diff options
Diffstat (limited to 'external/meta-security/recipes-mac')
30 files changed, 1906 insertions, 0 deletions
diff --git a/external/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb b/external/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb new file mode 100644 index 00000000..552cac70 --- /dev/null +++ b/external/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb @@ -0,0 +1,199 @@ +SUMMARY = "AppArmor another MAC control system" +DESCRIPTION = "user-space parser utility for AppArmor \ + This provides the system initialization scripts needed to use the \ + AppArmor Mandatory Access Control system, including the AppArmor Parser \ + which is required to convert AppArmor text profiles into machine-readable \ + policies that are loaded into the kernel for use with the AppArmor Linux \ + Security Module." +HOMEAPAGE = "http://apparmor.net/" +SECTION = "admin" + +LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" + +DEPENDS = "bison-native apr gettext-native coreutils-native" + +SRC_URI = " \ + git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \ + file://disable_perl_h_check.patch \ + file://crosscompile_perl_bindings.patch \ + file://apparmor.rc \ + file://functions \ + file://apparmor \ + file://apparmor.service \ + file://0001-Makefile.am-suppress-perllocal.pod.patch \ + file://run-ptest \ + " + +SRCREV = "df0ac742f7a1146181d8734d03334494f2015134" +S = "${WORKDIR}/git" + +PARALLEL_MAKE = "" + +inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check +REQUIRED_DISTRO_FEATURES = "apparmor" + +PACKAGECONFIG ??= "python perl aa-decode" +PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages" +PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native" +PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native" +PACKAGECONFIG[apache2] = ",,apache2," +PACKAGECONFIG[aa-decode] = ",,,bash" + +PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" +HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" + +python() { + if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ + 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): + raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') +} + +DISABLE_STATIC = "" + +do_configure() { + cd ${S}/libraries/libapparmor + aclocal + autoconf --force + libtoolize --automake -c --force + automake -ac + ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} +} + +do_compile () { + # Fixes: + # | sed -ie 's///g' Makefile.perl + # | sed: -e expression #1, char 0: no previous regular expression + #| Makefile:478: recipe for target 'Makefile.perl' failed + sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile + + + oe_runmake -C ${B}/libraries/libapparmor + oe_runmake -C ${B}/binutils + oe_runmake -C ${B}/utils + oe_runmake -C ${B}/parser + oe_runmake -C ${B}/profiles + + if test -z "${HTTPD}" ; then + oe_runmake -C ${B}/changehat/mod_apparmor + fi + + if test -z "${PAMLIB}" ; then + oe_runmake -C ${B}/changehat/pam_apparmor + fi +} + +do_install () { + install -d ${D}/${INIT_D_DIR} + install -d ${D}/lib/apparmor + oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install + oe_runmake -C ${B}/binutils DESTDIR="${D}" install + oe_runmake -C ${B}/utils DESTDIR="${D}" install + oe_runmake -C ${B}/parser DESTDIR="${D}" install + oe_runmake -C ${B}/profiles DESTDIR="${D}" install + + # If perl is disabled this script won't be any good + if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then + rm -f ${D}${sbindir}/aa-notify + fi + + if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then + rm -f ${D}${sbindir}/aa-decode + fi + + if test -z "${HTTPD}" ; then + oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install + fi + + if test -z "${PAMLIB}" ; then + oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install + fi + + # aa-easyprof is installed by python-tools-setup.py, fix it up + sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof + chmod 0755 ${D}${bindir}/aa-easyprof + + install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor + install ${WORKDIR}/functions ${D}/lib/apparmor + sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions + sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions + + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} + fi +} + +#Building ptest on arm fails. +do_compile_ptest_aarch64 () { + : +} + +do_compile_ptest_arm () { + : +} + +do_compile_ptest () { + oe_runmake -C ${B}/tests/regression/apparmor + oe_runmake -C ${B}/parser/tst + oe_runmake -C ${B}/libraries/libapparmor +} + +do_install_ptest () { + t=${D}/${PTEST_PATH}/testsuite + install -d ${t} + install -d ${t}/tests/regression/apparmor + cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression + + install -d ${t}/parser/tst + cp -rf ${B}/parser/tst ${t}/parser + cp ${B}/parser/apparmor_parser ${t}/parser + cp ${B}/parser/frob_slack_rc ${t}/parser + + install -d ${t}/libraries/libapparmor + cp -rf ${B}/libraries/libapparmor ${t}/libraries + + install -d ${t}/common + cp -rf ${B}/common ${t} + + install -d ${t}/binutils + cp -rf ${B}/binutils ${t} +} + +#Building ptest on arm fails. +do_install_ptest_aarch64 () { + : +} + +do_install_ptest_arm() { + : +} + +pkg_postinst_ontarget_${PN} () { +if [ ! -d /etc/apparmor.d/cache ] ; then + mkdir /etc/apparmor.d/cache +fi +} + +# We need the init script so don't rm it +RMINITDIR_class-target_remove = " rm_sysvinit_initddir" + +INITSCRIPT_PACKAGES = "${PN}" +INITSCRIPT_NAME = "apparmor" +INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." + +SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE_${PN} = "apparmor.service" +SYSTEMD_AUTO_ENABLE ?= "enable" + +PACKAGES += "mod-${PN}" + +FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" +FILES_mod-${PN} = "${libdir}/apache2/modules/*" + +# Add coreutils and findutils only if sysvinit scripts are in use +RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" +RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" +RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" + +PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*" diff --git a/external/meta-security/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch b/external/meta-security/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch new file mode 100644 index 00000000..9807be12 --- /dev/null +++ b/external/meta-security/recipes-mac/AppArmor/files/0001-Makefile.am-suppress-perllocal.pod.patch @@ -0,0 +1,28 @@ +From 9f9cfbf07214ac68a55372a3c2777192765cbeb9 Mon Sep 17 00:00:00 2001 +From: Naveen Saini <naveen.kumar.saini@intel.com> +Date: Fri, 20 Sep 2019 18:53:53 +0800 +Subject: [PATCH] Makefile.am: suppress perllocal.pod + +Upstream-Status: Inappropriate [OE-Specific] + +Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com> +--- + libraries/libapparmor/swig/perl/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libraries/libapparmor/swig/perl/Makefile.am b/libraries/libapparmor/swig/perl/Makefile.am +index 6ae4e30c..be00dc7f 100644 +--- a/libraries/libapparmor/swig/perl/Makefile.am ++++ b/libraries/libapparmor/swig/perl/Makefile.am +@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.pm + LibAppArmor.pm: libapparmor_wrap.c + + Makefile.perl: Makefile.PL LibAppArmor.pm +- $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ ++ $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ NO_PERLLOCAL=1 + sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl + sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl + +-- +2.17.1 + diff --git a/external/meta-security/recipes-mac/AppArmor/files/apparmor b/external/meta-security/recipes-mac/AppArmor/files/apparmor new file mode 100644 index 00000000..604e48d5 --- /dev/null +++ b/external/meta-security/recipes-mac/AppArmor/files/apparmor @@ -0,0 +1,226 @@ +#!/bin/sh +# ---------------------------------------------------------------------- +# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 +# NOVELL (All rights reserved) +# Copyright (c) 2008, 2009 Canonical, Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, contact Novell, Inc. +# ---------------------------------------------------------------------- +# Authors: +# Steve Beattie <steve.beattie@canonical.com> +# Kees Cook <kees@ubuntu.com> +# +# /etc/init.d/apparmor +# +### BEGIN INIT INFO +# Provides: apparmor +# Required-Start: $local_fs +# Required-Stop: umountfs +# Default-Start: S +# Default-Stop: +# Short-Description: AppArmor initialization +# Description: AppArmor init script. This script loads all AppArmor profiles. +### END INIT INFO + +log_daemon_msg() { + echo $* +} + +log_end_msg () { + retval=$1 + if [ $retval -eq 0 ]; then + echo "." + else + echo " failed!" + fi + return $retval +} + +. /lib/apparmor/functions + +usage() { + echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" +} + +test -x ${PARSER} || exit 0 # by debian policy +# LSM is built-in, so it is either there or not enabled for this boot +test -d /sys/module/apparmor || exit 0 + +securityfs() { + # Need securityfs for any mode + if [ ! -d "${AA_SFS}" ]; then + if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then + log_daemon_msg "AppArmor not available as kernel LSM." + log_end_msg 1 + exit 1 + else + log_daemon_msg "Mounting securityfs on ${SECURITYFS}" + if ! mount -t securityfs none "${SECURITYFS}"; then + log_end_msg 1 + exit 1 + fi + fi + fi + if [ ! -w "$AA_SFS"/.load ]; then + log_daemon_msg "Insufficient privileges to change profiles." + log_end_msg 1 + exit 1 + fi +} + +handle_system_policy_package_updates() { + apparmor_was_updated=0 + + if ! compare_previous_version ; then + # On snappy flavors, if the current and previous versions are + # different then clear the system cache. snappy will handle + # "$PROFILES_CACHE_VAR" itself (on Touch flavors + # compare_previous_version always returns '0' since snappy + # isn't available). + clear_cache_system + apparmor_was_updated=1 + elif ! compare_and_save_debsums apparmor ; then + # If the system policy has been updated since the last time we + # ran, clear the cache to prevent potentially stale binary + # cache files after an Ubuntu image based upgrade (LP: + # #1350673). This can be removed once all system image flavors + # move to snappy (on snappy systems compare_and_save_debsums + # always returns '0' since /var/lib/dpkg doesn't exist). + clear_cache + apparmor_was_updated=1 + fi + + if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then + # If packages for system policy that affect click packages have + # been updated since the last time we ran, run aa-clickhook -f + force_clickhook=0 + force_profile_hook=0 + if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then + force_clickhook=1 + fi + if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then + force_clickhook=1 + fi + if ! compare_and_save_debsums click-apparmor ; then + force_clickhook=1 + force_profile_hook=1 + fi + if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-clickhook -f + fi + if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-profile-hook -f + fi + fi +} + +# Allow "recache" even when running on the liveCD +if [ "$1" = "recache" ]; then + log_daemon_msg "Recaching AppArmor profiles" + recache_profiles + rc=$? + log_end_msg "$rc" + exit $rc +fi + +# do not perform start/stop/reload actions when running from liveCD +test -d /rofs/etc/apparmor.d && exit 0 + +rc=255 +case "$1" in + start) + if test -x /sbin/systemd-detect-virt && \ + systemd-detect-virt --quiet --container && \ + ! is_container_with_internal_policy; then + log_daemon_msg "Not starting AppArmor in container" + log_end_msg 0 + exit 0 + fi + log_daemon_msg "Starting AppArmor profiles" + securityfs + # That is only useful for click, snappy and system images, + # i.e. not in Debian. And it reads and writes to /var, that + # can be remote-mounted, so it would prevent us from using + # Before=sysinit.target without possibly introducing dependency + # loops. + handle_system_policy_package_updates + load_configured_profiles + rc=$? + log_end_msg "$rc" + ;; + stop) + log_daemon_msg "Clearing AppArmor profiles cache" + clear_cache + rc=$? + log_end_msg "$rc" + cat >&2 <<EOM +All profile caches have been cleared, but no profiles have been unloaded. +Unloading profiles will leave already running processes permanently +unconfined, which can lead to unexpected situations. + +To set a process to complain mode, use the command line tool +'aa-complain'. To really tear down all profiles, run the init script +with the 'teardown' option." +EOM + ;; + teardown) + if test -x /sbin/systemd-detect-virt && \ + systemd-detect-virt --quiet --container && \ + ! is_container_with_internal_policy; then + log_daemon_msg "Not tearing down AppArmor in container" + log_end_msg 0 + exit 0 + fi + log_daemon_msg "Unloading AppArmor profiles" + securityfs + running_profile_names | while read profile; do + if ! unload_profile "$profile" ; then + log_end_msg 1 + exit 1 + fi + done + rc=0 + log_end_msg $rc + ;; + restart|reload|force-reload) + if test -x /sbin/systemd-detect-virt && \ + systemd-detect-virt --quiet --container && \ + ! is_container_with_internal_policy; then + log_daemon_msg "Not reloading AppArmor in container" + log_end_msg 0 + exit 0 + fi + log_daemon_msg "Reloading AppArmor profiles" + securityfs + clear_cache + load_configured_profiles + rc=$? + unload_obsolete_profiles + + log_end_msg "$rc" + ;; + status) + securityfs + if [ -x /usr/sbin/aa-status ]; then + aa-status --verbose + else + cat "$AA_SFS"/profiles + fi + rc=$? + ;; + *) + usage + rc=1 + ;; + esac +exit $rc diff --git a/external/meta-security/recipes-mac/AppArmor/files/apparmor.rc b/external/meta-security/recipes-mac/AppArmor/files/apparmor.rc new file mode 100644 index 00000000..1507d7b5 --- /dev/null +++ b/external/meta-security/recipes-mac/AppArmor/files/apparmor.rc @@ -0,0 +1,98 @@ +description "Pre-cache and pre-load apparmor profiles" +author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>" + +task + +start on starting rc-sysinit + +script + [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD + [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor + [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser + + . /lib/apparmor/functions + + systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true + + # Need securityfs for any mode + if [ ! -d /sys/kernel/security/apparmor ]; then + if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then + exit 0 + else + mount -t securityfs none /sys/kernel/security || exit 0 + fi + fi + + [ -w /sys/kernel/security/apparmor/.load ] || exit 0 + + apparmor_was_updated=0 + if ! compare_previous_version ; then + # On snappy flavors, if the current and previous versions are + # different then clear the system cache. snappy will handle + # "$PROFILES_CACHE_VAR" itself (on Touch flavors + # compare_previous_version always returns '0' since snappy + # isn't available). + clear_cache_system + apparmor_was_updated=1 + elif ! compare_and_save_debsums apparmor ; then + # If the system policy has been updated since the last time we + # ran, clear the cache to prevent potentially stale binary + # cache files after an Ubuntu image based upgrade (LP: + # #1350673). This can be removed once all system image flavors + # move to snappy (on snappy systems compare_and_save_debsums + # always returns '0' since /var/lib/dpkg doesn't exist). + clear_cache + apparmor_was_updated=1 + fi + + if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then + # If packages for system policy that affect click packages have + # been updated since the last time we ran, run aa-clickhook -f + force_clickhook=0 + force_profile_hook=0 + if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then + force_clickhook=1 + fi + if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then + force_clickhook=1 + fi + if ! compare_and_save_debsums click-apparmor ; then + force_clickhook=1 + force_profile_hook=1 + fi + if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-clickhook -f + fi + if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then + aa-profile-hook -f + fi + fi + + if [ "$ACTION" = "teardown" ]; then + running_profile_names | while read profile; do + unload_profile "$profile" + done + exit 0 + fi + + if [ "$ACTION" = "clear" ]; then + clear_cache + exit 0 + fi + + if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then + clear_cache + load_configured_profiles + unload_obsolete_profiles + exit 0 + fi + + # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above, + # aa-clickhook will have already compiled the policy, generated the cache + # files and loaded them into the kernel by this point, so reloading click + # policy from cache, while fairly fast (<2 seconds for 250 profiles on + # armhf), is redundant. Fixing this would complicate the logic quite a bit + # and it wouldn't improve the (by far) common case (ie, when + # 'aa-clickhook -f' is not run). + load_configured_profiles +end script diff --git a/external/meta-security/recipes-mac/AppArmor/files/apparmor.service b/external/meta-security/recipes-mac/AppArmor/files/apparmor.service new file mode 100644 index 00000000..e66afe4e --- /dev/null +++ b/external/meta-security/recipes-mac/AppArmor/files/apparmor.service @@ -0,0 +1,22 @@ +[Unit] +Description=AppArmor initialization +After=local-fs.target +Before=sysinit.target +AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load +ConditionSecurity=apparmor +DefaultDependencies=no +Documentation=man:apparmor(7) +Documentation=http://wiki.apparmor.net/ + +# Don't start this unit on the Ubuntu Live CD +ConditionPathExists=!/rofs/etc/apparmor.d + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/etc/init.d/apparmor start +ExecStop=/etc/init.d/apparmor stop +ExecReload=/etc/init.d/apparmor reload + +[Install] +WantedBy=sysinit.target diff --git a/external/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch b/external/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch new file mode 100644 index 00000000..ef55de71 --- /dev/null +++ b/external/meta-security/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch @@ -0,0 +1,25 @@ +Upstream-Status: Inappropriate [configuration] + +As we're cross-compiling here we need to override CC/LD that MakeMaker has +stuck in the generated Makefile with our cross tools. In this case, linking is +done via the compiler rather than the linker directly so pass in CC not LD +here. + +Signed-Off-By: Tom Rini <trini@konsulko.com> + +--- a/libraries/libapparmor/swig/perl/Makefile.am.orig 2017-06-13 19:04:43.296676212 -0400 ++++ b/libraries/libapparmor/swig/perl/Makefile.am 2017-06-13 19:05:03.488676693 -0400 +@@ -16,11 +16,11 @@ + + LibAppArmor.so: libapparmor_wrap.c Makefile.perl + if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi +- $(MAKE) -fMakefile.perl ++ $(MAKE) -fMakefile.perl CC='$(CC)' LD='$(CC)' + if test $(top_srcdir) != $(top_builddir) ; then rm -f libapparmor_wrap.c ; fi + + install-exec-local: Makefile.perl +- $(MAKE) -fMakefile.perl install_vendor ++ $(MAKE) -fMakefile.perl install_vendor CC='$(CC)' LD='$(CC)' + + # sadly there is no make uninstall for perl + #uninstall-local: Makefile.perl diff --git a/external/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch b/external/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch new file mode 100644 index 00000000..c6b4bddc --- /dev/null +++ b/external/meta-security/recipes-mac/AppArmor/files/disable_pdf.patch @@ -0,0 +1,33 @@ +Index: apparmor-2.10.95/parser/Makefile +=================================================================== +--- apparmor-2.10.95.orig/parser/Makefile ++++ apparmor-2.10.95/parser/Makefile +@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT + po/${NAME}.pot: ${SRCS} ${HDRS} + $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}" + +-techdoc.pdf: techdoc.tex +- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\ +- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \ +- grep -q "Label(s) may have changed" techdoc.log; \ +- do :; done +- +-techdoc/index.html: techdoc.pdf +- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT} +- +-techdoc.txt: techdoc/index.html +- w3m -dump $< > $@ + + # targets arranged this way so that people who don't want full docs can + # pick specific targets they want. +@@ -159,9 +148,7 @@ manpages: $(MANPAGES) + + htmlmanpages: $(HTMLMANPAGES) + +-pdf: techdoc.pdf +- +-docs: manpages htmlmanpages pdf ++docs: manpages htmlmanpages + + indep: docs + $(Q)$(MAKE) -C po all diff --git a/external/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch b/external/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch new file mode 100644 index 00000000..cf2640fc --- /dev/null +++ b/external/meta-security/recipes-mac/AppArmor/files/disable_perl_h_check.patch @@ -0,0 +1,19 @@ +Upstream-Status: Inappropriate [configuration] + +Remove file check for $perl_includedir/perl.h. AC_CHECK_FILE will fail on +cross compilation. Rather than try and get a compile check to work here, +we know that we have what's required via our metadata so remove only this +check. + +Signed-Off-By: Tom Rini <trini@konsulko.com> + +--- a/libraries/libapparmor/configure.ac.orig 2017-06-13 16:41:38.668471495 -0400 ++++ b/libraries/libapparmor/configure.ac 2017-06-13 16:41:40.708471543 -0400 +@@ -58,7 +58,6 @@ + AC_PATH_PROG(PERL, perl) + test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings]) + perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE" +- AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no) + fi + + diff --git a/external/meta-security/recipes-mac/AppArmor/files/functions b/external/meta-security/recipes-mac/AppArmor/files/functions new file mode 100644 index 00000000..cef8cfe7 --- /dev/null +++ b/external/meta-security/recipes-mac/AppArmor/files/functions @@ -0,0 +1,271 @@ +# /lib/apparmor/functions for Debian -*- shell-script -*- +# ---------------------------------------------------------------------- +# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 +# NOVELL (All rights reserved) +# Copyright (c) 2008-2010 Canonical, Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, contact Novell, Inc. +# ---------------------------------------------------------------------- +# Authors: +# Kees Cook <kees@ubuntu.com> + +PROFILES="/etc/apparmor.d" +PROFILES_CACHE="$PROFILES/cache" +PROFILES_VAR="/var/lib/apparmor/profiles" +PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles" +PROFILES_CACHE_VAR="/var/cache/apparmor" +PARSER="/sbin/apparmor_parser" +SECURITYFS="/sys/kernel/security" +export AA_SFS="$SECURITYFS/apparmor" + +# Suppress warnings when booting in quiet mode +quiet_arg="" +[ "${QUIET:-no}" = yes ] && quiet_arg="-q" +[ "${quiet:-n}" = y ] && quiet_arg="-q" + +foreach_configured_profile() { + rc_all="0" + for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do + if [ ! -d "$pdir" ]; then + continue + fi + num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l` + if [ "$num" = "0" ]; then + continue + fi + + cache_dir="$PROFILES_CACHE" + if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then + cache_dir="$PROFILES_CACHE_VAR" + fi + cache_args="--cache-loc=$cache_dir" + if [ ! -d "$cache_dir" ]; then + cache_args= + fi + + # LP: #1383858 - expr tree simplification is too slow for + # Touch policy on ARM, so disable it for now + cache_extra_args= + if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then + cache_extra_args="-O no-expr-simplify" + fi + + # If need to compile everything, then use -n1 with xargs to + # take advantage of -P. When cache files are in use, omit -n1 + # since it is considerably faster on moderately sized profile + # sets to give the parser all the profiles to load at once + n1_args= + num=`find "$cache_dir" -type f ! -name '.features' | wc -l` + if [ "$num" = "0" ]; then + n1_args="-n1" + fi + + (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ + while read profile; do + if [ -f "$pdir"/"$profile" ]; then + echo "$pdir"/"$profile" + fi + done) | \ + xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { + rc_all="$?" + # FIXME: when the parser properly handles broken + # profiles (LP: #1377338), remove this if statement. + # For now, if the xargs returns with error, just run + # through everything with -n1. (This could be broken + # out and refactored, but this is temporary so make it + # easy to understand and revert) + if [ "$rc_all" != "0" ]; then + (ls -1 "$pdir" | \ + egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ + while read profile; do + if [ -f "$pdir"/"$profile" ]; then + echo "$pdir"/"$profile" + fi + done) | \ + xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { + rc_all="$?" + } + fi + } + done + return $rc_all +} + +load_configured_profiles() { + clear_cache_if_outdated + foreach_configured_profile $quiet_arg --write-cache --replace +} + +load_configured_profiles_without_caching() { + foreach_configured_profile $quiet_arg --replace +} + +recache_profiles() { + clear_cache + foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load +} + +configured_profile_names() { + foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//' +} + +running_profile_names() { + # Output a sorted list of loaded profiles, skipping libvirt's + # dynamically generated files + cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//' +} + +unload_profile() { + echo -n "$1" > "$AA_SFS"/.remove +} + +clear_cache() { + clear_cache_system + clear_cache_var +} + +clear_cache_system() { + find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- +} + +clear_cache_var() { + find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- +} + +read_features_dir() +{ + for f in `ls -AU "$1"` ; do + if [ -f "$1/$f" ] ; then + read -r KF < "$1/$f" || true + echo -n "$f {$KF } " + elif [ -d "$1/$f" ] ; then + echo -n "$f {" + KF=`read_features_dir "$1/$f"` || true + echo -n "$KF} " + fi + done +} + +clear_cache_if_outdated() { + if [ -r "$PROFILES_CACHE"/.features ]; then + if [ -d "$AA_SFS"/features ]; then + KERN_FEATURES=`read_features_dir "$AA_SFS"/features` + else + read -r KERN_FEATURES < "$AA_SFS"/features + fi + CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features` + if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then + clear_cache + fi + fi +} + +unload_obsolete_profiles() { + # Currently we must re-parse all the profiles to get policy names. :( + aa_configured=$(mktemp -t aa-XXXXXX) + configured_profile_names > "$aa_configured" || true + aa_loaded=$(mktemp -t aa-XXXXXX) + running_profile_names > "$aa_loaded" || true + LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do + unload_profile "$profile" + done + rm -f "$aa_configured" "$aa_loaded" +} + +# If the system debsum differs from the saved debsum, the new system debsum is +# saved and non-zero is returned. Returns 0 if the two debsums matched or if +# the system debsum file does not exist. This can be removed when system image +# flavors all move to snappy. +compare_and_save_debsums() { + pkg="$1" + + if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then + sums="/var/lib/dpkg/info/${pkg}.md5sums" + # store saved md5sums in /var/lib/apparmor/profiles since + # /var/cache/apparmor might be cleared by apparmor + saved_sums="${PROFILES_VAR}/.${pkg}.md5sums" + + if [ -f "$sums" ] && \ + ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then + cp -f "$sums" "$saved_sums" + return 1 + fi + fi + + return 0 +} + +compare_previous_version() { + installed="/usr/share/snappy/security-policy-version" + previous="/var/lib/snappy/security-policy-version" + + # When just $previous doesn't exist, assume this is a new system with + # no cache and don't do anything special. + if [ -f "$installed" ] && [ -f "$previous" ]; then + pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2` + iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2` + if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then + # snappy updates $previous elsewhere, so just return + return 1 + fi + fi + + return 0 +} + +# Checks to see if the current container is capable of having internal AppArmor +# profiles that should be loaded. Callers of this function should have already +# verified that they're running inside of a container environment with +# something like `systemd-detect-virt --container`. +# +# The only known container environments capable of supporting internal policy +# are LXD and LXC environment. +# +# Returns 0 if the container environment is capable of having its own internal +# policy and non-zero otherwise. +# +# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC +# system container technology being nested inside of a LXD/LXC container that +# utilized an AppArmor namespace and profile stacking. The reason 0 will be +# returned is because .ns_stacked will be "yes" and .ns_name will still match +# "lx[dc]-*" since the nested system container technology will not have set up +# a new AppArmor profile namespace. This will result in the nested system +# container's boot process to experience failed policy loads but the boot +# process should continue without any loss of functionality. This is an +# unsupported configuration that cannot be properly handled by this function. +is_container_with_internal_policy() { + local ns_stacked_path="${AA_SFS}/.ns_stacked" + local ns_name_path="${AA_SFS}/.ns_name" + local ns_stacked + local ns_name + + if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then + return 1 + fi + + read -r ns_stacked < "$ns_stacked_path" + if [ "$ns_stacked" != "yes" ]; then + return 1 + fi + + # LXD and LXC set up AppArmor namespaces starting with "lxd-" and + # "lxc-", respectively. Return non-zero for all other namespace + # identifiers. + read -r ns_name < "$ns_name_path" + if [ "${ns_name#lxd-*}" = "$ns_name" ] && \ + [ "${ns_name#lxc-*}" = "$ns_name" ]; then + return 1 + fi + + return 0 +} diff --git a/external/meta-security/recipes-mac/AppArmor/files/run-ptest b/external/meta-security/recipes-mac/AppArmor/files/run-ptest new file mode 100644 index 00000000..3b8e427e --- /dev/null +++ b/external/meta-security/recipes-mac/AppArmor/files/run-ptest @@ -0,0 +1,4 @@ +#! /bin/sh +cd testsuite + +make -C tests/regression/apparmor tests diff --git a/external/meta-security/recipes-mac/ccs-tools/README b/external/meta-security/recipes-mac/ccs-tools/README new file mode 100644 index 00000000..4a4faa71 --- /dev/null +++ b/external/meta-security/recipes-mac/ccs-tools/README @@ -0,0 +1,12 @@ +Documentation: +http://tomoyo.sourceforge.jp/1.8/index.html.en + + +To start via command line add: + +" security=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd" + +To initialize: +/usr/lib/ccs/init_policy + +DISTRO_FEATURES_append = " tomoyo" diff --git a/external/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb b/external/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb new file mode 100644 index 00000000..79af6a5d --- /dev/null +++ b/external/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb @@ -0,0 +1,50 @@ +SUMMARY = "Tomoyo" +DESCRIPTION = "TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. \nTo start via command line add: \nsecurity=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd \nTo initialize: \n/usr/lib/ccs/init_policy" + +SECTION = "security" +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://COPYING.ccs;md5=751419260aa954499f7abaabaa882bbe" + +DEPENDS = "ncurses" + +DS = "20150505" +SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz" + +SRC_URI[md5sum] = "eeee8eb96a7680bfa9c8f6de55502c44" +SRC_URI[sha256sum] = "c358b80a2ea77a9dda79dc2a056dae3acaf3a72fcb8481cfb1cd1f16746324b4" + +S = "${WORKDIR}/${BPN}" + +inherit features_check + +do_make(){ + oe_runmake USRLIBDIR=${libdir} all + cd ${S}/kernel_test + oe_runmake all +} + +do_install(){ + oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} install +} + +PACKAGE="${PN} ${PN}-dbg ${PN}-doc" + +FILES_${PN} = "\ + ${sbindir}/* \ + ${base_sbindir}/* \ + ${libdir}/* \ +" + +FILES_${PN}-doc = "\ + ${mandir}/man8/* \ +" + +FILES_${PN}-dbg = "\ + ${base_sbindir}/.debug/* \ + ${sbindir}/.debug/* \ + ${libdir}/.debug/* \ + ${libdir}/ccs/.debug/* \ + /usr/src/debug/* \ +" + +REQUIRED_DISTRO_FEATURES ?=" tomoyo" diff --git a/external/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c b/external/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c new file mode 100644 index 00000000..f358d27b --- /dev/null +++ b/external/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c @@ -0,0 +1,7 @@ +#include <stdio.h> + +int main(int argc, char **argv) +{ + printf("Original test program removed while investigating its license.\n"); + return 1; +} diff --git a/external/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb b/external/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb new file mode 100644 index 00000000..9d11509d --- /dev/null +++ b/external/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb @@ -0,0 +1,16 @@ +SUMMARY = "Mmap binary used to test smack mmap attribute" +DESCRIPTION = "Mmap binary used to test smack mmap attribute" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://mmap.c" + +S = "${WORKDIR}" +do_compile() { + ${CC} mmap.c ${LDFLAGS} -o mmap_test +} + +do_install() { + install -d ${D}${bindir} + install -m 0755 mmap_test ${D}${bindir} +} diff --git a/external/meta-security/recipes-mac/smack/smack-test/notroot.py b/external/meta-security/recipes-mac/smack/smack-test/notroot.py new file mode 100644 index 00000000..f0eb0b5b --- /dev/null +++ b/external/meta-security/recipes-mac/smack/smack-test/notroot.py @@ -0,0 +1,33 @@ +#!/usr/bin/env python +# +# Script used for running executables with custom labels, as well as custom uid/gid +# Process label is changed by writing to /proc/self/attr/curent +# +# Script expects user id and group id to exist, and be the same. +# +# From adduser manual: +# """By default, each user in Debian GNU/Linux is given a corresponding group +# with the same name. """ +# +# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..] +# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 +# +# Author: Alexandru Cornea <alexandru.cornea@intel.com> +import os +import sys + +try: + uid = int(sys.argv[1]) + sys.argv.pop(1) + label = sys.argv[1] + sys.argv.pop(1) + open("/proc/self/attr/current", "w").write(label) + path=sys.argv[1] + sys.argv.pop(0) + os.setgid(uid) + os.setuid(uid) + os.execv(path,sys.argv) + +except Exception,e: + print e.message + sys.exit(1) diff --git a/external/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh b/external/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh new file mode 100644 index 00000000..5a0ce84f --- /dev/null +++ b/external/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh @@ -0,0 +1,54 @@ +#!/bin/sh + +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` +RC=0 +TMP="/tmp" +test_file=$TMP/smack_test_access_file +CAT=`which cat` +ECHO=`which echo` +uid=1000 +initial_label=`cat /proc/self/attr/current` +python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file +chsmack -a "TheOther" $test_file + +# 12345678901234567890123456789012345678901234567890123456 +delrule="TheOne TheOther -----" +rule_ro="TheOne TheOther r----" + +# Remove pre-existent rules for "TheOne TheOther <access>" +echo -n "$delrule" > $SMACK_PATH/load +python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? +if [ $RC -ne 0 ]; then + echo "Process with different label than the test file and no read access on it can read it" + exit $RC +fi + +# adding read access +echo -n "$rule_ro" > $SMACK_PATH/load +python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +if [ $RC -ne 0 ]; then + echo "Process with different label than the test file but with read access on it cannot read it" + exit $RC +fi + +# Remove pre-existent rules for "TheOne TheOther <access>" +echo -n "$delrule" > $SMACK_PATH/load +# changing label of test file to * +# according to SMACK documentation, read access on a * object is always permitted +chsmack -a '*' $test_file +python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +if [ $RC -ne 0 ]; then + echo "Process cannot read file with * label" + exit $RC +fi + +# changing subject label to * +# according to SMACK documentation, every access requested by a star labeled subject is rejected +TOUCH=`which touch` +python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 +ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$? +if [ $RC -ne 0 ];then + echo "Process with label '*' should not have any access" + exit $RC +fi +exit 0 diff --git a/external/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh b/external/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh new file mode 100644 index 00000000..26d9e9d2 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh @@ -0,0 +1,18 @@ +#!/bin/sh + +initial_label=`cat /proc/self/attr/current 2>/dev/null` +modified_label="test_label" + +echo "$modified_label" >/proc/self/attr/current 2>/dev/null + +new_label=`cat /proc/self/attr/current 2>/dev/null` + +if [ "$new_label" != "$modified_label" ]; then + # restore proper label + echo $initial_label >/proc/self/attr/current + echo "Privileged process could not change its label" + exit 1 +fi + +echo "$initial_label" >/proc/self/attr/current 2>/dev/null +exit 0
\ No newline at end of file diff --git a/external/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh b/external/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh new file mode 100644 index 00000000..1c4a93ab --- /dev/null +++ b/external/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh @@ -0,0 +1,27 @@ +#!/bin/sh +RC=0 +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'` +test_label="test_label" +onlycap_initial=`cat $SMACK_PATH/onlycap` +smack_initial=`cat /proc/self/attr/current` + +# need to set out label to be the same as onlycap, otherwise we lose our smack privileges +# even if we are root +echo "$test_label" > /proc/self/attr/current + +echo "$test_label" > $SMACK_PATH/onlycap || RC=$? +if [ $RC -ne 0 ]; then + echo "Onlycap label could not be set" + return $RC +fi + +if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then + echo "Onlycap label was not set correctly." + return 1 +fi + +# resetting original onlycap label +echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null + +# resetting our initial's process label +echo "$smack_initial" > /proc/self/attr/current diff --git a/external/meta-security/recipes-mac/smack/smack-test_1.0.bb b/external/meta-security/recipes-mac/smack/smack-test_1.0.bb new file mode 100644 index 00000000..d5de6076 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/smack-test_1.0.bb @@ -0,0 +1,25 @@ +SUMMARY = "Smack test scripts" +DESCRIPTION = "Smack scripts" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = " \ + file://notroot.py \ + file://smack_test_file_access.sh \ + file://test_privileged_change_self_label.sh \ + file://test_smack_onlycap.sh \ +" + +S = "${WORKDIR}" + +inherit features_check + +REQUIRED_DISTRO_FEATURES = "smack" + +do_install() { + install -d ${D}${sbindir} + install -m 0755 notroot.py ${D}${sbindir} + install -m 0755 *.sh ${D}${sbindir} +} + +RDEPENDS_${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test" diff --git a/external/meta-security/recipes-mac/smack/smack/run-ptest b/external/meta-security/recipes-mac/smack/smack/run-ptest new file mode 100644 index 00000000..049a9b47 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/smack/run-ptest @@ -0,0 +1,3 @@ +#!/bin/sh +./tests/make_policies.bash ./tests/generator +./tests/make_policies.bash ./tests/generator labels diff --git a/external/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch b/external/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch new file mode 100644 index 00000000..4d677e75 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch @@ -0,0 +1,18 @@ +Upstream-Status: Pending + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + + +Index: git/tests/Makefile +=================================================================== +--- git.orig/tests/Makefile ++++ git/tests/Makefile +@@ -4,7 +4,7 @@ clean: + rm -rf ./out ./generator + + generator: generator.c +- gcc -Wall -O3 generator.c -o ./generator ++ ${CC} ${LDFLAGS} generator.c -o ./generator + + policies: ./generator ./make_policies.bash + ./make_policies.bash ./generator diff --git a/external/meta-security/recipes-mac/smack/smack_1.3.1.bb b/external/meta-security/recipes-mac/smack/smack_1.3.1.bb new file mode 100644 index 00000000..b1ea4e9f --- /dev/null +++ b/external/meta-security/recipes-mac/smack/smack_1.3.1.bb @@ -0,0 +1,59 @@ +DESCRIPTION = "Selection of tools for developers working with Smack" +HOMEPAGE = "https://github.com/smack-team/smack" +SECTION = "Security/Access Control" +LICENSE = "LGPL-2.1" + +LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" + +SRCREV = "4a102c7584b39ce693995ffb65e0918a9df98dd8" +SRC_URI = " \ + git://github.com/smack-team/smack.git \ + file://smack_generator_make_fixup.patch \ + file://run-ptest" + +PV = "1.3.1" + +inherit autotools update-rc.d pkgconfig ptest +inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} +inherit features_check + +REQUIRED_DISTRO_FEATURES = "smack" + + +S = "${WORKDIR}/git" + +PACKAGECONFIG ??= "" +PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" + +PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --without-systemdsystemunitdir, systemd" + +do_compile_append () { + oe_runmake -C ${S}/tests generator +} + +do_install_append () { + install -d ${D}${sysconfdir}/init.d + install -d ${D}${sysconfdir}/smack + install -d ${D}${sysconfdir}/smack/accesses.d + install -d ${D}${sysconfdir}/smack/cipso.d + install ${S}/init/smack.rc ${D}/${sysconfdir}/init.d/smack +} + +do_install_ptest () { + install -d ${D}${PTEST_PATH}/tests + install ${S}/tests/generator ${D}/${PTEST_PATH}/tests + install ${S}/tests/generate-rules.sh ${D}${PTEST_PATH}/tests + install ${S}/tests/make_policies.bash ${D}${PTEST_PATH}/tests +} + +INITSCRIPT_PACKAGES = "${PN}" +INITSCRIPT_NAME = "smack" +INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." + +FILES_${PN} += "${sysconfdir}/init.d/smack" +FILES_${PN}-ptest += "generator" + +RDEPENDS_${PN} += "coreutils python3-core" +RDEPENDS_${PN}-ptest += "make bash bc" + +BBCLASSEXTEND = "native" diff --git a/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c b/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c new file mode 100644 index 00000000..185f9738 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c @@ -0,0 +1,111 @@ +// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <string.h>
+#include <sys/xattr.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ char message[255] = "hello";
+ struct sockaddr_in server_addr;
+ char* label_in;
+ char* label_out;
+ char* attr_out = "security.SMACK64IPOUT";
+ char* attr_in = "security.SMACK64IPIN";
+ char out[256];
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ struct hostent* host = gethostbyname("localhost");
+
+ if (argc != 4)
+ {
+ perror("Client: Arguments missing, please provide socket labels");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ label_out = argv[3];
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPOUT");
+ return 2;
+ }
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPIN");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Client: Set timeout failed\n");
+ return 2;
+ }
+
+ if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
+ {
+ perror("Client: Connection failure");
+ close(sock);
+ return 1;
+ }
+
+
+ if(write(sock, message, strlen(message)) < 0)
+ {
+ perror("Client: Error sending data\n");
+ close(sock);
+ return 1;
+ }
+ close(sock);
+ return 0;
+}
+
+
+
+
+
+
diff --git a/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c b/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c new file mode 100644 index 00000000..9285dc69 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c @@ -0,0 +1,118 @@ +// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ int clientsock;
+ char message[255];
+ socklen_t client_length;
+ struct sockaddr_in server_addr, client_addr;
+ char* label_in;
+ char* attr_in = "security.SMACK64IPIN";
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ if (argc != 3)
+ {
+ perror("Server: Argument missing please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ bzero(message,255);
+
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Server: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
+ {
+ perror("Server: Unable to set attribute ipin 2");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure ");
+ return 2;
+ }
+
+ listen(sock, 1);
+ client_length = sizeof(client_addr);
+
+ clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
+
+ if (clientsock < 0)
+ {
+ perror("Server: Connection failed");
+ close(sock);
+ return 1;
+ }
+
+
+ if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
+ {
+ perror(" Server: Unable to set attribute ipin 2");
+ close(sock);
+ return 2;
+ }
+
+ if(read(clientsock, message, 254) < 0)
+ {
+ perror("Server: Error when reading from socket");
+ close(clientsock);
+ close(sock);
+ return 1;
+ }
+
+
+ close(clientsock);
+ close(sock);
+
+ return 0;
+}
diff --git a/external/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh b/external/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh new file mode 100644 index 00000000..ed18f237 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh @@ -0,0 +1,108 @@ +#!/bin/sh +RC=0 +test_file=/tmp/smack_socket_tcp +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` +# make sure no access is granted +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 -----" > $SMACK_PATH/load + +tcp_server=`which tcp_server` +if [ -z $tcp_server ]; then + if [ -f "/tmp/tcp_server" ]; then + tcp_server="/tmp/tcp_server" + else + echo "tcp_server binary not found" + exit 1 + fi +fi +tcp_client=`which tcp_client` +if [ -z $tcp_client ]; then + if [ -f "/tmp/tcp_client" ]; then + tcp_client="/tmp/tcp_client" + else + echo "tcp_client binary not found" + exit 1 + fi +fi + +# checking access for sockets with different labels +$tcp_server 50016 label1 &>/dev/null & +server_pid=$! +sleep 2 +$tcp_client 50016 label2 label1 &>/dev/null & +client_pid=$! + +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? + +if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then + echo "Sockets with different labels should not communicate on tcp" + exit 1 +fi + +# granting access between different labels +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 rw---" > $SMACK_PATH/load +# checking access for sockets with different labels, but having a rule granting rw +$tcp_server 50017 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50017 label2 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with different labels, but having rw access, should communicate on tcp" + exit 1 +fi + +# checking access for sockets with the same label +$tcp_server 50018 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50018 label1 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with same labels should communicate on tcp" + exit 1 +fi + +# checking access on socket labeled star (*) +# should always be permitted +$tcp_server 50019 \* 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50019 label1 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Should have access on tcp socket labeled star (*)" + exit 1 +fi + +# checking access from socket labeled star (*) +# all access from subject star should be denied +$tcp_server 50020 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50020 label1 \* 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then + echo "Socket labeled star should not have access to any tcp socket" + exit 1 +fi diff --git a/external/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb b/external/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb new file mode 100644 index 00000000..d2b3f6b3 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb @@ -0,0 +1,24 @@ +SUMMARY = "Binary used to test smack tcp sockets" +DESCRIPTION = "Server and client binaries used to test smack attributes on TCP sockets" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://tcp_server.c \ + file://tcp_client.c \ + file://test_smack_tcp_sockets.sh \ +" + +S = "${WORKDIR}" + +do_compile() { + ${CC} tcp_client.c ${LDFLAGS} -o tcp_client + ${CC} tcp_server.c ${LDFLAGS} -o tcp_server +} + +do_install() { + install -d ${D}${bindir} + install -d ${D}${sbindir} + install -m 0755 tcp_server ${D}${bindir} + install -m 0755 tcp_client ${D}${bindir} + install -m 0755 test_smack_tcp_sockets.sh ${D}${sbindir} +} diff --git a/external/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh b/external/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh new file mode 100644 index 00000000..419ab9f9 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh @@ -0,0 +1,107 @@ +#!/bin/sh +RC=0 +test_file="/tmp/smack_socket_udp" +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` + +udp_server=`which udp_server` +if [ -z $udp_server ]; then + if [ -f "/tmp/udp_server" ]; then + udp_server="/tmp/udp_server" + else + echo "udp_server binary not found" + exit 1 + fi +fi +udp_client=`which udp_client` +if [ -z $udp_client ]; then + if [ -f "/tmp/udp_client" ]; then + udp_client="/tmp/udp_client" + else + echo "udp_client binary not found" + exit 1 + fi +fi + +# make sure no access is granted +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 -----" > $SMACK_PATH/load + +# checking access for sockets with different labels +$udp_server 50021 label2 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50021 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 ]; then + echo "Sockets with different labels should not communicate on udp" + exit 1 +fi + +# granting access between different labels +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 rw---" > $SMACK_PATH/load +# checking access for sockets with different labels, but having a rule granting rw +$udp_server 50022 label2 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50022 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with different labels, but having rw access, should communicate on udp" + exit 1 +fi + +# checking access for sockets with the same label +$udp_server 50023 label1 & +server_pid=$! +sleep 1 +$udp_client 50023 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with same labels should communicate on udp" + exit 1 +fi + +# checking access on socket labeled star (*) +# should always be permitted +$udp_server 50024 \* 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50024 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Should have access on udp socket labeled star (*)" + exit 1 +fi + +# checking access from socket labeled star (*) +# all access from subject star should be denied +$udp_server 50025 label1 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50025 \* 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 ]; then + echo "Socket labeled star should not have access to any udp socket" + exit 1 +fi diff --git a/external/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c b/external/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c new file mode 100644 index 00000000..4d3afbe6 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c @@ -0,0 +1,75 @@ +// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ char* message = "hello";
+ int sock, ret;
+ struct sockaddr_in server_addr;
+ struct hostent* host = gethostbyname("localhost");
+ char* label;
+ char* attr = "security.SMACK64IPOUT";
+ int port;
+ if (argc != 3)
+ {
+ perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+ sock = socket(AF_INET, SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
+ {
+ perror("Client: Unable to set attribute ");
+ return 2;
+ }
+
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
+ sizeof(struct sockaddr_in));
+
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Client: Error sending message\n");
+ return 1;
+ }
+
+ return 0;
+}
+
diff --git a/external/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c b/external/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c new file mode 100644 index 00000000..cbab71e6 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c @@ -0,0 +1,93 @@ +// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ int sock,ret;
+ struct sockaddr_in server_addr, client_addr;
+ socklen_t len;
+ char message[5];
+ char* label;
+ char* attr = "security.SMACK64IPIN";
+ int port;
+
+ if(argc != 3)
+ {
+ perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ sock = socket(AF_INET,SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Server: Socket error");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
+ {
+ perror("Server: Unable to set attribute ");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure");
+ return 2;
+ }
+
+ len = sizeof(client_addr);
+ ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
+ &len);
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Server: Error receiving");
+ return 1;
+
+ }
+ return 0;
+}
+
diff --git a/external/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb b/external/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb new file mode 100644 index 00000000..9193f898 --- /dev/null +++ b/external/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb @@ -0,0 +1,23 @@ +SUMMARY = "Binary used to test smack udp sockets" +DESCRIPTION = "Server and client binaries used to test smack attributes on UDP sockets" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://udp_server.c \ + file://udp_client.c \ + file://test_smack_udp_sockets.sh \ +" + +S = "${WORKDIR}" +do_compile() { + ${CC} udp_client.c ${LDFLAGS} -o udp_client + ${CC} udp_server.c ${LDFLAGS} -o udp_server +} + +do_install() { + install -d ${D}${bindir} + install -d ${D}${sbindir} + install -m 0755 udp_server ${D}${bindir} + install -m 0755 udp_client ${D}${bindir} + install -m 0755 test_smack_udp_sockets.sh ${D}${sbindir} +} |