diff options
Diffstat (limited to 'meta-agl/meta-security')
73 files changed, 12090 insertions, 0 deletions
diff --git a/meta-agl/meta-security/COPYING.MIT b/meta-agl/meta-security/COPYING.MIT new file mode 100644 index 00000000..89de3547 --- /dev/null +++ b/meta-agl/meta-security/COPYING.MIT @@ -0,0 +1,17 @@ +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/meta-agl/meta-security/README.md b/meta-agl/meta-security/README.md new file mode 100644 index 00000000..0bae9f3f --- /dev/null +++ b/meta-agl/meta-security/README.md @@ -0,0 +1,31 @@ +This README file contains information on the contents of the +meta-security layer. + +Please see the corresponding sections below for details. + + +Dependencies +============ + +This layer depends on: + + URI: git://git.openembedded.org/bitbake + branch: master + + URI: git://git.openembedded.org/openembedded-core + layers: meta + branch: master + + URI: git://git.yoctoproject.org/meta-security + branch: master + + +Patches +======= + +Please submit any patches against the meta-security layer via gerrit +reviews. + +For discussion use the discussion mailing list +mailto:automotive-discussions@lists.linuxfoundation.org + diff --git a/meta-agl/meta-security/conf/layer.conf b/meta-agl/meta-security/conf/layer.conf new file mode 100644 index 00000000..16dae398 --- /dev/null +++ b/meta-agl/meta-security/conf/layer.conf @@ -0,0 +1,14 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH =. "${LAYERDIR}:" + +# We have a packages directory, add to BBFILES +BBFILES += " ${LAYERDIR}/recipes-*/*/*.bb \ + ${LAYERDIR}/recipes-*/*/*.bbappend \ + " + +# Must prioritize our rpm recipe over the default ones. +BBFILE_COLLECTIONS += "security-smack" +BBFILE_PATTERN_security-smack := "^${LAYERDIR}/" +BBFILE_PRIORITY_security-smack = "60" + +LAYERSERIES_COMPAT_security-smack = "thud" diff --git a/meta-agl/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend b/meta-agl/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend new file mode 100644 index 00000000..3767681b --- /dev/null +++ b/meta-agl/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend @@ -0,0 +1,55 @@ +# Recent bluez5 releases started limiting the capabilities of +# bluetoothd. When running on a Smack-enabled system, that change has the +# effect that bluetoothd can no longer create the input device under +# /sys because bluez5 running with label "System" has no write +# access to that. +# +# It works when running as normal root with unrestricted capabilities +# because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows +# the process to ignore Smack rules. +# +# We need to ensure that bluetoothd still has that capability. +# +# To fix the issue, Patick and Casey(the Smack architect) had a talk +# about it in Ostro dev mail list. Casey has some ideas about the issue: +# "Turning off privilege is a great thing to do *so long as you don't +# really need the privilege*. In this case you really need it. +# The application package isn't written to account for Smack's use of +# CAP_MAC_OVERRIDE as the mechanism for controlling this dangerous operation. +# Yes, it would be possible to change /proc to change the Smack label on +# that particular file, but that might open other paths for exploit. +# I say give the program the required capability. The program maintainer +# may well say change the kernel handling of /proc. You're stuck in the +# middle, as both work the way they're intended and hence the system +# doesn't work. :( There isn't a way to make this work without "loosening" +# something." +# Therefore, when we we run the program with CAP_MAC_OVERRIDE, +# the whole reason for having capabilities is so the we can give a +# process the ability to bypass one kind of check without giving it the +# ability to bypass other, unrelated checks. A process with +# CAP_MAC_OVERRIDE is still constrained by the file mode bits. +# We was overly worried about granting that capability. +# When it has no other effect than excluding a process from Smack MAC enforcement, +# then adding to the process seems like the right solution for now. +# +# The conclusion from Patick and Casey is that the Smack architect give the key point +# that this is the solution preferred. +# +# Because the solution is to some extend specific to the environment +# in which connmand runs, this change is not submitted upstream +# and it can be overridden by a distro via FIX_BLUEZ5_CAPABILITIES. +# +# The related patch has been submitted to upstream too. +# upstream link: http://permalink.gmane.org/gmane.linux.bluez.kernel/67993 + +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI_append_with-lsm-smack = "\ + file://bluetooth.service.conf \ +" + +FILES_${PN} += "${systemd_unitdir}" + +do_install_append_with-lsm-smack() { + install -Dm0644 ${WORKDIR}/bluetooth.service.conf ${D}${systemd_unitdir}/system/bluetooth.service.d/smack.conf +} diff --git a/meta-agl/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf b/meta-agl/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf new file mode 100644 index 00000000..b93ab4fe --- /dev/null +++ b/meta-agl/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf @@ -0,0 +1,2 @@ +[Service] +CapabilityBoundingSet=CAP_MAC_OVERRIDE diff --git a/meta-agl/meta-security/recipes-connectivity/connman/connman_%.bbappend b/meta-agl/meta-security/recipes-connectivity/connman/connman_%.bbappend new file mode 100644 index 00000000..3b010490 --- /dev/null +++ b/meta-agl/meta-security/recipes-connectivity/connman/connman_%.bbappend @@ -0,0 +1,34 @@ +# Recent ConnMan releases started limiting the capabilities of +# ConnMan. When running on a Smack-enabled system, that change has the +# effect that connmand can no longer change network settings under +# /proc/net because the Smack label of /proc is "_", and connmand +# running with label "System" has no write access to that. +# +# It works when running as normal root with unrestricted capabilities +# because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows +# the process to ignore Smack rules. +# +# We need to ensure that connmand still has that capability. +# +# The alternative would be to set up fine-grained labelling of +# /proc with corresponding rules, which is considerably more work +# and also may depend on kernel changes (like supporting smackfsroot +# for procfs, which seems to be missing at the moment). +# +# Because the solution is to some extend specific to the environment +# in which connmand runs, this change is not submitted upstream +# and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES. + +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI_append_with-lsm-smack = "\ + file://connman.service.conf \ +" + +RDEPENDS_${PN}_append_with-lsm-smack = " smack" + +FILES_${PN} += "${systemd_unitdir}" + +do_install_append_with-lsm-smack() { + install -Dm0644 ${WORKDIR}/connman.service.conf ${D}${systemd_unitdir}/system/connman.service.d/smack.conf +} diff --git a/meta-agl/meta-security/recipes-connectivity/connman/files/connman.service.conf b/meta-agl/meta-security/recipes-connectivity/connman/files/connman.service.conf new file mode 100644 index 00000000..6ebbf6ad --- /dev/null +++ b/meta-agl/meta-security/recipes-connectivity/connman/files/connman.service.conf @@ -0,0 +1,4 @@ +[Service] +CapabilityBoundingSet=CAP_MAC_OVERRIDE +ExecStartPre=+-/bin/mkdir -p /run/connman +ExecStartPre=+-/usr/bin/chsmack -t -a System::Shared /run/connman diff --git a/meta-agl/meta-security/recipes-core/base-files/base-files_%.bbappend b/meta-agl/meta-security/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 00000000..f0e340f5 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/base-files/base-files_%.bbappend @@ -0,0 +1,79 @@ +# Install default Smack rules, copied from a running Tizen IVI 3.0. +# Corresponds to manifest file from default-access-domains in Tizen: +# https://review.tizen.org/git?p=platform/core/security/default-ac-domains.git;a=blob;f=packaging/default-ac-domains.manifest +do_install_append_with-lsm-smack () { + install -d ${D}/${sysconfdir}/smack/accesses.d + cat >${D}/${sysconfdir}/smack/accesses.d/default-access-domains <<EOF +System _ -----l +System System::Log rwxa-- +System System::Run rwxat- +System System::Shared rwxat- +System ^ rwxa-- +_ System::Run rwxat- +_ System -wx--- +^ System::Log rwxa-- +^ System::Run rwxat- +^ System rwxa-- +EOF + chmod 0644 ${D}/${sysconfdir}/smack/accesses.d/default-access-domains + + install -d ${D}/${libdir}/tmpfiles.d + cat >${D}/${libdir}/tmpfiles.d/packet-forwarding.conf <<EOF +t /proc/sys/net/ipv4/conf/all/forwarding - - - - security.SMACK64=* +t /proc/sys/net/ipv6/conf/all/forwarding - - - - security.SMACK64=* +t /proc/sys/net/ipv4/conf/default/forwarding - - - - security.SMACK64=* +t /proc/sys/net/ipv6/conf/default/forwarding - - - - security.SMACK64=* +EOF + chmod 0644 ${D}/${libdir}/tmpfiles.d/packet-forwarding.conf + + install -d ${D}/${base_libdir}/udev/rules.d + cat >${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules <<EOF +SUBSYSTEM=="net", ENV{ID_NET_NAME}=="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/%k/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/%k/*'" + +SUBSYSTEM=="net", ENV{ID_NET_NAME}!="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/\$env{ID_NET_NAME}/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/\$env{ID_NET_NAME}/*'" +EOF + chmod 0644 ${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules +} + +# Do not rely on an rpm with manifest support. Apparently that approach +# will no longer be used in Tizen 3.0. Instead set special Smack attributes +# via postinst. This is much easier to use with bitbake, too: +# - no need to maintain a patched rpm +# - works for directories which are not packaged by default when empty +RDEPENDS_${PN}_append_with-lsm-smack = " smack" +DEPENDS_append_with-lsm-smack = " smack-native" +pkg_postinst_${PN}_with-lsm-smack() { + #!/bin/sh -e + + # https://review.tizen.org/gerrit/gitweb?p=platform/upstream/filesystem.git;a=blob;f=packaging/filesystem.manifest: + # <filesystem path="/etc" label="System::Shared" type="transmutable" /> + install -d $D${sysconfdir} + # This has no effect on files installed into /etc during image construction + # because pseudo does not know the special semantic of SMACK::TRANSMUTE. + # To avoid having different xattrs on files inside /etc when pre-installed + # in an image vs. installed on a device, the xattr-images.bbclass has + # a workaround for this deficiency in pseudo. + chsmack -t $D${sysconfdir} + chsmack -a 'System::Shared' $D${sysconfdir} + + # Same for /media. Any daemon running as "System" will get write access + # to everything. + install -d $D/media + chsmack -t $D/media + chsmack -a 'System::Shared' $D/media + + # Same for /var. Any daemon running as "System" will get write access + # to everything. + install -d $D${localstatedir} + chsmack -t $D${localstatedir} + chsmack -a 'System::Shared' $D${localstatedir} + + # <filesystem path="/tmp" label="*" /> + mkdir -p $D/tmp + chsmack -a '*' $D/tmp + + # <filesystem path="/var/log" label="System::Log" type="transmutable" /> + # <filesystem path="/var/tmp" label="*" /> + # These are in a file system mounted by systemd. We patch the systemd service + # to set these attributes. +} diff --git a/meta-agl/meta-security/recipes-core/coreutils/coreutils_%.bbappend b/meta-agl/meta-security/recipes-core/coreutils/coreutils_%.bbappend new file mode 100644 index 00000000..ceaf6a29 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/coreutils/coreutils_%.bbappend @@ -0,0 +1,7 @@ +# Smack patches are included in coreutils v8.22, we just need to enable them. +# The default is not deterministic (enabled if libsmack found), so disable +# explicitly otherwise. +EXTRA_OECONF_SMACK = "--disable-libsmack" +EXTRA_OECONF_SMACK_with-lsm-smack = "--enable-libsmack" +EXTRA_OECONF_append = " ${EXTRA_OECONF_SMACK}" +DEPENDS_append_with-lsm-smack = " smack" diff --git a/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch new file mode 100644 index 00000000..3dbfa8a8 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch @@ -0,0 +1,2232 @@ +From 6c498a9b0f4122d1ac49d603f9968b6d85830cdb Mon Sep 17 00:00:00 2001 +From: Jacek Bukarewicz <j.bukarewicz@samsung.com> +Date: Thu, 27 Nov 2014 18:11:05 +0100 +Subject: Integration of Cynara asynchronous security checks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit introduces basic framework for asynchronous policy +checks and Cynara integration code. Functions for checking security +policy can now return third value - BUS_RESULT_LATER denoting check +result unavailability. Whenever policy checker cannot decide on the +result of the check it is supposed to allocate DeferredMessage structure +that will be passed to the upper layers which can decide what should be +done in such situation. +Proper handling of such case will be implemented in subsequent commits. +Currently such return value results in message denial. + +Cherry picked from 4dcfb02f17247ff9de966b62182cd2e08f301238 +by José Bollo. + +Updated for dbus 1.10.20 by Scott Murray and José Bollo + +Change-Id: I9bcbce34577e5dc2a3cecf6233a0a2b0e43e1108 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +Signed-off-by: Scott Murray <scott.murray@konsulko.com> + +diff --git a/bus/Makefile.am b/bus/Makefile.am +index 9ae3071..46afb31 100644 +--- a/bus/Makefile.am ++++ b/bus/Makefile.am +@@ -13,6 +13,7 @@ DBUS_BUS_LIBS = \ + $(THREAD_LIBS) \ + $(ADT_LIBS) \ + $(NETWORK_libs) \ ++ $(CYNARA_LIBS) \ + $(NULL) + + DBUS_LAUNCHER_LIBS = \ +@@ -30,6 +31,7 @@ AM_CPPFLAGS = \ + $(APPARMOR_CFLAGS) \ + -DDBUS_SYSTEM_CONFIG_FILE=\""$(dbusdatadir)/system.conf"\" \ + -DDBUS_COMPILATION \ ++ $(CYNARA_CFLAGS) \ + $(NULL) + + # if assertions are enabled, improve backtraces +@@ -90,6 +92,8 @@ BUS_SOURCES= \ + audit.h \ + bus.c \ + bus.h \ ++ check.c \ ++ check.h \ + config-loader-expat.c \ + config-parser.c \ + config-parser.h \ +@@ -97,6 +101,8 @@ BUS_SOURCES= \ + config-parser-common.h \ + connection.c \ + connection.h \ ++ cynara.c \ ++ cynara.h \ + desktop-file.c \ + desktop-file.h \ + $(DIR_WATCH_SOURCE) \ +diff --git a/bus/activation.c b/bus/activation.c +index 6f009f5..f8a02eb 100644 +--- a/bus/activation.c ++++ b/bus/activation.c +@@ -1788,14 +1788,15 @@ bus_activation_activate_service (BusActivation *activation, + + if (auto_activation && + entry != NULL && +- !bus_context_check_security_policy (activation->context, ++ BUS_RESULT_TRUE != bus_context_check_security_policy (activation->context, + transaction, + connection, /* sender */ + NULL, /* addressed recipient */ + NULL, /* proposed recipient */ + activation_message, + entry, +- error)) ++ error, ++ NULL)) + { + _DBUS_ASSERT_ERROR_IS_SET (error); + _dbus_verbose ("activation not authorized: %s: %s\n", +diff --git a/bus/bus.c b/bus/bus.c +index 30ce4e1..237efe3 100644 +--- a/bus/bus.c ++++ b/bus/bus.c +@@ -38,6 +38,7 @@ + #include "apparmor.h" + #include "audit.h" + #include "dir-watch.h" ++#include "check.h" + #include <dbus/dbus-auth.h> + #include <dbus/dbus-list.h> + #include <dbus/dbus-hash.h> +@@ -67,6 +68,7 @@ struct BusContext + BusRegistry *registry; + BusPolicy *policy; + BusMatchmaker *matchmaker; ++ BusCheck *check; + BusLimits limits; + DBusRLimit *initial_fd_limit; + unsigned int fork : 1; +@@ -1003,6 +1005,10 @@ bus_context_new (const DBusString *config_file, + parser = NULL; + } + ++ context->check = bus_check_new(context, error); ++ if (context->check == NULL) ++ goto failed; ++ + dbus_server_free_data_slot (&server_data_slot); + + return context; +@@ -1127,6 +1133,12 @@ bus_context_unref (BusContext *context) + + bus_context_shutdown (context); + ++ if (context->check) ++ { ++ bus_check_unref(context->check); ++ context->check = NULL; ++ } ++ + if (context->connections) + { + bus_connections_unref (context->connections); +@@ -1256,6 +1268,12 @@ bus_context_get_loop (BusContext *context) + return context->loop; + } + ++BusCheck* ++bus_context_get_check (BusContext *context) ++{ ++ return context->check; ++} ++ + dbus_bool_t + bus_context_allow_unix_user (BusContext *context, + unsigned long uid) +@@ -1451,6 +1469,7 @@ complain_about_message (BusContext *context, + DBusConnection *proposed_recipient, + dbus_bool_t requested_reply, + dbus_bool_t log, ++ const char *privilege, + DBusError *error) + { + DBusError stack_error = DBUS_ERROR_INIT; +@@ -1480,7 +1499,8 @@ complain_about_message (BusContext *context, + dbus_set_error (&stack_error, error_name, + "%s, %d matched rules; type=\"%s\", sender=\"%s\" (%s) " + "interface=\"%s\" member=\"%s\" error name=\"%s\" " +- "requested_reply=\"%d\" destination=\"%s\" (%s)", ++ "requested_reply=\"%d\" destination=\"%s\" (%s) " ++ "privilege=\"%s\"", + complaint, + matched_rules, + dbus_message_type_to_string (dbus_message_get_type (message)), +@@ -1491,7 +1511,8 @@ complain_about_message (BusContext *context, + nonnull (dbus_message_get_error_name (message), "(unset)"), + requested_reply, + nonnull (dbus_message_get_destination (message), DBUS_SERVICE_DBUS), +- proposed_recipient_loginfo); ++ proposed_recipient_loginfo, ++ nonnull (privilege, "(n/a)")); + + /* If we hit OOM while setting the error, this will syslog "out of memory" + * which is itself an indication that something is seriously wrong */ +@@ -1519,7 +1540,7 @@ complain_about_message (BusContext *context, + * NULL for addressed_recipient may mean the bus driver, or may mean + * no destination was specified in the message (e.g. a signal). + */ +-dbus_bool_t ++BusResult + bus_context_check_security_policy (BusContext *context, + BusTransaction *transaction, + DBusConnection *sender, +@@ -1527,7 +1548,8 @@ bus_context_check_security_policy (BusContext *context, + DBusConnection *proposed_recipient, + DBusMessage *message, + BusActivationEntry *activation_entry, +- DBusError *error) ++ DBusError *error, ++ BusDeferredMessage **deferred_message) + { + const char *src, *dest; + BusClientPolicy *sender_policy; +@@ -1536,6 +1558,7 @@ bus_context_check_security_policy (BusContext *context, + dbus_bool_t log; + int type; + dbus_bool_t requested_reply; ++ const char *privilege; + + type = dbus_message_get_type (message); + src = dbus_message_get_sender (message); +@@ -1565,7 +1588,7 @@ bus_context_check_security_policy (BusContext *context, + dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, + "Message bus will not accept messages of unknown type\n"); + +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + requested_reply = FALSE; +@@ -1595,7 +1618,7 @@ bus_context_check_security_policy (BusContext *context, + if (dbus_error_is_set (&error2)) + { + dbus_move_error (&error2, error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + } + } +@@ -1624,11 +1647,11 @@ bus_context_check_security_policy (BusContext *context, + complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, + "An SELinux policy prevents this sender from sending this " + "message to this recipient", +- 0, message, sender, proposed_recipient, FALSE, FALSE, error); ++ 0, message, sender, proposed_recipient, FALSE, FALSE, NULL, error); + _dbus_verbose ("SELinux security check denying send to service\n"); + } + +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + /* next verify AppArmor access controls. If allowed then +@@ -1646,7 +1669,7 @@ bus_context_check_security_policy (BusContext *context, + src ? src : DBUS_SERVICE_DBUS, + activation_entry, + error)) +- return FALSE; ++ return BUS_RESULT_FALSE; + + if (!bus_connection_is_active (sender)) + { +@@ -1660,7 +1683,7 @@ bus_context_check_security_policy (BusContext *context, + { + _dbus_verbose ("security check allowing %s message\n", + "Hello"); +- return TRUE; ++ return BUS_RESULT_TRUE; + } + else + { +@@ -1671,7 +1694,7 @@ bus_context_check_security_policy (BusContext *context, + "Client tried to send a message other than %s without being registered", + "Hello"); + +- return FALSE; ++ return BUS_RESULT_FALSE; + } + } + } +@@ -1720,20 +1743,29 @@ bus_context_check_security_policy (BusContext *context, + (proposed_recipient == NULL && recipient_policy == NULL)); + + log = FALSE; +- if (sender_policy && +- !bus_client_policy_check_can_send (sender_policy, +- context->registry, +- requested_reply, +- proposed_recipient, +- message, &toggles, &log)) +- { +- complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, +- "Rejected send message", toggles, +- message, sender, proposed_recipient, requested_reply, +- (addressed_recipient == proposed_recipient), error); +- _dbus_verbose ("security policy disallowing message due to sender policy\n"); +- return FALSE; +- } ++ if (sender_policy) ++ { ++ BusResult res = bus_client_policy_check_can_send (sender, ++ sender_policy, ++ context->registry, ++ requested_reply, ++ addressed_recipient, ++ proposed_recipient, ++ message, &toggles, &log, &privilege, ++ deferred_message); ++ if (res == BUS_RESULT_FALSE) ++ { ++ complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, ++ "Rejected send message", toggles, ++ message, sender, proposed_recipient, requested_reply, ++ (addressed_recipient == proposed_recipient), privilege, ++ error); ++ _dbus_verbose ("security policy disallowing message due to sender policy\n"); ++ return BUS_RESULT_FALSE; ++ } ++ else if (res == BUS_RESULT_LATER) ++ return BUS_RESULT_LATER; ++ } + + if (log) + { +@@ -1742,23 +1774,29 @@ bus_context_check_security_policy (BusContext *context, + complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, + "Would reject message", toggles, + message, sender, proposed_recipient, requested_reply, +- TRUE, NULL); ++ TRUE, privilege, NULL); + } + +- if (recipient_policy && +- !bus_client_policy_check_can_receive (recipient_policy, +- context->registry, +- requested_reply, +- sender, +- addressed_recipient, proposed_recipient, +- message, &toggles)) ++ if (recipient_policy) + { +- complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, +- "Rejected receive message", toggles, +- message, sender, proposed_recipient, requested_reply, +- (addressed_recipient == proposed_recipient), error); +- _dbus_verbose ("security policy disallowing message due to recipient policy\n"); +- return FALSE; ++ BusResult res; ++ res = bus_client_policy_check_can_receive (recipient_policy, ++ context->registry, ++ requested_reply, ++ sender, ++ addressed_recipient, proposed_recipient, ++ message, &toggles, &privilege, deferred_message); ++ if (res == BUS_RESULT_FALSE) ++ { ++ complain_about_message(context, DBUS_ERROR_ACCESS_DENIED, "Rejected receive message", ++ toggles, message, sender, proposed_recipient, requested_reply, ++ (addressed_recipient == proposed_recipient), privilege, error); ++ _dbus_verbose( ++ "security policy disallowing message due to recipient policy\n"); ++ return BUS_RESULT_FALSE; ++ } ++ else if (res == BUS_RESULT_LATER) ++ return BUS_RESULT_LATER; + } + + /* See if limits on size have been exceeded */ +@@ -1768,10 +1806,10 @@ bus_context_check_security_policy (BusContext *context, + { + complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED, + "Rejected: destination has a full message queue", +- 0, message, sender, proposed_recipient, requested_reply, TRUE, ++ 0, message, sender, proposed_recipient, requested_reply, TRUE, NULL, + error); + _dbus_verbose ("security policy disallowing message due to full message queue\n"); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + /* Record that we will allow a reply here in the future (don't +@@ -1792,11 +1830,11 @@ bus_context_check_security_policy (BusContext *context, + message, error)) + { + _dbus_verbose ("Failed to record reply expectation or problem with the message expecting a reply\n"); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + _dbus_verbose ("security policy allowing message\n"); +- return TRUE; ++ return BUS_RESULT_TRUE; + } + + void +diff --git a/bus/bus.h b/bus/bus.h +index 2e0de82..82c32c8 100644 +--- a/bus/bus.h ++++ b/bus/bus.h +@@ -45,6 +45,22 @@ typedef struct BusTransaction BusTransaction; + typedef struct BusMatchmaker BusMatchmaker; + typedef struct BusMatchRule BusMatchRule; + typedef struct BusActivationEntry BusActivationEntry; ++typedef struct BusCheck BusCheck; ++typedef struct BusDeferredMessage BusDeferredMessage; ++typedef struct BusCynara BusCynara; ++ ++/** ++ * BusResult is defined as a pointer to a dummy structure to allow detection of type mismatches. ++ * The disadvantage of such solution is that now BusResult variables cannot be used in switch ++ * statement. ++ * Additionally, BUS_RESULT_TRUE is defined as 0 instead of 1 to help detect type mismatches ++ * at runtime. ++ */ ++typedef const struct BusResultStruct { int dummy; } *BusResult; ++ ++static const BusResult BUS_RESULT_TRUE = (BusResult)0x0; ++static const BusResult BUS_RESULT_FALSE = (BusResult)0x1; ++static const BusResult BUS_RESULT_LATER = (BusResult)0x2; + + typedef struct + { +@@ -101,6 +117,7 @@ BusConnections* bus_context_get_connections (BusContext + BusActivation* bus_context_get_activation (BusContext *context); + BusMatchmaker* bus_context_get_matchmaker (BusContext *context); + DBusLoop* bus_context_get_loop (BusContext *context); ++BusCheck * bus_context_get_check (BusContext *context); + dbus_bool_t bus_context_allow_unix_user (BusContext *context, + unsigned long uid); + dbus_bool_t bus_context_allow_windows_user (BusContext *context, +@@ -136,14 +153,15 @@ void bus_context_log_and_set_error (BusContext + const char *name, + const char *msg, + ...) _DBUS_GNUC_PRINTF (5, 6); +-dbus_bool_t bus_context_check_security_policy (BusContext *context, ++BusResult bus_context_check_security_policy (BusContext *context, + BusTransaction *transaction, + DBusConnection *sender, + DBusConnection *addressed_recipient, + DBusConnection *proposed_recipient, + DBusMessage *message, + BusActivationEntry *activation_entry, +- DBusError *error); ++ DBusError *error, ++ BusDeferredMessage **deferred_message); + void bus_context_check_all_watches (BusContext *context); + + #endif /* BUS_BUS_H */ +diff --git a/bus/check.c b/bus/check.c +new file mode 100644 +index 0000000..5b72d31 +--- /dev/null ++++ b/bus/check.c +@@ -0,0 +1,217 @@ ++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */ ++/* check.c Bus security policy runtime check ++ * ++ * Copyright (C) 2014 Intel, Inc. ++ * Copyright (c) 2014 Samsung Electronics, Ltd. ++ * ++ * Licensed under the Academic Free License version 2.1 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ */ ++ ++#include <config.h> ++#include "check.h" ++#include "connection.h" ++#include "dispatch.h" ++#include "cynara.h" ++#include "utils.h" ++#include <dbus/dbus-connection-internal.h> ++#include <dbus/dbus-message-internal.h> ++#include <dbus/dbus-internals.h> ++ ++ ++typedef struct BusCheck ++{ ++ int refcount; ++ ++ BusContext *context; ++ BusCynara *cynara; ++} BusCheck; ++ ++typedef struct BusDeferredMessage ++{ ++ int refcount; ++ ++ DBusMessage *message; ++ DBusConnection *sender; ++ DBusConnection *proposed_recipient; ++ DBusConnection *addressed_recipient; ++ dbus_bool_t full_dispatch; ++ BusDeferredMessageStatus status; ++ BusResult response; ++ BusCheckResponseFunc response_callback; ++} BusDeferredMessage; ++ ++BusCheck * ++bus_check_new (BusContext *context, DBusError *error) ++{ ++ BusCheck *check; ++ ++ check = dbus_new(BusCheck, 1); ++ if (check == NULL) ++ { ++ BUS_SET_OOM(error); ++ return NULL; ++ } ++ ++ check->refcount = 1; ++ check->context = context; ++ check->cynara = bus_cynara_new(check, error); ++ if (dbus_error_is_set(error)) ++ { ++ dbus_free(check); ++ return NULL; ++ } ++ ++ return check; ++} ++ ++BusCheck * ++bus_check_ref (BusCheck *check) ++{ ++ _dbus_assert (check->refcount > 0); ++ check->refcount += 1; ++ ++ return check; ++} ++ ++void ++bus_check_unref (BusCheck *check) ++{ ++ _dbus_assert (check->refcount > 0); ++ ++ check->refcount -= 1; ++ ++ if (check->refcount == 0) ++ { ++ bus_cynara_unref(check->cynara); ++ dbus_free(check); ++ } ++} ++ ++BusContext * ++bus_check_get_context (BusCheck *check) ++{ ++ return check->context; ++} ++ ++BusCynara * ++bus_check_get_cynara (BusCheck *check) ++{ ++ return check->cynara; ++} ++ ++BusResult ++bus_check_privilege (BusCheck *check, ++ DBusMessage *message, ++ DBusConnection *sender, ++ DBusConnection *addressed_recipient, ++ DBusConnection *proposed_recipient, ++ const char *privilege, ++ BusDeferredMessageStatus check_type, ++ BusDeferredMessage **deferred_message) ++{ ++ BusResult result = BUS_RESULT_FALSE; ++#ifdef DBUS_ENABLE_CYNARA ++ BusCynara *cynara; ++#endif ++ DBusConnection *connection; ++ ++ connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender; ++ ++ if (!dbus_connection_get_is_connected(connection)) ++ { ++ return BUS_RESULT_FALSE; ++ } ++ ++ /* ask policy checkers */ ++#ifdef DBUS_ENABLE_CYNARA ++ cynara = bus_check_get_cynara(check); ++ result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient, ++ proposed_recipient, privilege, check_type, deferred_message); ++#endif ++ ++ if (result == BUS_RESULT_LATER && deferred_message != NULL) ++ { ++ (*deferred_message)->status |= check_type; ++ } ++ return result; ++} ++ ++BusDeferredMessage *bus_deferred_message_new (DBusMessage *message, ++ DBusConnection *sender, ++ DBusConnection *addressed_recipient, ++ DBusConnection *proposed_recipient, ++ BusResult response) ++{ ++ BusDeferredMessage *deferred_message; ++ ++ deferred_message = dbus_new(BusDeferredMessage, 1); ++ if (deferred_message == NULL) ++ { ++ return NULL; ++ } ++ ++ deferred_message->refcount = 1; ++ deferred_message->sender = sender != NULL ? dbus_connection_ref(sender) : NULL; ++ deferred_message->addressed_recipient = addressed_recipient != NULL ? dbus_connection_ref(addressed_recipient) : NULL; ++ deferred_message->proposed_recipient = proposed_recipient != NULL ? dbus_connection_ref(proposed_recipient) : NULL; ++ deferred_message->message = dbus_message_ref(message); ++ deferred_message->response = response; ++ deferred_message->status = 0; ++ deferred_message->full_dispatch = FALSE; ++ deferred_message->response_callback = NULL; ++ ++ return deferred_message; ++} ++ ++BusDeferredMessage * ++bus_deferred_message_ref (BusDeferredMessage *deferred_message) ++{ ++ _dbus_assert (deferred_message->refcount > 0); ++ deferred_message->refcount += 1; ++ return deferred_message; ++} ++ ++void ++bus_deferred_message_unref (BusDeferredMessage *deferred_message) ++{ ++ _dbus_assert (deferred_message->refcount > 0); ++ ++ deferred_message->refcount -= 1; ++ ++ if (deferred_message->refcount == 0) ++ { ++ dbus_message_unref(deferred_message->message); ++ if (deferred_message->sender != NULL) ++ dbus_connection_unref(deferred_message->sender); ++ if (deferred_message->addressed_recipient != NULL) ++ dbus_connection_unref(deferred_message->addressed_recipient); ++ if (deferred_message->proposed_recipient != NULL) ++ dbus_connection_unref(deferred_message->proposed_recipient); ++ dbus_free(deferred_message); ++ } ++} ++ ++void ++bus_deferred_message_response_received (BusDeferredMessage *deferred_message, ++ BusResult result) ++{ ++ if (deferred_message->response_callback != NULL) ++ { ++ deferred_message->response_callback(deferred_message, result); ++ } ++} +diff --git a/bus/check.h b/bus/check.h +new file mode 100644 +index 0000000..c3fcaf9 +--- /dev/null ++++ b/bus/check.h +@@ -0,0 +1,68 @@ ++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */ ++/* check.h Bus security policy runtime check ++ * ++ * Copyright (C) 2014 Intel, Inc. ++ * Copyright (c) 2014 Samsung Electronics, Ltd. ++ * ++ * Licensed under the Academic Free License version 2.1 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ */ ++ ++#ifndef BUS_CHECK_H ++#define BUS_CHECK_H ++ ++#include "bus.h" ++#include "policy.h" ++ ++ ++typedef void (*BusCheckResponseFunc) (BusDeferredMessage *message, ++ BusResult result); ++ ++typedef enum { ++ BUS_DEFERRED_MESSAGE_CHECK_SEND = 1 << 0, ++ BUS_DEFERRED_MESSAGE_CHECK_RECEIVE = 1 << 1, ++ BUS_DEFERRED_MESSAGE_CHECK_OWN = 1 << 2, ++} BusDeferredMessageStatus; ++ ++ ++BusCheck *bus_check_new (BusContext *context, ++ DBusError *error); ++BusCheck *bus_check_ref (BusCheck *check); ++void bus_check_unref (BusCheck *check); ++ ++BusContext *bus_check_get_context (BusCheck *check); ++BusCynara *bus_check_get_cynara (BusCheck *check); ++BusResult bus_check_privilege (BusCheck *check, ++ DBusMessage *message, ++ DBusConnection *sender, ++ DBusConnection *addressed_recipient, ++ DBusConnection *proposed_recipient, ++ const char *privilege, ++ BusDeferredMessageStatus check_type, ++ BusDeferredMessage **deferred_message); ++ ++BusDeferredMessage *bus_deferred_message_new (DBusMessage *message, ++ DBusConnection *sender, ++ DBusConnection *addressed_recipient, ++ DBusConnection *proposed_recipient, ++ BusResult response); ++ ++BusDeferredMessage *bus_deferred_message_ref (BusDeferredMessage *deferred_message); ++void bus_deferred_message_unref (BusDeferredMessage *deferred_message); ++void bus_deferred_message_response_received (BusDeferredMessage *deferred_message, ++ BusResult result); ++#endif /* BUS_CHECK_H */ +diff --git a/bus/config-parser-common.c b/bus/config-parser-common.c +index c1c4191..e2f253d 100644 +--- a/bus/config-parser-common.c ++++ b/bus/config-parser-common.c +@@ -75,6 +75,10 @@ bus_config_parser_element_name_to_type (const char *name) + { + return ELEMENT_DENY; + } ++ else if (strcmp (name, "check") == 0) ++ { ++ return ELEMENT_CHECK; ++ } + else if (strcmp (name, "servicehelper") == 0) + { + return ELEMENT_SERVICEHELPER; +@@ -159,6 +163,8 @@ bus_config_parser_element_type_to_name (ElementType type) + return "allow"; + case ELEMENT_DENY: + return "deny"; ++ case ELEMENT_CHECK: ++ return "check"; + case ELEMENT_FORK: + return "fork"; + case ELEMENT_PIDFILE: +diff --git a/bus/config-parser-common.h b/bus/config-parser-common.h +index 382a014..9e026d1 100644 +--- a/bus/config-parser-common.h ++++ b/bus/config-parser-common.h +@@ -36,6 +36,7 @@ typedef enum + ELEMENT_LIMIT, + ELEMENT_ALLOW, + ELEMENT_DENY, ++ ELEMENT_CHECK, + ELEMENT_FORK, + ELEMENT_PIDFILE, + ELEMENT_SERVICEDIR, +diff --git a/bus/config-parser.c b/bus/config-parser.c +index be27d38..b5f1dd1 100644 +--- a/bus/config-parser.c ++++ b/bus/config-parser.c +@@ -1318,7 +1318,7 @@ append_rule_from_element (BusConfigParser *parser, + const char *element_name, + const char **attribute_names, + const char **attribute_values, +- dbus_bool_t allow, ++ BusPolicyRuleAccess access, + DBusError *error) + { + const char *log; +@@ -1360,6 +1360,7 @@ append_rule_from_element (BusConfigParser *parser, + const char *own_prefix; + const char *user; + const char *group; ++ const char *privilege; + + BusPolicyRule *rule; + +@@ -1390,6 +1391,7 @@ append_rule_from_element (BusConfigParser *parser, + "user", &user, + "group", &group, + "log", &log, ++ "privilege", &privilege, + NULL)) + return FALSE; + +@@ -1422,6 +1424,7 @@ append_rule_from_element (BusConfigParser *parser, + + if (!(any_send_attribute || + any_receive_attribute || ++ privilege || + own || own_prefix || user || group)) + { + dbus_set_error (error, DBUS_ERROR_FAILED, +@@ -1438,7 +1441,30 @@ append_rule_from_element (BusConfigParser *parser, + element_name); + return FALSE; + } +- ++ ++ if (access == BUS_POLICY_RULE_ACCESS_CHECK) ++ { ++ if (privilege == NULL || !*privilege) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, ++ "On element <%s>, you must specify the privilege to be checked.", ++ element_name); ++ return FALSE; ++ } ++ } ++ else ++ { ++ if (privilege != NULL && *privilege) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, ++ "On element <%s>, privilege %s is used outside of a check rule.", ++ element_name, privilege); ++ return FALSE; ++ } ++ else ++ privilege = NULL; /* replace (potentially) empty string with NULL pointer, it wouldn't be used anyway */ ++ } ++ + /* Allowed combinations of elements are: + * + * base, must be all send or all receive: +@@ -1589,7 +1615,7 @@ append_rule_from_element (BusConfigParser *parser, + error)) + return FALSE; + +- rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, allow); ++ rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, access); + if (rule == NULL) + goto nomem; + +@@ -1694,7 +1720,7 @@ append_rule_from_element (BusConfigParser *parser, + error)) + return FALSE; + +- rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, allow); ++ rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, access); + if (rule == NULL) + goto nomem; + +@@ -1726,7 +1752,7 @@ append_rule_from_element (BusConfigParser *parser, + } + else if (own || own_prefix) + { +- rule = bus_policy_rule_new (BUS_POLICY_RULE_OWN, allow); ++ rule = bus_policy_rule_new (BUS_POLICY_RULE_OWN, access); + if (rule == NULL) + goto nomem; + +@@ -1752,7 +1778,7 @@ append_rule_from_element (BusConfigParser *parser, + { + if (IS_WILDCARD (user)) + { +- rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, allow); ++ rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, access); + if (rule == NULL) + goto nomem; + +@@ -1767,7 +1793,7 @@ append_rule_from_element (BusConfigParser *parser, + + if (_dbus_parse_unix_user_from_config (&username, &uid)) + { +- rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, allow); ++ rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, access); + if (rule == NULL) + goto nomem; + +@@ -1784,7 +1810,7 @@ append_rule_from_element (BusConfigParser *parser, + { + if (IS_WILDCARD (group)) + { +- rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, allow); ++ rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, access); + if (rule == NULL) + goto nomem; + +@@ -1799,7 +1825,7 @@ append_rule_from_element (BusConfigParser *parser, + + if (_dbus_parse_unix_group_from_config (&groupname, &gid)) + { +- rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, allow); ++ rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, access); + if (rule == NULL) + goto nomem; + +@@ -1823,6 +1849,10 @@ append_rule_from_element (BusConfigParser *parser, + _dbus_assert (pe != NULL); + _dbus_assert (pe->type == ELEMENT_POLICY); + ++ rule->privilege = _dbus_strdup (privilege); ++ if (privilege && !rule->privilege) ++ goto nomem; ++ + switch (pe->d.policy.type) + { + case POLICY_IGNORED: +@@ -1898,7 +1928,7 @@ start_policy_child (BusConfigParser *parser, + { + if (!append_rule_from_element (parser, element_name, + attribute_names, attribute_values, +- TRUE, error)) ++ BUS_POLICY_RULE_ACCESS_ALLOW, error)) + return FALSE; + + if (push_element (parser, ELEMENT_ALLOW) == NULL) +@@ -1913,7 +1943,7 @@ start_policy_child (BusConfigParser *parser, + { + if (!append_rule_from_element (parser, element_name, + attribute_names, attribute_values, +- FALSE, error)) ++ BUS_POLICY_RULE_ACCESS_DENY, error)) + return FALSE; + + if (push_element (parser, ELEMENT_DENY) == NULL) +@@ -1922,6 +1952,21 @@ start_policy_child (BusConfigParser *parser, + return FALSE; + } + ++ return TRUE; ++ } ++ else if (strcmp (element_name, "check") == 0) ++ { ++ if (!append_rule_from_element (parser, element_name, ++ attribute_names, attribute_values, ++ BUS_POLICY_RULE_ACCESS_CHECK, error)) ++ return FALSE; ++ ++ if (push_element (parser, ELEMENT_CHECK) == NULL) ++ { ++ BUS_SET_OOM (error); ++ return FALSE; ++ } ++ + return TRUE; + } + else +@@ -2284,6 +2329,7 @@ bus_config_parser_end_element (BusConfigParser *parser, + case ELEMENT_POLICY: + case ELEMENT_ALLOW: + case ELEMENT_DENY: ++ case ELEMENT_CHECK: + case ELEMENT_FORK: + case ELEMENT_SYSLOG: + case ELEMENT_KEEP_UMASK: +@@ -2600,6 +2646,7 @@ bus_config_parser_content (BusConfigParser *parser, + case ELEMENT_POLICY: + case ELEMENT_ALLOW: + case ELEMENT_DENY: ++ case ELEMENT_CHECK: + case ELEMENT_FORK: + case ELEMENT_SYSLOG: + case ELEMENT_KEEP_UMASK: +@@ -3127,6 +3174,8 @@ do_load (const DBusString *full_path, + dbus_error_init (&error); + + parser = bus_config_load (full_path, TRUE, NULL, &error); ++ if (dbus_error_is_set (&error)) ++ _dbus_verbose ("Failed to load file: %s\n", error.message); + if (parser == NULL) + { + _DBUS_ASSERT_ERROR_IS_SET (&error); +diff --git a/bus/connection.c b/bus/connection.c +index 53605fa..b348d42 100644 +--- a/bus/connection.c ++++ b/bus/connection.c +@@ -36,6 +36,10 @@ + #include <dbus/dbus-timeout.h> + #include <dbus/dbus-connection-internal.h> + #include <dbus/dbus-internals.h> ++#ifdef DBUS_ENABLE_CYNARA ++#include <stdlib.h> ++#include <cynara-session.h> ++#endif + + /* Trim executed commands to this length; we want to keep logs readable */ + #define MAX_LOG_COMMAND_LEN 50 +@@ -116,6 +120,9 @@ typedef struct + + /** non-NULL if and only if this is a monitor */ + DBusList *link_in_monitors; ++#ifdef DBUS_ENABLE_CYNARA ++ char *cynara_session_id; ++#endif + } BusConnectionData; + + static dbus_bool_t bus_pending_reply_expired (BusExpireList *list, +@@ -129,8 +136,8 @@ static dbus_bool_t expire_incomplete_timeout (void *data); + + #define BUS_CONNECTION_DATA(connection) (dbus_connection_get_data ((connection), connection_data_slot)) + +-static DBusLoop* +-connection_get_loop (DBusConnection *connection) ++DBusLoop* ++bus_connection_get_loop (DBusConnection *connection) + { + BusConnectionData *d; + +@@ -354,7 +361,7 @@ add_connection_watch (DBusWatch *watch, + { + DBusConnection *connection = data; + +- return _dbus_loop_add_watch (connection_get_loop (connection), watch); ++ return _dbus_loop_add_watch (bus_connection_get_loop (connection), watch); + } + + static void +@@ -363,7 +370,7 @@ remove_connection_watch (DBusWatch *watch, + { + DBusConnection *connection = data; + +- _dbus_loop_remove_watch (connection_get_loop (connection), watch); ++ _dbus_loop_remove_watch (bus_connection_get_loop (connection), watch); + } + + static void +@@ -372,7 +379,7 @@ toggle_connection_watch (DBusWatch *watch, + { + DBusConnection *connection = data; + +- _dbus_loop_toggle_watch (connection_get_loop (connection), watch); ++ _dbus_loop_toggle_watch (bus_connection_get_loop (connection), watch); + } + + static dbus_bool_t +@@ -381,7 +388,7 @@ add_connection_timeout (DBusTimeout *timeout, + { + DBusConnection *connection = data; + +- return _dbus_loop_add_timeout (connection_get_loop (connection), timeout); ++ return _dbus_loop_add_timeout (bus_connection_get_loop (connection), timeout); + } + + static void +@@ -390,7 +397,7 @@ remove_connection_timeout (DBusTimeout *timeout, + { + DBusConnection *connection = data; + +- _dbus_loop_remove_timeout (connection_get_loop (connection), timeout); ++ _dbus_loop_remove_timeout (bus_connection_get_loop (connection), timeout); + } + + static void +@@ -448,6 +455,10 @@ free_connection_data (void *data) + + dbus_free (d->name); + ++#ifdef DBUS_ENABLE_CYNARA ++ free (d->cynara_session_id); ++#endif ++ + dbus_free (d); + } + +@@ -1078,6 +1089,22 @@ bus_connection_get_policy (DBusConnection *connection) + return d->policy; + } + ++#ifdef DBUS_ENABLE_CYNARA ++const char *bus_connection_get_cynara_session_id (DBusConnection *connection) ++{ ++ BusConnectionData *d = BUS_CONNECTION_DATA (connection); ++ _dbus_assert (d != NULL); ++ ++ if (d->cynara_session_id == NULL) ++ { ++ unsigned long pid; ++ if (dbus_connection_get_unix_process_id(connection, &pid)) ++ d->cynara_session_id = cynara_session_from_pid(pid); ++ } ++ return d->cynara_session_id; ++} ++#endif ++ + static dbus_bool_t + foreach_active (BusConnections *connections, + BusConnectionForeachFunction function, +@@ -2333,6 +2360,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction, + DBusMessage *message) + { + DBusError error = DBUS_ERROR_INIT; ++ BusResult res; + + /* We have to set the sender to the driver, and have + * to check security policy since it was not done in +@@ -2370,10 +2398,11 @@ bus_transaction_send_from_driver (BusTransaction *transaction, + * if we're actively capturing messages, it's nice to log that we + * tried to send it and did not allow ourselves to do so. + */ +- if (!bus_context_check_security_policy (bus_transaction_get_context (transaction), +- transaction, +- NULL, connection, connection, +- message, NULL, &error)) ++ res = bus_context_check_security_policy (bus_transaction_get_context (transaction), ++ transaction, ++ NULL, connection, connection, message, NULL, ++ &error, NULL); ++ if (res == BUS_RESULT_FALSE) + { + if (!bus_transaction_capture_error_reply (transaction, connection, + &error, message)) +@@ -2388,6 +2417,12 @@ bus_transaction_send_from_driver (BusTransaction *transaction, + dbus_error_free (&error); + return TRUE; + } ++ else if (res == BUS_RESULT_LATER) ++ { ++ _dbus_verbose ("Cannot delay sending message from bus driver, dropping it\n"); ++ dbus_error_free (&error); ++ return TRUE; ++ } + + return bus_transaction_send (transaction, connection, message); + } +diff --git a/bus/connection.h b/bus/connection.h +index 9e253ae..71078ea 100644 +--- a/bus/connection.h ++++ b/bus/connection.h +@@ -31,6 +31,7 @@ + typedef dbus_bool_t (* BusConnectionForeachFunction) (DBusConnection *connection, + void *data); + ++DBusLoop* bus_connection_get_loop (DBusConnection *connection); + + BusConnections* bus_connections_new (BusContext *context); + BusConnections* bus_connections_ref (BusConnections *connections); +@@ -124,6 +125,9 @@ dbus_bool_t bus_connection_be_monitor (DBusConnection *connection, + BusTransaction *transaction, + DBusList **rules, + DBusError *error); ++#ifdef DBUS_ENABLE_CYNARA ++const char *bus_connection_get_cynara_session_id (DBusConnection *connection); ++#endif + + /* transaction API so we can send or not send a block of messages as a whole */ + +diff --git a/bus/cynara.c b/bus/cynara.c +new file mode 100644 +index 0000000..57a4c45 +--- /dev/null ++++ b/bus/cynara.c +@@ -0,0 +1,374 @@ ++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */ ++/* cynara.c Cynara runtime privilege checking ++ * ++ * Copyright (c) 2014 Samsung Electronics, Ltd. ++ * ++ * Licensed under the Academic Free License version 2.1 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ */ ++ ++#include <config.h> ++#include "cynara.h" ++#include "check.h" ++#include "utils.h" ++ ++#include <stdio.h> ++ ++#include <dbus/dbus.h> ++#include <dbus/dbus-watch.h> ++#include <dbus/dbus-connection-internal.h> ++#include <bus/connection.h> ++#ifdef DBUS_ENABLE_CYNARA ++#include <cynara-client-async.h> ++#endif ++ ++ ++#ifdef DBUS_ENABLE_CYNARA ++typedef struct BusCynara ++{ ++ int refcount; ++ ++ BusContext *context; ++ BusCheck *check; ++ cynara_async *cynara; ++ DBusWatch *cynara_watch; ++} BusCynara; ++ ++#define USE_CYNARA_CACHE 1 ++#ifdef USE_CYNARA_CACHE ++#define CYNARA_CACHE_SIZE 1000 ++#endif ++ ++static dbus_bool_t bus_cynara_watch_callback(DBusWatch *watch, ++ unsigned int flags, ++ void *data); ++ ++static void status_callback(int old_fd, ++ int new_fd, ++ cynara_async_status status, ++ void *user_status_data); ++static void bus_cynara_check_response_callback (cynara_check_id check_id, ++ cynara_async_call_cause cause, ++ int response, ++ void *user_response_data); ++#endif ++ ++ ++BusCynara * ++bus_cynara_new(BusCheck *check, DBusError *error) ++{ ++#ifdef DBUS_ENABLE_CYNARA ++ BusContext *context; ++ BusCynara *cynara; ++ cynara_async_configuration *conf = NULL; ++ int ret; ++ ++ cynara = dbus_new(BusCynara, 1); ++ if (cynara == NULL) ++ { ++ BUS_SET_OOM(error); ++ return NULL; ++ } ++ ++ context = bus_check_get_context(check); ++ ++ cynara->refcount = 1; ++ cynara->check = check; ++ cynara->context = context; ++ cynara->cynara_watch = NULL; ++ ++ ret = cynara_async_configuration_create(&conf); ++ if (ret != CYNARA_API_SUCCESS) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to create Cynara configuration"); ++ goto out; ++ } ++ ++#ifdef CYNARA_CACHE_SIZE ++ ret = cynara_async_configuration_set_cache_size(conf, CYNARA_CACHE_SIZE); ++ if (ret != CYNARA_API_SUCCESS) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to Cynara cache size"); ++ goto out; ++ } ++#endif ++ ++ ret = cynara_async_initialize(&cynara->cynara, conf, &status_callback, cynara); ++ if (ret != CYNARA_API_SUCCESS) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to initialize Cynara client"); ++ goto out; ++ } ++ ++out: ++ cynara_async_configuration_destroy(conf); ++ if (ret != CYNARA_API_SUCCESS) ++ { ++ dbus_free(cynara); ++ return NULL; ++ } ++ ++ return cynara; ++#else ++ return NULL; ++#endif ++} ++ ++BusCynara * ++bus_cynara_ref (BusCynara *cynara) ++{ ++#ifdef DBUS_ENABLE_CYNARA ++ _dbus_assert (cynara->refcount > 0); ++ cynara->refcount += 1; ++ ++ return cynara; ++#else ++ return NULL; ++#endif ++} ++ ++void ++bus_cynara_unref (BusCynara *cynara) ++{ ++#ifdef DBUS_ENABLE_CYNARA ++ _dbus_assert (cynara->refcount > 0); ++ ++ cynara->refcount -= 1; ++ ++ if (cynara->refcount == 0) ++ { ++ cynara_async_finish(cynara->cynara); ++ dbus_free(cynara); ++ } ++#endif ++} ++ ++BusResult ++bus_cynara_check_privilege (BusCynara *cynara, ++ DBusMessage *message, ++ DBusConnection *sender, ++ DBusConnection *addressed_recipient, ++ DBusConnection *proposed_recipient, ++ const char *privilege, ++ BusDeferredMessageStatus check_type, ++ BusDeferredMessage **deferred_message_param) ++{ ++#ifdef DBUS_ENABLE_CYNARA ++ int result; ++ unsigned long uid; ++ char *label; ++ const char *session_id; ++ char user[32]; ++ cynara_check_id check_id; ++ DBusConnection *connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender; ++ BusDeferredMessage *deferred_message; ++ BusResult ret; ++ ++ _dbus_assert(connection != NULL); ++ ++ if (dbus_connection_get_unix_user(connection, &uid) == FALSE) ++ return BUS_RESULT_FALSE; ++ ++ if (_dbus_connection_get_linux_security_label(connection, &label) == FALSE || label == NULL) ++ { ++ _dbus_warn("Failed to obtain security label for connection\n"); ++ return BUS_RESULT_FALSE; ++ } ++ ++ session_id = bus_connection_get_cynara_session_id (connection); ++ if (session_id == NULL) ++ { ++ ret = BUS_RESULT_FALSE; ++ goto out; ++ } ++ ++ snprintf(user, sizeof(user), "%lu", uid); ++ ++#if USE_CYNARA_CACHE ++ result = cynara_async_check_cache(cynara->cynara, label, session_id, user, privilege); ++#else ++ result = CYNARA_API_CACHE_MISS; ++#endif ++ ++ switch (result) ++ { ++ case CYNARA_API_ACCESS_ALLOWED: ++ _dbus_verbose("Cynara: got ALLOWED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n", ++ label, session_id, user, privilege); ++ ret = BUS_RESULT_TRUE; ++ break; ++ ++ case CYNARA_API_ACCESS_DENIED: ++ _dbus_verbose("Cynara: got DENIED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n", ++ label, session_id, user, privilege); ++ ret = BUS_RESULT_FALSE; ++ break; ++ ++ case CYNARA_API_CACHE_MISS: ++ deferred_message = bus_deferred_message_new(message, sender, addressed_recipient, ++ proposed_recipient, BUS_RESULT_LATER); ++ if (deferred_message == NULL) ++ { ++ _dbus_verbose("Failed to allocate memory for deferred message\n"); ++ ret = BUS_RESULT_FALSE; ++ goto out; ++ } ++ ++ /* callback is supposed to unref deferred_message*/ ++ result = cynara_async_create_request(cynara->cynara, label, session_id, user, privilege, &check_id, ++ &bus_cynara_check_response_callback, deferred_message); ++ if (result == CYNARA_API_SUCCESS) ++ { ++ _dbus_verbose("Created Cynara request: client=%s session_id=%s user=%s privilege=%s check_id=%u " ++ "deferred_message=%p\n", label, session_id, user, privilege, (unsigned int)check_id, deferred_message); ++ if (deferred_message_param != NULL) ++ *deferred_message_param = deferred_message; ++ ret = BUS_RESULT_LATER; ++ } ++ else ++ { ++ _dbus_verbose("Error on cynara request create: %i\n", result); ++ bus_deferred_message_unref(deferred_message); ++ ret = BUS_RESULT_FALSE; ++ } ++ break; ++ default: ++ _dbus_verbose("Error when accessing Cynara cache: %i\n", result); ++ ret = BUS_RESULT_FALSE; ++ } ++out: ++ dbus_free(label); ++ return ret; ++ ++#else ++ return BUS_RESULT_FALSE; ++#endif ++} ++ ++ ++ ++#ifdef DBUS_ENABLE_CYNARA ++static void ++status_callback(int old_fd, int new_fd, cynara_async_status status, ++ void *user_status_data) ++{ ++ BusCynara *cynara = (BusCynara *)user_status_data; ++ DBusLoop *loop = bus_context_get_loop(cynara->context); ++ ++ if (cynara->cynara_watch != NULL) ++ { ++ _dbus_loop_remove_watch(loop, cynara->cynara_watch); ++ _dbus_watch_invalidate(cynara->cynara_watch); ++ _dbus_watch_unref(cynara->cynara_watch); ++ cynara->cynara_watch = NULL; ++ } ++ ++ if (new_fd != -1) ++ { ++ unsigned int flags; ++ DBusWatch *watch; ++ ++ switch (status) ++ { ++ case CYNARA_STATUS_FOR_READ: ++ flags = DBUS_WATCH_READABLE; ++ break; ++ case CYNARA_STATUS_FOR_RW: ++ flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE; ++ break; ++ default: ++ /* Cynara passed unknown status - warn and add RW watch */ ++ _dbus_verbose("Cynara passed unknown status value: 0x%08X\n", (unsigned int)status); ++ flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE; ++ break; ++ } ++ ++ watch = _dbus_watch_new(new_fd, flags, TRUE, &bus_cynara_watch_callback, cynara, NULL); ++ if (watch != NULL) ++ { ++ if (_dbus_loop_add_watch(loop, watch) == TRUE) ++ { ++ cynara->cynara_watch = watch; ++ return; ++ } ++ ++ _dbus_watch_invalidate(watch); ++ _dbus_watch_unref(watch); ++ } ++ ++ /* It seems like not much can be done at this point. Cynara events won't be processed ++ * until next Cynara function call triggering status callback */ ++ _dbus_verbose("Failed to add dbus watch\n"); ++ } ++} ++ ++static dbus_bool_t ++bus_cynara_watch_callback(DBusWatch *watch, ++ unsigned int flags, ++ void *data) ++{ ++ BusCynara *cynara = (BusCynara *)data; ++ int result = cynara_async_process(cynara->cynara); ++ if (result != CYNARA_API_SUCCESS) ++ _dbus_verbose("cynara_async_process returned %d\n", result); ++ ++ return result != CYNARA_API_OUT_OF_MEMORY ? TRUE : FALSE; ++} ++ ++static inline const char * ++call_cause_to_string(cynara_async_call_cause cause) ++{ ++ switch (cause) ++ { ++ case CYNARA_CALL_CAUSE_ANSWER: ++ return "ANSWER"; ++ case CYNARA_CALL_CAUSE_CANCEL: ++ return "CANCEL"; ++ case CYNARA_CALL_CAUSE_FINISH: ++ return "FINSIH"; ++ case CYNARA_CALL_CAUSE_SERVICE_NOT_AVAILABLE: ++ return "SERVICE NOT AVAILABLE"; ++ default: ++ return "INVALID"; ++ } ++} ++ ++static void ++bus_cynara_check_response_callback (cynara_check_id check_id, ++ cynara_async_call_cause cause, ++ int response, ++ void *user_response_data) ++{ ++ BusDeferredMessage *deferred_message = user_response_data; ++ BusResult result; ++ ++ _dbus_verbose("Cynara callback: check_id=%u, cause=%s response=%i response_data=%p\n", ++ (unsigned int)check_id, call_cause_to_string(cause), response, user_response_data); ++ ++ if (deferred_message == NULL) ++ return; ++ ++ if (cause == CYNARA_CALL_CAUSE_ANSWER && response == CYNARA_API_ACCESS_ALLOWED) ++ result = BUS_RESULT_TRUE; ++ else ++ result = BUS_RESULT_FALSE; ++ ++ bus_deferred_message_response_received(deferred_message, result); ++ bus_deferred_message_unref(deferred_message); ++} ++ ++#endif /* DBUS_ENABLE_CYNARA */ +diff --git a/bus/cynara.h b/bus/cynara.h +new file mode 100644 +index 0000000..c4728bb +--- /dev/null ++++ b/bus/cynara.h +@@ -0,0 +1,37 @@ ++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */ ++/* cynara.h Cynara runtime privilege checking ++ * ++ * Copyright (c) 2014 Samsung Electronics, Ltd. ++ * ++ * Licensed under the Academic Free License version 2.1 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ */ ++ ++#include "bus.h" ++#include "check.h" ++ ++BusCynara *bus_cynara_new (BusCheck *check, DBusError *error); ++BusCynara *bus_cynara_ref (BusCynara *cynara); ++void bus_cynara_unref (BusCynara *cynara); ++BusResult bus_cynara_check_privilege (BusCynara *cynara, ++ DBusMessage *message, ++ DBusConnection *sender, ++ DBusConnection *addressed_recipient, ++ DBusConnection *proposed_recipient, ++ const char *privilege, ++ BusDeferredMessageStatus check_type, ++ BusDeferredMessage **deferred_message); +diff --git a/bus/dispatch.c b/bus/dispatch.c +index 19228be..d3867f7 100644 +--- a/bus/dispatch.c ++++ b/bus/dispatch.c +@@ -25,6 +25,7 @@ + + #include <config.h> + #include "dispatch.h" ++#include "check.h" + #include "connection.h" + #include "driver.h" + #include "services.h" +@@ -64,14 +65,18 @@ send_one_message (DBusConnection *connection, + DBusError *error) + { + DBusError stack_error = DBUS_ERROR_INIT; ++ BusDeferredMessage *deferred_message; ++ BusResult result; + +- if (!bus_context_check_security_policy (context, transaction, ++ result = bus_context_check_security_policy (context, transaction, + sender, + addressed_recipient, + connection, + message, + NULL, +- &stack_error)) ++ &stack_error, ++ &deferred_message); ++ if (result != BUS_RESULT_TRUE) + { + if (!bus_transaction_capture_error_reply (transaction, sender, + &stack_error, message)) +@@ -130,6 +135,8 @@ bus_dispatch_matches (BusTransaction *transaction, + BusMatchmaker *matchmaker; + DBusList *link; + BusContext *context; ++ BusDeferredMessage *deferred_message; ++ BusResult res; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + +@@ -145,11 +152,20 @@ bus_dispatch_matches (BusTransaction *transaction, + /* First, send the message to the addressed_recipient, if there is one. */ + if (addressed_recipient != NULL) + { +- if (!bus_context_check_security_policy (context, transaction, +- sender, addressed_recipient, +- addressed_recipient, +- message, NULL, error)) ++ res = bus_context_check_security_policy (context, transaction, ++ sender, addressed_recipient, ++ addressed_recipient, ++ message, NULL, error, ++ &deferred_message); ++ if (res == BUS_RESULT_FALSE) + return FALSE; ++ else if (res == BUS_RESULT_LATER) ++ { ++ dbus_set_error (error, ++ DBUS_ERROR_ACCESS_DENIED, ++ "Rejecting message because time is needed to check security policy"); ++ return FALSE; ++ } + + if (dbus_message_contains_unix_fds (message) && + !dbus_connection_can_send_type (addressed_recipient, +@@ -374,19 +390,31 @@ bus_dispatch (DBusConnection *connection, + if (service_name && + strcmp (service_name, DBUS_SERVICE_DBUS) == 0) /* to bus driver */ + { ++ BusDeferredMessage *deferred_message; ++ BusResult res; ++ + if (!bus_transaction_capture (transaction, connection, NULL, message)) + { + BUS_SET_OOM (&error); + goto out; + } + +- if (!bus_context_check_security_policy (context, transaction, +- connection, NULL, NULL, message, +- NULL, &error)) ++ res = bus_context_check_security_policy (context, transaction, ++ connection, NULL, NULL, message, NULL, ++ &error, &deferred_message); ++ if (res == BUS_RESULT_FALSE) + { + _dbus_verbose ("Security policy rejected message\n"); + goto out; + } ++ else if (res == BUS_RESULT_LATER) ++ { ++ dbus_set_error (&error, ++ DBUS_ERROR_ACCESS_DENIED, ++ "Rejecting message because time is needed to check security policy"); ++ _dbus_verbose ("Security policy needs time to check policy. Dropping message\n"); ++ goto out; ++ } + + _dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS); + if (!bus_driver_handle_message (connection, transaction, message, &error)) +diff --git a/bus/policy.c b/bus/policy.c +index a37be80..7ee1ce5 100644 +--- a/bus/policy.c ++++ b/bus/policy.c +@@ -22,6 +22,7 @@ + */ + + #include <config.h> ++#include "check.h" + #include "policy.h" + #include "services.h" + #include "test.h" +@@ -33,7 +34,7 @@ + + BusPolicyRule* + bus_policy_rule_new (BusPolicyRuleType type, +- dbus_bool_t allow) ++ BusPolicyRuleAccess access) + { + BusPolicyRule *rule; + +@@ -43,7 +44,7 @@ bus_policy_rule_new (BusPolicyRuleType type, + + rule->type = type; + rule->refcount = 1; +- rule->allow = allow; ++ rule->access = access; + + switch (rule->type) + { +@@ -55,18 +56,19 @@ bus_policy_rule_new (BusPolicyRuleType type, + break; + case BUS_POLICY_RULE_SEND: + rule->d.send.message_type = DBUS_MESSAGE_TYPE_INVALID; +- + /* allow rules default to TRUE (only requested replies allowed) ++ * check rules default to TRUE (only requested replies are checked) + * deny rules default to FALSE (only unrequested replies denied) + */ +- rule->d.send.requested_reply = rule->allow; ++ rule->d.send.requested_reply = rule->access != BUS_POLICY_RULE_ACCESS_DENY; + break; + case BUS_POLICY_RULE_RECEIVE: + rule->d.receive.message_type = DBUS_MESSAGE_TYPE_INVALID; + /* allow rules default to TRUE (only requested replies allowed) ++ * check rules default to TRUE (only requested replies are checked) + * deny rules default to FALSE (only unrequested replies denied) + */ +- rule->d.receive.requested_reply = rule->allow; ++ rule->d.receive.requested_reply = rule->access != BUS_POLICY_RULE_ACCESS_DENY; + break; + case BUS_POLICY_RULE_OWN: + break; +@@ -122,7 +124,8 @@ bus_policy_rule_unref (BusPolicyRule *rule) + default: + _dbus_assert_not_reached ("invalid rule"); + } +- ++ ++ dbus_free (rule->privilege); + dbus_free (rule); + } + } +@@ -435,7 +438,10 @@ list_allows_user (dbus_bool_t def, + else + continue; + +- allowed = rule->allow; ++ /* We don't intend to support <check user="..." /> and <check group="..." /> ++ rules. They are treated like deny. ++ */ ++ allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW; + } + + return allowed; +@@ -873,18 +879,23 @@ bus_client_policy_append_rule (BusClientPolicy *policy, + return TRUE; + } + +-dbus_bool_t +-bus_client_policy_check_can_send (BusClientPolicy *policy, +- BusRegistry *registry, +- dbus_bool_t requested_reply, +- DBusConnection *receiver, +- DBusMessage *message, +- dbus_int32_t *toggles, +- dbus_bool_t *log) ++BusResult ++bus_client_policy_check_can_send (DBusConnection *sender, ++ BusClientPolicy *policy, ++ BusRegistry *registry, ++ dbus_bool_t requested_reply, ++ DBusConnection *addressed_recipient, ++ DBusConnection *receiver, ++ DBusMessage *message, ++ dbus_int32_t *toggles, ++ dbus_bool_t *log, ++ const char **privilege_param, ++ BusDeferredMessage **deferred_message) + { + DBusList *link; +- dbus_bool_t allowed; +- ++ BusResult result; ++ const char *privilege; ++ + /* policy->rules is in the order the rules appeared + * in the config file, i.e. last rule that applies wins + */ +@@ -892,7 +903,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, + _dbus_verbose (" (policy) checking send rules\n"); + *toggles = 0; + +- allowed = FALSE; ++ result = BUS_RESULT_FALSE; + link = _dbus_list_get_first_link (&policy->rules); + while (link != NULL) + { +@@ -923,13 +934,14 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, + /* If it's a reply, the requested_reply flag kicks in */ + if (dbus_message_get_reply_serial (message) != 0) + { +- /* for allow, requested_reply=true means the rule applies +- * only when reply was requested. requested_reply=false means +- * always allow. ++ /* for allow or check requested_reply=true means the rule applies ++ * only when reply was requested. requested_reply=false means the ++ * rule always applies + */ +- if (!requested_reply && rule->allow && rule->d.send.requested_reply && !rule->d.send.eavesdrop) ++ if (!requested_reply && rule->access != BUS_POLICY_RULE_ACCESS_DENY && rule->d.send.requested_reply && !rule->d.send.eavesdrop) + { +- _dbus_verbose (" (policy) skipping allow rule since it only applies to requested replies and does not allow eavesdropping\n"); ++ _dbus_verbose (" (policy) skipping %s rule since it only applies to requested replies and does not allow eavesdropping\n", ++ rule->access == BUS_POLICY_RULE_ACCESS_ALLOW ? "allow" : "check"); + continue; + } + +@@ -937,7 +949,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, + * when the reply was not requested. requested_reply=true means the + * rule always applies. + */ +- if (requested_reply && !rule->allow && !rule->d.send.requested_reply) ++ if (requested_reply && rule->access == BUS_POLICY_RULE_ACCESS_DENY && !rule->d.send.requested_reply) + { + _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n"); + continue; +@@ -960,13 +972,15 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, + /* The interface is optional in messages. For allow rules, if the message + * has no interface we want to skip the rule (and thus not allow); + * for deny rules, if the message has no interface we want to use the +- * rule (and thus deny). ++ * rule (and thus deny). Check rules are meant to be used like allow ++ * rules (they can grant access, but not remove it), so we treat it like ++ * allow here. + */ + dbus_bool_t no_interface; + + no_interface = dbus_message_get_interface (message) == NULL; + +- if ((no_interface && rule->allow) || ++ if ((no_interface && rule->access != BUS_POLICY_RULE_ACCESS_DENY) || + (!no_interface && + strcmp (dbus_message_get_interface (message), + rule->d.send.interface) != 0)) +@@ -1079,33 +1093,63 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, + } + + /* Use this rule */ +- allowed = rule->allow; ++ switch (rule->access) ++ { ++ case BUS_POLICY_RULE_ACCESS_ALLOW: ++ result = BUS_RESULT_TRUE; ++ break; ++ case BUS_POLICY_RULE_ACCESS_DENY: ++ result = BUS_RESULT_FALSE; ++ break; ++ case BUS_POLICY_RULE_ACCESS_CHECK: ++ result = BUS_RESULT_LATER; ++ privilege = rule->privilege; ++ break; ++ } ++ + *log = rule->d.send.log; + (*toggles)++; + +- _dbus_verbose (" (policy) used rule, allow now = %d\n", +- allowed); ++ _dbus_verbose (" (policy) used rule, result now = %d\n", ++ (int)(intptr_t)result); + } + +- return allowed; ++ if (result == BUS_RESULT_LATER) ++ { ++ BusContext *context = bus_connection_get_context(sender); ++ BusCheck *check = bus_context_get_check(context); ++ ++ result = bus_check_privilege(check, message, sender, addressed_recipient, receiver, ++ privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message); ++ } ++ else ++ privilege = NULL; ++ ++ if (privilege_param != NULL) ++ *privilege_param = privilege; ++ ++ return result; + } + + /* See docs on what the args mean on bus_context_check_security_policy() + * comment + */ +-dbus_bool_t +-bus_client_policy_check_can_receive (BusClientPolicy *policy, +- BusRegistry *registry, +- dbus_bool_t requested_reply, +- DBusConnection *sender, +- DBusConnection *addressed_recipient, +- DBusConnection *proposed_recipient, +- DBusMessage *message, +- dbus_int32_t *toggles) ++BusResult ++bus_client_policy_check_can_receive (BusClientPolicy *policy, ++ BusRegistry *registry, ++ dbus_bool_t requested_reply, ++ DBusConnection *sender, ++ DBusConnection *addressed_recipient, ++ DBusConnection *proposed_recipient, ++ DBusMessage *message, ++ dbus_int32_t *toggles, ++ const char **privilege_param, ++ BusDeferredMessage **deferred_message) + { + DBusList *link; +- dbus_bool_t allowed; + dbus_bool_t eavesdropping; ++ BusResult result; ++ const char *privilege; + + eavesdropping = + addressed_recipient != proposed_recipient && +@@ -1118,7 +1162,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, + _dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping); + *toggles = 0; + +- allowed = FALSE; ++ result = BUS_RESULT_FALSE; + link = _dbus_list_get_first_link (&policy->rules); + while (link != NULL) + { +@@ -1141,19 +1185,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, + } + } + +- /* for allow, eavesdrop=false means the rule doesn't apply when +- * eavesdropping. eavesdrop=true means always allow. ++ ++ /* for allow or check, eavesdrop=false means the rule doesn't apply when ++ * eavesdropping. eavesdrop=true means the rule always applies + */ +- if (eavesdropping && rule->allow && !rule->d.receive.eavesdrop) ++ if (eavesdropping && rule->access != BUS_POLICY_RULE_ACCESS_DENY && !rule->d.receive.eavesdrop) + { +- _dbus_verbose (" (policy) skipping allow rule since it doesn't apply to eavesdropping\n"); ++ _dbus_verbose (" (policy) skipping %s rule since it doesn't apply to eavesdropping\n", ++ rule->access == BUS_POLICY_RULE_ACCESS_ALLOW ? "allow" : "check"); + continue; + } + + /* for deny, eavesdrop=true means the rule applies only when + * eavesdropping; eavesdrop=false means always deny. + */ +- if (!eavesdropping && !rule->allow && rule->d.receive.eavesdrop) ++ if (!eavesdropping && rule->access == BUS_POLICY_RULE_ACCESS_DENY && rule->d.receive.eavesdrop) + { + _dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n"); + continue; +@@ -1162,13 +1208,14 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, + /* If it's a reply, the requested_reply flag kicks in */ + if (dbus_message_get_reply_serial (message) != 0) + { +- /* for allow, requested_reply=true means the rule applies +- * only when reply was requested. requested_reply=false means +- * always allow. ++ /* for allow or check requested_reply=true means the rule applies ++ * only when reply was requested. requested_reply=false means the ++ * rule always applies + */ +- if (!requested_reply && rule->allow && rule->d.receive.requested_reply && !rule->d.receive.eavesdrop) ++ if (!requested_reply && rule->access != BUS_POLICY_RULE_ACCESS_DENY && rule->d.send.requested_reply && !rule->d.send.eavesdrop) + { +- _dbus_verbose (" (policy) skipping allow rule since it only applies to requested replies and does not allow eavesdropping\n"); ++ _dbus_verbose (" (policy) skipping %s rule since it only applies to requested replies and does not allow eavesdropping\n", ++ rule->access == BUS_POLICY_RULE_ACCESS_DENY ? "allow" : "deny"); + continue; + } + +@@ -1176,7 +1223,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, + * when the reply was not requested. requested_reply=true means the + * rule always applies. + */ +- if (requested_reply && !rule->allow && !rule->d.receive.requested_reply) ++ if (requested_reply && rule->access == BUS_POLICY_RULE_ACCESS_DENY && !rule->d.receive.requested_reply) + { + _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n"); + continue; +@@ -1199,13 +1246,13 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, + /* The interface is optional in messages. For allow rules, if the message + * has no interface we want to skip the rule (and thus not allow); + * for deny rules, if the message has no interface we want to use the +- * rule (and thus deny). ++ * rule (and thus deny). Check rules are treated like allow rules. + */ + dbus_bool_t no_interface; + + no_interface = dbus_message_get_interface (message) == NULL; + +- if ((no_interface && rule->allow) || ++ if ((no_interface && rule->access != BUS_POLICY_RULE_ACCESS_DENY) || + (!no_interface && + strcmp (dbus_message_get_interface (message), + rule->d.receive.interface) != 0)) +@@ -1295,14 +1342,42 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, + } + + /* Use this rule */ +- allowed = rule->allow; ++ switch (rule->access) ++ { ++ case BUS_POLICY_RULE_ACCESS_ALLOW: ++ result = BUS_RESULT_TRUE; ++ break; ++ case BUS_POLICY_RULE_ACCESS_DENY: ++ result = BUS_RESULT_FALSE; ++ break; ++ case BUS_POLICY_RULE_ACCESS_CHECK: ++ result = BUS_RESULT_LATER; ++ privilege = rule->privilege; ++ break; ++ } ++ + (*toggles)++; + +- _dbus_verbose (" (policy) used rule, allow now = %d\n", +- allowed); ++ _dbus_verbose (" (policy) used rule, result now = %d\n", ++ (int)(intptr_t)result); + } + +- return allowed; ++ ++ if (result == BUS_RESULT_LATER) ++ { ++ BusContext *context = bus_connection_get_context(proposed_recipient); ++ BusCheck *check = bus_context_get_check(context); ++ ++ result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient, ++ privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message); ++ } ++ else ++ privilege = NULL; ++ ++ if (privilege_param != NULL) ++ *privilege_param = privilege; ++ ++ return result; + } + + +@@ -1354,7 +1429,7 @@ bus_rules_check_can_own (DBusList *rules, + } + + /* Use this rule */ +- allowed = rule->allow; ++ allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW; + } + + return allowed; +diff --git a/bus/policy.h b/bus/policy.h +index ec43ffa..f839d23 100644 +--- a/bus/policy.h ++++ b/bus/policy.h +@@ -46,6 +46,14 @@ typedef enum + BUS_POLICY_TRISTATE_TRUE + } BusPolicyTristate; + ++typedef enum ++{ ++ BUS_POLICY_RULE_ACCESS_DENY, ++ BUS_POLICY_RULE_ACCESS_ALLOW, ++ /** runtime check resulting in allow or deny */ ++ BUS_POLICY_RULE_ACCESS_CHECK ++} BusPolicyRuleAccess; ++ + /** determines whether the rule affects a connection, or some global item */ + #define BUS_POLICY_RULE_IS_PER_CLIENT(rule) (!((rule)->type == BUS_POLICY_RULE_USER || \ + (rule)->type == BUS_POLICY_RULE_GROUP)) +@@ -56,8 +64,9 @@ struct BusPolicyRule + + BusPolicyRuleType type; + +- unsigned int allow : 1; /**< #TRUE if this allows, #FALSE if it denies */ +- ++ unsigned int access : 2; /**< BusPolicyRuleAccess */ ++ char *privilege; /**< for BUS_POLICY_RULE_ACCESS_CHECK */ ++ + union + { + struct +@@ -118,7 +127,7 @@ struct BusPolicyRule + }; + + BusPolicyRule* bus_policy_rule_new (BusPolicyRuleType type, +- dbus_bool_t allow); ++ BusPolicyRuleAccess access); + BusPolicyRule* bus_policy_rule_ref (BusPolicyRule *rule); + void bus_policy_rule_unref (BusPolicyRule *rule); + +@@ -152,21 +161,27 @@ dbus_bool_t bus_policy_merge (BusPolicy *policy, + BusClientPolicy* bus_client_policy_new (void); + BusClientPolicy* bus_client_policy_ref (BusClientPolicy *policy); + void bus_client_policy_unref (BusClientPolicy *policy); +-dbus_bool_t bus_client_policy_check_can_send (BusClientPolicy *policy, ++BusResult bus_client_policy_check_can_send (DBusConnection *sender, ++ BusClientPolicy *policy, + BusRegistry *registry, + dbus_bool_t requested_reply, ++ DBusConnection *addressed_recipient, + DBusConnection *receiver, + DBusMessage *message, + dbus_int32_t *toggles, +- dbus_bool_t *log); +-dbus_bool_t bus_client_policy_check_can_receive (BusClientPolicy *policy, ++ dbus_bool_t *log, ++ const char **privilege_param, ++ BusDeferredMessage **deferred_message); ++BusResult bus_client_policy_check_can_receive (BusClientPolicy *policy, + BusRegistry *registry, + dbus_bool_t requested_reply, + DBusConnection *sender, + DBusConnection *addressed_recipient, + DBusConnection *proposed_recipient, + DBusMessage *message, +- dbus_int32_t *toggles); ++ dbus_int32_t *toggles, ++ const char **privilege_param, ++ BusDeferredMessage **deferred_message); + dbus_bool_t bus_client_policy_check_can_own (BusClientPolicy *policy, + const DBusString *service_name); + dbus_bool_t bus_client_policy_append_rule (BusClientPolicy *policy, +diff --git a/configure.ac b/configure.ac +index 81028ba..f21d1b2 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1770,6 +1770,17 @@ AC_ARG_ENABLE([user-session], + AM_CONDITIONAL([DBUS_ENABLE_USER_SESSION], + [test "x$enable_user_session" = xyes]) + ++#enable cynara integration ++AC_ARG_ENABLE([cynara], [AS_HELP_STRING([--enable-cynara], [enable Cynara integration])], [], [enable_cynara=no]) ++if test "x$enable_cynara" = xyes; then ++ PKG_CHECK_MODULES([CYNARA], [cynara-client-async >= 0.6.0 cynara-session >= 0.6.0], ++ [AC_DEFINE([DBUS_ENABLE_CYNARA], [1], [Define to enable Cynara privilege checks in dbus-daemon])], ++ [AC_MSG_ERROR([libcynara-client-async and cynara-session are required to enable Cynara integration])]) ++fi ++ ++AC_SUBST([CYNARA_CFLAGS]) ++AC_SUBST([CYNARA_LIBS]) ++ + AC_CONFIG_FILES([ + Doxyfile + dbus/Version +@@ -1852,6 +1863,7 @@ echo " + Building bus stats API: ${enable_stats} + Building SELinux support: ${have_selinux} + Building AppArmor support: ${have_apparmor} ++ Building Cynara support: ${enable_cynara} + Building inotify support: ${have_inotify} + Building kqueue support: ${have_kqueue} + Building systemd support: ${have_systemd} +diff --git a/test/Makefile.am b/test/Makefile.am +index 6a6e1a3..ce84dbc 100644 +--- a/test/Makefile.am ++++ b/test/Makefile.am +@@ -439,6 +439,7 @@ in_data = \ + data/valid-config-files/debug-allow-all.conf.in \ + data/valid-config-files/finite-timeout.conf.in \ + data/valid-config-files/forbidding.conf.in \ ++ data/valid-config-files/debug-check-some.conf.in \ + data/valid-config-files/incoming-limit.conf.in \ + data/valid-config-files/max-completed-connections.conf.in \ + data/valid-config-files/max-connections-per-user.conf.in \ +diff --git a/test/data/invalid-config-files/badcheck-1.conf b/test/data/invalid-config-files/badcheck-1.conf +new file mode 100644 +index 0000000..fad9f50 +--- /dev/null ++++ b/test/data/invalid-config-files/badcheck-1.conf +@@ -0,0 +1,9 @@ ++<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" ++ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> ++<busconfig> ++ <user>mybususer</user> ++ <listen>unix:path=/foo/bar</listen> ++ <policy context="default"> ++ <allow privilege="foo" send_destination="*"/> <!-- extra privilege="foo" --> ++ </policy> ++</busconfig> +diff --git a/test/data/invalid-config-files/badcheck-2.conf b/test/data/invalid-config-files/badcheck-2.conf +new file mode 100644 +index 0000000..63c7ef2 +--- /dev/null ++++ b/test/data/invalid-config-files/badcheck-2.conf +@@ -0,0 +1,9 @@ ++<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" ++ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> ++<busconfig> ++ <user>mybususer</user> ++ <listen>unix:path=/foo/bar</listen> ++ <policy context="default"> ++ <check send_destination="*"/> <!-- missing privilege="foo" --> ++ </policy> ++</busconfig> +diff --git a/test/data/valid-config-files/check-1.conf b/test/data/valid-config-files/check-1.conf +new file mode 100644 +index 0000000..ad71473 +--- /dev/null ++++ b/test/data/valid-config-files/check-1.conf +@@ -0,0 +1,9 @@ ++<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" ++ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> ++<busconfig> ++ <user>mybususer</user> ++ <listen>unix:path=/foo/bar</listen> ++ <policy context="default"> ++ <check privilege="foo" send_destination="*"/> ++ </policy> ++</busconfig> +diff --git a/test/data/valid-config-files/debug-check-some.conf.in b/test/data/valid-config-files/debug-check-some.conf.in +new file mode 100644 +index 0000000..47ee854 +--- /dev/null ++++ b/test/data/valid-config-files/debug-check-some.conf.in +@@ -0,0 +1,18 @@ ++<!-- Bus that listens on a debug pipe and doesn't create any restrictions --> ++ ++<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" ++ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> ++<busconfig> ++ <listen>debug-pipe:name=test-server</listen> ++ <listen>@TEST_LISTEN@</listen> ++ <servicedir>@DBUS_TEST_DATA@/valid-service-files</servicedir> ++ <policy context="default"> ++ <allow send_interface="*"/> ++ <allow receive_interface="*"/> ++ <allow own="*"/> ++ <allow user="*"/> ++ ++ <deny send_interface="org.freedesktop.TestSuite" send_member="Echo"/> ++ <check privilege="foo" send_interface="org.freedesktop.TestSuite" send_member="Echo"/> ++ </policy> ++</busconfig> +-- +2.17.2 + diff --git a/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch new file mode 100644 index 00000000..ebbd531f --- /dev/null +++ b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch @@ -0,0 +1,949 @@ +From aae977a0c4bb1c25640c7056166fbc4e76ef1db6 Mon Sep 17 00:00:00 2001 +From: Jacek Bukarewicz <j.bukarewicz@samsung.com> +Date: Fri, 28 Nov 2014 12:07:39 +0100 +Subject: Disable message dispatching when send rule result is not known +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When unicast message is sent to addressed recipient and policy result +is not available message dispatch from the sender is disabled. +This also means that any further messages from the given connection are +put into the incoming queue without being processed. If response is received +message dispatching is resumed. This time answer is attached to the message +which is now processed synchronously. +Receive rule result unavailability is not yet handled - such messages are +rejected. Also, if message is sent to non-addressed recipient and policy result +is unknown, message is silently dropped. + +Cherry-picked from b1b87ad9f20b2052c28431b48e81073078a745ce +by Jose Bollo. + +Updated for dbus 1.10.20 by Scott Murray and José Bollo + +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +Signed-off-by: Scott Murray <scott.murray@konsulko.com> + +diff --git a/bus/activation.c b/bus/activation.c +index f8a02eb..005047f 100644 +--- a/bus/activation.c ++++ b/bus/activation.c +@@ -32,6 +32,7 @@ + #include "services.h" + #include "test.h" + #include "utils.h" ++#include <dbus/dbus-connection-internal.h> + #include <dbus/dbus-internals.h> + #include <dbus/dbus-hash.h> + #include <dbus/dbus-list.h> +@@ -94,6 +95,8 @@ struct BusPendingActivationEntry + DBusConnection *connection; + + dbus_bool_t auto_activation; ++ ++ dbus_bool_t is_put_back; + }; + + typedef struct +@@ -1241,20 +1244,23 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation + BusPendingActivationEntry *entry = link->data; + DBusList *next = _dbus_list_get_next_link (&pending_activation->entries, link); + +- if (entry->auto_activation && (entry->connection == NULL || dbus_connection_get_is_connected (entry->connection))) ++ if (entry->auto_activation && !entry->is_put_back && ++ (entry->connection == NULL || dbus_connection_get_is_connected (entry->connection))) + { + DBusConnection *addressed_recipient; + DBusError error; ++ BusResult res; + + dbus_error_init (&error); + + addressed_recipient = bus_service_get_primary_owners_connection (service); + + /* Resume dispatching where we left off in bus_dispatch() */ +- if (!bus_dispatch_matches (transaction, +- entry->connection, +- addressed_recipient, +- entry->activation_message, &error)) ++ res = bus_dispatch_matches (transaction, ++ entry->connection, ++ addressed_recipient, ++ entry->activation_message, &error); ++ if (res == BUS_RESULT_FALSE) + { + /* If permission is denied, we just want to return the error + * to the original method invoker; in particular, we don't +@@ -1266,9 +1272,40 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation + bus_connection_send_oom_error (entry->connection, + entry->activation_message); + } ++ } ++ else if (res == BUS_RESULT_LATER) ++ { ++ DBusList *putback_message_link = link; ++ DBusMessage *last_inserted_message = NULL; ++ ++ /* NULL entry->connection implies sending pending ActivationRequest message to systemd */ ++ if (entry->connection == NULL) ++ { ++ _dbus_assert_not_reached ("bus_dispatch_matches returned BUS_RESULT_LATER unexpectedly when sender is NULL"); ++ link = next; ++ continue; ++ } + +- link = next; +- continue; ++ /** ++ * Getting here means that policy check result is not yet available and dispatching ++ * messages from entry->connection has been disabled. ++ * Let's put back all messages for the given connection in the incoming queue and mark ++ * this entry as put back so they are not handled twice. ++ */ ++ while (putback_message_link != NULL) ++ { ++ BusPendingActivationEntry *putback_message = putback_message_link->data; ++ if (putback_message->connection == entry->connection) ++ { ++ if (!_dbus_connection_putback_message (putback_message->connection, last_inserted_message, ++ putback_message->activation_message, &error)) ++ goto error; ++ last_inserted_message = putback_message->activation_message; ++ putback_message->is_put_back = TRUE; ++ } ++ ++ putback_message_link = _dbus_list_get_next_link(&pending_activation->entries, putback_message_link); ++ } + } + } + +@@ -1286,6 +1323,19 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation + return TRUE; + + error: ++ /* remove all messages that have been put to connections' incoming queues */ ++ link = _dbus_list_get_first_link (&pending_activation->entries); ++ while (link != NULL) ++ { ++ BusPendingActivationEntry *entry = link->data; ++ if (entry->is_put_back) ++ { ++ _dbus_connection_remove_message(entry->connection, entry->activation_message); ++ entry->is_put_back = FALSE; ++ } ++ link = _dbus_list_get_next_link(&pending_activation->entries, link); ++ } ++ + return FALSE; + } + +@@ -2078,6 +2128,7 @@ bus_activation_activate_service (BusActivation *activation, + + if (service != NULL) + { ++ BusResult res; + bus_context_log (activation->context, + DBUS_SYSTEM_LOG_INFO, "Activating via systemd: service name='%s' unit='%s' requested by '%s' (%s)", + service_name, +@@ -2085,8 +2136,17 @@ bus_activation_activate_service (BusActivation *activation, + bus_connection_get_name (connection), + bus_connection_get_loginfo (connection)); + /* Wonderful, systemd is connected, let's just send the msg */ +- retval = bus_dispatch_matches (activation_transaction, NULL, ++ res = bus_dispatch_matches (activation_transaction, NULL, + systemd, message, error); ++ ++ if (res == BUS_RESULT_TRUE) ++ retval = TRUE; ++ else ++ { ++ retval = FALSE; ++ if (res == BUS_RESULT_LATER) ++ _dbus_verbose("Unexpectedly need time to check message from bus driver to systemd - dropping the message.\n"); ++ } + } + else + { +diff --git a/bus/check.c b/bus/check.c +index 5b72d31..4b8a699 100644 +--- a/bus/check.c ++++ b/bus/check.c +@@ -55,6 +55,8 @@ typedef struct BusDeferredMessage + BusCheckResponseFunc response_callback; + } BusDeferredMessage; + ++static dbus_int32_t deferred_message_data_slot = -1; ++ + BusCheck * + bus_check_new (BusContext *context, DBusError *error) + { +@@ -67,11 +69,19 @@ bus_check_new (BusContext *context, DBusError *error) + return NULL; + } + ++ if (!dbus_message_allocate_data_slot(&deferred_message_data_slot)) ++ { ++ dbus_free(check); ++ BUS_SET_OOM(error); ++ return NULL; ++ } ++ + check->refcount = 1; + check->context = context; + check->cynara = bus_cynara_new(check, error); + if (dbus_error_is_set(error)) + { ++ dbus_message_free_data_slot(&deferred_message_data_slot); + dbus_free(check); + return NULL; + } +@@ -98,6 +108,7 @@ bus_check_unref (BusCheck *check) + if (check->refcount == 0) + { + bus_cynara_unref(check->cynara); ++ dbus_message_free_data_slot(&deferred_message_data_slot); + dbus_free(check); + } + } +@@ -114,6 +125,45 @@ bus_check_get_cynara (BusCheck *check) + return check->cynara; + } + ++static void ++bus_check_enable_dispatch_callback (BusDeferredMessage *deferred_message, ++ BusResult result) ++{ ++ _dbus_verbose("bus_check_enable_dispatch_callback called deferred_message=%p\n", deferred_message); ++ ++ deferred_message->response = result; ++ _dbus_connection_enable_dispatch(deferred_message->sender); ++} ++ ++static void ++deferred_message_free_function(void *data) ++{ ++ BusDeferredMessage *deferred_message = (BusDeferredMessage *)data; ++ bus_deferred_message_unref(deferred_message); ++} ++ ++void ++bus_deferred_message_disable_sender (BusDeferredMessage *deferred_message) ++{ ++ _dbus_assert(deferred_message != NULL); ++ _dbus_assert(deferred_message->sender != NULL); ++ ++ if (dbus_message_get_data(deferred_message->message, deferred_message_data_slot) == NULL) ++ { ++ if (dbus_message_set_data(deferred_message->message, deferred_message_data_slot, deferred_message, ++ deferred_message_free_function)) ++ bus_deferred_message_ref(deferred_message); ++ } ++ ++ _dbus_connection_disable_dispatch(deferred_message->sender); ++ deferred_message->response_callback = bus_check_enable_dispatch_callback; ++} ++ ++#ifdef DBUS_ENABLE_EMBEDDED_TESTS ++BusResult (*bus_check_test_override) (DBusConnection *connection, ++ const char *privilege); ++#endif ++ + BusResult + bus_check_privilege (BusCheck *check, + DBusMessage *message, +@@ -124,6 +174,7 @@ bus_check_privilege (BusCheck *check, + BusDeferredMessageStatus check_type, + BusDeferredMessage **deferred_message) + { ++ BusDeferredMessage *previous_deferred_message; + BusResult result = BUS_RESULT_FALSE; + #ifdef DBUS_ENABLE_CYNARA + BusCynara *cynara; +@@ -137,16 +188,54 @@ bus_check_privilege (BusCheck *check, + return BUS_RESULT_FALSE; + } + +- /* ask policy checkers */ +-#ifdef DBUS_ENABLE_CYNARA +- cynara = bus_check_get_cynara(check); +- result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient, +- proposed_recipient, privilege, check_type, deferred_message); ++#ifdef DBUS_ENABLE_EMBEDDED_TESTS ++ if (bus_check_test_override) ++ return bus_check_test_override (connection, privilege); + #endif + +- if (result == BUS_RESULT_LATER && deferred_message != NULL) ++ previous_deferred_message = dbus_message_get_data(message, deferred_message_data_slot); ++ /* check if message blocked at sender's queue is being processed */ ++ if (previous_deferred_message != NULL) ++ { ++ if ((check_type & BUS_DEFERRED_MESSAGE_CHECK_SEND) && ++ !(previous_deferred_message->status & BUS_DEFERRED_MESSAGE_CHECK_SEND)) ++ { ++ /** ++ * Message has been deferred due to receive or own rule which means that sending this message ++ * is allowed - it must have been checked previously. ++ * This might happen when client calls RequestName method which depending on security ++ * policy might result in both "can_send" and "can_own" Cynara checks. ++ */ ++ result = BUS_RESULT_TRUE; ++ } ++ else ++ { ++ result = previous_deferred_message->response; ++ if (result == BUS_RESULT_LATER) ++ { ++ /* result is still not known - reuse deferred message object */ ++ if (deferred_message != NULL) ++ *deferred_message = previous_deferred_message; ++ } ++ else ++ { ++ /* result is available - we can remove deferred message from the processed message */ ++ dbus_message_set_data(message, deferred_message_data_slot, NULL, NULL); ++ } ++ } ++ } ++ else + { +- (*deferred_message)->status |= check_type; ++ /* ask policy checkers */ ++#ifdef DBUS_ENABLE_CYNARA ++ cynara = bus_check_get_cynara(check); ++ result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient, ++ proposed_recipient, privilege, check_type, deferred_message); ++#endif ++ if (result == BUS_RESULT_LATER && deferred_message != NULL) ++ { ++ (*deferred_message)->status |= check_type; ++ } + } + return result; + } +@@ -206,6 +295,12 @@ bus_deferred_message_unref (BusDeferredMessage *deferred_message) + } + } + ++BusDeferredMessageStatus ++bus_deferred_message_get_status (BusDeferredMessage *deferred_message) ++{ ++ return deferred_message->status; ++} ++ + void + bus_deferred_message_response_received (BusDeferredMessage *deferred_message, + BusResult result) +diff --git a/bus/check.h b/bus/check.h +index c3fcaf9..d177549 100644 +--- a/bus/check.h ++++ b/bus/check.h +@@ -55,6 +55,7 @@ BusResult bus_check_privilege (BusCheck *check, + BusDeferredMessageStatus check_type, + BusDeferredMessage **deferred_message); + ++ + BusDeferredMessage *bus_deferred_message_new (DBusMessage *message, + DBusConnection *sender, + DBusConnection *addressed_recipient, +@@ -65,4 +66,13 @@ BusDeferredMessage *bus_deferred_message_ref (BusDeferredMessage + void bus_deferred_message_unref (BusDeferredMessage *deferred_message); + void bus_deferred_message_response_received (BusDeferredMessage *deferred_message, + BusResult result); ++void bus_deferred_message_disable_sender (BusDeferredMessage *deferred_message); ++ ++BusDeferredMessageStatus bus_deferred_message_get_status (BusDeferredMessage *deferred_message); ++ ++#ifdef DBUS_ENABLE_EMBEDDED_TESTS ++extern BusResult (*bus_check_test_override) (DBusConnection *connection, ++ const char *privilege); ++#endif ++ + #endif /* BUS_CHECK_H */ +diff --git a/bus/cynara.c b/bus/cynara.c +index 57a4c45..77aed62 100644 +--- a/bus/cynara.c ++++ b/bus/cynara.c +@@ -36,7 +36,6 @@ + #include <cynara-client-async.h> + #endif + +- + #ifdef DBUS_ENABLE_CYNARA + typedef struct BusCynara + { +diff --git a/bus/dispatch.c b/bus/dispatch.c +index d3867f7..50a22a3 100644 +--- a/bus/dispatch.c ++++ b/bus/dispatch.c +@@ -35,6 +35,7 @@ + #include "signals.h" + #include "test.h" + #include <dbus/dbus-internals.h> ++#include <dbus/dbus-connection-internal.h> + #include <dbus/dbus-misc.h> + #include <string.h> + +@@ -122,7 +123,7 @@ send_one_message (DBusConnection *connection, + return TRUE; + } + +-dbus_bool_t ++BusResult + bus_dispatch_matches (BusTransaction *transaction, + DBusConnection *sender, + DBusConnection *addressed_recipient, +@@ -158,13 +159,29 @@ bus_dispatch_matches (BusTransaction *transaction, + message, NULL, error, + &deferred_message); + if (res == BUS_RESULT_FALSE) +- return FALSE; ++ return BUS_RESULT_FALSE; + else if (res == BUS_RESULT_LATER) + { +- dbus_set_error (error, +- DBUS_ERROR_ACCESS_DENIED, +- "Rejecting message because time is needed to check security policy"); +- return FALSE; ++ BusDeferredMessageStatus status; ++ status = bus_deferred_message_get_status(deferred_message); ++ ++ if (status & BUS_DEFERRED_MESSAGE_CHECK_SEND) ++ { ++ /* send rule result not available - disable dispatching messages from the sender */ ++ bus_deferred_message_disable_sender(deferred_message); ++ return BUS_RESULT_LATER; ++ } ++ else if (status & BUS_DEFERRED_MESSAGE_CHECK_RECEIVE) ++ { ++ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, ++ "Rejecting message because time is needed to check security policy"); ++ return BUS_RESULT_FALSE; ++ } ++ else ++ { ++ _dbus_verbose("deferred message has no status field set to send or receive unexpectedly\n"); ++ return BUS_RESULT_FALSE; ++ } + } + + if (dbus_message_contains_unix_fds (message) && +@@ -175,14 +192,14 @@ bus_dispatch_matches (BusTransaction *transaction, + DBUS_ERROR_NOT_SUPPORTED, + "Tried to send message with Unix file descriptors" + "to a client that doesn't support that."); +- return FALSE; +- } ++ return BUS_RESULT_FALSE; ++ } + + /* Dispatch the message */ + if (!bus_transaction_send (transaction, addressed_recipient, message)) + { + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + } + +@@ -197,7 +214,7 @@ bus_dispatch_matches (BusTransaction *transaction, + &recipients)) + { + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + link = _dbus_list_get_first_link (&recipients); +@@ -219,10 +236,10 @@ bus_dispatch_matches (BusTransaction *transaction, + if (dbus_error_is_set (&tmp_error)) + { + dbus_move_error (&tmp_error, error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + else +- return TRUE; ++ return BUS_RESULT_TRUE; + } + + static DBusHandlerResult +@@ -409,10 +426,12 @@ bus_dispatch (DBusConnection *connection, + } + else if (res == BUS_RESULT_LATER) + { +- dbus_set_error (&error, +- DBUS_ERROR_ACCESS_DENIED, +- "Rejecting message because time is needed to check security policy"); +- _dbus_verbose ("Security policy needs time to check policy. Dropping message\n"); ++ /* Disable dispatching messages from the sender, ++ * roll back and dispatch the message once the policy result is available */ ++ bus_deferred_message_disable_sender(deferred_message); ++ bus_transaction_cancel_and_free (transaction); ++ transaction = NULL; ++ result = DBUS_HANDLER_RESULT_LATER; + goto out; + } + +@@ -514,8 +533,14 @@ bus_dispatch (DBusConnection *connection, + * addressed_recipient == NULL), and match it against other connections' + * match rules. + */ +- if (!bus_dispatch_matches (transaction, connection, addressed_recipient, message, &error)) +- goto out; ++ if (BUS_RESULT_LATER == bus_dispatch_matches (transaction, connection, addressed_recipient, ++ message, &error)) ++ { ++ /* Roll back and dispatch the message once the policy result is available */ ++ bus_transaction_cancel_and_free (transaction); ++ transaction = NULL; ++ result = DBUS_HANDLER_RESULT_LATER; ++ } + + out: + if (dbus_error_is_set (&error)) +@@ -5060,9 +5085,132 @@ bus_dispatch_test_conf_fail (const DBusString *test_data_dir, + } + #endif + ++typedef struct { ++ DBusTimeout *timeout; ++ DBusConnection *connection; ++ dbus_bool_t timedout; ++ int check_counter; ++} BusTestCheckData; ++ ++static BusTestCheckData *cdata; ++ ++static dbus_bool_t ++bus_dispatch_test_check_timeout (void *data) ++{ ++ _dbus_verbose ("timeout triggered - pretend that privilege check result is available\n"); ++ ++ /* should only happen once during the test */ ++ _dbus_assert (!cdata->timedout); ++ cdata->timedout = TRUE; ++ _dbus_connection_enable_dispatch (cdata->connection); ++ ++ /* don't call this again */ ++ _dbus_loop_remove_timeout (bus_connection_get_loop (cdata->connection), ++ cdata->timeout); ++ dbus_connection_unref (cdata->connection); ++ cdata->connection = NULL; ++ return TRUE; ++} ++ ++static BusResult ++bus_dispatch_test_check_override (DBusConnection *connection, ++ const char *privilege) ++{ ++ _dbus_verbose ("overriding privilege check %s #%d\n", privilege, cdata->check_counter); ++ cdata->check_counter++; ++ if (!cdata->timedout) ++ { ++ dbus_bool_t added; ++ ++ /* Should be the first privilege check for the "Echo" method. */ ++ _dbus_assert (cdata->check_counter == 1); ++ cdata->timeout = _dbus_timeout_new (1, bus_dispatch_test_check_timeout, ++ NULL, NULL); ++ _dbus_assert (cdata->timeout); ++ added = _dbus_loop_add_timeout (bus_connection_get_loop (connection), ++ cdata->timeout); ++ _dbus_assert (added); ++ cdata->connection = connection; ++ dbus_connection_ref (connection); ++ _dbus_connection_disable_dispatch (connection); ++ return BUS_RESULT_LATER; ++ } ++ else ++ { ++ /* Should only be checked one more time, and this time succeeds. */ ++ _dbus_assert (cdata->check_counter == 2); ++ return BUS_RESULT_TRUE; ++ } ++} ++ ++static dbus_bool_t ++bus_dispatch_test_check (const DBusString *test_data_dir) ++{ ++ const char *filename = "valid-config-files/debug-check-some.conf"; ++ BusContext *context; ++ DBusConnection *foo; ++ DBusError error; ++ dbus_bool_t result = TRUE; ++ BusTestCheckData data; ++ ++ /* save the config name for the activation helper */ ++ if (!setenv_TEST_LAUNCH_HELPER_CONFIG (test_data_dir, filename)) ++ _dbus_assert_not_reached ("no memory setting TEST_LAUNCH_HELPER_CONFIG"); ++ ++ dbus_error_init (&error); ++ ++ context = bus_context_new_test (test_data_dir, filename); ++ if (context == NULL) ++ return FALSE; ++ ++ foo = dbus_connection_open_private (TEST_DEBUG_PIPE, &error); ++ if (foo == NULL) ++ _dbus_assert_not_reached ("could not alloc connection"); ++ ++ if (!bus_setup_debug_client (foo)) ++ _dbus_assert_not_reached ("could not set up connection"); ++ ++ spin_connection_until_authenticated (context, foo); ++ ++ if (!check_hello_message (context, foo)) ++ _dbus_assert_not_reached ("hello message failed"); ++ ++ if (!check_double_hello_message (context, foo)) ++ _dbus_assert_not_reached ("double hello message failed"); ++ ++ if (!check_add_match (context, foo, "")) ++ _dbus_assert_not_reached ("AddMatch message failed"); ++ ++ /* ++ * Cause bus_check_send_privilege() to return BUS_RESULT_LATER in the ++ * first call, then BUS_RESULT_TRUE. ++ */ ++ cdata = &data; ++ memset (cdata, 0, sizeof(*cdata)); ++ bus_check_test_override = bus_dispatch_test_check_override; ++ ++ result = check_existent_service_auto_start (context, foo); ++ ++ _dbus_assert (cdata->check_counter == 2); ++ _dbus_assert (cdata->timedout); ++ _dbus_assert (cdata->timeout); ++ _dbus_assert (!cdata->connection); ++ _dbus_timeout_unref (cdata->timeout); ++ ++ kill_client_connection_unchecked (foo); ++ ++ bus_context_unref (context); ++ ++ return result; ++} ++ + dbus_bool_t + bus_dispatch_test (const DBusString *test_data_dir) + { ++ _dbus_verbose ("<check> tests\n"); ++ if (!bus_dispatch_test_check (test_data_dir)) ++ return FALSE; ++ + /* run normal activation tests */ + _dbus_verbose ("Normal activation tests\n"); + if (!bus_dispatch_test_conf (test_data_dir, +diff --git a/bus/dispatch.h b/bus/dispatch.h +index fb5ba7a..afba6a2 100644 +--- a/bus/dispatch.h ++++ b/bus/dispatch.h +@@ -29,7 +29,7 @@ + + dbus_bool_t bus_dispatch_add_connection (DBusConnection *connection); + void bus_dispatch_remove_connection (DBusConnection *connection); +-dbus_bool_t bus_dispatch_matches (BusTransaction *transaction, ++BusResult bus_dispatch_matches (BusTransaction *transaction, + DBusConnection *sender, + DBusConnection *recipient, + DBusMessage *message, +diff --git a/bus/driver.c b/bus/driver.c +index cd0a714..f414f64 100644 +--- a/bus/driver.c ++++ b/bus/driver.c +@@ -218,6 +218,7 @@ bus_driver_send_service_owner_changed (const char *service_name, + { + DBusMessage *message; + dbus_bool_t retval; ++ BusResult res; + const char *null_service; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); +@@ -253,7 +254,16 @@ bus_driver_send_service_owner_changed (const char *service_name, + if (!bus_transaction_capture (transaction, NULL, NULL, message)) + goto oom; + +- retval = bus_dispatch_matches (transaction, NULL, NULL, message, error); ++ res = bus_dispatch_matches (transaction, NULL, NULL, message, error); ++ if (res == BUS_RESULT_TRUE) ++ retval = TRUE; ++ else ++ { ++ retval = FALSE; ++ if (res == BUS_RESULT_LATER) ++ /* should never happen */ ++ _dbus_assert_not_reached ("bus_dispatch_matches returned BUS_RESULT_LATER unexpectedly"); ++ } + dbus_message_unref (message); + + return retval; +diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h +index 4835732..94b1c95 100644 +--- a/dbus/dbus-connection-internal.h ++++ b/dbus/dbus-connection-internal.h +@@ -118,6 +118,21 @@ DBUS_PRIVATE_EXPORT + dbus_bool_t _dbus_connection_get_linux_security_label (DBusConnection *connection, + char **label_p); + ++DBUS_PRIVATE_EXPORT ++void _dbus_connection_enable_dispatch (DBusConnection *connection); ++DBUS_PRIVATE_EXPORT ++void _dbus_connection_disable_dispatch (DBusConnection *connection); ++ ++DBUS_PRIVATE_EXPORT ++dbus_bool_t _dbus_connection_putback_message (DBusConnection *connection, ++ DBusMessage *after_message, ++ DBusMessage *message, ++ DBusError *error); ++ ++DBUS_PRIVATE_EXPORT ++dbus_bool_t _dbus_connection_remove_message (DBusConnection *connection, ++ DBusMessage *message); ++ + /* if DBUS_ENABLE_STATS */ + DBUS_PRIVATE_EXPORT + void _dbus_connection_get_stats (DBusConnection *connection, +diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c +index c525b6d..958968c 100644 +--- a/dbus/dbus-connection.c ++++ b/dbus/dbus-connection.c +@@ -311,7 +311,8 @@ struct DBusConnection + */ + dbus_bool_t dispatch_acquired; /**< Someone has dispatch path (can drain incoming queue) */ + dbus_bool_t io_path_acquired; /**< Someone has transport io path (can use the transport to read/write messages) */ +- ++ ++ unsigned int dispatch_disabled : 1; /**< if true, then dispatching incoming messages is stopped until enabled again */ + unsigned int shareable : 1; /**< #TRUE if libdbus owns a reference to the connection and can return it from dbus_connection_open() more than once */ + + unsigned int exit_on_disconnect : 1; /**< If #TRUE, exit after handling disconnect signal */ +@@ -439,6 +440,39 @@ _dbus_connection_wakeup_mainloop (DBusConnection *connection) + (*connection->wakeup_main_function) (connection->wakeup_main_data); + } + ++static void ++_dbus_connection_set_dispatch(DBusConnection *connection, ++ dbus_bool_t disabled) ++{ ++ CONNECTION_LOCK (connection); ++ if (connection->dispatch_disabled != disabled) ++ { ++ DBusDispatchStatus status; ++ ++ connection->dispatch_disabled = disabled; ++ status = _dbus_connection_get_dispatch_status_unlocked (connection); ++ _dbus_connection_update_dispatch_status_and_unlock (connection, status); ++ } ++ else ++ { ++ CONNECTION_UNLOCK (connection); ++ } ++} ++ ++ ++void ++_dbus_connection_enable_dispatch (DBusConnection *connection) ++{ ++ _dbus_connection_set_dispatch (connection, FALSE); ++} ++ ++void ++ _dbus_connection_disable_dispatch (DBusConnection *connection) ++{ ++ _dbus_connection_set_dispatch (connection, TRUE); ++} ++ ++ + #ifdef DBUS_ENABLE_EMBEDDED_TESTS + /** + * Gets the locks so we can examine them +@@ -4069,6 +4103,82 @@ _dbus_connection_putback_message_link_unlocked (DBusConnection *connection, + "_dbus_connection_putback_message_link_unlocked"); + } + ++dbus_bool_t ++_dbus_connection_putback_message (DBusConnection *connection, ++ DBusMessage *after_message, ++ DBusMessage *message, ++ DBusError *error) ++{ ++ DBusDispatchStatus status; ++ DBusList *message_link = _dbus_list_alloc_link (message); ++ DBusList *after_link; ++ if (message_link == NULL) ++ { ++ _DBUS_SET_OOM (error); ++ return FALSE; ++ } ++ dbus_message_ref (message); ++ ++ CONNECTION_LOCK (connection); ++ _dbus_connection_acquire_dispatch (connection); ++ HAVE_LOCK_CHECK (connection); ++ ++ after_link = _dbus_list_find_first(&connection->incoming_messages, after_message); ++ _dbus_list_insert_after_link (&connection->incoming_messages, after_link, message_link); ++ connection->n_incoming += 1; ++ ++ _dbus_verbose ("Message %p (%s %s %s '%s') put back into queue %p, %d incoming\n", ++ message_link->data, ++ dbus_message_type_to_string (dbus_message_get_type (message_link->data)), ++ dbus_message_get_interface (message_link->data) ? ++ dbus_message_get_interface (message_link->data) : ++ "no interface", ++ dbus_message_get_member (message_link->data) ? ++ dbus_message_get_member (message_link->data) : ++ "no member", ++ dbus_message_get_signature (message_link->data), ++ connection, connection->n_incoming); ++ ++ _dbus_message_trace_ref (message_link->data, -1, -1, ++ "_dbus_connection_putback_message"); ++ ++ _dbus_connection_release_dispatch (connection); ++ ++ status = _dbus_connection_get_dispatch_status_unlocked (connection); ++ _dbus_connection_update_dispatch_status_and_unlock (connection, status); ++ ++ return TRUE; ++} ++ ++dbus_bool_t ++_dbus_connection_remove_message (DBusConnection *connection, ++ DBusMessage *message) ++{ ++ DBusDispatchStatus status; ++ dbus_bool_t removed; ++ ++ CONNECTION_LOCK (connection); ++ _dbus_connection_acquire_dispatch (connection); ++ HAVE_LOCK_CHECK (connection); ++ ++ removed = _dbus_list_remove(&connection->incoming_messages, message); ++ ++ if (removed) ++ { ++ connection->n_incoming -= 1; ++ dbus_message_unref(message); ++ _dbus_verbose ("Message %p removed from incoming queue\n", message); ++ } ++ else ++ _dbus_verbose ("Message %p not found in the incoming queue\n", message); ++ ++ _dbus_connection_release_dispatch (connection); ++ ++ status = _dbus_connection_get_dispatch_status_unlocked (connection); ++ _dbus_connection_update_dispatch_status_and_unlock (connection, status); ++ return removed; ++} ++ + /** + * Returns the first-received message from the incoming message queue, + * removing it from the queue. The caller owns a reference to the +@@ -4252,8 +4362,9 @@ static DBusDispatchStatus + _dbus_connection_get_dispatch_status_unlocked (DBusConnection *connection) + { + HAVE_LOCK_CHECK (connection); +- +- if (connection->n_incoming > 0) ++ if (connection->dispatch_disabled && _dbus_connection_get_is_connected_unlocked(connection)) ++ return DBUS_DISPATCH_COMPLETE; ++ else if (connection->n_incoming > 0) + return DBUS_DISPATCH_DATA_REMAINS; + else if (!_dbus_transport_queue_messages (connection->transport)) + return DBUS_DISPATCH_NEED_MEMORY; +@@ -4716,6 +4827,8 @@ dbus_connection_dispatch (DBusConnection *connection) + + CONNECTION_LOCK (connection); + ++ if (result == DBUS_HANDLER_RESULT_LATER) ++ goto out; + if (result == DBUS_HANDLER_RESULT_NEED_MEMORY) + { + _dbus_verbose ("No memory\n"); +@@ -4838,9 +4951,11 @@ dbus_connection_dispatch (DBusConnection *connection) + connection); + + out: +- if (result == DBUS_HANDLER_RESULT_NEED_MEMORY) ++ if (result == DBUS_HANDLER_RESULT_LATER || ++ result == DBUS_HANDLER_RESULT_NEED_MEMORY) + { +- _dbus_verbose ("out of memory\n"); ++ if (result == DBUS_HANDLER_RESULT_NEED_MEMORY) ++ _dbus_verbose ("out of memory\n"); + + /* Put message back, and we'll start over. + * Yes this means handlers must be idempotent if they +diff --git a/dbus/dbus-list.c b/dbus/dbus-list.c +index 8e713c0..32ea871 100644 +--- a/dbus/dbus-list.c ++++ b/dbus/dbus-list.c +@@ -458,6 +458,35 @@ _dbus_list_remove_last (DBusList **list, + return FALSE; + } + ++/** ++ * Finds a value in the list. Returns the first link ++ * with value equal to the given data pointer. ++ * This is a linear-time operation. ++ * Returns #NULL if no value found that matches. ++ * ++ * @param list address of the list head. ++ * @param data the value to find. ++ * @returns the link if found ++ */ ++DBusList* ++_dbus_list_find_first (DBusList **list, ++ void *data) ++{ ++ DBusList *link; ++ ++ link = _dbus_list_get_first_link (list); ++ ++ while (link != NULL) ++ { ++ if (link->data == data) ++ return link; ++ ++ link = _dbus_list_get_next_link (list, link); ++ } ++ ++ return NULL; ++} ++ + /** + * Finds a value in the list. Returns the last link + * with value equal to the given data pointer. +diff --git a/dbus/dbus-list.h b/dbus/dbus-list.h +index 9350a0d..fee9f1b 100644 +--- a/dbus/dbus-list.h ++++ b/dbus/dbus-list.h +@@ -68,6 +68,9 @@ DBUS_PRIVATE_EXPORT + void _dbus_list_remove_link (DBusList **list, + DBusList *link); + DBUS_PRIVATE_EXPORT ++DBusList* _dbus_list_find_first (DBusList **list, ++ void *data); ++DBUS_PRIVATE_EXPORT + DBusList* _dbus_list_find_last (DBusList **list, + void *data); + DBUS_PRIVATE_EXPORT +diff --git a/dbus/dbus-shared.h b/dbus/dbus-shared.h +index 7ab9103..e5bfbed 100644 +--- a/dbus/dbus-shared.h ++++ b/dbus/dbus-shared.h +@@ -67,7 +67,8 @@ typedef enum + { + DBUS_HANDLER_RESULT_HANDLED, /**< Message has had its effect - no need to run more handlers. */ + DBUS_HANDLER_RESULT_NOT_YET_HANDLED, /**< Message has not had any effect - see if other handlers want it. */ +- DBUS_HANDLER_RESULT_NEED_MEMORY /**< Need more memory in order to return #DBUS_HANDLER_RESULT_HANDLED or #DBUS_HANDLER_RESULT_NOT_YET_HANDLED. Please try again later with more memory. */ ++ DBUS_HANDLER_RESULT_NEED_MEMORY, /**< Need more memory in order to return #DBUS_HANDLER_RESULT_HANDLED or #DBUS_HANDLER_RESULT_NOT_YET_HANDLED. Please try again later with more memory. */ ++ DBUS_HANDLER_RESULT_LATER /**< Message dispatch deferred due to pending policy check */ + } DBusHandlerResult; + + /* Bus names */ +-- +2.17.2 + diff --git a/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch new file mode 100644 index 00000000..1c2ab2bc --- /dev/null +++ b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch @@ -0,0 +1,1082 @@ +From fdc3d7086c8f7a623e3da80e559708545b9201fc Mon Sep 17 00:00:00 2001 +From: Jacek Bukarewicz <j.bukarewicz@samsung.com> +Date: Fri, 28 Nov 2014 12:39:33 +0100 +Subject: Handle unavailability of policy results for broadcasts and receive + rules +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When message is sent to the addressed recipient and receive rule +result is unavailable we don't want to block the sender +as it most likely will be the privileged service, so instead we queue +it at the recipient. Any further messages sent to it will be queued to +maintain message order. Once the answer from Cynara arrives messages are +dispatched from the recipient queue. In such case full dispatch is +performed - messages are sent to addressed recipient and other +interested connections. +Messages sent to non-addressed recipients (eavesdroppers or broadcast +message recipients) are handled in a similar way. The difference is +that it is not full dispatch meaning message is sent to a single recipient. + +Cherry picked from 1e231194610892dd4360224998d91336097b05a1 by Jose Bollo + +Updated for dbus 1.10.20 by Scott Murray and José Bollo + +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +Signed-off-by: Scott Murray <scott.murray@konsulko.com> + +diff --git a/bus/activation.c b/bus/activation.c +index 005047f..ffdc6fc 100644 +--- a/bus/activation.c ++++ b/bus/activation.c +@@ -1259,7 +1259,7 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation + res = bus_dispatch_matches (transaction, + entry->connection, + addressed_recipient, +- entry->activation_message, &error); ++ entry->activation_message, NULL, &error); + if (res == BUS_RESULT_FALSE) + { + /* If permission is denied, we just want to return the error +@@ -2137,7 +2137,7 @@ bus_activation_activate_service (BusActivation *activation, + bus_connection_get_loginfo (connection)); + /* Wonderful, systemd is connected, let's just send the msg */ + res = bus_dispatch_matches (activation_transaction, NULL, +- systemd, message, error); ++ systemd, message, NULL, error); + + if (res == BUS_RESULT_TRUE) + retval = TRUE; +diff --git a/bus/bus.c b/bus/bus.c +index 237efe3..5bb5637 100644 +--- a/bus/bus.c ++++ b/bus/bus.c +@@ -1800,17 +1800,9 @@ bus_context_check_security_policy (BusContext *context, + } + + /* See if limits on size have been exceeded */ +- if (proposed_recipient && +- ((dbus_connection_get_outgoing_size (proposed_recipient) > context->limits.max_outgoing_bytes) || +- (dbus_connection_get_outgoing_unix_fds (proposed_recipient) > context->limits.max_outgoing_unix_fds))) +- { +- complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED, +- "Rejected: destination has a full message queue", +- 0, message, sender, proposed_recipient, requested_reply, TRUE, NULL, +- error); +- _dbus_verbose ("security policy disallowing message due to full message queue\n"); ++ if (!bus_context_check_recipient_message_limits(context, proposed_recipient, sender, message, ++ requested_reply, error)) + return BUS_RESULT_FALSE; +- } + + /* Record that we will allow a reply here in the future (don't + * bother if the recipient is the bus or this is an eavesdropping +@@ -1869,3 +1861,41 @@ bus_context_check_all_watches (BusContext *context) + _dbus_server_toggle_all_watches (server, enabled); + } + } ++ ++void ++bus_context_complain_about_message (BusContext *context, ++ const char *error_name, ++ const char *complaint, ++ int matched_rules, ++ DBusMessage *message, ++ DBusConnection *sender, ++ DBusConnection *proposed_recipient, ++ dbus_bool_t requested_reply, ++ dbus_bool_t log, ++ const char *privilege, ++ DBusError *error) ++{ ++ complain_about_message(context, error_name, complaint, matched_rules, message, sender, ++ proposed_recipient, requested_reply, log, privilege, error); ++} ++ ++dbus_bool_t bus_context_check_recipient_message_limits (BusContext *context, ++ DBusConnection *recipient, ++ DBusConnection *sender, ++ DBusMessage *message, ++ dbus_bool_t requested_reply, ++ DBusError *error) ++{ ++ if (recipient && ++ ((dbus_connection_get_outgoing_size (recipient) > context->limits.max_outgoing_bytes) || ++ (dbus_connection_get_outgoing_unix_fds (recipient) > context->limits.max_outgoing_unix_fds))) ++ { ++ complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED, ++ "Rejected: destination has a full message queue", ++ 0, message, sender, recipient, requested_reply, TRUE, NULL, ++ error); ++ _dbus_verbose ("security policy disallowing message due to full message queue\n"); ++ return FALSE; ++ } ++ return TRUE; ++} +diff --git a/bus/bus.h b/bus/bus.h +index 82c32c8..1b08f7c 100644 +--- a/bus/bus.h ++++ b/bus/bus.h +@@ -164,4 +164,23 @@ BusResult bus_context_check_security_policy (BusContext + BusDeferredMessage **deferred_message); + void bus_context_check_all_watches (BusContext *context); + ++dbus_bool_t bus_context_check_recipient_message_limits (BusContext *context, ++ DBusConnection *recipient, ++ DBusConnection *sender, ++ DBusMessage *message, ++ dbus_bool_t requested_reply, ++ DBusError *error); ++void bus_context_complain_about_message (BusContext *context, ++ const char *error_name, ++ const char *complaint, ++ int matched_rules, ++ DBusMessage *message, ++ DBusConnection *sender, ++ DBusConnection *proposed_recipient, ++ dbus_bool_t requested_reply, ++ dbus_bool_t log, ++ const char *privilege, ++ DBusError *error); ++ ++ + #endif /* BUS_BUS_H */ +diff --git a/bus/check.c b/bus/check.c +index 4b8a699..f3d283f 100644 +--- a/bus/check.c ++++ b/bus/check.c +@@ -49,6 +49,9 @@ typedef struct BusDeferredMessage + DBusConnection *sender; + DBusConnection *proposed_recipient; + DBusConnection *addressed_recipient; ++ dbus_bool_t requested_reply; ++ int matched_rules; ++ const char *privilege; + dbus_bool_t full_dispatch; + BusDeferredMessageStatus status; + BusResult response; +@@ -135,6 +138,89 @@ bus_check_enable_dispatch_callback (BusDeferredMessage *deferred_message, + _dbus_connection_enable_dispatch(deferred_message->sender); + } + ++static void ++bus_check_queued_message_reply_callback (BusDeferredMessage *deferred_message, ++ BusResult result) ++{ ++ int status; ++ ++ _dbus_verbose("bus_check_queued_message_reply_callback called message=%p\n", deferred_message); ++ ++ if (!bus_connection_is_active(deferred_message->proposed_recipient)) ++ return; ++ ++ status = deferred_message->status; ++ ++ deferred_message->status = 0; /* mark message as not waiting for response */ ++ deferred_message->response = result; ++ ++ /* ++ * If send rule allows us to send message we still need to check receive rules. ++ */ ++ if ((status & BUS_DEFERRED_MESSAGE_CHECK_SEND) && (result == BUS_RESULT_TRUE)) ++ { ++ int toggles; ++ BusContext *context; ++ BusRegistry *registry; ++ BusClientPolicy *recipient_policy; ++ BusDeferredMessage *deferred_message_receive; ++ ++ context = bus_connection_get_context(deferred_message->proposed_recipient); ++ registry = bus_context_get_registry(context); ++ recipient_policy = bus_connection_get_policy(deferred_message->proposed_recipient); ++ ++ deferred_message->response = bus_client_policy_check_can_receive(recipient_policy, registry, ++ deferred_message->requested_reply, deferred_message->sender, ++ deferred_message->addressed_recipient, deferred_message->proposed_recipient, deferred_message->message, ++ &toggles, NULL, &deferred_message_receive); ++ if (deferred_message->response == BUS_RESULT_LATER) ++ { ++ /* replace deferred message associated with send check with the one associated with ++ * receive check */ ++ if (!bus_deferred_message_replace(deferred_message, deferred_message_receive)) ++ { ++ /* failed to replace deferred message (due to oom). Set it to rejected */ ++ deferred_message->response = BUS_RESULT_FALSE; ++ } ++ } ++ } ++ ++ bus_connection_dispatch_deferred(deferred_message->proposed_recipient); ++} ++ ++static void ++queue_deferred_message_cancel_transaction_hook (void *data) ++{ ++ BusDeferredMessage *deferred_message = (BusDeferredMessage *)data; ++ bus_connection_remove_deferred_message(deferred_message->proposed_recipient, deferred_message); ++} ++ ++ ++dbus_bool_t ++bus_deferred_message_queue_at_recipient (BusDeferredMessage *deferred_message, ++ BusTransaction *transaction, ++ dbus_bool_t full_dispatch, ++ dbus_bool_t prepend) ++{ ++ _dbus_assert(deferred_message != NULL); ++ _dbus_assert(deferred_message->proposed_recipient != NULL); ++ ++ if (!bus_connection_queue_deferred_message(deferred_message->proposed_recipient, ++ deferred_message, prepend)) ++ return FALSE; ++ ++ if (!bus_transaction_add_cancel_hook(transaction, queue_deferred_message_cancel_transaction_hook, ++ deferred_message, NULL)) ++ { ++ bus_connection_remove_deferred_message(deferred_message->proposed_recipient, deferred_message); ++ return FALSE; ++ } ++ deferred_message->response_callback = bus_check_queued_message_reply_callback; ++ deferred_message->full_dispatch = full_dispatch; ++ ++ return TRUE; ++} ++ + static void + deferred_message_free_function(void *data) + { +@@ -159,6 +245,20 @@ bus_deferred_message_disable_sender (BusDeferredMessage *deferred_message) + deferred_message->response_callback = bus_check_enable_dispatch_callback; + } + ++void ++bus_deferred_message_set_policy_check_info (BusDeferredMessage *deferred_message, ++ dbus_bool_t requested_reply, ++ int matched_rules, ++ const char *privilege) ++{ ++ _dbus_assert(deferred_message != NULL); ++ ++ deferred_message->requested_reply = requested_reply; ++ deferred_message->matched_rules = matched_rules; ++ deferred_message->privilege = privilege; ++} ++ ++ + #ifdef DBUS_ENABLE_EMBEDDED_TESTS + BusResult (*bus_check_test_override) (DBusConnection *connection, + const char *privilege); +@@ -259,6 +359,9 @@ BusDeferredMessage *bus_deferred_message_new (DBusMessage *message, + deferred_message->addressed_recipient = addressed_recipient != NULL ? dbus_connection_ref(addressed_recipient) : NULL; + deferred_message->proposed_recipient = proposed_recipient != NULL ? dbus_connection_ref(proposed_recipient) : NULL; + deferred_message->message = dbus_message_ref(message); ++ deferred_message->requested_reply = FALSE; ++ deferred_message->matched_rules = 0; ++ deferred_message->privilege = NULL; + deferred_message->response = response; + deferred_message->status = 0; + deferred_message->full_dispatch = FALSE; +@@ -295,12 +398,215 @@ bus_deferred_message_unref (BusDeferredMessage *deferred_message) + } + } + ++dbus_bool_t ++bus_deferred_message_check_message_limits (BusDeferredMessage *deferred_message, DBusError *error) ++{ ++ BusContext *context = bus_connection_get_context(deferred_message->proposed_recipient); ++ ++ return bus_context_check_recipient_message_limits(context, deferred_message->proposed_recipient, ++ deferred_message->sender, deferred_message->message, deferred_message->requested_reply, ++ error); ++} ++ ++dbus_bool_t ++bus_deferred_message_expect_method_reply(BusDeferredMessage *deferred_message, BusTransaction *transaction, DBusError *error) ++{ ++ int type = dbus_message_get_type(deferred_message->message); ++ if (type == DBUS_MESSAGE_TYPE_METHOD_CALL && ++ deferred_message->sender && ++ deferred_message->addressed_recipient && ++ deferred_message->addressed_recipient == deferred_message->proposed_recipient && /* not eavesdropping */ ++ !bus_connections_expect_reply (bus_connection_get_connections (deferred_message->sender), ++ transaction, ++ deferred_message->sender, deferred_message->addressed_recipient, ++ deferred_message->message, error)) ++ { ++ _dbus_verbose ("Failed to record reply expectation or problem with the message expecting a reply\n"); ++ return FALSE; ++ } ++ return TRUE; ++} ++ ++void ++bus_deferred_message_create_error(BusDeferredMessage *deferred_message, ++ const char *error_message, DBusError *error) ++{ ++ BusContext *context; ++ _dbus_assert (deferred_message->status == 0 && deferred_message->response == BUS_RESULT_FALSE); ++ ++ if (deferred_message->sender == NULL) ++ return; /* error won't be sent to bus driver anyway */ ++ ++ context = bus_connection_get_context(deferred_message->sender); ++ bus_context_complain_about_message(context, DBUS_ERROR_ACCESS_DENIED, "Rejected message", ++ deferred_message->matched_rules, deferred_message->message, deferred_message->sender, ++ deferred_message->proposed_recipient, deferred_message->requested_reply, FALSE, ++ deferred_message->privilege, error); ++} ++ ++BusResult ++bus_deferred_message_dispatch (BusDeferredMessage *deferred_message) ++{ ++ BusContext *context = bus_connection_get_context (deferred_message->proposed_recipient); ++ BusTransaction *transaction = bus_transaction_new (context); ++ BusResult result = BUS_RESULT_TRUE; ++ DBusError error; ++ ++ if (transaction == NULL) ++ { ++ return BUS_RESULT_FALSE; ++ } ++ ++ dbus_error_init(&error); ++ ++ if (!deferred_message->full_dispatch) ++ { ++ result = deferred_message->response; ++ if (result == BUS_RESULT_TRUE) ++ { ++ if (!bus_context_check_recipient_message_limits(context, deferred_message->proposed_recipient, ++ deferred_message->sender, deferred_message->message, deferred_message->requested_reply, &error)) ++ result = BUS_RESULT_FALSE; ++ } ++ else if (result == BUS_RESULT_LATER) ++ { ++ BusDeferredMessage *deferred_message2; ++ result = bus_context_check_security_policy (context, transaction, ++ deferred_message->sender, ++ deferred_message->addressed_recipient, ++ deferred_message->proposed_recipient, ++ deferred_message->message, NULL, NULL, ++ &deferred_message2); ++ ++ if (result == BUS_RESULT_LATER) ++ { ++ /* prepend at recipient */ ++ if (!bus_deferred_message_queue_at_recipient(deferred_message2, transaction, ++ FALSE, TRUE)) ++ result = BUS_RESULT_FALSE; ++ } ++ } ++ ++ /* silently drop messages on access denial */ ++ if (result == BUS_RESULT_TRUE) ++ { ++ if (!bus_transaction_send (transaction, deferred_message->proposed_recipient, deferred_message->message, TRUE)) ++ result = BUS_RESULT_FALSE; ++ } ++ ++ bus_transaction_execute_and_free(transaction); ++ ++ goto out; ++ } ++ ++ /* do not attempt to send message if sender has disconnected */ ++ if (deferred_message->sender != NULL && !bus_connection_is_active(deferred_message->sender)) ++ { ++ bus_transaction_cancel_and_free(transaction); ++ result = BUS_RESULT_FALSE; ++ goto out; ++ } ++ ++ result = bus_dispatch_matches(transaction, deferred_message->sender, ++ deferred_message->addressed_recipient, deferred_message->message, deferred_message, &error); ++ ++ if (result == BUS_RESULT_LATER) ++ { ++ /* Message deferring was already done in bus_dispatch_matches */ ++ bus_transaction_cancel_and_free(transaction); ++ goto out; ++ } ++ ++ /* this part is a copy & paste from bus_dispatch function. Probably can be moved to a function */ ++ if (dbus_error_is_set (&error)) ++ { ++ if (!dbus_connection_get_is_connected (deferred_message->sender)) ++ { ++ /* If we disconnected it, we won't bother to send it any error ++ * messages. ++ */ ++ _dbus_verbose ("Not sending error to connection we disconnected\n"); ++ } ++ else if (dbus_error_has_name (&error, DBUS_ERROR_NO_MEMORY)) ++ { ++ bus_connection_send_oom_error (deferred_message->sender, deferred_message->message); ++ ++ /* cancel transaction due to OOM */ ++ if (transaction != NULL) ++ { ++ bus_transaction_cancel_and_free (transaction); ++ transaction = NULL; ++ } ++ } ++ else ++ { ++ /* Try to send the real error, if no mem to do that, send ++ * the OOM error ++ */ ++ _dbus_assert (transaction != NULL); ++ if (!bus_transaction_send_error_reply (transaction, deferred_message->sender, ++ &error, deferred_message->message)) ++ { ++ bus_connection_send_oom_error (deferred_message->sender, deferred_message->message); ++ ++ /* cancel transaction due to OOM */ ++ if (transaction != NULL) ++ { ++ bus_transaction_cancel_and_free (transaction); ++ transaction = NULL; ++ } ++ } ++ } ++ } ++ ++ if (transaction != NULL) ++ { ++ bus_transaction_execute_and_free (transaction); ++ } ++ ++out: ++ dbus_error_free(&error); ++ ++ return result; ++} ++ ++dbus_bool_t ++bus_deferred_message_replace (BusDeferredMessage *old_message, BusDeferredMessage *new_message) ++{ ++ if (bus_connection_replace_deferred_message(old_message->proposed_recipient, ++ old_message, new_message)) ++ { ++ new_message->response_callback = old_message->response_callback; ++ new_message->full_dispatch = old_message->full_dispatch; ++ return TRUE; ++ } ++ return FALSE; ++} ++ ++dbus_bool_t ++bus_deferred_message_waits_for_check(BusDeferredMessage *deferred_message) ++{ ++ return deferred_message->status != 0; ++} ++ ++DBusConnection * ++bus_deferred_message_get_recipient(BusDeferredMessage *deferred_message) ++{ ++ return deferred_message->proposed_recipient; ++} ++ + BusDeferredMessageStatus + bus_deferred_message_get_status (BusDeferredMessage *deferred_message) + { + return deferred_message->status; + } + ++BusResult ++bus_deferred_message_get_response (BusDeferredMessage *deferred_message) ++{ ++ return deferred_message->response; ++} ++ + void + bus_deferred_message_response_received (BusDeferredMessage *deferred_message, + BusResult result) +@@ -310,3 +616,4 @@ bus_deferred_message_response_received (BusDeferredMessage *deferred_message, + deferred_message->response_callback(deferred_message, result); + } + } ++ +diff --git a/bus/check.h b/bus/check.h +index d177549..9c13c18 100644 +--- a/bus/check.h ++++ b/bus/check.h +@@ -64,12 +64,37 @@ BusDeferredMessage *bus_deferred_message_new (DBusMessage *messag + + BusDeferredMessage *bus_deferred_message_ref (BusDeferredMessage *deferred_message); + void bus_deferred_message_unref (BusDeferredMessage *deferred_message); ++BusResult bus_deferred_message_dispatch (BusDeferredMessage *deferred_message); ++dbus_bool_t bus_deferred_message_waits_for_check (BusDeferredMessage *deferred_message); ++DBusConnection *bus_deferred_message_get_recipient (BusDeferredMessage *deferred_message); + void bus_deferred_message_response_received (BusDeferredMessage *deferred_message, + BusResult result); ++dbus_bool_t bus_deferred_message_queue_at_recipient (BusDeferredMessage *deferred_message, ++ BusTransaction *transaction, ++ dbus_bool_t full_dispatch, ++ dbus_bool_t prepend); ++dbus_bool_t bus_deferred_message_replace (BusDeferredMessage *old_message, ++ BusDeferredMessage *new_message); + void bus_deferred_message_disable_sender (BusDeferredMessage *deferred_message); ++BusResult bus_deferred_message_get_response (BusDeferredMessage *deferred_message); + + BusDeferredMessageStatus bus_deferred_message_get_status (BusDeferredMessage *deferred_message); + ++ ++dbus_bool_t bus_deferred_message_expect_method_reply (BusDeferredMessage *deferred_message, ++ BusTransaction *transaction, ++ DBusError *error); ++void bus_deferred_message_create_error (BusDeferredMessage *deferred_message, ++ const char *error_message, ++ DBusError *error); ++void bus_deferred_message_set_policy_check_info (BusDeferredMessage *deferred_message, ++ dbus_bool_t requested_reply, ++ int matched_rules, ++ const char *privilege); ++dbus_bool_t bus_deferred_message_check_message_limits (BusDeferredMessage *deferred_message, ++ DBusError *error); ++ ++ + #ifdef DBUS_ENABLE_EMBEDDED_TESTS + extern BusResult (*bus_check_test_override) (DBusConnection *connection, + const char *privilege); +diff --git a/bus/connection.c b/bus/connection.c +index b348d42..ee93384 100644 +--- a/bus/connection.c ++++ b/bus/connection.c +@@ -31,11 +31,13 @@ + #include "expirelist.h" + #include "selinux.h" + #include "apparmor.h" ++#include "check.h" + #include <dbus/dbus-list.h> + #include <dbus/dbus-hash.h> + #include <dbus/dbus-timeout.h> + #include <dbus/dbus-connection-internal.h> + #include <dbus/dbus-internals.h> ++#include <dbus/dbus-message-internal.h> + #ifdef DBUS_ENABLE_CYNARA + #include <stdlib.h> + #include <cynara-session.h> +@@ -102,6 +104,7 @@ typedef struct + DBusMessage *oom_message; + DBusPreallocatedSend *oom_preallocated; + BusClientPolicy *policy; ++ DBusList *deferred_messages; /**< Queue of messages deferred due to pending policy check */ + + char *cached_loginfo_string; + BusSELinuxID *selinux_id; +@@ -268,6 +271,8 @@ bus_connection_disconnected (DBusConnection *connection) + bus_transaction_execute_and_free (transaction); + } + ++ bus_connection_clear_deferred_messages(connection); ++ + bus_dispatch_remove_connection (connection); + + /* no more watching */ +@@ -2307,7 +2312,7 @@ bus_transaction_capture (BusTransaction *transaction, + { + DBusConnection *recipient = link->data; + +- if (!bus_transaction_send (transaction, recipient, message)) ++ if (!bus_transaction_send (transaction, recipient, message, FALSE)) + goto out; + } + +@@ -2361,6 +2366,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction, + { + DBusError error = DBUS_ERROR_INIT; + BusResult res; ++ BusDeferredMessage *deferred_message; + + /* We have to set the sender to the driver, and have + * to check security policy since it was not done in +@@ -2401,7 +2407,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction, + res = bus_context_check_security_policy (bus_transaction_get_context (transaction), + transaction, + NULL, connection, connection, message, NULL, +- &error, NULL); ++ &error, &deferred_message); + if (res == BUS_RESULT_FALSE) + { + if (!bus_transaction_capture_error_reply (transaction, connection, +@@ -2419,18 +2425,20 @@ bus_transaction_send_from_driver (BusTransaction *transaction, + } + else if (res == BUS_RESULT_LATER) + { +- _dbus_verbose ("Cannot delay sending message from bus driver, dropping it\n"); + dbus_error_free (&error); +- return TRUE; ++ if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, FALSE, FALSE)) ++ return FALSE; ++ return TRUE; /* pretend to have sent it */ + } + +- return bus_transaction_send (transaction, connection, message); ++ return bus_transaction_send (transaction, connection, message, FALSE); + } + + dbus_bool_t + bus_transaction_send (BusTransaction *transaction, + DBusConnection *connection, +- DBusMessage *message) ++ DBusMessage *message, ++ dbus_bool_t deferred_dispatch) + { + MessageToSend *to_send; + BusConnectionData *d; +@@ -2456,7 +2464,28 @@ bus_transaction_send (BusTransaction *transaction, + + d = BUS_CONNECTION_DATA (connection); + _dbus_assert (d != NULL); +- ++ ++ if (!deferred_dispatch && d->deferred_messages != NULL) ++ { ++ BusDeferredMessage *deferred_message; ++ dbus_bool_t success; ++ /* sender and addressed recipient are not required at this point as we only need to send message ++ * to a single recipient without performing policy check. */ ++ deferred_message = bus_deferred_message_new (message, ++ NULL, ++ NULL, ++ connection, ++ BUS_RESULT_TRUE); ++ if (deferred_message == NULL) ++ return FALSE; ++ ++ success = bus_deferred_message_queue_at_recipient(deferred_message, transaction, ++ FALSE, FALSE); ++ bus_deferred_message_unref(deferred_message); ++ ++ return success; ++ } ++ + to_send = dbus_new (MessageToSend, 1); + if (to_send == NULL) + { +@@ -2708,6 +2737,131 @@ bus_transaction_add_cancel_hook (BusTransaction *transaction, + return TRUE; + } + ++void ++bus_connection_dispatch_deferred (DBusConnection *connection) ++{ ++ BusDeferredMessage *message; ++ ++ _dbus_return_if_fail (connection != NULL); ++ ++ while ((message = bus_connection_pop_deferred_message(connection)) != NULL) ++ { ++ bus_deferred_message_dispatch(message); ++ bus_deferred_message_unref(message); ++ } ++} ++ ++dbus_bool_t ++bus_connection_has_deferred_messages (DBusConnection *connection) ++{ ++ BusConnectionData *d = BUS_CONNECTION_DATA(connection); ++ return d->deferred_messages != NULL ? TRUE : FALSE; ++} ++ ++dbus_bool_t ++bus_connection_queue_deferred_message (DBusConnection *connection, ++ BusDeferredMessage *message, ++ dbus_bool_t prepend) ++{ ++ BusConnectionData *d = BUS_CONNECTION_DATA(connection); ++ dbus_bool_t success; ++ if (prepend) ++ success = _dbus_list_prepend(&d->deferred_messages, message); ++ else ++ success = _dbus_list_append(&d->deferred_messages, message); ++ ++ if (success) ++ { ++ bus_deferred_message_ref(message); ++ return TRUE; ++ } ++ ++ return FALSE; ++} ++ ++dbus_bool_t ++bus_connection_replace_deferred_message (DBusConnection *connection, ++ BusDeferredMessage *oldMessage, ++ BusDeferredMessage *newMessage) ++{ ++ DBusList *link; ++ BusConnectionData *d = BUS_CONNECTION_DATA(connection); ++ ++ link = _dbus_list_find_first(&d->deferred_messages, oldMessage); ++ if (link == NULL) ++ return FALSE; ++ ++ if (!_dbus_list_insert_after(&d->deferred_messages, link, newMessage)) ++ return FALSE; ++ ++ bus_deferred_message_ref(newMessage); ++ _dbus_list_remove_link(&d->deferred_messages, link); ++ bus_deferred_message_unref(oldMessage); ++ return TRUE; ++} ++ ++BusDeferredMessage * ++bus_connection_pop_deferred_message (DBusConnection *connection) ++{ ++ DBusList *link; ++ BusDeferredMessage *message; ++ BusConnectionData *d = BUS_CONNECTION_DATA(connection); ++ ++ link =_dbus_list_get_first_link(&d->deferred_messages); ++ if (link != NULL) ++ { ++ message = link->data; ++ if (!bus_deferred_message_waits_for_check(message)) ++ { ++ _dbus_list_remove_link(&d->deferred_messages, link); ++ return message; ++ } ++ } ++ ++ return NULL; ++} ++ ++dbus_bool_t ++bus_connection_putback_deferred_message (DBusConnection *connection, BusDeferredMessage *message) ++{ ++ BusConnectionData *d = BUS_CONNECTION_DATA(connection); ++ if (_dbus_list_prepend(&d->deferred_messages, message)) ++ { ++ return TRUE; ++ } ++ return FALSE; ++} ++ ++void ++bus_connection_clear_deferred_messages (DBusConnection *connection) ++{ ++ BusConnectionData *d = BUS_CONNECTION_DATA(connection); ++ DBusList *link; ++ DBusList *next; ++ BusDeferredMessage *message; ++ ++ link =_dbus_list_get_first_link(&d->deferred_messages); ++ while (link != NULL) ++ { ++ next = _dbus_list_get_next_link (&d->deferred_messages, link); ++ message = link->data; ++ ++ bus_deferred_message_unref(message); ++ _dbus_list_remove_link(&d->deferred_messages, link); ++ ++ link = next; ++ } ++} ++ ++void ++bus_connection_remove_deferred_message (DBusConnection *connection, ++ BusDeferredMessage *message) ++{ ++ BusConnectionData *d = BUS_CONNECTION_DATA(connection); ++ if (_dbus_list_remove(&d->deferred_messages, message)) ++ bus_deferred_message_unref(message); ++} ++ + int + bus_connections_get_n_active (BusConnections *connections) + { +diff --git a/bus/connection.h b/bus/connection.h +index 71078ea..97dae96 100644 +--- a/bus/connection.h ++++ b/bus/connection.h +@@ -85,6 +85,22 @@ dbus_bool_t bus_connection_preallocate_oom_error (DBusConnection *connection); + void bus_connection_send_oom_error (DBusConnection *connection, + DBusMessage *in_reply_to); + ++dbus_bool_t bus_connection_has_deferred_messages (DBusConnection *connection); ++dbus_bool_t bus_connection_queue_deferred_message (DBusConnection *connection, ++ BusDeferredMessage *message, ++ dbus_bool_t prepend); ++BusDeferredMessage *bus_connection_pop_deferred_message (DBusConnection *connection); ++dbus_bool_t bus_connection_putback_deferred_message (DBusConnection *connection, ++ BusDeferredMessage *message); ++void bus_connection_remove_deferred_message (DBusConnection *connection, ++ BusDeferredMessage *message); ++dbus_bool_t bus_connection_replace_deferred_message (DBusConnection *connection, ++ BusDeferredMessage *oldMessage, ++ BusDeferredMessage *newMessage); ++void bus_connection_dispatch_deferred (DBusConnection *connection); ++void bus_connection_clear_deferred_messages (DBusConnection *connection); ++ ++ + /* called by signals.c */ + dbus_bool_t bus_connection_add_match_rule (DBusConnection *connection, + BusMatchRule *rule); +@@ -137,7 +153,8 @@ BusTransaction* bus_transaction_new (BusContext * + BusContext* bus_transaction_get_context (BusTransaction *transaction); + dbus_bool_t bus_transaction_send (BusTransaction *transaction, + DBusConnection *connection, +- DBusMessage *message); ++ DBusMessage *message, ++ dbus_bool_t deferred_dispatch); + dbus_bool_t bus_transaction_capture (BusTransaction *transaction, + DBusConnection *connection, + DBusConnection *addressed_recipient, +diff --git a/bus/dispatch.c b/bus/dispatch.c +index 50a22a3..7d30ce4 100644 +--- a/bus/dispatch.c ++++ b/bus/dispatch.c +@@ -33,6 +33,7 @@ + #include "utils.h" + #include "bus.h" + #include "signals.h" ++#include "dispatch.h" + #include "test.h" + #include <dbus/dbus-internals.h> + #include <dbus/dbus-connection-internal.h> +@@ -77,7 +78,7 @@ send_one_message (DBusConnection *connection, + NULL, + &stack_error, + &deferred_message); +- if (result != BUS_RESULT_TRUE) ++ if (result == BUS_RESULT_FALSE) + { + if (!bus_transaction_capture_error_reply (transaction, sender, + &stack_error, message)) +@@ -112,9 +113,19 @@ send_one_message (DBusConnection *connection, + return TRUE; /* don't send it but don't return an error either */ + } + ++ if (result == BUS_RESULT_LATER) ++ { ++ if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, FALSE, FALSE)) ++ { ++ BUS_SET_OOM (error); ++ return FALSE; ++ } ++ return TRUE; /* pretend to have sent it */ ++ } ++ + if (!bus_transaction_send (transaction, + connection, +- message)) ++ message, FALSE)) + { + BUS_SET_OOM (error); + return FALSE; +@@ -124,11 +135,12 @@ send_one_message (DBusConnection *connection, + } + + BusResult +-bus_dispatch_matches (BusTransaction *transaction, +- DBusConnection *sender, +- DBusConnection *addressed_recipient, +- DBusMessage *message, +- DBusError *error) ++bus_dispatch_matches (BusTransaction *transaction, ++ DBusConnection *sender, ++ DBusConnection *addressed_recipient, ++ DBusMessage *message, ++ BusDeferredMessage *dispatched_deferred_message, ++ DBusError *error) + { + DBusError tmp_error; + BusConnections *connections; +@@ -137,7 +149,6 @@ bus_dispatch_matches (BusTransaction *transaction, + DBusList *link; + BusContext *context; + BusDeferredMessage *deferred_message; +- BusResult res; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + +@@ -153,16 +164,80 @@ bus_dispatch_matches (BusTransaction *transaction, + /* First, send the message to the addressed_recipient, if there is one. */ + if (addressed_recipient != NULL) + { +- res = bus_context_check_security_policy (context, transaction, ++ BusResult result; ++ /* To maintain message order message needs to be appended at the recipient if there are already ++ * deferred messages and we are not doing deferred dispatch ++ */ ++ if (dispatched_deferred_message == NULL && bus_connection_has_deferred_messages(addressed_recipient)) ++ { ++ deferred_message = bus_deferred_message_new(message, sender, ++ addressed_recipient, addressed_recipient, BUS_RESULT_LATER); ++ ++ if (deferred_message == NULL) ++ { ++ BUS_SET_OOM(error); ++ return BUS_RESULT_FALSE; ++ } ++ ++ if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, TRUE, FALSE)) ++ { ++ bus_deferred_message_unref(deferred_message); ++ BUS_SET_OOM(error); ++ return BUS_RESULT_FALSE; ++ } ++ ++ bus_deferred_message_unref(deferred_message); ++ return BUS_RESULT_TRUE; /* pretend to have sent it */ ++ } ++ ++ if (dispatched_deferred_message != NULL) ++ { ++ result = bus_deferred_message_get_response(dispatched_deferred_message); ++ if (result == BUS_RESULT_TRUE) ++ { ++ /* if we know the result of policy check we still need to check if message limits ++ * are not exceeded. It is also required to add entry in expected replies list if ++ * this is a method call ++ */ ++ if (!bus_deferred_message_check_message_limits(dispatched_deferred_message, error)) ++ return BUS_RESULT_FALSE; ++ ++ if (!bus_deferred_message_expect_method_reply(dispatched_deferred_message, transaction, error)) ++ return BUS_RESULT_FALSE; ++ } ++ else if (result == BUS_RESULT_FALSE) ++ { ++ bus_deferred_message_create_error(dispatched_deferred_message, "Rejected message", error); ++ return BUS_RESULT_FALSE; ++ } ++ } ++ else ++ result = BUS_RESULT_LATER; ++ ++ if (result == BUS_RESULT_LATER) ++ result = bus_context_check_security_policy (context, transaction, + sender, addressed_recipient, + addressed_recipient, + message, NULL, error, + &deferred_message); +- if (res == BUS_RESULT_FALSE) ++ ++ if (result == BUS_RESULT_FALSE) + return BUS_RESULT_FALSE; +- else if (res == BUS_RESULT_LATER) ++ else if (result == BUS_RESULT_LATER) + { + BusDeferredMessageStatus status; ++ ++ if (dispatched_deferred_message != NULL) ++ { ++ /* for deferred dispatch prepend message at the recipient */ ++ if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, TRUE, TRUE)) ++ { ++ BUS_SET_OOM(error); ++ return BUS_RESULT_FALSE; ++ } ++ return BUS_RESULT_TRUE; /* pretend to have sent it */ ++ } ++ + status = bus_deferred_message_get_status(deferred_message); + + if (status & BUS_DEFERRED_MESSAGE_CHECK_SEND) +@@ -173,13 +248,18 @@ bus_dispatch_matches (BusTransaction *transaction, + } + else if (status & BUS_DEFERRED_MESSAGE_CHECK_RECEIVE) + { +- dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, +- "Rejecting message because time is needed to check security policy"); +- return BUS_RESULT_FALSE; ++ /* receive rule result not available - queue message at the recipient */ ++ if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, TRUE, FALSE)) ++ { ++ BUS_SET_OOM(error); ++ return BUS_RESULT_FALSE; ++ } ++ ++ return BUS_RESULT_TRUE; /* pretend to have sent it */ + } + else + { +- _dbus_verbose("deferred message has no status field set to send or receive unexpectedly\n"); ++ _dbus_verbose("deferred message has no status field set unexpectedly\n"); + return BUS_RESULT_FALSE; + } + } +@@ -196,7 +276,8 @@ bus_dispatch_matches (BusTransaction *transaction, + } + + /* Dispatch the message */ +- if (!bus_transaction_send (transaction, addressed_recipient, message)) ++ if (!bus_transaction_send(transaction, addressed_recipient, message, ++ dispatched_deferred_message != NULL ? TRUE : FALSE)) + { + BUS_SET_OOM (error); + return BUS_RESULT_FALSE; +@@ -534,7 +615,7 @@ bus_dispatch (DBusConnection *connection, + * match rules. + */ + if (BUS_RESULT_LATER == bus_dispatch_matches (transaction, connection, addressed_recipient, +- message, &error)) ++ message, NULL, &error)) + { + /* Roll back and dispatch the message once the policy result is available */ + bus_transaction_cancel_and_free (transaction); +diff --git a/bus/dispatch.h b/bus/dispatch.h +index afba6a2..f6102e8 100644 +--- a/bus/dispatch.h ++++ b/bus/dispatch.h +@@ -29,10 +29,11 @@ + + dbus_bool_t bus_dispatch_add_connection (DBusConnection *connection); + void bus_dispatch_remove_connection (DBusConnection *connection); +-BusResult bus_dispatch_matches (BusTransaction *transaction, +- DBusConnection *sender, +- DBusConnection *recipient, +- DBusMessage *message, +- DBusError *error); ++BusResult bus_dispatch_matches (BusTransaction *transaction, ++ DBusConnection *sender, ++ DBusConnection *recipient, ++ DBusMessage *message, ++ BusDeferredMessage *dispatched_deferred_message, ++ DBusError *error); + + #endif /* BUS_DISPATCH_H */ +diff --git a/bus/driver.c b/bus/driver.c +index f414f64..d89a658 100644 +--- a/bus/driver.c ++++ b/bus/driver.c +@@ -254,7 +254,7 @@ bus_driver_send_service_owner_changed (const char *service_name, + if (!bus_transaction_capture (transaction, NULL, NULL, message)) + goto oom; + +- res = bus_dispatch_matches (transaction, NULL, NULL, message, error); ++ res = bus_dispatch_matches (transaction, NULL, NULL, message, NULL, error); + if (res == BUS_RESULT_TRUE) + retval = TRUE; + else +diff --git a/bus/policy.c b/bus/policy.c +index 7ee1ce5..b1fab0d 100644 +--- a/bus/policy.c ++++ b/bus/policy.c +@@ -1121,6 +1121,9 @@ bus_client_policy_check_can_send (DBusConnection *sender, + + result = bus_check_privilege(check, message, sender, addressed_recipient, receiver, + privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message); ++ if (result == BUS_RESULT_LATER && deferred_message != NULL) ++ bus_deferred_message_set_policy_check_info(*deferred_message, requested_reply, ++ *toggles, privilege); + } + else + privilege = NULL; +@@ -1370,6 +1373,9 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, + + result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient, + privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message); ++ if (result == BUS_RESULT_LATER && deferred_message != NULL) ++ bus_deferred_message_set_policy_check_info(*deferred_message, requested_reply, ++ *toggles, privilege); + } + else + privilege = NULL; +-- +2.17.2 + diff --git a/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch new file mode 100644 index 00000000..9cb744de --- /dev/null +++ b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch @@ -0,0 +1,1493 @@ +From e7ae85429aa3e6d80df13b3a5a492d9ccbf42518 Mon Sep 17 00:00:00 2001 +From: Jacek Bukarewicz <j.bukarewicz@samsung.com> +Date: Thu, 27 Nov 2014 11:26:21 +0100 +Subject: Add own rule result unavailability handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Own rule result unavailability is handled like send rules - dispatching +messages from the sender is blocked and resumed when result becomes +available. + +Handler of "RequestName" method needs to return BUS_RESULT_LATER when +policy result is not known therefore its return type is modified. +Since bus message handlers are put into function pointer array other +message handler function singatures are also affected. + +Cherry-picked from 35ef89cd6777ea2430077fc621d21bd01df92349 by Jose.bollo + +Updated for dbus 1.10.20 by Scott Murray and José Bollo + +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +Signed-off-by: Scott Murray <scott.murray@konsulko.com> + +diff --git a/bus/dispatch.c b/bus/dispatch.c +index 7d30ce4..4b84c21 100644 +--- a/bus/dispatch.c ++++ b/bus/dispatch.c +@@ -517,8 +517,17 @@ bus_dispatch (DBusConnection *connection, + } + + _dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS); +- if (!bus_driver_handle_message (connection, transaction, message, &error)) ++ res = bus_driver_handle_message (connection, transaction, message, &error); ++ if (res == BUS_RESULT_FALSE) + goto out; ++ else if (res == BUS_RESULT_LATER) ++ { ++ /* connection has been disabled in message handler */ ++ bus_transaction_cancel_and_free (transaction); ++ transaction = NULL; ++ result = DBUS_HANDLER_RESULT_LATER; ++ goto out; ++ } + } + else if (!bus_connection_is_active (connection)) /* clients must talk to bus driver first */ + { +diff --git a/bus/driver.c b/bus/driver.c +index d89a658..aaeb3b2 100644 +--- a/bus/driver.c ++++ b/bus/driver.c +@@ -420,7 +420,7 @@ create_unique_client_name (BusRegistry *registry, + return TRUE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_hello (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -428,7 +428,7 @@ bus_driver_handle_hello (DBusConnection *connection, + { + DBusString unique_name; + BusService *service; +- dbus_bool_t retval; ++ BusResult retval; + BusRegistry *registry; + BusConnections *connections; + DBusError tmp_error; +@@ -442,7 +442,7 @@ bus_driver_handle_hello (DBusConnection *connection, + /* We already handled an Hello message for this connection. */ + dbus_set_error (error, DBUS_ERROR_FAILED, + "Already handled an Hello message"); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + /* Note that when these limits are exceeded we don't disconnect the +@@ -464,16 +464,16 @@ bus_driver_handle_hello (DBusConnection *connection, + bus_context_log (context, DBUS_SYSTEM_LOG_WARNING, "%s (%s=%d)", + tmp_error.message, limit_name, limit); + dbus_move_error (&tmp_error, error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + if (!_dbus_string_init (&unique_name)) + { + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +- retval = FALSE; ++ retval = BUS_RESULT_FALSE; + + registry = bus_connection_get_registry (connection); + +@@ -506,7 +506,7 @@ bus_driver_handle_hello (DBusConnection *connection, + goto out_0; + + _dbus_assert (bus_connection_is_active (connection)); +- retval = TRUE; ++ retval = BUS_RESULT_TRUE; + + out_0: + _dbus_string_free (&unique_name); +@@ -558,7 +558,7 @@ bus_driver_send_welcome_message (DBusConnection *connection, + } + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_list_services (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -580,14 +580,14 @@ bus_driver_handle_list_services (DBusConnection *connection, + if (reply == NULL) + { + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + if (!bus_registry_list_services (registry, &services, &len)) + { + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + dbus_message_iter_init_append (reply, &iter); +@@ -599,7 +599,7 @@ bus_driver_handle_list_services (DBusConnection *connection, + dbus_free_string_array (services); + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + { +@@ -611,7 +611,7 @@ bus_driver_handle_list_services (DBusConnection *connection, + dbus_free_string_array (services); + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + } + +@@ -624,7 +624,7 @@ bus_driver_handle_list_services (DBusConnection *connection, + dbus_free_string_array (services); + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + ++i; + } +@@ -635,23 +635,23 @@ bus_driver_handle_list_services (DBusConnection *connection, + { + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + if (!bus_transaction_send_from_driver (transaction, connection, reply)) + { + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + else + { + dbus_message_unref (reply); +- return TRUE; ++ return BUS_RESULT_TRUE; + } + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_list_activatable_services (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -673,14 +673,14 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, + if (reply == NULL) + { + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + if (!bus_activation_list_services (activation, &services, &len)) + { + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + dbus_message_iter_init_append (reply, &iter); +@@ -692,7 +692,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, + dbus_free_string_array (services); + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + { +@@ -704,7 +704,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, + dbus_free_string_array (services); + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + } + +@@ -717,7 +717,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, + dbus_free_string_array (services); + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + ++i; + } +@@ -728,23 +728,23 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection, + { + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + if (!bus_transaction_send_from_driver (transaction, connection, reply)) + { + dbus_message_unref (reply); + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + else + { + dbus_message_unref (reply); +- return TRUE; ++ return BUS_RESULT_TRUE; + } + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_acquire_service (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -755,7 +755,8 @@ bus_driver_handle_acquire_service (DBusConnection *connection, + const char *name; + dbus_uint32_t service_reply; + dbus_uint32_t flags; +- dbus_bool_t retval; ++ BusResult retval; ++ BusResult res; + BusRegistry *registry; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); +@@ -766,20 +767,24 @@ bus_driver_handle_acquire_service (DBusConnection *connection, + DBUS_TYPE_STRING, &name, + DBUS_TYPE_UINT32, &flags, + DBUS_TYPE_INVALID)) +- return FALSE; ++ return BUS_RESULT_FALSE; + + _dbus_verbose ("Trying to own name %s with flags 0x%x\n", name, flags); + +- retval = FALSE; ++ retval = BUS_RESULT_FALSE; + reply = NULL; + + _dbus_string_init_const (&service_name, name); + +- if (!bus_registry_acquire_service (registry, connection, +- &service_name, flags, +- &service_reply, transaction, +- error)) +- goto out; ++ res = bus_registry_acquire_service (registry, connection, message, ++ &service_name, flags, ++ &service_reply, transaction, ++ error); ++ if (res != BUS_RESULT_TRUE) ++ { ++ retval = res; ++ goto out; ++ } + + reply = dbus_message_new_method_return (message); + if (reply == NULL) +@@ -800,7 +805,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection, + goto out; + } + +- retval = TRUE; ++ retval = BUS_RESULT_TRUE; + + out: + if (reply) +@@ -808,7 +813,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection, + return retval; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_release_service (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -818,7 +823,7 @@ bus_driver_handle_release_service (DBusConnection *connection, + DBusString service_name; + const char *name; + dbus_uint32_t service_reply; +- dbus_bool_t retval; ++ BusResult retval; + BusRegistry *registry; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); +@@ -828,11 +833,11 @@ bus_driver_handle_release_service (DBusConnection *connection, + if (!dbus_message_get_args (message, error, + DBUS_TYPE_STRING, &name, + DBUS_TYPE_INVALID)) +- return FALSE; ++ return BUS_RESULT_FALSE; + + _dbus_verbose ("Trying to release name %s\n", name); + +- retval = FALSE; ++ retval = BUS_RESULT_FALSE; + reply = NULL; + + _dbus_string_init_const (&service_name, name); +@@ -861,7 +866,7 @@ bus_driver_handle_release_service (DBusConnection *connection, + goto out; + } + +- retval = TRUE; ++ retval = BUS_RESULT_TRUE; + + out: + if (reply) +@@ -869,7 +874,7 @@ bus_driver_handle_release_service (DBusConnection *connection, + return retval; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_service_exists (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -880,7 +885,7 @@ bus_driver_handle_service_exists (DBusConnection *connection, + BusService *service; + dbus_bool_t service_exists; + const char *name; +- dbus_bool_t retval; ++ BusResult retval; + BusRegistry *registry; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); +@@ -890,9 +895,9 @@ bus_driver_handle_service_exists (DBusConnection *connection, + if (!dbus_message_get_args (message, error, + DBUS_TYPE_STRING, &name, + DBUS_TYPE_INVALID)) +- return FALSE; ++ return BUS_RESULT_FALSE; + +- retval = FALSE; ++ retval = BUS_RESULT_FALSE; + + if (strcmp (name, DBUS_SERVICE_DBUS) == 0) + { +@@ -926,7 +931,7 @@ bus_driver_handle_service_exists (DBusConnection *connection, + goto out; + } + +- retval = TRUE; ++ retval = BUS_RESULT_TRUE; + + out: + if (reply) +@@ -935,7 +940,7 @@ bus_driver_handle_service_exists (DBusConnection *connection, + return retval; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_activate_service (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -943,7 +948,7 @@ bus_driver_handle_activate_service (DBusConnection *connection, + { + dbus_uint32_t flags; + const char *name; +- dbus_bool_t retval; ++ BusResult retval; + BusActivation *activation; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); +@@ -957,10 +962,10 @@ bus_driver_handle_activate_service (DBusConnection *connection, + { + _DBUS_ASSERT_ERROR_IS_SET (error); + _dbus_verbose ("No memory to get arguments to StartServiceByName\n"); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +- retval = FALSE; ++ retval = BUS_RESULT_FALSE; + + if (!bus_activation_activate_service (activation, connection, transaction, FALSE, + message, name, error)) +@@ -970,7 +975,7 @@ bus_driver_handle_activate_service (DBusConnection *connection, + goto out; + } + +- retval = TRUE; ++ retval = BUS_RESULT_TRUE; + + out: + return retval; +@@ -1072,13 +1077,13 @@ bus_driver_send_or_activate (BusTransaction *transaction, + return TRUE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_update_activation_environment (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error) + { +- dbus_bool_t retval; ++ BusResult retval; + BusActivation *activation; + BusContext *context; + DBusMessageIter iter; +@@ -1100,7 +1105,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, + dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, + "Cannot change activation environment " + "on a system bus."); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + activation = bus_connection_get_activation (connection); +@@ -1114,7 +1119,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, + + dbus_message_iter_recurse (&iter, &dict_iter); + +- retval = FALSE; ++ retval = BUS_RESULT_FALSE; + systemd_message = NULL; + + /* Then loop through the sent dictionary, add the location of +@@ -1279,7 +1284,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, + if (!bus_driver_send_ack_reply (connection, transaction, message, error)) + goto out; + +- retval = TRUE; ++ retval = BUS_RESULT_TRUE; + + out: + if (systemd_message != NULL) +@@ -1289,7 +1294,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection, + return retval; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_add_match (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -1371,16 +1376,16 @@ bus_driver_handle_add_match (DBusConnection *connection, + + bus_match_rule_unref (rule); + +- return TRUE; ++ return BUS_RESULT_TRUE; + + failed: + _DBUS_ASSERT_ERROR_IS_SET (error); + if (rule) + bus_match_rule_unref (rule); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_remove_match (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -1423,16 +1428,16 @@ bus_driver_handle_remove_match (DBusConnection *connection, + + bus_match_rule_unref (rule); + +- return TRUE; ++ return BUS_RESULT_TRUE; + + failed: + _DBUS_ASSERT_ERROR_IS_SET (error); + if (rule) + bus_match_rule_unref (rule); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_get_service_owner (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -1502,7 +1507,7 @@ bus_driver_handle_get_service_owner (DBusConnection *connection, + + dbus_message_unref (reply); + +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + BUS_SET_OOM (error); +@@ -1511,10 +1516,10 @@ bus_driver_handle_get_service_owner (DBusConnection *connection, + _DBUS_ASSERT_ERROR_IS_SET (error); + if (reply) + dbus_message_unref (reply); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_list_queued_owners (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -1606,7 +1611,7 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection, + + dbus_message_unref (reply); + +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + BUS_SET_OOM (error); +@@ -1619,10 +1624,10 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection, + if (base_names) + _dbus_list_clear (&base_names); + +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_get_connection_unix_user (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -1679,7 +1684,7 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection, + + dbus_message_unref (reply); + +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + BUS_SET_OOM (error); +@@ -1688,10 +1693,10 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection, + _DBUS_ASSERT_ERROR_IS_SET (error); + if (reply) + dbus_message_unref (reply); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -1748,7 +1753,7 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection, + + dbus_message_unref (reply); + +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + BUS_SET_OOM (error); +@@ -1757,10 +1762,10 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection, + _DBUS_ASSERT_ERROR_IS_SET (error); + if (reply) + dbus_message_unref (reply); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -1811,7 +1816,7 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection, + + dbus_message_unref (reply); + +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + BUS_SET_OOM (error); +@@ -1820,10 +1825,10 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection, + _DBUS_ASSERT_ERROR_IS_SET (error); + if (reply) + dbus_message_unref (reply); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_get_connection_selinux_security_context (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -1872,7 +1877,7 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne + + dbus_message_unref (reply); + +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + BUS_SET_OOM (error); +@@ -1881,10 +1886,10 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne + _DBUS_ASSERT_ERROR_IS_SET (error); + if (reply) + dbus_message_unref (reply); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_get_connection_credentials (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -1998,7 +2003,7 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection, + + dbus_message_unref (reply); + +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + BUS_SET_OOM (error); +@@ -2012,10 +2017,10 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection, + dbus_message_unref (reply); + } + +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_reload_config (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -2040,7 +2045,7 @@ bus_driver_handle_reload_config (DBusConnection *connection, + goto oom; + + dbus_message_unref (reply); +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + BUS_SET_OOM (error); +@@ -2049,11 +2054,11 @@ bus_driver_handle_reload_config (DBusConnection *connection, + _DBUS_ASSERT_ERROR_IS_SET (error); + if (reply) + dbus_message_unref (reply); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + #ifdef DBUS_ENABLE_VERBOSE_MODE +-static dbus_bool_t ++static BusResult + bus_driver_handle_enable_verbose (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -2073,7 +2078,7 @@ bus_driver_handle_enable_verbose (DBusConnection *connection, + _dbus_set_verbose(TRUE); + + dbus_message_unref (reply); +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + _DBUS_ASSERT_ERROR_IS_CLEAR (error); +@@ -2082,10 +2087,10 @@ bus_driver_handle_enable_verbose (DBusConnection *connection, + + if (reply) + dbus_message_unref (reply); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_disable_verbose (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -2105,7 +2110,7 @@ bus_driver_handle_disable_verbose (DBusConnection *connection, + _dbus_set_verbose(FALSE); + + dbus_message_unref (reply); +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + _DBUS_ASSERT_ERROR_IS_CLEAR (error); +@@ -2114,11 +2119,11 @@ bus_driver_handle_disable_verbose (DBusConnection *connection, + + if (reply) + dbus_message_unref (reply); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + #endif + +-static dbus_bool_t ++static BusResult + bus_driver_handle_get_id (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -2134,7 +2139,7 @@ bus_driver_handle_get_id (DBusConnection *connection, + if (!_dbus_string_init (&uuid)) + { + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + reply = NULL; +@@ -2160,7 +2165,7 @@ bus_driver_handle_get_id (DBusConnection *connection, + + _dbus_string_free (&uuid); + dbus_message_unref (reply); +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + _DBUS_ASSERT_ERROR_IS_CLEAR (error); +@@ -2170,10 +2175,10 @@ bus_driver_handle_get_id (DBusConnection *connection, + if (reply) + dbus_message_unref (reply); + _dbus_string_free (&uuid); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_become_monitor (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -2189,7 +2194,7 @@ bus_driver_handle_become_monitor (DBusConnection *connection, + int i; + int n_match_rules; + dbus_uint32_t flags; +- dbus_bool_t ret = FALSE; ++ BusResult ret = BUS_RESULT_FALSE; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + +@@ -2262,10 +2267,10 @@ bus_driver_handle_become_monitor (DBusConnection *connection, + if (!bus_connection_be_monitor (connection, transaction, &rules, error)) + goto out; + +- ret = TRUE; ++ ret = BUS_RESULT_TRUE; + + out: +- if (ret) ++ if (ret == BUS_RESULT_TRUE) + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + else + _DBUS_ASSERT_ERROR_IS_SET (error); +@@ -2281,7 +2286,7 @@ out: + return ret; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_get_machine_id (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -2296,7 +2301,7 @@ bus_driver_handle_get_machine_id (DBusConnection *connection, + if (!_dbus_string_init (&uuid)) + { + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + if (!_dbus_get_local_machine_uuid_encoded (&uuid, error)) +@@ -2321,7 +2326,7 @@ bus_driver_handle_get_machine_id (DBusConnection *connection, + + _dbus_string_free (&uuid); + dbus_message_unref (reply); +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + _DBUS_ASSERT_ERROR_IS_CLEAR (error); +@@ -2335,29 +2340,30 @@ fail: + dbus_message_unref (reply); + + _dbus_string_free (&uuid); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_ping (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error) + { +- return bus_driver_send_ack_reply (connection, transaction, message, error); ++ return bus_driver_send_ack_reply (connection, transaction, message, error) == TRUE ++ ? BUS_RESULT_TRUE : BUS_RESULT_FALSE; + } + +-static dbus_bool_t bus_driver_handle_get (DBusConnection *connection, ++static BusResult bus_driver_handle_get (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error); + +-static dbus_bool_t bus_driver_handle_get_all (DBusConnection *connection, ++static BusResult bus_driver_handle_get_all (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error); + +-static dbus_bool_t bus_driver_handle_set (DBusConnection *connection, ++static BusResult bus_driver_handle_set (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error); +@@ -2389,10 +2395,10 @@ typedef struct + const char *name; + const char *in_args; + const char *out_args; +- dbus_bool_t (* handler) (DBusConnection *connection, +- BusTransaction *transaction, +- DBusMessage *message, +- DBusError *error); ++ BusResult (* handler) (DBusConnection *connection, ++ BusTransaction *transaction, ++ DBusMessage *message, ++ DBusError *error); + MethodFlags flags; + } MessageHandler; + +@@ -2511,7 +2517,7 @@ static const PropertyHandler dbus_property_handlers[] = { + { NULL, NULL, NULL } + }; + +-static dbus_bool_t bus_driver_handle_introspect (DBusConnection *, ++static BusResult bus_driver_handle_introspect (DBusConnection *, + BusTransaction *, DBusMessage *, DBusError *); + + static const MessageHandler properties_message_handlers[] = { +@@ -2763,7 +2769,7 @@ bus_driver_generate_introspect_string (DBusString *xml, + return TRUE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_introspect (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -2784,13 +2790,13 @@ bus_driver_handle_introspect (DBusConnection *connection, + DBUS_TYPE_INVALID)) + { + _DBUS_ASSERT_ERROR_IS_SET (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + if (!_dbus_string_init (&xml)) + { + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + is_canonical_path = dbus_message_has_path (message, DBUS_PATH_DBUS); +@@ -2815,7 +2821,7 @@ bus_driver_handle_introspect (DBusConnection *connection, + dbus_message_unref (reply); + _dbus_string_free (&xml); + +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + BUS_SET_OOM (error); +@@ -2825,10 +2831,42 @@ bus_driver_handle_introspect (DBusConnection *connection, + + _dbus_string_free (&xml); + +- return FALSE; ++ return BUS_RESULT_FALSE; + } + ++/* ++ * Set @error and return FALSE if the message is not directed to the ++ * dbus-daemon by its canonical object path. This is hardening against ++ * system services with poorly-written security policy files, which ++ * might allow sending dangerously broad equivalence classes of messages ++ * such as "anything with this assumed-to-be-safe object path". ++ * ++ * dbus-daemon is unusual in that it normally ignores the object path ++ * of incoming messages; we need to keep that behaviour for the "read" ++ * read-only method calls like GetConnectionUnixUser for backwards ++ * compatibility, but it seems safer to be more restrictive for things ++ * intended to be root-only or privileged-developers-only. ++ * ++ * It is possible that there are other system services with the same ++ * quirk as dbus-daemon. ++ */ + dbus_bool_t ++bus_driver_check_message_is_for_us (DBusMessage *message, ++ DBusError *error) ++{ ++ if (!dbus_message_has_path (message, DBUS_PATH_DBUS)) ++ { ++ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, ++ "Method '%s' is only available at the canonical object path '%s'", ++ dbus_message_get_member (message), DBUS_PATH_DBUS); ++ ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++ ++BusResult + bus_driver_handle_message (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -2839,6 +2877,7 @@ bus_driver_handle_message (DBusConnection *connection, + const MessageHandler *mh; + dbus_bool_t found_interface = FALSE; + dbus_bool_t is_canonical_path; ++ BusResult res; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + +@@ -2854,7 +2893,7 @@ bus_driver_handle_message (DBusConnection *connection, + transaction, + message, + error)) +- return FALSE; ++ return BUS_RESULT_FALSE; + + context = bus_connection_get_context (connection); + systemd = bus_driver_get_owner_of_name (connection, +@@ -2871,7 +2910,7 @@ bus_driver_handle_message (DBusConnection *connection, + attacker ? attacker : "(unauthenticated)", + bus_connection_get_loginfo (connection)); + /* ignore it */ +- return TRUE; ++ return BUS_RESULT_TRUE; + } + + if (!bus_context_get_systemd_activation (context)) +@@ -2879,16 +2918,16 @@ bus_driver_handle_message (DBusConnection *connection, + bus_context_log (context, DBUS_SYSTEM_LOG_WARNING, + "Ignoring unexpected ActivationFailure message " + "while not using systemd activation"); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +- return dbus_activation_systemd_failure(bus_context_get_activation(context), message); ++ return dbus_activation_systemd_failure(bus_context_get_activation(context), message) == TRUE ? BUS_RESULT_TRUE : BUS_RESULT_FALSE; + } + + if (dbus_message_get_type (message) != DBUS_MESSAGE_TYPE_METHOD_CALL) + { + _dbus_verbose ("Driver got a non-method-call message, ignoring\n"); +- return TRUE; /* we just ignore this */ ++ return BUS_RESULT_TRUE; /* we just ignore this */ + } + + /* may be NULL, which means "any interface will do" */ +@@ -2953,20 +2992,27 @@ bus_driver_handle_message (DBusConnection *connection, + name, dbus_message_get_signature (message), + mh->in_args); + _DBUS_ASSERT_ERROR_IS_SET (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +- if ((* mh->handler) (connection, transaction, message, error)) ++ res = (* mh->handler) (connection, transaction, message, error); ++ if (res == BUS_RESULT_TRUE) + { + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + _dbus_verbose ("Driver handler succeeded\n"); +- return TRUE; ++ return BUS_RESULT_TRUE; + } +- else ++ else if (res == BUS_RESULT_FALSE) + { + _DBUS_ASSERT_ERROR_IS_SET (error); + _dbus_verbose ("Driver handler returned failure\n"); +- return FALSE; ++ return BUS_RESULT_FALSE; ++ } ++ else if (res == BUS_RESULT_LATER) ++ { ++ _DBUS_ASSERT_ERROR_IS_CLEAR (error); ++ _dbus_verbose ("Driver handler delayed message processing due to policy check\n"); ++ return BUS_RESULT_LATER; + } + } + } +@@ -2978,7 +3024,7 @@ bus_driver_handle_message (DBusConnection *connection, + "%s does not understand message %s", + DBUS_SERVICE_DBUS, name); + +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + void +@@ -3099,7 +3145,7 @@ interface_handler_find_property (const InterfaceHandler *ih, + return NULL; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_get (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -3120,18 +3166,18 @@ bus_driver_handle_get (DBusConnection *connection, + DBUS_TYPE_STRING, &iface, + DBUS_TYPE_STRING, &prop, + DBUS_TYPE_INVALID)) +- return FALSE; ++ return BUS_RESULT_FALSE; + + /* We only implement Properties on /org/freedesktop/DBus so far. */ + ih = bus_driver_find_interface (iface, TRUE, error); + + if (ih == NULL) +- return FALSE; ++ return BUS_RESULT_FALSE; + + handler = interface_handler_find_property (ih, prop, error); + + if (handler == NULL) +- return FALSE; ++ return BUS_RESULT_FALSE; + + context = bus_transaction_get_context (transaction); + +@@ -3159,17 +3205,17 @@ bus_driver_handle_get (DBusConnection *connection, + goto oom; + + dbus_message_unref (reply); +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + if (reply != NULL) + dbus_message_unref (reply); + + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_get_all (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -3188,13 +3234,13 @@ bus_driver_handle_get_all (DBusConnection *connection, + if (!dbus_message_get_args (message, error, + DBUS_TYPE_STRING, &iface, + DBUS_TYPE_INVALID)) +- return FALSE; ++ return BUS_RESULT_FALSE; + + /* We only implement Properties on /org/freedesktop/DBus so far. */ + ih = bus_driver_find_interface (iface, TRUE, error); + + if (ih == NULL) +- return FALSE; ++ return BUS_RESULT_FALSE; + + context = bus_transaction_get_context (transaction); + +@@ -3229,7 +3275,7 @@ bus_driver_handle_get_all (DBusConnection *connection, + goto oom; + + dbus_message_unref (reply); +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom_abandon_message: + _dbus_asv_abandon (&reply_iter, &array_iter); +@@ -3239,10 +3285,10 @@ oom: + dbus_message_unref (reply); + + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-static dbus_bool_t ++static BusResult + bus_driver_handle_set (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -3271,15 +3317,15 @@ bus_driver_handle_set (DBusConnection *connection, + ih = bus_driver_find_interface (iface, TRUE, error); + + if (ih == NULL) +- return FALSE; ++ return BUS_RESULT_FALSE; + + handler = interface_handler_find_property (ih, prop, error); + + if (handler == NULL) +- return FALSE; ++ return BUS_RESULT_FALSE; + + /* We don't implement any properties that can be set yet. */ + dbus_set_error (error, DBUS_ERROR_PROPERTY_READ_ONLY, + "Property '%s.%s' cannot be set", iface, prop); +- return FALSE; ++ return BUS_RESULT_FALSE; + } +diff --git a/bus/driver.h b/bus/driver.h +index ac1289d..183c28b 100644 +--- a/bus/driver.h ++++ b/bus/driver.h +@@ -35,7 +35,7 @@ typedef enum + } BusDriverFound; + + void bus_driver_remove_connection (DBusConnection *connection); +-dbus_bool_t bus_driver_handle_message (DBusConnection *connection, ++BusResult bus_driver_handle_message (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error); +diff --git a/bus/policy.c b/bus/policy.c +index b1fab0d..27b66d1 100644 +--- a/bus/policy.c ++++ b/bus/policy.c +@@ -1388,18 +1388,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, + + + +-static dbus_bool_t ++static BusResult + bus_rules_check_can_own (DBusList *rules, +- const DBusString *service_name) ++ const DBusString *service_name, ++ DBusConnection *connection, ++ DBusMessage *message) + { + DBusList *link; +- dbus_bool_t allowed; ++ BusResult result; ++ const char *privilege; + + /* rules is in the order the rules appeared + * in the config file, i.e. last rule that applies wins + */ + +- allowed = FALSE; ++ result = BUS_RESULT_FALSE; + link = _dbus_list_get_first_link (&rules); + while (link != NULL) + { +@@ -1435,17 +1438,45 @@ bus_rules_check_can_own (DBusList *rules, + } + + /* Use this rule */ +- allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW; ++ switch (rule->access) ++ { ++ case BUS_POLICY_RULE_ACCESS_ALLOW: ++ result = BUS_RESULT_TRUE; ++ break; ++ case BUS_POLICY_RULE_ACCESS_DENY: ++ result = BUS_RESULT_FALSE; ++ break; ++ case BUS_POLICY_RULE_ACCESS_CHECK: ++ result = BUS_RESULT_LATER; ++ privilege = rule->privilege; ++ break; ++ } + } + +- return allowed; ++ if (result == BUS_RESULT_LATER) ++ { ++ BusContext *context = bus_connection_get_context(connection); ++ BusCheck *check = bus_context_get_check(context); ++ BusDeferredMessage *deferred_message; ++ ++ result = bus_check_privilege(check, message, connection, NULL, NULL, ++ privilege, BUS_DEFERRED_MESSAGE_CHECK_OWN, &deferred_message); ++ if (result == BUS_RESULT_LATER) ++ { ++ bus_deferred_message_disable_sender(deferred_message); ++ } ++ } ++ ++ return result; + } + +-dbus_bool_t ++BusResult + bus_client_policy_check_can_own (BusClientPolicy *policy, +- const DBusString *service_name) ++ const DBusString *service_name, ++ DBusConnection *connection, ++ DBusMessage *message) + { +- return bus_rules_check_can_own (policy->rules, service_name); ++ return bus_rules_check_can_own (policy->rules, service_name, connection, message); + } + + #ifdef DBUS_ENABLE_EMBEDDED_TESTS +@@ -1453,7 +1484,7 @@ dbus_bool_t + bus_policy_check_can_own (BusPolicy *policy, + const DBusString *service_name) + { +- return bus_rules_check_can_own (policy->default_rules, service_name); ++ return bus_rules_check_can_own (policy->default_rules, service_name, NULL, NULL) == BUS_RESULT_TRUE; + } + #endif /* DBUS_ENABLE_EMBEDDED_TESTS */ + +diff --git a/bus/policy.h b/bus/policy.h +index f839d23..28ce8f2 100644 +--- a/bus/policy.h ++++ b/bus/policy.h +@@ -182,8 +182,10 @@ BusResult bus_client_policy_check_can_receive (BusClientPolicy *policy, + dbus_int32_t *toggles, + const char **privilege_param, + BusDeferredMessage **deferred_message); +-dbus_bool_t bus_client_policy_check_can_own (BusClientPolicy *policy, +- const DBusString *service_name); ++BusResult bus_client_policy_check_can_own (BusClientPolicy *policy, ++ const DBusString *service_name, ++ DBusConnection *connection, ++ DBusMessage *message); + dbus_bool_t bus_client_policy_append_rule (BusClientPolicy *policy, + BusPolicyRule *rule); + void bus_client_policy_optimize (BusClientPolicy *policy); +diff --git a/bus/services.c b/bus/services.c +index 127edda..586af18 100644 +--- a/bus/services.c ++++ b/bus/services.c +@@ -376,16 +376,17 @@ bus_registry_list_services (BusRegistry *registry, + return FALSE; + } + +-dbus_bool_t ++BusResult + bus_registry_acquire_service (BusRegistry *registry, + DBusConnection *connection, ++ DBusMessage *message, + const DBusString *service_name, + dbus_uint32_t flags, + dbus_uint32_t *result, + BusTransaction *transaction, + DBusError *error) + { +- dbus_bool_t retval; ++ BusResult retval; + DBusConnection *old_owner_conn; + BusClientPolicy *policy; + BusService *service; +@@ -393,8 +394,9 @@ bus_registry_acquire_service (BusRegistry *registry, + BusSELinuxID *sid; + BusOwner *primary_owner; + int limit; ++ BusResult res; + +- retval = FALSE; ++ retval = BUS_RESULT_FALSE; + + if (!_dbus_validate_bus_name (service_name, 0, + _dbus_string_get_length (service_name))) +@@ -467,7 +469,8 @@ bus_registry_acquire_service (BusRegistry *registry, + _dbus_string_get_const_data (service_name), error)) + goto out; + +- if (!bus_client_policy_check_can_own (policy, service_name)) ++ res = bus_client_policy_check_can_own (policy, service_name, connection, message); ++ if (res == BUS_RESULT_FALSE) + { + dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, + "Connection \"%s\" is not allowed to own the service \"%s\" due " +@@ -478,6 +481,11 @@ bus_registry_acquire_service (BusRegistry *registry, + _dbus_string_get_const_data (service_name)); + goto out; + } ++ else if (res == BUS_RESULT_LATER) ++ { ++ retval = BUS_RESULT_LATER; ++ goto out; ++ } + + limit = bus_context_get_max_services_per_connection (registry->context); + +@@ -603,11 +611,13 @@ bus_registry_acquire_service (BusRegistry *registry, + } + + activation = bus_context_get_activation (registry->context); +- retval = bus_activation_send_pending_auto_activation_messages (activation, ++ ++ if (bus_activation_send_pending_auto_activation_messages (activation, + service, +- transaction); +- if (!retval) +- BUS_SET_OOM (error); ++ transaction)) ++ retval = BUS_RESULT_TRUE; ++ else ++ BUS_SET_OOM (error); + + out: + return retval; +diff --git a/bus/services.h b/bus/services.h +index 056dd9f..3df3dd7 100644 +--- a/bus/services.h ++++ b/bus/services.h +@@ -50,8 +50,9 @@ void bus_registry_foreach (BusRegistry *registry + dbus_bool_t bus_registry_list_services (BusRegistry *registry, + char ***listp, + int *array_len); +-dbus_bool_t bus_registry_acquire_service (BusRegistry *registry, ++BusResult bus_registry_acquire_service (BusRegistry *registry, + DBusConnection *connection, ++ DBusMessage *message, + const DBusString *service_name, + dbus_uint32_t flags, + dbus_uint32_t *result, +diff --git a/bus/stats.c b/bus/stats.c +index 1582255..c25be98 100644 +--- a/bus/stats.c ++++ b/bus/stats.c +@@ -36,7 +36,7 @@ + + #ifdef DBUS_ENABLE_STATS + +-dbus_bool_t ++BusResult + bus_stats_handle_get_stats (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -51,6 +51,9 @@ bus_stats_handle_get_stats (DBusConnection *connection, + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + ++ if (!bus_driver_check_message_is_for_us (message, error)) ++ return BUS_RESULT_FALSE; ++ + context = bus_transaction_get_context (transaction); + connections = bus_context_get_connections (context); + +@@ -104,17 +107,17 @@ bus_stats_handle_get_stats (DBusConnection *connection, + goto oom; + + dbus_message_unref (reply); +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + if (reply != NULL) + dbus_message_unref (reply); + + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + +-dbus_bool_t ++BusResult + bus_stats_handle_get_connection_stats (DBusConnection *caller_connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -209,7 +212,7 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection, + goto oom; + + dbus_message_unref (reply); +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + BUS_SET_OOM (error); +@@ -218,11 +221,11 @@ failed: + if (reply != NULL) + dbus_message_unref (reply); + +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + +-dbus_bool_t ++BusResult + bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -246,7 +249,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection, + matchmaker = bus_context_get_matchmaker (context); + + if (!bus_registry_list_services (registry, &services, &services_len)) +- return FALSE; ++ return BUS_RESULT_FALSE; + + reply = dbus_message_new_method_return (message); + if (reply == NULL) +@@ -325,7 +328,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection, + + dbus_message_unref (reply); + dbus_free_string_array (services); +- return TRUE; ++ return BUS_RESULT_TRUE; + + oom: + if (reply != NULL) +@@ -334,7 +337,7 @@ oom: + dbus_free_string_array (services); + + BUS_SET_OOM (error); +- return FALSE; ++ return BUS_RESULT_FALSE; + } + + #endif +diff --git a/bus/stats.h b/bus/stats.h +index dcb022c..683fa17 100644 +--- a/bus/stats.h ++++ b/bus/stats.h +@@ -25,17 +25,17 @@ + + #define BUS_INTERFACE_STATS "org.freedesktop.DBus.Debug.Stats" + +-dbus_bool_t bus_stats_handle_get_stats (DBusConnection *connection, ++BusResult bus_stats_handle_get_stats (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error); + +-dbus_bool_t bus_stats_handle_get_connection_stats (DBusConnection *connection, ++BusResult bus_stats_handle_get_connection_stats (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error); + +-dbus_bool_t bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection, ++BusResult bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error); +-- +2.17.2 + diff --git a/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch new file mode 100644 index 00000000..8ce441b0 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch @@ -0,0 +1,175 @@ +From 69ba571e0daa0a7a9aa6c6b5be5d3338a89d144a Mon Sep 17 00:00:00 2001 +From: Jacek Bukarewicz <j.bukarewicz@samsung.com> +Date: Tue, 23 Jun 2015 11:08:48 +0200 +Subject: Perform Cynara runtime policy checks by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This change introduces http://tizen.org/privilege/internal/dbus privilege +which is supposed to be available only to trusted system resources. +Checks for this privilege are used in place of certain allow rules to +make security policy more strict. + +For system bus sending and receiving signals now requires +http://tizen.org/privilege/internal/dbus privilege. Requesting name +ownership and sending methods is still denied by default. + +For session bus http://tizen.org/privilege/internal/dbus privilege +is now required for requesting name, calling methods, sending and receiving +signals. + +Services are supposed to override these default settings to implement their +own security policy. + +Cherry picked from e8610297cf7031e94eb314a2e8c11246f4405403 by Jose Bollo + +Updated for dbus 1.10.20 by Scott Murray and José Bollo + +Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com> +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +Signed-off-by: Scott Murray <scott.murray@konsulko.com> + +diff --git a/bus/activation.c b/bus/activation.c +index ffdc6fc..6a95b95 100644 +--- a/bus/activation.c ++++ b/bus/activation.c +@@ -1837,22 +1837,32 @@ bus_activation_activate_service (BusActivation *activation, + } + + if (auto_activation && +- entry != NULL && +- BUS_RESULT_TRUE != bus_context_check_security_policy (activation->context, +- transaction, +- connection, /* sender */ +- NULL, /* addressed recipient */ +- NULL, /* proposed recipient */ +- activation_message, +- entry, +- error, +- NULL)) +- { +- _DBUS_ASSERT_ERROR_IS_SET (error); +- _dbus_verbose ("activation not authorized: %s: %s\n", +- error != NULL ? error->name : "(error ignored)", +- error != NULL ? error->message : "(error ignored)"); +- return FALSE; ++ entry != NULL) ++ { ++ BusResult result; ++ ++ result = bus_context_check_security_policy (activation->context, ++ transaction, ++ connection, /* sender */ ++ NULL, /* addressed recipient */ ++ NULL, /* proposed recipient */ ++ activation_message, ++ entry, ++ error, ++ NULL); ++ if (result == BUS_RESULT_FALSE) ++ { ++ _DBUS_ASSERT_ERROR_IS_SET (error); ++ _dbus_verbose ("activation not authorized: %s: %s\n", ++ error != NULL ? error->name : "(error ignored)", ++ error != NULL ? error->message : "(error ignored)"); ++ return FALSE; ++ } ++ if (result == BUS_RESULT_LATER) ++ { ++ /* TODO */ ++ _dbus_verbose ("ALERT FIX ME!!!!!!!!!!!!!!!"); ++ } + } + + /* Bypass the registry lookup if we're auto-activating, bus_dispatch would not +diff --git a/bus/session.conf.in b/bus/session.conf.in +index affa7f1..157dfb4 100644 +--- a/bus/session.conf.in ++++ b/bus/session.conf.in +@@ -27,12 +27,32 @@ + <standard_session_servicedirs /> + + <policy context="default"> +- <!-- Allow everything to be sent --> +- <allow send_destination="*" eavesdrop="true"/> +- <!-- Allow everything to be received --> +- <allow eavesdrop="true"/> +- <!-- Allow anyone to own anything --> +- <allow own="*"/> ++ <!-- By default clients require internal/dbus privilege to communicate ++ with D-Bus services and to claim name ownership. This is internal privilege that ++ is only accessible to trusted system services --> ++ <check own="*" privilege="http://tizen.org/privilege/internal/dbus" /> ++ <check send_type="method_call" privilege="http://tizen.org/privilege/internal/dbus" /> ++ <check send_type="signal" privilege="http://tizen.org/privilege/internal/dbus" /> ++ <check receive_type="signal" privilege="http://tizen.org/privilege/internal/dbus" /> ++ ++ <!-- Reply messages (method returns, errors) are allowed ++ by default --> ++ <allow send_requested_reply="true" send_type="method_return"/> ++ <allow send_requested_reply="true" send_type="error"/> ++ ++ <!-- All messages but signals may be received by default --> ++ <allow receive_type="method_call"/> ++ <allow receive_type="method_return"/> ++ <allow receive_type="error"/> ++ ++ <!-- Allow anyone to talk to the message bus --> ++ <allow send_destination="org.freedesktop.DBus"/> ++ <allow receive_sender="org.freedesktop.DBus"/> ++ ++ <!-- But disallow some specific bus services --> ++ <deny send_destination="org.freedesktop.DBus" ++ send_interface="org.freedesktop.DBus" ++ send_member="UpdateActivationEnvironment"/> + </policy> + + <!-- Include legacy configuration location --> +diff --git a/bus/system.conf.in b/bus/system.conf.in +index f139b55..19d0c04 100644 +--- a/bus/system.conf.in ++++ b/bus/system.conf.in +@@ -50,17 +50,20 @@ + <deny own="*"/> + <deny send_type="method_call"/> + +- <!-- Signals and reply messages (method returns, errors) are allowed ++ <!-- By default clients require internal/dbus privilege to send and receive signaks. ++ This is internal privilege that is only accessible to trusted system services --> ++ <check send_type="signal" privilege="http://tizen.org/privilege/internal/dbus" /> ++ <check receive_type="signal" privilege="http://tizen.org/privilege/internal/dbus" /> ++ ++ <!-- Reply messages (method returns, errors) are allowed + by default --> +- <allow send_type="signal"/> + <allow send_requested_reply="true" send_type="method_return"/> + <allow send_requested_reply="true" send_type="error"/> + +- <!-- All messages may be received by default --> ++ <!-- All messages but signals may be received by default --> + <allow receive_type="method_call"/> + <allow receive_type="method_return"/> + <allow receive_type="error"/> +- <allow receive_type="signal"/> + + <!-- Allow anyone to talk to the message bus --> + <allow send_destination="org.freedesktop.DBus" +@@ -69,6 +72,14 @@ + send_interface="org.freedesktop.DBus.Introspectable"/> + <allow send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus.Properties"/> ++ <!-- If there is a need specific bus services could be protected by Cynara as well. ++ However, this can lead to deadlock during the boot process when such check is made and ++ Cynara is not yet activated (systemd calls protected method synchronously, ++ dbus daemon tries to consult Cynara, Cynara waits for systemd activation). ++ Therefore it is advised to allow root processes to use bus services. ++ Currently anyone is allowed to talk to the message bus --> ++ <allow receive_sender="org.freedesktop.DBus"/> ++ + <!-- But disallow some specific bus services --> + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus" +-- +2.17.2 + diff --git a/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0006-Fix-gcc-8-warnings.patch b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0006-Fix-gcc-8-warnings.patch new file mode 100644 index 00000000..30fac969 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0006-Fix-gcc-8-warnings.patch @@ -0,0 +1,134 @@ +From 988958f40a2e0575df3d4d48101612713737a5db Mon Sep 17 00:00:00 2001 +From: Jose Bollo <jose.bollo@iot.bzh> +Date: Wed, 29 May 2019 16:32:50 +0200 +Subject: Fix gcc 8 warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Compiling with -Werror isn't possible without adaptation +of the code. + +Signed-off-by: José Bollo <jose.bollo@iot.bzh> + +diff --git a/bus/config-parser-trivial.c b/bus/config-parser-trivial.c +index dd65c6d..23dedb4 100644 +--- a/bus/config-parser-trivial.c ++++ b/bus/config-parser-trivial.c +@@ -194,6 +194,7 @@ bus_config_parser_start_element (BusConfigParser *parser, + case ELEMENT_POLICY: + case ELEMENT_LIMIT: + case ELEMENT_ALLOW: ++ case ELEMENT_CHECK: + case ELEMENT_DENY: + case ELEMENT_FORK: + case ELEMENT_PIDFILE: +@@ -316,6 +317,7 @@ bus_config_parser_content (BusConfigParser *parser, + case ELEMENT_POLICY: + case ELEMENT_LIMIT: + case ELEMENT_ALLOW: ++ case ELEMENT_CHECK: + case ELEMENT_DENY: + case ELEMENT_FORK: + case ELEMENT_PIDFILE: +diff --git a/bus/config-parser.c b/bus/config-parser.c +index b5f1dd1..7f91469 100644 +--- a/bus/config-parser.c ++++ b/bus/config-parser.c +@@ -3408,6 +3408,7 @@ elements_equal (const Element *a, + case ELEMENT_LISTEN: + case ELEMENT_AUTH: + case ELEMENT_ALLOW: ++ case ELEMENT_CHECK: + case ELEMENT_DENY: + case ELEMENT_FORK: + case ELEMENT_PIDFILE: +diff --git a/bus/desktop-file.c b/bus/desktop-file.c +index 4459858..4a27ee3 100644 +--- a/bus/desktop-file.c ++++ b/bus/desktop-file.c +@@ -382,7 +382,7 @@ is_valid_section_name (const char *name) + + while (*name) + { +- if (!((*name >= 'A' && *name <= 'Z') || (*name >= 'a' || *name <= 'z') || ++ if (!((*name >= ' ' && *name <= '~' && *name != '[' && *name != ']') || + *name == '\n' || *name == '\t')) + return FALSE; + +diff --git a/bus/driver.h b/bus/driver.h +index 183c28b..05e9886 100644 +--- a/bus/driver.h ++++ b/bus/driver.h +@@ -66,5 +66,7 @@ dbus_bool_t bus_driver_send_ack_reply (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error); ++dbus_bool_t bus_driver_check_message_is_for_us (DBusMessage *message, ++ DBusError *error); + + #endif /* BUS_DRIVER_H */ +diff --git a/bus/policy.c b/bus/policy.c +index 27b66d1..c4c3d4b 100644 +--- a/bus/policy.c ++++ b/bus/policy.c +@@ -1098,6 +1098,7 @@ bus_client_policy_check_can_send (DBusConnection *sender, + case BUS_POLICY_RULE_ACCESS_ALLOW: + result = BUS_RESULT_TRUE; + break; ++ default: + case BUS_POLICY_RULE_ACCESS_DENY: + result = BUS_RESULT_FALSE; + break; +@@ -1350,6 +1351,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, + case BUS_POLICY_RULE_ACCESS_ALLOW: + result = BUS_RESULT_TRUE; + break; ++ default: + case BUS_POLICY_RULE_ACCESS_DENY: + result = BUS_RESULT_FALSE; + break; +@@ -1443,6 +1445,7 @@ bus_rules_check_can_own (DBusList *rules, + case BUS_POLICY_RULE_ACCESS_ALLOW: + result = BUS_RESULT_TRUE; + break; ++ default: + case BUS_POLICY_RULE_ACCESS_DENY: + result = BUS_RESULT_FALSE; + break; +diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c +index 565e089..b96c735 100644 +--- a/dbus/dbus-sysdeps-unix.c ++++ b/dbus/dbus-sysdeps-unix.c +@@ -4364,7 +4364,11 @@ _dbus_daemon_unpublish_session_bus_address (void) + dbus_bool_t + _dbus_get_is_errno_eagain_or_ewouldblock (int e) + { ++#if EAGAIN != EWOULDBLOCK + return e == EAGAIN || e == EWOULDBLOCK; ++#else ++ return e == EAGAIN; ++#endif + } + + /** +diff --git a/tools/dbus-send.c b/tools/dbus-send.c +index 6fb65fe..d853b39 100644 +--- a/tools/dbus-send.c ++++ b/tools/dbus-send.c +@@ -293,10 +293,12 @@ main (int argc, char *argv[]) + { + is_bus = TRUE; + } ++#if 0 + else if (arg[2] == 'p') /* peer */ + { + is_bus = FALSE; + } ++#endif + else /* address; keeping backwards compatibility */ + { + is_bus = FALSE; +-- +2.17.2 + diff --git a/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0007-Fix-SIGSEGV-on-disconnections.patch b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0007-Fix-SIGSEGV-on-disconnections.patch new file mode 100644 index 00000000..b5ee138e --- /dev/null +++ b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus-cynara/0007-Fix-SIGSEGV-on-disconnections.patch @@ -0,0 +1,109 @@ +From 2a1c1c3f9264f53abc439ec44b33fdca8ffbb803 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Fri, 16 Aug 2019 13:29:23 +0200 +Subject: [PATCH 7/8] Fix SIGSEGV on disconnections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Sometime, at start of the system, dbus-daemon was crashing +because a pending authorisation were reactivating a closed +connection. + +Also, clean unused function. + +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + bus/check.c | 5 +++++ + bus/check.h | 1 + + bus/connection.c | 14 +++----------- + bus/connection.h | 3 --- + 4 files changed, 9 insertions(+), 14 deletions(-) + +diff --git a/bus/check.c b/bus/check.c +index f3d283f..b73d08b 100644 +--- a/bus/check.c ++++ b/bus/check.c +@@ -617,3 +617,8 @@ bus_deferred_message_response_received (BusDeferredMessage *deferred_message, + } + } + ++void ++bus_deferred_message_abort (BusDeferredMessage *deferred_message) ++{ ++ deferred_message->response_callback = NULL; ++} +diff --git a/bus/check.h b/bus/check.h +index 9c13c18..d718a69 100644 +--- a/bus/check.h ++++ b/bus/check.h +@@ -93,6 +93,7 @@ void bus_deferred_message_set_policy_check_info (BusDeferredMessa + const char *privilege); + dbus_bool_t bus_deferred_message_check_message_limits (BusDeferredMessage *deferred_message, + DBusError *error); ++void bus_deferred_message_abort (BusDeferredMessage *deferred_message); + + + #ifdef DBUS_ENABLE_EMBEDDED_TESTS +diff --git a/bus/connection.c b/bus/connection.c +index ee93384..b520d57 100644 +--- a/bus/connection.c ++++ b/bus/connection.c +@@ -47,6 +47,7 @@ + #define MAX_LOG_COMMAND_LEN 50 + + static void bus_connection_remove_transactions (DBusConnection *connection); ++static void bus_connection_clear_deferred_messages (DBusConnection *connection); + + typedef struct + { +@@ -2821,17 +2822,7 @@ bus_connection_pop_deferred_message (DBusConnection *connection) + return NULL; + } + +-dbus_bool_t +-bus_connection_putback_deferred_message (DBusConnection *connection, BusDeferredMessage *message) +-{ +- BusConnectionData *d = BUS_CONNECTION_DATA(connection); +- if (_dbus_list_prepend(&d->deferred_messages, message)) +- { +- return TRUE; +- } +- return FALSE; +-} +- ++static + void + bus_connection_clear_deferred_messages (DBusConnection *connection) + { +@@ -2846,6 +2837,7 @@ bus_connection_clear_deferred_messages (DBusConnection *connection) + next = _dbus_list_get_next_link (&d->deferred_messages, link); + message = link->data; + ++ bus_deferred_message_abort(message); + bus_deferred_message_unref(message); + _dbus_list_remove_link(&d->deferred_messages, link); + +diff --git a/bus/connection.h b/bus/connection.h +index 97dae96..6af7bf1 100644 +--- a/bus/connection.h ++++ b/bus/connection.h +@@ -90,15 +90,12 @@ dbus_bool_t bus_connection_queue_deferred_message (DBusConnection *con + BusDeferredMessage *message, + dbus_bool_t prepend); + BusDeferredMessage *bus_connection_pop_deferred_message (DBusConnection *connection); +-dbus_bool_t bus_connection_putback_deferred_message (DBusConnection *connection, +- BusDeferredMessage *message); + void bus_connection_remove_deferred_message (DBusConnection *connection, + BusDeferredMessage *message); + dbus_bool_t bus_connection_replace_deferred_message (DBusConnection *connection, + BusDeferredMessage *oldMessage, + BusDeferredMessage *newMessage); + void bus_connection_dispatch_deferred (DBusConnection *connection); +-void bus_connection_clear_deferred_messages (DBusConnection *connection); + + + /* called by signals.c */ +-- +2.17.2 + diff --git a/meta-agl/meta-security/recipes-core/dbus-cynara/dbus_1.12.10.bbappend b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus_1.12.10.bbappend new file mode 100644 index 00000000..5cbf65ef --- /dev/null +++ b/meta-agl/meta-security/recipes-core/dbus-cynara/dbus_1.12.10.bbappend @@ -0,0 +1,15 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/dbus-cynara:" + +SRC_URI_append_class-target = "\ + file://0001-Integration-of-Cynara-asynchronous-security-checks.patch \ + file://0002-Disable-message-dispatching-when-send-rule-result-is.patch \ + file://0003-Handle-unavailability-of-policy-results-for-broadcas.patch \ + file://0004-Add-own-rule-result-unavailability-handling.patch \ + file://0005-Perform-Cynara-runtime-policy-checks-by-default.patch \ + file://0006-Fix-gcc-8-warnings.patch \ + file://0007-Fix-SIGSEGV-on-disconnections.patch \ +" + +DEPENDS_append_class-target = " cynara smack" +EXTRA_OECONF_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES','smack','--enable-cynara --disable-selinux','',d)}" + diff --git a/meta-agl/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb b/meta-agl/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb new file mode 100644 index 00000000..6dd575df --- /dev/null +++ b/meta-agl/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb @@ -0,0 +1,23 @@ +SUMMARY = "Security middleware components" +LICENSE = "MIT" + +inherit packagegroup + +# Install Cynara and security-manager by default if (and only if) +# Smack is enabled. +# +# Cynara does not have a hard dependency on Smack security, +# but is meant to be used with it. security-manager however +# links against smack and expects Smack to be active, +# so we do not have any choice. +# +# Without configuration, security-manager is not usable. We use +# the policy packaged from the upstream source code here. Adapting +# it for the distro can be done by patching that source. +RDEPENDS_${PN}_append_with-lsm-smack = " \ + cynara \ + security-manager \ + security-manager-policy \ + smacknet \ + smack-system-setup \ +" diff --git a/meta-agl/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules b/meta-agl/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules new file mode 100644 index 00000000..eca65292 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules @@ -0,0 +1,27 @@ +# do not edit this file, it will be overwritten on update + +KERNEL=="null", SECLABEL{smack}="*" +KERNEL=="zero", SECLABEL{smack}="*" +KERNEL=="console", SECLABEL{smack}="*" +KERNEL=="kmsg", SECLABEL{smack}="*" +KERNEL=="video*", SECLABEL{smack}="*" +KERNEL=="card*", SECLABEL{smack}="*" +KERNEL=="ptmx", SECLABEL{smack}="*" +KERNEL=="tty", SECLABEL{smack}="*" +KERNEL=="rfkill", SECLABEL{smack}="*" + +SUBSYSTEM=="most_cdev_aim", SECLABEL{smack}="*" + +SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*" +SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*" +SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*" +SUBSYSTEM=="sound", GROUP="audio", SECLABEL{smack}="*" + +SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*" +SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*" +SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*" +SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*" +KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*" + +SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*" +SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*" diff --git a/meta-agl/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf b/meta-agl/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf new file mode 100644 index 00000000..7035a141 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf @@ -0,0 +1,16 @@ +# Run systemd-journald with the hat ("^") Smack label. +# +# The journal daemon needs global read access to gather information +# about the services spawned by systemd. The hat label is intended +# for this purpose. The journal daemon is the only part of the +# System domain that needs read access to the User domain. Giving +# the journal daemon the hat label means that we can remove the +# System domain's read access to the User domain and we can avoid +# hard-coding a specific label name for that domain. +# +# Original author: Casey Schaufler <casey@schaufler-ca.com> +# +# This is considered a configuration change and thus distro specific. +[Service] +SmackProcessLabel=^ + diff --git a/meta-agl/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf b/meta-agl/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf new file mode 100644 index 00000000..db43c8c5 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf @@ -0,0 +1,2 @@ +[Service] +ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)' diff --git a/meta-agl/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf b/meta-agl/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf new file mode 100644 index 00000000..388986e8 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf @@ -0,0 +1,12 @@ +# Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>. +# Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664), +# but it was removed again (https://github.com/systemd/systemd/issues/1696) because +# util-linux mount will ignore smackfsroot when Smack is not active. However, +# busybox is not that intelligent. +# +# When using busybox mount, adding smackfsroot=* and booting without +# Smack (i.e. security=none), tmp.mount will fail with an error about +# "Bad mount option smackfsroot". +[Mount] +Options=smackfsroot=* + diff --git a/meta-agl/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb b/meta-agl/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb new file mode 100644 index 00000000..49b12ad3 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb @@ -0,0 +1,28 @@ +DESCRIPTION = "setup of a system using smack" +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" + +SRC_URI = "\ + file://55-udev-smack-default.rules \ + file://systemd-journald.service.conf \ + file://systemd-tmpfiles-setup.service.conf \ + file://tmp.mount.conf \ +" + +RDEPENDS_${PN}_append_with-lsm-smack = " smack" + +do_install_append_with-lsm-smack() { + # tuning systemd units + install -Dm0644 ${WORKDIR}/systemd-tmpfiles-setup.service.conf \ + ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf + install -Dm0644 ${WORKDIR}/systemd-journald.service.conf \ + ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf + install -Dm0644 ${WORKDIR}/tmp.mount.conf \ + ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf + + # add udev rules + install -Dm0644 ${WORKDIR}/55-udev-smack-default.rules \ + ${D}${sysconfdir}/udev/rules.d/55-udev-smack-default.rules +} + +FILES_${PN} += "${systemd_unitdir}" diff --git a/meta-agl/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch b/meta-agl/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch new file mode 100644 index 00000000..46445be7 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch @@ -0,0 +1,52 @@ +From 6cc74075797edb6f698cb7f312bb1c3d8cc6cb28 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 12 Oct 2017 17:17:56 +0200 +Subject: [PATCH] Switch Smack label earlier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Switching label after removing capability isn't +possible. + +Change-Id: Ib7dac8f071f36119520ed3205d743c1e3df3cd5e +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/core/execute.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index d72e5bf08..0abffd569 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -2707,6 +2707,13 @@ static int exec_child( + } + } + ++ r = setup_smack(context, command); ++ if (r < 0) { ++ *exit_status = EXIT_SMACK_PROCESS_LABEL; ++ *error_message = strdup("Failed to set SMACK process label"); ++ return r; ++ } ++ + if (!cap_test_all(context->capability_bounding_set)) { + r = capability_bounding_set_drop(context->capability_bounding_set, false); + if (r < 0) { +@@ -2775,13 +2782,6 @@ static int exec_child( + } + #endif + +- r = setup_smack(context, command); +- if (r < 0) { +- *exit_status = EXIT_SMACK_PROCESS_LABEL; +- *error_message = strdup("Failed to set SMACK process label"); +- return r; +- } +- + #ifdef HAVE_APPARMOR + if (context->apparmor_profile && mac_apparmor_use()) { + r = aa_change_onexec(context->apparmor_profile); +-- +2.14.3 + diff --git a/meta-agl/meta-security/recipes-core/systemd/systemd_239.bbappend b/meta-agl/meta-security/recipes-core/systemd/systemd_239.bbappend new file mode 100644 index 00000000..789c05f8 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/systemd/systemd_239.bbappend @@ -0,0 +1,40 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +# Ensures systemd runs with label "System" +EXTRA_OEMESON_append_with-lsm-smack = " -Dsmack-run-label=System" + +################################################################################## +# Maintaining trivial, non-upstreamable configuration changes as patches +# is tedious. But in same cases (like early mounting of special directories) +# the configuration has to be in code. We make these changes here directly. +################################################################################## +do_patch[prefuncs] += "patch_systemd" +do_patch[vardeps] += "patch_systemd" +patch_systemd() { + # Handling of /run and /sys/fs/cgroup. Make /run a transmuting directory to + # enable systemd communications with services in the User domain. + # Original patch by Michael Demeter <michael.demeter@intel.com>. + # + # We simplify the patching by touching only lines which check the result of + # mac_smack_use(). Those are the ones which are used when Smack is active. + # + # smackfsroot=* on /sys/fs/cgroup may be upstreamable, but smackfstransmute=System::Run + # is too distro specific (depends on Smack rules) and thus has to remain here. + sed -i -e 's;\("/sys/fs/cgroup", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfsroot=*\2;' \ + -e 's;\("/run", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfstransmute=System::Run\2;' \ + ${S}/src/core/mount-setup.c +} + +################################################################################## +# What follows is temporary. +# This is a solution to the Bug-AGL SPEC-539 +# (see https://jira.automotivelinux.org/browse/SPEC-539). +# +# It renames the file "touchscreen.rules" to "55-touchscreen.rules" +# This comes with the recipe systemd_230/234 of poky (meta/recipes-core/systemd) +# It should be removed when poky changes. +################################################################################## +do_install_prepend() { + mv ${WORKDIR}/touchscreen.rules ${WORKDIR}/55-touchscreen.rules || true +} + diff --git a/meta-agl/meta-security/recipes-core/util-linux/util-linux_%.bbappend b/meta-agl/meta-security/recipes-core/util-linux/util-linux_%.bbappend new file mode 100644 index 00000000..05286f80 --- /dev/null +++ b/meta-agl/meta-security/recipes-core/util-linux/util-linux_%.bbappend @@ -0,0 +1,8 @@ +# Enabling Smack support in util-linux enables special support +# in [lib]mount for Smack mount options: they get removed if +# Smack is not active in the current kernel. Important for +# booting with "security=none" when userspace otherwise is +# compiled to use Smack. + +PACKAGECONFIG_append_with-lsm-smack_class-target = " smack" +PACKAGECONFIG[smack] = "--with-smack, --without-smack" diff --git a/meta-agl/meta-security/recipes-kernel/linux/linux-%.bbappend b/meta-agl/meta-security/recipes-kernel/linux/linux-%.bbappend new file mode 100644 index 00000000..717d32e3 --- /dev/null +++ b/meta-agl/meta-security/recipes-kernel/linux/linux-%.bbappend @@ -0,0 +1,17 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" + +IS_KERNEL_RECIPE := "${@bb.data.inherits_class('kernel', d) and 'yes' or 'no'}" +SMACK_KERNEL_SRC_URI_no = "" +SMACK_KERNEL_SRC_URI_yes = "" + +# Kernel config fragment enabling Smack, without making it the default explicitly. +SMACK_KERNEL_SRC_URI_yes += "file://smack.cfg" + +# When added, set Smack as the default LSM. +SMACK_DEFAULT_SECURITY_CFG = "file://smack-default-lsm.cfg" + +# Add it by default, can be overridden by changing this variable here. +SMACK_DEFAULT_SECURITY ??= "${SMACK_DEFAULT_SECURITY_CFG}" +SMACK_KERNEL_SRC_URI_yes += " ${SMACK_DEFAULT_SECURITY}" + +SRC_URI_append_with-lsm-smack = "${SMACK_KERNEL_SRC_URI_${IS_KERNEL_RECIPE}}" diff --git a/meta-agl/meta-security/recipes-kernel/linux/linux/audit.cfg b/meta-agl/meta-security/recipes-kernel/linux/linux/audit.cfg new file mode 100644 index 00000000..214dbe33 --- /dev/null +++ b/meta-agl/meta-security/recipes-kernel/linux/linux/audit.cfg @@ -0,0 +1,2 @@ +CONFIG_AUDIT=y +CONFIG_AUDITSYSCALL=y diff --git a/meta-agl/meta-security/recipes-kernel/linux/linux/smack-default-lsm.cfg b/meta-agl/meta-security/recipes-kernel/linux/linux/smack-default-lsm.cfg new file mode 100644 index 00000000..b5c48454 --- /dev/null +++ b/meta-agl/meta-security/recipes-kernel/linux/linux/smack-default-lsm.cfg @@ -0,0 +1,2 @@ +CONFIG_DEFAULT_SECURITY="smack" +CONFIG_DEFAULT_SECURITY_SMACK=y diff --git a/meta-agl/meta-security/recipes-kernel/linux/linux/smack.cfg b/meta-agl/meta-security/recipes-kernel/linux/linux/smack.cfg new file mode 100644 index 00000000..62f465a4 --- /dev/null +++ b/meta-agl/meta-security/recipes-kernel/linux/linux/smack.cfg @@ -0,0 +1,8 @@ +CONFIG_IP_NF_SECURITY=m +CONFIG_IP6_NF_SECURITY=m +CONFIG_EXT2_FS_SECURITY=y +CONFIG_EXT3_FS_SECURITY=y +CONFIG_EXT4_FS_SECURITY=y +CONFIG_SECURITY=y +CONFIG_SECURITY_SMACK=y +CONFIG_TMPFS_XATTR=y diff --git a/meta-agl/meta-security/recipes-security/audit/audit/add-system-call-table-for-ARM.patch b/meta-agl/meta-security/recipes-security/audit/audit/add-system-call-table-for-ARM.patch new file mode 100644 index 00000000..ad94d11b --- /dev/null +++ b/meta-agl/meta-security/recipes-security/audit/audit/add-system-call-table-for-ARM.patch @@ -0,0 +1,46 @@ +From 52ff74be2f01182ed9d4fcc3da059512fad63d72 Mon Sep 17 00:00:00 2001 +From: Han Chao <chan@windriver.com> +Date: Thu, 27 Feb 2014 14:58:57 +0800 +Subject: [PATCH] add system call table for ARM. + +This change enable audit system call on ARM. +Add arm System call table on machinetabs.h. +Audit system call need enable kernel config CONFIG_AUDITSYSCALL. + +Signed-off-by: Han Chao <chan@windriver.com> +--- + lib/machinetabs.h | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/lib/machinetabs.h b/lib/machinetabs.h +index ec2d033..1c2e284 100644 +--- a/lib/machinetabs.h ++++ b/lib/machinetabs.h +@@ -1,10 +1,11 @@ +-/* This is a generated file, see Makefile.am for its inputs. */ +-static const char machine_strings[] = "i386\0i486\0i586\0i686\0ia64\0ppc\0ppc64\0s390\0s390x\0x86_64"; ++/* Such is aways generated file, see Makefile.am for its inputs. ++ * But this version is not generated file, which is for ARM. */ ++static const char machine_strings[] = "armeb\0armv5tejl\0armv5tel\0armv6l\0armv7l"; + static const unsigned machine_s2i_s[] = { +- 0,5,10,15,20,25,29,35,40,46, ++ 0,6,16,25,32, + }; + static const int machine_s2i_i[] = { +- 0,0,0,0,2,4,3,6,5,1, ++ 8,8,8,8,8, + }; + static int machine_s2i(const char *s, int *value) { + size_t len, i; +@@ -19,7 +20,7 @@ static int machine_s2i(const char *s, int *value) { + } + } + static const unsigned machine_i2s_direct[] = { +- 0,46,20,29,25,40,35, ++ 39,85,59,68,64, + }; + static const char *machine_i2s(int v) { + return i2s_direct__(machine_strings, machine_i2s_direct, 0, 6, v); +-- +1.7.9.5 + diff --git a/meta-agl/meta-security/recipes-security/audit/audit/audit-for-cross-compiling.patch b/meta-agl/meta-security/recipes-security/audit/audit/audit-for-cross-compiling.patch new file mode 100644 index 00000000..60a23a8a --- /dev/null +++ b/meta-agl/meta-security/recipes-security/audit/audit/audit-for-cross-compiling.patch @@ -0,0 +1,2938 @@ +From f73f654734c5f0d1a6568c6c8fba232b01f919f4 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald <joe@deserted.net> +Date: Wed, 23 Oct 2013 16:02:34 -0400 +Subject: [PATCH] audit: use generated headers for cross compiling + +In the same vein as the patch for audit 2.2.1 (commit: 6c77455b), we generate +the headers which are inherently architecture specific but portable on a +convenient platform and use them for all platforms. + +Upstream-Status: Inappropriate [cross-compile specific] + +Signed-off-by: Joe MacDonald <joe@deserted.net> +--- + auparse/Makefile.am | 200 --------------------------------------------- + auparse/accesstabs.h | 6 ++ + auparse/captabs.h | 14 ++++ + auparse/clocktabs.h | 8 ++ + auparse/clone-flagtabs.h | 10 +++ + auparse/epoll_ctls.h | 8 ++ + auparse/famtabs.h | 14 ++++ + auparse/fcntl-cmdtabs.h | 17 ++++ + auparse/flagtabs.h | 6 ++ + auparse/icmptypetabs.h | 10 +++ + auparse/ip6optnametabs.h | 20 +++++ + auparse/ipccmdtabs.h | 6 ++ + auparse/ipctabs.h | 11 +++ + auparse/ipoptnametabs.h | 17 ++++ + auparse/mmaptabs.h | 8 ++ + auparse/mounttabs.h | 10 +++ + auparse/nfprototabs.h | 9 ++ + auparse/open-flagtabs.h | 8 ++ + auparse/persontabs.h | 17 ++++ + auparse/pktoptnametabs.h | 10 +++ + auparse/prctl_opttabs.h | 14 ++++ + auparse/prottabs.h | 6 ++ + auparse/ptracetabs.h | 17 ++++ + auparse/recvtabs.h | 8 ++ + auparse/rlimittabs.h | 10 +++ + auparse/schedtabs.h | 8 ++ + auparse/seccomptabs.h | 11 +++ + auparse/seektabs.h | 8 ++ + auparse/shm_modetabs.h | 6 ++ + auparse/signaltabs.h | 14 ++++ + auparse/sockleveltabs.h | 12 +++ + auparse/sockoptnametabs.h | 23 ++++++ + auparse/socktabs.h | 10 +++ + auparse/socktypetabs.h | 8 ++ + auparse/tcpoptnametabs.h | 12 +++ + auparse/typetabs.h | 35 ++++++++ + auparse/umounttabs.h | 6 ++ + lib/Makefile.am | 106 ------------------------ + lib/aarch64_tables.h | 125 ++++++++++++++++++++++++++++ + lib/actiontabs.h | 26 ++++++ + lib/alpha_tables.h | 196 ++++++++++++++++++++++++++++++++++++++++++++ + lib/armeb_tables.h | 165 +++++++++++++++++++++++++++++++++++++ + lib/errtabs.h | 78 ++++++++++++++++++ + lib/fieldtabs.h | 49 +++++++++++ + lib/flagtabs.h | 26 ++++++ + lib/ftypetabs.h | 29 +++++++ + lib/i386_tables.h | 163 ++++++++++++++++++++++++++++++++++++ + lib/ia64_tables.h | 147 +++++++++++++++++++++++++++++++++ + lib/machinetabs.h | 26 ++++++ + lib/msg_typetabs.h | 104 +++++++++++++++++++++++ + lib/optabs.h | 11 +++ + lib/ppc_tables.h | 163 ++++++++++++++++++++++++++++++++++++ + lib/s390_tables.h | 153 ++++++++++++++++++++++++++++++++++ + lib/s390x_tables.h | 144 ++++++++++++++++++++++++++++++++ + lib/x86_64_tables.h | 150 ++++++++++++++++++++++++++++++++++ + 55 files changed, 2172 insertions(+), 306 deletions(-) + create mode 100644 auparse/accesstabs.h + create mode 100644 auparse/captabs.h + create mode 100644 auparse/clocktabs.h + create mode 100644 auparse/clone-flagtabs.h + create mode 100644 auparse/epoll_ctls.h + create mode 100644 auparse/famtabs.h + create mode 100644 auparse/fcntl-cmdtabs.h + create mode 100644 auparse/flagtabs.h + create mode 100644 auparse/icmptypetabs.h + create mode 100644 auparse/ip6optnametabs.h + create mode 100644 auparse/ipccmdtabs.h + create mode 100644 auparse/ipctabs.h + create mode 100644 auparse/ipoptnametabs.h + create mode 100644 auparse/mmaptabs.h + create mode 100644 auparse/mounttabs.h + create mode 100644 auparse/nfprototabs.h + create mode 100644 auparse/open-flagtabs.h + create mode 100644 auparse/persontabs.h + create mode 100644 auparse/pktoptnametabs.h + create mode 100644 auparse/prctl_opttabs.h + create mode 100644 auparse/prottabs.h + create mode 100644 auparse/ptracetabs.h + create mode 100644 auparse/recvtabs.h + create mode 100644 auparse/rlimittabs.h + create mode 100644 auparse/schedtabs.h + create mode 100644 auparse/seccomptabs.h + create mode 100644 auparse/seektabs.h + create mode 100644 auparse/shm_modetabs.h + create mode 100644 auparse/signaltabs.h + create mode 100644 auparse/sockleveltabs.h + create mode 100644 auparse/sockoptnametabs.h + create mode 100644 auparse/socktabs.h + create mode 100644 auparse/socktypetabs.h + create mode 100644 auparse/tcpoptnametabs.h + create mode 100644 auparse/typetabs.h + create mode 100644 auparse/umounttabs.h + create mode 100644 lib/aarch64_tables.h + create mode 100644 lib/actiontabs.h + create mode 100644 lib/alpha_tables.h + create mode 100644 lib/armeb_tables.h + create mode 100644 lib/errtabs.h + create mode 100644 lib/fieldtabs.h + create mode 100644 lib/flagtabs.h + create mode 100644 lib/ftypetabs.h + create mode 100644 lib/i386_tables.h + create mode 100644 lib/ia64_tables.h + create mode 100644 lib/machinetabs.h + create mode 100644 lib/msg_typetabs.h + create mode 100644 lib/optabs.h + create mode 100644 lib/ppc_tables.h + create mode 100644 lib/s390_tables.h + create mode 100644 lib/s390x_tables.h + create mode 100644 lib/x86_64_tables.h + +diff --git a/auparse/Makefile.am b/auparse/Makefile.am +index f0ca18f..7d1527c 100644 +--- a/auparse/Makefile.am ++++ b/auparse/Makefile.am +@@ -53,203 +53,3 @@ BUILT_SOURCES = accesstabs.h captabs.h clocktabs.h clone-flagtabs.h \ + seektabs.h shm_modetabs.h signaltabs.h sockoptnametabs.h \ + socktabs.h sockleveltabs.h socktypetabs.h \ + tcpoptnametabs.h typetabs.h umounttabs.h +-noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \ +- gen_clone-flagtabs_h \ +- gen_epoll_ctls_h gen_famtabs_h \ +- gen_fcntl-cmdtabs_h gen_flagtabs_h \ +- gen_icmptypetabs_h gen_ipctabs_h gen_ipccmdtabs_h\ +- gen_ipoptnametabs_h gen_ip6optnametabs_h gen_nfprototabs_h \ +- gen_mmaptabs_h gen_mounttabs_h \ +- gen_open-flagtabs_h gen_persontabs_h \ +- gen_prctl_opttabs_h gen_pktoptnametabs_h gen_prottabs_h \ +- gen_recvtabs_h gen_rlimit_h gen_ptracetabs_h \ +- gen_schedtabs_h gen_seccomptabs_h \ +- gen_seektabs_h gen_shm_modetabs_h gen_signals_h \ +- gen_sockoptnametabs_h gen_socktabs_h gen_sockleveltabs_h \ +- gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \ +- gen_umounttabs_h +- +-gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h +-gen_accesstabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="accesstab.h"' +-accesstabs.h: gen_accesstabs_h Makefile +- ./gen_accesstabs_h --i2s-transtab access > $@ +- +-gen_captabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h captab.h +-gen_captabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="captab.h"' +-captabs.h: gen_captabs_h Makefile +- ./gen_captabs_h --i2s cap > $@ +- +-gen_clock_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h +-gen_clock_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clocktab.h"' +-clocktabs.h: gen_clock_h Makefile +- ./gen_clock_h --i2s clock > $@ +- +-gen_clone_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \ +- clone-flagtab.h +-gen_clone_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clone-flagtab.h"' +-clone-flagtabs.h: gen_clone-flagtabs_h Makefile +- ./gen_clone-flagtabs_h --i2s-transtab clone_flag > $@ +- +-gen_epoll_ctls_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h +-gen_epoll_ctls_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="epoll_ctl.h"' +-epoll_ctls.h: gen_epoll_ctls_h Makefile +- ./gen_epoll_ctls_h --i2s epoll_ctl > $@ +- +-gen_famtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h famtab.h +-gen_famtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="famtab.h"' +-famtabs.h: gen_famtabs_h Makefile +- ./gen_famtabs_h --i2s fam > $@ +- +-gen_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h flagtab.h +-# ../auparse/ is used to avoid using ../lib/flagtab.h +-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="../auparse/flagtab.h"' +-flagtabs.h: gen_flagtabs_h Makefile +- ./gen_flagtabs_h --i2s-transtab flag > $@ +- +-gen_fcntl_cmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \ +- fcntl-cmdtab.h +-gen_fcntl_cmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fcntl-cmdtab.h"' +-fcntl-cmdtabs.h: gen_fcntl-cmdtabs_h Makefile +- ./gen_fcntl-cmdtabs_h --i2s fcntl > $@ +- +-gen_icmptypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h +-gen_icmptypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="icmptypetab.h"' +-icmptypetabs.h: gen_icmptypetabs_h Makefile +- ./gen_icmptypetabs_h --i2s icmptype > $@ +- +-gen_ipctabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h +-gen_ipctabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipctab.h"' +-ipctabs.h: gen_ipctabs_h Makefile +- ./gen_ipctabs_h --i2s ipc > $@ +- +-gen_ipccmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h +-gen_ipccmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipccmdtab.h"' +-ipccmdtabs.h: gen_ipccmdtabs_h Makefile +- ./gen_ipccmdtabs_h --i2s-transtab ipccmd > $@ +- +-gen_ipoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h +-gen_ipoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipoptnametab.h"' +-ipoptnametabs.h: gen_ipoptnametabs_h Makefile +- ./gen_ipoptnametabs_h --i2s ipoptname > $@ +- +-gen_ip6optnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h +-gen_ip6optnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ip6optnametab.h"' +-ip6optnametabs.h: gen_ip6optnametabs_h Makefile +- ./gen_ip6optnametabs_h --i2s ip6optname > $@ +- +-gen_mmaptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h +-gen_mmaptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mmaptab.h"' +-mmaptabs.h: gen_mmaptabs_h Makefile +- ./gen_mmaptabs_h --i2s-transtab mmap > $@ +- +-gen_mounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h +-gen_mounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mounttab.h"' +-mounttabs.h: gen_mounttabs_h Makefile +- ./gen_mounttabs_h --i2s-transtab mount > $@ +- +-gen_nfprototabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h +-gen_nfprototabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="nfprototab.h"' +-nfprototabs.h: gen_nfprototabs_h Makefile +- ./gen_nfprototabs_h --i2s nfproto > $@ +- +-gen_open_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \ +- open-flagtab.h +-gen_open_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="open-flagtab.h"' +-open-flagtabs.h: gen_open-flagtabs_h Makefile +- ./gen_open-flagtabs_h --i2s-transtab open_flag > $@ +- +-gen_persontabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h persontab.h +-gen_persontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="persontab.h"' +-persontabs.h: gen_persontabs_h Makefile +- ./gen_persontabs_h --i2s person > $@ +- +-gen_ptracetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h +-gen_ptracetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ptracetab.h"' +-ptracetabs.h: gen_ptracetabs_h Makefile +- ./gen_ptracetabs_h --i2s ptrace > $@ +- +-gen_prctl_opttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h +-gen_prctl_opttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prctl-opt-tab.h"' +-prctl_opttabs.h: gen_prctl_opttabs_h Makefile +- ./gen_prctl_opttabs_h --i2s prctl_opt > $@ +- +-gen_pktoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h +-gen_pktoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="pktoptnametab.h"' +-pktoptnametabs.h: gen_pktoptnametabs_h Makefile +- ./gen_pktoptnametabs_h --i2s pktoptname > $@ +- +-gen_prottabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prottab.h +-gen_prottabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prottab.h"' +-prottabs.h: gen_prottabs_h Makefile +- ./gen_prottabs_h --i2s-transtab prot > $@ +- +-gen_recvtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h +-gen_recvtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="recvtab.h"' +-recvtabs.h: gen_recvtabs_h Makefile +- ./gen_recvtabs_h --i2s-transtab recv > $@ +- +-gen_rlimit_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h +-gen_rlimit_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="rlimittab.h"' +-rlimittabs.h: gen_rlimit_h Makefile +- ./gen_rlimit_h --i2s rlimit > $@ +- +-gen_schedtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h +-gen_schedtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="schedtab.h"' +-schedtabs.h: gen_schedtabs_h Makefile +- ./gen_schedtabs_h --i2s sched > $@ +- +-gen_seccomptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h +-gen_seccomptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seccomptab.h"' +-seccomptabs.h: gen_seccomptabs_h Makefile +- ./gen_seccomptabs_h --i2s seccomp > $@ +- +-gen_seektabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seektab.h +-gen_seektabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seektab.h"' +-seektabs.h: gen_seektabs_h Makefile +- ./gen_seektabs_h --i2s seek > $@ +- +-gen_shm_modetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h +-gen_shm_modetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="shm_modetab.h"' +-shm_modetabs.h: gen_shm_modetabs_h Makefile +- ./gen_shm_modetabs_h --i2s-transtab shm_mode > $@ +- +-gen_signals_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h +-gen_signals_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="signaltab.h"' +-signaltabs.h: gen_signals_h Makefile +- ./gen_signals_h --i2s signal > $@ +- +-gen_sockleveltabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h +-gen_sockleveltabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockleveltab.h"' +-sockleveltabs.h: gen_sockleveltabs_h Makefile +- ./gen_sockleveltabs_h --i2s socklevel > $@ +- +-gen_sockoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h +-gen_sockoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockoptnametab.h"' +-sockoptnametabs.h: gen_sockoptnametabs_h Makefile +- ./gen_sockoptnametabs_h --i2s sockoptname > $@ +- +-gen_socktabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktab.h +-gen_socktabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktab.h"' +-socktabs.h: gen_socktabs_h Makefile +- ./gen_socktabs_h --i2s sock > $@ +- +-gen_socktypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h +-gen_socktypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktypetab.h"' +-socktypetabs.h: gen_socktypetabs_h Makefile +- ./gen_socktypetabs_h --i2s sock_type > $@ +- +-gen_tcpoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h +-gen_tcpoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="tcpoptnametab.h"' +-tcpoptnametabs.h: gen_tcpoptnametabs_h Makefile +- ./gen_tcpoptnametabs_h --i2s tcpoptname > $@ +- +-gen_typetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h typetab.h +-gen_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="typetab.h"' +-typetabs.h: gen_typetabs_h Makefile +- ./gen_typetabs_h --s2i type > $@ +- +-gen_umounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h +-gen_umounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="umounttab.h"' +-umounttabs.h: gen_umounttabs_h Makefile +- ./gen_umounttabs_h --i2s-transtab umount > $@ +- +diff --git a/auparse/accesstabs.h b/auparse/accesstabs.h +new file mode 100644 +index 0000000..867d99c +--- /dev/null ++++ b/auparse/accesstabs.h +@@ -0,0 +1,6 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char access_strings[] = "R_OK\0W_OK\0X_OK"; ++static const struct transtab access_table[] = { ++ {1,10},{2,5},{4,0}, ++}; ++#define ACCESS_NUM_ENTRIES (sizeof(access_table) / sizeof(*access_table)) +diff --git a/auparse/captabs.h b/auparse/captabs.h +new file mode 100644 +index 0000000..9267466 +--- /dev/null ++++ b/auparse/captabs.h +@@ -0,0 +1,14 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char cap_strings[] = "audit_control\0audit_write\0block_suspend\0chown\0compromise_kernel\0dac_override\0dac_read_search\0fowner\0fsetid\0ipc_lock\0" ++ "ipc_owner\0kill\0lease\0linux_immutable\0mac_admin\0mac_override\0mknod\0net_admin\0net_bind_service\0net_broadcast\0" ++ "net_raw\0setfcap\0setgid\0setpcap\0setuid\0sys_admin\0sys_boot\0sys_chroot\0sys_module\0sys_nice\0" ++ "sys_pacct\0sys_ptrace\0sys_rawio\0sys_resource\0sys_time\0sys_tty_config\0syslog\0wake_alarm"; ++static const unsigned cap_i2s_direct[] = { ++ 40,64,77,93,100,126,239,254,246,137, ++ 192,209,182,223,107,116,291,332,280,321, ++ 311,261,271,302,342,355,364,176,131,14, ++ 0,231,163,153,379,386,26,46, ++}; ++static const char *cap_i2s(int v) { ++ return i2s_direct__(cap_strings, cap_i2s_direct, 0, 37, v); ++} +diff --git a/auparse/clocktabs.h b/auparse/clocktabs.h +new file mode 100644 +index 0000000..03f9f09 +--- /dev/null ++++ b/auparse/clocktabs.h +@@ -0,0 +1,8 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char clock_strings[] = "CLOCK_BOOTTIME\0CLOCK_BOOTTIME_ALARM\0CLOCK_MONOTONIC\0CLOCK_MONOTONIC_COARSE\0CLOCK_MONOTONIC_RAW\0CLOCK_PROCESS_CPUTIME_ID\0CLOCK_REALTIME\0CLOCK_REALTIME_ALARM\0CLOCK_REALTIME_COARSE\0CLOCK_THREAD_CPUTIME_ID"; ++static const unsigned clock_i2s_direct[] = { ++ 120,36,95,178,75,156,52,0,135,15, ++}; ++static const char *clock_i2s(int v) { ++ return i2s_direct__(clock_strings, clock_i2s_direct, 0, 9, v); ++} +diff --git a/auparse/clone-flagtabs.h b/auparse/clone-flagtabs.h +new file mode 100644 +index 0000000..b8f815d +--- /dev/null ++++ b/auparse/clone-flagtabs.h +@@ -0,0 +1,10 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char clone_flag_strings[] = "CLONE_CHILD_CLEARTID\0CLONE_CHILD_SETTID\0CLONE_DETACHED\0CLONE_FILES\0CLONE_FS\0CLONE_IO\0CLONE_NEWIPC\0CLONE_NEWNET\0CLONE_NEWNS\0CLONE_NEWPID\0" ++ "CLONE_NEWUSER\0CLONE_NEWUTS\0CLONE_PARENT\0CLONE_PARENT_SETTID\0CLONE_PTRACE\0CLONE_SETTLS\0CLONE_SIGHAND\0CLONE_STOPPED\0CLONE_SYSVSEM\0CLONE_THREAD\0" ++ "CLONE_UNTRACED\0CLONE_VFORK\0CLONE_VM"; ++static const struct transtab clone_flag_table[] = { ++ {256,304},{512,67},{1024,55},{2048,222},{8192,196},{16384,292},{32768,163},{65536,264},{131072,111},{262144,250}, ++ {524288,209},{1048576,176},{2097152,0},{4194304,40},{8388608,277},{16777216,21},{33554432,236},{67108864,150},{134217728,85},{268435456,136}, ++ {536870912,123},{1073741824,98},{-2147483648,76}, ++}; ++#define CLONE_FLAG_NUM_ENTRIES (sizeof(clone_flag_table) / sizeof(*clone_flag_table)) +diff --git a/auparse/epoll_ctls.h b/auparse/epoll_ctls.h +new file mode 100644 +index 0000000..2787c18 +--- /dev/null ++++ b/auparse/epoll_ctls.h +@@ -0,0 +1,8 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char epoll_ctl_strings[] = "EPOLL_CTL_ADD\0EPOLL_CTL_DEL\0EPOLL_CTL_MOD"; ++static const unsigned epoll_ctl_i2s_direct[] = { ++ 0,14,28, ++}; ++static const char *epoll_ctl_i2s(int v) { ++ return i2s_direct__(epoll_ctl_strings, epoll_ctl_i2s_direct, 1, 3, v); ++} +diff --git a/auparse/famtabs.h b/auparse/famtabs.h +new file mode 100644 +index 0000000..cae396b +--- /dev/null ++++ b/auparse/famtabs.h +@@ -0,0 +1,14 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char fam_strings[] = "alg\0appletalk\0ash\0atmpvc\0atmsvc\0ax25\0bluetooth\0bridge\0caif\0can\0" ++ "decnet\0econet\0ieee802154\0inet\0inet6\0ipx\0irda\0isdn\0iucv\0key\0" ++ "llc\0local\0netbeui\0netlink\0netrom\0nfc\0packet\0phonet\0pppox\0rds\0" ++ "rose\0rxrpc\0security\0sna\0tipc\0vsock\0wanpipe\0x25"; ++static const unsigned fam_i2s_direct[] = { ++ 126,88,32,99,4,148,47,18,226,93, ++ 183,63,132,194,118,140,159,14,70,25, ++ 179,203,103,173,218,122,-1u,-1u,59,207, ++ 37,113,188,108,166,77,54,0,155,212, ++}; ++static const char *fam_i2s(int v) { ++ return i2s_direct__(fam_strings, fam_i2s_direct, 1, 40, v); ++} +diff --git a/auparse/fcntl-cmdtabs.h b/auparse/fcntl-cmdtabs.h +new file mode 100644 +index 0000000..18c6cc7 +--- /dev/null ++++ b/auparse/fcntl-cmdtabs.h +@@ -0,0 +1,17 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char fcntl_strings[] = "F_CANCELLK\0F_DUPFD\0F_DUPFD_CLOEXEC\0F_GETFD\0F_GETFL\0F_GETLEASE\0F_GETLK\0F_GETLK64\0F_GETOWN\0F_GETOWNER_UIDS\0" ++ "F_GETOWN_EX\0F_GETPIPE_SZ\0F_GETSIG\0F_NOTIFY\0F_SETFD\0F_SETFL\0F_SETLEASE\0F_SETLK\0F_SETLK64\0F_SETLKW\0" ++ "F_SETLKW64\0F_SETOWN\0F_SETOWN_EX\0F_SETPIPE_SZ\0F_SETSIG"; ++static const int fcntl_i2s_i[] = { ++ 0,1,2,3,4,5,6,7,8,9, ++ 10,11,12,13,14,15,16,17,1024,1025, ++ 1026,1029,1030,1031,1032, ++}; ++static const unsigned fcntl_i2s_s[] = { ++ 11,35,148,43,156,62,175,193,213,80, ++ 247,130,70,183,202,222,105,89,164,51, ++ 139,0,19,234,117, ++}; ++static const char *fcntl_i2s(int v) { ++ return i2s_bsearch__(fcntl_strings, fcntl_i2s_i, fcntl_i2s_s, 25, v); ++} +diff --git a/auparse/flagtabs.h b/auparse/flagtabs.h +new file mode 100644 +index 0000000..5f57e14 +--- /dev/null ++++ b/auparse/flagtabs.h +@@ -0,0 +1,6 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char flag_strings[] = "access\0atomic\0continue\0create\0directory\0follow\0noalt\0open\0parent"; ++static const struct transtab flag_table[] = { ++ {1,40},{2,30},{4,14},{16,58},{32,47},{64,7},{256,53},{512,23},{1024,0}, ++}; ++#define FLAG_NUM_ENTRIES (sizeof(flag_table) / sizeof(*flag_table)) +diff --git a/auparse/icmptypetabs.h b/auparse/icmptypetabs.h +new file mode 100644 +index 0000000..49b44bf +--- /dev/null ++++ b/auparse/icmptypetabs.h +@@ -0,0 +1,10 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char icmptype_strings[] = "address-mask-reply\0address-mask-request\0destination-unreachable\0echo\0echo-reply\0info-reply\0info-request\0parameter-problem\0redirect\0source-quench\0" ++ "time-exceeded\0timestamp-reply\0timestamp-request"; ++static const unsigned icmptype_i2s_direct[] = { ++ 69,-1u,-1u,40,131,122,-1u,-1u,64,-1u, ++ -1u,145,104,175,159,91,80,19,0, ++}; ++static const char *icmptype_i2s(int v) { ++ return i2s_direct__(icmptype_strings, icmptype_i2s_direct, 0, 18, v); ++} +diff --git a/auparse/ip6optnametabs.h b/auparse/ip6optnametabs.h +new file mode 100644 +index 0000000..4af11c2 +--- /dev/null ++++ b/auparse/ip6optnametabs.h +@@ -0,0 +1,20 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char ip6optname_strings[] = "IP6T_SO_GET_REVISION_MATCH\0IP6T_SO_GET_REVISION_TARGET\0IP6T_SO_ORIGINAL_DST\0IP6T_SO_SET_ADD_COUNTERS\0IP6T_SO_SET_REPLACE\0IPV6_2292DSTOPTS\0IPV6_2292HOPLIMIT\0IPV6_2292HOPOPTS\0IPV6_2292PKTINFO\0IPV6_2292PKTOPTIONS\0" ++ "IPV6_2292RTHDR\0IPV6_ADDRFORM\0IPV6_ADDR_PREFERENCES\0IPV6_ADD_MEMBERSHIP\0IPV6_AUTHHDR\0IPV6_CHECKSUM\0IPV6_DONTFRAG\0IPV6_DROP_MEMBERSHIP\0IPV6_DSTOPTS\0IPV6_FLOWINFO\0" ++ "IPV6_FLOWINFO_SEND\0IPV6_FLOWLABEL_MGR\0IPV6_HOPLIMIT\0IPV6_HOPOPTS\0IPV6_IPSEC_POLICY\0IPV6_JOIN_ANYCAST\0IPV6_LEAVE_ANYCAST\0IPV6_MINHOPCOUNT\0IPV6_MTU\0IPV6_MTU_DISCOVER\0" ++ "IPV6_MULTICAST_HOPS\0IPV6_MULTICAST_IF\0IPV6_MULTICAST_LOOP\0IPV6_NEXTHOP\0IPV6_ORIGDSTADDR\0IPV6_PATHMTU\0IPV6_PKTINFO\0IPV6_RECVDSTOPTS\0IPV6_RECVERR\0IPV6_RECVHOPLIMIT\0" ++ "IPV6_RECVHOPOPTS\0IPV6_RECVPATHMTU\0IPV6_RECVPKTINFO\0IPV6_RECVRTHDR\0IPV6_RECVTCLASS\0IPV6_ROUTER_ALERT\0IPV6_RTHDR\0IPV6_RTHDRDSTOPTS\0IPV6_TCLASS\0IPV6_TRANSPARENT\0" ++ "IPV6_UNICAST_HOPS\0IPV6_UNICAST_IF\0IPV6_USE_MIN_MTU\0IPV6_V6ONLY\0IPV6_XFRM_POLICY"; ++static const unsigned ip6optname_i2s_direct[] = { ++ 225,173,156,121,210,190,294,138,592,281, ++ 356,-1u,-1u,-1u,-1u,854,554,534,572,261, ++ 322,778,516,507,665,905,453,471,-1u,-1u, ++ -1u,389,370,435,917,-1u,-1u,-1u,-1u,-1u, ++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,730,635, ++ 678,408,696,422,807,747,796,648,343,713, ++ 622,308,888,101,76,762,825,0,27,-1u, ++ -1u,239,490,605,837,872,-1u,-1u,-1u,55, ++}; ++static const char *ip6optname_i2s(int v) { ++ return i2s_direct__(ip6optname_strings, ip6optname_i2s_direct, 1, 80, v); ++} +diff --git a/auparse/ipccmdtabs.h b/auparse/ipccmdtabs.h +new file mode 100644 +index 0000000..ff43dbb +--- /dev/null ++++ b/auparse/ipccmdtabs.h +@@ -0,0 +1,6 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char ipccmd_strings[] = "IPC_CREAT\0IPC_EXCL\0IPC_NOWAIT"; ++static const struct transtab ipccmd_table[] = { ++ {512,0},{1024,10},{2048,19}, ++}; ++#define IPCCMD_NUM_ENTRIES (sizeof(ipccmd_table) / sizeof(*ipccmd_table)) +diff --git a/auparse/ipctabs.h b/auparse/ipctabs.h +new file mode 100644 +index 0000000..4bf3bcd +--- /dev/null ++++ b/auparse/ipctabs.h +@@ -0,0 +1,11 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char ipc_strings[] = "msgctl\0msgget\0msgrcv\0msgsnd\0semctl\0semget\0semop\0semtimedop\0shmat\0shmctl\0" ++ "shmdt\0shmget"; ++static const unsigned ipc_i2s_direct[] = { ++ 42,35,28,48,-1u,-1u,-1u,-1u,-1u,-1u, ++ 21,14,7,0,-1u,-1u,-1u,-1u,-1u,-1u, ++ 59,72,78,65, ++}; ++static const char *ipc_i2s(int v) { ++ return i2s_direct__(ipc_strings, ipc_i2s_direct, 1, 24, v); ++} +diff --git a/auparse/ipoptnametabs.h b/auparse/ipoptnametabs.h +new file mode 100644 +index 0000000..fb0b8b7 +--- /dev/null ++++ b/auparse/ipoptnametabs.h +@@ -0,0 +1,17 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char ipoptname_strings[] = "IPT_SO_GET_REVISION_TARGET\0IPT_SO_SET_ADD_COUNTERS\0IPT_SO_SET_REPLACE\0IP_ADD_MEMBERSHIP\0IP_ADD_SOURCE_MEMBERSHIP\0IP_BLOCK_SOURCE\0IP_DROP_MEMBERSHIP\0IP_DROP_SOURCE_MEMBERSHIP\0IP_FREEBIND\0IP_HDRINCL\0" ++ "IP_IPSEC_POLICY\0IP_MINTTL\0IP_MSFILTER\0IP_MTU\0IP_MTU_DISCOVER\0IP_MULTICAST_ALL\0IP_MULTICAST_IF\0IP_MULTICAST_LOOP\0IP_MULTICAST_TTL\0IP_NODEFRAG\0" ++ "IP_OPTIONS\0IP_ORIGDSTADDR\0IP_PASSSEC\0IP_PKTINFO\0IP_PKTOPTIONS\0IP_RECVERR\0IP_RECVOPTS\0IP_RECVTTL\0IP_RETOPTS\0IP_ROUTER_ALERT\0" ++ "IP_TOS\0IP_TRANSPARENT\0IP_TTL\0IP_UNBLOCK_SOURCE\0IP_UNICAST_IF\0IP_XFRM_POLICY"; ++static const unsigned ipoptname_i2s_direct[] = { ++ 461,483,186,338,445,411,434,375,386,242, ++ 400,423,-1u,235,174,197,522,364,468,349, ++ 213,326,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u, ++ -1u,275,309,291,70,129,490,113,88,148, ++ 223,-1u,-1u,-1u,-1u,-1u,-1u,-1u,258,508, ++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u, ++ -1u,-1u,-1u,51,27,0, ++}; ++static const char *ipoptname_i2s(int v) { ++ return i2s_direct__(ipoptname_strings, ipoptname_i2s_direct, 1, 66, v); ++} +diff --git a/auparse/mmaptabs.h b/auparse/mmaptabs.h +new file mode 100644 +index 0000000..386833c +--- /dev/null ++++ b/auparse/mmaptabs.h +@@ -0,0 +1,8 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char mmap_strings[] = "MAP_32BIT\0MAP_ANONYMOUS\0MAP_DENYWRITE\0MAP_EXECUTABLE\0MAP_FIXED\0MAP_GROWSDOWN\0MAP_HUGETLB\0MAP_LOCKED\0MAP_NONBLOCK\0MAP_NORESERVE\0" ++ "MAP_POPULATE\0MAP_PRIVATE\0MAP_SHARED\0MAP_STACK"; ++static const struct transtab mmap_table[] = { ++ {1,152},{2,140},{16,53},{32,10},{64,0},{256,63},{2048,24},{4096,38},{8192,89},{16384,113}, ++ {32768,127},{65536,100},{131072,163},{262144,77}, ++}; ++#define MMAP_NUM_ENTRIES (sizeof(mmap_table) / sizeof(*mmap_table)) +diff --git a/auparse/mounttabs.h b/auparse/mounttabs.h +new file mode 100644 +index 0000000..ca66885 +--- /dev/null ++++ b/auparse/mounttabs.h +@@ -0,0 +1,10 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char mount_strings[] = "MS_ACTIVE\0MS_BIND\0MS_BORN\0MS_DIRSYNC\0MS_I_VERSION\0MS_KERNMOUNT\0MS_MANDLOCK\0MS_MOVE\0MS_NOATIME\0MS_NODEV\0" ++ "MS_NODIRATIME\0MS_NOEXEC\0MS_NOSEC\0MS_NOSUID\0MS_NOUSER\0MS_POSIXACL\0MS_PRIVATE\0MS_RDONLY\0MS_REC\0MS_RELATIME\0" ++ "MS_REMOUNT\0MS_SHARED\0MS_SILENT\0MS_SLAVE\0MS_SNAP_STABLE\0MS_STRICTATIME\0MS_SYNCHRONOUS\0MS_UNBINDABLE"; ++static const struct transtab mount_table[] = { ++ {1,179},{2,136},{4,94},{8,117},{16,278},{32,208},{64,63},{128,26},{1024,83},{2048,103}, ++ {4096,10},{8192,75},{16384,189},{32768,229},{65536,156},{131072,293},{262144,168},{524288,239},{1048576,219},{2097152,196}, ++ {4194304,50},{8388608,37},{16777216,263},{134217728,248},{268435456,127},{536870912,18},{1073741824,0},{-2147483648,146}, ++}; ++#define MOUNT_NUM_ENTRIES (sizeof(mount_table) / sizeof(*mount_table)) +diff --git a/auparse/nfprototabs.h b/auparse/nfprototabs.h +new file mode 100644 +index 0000000..9bb2723 +--- /dev/null ++++ b/auparse/nfprototabs.h +@@ -0,0 +1,9 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char nfproto_strings[] = "arp\0bridge\0decnet\0ipv4\0ipv6\0unspecified"; ++static const unsigned nfproto_i2s_direct[] = { ++ 28,-1u,18,0,-1u,-1u,-1u,4,-1u,-1u, ++ 23,-1u,11, ++}; ++static const char *nfproto_i2s(int v) { ++ return i2s_direct__(nfproto_strings, nfproto_i2s_direct, 0, 12, v); ++} +diff --git a/auparse/open-flagtabs.h b/auparse/open-flagtabs.h +new file mode 100644 +index 0000000..5e3c3eb +--- /dev/null ++++ b/auparse/open-flagtabs.h +@@ -0,0 +1,8 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char open_flag_strings[] = "O_APPEND\0O_ASYNC\0O_CLOEXEC\0O_CREAT\0O_DIRECT\0O_DIRECTORY\0O_DSYNC\0O_EXCL\0O_NOATIME\0O_NOCTTY\0" ++ "O_NOFOLLOW\0O_NONBLOCK\0O_PATH\0O_RDWR\0O_TRUNC\0O_WRONLY\0__O_SYNC"; ++static const struct transtab open_flag_table[] = { ++ {1,134},{2,119},{64,27},{128,64},{256,81},{512,126},{1024,0},{2048,101},{4096,56},{8192,9}, ++ {16384,35},{65536,44},{131072,90},{262144,71},{524288,17},{1048576,143},{2097152,112}, ++}; ++#define OPEN_FLAG_NUM_ENTRIES (sizeof(open_flag_table) / sizeof(*open_flag_table)) +diff --git a/auparse/persontabs.h b/auparse/persontabs.h +new file mode 100644 +index 0000000..d099839 +--- /dev/null ++++ b/auparse/persontabs.h +@@ -0,0 +1,17 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char person_strings[] = "PER_BSD\0PER_HPUX\0PER_IRIX32\0PER_IRIX64\0PER_IRIXN32\0PER_ISCR4\0PER_LINUX\0PER_LINUX32\0PER_LINUX32_3GB\0PER_LINUX_32BIT\0" ++ "PER_OSF4\0PER_OSR5\0PER_RISCOS\0PER_SCOSVR3\0PER_SOLARIS\0PER_SUNOS\0PER_SVR3\0PER_SVR4\0PER_UW7\0PER_WYSEV386\0" ++ "PER_XENIX"; ++static const int person_i2s_i[] = { ++ 0,6,8,12,15,16,8388608,67108869,67108870,67108873, ++ 67108874,67108875,67108877,68157441,68157454,83886082,83886084,83886087,100663299,117440515, ++ 134217736, ++}; ++static const unsigned person_i2s_s[] = { ++ 61,0,71,133,115,8,99,51,168,17, ++ 39,28,156,187,196,178,204,217,124,144, ++ 83, ++}; ++static const char *person_i2s(int v) { ++ return i2s_bsearch__(person_strings, person_i2s_i, person_i2s_s, 21, v); ++} +diff --git a/auparse/pktoptnametabs.h b/auparse/pktoptnametabs.h +new file mode 100644 +index 0000000..4613372 +--- /dev/null ++++ b/auparse/pktoptnametabs.h +@@ -0,0 +1,10 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char pktoptname_strings[] = "PACKET_ADD_MEMBERSHIP\0PACKET_AUXDATA\0PACKET_COPY_THRESH\0PACKET_DROP_MEMBERSHIP\0PACKET_FANOUT\0PACKET_HDRLEN\0PACKET_LOSS\0PACKET_ORIGDEV\0PACKET_RECV_OUTPUT\0PACKET_RESERVE\0" ++ "PACKET_RX_RING\0PACKET_STATISTICS\0PACKET_TIMESTAMP\0PACKET_TX_HAS_OFF\0PACKET_TX_RING\0PACKET_TX_TIMESTAMP\0PACKET_VERSION\0PACKET_VNET_HDR"; ++static const unsigned pktoptname_i2s_direct[] = { ++ 0,56,134,-1u,168,183,37,22,119,271, ++ 93,153,236,107,286,251,201,79,218, ++}; ++static const char *pktoptname_i2s(int v) { ++ return i2s_direct__(pktoptname_strings, pktoptname_i2s_direct, 1, 19, v); ++} +diff --git a/auparse/prctl_opttabs.h b/auparse/prctl_opttabs.h +new file mode 100644 +index 0000000..03707a8 +--- /dev/null ++++ b/auparse/prctl_opttabs.h +@@ -0,0 +1,14 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char prctl_opt_strings[] = "PR_CAPBSET_DROP\0PR_CAPBSET_READ\0PR_GET_CHILD_SUBREAPER\0PR_GET_DUMPABLE\0PR_GET_ENDIAN\0PR_GET_FPEMU\0PR_GET_FPEXC\0PR_GET_KEEPCAPS\0PR_GET_NAME\0PR_GET_NO_NEW_PRIVS\0" ++ "PR_GET_PDEATHSIG\0PR_GET_SECCOMP\0PR_GET_SECUREBITS\0PR_GET_TID_ADDRESS\0PR_GET_TIMERSLACK\0PR_GET_TIMING\0PR_GET_TSC\0PR_GET_UNALIGN\0PR_MCE_KILL\0PR_MCE_KILL_GET\0" ++ "PR_SET_CHILD_SUBREAPER\0PR_SET_DUMPABLE\0PR_SET_ENDIAN\0PR_SET_FPEMU\0PR_SET_FPEXC\0PR_SET_KEEPCAPS\0PR_SET_MM\0PR_SET_NAME\0PR_SET_NO_NEW_PRIVS\0PR_SET_PDEATHSIG\0" ++ "PR_SET_SECCOMP\0PR_SET_SECUREBITS\0PR_SET_TIMERSLACK\0PR_SET_TIMING\0PR_SET_TSC\0PR_SET_UNALIGN\0PR_TASK_PERF_EVENTS_DISABLE\0PR_TASK_PERF_EVENTS_ENABLE"; ++static const unsigned prctl_opt_i2s_direct[] = { ++ 451,159,55,337,271,544,111,393,85,367, ++ 98,380,246,519,419,127,-1u,-1u,71,353, ++ 176,468,16,0,260,533,191,483,501,228, ++ 559,587,286,298,409,314,32,431,139,209, ++}; ++static const char *prctl_opt_i2s(int v) { ++ return i2s_direct__(prctl_opt_strings, prctl_opt_i2s_direct, 1, 40, v); ++} +diff --git a/auparse/prottabs.h b/auparse/prottabs.h +new file mode 100644 +index 0000000..1727f43 +--- /dev/null ++++ b/auparse/prottabs.h +@@ -0,0 +1,6 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char prot_strings[] = "PROT_EXEC\0PROT_READ\0PROT_SEM\0PROT_WRITE"; ++static const struct transtab prot_table[] = { ++ {1,10},{2,29},{4,0},{8,20}, ++}; ++#define PROT_NUM_ENTRIES (sizeof(prot_table) / sizeof(*prot_table)) +diff --git a/auparse/ptracetabs.h b/auparse/ptracetabs.h +new file mode 100644 +index 0000000..6bbfc9b +--- /dev/null ++++ b/auparse/ptracetabs.h +@@ -0,0 +1,17 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char ptrace_strings[] = "PTRACE_ATTACH\0PTRACE_CONT\0PTRACE_DETACH\0PTRACE_GETEVENTMSG\0PTRACE_GETFPREGS\0PTRACE_GETFPXREGS\0PTRACE_GETREGS\0PTRACE_GETREGSET\0PTRACE_GETSIGINFO\0PTRACE_INTERRUPT\0" ++ "PTRACE_KILL\0PTRACE_LISTEN\0PTRACE_PEEKDATA\0PTRACE_PEEKTEXT\0PTRACE_PEEKUSER\0PTRACE_POKEDATA\0PTRACE_POKETEXT\0PTRACE_POKEUSER\0PTRACE_SEIZE\0PTRACE_SETFPREGS\0" ++ "PTRACE_SETFPXREGS\0PTRACE_SETOPTIONS\0PTRACE_SETREGS\0PTRACE_SETREGSET\0PTRACE_SETSIGINFO\0PTRACE_SINGLESTEP\0PTRACE_SYSCALL\0PTRACE_TRACEME"; ++static const int ptrace_i2s_i[] = { ++ 0,1,2,3,4,5,6,7,8,9, ++ 12,13,14,15,16,17,18,19,24,16896, ++ 16897,16898,16899,16900,16901,16902,16903,16904, ++}; ++static const unsigned ptrace_i2s_s[] = { ++ 432,203,187,219,251,235,267,14,161,399, ++ 94,349,59,296,0,26,76,313,417,331, ++ 40,126,381,109,364,283,144,173, ++}; ++static const char *ptrace_i2s(int v) { ++ return i2s_bsearch__(ptrace_strings, ptrace_i2s_i, ptrace_i2s_s, 28, v); ++} +diff --git a/auparse/recvtabs.h b/auparse/recvtabs.h +new file mode 100644 +index 0000000..9cab5a3 +--- /dev/null ++++ b/auparse/recvtabs.h +@@ -0,0 +1,8 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char recv_strings[] = "MSG_CMSG_CLOEXEC\0MSG_CONFIRM\0MSG_CTRUNC\0MSG_DONTROUTE\0MSG_DONTWAIT\0MSG_EOR\0MSG_ERRQUEUE\0MSG_FASTOPEN\0MSG_FIN\0MSG_MORE\0" ++ "MSG_NOSIGNAL\0MSG_OOB\0MSG_PEEK\0MSG_PROXY\0MSG_RST\0MSG_SENDPAGE_NOTLAST\0MSG_SYN\0MSG_TRUNC\0MSG_WAITALL\0MSG_WAITFORONE"; ++static const struct transtab recv_table[] = { ++ {1,131},{2,139},{4,40},{8,29},{16,148},{32,195},{64,54},{128,67},{256,205},{512,101}, ++ {1024,187},{2048,17},{4096,158},{8192,75},{16384,118},{32768,109},{65536,217},{131072,166},{536870912,88},{1073741824,0}, ++}; ++#define RECV_NUM_ENTRIES (sizeof(recv_table) / sizeof(*recv_table)) +diff --git a/auparse/rlimittabs.h b/auparse/rlimittabs.h +new file mode 100644 +index 0000000..364ad69 +--- /dev/null ++++ b/auparse/rlimittabs.h +@@ -0,0 +1,10 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char rlimit_strings[] = "RLIMIT_AS\0RLIMIT_CORE\0RLIMIT_CPU\0RLIMIT_DATA\0RLIMIT_FSIZE\0RLIMIT_LOCKS\0RLIMIT_MEMLOCK\0RLIMIT_MSGQUEUE\0RLIMIT_NICE\0RLIMIT_NOFILE\0" ++ "RLIMIT_NPROC\0RLIMIT_RSS\0RLIMIT_RTPRIO\0RLIMIT_RTTIME\0RLIMIT_SIGPENDING\0RLIMIT_STACK"; ++static const unsigned rlimit_i2s_direct[] = { ++ 22,45,33,198,10,141,128,114,71,0, ++ 58,180,86,102,152,166, ++}; ++static const char *rlimit_i2s(int v) { ++ return i2s_direct__(rlimit_strings, rlimit_i2s_direct, 0, 15, v); ++} +diff --git a/auparse/schedtabs.h b/auparse/schedtabs.h +new file mode 100644 +index 0000000..875317f +--- /dev/null ++++ b/auparse/schedtabs.h +@@ -0,0 +1,8 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char sched_strings[] = "SCHED_BATCH\0SCHED_FIFO\0SCHED_IDLE\0SCHED_OTHER\0SCHED_RR"; ++static const unsigned sched_i2s_direct[] = { ++ 34,12,46,0,-1u,23, ++}; ++static const char *sched_i2s(int v) { ++ return i2s_direct__(sched_strings, sched_i2s_direct, 0, 5, v); ++} +diff --git a/auparse/seccomptabs.h b/auparse/seccomptabs.h +new file mode 100644 +index 0000000..5c6c911 +--- /dev/null ++++ b/auparse/seccomptabs.h +@@ -0,0 +1,11 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char seccomp_strings[] = "allow\0errno\0kill\0trace\0trap"; ++static const int seccomp_i2s_i[] = { ++ 0,196608,327680,2146435072,2147418112, ++}; ++static const unsigned seccomp_i2s_s[] = { ++ 12,23,6,17,0, ++}; ++static const char *seccomp_i2s(int v) { ++ return i2s_bsearch__(seccomp_strings, seccomp_i2s_i, seccomp_i2s_s, 5, v); ++} +diff --git a/auparse/seektabs.h b/auparse/seektabs.h +new file mode 100644 +index 0000000..0d0f542 +--- /dev/null ++++ b/auparse/seektabs.h +@@ -0,0 +1,8 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char seek_strings[] = "SEEK_CUR\0SEEK_DATA\0SEEK_END\0SEEK_HOLE\0SEEK_SET"; ++static const unsigned seek_i2s_direct[] = { ++ 38,0,19,9,28, ++}; ++static const char *seek_i2s(int v) { ++ return i2s_direct__(seek_strings, seek_i2s_direct, 0, 4, v); ++} +diff --git a/auparse/shm_modetabs.h b/auparse/shm_modetabs.h +new file mode 100644 +index 0000000..ddd414d +--- /dev/null ++++ b/auparse/shm_modetabs.h +@@ -0,0 +1,6 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char shm_mode_strings[] = "SHM_DEST\0SHM_HUGETLB\0SHM_LOCKED\0SHM_NORESERVE"; ++static const struct transtab shm_mode_table[] = { ++ {512,0},{1024,21},{2048,9},{4096,32}, ++}; ++#define SHM_MODE_NUM_ENTRIES (sizeof(shm_mode_table) / sizeof(*shm_mode_table)) +diff --git a/auparse/signaltabs.h b/auparse/signaltabs.h +new file mode 100644 +index 0000000..91ce38e +--- /dev/null ++++ b/auparse/signaltabs.h +@@ -0,0 +1,14 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char signal_strings[] = "IGPWR\0SIG0\0SIGABRT\0SIGALRM\0SIGBUS\0SIGCHLD\0SIGCONT\0SIGFPE\0SIGHUP\0SIGILL\0" ++ "SIGINT\0SIGIO\0SIGKILL\0SIGPIPE\0SIGPROF\0SIGQUIT\0SIGSEGV\0SIGSTKFLT\0SIGSTOP\0SIGSYS\0" ++ "SIGTERM\0SIGTRAP\0SIGTSTP\0SIGTTIN\0SIGTTOU\0SIGURG\0SIGUSR1\0SIGUSR2\0SIGVTALRM\0SIGWINCH\0" ++ "SIGXCPU\0SIGXFSZ"; ++static const unsigned signal_i2s_direct[] = { ++ 6,57,71,108,64,157,11,27,50,84, ++ 196,116,204,92,19,149,124,34,42,134, ++ 165,173,181,189,231,239,212,100,222,78, ++ 0,142, ++}; ++static const char *signal_i2s(int v) { ++ return i2s_direct__(signal_strings, signal_i2s_direct, 0, 31, v); ++} +diff --git a/auparse/sockleveltabs.h b/auparse/sockleveltabs.h +new file mode 100644 +index 0000000..4473d8c +--- /dev/null ++++ b/auparse/sockleveltabs.h +@@ -0,0 +1,12 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char socklevel_strings[] = "SOL_AAL\0SOL_ALG\0SOL_ATALK\0SOL_ATM\0SOL_AX25\0SOL_BLUETOOTH\0SOL_CAIF\0SOL_DCCP\0SOL_DECNET\0SOL_IPX\0" ++ "SOL_IRDA\0SOL_IUCV\0SOL_LLC\0SOL_NETBEUI\0SOL_NETLINK\0SOL_NETROM\0SOL_PACKET\0SOL_PNPIPE\0SOL_PPPOL2TP\0SOL_RAW\0" ++ "SOL_RDS\0SOL_ROSE\0SOL_RXRPC\0SOL_TIPC"; ++static const unsigned socklevel_i2s_direct[] = { ++ 190,86,34,16,144,206,75,-1u,155,26, ++ 0,94,120,112,66,132,225,215,177,43, ++ 166,198,103,57,8, ++}; ++static const char *socklevel_i2s(int v) { ++ return i2s_direct__(socklevel_strings, socklevel_i2s_direct, 255, 279, v); ++} +diff --git a/auparse/sockoptnametabs.h b/auparse/sockoptnametabs.h +new file mode 100644 +index 0000000..831a030 +--- /dev/null ++++ b/auparse/sockoptnametabs.h +@@ -0,0 +1,23 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char sockoptname_strings[] = "SO_ACCEPTCONN\0SO_ATTACH_FILTER\0SO_BINDTODEVICE\0SO_BROADCAST\0SO_BSDCOMPAT\0SO_DEBUG\0SO_DETACH_FILTER\0SO_DOMAIN\0SO_DONTROUTE\0SO_ERROR\0" ++ "SO_KEEPALIVE\0SO_LINGER\0SO_LOCK_FILTER\0SO_MARK\0SO_NOFCS\0SO_NO_CHECK\0SO_OOBINLINE\0SO_PASSCRED\0SO_PASSCRED\0SO_PASSSEC\0" ++ "SO_PEEK_OFF\0SO_PEERCRED\0SO_PEERCRED\0SO_PEERNAME\0SO_PEERSEC\0SO_PRIORITY\0SO_PROTOCOL\0SO_RCVBUF\0SO_RCVBUFFORCE\0SO_RCVLOWAT\0" ++ "SO_RCVLOWAT\0SO_RCVTIMEO\0SO_RCVTIMEO\0SO_REUSEADDR\0SO_REUSEPORT\0SO_RXQ_OVFL\0SO_SECURITY_AUTHENTICATION\0SO_SECURITY_ENCRYPTION_NETWORK\0SO_SECURITY_ENCRYPTION_TRANSPORT\0SO_SNDBUF\0" ++ "SO_SNDBUFFORCE\0SO_SNDLOWAT\0SO_SNDLOWAT\0SO_SNDTIMEO\0SO_SNDTIMEO\0SO_TIMESTAMP\0SO_TIMESTAMPING\0SO_TIMESTAMPNS\0SO_TYPE\0SO_WIFI_STATUS"; ++static const int sockoptname_i2s_i[] = { ++ 1,2,3,4,5,6,7,8,9,10, ++ 11,12,13,14,15,16,17,18,19,20, ++ 21,22,23,24,25,26,27,28,29,30, ++ 31,32,33,34,35,36,37,38,39,40, ++ 41,42,43,44,116,117,118,119,120,121, ++}; ++static const unsigned sockoptname_i2s_s[] = { ++ 73,402,648,122,109,47,531,329,131,198, ++ 186,305,144,60,415,211,258,354,556,378, ++ 580,440,498,467,31,14,82,282,604,0, ++ 294,541,339,235,633,169,617,317,99,428, ++ 656,246,177,154,366,568,390,592,223,270, ++}; ++static const char *sockoptname_i2s(int v) { ++ return i2s_bsearch__(sockoptname_strings, sockoptname_i2s_i, sockoptname_i2s_s, 50, v); ++} +diff --git a/auparse/socktabs.h b/auparse/socktabs.h +new file mode 100644 +index 0000000..66a8235 +--- /dev/null ++++ b/auparse/socktabs.h +@@ -0,0 +1,10 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char sock_strings[] = "accept\0accept4\0bind\0connect\0getpeername\0getsockname\0getsockopt\0listen\0recv\0recvfrom\0" ++ "recvmmsg\0recvmsg\0send\0sendmmsg\0sendmsg\0sendto\0setsockopt\0shutdown\0socket\0socketpair"; ++static const unsigned sock_i2s_direct[] = { ++ 150,15,20,63,0,40,28,157,101,70, ++ 123,75,141,130,52,115,93,7,84,106, ++}; ++static const char *sock_i2s(int v) { ++ return i2s_direct__(sock_strings, sock_i2s_direct, 1, 20, v); ++} +diff --git a/auparse/socktypetabs.h b/auparse/socktypetabs.h +new file mode 100644 +index 0000000..05e8d36 +--- /dev/null ++++ b/auparse/socktypetabs.h +@@ -0,0 +1,8 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char sock_type_strings[] = "SOCK_DCCP\0SOCK_DGRAM\0SOCK_PACKET\0SOCK_RAW\0SOCK_RDM\0SOCK_SEQPACKET\0SOCK_STREAM"; ++static const unsigned sock_type_i2s_direct[] = { ++ 66,10,33,42,51,0,-1u,-1u,-1u,21, ++}; ++static const char *sock_type_i2s(int v) { ++ return i2s_direct__(sock_type_strings, sock_type_i2s_direct, 1, 10, v); ++} +diff --git a/auparse/tcpoptnametabs.h b/auparse/tcpoptnametabs.h +new file mode 100644 +index 0000000..061db3f +--- /dev/null ++++ b/auparse/tcpoptnametabs.h +@@ -0,0 +1,12 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char tcpoptname_strings[] = "TCP_CONGESTION\0TCP_COOKIE_TRANSACTIONS\0TCP_CORK\0TCP_DEFER_ACCEPT\0TCP_FASTOPEN\0TCP_INFO\0TCP_KEEPCNT\0TCP_KEEPIDLE\0TCP_KEEPINTVL\0TCP_LINGER2\0" ++ "TCP_MAXSEG\0TCP_MD5SIG\0TCP_NODELAY\0TCP_QUEUE_SEQ\0TCP_QUICKACK\0TCP_REPAIR\0TCP_REPAIR_OPTIONS\0TCP_REPAIR_QUEUE\0TCP_SYNCNT\0TCP_THIN_DUPACK\0" ++ "TCP_THIN_LINEAR_TIMEOUTS\0TCP_TIMESTAMP\0TCP_USER_TIMEOUT\0TCP_WINDOW_CLAMP"; ++static const unsigned tcpoptname_i2s_direct[] = { ++ 160,138,39,99,112,87,246,126,48,329, ++ 78,186,0,149,15,273,257,312,199,229, ++ 172,210,65,298, ++}; ++static const char *tcpoptname_i2s(int v) { ++ return i2s_direct__(tcpoptname_strings, tcpoptname_i2s_direct, 1, 24, v); ++} +diff --git a/auparse/typetabs.h b/auparse/typetabs.h +new file mode 100644 +index 0000000..a99d398 +--- /dev/null ++++ b/auparse/typetabs.h +@@ -0,0 +1,35 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char type_strings[] = "a0\0a1\0a2\0a3\0acct\0addr\0arch\0auid\0cap_fi\0cap_fp\0" ++ "cap_pe\0cap_pi\0cap_pp\0capability\0cgroup\0cmd\0code\0comm\0cwd\0data\0" ++ "device\0dir\0egid\0euid\0exe\0exit\0family\0fe\0fi\0file\0" ++ "flags\0fp\0fsgid\0fsuid\0gid\0icmptype\0id\0igid\0inode_gid\0inode_uid\0" ++ "iuid\0key\0list\0mode\0name\0new-disk\0new-fs\0new-rng\0new_gid\0new_pe\0" ++ "new_pi\0new_pp\0oauid\0obj_gid\0obj_uid\0ocomm\0oflag\0ogid\0old-disk\0old-fs\0" ++ "old-rng\0old_pe\0old_pi\0old_pp\0old_prom\0ouid\0path\0per\0perm\0perm_mask\0" ++ "prom\0proto\0res\0result\0saddr\0sauid\0ses\0sgid\0sig\0sigev_signo\0" ++ "suid\0syscall\0uid\0vm\0watch"; ++static const unsigned type_s2i_s[] = { ++ 0,3,6,9,12,17,22,27,32,39, ++ 46,53,60,67,78,85,89,94,99,103, ++ 108,115,119,124,129,133,138,145,148,151, ++ 156,162,165,171,177,181,190,193,198,208, ++ 218,223,227,232,237,242,251,258,266,274, ++ 281,288,295,301,309,317,323,329,334,343, ++ 350,358,365,372,379,388,393,398,402,407, ++ 417,422,428,432,439,445,451,455,460,464, ++ 476,481,489,493,496, ++}; ++static const int type_s2i_i[] = { ++ 14,15,16,17,6,26,4,1,22,22, ++ 22,22,22,12,6,6,28,6,6,20, ++ 6,6,2,1,6,5,23,22,22,6, ++ 30,22,2,1,2,24,1,2,2,1, ++ 1,6,19,8,6,6,6,6,2,22, ++ 22,22,1,2,1,6,29,2,6,6, ++ 6,22,22,22,11,1,6,27,7,7, ++ 11,25,13,13,9,1,21,2,18,18, ++ 1,3,1,6,6, ++}; ++static int type_s2i(const char *s, int *value) { ++ return s2i__(type_strings, type_s2i_s, type_s2i_i, 85, s, value); ++} +diff --git a/auparse/umounttabs.h b/auparse/umounttabs.h +new file mode 100644 +index 0000000..e98118f +--- /dev/null ++++ b/auparse/umounttabs.h +@@ -0,0 +1,6 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char umount_strings[] = "MNT_DETACH\0MNT_EXPIRE\0MNT_FORCE\0UMOUNT_NOFOLLOW\0UMOUNT_UNUSED"; ++static const struct transtab umount_table[] = { ++ {1,22},{2,0},{4,11},{8,32},{-2147483647,48}, ++}; ++#define UMOUNT_NUM_ENTRIES (sizeof(umount_table) / sizeof(*umount_table)) +diff --git a/lib/Makefile.am b/lib/Makefile.am +index 5e9f966..5a7d12b 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -50,109 +50,3 @@ endif + if USE_AARCH64 + BUILT_SOURCES += aarch64_tables.h + endif +-noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \ +- gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \ +- gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \ +- gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \ +- gen_s390x_tables_h gen_x86_64_tables_h +-if USE_ALPHA +-noinst_PROGRAMS += gen_alpha_tables_h +-endif +-if USE_ARMEB +-noinst_PROGRAMS += gen_armeb_tables_h +-endif +-if USE_AARCH64 +-noinst_PROGRAMS += gen_aarch64_tables_h +-endif +-gen_actiontabs_h_SOURCES = gen_tables.c gen_tables.h actiontab.h +-gen_actiontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="actiontab.h"' +-actiontabs.h: gen_actiontabs_h Makefile +- ./gen_actiontabs_h --lowercase --i2s --s2i action > $@ +- +-if USE_ALPHA +-gen_alpha_tables_h_SOURCES = gen_tables.c gen_tables.h alpha_table.h +-gen_alpha_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="alpha_table.h"' +-alpha_tables.h: gen_alpha_tables_h Makefile +- ./gen_alpha_tables_h --lowercase --i2s --s2i alpha_syscall > $@ +-endif +- +-if USE_ARMEB +-gen_armeb_tables_h_SOURCES = gen_tables.c gen_tables.h armeb_table.h +-gen_armeb_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="armeb_table.h"' +-armeb_tables.h: gen_armeb_tables_h Makefile +- ./gen_armeb_tables_h --lowercase --i2s --s2i armeb_syscall > $@ +-endif +- +-if USE_AARCH64 +-gen_aarch64_tables_h_SOURCES = gen_tables.c gen_tables.h aarch64_table.h +-gen_aarch64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="aarch64_table.h"' +-aarch64_tables.h: gen_aarch64_tables_h Makefile +- ./gen_aarch64_tables_h --lowercase --i2s --s2i aarch64_syscall > $@ +-endif +- +-gen_errtabs_h_SOURCES = gen_tables.c gen_tables.h errtab.h +-gen_errtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="errtab.h"' +-errtabs.h: gen_errtabs_h Makefile +- ./gen_errtabs_h --duplicate-ints --uppercase --i2s --s2i err > $@ +- +-gen_fieldtabs_h_SOURCES = gen_tables.c gen_tables.h fieldtab.h +-gen_fieldtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fieldtab.h"' +-fieldtabs.h: gen_fieldtabs_h Makefile +- ./gen_fieldtabs_h --duplicate-ints --lowercase --i2s --s2i field > $@ +- +-gen_flagtabs_h_SOURCES = gen_tables.c gen_tables.h flagtab.h +-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="flagtab.h"' +-flagtabs.h: gen_flagtabs_h Makefile +- ./gen_flagtabs_h --lowercase --i2s --s2i flag > $@ +- +-gen_ftypetabs_h_SOURCES = gen_tables.c gen_tables.h ftypetab.h +-gen_ftypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ftypetab.h"' +-ftypetabs.h: gen_ftypetabs_h Makefile +- ./gen_ftypetabs_h --lowercase --i2s --s2i ftype > $@ +- +-gen_i386_tables_h_SOURCES = gen_tables.c gen_tables.h i386_table.h +-gen_i386_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="i386_table.h"' +-i386_tables.h: gen_i386_tables_h Makefile +- ./gen_i386_tables_h --duplicate-ints --lowercase --i2s --s2i \ +- i386_syscall > $@ +- +-gen_ia64_tables_h_SOURCES = gen_tables.c gen_tables.h ia64_table.h +-gen_ia64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ia64_table.h"' +-ia64_tables.h: gen_ia64_tables_h Makefile +- ./gen_ia64_tables_h --lowercase --i2s --s2i ia64_syscall > $@ +- +-gen_machinetabs_h_SOURCES = gen_tables.c gen_tables.h machinetab.h +-gen_machinetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="machinetab.h"' +-machinetabs.h: gen_machinetabs_h Makefile +- ./gen_machinetabs_h --duplicate-ints --lowercase --i2s --s2i machine \ +- > $@ +- +-gen_msg_typetabs_h_SOURCES = gen_tables.c gen_tables.h msg_typetab.h +-gen_msg_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="msg_typetab.h"' +-msg_typetabs.h: gen_msg_typetabs_h Makefile +- ./gen_msg_typetabs_h --uppercase --i2s --s2i msg_type > $@ +- +-gen_optabs_h_SOURCES = gen_tables.c gen_tables.h optab.h +-gen_optabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="optab.h"' +-optabs.h: gen_optabs_h Makefile +- ./gen_optabs_h --i2s op > $@ +- +-gen_ppc_tables_h_SOURCES = gen_tables.c gen_tables.h ppc_table.h +-gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ppc_table.h"' +-ppc_tables.h: gen_ppc_tables_h Makefile +- ./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@ +- +-gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h +-gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"' +-s390_tables.h: gen_s390_tables_h Makefile +- ./gen_s390_tables_h --lowercase --i2s --s2i s390_syscall > $@ +- +-gen_s390x_tables_h_SOURCES = gen_tables.c gen_tables.h s390x_table.h +-gen_s390x_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390x_table.h"' +-s390x_tables.h: gen_s390x_tables_h Makefile +- ./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > $@ +- +-gen_x86_64_tables_h_SOURCES = gen_tables.c gen_tables.h x86_64_table.h +-gen_x86_64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="x86_64_table.h"' +-x86_64_tables.h: gen_x86_64_tables_h Makefile +- ./gen_x86_64_tables_h --lowercase --i2s --s2i x86_64_syscall > $@ +diff --git a/lib/aarch64_tables.h b/lib/aarch64_tables.h +new file mode 100644 +index 0000000..571d6ee +--- /dev/null ++++ b/lib/aarch64_tables.h +@@ -0,0 +1,125 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char aarch64_syscall_strings[] = "accept\0accept4\0acct\0add_key\0adjtimex\0bind\0brk\0capget\0capset\0chdir\0" ++ "chroot\0clock_adjtime\0clock_getres\0clock_gettime\0clock_nanosleep\0clock_settime\0clone\0close\0connect\0delete_module\0" ++ "dup\0dup3\0epoll_create1\0epoll_ctl\0epoll_pwait\0eventfd2\0execve\0exit\0exit_group\0faccessat\0" ++ "fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0fchownat\0fdatasync\0fgetxattr\0" ++ "finit_module\0flistxattr\0flock\0fremovexattr\0fsetxattr\0fsync\0futex\0get_mempolicy\0get_robust_list\0getcpu\0" ++ "getcwd\0getdents64\0getegid\0geteuid\0getgid\0getgroups\0getitimer\0getpeername\0getpgid\0getpid\0" ++ "getppid\0getpriority\0getresgid\0getresuid\0getrlimit\0getrusage\0getsid\0getsockname\0getsockopt\0gettid\0" ++ "gettimeofday\0getuid\0getxattr\0init_module\0inotify_add_watch\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0" ++ "io_setup\0io_submit\0ioctl\0ioprio_get\0ioprio_set\0kcmp\0kexec_load\0keyctl\0kill\0lgetxattr\0" ++ "linkat\0listen\0listxattr\0llistxattr\0lookup_dcookie\0lremovexattr\0lsetxattr\0madvise\0mbind\0migrate_pages\0" ++ "mincore\0mkdirat\0mknodat\0mlock\0mlockall\0mount\0move_pages\0mprotect\0mq_getsetattr\0mq_notify\0" ++ "mq_open\0mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msgctl\0msgget\0msgrcv\0msgsnd\0msync\0" ++ "munlock\0munlockall\0munmap\0name_to_handle_at\0nanosleep\0nfsservctl\0open_by_handle_at\0openat\0perf_event_open\0personality\0" ++ "pipe2\0pivot_root\0ppoll\0prctl\0pread64\0preadv\0prlimit64\0process_vm_readv\0process_vm_writev\0pselect6\0" ++ "ptrace\0pwrite64\0pwritev\0quotactl\0read\0readahead\0readlinkat\0readv\0reboot\0recvfrom\0" ++ "recvmmsg\0recvmsg\0remap_file_pages\0removexattr\0renameat\0request_key\0restart_syscall\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0" ++ "rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0" ++ "sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0sched_yield\0semctl\0semget\0semop\0semtimedop\0sendmmsg\0" ++ "sendmsg\0sendto\0set_mempolicy\0set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsuid\0setgid\0setgroups\0" ++ "sethostname\0setitimer\0setns\0setpgid\0setpriority\0setregid\0setresgid\0setresuid\0setreuid\0setrlimit\0" ++ "setsid\0setsockopt\0settimeofday\0setuid\0setxattr\0shmat\0shmctl\0shmdt\0shmget\0shutdown\0" ++ "sigaltstack\0signalfd4\0socket\0socketpair\0splice\0swapoff\0swapon\0symlinkat\0sync\0sync_file_range\0" ++ "syncfs\0sysinfo\0syslog\0tee\0tgkill\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0" ++ "timerfd_create\0timerfd_gettime\0timerfd_settime\0times\0tkill\0umask\0umount2\0uname\0unlinkat\0unshare\0" ++ "utimensat\0vhangup\0vmsplice\0wait4\0waitid\0write\0writev"; ++static const unsigned aarch64_syscall_s2i_s[] = { ++ 0,7,15,20,28,37,42,46,53,60, ++ 66,73,87,100,114,130,144,150,156,164, ++ 178,182,187,201,211,223,232,239,244,255, ++ 265,275,289,303,310,317,326,333,342,352, ++ 362,375,386,392,405,415,421,427,441,457, ++ 464,471,482,490,498,505,515,525,537,545, ++ 552,560,572,582,592,602,612,619,631,642, ++ 649,662,669,678,690,708,722,739,749,760, ++ 773,782,792,798,809,820,825,836,843,848, ++ 858,865,872,882,893,908,921,931,939,945, ++ 959,967,975,983,989,998,1004,1015,1024,1038, ++ 1048,1056,1072,1085,1095,1102,1109,1116,1123,1130, ++ 1136,1144,1155,1162,1180,1190,1201,1219,1226,1242, ++ 1254,1260,1271,1277,1283,1291,1298,1308,1325,1343, ++ 1352,1359,1368,1376,1385,1390,1400,1411,1417,1424, ++ 1433,1442,1450,1467,1479,1488,1500,1516,1529,1543, ++ 1558,1574,1587,1601,1617,1635,1658,1681,1699,1714, ++ 1733,1755,1773,1788,1807,1819,1826,1833,1839,1850, ++ 1859,1867,1874,1888,1904,1920,1934,1943,1952,1959, ++ 1969,1981,1991,1997,2005,2017,2026,2036,2046,2055, ++ 2065,2072,2083,2096,2103,2112,2118,2125,2131,2138, ++ 2147,2159,2169,2176,2187,2194,2202,2209,2219,2224, ++ 2240,2247,2255,2262,2266,2273,2286,2299,2316,2330, ++ 2344,2359,2375,2391,2397,2403,2409,2417,2423,2432, ++ 2440,2450,2458,2467,2473,2480,2486, ++}; ++static const int aarch64_syscall_s2i_i[] = { ++ 202,242,89,217,171,200,214,90,91,49, ++ 51,266,114,113,115,112,220,57,203,106, ++ 23,24,20,21,22,19,221,93,94,48, ++ 47,262,263,50,52,53,55,54,83,10, ++ 273,13,32,16,7,82,98,236,100,168, ++ 17,61,177,175,176,158,102,205,155,172, ++ 173,141,150,148,163,165,156,204,209,178, ++ 169,174,8,105,27,26,28,3,1,4, ++ 0,2,29,31,30,272,104,219,129,9, ++ 37,201,11,12,18,15,6,233,235,238, ++ 232,34,33,228,230,40,239,226,185,184, ++ 180,183,182,181,216,187,186,188,189,227, ++ 229,231,215,264,101,42,265,56,241,92, ++ 59,41,73,167,67,69,261,270,271,72, ++ 117,68,70,60,63,213,78,65,142,207, ++ 243,212,234,14,38,218,128,134,136,135, ++ 138,139,133,137,240,125,126,123,121,120, ++ 127,122,118,119,124,191,190,193,192,269, ++ 211,206,237,99,96,162,152,151,144,159, ++ 161,103,268,154,140,143,149,147,145,164, ++ 157,208,170,146,5,196,195,197,194,210, ++ 132,74,198,199,76,225,224,36,81,84, ++ 267,179,116,77,131,107,111,109,108,110, ++ 85,87,86,153,130,166,39,160,35,97, ++ 88,58,75,260,95,64,66, ++}; ++static int aarch64_syscall_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(aarch64_syscall_strings, aarch64_syscall_s2i_s, aarch64_syscall_s2i_i, 247, copy, value); ++ } ++} ++static const unsigned aarch64_syscall_i2s_direct[] = { ++ 773,749,782,739,760,2103,921,405,669,848, ++ 352,872,882,375,1467,908,392,464,893,223, ++ 187,201,211,178,182,-1u,708,690,722,792, ++ 809,798,386,975,967,2423,2209,858,1479,2409, ++ 998,1260,1190,-1u,-1u,-1u,-1u,265,255,60, ++ 303,66,310,317,333,326,1219,150,2450,1254, ++ 1376,471,-1u,1385,2480,1411,2486,1283,1359,1291, ++ 1368,-1u,1343,1271,2159,2458,2187,2262,1400,-1u, ++ -1u,2219,415,342,2224,2344,2375,2359,2440,15, ++ 46,53,1242,239,244,2473,1904,2432,421,1888, ++ 441,1180,515,1981,825,678,164,2273,2316,2299, ++ 2330,2286,130,100,87,114,2255,1352,1773,1788, ++ 1714,1699,1755,1681,1807,1635,1658,1733,1500,843, ++ 2397,2266,2147,1587,1516,1543,1529,1601,1558,1574, ++ 2005,560,1417,2017,1952,2046,2096,2036,582,2026, ++ 572,1943,1934,2391,1997,537,612,2065,505,1959, ++ 2417,1969,1920,592,2055,602,2403,1277,457,649, ++ 2083,28,545,552,662,490,498,482,642,2247, ++ 1048,1085,1072,1056,1038,1024,1109,1102,1116,1123, ++ 1826,1819,1839,1833,2131,2118,2112,2125,2169,2176, ++ 37,865,0,156,619,525,1867,1424,2072,631, ++ 2138,1859,1442,1390,42,1155,1095,20,1488,836, ++ 144,232,-1u,-1u,2202,2194,1015,1130,983,1136, ++ 989,1144,959,931,1450,939,427,1874,945,1004, ++ 1617,1226,7,1433,-1u,-1u,-1u,-1u,-1u,-1u, ++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u, ++ 2467,1298,275,289,1162,1201,73,2240,1991,1850, ++ 1308,1325,820,362, ++}; ++static const char *aarch64_syscall_i2s(int v) { ++ return i2s_direct__(aarch64_syscall_strings, aarch64_syscall_i2s_direct, 0, 273, v); ++} +diff --git a/lib/actiontabs.h b/lib/actiontabs.h +new file mode 100644 +index 0000000..a7a9e62 +--- /dev/null ++++ b/lib/actiontabs.h +@@ -0,0 +1,26 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char action_strings[] = "always\0never\0possible"; ++static const unsigned action_s2i_s[] = { ++ 0,7,13, ++}; ++static const int action_s2i_i[] = { ++ 2,0,1, ++}; ++static int action_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(action_strings, action_s2i_s, action_s2i_i, 3, copy, value); ++ } ++} ++static const unsigned action_i2s_direct[] = { ++ 7,13,0, ++}; ++static const char *action_i2s(int v) { ++ return i2s_direct__(action_strings, action_i2s_direct, 0, 2, v); ++} +diff --git a/lib/alpha_tables.h b/lib/alpha_tables.h +new file mode 100644 +index 0000000..b57e54c +--- /dev/null ++++ b/lib/alpha_tables.h +@@ -0,0 +1,196 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char alpha_syscall_strings[] = "_sysctl\0accept\0accept4\0access\0acct\0add_key\0adjtimex\0afs_syscall\0bdflush\0bind\0" ++ "brk\0capget\0capset\0chdir\0chmod\0chown\0chroot\0clock_adjtime\0clone\0close\0" ++ "connect\0create_module\0delete_module\0dipc\0dup\0dup2\0dup3\0epoll_create\0epoll_create1\0epoll_ctl\0" ++ "epoll_pwait\0epoll_wait\0eventfd\0eventfd2\0exec_with_loader\0execve\0exit\0exit_group\0faccessat\0fadvise64\0" ++ "fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0fchownat\0fcntl\0fdatasync\0" ++ "fgetxattr\0flistxattr\0flock\0fork\0fremovexattr\0fsetxattr\0fstat\0fstat64\0fstatat64\0fstatfs\0" ++ "fsync\0ftruncate\0futex\0futimesat\0get_kernel_syms\0get_mempolicy\0get_robust_list\0getcpu\0getcwd\0getdents\0" ++ "getdents64\0getdtablesize\0getgroups\0gethostname\0getitimer\0getpagesize\0getpeername\0getpgid\0getpgrp\0getpriority\0" ++ "getresgid\0getresuid\0getrlimit\0getrusage\0getsid\0getsockname\0getsockopt\0gettid\0gettimeofday\0getxattr\0" ++ "getxgid\0getxpid\0getxuid\0init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0" ++ "io_getevents\0io_setup\0io_submit\0ioctl\0ioprio_get\0ioprio_set\0kexec_load\0keyctl\0kill\0lchown\0" ++ "lgetxattr\0link\0linkat\0listen\0listxattr\0llistxattr\0lookup_dcookie\0lremovexattr\0lseek\0lsetxattr\0" ++ "lstat\0lstat64\0madvise\0mbind\0migrate_pages\0mincore\0mkdir\0mkdirat\0mknod\0mknodat\0" ++ "mlock\0mlockall\0mmap\0mount\0move_pages\0mprotect\0mq_getsetattr\0mq_notify\0mq_open\0mq_timedreceive\0" ++ "mq_timedsend\0mq_unlink\0mremap\0msgctl\0msgget\0msgrcv\0msgsnd\0msync\0munlock\0munlockall\0" ++ "munmap\0name_to_handle_at\0nanosleep\0nfsservctl\0old_adjtimex\0oldumount\0open\0open_by_handle_at\0openat\0osf_adjtime\0" ++ "osf_afs_syscall\0osf_alt_plock\0osf_alt_setsid\0osf_alt_sigpending\0osf_asynch_daemon\0osf_audcntl\0osf_audgen\0osf_chflags\0osf_execve\0osf_exportfs\0" ++ "osf_fchflags\0osf_fdatasync\0osf_fpathconf\0osf_fstatfs\0osf_fuser\0osf_getaddressconf\0osf_getdirentries\0osf_getdomainname\0osf_getfh\0osf_getfsstat\0" ++ "osf_gethostid\0osf_getitimer\0osf_getlogin\0osf_getmnt\0osf_getrusage\0osf_getsysinfo\0osf_gettimeofday\0osf_kloadcall\0osf_kmodcall\0osf_memcntl\0" ++ "osf_mincore\0osf_mount\0osf_mremap\0osf_msfs_syscall\0osf_msleep\0osf_mvalid\0osf_mwakeup\0osf_naccept\0osf_nfssvc\0osf_ngetpeername\0" ++ "osf_ngetsockname\0osf_nrecvfrom\0osf_nrecvmsg\0osf_nsendmsg\0osf_ntp_adjtime\0osf_ntp_gettime\0osf_old_creat\0osf_old_fstat\0osf_old_getpgrp\0osf_old_killpg\0" ++ "osf_old_lstat\0osf_old_open\0osf_old_sigaction\0osf_old_sigblock\0osf_old_sigreturn\0osf_old_sigsetmask\0osf_old_sigvec\0osf_old_stat\0osf_old_vadvise\0osf_old_vtrace\0" ++ "osf_old_wait\0osf_oldquota\0osf_pathconf\0osf_pid_block\0osf_pid_unblock\0osf_plock\0osf_priocntlset\0osf_profil\0osf_proplist_syscall\0osf_reboot\0" ++ "osf_revoke\0osf_sbrk\0osf_security\0osf_select\0osf_set_program_attributes\0osf_set_speculative\0osf_sethostid\0osf_setitimer\0osf_setlogin\0osf_setsysinfo\0" ++ "osf_settimeofday\0osf_shmat\0osf_signal\0osf_sigprocmask\0osf_sigsendset\0osf_sigstack\0osf_sigwaitprim\0osf_sstk\0osf_statfs\0osf_subsys_info\0" ++ "osf_swapctl\0osf_swapon\0osf_syscall\0osf_sysinfo\0osf_table\0osf_uadmin\0osf_usleep_thread\0osf_uswitch\0osf_utc_adjtime\0osf_utc_gettime\0" ++ "osf_utimes\0osf_utsname\0osf_wait4\0osf_waitid\0pciconfig_iobase\0pciconfig_read\0pciconfig_write\0perf_event_open\0personality\0pipe\0" ++ "pipe2\0pivot_root\0poll\0ppoll\0prctl\0pread\0preadv\0prlimit64\0process_vm_readv\0process_vm_writev\0" ++ "pselect6\0ptrace\0pwrite\0pwritev\0query_module\0quotactl\0read\0readahead\0readlink\0readlinkat\0" ++ "readv\0reboot\0recv\0recvfrom\0recvmmsg\0recvmsg\0remap_file_pages\0removexattr\0rename\0renameat\0" ++ "request_key\0restart_syscall\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0" ++ "rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0" ++ "sched_yield\0select\0semctl\0semget\0semop\0send\0sendfile\0sendmmsg\0sendmsg\0sendto\0" ++ "set_mempolicy\0set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsuid\0setgid\0setgroups\0sethae\0sethostname\0" ++ "setitimer\0setns\0setpgid\0setpgrp\0setpriority\0setregid\0setresgid\0setresuid\0setreuid\0setrlimit\0" ++ "setsid\0setsockopt\0settimeofday\0setuid\0setxattr\0shmctl\0shmdt\0shmget\0shutdown\0sigaction\0" ++ "sigaltstack\0signalfd\0signalfd4\0sigpending\0sigreturn\0sigsuspend\0socket\0socketpair\0splice\0stat\0" ++ "stat64\0statfs\0swapoff\0swapon\0symlink\0symlinkat\0sync\0sync_file_range\0syncfs\0sysfs\0" ++ "sysinfo\0syslog\0tee\0tgkill\0timerfd\0timerfd_create\0timerfd_gettime\0timerfd_settime\0times\0tkill\0" ++ "truncate\0tuxcall\0umask\0umount\0uname\0unlink\0unlinkat\0unshare\0uselib\0ustat\0" ++ "utimensat\0utimes\0vfork\0vhangup\0vmsplice\0vserver\0wait4\0waitid\0write\0writev"; ++static const unsigned alpha_syscall_s2i_s[] = { ++ 0,8,15,23,30,35,43,52,64,72, ++ 77,81,88,95,101,107,113,120,134,140, ++ 146,154,168,182,187,191,196,201,214,228, ++ 238,250,261,269,278,295,302,307,318,328, ++ 338,348,362,376,383,390,399,406,415,421, ++ 431,441,452,458,463,476,486,492,500,510, ++ 518,524,534,540,550,566,580,596,603,610, ++ 619,630,644,654,666,676,688,700,708,716, ++ 728,738,748,758,768,775,787,798,805,818, ++ 827,835,843,851,863,881,894,908,925,935, ++ 946,959,968,978,984,995,1006,1017,1024,1029, ++ 1036,1046,1051,1058,1065,1075,1086,1101,1114,1120, ++ 1130,1136,1144,1152,1158,1172,1180,1186,1194,1200, ++ 1208,1214,1223,1228,1234,1245,1254,1268,1278,1286, ++ 1302,1315,1325,1332,1339,1346,1353,1360,1366,1374, ++ 1385,1392,1410,1420,1431,1444,1454,1459,1477,1484, ++ 1496,1512,1526,1541,1560,1578,1590,1601,1613,1624, ++ 1637,1650,1664,1678,1690,1700,1719,1737,1755,1765, ++ 1779,1793,1807,1820,1831,1845,1860,1877,1891,1904, ++ 1916,1928,1938,1949,1966,1977,1988,2000,2012,2023, ++ 2040,2057,2071,2084,2097,2113,2129,2143,2157,2173, ++ 2188,2202,2215,2233,2250,2268,2287,2302,2315,2331, ++ 2346,2359,2372,2385,2399,2415,2425,2441,2452,2473, ++ 2484,2495,2504,2517,2528,2555,2575,2589,2603,2616, ++ 2631,2648,2658,2669,2685,2700,2713,2729,2738,2749, ++ 2765,2777,2788,2800,2812,2822,2833,2851,2863,2879, ++ 2895,2906,2918,2928,2939,2956,2971,2987,3003,3015, ++ 3020,3026,3037,3042,3048,3054,3060,3067,3077,3094, ++ 3112,3121,3128,3135,3143,3156,3165,3170,3180,3189, ++ 3200,3206,3213,3218,3227,3236,3244,3261,3273,3280, ++ 3289,3301,3317,3323,3336,3350,3365,3381,3394,3408, ++ 3424,3442,3465,3488,3506,3521,3540,3562,3580,3595, ++ 3614,3626,3633,3640,3647,3653,3658,3667,3676,3684, ++ 3691,3705,3721,3737,3751,3760,3769,3776,3786,3793, ++ 3805,3815,3821,3829,3837,3849,3858,3868,3878,3887, ++ 3897,3904,3915,3928,3935,3944,3951,3957,3964,3973, ++ 3983,3995,4004,4014,4025,4035,4046,4053,4064,4071, ++ 4076,4083,4090,4098,4105,4113,4123,4128,4144,4151, ++ 4157,4165,4172,4176,4183,4191,4206,4222,4238,4244, ++ 4250,4259,4267,4273,4280,4286,4293,4302,4310,4317, ++ 4323,4333,4340,4346,4354,4363,4371,4377,4384,4390, ++}; ++static const int alpha_syscall_s2i_i[] = { ++ 319,99,502,33,51,439,366,338,300,104, ++ 17,368,369,12,15,16,61,499,312,6, ++ 98,306,308,373,41,90,487,407,486,408, ++ 474,409,478,485,25,59,1,405,462,413, ++ 480,494,495,13,124,461,123,453,92,447, ++ 387,390,131,2,393,384,91,427,455,329, ++ 95,130,394,454,309,430,467,473,367,305, ++ 377,89,79,87,361,64,141,233,63,100, ++ 372,344,144,364,234,150,118,378,359,385, ++ 47,20,24,307,445,444,489,446,402,399, ++ 400,398,401,54,443,442,448,441,37,208, ++ 386,9,458,106,388,389,406,392,19,383, ++ 68,426,75,429,449,375,136,451,14,452, ++ 314,316,71,302,472,74,437,436,432,435, ++ 434,433,341,200,201,202,203,217,315,317, ++ 73,497,340,342,303,321,45,498,450,140, ++ 258,181,188,187,163,252,253,34,11,169, ++ 35,261,248,161,243,214,159,165,164,18, ++ 142,86,49,184,117,256,116,223,77,260, ++ 78,21,65,240,215,213,216,30,158,31, ++ 32,29,27,28,245,246,8,62,81,146, ++ 40,5,46,109,139,110,108,38,72,115, ++ 84,149,247,153,154,107,237,44,244,55, ++ 56,69,222,93,43,239,143,83,50,257, ++ 122,209,218,48,238,112,157,70,160,255, ++ 259,199,0,241,85,242,251,250,220,219, ++ 138,207,7,236,376,345,346,493,324,42, ++ 488,374,94,464,348,349,490,496,504,505, ++ 463,26,350,491,347,148,3,379,58,460, ++ 120,311,102,125,479,113,410,391,128,457, ++ 440,412,137,352,354,353,356,351,357,355, ++ 492,335,336,396,331,333,337,395,330,332, ++ 334,358,204,205,206,101,370,503,114,133, ++ 431,466,411,166,326,325,132,80,301,88, ++ 362,501,39,82,96,127,371,343,126,145, ++ 147,105,360,23,382,210,211,212,134,156, ++ 235,476,484,52,103,111,97,135,468,67, ++ 425,328,304,322,57,459,36,469,500,254, ++ 318,310,470,424,477,481,483,482,323,381, ++ 129,397,60,22,339,10,456,465,313,327, ++ 475,363,66,76,471,428,365,438,4,121, ++}; ++static int alpha_syscall_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(alpha_syscall_strings, alpha_syscall_s2i_s, alpha_syscall_s2i_i, 410, copy, value); ++ } ++} ++static const unsigned alpha_syscall_i2s_direct[] = { ++ 2788,302,458,3165,4384,2202,140,2918,2129,1046, ++ 4286,1613,95,376,1194,101,107,77,1765,1114, ++ 835,1928,4273,3928,843,278,3121,2071,2084,2057, ++ 2000,2023,2040,23,1601,1637,4123,1024,2302,3821, ++ 2188,187,3015,2528,2441,1454,2215,827,2669,1807, ++ 2603,30,4014,-1u,978,2473,2484,4105,3180,295, ++ 4267,113,2143,708,676,1938,4340,4071,1130,2495, ++ 2729,1223,2315,1385,1245,1144,4346,1891,1916,644, ++ 3776,2157,3829,2589,2346,2812,1793,654,3793,630, ++ 191,486,415,2517,3037,518,3837,4046,146,8, ++ 716,3653,3213,4025,72,3904,1058,2415,2287,2233, ++ 2268,4035,2700,3236,3676,2331,1860,1831,787,-1u, ++ 3200,4390,2631,399,383,3218,3878,3849,3273,4250, ++ 524,452,3769,3684,3964,4053,1180,3317,2895,2250, ++ 1484,688,1779,2575,748,3887,2173,3897,3156,2359, ++ 775,-1u,-1u,2385,2399,-1u,3973,2713,2012,1719, ++ 2738,1678,-1u,1560,1755,1737,3737,-1u,-1u,1624, ++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u, ++ -1u,1512,-1u,-1u,1820,-1u,-1u,1541,1526,-1u, ++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,2777, ++ 1332,1339,1346,1353,3633,3640,3647,2906,1029,2648, ++ 3944,3951,3957,1977,1700,1966,1988,1360,2658,2879, ++ 2863,-1u,2504,1877,-1u,-1u,-1u,-1u,-1u,-1u, ++ -1u,-1u,-1u,700,768,3983,2928,2425,2685,2555, ++ 1949,2800,2822,1690,2452,2097,2113,2372,1664,-1u, ++ 2851,2833,1578,1590,4151,2749,1845,2616,1496,2765, ++ 1904,1650,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u, ++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u, ++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u, ++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u, ++ 64,3786,1228,1431,4090,610,154,851,168,550, ++ 4165,3206,134,4310,1208,1366,1214,1374,4157,0, ++ -1u,1444,4098,4238,3003,3760,3751,4317,4083,510, ++ 3580,3506,3595,3521,3614,3442,3465,3540,52,4280, ++ 1410,1325,1420,3868,738,2956,2971,3143,3048,3054, ++ 3128,3381,3323,3350,3336,3408,3365,3394,3626,805, ++ 3915,666,3805,4333,758,4371,43,603,81,88, ++ 3658,3858,728,182,3026,1172,2939,619,798,3170, ++ -1u,4244,3935,1120,476,818,1036,431,1065,1075, ++ 441,3261,1101,463,534,3562,3488,4259,959,935, ++ 946,968,925,-1u,-1u,307,1086,201,228,250, ++ 3244,3721,3301,328,-1u,-1u,-1u,-1u,-1u,-1u, ++ -1u,-1u,-1u,-1u,4176,4076,1136,492,4363,1152, ++ 566,3691,1278,1315,1302,1286,1268,1254,4377,35, ++ 3289,1017,995,984,881,863,908,421,1006,1158, ++ 1477,1186,1200,406,540,500,4293,3280,1051,4113, ++ 3189,390,318,3112,3042,4302,3705,580,4064,4128, ++ 4172,4354,1234,596,238,4323,3995,4183,261,3227, ++ 338,4191,4222,4206,4004,269,214,196,3020,894, ++ 3060,3135,3424,2987,348,362,3067,1392,1459,120, ++ 4144,3815,15,3667,3077,3094, ++}; ++static const char *alpha_syscall_i2s(int v) { ++ return i2s_direct__(alpha_syscall_strings, alpha_syscall_i2s_direct, 0, 505, v); ++} +diff --git a/lib/armeb_tables.h b/lib/armeb_tables.h +new file mode 100644 +index 0000000..dd2bf5f +--- /dev/null ++++ b/lib/armeb_tables.h +@@ -0,0 +1,165 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char armeb_syscall_strings[] = "accept\0accept4\0access\0acct\0add_key\0adjtimex\0alarm\0bdflush\0bind\0brk\0" ++ "capget\0capset\0chdir\0chmod\0chown\0chown32\0chroot\0clock_adjtime\0clock_getres\0clock_gettime\0" ++ "clock_nanosleep\0clock_settime\0clone\0close\0connect\0creat\0delete_module\0dup\0dup2\0dup3\0" ++ "epoll_create\0epoll_create1\0epoll_ctl\0epoll_wait\0eventfd\0eventfd2\0execve\0exit\0exit_group\0faccessat\0" ++ "fadvise64_64\0fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0fchown32\0fchownat\0" ++ "fcntl\0fcntl64\0fdatasync\0fgetxattr\0finit_module\0flistxattr\0flock\0fork\0fremovexattr\0fsetxattr\0" ++ "fstat\0fstat64\0fstatat64\0fstatfs\0fstatfs64\0fsync\0ftruncate\0ftruncate64\0futex\0futimesat\0" ++ "get_mempolicy\0get_robust_list\0getcpu\0getcwd\0getdents\0getdents64\0getegid\0getegid32\0geteuid\0geteuid32\0" ++ "getgid\0getgid32\0getgroups\0getgroups32\0getitimer\0getpeername\0getpgid\0getpgrp\0getpid\0getppid\0" ++ "getpriority\0getresgid\0getresgid32\0getresuid\0getresuid32\0getrlimit\0getrusage\0getsid\0getsockname\0getsockopt\0" ++ "gettid\0gettimeofday\0getuid\0getuid32\0getxattr\0init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0" ++ "io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0ioctl\0ioprio_get\0ioprio_set\0ipc\0kcmp\0" ++ "kexec_load\0keyctl\0kill\0lchown\0lchown32\0lgetxattr\0link\0linkat\0listen\0listxattr\0" ++ "llistxattr\0llseek\0lookup_dcookie\0lremovexattr\0lseek\0lsetxattr\0lstat\0lstat64\0madvise\0mbind\0" ++ "mincore\0mkdir\0mkdirat\0mknod\0mknodat\0mlock\0mlockall\0mmap\0mmap2\0mount\0" ++ "move_pages\0mprotect\0mq_getsetattr\0mq_notify\0mq_open\0mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msgctl\0" ++ "msgget\0msgrcv\0msgsnd\0msync\0munlock\0munlockall\0munmap\0name_to_handle_at\0nanosleep\0newselect\0" ++ "nfsservctl\0nice\0open\0open_by_handle_at\0openat\0pause\0pciconfig_iobase\0pciconfig_read\0pciconfig_write\0perf_event_open\0" ++ "personality\0pipe\0pipe2\0pivot_root\0poll\0prctl\0pread64\0preadv\0prlimit64\0process_vm_readv\0" ++ "process_vm_writev\0ptrace\0pwrite64\0pwritev\0quotactl\0read\0readahead\0readdir\0readlink\0readlinkat\0" ++ "readv\0reboot\0recv\0recvfrom\0recvmmsg\0recvmsg\0remap_file_pages\0removexattr\0rename\0renameat\0" ++ "request_key\0restart_syscall\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0" ++ "rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0" ++ "sched_yield\0select\0semctl\0semget\0semop\0semtimedop\0send\0sendfile\0sendfile64\0sendmmsg\0" ++ "sendmsg\0sendto\0set_mempolicy\0set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsgid32\0setfsuid\0setfsuid32\0" ++ "setgid\0setgid32\0setgroups\0setgroups32\0sethostname\0setitimer\0setns\0setpgid\0setpriority\0setregid\0" ++ "setregid32\0setresgid\0setresgid32\0setresuid\0setresuid32\0setreuid\0setreuid32\0setrlimit\0setsid\0setsockopt\0" ++ "settimeofday\0setuid\0setuid32\0setxattr\0shmat\0shmctl\0shmdt\0shmget\0shutdown\0sigaction\0" ++ "sigaltstack\0signalfd\0signalfd4\0sigpending\0sigprocmask\0sigreturn\0sigsuspend\0socket\0socketcall\0socketpair\0" ++ "splice\0stat\0stat64\0statfs\0statfs64\0stime\0swapoff\0swapon\0symlink\0symlinkat\0" ++ "sync\0sync_file_range\0syncfs\0syscall\0sysctl\0sysfs\0sysinfo\0syslog\0tee\0tgkill\0" ++ "time\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd_create\0timerfd_gettime\0timerfd_settime\0times\0" ++ "tkill\0truncate\0truncate64\0ugetrlimit\0umask\0umount\0umount2\0uname\0unlink\0unlinkat\0" ++ "unshare\0uselib\0ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0vmsplice\0vserver\0" ++ "wait4\0waitid\0write\0writev"; ++static const unsigned armeb_syscall_s2i_s[] = { ++ 0,7,15,22,27,35,44,50,58,63, ++ 67,74,81,87,93,99,107,114,128,141, ++ 155,171,185,191,197,205,211,225,229,234, ++ 239,252,266,276,287,295,304,311,316,327, ++ 337,350,360,374,388,395,402,411,418,427, ++ 436,442,450,460,470,483,494,500,505,518, ++ 528,534,542,552,560,570,576,586,598,604, ++ 614,628,644,651,658,667,678,686,696,704, ++ 714,721,730,740,752,762,774,782,790,797, ++ 805,817,827,839,849,861,871,881,888,900, ++ 911,918,931,938,947,956,968,986,999,1013, ++ 1030,1040,1051,1064,1073,1083,1089,1100,1111,1115, ++ 1120,1131,1138,1143,1150,1159,1169,1174,1181,1188, ++ 1198,1209,1216,1231,1244,1250,1260,1266,1274,1282, ++ 1288,1296,1302,1310,1316,1324,1330,1339,1344,1350, ++ 1356,1367,1376,1390,1400,1408,1424,1437,1447,1454, ++ 1461,1468,1475,1482,1488,1496,1507,1514,1532,1542, ++ 1552,1563,1568,1573,1591,1598,1604,1621,1636,1652, ++ 1668,1680,1685,1691,1702,1707,1713,1721,1728,1738, ++ 1755,1773,1780,1789,1797,1806,1811,1821,1829,1838, ++ 1849,1855,1862,1867,1876,1885,1893,1910,1922,1929, ++ 1938,1950,1966,1972,1985,1999,2014,2030,2043,2057, ++ 2073,2091,2114,2137,2155,2170,2189,2211,2229,2244, ++ 2263,2275,2282,2289,2296,2302,2313,2318,2327,2338, ++ 2347,2355,2362,2376,2392,2408,2422,2431,2442,2451, ++ 2462,2469,2478,2488,2500,2512,2522,2528,2536,2548, ++ 2557,2568,2578,2590,2600,2612,2621,2632,2642,2649, ++ 2660,2673,2680,2689,2698,2704,2711,2717,2724,2733, ++ 2743,2755,2764,2774,2785,2797,2807,2818,2825,2836, ++ 2847,2854,2859,2866,2873,2882,2888,2896,2903,2911, ++ 2921,2926,2942,2949,2957,2964,2970,2978,2985,2989, ++ 2996,3001,3014,3027,3044,3058,3072,3087,3103,3119, ++ 3125,3131,3140,3151,3162,3168,3175,3183,3189,3196, ++ 3205,3213,3220,3226,3232,3242,3249,3255,3263,3272, ++ 3280,3286,3293,3299, ++}; ++static const int armeb_syscall_s2i_i[] = { ++ 285,366,33,51,309,124,27,134,282,45, ++ 184,185,12,15,182,212,61,372,264,263, ++ 265,262,120,6,283,8,129,41,63,358, ++ 250,357,251,252,351,356,11,1,248,334, ++ 270,352,367,368,133,94,333,95,207,325, ++ 55,221,148,231,379,234,143,2,237,228, ++ 108,197,327,100,267,118,93,194,240,326, ++ 320,339,345,183,141,217,50,202,49,201, ++ 47,200,80,205,105,287,132,65,20,64, ++ 96,171,211,165,209,76,77,147,286,295, ++ 224,78,24,199,229,128,317,316,360,318, ++ 247,244,245,243,246,54,315,314,117,378, ++ 347,311,37,16,198,230,9,330,284,232, ++ 233,140,249,236,19,227,107,196,220,319, ++ 219,39,323,14,324,150,152,90,192,21, ++ 344,125,279,278,274,277,276,275,163,304, ++ 303,302,301,144,151,153,91,370,162,142, ++ 169,34,5,371,322,29,271,272,273,364, ++ 136,42,359,218,168,172,180,361,369,376, ++ 377,26,181,362,131,3,225,89,85,332, ++ 145,88,291,292,365,297,253,235,38,329, ++ 310,0,40,174,176,175,178,173,179,177, ++ 363,159,160,242,155,157,161,241,154,156, ++ 158,82,300,299,298,312,289,187,239,374, ++ 296,290,321,338,256,121,139,216,138,215, ++ 46,214,81,206,74,104,375,57,97,71, ++ 204,170,210,164,208,70,203,75,66,294, ++ 79,23,213,226,305,308,306,307,293,67, ++ 186,349,355,73,126,119,72,281,102,288, ++ 340,106,195,99,266,25,115,87,83,331, ++ 36,341,373,113,149,135,116,103,342,268, ++ 13,257,261,260,259,258,350,354,353,43, ++ 238,92,193,191,60,22,52,122,10,328, ++ 337,86,62,30,348,269,190,111,343,313, ++ 114,280,4,146, ++}; ++static int armeb_syscall_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(armeb_syscall_strings, armeb_syscall_s2i_s, armeb_syscall_s2i_i, 344, copy, value); ++ } ++} ++static const unsigned armeb_syscall_i2s_direct[] = { ++ 1950,311,500,1806,3293,1568,191,-1u,205,1169, ++ 3189,304,81,2996,1310,87,1143,-1u,-1u,1244, ++ 790,1350,3168,2673,931,2882,1773,44,-1u,1598, ++ 3226,-1u,-1u,15,1563,-1u,2921,1138,1922,1296, ++ 1966,225,1680,3119,-1u,63,2462,714,-1u,696, ++ 678,22,3175,-1u,1083,436,-1u,2528,-1u,-1u, ++ 3162,107,3220,229,797,782,2642,2733,-1u,-1u, ++ 2612,2548,2807,2774,2500,2632,861,871,918,2660, ++ 730,2478,2275,2903,-1u,1829,3213,2896,1855,1821, ++ 1339,1507,3131,576,395,411,805,2536,-1u,2866, ++ 552,-1u,2825,2978,2512,752,2854,1260,528,-1u, ++ -1u,3255,-1u,2949,3280,2888,2970,1111,570,2797, ++ 185,2408,3183,-1u,35,1367,2785,-1u,956,211, ++ -1u,1797,774,388,50,2964,1668,-1u,2442,2422, ++ 1209,658,1542,494,1482,1849,3299,881,450,2957, ++ 1324,1488,1330,1496,2229,2155,2244,2170,2263,2091, ++ 2114,2189,1532,1447,2590,839,-1u,-1u,1702,1552, ++ 2568,817,1707,2030,1972,1999,1985,2057,2014,2043, ++ 1713,1780,93,651,67,74,2743,2318,-1u,-1u, ++ 3249,3151,1344,3140,586,2859,1266,534,1150,938, ++ 721,704,686,2621,2557,740,2488,418,2600,849, ++ 2578,827,99,2680,2469,2451,2431,667,1691,1288, ++ 1274,442,-1u,-1u,911,1811,2689,1250,518,947, ++ 1159,460,1188,1198,483,1910,1231,505,3125,2327, ++ 598,2211,2137,1064,1040,1051,1073,1030,316,1216, ++ 239,266,276,1893,-1u,-1u,2392,3001,3058,3044, ++ 3027,3014,171,141,128,155,2873,560,2989,3242, ++ 337,1604,1621,1636,1400,1437,1424,1408,1390,1376, ++ 3286,2818,58,197,1181,0,888,762,2836,2313, ++ 2355,1862,1867,2724,2649,900,2347,1885,2296,2289, ++ 2282,1475,1468,1461,1454,2698,2711,2717,2704,27, ++ 1938,1131,2302,3272,1100,1089,986,968,1013,1282, ++ 614,2362,1591,1302,1316,427,604,542,3196,1929, ++ 1174,2911,1838,402,327,-1u,-1u,3205,2376,628, ++ 2847,2926,2985,3263,1356,644,-1u,1120,3232,2755, ++ 3072,287,350,3103,3087,2764,295,252,234,1685, ++ 999,1721,1789,2073,1652,1876,7,360,374,1728, ++ 1514,1573,114,2942,2338,2522,1738,1755,1115,470, ++}; ++static const char *armeb_syscall_i2s(int v) { ++ return i2s_direct__(armeb_syscall_strings, armeb_syscall_i2s_direct, 0, 379, v); ++} +diff --git a/lib/errtabs.h b/lib/errtabs.h +new file mode 100644 +index 0000000..53deac2 +--- /dev/null ++++ b/lib/errtabs.h +@@ -0,0 +1,78 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char err_strings[] = "E2BIG\0EACCES\0EADDRINUSE\0EADDRNOTAVAIL\0EADV\0EAFNOSUPPORT\0EAGAIN\0EALREADY\0EBADE\0EBADF\0" ++ "EBADFD\0EBADMSG\0EBADR\0EBADRQC\0EBADSLT\0EBFONT\0EBUSY\0ECANCELED\0ECHILD\0ECHRNG\0" ++ "ECOMM\0ECONNABORTED\0ECONNREFUSED\0ECONNRESET\0EDEADLK\0EDEADLOCK\0EDESTADDRREQ\0EDOM\0EDOTDOT\0EDQUOT\0" ++ "EEXIST\0EFAULT\0EFBIG\0EHOSTDOWN\0EHOSTUNREACH\0EIDRM\0EILSEQ\0EINPROGRESS\0EINTR\0EINVAL\0" ++ "EIO\0EISCONN\0EISDIR\0EISNAM\0EKEYEXPIRED\0EKEYREJECTED\0EKEYREVOKED\0EL2HLT\0EL2NSYNC\0EL3HLT\0" ++ "EL3RST\0ELIBACC\0ELIBBAD\0ELIBEXEC\0ELIBMAX\0ELIBSCN\0ELNRNG\0ELOOP\0EMEDIUMTYPE\0EMFILE\0" ++ "EMLINK\0EMSGSIZE\0EMULTIHOP\0ENAMETOOLONG\0ENAVAIL\0ENETDOWN\0ENETRESET\0ENETUNREACH\0ENFILE\0ENOANO\0" ++ "ENOBUFS\0ENOCSI\0ENODATA\0ENODEV\0ENOENT\0ENOEXEC\0ENOKEY\0ENOLCK\0ENOLINK\0ENOMEDIUM\0" ++ "ENOMEM\0ENOMSG\0ENONET\0ENOPKG\0ENOPROTOOPT\0ENOSPC\0ENOSR\0ENOSTR\0ENOSYS\0ENOTBLK\0" ++ "ENOTCONN\0ENOTDIR\0ENOTEMPTY\0ENOTNAM\0ENOTRECOVERABLE\0ENOTSOCK\0ENOTTY\0ENOTUNIQ\0ENXIO\0EOPNOTSUPP\0" ++ "EOVERFLOW\0EOWNERDEAD\0EPERM\0EPFNOSUPPORT\0EPIPE\0EPROTO\0EPROTONOSUPPORT\0EPROTOTYPE\0ERANGE\0EREMCHG\0" ++ "EREMOTE\0EREMOTEIO\0ERESTART\0EROFS\0ESHUTDOWN\0ESOCKTNOSUPPORT\0ESPIPE\0ESRCH\0ESRMNT\0ESTALE\0" ++ "ESTRPIPE\0ETIME\0ETIMEDOUT\0ETOOMANYREFS\0ETXTBSY\0EUCLEAN\0EUNATCH\0EUSERS\0EWOULDBLOCK\0EXDEV\0" ++ "EXFULL"; ++static const unsigned err_s2i_s[] = { ++ 0,6,13,24,38,43,56,63,72,78, ++ 84,91,99,105,113,121,128,134,144,151, ++ 158,164,177,190,201,209,219,232,237,245, ++ 252,259,266,272,282,295,301,308,320,326, ++ 333,337,345,352,359,371,384,396,403,412, ++ 419,426,434,442,451,459,467,474,480,492, ++ 499,506,515,525,538,546,555,565,577,584, ++ 591,599,606,614,621,628,636,643,650,658, ++ 668,675,682,689,696,708,715,721,728,735, ++ 743,752,760,770,778,794,803,810,819,825, ++ 836,846,857,863,876,882,889,905,916,923, ++ 931,939,949,958,964,974,990,997,1003,1010, ++ 1017,1026,1032,1042,1055,1063,1071,1079,1086,1098, ++ 1104, ++}; ++static const int err_s2i_i[] = { ++ 7,13,98,99,68,97,11,114,52,9, ++ 77,74,53,56,57,59,16,125,10,44, ++ 70,103,111,104,35,35,89,33,73,122, ++ 17,14,27,112,113,43,84,115,4,22, ++ 5,106,21,120,127,129,128,51,45,46, ++ 47,79,80,83,82,81,48,40,124,24, ++ 31,90,72,36,119,100,102,101,23,55, ++ 105,50,61,19,2,8,126,37,67,123, ++ 12,42,64,65,92,28,63,60,38,15, ++ 107,20,39,118,131,88,25,76,6,95, ++ 75,130,1,96,32,71,93,91,34,78, ++ 66,121,85,30,108,94,29,3,69,116, ++ 86,62,110,109,26,117,49,87,11,18, ++ 54, ++}; ++static int err_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' : c; ++ } ++ copy[i] = 0; ++ return s2i__(err_strings, err_s2i_s, err_s2i_i, 131, copy, value); ++ } ++} ++static const unsigned err_i2s_direct[] = { ++ 857,621,997,320,333,819,0,628,78,144, ++ 56,668,6,259,735,128,252,1098,614,752, ++ 345,326,577,492,803,1055,266,708,990,958, ++ 499,876,232,916,201,525,643,728,760,474, ++ -1u,675,295,151,403,412,419,467,1071,599, ++ 396,72,99,1104,584,105,113,-1u,121,721, ++ 606,1026,715,682,689,931,650,38,1003,158, ++ 882,515,237,91,836,810,84,923,426,434, ++ 459,451,442,301,949,1017,1079,794,219,506, ++ 905,696,889,974,825,863,43,13,24,546, ++ 565,555,164,190,591,337,743,964,1042,1032, ++ 177,272,282,63,308,1010,1063,770,538,352, ++ 939,245,658,480,134,636,359,384,371,846, ++ 778, ++}; ++static const char *err_i2s(int v) { ++ return i2s_direct__(err_strings, err_i2s_direct, 1, 131, v); ++} +diff --git a/lib/fieldtabs.h b/lib/fieldtabs.h +new file mode 100644 +index 0000000..fb50e08 +--- /dev/null ++++ b/lib/fieldtabs.h +@@ -0,0 +1,49 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char field_strings[] = "a0\0a1\0a2\0a3\0arch\0auid\0devmajor\0devminor\0dir\0egid\0" ++ "euid\0exit\0field_compare\0filetype\0fsgid\0fsuid\0gid\0inode\0key\0loginuid\0" ++ "msgtype\0obj_gid\0obj_lev_high\0obj_lev_low\0obj_role\0obj_type\0obj_uid\0obj_user\0path\0perm\0" ++ "pers\0pid\0ppid\0sgid\0subj_clr\0subj_role\0subj_sen\0subj_type\0subj_user\0success\0" ++ "suid\0uid"; ++static const unsigned field_s2i_s[] = { ++ 0,3,6,9,12,17,22,31,40,44, ++ 49,54,59,73,82,88,94,98,104,108, ++ 117,125,133,146,158,167,176,184,193,198, ++ 203,208,212,217,222,231,241,250,260,270, ++ 278,283, ++}; ++static const int field_s2i_i[] = { ++ 200,201,202,203,11,9,100,101,107,6, ++ 2,103,111,108,8,4,5,102,210,9, ++ 12,110,23,22,20,21,109,19,105,106, ++ 10,0,18,7,17,14,16,15,13,104, ++ 3,1, ++}; ++static int field_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(field_strings, field_s2i_s, field_s2i_i, 42, copy, value); ++ } ++} ++static const int field_i2s_i[] = { ++ 0,1,2,3,4,5,6,7,8,9, ++ 10,11,12,13,14,15,16,17,18,19, ++ 20,21,22,23,100,101,102,103,104,105, ++ 106,107,108,109,110,111,200,201,202,203, ++ 210, ++}; ++static const unsigned field_i2s_s[] = { ++ 208,283,49,278,88,94,44,217,82,17, ++ 203,12,117,260,231,250,241,222,212,184, ++ 158,167,146,133,22,31,98,54,270,193, ++ 198,40,73,176,125,59,0,3,6,9, ++ 104, ++}; ++static const char *field_i2s(int v) { ++ return i2s_bsearch__(field_strings, field_i2s_i, field_i2s_s, 41, v); ++} +diff --git a/lib/flagtabs.h b/lib/flagtabs.h +new file mode 100644 +index 0000000..e191db3 +--- /dev/null ++++ b/lib/flagtabs.h +@@ -0,0 +1,26 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char flag_strings[] = "entry\0exclude\0exit\0task\0user"; ++static const unsigned flag_s2i_s[] = { ++ 0,6,14,19,24, ++}; ++static const int flag_s2i_i[] = { ++ 2,5,4,1,0, ++}; ++static int flag_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(flag_strings, flag_s2i_s, flag_s2i_i, 5, copy, value); ++ } ++} ++static const unsigned flag_i2s_direct[] = { ++ 24,19,0,-1u,14,6, ++}; ++static const char *flag_i2s(int v) { ++ return i2s_direct__(flag_strings, flag_i2s_direct, 0, 5, v); ++} +diff --git a/lib/ftypetabs.h b/lib/ftypetabs.h +new file mode 100644 +index 0000000..04aaa46 +--- /dev/null ++++ b/lib/ftypetabs.h +@@ -0,0 +1,29 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char ftype_strings[] = "block\0character\0dir\0fifo\0file\0link\0socket"; ++static const unsigned ftype_s2i_s[] = { ++ 0,6,16,20,25,30,35, ++}; ++static const int ftype_s2i_i[] = { ++ 24576,8192,16384,4096,32768,40960,49152, ++}; ++static int ftype_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(ftype_strings, ftype_s2i_s, ftype_s2i_i, 7, copy, value); ++ } ++} ++static const int ftype_i2s_i[] = { ++ 4096,8192,16384,24576,32768,40960,49152, ++}; ++static const unsigned ftype_i2s_s[] = { ++ 20,6,16,0,25,30,35, ++}; ++static const char *ftype_i2s(int v) { ++ return i2s_bsearch__(ftype_strings, ftype_i2s_i, ftype_i2s_s, 7, v); ++} +diff --git a/lib/i386_tables.h b/lib/i386_tables.h +new file mode 100644 +index 0000000..6703ffc +--- /dev/null ++++ b/lib/i386_tables.h +@@ -0,0 +1,163 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char i386_syscall_strings[] = "_llseek\0_newselect\0_sysctl\0access\0acct\0add_key\0adjtimex\0afs_syscall\0alarm\0bdflush\0" ++ "break\0brk\0capget\0capset\0chdir\0chmod\0chown\0chown32\0chroot\0clock_adjtime\0" ++ "clock_getres\0clock_gettime\0clock_nanosleep\0clock_settime\0clone\0close\0creat\0create_module\0delete_module\0dup\0" ++ "dup2\0dup3\0epoll_create\0epoll_create1\0epoll_ctl\0epoll_pwait\0epoll_wait\0eventfd\0eventfd2\0execve\0" ++ "exit\0exit_group\0faccessat\0fadvise64\0fadvise64_64\0fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0" ++ "fchmodat\0fchown\0fchown32\0fchownat\0fcntl\0fcntl64\0fdatasync\0fgetxattr\0finit_module\0flistxattr\0" ++ "flock\0fork\0fremovexattr\0fsetxattr\0fstat\0fstat64\0fstatat64\0fstatfs\0fstatfs64\0fsync\0" ++ "ftime\0ftruncate\0ftruncate64\0futex\0futimesat\0get_kernel_syms\0get_mempolicy\0get_robust_list\0get_thread_area\0getcpu\0" ++ "getcwd\0getdents\0getdents64\0getegid\0getegid32\0geteuid\0geteuid32\0getgid\0getgid32\0getgroups\0" ++ "getgroups32\0getitimer\0getpgid\0getpgrp\0getpid\0getpmsg\0getppid\0getpriority\0getresgid\0getresgid32\0" ++ "getresuid\0getresuid32\0getrlimit\0getrusage\0getsid\0gettid\0gettimeofday\0getuid\0getuid32\0getxattr\0" ++ "gtty\0idle\0init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0" ++ "io_setup\0io_submit\0ioctl\0ioperm\0iopl\0ioprio_get\0ioprio_set\0ipc\0kcmp\0keyctl\0" ++ "kill\0lchown\0lchown32\0lgetxattr\0link\0linkat\0listxattr\0llistxattr\0lock\0lookup_dcookie\0" ++ "lremovexattr\0lseek\0lsetxattr\0lstat\0lstat64\0madvise\0madvise1\0mbind\0migrate_pages\0mincore\0" ++ "mkdir\0mkdirat\0mknod\0mknodat\0mlock\0mlockall\0mmap\0mmap2\0modify_ldt\0mount\0" ++ "move_pages\0mprotect\0mpx\0mq_getsetattr\0mq_notify\0mq_open\0mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0" ++ "msync\0munlock\0munlockall\0munmap\0name_to_handle_at\0nanosleep\0nfsservctl\0nice\0oldfstat\0oldlstat\0" ++ "oldolduname\0oldstat\0olduname\0open\0open_by_handle_at\0openat\0pause\0perf_event_open\0personality\0pipe\0" ++ "pipe2\0pivot_root\0poll\0ppoll\0prctl\0pread64\0preadv\0prlimit64\0process_vm_readv\0process_vm_writev\0" ++ "prof\0profil\0pselect6\0ptrace\0putpmsg\0pwrite64\0pwritev\0query_module\0quotactl\0read\0" ++ "readahead\0readdir\0readlink\0readlinkat\0readv\0reboot\0recvmmsg\0remap_file_pages\0removexattr\0rename\0" ++ "renameat\0request_key\0restart_syscall\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0" ++ "rt_sigtimedwait\0rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0" ++ "sched_setscheduler\0sched_yield\0select\0sendfile\0sendfile64\0sendmmsg\0set_mempolicy\0set_robust_list\0set_thread_area\0set_tid_address\0" ++ "setdomainname\0setfsgid\0setfsgid32\0setfsuid\0setfsuid32\0setgid\0setgid32\0setgroups\0setgroups32\0sethostname\0" ++ "setitimer\0setns\0setpgid\0setpriority\0setregid\0setregid32\0setresgid\0setresgid32\0setresuid\0setresuid32\0" ++ "setreuid\0setreuid32\0setrlimit\0setsid\0settimeofday\0setuid\0setuid32\0setxattr\0sgetmask\0sigaction\0" ++ "sigaltstack\0signal\0signalfd\0signalfd4\0sigpending\0sigprocmask\0sigreturn\0sigsuspend\0socketcall\0splice\0" ++ "ssetmask\0stat\0stat64\0statfs\0statfs64\0stime\0stty\0swapoff\0swapon\0symlink\0" ++ "symlinkat\0sync\0sync_file_range\0syncfs\0sys_kexec_load\0sysfs\0sysinfo\0syslog\0tee\0tgkill\0" ++ "time\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd\0timerfd_gettime\0timerfd_settime\0times\0" ++ "tkill\0truncate\0truncate64\0ugetrlimit\0ulimit\0umask\0umount\0umount2\0uname\0unlink\0" ++ "unlinkat\0unshare\0uselib\0ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0vm86\0" ++ "vm86old\0vmsplice\0vserver\0wait4\0waitid\0waitpid\0write\0writev"; ++static const unsigned i386_syscall_s2i_s[] = { ++ 0,8,19,27,34,39,47,56,68,74, ++ 82,88,92,99,106,112,118,124,132,139, ++ 153,166,180,196,210,216,222,228,242,256, ++ 260,265,270,283,297,307,319,330,338,347, ++ 354,359,370,380,390,403,413,427,441,448, ++ 455,464,471,480,489,495,503,513,523,536, ++ 547,553,558,571,581,587,595,605,613,623, ++ 629,635,645,657,663,673,689,703,719,735, ++ 742,749,758,769,777,787,795,805,812,821, ++ 831,843,853,861,869,876,884,892,904,914, ++ 926,936,948,958,968,975,982,995,1002,1011, ++ 1020,1025,1030,1042,1060,1073,1087,1104,1114,1125, ++ 1138,1147,1157,1163,1170,1175,1186,1197,1201,1206, ++ 1213,1218,1225,1234,1244,1249,1256,1266,1277,1282, ++ 1297,1310,1316,1326,1332,1340,1348,1357,1363,1377, ++ 1385,1391,1399,1405,1413,1419,1428,1433,1439,1450, ++ 1456,1467,1476,1480,1494,1504,1512,1528,1541,1551, ++ 1558,1564,1572,1583,1590,1608,1618,1629,1634,1643, ++ 1652,1664,1672,1681,1686,1704,1711,1717,1733,1745, ++ 1750,1756,1767,1772,1778,1784,1792,1799,1809,1826, ++ 1844,1849,1856,1865,1872,1880,1889,1897,1910,1919, ++ 1924,1934,1942,1951,1962,1968,1975,1984,2001,2013, ++ 2020,2029,2041,2057,2063,2076,2090,2105,2121,2134, ++ 2148,2164,2182,2205,2228,2246,2261,2280,2302,2320, ++ 2335,2354,2366,2373,2382,2393,2402,2416,2432,2448, ++ 2464,2478,2487,2498,2507,2518,2525,2534,2544,2556, ++ 2568,2578,2584,2592,2604,2613,2624,2634,2646,2656, ++ 2668,2677,2688,2698,2705,2718,2725,2734,2743,2752, ++ 2762,2774,2781,2790,2800,2811,2823,2833,2844,2855, ++ 2862,2871,2876,2883,2890,2899,2905,2910,2918,2925, ++ 2933,2943,2948,2964,2971,2986,2992,3000,3007,3011, ++ 3018,3023,3036,3049,3066,3080,3094,3102,3118,3134, ++ 3140,3146,3155,3166,3177,3184,3190,3197,3205,3211, ++ 3218,3227,3235,3242,3248,3254,3264,3271,3277,3285, ++ 3290,3298,3307,3315,3321,3328,3336,3342, ++}; ++static const int i386_syscall_s2i_i[] = { ++ 140,142,149,33,51,286,124,137,27,134, ++ 17,45,184,185,12,15,182,212,61,343, ++ 266,265,267,264,120,6,8,127,129,41, ++ 63,330,254,329,255,319,256,323,328,11, ++ 1,252,307,250,272,324,338,339,133,94, ++ 306,95,207,298,55,221,148,231,350,234, ++ 143,2,237,228,108,197,300,100,269,118, ++ 35,93,194,240,299,130,275,312,244,318, ++ 183,141,220,50,202,49,201,47,200,80, ++ 205,105,132,65,20,188,64,96,171,211, ++ 165,209,76,77,147,224,78,24,199,229, ++ 32,112,128,292,291,332,293,249,246,247, ++ 245,248,54,101,110,290,289,117,349,288, ++ 37,16,198,230,9,303,232,233,53,253, ++ 236,19,227,107,196,219,219,274,294,218, ++ 39,296,14,297,150,152,90,192,123,21, ++ 317,125,56,282,281,277,280,279,278,163, ++ 144,151,153,91,341,162,169,34,28,84, ++ 59,18,109,5,342,295,29,336,136,42, ++ 331,217,168,309,172,180,333,340,347,348, ++ 44,98,308,26,189,181,334,167,131,3, ++ 225,89,85,305,145,88,337,257,235,38, ++ 302,287,0,40,174,176,175,178,173,179, ++ 177,335,159,160,242,155,157,161,241,154, ++ 156,158,82,187,239,345,276,311,243,258, ++ 121,139,216,138,215,46,214,81,206,74, ++ 104,346,57,97,71,204,170,210,164,208, ++ 70,203,75,66,79,23,213,226,68,67, ++ 186,48,321,327,73,126,119,72,102,313, ++ 69,106,195,99,268,25,31,115,87,83, ++ 304,36,314,344,283,135,116,103,315,270, ++ 13,259,263,262,261,260,322,326,325,43, ++ 238,92,193,191,58,60,22,52,122,10, ++ 301,310,86,62,30,320,271,190,111,166, ++ 113,316,273,114,284,7,4,146, ++}; ++static int i386_syscall_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(i386_syscall_strings, i386_syscall_s2i_s, i386_syscall_s2i_i, 348, copy, value); ++ } ++} ++static const unsigned i386_syscall_i2s_direct[] = { ++ 2041,354,553,1919,3336,1681,216,3328,222,1244, ++ 3211,347,106,3018,1399,112,1218,82,1664,1310, ++ 869,1450,3190,2718,995,2899,1865,68,1634,1711, ++ 3248,2905,1020,27,1629,629,2943,1213,2013,1385, ++ 2057,256,1745,3134,1844,88,2518,805,2774,787, ++ 769,34,3197,1277,1157,489,1476,2584,3177,1652, ++ 3184,132,3242,260,884,861,2698,2752,2743,2862, ++ 2668,2604,2833,2800,2556,2688,948,958,982,2705, ++ 821,2534,2366,2925,1643,1942,3235,2918,1968,1934, ++ 1428,1583,3146,635,448,464,892,2592,1849,2883, ++ 605,1163,2844,3000,2568,843,2871,1326,581,1672, ++ 1170,3277,1025,3290,3315,2910,2992,1197,623,2823, ++ 210,2464,3205,1439,47,1467,2811,228,1030,242, ++ 673,1910,853,441,74,2986,1733,56,2498,2478, ++ 0,749,8,547,1558,1962,3342,968,503,19, ++ 1413,1564,1419,1572,2320,2246,2335,2261,2354,2182, ++ 2205,2280,1608,1551,2646,926,3285,1897,1767,1618, ++ 2624,904,1778,2121,2063,2090,2076,2148,2105,2134, ++ 1784,1880,118,742,92,99,2762,2373,876,1872, ++ 3271,3166,1433,3155,645,2876,1332,587,1225,1002, ++ 812,795,777,2677,2613,831,2544,471,2656,936, ++ 2634,914,124,2725,2525,2507,2487,1756,1377,1340, ++ 758,495,-1u,-1u,975,1924,2734,1316,571,1011, ++ 1234,513,1256,1266,536,2001,1297,558,3140,2382, ++ 657,2302,2228,2432,719,1138,1114,1125,1147,1104, ++ 380,-1u,359,1282,270,297,319,1984,2448,3023, ++ 3080,3066,3049,3036,196,166,153,180,2890,613, ++ 3011,3264,390,3307,1357,689,2402,1504,1541,1528, ++ 1512,1494,1480,2971,3321,-1u,39,2029,1206,1186, ++ 1175,1060,1042,1087,1363,1704,1391,1405,480,663, ++ 595,3218,2020,1249,2933,1951,455,370,1856,1772, ++ 3227,2416,703,2855,2948,3007,3298,1456,735,307, ++ 3254,2781,3094,330,403,3118,3102,2790,338,283, ++ 265,1750,1073,1792,1889,2164,1717,1975,413,427, ++ 1799,1590,1686,139,2964,2393,2578,1809,1826,1201, ++ 523, ++}; ++static const char *i386_syscall_i2s(int v) { ++ return i2s_direct__(i386_syscall_strings, i386_syscall_i2s_direct, 0, 350, v); ++} +diff --git a/lib/ia64_tables.h b/lib/ia64_tables.h +new file mode 100644 +index 0000000..9e127a0 +--- /dev/null ++++ b/lib/ia64_tables.h +@@ -0,0 +1,147 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char ia64_syscall_strings[] = "_sysctl\0accept\0accept4\0access\0acct\0add_key\0adjtimex\0afs_syscall\0bdflush\0bind\0" ++ "brk\0capget\0capset\0chdir\0chmod\0chown\0chroot\0clock_adjtime\0clock_getres\0clock_gettime\0" ++ "clock_nanosleep\0clock_settime\0clone\0clone2\0close\0connect\0creat\0delete_module\0dup\0dup2\0" ++ "dup3\0epoll_create\0epoll_create1\0epoll_ctl\0epoll_pwait\0epoll_wait\0eventfd\0eventfd2\0execve\0exit\0" ++ "exit_group\0faccessat\0fadvise64\0fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0" ++ "fchownat\0fcntl\0fdatasync\0fgetxattr\0finit_module\0flistxattr\0flock\0fremovexattr\0fsetxattr\0fstat\0" ++ "fstatfs\0fstatfs64\0fsync\0ftruncate\0futex\0futimesat\0get_mempolicy\0get_robust_list\0getcpu\0getcwd\0" ++ "getdents\0getdents64\0getegid\0geteuid\0getgid\0getgroups\0getitimer\0getpeername\0getpgid\0getpid\0" ++ "getpmsg\0getppid\0getpriority\0getresgid\0getresuid\0getrlimit\0getrusage\0getsid\0getsockname\0getsockopt\0" ++ "gettid\0gettimeofday\0getuid\0getunwind\0getxattr\0init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0" ++ "io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0ioctl\0ioprio_get\0ioprio_set\0kexec_load\0keyctl\0" ++ "kill\0lchown\0lgetxattr\0link\0linkat\0listen\0listxattr\0llistxattr\0lookup_dcookie\0lremovexattr\0" ++ "lseek\0lsetxattr\0lstat\0madvise\0mbind\0migrate_pages\0mincore\0mkdir\0mkdirat\0mknod\0" ++ "mknodat\0mlock\0mlockall\0mmap\0mmap2\0mount\0mprotect\0mq_getsetattr\0mq_notify\0mq_open\0" ++ "mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msgctl\0msgget\0msgrcv\0msgsnd\0msync\0munlock\0" ++ "munlockall\0munmap\0name_to_handle_at\0nanosleep\0newfstatat\0nfsservctl\0ni_syscall\0open\0open_by_handle_at\0openat\0" ++ "pciconfig_read\0pciconfig_write\0perfmonctl\0personality\0pipe\0pipe2\0pivot_root\0poll\0ppoll\0prctl\0" ++ "pread64\0preadv\0prlimit64\0process_vm_readv\0process_vm_writev\0pselect\0ptrace\0putpmsg\0pwrite64\0pwritev\0" ++ "quotactl\0read\0readahead\0readlink\0readlinkat\0readv\0reboot\0recv\0recvfrom\0recvmmsg\0" ++ "recvmsg\0remap_file_pages\0removexattr\0rename\0renameat\0request_key\0restart_syscall\0rmdir\0rt_sigaction\0rt_sigpending\0" ++ "rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0" ++ "sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0sched_yield\0select\0semctl\0semget\0semop\0" ++ "semtimedop\0send\0sendfile\0sendmmsg\0sendmsg\0sendto\0set_mempolicy\0set_robust_list\0set_tid_address\0set_zone_reclaim\0" ++ "setdomainname\0setfsgid\0setfsuid\0setgid\0setgroups\0sethostname\0setitimer\0setns\0setpgid\0setpriority\0" ++ "setregid\0setresgid\0setresuid\0setreuid\0setrlimit\0setsid\0setsockopt\0settimeofday\0setuid\0setxattr\0" ++ "shmat\0shmctl\0shmdt\0shmget\0shutdown\0sigaltstack\0signalfd\0signalfd4\0socket\0socketpair\0" ++ "splice\0stat\0statfs\0statfs64\0swapoff\0swapon\0symlink\0symlinkat\0sync\0sync_file_range\0" ++ "syncfs\0sysfs\0sysinfo\0syslog\0tee\0tgkill\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0" ++ "timer_settime\0timerfd\0timerfd_create\0timerfd_gettime\0timerfd_settime\0times\0tkill\0truncate\0tux\0umask\0" ++ "umount\0uname\0unlink\0unlinkat\0unshare\0uselib\0ustat\0utimensat\0utimes\0vhangup\0" ++ "vmsplice\0vserver\0wait4\0waitid\0write\0writev"; ++static const unsigned ia64_syscall_s2i_s[] = { ++ 0,8,15,23,30,35,43,52,64,72, ++ 77,81,88,95,101,107,113,120,134,147, ++ 161,177,191,197,204,210,218,224,238,242, ++ 247,252,265,279,289,301,312,320,329,336, ++ 341,352,362,372,382,396,410,417,424,433, ++ 440,449,455,465,475,488,499,505,518,528, ++ 534,542,552,558,568,574,584,598,614,621, ++ 628,637,648,656,664,671,681,691,703,711, ++ 718,726,734,746,756,766,776,786,793,805, ++ 816,823,836,843,853,862,874,892,905,919, ++ 936,946,957,970,979,989,995,1006,1017,1028, ++ 1035,1040,1047,1057,1062,1069,1076,1086,1097,1112, ++ 1125,1131,1141,1147,1155,1161,1175,1183,1189,1197, ++ 1203,1211,1217,1226,1231,1237,1243,1252,1266,1276, ++ 1284,1300,1313,1323,1330,1337,1344,1351,1358,1364, ++ 1372,1383,1390,1408,1418,1429,1440,1451,1456,1474, ++ 1481,1496,1512,1523,1535,1540,1546,1557,1562,1568, ++ 1574,1582,1589,1599,1616,1634,1642,1649,1657,1666, ++ 1674,1683,1688,1698,1707,1718,1724,1731,1736,1745, ++ 1754,1762,1779,1791,1798,1807,1819,1835,1841,1854, ++ 1868,1883,1899,1912,1926,1942,1960,1983,2006,2024, ++ 2039,2058,2080,2098,2113,2132,2144,2151,2158,2165, ++ 2171,2182,2187,2196,2205,2213,2220,2234,2250,2266, ++ 2283,2297,2306,2315,2322,2332,2344,2354,2360,2368, ++ 2380,2389,2399,2409,2418,2428,2435,2446,2459,2466, ++ 2475,2481,2488,2494,2501,2510,2522,2531,2541,2548, ++ 2559,2566,2571,2578,2587,2595,2602,2610,2620,2625, ++ 2641,2648,2654,2662,2669,2673,2680,2693,2706,2723, ++ 2737,2751,2759,2774,2790,2806,2812,2818,2827,2831, ++ 2837,2844,2850,2857,2866,2874,2881,2887,2897,2904, ++ 2912,2921,2929,2935,2942,2948, ++}; ++static const int ia64_syscall_s2i_i[] = { ++ 1150,1194,1334,1049,1064,1271,1131,1141,1138,1191, ++ 1060,1185,1186,1034,1038,1039,1068,1328,1255,1254, ++ 1256,1253,1128,1213,1029,1192,1030,1134,1057,1070, ++ 1316,1243,1315,1244,1305,1245,1309,1314,1033,1025, ++ 1236,1293,1234,1303,1323,1324,1035,1099,1292,1100, ++ 1284,1066,1052,1222,1335,1225,1145,1228,1219,1212, ++ 1104,1257,1051,1098,1230,1285,1260,1299,1304,1184, ++ 1144,1214,1063,1047,1062,1077,1119,1196,1079,1041, ++ 1188,1042,1101,1075,1073,1085,1086,1082,1195,1204, ++ 1105,1087,1046,1215,1220,1133,1278,1277,1318,1279, ++ 1242,1239,1240,1238,1241,1065,1275,1274,1268,1273, ++ 1053,1124,1221,1031,1289,1193,1223,1224,1237,1227, ++ 1040,1218,1211,1209,1259,1280,1208,1055,1282,1037, ++ 1283,1153,1154,1151,1172,1043,1155,1267,1266,1262, ++ 1265,1264,1263,1156,1112,1109,1111,1110,1157,1158, ++ 1159,1152,1326,1168,1286,1169,1024,1028,1327,1281, ++ 1173,1174,1175,1140,1058,1317,1207,1090,1295,1170, ++ 1148,1319,1325,1332,1333,1294,1048,1189,1149,1320, ++ 1137,1026,1216,1092,1291,1146,1096,1200,1201,1322, ++ 1206,1125,1226,1054,1288,1272,1246,1056,1177,1178, ++ 1179,1180,1181,1182,1183,1321,1165,1166,1232,1160, ++ 1162,1167,1231,1161,1163,1164,1089,1108,1106,1107, ++ 1247,1198,1187,1331,1205,1199,1261,1298,1233,1276, ++ 1129,1143,1142,1061,1078,1083,1118,1330,1080,1102, ++ 1072,1076,1074,1071,1084,1081,1203,1088,1045,1217, ++ 1114,1116,1115,1113,1202,1176,1307,1313,1190,1197, ++ 1297,1210,1103,1258,1095,1094,1091,1290,1050,1300, ++ 1329,1139,1127,1117,1301,1235,1248,1252,1251,1250, ++ 1249,1308,1310,1312,1311,1059,1229,1097,1120,1067, ++ 1044,1130,1032,1287,1296,1093,1069,1306,1036,1123, ++ 1302,1269,1126,1270,1027,1147, ++}; ++static int ia64_syscall_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(ia64_syscall_strings, ia64_syscall_s2i_s, ia64_syscall_s2i_i, 306, copy, value); ++ } ++} ++static const unsigned ia64_syscall_i2s_direct[] = { ++ 1440,336,1683,2942,1451,204,218,1057,2850,329, ++ 95,410,2897,1197,101,107,1125,711,726,1237, ++ 2837,2459,836,656,1642,23,2620,552,455,1035, ++ 1791,1183,1835,238,1535,2806,77,2315,664,648, ++ 30,989,449,2831,113,2881,242,2409,2380,756, ++ 2399,746,2389,671,2322,703,2360,2428,786,2332, ++ 2418,766,776,823,2446,2144,1557,2602,1698,2874, ++ 2595,2587,1724,2818,558,417,433,734,2368,2571, ++ 534,816,2158,2165,2151,1337,1351,1344,1330,2494, ++ 2475,2488,2481,2662,2344,681,2827,-1u,-1u,2904, ++ 1040,1762,2929,2654,191,2283,2844,43,-1u,862, ++ 224,-1u,-1u,1674,64,2648,1523,52,2306,2297, ++ 628,499,1718,2948,1574,1657,0,1226,1383,1211, ++ 1217,1243,1323,1358,1364,1372,2024,2098,2039,2113, ++ 2132,1960,1983,2058,1408,1429,1568,-1u,1231,1481, ++ 1496,1512,2510,1841,1854,1868,1883,1899,1912,1926, ++ 621,81,88,2187,718,1649,2541,72,210,1069, ++ 8,793,691,2548,2182,2213,1731,1736,2501,2435, ++ 805,2205,1754,1546,1175,1147,2566,1141,528,197, ++ 637,843,1688,2466,1131,518,853,1047,465,1076, ++ 1086,488,1779,1112,505,2812,568,2080,2006,2250, ++ 362,2673,341,1097,970,946,957,979,936,252, ++ 279,301,1819,2171,2680,2737,2723,2706,2693,177, ++ 147,134,161,542,2578,1155,584,2220,1276,1313, ++ 1300,1284,1266,1252,1017,2921,2935,35,1807,1028, ++ 1006,995,2266,892,874,919,1161,1474,1189,1203, ++ 440,574,1418,2857,1798,1062,2610,1707,424,352, ++ 1634,1562,2866,2559,2234,598,2625,2669,2912,372, ++ 614,289,2887,2522,2751,312,2759,2790,2774,2531, ++ 320,265,247,1540,905,1582,1666,1942,1745,382, ++ 396,1589,1390,1456,120,2641,2354,2196,1599,1616, ++ 15,475, ++}; ++static const char *ia64_syscall_i2s(int v) { ++ return i2s_direct__(ia64_syscall_strings, ia64_syscall_i2s_direct, 1024, 1335, v); ++} +diff --git a/lib/machinetabs.h b/lib/machinetabs.h +new file mode 100644 +index 0000000..ec2d033 +--- /dev/null ++++ b/lib/machinetabs.h +@@ -0,0 +1,26 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char machine_strings[] = "i386\0i486\0i586\0i686\0ia64\0ppc\0ppc64\0s390\0s390x\0x86_64"; ++static const unsigned machine_s2i_s[] = { ++ 0,5,10,15,20,25,29,35,40,46, ++}; ++static const int machine_s2i_i[] = { ++ 0,0,0,0,2,4,3,6,5,1, ++}; ++static int machine_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(machine_strings, machine_s2i_s, machine_s2i_i, 10, copy, value); ++ } ++} ++static const unsigned machine_i2s_direct[] = { ++ 0,46,20,29,25,40,35, ++}; ++static const char *machine_i2s(int v) { ++ return i2s_direct__(machine_strings, machine_i2s_direct, 0, 6, v); ++} +diff --git a/lib/msg_typetabs.h b/lib/msg_typetabs.h +new file mode 100644 +index 0000000..770ec21 +--- /dev/null ++++ b/lib/msg_typetabs.h +@@ -0,0 +1,104 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char msg_type_strings[] = "ADD_GROUP\0ADD_USER\0ANOM_ABEND\0ANOM_ACCESS_FS\0ANOM_ADD_ACCT\0ANOM_AMTU_FAIL\0ANOM_CRYPTO_FAIL\0ANOM_DEL_ACCT\0ANOM_EXEC\0ANOM_LINK\0" ++ "ANOM_LOGIN_ACCT\0ANOM_LOGIN_FAILURES\0ANOM_LOGIN_LOCATION\0ANOM_LOGIN_SESSIONS\0ANOM_LOGIN_TIME\0ANOM_MAX_DAC\0ANOM_MAX_MAC\0ANOM_MK_EXEC\0ANOM_MOD_ACCT\0ANOM_PROMISCUOUS\0" ++ "ANOM_RBAC_FAIL\0ANOM_RBAC_INTEGRITY_FAIL\0ANOM_ROOT_TRANS\0AVC\0AVC_PATH\0BPRM_FCAPS\0CAPSET\0CHGRP_ID\0CHUSER_ID\0CONFIG_CHANGE\0" ++ "CRED_ACQ\0CRED_DISP\0CRED_REFR\0CRYPTO_FAILURE_USER\0CRYPTO_KEY_USER\0CRYPTO_LOGIN\0CRYPTO_LOGOUT\0CRYPTO_PARAM_CHANGE_USER\0CRYPTO_REPLAY_USER\0CRYPTO_SESSION\0" ++ "CRYPTO_TEST_USER\0CWD\0DAC_CHECK\0DAEMON_ABORT\0DAEMON_ACCEPT\0DAEMON_CLOSE\0DAEMON_CONFIG\0DAEMON_END\0DAEMON_RESUME\0DAEMON_ROTATE\0" ++ "DAEMON_START\0DEL_GROUP\0DEL_USER\0DEV_ALLOC\0DEV_DEALLOC\0EOE\0EXECVE\0FD_PAIR\0FS_RELABEL\0GRP_AUTH\0" ++ "INTEGRITY_DATA\0INTEGRITY_HASH\0INTEGRITY_METADATA\0INTEGRITY_PCR\0INTEGRITY_RULE\0INTEGRITY_STATUS\0IPC\0IPC_SET_PERM\0KERNEL\0KERNEL_OTHER\0" ++ "LABEL_LEVEL_CHANGE\0LABEL_OVERRIDE\0LIST_RULES\0LOGIN\0MAC_CIPSOV4_ADD\0MAC_CIPSOV4_DEL\0MAC_CONFIG_CHANGE\0MAC_IPSEC_ADDSA\0MAC_IPSEC_ADDSPD\0MAC_IPSEC_DELSA\0" ++ "MAC_IPSEC_DELSPD\0MAC_IPSEC_EVENT\0MAC_MAP_ADD\0MAC_MAP_DEL\0MAC_POLICY_LOAD\0MAC_STATUS\0MAC_UNLBL_ALLOW\0MAC_UNLBL_STCADD\0MAC_UNLBL_STCDEL\0MMAP\0" ++ "MQ_GETSETATTR\0MQ_NOTIFY\0MQ_OPEN\0MQ_SENDRECV\0NETFILTER_CFG\0NETFILTER_PKT\0OBJ_PID\0PATH\0RESP_ACCT_LOCK\0RESP_ACCT_LOCK_TIMED\0" ++ "RESP_ACCT_REMOTE\0RESP_ACCT_UNLOCK_TIMED\0RESP_ALERT\0RESP_ANOMALY\0RESP_EXEC\0RESP_HALT\0RESP_KILL_PROC\0RESP_SEBOOL\0RESP_SINGLE\0RESP_TERM_ACCESS\0" ++ "RESP_TERM_LOCK\0ROLE_ASSIGN\0ROLE_MODIFY\0ROLE_REMOVE\0SECCOMP\0SELINUX_ERR\0SERVICE_START\0SERVICE_STOP\0SOCKADDR\0SOCKETCALL\0" ++ "SYSCALL\0SYSTEM_BOOT\0SYSTEM_RUNLEVEL\0SYSTEM_SHUTDOWN\0TEST\0TRUSTED_APP\0TTY\0TTY_GET\0TTY_SET\0USER\0" ++ "USER_ACCT\0USER_AUTH\0USER_AVC\0USER_CHAUTHTOK\0USER_CMD\0USER_END\0USER_ERR\0USER_LABELED_EXPORT\0USER_LOGIN\0USER_LOGOUT\0" ++ "USER_MAC_POLICY_LOAD\0USER_MGMT\0USER_ROLE_CHANGE\0USER_SELINUX_ERR\0USER_START\0USER_TTY\0USER_UNLABELED_EXPORT\0USYS_CONFIG\0VIRT_CONTROL\0VIRT_MACHINE_ID\0" ++ "VIRT_RESOURCE"; ++static const unsigned msg_type_s2i_s[] = { ++ 0,10,19,30,45,59,74,91,105,115, ++ 125,141,161,181,201,217,230,243,256,270, ++ 287,302,327,343,347,356,367,374,383,393, ++ 407,416,426,436,456,472,485,499,524,543, ++ 558,575,579,589,602,616,629,643,654,668, ++ 682,695,705,714,724,736,740,747,755,766, ++ 775,790,805,824,838,853,870,874,887,894, ++ 907,926,941,952,958,974,990,1008,1024,1041, ++ 1057,1074,1090,1102,1114,1130,1141,1157,1174,1191, ++ 1196,1210,1220,1228,1240,1254,1268,1276,1281,1296, ++ 1317,1334,1357,1368,1381,1391,1401,1416,1428,1440, ++ 1457,1472,1484,1496,1508,1516,1528,1542,1555,1564, ++ 1575,1583,1595,1611,1627,1632,1644,1648,1656,1664, ++ 1669,1679,1689,1698,1713,1722,1731,1740,1760,1771, ++ 1783,1804,1814,1831,1848,1859,1868,1890,1902,1915, ++ 1931, ++}; ++static const int msg_type_s2i_i[] = { ++ 1116,1114,1701,2111,2114,2107,2110,2115,2112,1702, ++ 2103,2100,2104,2102,2101,2105,2106,2113,2116,1700, ++ 2108,2109,2117,1400,1402,1321,1322,1119,1125,1305, ++ 1103,1104,1110,2405,2404,2402,2403,2401,2406,2407, ++ 2400,1307,1118,1202,1207,1208,1203,1201,1206,1205, ++ 1200,1117,1115,2307,2308,1320,1309,1317,2309,1126, ++ 1800,1803,1801,1804,1805,1802,1303,1311,2000,1316, ++ 2304,2303,1013,1006,1407,1408,1405,1411,1413,1412, ++ 1414,1415,1409,1410,1403,1404,1406,1416,1417,1323, ++ 1315,1314,1312,1313,1325,1324,1318,1302,2207,2205, ++ 2204,2206,2201,2200,2210,2212,2202,2209,2211,2203, ++ 2208,2301,2311,2302,1326,1401,1130,1131,1306,1304, ++ 1300,1127,1129,1128,1120,1121,1319,1016,1017,1005, ++ 1101,1100,1107,1108,1123,1106,1109,2305,1112,1113, ++ 2310,1102,2300,1122,1105,1124,2306,1111,2500,2502, ++ 2501, ++}; ++static int msg_type_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' : c; ++ } ++ copy[i] = 0; ++ return s2i__(msg_type_strings, msg_type_s2i_s, msg_type_s2i_i, 151, copy, value); ++ } ++} ++static const int msg_type_i2s_i[] = { ++ 1005,1006,1013,1016,1017,1100,1101,1102,1103,1104, ++ 1105,1106,1107,1108,1109,1110,1111,1112,1113,1114, ++ 1115,1116,1117,1118,1119,1120,1121,1122,1123,1124, ++ 1125,1126,1127,1128,1129,1130,1131,1200,1201,1202, ++ 1203,1205,1206,1207,1208,1300,1302,1303,1304,1305, ++ 1306,1307,1309,1311,1312,1313,1314,1315,1316,1317, ++ 1318,1319,1320,1321,1322,1323,1324,1325,1326,1400, ++ 1401,1402,1403,1404,1405,1406,1407,1408,1409,1410, ++ 1411,1412,1413,1414,1415,1416,1417,1700,1701,1702, ++ 1800,1801,1802,1803,1804,1805,2000,2100,2101,2102, ++ 2103,2104,2105,2106,2107,2108,2109,2110,2111,2112, ++ 2113,2114,2115,2116,2117,2200,2201,2202,2203,2204, ++ 2205,2206,2207,2208,2209,2210,2211,2212,2300,2301, ++ 2302,2303,2304,2305,2306,2307,2308,2309,2310,2311, ++ 2400,2401,2402,2403,2404,2405,2406,2407,2500,2501, ++ 2502, ++}; ++static const unsigned msg_type_i2s_s[] = { ++ 1664,952,941,1648,1656,1679,1669,1804,407,416, ++ 1848,1722,1689,1698,1731,426,1890,1760,1771,10, ++ 705,0,695,579,374,1627,1632,1831,1713,1859, ++ 383,766,1583,1611,1595,1528,1542,682,643,589, ++ 629,668,654,602,616,1575,1276,870,1564,393, ++ 1555,575,740,874,1220,1228,1210,1196,894,747, ++ 1268,1644,736,356,367,1191,1254,1240,1508,343, ++ 1516,347,1114,1130,990,1141,958,974,1090,1102, ++ 1008,1041,1024,1057,1074,1157,1174,270,19,115, ++ 775,805,853,790,824,838,887,141,201,181, ++ 125,161,217,230,59,287,302,74,30,105, ++ 243,45,91,256,327,1368,1357,1401,1440,1317, ++ 1296,1334,1281,1457,1416,1381,1428,1391,1814,1472, ++ 1496,926,907,1740,1868,714,724,755,1783,1484, ++ 558,499,472,485,456,436,524,543,1902,1931, ++ 1915, ++}; ++static const char *msg_type_i2s(int v) { ++ return i2s_bsearch__(msg_type_strings, msg_type_i2s_i, msg_type_i2s_s, 151, v); ++} +diff --git a/lib/optabs.h b/lib/optabs.h +new file mode 100644 +index 0000000..d79b665 +--- /dev/null ++++ b/lib/optabs.h +@@ -0,0 +1,11 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char op_strings[] = "!=\0&\0&=\0<\0<=\0=\0>\0>="; ++static const int op_i2s_i[] = { ++ 134217728,268435456,536870912,805306368,1073741824,1207959552,1342177280,1610612736, ++}; ++static const unsigned op_i2s_s[] = { ++ 3,8,15,0,13,5,10,17, ++}; ++static const char *op_i2s(int v) { ++ return i2s_bsearch__(op_strings, op_i2s_i, op_i2s_s, 8, v); ++} +diff --git a/lib/ppc_tables.h b/lib/ppc_tables.h +new file mode 100644 +index 0000000..778fae3 +--- /dev/null ++++ b/lib/ppc_tables.h +@@ -0,0 +1,163 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char ppc_syscall_strings[] = "_llseek\0_newselect\0_sysctl\0accept\0accept4\0access\0acct\0add_key\0adjtimex\0afs_syscall\0" ++ "alarm\0bdflush\0bind\0break\0brk\0capget\0capset\0chdir\0chmod\0chown\0" ++ "chroot\0clock_adjtime\0clock_getres\0clock_gettime\0clock_nanosleep\0clock_settime\0clone\0close\0connect\0creat\0" ++ "create_module\0delete_module\0dup\0dup2\0dup3\0epoll_create\0epoll_create1\0epoll_ctl\0epoll_pwait\0epoll_wait\0" ++ "eventfd\0eventfd2\0execve\0exit\0exit_group\0faccessat\0fadvise64\0fadvise64_64\0fallocate\0fanotify_init\0" ++ "fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0fchownat\0fcntl\0fcntl64\0fdatasync\0fgetxattr\0" ++ "finit_module\0flistxattr\0flock\0fork\0fremovexattr\0fsetxattr\0fstat\0fstat64\0fstatat\0fstatfs\0" ++ "fstatfs64\0fsync\0ftime\0ftruncate\0ftruncate64\0futex\0futimesat\0get_kernel_syms\0get_robust_list\0getcpu\0" ++ "getcwd\0getdents\0getdents64\0getegid\0geteuid\0getgid\0getgroups\0getitimer\0getpeername\0getpgid\0" ++ "getpgrp\0getpid\0getpmsg\0getppid\0getpriority\0getresgid\0getresuid\0getrlimit\0getrusage\0getsid\0" ++ "getsockname\0getsockopt\0gettid\0gettimeofday\0getuid\0getxattr\0gtty\0idle\0init_module\0inotify_add_watch\0" ++ "inotify_init\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0ioctl\0ioperm\0" ++ "iopl\0ioprio_get\0ioprio_set\0ipc\0kcmp\0kexec_load\0keyctl\0kill\0lchown\0lgetxattr\0" ++ "link\0linkat\0listen\0listxattr\0llistxattr\0lock\0lookup_dcookie\0lremovexattr\0lseek\0lsetxattr\0" ++ "lstat\0lstat64\0madvise\0mincore\0mkdir\0mkdirat\0mknod\0mknodat\0mlock\0mlockall\0" ++ "mmap\0mmap2\0modify_ldt\0mount\0move_pages\0mprotect\0mpx\0mq_getsetattr\0mq_notify\0mq_open\0" ++ "mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msync\0multiplexer\0munlock\0munlockall\0munmap\0name_to_handle_at\0" ++ "nanosleep\0nfsservctl\0nice\0oldfstat\0oldlstat\0oldolduname\0oldstat\0olduname\0open\0open_by_handle_at\0" ++ "openat\0pause\0pciconfig_iobase\0pciconfig_read\0pciconfig_write\0perf_counter_open\0personality\0pipe\0pipe2\0pivot_root\0" ++ "poll\0ppoll\0prctl\0pread\0preadv\0prlimit64\0process_vm_readv\0process_vm_writev\0prof\0profil\0" ++ "pselect6\0ptrace\0putpmsg\0pwrite\0pwritev\0query_module\0quotactl\0read\0readahead\0readdir\0" ++ "readlink\0readlinkat\0readv\0reboot\0recv\0recvfrom\0recvmmsg\0recvmsg\0remap_file_pages\0removexattr\0" ++ "rename\0renameat\0request_key\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0" ++ "rt_sigtimedwait\0rt_tgsigqueueinfo\0rtas\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0" ++ "sched_setparam\0sched_setscheduler\0sched_yield\0select\0send\0sendfile\0sendfile64\0sendmmsg\0sendmsg\0sendto\0" ++ "set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsuid\0setgid\0setgroups\0sethostname\0setitimer\0setns\0" ++ "setpgid\0setpriority\0setregid\0setresgid\0setresuid\0setreuid\0setrlimit\0setsid\0setsockopt\0settimeofday\0" ++ "setuid\0setxattr\0sgetmask\0shutdown\0sigaction\0sigaltstack\0signal\0signalfd\0signalfd4\0sigpending\0" ++ "sigprocmask\0sigreturn\0sigsuspend\0socket\0socketcall\0socketpair\0splice\0spu_create\0spu_run\0ssetmask\0" ++ "stat\0stat64\0statfs\0statfs64\0stime\0stty\0subpage_prot\0swapcontext\0swapoff\0swapon\0" ++ "symlink\0symlinkat\0sync\0sync_file_range2\0syncfs\0sysfs\0sysinfo\0syslog\0tee\0tgkill\0" ++ "time\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd\0timerfd_gettime\0timerfd_settime\0times\0" ++ "tkill\0truncate\0truncate64\0tuxcall\0ugetrlimit\0ulimit\0umask\0umount\0umount2\0uname\0" ++ "unlink\0unlinkat\0unshare\0uselib\0ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0" ++ "vm86\0vmsplice\0wait4\0waitid\0waitpid\0write\0writev"; ++static const unsigned ppc_syscall_s2i_s[] = { ++ 0,8,19,27,34,42,49,54,62,71, ++ 83,89,97,102,108,112,119,126,132,138, ++ 144,151,165,178,192,208,222,228,234,242, ++ 248,262,276,280,285,290,303,317,327,339, ++ 350,358,367,374,379,390,400,410,423,433, ++ 447,461,468,475,484,491,500,506,514,524, ++ 534,547,558,564,569,582,592,598,606,614, ++ 622,632,638,644,654,666,672,682,698,714, ++ 721,728,737,748,756,764,771,781,791,803, ++ 811,819,826,834,842,854,864,874,884,894, ++ 901,913,924,931,944,951,960,965,970,982, ++ 1000,1013,1027,1044,1054,1065,1078,1087,1097,1103, ++ 1110,1115,1126,1137,1141,1146,1157,1164,1169,1176, ++ 1186,1191,1198,1205,1215,1226,1231,1246,1259,1265, ++ 1275,1281,1289,1297,1305,1311,1319,1325,1333,1339, ++ 1348,1353,1359,1370,1376,1387,1396,1400,1414,1424, ++ 1432,1448,1461,1471,1478,1484,1496,1504,1515,1522, ++ 1540,1550,1561,1566,1575,1584,1596,1604,1613,1618, ++ 1636,1643,1649,1666,1681,1697,1715,1727,1732,1738, ++ 1749,1754,1760,1766,1772,1779,1789,1806,1824,1829, ++ 1836,1845,1852,1860,1867,1875,1888,1897,1902,1912, ++ 1920,1929,1940,1946,1953,1958,1967,1976,1984,2001, ++ 2013,2020,2029,2041,2047,2060,2074,2089,2105,2118, ++ 2132,2148,2166,2171,2194,2217,2235,2250,2269,2291, ++ 2309,2324,2343,2355,2362,2367,2376,2387,2396,2404, ++ 2411,2427,2443,2457,2466,2475,2482,2492,2504,2514, ++ 2520,2528,2540,2549,2559,2569,2578,2588,2595,2606, ++ 2619,2626,2635,2644,2653,2663,2675,2682,2691,2701, ++ 2712,2724,2734,2745,2752,2763,2774,2781,2792,2800, ++ 2809,2814,2821,2828,2837,2843,2848,2861,2873,2881, ++ 2888,2896,2906,2911,2928,2935,2941,2949,2956,2960, ++ 2967,2972,2985,2998,3015,3029,3043,3051,3067,3083, ++ 3089,3095,3104,3115,3123,3134,3141,3147,3154,3162, ++ 3168,3175,3184,3192,3199,3205,3211,3221,3228,3234, ++ 3242,3247,3256,3262,3269,3277,3283, ++}; ++static const int ppc_syscall_s2i_i[] = { ++ 140,142,149,330,344,33,51,269,124,137, ++ 27,134,327,17,45,183,184,12,15,181, ++ 61,347,247,246,248,245,120,6,328,8, ++ 127,129,41,63,316,236,315,237,303,238, ++ 307,314,11,1,234,298,233,254,309,323, ++ 324,133,94,297,95,289,55,204,148,214, ++ 353,217,143,2,220,211,108,197,291,100, ++ 253,118,35,93,194,221,290,130,299,302, ++ 182,141,202,50,49,47,80,105,332,132, ++ 65,20,187,64,96,170,165,76,77,147, ++ 331,340,207,78,24,212,32,112,128,276, ++ 275,318,277,231,228,229,227,230,54,101, ++ 110,274,273,117,354,268,271,37,16,213, ++ 9,294,329,215,216,53,235,219,19,210, ++ 107,196,205,206,39,287,14,288,150,152, ++ 90,192,123,21,301,125,56,267,266,262, ++ 265,264,263,163,144,201,151,153,91,345, ++ 162,168,34,28,84,59,18,109,5,346, ++ 286,29,200,198,199,319,136,42,317,203, ++ 167,281,171,179,320,325,351,352,44,98, ++ 280,26,188,180,321,166,131,3,191,89, ++ 85,296,145,88,336,337,343,342,239,218, ++ 38,293,270,40,173,175,174,177,172,178, ++ 176,322,255,159,160,223,155,157,161,222, ++ 154,156,158,82,334,186,226,349,341,335, ++ 300,232,121,139,138,46,81,74,104,350, ++ 57,97,71,169,164,70,75,66,339,79, ++ 23,209,68,338,67,185,48,305,313,73, ++ 126,119,72,326,102,333,283,279,278,69, ++ 106,195,99,252,25,31,310,249,115,87, ++ 83,295,36,308,348,135,116,103,284,250, ++ 13,240,244,243,242,241,306,312,311,43, ++ 208,92,193,225,190,58,60,22,52,122, ++ 10,292,282,86,62,30,304,251,189,111, ++ 113,285,114,272,7,4,146, ++}; ++static int ppc_syscall_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(ppc_syscall_strings, ppc_syscall_s2i_s, ppc_syscall_s2i_i, 347, copy, value); ++ } ++} ++static const unsigned ppc_syscall_i2s_direct[] = { ++ 374,564,1897,3277,1613,228,3269,242,1186,3168, ++ 367,126,2967,1319,132,1169,102,1596,1259,819, ++ 1370,3147,2619,944,2837,1845,83,1566,1643,3205, ++ 2843,960,42,1561,638,2906,1164,2013,1305,2041, ++ 276,1727,3083,1824,108,2475,764,2675,756,748, ++ 49,3154,1226,1097,500,1396,2520,3134,1584,3141, ++ 144,3199,280,834,811,2588,2653,2635,2800,2569, ++ 2540,2734,2701,2492,2578,874,884,931,2606,771, ++ 2482,2355,2888,1575,1920,3192,2881,1946,1912,1348, ++ 1515,3095,644,468,484,842,2528,1829,2821,614, ++ 1103,2752,2949,2504,781,2809,1275,592,1604,1110, ++ 3234,965,3242,3256,2873,2941,1137,632,2724,222, ++ 2443,3162,1359,62,1387,2712,248,970,262,682, ++ 1888,803,461,89,2935,1715,71,2466,2457,0, ++ 728,8,558,1478,1940,3283,894,514,19,1333, ++ 1496,1339,1504,2309,2235,2324,2250,2343,2171,2194, ++ 2269,1540,1471,2559,864,1875,1749,1550,2549,854, ++ 1760,2105,2047,2074,2060,2132,2089,2118,1766,1860, ++ 138,721,112,119,2663,2367,826,1852,3228,3123, ++ 1902,1353,3104,654,2814,1281,598,1666,1681,1649, ++ 1484,737,1738,506,1289,1297,924,3089,2626,1265, ++ 582,951,1176,524,1205,1215,547,2001,1246,569, ++ 666,2291,2217,-1u,3115,2376,1078,1054,1065,1087, ++ 1044,2427,400,379,1231,290,317,339,1984,2972, ++ 3029,3015,2998,2985,208,178,165,192,2861,2960, ++ 3221,2828,622,410,2166,-1u,-1u,-1u,-1u,-1u, ++ -1u,1424,1461,1448,1432,1414,1400,1146,54,2029, ++ 1157,3262,1126,1115,1000,982,1027,2792,2781,1836, ++ 1754,3184,2774,2956,3247,1636,1311,1325,491,672, ++ 606,3175,2020,1191,2896,1929,475,390,698,2411, ++ 1376,714,327,3211,2682,3043,350,2911,423,2848, ++ 3067,3051,2691,358,303,285,1732,1013,1697,1772, ++ 1867,2148,433,447,1779,2745,97,234,1198,27, ++ 901,791,2763,2362,2404,1953,1958,2644,2595,913, ++ 2396,1976,1967,34,1522,1618,151,2928,2387,2514, ++ 1789,1806,534,1141, ++}; ++static const char *ppc_syscall_i2s(int v) { ++ return i2s_direct__(ppc_syscall_strings, ppc_syscall_i2s_direct, 1, 354, v); ++} +diff --git a/lib/s390_tables.h b/lib/s390_tables.h +new file mode 100644 +index 0000000..218482e +--- /dev/null ++++ b/lib/s390_tables.h +@@ -0,0 +1,153 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char s390_syscall_strings[] = "_llseek\0_newselect\0_sysctl\0access\0acct\0add_key\0adjtimex\0afs_syscall\0alarm\0bdflush\0" ++ "brk\0capget\0capset\0chdir\0chmod\0chown\0chown32\0chroot\0clock_adjtime\0clock_getres\0" ++ "clock_gettime\0clock_nanosleep\0clock_settime\0clone\0close\0creat\0create_module\0delete_module\0dup\0dup2\0" ++ "dup3\0epoll_create\0epoll_create1\0epoll_ctl\0epoll_pwait\0epoll_wait\0eventfd\0eventfd2\0execve\0exit\0" ++ "exit_group\0faccessat\0fadvise64\0fadvise64_64\0fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0" ++ "fchown\0fchown32\0fchownat\0fcntl\0fcntl64\0fdatasync\0fgetxattr\0finit_module\0flistxattr\0flock\0" ++ "fork\0fremovexattr\0fsetxattr\0fstat\0fstat64\0fstatat\0fstatfs\0fstatfs64\0fsync\0ftruncate\0" ++ "ftruncate64\0futex\0futimesat\0get_kernel_syms\0get_robust_list\0getcpu\0getcwd\0getdents\0getdents64\0getegid\0" ++ "getegid32\0geteuid\0geteuid32\0getgid\0getgid32\0getgroups\0getgroups32\0getitimer\0getpgid\0getpgrp\0" ++ "getpid\0getpmsg\0getppid\0getpriority\0getresgid\0getresgid32\0getresuid\0getresuid32\0getrlimit\0getrusage\0" ++ "getsid\0gettid\0gettimeofday\0getuid\0getuid32\0getxattr\0idle\0init_module\0inotify_add_watch\0inotify_init\0" ++ "inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0ioctl\0ioperm\0ioprio_get\0" ++ "ioprio_set\0ipc\0kcmp\0kexec_load\0keyctl\0kill\0lchown\0lchown32\0lgetxattr\0link\0" ++ "linkat\0listxattr\0llistxattr\0lremovexattr\0lseek\0lsetxattr\0lstat\0lstat64\0madvise\0mincore\0" ++ "mkdir\0mkdirat\0mknod\0mknodat\0mlock\0mlockall\0mmap\0mmap2\0mount\0mprotect\0" ++ "mq_getsetattr\0mq_notify\0mq_open\0mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msync\0munlock\0munlockall\0" ++ "munmap\0name_to_handle_at\0nanosleep\0nfsservctl\0nice\0open\0open_by_handle_at\0openat\0pause\0perf_event_open\0" ++ "personality\0pipe\0pipe2\0pivot_root\0poll\0ppoll\0prctl\0pread\0preadv\0prlimit64\0" ++ "process_vm_readv\0process_vm_writev\0pselect6\0ptrace\0putpmsg\0pwrite\0pwritev\0query_module\0quotactl\0read\0" ++ "readahead\0readdir\0readlink\0readlinkat\0readv\0reboot\0remap_file_pages\0removexattr\0rename\0renameat\0" ++ "request_key\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0rt_tgsigqueueinfo\0" ++ "s390_runtime_instr\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0" ++ "sched_yield\0sendfile\0sendfile64\0set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsgid32\0setfsuid\0setfsuid32\0" ++ "setgid\0setgid32\0setgroups\0setgroups32\0sethostname\0setitimer\0setns\0setpgid\0setpriority\0setregid\0" ++ "setregid32\0setresgid\0setresgid32\0setresuid\0setresuid32\0setreuid\0setreuid32\0setrlimit\0setsid\0settimeofday\0" ++ "setuid\0setuid32\0setxattr\0sigaction\0sigaltstack\0signal\0signalfd\0signalfd4\0sigpending\0sigprocmask\0" ++ "sigreturn\0sigsuspend\0socketcall\0splice\0stat\0stat64\0statfs\0statfs64\0stime\0swapoff\0" ++ "swapon\0symlink\0symlinkat\0sync\0sync_file_range\0syncfs\0sysfs\0sysinfo\0syslog\0tee\0" ++ "tgkill\0time\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd\0timerfd_create\0timerfd_gettime\0" ++ "timerfd_settime\0times\0tkill\0truncate\0truncate64\0ugetrlimit\0umask\0umount\0umount2\0uname\0" ++ "unlink\0unlinkat\0unshare\0uselib\0ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0" ++ "vmsplice\0wait4\0waitid\0write\0writev"; ++static const unsigned s390_syscall_s2i_s[] = { ++ 0,8,19,27,34,39,47,56,68,74, ++ 82,86,93,100,106,112,118,126,133,147, ++ 160,174,190,204,210,216,222,236,250,254, ++ 259,264,277,291,301,313,324,332,341,348, ++ 353,364,374,384,397,407,421,435,442,449, ++ 458,465,474,483,489,497,507,517,530,541, ++ 547,552,565,575,581,589,597,605,615,621, ++ 631,643,649,659,675,691,698,705,714,725, ++ 733,743,751,761,768,777,787,799,809,817, ++ 825,832,840,848,860,870,882,892,904,914, ++ 924,931,938,951,958,967,976,981,993,1011, ++ 1024,1038,1055,1065,1076,1089,1098,1108,1114,1121, ++ 1132,1143,1147,1152,1163,1170,1175,1182,1191,1201, ++ 1206,1213,1223,1234,1247,1253,1263,1269,1277,1285, ++ 1293,1299,1307,1313,1321,1327,1336,1341,1347,1353, ++ 1362,1376,1386,1394,1410,1423,1433,1440,1446,1454, ++ 1465,1472,1490,1500,1511,1516,1521,1539,1546,1552, ++ 1568,1580,1585,1591,1602,1607,1613,1619,1625,1632, ++ 1642,1659,1677,1686,1693,1701,1708,1716,1729,1738, ++ 1743,1753,1761,1770,1781,1787,1794,1811,1823,1830, ++ 1839,1851,1857,1870,1884,1899,1915,1928,1942,1958, ++ 1976,1995,2018,2041,2059,2074,2093,2115,2133,2148, ++ 2167,2179,2188,2199,2215,2231,2245,2254,2265,2274, ++ 2285,2292,2301,2311,2323,2335,2345,2351,2359,2371, ++ 2380,2391,2401,2413,2423,2435,2444,2455,2465,2472, ++ 2485,2492,2501,2510,2520,2532,2539,2548,2558,2569, ++ 2581,2591,2602,2613,2620,2625,2632,2639,2648,2654, ++ 2662,2669,2677,2687,2692,2708,2715,2721,2729,2736, ++ 2740,2747,2752,2765,2778,2795,2809,2823,2831,2846, ++ 2862,2878,2884,2890,2899,2910,2921,2927,2934,2942, ++ 2948,2955,2964,2972,2979,2985,2991,3001,3008,3014, ++ 3022,3031,3037,3044,3050, ++}; ++static const int s390_syscall_s2i_i[] = { ++ 140,142,149,33,51,278,124,137,27,134, ++ 45,184,185,12,15,182,212,61,337,261, ++ 260,262,259,120,6,8,127,129,41,63, ++ 326,249,327,250,312,251,318,323,11,1, ++ 248,300,253,264,314,332,333,133,94,299, ++ 95,207,291,55,221,148,229,344,232,143, ++ 2,235,226,108,197,293,100,266,118,93, ++ 194,238,292,130,305,311,183,141,220,50, ++ 202,49,201,47,200,80,205,105,132,65, ++ 20,188,64,96,171,211,165,209,76,77, ++ 147,236,78,24,199,227,112,128,285,284, ++ 324,286,247,244,245,243,246,54,101,283, ++ 282,117,343,277,280,37,16,198,228,9, ++ 296,230,231,234,19,225,107,196,219,218, ++ 39,289,14,290,150,152,90,192,21,125, ++ 276,275,271,274,273,272,163,144,151,153, ++ 91,335,162,169,34,5,336,288,29,331, ++ 136,42,325,217,168,302,172,180,328,334, ++ 340,341,301,26,189,181,329,167,131,3, ++ 222,89,85,298,145,88,267,233,38,295, ++ 279,40,174,176,175,178,173,179,177,330, ++ 342,159,160,240,155,157,161,239,154,156, ++ 158,187,223,304,252,121,139,216,138,215, ++ 46,214,81,206,74,104,339,57,97,71, ++ 204,170,210,164,208,70,203,75,66,79, ++ 23,213,224,67,186,48,316,322,73,126, ++ 119,72,102,306,106,195,99,265,25,115, ++ 87,83,297,36,307,338,135,116,103,308, ++ 241,13,254,258,257,256,255,317,319,321, ++ 320,43,237,92,193,191,60,22,52,122, ++ 10,294,303,86,62,30,315,313,190,111, ++ 309,114,281,4,146, ++}; ++static int s390_syscall_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(s390_syscall_strings, s390_syscall_s2i_s, s390_syscall_s2i_i, 315, copy, value); ++ } ++} ++static const unsigned s390_syscall_i2s_direct[] = { ++ 348,547,1738,3044,1516,210,-1u,216,1201,2948, ++ 341,100,2747,1307,106,1175,-1u,-1u,1247,825, ++ 1347,2927,2485,951,2648,1686,68,-1u,1546,2985, ++ -1u,-1u,27,1511,-1u,2687,1170,1823,1293,1851, ++ 250,1580,2878,-1u,82,2285,761,2532,743,725, ++ 34,2934,-1u,1108,483,-1u,2351,-1u,-1u,2921, ++ 126,2979,254,840,817,2465,2510,-1u,-1u,2435, ++ 2371,2591,2558,2323,2455,904,914,938,2472,777, ++ 2301,-1u,2669,-1u,1761,2972,2662,1787,1753,1336, ++ 1465,2890,621,442,458,848,2359,-1u,2632,597, ++ 1114,2602,2729,2335,799,2620,1263,575,-1u,-1u, ++ 3014,976,-1u,3031,2654,2721,1143,615,2581,204, ++ 2231,2942,-1u,47,1353,2569,222,981,236,659, ++ 1729,809,435,74,2715,1568,56,2265,2245,0, ++ 705,8,541,1440,1781,3050,924,497,19,1321, ++ 1446,1327,1454,2133,2059,2148,2074,2167,1995,2018, ++ 2093,1490,1433,2413,882,-1u,1716,1602,1500,2391, ++ 860,1613,1915,1857,1884,1870,1942,1899,1928,1619, ++ 1701,112,698,86,93,2520,2179,832,1693,3008, ++ 2910,1341,2899,631,2625,1269,581,1182,958,768, ++ 751,733,2444,2380,787,2311,465,2423,892,2401, ++ 870,118,2492,2292,2274,2254,1591,1285,1277,714, ++ 489,1743,2188,2501,1253,565,967,1191,507,1213, ++ 1223,530,1811,1234,552,931,2884,643,2115,2041, ++ 2740,-1u,1089,1065,1076,1098,1055,353,264,291, ++ 313,2215,374,2752,2809,2795,2778,2765,190,160, ++ 147,174,-1u,384,2639,605,1794,-1u,-1u,-1u, ++ 1386,1423,1410,1394,1376,1362,1152,39,1839,1163, ++ 3037,1132,1121,1011,993,1038,-1u,1539,1299,1313, ++ 474,649,589,2955,1830,1206,2677,1770,449,364, ++ 1677,1607,2964,2199,675,2613,2692,2736,3022,-1u, ++ 691,301,3001,397,2991,2539,2823,324,2831,2862, ++ 2846,2548,332,1024,1585,259,277,1625,1708,1958, ++ 1552,407,421,1632,1472,1521,133,2708,2345,1642, ++ 1659,1976,1147,517, ++}; ++static const char *s390_syscall_i2s(int v) { ++ return i2s_direct__(s390_syscall_strings, s390_syscall_i2s_direct, 1, 344, v); ++} +diff --git a/lib/s390x_tables.h b/lib/s390x_tables.h +new file mode 100644 +index 0000000..36099fc +--- /dev/null ++++ b/lib/s390x_tables.h +@@ -0,0 +1,144 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char s390x_syscall_strings[] = "_sysctl\0access\0acct\0add_key\0adjtimex\0afs_syscall\0alarm\0bdflush\0brk\0capget\0" ++ "capset\0chdir\0chmod\0chown\0chroot\0clock_adjtime\0clock_getres\0clock_gettime\0clock_nanosleep\0clock_settime\0" ++ "clone\0close\0creat\0create_module\0delete_module\0dup\0dup2\0dup3\0epoll_create\0epoll_create1\0" ++ "epoll_ctl\0epoll_pwait\0epoll_wait\0eventfd\0eventfd2\0execve\0exit\0exit_group\0faccessat\0fadvise64\0" ++ "fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0fchownat\0fcntl\0fdatasync\0" ++ "fgetxattr\0finit_module\0flistxattr\0flock\0fork\0fremovexattr\0fsetxattr\0fstat\0fstatfs\0fstatfs64\0" ++ "fsync\0ftruncate\0futex\0futimesat\0get_kernel_syms\0get_robust_list\0getcpu\0getcwd\0getdents\0getegid\0" ++ "geteuid\0getgid\0getgroups\0getitimer\0getpgid\0getpgrp\0getpid\0getpmsg\0getppid\0getpriority\0" ++ "getresgid\0getresuid\0getrlimit\0getrusage\0getsid\0gettid\0gettimeofday\0getuid\0getxattr\0idle\0" ++ "init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0" ++ "ioctl\0ioprio_get\0ioprio_set\0ipc\0kcmp\0kexec_load\0keyctl\0kill\0lchown\0lgetxattr\0" ++ "link\0linkat\0listxattr\0llistxattr\0lremovexattr\0lseek\0lsetxattr\0lstat\0madvise\0mincore\0" ++ "mkdir\0mkdirat\0mknod\0mknodat\0mlock\0mlockall\0mmap\0mount\0mprotect\0mq_getsetattr\0" ++ "mq_notify\0mq_open\0mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msync\0munlock\0munlockall\0munmap\0" ++ "name_to_handle_at\0nanosleep\0newfstatat\0nfsservctl\0nice\0open\0open_by_handle_at\0openat\0pause\0perf_event_open\0" ++ "personality\0pipe\0pipe2\0pivot_root\0poll\0ppoll\0prctl\0pread\0preadv\0prlimit64\0" ++ "process_vm_readv\0process_vm_writev\0pselect6\0ptrace\0putpmsg\0pwrite\0pwritev\0query_module\0quotactl\0read\0" ++ "readahead\0readdir\0readlink\0readlinkat\0readv\0reboot\0remap_file_pages\0removexattr\0rename\0renameat\0" ++ "request_key\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0rt_tgsigqueueinfo\0" ++ "s390_runtime_instr\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0" ++ "sched_yield\0select\0sendfile\0set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsuid\0setgid\0setgroups\0" ++ "sethostname\0setitimer\0setns\0setpgid\0setpriority\0setregid\0setresgid\0setresuid\0setreuid\0setrlimit\0" ++ "setsid\0settimeofday\0setuid\0setxattr\0sigaction\0sigaltstack\0signal\0signalfd\0signalfd4\0sigpending\0" ++ "sigprocmask\0sigreturn\0sigsuspend\0socketcall\0splice\0stat\0statfs\0statfs64\0swapoff\0swapon\0" ++ "symlink\0symlinkat\0sync\0sync_file_range\0syncfs\0sysfs\0sysinfo\0syslog\0tee\0tgkill\0" ++ "timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd\0timerfd_create\0timerfd_gettime\0timerfd_settime\0times\0" ++ "tkill\0truncate\0umask\0umount\0umount2\0uname\0unlink\0unlinkat\0unshare\0uselib\0" ++ "ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0vmsplice\0wait4\0waitid\0write\0" ++ "writev"; ++static const unsigned s390x_syscall_s2i_s[] = { ++ 0,8,15,20,28,37,49,55,63,67, ++ 74,81,87,93,99,106,120,133,147,163, ++ 177,183,189,195,209,223,227,232,237,250, ++ 264,274,286,297,305,314,321,326,337,347, ++ 357,367,381,395,402,409,418,425,434,440, ++ 450,460,473,484,490,495,508,518,524,532, ++ 542,548,558,564,574,590,606,613,620,629, ++ 637,645,652,662,672,680,688,695,703,711, ++ 723,733,743,753,763,770,777,790,797,806, ++ 811,823,841,854,868,885,895,906,919,928, ++ 938,944,955,966,970,975,986,993,998,1005, ++ 1015,1020,1027,1037,1048,1061,1067,1077,1083,1091, ++ 1099,1105,1113,1119,1127,1133,1142,1147,1153,1162, ++ 1176,1186,1194,1210,1223,1233,1240,1246,1254,1265, ++ 1272,1290,1300,1311,1322,1327,1332,1350,1357,1363, ++ 1379,1391,1396,1402,1413,1418,1424,1430,1436,1443, ++ 1453,1470,1488,1497,1504,1512,1519,1527,1540,1549, ++ 1554,1564,1572,1581,1592,1598,1605,1622,1634,1641, ++ 1650,1662,1668,1681,1695,1710,1726,1739,1753,1769, ++ 1787,1806,1829,1852,1870,1885,1904,1926,1944,1959, ++ 1978,1990,1997,2006,2022,2038,2052,2061,2070,2077, ++ 2087,2099,2109,2115,2123,2135,2144,2154,2164,2173, ++ 2183,2190,2203,2210,2219,2229,2241,2248,2257,2267, ++ 2278,2290,2300,2311,2322,2329,2334,2341,2350,2358, ++ 2365,2373,2383,2388,2404,2411,2417,2425,2432,2436, ++ 2443,2456,2469,2486,2500,2514,2522,2537,2553,2569, ++ 2575,2581,2590,2596,2603,2611,2617,2624,2633,2641, ++ 2648,2654,2660,2670,2677,2683,2691,2700,2706,2713, ++ 2719, ++}; ++static const int s390x_syscall_s2i_i[] = { ++ 149,33,51,278,124,137,27,134,45,184, ++ 185,12,15,212,61,337,261,260,262,259, ++ 120,6,8,127,129,41,63,326,249,327, ++ 250,312,251,318,323,11,1,248,300,253, ++ 314,332,333,133,94,299,207,291,55,148, ++ 229,344,232,143,2,235,226,108,100,266, ++ 118,93,238,292,130,305,311,183,141,202, ++ 201,200,205,105,132,65,20,188,64,96, ++ 211,209,191,77,147,236,78,199,227,112, ++ 128,285,284,324,286,247,244,245,243,246, ++ 54,283,282,117,343,277,280,37,198,228, ++ 9,296,230,231,234,19,225,107,219,218, ++ 39,289,14,290,150,152,90,21,125,276, ++ 275,271,274,273,272,163,144,151,153,91, ++ 335,162,293,169,34,5,336,288,29,331, ++ 136,42,325,217,168,302,172,180,328,334, ++ 340,341,301,26,189,181,329,167,131,3, ++ 222,89,85,298,145,88,267,233,38,295, ++ 279,40,174,176,175,178,173,179,177,330, ++ 342,159,160,240,155,157,161,239,154,156, ++ 158,142,187,304,252,121,216,215,214,206, ++ 74,104,339,57,97,204,210,208,203,75, ++ 66,79,213,224,67,186,48,316,322,73, ++ 126,119,72,102,306,106,99,265,115,87, ++ 83,297,36,307,338,135,116,103,308,241, ++ 254,258,257,256,255,317,319,321,320,43, ++ 237,92,60,22,52,122,10,294,303,86, ++ 62,30,315,313,190,111,309,114,281,4, ++ 146, ++}; ++static int s390x_syscall_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(s390x_syscall_strings, s390x_syscall_s2i_s, s390x_syscall_s2i_i, 281, copy, value); ++ } ++} ++static const unsigned s390x_syscall_i2s_direct[] = { ++ 321,490,1549,2713,1327,183,-1u,189,1015,2617, ++ 314,81,-1u,1113,87,-1u,-1u,-1u,1061,688, ++ 1147,2596,-1u,-1u,-1u,1497,49,-1u,1357,2654, ++ -1u,-1u,8,1322,-1u,2383,993,1634,1099,1662, ++ 223,1391,2569,-1u,63,-1u,-1u,2241,-1u,-1u, ++ 15,2603,-1u,938,434,-1u,2115,-1u,-1u,2590, ++ 99,2648,227,703,680,2183,2219,-1u,-1u,-1u, ++ -1u,2300,2267,2087,2173,-1u,753,777,2190,-1u, ++ -1u,-1u,2365,-1u,1572,2641,2358,1598,1564,1142, ++ 1265,2581,548,402,-1u,711,2123,-1u,2334,524, ++ -1u,2311,2425,2099,662,2329,1077,518,-1u,-1u, ++ 2683,806,-1u,2700,2350,2417,966,542,2290,177, ++ 2038,2611,-1u,28,1153,2278,195,811,209,574, ++ 1540,672,395,55,2411,1379,37,-1u,-1u,-1u, ++ 620,1990,484,1240,1592,2719,763,440,0,1127, ++ 1246,1133,1254,1944,1870,1959,1885,1978,1806,1829, ++ 1904,1290,1233,-1u,-1u,-1u,1527,1413,1311,-1u, ++ -1u,1424,1726,1668,1695,1681,1753,1710,1739,1430, ++ 1512,-1u,613,67,74,2229,1997,695,1504,2677, ++ 743,-1u,-1u,-1u,-1u,-1u,-1u,998,790,645, ++ 637,629,2164,2135,652,2077,418,2154,733,2144, ++ 723,93,2203,2070,2061,2052,1402,1091,1083,-1u, ++ -1u,1554,-1u,2210,1067,508,797,1005,450,1027, ++ 1037,473,1622,1048,495,770,2575,558,1926,1852, ++ 2436,-1u,919,895,906,928,885,326,237,264, ++ 286,2022,347,2443,2500,2486,2469,2456,163,133, ++ 120,147,-1u,-1u,2341,532,1605,-1u,-1u,-1u, ++ 1186,1223,1210,1194,1176,1162,975,20,1650,986, ++ 2706,955,944,841,823,868,-1u,1350,1105,1119, ++ 425,564,1300,2624,1641,1020,2373,1581,409,337, ++ 1488,1418,2633,2006,590,2322,2388,2432,2691,-1u, ++ 606,274,2670,357,2660,2248,2514,297,2522,2553, ++ 2537,2257,305,854,1396,232,250,1436,1519,1769, ++ 1363,367,381,1443,1272,1332,106,2404,2109,1453, ++ 1470,1787,970,460, ++}; ++static const char *s390x_syscall_i2s(int v) { ++ return i2s_direct__(s390x_syscall_strings, s390x_syscall_i2s_direct, 1, 344, v); ++} +diff --git a/lib/x86_64_tables.h b/lib/x86_64_tables.h +new file mode 100644 +index 0000000..d2a5673 +--- /dev/null ++++ b/lib/x86_64_tables.h +@@ -0,0 +1,150 @@ ++/* This is a generated file, see Makefile.am for its inputs. */ ++static const char x86_64_syscall_strings[] = "_sysctl\0accept\0accept4\0access\0acct\0add_key\0adjtimex\0afs_syscall\0alarm\0arch_prctl\0" ++ "bind\0brk\0capget\0capset\0chdir\0chmod\0chown\0chroot\0clock_adjtime\0clock_getres\0" ++ "clock_gettime\0clock_nanosleep\0clock_settime\0clone\0close\0connect\0creat\0create_module\0delete_module\0dup\0" ++ "dup2\0dup3\0epoll_create\0epoll_create1\0epoll_ctl\0epoll_ctl_old\0epoll_pwait\0epoll_wait\0epoll_wait_old\0eventfd\0" ++ "eventfd2\0execve\0exit\0exit_group\0faccessat\0fadvise64\0fallocate\0fanotify_init\0fanotify_mark\0fchdir\0" ++ "fchmod\0fchmodat\0fchown\0fchownat\0fcntl\0fdatasync\0fgetxattr\0finit_module\0flistxattr\0flock\0" ++ "fork\0fremovexattr\0fsetxattr\0fstat\0fstatfs\0fsync\0ftruncate\0futex\0futimesat\0get_kernel_syms\0" ++ "get_mempolicy\0get_robust_list\0get_thread_area\0getcpu\0getcwd\0getdents\0getdents64\0getegid\0geteuid\0getgid\0" ++ "getgroups\0getitimer\0getpeername\0getpgid\0getpgrp\0getpid\0getpmsg\0getppid\0getpriority\0getresgid\0" ++ "getresuid\0getrlimit\0getrusage\0getsid\0getsockname\0getsockopt\0gettid\0gettimeofday\0getuid\0getxattr\0" ++ "init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0" ++ "ioctl\0ioperm\0iopl\0ioprio_get\0ioprio_set\0kcmp\0kexec_load\0keyctl\0kill\0lchown\0" ++ "lgetxattr\0link\0linkat\0listen\0listxattr\0llistxattr\0lookup_dcookie\0lremovexattr\0lseek\0lsetxattr\0" ++ "lstat\0madvise\0mbind\0migrate_pages\0mincore\0mkdir\0mkdirat\0mknod\0mknodat\0mlock\0" ++ "mlockall\0mmap\0modify_ldt\0mount\0move_pages\0mprotect\0mq_getsetattr\0mq_notify\0mq_open\0mq_timedreceive\0" ++ "mq_timedsend\0mq_unlink\0mremap\0msgctl\0msgget\0msgrcv\0msgsnd\0msync\0munlock\0munlockall\0" ++ "munmap\0name_to_handle_at\0nanosleep\0newfstatat\0nfsservctl\0open\0open_by_handle_at\0openat\0pause\0perf_event_open\0" ++ "personality\0pipe\0pipe2\0pivot_root\0poll\0ppoll\0prctl\0pread\0preadv\0prlimit64\0" ++ "process_vm_readv\0process_vm_writev\0pselect6\0ptrace\0putpmsg\0pwrite\0pwritev\0query_module\0quotactl\0read\0" ++ "readahead\0readlink\0readlinkat\0readv\0reboot\0recvfrom\0recvmmsg\0recvmsg\0remap_file_pages\0removexattr\0" ++ "rename\0renameat\0request_key\0restart_syscall\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0" ++ "rt_sigsuspend\0rt_sigtimedwait\0rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0" ++ "sched_setparam\0sched_setscheduler\0sched_yield\0security\0select\0semctl\0semget\0semop\0semtimedop\0sendfile\0" ++ "sendmmsg\0sendmsg\0sendto\0set_mempolicy\0set_robust_list\0set_thread_area\0set_tid_address\0setdomainname\0setfsgid\0setfsuid\0" ++ "setgid\0setgroups\0sethostname\0setitimer\0setns\0setpgid\0setpriority\0setregid\0setresgid\0setresuid\0" ++ "setreuid\0setrlimit\0setsid\0setsockopt\0settimeofday\0setuid\0setxattr\0shmat\0shmctl\0shmdt\0" ++ "shmget\0shutdown\0sigaltstack\0signalfd\0signalfd4\0socket\0socketpair\0splice\0stat\0statfs\0" ++ "swapoff\0swapon\0symlink\0symlinkat\0sync\0sync_file_range\0syncfs\0sysfs\0sysinfo\0syslog\0" ++ "tee\0tgkill\0time\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd\0timerfd_gettime\0" ++ "timerfd_settime\0times\0tkill\0truncate\0tuxcall\0umask\0umount2\0uname\0unlink\0unlinkat\0" ++ "unshare\0uselib\0ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0vmsplice\0vserver\0" ++ "wait4\0waitid\0write\0writev"; ++static const unsigned x86_64_syscall_s2i_s[] = { ++ 0,8,15,23,30,35,43,52,64,70, ++ 81,86,90,97,104,110,116,122,129,143, ++ 156,170,186,200,206,212,220,226,240,254, ++ 258,263,268,281,295,305,319,331,342,357, ++ 365,374,381,386,397,407,417,427,441,455, ++ 462,469,478,485,494,500,510,520,533,544, ++ 550,555,568,578,584,592,598,608,614,624, ++ 640,654,670,686,693,700,709,720,728,736, ++ 743,753,763,775,783,791,798,806,814,826, ++ 836,846,856,866,873,885,896,903,916,923, ++ 932,944,962,975,989,1006,1016,1027,1040,1049, ++ 1059,1065,1072,1077,1088,1099,1104,1115,1122,1127, ++ 1134,1144,1149,1156,1163,1173,1184,1199,1212,1218, ++ 1228,1234,1242,1248,1262,1270,1276,1284,1290,1298, ++ 1304,1313,1318,1329,1335,1346,1355,1369,1379,1387, ++ 1403,1416,1426,1433,1440,1447,1454,1461,1467,1475, ++ 1486,1493,1511,1521,1532,1543,1548,1566,1573,1579, ++ 1595,1607,1612,1618,1629,1634,1640,1646,1652,1659, ++ 1669,1686,1704,1713,1720,1728,1735,1743,1756,1765, ++ 1770,1780,1789,1800,1806,1813,1822,1831,1839,1856, ++ 1868,1875,1884,1896,1912,1918,1931,1945,1960,1976, ++ 1989,2003,2019,2037,2060,2083,2101,2116,2135,2157, ++ 2175,2190,2209,2221,2230,2237,2244,2251,2257,2268, ++ 2277,2286,2294,2301,2315,2331,2347,2363,2377,2386, ++ 2395,2402,2412,2424,2434,2440,2448,2460,2469,2479, ++ 2489,2498,2508,2515,2526,2539,2546,2555,2561,2568, ++ 2574,2581,2590,2602,2611,2621,2628,2639,2646,2651, ++ 2658,2666,2673,2681,2691,2696,2712,2719,2725,2733, ++ 2740,2744,2751,2756,2769,2782,2799,2813,2827,2835, ++ 2851,2867,2873,2879,2888,2896,2902,2910,2916,2923, ++ 2932,2940,2947,2953,2959,2969,2976,2982,2990,2999, ++ 3007,3013,3020,3026, ++}; ++static const int x86_64_syscall_s2i_i[] = { ++ 156,43,288,21,163,248,159,183,37,158, ++ 49,12,125,126,80,90,92,161,305,229, ++ 228,230,227,56,3,42,85,174,176,32, ++ 33,292,213,291,233,214,281,232,215,284, ++ 290,59,60,231,269,221,285,300,301,81, ++ 91,268,93,260,72,75,193,313,196,73, ++ 57,199,190,5,138,74,77,202,261,177, ++ 239,274,211,309,79,78,217,108,107,104, ++ 115,36,52,121,111,39,181,110,140,120, ++ 118,97,98,124,51,55,186,96,102,191, ++ 175,254,253,294,255,210,207,208,206,209, ++ 16,173,172,252,251,312,246,250,62,94, ++ 192,86,265,50,194,195,212,198,8,189, ++ 6,28,237,256,27,83,258,133,259,149, ++ 151,9,154,165,279,10,245,244,240,243, ++ 242,241,25,71,68,70,69,26,150,152, ++ 11,303,35,262,180,2,304,257,34,298, ++ 135,22,293,155,7,271,157,17,295,302, ++ 310,311,270,101,182,18,296,178,179,0, ++ 187,89,267,19,169,45,299,47,216,197, ++ 82,264,249,219,84,13,127,14,129,15, ++ 130,128,297,146,147,204,143,145,148,203, ++ 142,144,24,185,23,66,64,65,220,40, ++ 307,46,44,238,273,205,218,171,123,122, ++ 106,116,170,38,308,109,141,114,119,117, ++ 113,160,112,54,164,105,188,30,31,67, ++ 29,48,131,282,289,41,53,275,4,137, ++ 168,167,88,266,162,277,306,139,99,103, ++ 276,234,201,222,226,225,224,223,283,287, ++ 286,100,200,76,184,95,166,63,87,263, ++ 272,134,136,132,280,235,58,153,278,236, ++ 61,247,1,20, ++}; ++static int x86_64_syscall_s2i(const char *s, int *value) { ++ size_t len, i; ++ len = strlen(s); ++ { char copy[len + 1]; ++ for (i = 0; i < len; i++) { ++ char c = s[i]; ++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c; ++ } ++ copy[i] = 0; ++ return s2i__(x86_64_syscall_strings, x86_64_syscall_s2i_s, x86_64_syscall_s2i_i, 314, copy, value); ++ } ++} ++static const unsigned x86_64_syscall_i2s_direct[] = { ++ 1765,3020,1543,206,2646,578,1228,1629,1212,1313, ++ 1346,1486,86,1918,1945,1976,1059,1646,1728,1800, ++ 3026,23,1607,2230,2209,1426,1461,1262,1234,2574, ++ 2555,2561,254,258,1573,1511,753,64,2424,791, ++ 2268,2621,212,8,2294,1813,2286,1831,2581,81, ++ 1156,873,763,2628,2515,885,200,550,2976,374, ++ 381,3007,1122,2910,2244,2251,2237,2568,1440,1454, ++ 1447,1433,494,544,592,500,2879,598,700,693, ++ 104,455,1868,1270,1912,220,1144,2916,2673,1780, ++ 110,462,116,478,1127,2896,903,846,856,2725, ++ 2867,1713,916,2733,736,2539,2395,728,720,2440, ++ 806,783,2508,2489,2460,743,2402,2479,836,2469, ++ 826,775,2386,2377,866,90,97,1931,2003,1960, ++ 1989,2590,2953,1284,2940,1595,2947,2651,584,2719, ++ 814,2448,2175,2101,2190,2116,2037,2060,2135,1298, ++ 1467,1304,1475,2982,1318,1618,0,1640,70,43, ++ 2498,122,2691,30,2526,1329,2902,2666,2658,1806, ++ 2412,2363,1072,1065,226,932,240,624,1743,1756, ++ 1532,798,1720,52,2888,2221,896,1770,2546,1218, ++ 568,923,1134,510,1163,1173,533,1856,1199,555, ++ 2873,2751,608,2157,2083,2331,1040,1016,1027,1049, ++ 1006,670,1184,268,305,342,1839,709,2347,1896, ++ 2257,407,2756,2813,2799,2782,2769,186,156,143, ++ 170,386,331,295,2744,2969,2999,1242,2301,640, ++ 1379,1416,1403,1387,1369,1355,1104,3013,35,1884, ++ 1115,1088,1077,962,944,989,1248,1566,1276,1290, ++ 485,614,1521,2923,1875,1149,2681,1789,469,397, ++ 1704,1634,2932,2315,654,2639,2740,2696,2990,1335, ++ 2959,319,2602,2827,357,417,2851,2835,15,2611, ++ 365,281,263,1612,975,1652,1735,2019,1579,1822, ++ 427,441,1659,1493,1548,129,2712,2277,2434,686, ++ 1669,1686,1099,520, ++}; ++static const char *x86_64_syscall_i2s(int v) { ++ return i2s_direct__(x86_64_syscall_strings, x86_64_syscall_i2s_direct, 0, 313, v); ++} +-- +1.7.9.5 + diff --git a/meta-agl/meta-security/recipes-security/audit/audit/audit-python-configure.patch b/meta-agl/meta-security/recipes-security/audit/audit/audit-python-configure.patch new file mode 100644 index 00000000..f90e2133 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/audit/audit/audit-python-configure.patch @@ -0,0 +1,27 @@ +From cace630b0eb42418dea4f3d98c69d0d777bfc1be Mon Sep 17 00:00:00 2001 +From: Xin Ouyang <Xin.Ouyang@windriver.com> +Date: Wed, 20 Jun 2012 16:34:19 +0800 +Subject: [PATCH] audit: python cross-compile + +Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> +--- + configure.ac | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 3db7d45..9a07db6 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -90,7 +90,8 @@ if test x$use_python = xno ; then + else + AC_MSG_RESULT(testing) + AM_PATH_PYTHON +-if test -f /usr/include/python${am_cv_python_version}/Python.h ; then ++PY_PREFIX=`$PYTHON -c 'import sys ; print sys.prefix'` ++if test -f $PY_PREFIX/include/python${am_cv_python_version}/Python.h ; then + python_found="yes" + AC_MSG_NOTICE(Python bindings will be built) + else +-- +1.7.7 + diff --git a/meta-agl/meta-security/recipes-security/audit/audit/audit-python.patch b/meta-agl/meta-security/recipes-security/audit/audit/audit-python.patch new file mode 100644 index 00000000..78fce019 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/audit/audit/audit-python.patch @@ -0,0 +1,31 @@ +Remove hard coded python include directory + +Signed-off-by: Mark Hatle <mark.hatle@windriver.com> + +diff -ur audit-2.1.3.orig/bindings/python/Makefile.am audit-2.1.3/bindings/python/Makefile.am +--- audit-2.1.3.orig/bindings/python/Makefile.am 2011-08-15 12:31:01.000000000 -0500 ++++ audit-2.1.3/bindings/python/Makefile.am 2012-01-30 12:19:54.533959225 -0600 +@@ -25,7 +25,9 @@ + + pyexec_LTLIBRARIES = auparse.la + ++PYINC ?= /usr/include/python$(PYTHON_VERSION) ++ + auparse_la_SOURCES = auparse_python.c +-auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -I/usr/include/python$(PYTHON_VERSION) -fno-strict-aliasing ++auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -I$(PYINC) -fno-strict-aliasing + auparse_la_LDFLAGS = -module -avoid-version -Wl,-z,relro + auparse_la_LIBADD = ../../auparse/libauparse.la ../../lib/libaudit.la +diff -ur audit-2.1.3.orig/swig/Makefile.am audit-2.1.3/swig/Makefile.am +--- audit-2.1.3.orig/swig/Makefile.am 2011-08-15 12:31:03.000000000 -0500 ++++ audit-2.1.3/swig/Makefile.am 2012-01-30 12:28:09.574834697 -0600 +@@ -23,7 +23,8 @@ + CONFIG_CLEAN_FILES = *.loT *.rej *.orig + AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing + PYLIBVER ?= python$(PYTHON_VERSION) +-INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I/usr/include/$(PYLIBVER) ++PYINC ?= /usr/include/$(PYLIBVER) ++INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I$(PYINC) + LIBS = $(top_builddir)/lib/libaudit.la + pyexec_PYTHON = audit.py + pyexec_LTLIBRARIES = _audit.la diff --git a/meta-agl/meta-security/recipes-security/audit/audit/audit-volatile.conf b/meta-agl/meta-security/recipes-security/audit/audit/audit-volatile.conf new file mode 100644 index 00000000..9cbe1547 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/audit/audit/audit-volatile.conf @@ -0,0 +1 @@ +d /var/log/audit 0750 root root - diff --git a/meta-agl/meta-security/recipes-security/audit/audit/auditd b/meta-agl/meta-security/recipes-security/audit/audit/auditd new file mode 100755 index 00000000..fcd96c9d --- /dev/null +++ b/meta-agl/meta-security/recipes-security/audit/audit/auditd @@ -0,0 +1,153 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: auditd +# Required-Start: $local_fs +# Required-Stop: $local_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Audit Daemon +# Description: Collects audit information from Linux 2.6 Kernels. +### END INIT INFO + +# Author: Philipp Matthias Hahn <pmhahn@debian.org> +# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init + +# June, 2012: Adopted for yocto <amy.fong@windriver.com> + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/bin:/usr/sbin:/usr/bin +DESC="audit daemon" +NAME=auditd +DAEMON=/sbin/auditd +PIDFILE=/var/run/"$NAME".pid +SCRIPTNAME=/etc/init.d/"$NAME" + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME" + +. /etc/default/rcS + +. /etc/init.d/functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \ + || return 1 + start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \ + $EXTRAOPTIONS \ + || return 2 + if [ -f /etc/audit/audit.rules ] + then + /sbin/auditctl -R /etc/audit/audit.rules >/dev/null + fi +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME" + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f "$PIDFILE" + rm -f /var/run/audit_events + # Remove watches so shutdown works cleanly + case "$AUDITD_CLEAN_STOP" in + no|NO) ;; + *) /sbin/auditctl -D >/dev/null ;; + esac + return "$RETVAL" +} + +# +# Function that sends a SIGHUP to the daemon/service +# +do_reload() { + start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME + return 0 +} + +if [ ! -e /var/log/audit ]; then + mkdir -p /var/log/audit + [ -x /sbin/restorecon ] && /sbin/restorecon -F /var/log/audit +fi + +case "$1" in + start) + [ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && echo 0 ;; + 2) [ "$VERBOSE" != no ] && echo 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && echo 0 ;; + 2) [ "$VERBOSE" != no ] && echo 1 ;; + esac + ;; + reload|force-reload) + echo "Reloading $DESC" "$NAME" + do_reload + echo $? + ;; + restart) + echo "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) echo 0 ;; + 1) echo 1 ;; # Old process is still running + *) echo 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + echo 1 + ;; + esac + ;; + rotate) + echo "Rotating $DESC logs" "$NAME" + start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME" + echo $? + ;; + status) + pidofproc "$DAEMON" >/dev/null + status=$? + if [ $status -eq 0 ]; then + echo "$NAME is running." + else + echo "$NAME is not running." + fi + exit $status + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2 + exit 3 + ;; +esac + +: diff --git a/meta-agl/meta-security/recipes-security/audit/audit/auditd.service b/meta-agl/meta-security/recipes-security/audit/audit/auditd.service new file mode 100644 index 00000000..ebc07989 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/audit/audit/auditd.service @@ -0,0 +1,20 @@ +[Unit] +Description=Security Auditing Service +DefaultDependencies=no +After=local-fs.target +Conflicts=shutdown.target +Before=sysinit.target shutdown.target +After=systemd-tmpfiles-setup.service + +[Service] +ExecStart=/sbin/auditd -n +## To use augenrules, copy this file to /etc/systemd/system/auditd.service +## and uncomment the next line and delete/comment out the auditctl line. +## Then copy existing rules to /etc/audit/rules.d/ +## Not doing this last step can cause loss of existing rules +#ExecStartPost=-/sbin/augenrules --load +ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/meta-agl/meta-security/recipes-security/audit/audit/disable-ldap.patch b/meta-agl/meta-security/recipes-security/audit/audit/disable-ldap.patch new file mode 100644 index 00000000..1d683c29 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/audit/audit/disable-ldap.patch @@ -0,0 +1,59 @@ +Disable LDAP support + +Signed-off-by: Mark Hatle <mark.hatle@windriver.com> + +Disable LDAP support + +Signed-off-by: Mark Hatle <mark.hatle@windriver.com> + +Index: audit-2.3.2/audisp/plugins/Makefile.am +=================================================================== +--- audit-2.3.2.orig/audisp/plugins/Makefile.am ++++ audit-2.3.2/audisp/plugins/Makefile.am +@@ -22,8 +22,10 @@ + + CONFIG_CLEAN_FILES = *.loT *.rej *.orig + +-SUBDIRS = builtins zos-remote remote +-#SUBDIRS = builtins zos-remote ++SUBDIRS = builtins remote ++if HAVE_LDAP ++SUBDIRS += zos-remote ++endif + if HAVE_PRELUDE + SUBDIRS += prelude + endif +Index: audit-2.3.2/configure.ac +=================================================================== +--- audit-2.3.2.orig/configure.ac ++++ audit-2.3.2/configure.ac +@@ -241,6 +241,12 @@ else + fi + AM_CONDITIONAL(HAVE_PRELUDE, test x$have_prelude = xyes) + ++AC_ARG_WITH(ldap, ++AS_HELP_STRING([--with-ldap],[enable zos-remote plugin, which requires ldap]), ++use_ldap=$withval, ++use_ldap=no) ++AM_CONDITIONAL(HAVE_LDAP, test x$have_ldap = xyes) ++ + AC_MSG_CHECKING(whether to use libwrap) + AC_ARG_WITH(libwrap, + [ --with-libwrap[=PATH] Compile in libwrap (tcp_wrappers) support.], +Index: audit-2.3.2/docs/Makefile.am +=================================================================== +--- audit-2.3.2.orig/docs/Makefile.am ++++ audit-2.3.2/docs/Makefile.am +@@ -53,7 +53,9 @@ ausearch_add_expression.3 ausearch_add_t + ausearch_clear.3 \ + ausearch_next_event.3 ausearch_set_stop.3 \ + autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \ +-audispd.8 audispd.conf.5 audispd-zos-remote.8 libaudit.conf.5 \ +-augenrules.8 \ +-zos-remote.conf.5 ++audispd.8 audispd.conf.5 libaudit.conf.5 \ ++augenrules.8 + ++if HAVE_LDAP ++man_MANS += audispd-zos-remote.8 zos-remote.conf.5 ++endif diff --git a/meta-agl/meta-security/recipes-security/audit/audit/fix-swig-host-contamination.patch b/meta-agl/meta-security/recipes-security/audit/audit/fix-swig-host-contamination.patch new file mode 100644 index 00000000..16bb173a --- /dev/null +++ b/meta-agl/meta-security/recipes-security/audit/audit/fix-swig-host-contamination.patch @@ -0,0 +1,48 @@ +audit: Fixed swig host contamination issue + +The audit build uses swig to generate a python wrapper. +Unfortunately, the swig info file references host include +directories. Some of these were previously noticed and +eliminated, but the one fixed here was not. + +Upstream Status: pending + +Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com> +Signed-off-by: Joe Slater <jslater@windriver.com> + +Index: audit-2.2.1/swig/Makefile.am +=================================================================== +--- audit-2.2.1.orig/swig/Makefile.am ++++ audit-2.2.1/swig/Makefile.am +@@ -25,6 +25,7 @@ AM_CFLAGS = -fPIC -DPIC -fno-strict-alia + PYLIBVER ?= python$(PYTHON_VERSION) + PYINC ?= /usr/include/$(PYLIBVER) + INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I$(PYINC) ++STDINC ?= /usr/include + LIBS = $(top_builddir)/lib/libaudit.la + pyexec_PYTHON = audit.py + pyexec_LTLIBRARIES = _audit.la +@@ -34,7 +35,7 @@ _audit_la_HEADERS: $(top_builddir)/confi + _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudit.la + nodist__audit_la_SOURCES = audit_wrap.c + audit.py audit_wrap.c: ${srcdir}/auditswig.i +- swig -o audit_wrap.c -python ${INCLUDES} ${srcdir}/auditswig.i ++ swig -o audit_wrap.c -python ${INCLUDES} -I$(STDINC) ${srcdir}/auditswig.i + + CLEANFILES = audit.py* audit_wrap.c *~ + +Index: audit-2.2.1/swig/auditswig.i +=================================================================== +--- audit-2.2.1.orig/swig/auditswig.i ++++ audit-2.2.1/swig/auditswig.i +@@ -37,8 +37,8 @@ signed + #define __attribute(X) /*nothing*/ + typedef unsigned __u32; + typedef unsigned uid_t; +-%include "/usr/include/linux/audit.h" ++%include "linux/audit.h" + #define __extension__ /*nothing*/ +-%include "/usr/include/stdint.h" ++%include "stdint.h" + %include "../lib/libaudit.h" + diff --git a/meta-agl/meta-security/recipes-security/audit/audit_2.3.2.bb b/meta-agl/meta-security/recipes-security/audit/audit_2.3.2.bb new file mode 100644 index 00000000..1d7ea0f0 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/audit/audit_2.3.2.bb @@ -0,0 +1,102 @@ +SUMMARY = "User space tools for kernel auditing" +DESCRIPTION = "The audit package contains the user space utilities for \ +storing and searching the audit records generated by the audit subsystem \ +in the Linux kernel." +HOMEPAGE = "http://people.redhat.com/sgrubb/audit/" +SECTION = "base" +PR = "r8" +LICENSE = "GPLv2+ & LGPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" + +SRC_URI = "http://people.redhat.com/sgrubb/audit/audit-${PV}.tar.gz \ + file://disable-ldap.patch \ + file://audit-python.patch \ + file://audit-python-configure.patch \ + file://audit-for-cross-compiling.patch \ + file://auditd \ + file://fix-swig-host-contamination.patch \ + file://auditd.service \ + file://audit-volatile.conf \ +" +SRC_URI_append_arm = "file://add-system-call-table-for-ARM.patch" + +inherit autotools pythonnative update-rc.d systemd + +UPDATERCPN = "auditd" +INITSCRIPT_NAME = "auditd" +INITSCRIPT_PARAMS = "defaults" + +SYSTEMD_SERVICE_${PN} = "auditd.service" + +SRC_URI[md5sum] = "4e8d065b5cc16b77b9b61e93a9ed160e" +SRC_URI[sha256sum] = "8872e0b5392888789061db8034164305ef0e1b34543e1e7004d275f039081d29" + +DEPENDS += "python tcp-wrappers libcap-ng linux-libc-headers (>= 2.6.30)" + +EXTRA_OECONF += "--without-prelude \ + --with-libwrap \ + --enable-gssapi-krb5=no \ + --without-ldap \ + --with-libcap-ng=yes \ + --with-python=yes \ + --libdir=${base_libdir} \ + --sbindir=${base_sbindir} \ + " +EXTRA_OECONF_append_arm = " --with-armeb=yes" + +EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ + PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ + pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ + STDINC='${STAGING_INCDIR}' \ + " + +SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher" +DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \ +interface to the audit system, audispd. These plugins can do things \ +like relay events to remote machines or analyze events for suspicious \ +behavior." + +PACKAGES =+ "audispd-plugins" +PACKAGES += "auditd ${PN}-python" + +FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*" +FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*" +FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \ + ${sysconfdir}/audisp/plugins.d/au-remote.conf \ + ${sbindir}/audisp-remote ${localstatedir}/spool/audit \ + " +FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" +FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" +FILES_${PN}-dev += "${base_libdir}/*.so ${base_libdir}/*.la" + +CONFFILES_auditd += "${sysconfdir}/audit/audit.rules" +RDEPENDS_auditd += "bash" + +do_install_append() { + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la + + # reuse auditd config + [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default + mv ${D}/etc/sysconfig/auditd ${D}/etc/default + rmdir ${D}/etc/sysconfig/ + + # replace init.d + install -D -m 0755 ${S}/../auditd ${D}/etc/init.d/auditd + rm -rf ${D}/etc/rc.d + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d/ + install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ + fi + + # install systemd unit files + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system + + chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d + chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules + + # Based on the audit.spec "Copy default rules into place on new installation" + cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules +} diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch new file mode 100644 index 00000000..e1d0cfac --- /dev/null +++ b/meta-agl/meta-security/recipes-security/cynara/cynara/0001-Add-fallthrough-tags.patch @@ -0,0 +1,57 @@ +From 8bf90bf3e7a821dbd3b7029d87aa592eec6f1754 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 12:00:18 +0100 +Subject: [PATCH] Add fallthrough tags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +GCC 7 emits a warning when the tag /*@fallthrough@*/ +doesn't appear in a switch case when a case continue +to the next after some processing. + +Change-Id: I420e3788a4c0a6d910a1214964c5480bbd12708c +Signed-off-by: José Bollo <jose.bollo@iot.bzh> + +--- + src/admin/api/admin-api.cpp | 1 + + src/client-async/logic/Logic.cpp | 1 + + src/common/sockets/SocketClient.cpp | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/src/admin/api/admin-api.cpp b/src/admin/api/admin-api.cpp +index c638f41..aafa45e 100644 +--- a/src/admin/api/admin-api.cpp ++++ b/src/admin/api/admin-api.cpp +@@ -146,6 +146,7 @@ int cynara_admin_set_policies(struct cynara_admin *p_cynara_admin, + case CYNARA_ADMIN_BUCKET: + if (!isStringValid(policy->result_extra)) + return CYNARA_API_INVALID_PARAM; ++ /*@fallthrough@*/ + default: + { + std::string extraStr = policy->result_extra ? policy->result_extra : ""; +diff --git a/src/client-async/logic/Logic.cpp b/src/client-async/logic/Logic.cpp +index 5ae0251..c1d6c33 100644 +--- a/src/client-async/logic/Logic.cpp ++++ b/src/client-async/logic/Logic.cpp +@@ -233,6 +233,7 @@ bool Logic::processOut(void) { + case Socket::SendStatus::ALL_DATA_SENT: + onStatusChange(m_socketClient.getSockFd(), + cynara_async_status::CYNARA_STATUS_FOR_READ); ++ /*@fallthrough@*/ + case Socket::SendStatus::PARTIAL_DATA_SENT: + return true; + default: +diff --git a/src/common/sockets/SocketClient.cpp b/src/common/sockets/SocketClient.cpp +index b1ca4f7..f4394e5 100644 +--- a/src/common/sockets/SocketClient.cpp ++++ b/src/common/sockets/SocketClient.cpp +@@ -45,6 +45,7 @@ bool SocketClient::connect(void) { + LOGW("Error connecting to Cynara. Service not available."); + return false; + } ++ /*@fallthrough@*/ + default: + return true; + } diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch new file mode 100644 index 00000000..40e11ce5 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/cynara/cynara/0001-fix-fallthrough-in-cmdlineparser.patch @@ -0,0 +1,35 @@ +From ca28ec4a0781a1ab9ec5f015387436beb51adfc3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan-Simon=20M=C3=B6ller?= <jsmoeller@linuxfoundation.org> +Date: Fri, 19 Oct 2018 08:09:28 +0000 +Subject: [PATCH] fix fallthrough in cmdlineparser +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org> + +--- + src/service/main/CmdlineParser.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/service/main/CmdlineParser.cpp b/src/service/main/CmdlineParser.cpp +index ca56e39..e07ea52 100644 +--- a/src/service/main/CmdlineParser.cpp ++++ b/src/service/main/CmdlineParser.cpp +@@ -112,13 +112,16 @@ struct CmdLineOptions handleCmdlineOptions(int argc, char * const *argv) { + case ':': // Missing argument + ret.m_error = true; + ret.m_exit = true; ++ /*@fallthrough@*/ + switch (optopt) { + case CmdlineOpt::Mask: + case CmdlineOpt::User: + case CmdlineOpt::Group: + printMissingArgument(execName, argv[optind - 1]); + return ret; ++ /*@fallthrough@*/ + } ++ /*@fallthrough@*/ + //intentional fall to Unknown option + case '?': // Unknown option + default: diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch new file mode 100644 index 00000000..b8dbfac4 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/cynara/cynara/0002-gcc-7-requires-include-functional-for-std-function.patch @@ -0,0 +1,36 @@ +From e2d8414b0d1c6c59baf1bb73e856e93aaabaf955 Mon Sep 17 00:00:00 2001 +From: Changhyeok Bae <changhyeok.bae@gmail.com> +Date: Sun, 17 Dec 2017 15:28:28 +0000 +Subject: [PATCH] gcc-7 requires include <functional> for std::function + +Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com> + +--- + src/common/types/PolicyBucket.h | 1 + + src/cyad/AdminPolicyParser.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/common/types/PolicyBucket.h b/src/common/types/PolicyBucket.h +index 029d3dd..1bceeca 100644 +--- a/src/common/types/PolicyBucket.h ++++ b/src/common/types/PolicyBucket.h +@@ -30,6 +30,7 @@ + #include <set> + #include <string> + #include <vector> ++#include <functional> + + #include <exceptions/NotImplementedException.h> + #include <types/pointers.h> +diff --git a/src/cyad/AdminPolicyParser.h b/src/cyad/AdminPolicyParser.h +index 53dde23..f38c194 100644 +--- a/src/cyad/AdminPolicyParser.h ++++ b/src/cyad/AdminPolicyParser.h +@@ -25,6 +25,7 @@ + + #include <istream> + #include <memory> ++#include <functional> + + #include <cyad/CynaraAdminPolicies.h> + diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch new file mode 100644 index 00000000..1b105a00 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/cynara/cynara/0003-Avoid-warning-when-compiling-without-smack.patch @@ -0,0 +1,43 @@ +From fdcf2a68a4bfec588b1c6c969caa0be20961b807 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 11:38:16 +0100 +Subject: [PATCH] Avoid warning when compiling without smack +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When DB_FILES_SMACK_LABEL is not defined, cmake complains +with the following message: + +> -- Checking for modules '' +> Please specify at least one package name on the command line. + +Change-Id: Ie837cae81114d096f951ec0ee4ada4173fb60190 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> + +--- + src/admin/CMakeLists.txt | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/admin/CMakeLists.txt b/src/admin/CMakeLists.txt +index e4f354a..38b8669 100644 +--- a/src/admin/CMakeLists.txt ++++ b/src/admin/CMakeLists.txt +@@ -23,12 +23,12 @@ IF (DB_FILES_SMACK_LABEL) + SET(SMACK "smack") + SET(LIBSMACK "libsmack") + ADD_DEFINITIONS("-DDB_FILES_SMACK_LABEL=\"${DB_FILES_SMACK_LABEL}\"") +-ENDIF (DB_FILES_SMACK_LABEL) + +-PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP +- REQUIRED +- ${LIBSMACK} +- ) ++ PKG_CHECK_MODULES(CYNARA_ADMIN_API_DEP ++ REQUIRED ++ ${LIBSMACK} ++ ) ++ENDIF (DB_FILES_SMACK_LABEL) + + SET(CYNARA_LIB_CYNARA_ADMIN_PATH ${CYNARA_PATH}/admin) + diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch new file mode 100644 index 00000000..f19cdfb5 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/cynara/cynara/0004-Fix-mode-of-sockets.patch @@ -0,0 +1,42 @@ +From 233fb8a93343c3c9c04914e1148ef5ab87a808a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 12:52:39 +0100 +Subject: [PATCH] Fix mode of sockets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Setting execution bit on the socket serves nothing. + +Change-Id: I2ca1ea8e0c369ee5517878e92073ace0e50f9f10 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> + +--- + systemd/cynara-admin.socket | 2 +- + systemd/cynara.socket | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket +index 2d1aea4..ed38386 100644 +--- a/systemd/cynara-admin.socket ++++ b/systemd/cynara-admin.socket +@@ -1,6 +1,6 @@ + [Socket] + ListenStream=/run/cynara/cynara-admin.socket +-SocketMode=0700 ++SocketMode=0600 + SmackLabelIPIn=@ + SmackLabelIPOut=@ + +diff --git a/systemd/cynara.socket b/systemd/cynara.socket +index 9f2a870..fad2745 100644 +--- a/systemd/cynara.socket ++++ b/systemd/cynara.socket +@@ -1,6 +1,6 @@ + [Socket] + ListenStream=/run/cynara/cynara.socket +-SocketMode=0777 ++SocketMode=0666 + SmackLabelIPIn=* + SmackLabelIPOut=@ + diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch new file mode 100644 index 00000000..e954c7f2 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/cynara/cynara/0005-Allow-to-tune-sockets.patch @@ -0,0 +1,237 @@ +From ebde8e9fdba7bc1c8152f7e45c551030a36ece82 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 13:47:37 +0100 +Subject: [PATCH] Allow to tune sockets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Allow to change the directory of sockets +through a true integration of SOCKET_DIR + +Allow to override the socket's group of + - /run/cynara/cynara-agent.socket + - /run/cynara/cynara-monitor-get.socket + +through the newly defined variable CYNARA_ADMIN_SOCKET_GROUP + +Change-Id: I7d58854c328e948e3d6d7fa3fc00569fd08f8aef +Signed-off-by: José Bollo <jose.bollo@iot.bzh> + +--- + systemd/CMakeLists.txt | 19 +++++++++++++++---- + systemd/cynara-admin.socket | 14 -------------- + systemd/cynara-admin.socket.in | 14 ++++++++++++++ + systemd/cynara-agent.socket | 15 --------------- + systemd/cynara-agent.socket.in | 15 +++++++++++++++ + systemd/cynara-monitor-get.socket | 15 --------------- + systemd/cynara-monitor-get.socket.in | 15 +++++++++++++++ + systemd/cynara.socket | 14 -------------- + systemd/cynara.socket.in | 14 ++++++++++++++ + 9 files changed, 73 insertions(+), 62 deletions(-) + delete mode 100644 systemd/cynara-admin.socket + create mode 100644 systemd/cynara-admin.socket.in + delete mode 100644 systemd/cynara-agent.socket + create mode 100644 systemd/cynara-agent.socket.in + delete mode 100644 systemd/cynara-monitor-get.socket + create mode 100644 systemd/cynara-monitor-get.socket.in + delete mode 100644 systemd/cynara.socket + create mode 100644 systemd/cynara.socket.in + +diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt +index 20accf0..1b75c12 100644 +--- a/systemd/CMakeLists.txt ++++ b/systemd/CMakeLists.txt +@@ -16,13 +16,24 @@ + # @author Lukasz Wojciechowski <l.wojciechow@partner.samsung.com> + # + ++SET(CYNARA_ADMIN_SOCKET_GROUP ++ "security_fw" ++ CACHE STRING ++ "Group to apply on administrative sockets") ++ ++ ++CONFIGURE_FILE(cynara.socket.in cynara.socket @ONLY) ++CONFIGURE_FILE(cynara-admin.socket.in cynara-admin.socket @ONLY) ++CONFIGURE_FILE(cynara-agent.socket.in cynara-agent.socket @ONLY) ++CONFIGURE_FILE(cynara-monitor-get.socket.in cynara-monitor-get.socket @ONLY) ++ + INSTALL(FILES + ${CMAKE_SOURCE_DIR}/systemd/cynara.service + ${CMAKE_SOURCE_DIR}/systemd/cynara.target +- ${CMAKE_SOURCE_DIR}/systemd/cynara.socket +- ${CMAKE_SOURCE_DIR}/systemd/cynara-admin.socket +- ${CMAKE_SOURCE_DIR}/systemd/cynara-agent.socket +- ${CMAKE_SOURCE_DIR}/systemd/cynara-monitor-get.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara-admin.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara-agent.socket ++ ${CMAKE_BINARY_DIR}/systemd/cynara-monitor-get.socket + DESTINATION + ${SYSTEMD_UNIT_DIR} + ) +diff --git a/systemd/cynara-admin.socket b/systemd/cynara-admin.socket +deleted file mode 100644 +index ed38386..0000000 +--- a/systemd/cynara-admin.socket ++++ /dev/null +@@ -1,14 +0,0 @@ +-[Socket] +-ListenStream=/run/cynara/cynara-admin.socket +-SocketMode=0600 +-SmackLabelIPIn=@ +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-admin.socket.in b/systemd/cynara-admin.socket.in +new file mode 100644 +index 0000000..2364c3e +--- /dev/null ++++ b/systemd/cynara-admin.socket.in +@@ -0,0 +1,14 @@ ++[Socket] ++ListenStream=@SOCKET_DIR@/cynara-admin.socket ++SocketMode=0600 ++SmackLabelIPIn=@ ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara-agent.socket b/systemd/cynara-agent.socket +deleted file mode 100644 +index 5a677e0..0000000 +--- a/systemd/cynara-agent.socket ++++ /dev/null +@@ -1,15 +0,0 @@ +-[Socket] +-ListenStream=/run/cynara/cynara-agent.socket +-SocketGroup=security_fw +-SocketMode=0060 +-SmackLabelIPIn=* +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-agent.socket.in b/systemd/cynara-agent.socket.in +new file mode 100644 +index 0000000..4f86c9d +--- /dev/null ++++ b/systemd/cynara-agent.socket.in +@@ -0,0 +1,15 @@ ++[Socket] ++ListenStream=@SOCKET_DIR@/cynara-agent.socket ++SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ ++SocketMode=0060 ++SmackLabelIPIn=* ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara-monitor-get.socket b/systemd/cynara-monitor-get.socket +deleted file mode 100644 +index a50feeb..0000000 +--- a/systemd/cynara-monitor-get.socket ++++ /dev/null +@@ -1,15 +0,0 @@ +-[Socket] +-ListenStream=/run/cynara/cynara-monitor-get.socket +-SocketGroup=security_fw +-SocketMode=0060 +-SmackLabelIPIn=@ +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara-monitor-get.socket.in b/systemd/cynara-monitor-get.socket.in +new file mode 100644 +index 0000000..b88dbf7 +--- /dev/null ++++ b/systemd/cynara-monitor-get.socket.in +@@ -0,0 +1,15 @@ ++[Socket] ++ListenStream=@SOCKET_DIR@/cynara-monitor-get.socket ++SocketGroup=@CYNARA_ADMIN_SOCKET_GROUP@ ++SocketMode=0060 ++SmackLabelIPIn=@ ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target +diff --git a/systemd/cynara.socket b/systemd/cynara.socket +deleted file mode 100644 +index fad2745..0000000 +--- a/systemd/cynara.socket ++++ /dev/null +@@ -1,14 +0,0 @@ +-[Socket] +-ListenStream=/run/cynara/cynara.socket +-SocketMode=0666 +-SmackLabelIPIn=* +-SmackLabelIPOut=@ +- +-Service=cynara.service +- +-[Unit] +-Wants=cynara.target +-Before=cynara.target +- +-[Install] +-WantedBy=sockets.target +diff --git a/systemd/cynara.socket.in b/systemd/cynara.socket.in +new file mode 100644 +index 0000000..ba76549 +--- /dev/null ++++ b/systemd/cynara.socket.in +@@ -0,0 +1,14 @@ ++[Socket] ++ListenStream=@SOCKET_DIR@/cynara.socket ++SocketMode=0666 ++SmackLabelIPIn=* ++SmackLabelIPOut=@ ++ ++Service=cynara.service ++ ++[Unit] ++Wants=cynara.target ++Before=cynara.target ++ ++[Install] ++WantedBy=sockets.target diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch new file mode 100644 index 00000000..68864f1e --- /dev/null +++ b/meta-agl/meta-security/recipes-security/cynara/cynara/0006-Install-socket-activation-by-default.patch @@ -0,0 +1,78 @@ +From 23f1a7cb34dd4ef88bac5a43057feaf7f50559aa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 25 Jan 2018 14:09:23 +0100 +Subject: [PATCH] Install socket activation by default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Change-Id: Ifd10c3800486689ed0ed6271df59760ccfbf6caf +Signed-off-by: José Bollo <jose.bollo@iot.bzh> + +--- + packaging/cynara.spec | 5 ----- + systemd/CMakeLists.txt | 7 +++++++ + systemd/sockets.target.wants/cynara-admin.socket | 1 + + systemd/sockets.target.wants/cynara-agent.socket | 1 + + systemd/sockets.target.wants/cynara.socket | 1 + + 5 files changed, 10 insertions(+), 5 deletions(-) + create mode 120000 systemd/sockets.target.wants/cynara-admin.socket + create mode 120000 systemd/sockets.target.wants/cynara-agent.socket + create mode 120000 systemd/sockets.target.wants/cynara.socket + +diff --git a/packaging/cynara.spec b/packaging/cynara.spec +index d2e0b80..2c5b326 100644 +--- a/packaging/cynara.spec ++++ b/packaging/cynara.spec +@@ -72,12 +72,7 @@ make %{?jobs:-j%jobs} + rm -rf %{buildroot} + %make_install + +-mkdir -p %{buildroot}%{_unitdir}/sockets.target.wants + mkdir -p %{buildroot}%{_unitdir}/multi-user.target.wants +-ln -s ../cynara.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara.socket +-ln -s ../cynara-admin.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-admin.socket +-ln -s ../cynara-agent.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-agent.socket +-ln -s ../cynara-monitor-get.socket %{buildroot}%{_unitdir}/sockets.target.wants/cynara-monitor-get.socket + ln -s ../cynara.service %{buildroot}%{_unitdir}/multi-user.target.wants/cynara.service + + %post +diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt +index 1b75c12..9a2d70d 100644 +--- a/systemd/CMakeLists.txt ++++ b/systemd/CMakeLists.txt +@@ -38,3 +38,10 @@ INSTALL(FILES + ${SYSTEMD_UNIT_DIR} + ) + ++INSTALL(DIRECTORY ++ ${CMAKE_SOURCE_DIR}/systemd/sockets.target.wants ++ DESTINATION ++ ${SYSTEMD_UNIT_DIR} ++) ++ ++ +diff --git a/systemd/sockets.target.wants/cynara-admin.socket b/systemd/sockets.target.wants/cynara-admin.socket +new file mode 120000 +index 0000000..3d0b1ce +--- /dev/null ++++ b/systemd/sockets.target.wants/cynara-admin.socket +@@ -0,0 +1 @@ ++../cynara-admin.socket +\ No newline at end of file +diff --git a/systemd/sockets.target.wants/cynara-agent.socket b/systemd/sockets.target.wants/cynara-agent.socket +new file mode 120000 +index 0000000..22b37dd +--- /dev/null ++++ b/systemd/sockets.target.wants/cynara-agent.socket +@@ -0,0 +1 @@ ++../cynara-agent.socket +\ No newline at end of file +diff --git a/systemd/sockets.target.wants/cynara.socket b/systemd/sockets.target.wants/cynara.socket +new file mode 120000 +index 0000000..c0e5a5b +--- /dev/null ++++ b/systemd/sockets.target.wants/cynara.socket +@@ -0,0 +1 @@ ++../cynara.socket +\ No newline at end of file diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-agl/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch new file mode 100644 index 00000000..c1441892 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch @@ -0,0 +1,29 @@ +From 3605e9f8a3ea1252d1cf221398431e0d7a3ea34d Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Mon, 23 Mar 2015 15:01:39 -0700 +Subject: [PATCH] cynara-db-migration.in: abort on errors + +"set -e" enables error checking for all commands invoked by the script. +Previously, errors were silently ignored. + +Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + +--- + migration/cynara-db-migration.in | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in +index 7b666d4..0682df6 100644 +--- a/migration/cynara-db-migration.in ++++ b/migration/cynara-db-migration.in +@@ -19,6 +19,8 @@ + # @brief Migration tool for Cynara's database + # + ++set -e ++ + ##### Constants (these must not be modified by shell) + + PATH=/bin:/usr/bin:/sbin:/usr/sbin diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara/run-ptest b/meta-agl/meta-security/recipes-security/cynara/cynara/run-ptest new file mode 100755 index 00000000..f8dd5d8b --- /dev/null +++ b/meta-agl/meta-security/recipes-security/cynara/cynara/run-ptest @@ -0,0 +1,4 @@ +#!/bin/sh + +cynara-tests | sed -e 's/^\[ *OK *\] \(\S*\)$/PASS: \1/' -e 's/^\[ *FAILED *\] \(\S*\)$/FAIL: \1/' +sh /usr/bin/cynara-db-migration-tests | sed -e 's/^Test .*(\([^)]*\)).*passed.*/PASS: \1/' -e 's/^Test .*(\([^)]*\)).*failed.*/FAIL: \1/' diff --git a/meta-agl/meta-security/recipes-security/cynara/cynara_0.14.10.bb b/meta-agl/meta-security/recipes-security/cynara/cynara_0.14.10.bb new file mode 100644 index 00000000..765c17bc --- /dev/null +++ b/meta-agl/meta-security/recipes-security/cynara/cynara_0.14.10.bb @@ -0,0 +1,157 @@ +DESCRIPTION = "Cynara service with client libraries" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3" + +PV = "0.14.10+git${SRCPV}" +SRCREV = "be455dcaf1400bec0272a6ce90852b9147393a60" +SRC_URI = "git://github.com/Samsung/cynara.git" +S = "${WORKDIR}/git" + +SRC_URI += " \ + file://cynara-db-migration-abort-on-errors.patch \ + file://0001-Add-fallthrough-tags.patch \ + file://0002-gcc-7-requires-include-functional-for-std-function.patch \ + file://0003-Avoid-warning-when-compiling-without-smack.patch \ + file://0004-Fix-mode-of-sockets.patch \ + file://0005-Allow-to-tune-sockets.patch \ + file://0006-Install-socket-activation-by-default.patch \ + file://0001-fix-fallthrough-in-cmdlineparser.patch \ +" + +DEPENDS = " \ +systemd \ +" + +PACKAGECONFIG ??= "" +# Use debug mode to increase logging. Beware, also compiles with less optimization +# and thus has to disable FORTIFY_SOURCE below. +PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE,libunwind elfutils" + +inherit cmake + +EXTRA_OECMAKE += " \ + -DCMAKE_VERBOSE_MAKEFILE=ON \ + -DBUILD_WITH_SYSTEMD_DAEMON=ON \ + -DBUILD_WITH_SYSTEMD_JOURNAL=ON \ + -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \ + -DSOCKET_DIR=/run/cynara \ + -DBUILD_COMMONS=ON \ + -DBUILD_SERVICE=ON \ + -DBUILD_DBUS=OFF \ + -DCYNARA_ADMIN_SOCKET_GROUP=cynara \ +" + +# Explicitly package empty directory. Otherwise Cynara prints warnings +# at runtime: +# cyad[198]: Couldn't scan for plugins in </usr/lib/cynara/plugin/service/> : <No such file or directory> +FILES_${PN}_append = " \ +${libdir}/cynara/plugin/service \ +${libdir}/cynara/plugin/client \ +" + +inherit useradd +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "-r cynara" +USERADD_PARAM_${PN} = "\ +--system --home ${localstatedir}/lib/empty \ +--no-create-home --shell /bin/false \ +--gid cynara cynara \ +" + +# Causes deadlock during booting, see workaround in postinst below. +#inherit systemd +#SYSTEMD_SERVICE_${PN} = "cynara.service" + +#do_install_append () { +# chmod a+rx ${D}/${sbindir}/cynara-db-migration +# +# install -d ${D}${sysconfdir}/cynara/ +# install -m 644 ${S}/conf/creds.conf ${D}/${sysconfdir}/cynara/creds.conf +# +# # No need to create empty directories except for those which +# # Cynara expects to find. +# # install -d ${D}${localstatedir}/cynara/ +# # install -d ${D}${prefix}/share/cynara/tests/empty_db +# install -d ${D}${libdir}/cynara/plugin/client +# install -d ${D}${libdir}/cynara/plugin/service +# +# # install db* ${D}${prefix}/share/cynara/tests/ +# +# install -d ${D}${systemd_system_unitdir}/sockets.target.wants +# ln -s ../cynara.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara.socket +# ln -s ../cynara-admin.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-admin.socket +# ln -s ../cynara-agent.socket ${D}${systemd_system_unitdir}/sockets.target.wants/cynara-agent.socket +#} + +# We want the post-install logic to create and label /var/cynara, so +# it should not be in the package. +do_install_append () { + rmdir ${D}${localstatedir}/cynara +} + +FILES_${PN} += "${systemd_system_unitdir}" + +# Cynara itself has no dependency on Smack. Only its installation +# is Smack-aware in the sense that it sets Smack labels. Do not +# depend on smack userspace unless we really need Smack labels. +# +# The Tizen .spec file calls cynara-db-migration in a %pre section. +# That only works when cynara-db-migration is packaged separately +# (overly complex) and does not seem necessary: perhaps there is a +# time window where cynara might already get activated before +# the postinst completes, but that is a general problem. It gets +# avoided entirely when calling this script while building the +# rootfs. +DEPENDS_append_with-lsm-smack = " smack smack-native" +EXTRA_OECMAKE_append_with-lsm-smack = " -DDB_FILES_SMACK_LABEL=System" +CHSMACK_with-lsm-smack = "chsmack" +CHSMACK = "true" +pkg_postinst_ontarget_${PN} () { + mkdir -p $D${sysconfdir}/cynara + ${CHSMACK} -a System $D${sysconfdir}/cynara + + # Strip git patch level information, the version comparison code + # in cynara-db-migration only expect major.minor.patch version numbers. + VERSION=${@d.getVar('PV',d,1).split('+git')[0]} + if [ -d $D${localstatedir}/cynara ] ; then + # upgrade + echo "NOTE: updating cynara DB to version $VERSION" + $D${sbindir}/cynara-db-migration upgrade -f 0.0.0 -t $VERSION + else + # install + echo "NOTE: creating cynara DB for version $VERSION" + mkdir -p $D${localstatedir}/cynara + ${CHSMACK} -a System $D${localstatedir}/cynara + $D${sbindir}/cynara-db-migration install -t $VERSION + fi + + # Workaround for systemd.bbclass issue: it would call + # "systemctl start" without "--no-block", but because + # the service is not ready to run at the time when + # this scripts gets executed by run-postinsts.service, + # booting deadlocks. + echo "NOTE: enabling and starting cynara service" + systemctl enable cynara + systemctl start --no-block cynara +} + +# Testing depends on gmock and gtest. They can be found in meta-oe +# and are not necessarily available, so this feature is off by default. +# If gmock from meta-oe is used, then a workaround is needed to avoid +# a link error (libgmock.a calls pthread functions without libpthread +# being listed in the .pc file). +DEPENDS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' gmock', '', d)}" +LDFLAGS_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' -lpthread', '', d)}" +SRC_URI_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' file://run-ptest', '', d)}" +PACKAGECONFIG[tests] = "-DBUILD_TESTS:BOOL=ON,-DBUILD_TESTS:BOOL=OFF,gmock gtest," + +# Will be empty if no tests were built. +inherit ptest +FILES_${PN}-ptest += "${bindir}/cynara-tests ${bindir}/cynara-db-migration-tests ${datadir}/cynara/tests" +do_install_ptest () { + if ${@bb.utils.contains('PACKAGECONFIG', 'tests', 'true', 'false', d)}; then + mkdir -p ${D}/${datadir}/cynara/tests + cp -r ${S}/test/db/* ${D}/${datadir}/cynara/tests + fi +} + diff --git a/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch b/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch new file mode 100644 index 00000000..a049fd23 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch @@ -0,0 +1,19 @@ +Index: keyutils-1.5.5/Makefile +=================================================================== +--- keyutils-1.5.5.orig/Makefile 2011-12-20 11:05:10.000000000 +0200 ++++ keyutils-1.5.5/Makefile 2011-12-20 11:06:27.000000000 +0200 +@@ -58,12 +58,12 @@ + LNS := ln -sf + + ifeq ($(BUILDFOR),32-bit) +-CFLAGS += -m32 ++#CFLAGS += -m32 + LIBDIR := /usr/lib + USRLIBDIR := /usr/lib + else + ifeq ($(BUILDFOR),64-bit) +-CFLAGS += -m64 ++#CFLAGS += -m64 + LIBDIR := /usr/lib + USRLIBDIR := /usr/lib + endif diff --git a/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch b/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch new file mode 100644 index 00000000..adf06430 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch @@ -0,0 +1,30 @@ +Index: keyutils-1.5.5/Makefile +=================================================================== +--- keyutils-1.5.5.orig/Makefile 2011-11-30 17:27:43.000000000 +0200 ++++ keyutils-1.5.5/Makefile 2011-12-21 16:05:53.000000000 +0200 +@@ -59,13 +59,13 @@ + + ifeq ($(BUILDFOR),32-bit) + CFLAGS += -m32 +-LIBDIR := /lib ++LIBDIR := /usr/lib + USRLIBDIR := /usr/lib + else + ifeq ($(BUILDFOR),64-bit) + CFLAGS += -m64 +-LIBDIR := /lib64 +-USRLIBDIR := /usr/lib64 ++LIBDIR := /usr/lib ++USRLIBDIR := /usr/lib + endif + endif + +@@ -152,7 +152,7 @@ + $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME) + $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME) + mkdir -p $(DESTDIR)$(USRLIBDIR) +- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) ++ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) + $(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl + $(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key + $(INSTALL) -D request-key-debug.sh $(DESTDIR)$(SHAREDIR)/request-key-debug.sh diff --git a/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch b/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch new file mode 100644 index 00000000..8dd22450 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch @@ -0,0 +1,13 @@ +Index: git/Makefile +=================================================================== +--- git.orig/Makefile 2012-11-16 15:40:05.258723425 +0200 ++++ git/Makefile 2012-11-16 15:41:08.978725491 +0200 +@@ -53,7 +53,7 @@ + ############################################################################### + LIBDIR := $(shell ldd /usr/bin/make | grep '\(/libc\)' | sed -e 's!.*\(/.*\)/libc[.].*!\1!') + USRLIBDIR := $(patsubst /lib/%,/usr/lib/%,$(LIBDIR)) +-BUILDFOR := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-bit ++BUILDFOR := 64-bit + + LNS := ln -sf + diff --git a/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch b/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch new file mode 100644 index 00000000..573c429b --- /dev/null +++ b/meta-agl/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch @@ -0,0 +1,13 @@ +Index: git/Makefile +=================================================================== +--- git.orig/Makefile 2012-11-16 15:40:05.258723425 +0200 ++++ git/Makefile 2012-11-16 15:41:08.978725491 +0200 +@@ -53,7 +53,7 @@ + ############################################################################### + LIBDIR := $(shell ldd /usr/bin/make | grep '\(/libc\)' | sed -e 's!.*\(/.*\)/libc[.].*!\1!') + USRLIBDIR := $(patsubst /lib/%,/usr/lib/%,$(LIBDIR)) +-BUILDFOR := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-bit ++BUILDFOR := 32-bit + + LNS := ln -sf + diff --git a/meta-agl/meta-security/recipes-security/keyutils/keyutils_1.5.8.bb b/meta-agl/meta-security/recipes-security/keyutils/keyutils_1.5.8.bb new file mode 100644 index 00000000..46b2b622 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/keyutils/keyutils_1.5.8.bb @@ -0,0 +1,44 @@ +SUMMARY = "Linux Key Management Utilities" +DESCRIPTION = "Keyutils is a set of utilities for managing the key retention \ +facility in the kernel, which can be used by filesystems, block devices and \ +more to gain and retain the authorization and encryption keys required to \ +perform secure operations." +SECTION = "base" +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45" + +PR = "r1" + +SRCREV = "dd64114721edca5808872190e7e2e927ee2e994c" + +SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git;protocol=git \ + file://keyutils_fix_library_install.patch \ + " +SRC_URI_append_arm = " file://keyutils-arm-remove-m32-m64.patch" +SRC_URI_append_x86 = " file://keyutils_fix_x86_cflags.patch" +SRC_URI_append_x86-64 = " file://keyutils_fix_x86-64_cflags.patch" + +S = "${WORKDIR}/git" + +INSTALL_FLAGS = " \ +BINDIR=${bindir} \ +SBINDIR=${sbindir} \ +INCLUDEDIR=${includedir} \ +ETCDIR=${sysconfdir} \ +LIBDIR=${libdir} \ +USRLIBDIR=${libdir} \ +SHAREDIR=${datadir} \ +MAN1=${mandir}/man1 \ +MAN3=${mandir}/man3 \ +MAN5=${mandir}/man5 \ +MAN8=${mandir}/man8 \ +DESTDIR=${D}" + +do_install() { + cd ${S} && oe_runmake ${INSTALL_FLAGS} install + + # Debugging script of unknown value, not packaged. + rm -f "${D}${datadir}/request-key-debug.sh" +} + +BBCLASSEXTEND = "native" diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager.inc b/meta-agl/meta-security/recipes-security/security-manager/security-manager.inc new file mode 100644 index 00000000..ddd87a93 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager.inc @@ -0,0 +1,94 @@ +DESCRIPTION = "Security manager and utilities" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3" + +inherit cmake + +# Out-of-tree build is broken ("sqlite3 .security-manager.db <db.sql" where db.sql is in $S/db). +B = "${S}" + +DEPENDS = " \ +attr \ +boost \ +cynara \ +icu \ +libcap \ +smack \ +sqlite3 \ +sqlite3-native \ +systemd \ +" + +PACKAGECONFIG ??= "" +PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE" + +TZ_SYS_DB = "/var/local/db/security-manager" + +EXTRA_OECMAKE = " \ +-DCMAKE_VERBOSE_MAKEFILE=ON \ +-DVERSION=${PV} \ +-DSYSTEMD_INSTALL_DIR=${systemd_unitdir}/system \ +-DBIN_INSTALL_DIR=${bindir} \ +-DDB_INSTALL_DIR=${TZ_SYS_DB} \ +-DLIB_INSTALL_DIR=${libdir} \ +-DSHARE_INSTALL_PREFIX=${datadir} \ +-DINCLUDE_INSTALL_DIR=${includedir} \ +" + +inherit systemd +SYSTEMD_SERVICE_${PN} = "security-manager.service" + +inherit distro_features_check +REQUIRED_DISTRO_FEATURES += "smack" + +# The upstream source code contains the Tizen-specific policy configuration files. +# To replace them, create a security-manager.bbappend and set the following variable to a +# space-separated list of policy file names (not URIs!), for example: +# SECURITY_MANAGER_POLICY = "privilege-group.list usertype-system.profile" +# +# Leave it empty to use the upstream Tizen policy. +SECURITY_MANAGER_POLICY ?= "" +SRC_URI_append = " ${@' '.join(['file://' + x for x in d.getVar('SECURITY_MANAGER_POLICY', True).split()])}" +python do_patch_append () { + import os + import shutil + import glob + files = d.getVar('SECURITY_MANAGER_POLICY', True).split() + if files: + s = d.getVar('S', True) + workdir = d.getVar('WORKDIR', True) + for pattern in ['*.profile', '*.list']: + for old_file in glob.glob(s + '/policy/' + pattern): + os.unlink(old_file) + for file in files: + shutil.copy(file, s + '/policy') +} + +do_install_append () { + install -d ${D}/${systemd_unitdir}/system/multi-user.target.wants + ln -s ../security-manager.service ${D}/${systemd_unitdir}/system/multi-user.target.wants/security-manager.service + install -d ${D}/${systemd_unitdir}/system/sockets.target.wants + ln -s ../security-manager.socket ${D}/${systemd_unitdir}/system/sockets.target.wants/security-manager.socket +} + +RDEPENDS_${PN} += "smack" +pkg_postinst_${PN} () { + set -e + chsmack -a System $D${TZ_SYS_DB}/.security-manager.db + chsmack -a System $D${TZ_SYS_DB}/.security-manager.db-journal +} + +FILES_${PN} += " \ +${systemd_unitdir} \ +${TZ_SYS_DB} \ +" + +PACKAGES =+ "${PN}-policy" +FILES_${PN}-policy = " \ + ${datadir}/${PN} \ + ${bindir}/security-manager-policy-reload \ +" +RDEPENDS_${PN}-policy += "sqlite3 cynara" +pkg_postinst_ontarget_${PN}-policy () { + ${bindir}/security-manager-policy-reload +} diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch new file mode 100644 index 00000000..f598fdc8 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Avoid-casting-from-const-T-to-void.patch @@ -0,0 +1,127 @@ +From 14c8842ed8a37fecbc70d46e27b49ae929b0c85f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Fri, 1 Feb 2019 15:37:44 +0100 +Subject: [PATCH] Avoid casting from "const T&" to "void*" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Latest version of g++ refuse the cast + + reinterpret_cast<void (Service::*)(void*)>(serviceFunction) + +I made no investigation to know if the problem +is coming from the const or not. + +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/server/main/include/service-thread.h | 43 ++++++++++-------------- + 1 file changed, 18 insertions(+), 25 deletions(-) + +diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h +index 964d168..92b0ec8 100644 +--- a/src/server/main/include/service-thread.h ++++ b/src/server/main/include/service-thread.h +@@ -9,78 +94,72 @@ public: + Join(); + while (!m_eventQueue.empty()){ + auto front = m_eventQueue.front(); +- delete front.eventPtr; ++ delete front; + m_eventQueue.pop(); + } + } + + template <class T> + void Event(const T &event, + Service *servicePtr, + void (Service::*serviceFunction)(const T &)) + { +- EventDescription description; +- description.serviceFunctionPtr = +- reinterpret_cast<void (Service::*)(void*)>(serviceFunction); +- description.servicePtr = servicePtr; +- description.eventFunctionPtr = &ServiceThread::EventCall<T>; +- description.eventPtr = new T(event); ++ EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction); + { + std::lock_guard<std::mutex> lock(m_eventQueueMutex); +- m_eventQueue.push(description); ++ m_eventQueue.push(ec); + } + m_waitCondition.notify_one(); + } + + protected: + +- struct EventDescription { +- void (Service::*serviceFunctionPtr)(void *); +- Service *servicePtr; +- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event); +- GenericEvent* eventPtr; +- }; +- +- template <class T> +- void EventCall(const EventDescription &desc) { +- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr); +- const T& eventLocale = *(static_cast<T*>(desc.eventPtr)); +- (desc.servicePtr->*fun)(eventLocale); +- } ++ struct EventCallerBase { ++ virtual void fire() = 0; ++ virtual ~EventCallerBase() {} ++ }; + ++ template <class T> ++ struct EventCaller : public EventCallerBase { ++ T *event; Service *target; void (Service::*function)(const T&); ++ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {} ++ ~EventCaller() { delete event; } ++ void fire() { (target->*function)(*event); } ++ }; ++ + static void ThreadLoopStatic(ServiceThread *ptr) { + ptr->ThreadLoop(); + } + + void ThreadLoop(){ + for (;;) { +- EventDescription description = {NULL, NULL, NULL, NULL}; ++ EventCallerBase *ec = NULL; + { + std::unique_lock<std::mutex> ulock(m_eventQueueMutex); + if (m_quit) + return; + if (!m_eventQueue.empty()) { +- description = m_eventQueue.front(); ++ ec = m_eventQueue.front(); + m_eventQueue.pop(); + } else { + m_waitCondition.wait(ulock); + } + } + +- if (description.eventPtr != NULL) { ++ if (ec != NULL) { + UNHANDLED_EXCEPTION_HANDLER_BEGIN + { +- (this->*description.eventFunctionPtr)(description); +- delete description.eventPtr; ++ ec->fire(); + } + UNHANDLED_EXCEPTION_HANDLER_END ++ delete ec; + } + } + } + + std::thread m_thread; + std::mutex m_eventQueueMutex; +- std::queue<EventDescription> m_eventQueue; ++ std::queue<EventCallerBase*> m_eventQueue; + std::condition_variable m_waitCondition; + + State m_state; +-- +2.17.2 + diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch new file mode 100644 index 00000000..5a55a312 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Fix-gcc8-warning-error-Werror-catch-value.patch @@ -0,0 +1,32 @@ +From 37c63c280eaec8cae3a321d45404d6c03a68c9d9 Mon Sep 17 00:00:00 2001 +From: Stephane Desneux <stephane.desneux@iot.bzh> +Date: Fri, 1 Feb 2019 12:26:17 +0000 +Subject: [PATCH] Fix gcc8 warning/error [-Werror=catch-value=] + +Fixes the following warning/error during compile: + +src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=] +| } catch (Exception) { +| ^~~~~~~~~ + +Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh> +--- + src/dpl/core/src/assert.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp +index 63538a2..fc60ce9 100644 +--- a/src/dpl/core/src/assert.cpp ++++ b/src/dpl/core/src/assert.cpp +@@ -58,7 +58,7 @@ void AssertProc(const char *condition, + INTERNAL_LOG("### Function: " << function); + INTERNAL_LOG( + "################################################################################"); +- } catch (Exception) { ++ } catch (Exception const&) { + // Just ignore possible double errors + } + +-- +2.11.0 + diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch new file mode 100644 index 00000000..b0e11afe --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch @@ -0,0 +1,116 @@ +From d130a7384428a96f31ad5950ffbffadc0aa29a15 Mon Sep 17 00:00:00 2001 +From: Alejandro Joya <alejandro.joya.cruz@intel.com> +Date: Wed, 4 Nov 2015 19:01:35 -0600 +Subject: [PATCH 1/2] Smack-rules: create two new functions + +It let to smack-rules to create multiple set of rules +related with the privileges. + +It runs from the same bases than for a static set of rules on the +template, but let you add 1 or many templates for different cases. + +Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com> +--- + src/common/include/smack-rules.h | 15 ++++++++++++++ + src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 59 insertions(+) + +diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h +index 91446a7..f9fa438 100644 +--- a/src/common/include/smack-rules.h ++++ b/src/common/include/smack-rules.h +@@ -47,6 +47,8 @@ public: + void addFromTemplate(const std::vector<std::string> &templateRules, + const std::string &appId, const std::string &pkgId); + void addFromTemplateFile(const std::string &appId, const std::string &pkgId); ++ void addFromTemplateFile(const std::string &appId, const std::string &pkgId, ++ const std::string &path); + + void apply() const; + void clear() const; +@@ -75,6 +77,19 @@ public: + static void installApplicationRules(const std::string &appId, const std::string &pkgId, + const std::vector<std::string> &pkgContents); + /** ++ * Install privileges-specific smack rules. ++ * ++ * Function creates smack rules using predefined template. Rules are applied ++ * to the kernel and saved on persistent storage so they are loaded on system boot. ++ * ++ * @param[in] appId - application id that is beeing installed ++ * @param[in] pkgId - package id that the application is in ++ * @param[in] pkgContents - a list of all applications in the package ++ * @param[in] privileges - a list of all prvileges ++ */ ++ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, ++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges); ++ /** + * Uninstall package-specific smack rules. + * + * Function loads package-specific smack rules, revokes them from the kernel +diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp +index 3629e0f..d834e42 100644 +--- a/src/common/smack-rules.cpp ++++ b/src/common/smack-rules.cpp +@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const + } + } + ++void SmackRules::addFromTemplateFile(const std::string &appId, ++ const std::string &pkgId, const std::string &path) ++{ ++ std::vector<std::string> templateRules; ++ std::string line; ++ std::ifstream templateRulesFile(path); ++ ++ if (!templateRulesFile.is_open()) { ++ LogError("Cannot open rules template file: " << path); ++ ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path); ++ } ++ ++ while (std::getline(templateRulesFile, line)) { ++ templateRules.push_back(line); ++ } ++ ++ if (templateRulesFile.bad()) { ++ LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); ++ ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH); ++ } ++ ++ addFromTemplate(templateRules, appId, pkgId); ++} + + void SmackRules::addFromTemplateFile(const std::string &appId, + const std::string &pkgId) +@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) + std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); + return path; + } ++void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, ++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) ++{ ++ SmackRules smackRules; ++ std::string appPath = getApplicationRulesFilePath(appId); ++ smackRules.loadFromFile(appPath); ++ struct stat buffer; ++ for (auto privilege : privileges) { ++ if (privilege.empty()) ++ continue; ++ std::string fprivilege ( privilege + "-template.smack"); ++ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); ++ if( stat(path.c_str(), &buffer) == 0) ++ smackRules.addFromTemplateFile(appId, pkgId, path); ++ } ++ ++ if (smack_smackfs_path() != NULL) ++ smackRules.apply(); + ++ smackRules.saveToFile(appPath); ++ updatePackageRules(pkgId, pkgContents); ++} + void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId, + const std::vector<std::string> &pkgContents) + { +-- +2.1.0 + diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch new file mode 100644 index 00000000..d60096a1 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch @@ -0,0 +1,34 @@ +From 19688cbe2ca10921a499f3fa265928dca54cf98d Mon Sep 17 00:00:00 2001 +From: Alejandro Joya <alejandro.joya.cruz@intel.com> +Date: Wed, 4 Nov 2015 19:06:23 -0600 +Subject: [PATCH 2/2] app-install: implement multiple set of smack-rules + +If it's need it could create load multiple set of smack rules +related with the privileges. +It wouldn't affect the case that only the default set of rules is need it. + +Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com> +--- + src/common/service_impl.cpp | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp +index 7fd621c..ae305d3 100644 +--- a/src/common/service_impl.cpp ++++ b/src/common/service_impl.cpp +@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid) + LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " + << req.pkgId << ". Applications in package: " << pkgContents.size()); + SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents); ++ /*Setup for privileges custom rules*/ ++ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: " ++ << req.pkgId << ". Applications in package: " << pkgContents.size() ++ << " and Privileges"); ++ SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId, ++ pkgContents,req.privileges); + } catch (const SmackException::Base &e) { + LogError("Error while applying Smack policy for application: " << e.DumpToString()); + return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED; +-- +2.1.0 + diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch new file mode 100644 index 00000000..4baea657 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch @@ -0,0 +1,196 @@ +From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Mon, 16 Nov 2015 14:26:25 +0100 +Subject: [PATCH] Removing tizen-platform-config + +Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 +--- + policy/security-manager-policy-reload | 2 +- + src/common/file-lock.cpp | 4 +--- + src/common/include/file-lock.h | 1 - + src/common/include/privilege_db.h | 3 +-- + src/common/service_impl.cpp | 39 +++++++++++------------------------ + src/common/smack-rules.cpp | 12 ++++------- + 6 files changed, 19 insertions(+), 42 deletions(-) + +diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload +index 6f211c6..ed8047a 100755 +--- a/policy/security-manager-policy-reload ++++ b/policy/security-manager-policy-reload +@@ -2,7 +2,7 @@ + + POLICY_PATH=/usr/share/security-manager/policy + PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list +-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db ++DB_FILE=/usr/dbspace/.security-manager.db + + # Create default buckets + while read bucket default_policy +diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp +index 6f3996c..1dada17 100644 +--- a/src/common/file-lock.cpp ++++ b/src/common/file-lock.cpp +@@ -30,9 +30,7 @@ + + namespace SecurityManager { + +-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, +- "lock", +- "security-manager.lock"); ++char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock"; + + FileLocker::FileLocker(const std::string &lockFile, bool blocking) + { +diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h +index 604b019..21a86a0 100644 +--- a/src/common/include/file-lock.h ++++ b/src/common/include/file-lock.h +@@ -29,7 +29,6 @@ + + #include <dpl/exception.h> + #include <dpl/noncopyable.h> +-#include <tzplatform_config.h> + + namespace SecurityManager { + +diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h +index 4d73d90..03c6680 100644 +--- a/src/common/include/privilege_db.h ++++ b/src/common/include/privilege_db.h +@@ -34,14 +34,13 @@ + #include <string> + + #include <dpl/db/sql_connection.h> +-#include <tzplatform_config.h> + + #ifndef PRIVILEGE_DB_H_ + #define PRIVILEGE_DB_H_ + + namespace SecurityManager { + +-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); ++const char *const PRIVILEGE_DB_PATH = "/usr/dbspace/.security-manager.db"; + + enum class QueryType { + EGetPkgPrivileges, +diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp +index ae305d3..65cc8b5 100644 +--- a/src/common/service_impl.cpp ++++ b/src/common/service_impl.cpp +@@ -32,7 +32,6 @@ + #include <algorithm> + + #include <dpl/log/log.h> +-#include <tzplatform_config.h> + + #include "protocols.h" + #include "privilege_db.h" +@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, + + static uid_t getGlobalUserId(void) + { +- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); ++ static uid_t globaluid = 0; ++ if (!globaluid) { ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwnam_r("userapp", &pw, buf, sizeof buf, &p); ++ globaluid = (rc || p == NULL) ? 555 : p->pw_uid; ++ } + return globaluid; + } + +@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) + + static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) + { +- struct tzplatform_context *tz_ctx = nullptr; +- +- if (tzplatform_context_create(&tz_ctx)) +- return false; +- +- if (tzplatform_context_set_user(tz_ctx, uid)) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); ++ if (rc || p == NULL) + return false; +- } +- +- enum tzplatform_variable id = +- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP; +- const char *appDir = tzplatform_context_getenv(tz_ctx, id); +- if (!appDir) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- return false; +- } +- +- userAppDir = appDir; +- +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- ++ userAppDir = p->pw_dir; + return true; + } + + static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) + { +- std::string userHome; + std::string userAppDir; + std::stringstream correctPath; + +diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp +index d834e42..8b5728b 100644 +--- a/src/common/smack-rules.cpp ++++ b/src/common/smack-rules.cpp +@@ -34,7 +34,6 @@ + #include <memory> + + #include <dpl/log/log.h> +-#include <tzplatform_config.h> + + #include "smack-labels.h" + #include "smack-rules.h" +@@ -43,7 +42,7 @@ namespace SecurityManager { + + const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; + const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; +-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); ++const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack"; + const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; + + SmackRules::SmackRules() +@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon + + std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); +- return path; ++ return "/etc/smack/accesses.d/pkg_" + pkgId; + } + + std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); +- return path; ++ return "/etc/smack/accesses.d/app_" + appId; + } + void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId, + const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges) +@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con + for (auto privilege : privileges) { + if (privilege.empty()) + continue; +- std::string fprivilege ( privilege + "-template.smack"); +- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); ++ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack"; + if( stat(path.c_str(), &buffer) == 0) + smackRules.addFromTemplateFile(appId, pkgId, path); + } +-- +2.1.4 + diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch new file mode 100644 index 00000000..c312a9e7 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch @@ -0,0 +1,32 @@ +From 6abeec29a0e704f4bf7084b29275b99fea0a78de Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net> +Date: Wed, 13 Jan 2016 17:30:06 +0100 +Subject: [PATCH 2/2] c++11: replace depracated auto_ptr +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/] + +Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8 +Signed-off-by: José Bollo <jobol@nonadev.net> +--- + src/dpl/core/include/dpl/binary_queue.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h +index dd03f5e..185b6c7 100644 +--- a/src/dpl/core/include/dpl/binary_queue.h ++++ b/src/dpl/core/include/dpl/binary_queue.h +@@ -33,7 +33,7 @@ namespace SecurityManager { + * Binary queue auto pointer + */ + class BinaryQueue; +-typedef std::auto_ptr<BinaryQueue> BinaryQueueAutoPtr; ++typedef std::unique_ptr<BinaryQueue> BinaryQueueAutoPtr; + + /** + * Binary stream implemented as constant size bucket list +-- +2.1.4 + diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch new file mode 100644 index 00000000..33fbc025 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch @@ -0,0 +1,24 @@ +From: José Bollo <jose.bollo@iot.bzh> +Date: Tue, 30 Oct 2015 14:32:03 -0100 +Subject: [PATCH] include linux xattr + +adds a #include <linux/xattr.h> in source. + +--- + src/client/client-security-manager.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp +index 74a6b30..641790b 100644 +--- a/src/client/client-security-manager.cpp ++++ b/src/client/client-security-manager.cpp +@@ -34,6 +34,7 @@ + #include <sys/types.h> + #include <sys/stat.h> + #include <sys/xattr.h> ++#include <linux/xattr.h> + #include <sys/smack.h> + #include <sys/capability.h> + +-- +2.1.4 diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch new file mode 100644 index 00000000..a948343f --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch @@ -0,0 +1,32 @@ +From: José Bollo <jose.bollo@iot.bzh> +Date: Tue, 30 Oct 2015 14:32:03 -0100 +Subject: [PATCH] libcap without pkgconfig + +Handles libcap that isn't distributed for pkg-config + +--- + src/client/CMakeLists.txt | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/client/CMakeLists.txt b/src/client/CMakeLists.txt +index 5399a55..0250ce2 100644 +--- a/src/client/CMakeLists.txt ++++ b/src/client/CMakeLists.txt +@@ -1,7 +1,6 @@ + PKG_CHECK_MODULES(CLIENT_DEP + REQUIRED + libsmack +- libcap + ) + + SET(CLIENT_VERSION_MAJOR 1) +@@ -37,6 +36,7 @@ SET_TARGET_PROPERTIES(${TARGET_CLIENT} + TARGET_LINK_LIBRARIES(${TARGET_CLIENT} + ${TARGET_COMMON} + ${CLIENT_DEP_LIBRARIES} ++ cap + ) + + INSTALL(TARGETS ${TARGET_CLIENT} DESTINATION ${LIB_INSTALL_DIR}) +-- +2.1.4 diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch new file mode 100644 index 00000000..f9497307 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch @@ -0,0 +1,78 @@ +From 1e2f8f58d4320afa1d83a6f94822e53346108ee8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Mon, 16 Nov 2015 15:56:27 +0100 +Subject: [PATCH] removes dependency to libslp-db-utils + +Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec +--- + src/common/CMakeLists.txt | 1 ++- + src/dpl/db/src/sql_connection.cpp | 17 +---------------- + 2 files changed, 3 additions(+), 17 deletions(-) + +diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt +index 968c7c1..d1fe644 100644 +--- a/src/common/CMakeLists.txt ++++ b/src/common/CMakeLists.txt +@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP + REQUIRED + libsystemd + libsmack +- db-util ++ sqlite3 ++ icu-i18n + cynara-admin + cynara-client + ) +diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp +index fdb4fe4..1fb97be 100644 +--- a/src/dpl/db/src/sql_connection.cpp ++++ b/src/dpl/db/src/sql_connection.cpp +@@ -26,7 +26,6 @@ + #include <memory> + #include <dpl/noncopyable.h> + #include <dpl/assert.h> +-#include <db-util.h> + #include <unistd.h> + #include <cstdio> + #include <cstdarg> +@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address, + + // Connect to database + int result; +- if (type & Flag::UseLucene) { +- result = db_util_open_with_options( +- address.c_str(), +- &m_connection, +- flag, +- NULL); +- +- m_usingLucene = true; +- LogPedantic("Lucene index enabled"); +- } else { ++ (void)type; + result = sqlite3_open_v2( + address.c_str(), + &m_connection, +@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address, + + m_usingLucene = false; + LogPedantic("Lucene index disabled"); +- } + + if (result == SQLITE_OK) { + LogPedantic("Connected to DB"); +@@ -653,11 +642,7 @@ void SqlConnection::Disconnect() + + int result; + +- if (m_usingLucene) { +- result = db_util_close(m_connection); +- } else { + result = sqlite3_close(m_connection); +- } + + if (result != SQLITE_OK) { + const char *error = sqlite3_errmsg(m_connection); +-- +2.1.4 + diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch new file mode 100644 index 00000000..ac57964c --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch @@ -0,0 +1,35 @@ +From d2995014142306987bf86b4d508a84b9b4683c5c Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 19 Aug 2015 15:02:32 +0200 +Subject: [PATCH 2/2] security-manager-policy-reload: do not depend on GNU sed + +\U (= make replacement uppercase) is a GNU sed extension which is not +supported by other sed implementation's (like the one from +busybox). When using busybox, the bucket for user profiles became +USER_TYPE_Uadmin instead USER_TYPE_ADMIN. + +To make SecurityManager more portable, better use tr to turn the +bucket name into uppercase. + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 + +--- + policy/security-manager-policy-reload | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload +index 274c49c..6f211c6 100755 +--- a/policy/security-manager-policy-reload ++++ b/policy/security-manager-policy-reload +@@ -33,7 +33,7 @@ END + find "$POLICY_PATH" -name "usertype-*.profile" | + while read file + do +- bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`" ++ bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`" + + # Re-create the bucket with empty contents + cyad --delete-bucket=$bucket || true +-- +2.1.4 diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch new file mode 100644 index 00000000..fa4c21c7 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch @@ -0,0 +1,47 @@ +From 75c4852e47217ab85d6840b488ab4b3688091856 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Fri, 8 Jan 2016 16:53:46 +0100 +Subject: [PATCH 1/2] socket-manager: removes tizen specific call +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The function 'smack_fgetlabel' is specific to Tizen +and is no more maintained upstream. + +Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/] + +Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f +Signed-off-by: José Bollo <jobol@nonadev.net> +--- + src/server/main/socket-manager.cpp | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp +index 0366186..c5cec18 100644 +--- a/src/server/main/socket-manager.cpp ++++ b/src/server/main/socket-manager.cpp +@@ -30,6 +30,7 @@ + #include <sys/types.h> + #include <sys/socket.h> + #include <sys/smack.h> ++#include <linux/xattr.h> + #include <sys/un.h> + #include <sys/stat.h> + #include <unistd.h> +@@ -500,9 +501,9 @@ int SocketManager::CreateDomainSocketHelp( + if (smack_check()) { + LogInfo("Set up smack label: " << desc.smackLabel); + +- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) { +- LogError("Error in smack_fsetlabel"); +- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel"); ++ if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) { ++ LogError("Error in smack_set_label_for_file"); ++ ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file"); + } + } else { + LogInfo("No smack on platform. Socket won't be securied with smack label!"); +-- +2.1.4 + diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch b/meta-agl/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch new file mode 100644 index 00000000..cd5c36a6 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch @@ -0,0 +1,47 @@ +From 8ec024d2adecb53029c6f1af2b95c93dfd43a7cb Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Tue, 24 Mar 2015 04:54:03 -0700 +Subject: [PATCH] systemd: stop using compat libs + +libsystemd-journal and libsystemd-daemon are considered obsolete +in systemd since 2.09 and may not be available (not compiled +by default). + +The code works fine with the current libsystemd, so just +use that. + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1 + +--- + src/common/CMakeLists.txt | 2 +- + src/server/CMakeLists.txt | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt +index 2da9c3e..968c7c1 100644 +--- a/src/common/CMakeLists.txt ++++ b/src/common/CMakeLists.txt +@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2) + + PKG_CHECK_MODULES(COMMON_DEP + REQUIRED +- libsystemd-journal ++ libsystemd + libsmack + db-util + cynara-admin +diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt +index 753eb96..6849d76 100644 +--- a/src/server/CMakeLists.txt ++++ b/src/server/CMakeLists.txt +@@ -1,6 +1,6 @@ + PKG_CHECK_MODULES(SERVER_DEP + REQUIRED +- libsystemd-daemon ++ libsystemd + ) + + FIND_PACKAGE(Boost REQUIRED) +-- +2.1.4 diff --git a/meta-agl/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-agl/meta-security/recipes-security/security-manager/security-manager_git.bb new file mode 100644 index 00000000..3cbc3aea --- /dev/null +++ b/meta-agl/meta-security/recipes-security/security-manager/security-manager_git.bb @@ -0,0 +1,38 @@ +require security-manager.inc + +PV = "1.0.2+git${SRCPV}" +SRCREV = "860305a595d681d650024ad07b3b0977e1fcb0a6" +SRC_URI += "git://github.com/Samsung/security-manager.git" +S = "${WORKDIR}/git" + +SRC_URI += " \ +file://systemd-stop-using-compat-libs.patch \ +file://security-manager-policy-reload-do-not-depend-on-GNU-.patch \ +file://0001-Smack-rules-create-two-new-functions.patch \ +file://0002-app-install-implement-multiple-set-of-smack-rules.patch \ +file://c-11-replace-depracated-auto_ptr.patch \ +file://socket-manager-removes-tizen-specific-call.patch \ +file://Removing-tizen-platform-config.patch \ +file://removes-dependency-to-libslp-db-utils.patch \ +file://0001-Fix-gcc8-warning-error-Werror-catch-value.patch \ +file://0001-Avoid-casting-from-const-T-to-void.patch \ +" + +########################################## +# This are patches for backward compatibility to the version dizzy of poky. +# The dizzy version of libcap isn't providing a packconfig file. +# This is solved by the patch libcap-without-pkgconfig.patch. +# But after solving that issue, it appears that linux/xattr.h should +# also be include add definitions of XATTR_NAME_SMACK... values. +# Unfortunately, there is no explanation why linux/xattr.h should +# also be included (patch include-linux-xattr.patch) +########################################## +do_patch[depends] = "libcap:do_populate_sysroot" +APPLY = "${@str('no' if os.path.exists('${STAGING_LIBDIR}/pkgconfig/libcap.pc') else 'yes')}" +SRC_URI += "\ + file://libcap-without-pkgconfig.patch;apply=${APPLY} \ + file://include-linux-xattr.patch;apply=${APPLY} \ +" + +# Use make with cmake and not ninja +OECMAKE_GENERATOR = "Unix Makefiles" diff --git a/meta-agl/meta-security/recipes-security/smacknet/files/smacknet b/meta-agl/meta-security/recipes-security/smacknet/files/smacknet new file mode 100644 index 00000000..3818d30a --- /dev/null +++ b/meta-agl/meta-security/recipes-security/smacknet/files/smacknet @@ -0,0 +1,184 @@ +#!/usr/bin/python +# Copyright (c) 2012, 2013, Intel Corporation +# Copyright (c) 2009 David Wolinsky <davidiw@ufl.edu), University of Florida +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# 3. The name of the author may not be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +import socket,fcntl, struct, thread +import os.path +import sys + +SMACKFS_LOAD="/sys/fs/smackfs/load2" +SMACKFS_NETLABEL="/sys/fs/smackfs/netlabel" +SIOCGIFADDR = 0x8915 +SIOCGIFNETMASK = 0x891b + +def get_ip_address(ifname): + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + return fcntl.ioctl(s.fileno(), SIOCGIFADDR, + struct.pack('256s', ifname.encode("utf-8")))[20:24] + +def get_netmask(ifname): + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + return fcntl.ioctl(s.fileno(), SIOCGIFNETMASK, + struct.pack('256s', ifname.encode("utf-8")))[20:24] + +def applynetlabeltags(interface, addr): + if not interface.startswith("lo"): + bmask = get_netmask(interface.encode("utf-8")) + prefix = bin(struct.unpack(">L", bmask)[0]).count("1") + tags = [ + addr+"/"+str(prefix)+" Network::Local\n", + "0.0.0.0/0 Network::Cloud\n", + "127.0.0.1/8 -CIPSO\n"] + smackfs_netlabel(tags) + +def loadnetlabelrules(): + rulesSystem = [ + "System Network::Cloud w\n", + "System Network::Local w\n", + "Network::Cloud System w\n", + "Network::Local System w\n"] + smackfs_load2(rulesSystem) + +def smackfs_load2 (rules): + with open(SMACKFS_LOAD, "w") as load2: + for rule in rules: + load2.write(rule) + +def smackfs_netlabel (tags): + for tag in tags: + with open(SMACKFS_NETLABEL, "w") as netlabel: + netlabel.write(tag) + +""" + Source of: Class ip monitor, and other functions named bellow. + Original author: David Wolinsky <davidiw@ufl.edu + Copied from: https://github.com/davidiw/Grid-Appliance/blob/master/scripts/ip_monitor.py + +""" + +"""4 byte alignment""" + +def align(inc): + diff = inc % 4 + return inc + ((4 - diff) % 4) + +class ifaddr: + """Parse an ifaddr packet""" + LOCAL = 2 + LABEL = 3 + + def __init__(self, packet): + self.family, self.prefixlen, self.flags, self.scope, self.index = \ + struct.unpack("BBBBI", packet[:8]) + +class rtattr: + """Parse a rtattr packet""" + GRP_IPV4_IFADDR = 0x10 + + NEWADDR = 20 + DELADDR = 21 + GETADDR = 22 + + def __init__(self, packet): + self.len, self.type = struct.unpack("HH", packet[:4]) + if self.type == ifaddr.LOCAL: + addr = struct.unpack("BBBB", packet[4:self.len]) + self.payload = "%s.%s.%s.%s" % (addr[0], addr[1], addr[2], addr[3]) + elif self.type == ifaddr.LABEL: + self.payload = packet[4:self.len].strip("\0") + else: + self.payload = packet[4:self.len] + +class netlink: + """Parse a netlink packet""" + REQUEST = 1 + ROOT = 0x100 + MATCH = 0x200 + DONE = 3 + + def __init__(self, packet): + self.msglen, self.msgtype, self.flags, self.seq, self.pid = \ + struct.unpack("IHHII", packet[:16]) + self.ifa = None + try: + self.ifa = ifaddr(packet[16:24]) + except: + return + + self.rtas = {} + pos = 24 + while pos < self.msglen: + try: + rta = rtattr(packet[pos:]) + except: + break + pos += align(rta.len) + self.rtas[rta.type] = rta.payload + +class ip_monitor: + def __init__(self, callback = None): + if callback == None: + callback = self.print_cb + self._callback = callback + + def print_cb(self, label, addr): + print (label + " => " + addr) + + def request_addrs(self, sock): + sock.send(struct.pack("IHHIIBBBBI", 24, rtattr.GETADDR, \ + netlink.REQUEST | netlink.ROOT | netlink.MATCH, 0, sock.getsockname()[0], \ + socket.AF_INET, 0, 0, 0, 0)) + + def start_thread(self): + thread.start_new_thread(self.run, ()) + + def run(self): + sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE) + sock.bind((0, rtattr.GRP_IPV4_IFADDR)) + self.request_addrs(sock) + + while True: + data = sock.recv(4096) + pos = 0 + while pos < len(data): + nl = netlink(data[pos:]) + if nl.msgtype == netlink.DONE: + break + pos += align(nl.msglen) + if nl.msgtype != rtattr.NEWADDR: + continue + self._callback(nl.rtas[ifaddr.LABEL], nl.rtas[ifaddr.LOCAL]) + +def main(): + if not os.path.isfile(SMACKFS_LOAD): + print ("Smack not found.") + return -1 + loadnetlabelrules() + + ip_monitor(applynetlabeltags).run() + +if __name__ == "__main__": + main() diff --git a/meta-agl/meta-security/recipes-security/smacknet/files/smacknet.service b/meta-agl/meta-security/recipes-security/smacknet/files/smacknet.service new file mode 100644 index 00000000..218d8b89 --- /dev/null +++ b/meta-agl/meta-security/recipes-security/smacknet/files/smacknet.service @@ -0,0 +1,11 @@ +[Unit] +Description=netlabels configuration for SMACK +Wants=network.target network-online.target +After=network.target network-online.target + +[Service] +TimeoutStartSec=0 +ExecStart=@BINDIR@/smacknet + +[Install] +WantedBy=multi-user.target diff --git a/meta-agl/meta-security/recipes-security/smacknet/smacknet.bb b/meta-agl/meta-security/recipes-security/smacknet/smacknet.bb new file mode 100644 index 00000000..553456ae --- /dev/null +++ b/meta-agl/meta-security/recipes-security/smacknet/smacknet.bb @@ -0,0 +1,29 @@ +#SMACKNET Description +SUMMARY = "Smack network labels configuration" +DESCRIPTION = "Provide service that will be labeling the network rules" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9" +RDEPENDS_${PN} = "python" + +SRC_URI += "file://smacknet \ + file://smacknet.service \ + " +S = "${WORKDIR}" + +inherit systemd + +inherit distro_features_check +REQUIRED_DISTRO_FEATURES = "smack" + +#netlabel configuration service +SYSTEMD_SERVICE_${PN} = "smacknet.service" +SYSTEMD_AUTO_ENABLE = "enable" +do_install(){ + install -d ${D}${bindir} + install -m 0551 ${WORKDIR}/smacknet ${D}${bindir} + + install -d -m 755 ${D}${systemd_unitdir}/system + install -m 644 ${WORKDIR}/smacknet.service ${D}${systemd_unitdir}/system + sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_unitdir}/system/smacknet.service +} + diff --git a/meta-agl/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend b/meta-agl/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend new file mode 100644 index 00000000..9c6080fc --- /dev/null +++ b/meta-agl/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend @@ -0,0 +1,3 @@ +# remove the EXTRA_OECONF from the recipe to +# avoid an build error in >= YP SUMO +EXTRA_OECONF = "" |