Initial commit

Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
@@ -0,0 +1,174 @@
SUMMARY = "AppArmor another MAC control system"
DESCRIPTION = "user-space parser utility for AppArmor \
This provides the system initialization scripts needed to use the \
AppArmor Mandatory Access Control system, including the AppArmor Parser \
which is required to convert AppArmor text profiles into machine-readable \
policies that are loaded into the kernel for use with the AppArmor Linux \
Security Module."
HOMEPAGE = "http://apparmor.net/"
SECTION = "admin"
LICENSE = "GPL-2.0-only & GPL-2.0-or-later & BSD-3-Clause & LGPL-2.1-or-later"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
DEPENDS = "bison-native apr gettext-native coreutils-native swig-native"
SRC_URI = " \
git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.1 \
file://run-ptest \
file://crosscompile_perl_bindings.patch \
file://0001-Makefile.am-suppress-perllocal.pod.patch \
file://0001-Makefile-fix-hardcoded-installation-directories.patch \
"
SRCREV = "e69cb5047946818e6a9df326851483bb075a5cfe"
S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*"
inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative cpan systemd features_check bash-completion setuptools3
REQUIRED_DISTRO_FEATURES = "apparmor"
PACKAGECONFIG ?= "python perl aa-decode"
PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
PACKAGECONFIG[python] = "--with-python, --without-python, python3 , python3-core python3-modules"
PACKAGECONFIG[perl] = "--with-perl, --without-perl, "
PACKAGECONFIG[apache2] = ",,apache2,"
PACKAGECONFIG[aa-decode] = ",,,bash"
python() {
if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
}
DISABLE_STATIC = ""
do_configure() {
cd ${S}/libraries/libapparmor
aclocal
autoconf --force
libtoolize --automake -c --force
automake -ac
./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
}
do_compile () {
sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
oe_runmake -C ${B}/libraries/libapparmor
oe_runmake -C ${B}/binutils
oe_runmake -C ${B}/utils
oe_runmake -C ${B}/parser
oe_runmake -C ${B}/profiles
if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then
oe_runmake -C ${B}/changehat/mod_apparmor
fi
if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
oe_runmake -C ${B}/changehat/pam_apparmor
fi
}
do_install () {
oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
oe_runmake -C ${B}/binutils DESTDIR="${D}" install
oe_runmake -C ${B}/utils DESTDIR="${D}" install
oe_runmake -C ${B}/parser DESTDIR="${D}" install
oe_runmake -C ${B}/profiles DESTDIR="${D}" install
if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
rm -f ${D}${sbindir}/aa-decode
fi
if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then
oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
fi
if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
fi
if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
install -d ${D}${sysconfdir}/init.d
install -m 755 ${B}/parser/rc.apparmor.functions ${D}${sysconfdir}/init.d/apparmor
fi
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd
fi
chown root:root -R ${D}/${sysconfdir}/apparmor.d
chown root:root -R ${D}/${datadir}/apparmor
}
#Building ptest on arm fails.
do_compile_ptest:aarch64 () {
:
}
do_compile_ptest:arm () {
:
}
do_compile_ptest () {
sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile
oe_runmake -C ${B}/tests/regression/apparmor USE_SYSTEM=0
oe_runmake -C ${B}/libraries/libapparmor
}
do_install_ptest () {
t=${D}/${PTEST_PATH}/testsuite
install -d ${t}
install -d ${t}/tests/regression/apparmor
cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
cp ${B}/parser/apparmor_parser ${t}/parser
cp ${B}/parser/frob_slack_rc ${t}/parser
install -d ${t}/libraries/libapparmor
cp -rf ${B}/libraries/libapparmor ${t}/libraries
install -d ${t}/common
cp -rf ${B}/common ${t}
install -d ${t}/binutils
cp -rf ${B}/binutils ${t}
}
#Building ptest on arm fails.
do_install_ptest:aarch64 () {
:
}
do_install_ptest:arm() {
:
}
INITSCRIPT_PACKAGES = "${PN}"
INITSCRIPT_NAME = "apparmor"
INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
SYSTEMD_PACKAGES = "${PN}"
SYSTEMD_SERVICE:${PN} = "apparmor.service"
SYSTEMD_AUTO_ENABLE ?= "enable"
PACKAGES += "mod-${PN}"
FILES:${PN} += "${nonarch_base_libdir}/apparmor/ ${base_libdir}/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages"
FILES:mod-${PN} = "${libdir}/apache2/modules/*"
FILES:${PN}-dbg += "${base_libdir}/security/.debug"
DEPENDS:append:libc-musl = " fts "
RDEPENDS:${PN}:libc-musl += "musl-utils"
RDEPENDS:${PN}:libc-glibc += "glibc-utils"
# Add coreutils and findutils only if sysvinit scripts are in use
RDEPENDS:${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
RDEPENDS:${PN}:remove = "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
RDEPENDS:${PN}-ptest += "perl coreutils dbus-lib bash"
INSANE_SKIP:${PN} = "ldflags"
PRIVATE_LIBS:${PN}-ptest = "libapparmor.so*"
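Review bot: The two `chown root:root -R` lines at the end of do_install spell their paths as `${D}/${sysconfdir}/apparmor.d` and `${D}/${datadir}/apparmor`, giving a doubled separator, while the rest of the task writes `${D}${sysconfdir}`; `chown root:root -R ${D}${sysconfdir}/apparmor.d` and `chown root:root -R ${D}${datadir}/apparmor` keep the style uniform. The four empty `:` overrides of do_compile_ptest/do_install_ptest for arm and aarch64 are explained only by the duplicated comment "Building ptest on arm fails."; since they silently drop the whole test suite on those machines, the comment should say what fails and when the override can go, e.g. `# ptest build fails on arm/aarch64 (<describe failure or link tracking issue>); skip it there until fixed.`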
@@ -0,0 +1,51 @@
From 363114dcd72abf1c0dcd637c66037227b8be229b Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Mon, 21 Jun 2021 14:18:30 +0800
Subject: [PATCH 1/2] Makefile: fix hardcoded installation directories
Update the installation directories to fix the do_install error for
multilib and usrmerge.
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
changehat/pam_apparmor/Makefile | 2 +-
parser/Makefile | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/changehat/pam_apparmor/Makefile b/changehat/pam_apparmor/Makefile
index f6ece2d1..0143ae9f 100644
--- a/changehat/pam_apparmor/Makefile
+++ b/changehat/pam_apparmor/Makefile
@@ -77,7 +77,7 @@ $(NAME).so: ${OBJECTS}
# need some better way of determining this
DESTDIR=/
-SECDIR ?= ${DESTDIR}/lib/security
+SECDIR ?= ${DESTDIR}/${base_libdir}/security
.PHONY: install
install: $(NAME).so
diff --git a/parser/Makefile b/parser/Makefile
index 8250ac45..cf18bc11 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -23,10 +23,10 @@ COMMONDIR=../common/
include $(COMMONDIR)/Make.rules
DESTDIR=/
-APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor
-SBINDIR=${DESTDIR}/sbin
-USR_SBINDIR=${DESTDIR}/usr/sbin
-SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system
+APPARMOR_BIN_PREFIX=${DESTDIR}/${nonarch_base_libdir}/apparmor
+SBINDIR=${DESTDIR}/${base_sbindir}
+USR_SBINDIR=${DESTDIR}/${sbindir}
+SYSTEMD_UNIT_DIR=${DESTDIR}/${systemd_system_unitdir}
CONFDIR=/etc/apparmor
INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
LOCALEDIR=/usr/share/locale
--
2.17.1
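Review bot: The new defaults `${DESTDIR}/${base_libdir}/security`, `${DESTDIR}/${nonarch_base_libdir}/apparmor`, `${DESTDIR}/${base_sbindir}`, `${DESTDIR}/${sbindir}` and `${DESTDIR}/${systemd_system_unitdir}` take their values from make's environment, and the recipe's `oe_runmake -C ${B}/parser DESTDIR="${D}" install` passes only DESTDIR, so this works only while the build system exports those variables; if one is absent the install location silently collapses to `${DESTDIR}//security` or `${DESTDIR}/`. Defaulting each one in the Makefile, e.g. `base_libdir ?= /lib`, keeps the pre-patch behaviour when nothing is exported, or `$(if $(base_libdir),,$(error base_libdir must be set))` turns the omission into a build error. `CONFDIR=/etc/apparmor` and `LOCALEDIR=/usr/share/locale` in the same hunk remain hardcoded, which may or may not be intended given the patch subject.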
@@ -0,0 +1,28 @@
From 9f9cfbf07214ac68a55372a3c2777192765cbeb9 Mon Sep 17 00:00:00 2001
From: Naveen Saini <naveen.kumar.saini@intel.com>
Date: Fri, 20 Sep 2019 18:53:53 +0800
Subject: [PATCH] Makefile.am: suppress perllocal.pod
Upstream-Status: Inappropriate [OE-Specific]
Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
---
libraries/libapparmor/swig/perl/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/libapparmor/swig/perl/Makefile.am b/libraries/libapparmor/swig/perl/Makefile.am
index 6ae4e30c..be00dc7f 100644
--- a/libraries/libapparmor/swig/perl/Makefile.am
+++ b/libraries/libapparmor/swig/perl/Makefile.am
@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.pm
LibAppArmor.pm: libapparmor_wrap.c
Makefile.perl: Makefile.PL LibAppArmor.pm
- $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
+ $(PERL) $< PREFIX=$(prefix) MAKEFILE=$@ NO_PERLLOCAL=1
sed -ie 's/LD_RUN_PATH="\x24(LD_RUN_PATH)"//g' Makefile.perl
sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
--
2.17.1
@@ -0,0 +1,25 @@
Upstream-Status: Inappropriate [configuration]
As we're cross-compiling here we need to override CC/LD that MakeMaker has
stuck in the generated Makefile with our cross tools. In this case, linking is
done via the compiler rather than the linker directly so pass in CC not LD
here.
Signed-off-by: Tom Rini <trini@konsulko.com>
--- a/libraries/libapparmor/swig/perl/Makefile.am.orig 2017-06-13 19:04:43.296676212 -0400
+++ b/libraries/libapparmor/swig/perl/Makefile.am 2017-06-13 19:05:03.488676693 -0400
@@ -16,11 +16,11 @@
LibAppArmor.so: libapparmor_wrap.c Makefile.perl
if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
- $(MAKE) -fMakefile.perl
+ $(MAKE) -fMakefile.perl CC='$(CC)' LD='$(CC)'
if test $(top_srcdir) != $(top_builddir) ; then rm -f libapparmor_wrap.c ; fi
install-exec-local: Makefile.perl
- $(MAKE) -fMakefile.perl install_vendor
+ $(MAKE) -fMakefile.perl install_vendor CC='$(CC)' LD='$(CC)'
# sadly there is no make uninstall for perl
#uninstall-local: Makefile.perl
@@ -0,0 +1,4 @@
#! /bin/sh
cd testsuite
make -C tests/regression/apparmor tests
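Review bot: `cd testsuite` is unchecked, so if the directory is missing the following `make -C tests/regression/apparmor tests` runs relative to whatever the current directory happens to be; `cd testsuite || exit 1` stops the run instead. The script also surfaces results only through make's own output; if the usual ptest tooling consumes this, a final `PASS:`/`FAIL:` line keyed on make's exit status would make the outcome machine-readable.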
@@ -0,0 +1,12 @@
Documentation:
http://tomoyo.sourceforge.jp/1.8/index.html.en
To start via command line add:
" security=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd"
To initialize:
/usr/lib/ccs/init_policy
DISTRO_FEATURES:append = " tomoyo"
@@ -0,0 +1,49 @@
SUMMARY = "Tomoyo"
DESCRIPTION = "TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. \nTo start via command line add: \nsecurity=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd \nTo initialize: \n/usr/lib/ccs/init_policy"
SECTION = "security"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING.ccs;md5=751419260aa954499f7abaabaa882bbe"
DEPENDS = "ncurses"
DS = "20210910"
SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz"
SRC_URI[sha256sum] = "7900126cf2dd8706c42c2c1ef7a37fd8b50f1505abd7d9c3d653dc390fb4d620"
S = "${WORKDIR}/${BPN}"
inherit features_check
do_make(){
oe_runmake USRLIBDIR=${libdir} all
cd ${S}/kernel_test
oe_runmake all
}
do_install(){
oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} install
}
PACKAGE="${PN} ${PN}-dbg ${PN}-doc"
FILES:${PN} = "\
${sbindir}/* \
${base_sbindir}/* \
${libdir}/* \
"
FILES:${PN}-doc = "\
${mandir}/man8/* \
"
FILES:${PN}-dbg = "\
${base_sbindir}/.debug/* \
${sbindir}/.debug/* \
${libdir}/.debug/* \
${libdir}/ccs/.debug/* \
/usr/src/debug/* \
"
REQUIRED_DISTRO_FEATURES ?=" tomoyo"
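Review bot: `do_make()` is not a task BitBake runs, and nothing in this recipe registers it with `addtask`, so unless that happens elsewhere the build falls through to the default do_compile, which runs plain `oe_runmake` without `USRLIBDIR=${libdir}` and never builds `kernel_test`; renaming the function to `do_compile()` makes the intent executable. `PACKAGE="${PN} ${PN}-dbg ${PN}-doc"` looks like a typo for `PACKAGES`; as written it sets an unused variable and the default package list applies. The tarball is fetched over plain `http://`; the pinned `SRC_URI[sha256sum]` detects tampering, but an `https://` URL, if the host offers one, avoids the fetch failing outright under interference.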
@@ -0,0 +1,7 @@
#include <stdio.h>
int main(int argc, char **argv)
{
printf("Original test program removed while investigating its license.\n");
return 1;
}
@@ -0,0 +1,16 @@
SUMMARY = "Mmap binary used to test smack mmap attribute"
DESCRIPTION = "Mmap binary used to test smack mmap attribute"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
SRC_URI = "file://mmap.c"
S = "${WORKDIR}"
do_compile() {
${CC} mmap.c ${LDFLAGS} -o mmap_test
}
do_install() {
install -d ${D}${bindir}
install -m 0755 mmap_test ${D}${bindir}
}
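Review bot: `${CC} mmap.c ${LDFLAGS} -o mmap_test` omits `${CFLAGS}`, so whatever hardening and optimisation flags the distro configures (stack protector, FORTIFY, PIE and the like) are not applied to this binary; the line should read `${CC} ${CFLAGS} ${LDFLAGS} mmap.c -o mmap_test`. The same omission appears in the do_compile of the tcp-smack-test and udp-smack-test recipes in this commit and in the `${CC} ${LDFLAGS} generator.c -o ./generator` line of smack_generator_make_fixup.patch.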
@@ -0,0 +1,33 @@
#!/usr/bin/env python3
#
# Script used for running executables with custom labels, as well as custom uid/gid
# Process label is changed by writing to /proc/self/attr/curent
#
# Script expects user id and group id to exist, and be the same.
#
# From adduser manual:
# """By default, each user in Debian GNU/Linux is given a corresponding group
# with the same name. """
#
# Usage: root@desk:~# python3 notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
# eg: python3 notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
#
# Author: Alexandru Cornea <alexandru.cornea@intel.com>
import os
import sys
try:
uid = int(sys.argv[1])
sys.argv.pop(1)
label = sys.argv[1]
sys.argv.pop(1)
open("/proc/self/attr/current", "w").write(label)
path=sys.argv[1]
sys.argv.pop(0)
os.setgid(uid)
os.setuid(uid)
os.execv(path,sys.argv)
except Exception as e:
print(e.strerror)
sys.exit(-1)
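Review bot: The privilege drop at `os.setgid(uid)` / `os.setuid(uid)` never clears the supplementary groups, so the executed program keeps the invoking root process's group list alongside the requested uid/gid; `os.setgroups([])` before `setgid` is needed for the change to be a complete drop. The `except Exception as e: print(e.strerror)` handler only works for OSError — an IndexError from too few arguments or a ValueError from a non-numeric uid has no `strerror` and turns into a secondary AttributeError inside the handler. The label write goes through an unclosed temporary file object; a `with` block makes the flush before `execv` explicit rather than relying on refcount finalisation. Rewritten lines below; the `try:` and uid parsing are unchanged.
```python
# … unchanged: uid parsing …
    label = sys.argv[1]
    sys.argv.pop(1)
    with open("/proc/self/attr/current", "w") as attr:
        attr.write(label)
    path = sys.argv[1]
    sys.argv.pop(0)
    os.setgroups([])  # drop root's supplementary groups before giving up root
    os.setgid(uid)
    os.setuid(uid)
    os.execv(path, sys.argv)
except Exception as e:
    print(getattr(e, "strerror", None) or e)
    sys.exit(-1)
```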
@@ -0,0 +1,54 @@
#!/bin/sh
SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
RC=0
TMP="/tmp"
test_file=$TMP/smack_test_access_file
CAT=`which cat`
ECHO=`which echo`
uid=1000
initial_label=`cat /proc/self/attr/current`
python3 $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
chsmack -a "TheOther" $test_file
# 12345678901234567890123456789012345678901234567890123456
delrule="TheOne TheOther -----"
rule_ro="TheOne TheOther r----"
# Remove pre-existent rules for "TheOne TheOther <access>"
echo -n "$delrule" > $SMACK_PATH/load
python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
if [ $RC -ne 0 ]; then
echo "Process with different label than the test file and no read access on it can read it"
exit $RC
fi
# adding read access
echo -n "$rule_ro" > $SMACK_PATH/load
python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
if [ $RC -ne 0 ]; then
echo "Process with different label than the test file but with read access on it cannot read it"
exit $RC
fi
# Remove pre-existent rules for "TheOne TheOther <access>"
echo -n "$delrule" > $SMACK_PATH/load
# changing label of test file to *
# according to SMACK documentation, read access on a * object is always permitted
chsmack -a '*' $test_file
python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
if [ $RC -ne 0 ]; then
echo "Process cannot read file with * label"
exit $RC
fi
# changing subject label to *
# according to SMACK documentation, every access requested by a star labeled subject is rejected
TOUCH=`which touch`
python3 $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
if [ $RC -ne 0 ];then
echo "Process with label '*' should not have any access"
exit $RC
fi
exit 0
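Review bot: Every call to the helper is `python3 $TMP/notroot.py`, i.e. `/tmp/notroot.py`, but the smack-test recipe in this commit installs notroot.py into `${sbindir}` and nothing copies it to /tmp, so as packaged the test fails at its first invocation; resolving it once with `notroot=$(command -v notroot.py || echo "$TMP/notroot.py")` and calling `python3 "$notroot" …` covers both layouts. The script runs as root and writes fixed, predictable names in the world-writable `/tmp` (`$test_file`, `$TMP/test_file_2`), the classic symlink-following hazard; `test_file=$(mktemp "$TMP/smack_test_access.XXXXXX")` and a `trap 'rm -f "$test_file" "$TMP/test_file_2"' EXIT` would fix that and also provide the cleanup that is currently missing. `initial_label` is read at the top but never used.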
@@ -0,0 +1,18 @@
#!/bin/sh
initial_label=`cat /proc/self/attr/current 2>/dev/null`
modified_label="test_label"
echo "$modified_label" >/proc/self/attr/current 2>/dev/null
new_label=`cat /proc/self/attr/current 2>/dev/null`
if [ "$new_label" != "$modified_label" ]; then
# restore proper label
echo $initial_label >/proc/self/attr/current
echo "Privileged process could not change its label"
exit 1
fi
echo "$initial_label" >/proc/self/attr/current 2>/dev/null
exit 0
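Review bot: The failure branch restores the label with `echo $initial_label >/proc/self/attr/current` (unquoted, no stderr redirect) while the success path uses `echo "$initial_label" >/proc/self/attr/current 2>/dev/null`; make the two lines identical so an empty or whitespace-bearing label is handled the same way on both paths. Neither restore is checked, so a failed write back is silent; `|| echo "Could not restore label"` on the restore line would surface it.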
@@ -0,0 +1,27 @@
#!/bin/sh
RC=0
SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
test_label="test_label"
onlycap_initial=`cat $SMACK_PATH/onlycap`
smack_initial=`cat /proc/self/attr/current`
# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
# even if we are root
echo "$test_label" > /proc/self/attr/current
echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
if [ $RC -ne 0 ]; then
echo "Onlycap label could not be set"
return $RC
fi
if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
echo "Onlycap label was not set correctly."
return 1
fi
# resetting original onlycap label
echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
# resetting our initial's process label
echo "$smack_initial" > /proc/self/attr/current
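Review bot: `return $RC` and `return 1` at the two failure checks are used outside any function; POSIX leaves that unspecified, bash prints an error and continues, and other shells may behave differently, so both should be `exit`. On those paths the script has already switched its own label to `$test_label` and does not switch back, so a failed run leaves the process label modified — write `$smack_initial` back before exiting. The unquoted `cat $SMACK_PATH/onlycap` substitution in the second `if` should be quoted, `[ "$(cat "$SMACK_PATH/onlycap")" != "$test_label" ]`, because an empty read otherwise becomes a `[` syntax error rather than a detected mismatch.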
@@ -0,0 +1,25 @@
SUMMARY = "Smack test scripts"
DESCRIPTION = "Smack scripts"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
SRC_URI = " \
file://notroot.py \
file://smack_test_file_access.sh \
file://test_privileged_change_self_label.sh \
file://test_smack_onlycap.sh \
"
S = "${WORKDIR}"
inherit features_check
REQUIRED_DISTRO_FEATURES = "smack"
do_install() {
install -d ${D}${sbindir}
install -m 0755 notroot.py ${D}${sbindir}
install -m 0755 *.sh ${D}${sbindir}
}
RDEPENDS:${PN} = "smack python3-core mmap-smack-test tcp-smack-test udp-smack-test"
@@ -0,0 +1,3 @@
#!/bin/sh
./tests/make_policies.bash ./tests/generator
./tests/make_policies.bash ./tests/generator labels
@@ -0,0 +1,18 @@
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/tests/Makefile
===================================================================
--- git.orig/tests/Makefile
+++ git/tests/Makefile
@@ -4,7 +4,7 @@ clean:
rm -rf ./out ./generator
generator: generator.c
- gcc -Wall -O3 generator.c -o ./generator
+ ${CC} ${LDFLAGS} generator.c -o ./generator
policies: ./generator ./make_policies.bash
./make_policies.bash ./generator
@@ -0,0 +1,64 @@
DESCRIPTION = "Selection of tools for developers working with Smack"
HOMEPAGE = "https://github.com/smack-team/smack"
SECTION = "Security/Access Control"
LICENSE = "LGPL-2.1-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
SRCREV = "4a102c7584b39ce693995ffb65e0918a9df98dd8"
SRC_URI = " \
git://github.com/smack-team/smack.git;branch=master;protocol=https \
file://smack_generator_make_fixup.patch \
file://run-ptest"
PV = "1.3.1"
# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 is valnerble for other product.
CVE_CHECK_IGNORE += "CVE-2014-0363"
CVE_CHECK_IGNORE += "CVE-2014-0364"
CVE_CHECK_IGNORE += "CVE-2016-10027"
inherit autotools update-rc.d pkgconfig ptest
inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
inherit features_check
REQUIRED_DISTRO_FEATURES = "smack"
S = "${WORKDIR}/git"
PACKAGECONFIG ??= ""
PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --without-systemdsystemunitdir, systemd"
do_compile:append () {
oe_runmake -C ${S}/tests generator
}
do_install:append () {
install -d ${D}${sysconfdir}/init.d
install -d ${D}${sysconfdir}/smack
install -d ${D}${sysconfdir}/smack/accesses.d
install -d ${D}${sysconfdir}/smack/cipso.d
install ${S}/init/smack.rc ${D}/${sysconfdir}/init.d/smack
}
do_install_ptest () {
install -d ${D}${PTEST_PATH}/tests
install ${S}/tests/generator ${D}/${PTEST_PATH}/tests
install ${S}/tests/generate-rules.sh ${D}${PTEST_PATH}/tests
install ${S}/tests/make_policies.bash ${D}${PTEST_PATH}/tests
}
INITSCRIPT_PACKAGES = "${PN}"
INITSCRIPT_NAME = "smack"
INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
FILES:${PN} += "${sysconfdir}/init.d/smack"
FILES:${PN}-ptest += "generator"
RDEPENDS:${PN} += "coreutils python3-core"
RDEPENDS:${PN}-ptest += "make bash bc"
BBCLASSEXTEND = "native"
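Review bot: The CVE_CHECK_IGNORE block is justified only by `# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 is valnerble for other product.`; since the ignore permanently silences the scanner for this recipe, the comment should name the product those CVEs actually apply to and why this package is unaffected, e.g. `# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 are filed against <other product sharing the "smack" name>, not this codebase`. Init-manager handling is inconsistent: the `systemd` class is inherited based on `VIRTUAL-RUNTIME_init_manager` while the PACKAGECONFIG is keyed off `DISTRO_FEATURES`, so a distro with systemd in DISTRO_FEATURES but another runtime init manager configures the unit dir yet never inherits the class; use one condition for both. `install ${S}/init/smack.rc ${D}/${sysconfdir}/init.d/smack` relies on install's default mode where the other recipes in this commit pass `-m 0755` explicitly.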
@@ -0,0 +1,111 @@
// (C) Copyright 2015 Intel Corporation
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <errno.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <string.h>
#include <sys/xattr.h>
int main(int argc, char* argv[])
{
int sock;
char message[255] = "hello";
struct sockaddr_in server_addr;
char* label_in;
char* label_out;
char* attr_out = "security.SMACK64IPOUT";
char* attr_in = "security.SMACK64IPIN";
char out[256];
int port;
struct timeval timeout;
timeout.tv_sec = 15;
timeout.tv_usec = 0;
struct hostent* host = gethostbyname("localhost");
if (argc != 4)
{
perror("Client: Arguments missing, please provide socket labels");
return 2;
}
port = atoi(argv[1]);
label_in = argv[2];
label_out = argv[3];
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("Client: Socket failure");
return 2;
}
if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
{
perror("Client: Unable to set attribute SMACK64IPOUT");
return 2;
}
if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
{
perror("Client: Unable to set attribute SMACK64IPIN");
return 2;
}
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(port);
bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
bzero(&(server_addr.sin_zero),8);
if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
{
perror("Client: Set timeout failed\n");
return 2;
}
if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
{
perror("Client: Connection failure");
close(sock);
return 1;
}
if(write(sock, message, strlen(message)) < 0)
{
perror("Client: Error sending data\n");
close(sock);
return 1;
}
close(sock);
return 0;
}
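Review bot: `gethostbyname("localhost")` runs before the argument check and its result is dereferenced at the `bcopy(... host->h_addr ...)` line with no NULL test, so a resolver failure (no hosts entry, broken resolver) crashes the client instead of reporting it; move the call after the argc check and add `if (host == NULL) { herror("Client: gethostbyname"); return 2; }`. `atoi` is used without `#include <stdlib.h>`, an implicit declaration that recent compilers reject, and `bcopy`/`bzero` are obsolete in favour of `memcpy`/`memset`. `out[256]` is never used, and the `perror` messages ending in `\n` print a blank line after the errno text. udp_client.c in this commit has the same ordering/NULL-check issue.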
@@ -0,0 +1,118 @@
// (C) Copyright 2015 Intel Corporation
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <errno.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>
int main(int argc, char* argv[])
{
int sock;
int clientsock;
char message[255];
socklen_t client_length;
struct sockaddr_in server_addr, client_addr;
char* label_in;
char* attr_in = "security.SMACK64IPIN";
int port;
struct timeval timeout;
timeout.tv_sec = 15;
timeout.tv_usec = 0;
if (argc != 3)
{
perror("Server: Argument missing please provide port and label for SMACK64IPIN");
return 2;
}
port = atoi(argv[1]);
label_in = argv[2];
bzero(message,255);
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("Server: Socket failure");
return 2;
}
if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
{
perror("Server: Unable to set attribute ipin 2");
return 2;
}
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(port);
server_addr.sin_addr.s_addr = INADDR_ANY;
bzero(&(server_addr.sin_zero),8);
if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
{
perror("Server: Set timeout failed\n");
return 2;
}
if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
{
perror("Server: Bind failure ");
return 2;
}
listen(sock, 1);
client_length = sizeof(client_addr);
clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
if (clientsock < 0)
{
perror("Server: Connection failed");
close(sock);
return 1;
}
if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
{
perror(" Server: Unable to set attribute ipin 2");
close(sock);
return 2;
}
if(read(clientsock, message, 254) < 0)
{
perror("Server: Error when reading from socket");
close(clientsock);
close(sock);
return 1;
}
close(clientsock);
close(sock);
return 0;
}
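Review bot: `fsetxattr` is called twice but `<sys/xattr.h>` is not included (tcp_client.c does include it), and `atoi` lacks `<stdlib.h>`; both are implicit declarations that current GCC/Clang treat as errors, so add `#include <sys/xattr.h>` and `#include <stdlib.h>`. `listen(sock, 1)` is the only socket call whose return value is ignored; `if (listen(sock, 1) < 0) { perror("Server: Listen failure"); return 2; }` keeps the error handling consistent. The second `fsetxattr(clientsock, "security.SMACK64IPIN", …)` repeats the literal instead of using `attr_in`, and its message duplicates the earlier "Unable to set attribute ipin 2", so the two failures are indistinguishable in logs.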
@@ -0,0 +1,108 @@
#!/bin/sh
RC=0
test_file=/tmp/smack_socket_tcp
SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
# make sure no access is granted
# 12345678901234567890123456789012345678901234567890123456
echo -n "label1 label2 -----" > $SMACK_PATH/load
tcp_server=`which tcp_server`
if [ -z $tcp_server ]; then
if [ -f "/tmp/tcp_server" ]; then
tcp_server="/tmp/tcp_server"
else
echo "tcp_server binary not found"
exit 1
fi
fi
tcp_client=`which tcp_client`
if [ -z $tcp_client ]; then
if [ -f "/tmp/tcp_client" ]; then
tcp_client="/tmp/tcp_client"
else
echo "tcp_client binary not found"
exit 1
fi
fi
# checking access for sockets with different labels
$tcp_server 50016 label1 &>/dev/null &
server_pid=$!
sleep 2
$tcp_client 50016 label2 label1 &>/dev/null &
client_pid=$!
wait $server_pid
server_rv=$?
wait $client_pid
client_rv=$?
if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
echo "Sockets with different labels should not communicate on tcp"
exit 1
fi
# granting access between different labels
# 12345678901234567890123456789012345678901234567890123456
echo -n "label1 label2 rw---" > $SMACK_PATH/load
# checking access for sockets with different labels, but having a rule granting rw
$tcp_server 50017 label1 2>$test_file &
server_pid=$!
sleep 1
$tcp_client 50017 label2 label1 2>$test_file &
client_pid=$!
wait $server_pid
server_rv=$?
wait $client_pid
client_rv=$?
if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
echo "Sockets with different labels, but having rw access, should communicate on tcp"
exit 1
fi
# checking access for sockets with the same label
$tcp_server 50018 label1 2>$test_file &
server_pid=$!
sleep 1
$tcp_client 50018 label1 label1 2>$test_file &
client_pid=$!
wait $server_pid
server_rv=$?
wait $client_pid
client_rv=$?
if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
echo "Sockets with same labels should communicate on tcp"
exit 1
fi
# checking access on socket labeled star (*)
# should always be permitted
$tcp_server 50019 \* 2>$test_file &
server_pid=$!
sleep 1
$tcp_client 50019 label1 label1 2>$test_file &
client_pid=$!
wait $server_pid
server_rv=$?
wait $client_pid
client_rv=$?
if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
echo "Should have access on tcp socket labeled star (*)"
exit 1
fi
# checking access from socket labeled star (*)
# all access from subject star should be denied
$tcp_server 50020 label1 2>$test_file &
server_pid=$!
sleep 1
$tcp_client 50020 label1 \* 2>$test_file &
client_pid=$!
wait $server_pid
server_rv=$?
wait $client_pid
client_rv=$?
if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
echo "Socket labeled star should not have access to any tcp socket"
exit 1
fi
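Review bot: `$tcp_server 50016 label1 &>/dev/null &` and the matching client line use the bash-only `&>` redirection under a `#!/bin/sh` shebang; where /bin/sh is dash or busybox the line parses as `$tcp_server 50016 label1 &` followed by a second background command `>/dev/null &`, so `$!` names that empty job, `wait` returns 0 immediately, and the first case reports a false failure. Use `>/dev/null 2>&1` there, as the later cases already do with `2>$test_file`. `[ -z $tcp_server ]` and `[ -z $tcp_client ]` should quote the variable, `RC=0` is never used, and `$test_file` is a fixed name under /tmp written by a root-run test, where `mktemp` would be safer.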
@@ -0,0 +1,24 @@
SUMMARY = "Binary used to test smack tcp sockets"
DESCRIPTION = "Server and client binaries used to test smack attributes on TCP sockets"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
SRC_URI = "file://tcp_server.c \
file://tcp_client.c \
file://test_smack_tcp_sockets.sh \
"
S = "${WORKDIR}"
do_compile() {
${CC} tcp_client.c ${LDFLAGS} -o tcp_client
${CC} tcp_server.c ${LDFLAGS} -o tcp_server
}
do_install() {
install -d ${D}${bindir}
install -d ${D}${sbindir}
install -m 0755 tcp_server ${D}${bindir}
install -m 0755 tcp_client ${D}${bindir}
install -m 0755 test_smack_tcp_sockets.sh ${D}${sbindir}
}
@@ -0,0 +1,107 @@
#!/bin/sh
RC=0
test_file="/tmp/smack_socket_udp"
SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
udp_server=`which udp_server`
if [ -z $udp_server ]; then
if [ -f "/tmp/udp_server" ]; then
udp_server="/tmp/udp_server"
else
echo "udp_server binary not found"
exit 1
fi
fi
udp_client=`which udp_client`
if [ -z $udp_client ]; then
if [ -f "/tmp/udp_client" ]; then
udp_client="/tmp/udp_client"
else
echo "udp_client binary not found"
exit 1
fi
fi
# make sure no access is granted
# 12345678901234567890123456789012345678901234567890123456
echo -n "label1 label2 -----" > $SMACK_PATH/load
# checking access for sockets with different labels
$udp_server 50021 label2 2>$test_file &
server_pid=$!
sleep 1
$udp_client 50021 label1 2>$test_file &
client_pid=$!
wait $server_pid
server_rv=$?
wait $client_pid
client_rv=$?
if [ $server_rv -eq 0 ]; then
echo "Sockets with different labels should not communicate on udp"
exit 1
fi
# granting access between different labels
# 12345678901234567890123456789012345678901234567890123456
echo -n "label1 label2 rw---" > $SMACK_PATH/load
# checking access for sockets with different labels, but having a rule granting rw
$udp_server 50022 label2 2>$test_file &
server_pid=$!
sleep 1
$udp_client 50022 label1 2>$test_file &
client_pid=$!
wait $server_pid
server_rv=$?
wait $client_pid
client_rv=$?
if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
echo "Sockets with different labels, but having rw access, should communicate on udp"
exit 1
fi
# checking access for sockets with the same label
$udp_server 50023 label1 &
server_pid=$!
sleep 1
$udp_client 50023 label1 2>$test_file &
client_pid=$!
wait $server_pid
server_rv=$?
wait $client_pid
client_rv=$?
if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
echo "Sockets with same labels should communicate on udp"
exit 1
fi
# checking access on socket labeled star (*)
# should always be permitted
$udp_server 50024 \* 2>$test_file &
server_pid=$!
sleep 1
$udp_client 50024 label1 2>$test_file &
client_pid=$!
wait $server_pid
server_rv=$?
wait $client_pid
client_rv=$?
if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
echo "Should have access on udp socket labeled star (*)"
exit 1
fi
# checking access from socket labeled star (*)
# all access from subject star should be denied
$udp_server 50025 label1 2>$test_file &
server_pid=$!
sleep 1
$udp_client 50025 \* 2>$test_file &
client_pid=$!
wait $server_pid
server_rv=$?
wait $client_pid
client_rv=$?
if [ $server_rv -eq 0 ]; then
echo "Socket labeled star should not have access to any udp socket"
exit 1
fi
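Review bot: `$udp_server 50023 label1 &` is the only server launch without the `2>$test_file` redirection the other four cases use, so its diagnostics go to the console while everything else goes to the file; add `2>$test_file` for consistency. As in the TCP script, `[ -z $udp_server ]`/`[ -z $udp_client ]` are unquoted, `RC=0` is unused, and `$test_file` is a fixed `/tmp` name written as root; `mktemp` plus an explicit `exit 0` at the end (so the script's status does not depend on the last `fi`) would tighten it up.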
@@ -0,0 +1,75 @@
// (C) Copyright 2015 Intel Corporation
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.
#include <sys/socket.h>
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
int main(int argc, char* argv[])
{
char* message = "hello";
int sock, ret;
struct sockaddr_in server_addr;
struct hostent* host = gethostbyname("localhost");
char* label;
char* attr = "security.SMACK64IPOUT";
int port;
if (argc != 3)
{
perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
return 2;
}
port = atoi(argv[1]);
label = argv[2];
sock = socket(AF_INET, SOCK_DGRAM,0);
if(sock < 0)
{
perror("Client: Socket failure");
return 2;
}
if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
{
perror("Client: Unable to set attribute ");
return 2;
}
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(port);
bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
bzero(&(server_addr.sin_zero),8);
ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
sizeof(struct sockaddr_in));
close(sock);
if(ret < 0)
{
perror("Client: Error sending message\n");
return 1;
}
return 0;
}
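Review bot: `fsetxattr` and `close` are used with neither `<sys/xattr.h>` nor `<unistd.h>` included, and `atoi` lacks `<stdlib.h>`; all three are implicit declarations that fail under current GCC/Clang defaults, so add those includes. `gethostbyname("localhost")` runs before the argument check and `host->h_addr` is dereferenced without a NULL test — `if (host == NULL) { herror("Client: gethostbyname"); return 2; }` after the argc check avoids a crash on resolver failure. `bcopy`/`bzero` are obsolete; `memcpy`/`memset` are the portable equivalents.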
@@ -0,0 +1,93 @@
// (C) Copyright 2015 Intel Corporation
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.
#include <sys/socket.h>
#include <stdio.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
int main(int argc, char* argv[])
{
int sock,ret;
struct sockaddr_in server_addr, client_addr;
socklen_t len;
char message[5];
char* label;
char* attr = "security.SMACK64IPIN";
int port;
if(argc != 3)
{
perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
return 2;
}
port = atoi(argv[1]);
label = argv[2];
struct timeval timeout;
timeout.tv_sec = 15;
timeout.tv_usec = 0;
sock = socket(AF_INET,SOCK_DGRAM,0);
if(sock < 0)
{
perror("Server: Socket error");
return 2;
}
if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
{
perror("Server: Unable to set attribute ");
return 2;
}
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(port);
server_addr.sin_addr.s_addr = INADDR_ANY;
bzero(&(server_addr.sin_zero),8);
if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
{
perror("Server: Set timeout failed\n");
return 2;
}
if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
{
perror("Server: Bind failure");
return 2;
}
len = sizeof(client_addr);
ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
&len);
close(sock);
if(ret < 0)
{
perror("Server: Error receiving");
return 1;
}
return 0;
}
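Review bot: As in udp_client.c, `fsetxattr` and `close` are called without `<sys/xattr.h>`/`<unistd.h>` and `atoi` without `<stdlib.h>`, so the file relies on implicit declarations that current compilers reject; add the three includes. `recvfrom` into the five-byte `message` is adequate because the buffer is never treated as a string, but a comment such as `/* payload is never read as a string; no NUL terminator needed */` would stop a later maintainer from "fixing" it into an overflow.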
@@ -0,0 +1,23 @@
SUMMARY = "Binary used to test smack udp sockets"
DESCRIPTION = "Server and client binaries used to test smack attributes on UDP sockets"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
SRC_URI = "file://udp_server.c \
file://udp_client.c \
file://test_smack_udp_sockets.sh \
"
S = "${WORKDIR}"
do_compile() {
${CC} udp_client.c ${LDFLAGS} -o udp_client
${CC} udp_server.c ${LDFLAGS} -o udp_server
}
do_install() {
install -d ${D}${bindir}
install -d ${D}${sbindir}
install -m 0755 udp_server ${D}${bindir}
install -m 0755 udp_client ${D}${bindir}
install -m 0755 test_smack_udp_sockets.sh ${D}${sbindir}
}