From f70d712e4f505f5c5b50ae17f4f023d20a667568 Mon Sep 17 00:00:00 2001
From: José Bollo <jose.bollo@iot.bzh>
Date: Wed, 24 Jan 2018 11:38:43 +0100
Subject: Integrate parts of meta-intel-iot-security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds the recipes of the sub layers
 - meta-security-framework
 - meta-security-smack

Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
---
 .../recipes-security/smacknet/files/smacknet       | 184 +++++++++++++++++++++
 .../smacknet/files/smacknet.service                |  11 ++
 .../recipes-security/smacknet/smacknet.bb          |  29 ++++
 3 files changed, 224 insertions(+)
 create mode 100644 meta-security/recipes-security/smacknet/files/smacknet
 create mode 100644 meta-security/recipes-security/smacknet/files/smacknet.service
 create mode 100644 meta-security/recipes-security/smacknet/smacknet.bb

(limited to 'meta-security/recipes-security/smacknet')

diff --git a/meta-security/recipes-security/smacknet/files/smacknet b/meta-security/recipes-security/smacknet/files/smacknet
new file mode 100644
index 000000000..3818d30ae
--- /dev/null
+++ b/meta-security/recipes-security/smacknet/files/smacknet
@@ -0,0 +1,184 @@
+#!/usr/bin/python
+# Copyright (c) 2012, 2013, Intel Corporation 
+# Copyright (c) 2009 David Wolinsky <davidiw@ufl.edu), University of Florida
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote products
+#    derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+import socket,fcntl, struct, thread
+import os.path
+import sys
+
+SMACKFS_LOAD="/sys/fs/smackfs/load2"
+SMACKFS_NETLABEL="/sys/fs/smackfs/netlabel"
+SIOCGIFADDR = 0x8915
+SIOCGIFNETMASK = 0x891b
+
+def get_ip_address(ifname):
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    return fcntl.ioctl(s.fileno(), SIOCGIFADDR, 
+			struct.pack('256s', ifname.encode("utf-8")))[20:24]
+
+def get_netmask(ifname):
+   s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+   return fcntl.ioctl(s.fileno(), SIOCGIFNETMASK, 
+			struct.pack('256s', ifname.encode("utf-8")))[20:24]
+
+def applynetlabeltags(interface, addr):
+	if not interface.startswith("lo"):
+		bmask = get_netmask(interface.encode("utf-8"))
+		prefix = bin(struct.unpack(">L", bmask)[0]).count("1")
+		tags = [
+			addr+"/"+str(prefix)+" Network::Local\n", 
+			"0.0.0.0/0 Network::Cloud\n",
+			"127.0.0.1/8 -CIPSO\n"]
+		smackfs_netlabel(tags)
+	
+def loadnetlabelrules():
+	rulesSystem = [
+		"System Network::Cloud w\n",
+		"System Network::Local w\n",
+		"Network::Cloud System w\n",
+		"Network::Local System w\n"]
+	smackfs_load2(rulesSystem)
+
+def smackfs_load2 (rules):
+	with open(SMACKFS_LOAD, "w") as load2:
+		for rule in rules:
+			load2.write(rule)
+
+def smackfs_netlabel (tags):
+	for tag in tags:
+		with open(SMACKFS_NETLABEL, "w") as netlabel:
+			netlabel.write(tag)
+
+""" 
+    Source of: Class ip monitor, and other functions named bellow.
+    Original author: David Wolinsky <davidiw@ufl.edu
+    Copied from: https://github.com/davidiw/Grid-Appliance/blob/master/scripts/ip_monitor.py
+    
+"""
+
+"""4 byte alignment"""
+
+def align(inc):
+	diff = inc % 4
+	return inc + ((4 - diff) % 4)
+
+class ifaddr:
+  """Parse an ifaddr packet"""
+  LOCAL = 2
+  LABEL = 3
+
+  def __init__(self, packet):
+    self.family, self.prefixlen, self.flags, self.scope, self.index = \
+        struct.unpack("BBBBI", packet[:8])
+
+class rtattr:
+  """Parse a rtattr packet"""
+  GRP_IPV4_IFADDR = 0x10
+
+  NEWADDR = 20
+  DELADDR = 21
+  GETADDR = 22
+
+  def __init__(self, packet):
+    self.len, self.type = struct.unpack("HH", packet[:4])
+    if self.type == ifaddr.LOCAL:
+      addr = struct.unpack("BBBB", packet[4:self.len])
+      self.payload = "%s.%s.%s.%s" % (addr[0], addr[1], addr[2], addr[3])
+    elif self.type == ifaddr.LABEL:
+      self.payload = packet[4:self.len].strip("\0")
+    else:
+      self.payload = packet[4:self.len]
+
+class netlink:
+  """Parse a netlink packet"""
+  REQUEST = 1
+  ROOT = 0x100
+  MATCH = 0x200
+  DONE = 3
+
+  def __init__(self, packet):
+    self.msglen, self.msgtype, self.flags, self.seq, self.pid = \
+        struct.unpack("IHHII", packet[:16])
+    self.ifa = None
+    try:
+      self.ifa = ifaddr(packet[16:24])
+    except:
+      return
+
+    self.rtas = {}
+    pos = 24
+    while pos < self.msglen:
+      try:
+        rta = rtattr(packet[pos:])
+      except:
+        break
+      pos += align(rta.len)
+      self.rtas[rta.type] = rta.payload
+
+class ip_monitor:
+  def __init__(self, callback = None):
+    if callback == None:
+      callback = self.print_cb
+    self._callback = callback
+
+  def print_cb(self, label, addr):
+    print (label + " => " + addr)
+
+  def request_addrs(self, sock):
+    sock.send(struct.pack("IHHIIBBBBI", 24, rtattr.GETADDR, \
+      netlink.REQUEST | netlink.ROOT | netlink.MATCH, 0, sock.getsockname()[0], \
+      socket.AF_INET, 0, 0, 0, 0))
+
+  def start_thread(self):
+    thread.start_new_thread(self.run, ())
+
+  def run(self):
+    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
+    sock.bind((0, rtattr.GRP_IPV4_IFADDR))
+    self.request_addrs(sock)
+
+    while True:
+      data = sock.recv(4096)
+      pos = 0
+      while pos < len(data):
+        nl = netlink(data[pos:])
+        if nl.msgtype == netlink.DONE:
+          break
+        pos += align(nl.msglen)
+        if nl.msgtype != rtattr.NEWADDR:
+          continue
+        self._callback(nl.rtas[ifaddr.LABEL], nl.rtas[ifaddr.LOCAL])
+
+def main():
+	if not os.path.isfile(SMACKFS_LOAD):
+		print ("Smack not found.")
+		return -1
+	loadnetlabelrules()
+	
+	ip_monitor(applynetlabeltags).run()
+
+if __name__ == "__main__":
+    main()
diff --git a/meta-security/recipes-security/smacknet/files/smacknet.service b/meta-security/recipes-security/smacknet/files/smacknet.service
new file mode 100644
index 000000000..218d8b896
--- /dev/null
+++ b/meta-security/recipes-security/smacknet/files/smacknet.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=netlabels configuration for SMACK
+Wants=network.target network-online.target
+After=network.target network-online.target
+
+[Service]
+TimeoutStartSec=0
+ExecStart=@BINDIR@/smacknet
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-security/recipes-security/smacknet/smacknet.bb b/meta-security/recipes-security/smacknet/smacknet.bb
new file mode 100644
index 000000000..553456aee
--- /dev/null
+++ b/meta-security/recipes-security/smacknet/smacknet.bb
@@ -0,0 +1,29 @@
+#SMACKNET Description
+SUMMARY = "Smack network labels configuration"
+DESCRIPTION = "Provide service that will be labeling the network rules"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9"
+RDEPENDS_${PN} = "python"
+
+SRC_URI += "file://smacknet \
+        file://smacknet.service \
+	"
+S = "${WORKDIR}"
+
+inherit systemd
+
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES = "smack"
+
+#netlabel configuration service
+SYSTEMD_SERVICE_${PN} = "smacknet.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+do_install(){
+        install -d ${D}${bindir}
+        install -m 0551 ${WORKDIR}/smacknet ${D}${bindir}
+
+        install -d -m 755 ${D}${systemd_unitdir}/system
+        install -m 644 ${WORKDIR}/smacknet.service ${D}${systemd_unitdir}/system
+        sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_unitdir}/system/smacknet.service
+}
+   
-- 
cgit 1.2.3-korg