security: integration of security-manager

author José Bollo <jose.bollo@iot.bzh>

Mon, 16 Nov 2015 15:32:14 +0000 (16:32 +0100)

committer Gerrit Code Review <gerrit@172.30.200.200>

Fri, 11 Dec 2015 12:12:44 +0000 (12:12 +0000)
author José Bollo <jose.bollo@iot.bzh>
Mon, 16 Nov 2015 15:32:14 +0000 (16:32 +0100)
committer Gerrit Code Review <gerrit@172.30.200.200>
Fri, 11 Dec 2015 12:12:44 +0000 (12:12 +0000)
diff --git a/meta-agl-security/recipes-security/security-manager/README.md b/meta-agl-security/recipes-security/security-manager/README.md

new file mode 100644 (file)

index 0000000..aeb45d2
--- /dev/null
+++ b/meta-agl-security/recipes-security/security-manager/README.md
@@ -0,0 +1,36 @@
+security-manager adaptation for Automotive Grade Linux Distribution
+===================================================================
+
+This recipe complements the recipes security-manager of the
+meta yocto layers: meta-intel-iot-security (see
+https://github.com/01org/meta-intel-iot-security)
+
+This patches are removing dependencies that are specific to Tizen:
+* tizen-platform-config
+* libslp-db-utils
+
+The advantages is that this modules are not needed for AGL.
+
+The -temporary- drawbacks is that the user "userapp" is
+hard coded for security-manager.
+
+
+Layer Dependencies
+------------------
+URI: git@github.com:01org/meta-intel-iot-security.git
+> branch: master
+> revision: 0ca70e4954aaeb0e3e3ad502b462bb077023f7e5
+
+Enabling
+--------
+
+To enable security manager for AGL, in the local.conf
+
+    IMAGE_INSTALL_append = " security-manager"
+
+To enable smack see https://github.com/01org/meta-intel-iot-security/tree/master/meta-security-smack
+In brief, in the local.conf:
+
+    OVERRIDES .= ":smack"
+    DISTRO_FEATURES_append = " smack"
+
diff --git a/meta-agl-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-agl-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch

new file mode 100644 (file)

index 0000000..4baea65
--- /dev/null
+++ b/meta-agl-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch
@@ -0,0 +1,196 @@
+From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 14:26:25 +0100
+Subject: [PATCH] Removing tizen-platform-config
+
+Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121
+---
+ policy/security-manager-policy-reload |  2 +-
+ src/common/file-lock.cpp              |  4 +---
+ src/common/include/file-lock.h        |  1 -
+ src/common/include/privilege_db.h     |  3 +--
+ src/common/service_impl.cpp           | 39 +++++++++++------------------------
+ src/common/smack-rules.cpp            | 12 ++++-------
+ 6 files changed, 19 insertions(+), 42 deletions(-)
+
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
+index 6f211c6..ed8047a 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload
+@@ -2,7 +2,7 @@
+ 
+ POLICY_PATH=/usr/share/security-manager/policy
+ PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
+-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
++DB_FILE=/usr/dbspace/.security-manager.db
+ 
+ # Create default buckets
+ while read bucket default_policy
+diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp
+index 6f3996c..1dada17 100644
+--- a/src/common/file-lock.cpp
++++ b/src/common/file-lock.cpp
+@@ -30,9 +30,7 @@
+ 
+ namespace SecurityManager {
+ 
+-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN,
+-                                                         "lock",
+-                                                         "security-manager.lock");
++char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock";
+ 
+ FileLocker::FileLocker(const std::string &lockFile, bool blocking)
+ {
+diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h
+index 604b019..21a86a0 100644
+--- a/src/common/include/file-lock.h
++++ b/src/common/include/file-lock.h
+@@ -29,7 +29,6 @@
+ 
+ #include <dpl/exception.h>
+ #include <dpl/noncopyable.h>
+-#include <tzplatform_config.h>
+ 
+ namespace SecurityManager {
+ 
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 4d73d90..03c6680 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -34,14 +34,13 @@
+ #include <string>
+ 
+ #include <dpl/db/sql_connection.h>
+-#include <tzplatform_config.h>
+ 
+ #ifndef PRIVILEGE_DB_H_
+ #define PRIVILEGE_DB_H_
+ 
+ namespace SecurityManager {
+ 
+-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db");
++const char *const PRIVILEGE_DB_PATH = "/usr/dbspace/.security-manager.db";
+ 
+ enum class QueryType {
+     EGetPkgPrivileges,
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index ae305d3..65cc8b5 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -32,7 +32,6 @@
+ #include <algorithm>
+ 
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+ 
+ #include "protocols.h"
+ #include "privilege_db.h"
+@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr,
+ 
+ static uid_t getGlobalUserId(void)
+ {
+-    static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
++    static uid_t globaluid = 0;
++    if (!globaluid) {
++        struct passwd pw, *p;
++        char buf[4096];
++        int rc = getpwnam_r("userapp", &pw, buf, sizeof buf, &p);
++        globaluid = (rc || p == NULL) ? 555 : p->pw_uid;
++    }
+     return globaluid;
+ }
+ 
+@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir)
+ 
+ static bool getUserAppDir(const uid_t &uid, std::string &userAppDir)
+ {
+-    struct tzplatform_context *tz_ctx = nullptr;
+-
+-    if (tzplatform_context_create(&tz_ctx))
+-            return false;
+-
+-    if (tzplatform_context_set_user(tz_ctx, uid)) {
+-        tzplatform_context_destroy(tz_ctx);
+-        tz_ctx = nullptr;
++    struct passwd pw, *p;
++    char buf[4096];
++    int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p);
++    if (rc || p == NULL)
+         return false;
+-    }
+-
+-    enum tzplatform_variable id =
+-            (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP;
+-    const char *appDir = tzplatform_context_getenv(tz_ctx, id);
+-    if (!appDir) {
+-        tzplatform_context_destroy(tz_ctx);
+-        tz_ctx = nullptr;
+-        return false;
+-    }
+-
+-    userAppDir = appDir;
+-
+-    tzplatform_context_destroy(tz_ctx);
+-    tz_ctx = nullptr;
+-
++    userAppDir = p->pw_dir;
+     return true;
+ }
+ 
+ static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath)
+ {
+-    std::string userHome;
+     std::string userAppDir;
+     std::stringstream correctPath;
+ 
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index d834e42..8b5728b 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -34,7 +34,6 @@
+ #include <memory>
+ 
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+ 
+ #include "smack-labels.h"
+ #include "smack-rules.h"
+@@ -43,7 +42,7 @@ namespace SecurityManager {
+ 
+ const char *const SMACK_APP_LABEL_TEMPLATE     = "~APP~";
+ const char *const SMACK_PKG_LABEL_TEMPLATE     = "~PKG~";
+-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack");
++const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack";
+ const char *const SMACK_APP_IN_PACKAGE_PERMS   = "rwxat";
+ 
+ SmackRules::SmackRules()
+@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon
+ 
+ std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId)
+ {
+-    std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str()));
+-    return path;
++    return "/etc/smack/accesses.d/pkg_" + pkgId;
+ }
+ 
+ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ {
+-    std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" +  appId).c_str()));
+-    return path;
++    return "/etc/smack/accesses.d/app_" + appId;
+ }
+ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
+         const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
+@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con
+     for (auto privilege : privileges) {
+         if (privilege.empty())
+             continue;
+-        std::string fprivilege ( privilege + "-template.smack");
+-        std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++        std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack";
+         if( stat(path.c_str(), &buffer) == 0) 
+             smackRules.addFromTemplateFile(appId, pkgId, path);
+     }
+-- 
+2.1.4
+
diff --git a/meta-agl-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch b/meta-agl-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch

new file mode 100644 (file)

index 0000000..f949730
--- /dev/null
+++ b/meta-agl-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch
@@ -0,0 +1,78 @@
+From 1e2f8f58d4320afa1d83a6f94822e53346108ee8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 15:56:27 +0100
+Subject: [PATCH] removes dependency to libslp-db-utils
+
+Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec
+---
+ src/common/CMakeLists.txt         |  1 ++-
+ src/dpl/db/src/sql_connection.cpp | 17 +----------------
+ 2 files changed, 3 additions(+), 17 deletions(-)
+
+diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
+index 968c7c1..d1fe644 100644
+--- a/src/common/CMakeLists.txt
++++ b/src/common/CMakeLists.txt
+@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP
+     REQUIRED
+     libsystemd
+     libsmack
+-    db-util
++    sqlite3 
++    icu-i18n
+     cynara-admin
+     cynara-client
+     )
+diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp
+index fdb4fe4..1fb97be 100644
+--- a/src/dpl/db/src/sql_connection.cpp
++++ b/src/dpl/db/src/sql_connection.cpp
+@@ -26,7 +26,6 @@
+ #include <memory>
+ #include <dpl/noncopyable.h>
+ #include <dpl/assert.h>
+-#include <db-util.h>
+ #include <unistd.h>
+ #include <cstdio>
+ #include <cstdarg>
+@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address,
+ 
+     // Connect to database
+     int result;
+-    if (type & Flag::UseLucene) {
+-        result = db_util_open_with_options(
+-                address.c_str(),
+-                &m_connection,
+-                flag,
+-                NULL);
+-
+-        m_usingLucene = true;
+-        LogPedantic("Lucene index enabled");
+-    } else {
++    (void)type;
+         result = sqlite3_open_v2(
+                 address.c_str(),
+                 &m_connection,
+@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address,
+ 
+         m_usingLucene = false;
+         LogPedantic("Lucene index disabled");
+-    }
+ 
+     if (result == SQLITE_OK) {
+         LogPedantic("Connected to DB");
+@@ -653,11 +642,7 @@ void SqlConnection::Disconnect()
+ 
+     int result;
+ 
+-    if (m_usingLucene) {
+-        result = db_util_close(m_connection);
+-    } else {
+         result = sqlite3_close(m_connection);
+-    }
+ 
+     if (result != SQLITE_OK) {
+         const char *error = sqlite3_errmsg(m_connection);
+-- 
+2.1.4
+
diff --git a/meta-agl-security/recipes-security/security-manager/security-manager_git.bbappend b/meta-agl-security/recipes-security/security-manager/security-manager_git.bbappend

new file mode 100644 (file)

index 0000000..28050e8
--- /dev/null
+++ b/meta-agl-security/recipes-security/security-manager/security-manager_git.bbappend
@@ -0,0 +1,20 @@
+
+FILESEXTRAPATHS_append := ":${THISDIR}/security-manager"
+
+SRC_URI += " \
+   file://Removing-tizen-platform-config.patch \
+   file://removes-dependency-to-libslp-db-utils.patch \
+"
+
+DEPENDS = " \
+attr \
+boost \
+cynara \
+icu \
+libcap \
+smack \
+sqlite3 \
+sqlite3-native \
+systemd \
+"
+
author	José Bollo <jose.bollo@iot.bzh>
	Mon, 16 Nov 2015 15:32:14 +0000 (16:32 +0100)
committer	Gerrit Code Review <gerrit@172.30.200.200>
	Fri, 11 Dec 2015 12:12:44 +0000 (12:12 +0000)
meta-agl-security/recipes-security/security-manager/README.md	[new file with mode: 0644]	patch \| blob
meta-agl-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch	[new file with mode: 0644]	patch \| blob
meta-agl-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch	[new file with mode: 0644]	patch \| blob
meta-agl-security/recipes-security/security-manager/security-manager_git.bbappend	[new file with mode: 0644]	patch \| blob