Usage: gbs <your favourite flags> --define "dev_wos 1".
If not explicitly specified, the option is disabled (switched to 0).
This option is intended for development purposes only,
not for release builds.
With this option, Cynara enters "permissive mode" and can work
without Smack module enabled in Linux kernel.
In Tizen, Smack labels are used as process (application) identifiers,
and without them, there's no way to distinguish between processes,
making policy checking not easily possible.
With this option, all credentials helper functions that would
normally return client ID (= Smack label), return
same string: User::Pkg::default_app_no_Smack_mode
This mode is intended to be used by Automotive division
for bring-up development of Tizen working in container
with SELinux enabled in host OS - LSM support in Tizen
will be provided either with LSM stacking (1) or by providing
LSM abstraction in Tizen's Security FW.
This option intends to ease functional development while
the two mentioned options for LSM support in Tizen-in-container
task are being investigated.
This change tries its best to provide daemon still working
for policy management modules to set application policy with admin API,
however, client functionality is changed to always return with
"ALLOW" answer, without contacting the daemon, as no app
identification is possible (yet) without Smack.
link: https://lore.kernel.org/all/20231215221636.105680-1-casey@schaufler-ca.com/T/
Change-Id: I6a0d53d98e6578b8061e1cffff981c10fab811bd
Signed-off-by: Changgyu Choi <changyu.choi@samsung.com>
CMAKE_MINIMUM_REQUIRED(VERSION 2.8.12)
PROJECT(amd)
+IF(_TIZEN_FEATURE_SMACK_DISABLE)
+MESSAGE(STATUS "[SMACK] Disable")
+ADD_DEFINITIONS("-DTIZEN_FEATURE_SMACK_DISABLE")
+ELSE(_TIZEN_FEATURE_SMACK_DISABLE)
+MESSAGE(STATUS "[SMACK] Enable")
+ENDIF(_TIZEN_FEATURE_SMACK_DISABLE)
+
SET(EXTRA_FLAGS "${EXTRA_FLAGS} -Wall")
SET(EXTRA_FLAGS "${EXTRA_FLAGS} -Werror")
SET(EXTRA_FLAGS "${EXTRA_FLAGS} -Wl,-zdefs")
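Review bot: `MESSAGE(STATUS "[SMACK] Disable")` on L32 announces the permissive build at the quietest message level, although the commit message states this mode must never reach a release build; `MESSAGE(WARNING "[SMACK] Disabled: process identification is bypassed, development builds only")` makes the bypass stand out in every configure log. The directory-scoped `ADD_DEFINITIONS` on L33 leaks the define into every target defined below this point; with a 2.8.12 minimum there is no add_compile_definitions, so `target_compile_definitions(<target-that-tests-the-macro> PRIVATE TIZEN_FEATURE_SMACK_DISABLE)` on each target that actually checks the macro is the target-scoped form. The repeated condition in `ELSE(_TIZEN_FEATURE_SMACK_DISABLE)`/`ENDIF(_TIZEN_FEATURE_SMACK_DISABLE)` is legacy noise; bare `ELSE()`/`ENDIF()` suffice.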
%define tizen_feature_prelink 0
%endif
+%if "%{?dev_wos}" == "1"
+%define tizen_feature_smack_disable 1
+%else
+%define tizen_feature_smack_disable 0
+%endif
+
%prep
%setup -q
sed -i 's|TZ_SYS_DB|%{TZ_SYS_DB}|g' %{SOURCE1001}
cp %{SOURCE1001} ./org.tizen.NUIGadgetViewer.manifest
%build
+%if 0%{?tizen_feature_smack_disable}
+_TIZEN_FEATURE_SMACK_DISABLE=ON
+%endif
+
%if 0%{?gcov:1}
export CFLAGS+=" -fprofile-arcs -ftest-coverage"
export CXXFLAGS+=" -fprofile-arcs -ftest-coverage"
-DMAJORVER=${MAJORVER} \
-DAMD_MODULES_DIR=%{_moddir} \
-D_TIZEN_FEATURE_PRELINK:BOOL=${_TIZEN_FEATURE_PRELINK} \
+ -D_TIZEN_FEATURE_SMACK_DISABLE:BOOL=${_TIZEN_FEATURE_SMACK_DISABLE} \
.
%__make %{?_smp_mflags}
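Review bot: L54–L56 assign `_TIZEN_FEATURE_SMACK_DISABLE=ON` only in the enabled case, so in the default build the argument on L64 expands to `-D_TIZEN_FEATURE_SMACK_DISABLE:BOOL=` with an empty value; CMake happens to treat that as false, but the intended default is then implicit and differs from the neighbouring `_TIZEN_FEATURE_PRELINK` which is passed from a variable that appears to be set on both paths. Adding `%else` / `_TIZEN_FEATURE_SMACK_DISABLE=OFF` before the `%endif` on L56 makes the value explicit in both cases. Nothing in the `%if "%{?dev_wos}" == "1"` block on L43–L47 refuses the flag in a release build; if this packaging has a build-type or release macro, guarding that `%define` with it would enforce the development-only intent stated in the commit message.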
return true;
}
+inline bool IsSmackDisabled()
+{
+#ifdef TIZEN_FEATURE_SMACK_DISABLE
+ return true;
+#else
+ return false;
+#endif /* TIZEN_FEATURE_SMACK_DISABLE */
+}
+
int VerifyAppProcess(pid_t pid, const std::string& pkgid) {
if (pkgid.empty())
return -1;
+ if (IsSmackDisabled())
+ return 0;
+
char attr[PATH_MAX] = { 0, };
if (aul_proc_get_attr(pid, attr, sizeof(attr)) < 0)
return -1;
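Review bot: The early `return 0;` added at L81–L82 makes `VerifyAppProcess` report success for any pid/pkgid pair without inspecting the process, and it does so silently; since this is a deliberate permissive mode, a warning-level log before the return (using this file's logging macro, naming the pid and pkgid) records each skipped verification so the bypass is visible in device logs and not only at configure time. `IsSmackDisabled()` on L69–L76 evaluates a preprocessor constant, so if the project builds as C++11 or later it can be `constexpr bool IsSmackDisabled()`, which also lets release builds drop the branch entirely. The same helper is duplicated as `__is_smack_disabled()` in the C hunk below; one shared inline in a common header keeps the two from drifting. `VerifyAppProcess` continues past the end of the hunk.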
return ret;
}
+static int __is_smack_disabled(void)
+{
+#ifdef TIZEN_FEATURE_SMACK_DISABLE
+ return true;
+#else
+ return false;
+#endif /* TIZEN_FEATURE_SMACK_DISABLE */
+}
+
static int __validate_widget_caller(amd_request_h req)
{
bundle *kb = amd_request_get_bundle(req);
caller_status = amd_app_status_find_by_effective_pid(caller_pid);
if (!caller_status) {
+ if (__is_smack_disabled())
+ return 0;
+
r = aul_proc_get_attr(caller_pid, attr, sizeof(attr));
if (r != 0) {
LOGE("Failed to get attr. caller(%d)", caller_pid);
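Review bot: `__is_smack_disabled()` on L89 is declared `static int` but returns `true`/`false`; declaring it `static bool __is_smack_disabled(void)` matches the values it returns (this assumes stdbool is already in scope, which the use of `true` suggests). The bypass at L103–L104 returns 0 from `__validate_widget_caller` exactly when `caller_status` is NULL, i.e. when the daemon has no record of the caller at all, so with Smack disabled every unknown caller is accepted as a valid widget caller; a warning log next to the existing `LOGE` usage, naming `caller_pid`, makes that acceptance traceable. `__validate_widget_caller` continues past the end of the hunk.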