From d468ce3b3d602f7c8a88d67126a32900b76fd433 Mon Sep 17 00:00:00 2001 From: Jan-Simon Moeller Date: Mon, 18 Oct 2021 14:07:53 +0200 Subject: Prepare master for new framework integration During the last workshop the transition to the new framework was presented. This change essentially deprecates the SMACK-based application framework. To prepare the integration of it, we remove the deprecated components: - meta-agl-core: remove Smack kernel patches - meta-app-framework - meta-pipewire/dynamic-layers/meta-app-framework/ v2: rebased Bug-AGL: SPEC-4121 Signed-off-by: Jan-Simon Moeller Change-Id: Icdaeadfb5d2193f3a4c535168c88da6073423e67 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26752 --- .../recipes-connectivity/bluez5/bluez5_%.bbappend | 1 - .../recipes-connectivity/bluez5/bluez5_appfw.inc | 55 ---------------------- .../bluez5/files/bluetooth.service.conf | 2 - .../connman/connman_%.bbappend | 1 - .../recipes-connectivity/connman/connman_appfw.inc | 34 ------------- .../connman/files/connman.service.conf | 4 -- 6 files changed, 97 deletions(-) delete mode 100644 meta-app-framework/recipes-connectivity/bluez5/bluez5_%.bbappend delete mode 100644 meta-app-framework/recipes-connectivity/bluez5/bluez5_appfw.inc delete mode 100644 meta-app-framework/recipes-connectivity/bluez5/files/bluetooth.service.conf delete mode 100644 meta-app-framework/recipes-connectivity/connman/connman_%.bbappend delete mode 100644 meta-app-framework/recipes-connectivity/connman/connman_appfw.inc delete mode 100644 meta-app-framework/recipes-connectivity/connman/files/connman.service.conf (limited to 'meta-app-framework/recipes-connectivity') diff --git a/meta-app-framework/recipes-connectivity/bluez5/bluez5_%.bbappend b/meta-app-framework/recipes-connectivity/bluez5/bluez5_%.bbappend deleted file mode 100644 index 20d2a68d7..000000000 --- a/meta-app-framework/recipes-connectivity/bluez5/bluez5_%.bbappend +++ /dev/null @@ -1 +0,0 @@ -require ${@bb.utils.contains('APPFW_ENABLED', '1', 'bluez5_appfw.inc', '', d)} diff --git a/meta-app-framework/recipes-connectivity/bluez5/bluez5_appfw.inc b/meta-app-framework/recipes-connectivity/bluez5/bluez5_appfw.inc deleted file mode 100644 index 7b74de980..000000000 --- a/meta-app-framework/recipes-connectivity/bluez5/bluez5_appfw.inc +++ /dev/null @@ -1,55 +0,0 @@ -# Recent bluez5 releases started limiting the capabilities of -# bluetoothd. When running on a Smack-enabled system, that change has the -# effect that bluetoothd can no longer create the input device under -# /sys because bluez5 running with label "System" has no write -# access to that. -# -# It works when running as normal root with unrestricted capabilities -# because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows -# the process to ignore Smack rules. -# -# We need to ensure that bluetoothd still has that capability. -# -# To fix the issue, Patick and Casey(the Smack architect) had a talk -# about it in Ostro dev mail list. Casey has some ideas about the issue: -# "Turning off privilege is a great thing to do *so long as you don't -# really need the privilege*. In this case you really need it. -# The application package isn't written to account for Smack's use of -# CAP_MAC_OVERRIDE as the mechanism for controlling this dangerous operation. -# Yes, it would be possible to change /proc to change the Smack label on -# that particular file, but that might open other paths for exploit. -# I say give the program the required capability. The program maintainer -# may well say change the kernel handling of /proc. You're stuck in the -# middle, as both work the way they're intended and hence the system -# doesn't work. :( There isn't a way to make this work without "loosening" -# something." -# Therefore, when we we run the program with CAP_MAC_OVERRIDE, -# the whole reason for having capabilities is so the we can give a -# process the ability to bypass one kind of check without giving it the -# ability to bypass other, unrelated checks. A process with -# CAP_MAC_OVERRIDE is still constrained by the file mode bits. -# We was overly worried about granting that capability. -# When it has no other effect than excluding a process from Smack MAC enforcement, -# then adding to the process seems like the right solution for now. -# -# The conclusion from Patick and Casey is that the Smack architect give the key point -# that this is the solution preferred. -# -# Because the solution is to some extend specific to the environment -# in which connmand runs, this change is not submitted upstream -# and it can be overridden by a distro via FIX_BLUEZ5_CAPABILITIES. -# -# The related patch has been submitted to upstream too. -# upstream link: http://permalink.gmane.org/gmane.linux.bluez.kernel/67993 - -FILESEXTRAPATHS:prepend := "${THISDIR}/files:" - -SRC_URI:append:with-lsm-smack = "\ - file://bluetooth.service.conf \ -" - -FILES:${PN}:append = " ${systemd_unitdir}" - -do_install:append:with-lsm-smack() { - install -Dm0644 ${WORKDIR}/bluetooth.service.conf ${D}${systemd_unitdir}/system/bluetooth.service.d/smack.conf -} diff --git a/meta-app-framework/recipes-connectivity/bluez5/files/bluetooth.service.conf b/meta-app-framework/recipes-connectivity/bluez5/files/bluetooth.service.conf deleted file mode 100644 index b93ab4fee..000000000 --- a/meta-app-framework/recipes-connectivity/bluez5/files/bluetooth.service.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -CapabilityBoundingSet=CAP_MAC_OVERRIDE diff --git a/meta-app-framework/recipes-connectivity/connman/connman_%.bbappend b/meta-app-framework/recipes-connectivity/connman/connman_%.bbappend deleted file mode 100644 index 72aa9f276..000000000 --- a/meta-app-framework/recipes-connectivity/connman/connman_%.bbappend +++ /dev/null @@ -1 +0,0 @@ -require ${@bb.utils.contains('APPFW_ENABLED', '1', 'connman_appfw.inc', '', d)} diff --git a/meta-app-framework/recipes-connectivity/connman/connman_appfw.inc b/meta-app-framework/recipes-connectivity/connman/connman_appfw.inc deleted file mode 100644 index 644602021..000000000 --- a/meta-app-framework/recipes-connectivity/connman/connman_appfw.inc +++ /dev/null @@ -1,34 +0,0 @@ -# Recent ConnMan releases started limiting the capabilities of -# ConnMan. When running on a Smack-enabled system, that change has the -# effect that connmand can no longer change network settings under -# /proc/net because the Smack label of /proc is "_", and connmand -# running with label "System" has no write access to that. -# -# It works when running as normal root with unrestricted capabilities -# because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows -# the process to ignore Smack rules. -# -# We need to ensure that connmand still has that capability. -# -# The alternative would be to set up fine-grained labelling of -# /proc with corresponding rules, which is considerably more work -# and also may depend on kernel changes (like supporting smackfsroot -# for procfs, which seems to be missing at the moment). -# -# Because the solution is to some extend specific to the environment -# in which connmand runs, this change is not submitted upstream -# and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES. - -FILESEXTRAPATHS:prepend := "${THISDIR}/files:" - -SRC_URI:append:with-lsm-smack = "\ - file://connman.service.conf \ -" - -RDEPENDS:${PN}:append:with-lsm-smack = " smack" - -FILES:${PN}:append = " ${systemd_unitdir}" - -do_install:append:with-lsm-smack() { - install -Dm0644 ${WORKDIR}/connman.service.conf ${D}${systemd_unitdir}/system/connman.service.d/smack.conf -} diff --git a/meta-app-framework/recipes-connectivity/connman/files/connman.service.conf b/meta-app-framework/recipes-connectivity/connman/files/connman.service.conf deleted file mode 100644 index 6ebbf6ad1..000000000 --- a/meta-app-framework/recipes-connectivity/connman/files/connman.service.conf +++ /dev/null @@ -1,4 +0,0 @@ -[Service] -CapabilityBoundingSet=CAP_MAC_OVERRIDE -ExecStartPre=+-/bin/mkdir -p /run/connman -ExecStartPre=+-/usr/bin/chsmack -t -a System::Shared /run/connman -- cgit 1.2.3-korg