author | Matt Ranostay <matt.ranostay@konsulko.com> | 2019-09-12 09:59:12 +0300 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2019-09-16 12:08:12 +0000 |
commit | 8a43a26ba0d0930f5d86932d6af96e5f97dabee5 | |
tree | 3323638f4fdb9b425a5fc72faae1b9b0be5d132a | |
parent | d73609b3c920df1ba8afbabb16c69ac1d9ee846c |
base-files: add /media to System::Shared SMACK label
All media mountpoints should have the System::Shared label
to avoid access denials on multimedia items.
Bug-AGL: SPEC-2774
Change-Id: Ib9bb1b26a1950cacd5e1f384cbe19d4a4a6373d9
Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
-rw-r--r-- | meta-security/recipes-core/base-files/base-files_%.bbappend | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/meta-security/recipes-core/base-files/base-files_%.bbappend b/meta-security/recipes-core/base-files/base-files_%.bbappend index a6af1821b..f0e340f5b 100644 --- a/meta-security/recipes-core/base-files/base-files_%.bbappend +++ b/meta-security/recipes-core/base-files/base-files_%.bbappend @@ -56,6 +56,12 @@ pkg_postinst_${PN}_with-lsm-smack() { chsmack -t $D${sysconfdir} chsmack -a 'System::Shared' $D${sysconfdir} + # Same for /media. Any daemon running as "System" will get write access + # to everything. + install -d $D/media + chsmack -t $D/media + chsmack -a 'System::Shared' $D/media + # Same for /var. Any daemon running as "System" will get write access # to everything. install -d $D${localstatedir} |
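Review bot: The comment on the new /media block ("Same for /media. Any daemon running as "System" will get write access to everything.") is copied from the /var block below it and does not give the reason stated in the commit message, which is avoiding access denials on multimedia items under media mountpoints; please reword it so the rationale is in the recipe. The hunk also labels only the `$D/media` directory itself at postinst time, so coverage of the mountpoints depends on `chsmack -t` transmuting directories created under /media later. A filesystem mounted there carries its own labels or the mount's defaults rather than the mountpoint's, so it is worth confirming on a target that mounted media actually ends up as System::Shared and noting in the comment how that is ensured. Since this widens a shared, "System"-writable label to a tree holding externally supplied content, a short note on which non-System domains are expected to read it would help the next reviewer.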