From d468ce3b3d602f7c8a88d67126a32900b76fd433 Mon Sep 17 00:00:00 2001 From: Jan-Simon Moeller Date: Mon, 18 Oct 2021 14:07:53 +0200 Subject: Prepare master for new framework integration During the last workshop the transition to the new framework was presented. This change essentially deprecates the SMACK-based application framework. To prepare the integration of it, we remove the deprecated components: - meta-agl-core: remove Smack kernel patches - meta-app-framework - meta-pipewire/dynamic-layers/meta-app-framework/ v2: rebased Bug-AGL: SPEC-4121 Signed-off-by: Jan-Simon Moeller Change-Id: Icdaeadfb5d2193f3a4c535168c88da6073423e67 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26752 --- ...andle-CGROUP2-in-the-same-way-that-CGROUP.patch | 40 -------- .../Smack-Privilege-check-on-key-operations.patch | 109 --------------------- .../recipes-kernel/linux/linux-agl-4.14.inc | 8 -- .../run-yocto-check-layer-feature-enabled.sh | 6 +- meta-agl-core/scripts/run-yocto-check-layer.sh | 6 +- 5 files changed, 2 insertions(+), 167 deletions(-) delete mode 100644 meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch delete mode 100644 meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch (limited to 'meta-agl-core') diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch deleted file mode 100644 index c595dfdf5..000000000 --- a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 63f5acdf097b7baca8d0f7056a037f8811b48aaa Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= -Date: Tue, 27 Feb 2018 17:06:21 +0100 -Subject: [PATCH] Smack: Handle CGROUP2 in the same way that CGROUP -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The new file system CGROUP2 isn't actually handled -by smack. This changes makes Smack treat equally -CGROUP and CGROUP2 items. - -Signed-off-by: José Bollo ---- - security/smack/smack_lsm.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index 03fdecba93bb..5d77ed04422c 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -3431,6 +3431,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) - if (opt_dentry->d_parent == opt_dentry) { - switch (sbp->s_magic) { - case CGROUP_SUPER_MAGIC: -+ case CGROUP2_SUPER_MAGIC: - /* - * The cgroup filesystem is never mounted, - * so there's no opportunity to set the mount -@@ -3474,6 +3475,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) - switch (sbp->s_magic) { - case SMACK_MAGIC: - case CGROUP_SUPER_MAGIC: -+ case CGROUP2_SUPER_MAGIC: - /* - * Casey says that it's a little embarrassing - * that the smack file system doesn't do --- -2.14.3 - diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch deleted file mode 100644 index 4100bb8fd..000000000 --- a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch +++ /dev/null @@ -1,109 +0,0 @@ -Smack: Privilege check on key operations - -Operations on key objects are subjected to Smack policy -even if the process is privileged. This is inconsistent -with the general behavior of Smack and may cause issues -with authentication by privileged daemons. This patch -allows processes with CAP_MAC_OVERRIDE to access keys -even if the Smack rules indicate otherwise. - -Reported-by: Jose Bollo -Signed-off-by: Casey Schaufler ---- - security/smack/smack.h | 1 + - security/smack/smack_access.c | 40 +++++++++++++++++++++++++++++----------- - security/smack/smack_lsm.c | 4 ++++ - 3 files changed, 34 insertions(+), 11 deletions(-) - -diff --git a/security/smack/smack.h b/security/smack/smack.h -index 6a71fc7..f7db791 100644 ---- a/security/smack/smack.h -+++ b/security/smack/smack.h -@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int); - void smk_insert_entry(struct smack_known *skp); - struct smack_known *smk_find_entry(const char *); - bool smack_privileged(int cap); -+bool smack_privileged_cred(int cap, const struct cred *cred); - void smk_destroy_label_list(struct list_head *list); - - /* -diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c -index 1a30041..141ffac 100644 ---- a/security/smack/smack_access.c -+++ b/security/smack/smack_access.c -@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid) - LIST_HEAD(smack_onlycap_list); - DEFINE_MUTEX(smack_onlycap_lock); - --/* -+/** -+ * smack_privileged_cred - are all privilege requirements met by cred -+ * @cap: The requested capability -+ * @cred: the credential to use -+ * - * Is the task privileged and allowed to be privileged - * by the onlycap rule. - * - * Returns true if the task is allowed to be privileged, false if it's not. - */ --bool smack_privileged(int cap) -+bool smack_privileged_cred(int cap, const struct cred *cred) - { -- struct smack_known *skp = smk_of_current(); -+ struct task_smack *tsp = cred->security; -+ struct smack_known *skp = tsp->smk_task; - struct smack_known_list_elem *sklep; - int rc; - -- /* -- * All kernel tasks are privileged -- */ -- if (unlikely(current->flags & PF_KTHREAD)) -- return true; -- -- rc = cap_capable(current_cred(), &init_user_ns, cap, -- SECURITY_CAP_AUDIT); -+ rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT); - if (rc) - return false; - -@@ -662,3 +660,23 @@ bool smack_privileged(int cap) - - return false; - } -+ -+/** -+ * smack_privileged - are all privilege requirements met -+ * @cap: The requested capability -+ * -+ * Is the task privileged and allowed to be privileged -+ * by the onlycap rule. -+ * -+ * Returns true if the task is allowed to be privileged, false if it's not. -+ */ -+bool smack_privileged(int cap) -+{ -+ /* -+ * All kernel tasks are privileged -+ */ -+ if (unlikely(current->flags & PF_KTHREAD)) -+ return true; -+ -+ return smack_privileged_cred(cap, current_cred()); -+} -diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c -index 30f2c3d..03fdecb 100644 ---- a/security/smack/smack_lsm.c -+++ b/security/smack/smack_lsm.c -@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref, - */ - if (tkp == NULL) - return -EACCES; -+ -+ if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) -+ return 0; -+ - #ifdef CONFIG_AUDIT - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); - ad.a.u.key_struct.key = keyp->serial; - diff --git a/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc b/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc index 8476f343b..9ab3d34af 100644 --- a/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc +++ b/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc @@ -1,13 +1,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/linux-4.14:" -#------------------------------------------------------------------------- -# smack patches for kernels keys - -SRC_URI:append:with-lsm-smack = "\ - file://Smack-Privilege-check-on-key-operations.patch \ - file://Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch \ - " - SRC_URI:append = "\ file://net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch \ file://net-sch_generic-Use-pfifo_fast-as-fallback-scheduler.patch \ diff --git a/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh b/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh index fec73069e..e0e9d17a4 100755 --- a/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh +++ b/meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh @@ -20,14 +20,10 @@ AGL_EXTRA_IMAGE_FSTYPES ?= "" # important settings imported from poky-agl.conf # we do not import -DISTRO_FEATURES:append = " systemd smack" +DISTRO_FEATURES:append = " systemd" DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit" VIRTUAL-RUNTIME_init_manager = "systemd" -# workaround: -# ERROR: Nothing PROVIDES 'smack' (but /home/dl9pf/AGL/master-newlayout/external/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb DEPENDS on or otherwise requires it) -BBMASK += "meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb" - AGL_FEATURES += "aglcore" EOF diff --git a/meta-agl-core/scripts/run-yocto-check-layer.sh b/meta-agl-core/scripts/run-yocto-check-layer.sh index 369ed98b4..3af61bc19 100755 --- a/meta-agl-core/scripts/run-yocto-check-layer.sh +++ b/meta-agl-core/scripts/run-yocto-check-layer.sh @@ -20,14 +20,10 @@ AGL_EXTRA_IMAGE_FSTYPES ?= "" # important settings imported from poky-agl.conf # we do not import -DISTRO_FEATURES:append = " systemd smack" +DISTRO_FEATURES:append = " systemd" DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit" VIRTUAL-RUNTIME_init_manager = "systemd" -# workaround: -# ERROR: Nothing PROVIDES 'smack' (but /home/dl9pf/AGL/master-newlayout/external/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb DEPENDS on or otherwise requires it) -BBMASK += "meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb" - EOF -- cgit 1.2.3-korg