diff options
| author |   Jan-Simon Möller <jsmoeller@linuxfoundation.org> | 2018-02-14 10:55:35 +0100 |
|---|---|---|
| committer | Jan-Simon Möller <jsmoeller@linuxfoundation.org> | 2018-02-14 10:55:35 +0100 |
| commit | 317c8a08a6b5943517e67c5ea80b0a9a83a10d63 (patch) | |
| tree | bf2b27dc9068924b59b46d2e153936c77be954c3 /meta-security/recipes-core/base-files/base-files_%.bbappend | |
| parent | b6dc44f585b839ab1a2f0133b74958037fe1cb64 (diff) | |
| parent | c9ce37905acd879db107eafe309678053073e086 (diff) | |
Merge remote-tracking branch 'agl/sandbox/ronan/rocko' into HEAD
* agl/sandbox/ronan/rocko: (58 commits)
Update ulcb conf file
Remove unsed gstreamer backport
[GEN3] add preferred version on omx package
run-(agl-)postinst: Emit progress to console
meta-security: Remove unused content
Upgrade wayland-ivi-extension
Revert "Fix kernel gcc7 issue"
remove backport commit
Revert "Fix CVE-2017-1000364 by backporting the patches for gen3"
Remove fix for optee-os
Remove gcc 6 fix
Update rcar gen3 kernel bbappend version
Update rcar gen3 driver
Remove porter machine
dbus-cynara: Upgrade to 1.10.20
xmlsec1: switch to meta-security version
systemd: earlier smack label switch
cynara: upgrade to 0.14.10
Remove smack recipe
Integrate parts of meta-intel-iot-security
...
Bug-AGL: SPEC-1181
Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
Conflicts:
meta-app-framework/recipes-security/cynara/cynara_git.bbappend
Change-Id: I9875fcb31e960038ce6c23165c99b52a3bd1a1c0
Diffstat (limited to 'meta-security/recipes-core/base-files/base-files_%.bbappend')
| -rw-r--r-- | meta-security/recipes-core/base-files/base-files_%.bbappend | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/meta-security/recipes-core/base-files/base-files_%.bbappend b/meta-security/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 000000000..a6af1821b --- /dev/null +++ b/meta-security/recipes-core/base-files/base-files_%.bbappend @@ -0,0 +1,73 @@ +# Install default Smack rules, copied from a running Tizen IVI 3.0. +# Corresponds to manifest file from default-access-domains in Tizen: +# https://review.tizen.org/git?p=platform/core/security/default-ac-domains.git;a=blob;f=packaging/default-ac-domains.manifest +do_install_append_with-lsm-smack () { + install -d ${D}/${sysconfdir}/smack/accesses.d + cat >${D}/${sysconfdir}/smack/accesses.d/default-access-domains <<EOF +System _ -----l +System System::Log rwxa-- +System System::Run rwxat- +System System::Shared rwxat- +System ^ rwxa-- +_ System::Run rwxat- +_ System -wx--- +^ System::Log rwxa-- +^ System::Run rwxat- +^ System rwxa-- +EOF + chmod 0644 ${D}/${sysconfdir}/smack/accesses.d/default-access-domains + + install -d ${D}/${libdir}/tmpfiles.d + cat >${D}/${libdir}/tmpfiles.d/packet-forwarding.conf <<EOF +t /proc/sys/net/ipv4/conf/all/forwarding - - - - security.SMACK64=* +t /proc/sys/net/ipv6/conf/all/forwarding - - - - security.SMACK64=* +t /proc/sys/net/ipv4/conf/default/forwarding - - - - security.SMACK64=* +t /proc/sys/net/ipv6/conf/default/forwarding - - - - security.SMACK64=* +EOF + chmod 0644 ${D}/${libdir}/tmpfiles.d/packet-forwarding.conf + + install -d ${D}/${base_libdir}/udev/rules.d + cat >${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules <<EOF +SUBSYSTEM=="net", ENV{ID_NET_NAME}=="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/%k/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/%k/*'" + +SUBSYSTEM=="net", ENV{ID_NET_NAME}!="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/\$env{ID_NET_NAME}/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/\$env{ID_NET_NAME}/*'" +EOF + chmod 0644 ${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules +} + +# Do not rely on an rpm with manifest support. Apparently that approach +# will no longer be used in Tizen 3.0. Instead set special Smack attributes +# via postinst. This is much easier to use with bitbake, too: +# - no need to maintain a patched rpm +# - works for directories which are not packaged by default when empty +RDEPENDS_${PN}_append_with-lsm-smack = " smack" +DEPENDS_append_with-lsm-smack = " smack-native" +pkg_postinst_${PN}_with-lsm-smack() { + #!/bin/sh -e + + # https://review.tizen.org/gerrit/gitweb?p=platform/upstream/filesystem.git;a=blob;f=packaging/filesystem.manifest: + # <filesystem path="/etc" label="System::Shared" type="transmutable" /> + install -d $D${sysconfdir} + # This has no effect on files installed into /etc during image construction + # because pseudo does not know the special semantic of SMACK::TRANSMUTE. + # To avoid having different xattrs on files inside /etc when pre-installed + # in an image vs. installed on a device, the xattr-images.bbclass has + # a workaround for this deficiency in pseudo. + chsmack -t $D${sysconfdir} + chsmack -a 'System::Shared' $D${sysconfdir} + + # Same for /var. Any daemon running as "System" will get write access + # to everything. + install -d $D${localstatedir} + chsmack -t $D${localstatedir} + chsmack -a 'System::Shared' $D${localstatedir} + + # <filesystem path="/tmp" label="*" /> + mkdir -p $D/tmp + chsmack -a '*' $D/tmp + + # <filesystem path="/var/log" label="System::Log" type="transmutable" /> + # <filesystem path="/var/tmp" label="*" /> + # These are in a file system mounted by systemd. We patch the systemd service + # to set these attributes. +} |