author | José Bollo <jose.bollo@iot.bzh> | 2018-12-12 14:27:48 +0100 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2018-12-18 10:54:16 +0100 |
commit | d9d7eb20d17acde2f4e3826736ad45fa6d441837 (patch) | |
tree | 8c461440b3728eb37d1930c6e1bebdab921ff4b5 /meta-security | |
parent | c888e1c4dce2ee70521b7cf6e8ec8ec60a7aeea1 (diff) |
connman+bluez5: Update rights for smack systems
Reading the file /etc/resolv.conf that is linked to
/run/connman/resolv.conf is not possible for common users.
These changes add the setting of the directory /run/connman
that allows common applications to read that file.
To achieve this goal, these changes use the intended
tuning mechanism of systemd instead of using sed.
This is cleaner. Thus this has been adapted for bluez5 too.
Bug-AGL: SPEC-2006
Change-Id: I3d2a708be2a5c62664bfcf90757e9e5c080d6179
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-security')
4 files changed, 26 insertions, 18 deletions
diff --git a/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend b/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
index c62842d5b..3767681b0 100644
--- a/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
+++ b/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
@@ -42,14 +42,14 @@
 # The related patch has been submitted to upstream too.
 # upstream link: http://permalink.gmane.org/gmane.linux.bluez.kernel/67993
-FIX_BLUEZ5_CAPABILITIES ??= ""
-FIX_BLUEZ5_CAPABILITIES_with-lsm-smack ??= "fix_bluez5_capabilities"
-do_install[postfuncs] += "${FIX_BLUEZ5_CAPABILITIES}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-fix_bluez5_capabilities () {
- service="${D}/${systemd_unitdir}/system/bluetooth.service"
- if [ -f "$service" ] &&
- grep -q '^CapabilityBoundingSet=' "$service"; then
- sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
- fi
+SRC_URI_append_with-lsm-smack = "\
+ file://bluetooth.service.conf \
+"
+
+FILES_${PN} += "${systemd_unitdir}"
+
+do_install_append_with-lsm-smack() {
+ install -Dm0644 ${WORKDIR}/bluetooth.service.conf ${D}${systemd_unitdir}/system/bluetooth.service.d/smack.conf
 }
diff --git a/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf b/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf
new file mode 100644
index 000000000..b93ab4fee
--- /dev/null
+++ b/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf
@@ -0,0 +1,2 @@
+[Service]
+CapabilityBoundingSet=CAP_MAC_OVERRIDE
diff --git a/meta-security/recipes-connectivity/connman/connman_%.bbappend b/meta-security/recipes-connectivity/connman/connman_%.bbappend
index f66c1e79b..3b010490d 100644
--- a/meta-security/recipes-connectivity/connman/connman_%.bbappend
+++ b/meta-security/recipes-connectivity/connman/connman_%.bbappend
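Review bot: The drop-in installed by `do_install_append_with-lsm-smack` is applied unconditionally, whereas the removed `fix_bluez5_capabilities` only edited the unit when `grep -q '^CapabilityBoundingSet='` matched. systemd merges repeated CapabilityBoundingSet= settings, so the result equals the old sed only if the packaged bluetooth.service sets a bounding set itself; if it does not, the drop-in would confine the daemon to CAP_MAC_OVERRIDE alone instead of adding it, which deserves a comment such as `# merged with the CapabilityBoundingSet= of the upstream unit; revisit if upstream drops that line`. `FILES_${PN} += "${systemd_unitdir}"` is also added for every configuration and claims the whole unit directory, while the only file this bbappend installs there is Smack-specific; `FILES_${PN}_append_with-lsm-smack = " ${systemd_unitdir}/system/bluetooth.service.d"` would be narrower and keep the bbappend inert without Smack. Both points apply equally to the connman bbappend hunk below.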
@@ -19,14 +19,16 @@
 # in which connmand runs, this change is not submitted upstream
 # and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES.
-FIX_CONNMAN_CAPABILITIES ??= ""
-FIX_CONNMAN_CAPABILITIES_with-lsm-smack ??= "fix_connman_capabilities"
-do_install[postfuncs] += "${FIX_CONNMAN_CAPABILITIES}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-fix_connman_capabilities () {
- service="${D}/${systemd_unitdir}/system/connman.service"
- if [ -f "$service" ] &&
- grep -q '^CapabilityBoundingSet=' "$service"; then
- sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
- fi
+SRC_URI_append_with-lsm-smack = "\
+ file://connman.service.conf \
+"
+
+RDEPENDS_${PN}_append_with-lsm-smack = " smack"
+
+FILES_${PN} += "${systemd_unitdir}"
+
+do_install_append_with-lsm-smack() {
+ install -Dm0644 ${WORKDIR}/connman.service.conf ${D}${systemd_unitdir}/system/connman.service.d/smack.conf
 }
diff --git a/meta-security/recipes-connectivity/connman/files/connman.service.conf b/meta-security/recipes-connectivity/connman/files/connman.service.conf
new file mode 100644
index 000000000..6ebbf6ad1
--- /dev/null
+++ b/meta-security/recipes-connectivity/connman/files/connman.service.conf
@@ -0,0 +1,4 @@
+[Service]
+CapabilityBoundingSet=CAP_MAC_OVERRIDE
+ExecStartPre=+-/bin/mkdir -p /run/connman
+ExecStartPre=+-/usr/bin/chsmack -t -a System::Shared /run/connman |
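Review bot: The retained context line `# and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES.` now names a variable this hunk deletes, so the comment is stale as of this change. It should describe the replacement mechanism instead, e.g. `# and it can be overridden by a distro by shipping its own connman.service.conf via FILESEXTRAPATHS.` The comment block this line belongs to starts before the hunk, so the preceding sentence may need the same check.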
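Review bot: The `-` prefix on the `chsmack` line means a failed relabel is ignored and connman still starts, so /run/connman would keep whatever label mkdir gave it and the resolv.conf the commit wants readable would stay unreadable, with nothing reported; either drop the `-` so the unit fails visibly, `ExecStartPre=+/usr/bin/chsmack -t -a System::Shared /run/connman`, or add a comment stating why a relabel failure is tolerated. A short comment on the `-t` flag would also help readers, e.g. `# -t (transmute): files later created in this directory, such as resolv.conf, take the directory label when the access rule permits it`. The `+` prefix runs both commands with full root privileges, bypassing the unit's own user and capability settings, which a relabel needs but is worth stating next to the lines as well.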