From f8247fe2a80916a9c954b78db595eef1de43168e Mon Sep 17 00:00:00 2001 From: Chris Rogers Date: Fri, 15 Mar 2019 10:08:52 -0400 Subject: [PATCH 1/2] [quark] Replace UID with Quark Quark is a lightweight C-based webserver. This commit removes the old OCAML-based webserver, UID, and replaces it with Quark. We also add POST support to Quark to allow for the UI code to log debug messages to dom0 Signed-off-by: Chris Rogers --- .../packagegroup-xenclient-dom0.bb | 2 +- .../files/add-POST-and-argo-support.patch | 319 ++++++++++++++++++ recipes-extended/quark/files/quark.initscript | 41 +++ recipes-extended/quark/quark_1.0.bb | 34 ++ recipes-openxt/uid/uid/uid.conf | 5 - recipes-openxt/uid/uid/uid.initscript | 57 ---- recipes-openxt/uid/uid/uid_dbus.conf | 15 - recipes-openxt/uid/uid_git.bb | 57 ---- 8 files changed, 395 insertions(+), 135 deletions(-) create mode 100644 recipes-extended/quark/files/add-POST-and-argo-support.patch create mode 100755 recipes-extended/quark/files/quark.initscript create mode 100644 recipes-extended/quark/quark_1.0.bb delete mode 100644 recipes-openxt/uid/uid/uid.conf delete mode 100644 recipes-openxt/uid/uid/uid.initscript delete mode 100644 recipes-openxt/uid/uid/uid_dbus.conf delete mode 100644 recipes-openxt/uid/uid_git.bb diff --git a/recipes-core/packagegroups/packagegroup-xenclient-dom0.bb b/recipes-core/packagegroups/packagegroup-xenclient-dom0.bb index b551a7c3b9..ddbecde07d 100644 --- a/recipes-core/packagegroups/packagegroup-xenclient-dom0.bb +++ b/recipes-core/packagegroups/packagegroup-xenclient-dom0.bb @@ -102,7 +102,6 @@ RDEPENDS_${PN} = " \ vusb-daemon \ xenmgr-data \ updatemgr \ - uid \ surfman \ linuxfb-surfman-plugin \ xenmgr \ @@ -113,6 +112,7 @@ RDEPENDS_${PN} = " \ pesign \ ipxe \ udev-extraconf-dom0 \ + quark \ " # OE upgrade - temporarly disabled: diff --git a/recipes-extended/quark/files/add-POST-and-argo-support.patch b/recipes-extended/quark/files/add-POST-and-argo-support.patch new file mode 100644 index 0000000000..0909a8ed3d --- /dev/null +++ b/recipes-extended/quark/files/add-POST-and-argo-support.patch @@ -0,0 +1,319 @@ +################################################################################ +SHORT DESCRIPTION: +################################################################################ +Add POST and argo support to quark. + +################################################################################ +LONG DESCRIPTION: +################################################################################ +POST support: very basic; added to support surf sending log messages via POST + +argo support: added a few select() calls to prevent server lockup when serving +resources + +################################################################################ +CHANGELOG +################################################################################ +x64 patch: Nicholas Tsirakis + +################################################################################ +REMOVAL +################################################################################ + +################################################################################ +UPSTREAM PLAN +################################################################################ + +################################################################################ +INTERNAL DEPENDENCIES +################################################################################ + +################################################################################ +PATCHES +################################################################################ + +commit 8ea834685a163c7dd20ac6c46e0efcae43f8d2e8 +Author: Nicholas Tsirakis +Date: Tue Feb 12 10:22:24 2019 -0500 + + x64 patch + +diff --git a/config.mk b/config.mk +index 7056241..668b0ef 100644 +--- a/config.mk ++++ b/config.mk +@@ -4,13 +4,13 @@ VERSION = 0 + # Customize below to fit your system + + # paths +-PREFIX = /usr/local ++PREFIX ?= /usr + MANPREFIX = $(PREFIX)/share/man + + # flags +-CPPFLAGS = -DVERSION=\"$(VERSION)\" -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=700 -D_BSD_SOURCE +-CFLAGS = -std=c99 -pedantic -Wall -Wextra -Os +-LDFLAGS = -s ++CPPFLAGS ?= -DVERSION=\"$(VERSION)\" -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=700 -D_BSD_SOURCE ++CFLAGS ?= -std=c99 -pedantic -Wall -Wextra -O ++LDFLAGS ?= + + # compiler and linker +-CC = cc ++CC ?= gcc +diff --git a/http.c b/http.c +index c848e81..f53c25c 100644 +--- a/http.c ++++ b/http.c +@@ -30,6 +30,7 @@ const char *req_field_str[] = { + const char *req_method_str[] = { + [M_GET] = "GET", + [M_HEAD] = "HEAD", ++ [M_POST] = "POST" + }; + + const char *status_str[] = { +@@ -121,14 +122,37 @@ http_get_request(int fd, struct request *r) + } + } + +- /* remove terminating empty line */ +- if (hlen < 2) { ++ /* split header and payload (if applicable) ++ * ++ * expected POST format: HEADER, ++ * two newlines, ++ * PAYLOAD, ++ * two newlines ++ * ++ * expected GET format: HEADER, ++ * two newlines ++ */ ++ ++ /* find first occurrence of double newlines */ ++ p = strstr(h, "\r\n\r\n"); ++ if (!p) { + return http_send_status(fd, S_BAD_REQUEST); + } +- hlen -= 2; + +- /* null-terminate the header */ +- h[hlen] = '\0'; ++ /* keep the first newline */ ++ p += 2; ++ ++ /* find second occurrence - if exists, POST request, else GET */ ++ q = strstr(p, "\r\n\r\n"); ++ if (q) { ++ *q = '\0'; ++ strncpy(r->payload, p, q-p+1); ++ } else { ++ r->payload[0] = '\0'; ++ } ++ ++ /* null terminate header; strip second newline */ ++ *p = '\0'; + + /* + * parse request line +@@ -270,6 +294,8 @@ http_get_request(int fd, struct request *r) + memmove(r->field[REQ_HOST], p, q - p + 1); + } + ++ /* wait until our fd is available for the next operation */ ++ wait_fd_ready(fd, true, true); + return 0; + } + +@@ -355,7 +381,7 @@ http_send_response(int fd, struct request *r) + struct tm tm; + size_t len, i; + off_t lower, upper; +- int hasport, ipv6host; ++ int hasport, ipv6host, ret; + static char realtarget[PATH_MAX], tmptarget[PATH_MAX], t[TIMESTAMP_LEN]; + char *p, *q, *mime; + const char *vhostmatch, *targethost, *err; +@@ -604,5 +630,10 @@ http_send_response(int fd, struct request *r) + } + } + +- return resp_file(fd, RELPATH(realtarget), r, &st, mime, lower, upper); ++ /* wait until our fd is available for the next operation */ ++ wait_fd_ready(fd, true, true); ++ ret = resp_file(fd, RELPATH(realtarget), r, &st, mime, lower, upper); ++ wait_fd_ready(fd, true, false); ++ ++ return ret; + } +diff --git a/http.h b/http.h +index cd1ba22..f0ea49e 100644 +--- a/http.h ++++ b/http.h +@@ -5,6 +5,7 @@ + #include + + #define HEADER_MAX 4096 ++#define PAYLOAD_MAX 8192 + #define FIELD_MAX 200 + + enum req_field { +@@ -19,6 +20,7 @@ extern const char *req_field_str[]; + enum req_method { + M_GET, + M_HEAD, ++ M_POST, + NUM_REQ_METHODS, + }; + +@@ -28,6 +30,7 @@ struct request { + enum req_method method; + char target[PATH_MAX]; + char field[NUM_REQ_FIELDS][FIELD_MAX]; ++ char payload[PAYLOAD_MAX]; + }; + + enum status { +diff --git a/main.c b/main.c +index e9d0a06..a3eebf6 100644 +--- a/main.c ++++ b/main.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -31,14 +32,17 @@ serve(int infd, struct sockaddr_storage *in_sa) + char inaddr[INET6_ADDRSTRLEN /* > INET_ADDRSTRLEN */]; + char tstmp[21]; + +- /* set connection timeout */ +- if (sock_set_timeout(infd, 30)) { +- goto cleanup; +- } +- + /* handle request */ +- if (!(status = http_get_request(infd, &r))) { +- status = http_send_response(infd, &r); ++ status = http_get_request(infd, &r); ++ ++ if (!status) { ++ if (r.method == M_POST) { ++ /* handle POST */ ++ syslog(LOG_INFO, "[quark] %s", r.payload); ++ } else { ++ /* handle GET */ ++ status = http_send_response(infd, &r); ++ } + } + + /* write output to log */ +@@ -228,18 +232,6 @@ main(int argc, char *argv[]) + die("setrlimit RLIMIT_NPROC:"); + } + +- /* validate user and group */ +- errno = 0; +- if (user && !(pwd = getpwnam(user))) { +- die("getpwnam '%s': %s", user, errno ? strerror(errno) : +- "Entry not found"); +- } +- errno = 0; +- if (group && !(grp = getgrnam(group))) { +- die("getgrnam '%s': %s", group, errno ? strerror(errno) : +- "Entry not found"); +- } +- + /* Open a new process group */ + setpgid(0,0); + +@@ -270,23 +262,6 @@ main(int argc, char *argv[]) + die("chroot .:"); + } + +- /* drop root */ +- if (grp && setgroups(1, &(grp->gr_gid)) < 0) { +- die("setgroups:"); +- } +- if (grp && setgid(grp->gr_gid) < 0) { +- die("setgid:"); +- } +- if (pwd && setuid(pwd->pw_uid) < 0) { +- die("setuid:"); +- } +- if (getuid() == 0) { +- die("Won't run as root user", argv0); +- } +- if (getgid() == 0) { +- die("Won't run as root group", argv0); +- } +- + /* accept incoming connections */ + while (1) { + in_sa_len = sizeof(in_sa); +diff --git a/resp.c b/resp.c +index 3075c28..ee12606 100644 +--- a/resp.c ++++ b/resp.c +@@ -141,6 +141,7 @@ resp_file(int fd, char *name, struct request *r, struct stat *st, char *mime, + "Date: %s\r\n" + "Connection: close\r\n" + "Last-Modified: %s\r\n" ++ "Expires: Wed, 1 Jan 2030 00:00:00 GMT\r\n" + "Content-Type: %s\r\n" + "Content-Length: %zu\r\n", + s, status_str[s], timestamp(time(NULL), t1), +diff --git a/util.c b/util.c +index 0b05d91..5e16271 100644 +--- a/util.c ++++ b/util.c +@@ -133,3 +133,27 @@ reallocarray(void *optr, size_t nmemb, size_t size) + } + return realloc(optr, size * nmemb); + } ++ ++void ++wait_fd_ready(int fd, bool read, bool write) ++{ ++ struct timeval tv; ++ fd_set readfds; ++ fd_set writefds; ++ ++ tv.tv_sec = 0; ++ tv.tv_usec = 500000; ++ ++ FD_ZERO(&readfds); ++ FD_ZERO(&writefds); ++ ++ if (read) { ++ FD_SET(fd, &readfds); ++ } ++ ++ if (write) { ++ FD_SET(fd, &writefds); ++ } ++ ++ select(fd + 1, &readfds, &writefds, NULL, &tv); ++} +diff --git a/util.h b/util.h +index 12b7bd8..d41dc40 100644 +--- a/util.h ++++ b/util.h +@@ -3,6 +3,7 @@ + #define UTIL_H + + #include ++#include + #include + #include + +@@ -54,4 +55,6 @@ int esnprintf(char *, size_t, const char *, ...); + void *reallocarray(void *, size_t, size_t); + long long strtonum(const char *, long long, long long, const char **); + ++void wait_fd_ready(int, bool, bool); ++ + #endif /* UTIL_H */ diff --git a/recipes-extended/quark/files/quark.initscript b/recipes-extended/quark/files/quark.initscript new file mode 100755 index 0000000000..9cbc83c2f8 --- /dev/null +++ b/recipes-extended/quark/files/quark.initscript @@ -0,0 +1,41 @@ +#! /bin/sh + +set -e + +QUARK="/usr/bin/quark" +QUARK_OPTS="-h 1.0.0.0 -p 80 -d /usr/lib/xui" +PIDFILE="/var/run/quark.pid" + +start_quark() { + LD_PRELOAD=/usr/lib/libv4v-1.0.so.0.0.0 INET_IS_V4V=1 start-stop-daemon --start --background --make-pidfile --pidfile="${PIDFILE}" --quiet --oknodo --exec $QUARK -- $QUARK_OPTS +} + +stop_quark() { + start-stop-daemon --stop --quiet --oknodo --pidfile="${PIDFILE}" + rm -f "${PIDFILE}" +} + +test -x $QUARK || exit 0 + +case "$1" in + start) + echo "Starting Quark server" + start_quark + ;; + stop) + echo "Stopping Quark server" + stop_quark + ;; + + restart) + echo "Restarting Quark server" + stop_quark + start_quark + ;; + + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 +esac + +exit 0 diff --git a/recipes-extended/quark/quark_1.0.bb b/recipes-extended/quark/quark_1.0.bb new file mode 100644 index 0000000000..61e621872d --- /dev/null +++ b/recipes-extended/quark/quark_1.0.bb @@ -0,0 +1,34 @@ +SUMMARY = "An extremely small and simple HTTP GET/HEAD-only web server for static content" +HOMEPAGE = "https://tools.suckless.org/quark/" + +LICENSE = "ISC" +LIC_FILES_CHKSUM = "file://LICENSE;md5=a15ae487f2479a5b23430b7e876244e3" + +SECTION = "net" + +SRCREV = "e299e186edba03192fc12f6709df48d02aa83849" + +S = "${WORKDIR}/git/" + +SRC_URI = "git://git.suckless.org/quark;protocol=ssh;branch=master \ + file://add-POST-and-argo-support.patch \ + file://quark.initscript \ + " + +inherit update-rc.d + +INITSCRIPT_NAME = "quark" +INITSCRIPT_PARAMS = "defaults 81" + +FILES_${PN} = " \ + ${bindir}/quark \ + ${sysconfdir}/init.d/quark \ +" + +do_install() { + oe_runmake DESTDIR=${D} install + + # initscript + install -m 0755 -d ${D}${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/quark.initscript ${D}${sysconfdir}/init.d/quark +} diff --git a/recipes-openxt/uid/uid/uid.conf b/recipes-openxt/uid/uid/uid.conf deleted file mode 100644 index 3c590f6bb8..0000000000 --- a/recipes-openxt/uid/uid/uid.conf +++ /dev/null @@ -1,5 +0,0 @@ -http-port = 80 -daemonize = true -files-dir = /usr/lib/xui -max-payload = 104857600 -only-uuids = 00000000-0000-0000-0000-000000000001 diff --git a/recipes-openxt/uid/uid/uid.initscript b/recipes-openxt/uid/uid/uid.initscript deleted file mode 100644 index 1815a409d7..0000000000 --- a/recipes-openxt/uid/uid/uid.initscript +++ /dev/null @@ -1,57 +0,0 @@ -#! /bin/sh -# -# Copyright (c) 2014 Citrix Systems, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -# Provides: uid - -set -e - -test -x /usr/bin/uid || exit 0 - -UID_OPTS="--no-daemonize" -PIDFILE="/var/run/uid.pid" - -if [ -n "$2" ]; then - UID_OPTS="$UID_OPTS $2" -fi - -export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" - -case "$1" in -start) - echo "Starting UID server" - LD_PRELOAD=/usr/lib/libargo-1.0.so.0.0.0 INET_IS_ARGO=1 start-stop-daemon --start --background --make-pidfile --pidfile="${PIDFILE}" --quiet --oknodo --exec /usr/bin/uid -- $UID_OPTS - ;; - stop) - echo "Stopping UID server" - start-stop-daemon --stop --quiet --oknodo --pidfile="${PIDFILE}" - rm -f "${PIDFILE}" - ;; - - restart) - echo "Restarting UID server" - start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile="${PIDFILE}" - start-stop-daemon --start --background --make-pidfile --pidfile="${PIDFILE}" --quiet --oknodo --exec /usr/bin/uid -- $UID_OPTS - ;; - - *) - echo "Usage: $0 {start|stop|restart}" - exit 1 -esac - -exit 0 diff --git a/recipes-openxt/uid/uid/uid_dbus.conf b/recipes-openxt/uid/uid/uid_dbus.conf deleted file mode 100644 index 4c7eee3123..0000000000 --- a/recipes-openxt/uid/uid/uid_dbus.conf +++ /dev/null @@ -1,15 +0,0 @@ - - - - - - - - - - - diff --git a/recipes-openxt/uid/uid_git.bb b/recipes-openxt/uid/uid_git.bb deleted file mode 100644 index e4a4e0b4fa..0000000000 --- a/recipes-openxt/uid/uid_git.bb +++ /dev/null @@ -1,57 +0,0 @@ -DESCRIPTION = "UID - User Interface Daemon" -LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" -DEPENDS = " \ - dbus-native \ - ocaml-dbus \ - xen-ocaml-libs \ - openxt-ocaml-libs \ -" - -PV = "0+git${SRCPV}" - -SRCREV = "${AUTOREV}" -SRC_URI = "git://github.com/OpenXT/uid.git" - -SRC_URI += " \ - file://uid_dbus.conf \ - file://uid.conf \ - file://uid.initscript \ -" - -S = "${WORKDIR}/git" - -inherit update-rc.d ocaml findlib pkgconfig - -INITSCRIPT_PACKAGES="${PN}" - -INITSCRIPT_NAME_${PN} = "uid" -INITSCRIPT_PARAMS_${PN} = "defaults 81" - -FILES_${PN} += " \ - ${bindir}/uid \ - ${sysconfdir}/init.d/uid \ - ${sysconfdir}/uid.conf \ - ${sysconfdir}/dbus-1/system.d/uid_dbus.conf \ -" - -PARALLEL_MAKE = "" -do_compile() { - oe_runmake V=1 XEN_DIST_ROOT="${STAGING_DIR}" all -} - -do_install() { - oe_runmake DESTDIR=${D} V=1 install - - # No library. - rm -rf ${D}${libdir} - - install -m 0755 -d ${D}${sysconfdir} - install -m 0644 ${WORKDIR}/uid.conf ${D}${sysconfdir}/uid.conf - - install -m 0755 -d ${D}${sysconfdir}/dbus-1/system.d - install -m 0644 ${WORKDIR}/uid_dbus.conf ${D}${sysconfdir}/dbus-1/system.d/uid_dbus.conf - - install -m 0755 -d ${D}${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/uid.initscript ${D}${sysconfdir}/init.d/uid -} From 8c1342313b0d14e9e769d2a63fd0d3ba3099daa8 Mon Sep 17 00:00:00 2001 From: Chris Rogers Date: Fri, 15 Mar 2019 10:27:58 -0400 Subject: [PATCH 2/2] [refpolicy] Replace UID refpolicy with quark The removal of UID and addition of Quark requires updates to the refpolicy. This commit adds a new quark module and removes several uid_t rules in other .te files. Signed-off-by: Nicholas Tsirakis Signed-off-by: Chris Rogers --- .../patches/uid-interfaces.diff | 23 ---------- .../patches/vusb-interfaces.diff | 1 - .../policy/modules-openxt.conf | 14 +++--- .../modules/services/{uid.fc => quark.fc} | 3 +- .../modules/services/{uid.if => quark.if} | 24 +++++----- .../modules/services/{uid.te => quark.te} | 44 ++++++------------- .../policy/modules/services/rpcproxy.te | 4 +- .../policy/modules/services/updatemgr.te | 1 - .../policy/modules/services/xenpmd.te | 1 - .../refpolicy/refpolicy-mcs_2.%.bbappend | 7 ++- 10 files changed, 39 insertions(+), 83 deletions(-) delete mode 100644 recipes-security/refpolicy/refpolicy-mcs-2.%/patches/uid-interfaces.diff rename recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/{uid.fc => quark.fc} (88%) rename recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/{uid.if => quark.if} (74%) rename recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/{uid.te => quark.te} (56%) diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/uid-interfaces.diff b/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/uid-interfaces.diff deleted file mode 100644 index 33cef3007f..0000000000 --- a/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/uid-interfaces.diff +++ /dev/null @@ -1,23 +0,0 @@ ---- a/policy/modules/services/networkmanager.te -+++ b/policy/modules/services/networkmanager.te -@@ -392,6 +392,10 @@ optional_policy(` - ') - - optional_policy(` -+ uid_dbus_send(NetworkManager_t) -+') -+ -+optional_policy(` - vpn_domtrans(NetworkManager_t) - vpn_kill(NetworkManager_t) - vpn_signal(NetworkManager_t) ---- a/policy/modules/system/xen.te -+++ b/policy/modules/system/xen.te -@@ -281,6 +281,7 @@ tapdisk_filetrans_control_dir(xend_t) - - dbd_dbus_chat(xend_t) - surfman_dbus_chat(xend_t) -+uid_dbus_chat(xend_t) - - kernel_read_kernel_sysctls(xend_t) - kernel_read_system_state(xend_t) diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/vusb-interfaces.diff b/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/vusb-interfaces.diff index 956e28e5f5..c8cde238c7 100644 --- a/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/vusb-interfaces.diff +++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/patches/vusb-interfaces.diff @@ -10,4 +10,3 @@ + dbd_dbus_chat(xend_t) surfman_dbus_chat(xend_t) - uid_dbus_chat(xend_t) diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-openxt.conf b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-openxt.conf index 8c270228ea..9f31ebf16e 100644 --- a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-openxt.conf +++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules-openxt.conf @@ -88,6 +88,13 @@ language-sync = module # network-daemon = module +# Layer: services +# Module: quark +# +# quark daemon +# +quark = module + # Layer: services # Module: surfman # @@ -116,13 +123,6 @@ tpmsetup = module # tpmutil = module -# Layer: services -# Module: uid -# -# uid daemon -# -uid = module - # Layer: services # Module: updatemgr # diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/uid.fc b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/quark.fc similarity index 88% rename from recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/uid.fc rename to recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/quark.fc index bda87f5d18..e52e63a8c3 100644 --- a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/uid.fc +++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/quark.fc @@ -18,5 +18,4 @@ # ############################################################################# -/usr/bin/uid -- gen_context(system_u:object_r:uid_exec_t,s0) -/etc/uid\.conf -- gen_context(system_u:object_r:uid_etc_t,s0) +/usr/bin/quark -- gen_context(system_u:object_r:quark_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/uid.if b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/quark.if similarity index 74% rename from recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/uid.if rename to recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/quark.if index 06a2da80fc..aa8a996e18 100644 --- a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/uid.if +++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/quark.if @@ -18,44 +18,44 @@ # ############################################################################# -## uid daemon +## quark daemon ####################################### ## -## Send messages to uid over dbus. +## Send messages to quark over dbus. ## ## ## -## The type of the process sending messages to uid over dbus. +## The type of the process sending messages to quark over dbus. ## ## # -interface(`uid_dbus_send',` +interface(`quark_dbus_send',` gen_require(` - type uid_t; + type quark_t; class dbus send_msg; ') - allow $1 uid_t:dbus send_msg; + allow $1 quark_t:dbus send_msg; ') ####################################### ## -## Exchange messages with uid over dbus. +## Exchange messages with quark over dbus. ## ## ## -## The type of the process chatting with uid over dbus. +## The type of the process chatting with quark over dbus. ## ## # -interface(`uid_dbus_chat',` +interface(`quark_dbus_chat',` gen_require(` - type uid_t; + type quark_t; class dbus send_msg; ') - allow $1 uid_t:dbus send_msg; - allow uid_t $1:dbus send_msg; + allow $1 quark_t:dbus send_msg; + allow quark_t $1:dbus send_msg; ') diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/uid.te b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/quark.te similarity index 56% rename from recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/uid.te rename to recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/quark.te index 2e668449c5..0e5800b77a 100644 --- a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/uid.te +++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/quark.te @@ -18,39 +18,23 @@ # ############################################################################# -policy_module(uid, 0.1) +policy_module(quark, 0.1) -type uid_t; -type uid_exec_t; +type quark_t; +type quark_exec_t; -init_daemon_domain(uid_t, uid_exec_t); +init_daemon_domain(quark_t, quark_exec_t); -type uid_tmp_t; -files_tmp_file(uid_tmp_t) -files_tmp_filetrans(uid_t, uid_tmp_t, file) +xc_files_rw_v4v_chr(quark_t) +logging_send_syslog_msg(quark_t) -type uid_etc_t; -files_config_file(uid_etc_t) +# quark spawns a new child process for each file it +# serves. allow it to configure these processes. +allow quark_t self:process { rlimitinh setpgid setrlimit siginh }; -allow uid_t uid_etc_t:file read_file_perms; +# the files are served from the dir provided on the cmdline. +# quark chroots to that dir to handle relative pathnames. +allow quark_t self:capability sys_chroot; -dbus_connect_system_bus(uid_t) -dbus_system_bus_client(uid_t) -vusbd_dbus_chat(uid_t) -surfman_dbus_chat(uid_t) -xen_dbus_chat(uid_t) -optional_policy(' - hal_dbus_chat(uid_t) -') -input_server_dbus_chat(uid_t) -rpcproxy_websockets_dbus_chat(uid_t) - -xc_files_rw_argo_chr(uid_t) -# consider DONTAUDIT -xc_getattr_service_disk_dir(uid_t) -xc_search_storage(uid_t) - -xen_stream_connect_xenstore(uid_t) -logging_send_syslog_msg(uid_t) - -corecmd_search_bin(uid_t) +# allow to signal itself (on shutdown) +allow quark_t self:process signal; diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/rpcproxy.te b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/rpcproxy.te index 58f1db4546..dbdf81327f 100644 --- a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/rpcproxy.te +++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/rpcproxy.te @@ -133,8 +133,8 @@ xen_dbus_chat(rpcproxy_websockets_t) network_daemon_dbus_chat(rpcproxy_websockets_t) xenpmd_dbus_chat(rpcproxy_websockets_t) # Note: rpcproxy_websockets_t is also allowed to chat -# with statusreport_t and uid_t via rpcproxy_websockets_dbus_chat() calls -# in statusreport.te and uid.te. +# with statusreport_t via rpcproxy_websockets_dbus_chat() calls +# in statusreport.te. # Execute openssl via a WebSocket. # TODO: Assign openssl its own type so that we can limit what other binaries diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/updatemgr.te b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/updatemgr.te index d8a9a969f5..4fd504207f 100644 --- a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/updatemgr.te +++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/updatemgr.te @@ -62,7 +62,6 @@ kernel_read_vm_overcommit_sysctl(updatemgr_t) logging_send_syslog_msg(updatemgr_t) dbd_dbus_chat(updatemgr_t) -uid_dbus_chat(updatemgr_t) xc_installer_delete(updatemgr_t) xc_installer_domtrans(updatemgr_t) xc_read_etc_files(updatemgr_t) diff --git a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/xenpmd.te b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/xenpmd.te index ba216217da..5dc0fb316e 100644 --- a/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/xenpmd.te +++ b/recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/xenpmd.te @@ -48,7 +48,6 @@ files_config_file(xenpmd_etc_t) dbus_system_bus_client(xenpmd_t) dbus_connect_system_bus(xenpmd_t) dbus_send_system_bus(xenpmd_t) -uid_dbus_chat(xenpmd_t) surfman_dbus_chat(xenpmd_t) rpcproxy_websockets_dbus_chat(xenpmd_t) dbd_dbus_chat(xenpmd_t) diff --git a/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend b/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend index 6958fe6e06..5ffe757397 100644 --- a/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend +++ b/recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend @@ -55,15 +55,15 @@ SRC_URI += " \ file://policy/modules/services/network-daemon.fc \ file://policy/modules/services/network-daemon.if \ file://policy/modules/services/network-daemon.te \ + file://policy/modules/services/quark.fc \ + file://policy/modules/services/quark.if \ + file://policy/modules/services/quark.te \ file://policy/modules/services/rpcproxy.fc \ file://policy/modules/services/rpcproxy.if \ file://policy/modules/services/rpcproxy.te \ file://policy/modules/services/surfman.fc \ file://policy/modules/services/surfman.if \ file://policy/modules/services/surfman.te \ - file://policy/modules/services/uid.fc \ - file://policy/modules/services/uid.if \ - file://policy/modules/services/uid.te \ file://policy/modules/services/updatemgr.fc \ file://policy/modules/services/updatemgr.if \ file://policy/modules/services/updatemgr.te \ @@ -145,7 +145,6 @@ SRC_URI += " \ file://patches/sysutils-interfaces.diff \ file://patches/tcs-interfaces.diff \ file://patches/tpmsetup-interfaces.diff \ - file://patches/uid-interfaces.diff \ file://patches/updatemgr-interfaces.diff \ file://patches/vhdutils-interfaces.diff \ file://patches/xc-files-interfaces.patch \