From 1b847a21fac05e88510fe37db63d0d9e4b72e633 Mon Sep 17 00:00:00 2001
From: José Bollo <jose.bollo@iot.bzh>
Date: Tue, 27 Mar 2018 11:05:46 +0200
Subject: dbus-cynara: Avoid dependency loop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The dependency loop appeared when compiling
with DISTRO_FEATURE ptest.

To avoid it, I restore the logic implemented before in
meta-intel-iot-security. I also remove unless files.

Bug-AGL: SPEC-1334

Change-Id: Ibe8b9359a65fec034df2534c5fceb4769e63aa99
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
---
 ...m-Cynara-runtime-policy-checks-by-default.patch | 123 ---------------------
 1 file changed, 123 deletions(-)
 delete mode 100644 meta-security/recipes-core/dbus-cynara/dbus/0005-Perform-Cynara-runtime-policy-checks-by-default.patch

(limited to 'meta-security/recipes-core/dbus-cynara/dbus/0005-Perform-Cynara-runtime-policy-checks-by-default.patch')

diff --git a/meta-security/recipes-core/dbus-cynara/dbus/0005-Perform-Cynara-runtime-policy-checks-by-default.patch b/meta-security/recipes-core/dbus-cynara/dbus/0005-Perform-Cynara-runtime-policy-checks-by-default.patch
deleted file mode 100644
index d30b2dbf8..000000000
--- a/meta-security/recipes-core/dbus-cynara/dbus/0005-Perform-Cynara-runtime-policy-checks-by-default.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 92a373a6dbb1c7cd7c9824167aac232f3e0daebd Mon Sep 17 00:00:00 2001
-From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
-Date: Tue, 23 Jun 2015 11:08:48 +0200
-Subject: [PATCH 5/5] Perform Cynara runtime policy checks by default
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This change introduces http://tizen.org/privilege/internal/dbus privilege
-which is supposed to be available only to trusted system resources.
-Checks for this privilege are used in place of certain allow rules to
-make security policy more strict.
-
-For system bus sending and receiving signals now requires
-http://tizen.org/privilege/internal/dbus privilege. Requesting name
-ownership and sending methods is still denied by default.
-
-For session bus http://tizen.org/privilege/internal/dbus privilege
-is now required for requesting name, calling methods, sending and receiving
-signals.
-
-Services are supposed to override these default settings to implement their
-own security policy.
-
-Change-Id: Ifb4a160bf6e0638404e0295a2e4fa3077efd881c
-Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
-
-Cherry picked from e8610297cf7031e94eb314a2e8c11246f4405403 by Jose Bollo
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- bus/session.conf.in | 32 ++++++++++++++++++++++++++------
- bus/system.conf.in  | 19 +++++++++++++++----
- 2 files changed, 41 insertions(+), 10 deletions(-)
-
-diff --git a/bus/session.conf.in b/bus/session.conf.in
-index affa7f1d..157dfb4d 100644
---- a/bus/session.conf.in
-+++ b/bus/session.conf.in
-@@ -27,12 +27,32 @@
-   <standard_session_servicedirs />
- 
-   <policy context="default">
--    <!-- Allow everything to be sent -->
--    <allow send_destination="*" eavesdrop="true"/>
--    <!-- Allow everything to be received -->
--    <allow eavesdrop="true"/>
--    <!-- Allow anyone to own anything -->
--    <allow own="*"/>
-+    <!-- By default clients require internal/dbus privilege to communicate
-+         with D-Bus services and to claim name ownership. This is internal privilege that
-+         is only accessible to trusted system services -->
-+    <check own="*"                  privilege="http://tizen.org/privilege/internal/dbus" />
-+    <check send_type="method_call"  privilege="http://tizen.org/privilege/internal/dbus" />
-+    <check send_type="signal"       privilege="http://tizen.org/privilege/internal/dbus" />
-+    <check receive_type="signal"    privilege="http://tizen.org/privilege/internal/dbus" />
-+
-+    <!-- Reply messages (method returns, errors) are allowed
-+         by default -->
-+    <allow send_requested_reply="true" send_type="method_return"/>
-+    <allow send_requested_reply="true" send_type="error"/>
-+
-+    <!-- All messages but signals may be received by default -->
-+    <allow receive_type="method_call"/>
-+    <allow receive_type="method_return"/>
-+    <allow receive_type="error"/>
-+
-+    <!-- Allow anyone to talk to the message bus -->
-+    <allow send_destination="org.freedesktop.DBus"/>
-+    <allow receive_sender="org.freedesktop.DBus"/>
-+
-+    <!-- But disallow some specific bus services -->
-+    <deny send_destination="org.freedesktop.DBus"
-+          send_interface="org.freedesktop.DBus"
-+          send_member="UpdateActivationEnvironment"/>
-   </policy>
- 
-   <!-- Include legacy configuration location -->
-diff --git a/bus/system.conf.in b/bus/system.conf.in
-index 014f67ee..ebbd468a 100644
---- a/bus/system.conf.in
-+++ b/bus/system.conf.in
-@@ -50,23 +50,34 @@
-     <deny own="*"/>
-     <deny send_type="method_call"/>
- 
--    <!-- Signals and reply messages (method returns, errors) are allowed
-+    <!-- By default clients require internal/dbus privilege to send and receive signaks.
-+         This is internal privilege that is only accessible to trusted system services -->
-+    <check send_type="signal"       privilege="http://tizen.org/privilege/internal/dbus" />
-+    <check receive_type="signal"    privilege="http://tizen.org/privilege/internal/dbus" />
-+
-+    <!-- Reply messages (method returns, errors) are allowed
-          by default -->
--    <allow send_type="signal"/>
-     <allow send_requested_reply="true" send_type="method_return"/>
-     <allow send_requested_reply="true" send_type="error"/>
- 
--    <!-- All messages may be received by default -->
-+    <!-- All messages but signals may be received by default -->
-     <allow receive_type="method_call"/>
-     <allow receive_type="method_return"/>
-     <allow receive_type="error"/>
--    <allow receive_type="signal"/>
- 
-     <!-- Allow anyone to talk to the message bus -->
-     <allow send_destination="org.freedesktop.DBus"
-            send_interface="org.freedesktop.DBus" />
-     <allow send_destination="org.freedesktop.DBus"
-            send_interface="org.freedesktop.DBus.Introspectable"/>
-+    <!-- If there is a need specific bus services could be protected by Cynara as well.
-+         However, this can lead to deadlock during the boot process when such check is made and
-+         Cynara is not yet activated (systemd calls protected method synchronously,
-+         dbus daemon tries to consult Cynara, Cynara waits for systemd activation).
-+         Therefore it is advised to allow root processes to use bus services.
-+         Currently anyone is allowed to talk to the message bus -->
-+    <allow receive_sender="org.freedesktop.DBus"/>
-+
-     <!-- But disallow some specific bus services -->
-     <deny send_destination="org.freedesktop.DBus"
-           send_interface="org.freedesktop.DBus"
--- 
-2.14.3
-
-- 
cgit 1.2.3-korg