diff options
| author |   Jan-Simon Möller <jsmoeller@linuxfoundation.org> | 2018-02-14 10:55:35 +0100 |
|---|---|---|
| committer | Jan-Simon Möller <jsmoeller@linuxfoundation.org> | 2018-02-14 10:55:35 +0100 |
| commit | 317c8a08a6b5943517e67c5ea80b0a9a83a10d63 (patch) | |
| tree | bf2b27dc9068924b59b46d2e153936c77be954c3 /meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch | |
| parent | b6dc44f585b839ab1a2f0133b74958037fe1cb64 (diff) | |
| parent | c9ce37905acd879db107eafe309678053073e086 (diff) | |
Merge remote-tracking branch 'agl/sandbox/ronan/rocko' into HEAD
* agl/sandbox/ronan/rocko: (58 commits)
Update ulcb conf file
Remove unsed gstreamer backport
[GEN3] add preferred version on omx package
run-(agl-)postinst: Emit progress to console
meta-security: Remove unused content
Upgrade wayland-ivi-extension
Revert "Fix kernel gcc7 issue"
remove backport commit
Revert "Fix CVE-2017-1000364 by backporting the patches for gen3"
Remove fix for optee-os
Remove gcc 6 fix
Update rcar gen3 kernel bbappend version
Update rcar gen3 driver
Remove porter machine
dbus-cynara: Upgrade to 1.10.20
xmlsec1: switch to meta-security version
systemd: earlier smack label switch
cynara: upgrade to 0.14.10
Remove smack recipe
Integrate parts of meta-intel-iot-security
...
Bug-AGL: SPEC-1181
Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
Conflicts:
meta-app-framework/recipes-security/cynara/cynara_git.bbappend
Change-Id: I9875fcb31e960038ce6c23165c99b52a3bd1a1c0
Diffstat (limited to 'meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch')
| -rw-r--r-- | meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch new file mode 100644 index 000000000..dd2c6542e --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch @@ -0,0 +1,41 @@ +From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001 +From: Casey Schaufler <casey@schaufler-ca.com> +Date: Thu, 19 Dec 2013 16:49:28 -0800 +Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^ + +Run systemd-journald with the hat ("^") Smack label. + +The journal daemon needs global read access to gather information +about the services spawned by systemd. The hat label is intended +for this purpose. The journal daemon is the only part of the +System domain that needs read access to the User domain. Giving +the journal daemon the hat label means that we can remove the +System domain's read access to the User domain. + +Upstream-Status: Inappropriate [configuration] + +Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370 +Signed-off-by: Casey Schaufler <casey.schaufler@intel.com> +--- + units/systemd-journald.service.in | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index a3540c6..745dd84 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -20,8 +20,10 @@ Restart=always + RestartSec=0 + NotifyAccess=all + StandardOutput=null ++SmackProcessLabel=^ +-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID ++CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE + WatchdogSec=1min ++FileDescriptorStoreMax=1024 + + # Increase the default a bit in order to allow many simultaneous + # services being run since we keep one fd open per service. +-- +1.8.4.5 + |