ -853,6 +853,13 @@ err_out: + return print_escaped(id->val); + } + ++// rawmemchr is faster. Let's use it if we have it. ++#ifdef HAVE_RAWMEMCHR ++#define STRCHR rawmemchr ++#else ++#define STRCHR strchr ++#endif ++ + static const char *print_proctitle(const char *val) + { + char *out = (char *)print_escaped(val); +@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val) + // Proctitle has arguments separated by NUL bytes + // We need to write over the NUL bytes with a space + // so that we can see the arguments +- while ((ptr = rawmemchr(ptr, '\0'))) { ++ while ((ptr = STRCHR(ptr, '\0'))) { + if (ptr >= end) + break; + *ptr = ' '; +diff --git a/configure.ac b/configure.ac +index 54bdbf1..aef07fb 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1,7 +1,7 @@ + dnl + define([AC_INIT_NOTICE], + [### Generated automatically using autoconf version] AC_ACVERSION [ +-### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com> ++### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com> + ### + ### Permission is hereby granted, free of charge, to any person obtaining a + ### copy of this software and associated documentation files (the "Software"), +@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote + AC_CHECK_FUNCS([posix_fallocate]) + dnl; signalfd is needed for libev + AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ]) ++dnl; check if rawmemchr is available ++AC_CHECK_FUNCS([rawmemchr]) ++dnl; check if strndupa is available ++AC_LINK_IFELSE( ++ [AC_LANG_SOURCE( ++ [[ ++ #define _GNU_SOURCE ++ #include <string.h> ++ int main() { (void) strndupa("test", 10); return 0; }]])], ++ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])], ++ [] ++) + + ALLWARNS="" + ALLDEBUG="-g" +diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c +index 5d17a72..758c33e 100644 +--- a/src/ausearch-lol.c ++++ b/src/ausearch-lol.c +@@ -1,6 +1,6 @@ + /* + * ausearch-lol.c - linked list of linked lists library +-* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina. ++* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the +@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2) + return 0; + } + ++#ifndef HAVE_STRNDUPA ++static inline char *strndupa(const char *old, size_t n) ++{ ++ size_t len = strnlen(old, n); ++ char *tmp = alloca(len + 1); ++ tmp[len] = 0; ++ return memcpy(tmp, old, len); ++} ++#endif ++ + /* + * This function will look at the line and pick out pieces of it. + */ +-- +2.7.4 + diff --git a/meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch new file mode 100644 index 000000000..7c2699540 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch @@ -0,0 +1,57 @@ +From a07271f1cce82122610b622bcea4a8a37528f321 Mon Sep 17 00:00:00 2001 +From: Li xin <lixin.fnst@cn.fujitsu.com> +Date: Sun, 19 Jul 2015 02:42:58 +0900 +Subject: [PATCH] audit: Fixed swig host contamination issue + +The audit build uses swig to generate a python wrapper. +Unfortunately, the swig info file references host include +directories. Some of these were previously noticed and +eliminated, but the one fixed here was not. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com> +Signed-off-by: Joe Slater <jslater@windriver.com> +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + bindings/swig/python3/Makefile.am | 3 ++- + bindings/swig/src/auditswig.i | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am +index 9938418..fa46aac 100644 +--- a/bindings/swig/python3/Makefile.am ++++ b/bindings/swig/python3/Makefile.am +@@ -22,6 +22,7 @@ + CONFIG_CLEAN_FILES = *.loT *.rej *.orig + AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS) + AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES) ++STDINC ?= /usr/include + LIBS = $(top_builddir)/lib/libaudit.la + SWIG_FLAGS = -python -py3 -modern + SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES) +@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi + _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la + nodist__audit_la_SOURCES = audit_wrap.c + audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i +- swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} ${srcdir}/../src/auditswig.i ++ swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) ${srcdir}/../src/auditswig.i + + CLEANFILES = audit.py* audit_wrap.c *~ + +diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i +index 7ebb373..424fb68 100644 +--- a/bindings/swig/src/auditswig.i ++++ b/bindings/swig/src/auditswig.i +@@ -39,7 +39,7 @@ signed + #define __attribute(X) /*nothing*/ + typedef unsigned __u32; + typedef unsigned uid_t; +-%include "/usr/include/linux/audit.h" ++%include "linux/audit.h" + #define __extension__ /*nothing*/ + #include <stdint.h> + %include "../lib/libaudit.h" +-- +2.7.4 + diff --git a/meta-app-framework/recipes-security/audit/audit/audit-volatile.conf b/meta-app-framework/recipes-security/audit/audit/audit-volatile.conf new file mode 100644 index 000000000..9cbe1547a --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/audit-volatile.conf @@ -0,0 +1 @@ +d /var/log/audit 0750 root root - diff --git a/meta-app-framework/recipes-security/audit/audit/auditd b/meta-app-framework/recipes-security/audit/audit/auditd new file mode 100755 index 000000000..cda2e43d4 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/auditd @@ -0,0 +1,153 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: auditd +# Required-Start: $local_fs +# Required-Stop: $local_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Audit Daemon +# Description: Collects audit information from Linux 2.6 Kernels. +### END INIT INFO + +# Author: Philipp Matthias Hahn <pmhahn@debian.org> +# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init + +# June, 2012: Adopted for yocto <amy.fong@windriver.com> + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/bin:/usr/sbin:/usr/bin +DESC="audit daemon" +NAME=auditd +DAEMON=/sbin/auditd +PIDFILE=/var/run/"$NAME".pid +SCRIPTNAME=/etc/init.d/"$NAME" + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME" + +. /etc/default/rcS + +. /etc/init.d/functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \ + || return 1 + start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \ + $EXTRAOPTIONS \ + || return 2 + if [ -f /etc/audit/audit.rules ] + then + /sbin/auditctl -R /etc/audit/audit.rules >/dev/null + fi +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME" + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f "$PIDFILE" + rm -f /var/run/audit_events + # Remove watches so shutdown works cleanly + case "$AUDITD_CLEAN_STOP" in + no|NO) ;; + *) /sbin/auditctl -D >/dev/null ;; + esac + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +if [ ! -e /var/log/audit ]; then + mkdir -p /var/log/audit + [ -x /sbin/restorecon ] && /sbin/restorecon -F /var/log/audit +fi + +case "$1" in + start) + [ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && echo 0 ;; + 2) [ "$VERBOSE" != no ] && echo 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && echo 0 ;; + 2) [ "$VERBOSE" != no ] && echo 1 ;; + esac + ;; + reload|force-reload) + echo "Reloading $DESC" "$NAME" + do_reload + echo $? + ;; + restart) + echo "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) echo 0 ;; + 1) echo 1 ;; # Old process is still running + *) echo 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + echo 1 + ;; + esac + ;; + rotate) + echo "Rotating $DESC logs" "$NAME" + start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME" + echo $? + ;; + status) + pidofproc "$DAEMON" >/dev/null + status=$? + if [ $status -eq 0 ]; then + echo "$NAME is running." + else + echo "$NAME is not running." + fi + exit $status + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2 + exit 3 + ;; +esac + +: diff --git a/meta-app-framework/recipes-security/audit/audit/auditd.service b/meta-app-framework/recipes-security/audit/audit/auditd.service new file mode 100644 index 000000000..ebc079897 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit/auditd.service @@ -0,0 +1,20 @@ +[Unit] +Description=Security Auditing Service +DefaultDependencies=no +After=local-fs.target +Conflicts=shutdown.target +Before=sysinit.target shutdown.target +After=systemd-tmpfiles-setup.service + +[Service] +ExecStart=/sbin/auditd -n +## To use augenrules, copy this file to /etc/systemd/system/auditd.service +## and uncomment the next line and delete/comment out the auditctl line. +## Then copy existing rules to /etc/audit/rules.d/ +## Not doing this last step can cause loss of existing rules +#ExecStartPost=-/sbin/augenrules --load +ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/meta-app-framework/recipes-security/audit/audit_2.8.5.bb b/meta-app-framework/recipes-security/audit/audit_2.8.5.bb new file mode 100644 index 000000000..af36ed5e2 --- /dev/null +++ b/meta-app-framework/recipes-security/audit/audit_2.8.5.bb @@ -0,0 +1,106 @@ +SUMMARY = "User space tools for kernel auditing" +DESCRIPTION = "The audit package contains the user space utilities for \ +storing and searching the audit records generated by the audit subsystem \ +in the Linux kernel." +HOMEPAGE = "http://people.redhat.com/sgrubb/audit/" +SECTION = "base" +LICENSE = "GPLv2+ & LGPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" + +SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \ + file://Add-substitue-functions-for-strndupa-rawmemchr.patch \ + file://Fixed-swig-host-contamination-issue.patch \ + file://0001-lib-i386_table.h-add-new-syscall.patch \ + file://auditd \ + file://auditd.service \ + file://audit-volatile.conf \ +" + +S = "${WORKDIR}/git" +SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c" + +inherit autotools python3native update-rc.d systemd + +UPDATERCPN = "auditd" +INITSCRIPT_NAME = "auditd" +INITSCRIPT_PARAMS = "defaults" + +SYSTEMD_PACKAGES = "auditd" +SYSTEMD_SERVICE_auditd = "auditd.service" + +DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native" + +EXTRA_OECONF += "--without-prelude \ + --with-libwrap \ + --enable-gssapi-krb5=no \ + --with-libcap-ng=yes \ + --with-python3=yes \ + --libdir=${base_libdir} \ + --sbindir=${base_sbindir} \ + --without-python \ + --without-golang \ + --disable-zos-remote \ + " +EXTRA_OECONF_append_arm = " --with-arm=yes" +EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes" + +EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ + PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ + pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ + STDINC='${STAGING_INCDIR}' \ + pkgconfigdir=${libdir}/pkgconfig \ + " + +SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher" +DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \ +interface to the audit system, audispd. These plugins can do things \ +like relay events to remote machines or analyze events for suspicious \ +behavior." + +PACKAGES =+ "audispd-plugins" +PACKAGES += "auditd ${PN}-python" + +FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*" +FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*" +FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \ + ${sysconfdir}/audisp/plugins.d/au-remote.conf \ + ${sbindir}/audisp-remote ${localstatedir}/spool/audit \ + " +FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" +FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" + +CONFFILES_auditd += "${sysconfdir}/audit/audit.rules" +RDEPENDS_auditd += "bash" + +do_install_append() { + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la + + # reuse auditd config + [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default + mv ${D}/etc/sysconfig/auditd ${D}/etc/default + rmdir ${D}/etc/sysconfig/ + + # replace init.d + install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd + rm -rf ${D}/etc/rc.d + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d/ + install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ + fi + + # install systemd unit files + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system + + # audit-2.5 doesn't install any rules by default, so we do that here + mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d + cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules + + chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d + chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules + + # Based on the audit.spec "Copy default rules into place on new installation" + cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules +} diff --git a/meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb b/meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb new file mode 100644 index 000000000..c77c99189 --- /dev/null +++ b/meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb @@ -0,0 +1,23 @@ +DESCRIPTION = "OAuth server using cynagora backend" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" + +SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagoauth.git;protocol=https;branch=${AGL_BRANCH}" +SRCREV = "26a5dbddf3a9bfde481a6fcd2aae16c7ecba665f" +PV = "0.1+git${SRCPV}" + +S = "${WORKDIR}/git" + +DEPENDS = "json-c libmicrohttpd openssl cynagora" + +inherit cmake + +EXTRA_OECMAKE += " \ + -DDEFAULTHOSTS=:7777 \ + -DDEFAULTURL=http://localhost:7777/tok \ + -DUNITDIR_SYSTEM=${systemd_system_unitdir} \ +" + +FILES_${PN} += "${systemd_system_unitdir}" + + diff --git a/meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb b/meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb new file mode 100644 index 000000000..f146051cd --- /dev/null +++ b/meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb @@ -0,0 +1,30 @@ +DESCRIPTION = "Cynara service with client libraries" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57" + +SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}" +SRCREV = "7d7907651c42c5c32deabc17b639e0e1765eae60" +PV = "2.1+git${SRCPV}" + +S = "${WORKDIR}/git" + +inherit cmake + +PROVIDES = "cynara" +RPROVIDES_${PN} = "cynara" +DEPENDS = "libcap" +RDEPENDS_${PN} = "cynagora" + +EXTRA_OECMAKE += " \ + -DWITH_SYSTEMD=OFF \ + -DWITH_CYNARA_COMPAT=ON \ + -DDIRECT_CYNARA_COMPAT=ON \ +" + +do_install_append() { + # remove cynagora stuff + rm $(find ${D} -name '*cynagora*') + # remove stupid test + rm -r ${D}${bindir} +} + diff --git a/meta-app-framework/recipes-security/cynagora/cynagora/run-ptest b/meta-app-framework/recipes-security/cynagora/cynagora/run-ptest new file mode 100755 index 000000000..f95f0725b --- /dev/null +++ b/meta-app-framework/recipes-security/cynagora/cynagora/run-ptest @@ -0,0 +1,4 @@ +#!/bin/sh + +# test access to cynagora server +cynagora-admin list > /dev/null diff --git a/meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb b/meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb new file mode 100644 index 000000000..73f2f0949 --- /dev/null +++ b/meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb @@ -0,0 +1,38 @@ +DESCRIPTION = "Cynagora service and client libraries" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57" + +SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}" +SRCREV = "7d7907651c42c5c32deabc17b639e0e1765eae60" +PV = "2.1+git${SRCPV}" + +S = "${WORKDIR}/git" + +DEPENDS = "systemd libcap" + +inherit cmake + +EXTRA_OECMAKE += " \ + -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \ + -DWITH_SYSTEMD=ON \ + -DWITH_CYNARA_COMPAT=OFF \ +" + +inherit useradd +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "-r cynagora" +USERADD_PARAM_${PN} = "\ +--system --home ${localstatedir}/lib/empty \ +--no-create-home --shell /bin/false \ +--gid cynagora cynagora \ +" + +FILES_${PN} += "${systemd_system_unitdir}" + +PACKAGES =+ "${PN}-tools" +FILES_${PN}-tools += "${bindir}/cynagora-admin ${bindir}/cynagora-agent" +RDEPENDS_${PN}_append_agl-devel = " ${PN}-tools" + +inherit ptest +SRC_URI_append = " file://run-ptest" +RDEPENDS_${PN}-ptest_append = " ${PN}-tools" diff --git a/meta-app-framework/recipes-security/security-manager/security-manager.inc b/meta-app-framework/recipes-security/security-manager/security-manager.inc new file mode 100644 index 000000000..e1d1f4011 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager.inc @@ -0,0 +1,83 @@ +DESCRIPTION = "Security manager and utilities" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3" + +inherit cmake + +B = "${S}" + +DEPENDS = " \ + attr \ + boost \ + cynara \ + icu \ + libcap \ + smack \ + sqlite3 \ + systemd \ +" + +PACKAGECONFIG ??= "" +PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE" + +TZ_SYS_DB ?= "/var/db/security-manager" + +EXTRA_OECMAKE = " \ + -DCMAKE_VERBOSE_MAKEFILE=ON \ + -DVERSION=${PV} \ + -DSYSTEMD_INSTALL_DIR=${systemd_unitdir}/system \ + -DBIN_INSTALL_DIR=${bindir} \ + -DDB_INSTALL_DIR=${TZ_SYS_DB} \ + -DLIB_INSTALL_DIR=${libdir} \ + -DSHARE_INSTALL_PREFIX=${datadir} \ + -DINCLUDE_INSTALL_DIR=${includedir} \ +" + +inherit systemd +SYSTEMD_SERVICE_${PN} = "security-manager.service" + +inherit features_check +REQUIRED_DISTRO_FEATURES += "smack" + +# The upstream source code contains the Tizen-specific policy configuration files. +# To replace them, create a security-manager.bbappend and set the following variable to a +# space-separated list of policy file names (not URIs!), for example: +# SECURITY_MANAGER_POLICY = "privilege-group.list usertype-system.profile" +# +# Leave it empty to use the upstream Tizen policy. +SECURITY_MANAGER_POLICY ?= "" +SRC_URI_append = " ${@' '.join(['file://' + x for x in d.getVar('SECURITY_MANAGER_POLICY', True).split()])}" +python do_patch_append () { + import os + import shutil + import glob + files = d.getVar('SECURITY_MANAGER_POLICY', True).split() + if files: + s = d.getVar('S', True) + workdir = d.getVar('WORKDIR', True) + for pattern in ['*.profile', '*.list']: + for old_file in glob.glob(s + '/policy/' + pattern): + os.unlink(old_file) + for file in files: + shutil.copy(file, s + '/policy') +} + +do_install_append () { + install -d ${D}/${systemd_unitdir}/system/multi-user.target.wants + ln -s ../security-manager.service ${D}/${systemd_unitdir}/system/multi-user.target.wants/security-manager.service + install -d ${D}/${systemd_unitdir}/system/sockets.target.wants + ln -s ../security-manager.socket ${D}/${systemd_unitdir}/system/sockets.target.wants/security-manager.socket +} + +RDEPENDS_${PN} += "sqlite3 cynara" +FILES_${PN} += " \ + ${systemd_unitdir} \ + ${TZ_SYS_DB} \ + ${bindir}/.security-manager-setup \ +" + +PACKAGES =+ "${PN}-policy" +FILES_${PN}-policy = " \ + ${datadir}/${PN} \ + ${bindir}/security-manager-policy-reload \ +" diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch new file mode 100644 index 000000000..4c91f7fa3 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch @@ -0,0 +1,50 @@ +From 935e4e4e746b5ffcda80c80097dc75c2581c1a89 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Wed, 19 Oct 2016 13:45:54 +0200 +Subject: [PATCH] Adapt rules to AGL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AGL distribution uses the repository https://github.com/01org/meta-intel-iot-security.git +as basis for the integration of security framework. The security framework +that it provides is an evolution of the security framework of tizen refited +to the distribution Ostro of Intel. This refit took the decision to simplify +the model by removing the running label "User". More can be viewed here: +https://github.com/01org/meta-intel-iot-security/pull/116 + +This commits adapt the template to the rules that are now needed +after this evolution. + +It also integrates one other evolutions: the shared label becomes User::App-Shared instead +of User::App::Shared to avoid collision with application of id "Shared". + +Change-Id: Ieb566b63f8c8e691b5f75e06499a3b576d042546 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + policy/app-rules-template.smack | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack +index 1311169..b4cd2e3 100644 +--- a/policy/app-rules-template.smack ++++ b/policy/app-rules-template.smack +@@ -1,12 +1,10 @@ +-System ~APP~ rwx ++System ~APP~ rwxa ++System ~PKG~ rwxat + ~APP~ System wx + ~APP~ System::Shared rx + ~APP~ System::Run rwxat + ~APP~ System::Log rwxa + ~APP~ _ l +-User ~APP~ rwxa +-User ~PKG~ rwxat +-~APP~ User wx + ~APP~ User::Home rxl +-~APP~ User::App::Shared rwxat ++~APP~ User::App-Shared rwxat + ~APP~ ~PKG~ rwxat +-- +2.7.4 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch new file mode 100644 index 000000000..91ce81963 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch @@ -0,0 +1,47 @@ +From 3d9d1d83fe298a364f51ad752c17aad461beded3 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Tue, 24 Mar 2015 04:54:03 -0700 +Subject: [PATCH 01/14] systemd: stop using compat libs + +libsystemd-journal and libsystemd-daemon are considered obsolete +in systemd since 2.09 and may not be available (not compiled +by default). + +The code works fine with the current libsystemd, so just +use that. + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 +--- + src/common/CMakeLists.txt | 2 +- + src/server/CMakeLists.txt | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt +index 2da9c3e..968c7c1 100644 +--- a/src/common/CMakeLists.txt ++++ b/src/common/CMakeLists.txt +@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2) + + PKG_CHECK_MODULES(COMMON_DEP + REQUIRED +- libsystemd-journal ++ libsystemd + libsmack + db-util + cynara-admin +diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt +index 753eb96..6849d76 100644 +--- a/src/server/CMakeLists.txt ++++ b/src/server/CMakeLists.txt +@@ -1,6 +1,6 @@ + PKG_CHECK_MODULES(SERVER_DEP + REQUIRED +- libsystemd-daemon ++ libsystemd + ) + + FIND_PACKAGE(Boost REQUIRED) +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch new file mode 100644 index 000000000..b6346480b --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch @@ -0,0 +1,36 @@ +From a90515613f09140049b2bdf471fa83d5dd7bad1c Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 19 Aug 2015 15:02:32 +0200 +Subject: [PATCH 02/14] security-manager-policy-reload: do not depend on GNU + sed + +\U (= make replacement uppercase) is a GNU sed extension which is not +supported by other sed implementation's (like the one from +busybox). When using busybox, the bucket for user profiles became +USER_TYPE_Uadmin instead USER_TYPE_ADMIN. + +To make SecurityManager more portable, better use tr to turn the +bucket name into uppercase. + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 +--- + policy/security-manager-policy-reload | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload +index 274c49c..6f211c6 100755 +--- a/policy/security-manager-policy-reload ++++ b/policy/security-manager-policy-reload +@@ -33,7 +33,7 @@ END + find "$POLICY_PATH" -name "usertype-*.profile" | + while read file + do +- bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`" ++ bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`" + + # Re-create the bucket with empty contents + cyad --delete-bucket=$bucket || true +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch new file mode 100644 index 000000000..d79345e01 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch @@ -0,0 +1,117 @@ +From a80e33bc0a10fa4bed5d0b7bf29f45dd2565d309 Mon Sep 17 00:00:00 2001 +From: Alejandro Joya <alejandro.joya.cruz@intel.com> +Date: Wed, 4 Nov 2015 19:01:35 -0600 +Subject: [PATCH 03/14] Smack-rules: create two new functions + +It let to smack-rules to create multiple set of rules +related with the privileges. + +It runs from the same bases than for a static set of rules on the +template, but let you add 1 or many templates for different cases. + +Change-Id: I14f8d4e914ad5a7ba34c96f3cb5589f0b15292de +Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com> +--- + src/common/include/smack-rules.h | 15 +++++++++++ + src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++ + 2 files changed, 59 insertions(+) + +diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h +index 91446a7..3ad9dd4 100644 +--- a/src/common/include/smack-rules.h ++++ b/src/common/include/smack-rules.h +@@ -47,6 +47,8 @@ public: + void addFromTemplate(const std::vector<std::string> &templateRules, + const std::string &appId, const std::string &pkgId); + void addFromTemplateFile(const std::string &appId, const std::string &pkgId); ++ void addFromTemplateFile(const std::string &appId, const std::string &pkgId, ++ const std::string &path); + + void apply() const; + void clear() const; +@@ -74,6 +76,19 @@ public: + */ + static void installApplicationRules(const std::string &appId, const std::string &pkgId, + const std::vector<std::string> &pkgContents); ++ /** ++ * Install privileges-specific smack rules. ++ * ++ * Function creates smack rules using predefined template. Rules are applied ++ * to the kernel and saved on persistent storage so they are loaded on system boot. ++ * ++ * @param[in] appId - application id that is beeing installed ++ * @param[in] pkgId - package id that the application is in ++ * @param[in] pkgContents - a list of all applications in the package ++ * @param[in] privileges - a list of all prvileges ++ */ ++ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, ++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges); + /** + * Uninstall package-specific smack rules. + * +diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp +index 3629e0f..922a56f 100644 +--- a/src/common/smack-rules.cpp ++++ b/src/common/smack-rules.cpp +@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const + } + } + ++void SmackRules::addFromTemplateFile(const std::string &appId, ++ const std::string &pkgId, const std::string &path) ++{ ++ std::vector<std::string> templateRules; ++ std::string line; ++ std::ifstream templateRulesFile(path); ++ ++ if (!templateRulesFile.is_open()) { ++ LogError("Cannot open rules template file: " << path); ++ ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path); ++ } ++ ++ while (std::getline(templateRulesFile, line)) { ++ templateRules.push_back(line); ++ } ++ ++ if (templateRulesFile.bad()) { ++ LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); ++ ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); ++ } ++ ++ addFromTemplate(templateRules, appId, pkgId); ++} + + void SmackRules::addFromTemplateFile(const std::string &appId, + const std::string &pkgId) +@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) + std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); + return path; + } ++void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, ++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) ++{ ++ SmackRules smackRules; ++ std::string appPath = getApplicationRulesFilePath(appId); ++ smackRules.loadFromFile(appPath); ++ struct stat buffer; ++ for (auto privilege : privileges) { ++ if (privilege.empty()) ++ continue; ++ std::string fprivilege ( privilege + "-template.smack"); ++ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); ++ if( stat(path.c_str(), &buffer) == 0) ++ smackRules.addFromTemplateFile(appId, pkgId, path); ++ } ++ ++ if (smack_smackfs_path() != NULL) ++ smackRules.apply(); + ++ smackRules.saveToFile(appPath); ++ updatePackageRules(pkgId, pkgContents); ++} + void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId, + const std::vector<std::string> &pkgContents) + { +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch new file mode 100644 index 000000000..59d4971ff --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch @@ -0,0 +1,34 @@ +From a5979d9d674e400ecd7fcdf5d7589cfa0cfeb492 Mon Sep 17 00:00:00 2001 +From: Alejandro Joya <alejandro.joya.cruz@intel.com> +Date: Wed, 4 Nov 2015 19:06:23 -0600 +Subject: [PATCH 04/14] app-install: implement multiple set of smack-rules + +If it's need it could create load multiple set of smack rules +related with the privileges. +It wouldn't affect the case that only the default set of rules is need it. + +Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com> +--- + src/common/service_impl.cpp | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp +index 7fd621c..ae305d3 100644 +--- a/src/common/service_impl.cpp ++++ b/src/common/service_impl.cpp +@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid) + LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " + << req.pkgId << ". Applications in package: " << pkgContents.size()); + SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents); ++ /*Setup for privileges custom rules*/ ++ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " ++ << req.pkgId << ". Applications in package: " << pkgContents.size() ++ << " and Privileges"); ++ SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId, ++ pkgContents,req.privileges); + } catch (const SmackException::Base &e) { + LogError("Error while applying Smack policy for application: " << e.DumpToString()); + return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED; +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch new file mode 100644 index 000000000..0739f28c7 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch @@ -0,0 +1,32 @@ +From 198ba9b9782fda19803e94d2afeff91189ac27af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net> +Date: Wed, 13 Jan 2016 17:30:06 +0100 +Subject: [PATCH 05/14] c++11: replace deprecated auto_ptr +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/] + +Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8 +Signed-off-by: José Bollo <jobol@nonadev.net> +--- + src/dpl/core/include/dpl/binary_queue.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h +index dd03f5e..185b6c7 100644 +--- a/src/dpl/core/include/dpl/binary_queue.h ++++ b/src/dpl/core/include/dpl/binary_queue.h +@@ -33,7 +33,7 @@ namespace SecurityManager { + * Binary queue auto pointer + */ + class BinaryQueue; +-typedef std::auto_ptr<BinaryQueue> BinaryQueueAutoPtr; ++typedef std::unique_ptr<BinaryQueue> BinaryQueueAutoPtr; + + /** + * Binary stream implemented as constant size bucket list +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch new file mode 100644 index 000000000..3b8aad98c --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch @@ -0,0 +1,47 @@ +From ec098bf03cea23350ca7d1ea2ad88b9c88228943 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Fri, 8 Jan 2016 16:53:46 +0100 +Subject: [PATCH 06/14] socket-manager: removes tizen specific call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The function 'smack_fgetlabel' is specific to Tizen +and is no more maintained upstream. + +Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/] + +Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f +Signed-off-by: José Bollo <jobol@nonadev.net> +--- + src/server/main/socket-manager.cpp | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp +index 94c54c6..5e1a79b 100644 +--- a/src/server/main/socket-manager.cpp ++++ b/src/server/main/socket-manager.cpp +@@ -30,6 +30,7 @@ + #include <sys/types.h> + #include <sys/socket.h> + #include <sys/smack.h> ++#include <linux/xattr.h> + #include <sys/un.h> + #include <sys/stat.h> + #include <unistd.h> +@@ -493,9 +494,9 @@ int SocketManager::CreateDomainSocketHelp( + if (smack_check()) { + LogInfo("Set up smack label: " << desc.smackLabel); + +- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) { +- LogError("Error in smack_fsetlabel"); +- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel"); ++ if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) { ++ LogError("Error in smack_set_label_for_file"); ++ ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file"); + } + } else { + LogInfo("No smack on platform. Socket won't be securied with smack label!"); +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch new file mode 100644 index 000000000..bad99d25a --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch @@ -0,0 +1,78 @@ +From 9d0791dab4b4df086374c5c0ba2a6558e10e81c1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Mon, 16 Nov 2015 15:56:27 +0100 +Subject: [PATCH 07/14] removes dependency to libslp-db-utils + +Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec +--- + src/common/CMakeLists.txt | 3 ++- + src/dpl/db/src/sql_connection.cpp | 17 +---------------- + 2 files changed, 3 insertions(+), 17 deletions(-) + +diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt +index 968c7c1..9ae376f 100644 +--- a/src/common/CMakeLists.txt ++++ b/src/common/CMakeLists.txt +@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP + REQUIRED + libsystemd + libsmack +- db-util ++ sqlite3 ++ icu-i18n + cynara-admin + cynara-client + ) +diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp +index fdb4fe4..f49a6dc 100644 +--- a/src/dpl/db/src/sql_connection.cpp ++++ b/src/dpl/db/src/sql_connection.cpp +@@ -26,7 +26,6 @@ + #include <memory> + #include <dpl/noncopyable.h> + #include <dpl/assert.h> +-#include <db-util.h> + #include <unistd.h> + #include <cstdio> + #include <cstdarg> +@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address, + + // Connect to database + int result; +- if (type & Flag::UseLucene) { +- result = db_util_open_with_options( +- address.c_str(), +- &m_connection, +- flag, +- NULL); +- +- m_usingLucene = true; +- LogPedantic("Lucene index enabled"); +- } else { ++ (void)type; + result = sqlite3_open_v2( + address.c_str(), + &m_connection, +@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address, + + m_usingLucene = false; + LogPedantic("Lucene index disabled"); +- } + + if (result == SQLITE_OK) { + LogPedantic("Connected to DB"); +@@ -653,11 +642,7 @@ void SqlConnection::Disconnect() + + int result; + +- if (m_usingLucene) { +- result = db_util_close(m_connection); +- } else { + result = sqlite3_close(m_connection); +- } + + if (result != SQLITE_OK) { + const char *error = sqlite3_errmsg(m_connection); +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch new file mode 100644 index 000000000..5ece7ef4f --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch @@ -0,0 +1,38 @@ +From a1d9b40b4fa2e73d31a53e398c286bffeaae1732 Mon Sep 17 00:00:00 2001 +From: Ronan <ronan.lemartret@iot.bzh> +Date: Wed, 12 Oct 2016 17:48:55 +0200 +Subject: [PATCH 08/14] Fix gcc6 build + +Signed-off-by: ronan <ronan@ot.bzh> +--- + src/client/client-security-manager.cpp | 1 + + src/common/include/privilege_db.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp +index 74a6b30..347cddd 100644 +--- a/src/client/client-security-manager.cpp ++++ b/src/client/client-security-manager.cpp +@@ -46,6 +46,7 @@ + #include <service_impl.h> + #include <security-manager.h> + #include <client-offline.h> ++#include <linux/xattr.h> + + static const char *EMPTY = ""; + +diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h +index 4d73d90..08fb9d6 100644 +--- a/src/common/include/privilege_db.h ++++ b/src/common/include/privilege_db.h +@@ -32,6 +32,7 @@ + #include <map> + #include <stdbool.h> + #include <string> ++#include <vector> + + #include <dpl/db/sql_connection.h> + #include <tzplatform_config.h> +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch new file mode 100644 index 000000000..706eb1a93 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch @@ -0,0 +1,40 @@ +From 382379d74221bcc60a0ab70d63430a1c0587b2ec Mon Sep 17 00:00:00 2001 +From: Ronan <ronan.lemartret@iot.bzh> +Date: Thu, 13 Oct 2016 11:37:47 +0200 +Subject: [PATCH 09/14] Fix Cmake conf for gcc6 build + +Signed-off-by: Ronan <ronan.lemartret@iot.bzh> +--- + src/cmd/CMakeLists.txt | 4 +--- + src/server/CMakeLists.txt | 1 - + 2 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt +index ee9a160..aa7a12c 100644 +--- a/src/cmd/CMakeLists.txt ++++ b/src/cmd/CMakeLists.txt +@@ -1,8 +1,6 @@ + FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options) + +-INCLUDE_DIRECTORIES(SYSTEM +- ${Boost_INCLUDE_DIRS} +- ) ++ + + INCLUDE_DIRECTORIES( + ${INCLUDE_PATH} +diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt +index 6849d76..9598037 100644 +--- a/src/server/CMakeLists.txt ++++ b/src/server/CMakeLists.txt +@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED) + + INCLUDE_DIRECTORIES(SYSTEM + ${SERVER_DEP_INCLUDE_DIRS} +- ${Boost_INCLUDE_DIRS} + ${Threads_INCLUDE_DIRS} + ) + +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch new file mode 100644 index 000000000..0f48c5f68 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch @@ -0,0 +1,51 @@ +From 8e93699c0f225716f3cd5eff790270ae9e3880f9 Mon Sep 17 00:00:00 2001 +From: Changhyeok Bae <changhyeok.bae@gmail.com> +Date: Sun, 17 Dec 2017 15:40:58 +0000 +Subject: [PATCH 10/14] gcc-7 requires include <functional> for std::function + +Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> +--- + src/client/client-common.cpp | 1 + + src/common/smack-labels.cpp | 1 + + src/dpl/core/src/binary_queue.cpp | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp +index 883ab8d..1babdf7 100644 +--- a/src/client/client-common.cpp ++++ b/src/client/client-common.cpp +@@ -31,6 +31,7 @@ + #include <sys/xattr.h> + #include <linux/xattr.h> + #include <unistd.h> ++#include <functional> + + #include <dpl/log/log.h> + #include <dpl/serialization.h> +diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp +index 0294a42..1598099 100644 +--- a/src/common/smack-labels.cpp ++++ b/src/common/smack-labels.cpp +@@ -29,6 +29,7 @@ + #include <sys/xattr.h> + #include <linux/xattr.h> + #include <memory> ++#include <functional> + #include <fts.h> + #include <cstring> + #include <string> +diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp +index 72817a6..838409f 100644 +--- a/src/dpl/core/src/binary_queue.cpp ++++ b/src/dpl/core/src/binary_queue.cpp +@@ -26,6 +26,7 @@ + #include <malloc.h> + #include <cstring> + #include <new> ++#include <functional> + + namespace SecurityManager { + BinaryQueue::BinaryQueue() : +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch new file mode 100644 index 000000000..5c679fc26 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch @@ -0,0 +1,32 @@ +From 243b7ffee16558d7cb9b411f49380138efeffca9 Mon Sep 17 00:00:00 2001 +From: Stephane Desneux <stephane.desneux@iot.bzh> +Date: Fri, 1 Feb 2019 12:26:17 +0000 +Subject: [PATCH 11/14] Fix gcc8 warning/error [-Werror=catch-value=] + +Fixes the following warning/error during compile: + +src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=] +| } catch (Exception) { +| ^~~~~~~~~ + +Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh> +--- + src/dpl/core/src/assert.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp +index 63538a2..fc60ce9 100644 +--- a/src/dpl/core/src/assert.cpp ++++ b/src/dpl/core/src/assert.cpp +@@ -58,7 +58,7 @@ void AssertProc(const char *condition, + INTERNAL_LOG("### Function: " << function); + INTERNAL_LOG( + "################################################################################"); +- } catch (Exception) { ++ } catch (Exception const&) { + // Just ignore possible double errors + } + +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch new file mode 100644 index 000000000..91ccf9ee2 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch @@ -0,0 +1,122 @@ +From 5ee51d38575f289c2bf37ed817ef680ed47bb320 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Fri, 1 Feb 2019 15:37:44 +0100 +Subject: [PATCH 12/14] Avoid casting from "const T&" to "void*" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Latest version of g++ refuse the cast + + reinterpret_cast<void (Service::*)(void*)>(serviceFunction) + +I made no investigation to know if the problem +is coming from the const or not. + +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/server/main/include/service-thread.h | 42 ++++++++++-------------- + 1 file changed, 18 insertions(+), 24 deletions(-) + +diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h +index 964d168..61fdda8 100644 +--- a/src/server/main/include/service-thread.h ++++ b/src/server/main/include/service-thread.h +@@ -94,7 +94,7 @@ public: + Join(); + while (!m_eventQueue.empty()){ + auto front = m_eventQueue.front(); +- delete front.eventPtr; ++ delete front; + m_eventQueue.pop(); + } + } +@@ -104,34 +104,28 @@ public: + Service *servicePtr, + void (Service::*serviceFunction)(const T &)) + { +- EventDescription description; +- description.serviceFunctionPtr = +- reinterpret_cast<void (Service::*)(void*)>(serviceFunction); +- description.servicePtr = servicePtr; +- description.eventFunctionPtr = &ServiceThread::EventCall<T>; +- description.eventPtr = new T(event); ++ EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction); + { + std::lock_guard<std::mutex> lock(m_eventQueueMutex); +- m_eventQueue.push(description); ++ m_eventQueue.push(ec); + } + m_waitCondition.notify_one(); + } + + protected: + +- struct EventDescription { +- void (Service::*serviceFunctionPtr)(void *); +- Service *servicePtr; +- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event); +- GenericEvent* eventPtr; ++ struct EventCallerBase { ++ virtual void fire() = 0; ++ virtual ~EventCallerBase() {} + }; + + template <class T> +- void EventCall(const EventDescription &desc) { +- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr); +- const T& eventLocale = *(static_cast<T*>(desc.eventPtr)); +- (desc.servicePtr->*fun)(eventLocale); +- } ++ struct EventCaller : public EventCallerBase { ++ T *event; Service *target; void (Service::*function)(const T&); ++ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {} ++ ~EventCaller() { delete event; } ++ void fire() { (target->*function)(*event); } ++ }; + + static void ThreadLoopStatic(ServiceThread *ptr) { + ptr->ThreadLoop(); +@@ -139,33 +133,33 @@ protected: + + void ThreadLoop(){ + for (;;) { +- EventDescription description = {NULL, NULL, NULL, NULL}; ++ EventCallerBase *ec = NULL; + { + std::unique_lock<std::mutex> ulock(m_eventQueueMutex); + if (m_quit) + return; + if (!m_eventQueue.empty()) { +- description = m_eventQueue.front(); ++ ec = m_eventQueue.front(); + m_eventQueue.pop(); + } else { + m_waitCondition.wait(ulock); + } + } + +- if (description.eventPtr != NULL) { ++ if (ec != NULL) { + UNHANDLED_EXCEPTION_HANDLER_BEGIN + { +- (this->*description.eventFunctionPtr)(description); +- delete description.eventPtr; ++ ec->fire(); + } + UNHANDLED_EXCEPTION_HANDLER_END ++ delete ec; + } + } + } + + std::thread m_thread; + std::mutex m_eventQueueMutex; +- std::queue<EventDescription> m_eventQueue; ++ std::queue<EventCallerBase*> m_eventQueue; + std::condition_variable m_waitCondition; + + State m_state; +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch new file mode 100644 index 000000000..fb6215923 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch @@ -0,0 +1,259 @@ +From 6c96a39ba7a7763ccd47e379dbfd8d376164985f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Mon, 16 Nov 2015 14:26:25 +0100 +Subject: [PATCH 13/14] Removing tizen-platform-config + +Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 +--- + CMakeLists.txt | 16 +++++++- + db/CMakeLists.txt | 2 +- + policy/CMakeLists.txt | 1 + + ...load => security-manager-policy-reload.in} | 4 +- + src/common/file-lock.cpp | 4 +- + src/common/include/file-lock.h | 1 - + src/common/include/privilege_db.h | 3 +- + src/common/service_impl.cpp | 39 ++++++------------- + src/common/smack-rules.cpp | 12 ++---- + 9 files changed, 37 insertions(+), 45 deletions(-) + rename policy/{security-manager-policy-reload => security-manager-policy-reload.in} (94%) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 28790d8..37a43cc 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -49,7 +49,7 @@ ADD_DEFINITIONS("-Wall") # Generate all warnings + ADD_DEFINITIONS("-Wextra") # Generate even more extra warnings + + STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}") +-ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"") ++ADD_DEFINITIONS("-DAPI_VERSION=\"${API_VERSION}\"") + + ADD_DEFINITIONS("-DSMACK_ENABLED") + +@@ -58,6 +58,20 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG") + ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG") + ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG") + ++SET(DATADIR "/usr/share/security-manager" CACHE STRING "path to data directory") ++SET(SMACKRULESDIR "/etc/smack/accesses.d" CACHE STRING "path to Smack rules directory") ++SET(LOCKDIR "/var/run/lock" CACHE STRING "path to lock directory") ++SET(DB_INSTALL_DIR "/var/db/security-manager" CACHE STRING "path to database directory") ++SET(DB_FILENAME ".security-manager.db" CACHE STRING "basename of database") ++SET(GLOBALUSER "userapp" CACHE STRING "name of the global user") ++ ++ADD_DEFINITIONS("-DDATADIR=\"${DATADIR}\"") ++ADD_DEFINITIONS("-DSMACKRULESDIR=\"${SMACKRULESDIR}\"") ++ADD_DEFINITIONS("-DLOCKDIR=\"${LOCKDIR}\"") ++ADD_DEFINITIONS("-DDB_INSTALL_DIR=\"${DB_INSTALL_DIR}\"") ++ADD_DEFINITIONS("-DDB_FILENAME=\"${DB_FILENAME}\"") ++ADD_DEFINITIONS("-DGLOBALUSER=\"${GLOBALUSER}\"") ++ + ADD_SUBDIRECTORY(src) + ADD_SUBDIRECTORY(pc) + ADD_SUBDIRECTORY(systemd) +diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt +index 9e8ffcc..d7af1a0 100644 +--- a/db/CMakeLists.txt ++++ b/db/CMakeLists.txt +@@ -1,4 +1,4 @@ +-SET(TARGET_DB ".security-manager.db") ++SET(TARGET_DB "$(DB_FILENAME)") + + ADD_CUSTOM_COMMAND( + OUTPUT ${TARGET_DB} ${TARGET_DB}-journal +diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt +index bd08edc..626a2bd 100644 +--- a/policy/CMakeLists.txt ++++ b/policy/CMakeLists.txt +@@ -1,4 +1,5 @@ + FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile) ++CONFIGURE_FILE(security-manager-policy-reload.in security-manager-policy-reload @ONLY) + INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) + INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) + INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) +diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload.in +similarity index 94% +rename from policy/security-manager-policy-reload +rename to policy/security-manager-policy-reload.in +index 6f211c6..c1bc4e2 100755 +--- a/policy/security-manager-policy-reload ++++ b/policy/security-manager-policy-reload.in +@@ -1,8 +1,8 @@ + #!/bin/sh -e + +-POLICY_PATH=/usr/share/security-manager/policy ++POLICY_PATH=@DATADIR@/policy + PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list +-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db ++DB_FILE=@DB_INSTALL_DIR@/@DB_FILENAME@ + + # Create default buckets + while read bucket default_policy +diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp +index 6f3996c..88d2092 100644 +--- a/src/common/file-lock.cpp ++++ b/src/common/file-lock.cpp +@@ -30,9 +30,7 @@ + + namespace SecurityManager { + +-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, +- "lock", +- "security-manager.lock"); ++char const * const SERVICE_LOCK_FILE = LOCKDIR "/security-manager.lock"; + + FileLocker::FileLocker(const std::string &lockFile, bool blocking) + { +diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h +index 604b019..21a86a0 100644 +--- a/src/common/include/file-lock.h ++++ b/src/common/include/file-lock.h +@@ -29,7 +29,6 @@ + + #include <dpl/exception.h> + #include <dpl/noncopyable.h> +-#include <tzplatform_config.h> + + namespace SecurityManager { + +diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h +index 08fb9d6..3344987 100644 +--- a/src/common/include/privilege_db.h ++++ b/src/common/include/privilege_db.h +@@ -35,14 +35,13 @@ + #include <vector> + + #include <dpl/db/sql_connection.h> +-#include <tzplatform_config.h> + + #ifndef PRIVILEGE_DB_H_ + #define PRIVILEGE_DB_H_ + + namespace SecurityManager { + +-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); ++const char *const PRIVILEGE_DB_PATH = DB_INSTALL_DIR "/" DB_FILENAME; + + enum class QueryType { + EGetPkgPrivileges, +diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp +index ae305d3..42150fe 100644 +--- a/src/common/service_impl.cpp ++++ b/src/common/service_impl.cpp +@@ -32,7 +32,6 @@ + #include <algorithm> + + #include <dpl/log/log.h> +-#include <tzplatform_config.h> + + #include "protocols.h" + #include "privilege_db.h" +@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, + + static uid_t getGlobalUserId(void) + { +- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); ++ static uid_t globaluid = 0; ++ if (!globaluid) { ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwnam_r(GLOBALUSER, &pw, buf, sizeof buf, &p); ++ globaluid = (rc || p == NULL) ? 555 : p->pw_uid; ++ } + return globaluid; + } + +@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) + + static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) + { +- struct tzplatform_context *tz_ctx = nullptr; +- +- if (tzplatform_context_create(&tz_ctx)) +- return false; +- +- if (tzplatform_context_set_user(tz_ctx, uid)) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); ++ if (rc || p == NULL) + return false; +- } +- +- enum tzplatform_variable id = +- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP; +- const char *appDir = tzplatform_context_getenv(tz_ctx, id); +- if (!appDir) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- return false; +- } +- +- userAppDir = appDir; +- +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- ++ userAppDir = p->pw_dir; + return true; + } + + static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) + { +- std::string userHome; + std::string userAppDir; + std::stringstream correctPath; + +diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp +index 922a56f..c2e0041 100644 +--- a/src/common/smack-rules.cpp ++++ b/src/common/smack-rules.cpp +@@ -34,7 +34,6 @@ + #include <memory> + + #include <dpl/log/log.h> +-#include <tzplatform_config.h> + + #include "smack-labels.h" + #include "smack-rules.h" +@@ -43,7 +42,7 @@ namespace SecurityManager { + + const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; + const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; +-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); ++const char *const APP_RULES_TEMPLATE_FILE_PATH = DATADIR "/policy/app-rules-template.smack"; + const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; + + SmackRules::SmackRules() +@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon + + std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); +- return path; ++ return SMACKRULESDIR "/pkg_" + pkgId; + } + + std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); +- return path; ++ return SMACKRULESDIR "/app_" + appId; + } + void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, + const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) +@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con + for (auto privilege : privileges) { + if (privilege.empty()) + continue; +- std::string fprivilege ( privilege + "-template.smack"); +- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); ++ std::string path = DATADIR "/policy/" + privilege + "-template.smack"; + if( stat(path.c_str(), &buffer) == 0) + smackRules.addFromTemplateFile(appId, pkgId, path); + } +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch new file mode 100644 index 000000000..542a387d2 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch @@ -0,0 +1,78 @@ +From c7f9d14e38a1b6d40b2fffa01433a3025eff9abd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Tue, 26 Nov 2019 12:34:39 +0100 +Subject: [PATCH 14/14] Ensure post install initialization of database +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Creation of the database was made during image creation, +leading to issue with SOTA. This adds the creation on +need before launching the service. + +Change-Id: Idfd0676bd87d39f7c10eaafd63f3a318f675c972 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + db/CMakeLists.txt | 14 ++++++-------- + db/security-manager-setup | 14 ++++++++++++++ + systemd/security-manager.service.in | 1 + + 3 files changed, 21 insertions(+), 8 deletions(-) + create mode 100644 db/security-manager-setup + +diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt +index d7af1a0..dcf5bc8 100644 +--- a/db/CMakeLists.txt ++++ b/db/CMakeLists.txt +@@ -1,12 +1,10 @@ +-SET(TARGET_DB "$(DB_FILENAME)") +- + ADD_CUSTOM_COMMAND( +- OUTPUT ${TARGET_DB} ${TARGET_DB}-journal +- COMMAND sqlite3 ${TARGET_DB} <db.sql +- ) ++ OUTPUT .security-manager-setup ++ COMMAND sed '/--DB\.SQL--/r db.sql' security-manager-setup > .security-manager-setup ++ DEPENDS security-manager-setup db.sql ++) + + # Add a dummy build target to trigger building of ${TARGET_DB} +-ADD_CUSTOM_TARGET(DB ALL DEPENDS ${TARGET_DB}) ++ADD_CUSTOM_TARGET(DB ALL DEPENDS .security-manager-setup) + +-INSTALL(FILES ${TARGET_DB} DESTINATION ${DB_INSTALL_DIR}) +-INSTALL(FILES ${TARGET_DB}-journal DESTINATION ${DB_INSTALL_DIR}) ++INSTALL(PROGRAMS .security-manager-setup DESTINATION ${BIN_INSTALL_DIR}) +diff --git a/db/security-manager-setup b/db/security-manager-setup +new file mode 100644 +index 0000000..5675baf +--- /dev/null ++++ b/db/security-manager-setup +@@ -0,0 +1,14 @@ ++#!/bin/sh ++ ++if test -f "$1"; then exit; fi ++set -e ++dbdir="$(dirname "$1")" ++dbfile="$(basename "$1")" ++test -n "$dbfile" ++test -n "$dbdir" ++mkdir -p "$dbdir" ++cd "$dbdir" ++sqlite3 "$dbfile" << END-OF-CAT ++--DB.SQL-- ++END-OF-CAT ++ +diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in +index 23fd1b2..2bf97d7 100644 +--- a/systemd/security-manager.service.in ++++ b/systemd/security-manager.service.in +@@ -3,5 +3,6 @@ Description=Start the security manager + + [Service] + Type=notify ++ExecStartPre=@BIN_INSTALL_DIR@/.security-manager-setup @DB_INSTALL_DIR@/@DB_FILENAME@ + ExecStart=@BIN_INSTALL_DIR@/security-manager + Sockets=security-manager.socket +-- +2.21.0 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch new file mode 100644 index 000000000..d9949193b --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch @@ -0,0 +1,34 @@ +From 7cffcd61378a9d7c0e7db5691b2da3a37448c969 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 30 Jan 2020 09:19:25 +0100 +Subject: [PATCH 15/15] Restrict socket accesses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ensure that only members of the group and the owner can access +the security manager. + +Bug-AGL: SPEC-3146 + +Change-Id: I68ce6523db4bfd4707c3680555c3cb0cf8858ef2 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + systemd/security-manager.socket | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket +index af1c1da..b401f77 100644 +--- a/systemd/security-manager.socket ++++ b/systemd/security-manager.socket +@@ -1,6 +1,6 @@ + [Socket] + ListenStream=/run/security-manager.socket +-SocketMode=0777 ++SocketMode=0660 + SmackLabelIPIn=* + SmackLabelIPOut=@ + +-- +2.21.1 + diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend new file mode 100644 index 000000000..ec8435369 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend @@ -0,0 +1,13 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:" + +EXTRA_OECMAKE =+ " -DGLOBALUSER=afm" + +SRC_URI += " \ + file://0001-Adapt-rules-to-AGL.patch \ +" + +do_install_append() { + # Needed for wayland-0 socket access and memfd usage + echo "~APP~ System::Weston rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack + echo "System::Weston ~APP~ rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack +} diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_git.bb b/meta-app-framework/recipes-security/security-manager/security-manager_git.bb new file mode 100644 index 000000000..b34973519 --- /dev/null +++ b/meta-app-framework/recipes-security/security-manager/security-manager_git.bb @@ -0,0 +1,27 @@ +require security-manager.inc + +PV = "1.0.2+git${SRCPV}" +SRCREV = "860305a595d681d650024ad07b3b0977e1fcb0a6" +SRC_URI += "git://github.com/Samsung/security-manager.git" +S = "${WORKDIR}/git" + +SRC_URI += " \ + file://0001-systemd-stop-using-compat-libs.patch \ + file://0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch \ + file://0003-Smack-rules-create-two-new-functions.patch \ + file://0004-app-install-implement-multiple-set-of-smack-rules.patch \ + file://0005-c-11-replace-deprecated-auto_ptr.patch \ + file://0006-socket-manager-removes-tizen-specific-call.patch \ + file://0007-removes-dependency-to-libslp-db-utils.patch \ + file://0008-Fix-gcc6-build.patch \ + file://0009-Fix-Cmake-conf-for-gcc6-build.patch \ + file://0010-gcc-7-requires-include-functional-for-std-function.patch \ + file://0011-Fix-gcc8-warning-error-Werror-catch-value.patch \ + file://0012-Avoid-casting-from-const-T-to-void.patch \ + file://0013-Removing-tizen-platform-config.patch \ + file://0014-Ensure-post-install-initialization-of-database.patch \ + file://0015-Restrict-socket-accesses.patch \ +" + +# Use make with cmake and not ninja +OECMAKE_GENERATOR = "Unix Makefiles" diff --git a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend index 09820be2f..afbc16c30 100644 --- a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend +++ b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend @@ -1,4 +1 @@ -# Disable nss to avoid build issues on native -PACKAGECONFIG = "gnutls libgcrypt openssl des" - -BBCLASSEXTEND = "native nativesdk" +require ${@bb.utils.contains('APPFW_ENABLED', '1', 'xmlsec1_appfw.inc', '', d)} diff --git a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc new file mode 100644 index 000000000..09820be2f --- /dev/null +++ b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc @@ -0,0 +1,4 @@ +# Disable nss to avoid build issues on native +PACKAGECONFIG = "gnutls libgcrypt openssl des" + +BBCLASSEXTEND = "native nativesdk" |