summaryrefslogtreecommitdiffstats
path: root/meta-security/recipes-core/base-files
diff options
context:
space:
mode:
authorJan-Simon Möller <jsmoeller@linuxfoundation.org>2018-02-14 10:55:35 +0100
committerJan-Simon Möller <jsmoeller@linuxfoundation.org>2018-02-14 10:55:35 +0100
commit317c8a08a6b5943517e67c5ea80b0a9a83a10d63 (patch)
treebf2b27dc9068924b59b46d2e153936c77be954c3 /meta-security/recipes-core/base-files
parentb6dc44f585b839ab1a2f0133b74958037fe1cb64 (diff)
parentc9ce37905acd879db107eafe309678053073e086 (diff)
Merge remote-tracking branch 'agl/sandbox/ronan/rocko' into HEAD
* agl/sandbox/ronan/rocko: (58 commits) Update ulcb conf file Remove unsed gstreamer backport [GEN3] add preferred version on omx package run-(agl-)postinst: Emit progress to console meta-security: Remove unused content Upgrade wayland-ivi-extension Revert "Fix kernel gcc7 issue" remove backport commit Revert "Fix CVE-2017-1000364 by backporting the patches for gen3" Remove fix for optee-os Remove gcc 6 fix Update rcar gen3 kernel bbappend version Update rcar gen3 driver Remove porter machine dbus-cynara: Upgrade to 1.10.20 xmlsec1: switch to meta-security version systemd: earlier smack label switch cynara: upgrade to 0.14.10 Remove smack recipe Integrate parts of meta-intel-iot-security ... Bug-AGL: SPEC-1181 Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org> Conflicts: meta-app-framework/recipes-security/cynara/cynara_git.bbappend Change-Id: I9875fcb31e960038ce6c23165c99b52a3bd1a1c0
Diffstat (limited to 'meta-security/recipes-core/base-files')
-rw-r--r--meta-security/recipes-core/base-files/base-files_%.bbappend73
1 files changed, 73 insertions, 0 deletions
diff --git a/meta-security/recipes-core/base-files/base-files_%.bbappend b/meta-security/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 000000000..a6af1821b
--- /dev/null
+++ b/meta-security/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,73 @@
+# Install default Smack rules, copied from a running Tizen IVI 3.0.
+# Corresponds to manifest file from default-access-domains in Tizen:
+# https://review.tizen.org/git?p=platform/core/security/default-ac-domains.git;a=blob;f=packaging/default-ac-domains.manifest
+do_install_append_with-lsm-smack () {
+ install -d ${D}/${sysconfdir}/smack/accesses.d
+ cat >${D}/${sysconfdir}/smack/accesses.d/default-access-domains <<EOF
+System _ -----l
+System System::Log rwxa--
+System System::Run rwxat-
+System System::Shared rwxat-
+System ^ rwxa--
+_ System::Run rwxat-
+_ System -wx---
+^ System::Log rwxa--
+^ System::Run rwxat-
+^ System rwxa--
+EOF
+ chmod 0644 ${D}/${sysconfdir}/smack/accesses.d/default-access-domains
+
+ install -d ${D}/${libdir}/tmpfiles.d
+ cat >${D}/${libdir}/tmpfiles.d/packet-forwarding.conf <<EOF
+t /proc/sys/net/ipv4/conf/all/forwarding - - - - security.SMACK64=*
+t /proc/sys/net/ipv6/conf/all/forwarding - - - - security.SMACK64=*
+t /proc/sys/net/ipv4/conf/default/forwarding - - - - security.SMACK64=*
+t /proc/sys/net/ipv6/conf/default/forwarding - - - - security.SMACK64=*
+EOF
+ chmod 0644 ${D}/${libdir}/tmpfiles.d/packet-forwarding.conf
+
+ install -d ${D}/${base_libdir}/udev/rules.d
+ cat >${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules <<EOF
+SUBSYSTEM=="net", ENV{ID_NET_NAME}=="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/%k/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/%k/*'"
+
+SUBSYSTEM=="net", ENV{ID_NET_NAME}!="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/\$env{ID_NET_NAME}/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/\$env{ID_NET_NAME}/*'"
+EOF
+ chmod 0644 ${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules
+}
+
+# Do not rely on an rpm with manifest support. Apparently that approach
+# will no longer be used in Tizen 3.0. Instead set special Smack attributes
+# via postinst. This is much easier to use with bitbake, too:
+# - no need to maintain a patched rpm
+# - works for directories which are not packaged by default when empty
+RDEPENDS_${PN}_append_with-lsm-smack = " smack"
+DEPENDS_append_with-lsm-smack = " smack-native"
+pkg_postinst_${PN}_with-lsm-smack() {
+ #!/bin/sh -e
+
+ # https://review.tizen.org/gerrit/gitweb?p=platform/upstream/filesystem.git;a=blob;f=packaging/filesystem.manifest:
+ # <filesystem path="/etc" label="System::Shared" type="transmutable" />
+ install -d $D${sysconfdir}
+ # This has no effect on files installed into /etc during image construction
+ # because pseudo does not know the special semantic of SMACK::TRANSMUTE.
+ # To avoid having different xattrs on files inside /etc when pre-installed
+ # in an image vs. installed on a device, the xattr-images.bbclass has
+ # a workaround for this deficiency in pseudo.
+ chsmack -t $D${sysconfdir}
+ chsmack -a 'System::Shared' $D${sysconfdir}
+
+ # Same for /var. Any daemon running as "System" will get write access
+ # to everything.
+ install -d $D${localstatedir}
+ chsmack -t $D${localstatedir}
+ chsmack -a 'System::Shared' $D${localstatedir}
+
+ # <filesystem path="/tmp" label="*" />
+ mkdir -p $D/tmp
+ chsmack -a '*' $D/tmp
+
+ # <filesystem path="/var/log" label="System::Log" type="transmutable" />
+ # <filesystem path="/var/tmp" label="*" />
+ # These are in a file system mounted by systemd. We patch the systemd service
+ # to set these attributes.
+}