summaryrefslogtreecommitdiffstats
path: root/meta-app-framework/recipes-core/security-manager
AgeCommit message (Collapse)AuthorFilesLines
2020-12-17SPEC-3723: restructure meta-aglJan-Simon Moeller2-57/+0
Goal is to reach a minimal meta-agl-core as base for IVI and IC work at the same time. Trim dependencies and move most 'demo' related recipes to meta-agl-demo. v2: changed to bbapend + .inc , added description v3: testbuild of all images v4: restore -test packagegroup and -qa images, compare manifests and adapt packagegroups. v5: rebased v6: merged meta-agl-distro into meta-agl-core, due to dependency on meta-oe, moved -test packagegroup and -qa images to own layer meta-agl-core-test v7: Fixed comments from Paul Barker v8: Update the markdown files v9: restore wayland/weston/agl-compositor recipes/appends, reworked to move app f/w specific changes to bbappends in meta-app-framework and only demo specific weston-init changes to meta-agl-demo v10: fix s/agldemo/aglcore/ missed in weston-init.bbappend Description: This patch is part 1 out of 2 large patches that implement the layer rework discussed during the previous workshop. Essentially meta-agl-core is the small but versatile new core layer of AGL serving as basis for the work done by the IC and IVI EGs. All demo related work is moved to meta-agl-demo in the 2nd patchset. This should be applied together as atomic change. The resulting meta-agl/* follows these guidelines: - only bsp adaptations in meta-agl-bsp - remove the agl-profile-* layers for simplicity -- the packagegroup-agl(-profile)-graphical and so on have been kept in meta-agl-demo - meta-agl-profile-core is now meta-agl-core - meta-agl-core does pass yocto-check-layer -- therefore use the bbappend + conditional + .inc file construct found in meta-virtualization - meta-agl/meta-security has been merged into meta-agl/meta-app-framework - meta-netboot does pass yocto-check-layer - meta-pipewire does pass yocto-check-layer Migration: All packagegroups are preserved but they're now enabled by 'agl-demo'. Bug-AGL: SPEC-3723 Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: Ia6c6e5e6ce2b4ffa69ea94959cdc57c310ba7c53 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/25769
2019-12-03security-manager: Improve integrationJosé Bollo7-367/+3
This fixes some issues encountered by the current integration of the security-manager: - its recipes is spread in too much directories (see SPEC-2092) - its initialization should be checked (see SPEC-2091) - the location of the database has to be changed (see SPEC-1717 that provided a workaround) All in one, I decided to create that ticket that summarize the work that can be quickly achieved to answer all this issues that are tightly coupled. Bug-AGL: SPEC-2972 Bug-AGL: SPEC-2092 Bug-AGL: SPEC-2091 Bug-AGL: SPEC-1717 Change-Id: I7af941c25cfa1624d76c2e8f512f6535918912f0 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2018-09-28Move security manager database under /var/localAnton Gerasimov2-5/+5
It is critical for agl-sota feature Bug-AGL: SPEC-1717 Change-Id: Ia4060721e3a092d13934d3af575199e67e356e71 Signed-off-by: Anton Gerasimov <anton.gerasimov@here.com>
2018-02-13Remove smack recipeJosé Bollo1-1/+1
smack user space library is provided by meta-security Change-Id: Ifb5e88e5f5a1aab3e695ab91a56d8c55c33fd004 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2018-02-13Rename smack OVERRIDE to with-lsm-smackJosé Bollo1-1/+1
Using the OVERRIDE "smack" came with the use of the layer meta-intel-iot-security. When switching to meta-security, it conflicts with the package name 'smack' that provide the smack user library. Yocto was reporting the following error: ERROR: .../meta-security/recipes-security/smack/smack_1.3.0.bb: QA Issue: Recipe .../meta-security/recipes-security/smack/smack_1.3.0.bb has PN of "smack" which is in OVERRIDES, this can result in unexpected behaviour. [pn-overrides] Change-Id: Id71b283bf1ce5682bd94bf96595eb32506acb1d5 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
2018-02-13security-manager: Fix build error that causes gcc v7.0Changhyeok Bae2-0/+52
gcc v7 requires include <functional> for std::function. Bug-AGL: SPEC-1181 Change-Id: Id5deb6f5ea5c2c82ae4a26889f209e1d7619000e Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
2017-09-15Fix post install script dependencyRonan Le Martret1-0/+2
* Since yocto pyro we need to declare PACKAGE_WRITE_DEPS, dependency for post install script http://www.yoctoproject.org/docs/2.3/mega-manual/mega-manual.html#var-PACKAGE_WRITE_DEPS * we alsa need to explicit exit 1 if post script failed Bug-AGL: SPEC-646 Bug-AGL: SPEC-825 Change-Id: Ic15f8af884895fecacceb9886de5bebe591a2be0 Signed-off-by: Ronan Le Martret <ronan.lemartret@iot.bzh> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/10883 Reviewed-by: Stéphane Desneux <stephane.desneux@iot.bzh> Reviewed-by: Thomas Rini <trini@konsulko.com> Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Tested-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2017-05-25Security-manager: update of global user nameJosé Bollo1-1/+1
The global user name is 'afm' AGL-Bug: SPEC-617 Change-Id: I8b129afb333fdf0e90fde5e364ce6b56ceb5d712 Signed-off-by: José Bollo <jose.bollo@iot.bzh> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/9503 Reviewed-by: Scott Murray <scott.murray@konsulko.com> Tested-by: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org> ci-image-build: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org> Reviewed-by: Matt Porter <mporter@konsulko.com> Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2017-03-27Removes systemd warningsJosé Bollo1-1/+1
Systemd was complaining that the service files were executable. This patch removes that issue. Change-Id: I77183bb142956fec84b3ca727f7084e8f652c292 Signed-off-by: José Bollo <jose.bollo@iot.bzh> Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
2017-03-27fix for gcc6 buildRonan3-1/+82
Change-Id: Iea4f0ba83e1d93ea2e7cc5950dced714b65dd251 Signed-off-by: Ronan <ronan.lemartret@iot.bzh> Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
2017-03-27Don't override SYSTEMD_SERVICE of original recipe.Anton Gerasimov1-3/+6
Latest change for compatibility with OSTree introduced this bug, fix. Change-Id: Ib9c7fe624fbbd722abe07ca08ff56f4334dbf13e Signed-off-by: Anton Gerasimov <anton@advancedtelematic.com> Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
2017-03-27Move all writable data used by security-manager and appfw to /varAnton Gerasimov4-1/+230
The purpose of these changes is to make OSTree and AppFw update domains compatible with each other. Some intergation code is also needed to deploy initial data to writable area (see SPEC-359 in Jira). Bug-AGL: SPEC-359 Change-Id: Iccba1e9916c569167df2922ad5e2d90cc33f06fe Signed-off-by: Anton Gerasimov <anton@advancedtelematic.com> Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
2017-03-27FWK: Adaptations for jethroJosé Bollo2-0/+54
Since introduction of ambient capabilities, systemd deprecated the use of Capabilities. With systemd 229 activated with krogoth, the use of Capabilities does nothing. This commits avoids to use SecureBits and Capabilities. It now relies on the fact that post installations are setting the capabilities to the file: - setcap cap_mac_override,cap_dac_override=ep afm-system-daemon - setcap cap_mac_override,cap_mac_admin,cap_setgid=ep afm-user-daemon Using p (permitted) instead of i (inherited) that was previously used. It also includes evolutions of the security model to be synchronized with the deletion of 'User'. The recommended version to use now is the commit 20bbb97f6d5400b126ae96ef446c3e60c7e16285. Change-Id: Id24ce7c7651e2fdf8d66b6e8286268e7d88508a0 Signed-off-by: José Bollo <jose.bollo@iot.bzh> Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>