Diffstat (limited to 'meta-security/recipes-security/smacknet')
-rw-r--r--meta-security/recipes-security/smacknet/files/smacknet184
-rw-r--r--meta-security/recipes-security/smacknet/files/smacknet.service11
-rw-r--r--meta-security/recipes-security/smacknet/smacknet.bb29
3 files changed, 0 insertions, 224 deletions
diff --git a/meta-security/recipes-security/smacknet/files/smacknet b/meta-security/recipes-security/smacknet/files/smacknet
deleted file mode 100644
index 3818d30ae..000000000
--- a/meta-security/recipes-security/smacknet/files/smacknet
+++ /dev/null
@@ -1,184 +0,0 @@
-#!/usr/bin/python
-# Copyright (c) 2012, 2013, Intel Corporation
-# Copyright (c) 2009 David Wolinsky <davidiw@ufl.edu), University of Florida
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# 3. The name of the author may not be used to endorse or promote products
-# derived from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-import socket,fcntl, struct, thread
-import os.path
-import sys
-
-SMACKFS_LOAD="/sys/fs/smackfs/load2"
-SMACKFS_NETLABEL="/sys/fs/smackfs/netlabel"
-SIOCGIFADDR = 0x8915
-SIOCGIFNETMASK = 0x891b
-
-def get_ip_address(ifname):
- s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
- return fcntl.ioctl(s.fileno(), SIOCGIFADDR,
- struct.pack('256s', ifname.encode("utf-8")))[20:24]
-
-def get_netmask(ifname):
- s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
- return fcntl.ioctl(s.fileno(), SIOCGIFNETMASK,
- struct.pack('256s', ifname.encode("utf-8")))[20:24]
-
-def applynetlabeltags(interface, addr):
- if not interface.startswith("lo"):
- bmask = get_netmask(interface.encode("utf-8"))
- prefix = bin(struct.unpack(">L", bmask)[0]).count("1")
- tags = [
- addr+"/"+str(prefix)+" Network::Local\n",
- "0.0.0.0/0 Network::Cloud\n",
- "127.0.0.1/8 -CIPSO\n"]
- smackfs_netlabel(tags)
-
-def loadnetlabelrules():
- rulesSystem = [
- "System Network::Cloud w\n",
- "System Network::Local w\n",
- "Network::Cloud System w\n",
- "Network::Local System w\n"]
- smackfs_load2(rulesSystem)
-
-def smackfs_load2 (rules):
- with open(SMACKFS_LOAD, "w") as load2:
- for rule in rules:
- load2.write(rule)
-
-def smackfs_netlabel (tags):
- for tag in tags:
- with open(SMACKFS_NETLABEL, "w") as netlabel:
- netlabel.write(tag)
-
-"""
- Source of: Class ip monitor, and other functions named bellow.
- Original author: David Wolinsky <davidiw@ufl.edu
- Copied from: https://github.com/davidiw/Grid-Appliance/blob/master/scripts/ip_monitor.py
-
-"""
-
-"""4 byte alignment"""
-
-def align(inc):
- diff = inc % 4
- return inc + ((4 - diff) % 4)
-
-class ifaddr:
- """Parse an ifaddr packet"""
- LOCAL = 2
- LABEL = 3
-
- def __init__(self, packet):
- self.family, self.prefixlen, self.flags, self.scope, self.index = \
- struct.unpack("BBBBI", packet[:8])
-
-class rtattr:
- """Parse a rtattr packet"""
- GRP_IPV4_IFADDR = 0x10
-
- NEWADDR = 20
- DELADDR = 21
- GETADDR = 22
-
- def __init__(self, packet):
- self.len, self.type = struct.unpack("HH", packet[:4])
- if self.type == ifaddr.LOCAL:
- addr = struct.unpack("BBBB", packet[4:self.len])
- self.payload = "%s.%s.%s.%s" % (addr[0], addr[1], addr[2], addr[3])
- elif self.type == ifaddr.LABEL:
- self.payload = packet[4:self.len].strip("\0")
- else:
- self.payload = packet[4:self.len]
-
-class netlink:
- """Parse a netlink packet"""
- REQUEST = 1
- ROOT = 0x100
- MATCH = 0x200
- DONE = 3
-
- def __init__(self, packet):
- self.msglen, self.msgtype, self.flags, self.seq, self.pid = \
- struct.unpack("IHHII", packet[:16])
- self.ifa = None
- try:
- self.ifa = ifaddr(packet[16:24])
- except:
- return
-
- self.rtas = {}
- pos = 24
- while pos < self.msglen:
- try:
- rta = rtattr(packet[pos:])
- except:
- break
- pos += align(rta.len)
- self.rtas[rta.type] = rta.payload
-
-class ip_monitor:
- def __init__(self, callback = None):
- if callback == None:
- callback = self.print_cb
- self._callback = callback
-
- def print_cb(self, label, addr):
- print (label + " => " + addr)
-
- def request_addrs(self, sock):
- sock.send(struct.pack("IHHIIBBBBI", 24, rtattr.GETADDR, \
- netlink.REQUEST | netlink.ROOT | netlink.MATCH, 0, sock.getsockname()[0], \
- socket.AF_INET, 0, 0, 0, 0))
-
- def start_thread(self):
- thread.start_new_thread(self.run, ())
-
- def run(self):
- sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
- sock.bind((0, rtattr.GRP_IPV4_IFADDR))
- self.request_addrs(sock)
-
- while True:
- data = sock.recv(4096)
- pos = 0
- while pos < len(data):
- nl = netlink(data[pos:])
- if nl.msgtype == netlink.DONE:
- break
- pos += align(nl.msglen)
- if nl.msgtype != rtattr.NEWADDR:
- continue
- self._callback(nl.rtas[ifaddr.LABEL], nl.rtas[ifaddr.LOCAL])
-
-def main():
- if not os.path.isfile(SMACKFS_LOAD):
- print ("Smack not found.")
- return -1
- loadnetlabelrules()
-
- ip_monitor(applynetlabeltags).run()
-
-if __name__ == "__main__":
- main()
diff --git a/meta-security/recipes-security/smacknet/files/smacknet.service b/meta-security/recipes-security/smacknet/files/smacknet.service
deleted file mode 100644
index 218d8b896..000000000
--- a/meta-security/recipes-security/smacknet/files/smacknet.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=netlabels configuration for SMACK
-Wants=network.target network-online.target
-After=network.target network-online.target
-
-[Service]
-TimeoutStartSec=0
-ExecStart=@BINDIR@/smacknet
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta-security/recipes-security/smacknet/smacknet.bb b/meta-security/recipes-security/smacknet/smacknet.bb
deleted file mode 100644
index 250cdb132..000000000
--- a/meta-security/recipes-security/smacknet/smacknet.bb
+++ /dev/null
@@ -1,29 +0,0 @@
-#SMACKNET Description
-SUMMARY = "Smack network labels configuration"
-DESCRIPTION = "Provide service that will be labeling the network rules"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9"
-RDEPENDS_${PN} = "python"
-
-SRC_URI += "file://smacknet \
- file://smacknet.service \
- "
-S = "${WORKDIR}"
-
-inherit systemd
-
-inherit features_check
-REQUIRED_DISTRO_FEATURES = "smack"
-
-#netlabel configuration service
-SYSTEMD_SERVICE_${PN} = "smacknet.service"
-SYSTEMD_AUTO_ENABLE = "enable"
-do_install(){
- install -d ${D}${bindir}
- install -m 0551 ${WORKDIR}/smacknet ${D}${bindir}
-
- install -d -m 755 ${D}${systemd_unitdir}/system
- install -m 644 ${WORKDIR}/smacknet.service ${D}${systemd_unitdir}/system
- sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_unitdir}/system/smacknet.service
-}
-