From: José Bollo Date: Tue, 4 Feb 2020 17:02:26 +0000 (+0100) Subject: meta-security: activates dbus-cynagora X-Git-Tag: 9.99.1~106^2~3 X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=commitdiff_plain;h=ffe584b58889bad79004f3916f858299d8b7b385;p=AGL%2Fmeta-agl.git meta-security: activates dbus-cynagora Change-Id: Ia82ef9c5693c5eb4ba147bb7ead54f2608cb5dd4 Signed-off-by: José Bollo --- diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0001-Integration-of-Cynara-asynchronous-security-checks.patch similarity index 94% rename from meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch rename to meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0001-Integration-of-Cynara-asynchronous-security-checks.patch index 69d13ac35..55cedb9c7 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch +++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0001-Integration-of-Cynara-asynchronous-security-checks.patch @@ -1,7 +1,7 @@ -From 6c498a9b0f4122d1ac49d603f9968b6d85830cdb Mon Sep 17 00:00:00 2001 +From ea4b650366261e4257e4b0fb95e7f48e30ef36f0 Mon Sep 17 00:00:00 2001 From: Jacek Bukarewicz Date: Thu, 27 Nov 2014 18:11:05 +0100 -Subject: Integration of Cynara asynchronous security checks +Subject: [PATCH 1/8] Integration of Cynara asynchronous security checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -20,13 +20,48 @@ Cherry picked from 4dcfb02f17247ff9de966b62182cd2e08f301238 by José Bollo. Updated for dbus 1.10.20 by Scott Murray and José Bollo +Updated for dbus 1.12.16 by José Bollo Change-Id: I9bcbce34577e5dc2a3cecf6233a0a2b0e43e1108 Signed-off-by: José Bollo Signed-off-by: Scott Murray +--- + bus/Makefile.am | 6 + + bus/activation.c | 5 +- + bus/bus.c | 124 ++++-- + bus/bus.h | 22 +- + bus/check.c | 217 ++++++++++ + bus/check.h | 68 ++++ + bus/config-parser-common.c | 6 + + bus/config-parser-common.h | 1 + + bus/config-parser-trivial.c | 2 + + bus/config-parser.c | 72 +++- + bus/connection.c | 57 ++- + bus/connection.h | 4 + + bus/cynara.c | 374 ++++++++++++++++++ + bus/cynara.h | 37 ++ + bus/dispatch.c | 46 ++- + bus/driver.h | 2 + + bus/policy.c | 195 ++++++--- + bus/policy.h | 29 +- + configure.ac | 12 + + test/Makefile.am | 1 + + .../data/invalid-config-files/badcheck-1.conf | 9 + + .../data/invalid-config-files/badcheck-2.conf | 9 + + test/data/valid-config-files/check-1.conf | 9 + + .../debug-check-some.conf.in | 18 + + 24 files changed, 1181 insertions(+), 144 deletions(-) + create mode 100644 bus/check.c + create mode 100644 bus/check.h + create mode 100644 bus/cynara.c + create mode 100644 bus/cynara.h + create mode 100644 test/data/invalid-config-files/badcheck-1.conf + create mode 100644 test/data/invalid-config-files/badcheck-2.conf + create mode 100644 test/data/valid-config-files/check-1.conf + create mode 100644 test/data/valid-config-files/debug-check-some.conf.in diff --git a/bus/Makefile.am b/bus/Makefile.am -index 9ae3071..46afb31 100644 +index c917063..2a8a72c 100644 --- a/bus/Makefile.am +++ b/bus/Makefile.am @@ -13,6 +13,7 @@ DBUS_BUS_LIBS = \ @@ -64,10 +99,10 @@ index 9ae3071..46afb31 100644 desktop-file.h \ $(DIR_WATCH_SOURCE) \ diff --git a/bus/activation.c b/bus/activation.c -index 6f009f5..f8a02eb 100644 +index 99404b9..f9c6c62 100644 --- a/bus/activation.c +++ b/bus/activation.c -@@ -1788,14 +1788,15 @@ bus_activation_activate_service (BusActivation *activation, +@@ -1789,14 +1789,15 @@ bus_activation_activate_service (BusActivation *activation, if (auto_activation && entry != NULL && @@ -86,7 +121,7 @@ index 6f009f5..f8a02eb 100644 _DBUS_ASSERT_ERROR_IS_SET (error); _dbus_verbose ("activation not authorized: %s: %s\n", diff --git a/bus/bus.c b/bus/bus.c -index 30ce4e1..237efe3 100644 +index 2ad8e78..6fc45d0 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -38,6 +38,7 @@ @@ -757,8 +792,28 @@ index 382a014..9e026d1 100644 ELEMENT_FORK, ELEMENT_PIDFILE, ELEMENT_SERVICEDIR, +diff --git a/bus/config-parser-trivial.c b/bus/config-parser-trivial.c +index dd65c6d..23dedb4 100644 +--- a/bus/config-parser-trivial.c ++++ b/bus/config-parser-trivial.c +@@ -194,6 +194,7 @@ bus_config_parser_start_element (BusConfigParser *parser, + case ELEMENT_POLICY: + case ELEMENT_LIMIT: + case ELEMENT_ALLOW: ++ case ELEMENT_CHECK: + case ELEMENT_DENY: + case ELEMENT_FORK: + case ELEMENT_PIDFILE: +@@ -316,6 +317,7 @@ bus_config_parser_content (BusConfigParser *parser, + case ELEMENT_POLICY: + case ELEMENT_LIMIT: + case ELEMENT_ALLOW: ++ case ELEMENT_CHECK: + case ELEMENT_DENY: + case ELEMENT_FORK: + case ELEMENT_PIDFILE: diff --git a/bus/config-parser.c b/bus/config-parser.c -index be27d38..b5f1dd1 100644 +index be27d38..7f91469 100644 --- a/bus/config-parser.c +++ b/bus/config-parser.c @@ -1318,7 +1318,7 @@ append_rule_from_element (BusConfigParser *parser, @@ -965,6 +1020,14 @@ index be27d38..b5f1dd1 100644 if (parser == NULL) { _DBUS_ASSERT_ERROR_IS_SET (&error); +@@ -3359,6 +3408,7 @@ elements_equal (const Element *a, + case ELEMENT_LISTEN: + case ELEMENT_AUTH: + case ELEMENT_ALLOW: ++ case ELEMENT_CHECK: + case ELEMENT_DENY: + case ELEMENT_FORK: + case ELEMENT_PIDFILE: diff --git a/bus/connection.c b/bus/connection.c index 53605fa..b348d42 100644 --- a/bus/connection.c @@ -1197,7 +1260,7 @@ index 0000000..57a4c45 + +#define USE_CYNARA_CACHE 1 +#ifdef USE_CYNARA_CACHE -+#define CYNARA_CACHE_SIZE 7000 ++#define CYNARA_CACHE_SIZE 1000 +#endif + +static dbus_bool_t bus_cynara_watch_callback(DBusWatch *watch, @@ -1664,8 +1727,20 @@ index 19228be..d3867f7 100644 _dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS); if (!bus_driver_handle_message (connection, transaction, message, &error)) +diff --git a/bus/driver.h b/bus/driver.h +index ac1289d..a7297ad 100644 +--- a/bus/driver.h ++++ b/bus/driver.h +@@ -66,5 +66,7 @@ dbus_bool_t bus_driver_send_ack_reply (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, + DBusError *error); ++dbus_bool_t bus_driver_check_message_is_for_us (DBusMessage *message, ++ DBusError *error); + + #endif /* BUS_DRIVER_H */ diff --git a/bus/policy.c b/bus/policy.c -index a37be80..7ee1ce5 100644 +index a37be80..7de92c6 100644 --- a/bus/policy.c +++ b/bus/policy.c @@ -22,6 +22,7 @@ @@ -1829,7 +1904,7 @@ index a37be80..7ee1ce5 100644 (!no_interface && strcmp (dbus_message_get_interface (message), rule->d.send.interface) != 0)) -@@ -1079,33 +1093,63 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, +@@ -1079,33 +1093,64 @@ bus_client_policy_check_can_send (BusClientPolicy *policy, } /* Use this rule */ @@ -1840,6 +1915,7 @@ index a37be80..7ee1ce5 100644 + result = BUS_RESULT_TRUE; + break; + case BUS_POLICY_RULE_ACCESS_DENY: ++ default: + result = BUS_RESULT_FALSE; + break; + case BUS_POLICY_RULE_ACCESS_CHECK: @@ -1907,7 +1983,7 @@ index a37be80..7ee1ce5 100644 eavesdropping = addressed_recipient != proposed_recipient && -@@ -1118,7 +1162,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1118,7 +1163,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, _dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping); *toggles = 0; @@ -1916,7 +1992,7 @@ index a37be80..7ee1ce5 100644 link = _dbus_list_get_first_link (&policy->rules); while (link != NULL) { -@@ -1141,19 +1185,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1141,19 +1186,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, } } @@ -1943,7 +2019,7 @@ index a37be80..7ee1ce5 100644 { _dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n"); continue; -@@ -1162,13 +1208,14 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1162,13 +1209,14 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, /* If it's a reply, the requested_reply flag kicks in */ if (dbus_message_get_reply_serial (message) != 0) { @@ -1963,7 +2039,7 @@ index a37be80..7ee1ce5 100644 continue; } -@@ -1176,7 +1223,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1176,7 +1224,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, * when the reply was not requested. requested_reply=true means the * rule always applies. */ @@ -1972,7 +2048,7 @@ index a37be80..7ee1ce5 100644 { _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n"); continue; -@@ -1199,13 +1246,13 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1199,13 +1247,13 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, /* The interface is optional in messages. For allow rules, if the message * has no interface we want to skip the rule (and thus not allow); * for deny rules, if the message has no interface we want to use the @@ -1988,7 +2064,7 @@ index a37be80..7ee1ce5 100644 (!no_interface && strcmp (dbus_message_get_interface (message), rule->d.receive.interface) != 0)) -@@ -1295,14 +1342,42 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1295,14 +1343,43 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, } /* Use this rule */ @@ -1999,6 +2075,7 @@ index a37be80..7ee1ce5 100644 + result = BUS_RESULT_TRUE; + break; + case BUS_POLICY_RULE_ACCESS_DENY: ++ default: + result = BUS_RESULT_FALSE; + break; + case BUS_POLICY_RULE_ACCESS_CHECK: @@ -2035,7 +2112,7 @@ index a37be80..7ee1ce5 100644 } -@@ -1354,7 +1429,7 @@ bus_rules_check_can_own (DBusList *rules, +@@ -1354,7 +1431,7 @@ bus_rules_check_can_own (DBusList *rules, } /* Use this rule */ @@ -2117,10 +2194,10 @@ index ec43ffa..f839d23 100644 const DBusString *service_name); dbus_bool_t bus_client_policy_append_rule (BusClientPolicy *policy, diff --git a/configure.ac b/configure.ac -index 81028ba..f21d1b2 100644 +index d1e3a29..11b5ffd 100644 --- a/configure.ac +++ b/configure.ac -@@ -1770,6 +1770,17 @@ AC_ARG_ENABLE([user-session], +@@ -1742,6 +1742,17 @@ AC_ARG_ENABLE([user-session], AM_CONDITIONAL([DBUS_ENABLE_USER_SESSION], [test "x$enable_user_session" = xyes]) @@ -2138,7 +2215,7 @@ index 81028ba..f21d1b2 100644 AC_CONFIG_FILES([ Doxyfile dbus/Version -@@ -1852,6 +1863,7 @@ echo " +@@ -1824,6 +1835,7 @@ echo " Building bus stats API: ${enable_stats} Building SELinux support: ${have_selinux} Building AppArmor support: ${have_apparmor} @@ -2147,7 +2224,7 @@ index 81028ba..f21d1b2 100644 Building kqueue support: ${have_kqueue} Building systemd support: ${have_systemd} diff --git a/test/Makefile.am b/test/Makefile.am -index 6a6e1a3..ce84dbc 100644 +index af1e13b..e6f50e1 100644 --- a/test/Makefile.am +++ b/test/Makefile.am @@ -439,6 +439,7 @@ in_data = \ @@ -2228,5 +2305,5 @@ index 0000000..47ee854 + + -- -2.17.2 +2.21.1 diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0002-Disable-message-dispatching-when-send-rule-result-is.patch similarity index 96% rename from meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch rename to meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0002-Disable-message-dispatching-when-send-rule-result-is.patch index ebbd531ff..bac8cf97f 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch +++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0002-Disable-message-dispatching-when-send-rule-result-is.patch @@ -1,7 +1,8 @@ -From aae977a0c4bb1c25640c7056166fbc4e76ef1db6 Mon Sep 17 00:00:00 2001 +From c2f4ba585c777b731df6b6b8a165b6cc4dc5d639 Mon Sep 17 00:00:00 2001 From: Jacek Bukarewicz Date: Fri, 28 Nov 2014 12:07:39 +0100 -Subject: Disable message dispatching when send rule result is not known +Subject: [PATCH 2/8] Disable message dispatching when send rule result is not + known MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -23,9 +24,23 @@ Updated for dbus 1.10.20 by Scott Murray and José Bollo Signed-off-by: José Bollo Signed-off-by: Scott Murray +--- + bus/activation.c | 76 +++++++++++-- + bus/check.c | 109 +++++++++++++++++-- + bus/check.h | 10 ++ + bus/cynara.c | 1 - + bus/dispatch.c | 184 ++++++++++++++++++++++++++++---- + bus/dispatch.h | 2 +- + bus/driver.c | 12 ++- + dbus/dbus-connection-internal.h | 15 +++ + dbus/dbus-connection.c | 125 +++++++++++++++++++++- + dbus/dbus-list.c | 29 +++++ + dbus/dbus-list.h | 3 + + dbus/dbus-shared.h | 3 +- + 12 files changed, 528 insertions(+), 41 deletions(-) diff --git a/bus/activation.c b/bus/activation.c -index f8a02eb..005047f 100644 +index f9c6c62..8301b59 100644 --- a/bus/activation.c +++ b/bus/activation.c @@ -32,6 +32,7 @@ @@ -74,11 +89,15 @@ index f8a02eb..005047f 100644 { /* If permission is denied, we just want to return the error * to the original method invoker; in particular, we don't -@@ -1266,9 +1272,40 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation +@@ -1266,11 +1272,44 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation bus_connection_send_oom_error (entry->connection, entry->activation_message); } -+ } +- + dbus_error_free (&error); + link = next; + continue; + } + else if (res == BUS_RESULT_LATER) + { + DBusList *putback_message_link = link; @@ -91,9 +110,7 @@ index f8a02eb..005047f 100644 + link = next; + continue; + } - -- link = next; -- continue; ++ + /** + * Getting here means that policy check result is not yet available and dispatching + * messages from entry->connection has been disabled. @@ -114,10 +131,11 @@ index f8a02eb..005047f 100644 + + putback_message_link = _dbus_list_get_next_link(&pending_activation->entries, putback_message_link); + } - } ++ } } -@@ -1286,6 +1323,19 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation + link = next; +@@ -1287,6 +1326,19 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation return TRUE; error: @@ -137,7 +155,7 @@ index f8a02eb..005047f 100644 return FALSE; } -@@ -2078,6 +2128,7 @@ bus_activation_activate_service (BusActivation *activation, +@@ -2079,6 +2131,7 @@ bus_activation_activate_service (BusActivation *activation, if (service != NULL) { @@ -145,7 +163,7 @@ index f8a02eb..005047f 100644 bus_context_log (activation->context, DBUS_SYSTEM_LOG_INFO, "Activating via systemd: service name='%s' unit='%s' requested by '%s' (%s)", service_name, -@@ -2085,8 +2136,17 @@ bus_activation_activate_service (BusActivation *activation, +@@ -2086,8 +2139,17 @@ bus_activation_activate_service (BusActivation *activation, bus_connection_get_name (connection), bus_connection_get_loginfo (connection)); /* Wonderful, systemd is connected, let's just send the msg */ @@ -945,5 +963,5 @@ index 7ab9103..e5bfbed 100644 /* Bus names */ -- -2.17.2 +2.21.1 diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0003-Handle-unavailability-of-policy-results-for-broadcas.patch similarity index 98% rename from meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch rename to meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0003-Handle-unavailability-of-policy-results-for-broadcas.patch index 1c2ab2bcb..7d89a7496 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch +++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0003-Handle-unavailability-of-policy-results-for-broadcas.patch @@ -1,8 +1,8 @@ -From fdc3d7086c8f7a623e3da80e559708545b9201fc Mon Sep 17 00:00:00 2001 +From 9d39aa9dd55680529d721a0389ce9ef579bb669a Mon Sep 17 00:00:00 2001 From: Jacek Bukarewicz Date: Fri, 28 Nov 2014 12:39:33 +0100 -Subject: Handle unavailability of policy results for broadcasts and receive - rules +Subject: [PATCH 3/8] Handle unavailability of policy results for broadcasts + and receive rules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -25,9 +25,22 @@ Updated for dbus 1.10.20 by Scott Murray and José Bollo Signed-off-by: José Bollo Signed-off-by: Scott Murray +--- + bus/activation.c | 4 +- + bus/bus.c | 50 ++++++-- + bus/bus.h | 19 +++ + bus/check.c | 307 +++++++++++++++++++++++++++++++++++++++++++++++ + bus/check.h | 25 ++++ + bus/connection.c | 168 ++++++++++++++++++++++++-- + bus/connection.h | 19 ++- + bus/dispatch.c | 115 +++++++++++++++--- + bus/dispatch.h | 11 +- + bus/driver.c | 2 +- + bus/policy.c | 6 + + 11 files changed, 683 insertions(+), 43 deletions(-) diff --git a/bus/activation.c b/bus/activation.c -index 005047f..ffdc6fc 100644 +index 8301b59..d4b597c 100644 --- a/bus/activation.c +++ b/bus/activation.c @@ -1259,7 +1259,7 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation @@ -39,7 +52,7 @@ index 005047f..ffdc6fc 100644 if (res == BUS_RESULT_FALSE) { /* If permission is denied, we just want to return the error -@@ -2137,7 +2137,7 @@ bus_activation_activate_service (BusActivation *activation, +@@ -2140,7 +2140,7 @@ bus_activation_activate_service (BusActivation *activation, bus_connection_get_loginfo (connection)); /* Wonderful, systemd is connected, let's just send the msg */ res = bus_dispatch_matches (activation_transaction, NULL, @@ -49,7 +62,7 @@ index 005047f..ffdc6fc 100644 if (res == BUS_RESULT_TRUE) retval = TRUE; diff --git a/bus/bus.c b/bus/bus.c -index 237efe3..5bb5637 100644 +index 6fc45d0..0aa700b 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -1800,17 +1800,9 @@ bus_context_check_security_policy (BusContext *context, @@ -1054,10 +1067,10 @@ index f414f64..d89a658 100644 retval = TRUE; else diff --git a/bus/policy.c b/bus/policy.c -index 7ee1ce5..b1fab0d 100644 +index 7de92c6..483cc97 100644 --- a/bus/policy.c +++ b/bus/policy.c -@@ -1121,6 +1121,9 @@ bus_client_policy_check_can_send (DBusConnection *sender, +@@ -1122,6 +1122,9 @@ bus_client_policy_check_can_send (DBusConnection *sender, result = bus_check_privilege(check, message, sender, addressed_recipient, receiver, privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message); @@ -1067,7 +1080,7 @@ index 7ee1ce5..b1fab0d 100644 } else privilege = NULL; -@@ -1370,6 +1373,9 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1372,6 +1375,9 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient, privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message); @@ -1078,5 +1091,5 @@ index 7ee1ce5..b1fab0d 100644 else privilege = NULL; -- -2.17.2 +2.21.1 diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0004-Add-own-rule-result-unavailability-handling.patch similarity index 98% rename from meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch rename to meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0004-Add-own-rule-result-unavailability-handling.patch index 9cb744def..9953dcaac 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch +++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0004-Add-own-rule-result-unavailability-handling.patch @@ -1,7 +1,7 @@ -From e7ae85429aa3e6d80df13b3a5a492d9ccbf42518 Mon Sep 17 00:00:00 2001 +From 28ada62c98d74285dc22b66650b09b6c8f2c28c4 Mon Sep 17 00:00:00 2001 From: Jacek Bukarewicz Date: Thu, 27 Nov 2014 11:26:21 +0100 -Subject: Add own rule result unavailability handling +Subject: [PATCH 4/8] Add own rule result unavailability handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -21,6 +21,17 @@ Updated for dbus 1.10.20 by Scott Murray and José Bollo Signed-off-by: José Bollo Signed-off-by: Scott Murray +--- + bus/dispatch.c | 11 +- + bus/driver.c | 334 ++++++++++++++++++++++++++++--------------------- + bus/driver.h | 2 +- + bus/policy.c | 52 ++++++-- + bus/policy.h | 6 +- + bus/services.c | 26 ++-- + bus/services.h | 3 +- + bus/stats.c | 23 ++-- + bus/stats.h | 6 +- + 9 files changed, 283 insertions(+), 180 deletions(-) diff --git a/bus/dispatch.c b/bus/dispatch.c index 7d30ce4..4b84c21 100644 @@ -1160,7 +1171,7 @@ index d89a658..aaeb3b2 100644 + return BUS_RESULT_FALSE; } diff --git a/bus/driver.h b/bus/driver.h -index ac1289d..183c28b 100644 +index a7297ad..05e9886 100644 --- a/bus/driver.h +++ b/bus/driver.h @@ -35,7 +35,7 @@ typedef enum @@ -1173,10 +1184,10 @@ index ac1289d..183c28b 100644 DBusMessage *message, DBusError *error); diff --git a/bus/policy.c b/bus/policy.c -index b1fab0d..27b66d1 100644 +index 483cc97..f6f4d85 100644 --- a/bus/policy.c +++ b/bus/policy.c -@@ -1388,18 +1388,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, +@@ -1390,18 +1390,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, @@ -1202,7 +1213,7 @@ index b1fab0d..27b66d1 100644 link = _dbus_list_get_first_link (&rules); while (link != NULL) { -@@ -1435,17 +1438,45 @@ bus_rules_check_can_own (DBusList *rules, +@@ -1437,17 +1440,46 @@ bus_rules_check_can_own (DBusList *rules, } /* Use this rule */ @@ -1212,6 +1223,7 @@ index b1fab0d..27b66d1 100644 + case BUS_POLICY_RULE_ACCESS_ALLOW: + result = BUS_RESULT_TRUE; + break; ++ default: + case BUS_POLICY_RULE_ACCESS_DENY: + result = BUS_RESULT_FALSE; + break; @@ -1253,7 +1265,7 @@ index b1fab0d..27b66d1 100644 } #ifdef DBUS_ENABLE_EMBEDDED_TESTS -@@ -1453,7 +1484,7 @@ dbus_bool_t +@@ -1455,7 +1487,7 @@ dbus_bool_t bus_policy_check_can_own (BusPolicy *policy, const DBusString *service_name) { @@ -1489,5 +1501,5 @@ index dcb022c..683fa17 100644 DBusMessage *message, DBusError *error); -- -2.17.2 +2.21.1 diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0005-Perform-Cynara-runtime-policy-checks-by-default.patch similarity index 93% rename from meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch rename to meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0005-Perform-Cynara-runtime-policy-checks-by-default.patch index 8ce441b05..5f7e96a3b 100644 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch +++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0005-Perform-Cynara-runtime-policy-checks-by-default.patch @@ -1,7 +1,7 @@ -From 69ba571e0daa0a7a9aa6c6b5be5d3338a89d144a Mon Sep 17 00:00:00 2001 +From 1f7ba56c9ced669951061d13b06e31d96a170e37 Mon Sep 17 00:00:00 2001 From: Jacek Bukarewicz Date: Tue, 23 Jun 2015 11:08:48 +0200 -Subject: Perform Cynara runtime policy checks by default +Subject: [PATCH 5/8] Perform Cynara runtime policy checks by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -29,12 +29,17 @@ Updated for dbus 1.10.20 by Scott Murray and José Bollo Signed-off-by: Jacek Bukarewicz Signed-off-by: José Bollo Signed-off-by: Scott Murray +--- + bus/activation.c | 42 ++++++++++++++++++++++++++---------------- + bus/session.conf.in | 32 ++++++++++++++++++++++++++------ + bus/system.conf.in | 19 +++++++++++++++---- + 3 files changed, 67 insertions(+), 26 deletions(-) diff --git a/bus/activation.c b/bus/activation.c -index ffdc6fc..6a95b95 100644 +index d4b597c..8aabeaa 100644 --- a/bus/activation.c +++ b/bus/activation.c -@@ -1837,22 +1837,32 @@ bus_activation_activate_service (BusActivation *activation, +@@ -1840,22 +1840,32 @@ bus_activation_activate_service (BusActivation *activation, } if (auto_activation && @@ -171,5 +176,5 @@ index f139b55..19d0c04 100644 Date: Fri, 16 Aug 2019 13:29:23 +0200 -Subject: [PATCH 7/8] Fix SIGSEGV on disconnections +Subject: [PATCH 6/8] Fix SIGSEGV on disconnections MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -105,5 +105,5 @@ index 97dae96..6af7bf1 100644 /* called by signals.c */ -- -2.17.2 +2.21.1 diff --git a/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch new file mode 100644 index 000000000..7a69efcd2 --- /dev/null +++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch @@ -0,0 +1,1048 @@ +From 43cc361a5c32c81c0f93451bdb0ef781cd19a1cb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= +Date: Tue, 4 Feb 2020 12:23:36 +0100 +Subject: [PATCH 7/8] Switch from cynara to cynagora +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: José Bollo +--- + bus/Makefile.am | 8 +- + bus/bus.h | 2 +- + bus/check.c | 26 +- + bus/check.h | 2 +- + bus/connection.c | 27 --- + bus/connection.h | 3 - + bus/cynagora-check.c | 330 +++++++++++++++++++++++++ + bus/{cynara.h => cynagora-check.h} | 10 +- + bus/cynara.c | 373 ----------------------------- + bus/system.conf.in | 6 +- + configure.ac | 18 +- + 11 files changed, 366 insertions(+), 439 deletions(-) + create mode 100644 bus/cynagora-check.c + rename bus/{cynara.h => cynagora-check.h} (81%) + delete mode 100644 bus/cynara.c + +diff --git a/bus/Makefile.am b/bus/Makefile.am +index 2a8a72c..1720048 100644 +--- a/bus/Makefile.am ++++ b/bus/Makefile.am +@@ -13,7 +13,7 @@ DBUS_BUS_LIBS = \ + $(THREAD_LIBS) \ + $(ADT_LIBS) \ + $(NETWORK_libs) \ +- $(CYNARA_LIBS) \ ++ $(CYNAGORA_LIBS) \ + $(NULL) + + DBUS_LAUNCHER_LIBS = \ +@@ -31,7 +31,7 @@ AM_CPPFLAGS = \ + $(APPARMOR_CFLAGS) \ + -DDBUS_SYSTEM_CONFIG_FILE=\""$(dbusdatadir)/system.conf"\" \ + -DDBUS_COMPILATION \ +- $(CYNARA_CFLAGS) \ ++ $(CYNAGORA_CFLAGS) \ + $(NULL) + + # if assertions are enabled, improve backtraces +@@ -101,8 +101,8 @@ BUS_SOURCES= \ + config-parser-common.h \ + connection.c \ + connection.h \ +- cynara.c \ +- cynara.h \ ++ cynagora-check.c \ ++ cynagora-check.h \ + desktop-file.c \ + desktop-file.h \ + $(DIR_WATCH_SOURCE) \ +diff --git a/bus/bus.h b/bus/bus.h +index 1b08f7c..e167d9e 100644 +--- a/bus/bus.h ++++ b/bus/bus.h +@@ -47,7 +47,7 @@ typedef struct BusMatchRule BusMatchRule; + typedef struct BusActivationEntry BusActivationEntry; + typedef struct BusCheck BusCheck; + typedef struct BusDeferredMessage BusDeferredMessage; +-typedef struct BusCynara BusCynara; ++typedef struct BusCynagora BusCynagora; + + /** + * BusResult is defined as a pointer to a dummy structure to allow detection of type mismatches. +diff --git a/bus/check.c b/bus/check.c +index b73d08b..ec30770 100644 +--- a/bus/check.c ++++ b/bus/check.c +@@ -26,7 +26,7 @@ + #include "check.h" + #include "connection.h" + #include "dispatch.h" +-#include "cynara.h" ++#include "cynagora-check.h" + #include "utils.h" + #include + #include +@@ -38,7 +38,7 @@ typedef struct BusCheck + int refcount; + + BusContext *context; +- BusCynara *cynara; ++ BusCynagora *cynagora; + } BusCheck; + + typedef struct BusDeferredMessage +@@ -81,7 +81,7 @@ bus_check_new (BusContext *context, DBusError *error) + + check->refcount = 1; + check->context = context; +- check->cynara = bus_cynara_new(check, error); ++ check->cynagora = bus_cynagora_new(check, error); + if (dbus_error_is_set(error)) + { + dbus_message_free_data_slot(&deferred_message_data_slot); +@@ -110,7 +110,7 @@ bus_check_unref (BusCheck *check) + + if (check->refcount == 0) + { +- bus_cynara_unref(check->cynara); ++ bus_cynagora_unref(check->cynagora); + dbus_message_free_data_slot(&deferred_message_data_slot); + dbus_free(check); + } +@@ -122,10 +122,10 @@ bus_check_get_context (BusCheck *check) + return check->context; + } + +-BusCynara * +-bus_check_get_cynara (BusCheck *check) ++BusCynagora * ++bus_check_get_cynagora (BusCheck *check) + { +- return check->cynara; ++ return check->cynagora; + } + + static void +@@ -276,8 +276,8 @@ bus_check_privilege (BusCheck *check, + { + BusDeferredMessage *previous_deferred_message; + BusResult result = BUS_RESULT_FALSE; +-#ifdef DBUS_ENABLE_CYNARA +- BusCynara *cynara; ++#ifdef DBUS_ENABLE_CYNAGORA ++ BusCynagora *cynagora; + #endif + DBusConnection *connection; + +@@ -304,7 +304,7 @@ bus_check_privilege (BusCheck *check, + * Message has been deferred due to receive or own rule which means that sending this message + * is allowed - it must have been checked previously. + * This might happen when client calls RequestName method which depending on security +- * policy might result in both "can_send" and "can_own" Cynara checks. ++ * policy might result in both "can_send" and "can_own" Cynagora checks. + */ + result = BUS_RESULT_TRUE; + } +@@ -327,9 +327,9 @@ bus_check_privilege (BusCheck *check, + else + { + /* ask policy checkers */ +-#ifdef DBUS_ENABLE_CYNARA +- cynara = bus_check_get_cynara(check); +- result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient, ++#ifdef DBUS_ENABLE_CYNAGORA ++ cynagora = bus_check_get_cynagora(check); ++ result = bus_cynagora_check_privilege(cynagora, message, sender, addressed_recipient, + proposed_recipient, privilege, check_type, deferred_message); + #endif + if (result == BUS_RESULT_LATER && deferred_message != NULL) +diff --git a/bus/check.h b/bus/check.h +index d718a69..ab63c18 100644 +--- a/bus/check.h ++++ b/bus/check.h +@@ -45,7 +45,7 @@ BusCheck *bus_check_ref (BusCheck *check); + void bus_check_unref (BusCheck *check); + + BusContext *bus_check_get_context (BusCheck *check); +-BusCynara *bus_check_get_cynara (BusCheck *check); ++BusCynagora *bus_check_get_cynagora (BusCheck *check); + BusResult bus_check_privilege (BusCheck *check, + DBusMessage *message, + DBusConnection *sender, +diff --git a/bus/connection.c b/bus/connection.c +index b520d57..48910e0 100644 +--- a/bus/connection.c ++++ b/bus/connection.c +@@ -38,10 +38,6 @@ + #include + #include + #include +-#ifdef DBUS_ENABLE_CYNARA +-#include +-#include +-#endif + + /* Trim executed commands to this length; we want to keep logs readable */ + #define MAX_LOG_COMMAND_LEN 50 +@@ -124,9 +120,6 @@ typedef struct + + /** non-NULL if and only if this is a monitor */ + DBusList *link_in_monitors; +-#ifdef DBUS_ENABLE_CYNARA +- char *cynara_session_id; +-#endif + } BusConnectionData; + + static dbus_bool_t bus_pending_reply_expired (BusExpireList *list, +@@ -461,10 +454,6 @@ free_connection_data (void *data) + + dbus_free (d->name); + +-#ifdef DBUS_ENABLE_CYNARA +- free (d->cynara_session_id); +-#endif +- + dbus_free (d); + } + +@@ -1095,22 +1084,6 @@ bus_connection_get_policy (DBusConnection *connection) + return d->policy; + } + +-#ifdef DBUS_ENABLE_CYNARA +-const char *bus_connection_get_cynara_session_id (DBusConnection *connection) +-{ +- BusConnectionData *d = BUS_CONNECTION_DATA (connection); +- _dbus_assert (d != NULL); +- +- if (d->cynara_session_id == NULL) +- { +- unsigned long pid; +- if (dbus_connection_get_unix_process_id(connection, &pid)) +- d->cynara_session_id = cynara_session_from_pid(pid); +- } +- return d->cynara_session_id; +-} +-#endif +- + static dbus_bool_t + foreach_active (BusConnections *connections, + BusConnectionForeachFunction function, +diff --git a/bus/connection.h b/bus/connection.h +index 6af7bf1..3116bcf 100644 +--- a/bus/connection.h ++++ b/bus/connection.h +@@ -138,9 +138,6 @@ dbus_bool_t bus_connection_be_monitor (DBusConnection *connection, + BusTransaction *transaction, + DBusList **rules, + DBusError *error); +-#ifdef DBUS_ENABLE_CYNARA +-const char *bus_connection_get_cynara_session_id (DBusConnection *connection); +-#endif + + /* transaction API so we can send or not send a block of messages as a whole */ + +diff --git a/bus/cynagora-check.c b/bus/cynagora-check.c +new file mode 100644 +index 0000000..6c0c635 +--- /dev/null ++++ b/bus/cynagora-check.c +@@ -0,0 +1,330 @@ ++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */ ++/* cynagora.c Cynagora runtime privilege checking ++ * ++ * Copyright (c) 2014 Samsung Electronics, Ltd. ++ * ++ * Licensed under the Academic Free License version 2.1 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ */ ++ ++#include ++#include "cynagora-check.h" ++#include "check.h" ++#include "utils.h" ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#ifndef DBUS_ENABLE_CYNAGORA ++ ++BusCynagora * ++bus_cynagora_new(BusCheck *check, DBusError *error) ++{ ++ return NULL; ++} ++ ++BusCynagora * ++bus_cynagora_ref (BusCynagora *cynagora) ++{ ++ return NULL; ++} ++ ++void ++bus_cynagora_unref (BusCynagora *cynagora) ++{ ++} ++ ++BusResult ++bus_cynagora_check_privilege (BusCynagora *cynagora, ++ DBusMessage *message, ++ DBusConnection *sender, ++ DBusConnection *addressed_recipient, ++ DBusConnection *proposed_recipient, ++ const char *privilege, ++ BusDeferredMessageStatus check_type, ++ BusDeferredMessage **deferred_message_param) ++{ ++ return BUS_RESULT_FALSE; ++} ++ ++#endif ++ ++#ifdef DBUS_ENABLE_CYNAGORA ++ ++#include ++#include ++ ++#include ++ ++#ifndef CYNAGORA_CACHE_SIZE ++#define CYNAGORA_CACHE_SIZE 8000 ++#endif ++ ++typedef struct BusCynagora ++{ ++ int refcount; ++ ++ BusContext *context; ++ BusCheck *check; ++ cynagora_t *cynagora; ++ DBusWatch *cynagora_watch; ++} BusCynagora; ++ ++static int async_callback(void *closure, ++ int op, ++ int fd, ++ uint32_t events); ++ ++BusCynagora * ++bus_cynagora_new(BusCheck *check, DBusError *error) ++{ ++ BusContext *context; ++ BusCynagora *cynagora; ++ int ret; ++ ++ cynagora = dbus_new(BusCynagora, 1); ++ if (cynagora == NULL) ++ { ++ BUS_SET_OOM(error); ++ return NULL; ++ } ++ ++ context = bus_check_get_context(check); ++ ++ cynagora->refcount = 1; ++ cynagora->check = check; ++ cynagora->context = context; ++ cynagora->cynagora_watch = NULL; ++ ++ ret = cynagora_create(&cynagora->cynagora, cynagora_Check, CYNAGORA_CACHE_SIZE, NULL); ++ if (ret < 0) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to create Cynagora configuration"); ++ } ++ else ++ { ++ ret = cynagora_async_setup(cynagora->cynagora, async_callback, cynagora); ++ if (ret < 0) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to initialize Cynagora client"); ++ } ++ else ++ { ++ return cynagora; ++ } ++ cynagora_destroy(cynagora->cynagora); ++ } ++ ++ dbus_free(cynagora); ++ return NULL; ++} ++ ++BusCynagora * ++bus_cynagora_ref (BusCynagora *cynagora) ++{ ++ _dbus_assert (cynagora->refcount > 0); ++ cynagora->refcount += 1; ++ ++ return cynagora; ++} ++ ++void ++bus_cynagora_unref (BusCynagora *cynagora) ++{ ++ _dbus_assert (cynagora->refcount > 0); ++ ++ cynagora->refcount -= 1; ++ ++ if (cynagora->refcount == 0) ++ { ++ cynagora_destroy(cynagora->cynagora); ++ dbus_free(cynagora); ++ } ++} ++ ++static void ++async_check_callback (void *closure, int status) ++{ ++ BusDeferredMessage *deferred_message = closure; ++ BusResult result; ++ ++ if (deferred_message == NULL) ++ return; ++ ++ if (status == 1) ++ result = BUS_RESULT_TRUE; ++ else ++ result = BUS_RESULT_FALSE; ++ ++ bus_deferred_message_response_received(deferred_message, result); ++ bus_deferred_message_unref(deferred_message); ++} ++ ++BusResult ++bus_cynagora_check_privilege (BusCynagora *cynagora, ++ DBusMessage *message, ++ DBusConnection *sender, ++ DBusConnection *addressed_recipient, ++ DBusConnection *proposed_recipient, ++ const char *permission, ++ BusDeferredMessageStatus check_type, ++ BusDeferredMessage **deferred_message_param) ++{ ++ int result; ++ unsigned long uid; ++ unsigned long pid; ++ char *label; ++ char user[32]; ++ char session[32]; ++ DBusConnection *connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender; ++ BusDeferredMessage *deferred_message; ++ BusResult ret; ++ cynagora_key_t key; ++ ++ _dbus_assert(connection != NULL); ++ ++ if (dbus_connection_get_unix_user(connection, &uid) == FALSE) ++ return BUS_RESULT_FALSE; ++ ++ if (dbus_connection_get_unix_process_id(connection, &pid) == FALSE) ++ return BUS_RESULT_FALSE; ++ ++ if (_dbus_connection_get_linux_security_label(connection, &label) == FALSE || label == NULL) ++ { ++ _dbus_warn("Failed to obtain security label for connection\n"); ++ return BUS_RESULT_FALSE; ++ } ++ ++ snprintf(user, sizeof(user), "%lu", uid); ++ snprintf(session, sizeof(session), "%lu", pid); ++ ++ key.client = label; ++ key.session = session; ++ key.user = user; ++ key.permission = permission; ++ ++ result = cynagora_cache_check(cynagora->cynagora, &key); ++ switch (result) ++ { ++ case 1: ++ _dbus_verbose("Cynagora: got ALLOWED answer from cache (client=%s session_id=%s user=%s permission=%s)\n", ++ label, session_id, user, permission); ++ ret = BUS_RESULT_TRUE; ++ break; ++ ++ case 0: ++ _dbus_verbose("Cynagora: got DENIED answer from cache (client=%s session_id=%s user=%s permission=%s)\n", ++ label, session_id, user, permission); ++ ret = BUS_RESULT_FALSE; ++ break; ++ ++ default: ++ deferred_message = bus_deferred_message_new(message, sender, addressed_recipient, ++ proposed_recipient, BUS_RESULT_LATER); ++ if (deferred_message == NULL) ++ { ++ _dbus_verbose("Failed to allocate memory for deferred message\n"); ++ ret = BUS_RESULT_FALSE; ++ goto out; ++ } ++ ++ /* callback is supposed to unref deferred_message*/ ++ result = cynagora_async_check(cynagora->cynagora, &key, 1, 0, async_check_callback, deferred_message); ++ if (result == 0) ++ { ++ _dbus_verbose("Created Cynagora request: client=%s session_id=%s user=%s permission=%s " ++ "deferred_message=%p\n", label, session_id, user, permission, deferred_message); ++ if (deferred_message_param != NULL) ++ *deferred_message_param = deferred_message; ++ ret = BUS_RESULT_LATER; ++ } ++ else ++ { ++ _dbus_verbose("Error on cynagora request create: %i\n", result); ++ bus_deferred_message_unref(deferred_message); ++ ret = BUS_RESULT_FALSE; ++ } ++ break; ++ } ++out: ++ dbus_free(label); ++ return ret; ++} ++ ++static dbus_bool_t ++watch_handler_callback(DBusWatch *watch, ++ unsigned int flags, ++ void *data) ++{ ++ BusCynagora *cynagora = (BusCynagora *)data; ++ int result = cynagora_async_process(cynagora->cynagora); ++ if (result < 0) ++ _dbus_verbose("cynagora_async_process returned %d\n", result); ++ ++ return result != -ENOMEM ? TRUE : FALSE; ++} ++ ++static int ++async_callback(void *closure, int op, int fd, uint32_t events) ++{ ++ BusCynagora *cynagora = (BusCynagora *)closure; ++ DBusLoop *loop = bus_context_get_loop(cynagora->context); ++ unsigned int flags; ++ DBusWatch *watch; ++ ++ /* compute flags */ ++ flags = 0; ++ if (events & EPOLLIN) ++ flags |= DBUS_WATCH_READABLE; ++ if (events & EPOLLOUT) ++ flags |= DBUS_WATCH_WRITABLE; ++ ++ /* remove the watch if needed */ ++ watch = cynagora->cynagora_watch; ++ if (watch != NULL) ++ { ++ cynagora->cynagora_watch = NULL; ++ _dbus_loop_remove_watch(loop, watch); ++ _dbus_watch_invalidate(watch); ++ _dbus_watch_unref(watch); ++ } ++ ++ /* create the watch if needed */ ++ watch = cynagora->cynagora_watch; ++ if (op != EPOLL_CTL_DEL) ++ { ++ watch = _dbus_watch_new(fd, flags, TRUE, watch_handler_callback, cynagora, NULL); ++ if (watch == NULL) ++ return -ENOMEM; ++ if (_dbus_loop_add_watch(loop, watch) != TRUE) ++ { ++ _dbus_watch_invalidate(watch); ++ _dbus_watch_unref(watch); ++ return -ENOMEM; ++ } ++ cynagora->cynagora_watch = watch; ++ } ++ return 0; ++} ++ ++#endif /* DBUS_ENABLE_CYNAGORA */ +diff --git a/bus/cynara.h b/bus/cynagora-check.h +similarity index 81% +rename from bus/cynara.h +rename to bus/cynagora-check.h +index c4728bb..c0892c3 100644 +--- a/bus/cynara.h ++++ b/bus/cynagora-check.h +@@ -1,5 +1,5 @@ + /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */ +-/* cynara.h Cynara runtime privilege checking ++/* cynagora.h Cynagora runtime privilege checking + * + * Copyright (c) 2014 Samsung Electronics, Ltd. + * +@@ -24,10 +24,10 @@ + #include "bus.h" + #include "check.h" + +-BusCynara *bus_cynara_new (BusCheck *check, DBusError *error); +-BusCynara *bus_cynara_ref (BusCynara *cynara); +-void bus_cynara_unref (BusCynara *cynara); +-BusResult bus_cynara_check_privilege (BusCynara *cynara, ++BusCynagora *bus_cynagora_new (BusCheck *check, DBusError *error); ++BusCynagora *bus_cynagora_ref (BusCynagora *cynagora); ++void bus_cynagora_unref (BusCynagora *cynagora); ++BusResult bus_cynagora_check_privilege (BusCynagora *cynagora, + DBusMessage *message, + DBusConnection *sender, + DBusConnection *addressed_recipient, +diff --git a/bus/cynara.c b/bus/cynara.c +deleted file mode 100644 +index 77aed62..0000000 +--- a/bus/cynara.c ++++ /dev/null +@@ -1,373 +0,0 @@ +-/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */ +-/* cynara.c Cynara runtime privilege checking +- * +- * Copyright (c) 2014 Samsung Electronics, Ltd. +- * +- * Licensed under the Academic Free License version 2.1 +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; either version 2 of the License, or +- * (at your option) any later version. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this program; if not, write to the Free Software +- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +- * +- */ +- +-#include +-#include "cynara.h" +-#include "check.h" +-#include "utils.h" +- +-#include +- +-#include +-#include +-#include +-#include +-#ifdef DBUS_ENABLE_CYNARA +-#include +-#endif +- +-#ifdef DBUS_ENABLE_CYNARA +-typedef struct BusCynara +-{ +- int refcount; +- +- BusContext *context; +- BusCheck *check; +- cynara_async *cynara; +- DBusWatch *cynara_watch; +-} BusCynara; +- +-#define USE_CYNARA_CACHE 1 +-#ifdef USE_CYNARA_CACHE +-#define CYNARA_CACHE_SIZE 1000 +-#endif +- +-static dbus_bool_t bus_cynara_watch_callback(DBusWatch *watch, +- unsigned int flags, +- void *data); +- +-static void status_callback(int old_fd, +- int new_fd, +- cynara_async_status status, +- void *user_status_data); +-static void bus_cynara_check_response_callback (cynara_check_id check_id, +- cynara_async_call_cause cause, +- int response, +- void *user_response_data); +-#endif +- +- +-BusCynara * +-bus_cynara_new(BusCheck *check, DBusError *error) +-{ +-#ifdef DBUS_ENABLE_CYNARA +- BusContext *context; +- BusCynara *cynara; +- cynara_async_configuration *conf = NULL; +- int ret; +- +- cynara = dbus_new(BusCynara, 1); +- if (cynara == NULL) +- { +- BUS_SET_OOM(error); +- return NULL; +- } +- +- context = bus_check_get_context(check); +- +- cynara->refcount = 1; +- cynara->check = check; +- cynara->context = context; +- cynara->cynara_watch = NULL; +- +- ret = cynara_async_configuration_create(&conf); +- if (ret != CYNARA_API_SUCCESS) +- { +- dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to create Cynara configuration"); +- goto out; +- } +- +-#ifdef CYNARA_CACHE_SIZE +- ret = cynara_async_configuration_set_cache_size(conf, CYNARA_CACHE_SIZE); +- if (ret != CYNARA_API_SUCCESS) +- { +- dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to Cynara cache size"); +- goto out; +- } +-#endif +- +- ret = cynara_async_initialize(&cynara->cynara, conf, &status_callback, cynara); +- if (ret != CYNARA_API_SUCCESS) +- { +- dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to initialize Cynara client"); +- goto out; +- } +- +-out: +- cynara_async_configuration_destroy(conf); +- if (ret != CYNARA_API_SUCCESS) +- { +- dbus_free(cynara); +- return NULL; +- } +- +- return cynara; +-#else +- return NULL; +-#endif +-} +- +-BusCynara * +-bus_cynara_ref (BusCynara *cynara) +-{ +-#ifdef DBUS_ENABLE_CYNARA +- _dbus_assert (cynara->refcount > 0); +- cynara->refcount += 1; +- +- return cynara; +-#else +- return NULL; +-#endif +-} +- +-void +-bus_cynara_unref (BusCynara *cynara) +-{ +-#ifdef DBUS_ENABLE_CYNARA +- _dbus_assert (cynara->refcount > 0); +- +- cynara->refcount -= 1; +- +- if (cynara->refcount == 0) +- { +- cynara_async_finish(cynara->cynara); +- dbus_free(cynara); +- } +-#endif +-} +- +-BusResult +-bus_cynara_check_privilege (BusCynara *cynara, +- DBusMessage *message, +- DBusConnection *sender, +- DBusConnection *addressed_recipient, +- DBusConnection *proposed_recipient, +- const char *privilege, +- BusDeferredMessageStatus check_type, +- BusDeferredMessage **deferred_message_param) +-{ +-#ifdef DBUS_ENABLE_CYNARA +- int result; +- unsigned long uid; +- char *label; +- const char *session_id; +- char user[32]; +- cynara_check_id check_id; +- DBusConnection *connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender; +- BusDeferredMessage *deferred_message; +- BusResult ret; +- +- _dbus_assert(connection != NULL); +- +- if (dbus_connection_get_unix_user(connection, &uid) == FALSE) +- return BUS_RESULT_FALSE; +- +- if (_dbus_connection_get_linux_security_label(connection, &label) == FALSE || label == NULL) +- { +- _dbus_warn("Failed to obtain security label for connection\n"); +- return BUS_RESULT_FALSE; +- } +- +- session_id = bus_connection_get_cynara_session_id (connection); +- if (session_id == NULL) +- { +- ret = BUS_RESULT_FALSE; +- goto out; +- } +- +- snprintf(user, sizeof(user), "%lu", uid); +- +-#if USE_CYNARA_CACHE +- result = cynara_async_check_cache(cynara->cynara, label, session_id, user, privilege); +-#else +- result = CYNARA_API_CACHE_MISS; +-#endif +- +- switch (result) +- { +- case CYNARA_API_ACCESS_ALLOWED: +- _dbus_verbose("Cynara: got ALLOWED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n", +- label, session_id, user, privilege); +- ret = BUS_RESULT_TRUE; +- break; +- +- case CYNARA_API_ACCESS_DENIED: +- _dbus_verbose("Cynara: got DENIED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n", +- label, session_id, user, privilege); +- ret = BUS_RESULT_FALSE; +- break; +- +- case CYNARA_API_CACHE_MISS: +- deferred_message = bus_deferred_message_new(message, sender, addressed_recipient, +- proposed_recipient, BUS_RESULT_LATER); +- if (deferred_message == NULL) +- { +- _dbus_verbose("Failed to allocate memory for deferred message\n"); +- ret = BUS_RESULT_FALSE; +- goto out; +- } +- +- /* callback is supposed to unref deferred_message*/ +- result = cynara_async_create_request(cynara->cynara, label, session_id, user, privilege, &check_id, +- &bus_cynara_check_response_callback, deferred_message); +- if (result == CYNARA_API_SUCCESS) +- { +- _dbus_verbose("Created Cynara request: client=%s session_id=%s user=%s privilege=%s check_id=%u " +- "deferred_message=%p\n", label, session_id, user, privilege, (unsigned int)check_id, deferred_message); +- if (deferred_message_param != NULL) +- *deferred_message_param = deferred_message; +- ret = BUS_RESULT_LATER; +- } +- else +- { +- _dbus_verbose("Error on cynara request create: %i\n", result); +- bus_deferred_message_unref(deferred_message); +- ret = BUS_RESULT_FALSE; +- } +- break; +- default: +- _dbus_verbose("Error when accessing Cynara cache: %i\n", result); +- ret = BUS_RESULT_FALSE; +- } +-out: +- dbus_free(label); +- return ret; +- +-#else +- return BUS_RESULT_FALSE; +-#endif +-} +- +- +- +-#ifdef DBUS_ENABLE_CYNARA +-static void +-status_callback(int old_fd, int new_fd, cynara_async_status status, +- void *user_status_data) +-{ +- BusCynara *cynara = (BusCynara *)user_status_data; +- DBusLoop *loop = bus_context_get_loop(cynara->context); +- +- if (cynara->cynara_watch != NULL) +- { +- _dbus_loop_remove_watch(loop, cynara->cynara_watch); +- _dbus_watch_invalidate(cynara->cynara_watch); +- _dbus_watch_unref(cynara->cynara_watch); +- cynara->cynara_watch = NULL; +- } +- +- if (new_fd != -1) +- { +- unsigned int flags; +- DBusWatch *watch; +- +- switch (status) +- { +- case CYNARA_STATUS_FOR_READ: +- flags = DBUS_WATCH_READABLE; +- break; +- case CYNARA_STATUS_FOR_RW: +- flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE; +- break; +- default: +- /* Cynara passed unknown status - warn and add RW watch */ +- _dbus_verbose("Cynara passed unknown status value: 0x%08X\n", (unsigned int)status); +- flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE; +- break; +- } +- +- watch = _dbus_watch_new(new_fd, flags, TRUE, &bus_cynara_watch_callback, cynara, NULL); +- if (watch != NULL) +- { +- if (_dbus_loop_add_watch(loop, watch) == TRUE) +- { +- cynara->cynara_watch = watch; +- return; +- } +- +- _dbus_watch_invalidate(watch); +- _dbus_watch_unref(watch); +- } +- +- /* It seems like not much can be done at this point. Cynara events won't be processed +- * until next Cynara function call triggering status callback */ +- _dbus_verbose("Failed to add dbus watch\n"); +- } +-} +- +-static dbus_bool_t +-bus_cynara_watch_callback(DBusWatch *watch, +- unsigned int flags, +- void *data) +-{ +- BusCynara *cynara = (BusCynara *)data; +- int result = cynara_async_process(cynara->cynara); +- if (result != CYNARA_API_SUCCESS) +- _dbus_verbose("cynara_async_process returned %d\n", result); +- +- return result != CYNARA_API_OUT_OF_MEMORY ? TRUE : FALSE; +-} +- +-static inline const char * +-call_cause_to_string(cynara_async_call_cause cause) +-{ +- switch (cause) +- { +- case CYNARA_CALL_CAUSE_ANSWER: +- return "ANSWER"; +- case CYNARA_CALL_CAUSE_CANCEL: +- return "CANCEL"; +- case CYNARA_CALL_CAUSE_FINISH: +- return "FINSIH"; +- case CYNARA_CALL_CAUSE_SERVICE_NOT_AVAILABLE: +- return "SERVICE NOT AVAILABLE"; +- default: +- return "INVALID"; +- } +-} +- +-static void +-bus_cynara_check_response_callback (cynara_check_id check_id, +- cynara_async_call_cause cause, +- int response, +- void *user_response_data) +-{ +- BusDeferredMessage *deferred_message = user_response_data; +- BusResult result; +- +- _dbus_verbose("Cynara callback: check_id=%u, cause=%s response=%i response_data=%p\n", +- (unsigned int)check_id, call_cause_to_string(cause), response, user_response_data); +- +- if (deferred_message == NULL) +- return; +- +- if (cause == CYNARA_CALL_CAUSE_ANSWER && response == CYNARA_API_ACCESS_ALLOWED) +- result = BUS_RESULT_TRUE; +- else +- result = BUS_RESULT_FALSE; +- +- bus_deferred_message_response_received(deferred_message, result); +- bus_deferred_message_unref(deferred_message); +-} +- +-#endif /* DBUS_ENABLE_CYNARA */ +diff --git a/bus/system.conf.in b/bus/system.conf.in +index 19d0c04..81c39c8 100644 +--- a/bus/system.conf.in ++++ b/bus/system.conf.in +@@ -72,10 +72,10 @@ + send_interface="org.freedesktop.DBus.Introspectable"/> + +- + +diff --git a/configure.ac b/configure.ac +index 11b5ffd..df9341c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1742,16 +1742,16 @@ AC_ARG_ENABLE([user-session], + AM_CONDITIONAL([DBUS_ENABLE_USER_SESSION], + [test "x$enable_user_session" = xyes]) + +-#enable cynara integration +-AC_ARG_ENABLE([cynara], [AS_HELP_STRING([--enable-cynara], [enable Cynara integration])], [], [enable_cynara=no]) +-if test "x$enable_cynara" = xyes; then +- PKG_CHECK_MODULES([CYNARA], [cynara-client-async >= 0.6.0 cynara-session >= 0.6.0], +- [AC_DEFINE([DBUS_ENABLE_CYNARA], [1], [Define to enable Cynara privilege checks in dbus-daemon])], +- [AC_MSG_ERROR([libcynara-client-async and cynara-session are required to enable Cynara integration])]) ++#enable cynagora integration ++AC_ARG_ENABLE([cynagora], [AS_HELP_STRING([--enable-cynagora], [enable Cynagora integration])], [], [enable_cynagora=no]) ++if test "x$enable_cynagora" = xyes; then ++ PKG_CHECK_MODULES([CYNAGORA], [cynagora], ++ [AC_DEFINE([DBUS_ENABLE_CYNAGORA], [1], [Define to enable Cynagora privilege checks in dbus-daemon])], ++ [AC_MSG_ERROR([libcynagora is required to enable Cynagora integration])]) + fi + +-AC_SUBST([CYNARA_CFLAGS]) +-AC_SUBST([CYNARA_LIBS]) ++AC_SUBST([CYNAGORA_CFLAGS]) ++AC_SUBST([CYNAGORA_LIBS]) + + AC_CONFIG_FILES([ + Doxyfile +@@ -1835,7 +1835,7 @@ echo " + Building bus stats API: ${enable_stats} + Building SELinux support: ${have_selinux} + Building AppArmor support: ${have_apparmor} +- Building Cynara support: ${enable_cynara} ++ Building Cynagora support: ${enable_cynagora} + Building inotify support: ${have_inotify} + Building kqueue support: ${have_kqueue} + Building systemd support: ${have_systemd} +-- +2.21.1 + diff --git a/meta-security/recipes-core/dbus-cynagora/dbus_1.12.16.bbappend b/meta-security/recipes-core/dbus-cynagora/dbus_1.12.16.bbappend new file mode 100644 index 000000000..177a117b8 --- /dev/null +++ b/meta-security/recipes-core/dbus-cynagora/dbus_1.12.16.bbappend @@ -0,0 +1,15 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/dbus-cynagora:" + +SRC_URI_append_class-target = "\ + file://0001-Integration-of-Cynara-asynchronous-security-checks.patch \ + file://0002-Disable-message-dispatching-when-send-rule-result-is.patch \ + file://0003-Handle-unavailability-of-policy-results-for-broadcas.patch \ + file://0004-Add-own-rule-result-unavailability-handling.patch \ + file://0005-Perform-Cynara-runtime-policy-checks-by-default.patch \ + file://0006-Fix-SIGSEGV-on-disconnections.patch \ + file://0007-Switch-from-cynara-to-cynagora.patch \ +" + +DEPENDS_append_class-target = " cynagora smack" +EXTRA_OECONF_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES','smack','--enable-cynagora --disable-selinux','',d)}" + diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0006-Fix-gcc-8-warnings.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0006-Fix-gcc-8-warnings.patch deleted file mode 100644 index 30fac9693..000000000 --- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0006-Fix-gcc-8-warnings.patch +++ /dev/null @@ -1,134 +0,0 @@ -From 988958f40a2e0575df3d4d48101612713737a5db Mon Sep 17 00:00:00 2001 -From: Jose Bollo -Date: Wed, 29 May 2019 16:32:50 +0200 -Subject: Fix gcc 8 warnings -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Compiling with -Werror isn't possible without adaptation -of the code. - -Signed-off-by: José Bollo - -diff --git a/bus/config-parser-trivial.c b/bus/config-parser-trivial.c -index dd65c6d..23dedb4 100644 ---- a/bus/config-parser-trivial.c -+++ b/bus/config-parser-trivial.c -@@ -194,6 +194,7 @@ bus_config_parser_start_element (BusConfigParser *parser, - case ELEMENT_POLICY: - case ELEMENT_LIMIT: - case ELEMENT_ALLOW: -+ case ELEMENT_CHECK: - case ELEMENT_DENY: - case ELEMENT_FORK: - case ELEMENT_PIDFILE: -@@ -316,6 +317,7 @@ bus_config_parser_content (BusConfigParser *parser, - case ELEMENT_POLICY: - case ELEMENT_LIMIT: - case ELEMENT_ALLOW: -+ case ELEMENT_CHECK: - case ELEMENT_DENY: - case ELEMENT_FORK: - case ELEMENT_PIDFILE: -diff --git a/bus/config-parser.c b/bus/config-parser.c -index b5f1dd1..7f91469 100644 ---- a/bus/config-parser.c -+++ b/bus/config-parser.c -@@ -3408,6 +3408,7 @@ elements_equal (const Element *a, - case ELEMENT_LISTEN: - case ELEMENT_AUTH: - case ELEMENT_ALLOW: -+ case ELEMENT_CHECK: - case ELEMENT_DENY: - case ELEMENT_FORK: - case ELEMENT_PIDFILE: -diff --git a/bus/desktop-file.c b/bus/desktop-file.c -index 4459858..4a27ee3 100644 ---- a/bus/desktop-file.c -+++ b/bus/desktop-file.c -@@ -382,7 +382,7 @@ is_valid_section_name (const char *name) - - while (*name) - { -- if (!((*name >= 'A' && *name <= 'Z') || (*name >= 'a' || *name <= 'z') || -+ if (!((*name >= ' ' && *name <= '~' && *name != '[' && *name != ']') || - *name == '\n' || *name == '\t')) - return FALSE; - -diff --git a/bus/driver.h b/bus/driver.h -index 183c28b..05e9886 100644 ---- a/bus/driver.h -+++ b/bus/driver.h -@@ -66,5 +66,7 @@ dbus_bool_t bus_driver_send_ack_reply (DBusConnection *connection, - BusTransaction *transaction, - DBusMessage *message, - DBusError *error); -+dbus_bool_t bus_driver_check_message_is_for_us (DBusMessage *message, -+ DBusError *error); - - #endif /* BUS_DRIVER_H */ -diff --git a/bus/policy.c b/bus/policy.c -index 27b66d1..c4c3d4b 100644 ---- a/bus/policy.c -+++ b/bus/policy.c -@@ -1098,6 +1098,7 @@ bus_client_policy_check_can_send (DBusConnection *sender, - case BUS_POLICY_RULE_ACCESS_ALLOW: - result = BUS_RESULT_TRUE; - break; -+ default: - case BUS_POLICY_RULE_ACCESS_DENY: - result = BUS_RESULT_FALSE; - break; -@@ -1350,6 +1351,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy, - case BUS_POLICY_RULE_ACCESS_ALLOW: - result = BUS_RESULT_TRUE; - break; -+ default: - case BUS_POLICY_RULE_ACCESS_DENY: - result = BUS_RESULT_FALSE; - break; -@@ -1443,6 +1445,7 @@ bus_rules_check_can_own (DBusList *rules, - case BUS_POLICY_RULE_ACCESS_ALLOW: - result = BUS_RESULT_TRUE; - break; -+ default: - case BUS_POLICY_RULE_ACCESS_DENY: - result = BUS_RESULT_FALSE; - break; -diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c -index 565e089..b96c735 100644 ---- a/dbus/dbus-sysdeps-unix.c -+++ b/dbus/dbus-sysdeps-unix.c -@@ -4364,7 +4364,11 @@ _dbus_daemon_unpublish_session_bus_address (void) - dbus_bool_t - _dbus_get_is_errno_eagain_or_ewouldblock (int e) - { -+#if EAGAIN != EWOULDBLOCK - return e == EAGAIN || e == EWOULDBLOCK; -+#else -+ return e == EAGAIN; -+#endif - } - - /** -diff --git a/tools/dbus-send.c b/tools/dbus-send.c -index 6fb65fe..d853b39 100644 ---- a/tools/dbus-send.c -+++ b/tools/dbus-send.c -@@ -293,10 +293,12 @@ main (int argc, char *argv[]) - { - is_bus = TRUE; - } -+#if 0 - else if (arg[2] == 'p') /* peer */ - { - is_bus = FALSE; - } -+#endif - else /* address; keeping backwards compatibility */ - { - is_bus = FALSE; --- -2.17.2 - diff --git a/meta-security/recipes-core/dbus-cynara/dbus_1.12.16.bbappend b/meta-security/recipes-core/dbus-cynara/dbus_1.12.16.bbappend deleted file mode 100644 index ce2bd0822..000000000 --- a/meta-security/recipes-core/dbus-cynara/dbus_1.12.16.bbappend +++ /dev/null @@ -1,17 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/dbus-cynara:" - -#SRC_URI_append_class-target = "\ -# file://0001-Integration-of-Cynara-asynchronous-security-checks.patch \ -# file://0002-Disable-message-dispatching-when-send-rule-result-is.patch \ -# file://0003-Handle-unavailability-of-policy-results-for-broadcas.patch \ -# file://0004-Add-own-rule-result-unavailability-handling.patch \ -# file://0005-Perform-Cynara-runtime-policy-checks-by-default.patch \ -# file://0006-Fix-gcc-8-warnings.patch \ -# file://0007-Fix-SIGSEGV-on-disconnections.patch \ -#" -SRC_URI_append_class-target = "\ -" - -#DEPENDS_append_class-target = " cynara smack" -#EXTRA_OECONF_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES','smack','--enable-cynara --disable-selinux','',d)}" -