diff options
Diffstat (limited to 'meta-security/recipes-security')
17 files changed, 401 insertions, 267 deletions
diff --git a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch index 11387b98b..e1d0cfac9 100644 --- a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch +++ b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch @@ -1,7 +1,7 @@ -From 3d387993b5a4283e8aebd8e777b2ccd45d233959 Mon Sep 17 00:00:00 2001 +From 8bf90bf3e7a821dbd3b7029d87aa592eec6f1754 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 12:00:18 +0100 -Subject: [PATCH 1/6] Add fallthrough tags +Subject: [PATCH] Add fallthrough tags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -12,6 +12,7 @@ to the next after some processing. Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- src/admin/api/admin-api.cpp | 1 + src/client-async/logic/Logic.cpp | 1 + @@ -54,6 +55,3 @@ index b1ca4f7..f4394e5 100644 default: return true; } --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch b/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch new file mode 100644 index 000000000..40e11ce5d --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch @@ -0,0 +1,35 @@ +From ca28ec4a0781a1ab9ec5f015387436beb51adfc3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan-Simon=20M=C3=B6ller?= <jsmoeller@linuxfoundation.org> +Date: Fri, 19 Oct 2018 08:09:28 +0000 +Subject: [PATCH] fix fallthrough in cmdlineparser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org> + +--- + src/service/main/CmdlineParser.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/service/main/CmdlineParser.cpp b/src/service/main/CmdlineParser.cpp +index ca56e39..e07ea52 100644 +--- a/src/service/main/CmdlineParser.cpp ++++ b/src/service/main/CmdlineParser.cpp +@@ -112,13 +112,16 @@ struct CmdLineOptions handleCmdlineOptions(int argc, char * const *argv) { + case ':': // Missing argument + ret.m_error = true; + ret.m_exit = true; ++ /*@fallthrough@*/ + switch (optopt) { + case CmdlineOpt::Mask: + case CmdlineOpt::User: + case CmdlineOpt::Group: + printMissingArgument(execName, argv[optind - 1]); + return ret; ++ /*@fallthrough@*/ + } ++ /*@fallthrough@*/ + //intentional fall to Unknown option + case '?': // Unknown option + default: diff --git a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch index 760a1c5b2..b8dbfac4d 100644 --- a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch +++ b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch @@ -1,9 +1,10 @@ -From b18e66ce7f81c56e3a97ed075cb60d5a43b2e57c Mon Sep 17 00:00:00 2001 +From e2d8414b0d1c6c59baf1bb73e856e93aaabaf955 Mon Sep 17 00:00:00 2001 From: Changhyeok Bae <changhyeok.bae@gmail.com> Date: Sun, 17 Dec 2017 15:28:28 +0000 -Subject: [PATCH 2/6] gcc-7 requires include <functional> for std::function +Subject: [PATCH] gcc-7 requires include <functional> for std::function Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> + --- src/common/types/PolicyBucket.h | 1 + src/cyad/AdminPolicyParser.h | 1 + @@ -33,6 +34,3 @@ index 53dde23..f38c194 100644 #include <cyad/CynaraAdminPolicies.h> --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch index 8c47c3b26..1b105a00c 100644 --- a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch +++ b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch @@ -1,7 +1,7 @@ -From 6ad54c5e732e7cf0a29f29f48fa757e3e56d6860 Mon Sep 17 00:00:00 2001 +From fdcf2a68a4bfec588b1c6c969caa0be20961b807 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 11:38:16 +0100 -Subject: [PATCH 3/6] Avoid warning when compiling without smack +Subject: [PATCH] Avoid warning when compiling without smack MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -14,6 +14,7 @@ with the following message: Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190 Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- src/admin/CMakeLists.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) @@ -40,6 +41,3 @@ index e4f354a..38b8669 100644 SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin) --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch index 164542899..f19cdfb50 100644 --- a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch +++ b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch @@ -1,7 +1,7 @@ -From 2bd62bca98a8a8cf194fb2b68aed68d982f58520 Mon Sep 17 00:00:00 2001 +From 233fb8a93343c3c9c04914e1148ef5ab87a808a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 12:52:39 +0100 -Subject: [PATCH 4/6] Fix mode of sockets +Subject: [PATCH] Fix mode of sockets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -10,6 +10,7 @@ Setting execution bit on the socket serves nothing. Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10 Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- systemd/cynara-admin.socket | 2 +- systemd/cynara.socket | 2 +- @@ -39,6 +40,3 @@ index 9f2a870..fad2745 100644 SmackLabelIPIn=* SmackLabelIPOut=@ --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch index b4a2d74e8..e954c7f21 100644 --- a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch +++ b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch @@ -1,7 +1,7 @@ -From d919b110a2fbccdce084c651f4d7d7de66f2f869 Mon Sep 17 00:00:00 2001 +From ebde8e9fdba7bc1c8152f7e45c551030a36ece82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 13:47:37 +0100 -Subject: [PATCH 5/6] Allow to tune sockets +Subject: [PATCH] Allow to tune sockets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -17,17 +17,26 @@ through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- - systemd/CMakeLists.txt | 19 +++++++++++++++---- - .../{cynara-admin.socket => cynara-admin.socket.in} | 2 +- - .../{cynara-agent.socket => cynara-agent.socket.in} | 4 ++-- - ...onitor-get.socket => cynara-monitor-get.socket.in} | 4 ++-- - systemd/{cynara.socket => cynara.socket.in} | 2 +- - 5 files changed, 21 insertions(+), 10 deletions(-) - rename systemd/{cynara-admin.socket => cynara-admin.socket.in} (78%) - rename systemd/{cynara-agent.socket => cynara-agent.socket.in} (66%) - rename systemd/{cynara-monitor-get.socket => cynara-monitor-get.socket.in} (64%) - rename systemd/{cynara.socket => cynara.socket.in} (80%) + systemd/CMakeLists.txt | 19 +++++++++++++++---- + systemd/cynara-admin.socket | 14 -------------- + systemd/cynara-admin.socket.in | 14 ++++++++++++++ + systemd/cynara-agent.socket | 15 --------------- + systemd/cynara-agent.socket.in | 15 +++++++++++++++ + systemd/cynara-monitor-get.socket | 15 --------------- + systemd/cynara-monitor-get.socket.in | 15 +++++++++++++++ + systemd/cynara.socket | 14 -------------- + systemd/cynara.socket.in | 14 ++++++++++++++ + 9 files changed, 73 insertions(+), 62 deletions(-) + delete mode 100644 systemd/cynara-admin.socket + create mode 100644 systemd/cynara-admin.socket.in + delete mode 100644 systemd/cynara-agent.socket + create mode 100644 systemd/cynara-agent.socket.in + delete mode 100644 systemd/cynara-monitor-get.socket + create mode 100644 systemd/cynara-monitor-get.socket.in + delete mode 100644 systemd/cynara.socket + create mode 100644 systemd/cynara.socket.in diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt index 20accf0..1b75c12 100644 @@ -62,66 +71,167 @@ index 20accf0..1b75c12 100644 DESTINATION ${SYSTEMD_UNIT_DIR} ) -diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket.in -similarity index 78% -rename from systemd/cynara-admin.socket -rename to systemd/cynara-admin.socket.in -index ed38386..2364c3e 100644 +diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket +deleted file mode 100644 +index ed38386..0000000 --- a/systemd/cynara-admin.socket -+++ b/systemd/cynara-admin.socket.in -@@ -1,5 +1,5 @@ - [Socket] ++++ /dev/null +@@ -1,14 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara-admin.socket +-SocketMode=0600 +-SmackLabelIPIn=@ +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-admin.socket.in b/systemd/cynara-admin.socket.in +new file mode 100644 +index 0000000..2364c3e +--- /dev/null ++++ b/systemd/cynara-admin.socket.in +@@ -0,0 +1,14 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara-admin.socket - SocketMode=0600 - SmackLabelIPIn=@ - SmackLabelIPOut=@ -diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket.in -similarity index 66% -rename from systemd/cynara-agent.socket -rename to systemd/cynara-agent.socket.in -index 5a677e0..4f86c9d 100644 ++SocketMode=0600 ++SmackLabelIPIn=@ ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket +deleted file mode 100644 +index 5a677e0..0000000 --- a/systemd/cynara-agent.socket -+++ b/systemd/cynara-agent.socket.in -@@ -1,6 +1,6 @@ - [Socket] ++++ /dev/null +@@ -1,15 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara-agent.socket -SocketGroup=security_fw +-SocketMode=0060 +-SmackLabelIPIn=* +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-agent.socket.in b/systemd/cynara-agent.socket.in +new file mode 100644 +index 0000000..4f86c9d +--- /dev/null ++++ b/systemd/cynara-agent.socket.in +@@ -0,0 +1,15 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara-agent.socket +SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ - SocketMode=0060 - SmackLabelIPIn=* - SmackLabelIPOut=@ -diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket.in -similarity index 64% -rename from systemd/cynara-monitor-get.socket -rename to systemd/cynara-monitor-get.socket.in -index a50feeb..b88dbf7 100644 ++SocketMode=0060 ++SmackLabelIPIn=* ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket +deleted file mode 100644 +index a50feeb..0000000 --- a/systemd/cynara-monitor-get.socket -+++ b/systemd/cynara-monitor-get.socket.in -@@ -1,6 +1,6 @@ - [Socket] ++++ /dev/null +@@ -1,15 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara-monitor-get.socket -SocketGroup=security_fw +-SocketMode=0060 +-SmackLabelIPIn=@ +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-monitor-get.socket.in b/systemd/cynara-monitor-get.socket.in +new file mode 100644 +index 0000000..b88dbf7 +--- /dev/null ++++ b/systemd/cynara-monitor-get.socket.in +@@ -0,0 +1,15 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket +SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ - SocketMode=0060 - SmackLabelIPIn=@ - SmackLabelIPOut=@ -diff --git a/systemd/cynara.socket b/systemd/cynara.socket.in -similarity index 80% -rename from systemd/cynara.socket -rename to systemd/cynara.socket.in -index fad2745..ba76549 100644 ++SocketMode=0060 ++SmackLabelIPIn=@ ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara.socket b/systemd/cynara.socket +deleted file mode 100644 +index fad2745..0000000 --- a/systemd/cynara.socket -+++ b/systemd/cynara.socket.in -@@ -1,5 +1,5 @@ - [Socket] ++++ /dev/null +@@ -1,14 +0,0 @@ +-[Socket] -ListenStream=/run/cynara/cynara.socket +-SocketMode=0666 +-SmackLabelIPIn=* +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara.socket.in b/systemd/cynara.socket.in +new file mode 100644 +index 0000000..ba76549 +--- /dev/null ++++ b/systemd/cynara.socket.in +@@ -0,0 +1,14 @@ ++[Socket] +ListenStream=@SOCKET_DIR@/cynara.socket - SocketMode=0666 - SmackLabelIPIn=* - SmackLabelIPOut=@ --- -2.14.3 - ++SocketMode=0666 ++SmackLabelIPIn=* ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target diff --git a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch index 0cfc785c1..68864f1ed 100644 --- a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch +++ b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch @@ -1,13 +1,14 @@ -From d54e425b0685c9e3e06f5b4efcbd206950d14f3c Mon Sep 17 00:00:00 2001 +From 23f1a7cb34dd4ef88bac5a43057feaf7f50559aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Thu, 25 Jan 2018 14:09:23 +0100 -Subject: [PATCH 6/6] Install socket activation by default +Subject: [PATCH] Install socket activation by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf Signed-off-by: José Bollo <jose.bollo@iot.bzh> + --- packaging/cynara.spec | 5 ----- systemd/CMakeLists.txt | 7 +++++++ @@ -75,6 +76,3 @@ index 0000000..c0e5a5b @@ -0,0 +1 @@ +../cynara.socket \ No newline at end of file --- -2.14.3 - diff --git a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch index cbf372ad9..c14418923 100644 --- a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch +++ b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch @@ -1,7 +1,7 @@ -From 297774fa4d01156c0327d6e6380a7ecae30bf875 Mon Sep 17 00:00:00 2001 +From 3605e9f8a3ea1252d1cf221398431e0d7a3ea34d Mon Sep 17 00:00:00 2001 From: Patrick Ohly <patrick.ohly@intel.com> Date: Mon, 23 Mar 2015 15:01:39 -0700 -Subject: [PATCH 1/2] cynara-db-migration.in: abort on errors +Subject: [PATCH] cynara-db-migration.in: abort on errors "set -e" enables error checking for all commands invoked by the script. Previously, errors were silently ignored. @@ -9,12 +9,13 @@ Previously, errors were silently ignored. Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8] Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + --- - migration/cynara-db-migration | 2 ++ + migration/cynara-db-migration.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in -index ff9bd61..f6e7f94 100644 +index 7b666d4..0682df6 100644 --- a/migration/cynara-db-migration.in +++ b/migration/cynara-db-migration.in @@ -19,6 +19,8 @@ @@ -25,7 +26,4 @@ index ff9bd61..f6e7f94 100644 + ##### Constants (these must not be modified by shell) - STATE_PATH='@LOCAL_STATE_DIR@/@PROJECT_NAME@' --- -1.8.4.5 - + PATH=/bin:/usr/bin:/sbin:/usr/sbin diff --git a/meta-security/recipes-security/cynara/cynara_0.14.10.bb b/meta-security/recipes-security/cynara/cynara_0.14.10.bb index 6c187fced..d2a09c693 100644 --- a/meta-security/recipes-security/cynara/cynara_0.14.10.bb +++ b/meta-security/recipes-security/cynara/cynara_0.14.10.bb @@ -15,6 +15,7 @@ SRC_URI += " \ file://0004-Fix-mode-of-sockets.patch \ file://0005-Allow-to-tune-sockets.patch \ file://0006-Install-socket-activation-by-default.patch \ + file://0001-fix-fallthrough-in-cmdlineparser.patch \ " DEPENDS = " \ @@ -84,6 +85,12 @@ USERADD_PARAM_${PN} = "\ # ln -s ../cynara-agent.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-agent.socket #} +# We want the post-install logic to create and label /var/cynara, so +# it should not be in the package. +do_install_append () { + rmdir ${D}${localstatedir}/cynara +} + FILES_${PN} += "${systemd_system_unitdir}" # Cynara itself has no dependency on Smack. Only its installation @@ -101,18 +108,7 @@ DEPENDS_append_with-lsm-smack = " smack smack-native" EXTRA_OECMAKE_append_with-lsm-smack = " -DDB_FILES_SMACK_LABEL=System" CHSMACK_with-lsm-smack = "chsmack" CHSMACK = "true" -pkg_postinst_${PN} () { - # Fail on error. - set -e - - # It would be nice to run the code below while building an image, - # but currently the calls to cynara-db-chsgen (a binary) in - # cynara-db-migration (a script) prevent that. Rely instead - # on OE's support for running failed postinst scripts at first boot. - if [ x"$D" != "x" ]; then - exit 1 - fi - +pkg_postinst_ontarget_${PN} () { mkdir -p $D${sysconfdir}/cynara ${CHSMACK} -a System $D${sysconfdir}/cynara diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch deleted file mode 100644 index d7a868d2c..000000000 --- a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch +++ /dev/null @@ -1,79 +0,0 @@ -Upstream-Status: Pending - -diff --git a/docs/capng_lock.3 b/docs/capng_lock.3 -index 7683119..a070c1e 100644 ---- a/docs/capng_lock.3 -+++ b/docs/capng_lock.3 -@@ -8,12 +8,13 @@ int capng_lock(void); - - .SH "DESCRIPTION" - --capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. -+capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs. This should be called while possessing the CAP_SETPCAP capability in the kernel. - -+This function will do the following if permitted by the kernel: If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it. Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. If both fail, it will return an error. - - .SH "RETURN VALUE" - --This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options. -+This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options. - - .SH "SEE ALSO" - -diff --git a/src/cap-ng.c b/src/cap-ng.c -index bd105ba..422f2bc 100644 ---- a/src/cap-ng.c -+++ b/src/cap-ng.c -@@ -45,6 +45,7 @@ - * 2.6.24 kernel XATTR_NAME_CAPS - * 2.6.25 kernel PR_CAPBSET_DROP, CAPABILITY_VERSION_2 - * 2.6.26 kernel PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3 -+ * 3.5 kernel PR_SET_NO_NEW_PRIVS - */ - - /* External syscall prototypes */ -@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data); - #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */ - #endif - -+/* prctl values that we use */ -+#ifndef PR_SET_SECUREBITS -+#define PR_SET_SECUREBITS 28 -+#endif -+#ifndef PR_SET_NO_NEW_PRIVS -+#define PR_SET_NO_NEW_PRIVS 38 -+#endif -+ - // States: new, allocated, initted, updated, applied - typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT, - CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t; -@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag) - - int capng_lock(void) - { --#ifdef PR_SET_SECUREBITS -- int rc = prctl(PR_SET_SECUREBITS, -- 1 << SECURE_NOROOT | -- 1 << SECURE_NOROOT_LOCKED | -- 1 << SECURE_NO_SETUID_FIXUP | -- 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0); -+ int rc; -+ -+ // On Linux 3.5 and up, we can directly prevent ourselves and -+ // our descendents from gaining privileges. -+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0) -+ return 0; -+ -+ // This kernel is too old or otherwise doesn't support -+ // PR_SET_NO_NEW_PRIVS. Fall back to using securebits. -+ rc = prctl(PR_SET_SECUREBITS, -+ 1 << SECURE_NOROOT | -+ 1 << SECURE_NOROOT_LOCKED | -+ 1 << SECURE_NO_SETUID_FIXUP | -+ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0); - if (rc) - return -1; --#endif - - return 0; - } diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch deleted file mode 100644 index d82ceb454..000000000 --- a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch +++ /dev/null @@ -1,39 +0,0 @@ -configure.ac - Avoid an incorrect check for python. -Makefile.am - avoid hard coded host include paths. - -Signed-off-by: Mark Hatle <mark.hatle@windriver.com> - ---- libcap-ng-0.6.5/configure.ac.orig 2012-01-17 13:59:03.645898989 -0600 -+++ libcap-ng-0.6.5/configure.ac 2012-01-17 13:59:46.353959252 -0600 -@@ -120,17 +120,8 @@ - else - AC_MSG_RESULT(testing) - AM_PATH_PYTHON --if test -f /usr/include/python${am_cv_python_version}/Python.h ; then -- python_found="yes" -- AC_MSG_NOTICE(Python bindings will be built) --else -- python_found="no" -- if test x$use_python = xyes ; then -- AC_MSG_ERROR([Python explicitly required and python headers found]) -- else -- AC_MSG_WARN("Python headers not found - python bindings will not be made") -- fi --fi -+python_found="yes" -+AC_MSG_NOTICE(Python bindings will be built) - fi - AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes") - ---- libcap-ng-0.6.5/bindings/python/Makefile.am.orig 2010-11-03 12:31:59.000000000 -0500 -+++ libcap-ng-0.6.5/bindings/python/Makefile.am 2012-01-17 14:05:50.199834467 -0600 -@@ -24,7 +24,8 @@ - CONFIG_CLEAN_FILES = *.loT *.rej *.orig - AM_CFLAGS = -fPIC -DPIC - PYLIBVER ?= python$(PYTHON_VERSION) --INCLUDES = -I. -I$(top_builddir) -I/usr/include/$(PYLIBVER) -+PYINC ?= /usr/include/$(PYLIBVER) -+INCLUDES = -I. -I$(top_builddir) -I$(PYINC) - LIBS = $(top_builddir)/src/libcap-ng.la - pyexec_PYTHON = capng.py - pyexec_LTLIBRARIES = _capng.la diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb b/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb deleted file mode 100644 index e729518e9..000000000 --- a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb +++ /dev/null @@ -1,39 +0,0 @@ -SUMMARY = "An alternate posix capabilities library" -DESCRIPTION = "The libcap-ng library is intended to make programming \ -with POSIX capabilities much easier than the traditional libcap library." -HOMEPAGE = "http://freecode.com/projects/libcap-ng" -SECTION = "base" -LICENSE = "GPLv2+ & LGPLv2.1+" -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \ - file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06" - -SRC_URI = "http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${PV}.tar.gz \ - file://python.patch \ - file://CVE-2014-3215.patch \ - " - -inherit lib_package autotools pythonnative - -SRC_URI[md5sum] = "610afb774f80a8032b711281df126283" -SRC_URI[sha256sum] = "5ca441c8d3a1e4cfe8a8151907977662679457311ccaa7eaac91447c33a35bb1" - -DEPENDS += "swig-native python" - -EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' PYINC='${STAGING_INCDIR}/${PYLIBVER}'" - -PACKAGES += "${PN}-python" - -FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" -FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" - -BBCLASSEXTEND = "native" - -do_install_append() { - # Moving libcap-ng to base_libdir - if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then - mkdir -p ${D}/${base_libdir}/ - mv -f ${D}${libdir}/libcap-ng.so.* ${D}${base_libdir}/ - relpath=${@os.path.relpath("${base_libdir}", "${libdir}")} - ln -sf ${relpath}/libcap-ng.so.0.0.0 ${D}${libdir}/libcap-ng.so - fi -} diff --git a/meta-security/recipes-security/security-manager/security-manager.inc b/meta-security/recipes-security/security-manager/security-manager.inc index 810106d75..ddd87a930 100644 --- a/meta-security/recipes-security/security-manager/security-manager.inc +++ b/meta-security/recipes-security/security-manager/security-manager.inc @@ -89,10 +89,6 @@ FILES_${PN}-policy = " \ ${bindir}/security-manager-policy-reload \ " RDEPENDS_${PN}-policy += "sqlite3 cynara" -pkg_postinst_${PN}-policy () { - if [ x"$D" = "x" ] && ${bindir}/security-manager-policy-reload; then - exit 0 - else - exit 1 - fi +pkg_postinst_ontarget_${PN}-policy () { + ${bindir}/security-manager-policy-reload } diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch new file mode 100644 index 000000000..f598fdc82 --- /dev/null +++ b/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch @@ -0,0 +1,127 @@ +From 14c8842ed8a37fecbc70d46e27b49ae929b0c85f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Fri, 1 Feb 2019 15:37:44 +0100 +Subject: [PATCH] Avoid casting from "const T&" to "void*" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Latest version of g++ refuse the cast + + reinterpret_cast<void (Service::*)(void*)>(serviceFunction) + +I made no investigation to know if the problem +is coming from the const or not. + +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/server/main/include/service-thread.h | 43 ++++++++++-------------- + 1 file changed, 18 insertions(+), 25 deletions(-) + +diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h +index 964d168..92b0ec8 100644 +--- a/src/server/main/include/service-thread.h ++++ b/src/server/main/include/service-thread.h +@@ -9,78 +94,72 @@ public: + Join(); + while (!m_eventQueue.empty()){ + auto front = m_eventQueue.front(); +- delete front.eventPtr; ++ delete front; + m_eventQueue.pop(); + } + } + + template <class T> + void Event(const T &event, + Service *servicePtr, + void (Service::*serviceFunction)(const T &)) + { +- EventDescription description; +- description.serviceFunctionPtr = +- reinterpret_cast<void (Service::*)(void*)>(serviceFunction); +- description.servicePtr = servicePtr; +- description.eventFunctionPtr = &ServiceThread::EventCall<T>; +- description.eventPtr = new T(event); ++ EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction); + { + std::lock_guard<std::mutex> lock(m_eventQueueMutex); +- m_eventQueue.push(description); ++ m_eventQueue.push(ec); + } + m_waitCondition.notify_one(); + } + + protected: + +- struct EventDescription { +- void (Service::*serviceFunctionPtr)(void *); +- Service *servicePtr; +- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event); +- GenericEvent* eventPtr; +- }; +- +- template <class T> +- void EventCall(const EventDescription &desc) { +- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr); +- const T& eventLocale = *(static_cast<T*>(desc.eventPtr)); +- (desc.servicePtr->*fun)(eventLocale); +- } ++ struct EventCallerBase { ++ virtual void fire() = 0; ++ virtual ~EventCallerBase() {} ++ }; + ++ template <class T> ++ struct EventCaller : public EventCallerBase { ++ T *event; Service *target; void (Service::*function)(const T&); ++ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {} ++ ~EventCaller() { delete event; } ++ void fire() { (target->*function)(*event); } ++ }; ++ + static void ThreadLoopStatic(ServiceThread *ptr) { + ptr->ThreadLoop(); + } + + void ThreadLoop(){ + for (;;) { +- EventDescription description = {NULL, NULL, NULL, NULL}; ++ EventCallerBase *ec = NULL; + { + std::unique_lock<std::mutex> ulock(m_eventQueueMutex); + if (m_quit) + return; + if (!m_eventQueue.empty()) { +- description = m_eventQueue.front(); ++ ec = m_eventQueue.front(); + m_eventQueue.pop(); + } else { + m_waitCondition.wait(ulock); + } + } + +- if (description.eventPtr != NULL) { ++ if (ec != NULL) { + UNHANDLED_EXCEPTION_HANDLER_BEGIN + { +- (this->*description.eventFunctionPtr)(description); +- delete description.eventPtr; ++ ec->fire(); + } + UNHANDLED_EXCEPTION_HANDLER_END ++ delete ec; + } + } + } + + std::thread m_thread; + std::mutex m_eventQueueMutex; +- std::queue<EventDescription> m_eventQueue; ++ std::queue<EventCallerBase*> m_eventQueue; + std::condition_variable m_waitCondition; + + State m_state; +-- +2.17.2 + diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch new file mode 100644 index 000000000..5a55a3128 --- /dev/null +++ b/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch @@ -0,0 +1,32 @@ +From 37c63c280eaec8cae3a321d45404d6c03a68c9d9 Mon Sep 17 00:00:00 2001 +From: Stephane Desneux <stephane.desneux@iot.bzh> +Date: Fri, 1 Feb 2019 12:26:17 +0000 +Subject: [PATCH] Fix gcc8 warning/error [-Werror=catch-value=] + +Fixes the following warning/error during compile: + +src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=] +| } catch (Exception) { +| ^~~~~~~~~ + +Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh> +--- + src/dpl/core/src/assert.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp +index 63538a2..fc60ce9 100644 +--- a/src/dpl/core/src/assert.cpp ++++ b/src/dpl/core/src/assert.cpp +@@ -58,7 +58,7 @@ void AssertProc(const char *condition, + INTERNAL_LOG("### Function: " << function); + INTERNAL_LOG( + "################################################################################"); +- } catch (Exception) { ++ } catch (Exception const&) { + // Just ignore possible double errors + } + +-- +2.11.0 + diff --git a/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-security/recipes-security/security-manager/security-manager_git.bb index 65134d31a..3cbc3aea8 100644 --- a/meta-security/recipes-security/security-manager/security-manager_git.bb +++ b/meta-security/recipes-security/security-manager/security-manager_git.bb @@ -14,6 +14,8 @@ file://c-11-replace-depracated-auto_ptr.patch \ file://socket-manager-removes-tizen-specific-call.patch \ file://Removing-tizen-platform-config.patch \ file://removes-dependency-to-libslp-db-utils.patch \ +file://0001-Fix-gcc8-warning-error-Werror-catch-value.patch \ +file://0001-Avoid-casting-from-const-T-to-void.patch \ " ########################################## @@ -32,3 +34,5 @@ SRC_URI += "\ file://include-linux-xattr.patch;apply=${APPLY} \ " +# Use make with cmake and not ninja +OECMAKE_GENERATOR = "Unix Makefiles" diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend b/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend new file mode 100644 index 000000000..9c6080fcf --- /dev/null +++ b/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend @@ -0,0 +1,3 @@ +# remove the EXTRA_OECONF from the recipe to +# avoid an build error in >= YP SUMO +EXTRA_OECONF = "" |