authorJan-Simon Moeller <jsmoeller@linuxfoundation.org>2020-12-08 11:12:45 +0100
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2020-12-17 13:59:52 +0000
commit1c3c06842ac1b9c089d0a08e91c60f44e4844fac (patch)
tree21e97368be8f78a3e76b66dfda24c1d5e774519f /meta-security/recipes-core/systemd
parentc1e048fc05542d859115990312e0753ce2dea72e (diff)
SPEC-3723: restructure meta-agl
Goal is to reach a minimal meta-agl-core as base for IVI and IC work at the same time. Trim dependencies and move most 'demo' related recipes to meta-agl-demo. v2: changed to bbappend + .inc , added description v3: testbuild of all images v4: restore -test packagegroup and -qa images, compare manifests and adapt packagegroups. v5: rebased v6: merged meta-agl-distro into meta-agl-core, due to dependency on meta-oe, moved -test packagegroup and -qa images to own layer meta-agl-core-test v7: Fixed comments from Paul Barker v8: Update the markdown files v9: restore wayland/weston/agl-compositor recipes/appends, reworked to move app f/w specific changes to bbappends in meta-app-framework and only demo specific weston-init changes to meta-agl-demo v10: fix s/agldemo/aglcore/ missed in weston-init.bbappend Description: This patch is part 1 out of 2 large patches that implement the layer rework discussed during the previous workshop. Essentially meta-agl-core is the small but versatile new core layer of AGL serving as basis for the work done by the IC and IVI EGs. All demo related work is moved to meta-agl-demo in the 2nd patchset. This should be applied together as atomic change. The resulting meta-agl/* follows these guidelines: - only bsp adaptations in meta-agl-bsp - remove the agl-profile-* layers for simplicity -- the packagegroup-agl(-profile)-graphical and so on have been kept in meta-agl-demo - meta-agl-profile-core is now meta-agl-core - meta-agl-core does pass yocto-check-layer -- therefore use the bbappend + conditional + .inc file construct found in meta-virtualization - meta-agl/meta-security has been merged into meta-agl/meta-app-framework - meta-netboot does pass yocto-check-layer - meta-pipewire does pass yocto-check-layer Migration: All packagegroups are preserved but they're now enabled by 'agl-demo'. 
Bug-AGL: SPEC-3723 Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: Ia6c6e5e6ce2b4ffa69ea94959cdc57c310ba7c53 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/25769
Diffstat (limited to 'meta-security/recipes-core/systemd')
-rw-r--r--meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch52
-rw-r--r--meta-security/recipes-core/systemd/systemd_2%.bbappend40
2 files changed, 0 insertions, 92 deletions
diff --git a/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch b/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
deleted file mode 100644
index 46445be73..000000000
--- a/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 6cc74075797edb6f698cb7f312bb1c3d8cc6cb28 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 12 Oct 2017 17:17:56 +0200
-Subject: [PATCH] Switch Smack label earlier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Switching label after removing capability isn't
-possible.
-
-Change-Id: Ib7dac8f071f36119520ed3205d743c1e3df3cd5e
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- src/core/execute.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/src/core/execute.c b/src/core/execute.c
-index d72e5bf08..0abffd569 100644
---- a/src/core/execute.c
-+++ b/src/core/execute.c
-@@ -2707,6 +2707,13 @@ static int exec_child(
- }
- }
-
-+ r = setup_smack(context, command);
-+ if (r < 0) {
-+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
-+ *error_message = strdup("Failed to set SMACK process label");
-+ return r;
-+ }
-+
- if (!cap_test_all(context->capability_bounding_set)) {
- r = capability_bounding_set_drop(context->capability_bounding_set, false);
- if (r < 0) {
-@@ -2775,13 +2782,6 @@ static int exec_child(
- }
- #endif
-
-- r = setup_smack(context, command);
-- if (r < 0) {
-- *exit_status = EXIT_SMACK_PROCESS_LABEL;
-- *error_message = strdup("Failed to set SMACK process label");
-- return r;
-- }
--
- #ifdef HAVE_APPARMOR
- if (context->apparmor_profile && mac_apparmor_use()) {
- r = aa_change_onexec(context->apparmor_profile);
---
-2.14.3
-
diff --git a/meta-security/recipes-core/systemd/systemd_2%.bbappend b/meta-security/recipes-core/systemd/systemd_2%.bbappend
deleted file mode 100644
index 789c05f83..000000000
--- a/meta-security/recipes-core/systemd/systemd_2%.bbappend
+++ /dev/null
@@ -1,40 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-# Ensures systemd runs with label "System"
-EXTRA_OEMESON_append_with-lsm-smack = " -Dsmack-run-label=System"
-
-##################################################################################
-# Maintaining trivial, non-upstreamable configuration changes as patches
-# is tedious. But in same cases (like early mounting of special directories)
-# the configuration has to be in code. We make these changes here directly.
-##################################################################################
-do_patch[prefuncs] += "patch_systemd"
-do_patch[vardeps] += "patch_systemd"
-patch_systemd() {
- # Handling of /run and /sys/fs/cgroup. Make /run a transmuting directory to
- # enable systemd communications with services in the User domain.
- # Original patch by Michael Demeter <michael.demeter@intel.com>.
- #
- # We simplify the patching by touching only lines which check the result of
- # mac_smack_use(). Those are the ones which are used when Smack is active.
- #
- # smackfsroot=* on /sys/fs/cgroup may be upstreamable, but smackfstransmute=System::Run
- # is too distro specific (depends on Smack rules) and thus has to remain here.
- sed -i -e 's;\("/sys/fs/cgroup", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfsroot=*\2;' \
- -e 's;\("/run", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfstransmute=System::Run\2;' \
- ${S}/src/core/mount-setup.c
-}
-
-##################################################################################
-# What follows is temporary.
-# This is a solution to the Bug-AGL SPEC-539
-# (see https://jira.automotivelinux.org/browse/SPEC-539).
-#
-# It renames the file "touchscreen.rules" to "55-touchscreen.rules"
-# This comes with the recipe systemd_230/234 of poky (meta/recipes-core/systemd)
-# It should be removed when poky changes.
-##################################################################################
-do_install_prepend() {
- mv ${WORKDIR}/touchscreen.rules ${WORKDIR}/55-touchscreen.rules || true
-}
-