base-files: add /media to System::Shared SMACK label

All media mountpoints should have the System::Shared label to avoid access denials on multimedia items. Bug-AGL: SPEC-2774 Change-Id: Ib9bb1b26a1950cacd5e1f384cbe19d4a4a6373d9 Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
author: Matt Ranostay <matt.ranostay@konsulko.com> 2019-09-12 09:59:12 +0300
committer: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> 2019-09-16 11:36:27 +0000
commit: 57b6d0f437ef19fb6030d7d126aebea2ffeabb93 (patch)
tree: ec5bb8174df4abc6784c2d748c3faa2d9edd6071 /meta-security
parent: d57312ef6330717541fdf88caa672b21a2b022e8 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/meta-security/recipes-core/base-files/base-files_%.bbappend b/meta-security/recipes-core/base-files/base-files_%.bbappend
index a6af1821b..f0e340f5b 100644
--- a/meta-security/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-security/recipes-core/base-files/base-files_%.bbappend
@@ -56,6 +56,12 @@ pkg_postinst_${PN}_with-lsm-smack() {
     chsmack -t $D${sysconfdir}
     chsmack -a 'System::Shared' $D${sysconfdir}
 
+    # Same for /media. Any daemon running as "System" will get write access
+    # to everything.
+    install -d $D/media
+    chsmack -t $D/media
+    chsmack -a 'System::Shared' $D/media
+
     # Same for /var. Any daemon running as "System" will get write access
     # to everything.
     install -d $D${localstatedir}
author	Matt Ranostay <matt.ranostay@konsulko.com>	2019-09-12 09:59:12 +0300
committer	Jan-Simon Moeller <jsmoeller@linuxfoundation.org>	2019-09-16 11:36:27 +0000
commit	57b6d0f437ef19fb6030d7d126aebea2ffeabb93 (patch)
tree	ec5bb8174df4abc6784c2d748c3faa2d9edd6071 /meta-security
parent	d57312ef6330717541fdf88caa672b21a2b022e8 (diff)