From f70d712e4f505f5c5b50ae17f4f023d20a667568 Mon Sep 17 00:00:00 2001 From: José Bollo Date: Wed, 24 Jan 2018 11:38:43 +0100 Subject: Integrate parts of meta-intel-iot-security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the recipes of the sub layers - meta-security-framework - meta-security-smack Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643 
Signed-off-by: José Bollo --- meta-security/COPYING.MIT | 17 + meta-security/README.md | 31 + meta-security/classes/deploy-files.bbclass | 68 + meta-security/classes/xattr-images.bbclass | 137 + meta-security/conf/layer.conf | 12 + meta-security/lib/oeqa/runtime/__init__.py | 0 meta-security/lib/oeqa/runtime/files/notroot.py | 33 + .../oeqa/runtime/files/smack_test_file_access.sh | 54 + .../files/test_privileged_change_self_label.sh | 18 + .../lib/oeqa/runtime/files/test_smack_onlycap.sh | 27 + .../oeqa/runtime/files/test_smack_tcp_sockets.sh | 108 + .../oeqa/runtime/files/test_smack_udp_sockets.sh | 107 + meta-security/lib/oeqa/runtime/securitymanager.py | 108 + meta-security/lib/oeqa/runtime/smack.py | 589 ++++ .../recipes-connectivity/bluez5/bluez5_%.bbappend | 55 + .../connman/connman_%.bbappend | 32 + .../recipes-core/base-files/base-files_%.bbappend | 73 + .../recipes-core/coreutils/coreutils_%.bbappend | 7 + ...mleak-in-GetConnectionCredentials-handler.patch | 32 + ...lper-for-using-byte-arrays-as-the-variant.patch | 97 + ...ostic-support-for-LinuxSecurityLabel-cred.patch | 515 ++++ ...on-of-Cynara-asynchronous-security-checks.patch | 2253 +++++++++++++++ ...sage-dispatching-when-send-rule-result-is.patch | 941 +++++++ ...ailability-of-policy-results-for-broadcas.patch | 1071 +++++++ ...d-own-rule-result-unavailability-handling.patch | 1142 ++++++++ ...onnectionSmackContext-D-Bus-daemon-method.patch | 99 + ...m-Cynara-runtime-policy-checks-by-default.patch | 116 + .../recipes-core/dbus/dbus-cynara_1.8.18.bb | 58 + meta-security/recipes-core/dbus/dbus-oe-core.inc | 170 ++ meta-security/recipes-core/dbus/dbus_%.bbappend | 27 + .../packagegroup-security-framework.bb | 22 + ...ck-Handling-of-run-and-sys-fs-cgroup-v216.patch | 49 + ...n-smack-Handling-of-run-and-sys-fs-cgroup.patch | 50 + .../0004-tizen-smack-Handling-of-dev-v216.patch | 82 + .../systemd/0004-tizen-smack-Handling-of-dev.patch | 68 + .../0005-tizen-smack-Handling-network-v216.patch | 107 + 
.../0005-tizen-smack-Handling-network-v225.patch | 191 ++ .../0005-tizen-smack-Handling-network-v228.patch | 179 ++ .../0005-tizen-smack-Handling-network.patch | 106 + ...zen-smack-Runs-systemd-journald-with-v216.patch | 41 + ...07-tizen-smack-Runs-systemd-journald-with.patch | 37 + ...x-handling-of-symlink-Smack-labellin-v228.patch | 58 + .../systemd/systemd/udev-smack-default.rules | 23 + .../recipes-core/systemd/systemd_%.bbappend | 120 + .../recipes-core/util-linux/util-linux_%.bbappend | 8 + .../recipes-devtools/e2fsprogs/e2fsprogs.inc | 27 + .../e2fsprogs/e2fsprogs/acinclude.m4 | 135 + .../e2fsprogs/e2fsprogs/mkdir.patch | 18 + .../e2fsprogs/e2fsprogs/ptest.patch | 67 + .../e2fsprogs/e2fsprogs/quiet-debugfs.patch | 19 + .../e2fsprogs/e2fsprogs/remove.ldconfig.call.patch | 44 + .../recipes-devtools/e2fsprogs/e2fsprogs/run-ptest | 11 + .../e2fsprogs/e2fsprogs_%.bbappend | 14 + .../recipes-devtools/e2fsprogs/e2fsprogs_git.bb | 106 + ...fix-adding-multiple-xattrs-during-image-c.patch | 51 + .../recipes-kernel/linux/linux-%.bbappend | 17 + meta-security/recipes-kernel/linux/linux/audit.cfg | 2 + .../linux/linux/smack-default-lsm.cfg | 2 + meta-security/recipes-kernel/linux/linux/smack.cfg | 8 + .../audit/add-system-call-table-for-ARM.patch | 46 + .../audit/audit/audit-for-cross-compiling.patch | 2938 ++++++++++++++++++++ .../audit/audit/audit-python-configure.patch | 27 + .../audit/audit/audit-python.patch | 31 + .../audit/audit/audit-volatile.conf | 1 + meta-security/recipes-security/audit/audit/auditd | 153 + .../recipes-security/audit/audit/auditd.service | 20 + .../audit/audit/disable-ldap.patch | 59 + .../audit/audit/fix-swig-host-contamination.patch | 48 + .../recipes-security/audit/audit_2.3.2.bb | 102 + meta-security/recipes-security/cynara/cynara.inc | 158 ++ ...cmake-Improves-directories-and-libsystemd.patch | 119 + .../cynara-db-migration-abort-on-errors.patch | 31 + .../cynara/cynara/gmock-pthread-linking.patch | 31 + 
.../recipes-security/cynara/cynara/run-ptest | 4 + .../recipes-security/cynara/cynara_git.bb | 11 + .../keyutils/keyutils-arm-remove-m32-m64.patch | 19 + .../keyutils/keyutils_fix_library_install.patch | 30 + .../keyutils/keyutils_fix_x86-64_cflags.patch | 13 + .../keyutils/keyutils_fix_x86_cflags.patch | 13 + .../recipes-security/keyutils/keyutils_1.5.8.bb | 44 + .../libcap-ng/libcap-ng/CVE-2014-3215.patch | 79 + .../libcap-ng/libcap-ng/python.patch | 39 + .../recipes-security/libcap-ng/libcap-ng_0.7.3.bb | 39 + .../security-manager/security-manager.inc | 98 + ...0001-Smack-rules-create-two-new-functions.patch | 116 + ...all-implement-multiple-set-of-smack-rules.patch | 34 + .../Removing-tizen-platform-config.patch | 196 ++ .../c-11-replace-depracated-auto_ptr.patch | 32 + .../security-manager/include-linux-xattr.patch | 24 + .../libcap-without-pkgconfig.patch | 32 + .../removes-dependency-to-libslp-db-utils.patch | 78 + ...nager-policy-reload-do-not-depend-on-GNU-.patch | 35 + ...ocket-manager-removes-tizen-specific-call.patch | 47 + .../systemd-stop-using-compat-libs.patch | 47 + .../security-manager/security-manager_git.bb | 34 + .../recipes-security/smack/smack-userspace_git.bb | 27 + .../recipes-security/smacknet/files/smacknet | 184 ++ .../smacknet/files/smacknet.service | 11 + .../recipes-security/smacknet/smacknet.bb | 29 + meta-security/recipes-test/app-runas/app-runas.bb | 17 + .../recipes-test/app-runas/files/app-runas.cpp | 221 ++ .../recipes-test/mmap-smack-test/files/mmap.c | 7 + .../mmap-smack-test/mmap-smack-test.bb | 16 + .../mmap-smack-test/mmap-smack-test.bbappend | 2 + .../recipes-test/tcp-smack-test/files/tcp_client.c | 111 + .../recipes-test/tcp-smack-test/files/tcp_server.c | 118 + .../recipes-test/tcp-smack-test/tcp-smack-test.bb | 20 + .../tcp-smack-test/tcp-smack-test.bbappend | 2 + .../recipes-test/udp-smack-test/files/udp_client.c | 75 + .../recipes-test/udp-smack-test/files/udp_server.c | 93 + 
.../recipes-test/udp-smack-test/udp-smack-test.bb | 20 + .../udp-smack-test/udp-smack-test.bbappend | 2 + 112 files changed, 15442 insertions(+) create mode 100644 meta-security/COPYING.MIT create mode 100644 meta-security/README.md create mode 100644 meta-security/classes/deploy-files.bbclass create mode 100644 meta-security/classes/xattr-images.bbclass create mode 100644 meta-security/conf/layer.conf create mode 100644 meta-security/lib/oeqa/runtime/__init__.py create mode 100644 meta-security/lib/oeqa/runtime/files/notroot.py create mode 100644 meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh create mode 100644 meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh create mode 100644 meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh create mode 100644 meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh create mode 100644 meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh create mode 100644 meta-security/lib/oeqa/runtime/securitymanager.py create mode 100644 meta-security/lib/oeqa/runtime/smack.py create mode 100644 meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend create mode 100644 meta-security/recipes-connectivity/connman/connman_%.bbappend create mode 100644 meta-security/recipes-core/base-files/base-files_%.bbappend create mode 100644 meta-security/recipes-core/coreutils/coreutils_%.bbappend create mode 100644 meta-security/recipes-core/dbus/dbus-cynara/0001-Fix-memleak-in-GetConnectionCredentials-handler.patch create mode 100644 meta-security/recipes-core/dbus/dbus-cynara/0002-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch create mode 100644 meta-security/recipes-core/dbus/dbus-cynara/0003-Add-LSM-agnostic-support-for-LinuxSecurityLabel-cred.patch create mode 100644 meta-security/recipes-core/dbus/dbus-cynara/0004-Integration-of-Cynara-asynchronous-security-checks.patch create mode 100644 
meta-security/recipes-core/dbus/dbus-cynara/0005-Disable-message-dispatching-when-send-rule-result-is.patch create mode 100644 meta-security/recipes-core/dbus/dbus-cynara/0006-Handle-unavailability-of-policy-results-for-broadcas.patch create mode 100644 meta-security/recipes-core/dbus/dbus-cynara/0007-Add-own-rule-result-unavailability-handling.patch create mode 100644 meta-security/recipes-core/dbus/dbus-cynara/0008-Add-GetConnectionSmackContext-D-Bus-daemon-method.patch create mode 100644 meta-security/recipes-core/dbus/dbus-cynara/Perform-Cynara-runtime-policy-checks-by-default.patch create mode 100644 meta-security/recipes-core/dbus/dbus-cynara_1.8.18.bb create mode 100644 meta-security/recipes-core/dbus/dbus-oe-core.inc create mode 100644 meta-security/recipes-core/dbus/dbus_%.bbappend create mode 100644 meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb create mode 100644 meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch 
create mode 100644 meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch create mode 100644 meta-security/recipes-core/systemd/systemd/udev-smack-default.rules create mode 100644 meta-security/recipes-core/systemd/systemd_%.bbappend create mode 100644 meta-security/recipes-core/util-linux/util-linux_%.bbappend create mode 100644 meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc create mode 100644 meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4 create mode 100644 meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch create mode 100644 meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch create mode 100644 meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch create mode 100644 meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch create mode 100644 meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest create mode 100644 meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend create mode 100644 meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb create mode 100644 meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch create mode 100644 meta-security/recipes-kernel/linux/linux-%.bbappend create mode 100644 meta-security/recipes-kernel/linux/linux/audit.cfg create mode 100644 meta-security/recipes-kernel/linux/linux/smack-default-lsm.cfg create mode 100644 meta-security/recipes-kernel/linux/linux/smack.cfg create mode 100644 meta-security/recipes-security/audit/audit/add-system-call-table-for-ARM.patch create mode 100644 meta-security/recipes-security/audit/audit/audit-for-cross-compiling.patch create mode 100644 meta-security/recipes-security/audit/audit/audit-python-configure.patch create mode 100644 meta-security/recipes-security/audit/audit/audit-python.patch create mode 100644 meta-security/recipes-security/audit/audit/audit-volatile.conf create mode 100755 
meta-security/recipes-security/audit/audit/auditd create mode 100644 meta-security/recipes-security/audit/audit/auditd.service create mode 100644 meta-security/recipes-security/audit/audit/disable-ldap.patch create mode 100644 meta-security/recipes-security/audit/audit/fix-swig-host-contamination.patch create mode 100644 meta-security/recipes-security/audit/audit_2.3.2.bb create mode 100644 meta-security/recipes-security/cynara/cynara.inc create mode 100644 meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch create mode 100644 meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch create mode 100644 meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch create mode 100755 meta-security/recipes-security/cynara/cynara/run-ptest create mode 100644 meta-security/recipes-security/cynara/cynara_git.bb create mode 100644 meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch create mode 100644 meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch create mode 100644 meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch create mode 100644 meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch create mode 100644 meta-security/recipes-security/keyutils/keyutils_1.5.8.bb create mode 100644 meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch create mode 100644 meta-security/recipes-security/libcap-ng/libcap-ng/python.patch create mode 100644 meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb create mode 100644 meta-security/recipes-security/security-manager/security-manager.inc create mode 100644 meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch 
create mode 100644 meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch create mode 100644 meta-security/recipes-security/security-manager/security-manager_git.bb create mode 100644 meta-security/recipes-security/smack/smack-userspace_git.bb create mode 100644 meta-security/recipes-security/smacknet/files/smacknet create mode 100644 meta-security/recipes-security/smacknet/files/smacknet.service create mode 100644 meta-security/recipes-security/smacknet/smacknet.bb create mode 100644 meta-security/recipes-test/app-runas/app-runas.bb create mode 100644 meta-security/recipes-test/app-runas/files/app-runas.cpp create mode 100644 meta-security/recipes-test/mmap-smack-test/files/mmap.c create mode 100644 meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb create mode 100644 meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend create mode 100644 meta-security/recipes-test/tcp-smack-test/files/tcp_client.c create mode 100644 meta-security/recipes-test/tcp-smack-test/files/tcp_server.c create mode 100644 
meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb create mode 100644 meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend create mode 100644 meta-security/recipes-test/udp-smack-test/files/udp_client.c create mode 100644 meta-security/recipes-test/udp-smack-test/files/udp_server.c create mode 100644 meta-security/recipes-test/udp-smack-test/udp-smack-test.bb create mode 100644 meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend diff --git a/meta-security/COPYING.MIT b/meta-security/COPYING.MIT new file mode 100644 index 000000000..89de35479 --- /dev/null +++ b/meta-security/COPYING.MIT @@ -0,0 +1,17 @@ +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/meta-security/README.md b/meta-security/README.md new file mode 100644 index 000000000..0bae9f3fb --- /dev/null +++ b/meta-security/README.md 
@@ -0,0 +1,31 @@
+This README file contains information on the contents of the
+meta-security layer.
+
+Please see the corresponding sections below for details.
+
+
+Dependencies
+============
+
+This layer depends on:
+
+ URI: git://git.openembedded.org/bitbake
+ branch: master
+
+ URI: git://git.openembedded.org/openembedded-core
+ layers: meta
+ branch: master
+
+ URI: git://git.yoctoproject.org/meta-security
+ branch: master
+
+
+Patches
+=======
+
+Please submit any patches against the meta-security layer via gerrit
+reviews.
+
+For discussion use the discussion mailing list
+mailto:automotive-discussions@lists.linuxfoundation.org
+
diff --git a/meta-security/classes/deploy-files.bbclass b/meta-security/classes/deploy-files.bbclass
new file mode 100644
index 000000000..ec19323a3
--- /dev/null
+++ b/meta-security/classes/deploy-files.bbclass
@@ -0,0 +1,68 @@
+DEPLOY_FILES_DIR = "${WORKDIR}/deploy-files-${PN}"
+SSTATETASKS += "do_deploy_files"
+do_deploy_files[sstate-inputdirs] = "${DEPLOY_FILES_DIR}"
+do_deploy_files[sstate-outputdirs] = "${DEPLOY_DIR}/files/"
+
+python do_deploy_files_setscene () {
+ sstate_setscene(d)
+}
+addtask do_deploy_files_setscene
+do_deploy_files[dirs] = "${DEPLOY_FILES_DIR} ${B}"
+
+# Use like this:
+# DEPLOY_FILES = "abc xyz"
+# DEPLOY_FILES_FROM[abc] = "file-ab dir-c"
+# DEPLOY_FILES_TO[abc] = "directory-for-abc"
+# DEPLOY_FILES_FROM[xyz] = "file-xyz"
+# DEPLOY_FILES_TO[xyz] = "directory-for-xyz"
+#
+# The destination directory will be created inside
+# ${DEPLOYDIR}. The source files and directories
+# will be copied such that their name and (for
+# directories) the directory tree below it will
+# be preserved. Shell wildcards are supported.
+#
+# The default DEPLOY_FILES copies files for the native host
+# and the target into two different directories. Use that as follows:
+# DEPLOY_FILES_FROM_native = "native-file"
+# DEPLOY_FILES_FROM_target = "target-file"
+
+DEPLOY_FILES ?= "native target"
+DEPLOY_FILES_FROM[native] ?= ""
+DEPLOY_FILES_TO[native] = "native/${BUILD_ARCH}"
+DEPLOY_FILES_FROM[target] ?= ""
+DEPLOY_FILES_TO[target] = "target/${MACHINE}"
+
+# We have to use a Python function to access variable flags. Because
+# bitbake then does not know about the dependency on these variables,
+# we need to explicitly declare that. DEPLOYDIR may change without
+# invalidating the sstate, therefore it is not listed.
+do_deploy_files[vardeps] = "DEPLOY_FILES DEPLOY_FILES_FROM DEPLOY_FILES_TO"
+python do_deploy_files () {
+ import glob
+ import os
+ import shutil
+
+ for file in (d.getVar('DEPLOY_FILES', True) or '').split():
+ bb.note('file: %s' % file)
+ from_pattern = d.getVarFlag('DEPLOY_FILES_FROM', file, True)
+ bb.note('from: %s' % from_pattern)
+ if from_pattern:
+ to = os.path.join(d.getVar('DEPLOY_FILES_DIR', True), d.getVarFlag('DEPLOY_FILES_TO', file, True))
+ bb.note('to: %s' % to)
+ if not os.path.isdir(to):
+ os.makedirs(to)
+ for from_path in from_pattern.split():
+ for src in (glob.glob(from_path) or [from_path]):
+ bb.note('Deploying %s to %s' % (src, to))
+ if os.path.isdir(src):
+ src_dirname = shutil._basename(src)
+ to = os.path.join(to, src_dirname)
+ if os.path.exists(to):
+ bb.utils.remove(to, True)
+ shutil.copytree(src, to)
+ else:
+ shutil.copy(src, to)
+}
+
+addtask deploy_files before do_build after do_compile
diff --git a/meta-security/classes/xattr-images.bbclass b/meta-security/classes/xattr-images.bbclass
new file mode 100644
index 000000000..565a3fb6e
--- /dev/null
+++ b/meta-security/classes/xattr-images.bbclass
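Review bot: In the directory branch of the innermost loop, `to = os.path.join(to, src_dirname)` overwrites the destination that the enclosing `for from_path` / `for src` loops share, so after the first directory source is copied every later glob match and every later entry of the same DEPLOY_FILES key is deployed underneath that directory instead of beside it, and the `bb.utils.remove(to, True)` that follows then recursively deletes that nested path. The destination for a directory should be a loop-local name so `to` stays the deploy root for the whole entry. `shutil._basename` is also a private helper of the stdlib, not a public API; `os.path.basename(src.rstrip(os.sep))` gives the same trailing-slash-tolerant result. Since this layer exists to carry Smack/IMA xattrs, note as well that `shutil.copy` copies mode bits only, so a labelled file deployed this way arrives without its xattrs — if deployed files are ever expected to keep labels, `shutil.copy2` (which goes through `copystat`) is the call to use.

```python
if os.path.isdir(src):
    # keep `to` untouched: it is shared by the enclosing loops
    dest = os.path.join(to, os.path.basename(src.rstrip(os.sep)))
    if os.path.exists(dest):
        bb.utils.remove(dest, True)
    shutil.copytree(src, dest)
# … unchanged: else branch copying a single file …
```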
@@ -0,0 +1,137 @@
+# Both Smack and IMA/EVM rely on xattrs. Inheriting this class ensures
+# that these xattrs get preserved in tar and jffs2 images.
+#
+# It also fixes the rootfs so that the content of directories with
+# SMACK::TRANSMUTE is correctly labelled. This is because pseudo does
+# not know the special semantic of SMACK::TRANSMUTE and omits the
+# updating of the Smack label when creating entries inside such a directory,
+# for example /etc (see base-files_%.bbappend). Without the fixup,
+# files already installed during the image creation would have different (and
+# wrong) Smack labels.
+
+# xattr support is expected to be compiled into mtd-utils. We just need to
+# use it.
+EXTRA_IMAGECMD_jffs2_append = " --with-xattr"
+
+# By default, OE-core uses tar from the host, which may or may not have the
+# --xattrs parameter which was introduced in 1.27. For image building we
+# use a recent enough tar instead.
+#
+# The GNU documentation does not specify whether --xattrs-include is necessary.
+# In practice, it turned out to be not needed when creating archives and
+# required when extracting, but it seems prudent to use it in both cases.
+IMAGE_DEPENDS_tar_append = " tar-replacement-native"
+EXTRANATIVEPATH += "tar-native"
+IMAGE_CMD_TAR = "tar --xattrs --xattrs-include=*"
+
+xattr_images_fix_transmute[dirs] = "${IMAGE_ROOTFS}"
+python xattr_images_fix_transmute () {
+ # The recursive updating of the Smack label ensures that each entry
+ # has the label set for its parent directories if one of those was
+ # marked as transmuting.
+ #
+ # In addition, "_" is set explicitly on everything that would not
+ # have a label otherwise. This is a workaround for tools like swupd
+ # which transfers files from a rootfs onto a target device where Smack
+ # is active: on the target, each file gets assigned a label, typically
+ # the one from the process which creates it. swupd (or rather, the tools
+ # it is currently built on) knows how to set security.SMACK64="_" when
+ # it is set on the original files, but it does not know that it needs
+ # to remove that xattr when not set.
+ import os
+ import errno
+
+ if getattr(os, 'getxattr', None):
+ # Python 3: os has xattr support.
+ def lgetxattr(f, attr):
+ try:
+ value = os.getxattr(f, attr, follow_symlinks=False)
+ return value.decode('utf8')
+ except OSError as ex:
+ if ex.errno == errno.ENODATA:
+ return None
+
+ def lsetxattr(f, attr, value):
+ os.setxattr(f, attr.encode('utf8'), value.encode('utf8'), follow_symlinks=False)
+ else:
+ # Python 2: xattr support only in xattr module.
+ #
+ # Cannot use the 'xattr' module, it is not part of a standard Python
+ # installation. Instead re-implement using ctypes. Only has to be good
+ # enough for xattrs that are strings. Always operates on the symlinks themselves,
+ # not what they point to.
+ import ctypes
+
+ # We cannot look up the xattr functions inside libc. That bypasses
+ # pseudo, which overrides these functions via LD_PRELOAD. Instead we have to
+ # find the function address and then create a ctypes function from it.
+ libdl = ctypes.CDLL("libdl.so.2")
+ _dlsym = libdl.dlsym
+ _dlsym.restype = ctypes.c_void_p
+ RTLD_DEFAULT = ctypes.c_void_p(0)
+ _lgetxattr = ctypes.CFUNCTYPE(ctypes.c_ssize_t, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p, ctypes.c_size_t,
+ use_errno=True)(_dlsym(RTLD_DEFAULT, 'lgetxattr'))
+ _lsetxattr = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
+ use_errno=True)(_dlsym(RTLD_DEFAULT, 'lsetxattr'))
+
+ def lgetxattr(f, attr):
+ len = 32
+ while True:
+ buffer = ctypes.create_string_buffer('\000' * len)
+ res = _lgetxattr(f, attr, buffer, ctypes.c_size_t(len))
+ if res >= 0:
+ return buffer.value
+ else:
+ error = ctypes.get_errno()
+ if ctypes.get_errno() == errno.ERANGE:
+ len *= 2
+ elif error == errno.ENODATA:
+ return None
+ else:
+ raise IOError(error, 'lgetxattr(%s, %s): %d = %s = %s' %
+ (f, attr, error, errno.errorcode[error], os.strerror(error)))
+
+ def lsetxattr(f, attr, value):
+ res = _lsetxattr(f, attr, value, ctypes.c_size_t(len(value)), ctypes.c_int(0))
+ if res != 0:
+ error = ctypes.get_errno()
+ raise IOError(error, 'lsetxattr(%s, %s, %s): %d = %s = %s' %
+ (f, attr, value, error, errno.errorcode[error], os.strerror(error)))
+
+ def visit(path, deflabel, deftransmute):
+ isrealdir = os.path.isdir(path) and not os.path.islink(path)
+ curlabel = lgetxattr(path, 'security.SMACK64')
+ transmute = lgetxattr(path, 'security.SMACK64TRANSMUTE') == 'TRUE'
+
+ if not curlabel:
+ # Since swupd doesn't remove the label from an updated file assigned by
+ # the target device's kernel upon unpacking the file from an update,
+ # we have to set the floor label explicitly even though it is the default label
+ # and thus adding it would create additional overhead. Otherwise this
+ # would result in hash mismatches reported by `swupd verify`.
+ lsetxattr(path, 'security.SMACK64', deflabel)
+ if not transmute and deftransmute and isrealdir:
+ lsetxattr(path, 'security.SMACK64TRANSMUTE', 'TRUE')
+
+ # Identify transmuting directories and change the default Smack
+ # label inside them. In addition, directories themselves must become
+ # transmuting.
+ if isrealdir:
+ if transmute:
+ deflabel = lgetxattr(path, 'security.SMACK64')
+ deftransmute = True
+ if deflabel is None:
+ raise RuntimeError('%s: transmuting directory without Smack label' % path)
+ elif curlabel:
+ # Directory with explicit label set and not transmuting => do not
+ # change the content unless we run into another transmuting directory.
+ deflabel = '_'
+ deftransmute = False
+
+ for entry in os.listdir(path):
+ visit(os.path.join(path, entry), deflabel, deftransmute)
+
+ visit('.', '_', False)
+}
+# Same logic as in ima-evm-rootfs.bbclass: try to run as late as possible.
+IMAGE_PREPROCESS_COMMAND_append_with-lsm-smack = " xattr_images_fix_transmute ; "
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
new file mode 100644
index 000000000..c051e5885
--- /dev/null
+++ b/meta-security/conf/layer.conf
@@ -0,0 +1,12 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH =. "${LAYERDIR}:"
+
+# We have a packages directory, add to BBFILES
+BBFILES := "${BBFILES} \
+ ${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+# Must prioritize our rpm recipe over the default ones.
+BBFILE_COLLECTIONS += "security-smack"
+BBFILE_PATTERN_security-smack := "^${LAYERDIR}/"
+BBFILE_PRIORITY_security-smack = "8"
diff --git a/meta-security/lib/oeqa/runtime/__init__.py b/meta-security/lib/oeqa/runtime/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/meta-security/lib/oeqa/runtime/files/notroot.py b/meta-security/lib/oeqa/runtime/files/notroot.py
new file mode 100644
index 000000000..f0eb0b5b9
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/notroot.py
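Review bot: The Python 3 `lgetxattr` in xattr_images_fix_transmute swallows every OSError other than ENODATA: the `except OSError as ex:` block only returns on `ex.errno == errno.ENODATA` and otherwise falls off the end, so EPERM, EACCES or ENOTSUP (rootfs on a filesystem without xattr support) come back as `None`, which `visit()` cannot tell apart from "no label". The consequences are security-relevant, since this pass is what bakes the Smack policy into the image: an unreadable `security.SMACK64TRANSMUTE` makes a transmuting directory look non-transmuting and its children are labelled with the wrong default, and an unreadable `security.SMACK64` gets `_` written over it. The ctypes branch already raises `IOError` for anything but ERANGE/ENODATA, so the two implementations disagree; make the Python 3 one match by ending the handler with `if ex.errno == errno.ENODATA:` / `return None` / `raise`.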
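Review bot: The comment `# Must prioritize our rpm recipe over the default ones.` above BBFILE_COLLECTIONS does not describe this layer, which (per the diffstat) ships no rpm recipe; what the priority of 8 presumably has to guarantee is that the layer's bbappends (systemd, dbus, base-files, the kernel) and its own replacement recipes (e2fsprogs_git.bb, audit, keyutils, libcap-ng) take precedence over same-named recipes in other layers. Replace it with a comment that says so, e.g. `# Priority 8: our bbappends and replacement recipes (e2fsprogs, audit, ...) must override the ones from lower-priority layers`. It would also help a reader that the collection is named `security-smack` while the directory and the README call it the meta-security layer; a one-line comment on BBFILE_COLLECTIONS noting the name is kept for compatibility with the original meta-intel-iot-security sub-layer would avoid the confusion, if that is indeed the reason.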
@@ -0,0 +1,33 @@ +#!/usr/bin/env python +# +# Script used for running executables with custom labels, as well as custom uid/gid +# Process label is changed by writing to /proc/self/attr/curent +# +# Script expects user id and group id to exist, and be the same. +# +# From adduser manual: +# """By default, each user in Debian GNU/Linux is given a corresponding group +# with the same name. """ +# +# Usage: root@desk:~# python notroot.py