Diffstat (limited to 'meta/recipes-core/dbus/dbus')
-rw-r--r-- | meta/recipes-core/dbus/dbus/dbus-1.init | 4 | ||||
-rw-r--r-- | meta/recipes-core/dbus/dbus/os-test.patch | 35 | ||||
-rw-r--r-- | meta/recipes-core/dbus/dbus/python-config.patch | 21 | ||||
-rwxr-xr-x | meta/recipes-core/dbus/dbus/run-ptest | 31 | ||||
-rw-r--r-- | meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch | 148 |
5 files changed, 193 insertions, 46 deletions
diff --git a/meta/recipes-core/dbus/dbus/dbus-1.init b/meta/recipes-core/dbus/dbus/dbus-1.init index 42c86297c3..90e167e572 100644 --- a/meta/recipes-core/dbus/dbus/dbus-1.init +++ b/meta/recipes-core/dbus/dbus/dbus-1.init @@ -21,8 +21,8 @@ DAEMON=@bindir@/dbus-daemon NAME=dbus -DAEMONUSER=messagebus # must match /etc/dbus-1/system.conf -PIDFILE=/var/run/messagebus.pid # must match /etc/dbus-1/system.conf +DAEMONUSER=messagebus # must match /usr/share/dbus-1/system.conf +PIDFILE=/var/run/dbus/pid # must match /usr/share/dbus-1/system.conf UUIDDIR=/var/lib/dbus DESC="system message bus" EVENTDIR=/etc/dbus-1/event.d diff --git a/meta/recipes-core/dbus/dbus/os-test.patch b/meta/recipes-core/dbus/dbus/os-test.patch deleted file mode 100644 index 54c257f813..0000000000 --- a/meta/recipes-core/dbus/dbus/os-test.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -dbus: remove build host test in configure script - -The dbus build tests the build host to detect what initscript -environment it expects. Remove the test and set it to "redhat" -unconditionally as the oe-core initscript has a redhat-style pid file -path. - -Signed-off-by: Andy Ross <andy.ross@windriver.com> -Upstream-Status: Inappropriate [embedded] - -diff -u a/configure.ac b/configure.ac ---- a/configure.ac 2012-08-28 11:23:43.040609874 -0700 -+++ b/configure.ac 2012-08-28 11:54:25.602913945 -0700 -@@ -1348,19 +1348,8 @@ - AS_AC_EXPAND(EXPANDED_LIBEXECDIR, "$libexecdir") - AS_AC_EXPAND(EXPANDED_DATADIR, "$datadir") - --#### Check our operating system --operating_system=unknown --if test -f /etc/redhat-release || test -f $EXPANDED_SYSCONFDIR/redhat-release ; then -- operating_system=redhat --fi -- --if test -f /etc/slackware-version || test -f $EXPANDED_SYSCONFDIR/slackware-version ; then -- operating_system=slackware --fi -- --if test -f /usr/bin/cygwin1.dll || test -f $EXPANDED_BINDIR/cygwin1.dll ; then -- operating_system=cygwin --fi -+#### Build host test removed from upstream code, openembedded initscript is redhat-like: -+operating_system=redhat - - #### Sort out init scripts - diff --git a/meta/recipes-core/dbus/dbus/python-config.patch b/meta/recipes-core/dbus/dbus/python-config.patch index 294400247e..da2f10c726 100644 --- a/meta/recipes-core/dbus/dbus/python-config.patch +++ b/meta/recipes-core/dbus/dbus/python-config.patch @@ -7,19 +7,28 @@ Upstream-Status: Inappropriate [oe specific] 
Signed-off-by: Mark Hatle <mark.hatle@windriver.com> ---- dbus-1.6.8/configure.ac.orig 2013-07-11 14:15:58.834554799 -0500 -+++ dbus-1.6.8/configure.ac 2013-07-11 14:14:40.969554848 -0500 -@@ -257,13 +257,6 @@ +--- + configure.ac | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 80d27b4..becc1cc 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -279,13 +279,6 @@ if test "x$enable_tests" = xyes; then # full test coverage is required, Python is a hard dependency - AC_MSG_NOTICE([Full test coverage (--enable-tests=yes) requires Python, dbus-python, pygobject]) + AC_MSG_NOTICE([Full test coverage (--enable-tests=yes) requires Python, dbus-python, pygi]) AM_PATH_PYTHON([2.6]) - AC_MSG_CHECKING([for Python modules for full test coverage]) -- if "$PYTHON" -c "import dbus, gobject, dbus.mainloop.glib"; then +- if "$PYTHON" -c "import dbus, gi.repository.GObject, dbus.mainloop.glib"; then - AC_MSG_RESULT([yes]) - else - AC_MSG_RESULT([no]) -- AC_MSG_ERROR([cannot import dbus, gobject, dbus.mainloop.glib Python modules]) +- AC_MSG_ERROR([cannot import dbus, gi.repository.GObject, dbus.mainloop.glib Python modules]) - fi else # --enable-tests not given: do not abort if Python is missing AM_PATH_PYTHON([2.6], [], [:]) +-- +1.9.1 + diff --git a/meta/recipes-core/dbus/dbus/run-ptest b/meta/recipes-core/dbus/dbus/run-ptest index c72d083a91..d3eec08235 100755 --- a/meta/recipes-core/dbus/dbus/run-ptest +++ b/meta/recipes-core/dbus/dbus/run-ptest 
@@ -1,10 +1,35 @@ #!/bin/sh output() { - if [ $? -eq 0 ] + retcode=$? + if [ $retcode -eq 0 ] then echo "PASS: $i" - else echo "FAIL: $i" + elif [ $retcode -eq 77 ] + then echo "SKIP: $i" + else echo "FAIL: $i" fi } -for i in `ls test/test-*`; do ./$i ./test/data DBUS_TEST_HOMEDIR=./test >/dev/null; output; done +export DBUS_TEST_HOMEDIR=./test +export XDG_RUNTIME_DIR=./test +export LD_LIBRARY_PATH=@PTEST_PATH@/test/.libs + +files=`ls test/test-*` + +for i in $files +do + #these programs are used by testcase test-bus, don't run here + #additionally, test-names needs to be run under X + if [ $i = "test/test-service" ] \ + || [ $i = "test/test-shell-service" ] \ + || [ $i = "test/test-segfault" ] \ + || [ $i = "test/test-bus" ] \ + || [ $i = "test/test-names" ] + then + continue + fi + + ./$i ./test/data >/dev/null 2>&1 + output +done + diff --git a/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch new file mode 100644 index 0000000000..7035098e41 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch 
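Review bot: The skip list in the new loop tests an unquoted `$i` five times (`[ $i = "test/test-service" ] \ || ...`), which is fragile if a name ever contains whitespace or glob characters and is harder to extend than a single pattern match; `case "$i" in test/test-service|test/test-shell-service|test/test-segfault|test/test-bus|test/test-names) continue ;; esac` does the same job. Iterating `for i in test/test-*` directly would also avoid parsing `ls` output. Separately, `./$i ./test/data >/dev/null 2>&1` now discards stderr as well, so a FAIL line carries no diagnostics; consider keeping stderr or redirecting it to a log file.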
@@ -0,0 +1,148 @@
+From 6072f8b24153d844a3033108a17bcd0c1a967816 Mon Sep 17 00:00:00 2001
+From: Laurent Bigonville <bigon@bigon.be>
+Date: Sat, 3 Mar 2018 11:15:23 +0100
+Subject: [PATCH] Stop using selinux_set_mapping() function
+
+Currently, if the "dbus" security class or the associated AV doesn't
+exist, dbus-daemon fails to initialize and exits immediately. Also the
+security classes or access vector cannot be reordered in the policy.
+This can be a problem for people developing their own policy or trying
+to access a machine where, for some reasons, there is not policy defined
+at all.
+
+The code here copy the behaviour of the selinux_check_access() function.
+We cannot use this function here as it doesn't allow us to define the
+AVC entry reference.
+
+See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2
+
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/198
+---
+ bus/selinux.c | 75 ++++++++++++++++++++++++++++----------------------
+ 1 file changed, 42 insertions(+), 33 deletions(-)
+
+
+Upstream-Status: Backport
+Signed-off-by: Nisha.Parrakat <Nisha.Parrakat@kpit.com>
+diff --git a/bus/selinux.c b/bus/selinux.c
+
+--- a/bus/selinux.c 2021-08-11 14:45:59.048513026 +0000
++++ b/bus/selinux.c 2021-08-11 14:57:47.144846966 +0000
+@@ -311,24 +311,6 @@
+ #endif
+ }
+
+-/*
+- * Private Flask definitions; the order of these constants must
+- * exactly match that of the structure array below!
+- */
+-/* security dbus class constants */
+-#define SECCLASS_DBUS 1
+-
+-/* dbus's per access vector constants */
+-#define DBUS__ACQUIRE_SVC 1
+-#define DBUS__SEND_MSG 2
+-
+-#ifdef HAVE_SELINUX
+-static struct security_class_mapping dbus_map[] = {
+- { "dbus", { "acquire_svc", "send_msg", NULL } },
+- { NULL }
+-};
+-#endif /* HAVE_SELINUX */
+-
+ /**
+ * Establish dynamic object class and permission mapping and
+ * initialize the user space access vector cache (AVC) for D-Bus and set up
+@@ -350,13 +332,6 @@
+
+ _dbus_verbose ("SELinux is enabled in this kernel.\n");
+
+- if (selinux_set_mapping (dbus_map) < 0)
+- {
+- _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).",
+- strerror (errno));
+- return FALSE;
+- }
+-
+ avc_entry_ref_init (&aeref);
+ if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
+ {
+@@ -421,19 +396,53 @@
+ static dbus_bool_t
+ bus_selinux_check (BusSELinuxID *sender_sid,
+ BusSELinuxID *override_sid,
+- security_class_t target_class,
+- access_vector_t requested,
++ const char *target_class,
++ const char *requested,
+ DBusString *auxdata)
+ {
++ int saved_errno;
++ security_class_t security_class;
++ access_vector_t requested_access;
++
+ if (!selinux_enabled)
+ return TRUE;
+
++ security_class = string_to_security_class (target_class);
++ if (security_class == 0)
++ {
++ saved_errno = errno;
++ log_callback (SELINUX_ERROR, "Unknown class %s", target_class);
++ if (security_deny_unknown () == 0)
++ {
++ return TRUE;
++ }
++
++ _dbus_verbose ("Unknown class %s\n", target_class);
++ errno = saved_errno;
++ return FALSE;
++ }
++
++ requested_access = string_to_av_perm (security_class, requested);
++ if (requested_access == 0)
++ {
++ saved_errno = errno;
++ log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", requested, target_class);
++ if (security_deny_unknown () == 0)
++ {
++ return TRUE;
++ }
++
++ _dbus_verbose ("Unknown permission %s for class %s\n", requested, target_class);
++ errno = saved_errno;
++ return FALSE;
++ }
++
+ /* Make the security check. AVC checks enforcing mode here as well. */
+ if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
+ override_sid ?
+ SELINUX_SID_FROM_BUS (override_sid) :
+ bus_sid,
+- target_class, requested, &aeref, auxdata) < 0)
++ security_class, requested_access, &aeref, auxdata) < 0)
+ {
+ switch (errno)
+ {
+@@ -500,8 +509,8 @@
+
+ ret = bus_selinux_check (connection_sid,
+ service_sid,
+- SECCLASS_DBUS,
+- DBUS__ACQUIRE_SVC,
++ "dbus",
++ "acquire_svc",
+ &auxdata);
+
+ _dbus_string_free (&auxdata);
+@@ -629,8 +638,8 @@
+
+ ret = bus_selinux_check (sender_sid,
+ recipient_sid,
+- SECCLASS_DBUS,
+- DBUS__SEND_MSG,
++ "dbus",
++ "send_msg",
+ &auxdata);
+
+ _dbus_string_free (&auxdata); |
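Review bot: The two new early exits in `bus_selinux_check` return TRUE before `avc_has_perm` is reached whenever the class or permission string is unknown and `security_deny_unknown ()` is 0, so in that configuration every D-Bus access check is allowed with only a `log_callback` message as trace; this deserves an explicit comment at both branches, for example `/* Policy allows unknown classes/permissions: permit without consulting the AVC, as selinux_check_access() does. */`. It would also help to note there that a -1 error return from `security_deny_unknown ()` falls through to the deny path, since that fail-closed behaviour is only implicit in the `== 0` test. The context comment above the init function still reads "Establish dynamic object class and permission mapping", which no longer matches once the `selinux_set_mapping` call is removed. The body of `bus_selinux_check` continues past the end of the hunk.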