path: root/meta-security
Age | Commit message | Author | Files | Lines
2020-02-15 | security-manager: Restrict socket accesses | José Bollo | 2 | -0/+35
    Ensure that only members of the group and the owner can access the security manager.
    Bug-AGL: SPEC-3146
    Change-Id: Ia529be6b4ef425d03be31f0d2e2d623fa6ac091e
    Signed-off-by: José Bollo <>
2019-12-19 | cynagoauth: Add a basic OAuth server | José Bollo | 1 | -0/+23
    cynagoauth is a basic OAuth2 server implementing delivery of tokens based on the Smack label of the client.
    Bug-AGL: SPEC-2550
    Bug-AGL: SPEC-2968
    Bug-AGL: SPEC-3032
    Change-Id: I93aa1864ac68ec51963a25e80150879ea88a5766
    Signed-off-by: José Bollo <>
2019-12-19 | cynagora: Bump version | José Bollo | 1 | -2/+2
    Includes:
    * 23bc103 agent-at: Move field separator from : to ;
    * c29761c Improve integration of cynagora
    Bug-AGL: SPEC-2968
    Change-Id: I83af517b446f0a55de253568b17069b6231d3034
    Signed-off-by: José Bollo <>
2019-12-03 | security-manager: Improve integration | José Bollo | 18 | -208/+396
    This fixes some issues encountered by the current integration of the security-manager:
    - its recipes are spread in too many directories (see SPEC-2092)
    - its initialization should be checked (see SPEC-2091)
    - the location of the database has to be changed (see SPEC-1717 that provided a workaround)
    All in one, I decided to create that ticket that summarizes the work that can be quickly achieved to answer all these issues that are tightly coupled.
    Bug-AGL: SPEC-2972
    Bug-AGL: SPEC-2092
    Bug-AGL: SPEC-2091
    Bug-AGL: SPEC-1717
    Change-Id: I7af941c25cfa1624d76c2e8f512f6535918912f0
    Signed-off-by: José Bollo <>
2019-11-07 | Cynagora: Replace cynara with cynagora | José Bollo | 15 | -720/+74
    Shift from the permission database cynara to cynagora permission database with a compatibility library. The cache size required by dbus-cynara is updated because that size is now a count of bytes, not a count of entries.
    Bug-AGL: SPEC-2844
    Change-Id: I9a81de6e3b8bcb94adc0bb05c63183c2eda3f310
    Signed-off-by: José Bollo <>
2019-10-31 | Restrict smack dependency on coreutil to runtime | Ronan Le Martret | 1 | -4/+4
    - avoid build cycle dependency in yocto zeus
    Bug-AGL: SPEC-2932
    Change-Id: Icfcc59d873cb75213a50547f5b7d70888dbe41bc
    Signed-off-by: Ronan Le Martret <>
2019-09-16 | base-files: add /media to System::Shared SMACK label | Matt Ranostay | 1 | -0/+6
    All media mountpoints should have the System::Shared label to avoid access denials on multimedia items.
    Bug-AGL: SPEC-2774
    Change-Id: Ib9bb1b26a1950cacd5e1f384cbe19d4a4a6373d9
    Signed-off-by: Matt Ranostay <>
2019-08-16 | dbus-cynara: Fix SIGSEGV on disconnections | José Bollo | 2 | -0/+111
    Sometimes, at start of the system, dbus-daemon was crashing because a pending authorisation was reactivating a closed connection. Also, clean unused function and improve compatibility to newer gcc.
    Bug-AGL: SPEC-2752
    Change-Id: I0ad32e93bd0de099a304e37d0c91c56915fb731c
    Signed-off-by: José Bollo <>
2019-08-16 | dbus-cynara: Simplifies build recipe | José Bollo | 4 | -81/+13
    Simplifies the way of building dbus-cynara by removing the specific recipes in favour of a recipe for dbus that handles the class-target build feature. It requires to remove fake dependencies of cynara. This is a suggestion of Tom Rini.
    Bug-AGL: SPEC-1839
    Change-Id: Id7a736eb4b73cdb679fa9dde30e9ad8e56c2894e
    Signed-off-by: José Bollo <>
2019-06-19 | dbus-cynara: Fix upgrading to dbus-1.12.10 | Jose Bollo | 7 | -143/+549
    Migration to yocto/oe/thud implied the shift to dbus-1.12.10. This fixes some upgrading concern.
    Bug-AGL: SPEC-1837
    Change-Id: Iaa9c1493e2fbc2a014aae1315e4e4a31891178cb
    Signed-off-by: Jose Bollo <>
    Signed-off-by: José Bollo <>
2019-04-04 | Upgrade to thud | Scott Murray | 36 | -1299/+814
    Changes include:
    - Add LAYERSERIES_COMPAT definitions to layer.conf files
    - Remove now unnecessary SECURITY_*FLAGS over-rides from distro configuration
    - Set intel-corei7-64 preferred kernel version to 4.19 to match latest linux-intel kernel available in meta-intel
    - Update qemuarm preferred kernel version to 4.18 to match latest linux-yocto
    - Update firmware package and devicetree file names for raspberrypi3
    - Remove linux-firmware bbappend specific to raspberrypi, it seems no longer required and breaks the cross SDK build
    - Update linux-intel bbappend to 4.19, remove now unnecessary patch
    - Remove now unnecessary lttng-modules backport
    - Update linux-raspberrypi bbappend to 4.14 kernel
    - Added kernel configuration fragment for raspberrypi to disable Kprobes. This is required until linux-raspberrypi is updated to greater than 4.14.104 to avoid a build failure in lttng-modules related to a check for known breakage in the kernel CONFIG_OPTPROBES code.
    - Replace obsolete base_conditional usage with oe.utils.conditional
    - Add gstreamer1.0-plugins-bad bbappend for raspberrypi3 to disable faad PACKAGECONFIG to avoid commercial license issues
    - Remove unused and unbuildable Vayu gstreamer recipes
    - Update linux-ti-staging bbappend for new BSP kernel
    - Regen dcan2_pinmux_enable.patch for linux-ti-staging to remove fuzz warning, and remove upstreamed fix_dcan_addresses.patch
    - Remove ipumm-fw from meta-agl-bsp/meta-ti, as newer version is available in the upstream BSP
    - Update meta-agl-bsp/meta-ti weston patch to apply against 5.0.0
    - Update meta-agl-bsp/meta-ti wayland-ivi-extension patch to apply against 2.2.0
    - Add ti-sgx-ddk-km patch to add AGL toolchain configuration file
    - Remove now unnecessary fdtoverlay recipe
    - Update core.cfg and ivishell.cfg in weston-ini-conf recipe to handle move of configuration in Weston 5.0.0
    - Update connman-ncurses patch to remove fuzz warning
    - Add installation of systemd over-ride file for run-postinsts.service in run-postinsts bbappend to workaround race condition between ldconfig.service and the /sbin/ldconfig invocations in the post-install scripts run by run-postinsts.service. The observed failure was cynara's post-install script failing and its database not being created.
    - Remove now unnecessary valgrind backport
    - Add patches to fix most driver compilation against newer kernels
    - Update libmicrohttpd bbappend
    - Remove libssp-dev from agl-image-graphical-qt5-crosssdk and agl-demo-platform-html5-crosssdk, upstream have removed it from non-mingw32 platform SDKs
    - Update wayland-ivi-extension recipe to build 2.2.0, and update local patches
    - Update weston patches for 5.0.0.
      Patches:
        0016-ivi-shell_add_screen_remove_layer_api.patch
        0017-ivi-shell-register-ivi_layout_interface.patch
      have been removed as they have been applied upstream and are no longer necessary.
      Patches:
        0018-compositor-add-output-type-to-weston_output.patch
        0019-compositor-drm-introduce-drm_get_dmafd_from_view.patch
      (both related to Waltham) have been disabled for now as they need significant rework.
    - Remove weston-conf RRECOMMENDS in weston bbappend to avoid conflict with weston-ini-conf
    - Add OECMAKE_GENERATOR = "Unix Makefiles" to aglwgt.bbclass to work around CMake+ninja issue in cmake-apps-module
    - Update dbus cynara patches for 1.12.10
    - Add do_install_append in cynara recipe to remove /var/cynara from cynara package so the directory creation and labelling in the post-install scriptlet will function as intended
    - Remove now unnecessary e2fsprogs backport
    - Remove now unnecessary libcap-ng backport
    - Update pulseaudio patches to remove fuzz warnings
    - Update neardal patch to remove fuzz warning
    - Update freetype patch to remove fuzz warning
    - Rename opencv bbappend to 3.% to handle 3.x backports in upstream
    - Updated qtwayland patch to remove fuzz warning
    Changes from Stephane Desneux <>:
    - Remove wayland-ivi-extension PREFERRED_VERSION
    - Remove now unnecessary nativesdk-cmake patch
    - Remove now unnecessary ptest-runner patches
    - Remove now unnecessary harfbuzz patches
    - Disable waltham-transmitter as it does not build against weston 5.0.0
    - Update af-main, cynara, and security-manager to use pkg_postinst_ontarget
    - Bump connman-ncurses revision to avoid deprecated ncurses functions
    - Update libva package usage with new intel-vaapi-driver name
    - Add patches to security-manager to fix compilation with gcc8
    - Updated systemd bbappend
    Changes from Jan-Simon Möller <>:
    - Remove meta-agl-bsp/ROCKO.FIXMEs
    - Remove linux-yocto_4.12.bbappend and now unnecessary associated patch
    - Remove now unneeded kern-tools-native patch
    - Bump gstreamer PREFERRED_VERSIONs to 1.14.x
    - Remove latencytop from packagegroup-agl-core-devel, it has been dropped by upstream
    - Remove now unnecessary rpm patches
    - Update pulseaudio bbappend to 12.2
    - Update opencv bbappend to 3.4
    - Update freetype bbappend to 2.9.1
    - Update dbus bbappend to 1.12.10
    - Update weston bbappend to 5.0.0
    - Update cynara patches to remove fuzz warnings
    - Add patch to cynara to fix compilation with gcc8
    - Add xmlsec1 bbappend to clear EXTRA_OECONF to fix compilation on sumo or newer
    Changes from Ronan Le Martet <>:
    - Update meta-rcar-gen3-adas layer gstreamer1.0-plugin-vspfilter bbappend to version 1.0.1
    Known issues (marked with FIXME):
    - CMake+ninja issue in cmake-apps-module has been worked around with OECMAKE_GENERATOR
    - waltham-transmitter and the patches to weston related to it have been disabled
    - Currently unclear if patch to libcap-native is actually required or not
    Bug-AGL: SPEC-1837
    Change-Id: I7b8b9ef667aec2d229952eace6663dfc761654d0
    Signed-off-by: Scott Murray <>
2018-12-18 | connman+bluez5: Update rights for smack systems | José Bollo | 4 | -18/+26
    Reading the file /etc/resolv.conf that is linked to /run/connman/resolv.conf is not possible for common users. This change adds the setting of the directory /run/connman that allows common applications to read that file. To achieve this goal, this change uses the intended tuning mechanism of systemd instead of using sed. This is cleaner. Thus this has been adapted for bluez5 too.
    Bug-AGL: SPEC-2006
    Change-Id: I3d2a708be2a5c62664bfcf90757e9e5c080d6179
    Signed-off-by: José Bollo <>
2018-12-18 | smack-system-setup: Update udev rules | José Bollo | 1 | -0/+4
    Add rules to correctly tag devices with *. The most general rule is that devices should be protected using DAC rules (user and group).
    Bug-AGL: SPEC-2006
    Change-Id: Ie18f79353f8f7645c2b615a359c65ec3a6984958
    Signed-off-by: José Bollo <>
2018-12-14 | systemd: Cleanup of recipe of meta-security | José Bollo | 12 | -1012/+9
    The recipe for systemd that belongs to meta-security was carrying a lot of history for probably no purpose. If history is needed, curious people can still refer to
    Change-Id: I8762da7feb2084de2a97025498eb47ef815c7954
    Signed-off-by: José Bollo <>
2018-12-14 | systemd: Refactor build using smack-system-setup | José Bollo | 8 | -69/+144
    This change introduces the new recipe meta-security/recipes-core/smack-system-setup/
    The purpose is to split the recipe of systemd in two parts:
    - A part specific to systemd and only systemd. It actually includes Smack patches for systemd and a renaming of udev-rules.
    - A part more oriented on putting the system in order to run with Smack activated.
    At the end, it will probably save many rebuilds as systemd recipe will evolve less in relation with the setup of the system.
    As example, the udev rule file "55-udev-smack-default.rules" that setup udev rules specific to smack is no more brought by systemd but by smack-system-setup.
    Also at the same time, some cleanup and refactoring is done.
    Note that the ".bbappend" file for systemd is now fixed in version and is including a common file that records the several known versions. No cleanup was made on the versioned patch for the sake of memory. The cleanup of the history is to be achieved later...
    Bug-AGL: SPEC-2045
    Change-Id: Iacf772142a381729dfdbe98d133a3effc4d6cf68
    Signed-off-by: José Bollo <>
2018-09-28 | Move security manager database under /var/local | Anton Gerasimov | 1 | -1/+1
    It is critical for agl-sota feature
    Bug-AGL: SPEC-1717
    Change-Id: Ia4060721e3a092d13934d3af575199e67e356e71
    Signed-off-by: Anton Gerasimov <>
2018-05-31 | 3rd part of the layer/profile rework [1/2] | Jan-Simon Möller | 1 | -3/+3
    This is the last larger commit in this series and deals with the graphical part.
    We introduce the graphical profiles:
    - meta-agl-profile-graphical
    -- meta-agl-profile-graphical-html5
    -- meta-agl-profile-graphical-qt5
    Notable changes:
    - weston-ini-conf moved to the meta-agl-bsp layer. Most BSPs have bbappends, so we need to have the recipes present (but unused) even in the console images.
    - new image: agl-image-boot = terminal-only + network + package-manager. Ready for using package-feeds
    - new image/sdk: agl-image-minimal-crosssdk
    - agl-service-mediaplayer has a dependency on weston, thus it cannot be in the 'core'. Moved it to profile-graphical.
    - The wayland-ivi-extension moved to the agl-demo-platform.
    - The app-framework layer included and pulled 'web-runtime' as dependency. This broke console-only images. This has been moved to be in meta-agl-demo only for now.
    - added and massaged the agl-features.
    - found and added a useful script 'oe-depends-dot' that helps to work with the dot files (produced with bitbake -g)
    Todo:
    - we'll need another pass through the packagegroups. The dependencies for the layers/profiles are now sorted-out but we might have to add/shuffle a few packages.
    For further details, see meta-agl/docs/
    v2: fix meta-agl/meta-security/conf/layer.conf - the immediate expansion previously used in there caused some recipes not being added to BBFILES.
    v3: fix packagegroup renaming (packagegroup-agl-devel -> packagegroup-agl-core-devel)
    v4: fix missing packagegroup inclusion (tnx Jose, Scott, Stephane)
    v5: fix missing packagegroup inclusion
    v6: explicitly put profile-graphical-qt5 on-top of profile-graphical
    v7: re-add 'procps' when agl-devel feature is on
    Bug-AGL: SPEC-145
    Change-Id: I24cdcd1118932758d0c55d333338238f2a770877
    Signed-off-by: Jan-Simon Möller <>
2018-04-06 | dbus-cynara: Fix a missing RDEPENDS | José Bollo | 1 | -0/+2
    dbus-cynara is a separate package of dbus because it allows to break the dependency loop dbus -> cynara -> ... -> dbus coming from the fact that many many useful things depend on dbus: documentation generators, test handlers, ...
    In other words, dbus-cynara is the same as dbus. As such, it uses the subpackage dbus-lib (known as libdbus). This has to be set as a RDEPENDS, otherwise bitbake complains:
    QA Issue: dbus-cynara rdepends on dbus-lib, but it isn't a builds dependency, missing dbus in DEPENDS or PACKAGECONFIG?
    Change-Id: I72472dc9e6e8f21d0aabc9a1186f1cb7d8343445
    Signed-off-by: José Bollo <>
2018-04-05 | Merge "dbus-cynara: Avoid dependency loop" | Jan-Simon Moeller | 17 | -6279/+75
2018-04-04 | dbus-cynara: Avoid dependency loop | José Bollo | 17 | -6279/+75
    The dependency loop appeared when compiling with DISTRO_FEATURE ptest. To avoid it, I restore the logic implemented before in meta-intel-iot-security. I also remove unless files.
    Bug-AGL: SPEC-1334
    Change-Id: Ibe8b9359a65fec034df2534c5fceb4769e63aa99
    Signed-off-by: José Bollo <>
2018-04-04 | Adapt repository priorities in preparation of the profiles | Jan-Simon Möller | 1 | -1/+1
    The profiles need a clear prioritization of the layers. Especially the core layers need a high prio in this context. Apply a prio of 70 to core/essential layers and of 60 to BSP, netboot and smack.
    Change-Id: I24a59daadab4c98ffbcb799cc784e84e87ac7d23
    Signed-off-by: Jan-Simon Möller <>
2018-04-01 | Remove upstreamed patch for typo in verify3 | Jan-Simon Möller | 2 | -14/+0
    Upstream recipe has fix included.
    Change-Id: Ice5b699c9fbd25ec9b1dceb0bdac8f669cec9b0f
    Signed-off-by: Jan-Simon Möller <>
2018-03-27 | xmlsec1: Fix compilation issue in examples | José Bollo | 2 | -0/+14
    When the feature agl-ptest is selected, it leads to a compilation error due to an unexpected character in the file examples/verify3.c.
    Bug-AGL: SPEC-1353
    Change-Id: Idcda2eed181636a9229b4a666a1ef31eddc6309c
    Signed-off-by: José Bollo <>
2018-02-13 | meta-security: Remove unused content | José Bollo | 24 | -1953/+0
    This unused content can be divided in two parts:
    - setting and feature in bitbake classes
    - tests
    None are actually used by AGL. Even if this content can be later included in distribution, I prefer to remove it now.
    Change-Id: I4e6a8ac6326986a5652a7c47614dcaa3db8cabb6
    Signed-off-by: José Bollo <>
2018-02-13 | dbus-cynara: Upgrade to 1.10.20 | José Bollo | 18 | -255/+5794
    The main patches from dbus to make it cynara aware are cherry-picked on top of the dbus 1.10.20 that is the upstream version for rocko.
    Change-Id: Ib7b07f335543cb56c4c96ef8f55305e61bc69b5c
    Signed-off-by: José Bollo <>
2018-02-13 | cynara: upgrade to 0.14.10 | José Bollo | 10 | -225/+462
    Change-Id: I33caaa8a435e0b36afff43c4199428ae9336d612
    Signed-off-by: José Bollo <>
2018-02-13 | Remove smack recipe | José Bollo | 5 | -33/+6
    smack user space library is provided by meta-security
    Change-Id: Ifb5e88e5f5a1aab3e695ab91a56d8c55c33fd004
    Signed-off-by: José Bollo <>
2018-02-13 | Integrate parts of meta-intel-iot-security | José Bollo | 112 | -0/+15442
    Adds the recipes of the sub layers
    - meta-security-framework
    - meta-security-smack
    Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643
    Signed-off-by: José Bollo <>