From: Gerrit Code Review
Date: Tue, 28 Mar 2017 13:52:42 +0000 (+0000)
Subject: Merge "Merge: migrate appfw from meta-agl-extra"
X-Git-Tag: 3.99.1~104
X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=commitdiff_plain;h=2ceaa31f4137a5a9fb759338827f4b5d1d995772;hp=ef0b30d05bd1d04ebe5edfafd1c26d2b09bd7d6e;p=AGL%2Fmeta-agl.git
Merge "Merge: migrate appfw from meta-agl-extra"
---
diff --git a/meta-app-framework/classes/aglwgt.bbclass b/meta-app-framework/classes/aglwgt.bbclass
new file mode 100644
index 000000000..afe9a5516
--- /dev/null
+++ b/meta-app-framework/classes/aglwgt.bbclass
@@ -0,0 +1,61 @@ +# +# aglwgt bbclass +# +# Jan-Simon Moeller, jsmoeller@linuxfoundation.org +# +# This class expects a "make package" target in the makefile +# which creates the wgt files in the package/ subfolder. +# The makefile needs to use wgtpkg-pack. +# + + +# 'wgtpkg-pack' in af-main-native is required. +DEPENDS_append = " af-main-native" + +# for bindings af-binder is required. +DEPENDS_append = " af-binder" + +do_aglwgt_package() { + cd ${B} + make package || ( \ + bbwarn "Your makefile must support the 'make package' target" ; \ + bbwarn "and generate a .wgt file using wgtpack in the"; \ + bbwarn "subfolder ./package/ !" ; \ + bbwarn "Fix your package as it will not work within the SDK" ; \ + bbwarn "See: https://wiki.automotivelinux.org/troubleshooting/app-recipes" \ + ) +} + +python () { + d.setVarFlag('do_aglwgt_deploy', 'fakeroot', '1') +} + + +POST_INSTALL_LEVEL ?= "10" +POST_INSTALL_SCRIPT ?= "${POST_INSTALL_LEVEL}-${PN}.sh" + +EXTRA_WGT_POSTINSTALL ?= "" + +do_aglwgt_deploy() { + install -d ${D}/usr/AGL/apps + install -m 0644 ${B}/package/*.wgt ${D}/usr/AGL/apps/ + APP_FILES="" + for file in ${D}/usr/AGL/apps/*.wgt;do + APP_FILES="${APP_FILES} $(basename $file)"; + done + install -d ${D}/${sysconfdir}/agl-postinsts + cat > ${D}/${sysconfdir}/agl-postinsts/${POST_INSTALL_SCRIPT} < +Date: Thu, 21 Jan 2016 15:07:29 +0100 +Subject: [PATCH] Hack to allow the debugging + +This is a temporarily fix to continue debugging +afm-main. This should be removed later. + +Change-Id: I2f10f0cb1fce2ee30bd0754ad2e7bc8e2f6513aa +--- + conf/afm-user-daemon.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/conf/afm-user-daemon.conf b/conf/afm-user-daemon.conf +index 801c7ae..98a3152 100644 +--- a/conf/afm-user-daemon.conf ++++ b/conf/afm-user-daemon.conf +@@ -25,7 +25,7 @@ + + + +- ++ + + + +-- +2.1.4 + 
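Review bot: In `do_aglwgt_package`, a failing `make package` is only reported through `bbwarn`, so the `||` list still ends with status 0 and the task succeeds although no .wgt file was produced. `do_aglwgt_deploy` then runs `install -m 0644 ${B}/package/*.wgt ${D}/usr/AGL/apps/` against a glob that matches nothing and will most likely fail there with a far less helpful message. Since the class header documents `make package` as a requirement, the last message could be raised with `bbfatal "Fix your package as it will not work within the SDK"` so the failure is reported by the task that caused it. A one-line comment above `do_aglwgt_deploy` stating that it expects at least one .wgt file in `${B}/package/` would also help.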
diff --git a/meta-app-framework/recipes-core/af-main/af-main/add-qt-wayland-shell-integration.patch b/meta-app-framework/recipes-core/af-main/af-main/add-qt-wayland-shell-integration.patch new file mode 100644 index 000000000..c92415b80 --- /dev/null +++ b/meta-app-framework/recipes-core/af-main/af-main/add-qt-wayland-shell-integration.patch @@ -0,0 +1,12 @@ +diff --git a/conf/afm-unit.conf b/conf/afm-unit.conf +index 82113ef..2fbc9e2 100644 +--- a/conf/afm-unit.conf ++++ b/conf/afm-unit.conf +@@ -127,6 +127,7 @@ SuccessExitStatus=0 SIGKILL + WorkingDirectory=-{{&#metadata.app-data-dir}}/{{id}} + ExecStartPre=/bin/mkdir -p {{&#metadata.app-data-dir}}/{{id}} + Environment=AFM_APP_INSTALL_DIR={{:#metadata.install-dir}} ++Environment=QT_WAYLAND_SHELL_INTEGRATION=ivi-shell + + %systemd-unit user + {{#required-permission.urn:AGL:permission::public:hidden}}\ diff --git a/meta-app-framework/recipes-core/af-main/af-main/afm-install b/meta-app-framework/recipes-core/af-main/af-main/afm-install new file mode 100755 index 000000000..6d37baed8 --- /dev/null +++ b/meta-app-framework/recipes-core/af-main/af-main/afm-install @@ -0,0 +1,44 @@ +#!/bin/sh + +pretty() { + sed \ + -e '/^method return .*/d' \ + -e 's/^Error org.freedesktop.DBus.Error.Failed: "\?\(.*\)"\?$/ERROR: \1/' \ + -e 's/^ string "\(.*\)"/\1/' \ + -e 's/},/&\n/' +} + +send() { + dbus-send --system --print-reply \ + --dest=org.AGL.afm.system \ + /org/AGL/afm/system \ + org.AGL.afm.system.$1 \ + "string:$2" | + pretty +} + +case "$1" in + + add|install) + f=$(realpath $2) + send install '{"wgt":"'"$f"'","force":true}' + ;; + + -h|--help|help) + cat << EOC + +The commands are: + + add wgt + install wgt install the wgt file + +EOC + ;; + + *) + echo "unknown command $1" >&2 + exit 1 + ;; +esac + + diff --git a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb new file mode 100644 index 000000000..3c1b692f3 --- /dev/null 
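Review bot: In the `add|install` branch of `afm-install`, the JSON request is assembled by pasting `$f` between quotes (`'{"wgt":"'"$f"'","force":true}'`), so a widget path containing `"` or `\` yields a malformed request or one carrying keys the caller did not intend, and that string is sent to `org.AGL.afm.system` on the system bus. `realpath $2` is also unquoted, so a path with spaces is split before it is resolved and a missing argument goes undetected. Quote the argument and refuse characters that are special in JSON before building the request, for example `f=$(realpath "$2") || exit 1` followed by `case "$f" in *[\"\\]*) echo "unsupported character in path" >&2; exit 1;; esac`. `"force":true` is hard-coded; a comment saying why a forced install is always wanted would help the next reader.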
+++ b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb 
@@ -0,0 +1,106 @@ +require af-main_${PV}.inc + +# NOTE: using libcap-native and setcap in install doesn't work +# NOTE: there is no SYSTEMD_USER_SERVICE_... +# NOTE: maybe setting afm_name to agl-framework is cleaner but has implications +# NOTE: there is a hack of security for using groups and dbus (to be checked) +# NOTE: using ZIP programs creates directories with mode 777 (very bad) + +inherit cmake pkgconfig useradd systemd +BBCLASSEXTEND = "native" + +SECTION = "base" + +DEPENDS = "openssl libxml2 xmlsec1 systemd libzip json-c systemd security-manager libcap-native af-binder" +DEPENDS_class-native = "openssl libxml2 xmlsec1 libzip json-c" + +EXTRA_OECMAKE_class-native = "\ + -DUSE_LIBZIP=1 \ + -DUSE_SIMULATION=1 \ + -DUSE_SDK=1 \ + -Dafm_name=${afm_name} \ + -Dafm_confdir=${afm_confdir} \ + -Dafm_datadir=${afm_datadir} \ +" + +EXTRA_OECMAKE = "\ + -DUSE_LIBZIP=1 \ + -DUSE_SIMULATION=0 \ + -DUSE_SDK=0 \ + -Dafm_name=${afm_name} \ + -Dafm_confdir=${afm_confdir} \ + -Dafm_datadir=${afm_datadir} \ + -Dsystemd_units_root=${systemd_units_root} \ + -DUNITDIR_USER=${systemd_user_unitdir} \ + -DUNITDIR_SYSTEM=${systemd_system_unitdir} \ +" + +USERADD_PACKAGES = "${PN}" +USERADD_PARAM_${PN} = "-g ${afm_name} -d ${afm_datadir} -r ${afm_name}" +GROUPADD_PARAM_${PN} = "-r ${afm_name}" + +SYSTEMD_SERVICE_${PN} = "afm-system-daemon.service" +SYSTEMD_AUTO_ENABLE = "enable" + +FILES_${PN} += "\ + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_user_unitdir}/afm-user-daemon.service', '', d)} \ +" +RDEPENDS_${PN}_append_smack = " smack-userspace" +DEPENDS_append_smack = " smack-userspace-native" + +# short hacks here +SRC_URI += "\ + file://Hack-to-allow-the-debugging.patch \ +" + +# tools used to install wgt at first boot +SRC_URI += "\ + file://afm-install \ + file://add-qt-wayland-shell-integration.patch \ +" + +do_install_append() { + install -d ${D}${bindir} + install -d -m 0775 ${D}${systemd_units_root}/{system,user} + install -d -m 0775 
${D}${systemd_units_root}/{system,user}/default.target.wants + install -d ${D}${afm_datadir}/{applications,icons} + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + mkdir -p ${D}${sysconfdir}/systemd/{system,user}/default.target.wants + ln -sf ${systemd_user_unitdir}/afm-user-daemon.service ${D}${sysconfdir}/systemd/user/default.target.wants + fi + install -m 0755 ${WORKDIR}/afm-install ${D}${bindir} +} + +do_install_append_qemux86-64() { + sed -i -e '/LD_PRELOAD=\/usr\/lib\/libEGL.so/d' ${D}${systemd_user_unitdir}/afm-user-daemon.service +} + +pkg_postinst_${PN}() { + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + chgrp ${afm_name} $D${systemd_units_root}/{system,user}/{default.target.wants,.} + fi + chown ${afm_name}:${afm_name} $D${afm_datadir}/{applications,icons,.} + setcap cap_mac_override,cap_dac_override=ep $D${bindir}/afm-system-daemon + setcap cap_mac_override,cap_mac_admin,cap_setgid=ep $D${bindir}/afm-user-daemon +} + +pkg_postinst_${PN}_smack() { + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + chgrp ${afm_name} $D${systemd_units_root}/{system,user}/{default.target.wants,.} + chsmack -a 'System::Shared' -t $D${systemd_units_root}/{system,user}/{default.target.wants,.} + fi + chown ${afm_name}:${afm_name} $D${afm_datadir}/{applications,icons,.} + chsmack -a 'System::Shared' -t $D${afm_datadir}/{applications,icons,.} + setcap cap_mac_override,cap_dac_override=ep $D${bindir}/afm-system-daemon + setcap cap_mac_override,cap_mac_admin,cap_setgid=ep $D${bindir}/afm-user-daemon +} +FILES_${PN} += " ${systemd_units_root} " + +PACKAGES =+ "${PN}-binding ${PN}-binding-dbg" +FILES_${PN}-binding = " ${afb_binding_dir}/afm-main-binding.so " +FILES_${PN}-binding-dbg = " ${afb_binding_dir}/.debug/afm-main-binding.so " + +PACKAGES =+ "${PN}-tools ${PN}-tools-dbg" +FILES_${PN}-tools = "${bindir}/wgtpkg-*" +FILES_${PN}-tools-dbg = "${bindir}/.debug/wgtpkg-*" + 
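Review bot: `Hack-to-allow-the-debugging.patch` is appended to `SRC_URI` unconditionally under `# short hacks here`, although the patch's own message calls it a temporary fix that should be removed later and it edits the D-Bus policy file `conf/afm-user-daemon.conf`. The policy change itself is not readable on this page, but the recipe header already notes "a hack of security for using groups and dbus (to be checked)", so every image built from this recipe presumably ships the relaxed policy. Consider applying it to debug builds only, e.g. `SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', '<debug-feature-placeholder>', 'file://Hack-to-allow-the-debugging.patch', '', d)}"`, or dropping it. Separately, `do_install_append` and both `pkg_postinst` variants rely on `{system,user}` brace expansion, which only works when the shell running them supports it, and the unit directories under `${systemd_units_root}` are created `0775` and handed to group `${afm_name}`, which deserves a comment explaining who is expected to write unit files there.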
diff --git a/meta-app-framework/recipes-core/af-main/af-main_1.0.inc b/meta-app-framework/recipes-core/af-main/af-main_1.0.inc new file mode 100644 index 000000000..6ce87ed71 --- /dev/null +++ b/meta-app-framework/recipes-core/af-main/af-main_1.0.inc @@ -0,0 +1,26 @@ +SUMMARY = "AGL Framework Main part" +DESCRIPTION = "\ +This is a core framework component for managing \ +applications, widgets, and components. \ +" + +HOMEPAGE = "https://gerrit.automotivelinux.org/gerrit/#/admin/projects/src/app-framework-main" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://COPYING;md5=3b83ef96387f14655fc854ddc3c6bd57" + +SRC_URI_git = "git://gerrit.automotivelinux.org/gerrit/src/app-framework-main;protocol=https;branch=master" +SRC_URI_files = "" +SRC_URI = "${SRC_URI_git} \ + ${SRC_URI_files} \ + " + +SRCREV = "255c83029f56e8d90e7ce185b007c4ca65afec1e" + +S = "${WORKDIR}/git" + +afm_name = "afm" +afm_confdir = "${sysconfdir}/${afm_name}" +afm_datadir = "/var/local/lib/${afm_name}" +afb_binding_dir = "${libdir}/afb" +systemd_units_root = "/usr/local/lib/systemd" + diff --git a/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb b/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb new file mode 100644 index 000000000..8d044345f --- /dev/null +++ b/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb @@ -0,0 +1,26 @@ +require af-main_${PV}.inc + +inherit nativesdk cmake pkgconfig + +SECTION = "base" + +DEPENDS = "nativesdk-openssl nativesdk-libxml2 nativesdk-xmlsec1 nativesdk-libzip nativesdk-json-c" + +EXTRA_OECMAKE = "\ + -DUSE_LIBZIP=1 \ + -DUSE_SIMULATION=1 \ + -DUSE_SDK=1 \ + -Dafm_name=${afm_name} \ + -Dafm_confdir=${afm_confdir} \ + -Dafm_datadir=${afm_datadir} \ +" + +do_install_append() { + # remove unused .pc file we don't want to package + rm -rf ${D}/${libdir} +} + +PACKAGES = "${PN}-tools ${PN}-tools-dbg" +FILES_${PN}-tools = "${bindir}/wgtpkg-* ${afm_confdir}/*" +FILES_${PN}-tools-dbg = "${bindir}/.debug/wgtpkg-*" + 
diff --git a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 000000000..7e12bc829
--- /dev/null
+++ b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,22 @@ +DEPENDS_append_smack = " smack-userspace-native" +RDEPENDS_${PN}_append_smack = " smack-userspace" + +do_install_append() { + install -d ${D}/${sysconfdir}/skel/app-data + install -d ${D}/${sysconfdir}/skel/.config +} + +do_install_append_smack () { + install -d ${D}/${sysconfdir}/smack/accesses.d + cat > ${D}/${sysconfdir}/smack/accesses.d/default-access-domains-no-user < +Date: Wed, 19 Oct 2016 13:45:54 +0200 +Subject: [PATCH] Adapt rules to AGL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AGL distribution uses the repository https://github.com/01org/meta-intel-iot-security.git +as basis for the integration of security framework. The security framework +that it provides is an evolution of the security framework of tizen refited +to the distribution Ostro of Intel. This refit took the decision to simplify +the model by removing the running label "User". More can be viewed here: +https://github.com/01org/meta-intel-iot-security/pull/116 + +This commits adapt the template to the rules that are now needed +after this evolution. + +It also integrates one other evolutions: the shared label becomes User::App-Shared instead +of User::App::Shared to avoid collision with application of id "Shared". 
+ +Change-Id: Ieb566b63f8c8e691b5f75e06499a3b576d042546 +Signed-off-by: José Bollo +--- + policy/app-rules-template.smack | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack +index 1311169..b4cd2e3 100644 +--- a/policy/app-rules-template.smack ++++ b/policy/app-rules-template.smack +@@ -1,12 +1,10 @@ +-System ~APP~ rwx ++System ~APP~ rwxa ++System ~PKG~ rwxat + ~APP~ System wx + ~APP~ System::Shared rx + ~APP~ System::Run rwxat + ~APP~ System::Log rwxa + ~APP~ _ l +-User ~APP~ rwxa +-User ~PKG~ rwxat +-~APP~ User wx + ~APP~ User::Home rxl +-~APP~ User::App::Shared rwxat ++~APP~ User::App-Shared rwxat + ~APP~ ~PKG~ rwxat +-- +2.7.4 + diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch new file mode 100644 index 000000000..43a3ee103 --- /dev/null +++ b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch 
@@ -0,0 +1,40 @@ +From 19c99315a5dcba3b696c30d1fdd42a1dcd574a80 Mon Sep 17 00:00:00 2001 +From: Ronan +Date: Thu, 13 Oct 2016 11:37:47 +0200 +Subject: [PATCH] Fix Cmake conf for gcc6 build + +Signed-off-by: Ronan +--- + src/cmd/CMakeLists.txt | 4 +--- + src/server/CMakeLists.txt | 1 - + 2 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt +index ee9a160..aa7a12c 100644 +--- a/src/cmd/CMakeLists.txt ++++ b/src/cmd/CMakeLists.txt +@@ -1,8 +1,6 @@ + FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options) + +-INCLUDE_DIRECTORIES(SYSTEM +- ${Boost_INCLUDE_DIRS} +- ) ++ + + INCLUDE_DIRECTORIES( + ${INCLUDE_PATH} +diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt +index 753eb96..8eef25d 100644 +--- a/src/server/CMakeLists.txt ++++ b/src/server/CMakeLists.txt +@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED) + + INCLUDE_DIRECTORIES(SYSTEM + ${SERVER_DEP_INCLUDE_DIRS} +- ${Boost_INCLUDE_DIRS} + ${Threads_INCLUDE_DIRS} + ) + +-- +2.6.6 + diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch new file mode 100644 index 000000000..1b3c8c427 --- /dev/null +++ b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch 
@@ -0,0 +1,38 @@ +From cb9acc2b723b297ee373bf814282711f02657aa5 Mon Sep 17 00:00:00 2001 +From: Ronan +Date: Wed, 12 Oct 2016 17:48:55 +0200 +Subject: [PATCH] Fix gcc6 build + +Signed-off-by: ronan +--- + src/client/client-security-manager.cpp | 1 + + src/common/include/privilege_db.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp +index 74a6b30..347cddd 100644 +--- a/src/client/client-security-manager.cpp ++++ b/src/client/client-security-manager.cpp +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + + static const char *EMPTY = ""; + +diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h +index 03c6680..8dd39a1 100644 +--- a/src/common/include/privilege_db.h ++++ b/src/common/include/privilege_db.h +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include + +-- +2.6.6 + diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch new file mode 100644 index 000000000..4830db2a8 --- /dev/null +++ b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch 
@@ -0,0 +1,196 @@ +From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= +Date: Mon, 16 Nov 2015 14:26:25 +0100 +Subject: [PATCH] Removing tizen-platform-config + +Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121 +--- + policy/security-manager-policy-reload | 2 +- + src/common/file-lock.cpp | 4 +--- + src/common/include/file-lock.h | 1 - + src/common/include/privilege_db.h | 3 +-- + src/common/service_impl.cpp | 39 +++++++++++------------------------ + src/common/smack-rules.cpp | 12 ++++------- + 6 files changed, 19 insertions(+), 42 deletions(-) + +diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload +index 6f211c6..ed8047a 100755 +--- a/policy/security-manager-policy-reload ++++ b/policy/security-manager-policy-reload +@@ -2,7 +2,7 @@ + + POLICY_PATH=/usr/share/security-manager/policy + PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list +-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db ++DB_FILE=/var/db/security-manager/.security-manager.db + + # Create default buckets + while read bucket default_policy +diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp +index 6f3996c..1dada17 100644 +--- a/src/common/file-lock.cpp ++++ b/src/common/file-lock.cpp +@@ -30,9 +30,7 @@ + + namespace SecurityManager { + +-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN, +- "lock", +- "security-manager.lock"); ++char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock"; + + FileLocker::FileLocker(const std::string &lockFile, bool blocking) + { +diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h +index 604b019..21a86a0 100644 +--- a/src/common/include/file-lock.h ++++ b/src/common/include/file-lock.h +@@ -29,7 +29,6 @@ + + #include + #include +-#include + + namespace SecurityManager { + +diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h +index 
4d73d90..03c6680 100644 +--- a/src/common/include/privilege_db.h ++++ b/src/common/include/privilege_db.h +@@ -34,14 +34,13 @@ + #include + + #include +-#include + + #ifndef PRIVILEGE_DB_H_ + #define PRIVILEGE_DB_H_ + + namespace SecurityManager { + +-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db"); ++const char *const PRIVILEGE_DB_PATH = "/var/db/security-manager/.security-manager.db"; + + enum class QueryType { + EGetPkgPrivileges, +diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp +index ae305d3..65cc8b5 100644 +--- a/src/common/service_impl.cpp ++++ b/src/common/service_impl.cpp +@@ -32,7 +32,6 @@ + #include + + #include +-#include + + #include "protocols.h" + #include "privilege_db.h" +@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr, + + static uid_t getGlobalUserId(void) + { +- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER); ++ static uid_t globaluid = 0; ++ if (!globaluid) { ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwnam_r("userapp", &pw, buf, sizeof buf, &p); ++ globaluid = (rc || p == NULL) ? 555 : p->pw_uid; ++ } + return globaluid; + } + +@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir) + + static bool getUserAppDir(const uid_t &uid, std::string &userAppDir) + { +- struct tzplatform_context *tz_ctx = nullptr; +- +- if (tzplatform_context_create(&tz_ctx)) +- return false; +- +- if (tzplatform_context_set_user(tz_ctx, uid)) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; ++ struct passwd pw, *p; ++ char buf[4096]; ++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p); ++ if (rc || p == NULL) + return false; +- } +- +- enum tzplatform_variable id = +- (uid == getGlobalUserId()) ? 
TZ_SYS_RW_APP : TZ_USER_APP; +- const char *appDir = tzplatform_context_getenv(tz_ctx, id); +- if (!appDir) { +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- return false; +- } +- +- userAppDir = appDir; +- +- tzplatform_context_destroy(tz_ctx); +- tz_ctx = nullptr; +- ++ userAppDir = p->pw_dir; + return true; + } + + static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath) + { +- std::string userHome; + std::string userAppDir; + std::stringstream correctPath; + +diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp +index d834e42..8b5728b 100644 +--- a/src/common/smack-rules.cpp ++++ b/src/common/smack-rules.cpp +@@ -34,7 +34,6 @@ + #include + + #include +-#include + + #include "smack-labels.h" + #include "smack-rules.h" +@@ -43,7 +42,7 @@ namespace SecurityManager { + + const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~"; + const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~"; +-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack"); ++const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack"; + const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat"; + + SmackRules::SmackRules() +@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector &pkgCon + + std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str())); +- return path; ++ return "/etc/smack/accesses.d/pkg_" + pkgId; + } + + std::string SmackRules::getApplicationRulesFilePath(const std::string &appId) + { +- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str())); +- return path; ++ return "/etc/smack/accesses.d/app_" + appId; + } + void SmackRules::installApplicationPrivilegesRules(const std::string &appId, 
const std::string &pkgId, + const std::vector &pkgContents, const std::vector &privileges) +@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con + for (auto privilege : privileges) { + if (privilege.empty()) + continue; +- std::string fprivilege ( privilege + "-template.smack"); +- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str())); ++ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack"; + if( stat(path.c_str(), &buffer) == 0) + smackRules.addFromTemplateFile(appId, pkgId, path); + } +-- +2.1.4 + diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service new file mode 100644 index 000000000..8ed5e8601 --- /dev/null +++ b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service @@ -0,0 +1,15 @@ +# +# Install security-manager DB to /var + +[Unit] +Description=Install Security Manager database +After=sysinit.target +Before=security-manager.service + +[Install] +WantedBy=default.target + +[Service] +Type=oneshot +User=root +ExecStart=/usr/bin/init-security-manager-db.sh diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh new file mode 100644 index 000000000..ef41286c8 --- /dev/null +++ b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +if [ ! -e "/var/db/security-manager" ]; then + mkdir -p /var/db + cp -ra /usr/dbspace/ /var/db/security-manager +fi 
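Review bot: In the rewritten `getGlobalUserId()` of `Removing-tizen-platform-config.patch`, any failure of `getpwnam_r("userapp", ...)`, whether a missing account or an `ERANGE` from the fixed 4096-byte buffer, silently falls back to uid `555`, so whichever account happens to own that uid is treated as the global application user. The callers of this function are outside the hunk, but a security service should treat a failed lookup as an error rather than guess an identity. The hand-written `if (!globaluid)` cache also replaces a function-local static initialiser, which C++11 runs exactly once, with an unsynchronised check; whether the function is reached from several threads is not visible here. Prefer keeping the single static initialisation and making the failure visible (log it and return an invalid uid instead of `555`); at minimum add a comment stating where the `userapp` account and uid `555` are provisioned.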
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend new file mode 100644 index 000000000..23ceb2937 --- /dev/null +++ b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend @@ -0,0 +1,22 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:" + +SRC_URI += " file://0001-Adapt-rules-to-AGL.patch \ + file://init-security-manager-db.service \ + file://init-security-manager-db.sh \ + file://0001-Fix-gcc6-build.patch \ + file://0001-Fix-Cmake-conf-for-gcc6-build.patch \ +" + +FILES_${PN}_append = "${bindir}/init-security-manager-db.sh \ + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_unitdir}/system/init-security-manager-db.service', '', d)} \ +" + +do_install_append () { + install -p -D ${WORKDIR}/init-security-manager-db.sh ${D}${bindir}/init-security-manager-db.sh + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + mkdir -p ${D}${systemd_unitdir}/system + mkdir -p ${D}${sysconfdir}/systemd/system/default.target.wants + install -m 644 -p -D ${WORKDIR}/init-security-manager-db.service ${D}${systemd_unitdir}/system/init-security-manager-db.service + ln -sf ${systemd_unitdir}/system/init-security-manager-db.service ${D}${sysconfdir}/systemd/system/default.target.wants + fi +} diff --git a/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime new file mode 100755 index 000000000..ca712e155 --- /dev/null +++ b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime @@ -0,0 +1,2 @@ +#!/bin/sh +exec /usr/bin/qt5/qmlscene "$1" /usr/bin/web-runtime-webkit.qml diff --git a/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime-webkit.qml b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime-webkit.qml new file mode 100644 index 000000000..d18b672cd --- /dev/null 
+++ b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime-webkit.qml @@ -0,0 +1,13 @@ +import QtQuick 2.1 +import QtQuick.Controls 1.1 +import QtWebKit 3.0 + +ApplicationWindow { + width: 1024 + height: 768 + visible: true + WebView { + url: Qt.application.arguments[1] + anchors.fill: parent + } +} diff --git a/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime.qml b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime.qml new file mode 100644 index 000000000..afe8a77d0 --- /dev/null +++ b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime.qml @@ -0,0 +1,13 @@ +import QtQuick 2.1 +import QtQuick.Controls 1.1 +import QtWebEngine 1.1 + +ApplicationWindow { + width: 1024 + height: 768 + visible: true + WebEngineView { + url: Qt.application.arguments[1] + anchors.fill: parent + } +} diff --git a/meta-app-framework/recipes-core/web-runtime/web-runtime_0.1.bb b/meta-app-framework/recipes-core/web-runtime/web-runtime_0.1.bb new file mode 100644 index 000000000..fa149875c --- /dev/null +++ b/meta-app-framework/recipes-core/web-runtime/web-runtime_0.1.bb 
@@ -0,0 +1,34 @@ +inherit allarch + +SUMMARY = "Provides the 'web-runtime' command" +DESCRIPTION = "The command 'web-runtime' is an abstraction that allows to " + +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +SRC_URI = "\ + file://web-runtime;md5sum=6114c0bdd20290912a423fa01beb50f0 \ + file://web-runtime.qml;md5sum=5d6a379e9b7e5654319e5ba638824a58 \ + file://web-runtime-webkit.qml;md5sum=4daf9df39078634c27a7923d37e82e3d \ +" + +RDEPENDS_${PN} = "qtwebkit-qmlplugins" + +do_configure() { + : +} + +do_install() { + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/web-runtime ${D}${bindir}/web-runtime + install -m 0644 ${WORKDIR}/web-runtime.qml ${D}${bindir}/web-runtime.qml + install -m 0644 ${WORKDIR}/web-runtime-webkit.qml ${D}${bindir}/web-runtime-webkit.qml +} + +do_install_append_rcar-gen2() { + # workaround for porter board: force the use of libEGL provided by mesa at runtime + # otherwise, the proprietary libEGL is used and a problem then occurs due to a missing EGL function + sed -i 's|^\(exec /usr/bin/qt5/qmlscene\)|LD_PRELOAD=/usr/lib/libEGL.so \1|g' ${D}${bindir}/web-runtime +} + + diff --git a/meta-app-framework/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bbappend b/meta-app-framework/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bbappend new file mode 100644 index 000000000..590ab708a --- /dev/null +++ b/meta-app-framework/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bbappend @@ -0,0 +1 @@ +SYSTEMD_SERVICE_AFTER_append = " afm-system-daemon.service" diff --git a/meta-app-framework/recipes-example/afb-client/afb-client_1.0.bb b/meta-app-framework/recipes-example/afb-client/afb-client_1.0.bb new file mode 100644 index 000000000..21605d20b --- /dev/null +++ b/meta-app-framework/recipes-example/afb-client/afb-client_1.0.bb 
@@ -0,0 +1,29 @@ +SUMMARY = "HTML5 demo template for AFB" +DESCRIPTION = "afb-client is a sample AngularJS/HTML5 application using \ +Application Framework Binder with token binding." +HOMEPAGE = "http://www.iot.bzh" + +LICENSE = "GPLv3+" +LIC_FILES_CHKSUM = "file://LICENSE;md5=6cb04bdb88e11107e3af4d8e3f301be5" + +#DEPENDS = "nodejs-native" +RDEPENDS_${PN} = "af-binder af-binder-binding-authlogin" + +SRC_URI_git = "git://gerrit.automotivelinux.org/gerrit/src/app-framework-demo;protocol=https;branch=master" +SRC_URI_files = "file://afb-client \ + " +SRC_URI = "${SRC_URI_git} \ + ${SRC_URI_files} \ + " +SRCREV = "9e9b459fa27d7a359a060024c9639b99b45813d5" +S = "${WORKDIR}/git/afb-client" + +do_install () { + mkdir -p ${D}/${datadir}/agl/afb-client + cp -ra ${S}/dist.prod/* ${D}/${datadir}/agl/afb-client/ + + mkdir -p ${D}/${bindir} + install -m 0755 ${WORKDIR}/afb-client ${D}/${bindir}/afb-client +} + +FILES_${PN} += "${datadir}" diff --git a/meta-app-framework/recipes-example/afb-client/files/afb-client b/meta-app-framework/recipes-example/afb-client/files/afb-client new file mode 100644 index 000000000..99e6aa968 --- /dev/null +++ b/meta-app-framework/recipes-example/afb-client/files/afb-client @@ -0,0 +1,7 @@ +#!/bin/sh + +if [ -z "${XDG_RUNTIME_DIR+1}" ]; then + export XDG_RUNTIME_DIR=/run/user/$UID +fi +LD_PRELOAD=/usr/lib/libEGL.so /usr/bin/qt5/qmlscene http://localhost:1234/opa /usr/share/agl/afb-viewer.qml + diff --git a/meta-app-framework/recipes-example/afm-client/afm-client_1.0.bb b/meta-app-framework/recipes-example/afm-client/afm-client_1.0.bb new file mode 100644 index 000000000..4cd80db64 --- /dev/null +++ b/meta-app-framework/recipes-example/afm-client/afm-client_1.0.bb 
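Review bot: The `afb-client` launcher is `#!/bin/sh` but builds its fallback with `$UID`, which bash provides and POSIX sh does not guarantee; in a shell that leaves it unset, `XDG_RUNTIME_DIR` becomes `/run/user/`, which is not the per-user runtime directory. Use `export XDG_RUNTIME_DIR=/run/user/$(id -u)` instead. The same line appears in `recipes-example/afm-client/files/afm-client` later in this commit. The script also points qmlscene at `/usr/share/agl/afb-viewer.qml`, which none of the `do_install` steps visible on this page installs, so confirm which package provides it.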
@@ -0,0 +1,40 @@ +SUMMARY = "Sample client for AFM to install/start/stop/remove applications" +DESCRIPTION = "afm-client is a sample AngularJS/HTML5 application using \ +Application Framework Manager to install, start, stop, or remove \ +applications provided as .wgt widget packages." +HOMEPAGE = "http://www.iot.bzh" + +inherit systemd + +LICENSE = "GPLv3+" +LIC_FILES_CHKSUM = "file://LICENSE;md5=6cb04bdb88e11107e3af4d8e3f301be5" + +#DEPENDS = "nodejs-native" +RDEPENDS_${PN} = "af-main af-binder af-main-binding af-binder-binding-demopost af-binder-binding-authlogin" + +SRC_URI_git = "git://gerrit.automotivelinux.org/gerrit/src/app-framework-demo;protocol=https;branch=master" +SRC_URI_files = "file://afm-client \ + file://afm-client.service \ + " +SRC_URI = "${SRC_URI_git} \ + ${SRC_URI_files} \ + " +SRCREV = "9e9b459fa27d7a359a060024c9639b99b45813d5" +S = "${WORKDIR}/git/afm-client" + +do_install () { + mkdir -p ${D}/${datadir}/agl/afm-client + cp -ra ${S}/dist.prod/* ${D}/${datadir}/agl/afm-client/ + + mkdir -p ${D}/${bindir} + install -m 0755 ${WORKDIR}/afm-client ${D}/${bindir}/afm-client + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${systemd_user_unitdir} + install -d ${D}${sysconfdir}/systemd/user/default.target.wants + install -m 0644 ${WORKDIR}/afm-client.service ${D}/${systemd_user_unitdir}/afm-client.service + ln -sf ${systemd_user_unitdir}/afm-client.service ${D}${sysconfdir}/systemd/user/default.target.wants + fi +} + +FILES_${PN} += "${datadir} ${systemd_user_unitdir}" diff --git a/meta-app-framework/recipes-example/afm-client/files/afm-client b/meta-app-framework/recipes-example/afm-client/files/afm-client new file mode 100644 index 000000000..ba868e93d --- /dev/null +++ b/meta-app-framework/recipes-example/afm-client/files/afm-client 
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ -z "${XDG_RUNTIME_DIR+1}" ]; then
+ export XDG_RUNTIME_DIR=/run/user/$UID
+fi
+LD_PRELOAD=/usr/lib/libEGL.so /usr/bin/web-runtime http://localhost:1236/opa
+
diff --git a/meta-app-framework/recipes-example/afm-client/files/afm-client.service b/meta-app-framework/recipes-example/afm-client/files/afm-client.service
new file mode 100644
index 000000000..735717439
--- /dev/null
+++ b/meta-app-framework/recipes-example/afm-client/files/afm-client.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Simplest application manager
+
+[Service]
+ExecStart=/usr/bin/afb-daemon --mode=remote --port=1234 --token='' --sessiondir=/home/root/.afb-daemon --rootdir=/usr/share/agl/afm-client --alias=/icons:/var/lib/afm/icons
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=default.target
+
diff --git a/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home-native.patch b/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home-native.patch
new file mode 100644
index 000000000..ff420d8a2
--- /dev/null
+++ b/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home-native.patch
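Review bot: `--token=''` on the ExecStart line of afm-client.service starts afb-daemon with an empty initial token, and the recipe links this unit into default.target.wants, so the HTTP endpoint in front of the install/start/stop/remove client appears to come up in every user session with no secret for a connecting local process to present. If that is meant for the demo image only, say so above ExecStart with a comment such as `# Demo only: empty initial token, do not ship in production images`, and consider having the launcher pass a per-session token instead. Two smaller points on the same line: `--sessiondir=/home/root/.afb-daemon` hard-codes root's home in a user unit, and the afm-client launcher opens `http://localhost:1236/opa` while this unit listens on port 1234.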
@@ -0,0 +1,45 @@
+From 008637fc8bd7f601eb6554d572bba025613913b7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Wed, 8 Mar 2017 14:10:10 +0100
+Subject: [PATCH] useradd: copy extended attributes of home (native)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Home directory wasn't getting the extended attributes
+of /etc/skel. This patch fixes that issue and adds the copy
+of the extended attributes of the root of the home directory.
+
+Change-Id: Ib6836e1b18c4c7f73e02c1f1fc9558dc749ba9da
+Signed-off-by: José Bollo
+---
+ src/useradd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 4c418af..8ba8af6 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -55,6 +55,9 @@
+ #include
+ #include
+ #include
++#ifdef WITH_ATTR
++#include
++#endif
+ #include "chkname.h"
+ #include "defines.h"
+ #include "faillog.h"
+@@ -1950,6 +1953,9 @@ static void create_home (void)
+ chown (user_home, user_id, user_gid);
+ chmod (user_home,
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++#ifdef WITH_ATTR
++ attr_copy_file (def_template, user_home, NULL, NULL);
++#endif
+ home_added = true;
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+--
+2.9.3
+
diff --git a/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch b/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
new file mode 100644
index 000000000..f231c3cfe
--- /dev/null
+++ b/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
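Review bot: The result of `attr_copy_file (def_template, user_home, NULL, NULL);` in create_home is discarded, so when copying the extended attributes fails the home directory is still marked as added but lacks the attributes of the skeleton directory; on a Smack-labelled system, which this layer targets, it would presumably keep whatever label it received at creation. Checking the call makes the failure visible, for example `if (attr_copy_file (def_template, user_home, NULL, NULL) != 0) fprintf (stderr, "%s: cannot copy extended attributes to %s\n", Prog, user_home);`. create_home begins and ends outside the hunk. The target variant added next, 0001-useradd-copy-extended-attributes-of-home.patch, contains the same unchecked call.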
@@ -0,0 +1,45 @@
+From acec93540eba6899661c607408498ac72ab07a47 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Tue, 7 Mar 2017 16:03:03 +0100
+Subject: [PATCH] useradd: copy extended attributes of home
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Home directory wasn't getting the extended attributes
+of /etc/skel. This patch fixes that issue and adds the copy
+of the extended attributes of the root of the home directory.
+
+Change-Id: Icd633f7c6c494efd2a30cb8f04c306f749ad0c3b
+Signed-off-by: José Bollo
+---
+ src/useradd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a8a1f76..8aefb9c 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -52,6 +52,9 @@
+ #include
+ #include
+ #include
++#ifdef WITH_ATTR
++#include
++#endif
+ #include "chkname.h"
+ #include "defines.h"
+ #include "faillog.h"
+@@ -1915,6 +1918,9 @@ static void create_home (void)
+ chown (user_home, user_id, user_gid);
+ chmod (user_home,
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++#ifdef WITH_ATTR
++ attr_copy_file (def_template, user_home, NULL, NULL);
++#endif
+ home_added = true;
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+--
+2.9.3
+
diff --git a/meta-app-framework/recipes-extended/shadow/shadow_%.bbappend b/meta-app-framework/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 000000000..f08435502
--- /dev/null
+++ b/meta-app-framework/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI_append_class-target = " file://0001-useradd-copy-extended-attributes-of-home.patch "
+SRC_URI_append_class-native = " file://0001-useradd-copy-extended-attributes-of-home-native.patch "
diff --git a/meta-app-framework/recipes-kernel/linux/linux-%.bbappend b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend
new file mode 100644
index 000000000..02595efdf
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
+SRC_URI_append_smack = " file://audit.cfg"
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend
new file mode 100644
index 000000000..c1c657201
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend
@@ -0,0 +1,12 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux/linux-yocto-4.1:"
+
+#-------------------------------------------------------------------------
+# smack patches for handling bluetooth
+
+SRC_URI_append_smack = "\
+ file://0001-Smack-File-receive-for-sockets.patch \
+ file://0002-smack-fix-cache-of-access-labels.patch \
+ file://0003-Smack-ignore-null-signal-in-smack_task_kill.patch \
+ file://0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch \
+"
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend
new file mode 100644
index 000000000..51df08719
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend
@@ -0,0 +1,11 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux/linux-yocto-4.4:"
+
+#-------------------------------------------------------------------------
+# smack patches for handling bluetooth
+
+SRC_URI_append_smack = "\
+ file://0002-smack-fix-cache-of-access-labels.patch \
+ file://0003-Smack-ignore-null-signal-in-smack_task_kill.patch \
+ file://0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch \
+"
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/audit.cfg b/meta-app-framework/recipes-kernel/linux/linux/audit.cfg
new file mode 100644
index 000000000..214dbe33f
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/audit.cfg
@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
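Review bot: SRC_URI_append_smack in linux-yocto_4.4.bbappend lists only patches 0002 to 0004, although this commit also adds linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch, so on 4.4 kernels that patch is carried in the layer but never applied. If the omission is deliberate, a comment giving the reason (or dropping the unused file) would stop a reader assuming the socket receive check is active. If it is an oversight, add `file://0001-Smack-File-receive-for-sockets.patch \` as the first entry, matching the 4.1 bbappend.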
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch
new file mode 100644
index 000000000..b0c5ee8f4
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch
@@ -0,0 +1,62 @@
+From 2e65b888820ea372984d412cee3bd7dcba05d7d2 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler
+Date: Mon, 7 Dec 2015 14:34:32 -0800
+Subject: [PATCH 1/4] Smack: File receive for sockets
+
+The existing file receive hook checks for access on
+the file inode even for UDS. This is not right, as
+the inode is not used by Smack to make access checks
+for sockets. This change checks for an appropriate
+access relationship between the receiving (current)
+process and the socket. If the process can't write
+to the socket's send label or the socket's receive
+label can't write to the process fail.
+
+This will allow the legitimate cases, where the
+socket sender and socket receiver can freely communicate.
+Only strangly set socket labels should cause a problem.
+
+Signed-off-by: Casey Schaufler
+---
+ security/smack/smack_lsm.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b644757..487b2f3 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1672,9 +1672,31 @@ static int smack_file_receive(struct file *file)
+ int may = 0;
+ struct smk_audit_info ad;
+ struct inode *inode = file_inode(file);
++ struct socket *sock;
++ struct task_smack *tsp;
++ struct socket_smack *ssp;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
+ smk_ad_setfield_u_fs_path(&ad, file->f_path);
++
++ if (S_ISSOCK(inode->i_mode)) {
++ sock = SOCKET_I(inode);
++ ssp = sock->sk->sk_security;
++ tsp = current_security();
++ /*
++ * If the receiving process can't write to the
++ * passed socket or if the passed socket can't
++ * write to the receiving process don't accept
++ * the passed socket.
++ */
++ rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad);
++ rc = smk_bu_file(file, may, rc);
++ if (rc < 0)
++ return rc;
++ rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad);
++ rc = smk_bu_file(file, may, rc);
++ return rc;
++ }
+ /*
+ * This code relies on bitmasks.
+ */
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch
new file mode 100644
index 000000000..51c3b31ec
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch
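Review bot: `S_ISSOCK(inode->i_mode)` in smack_file_receive is also true for the filesystem inode of a bound Unix-domain socket path, which is not allocated by sockfs, so `SOCKET_I(inode)` and the following `sock->sk->sk_security` would then read memory that is not a struct socket. Testing the superblock instead, `if (inode->i_sb->s_magic == SOCKFS_MAGIC) {`, limits the branch to real socket inodes, and `sock->sk` could additionally be checked for NULL before it is dereferenced. smack_file_receive begins and ends outside the hunk. The linux-yocto-4.4 copy of this patch uses the same test.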
@@ -0,0 +1,43 @@
+From 5bcea0fc4e5360deca133e211fdc76717a1693a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Tue, 12 Jan 2016 21:23:40 +0100
+Subject: [PATCH 2/4] smack: fix cache of access labels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before this commit, removing the access property of
+a file, aka, the extended attribute security.SMACK64
+was not effictive until the cache had been cleaned.
+
+This patch fixes that problem.
+
+Signed-off-by: José Bollo
+Acked-by: Casey Schaufler
+---
+ security/smack/smack_lsm.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 487b2f3..b9393e3 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1256,9 +1256,13 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+ * Don't do anything special for these.
+ * XATTR_NAME_SMACKIPIN
+ * XATTR_NAME_SMACKIPOUT
+- * XATTR_NAME_SMACKEXEC
+ */
+- if (strcmp(name, XATTR_NAME_SMACK) == 0)
++ if (strcmp(name, XATTR_NAME_SMACK) == 0) {
++ struct super_block *sbp = d_backing_inode(dentry)->i_sb;
++ struct superblock_smack *sbsp = sbp->s_security;
++
++ isp->smk_inode = sbsp->smk_default;
++ } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
+ isp->smk_task = NULL;
+ else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
+ isp->smk_mmap = NULL;
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
new file mode 100644
index 000000000..67761ae46
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
@@ -0,0 +1,39 @@
+From aa63c4f8ece0c54a9be735ac38667f11fcd6f44a Mon Sep 17 00:00:00 2001
+From: Rafal Krypa
+Date: Mon, 4 Apr 2016 11:14:53 +0200
+Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill
+
+Kill with signal number 0 is commonly used for checking PID existence.
+Smack treated such cases like any other kills, although no signal is
+actually delivered when sig == 0.
+
+Checking permissions when sig == 0 didn't prevent an unprivileged caller
+from learning whether PID exists or not. When it existed, kernel returned
+EPERM, when it didn't - ESRCH. The only effect of policy check in such
+case is noise in audit logs.
+
+This change lets Smack silently ignore kill() invocations with sig == 0.
+
+Signed-off-by: Rafal Krypa
+Acked-by: Casey Schaufler
+---
+ security/smack/smack_lsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b9393e3..c916f58 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2056,6 +2056,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
+ struct smack_known *tkp = smk_of_task_struct(p);
+ int rc;
+
++ if (!sig)
++ return 0; /* null signal; existence test */
++
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, p);
+ /*
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
new file mode 100644
index 000000000..4281c201c
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
@@ -0,0 +1,49 @@
+From b2b9e7ec8e79ede841104f76464f4b77c057b011 Mon Sep 17 00:00:00 2001
+From: jooseong lee
+Date: Thu, 3 Nov 2016 10:55:43 +0100
+Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook
+
+Creating struct sock by sk_alloc function in various kernel subsystems
+like bluetooth dosen't call smack_socket_post_create(). In such case,
+received sock label is the floor('_') label and makes access deny.
+
+Refers-to: https://review.tizen.org/gerrit/#/c/80717/4
+
+Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8
+Signed-off-by: jooseong lee
+Signed-off-by: José Bollo
+---
+ security/smack/smack_lsm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index c916f58..cc6769b 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2138,8 +2138,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
+ if (ssp == NULL)
+ return -ENOMEM;
+
+- ssp->smk_in = skp;
+- ssp->smk_out = skp;
++ /*
++ * Sockets created by kernel threads receive web label.
++ */
++ if (unlikely(current->flags & PF_KTHREAD)) {
++ ssp->smk_in = &smack_known_web;
++ ssp->smk_out = &smack_known_web;
++ } else {
++ ssp->smk_in = skp;
++ ssp->smk_out = skp;
++ }
+ ssp->smk_packet = NULL;
+
+ sk->sk_security = ssp;
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch
new file mode 100644
index 000000000..4021e5d38
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch
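Review bot: The `current->flags & PF_KTHREAD` test in smack_sk_alloc_security covers every socket allocated in kernel-thread context, not only the Bluetooth case the commit message describes, and the added comment does not say what the web label means for access decisions. As far as I know that label is the one Smack treats as accessible to all subjects, so the comment should record the trade-off, for example `/* Kernel-thread sockets get the web ("@") label, i.e. open to all subjects; needed because sk_alloc() users such as Bluetooth skip smack_socket_post_create(). */`. The function continues outside the hunk. The linux-yocto-4.4 copy of this patch is identical in this respect.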
@@ -0,0 +1,65 @@
+From 2b206c36b16e72cfe41cd22448d8527359ffd962 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler
+Date: Mon, 7 Dec 2015 14:34:32 -0800
+Subject: [PATCH 1/4] Smack: File receive for sockets
+
+The existing file receive hook checks for access on
+the file inode even for UDS. This is not right, as
+the inode is not used by Smack to make access checks
+for sockets. This change checks for an appropriate
+access relationship between the receiving (current)
+process and the socket. If the process can't write
+to the socket's send label or the socket's receive
+label can't write to the process fail.
+
+This will allow the legitimate cases, where the
+socket sender and socket receiver can freely communicate.
+Only strangly set socket labels should cause a problem.
+
+Signed-off-by: Casey Schaufler
+---
+ security/smack/smack_lsm.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index ff81026..b20ef06 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1860,12 +1860,34 @@ static int smack_file_receive(struct file *file)
+ int may = 0;
+ struct smk_audit_info ad;
+ struct inode *inode = file_inode(file);
++ struct socket *sock;
++ struct task_smack *tsp;
++ struct socket_smack *ssp;
+
+ if (unlikely(IS_PRIVATE(inode)))
+ return 0;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
+ smk_ad_setfield_u_fs_path(&ad, file->f_path);
++
++ if (S_ISSOCK(inode->i_mode)) {
++ sock = SOCKET_I(inode);
++ ssp = sock->sk->sk_security;
++ tsp = current_security();
++ /*
++ * If the receiving process can't write to the
++ * passed socket or if the passed socket can't
++ * write to the receiving process don't accept
++ * the passed socket.
++ */
++ rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad);
++ rc = smk_bu_file(file, may, rc);
++ if (rc < 0)
++ return rc;
++ rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad);
++ rc = smk_bu_file(file, may, rc);
++ return rc;
++ }
+ /*
+ * This code relies on bitmasks.
+ */
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch
new file mode 100644
index 000000000..c516f3aa5
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch
@@ -0,0 +1,43 @@
+From 99267706991ab84bd44ceaea9a7ec886bbdd58e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Tue, 12 Jan 2016 21:23:40 +0100
+Subject: [PATCH 2/4] smack: fix cache of access labels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before this commit, removing the access property of
+a file, aka, the extended attribute security.SMACK64
+was not effictive until the cache had been cleaned.
+
+This patch fixes that problem.
+
+Signed-off-by: José Bollo
+Acked-by: Casey Schaufler
+---
+ security/smack/smack_lsm.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b20ef06..b2bcb14 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1444,9 +1444,13 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+ * Don't do anything special for these.
+ * XATTR_NAME_SMACKIPIN
+ * XATTR_NAME_SMACKIPOUT
+- * XATTR_NAME_SMACKEXEC
+ */
+- if (strcmp(name, XATTR_NAME_SMACK) == 0)
++ if (strcmp(name, XATTR_NAME_SMACK) == 0) {
++ struct super_block *sbp = d_backing_inode(dentry)->i_sb;
++ struct superblock_smack *sbsp = sbp->s_security;
++
++ isp->smk_inode = sbsp->smk_default;
++ } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
+ isp->smk_task = NULL;
+ else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
+ isp->smk_mmap = NULL;
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
new file mode 100644
index 000000000..c9180bb9f
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
@@ -0,0 +1,39 @@
+From ec4eb03af07b0fbc330aecca6ac4ebd6accd8825 Mon Sep 17 00:00:00 2001
+From: Rafal Krypa
+Date: Mon, 4 Apr 2016 11:14:53 +0200
+Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill
+
+Kill with signal number 0 is commonly used for checking PID existence.
+Smack treated such cases like any other kills, although no signal is
+actually delivered when sig == 0.
+
+Checking permissions when sig == 0 didn't prevent an unprivileged caller
+from learning whether PID exists or not. When it existed, kernel returned
+EPERM, when it didn't - ESRCH. The only effect of policy check in such
+case is noise in audit logs.
+
+This change lets Smack silently ignore kill() invocations with sig == 0.
+
+Signed-off-by: Rafal Krypa
+Acked-by: Casey Schaufler
+---
+ security/smack/smack_lsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b2bcb14..cf8a93f 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2239,6 +2239,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
+ struct smack_known *tkp = smk_of_task_struct(p);
+ int rc;
+
++ if (!sig)
++ return 0; /* null signal; existence test */
++
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, p);
+ /*
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
new file mode 100644
index 000000000..a1eeac3d7
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
@@ -0,0 +1,49 @@
+From c8bbb0f916de54610513e376070aea531af19dd6 Mon Sep 17 00:00:00 2001
+From: jooseong lee
+Date: Thu, 3 Nov 2016 10:55:43 +0100
+Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook
+
+Creating struct sock by sk_alloc function in various kernel subsystems
+like bluetooth dosen't call smack_socket_post_create(). In such case,
+received sock label is the floor('_') label and makes access deny.
+
+Refers-to: https://review.tizen.org/gerrit/#/c/80717/4
+
+Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8
+Signed-off-by: jooseong lee
+Signed-off-by: José Bollo
+---
+ security/smack/smack_lsm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index cf8a93f..21651bc 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2321,8 +2321,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
+ if (ssp == NULL)
+ return -ENOMEM;
+
+- ssp->smk_in = skp;
+- ssp->smk_out = skp;
++ /*
++ * Sockets created by kernel threads receive web label.
++ */
++ if (unlikely(current->flags & PF_KTHREAD)) {
++ ssp->smk_in = &smack_known_web;
++ ssp->smk_out = &smack_known_web;
++ } else {
++ ssp->smk_in = skp;
++ ssp->smk_out = skp;
++ }
+ ssp->smk_packet = NULL;
+
+ sk->sk_security = ssp;
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
new file mode 100644
index 000000000..fa359fa87
--- /dev/null
+++ b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
@@ -0,0 +1,87 @@
+From c34b2725817d4fd1fd6878bbb16617cb9e3e3a70 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Fri, 22 Jan 2016 16:23:59 +0100
+Subject: [PATCH] removing capability enforcement
+
+Signed-off-by: ronan
+
+Change-Id: Idb724192ceab176a611bbed45c0ebc9c8eb5dd30
+---
+ progs/setcap.c | 45 +--------------------------------------------
+ 1 file changed, 1 insertion(+), 44 deletions(-)
+
+diff --git a/progs/setcap.c b/progs/setcap.c
+index 7304343..71999b6 100644
+--- a/progs/setcap.c
++++ b/progs/setcap.c
+@@ -58,11 +58,9 @@ static int read_caps(int quiet, const char *filename, char *buffer)
+
+ int main(int argc, char **argv)
+ {
+- int tried_to_cap_setfcap = 0;
+ char buffer[MAXCAP+1];
+ int retval, quiet=0, verify=0;
+ cap_t mycaps;
+- cap_value_t capflag;
+
+ if (argc < 3) {
+ usage();
+@@ -150,54 +148,13 @@ int main(int argc, char **argv)
+ printf("%s: OK\n", *argv);
+ }
+ } else {
+- if (!tried_to_cap_setfcap) {
+- capflag = CAP_SETFCAP;
+-
+- /*
+- * Raise the effective CAP_SETFCAP.
+- */
+- if (cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag, CAP_SET)
+- != 0) {
+- perror("unable to manipulate CAP_SETFCAP - "
+- "try a newer libcap?");
+- exit(1);
+- }
+- if (cap_set_proc(mycaps) != 0) {
+- perror("unable to set CAP_SETFCAP effective capability");
+- exit(1);
+- }
+- tried_to_cap_setfcap = 1;
+- }
+ retval = cap_set_file(*++argv, cap_d);
+ if (retval != 0) {
+- int explained = 0;
+ int oerrno = errno;
+-#ifdef linux
+- cap_value_t cap;
+- cap_flag_value_t per_state;
+-
+- for (cap = 0;
+- cap_get_flag(cap_d, cap, CAP_PERMITTED, &per_state) != -1;
+- cap++) {
+- cap_flag_value_t inh_state, eff_state;
+-
+- cap_get_flag(cap_d, cap, CAP_INHERITABLE, &inh_state);
+- cap_get_flag(cap_d, cap, CAP_EFFECTIVE, &eff_state);
+- if ((inh_state | per_state) != eff_state) {
+- fprintf(stderr, "NOTE: Under Linux, effective file capabilities must either be empty, or\n"
+- " exactly match the union of selected permitted and inheritable bits.\n");
+- explained = 1;
+- break;
+- }
+- }
+-#endif /* def linux */
+-
+ fprintf(stderr,
+ "Failed to set capabilities on file `%s' (%s)\n",
+ argv[0], strerror(oerrno));
+- if (!explained) {
+- usage();
+- }
++
+ }
+ }
+ if (cap_d) {
+--
+2.6.6
+
diff --git a/meta-app-framework/recipes-support/libcap/libcap_%.bbappend b/meta-app-framework/recipes-support/libcap/libcap_%.bbappend
new file mode 100644
index 000000000..fbe893501
--- /dev/null
+++ b/meta-app-framework/recipes-support/libcap/libcap_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS_append_class-native := ":${THISDIR}/${PN}"
+SRC_URI_append_class-native = " file://removing-capability-enforcement.patch"
+PACKAGECONFIG_class-native ?= "attr"
+DEPENDS_append_class-native = " attr-native"
+
diff --git a/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd/allows-upgrade.patch b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd/allows-upgrade.patch
new file mode 100644
index 000000000..19601a537
--- /dev/null
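Review bot: With `usage();` removed from the `retval != 0` branch in setcap's main, nothing in the visible new code ends the program after cap_set_file() fails, so setcap appears to print "Failed to set capabilities" and carry on, possibly exiting with status 0 (usage() presumably exits, and the end of main is outside the hunk). For the native tool this patch is applied to, that would let an image build succeed while a binary silently lacks its file capabilities; adding `exit(1);` after the fprintf keeps the failure fatal. The patch header also gives no reason for dropping the CAP_SETFCAP raise, so a sentence of rationale and an Upstream-Status line would help whoever rebases it next.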
+++ b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd/allows-upgrade.patch
@@ -0,0 +1,81 @@
+diff -Naur a/src/microhttpd/connection.c b/src/microhttpd/connection.c
+--- a/src/microhttpd/connection.c 2016-04-08 21:02:26.000000000 +0200
++++ b/src/microhttpd/connection.c 2016-08-29 22:41:53.790560238 +0200
+@@ -708,6 +708,8 @@
+ * "keep-alive", we proceed to use the default for the respective HTTP
+ * version (which is conservative for HTTP 1.0, but might be a bit
+ * optimistic for HTTP 1.1).
++ * In the case of Upgrade, the header Connection should not be set
++ * to keep-alive.
+ *
+ * @param connection the connection to check for keepalive
+ * @return #MHD_YES if (based on the request), a keepalive is
+@@ -750,6 +752,59 @@
+
+
+ /**
++ * Should we try to keep the given connection alive? We can use the
++ * TCP stream for a second request if the connection is HTTP 1.1 and
++ * the "Connection" header either does not exist or is not set to
++ * "close", or if the connection is HTTP 1.0 and the "Connection"
++ * header is explicitly set to "keep-alive". If no HTTP version is
++ * specified (or if it is not 1.0 or 1.1), we definitively close the
++ * connection. If the "Connection" header is not exactly "close" or
++ * "keep-alive", we proceed to use the default for the respective HTTP
++ * version (which is conservative for HTTP 1.0, but might be a bit
++ * optimistic for HTTP 1.1).
++ * In the case of Upgrade, the connection should be kept alive even if
++ * the header Connection is not keep-alive.
++ *
++ * @param connection the connection to check for keepalive
++ * @return #MHD_YES if (based on the request), a keepalive is
++ * legal
++ */
++static int
++should_keepalive (struct MHD_Connection *connection)
++{
++ const char *end;
++
++ if (NULL == connection->version)
++ return MHD_NO;
++ if ( (NULL != connection->response) &&
++ (0 != (connection->response->flags & MHD_RF_HTTP_VERSION_1_0_ONLY) ) )
++ return MHD_NO;
++ end = MHD_lookup_connection_value (connection,
++ MHD_HEADER_KIND,
++ MHD_HTTP_HEADER_CONNECTION);
++ if (MHD_str_equal_caseless_(connection->version,
++ MHD_HTTP_VERSION_1_1))
++ {
++ if (NULL == end)
++ return MHD_YES;
++ if ( (MHD_str_equal_caseless_ (end, "close")) )
++ return MHD_NO;
++ return MHD_YES;
++ }
++ if (MHD_str_equal_caseless_(connection->version,
++ MHD_HTTP_VERSION_1_0))
++ {
++ if (NULL == end)
++ return MHD_NO;
++ if (MHD_str_equal_caseless_(end, "Keep-Alive"))
++ return MHD_YES;
++ return MHD_NO;
++ }
++ return MHD_NO;
++}
++
++
++/**
+ * Produce HTTP "Date:" header.
+ *
+ * @param date where to write the header, with
+@@ -2795,7 +2850,7 @@
+ }
+ if (((MHD_YES == connection->read_closed) &&
+ (0 == connection->read_buffer_offset)) ||
+- (MHD_NO == keepalive_possible (connection)))
++ (MHD_NO == should_keepalive (connection)))
+ {
+ /* have to close for some reason */
+ MHD_connection_close_ (connection,
diff --git a/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bb b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bb
new file mode 100644
index 000000000..9abb2004e
--- /dev/null
+++ b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bb
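Review bot: should_keepalive duplicates the doc comment of the keep-alive function above it almost word for word, and its body never mentions Upgrade: for HTTP/1.1 it returns MHD_YES for any Connection value other than exactly `close`, so the one behavioural difference the patch exists for cannot be found by reading it. A comment at that branch, for example `/* unlike keepalive_possible(): an "upgrade" value does not force a close */` (assuming that is the difference, since keepalive_possible's body is not in the hunk), or a shared helper taking a flag, would make the intent reviewable. The patch file also carries no description, Signed-off-by or Upstream-Status header, unlike the other patches added in this commit.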
@@ -0,0 +1,25 @@
+DESCRIPTION = "A small C library that is supposed to make it easy to run an HTTP server as part of another application"
+HOMEPAGE = "http://www.gnu.org/software/libmicrohttpd/"
+LICENSE = "LGPL-2.1+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=9331186f4f80db7da0e724bdd6554ee5"
+SECTION = "net"
+DEPENDS = "libgcrypt gnutls file"
+
+SRC_URI = "http://ftp.gnu.org/gnu/libmicrohttpd/${BPN}-${PV}.tar.gz"
+SRC_URI[md5sum] = "3209aa2ac6199b874a6325342b86edbc"
+SRC_URI[sha256sum] = "9407d8252548ab97ace3276e0032f073820073c0599d43baff832902a8dab11c"
+
+inherit autotools lib_package pkgconfig
+
+EXTRA_OECONF += "--disable-static --with-gnutls=${STAGING_LIBDIR}/../"
+
+PACKAGECONFIG ?= "curl"
+PACKAGECONFIG_append_class-target = "\
+ ${@bb.utils.contains('DISTRO_FEATURES', 'largefile', 'largefile', '', d)} \
+"
+PACKAGECONFIG[largefile] = "--enable-largefile,--disable-largefile,,"
+PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,"
+
+do_compile_append() {
+ sed -i s:-L${STAGING_LIBDIR}::g libmicrohttpd.pc
+}
diff --git a/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bbappend b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bbappend
new file mode 100644
index 000000000..c26b8119f
--- /dev/null
+++ b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bbappend
@@ -0,0 +1,5 @@
+
+FILESEXTRAPATHS_append := ":${THISDIR}/${PN}"
+SRC_URI += " file://allows-upgrade.patch"
+
+
diff --git a/meta-app-framework/recipes-support/libzip/libzip_1.1.1.bb b/meta-app-framework/recipes-support/libzip/libzip_1.1.1.bb
new file mode 100644
index 000000000..450971176
--- /dev/null
+++ b/meta-app-framework/recipes-support/libzip/libzip_1.1.1.bb
@@ -0,0 +1,32 @@
+inherit autotools
+
+SUMMARY = "Library providing support for handling zip files"
+DESCRIPTION = "\
+ This library is wrapping zlib and allows \
+ to easily create, browse, inflate of deflate \
+ the zip files. \
+ It also provides tools for zip comparing, merging or browsing.\
+"
+
+HOMEPAGE = "http://nih.at/libzip/index.html"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=23ebf7ca347ed9703b4ef40824d0ef66"
+
+SRC_URI = "http://nih.at/libzip/libzip-1.1.1.tar.xz;md5sum=0c86a1a94fbc3ec6724801036726ae1f"
+
+#SRC_URI = "hg://hg.nih.at/libzip;module=libzip;protocol=http"
+#SRCREV = "5895e34af7f9"
+#S = "${HGDIR}"
+
+SECTION = "base"
+
+DEPENDS = "zlib"
+
+RDEPENDS_${PN} = "zlib"
+
+PROVIDES += "${PN}-tools"
+RDEPENDS_${PN}-tools = "${PN}"
+FILES_${PN}-tools = "${bindir}/zipcmp ${bindir}/zipmerge ${bindir}/ziptool"
+
+BBCLASSEXTEND = "native nativesdk"
+
diff --git a/meta-app-framework/recipes-support/xmlsec1/xmlsec1/Only-require-libxslt-in-.pc-files-when-necessary.patch b/meta-app-framework/recipes-support/xmlsec1/xmlsec1/Only-require-libxslt-in-.pc-files-when-necessary.patch
new file mode 100644
index 000000000..c92df77f0
--- /dev/null
+++ b/meta-app-framework/recipes-support/xmlsec1/xmlsec1/Only-require-libxslt-in-.pc-files-when-necessary.patch
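Review bot: SRC_URI in libzip_1.1.1.bb fetches the tarball over plain `http://` and verifies it only through the inline `md5sum=` parameter, which is weak protection against a substituted download for a library that parses archive input. Add a SHA-256 checksum beside it, `SRC_URI[sha256sum] = "<sha256 of libzip-1.1.1.tar.xz, to be filled in>"`, as the libmicrohttpd recipe in this commit already does, and switch to an https URL if the upstream site offers one.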
@@ -0,0 +1,115 @@ +From 1e39acf581ef47876b058da41774cbc92560d797 Mon Sep 17 00:00:00 2001 +From: Manuel Bachmann +Date: Wed, 27 Jan 2016 14:16:40 +0100 +Subject: [PATCH] Only require libxslt in .pc files when necessary + +If we build xmlsec without libxslt ("--without-libxslt" at +configure time), dependent packages will still require it +because it is unconditionally mentioned in .pc files (used +by pkg-config). + +We now make sure that this dependency is mentioned only if +the configure script validates libxslt presence. + +Signed-off-by: Manuel Bachmann +--- + configure.in | 4 ++++ + xmlsec-gcrypt.pc.in | 2 +- + xmlsec-gnutls.pc.in | 2 +- + xmlsec-nss.pc.in | 2 +- + xmlsec-openssl.pc.in | 2 +- + xmlsec.pc.in | 2 +- + 6 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/configure.in b/configure.in +index 7d976d0..a8350a9 100644 +--- a/configure.in ++++ b/configure.in +@@ -255,6 +255,7 @@ dnl ========================================================================== + dnl find libxslt + dnl ========================================================================== + XMLSEC_NO_LIBXSLT="1" ++LIBXSLT_COND="libxslt >=" + LIBXSLT_MIN_VERSION=1.0.20 + LIBXSLT_CONFIG="xslt-config" + LIBXSLT_CFLAGS="" +@@ -324,6 +325,8 @@ fi + if test "z$LIBXSLT_FOUND" = "zyes" ; then + XMLSEC_NO_LIBXSLT="0" + else ++ LIBXSLT_COND="" ++ LIBXSLT_MIN_VERSION="" + XMLSEC_DEFINES="$XMLSEC_DEFINES -DXMLSEC_NO_XSLT=1" + fi + +@@ -332,6 +335,7 @@ AC_SUBST(LIBXSLT_CFLAGS) + AC_SUBST(LIBXSLT_LIBS) + AC_SUBST(LIBXSLT_CONFIG) + AC_SUBST(LIBXSLT_MIN_VERSION) ++AC_SUBST(LIBXSLT_COND) + + dnl ========================================================================== + dnl See if we can find a crypto library +diff --git a/xmlsec-gcrypt.pc.in b/xmlsec-gcrypt.pc.in +index 1c00496..33bc2ff 100644 +--- a/xmlsec-gcrypt.pc.in ++++ b/xmlsec-gcrypt.pc.in +@@ -6,6 +6,6 @@ includedir=@includedir@ + Name: xmlsec1-gcrypt + Version: @VERSION@ + Description: XML Security Library implements XML Signature 
and XML Encryption standards +-Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@ ++Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@ + Cflags: -DXMLSEC_CRYPTO=\"gcrypt\" @XMLSEC_GCRYPT_CFLAGS@ + Libs: @XMLSEC_GCRYPT_LIBS@ +diff --git a/xmlsec-gnutls.pc.in b/xmlsec-gnutls.pc.in +index e538cd4..d01cf82 100644 +--- a/xmlsec-gnutls.pc.in ++++ b/xmlsec-gnutls.pc.in +@@ -6,6 +6,6 @@ includedir=@includedir@ + Name: xmlsec1-gnutls + Version: @VERSION@ + Description: XML Security Library implements XML Signature and XML Encryption standards +-Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@ ++Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@ + Cflags: -DXMLSEC_CRYPTO=\"gnutls\" @XMLSEC_GNUTLS_CFLAGS@ + Libs: @XMLSEC_GNUTLS_LIBS@ +diff --git a/xmlsec-nss.pc.in b/xmlsec-nss.pc.in +index a6d6c5c..75f0232 100644 +--- a/xmlsec-nss.pc.in ++++ b/xmlsec-nss.pc.in +@@ -6,6 +6,6 @@ includedir=@includedir@ + Name: xmlsec1-nss + Version: @VERSION@ + Description: XML Security Library implements XML Signature and XML Encryption standards +-Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@ @NSPR_PACKAGE@ >= @MOZILLA_MIN_VERSION@ @NSS_PACKAGE@ >= @MOZILLA_MIN_VERSION@ ++Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@ @NSPR_PACKAGE@ >= @MOZILLA_MIN_VERSION@ @NSS_PACKAGE@ >= @MOZILLA_MIN_VERSION@ + Cflags: -DXMLSEC_CRYPTO=\"nss\" -DXMLSEC_CRYPTO_NSS=1 @XMLSEC_CORE_CFLAGS@ + Libs: -L${libdir} -lxmlsec1-nss @XMLSEC_CORE_LIBS@ +diff --git a/xmlsec-openssl.pc.in b/xmlsec-openssl.pc.in +index 85ee2b0..e9d0651 100644 +--- a/xmlsec-openssl.pc.in ++++ b/xmlsec-openssl.pc.in +@@ -6,6 +6,6 @@ includedir=@includedir@ + Name: xmlsec1-openssl + Version: @VERSION@ + Description: XML Security Library implements XML Signature and XML Encryption standards +-Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= 
@LIBXSLT_MIN_VERSION@ ++Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@ + Cflags: -DXMLSEC_CRYPTO=\"openssl\" @XMLSEC_OPENSSL_CFLAGS@ + Libs: @XMLSEC_OPENSSL_LIBS@ +diff --git a/xmlsec.pc.in b/xmlsec.pc.in +index a750ab8..14ea670 100644 +--- a/xmlsec.pc.in ++++ b/xmlsec.pc.in +@@ -6,6 +6,6 @@ includedir=@includedir@ + Name: xmlsec1 + Version: @VERSION@ + Description: XML Security Library implements XML Signature and XML Encryption standards +-Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@ ++Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@ + Cflags: -DXMLSEC_CRYPTO=\"@XMLSEC_CRYPTO@\" -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 @XMLSEC_CORE_CFLAGS@ + Libs: -L${libdir} @XMLSEC_CORE_LIBS@ +-- +2.6.2 + diff --git a/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend b/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend new file mode 100644 index 000000000..8f1972f07 --- /dev/null +++ b/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend @@ -0,0 +1,6 @@ +FILESEXTRAPATHS_append := ":${THISDIR}/${PN}" +SRC_URI += "file://Only-require-libxslt-in-.pc-files-when-necessary.patch" + +DEPENDS += "libxml2" + +BBCLASSEXTEND = "native nativesdk" diff --git a/templates/feature/agl-appfw-smack/50_bblayers.conf.inc b/templates/feature/agl-appfw-smack/50_bblayers.conf.inc new file mode 100644 index 000000000..344c25070 --- /dev/null +++ b/templates/feature/agl-appfw-smack/50_bblayers.conf.inc @@ -0,0 +1,6 @@ +BBLAYERS =+ " \ + ${METADIR}/meta-intel-iot-security/meta-security-smack \ + ${METADIR}/meta-intel-iot-security/meta-security-framework \ + ${METADIR}/meta-agl/meta-app-framework \ + " + diff --git a/templates/feature/agl-appfw-smack/50_local.conf.inc b/templates/feature/agl-appfw-smack/50_local.conf.inc new file mode 100644 index 000000000..0a11f07c2 --- /dev/null +++ b/templates/feature/agl-appfw-smack/50_local.conf.inc 
@@ -0,0 +1,2 @@
+#see meta-agl/meta-app-framework/conf/include/agl-appfw-smack.inc
+require conf/include/agl-appfw-smack.inc