Age | Commit message (Collapse) | Author | Files | Lines |
|
Ensure that only members of the group and the owner can access
the security manager.
Bug-AGL: SPEC-3146
Change-Id: Ia529be6b4ef425d03be31f0d2e2d623fa6ac091e
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
cynagoauth is a basic OAuth2 server implementing
delivery of tokens based on the Smack label of the
client.
Bug-AGL: SPEC-2550
Bug-AGL: SPEC-2968
Bug-AGL: SPEC-3032
Change-Id: I93aa1864ac68ec51963a25e80150879ea88a5766
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
Includes:
* 23bc103 agent-at: Move field separator from : to ;
* c29761c Improve integration of cynagora
Bug-AGL: SPEC-2968
Change-Id: I83af517b446f0a55de253568b17069b6231d3034
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
This fixes some issues encountered by the current
integration of the security-manager:
- its recipes are spread across too many directories (see SPEC-2092)
- its initialization should be checked (see SPEC-2091)
- the location of the database has to be changed
(see SPEC-1717 that provided a workaround)
All in all, I decided to create that ticket that summarizes
the work that can be quickly achieved to answer all these
issues that are tightly coupled.
Bug-AGL: SPEC-2972
Bug-AGL: SPEC-2092
Bug-AGL: SPEC-2091
Bug-AGL: SPEC-1717
Change-Id: I7af941c25cfa1624d76c2e8f512f6535918912f0
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
Shift from the permission database cynara
to cynagora permission database with a compatibility
library.
The cache size required by dbus-cynara is updated
because that size is now a count of bytes, not a count
of entries.
Bug-AGL: SPEC-2844
Change-Id: I9a81de6e3b8bcb94adc0bb05c63183c2eda3f310
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
- avoid build cycle dependency in yocto zeus
Bug-AGL: SPEC-2932
Change-Id: Icfcc59d873cb75213a50547f5b7d70888dbe41bc
Signed-off-by: Ronan Le Martret <ronan.lemartret@iot.bzh>
|
|
All media mountpoints should have the System::Shared label
to avoid access denials on multimedia items.
Bug-AGL: SPEC-2774
Change-Id: Ib9bb1b26a1950cacd5e1f384cbe19d4a4a6373d9
Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
|
|
Sometimes, at start of the system, dbus-daemon was crashing
because a pending authorisation was reactivating a closed
connection.
Also, clean unused function and improve compatibility with newer gcc.
Bug-AGL: SPEC-2752
Change-Id: I0ad32e93bd0de099a304e37d0c91c56915fb731c
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
Simplifies the way of building dbus-cynara by removing
the specific recipes in favour of a recipe for dbus that
handles the class-target build feature.
It requires removing fake dependencies of cynara.
This is a suggestion of Tom Rini.
Bug-AGL: SPEC-1839
Change-Id: Id7a736eb4b73cdb679fa9dde30e9ad8e56c2894e
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
Migration to yocto/oe/thud implied the shift
to dbus-1.12.10. This fixes some upgrading
concerns.
Bug-AGL: SPEC-1837
Change-Id: Iaa9c1493e2fbc2a014aae1315e4e4a31891178cb
Signed-off-by: Jose Bollo <jose.bollo@iot.bzh>
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
Changes include:
- Add LAYERSERIES_COMPAT definitions to layer.conf files
- Remove now unnecessary SECURITY_*FLAGS over-rides from distro
configuration
- Set intel-corei7-64 preferred kernel version to 4.19 to match
latest linux-intel kernel available in meta-intel
- Update qemuarm preferred kernel version to 4.18 to match latest
linux-yocto
- Update firmware package and devicetree file names for raspberrypi3
- Remove linux-firmware bbappend specific to raspberrypi, it seems no
longer required and breaks the cross SDK build
- Update linux-intel bbappend to 4.19, remove now unnecessary patch
- Remove now unnecessary lttng-modules backport
- Update linux-raspberrypi bbappend to 4.14 kernel
- Added kernel configuration fragment for raspberrypi to disable
Kprobes. This is required until linux-raspberrypi is updated to
greater than 4.14.104 to avoid a build failure in lttng-modules
related to a check for known breakage in the kernel CONFIG_OPTPROBES
code.
- Replace obsolete base_conditional usage with oe.utils.conditional
- Add gstreamer1.0-plugins-bad bbappend for raspberrypi3 to disable
faad PACKAGECONFIG to avoid commercial license issues
- Remove unused and unbuildable Vayu gstreamer recipes
- Update linux-ti-staging bbappend for new BSP kernel
- Regen dcan2_pinmux_enable.patch for linux-ti-staging to remove fuzz
warning, and remove upstreamed fix_dcan_addresses.patch
- Remove ipumm-fw from meta-agl-bsp/meta-ti, as newer version is
available in the upstream BSP
- Update meta-agl-bsp/meta-ti weston patch to apply against 5.0.0
- Update meta-agl-bsp/meta-ti wayland-ivi-extension patch to apply
against 2.2.0
- Add ti-sgx-ddk-km patch to add AGL toolchain configuration file
- Remove now unnecessary fdtoverlay recipe
- Update core.cfg and ivishell.cfg in weston-ini-conf recipe to handle
move of ivi-controller.so configuration in Weston 5.0.0
- Update connman-ncurses patch to remove fuzz warning
- Add installation of systemd over-ride file for run-postinsts.service
in run-postinsts bbappend to workaround race condition between
ldconfig.service and the /sbin/ldconfig invocations in the
post-install scripts run by run-postinsts.service. The observed
failure was cynara's post-install script failing and its database
not being created.
- Remove now unnecessary valgrind backport
- Add patches to fix most driver compilation against newer kernels
- Update libmicrohttpd bbappend
- Remove libssp-dev from agl-image-graphical-qt5-crosssdk and
agl-demo-platform-html5-crosssdk, upstream have removed it from
non-mingw32 platform SDKs
- Update wayland-ivi-extension recipe to build 2.2.0, and update
local patches
- Update weston patches for 5.0.0. Patches:
0016-ivi-shell_add_screen_remove_layer_api.patch
0017-ivi-shell-register-ivi_layout_interface.patch
have been removed as they have been applied upstream and are no longer
necessary. Patches:
0018-compositor-add-output-type-to-weston_output.patch
0019-compositor-drm-introduce-drm_get_dmafd_from_view.patch
(both related to Waltham) have been disabled for now as they need
significant rework.
- Remove weston-conf RRECOMMENDS in weston bbappend to avoid conflict
with weston-ini-conf
- Add OECMAKE_GENERATOR = "Unix Makefiles" to aglwgt.bbclass to work
around CMake+ninja issue in cmake-apps-module
- Update dbus cynara patches for 1.12.10
- Add do_install_append in cynara recipe to remove /var/cynara from
cynara package so the directory creation and labelling in the
post-install scriptlet will function as intended
- Remove now unnecessary e2fsprogs backport
- Remove now unnecessary libcap-ng backport
- Update pulseaudio patches to remove fuzz warnings
- Update neardal patch to remove fuzz warning
- Update freetype patch to remove fuzz warning
- Rename opencv bbappend to 3.% to handle 3.x backports in upstream
- Updated qtwayland patch to remove fuzz warning
Changes from Stephane Desneux <stephane.desneux@iot.bzh>:
- Remove wayland-ivi-extension PREFERRED_VERSION
- Remove now unnecessary nativesdk-cmake patch
- Remove now unnecessary ptest-runner patches
- Remove now unnecessary harfbuzz patches
- Disable waltham-transmitter as it does not build against weston 5.0.0
- Update af-main, cynara, and security-manager to use pkg_postinst_ontarget
- Bump connman-ncurses revision to avoid deprecated ncurses functions
- Update libva package usage with new intel-vaapi-driver name
- Add patches to security-manager to fix compilation with gcc8
- Updated systemd bbappend
Changes from Jan-Simon Möller <jsmoeller@linuxfoundation.org>:
- Remove meta-agl-bsp/ROCKO.FIXMEs
- Remove linux-yocto_4.12.bbappend and now unnecessary associated
patch
- Remove now unneeded kern-tools-native patch
- Bump gstreamer PREFERRED_VERSIONs to 1.14.x
- Remove latencytop from packagegroup-agl-core-devel, it has been
dropped by upstream
- Remove now unnecessary rpm patches
- Update pulseaudio bbappend to 12.2
- Update opencv bbappend to 3.4
- Update freetype bbappend to 2.9.1
- Update dbus bbappend to 1.12.10
- Update weston bbappend to 5.0.0
- Update cynara patches to remove fuzz warnings
- Add patch to cynara to fix compilation with gcc8
- Add xmlsec1 bbappend to clear EXTRA_OECONF to fix compilation on
sumo or newer
Changes from Ronan Le Martet <ronan.lemartet@iot.bzh>:
- Update meta-rcar-gen3-adas layer gstreamer1.0-plugin-vspfilter
bbappend to version 1.0.1
Known issues (marked with FIXME):
- CMake+ninja issue in cmake-apps-module has been worked around with
OECMAKE_GENERATOR
- waltham-transmitter and the patches to weston related to it have been
disabled
- Currently unclear if patch to libcap-native is actually required or
not
Bug-AGL: SPEC-1837
Change-Id: I7b8b9ef667aec2d229952eace6663dfc761654d0
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
|
Reading the file /etc/resolv.conf that is linked to
/run/connman/resolv.conf is not possible for common users.
This change adds the setting of the directory /run/connman
that allows common applications to read that file.
To achieve this goal, this change uses the intended
tuning mechanism of systemd instead of using sed.
This is cleaner. Thus this has been adapted for bluez5 too.
Bug-AGL: SPEC-2006
Change-Id: I3d2a708be2a5c62664bfcf90757e9e5c080d6179
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
Add rules to correctly tag devices with *.
The most general rule is that devices should be
protected using DAC rules (user and group).
Bug-AGL: SPEC-2006
Change-Id: Ie18f79353f8f7645c2b615a359c65ec3a6984958
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
The recipe for systemd that belongs to meta-security
was carrying a lot of history for probably no purpose.
If history is needed, curious people can still refer to
https://github.com/intel/meta-intel-iot-security
Change-Id: I8762da7feb2084de2a97025498eb47ef815c7954
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
This change introduces the new recipe
meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb
The purpose is to split the recipe of systemd in two
parts:
- A part specific to systemd and only systemd
It actually includes Smack patches for systemd
and a renaming of udev-rules.
- A part more oriented on putting the system in
order to run with Smack activated.
At the end, it will probably save many rebuilds as
systemd recipe will evolve less in relation with the
setup of the system.
As an example, the udev rule file "55-udev-smack-default.rules"
that sets up udev rules specific to Smack is no longer brought
by systemd but by smack-system-setup.
Also at the same time, some cleanup and refactoring is
done. Note that the ".bbappend" file for systemd is
now fixed in version and is including a common file
that records the several known versions. No cleanup was
made on the versioned patch for the sake of memory.
The cleanup of the history is to be achieved later...
Bug-AGL: SPEC-2045
Change-Id: Iacf772142a381729dfdbe98d133a3effc4d6cf68
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
It is critical for agl-sota feature
Bug-AGL: SPEC-1717
Change-Id: Ia4060721e3a092d13934d3af575199e67e356e71
Signed-off-by: Anton Gerasimov <anton.gerasimov@here.com>
|
|
This is the last larger commit in this series and deals with the graphical part.
We introduce the graphical profiles:
- meta-agl-profile-graphical
-- meta-agl-profile-graphical-html5
-- meta-agl-profile-graphical-qt5
Notable changes:
- weston-ini-conf moved to the meta-agl-bsp layer. Most BSPs have bbappends, so we need to have the recipes present (but unused) even in the console images.
- new image: agl-image-boot = terminal-only + network + package-manager. Ready for using package-feeds
- new image/sdk: agl-image-minimal-crosssdk
- agl-service-mediaplayer has a dependency on weston, thus it cannot be in the 'core'. Moved it to profile-graphical.
- The wayland-ivi-extension moved to the agl-demo-platform.
- The app-framework layer included and pulled 'web-runtime' as dependency. This broke console-only images. This has been moved to be in meta-agl-demo only for now.
- added and massaged the agl-features.
- found and added a useful script 'oe-depends-dot' that helps to work with the dot files (produced with bitbake -g)
Todo:
- we'll need another pass through the packagegroups. The dependencies for the layers/profiles are now sorted-out but we might have to add/shuffle a few packages.
For further details, see meta-agl/docs/profiles.md.
v2: fix meta-agl/meta-security/conf/layer.conf - the immediate expansion previously used in there caused some recipes not being added to BBFILES.
v3: fix packagegroup renaming (packagegroup-agl-devel -> packagegroup-agl-core-devel)
v4: fix missing packagegroup inclusion (tnx Jose, Scott, Stephane)
v5: fix missing packagegroup inclusion
v6: explicitly put profile-graphical-qt5 on-top of profile-graphical
v7: re-add 'procps' when agl-devel feature is on
Bug-AGL: SPEC-145
Change-Id: I24cdcd1118932758d0c55d333338238f2a770877
Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
|
|
dbus-cynara is a separate package of dbus because it
allows breaking the dependency loop dbus -> cynara -> ... -> dbus
coming from the fact that many many useful things depend
on dbus: documentation generators, test handlers, ...
In other words, dbus-cynara is the same as dbus. As such, it
uses the subpackage dbus-lib (known as libdbus). This has to
be set as a RDEPENDS, otherwise bitbake complains:
QA Issue: dbus-cynara rdepends on dbus-lib, but it isn't a builds
dependency, missing dbus in DEPENDS or PACKAGECONFIG?
Change-Id: I72472dc9e6e8f21d0aabc9a1186f1cb7d8343445
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
|
|
The dependency loop appeared when compiling
with DISTRO_FEATURE ptest.
To avoid it, I restore the logic implemented before in
meta-intel-iot-security. I also remove useless files.
Bug-AGL: SPEC-1334
Change-Id: Ibe8b9359a65fec034df2534c5fceb4769e63aa99
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
The profiles need a clear prioritization of the layers.
Especially the core layers need a high prio in this context.
Apply a prio of 70 to core/essential layers and of 60 to BSP, netboot and smack.
Change-Id: I24a59daadab4c98ffbcb799cc784e84e87ac7d23
Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
|
|
Upstream recipe has fix included.
Change-Id: Ice5b699c9fbd25ec9b1dceb0bdac8f669cec9b0f
Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
|
|
When the feature agl-ptest is selected, it leads to
a compilation error due to an unexpected character
in the file examples/verify3.c.
Bug-AGL: SPEC-1353
Change-Id: Idcda2eed181636a9229b4a666a1ef31eddc6309c
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
This unused content can be divided in two parts:
- setting and feature in bitbake classes
- tests
None are actually used by AGL.
Even if this content can be later included in distribution,
I prefer to remove it now.
Change-Id: I4e6a8ac6326986a5652a7c47614dcaa3db8cabb6
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
The main patches from dbus to make it cynara aware are
cherry-picked on top of the dbus 1.10.20 that is the
upstream version for rocko.
Change-Id: Ib7b07f335543cb56c4c96ef8f55305e61bc69b5c
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
Change-Id: I33caaa8a435e0b36afff43c4199428ae9336d612
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
smack user space library is provided by meta-security
Change-Id: Ifb5e88e5f5a1aab3e695ab91a56d8c55c33fd004
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
Adds the recipes of the sub layers
- meta-security-framework
- meta-security-smack
Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|