author | José Bollo <jose.bollo@iot.bzh> | 2018-12-12 12:03:43 +0100 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2018-12-14 19:32:40 +0000 |
commit | f11a3e7653777ad4342e615f47ec4a5417a2fa96 (patch) | |
tree | 3358a5e21ef0f36a4e59dc0a189d19bb1bfd9167 /meta-security/recipes-core/smack-system-setup | |
parent | 629062a55c41e8993761edf4a2a44400b72a6b91 (diff) |
systemd: Refactor build using smack-system-setup
This changes introduces the new recipe
meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb
The purpose is to split the recipe of systemd in two
parts:
- A part specific to systemd and only systemd
It actually includes Smack patches for systemd
and a renaming of udev-rules.
- A part more oriented on putting the system in
order to run with Smack activated.
At the end, it will probably save many rebuilds as
systemd recipe will evolve less in relation with the
setup of the system.
As example, the udev rule file "55-udev-smack-default.rules"
that setup udev rules specific to smack is no more brought
by systemd but by smack-system-setup.
Also at the same time, some cleanup and refactoring is
done. Note that the ".bbappend" file for systemd is
now fixed in version and includes a common file
that records the several known versions. No cleanup was
made on the versioned patch for the sake of memory.
The cleanup of the history is to be achieved later...
Bug-AGL: SPEC-2045
Change-Id: Iacf772142a381729dfdbe98d133a3effc4d6cf68
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-security/recipes-core/smack-system-setup')
5 files changed, 81 insertions, 0 deletions
diff --git a/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules b/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules
new file mode 100644
index 000000000..3829019de
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules
@@ -0,0 +1,23 @@
+# do not edit this file, it will be overwritten on update
+
+KERNEL=="null", SECLABEL{smack}="*"
+KERNEL=="zero", SECLABEL{smack}="*"
+KERNEL=="console", SECLABEL{smack}="*"
+KERNEL=="kmsg", SECLABEL{smack}="*"
+KERNEL=="video*", SECLABEL{smack}="*"
+KERNEL=="card*", SECLABEL{smack}="*"
+KERNEL=="ptmx", SECLABEL{smack}="*"
+KERNEL=="tty", SECLABEL{smack}="*"
+
+SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
+SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
+SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
+
+SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
+SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
+SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
+SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
+KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
+
+SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
+SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"
diff --git a/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf b/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf
new file mode 100644
index 000000000..7035a1410
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf
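Review bot: The header of 55-udev-smack-default.rules only says "do not edit" and never explains what `SECLABEL{smack}="*"` grants, although every rule in the file uses it; the star object label makes a node accessible to every Smack subject, so after these rules the GROUP/MODE bits are the only remaining restriction on those devices. A reader adding a line here should see that stated, e.g. `# "*" is the Smack star object label: any subject may access the node, so only the GROUP/MODE (DAC) bits still restrict it.` With that in mind, the dialout line and the unqualified `KERNEL=="card*"` / `KERNEL=="video*"` matches deserve a second look, since they may label more nodes than the graphics and V4L devices presumably intended. If these rules are carried over verbatim from the systemd recipe, a comment naming that origin would help future diffs against upstream.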
@@ -0,0 +1,16 @@
+# Run systemd-journald with the hat ("^") Smack label.
+#
+# The journal daemon needs global read access to gather information
+# about the services spawned by systemd. The hat label is intended
+# for this purpose. The journal daemon is the only part of the
+# System domain that needs read access to the User domain. Giving
+# the journal daemon the hat label means that we can remove the
+# System domain's read access to the User domain and we can avoid
+# hard-coding a specific label name for that domain.
+#
+# Original author: Casey Schaufler <casey@schaufler-ca.com>
+#
+# This is considered a configuration change and thus distro specific.
+[Service]
+SmackProcessLabel=^
+
diff --git a/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf b/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf
new file mode 100644
index 000000000..db43c8c51
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)'
diff --git a/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf
new file mode 100644
index 000000000..388986e82
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf
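Review bot: The `/var/log` guard in the ExecStartPost line of systemd-tmpfiles-setup.service.conf does not cover the second chsmack call: `||` and `&&` bind equally and left-to-right in sh, so the expression parses as `([ ! -d /var/log ] || chsmack -a ...) && chsmack -L -t /var/log`, and on a system without /var/log the transmute call still runs against the missing directory, fails, and marks systemd-tmpfiles-setup as failed. Parenthesize the pair so the guard applies to both: `([ ! -d /var/log ] || (chsmack -L -a System::Log /var/log && chsmack -L -t /var/log))`. If chsmack accepts both attributes in one invocation, `chsmack -L -a System::Log -t /var/log` is the simpler form, but verify that with the packaged chsmack first. The `/var/tmp` half is fine as written since it has a single command.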
@@ -0,0 +1,12 @@
+# Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>.
+# Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664),
+# but it was removed again (https://github.com/systemd/systemd/issues/1696) because
+# util-linux mount will ignore smackfsroot when Smack is not active. However,
+# busybox is not that intelligent.
+#
+# When using busybox mount, adding smackfsroot=* and booting without
+# Smack (i.e. security=none), tmp.mount will fail with an error about
+# "Bad mount option smackfsroot".
+[Mount]
+Options=smackfsroot=*
+
diff --git a/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb b/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb
new file mode 100644
index 000000000..49b12ad3f
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb
@@ -0,0 +1,28 @@
+DESCRIPTION = "setup of a system using smack"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRC_URI = "\
+ file://55-udev-smack-default.rules \
+ file://systemd-journald.service.conf \
+ file://systemd-tmpfiles-setup.service.conf \
+ file://tmp.mount.conf \
+"
+
+RDEPENDS_${PN}_append_with-lsm-smack = " smack"
+
+do_install_append_with-lsm-smack() {
+ # tuning systemd units
+ install -Dm0644 ${WORKDIR}/systemd-tmpfiles-setup.service.conf \
+ ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf
+ install -Dm0644 ${WORKDIR}/systemd-journald.service.conf \
+ ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf
+ install -Dm0644 ${WORKDIR}/tmp.mount.conf \
+ ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf
+
+ # add udev rules
+ install -Dm0644 ${WORKDIR}/55-udev-smack-default.rules \
+ ${D}${sysconfdir}/udev/rules.d/55-udev-smack-default.rules
+}
+
+FILES_${PN} += "${systemd_unitdir}"
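Review bot: `Options=smackfsroot=*` in the tmp.mount.conf drop-in most likely replaces the `Options=` line of the upstream tmp.mount unit rather than appending to it, since a mount unit's `Options=` is a single option string and not a list setting; if so, the hardening options upstream sets for /tmp (to my recollection `nosuid,nodev` alongside `mode=1777,strictatime` in releases of this era) are silently dropped exactly when Smack is enabled. Please check the pinned systemd version's tmp.mount and carry its option list over, e.g. `Options=mode=1777,strictatime,nosuid,nodev,smackfsroot=*`, adjusted to what that version actually ships. A one-line comment above the setting recording that the list mirrors upstream would keep the two from drifting on the next systemd bump. The comment header also has a typo, "accessable" for "accessible".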
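Review bot: In smack-system-setup_1.bb the udev rule is installed under `${D}${sysconfdir}/udev/rules.d`, yet the rule file's own header says it must not be edited and will be overwritten on update; /etc/udev/rules.d is the location for administrator overrides, and files placed there are conventionally treated as local configuration. Packaged distro rules belong in `${D}${nonarch_base_libdir}/udev/rules.d/55-udev-smack-default.rules`, which also leaves /etc free for a site-specific override with the same name. If /etc is intentional, add a comment saying why and consider listing the file in `CONFFILES_${PN}` so upgrades behave predictably. `FILES_${PN} += "${systemd_unitdir}"` claims the whole unit directory where `${systemd_unitdir}/system/*/smack.conf` would state the intent more precisely, though it works as written.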