Diffstat (limited to 'meta-security')
-rw-r--r--meta-security/conf/layer.conf2
-rw-r--r--meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch389
-rw-r--r--meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch104
-rw-r--r--meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch117
-rw-r--r--meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch305
-rw-r--r--meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch22
-rw-r--r--meta-security/recipes-core/dbus-cynara/dbus-cynara_1.12.10.bb (renamed from meta-security/recipes-core/dbus-cynara/dbus-cynara_1.10.20.bb)2
-rw-r--r--meta-security/recipes-core/dbus-cynara/dbus_%.bbappend1
-rw-r--r--meta-security/recipes-core/systemd/systemd_239.bbappend (renamed from meta-security/recipes-core/systemd/systemd_234.bbappend)11
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc27
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4135
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch18
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch67
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch19
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch44
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest11
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend14
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb106
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch51
-rw-r--r--meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch8
-rw-r--r--meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch35
-rw-r--r--meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch8
-rw-r--r--meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch8
-rw-r--r--meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch8
-rw-r--r--meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch228
-rw-r--r--meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch8
-rw-r--r--meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch14
-rw-r--r--meta-security/recipes-security/cynara/cynara_0.14.10.bb20
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch79
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng/python.patch39
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb39
-rw-r--r--meta-security/recipes-security/security-manager/security-manager.inc8
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch127
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch32
-rw-r--r--meta-security/recipes-security/security-manager/security-manager_git.bb4
-rw-r--r--meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend3
36 files changed, 814 insertions, 1299 deletions
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 2da233a76..16dae3989 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -10,3 +10,5 @@ BBFILES += " ${LAYERDIR}/recipes-*/*/*.bb \
BBFILE_COLLECTIONS += "security-smack"
BBFILE_PATTERN_security-smack := "^${LAYERDIR}/"
BBFILE_PRIORITY_security-smack = "60"
+
+LAYERSERIES_COMPAT_security-smack = "thud"
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch
index 6a7e8a39d..d04c60cd9 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch
+++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch
@@ -19,46 +19,17 @@ Currently such return value results in message denial.
Cherry picked from 4dcfb02f17247ff9de966b62182cd2e08f301238
by José Bollo.
+Updated for dbus 1.10.20 by Scott Murray.
+
Change-Id: I9bcbce34577e5dc2a3cecf6233a0a2b0e43e1108
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- bus/Makefile.am | 6 +
- bus/bus.c | 136 +++++---
- bus/bus.h | 32 +-
- bus/check.c | 217 ++++++++++++
- bus/check.h | 68 ++++
- bus/config-parser-common.c | 6 +
- bus/config-parser-common.h | 1 +
- bus/config-parser.c | 71 +++-
- bus/connection.c | 56 ++-
- bus/connection.h | 4 +
- bus/cynara.c | 374 +++++++++++++++++++++
- bus/cynara.h | 37 ++
- bus/dispatch.c | 44 ++-
- bus/policy.c | 193 +++++++----
- bus/policy.h | 51 ++-
- configure.ac | 12 +
- test/Makefile.am | 1 +
- test/data/invalid-config-files/badcheck-1.conf | 9 +
- test/data/invalid-config-files/badcheck-2.conf | 9 +
- test/data/valid-config-files/check-1.conf | 9 +
- .../valid-config-files/debug-check-some.conf.in | 18 +
- tools/dbus-send.c | 2 +-
- 22 files changed, 1193 insertions(+), 163 deletions(-)
- create mode 100644 bus/check.c
- create mode 100644 bus/check.h
- create mode 100644 bus/cynara.c
- create mode 100644 bus/cynara.h
- create mode 100644 test/data/invalid-config-files/badcheck-1.conf
- create mode 100644 test/data/invalid-config-files/badcheck-2.conf
- create mode 100644 test/data/valid-config-files/check-1.conf
- create mode 100644 test/data/valid-config-files/debug-check-some.conf.in
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
diff --git a/bus/Makefile.am b/bus/Makefile.am
-index 33af09b0..3f57cc48 100644
+index 9ae3071..46afb31 100644
--- a/bus/Makefile.am
+++ b/bus/Makefile.am
-@@ -9,6 +9,7 @@ DBUS_BUS_LIBS = \
+@@ -13,6 +13,7 @@ DBUS_BUS_LIBS = \
$(THREAD_LIBS) \
$(ADT_LIBS) \
$(NETWORK_libs) \
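Review bot: The added header line `Updated for dbus 1.10.20 by Scott Murray.` names the version this commit moves away from, since the diffstat shows the recipe renamed from dbus-cynara_1.10.20.bb to dbus-cynara_1.12.10.bb. For a patch that rewrites the bus's access-control path, the header should record the base it was last refreshed against, so that someone auditing the layer can tell which dbus release the hunks were checked on. If the refresh in this commit was done against the new recipe version, the line should read `Updated for dbus 1.12.10 by Scott Murray.`.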
@@ -66,7 +37,7 @@ index 33af09b0..3f57cc48 100644
$(NULL)
DBUS_LAUNCHER_LIBS = \
-@@ -24,6 +25,7 @@ AM_CPPFLAGS = \
+@@ -30,6 +31,7 @@ AM_CPPFLAGS = \
$(APPARMOR_CFLAGS) \
-DDBUS_SYSTEM_CONFIG_FILE=\""$(dbusdatadir)/system.conf"\" \
-DDBUS_COMPILATION \
@@ -74,15 +45,16 @@ index 33af09b0..3f57cc48 100644
$(NULL)
# if assertions are enabled, improve backtraces
-@@ -82,12 +84,16 @@ BUS_SOURCES= \
+@@ -90,6 +92,8 @@ BUS_SOURCES= \
audit.h \
bus.c \
bus.h \
+ check.c \
+ check.h \
+ config-loader-expat.c \
config-parser.c \
config-parser.h \
- config-parser-common.c \
+@@ -97,6 +101,8 @@ BUS_SOURCES= \
config-parser-common.h \
connection.c \
connection.h \
@@ -91,19 +63,33 @@ index 33af09b0..3f57cc48 100644
desktop-file.c \
desktop-file.h \
$(DIR_WATCH_SOURCE) \
+diff --git a/bus/activation.c b/bus/activation.c
+index 6f009f5..451179d 100644
+--- a/bus/activation.c
++++ b/bus/activation.c
+@@ -1795,7 +1795,8 @@ bus_activation_activate_service (BusActivation *activation,
+ NULL, /* proposed recipient */
+ activation_message,
+ entry,
+- error))
++ error,
++ NULL))
+ {
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ _dbus_verbose ("activation not authorized: %s: %s\n",
diff --git a/bus/bus.c b/bus/bus.c
-index fd4ab9e4..c4008505 100644
+index 30ce4e1..237efe3 100644
--- a/bus/bus.c
+++ b/bus/bus.c
-@@ -37,6 +37,7 @@
+@@ -38,6 +38,7 @@
#include "apparmor.h"
#include "audit.h"
#include "dir-watch.h"
+#include "check.h"
+ #include <dbus/dbus-auth.h>
#include <dbus/dbus-list.h>
#include <dbus/dbus-hash.h>
- #include <dbus/dbus-credentials.h>
-@@ -65,6 +66,7 @@ struct BusContext
+@@ -67,6 +68,7 @@ struct BusContext
BusRegistry *registry;
BusPolicy *policy;
BusMatchmaker *matchmaker;
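Review bot: The call to bus_context_check_security_policy in bus_activation_activate_service gains only a trailing `NULL` and is still tested as a truth value by the surrounding condition, even though this patch changes the function's return type from `dbus_bool_t` to `BusResult`. The enumerator values are not visible on this page, so whether a boolean test still separates an allowed activation from a denied or deferred one depends on their order. The other converted callers compare against named values (`res == BUS_RESULT_FALSE` in connection.c, `result != BUS_RESULT_TRUE` in dispatch.c). Comparing explicitly here, `... != BUS_RESULT_TRUE)`, would make the activation path fail closed whatever the enum layout. Because `NULL` is passed for `deferred_message` and `_DBUS_ASSERT_ERROR_IS_SET (error)` follows, the branch should also set `error` itself when the result is neither allow nor deny; the opening of the condition is above the hunk, so its exact form is inferred from the closing `))`.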
@@ -111,7 +97,7 @@ index fd4ab9e4..c4008505 100644
BusLimits limits;
DBusRLimit *initial_fd_limit;
unsigned int fork : 1;
-@@ -988,6 +990,10 @@ bus_context_new (const DBusString *config_file,
+@@ -1003,6 +1005,10 @@ bus_context_new (const DBusString *config_file,
parser = NULL;
}
@@ -122,7 +108,7 @@ index fd4ab9e4..c4008505 100644
dbus_server_free_data_slot (&server_data_slot);
return context;
-@@ -1112,6 +1118,12 @@ bus_context_unref (BusContext *context)
+@@ -1127,6 +1133,12 @@ bus_context_unref (BusContext *context)
bus_context_shutdown (context);
@@ -135,7 +121,7 @@ index fd4ab9e4..c4008505 100644
if (context->connections)
{
bus_connections_unref (context->connections);
-@@ -1241,6 +1253,12 @@ bus_context_get_loop (BusContext *context)
+@@ -1256,6 +1268,12 @@ bus_context_get_loop (BusContext *context)
return context->loop;
}
@@ -148,7 +134,7 @@ index fd4ab9e4..c4008505 100644
dbus_bool_t
bus_context_allow_unix_user (BusContext *context,
unsigned long uid)
-@@ -1456,6 +1474,7 @@ complain_about_message (BusContext *context,
+@@ -1451,6 +1469,7 @@ complain_about_message (BusContext *context,
DBusConnection *proposed_recipient,
dbus_bool_t requested_reply,
dbus_bool_t log,
@@ -156,7 +142,7 @@ index fd4ab9e4..c4008505 100644
DBusError *error)
{
DBusError stack_error = DBUS_ERROR_INIT;
-@@ -1485,7 +1504,8 @@ complain_about_message (BusContext *context,
+@@ -1480,7 +1499,8 @@ complain_about_message (BusContext *context,
dbus_set_error (&stack_error, error_name,
"%s, %d matched rules; type=\"%s\", sender=\"%s\" (%s) "
"interface=\"%s\" member=\"%s\" error name=\"%s\" "
@@ -166,7 +152,7 @@ index fd4ab9e4..c4008505 100644
complaint,
matched_rules,
dbus_message_type_to_string (dbus_message_get_type (message)),
-@@ -1496,7 +1516,8 @@ complain_about_message (BusContext *context,
+@@ -1491,7 +1511,8 @@ complain_about_message (BusContext *context,
nonnull (dbus_message_get_error_name (message), "(unset)"),
requested_reply,
nonnull (dbus_message_get_destination (message), DBUS_SERVICE_DBUS),
@@ -176,26 +162,21 @@ index fd4ab9e4..c4008505 100644
/* If we hit OOM while setting the error, this will syslog "out of memory"
* which is itself an indication that something is seriously wrong */
-@@ -1520,14 +1541,15 @@ complain_about_message (BusContext *context,
+@@ -1519,7 +1540,7 @@ complain_about_message (BusContext *context,
* NULL for addressed_recipient may mean the bus driver, or may mean
* no destination was specified in the message (e.g. a signal).
*/
-dbus_bool_t
--bus_context_check_security_policy (BusContext *context,
-- BusTransaction *transaction,
-- DBusConnection *sender,
-- DBusConnection *addressed_recipient,
-- DBusConnection *proposed_recipient,
-- DBusMessage *message,
-- DBusError *error)
+BusResult
-+bus_context_check_security_policy (BusContext *context,
-+ BusTransaction *transaction,
-+ DBusConnection *sender,
-+ DBusConnection *addressed_recipient,
-+ DBusConnection *proposed_recipient,
-+ DBusMessage *message,
-+ DBusError *error,
+ bus_context_check_security_policy (BusContext *context,
+ BusTransaction *transaction,
+ DBusConnection *sender,
+@@ -1527,7 +1548,8 @@ bus_context_check_security_policy (BusContext *context,
+ DBusConnection *proposed_recipient,
+ DBusMessage *message,
+ BusActivationEntry *activation_entry,
+- DBusError *error)
++ DBusError *error,
+ BusDeferredMessage **deferred_message)
{
const char *src, *dest;
@@ -208,7 +189,7 @@ index fd4ab9e4..c4008505 100644
type = dbus_message_get_type (message);
src = dbus_message_get_sender (message);
-@@ -1564,7 +1587,7 @@ bus_context_check_security_policy (BusContext *context,
+@@ -1565,7 +1588,7 @@ bus_context_check_security_policy (BusContext *context,
dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
"Message bus will not accept messages of unknown type\n");
@@ -217,7 +198,7 @@ index fd4ab9e4..c4008505 100644
}
requested_reply = FALSE;
-@@ -1594,7 +1617,7 @@ bus_context_check_security_policy (BusContext *context,
+@@ -1595,7 +1618,7 @@ bus_context_check_security_policy (BusContext *context,
if (dbus_error_is_set (&error2))
{
dbus_move_error (&error2, error);
@@ -226,7 +207,7 @@ index fd4ab9e4..c4008505 100644
}
}
}
-@@ -1621,11 +1644,11 @@ bus_context_check_security_policy (BusContext *context,
+@@ -1624,11 +1647,11 @@ bus_context_check_security_policy (BusContext *context,
complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
"An SELinux policy prevents this sender from sending this "
"message to this recipient",
@@ -240,16 +221,16 @@ index fd4ab9e4..c4008505 100644
}
/* next verify AppArmor access controls. If allowed then
-@@ -1642,7 +1665,7 @@ bus_context_check_security_policy (BusContext *context,
- dest ? dest : DBUS_SERVICE_DBUS,
+@@ -1646,7 +1669,7 @@ bus_context_check_security_policy (BusContext *context,
src ? src : DBUS_SERVICE_DBUS,
+ activation_entry,
error))
- return FALSE;
+ return BUS_RESULT_FALSE;
if (!bus_connection_is_active (sender))
{
-@@ -1656,7 +1679,7 @@ bus_context_check_security_policy (BusContext *context,
+@@ -1660,7 +1683,7 @@ bus_context_check_security_policy (BusContext *context,
{
_dbus_verbose ("security check allowing %s message\n",
"Hello");
@@ -258,7 +239,7 @@ index fd4ab9e4..c4008505 100644
}
else
{
-@@ -1667,7 +1690,7 @@ bus_context_check_security_policy (BusContext *context,
+@@ -1671,7 +1694,7 @@ bus_context_check_security_policy (BusContext *context,
"Client tried to send a message other than %s without being registered",
"Hello");
@@ -267,7 +248,7 @@ index fd4ab9e4..c4008505 100644
}
}
}
-@@ -1716,20 +1739,29 @@ bus_context_check_security_policy (BusContext *context,
+@@ -1720,20 +1743,29 @@ bus_context_check_security_policy (BusContext *context,
(proposed_recipient == NULL && recipient_policy == NULL));
log = FALSE;
@@ -311,7 +292,7 @@ index fd4ab9e4..c4008505 100644
if (log)
{
-@@ -1738,23 +1770,29 @@ bus_context_check_security_policy (BusContext *context,
+@@ -1742,23 +1774,29 @@ bus_context_check_security_policy (BusContext *context,
complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
"Would reject message", toggles,
message, sender, proposed_recipient, requested_reply,
@@ -355,7 +336,7 @@ index fd4ab9e4..c4008505 100644
}
/* See if limits on size have been exceeded */
-@@ -1764,10 +1802,10 @@ bus_context_check_security_policy (BusContext *context,
+@@ -1768,10 +1806,10 @@ bus_context_check_security_policy (BusContext *context,
{
complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED,
"Rejected: destination has a full message queue",
@@ -368,7 +349,7 @@ index fd4ab9e4..c4008505 100644
}
/* Record that we will allow a reply here in the future (don't
-@@ -1784,11 +1822,11 @@ bus_context_check_security_policy (BusContext *context,
+@@ -1792,11 +1830,11 @@ bus_context_check_security_policy (BusContext *context,
message, error))
{
_dbus_verbose ("Failed to record reply expectation or problem with the message expecting a reply\n");
@@ -383,13 +364,13 @@ index fd4ab9e4..c4008505 100644
void
diff --git a/bus/bus.h b/bus/bus.h
-index 3fab59ff..dab7791f 100644
+index 2e0de82..82c32c8 100644
--- a/bus/bus.h
+++ b/bus/bus.h
-@@ -44,6 +44,22 @@ typedef struct BusOwner BusOwner;
- typedef struct BusTransaction BusTransaction;
+@@ -45,6 +45,22 @@ typedef struct BusTransaction BusTransaction;
typedef struct BusMatchmaker BusMatchmaker;
typedef struct BusMatchRule BusMatchRule;
+ typedef struct BusActivationEntry BusActivationEntry;
+typedef struct BusCheck BusCheck;
+typedef struct BusDeferredMessage BusDeferredMessage;
+typedef struct BusCynara BusCynara;
@@ -409,7 +390,7 @@ index 3fab59ff..dab7791f 100644
typedef struct
{
-@@ -97,6 +113,7 @@ BusConnections* bus_context_get_connections (BusContext
+@@ -101,6 +117,7 @@ BusConnections* bus_context_get_connections (BusContext
BusActivation* bus_context_get_activation (BusContext *context);
BusMatchmaker* bus_context_get_matchmaker (BusContext *context);
DBusLoop* bus_context_get_loop (BusContext *context);
@@ -417,31 +398,27 @@ index 3fab59ff..dab7791f 100644
dbus_bool_t bus_context_allow_unix_user (BusContext *context,
unsigned long uid);
dbus_bool_t bus_context_allow_windows_user (BusContext *context,
-@@ -131,13 +148,14 @@ void bus_context_log_and_set_error (BusContext
+@@ -136,14 +153,15 @@ void bus_context_log_and_set_error (BusContext
const char *name,
const char *msg,
...) _DBUS_GNUC_PRINTF (5, 6);
-dbus_bool_t bus_context_check_security_policy (BusContext *context,
-- BusTransaction *transaction,
-- DBusConnection *sender,
-- DBusConnection *addressed_recipient,
-- DBusConnection *proposed_recipient,
-- DBusMessage *message,
++BusResult bus_context_check_security_policy (BusContext *context,
+ BusTransaction *transaction,
+ DBusConnection *sender,
+ DBusConnection *addressed_recipient,
+ DBusConnection *proposed_recipient,
+ DBusMessage *message,
+ BusActivationEntry *activation_entry,
- DBusError *error);
-+BusResult bus_context_check_security_policy (BusContext *context,
-+ BusTransaction *transaction,
-+ DBusConnection *sender,
-+ DBusConnection *addressed_recipient,
-+ DBusConnection *proposed_recipient,
-+ DBusMessage *message,
-+ DBusError *error,
++ DBusError *error,
+ BusDeferredMessage **deferred_message);
void bus_context_check_all_watches (BusContext *context);
#endif /* BUS_BUS_H */
diff --git a/bus/check.c b/bus/check.c
new file mode 100644
-index 00000000..5b72d31c
+index 0000000..5b72d31
--- /dev/null
+++ b/bus/check.c
@@ -0,0 +1,217 @@
@@ -664,7 +641,7 @@ index 00000000..5b72d31c
+}
diff --git a/bus/check.h b/bus/check.h
new file mode 100644
-index 00000000..c3fcaf90
+index 0000000..c3fcaf9
--- /dev/null
+++ b/bus/check.h
@@ -0,0 +1,68 @@
@@ -737,7 +714,7 @@ index 00000000..c3fcaf90
+ BusResult result);
+#endif /* BUS_CHECK_H */
diff --git a/bus/config-parser-common.c b/bus/config-parser-common.c
-index 5db6b289..ea25f5e6 100644
+index c1c4191..e2f253d 100644
--- a/bus/config-parser-common.c
+++ b/bus/config-parser-common.c
@@ -75,6 +75,10 @@ bus_config_parser_element_name_to_type (const char *name)
@@ -761,7 +738,7 @@ index 5db6b289..ea25f5e6 100644
return "fork";
case ELEMENT_PIDFILE:
diff --git a/bus/config-parser-common.h b/bus/config-parser-common.h
-index 382a0141..9e026d10 100644
+index 382a014..9e026d1 100644
--- a/bus/config-parser-common.h
+++ b/bus/config-parser-common.h
@@ -36,6 +36,7 @@ typedef enum
@@ -773,10 +750,10 @@ index 382a0141..9e026d10 100644
ELEMENT_PIDFILE,
ELEMENT_SERVICEDIR,
diff --git a/bus/config-parser.c b/bus/config-parser.c
-index d9f6042c..a8c4ca5d 100644
+index be27d38..b54b0e4 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
-@@ -1172,7 +1172,7 @@ append_rule_from_element (BusConfigParser *parser,
+@@ -1318,7 +1318,7 @@ append_rule_from_element (BusConfigParser *parser,
const char *element_name,
const char **attribute_names,
const char **attribute_values,
@@ -785,15 +762,15 @@ index d9f6042c..a8c4ca5d 100644
DBusError *error)
{
const char *log;
-@@ -1195,6 +1195,7 @@ append_rule_from_element (BusConfigParser *parser,
+@@ -1360,6 +1360,7 @@ append_rule_from_element (BusConfigParser *parser,
const char *own_prefix;
const char *user;
const char *group;
+ const char *privilege;
BusPolicyRule *rule;
-
-@@ -1222,6 +1223,7 @@ append_rule_from_element (BusConfigParser *parser,
+
+@@ -1390,6 +1391,7 @@ append_rule_from_element (BusConfigParser *parser,
"user", &user,
"group", &group,
"log", &log,
@@ -801,15 +778,15 @@ index d9f6042c..a8c4ca5d 100644
NULL))
return FALSE;
-@@ -1230,6 +1232,7 @@ append_rule_from_element (BusConfigParser *parser,
- receive_interface || receive_member || receive_error || receive_sender ||
- receive_type || receive_path || eavesdrop ||
- send_requested_reply || receive_requested_reply ||
+@@ -1422,6 +1424,7 @@ append_rule_from_element (BusConfigParser *parser,
+
+ if (!(any_send_attribute ||
+ any_receive_attribute ||
+ privilege ||
own || own_prefix || user || group))
{
dbus_set_error (error, DBUS_ERROR_FAILED,
-@@ -1246,7 +1249,30 @@ append_rule_from_element (BusConfigParser *parser,
+@@ -1438,7 +1441,30 @@ append_rule_from_element (BusConfigParser *parser,
element_name);
return FALSE;
}
@@ -841,25 +818,25 @@ index d9f6042c..a8c4ca5d 100644
/* Allowed combinations of elements are:
*
* base, must be all send or all receive:
-@@ -1420,7 +1446,7 @@ append_rule_from_element (BusConfigParser *parser,
- return FALSE;
- }
-
+@@ -1589,7 +1615,7 @@ append_rule_from_element (BusConfigParser *parser,
+ error))
+ return FALSE;
+
- rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, allow);
-+ rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, access);
++ rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, access);
if (rule == NULL)
goto nomem;
-@@ -1502,7 +1528,7 @@ append_rule_from_element (BusConfigParser *parser,
- return FALSE;
- }
-
+@@ -1694,7 +1720,7 @@ append_rule_from_element (BusConfigParser *parser,
+ error))
+ return FALSE;
+
- rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, allow);
-+ rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, access);
++ rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, access);
if (rule == NULL)
goto nomem;
-@@ -1532,7 +1558,7 @@ append_rule_from_element (BusConfigParser *parser,
+@@ -1726,7 +1752,7 @@ append_rule_from_element (BusConfigParser *parser,
}
else if (own || own_prefix)
{
@@ -868,7 +845,7 @@ index d9f6042c..a8c4ca5d 100644
if (rule == NULL)
goto nomem;
-@@ -1558,7 +1584,7 @@ append_rule_from_element (BusConfigParser *parser,
+@@ -1752,7 +1778,7 @@ append_rule_from_element (BusConfigParser *parser,
{
if (IS_WILDCARD (user))
{
@@ -877,7 +854,7 @@ index d9f6042c..a8c4ca5d 100644
if (rule == NULL)
goto nomem;
-@@ -1573,7 +1599,7 @@ append_rule_from_element (BusConfigParser *parser,
+@@ -1767,7 +1793,7 @@ append_rule_from_element (BusConfigParser *parser,
if (_dbus_parse_unix_user_from_config (&username, &uid))
{
@@ -886,7 +863,7 @@ index d9f6042c..a8c4ca5d 100644
if (rule == NULL)
goto nomem;
-@@ -1590,7 +1616,7 @@ append_rule_from_element (BusConfigParser *parser,
+@@ -1784,7 +1810,7 @@ append_rule_from_element (BusConfigParser *parser,
{
if (IS_WILDCARD (group))
{
@@ -895,7 +872,7 @@ index d9f6042c..a8c4ca5d 100644
if (rule == NULL)
goto nomem;
-@@ -1605,7 +1631,7 @@ append_rule_from_element (BusConfigParser *parser,
+@@ -1799,7 +1825,7 @@ append_rule_from_element (BusConfigParser *parser,
if (_dbus_parse_unix_group_from_config (&groupname, &gid))
{
@@ -904,7 +881,7 @@ index d9f6042c..a8c4ca5d 100644
if (rule == NULL)
goto nomem;
-@@ -1629,6 +1655,10 @@ append_rule_from_element (BusConfigParser *parser,
+@@ -1823,6 +1849,10 @@ append_rule_from_element (BusConfigParser *parser,
_dbus_assert (pe != NULL);
_dbus_assert (pe->type == ELEMENT_POLICY);
@@ -915,7 +892,7 @@ index d9f6042c..a8c4ca5d 100644
switch (pe->d.policy.type)
{
case POLICY_IGNORED:
-@@ -1703,7 +1733,7 @@ start_policy_child (BusConfigParser *parser,
+@@ -1898,7 +1928,7 @@ start_policy_child (BusConfigParser *parser,
{
if (!append_rule_from_element (parser, element_name,
attribute_names, attribute_values,
@@ -924,7 +901,7 @@ index d9f6042c..a8c4ca5d 100644
return FALSE;
if (push_element (parser, ELEMENT_ALLOW) == NULL)
-@@ -1718,7 +1748,7 @@ start_policy_child (BusConfigParser *parser,
+@@ -1913,7 +1943,7 @@ start_policy_child (BusConfigParser *parser,
{
if (!append_rule_from_element (parser, element_name,
attribute_names, attribute_values,
@@ -933,7 +910,7 @@ index d9f6042c..a8c4ca5d 100644
return FALSE;
if (push_element (parser, ELEMENT_DENY) == NULL)
-@@ -1727,6 +1757,21 @@ start_policy_child (BusConfigParser *parser,
+@@ -1922,6 +1952,21 @@ start_policy_child (BusConfigParser *parser,
return FALSE;
}
@@ -955,7 +932,7 @@ index d9f6042c..a8c4ca5d 100644
return TRUE;
}
else
-@@ -2088,6 +2133,7 @@ bus_config_parser_end_element (BusConfigParser *parser,
+@@ -2284,6 +2329,7 @@ bus_config_parser_end_element (BusConfigParser *parser,
case ELEMENT_POLICY:
case ELEMENT_ALLOW:
case ELEMENT_DENY:
@@ -963,7 +940,7 @@ index d9f6042c..a8c4ca5d 100644
case ELEMENT_FORK:
case ELEMENT_SYSLOG:
case ELEMENT_KEEP_UMASK:
-@@ -2397,6 +2443,7 @@ bus_config_parser_content (BusConfigParser *parser,
+@@ -2600,6 +2646,7 @@ bus_config_parser_content (BusConfigParser *parser,
case ELEMENT_POLICY:
case ELEMENT_ALLOW:
case ELEMENT_DENY:
@@ -971,7 +948,7 @@ index d9f6042c..a8c4ca5d 100644
case ELEMENT_FORK:
case ELEMENT_SYSLOG:
case ELEMENT_KEEP_UMASK:
-@@ -2862,6 +2909,8 @@ do_load (const DBusString *full_path,
+@@ -3127,6 +3174,8 @@ do_load (const DBusString *full_path,
dbus_error_init (&error);
parser = bus_config_load (full_path, TRUE, NULL, &error);
@@ -981,7 +958,7 @@ index d9f6042c..a8c4ca5d 100644
{
_DBUS_ASSERT_ERROR_IS_SET (&error);
diff --git a/bus/connection.c b/bus/connection.c
-index 02d6c220..eea50ecd 100644
+index 53605fa..deebde3 100644
--- a/bus/connection.c
+++ b/bus/connection.c
@@ -36,6 +36,10 @@
@@ -1061,7 +1038,7 @@ index 02d6c220..eea50ecd 100644
}
static void
-@@ -451,6 +458,10 @@ free_connection_data (void *data)
+@@ -448,6 +455,10 @@ free_connection_data (void *data)
dbus_free (d->name);
@@ -1072,7 +1049,7 @@ index 02d6c220..eea50ecd 100644
dbus_free (d);
}
-@@ -1063,6 +1074,22 @@ bus_connection_get_policy (DBusConnection *connection)
+@@ -1078,6 +1089,22 @@ bus_connection_get_policy (DBusConnection *connection)
return d->policy;
}
@@ -1095,7 +1072,7 @@ index 02d6c220..eea50ecd 100644
static dbus_bool_t
foreach_active (BusConnections *connections,
BusConnectionForeachFunction function,
-@@ -2289,6 +2316,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+@@ -2333,6 +2360,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
DBusMessage *message)
{
DBusError error = DBUS_ERROR_INIT;
@@ -1103,22 +1080,24 @@ index 02d6c220..eea50ecd 100644
/* We have to set the sender to the driver, and have
* to check security policy since it was not done in
-@@ -2326,9 +2354,11 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+@@ -2370,10 +2398,12 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
* if we're actively capturing messages, it's nice to log that we
* tried to send it and did not allow ourselves to do so.
*/
- if (!bus_context_check_security_policy (bus_transaction_get_context (transaction),
- transaction,
-- NULL, connection, connection, message, &error))
+- NULL, connection, connection,
+- message, NULL, &error))
+ res = bus_context_check_security_policy (bus_transaction_get_context (transaction),
+ transaction,
-+ NULL, connection, connection, message, &error,
++ NULL, connection, connection,
++ message, NULL, &error,
+ NULL);
+ if (res == BUS_RESULT_FALSE)
{
- if (!bus_transaction_capture_error_reply (transaction, &error, message))
- {
-@@ -2342,6 +2372,12 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+ if (!bus_transaction_capture_error_reply (transaction, connection,
+ &error, message))
+@@ -2388,6 +2418,12 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
dbus_error_free (&error);
return TRUE;
}
@@ -1132,7 +1111,7 @@ index 02d6c220..eea50ecd 100644
return bus_transaction_send (transaction, connection, message);
}
diff --git a/bus/connection.h b/bus/connection.h
-index 8c68d0a0..a6e5dfde 100644
+index 9e253ae..71078ea 100644
--- a/bus/connection.h
+++ b/bus/connection.h
@@ -31,6 +31,7 @@
@@ -1143,7 +1122,7 @@ index 8c68d0a0..a6e5dfde 100644
BusConnections* bus_connections_new (BusContext *context);
BusConnections* bus_connections_ref (BusConnections *connections);
-@@ -122,6 +123,9 @@ dbus_bool_t bus_connection_be_monitor (DBusConnection *connection,
+@@ -124,6 +125,9 @@ dbus_bool_t bus_connection_be_monitor (DBusConnection *connection,
BusTransaction *transaction,
DBusList **rules,
DBusError *error);
@@ -1155,7 +1134,7 @@ index 8c68d0a0..a6e5dfde 100644
diff --git a/bus/cynara.c b/bus/cynara.c
new file mode 100644
-index 00000000..57a4c45c
+index 0000000..57a4c45
--- /dev/null
+++ b/bus/cynara.c
@@ -0,0 +1,374 @@
@@ -1535,7 +1514,7 @@ index 00000000..57a4c45c
+#endif /* DBUS_ENABLE_CYNARA */
diff --git a/bus/cynara.h b/bus/cynara.h
new file mode 100644
-index 00000000..c4728bb7
+index 0000000..c4728bb
--- /dev/null
+++ b/bus/cynara.h
@@ -0,0 +1,37 @@
@@ -1577,7 +1556,7 @@ index 00000000..c4728bb7
+ BusDeferredMessageStatus check_type,
+ BusDeferredMessage **deferred_message);
diff --git a/bus/dispatch.c b/bus/dispatch.c
-index edfa1b44..05be3bdf 100644
+index 19228be..7e51bc1 100644
--- a/bus/dispatch.c
+++ b/bus/dispatch.c
@@ -25,6 +25,7 @@
@@ -1588,7 +1567,7 @@ index edfa1b44..05be3bdf 100644
#include "connection.h"
#include "driver.h"
#include "services.h"
-@@ -64,13 +65,17 @@ send_one_message (DBusConnection *connection,
+@@ -64,14 +65,18 @@ send_one_message (DBusConnection *connection,
DBusError *error)
{
DBusError stack_error = DBUS_ERROR_INIT;
@@ -1601,14 +1580,15 @@ index edfa1b44..05be3bdf 100644
addressed_recipient,
connection,
message,
+ NULL,
- &stack_error))
+ &stack_error,
+ &deferred_message);
+ if (result != BUS_RESULT_TRUE)
{
- if (!bus_transaction_capture_error_reply (transaction, &stack_error,
- message))
-@@ -129,6 +134,7 @@ bus_dispatch_matches (BusTransaction *transaction,
+ if (!bus_transaction_capture_error_reply (transaction, sender,
+ &stack_error, message))
+@@ -130,6 +135,7 @@ bus_dispatch_matches (BusTransaction *transaction,
BusMatchmaker *matchmaker;
DBusList *link;
BusContext *context;
@@ -1616,19 +1596,19 @@ index edfa1b44..05be3bdf 100644
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -144,11 +150,21 @@ bus_dispatch_matches (BusTransaction *transaction,
+@@ -145,11 +151,21 @@ bus_dispatch_matches (BusTransaction *transaction,
/* First, send the message to the addressed_recipient, if there is one. */
if (addressed_recipient != NULL)
{
- if (!bus_context_check_security_policy (context, transaction,
- sender, addressed_recipient,
- addressed_recipient,
-- message, error))
+- message, NULL, error))
+ BusResult res;
+ res = bus_context_check_security_policy (context, transaction,
+ sender, addressed_recipient,
+ addressed_recipient,
-+ message, error,
++ message, NULL, error,
+ &deferred_message);
+ if (res == BUS_RESULT_FALSE)
return FALSE;
@@ -1642,16 +1622,25 @@ index edfa1b44..05be3bdf 100644
if (dbus_message_contains_unix_fds (message) &&
!dbus_connection_can_send_type (addressed_recipient,
-@@ -379,12 +395,24 @@ bus_dispatch (DBusConnection *connection,
+@@ -374,19 +390,32 @@ bus_dispatch (DBusConnection *connection,
if (service_name &&
strcmp (service_name, DBUS_SERVICE_DBUS) == 0) /* to bus driver */
{
-- if (!bus_context_check_security_policy (context, transaction,
-- connection, NULL, NULL, message, &error))
+ BusDeferredMessage *deferred_message;
+ BusResult res;
++
+ if (!bus_transaction_capture (transaction, connection, NULL, message))
+ {
+ BUS_SET_OOM (&error);
+ goto out;
+ }
+
+- if (!bus_context_check_security_policy (context, transaction,
+- connection, NULL, NULL, message,
+- NULL, &error))
+ res = bus_context_check_security_policy (context, transaction,
-+ connection, NULL, NULL, message, &error,
++ connection, NULL, NULL, message,
++ NULL, &error,
+ &deferred_message);
+ if (res == BUS_RESULT_FALSE)
{
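Review bot: `BusDeferredMessage *deferred_message;` in the bus-driver branch of bus_dispatch is declared without an initialiser and then passed by address to bus_context_check_security_policy. The code that consumes it after the `res == BUS_RESULT_FALSE` branch lies outside this hunk. If the check can return without writing the out-parameter, any later read would use an indeterminate pointer inside the daemon's dispatch path. Initialising at the declaration removes that dependency on the callee: `BusDeferredMessage *deferred_message = NULL;`.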
@@ -1670,7 +1659,7 @@ index edfa1b44..05be3bdf 100644
_dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS);
if (!bus_driver_handle_message (connection, transaction, message, &error))
diff --git a/bus/policy.c b/bus/policy.c
-index 082f3853..bcade176 100644
+index a37be80..7ee1ce5 100644
--- a/bus/policy.c
+++ b/bus/policy.c
@@ -22,6 +22,7 @@
@@ -1681,7 +1670,7 @@ index 082f3853..bcade176 100644
#include "policy.h"
#include "services.h"
#include "test.h"
-@@ -32,7 +33,7 @@
+@@ -33,7 +34,7 @@
BusPolicyRule*
bus_policy_rule_new (BusPolicyRuleType type,
@@ -1690,7 +1679,7 @@ index 082f3853..bcade176 100644
{
BusPolicyRule *rule;
-@@ -42,7 +43,7 @@ bus_policy_rule_new (BusPolicyRuleType type,
+@@ -43,7 +44,7 @@ bus_policy_rule_new (BusPolicyRuleType type,
rule->type = type;
rule->refcount = 1;
@@ -1699,7 +1688,7 @@ index 082f3853..bcade176 100644
switch (rule->type)
{
-@@ -54,18 +55,19 @@ bus_policy_rule_new (BusPolicyRuleType type,
+@@ -55,18 +56,19 @@ bus_policy_rule_new (BusPolicyRuleType type,
break;
case BUS_POLICY_RULE_SEND:
rule->d.send.message_type = DBUS_MESSAGE_TYPE_INVALID;
@@ -1722,9 +1711,9 @@ index 082f3853..bcade176 100644
break;
case BUS_POLICY_RULE_OWN:
break;
-@@ -117,7 +119,8 @@ bus_policy_rule_unref (BusPolicyRule *rule)
- case BUS_POLICY_RULE_GROUP:
- break;
+@@ -122,7 +124,8 @@ bus_policy_rule_unref (BusPolicyRule *rule)
+ default:
+ _dbus_assert_not_reached ("invalid rule");
}
-
+
@@ -1732,7 +1721,7 @@ index 082f3853..bcade176 100644
dbus_free (rule);
}
}
-@@ -427,7 +430,10 @@ list_allows_user (dbus_bool_t def,
+@@ -435,7 +438,10 @@ list_allows_user (dbus_bool_t def,
else
continue;
@@ -1744,7 +1733,7 @@ index 082f3853..bcade176 100644
}
return allowed;
-@@ -862,18 +868,23 @@ bus_client_policy_append_rule (BusClientPolicy *policy,
+@@ -873,18 +879,23 @@ bus_client_policy_append_rule (BusClientPolicy *policy,
return TRUE;
}
@@ -1778,7 +1767,7 @@ index 082f3853..bcade176 100644
/* policy->rules is in the order the rules appeared
* in the config file, i.e. last rule that applies wins
*/
-@@ -881,7 +892,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
+@@ -892,7 +903,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
_dbus_verbose (" (policy) checking send rules\n");
*toggles = 0;
@@ -1787,7 +1776,7 @@ index 082f3853..bcade176 100644
link = _dbus_list_get_first_link (&policy->rules);
while (link != NULL)
{
-@@ -912,13 +923,14 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
+@@ -923,13 +934,14 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
/* If it's a reply, the requested_reply flag kicks in */
if (dbus_message_get_reply_serial (message) != 0)
{
@@ -1807,7 +1796,7 @@ index 082f3853..bcade176 100644
continue;
}
-@@ -926,7 +938,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
+@@ -937,7 +949,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
* when the reply was not requested. requested_reply=true means the
* rule always applies.
*/
@@ -1816,7 +1805,7 @@ index 082f3853..bcade176 100644
{
_dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
continue;
-@@ -949,13 +961,15 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
+@@ -960,13 +972,15 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
/* The interface is optional in messages. For allow rules, if the message
* has no interface we want to skip the rule (and thus not allow);
* for deny rules, if the message has no interface we want to use the
@@ -1834,7 +1823,7 @@ index 082f3853..bcade176 100644
(!no_interface &&
strcmp (dbus_message_get_interface (message),
rule->d.send.interface) != 0))
-@@ -1029,33 +1043,63 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
+@@ -1079,33 +1093,63 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
}
/* Use this rule */
@@ -1912,7 +1901,7 @@ index 082f3853..bcade176 100644
eavesdropping =
addressed_recipient != proposed_recipient &&
-@@ -1068,7 +1112,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1118,7 +1162,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
_dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping);
*toggles = 0;
@@ -1921,7 +1910,7 @@ index 082f3853..bcade176 100644
link = _dbus_list_get_first_link (&policy->rules);
while (link != NULL)
{
-@@ -1091,19 +1135,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1141,19 +1185,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
}
}
@@ -1948,7 +1937,7 @@ index 082f3853..bcade176 100644
{
_dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n");
continue;
-@@ -1112,13 +1158,14 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1162,13 +1208,14 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
/* If it's a reply, the requested_reply flag kicks in */
if (dbus_message_get_reply_serial (message) != 0)
{
@@ -1968,7 +1957,7 @@ index 082f3853..bcade176 100644
continue;
}
-@@ -1126,7 +1173,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1176,7 +1223,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
* when the reply was not requested. requested_reply=true means the
* rule always applies.
*/
@@ -1977,7 +1966,7 @@ index 082f3853..bcade176 100644
{
_dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
continue;
-@@ -1149,13 +1196,13 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1199,13 +1246,13 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
/* The interface is optional in messages. For allow rules, if the message
* has no interface we want to skip the rule (and thus not allow);
* for deny rules, if the message has no interface we want to use the
@@ -1993,9 +1982,9 @@ index 082f3853..bcade176 100644
(!no_interface &&
strcmp (dbus_message_get_interface (message),
rule->d.receive.interface) != 0))
-@@ -1230,14 +1277,42 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1295,14 +1342,42 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
}
-
+
/* Use this rule */
- allowed = rule->allow;
+ switch (rule->access)
@@ -2040,7 +2029,7 @@ index 082f3853..bcade176 100644
}
-@@ -1289,7 +1364,7 @@ bus_rules_check_can_own (DBusList *rules,
+@@ -1354,7 +1429,7 @@ bus_rules_check_can_own (DBusList *rules,
}
/* Use this rule */
@@ -2050,12 +2039,12 @@ index 082f3853..bcade176 100644
return allowed;
diff --git a/bus/policy.h b/bus/policy.h
-index d1d3e72b..e9f193af 100644
+index ec43ffa..f306a3c 100644
--- a/bus/policy.h
+++ b/bus/policy.h
-@@ -39,6 +39,14 @@ typedef enum
- BUS_POLICY_RULE_GROUP
- } BusPolicyRuleType;
+@@ -46,6 +46,14 @@ typedef enum
+ BUS_POLICY_TRISTATE_TRUE
+ } BusPolicyTristate;
+typedef enum
+{
@@ -2068,7 +2057,7 @@ index d1d3e72b..e9f193af 100644
/** determines whether the rule affects a connection, or some global item */
#define BUS_POLICY_RULE_IS_PER_CLIENT(rule) (!((rule)->type == BUS_POLICY_RULE_USER || \
(rule)->type == BUS_POLICY_RULE_GROUP))
-@@ -49,8 +57,9 @@ struct BusPolicyRule
+@@ -56,8 +64,9 @@ struct BusPolicyRule
BusPolicyRuleType type;
@@ -2080,7 +2069,7 @@ index d1d3e72b..e9f193af 100644
union
{
struct
-@@ -106,7 +115,7 @@ struct BusPolicyRule
+@@ -118,7 +127,7 @@ struct BusPolicyRule
};
BusPolicyRule* bus_policy_rule_new (BusPolicyRuleType type,
@@ -2089,7 +2078,7 @@ index d1d3e72b..e9f193af 100644
BusPolicyRule* bus_policy_rule_ref (BusPolicyRule *rule);
void bus_policy_rule_unref (BusPolicyRule *rule);
-@@ -140,21 +149,27 @@ dbus_bool_t bus_policy_merge (BusPolicy *policy,
+@@ -152,21 +161,27 @@ dbus_bool_t bus_policy_merge (BusPolicy *policy,
BusClientPolicy* bus_client_policy_new (void);
BusClientPolicy* bus_client_policy_ref (BusClientPolicy *policy);
void bus_client_policy_unref (BusClientPolicy *policy);
@@ -2133,10 +2122,10 @@ index d1d3e72b..e9f193af 100644
const DBusString *service_name);
dbus_bool_t bus_client_policy_append_rule (BusClientPolicy *policy,
diff --git a/configure.ac b/configure.ac
-index 71e3515c..f3a2ffc1 100644
+index 80671b2..d975b04 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1873,6 +1873,17 @@ AC_ARG_ENABLE([user-session],
+@@ -1761,6 +1761,17 @@ AC_ARG_ENABLE([user-session],
AM_CONDITIONAL([DBUS_ENABLE_USER_SESSION],
[test "x$enable_user_session" = xyes])
@@ -2154,7 +2143,7 @@ index 71e3515c..f3a2ffc1 100644
AC_CONFIG_FILES([
Doxyfile
dbus/Version
-@@ -1952,6 +1963,7 @@ echo "
+@@ -1843,6 +1854,7 @@ echo "
Building bus stats API: ${enable_stats}
Building SELinux support: ${have_selinux}
Building AppArmor support: ${have_apparmor}
@@ -2163,20 +2152,20 @@ index 71e3515c..f3a2ffc1 100644
Building kqueue support: ${have_kqueue}
Building systemd support: ${have_systemd}
diff --git a/test/Makefile.am b/test/Makefile.am
-index 914dd7f2..86882537 100644
+index 6a6e1a3..ce84dbc 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
-@@ -341,6 +341,7 @@ in_data = \
+@@ -439,6 +439,7 @@ in_data = \
data/valid-config-files/debug-allow-all.conf.in \
data/valid-config-files/finite-timeout.conf.in \
data/valid-config-files/forbidding.conf.in \
+ data/valid-config-files/debug-check-some.conf.in \
data/valid-config-files/incoming-limit.conf.in \
- data/valid-config-files/multi-user.conf.in \
- data/valid-config-files/systemd-activation.conf.in \
+ data/valid-config-files/max-completed-connections.conf.in \
+ data/valid-config-files/max-connections-per-user.conf.in \
diff --git a/test/data/invalid-config-files/badcheck-1.conf b/test/data/invalid-config-files/badcheck-1.conf
new file mode 100644
-index 00000000..fad9f502
+index 0000000..fad9f50
--- /dev/null
+++ b/test/data/invalid-config-files/badcheck-1.conf
@@ -0,0 +1,9 @@
@@ -2191,7 +2180,7 @@ index 00000000..fad9f502
+</busconfig>
diff --git a/test/data/invalid-config-files/badcheck-2.conf b/test/data/invalid-config-files/badcheck-2.conf
new file mode 100644
-index 00000000..63c7ef25
+index 0000000..63c7ef2
--- /dev/null
+++ b/test/data/invalid-config-files/badcheck-2.conf
@@ -0,0 +1,9 @@
@@ -2206,7 +2195,7 @@ index 00000000..63c7ef25
+</busconfig>
diff --git a/test/data/valid-config-files/check-1.conf b/test/data/valid-config-files/check-1.conf
new file mode 100644
-index 00000000..ad714733
+index 0000000..ad71473
--- /dev/null
+++ b/test/data/valid-config-files/check-1.conf
@@ -0,0 +1,9 @@
@@ -2221,7 +2210,7 @@ index 00000000..ad714733
+</busconfig>
diff --git a/test/data/valid-config-files/debug-check-some.conf.in b/test/data/valid-config-files/debug-check-some.conf.in
new file mode 100644
-index 00000000..47ee8548
+index 0000000..47ee854
--- /dev/null
+++ b/test/data/valid-config-files/debug-check-some.conf.in
@@ -0,0 +1,18 @@
@@ -2243,19 +2232,3 @@ index 00000000..47ee8548
+ <check privilege="foo" send_interface="org.freedesktop.TestSuite" send_member="Echo"/>
+ </policy>
+</busconfig>
-diff --git a/tools/dbus-send.c b/tools/dbus-send.c
-index 0dc1f5b3..76ddab3f 100644
---- a/tools/dbus-send.c
-+++ b/tools/dbus-send.c
-@@ -458,7 +458,7 @@ main (int argc, char *argv[])
- char *arg;
- char *c;
- int type;
-- int secondary_type;
-+ int secondary_type = 0;
- int container_type;
- DBusMessageIter *target_iter;
- DBusMessageIter container_iter;
---
-2.14.3
-
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch
index b1c3f3fdc..4fd75510e 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch
+++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch
@@ -22,27 +22,16 @@ Change-Id: I57eccbf973525fd51369c7d4e58908292f44da80
Cherry-picked from b1b87ad9f20b2052c28431b48e81073078a745ce
by Jose Bollo.
+Updated for dbus 1.12.10 by Scott Murray.
+
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- bus/activation.c | 78 +++++++++++++++--
- bus/check.c | 109 ++++++++++++++++++++++--
- bus/check.h | 10 +++
- bus/cynara.c | 1 -
- bus/dispatch.c | 184 ++++++++++++++++++++++++++++++++++++----
- bus/dispatch.h | 2 +-
- bus/driver.c | 12 ++-
- dbus/dbus-connection-internal.h | 15 ++++
- dbus/dbus-connection.c | 125 +++++++++++++++++++++++++--
- dbus/dbus-list.c | 29 +++++++
- dbus/dbus-list.h | 3 +
- dbus/dbus-shared.h | 3 +-
- 12 files changed, 528 insertions(+), 43 deletions(-)
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
diff --git a/bus/activation.c b/bus/activation.c
-index 1a98af6d..343d3f22 100644
+index 451179d..5f02153 100644
--- a/bus/activation.c
+++ b/bus/activation.c
-@@ -31,6 +31,7 @@
+@@ -32,6 +32,7 @@
#include "services.h"
#include "test.h"
#include "utils.h"
@@ -50,7 +39,7 @@ index 1a98af6d..343d3f22 100644
#include <dbus/dbus-internals.h>
#include <dbus/dbus-hash.h>
#include <dbus/dbus-list.h>
-@@ -91,6 +92,8 @@ struct BusPendingActivationEntry
+@@ -94,6 +95,8 @@ struct BusPendingActivationEntry
DBusConnection *connection;
dbus_bool_t auto_activation;
@@ -59,7 +48,7 @@ index 1a98af6d..343d3f22 100644
};
typedef struct
-@@ -1180,20 +1183,23 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
+@@ -1241,20 +1244,23 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
BusPendingActivationEntry *entry = link->data;
DBusList *next = _dbus_list_get_next_link (&pending_activation->entries, link);
@@ -88,7 +77,7 @@ index 1a98af6d..343d3f22 100644
{
/* If permission is denied, we just want to return the error
* to the original method invoker; in particular, we don't
-@@ -1205,9 +1211,40 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
+@@ -1266,9 +1272,40 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
bus_connection_send_oom_error (entry->connection,
entry->activation_message);
}
@@ -131,7 +120,7 @@ index 1a98af6d..343d3f22 100644
}
}
-@@ -1225,6 +1262,19 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
+@@ -1286,6 +1323,19 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
return TRUE;
error:
@@ -151,20 +140,22 @@ index 1a98af6d..343d3f22 100644
return FALSE;
}
-@@ -2028,13 +2078,23 @@ bus_activation_activate_service (BusActivation *activation,
+@@ -2078,6 +2128,7 @@ bus_activation_activate_service (BusActivation *activation,
if (service != NULL)
{
+ BusResult res;
bus_context_log (activation->context,
- DBUS_SYSTEM_LOG_INFO, "Activating via systemd: service name='%s' unit='%s'",
+ DBUS_SYSTEM_LOG_INFO, "Activating via systemd: service name='%s' unit='%s' requested by '%s' (%s)",
service_name,
- entry->systemd_service);
+@@ -2085,8 +2136,17 @@ bus_activation_activate_service (BusActivation *activation,
+ bus_connection_get_name (connection),
+ bus_connection_get_loginfo (connection));
/* Wonderful, systemd is connected, let's just send the msg */
-- retval = bus_dispatch_matches (activation_transaction, NULL, bus_service_get_primary_owners_connection (service),
-- message, error);
-+ res = bus_dispatch_matches (activation_transaction, NULL, bus_service_get_primary_owners_connection (service),
-+ message, error);
+- retval = bus_dispatch_matches (activation_transaction, NULL,
+- systemd, message, error);
++ res = bus_dispatch_matches (activation_transaction, NULL,
++ systemd, message, error);
+
+ if (res == BUS_RESULT_TRUE)
+ retval = TRUE;
@@ -178,7 +169,7 @@ index 1a98af6d..343d3f22 100644
else
{
diff --git a/bus/check.c b/bus/check.c
-index 5b72d31c..4b8a6994 100644
+index 5b72d31..4b8a699 100644
--- a/bus/check.c
+++ b/bus/check.c
@@ -55,6 +55,8 @@ typedef struct BusDeferredMessage
@@ -348,7 +339,7 @@ index 5b72d31c..4b8a6994 100644
bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
BusResult result)
diff --git a/bus/check.h b/bus/check.h
-index c3fcaf90..d1775497 100644
+index c3fcaf9..d177549 100644
--- a/bus/check.h
+++ b/bus/check.h
@@ -55,6 +55,7 @@ BusResult bus_check_privilege (BusCheck *check,
@@ -374,7 +365,7 @@ index c3fcaf90..d1775497 100644
+
#endif /* BUS_CHECK_H */
diff --git a/bus/cynara.c b/bus/cynara.c
-index 57a4c45c..77aed623 100644
+index 57a4c45..77aed62 100644
--- a/bus/cynara.c
+++ b/bus/cynara.c
@@ -36,7 +36,6 @@
@@ -386,7 +377,7 @@ index 57a4c45c..77aed623 100644
typedef struct BusCynara
{
diff --git a/bus/dispatch.c b/bus/dispatch.c
-index 05be3bdf..7353501b 100644
+index 7e51bc1..0250b53 100644
--- a/bus/dispatch.c
+++ b/bus/dispatch.c
@@ -35,6 +35,7 @@
@@ -397,7 +388,7 @@ index 05be3bdf..7353501b 100644
#include <dbus/dbus-misc.h>
#include <string.h>
-@@ -121,7 +122,7 @@ send_one_message (DBusConnection *connection,
+@@ -122,7 +123,7 @@ send_one_message (DBusConnection *connection,
return TRUE;
}
@@ -406,8 +397,8 @@ index 05be3bdf..7353501b 100644
bus_dispatch_matches (BusTransaction *transaction,
DBusConnection *sender,
DBusConnection *addressed_recipient,
-@@ -157,13 +158,29 @@ bus_dispatch_matches (BusTransaction *transaction,
- message, error,
+@@ -158,13 +159,29 @@ bus_dispatch_matches (BusTransaction *transaction,
+ message, NULL, error,
&deferred_message);
if (res == BUS_RESULT_FALSE)
- return FALSE;
@@ -441,7 +432,7 @@ index 05be3bdf..7353501b 100644
}
if (dbus_message_contains_unix_fds (message) &&
-@@ -174,14 +191,14 @@ bus_dispatch_matches (BusTransaction *transaction,
+@@ -175,14 +192,14 @@ bus_dispatch_matches (BusTransaction *transaction,
DBUS_ERROR_NOT_SUPPORTED,
"Tried to send message with Unix file descriptors"
"to a client that doesn't support that.");
@@ -459,7 +450,7 @@ index 05be3bdf..7353501b 100644
}
}
-@@ -196,7 +213,7 @@ bus_dispatch_matches (BusTransaction *transaction,
+@@ -197,7 +214,7 @@ bus_dispatch_matches (BusTransaction *transaction,
&recipients))
{
BUS_SET_OOM (error);
@@ -468,7 +459,7 @@ index 05be3bdf..7353501b 100644
}
link = _dbus_list_get_first_link (&recipients);
-@@ -218,10 +235,10 @@ bus_dispatch_matches (BusTransaction *transaction,
+@@ -219,10 +236,10 @@ bus_dispatch_matches (BusTransaction *transaction,
if (dbus_error_is_set (&tmp_error))
{
dbus_move_error (&tmp_error, error);
@@ -481,7 +472,7 @@ index 05be3bdf..7353501b 100644
}
static DBusHandlerResult
-@@ -407,10 +424,12 @@ bus_dispatch (DBusConnection *connection,
+@@ -410,10 +427,12 @@ bus_dispatch (DBusConnection *connection,
}
else if (res == BUS_RESULT_LATER)
{
@@ -498,7 +489,7 @@ index 05be3bdf..7353501b 100644
goto out;
}
-@@ -475,8 +494,14 @@ bus_dispatch (DBusConnection *connection,
+@@ -515,8 +534,14 @@ bus_dispatch (DBusConnection *connection,
* addressed_recipient == NULL), and match it against other connections'
* match rules.
*/
@@ -515,9 +506,9 @@ index 05be3bdf..7353501b 100644
out:
if (dbus_error_is_set (&error))
-@@ -5001,9 +5026,132 @@ bus_dispatch_test_conf_fail (const DBusString *test_data_dir,
- return TRUE;
+@@ -5061,9 +5086,132 @@ bus_dispatch_test_conf_fail (const DBusString *test_data_dir,
}
+ #endif
+typedef struct {
+ DBusTimeout *timeout;
@@ -649,7 +640,7 @@ index 05be3bdf..7353501b 100644
_dbus_verbose ("Normal activation tests\n");
if (!bus_dispatch_test_conf (test_data_dir,
diff --git a/bus/dispatch.h b/bus/dispatch.h
-index fb5ba7a5..afba6a24 100644
+index fb5ba7a..afba6a2 100644
--- a/bus/dispatch.h
+++ b/bus/dispatch.h
@@ -29,7 +29,7 @@
@@ -662,10 +653,10 @@ index fb5ba7a5..afba6a24 100644
DBusConnection *recipient,
DBusMessage *message,
diff --git a/bus/driver.c b/bus/driver.c
-index b7e1a0a0..a5823d4d 100644
+index cd0a714..f414f64 100644
--- a/bus/driver.c
+++ b/bus/driver.c
-@@ -225,6 +225,7 @@ bus_driver_send_service_owner_changed (const char *service_name,
+@@ -218,6 +218,7 @@ bus_driver_send_service_owner_changed (const char *service_name,
{
DBusMessage *message;
dbus_bool_t retval;
@@ -673,8 +664,8 @@ index b7e1a0a0..a5823d4d 100644
const char *null_service;
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -260,7 +261,16 @@ bus_driver_send_service_owner_changed (const char *service_name,
- if (!bus_transaction_capture (transaction, NULL, message))
+@@ -253,7 +254,16 @@ bus_driver_send_service_owner_changed (const char *service_name,
+ if (!bus_transaction_capture (transaction, NULL, NULL, message))
goto oom;
- retval = bus_dispatch_matches (transaction, NULL, NULL, message, error);
@@ -692,7 +683,7 @@ index b7e1a0a0..a5823d4d 100644
return retval;
diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
-index 48357321..94b1c951 100644
+index 4835732..94b1c95 100644
--- a/dbus/dbus-connection-internal.h
+++ b/dbus/dbus-connection-internal.h
@@ -118,6 +118,21 @@ DBUS_PRIVATE_EXPORT
@@ -718,7 +709,7 @@ index 48357321..94b1c951 100644
DBUS_PRIVATE_EXPORT
void _dbus_connection_get_stats (DBusConnection *connection,
diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
-index 7f5b3292..ed0be70d 100644
+index c525b6d..f1b0ea0 100644
--- a/dbus/dbus-connection.c
+++ b/dbus/dbus-connection.c
@@ -311,7 +311,8 @@ struct DBusConnection
@@ -771,7 +762,7 @@ index 7f5b3292..ed0be70d 100644
#ifdef DBUS_ENABLE_EMBEDDED_TESTS
/**
* Gets the locks so we can examine them
-@@ -4070,6 +4104,82 @@ _dbus_connection_putback_message_link_unlocked (DBusConnection *connection,
+@@ -4069,6 +4103,82 @@ _dbus_connection_putback_message_link_unlocked (DBusConnection *connection,
"_dbus_connection_putback_message_link_unlocked");
}
@@ -854,7 +845,7 @@ index 7f5b3292..ed0be70d 100644
/**
* Returns the first-received message from the incoming message queue,
* removing it from the queue. The caller owns a reference to the
-@@ -4253,8 +4363,9 @@ static DBusDispatchStatus
+@@ -4252,8 +4362,9 @@ static DBusDispatchStatus
_dbus_connection_get_dispatch_status_unlocked (DBusConnection *connection)
{
HAVE_LOCK_CHECK (connection);
@@ -866,7 +857,7 @@ index 7f5b3292..ed0be70d 100644
return DBUS_DISPATCH_DATA_REMAINS;
else if (!_dbus_transport_queue_messages (connection->transport))
return DBUS_DISPATCH_NEED_MEMORY;
-@@ -4717,6 +4828,8 @@ dbus_connection_dispatch (DBusConnection *connection)
+@@ -4716,6 +4827,8 @@ dbus_connection_dispatch (DBusConnection *connection)
CONNECTION_LOCK (connection);
@@ -875,7 +866,7 @@ index 7f5b3292..ed0be70d 100644
if (result == DBUS_HANDLER_RESULT_NEED_MEMORY)
{
_dbus_verbose ("No memory\n");
-@@ -4839,9 +4952,11 @@ dbus_connection_dispatch (DBusConnection *connection)
+@@ -4838,9 +4951,11 @@ dbus_connection_dispatch (DBusConnection *connection)
connection);
out:
@@ -890,7 +881,7 @@ index 7f5b3292..ed0be70d 100644
/* Put message back, and we'll start over.
* Yes this means handlers must be idempotent if they
diff --git a/dbus/dbus-list.c b/dbus/dbus-list.c
-index c4c1856f..f84918b1 100644
+index 8e713c0..32ea871 100644
--- a/dbus/dbus-list.c
+++ b/dbus/dbus-list.c
@@ -458,6 +458,35 @@ _dbus_list_remove_last (DBusList **list,
@@ -930,7 +921,7 @@ index c4c1856f..f84918b1 100644
* Finds a value in the list. Returns the last link
* with value equal to the given data pointer.
diff --git a/dbus/dbus-list.h b/dbus/dbus-list.h
-index 9350a0da..fee9f1bc 100644
+index 9350a0d..fee9f1b 100644
--- a/dbus/dbus-list.h
+++ b/dbus/dbus-list.h
@@ -68,6 +68,9 @@ DBUS_PRIVATE_EXPORT
@@ -944,7 +935,7 @@ index 9350a0da..fee9f1bc 100644
void *data);
DBUS_PRIVATE_EXPORT
diff --git a/dbus/dbus-shared.h b/dbus/dbus-shared.h
-index 7ab91035..e5bfbed6 100644
+index 7ab9103..e5bfbed 100644
--- a/dbus/dbus-shared.h
+++ b/dbus/dbus-shared.h
@@ -67,7 +67,8 @@ typedef enum
@@ -957,6 +948,3 @@ index 7ab91035..e5bfbed6 100644
} DBusHandlerResult;
/* Bus names */
---
-2.14.3
-
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch
index b797064ec..7f17bd00a 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch
+++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch
@@ -23,26 +23,16 @@ Change-Id: Iecd5395f75a4c7811fa97247a37d8fc4d42e8814
Cherry picked from 1e231194610892dd4360224998d91336097b05a1 by Jose Bollo
+Updated for dbus 1.12.10 by Scott Murray.
+
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- bus/activation.c | 4 +-
- bus/bus.c | 50 +++++++--
- bus/bus.h | 19 ++++
- bus/check.c | 307 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- bus/check.h | 25 +++++
- bus/connection.c | 169 ++++++++++++++++++++++++++++--
- bus/connection.h | 19 +++-
- bus/dispatch.c | 121 ++++++++++++++++++----
- bus/dispatch.h | 11 +-
- bus/driver.c | 2 +-
- bus/policy.c | 6 ++
- 11 files changed, 686 insertions(+), 47 deletions(-)
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
diff --git a/bus/activation.c b/bus/activation.c
-index 343d3f22..11bd8386 100644
+index 5f02153..f2981e1 100644
--- a/bus/activation.c
+++ b/bus/activation.c
-@@ -1198,7 +1198,7 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
+@@ -1259,7 +1259,7 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
res = bus_dispatch_matches (transaction,
entry->connection,
addressed_recipient,
@@ -51,20 +41,20 @@ index 343d3f22..11bd8386 100644
if (res == BUS_RESULT_FALSE)
{
/* If permission is denied, we just want to return the error
-@@ -2085,7 +2085,7 @@ bus_activation_activate_service (BusActivation *activation,
- entry->systemd_service);
+@@ -2137,7 +2137,7 @@ bus_activation_activate_service (BusActivation *activation,
+ bus_connection_get_loginfo (connection));
/* Wonderful, systemd is connected, let's just send the msg */
- res = bus_dispatch_matches (activation_transaction, NULL, bus_service_get_primary_owners_connection (service),
-- message, error);
-+ message, NULL, error);
+ res = bus_dispatch_matches (activation_transaction, NULL,
+- systemd, message, error);
++ systemd, message, NULL, error);
if (res == BUS_RESULT_TRUE)
retval = TRUE;
diff --git a/bus/bus.c b/bus/bus.c
-index c4008505..911e2340 100644
+index 237efe3..5bb5637 100644
--- a/bus/bus.c
+++ b/bus/bus.c
-@@ -1796,17 +1796,9 @@ bus_context_check_security_policy (BusContext *context,
+@@ -1800,17 +1800,9 @@ bus_context_check_security_policy (BusContext *context,
}
/* See if limits on size have been exceeded */
@@ -84,7 +74,7 @@ index c4008505..911e2340 100644
/* Record that we will allow a reply here in the future (don't
* bother if the recipient is the bus or this is an eavesdropping
-@@ -1861,3 +1853,41 @@ bus_context_check_all_watches (BusContext *context)
+@@ -1869,3 +1861,41 @@ bus_context_check_all_watches (BusContext *context)
_dbus_server_toggle_all_watches (server, enabled);
}
}
@@ -127,10 +117,10 @@ index c4008505..911e2340 100644
+ return TRUE;
+}
diff --git a/bus/bus.h b/bus/bus.h
-index dab7791f..445165c9 100644
+index 82c32c8..1b08f7c 100644
--- a/bus/bus.h
+++ b/bus/bus.h
-@@ -158,4 +158,23 @@ BusResult bus_context_check_security_policy (BusContext
+@@ -164,4 +164,23 @@ BusResult bus_context_check_security_policy (BusContext
BusDeferredMessage **deferred_message);
void bus_context_check_all_watches (BusContext *context);
@@ -155,7 +145,7 @@ index dab7791f..445165c9 100644
+
#endif /* BUS_BUS_H */
diff --git a/bus/check.c b/bus/check.c
-index 4b8a6994..b8833349 100644
+index 4b8a699..f3d283f 100644
--- a/bus/check.c
+++ b/bus/check.c
@@ -49,6 +49,9 @@ typedef struct BusDeferredMessage
@@ -370,7 +360,7 @@ index 4b8a6994..b8833349 100644
+ deferred_message->sender,
+ deferred_message->addressed_recipient,
+ deferred_message->proposed_recipient,
-+ deferred_message->message, NULL,
++ deferred_message->message, NULL, NULL,
+ &deferred_message2);
+
+ if (result == BUS_RESULT_LATER)
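Review bot: The re-check call in bus/check.c now ends with two adjacent bare `NULL`s after `deferred_message->message`, and nothing at the call site says which parameter each one fills. Judging from the other updated call sites on this page (`message, NULL, &error,`), the first is the slot added in the 1.12 signature (the activation-entry argument, as far as I can tell) and the second is the `DBusError *`. If so, this policy check runs with no error out-parameter and a denial reason is not reported. If that is intended, a comment on the line would keep the next rebase from misaligning the arguments, e.g. `deferred_message->message, NULL /* activation entry */, NULL /* error deliberately not collected */,`. The enclosing function starts and ends outside the hunk.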
@@ -511,7 +501,7 @@ index 4b8a6994..b8833349 100644
}
+
diff --git a/bus/check.h b/bus/check.h
-index d1775497..9c13c184 100644
+index d177549..9c13c18 100644
--- a/bus/check.h
+++ b/bus/check.h
@@ -64,12 +64,37 @@ BusDeferredMessage *bus_deferred_message_new (DBusMessage *messag
@@ -553,7 +543,7 @@ index d1775497..9c13c184 100644
extern BusResult (*bus_check_test_override) (DBusConnection *connection,
const char *privilege);
diff --git a/bus/connection.c b/bus/connection.c
-index eea50ecd..1c0bdffb 100644
+index deebde3..f9e563b 100644
--- a/bus/connection.c
+++ b/bus/connection.c
@@ -31,11 +31,13 @@
@@ -587,7 +577,7 @@ index eea50ecd..1c0bdffb 100644
bus_dispatch_remove_connection (connection);
/* no more watching */
-@@ -2264,7 +2269,7 @@ bus_transaction_capture (BusTransaction *transaction,
+@@ -2307,7 +2312,7 @@ bus_transaction_capture (BusTransaction *transaction,
{
DBusConnection *recipient = link->data;
@@ -596,7 +586,7 @@ index eea50ecd..1c0bdffb 100644
goto out;
}
-@@ -2317,6 +2322,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+@@ -2361,6 +2366,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
{
DBusError error = DBUS_ERROR_INIT;
BusResult res;
@@ -604,17 +594,17 @@ index eea50ecd..1c0bdffb 100644
/* We have to set the sender to the driver, and have
* to check security policy since it was not done in
-@@ -2357,7 +2363,8 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
- res = bus_context_check_security_policy (bus_transaction_get_context (transaction),
+@@ -2402,7 +2408,8 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
transaction,
- NULL, connection, connection, message, &error,
+ NULL, connection, connection,
+ message, NULL, &error,
- NULL);
+ &deferred_message);
+
if (res == BUS_RESULT_FALSE)
{
- if (!bus_transaction_capture_error_reply (transaction, &error, message))
-@@ -2374,18 +2381,20 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+ if (!bus_transaction_capture_error_reply (transaction, connection,
+@@ -2420,18 +2427,20 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
}
else if (res == BUS_RESULT_LATER)
{
@@ -639,7 +629,7 @@ index eea50ecd..1c0bdffb 100644
{
MessageToSend *to_send;
BusConnectionData *d;
-@@ -2411,7 +2420,28 @@ bus_transaction_send (BusTransaction *transaction,
+@@ -2457,7 +2466,28 @@ bus_transaction_send (BusTransaction *transaction,
d = BUS_CONNECTION_DATA (connection);
_dbus_assert (d != NULL);
@@ -669,7 +659,7 @@ index eea50ecd..1c0bdffb 100644
to_send = dbus_new (MessageToSend, 1);
if (to_send == NULL)
{
-@@ -2663,6 +2693,131 @@ bus_transaction_add_cancel_hook (BusTransaction *transaction,
+@@ -2709,6 +2739,131 @@ bus_transaction_add_cancel_hook (BusTransaction *transaction,
return TRUE;
}
@@ -802,10 +792,10 @@ index eea50ecd..1c0bdffb 100644
bus_connections_get_n_active (BusConnections *connections)
{
diff --git a/bus/connection.h b/bus/connection.h
-index a6e5dfde..46e883e6 100644
+index 71078ea..97dae96 100644
--- a/bus/connection.h
+++ b/bus/connection.h
-@@ -83,6 +83,22 @@ dbus_bool_t bus_connection_preallocate_oom_error (DBusConnection *connection);
+@@ -85,6 +85,22 @@ dbus_bool_t bus_connection_preallocate_oom_error (DBusConnection *connection);
void bus_connection_send_oom_error (DBusConnection *connection,
DBusMessage *in_reply_to);
@@ -828,7 +818,7 @@ index a6e5dfde..46e883e6 100644
/* called by signals.c */
dbus_bool_t bus_connection_add_match_rule (DBusConnection *connection,
BusMatchRule *rule);
-@@ -135,7 +151,8 @@ BusTransaction* bus_transaction_new (BusContext *
+@@ -137,7 +153,8 @@ BusTransaction* bus_transaction_new (BusContext *
BusContext* bus_transaction_get_context (BusTransaction *transaction);
dbus_bool_t bus_transaction_send (BusTransaction *transaction,
DBusConnection *connection,
@@ -837,9 +827,9 @@ index a6e5dfde..46e883e6 100644
+ dbus_bool_t deferred_dispatch);
dbus_bool_t bus_transaction_capture (BusTransaction *transaction,
DBusConnection *connection,
- DBusMessage *message);
+ DBusConnection *addressed_recipient,
diff --git a/bus/dispatch.c b/bus/dispatch.c
-index 7353501b..e32c9263 100644
+index 0250b53..1bdcbf0 100644
--- a/bus/dispatch.c
+++ b/bus/dispatch.c
@@ -33,6 +33,7 @@
@@ -850,16 +840,16 @@ index 7353501b..e32c9263 100644
#include "test.h"
#include <dbus/dbus-internals.h>
#include <dbus/dbus-connection-internal.h>
-@@ -76,7 +77,7 @@ send_one_message (DBusConnection *connection,
- message,
+@@ -77,7 +78,7 @@ send_one_message (DBusConnection *connection,
+ NULL,
&stack_error,
&deferred_message);
- if (result != BUS_RESULT_TRUE)
+ if (result == BUS_RESULT_FALSE)
{
- if (!bus_transaction_capture_error_reply (transaction, &stack_error,
- message))
-@@ -111,9 +112,19 @@ send_one_message (DBusConnection *connection,
+ if (!bus_transaction_capture_error_reply (transaction, sender,
+ &stack_error, message))
+@@ -112,9 +113,19 @@ send_one_message (DBusConnection *connection,
return TRUE; /* don't send it but don't return an error either */
}
@@ -880,7 +870,7 @@ index 7353501b..e32c9263 100644
{
BUS_SET_OOM (error);
return FALSE;
-@@ -123,11 +134,12 @@ send_one_message (DBusConnection *connection,
+@@ -124,11 +135,12 @@ send_one_message (DBusConnection *connection,
}
BusResult
@@ -898,7 +888,7 @@ index 7353501b..e32c9263 100644
{
DBusError tmp_error;
BusConnections *connections;
-@@ -151,17 +163,78 @@ bus_dispatch_matches (BusTransaction *transaction,
+@@ -152,17 +164,78 @@ bus_dispatch_matches (BusTransaction *transaction,
/* First, send the message to the addressed_recipient, if there is one. */
if (addressed_recipient != NULL)
{
@@ -906,7 +896,7 @@ index 7353501b..e32c9263 100644
- res = bus_context_check_security_policy (context, transaction,
- sender, addressed_recipient,
- addressed_recipient,
-- message, error,
+- message, NULL, error,
- &deferred_message);
- if (res == BUS_RESULT_FALSE)
+ BusResult result;
@@ -961,7 +951,7 @@ index 7353501b..e32c9263 100644
+
+ if (result == BUS_RESULT_LATER)
+ result = bus_context_check_security_policy(context, transaction,
-+ sender, addressed_recipient, addressed_recipient, message, error,
++ sender, addressed_recipient, addressed_recipient, message, NULL, error,
+ &deferred_message);
+
+ if (result == BUS_RESULT_FALSE)
@@ -985,7 +975,7 @@ index 7353501b..e32c9263 100644
status = bus_deferred_message_get_status(deferred_message);
if (status & BUS_DEFERRED_MESSAGE_CHECK_SEND)
-@@ -172,13 +245,18 @@ bus_dispatch_matches (BusTransaction *transaction,
+@@ -173,13 +246,18 @@ bus_dispatch_matches (BusTransaction *transaction,
}
else if (status & BUS_DEFERRED_MESSAGE_CHECK_RECEIVE)
{
@@ -1008,7 +998,7 @@ index 7353501b..e32c9263 100644
return BUS_RESULT_FALSE;
}
}
-@@ -195,7 +273,8 @@ bus_dispatch_matches (BusTransaction *transaction,
+@@ -196,7 +274,8 @@ bus_dispatch_matches (BusTransaction *transaction,
}
/* Dispatch the message */
@@ -1018,7 +1008,7 @@ index 7353501b..e32c9263 100644
{
BUS_SET_OOM (error);
return BUS_RESULT_FALSE;
-@@ -495,7 +574,7 @@ bus_dispatch (DBusConnection *connection,
+@@ -535,7 +614,7 @@ bus_dispatch (DBusConnection *connection,
* match rules.
*/
if (BUS_RESULT_LATER == bus_dispatch_matches (transaction, connection, addressed_recipient,
@@ -1028,7 +1018,7 @@ index 7353501b..e32c9263 100644
/* Roll back and dispatch the message once the policy result is available */
bus_transaction_cancel_and_free (transaction);
diff --git a/bus/dispatch.h b/bus/dispatch.h
-index afba6a24..f6102e80 100644
+index afba6a2..f6102e8 100644
--- a/bus/dispatch.h
+++ b/bus/dispatch.h
@@ -29,10 +29,11 @@
@@ -1049,11 +1039,11 @@ index afba6a24..f6102e80 100644
#endif /* BUS_DISPATCH_H */
diff --git a/bus/driver.c b/bus/driver.c
-index a5823d4d..5acdd62a 100644
+index f414f64..d89a658 100644
--- a/bus/driver.c
+++ b/bus/driver.c
-@@ -261,7 +261,7 @@ bus_driver_send_service_owner_changed (const char *service_name,
- if (!bus_transaction_capture (transaction, NULL, message))
+@@ -254,7 +254,7 @@ bus_driver_send_service_owner_changed (const char *service_name,
+ if (!bus_transaction_capture (transaction, NULL, NULL, message))
goto oom;
- res = bus_dispatch_matches (transaction, NULL, NULL, message, error);
@@ -1062,10 +1052,10 @@ index a5823d4d..5acdd62a 100644
retval = TRUE;
else
diff --git a/bus/policy.c b/bus/policy.c
-index bcade176..47bd1a24 100644
+index 7ee1ce5..b1fab0d 100644
--- a/bus/policy.c
+++ b/bus/policy.c
-@@ -1071,6 +1071,9 @@ bus_client_policy_check_can_send (DBusConnection *sender,
+@@ -1121,6 +1121,9 @@ bus_client_policy_check_can_send (DBusConnection *sender,
result = bus_check_privilege(check, message, sender, addressed_recipient, receiver,
privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message);
@@ -1075,7 +1065,7 @@ index bcade176..47bd1a24 100644
}
else
privilege = NULL;
-@@ -1305,6 +1308,9 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1370,6 +1373,9 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient,
privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message);
@@ -1085,6 +1075,3 @@ index bcade176..47bd1a24 100644
}
else
privilege = NULL;
---
-2.14.3
-
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch
index 1086f5b12..bde785241 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch
+++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch
@@ -19,24 +19,16 @@ Change-Id: I4c2cbd4585e41fccd8a30f825a8f0d342ab56755
Cherry-picked from 35ef89cd6777ea2430077fc621d21bd01df92349 by Jose.bollo
+Updated for dbus 1.12.10 by Scott Murray.
+
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- bus/dispatch.c | 11 ++-
- bus/driver.c | 259 ++++++++++++++++++++++++++++++---------------------------
- bus/driver.h | 2 +-
- bus/policy.c | 51 +++++++++---
- bus/policy.h | 6 +-
- bus/services.c | 26 ++++--
- bus/services.h | 3 +-
- bus/stats.c | 28 +++----
- bus/stats.h | 6 +-
- 9 files changed, 229 insertions(+), 163 deletions(-)
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
diff --git a/bus/dispatch.c b/bus/dispatch.c
-index e32c9263..4d57c556 100644
+index 1bdcbf0..625add5 100644
--- a/bus/dispatch.c
+++ b/bus/dispatch.c
-@@ -513,8 +513,17 @@ bus_dispatch (DBusConnection *connection,
+@@ -516,8 +516,17 @@ bus_dispatch (DBusConnection *connection,
}
_dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS);
@@ -56,10 +48,10 @@ index e32c9263..4d57c556 100644
else if (!bus_connection_is_active (connection)) /* clients must talk to bus driver first */
{
diff --git a/bus/driver.c b/bus/driver.c
-index 5acdd62a..bc4ce0b5 100644
+index d89a658..5ee60cb 100644
--- a/bus/driver.c
+++ b/bus/driver.c
-@@ -427,7 +427,7 @@ create_unique_client_name (BusRegistry *registry,
+@@ -420,7 +420,7 @@ create_unique_client_name (BusRegistry *registry,
return TRUE;
}
@@ -68,7 +60,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_hello (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -435,7 +435,7 @@ bus_driver_handle_hello (DBusConnection *connection,
+@@ -428,7 +428,7 @@ bus_driver_handle_hello (DBusConnection *connection,
{
DBusString unique_name;
BusService *service;
@@ -76,8 +68,8 @@ index 5acdd62a..bc4ce0b5 100644
+ BusResult retval;
BusRegistry *registry;
BusConnections *connections;
-
-@@ -446,7 +446,7 @@ bus_driver_handle_hello (DBusConnection *connection,
+ DBusError tmp_error;
+@@ -442,7 +442,7 @@ bus_driver_handle_hello (DBusConnection *connection,
/* We already handled an Hello message for this connection. */
dbus_set_error (error, DBUS_ERROR_FAILED,
"Already handled an Hello message");
@@ -86,10 +78,10 @@ index 5acdd62a..bc4ce0b5 100644
}
/* Note that when these limits are exceeded we don't disconnect the
-@@ -460,16 +460,16 @@ bus_driver_handle_hello (DBusConnection *connection,
- error))
- {
- _DBUS_ASSERT_ERROR_IS_SET (error);
+@@ -464,16 +464,16 @@ bus_driver_handle_hello (DBusConnection *connection,
+ bus_context_log (context, DBUS_SYSTEM_LOG_WARNING, "%s (%s=%d)",
+ tmp_error.message, limit_name, limit);
+ dbus_move_error (&tmp_error, error);
- return FALSE;
+ return BUS_RESULT_FALSE;
}
@@ -106,7 +98,7 @@ index 5acdd62a..bc4ce0b5 100644
registry = bus_connection_get_registry (connection);
-@@ -502,7 +502,7 @@ bus_driver_handle_hello (DBusConnection *connection,
+@@ -506,7 +506,7 @@ bus_driver_handle_hello (DBusConnection *connection,
goto out_0;
_dbus_assert (bus_connection_is_active (connection));
@@ -115,7 +107,7 @@ index 5acdd62a..bc4ce0b5 100644
out_0:
_dbus_string_free (&unique_name);
-@@ -554,7 +554,7 @@ bus_driver_send_welcome_message (DBusConnection *connection,
+@@ -558,7 +558,7 @@ bus_driver_send_welcome_message (DBusConnection *connection,
}
}
@@ -124,7 +116,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_list_services (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -576,14 +576,14 @@ bus_driver_handle_list_services (DBusConnection *connection,
+@@ -580,14 +580,14 @@ bus_driver_handle_list_services (DBusConnection *connection,
if (reply == NULL)
{
BUS_SET_OOM (error);
@@ -141,7 +133,7 @@ index 5acdd62a..bc4ce0b5 100644
}
dbus_message_iter_init_append (reply, &iter);
-@@ -595,7 +595,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
+@@ -599,7 +599,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
dbus_free_string_array (services);
dbus_message_unref (reply);
BUS_SET_OOM (error);
@@ -150,7 +142,7 @@ index 5acdd62a..bc4ce0b5 100644
}
{
-@@ -607,7 +607,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
+@@ -611,7 +611,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
dbus_free_string_array (services);
dbus_message_unref (reply);
BUS_SET_OOM (error);
@@ -159,7 +151,7 @@ index 5acdd62a..bc4ce0b5 100644
}
}
-@@ -620,7 +620,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
+@@ -624,7 +624,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
dbus_free_string_array (services);
dbus_message_unref (reply);
BUS_SET_OOM (error);
@@ -168,7 +160,7 @@ index 5acdd62a..bc4ce0b5 100644
}
++i;
}
-@@ -631,23 +631,23 @@ bus_driver_handle_list_services (DBusConnection *connection,
+@@ -635,23 +635,23 @@ bus_driver_handle_list_services (DBusConnection *connection,
{
dbus_message_unref (reply);
BUS_SET_OOM (error);
@@ -196,7 +188,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_list_activatable_services (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -669,14 +669,14 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
+@@ -673,14 +673,14 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
if (reply == NULL)
{
BUS_SET_OOM (error);
@@ -213,7 +205,7 @@ index 5acdd62a..bc4ce0b5 100644
}
dbus_message_iter_init_append (reply, &iter);
-@@ -688,7 +688,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
+@@ -692,7 +692,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
dbus_free_string_array (services);
dbus_message_unref (reply);
BUS_SET_OOM (error);
@@ -222,7 +214,7 @@ index 5acdd62a..bc4ce0b5 100644
}
{
-@@ -700,7 +700,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
+@@ -704,7 +704,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
dbus_free_string_array (services);
dbus_message_unref (reply);
BUS_SET_OOM (error);
@@ -231,7 +223,7 @@ index 5acdd62a..bc4ce0b5 100644
}
}
-@@ -713,7 +713,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
+@@ -717,7 +717,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
dbus_free_string_array (services);
dbus_message_unref (reply);
BUS_SET_OOM (error);
@@ -240,7 +232,7 @@ index 5acdd62a..bc4ce0b5 100644
}
++i;
}
-@@ -724,23 +724,23 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
+@@ -728,23 +728,23 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
{
dbus_message_unref (reply);
BUS_SET_OOM (error);
@@ -268,7 +260,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_acquire_service (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -751,7 +751,8 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
+@@ -755,7 +755,8 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
const char *name;
dbus_uint32_t service_reply;
dbus_uint32_t flags;
@@ -278,7 +270,7 @@ index 5acdd62a..bc4ce0b5 100644
BusRegistry *registry;
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -762,20 +763,24 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
+@@ -766,20 +767,24 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
DBUS_TYPE_STRING, &name,
DBUS_TYPE_UINT32, &flags,
DBUS_TYPE_INVALID))
@@ -310,7 +302,7 @@ index 5acdd62a..bc4ce0b5 100644
reply = dbus_message_new_method_return (message);
if (reply == NULL)
-@@ -796,7 +801,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
+@@ -800,7 +805,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
goto out;
}
@@ -319,7 +311,7 @@ index 5acdd62a..bc4ce0b5 100644
out:
if (reply)
-@@ -804,7 +809,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
+@@ -808,7 +813,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
return retval;
}
@@ -328,7 +320,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_release_service (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -814,7 +819,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
+@@ -818,7 +823,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
DBusString service_name;
const char *name;
dbus_uint32_t service_reply;
@@ -337,7 +329,7 @@ index 5acdd62a..bc4ce0b5 100644
BusRegistry *registry;
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -824,11 +829,11 @@ bus_driver_handle_release_service (DBusConnection *connection,
+@@ -828,11 +833,11 @@ bus_driver_handle_release_service (DBusConnection *connection,
if (!dbus_message_get_args (message, error,
DBUS_TYPE_STRING, &name,
DBUS_TYPE_INVALID))
@@ -351,7 +343,7 @@ index 5acdd62a..bc4ce0b5 100644
reply = NULL;
_dbus_string_init_const (&service_name, name);
-@@ -857,7 +862,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
+@@ -861,7 +866,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
goto out;
}
@@ -360,7 +352,7 @@ index 5acdd62a..bc4ce0b5 100644
out:
if (reply)
-@@ -865,7 +870,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
+@@ -869,7 +874,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
return retval;
}
@@ -369,7 +361,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_service_exists (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -876,7 +881,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
+@@ -880,7 +885,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
BusService *service;
dbus_bool_t service_exists;
const char *name;
@@ -378,7 +370,7 @@ index 5acdd62a..bc4ce0b5 100644
BusRegistry *registry;
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -886,9 +891,9 @@ bus_driver_handle_service_exists (DBusConnection *connection,
+@@ -890,9 +895,9 @@ bus_driver_handle_service_exists (DBusConnection *connection,
if (!dbus_message_get_args (message, error,
DBUS_TYPE_STRING, &name,
DBUS_TYPE_INVALID))
@@ -390,7 +382,7 @@ index 5acdd62a..bc4ce0b5 100644
if (strcmp (name, DBUS_SERVICE_DBUS) == 0)
{
-@@ -922,7 +927,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
+@@ -926,7 +931,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
goto out;
}
@@ -399,7 +391,7 @@ index 5acdd62a..bc4ce0b5 100644
out:
if (reply)
-@@ -931,7 +936,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
+@@ -935,7 +940,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
return retval;
}
@@ -408,7 +400,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_activate_service (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -939,7 +944,7 @@ bus_driver_handle_activate_service (DBusConnection *connection,
+@@ -943,7 +948,7 @@ bus_driver_handle_activate_service (DBusConnection *connection,
{
dbus_uint32_t flags;
const char *name;
@@ -417,7 +409,7 @@ index 5acdd62a..bc4ce0b5 100644
BusActivation *activation;
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -953,10 +958,10 @@ bus_driver_handle_activate_service (DBusConnection *connection,
+@@ -957,10 +962,10 @@ bus_driver_handle_activate_service (DBusConnection *connection,
{
_DBUS_ASSERT_ERROR_IS_SET (error);
_dbus_verbose ("No memory to get arguments to StartServiceByName\n");
@@ -430,7 +422,7 @@ index 5acdd62a..bc4ce0b5 100644
if (!bus_activation_activate_service (activation, connection, transaction, FALSE,
message, name, error))
-@@ -966,7 +971,7 @@ bus_driver_handle_activate_service (DBusConnection *connection,
+@@ -970,7 +975,7 @@ bus_driver_handle_activate_service (DBusConnection *connection,
goto out;
}
@@ -439,7 +431,7 @@ index 5acdd62a..bc4ce0b5 100644
out:
return retval;
-@@ -1068,13 +1073,13 @@ bus_driver_send_or_activate (BusTransaction *transaction,
+@@ -1072,13 +1077,13 @@ bus_driver_send_or_activate (BusTransaction *transaction,
return TRUE;
}
@@ -455,25 +447,7 @@ index 5acdd62a..bc4ce0b5 100644
BusActivation *activation;
BusContext *context;
DBusMessageIter iter;
-@@ -1090,7 +1095,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
- _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-
- if (!bus_driver_check_message_is_for_us (message, error))
-- return FALSE;
-+ return BUS_RESULT_FALSE;
-
- #ifdef DBUS_UNIX
- {
@@ -1100,7 +1105,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
- */
- if (!bus_driver_check_caller_is_privileged (connection, transaction,
- message, error))
-- return FALSE;
-+ return BUS_RESULT_FALSE;
- }
- #endif
-
-@@ -1111,7 +1116,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
"Cannot change activation environment "
"on a system bus.");
@@ -482,7 +456,7 @@ index 5acdd62a..bc4ce0b5 100644
}
activation = bus_connection_get_activation (connection);
-@@ -1125,7 +1130,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
+@@ -1114,7 +1119,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
dbus_message_iter_recurse (&iter, &dict_iter);
@@ -491,8 +465,8 @@ index 5acdd62a..bc4ce0b5 100644
systemd_message = NULL;
/* Then loop through the sent dictionary, add the location of
-@@ -1291,7 +1296,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
- message, error))
+@@ -1279,7 +1284,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
+ if (!bus_driver_send_ack_reply (connection, transaction, message, error))
goto out;
- retval = TRUE;
@@ -500,7 +474,7 @@ index 5acdd62a..bc4ce0b5 100644
out:
if (systemd_message != NULL)
-@@ -1301,7 +1306,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
+@@ -1289,7 +1294,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
return retval;
}
@@ -509,7 +483,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_add_match (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -1367,16 +1372,16 @@ bus_driver_handle_add_match (DBusConnection *connection,
+@@ -1371,16 +1376,16 @@ bus_driver_handle_add_match (DBusConnection *connection,
bus_match_rule_unref (rule);
@@ -529,7 +503,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_remove_match (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -1420,16 +1425,16 @@ bus_driver_handle_remove_match (DBusConnection *connection,
+@@ -1423,16 +1428,16 @@ bus_driver_handle_remove_match (DBusConnection *connection,
bus_match_rule_unref (rule);
@@ -549,7 +523,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_get_service_owner (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -1499,7 +1504,7 @@ bus_driver_handle_get_service_owner (DBusConnection *connection,
+@@ -1502,7 +1507,7 @@ bus_driver_handle_get_service_owner (DBusConnection *connection,
dbus_message_unref (reply);
@@ -558,7 +532,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
BUS_SET_OOM (error);
-@@ -1508,10 +1513,10 @@ bus_driver_handle_get_service_owner (DBusConnection *connection,
+@@ -1511,10 +1516,10 @@ bus_driver_handle_get_service_owner (DBusConnection *connection,
_DBUS_ASSERT_ERROR_IS_SET (error);
if (reply)
dbus_message_unref (reply);
@@ -571,7 +545,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_list_queued_owners (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -1602,7 +1607,7 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection,
+@@ -1606,7 +1611,7 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection,
dbus_message_unref (reply);
@@ -580,7 +554,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
BUS_SET_OOM (error);
-@@ -1615,10 +1620,10 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection,
+@@ -1619,10 +1624,10 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection,
if (base_names)
_dbus_list_clear (&base_names);
@@ -593,7 +567,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_get_connection_unix_user (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -1673,7 +1678,7 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection,
+@@ -1679,7 +1684,7 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection,
dbus_message_unref (reply);
@@ -602,7 +576,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
BUS_SET_OOM (error);
-@@ -1682,10 +1687,10 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection,
+@@ -1688,10 +1693,10 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection,
_DBUS_ASSERT_ERROR_IS_SET (error);
if (reply)
dbus_message_unref (reply);
@@ -615,7 +589,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -1740,7 +1745,7 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection,
+@@ -1748,7 +1753,7 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection,
dbus_message_unref (reply);
@@ -624,7 +598,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
BUS_SET_OOM (error);
-@@ -1749,10 +1754,10 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection,
+@@ -1757,10 +1762,10 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection,
_DBUS_ASSERT_ERROR_IS_SET (error);
if (reply)
dbus_message_unref (reply);
@@ -637,7 +611,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -1803,7 +1808,7 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection,
+@@ -1811,7 +1816,7 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection,
dbus_message_unref (reply);
@@ -646,7 +620,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
BUS_SET_OOM (error);
-@@ -1812,10 +1817,10 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection,
+@@ -1820,10 +1825,10 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection,
_DBUS_ASSERT_ERROR_IS_SET (error);
if (reply)
dbus_message_unref (reply);
@@ -659,7 +633,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_get_connection_selinux_security_context (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -1863,7 +1868,7 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne
+@@ -1872,7 +1877,7 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne
dbus_message_unref (reply);
@@ -668,7 +642,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
BUS_SET_OOM (error);
-@@ -1872,10 +1877,10 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne
+@@ -1881,10 +1886,10 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne
_DBUS_ASSERT_ERROR_IS_SET (error);
if (reply)
dbus_message_unref (reply);
@@ -681,7 +655,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_get_connection_credentials (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -1987,7 +1992,7 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
+@@ -1998,7 +2003,7 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
dbus_message_unref (reply);
@@ -690,7 +664,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
BUS_SET_OOM (error);
-@@ -2001,10 +2006,10 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
+@@ -2012,10 +2017,10 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
dbus_message_unref (reply);
}
@@ -703,7 +677,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_reload_config (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -2029,7 +2034,7 @@ bus_driver_handle_reload_config (DBusConnection *connection,
+@@ -2040,7 +2045,7 @@ bus_driver_handle_reload_config (DBusConnection *connection,
goto oom;
dbus_message_unref (reply);
@@ -712,7 +686,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
BUS_SET_OOM (error);
-@@ -2038,11 +2043,11 @@ bus_driver_handle_reload_config (DBusConnection *connection,
+@@ -2049,11 +2054,11 @@ bus_driver_handle_reload_config (DBusConnection *connection,
_DBUS_ASSERT_ERROR_IS_SET (error);
if (reply)
dbus_message_unref (reply);
@@ -726,7 +700,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_enable_verbose (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -2062,7 +2067,7 @@ bus_driver_handle_enable_verbose (DBusConnection *connection,
+@@ -2073,7 +2078,7 @@ bus_driver_handle_enable_verbose (DBusConnection *connection,
_dbus_set_verbose(TRUE);
dbus_message_unref (reply);
@@ -735,7 +709,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -2071,10 +2076,10 @@ bus_driver_handle_enable_verbose (DBusConnection *connection,
+@@ -2082,10 +2087,10 @@ bus_driver_handle_enable_verbose (DBusConnection *connection,
if (reply)
dbus_message_unref (reply);
@@ -748,7 +722,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_disable_verbose (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -2094,7 +2099,7 @@ bus_driver_handle_disable_verbose (DBusConnection *connection,
+@@ -2105,7 +2110,7 @@ bus_driver_handle_disable_verbose (DBusConnection *connection,
_dbus_set_verbose(FALSE);
dbus_message_unref (reply);
@@ -757,7 +731,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -2103,11 +2108,11 @@ bus_driver_handle_disable_verbose (DBusConnection *connection,
+@@ -2114,11 +2119,11 @@ bus_driver_handle_disable_verbose (DBusConnection *connection,
if (reply)
dbus_message_unref (reply);
@@ -771,7 +745,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_get_id (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -2123,7 +2128,7 @@ bus_driver_handle_get_id (DBusConnection *connection,
+@@ -2134,7 +2139,7 @@ bus_driver_handle_get_id (DBusConnection *connection,
if (!_dbus_string_init (&uuid))
{
BUS_SET_OOM (error);
@@ -780,7 +754,7 @@ index 5acdd62a..bc4ce0b5 100644
}
reply = NULL;
-@@ -2149,7 +2154,7 @@ bus_driver_handle_get_id (DBusConnection *connection,
+@@ -2160,7 +2165,7 @@ bus_driver_handle_get_id (DBusConnection *connection,
_dbus_string_free (&uuid);
dbus_message_unref (reply);
@@ -789,7 +763,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -2159,10 +2164,10 @@ bus_driver_handle_get_id (DBusConnection *connection,
+@@ -2170,10 +2175,10 @@ bus_driver_handle_get_id (DBusConnection *connection,
if (reply)
dbus_message_unref (reply);
_dbus_string_free (&uuid);
@@ -802,7 +776,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_become_monitor (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -2178,7 +2183,7 @@ bus_driver_handle_become_monitor (DBusConnection *connection,
+@@ -2189,7 +2194,7 @@ bus_driver_handle_become_monitor (DBusConnection *connection,
int i;
int n_match_rules;
dbus_uint32_t flags;
@@ -811,7 +785,7 @@ index 5acdd62a..bc4ce0b5 100644
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -2258,10 +2263,10 @@ bus_driver_handle_become_monitor (DBusConnection *connection,
+@@ -2262,10 +2267,10 @@ bus_driver_handle_become_monitor (DBusConnection *connection,
if (!bus_connection_be_monitor (connection, transaction, &rules, error))
goto out;
@@ -824,7 +798,7 @@ index 5acdd62a..bc4ce0b5 100644
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
else
_DBUS_ASSERT_ERROR_IS_SET (error);
-@@ -2282,10 +2287,10 @@ typedef struct
+@@ -2389,10 +2394,10 @@ typedef struct
const char *name;
const char *in_args;
const char *out_args;
@@ -836,19 +810,19 @@ index 5acdd62a..bc4ce0b5 100644
+ BusTransaction *transaction,
+ DBusMessage *message,
+ DBusError *error);
+ MethodFlags flags;
} MessageHandler;
- /* For speed it might be useful to sort this in order of
-@@ -2370,7 +2375,7 @@ static const MessageHandler dbus_message_handlers[] = {
- { NULL, NULL, NULL, NULL }
+@@ -2511,7 +2516,7 @@ static const PropertyHandler dbus_property_handlers[] = {
+ { NULL, NULL, NULL }
};
-static dbus_bool_t bus_driver_handle_introspect (DBusConnection *,
+static BusResult bus_driver_handle_introspect (DBusConnection *,
BusTransaction *, DBusMessage *, DBusError *);
- static const MessageHandler introspectable_message_handlers[] = {
-@@ -2514,7 +2519,7 @@ bus_driver_generate_introspect_string (DBusString *xml)
+ static const MessageHandler properties_message_handlers[] = {
+@@ -2763,7 +2768,7 @@ bus_driver_generate_introspect_string (DBusString *xml,
return TRUE;
}
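Review bot: The handler pointer in `MessageHandler` now returns `BusResult`, but the refreshed patch has no hunk between `@@ -2262,10 +2267,10 @@` (bus_driver_handle_become_monitor) and `@@ -2389,10 +2394,10 @@` (the `MessageHandler` typedef). That range is roughly a hundred lines longer than in the 1.10.20 version, and the new context line `static const MessageHandler properties_message_handlers[] = {` shows a handler table the old patch never had to cover. Any handler defined there and registered in these tables presumably still returns `dbus_bool_t`, so `bus_driver_handle_message` would read its `TRUE`/`FALSE` as a `BusResult`; depending on how the enum is numbered, a failure could be taken for success or for `BUS_RESULT_LATER`. Each such handler needs the same conversion as its neighbours (`static BusResult`, with `return BUS_RESULT_TRUE;` / `return BUS_RESULT_FALSE;`), and building with `-Werror=incompatible-pointer-types` would catch any that are missed. The same check is worth doing for `bus_driver_handle_update_activation_environment`, where this refresh drops the two conversions after `bus_driver_check_message_is_for_us` and `bus_driver_check_caller_is_privileged` without a replacement.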
@@ -857,7 +831,7 @@ index 5acdd62a..bc4ce0b5 100644
bus_driver_handle_introspect (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -2534,13 +2539,13 @@ bus_driver_handle_introspect (DBusConnection *connection,
+@@ -2784,13 +2789,13 @@ bus_driver_handle_introspect (DBusConnection *connection,
DBUS_TYPE_INVALID))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
@@ -872,8 +846,8 @@ index 5acdd62a..bc4ce0b5 100644
+ return BUS_RESULT_FALSE;
}
- if (!bus_driver_generate_introspect_string (&xml))
-@@ -2563,7 +2568,7 @@ bus_driver_handle_introspect (DBusConnection *connection,
+ is_canonical_path = dbus_message_has_path (message, DBUS_PATH_DBUS);
+@@ -2815,7 +2820,7 @@ bus_driver_handle_introspect (DBusConnection *connection,
dbus_message_unref (reply);
_dbus_string_free (&xml);
@@ -882,7 +856,7 @@ index 5acdd62a..bc4ce0b5 100644
oom:
BUS_SET_OOM (error);
-@@ -2573,7 +2578,7 @@ bus_driver_handle_introspect (DBusConnection *connection,
+@@ -2825,10 +2830,10 @@ bus_driver_handle_introspect (DBusConnection *connection,
_dbus_string_free (&xml);
@@ -890,25 +864,20 @@ index 5acdd62a..bc4ce0b5 100644
+ return BUS_RESULT_FALSE;
}
- /*
-@@ -2608,7 +2613,7 @@ bus_driver_check_message_is_for_us (DBusMessage *message,
- return TRUE;
- }
-
-dbus_bool_t
+BusResult
bus_driver_handle_message (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -2618,6 +2623,7 @@ bus_driver_handle_message (DBusConnection *connection,
- const InterfaceHandler *ih;
+@@ -2839,6 +2844,7 @@ bus_driver_handle_message (DBusConnection *connection,
const MessageHandler *mh;
dbus_bool_t found_interface = FALSE;
+ dbus_bool_t is_canonical_path;
+ BusResult res;
_DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -2633,7 +2639,7 @@ bus_driver_handle_message (DBusConnection *connection,
+@@ -2854,7 +2860,7 @@ bus_driver_handle_message (DBusConnection *connection,
transaction,
message,
error))
@@ -917,7 +886,7 @@ index 5acdd62a..bc4ce0b5 100644
context = bus_connection_get_context (connection);
systemd = bus_driver_get_owner_of_name (connection,
-@@ -2650,7 +2656,7 @@ bus_driver_handle_message (DBusConnection *connection,
+@@ -2871,7 +2877,7 @@ bus_driver_handle_message (DBusConnection *connection,
attacker ? attacker : "(unauthenticated)",
bus_connection_get_loginfo (connection));
/* ignore it */
@@ -926,7 +895,7 @@ index 5acdd62a..bc4ce0b5 100644
}
if (!bus_context_get_systemd_activation (context))
-@@ -2658,16 +2664,16 @@ bus_driver_handle_message (DBusConnection *connection,
+@@ -2879,16 +2885,16 @@ bus_driver_handle_message (DBusConnection *connection,
bus_context_log (context, DBUS_SYSTEM_LOG_WARNING,
"Ignoring unexpected ActivationFailure message "
"while not using systemd activation");
@@ -946,7 +915,7 @@ index 5acdd62a..bc4ce0b5 100644
}
/* may be NULL, which means "any interface will do" */
-@@ -2709,20 +2715,27 @@ bus_driver_handle_message (DBusConnection *connection,
+@@ -2953,20 +2959,27 @@ bus_driver_handle_message (DBusConnection *connection,
name, dbus_message_get_signature (message),
mh->in_args);
_DBUS_ASSERT_ERROR_IS_SET (error);
@@ -979,7 +948,7 @@ index 5acdd62a..bc4ce0b5 100644
}
}
}
-@@ -2734,7 +2747,7 @@ bus_driver_handle_message (DBusConnection *connection,
+@@ -2978,7 +2991,7 @@ bus_driver_handle_message (DBusConnection *connection,
"%s does not understand message %s",
DBUS_SERVICE_DBUS, name);
@@ -989,11 +958,11 @@ index 5acdd62a..bc4ce0b5 100644
void
diff --git a/bus/driver.h b/bus/driver.h
-index 201709c4..3ff4ff15 100644
+index ac1289d..183c28b 100644
--- a/bus/driver.h
+++ b/bus/driver.h
-@@ -28,7 +28,7 @@
- #include "connection.h"
+@@ -35,7 +35,7 @@ typedef enum
+ } BusDriverFound;
void bus_driver_remove_connection (DBusConnection *connection);
-dbus_bool_t bus_driver_handle_message (DBusConnection *connection,
@@ -1002,10 +971,10 @@ index 201709c4..3ff4ff15 100644
DBusMessage *message,
DBusError *error);
diff --git a/bus/policy.c b/bus/policy.c
-index 47bd1a24..7244a46f 100644
+index b1fab0d..27b66d1 100644
--- a/bus/policy.c
+++ b/bus/policy.c
-@@ -1323,18 +1323,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1388,18 +1388,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
@@ -1031,7 +1000,7 @@ index 47bd1a24..7244a46f 100644
link = _dbus_list_get_first_link (&rules);
while (link != NULL)
{
-@@ -1370,17 +1373,45 @@ bus_rules_check_can_own (DBusList *rules,
+@@ -1435,17 +1438,45 @@ bus_rules_check_can_own (DBusList *rules,
}
/* Use this rule */
@@ -1082,7 +1051,7 @@ index 47bd1a24..7244a46f 100644
}
#ifdef DBUS_ENABLE_EMBEDDED_TESTS
-@@ -1388,7 +1419,7 @@ dbus_bool_t
+@@ -1453,7 +1484,7 @@ dbus_bool_t
bus_policy_check_can_own (BusPolicy *policy,
const DBusString *service_name)
{
@@ -1092,10 +1061,10 @@ index 47bd1a24..7244a46f 100644
#endif /* DBUS_ENABLE_EMBEDDED_TESTS */
diff --git a/bus/policy.h b/bus/policy.h
-index e9f193af..1f234310 100644
+index f306a3c..39d7cc5 100644
--- a/bus/policy.h
+++ b/bus/policy.h
-@@ -170,8 +170,10 @@ BusResult bus_client_policy_check_can_receive (BusClientPolicy *polic
+@@ -182,8 +182,10 @@ BusResult bus_client_policy_check_can_receive (BusClientPolicy *polic
dbus_int32_t *toggles,
const char **privilege_param,
BusDeferredMessage **deferred_message);
@@ -1109,10 +1078,10 @@ index e9f193af..1f234310 100644
BusPolicyRule *rule);
void bus_client_policy_optimize (BusClientPolicy *policy);
diff --git a/bus/services.c b/bus/services.c
-index 6a4c8848..fcc2d261 100644
+index 127edda..586af18 100644
--- a/bus/services.c
+++ b/bus/services.c
-@@ -376,24 +376,26 @@ bus_registry_list_services (BusRegistry *registry,
+@@ -376,16 +376,17 @@ bus_registry_list_services (BusRegistry *registry,
return FALSE;
}
@@ -1132,17 +1101,18 @@ index 6a4c8848..fcc2d261 100644
DBusConnection *old_owner_conn;
BusClientPolicy *policy;
BusService *service;
- BusActivation *activation;
+@@ -393,8 +394,9 @@ bus_registry_acquire_service (BusRegistry *registry,
BusSELinuxID *sid;
BusOwner *primary_owner;
+ int limit;
+ BusResult res;
-
+
- retval = FALSE;
+ retval = BUS_RESULT_FALSE;
if (!_dbus_validate_bus_name (service_name, 0,
_dbus_string_get_length (service_name)))
-@@ -466,7 +468,8 @@ bus_registry_acquire_service (BusRegistry *registry,
+@@ -467,7 +469,8 @@ bus_registry_acquire_service (BusRegistry *registry,
_dbus_string_get_const_data (service_name), error))
goto out;
@@ -1152,7 +1122,7 @@ index 6a4c8848..fcc2d261 100644
{
dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
"Connection \"%s\" is not allowed to own the service \"%s\" due "
-@@ -477,6 +480,11 @@ bus_registry_acquire_service (BusRegistry *registry,
+@@ -478,6 +481,11 @@ bus_registry_acquire_service (BusRegistry *registry,
_dbus_string_get_const_data (service_name));
goto out;
}
@@ -1162,9 +1132,9 @@ index 6a4c8848..fcc2d261 100644
+ goto out;
+ }
- if (bus_connection_get_n_services_owned (connection) >=
- bus_context_get_max_services_per_connection (registry->context))
-@@ -593,11 +601,13 @@ bus_registry_acquire_service (BusRegistry *registry,
+ limit = bus_context_get_max_services_per_connection (registry->context);
+
+@@ -603,11 +611,13 @@ bus_registry_acquire_service (BusRegistry *registry,
}
activation = bus_context_get_activation (registry->context);
@@ -1183,7 +1153,7 @@ index 6a4c8848..fcc2d261 100644
out:
return retval;
diff --git a/bus/services.h b/bus/services.h
-index 056dd9fa..3df3dd7d 100644
+index 056dd9f..3df3dd7 100644
--- a/bus/services.h
+++ b/bus/services.h
@@ -50,8 +50,9 @@ void bus_registry_foreach (BusRegistry *registry
@@ -1198,7 +1168,7 @@ index 056dd9fa..3df3dd7d 100644
dbus_uint32_t flags,
dbus_uint32_t *result,
diff --git a/bus/stats.c b/bus/stats.c
-index dace0e29..aab0e5c9 100644
+index 1582255..4ba72d6 100644
--- a/bus/stats.c
+++ b/bus/stats.c
@@ -36,7 +36,7 @@
@@ -1210,16 +1180,7 @@ index dace0e29..aab0e5c9 100644
bus_stats_handle_get_stats (DBusConnection *connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -52,7 +52,7 @@ bus_stats_handle_get_stats (DBusConnection *connection,
- _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-
- if (!bus_driver_check_message_is_for_us (message, error))
-- return FALSE;
-+ return BUS_RESULT_FALSE;
-
- context = bus_transaction_get_context (transaction);
- connections = bus_context_get_connections (context);
-@@ -107,17 +107,17 @@ bus_stats_handle_get_stats (DBusConnection *connection,
+@@ -104,17 +104,17 @@ bus_stats_handle_get_stats (DBusConnection *connection,
goto oom;
dbus_message_unref (reply);
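Review bot: The refreshed `bus/stats.c` part of this patch no longer converts any early return. The inner hunk that turned `return FALSE;` into `return BUS_RESULT_FALSE;` after `bus_driver_check_message_is_for_us` in `bus_stats_handle_get_stats` is dropped here, and the next hunk drops the three equivalent conversions in `bus_stats_handle_get_connection_stats`. That is correct only if dbus 1.12.10 no longer has those return sites; the `failed:` label in a later hunk suggests they became `goto failed`, but the diff does not show it. A bare `return FALSE;` or `return TRUE;` left in a function that now returns `BusResult` compiles without a diagnostic, and whether it maps to the intended enumerator depends on the enum's numbering, which is not visible on this page. After applying the series, grep the converted functions in `bus/stats.c`, `bus/driver.c` and `bus/services.c` for remaining `TRUE`/`FALSE` returns, since these values decide how the bus treats a denied or deferred request.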
@@ -1240,33 +1201,7 @@ index dace0e29..aab0e5c9 100644
bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -137,14 +137,14 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
- _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-
- if (!bus_driver_check_message_is_for_us (message, error))
-- return FALSE;
-+ return BUS_RESULT_FALSE;
-
- registry = bus_connection_get_registry (caller_connection);
-
- if (! dbus_message_get_args (message, error,
- DBUS_TYPE_STRING, &bus_name,
- DBUS_TYPE_INVALID))
-- return FALSE;
-+ return BUS_RESULT_FALSE;
-
- _dbus_string_init_const (&bus_name_str, bus_name);
- service = bus_registry_lookup (registry, &bus_name_str);
-@@ -153,7 +153,7 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
- {
- dbus_set_error (error, DBUS_ERROR_NAME_HAS_NO_OWNER,
- "Bus name '%s' has no owner", bus_name);
-- return FALSE;
-+ return BUS_RESULT_FALSE;
- }
-
- stats_connection = bus_service_get_primary_owners_connection (service);
-@@ -215,18 +215,18 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
+@@ -209,7 +209,7 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
goto oom;
dbus_message_unref (reply);
@@ -1274,10 +1209,11 @@ index dace0e29..aab0e5c9 100644
+ return BUS_RESULT_TRUE;
oom:
+ BUS_SET_OOM (error);
+@@ -218,11 +218,11 @@ failed:
if (reply != NULL)
dbus_message_unref (reply);
- BUS_SET_OOM (error);
- return FALSE;
+ return BUS_RESULT_FALSE;
}
@@ -1288,7 +1224,7 @@ index dace0e29..aab0e5c9 100644
bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection,
BusTransaction *transaction,
DBusMessage *message,
-@@ -250,7 +250,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection,
+@@ -246,7 +246,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection,
matchmaker = bus_context_get_matchmaker (context);
if (!bus_registry_list_services (registry, &services, &services_len))
@@ -1297,7 +1233,7 @@ index dace0e29..aab0e5c9 100644
reply = dbus_message_new_method_return (message);
if (reply == NULL)
-@@ -329,7 +329,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection,
+@@ -325,7 +325,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection,
dbus_message_unref (reply);
dbus_free_string_array (services);
@@ -1306,7 +1242,7 @@ index dace0e29..aab0e5c9 100644
oom:
if (reply != NULL)
-@@ -338,7 +338,7 @@ oom:
+@@ -334,7 +334,7 @@ oom:
dbus_free_string_array (services);
BUS_SET_OOM (error);
@@ -1316,7 +1252,7 @@ index dace0e29..aab0e5c9 100644
#endif
diff --git a/bus/stats.h b/bus/stats.h
-index dcb022c4..683fa175 100644
+index dcb022c..683fa17 100644
--- a/bus/stats.h
+++ b/bus/stats.h
@@ -25,17 +25,17 @@
@@ -1340,6 +1276,3 @@ index dcb022c4..683fa175 100644
BusTransaction *transaction,
DBusMessage *message,
DBusError *error);
---
-2.14.3
-
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch
index d30b2dbf8..6cc7c19c4 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch
+++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch
@@ -26,14 +26,14 @@ Change-Id: Ifb4a160bf6e0638404e0295a2e4fa3077efd881c
Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
Cherry picked from e8610297cf7031e94eb314a2e8c11246f4405403 by Jose Bollo
+
+Updated for dbus 1.12.10 by Scott Murray.
+
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- bus/session.conf.in | 32 ++++++++++++++++++++++++++------
- bus/system.conf.in | 19 +++++++++++++++----
- 2 files changed, 41 insertions(+), 10 deletions(-)
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
diff --git a/bus/session.conf.in b/bus/session.conf.in
-index affa7f1d..157dfb4d 100644
+index affa7f1..157dfb4 100644
--- a/bus/session.conf.in
+++ b/bus/session.conf.in
@@ -27,12 +27,32 @@
@@ -76,10 +76,10 @@ index affa7f1d..157dfb4d 100644
<!-- Include legacy configuration location -->
diff --git a/bus/system.conf.in b/bus/system.conf.in
-index 014f67ee..ebbd468a 100644
+index f139b55..19d0c04 100644
--- a/bus/system.conf.in
+++ b/bus/system.conf.in
-@@ -50,23 +50,34 @@
+@@ -50,17 +50,20 @@
<deny own="*"/>
<deny send_type="method_call"/>
@@ -104,9 +104,10 @@ index 014f67ee..ebbd468a 100644
<!-- Allow anyone to talk to the message bus -->
<allow send_destination="org.freedesktop.DBus"
- send_interface="org.freedesktop.DBus" />
- <allow send_destination="org.freedesktop.DBus"
+@@ -69,6 +72,14 @@
send_interface="org.freedesktop.DBus.Introspectable"/>
+ <allow send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus.Properties"/>
+ <!-- If there is a need specific bus services could be protected by Cynara as well.
+ However, this can lead to deadlock during the boot process when such check is made and
+ Cynara is not yet activated (systemd calls protected method synchronously,
@@ -118,6 +119,3 @@ index 014f67ee..ebbd468a 100644
<!-- But disallow some specific bus services -->
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus"
---
-2.14.3
-
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara_1.10.20.bb b/meta-security/recipes-core/dbus-cynara/dbus-cynara_1.12.10.bb
index a97148366..2b494becb 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara_1.10.20.bb
+++ b/meta-security/recipes-core/dbus-cynara/dbus-cynara_1.12.10.bb
@@ -1,4 +1,4 @@
-require ${COREBASE}/meta/recipes-core/dbus/dbus_1.10.20.bb
+require ${COREBASE}/meta/recipes-core/dbus/dbus_1.12.10.bb
FILESEXTRAPATHS_prepend := "${COREBASE}/meta/recipes-core/dbus/dbus:${THISDIR}/dbus-cynara:"
S = "${WORKDIR}/dbus-${PV}"
diff --git a/meta-security/recipes-core/dbus-cynara/dbus_%.bbappend b/meta-security/recipes-core/dbus-cynara/dbus_%.bbappend
index 78df8ec3c..2923c5c18 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus_%.bbappend
+++ b/meta-security/recipes-core/dbus-cynara/dbus_%.bbappend
@@ -1,4 +1,5 @@
FILESEXTRAPATHS_prepend := "${THISDIR}/dbus-cynara:"
+
SRC_URI_append = "\
file://0001-Integration-of-Cynara-asynchronous-security-checks.patch \
file://0002-Disable-message-dispatching-when-send-rule-result-is.patch \
diff --git a/meta-security/recipes-core/systemd/systemd_234.bbappend b/meta-security/recipes-core/systemd/systemd_239.bbappend
index 79753a2d6..789c05f83 100644
--- a/meta-security/recipes-core/systemd/systemd_234.bbappend
+++ b/meta-security/recipes-core/systemd/systemd_239.bbappend
@@ -1,16 +1,7 @@
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-##################################################################################
-# What follows is temporary.
-# This patch is still needed for systemd 234 but is normally upstreamed
-# and thus should be removed in later versions.
-##################################################################################
-SRC_URI_append_with-lsm-smack = "\
- file://0001-Switch-Smack-label-earlier.patch \
-"
-
# Ensures systemd runs with label "System"
-EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System"
+EXTRA_OEMESON_append_with-lsm-smack = " -Dsmack-run-label=System"
##################################################################################
# Maintaining trivial, non-upstreamable configuration changes as patches
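Review bot: The hunk drops `0001-Switch-Smack-label-earlier.patch` from `SRC_URI_append_with-lsm-smack` without recording that systemd 239 actually contains the fix. The removed comment only said the patch "is normally upstreamed". Because that patch governs when systemd takes its Smack label, confirm the change is present in the 239 sources and note it next to the label setting, e.g. `# Smack label switch fix is upstream in this systemd version (verified against <upstream-commit-id>)`. Separately, `-Dsmack-run-label=System` only has an effect when Smack support is compiled into systemd. The rest of the bbappend is outside the hunk, so check that the systemd `smack` build option is enabled for `with-lsm-smack` builds.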
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc
deleted file mode 100644
index 09e4ea5bb..000000000
--- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc
+++ /dev/null
@@ -1,27 +0,0 @@
-SUMMARY = "Ext2 Filesystem Utilities"
-DESCRIPTION = "The Ext2 Filesystem Utilities (e2fsprogs) contain all of the standard utilities for creating, \
-fixing, configuring , and debugging ext2 filesystems."
-HOMEPAGE = "http://e2fsprogs.sourceforge.net/"
-
-LICENSE = "GPLv2 & LGPLv2 & BSD & MIT"
-LICENSE_e2fsprogs-e2fsck = "GPLv2"
-LICENSE_e2fsprogs-mke2fs = "GPLv2"
-LICENSE_e2fsprogs-fsck = "GPLv2"
-LICENSE_e2fsprogs-tune2fs = "GPLv2"
-LICENSE_e2fsprogs-badblocks = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b48f21d765b875bd10400975d12c1ca2 \
- file://lib/ext2fs/ext2fs.h;beginline=1;endline=9;md5=596a8dedcb4e731c6b21c7a46fba6bef \
- file://lib/e2p/e2p.h;beginline=1;endline=7;md5=8a74ade8f9d65095d70ef2d4bf48e36a \
- file://lib/uuid/uuid.h.in;beginline=1;endline=32;md5=dbb8079e114a5f841934b99e59c8820a \
- file://lib/uuid/COPYING;md5=58dcd8452651fc8b07d1f65ce07ca8af \
- file://lib/et/et_name.c;beginline=1;endline=11;md5=ead236447dac7b980dbc5b4804d8c836 \
- file://lib/ss/ss.h;beginline=1;endline=20;md5=6e89ad47da6e75fecd2b5e0e81e1d4a6"
-SECTION = "base"
-DEPENDS = "util-linux"
-
-SRC_URI = "git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git"
-S = "${WORKDIR}/git"
-
-inherit autotools gettext texinfo pkgconfig multilib_header update-alternatives ptest
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4 b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4
deleted file mode 100644
index c0bd7dbde..000000000
--- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4
+++ /dev/null
@@ -1,135 +0,0 @@
-# Extracted from the package's shipped aclocal.m4. Custom macros should be in
-# acinclude.m4 so running aclocal doesn't blow them away.
-#
-# Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-# from http://autoconf-archive.cryp.to/ax_tls.html
-#
-# This was licensed under the GPL with the following exception:
-#
-# As a special exception, the respective Autoconf Macro's copyright
-# owner gives unlimited permission to copy, distribute and modify the
-# configure scripts that are the output of Autoconf when processing
-# the Macro. You need not follow the terms of the GNU General Public
-# License when using or distributing such scripts, even though
-# portions of the text of the Macro appear in them. The GNU General
-# Public License (GPL) does govern all other use of the material that
-# constitutes the Autoconf Macro.
-#
-# This special exception to the GPL applies to versions of the
-# Autoconf Macro released by the Autoconf Macro Archive. When you make
-# and distribute a modified version of the Autoconf Macro, you may
-# extend this special exception to the GPL to apply to your modified
-# version as well.
-#
-AC_DEFUN([AX_TLS], [
- AC_MSG_CHECKING(for thread local storage (TLS) class)
- AC_CACHE_VAL(ac_cv_tls, [
- ax_tls_keywords="__thread __declspec(thread) none"
- for ax_tls_keyword in $ax_tls_keywords; do
- case $ax_tls_keyword in
- none) ac_cv_tls=none ; break ;;
- *)
- AC_TRY_COMPILE(
- [#include <stdlib.h>
- static void
- foo(void) {
- static ] $ax_tls_keyword [ int bar;
- exit(1);
- }],
- [],
- [ac_cv_tls=$ax_tls_keyword ; break],
- ac_cv_tls=none
- )
- esac
- done
-])
-
- if test "$ac_cv_tls" != "none"; then
- dnl AC_DEFINE([TLS], [], [If the compiler supports a TLS storage class define it to that here])
- AC_DEFINE_UNQUOTED([TLS], $ac_cv_tls, [If the compiler supports a TLS storage class define it to that here])
- fi
- AC_MSG_RESULT($ac_cv_tls)
-])
-
-# ===========================================================================
-# http://www.nongnu.org/autoconf-archive/check_gnu_make.html
-# ===========================================================================
-#
-# SYNOPSIS
-#
-# CHECK_GNU_MAKE()
-#
-# DESCRIPTION
-#
-# This macro searches for a GNU version of make. If a match is found, the
-# makefile variable `ifGNUmake' is set to the empty string, otherwise it
-# is set to "#". This is useful for including a special features in a
-# Makefile, which cannot be handled by other versions of make. The
-# variable _cv_gnu_make_command is set to the command to invoke GNU make
-# if it exists, the empty string otherwise.
-#
-# Here is an example of its use:
-#
-# Makefile.in might contain:
-#
-# # A failsafe way of putting a dependency rule into a makefile
-# $(DEPEND):
-# $(CC) -MM $(srcdir)/*.c > $(DEPEND)
-#
-# @ifGNUmake@ ifeq ($(DEPEND),$(wildcard $(DEPEND)))
-# @ifGNUmake@ include $(DEPEND)
-# @ifGNUmake@ endif
-#
-# Then configure.in would normally contain:
-#
-# CHECK_GNU_MAKE()
-# AC_OUTPUT(Makefile)
-#
-# Then perhaps to cause gnu make to override any other make, we could do
-# something like this (note that GNU make always looks for GNUmakefile
-# first):
-#
-# if ! test x$_cv_gnu_make_command = x ; then
-# mv Makefile GNUmakefile
-# echo .DEFAULT: > Makefile ;
-# echo \ $_cv_gnu_make_command \$@ >> Makefile;
-# fi
-#
-# Then, if any (well almost any) other make is called, and GNU make also
-# exists, then the other make wraps the GNU make.
-#
-# LICENSE
-#
-# Copyright (c) 2008 John Darrington <j.darrington@elvis.murdoch.edu.au>
-#
-# Copying and distribution of this file, with or without modification, are
-# permitted in any medium without royalty provided the copyright notice
-# and this notice are preserved.
-#
-# Note: Modified by Ted Ts'o to add @ifNotGNUMake@
-
-AC_DEFUN(
- [CHECK_GNU_MAKE], [ AC_CACHE_CHECK( for GNU make,_cv_gnu_make_command,
- _cv_gnu_make_command='' ;
-dnl Search all the common names for GNU make
- for a in "$MAKE" make gmake gnumake ; do
- if test -z "$a" ; then continue ; fi ;
- if ( sh -c "$a --version" 2> /dev/null | grep GNU 2>&1 > /dev/null ) ; then
- _cv_gnu_make_command=$a ;
- break;
- fi
- done ;
- ) ;
-dnl If there was a GNU version, then set @ifGNUmake@ to the empty string, '#' otherwise
- if test "x$_cv_gnu_make_command" != "x" ; then
- ifGNUmake='' ;
- ifNotGNUmake='#' ;
- else
- ifGNUmake='#' ;
- ifNotGNUmake='' ;
- AC_MSG_RESULT("Not found");
- fi
- AC_SUBST(ifGNUmake)
- AC_SUBST(ifNotGNUmake)
-] )
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch
deleted file mode 100644
index 2a3aeff61..000000000
--- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Mei Lei <lei.mei@intel.com>
-
-diff --git a/configure.ac b/configure.ac
-index c1fe224..f5ac628 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1374,7 +1374,8 @@ if test -n "$WITH_DIET_LIBC" ; then
- INCLUDES="$INCLUDES -D_REENTRANT"
- fi
- AC_SUBST(INCLUDES)
--AM_MKINSTALLDIRS
-+MKINSTALLDIRS="mkdir -p"
-+AC_SUBST(MKINSTALLDIRS)
- dnl
- dnl Build CFLAGS
- dnl
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch
deleted file mode 100644
index ef1ce5872..000000000
--- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-diff --git a/tests/Makefile.in b/tests/Makefile.in
-index 60cf655..ce220f1 100644
---- a/tests/Makefile.in
-+++ b/tests/Makefile.in
-@@ -18,7 +18,7 @@ test_one: $(srcdir)/test_one.in Makefile mke2fs.conf
- @echo "#!/bin/sh" > test_one
- @echo "HTREE=y" >> test_one
- @echo "QUOTA=y" >> test_one
-- @echo "SRCDIR=@srcdir@" >> test_one
-+ @echo "SRCDIR=/usr/lib/e2fsprogs/ptest/test" >> test_one
- @echo "DIFF_OPTS=@UNI_DIFF_OPTS@" >> test_one
- @cat $(srcdir)/test_one.in >> test_one
- @chmod +x test_one
-@@ -26,7 +26,7 @@ test_one: $(srcdir)/test_one.in Makefile mke2fs.conf
- test_script: test_one test_script.in Makefile mke2fs.conf
- @echo "Creating test_script..."
- @echo "#!/bin/sh" > test_script
-- @echo "SRCDIR=@srcdir@" >> test_script
-+ @echo "SRCDIR=/usr/lib/e2fsprogs/ptest/test" >> test_script
- @cat $(srcdir)/test_script.in >> test_script
- @chmod +x test_script
-
-diff --git a/tests/test_config b/tests/test_config
-index 7f39157..c815a44 100644
---- a/tests/test_config
-+++ b/tests/test_config
-@@ -3,24 +3,24 @@
- #
-
- unset LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME PAGER
--FSCK="$USE_VALGRIND ../e2fsck/e2fsck"
--MKE2FS="$USE_VALGRIND ../misc/mke2fs"
--DUMPE2FS="$USE_VALGRIND ../misc/dumpe2fs"
--TUNE2FS="$USE_VALGRIND ../misc/tune2fs"
--CHATTR="$USE_VALGRIND../misc/chattr"
--LSATTR="$USE_VALGRIND ../misc/lsattr"
--E2IMAGE="$USE_VALGRIND ../misc/e2image"
--E2IMAGE_EXE="../misc/e2image"
--DEBUGFS="$USE_VALGRIND ../debugfs/debugfs"
--DEBUGFS_EXE="../debugfs/debugfs"
--TEST_BITS="../debugfs/debugfs"
--RESIZE2FS_EXE="../resize/resize2fs"
-+FSCK="$USE_VALGRIND e2fsck"
-+MKE2FS="$USE_VALGRIND mke2fs"
-+DUMPE2FS="$USE_VALGRIND dumpe2fs"
-+TUNE2FS="$USE_VALGRIND tune2fs"
-+CHATTR="$USE_VALGRIND chattr"
-+LSATTR="$USE_VALGRIND lsattr"
-+E2IMAGE="$USE_VALGRIND e2image"
-+E2IMAGE_EXE="/sbin/e2image"
-+DEBUGFS="$USE_VALGRIND debugfs"
-+DEBUGFS_EXE="/sbin/debugfs"
-+TEST_BITS="/sbin/debugfs"
-+RESIZE2FS_EXE="/sbin/resize2fs"
- RESIZE2FS="$USE_VALGRIND $RESIZE2FS_EXE"
--E2UNDO_EXE="../misc/e2undo"
-+E2UNDO_EXE="/sbin/e2undo"
- E2UNDO="$USE_VALGRIND $E2UNDO_EXE"
--TEST_REL=../tests/progs/test_rel
--TEST_ICOUNT=../tests/progs/test_icount
--CRCSUM=../tests/progs/crcsum
-+TEST_REL=./progs/test_rel
-+TEST_ICOUNT=./progs/test_icount
-+CRCSUM=./progs/crcsum
- CLEAN_OUTPUT="sed -f $cmd_dir/filter.sed"
- LD_LIBRARY_PATH=../lib:../lib/ext2fs:../lib/e2p:../lib/et:../lib/ss:${LD_LIBRARY_PATH}
- DYLD_LIBRARY_PATH=../lib:../lib/ext2fs:../lib/e2p:../lib/et:../lib/ss:${DYLD_LIBRARY_PATH}
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch
deleted file mode 100644
index 830e9d57a..000000000
--- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-When executing a script don't echo every command, as we do this for entire
-filesystems at rootfs time.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/debugfs/debugfs.c b/debugfs/debugfs.c
-index 5590295..ac57292 100644
---- a/debugfs/debugfs.c
-+++ b/debugfs/debugfs.c
-@@ -2378,7 +2378,7 @@ static int source_file(const char *cmd_file, int ss_idx)
- cp = strchr(buf, '\r');
- if (cp)
- *cp = 0;
-- printf("debugfs: %s\n", buf);
-+ /*printf("debugfs: %s\n", buf);*/
- retval = ss_execute_line(ss_idx, buf);
- if (retval) {
- ss_perror(ss_idx, retval, buf);
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch
deleted file mode 100644
index f3e6eb778..000000000
--- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b139e03ac2f72e644e547c7ee9b1514383af4d97 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Wed, 30 Jan 2013 15:22:04 +0200
-Subject: [PATCH] When /etc/ld.so.cache is writeable by user running bitbake
- then it creates invalid cache (in my case libstdc++.so
- cannot be found after building zlib(-native) and I have to
- call touch */libstdc++.so && /sbin/ldconfig to fix it.
-
-So remove ldconfig call from make install-libs
-
-Patch authored by Martin Jansa.
-
-Upstream-Status: Inappropriate [disable feature]
-
-Signed-off-by: Scott Garman <scott.a.garman@intel.com>
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
----
- lib/Makefile.elf-lib | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/lib/Makefile.elf-lib b/lib/Makefile.elf-lib
-index 78479d3..4a4a5ac 100644
---- a/lib/Makefile.elf-lib
-+++ b/lib/Makefile.elf-lib
-@@ -50,8 +50,6 @@ install-shlibs install:: $(ELF_LIB) installdirs-elf-lib $(DEP_INSTALL_SYMLINK)
- $(E) " SYMLINK $(libdir)/$(ELF_IMAGE).so"
- $(Q) $(INSTALL_SYMLINK) $(ELF_INSTALL_DIR)/$(ELF_SONAME) \
- $(libdir)/$(ELF_IMAGE).so $(DESTDIR)
-- $(E) " LDCONFIG"
-- $(Q) -$(LDCONFIG)
-
- install-strip: install
- $(E) " STRIP-LIB $(ELF_INSTALL_DIR)/$(ELF_LIB)"
-@@ -67,7 +65,6 @@ uninstall-shlibs uninstall::
- $(RM) -f $(DESTDIR)$(ELF_INSTALL_DIR)/$(ELF_LIB) \
- $(DESTDIR)$(ELF_INSTALL_DIR)/$(ELF_SONAME) \
- $(DESTDIR)$(libdir)/$(ELF_IMAGE).so
-- -$(LDCONFIG)
-
- clean::
- $(RM) -rf elfshared
---
-1.7.9.5
-
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
deleted file mode 100644
index 1ac251324..000000000
--- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-cd ./test
-./test_script &>../test.log
-if [ $? -eq 0 ]
-then
- echo "PASS: e2fsprogs"
- rm test.log
-else
- echo "FAIL: e2fsprogs"
-fi
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend
deleted file mode 100644
index 35dd361d4..000000000
--- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend
+++ /dev/null
@@ -1,14 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-# Applying this patch is optional. Only some versions
-# of e2fsprogs need it. So try to apply it, but if it fails,
-# continue and hope the patch wasn't needed. If it is needed
-# and got skipped, the oeqa Smack tests will catch the failure.
-SRC_URI += "file://ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch;apply=no"
-
-do_patch[postfuncs] += "patch_xattr_support"
-patch_xattr_support () {
- cd ${S}
- cp lib/ext2fs/ext_attr.c lib/ext2fs/ext_attr.c.orig
- patch lib/ext2fs/ext_attr.c <${WORKDIR}/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch && rm lib/ext2fs/ext_attr.c.orig || mv lib/ext2fs/ext_attr.c.orig lib/ext2fs/ext_attr.c
-}
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb
deleted file mode 100644
index bc2d201a4..000000000
--- a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb
+++ /dev/null
@@ -1,106 +0,0 @@
-COREDIR = "${COREBASE}/meta/recipes-devtools/e2fsprogs"
-
-# This recipe is a copy of a e2fsprogs 1.42.99+1.43 from OE-core master and
-# only meant to be used when the current OE-core does not have that version yet.
-python () {
- import os
- upstream = os.path.join(d.getVar('COREDIR', True), 'e2fsprogs_1.42.9.bb')
- if not os.path.exists(upstream):
- raise bb.parse.SkipRecipe("This recipe replaces e2fsprogs 1.42.9 in OE-core. e2fsprogs from OE-core is something else and thus either recent enough to have xattr support or (less likely) something unexpected.")
-}
-
-
-require e2fsprogs.inc
-
-SRC_URI += "file://acinclude.m4 \
- file://remove.ldconfig.call.patch \
- file://quiet-debugfs.patch \
- file://run-ptest \
- file://ptest.patch \
- file://mkdir.patch \
-"
-
-SRCREV = "0f26747167cc9d82df849b0aad387bf824f04544"
-PV = "1.42.99+1.43+git${SRCPV}"
-UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+\.\d+(\.\d+)*)$"
-
-EXTRA_OECONF += "--libdir=${base_libdir} --sbindir=${base_sbindir} \
- --enable-elf-shlibs --disable-libuuid --disable-uuidd \
- --disable-libblkid --enable-verbose-makecmds"
-
-EXTRA_OECONF_darwin = "--libdir=${base_libdir} --sbindir=${base_sbindir} --enable-bsd-shlibs"
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[fuse] = '--enable-fuse2fs,--disable-fuse2fs,fuse'
-
-do_configure_prepend () {
- cp ${WORKDIR}/acinclude.m4 ${S}/
-}
-
-do_install () {
- oe_runmake 'DESTDIR=${D}' install
- oe_runmake 'DESTDIR=${D}' install-libs
- # We use blkid from util-linux now so remove from here
- rm -f ${D}${base_libdir}/libblkid*
- rm -rf ${D}${includedir}/blkid
- rm -f ${D}${base_libdir}/pkgconfig/blkid.pc
- rm -f ${D}${base_sbindir}/blkid
- rm -f ${D}${base_sbindir}/fsck
- rm -f ${D}${base_sbindir}/findfs
-
- # e2initrd_helper and the pkgconfig files belong in libdir
- if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
- install -d ${D}${libdir}
- mv ${D}${base_libdir}/e2initrd_helper ${D}${libdir}
- mv ${D}${base_libdir}/pkgconfig ${D}${libdir}
- fi
-
- oe_multilib_header ext2fs/ext2_types.h
- install -d ${D}${base_bindir}
- mv ${D}${bindir}/chattr ${D}${base_bindir}/chattr.e2fsprogs
-
- install -v -m 755 ${S}/contrib/populate-extfs.sh ${D}${base_sbindir}/
-}
-
-do_install_append_class-target() {
- # Clean host path in compile_et, mk_cmds
- sed -i -e "s,ET_DIR=\"${S}/lib/et\",ET_DIR=\"${datadir}/et\",g" ${D}${bindir}/compile_et
- sed -i -e "s,SS_DIR=\"${S}/lib/ss\",SS_DIR=\"${datadir}/ss\",g" ${D}${bindir}/mk_cmds
-}
-
-RDEPENDS_e2fsprogs = "e2fsprogs-badblocks"
-RRECOMMENDS_e2fsprogs = "e2fsprogs-mke2fs e2fsprogs-e2fsck"
-
-PACKAGES =+ "e2fsprogs-e2fsck e2fsprogs-mke2fs e2fsprogs-tune2fs e2fsprogs-badblocks e2fsprogs-resize2fs"
-PACKAGES =+ "libcomerr libss libe2p libext2fs"
-
-FILES_e2fsprogs-resize2fs = "${base_sbindir}/resize2fs*"
-FILES_e2fsprogs-e2fsck = "${base_sbindir}/e2fsck ${base_sbindir}/fsck.ext*"
-FILES_e2fsprogs-mke2fs = "${base_sbindir}/mke2fs ${base_sbindir}/mkfs.ext* ${sysconfdir}/mke2fs.conf"
-FILES_e2fsprogs-tune2fs = "${base_sbindir}/tune2fs ${base_sbindir}/e2label"
-FILES_e2fsprogs-badblocks = "${base_sbindir}/badblocks"
-FILES_libcomerr = "${base_libdir}/libcom_err.so.*"
-FILES_libss = "${base_libdir}/libss.so.*"
-FILES_libe2p = "${base_libdir}/libe2p.so.*"
-FILES_libext2fs = "${libdir}/e2initrd_helper ${base_libdir}/libext2fs.so.*"
-FILES_${PN}-dev += "${datadir}/*/*.awk ${datadir}/*/*.sed ${base_libdir}/*.so"
-
-ALTERNATIVE_${PN} = "chattr"
-ALTERNATIVE_PRIORITY = "100"
-ALTERNATIVE_LINK_NAME[chattr] = "${base_bindir}/chattr"
-ALTERNATIVE_TARGET[chattr] = "${base_bindir}/chattr.e2fsprogs"
-
-ALTERNATIVE_${PN}-doc = "fsck.8"
-ALTERNATIVE_LINK_NAME[fsck.8] = "${mandir}/man8/fsck.8"
-
-RDEPENDS_${PN}-ptest += "${PN} ${PN}-tune2fs coreutils procps bash"
-
-do_compile_ptest() {
- oe_runmake -C ${B}/tests
-}
-
-do_install_ptest() {
- cp -a ${B}/tests ${D}${PTEST_PATH}/test
- cp -a ${S}/tests/* ${D}${PTEST_PATH}/test
- sed -e 's!../e2fsck/e2fsck!e2fsck!g' -i ${D}${PTEST_PATH}/test/*/expect*
-}
diff --git a/meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch b/meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch
deleted file mode 100644
index 67b8b68fb..000000000
--- a/meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 3b2b0922e031628f313f5480c4f1f9413c6656bf Mon Sep 17 00:00:00 2001
-From: Richard Purdie <richard.purdie@linuxfoundation.org>
-Date: Wed, 10 Feb 2016 15:51:43 +0100
-Subject: [PATCH] ext_attr.c: fix adding multiple xattrs during image creation
-
-http://www.nongnu.org/ext2-doc/ext2.html#CONTRIB-EXTENDED-ATTRIBUTES
-contains the small snippet that "The entry descriptors are sorted by
-attribute name, so that two extended attribute blocks can be compared
-efficiently".
-
-The libext2fs code in e2fsprogs needs to be taught about this minor
-sorting detail. Otherwise creating an image with "mkfs.ext -d" from a
-filesystem that reports xattrs in listxattr() in an order that does
-not match the expected order will lead to an image where listxattr()
-reports all xattrs, but reading some values fails with ENODATA.
-
-[Patch from RP, commit message from Patrick and RP]
-
-Upstream-Status: Pending [https://bugzilla.yoctoproject.org/show_bug.cgi?id=8992]
----
- lib/ext2fs/ext_attr.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c
-index 0a4f8c0..be8f9c3 100644
---- a/lib/ext2fs/ext_attr.c
-+++ b/lib/ext2fs/ext_attr.c
-@@ -258,6 +258,7 @@ static struct ea_name_index ea_names[] = {
- static int attr_compare(const void *a, const void *b)
- {
- const struct ext2_xattr *xa = a, *xb = b;
-+ size_t len;
-
- if (xa->name == NULL)
- return +1;
-@@ -267,7 +268,11 @@ static int attr_compare(const void *a, const void *b)
- return -1;
- else if (!strcmp(xb->name, "system.data"))
- return +1;
-- return 0;
-+ len = strlen(xa->name) - strlen(xb->name);
-+ if (len)
-+ return len;
-+
-+ return strcmp(xa->name, xb->name);
- }
-
- static const char *find_ea_prefix(int index)
---
-2.1.4
-
diff --git a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
index 11387b98b..e1d0cfac9 100644
--- a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
+++ b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
@@ -1,7 +1,7 @@
-From 3d387993b5a4283e8aebd8e777b2ccd45d233959 Mon Sep 17 00:00:00 2001
+From 8bf90bf3e7a821dbd3b7029d87aa592eec6f1754 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Thu, 25 Jan 2018 12:00:18 +0100
-Subject: [PATCH 1/6] Add fallthrough tags
+Subject: [PATCH] Add fallthrough tags
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -12,6 +12,7 @@ to the next after some processing.
Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+
---
src/admin/api/admin-api.cpp | 1 +
src/client-async/logic/Logic.cpp | 1 +
@@ -54,6 +55,3 @@ index b1ca4f7..f4394e5 100644
default:
return true;
}
---
-2.14.3
-
diff --git a/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch b/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch
new file mode 100644
index 000000000..40e11ce5d
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch
@@ -0,0 +1,35 @@
+From ca28ec4a0781a1ab9ec5f015387436beb51adfc3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan-Simon=20M=C3=B6ller?= <jsmoeller@linuxfoundation.org>
+Date: Fri, 19 Oct 2018 08:09:28 +0000
+Subject: [PATCH] fix fallthrough in cmdlineparser
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
+
+---
+ src/service/main/CmdlineParser.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/service/main/CmdlineParser.cpp b/src/service/main/CmdlineParser.cpp
+index ca56e39..e07ea52 100644
+--- a/src/service/main/CmdlineParser.cpp
++++ b/src/service/main/CmdlineParser.cpp
+@@ -112,13 +112,16 @@ struct CmdLineOptions handleCmdlineOptions(int argc, char * const *argv) {
+ case ':': // Missing argument
+ ret.m_error = true;
+ ret.m_exit = true;
++ /*@fallthrough@*/
+ switch (optopt) {
+ case CmdlineOpt::Mask:
+ case CmdlineOpt::User:
+ case CmdlineOpt::Group:
+ printMissingArgument(execName, argv[optind - 1]);
+ return ret;
++ /*@fallthrough@*/
+ }
++ /*@fallthrough@*/
+ //intentional fall to Unknown option
+ case '?': // Unknown option
+ default:
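Review bot: Only the last of the three `/*@fallthrough@*/` markers added to `CmdlineParser.cpp` sits where control really falls into the next label. The one before `switch (optopt)` precedes no case label, and the one after `return ret;` follows a statement that never falls through. Dropping those two leaves the single annotation in front of `case '?':`, which is presumably all the compiler's fallthrough warning needs. The new patch file also carries no `Upstream-Status:` line, although other patches in this layer record one (for example `Upstream-Status: Pending` in the removed ext_attr patch). The same applies to the two new security-manager patches further down, `0001-Fix-gcc8-warning-error-Werror-catch-value.patch` and `0001-Avoid-casting-from-const-T-to-void.patch`.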
diff --git a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
index 760a1c5b2..b8dbfac4d 100644
--- a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
+++ b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
@@ -1,9 +1,10 @@
-From b18e66ce7f81c56e3a97ed075cb60d5a43b2e57c Mon Sep 17 00:00:00 2001
+From e2d8414b0d1c6c59baf1bb73e856e93aaabaf955 Mon Sep 17 00:00:00 2001
From: Changhyeok Bae <changhyeok.bae@gmail.com>
Date: Sun, 17 Dec 2017 15:28:28 +0000
-Subject: [PATCH 2/6] gcc-7 requires include <functional> for std::function
+Subject: [PATCH] gcc-7 requires include <functional> for std::function
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
+
---
src/common/types/PolicyBucket.h | 1 +
src/cyad/AdminPolicyParser.h | 1 +
@@ -33,6 +34,3 @@ index 53dde23..f38c194 100644
#include <cyad/CynaraAdminPolicies.h>
---
-2.14.3
-
diff --git a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
index 8c47c3b26..1b105a00c 100644
--- a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
+++ b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
@@ -1,7 +1,7 @@
-From 6ad54c5e732e7cf0a29f29f48fa757e3e56d6860 Mon Sep 17 00:00:00 2001
+From fdcf2a68a4bfec588b1c6c969caa0be20961b807 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Thu, 25 Jan 2018 11:38:16 +0100
-Subject: [PATCH 3/6] Avoid warning when compiling without smack
+Subject: [PATCH] Avoid warning when compiling without smack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -14,6 +14,7 @@ with the following message:
Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+
---
src/admin/CMakeLists.txt | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
@@ -40,6 +41,3 @@ index e4f354a..38b8669 100644
SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin)
---
-2.14.3
-
diff --git a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
index 164542899..f19cdfb50 100644
--- a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
+++ b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
@@ -1,7 +1,7 @@
-From 2bd62bca98a8a8cf194fb2b68aed68d982f58520 Mon Sep 17 00:00:00 2001
+From 233fb8a93343c3c9c04914e1148ef5ab87a808a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Thu, 25 Jan 2018 12:52:39 +0100
-Subject: [PATCH 4/6] Fix mode of sockets
+Subject: [PATCH] Fix mode of sockets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -10,6 +10,7 @@ Setting execution bit on the socket serves nothing.
Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+
---
systemd/cynara-admin.socket | 2 +-
systemd/cynara.socket | 2 +-
@@ -39,6 +40,3 @@ index 9f2a870..fad2745 100644
SmackLabelIPIn=*
SmackLabelIPOut=@
---
-2.14.3
-
diff --git a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
index b4a2d74e8..e954c7f21 100644
--- a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
+++ b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
@@ -1,7 +1,7 @@
-From d919b110a2fbccdce084c651f4d7d7de66f2f869 Mon Sep 17 00:00:00 2001
+From ebde8e9fdba7bc1c8152f7e45c551030a36ece82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Thu, 25 Jan 2018 13:47:37 +0100
-Subject: [PATCH 5/6] Allow to tune sockets
+Subject: [PATCH] Allow to tune sockets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -17,17 +17,26 @@ through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP
Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+
---
- systemd/CMakeLists.txt | 19 +++++++++++++++----
- .../{cynara-admin.socket => cynara-admin.socket.in} | 2 +-
- .../{cynara-agent.socket => cynara-agent.socket.in} | 4 ++--
- ...onitor-get.socket => cynara-monitor-get.socket.in} | 4 ++--
- systemd/{cynara.socket => cynara.socket.in} | 2 +-
- 5 files changed, 21 insertions(+), 10 deletions(-)
- rename systemd/{cynara-admin.socket => cynara-admin.socket.in} (78%)
- rename systemd/{cynara-agent.socket => cynara-agent.socket.in} (66%)
- rename systemd/{cynara-monitor-get.socket => cynara-monitor-get.socket.in} (64%)
- rename systemd/{cynara.socket => cynara.socket.in} (80%)
+ systemd/CMakeLists.txt | 19 +++++++++++++++----
+ systemd/cynara-admin.socket | 14 --------------
+ systemd/cynara-admin.socket.in | 14 ++++++++++++++
+ systemd/cynara-agent.socket | 15 ---------------
+ systemd/cynara-agent.socket.in | 15 +++++++++++++++
+ systemd/cynara-monitor-get.socket | 15 ---------------
+ systemd/cynara-monitor-get.socket.in | 15 +++++++++++++++
+ systemd/cynara.socket | 14 --------------
+ systemd/cynara.socket.in | 14 ++++++++++++++
+ 9 files changed, 73 insertions(+), 62 deletions(-)
+ delete mode 100644 systemd/cynara-admin.socket
+ create mode 100644 systemd/cynara-admin.socket.in
+ delete mode 100644 systemd/cynara-agent.socket
+ create mode 100644 systemd/cynara-agent.socket.in
+ delete mode 100644 systemd/cynara-monitor-get.socket
+ create mode 100644 systemd/cynara-monitor-get.socket.in
+ delete mode 100644 systemd/cynara.socket
+ create mode 100644 systemd/cynara.socket.in
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index 20accf0..1b75c12 100644
@@ -62,66 +71,167 @@ index 20accf0..1b75c12 100644
DESTINATION
${SYSTEMD_UNIT_DIR}
)
-diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket.in
-similarity index 78%
-rename from systemd/cynara-admin.socket
-rename to systemd/cynara-admin.socket.in
-index ed38386..2364c3e 100644
+diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket
+deleted file mode 100644
+index ed38386..0000000
--- a/systemd/cynara-admin.socket
-+++ b/systemd/cynara-admin.socket.in
-@@ -1,5 +1,5 @@
- [Socket]
++++ /dev/null
+@@ -1,14 +0,0 @@
+-[Socket]
-ListenStream=/run/cynara/cynara-admin.socket
+-SocketMode=0600
+-SmackLabelIPIn=@
+-SmackLabelIPOut=@
+-
+-Service=cynara.service
+-
+-[Unit]
+-Wants=cynara.target
+-Before=cynara.target
+-
+-[Install]
+-WantedBy=sockets.target
+diff --git a/systemd/cynara-admin.socket.in b/systemd/cynara-admin.socket.in
+new file mode 100644
+index 0000000..2364c3e
+--- /dev/null
++++ b/systemd/cynara-admin.socket.in
+@@ -0,0 +1,14 @@
++[Socket]
+ListenStream=@SOCKET_DIR@/cynara-admin.socket
- SocketMode=0600
- SmackLabelIPIn=@
- SmackLabelIPOut=@
-diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket.in
-similarity index 66%
-rename from systemd/cynara-agent.socket
-rename to systemd/cynara-agent.socket.in
-index 5a677e0..4f86c9d 100644
++SocketMode=0600
++SmackLabelIPIn=@
++SmackLabelIPOut=@
++
++Service=cynara.service
++
++[Unit]
++Wants=cynara.target
++Before=cynara.target
++
++[Install]
++WantedBy=sockets.target
+diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket
+deleted file mode 100644
+index 5a677e0..0000000
--- a/systemd/cynara-agent.socket
-+++ b/systemd/cynara-agent.socket.in
-@@ -1,6 +1,6 @@
- [Socket]
++++ /dev/null
+@@ -1,15 +0,0 @@
+-[Socket]
-ListenStream=/run/cynara/cynara-agent.socket
-SocketGroup=security_fw
+-SocketMode=0060
+-SmackLabelIPIn=*
+-SmackLabelIPOut=@
+-
+-Service=cynara.service
+-
+-[Unit]
+-Wants=cynara.target
+-Before=cynara.target
+-
+-[Install]
+-WantedBy=sockets.target
+diff --git a/systemd/cynara-agent.socket.in b/systemd/cynara-agent.socket.in
+new file mode 100644
+index 0000000..4f86c9d
+--- /dev/null
++++ b/systemd/cynara-agent.socket.in
+@@ -0,0 +1,15 @@
++[Socket]
+ListenStream=@SOCKET_DIR@/cynara-agent.socket
+SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
- SocketMode=0060
- SmackLabelIPIn=*
- SmackLabelIPOut=@
-diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket.in
-similarity index 64%
-rename from systemd/cynara-monitor-get.socket
-rename to systemd/cynara-monitor-get.socket.in
-index a50feeb..b88dbf7 100644
++SocketMode=0060
++SmackLabelIPIn=*
++SmackLabelIPOut=@
++
++Service=cynara.service
++
++[Unit]
++Wants=cynara.target
++Before=cynara.target
++
++[Install]
++WantedBy=sockets.target
+diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket
+deleted file mode 100644
+index a50feeb..0000000
--- a/systemd/cynara-monitor-get.socket
-+++ b/systemd/cynara-monitor-get.socket.in
-@@ -1,6 +1,6 @@
- [Socket]
++++ /dev/null
+@@ -1,15 +0,0 @@
+-[Socket]
-ListenStream=/run/cynara/cynara-monitor-get.socket
-SocketGroup=security_fw
+-SocketMode=0060
+-SmackLabelIPIn=@
+-SmackLabelIPOut=@
+-
+-Service=cynara.service
+-
+-[Unit]
+-Wants=cynara.target
+-Before=cynara.target
+-
+-[Install]
+-WantedBy=sockets.target
+diff --git a/systemd/cynara-monitor-get.socket.in b/systemd/cynara-monitor-get.socket.in
+new file mode 100644
+index 0000000..b88dbf7
+--- /dev/null
++++ b/systemd/cynara-monitor-get.socket.in
+@@ -0,0 +1,15 @@
++[Socket]
+ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket
+SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
- SocketMode=0060
- SmackLabelIPIn=@
- SmackLabelIPOut=@
-diff --git a/systemd/cynara.socket b/systemd/cynara.socket.in
-similarity index 80%
-rename from systemd/cynara.socket
-rename to systemd/cynara.socket.in
-index fad2745..ba76549 100644
++SocketMode=0060
++SmackLabelIPIn=@
++SmackLabelIPOut=@
++
++Service=cynara.service
++
++[Unit]
++Wants=cynara.target
++Before=cynara.target
++
++[Install]
++WantedBy=sockets.target
+diff --git a/systemd/cynara.socket b/systemd/cynara.socket
+deleted file mode 100644
+index fad2745..0000000
--- a/systemd/cynara.socket
-+++ b/systemd/cynara.socket.in
-@@ -1,5 +1,5 @@
- [Socket]
++++ /dev/null
+@@ -1,14 +0,0 @@
+-[Socket]
-ListenStream=/run/cynara/cynara.socket
+-SocketMode=0666
+-SmackLabelIPIn=*
+-SmackLabelIPOut=@
+-
+-Service=cynara.service
+-
+-[Unit]
+-Wants=cynara.target
+-Before=cynara.target
+-
+-[Install]
+-WantedBy=sockets.target
+diff --git a/systemd/cynara.socket.in b/systemd/cynara.socket.in
+new file mode 100644
+index 0000000..ba76549
+--- /dev/null
++++ b/systemd/cynara.socket.in
+@@ -0,0 +1,14 @@
++[Socket]
+ListenStream=@SOCKET_DIR@/cynara.socket
- SocketMode=0666
- SmackLabelIPIn=*
- SmackLabelIPOut=@
---
-2.14.3
-
++SocketMode=0666
++SmackLabelIPIn=*
++SmackLabelIPOut=@
++
++Service=cynara.service
++
++[Unit]
++Wants=cynara.target
++Before=cynara.target
++
++[Install]
++WantedBy=sockets.target
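Review bot: The refreshed `0005-Allow-to-tune-sockets.patch` no longer records the four socket units as renames, so each one now appears as a full delete plus a full create and the real change is buried in about 60 lines of unchanged unit text. Comparing the two sides by hand, only `ListenStream=` and `SocketGroup=` differ, and the `SocketMode=` values (0600, 0060, 0060, 0666) are the same as before. Regenerating the patch with rename detection (`git format-patch -M`) would bring back the short `rename from`/`rename to` form and make any future permission change on these sockets stand out. The hunk starts in the middle of the `systemd/CMakeLists.txt` section, so the place where `SOCKET_DIR` and `CYNARA_ADMIN_SOCKET_GROUP` get their values is not visible here.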
diff --git a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
index 0cfc785c1..68864f1ed 100644
--- a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
+++ b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
@@ -1,13 +1,14 @@
-From d54e425b0685c9e3e06f5b4efcbd206950d14f3c Mon Sep 17 00:00:00 2001
+From 23f1a7cb34dd4ef88bac5a43057feaf7f50559aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Thu, 25 Jan 2018 14:09:23 +0100
-Subject: [PATCH 6/6] Install socket activation by default
+Subject: [PATCH] Install socket activation by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+
---
packaging/cynara.spec | 5 -----
systemd/CMakeLists.txt | 7 +++++++
@@ -75,6 +76,3 @@ index 0000000..c0e5a5b
@@ -0,0 +1 @@
+../cynara.socket
\ No newline at end of file
---
-2.14.3
-
diff --git a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
index cbf372ad9..c14418923 100644
--- a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
+++ b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
@@ -1,7 +1,7 @@
-From 297774fa4d01156c0327d6e6380a7ecae30bf875 Mon Sep 17 00:00:00 2001
+From 3605e9f8a3ea1252d1cf221398431e0d7a3ea34d Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Mon, 23 Mar 2015 15:01:39 -0700
-Subject: [PATCH 1/2] cynara-db-migration.in: abort on errors
+Subject: [PATCH] cynara-db-migration.in: abort on errors
"set -e" enables error checking for all commands invoked by the script.
Previously, errors were silently ignored.
@@ -9,12 +9,13 @@ Previously, errors were silently ignored.
Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8]
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
---
- migration/cynara-db-migration | 2 ++
+ migration/cynara-db-migration.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in
-index ff9bd61..f6e7f94 100644
+index 7b666d4..0682df6 100644
--- a/migration/cynara-db-migration.in
+++ b/migration/cynara-db-migration.in
@@ -19,6 +19,8 @@
@@ -25,7 +26,4 @@ index ff9bd61..f6e7f94 100644
+
##### Constants (these must not be modified by shell)
- STATE_PATH='@LOCAL_STATE_DIR@/@PROJECT_NAME@'
---
-1.8.4.5
-
+ PATH=/bin:/usr/bin:/sbin:/usr/sbin
diff --git a/meta-security/recipes-security/cynara/cynara_0.14.10.bb b/meta-security/recipes-security/cynara/cynara_0.14.10.bb
index 6c187fced..d2a09c693 100644
--- a/meta-security/recipes-security/cynara/cynara_0.14.10.bb
+++ b/meta-security/recipes-security/cynara/cynara_0.14.10.bb
@@ -15,6 +15,7 @@ SRC_URI += " \
file://0004-Fix-mode-of-sockets.patch \
file://0005-Allow-to-tune-sockets.patch \
file://0006-Install-socket-activation-by-default.patch \
+ file://0001-fix-fallthrough-in-cmdlineparser.patch \
"
DEPENDS = " \
@@ -84,6 +85,12 @@ USERADD_PARAM_${PN} = "\
# ln -s ../cynara-agent.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-agent.socket
#}
+# We want the post-install logic to create and label /var/cynara, so
+# it should not be in the package.
+do_install_append () {
+ rmdir ${D}${localstatedir}/cynara
+}
+
FILES_${PN} += "${systemd_system_unitdir}"
# Cynara itself has no dependency on Smack. Only its installation
@@ -101,18 +108,7 @@ DEPENDS_append_with-lsm-smack = " smack smack-native"
EXTRA_OECMAKE_append_with-lsm-smack = " -DDB_FILES_SMACK_LABEL=System"
CHSMACK_with-lsm-smack = "chsmack"
CHSMACK = "true"
-pkg_postinst_${PN} () {
- # Fail on error.
- set -e
-
- # It would be nice to run the code below while building an image,
- # but currently the calls to cynara-db-chsgen (a binary) in
- # cynara-db-migration (a script) prevent that. Rely instead
- # on OE's support for running failed postinst scripts at first boot.
- if [ x"$D" != "x" ]; then
- exit 1
- fi
-
+pkg_postinst_ontarget_${PN} () {
mkdir -p $D${sysconfdir}/cynara
${CHSMACK} -a System $D${sysconfdir}/cynara
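Review bot: The comment explaining why this scriptlet cannot run at image-build time is deleted together with the `$D` guard. A one-line replacement above `pkg_postinst_ontarget_${PN}`, such as `# cynara-db-migration calls the cynara-db-chsgen binary, so this must run on the target`, would keep the reason next to the code. The explicit `set -e` is removed as well, so whether a failing `${CHSMACK} -a System ...` still aborts the scriptlet now depends on the build system injecting it, which is not visible here. This step applies the Smack label to the policy directories, so that is worth confirming. The function body continues outside the hunk.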
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
deleted file mode 100644
index d7a868d2c..000000000
--- a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-Upstream-Status: Pending
-
-diff --git a/docs/capng_lock.3 b/docs/capng_lock.3
-index 7683119..a070c1e 100644
---- a/docs/capng_lock.3
-+++ b/docs/capng_lock.3
-@@ -8,12 +8,13 @@ int capng_lock(void);
-
- .SH "DESCRIPTION"
-
--capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
-+capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs. This should be called while possessing the CAP_SETPCAP capability in the kernel.
-
-+This function will do the following if permitted by the kernel: If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it. Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. If both fail, it will return an error.
-
- .SH "RETURN VALUE"
-
--This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options.
-+This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options.
-
- .SH "SEE ALSO"
-
-diff --git a/src/cap-ng.c b/src/cap-ng.c
-index bd105ba..422f2bc 100644
---- a/src/cap-ng.c
-+++ b/src/cap-ng.c
-@@ -45,6 +45,7 @@
- * 2.6.24 kernel XATTR_NAME_CAPS
- * 2.6.25 kernel PR_CAPBSET_DROP, CAPABILITY_VERSION_2
- * 2.6.26 kernel PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3
-+ * 3.5 kernel PR_SET_NO_NEW_PRIVS
- */
-
- /* External syscall prototypes */
-@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data);
- #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
- #endif
-
-+/* prctl values that we use */
-+#ifndef PR_SET_SECUREBITS
-+#define PR_SET_SECUREBITS 28
-+#endif
-+#ifndef PR_SET_NO_NEW_PRIVS
-+#define PR_SET_NO_NEW_PRIVS 38
-+#endif
-+
- // States: new, allocated, initted, updated, applied
- typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT,
- CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t;
-@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag)
-
- int capng_lock(void)
- {
--#ifdef PR_SET_SECUREBITS
-- int rc = prctl(PR_SET_SECUREBITS,
-- 1 << SECURE_NOROOT |
-- 1 << SECURE_NOROOT_LOCKED |
-- 1 << SECURE_NO_SETUID_FIXUP |
-- 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
-+ int rc;
-+
-+ // On Linux 3.5 and up, we can directly prevent ourselves and
-+ // our descendents from gaining privileges.
-+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
-+ return 0;
-+
-+ // This kernel is too old or otherwise doesn't support
-+ // PR_SET_NO_NEW_PRIVS. Fall back to using securebits.
-+ rc = prctl(PR_SET_SECUREBITS,
-+ 1 << SECURE_NOROOT |
-+ 1 << SECURE_NOROOT_LOCKED |
-+ 1 << SECURE_NO_SETUID_FIXUP |
-+ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
- if (rc)
- return -1;
--#endif
-
- return 0;
- }
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch
deleted file mode 100644
index d82ceb454..000000000
--- a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-configure.ac - Avoid an incorrect check for python.
-Makefile.am - avoid hard coded host include paths.
-
-Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
-
---- libcap-ng-0.6.5/configure.ac.orig 2012-01-17 13:59:03.645898989 -0600
-+++ libcap-ng-0.6.5/configure.ac 2012-01-17 13:59:46.353959252 -0600
-@@ -120,17 +120,8 @@
- else
- AC_MSG_RESULT(testing)
- AM_PATH_PYTHON
--if test -f /usr/include/python${am_cv_python_version}/Python.h ; then
-- python_found="yes"
-- AC_MSG_NOTICE(Python bindings will be built)
--else
-- python_found="no"
-- if test x$use_python = xyes ; then
-- AC_MSG_ERROR([Python explicitly required and python headers found])
-- else
-- AC_MSG_WARN("Python headers not found - python bindings will not be made")
-- fi
--fi
-+python_found="yes"
-+AC_MSG_NOTICE(Python bindings will be built)
- fi
- AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes")
-
---- libcap-ng-0.6.5/bindings/python/Makefile.am.orig 2010-11-03 12:31:59.000000000 -0500
-+++ libcap-ng-0.6.5/bindings/python/Makefile.am 2012-01-17 14:05:50.199834467 -0600
-@@ -24,7 +24,8 @@
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC
- PYLIBVER ?= python$(PYTHON_VERSION)
--INCLUDES = -I. -I$(top_builddir) -I/usr/include/$(PYLIBVER)
-+PYINC ?= /usr/include/$(PYLIBVER)
-+INCLUDES = -I. -I$(top_builddir) -I$(PYINC)
- LIBS = $(top_builddir)/src/libcap-ng.la
- pyexec_PYTHON = capng.py
- pyexec_LTLIBRARIES = _capng.la
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb b/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
deleted file mode 100644
index e729518e9..000000000
--- a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
+++ /dev/null
@@ -1,39 +0,0 @@
-SUMMARY = "An alternate posix capabilities library"
-DESCRIPTION = "The libcap-ng library is intended to make programming \
-with POSIX capabilities much easier than the traditional libcap library."
-HOMEPAGE = "http://freecode.com/projects/libcap-ng"
-SECTION = "base"
-LICENSE = "GPLv2+ & LGPLv2.1+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
- file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06"
-
-SRC_URI = "http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${PV}.tar.gz \
- file://python.patch \
- file://CVE-2014-3215.patch \
- "
-
-inherit lib_package autotools pythonnative
-
-SRC_URI[md5sum] = "610afb774f80a8032b711281df126283"
-SRC_URI[sha256sum] = "5ca441c8d3a1e4cfe8a8151907977662679457311ccaa7eaac91447c33a35bb1"
-
-DEPENDS += "swig-native python"
-
-EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' PYINC='${STAGING_INCDIR}/${PYLIBVER}'"
-
-PACKAGES += "${PN}-python"
-
-FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
-
-BBCLASSEXTEND = "native"
-
-do_install_append() {
- # Moving libcap-ng to base_libdir
- if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
- mkdir -p ${D}/${base_libdir}/
- mv -f ${D}${libdir}/libcap-ng.so.* ${D}${base_libdir}/
- relpath=${@os.path.relpath("${base_libdir}", "${libdir}")}
- ln -sf ${relpath}/libcap-ng.so.0.0.0 ${D}${libdir}/libcap-ng.so
- fi
-}
diff --git a/meta-security/recipes-security/security-manager/security-manager.inc b/meta-security/recipes-security/security-manager/security-manager.inc
index 810106d75..ddd87a930 100644
--- a/meta-security/recipes-security/security-manager/security-manager.inc
+++ b/meta-security/recipes-security/security-manager/security-manager.inc
@@ -89,10 +89,6 @@ FILES_${PN}-policy = " \
${bindir}/security-manager-policy-reload \
"
RDEPENDS_${PN}-policy += "sqlite3 cynara"
-pkg_postinst_${PN}-policy () {
- if [ x"$D" = "x" ] && ${bindir}/security-manager-policy-reload; then
- exit 0
- else
- exit 1
- fi
+pkg_postinst_ontarget_${PN}-policy () {
+ ${bindir}/security-manager-policy-reload
}
diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch
new file mode 100644
index 000000000..f598fdc82
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch
@@ -0,0 +1,127 @@
+From 14c8842ed8a37fecbc70d46e27b49ae929b0c85f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Fri, 1 Feb 2019 15:37:44 +0100
+Subject: [PATCH] Avoid casting from "const T&" to "void*"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Latest version of g++ refuse the cast
+
+ reinterpret_cast<void (Service::*)(void*)>(serviceFunction)
+
+I made no investigation to know if the problem
+is coming from the const or not.
+
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/server/main/include/service-thread.h | 43 ++++++++++--------------
+ 1 file changed, 18 insertions(+), 25 deletions(-)
+
+diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h
+index 964d168..92b0ec8 100644
+--- a/src/server/main/include/service-thread.h
++++ b/src/server/main/include/service-thread.h
+@@ -9,78 +94,72 @@ public:
+ Join();
+ while (!m_eventQueue.empty()){
+ auto front = m_eventQueue.front();
+- delete front.eventPtr;
++ delete front;
+ m_eventQueue.pop();
+ }
+ }
+
+ template <class T>
+ void Event(const T &event,
+ Service *servicePtr,
+ void (Service::*serviceFunction)(const T &))
+ {
+- EventDescription description;
+- description.serviceFunctionPtr =
+- reinterpret_cast<void (Service::*)(void*)>(serviceFunction);
+- description.servicePtr = servicePtr;
+- description.eventFunctionPtr = &ServiceThread::EventCall<T>;
+- description.eventPtr = new T(event);
++ EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction);
+ {
+ std::lock_guard<std::mutex> lock(m_eventQueueMutex);
+- m_eventQueue.push(description);
++ m_eventQueue.push(ec);
+ }
+ m_waitCondition.notify_one();
+ }
+
+ protected:
+
+- struct EventDescription {
+- void (Service::*serviceFunctionPtr)(void *);
+- Service *servicePtr;
+- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event);
+- GenericEvent* eventPtr;
+- };
+-
+- template <class T>
+- void EventCall(const EventDescription &desc) {
+- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr);
+- const T& eventLocale = *(static_cast<T*>(desc.eventPtr));
+- (desc.servicePtr->*fun)(eventLocale);
+- }
++ struct EventCallerBase {
++ virtual void fire() = 0;
++ virtual ~EventCallerBase() {}
++ };
+
++ template <class T>
++ struct EventCaller : public EventCallerBase {
++ T *event; Service *target; void (Service::*function)(const T&);
++ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {}
++ ~EventCaller() { delete event; }
++ void fire() { (target->*function)(*event); }
++ };
++
+ static void ThreadLoopStatic(ServiceThread *ptr) {
+ ptr->ThreadLoop();
+ }
+
+ void ThreadLoop(){
+ for (;;) {
+- EventDescription description = {NULL, NULL, NULL, NULL};
++ EventCallerBase *ec = NULL;
+ {
+ std::unique_lock<std::mutex> ulock(m_eventQueueMutex);
+ if (m_quit)
+ return;
+ if (!m_eventQueue.empty()) {
+- description = m_eventQueue.front();
++ ec = m_eventQueue.front();
+ m_eventQueue.pop();
+ } else {
+ m_waitCondition.wait(ulock);
+ }
+ }
+
+- if (description.eventPtr != NULL) {
++ if (ec != NULL) {
+ UNHANDLED_EXCEPTION_HANDLER_BEGIN
+ {
+- (this->*description.eventFunctionPtr)(description);
+- delete description.eventPtr;
++ ec->fire();
+ }
+ UNHANDLED_EXCEPTION_HANDLER_END
++ delete ec;
+ }
+ }
+ }
+
+ std::thread m_thread;
+ std::mutex m_eventQueueMutex;
+- std::queue<EventDescription> m_eventQueue;
++ std::queue<EventCallerBase*> m_eventQueue;
+ std::condition_variable m_waitCondition;
+
+ State m_state;
+--
+2.17.2
+
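Review bot: The event queue in the patched `service-thread.h` now owns its entries through raw `EventCallerBase*`, and `delete ec` in `ThreadLoop` sits after `UNHANDLED_EXCEPTION_HANDLER_END`. Whether the event is freed when `fire()` throws therefore depends on what that macro does, which the hunk does not show. Declaring the queue as `std::queue<std::unique_ptr<EventCallerBase>> m_eventQueue;` would make ownership explicit and remove the manual `delete front;` and `delete ec;`. `EventCaller` could likewise store `T event;` by value instead of `new T(e)` with a hand-written destructor. Separately, the embedded hunk header `@@ -9,78 +94,72 @@` pairs old line 9 with new line 94, which suggests the patch was edited by hand and is worth regenerating from a clean tree.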
diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch
new file mode 100644
index 000000000..5a55a3128
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch
@@ -0,0 +1,32 @@
+From 37c63c280eaec8cae3a321d45404d6c03a68c9d9 Mon Sep 17 00:00:00 2001
+From: Stephane Desneux <stephane.desneux@iot.bzh>
+Date: Fri, 1 Feb 2019 12:26:17 +0000
+Subject: [PATCH] Fix gcc8 warning/error [-Werror=catch-value=]
+
+Fixes the following warning/error during compile:
+
+src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=]
+| } catch (Exception) {
+| ^~~~~~~~~
+
+Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
+---
+ src/dpl/core/src/assert.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp
+index 63538a2..fc60ce9 100644
+--- a/src/dpl/core/src/assert.cpp
++++ b/src/dpl/core/src/assert.cpp
+@@ -58,7 +58,7 @@ void AssertProc(const char *condition,
+ INTERNAL_LOG("### Function: " << function);
+ INTERNAL_LOG(
+ "################################################################################");
+- } catch (Exception) {
++ } catch (Exception const&) {
+ // Just ignore possible double errors
+ }
+
+--
+2.11.0
+
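Review bot: The header of this newly carried patch has no `Upstream-Status:` line, so nothing records whether the catch-by-reference fix was ever sent to the security-manager upstream. OpenEmbedded layers conventionally put that tag in the patch header. For a locally patched security component it is what lets a later audit tell a pending fix from a permanent fork. I would add `Upstream-Status: Pending` (or `Submitted [<where>]` if it has been sent) just above the `Signed-off-by:` line. The code change itself, `catch (Exception const&)`, looks correct; the body of `AssertProc` continues outside the nested hunk.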
diff --git a/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-security/recipes-security/security-manager/security-manager_git.bb
index 65134d31a..3cbc3aea8 100644
--- a/meta-security/recipes-security/security-manager/security-manager_git.bb
+++ b/meta-security/recipes-security/security-manager/security-manager_git.bb
@@ -14,6 +14,8 @@ file://c-11-replace-depracated-auto_ptr.patch \
file://socket-manager-removes-tizen-specific-call.patch \
file://Removing-tizen-platform-config.patch \
file://removes-dependency-to-libslp-db-utils.patch \
+file://0001-Fix-gcc8-warning-error-Werror-catch-value.patch \
+file://0001-Avoid-casting-from-const-T-to-void.patch \
"
##########################################
@@ -32,3 +34,5 @@ SRC_URI += "\
file://include-linux-xattr.patch;apply=${APPLY} \
"
+# Use make with cmake and not ninja
+OECMAKE_GENERATOR = "Unix Makefiles"
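Review bot: The comment above the added `OECMAKE_GENERATOR = "Unix Makefiles"` says what is switched but not why ninja cannot be used for this recipe. Without the reason, nobody can tell when the override is safe to drop, and it will outlive the problem it works around. I would expand the comment to something like `# security-manager's CMake files fail with the ninja generator (<observed error>); force make until that is fixed`, filling in the actual failure.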
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend b/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend
new file mode 100644
index 000000000..9c6080fcf
--- /dev/null
+++ b/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend
@@ -0,0 +1,3 @@
+# remove the EXTRA_OECONF from the recipe to
+# avoid an build error in >= YP SUMO
+EXTRA_OECONF = ""
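Review bot: `EXTRA_OECONF = ""` discards every configure argument the base xmlsec1 recipe passes, not just the one behind the build error. For an XML signature and encryption library, those arguments presumably decide which crypto backends and features are built, so the resulting binary can differ from the recipe author's intent without any visible failure. The `%` wildcard also applies this to every xmlsec1 version, although the comment scopes the problem to Sumo and later. I would remove only the offending option, e.g. `EXTRA_OECONF_remove = "<offending-option>"`, and name that option and the error in the comment.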