From 1ac5c704bb4b7fd72d9e382ccf23f4d186da0f86 Mon Sep 17 00:00:00 2001
From: Stephane Desneux <stephane.desneux@iot.bzh>
Date: Thu, 23 Jun 2016 16:00:59 +0000
Subject: add layer meta-app-framework meta-app-framework is a layer containing the AGL App Framework recipes 4 new layers are added for application framework: * meta-intel-iot-security/meta-security-smack * meta-intel-iot-security/meta-security-framework * meta-agl/meta-agl-security * meta-agl/meta-app-framework Configuration file changes to support AppFw: * activation of Smack and Cynara * modify the tar command to be used to support Smack extended attributes
Change-Id: Idc8abdc8869787feb4b534ee45bf7b5d3dde3632
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
---
.../libcap/removing-capability-enforcement.patch | 79 ++++++++++++++++++++++
.../recipes-support/libcap/libcap_%.bbappend | 5 ++
2 files changed, 84 insertions(+)
create mode 100644 meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
create mode 100644 meta-app-framework/recipes-support/libcap/libcap_%.bbappend
(limited to 'meta-app-framework/recipes-support/libcap')
diff --git a/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
new file mode 100644
index 000000000..fd01c19e9
--- /dev/null
+++ b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
@@ -0,0 +1,79 @@
+From c34b2725817d4fd1fd6878bbb16617cb9e3e3a70 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Fri, 22 Jan 2016 16:23:59 +0100
+Subject: [PATCH] removing capability enforcement
+
+Change-Id: Idb724192ceab176a611bbed45c0ebc9c8eb5dd30
+---
+ progs/setcap.c | 43 -------------------------------------------
+ 1 file changed, 43 deletions(-)
+
+diff --git a/progs/setcap.c b/progs/setcap.c
+index 83090ae..01faa17 100644
+--- a/progs/setcap.c
++++ b/progs/setcap.c
+@@ -58,7 +58,6 @@ static int read_caps(int quiet, const char *filename, char *buffer)
+
+ int main(int argc, char **argv)
+ {
+- int tried_to_cap_setfcap = 0;
+ char buffer[MAXCAP+1];
+ int retval, quiet=0, verify=0;
+ cap_t mycaps;
+@@ -150,53 +149,11 @@ int main(int argc, char **argv)
+ printf("%s: OK\n", *argv);
+ }
+ } else {
+- if (!tried_to_cap_setfcap) {
+- capflag = CAP_SETFCAP;
+-
+- /*
+- * Raise the effective CAP_SETFCAP.
+- */
+- if (cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag, CAP_SET)
+- != 0) {
+- perror("unable to manipulate CAP_SETFCAP - "
+- "try a newer libcap?");
+- exit(1);
+- }
+- if (cap_set_proc(mycaps) != 0) {
+- perror("unable to set CAP_SETFCAP effective capability");
+- exit(1);
+- }
+- tried_to_cap_setfcap = 1;
+- }
+ retval = cap_set_file(*++argv, cap_d);
+ if (retval != 0) {
+- int explained = 0;
+-#ifdef linux
+- cap_value_t cap;
+- cap_flag_value_t per_state;
+-
+- for (cap = 0;
+- cap_get_flag(cap_d, cap, CAP_PERMITTED, &per_state) != -1;
+- cap++) {
+- cap_flag_value_t inh_state, eff_state;
+-
+- cap_get_flag(cap_d, cap, CAP_INHERITABLE, &inh_state);
+- cap_get_flag(cap_d, cap, CAP_EFFECTIVE, &eff_state);
+- if ((inh_state | per_state) != eff_state) {
+- fprintf(stderr, "NOTE: Under Linux, effective file capabilities must either be empty, or\n"
+- " exactly match the union of selected permitted and inheritable bits.\n");
+- explained = 1;
+- break;
+- }
+- }
+-#endif /* def linux */
+-
+ fprintf(stderr,
+ "Failed to set capabilities on file `%s' (%s)\n",
+ argv[0], strerror(errno));
+- if (!explained) {
+- usage();
+- }
+ }
+ }
+ if (cap_d) {
+--
+2.1.4
+
diff --git a/meta-app-framework/recipes-support/libcap/libcap_%.bbappend b/meta-app-framework/recipes-support/libcap/libcap_%.bbappend
new file mode 100644
index 000000000..fbe893501
--- /dev/null
+++ b/meta-app-framework/recipes-support/libcap/libcap_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS_append_class-native := ":${THISDIR}/${PN}"
+SRC_URI_append_class-native = " file://removing-capability-enforcement.patch"
+PACKAGECONFIG_class-native ?= "attr"
+DEPENDS_append_class-native = " attr-native"
+
-- cgit
From cbca8a09594c90392b2bf87437daa4b9a9db9bff Mon Sep 17 00:00:00 2001
From: Ronan Le Martret <ronan.lemartret@iot.bzh>
Date: Fri, 14 Oct 2016 14:21:15 +0200
Subject: fix libcap patch
Change-Id: I49d42748c6dcb1927d1370b0706a085a17aa8a2b
Signed-off-by: Ronan Le Martret <ronan.lemartret@iot.bzh>
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
---
.../libcap/removing-capability-enforcement.patch | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
(limited to 'meta-app-framework/recipes-support/libcap')
diff --git a/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
index fd01c19e9..fa359fa87 100644
--- a/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
+++ b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
@@ -3,16 +3,18 @@
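Review bot: In removing-capability-enforcement.patch, the `retval != 0` branch of setcap.c's main() keeps only the `fprintf(stderr, "Failed to set capabilities ...")` call once `usage()` is removed, so nothing visible in the hunk makes the failure fatal. If `usage()` was what ended the process with a non-zero status (its body is not shown here), a failed `cap_set_file()` would now be logged and then ignored, and the calling build step could succeed with files missing their intended capabilities. Consider keeping an explicit `exit(1);` after the `fprintf`, or state in the patch header why continuing is intended. main() starts and ends outside the hunk.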
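Review bot: libcap_%.bbappend has no comment saying why a patch named "removing capability enforcement" is applied, or that every line is deliberately limited by the `_class-native` override. If native-only is the intent, a comment such as `# Native (build-host) setcap only; the target libcap stays unpatched.` above `SRC_URI_append_class-native` would keep a later edit from dropping the override and carrying the change onto the target. The reason the native tool needs the patch is not stated on the page, so the comment should give it in the author's words.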
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> Date: Fri, 22 Jan 2016 16:23:59 +0100 Subject: [PATCH] removing capability enforcement +Signed-off-by: ronan <ronan@iot.bzh> + Change-Id: Idb724192ceab176a611bbed45c0ebc9c8eb5dd30 --- - progs/setcap.c | 43 ------------------------------------------- - 1 file changed, 43 deletions(-) + progs/setcap.c | 45 +-------------------------------------------- + 1 file changed, 1 insertion(+), 44 deletions(-) diff --git a/progs/setcap.c b/progs/setcap.c -index 83090ae..01faa17 100644 +index 7304343..71999b6 100644 --- a/progs/setcap.c +++ b/progs/setcap.c -@@ -58,7 +58,6 @@ static int read_caps(int quiet, const char *filename, char *buffer) +@@ -58,11 +58,9 @@ static int read_caps(int quiet, const char *filename, char *buffer) int main(int argc, char **argv) { @@ -20,7 +22,11 @@ index 83090ae..01faa17 100644 char buffer[MAXCAP+1]; int retval, quiet=0, verify=0; cap_t mycaps; -@@ -150,53 +149,11 @@ int main(int argc, char **argv) +- cap_value_t capflag; + + if (argc < 3) { + usage(); +@@ -150,54 +148,13 @@ int main(int argc, char **argv) printf("%s: OK\n", *argv); } } else { @@ -45,6 +51,7 @@ index 83090ae..01faa17 100644 retval = cap_set_file(*++argv, cap_d); if (retval != 0) { - int explained = 0; + int oerrno = errno; -#ifdef linux - cap_value_t cap; - cap_flag_value_t per_state; @@ -67,13 +74,14 @@ index 83090ae..01faa17 100644 - fprintf(stderr, "Failed to set capabilities on file `%s' (%s)\n", - argv[0], strerror(errno)); + argv[0], strerror(oerrno)); - if (!explained) { - usage(); - } ++ } } if (cap_d) { -- -2.1.4 +2.6.6 -- cgit
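Review bot: The refreshed patch header in the first hunk gains a `Signed-off-by:` line but still gives no reason for dropping the CAP_SETFCAP raise from setcap, and the commit subject "fix libcap patch" does not say what was broken. For a patch that removes a privilege-related step, add a short rationale after the inner `Subject:` line and an `Upstream-Status: Inappropriate [<reason>]` tag (or whichever status applies). That lets a later libcap upgrade judge whether the patch is still needed instead of re-applying it blindly.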