From 98637b7b01106de98aacc2b531f92c0883b381ee Mon Sep 17 00:00:00 2001 From: José Bollo Date: Thu, 25 Jan 2018 16:39:28 +0100 Subject: cynara: upgrade to 0.14.10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: I33caaa8a435e0b36afff43c4199428ae9336d612 
Signed-off-by: José Bollo --- meta-security/recipes-security/cynara/cynara.inc | 158 -------------------- .../cynara/cynara/0001-Add-fallthrough-tags.patch | 59 ++++++++ ...uires-include-functional-for-std-function.patch | 38 +++++ ...void-warning-when-compiling-without-smack.patch | 45 ++++++ .../cynara/cynara/0004-Fix-mode-of-sockets.patch | 44 ++++++ .../cynara/cynara/0005-Allow-to-tune-sockets.patch | 127 ++++++++++++++++ ...0006-Install-socket-activation-by-default.patch | 80 ++++++++++ ...cmake-Improves-directories-and-libsystemd.patch | 119 --------------- .../cynara/cynara/gmock-pthread-linking.patch | 31 ---- .../recipes-security/cynara/cynara_0.14.10.bb | 163 +++++++++++++++++++++ .../recipes-security/cynara/cynara_git.bb | 11 -- 11 files changed, 556 insertions(+), 319 deletions(-) delete mode 100644 meta-security/recipes-security/cynara/cynara.inc create mode 100644 meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch create mode 100644 meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch create mode 100644 meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch create mode 100644 meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch create mode 100644 meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch create mode 100644 meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch delete mode 100644 meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch delete mode 100644 meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch create mode 100644 meta-security/recipes-security/cynara/cynara_0.14.10.bb delete mode 100644 meta-security/recipes-security/cynara/cynara_git.bb (limited to 'meta-security') 
diff --git a/meta-security/recipes-security/cynara/cynara.inc b/meta-security/recipes-security/cynara/cynara.inc
deleted file mode 100644
index 1e80b6163..000000000
--- a/meta-security/recipes-security/cynara/cynara.inc
+++ /dev/null
@@ -1,158 +0,0 @@ -DESCRIPTION = "Cynara service with client libraries" -LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3" - -DEPENDS = " \ -dbus \ -glib-2.0 \ -systemd \ -zip \ -" - -# For testing: -# DEPENDS += "gmock" - -PACKAGECONFIG ??= "" -# Use debug mode to increase logging. Beware, also compiles with less optimization -# and thus has to disable FORTIFY_SOURCE below. -PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE,libunwind elfutils" - -inherit cmake - -CXXFLAGS_append = " \ --DCYNARA_STATE_PATH=\\\\\"${localstatedir}/cynara/\\\\\" \ --DCYNARA_LIB_PATH=\\\\\"${prefix}/lib/cynara/\\\\\" \ --DCYNARA_TESTS_DIR=\\\\\"${prefix}/share/cynara/tests/\\\\\" \ --DCYNARA_CONFIGURATION_DIR=\\\\\"${sysconfdir}/cynara/\\\\\" \ -${@bb.utils.contains('PACKAGECONFIG', 'debug', '-Wp,-U_FORTIFY_SOURCE', '', d)} \ -" - -EXTRA_OECMAKE += " \ --DCMAKE_VERBOSE_MAKEFILE=ON \ --DBUILD_WITH_SYSTEMD=ON \ --DSYSTEMD_UNIT_DIR=${systemd_unitdir}/system \ --DSOCKET_DIR=/run/cynara \ -" - -# Explicitly package empty directory. Otherwise Cynara prints warnings -# at runtime: -# cyad[198]: Couldn't scan for plugins in : -FILES_${PN}_append = " \ -${libdir}/cynara/plugin/service \ -${libdir}/cynara/plugin/client \ -" - -# Testing depends on gmock and gtest. They can be found in meta-oe -# and are not necessarily available, so this feature is off by default. -# If gmock from meta-oe is used, then a workaround is needed to avoid -# a link error (libgmock.a calls pthread functions without libpthread -# being listed in the .pc file). -PACKAGECONFIG[tests] = "-DBUILD_TESTS:BOOL=ON,-DBUILD_TESTS:BOOL=OFF,gmock gtest," -SRC_URI_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' file://gmock-pthread-linking.patch file://run-ptest', '', d)}" - -# Will be empty if no tests were built. 
-inherit ptest -FILES_${PN}-ptest += "${bindir}/cynara-tests ${bindir}/cynara-db-migration-tests ${datadir}/cynara/tests" -do_install_ptest () { - if ${@bb.utils.contains('PACKAGECONFIG', 'tests', 'true', 'false', d)}; then - mkdir -p ${D}/${datadir}/cynara/tests - cp -r ${S}/test/db/* ${D}/${datadir}/cynara/tests - fi -} - -do_compile_prepend () { - # en_US.UTF8 is not available, causing cynara-tests parser.getKeyAndValue to fail. - # Submitted upstream: https://github.com/Samsung/cynara/issues/10 - sed -i -e 's/std::locale("en_US.UTF8")/std::locale::classic()/g' ${S}/test/credsCommons/parser/Parser.cpp -} - -inherit useradd -USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM_${PN} = "-r cynara" -USERADD_PARAM_${PN} = "\ ---system --home ${localstatedir}/lib/empty \ ---no-create-home --shell /bin/false \ ---gid cynara cynara \ -" - -# Causes deadlock during booting, see workaround in postinst below. -#inherit systemd -#SYSTEMD_SERVICE_${PN} = "cynara.service" - -do_install_append () { - chmod a+rx ${D}/${sbindir}/cynara-db-migration - - install -d ${D}${sysconfdir}/cynara/ - install -m 644 ${S}/conf/creds.conf ${D}/${sysconfdir}/cynara/creds.conf - - # No need to create empty directories except for those which - # Cynara expects to find. - # install -d ${D}${localstatedir}/cynara/ - # install -d ${D}${prefix}/share/cynara/tests/empty_db - install -d ${D}${libdir}/cynara/plugin/client - install -d ${D}${libdir}/cynara/plugin/service - - # install db* ${D}${prefix}/share/cynara/tests/ - - install -d ${D}${systemd_unitdir}/system/sockets.target.wants - ln -s ../cynara.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara.socket - ln -s ../cynara-admin.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara-admin.socket - ln -s ../cynara-agent.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara-agent.socket -} - -FILES_${PN} += "${systemd_unitdir}/system" - -# Cynara itself has no dependency on Smack. 
Only its installation -# is Smack-aware in the sense that it sets Smack labels. Do not -# depend on smack userspace unless we really need Smack labels. -# -# The Tizen .spec file calls cynara-db-migration in a %pre section. -# That only works when cynara-db-migration is packaged separately -# (overly complex) and does not seem necessary: perhaps there is a -# time window where cynara might already get activated before -# the postinst completes, but that is a general problem. It gets -# avoided entirely when calling this script while building the -# rootfs. -RDEPENDS_${PN}_append_with-lsm-smack = " smack" -DEPENDS_append_with-lsm-smack = " smack-native" -CHSMACK_with-lsm-smack = "chsmack" -CHSMACK = "true" -pkg_postinst_${PN} () { - # Fail on error. - set -e - - # It would be nice to run the code below while building an image, - # but currently the calls to cynara-db-chsgen (a binary) in - # cynara-db-migration (a script) prevent that. Rely instead - # on OE's support for running failed postinst scripts at first boot. - if [ x"$D" != "x" ]; then - exit 1 - fi - - mkdir -p $D${sysconfdir}/cynara - ${CHSMACK} -a System $D${sysconfdir}/cynara - - # Strip git patch level information, the version comparison code - # in cynara-db-migration only expect major.minor.patch version numbers. - VERSION=${@bb.data.getVar('PV',d,1).split('+git')[0]} - if [ -d $D${localstatedir}/cynara ] ; then - # upgrade - echo "NOTE: updating cynara DB to version $VERSION" - $D${sbindir}/cynara-db-migration upgrade -f 0.0.0 -t $VERSION - else - # install - echo "NOTE: creating cynara DB for version $VERSION" - mkdir -p $D${localstatedir}/cynara - ${CHSMACK} -a System $D${localstatedir}/cynara - $D${sbindir}/cynara-db-migration install -t $VERSION - fi - - # Workaround for systemd.bbclass issue: it would call - # "systemctl start" without "--no-block", but because - # the service is not ready to run at the time when - # this scripts gets executed by run-postinsts.service, - # booting deadlocks. 
- echo "NOTE: enabling and starting cynara service" - systemctl enable cynara - systemctl start --no-block cynara -} diff --git a/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch new file mode 100644 index 000000000..11387b98b --- /dev/null +++ b/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch 
@@ -0,0 +1,59 @@
+From 3d387993b5a4283e8aebd8e777b2ccd45d233959 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Thu, 25 Jan 2018 12:00:18 +0100
+Subject: [PATCH 1/6] Add fallthrough tags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+GCC 7 emits a warning when the tag /*@fallthrough@*/
+doesn't appear in a switch case when a case continue
+to the next after some processing.
+
+Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c
+Signed-off-by: José Bollo
+---
+ src/admin/api/admin-api.cpp | 1 +
+ src/client-async/logic/Logic.cpp | 1 +
+ src/common/sockets/SocketClient.cpp | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/src/admin/api/admin-api.cpp b/src/admin/api/admin-api.cpp
+index c638f41..aafa45e 100644
+--- a/src/admin/api/admin-api.cpp
++++ b/src/admin/api/admin-api.cpp
+@@ -146,6 +146,7 @@ int cynara_admin_set_policies(struct cynara_admin *p_cynara_admin,
+ case CYNARA_ADMIN_BUCKET:
+ if (!isStringValid(policy->result_extra))
+ return CYNARA_API_INVALID_PARAM;
++ /*@fallthrough@*/
+ default:
+ {
+ std::string extraStr = policy->result_extra ? policy->result_extra : "";
+diff --git a/src/client-async/logic/Logic.cpp b/src/client-async/logic/Logic.cpp
+index 5ae0251..c1d6c33 100644
+--- a/src/client-async/logic/Logic.cpp
++++ b/src/client-async/logic/Logic.cpp
+@@ -233,6 +233,7 @@ bool Logic::processOut(void) {
+ case Socket::SendStatus::ALL_DATA_SENT:
+ onStatusChange(m_socketClient.getSockFd(),
+ cynara_async_status::CYNARA_STATUS_FOR_READ);
++ /*@fallthrough@*/
+ case Socket::SendStatus::PARTIAL_DATA_SENT:
+ return true;
+ default:
+diff --git a/src/common/sockets/SocketClient.cpp b/src/common/sockets/SocketClient.cpp
+index b1ca4f7..f4394e5 100644
+--- a/src/common/sockets/SocketClient.cpp
++++ b/src/common/sockets/SocketClient.cpp
+@@ -45,6 +45,7 @@ bool SocketClient::connect(void) {
+ LOGW("Error connecting to Cynara. Service not available.");
+ return false;
+ }
++ /*@fallthrough@*/
+ default:
+ return true;
+ }
+--
+2.14.3
+
diff --git a/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
new file mode 100644
index 000000000..760a1c5b2
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
@@ -0,0 +1,38 @@
+From b18e66ce7f81c56e3a97ed075cb60d5a43b2e57c Mon Sep 17 00:00:00 2001
+From: Changhyeok Bae
+Date: Sun, 17 Dec 2017 15:28:28 +0000
+Subject: [PATCH 2/6] gcc-7 requires include for std::function
+
+Signed-off-by: Changhyeok Bae
+---
+ src/common/types/PolicyBucket.h | 1 +
+ src/cyad/AdminPolicyParser.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/common/types/PolicyBucket.h b/src/common/types/PolicyBucket.h
+index 029d3dd..1bceeca 100644
+--- a/src/common/types/PolicyBucket.h
++++ b/src/common/types/PolicyBucket.h
+@@ -30,6 +30,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+diff --git a/src/cyad/AdminPolicyParser.h b/src/cyad/AdminPolicyParser.h
+index 53dde23..f38c194 100644
+--- a/src/cyad/AdminPolicyParser.h
++++ b/src/cyad/AdminPolicyParser.h
+@@ -25,6 +25,7 @@
+
+ #include
+ #include
++#include
+
+ #include
+
+--
+2.14.3
+
diff --git a/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
new file mode 100644
index 000000000..8c47c3b26
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
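Review bot: None of the six new patch files carries an `Upstream-Status:` line, which meta-security/OE require on every patch so the layer can be audited for what has been sent upstream (the cmake-Improves-directories patch this commit deletes had one); add `Upstream-Status: Pending`, or Submitted with the review URL if there is one, after the Change-Id of this patch and of 0002–0006. The `/*@fallthrough@*/` placements look correct as far as the context shows: in admin-api.cpp CYNARA_ADMIN_BUCKET only reaches `default:` after its validity check passed, and in SocketClient.cpp the tag sits after the closing brace of the branch that returns false, so it annotates the path that continues into `default: return true;`. Comment-based fallthrough detection is a GCC convention; if the project builds as C++17, `[[fallthrough]];` is the portable spelling, but the hunk does not show which standard is used. The enclosing switch statements begin and end outside the quoted context.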
@@ -0,0 +1,45 @@
+From 6ad54c5e732e7cf0a29f29f48fa757e3e56d6860 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Thu, 25 Jan 2018 11:38:16 +0100
+Subject: [PATCH 3/6] Avoid warning when compiling without smack
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When DB_FILES_SMACK_LABEL is not defined, cmake complains
+with the following message:
+
+> -- Checking for modules ''
+> Please specify at least one package name on the command line.
+
+Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190
+Signed-off-by: José Bollo
+---
+ src/admin/CMakeLists.txt | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/admin/CMakeLists.txt b/src/admin/CMakeLists.txt
+index e4f354a..38b8669 100644
+--- a/src/admin/CMakeLists.txt
++++ b/src/admin/CMakeLists.txt
+@@ -23,12 +23,12 @@ IF (DB_FILES_SMACK_LABEL)
+ SET(SMACK "smack")
+ SET(LIBSMACK "libsmack")
+ ADD_DEFINITIONS("-DDB_FILES_SMACK_LABEL=\"${DB_FILES_SMACK_LABEL}\"")
+-ENDIF (DB_FILES_SMACK_LABEL)
+
+-PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP
+- REQUIRED
+- ${LIBSMACK}
+- )
++ PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP
++ REQUIRED
++ ${LIBSMACK}
++ )
++ENDIF (DB_FILES_SMACK_LABEL)
+
+ SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin)
+
+--
+2.14.3
+
diff --git a/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
new file mode 100644
index 000000000..164542899
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
@@ -0,0 +1,44 @@
+From 2bd62bca98a8a8cf194fb2b68aed68d982f58520 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Thu, 25 Jan 2018 12:52:39 +0100
+Subject: [PATCH 4/6] Fix mode of sockets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Setting execution bit on the socket serves nothing.
+
+Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10
+Signed-off-by: José Bollo
+---
+ systemd/cynara-admin.socket | 2 +-
+ systemd/cynara.socket | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket
+index 2d1aea4..ed38386 100644
+--- a/systemd/cynara-admin.socket
++++ b/systemd/cynara-admin.socket
+@@ -1,6 +1,6 @@
+ [Socket]
+ ListenStream=/run/cynara/cynara-admin.socket
+-SocketMode=0700
++SocketMode=0600
+ SmackLabelIPIn=@
+ SmackLabelIPOut=@
+
+diff --git a/systemd/cynara.socket b/systemd/cynara.socket
+index 9f2a870..fad2745 100644
+--- a/systemd/cynara.socket
++++ b/systemd/cynara.socket
+@@ -1,6 +1,6 @@
+ [Socket]
+ ListenStream=/run/cynara/cynara.socket
+-SocketMode=0777
++SocketMode=0666
+ SmackLabelIPIn=*
+ SmackLabelIPOut=@
+
+--
+2.14.3
+
diff --git a/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
new file mode 100644
index 000000000..b4a2d74e8
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
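Review bot: The 0666 mode retained on cynara.socket leaves the policy-check socket connectable by every local user, and `SmackLabelIPIn=*` means a Smack-enabled kernel does not narrow that either, so after this patch client access is gated only by whatever peer-credential checks the daemon performs itself (presumably configured through the creds.conf the old recipe installed); that is a defensible design for a policy oracle, but it deserves a comment in the unit — `# 0666 is intentional: any local client may request decisions; the caller is identified from peer credentials, not from socket DAC` — so a later hardening pass does not "fix" it. The bit change itself is right: connect() on a unix socket needs write permission on the socket inode plus search permission on the directory, never execute, and 0600 on cynara-admin.socket with no SocketUser=/SocketGroup= keeps the admin interface root-only, consistent with 0005 giving it no group. The series never sets the mode of /run/cynara itself; systemd creates that directory from the ListenStream= path using DirectoryMode= (0755 unless set), which is what would have to change if traversal should be restricted.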
@@ -0,0 +1,127 @@
+From d919b110a2fbccdce084c651f4d7d7de66f2f869 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Thu, 25 Jan 2018 13:47:37 +0100
+Subject: [PATCH 5/6] Allow to tune sockets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Allow to change the directory of sockets
+through a true integration of SOCKET_DIR
+
+Allow to override the socket's group of
+ - /run/cynara/cynara-agent.socket
+ - /run/cynara/cynara-monitor-get.socket
+
+through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP
+
+Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef
+Signed-off-by: José Bollo
+---
+ systemd/CMakeLists.txt | 19 +++++++++++++++----
+ .../{cynara-admin.socket => cynara-admin.socket.in} | 2 +-
+ .../{cynara-agent.socket => cynara-agent.socket.in} | 4 ++--
+ ...onitor-get.socket => cynara-monitor-get.socket.in} | 4 ++--
+ systemd/{cynara.socket => cynara.socket.in} | 2 +-
+ 5 files changed, 21 insertions(+), 10 deletions(-)
+ rename systemd/{cynara-admin.socket => cynara-admin.socket.in} (78%)
+ rename systemd/{cynara-agent.socket => cynara-agent.socket.in} (66%)
+ rename systemd/{cynara-monitor-get.socket => cynara-monitor-get.socket.in} (64%)
+ rename systemd/{cynara.socket => cynara.socket.in} (80%)
+
+diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
+index 20accf0..1b75c12 100644
+--- a/systemd/CMakeLists.txt
++++ b/systemd/CMakeLists.txt
+@@ -16,13 +16,24 @@
+ # @author Lukasz Wojciechowski
+ #
+
++SET(CYNARA_ADMIN_SOCKET_GROUP
++ "security_fw"
++ CACHE STRING
++ "Group to apply on administrative sockets")
++
++
++CONFIGURE_FILE(cynara.socket.in cynara.socket @ONLY)
++CONFIGURE_FILE(cynara-admin.socket.in cynara-admin.socket @ONLY)
++CONFIGURE_FILE(cynara-agent.socket.in cynara-agent.socket @ONLY)
++CONFIGURE_FILE(cynara-monitor-get.socket.in cynara-monitor-get.socket @ONLY)
++
+ INSTALL(FILES
+ ${CMAKE_SOURCE_DIR}/systemd/cynara.service
+ ${CMAKE_SOURCE_DIR}/systemd/cynara.target
+- ${CMAKE_SOURCE_DIR}/systemd/cynara.socket
+- ${CMAKE_SOURCE_DIR}/systemd/cynara-admin.socket
+- ${CMAKE_SOURCE_DIR}/systemd/cynara-agent.socket
+- ${CMAKE_SOURCE_DIR}/systemd/cynara-monitor-get.socket
++ ${CMAKE_BINARY_DIR}/systemd/cynara.socket
++ ${CMAKE_BINARY_DIR}/systemd/cynara-admin.socket
++ ${CMAKE_BINARY_DIR}/systemd/cynara-agent.socket
++ ${CMAKE_BINARY_DIR}/systemd/cynara-monitor-get.socket
+ DESTINATION
+ ${SYSTEMD_UNIT_DIR}
+ )
+diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket.in
+similarity index 78%
+rename from systemd/cynara-admin.socket
+rename to systemd/cynara-admin.socket.in
+index ed38386..2364c3e 100644
+--- a/systemd/cynara-admin.socket
++++ b/systemd/cynara-admin.socket.in
+@@ -1,5 +1,5 @@
+ [Socket]
+-ListenStream=/run/cynara/cynara-admin.socket
++ListenStream=@SOCKET_DIR@/cynara-admin.socket
+ SocketMode=0600
+ SmackLabelIPIn=@
+ SmackLabelIPOut=@
+diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket.in
+similarity index 66%
+rename from systemd/cynara-agent.socket
+rename to systemd/cynara-agent.socket.in
+index 5a677e0..4f86c9d 100644
+--- a/systemd/cynara-agent.socket
++++ b/systemd/cynara-agent.socket.in
+@@ -1,6 +1,6 @@
+ [Socket]
+-ListenStream=/run/cynara/cynara-agent.socket
+-SocketGroup=security_fw
++ListenStream=@SOCKET_DIR@/cynara-agent.socket
++SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
+ SocketMode=0060
+ SmackLabelIPIn=*
+ SmackLabelIPOut=@
+diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket.in
+similarity index 64%
+rename from systemd/cynara-monitor-get.socket
+rename to systemd/cynara-monitor-get.socket.in
+index a50feeb..b88dbf7 100644
+--- a/systemd/cynara-monitor-get.socket
++++ b/systemd/cynara-monitor-get.socket.in
+@@ -1,6 +1,6 @@
+ [Socket]
+-ListenStream=/run/cynara/cynara-monitor-get.socket
+-SocketGroup=security_fw
++ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket
++SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
+ SocketMode=0060
+ SmackLabelIPIn=@
+ SmackLabelIPOut=@
+diff --git a/systemd/cynara.socket b/systemd/cynara.socket.in
+similarity index 80%
+rename from systemd/cynara.socket
+rename to systemd/cynara.socket.in
+index fad2745..ba76549 100644
+--- a/systemd/cynara.socket
++++ b/systemd/cynara.socket.in
+@@ -1,5 +1,5 @@
+ [Socket]
+-ListenStream=/run/cynara/cynara.socket
++ListenStream=@SOCKET_DIR@/cynara.socket
+ SocketMode=0666
+ SmackLabelIPIn=*
+ SmackLabelIPOut=@
+--
+2.14.3
+
diff --git a/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
new file mode 100644
index 000000000..0cfc785c1
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
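Review bot: CYNARA_ADMIN_SOCKET_GROUP is substituted only into cynara-agent.socket.in and cynara-monitor-get.socket.in, while cynara-admin.socket.in gets no group at all, so both the cache variable's name and its description `"Group to apply on administrative sockets"` point the reader at the wrong unit; if a rename is too disruptive, at least change the description to `"Group allowed to connect to the agent and monitor sockets"`. A second thing worth writing down: the `.in` files go through `CONFIGURE_FILE(... @ONLY)` yet contain literal `@` in their `SmackLabelIPIn=@` and `SmackLabelIPOut=@` lines, which survive only because no legal CMake variable name spans from one `@` to the next — add `# the Smack label '@' in the .in files is literal; keep those keys on separate lines so @ONLY cannot pair them` above the CONFIGURE_FILE calls. Finally, as far as I know systemd refuses to bind a socket whose SocketGroup= does not resolve, so the group must exist before sockets.target is reached; the recipe passes `cynara`, which its useradd class creates, but a downstream override of this variable has no such guarantee and the cache docstring could say so.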
@@ -0,0 +1,80 @@
+From d54e425b0685c9e3e06f5b4efcbd206950d14f3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Thu, 25 Jan 2018 14:09:23 +0100
+Subject: [PATCH 6/6] Install socket activation by default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf
+Signed-off-by: José Bollo
+---
+ packaging/cynara.spec | 5 -----
+ systemd/CMakeLists.txt | 7 +++++++
+ systemd/sockets.target.wants/cynara-admin.socket | 1 +
+ systemd/sockets.target.wants/cynara-agent.socket | 1 +
+ systemd/sockets.target.wants/cynara.socket | 1 +
+ 5 files changed, 10 insertions(+), 5 deletions(-)
+ create mode 120000 systemd/sockets.target.wants/cynara-admin.socket
+ create mode 120000 systemd/sockets.target.wants/cynara-agent.socket
+ create mode 120000 systemd/sockets.target.wants/cynara.socket
+
+diff --git a/packaging/cynara.spec b/packaging/cynara.spec
+index d2e0b80..2c5b326 100644
+--- a/packaging/cynara.spec
++++ b/packaging/cynara.spec
+@@ -72,12 +72,7 @@ make %{?jobs:-j%jobs}
+ rm -rf %{buildroot}
+ %make_install
+
+-mkdir -p %{buildroot}%{_unitdir}/sockets.target.wants
+ mkdir -p %{buildroot}%{_unitdir}/multi-user.target.wants
+-ln -s ../cynara.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara.socket
+-ln -s ../cynara-admin.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-admin.socket
+-ln -s ../cynara-agent.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-agent.socket
+-ln -s ../cynara-monitor-get.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-monitor-get.socket
+ ln -s ../cynara.service %{buildroot}%{_unitdir}/multi-user.target.wants/cynara.service
+
+ %post
+diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
+index 1b75c12..9a2d70d 100644
+--- a/systemd/CMakeLists.txt
++++ b/systemd/CMakeLists.txt
+@@ -38,3 +38,10 @@ INSTALL(FILES
+ ${SYSTEMD_UNIT_DIR}
+ )
+
++INSTALL(DIRECTORY
++ ${CMAKE_SOURCE_DIR}/systemd/sockets.target.wants
++ DESTINATION
++ ${SYSTEMD_UNIT_DIR}
++)
++
++
+diff --git a/systemd/sockets.target.wants/cynara-admin.socket b/systemd/sockets.target.wants/cynara-admin.socket
+new file mode 120000
+index 0000000..3d0b1ce
+--- /dev/null
++++ b/systemd/sockets.target.wants/cynara-admin.socket
+@@ -0,0 +1 @@
++../cynara-admin.socket
+\ No newline at end of file
+diff --git a/systemd/sockets.target.wants/cynara-agent.socket b/systemd/sockets.target.wants/cynara-agent.socket
+new file mode 120000
+index 0000000..22b37dd
+--- /dev/null
++++ b/systemd/sockets.target.wants/cynara-agent.socket
+@@ -0,0 +1 @@
++../cynara-agent.socket
+\ No newline at end of file
+diff --git a/systemd/sockets.target.wants/cynara.socket b/systemd/sockets.target.wants/cynara.socket
+new file mode 120000
+index 0000000..c0e5a5b
+--- /dev/null
++++ b/systemd/sockets.target.wants/cynara.socket
+@@ -0,0 +1 @@
++../cynara.socket
+\ No newline at end of file
+--
+2.14.3
+
diff --git a/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch b/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch
deleted file mode 100644
index 7ad94ed40..000000000
--- a/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch
+++ /dev/null
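Review bot: The sockets.target.wants directory installed here holds symlinks for cynara.socket, cynara-admin.socket and cynara-agent.socket only, whereas the `ln -s` lines this patch removes from packaging/cynara.spec also created one for cynara-monitor-get.socket; unless that is deliberate, monitor-get is no longer socket-activated on installs from this tree. Either add a fourth link, `systemd/sockets.target.wants/cynara-monitor-get.socket -> ../cynara-monitor-get.socket`, or explain the omission in the patch description, which currently has no body at all. I believe install(DIRECTORY) copies symlinks as symlinks, matching what the spec's `ln -s` produced, but that is worth confirming on a built image with `ls -l` of the installed sockets.target.wants before relying on it. The spec-file edit itself is Tizen packaging the OE recipe never uses, so keeping the patch to the CMake side would be cleaner, though that is a preference.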
@@ -1,119 +0,0 @@ -From 9d1ba2f7c5d72436b17d0f3982a00380c72a58f8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jos=C3=A9=20Bollo?= -Date: Mon, 4 Jul 2016 13:54:59 +0200 -Subject: [PATCH] cmake: Improves directories and libsystemd -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The previous implementation was not fully compliant with -standards. It was missing some of the predefined variable -DATAROOTDIR, it was missing specificity of -CMAKE_INSTALL_FULL_SYSCONFDIR. It also was not compatible -with yocto build system bitbake. - -The library systemd is changing. The previous previous -pkg-config files 'libsystemd-daemon' and 'libsystemd-journal' -are now deprecated in favour of 'libsystemd'. - -Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/16] - -Signed-off-by: José Bollo ---- - CMakeLists.txt | 46 ++++++++++++++++++++-------------------------- - 1 file changed, 20 insertions(+), 26 deletions(-) - -diff --git a/CMakeLists.txt b/CMakeLists.txt -index b0ee75f..6a439e2 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -43,66 +43,60 @@ ENDIF (NOT BUILD_COMMONS AND NOT BUILD_SERVICE AND NOT BUILD_DBUS) - - ########################## search for packages ################################ - --#1st case. User choose to build with systemd. --IF (DEFINED BUILD_WITH_SYSTEMD AND BUILD_WITH_SYSTEMD) -- PKG_CHECK_MODULES(SYSTEMD_DEP -- REQUIRED -- libsystemd-daemon -- libsystemd-journal -- ) --ENDIF (DEFINED BUILD_WITH_SYSTEMD AND BUILD_WITH_SYSTEMD) -+#Search the new libsystemd package -+PKG_CHECK_MODULES(SYSTEMD_DEP QUIET libsystemd) - --#2nd case. User choose not to build with systemd. Noting to do in this case. --#IF (DEFINED BUILD_WITH_SYSTEMD AND NOT BUILD_WITH_SYSTEMD) --#ENDIF (DEFINED BUILD_WITH_SYSTEMD AND NOT BUILD_WITH_SYSTEMD) -- --#3rd case. User did not choose. If we can we will use systemd. 
--IF (NOT DEFINED BUILD_WITH_SYSTEMD) -+#Fallback ot the oldest libsystemd packages -+IF(NOT SYSTEMD_DEP_FOUND) - PKG_CHECK_MODULES(SYSTEMD_DEP - QUIET - libsystemd-daemon - libsystemd-journal - ) -- -- IF (SYSTEMD_DEP_FOUND) -- SET(BUILD_WITH_SYSTEMD ON) -- ENDIF (SYSTEMD_DEP_FOUND) --ENDIF (NOT DEFINED BUILD_WITH_SYSTEMD) -+ENDIF(NOT SYSTEMD_DEP_FOUND) -+ -+#Enforce and check -+IF(SYSTEMD_DEP_FOUND) -+ #Enforce use of systemd if present -+ SET(BUILD_WITH_SYSTEMD ON) -+ELSEIF(BUILD_WITH_SYSTEMD) -+ MESSAGE(FATAL_ERROR "Can't find libsystemd") -+ENDIF() - - ######################## directory configuration ############################ - - SET(LIB_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}" -+ "${CMAKE_INSTALL_FULL_LIBDIR}" - CACHE PATH - "Object code libraries directory") - - SET(BIN_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}" -+ "${CMAKE_INSTALL_FULL_BINDIR}" - CACHE PATH - "User executables directory") - - SET(SBIN_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_SBINDIR}" -+ "${CMAKE_INSTALL_FULL_SBINDIR}" - CACHE PATH - "System admin executables directory") - - SET(SYS_CONFIG_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_SYSCONFDIR}" -+ "${CMAKE_INSTALL_FULL_SYSCONFDIR}" - CACHE PATH - "Read-only single-machine data directory") - - SET(INCLUDE_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDEDIR}" -+ "${CMAKE_INSTALL_FULL_INCLUDEDIR}" - CACHE PATH - "Header files directory") - - SET(LOCAL_STATE_DIR -- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LOCALSTATEDIR}" -+ "${CMAKE_INSTALL_FULL_LOCALSTATEDIR}" - CACHE PATH - "Modifiable single-machine data directory") - - SET(DATA_ROOT_DIR -- "${CMAKE_INSTALL_PREFIX}/share" -+ "${CMAKE_INSTALL_FULL_DATAROOTDIR}" - CACHE PATH - "Read-only architecture-independent data root directory") - --- -2.5.5 - 
diff --git a/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch b/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch
deleted file mode 100644
index 1a204eb14..000000000
--- a/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 80cc04091410d6a322fee1a2922fdf867395f00a Mon Sep 17 00:00:00 2001
-From: Patrick Ohly
-Date: Fri, 29 May 2015 10:21:57 +0200
-Subject: [PATCH] work around gmock pthread dependency
-
-In meta-oe, gmock's .pc file does not declare that users of
-gmock must link against pthread. Let's work around that
-here by always linking tests against libpthread.
-
-Upstream-status: Inappropriate [embedded specific]
-
-Signed-off-by: Patrick Ohly
----
- test/CMakeLists.txt | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
-index 25a70db..f490a24 100644
---- a/test/CMakeLists.txt
-+++ b/test/CMakeLists.txt
-@@ -138,6 +138,7 @@ ADD_EXECUTABLE(${TARGET_CYNARA_TESTS}
- TARGET_LINK_LIBRARIES(${TARGET_CYNARA_TESTS}
- ${PKGS_LDFLAGS}
- ${PKGS_LIBRARIES}
-+ pthread
- crypt
- )
- INSTALL(TARGETS ${TARGET_CYNARA_TESTS} DESTINATION ${BIN_INSTALL_DIR})
---
-2.1.4
-
diff --git a/meta-security/recipes-security/cynara/cynara_0.14.10.bb b/meta-security/recipes-security/cynara/cynara_0.14.10.bb
new file mode 100644
index 000000000..6c187fced
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara_0.14.10.bb
@@ -0,0 +1,163 @@
+DESCRIPTION = "Cynara service with client libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
+
+PV = "0.14.10+git${SRCPV}"
+SRCREV = "be455dcaf1400bec0272a6ce90852b9147393a60"
+SRC_URI = "git://github.com/Samsung/cynara.git"
+S = "${WORKDIR}/git"
+
+SRC_URI += " \
+ file://cynara-db-migration-abort-on-errors.patch \
+ file://0001-Add-fallthrough-tags.patch \
+ file://0002-gcc-7-requires-include-functional-for-std-function.patch \
+ file://0003-Avoid-warning-when-compiling-without-smack.patch \
+ file://0004-Fix-mode-of-sockets.patch \
+ file://0005-Allow-to-tune-sockets.patch \
+ file://0006-Install-socket-activation-by-default.patch \
+"
+
+DEPENDS = " \
+glib-2.0 \
+systemd \
+zip \
+"
+
+PACKAGECONFIG ??= ""
+# Use debug mode to increase logging. Beware, also compiles with less optimization
+# and thus has to disable FORTIFY_SOURCE below.
+PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE,libunwind elfutils"
+
+inherit cmake
+
+EXTRA_OECMAKE += " \
+ -DCMAKE_VERBOSE_MAKEFILE=ON \
+ -DBUILD_WITH_SYSTEMD_DAEMON=ON \
+ -DBUILD_WITH_SYSTEMD_JOURNAL=ON \
+ -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
+ -DSOCKET_DIR=/run/cynara \
+ -DBUILD_COMMONS=ON \
+ -DBUILD_SERVICE=ON \
+ -DBUILD_DBUS=OFF \
+ -DCYNARA_ADMIN_SOCKET_GROUP=cynara \
+"
+
+# Explicitly package empty directory. Otherwise Cynara prints warnings
+# at runtime:
+# cyad[198]: Couldn't scan for plugins in :
+FILES_${PN}_append = " \
+${libdir}/cynara/plugin/service \
+${libdir}/cynara/plugin/client \
+"
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "-r cynara"
+USERADD_PARAM_${PN} = "\
+--system --home ${localstatedir}/lib/empty \
+--no-create-home --shell /bin/false \
+--gid cynara cynara \
+"
+
+# Causes deadlock during booting, see workaround in postinst below.
+#inherit systemd
+#SYSTEMD_SERVICE_${PN} = "cynara.service"
+
+#do_install_append () {
+# chmod a+rx ${D}/${sbindir}/cynara-db-migration
+#
+# install -d ${D}${sysconfdir}/cynara/
+# install -m 644 ${S}/conf/creds.conf ${D}/${sysconfdir}/cynara/creds.conf
+#
+# # No need to create empty directories except for those which
+# # Cynara expects to find.
+# # install -d ${D}${localstatedir}/cynara/
+# # install -d ${D}${prefix}/share/cynara/tests/empty_db
+# install -d ${D}${libdir}/cynara/plugin/client
+# install -d ${D}${libdir}/cynara/plugin/service
+#
+# # install db* ${D}${prefix}/share/cynara/tests/
+#
+# install -d ${D}${systemd_system_unitdir}/sockets.target.wants
+# ln -s ../cynara.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara.socket
+# ln -s ../cynara-admin.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-admin.socket
+# ln -s ../cynara-agent.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-agent.socket
+#}
+
+FILES_${PN} += "${systemd_system_unitdir}"
+
+# Cynara itself has no dependency on Smack. Only its installation
+# is Smack-aware in the sense that it sets Smack labels. Do not
+# depend on smack userspace unless we really need Smack labels.
+#
+# The Tizen .spec file calls cynara-db-migration in a %pre section.
+# That only works when cynara-db-migration is packaged separately
+# (overly complex) and does not seem necessary: perhaps there is a
+# time window where cynara might already get activated before
+# the postinst completes, but that is a general problem. It gets
+# avoided entirely when calling this script while building the
+# rootfs.
+DEPENDS_append_with-lsm-smack = " smack smack-native"
+EXTRA_OECMAKE_append_with-lsm-smack = " -DDB_FILES_SMACK_LABEL=System"
+CHSMACK_with-lsm-smack = "chsmack"
+CHSMACK = "true"
+pkg_postinst_${PN} () {
+ # Fail on error.
+ set -e
+
+ # It would be nice to run the code below while building an image,
+ # but currently the calls to cynara-db-chsgen (a binary) in
+ # cynara-db-migration (a script) prevent that. Rely instead
+ # on OE's support for running failed postinst scripts at first boot.
+ if [ x"$D" != "x" ]; then
+ exit 1
+ fi
+
+ mkdir -p $D${sysconfdir}/cynara
+ ${CHSMACK} -a System $D${sysconfdir}/cynara
+
+ # Strip git patch level information, the version comparison code
+ # in cynara-db-migration only expect major.minor.patch version numbers.
+ VERSION=${@d.getVar('PV',d,1).split('+git')[0]}
+ if [ -d $D${localstatedir}/cynara ] ; then
+ # upgrade
+ echo "NOTE: updating cynara DB to version $VERSION"
+ $D${sbindir}/cynara-db-migration upgrade -f 0.0.0 -t $VERSION
+ else
+ # install
+ echo "NOTE: creating cynara DB for version $VERSION"
+ mkdir -p $D${localstatedir}/cynara
+ ${CHSMACK} -a System $D${localstatedir}/cynara
+ $D${sbindir}/cynara-db-migration install -t $VERSION
+ fi
+
+ # Workaround for systemd.bbclass issue: it would call
+ # "systemctl start" without "--no-block", but because
+ # the service is not ready to run at the time when
+ # this scripts gets executed by run-postinsts.service,
+ # booting deadlocks.
+ echo "NOTE: enabling and starting cynara service"
+ systemctl enable cynara
+ systemctl start --no-block cynara
+}
+
+# Testing depends on gmock and gtest. They can be found in meta-oe
+# and are not necessarily available, so this feature is off by default.
+# If gmock from meta-oe is used, then a workaround is needed to avoid
+# a link error (libgmock.a calls pthread functions without libpthread
+# being listed in the .pc file).
+DEPENDS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' gmock', '', d)}"
+LDFLAGS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' -lpthread', '', d)}"
+SRC_URI_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' file://run-ptest', '', d)}"
+PACKAGECONFIG[tests] = "-DBUILD_TESTS:BOOL=ON,-DBUILD_TESTS:BOOL=OFF,gmock gtest,"
+
+# Will be empty if no tests were built.
+inherit ptest
+FILES_${PN}-ptest += "${bindir}/cynara-tests ${bindir}/cynara-db-migration-tests ${datadir}/cynara/tests"
+do_install_ptest () {
+ if ${@bb.utils.contains('PACKAGECONFIG', 'tests', 'true', 'false', d)}; then
+ mkdir -p ${D}/${datadir}/cynara/tests
+ cp -r ${S}/test/db/* ${D}/${datadir}/cynara/tests
+ fi
+}
+
diff --git a/meta-security/recipes-security/cynara/cynara_git.bb b/meta-security/recipes-security/cynara/cynara_git.bb
deleted file mode 100644
index 6e387d41e..000000000
--- a/meta-security/recipes-security/cynara/cynara_git.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-require cynara.inc
-
-PV = "0.11.0+git${SRCPV}"
-SRCREV = "973765e329f8a84c1549cb2b0c65ccb1cce3c2d3"
-SRC_URI = "git://github.com/Samsung/cynara.git"
-S = "${WORKDIR}/git"
-
-SRC_URI += " \
-file://cynara-db-migration-abort-on-errors.patch \
-file://cmake-Improves-directories-and-libsystemd.patch \
-"
-- cgit 1.2.3-korg
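Review bot: The runtime dependency the postinst relies on under the with-lsm-smack override was lost in the rewrite: the deleted .inc had `RDEPENDS_${PN}_append_with-lsm-smack = " smack"`, the new recipe keeps only DEPENDS, yet `pkg_postinst_${PN}` still runs `${CHSMACK} -a System ...` with CHSMACK=chsmack under `set -e`, so on a Smack image that does not otherwise pull in the smack package the deferred first-boot postinst aborts before `systemctl enable cynara` and the service is never enabled. Restore `RDEPENDS_${PN}_append_with-lsm-smack = " smack"`. Separately, `VERSION=${@d.getVar('PV',d,1).split('+git')[0]}` hands `d` and `1` to the DataSmart API as its expand/noweakdefault positional arguments, which only works by accident; the intended call is `VERSION=${@d.getVar('PV').split('+git')[0]}`. Finally, with do_install_append commented out the recipe no longer installs conf/creds.conf, creates the plugin directories that the `FILES_${PN}_append` comment says must be packaged, or makes cynara-db-migration executable, and the debug PACKAGECONFIG comment still refers to a FORTIFY_SOURCE workaround that is no longer in the recipe; if upstream 0.14.10's CMake now covers all of that, replace the dead block with a one-line comment saying so, otherwise the stale comments and empty FILES entry will mislead the next maintainer.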