From a13d8ad3225f316fc7d7edaf2805b6cf2e3b5dd1 Mon Sep 17 00:00:00 2001 From: José Bollo Date: Tue, 26 Nov 2019 15:21:18 +0100 Subject: security-manager: Improve integration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes some issues encountered with the current integration of the security-manager: - its recipes are spread across too many directories (see SPEC-2092) - its initialization should be checked (see SPEC-2091) - the location of the database has to be changed (see SPEC-1717, which provided a workaround) All in all, I decided to create a ticket that summarizes the work that can be quickly achieved to address all these issues, which are tightly coupled. Bug-AGL: SPEC-2972 Bug-AGL: SPEC-2092 Bug-AGL: SPEC-2091 Bug-AGL: SPEC-1717 Change-Id: I7af941c25cfa1624d76c2e8f512f6535918912f0 
Signed-off-by: José Bollo --- .../0001-Fix-Cmake-conf-for-gcc6-build.patch | 40 ---- .../security-manager/0001-Fix-gcc6-build.patch | 38 --- ...uires-include-functional-for-std-function.patch | 51 ---- .../Removing-tizen-platform-config.patch | 196 ---------------- .../init-security-manager-db.service | 15 -- .../security-manager/init-security-manager-db.sh | 6 - .../security-manager/security-manager_%.bbappend | 24 +- .../security-manager/security-manager_git.bbappend | 2 - .../security-manager/security-manager.inc | 53 ++--- .../0001-Avoid-casting-from-const-T-to-void.patch | 127 ---------- ...Fix-gcc8-warning-error-Werror-catch-value.patch | 32 --- ...0001-Smack-rules-create-two-new-functions.patch | 116 --------- .../0001-systemd-stop-using-compat-libs.patch | 47 ++++ ...all-implement-multiple-set-of-smack-rules.patch | 34 --- ...nager-policy-reload-do-not-depend-on-GNU-.patch | 36 +++ ...0003-Smack-rules-create-two-new-functions.patch | 117 ++++++++++ ...all-implement-multiple-set-of-smack-rules.patch | 34 +++ .../0005-c-11-replace-deprecated-auto_ptr.patch | 32 +++ ...ocket-manager-removes-tizen-specific-call.patch | 47 ++++ ...007-removes-dependency-to-libslp-db-utils.patch | 78 +++++++ .../security-manager/0008-Fix-gcc6-build.patch | 38 +++ .../0009-Fix-Cmake-conf-for-gcc6-build.patch | 40 ++++ ...uires-include-functional-for-std-function.patch | 51 ++++ ...Fix-gcc8-warning-error-Werror-catch-value.patch | 32 +++ .../0012-Avoid-casting-from-const-T-to-void.patch | 122 ++++++++++ .../0013-Removing-tizen-platform-config.patch | 259 +++++++++++++++++++++ ...e-post-install-initialization-of-database.patch | 78 +++++++ .../Removing-tizen-platform-config.patch | 196 ---------------- .../c-11-replace-depracated-auto_ptr.patch | 32 --- .../security-manager/include-linux-xattr.patch | 24 -- .../libcap-without-pkgconfig.patch | 32 --- .../removes-dependency-to-libslp-db-utils.patch | 78 ------- ...nager-policy-reload-do-not-depend-on-GNU-.patch | 35 --- 
...ocket-manager-removes-tizen-specific-call.patch | 47 ---- .../systemd-stop-using-compat-libs.patch | 47 ---- .../security-manager/security-manager_git.bb | 40 ++-- 36 files changed, 1049 insertions(+), 1227 deletions(-) delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh delete mode 100644 meta-app-framework/recipes-security/security-manager/security-manager_git.bbappend delete mode 100644 meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch delete mode 100644 meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch delete mode 100644 meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch delete mode 100644 meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch create mode 100644 
meta-security/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch delete mode 100644 meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch delete mode 100644 meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch delete mode 100644 meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch delete mode 100644 
meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch delete mode 100644 meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch delete mode 100644 meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch delete mode 100644 meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch delete mode 100644 meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch deleted file mode 100644 index 43a3ee103..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 19c99315a5dcba3b696c30d1fdd42a1dcd574a80 Mon Sep 17 00:00:00 2001 -From: Ronan -Date: Thu, 13 Oct 2016 11:37:47 +0200 -Subject: [PATCH] Fix Cmake conf for gcc6 build - -Signed-off-by: Ronan ---- - src/cmd/CMakeLists.txt | 4 +--- - src/server/CMakeLists.txt | 1 - - 2 files changed, 1 insertion(+), 4 deletions(-) - -diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt -index ee9a160..aa7a12c 100644 ---- a/src/cmd/CMakeLists.txt -+++ b/src/cmd/CMakeLists.txt -@@ -1,8 +1,6 @@ - FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options) - --INCLUDE_DIRECTORIES(SYSTEM -- ${Boost_INCLUDE_DIRS} -- ) -+ - - INCLUDE_DIRECTORIES( - ${INCLUDE_PATH} -diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt -index 753eb96..8eef25d 100644 ---- a/src/server/CMakeLists.txt -+++ b/src/server/CMakeLists.txt -@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED) - - INCLUDE_DIRECTORIES(SYSTEM - ${SERVER_DEP_INCLUDE_DIRS} -- ${Boost_INCLUDE_DIRS} - ${Threads_INCLUDE_DIRS} - ) - --- -2.6.6 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch deleted file mode 100644 index 1b3c8c427..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From cb9acc2b723b297ee373bf814282711f02657aa5 Mon Sep 17 00:00:00 2001 -From: Ronan -Date: Wed, 12 Oct 2016 17:48:55 +0200 -Subject: [PATCH] Fix gcc6 build - -Signed-off-by: ronan ---- - src/client/client-security-manager.cpp | 1 + - src/common/include/privilege_db.h | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp -index 74a6b30..347cddd 100644 ---- a/src/client/client-security-manager.cpp -+++ b/src/client/client-security-manager.cpp -@@ -46,6 +46,7 @@ - #include - #include - #include -+#include - - static const char *EMPTY = ""; - -diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h -index 03c6680..8dd39a1 100644 ---- a/src/common/include/privilege_db.h -+++ b/src/common/include/privilege_db.h -@@ -32,6 +32,7 @@ - #include - #include - #include -+#include - - #include - --- -2.6.6 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch deleted file mode 100644 index 7b6845abc..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From ed1c105db9d7b1ceb52ec16f35b0a2c959c19c6d Mon Sep 17 00:00:00 2001 -From: Changhyeok Bae -Date: Sun, 17 Dec 2017 15:40:58 +0000 -Subject: [PATCH] gcc-7 requires include for std::function - -Signed-off-by: Changhyeok Bae ---- - src/client/client-common.cpp | 1 + - src/common/smack-labels.cpp | 1 + - src/dpl/core/src/binary_queue.cpp | 1 + - 3 files changed, 3 insertions(+) - -diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp -index 883ab8d..1babdf7 100644 ---- a/src/client/client-common.cpp -+++ b/src/client/client-common.cpp -@@ -31,6 +31,7 @@ - #include - #include - #include -+#include - - #include - #include -diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp -index 0294a42..1598099 100644 ---- a/src/common/smack-labels.cpp -+++ b/src/common/smack-labels.cpp -@@ -29,6 +29,7 @@ - #include - #include - #include -+#include - #include - #include - #include -diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp -index 72817a6..838409f 100644 ---- a/src/dpl/core/src/binary_queue.cpp -+++ b/src/dpl/core/src/binary_queue.cpp -@@ -26,6 +26,7 @@ - #include - #include - #include -+#include - - namespace SecurityManager { - BinaryQueue::BinaryQueue() : --- -2.7.4 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch deleted file mode 100644 index bea3516d8..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch +++ /dev/null 
@@ -1,196 +0,0 @@ -From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= -Date: Mon, 16 Nov 2015 14:26:25 +0100 -Subject: [PATCH] Removing tizen-platform-config - -Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 ---- - policy/security-manager-policy-reload | 2 +- - src/common/file-lock.cpp | 4 +--- - src/common/include/file-lock.h | 1 - - src/common/include/privilege_db.h | 3 +-- - src/common/service_impl.cpp | 39 +++++++++++------------------------ - src/common/smack-rules.cpp | 12 ++++------- - 6 files changed, 19 insertions(+), 42 deletions(-) - -diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload -index 6f211c6..ed8047a 100755 ---- a/policy/security-manager-policy-reload -+++ b/policy/security-manager-policy-reload -@@ -2,7 +2,7 @@ - - POLICY_PATH=/usr/share/security-manager/policy - PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list --DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db -+DB_FILE=/var/local/db/security-manager/.security-manager.db - - # Create default buckets - while read bucket default_policy -diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp -index 6f3996c..1dada17 100644 ---- a/src/common/file-lock.cpp -+++ b/src/common/file-lock.cpp -@@ -30,9 +30,7 @@ - - namespace SecurityManager { - --char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, -- "lock", -- "security-manager.lock"); -+char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock"; - - FileLocker::FileLocker(const std::string &lockFile, bool blocking) - { -diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h -index 604b019..21a86a0 100644 ---- a/src/common/include/file-lock.h -+++ b/src/common/include/file-lock.h -@@ -29,7 +29,6 @@ - - #include - #include --#include - - namespace SecurityManager { - -diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h -index 
4d73d90..03c6680 100644 ---- a/src/common/include/privilege_db.h -+++ b/src/common/include/privilege_db.h -@@ -34,14 +34,13 @@ - #include - - #include --#include - - #ifndef PRIVILEGE_DB_H_ - #define PRIVILEGE_DB_H_ - - namespace SecurityManager { - --const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); -+const char *const PRIVILEGE_DB_PATH = "/var/local/db/security-manager/.security-manager.db"; - - enum class QueryType { - EGetPkgPrivileges, -diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp -index ae305d3..65cc8b5 100644 ---- a/src/common/service_impl.cpp -+++ b/src/common/service_impl.cpp -@@ -32,7 +32,6 @@ - #include - - #include --#include - - #include "protocols.h" - #include "privilege_db.h" -@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, - - static uid_t getGlobalUserId(void) - { -- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); -+ static uid_t globaluid = 0; -+ if (!globaluid) { -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwnam_r("afm", &pw, buf, sizeof buf, &p); -+ globaluid = (rc || p == NULL) ? 555 : p->pw_uid; -+ } - return globaluid; - } - -@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) - - static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) - { -- struct tzplatform_context *tz_ctx = nullptr; -- -- if (tzplatform_context_create(&tz_ctx)) -- return false; -- -- if (tzplatform_context_set_user(tz_ctx, uid)) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); -+ if (rc || p == NULL) - return false; -- } -- -- enum tzplatform_variable id = -- (uid == getGlobalUserId()) ? 
TZ_SYS_RW_APP : TZ_USER_APP; -- const char *appDir = tzplatform_context_getenv(tz_ctx, id); -- if (!appDir) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- return false; -- } -- -- userAppDir = appDir; -- -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- -+ userAppDir = p->pw_dir; - return true; - } - - static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) - { -- std::string userHome; - std::string userAppDir; - std::stringstream correctPath; - -diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp -index d834e42..8b5728b 100644 ---- a/src/common/smack-rules.cpp -+++ b/src/common/smack-rules.cpp -@@ -34,7 +34,6 @@ - #include - - #include --#include - - #include "smack-labels.h" - #include "smack-rules.h" -@@ -43,7 +42,7 @@ namespace SecurityManager { - - const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; - const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; --const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); -+const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack"; - const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; - - SmackRules::SmackRules() -@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector &pkgCon - - std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); -- return path; -+ return "/etc/smack/accesses.d/pkg_" + pkgId; - } - - std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); -- return path; -+ return "/etc/smack/accesses.d/app_" + appId; - } - void SmackRules::installApplicationPrivilegesRules(const std::string &appId, 
const std::string &pkgId, - const std::vector &pkgContents, const std::vector &privileges) -@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con - for (auto privilege : privileges) { - if (privilege.empty()) - continue; -- std::string fprivilege ( privilege + "-template.smack"); -- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); -+ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack"; - if( stat(path.c_str(), &buffer) == 0) - smackRules.addFromTemplateFile(appId, pkgId, path); - } --- -2.1.4 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service deleted file mode 100644 index 8ed5e8601..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service +++ /dev/null @@ -1,15 +0,0 @@ -# -# Install security-manager DB to /var - -[Unit] -Description=Install Security Manager database -After=sysinit.target -Before=security-manager.service - -[Install] -WantedBy=default.target - -[Service] -Type=oneshot -User=root -ExecStart=/usr/bin/init-security-manager-db.sh diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh deleted file mode 100644 index f90192a84..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -if [ ! -e "/var/local/db/security-manager" ]; then - mkdir -p /var/local/db - cp -ra /usr/dbspace/ /var/local/db/security-manager -fi 
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend index 61c933a7e..3306d4c72 100644 --- a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend +++ b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend @@ -1,25 +1,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:" -PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native" - -SRC_URI += " file://0001-Adapt-rules-to-AGL.patch \ - file://init-security-manager-db.service \ - file://init-security-manager-db.sh \ - file://0001-Fix-gcc6-build.patch \ - file://0001-Fix-Cmake-conf-for-gcc6-build.patch \ - file://0001-gcc-7-requires-include-functional-for-std-function.patch \ -" - -FILES_${PN}_append = "${bindir}/init-security-manager-db.sh \ - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_unitdir}/system/init-security-manager-db.service', '', d)} \ +EXTRA_OECMAKE =+ " -DGLOBALUSER=afm" +SRC_URI += " \ + file://0001-Adapt-rules-to-AGL.patch \ " -do_install_append () { - install -p -D ${WORKDIR}/init-security-manager-db.sh ${D}${bindir}/init-security-manager-db.sh - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - mkdir -p ${D}${systemd_unitdir}/system - mkdir -p ${D}${sysconfdir}/systemd/system/default.target.wants - install -m 644 -p -D ${WORKDIR}/init-security-manager-db.service ${D}${systemd_unitdir}/system/init-security-manager-db.service - ln -sf ${systemd_unitdir}/system/init-security-manager-db.service ${D}${sysconfdir}/systemd/system/default.target.wants - fi -} diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_git.bbappend b/meta-app-framework/recipes-security/security-manager/security-manager_git.bbappend deleted file mode 100644 index 424b49358..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager_git.bbappend +++ /dev/null 
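Review bot: `EXTRA_OECMAKE =+ " -DGLOBALUSER=afm"` in security-manager_%.bbappend fixes the account that security-manager is built to use as its global user, but the hunk has no comment saying that this account must exist in the image or where it is created. The Removing-tizen-platform-config.patch copy deleted earlier in this commit fell back to uid 555 when the `afm` lookup failed; how the new 0013 patch consumes GLOBALUSER is outside this hunk, so it is worth confirming that a missing account is reported as an error and does not silently resolve to some other uid. I would add a line above the assignment such as `# GLOBALUSER: account security-manager uses as the global application user; it must exist in the target image`. The same hunk also drops `PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native"`; if any post-install step still labels files at rootfs-creation time, that dependency presumably has to be carried by security-manager.inc instead, which cannot be verified from the lines visible here.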
@@ -1,2 +0,0 @@ -do_patch[depends] += "quilt-native:do_populate_sysroot libcap:do_populate_sysroot" -APPLY = "no" diff --git a/meta-security/recipes-security/security-manager/security-manager.inc b/meta-security/recipes-security/security-manager/security-manager.inc index ddd87a930..fdc5083e6 100644 --- a/meta-security/recipes-security/security-manager/security-manager.inc +++ b/meta-security/recipes-security/security-manager/security-manager.inc 
@@ -4,35 +4,33 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginlin inherit cmake -# Out-of-tree build is broken ("sqlite3 .security-manager.db -Date: Fri, 1 Feb 2019 15:37:44 +0100 -Subject: [PATCH] Avoid casting from "const T&" to "void*" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Latest version of g++ refuse the cast - - reinterpret_cast(serviceFunction) - -I made no investigation to know if the problem -is coming from the const or not. - -Signed-off-by: José Bollo ---- - src/server/main/include/service-thread.h | 43 ++++++++++-------------- - 1 file changed, 18 insertions(+), 25 deletions(-) - -diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h -index 964d168..92b0ec8 100644 ---- a/src/server/main/include/service-thread.h -+++ b/src/server/main/include/service-thread.h -@@ -9,78 +94,72 @@ public: - Join(); - while (!m_eventQueue.empty()){ - auto front = m_eventQueue.front(); -- delete front.eventPtr; -+ delete front; - m_eventQueue.pop(); - } - } - - template - void Event(const T &event, - Service *servicePtr, - void (Service::*serviceFunction)(const T &)) - { -- EventDescription description; -- description.serviceFunctionPtr = -- reinterpret_cast(serviceFunction); -- description.servicePtr = servicePtr; -- description.eventFunctionPtr = &ServiceThread::EventCall; -- description.eventPtr = new T(event); -+ EventCallerBase *ec = new EventCaller(event, servicePtr, serviceFunction); - { - std::lock_guard lock(m_eventQueueMutex); -- m_eventQueue.push(description); -+ m_eventQueue.push(ec); - } - m_waitCondition.notify_one(); - } - - protected: - -- struct EventDescription { -- void (Service::*serviceFunctionPtr)(void *); -- Service *servicePtr; -- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event); -- GenericEvent* eventPtr; -- }; -- -- template -- void EventCall(const EventDescription &desc) { -- auto fun = 
reinterpret_cast(desc.serviceFunctionPtr); -- const T& eventLocale = *(static_cast(desc.eventPtr)); -- (desc.servicePtr->*fun)(eventLocale); -- } -+ struct EventCallerBase { -+ virtual void fire() = 0; -+ virtual ~EventCallerBase() {} -+ }; - -+ template -+ struct EventCaller : public EventCallerBase { -+ T *event; Service *target; void (Service::*function)(const T&); -+ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {} -+ ~EventCaller() { delete event; } -+ void fire() { (target->*function)(*event); } -+ }; -+ - static void ThreadLoopStatic(ServiceThread *ptr) { - ptr->ThreadLoop(); - } - - void ThreadLoop(){ - for (;;) { -- EventDescription description = {NULL, NULL, NULL, NULL}; -+ EventCallerBase *ec = NULL; - { - std::unique_lock ulock(m_eventQueueMutex); - if (m_quit) - return; - if (!m_eventQueue.empty()) { -- description = m_eventQueue.front(); -+ ec = m_eventQueue.front(); - m_eventQueue.pop(); - } else { - m_waitCondition.wait(ulock); - } - } - -- if (description.eventPtr != NULL) { -+ if (ec != NULL) { - UNHANDLED_EXCEPTION_HANDLER_BEGIN - { -- (this->*description.eventFunctionPtr)(description); -- delete description.eventPtr; -+ ec->fire(); - } - UNHANDLED_EXCEPTION_HANDLER_END -+ delete ec; - } - } - } - - std::thread m_thread; - std::mutex m_eventQueueMutex; -- std::queue m_eventQueue; -+ std::queue m_eventQueue; - std::condition_variable m_waitCondition; - - State m_state; --- -2.17.2 - diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch deleted file mode 100644 index 5a55a3128..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 37c63c280eaec8cae3a321d45404d6c03a68c9d9 Mon Sep 17 00:00:00 2001 -From: Stephane Desneux -Date: Fri, 1 Feb 2019 12:26:17 +0000 -Subject: [PATCH] Fix gcc8 warning/error [-Werror=catch-value=] - -Fixes the following warning/error during compile: - -src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=] -| } catch (Exception) { -| ^~~~~~~~~ - -Signed-off-by: Stephane Desneux ---- - src/dpl/core/src/assert.cpp | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp -index 63538a2..fc60ce9 100644 ---- a/src/dpl/core/src/assert.cpp -+++ b/src/dpl/core/src/assert.cpp -@@ -58,7 +58,7 @@ void AssertProc(const char *condition, - INTERNAL_LOG("### Function: " << function); - INTERNAL_LOG( - "################################################################################"); -- } catch (Exception) { -+ } catch (Exception const&) { - // Just ignore possible double errors - } - --- -2.11.0 - diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch deleted file mode 100644 index b0e11afe4..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From d130a7384428a96f31ad5950ffbffadc0aa29a15 Mon Sep 17 00:00:00 2001 -From: Alejandro Joya -Date: Wed, 4 Nov 2015 19:01:35 -0600 -Subject: [PATCH 1/2] Smack-rules: create two new functions - -It let to smack-rules to create multiple set of rules -related with the privileges. - -It runs from the same bases than for a static set of rules on the -template, but let you add 1 or many templates for different cases. - -Signed-off-by: Alejandro Joya ---- - src/common/include/smack-rules.h | 15 ++++++++++++++ - src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 59 insertions(+) - -diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h -index 91446a7..f9fa438 100644 ---- a/src/common/include/smack-rules.h -+++ b/src/common/include/smack-rules.h -@@ -47,6 +47,8 @@ public: - void addFromTemplate(const std::vector &templateRules, - const std::string &appId, const std::string &pkgId); - void addFromTemplateFile(const std::string &appId, const std::string &pkgId); -+ void addFromTemplateFile(const std::string &appId, const std::string &pkgId, -+ const std::string &path); - - void apply() const; - void clear() const; -@@ -75,6 +77,19 @@ public: - static void installApplicationRules(const std::string &appId, const std::string &pkgId, - const std::vector &pkgContents); - /** -+ * Install privileges-specific smack rules. -+ * -+ * Function creates smack rules using predefined template. Rules are applied -+ * to the kernel and saved on persistent storage so they are loaded on system boot. 
-+ * -+ * @param[in] appId - application id that is beeing installed -+ * @param[in] pkgId - package id that the application is in -+ * @param[in] pkgContents - a list of all applications in the package -+ * @param[in] privileges - a list of all prvileges -+ */ -+ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, -+ const std::vector &pkgContents, const std::vector &privileges); -+ /** - * Uninstall package-specific smack rules. - * - * Function loads package-specific smack rules, revokes them from the kernel -diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp -index 3629e0f..d834e42 100644 ---- a/src/common/smack-rules.cpp -+++ b/src/common/smack-rules.cpp -@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const - } - } - -+void SmackRules::addFromTemplateFile(const std::string &appId, -+ const std::string &pkgId, const std::string &path) -+{ -+ std::vector templateRules; -+ std::string line; -+ std::ifstream templateRulesFile(path); -+ -+ if (!templateRulesFile.is_open()) { -+ LogError("Cannot open rules template file: " << path); -+ ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path); -+ } -+ -+ while (std::getline(templateRulesFile, line)) { -+ templateRules.push_back(line); -+ } -+ -+ if (templateRulesFile.bad()) { -+ LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); -+ ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); -+ } -+ -+ addFromTemplate(templateRules, appId, pkgId); -+} - - void SmackRules::addFromTemplateFile(const std::string &appId, - const std::string &pkgId) -@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) - std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); - return path; - } -+void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const 
std::string &pkgId, -+ const std::vector &pkgContents, const std::vector &privileges) -+{ -+ SmackRules smackRules; -+ std::string appPath = getApplicationRulesFilePath(appId); -+ smackRules.loadFromFile(appPath); -+ struct stat buffer; -+ for (auto privilege : privileges) { -+ if (privilege.empty()) -+ continue; -+ std::string fprivilege ( privilege + "-template.smack"); -+ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); -+ if( stat(path.c_str(), &buffer) == 0) -+ smackRules.addFromTemplateFile(appId, pkgId, path); -+ } -+ -+ if (smack_smackfs_path() != NULL) -+ smackRules.apply(); - -+ smackRules.saveToFile(appPath); -+ updatePackageRules(pkgId, pkgContents); -+} - void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId, - const std::vector &pkgContents) - { --- -2.1.0 - diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch b/meta-security/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch new file mode 100644 index 000000000..91ce81963 --- /dev/null +++ b/meta-security/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch 
@@ -0,0 +1,47 @@
+From 3d9d1d83fe298a364f51ad752c17aad461beded3 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly
+Date: Tue, 24 Mar 2015 04:54:03 -0700
+Subject: [PATCH 01/14] systemd: stop using compat libs
+
+libsystemd-journal and libsystemd-daemon are considered obsolete
+in systemd since 2.09 and may not be available (not compiled
+by default).
+
+The code works fine with the current libsystemd, so just
+use that.
+
+Signed-off-by: Patrick Ohly
+Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
+---
+ src/common/CMakeLists.txt | 2 +-
+ src/server/CMakeLists.txt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
+index 2da9c3e..968c7c1 100644
+--- a/src/common/CMakeLists.txt
++++ b/src/common/CMakeLists.txt
+@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2)
+
+ PKG_CHECK_MODULES(COMMON_DEP
+ REQUIRED
+- libsystemd-journal
++ libsystemd
+ libsmack
+ db-util
+ cynara-admin
+diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
+index 753eb96..6849d76 100644
+--- a/src/server/CMakeLists.txt
++++ b/src/server/CMakeLists.txt
+@@ -1,6 +1,6 @@
+ PKG_CHECK_MODULES(SERVER_DEP
+ REQUIRED
+- libsystemd-daemon
++ libsystemd
+ )
+
+ FIND_PACKAGE(Boost REQUIRED)
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch b/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch
deleted file mode 100644
index d60096a15..000000000
--- a/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 19688cbe2ca10921a499f3fa265928dca54cf98d Mon Sep 17 00:00:00 2001
-From: Alejandro Joya
-Date: Wed, 4 Nov 2015 19:06:23 -0600
-Subject: [PATCH 2/2] app-install: implement multiple set of smack-rules
-
-If it's need it could create load multiple set of smack rules
-related with the privileges.
-It wouldn't affect the case that only the default set of rules is need it.
-
-Signed-off-by: Alejandro Joya
----
- src/common/service_impl.cpp | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
-index 7fd621c..ae305d3 100644
---- a/src/common/service_impl.cpp
-+++ b/src/common/service_impl.cpp
-@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid)
- LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
- << req.pkgId << ". Applications in package: " << pkgContents.size());
- SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents);
-+ /*Setup for privileges custom rules*/
-+ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
-+ << req.pkgId << ". Applications in package: " << pkgContents.size()
-+ << " and Privileges");
-+ SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId,
-+ pkgContents,req.privileges);
- } catch (const SmackException::Base &e) {
- LogError("Error while applying Smack policy for application: " << e.DumpToString());
- return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
---
-2.1.0
-
diff --git a/meta-security/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-security/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch
new file mode 100644
index 000000000..b6346480b
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch
@@ -0,0 +1,36 @@
+From a90515613f09140049b2bdf471fa83d5dd7bad1c Mon Sep 17 00:00:00 2001
+From: Patrick Ohly
+Date: Wed, 19 Aug 2015 15:02:32 +0200
+Subject: [PATCH 02/14] security-manager-policy-reload: do not depend on GNU
+ sed
+
+\U (= make replacement uppercase) is a GNU sed extension which is not
+supported by other sed implementation's (like the one from
+busybox). When using busybox, the bucket for user profiles became
+USER_TYPE_Uadmin instead USER_TYPE_ADMIN.
+
+To make SecurityManager more portable, better use tr to turn the
+bucket name into uppercase.
+
+Signed-off-by: Patrick Ohly
+Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
+---
+ policy/security-manager-policy-reload | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
+index 274c49c..6f211c6 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload
+@@ -33,7 +33,7 @@ END
+ find "$POLICY_PATH" -name "usertype-*.profile" |
+ while read file
+ do
+- bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`"
++ bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`"
+
+ # Re-create the bucket with empty contents
+ cyad --delete-bucket=$bucket || true
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch b/meta-security/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch
new file mode 100644
index 000000000..d79345e01
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch
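Review bot: The rewritten `bucket=` line still expands `$file` unquoted in `echo $file`, so a profile path containing whitespace or glob characters is split or expanded before sed sees it, and the derived `$bucket` then reaches `cyad --delete-bucket=$bucket` unquoted as well. Quoting the expansion keeps the bucket name tied to the file that `find` returned: `bucket="$(printf '%s\n' "$file" | sed -r 's|.*/usertype-(.*)\.profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]')"`. Since the stated goal is independence from GNU sed, a short comment that `-r` is itself not a POSIX option (busybox accepts it) would help the next porter. The `while read file` loop continues outside the hunk.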
@@ -0,0 +1,117 @@
+From a80e33bc0a10fa4bed5d0b7bf29f45dd2565d309 Mon Sep 17 00:00:00 2001
+From: Alejandro Joya
+Date: Wed, 4 Nov 2015 19:01:35 -0600
+Subject: [PATCH 03/14] Smack-rules: create two new functions
+
+It let to smack-rules to create multiple set of rules
+related with the privileges.
+
+It runs from the same bases than for a static set of rules on the
+template, but let you add 1 or many templates for different cases.
+
+Change-Id: I14f8d4e914ad5a7ba34c96f3cb5589f0b15292de
+Signed-off-by: Alejandro Joya
+---
+ src/common/include/smack-rules.h | 15 +++++++++++
+ src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h
+index 91446a7..3ad9dd4 100644
+--- a/src/common/include/smack-rules.h
++++ b/src/common/include/smack-rules.h
+@@ -47,6 +47,8 @@ public:
+ void addFromTemplate(const std::vector &templateRules,
+ const std::string &appId, const std::string &pkgId);
+ void addFromTemplateFile(const std::string &appId, const std::string &pkgId);
++ void addFromTemplateFile(const std::string &appId, const std::string &pkgId,
++ const std::string &path);
+
+ void apply() const;
+ void clear() const;
+@@ -74,6 +76,19 @@ public:
+ */
+ static void installApplicationRules(const std::string &appId, const std::string &pkgId,
+ const std::vector &pkgContents);
++ /**
++ * Install privileges-specific smack rules.
++ *
++ * Function creates smack rules using predefined template. Rules are applied
++ * to the kernel and saved on persistent storage so they are loaded on system boot.
++ *
++ * @param[in] appId - application id that is beeing installed
++ * @param[in] pkgId - package id that the application is in
++ * @param[in] pkgContents - a list of all applications in the package
++ * @param[in] privileges - a list of all prvileges
++ */
++ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++ const std::vector &pkgContents, const std::vector &privileges);
+ /**
+ * Uninstall package-specific smack rules.
+ *
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index 3629e0f..922a56f 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const
+ }
+ }
+
++void SmackRules::addFromTemplateFile(const std::string &appId,
++ const std::string &pkgId, const std::string &path)
++{
++ std::vector templateRules;
++ std::string line;
++ std::ifstream templateRulesFile(path);
++
++ if (!templateRulesFile.is_open()) {
++ LogError("Cannot open rules template file: " << path);
++ ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path);
++ }
++
++ while (std::getline(templateRulesFile, line)) {
++ templateRules.push_back(line);
++ }
++
++ if (templateRulesFile.bad()) {
++ LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++ ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++ }
++
++ addFromTemplate(templateRules, appId, pkgId);
++}
+
+ void SmackRules::addFromTemplateFile(const std::string &appId,
+ const std::string &pkgId)
+@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
+ return path;
+ }
++void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++ const std::vector &pkgContents, const std::vector &privileges)
++{
++ SmackRules smackRules;
++ std::string appPath = getApplicationRulesFilePath(appId);
++ smackRules.loadFromFile(appPath);
++ struct stat buffer;
++ for (auto privilege : privileges) {
++ if (privilege.empty())
++ continue;
++ std::string fprivilege ( privilege + "-template.smack");
++ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++ if( stat(path.c_str(), &buffer) == 0)
++ smackRules.addFromTemplateFile(appId, pkgId, path);
++ }
++
++ if (smack_smackfs_path() != NULL)
++ smackRules.apply();
+
++ smackRules.saveToFile(appPath);
++ updatePackageRules(pkgId, pkgContents);
++}
+ void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId,
+ const std::vector &pkgContents)
+ {
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch b/meta-security/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch
new file mode 100644
index 000000000..59d4971ff
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch
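Review bot: In `installApplicationPrivilegesRules` each entry of `privileges` is turned into a file name with `privilege + "-template.smack"` after only an emptiness check, so a privilege string containing `/` or `..` can make `path` resolve outside the `security-manager/policy` directory; the caller added by patch 0004 passes `req.privileges`, which looks like data from the install request. Reject such names before building the path, for example `if (privilege.empty() || privilege.find('/') != std::string::npos) continue;`, or fail the install and log the rejected name. Separately, the `bad()` branch of the new `addFromTemplateFile` overload reports `APP_RULES_TEMPLATE_FILE_PATH` rather than the file it actually read; both the `LogError` and the `ThrowMsg` there should use `path`. The `stat()` result is compared only with 0, so any error other than a missing template is silently treated as "no template for this privilege".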
@@ -0,0 +1,34 @@
+From a5979d9d674e400ecd7fcdf5d7589cfa0cfeb492 Mon Sep 17 00:00:00 2001
+From: Alejandro Joya
+Date: Wed, 4 Nov 2015 19:06:23 -0600
+Subject: [PATCH 04/14] app-install: implement multiple set of smack-rules
+
+If it's need it could create load multiple set of smack rules
+related with the privileges.
+It wouldn't affect the case that only the default set of rules is need it.
+
+Signed-off-by: Alejandro Joya
+---
+ src/common/service_impl.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index 7fd621c..ae305d3 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid)
+ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
+ << req.pkgId << ". Applications in package: " << pkgContents.size());
+ SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents);
++ /*Setup for privileges custom rules*/
++ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
++ << req.pkgId << ". Applications in package: " << pkgContents.size()
++ << " and Privileges");
++ SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId,
++ pkgContents,req.privileges);
+ } catch (const SmackException::Base &e) {
+ LogError("Error while applying Smack policy for application: " << e.DumpToString());
+ return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch b/meta-security/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch
new file mode 100644
index 000000000..0739f28c7
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch
@@ -0,0 +1,32 @@
+From 198ba9b9782fda19803e94d2afeff91189ac27af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Wed, 13 Jan 2016 17:30:06 +0100
+Subject: [PATCH 05/14] c++11: replace deprecated auto_ptr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/]
+
+Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8
+Signed-off-by: José Bollo
+---
+ src/dpl/core/include/dpl/binary_queue.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h
+index dd03f5e..185b6c7 100644
+--- a/src/dpl/core/include/dpl/binary_queue.h
++++ b/src/dpl/core/include/dpl/binary_queue.h
+@@ -33,7 +33,7 @@ namespace SecurityManager {
+ * Binary queue auto pointer
+ */
+ class BinaryQueue;
+-typedef std::auto_ptr BinaryQueueAutoPtr;
++typedef std::unique_ptr BinaryQueueAutoPtr;
+
+ /**
+ * Binary stream implemented as constant size bucket list
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch b/meta-security/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch
new file mode 100644
index 000000000..3b8aad98c
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch
@@ -0,0 +1,47 @@
+From ec098bf03cea23350ca7d1ea2ad88b9c88228943 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Fri, 8 Jan 2016 16:53:46 +0100
+Subject: [PATCH 06/14] socket-manager: removes tizen specific call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The function 'smack_fgetlabel' is specific to Tizen
+and is no more maintained upstream.
+
+Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/]
+
+Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f
+Signed-off-by: José Bollo
+---
+ src/server/main/socket-manager.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp
+index 94c54c6..5e1a79b 100644
+--- a/src/server/main/socket-manager.cpp
++++ b/src/server/main/socket-manager.cpp
+@@ -30,6 +30,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -493,9 +494,9 @@ int SocketManager::CreateDomainSocketHelp(
+ if (smack_check()) {
+ LogInfo("Set up smack label: " << desc.smackLabel);
+
+- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) {
+- LogError("Error in smack_fsetlabel");
+- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel");
++ if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) {
++ LogError("Error in smack_set_label_for_file");
++ ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file");
+ }
+ } else {
+ LogInfo("No smack on platform. Socket won't be securied with smack label!");
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch b/meta-security/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch
new file mode 100644
index 000000000..bad99d25a
--- /dev/null
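Review bot: The patch description names `smack_fgetlabel` as the Tizen-specific function, while the call actually replaced in `CreateDomainSocketHelp` is `smack_fsetlabel`; the description should say `smack_fsetlabel` so the carried patch can be matched against the libsmack API it depends on. The surrounding context also shows that when `smack_check()` is false the socket is created without a label and only a `LogInfo` line records it; since the build defines `SMACK_ENABLED`, it may be worth deciding whether that path should be an error rather than an informational message. The function starts and ends outside the hunk.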
+++ b/meta-security/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch 
@@ -0,0 +1,78 @@
+From 9d0791dab4b4df086374c5c0ba2a6558e10e81c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Mon, 16 Nov 2015 15:56:27 +0100
+Subject: [PATCH 07/14] removes dependency to libslp-db-utils
+
+Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec
+---
+ src/common/CMakeLists.txt | 3 ++-
+ src/dpl/db/src/sql_connection.cpp | 17 +----------------
+ 2 files changed, 3 insertions(+), 17 deletions(-)
+
+diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
+index 968c7c1..9ae376f 100644
+--- a/src/common/CMakeLists.txt
++++ b/src/common/CMakeLists.txt
+@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP
+ REQUIRED
+ libsystemd
+ libsmack
+- db-util
++ sqlite3
++ icu-i18n
+ cynara-admin
+ cynara-client
+ )
+diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp
+index fdb4fe4..f49a6dc 100644
+--- a/src/dpl/db/src/sql_connection.cpp
++++ b/src/dpl/db/src/sql_connection.cpp
+@@ -26,7 +26,6 @@
+ #include
+ #include
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address,
+
+ // Connect to database
+ int result;
+- if (type & Flag::UseLucene) {
+- result = db_util_open_with_options(
+- address.c_str(),
+- &m_connection,
+- flag,
+- NULL);
+-
+- m_usingLucene = true;
+- LogPedantic("Lucene index enabled");
+- } else {
++ (void)type;
+ result = sqlite3_open_v2(
+ address.c_str(),
+ &m_connection,
+@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address,
+
+ m_usingLucene = false;
+ LogPedantic("Lucene index disabled");
+- }
+
+ if (result == SQLITE_OK) {
+ LogPedantic("Connected to DB");
+@@ -653,11 +642,7 @@ void SqlConnection::Disconnect()
+
+ int result;
+
+- if (m_usingLucene) {
+- result = db_util_close(m_connection);
+- } else {
+ result = sqlite3_close(m_connection);
+- }
+
+ if (result != SQLITE_OK) {
+ const char *error = sqlite3_errmsg(m_connection);
+--
+2.21.0
+
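Review bot: After this change `SqlConnection::Connect` discards its `type` argument with `(void)type;`, so a caller that passes `Flag::UseLucene` silently gets a plain `sqlite3_open_v2` connection. Logging or rejecting the request when `type & Flag::UseLucene` is set would make the dropped feature visible, and the now constant `m_usingLucene = false;` with its "Lucene index disabled" message could go away together with the member. The patch header also carries no `Signed-off-by` or `Upstream-Status` line, unlike the neighbouring patches in the series. Both `Connect` and `Disconnect` start and end outside the hunks.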
diff --git a/meta-security/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch b/meta-security/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch
new file mode 100644
index 000000000..5ece7ef4f
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch
@@ -0,0 +1,38 @@
+From a1d9b40b4fa2e73d31a53e398c286bffeaae1732 Mon Sep 17 00:00:00 2001
+From: Ronan
+Date: Wed, 12 Oct 2016 17:48:55 +0200
+Subject: [PATCH 08/14] Fix gcc6 build
+
+Signed-off-by: ronan
+---
+ src/client/client-security-manager.cpp | 1 +
+ src/common/include/privilege_db.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
+index 74a6b30..347cddd 100644
+--- a/src/client/client-security-manager.cpp
++++ b/src/client/client-security-manager.cpp
+@@ -46,6 +46,7 @@
+ #include
+ #include
+ #include
++#include
+
+ static const char *EMPTY = "";
+
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 4d73d90..08fb9d6 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -32,6 +32,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch b/meta-security/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch
new file mode 100644
index 000000000..706eb1a93
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch
@@ -0,0 +1,40 @@ +From 382379d74221bcc60a0ab70d63430a1c0587b2ec Mon Sep 17 00:00:00 2001 +From: Ronan +Date: Thu, 13 Oct 2016 11:37:47 +0200 +Subject: [PATCH 09/14] Fix Cmake conf for gcc6 build + +Signed-off-by: Ronan +--- + src/cmd/CMakeLists.txt | 4 +--- + src/server/CMakeLists.txt | 1 - + 2 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt +index ee9a160..aa7a12c 100644 +--- a/src/cmd/CMakeLists.txt ++++ b/src/cmd/CMakeLists.txt +@@ -1,8 +1,6 @@ + FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options) + +-INCLUDE_DIRECTORIES(SYSTEM +- ${Boost_INCLUDE_DIRS} +- ) ++ + + INCLUDE_DIRECTORIES( + ${INCLUDE_PATH} +diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt +index 6849d76..9598037 100644 +--- a/src/server/CMakeLists.txt ++++ b/src/server/CMakeLists.txt +@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED) + + INCLUDE_DIRECTORIES(SYSTEM + ${SERVER_DEP_INCLUDE_DIRS} +- ${Boost_INCLUDE_DIRS} + ${Threads_INCLUDE_DIRS} + ) + +-- +2.21.0 + diff --git a/meta-security/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch new file mode 100644 index 000000000..0f48c5f68 --- /dev/null +++ b/meta-security/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch 
@@ -0,0 +1,51 @@
+From 8e93699c0f225716f3cd5eff790270ae9e3880f9 Mon Sep 17 00:00:00 2001
+From: Changhyeok Bae
+Date: Sun, 17 Dec 2017 15:40:58 +0000
+Subject: [PATCH 10/14] gcc-7 requires include for std::function
+
+Signed-off-by: Changhyeok Bae
+---
+ src/client/client-common.cpp | 1 +
+ src/common/smack-labels.cpp | 1 +
+ src/dpl/core/src/binary_queue.cpp | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp
+index 883ab8d..1babdf7 100644
+--- a/src/client/client-common.cpp
++++ b/src/client/client-common.cpp
+@@ -31,6 +31,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp
+index 0294a42..1598099 100644
+--- a/src/common/smack-labels.cpp
++++ b/src/common/smack-labels.cpp
+@@ -29,6 +29,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp
+index 72817a6..838409f 100644
+--- a/src/dpl/core/src/binary_queue.cpp
++++ b/src/dpl/core/src/binary_queue.cpp
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+
+ namespace SecurityManager {
+ BinaryQueue::BinaryQueue() :
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-security/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch
new file mode 100644
index 000000000..5c679fc26
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch
@@ -0,0 +1,32 @@
+From 243b7ffee16558d7cb9b411f49380138efeffca9 Mon Sep 17 00:00:00 2001
+From: Stephane Desneux
+Date: Fri, 1 Feb 2019 12:26:17 +0000
+Subject: [PATCH 11/14] Fix gcc8 warning/error [-Werror=catch-value=]
+
+Fixes the following warning/error during compile:
+
+src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=]
+| } catch (Exception) {
+| ^~~~~~~~~
+
+Signed-off-by: Stephane Desneux
+---
+ src/dpl/core/src/assert.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp
+index 63538a2..fc60ce9 100644
+--- a/src/dpl/core/src/assert.cpp
++++ b/src/dpl/core/src/assert.cpp
+@@ -58,7 +58,7 @@ void AssertProc(const char *condition,
+ INTERNAL_LOG("### Function: " << function);
+ INTERNAL_LOG(
+ "################################################################################");
+- } catch (Exception) {
++ } catch (Exception const&) {
+ // Just ignore possible double errors
+ }
+
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch b/meta-security/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch
new file mode 100644
index 000000000..91ccf9ee2
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch
@@ -0,0 +1,122 @@
+From 5ee51d38575f289c2bf37ed817ef680ed47bb320 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Fri, 1 Feb 2019 15:37:44 +0100
+Subject: [PATCH 12/14] Avoid casting from "const T&" to "void*"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Latest version of g++ refuse the cast
+
+ reinterpret_cast(serviceFunction)
+
+I made no investigation to know if the problem
+is coming from the const or not.
+
+Signed-off-by: José Bollo
+---
+ src/server/main/include/service-thread.h | 42 ++++++++++--------------
+ 1 file changed, 18 insertions(+), 24 deletions(-)
+
+diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h
+index 964d168..61fdda8 100644
+--- a/src/server/main/include/service-thread.h
++++ b/src/server/main/include/service-thread.h
+@@ -94,7 +94,7 @@ public:
+ Join();
+ while (!m_eventQueue.empty()){
+ auto front = m_eventQueue.front();
+- delete front.eventPtr;
++ delete front;
+ m_eventQueue.pop();
+ }
+ }
+@@ -104,34 +104,28 @@ public:
+ Service *servicePtr,
+ void (Service::*serviceFunction)(const T &))
+ {
+- EventDescription description;
+- description.serviceFunctionPtr =
+- reinterpret_cast(serviceFunction);
+- description.servicePtr = servicePtr;
+- description.eventFunctionPtr = &ServiceThread::EventCall;
+- description.eventPtr = new T(event);
++ EventCallerBase *ec = new EventCaller(event, servicePtr, serviceFunction);
+ {
+ std::lock_guard lock(m_eventQueueMutex);
+- m_eventQueue.push(description);
++ m_eventQueue.push(ec);
+ }
+ m_waitCondition.notify_one();
+ }
+
+ protected:
+
+- struct EventDescription {
+- void (Service::*serviceFunctionPtr)(void *);
+- Service *servicePtr;
+- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event);
+- GenericEvent* eventPtr;
++ struct EventCallerBase {
++ virtual void fire() = 0;
++ virtual ~EventCallerBase() {}
+ };
+
+ template
+- void EventCall(const EventDescription &desc) {
+- auto fun = reinterpret_cast(desc.serviceFunctionPtr);
+- const T& eventLocale = *(static_cast(desc.eventPtr));
+- (desc.servicePtr->*fun)(eventLocale);
+- }
++ struct EventCaller : public EventCallerBase {
++ T *event; Service *target; void (Service::*function)(const T&);
++ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {}
++ ~EventCaller() { delete event; }
++ void fire() { (target->*function)(*event); }
++ };
+
+ static void ThreadLoopStatic(ServiceThread *ptr) {
+ ptr->ThreadLoop();
+@@ -139,33 +133,33 @@ protected:
+
+ void ThreadLoop(){
+ for (;;) {
+- EventDescription description = {NULL, NULL, NULL, NULL};
++ EventCallerBase *ec = NULL;
+ {
+ std::unique_lock ulock(m_eventQueueMutex);
+ if (m_quit)
+ return;
+ if (!m_eventQueue.empty()) {
+- description = m_eventQueue.front();
++ ec = m_eventQueue.front();
+ m_eventQueue.pop();
+ } else {
+ m_waitCondition.wait(ulock);
+ }
+ }
+
+- if (description.eventPtr != NULL) {
++ if (ec != NULL) {
+ UNHANDLED_EXCEPTION_HANDLER_BEGIN
+ {
+- (this->*description.eventFunctionPtr)(description);
+- delete description.eventPtr;
++ ec->fire();
+ }
+ UNHANDLED_EXCEPTION_HANDLER_END
++ delete ec;
+ }
+ }
+ }
+
+ std::thread m_thread;
+ std::mutex m_eventQueueMutex;
+- std::queue m_eventQueue;
++ std::queue m_eventQueue;
+ std::condition_variable m_waitCondition;
+
+ State m_state;
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch b/meta-security/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch
new file mode 100644
index 000000000..fb6215923
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch
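Review bot: `EventCaller` owns a raw `T *event` that its destructor deletes, yet copy construction and assignment stay implicitly available, so an accidental copy of the struct would delete the event twice. Holding the event by value removes both the allocation and that hazard: declare `T event;`, initialise it with `event(e)`, and call `(target->*function)(event);` in `fire()`. In the enqueue method the result of `new EventCaller(...)` is a bare pointer until `m_eventQueue.push(ec)` succeeds, so an exception from taking the lock or from the push would leak it; a `std::unique_ptr` released after the push would close that gap, provided `<memory>` is available in this header. The class and the enqueue method's signature start outside the hunks.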
@@ -0,0 +1,259 @@ +From 6c96a39ba7a7763ccd47e379dbfd8d376164985f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= +Date: Mon, 16 Nov 2015 14:26:25 +0100 +Subject: [PATCH 13/14] Removing tizen-platform-config + +Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 +--- + CMakeLists.txt | 16 +++++++- + db/CMakeLists.txt | 2 +- + policy/CMakeLists.txt | 1 + + ...load => security-manager-policy-reload.in} | 4 +- + src/common/file-lock.cpp | 4 +- + src/common/include/file-lock.h | 1 - + src/common/include/privilege_db.h | 3 +- + src/common/service_impl.cpp | 39 ++++++------------- + src/common/smack-rules.cpp | 12 ++---- + 9 files changed, 37 insertions(+), 45 deletions(-) + rename policy/{security-manager-policy-reload => security-manager-policy-reload.in} (94%) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 28790d8..37a43cc 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -49,7 +49,7 @@ ADD_DEFINITIONS("-Wall") # Generate all warnings + ADD_DEFINITIONS("-Wextra") # Generate even more extra warnings + + STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}") +-ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"") ++ADD_DEFINITIONS("-DAPI_VERSION=\"${API_VERSION}\"") + + ADD_DEFINITIONS("-DSMACK_ENABLED") + +@@ -58,6 +58,20 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG") + ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG") + ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG") + ++SET(DATADIR "/usr/share/security-manager" CACHE STRING "path to data directory") ++SET(SMACKRULESDIR "/etc/smack/accesses.d" CACHE STRING "path to Smack rules directory") ++SET(LOCKDIR "/var/run/lock" CACHE STRING "path to lock directory") ++SET(DB_INSTALL_DIR "/var/db/security-manager" CACHE STRING "path to database directory") ++SET(DB_FILENAME ".security-manager.db" CACHE STRING "basename of database") ++SET(GLOBALUSER "userapp" CACHE STRING "name of the global user") ++ ++ADD_DEFINITIONS("-DDATADIR=\"${DATADIR}\"") ++ADD_DEFINITIONS("-DSMACKRULESDIR=\"${SMACKRULESDIR}\"") 
++ADD_DEFINITIONS("-DLOCKDIR=\"${LOCKDIR}\"") ++ADD_DEFINITIONS("-DDB_INSTALL_DIR=\"${DB_INSTALL_DIR}\"") ++ADD_DEFINITIONS("-DDB_FILENAME=\"${DB_FILENAME}\"") ++ADD_DEFINITIONS("-DGLOBALUSER=\"${GLOBALUSER}\"") ++ + ADD_SUBDIRECTORY(src) + ADD_SUBDIRECTORY(pc) + ADD_SUBDIRECTORY(systemd) +diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt +index 9e8ffcc..d7af1a0 100644 +--- a/db/CMakeLists.txt ++++ b/db/CMakeLists.txt +@@ -1,4 +1,4 @@ +-SET(TARGET_DB ".security-manager.db") ++SET(TARGET_DB "$(DB_FILENAME)") + + ADD_CUSTOM_COMMAND( + OUTPUT ${TARGET_DB} ${TARGET_DB}-journal +diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt +index bd08edc..626a2bd 100644 +--- a/policy/CMakeLists.txt ++++ b/policy/CMakeLists.txt +@@ -1,4 +1,5 @@ + FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile) ++CONFIGURE_FILE(security-manager-policy-reload.in security-manager-policy-reload @ONLY) + INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) + INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) + INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy) +diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload.in +similarity index 94% +rename from policy/security-manager-policy-reload +rename to policy/security-manager-policy-reload.in +index 6f211c6..c1bc4e2 100755 +--- a/policy/security-manager-policy-reload ++++ b/policy/security-manager-policy-reload.in +@@ -1,8 +1,8 @@ + #!/bin/sh -e + +-POLICY_PATH=/usr/share/security-manager/policy ++POLICY_PATH=@DATADIR@/policy + PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list +-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db ++DB_FILE=@DB_INSTALL_DIR@/@DB_FILENAME@ + + # Create default buckets + while read bucket default_policy +diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp +index 6f3996c..88d2092 100644 +--- 
a/src/common/file-lock.cpp ++++ b/src/common/file-lock.cpp +@@ -30,9 +30,7 @@ + + namespace SecurityManager { + +-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, +- "lock", +- "security-manager.lock"); ++char const * const SERVICE_LOCK_FILE = LOCKDIR "/security-manager.lock"; + + FileLocker::FileLocker(const std::string &lockFile, bool blocking) + { +diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h +index 604b019..21a86a0 100644 +--- a/src/common/include/file-lock.h ++++ b/src/common/include/file-lock.h +@@ -29,7 +29,6 @@ + + #include + #include +-#include + + namespace SecurityManager { + +diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h +index 08fb9d6..3344987 100644 +--- a/src/common/include/privilege_db.h ++++ b/src/common/include/privilege_db.h +@@ -35,14 +35,13 @@ + #include + + #include +-#include + + #ifndef PRIVILEGE_DB_H_ + #define PRIVILEGE_DB_H_ + + namespace SecurityManager { + +-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); ++const char *const PRIVILEGE_DB_PATH = DB_INSTALL_DIR "/" DB_FILENAME; + + enum class QueryType { + EGetPkgPrivileges, +diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp +index ae305d3..42150fe 100644 +--- a/src/common/service_impl.cpp ++++ b/src/common/service_impl.cpp +@@ -32,7 +32,6 @@ + #include + + #include +-#include + + #include "protocols.h" + #include "privilege_db.h" +@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, + + static uid_t getGlobalUserId(void) + { +- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); ++ static uid_t globaluid = 0; ++ if (!globaluid) { ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwnam_r(GLOBALUSER, &pw, buf, sizeof buf, &p); ++ globaluid = (rc || p == NULL) ? 
555 : p->pw_uid; ++ } + return globaluid; + } + +@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) + + static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) + { +- struct tzplatform_context *tz_ctx = nullptr; +- +- if (tzplatform_context_create(&tz_ctx)) +- return false; +- +- if (tzplatform_context_set_user(tz_ctx, uid)) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); ++ if (rc || p == NULL) + return false; +- } +- +- enum tzplatform_variable id = +- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP; +- const char *appDir = tzplatform_context_getenv(tz_ctx, id); +- if (!appDir) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- return false; +- } +- +- userAppDir = appDir; +- +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- ++ userAppDir = p->pw_dir; + return true; + } + + static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) + { +- std::string userHome; + std::string userAppDir; + std::stringstream correctPath; + +diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp +index 922a56f..c2e0041 100644 +--- a/src/common/smack-rules.cpp ++++ b/src/common/smack-rules.cpp +@@ -34,7 +34,6 @@ + #include + + #include +-#include + + #include "smack-labels.h" + #include "smack-rules.h" +@@ -43,7 +42,7 @@ namespace SecurityManager { + + const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; + const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; +-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); ++const char *const APP_RULES_TEMPLATE_FILE_PATH = DATADIR "/policy/app-rules-template.smack"; + const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; + + SmackRules::SmackRules() +@@ -237,14 +236,12 @@ void 
SmackRules::generatePackageCrossDeps(const std::vector &pkgCon + + std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); +- return path; ++ return SMACKRULESDIR "/pkg_" + pkgId; + } + + std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); +- return path; ++ return SMACKRULESDIR "/app_" + appId; + } + void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, + const std::vector &pkgContents, const std::vector &privileges) +@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con + for (auto privilege : privileges) { + if (privilege.empty()) + continue; +- std::string fprivilege ( privilege + "-template.smack"); +- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); ++ std::string path = DATADIR "/policy/" + privilege + "-template.smack"; + if( stat(path.c_str(), &buffer) == 0) + smackRules.addFromTemplateFile(appId, pkgId, path); + } +-- +2.21.0 + diff --git a/meta-security/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch b/meta-security/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch new file mode 100644 index 000000000..542a387d2 --- /dev/null +++ b/meta-security/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch 
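Review bot: `getGlobalUserId()` in service_impl.cpp substitutes the hard-coded uid 555 whenever `getpwnam_r(GLOBALUSER, ...)` fails or finds no entry, so on an image where that account is missing or the 4096-byte buffer is too small, whichever account holds uid 555 is silently treated as the global application user. The lookup failure should be logged and mapped to a value that matches no account, or abort start-up; callers are outside this hunk, so how they handle such a value needs checking. The new `static uid_t globaluid = 0; if (!globaluid)` form also drops the once-only, thread-safe initialisation that the old static initialiser had, and it repeats the lookup on every call if the account's uid is 0. In the same patch, `getUserAppDir()` now returns `pw_dir` for every user where the old code distinguished the global user, which appears to widen the directory that `installRequestAuthCheck` accepts and deserves a comment stating that this is intended.

```cpp
// Resolve GLOBALUSER once; a failed lookup must not alias an unrelated account.
static uid_t lookupGlobalUserId(void)
{
    struct passwd pw, *p = NULL;
    char buf[4096];
    int rc = getpwnam_r(GLOBALUSER, &pw, buf, sizeof buf, &p);
    if (rc != 0 || p == NULL) {
        LogError("No passwd entry for global user " << GLOBALUSER);
        return static_cast<uid_t>(-1); // sentinel; confirm how callers treat it
    }
    return p->pw_uid;
}

static uid_t getGlobalUserId(void)
{
    // function-local static initialiser: runs once, thread-safe since C++11
    static const uid_t globaluid = lookupGlobalUserId();
    return globaluid;
}
```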
@@ -0,0 +1,78 @@ +From c7f9d14e38a1b6d40b2fffa01433a3025eff9abd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= +Date: Tue, 26 Nov 2019 12:34:39 +0100 +Subject: [PATCH 14/14] Ensure post install initialization of database +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Creation of the database was made during image creation, +leading to issue with SOTA. This adds the creation on +need before launching the service. + +Change-Id: Idfd0676bd87d39f7c10eaafd63f3a318f675c972 +Signed-off-by: José Bollo +--- + db/CMakeLists.txt | 14 ++++++-------- + db/security-manager-setup | 14 ++++++++++++++ + systemd/security-manager.service.in | 1 + + 3 files changed, 21 insertions(+), 8 deletions(-) + create mode 100644 db/security-manager-setup + +diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt +index d7af1a0..dcf5bc8 100644 +--- a/db/CMakeLists.txt ++++ b/db/CMakeLists.txt +@@ -1,12 +1,10 @@ +-SET(TARGET_DB "$(DB_FILENAME)") +- + ADD_CUSTOM_COMMAND( +- OUTPUT ${TARGET_DB} ${TARGET_DB}-journal +- COMMAND sqlite3 ${TARGET_DB} .security-manager-setup ++ DEPENDS security-manager-setup db.sql ++) + + # Add a dummy build target to trigger building of ${TARGET_DB} +-ADD_CUSTOM_TARGET(DB ALL DEPENDS ${TARGET_DB}) ++ADD_CUSTOM_TARGET(DB ALL DEPENDS .security-manager-setup) + +-INSTALL(FILES ${TARGET_DB} DESTINATION ${DB_INSTALL_DIR}) +-INSTALL(FILES ${TARGET_DB}-journal DESTINATION ${DB_INSTALL_DIR}) ++INSTALL(PROGRAMS .security-manager-setup DESTINATION ${BIN_INSTALL_DIR}) +diff --git a/db/security-manager-setup b/db/security-manager-setup +new file mode 100644 +index 0000000..5675baf +--- /dev/null ++++ b/db/security-manager-setup +@@ -0,0 +1,14 @@ ++#!/bin/sh ++ ++if test -f "$1"; then exit; fi ++set -e ++dbdir="$(dirname "$1")" ++dbfile="$(basename "$1")" ++test -n "$dbfile" ++test -n "$dbdir" ++mkdir -p "$dbdir" ++cd "$dbdir" ++sqlite3 "$dbfile" << END-OF-CAT ++--DB.SQL-- ++END-OF-CAT ++ +diff --git 
a/systemd/security-manager.service.in b/systemd/security-manager.service.in +index 23fd1b2..2bf97d7 100644 +--- a/systemd/security-manager.service.in ++++ b/systemd/security-manager.service.in +@@ -3,5 +3,6 @@ Description=Start the security manager + + [Service] + Type=notify ++ExecStartPre=@BIN_INSTALL_DIR@/.security-manager-setup @DB_INSTALL_DIR@/@DB_FILENAME@ + ExecStart=@BIN_INSTALL_DIR@/security-manager + Sockets=security-manager.socket +-- +2.21.0 + diff --git a/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch deleted file mode 100644 index 4baea6572..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch +++ /dev/null 
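Review bot: `security-manager-setup` skips initialisation as soon as the database file exists (`if test -f "$1"; then exit; fi`), yet `sqlite3 "$dbfile"` writes directly to that final path, so an interrupted or failed first run leaves a partial file that every later `ExecStartPre` accepts as an initialised privilege database. Building the database under a temporary name in the same directory and renaming it only after sqlite3 succeeds makes the existence test meaningful. The script also relies on the inherited umask for the directory and the file; setting the mode explicitly would document who may read the policy database, which this hunk does not show.

```shell
# … unchanged: existing-file test, set -e, dbdir/dbfile checks, mkdir -p, cd …
tmpfile="$dbfile.new"
# clear leftovers of an earlier interrupted run
rm -f "$tmpfile" "$tmpfile-journal"
sqlite3 "$tmpfile" << END-OF-CAT
--DB.SQL--
END-OF-CAT
# publish the database only once it is complete
mv "$tmpfile" "$dbfile"
```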
@@ -1,196 +0,0 @@ -From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= -Date: Mon, 16 Nov 2015 14:26:25 +0100 -Subject: [PATCH] Removing tizen-platform-config - -Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 ---- - policy/security-manager-policy-reload | 2 +- - src/common/file-lock.cpp | 4 +--- - src/common/include/file-lock.h | 1 - - src/common/include/privilege_db.h | 3 +-- - src/common/service_impl.cpp | 39 +++++++++++------------------------ - src/common/smack-rules.cpp | 12 ++++------- - 6 files changed, 19 insertions(+), 42 deletions(-) - -diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload -index 6f211c6..ed8047a 100755 ---- a/policy/security-manager-policy-reload -+++ b/policy/security-manager-policy-reload -@@ -2,7 +2,7 @@ - - POLICY_PATH=/usr/share/security-manager/policy - PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list --DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db -+DB_FILE=/usr/dbspace/.security-manager.db - - # Create default buckets - while read bucket default_policy -diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp -index 6f3996c..1dada17 100644 ---- a/src/common/file-lock.cpp -+++ b/src/common/file-lock.cpp -@@ -30,9 +30,7 @@ - - namespace SecurityManager { - --char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, -- "lock", -- "security-manager.lock"); -+char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock"; - - FileLocker::FileLocker(const std::string &lockFile, bool blocking) - { -diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h -index 604b019..21a86a0 100644 ---- a/src/common/include/file-lock.h -+++ b/src/common/include/file-lock.h -@@ -29,7 +29,6 @@ - - #include - #include --#include - - namespace SecurityManager { - -diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h -index 4d73d90..03c6680 
100644 ---- a/src/common/include/privilege_db.h -+++ b/src/common/include/privilege_db.h -@@ -34,14 +34,13 @@ - #include - - #include --#include - - #ifndef PRIVILEGE_DB_H_ - #define PRIVILEGE_DB_H_ - - namespace SecurityManager { - --const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); -+const char *const PRIVILEGE_DB_PATH = "/usr/dbspace/.security-manager.db"; - - enum class QueryType { - EGetPkgPrivileges, -diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp -index ae305d3..65cc8b5 100644 ---- a/src/common/service_impl.cpp -+++ b/src/common/service_impl.cpp -@@ -32,7 +32,6 @@ - #include - - #include --#include - - #include "protocols.h" - #include "privilege_db.h" -@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, - - static uid_t getGlobalUserId(void) - { -- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); -+ static uid_t globaluid = 0; -+ if (!globaluid) { -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwnam_r("userapp", &pw, buf, sizeof buf, &p); -+ globaluid = (rc || p == NULL) ? 555 : p->pw_uid; -+ } - return globaluid; - } - -@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) - - static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) - { -- struct tzplatform_context *tz_ctx = nullptr; -- -- if (tzplatform_context_create(&tz_ctx)) -- return false; -- -- if (tzplatform_context_set_user(tz_ctx, uid)) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); -+ if (rc || p == NULL) - return false; -- } -- -- enum tzplatform_variable id = -- (uid == getGlobalUserId()) ? 
TZ_SYS_RW_APP : TZ_USER_APP; -- const char *appDir = tzplatform_context_getenv(tz_ctx, id); -- if (!appDir) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- return false; -- } -- -- userAppDir = appDir; -- -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- -+ userAppDir = p->pw_dir; - return true; - } - - static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) - { -- std::string userHome; - std::string userAppDir; - std::stringstream correctPath; - -diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp -index d834e42..8b5728b 100644 ---- a/src/common/smack-rules.cpp -+++ b/src/common/smack-rules.cpp -@@ -34,7 +34,6 @@ - #include - - #include --#include - - #include "smack-labels.h" - #include "smack-rules.h" -@@ -43,7 +42,7 @@ namespace SecurityManager { - - const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; - const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; --const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); -+const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack"; - const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; - - SmackRules::SmackRules() -@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector &pkgCon - - std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); -- return path; -+ return "/etc/smack/accesses.d/pkg_" + pkgId; - } - - std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); -- return path; -+ return "/etc/smack/accesses.d/app_" + appId; - } - void SmackRules::installApplicationPrivilegesRules(const std::string &appId, 
const std::string &pkgId, - const std::vector &pkgContents, const std::vector &privileges) -@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con - for (auto privilege : privileges) { - if (privilege.empty()) - continue; -- std::string fprivilege ( privilege + "-template.smack"); -- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); -+ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack"; - if( stat(path.c_str(), &buffer) == 0) - smackRules.addFromTemplateFile(appId, pkgId, path); - } --- -2.1.4 - diff --git a/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch b/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch deleted file mode 100644 index c312a9e72..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From 6abeec29a0e704f4bf7084b29275b99fea0a78de Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= -Date: Wed, 13 Jan 2016 17:30:06 +0100 -Subject: [PATCH 2/2] c++11: replace depracated auto_ptr -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/] - -Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8 -Signed-off-by: José Bollo ---- - src/dpl/core/include/dpl/binary_queue.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h -index dd03f5e..185b6c7 100644 ---- a/src/dpl/core/include/dpl/binary_queue.h -+++ b/src/dpl/core/include/dpl/binary_queue.h -@@ -33,7 +33,7 @@ namespace SecurityManager { - * Binary queue auto pointer - */ - class BinaryQueue; --typedef std::auto_ptr BinaryQueueAutoPtr; -+typedef std::unique_ptr BinaryQueueAutoPtr; - - /** - * Binary stream implemented as constant size bucket list --- -2.1.4 - diff --git a/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch b/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch deleted file mode 100644 index 33fbc025e..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch +++ /dev/null @@ -1,24 +0,0 @@ -From: José Bollo -Date: Tue, 30 Oct 2015 14:32:03 -0100 -Subject: [PATCH] include linux xattr - -adds a #include in source. - ---- - src/client/client-security-manager.cpp | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp -index 74a6b30..641790b 100644 ---- a/src/client/client-security-manager.cpp -+++ b/src/client/client-security-manager.cpp -@@ -34,6 +34,7 @@ - #include - #include - #include -+#include - #include - #include - --- -2.1.4 
diff --git a/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch b/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch deleted file mode 100644 index a948343f8..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: José Bollo -Date: Tue, 30 Oct 2015 14:32:03 -0100 -Subject: [PATCH] libcap without pkgconfig - -Handles libcap that isn't distributed for pkg-config - ---- - src/client/CMakeLists.txt | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/client/CMakeLists.txt b/src/client/CMakeLists.txt -index 5399a55..0250ce2 100644 ---- a/src/client/CMakeLists.txt -+++ b/src/client/CMakeLists.txt -@@ -1,7 +1,6 @@ - PKG_CHECK_MODULES(CLIENT_DEP - REQUIRED - libsmack -- libcap - ) - - SET(CLIENT_VERSION_MAJOR 1) -@@ -37,6 +36,7 @@ SET_TARGET_PROPERTIES(${TARGET_CLIENT} - TARGET_LINK_LIBRARIES(${TARGET_CLIENT} - ${TARGET_COMMON} - ${CLIENT_DEP_LIBRARIES} -+ cap - ) - - INSTALL(TARGETS ${TARGET_CLIENT} DESTINATION ${LIB_INSTALL_DIR}) --- -2.1.4 diff --git a/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch b/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch deleted file mode 100644 index f94973074..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 1e2f8f58d4320afa1d83a6f94822e53346108ee8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= -Date: Mon, 16 Nov 2015 15:56:27 +0100 -Subject: [PATCH] removes dependency to libslp-db-utils - -Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec ---- - src/common/CMakeLists.txt | 1 ++- - src/dpl/db/src/sql_connection.cpp | 17 +---------------- - 2 files changed, 3 additions(+), 17 deletions(-) - -diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt -index 968c7c1..d1fe644 100644 ---- a/src/common/CMakeLists.txt -+++ b/src/common/CMakeLists.txt -@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP - REQUIRED - libsystemd - libsmack -- db-util -+ sqlite3 -+ icu-i18n - cynara-admin - cynara-client - ) -diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp -index fdb4fe4..1fb97be 100644 ---- a/src/dpl/db/src/sql_connection.cpp -+++ b/src/dpl/db/src/sql_connection.cpp -@@ -26,7 +26,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address, - - // Connect to database - int result; -- if (type & Flag::UseLucene) { -- result = db_util_open_with_options( -- address.c_str(), -- &m_connection, -- flag, -- NULL); -- -- m_usingLucene = true; -- LogPedantic("Lucene index enabled"); -- } else { -+ (void)type; - result = sqlite3_open_v2( - address.c_str(), - &m_connection, -@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address, - - m_usingLucene = false; - LogPedantic("Lucene index disabled"); -- } - - if (result == SQLITE_OK) { - LogPedantic("Connected to DB"); -@@ -653,11 +642,7 @@ void SqlConnection::Disconnect() - - int result; - -- if (m_usingLucene) { -- result = db_util_close(m_connection); -- } else { - result = sqlite3_close(m_connection); -- } - - if (result != SQLITE_OK) { - const char *error = sqlite3_errmsg(m_connection); --- -2.1.4 - 
diff --git a/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch deleted file mode 100644 index ac57964ca..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch +++ /dev/null @@ -1,35 +0,0 @@ -From d2995014142306987bf86b4d508a84b9b4683c5c Mon Sep 17 00:00:00 2001 -From: Patrick Ohly -Date: Wed, 19 Aug 2015 15:02:32 +0200 -Subject: [PATCH 2/2] security-manager-policy-reload: do not depend on GNU sed - -\U (= make replacement uppercase) is a GNU sed extension which is not -supported by other sed implementation's (like the one from -busybox). When using busybox, the bucket for user profiles became -USER_TYPE_Uadmin instead USER_TYPE_ADMIN. - -To make SecurityManager more portable, better use tr to turn the -bucket name into uppercase. - -Signed-off-by: Patrick Ohly -Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 - ---- - policy/security-manager-policy-reload | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload -index 274c49c..6f211c6 100755 ---- a/policy/security-manager-policy-reload -+++ b/policy/security-manager-policy-reload -@@ -33,7 +33,7 @@ END - find "$POLICY_PATH" -name "usertype-*.profile" | - while read file - do -- bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`" -+ bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`" - - # Re-create the bucket with empty contents - cyad --delete-bucket=$bucket || true --- -2.1.4 
diff --git a/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch b/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch deleted file mode 100644 index fa4c21c7f..000000000 --- a/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 75c4852e47217ab85d6840b488ab4b3688091856 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= -Date: Fri, 8 Jan 2016 16:53:46 +0100 -Subject: [PATCH 1/2] socket-manager: removes tizen specific call -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The function 'smack_fgetlabel' is specific to Tizen -and is no more maintained upstream. - -Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/] - -Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f -Signed-off-by: José Bollo ---- - src/server/main/socket-manager.cpp | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp -index 0366186..c5cec18 100644 ---- a/src/server/main/socket-manager.cpp -+++ b/src/server/main/socket-manager.cpp -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -500,9 +501,9 @@ int SocketManager::CreateDomainSocketHelp( - if (smack_check()) { - LogInfo("Set up smack label: " << desc.smackLabel); - -- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) { -- LogError("Error in smack_fsetlabel"); -- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel"); -+ if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) { -+ LogError("Error in smack_set_label_for_file"); -+ ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file"); - } - } else { - LogInfo("No smack on platform. Socket won't be securied with smack label!"); --- -2.1.4 - diff --git a/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch b/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch deleted file mode 100644 index cd5c36a6a..000000000 
--- a/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 8ec024d2adecb53029c6f1af2b95c93dfd43a7cb Mon Sep 17 00:00:00 2001 -From: Patrick Ohly -Date: Tue, 24 Mar 2015 04:54:03 -0700 -Subject: [PATCH] systemd: stop using compat libs - -libsystemd-journal and libsystemd-daemon are considered obsolete -in systemd since 2.09 and may not be available (not compiled -by default). - -The code works fine with the current libsystemd, so just -use that. - -Signed-off-by: Patrick Ohly -Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 - ---- - src/common/CMakeLists.txt | 2 +- - src/server/CMakeLists.txt | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt -index 2da9c3e..968c7c1 100644 ---- a/src/common/CMakeLists.txt -+++ b/src/common/CMakeLists.txt -@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2) - - PKG_CHECK_MODULES(COMMON_DEP - REQUIRED -- libsystemd-journal -+ libsystemd - libsmack - db-util - cynara-admin -diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt -index 753eb96..6849d76 100644 ---- a/src/server/CMakeLists.txt -+++ b/src/server/CMakeLists.txt -@@ -1,6 +1,6 @@ - PKG_CHECK_MODULES(SERVER_DEP - REQUIRED -- libsystemd-daemon -+ libsystemd - ) - - FIND_PACKAGE(Boost REQUIRED) --- -2.1.4 diff --git a/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-security/recipes-security/security-manager/security-manager_git.bb index 3cbc3aea8..f438ea505 100644 --- a/meta-security/recipes-security/security-manager/security-manager_git.bb +++ b/meta-security/recipes-security/security-manager/security-manager_git.bb 
@@ -6,32 +6,20 @@ SRC_URI += "git://github.com/Samsung/security-manager.git" S = "${WORKDIR}/git" SRC_URI += " \ -file://systemd-stop-using-compat-libs.patch \ -file://security-manager-policy-reload-do-not-depend-on-GNU-.patch \ -file://0001-Smack-rules-create-two-new-functions.patch \ -file://0002-app-install-implement-multiple-set-of-smack-rules.patch \ -file://c-11-replace-depracated-auto_ptr.patch \ -file://socket-manager-removes-tizen-specific-call.patch \ -file://Removing-tizen-platform-config.patch \ -file://removes-dependency-to-libslp-db-utils.patch \ -file://0001-Fix-gcc8-warning-error-Werror-catch-value.patch \ -file://0001-Avoid-casting-from-const-T-to-void.patch \ -" - -########################################## -# This are patches for backward compatibility to the version dizzy of poky. -# The dizzy version of libcap isn't providing a packconfig file. -# This is solved by the patch libcap-without-pkgconfig.patch. -# But after solving that issue, it appears that linux/xattr.h should -# also be include add definitions of XATTR_NAME_SMACK... values. 
-# Unfortunately, there is no explanation why linux/xattr.h should -# also be included (patch include-linux-xattr.patch) -########################################## -do_patch[depends] = "libcap:do_populate_sysroot" -APPLY = "${@str('no' if os.path.exists('${STAGING_LIBDIR}/pkgconfig/libcap.pc') else 'yes')}" -SRC_URI += "\ - file://libcap-without-pkgconfig.patch;apply=${APPLY} \ - file://include-linux-xattr.patch;apply=${APPLY} \ + file://0001-systemd-stop-using-compat-libs.patch \ + file://0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch \ + file://0003-Smack-rules-create-two-new-functions.patch \ + file://0004-app-install-implement-multiple-set-of-smack-rules.patch \ + file://0005-c-11-replace-deprecated-auto_ptr.patch \ + file://0006-socket-manager-removes-tizen-specific-call.patch \ + file://0007-removes-dependency-to-libslp-db-utils.patch \ + file://0008-Fix-gcc6-build.patch \ + file://0009-Fix-Cmake-conf-for-gcc6-build.patch \ + file://0010-gcc-7-requires-include-functional-for-std-function.patch \ + file://0011-Fix-gcc8-warning-error-Werror-catch-value.patch \ + file://0012-Avoid-casting-from-const-T-to-void.patch \ + file://0013-Removing-tizen-platform-config.patch \ + file://0014-Ensure-post-install-initialization-of-database.patch \ " # Use make with cmake and not ninja -- cgit 1.2.3-korg