Diffstat (limited to 'meta-security/recipes-security/cynara')
6 files changed, 354 insertions, 0 deletions
diff --git a/meta-security/recipes-security/cynara/cynara.inc b/meta-security/recipes-security/cynara/cynara.inc
new file mode 100644
index 000000000..0e823edcc
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara.inc
@@ -0,0 +1,158 @@
+DESCRIPTION = "Cynara service with client libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
+
+DEPENDS = " \
+dbus \
+glib-2.0 \
+systemd \
+zip \
+"
+
+# For testing:
+# DEPENDS += "gmock"
+
+PACKAGECONFIG ??= ""
+# Use debug mode to increase logging. Beware, also compiles with less optimization
+# and thus has to disable FORTIFY_SOURCE below.
+PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE,libunwind elfutils"
+
+inherit cmake
+
+CXXFLAGS_append = " \
+-DCYNARA_STATE_PATH=\\\\\"${localstatedir}/cynara/\\\\\" \
+-DCYNARA_LIB_PATH=\\\\\"${prefix}/lib/cynara/\\\\\" \
+-DCYNARA_TESTS_DIR=\\\\\"${prefix}/share/cynara/tests/\\\\\" \
+-DCYNARA_CONFIGURATION_DIR=\\\\\"${sysconfdir}/cynara/\\\\\" \
+${@bb.utils.contains('PACKAGECONFIG', 'debug', '-Wp,-U_FORTIFY_SOURCE', '', d)} \
+"
+
+EXTRA_OECMAKE += " \
+-DCMAKE_VERBOSE_MAKEFILE=ON \
+-DBUILD_WITH_SYSTEMD=ON \
+-DSYSTEMD_UNIT_DIR=${systemd_unitdir}/system \
+-DSOCKET_DIR=/run/cynara \
+"
+
+# Explicitly package empty directory. Otherwise Cynara prints warnings
+# at runtime:
+# cyad[198]: Couldn't scan for plugins in </usr/lib/cynara/plugin/service/> : <No such file or directory>
+FILES_${PN}_append = " \
+${libdir}/cynara/plugin/service \
+${libdir}/cynara/plugin/client \
+"
+
+# Testing depends on gmock and gtest. They can be found in meta-oe
+# and are not necessarily available, so this feature is off by default.
+# If gmock from meta-oe is used, then a workaround is needed to avoid
+# a link error (libgmock.a calls pthread functions without libpthread
+# being listed in the .pc file).
+PACKAGECONFIG[tests] = "-DBUILD_TESTS:BOOL=ON,-DBUILD_TESTS:BOOL=OFF,gmock gtest,"
+SRC_URI_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' file://gmock-pthread-linking.patch file://run-ptest', '', d)}"
+
+# Will be empty if no tests were built.
+inherit ptest
+FILES_${PN}-ptest += "${bindir}/cynara-tests ${bindir}/cynara-db-migration-tests ${datadir}/cynara/tests"
+do_install_ptest () {
+ if ${@bb.utils.contains('PACKAGECONFIG', 'tests', 'true', 'false', d)}; then
+ mkdir -p ${D}/${datadir}/cynara/tests
+ cp -r ${S}/test/db/* ${D}/${datadir}/cynara/tests
+ fi
+}
+
+do_compile_prepend () {
+ # en_US.UTF8 is not available, causing cynara-tests parser.getKeyAndValue to fail.
+ # Submitted upstream: https://github.com/Samsung/cynara/issues/10
+ sed -i -e 's/std::locale("en_US.UTF8")/std::locale::classic()/g' ${S}/test/credsCommons/parser/Parser.cpp
+}
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "-r cynara"
+USERADD_PARAM_${PN} = "\
+--system --home ${localstatedir}/lib/empty \
+--no-create-home --shell /bin/false \
+--gid cynara cynara \
+"
+
+# Causes deadlock during booting, see workaround in postinst below.
+#inherit systemd
+#SYSTEMD_SERVICE_${PN} = "cynara.service"
+
+do_install_append () {
+ chmod a+rx ${D}/${sbindir}/cynara-db-migration
+
+ install -d ${D}${sysconfdir}/cynara/
+ install -m 644 ${S}/conf/creds.conf ${D}/${sysconfdir}/cynara/creds.conf
+
+ # No need to create empty directories except for those which
+ # Cynara expects to find.
+ # install -d ${D}${localstatedir}/cynara/
+ # install -d ${D}${prefix}/share/cynara/tests/empty_db
+ install -d ${D}${libdir}/cynara/plugin/client
+ install -d ${D}${libdir}/cynara/plugin/service
+
+ # install db* ${D}${prefix}/share/cynara/tests/
+
+ install -d ${D}${systemd_unitdir}/system/sockets.target.wants
+ ln -s ../cynara.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara.socket
+ ln -s ../cynara-admin.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara-admin.socket
+ ln -s ../cynara-agent.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara-agent.socket
+}
+
+FILES_${PN} += "${systemd_unitdir}/system"
+
+# Cynara itself has no dependency on Smack. Only its installation
+# is Smack-aware in the sense that it sets Smack labels. Do not
+# depend on smack userspace unless we really need Smack labels.
+#
+# The Tizen .spec file calls cynara-db-migration in a %pre section.
+# That only works when cynara-db-migration is packaged separately
+# (overly complex) and does not seem necessary: perhaps there is a
+# time window where cynara might already get activated before
+# the postinst completes, but that is a general problem. It gets
+# avoided entirely when calling this script while building the
+# rootfs.
+RDEPENDS_${PN}_append_with-lsm-smack = " smack-userspace"
+DEPENDS_append_with-lsm-smack = " smack-userspace-native"
+CHSMACK_with-lsm-smack = "chsmack"
+CHSMACK = "true"
+pkg_postinst_${PN} () {
+ # Fail on error.
+ set -e
+
+ # It would be nice to run the code below while building an image,
+ # but currently the calls to cynara-db-chsgen (a binary) in
+ # cynara-db-migration (a script) prevent that. Rely instead
+ # on OE's support for running failed postinst scripts at first boot.
+ if [ x"$D" != "x" ]; then
+ exit 1
+ fi
+
+ mkdir -p $D${sysconfdir}/cynara
+ ${CHSMACK} -a System $D${sysconfdir}/cynara
+
+ # Strip git patch level information, the version comparison code
+ # in cynara-db-migration only expect major.minor.patch version numbers.
+ VERSION=${@bb.data.getVar('PV',d,1).split('+git')[0]}
+ if [ -d $D${localstatedir}/cynara ] ; then
+ # upgrade
+ echo "NOTE: updating cynara DB to version $VERSION"
+ $D${sbindir}/cynara-db-migration upgrade -f 0.0.0 -t $VERSION
+ else
+ # install
+ echo "NOTE: creating cynara DB for version $VERSION"
+ mkdir -p $D${localstatedir}/cynara
+ ${CHSMACK} -a System $D${localstatedir}/cynara
+ $D${sbindir}/cynara-db-migration install -t $VERSION
+ fi
+
+ # Workaround for systemd.bbclass issue: it would call
+ # "systemctl start" without "--no-block", but because
+ # the service is not ready to run at the time when
+ # this scripts gets executed by run-postinsts.service,
+ # booting deadlocks.
+ echo "NOTE: enabling and starting cynara service"
+ systemctl enable cynara
+ systemctl start --no-block cynara
+}
diff --git a/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch b/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch
new file mode 100644
index 000000000..7ad94ed40
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch
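Review bot: `pkg_postinst_${PN}` creates `$D${localstatedir}/cynara` and `$D${sysconfdir}/cynara` with a bare `mkdir -p`, so their owner and mode are whatever root's umask yields, even though the recipe adds a dedicated `cynara` system user via `USERADD_PARAM_${PN}`. Whether cyad runs as that user is not visible here; if it does, the policy database directory is unwritable, and if it runs as root the user is never used — either way the intended ownership should be explicit, e.g. `install -d -m 0750 -o cynara -g cynara $D${localstatedir}/cynara` in place of the `mkdir -p`. The upgrade path always passes `-f 0.0.0` to `cynara-db-migration upgrade` regardless of the installed DB version; whether the tool derives the real source version itself is not visible, so confirm that or record the previously installed version. `${@bb.data.getVar('PV',d,1)...}` uses the deprecated `bb.data` module; `${@d.getVar('PV', True).split('+git')[0]}` is the equivalent.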
@@ -0,0 +1,119 @@
+From 9d1ba2f7c5d72436b17d0f3982a00380c72a58f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 4 Jul 2016 13:54:59 +0200
+Subject: [PATCH] cmake: Improves directories and libsystemd
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The previous implementation was not fully compliant with
+standards. It was missing some of the predefined variable
+DATAROOTDIR, it was missing specificity of
+CMAKE_INSTALL_FULL_SYSCONFDIR. It also was not compatible
+with yocto build system bitbake.
+
+The library systemd is changing. The previous previous
+pkg-config files 'libsystemd-daemon' and 'libsystemd-journal'
+are now deprecated in favour of 'libsystemd'.
+
+Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/16]
+
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ CMakeLists.txt | 46 ++++++++++++++++++++--------------------------
+ 1 file changed, 20 insertions(+), 26 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b0ee75f..6a439e2 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -43,66 +43,60 @@ ENDIF (NOT BUILD_COMMONS AND NOT BUILD_SERVICE AND NOT BUILD_DBUS)
+ 
+ ########################## search for packages ################################
+ 
+-#1st case. User choose to build with systemd.
+-IF (DEFINED BUILD_WITH_SYSTEMD AND BUILD_WITH_SYSTEMD)
+- PKG_CHECK_MODULES(SYSTEMD_DEP
+- REQUIRED
+- libsystemd-daemon
+- libsystemd-journal
+- )
+-ENDIF (DEFINED BUILD_WITH_SYSTEMD AND BUILD_WITH_SYSTEMD)
++#Search the new libsystemd package
++PKG_CHECK_MODULES(SYSTEMD_DEP QUIET libsystemd)
+ 
+-#2nd case. User choose not to build with systemd. Noting to do in this case.
+-#IF (DEFINED BUILD_WITH_SYSTEMD AND NOT BUILD_WITH_SYSTEMD)
+-#ENDIF (DEFINED BUILD_WITH_SYSTEMD AND NOT BUILD_WITH_SYSTEMD)
+-
+-#3rd case. User did not choose. If we can we will use systemd.
+-IF (NOT DEFINED BUILD_WITH_SYSTEMD)
++#Fallback ot the oldest libsystemd packages
++IF(NOT SYSTEMD_DEP_FOUND)
+ PKG_CHECK_MODULES(SYSTEMD_DEP
+ QUIET
+ libsystemd-daemon
+ libsystemd-journal
+ )
+-
+- IF (SYSTEMD_DEP_FOUND)
+- SET(BUILD_WITH_SYSTEMD ON)
+- ENDIF (SYSTEMD_DEP_FOUND)
+-ENDIF (NOT DEFINED BUILD_WITH_SYSTEMD)
++ENDIF(NOT SYSTEMD_DEP_FOUND)
++
++#Enforce and check
++IF(SYSTEMD_DEP_FOUND)
++ #Enforce use of systemd if present
++ SET(BUILD_WITH_SYSTEMD ON)
++ELSEIF(BUILD_WITH_SYSTEMD)
++ MESSAGE(FATAL_ERROR "Can't find libsystemd")
++ENDIF()
+ 
+ ######################## directory configuration ############################
+ 
+ SET(LIB_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}"
++ "${CMAKE_INSTALL_FULL_LIBDIR}"
+ CACHE PATH
+ "Object code libraries directory")
+ 
+ SET(BIN_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}"
++ "${CMAKE_INSTALL_FULL_BINDIR}"
+ CACHE PATH
+ "User executables directory")
+ 
+ SET(SBIN_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_SBINDIR}"
++ "${CMAKE_INSTALL_FULL_SBINDIR}"
+ CACHE PATH
+ "System admin executables directory")
+ 
+ SET(SYS_CONFIG_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_SYSCONFDIR}"
++ "${CMAKE_INSTALL_FULL_SYSCONFDIR}"
+ CACHE PATH
+ "Read-only single-machine data directory")
+ 
+ SET(INCLUDE_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDEDIR}"
++ "${CMAKE_INSTALL_FULL_INCLUDEDIR}"
+ CACHE PATH
+ "Header files directory")
+ 
+ SET(LOCAL_STATE_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LOCALSTATEDIR}"
++ "${CMAKE_INSTALL_FULL_LOCALSTATEDIR}"
+ CACHE PATH
+ "Modifiable single-machine data directory")
+ 
+ SET(DATA_ROOT_DIR
+- "${CMAKE_INSTALL_PREFIX}/share"
++ "${CMAKE_INSTALL_FULL_DATAROOTDIR}"
+ CACHE PATH
+ "Read-only architecture-independent data root directory")
+ 
+--
+2.5.5
+
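Review bot: The new `IF(SYSTEMD_DEP_FOUND)` / `SET(BUILD_WITH_SYSTEMD ON)` block overrides an explicit `-DBUILD_WITH_SYSTEMD=OFF` whenever libsystemd happens to be installed on the build host, whereas the removed code honoured that choice (its "2nd case"); only the requested-but-missing combination is still checked. If forcing systemd on is intended the patch description should say so; otherwise guard the override with `IF(NOT DEFINED BUILD_WITH_SYSTEMD)` so a user's OFF is kept. The recipe itself passes `-DBUILD_WITH_SYSTEMD=ON`, so the OE build is unaffected, but the patch is marked as submitted upstream where it changes behaviour for everyone. Also `#Fallback ot the oldest libsystemd packages` has a typo (`ot` → `to`) and describes the older, now-deprecated pkg-config names rather than the "oldest"; and OE's patch guidelines spell the tag `Upstream-Status:`, which the layer's patch checks look for, rather than `Upstream-status:` as used here and in the other two patches.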
diff --git a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
new file mode 100644
index 000000000..cbf372ad9
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
@@ -0,0 +1,31 @@
+From 297774fa4d01156c0327d6e6380a7ecae30bf875 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Mon, 23 Mar 2015 15:01:39 -0700
+Subject: [PATCH 1/2] cynara-db-migration.in: abort on errors
+
+"set -e" enables error checking for all commands invoked by the script.
+Previously, errors were silently ignored.
+
+Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ migration/cynara-db-migration | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in
+index ff9bd61..f6e7f94 100644
+--- a/migration/cynara-db-migration.in
++++ b/migration/cynara-db-migration.in
+@@ -19,6 +19,8 @@
+ # @brief Migration tool for Cynara's database
+ #
+ 
++set -e
++
+ ##### Constants (these must not be modified by shell)
+ 
+ STATE_PATH='@LOCAL_STATE_DIR@/@PROJECT_NAME@'
+--
+1.8.4.5
+
diff --git a/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch b/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch
new file mode 100644
index 000000000..1a204eb14
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch
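Review bot: The patch subject is `[PATCH 1/2]`, but no companion `2/2` is carried by the recipe (cynara_git.bb applies only this patch and the cmake one), so a reader cannot tell whether the second half was dropped on purpose or lost. A one-line comment next to the `SRC_URI +=` entry in the recipe, e.g. `# Only 1/2 of the upstream series is needed here; 2/2 is <reason>`, would settle that. Adding `set -e` to a migration script that moves the policy database is the right direction; note that under `set -e` any partially completed step now leaves the script exiting mid-way, so the recipe's postinst, which already runs with `set -e` itself, will surface that as a failed first-boot postinst rather than a silent half-migrated DB.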
@@ -0,0 +1,31 @@
+From 80cc04091410d6a322fee1a2922fdf867395f00a Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Fri, 29 May 2015 10:21:57 +0200
+Subject: [PATCH] work around gmock pthread dependency
+
+In meta-oe, gmock's .pc file does not declare that users of
+gmock must link against pthread. Let's work around that
+here by always linking tests against libpthread.
+
+Upstream-status: Inappropriate [embedded specific]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ test/CMakeLists.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
+index 25a70db..f490a24 100644
+--- a/test/CMakeLists.txt
++++ b/test/CMakeLists.txt
+@@ -138,6 +138,7 @@ ADD_EXECUTABLE(${TARGET_CYNARA_TESTS}
+ TARGET_LINK_LIBRARIES(${TARGET_CYNARA_TESTS}
+ ${PKGS_LDFLAGS}
+ ${PKGS_LIBRARIES}
++ pthread
+ crypt
+ )
+ INSTALL(TARGETS ${TARGET_CYNARA_TESTS} DESTINATION ${BIN_INSTALL_DIR})
+--
+2.1.4
+
diff --git a/meta-security/recipes-security/cynara/cynara/run-ptest b/meta-security/recipes-security/cynara/cynara/run-ptest
new file mode 100755
index 000000000..f8dd5d8b4
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/run-ptest
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+cynara-tests | sed -e 's/^\[ *OK *\] \(\S*\)$/PASS: \1/' -e 's/^\[ *FAILED *\] \(\S*\)$/FAIL: \1/'
+sh /usr/bin/cynara-db-migration-tests | sed -e 's/^Test .*(\([^)]*\)).*passed.*/PASS: \1/' -e 's/^Test .*(\([^)]*\)).*failed.*/FAIL: \1/'
diff --git a/meta-security/recipes-security/cynara/cynara_git.bb b/meta-security/recipes-security/cynara/cynara_git.bb
new file mode 100644
index 000000000..6e387d41e
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara_git.bb
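Review bot: In run-ptest the second runner is invoked as `sh /usr/bin/cynara-db-migration-tests` with a hardcoded path, while `cynara-tests` on the line above is resolved from PATH; cynara.inc packages both under `${bindir}`, so `cynara-db-migration-tests | sed ...` would be consistent and would survive a non-default bindir, provided the file is installed executable (not visible here). Neither pipeline reports the test binary's own exit status (a pipeline returns sed's), so a crash of either runner before it prints a result yields no `FAIL:` line at all and the ptest shows up as silently empty rather than failed; capturing the output to a file first and emitting an explicit `FAIL:` on a nonzero status would make that visible. The gmock patch's `pthread` is linked by bare name in an otherwise legacy-style CMake file, which is fine for an embedded-specific workaround.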
@@ -0,0 +1,11 @@
+require cynara.inc
+
+PV = "0.11.0+git${SRCPV}"
+SRCREV = "973765e329f8a84c1549cb2b0c65ccb1cce3c2d3"
+SRC_URI = "git://github.com/Samsung/cynara.git"
+S = "${WORKDIR}/git"
+
+SRC_URI += " \
+file://cynara-db-migration-abort-on-errors.patch \
+file://cmake-Improves-directories-and-libsystemd.patch \
+" |
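Review bot: `SRC_URI = "git://github.com/Samsung/cynara.git"` fetches over the plain git:// transport, which is neither encrypted nor authenticated; the pinned `SRCREV` ensures the checked-out commit is the intended one, but the transport can be blocked or tampered with on the way, and newer bitbake releases also require an explicit branch for git URLs. `SRC_URI = "git://github.com/Samsung/cynara.git;protocol=https;branch=master"` (or whichever branch holds the pinned commit) gives a TLS-protected fetch and an explicit branch. Listing the two `file://` patches inside a separate `SRC_URI +=` immediately after the `SRC_URI =` assignment is a small style point; a single assignment with the git URL and the patches on continuation lines reads more directly.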