authorJosé Bollo <jose.bollo@iot.bzh>2018-12-12 14:27:48 +0100
committerJosé Bollo <jose.bollo@iot.bzh>2018-12-18 10:54:16 +0100
commitd9d7eb20d17acde2f4e3826736ad45fa6d441837 (patch)
tree8c461440b3728eb37d1930c6e1bebdab921ff4b5 /meta-security
parentc888e1c4dce2ee70521b7cf6e8ec8ec60a7aeea1 (diff)
connman+bluez5: Update rights for smack systems
Reading the file /etc/resolv.conf, which is linked to /run/connman/resolv.conf, is not possible for common users. This change adds a setting on the directory /run/connman that allows common applications to read that file. To achieve this goal, the change uses the intended tuning mechanism of systemd instead of sed. This is cleaner, so the same approach has been adapted for bluez5 too. Bug-AGL: SPEC-2006 Change-Id: I3d2a708be2a5c62664bfcf90757e9e5c080d6179 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-security')
-rw-r--r--meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend18
-rw-r--r--meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf2
-rw-r--r--meta-security/recipes-connectivity/connman/connman_%.bbappend20
-rw-r--r--meta-security/recipes-connectivity/connman/files/connman.service.conf4
4 files changed, 26 insertions, 18 deletions
diff --git a/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend b/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
index c62842d5b..3767681b0 100644
--- a/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
+++ b/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
@@ -42,14 +42,14 @@
# The related patch has been submitted to upstream too.
# upstream link: http://permalink.gmane.org/gmane.linux.bluez.kernel/67993
-FIX_BLUEZ5_CAPABILITIES ??= ""
-FIX_BLUEZ5_CAPABILITIES_with-lsm-smack ??= "fix_bluez5_capabilities"
-do_install[postfuncs] += "${FIX_BLUEZ5_CAPABILITIES}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-fix_bluez5_capabilities () {
- service="${D}/${systemd_unitdir}/system/bluetooth.service"
- if [ -f "$service" ] &&
- grep -q '^CapabilityBoundingSet=' "$service"; then
- sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
- fi
+SRC_URI_append_with-lsm-smack = "\
+ file://bluetooth.service.conf \
+"
+
+FILES_${PN} += "${systemd_unitdir}"
+
+do_install_append_with-lsm-smack() {
+ install -Dm0644 ${WORKDIR}/bluetooth.service.conf ${D}${systemd_unitdir}/system/bluetooth.service.d/smack.conf
}
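Review bot: `FILES_${PN} += "${systemd_unitdir}"` packages the whole systemd unit tree into the main package and does so unconditionally, while the only file this append installs is the drop-in under `${systemd_unitdir}/system/bluetooth.service.d` and it is installed only under the `with-lsm-smack` override. Narrowing it to `FILES_${PN}_append_with-lsm-smack = " ${systemd_unitdir}/system/bluetooth.service.d"` keeps packaging in step with `do_install_append_with-lsm-smack` and avoids claiming paths that the base recipe or systemd.bbclass may already own. The removed `fix_bluez5_capabilities` also refused to touch the unit unless it existed and already carried a `CapabilityBoundingSet=` line; the drop-in is now installed regardless, which is presumably fine when systemd is the init system but deserves a sentence in the comment above the `SRC_URI` append.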
diff --git a/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf b/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf
new file mode 100644
index 000000000..b93ab4fee
--- /dev/null
+++ b/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf
@@ -0,0 +1,2 @@
+[Service]
+CapabilityBoundingSet=CAP_MAC_OVERRIDE
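Review bot: `CapabilityBoundingSet=CAP_MAC_OVERRIDE` in a drop-in is OR-merged with the upstream unit's own `CapabilityBoundingSet=` only if the unit has one; the replaced sed grep'd for that line before acting, whereas this drop-in would, if upstream bluetooth.service ever shipped without it, make CAP_MAC_OVERRIDE the entire bounding set and strip bluetoothd of the capabilities it needs. Neither that merge assumption nor the reason for handing the daemon a capability that bypasses Smack access checks outright is recorded in the file. Suggest a header comment such as `# Smack: let bluetoothd bypass Smack checks. OR-merged with the upstream unit's CapabilityBoundingSet=; if upstream drops that line this becomes the whole set.`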
diff --git a/meta-security/recipes-connectivity/connman/connman_%.bbappend b/meta-security/recipes-connectivity/connman/connman_%.bbappend
index f66c1e79b..3b010490d 100644
--- a/meta-security/recipes-connectivity/connman/connman_%.bbappend
+++ b/meta-security/recipes-connectivity/connman/connman_%.bbappend
@@ -19,14 +19,16 @@
# in which connmand runs, this change is not submitted upstream
# and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES.
-FIX_CONNMAN_CAPABILITIES ??= ""
-FIX_CONNMAN_CAPABILITIES_with-lsm-smack ??= "fix_connman_capabilities"
-do_install[postfuncs] += "${FIX_CONNMAN_CAPABILITIES}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-fix_connman_capabilities () {
- service="${D}/${systemd_unitdir}/system/connman.service"
- if [ -f "$service" ] &&
- grep -q '^CapabilityBoundingSet=' "$service"; then
- sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
- fi
+SRC_URI_append_with-lsm-smack = "\
+ file://connman.service.conf \
+"
+
+RDEPENDS_${PN}_append_with-lsm-smack = " smack"
+
+FILES_${PN} += "${systemd_unitdir}"
+
+do_install_append_with-lsm-smack() {
+ install -Dm0644 ${WORKDIR}/connman.service.conf ${D}${systemd_unitdir}/system/connman.service.d/smack.conf
}
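Review bot: The context comment at the top of the hunk still says the change `can be overridden by a distro via FIX_CONNMAN_CAPABILITIES`, but this hunk deletes that variable, so the statement is now false and a distro that set `FIX_CONNMAN_CAPABILITIES = ""` to opt out silently gets the drop-in anyway. Either keep an opt-out (a `??=` knob consulted by `do_install_append_with-lsm-smack`) or rewrite the comment, e.g. `# Installed as a systemd drop-in (connman.service.d/smack.conf) whenever the with-lsm-smack override is active; not submitted upstream.` That comment begins before the hunk. Separately, `FILES_${PN} += "${systemd_unitdir}"` is broader than the one directory this append installs; `${systemd_unitdir}/system/connman.service.d` is the precise path.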
diff --git a/meta-security/recipes-connectivity/connman/files/connman.service.conf b/meta-security/recipes-connectivity/connman/files/connman.service.conf
new file mode 100644
index 000000000..6ebbf6ad1
--- /dev/null
+++ b/meta-security/recipes-connectivity/connman/files/connman.service.conf
@@ -0,0 +1,4 @@
+[Service]
+CapabilityBoundingSet=CAP_MAC_OVERRIDE
+ExecStartPre=+-/bin/mkdir -p /run/connman
+ExecStartPre=+-/usr/bin/chsmack -t -a System::Shared /run/connman
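Review bot: The `-` prefix on the `chsmack` line makes a failed labeling non-fatal, so if `chsmack` is absent or refuses, connmand still starts with `/run/connman` carrying whatever label mkdir gave it and `/etc/resolv.conf` stays unreadable to ordinary applications — the very bug this commit fixes, but now silent. Since the bbappend adds `smack` to RDEPENDS the tool should be present, and `ExecStartPre=+/usr/bin/chsmack -t -a System::Shared /run/connman` would surface a failure at start-up instead. Two things also deserve a comment in the file: the `+` prefix is what lets these pre-commands run with full privileges (relabeling needs CAP_MAC_ADMIN, presumably not in the unit's bounding set), and `-t` transmutes the label onto every file connmand later creates in `/run/connman`, not just resolv.conf — if `System::Shared` is the broadly readable label in this policy, anything else connmand writes there becomes readable as well.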