Integrate parts of meta-intel-iot-security

Adds the recipes of the sub layers - meta-security-framework - meta-security-smack Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
author: José Bollo <jose.bollo@iot.bzh> 2018-01-24 11:38:43 +0100
committer: José Bollo <jose.bollo@iot.bzh> 2018-02-13 11:02:00 +0100
commit: f70d712e4f505f5c5b50ae17f4f023d20a667568 (patch)
tree: 57b0aaa702651012e1adfc07f9b6b6c580506f66 /meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch
parent: 3f962c7d202055777dd0238f12dbcf70f09ac07d (diff)
1 files changed, 106 insertions, 0 deletions
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch
new file mode 100644
index 000000000..cd6a3c90b
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch
@@ -0,0 +1,106 @@
+From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Fri, 8 Nov 2013 09:42:26 -0800
+Subject: [PATCH 5/9] tizen-smack: Handling network
+
+- Set Smack ambient to match run label
+- Set Smack netlabel host rules
+
+Set Smack ambient to match run label
+------------------------------------
+Set the Smack networking ambient label to match the
+run label of systemd. System services may expect to
+communicate with external services over IP. Setting
+the ambient label assigns that label to IP packets
+that do not include CIPSO headers. This allows systemd
+and the services it spawns access to unlabeled IP
+packets, and hence external services.
+
+A system may choose to restrict network access to
+particular services later in the startup process.
+This is easily done by resetting the ambient label
+elsewhere.
+
+Set Smack netlabel host rules
+-----------------------------
+If SMACK_RUN_LABEL is defined set all other hosts to be
+single label hosts at the specified label. Set the loopback
+address to be a CIPSO host.
+
+If any netlabel host rules are defined in /etc/smack/netlabel.d
+install them into the smackfs netlabel interface.
+
+Upstream-Status: Pending
+
+---
+ src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
+index 59f6832..33dc1ca 100644
+--- a/src/core/smack-setup.c
++++ b/src/core/smack-setup.c
+@@ -42,6 +42,7 @@
+ 
+ #define SMACK_CONFIG "/etc/smack/accesses.d/"
+ #define CIPSO_CONFIG "/etc/smack/cipso.d/"
++#define NETLABEL_CONFIG "/etc/smack/netlabel.d/"
+ 
+ #ifdef HAVE_SMACK
+ 
+@@ -146,6 +147,19 @@ int mac_smack_setup(bool *loaded_policy) {
+         if (r)
+                 log_warning("Failed to set SMACK label \"%s\" on self: %s",
+                             SMACK_RUN_LABEL, strerror(-r));
++        r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL);
++        if (r)
++                log_warning("Failed to set SMACK ambient label \"%s\": %s",
++                            SMACK_RUN_LABEL, strerror(-r));
++        r = write_string_file("/sys/fs/smackfs/netlabel",
++			      "0.0.0.0/0 " SMACK_RUN_LABEL);
++        if (r)
++                log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
++                            "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r));
++        r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO");
++        if (r)
++                log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
++                            "127.0.0.1 -CIPSO", strerror(-r));
+ #endif
+ 
+         r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
+@@ -155,14 +169,31 @@ int mac_smack_setup(bool *loaded_policy) {
+                 return 0;
+         case ENOENT:
+                 log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
+-                return 0;
++                break;
+         case 0:
+                 log_info("Successfully loaded Smack/CIPSO policies.");
+                 break;
+         default:
+                 log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
+                             strerror(abs(r)));
++                break;
++        }
++
++        r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG);
++        switch(r) {
++        case -ENOENT:
++                log_debug("Smack/CIPSO is not enabled in the kernel.");
+                 return 0;
++        case ENOENT:
++                log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found");
++                break;
++        case 0:
++                log_info("Successfully loaded Smack network host rules.");
++                break;
++        default:
++                log_warning("Failed to load Smack network host rules: %s, ignoring.",
++                            strerror(abs(r)));
++                break;
+         }
+ 
+         *loaded_policy = true;
+-- 
+1.8.4.5
+
author	José Bollo <jose.bollo@iot.bzh>	2018-01-24 11:38:43 +0100
committer	José Bollo <jose.bollo@iot.bzh>	2018-02-13 11:02:00 +0100
commit	f70d712e4f505f5c5b50ae17f4f023d20a667568 (patch)
tree	57b0aaa702651012e1adfc07f9b6b6c580506f66 /meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch
parent	3f962c7d202055777dd0238f12dbcf70f09ac07d (diff)