Diffstat (limited to 'meta-security/recipes-security')
31 files changed, 0 insertions, 1986 deletions
diff --git a/meta-security/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch b/meta-security/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch deleted file mode 100644 index 6e1827c08..000000000 --- a/meta-security/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch +++ /dev/null @@ -1,42 +0,0 @@ -From df878b92e01f4d1c3de7f7d8229cea6a431509eb Mon Sep 17 00:00:00 2001 -From: Mingli Yu <mingli.yu@windriver.com> -Date: Wed, 19 Feb 2020 15:23:40 +0800 -Subject: [PATCH] lib/i386_table.h: add new syscall - -On 32bit system, -After upgrade glibc to 2.31 - # strace -o /tmp/test.log date -s 09:16:45 - # tail -f /tmp/test.log - close(3) = 0 - stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=114, ...}) = 0 - clock_settime64(CLOCK_REALTIME, {tv_sec=1582103805, tv_nsec=0}) = 0 - fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x4, 0x40), ...}) = 0 - ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0 - write(1, "Wed Feb 19 09:16:45 UTC 2020\n", 29) = 29 - close(1) = 0 - close(2) = 0 - exit_group(0) = ? - +++ exited with 0 +++ - -It means the clock_settime64 syscall is used, so -add the syscall. - -Upstream-Status: Submitted [https://github.com/linux-audit/audit-userspace/pull/116] - -Signed-off-by: Mingli Yu <mingli.yu@windriver.com> ---- - lib/i386_table.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/i386_table.h b/lib/i386_table.h -index 1a64c88..65fd4d9 100644 ---- a/lib/i386_table.h -+++ b/lib/i386_table.h -@@ -405,3 +405,4 @@ _S(383, "statx") - _S(384, "arch_prctl") - _S(385, "io_pgetevents") - _S(386, "rseq") -+_S(404, "clock_settime64") --- -2.7.4 - diff --git a/meta-security/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/meta-security/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch deleted file mode 100644 index bb6c61e80..000000000 
--- a/meta-security/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
+++ /dev/null
@@ -1,133 +0,0 @@ -From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Tue, 26 Feb 2019 18:33:33 -0500 -Subject: [PATCH] Add substitue functions for strndupa & rawmemchr - -Upstream-Status: Backport -[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e] ---- - auparse/auparse.c | 12 +++++++++++- - auparse/interpret.c | 9 ++++++++- - configure.ac | 14 +++++++++++++- - src/ausearch-lol.c | 12 +++++++++++- - 4 files changed, 43 insertions(+), 4 deletions(-) - -diff --git a/auparse/auparse.c b/auparse/auparse.c -index 650db02..2e1c737 100644 ---- a/auparse/auparse.c -+++ b/auparse/auparse.c -@@ -1,5 +1,5 @@ - /* auparse.c -- -- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina. -+ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This library is free software; you can redistribute it and/or -@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e) - return 0; - } - -+#ifndef HAVE_STRNDUPA -+static inline char *strndupa(const char *old, size_t n) -+{ -+ size_t len = strnlen(old, n); -+ char *tmp = alloca(len + 1); -+ tmp[len] = 0; -+ return memcpy(tmp, old, len); -+} -+#endif -+ - /* Returns 0 on success and 1 on error */ - static int extract_timestamp(const char *b, au_event_t *e) - { -diff --git a/auparse/interpret.c b/auparse/interpret.c -index 51c4a5e..67b7b77 100644 ---- a/auparse/interpret.c -+++ b/auparse/interpret.c -@@ -853,6 +853,13 @@ err_out: - return print_escaped(id->val); - } - -+// rawmemchr is faster. Let's use it if we have it. 
-+#ifdef HAVE_RAWMEMCHR -+#define STRCHR rawmemchr -+#else -+#define STRCHR strchr -+#endif -+ - static const char *print_proctitle(const char *val) - { - char *out = (char *)print_escaped(val); -@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val) - // Proctitle has arguments separated by NUL bytes - // We need to write over the NUL bytes with a space - // so that we can see the arguments -- while ((ptr = rawmemchr(ptr, '\0'))) { -+ while ((ptr = STRCHR(ptr, '\0'))) { - if (ptr >= end) - break; - *ptr = ' '; -diff --git a/configure.ac b/configure.ac -index 54bdbf1..aef07fb 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1,7 +1,7 @@ - dnl - define([AC_INIT_NOTICE], - [### Generated automatically using autoconf version] AC_ACVERSION [ --### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com> -+### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com> - ### - ### Permission is hereby granted, free of charge, to any person obtaining a - ### copy of this software and associated documentation files (the "Software"), -@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote - AC_CHECK_FUNCS([posix_fallocate]) - dnl; signalfd is needed for libev - AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ]) -+dnl; check if rawmemchr is available -+AC_CHECK_FUNCS([rawmemchr]) -+dnl; check if strndupa is available -+AC_LINK_IFELSE( -+ [AC_LANG_SOURCE( -+ [[ -+ #define _GNU_SOURCE -+ #include <string.h> -+ int main() { (void) strndupa("test", 10); return 0; }]])], -+ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])], -+ [] -+) - - ALLWARNS="" - ALLDEBUG="-g" -diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c -index 5d17a72..758c33e 100644 ---- a/src/ausearch-lol.c -+++ b/src/ausearch-lol.c -@@ -1,6 +1,6 @@ - /* - * ausearch-lol.c - linked list of linked lists library --* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina. 
-+* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the -@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2) - return 0; - } - -+#ifndef HAVE_STRNDUPA -+static inline char *strndupa(const char *old, size_t n) -+{ -+ size_t len = strnlen(old, n); -+ char *tmp = alloca(len + 1); -+ tmp[len] = 0; -+ return memcpy(tmp, old, len); -+} -+#endif -+ - /* - * This function will look at the line and pick out pieces of it. - */ --- -2.7.4 - diff --git a/meta-security/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/meta-security/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch deleted file mode 100644 index 7c2699540..000000000 --- a/meta-security/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From a07271f1cce82122610b622bcea4a8a37528f321 Mon Sep 17 00:00:00 2001 -From: Li xin <lixin.fnst@cn.fujitsu.com> -Date: Sun, 19 Jul 2015 02:42:58 +0900 -Subject: [PATCH] audit: Fixed swig host contamination issue - -The audit build uses swig to generate a python wrapper. -Unfortunately, the swig info file references host include -directories. Some of these were previously noticed and -eliminated, but the one fixed here was not. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com> -Signed-off-by: Joe Slater <jslater@windriver.com> -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - bindings/swig/python3/Makefile.am | 3 ++- - bindings/swig/src/auditswig.i | 2 +- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am -index 9938418..fa46aac 100644 ---- a/bindings/swig/python3/Makefile.am -+++ b/bindings/swig/python3/Makefile.am -@@ -22,6 +22,7 @@ - CONFIG_CLEAN_FILES = *.loT *.rej *.orig - AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS) - AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES) -+STDINC ?= /usr/include - LIBS = $(top_builddir)/lib/libaudit.la - SWIG_FLAGS = -python -py3 -modern - SWIG_INCLUDES = -I. 
-I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES) -@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi - _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la - nodist__audit_la_SOURCES = audit_wrap.c - audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i -- swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} ${srcdir}/../src/auditswig.i -+ swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) ${srcdir}/../src/auditswig.i - - CLEANFILES = audit.py* audit_wrap.c *~ - -diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i -index 7ebb373..424fb68 100644 ---- a/bindings/swig/src/auditswig.i -+++ b/bindings/swig/src/auditswig.i -@@ -39,7 +39,7 @@ signed - #define __attribute(X) /*nothing*/ - typedef unsigned __u32; - typedef unsigned uid_t; --%include "/usr/include/linux/audit.h" -+%include "linux/audit.h" - #define __extension__ /*nothing*/ - #include <stdint.h> - %include "../lib/libaudit.h" --- -2.7.4 - diff --git a/meta-security/recipes-security/audit/audit/audit-volatile.conf b/meta-security/recipes-security/audit/audit/audit-volatile.conf deleted file mode 100644 index 9cbe1547a..000000000 --- a/meta-security/recipes-security/audit/audit/audit-volatile.conf +++ /dev/null @@ -1 +0,0 @@ -d /var/log/audit 0750 root root - diff --git a/meta-security/recipes-security/audit/audit/auditd b/meta-security/recipes-security/audit/audit/auditd deleted file mode 100755 index cda2e43d4..000000000 --- a/meta-security/recipes-security/audit/audit/auditd +++ /dev/null 
@@ -1,153 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: auditd -# Required-Start: $local_fs -# Required-Stop: $local_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Audit Daemon -# Description: Collects audit information from Linux 2.6 Kernels. -### END INIT INFO - -# Author: Philipp Matthias Hahn <pmhahn@debian.org> -# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init - -# June, 2012: Adopted for yocto <amy.fong@windriver.com> - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/bin:/usr/sbin:/usr/bin -DESC="audit daemon" -NAME=auditd -DAEMON=/sbin/auditd -PIDFILE=/var/run/"$NAME".pid -SCRIPTNAME=/etc/init.d/"$NAME" - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME" - -. /etc/default/rcS - -. /etc/init.d/functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \ - || return 1 - start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \ - $EXTRAOPTIONS \ - || return 2 - if [ -f /etc/audit/audit.rules ] - then - /sbin/auditctl -R /etc/audit/audit.rules >/dev/null - fi -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME" - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. 
- rm -f "$PIDFILE" - rm -f /var/run/audit_events - # Remove watches so shutdown works cleanly - case "$AUDITD_CLEAN_STOP" in - no|NO) ;; - *) /sbin/auditctl -D >/dev/null ;; - esac - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -if [ ! -e /var/log/audit ]; then - mkdir -p /var/log/audit - [ -x /sbin/restorecon ] && /sbin/restorecon -F /var/log/audit -fi - -case "$1" in - start) - [ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && echo 0 ;; - 2) [ "$VERBOSE" != no ] && echo 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && echo 0 ;; - 2) [ "$VERBOSE" != no ] && echo 1 ;; - esac - ;; - reload|force-reload) - echo "Reloading $DESC" "$NAME" - do_reload - echo $? - ;; - restart) - echo "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) echo 0 ;; - 1) echo 1 ;; # Old process is still running - *) echo 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - echo 1 - ;; - esac - ;; - rotate) - echo "Rotating $DESC logs" "$NAME" - start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME" - echo $? - ;; - status) - pidofproc "$DAEMON" >/dev/null - status=$? - if [ $status -eq 0 ]; then - echo "$NAME is running." - else - echo "$NAME is not running." - fi - exit $status - ;; - *) - echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2 - exit 3 - ;; -esac - -: diff --git a/meta-security/recipes-security/audit/audit/auditd.service b/meta-security/recipes-security/audit/audit/auditd.service deleted file mode 100644 index ebc079897..000000000 --- a/meta-security/recipes-security/audit/audit/auditd.service +++ /dev/null 
@@ -1,20 +0,0 @@
-[Unit]
-Description=Security Auditing Service
-DefaultDependencies=no
-After=local-fs.target
-Conflicts=shutdown.target
-Before=sysinit.target shutdown.target
-After=systemd-tmpfiles-setup.service
-
-[Service]
-ExecStart=/sbin/auditd -n
-## To use augenrules, copy this file to /etc/systemd/system/auditd.service
-## and uncomment the next line and delete/comment out the auditctl line.
-## Then copy existing rules to /etc/audit/rules.d/
-## Not doing this last step can cause loss of existing rules
-#ExecStartPost=-/sbin/augenrules --load
-ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta-security/recipes-security/audit/audit_2.8.5.bb b/meta-security/recipes-security/audit/audit_2.8.5.bb
deleted file mode 100644
index af36ed5e2..000000000
--- a/meta-security/recipes-security/audit/audit_2.8.5.bb
+++ /dev/null
@@ -1,106 +0,0 @@ -SUMMARY = "User space tools for kernel auditing" -DESCRIPTION = "The audit package contains the user space utilities for \ -storing and searching the audit records generated by the audit subsystem \ -in the Linux kernel." -HOMEPAGE = "http://people.redhat.com/sgrubb/audit/" -SECTION = "base" -LICENSE = "GPLv2+ & LGPLv2+" -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" - -SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \ - file://Add-substitue-functions-for-strndupa-rawmemchr.patch \ - file://Fixed-swig-host-contamination-issue.patch \ - file://0001-lib-i386_table.h-add-new-syscall.patch \ - file://auditd \ - file://auditd.service \ - file://audit-volatile.conf \ -" - -S = "${WORKDIR}/git" -SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c" - -inherit autotools python3native update-rc.d systemd - -UPDATERCPN = "auditd" -INITSCRIPT_NAME = "auditd" -INITSCRIPT_PARAMS = "defaults" - -SYSTEMD_PACKAGES = "auditd" -SYSTEMD_SERVICE_auditd = "auditd.service" - -DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native" - -EXTRA_OECONF += "--without-prelude \ - --with-libwrap \ - --enable-gssapi-krb5=no \ - --with-libcap-ng=yes \ - --with-python3=yes \ - --libdir=${base_libdir} \ - --sbindir=${base_sbindir} \ - --without-python \ - --without-golang \ - --disable-zos-remote \ - " -EXTRA_OECONF_append_arm = " --with-arm=yes" -EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes" - -EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ - PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ - pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ - STDINC='${STAGING_INCDIR}' \ - pkgconfigdir=${libdir}/pkgconfig \ - " - -SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher" -DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \ -interface to the audit system, audispd. 
These plugins can do things \ -like relay events to remote machines or analyze events for suspicious \ -behavior." - -PACKAGES =+ "audispd-plugins" -PACKAGES += "auditd ${PN}-python" - -FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*" -FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*" -FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \ - ${sysconfdir}/audisp/plugins.d/au-remote.conf \ - ${sbindir}/audisp-remote ${localstatedir}/spool/audit \ - " -FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" -FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" - -CONFFILES_auditd += "${sysconfdir}/audit/audit.rules" -RDEPENDS_auditd += "bash" - -do_install_append() { - rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a - rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la - - # reuse auditd config - [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default - mv ${D}/etc/sysconfig/auditd ${D}/etc/default - rmdir ${D}/etc/sysconfig/ - - # replace init.d - install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd - rm -rf ${D}/etc/rc.d - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d/ - install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ - fi - - # install systemd unit files - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system - - # audit-2.5 doesn't install any rules by default, so we do that here - mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d - cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules - - chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d - chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules - - # Based on the audit.spec "Copy default rules into place on new installation" - cp ${D}/etc/audit/rules.d/audit.rules 
${D}/etc/audit/audit.rules -} diff --git a/meta-security/recipes-security/cynagoauth/cynagoauth_0.1.bb b/meta-security/recipes-security/cynagoauth/cynagoauth_0.1.bb deleted file mode 100644 index c77c99189..000000000 --- a/meta-security/recipes-security/cynagoauth/cynagoauth_0.1.bb +++ /dev/null @@ -1,23 +0,0 @@ -DESCRIPTION = "OAuth server using cynagora backend" -LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" - -SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagoauth.git;protocol=https;branch=${AGL_BRANCH}" -SRCREV = "26a5dbddf3a9bfde481a6fcd2aae16c7ecba665f" -PV = "0.1+git${SRCPV}" - -S = "${WORKDIR}/git" - -DEPENDS = "json-c libmicrohttpd openssl cynagora" - -inherit cmake - -EXTRA_OECMAKE += " \ - -DDEFAULTHOSTS=:7777 \ - -DDEFAULTURL=http://localhost:7777/tok \ - -DUNITDIR_SYSTEM=${systemd_system_unitdir} \ -" - -FILES_${PN} += "${systemd_system_unitdir}" - - diff --git a/meta-security/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb b/meta-security/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb deleted file mode 100644 index f146051cd..000000000 --- a/meta-security/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb +++ /dev/null @@ -1,30 +0,0 @@ -DESCRIPTION = "Cynara service with client libraries" -LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57" - -SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}" -SRCREV = "7d7907651c42c5c32deabc17b639e0e1765eae60" -PV = "2.1+git${SRCPV}" - -S = "${WORKDIR}/git" - -inherit cmake - -PROVIDES = "cynara" -RPROVIDES_${PN} = "cynara" -DEPENDS = "libcap" -RDEPENDS_${PN} = "cynagora" - -EXTRA_OECMAKE += " \ - -DWITH_SYSTEMD=OFF \ - -DWITH_CYNARA_COMPAT=ON \ - -DDIRECT_CYNARA_COMPAT=ON \ -" - -do_install_append() { - # remove cynagora stuff - rm $(find ${D} -name '*cynagora*') - # remove stupid test - rm -r ${D}${bindir} -} - 
diff --git a/meta-security/recipes-security/cynagora/cynagora/run-ptest b/meta-security/recipes-security/cynagora/cynagora/run-ptest
deleted file mode 100755
index f95f0725b..000000000
--- a/meta-security/recipes-security/cynagora/cynagora/run-ptest
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-# test access to cynagora server
-cynagora-admin list > /dev/null
diff --git a/meta-security/recipes-security/cynagora/cynagora_2.1.bb b/meta-security/recipes-security/cynagora/cynagora_2.1.bb
deleted file mode 100644
index 73f2f0949..000000000
--- a/meta-security/recipes-security/cynagora/cynagora_2.1.bb
+++ /dev/null
@@ -1,38 +0,0 @@
-DESCRIPTION = "Cynagora service and client libraries"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}"
-SRCREV = "7d7907651c42c5c32deabc17b639e0e1765eae60"
-PV = "2.1+git${SRCPV}"
-
-S = "${WORKDIR}/git"
-
-DEPENDS = "systemd libcap"
-
-inherit cmake
-
-EXTRA_OECMAKE += " \
- -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
- -DWITH_SYSTEMD=ON \
- -DWITH_CYNARA_COMPAT=OFF \
-"
-
-inherit useradd
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "-r cynagora"
-USERADD_PARAM_${PN} = "\
---system --home ${localstatedir}/lib/empty \
---no-create-home --shell /bin/false \
---gid cynagora cynagora \
-"
-
-FILES_${PN} += "${systemd_system_unitdir}"
-
-PACKAGES =+ "${PN}-tools"
-FILES_${PN}-tools += "${bindir}/cynagora-admin ${bindir}/cynagora-agent"
-RDEPENDS_${PN}_append_agl-devel = " ${PN}-tools"
-
-inherit ptest
-SRC_URI_append = " file://run-ptest"
-RDEPENDS_${PN}-ptest_append = " ${PN}-tools"
diff --git a/meta-security/recipes-security/security-manager/security-manager.inc b/meta-security/recipes-security/security-manager/security-manager.inc
deleted file mode 100644
index e1d1f4011..000000000
--- a/meta-security/recipes-security/security-manager/security-manager.inc
+++ /dev/null
@@ -1,83 +0,0 @@ -DESCRIPTION = "Security manager and utilities" -LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3" - -inherit cmake - -B = "${S}" - -DEPENDS = " \ - attr \ - boost \ - cynara \ - icu \ - libcap \ - smack \ - sqlite3 \ - systemd \ -" - -PACKAGECONFIG ??= "" -PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE" - -TZ_SYS_DB ?= "/var/db/security-manager" - -EXTRA_OECMAKE = " \ - -DCMAKE_VERBOSE_MAKEFILE=ON \ - -DVERSION=${PV} \ - -DSYSTEMD_INSTALL_DIR=${systemd_unitdir}/system \ - -DBIN_INSTALL_DIR=${bindir} \ - -DDB_INSTALL_DIR=${TZ_SYS_DB} \ - -DLIB_INSTALL_DIR=${libdir} \ - -DSHARE_INSTALL_PREFIX=${datadir} \ - -DINCLUDE_INSTALL_DIR=${includedir} \ -" - -inherit systemd -SYSTEMD_SERVICE_${PN} = "security-manager.service" - -inherit features_check -REQUIRED_DISTRO_FEATURES += "smack" - -# The upstream source code contains the Tizen-specific policy configuration files. -# To replace them, create a security-manager.bbappend and set the following variable to a -# space-separated list of policy file names (not URIs!), for example: -# SECURITY_MANAGER_POLICY = "privilege-group.list usertype-system.profile" -# -# Leave it empty to use the upstream Tizen policy. 
-SECURITY_MANAGER_POLICY ?= "" -SRC_URI_append = " ${@' '.join(['file://' + x for x in d.getVar('SECURITY_MANAGER_POLICY', True).split()])}" -python do_patch_append () { - import os - import shutil - import glob - files = d.getVar('SECURITY_MANAGER_POLICY', True).split() - if files: - s = d.getVar('S', True) - workdir = d.getVar('WORKDIR', True) - for pattern in ['*.profile', '*.list']: - for old_file in glob.glob(s + '/policy/' + pattern): - os.unlink(old_file) - for file in files: - shutil.copy(file, s + '/policy') -} - -do_install_append () { - install -d ${D}/${systemd_unitdir}/system/multi-user.target.wants - ln -s ../security-manager.service ${D}/${systemd_unitdir}/system/multi-user.target.wants/security-manager.service - install -d ${D}/${systemd_unitdir}/system/sockets.target.wants - ln -s ../security-manager.socket ${D}/${systemd_unitdir}/system/sockets.target.wants/security-manager.socket -} - -RDEPENDS_${PN} += "sqlite3 cynara" -FILES_${PN} += " \ - ${systemd_unitdir} \ - ${TZ_SYS_DB} \ - ${bindir}/.security-manager-setup \ -" - -PACKAGES =+ "${PN}-policy" -FILES_${PN}-policy = " \ - ${datadir}/${PN} \ - ${bindir}/security-manager-policy-reload \ -" diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch b/meta-security/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch deleted file mode 100644 index 91ce81963..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 3d9d1d83fe298a364f51ad752c17aad461beded3 Mon Sep 17 00:00:00 2001 -From: Patrick Ohly <patrick.ohly@intel.com> -Date: Tue, 24 Mar 2015 04:54:03 -0700 -Subject: [PATCH 01/14] systemd: stop using compat libs - -libsystemd-journal and libsystemd-daemon are considered obsolete -in systemd since 2.09 and may not be available (not compiled -by default). - -The code works fine with the current libsystemd, so just -use that. - -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> -Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 ---- - src/common/CMakeLists.txt | 2 +- - src/server/CMakeLists.txt | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt -index 2da9c3e..968c7c1 100644 ---- a/src/common/CMakeLists.txt -+++ b/src/common/CMakeLists.txt -@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2) - - PKG_CHECK_MODULES(COMMON_DEP - REQUIRED -- libsystemd-journal -+ libsystemd - libsmack - db-util - cynara-admin -diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt -index 753eb96..6849d76 100644 ---- a/src/server/CMakeLists.txt -+++ b/src/server/CMakeLists.txt -@@ -1,6 +1,6 @@ - PKG_CHECK_MODULES(SERVER_DEP - REQUIRED -- libsystemd-daemon -+ libsystemd - ) - - FIND_PACKAGE(Boost REQUIRED) --- -2.21.0 - diff --git a/meta-security/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-security/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch deleted file mode 100644 index b6346480b..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From a90515613f09140049b2bdf471fa83d5dd7bad1c Mon Sep 17 00:00:00 2001 -From: Patrick Ohly <patrick.ohly@intel.com> -Date: Wed, 19 Aug 2015 15:02:32 +0200 -Subject: [PATCH 02/14] security-manager-policy-reload: do not depend on GNU - sed - -\U (= make replacement uppercase) is a GNU sed extension which is not -supported by other sed implementation's (like the one from -busybox). When using busybox, the bucket for user profiles became -USER_TYPE_Uadmin instead USER_TYPE_ADMIN. - -To make SecurityManager more portable, better use tr to turn the -bucket name into uppercase. - -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> -Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 ---- - policy/security-manager-policy-reload | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload -index 274c49c..6f211c6 100755 ---- a/policy/security-manager-policy-reload -+++ b/policy/security-manager-policy-reload -@@ -33,7 +33,7 @@ END - find "$POLICY_PATH" -name "usertype-*.profile" | - while read file - do -- bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`" -+ bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`" - - # Re-create the bucket with empty contents - cyad --delete-bucket=$bucket || true --- -2.21.0 - diff --git a/meta-security/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch b/meta-security/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch deleted file mode 100644 index d79345e01..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From a80e33bc0a10fa4bed5d0b7bf29f45dd2565d309 Mon Sep 17 00:00:00 2001 -From: Alejandro Joya <alejandro.joya.cruz@intel.com> -Date: Wed, 4 Nov 2015 19:01:35 -0600 -Subject: [PATCH 03/14] Smack-rules: create two new functions - -It let to smack-rules to create multiple set of rules -related with the privileges. - -It runs from the same bases than for a static set of rules on the -template, but let you add 1 or many templates for different cases. - -Change-Id: I14f8d4e914ad5a7ba34c96f3cb5589f0b15292de -Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com> ---- - src/common/include/smack-rules.h | 15 +++++++++++ - src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++ - 2 files changed, 59 insertions(+) - -diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h -index 91446a7..3ad9dd4 100644 ---- a/src/common/include/smack-rules.h -+++ b/src/common/include/smack-rules.h -@@ -47,6 +47,8 @@ public: - void addFromTemplate(const std::vector<std::string> &templateRules, - const std::string &appId, const std::string &pkgId); - void addFromTemplateFile(const std::string &appId, const std::string &pkgId); -+ void addFromTemplateFile(const std::string &appId, const std::string &pkgId, -+ const std::string &path); - - void apply() const; - void clear() const; -@@ -74,6 +76,19 @@ public: - */ - static void installApplicationRules(const std::string &appId, const std::string &pkgId, - const std::vector<std::string> &pkgContents); -+ /** -+ * Install privileges-specific smack rules. -+ * -+ * Function creates smack rules using predefined template. Rules are applied -+ * to the kernel and saved on persistent storage so they are loaded on system boot. 
-+ * -+ * @param[in] appId - application id that is beeing installed -+ * @param[in] pkgId - package id that the application is in -+ * @param[in] pkgContents - a list of all applications in the package -+ * @param[in] privileges - a list of all prvileges -+ */ -+ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, -+ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges); - /** - * Uninstall package-specific smack rules. - * -diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp -index 3629e0f..922a56f 100644 ---- a/src/common/smack-rules.cpp -+++ b/src/common/smack-rules.cpp -@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const - } - } - -+void SmackRules::addFromTemplateFile(const std::string &appId, -+ const std::string &pkgId, const std::string &path) -+{ -+ std::vector<std::string> templateRules; -+ std::string line; -+ std::ifstream templateRulesFile(path); -+ -+ if (!templateRulesFile.is_open()) { -+ LogError("Cannot open rules template file: " << path); -+ ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path); -+ } -+ -+ while (std::getline(templateRulesFile, line)) { -+ templateRules.push_back(line); -+ } -+ -+ if (templateRulesFile.bad()) { -+ LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); -+ ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); -+ } -+ -+ addFromTemplate(templateRules, appId, pkgId); -+} - - void SmackRules::addFromTemplateFile(const std::string &appId, - const std::string &pkgId) -@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) - std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); - return path; - } -+void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, -+ const 
std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) -+{ -+ SmackRules smackRules; -+ std::string appPath = getApplicationRulesFilePath(appId); -+ smackRules.loadFromFile(appPath); -+ struct stat buffer; -+ for (auto privilege : privileges) { -+ if (privilege.empty()) -+ continue; -+ std::string fprivilege ( privilege + "-template.smack"); -+ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); -+ if( stat(path.c_str(), &buffer) == 0) -+ smackRules.addFromTemplateFile(appId, pkgId, path); -+ } -+ -+ if (smack_smackfs_path() != NULL) -+ smackRules.apply(); - -+ smackRules.saveToFile(appPath); -+ updatePackageRules(pkgId, pkgContents); -+} - void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId, - const std::vector<std::string> &pkgContents) - { --- -2.21.0 - diff --git a/meta-security/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch b/meta-security/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch deleted file mode 100644 index 59d4971ff..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From a5979d9d674e400ecd7fcdf5d7589cfa0cfeb492 Mon Sep 17 00:00:00 2001
-From: Alejandro Joya <alejandro.joya.cruz@intel.com>
-Date: Wed, 4 Nov 2015 19:06:23 -0600
-Subject: [PATCH 04/14] app-install: implement multiple set of smack-rules
-
-If it's need it could create load multiple set of smack rules
-related with the privileges.
-It wouldn't affect the case that only the default set of rules is need it.
-
-Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
----
- src/common/service_impl.cpp | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
-index 7fd621c..ae305d3 100644
---- a/src/common/service_impl.cpp
-+++ b/src/common/service_impl.cpp
-@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid)
- LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
- << req.pkgId << ". Applications in package: " << pkgContents.size());
- SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents);
-+ /*Setup for privileges custom rules*/
-+ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
-+ << req.pkgId << ". Applications in package: " << pkgContents.size()
-+ << " and Privileges");
-+ SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId,
-+ pkgContents,req.privileges);
- } catch (const SmackException::Base &e) {
- LogError("Error while applying Smack policy for application: " << e.DumpToString());
- return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
----
-2.21.0
-
diff --git a/meta-security/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch b/meta-security/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch
deleted file mode 100644
index 0739f28c7..000000000
--- a/meta-security/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 198ba9b9782fda19803e94d2afeff91189ac27af Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
-Date: Wed, 13 Jan 2016 17:30:06 +0100
-Subject: [PATCH 05/14] c++11: replace deprecated auto_ptr
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/]
-
-Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8
-Signed-off-by: José Bollo <jobol@nonadev.net>
----
- src/dpl/core/include/dpl/binary_queue.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h
-index dd03f5e..185b6c7 100644
---- a/src/dpl/core/include/dpl/binary_queue.h
-+++ b/src/dpl/core/include/dpl/binary_queue.h
-@@ -33,7 +33,7 @@ namespace SecurityManager {
- * Binary queue auto pointer
- */
- class BinaryQueue;
--typedef std::auto_ptr<BinaryQueue> BinaryQueueAutoPtr;
-+typedef std::unique_ptr<BinaryQueue> BinaryQueueAutoPtr;
-
- /**
- * Binary stream implemented as constant size bucket list
----
-2.21.0
-
diff --git a/meta-security/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch b/meta-security/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch
deleted file mode 100644
index 3b8aad98c..000000000
--- a/meta-security/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From ec098bf03cea23350ca7d1ea2ad88b9c88228943 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Fri, 8 Jan 2016 16:53:46 +0100
-Subject: [PATCH 06/14] socket-manager: removes tizen specific call
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The function 'smack_fgetlabel' is specific to Tizen
-and is no more maintained upstream.
-
-Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/]
-
-Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f
-Signed-off-by: José Bollo <jobol@nonadev.net>
----
- src/server/main/socket-manager.cpp | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp
-index 94c54c6..5e1a79b 100644
---- a/src/server/main/socket-manager.cpp
-+++ b/src/server/main/socket-manager.cpp
-@@ -30,6 +30,7 @@
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <sys/smack.h>
-+#include <linux/xattr.h>
- #include <sys/un.h>
- #include <sys/stat.h>
- #include <unistd.h>
-@@ -493,9 +494,9 @@ int SocketManager::CreateDomainSocketHelp(
- if (smack_check()) {
- LogInfo("Set up smack label: " << desc.smackLabel);
-
-- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) {
-- LogError("Error in smack_fsetlabel");
-- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel");
-+ if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) {
-+ LogError("Error in smack_set_label_for_file");
-+ ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file");
- }
- } else {
- LogInfo("No smack on platform. Socket won't be securied with smack label!");
----
-2.21.0
-
diff --git a/meta-security/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch b/meta-security/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch deleted file mode 100644 index bad99d25a..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 9d0791dab4b4df086374c5c0ba2a6558e10e81c1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Mon, 16 Nov 2015 15:56:27 +0100 -Subject: [PATCH 07/14] removes dependency to libslp-db-utils - -Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec ---- - src/common/CMakeLists.txt | 3 ++- - src/dpl/db/src/sql_connection.cpp | 17 +---------------- - 2 files changed, 3 insertions(+), 17 deletions(-) - -diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt -index 968c7c1..9ae376f 100644 ---- a/src/common/CMakeLists.txt -+++ b/src/common/CMakeLists.txt -@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP - REQUIRED - libsystemd - libsmack -- db-util -+ sqlite3 -+ icu-i18n - cynara-admin - cynara-client - ) -diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp -index fdb4fe4..f49a6dc 100644 ---- a/src/dpl/db/src/sql_connection.cpp -+++ b/src/dpl/db/src/sql_connection.cpp -@@ -26,7 +26,6 @@ - #include <memory> - #include <dpl/noncopyable.h> - #include <dpl/assert.h> --#include <db-util.h> - #include <unistd.h> - #include <cstdio> - #include <cstdarg> -@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address, - - // Connect to database - int result; -- if (type & Flag::UseLucene) { -- result = db_util_open_with_options( -- address.c_str(), -- &m_connection, -- flag, -- NULL); -- -- m_usingLucene = true; -- LogPedantic("Lucene index enabled"); -- } else { -+ (void)type; - result = sqlite3_open_v2( - address.c_str(), - &m_connection, -@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address, - - m_usingLucene = false; - LogPedantic("Lucene index disabled"); -- } - - if (result == SQLITE_OK) { - LogPedantic("Connected to DB"); -@@ -653,11 +642,7 @@ void SqlConnection::Disconnect() - - int result; - -- if (m_usingLucene) { -- result = db_util_close(m_connection); -- } else { - result = sqlite3_close(m_connection); -- } - - if (result != SQLITE_OK) { 
- const char *error = sqlite3_errmsg(m_connection); --- -2.21.0 - diff --git a/meta-security/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch b/meta-security/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch deleted file mode 100644 index 5ece7ef4f..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch +++ /dev/null @@ -1,38 +0,0 @@ -From a1d9b40b4fa2e73d31a53e398c286bffeaae1732 Mon Sep 17 00:00:00 2001 -From: Ronan <ronan.lemartret@iot.bzh> -Date: Wed, 12 Oct 2016 17:48:55 +0200 -Subject: [PATCH 08/14] Fix gcc6 build - -Signed-off-by: ronan <ronan@ot.bzh> ---- - src/client/client-security-manager.cpp | 1 + - src/common/include/privilege_db.h | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp -index 74a6b30..347cddd 100644 ---- a/src/client/client-security-manager.cpp -+++ b/src/client/client-security-manager.cpp -@@ -46,6 +46,7 @@ - #include <service_impl.h> - #include <security-manager.h> - #include <client-offline.h> -+#include <linux/xattr.h> - - static const char *EMPTY = ""; - -diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h -index 4d73d90..08fb9d6 100644 ---- a/src/common/include/privilege_db.h -+++ b/src/common/include/privilege_db.h -@@ -32,6 +32,7 @@ - #include <map> - #include <stdbool.h> - #include <string> -+#include <vector> - - #include <dpl/db/sql_connection.h> - #include <tzplatform_config.h> --- -2.21.0 - diff --git a/meta-security/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch b/meta-security/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch deleted file mode 100644 index 706eb1a93..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch +++ /dev/null 
@@ -1,40 +0,0 @@
-From 382379d74221bcc60a0ab70d63430a1c0587b2ec Mon Sep 17 00:00:00 2001
-From: Ronan <ronan.lemartret@iot.bzh>
-Date: Thu, 13 Oct 2016 11:37:47 +0200
-Subject: [PATCH 09/14] Fix Cmake conf for gcc6 build
-
-Signed-off-by: Ronan <ronan.lemartret@iot.bzh>
----
- src/cmd/CMakeLists.txt | 4 +---
- src/server/CMakeLists.txt | 1 -
- 2 files changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt
-index ee9a160..aa7a12c 100644
---- a/src/cmd/CMakeLists.txt
-+++ b/src/cmd/CMakeLists.txt
-@@ -1,8 +1,6 @@
- FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options)
-
--INCLUDE_DIRECTORIES(SYSTEM
-- ${Boost_INCLUDE_DIRS}
-- )
-+
-
- INCLUDE_DIRECTORIES(
- ${INCLUDE_PATH}
-diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
-index 6849d76..9598037 100644
---- a/src/server/CMakeLists.txt
-+++ b/src/server/CMakeLists.txt
-@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED)
-
- INCLUDE_DIRECTORIES(SYSTEM
- ${SERVER_DEP_INCLUDE_DIRS}
-- ${Boost_INCLUDE_DIRS}
- ${Threads_INCLUDE_DIRS}
- )
-
----
-2.21.0
-
diff --git a/meta-security/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch
deleted file mode 100644
index 0f48c5f68..000000000
--- a/meta-security/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 8e93699c0f225716f3cd5eff790270ae9e3880f9 Mon Sep 17 00:00:00 2001
-From: Changhyeok Bae <changhyeok.bae@gmail.com>
-Date: Sun, 17 Dec 2017 15:40:58 +0000
-Subject: [PATCH 10/14] gcc-7 requires include <functional> for std::function
-
-Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
----
- src/client/client-common.cpp | 1 +
- src/common/smack-labels.cpp | 1 +
- src/dpl/core/src/binary_queue.cpp | 1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp
-index 883ab8d..1babdf7 100644
---- a/src/client/client-common.cpp
-+++ b/src/client/client-common.cpp
-@@ -31,6 +31,7 @@
- #include <sys/xattr.h>
- #include <linux/xattr.h>
- #include <unistd.h>
-+#include <functional>
-
- #include <dpl/log/log.h>
- #include <dpl/serialization.h>
-diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp
-index 0294a42..1598099 100644
---- a/src/common/smack-labels.cpp
-+++ b/src/common/smack-labels.cpp
-@@ -29,6 +29,7 @@
- #include <sys/xattr.h>
- #include <linux/xattr.h>
- #include <memory>
-+#include <functional>
- #include <fts.h>
- #include <cstring>
- #include <string>
-diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp
-index 72817a6..838409f 100644
---- a/src/dpl/core/src/binary_queue.cpp
-+++ b/src/dpl/core/src/binary_queue.cpp
-@@ -26,6 +26,7 @@
- #include <malloc.h>
- #include <cstring>
- #include <new>
-+#include <functional>
-
- namespace SecurityManager {
- BinaryQueue::BinaryQueue() :
----
-2.21.0
-
diff --git a/meta-security/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-security/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch
deleted file mode 100644
index 5c679fc26..000000000
--- a/meta-security/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 243b7ffee16558d7cb9b411f49380138efeffca9 Mon Sep 17 00:00:00 2001
-From: Stephane Desneux <stephane.desneux@iot.bzh>
-Date: Fri, 1 Feb 2019 12:26:17 +0000
-Subject: [PATCH 11/14] Fix gcc8 warning/error [-Werror=catch-value=]
-
-Fixes the following warning/error during compile:
-
-src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=]
-| } catch (Exception) {
-| ^~~~~~~~~
-
-Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
----
- src/dpl/core/src/assert.cpp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp
-index 63538a2..fc60ce9 100644
---- a/src/dpl/core/src/assert.cpp
-+++ b/src/dpl/core/src/assert.cpp
-@@ -58,7 +58,7 @@ void AssertProc(const char *condition,
- INTERNAL_LOG("### Function: " << function);
- INTERNAL_LOG(
- "################################################################################");
-- } catch (Exception) {
-+ } catch (Exception const&) {
- // Just ignore possible double errors
- }
-
----
-2.21.0
-
diff --git a/meta-security/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch b/meta-security/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch
deleted file mode 100644
index 91ccf9ee2..000000000
--- a/meta-security/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch
+++ /dev/null
@@ -1,122 +0,0 @@ -From 5ee51d38575f289c2bf37ed817ef680ed47bb320 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Fri, 1 Feb 2019 15:37:44 +0100 -Subject: [PATCH 12/14] Avoid casting from "const T&" to "void*" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Latest version of g++ refuse the cast - - reinterpret_cast<void (Service::*)(void*)>(serviceFunction) - -I made no investigation to know if the problem -is coming from the const or not. - -Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - src/server/main/include/service-thread.h | 42 ++++++++++-------------- - 1 file changed, 18 insertions(+), 24 deletions(-) - -diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h -index 964d168..61fdda8 100644 ---- a/src/server/main/include/service-thread.h -+++ b/src/server/main/include/service-thread.h -@@ -94,7 +94,7 @@ public: - Join(); - while (!m_eventQueue.empty()){ - auto front = m_eventQueue.front(); -- delete front.eventPtr; -+ delete front; - m_eventQueue.pop(); - } - } -@@ -104,34 +104,28 @@ public: - Service *servicePtr, - void (Service::*serviceFunction)(const T &)) - { -- EventDescription description; -- description.serviceFunctionPtr = -- reinterpret_cast<void (Service::*)(void*)>(serviceFunction); -- description.servicePtr = servicePtr; -- description.eventFunctionPtr = &ServiceThread::EventCall<T>; -- description.eventPtr = new T(event); -+ EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction); - { - std::lock_guard<std::mutex> lock(m_eventQueueMutex); -- m_eventQueue.push(description); -+ m_eventQueue.push(ec); - } - m_waitCondition.notify_one(); - } - - protected: - -- struct EventDescription { -- void (Service::*serviceFunctionPtr)(void *); -- Service *servicePtr; -- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event); -- GenericEvent* eventPtr; -+ struct EventCallerBase { -+ 
virtual void fire() = 0; -+ virtual ~EventCallerBase() {} - }; - - template <class T> -- void EventCall(const EventDescription &desc) { -- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr); -- const T& eventLocale = *(static_cast<T*>(desc.eventPtr)); -- (desc.servicePtr->*fun)(eventLocale); -- } -+ struct EventCaller : public EventCallerBase { -+ T *event; Service *target; void (Service::*function)(const T&); -+ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {} -+ ~EventCaller() { delete event; } -+ void fire() { (target->*function)(*event); } -+ }; - - static void ThreadLoopStatic(ServiceThread *ptr) { - ptr->ThreadLoop(); -@@ -139,33 +133,33 @@ protected: - - void ThreadLoop(){ - for (;;) { -- EventDescription description = {NULL, NULL, NULL, NULL}; -+ EventCallerBase *ec = NULL; - { - std::unique_lock<std::mutex> ulock(m_eventQueueMutex); - if (m_quit) - return; - if (!m_eventQueue.empty()) { -- description = m_eventQueue.front(); -+ ec = m_eventQueue.front(); - m_eventQueue.pop(); - } else { - m_waitCondition.wait(ulock); - } - } - -- if (description.eventPtr != NULL) { -+ if (ec != NULL) { - UNHANDLED_EXCEPTION_HANDLER_BEGIN - { -- (this->*description.eventFunctionPtr)(description); -- delete description.eventPtr; -+ ec->fire(); - } - UNHANDLED_EXCEPTION_HANDLER_END -+ delete ec; - } - } - } - - std::thread m_thread; - std::mutex m_eventQueueMutex; -- std::queue<EventDescription> m_eventQueue; -+ std::queue<EventCallerBase*> m_eventQueue; - std::condition_variable m_waitCondition; - - State m_state; --- -2.21.0 - diff --git a/meta-security/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch b/meta-security/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch deleted file mode 100644 index fb6215923..000000000 
--- a/meta-security/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch +++ /dev/null 
@@ -1,259 +0,0 @@ -From 6c96a39ba7a7763ccd47e379dbfd8d376164985f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Mon, 16 Nov 2015 14:26:25 +0100 -Subject: [PATCH 13/14] Removing tizen-platform-config - -Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 ---- - CMakeLists.txt | 16 +++++++- - db/CMakeLists.txt | 2 +- - policy/CMakeLists.txt | 1 + - ...load => security-manager-policy-reload.in} | 4 +- - src/common/file-lock.cpp | 4 +- - src/common/include/file-lock.h | 1 - - src/common/include/privilege_db.h | 3 +- - src/common/service_impl.cpp | 39 ++++++------------- - src/common/smack-rules.cpp | 12 ++---- - 9 files changed, 37 insertions(+), 45 deletions(-) - rename policy/{security-manager-policy-reload => security-manager-policy-reload.in} (94%) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index 28790d8..37a43cc 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -49,7 +49,7 @@ ADD_DEFINITIONS("-Wall") # Generate all warnings - ADD_DEFINITIONS("-Wextra") # Generate even more extra warnings - - STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}") --ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"") -+ADD_DEFINITIONS("-DAPI_VERSION=\"${API_VERSION}\"") - - ADD_DEFINITIONS("-DSMACK_ENABLED") - -@@ -58,6 +58,20 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG") - ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG") - ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG") - -+SET(DATADIR "/usr/share/security-manager" CACHE STRING "path to data directory") -+SET(SMACKRULESDIR "/etc/smack/accesses.d" CACHE STRING "path to Smack rules directory") -+SET(LOCKDIR "/var/run/lock" CACHE STRING "path to lock directory") -+SET(DB_INSTALL_DIR "/var/db/security-manager" CACHE STRING "path to database directory") -+SET(DB_FILENAME ".security-manager.db" CACHE STRING "basename of database") -+SET(GLOBALUSER "userapp" CACHE STRING "name of the global user") -+ -+ADD_DEFINITIONS("-DDATADIR=\"${DATADIR}\"") -+ADD_DEFINITIONS("-DSMACKRULESDIR=\"${SMACKRULESDIR}\"") 
-+ADD_DEFINITIONS("-DLOCKDIR=\"${LOCKDIR}\"") -+ADD_DEFINITIONS("-DDB_INSTALL_DIR=\"${DB_INSTALL_DIR}\"") -+ADD_DEFINITIONS("-DDB_FILENAME=\"${DB_FILENAME}\"") -+ADD_DEFINITIONS("-DGLOBALUSER=\"${GLOBALUSER}\"") -+ - ADD_SUBDIRECTORY(src) - ADD_SUBDIRECTORY(pc) - ADD_SUBDIRECTORY(systemd) -diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt -index 9e8ffcc..d7af1a0 100644 ---- a/db/CMakeLists.txt -+++ b/db/CMakeLists.txt -@@ -1,4 +1,4 @@ --SET(TARGET_DB ".security-manager.db") -+SET(TARGET_DB "$(DB_FILENAME)") - - ADD_CUSTOM_COMMAND( - OUTPUT ${TARGET_DB} ${TARGET_DB}-journal -diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt -index bd08edc..626a2bd 100644 ---- a/policy/CMakeLists.txt -+++ b/policy/CMakeLists.txt -@@ -1,4 +1,5 @@ - FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile) -+CONFIGURE_FILE(security-manager-policy-reload.in security-manager-policy-reload @ONLY) - INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) - INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) - INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) -diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload.in -similarity index 94% -rename from policy/security-manager-policy-reload -rename to policy/security-manager-policy-reload.in -index 6f211c6..c1bc4e2 100755 ---- a/policy/security-manager-policy-reload -+++ b/policy/security-manager-policy-reload.in -@@ -1,8 +1,8 @@ - #!/bin/sh -e - --POLICY_PATH=/usr/share/security-manager/policy -+POLICY_PATH=@DATADIR@/policy - PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list --DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db -+DB_FILE=@DB_INSTALL_DIR@/@DB_FILENAME@ - - # Create default buckets - while read bucket default_policy -diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp -index 6f3996c..88d2092 100644 ---- 
a/src/common/file-lock.cpp -+++ b/src/common/file-lock.cpp -@@ -30,9 +30,7 @@ - - namespace SecurityManager { - --char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, -- "lock", -- "security-manager.lock"); -+char const * const SERVICE_LOCK_FILE = LOCKDIR "/security-manager.lock"; - - FileLocker::FileLocker(const std::string &lockFile, bool blocking) - { -diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h -index 604b019..21a86a0 100644 ---- a/src/common/include/file-lock.h -+++ b/src/common/include/file-lock.h -@@ -29,7 +29,6 @@ - - #include <dpl/exception.h> - #include <dpl/noncopyable.h> --#include <tzplatform_config.h> - - namespace SecurityManager { - -diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h -index 08fb9d6..3344987 100644 ---- a/src/common/include/privilege_db.h -+++ b/src/common/include/privilege_db.h -@@ -35,14 +35,13 @@ - #include <vector> - - #include <dpl/db/sql_connection.h> --#include <tzplatform_config.h> - - #ifndef PRIVILEGE_DB_H_ - #define PRIVILEGE_DB_H_ - - namespace SecurityManager { - --const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); -+const char *const PRIVILEGE_DB_PATH = DB_INSTALL_DIR "/" DB_FILENAME; - - enum class QueryType { - EGetPkgPrivileges, -diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp -index ae305d3..42150fe 100644 ---- a/src/common/service_impl.cpp -+++ b/src/common/service_impl.cpp -@@ -32,7 +32,6 @@ - #include <algorithm> - - #include <dpl/log/log.h> --#include <tzplatform_config.h> - - #include "protocols.h" - #include "privilege_db.h" -@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, - - static uid_t getGlobalUserId(void) - { -- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); -+ static uid_t globaluid = 0; -+ if (!globaluid) { -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwnam_r(GLOBALUSER, 
&pw, buf, sizeof buf, &p); -+ globaluid = (rc || p == NULL) ? 555 : p->pw_uid; -+ } - return globaluid; - } - -@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) - - static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) - { -- struct tzplatform_context *tz_ctx = nullptr; -- -- if (tzplatform_context_create(&tz_ctx)) -- return false; -- -- if (tzplatform_context_set_user(tz_ctx, uid)) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); -+ if (rc || p == NULL) - return false; -- } -- -- enum tzplatform_variable id = -- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP; -- const char *appDir = tzplatform_context_getenv(tz_ctx, id); -- if (!appDir) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- return false; -- } -- -- userAppDir = appDir; -- -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- -+ userAppDir = p->pw_dir; - return true; - } - - static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) - { -- std::string userHome; - std::string userAppDir; - std::stringstream correctPath; - -diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp -index 922a56f..c2e0041 100644 ---- a/src/common/smack-rules.cpp -+++ b/src/common/smack-rules.cpp -@@ -34,7 +34,6 @@ - #include <memory> - - #include <dpl/log/log.h> --#include <tzplatform_config.h> - - #include "smack-labels.h" - #include "smack-rules.h" -@@ -43,7 +42,7 @@ namespace SecurityManager { - - const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; - const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; --const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); -+const char *const APP_RULES_TEMPLATE_FILE_PATH = DATADIR "/policy/app-rules-template.smack"; - const 
char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; - - SmackRules::SmackRules() -@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon - - std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); -- return path; -+ return SMACKRULESDIR "/pkg_" + pkgId; - } - - std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); -- return path; -+ return SMACKRULESDIR "/app_" + appId; - } - void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, - const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) -@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con - for (auto privilege : privileges) { - if (privilege.empty()) - continue; -- std::string fprivilege ( privilege + "-template.smack"); -- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); -+ std::string path = DATADIR "/policy/" + privilege + "-template.smack"; - if( stat(path.c_str(), &buffer) == 0) - smackRules.addFromTemplateFile(appId, pkgId, path); - } --- -2.21.0 - diff --git a/meta-security/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch b/meta-security/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch deleted file mode 100644 index 542a387d2..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From c7f9d14e38a1b6d40b2fffa01433a3025eff9abd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> -Date: Tue, 26 Nov 2019 12:34:39 +0100 -Subject: [PATCH 14/14] Ensure post install initialization of database -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Creation of the database was made during image creation, -leading to issue with SOTA. This adds the creation on -need before launching the service. - -Change-Id: Idfd0676bd87d39f7c10eaafd63f3a318f675c972 -Signed-off-by: José Bollo <jose.bollo@iot.bzh> ---- - db/CMakeLists.txt | 14 ++++++-------- - db/security-manager-setup | 14 ++++++++++++++ - systemd/security-manager.service.in | 1 + - 3 files changed, 21 insertions(+), 8 deletions(-) - create mode 100644 db/security-manager-setup - -diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt -index d7af1a0..dcf5bc8 100644 ---- a/db/CMakeLists.txt -+++ b/db/CMakeLists.txt -@@ -1,12 +1,10 @@ --SET(TARGET_DB "$(DB_FILENAME)") -- - ADD_CUSTOM_COMMAND( -- OUTPUT ${TARGET_DB} ${TARGET_DB}-journal -- COMMAND sqlite3 ${TARGET_DB} <db.sql -- ) -+ OUTPUT .security-manager-setup -+ COMMAND sed '/--DB\.SQL--/r db.sql' security-manager-setup > .security-manager-setup -+ DEPENDS security-manager-setup db.sql -+) - - # Add a dummy build target to trigger building of ${TARGET_DB} --ADD_CUSTOM_TARGET(DB ALL DEPENDS ${TARGET_DB}) -+ADD_CUSTOM_TARGET(DB ALL DEPENDS .security-manager-setup) - --INSTALL(FILES ${TARGET_DB} DESTINATION ${DB_INSTALL_DIR}) --INSTALL(FILES ${TARGET_DB}-journal DESTINATION ${DB_INSTALL_DIR}) -+INSTALL(PROGRAMS .security-manager-setup DESTINATION ${BIN_INSTALL_DIR}) -diff --git a/db/security-manager-setup b/db/security-manager-setup -new file mode 100644 -index 0000000..5675baf ---- /dev/null -+++ b/db/security-manager-setup -@@ -0,0 +1,14 @@ -+#!/bin/sh -+ -+if test -f "$1"; then exit; fi -+set -e -+dbdir="$(dirname "$1")" -+dbfile="$(basename "$1")" -+test -n 
"$dbfile"
-+test -n "$dbdir"
-+mkdir -p "$dbdir"
-+cd "$dbdir"
-+sqlite3 "$dbfile" << END-OF-CAT
-+--DB.SQL--
-+END-OF-CAT
-+
-diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in
-index 23fd1b2..2bf97d7 100644
---- a/systemd/security-manager.service.in
-+++ b/systemd/security-manager.service.in
-@@ -3,5 +3,6 @@ Description=Start the security manager
-
- [Service]
- Type=notify
-+ExecStartPre=@BIN_INSTALL_DIR@/.security-manager-setup @DB_INSTALL_DIR@/@DB_FILENAME@
- ExecStart=@BIN_INSTALL_DIR@/security-manager
- Sockets=security-manager.socket
----
-2.21.0
-
diff --git a/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch b/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
deleted file mode 100644
index d9949193b..000000000
--- a/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 7cffcd61378a9d7c0e7db5691b2da3a37448c969 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 30 Jan 2020 09:19:25 +0100
-Subject: [PATCH 15/15] Restrict socket accesses
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Ensure that only members of the group and the owner can access
-the security manager.
-
-Bug-AGL: SPEC-3146
-
-Change-Id: I68ce6523db4bfd4707c3680555c3cb0cf8858ef2
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- systemd/security-manager.socket | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket
-index af1c1da..b401f77 100644
---- a/systemd/security-manager.socket
-+++ b/systemd/security-manager.socket
-@@ -1,6 +1,6 @@
- [Socket]
- ListenStream=/run/security-manager.socket
--SocketMode=0777
-+SocketMode=0660
- SmackLabelIPIn=*
- SmackLabelIPOut=@
-
----
-2.21.1
-
diff --git a/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-security/recipes-security/security-manager/security-manager_git.bb
deleted file mode 100644
index b34973519..000000000
--- a/meta-security/recipes-security/security-manager/security-manager_git.bb
+++ /dev/null
@@ -1,27 +0,0 @@
-require security-manager.inc
-
-PV = "1.0.2+git${SRCPV}"
-SRCREV = "860305a595d681d650024ad07b3b0977e1fcb0a6"
-SRC_URI += "git://github.com/Samsung/security-manager.git"
-S = "${WORKDIR}/git"
-
-SRC_URI += " \
- file://0001-systemd-stop-using-compat-libs.patch \
- file://0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch \
- file://0003-Smack-rules-create-two-new-functions.patch \
- file://0004-app-install-implement-multiple-set-of-smack-rules.patch \
- file://0005-c-11-replace-deprecated-auto_ptr.patch \
- file://0006-socket-manager-removes-tizen-specific-call.patch \
- file://0007-removes-dependency-to-libslp-db-utils.patch \
- file://0008-Fix-gcc6-build.patch \
- file://0009-Fix-Cmake-conf-for-gcc6-build.patch \
- file://0010-gcc-7-requires-include-functional-for-std-function.patch \
- file://0011-Fix-gcc8-warning-error-Werror-catch-value.patch \
- file://0012-Avoid-casting-from-const-T-to-void.patch \
- file://0013-Removing-tizen-platform-config.patch \
- file://0014-Ensure-post-install-initialization-of-database.patch \
- file://0015-Restrict-socket-accesses.patch \
-"
-
-# Use make with cmake and not ninja
-OECMAKE_GENERATOR = "Unix Makefiles"
diff --git a/meta-security/recipes-security/smacknet/files/smacknet b/meta-security/recipes-security/smacknet/files/smacknet
deleted file mode 100644
index 3818d30ae..000000000
--- a/meta-security/recipes-security/smacknet/files/smacknet
+++ /dev/null
@@ -1,184 +0,0 @@
-#!/usr/bin/python
-# Copyright (c) 2012, 2013, Intel Corporation
-# Copyright (c) 2009 David Wolinsky <davidiw@ufl.edu), University of Florida
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# 3. The name of the author may not be used to endorse or promote products
-# derived from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- -import socket,fcntl, struct, thread -import os.path -import sys - -SMACKFS_LOAD="/sys/fs/smackfs/load2" -SMACKFS_NETLABEL="/sys/fs/smackfs/netlabel" -SIOCGIFADDR = 0x8915 -SIOCGIFNETMASK = 0x891b - -def get_ip_address(ifname): - s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) - return fcntl.ioctl(s.fileno(), SIOCGIFADDR, - struct.pack('256s', ifname.encode("utf-8")))[20:24] - -def get_netmask(ifname): - s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) - return fcntl.ioctl(s.fileno(), SIOCGIFNETMASK, - struct.pack('256s', ifname.encode("utf-8")))[20:24] - -def applynetlabeltags(interface, addr): - if not interface.startswith("lo"): - bmask = get_netmask(interface.encode("utf-8")) - prefix = bin(struct.unpack(">L", bmask)[0]).count("1") - tags = [ - addr+"/"+str(prefix)+" Network::Local\n", - "0.0.0.0/0 Network::Cloud\n", - "127.0.0.1/8 -CIPSO\n"] - smackfs_netlabel(tags) - -def loadnetlabelrules(): - rulesSystem = [ - "System Network::Cloud w\n", - "System Network::Local w\n", - "Network::Cloud System w\n", - "Network::Local System w\n"] - smackfs_load2(rulesSystem) - -def smackfs_load2 (rules): - with open(SMACKFS_LOAD, "w") as load2: - for rule in rules: - load2.write(rule) - -def smackfs_netlabel (tags): - for tag in tags: - with open(SMACKFS_NETLABEL, "w") as netlabel: - netlabel.write(tag) - -""" - Source of: Class ip monitor, and other functions named bellow. 
- Original author: David Wolinsky <davidiw@ufl.edu - Copied from: https://github.com/davidiw/Grid-Appliance/blob/master/scripts/ip_monitor.py - -""" - -"""4 byte alignment""" - -def align(inc): - diff = inc % 4 - return inc + ((4 - diff) % 4) - -class ifaddr: - """Parse an ifaddr packet""" - LOCAL = 2 - LABEL = 3 - - def __init__(self, packet): - self.family, self.prefixlen, self.flags, self.scope, self.index = \ - struct.unpack("BBBBI", packet[:8]) - -class rtattr: - """Parse a rtattr packet""" - GRP_IPV4_IFADDR = 0x10 - - NEWADDR = 20 - DELADDR = 21 - GETADDR = 22 - - def __init__(self, packet): - self.len, self.type = struct.unpack("HH", packet[:4]) - if self.type == ifaddr.LOCAL: - addr = struct.unpack("BBBB", packet[4:self.len]) - self.payload = "%s.%s.%s.%s" % (addr[0], addr[1], addr[2], addr[3]) - elif self.type == ifaddr.LABEL: - self.payload = packet[4:self.len].strip("\0") - else: - self.payload = packet[4:self.len] - -class netlink: - """Parse a netlink packet""" - REQUEST = 1 - ROOT = 0x100 - MATCH = 0x200 - DONE = 3 - - def __init__(self, packet): - self.msglen, self.msgtype, self.flags, self.seq, self.pid = \ - struct.unpack("IHHII", packet[:16]) - self.ifa = None - try: - self.ifa = ifaddr(packet[16:24]) - except: - return - - self.rtas = {} - pos = 24 - while pos < self.msglen: - try: - rta = rtattr(packet[pos:]) - except: - break - pos += align(rta.len) - self.rtas[rta.type] = rta.payload - -class ip_monitor: - def __init__(self, callback = None): - if callback == None: - callback = self.print_cb - self._callback = callback - - def print_cb(self, label, addr): - print (label + " => " + addr) - - def request_addrs(self, sock): - sock.send(struct.pack("IHHIIBBBBI", 24, rtattr.GETADDR, \ - netlink.REQUEST | netlink.ROOT | netlink.MATCH, 0, sock.getsockname()[0], \ - socket.AF_INET, 0, 0, 0, 0)) - - def start_thread(self): - thread.start_new_thread(self.run, ()) - - def run(self): - sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, 
socket.NETLINK_ROUTE) - sock.bind((0, rtattr.GRP_IPV4_IFADDR)) - self.request_addrs(sock) - - while True: - data = sock.recv(4096) - pos = 0 - while pos < len(data): - nl = netlink(data[pos:]) - if nl.msgtype == netlink.DONE: - break - pos += align(nl.msglen) - if nl.msgtype != rtattr.NEWADDR: - continue - self._callback(nl.rtas[ifaddr.LABEL], nl.rtas[ifaddr.LOCAL]) - -def main(): - if not os.path.isfile(SMACKFS_LOAD): - print ("Smack not found.") - return -1 - loadnetlabelrules() - - ip_monitor(applynetlabeltags).run() - -if __name__ == "__main__": - main() diff --git a/meta-security/recipes-security/smacknet/files/smacknet.service b/meta-security/recipes-security/smacknet/files/smacknet.service deleted file mode 100644 index 218d8b896..000000000 --- a/meta-security/recipes-security/smacknet/files/smacknet.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=netlabels configuration for SMACK -Wants=network.target network-online.target -After=network.target network-online.target - -[Service] -TimeoutStartSec=0 -ExecStart=@BINDIR@/smacknet - -[Install] -WantedBy=multi-user.target diff --git a/meta-security/recipes-security/smacknet/smacknet.bb b/meta-security/recipes-security/smacknet/smacknet.bb deleted file mode 100644 index 250cdb132..000000000 --- a/meta-security/recipes-security/smacknet/smacknet.bb +++ /dev/null 
@@ -1,29 +0,0 @@
-#SMACKNET Description
-SUMMARY = "Smack network labels configuration"
-DESCRIPTION = "Provide service that will be labeling the network rules"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9"
-RDEPENDS_${PN} = "python"
-
-SRC_URI += "file://smacknet \
- file://smacknet.service \
- "
-S = "${WORKDIR}"
-
-inherit systemd
-
-inherit features_check
-REQUIRED_DISTRO_FEATURES = "smack"
-
-#netlabel configuration service
-SYSTEMD_SERVICE_${PN} = "smacknet.service"
-SYSTEMD_AUTO_ENABLE = "enable"
-do_install(){
- install -d ${D}${bindir}
- install -m 0551 ${WORKDIR}/smacknet ${D}${bindir}
-
- install -d -m 755 ${D}${systemd_unitdir}/system
- install -m 644 ${WORKDIR}/smacknet.service ${D}${systemd_unitdir}/system
- sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_unitdir}/system/smacknet.service
-}
- |