diff options
| author |   Jan-Simon Möller <jsmoeller@linuxfoundation.org> | 2018-02-14 10:55:35 +0100 |
|---|---|---|
| committer | Jan-Simon Möller <jsmoeller@linuxfoundation.org> | 2018-02-14 10:55:35 +0100 |
| commit | 317c8a08a6b5943517e67c5ea80b0a9a83a10d63 (patch) | |
| tree | bf2b27dc9068924b59b46d2e153936c77be954c3 /meta-security/recipes-connectivity/connman/connman_%.bbappend | |
| parent | b6dc44f585b839ab1a2f0133b74958037fe1cb64 (diff) | |
| parent | c9ce37905acd879db107eafe309678053073e086 (diff) | |
Merge remote-tracking branch 'agl/sandbox/ronan/rocko' into HEAD
* agl/sandbox/ronan/rocko: (58 commits)
Update ulcb conf file
Remove unsed gstreamer backport
[GEN3] add preferred version on omx package
run-(agl-)postinst: Emit progress to console
meta-security: Remove unused content
Upgrade wayland-ivi-extension
Revert "Fix kernel gcc7 issue"
remove backport commit
Revert "Fix CVE-2017-1000364 by backporting the patches for gen3"
Remove fix for optee-os
Remove gcc 6 fix
Update rcar gen3 kernel bbappend version
Update rcar gen3 driver
Remove porter machine
dbus-cynara: Upgrade to 1.10.20
xmlsec1: switch to meta-security version
systemd: earlier smack label switch
cynara: upgrade to 0.14.10
Remove smack recipe
Integrate parts of meta-intel-iot-security
...
Bug-AGL: SPEC-1181
Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
Conflicts:
meta-app-framework/recipes-security/cynara/cynara_git.bbappend
Change-Id: I9875fcb31e960038ce6c23165c99b52a3bd1a1c0
Diffstat (limited to 'meta-security/recipes-connectivity/connman/connman_%.bbappend')
| -rw-r--r-- | meta-security/recipes-connectivity/connman/connman_%.bbappend | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/meta-security/recipes-connectivity/connman/connman_%.bbappend b/meta-security/recipes-connectivity/connman/connman_%.bbappend new file mode 100644 index 000000000..f66c1e79b --- /dev/null +++ b/meta-security/recipes-connectivity/connman/connman_%.bbappend @@ -0,0 +1,32 @@ +# Recent ConnMan releases started limiting the capabilities of +# ConnMan. When running on a Smack-enabled system, that change has the +# effect that connmand can no longer change network settings under +# /proc/net because the Smack label of /proc is "_", and connmand +# running with label "System" has no write access to that. +# +# It works when running as normal root with unrestricted capabilities +# because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows +# the process to ignore Smack rules. +# +# We need to ensure that connmand still has that capability. +# +# The alternative would be to set up fine-grained labelling of +# /proc with corresponding rules, which is considerably more work +# and also may depend on kernel changes (like supporting smackfsroot +# for procfs, which seems to be missing at the moment). +# +# Because the solution is to some extend specific to the environment +# in which connmand runs, this change is not submitted upstream +# and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES. + +FIX_CONNMAN_CAPABILITIES ??= "" +FIX_CONNMAN_CAPABILITIES_with-lsm-smack ??= "fix_connman_capabilities" +do_install[postfuncs] += "${FIX_CONNMAN_CAPABILITIES}" + +fix_connman_capabilities () { + service="${D}/${systemd_unitdir}/system/connman.service" + if [ -f "$service" ] && + grep -q '^CapabilityBoundingSet=' "$service"; then + sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service" + fi +} |