diff options
Diffstat (limited to 'recipes-mac')
26 files changed, 514 insertions, 1456 deletions
diff --git a/recipes-mac/AppArmor/apparmor_3.0.bb b/recipes-mac/AppArmor/apparmor_3.1.3.bb index 015205d..fd649e4 100644 --- a/recipes-mac/AppArmor/apparmor_3.0.bb +++ b/recipes-mac/AppArmor/apparmor_3.1.3.bb @@ -5,41 +5,30 @@ DESCRIPTION = "user-space parser utility for AppArmor \ which is required to convert AppArmor text profiles into machine-readable \ policies that are loaded into the kernel for use with the AppArmor Linux \ Security Module." -HOMEAPAGE = "http://apparmor.net/" +HOMEPAGE = "http://apparmor.net/" SECTION = "admin" -LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" +LICENSE = "GPL-2.0-only & GPL-2.0-or-later & BSD-3-Clause & LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" DEPENDS = "bison-native apr gettext-native coreutils-native swig-native" SRC_URI = " \ - git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \ - file://disable_perl_h_check.patch \ + git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.1 \ + file://run-ptest \ file://crosscompile_perl_bindings.patch \ - file://apparmor.rc \ - file://functions \ - file://apparmor \ - file://apparmor.service \ file://0001-Makefile.am-suppress-perllocal.pod.patch \ - file://run-ptest \ - file://0001-apparmor-fix-manpage-order.patch \ - file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \ - file://0001-libapparmor-add-missing-include-for-socklen_t.patch \ - file://0002-libapparmor-add-aa_features_new_from_file-to-public-.patch \ - file://0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch \ - file://0001-aa_status-Fix-build-issue-with-musl.patch \ - file://0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch \ + file://0001-Makefile-fix-hardcoded-installation-directories.patch \ " -SRCREV = "5d51483bfecf556183558644dc8958135397a7e2" +SRCREV = "e69cb5047946818e6a9df326851483bb075a5cfe" S = "${WORKDIR}/git" PARALLEL_MAKE = "" -COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" +COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*" -inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative cpan systemd features_check bash-completion +inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative cpan systemd features_check bash-completion setuptools3 REQUIRED_DISTRO_FEATURES = "apparmor" @@ -85,8 +74,6 @@ do_compile () { } do_install () { - install -d ${D}/${INIT_D_DIR} - install -d ${D}/lib/apparmor oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install oe_runmake -C ${B}/binutils DESTDIR="${D}" install oe_runmake -C ${B}/utils DESTDIR="${D}" install @@ -102,25 +89,27 @@ do_install () { fi if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then - install -d ${D}/lib/security oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install fi - install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor - install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor + if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then + install -d ${D}${sysconfdir}/init.d + install -m 755 ${B}/parser/rc.apparmor.functions ${D}${sysconfdir}/init.d/apparmor + fi if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} + oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd fi + chown root:root -R ${D}/${sysconfdir}/apparmor.d + chown root:root -R ${D}/${datadir}/apparmor } #Building ptest on arm fails. -do_compile_ptest_aarch64 () { +do_compile_ptest:aarch64 () { : } -do_compile_ptest_arm () { +do_compile_ptest:arm () { : } @@ -150,44 +139,36 @@ do_install_ptest () { } #Building ptest on arm fails. -do_install_ptest_aarch64 () { +do_install_ptest:aarch64 () { : } -do_install_ptest_arm() { +do_install_ptest:arm() { : } -pkg_postinst_ontarget_${PN} () { -if [ ! -d /etc/apparmor.d/cache ] ; then - mkdir /etc/apparmor.d/cache -fi -} - -# We need the init script so don't rm it -RMINITDIR_class-target_remove = " rm_sysvinit_initddir" - INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME = "apparmor" INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "apparmor.service" +SYSTEMD_SERVICE:${PN} = "apparmor.service" SYSTEMD_AUTO_ENABLE ?= "enable" PACKAGES += "mod-${PN}" -FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" -FILES_mod-${PN} = "${libdir}/apache2/modules/*" +FILES:${PN} += "${nonarch_base_libdir}/apparmor/ ${base_libdir}/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages" +FILES:mod-${PN} = "${libdir}/apache2/modules/*" +FILES:${PN}-dbg += "${base_libdir}/security/.debug" -DEPENDS_append_libc-musl = " fts " -RDEPENDS_${PN}_libc-musl += "musl-utils" -RDEPENDS_${PN}_libc-glibc += "glibc-utils" +DEPENDS:append:libc-musl = " fts " +RDEPENDS:${PN}:libc-musl += "musl-utils" +RDEPENDS:${PN}:libc-glibc += "glibc-utils" # Add coreutils and findutils only if sysvinit scripts are in use -RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" -RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" -RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" +RDEPENDS:${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" +RDEPENDS:${PN}:remove = "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" +RDEPENDS:${PN}-ptest += "perl coreutils dbus-lib bash" -INSANE_SKIP_${PN} = "ldflags" -PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*" +INSANE_SKIP:${PN} = "ldflags" +PRIVATE_LIBS:${PN}-ptest = "libapparmor.so*" diff --git a/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch new file mode 100644 index 0000000..f10acb1 --- /dev/null +++ b/recipes-mac/AppArmor/files/0001-Makefile-fix-hardcoded-installation-directories.patch @@ -0,0 +1,51 @@ +From 363114dcd72abf1c0dcd637c66037227b8be229b Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Mon, 21 Jun 2021 14:18:30 +0800 +Subject: [PATCH 1/2] Makefile: fix hardcoded installation directories + +Update the installation directories to fix the do_install error for +multilib and usrmerge. + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + changehat/pam_apparmor/Makefile | 2 +- + parser/Makefile | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/changehat/pam_apparmor/Makefile b/changehat/pam_apparmor/Makefile +index f6ece2d1..0143ae9f 100644 +--- a/changehat/pam_apparmor/Makefile ++++ b/changehat/pam_apparmor/Makefile +@@ -77,7 +77,7 @@ $(NAME).so: ${OBJECTS} + + # need some better way of determining this + DESTDIR=/ +-SECDIR ?= ${DESTDIR}/lib/security ++SECDIR ?= ${DESTDIR}/${base_libdir}/security + + .PHONY: install + install: $(NAME).so +diff --git a/parser/Makefile b/parser/Makefile +index 8250ac45..cf18bc11 100644 +--- a/parser/Makefile ++++ b/parser/Makefile +@@ -23,10 +23,10 @@ COMMONDIR=../common/ + include $(COMMONDIR)/Make.rules + + DESTDIR=/ +-APPARMOR_BIN_PREFIX=${DESTDIR}/lib/apparmor +-SBINDIR=${DESTDIR}/sbin +-USR_SBINDIR=${DESTDIR}/usr/sbin +-SYSTEMD_UNIT_DIR=${DESTDIR}/usr/lib/systemd/system ++APPARMOR_BIN_PREFIX=${DESTDIR}/${nonarch_base_libdir}/apparmor ++SBINDIR=${DESTDIR}/${base_sbindir} ++USR_SBINDIR=${DESTDIR}/${sbindir} ++SYSTEMD_UNIT_DIR=${DESTDIR}/${systemd_system_unitdir} + CONFDIR=/etc/apparmor + INSTALL_CONFDIR=${DESTDIR}${CONFDIR} + LOCALEDIR=/usr/share/locale +-- +2.17.1 + diff --git a/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch b/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch deleted file mode 100644 index 791437d..0000000 --- a/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 5ed21abbef4d4c2983e70bd2868fb817150e883e Mon Sep 17 00:00:00 2001 -From: Armin Kuster <akuster808@gmail.com> -Date: Sat, 3 Oct 2020 11:26:46 -0700 -Subject: [PATCH] Revert "profiles: Update 'make check' to select tools based - on USE_SYSTEM" - -This reverts commit 6016f931ebf7b61e1358f19453ef262d9d184a4e. - -Upstream-Statue: OE specific -These changes cause during packaging with perms changing. - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - profiles/Makefile | 50 ++++++++++------------------------------------- - 1 file changed, 10 insertions(+), 40 deletions(-) - -diff --git a/profiles/Makefile b/profiles/Makefile -index ba47fc16..5384cb05 100644 ---- a/profiles/Makefile -+++ b/profiles/Makefile -@@ -35,49 +35,9 @@ EXTRAS_SOURCE=./apparmor/profiles/extras/ - SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print) - TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*)) - --ifdef USE_SYSTEM -- PYTHONPATH= -- PARSER?=apparmor_parser -- LOGPROF?=aa-logprof --else -- # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am -- PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))") -- LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/ -- LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH) -- PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH) -- PARSER?=../parser/apparmor_parser -- # use ../utils logprof -- LOGPROF?=LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) PYTHONPATH=$(PYTHONPATH) $(PYTHON) ../utils/aa-logprof --endif -- - # $(PWD) is wrong when using "make -C profiles" - explicitely set it here to get the right value - PWD=$(shell pwd) - --.PHONY: test-dependencies --test-dependencies: __parser __libapparmor -- -- --.PHONY: __parser __libapparmor --__parser: --ifndef USE_SYSTEM -- @if [ ! -f $(PARSER) ]; then \ -- echo "error: $(PARSER) is missing. Pick one of these possible solutions:" 1>&2; \ -- echo " 1) Test using the in-tree parser by building it first and then trying again. See the top-level README for help." 1>&2; \ -- echo " 2) Test using the system parser by adding USE_SYSTEM=1 to your make command." 1>&2; \ -- exit 1; \ -- fi --endif -- --__libapparmor: --ifndef USE_SYSTEM -- @if [ ! -f $(LIBAPPARMOR_PATH)libapparmor.so ]; then \ -- echo "error: $(LIBAPPARMOR_PATH)libapparmor.so is missing. Pick one of these possible solutions:" 1>&2; \ -- echo " 1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \ -- echo " 2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2; \ -- exit 1; \ -- fi --endif -- - local: - for profile in ${TOPLEVEL_PROFILES}; do \ - fn=$$(basename $$profile); \ -@@ -109,6 +69,16 @@ else - Q= - endif - -+ifndef PARSER -+# use system parser -+PARSER=../parser/apparmor_parser -+endif -+ -+ifndef LOGPROF -+# use ../utils logprof -+LOGPROF=PYTHONPATH=../utils $(PYTHON) ../utils/aa-logprof -+endif -+ - .PHONY: docs - # docs: should we have some here? - docs: --- -2.17.1 - diff --git a/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch b/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch deleted file mode 100644 index 239562a..0000000 --- a/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 2bf15cc68f31c9f41962bb60a669ab2b453a039b Mon Sep 17 00:00:00 2001 -From: Armin Kuster <akuster808@gmail.com> -Date: Wed, 7 Oct 2020 08:27:11 -0700 -Subject: [PATCH] aa_status: Fix build issue with musl - -add limits.h - -aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'? -| 269 | real_exe = calloc(PATH_MAX + 1, sizeof(char)); - -Upstream-Status: Pending -Signed-off-by: Armin Kuster <akuster808@gmail.com> ---- - binutils/aa_status.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/binutils/aa_status.c b/binutils/aa_status.c -index 78b03409..41f1954e 100644 ---- a/binutils/aa_status.c -+++ b/binutils/aa_status.c -@@ -10,6 +10,7 @@ - #include <stdio.h> - #include <stdlib.h> - #include <string.h> -+#include <limits.h> - #include <sys/types.h> - #include <sys/stat.h> - #include <sys/wait.h> --- -2.17.1 - diff --git a/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch b/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch deleted file mode 100644 index 9f3dce4..0000000 --- a/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch +++ /dev/null @@ -1,43 +0,0 @@ -From c9baef0c70122e1be33b627874772e6e9a5d7744 Mon Sep 17 00:00:00 2001 -From: Armin Kuster <akuster808@gmail.com> -Date: Fri, 2 Oct 2020 19:43:44 -0700 -Subject: [PATCH] apparmor: fix manpage order - -It trys to create a symlink before the man pages are installed. - - ln -sf aa-status.8 /(path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8 - | ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory - -Upstream-Status: Pending -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -... - -install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8; - -Signed-off-by: Armin Kuster <akuster@mvista.com> ---- - binutils/Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/binutils/Makefile b/binutils/Makefile -index 99e54875..3f1d0011 100644 ---- a/binutils/Makefile -+++ b/binutils/Makefile -@@ -156,12 +156,12 @@ install-arch: arch - install -m 755 -d ${SBINDIR} - ln -sf aa-status ${SBINDIR}/apparmor_status - install -m 755 ${SBINTOOLS} ${SBINDIR} -- ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8 - - .PHONY: install-indep - install-indep: indep - $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR} - $(MAKE) install_manpages DESTDIR=${DESTDIR} -+ ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8 - - ifndef VERBOSE - .SILENT: clean --- -2.17.1 - diff --git a/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch b/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch deleted file mode 100644 index 2a56d8b..0000000 --- a/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 47263a3a74d7973e7a54b17db6aa903701468ffd Mon Sep 17 00:00:00 2001 -From: Patrick Steinhardt <ps@pks.im> -Date: Sat, 3 Oct 2020 20:37:55 +0200 -Subject: [PATCH] libapparmor: add missing include for `socklen_t` - -While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't -include the `<sys/socket.h>` header to make its declaration available. -While this works on systems using glibc via transitive includes, it -breaks compilation on musl libc. - -Fix the issue by including the header. - -Signed-off-by: Patrick Steinhardt <ps@pks.im> - -Upstream-Status: Backport -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - libraries/libapparmor/include/sys/apparmor.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h -index 32892d06..d70eff94 100644 ---- a/libraries/libapparmor/include/sys/apparmor.h -+++ b/libraries/libapparmor/include/sys/apparmor.h -@@ -21,6 +21,7 @@ - #include <stdbool.h> - #include <stdint.h> - #include <unistd.h> -+#include <sys/socket.h> - #include <sys/types.h> - - #ifdef __cplusplus --- -2.17.1 - diff --git a/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch b/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch deleted file mode 100644 index 9f7ad3c..0000000 --- a/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 965bb9c3e464f756b258a7c259a92bce3cde74e7 Mon Sep 17 00:00:00 2001 -From: Armin Kuster <akuster@mvista.com> -Date: Wed, 7 Oct 2020 20:50:38 -0700 -Subject: [PATCH] parser/Makefile: dont force host cpp to detect reallocarray - -In cross build environments, using the hosts cpp gives incorrect -detection of reallocarray. Change cpp to a variable. - -fixes: -parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)': -| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope -| 297 | tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1); - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Upstream-Status: Pending - ---- - parser/Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/parser/Makefile b/parser/Makefile -index acef3d77..8250ac45 100644 ---- a/parser/Makefile -+++ b/parser/Makefile -@@ -54,7 +54,7 @@ endif - CPPFLAGS += -D_GNU_SOURCE - - STDLIB_INCLUDE:="\#include <stdlib.h>" --HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true) -+HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true) - - WARNINGS = -Wall - CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS} --- -2.17.1 - diff --git a/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch b/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch deleted file mode 100644 index 333f40f..0000000 --- a/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c9255a03436e6a91bd4e410601da8d43a341ffc2 Mon Sep 17 00:00:00 2001 -From: Patrick Steinhardt <ps@pks.im> -Date: Sat, 3 Oct 2020 20:58:45 +0200 -Subject: [PATCH] libapparmor: add `aa_features_new_from_file` to public - symbols - -With AppArmor release 3.0, a new function `aa_features_new_from_file` -was added, but not added to the list of public symbols. As a result, -it's not possible to make use of this function when linking against -libapparmor.so. - -Fix the issue by adding it to the symbol map. - -Signed-off-by: Patrick Steinhardt <ps@pks.im> - -Upstream-Status: Backport -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - libraries/libapparmor/src/libapparmor.map | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map -index bbff51f5..1579509a 100644 ---- a/libraries/libapparmor/src/libapparmor.map -+++ b/libraries/libapparmor/src/libapparmor.map -@@ -117,6 +117,7 @@ APPARMOR_2.13.1 { - - APPARMOR_3.0 { - global: -+ aa_features_new_from_file; - aa_features_write_to_fd; - aa_features_value; - local: --- -2.17.1 - diff --git a/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch b/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch deleted file mode 100644 index 543c7a1..0000000 --- a/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 9a8fee6bf1c79c261374d928b838b5eb9244ee9b Mon Sep 17 00:00:00 2001 -From: Patrick Steinhardt <ps@pks.im> -Date: Sat, 3 Oct 2020 21:04:57 +0200 -Subject: [PATCH] libapparmor: add _aa_asprintf to private symbols - -While `_aa_asprintf` is supposed to be of private visibility, it's used -by apparmor_parser and thus required to be visible when linking. This -commit thus adds it to the list of private symbols to make it available -for linking in apparmor_parser. - -Signed-off-by: Patrick Steinhardt <ps@pks.im> - -Upstream-Status: Backport -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - libraries/libapparmor/src/libapparmor.map | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map -index 1579509a..41e541ac 100644 ---- a/libraries/libapparmor/src/libapparmor.map -+++ b/libraries/libapparmor/src/libapparmor.map -@@ -127,6 +127,7 @@ APPARMOR_3.0 { - PRIVATE { - global: - _aa_is_blacklisted; -+ _aa_asprintf; - _aa_autofree; - _aa_autoclose; - _aa_autofclose; --- -2.17.1 - diff --git a/recipes-mac/AppArmor/files/apparmor b/recipes-mac/AppArmor/files/apparmor deleted file mode 100644 index 604e48d..0000000 --- a/recipes-mac/AppArmor/files/apparmor +++ /dev/null @@ -1,226 +0,0 @@ -#!/bin/sh -# ---------------------------------------------------------------------- -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 -# NOVELL (All rights reserved) -# Copyright (c) 2008, 2009 Canonical, Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, contact Novell, Inc. -# ---------------------------------------------------------------------- -# Authors: -# Steve Beattie <steve.beattie@canonical.com> -# Kees Cook <kees@ubuntu.com> -# -# /etc/init.d/apparmor -# -### BEGIN INIT INFO -# Provides: apparmor -# Required-Start: $local_fs -# Required-Stop: umountfs -# Default-Start: S -# Default-Stop: -# Short-Description: AppArmor initialization -# Description: AppArmor init script. This script loads all AppArmor profiles. -### END INIT INFO - -log_daemon_msg() { - echo $* -} - -log_end_msg () { - retval=$1 - if [ $retval -eq 0 ]; then - echo "." - else - echo " failed!" - fi - return $retval -} - -. /lib/apparmor/functions - -usage() { - echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" -} - -test -x ${PARSER} || exit 0 # by debian policy -# LSM is built-in, so it is either there or not enabled for this boot -test -d /sys/module/apparmor || exit 0 - -securityfs() { - # Need securityfs for any mode - if [ ! -d "${AA_SFS}" ]; then - if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then - log_daemon_msg "AppArmor not available as kernel LSM." - log_end_msg 1 - exit 1 - else - log_daemon_msg "Mounting securityfs on ${SECURITYFS}" - if ! mount -t securityfs none "${SECURITYFS}"; then - log_end_msg 1 - exit 1 - fi - fi - fi - if [ ! -w "$AA_SFS"/.load ]; then - log_daemon_msg "Insufficient privileges to change profiles." - log_end_msg 1 - exit 1 - fi -} - -handle_system_policy_package_updates() { - apparmor_was_updated=0 - - if ! compare_previous_version ; then - # On snappy flavors, if the current and previous versions are - # different then clear the system cache. snappy will handle - # "$PROFILES_CACHE_VAR" itself (on Touch flavors - # compare_previous_version always returns '0' since snappy - # isn't available). - clear_cache_system - apparmor_was_updated=1 - elif ! compare_and_save_debsums apparmor ; then - # If the system policy has been updated since the last time we - # ran, clear the cache to prevent potentially stale binary - # cache files after an Ubuntu image based upgrade (LP: - # #1350673). This can be removed once all system image flavors - # move to snappy (on snappy systems compare_and_save_debsums - # always returns '0' since /var/lib/dpkg doesn't exist). - clear_cache - apparmor_was_updated=1 - fi - - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then - # If packages for system policy that affect click packages have - # been updated since the last time we ran, run aa-clickhook -f - force_clickhook=0 - force_profile_hook=0 - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums click-apparmor ; then - force_clickhook=1 - force_profile_hook=1 - fi - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-clickhook -f - fi - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-profile-hook -f - fi - fi -} - -# Allow "recache" even when running on the liveCD -if [ "$1" = "recache" ]; then - log_daemon_msg "Recaching AppArmor profiles" - recache_profiles - rc=$? - log_end_msg "$rc" - exit $rc -fi - -# do not perform start/stop/reload actions when running from liveCD -test -d /rofs/etc/apparmor.d && exit 0 - -rc=255 -case "$1" in - start) - if test -x /sbin/systemd-detect-virt && \ - systemd-detect-virt --quiet --container && \ - ! is_container_with_internal_policy; then - log_daemon_msg "Not starting AppArmor in container" - log_end_msg 0 - exit 0 - fi - log_daemon_msg "Starting AppArmor profiles" - securityfs - # That is only useful for click, snappy and system images, - # i.e. not in Debian. And it reads and writes to /var, that - # can be remote-mounted, so it would prevent us from using - # Before=sysinit.target without possibly introducing dependency - # loops. - handle_system_policy_package_updates - load_configured_profiles - rc=$? - log_end_msg "$rc" - ;; - stop) - log_daemon_msg "Clearing AppArmor profiles cache" - clear_cache - rc=$? - log_end_msg "$rc" - cat >&2 <<EOM -All profile caches have been cleared, but no profiles have been unloaded. -Unloading profiles will leave already running processes permanently -unconfined, which can lead to unexpected situations. - -To set a process to complain mode, use the command line tool -'aa-complain'. To really tear down all profiles, run the init script -with the 'teardown' option." -EOM - ;; - teardown) - if test -x /sbin/systemd-detect-virt && \ - systemd-detect-virt --quiet --container && \ - ! is_container_with_internal_policy; then - log_daemon_msg "Not tearing down AppArmor in container" - log_end_msg 0 - exit 0 - fi - log_daemon_msg "Unloading AppArmor profiles" - securityfs - running_profile_names | while read profile; do - if ! unload_profile "$profile" ; then - log_end_msg 1 - exit 1 - fi - done - rc=0 - log_end_msg $rc - ;; - restart|reload|force-reload) - if test -x /sbin/systemd-detect-virt && \ - systemd-detect-virt --quiet --container && \ - ! is_container_with_internal_policy; then - log_daemon_msg "Not reloading AppArmor in container" - log_end_msg 0 - exit 0 - fi - log_daemon_msg "Reloading AppArmor profiles" - securityfs - clear_cache - load_configured_profiles - rc=$? - unload_obsolete_profiles - - log_end_msg "$rc" - ;; - status) - securityfs - if [ -x /usr/sbin/aa-status ]; then - aa-status --verbose - else - cat "$AA_SFS"/profiles - fi - rc=$? - ;; - *) - usage - rc=1 - ;; - esac -exit $rc diff --git a/recipes-mac/AppArmor/files/apparmor.rc b/recipes-mac/AppArmor/files/apparmor.rc deleted file mode 100644 index 1507d7b..0000000 --- a/recipes-mac/AppArmor/files/apparmor.rc +++ /dev/null @@ -1,98 +0,0 @@ -description "Pre-cache and pre-load apparmor profiles" -author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>" - -task - -start on starting rc-sysinit - -script - [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD - [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor - [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser - - . /lib/apparmor/functions - - systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true - - # Need securityfs for any mode - if [ ! -d /sys/kernel/security/apparmor ]; then - if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then - exit 0 - else - mount -t securityfs none /sys/kernel/security || exit 0 - fi - fi - - [ -w /sys/kernel/security/apparmor/.load ] || exit 0 - - apparmor_was_updated=0 - if ! compare_previous_version ; then - # On snappy flavors, if the current and previous versions are - # different then clear the system cache. snappy will handle - # "$PROFILES_CACHE_VAR" itself (on Touch flavors - # compare_previous_version always returns '0' since snappy - # isn't available). - clear_cache_system - apparmor_was_updated=1 - elif ! compare_and_save_debsums apparmor ; then - # If the system policy has been updated since the last time we - # ran, clear the cache to prevent potentially stale binary - # cache files after an Ubuntu image based upgrade (LP: - # #1350673). This can be removed once all system image flavors - # move to snappy (on snappy systems compare_and_save_debsums - # always returns '0' since /var/lib/dpkg doesn't exist). - clear_cache - apparmor_was_updated=1 - fi - - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then - # If packages for system policy that affect click packages have - # been updated since the last time we ran, run aa-clickhook -f - force_clickhook=0 - force_profile_hook=0 - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums click-apparmor ; then - force_clickhook=1 - force_profile_hook=1 - fi - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-clickhook -f - fi - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-profile-hook -f - fi - fi - - if [ "$ACTION" = "teardown" ]; then - running_profile_names | while read profile; do - unload_profile "$profile" - done - exit 0 - fi - - if [ "$ACTION" = "clear" ]; then - clear_cache - exit 0 - fi - - if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then - clear_cache - load_configured_profiles - unload_obsolete_profiles - exit 0 - fi - - # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above, - # aa-clickhook will have already compiled the policy, generated the cache - # files and loaded them into the kernel by this point, so reloading click - # policy from cache, while fairly fast (<2 seconds for 250 profiles on - # armhf), is redundant. Fixing this would complicate the logic quite a bit - # and it wouldn't improve the (by far) common case (ie, when - # 'aa-clickhook -f' is not run). - load_configured_profiles -end script diff --git a/recipes-mac/AppArmor/files/apparmor.service b/recipes-mac/AppArmor/files/apparmor.service deleted file mode 100644 index e66afe4..0000000 --- a/recipes-mac/AppArmor/files/apparmor.service +++ /dev/null @@ -1,22 +0,0 @@ -[Unit] -Description=AppArmor initialization -After=local-fs.target -Before=sysinit.target -AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load -ConditionSecurity=apparmor -DefaultDependencies=no -Documentation=man:apparmor(7) -Documentation=http://wiki.apparmor.net/ - -# Don't start this unit on the Ubuntu Live CD -ConditionPathExists=!/rofs/etc/apparmor.d - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/etc/init.d/apparmor start -ExecStop=/etc/init.d/apparmor stop -ExecReload=/etc/init.d/apparmor reload - -[Install] -WantedBy=sysinit.target diff --git a/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch b/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch index ef55de7..585f306 100644 --- a/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch +++ b/recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch @@ -5,7 +5,7 @@ stuck in the generated Makefile with our cross tools. In this case, linking is done via the compiler rather than the linker directly so pass in CC not LD here. -Signed-Off-By: Tom Rini <trini@konsulko.com> +Signed-off-by: Tom Rini <trini@konsulko.com> --- a/libraries/libapparmor/swig/perl/Makefile.am.orig 2017-06-13 19:04:43.296676212 -0400 +++ b/libraries/libapparmor/swig/perl/Makefile.am 2017-06-13 19:05:03.488676693 -0400 diff --git a/recipes-mac/AppArmor/files/disable_pdf.patch b/recipes-mac/AppArmor/files/disable_pdf.patch deleted file mode 100644 index c6b4bdd..0000000 --- a/recipes-mac/AppArmor/files/disable_pdf.patch +++ /dev/null @@ -1,33 +0,0 @@ -Index: apparmor-2.10.95/parser/Makefile -=================================================================== ---- apparmor-2.10.95.orig/parser/Makefile -+++ apparmor-2.10.95/parser/Makefile -@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT - po/${NAME}.pot: ${SRCS} ${HDRS} - $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}" - --techdoc.pdf: techdoc.tex -- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\ -- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \ -- grep -q "Label(s) may have changed" techdoc.log; \ -- do :; done -- --techdoc/index.html: techdoc.pdf -- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT} -- --techdoc.txt: techdoc/index.html -- w3m -dump $< > $@ - - # targets arranged this way so that people who don't want full docs can - # pick specific targets they want. -@@ -159,9 +148,7 @@ manpages: $(MANPAGES) - - htmlmanpages: $(HTMLMANPAGES) - --pdf: techdoc.pdf -- --docs: manpages htmlmanpages pdf -+docs: manpages htmlmanpages - - indep: docs - $(Q)$(MAKE) -C po all diff --git a/recipes-mac/AppArmor/files/disable_perl_h_check.patch b/recipes-mac/AppArmor/files/disable_perl_h_check.patch deleted file mode 100644 index cf2640f..0000000 --- a/recipes-mac/AppArmor/files/disable_perl_h_check.patch +++ /dev/null @@ -1,19 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -Remove file check for $perl_includedir/perl.h. AC_CHECK_FILE will fail on -cross compilation. Rather than try and get a compile check to work here, -we know that we have what's required via our metadata so remove only this -check. - -Signed-Off-By: Tom Rini <trini@konsulko.com> - ---- a/libraries/libapparmor/configure.ac.orig 2017-06-13 16:41:38.668471495 -0400 -+++ b/libraries/libapparmor/configure.ac 2017-06-13 16:41:40.708471543 -0400 -@@ -58,7 +58,6 @@ - AC_PATH_PROG(PERL, perl) - test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings]) - perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE" -- AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no) - fi - - diff --git a/recipes-mac/AppArmor/files/functions b/recipes-mac/AppArmor/files/functions deleted file mode 100644 index e9e2bbf..0000000 --- a/recipes-mac/AppArmor/files/functions +++ /dev/null @@ -1,271 +0,0 @@ -# /lib/apparmor/functions for Debian -*- shell-script -*- -# ---------------------------------------------------------------------- -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 -# NOVELL (All rights reserved) -# Copyright (c) 2008-2010 Canonical, Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, contact Novell, Inc. -# ---------------------------------------------------------------------- -# Authors: -# Kees Cook <kees@ubuntu.com> - -PROFILES="/etc/apparmor.d" -PROFILES_CACHE="$PROFILES/cache" -PROFILES_VAR="/var/lib/apparmor/profiles" -PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles" -PROFILES_CACHE_VAR="/var/cache/apparmor" -PARSER="/sbin/apparmor_parser" -SECURITYFS="/sys/kernel/security" -export AA_SFS="$SECURITYFS/apparmor" - -# Suppress warnings when booting in quiet mode -quiet_arg="" -[ "${QUIET:-no}" = yes ] && quiet_arg="-q" -[ "${quiet:-n}" = y ] && quiet_arg="-q" - -foreach_configured_profile() { - rc_all="0" - for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do - if [ ! -d "$pdir" ]; then - continue - fi - num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l` - if [ "$num" = "0" ]; then - continue - fi - - cache_dir="$PROFILES_CACHE" - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then - cache_dir="$PROFILES_CACHE_VAR" - fi - cache_args="--cache-loc=$cache_dir" - if [ ! -d "$cache_dir" ]; then - cache_args= - fi - - # LP: #1383858 - expr tree simplification is too slow for - # Touch policy on ARM, so disable it for now - cache_extra_args= - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then - cache_extra_args="-O no-expr-simplify" - fi - - # If need to compile everything, then use -n1 with xargs to - # take advantage of -P. When cache files are in use, omit -n1 - # since it is considerably faster on moderately sized profile - # sets to give the parser all the profiles to load at once - n1_args= - num=`find "$cache_dir" -type f ! -name '.features' | wc -l` - if [ "$num" = "0" ]; then - n1_args="-n1" - fi - - (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ - while read profile; do - if [ -f "$pdir"/"$profile" ]; then - echo "$pdir"/"$profile" - fi - done) | \ - xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { - rc_all="$?" - # FIXME: when the parser properly handles broken - # profiles (LP: #1377338), remove this if statement. - # For now, if the xargs returns with error, just run - # through everything with -n1. (This could be broken - # out and refactored, but this is temporary so make it - # easy to understand and revert) - if [ "$rc_all" != "0" ]; then - (ls -1 "$pdir" | \ - egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ - while read profile; do - if [ -f "$pdir"/"$profile" ]; then - echo "$pdir"/"$profile" - fi - done) | \ - xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { - rc_all="$?" - } - fi - } - done - return $rc_all -} - -load_configured_profiles() { - clear_cache_if_outdated - foreach_configured_profile $quiet_arg --write-cache --replace -} - -load_configured_profiles_without_caching() { - foreach_configured_profile $quiet_arg --replace -} - -recache_profiles() { - clear_cache - foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load -} - -configured_profile_names() { - foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//' -} - -running_profile_names() { - # Output a sorted list of loaded profiles, skipping libvirt's - # dynamically generated files - cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//' -} - -unload_profile() { - echo -n "$1" > "$AA_SFS"/.remove -} - -clear_cache() { - clear_cache_system - clear_cache_var -} - -clear_cache_system() { - find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- -} - -clear_cache_var() { - find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- -} - -read_features_dir() -{ - for f in `ls -A "$1"` ; do - if [ -f "$1/$f" ] ; then - read -r KF < "$1/$f" || true - echo -n "$f {$KF } " - elif [ -d "$1/$f" ] ; then - echo -n "$f {" - KF=`read_features_dir "$1/$f"` || true - echo -n "$KF} " - fi - done -} - -clear_cache_if_outdated() { - if [ -r "$PROFILES_CACHE"/.features ]; then - if [ -d "$AA_SFS"/features ]; then - KERN_FEATURES=`read_features_dir "$AA_SFS"/features` - else - read -r KERN_FEATURES < "$AA_SFS"/features - fi - CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features` - if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then - clear_cache - fi - fi -} - -unload_obsolete_profiles() { - # Currently we must re-parse all the profiles to get policy names. :( - aa_configured=$(mktemp -t aa-XXXXXX) - configured_profile_names > "$aa_configured" || true - aa_loaded=$(mktemp -t aa-XXXXXX) - running_profile_names > "$aa_loaded" || true - LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do - unload_profile "$profile" - done - rm -f "$aa_configured" "$aa_loaded" -} - -# If the system debsum differs from the saved debsum, the new system debsum is -# saved and non-zero is returned. Returns 0 if the two debsums matched or if -# the system debsum file does not exist. This can be removed when system image -# flavors all move to snappy. -compare_and_save_debsums() { - pkg="$1" - - if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then - sums="/var/lib/dpkg/info/${pkg}.md5sums" - # store saved md5sums in /var/lib/apparmor/profiles since - # /var/cache/apparmor might be cleared by apparmor - saved_sums="${PROFILES_VAR}/.${pkg}.md5sums" - - if [ -f "$sums" ] && \ - ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then - cp -f "$sums" "$saved_sums" - return 1 - fi - fi - - return 0 -} - -compare_previous_version() { - installed="/usr/share/snappy/security-policy-version" - previous="/var/lib/snappy/security-policy-version" - - # When just $previous doesn't exist, assume this is a new system with - # no cache and don't do anything special. - if [ -f "$installed" ] && [ -f "$previous" ]; then - pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2` - iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2` - if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then - # snappy updates $previous elsewhere, so just return - return 1 - fi - fi - - return 0 -} - -# Checks to see if the current container is capable of having internal AppArmor -# profiles that should be loaded. Callers of this function should have already -# verified that they're running inside of a container environment with -# something like `systemd-detect-virt --container`. -# -# The only known container environments capable of supporting internal policy -# are LXD and LXC environment. -# -# Returns 0 if the container environment is capable of having its own internal -# policy and non-zero otherwise. -# -# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC -# system container technology being nested inside of a LXD/LXC container that -# utilized an AppArmor namespace and profile stacking. The reason 0 will be -# returned is because .ns_stacked will be "yes" and .ns_name will still match -# "lx[dc]-*" since the nested system container technology will not have set up -# a new AppArmor profile namespace. This will result in the nested system -# container's boot process to experience failed policy loads but the boot -# process should continue without any loss of functionality. This is an -# unsupported configuration that cannot be properly handled by this function. -is_container_with_internal_policy() { - local ns_stacked_path="${AA_SFS}/.ns_stacked" - local ns_name_path="${AA_SFS}/.ns_name" - local ns_stacked - local ns_name - - if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then - return 1 - fi - - read -r ns_stacked < "$ns_stacked_path" - if [ "$ns_stacked" != "yes" ]; then - return 1 - fi - - # LXD and LXC set up AppArmor namespaces starting with "lxd-" and - # "lxc-", respectively. Return non-zero for all other namespace - # identifiers. - read -r ns_name < "$ns_name_path" - if [ "${ns_name#lxd-*}" = "$ns_name" ] && \ - [ "${ns_name#lxc-*}" = "$ns_name" ]; then - return 1 - fi - - return 0 -} diff --git a/recipes-mac/ccs-tools/README b/recipes-mac/ccs-tools/README index 4a4faa7..0381814 100644 --- a/recipes-mac/ccs-tools/README +++ b/recipes-mac/ccs-tools/README @@ -9,4 +9,4 @@ To start via command line add: To initialize: /usr/lib/ccs/init_policy -DISTRO_FEATURES_append = " tomoyo" +DISTRO_FEATURES:append = " tomoyo" diff --git a/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb b/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb index 79af6a5..8185e51 100644 --- a/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb +++ b/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb @@ -2,16 +2,15 @@ SUMMARY = "Tomoyo" DESCRIPTION = "TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. \nTo start via command line add: \nsecurity=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd \nTo initialize: \n/usr/lib/ccs/init_policy" SECTION = "security" -LICENSE = "GPL-2.0" +LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING.ccs;md5=751419260aa954499f7abaabaa882bbe" DEPENDS = "ncurses" -DS = "20150505" +DS = "20210910" SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz" -SRC_URI[md5sum] = "eeee8eb96a7680bfa9c8f6de55502c44" -SRC_URI[sha256sum] = "c358b80a2ea77a9dda79dc2a056dae3acaf3a72fcb8481cfb1cd1f16746324b4" +SRC_URI[sha256sum] = "7900126cf2dd8706c42c2c1ef7a37fd8b50f1505abd7d9c3d653dc390fb4d620" S = "${WORKDIR}/${BPN}" @@ -24,22 +23,22 @@ do_make(){ } do_install(){ - oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} install + oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} SBINDIR=${sbindir} install } PACKAGE="${PN} ${PN}-dbg ${PN}-doc" -FILES_${PN} = "\ +FILES:${PN} = "\ ${sbindir}/* \ ${base_sbindir}/* \ ${libdir}/* \ " -FILES_${PN}-doc = "\ +FILES:${PN}-doc = "\ ${mandir}/man8/* \ " -FILES_${PN}-dbg = "\ +FILES:${PN}-dbg = "\ ${base_sbindir}/.debug/* \ ${sbindir}/.debug/* \ ${libdir}/.debug/* \ diff --git a/recipes-mac/smack/smack-test/notroot.py b/recipes-mac/smack/smack-test/notroot.py index f0eb0b5..89f83f4 100644 --- a/recipes-mac/smack/smack-test/notroot.py +++ b/recipes-mac/smack/smack-test/notroot.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # # Script used for running executables with custom labels, as well as custom uid/gid # Process label is changed by writing to /proc/self/attr/curent @@ -9,8 +9,8 @@ # """By default, each user in Debian GNU/Linux is given a corresponding group # with the same name. """ # -# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..] -# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 +# Usage: root@desk:~# python3 notroot.py <uid> <label> <full_path_to_executable> [arguments ..] +# eg: python3 notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 # # Author: Alexandru Cornea <alexandru.cornea@intel.com> import os @@ -28,6 +28,6 @@ try: os.setuid(uid) os.execv(path,sys.argv) -except Exception,e: - print e.message - sys.exit(1) +except Exception as e: + print(e.strerror) + sys.exit(-1) diff --git a/recipes-mac/smack/smack-test/smack_test_file_access.sh b/recipes-mac/smack/smack-test/smack_test_file_access.sh index 5a0ce84..598f1df 100644 --- a/recipes-mac/smack/smack-test/smack_test_file_access.sh +++ b/recipes-mac/smack/smack-test/smack_test_file_access.sh @@ -8,7 +8,7 @@ CAT=`which cat` ECHO=`which echo` uid=1000 initial_label=`cat /proc/self/attr/current` -python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file +python3 $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file chsmack -a "TheOther" $test_file # 12345678901234567890123456789012345678901234567890123456 @@ -17,7 +17,7 @@ rule_ro="TheOne TheOther r----" # Remove pre-existent rules for "TheOne TheOther <access>" echo -n "$delrule" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? +python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? if [ $RC -ne 0 ]; then echo "Process with different label than the test file and no read access on it can read it" exit $RC @@ -25,7 +25,7 @@ fi # adding read access echo -n "$rule_ro" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? if [ $RC -ne 0 ]; then echo "Process with different label than the test file but with read access on it cannot read it" exit $RC @@ -36,7 +36,7 @@ echo -n "$delrule" > $SMACK_PATH/load # changing label of test file to * # according to SMACK documentation, read access on a * object is always permitted chsmack -a '*' $test_file -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? if [ $RC -ne 0 ]; then echo "Process cannot read file with * label" exit $RC @@ -45,7 +45,7 @@ fi # changing subject label to * # according to SMACK documentation, every access requested by a star labeled subject is rejected TOUCH=`which touch` -python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 +python3 $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$? if [ $RC -ne 0 ];then echo "Process with label '*' should not have any access" diff --git a/recipes-mac/smack/smack-test_1.0.bb b/recipes-mac/smack/smack-test_1.0.bb index d5de607..3ab57c6 100644 --- a/recipes-mac/smack/smack-test_1.0.bb +++ b/recipes-mac/smack/smack-test_1.0.bb @@ -22,4 +22,4 @@ do_install() { install -m 0755 *.sh ${D}${sbindir} } -RDEPENDS_${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test" +RDEPENDS:${PN} = "smack python3-core mmap-smack-test tcp-smack-test udp-smack-test" diff --git a/recipes-mac/smack/smack_1.3.1.bb b/recipes-mac/smack/smack_1.3.1.bb index b1ea4e9..6c52392 100644 --- a/recipes-mac/smack/smack_1.3.1.bb +++ b/recipes-mac/smack/smack_1.3.1.bb @@ -1,18 +1,23 @@ DESCRIPTION = "Selection of tools for developers working with Smack" HOMEPAGE = "https://github.com/smack-team/smack" SECTION = "Security/Access Control" -LICENSE = "LGPL-2.1" +LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SRCREV = "4a102c7584b39ce693995ffb65e0918a9df98dd8" SRC_URI = " \ - git://github.com/smack-team/smack.git \ + git://github.com/smack-team/smack.git;branch=master;protocol=https \ file://smack_generator_make_fixup.patch \ file://run-ptest" PV = "1.3.1" +# CVE-2014-0363, CVE-2014-0364, CVE-2016-10027 is valnerble for other product. +CVE_CHECK_IGNORE += "CVE-2014-0363" +CVE_CHECK_IGNORE += "CVE-2014-0364" +CVE_CHECK_IGNORE += "CVE-2016-10027" + inherit autotools update-rc.d pkgconfig ptest inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} inherit features_check @@ -23,15 +28,15 @@ REQUIRED_DISTRO_FEATURES = "smack" S = "${WORKDIR}/git" PACKAGECONFIG ??= "" -PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" +PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --without-systemdsystemunitdir, systemd" -do_compile_append () { +do_compile:append () { oe_runmake -C ${S}/tests generator } -do_install_append () { +do_install:append () { install -d ${D}${sysconfdir}/init.d install -d ${D}${sysconfdir}/smack install -d ${D}${sysconfdir}/smack/accesses.d @@ -50,10 +55,10 @@ INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME = "smack" INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." -FILES_${PN} += "${sysconfdir}/init.d/smack" -FILES_${PN}-ptest += "generator" +FILES:${PN} += "${sysconfdir}/init.d/smack" +FILES:${PN}-ptest += "generator" -RDEPENDS_${PN} += "coreutils python3-core" -RDEPENDS_${PN}-ptest += "make bash bc" +RDEPENDS:${PN} += "coreutils python3-core" +RDEPENDS:${PN}-ptest += "make bash bc" BBCLASSEXTEND = "native" diff --git a/recipes-mac/smack/tcp-smack-test/tcp_client.c b/recipes-mac/smack/tcp-smack-test/tcp_client.c index 185f973..6c0a474 100644 --- a/recipes-mac/smack/tcp-smack-test/tcp_client.c +++ b/recipes-mac/smack/tcp-smack-test/tcp_client.c @@ -1,111 +1,111 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <netinet/in.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <string.h>
-#include <sys/xattr.h>
-
-int main(int argc, char* argv[])
-{
-
- int sock;
- char message[255] = "hello";
- struct sockaddr_in server_addr;
- char* label_in;
- char* label_out;
- char* attr_out = "security.SMACK64IPOUT";
- char* attr_in = "security.SMACK64IPIN";
- char out[256];
- int port;
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- struct hostent* host = gethostbyname("localhost");
-
- if (argc != 4)
- {
- perror("Client: Arguments missing, please provide socket labels");
- return 2;
- }
-
- port = atoi(argv[1]);
- label_in = argv[2];
- label_out = argv[3];
-
- if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- {
- perror("Client: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
- {
- perror("Client: Unable to set attribute SMACK64IPOUT");
- return 2;
- }
-
- if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
- {
- perror("Client: Unable to set attribute SMACK64IPIN");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
- bzero(&(server_addr.sin_zero),8);
-
- if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Client: Set timeout failed\n");
- return 2;
- }
-
- if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
- {
- perror("Client: Connection failure");
- close(sock);
- return 1;
- }
-
-
- if(write(sock, message, strlen(message)) < 0)
- {
- perror("Client: Error sending data\n");
- close(sock);
- return 1;
- }
- close(sock);
- return 0;
-}
-
-
-
-
-
-
+// (C) Copyright 2015 Intel Corporation +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. +#include <stdio.h> +#include <sys/socket.h> +#include <sys/types.h> +#include <errno.h> +#include <netinet/in.h> +#include <unistd.h> +#include <netdb.h> +#include <string.h> +#include <sys/xattr.h> + +int main(int argc, char* argv[]) +{ + + int sock; + char message[255] = "hello"; + struct sockaddr_in server_addr; + char* label_in; + char* label_out; + char* attr_out = "security.SMACK64IPOUT"; + char* attr_in = "security.SMACK64IPIN"; + char out[256]; + int port; + + struct timeval timeout; + timeout.tv_sec = 15; + timeout.tv_usec = 0; + + struct hostent* host = gethostbyname("localhost"); + + if (argc != 4) + { + perror("Client: Arguments missing, please provide socket labels"); + return 2; + } + + port = atoi(argv[1]); + label_in = argv[2]; + label_out = argv[3]; + + if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) + { + perror("Client: Socket failure"); + return 2; + } + + + if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0) + { + perror("Client: Unable to set attribute SMACK64IPOUT"); + return 2; + } + + if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0) + { + perror("Client: Unable to set attribute SMACK64IPIN"); + return 2; + } + + server_addr.sin_family = AF_INET; + server_addr.sin_port = htons(port); + bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length); + bzero(&(server_addr.sin_zero),8); + + if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0) + { + perror("Client: Set timeout failed\n"); + return 2; + } + + if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1) + { + perror("Client: Connection failure"); + close(sock); + return 1; + } + + + if(write(sock, message, strlen(message)) < 0) + { + perror("Client: Error sending data\n"); + close(sock); + return 1; + } + close(sock); + return 0; +} + + + + + + diff --git a/recipes-mac/smack/tcp-smack-test/tcp_server.c b/recipes-mac/smack/tcp-smack-test/tcp_server.c index 9285dc6..3c8921f 100644 --- a/recipes-mac/smack/tcp-smack-test/tcp_server.c +++ b/recipes-mac/smack/tcp-smack-test/tcp_server.c @@ -1,118 +1,118 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <netinet/in.h>
-#include <unistd.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
-
- int sock;
- int clientsock;
- char message[255];
- socklen_t client_length;
- struct sockaddr_in server_addr, client_addr;
- char* label_in;
- char* attr_in = "security.SMACK64IPIN";
- int port;
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- if (argc != 3)
- {
- perror("Server: Argument missing please provide port and label for SMACK64IPIN");
- return 2;
- }
-
- port = atoi(argv[1]);
- label_in = argv[2];
- bzero(message,255);
-
-
- if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- {
- perror("Server: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
- {
- perror("Server: Unable to set attribute ipin 2");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- server_addr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(server_addr.sin_zero),8);
-
- if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Server: Set timeout failed\n");
- return 2;
- }
-
- if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
- {
- perror("Server: Bind failure ");
- return 2;
- }
-
- listen(sock, 1);
- client_length = sizeof(client_addr);
-
- clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
-
- if (clientsock < 0)
- {
- perror("Server: Connection failed");
- close(sock);
- return 1;
- }
-
-
- if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
- {
- perror(" Server: Unable to set attribute ipin 2");
- close(sock);
- return 2;
- }
-
- if(read(clientsock, message, 254) < 0)
- {
- perror("Server: Error when reading from socket");
- close(clientsock);
- close(sock);
- return 1;
- }
-
-
- close(clientsock);
- close(sock);
-
- return 0;
-}
+// (C) Copyright 2015 Intel Corporation +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. +#include <stdio.h> +#include <sys/socket.h> +#include <sys/types.h> +#include <errno.h> +#include <netinet/in.h> +#include <unistd.h> +#include <string.h> + +int main(int argc, char* argv[]) +{ + + int sock; + int clientsock; + char message[255]; + socklen_t client_length; + struct sockaddr_in server_addr, client_addr; + char* label_in; + char* attr_in = "security.SMACK64IPIN"; + int port; + + struct timeval timeout; + timeout.tv_sec = 15; + timeout.tv_usec = 0; + + if (argc != 3) + { + perror("Server: Argument missing please provide port and label for SMACK64IPIN"); + return 2; + } + + port = atoi(argv[1]); + label_in = argv[2]; + bzero(message,255); + + + if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) + { + perror("Server: Socket failure"); + return 2; + } + + + if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0) + { + perror("Server: Unable to set attribute ipin 2"); + return 2; + } + + server_addr.sin_family = AF_INET; + server_addr.sin_port = htons(port); + server_addr.sin_addr.s_addr = INADDR_ANY; + bzero(&(server_addr.sin_zero),8); + + if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0) + { + perror("Server: Set timeout failed\n"); + return 2; + } + + if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0) + { + perror("Server: Bind failure "); + return 2; + } + + listen(sock, 1); + client_length = sizeof(client_addr); + + clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length); + + if (clientsock < 0) + { + perror("Server: Connection failed"); + close(sock); + return 1; + } + + + if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0) + { + perror(" Server: Unable to set attribute ipin 2"); + close(sock); + return 2; + } + + if(read(clientsock, message, 254) < 0) + { + perror("Server: Error when reading from socket"); + close(clientsock); + close(sock); + return 1; + } + + + close(clientsock); + close(sock); + + return 0; +} diff --git a/recipes-mac/smack/udp-smack-test/udp_client.c b/recipes-mac/smack/udp-smack-test/udp_client.c index 4d3afbe..23f3e00 100644 --- a/recipes-mac/smack/udp-smack-test/udp_client.c +++ b/recipes-mac/smack/udp-smack-test/udp_client.c @@ -1,75 +1,75 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <sys/socket.h>
-#include <stdio.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
- char* message = "hello";
- int sock, ret;
- struct sockaddr_in server_addr;
- struct hostent* host = gethostbyname("localhost");
- char* label;
- char* attr = "security.SMACK64IPOUT";
- int port;
- if (argc != 3)
- {
- perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
- return 2;
- }
-
- port = atoi(argv[1]);
- label = argv[2];
- sock = socket(AF_INET, SOCK_DGRAM,0);
- if(sock < 0)
- {
- perror("Client: Socket failure");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
- {
- perror("Client: Unable to set attribute ");
- return 2;
- }
-
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
- bzero(&(server_addr.sin_zero),8);
-
- ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
- sizeof(struct sockaddr_in));
-
- close(sock);
- if(ret < 0)
- {
- perror("Client: Error sending message\n");
- return 1;
- }
-
- return 0;
-}
-
+// (C) Copyright 2015 Intel Corporation +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. +#include <sys/socket.h> +#include <stdio.h> +#include <netinet/in.h> +#include <netdb.h> +#include <string.h> + +int main(int argc, char* argv[]) +{ + char* message = "hello"; + int sock, ret; + struct sockaddr_in server_addr; + struct hostent* host = gethostbyname("localhost"); + char* label; + char* attr = "security.SMACK64IPOUT"; + int port; + if (argc != 3) + { + perror("Client: Argument missing, please provide port and label for SMACK64IPOUT"); + return 2; + } + + port = atoi(argv[1]); + label = argv[2]; + sock = socket(AF_INET, SOCK_DGRAM,0); + if(sock < 0) + { + perror("Client: Socket failure"); + return 2; + } + + + if(fsetxattr(sock, attr, label, strlen(label),0) < 0) + { + perror("Client: Unable to set attribute "); + return 2; + } + + + server_addr.sin_family = AF_INET; + server_addr.sin_port = htons(port); + bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length); + bzero(&(server_addr.sin_zero),8); + + ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr, + sizeof(struct sockaddr_in)); + + close(sock); + if(ret < 0) + { + perror("Client: Error sending message\n"); + return 1; + } + + return 0; +} + diff --git a/recipes-mac/smack/udp-smack-test/udp_server.c b/recipes-mac/smack/udp-smack-test/udp_server.c index cbab71e..7d2fcf5 100644 --- a/recipes-mac/smack/udp-smack-test/udp_server.c +++ b/recipes-mac/smack/udp-smack-test/udp_server.c @@ -1,93 +1,93 @@ -// (C) Copyright 2015 Intel Corporation
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy
-// of this software and associated documentation files (the "Software"), to deal
-// in the Software without restriction, including without limitation the rights
-// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-// copies of the Software, and to permit persons to whom the Software is
-// furnished to do so, subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in
-// all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
-#include <sys/socket.h>
-#include <stdio.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <string.h>
-
-int main(int argc, char* argv[])
-{
- int sock,ret;
- struct sockaddr_in server_addr, client_addr;
- socklen_t len;
- char message[5];
- char* label;
- char* attr = "security.SMACK64IPIN";
- int port;
-
- if(argc != 3)
- {
- perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
- return 2;
- }
-
- port = atoi(argv[1]);
- label = argv[2];
-
- struct timeval timeout;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
-
- sock = socket(AF_INET,SOCK_DGRAM,0);
- if(sock < 0)
- {
- perror("Server: Socket error");
- return 2;
- }
-
-
- if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
- {
- perror("Server: Unable to set attribute ");
- return 2;
- }
-
- server_addr.sin_family = AF_INET;
- server_addr.sin_port = htons(port);
- server_addr.sin_addr.s_addr = INADDR_ANY;
- bzero(&(server_addr.sin_zero),8);
-
-
- if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
- {
- perror("Server: Set timeout failed\n");
- return 2;
- }
-
- if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
- {
- perror("Server: Bind failure");
- return 2;
- }
-
- len = sizeof(client_addr);
- ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
- &len);
- close(sock);
- if(ret < 0)
- {
- perror("Server: Error receiving");
- return 1;
-
- }
- return 0;
-}
-
+// (C) Copyright 2015 Intel Corporation +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. +#include <sys/socket.h> +#include <stdio.h> +#include <netinet/in.h> +#include <netdb.h> +#include <string.h> + +int main(int argc, char* argv[]) +{ + int sock,ret; + struct sockaddr_in server_addr, client_addr; + socklen_t len; + char message[5]; + char* label; + char* attr = "security.SMACK64IPIN"; + int port; + + if(argc != 3) + { + perror("Server: Argument missing, please provide port and label for SMACK64IPIN"); + return 2; + } + + port = atoi(argv[1]); + label = argv[2]; + + struct timeval timeout; + timeout.tv_sec = 15; + timeout.tv_usec = 0; + + sock = socket(AF_INET,SOCK_DGRAM,0); + if(sock < 0) + { + perror("Server: Socket error"); + return 2; + } + + + if(fsetxattr(sock, attr, label, strlen(label), 0) < 0) + { + perror("Server: Unable to set attribute "); + return 2; + } + + server_addr.sin_family = AF_INET; + server_addr.sin_port = htons(port); + server_addr.sin_addr.s_addr = INADDR_ANY; + bzero(&(server_addr.sin_zero),8); + + + if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0) + { + perror("Server: Set timeout failed\n"); + return 2; + } + + if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0) + { + perror("Server: Bind failure"); + return 2; + } + + len = sizeof(client_addr); + ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr, + &len); + close(sock); + if(ret < 0) + { + perror("Server: Error receiving"); + return 1; + + } + return 0; +} + |