From 1ac5c704bb4b7fd72d9e382ccf23f4d186da0f86 Mon Sep 17 00:00:00 2001
From: Stephane Desneux <stephane.desneux@iot.bzh>
Date: Thu, 23 Jun 2016 16:00:59 +0000
Subject: add layer meta-app-framework

meta-app-framework is a layer containing the AGL App Framework recipes

4 new layers are added for application framework:
    * meta-intel-iot-security/meta-security-smack
    * meta-intel-iot-security/meta-security-framework
    * meta-agl/meta-agl-security
    * meta-agl/meta-app-framework

Configuration file changes to support AppFw:
    * activation of Smack and Cynara
    * modify the tar command to be used to support Smack extended attributes

Change-Id: Idc8abdc8869787feb4b534ee45bf7b5d3dde3632
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
---
 .../libcap/removing-capability-enforcement.patch   | 79 ++++++++++++++++++++++
 .../recipes-support/libcap/libcap_%.bbappend       |  5 ++
 2 files changed, 84 insertions(+)
 create mode 100644 meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
 create mode 100644 meta-app-framework/recipes-support/libcap/libcap_%.bbappend

(limited to 'meta-app-framework/recipes-support/libcap')

diff --git a/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
new file mode 100644
index 000000000..fd01c19e9
--- /dev/null
+++ b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
@@ -0,0 +1,79 @@
+From c34b2725817d4fd1fd6878bbb16617cb9e3e3a70 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Fri, 22 Jan 2016 16:23:59 +0100
+Subject: [PATCH] removing capability enforcement
+
+Change-Id: Idb724192ceab176a611bbed45c0ebc9c8eb5dd30
+---
+ progs/setcap.c | 43 -------------------------------------------
+ 1 file changed, 43 deletions(-)
+
+diff --git a/progs/setcap.c b/progs/setcap.c
+index 83090ae..01faa17 100644
+--- a/progs/setcap.c
++++ b/progs/setcap.c
+@@ -58,7 +58,6 @@ static int read_caps(int quiet, const char *filename, char *buffer)
+ 
+ int main(int argc, char **argv)
+ {
+-    int tried_to_cap_setfcap = 0;
+     char buffer[MAXCAP+1];
+     int retval, quiet=0, verify=0;
+     cap_t mycaps;
+@@ -150,53 +149,11 @@ int main(int argc, char **argv)
+ 		printf("%s: OK\n", *argv);
+ 	    }
+ 	} else {
+-	    if (!tried_to_cap_setfcap) {
+-		capflag = CAP_SETFCAP;
+-
+-		/*
+-		 * Raise the effective CAP_SETFCAP.
+-		 */
+-		if (cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag, CAP_SET)
+-		    != 0) {
+-		    perror("unable to manipulate CAP_SETFCAP - "
+-			   "try a newer libcap?");
+-		    exit(1);
+-		}
+-		if (cap_set_proc(mycaps) != 0) {
+-		    perror("unable to set CAP_SETFCAP effective capability");
+-		    exit(1);
+-		}
+-		tried_to_cap_setfcap = 1;
+-	    }
+ 	    retval = cap_set_file(*++argv, cap_d);
+ 	    if (retval != 0) {
+-		int explained = 0;
+-#ifdef linux
+-		cap_value_t cap;
+-		cap_flag_value_t per_state;
+-
+-		for (cap = 0;
+-		     cap_get_flag(cap_d, cap, CAP_PERMITTED, &per_state) != -1;
+-		     cap++) {
+-		    cap_flag_value_t inh_state, eff_state;
+-
+-		    cap_get_flag(cap_d, cap, CAP_INHERITABLE, &inh_state);
+-		    cap_get_flag(cap_d, cap, CAP_EFFECTIVE, &eff_state);
+-		    if ((inh_state | per_state) != eff_state) {
+-			fprintf(stderr, "NOTE: Under Linux, effective file capabilities must either be empty, or\n"
+-				"      exactly match the union of selected permitted and inheritable bits.\n");
+-			explained = 1;
+-			break;
+-		    }
+-		}
+-#endif /* def linux */
+-		
+ 		fprintf(stderr,
+ 			"Failed to set capabilities on file `%s' (%s)\n",
+ 			argv[0], strerror(errno));
+-		if (!explained) {
+-		    usage();
+-		}
+ 	    }
+ 	}
+ 	if (cap_d) {
+-- 
+2.1.4
+
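Review bot: In the second setcap.c hunk of the embedded patch, the failure branch after `cap_set_file()` is left with only the `fprintf`; if the removed `usage()` call was what terminated the program there (its body is not shown), nothing on that path stops it now. Whether main() later returns non-zero is outside the hunk; if it does not, a failed call leaves one line on stderr and the image build carries on without the file capabilities it was meant to set. Ending the branch with `exit(1);` after the `fprintf` would make the build fail instead, or a comment should state that continuing is intended. The revised patch in the follow-up commit on this page keeps the same branch. main() begins and ends outside both embedded hunks.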
diff --git a/meta-app-framework/recipes-support/libcap/libcap_%.bbappend b/meta-app-framework/recipes-support/libcap/libcap_%.bbappend
new file mode 100644
index 000000000..fbe893501
--- /dev/null
+++ b/meta-app-framework/recipes-support/libcap/libcap_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS_append_class-native := ":${THISDIR}/${PN}"
+SRC_URI_append_class-native = " file://removing-capability-enforcement.patch"
+PACKAGECONFIG_class-native ?= "attr"
+DEPENDS_append_class-native = " attr-native"
+
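Review bot: Nothing in this bbappend says why the native setcap is patched, and the patch's subject, "removing capability enforcement", reads as a security regression to anyone who meets it without context. All four lines are scoped with `class-native`, so the intent is presumably that the host-side tool can label files during an unprivileged image build; a comment such as `# native only: setcap runs without CAP_SETFCAP during image creation; never apply to the target libcap` would record that. The patch itself should carry an `Upstream-Status: Inappropriate [native]` line in its header. Since the `%` in the file name matches every libcap version while the patch depends on the exact context in progs/setcap.c, expect it to need a refresh on each libcap upgrade.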


From cbca8a09594c90392b2bf87437daa4b9a9db9bff Mon Sep 17 00:00:00 2001
From: Ronan Le Martret <ronan.lemartret@iot.bzh>
Date: Fri, 14 Oct 2016 14:21:15 +0200
Subject: fix libcap patch

Change-Id: I49d42748c6dcb1927d1370b0706a085a17aa8a2b
Signed-off-by: Ronan Le Martret <ronan.lemartret@iot.bzh>
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
---
 .../libcap/removing-capability-enforcement.patch   | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

(limited to 'meta-app-framework/recipes-support/libcap')

diff --git a/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
index fd01c19e9..fa359fa87 100644
--- a/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
+++ b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
@@ -3,16 +3,18 @@ From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
 Date: Fri, 22 Jan 2016 16:23:59 +0100
 Subject: [PATCH] removing capability enforcement
 
+Signed-off-by: ronan <ronan@iot.bzh>
+
 Change-Id: Idb724192ceab176a611bbed45c0ebc9c8eb5dd30
 ---
- progs/setcap.c | 43 -------------------------------------------
- 1 file changed, 43 deletions(-)
+ progs/setcap.c | 45 +--------------------------------------------
+ 1 file changed, 1 insertion(+), 44 deletions(-)
 
 diff --git a/progs/setcap.c b/progs/setcap.c
-index 83090ae..01faa17 100644
+index 7304343..71999b6 100644
 --- a/progs/setcap.c
 +++ b/progs/setcap.c
-@@ -58,7 +58,6 @@ static int read_caps(int quiet, const char *filename, char *buffer)
+@@ -58,11 +58,9 @@ static int read_caps(int quiet, const char *filename, char *buffer)
  
  int main(int argc, char **argv)
  {
@@ -20,7 +22,11 @@ index 83090ae..01faa17 100644
      char buffer[MAXCAP+1];
      int retval, quiet=0, verify=0;
      cap_t mycaps;
-@@ -150,53 +149,11 @@ int main(int argc, char **argv)
+-    cap_value_t capflag;
+ 
+     if (argc < 3) {
+ 	usage();
+@@ -150,54 +148,13 @@ int main(int argc, char **argv)
  		printf("%s: OK\n", *argv);
  	    }
  	} else {
@@ -45,6 +51,7 @@ index 83090ae..01faa17 100644
  	    retval = cap_set_file(*++argv, cap_d);
  	    if (retval != 0) {
 -		int explained = 0;
+ 		int oerrno = errno;
 -#ifdef linux
 -		cap_value_t cap;
 -		cap_flag_value_t per_state;
@@ -67,13 +74,14 @@ index 83090ae..01faa17 100644
 -		
  		fprintf(stderr,
  			"Failed to set capabilities on file `%s' (%s)\n",
- 			argv[0], strerror(errno));
+ 			argv[0], strerror(oerrno));
 -		if (!explained) {
 -		    usage();
 -		}
++
  	    }
  	}
  	if (cap_d) {
 -- 
-2.1.4
+2.6.6
 
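Review bot: The refreshed patch now adds a line to setcap.c: the `++` entry before the closing brace of the failure branch inserts an empty line, which is what turns the header into `1 insertion(+), 44 deletions(-)`. Dropping that line keeps the patch a pure deletion and makes the next refresh against a new libcap easier to compare. The `oerrno` lines appear as context in the embedded patch, so they presumably come from the newer libcap base (`index 7304343`) rather than from this change.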