diff options
Diffstat (limited to 'meta-app-framework')
24 files changed, 107 insertions, 614 deletions
diff --git a/meta-app-framework/conf/include/agl-appfw-smack.inc b/meta-app-framework/conf/include/agl-appfw-smack.inc index 1d8ab0a77..b6b998a9b 100644 --- a/meta-app-framework/conf/include/agl-appfw-smack.inc +++ b/meta-app-framework/conf/include/agl-appfw-smack.inc @@ -1,10 +1,10 @@ # enable security features (smack, cynara) - required by Application Framework -OVERRIDES .= ":smack" -DISTRO_FEATURES_append = " smack dbus-cynara xattr" +OVERRIDES .= ":with-lsm-smack" +DISTRO_FEATURES_append = " smack xattr" # use tar-native to support SMACK extended attributes independently of host config IMAGE_CMD_TAR = "tar --xattrs --xattrs-include='*'" -IMAGE_DEPENDS_tar_append = " tar-replacement-native" +do_image_tar[depends] += "tar-replacement-native:do_populate_sysroot" EXTRANATIVEPATH += "tar-native" # security: enable ssh server in place of dropbear to support PAM on user sessions diff --git a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb index 8ac661527..e160486b2 100644 --- a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb +++ b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb @@ -14,7 +14,7 @@ DEPENDS = "openssl libxml2 xmlsec1 systemd libzip json-c systemd security-manage DEPENDS_class-native = "openssl libxml2 xmlsec1 libzip json-c" RDEPENDS_${PN}_class-target += "af-binder-tools" -PACKAGE_WRITE_DEPS_append_smack = " smack-userspace-native libcap-native" +PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native libcap-native" EXTRA_OECMAKE_class-native = "\ -DUSE_LIBZIP=1 \ @@ -46,8 +46,8 @@ GROUPADD_PARAM_${PN} = "-r ${afm_name}" FILES_${PN} += "\ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_user_unitdir}/afm-user-daemon.service', '', d)} \ " -RDEPENDS_${PN}_append_smack = " smack-userspace bash" -DEPENDS_append_smack = " smack-userspace-native" +RDEPENDS_${PN}_append_with-lsm-smack = " smack bash" +DEPENDS_append_with-lsm-smack = " smack-native" # short hacks here SRC_URI += "\ @@ -90,7 +90,7 @@ pkg_postinst_${PN}() { chown ${afm_name}:${afm_name} $D${afm_datadir}/icons } -pkg_postinst_${PN}_append_smack() { +pkg_postinst_${PN}_append_with-lsm-smack() { if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then chsmack -a 'System::Shared' -t $D${systemd_units_root}/system chsmack -a 'System::Shared' -t $D${systemd_units_root}/system/afm-user-session@.target.wants diff --git a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend index 636bcc4df..b837d03ad 100644 --- a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend +++ b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend @@ -1,5 +1,5 @@ -RDEPENDS_${PN}_append_smack = " smack-userspace" -PACKAGE_WRITE_DEPS_append_smack = " smack-userspace-native" +RDEPENDS_${PN}_append_with-lsm-smack = " smack" +PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native" do_install_append() { install -d ${D}/${sysconfdir}/skel/app-data @@ -13,7 +13,7 @@ do_install_append() { ln -s ../../var/local ${D}/usr/local } -do_install_append_smack () { +do_install_append_with-lsm-smack () { install -d ${D}/${sysconfdir}/smack/accesses.d cat > ${D}/${sysconfdir}/smack/accesses.d/default-access-domains-no-user <<EOF System User::App-Shared rwxat @@ -22,7 +22,7 @@ EOF chmod 0644 ${D}/${sysconfdir}/smack/accesses.d/default-access-domains-no-user } -pkg_postinst_${PN}_append_smack() { +pkg_postinst_${PN}_append_with-lsm-smack() { chsmack -r -a 'User::Home' -t -D $D/${sysconfdir}/skel chsmack -a 'User::App-Shared' -D $D/${sysconfdir}/skel/app-data cp -rTf --preserve=all $D/${sysconfdir}/skel $D/${ROOT_HOME} diff --git a/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-core-security.bbappend b/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-core-security.bbappend index 0c9efe465..a8d04ab6d 100644 --- a/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-core-security.bbappend +++ b/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-core-security.bbappend @@ -1,7 +1,6 @@ RDEPENDS_${PN} += "\ xmlsec1 \ cynara \ - dbus-cynara \ security-manager \ security-manager-policy \ agl-users \ diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch new file mode 100644 index 000000000..7b6845abc --- /dev/null +++ b/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch @@ -0,0 +1,51 @@ +From ed1c105db9d7b1ceb52ec16f35b0a2c959c19c6d Mon Sep 17 00:00:00 2001 +From: Changhyeok Bae <changhyeok.bae@gmail.com> +Date: Sun, 17 Dec 2017 15:40:58 +0000 +Subject: [PATCH] gcc-7 requires include <functional> for std::function + +Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> +--- + src/client/client-common.cpp | 1 + + src/common/smack-labels.cpp | 1 + + src/dpl/core/src/binary_queue.cpp | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp +index 883ab8d..1babdf7 100644 +--- a/src/client/client-common.cpp ++++ b/src/client/client-common.cpp +@@ -31,6 +31,7 @@ + #include <sys/xattr.h> + #include <linux/xattr.h> + #include <unistd.h> ++#include <functional> + + #include <dpl/log/log.h> + #include <dpl/serialization.h> +diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp +index 0294a42..1598099 100644 +--- a/src/common/smack-labels.cpp ++++ b/src/common/smack-labels.cpp +@@ -29,6 +29,7 @@ + #include <sys/xattr.h> + #include <linux/xattr.h> + #include <memory> ++#include <functional> + #include <fts.h> + #include <cstring> + #include <string> +diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp +index 72817a6..838409f 100644 +--- a/src/dpl/core/src/binary_queue.cpp ++++ b/src/dpl/core/src/binary_queue.cpp +@@ -26,6 +26,7 @@ + #include <malloc.h> + #include <cstring> + #include <new> ++#include <functional> + + namespace SecurityManager { + BinaryQueue::BinaryQueue() : +-- +2.7.4 + diff --git a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend index bd1a43ea3..61c933a7e 100644 --- a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend +++ b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend @@ -1,12 +1,13 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:" -PACKAGE_WRITE_DEPS_append_smack = " smack-userspace-native" +PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native" SRC_URI += " file://0001-Adapt-rules-to-AGL.patch \ file://init-security-manager-db.service \ file://init-security-manager-db.sh \ file://0001-Fix-gcc6-build.patch \ file://0001-Fix-Cmake-conf-for-gcc6-build.patch \ + file://0001-gcc-7-requires-include-functional-for-std-function.patch \ " FILES_${PN}_append = "${bindir}/init-security-manager-db.sh \ diff --git a/meta-app-framework/recipes-kernel/linux/linux-%.bbappend b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend index 02595efdf..fba5bf13d 100644 --- a/meta-app-framework/recipes-kernel/linux/linux-%.bbappend +++ b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend @@ -1,3 +1,3 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" -SRC_URI_append_smack = " file://audit.cfg" +SRC_URI_append_with-lsm-smack = " file://audit.cfg" diff --git a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend deleted file mode 100644 index c1c657201..000000000 --- a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend +++ /dev/null @@ -1,12 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux/linux-yocto-4.1:" - -#------------------------------------------------------------------------- -# smack patches for handling bluetooth - -SRC_URI_append_smack = "\ - file://0001-Smack-File-receive-for-sockets.patch \ - file://0002-smack-fix-cache-of-access-labels.patch \ - file://0003-Smack-ignore-null-signal-in-smack_task_kill.patch \ - file://0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch \ -" - diff --git a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend deleted file mode 100644 index 51df08719..000000000 --- a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend +++ /dev/null @@ -1,11 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux/linux-yocto-4.4:" - -#------------------------------------------------------------------------- -# smack patches for handling bluetooth - -SRC_URI_append_smack = "\ - file://0002-smack-fix-cache-of-access-labels.patch \ - file://0003-Smack-ignore-null-signal-in-smack_task_kill.patch \ - file://0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch \ -" - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch deleted file mode 100644 index b0c5ee8f4..000000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 2e65b888820ea372984d412cee3bd7dcba05d7d2 Mon Sep 17 00:00:00 2001 -From: Casey Schaufler <casey@schaufler-ca.com> -Date: Mon, 7 Dec 2015 14:34:32 -0800 -Subject: [PATCH 1/4] Smack: File receive for sockets - -The existing file receive hook checks for access on -the file inode even for UDS. This is not right, as -the inode is not used by Smack to make access checks -for sockets. This change checks for an appropriate -access relationship between the receiving (current) -process and the socket. If the process can't write -to the socket's send label or the socket's receive -label can't write to the process fail. - -This will allow the legitimate cases, where the -socket sender and socket receiver can freely communicate. -Only strangly set socket labels should cause a problem. - -Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> ---- - security/smack/smack_lsm.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index b644757..487b2f3 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -1672,9 +1672,31 @@ static int smack_file_receive(struct file *file) - int may = 0; - struct smk_audit_info ad; - struct inode *inode = file_inode(file); -+ struct socket *sock; -+ struct task_smack *tsp; -+ struct socket_smack *ssp; - - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); - smk_ad_setfield_u_fs_path(&ad, file->f_path); -+ -+ if (S_ISSOCK(inode->i_mode)) { -+ sock = SOCKET_I(inode); -+ ssp = sock->sk->sk_security; -+ tsp = current_security(); -+ /* -+ * If the receiving process can't write to the -+ * passed socket or if the passed socket can't -+ * write to the receiving process don't accept -+ * the passed socket. -+ */ -+ rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); -+ rc = smk_bu_file(file, may, rc); -+ if (rc < 0) -+ return rc; -+ rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); -+ rc = smk_bu_file(file, may, rc); -+ return rc; -+ } - /* - * This code relies on bitmasks. - */ --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch deleted file mode 100644 index 51c3b31ec..000000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 5bcea0fc4e5360deca133e211fdc76717a1693a4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net> -Date: Tue, 12 Jan 2016 21:23:40 +0100 -Subject: [PATCH 2/4] smack: fix cache of access labels -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Before this commit, removing the access property of -a file, aka, the extended attribute security.SMACK64 -was not effictive until the cache had been cleaned. - -This patch fixes that problem. - -Signed-off-by: José Bollo <jobol@nonadev.net> -Acked-by: Casey Schaufler <casey@schaufler-ca.com> ---- - security/smack/smack_lsm.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index 487b2f3..b9393e3 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -1256,9 +1256,13 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name) - * Don't do anything special for these. - * XATTR_NAME_SMACKIPIN - * XATTR_NAME_SMACKIPOUT -- * XATTR_NAME_SMACKEXEC - */ -- if (strcmp(name, XATTR_NAME_SMACK) == 0) -+ if (strcmp(name, XATTR_NAME_SMACK) == 0) { -+ struct super_block *sbp = d_backing_inode(dentry)->i_sb; -+ struct superblock_smack *sbsp = sbp->s_security; -+ -+ isp->smk_inode = sbsp->smk_default; -+ } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) - isp->smk_task = NULL; - else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) - isp->smk_mmap = NULL; --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch deleted file mode 100644 index 67761ae46..000000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch +++ /dev/null @@ -1,39 +0,0 @@ -From aa63c4f8ece0c54a9be735ac38667f11fcd6f44a Mon Sep 17 00:00:00 2001 -From: Rafal Krypa <r.krypa@samsung.com> -Date: Mon, 4 Apr 2016 11:14:53 +0200 -Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill - -Kill with signal number 0 is commonly used for checking PID existence. -Smack treated such cases like any other kills, although no signal is -actually delivered when sig == 0. - -Checking permissions when sig == 0 didn't prevent an unprivileged caller -from learning whether PID exists or not. When it existed, kernel returned -EPERM, when it didn't - ESRCH. The only effect of policy check in such -case is noise in audit logs. - -This change lets Smack silently ignore kill() invocations with sig == 0. - -Signed-off-by: Rafal Krypa <r.krypa@samsung.com> -Acked-by: Casey Schaufler <casey@schaufler-ca.com> ---- - security/smack/smack_lsm.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index b9393e3..c916f58 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -2056,6 +2056,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, - struct smack_known *tkp = smk_of_task_struct(p); - int rc; - -+ if (!sig) -+ return 0; /* null signal; existence test */ -+ - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); - smk_ad_setfield_u_tsk(&ad, p); - /* --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch deleted file mode 100644 index 4281c201c..000000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch +++ /dev/null @@ -1,49 +0,0 @@ -From b2b9e7ec8e79ede841104f76464f4b77c057b011 Mon Sep 17 00:00:00 2001 -From: jooseong lee <jooseong.lee@samsung.com> -Date: Thu, 3 Nov 2016 10:55:43 +0100 -Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook - -Creating struct sock by sk_alloc function in various kernel subsystems -like bluetooth dosen't call smack_socket_post_create(). In such case, -received sock label is the floor('_') label and makes access deny. - -Refers-to: https://review.tizen.org/gerrit/#/c/80717/4 - -Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8 -Signed-off-by: jooseong lee <jooseong.lee@samsung.com> -Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - security/smack/smack_lsm.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index c916f58..cc6769b 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -2138,8 +2138,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) - if (ssp == NULL) - return -ENOMEM; - -- ssp->smk_in = skp; -- ssp->smk_out = skp; -+ /* -+ * Sockets created by kernel threads receive web label. -+ */ -+ if (unlikely(current->flags & PF_KTHREAD)) { -+ ssp->smk_in = &smack_known_web; -+ ssp->smk_out = &smack_known_web; -+ } else { -+ ssp->smk_in = skp; -+ ssp->smk_out = skp; -+ } - ssp->smk_packet = NULL; - - sk->sk_security = ssp; --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch deleted file mode 100644 index 4021e5d38..000000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 2b206c36b16e72cfe41cd22448d8527359ffd962 Mon Sep 17 00:00:00 2001 -From: Casey Schaufler <casey@schaufler-ca.com> -Date: Mon, 7 Dec 2015 14:34:32 -0800 -Subject: [PATCH 1/4] Smack: File receive for sockets - -The existing file receive hook checks for access on -the file inode even for UDS. This is not right, as -the inode is not used by Smack to make access checks -for sockets. This change checks for an appropriate -access relationship between the receiving (current) -process and the socket. If the process can't write -to the socket's send label or the socket's receive -label can't write to the process fail. - -This will allow the legitimate cases, where the -socket sender and socket receiver can freely communicate. -Only strangly set socket labels should cause a problem. - -Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> ---- - security/smack/smack_lsm.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index ff81026..b20ef06 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -1860,12 +1860,34 @@ static int smack_file_receive(struct file *file) - int may = 0; - struct smk_audit_info ad; - struct inode *inode = file_inode(file); -+ struct socket *sock; -+ struct task_smack *tsp; -+ struct socket_smack *ssp; - - if (unlikely(IS_PRIVATE(inode))) - return 0; - - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); - smk_ad_setfield_u_fs_path(&ad, file->f_path); -+ -+ if (S_ISSOCK(inode->i_mode)) { -+ sock = SOCKET_I(inode); -+ ssp = sock->sk->sk_security; -+ tsp = current_security(); -+ /* -+ * If the receiving process can't write to the -+ * passed socket or if the passed socket can't -+ * write to the receiving process don't accept -+ * the passed socket. -+ */ -+ rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); -+ rc = smk_bu_file(file, may, rc); -+ if (rc < 0) -+ return rc; -+ rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); -+ rc = smk_bu_file(file, may, rc); -+ return rc; -+ } - /* - * This code relies on bitmasks. - */ --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch deleted file mode 100644 index c516f3aa5..000000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 99267706991ab84bd44ceaea9a7ec886bbdd58e0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net> -Date: Tue, 12 Jan 2016 21:23:40 +0100 -Subject: [PATCH 2/4] smack: fix cache of access labels -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Before this commit, removing the access property of -a file, aka, the extended attribute security.SMACK64 -was not effictive until the cache had been cleaned. - -This patch fixes that problem. - -Signed-off-by: José Bollo <jobol@nonadev.net> -Acked-by: Casey Schaufler <casey@schaufler-ca.com> ---- - security/smack/smack_lsm.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index b20ef06..b2bcb14 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -1444,9 +1444,13 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name) - * Don't do anything special for these. - * XATTR_NAME_SMACKIPIN - * XATTR_NAME_SMACKIPOUT -- * XATTR_NAME_SMACKEXEC - */ -- if (strcmp(name, XATTR_NAME_SMACK) == 0) -+ if (strcmp(name, XATTR_NAME_SMACK) == 0) { -+ struct super_block *sbp = d_backing_inode(dentry)->i_sb; -+ struct superblock_smack *sbsp = sbp->s_security; -+ -+ isp->smk_inode = sbsp->smk_default; -+ } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) - isp->smk_task = NULL; - else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) - isp->smk_mmap = NULL; --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch deleted file mode 100644 index c9180bb9f..000000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch +++ /dev/null @@ -1,39 +0,0 @@ -From ec4eb03af07b0fbc330aecca6ac4ebd6accd8825 Mon Sep 17 00:00:00 2001 -From: Rafal Krypa <r.krypa@samsung.com> -Date: Mon, 4 Apr 2016 11:14:53 +0200 -Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill - -Kill with signal number 0 is commonly used for checking PID existence. -Smack treated such cases like any other kills, although no signal is -actually delivered when sig == 0. - -Checking permissions when sig == 0 didn't prevent an unprivileged caller -from learning whether PID exists or not. When it existed, kernel returned -EPERM, when it didn't - ESRCH. The only effect of policy check in such -case is noise in audit logs. - -This change lets Smack silently ignore kill() invocations with sig == 0. - -Signed-off-by: Rafal Krypa <r.krypa@samsung.com> -Acked-by: Casey Schaufler <casey@schaufler-ca.com> ---- - security/smack/smack_lsm.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index b2bcb14..cf8a93f 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -2239,6 +2239,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, - struct smack_known *tkp = smk_of_task_struct(p); - int rc; - -+ if (!sig) -+ return 0; /* null signal; existence test */ -+ - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); - smk_ad_setfield_u_tsk(&ad, p); - /* --- -2.7.4 - diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch deleted file mode 100644 index a1eeac3d7..000000000 --- a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch +++ /dev/null @@ -1,49 +0,0 @@ -From c8bbb0f916de54610513e376070aea531af19dd6 Mon Sep 17 00:00:00 2001 -From: jooseong lee <jooseong.lee@samsung.com> -Date: Thu, 3 Nov 2016 10:55:43 +0100 -Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook - -Creating struct sock by sk_alloc function in various kernel subsystems -like bluetooth dosen't call smack_socket_post_create(). In such case, -received sock label is the floor('_') label and makes access deny. - -Refers-to: https://review.tizen.org/gerrit/#/c/80717/4 - -Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8 -Signed-off-by: jooseong lee <jooseong.lee@samsung.com> -Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - security/smack/smack_lsm.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index cf8a93f..21651bc 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -2321,8 +2321,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) - if (ssp == NULL) - return -ENOMEM; - -- ssp->smk_in = skp; -- ssp->smk_out = skp; -+ /* -+ * Sockets created by kernel threads receive web label. -+ */ -+ if (unlikely(current->flags & PF_KTHREAD)) { -+ ssp->smk_in = &smack_known_web; -+ ssp->smk_out = &smack_known_web; -+ } else { -+ ssp->smk_in = skp; -+ ssp->smk_out = skp; -+ } - ssp->smk_packet = NULL; - - sk->sk_security = ssp; --- -2.7.4 - diff --git a/meta-app-framework/recipes-security/cynara/cynara/0001-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-security/cynara/cynara/0001-gcc-7-requires-include-functional-for-std-function.patch new file mode 100644 index 000000000..bd060b26d --- /dev/null +++ b/meta-app-framework/recipes-security/cynara/cynara/0001-gcc-7-requires-include-functional-for-std-function.patch @@ -0,0 +1,38 @@ +From 2169344adbb42ff580856204e2b290e3b04fd447 Mon Sep 17 00:00:00 2001 +From: Changhyeok Bae <changhyeok.bae@gmail.com> +Date: Sun, 17 Dec 2017 15:28:28 +0000 +Subject: [PATCH] gcc-7 requires include <functional> for std::function + +Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> +--- + src/common/types/PolicyBucket.h | 1 + + src/cyad/AdminPolicyParser.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/common/types/PolicyBucket.h b/src/common/types/PolicyBucket.h +index 029d3dd..1bceeca 100644 +--- a/src/common/types/PolicyBucket.h ++++ b/src/common/types/PolicyBucket.h +@@ -30,6 +30,7 @@ + #include <set> + #include <string> + #include <vector> ++#include <functional> + + #include <exceptions/NotImplementedException.h> + #include <types/pointers.h> +diff --git a/src/cyad/AdminPolicyParser.h b/src/cyad/AdminPolicyParser.h +index 53dde23..f38c194 100644 +--- a/src/cyad/AdminPolicyParser.h ++++ b/src/cyad/AdminPolicyParser.h +@@ -25,6 +25,7 @@ + + #include <istream> + #include <memory> ++#include <functional> + + #include <cyad/CynaraAdminPolicies.h> + +-- +2.7.4 + diff --git a/meta-app-framework/recipes-security/cynara/cynara_git.bbappend b/meta-app-framework/recipes-security/cynara/cynara_git.bbappend deleted file mode 100644 index 9a61e7044..000000000 --- a/meta-app-framework/recipes-security/cynara/cynara_git.bbappend +++ /dev/null @@ -1,39 +0,0 @@ -pkg_postinst_${PN} () { - # Fail on error. - set -e - - # It would be nice to run the code below while building an image, - # but currently the calls to cynara-db-chsgen (a binary) in - # cynara-db-migration (a script) prevent that. Rely instead - # on OE's support for running failed postinst scripts at first boot. - if [ x"$D" != "x" ]; then - exit 1 - fi - - mkdir -p $D${sysconfdir}/cynara - ${CHSMACK} -a System $D${sysconfdir}/cynara - - # Strip git patch level information, the version comparison code - # in cynara-db-migration only expect major.minor.patch version numbers. - VERSION=${@d.getVar('PV',d,1).split('+git')[0]} - if [ -d $D${localstatedir}/cynara ] ; then - # upgrade - echo "NOTE: updating cynara DB to version $VERSION" - $D${sbindir}/cynara-db-migration upgrade -f 0.0.0 -t $VERSION - else - # install - echo "NOTE: creating cynara DB for version $VERSION" - mkdir -p $D${localstatedir}/cynara - ${CHSMACK} -a System $D${localstatedir}/cynara - $D${sbindir}/cynara-db-migration install -t $VERSION - fi - - # Workaround for systemd.bbclass issue: it would call - # "systemctl start" without "--no-block", but because - # the service is not ready to run at the time when - # this scripts gets executed by run-postinsts.service, - # booting deadlocks. - echo "NOTE: enabling and starting cynara service" - systemctl enable cynara - systemctl start --no-block cynara -} diff --git a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend new file mode 100644 index 000000000..08d2a3dd0 --- /dev/null +++ b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend @@ -0,0 +1,4 @@ + +DEPENDS = "libtool libxml2 libxslt openssl gnutls libgcrypt" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-app-framework/recipes-support/libcap/libcap_%.bbappend b/meta-app-framework/recipes-support/libcap/libcap_%.bbappend index fbe893501..c4561db22 100644 --- a/meta-app-framework/recipes-support/libcap/libcap_%.bbappend +++ b/meta-app-framework/recipes-support/libcap/libcap_%.bbappend @@ -1,5 +1,2 @@ FILESEXTRAPATHS_append_class-native := ":${THISDIR}/${PN}" SRC_URI_append_class-native = " file://removing-capability-enforcement.patch" -PACKAGECONFIG_class-native ?= "attr" -DEPENDS_append_class-native = " attr-native" - diff --git a/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.55.bb b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.55.bb deleted file mode 100644 index bb650ce23..000000000 --- a/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.55.bb +++ /dev/null @@ -1,25 +0,0 @@ -DESCRIPTION = "A small C library that is supposed to make it easy to run an HTTP server as part of another application" -HOMEPAGE = "http://www.gnu.org/software/libmicrohttpd/" -LICENSE = "LGPL-2.1+" -LIC_FILES_CHKSUM = "file://COPYING;md5=9331186f4f80db7da0e724bdd6554ee5" -SECTION = "net" -DEPENDS = "libgcrypt gnutls file" - -SRC_URI = "http://ftp.gnu.org/gnu/libmicrohttpd/${BPN}-${PV}.tar.gz" -SRC_URI[md5sum] = "1c20f84a8b9cf692dd50b558b3571a3a" -SRC_URI[sha256sum] = "0c1cab8dc9f2588bd3076a28f77a7f8de9560cbf2d80e53f9a8696ada80ed0f8" - -inherit autotools lib_package pkgconfig gettext - -EXTRA_OECONF += "--disable-static --with-gnutls=${STAGING_LIBDIR}/../" - -PACKAGECONFIG ?= "curl" -PACKAGECONFIG_append_class-target = "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'largefile', 'largefile', '', d)} \ -" -PACKAGECONFIG[largefile] = "--enable-largefile,--disable-largefile,," -PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl," - -do_compile_append() { - sed -i s:-L${STAGING_LIBDIR}::g libmicrohttpd.pc -} diff --git a/meta-app-framework/recipes-support/xmlsec1/xmlsec1/Only-require-libxslt-in-.pc-files-when-necessary.patch b/meta-app-framework/recipes-support/xmlsec1/xmlsec1/Only-require-libxslt-in-.pc-files-when-necessary.patch deleted file mode 100644 index c92df77f0..000000000 --- a/meta-app-framework/recipes-support/xmlsec1/xmlsec1/Only-require-libxslt-in-.pc-files-when-necessary.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 1e39acf581ef47876b058da41774cbc92560d797 Mon Sep 17 00:00:00 2001 -From: Manuel Bachmann <manuel.bachmann@iot.bzh> -Date: Wed, 27 Jan 2016 14:16:40 +0100 -Subject: [PATCH] Only require libxslt in .pc files when necessary - -If we build xmlsec without libxslt ("--without-libxslt" at -configure time), dependent packages will still require it -because it is unconditionally mentioned in .pc files (used -by pkg-config). - -We now make sure that this dependency is mentioned only if -the configure script validates libxslt presence. - -Signed-off-by: Manuel Bachmann <manuel.bachmann@iot.bzh> ---- - configure.in | 4 ++++ - xmlsec-gcrypt.pc.in | 2 +- - xmlsec-gnutls.pc.in | 2 +- - xmlsec-nss.pc.in | 2 +- - xmlsec-openssl.pc.in | 2 +- - xmlsec.pc.in | 2 +- - 6 files changed, 9 insertions(+), 5 deletions(-) - -diff --git a/configure.in b/configure.in -index 7d976d0..a8350a9 100644 ---- a/configure.in -+++ b/configure.in -@@ -255,6 +255,7 @@ dnl ========================================================================== - dnl find libxslt - dnl ========================================================================== - XMLSEC_NO_LIBXSLT="1" -+LIBXSLT_COND="libxslt >=" - LIBXSLT_MIN_VERSION=1.0.20 - LIBXSLT_CONFIG="xslt-config" - LIBXSLT_CFLAGS="" -@@ -324,6 +325,8 @@ fi - if test "z$LIBXSLT_FOUND" = "zyes" ; then - XMLSEC_NO_LIBXSLT="0" - else -+ LIBXSLT_COND="" -+ LIBXSLT_MIN_VERSION="" - XMLSEC_DEFINES="$XMLSEC_DEFINES -DXMLSEC_NO_XSLT=1" - fi - -@@ -332,6 +335,7 @@ AC_SUBST(LIBXSLT_CFLAGS) - AC_SUBST(LIBXSLT_LIBS) - AC_SUBST(LIBXSLT_CONFIG) - AC_SUBST(LIBXSLT_MIN_VERSION) -+AC_SUBST(LIBXSLT_COND) - - dnl ========================================================================== - dnl See if we can find a crypto library -diff --git a/xmlsec-gcrypt.pc.in b/xmlsec-gcrypt.pc.in -index 1c00496..33bc2ff 100644 ---- a/xmlsec-gcrypt.pc.in -+++ b/xmlsec-gcrypt.pc.in -@@ -6,6 +6,6 @@ includedir=@includedir@ - Name: xmlsec1-gcrypt - Version: @VERSION@ - Description: XML Security Library implements XML Signature and XML Encryption standards --Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@ -+Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@ - Cflags: -DXMLSEC_CRYPTO=\"gcrypt\" @XMLSEC_GCRYPT_CFLAGS@ - Libs: @XMLSEC_GCRYPT_LIBS@ -diff --git a/xmlsec-gnutls.pc.in b/xmlsec-gnutls.pc.in -index e538cd4..d01cf82 100644 ---- a/xmlsec-gnutls.pc.in -+++ b/xmlsec-gnutls.pc.in -@@ -6,6 +6,6 @@ includedir=@includedir@ - Name: xmlsec1-gnutls - Version: @VERSION@ - Description: XML Security Library implements XML Signature and XML Encryption standards --Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@ -+Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@ - Cflags: -DXMLSEC_CRYPTO=\"gnutls\" @XMLSEC_GNUTLS_CFLAGS@ - Libs: @XMLSEC_GNUTLS_LIBS@ -diff --git a/xmlsec-nss.pc.in b/xmlsec-nss.pc.in -index a6d6c5c..75f0232 100644 ---- a/xmlsec-nss.pc.in -+++ b/xmlsec-nss.pc.in -@@ -6,6 +6,6 @@ includedir=@includedir@ - Name: xmlsec1-nss - Version: @VERSION@ - Description: XML Security Library implements XML Signature and XML Encryption standards --Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@ @NSPR_PACKAGE@ >= @MOZILLA_MIN_VERSION@ @NSS_PACKAGE@ >= @MOZILLA_MIN_VERSION@ -+Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@ @NSPR_PACKAGE@ >= @MOZILLA_MIN_VERSION@ @NSS_PACKAGE@ >= @MOZILLA_MIN_VERSION@ - Cflags: -DXMLSEC_CRYPTO=\"nss\" -DXMLSEC_CRYPTO_NSS=1 @XMLSEC_CORE_CFLAGS@ - Libs: -L${libdir} -lxmlsec1-nss @XMLSEC_CORE_LIBS@ -diff --git a/xmlsec-openssl.pc.in b/xmlsec-openssl.pc.in -index 85ee2b0..e9d0651 100644 ---- a/xmlsec-openssl.pc.in -+++ b/xmlsec-openssl.pc.in -@@ -6,6 +6,6 @@ includedir=@includedir@ - Name: xmlsec1-openssl - Version: @VERSION@ - Description: XML Security Library implements XML Signature and XML Encryption standards --Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@ -+Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@ - Cflags: -DXMLSEC_CRYPTO=\"openssl\" @XMLSEC_OPENSSL_CFLAGS@ - Libs: @XMLSEC_OPENSSL_LIBS@ -diff --git a/xmlsec.pc.in b/xmlsec.pc.in -index a750ab8..14ea670 100644 ---- a/xmlsec.pc.in -+++ b/xmlsec.pc.in -@@ -6,6 +6,6 @@ includedir=@includedir@ - Name: xmlsec1 - Version: @VERSION@ - Description: XML Security Library implements XML Signature and XML Encryption standards --Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@ -+Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@ - Cflags: -DXMLSEC_CRYPTO=\"@XMLSEC_CRYPTO@\" -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 @XMLSEC_CORE_CFLAGS@ - Libs: -L${libdir} @XMLSEC_CORE_LIBS@ --- -2.6.2 - diff --git a/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend b/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend deleted file mode 100644 index 8f1972f07..000000000 --- a/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend +++ /dev/null @@ -1,6 +0,0 @@ -FILESEXTRAPATHS_append := ":${THISDIR}/${PN}" -SRC_URI += "file://Only-require-libxslt-in-.pc-files-when-necessary.patch" - -DEPENDS += "libxml2" - -BBCLASSEXTEND = "native nativesdk" |