diff options
Diffstat (limited to 'meta-security/recipes-security/cynara/cynara')
8 files changed, 428 insertions, 0 deletions
diff --git a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch new file mode 100644 index 000000000..11387b98b --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch @@ -0,0 +1,59 @@ +From 3d387993b5a4283e8aebd8e777b2ccd45d233959 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 12:00:18 +0100 +Subject: [PATCH 1/6] Add fallthrough tags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +GCC 7 emits a warning when the tag /*@fallthrough@*/ +doesn't appear in a switch case when a case continue +to the next after some processing. + +Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/admin/api/admin-api.cpp | 1 + + src/client-async/logic/Logic.cpp | 1 + + src/common/sockets/SocketClient.cpp | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/src/admin/api/admin-api.cpp b/src/admin/api/admin-api.cpp +index c638f41..aafa45e 100644 +--- a/src/admin/api/admin-api.cpp ++++ b/src/admin/api/admin-api.cpp +@@ -146,6 +146,7 @@ int cynara_admin_set_policies(struct cynara_admin *p_cynara_admin, + case CYNARA_ADMIN_BUCKET: + if (!isStringValid(policy->result_extra)) + return CYNARA_API_INVALID_PARAM; ++ /*@fallthrough@*/ + default: + { + std::string extraStr = policy->result_extra ? policy->result_extra : ""; +diff --git a/src/client-async/logic/Logic.cpp b/src/client-async/logic/Logic.cpp +index 5ae0251..c1d6c33 100644 +--- a/src/client-async/logic/Logic.cpp ++++ b/src/client-async/logic/Logic.cpp +@@ -233,6 +233,7 @@ bool Logic::processOut(void) { + case Socket::SendStatus::ALL_DATA_SENT: + onStatusChange(m_socketClient.getSockFd(), + cynara_async_status::CYNARA_STATUS_FOR_READ); ++ /*@fallthrough@*/ + case Socket::SendStatus::PARTIAL_DATA_SENT: + return true; + default: +diff --git a/src/common/sockets/SocketClient.cpp b/src/common/sockets/SocketClient.cpp +index b1ca4f7..f4394e5 100644 +--- a/src/common/sockets/SocketClient.cpp ++++ b/src/common/sockets/SocketClient.cpp +@@ -45,6 +45,7 @@ bool SocketClient::connect(void) { + LOGW("Error connecting to Cynara. Service not available."); + return false; + } ++ /*@fallthrough@*/ + default: + return true; + } +-- +2.14.3 + diff --git a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch new file mode 100644 index 000000000..760a1c5b2 --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch @@ -0,0 +1,38 @@ +From b18e66ce7f81c56e3a97ed075cb60d5a43b2e57c Mon Sep 17 00:00:00 2001 +From: Changhyeok Bae <changhyeok.bae@gmail.com> +Date: Sun, 17 Dec 2017 15:28:28 +0000 +Subject: [PATCH 2/6] gcc-7 requires include <functional> for std::function + +Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> +--- + src/common/types/PolicyBucket.h | 1 + + src/cyad/AdminPolicyParser.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/common/types/PolicyBucket.h b/src/common/types/PolicyBucket.h +index 029d3dd..1bceeca 100644 +--- a/src/common/types/PolicyBucket.h ++++ b/src/common/types/PolicyBucket.h +@@ -30,6 +30,7 @@ + #include <set> + #include <string> + #include <vector> ++#include <functional> + + #include <exceptions/NotImplementedException.h> + #include <types/pointers.h> +diff --git a/src/cyad/AdminPolicyParser.h b/src/cyad/AdminPolicyParser.h +index 53dde23..f38c194 100644 +--- a/src/cyad/AdminPolicyParser.h ++++ b/src/cyad/AdminPolicyParser.h +@@ -25,6 +25,7 @@ + + #include <istream> + #include <memory> ++#include <functional> + + #include <cyad/CynaraAdminPolicies.h> + +-- +2.14.3 + diff --git a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch new file mode 100644 index 000000000..8c47c3b26 --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch @@ -0,0 +1,45 @@ +From 6ad54c5e732e7cf0a29f29f48fa757e3e56d6860 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 11:38:16 +0100 +Subject: [PATCH 3/6] Avoid warning when compiling without smack +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When DB_FILES_SMACK_LABEL is not defined, cmake complains +with the following message: + +> -- Checking for modules '' +> Please specify at least one package name on the command line. + +Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/admin/CMakeLists.txt | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/admin/CMakeLists.txt b/src/admin/CMakeLists.txt +index e4f354a..38b8669 100644 +--- a/src/admin/CMakeLists.txt ++++ b/src/admin/CMakeLists.txt +@@ -23,12 +23,12 @@ IF (DB_FILES_SMACK_LABEL) + SET(SMACK "smack") + SET(LIBSMACK "libsmack") + ADD_DEFINITIONS("-DDB_FILES_SMACK_LABEL=\"${DB_FILES_SMACK_LABEL}\"") +-ENDIF (DB_FILES_SMACK_LABEL) + +-PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP +- REQUIRED +- ${LIBSMACK} +- ) ++ PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP ++ REQUIRED ++ ${LIBSMACK} ++ ) ++ENDIF (DB_FILES_SMACK_LABEL) + + SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin) + +-- +2.14.3 + diff --git a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch new file mode 100644 index 000000000..164542899 --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch @@ -0,0 +1,44 @@ +From 2bd62bca98a8a8cf194fb2b68aed68d982f58520 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 12:52:39 +0100 +Subject: [PATCH 4/6] Fix mode of sockets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Setting execution bit on the socket serves nothing. + +Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + systemd/cynara-admin.socket | 2 +- + systemd/cynara.socket | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket +index 2d1aea4..ed38386 100644 +--- a/systemd/cynara-admin.socket ++++ b/systemd/cynara-admin.socket +@@ -1,6 +1,6 @@ + [Socket] + ListenStream=/run/cynara/cynara-admin.socket +-SocketMode=0700 ++SocketMode=0600 + SmackLabelIPIn=@ + SmackLabelIPOut=@ + +diff --git a/systemd/cynara.socket b/systemd/cynara.socket +index 9f2a870..fad2745 100644 +--- a/systemd/cynara.socket ++++ b/systemd/cynara.socket +@@ -1,6 +1,6 @@ + [Socket] + ListenStream=/run/cynara/cynara.socket +-SocketMode=0777 ++SocketMode=0666 + SmackLabelIPIn=* + SmackLabelIPOut=@ + +-- +2.14.3 + diff --git a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch new file mode 100644 index 000000000..b4a2d74e8 --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch @@ -0,0 +1,127 @@ +From d919b110a2fbccdce084c651f4d7d7de66f2f869 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 13:47:37 +0100 +Subject: [PATCH 5/6] Allow to tune sockets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Allow to change the directory of sockets +through a true integration of SOCKET_DIR + +Allow to override the socket's group of + - /run/cynara/cynara-agent.socket + - /run/cynara/cynara-monitor-get.socket + +through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP + +Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + systemd/CMakeLists.txt | 19 +++++++++++++++---- + .../{cynara-admin.socket => cynara-admin.socket.in} | 2 +- + .../{cynara-agent.socket => cynara-agent.socket.in} | 4 ++-- + ...onitor-get.socket => cynara-monitor-get.socket.in} | 4 ++-- + systemd/{cynara.socket => cynara.socket.in} | 2 +- + 5 files changed, 21 insertions(+), 10 deletions(-) + rename systemd/{cynara-admin.socket => cynara-admin.socket.in} (78%) + rename systemd/{cynara-agent.socket => cynara-agent.socket.in} (66%) + rename systemd/{cynara-monitor-get.socket => cynara-monitor-get.socket.in} (64%) + rename systemd/{cynara.socket => cynara.socket.in} (80%) + +diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt +index 20accf0..1b75c12 100644 +--- a/systemd/CMakeLists.txt ++++ b/systemd/CMakeLists.txt +@@ -16,13 +16,24 @@ + # @author Lukasz Wojciechowski <l.wojciechow@partner.samsung.com> + # + ++SET(CYNARA_ADMIN_SOCKET_GROUP ++ "security_fw" ++ CACHE STRING ++ "Group to apply on administrative sockets") ++ ++ ++CONFIGURE_FILE(cynara.socket.in cynara.socket @ONLY) ++CONFIGURE_FILE(cynara-admin.socket.in cynara-admin.socket @ONLY) ++CONFIGURE_FILE(cynara-agent.socket.in cynara-agent.socket @ONLY) ++CONFIGURE_FILE(cynara-monitor-get.socket.in cynara-monitor-get.socket @ONLY) ++ + INSTALL(FILES + ${CMAKE_SOURCE_DIR}/systemd/cynara.service + ${CMAKE_SOURCE_DIR}/systemd/cynara.target +- ${CMAKE_SOURCE_DIR}/systemd/cynara.socket +- ${CMAKE_SOURCE_DIR}/systemd/cynara-admin.socket +- ${CMAKE_SOURCE_DIR}/systemd/cynara-agent.socket +- ${CMAKE_SOURCE_DIR}/systemd/cynara-monitor-get.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara-admin.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara-agent.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara-monitor-get.socket + DESTINATION + ${SYSTEMD_UNIT_DIR} + ) +diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket.in +similarity index 78% +rename from systemd/cynara-admin.socket +rename to systemd/cynara-admin.socket.in +index ed38386..2364c3e 100644 +--- a/systemd/cynara-admin.socket ++++ b/systemd/cynara-admin.socket.in +@@ -1,5 +1,5 @@ + [Socket] +-ListenStream=/run/cynara/cynara-admin.socket ++ListenStream=@SOCKET_DIR@/cynara-admin.socket + SocketMode=0600 + SmackLabelIPIn=@ + SmackLabelIPOut=@ +diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket.in +similarity index 66% +rename from systemd/cynara-agent.socket +rename to systemd/cynara-agent.socket.in +index 5a677e0..4f86c9d 100644 +--- a/systemd/cynara-agent.socket ++++ b/systemd/cynara-agent.socket.in +@@ -1,6 +1,6 @@ + [Socket] +-ListenStream=/run/cynara/cynara-agent.socket +-SocketGroup=security_fw ++ListenStream=@SOCKET_DIR@/cynara-agent.socket ++SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ + SocketMode=0060 + SmackLabelIPIn=* + SmackLabelIPOut=@ +diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket.in +similarity index 64% +rename from systemd/cynara-monitor-get.socket +rename to systemd/cynara-monitor-get.socket.in +index a50feeb..b88dbf7 100644 +--- a/systemd/cynara-monitor-get.socket ++++ b/systemd/cynara-monitor-get.socket.in +@@ -1,6 +1,6 @@ + [Socket] +-ListenStream=/run/cynara/cynara-monitor-get.socket +-SocketGroup=security_fw ++ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket ++SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ + SocketMode=0060 + SmackLabelIPIn=@ + SmackLabelIPOut=@ +diff --git a/systemd/cynara.socket b/systemd/cynara.socket.in +similarity index 80% +rename from systemd/cynara.socket +rename to systemd/cynara.socket.in +index fad2745..ba76549 100644 +--- a/systemd/cynara.socket ++++ b/systemd/cynara.socket.in +@@ -1,5 +1,5 @@ + [Socket] +-ListenStream=/run/cynara/cynara.socket ++ListenStream=@SOCKET_DIR@/cynara.socket + SocketMode=0666 + SmackLabelIPIn=* + SmackLabelIPOut=@ +-- +2.14.3 + diff --git a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch new file mode 100644 index 000000000..0cfc785c1 --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch @@ -0,0 +1,80 @@ +From d54e425b0685c9e3e06f5b4efcbd206950d14f3c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 14:09:23 +0100 +Subject: [PATCH 6/6] Install socket activation by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + packaging/cynara.spec | 5 ----- + systemd/CMakeLists.txt | 7 +++++++ + systemd/sockets.target.wants/cynara-admin.socket | 1 + + systemd/sockets.target.wants/cynara-agent.socket | 1 + + systemd/sockets.target.wants/cynara.socket | 1 + + 5 files changed, 10 insertions(+), 5 deletions(-) + create mode 120000 systemd/sockets.target.wants/cynara-admin.socket + create mode 120000 systemd/sockets.target.wants/cynara-agent.socket + create mode 120000 systemd/sockets.target.wants/cynara.socket + +diff --git a/packaging/cynara.spec b/packaging/cynara.spec +index d2e0b80..2c5b326 100644 +--- a/packaging/cynara.spec ++++ b/packaging/cynara.spec +@@ -72,12 +72,7 @@ make %{?jobs:-j%jobs} + rm -rf %{buildroot} + %make_install + +-mkdir -p %{buildroot}%{_unitdir}/sockets.target.wants + mkdir -p %{buildroot}%{_unitdir}/multi-user.target.wants +-ln -s ../cynara.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara.socket +-ln -s ../cynara-admin.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-admin.socket +-ln -s ../cynara-agent.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-agent.socket +-ln -s ../cynara-monitor-get.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-monitor-get.socket + ln -s ../cynara.service %{buildroot}%{_unitdir}/multi-user.target.wants/cynara.service + + %post +diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt +index 1b75c12..9a2d70d 100644 +--- a/systemd/CMakeLists.txt ++++ b/systemd/CMakeLists.txt +@@ -38,3 +38,10 @@ INSTALL(FILES + ${SYSTEMD_UNIT_DIR} + ) + ++INSTALL(DIRECTORY ++ ${CMAKE_SOURCE_DIR}/systemd/sockets.target.wants ++ DESTINATION ++ ${SYSTEMD_UNIT_DIR} ++) ++ ++ +diff --git a/systemd/sockets.target.wants/cynara-admin.socket b/systemd/sockets.target.wants/cynara-admin.socket +new file mode 120000 +index 0000000..3d0b1ce +--- /dev/null ++++ b/systemd/sockets.target.wants/cynara-admin.socket +@@ -0,0 +1 @@ ++../cynara-admin.socket +\ No newline at end of file +diff --git a/systemd/sockets.target.wants/cynara-agent.socket b/systemd/sockets.target.wants/cynara-agent.socket +new file mode 120000 +index 0000000..22b37dd +--- /dev/null ++++ b/systemd/sockets.target.wants/cynara-agent.socket +@@ -0,0 +1 @@ ++../cynara-agent.socket +\ No newline at end of file +diff --git a/systemd/sockets.target.wants/cynara.socket b/systemd/sockets.target.wants/cynara.socket +new file mode 120000 +index 0000000..c0e5a5b +--- /dev/null ++++ b/systemd/sockets.target.wants/cynara.socket +@@ -0,0 +1 @@ ++../cynara.socket +\ No newline at end of file +-- +2.14.3 + diff --git a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch new file mode 100644 index 000000000..cbf372ad9 --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch @@ -0,0 +1,31 @@ +From 297774fa4d01156c0327d6e6380a7ecae30bf875 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Mon, 23 Mar 2015 15:01:39 -0700 +Subject: [PATCH 1/2] cynara-db-migration.in: abort on errors + +"set -e" enables error checking for all commands invoked by the script. +Previously, errors were silently ignored. + +Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + migration/cynara-db-migration | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in +index ff9bd61..f6e7f94 100644 +--- a/migration/cynara-db-migration.in ++++ b/migration/cynara-db-migration.in +@@ -19,6 +19,8 @@ + # @brief Migration tool for Cynara's database + # + ++set -e ++ + ##### Constants (these must not be modified by shell) + + STATE_PATH='@LOCAL_STATE_DIR@/@PROJECT_NAME@' +-- +1.8.4.5 + diff --git a/meta-security/recipes-security/cynara/cynara/run-ptest b/meta-security/recipes-security/cynara/cynara/run-ptest new file mode 100755 index 000000000..f8dd5d8b4 --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/run-ptest @@ -0,0 +1,4 @@ +#!/bin/sh + +cynara-tests | sed -e 's/^\[ *OK *\] \(\S*\)$/PASS: \1/' -e 's/^\[ *FAILED *\] \(\S*\)$/FAIL: \1/' +sh /usr/bin/cynara-db-migration-tests | sed -e 's/^Test .*(\([^)]*\)).*passed.*/PASS: \1/' -e 's/^Test .*(\([^)]*\)).*failed.*/FAIL: \1/' |