Diffstat (limited to 'meta-agl/meta-security')
-rw-r--r--meta-agl/meta-security/recipes-core/coreutils/coreutils_%.bbappend8
-rw-r--r--meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch2
-rw-r--r--meta-agl/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb2
-rw-r--r--meta-agl/meta-security/recipes-kernel/linux/linux/smack.cfg1
-rw-r--r--meta-agl/meta-security/recipes-security/cynagoauth/cynagoauth_0.1.bb23
-rw-r--r--meta-agl/meta-security/recipes-security/cynagora/cynagora-cynara-compat_2.0.bb30
-rwxr-xr-xmeta-agl/meta-security/recipes-security/cynagora/cynagora/run-ptest4
-rw-r--r--meta-agl/meta-security/recipes-security/cynagora/cynagora_2.0.bb38
-rw-r--r--meta-agl/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch57
-rw-r--r--meta-agl/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch35
-rw-r--r--meta-agl/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch36
-rw-r--r--meta-agl/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch43
-rw-r--r--meta-agl/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch42
-rw-r--r--meta-agl/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch237
-rw-r--r--meta-agl/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch78
-rw-r--r--meta-agl/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch29
-rwxr-xr-xmeta-agl/meta-security/recipes-security/cynara/cynara/run-ptest4
-rw-r--r--meta-agl/meta-security/recipes-security/cynara/cynara_0.14.10.bb157
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager.inc53
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch (renamed from meta-agl/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch)8
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch (renamed from meta-agl/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch)9
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch (renamed from meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch)27
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch (renamed from meta-agl/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch)6
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch (renamed from meta-agl/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch)6
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch (renamed from meta-agl/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch)10
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch (renamed from meta-agl/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch)16
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch38
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch40
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch51
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch (renamed from meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch)6
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch (renamed from meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch)37
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch (renamed from meta-agl/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch)123
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch78
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch34
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch24
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch32
-rw-r--r--meta-agl/meta-security/recipes-security/security-manager/security-manager_git.bb41
37 files changed, 533 insertions, 932 deletions
diff --git a/meta-agl/meta-security/recipes-core/coreutils/coreutils_%.bbappend b/meta-agl/meta-security/recipes-core/coreutils/coreutils_%.bbappend
index ceaf6a29..1b9b722e 100644
--- a/meta-agl/meta-security/recipes-core/coreutils/coreutils_%.bbappend
+++ b/meta-agl/meta-security/recipes-core/coreutils/coreutils_%.bbappend
@@ -1,7 +1,7 @@
# Smack patches are included in coreutils v8.22, we just need to enable them.
# The default is not deterministic (enabled if libsmack found), so disable
# explicitly otherwise.
-EXTRA_OECONF_SMACK = "--disable-libsmack"
-EXTRA_OECONF_SMACK_with-lsm-smack = "--enable-libsmack"
-EXTRA_OECONF_append = " ${EXTRA_OECONF_SMACK}"
-DEPENDS_append_with-lsm-smack = " smack"
+EXTRA_OECONF_SMACK_class-target = "--disable-libsmack"
+EXTRA_OECONF_SMACK_with-lsm-smack_class-target = "--enable-libsmack"
+EXTRA_OECONF_append_class-target = " ${EXTRA_OECONF_SMACK}"
+DEPENDS_append_with-lsm-smack_class-target = " smack"
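Review bot: With all four assignments now scoped to `class-target`, any native or nativesdk build of coreutils no longer receives `--disable-libsmack`. For those classes configure goes back to the autodetection that the comment at the top of this file calls non-deterministic (enabled if libsmack is found on the build host). If the aim is only to keep `smack` out of the native dependency chain, keep the explicit disable for the other classes, e.g. `EXTRA_OECONF_append_class-native = " --disable-libsmack"` and the same for `class-nativesdk`. The header comment should also say that the Smack switch is deliberately target-only.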
diff --git a/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch
index 3dbfa8a8..69d13ac3 100644
--- a/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch
+++ b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch
@@ -1197,7 +1197,7 @@ index 0000000..57a4c45
+
+#define USE_CYNARA_CACHE 1
+#ifdef USE_CYNARA_CACHE
-+#define CYNARA_CACHE_SIZE 1000
++#define CYNARA_CACHE_SIZE 7000
+#endif
+
+static dbus_bool_t bus_cynara_watch_callback(DBusWatch *watch,
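Review bot: `CYNARA_CACHE_SIZE` goes from 1000 to 7000 with nothing next to the define saying how the figure was chosen or what it costs in memory per bus daemon. This is a cache of access-control decisions, so the sizing assumption should be written down where the next maintainer will see it, e.g. `/* number of cached check results; raised from 1000 because <reason> */` above the define inside the embedded patch. The hunk ends on the first line of `bus_cynara_watch_callback`, whose body is outside the hunk, so how the cache is used cannot be checked from here.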
diff --git a/meta-agl/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb b/meta-agl/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb
index 6dd575df..bc708600 100644
--- a/meta-agl/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb
+++ b/meta-agl/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb
@@ -15,7 +15,7 @@ inherit packagegroup
# the policy packaged from the upstream source code here. Adapting
# it for the distro can be done by patching that source.
RDEPENDS_${PN}_append_with-lsm-smack = " \
- cynara \
+ cynagora \
security-manager \
security-manager-policy \
smacknet \
diff --git a/meta-agl/meta-security/recipes-kernel/linux/linux/smack.cfg b/meta-agl/meta-security/recipes-kernel/linux/linux/smack.cfg
index 62f465a4..45a92f14 100644
--- a/meta-agl/meta-security/recipes-kernel/linux/linux/smack.cfg
+++ b/meta-agl/meta-security/recipes-kernel/linux/linux/smack.cfg
@@ -5,4 +5,5 @@ CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITY_SMACK=y
+CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
CONFIG_TMPFS_XATTR=y
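Review bot: `CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y` changes which Smack access mode signal delivery is checked against, from write to append. Any rule set that relied on `w` alone to allow signalling between labels will behave differently after this fragment is applied. The fragment has no comment recording that, and the policy templates shipped by security-manager are not visible here to confirm that they grant `a` where signals are expected. I would add a line such as `# Signals are checked as append ('a') instead of write ('w'); Smack rules must grant 'a' where signalling is intended` above the option.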
diff --git a/meta-agl/meta-security/recipes-security/cynagoauth/cynagoauth_0.1.bb b/meta-agl/meta-security/recipes-security/cynagoauth/cynagoauth_0.1.bb
new file mode 100644
index 00000000..c77c9918
--- /dev/null
+++ b/meta-agl/meta-security/recipes-security/cynagoauth/cynagoauth_0.1.bb
@@ -0,0 +1,23 @@
+DESCRIPTION = "OAuth server using cynagora backend"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagoauth.git;protocol=https;branch=${AGL_BRANCH}"
+SRCREV = "26a5dbddf3a9bfde481a6fcd2aae16c7ecba665f"
+PV = "0.1+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "json-c libmicrohttpd openssl cynagora"
+
+inherit cmake
+
+EXTRA_OECMAKE += " \
+ -DDEFAULTHOSTS=:7777 \
+ -DDEFAULTURL=http://localhost:7777/tok \
+ -DUNITDIR_SYSTEM=${systemd_system_unitdir} \
+"
+
+FILES_${PN} += "${systemd_system_unitdir}"
+
+
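Review bot: `-DDEFAULTHOSTS=:7777` has no host part, which presumably makes the OAuth server listen on every interface, while `DEFAULTURL` is `http://localhost:7777/tok`, so tokens are handed out over plain HTTP. If only local clients are expected, bind to loopback, e.g. `-DDEFAULTHOSTS=localhost:7777`; this assumes cynagoauth accepts a host:port value there, which is not visible in this recipe. Either way, a comment above `EXTRA_OECMAKE` should state the intended exposure of the token endpoint. The recipe also ships unit files through `FILES_${PN}` without saying whether the service is meant to be enabled by default.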
diff --git a/meta-agl/meta-security/recipes-security/cynagora/cynagora-cynara-compat_2.0.bb b/meta-agl/meta-security/recipes-security/cynagora/cynagora-cynara-compat_2.0.bb
new file mode 100644
index 00000000..fa5cdbad
--- /dev/null
+++ b/meta-agl/meta-security/recipes-security/cynagora/cynagora-cynara-compat_2.0.bb
@@ -0,0 +1,30 @@
+DESCRIPTION = "Cynara service with client libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}"
+SRCREV = "6c88efcb7b1361ba6389753e520e26fc556b7d79"
+PV = "2.0+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+inherit cmake
+
+PROVIDES = "cynara"
+RPROVIDES_${PN} = "cynara"
+DEPENDS = "libcap"
+RDEPENDS_${PN} = "cynagora"
+
+EXTRA_OECMAKE += " \
+ -DWITH_SYSTEMD=OFF \
+ -DWITH_CYNARA_COMPAT=ON \
+ -DDIRECT_CYNARA_COMPAT=ON \
+"
+
+do_install_append() {
+ # remove cynagora stuff
+ rm $(find ${D} -name '*cynagora*')
+ # remove stupid test
+ rm -r ${D}${bindir}
+}
+
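Review bot: `SRCREV` here (`6c88efcb…`) differs from the one in `cynagora_2.0.bb` (`d73ac5e9…`), although both recipes fetch the same repository and this package has `RDEPENDS_${PN} = "cynagora"`. The cynara-compat client library and the daemon it talks to are therefore built from different commits; unless that is deliberate, share one revision (for example through a common `.inc`) or add a comment explaining the skew. Separately, in `do_install_append`, `rm $(find ${D} -name '*cynagora*')` fails when find matches nothing or matches a directory, and it word-splits paths. `find ${D} -depth -name '*cynagora*' -exec rm -rf {} +` is more robust.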
diff --git a/meta-agl/meta-security/recipes-security/cynagora/cynagora/run-ptest b/meta-agl/meta-security/recipes-security/cynagora/cynagora/run-ptest
new file mode 100755
index 00000000..f95f0725
--- /dev/null
+++ b/meta-agl/meta-security/recipes-security/cynagora/cynagora/run-ptest
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# test access to cynagora server
+cynagora-admin list > /dev/null
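Review bot: The script prints nothing in the `PASS: <name>` / `FAIL: <name>` form that ptest result parsing expects, so the outcome is visible only through the exit status of `cynagora-admin list`. The removed cynara `run-ptest` produced those lines with sed. Suggest `cynagora-admin list > /dev/null && echo "PASS: cynagora-admin-list" || echo "FAIL: cynagora-admin-list"`. It would also help to note in the comment that this only checks that the admin socket is reachable, not that any policy decision is correct.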
diff --git a/meta-agl/meta-security/recipes-security/cynagora/cynagora_2.0.bb b/meta-agl/meta-security/recipes-security/cynagora/cynagora_2.0.bb
new file mode 100644
index 00000000..fef21c64
--- /dev/null
+++ b/meta-agl/meta-security/recipes-security/cynagora/cynagora_2.0.bb
@@ -0,0 +1,38 @@
+DESCRIPTION = "Cynagora service and client libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}"
+SRCREV = "d73ac5e96eeb2f76081af3d944b30ed8e29cac39"
+PV = "2.0+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "systemd libcap"
+
+inherit cmake
+
+EXTRA_OECMAKE += " \
+ -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
+ -DWITH_SYSTEMD=ON \
+ -DWITH_CYNARA_COMPAT=OFF \
+"
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "-r cynagora"
+USERADD_PARAM_${PN} = "\
+--system --home ${localstatedir}/lib/empty \
+--no-create-home --shell /bin/false \
+--gid cynagora cynagora \
+"
+
+FILES_${PN} += "${systemd_system_unitdir}"
+
+PACKAGES =+ "${PN}-tools"
+FILES_${PN}-tools += "${bindir}/cynagora-admin ${bindir}/cynagora-agent"
+RDEPENDS_${PN}_append_agl-devel = " ${PN}-tools"
+
+inherit ptest
+SRC_URI_append = " file://run-ptest"
+RDEPENDS_${PN}-ptest_append = " ${PN}-tools"
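Review bot: The recipe packages `${systemd_system_unitdir}` and builds with `-DWITH_SYSTEMD=ON`, but it neither inherits the `systemd` class nor sets `SYSTEMD_SERVICE_${PN}`. Whether the policy daemon is enabled at boot therefore depends entirely on what the upstream CMake install step places in the unit directory, which is not visible here. Since other components rely on this service for access decisions, make the enablement explicit (`inherit systemd` plus `SYSTEMD_SERVICE_${PN}`), or add a comment that upstream installs the `.wants` links itself. `DEPENDS = "systemd libcap"` is also unconditional, so a comment that the recipe requires a systemd distro would help.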
diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
deleted file mode 100644
index e1d0cfac..00000000
--- a/meta-agl/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 8bf90bf3e7a821dbd3b7029d87aa592eec6f1754 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 25 Jan 2018 12:00:18 +0100
-Subject: [PATCH] Add fallthrough tags
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-GCC 7 emits a warning when the tag /*@fallthrough@*/
-doesn't appear in a switch case when a case continue
-to the next after some processing.
-
-Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-
----
- src/admin/api/admin-api.cpp | 1 +
- src/client-async/logic/Logic.cpp | 1 +
- src/common/sockets/SocketClient.cpp | 1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/src/admin/api/admin-api.cpp b/src/admin/api/admin-api.cpp
-index c638f41..aafa45e 100644
---- a/src/admin/api/admin-api.cpp
-+++ b/src/admin/api/admin-api.cpp
-@@ -146,6 +146,7 @@ int cynara_admin_set_policies(struct cynara_admin *p_cynara_admin,
- case CYNARA_ADMIN_BUCKET:
- if (!isStringValid(policy->result_extra))
- return CYNARA_API_INVALID_PARAM;
-+ /*@fallthrough@*/
- default:
- {
- std::string extraStr = policy->result_extra ? policy->result_extra : "";
-diff --git a/src/client-async/logic/Logic.cpp b/src/client-async/logic/Logic.cpp
-index 5ae0251..c1d6c33 100644
---- a/src/client-async/logic/Logic.cpp
-+++ b/src/client-async/logic/Logic.cpp
-@@ -233,6 +233,7 @@ bool Logic::processOut(void) {
- case Socket::SendStatus::ALL_DATA_SENT:
- onStatusChange(m_socketClient.getSockFd(),
- cynara_async_status::CYNARA_STATUS_FOR_READ);
-+ /*@fallthrough@*/
- case Socket::SendStatus::PARTIAL_DATA_SENT:
- return true;
- default:
-diff --git a/src/common/sockets/SocketClient.cpp b/src/common/sockets/SocketClient.cpp
-index b1ca4f7..f4394e5 100644
---- a/src/common/sockets/SocketClient.cpp
-+++ b/src/common/sockets/SocketClient.cpp
-@@ -45,6 +45,7 @@ bool SocketClient::connect(void) {
- LOGW("Error connecting to Cynara. Service not available.");
- return false;
- }
-+ /*@fallthrough@*/
- default:
- return true;
- }
diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch
deleted file mode 100644
index 40e11ce5..00000000
--- a/meta-agl/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From ca28ec4a0781a1ab9ec5f015387436beb51adfc3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan-Simon=20M=C3=B6ller?= <jsmoeller@linuxfoundation.org>
-Date: Fri, 19 Oct 2018 08:09:28 +0000
-Subject: [PATCH] fix fallthrough in cmdlineparser
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
-
----
- src/service/main/CmdlineParser.cpp | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/service/main/CmdlineParser.cpp b/src/service/main/CmdlineParser.cpp
-index ca56e39..e07ea52 100644
---- a/src/service/main/CmdlineParser.cpp
-+++ b/src/service/main/CmdlineParser.cpp
-@@ -112,13 +112,16 @@ struct CmdLineOptions handleCmdlineOptions(int argc, char * const *argv) {
- case ':': // Missing argument
- ret.m_error = true;
- ret.m_exit = true;
-+ /*@fallthrough@*/
- switch (optopt) {
- case CmdlineOpt::Mask:
- case CmdlineOpt::User:
- case CmdlineOpt::Group:
- printMissingArgument(execName, argv[optind - 1]);
- return ret;
-+ /*@fallthrough@*/
- }
-+ /*@fallthrough@*/
- //intentional fall to Unknown option
- case '?': // Unknown option
- default:
diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
deleted file mode 100644
index b8dbfac4..00000000
--- a/meta-agl/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From e2d8414b0d1c6c59baf1bb73e856e93aaabaf955 Mon Sep 17 00:00:00 2001
-From: Changhyeok Bae <changhyeok.bae@gmail.com>
-Date: Sun, 17 Dec 2017 15:28:28 +0000
-Subject: [PATCH] gcc-7 requires include <functional> for std::function
-
-Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
-
----
- src/common/types/PolicyBucket.h | 1 +
- src/cyad/AdminPolicyParser.h | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/src/common/types/PolicyBucket.h b/src/common/types/PolicyBucket.h
-index 029d3dd..1bceeca 100644
---- a/src/common/types/PolicyBucket.h
-+++ b/src/common/types/PolicyBucket.h
-@@ -30,6 +30,7 @@
- #include <set>
- #include <string>
- #include <vector>
-+#include <functional>
-
- #include <exceptions/NotImplementedException.h>
- #include <types/pointers.h>
-diff --git a/src/cyad/AdminPolicyParser.h b/src/cyad/AdminPolicyParser.h
-index 53dde23..f38c194 100644
---- a/src/cyad/AdminPolicyParser.h
-+++ b/src/cyad/AdminPolicyParser.h
-@@ -25,6 +25,7 @@
-
- #include <istream>
- #include <memory>
-+#include <functional>
-
- #include <cyad/CynaraAdminPolicies.h>
-
diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
deleted file mode 100644
index 1b105a00..00000000
--- a/meta-agl/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From fdcf2a68a4bfec588b1c6c969caa0be20961b807 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 25 Jan 2018 11:38:16 +0100
-Subject: [PATCH] Avoid warning when compiling without smack
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When DB_FILES_SMACK_LABEL is not defined, cmake complains
-with the following message:
-
-> -- Checking for modules ''
-> Please specify at least one package name on the command line.
-
-Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-
----
- src/admin/CMakeLists.txt | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/admin/CMakeLists.txt b/src/admin/CMakeLists.txt
-index e4f354a..38b8669 100644
---- a/src/admin/CMakeLists.txt
-+++ b/src/admin/CMakeLists.txt
-@@ -23,12 +23,12 @@ IF (DB_FILES_SMACK_LABEL)
- SET(SMACK "smack")
- SET(LIBSMACK "libsmack")
- ADD_DEFINITIONS("-DDB_FILES_SMACK_LABEL=\"${DB_FILES_SMACK_LABEL}\"")
--ENDIF (DB_FILES_SMACK_LABEL)
-
--PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP
-- REQUIRED
-- ${LIBSMACK}
-- )
-+ PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP
-+ REQUIRED
-+ ${LIBSMACK}
-+ )
-+ENDIF (DB_FILES_SMACK_LABEL)
-
- SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin)
-
diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
deleted file mode 100644
index f19cdfb5..00000000
--- a/meta-agl/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 233fb8a93343c3c9c04914e1148ef5ab87a808a1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 25 Jan 2018 12:52:39 +0100
-Subject: [PATCH] Fix mode of sockets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Setting execution bit on the socket serves nothing.
-
-Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-
----
- systemd/cynara-admin.socket | 2 +-
- systemd/cynara.socket | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket
-index 2d1aea4..ed38386 100644
---- a/systemd/cynara-admin.socket
-+++ b/systemd/cynara-admin.socket
-@@ -1,6 +1,6 @@
- [Socket]
- ListenStream=/run/cynara/cynara-admin.socket
--SocketMode=0700
-+SocketMode=0600
- SmackLabelIPIn=@
- SmackLabelIPOut=@
-
-diff --git a/systemd/cynara.socket b/systemd/cynara.socket
-index 9f2a870..fad2745 100644
---- a/systemd/cynara.socket
-+++ b/systemd/cynara.socket
-@@ -1,6 +1,6 @@
- [Socket]
- ListenStream=/run/cynara/cynara.socket
--SocketMode=0777
-+SocketMode=0666
- SmackLabelIPIn=*
- SmackLabelIPOut=@
-
diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
deleted file mode 100644
index e954c7f2..00000000
--- a/meta-agl/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch
+++ /dev/null
@@ -1,237 +0,0 @@
-From ebde8e9fdba7bc1c8152f7e45c551030a36ece82 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 25 Jan 2018 13:47:37 +0100
-Subject: [PATCH] Allow to tune sockets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Allow to change the directory of sockets
-through a true integration of SOCKET_DIR
-
-Allow to override the socket's group of
- - /run/cynara/cynara-agent.socket
- - /run/cynara/cynara-monitor-get.socket
-
-through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP
-
-Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-
----
- systemd/CMakeLists.txt | 19 +++++++++++++++----
- systemd/cynara-admin.socket | 14 --------------
- systemd/cynara-admin.socket.in | 14 ++++++++++++++
- systemd/cynara-agent.socket | 15 ---------------
- systemd/cynara-agent.socket.in | 15 +++++++++++++++
- systemd/cynara-monitor-get.socket | 15 ---------------
- systemd/cynara-monitor-get.socket.in | 15 +++++++++++++++
- systemd/cynara.socket | 14 --------------
- systemd/cynara.socket.in | 14 ++++++++++++++
- 9 files changed, 73 insertions(+), 62 deletions(-)
- delete mode 100644 systemd/cynara-admin.socket
- create mode 100644 systemd/cynara-admin.socket.in
- delete mode 100644 systemd/cynara-agent.socket
- create mode 100644 systemd/cynara-agent.socket.in
- delete mode 100644 systemd/cynara-monitor-get.socket
- create mode 100644 systemd/cynara-monitor-get.socket.in
- delete mode 100644 systemd/cynara.socket
- create mode 100644 systemd/cynara.socket.in
-
-diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
-index 20accf0..1b75c12 100644
---- a/systemd/CMakeLists.txt
-+++ b/systemd/CMakeLists.txt
-@@ -16,13 +16,24 @@
- # @author Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
- #
-
-+SET(CYNARA_ADMIN_SOCKET_GROUP
-+ "security_fw"
-+ CACHE STRING
-+ "Group to apply on administrative sockets")
-+
-+
-+CONFIGURE_FILE(cynara.socket.in cynara.socket @ONLY)
-+CONFIGURE_FILE(cynara-admin.socket.in cynara-admin.socket @ONLY)
-+CONFIGURE_FILE(cynara-agent.socket.in cynara-agent.socket @ONLY)
-+CONFIGURE_FILE(cynara-monitor-get.socket.in cynara-monitor-get.socket @ONLY)
-+
- INSTALL(FILES
- ${CMAKE_SOURCE_DIR}/systemd/cynara.service
- ${CMAKE_SOURCE_DIR}/systemd/cynara.target
-- ${CMAKE_SOURCE_DIR}/systemd/cynara.socket
-- ${CMAKE_SOURCE_DIR}/systemd/cynara-admin.socket
-- ${CMAKE_SOURCE_DIR}/systemd/cynara-agent.socket
-- ${CMAKE_SOURCE_DIR}/systemd/cynara-monitor-get.socket
-+ ${CMAKE_BINARY_DIR}/systemd/cynara.socket
-+ ${CMAKE_BINARY_DIR}/systemd/cynara-admin.socket
-+ ${CMAKE_BINARY_DIR}/systemd/cynara-agent.socket
-+ ${CMAKE_BINARY_DIR}/systemd/cynara-monitor-get.socket
- DESTINATION
- ${SYSTEMD_UNIT_DIR}
- )
-diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket
-deleted file mode 100644
-index ed38386..0000000
---- a/systemd/cynara-admin.socket
-+++ /dev/null
-@@ -1,14 +0,0 @@
--[Socket]
--ListenStream=/run/cynara/cynara-admin.socket
--SocketMode=0600
--SmackLabelIPIn=@
--SmackLabelIPOut=@
--
--Service=cynara.service
--
--[Unit]
--Wants=cynara.target
--Before=cynara.target
--
--[Install]
--WantedBy=sockets.target
-diff --git a/systemd/cynara-admin.socket.in b/systemd/cynara-admin.socket.in
-new file mode 100644
-index 0000000..2364c3e
---- /dev/null
-+++ b/systemd/cynara-admin.socket.in
-@@ -0,0 +1,14 @@
-+[Socket]
-+ListenStream=@SOCKET_DIR@/cynara-admin.socket
-+SocketMode=0600
-+SmackLabelIPIn=@
-+SmackLabelIPOut=@
-+
-+Service=cynara.service
-+
-+[Unit]
-+Wants=cynara.target
-+Before=cynara.target
-+
-+[Install]
-+WantedBy=sockets.target
-diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket
-deleted file mode 100644
-index 5a677e0..0000000
---- a/systemd/cynara-agent.socket
-+++ /dev/null
-@@ -1,15 +0,0 @@
--[Socket]
--ListenStream=/run/cynara/cynara-agent.socket
--SocketGroup=security_fw
--SocketMode=0060
--SmackLabelIPIn=*
--SmackLabelIPOut=@
--
--Service=cynara.service
--
--[Unit]
--Wants=cynara.target
--Before=cynara.target
--
--[Install]
--WantedBy=sockets.target
-diff --git a/systemd/cynara-agent.socket.in b/systemd/cynara-agent.socket.in
-new file mode 100644
-index 0000000..4f86c9d
---- /dev/null
-+++ b/systemd/cynara-agent.socket.in
-@@ -0,0 +1,15 @@
-+[Socket]
-+ListenStream=@SOCKET_DIR@/cynara-agent.socket
-+SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
-+SocketMode=0060
-+SmackLabelIPIn=*
-+SmackLabelIPOut=@
-+
-+Service=cynara.service
-+
-+[Unit]
-+Wants=cynara.target
-+Before=cynara.target
-+
-+[Install]
-+WantedBy=sockets.target
-diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket
-deleted file mode 100644
-index a50feeb..0000000
---- a/systemd/cynara-monitor-get.socket
-+++ /dev/null
-@@ -1,15 +0,0 @@
--[Socket]
--ListenStream=/run/cynara/cynara-monitor-get.socket
--SocketGroup=security_fw
--SocketMode=0060
--SmackLabelIPIn=@
--SmackLabelIPOut=@
--
--Service=cynara.service
--
--[Unit]
--Wants=cynara.target
--Before=cynara.target
--
--[Install]
--WantedBy=sockets.target
-diff --git a/systemd/cynara-monitor-get.socket.in b/systemd/cynara-monitor-get.socket.in
-new file mode 100644
-index 0000000..b88dbf7
---- /dev/null
-+++ b/systemd/cynara-monitor-get.socket.in
-@@ -0,0 +1,15 @@
-+[Socket]
-+ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket
-+SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@
-+SocketMode=0060
-+SmackLabelIPIn=@
-+SmackLabelIPOut=@
-+
-+Service=cynara.service
-+
-+[Unit]
-+Wants=cynara.target
-+Before=cynara.target
-+
-+[Install]
-+WantedBy=sockets.target
-diff --git a/systemd/cynara.socket b/systemd/cynara.socket
-deleted file mode 100644
-index fad2745..0000000
---- a/systemd/cynara.socket
-+++ /dev/null
-@@ -1,14 +0,0 @@
--[Socket]
--ListenStream=/run/cynara/cynara.socket
--SocketMode=0666
--SmackLabelIPIn=*
--SmackLabelIPOut=@
--
--Service=cynara.service
--
--[Unit]
--Wants=cynara.target
--Before=cynara.target
--
--[Install]
--WantedBy=sockets.target
-diff --git a/systemd/cynara.socket.in b/systemd/cynara.socket.in
-new file mode 100644
-index 0000000..ba76549
---- /dev/null
-+++ b/systemd/cynara.socket.in
-@@ -0,0 +1,14 @@
-+[Socket]
-+ListenStream=@SOCKET_DIR@/cynara.socket
-+SocketMode=0666
-+SmackLabelIPIn=*
-+SmackLabelIPOut=@
-+
-+Service=cynara.service
-+
-+[Unit]
-+Wants=cynara.target
-+Before=cynara.target
-+
-+[Install]
-+WantedBy=sockets.target
diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
deleted file mode 100644
index 68864f1e..00000000
--- a/meta-agl/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 23f1a7cb34dd4ef88bac5a43057feaf7f50559aa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 25 Jan 2018 14:09:23 +0100
-Subject: [PATCH] Install socket activation by default
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-
----
- packaging/cynara.spec | 5 -----
- systemd/CMakeLists.txt | 7 +++++++
- systemd/sockets.target.wants/cynara-admin.socket | 1 +
- systemd/sockets.target.wants/cynara-agent.socket | 1 +
- systemd/sockets.target.wants/cynara.socket | 1 +
- 5 files changed, 10 insertions(+), 5 deletions(-)
- create mode 120000 systemd/sockets.target.wants/cynara-admin.socket
- create mode 120000 systemd/sockets.target.wants/cynara-agent.socket
- create mode 120000 systemd/sockets.target.wants/cynara.socket
-
-diff --git a/packaging/cynara.spec b/packaging/cynara.spec
-index d2e0b80..2c5b326 100644
---- a/packaging/cynara.spec
-+++ b/packaging/cynara.spec
-@@ -72,12 +72,7 @@ make %{?jobs:-j%jobs}
- rm -rf %{buildroot}
- %make_install
-
--mkdir -p %{buildroot}%{_unitdir}/sockets.target.wants
- mkdir -p %{buildroot}%{_unitdir}/multi-user.target.wants
--ln -s ../cynara.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara.socket
--ln -s ../cynara-admin.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-admin.socket
--ln -s ../cynara-agent.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-agent.socket
--ln -s ../cynara-monitor-get.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-monitor-get.socket
- ln -s ../cynara.service %{buildroot}%{_unitdir}/multi-user.target.wants/cynara.service
-
- %post
-diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
-index 1b75c12..9a2d70d 100644
---- a/systemd/CMakeLists.txt
-+++ b/systemd/CMakeLists.txt
-@@ -38,3 +38,10 @@ INSTALL(FILES
- ${SYSTEMD_UNIT_DIR}
- )
-
-+INSTALL(DIRECTORY
-+ ${CMAKE_SOURCE_DIR}/systemd/sockets.target.wants
-+ DESTINATION
-+ ${SYSTEMD_UNIT_DIR}
-+)
-+
-+
-diff --git a/systemd/sockets.target.wants/cynara-admin.socket b/systemd/sockets.target.wants/cynara-admin.socket
-new file mode 120000
-index 0000000..3d0b1ce
---- /dev/null
-+++ b/systemd/sockets.target.wants/cynara-admin.socket
-@@ -0,0 +1 @@
-+../cynara-admin.socket
-\ No newline at end of file
-diff --git a/systemd/sockets.target.wants/cynara-agent.socket b/systemd/sockets.target.wants/cynara-agent.socket
-new file mode 120000
-index 0000000..22b37dd
---- /dev/null
-+++ b/systemd/sockets.target.wants/cynara-agent.socket
-@@ -0,0 +1 @@
-+../cynara-agent.socket
-\ No newline at end of file
-diff --git a/systemd/sockets.target.wants/cynara.socket b/systemd/sockets.target.wants/cynara.socket
-new file mode 120000
-index 0000000..c0e5a5b
---- /dev/null
-+++ b/systemd/sockets.target.wants/cynara.socket
-@@ -0,0 +1 @@
-+../cynara.socket
-\ No newline at end of file
diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
deleted file mode 100644
index c1441892..00000000
--- a/meta-agl/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 3605e9f8a3ea1252d1cf221398431e0d7a3ea34d Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Mon, 23 Mar 2015 15:01:39 -0700
-Subject: [PATCH] cynara-db-migration.in: abort on errors
-
-"set -e" enables error checking for all commands invoked by the script.
-Previously, errors were silently ignored.
-
-Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
----
- migration/cynara-db-migration.in | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in
-index 7b666d4..0682df6 100644
---- a/migration/cynara-db-migration.in
-+++ b/migration/cynara-db-migration.in
-@@ -19,6 +19,8 @@
- # @brief Migration tool for Cynara's database
- #
-
-+set -e
-+
- ##### Constants (these must not be modified by shell)
-
- PATH=/bin:/usr/bin:/sbin:/usr/sbin
diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/run-ptest b/meta-agl/meta-security/recipes-security/cynara/cynara/run-ptest
deleted file mode 100755
index f8dd5d8b..00000000
--- a/meta-agl/meta-security/recipes-security/cynara/cynara/run-ptest
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-cynara-tests | sed -e 's/^\[ *OK *\] \(\S*\)$/PASS: \1/' -e 's/^\[ *FAILED *\] \(\S*\)$/FAIL: \1/'
-sh /usr/bin/cynara-db-migration-tests | sed -e 's/^Test .*(\([^)]*\)).*passed.*/PASS: \1/' -e 's/^Test .*(\([^)]*\)).*failed.*/FAIL: \1/'
diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara_0.14.10.bb b/meta-agl/meta-security/recipes-security/cynara/cynara_0.14.10.bb
deleted file mode 100644
index 765c17bc..00000000
--- a/meta-agl/meta-security/recipes-security/cynara/cynara_0.14.10.bb
+++ /dev/null
@@ -1,157 +0,0 @@
-DESCRIPTION = "Cynara service with client libraries"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
-
-PV = "0.14.10+git${SRCPV}"
-SRCREV = "be455dcaf1400bec0272a6ce90852b9147393a60"
-SRC_URI = "git://github.com/Samsung/cynara.git"
-S = "${WORKDIR}/git"
-
-SRC_URI += " \
- file://cynara-db-migration-abort-on-errors.patch \
- file://0001-Add-fallthrough-tags.patch \
- file://0002-gcc-7-requires-include-functional-for-std-function.patch \
- file://0003-Avoid-warning-when-compiling-without-smack.patch \
- file://0004-Fix-mode-of-sockets.patch \
- file://0005-Allow-to-tune-sockets.patch \
- file://0006-Install-socket-activation-by-default.patch \
- file://0001-fix-fallthrough-in-cmdlineparser.patch \
-"
-
-DEPENDS = " \
-systemd \
-"
-
-PACKAGECONFIG ??= ""
-# Use debug mode to increase logging. Beware, also compiles with less optimization
-# and thus has to disable FORTIFY_SOURCE below.
-PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE,libunwind elfutils"
-
-inherit cmake
-
-EXTRA_OECMAKE += " \
- -DCMAKE_VERBOSE_MAKEFILE=ON \
- -DBUILD_WITH_SYSTEMD_DAEMON=ON \
- -DBUILD_WITH_SYSTEMD_JOURNAL=ON \
- -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
- -DSOCKET_DIR=/run/cynara \
- -DBUILD_COMMONS=ON \
- -DBUILD_SERVICE=ON \
- -DBUILD_DBUS=OFF \
- -DCYNARA_ADMIN_SOCKET_GROUP=cynara \
-"
-
-# Explicitly package empty directory. Otherwise Cynara prints warnings
-# at runtime:
-# cyad[198]: Couldn't scan for plugins in </usr/lib/cynara/plugin/service/> : <No such file or directory>
-FILES_${PN}_append = " \
-${libdir}/cynara/plugin/service \
-${libdir}/cynara/plugin/client \
-"
-
-inherit useradd
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "-r cynara"
-USERADD_PARAM_${PN} = "\
---system --home ${localstatedir}/lib/empty \
---no-create-home --shell /bin/false \
---gid cynara cynara \
-"
-
-# Causes deadlock during booting, see workaround in postinst below.
-#inherit systemd
-#SYSTEMD_SERVICE_${PN} = "cynara.service"
-
-#do_install_append () {
-# chmod a+rx ${D}/${sbindir}/cynara-db-migration
-#
-# install -d ${D}${sysconfdir}/cynara/
-# install -m 644 ${S}/conf/creds.conf ${D}/${sysconfdir}/cynara/creds.conf
-#
-# # No need to create empty directories except for those which
-# # Cynara expects to find.
-# # install -d ${D}${localstatedir}/cynara/
-# # install -d ${D}${prefix}/share/cynara/tests/empty_db
-# install -d ${D}${libdir}/cynara/plugin/client
-# install -d ${D}${libdir}/cynara/plugin/service
-#
-# # install db* ${D}${prefix}/share/cynara/tests/
-#
-# install -d ${D}${systemd_system_unitdir}/sockets.target.wants
-# ln -s ../cynara.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara.socket
-# ln -s ../cynara-admin.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-admin.socket
-# ln -s ../cynara-agent.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-agent.socket
-#}
-
-# We want the post-install logic to create and label /var/cynara, so
-# it should not be in the package.
-do_install_append () {
- rmdir ${D}${localstatedir}/cynara
-}
-
-FILES_${PN} += "${systemd_system_unitdir}"
-
-# Cynara itself has no dependency on Smack. Only its installation
-# is Smack-aware in the sense that it sets Smack labels. Do not
-# depend on smack userspace unless we really need Smack labels.
-#
-# The Tizen .spec file calls cynara-db-migration in a %pre section.
-# That only works when cynara-db-migration is packaged separately
-# (overly complex) and does not seem necessary: perhaps there is a
-# time window where cynara might already get activated before
-# the postinst completes, but that is a general problem. It gets
-# avoided entirely when calling this script while building the
-# rootfs.
-DEPENDS_append_with-lsm-smack = " smack smack-native"
-EXTRA_OECMAKE_append_with-lsm-smack = " -DDB_FILES_SMACK_LABEL=System"
-CHSMACK_with-lsm-smack = "chsmack"
-CHSMACK = "true"
-pkg_postinst_ontarget_${PN} () {
- mkdir -p $D${sysconfdir}/cynara
- ${CHSMACK} -a System $D${sysconfdir}/cynara
-
- # Strip git patch level information, the version comparison code
- # in cynara-db-migration only expect major.minor.patch version numbers.
- VERSION=${@d.getVar('PV',d,1).split('+git')[0]}
- if [ -d $D${localstatedir}/cynara ] ; then
- # upgrade
- echo "NOTE: updating cynara DB to version $VERSION"
- $D${sbindir}/cynara-db-migration upgrade -f 0.0.0 -t $VERSION
- else
- # install
- echo "NOTE: creating cynara DB for version $VERSION"
- mkdir -p $D${localstatedir}/cynara
- ${CHSMACK} -a System $D${localstatedir}/cynara
- $D${sbindir}/cynara-db-migration install -t $VERSION
- fi
-
- # Workaround for systemd.bbclass issue: it would call
- # "systemctl start" without "--no-block", but because
- # the service is not ready to run at the time when
- # this scripts gets executed by run-postinsts.service,
- # booting deadlocks.
- echo "NOTE: enabling and starting cynara service"
- systemctl enable cynara
- systemctl start --no-block cynara
-}
-
-# Testing depends on gmock and gtest. They can be found in meta-oe
-# and are not necessarily available, so this feature is off by default.
-# If gmock from meta-oe is used, then a workaround is needed to avoid
-# a link error (libgmock.a calls pthread functions without libpthread
-# being listed in the .pc file).
-DEPENDS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' gmock', '', d)}"
-LDFLAGS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' -lpthread', '', d)}"
-SRC_URI_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' file://run-ptest', '', d)}"
-PACKAGECONFIG[tests] = "-DBUILD_TESTS:BOOL=ON,-DBUILD_TESTS:BOOL=OFF,gmock gtest,"
-
-# Will be empty if no tests were built.
-inherit ptest
-FILES_${PN}-ptest += "${bindir}/cynara-tests ${bindir}/cynara-db-migration-tests ${datadir}/cynara/tests"
-do_install_ptest () {
- if ${@bb.utils.contains('PACKAGECONFIG', 'tests', 'true', 'false', d)}; then
- mkdir -p ${D}/${datadir}/cynara/tests
- cp -r ${S}/test/db/* ${D}/${datadir}/cynara/tests
- fi
-}
-
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager.inc b/meta-agl/meta-security/recipes-security/security-manager/security-manager.inc
index ddd87a93..fdc5083e 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager.inc
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager.inc
@@ -4,35 +4,33 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginlin
inherit cmake
-# Out-of-tree build is broken ("sqlite3 .security-manager.db <db.sql" where db.sql is in $S/db).
B = "${S}"
DEPENDS = " \
-attr \
-boost \
-cynara \
-icu \
-libcap \
-smack \
-sqlite3 \
-sqlite3-native \
-systemd \
+ attr \
+ boost \
+ cynara \
+ icu \
+ libcap \
+ smack \
+ sqlite3 \
+ systemd \
"
PACKAGECONFIG ??= ""
PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE"
-TZ_SYS_DB = "/var/local/db/security-manager"
+TZ_SYS_DB ?= "/var/db/security-manager"
EXTRA_OECMAKE = " \
--DCMAKE_VERBOSE_MAKEFILE=ON \
--DVERSION=${PV} \
--DSYSTEMD_INSTALL_DIR=${systemd_unitdir}/system \
--DBIN_INSTALL_DIR=${bindir} \
--DDB_INSTALL_DIR=${TZ_SYS_DB} \
--DLIB_INSTALL_DIR=${libdir} \
--DSHARE_INSTALL_PREFIX=${datadir} \
--DINCLUDE_INSTALL_DIR=${includedir} \
+ -DCMAKE_VERBOSE_MAKEFILE=ON \
+ -DVERSION=${PV} \
+ -DSYSTEMD_INSTALL_DIR=${systemd_unitdir}/system \
+ -DBIN_INSTALL_DIR=${bindir} \
+ -DDB_INSTALL_DIR=${TZ_SYS_DB} \
+ -DLIB_INSTALL_DIR=${libdir} \
+ -DSHARE_INSTALL_PREFIX=${datadir} \
+ -DINCLUDE_INSTALL_DIR=${includedir} \
"
inherit systemd
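Review bot: The default of `TZ_SYS_DB` moves from `/var/local/db/security-manager` to `/var/db/security-manager`, and nothing visible in this recipe migrates an existing database, so a device updated in place would presumably start with an empty privilege database at the new path. If that is intended, state it in the commit message; otherwise keep the old default and let distros override it through the new `?=`. Separately, `B = "${S}"` is kept while the comment that justified it is removed together with `sqlite3-native`. Either drop the assignment if the in-tree `sqlite3 .security-manager.db <db.sql` step is gone, or keep a one-line reason next to it, such as `# In-tree build: the db/ CMake step still expects to run inside ${S}`, once that is confirmed.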
@@ -71,16 +69,11 @@ do_install_append () {
ln -s ../security-manager.socket ${D}/${systemd_unitdir}/system/sockets.target.wants/security-manager.socket
}
-RDEPENDS_${PN} += "smack"
-pkg_postinst_${PN} () {
- set -e
- chsmack -a System $D${TZ_SYS_DB}/.security-manager.db
- chsmack -a System $D${TZ_SYS_DB}/.security-manager.db-journal
-}
-
+RDEPENDS_${PN} += "sqlite3 cynara"
FILES_${PN} += " \
-${systemd_unitdir} \
-${TZ_SYS_DB} \
+ ${systemd_unitdir} \
+ ${TZ_SYS_DB} \
+ ${bindir}/.security-manager-setup \
"
PACKAGES =+ "${PN}-policy"
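Review bot: The removed `pkg_postinst_${PN}` was the only place in this recipe that set the Smack label `System` on `.security-manager.db` and `.security-manager.db-journal`, and `RDEPENDS_${PN}` no longer pulls in `smack`. The hunk packages `${bindir}/.security-manager-setup` but does not show what that script does. Presumably it now creates and labels the database; if so, it should label both files before the service accepts requests and stop on the first error, as the old `set -e` did, and whatever provides `chsmack` must remain a runtime dependency. A comment above `FILES_${PN}` would record this, e.g. `# DB is created and Smack-labelled at first start by .security-manager-setup, not in a postinst`. `do_install_append` starts above this hunk.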
@@ -88,7 +81,3 @@ FILES_${PN}-policy = " \
${datadir}/${PN} \
${bindir}/security-manager-policy-reload \
"
-RDEPENDS_${PN}-policy += "sqlite3 cynara"
-pkg_postinst_ontarget_${PN}-policy () {
- ${bindir}/security-manager-policy-reload
-}
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch
index cd5c36a6..91ce8196 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch
@@ -1,7 +1,7 @@
-From 8ec024d2adecb53029c6f1af2b95c93dfd43a7cb Mon Sep 17 00:00:00 2001
+From 3d9d1d83fe298a364f51ad752c17aad461beded3 Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Tue, 24 Mar 2015 04:54:03 -0700
-Subject: [PATCH] systemd: stop using compat libs
+Subject: [PATCH 01/14] systemd: stop using compat libs
libsystemd-journal and libsystemd-daemon are considered obsolete
in systemd since 2.09 and may not be available (not compiled
@@ -12,7 +12,6 @@ use that.
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
-
---
src/common/CMakeLists.txt | 2 +-
src/server/CMakeLists.txt | 2 +-
@@ -44,4 +43,5 @@ index 753eb96..6849d76 100644
FIND_PACKAGE(Boost REQUIRED)
--
-2.1.4
+2.21.0
+
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch
index ac57964c..b6346480 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch
@@ -1,7 +1,8 @@
-From d2995014142306987bf86b4d508a84b9b4683c5c Mon Sep 17 00:00:00 2001
+From a90515613f09140049b2bdf471fa83d5dd7bad1c Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Wed, 19 Aug 2015 15:02:32 +0200
-Subject: [PATCH 2/2] security-manager-policy-reload: do not depend on GNU sed
+Subject: [PATCH 02/14] security-manager-policy-reload: do not depend on GNU
+ sed
\U (= make replacement uppercase) is a GNU sed extension which is not
supported by other sed implementation's (like the one from
@@ -13,7 +14,6 @@ bucket name into uppercase.
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
-
---
policy/security-manager-policy-reload | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
@@ -32,4 +32,5 @@ index 274c49c..6f211c6 100755
# Re-create the bucket with empty contents
cyad --delete-bucket=$bucket || true
--
-2.1.4
+2.21.0
+
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch
index b0e11afe..d79345e0 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch
@@ -1,7 +1,7 @@
-From d130a7384428a96f31ad5950ffbffadc0aa29a15 Mon Sep 17 00:00:00 2001
+From a80e33bc0a10fa4bed5d0b7bf29f45dd2565d309 Mon Sep 17 00:00:00 2001
From: Alejandro Joya <alejandro.joya.cruz@intel.com>
Date: Wed, 4 Nov 2015 19:01:35 -0600
-Subject: [PATCH 1/2] Smack-rules: create two new functions
+Subject: [PATCH 03/14] Smack-rules: create two new functions
It let to smack-rules to create multiple set of rules
related with the privileges.
@@ -9,14 +9,15 @@ related with the privileges.
It runs from the same bases than for a static set of rules on the
template, but let you add 1 or many templates for different cases.
+Change-Id: I14f8d4e914ad5a7ba34c96f3cb5589f0b15292de
Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
---
- src/common/include/smack-rules.h | 15 ++++++++++++++
- src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++++++++++
+ src/common/include/smack-rules.h | 15 +++++++++++
+ src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++
2 files changed, 59 insertions(+)
diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h
-index 91446a7..f9fa438 100644
+index 91446a7..3ad9dd4 100644
--- a/src/common/include/smack-rules.h
+++ b/src/common/include/smack-rules.h
@@ -47,6 +47,8 @@ public:
@@ -28,10 +29,11 @@ index 91446a7..f9fa438 100644
void apply() const;
void clear() const;
-@@ -75,6 +77,19 @@ public:
+@@ -74,6 +76,19 @@ public:
+ */
static void installApplicationRules(const std::string &appId, const std::string &pkgId,
const std::vector<std::string> &pkgContents);
- /**
++ /**
+ * Install privileges-specific smack rules.
+ *
+ * Function creates smack rules using predefined template. Rules are applied
@@ -40,16 +42,15 @@ index 91446a7..f9fa438 100644
+ * @param[in] appId - application id that is beeing installed
+ * @param[in] pkgId - package id that the application is in
+ * @param[in] pkgContents - a list of all applications in the package
-+ * @param[in] privileges - a list of all prvileges
++ * @param[in] privileges - a list of all prvileges
+ */
+ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges);
-+ /**
+ /**
* Uninstall package-specific smack rules.
*
- * Function loads package-specific smack rules, revokes them from the kernel
diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
-index 3629e0f..d834e42 100644
+index 3629e0f..922a56f 100644
--- a/src/common/smack-rules.cpp
+++ b/src/common/smack-rules.cpp
@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const
@@ -98,7 +99,7 @@ index 3629e0f..d834e42 100644
+ continue;
+ std::string fprivilege ( privilege + "-template.smack");
+ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
-+ if( stat(path.c_str(), &buffer) == 0)
++ if( stat(path.c_str(), &buffer) == 0)
+ smackRules.addFromTemplateFile(appId, pkgId, path);
+ }
+
@@ -112,5 +113,5 @@ index 3629e0f..d834e42 100644
const std::vector<std::string> &pkgContents)
{
--
-2.1.0
+2.21.0
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch
index d60096a1..59d4971f 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch
@@ -1,7 +1,7 @@
-From 19688cbe2ca10921a499f3fa265928dca54cf98d Mon Sep 17 00:00:00 2001
+From a5979d9d674e400ecd7fcdf5d7589cfa0cfeb492 Mon Sep 17 00:00:00 2001
From: Alejandro Joya <alejandro.joya.cruz@intel.com>
Date: Wed, 4 Nov 2015 19:06:23 -0600
-Subject: [PATCH 2/2] app-install: implement multiple set of smack-rules
+Subject: [PATCH 04/14] app-install: implement multiple set of smack-rules
If it's need it could create load multiple set of smack rules
related with the privileges.
@@ -30,5 +30,5 @@ index 7fd621c..ae305d3 100644
LogError("Error while applying Smack policy for application: " << e.DumpToString());
return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
--
-2.1.0
+2.21.0
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch
index c312a9e7..0739f28c 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch
@@ -1,7 +1,7 @@
-From 6abeec29a0e704f4bf7084b29275b99fea0a78de Mon Sep 17 00:00:00 2001
+From 198ba9b9782fda19803e94d2afeff91189ac27af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
Date: Wed, 13 Jan 2016 17:30:06 +0100
-Subject: [PATCH 2/2] c++11: replace depracated auto_ptr
+Subject: [PATCH 05/14] c++11: replace deprecated auto_ptr
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -28,5 +28,5 @@ index dd03f5e..185b6c7 100644
/**
* Binary stream implemented as constant size bucket list
--
-2.1.4
+2.21.0
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch
index fa4c21c7..3b8aad98 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch
@@ -1,7 +1,7 @@
-From 75c4852e47217ab85d6840b488ab4b3688091856 Mon Sep 17 00:00:00 2001
+From ec098bf03cea23350ca7d1ea2ad88b9c88228943 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Fri, 8 Jan 2016 16:53:46 +0100
-Subject: [PATCH 1/2] socket-manager: removes tizen specific call
+Subject: [PATCH 06/14] socket-manager: removes tizen specific call
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -18,7 +18,7 @@ Signed-off-by: José Bollo <jobol@nonadev.net>
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp
-index 0366186..c5cec18 100644
+index 94c54c6..5e1a79b 100644
--- a/src/server/main/socket-manager.cpp
+++ b/src/server/main/socket-manager.cpp
@@ -30,6 +30,7 @@
@@ -29,7 +29,7 @@ index 0366186..c5cec18 100644
#include <sys/un.h>
#include <sys/stat.h>
#include <unistd.h>
-@@ -500,9 +501,9 @@ int SocketManager::CreateDomainSocketHelp(
+@@ -493,9 +494,9 @@ int SocketManager::CreateDomainSocketHelp(
if (smack_check()) {
LogInfo("Set up smack label: " << desc.smackLabel);
@@ -43,5 +43,5 @@ index 0366186..c5cec18 100644
} else {
LogInfo("No smack on platform. Socket won't be securied with smack label!");
--
-2.1.4
+2.21.0
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch
index f9497307..bad99d25 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch
@@ -1,16 +1,16 @@
-From 1e2f8f58d4320afa1d83a6f94822e53346108ee8 Mon Sep 17 00:00:00 2001
+From 9d0791dab4b4df086374c5c0ba2a6558e10e81c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Mon, 16 Nov 2015 15:56:27 +0100
-Subject: [PATCH] removes dependency to libslp-db-utils
+Subject: [PATCH 07/14] removes dependency to libslp-db-utils
Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec
---
- src/common/CMakeLists.txt | 1 ++-
+ src/common/CMakeLists.txt | 3 ++-
src/dpl/db/src/sql_connection.cpp | 17 +----------------
- 2 files changed, 3 additions(+), 17 deletions(-)
+ 2 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
-index 968c7c1..d1fe644 100644
+index 968c7c1..9ae376f 100644
--- a/src/common/CMakeLists.txt
+++ b/src/common/CMakeLists.txt
@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP
@@ -18,13 +18,13 @@ index 968c7c1..d1fe644 100644
libsystemd
libsmack
- db-util
-+ sqlite3
++ sqlite3
+ icu-i18n
cynara-admin
cynara-client
)
diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp
-index fdb4fe4..1fb97be 100644
+index fdb4fe4..f49a6dc 100644
--- a/src/dpl/db/src/sql_connection.cpp
+++ b/src/dpl/db/src/sql_connection.cpp
@@ -26,7 +26,6 @@
@@ -74,5 +74,5 @@ index fdb4fe4..1fb97be 100644
if (result != SQLITE_OK) {
const char *error = sqlite3_errmsg(m_connection);
--
-2.1.4
+2.21.0
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch
new file mode 100644
index 00000000..5ece7ef4
--- /dev/null
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch
@@ -0,0 +1,38 @@
+From a1d9b40b4fa2e73d31a53e398c286bffeaae1732 Mon Sep 17 00:00:00 2001
+From: Ronan <ronan.lemartret@iot.bzh>
+Date: Wed, 12 Oct 2016 17:48:55 +0200
+Subject: [PATCH 08/14] Fix gcc6 build
+
+Signed-off-by: ronan <ronan@ot.bzh>
+---
+ src/client/client-security-manager.cpp | 1 +
+ src/common/include/privilege_db.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
+index 74a6b30..347cddd 100644
+--- a/src/client/client-security-manager.cpp
++++ b/src/client/client-security-manager.cpp
+@@ -46,6 +46,7 @@
+ #include <service_impl.h>
+ #include <security-manager.h>
+ #include <client-offline.h>
++#include <linux/xattr.h>
+
+ static const char *EMPTY = "";
+
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 4d73d90..08fb9d6 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -32,6 +32,7 @@
+ #include <map>
+ #include <stdbool.h>
+ #include <string>
++#include <vector>
+
+ #include <dpl/db/sql_connection.h>
+ #include <tzplatform_config.h>
+--
+2.21.0
+
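Review bot: This new patch file carries no `Upstream-Status:` line, unlike `0001-systemd-stop-using-compat-libs.patch` in the same directory. The same holds for `0009-Fix-Cmake-conf-for-gcc6-build.patch` and `0010-gcc-7-requires-include-functional-for-std-function.patch` below. Adding e.g. `Upstream-Status: Pending` to each keeps the provenance of carried changes to this security component auditable. The `Signed-off-by` address `ronan@ot.bzh` also differs from the `From:` address `ronan.lemartret@iot.bzh` and looks like a typo. The description gives no reason for the two added includes; one line naming the symbols that failed to resolve under gcc 6 would be enough.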
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch
new file mode 100644
index 00000000..706eb1a9
--- /dev/null
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch
@@ -0,0 +1,40 @@
+From 382379d74221bcc60a0ab70d63430a1c0587b2ec Mon Sep 17 00:00:00 2001
+From: Ronan <ronan.lemartret@iot.bzh>
+Date: Thu, 13 Oct 2016 11:37:47 +0200
+Subject: [PATCH 09/14] Fix Cmake conf for gcc6 build
+
+Signed-off-by: Ronan <ronan.lemartret@iot.bzh>
+---
+ src/cmd/CMakeLists.txt | 4 +---
+ src/server/CMakeLists.txt | 1 -
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt
+index ee9a160..aa7a12c 100644
+--- a/src/cmd/CMakeLists.txt
++++ b/src/cmd/CMakeLists.txt
+@@ -1,8 +1,6 @@
+ FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options)
+
+-INCLUDE_DIRECTORIES(SYSTEM
+- ${Boost_INCLUDE_DIRS}
+- )
++
+
+ INCLUDE_DIRECTORIES(
+ ${INCLUDE_PATH}
+diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
+index 6849d76..9598037 100644
+--- a/src/server/CMakeLists.txt
++++ b/src/server/CMakeLists.txt
+@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED)
+
+ INCLUDE_DIRECTORIES(SYSTEM
+ ${SERVER_DEP_INCLUDE_DIRS}
+- ${Boost_INCLUDE_DIRS}
+ ${Threads_INCLUDE_DIRS}
+ )
+
+--
+2.21.0
+
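Review bot: The patch description does not say why `${Boost_INCLUDE_DIRS}` is taken out of `INCLUDE_DIRECTORIES(SYSTEM ...)` in `src/cmd` and `src/server`. Presumably it avoids passing the default include directory as `-isystem`, which breaks `#include_next` in the gcc 6 C++ headers, but that should be stated so the change is not reverted later. In `src/cmd/CMakeLists.txt` the three removed lines are replaced by an added empty line, which leaves two blank lines after `FIND_PACKAGE`; dropping that added line keeps the file tidy.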
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch
new file mode 100644
index 00000000..0f48c5f6
--- /dev/null
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch
@@ -0,0 +1,51 @@
+From 8e93699c0f225716f3cd5eff790270ae9e3880f9 Mon Sep 17 00:00:00 2001
+From: Changhyeok Bae <changhyeok.bae@gmail.com>
+Date: Sun, 17 Dec 2017 15:40:58 +0000
+Subject: [PATCH 10/14] gcc-7 requires include <functional> for std::function
+
+Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
+---
+ src/client/client-common.cpp | 1 +
+ src/common/smack-labels.cpp | 1 +
+ src/dpl/core/src/binary_queue.cpp | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp
+index 883ab8d..1babdf7 100644
+--- a/src/client/client-common.cpp
++++ b/src/client/client-common.cpp
+@@ -31,6 +31,7 @@
+ #include <sys/xattr.h>
+ #include <linux/xattr.h>
+ #include <unistd.h>
++#include <functional>
+
+ #include <dpl/log/log.h>
+ #include <dpl/serialization.h>
+diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp
+index 0294a42..1598099 100644
+--- a/src/common/smack-labels.cpp
++++ b/src/common/smack-labels.cpp
+@@ -29,6 +29,7 @@
+ #include <sys/xattr.h>
+ #include <linux/xattr.h>
+ #include <memory>
++#include <functional>
+ #include <fts.h>
+ #include <cstring>
+ #include <string>
+diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp
+index 72817a6..838409f 100644
+--- a/src/dpl/core/src/binary_queue.cpp
++++ b/src/dpl/core/src/binary_queue.cpp
+@@ -26,6 +26,7 @@
+ #include <malloc.h>
+ #include <cstring>
+ #include <new>
++#include <functional>
+
+ namespace SecurityManager {
+ BinaryQueue::BinaryQueue() :
+--
+2.21.0
+
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch
index 5a55a312..5c679fc2 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch
@@ -1,7 +1,7 @@
-From 37c63c280eaec8cae3a321d45404d6c03a68c9d9 Mon Sep 17 00:00:00 2001
+From 243b7ffee16558d7cb9b411f49380138efeffca9 Mon Sep 17 00:00:00 2001
From: Stephane Desneux <stephane.desneux@iot.bzh>
Date: Fri, 1 Feb 2019 12:26:17 +0000
-Subject: [PATCH] Fix gcc8 warning/error [-Werror=catch-value=]
+Subject: [PATCH 11/14] Fix gcc8 warning/error [-Werror=catch-value=]
Fixes the following warning/error during compile:
@@ -28,5 +28,5 @@ index 63538a2..fc60ce9 100644
}
--
-2.11.0
+2.21.0
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch
index f598fdc8..91ccf9ee 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch
@@ -1,7 +1,7 @@
-From 14c8842ed8a37fecbc70d46e27b49ae929b0c85f Mon Sep 17 00:00:00 2001
+From 5ee51d38575f289c2bf37ed817ef680ed47bb320 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Fri, 1 Feb 2019 15:37:44 +0100
-Subject: [PATCH] Avoid casting from "const T&" to "void*"
+Subject: [PATCH 12/14] Avoid casting from "const T&" to "void*"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -15,14 +15,14 @@ is coming from the const or not.
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
---
- src/server/main/include/service-thread.h | 43 ++++++++++--------------
- 1 file changed, 18 insertions(+), 25 deletions(-)
+ src/server/main/include/service-thread.h | 42 ++++++++++--------------
+ 1 file changed, 18 insertions(+), 24 deletions(-)
diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h
-index 964d168..92b0ec8 100644
+index 964d168..61fdda8 100644
--- a/src/server/main/include/service-thread.h
+++ b/src/server/main/include/service-thread.h
-@@ -9,78 +94,72 @@ public:
+@@ -94,7 +94,7 @@ public:
Join();
while (!m_eventQueue.empty()){
auto front = m_eventQueue.front();
@@ -31,9 +31,7 @@ index 964d168..92b0ec8 100644
m_eventQueue.pop();
}
}
-
- template <class T>
- void Event(const T &event,
+@@ -104,34 +104,28 @@ public:
Service *servicePtr,
void (Service::*serviceFunction)(const T &))
{
@@ -59,30 +57,27 @@ index 964d168..92b0ec8 100644
- Service *servicePtr;
- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event);
- GenericEvent* eventPtr;
-- };
--
-- template <class T>
++ struct EventCallerBase {
++ virtual void fire() = 0;
++ virtual ~EventCallerBase() {}
+ };
+
+ template <class T>
- void EventCall(const EventDescription &desc) {
- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr);
- const T& eventLocale = *(static_cast<T*>(desc.eventPtr));
- (desc.servicePtr->*fun)(eventLocale);
- }
-+ struct EventCallerBase {
-+ virtual void fire() = 0;
-+ virtual ~EventCallerBase() {}
-+ };
-
-+ template <class T>
+ struct EventCaller : public EventCallerBase {
+ T *event; Service *target; void (Service::*function)(const T&);
+ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {}
+ ~EventCaller() { delete event; }
+ void fire() { (target->*function)(*event); }
+ };
-+
+
static void ThreadLoopStatic(ServiceThread *ptr) {
ptr->ThreadLoop();
- }
+@@ -139,33 +133,33 @@ protected:
void ThreadLoop(){
for (;;) {
@@ -123,5 +118,5 @@ index 964d168..92b0ec8 100644
State m_state;
--
-2.17.2
+2.21.0
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch
index 4baea657..fb621592 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch
@@ -1,33 +1,96 @@
-From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001
+From 6c96a39ba7a7763ccd47e379dbfd8d376164985f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Mon, 16 Nov 2015 14:26:25 +0100
-Subject: [PATCH] Removing tizen-platform-config
+Subject: [PATCH 13/14] Removing tizen-platform-config
Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121
---
- policy/security-manager-policy-reload | 2 +-
- src/common/file-lock.cpp | 4 +---
- src/common/include/file-lock.h | 1 -
- src/common/include/privilege_db.h | 3 +--
- src/common/service_impl.cpp | 39 +++++++++++------------------------
- src/common/smack-rules.cpp | 12 ++++-------
- 6 files changed, 19 insertions(+), 42 deletions(-)
+ CMakeLists.txt | 16 +++++++-
+ db/CMakeLists.txt | 2 +-
+ policy/CMakeLists.txt | 1 +
+ ...load => security-manager-policy-reload.in} | 4 +-
+ src/common/file-lock.cpp | 4 +-
+ src/common/include/file-lock.h | 1 -
+ src/common/include/privilege_db.h | 3 +-
+ src/common/service_impl.cpp | 39 ++++++-------------
+ src/common/smack-rules.cpp | 12 ++----
+ 9 files changed, 37 insertions(+), 45 deletions(-)
+ rename policy/{security-manager-policy-reload => security-manager-policy-reload.in} (94%)
-diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
-index 6f211c6..ed8047a 100755
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 28790d8..37a43cc 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -49,7 +49,7 @@ ADD_DEFINITIONS("-Wall") # Generate all warnings
+ ADD_DEFINITIONS("-Wextra") # Generate even more extra warnings
+
+ STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}")
+-ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"")
++ADD_DEFINITIONS("-DAPI_VERSION=\"${API_VERSION}\"")
+
+ ADD_DEFINITIONS("-DSMACK_ENABLED")
+
+@@ -58,6 +58,20 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
+ ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG")
+ ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
+
++SET(DATADIR "/usr/share/security-manager" CACHE STRING "path to data directory")
++SET(SMACKRULESDIR "/etc/smack/accesses.d" CACHE STRING "path to Smack rules directory")
++SET(LOCKDIR "/var/run/lock" CACHE STRING "path to lock directory")
++SET(DB_INSTALL_DIR "/var/db/security-manager" CACHE STRING "path to database directory")
++SET(DB_FILENAME ".security-manager.db" CACHE STRING "basename of database")
++SET(GLOBALUSER "userapp" CACHE STRING "name of the global user")
++
++ADD_DEFINITIONS("-DDATADIR=\"${DATADIR}\"")
++ADD_DEFINITIONS("-DSMACKRULESDIR=\"${SMACKRULESDIR}\"")
++ADD_DEFINITIONS("-DLOCKDIR=\"${LOCKDIR}\"")
++ADD_DEFINITIONS("-DDB_INSTALL_DIR=\"${DB_INSTALL_DIR}\"")
++ADD_DEFINITIONS("-DDB_FILENAME=\"${DB_FILENAME}\"")
++ADD_DEFINITIONS("-DGLOBALUSER=\"${GLOBALUSER}\"")
++
+ ADD_SUBDIRECTORY(src)
+ ADD_SUBDIRECTORY(pc)
+ ADD_SUBDIRECTORY(systemd)
+diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt
+index 9e8ffcc..d7af1a0 100644
+--- a/db/CMakeLists.txt
++++ b/db/CMakeLists.txt
+@@ -1,4 +1,4 @@
+-SET(TARGET_DB ".security-manager.db")
++SET(TARGET_DB "$(DB_FILENAME)")
+
+ ADD_CUSTOM_COMMAND(
+ OUTPUT ${TARGET_DB} ${TARGET_DB}-journal
+diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt
+index bd08edc..626a2bd 100644
+--- a/policy/CMakeLists.txt
++++ b/policy/CMakeLists.txt
+@@ -1,4 +1,5 @@
+ FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile)
++CONFIGURE_FILE(security-manager-policy-reload.in security-manager-policy-reload @ONLY)
+ INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+ INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+ INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload.in
+similarity index 94%
+rename from policy/security-manager-policy-reload
+rename to policy/security-manager-policy-reload.in
+index 6f211c6..c1bc4e2 100755
--- a/policy/security-manager-policy-reload
-+++ b/policy/security-manager-policy-reload
-@@ -2,7 +2,7 @@
++++ b/policy/security-manager-policy-reload.in
+@@ -1,8 +1,8 @@
+ #!/bin/sh -e
- POLICY_PATH=/usr/share/security-manager/policy
+-POLICY_PATH=/usr/share/security-manager/policy
++POLICY_PATH=@DATADIR@/policy
PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
-+DB_FILE=/usr/dbspace/.security-manager.db
++DB_FILE=@DB_INSTALL_DIR@/@DB_FILENAME@
# Create default buckets
while read bucket default_policy
diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp
-index 6f3996c..1dada17 100644
+index 6f3996c..88d2092 100644
--- a/src/common/file-lock.cpp
+++ b/src/common/file-lock.cpp
@@ -30,9 +30,7 @@
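Review bot: The new `SET(TARGET_DB "$(DB_FILENAME)")` in db/CMakeLists.txt uses make-style `$(...)`, which CMake does not expand. This is the same mistake the patch corrects for API_VERSION in the top-level CMakeLists.txt, and it should read `SET(TARGET_DB "${DB_FILENAME}")`. As written, the OUTPUT and INSTALL lines that use `${TARGET_DB}` receive the literal text, so the generated database would presumably not get the name that `PRIVILEGE_DB_PATH` and the policy-reload script build from DB_FILENAME. Patch 0014 later removes the line, but each patch in the series should configure correctly on its own.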
@@ -37,7 +100,7 @@ index 6f3996c..1dada17 100644
-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN,
- "lock",
- "security-manager.lock");
-+char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock";
++char const * const SERVICE_LOCK_FILE = LOCKDIR "/security-manager.lock";
FileLocker::FileLocker(const std::string &lockFile, bool blocking)
{
@@ -54,11 +117,11 @@ index 604b019..21a86a0 100644
namespace SecurityManager {
diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
-index 4d73d90..03c6680 100644
+index 08fb9d6..3344987 100644
--- a/src/common/include/privilege_db.h
+++ b/src/common/include/privilege_db.h
-@@ -34,14 +34,13 @@
- #include <string>
+@@ -35,14 +35,13 @@
+ #include <vector>
#include <dpl/db/sql_connection.h>
-#include <tzplatform_config.h>
@@ -69,12 +132,12 @@ index 4d73d90..03c6680 100644
namespace SecurityManager {
-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db");
-+const char *const PRIVILEGE_DB_PATH = "/usr/dbspace/.security-manager.db";
++const char *const PRIVILEGE_DB_PATH = DB_INSTALL_DIR "/" DB_FILENAME;
enum class QueryType {
EGetPkgPrivileges,
diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
-index ae305d3..65cc8b5 100644
+index ae305d3..42150fe 100644
--- a/src/common/service_impl.cpp
+++ b/src/common/service_impl.cpp
@@ -32,7 +32,6 @@
@@ -94,7 +157,7 @@ index ae305d3..65cc8b5 100644
+ if (!globaluid) {
+ struct passwd pw, *p;
+ char buf[4096];
-+ int rc = getpwnam_r("userapp", &pw, buf, sizeof buf, &p);
++ int rc = getpwnam_r(GLOBALUSER, &pw, buf, sizeof buf, &p);
+ globaluid = (rc || p == NULL) ? 555 : p->pw_uid;
+ }
return globaluid;
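Review bot: A failed lookup of GLOBALUSER silently becomes uid 555 in `globaluid = (rc || p == NULL) ? 555 : p->pw_uid;`. Now that the account name is a build-time option, a misspelt or missing account is more likely than with the fixed "userapp", and whichever account holds uid 555 on the image would then be treated as the global user. At minimum, log the failure together with `rc` before falling back; failing the request would be the safer default. The enclosing function starts and ends outside the hunk, so how callers use the value is not visible here.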
@@ -144,7 +207,7 @@ index ae305d3..65cc8b5 100644
std::stringstream correctPath;
diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
-index d834e42..8b5728b 100644
+index 922a56f..c2e0041 100644
--- a/src/common/smack-rules.cpp
+++ b/src/common/smack-rules.cpp
@@ -34,7 +34,6 @@
@@ -160,7 +223,7 @@ index d834e42..8b5728b 100644
const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~";
const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~";
-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack");
-+const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack";
++const char *const APP_RULES_TEMPLATE_FILE_PATH = DATADIR "/policy/app-rules-template.smack";
const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat";
SmackRules::SmackRules()
@@ -170,14 +233,14 @@ index d834e42..8b5728b 100644
{
- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str()));
- return path;
-+ return "/etc/smack/accesses.d/pkg_" + pkgId;
++ return SMACKRULESDIR "/pkg_" + pkgId;
}
std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
{
- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
- return path;
-+ return "/etc/smack/accesses.d/app_" + appId;
++ return SMACKRULESDIR "/app_" + appId;
}
void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
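Review bot: `pkgId` and `appId` are appended to SMACKRULESDIR with no check in these lines (`return SMACKRULESDIR "/pkg_" + pkgId;`), so an identifier containing a path separator could resolve outside the rules directory. The same applies to `privilege` in `DATADIR "/policy/" + privilege + "-template.smack"` in the next hunk. Validation may happen in callers that are not shown; if it does not, reject identifiers containing `/` before building the path. A comment on each function stating the assumption, e.g. `// pkgId must be a validated identifier without '/'`, would make the contract explicit.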
@@ -187,10 +250,10 @@ index d834e42..8b5728b 100644
continue;
- std::string fprivilege ( privilege + "-template.smack");
- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
-+ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack";
- if( stat(path.c_str(), &buffer) == 0)
++ std::string path = DATADIR "/policy/" + privilege + "-template.smack";
+ if( stat(path.c_str(), &buffer) == 0)
smackRules.addFromTemplateFile(appId, pkgId, path);
}
--
-2.1.4
+2.21.0
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch
new file mode 100644
index 00000000..542a387d
--- /dev/null
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch
@@ -0,0 +1,78 @@
+From c7f9d14e38a1b6d40b2fffa01433a3025eff9abd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Tue, 26 Nov 2019 12:34:39 +0100
+Subject: [PATCH 14/14] Ensure post install initialization of database
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Creation of the database was made during image creation,
+leading to issue with SOTA. This adds the creation on
+need before launching the service.
+
+Change-Id: Idfd0676bd87d39f7c10eaafd63f3a318f675c972
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ db/CMakeLists.txt | 14 ++++++--------
+ db/security-manager-setup | 14 ++++++++++++++
+ systemd/security-manager.service.in | 1 +
+ 3 files changed, 21 insertions(+), 8 deletions(-)
+ create mode 100644 db/security-manager-setup
+
+diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt
+index d7af1a0..dcf5bc8 100644
+--- a/db/CMakeLists.txt
++++ b/db/CMakeLists.txt
+@@ -1,12 +1,10 @@
+-SET(TARGET_DB "$(DB_FILENAME)")
+-
+ ADD_CUSTOM_COMMAND(
+- OUTPUT ${TARGET_DB} ${TARGET_DB}-journal
+- COMMAND sqlite3 ${TARGET_DB} <db.sql
+- )
++ OUTPUT .security-manager-setup
++ COMMAND sed '/--DB\.SQL--/r db.sql' security-manager-setup > .security-manager-setup
++ DEPENDS security-manager-setup db.sql
++)
+
+ # Add a dummy build target to trigger building of ${TARGET_DB}
+-ADD_CUSTOM_TARGET(DB ALL DEPENDS ${TARGET_DB})
++ADD_CUSTOM_TARGET(DB ALL DEPENDS .security-manager-setup)
+
+-INSTALL(FILES ${TARGET_DB} DESTINATION ${DB_INSTALL_DIR})
+-INSTALL(FILES ${TARGET_DB}-journal DESTINATION ${DB_INSTALL_DIR})
++INSTALL(PROGRAMS .security-manager-setup DESTINATION ${BIN_INSTALL_DIR})
+diff --git a/db/security-manager-setup b/db/security-manager-setup
+new file mode 100644
+index 0000000..5675baf
+--- /dev/null
++++ b/db/security-manager-setup
+@@ -0,0 +1,14 @@
++#!/bin/sh
++
++if test -f "$1"; then exit; fi
++set -e
++dbdir="$(dirname "$1")"
++dbfile="$(basename "$1")"
++test -n "$dbfile"
++test -n "$dbdir"
++mkdir -p "$dbdir"
++cd "$dbdir"
++sqlite3 "$dbfile" << END-OF-CAT
++--DB.SQL--
++END-OF-CAT
++
+diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in
+index 23fd1b2..2bf97d7 100644
+--- a/systemd/security-manager.service.in
++++ b/systemd/security-manager.service.in
+@@ -3,5 +3,6 @@ Description=Start the security manager
+
+ [Service]
+ Type=notify
++ExecStartPre=@BIN_INSTALL_DIR@/.security-manager-setup @DB_INSTALL_DIR@/@DB_FILENAME@
+ ExecStart=@BIN_INSTALL_DIR@/security-manager
+ Sockets=security-manager.socket
+--
+2.21.0
+
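Review bot: A failed or interrupted first run of security-manager-setup leaves a partial database that every later start accepts, because sqlite3 writes straight to the final path and the only guard is `test -f "$1"`. Build the database in a temporary file in the same directory and rename it into place only on success. The here-document delimiter is also unquoted, so the db.sql text spliced in by sed undergoes shell expansion before sqlite3 reads it; quote it as `<< 'END-OF-CAT'`. The script sets no umask, so the modes of the directory and database file depend on the service environment, and the intended mode should be stated or set explicitly.

```shell
# … unchanged: existence check, set -e, dbdir/dbfile derivation, mkdir -p, cd …
tmpdb="$dbfile.tmp.$$"
trap 'rm -f "$tmpdb"' EXIT
sqlite3 "$tmpdb" << 'END-OF-CAT'
--DB.SQL--
END-OF-CAT
mv -f "$tmpdb" "$dbfile"
```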
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
new file mode 100644
index 00000000..d9949193
--- /dev/null
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
@@ -0,0 +1,34 @@
+From 7cffcd61378a9d7c0e7db5691b2da3a37448c969 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 30 Jan 2020 09:19:25 +0100
+Subject: [PATCH 15/15] Restrict socket accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure that only members of the group and the owner can access
+the security manager.
+
+Bug-AGL: SPEC-3146
+
+Change-Id: I68ce6523db4bfd4707c3680555c3cb0cf8858ef2
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ systemd/security-manager.socket | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket
+index af1c1da..b401f77 100644
+--- a/systemd/security-manager.socket
++++ b/systemd/security-manager.socket
+@@ -1,6 +1,6 @@
+ [Socket]
+ ListenStream=/run/security-manager.socket
+-SocketMode=0777
++SocketMode=0660
+ SmackLabelIPIn=*
+ SmackLabelIPOut=@
+
+--
+2.21.1
+
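Review bot: `SocketMode=0660` limits access to the socket's owner and group, but the visible lines of the unit set neither `SocketUser=` nor `SocketGroup=`, and systemd then creates the socket node owned by root:root. In that case only root can connect, and the "members of the group" in the commit message has no effect. If group access is intended, add `SocketGroup=<group-allowed-to-call-security-manager>` next to the mode and make sure the recipe creates that group. Only lines 1–6 of the unit are in the hunk, so an ownership setting further down cannot be ruled out. It is also worth confirming that any non-root clients of the socket are members of that group, since they could connect under 0777.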
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch
deleted file mode 100644
index 33fbc025..00000000
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: José Bollo <jose.bollo@iot.bzh>
-Date: Tue, 30 Oct 2015 14:32:03 -0100
-Subject: [PATCH] include linux xattr
-
-adds a #include <linux/xattr.h> in source.
-
----
- src/client/client-security-manager.cpp | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
-index 74a6b30..641790b 100644
---- a/src/client/client-security-manager.cpp
-+++ b/src/client/client-security-manager.cpp
-@@ -34,6 +34,7 @@
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <sys/xattr.h>
-+#include <linux/xattr.h>
- #include <sys/smack.h>
- #include <sys/capability.h>
-
---
-2.1.4
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch
deleted file mode 100644
index a948343f..00000000
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: José Bollo <jose.bollo@iot.bzh>
-Date: Tue, 30 Oct 2015 14:32:03 -0100
-Subject: [PATCH] libcap without pkgconfig
-
-Handles libcap that isn't distributed for pkg-config
-
----
- src/client/CMakeLists.txt | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/client/CMakeLists.txt b/src/client/CMakeLists.txt
-index 5399a55..0250ce2 100644
---- a/src/client/CMakeLists.txt
-+++ b/src/client/CMakeLists.txt
-@@ -1,7 +1,6 @@
- PKG_CHECK_MODULES(CLIENT_DEP
- REQUIRED
- libsmack
-- libcap
- )
-
- SET(CLIENT_VERSION_MAJOR 1)
-@@ -37,6 +36,7 @@ SET_TARGET_PROPERTIES(${TARGET_CLIENT}
- TARGET_LINK_LIBRARIES(${TARGET_CLIENT}
- ${TARGET_COMMON}
- ${CLIENT_DEP_LIBRARIES}
-+ cap
- )
-
- INSTALL(TARGETS ${TARGET_CLIENT} DESTINATION ${LIB_INSTALL_DIR})
---
-2.1.4
diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-agl/meta-security/recipes-security/security-manager/security-manager_git.bb
index 3cbc3aea..b3497351 100644
--- a/meta-agl/meta-security/recipes-security/security-manager/security-manager_git.bb
+++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager_git.bb
@@ -6,32 +6,21 @@ SRC_URI += "git://github.com/Samsung/security-manager.git"
S = "${WORKDIR}/git"
SRC_URI += " \
-file://systemd-stop-using-compat-libs.patch \
-file://security-manager-policy-reload-do-not-depend-on-GNU-.patch \
-file://0001-Smack-rules-create-two-new-functions.patch \
-file://0002-app-install-implement-multiple-set-of-smack-rules.patch \
-file://c-11-replace-depracated-auto_ptr.patch \
-file://socket-manager-removes-tizen-specific-call.patch \
-file://Removing-tizen-platform-config.patch \
-file://removes-dependency-to-libslp-db-utils.patch \
-file://0001-Fix-gcc8-warning-error-Werror-catch-value.patch \
-file://0001-Avoid-casting-from-const-T-to-void.patch \
-"
-
-##########################################
-# This are patches for backward compatibility to the version dizzy of poky.
-# The dizzy version of libcap isn't providing a packconfig file.
-# This is solved by the patch libcap-without-pkgconfig.patch.
-# But after solving that issue, it appears that linux/xattr.h should
-# also be include add definitions of XATTR_NAME_SMACK... values.
-# Unfortunately, there is no explanation why linux/xattr.h should
-# also be included (patch include-linux-xattr.patch)
-##########################################
-do_patch[depends] = "libcap:do_populate_sysroot"
-APPLY = "${@str('no' if os.path.exists('${STAGING_LIBDIR}/pkgconfig/libcap.pc') else 'yes')}"
-SRC_URI += "\
- file://libcap-without-pkgconfig.patch;apply=${APPLY} \
- file://include-linux-xattr.patch;apply=${APPLY} \
+ file://0001-systemd-stop-using-compat-libs.patch \
+ file://0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch \
+ file://0003-Smack-rules-create-two-new-functions.patch \
+ file://0004-app-install-implement-multiple-set-of-smack-rules.patch \
+ file://0005-c-11-replace-deprecated-auto_ptr.patch \
+ file://0006-socket-manager-removes-tizen-specific-call.patch \
+ file://0007-removes-dependency-to-libslp-db-utils.patch \
+ file://0008-Fix-gcc6-build.patch \
+ file://0009-Fix-Cmake-conf-for-gcc6-build.patch \
+ file://0010-gcc-7-requires-include-functional-for-std-function.patch \
+ file://0011-Fix-gcc8-warning-error-Werror-catch-value.patch \
+ file://0012-Avoid-casting-from-const-T-to-void.patch \
+ file://0013-Removing-tizen-platform-config.patch \
+ file://0014-Ensure-post-install-initialization-of-database.patch \
+ file://0015-Restrict-socket-accesses.patch \
"
# Use make with cmake and not ninja