From a13d8ad3225f316fc7d7edaf2805b6cf2e3b5dd1 Mon Sep 17 00:00:00 2001 From: José Bollo Date: Tue, 26 Nov 2019 15:21:18 +0100 Subject: security-manager: Improve integration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes some issues encountered by the current integration of the security-manager: - its recipes is spread in too much directories (see SPEC-2092) - its initialization should be checked (see SPEC-2091) - the location of the database has to be changed (see SPEC-1717 that provided a workaround) All in one, I decided to create that ticket that summarize the work that can be quickly achieved to answer all this issues that are tightly coupled. Bug-AGL: SPEC-2972 Bug-AGL: SPEC-2092 Bug-AGL: SPEC-2091 Bug-AGL: SPEC-1717 Change-Id: I7af941c25cfa1624d76c2e8f512f6535918912f0 Signed-off-by: José Bollo --- .../0001-Fix-Cmake-conf-for-gcc6-build.patch | 40 ----- .../security-manager/0001-Fix-gcc6-build.patch | 38 ---- ...uires-include-functional-for-std-function.patch | 51 ------ .../Removing-tizen-platform-config.patch | 196 --------------------- .../init-security-manager-db.service | 15 -- .../security-manager/init-security-manager-db.sh | 6 - .../security-manager/security-manager_%.bbappend | 24 +-- .../security-manager/security-manager_git.bbappend | 2 - 8 files changed, 3 insertions(+), 369 deletions(-) delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service delete mode 100644 meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh delete mode 100644 meta-app-framework/recipes-security/security-manager/security-manager_git.bbappend (limited to 'meta-app-framework') diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch deleted file mode 100644 index 43a3ee103..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 19c99315a5dcba3b696c30d1fdd42a1dcd574a80 Mon Sep 17 00:00:00 2001 -From: Ronan -Date: Thu, 13 Oct 2016 11:37:47 +0200 -Subject: [PATCH] Fix Cmake conf for gcc6 build - -Signed-off-by: Ronan ---- - src/cmd/CMakeLists.txt | 4 +--- - src/server/CMakeLists.txt | 1 - - 2 files changed, 1 insertion(+), 4 deletions(-) - -diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt -index ee9a160..aa7a12c 100644 ---- a/src/cmd/CMakeLists.txt -+++ b/src/cmd/CMakeLists.txt -@@ -1,8 +1,6 @@ - FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options) - --INCLUDE_DIRECTORIES(SYSTEM -- ${Boost_INCLUDE_DIRS} -- ) -+ - - INCLUDE_DIRECTORIES( - ${INCLUDE_PATH} -diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt -index 753eb96..8eef25d 100644 ---- a/src/server/CMakeLists.txt -+++ b/src/server/CMakeLists.txt -@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED) - - INCLUDE_DIRECTORIES(SYSTEM - ${SERVER_DEP_INCLUDE_DIRS} -- ${Boost_INCLUDE_DIRS} - ${Threads_INCLUDE_DIRS} - ) - --- -2.6.6 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch deleted file mode 100644 index 1b3c8c427..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch +++ /dev/null @@ -1,38 +0,0 @@ -From cb9acc2b723b297ee373bf814282711f02657aa5 Mon Sep 17 00:00:00 2001 -From: Ronan -Date: Wed, 12 Oct 2016 17:48:55 +0200 -Subject: [PATCH] Fix gcc6 build - -Signed-off-by: ronan ---- - src/client/client-security-manager.cpp | 1 + - src/common/include/privilege_db.h | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp -index 74a6b30..347cddd 100644 ---- a/src/client/client-security-manager.cpp -+++ b/src/client/client-security-manager.cpp -@@ -46,6 +46,7 @@ - #include - #include - #include -+#include - - static const char *EMPTY = ""; - -diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h -index 03c6680..8dd39a1 100644 ---- a/src/common/include/privilege_db.h -+++ b/src/common/include/privilege_db.h -@@ -32,6 +32,7 @@ - #include - #include - #include -+#include - - #include - --- -2.6.6 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch deleted file mode 100644 index 7b6845abc..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/0001-gcc-7-requires-include-functional-for-std-function.patch +++ /dev/null @@ -1,51 +0,0 @@ -From ed1c105db9d7b1ceb52ec16f35b0a2c959c19c6d Mon Sep 17 00:00:00 2001 -From: Changhyeok Bae -Date: Sun, 17 Dec 2017 15:40:58 +0000 -Subject: [PATCH] gcc-7 requires include for std::function - -Signed-off-by: Changhyeok Bae ---- - src/client/client-common.cpp | 1 + - src/common/smack-labels.cpp | 1 + - src/dpl/core/src/binary_queue.cpp | 1 + - 3 files changed, 3 insertions(+) - -diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp -index 883ab8d..1babdf7 100644 ---- a/src/client/client-common.cpp -+++ b/src/client/client-common.cpp -@@ -31,6 +31,7 @@ - #include - #include - #include -+#include - - #include - #include -diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp -index 0294a42..1598099 100644 ---- a/src/common/smack-labels.cpp -+++ b/src/common/smack-labels.cpp -@@ -29,6 +29,7 @@ - #include - #include - #include -+#include - #include - #include - #include -diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp -index 72817a6..838409f 100644 ---- a/src/dpl/core/src/binary_queue.cpp -+++ b/src/dpl/core/src/binary_queue.cpp -@@ -26,6 +26,7 @@ - #include - #include - #include -+#include - - namespace SecurityManager { - BinaryQueue::BinaryQueue() : --- -2.7.4 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch deleted file mode 100644 index bea3516d8..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch +++ /dev/null @@ -1,196 +0,0 @@ -From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= -Date: Mon, 16 Nov 2015 14:26:25 +0100 -Subject: [PATCH] Removing tizen-platform-config - -Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 ---- - policy/security-manager-policy-reload | 2 +- - src/common/file-lock.cpp | 4 +--- - src/common/include/file-lock.h | 1 - - src/common/include/privilege_db.h | 3 +-- - src/common/service_impl.cpp | 39 +++++++++++------------------------ - src/common/smack-rules.cpp | 12 ++++------- - 6 files changed, 19 insertions(+), 42 deletions(-) - -diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload -index 6f211c6..ed8047a 100755 ---- a/policy/security-manager-policy-reload -+++ b/policy/security-manager-policy-reload -@@ -2,7 +2,7 @@ - - POLICY_PATH=/usr/share/security-manager/policy - PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list --DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db -+DB_FILE=/var/local/db/security-manager/.security-manager.db - - # Create default buckets - while read bucket default_policy -diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp -index 6f3996c..1dada17 100644 ---- a/src/common/file-lock.cpp -+++ b/src/common/file-lock.cpp -@@ -30,9 +30,7 @@ - - namespace SecurityManager { - --char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, -- "lock", -- "security-manager.lock"); -+char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock"; - - FileLocker::FileLocker(const std::string &lockFile, bool blocking) - { -diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h -index 604b019..21a86a0 100644 ---- a/src/common/include/file-lock.h -+++ b/src/common/include/file-lock.h -@@ -29,7 +29,6 @@ - - #include - #include --#include - - namespace SecurityManager { - -diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h -index 4d73d90..03c6680 100644 ---- a/src/common/include/privilege_db.h -+++ b/src/common/include/privilege_db.h -@@ -34,14 +34,13 @@ - #include - - #include --#include - - #ifndef PRIVILEGE_DB_H_ - #define PRIVILEGE_DB_H_ - - namespace SecurityManager { - --const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); -+const char *const PRIVILEGE_DB_PATH = "/var/local/db/security-manager/.security-manager.db"; - - enum class QueryType { - EGetPkgPrivileges, -diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp -index ae305d3..65cc8b5 100644 ---- a/src/common/service_impl.cpp -+++ b/src/common/service_impl.cpp -@@ -32,7 +32,6 @@ - #include - - #include --#include - - #include "protocols.h" - #include "privilege_db.h" -@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, - - static uid_t getGlobalUserId(void) - { -- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); -+ static uid_t globaluid = 0; -+ if (!globaluid) { -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwnam_r("afm", &pw, buf, sizeof buf, &p); -+ globaluid = (rc || p == NULL) ? 555 : p->pw_uid; -+ } - return globaluid; - } - -@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) - - static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) - { -- struct tzplatform_context *tz_ctx = nullptr; -- -- if (tzplatform_context_create(&tz_ctx)) -- return false; -- -- if (tzplatform_context_set_user(tz_ctx, uid)) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -+ struct passwd pw, *p; -+ char buf[4096]; -+ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); -+ if (rc || p == NULL) - return false; -- } -- -- enum tzplatform_variable id = -- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP; -- const char *appDir = tzplatform_context_getenv(tz_ctx, id); -- if (!appDir) { -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- return false; -- } -- -- userAppDir = appDir; -- -- tzplatform_context_destroy(tz_ctx); -- tz_ctx = nullptr; -- -+ userAppDir = p->pw_dir; - return true; - } - - static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) - { -- std::string userHome; - std::string userAppDir; - std::stringstream correctPath; - -diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp -index d834e42..8b5728b 100644 ---- a/src/common/smack-rules.cpp -+++ b/src/common/smack-rules.cpp -@@ -34,7 +34,6 @@ - #include - - #include --#include - - #include "smack-labels.h" - #include "smack-rules.h" -@@ -43,7 +42,7 @@ namespace SecurityManager { - - const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; - const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; --const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); -+const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack"; - const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; - - SmackRules::SmackRules() -@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector &pkgCon - - std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); -- return path; -+ return "/etc/smack/accesses.d/pkg_" + pkgId; - } - - std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) - { -- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); -- return path; -+ return "/etc/smack/accesses.d/app_" + appId; - } - void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, - const std::vector &pkgContents, const std::vector &privileges) -@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con - for (auto privilege : privileges) { - if (privilege.empty()) - continue; -- std::string fprivilege ( privilege + "-template.smack"); -- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); -+ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack"; - if( stat(path.c_str(), &buffer) == 0) - smackRules.addFromTemplateFile(appId, pkgId, path); - } --- -2.1.4 - diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service deleted file mode 100644 index 8ed5e8601..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service +++ /dev/null @@ -1,15 +0,0 @@ -# -# Install security-manager DB to /var - -[Unit] -Description=Install Security Manager database -After=sysinit.target -Before=security-manager.service - -[Install] -WantedBy=default.target - -[Service] -Type=oneshot -User=root -ExecStart=/usr/bin/init-security-manager-db.sh diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh deleted file mode 100644 index f90192a84..000000000 --- a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -if [ ! -e "/var/local/db/security-manager" ]; then - mkdir -p /var/local/db - cp -ra /usr/dbspace/ /var/local/db/security-manager -fi diff --git a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend index 61c933a7e..3306d4c72 100644 --- a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend +++ b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend @@ -1,25 +1,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:" -PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native" - -SRC_URI += " file://0001-Adapt-rules-to-AGL.patch \ - file://init-security-manager-db.service \ - file://init-security-manager-db.sh \ - file://0001-Fix-gcc6-build.patch \ - file://0001-Fix-Cmake-conf-for-gcc6-build.patch \ - file://0001-gcc-7-requires-include-functional-for-std-function.patch \ -" - -FILES_${PN}_append = "${bindir}/init-security-manager-db.sh \ - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_unitdir}/system/init-security-manager-db.service', '', d)} \ +EXTRA_OECMAKE =+ " -DGLOBALUSER=afm" +SRC_URI += " \ + file://0001-Adapt-rules-to-AGL.patch \ " -do_install_append () { - install -p -D ${WORKDIR}/init-security-manager-db.sh ${D}${bindir}/init-security-manager-db.sh - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - mkdir -p ${D}${systemd_unitdir}/system - mkdir -p ${D}${sysconfdir}/systemd/system/default.target.wants - install -m 644 -p -D ${WORKDIR}/init-security-manager-db.service ${D}${systemd_unitdir}/system/init-security-manager-db.service - ln -sf ${systemd_unitdir}/system/init-security-manager-db.service ${D}${sysconfdir}/systemd/system/default.target.wants - fi -} diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_git.bbappend b/meta-app-framework/recipes-security/security-manager/security-manager_git.bbappend deleted file mode 100644 index 424b49358..000000000 --- a/meta-app-framework/recipes-security/security-manager/security-manager_git.bbappend +++ /dev/null @@ -1,2 +0,0 @@ -do_patch[depends] += "quilt-native:do_populate_sysroot libcap:do_populate_sysroot" -APPLY = "no" -- cgit 1.2.3-korg