11 files changed, 93 insertions, 95 deletions
diff --git a/meta-agl-profile-core/recipes-core/systemd/systemd_234.bbappend b/meta-agl-profile-core/recipes-core/systemd/systemd_234.bbappend
deleted file mode 100644
index 4df7684d0..000000000
--- a/meta-agl-profile-core/recipes-core/systemd/systemd_234.bbappend
+++ /dev/null
@@ -1,6 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "\
- file://0001-Switch-Smack-label-earlier.patch \
-"
-
diff --git a/meta-app-framework/recipes-core/systemd/systemd_%.bbappend b/meta-app-framework/recipes-core/systemd/systemd_%.bbappend
deleted file mode 100644
index 6b8057a5c..000000000
--- a/meta-app-framework/recipes-core/systemd/systemd_%.bbappend
+++ /dev/null
@@ -1,20 +0,0 @@
-##################################################################################
-# This patch is temporary.
-# This is a solution to the Bug-AGL SPEC-539.
-#
-# It renames the file udev-smack-default.rules
-# as the file 55-smack-default.rules before installation in do_install.
-# This comes from https://github.com/01org/meta-intel-iot-security.git
-# (meta-security-smack/recipes-core/systemd/)
-# It should be removed when the security layer will be refited to meta-security
-# See git clone http://git.yoctoproject.org/cgit/cgit.cgi/meta-security
-#
-# It also renames the file touchscreen.rules as the file 55-touchscreen.rules
-# This comes with the recipe systemd_230 of poky (meta/recipes-core/systemd)
-# It should be removed when poky changes.
-##################################################################################
-do_install_prepend() {
- mv ${WORKDIR}/udev-smack-default.rules ${WORKDIR}/55-smack-default.rules || true
- mv ${WORKDIR}/touchscreen.rules ${WORKDIR}/55-touchscreen.rules || true
-}
-
diff --git a/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend b/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend
index a8d04ab6d..19af9117b 100644
--- a/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend
+++ b/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend
@@ -1,4 +1,5 @@
 RDEPENDS_${PN} += "\
+ smack-system-setup \
 xmlsec1 \
 cynara \
 security-manager \
diff --git a/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb
index b52e18d4e..6dd575df5 100644
--- a/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb
+++ b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb
@@ -19,4 +19,5 @@ RDEPENDS_${PN}_append_with-lsm-smack = " \
 security-manager \
 security-manager-policy \
 smacknet \
+ smack-system-setup \
 "
diff --git a/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules b/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules
index 3829019de..3829019de 100644
--- a/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules
+++ b/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules
diff --git a/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf b/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf
new file mode 100644
index 000000000..7035a1410
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf
@@ -0,0 +1,16 @@
+# Run systemd-journald with the hat ("^") Smack label.
+#
+# The journal daemon needs global read access to gather information
+# about the services spawned by systemd. The hat label is intended
+# for this purpose. The journal daemon is the only part of the
+# System domain that needs read access to the User domain. Giving
+# the journal daemon the hat label means that we can remove the
+# System domain's read access to the User domain and we can avoid
+# hard-coding a specific label name for that domain.
+#
+# Original author: Casey Schaufler <casey@schaufler-ca.com>
+#
+# This is considered a configuration change and thus distro specific.
+[Service]
+SmackProcessLabel=^
+
diff --git a/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf b/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf
new file mode 100644
index 000000000..db43c8c51
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)'
diff --git a/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf
new file mode 100644
index 000000000..388986e82
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf
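Review bot: The systemd-tmpfiles-setup drop-in is the only one of the three new drop-ins that carries no comment, and the rationale the old bbappend gave for it (that /var/log and /var/tmp live on /var/volatile and are recreated at each boot, so their labels must be re-applied after tmpfiles runs) is removed elsewhere in this commit rather than moved here. Someone reading the installed smack.conf will not see why /var/tmp receives the `*` label and /var/log the transmuting `System::Log` label. Suggest opening the file with `# /var/log and /var/tmp point into /var/volatile (tmpfs) and are recreated by systemd-tmpfiles at boot, so their Smack labels are re-applied here once tmpfiles-setup has run.`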
@@ -0,0 +1,12 @@
+# Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>.
+# Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664),
+# but it was removed again (https://github.com/systemd/systemd/issues/1696) because
+# util-linux mount will ignore smackfsroot when Smack is not active. However,
+# busybox is not that intelligent.
+#
+# When using busybox mount, adding smackfsroot=* and booting without
+# Smack (i.e. security=none), tmp.mount will fail with an error about
+# "Bad mount option smackfsroot".
+[Mount]
+Options=smackfsroot=*
+
diff --git a/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb b/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb
new file mode 100644
index 000000000..49b12ad3f
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb
@@ -0,0 +1,28 @@
+DESCRIPTION = "setup of a system using smack"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRC_URI = "\
+ file://55-udev-smack-default.rules \
+ file://systemd-journald.service.conf \
+ file://systemd-tmpfiles-setup.service.conf \
+ file://tmp.mount.conf \
+"
+
+RDEPENDS_${PN}_append_with-lsm-smack = " smack"
+
+do_install_append_with-lsm-smack() {
+ # tuning systemd units
+ install -Dm0644 ${WORKDIR}/systemd-tmpfiles-setup.service.conf \
+ ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf
+ install -Dm0644 ${WORKDIR}/systemd-journald.service.conf \
+ ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf
+ install -Dm0644 ${WORKDIR}/tmp.mount.conf \
+ ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf
+
+ # add udev rules
+ install -Dm0644 ${WORKDIR}/55-udev-smack-default.rules \
+ ${D}${sysconfdir}/udev/rules.d/55-udev-smack-default.rules
+}
+
+FILES_${PN} += "${systemd_unitdir}"
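Review bot: Every install step in the new recipe sits under the `with-lsm-smack` override, so a build without that override produces an empty `smack-system-setup` package, and BitBake does not emit empty packages unless `ALLOW_EMPTY_${PN} = "1"` is set. The packagegroup-agl-core-security.bbappend hunk in this same commit lists `smack-system-setup` in its unconditional `RDEPENDS_${PN}`, so such a build would presumably fail at rootfs time with an unsatisfiable runtime dependency, whereas packagegroup-security-framework.bb adds it under `RDEPENDS_${PN}_append_with-lsm-smack` and is not affected. Either add `ALLOW_EMPTY_${PN} = "1"` next to `FILES_${PN}` here, or make the agl-core-security dependency conditional the same way the security-framework packagegroup does.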
diff --git a/meta-agl-profile-core/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch b/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
index 46445be73..46445be73 100644
--- a/meta-agl-profile-core/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
+++ b/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
diff --git a/meta-security/recipes-core/systemd/systemd_%.bbappend b/meta-security/recipes-core/systemd/systemd_234.bbappend
index 65e28f9de..4bbc8aa04 100644
--- a/meta-security/recipes-core/systemd/systemd_%.bbappend
+++ b/meta-security/recipes-core/systemd/systemd_234.bbappend
@@ -1,19 +1,5 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally
-# because systemd panics when booted without Smack support:
-# systemd[1]: Cannot determine cgroup we are running in: No such file or directory
-# systemd[1]: Failed to allocate manager object: No such file or directory
-# [!!!!!!] Failed to allocate manager object, freezing.
-#
-# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network.
-# We use the beginning of PV (unexpanded here to prevent a cyclic dependency
-# during resolution apparently caused by ${SRCPV}) to pick the right set of
-# patches.
-#
-# Patches are optional. Hopefully we won't need any for systemd >= 229.
-SRC_URI_append_with-lsm-smack = " ${@d.getVar('SYSTEMD_SMACK_PATCHES_' + d.getVar('PV', False)[0:3], True) or ''}"
-
 SYSTEMD_SMACK_PATCHES_216 = " \
 file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch \
 file://0004-tizen-smack-Handling-of-dev-v216.patch \
@@ -39,66 +25,30 @@
 file://0005-tizen-smack-Handling-network-v228.patch \
 file://mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch \
 "
-# From Tizen .spec file.
-EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System"
-
-install_file() {
- install -d $(dirname $1)
- cat >>$1
- chmod ${2:-0644} $1
-}
-
-# We need to emulate parts of the filesystem permissions from Tizen here.
-# The part for regular files is in base-files.bbappend, but /var/log and
-# /var/tmp point into /var/volatile (tmpfs) and get created anew during
-# startup. We set these permissions directly after creating them via
-# /etc/tmpfiles.d/00-create-volatile.conf
-RDEPENDS_${PN}_append_with-lsm-smack = " smack"
-do_install_append_with-lsm-smack() {
- install_file ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf <<EOF
-[Service]
-ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)'
-EOF
-
- # Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>.
- # Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664),
- # but it was removed again (https://github.com/systemd/systemd/issues/1696) because
- # util-linux mount will ignore smackfsroot when Smack is not active. However,
- # busybox is not that intelligent.
- #
- # When using busybox mount, adding smackfsroot=* and booting without
- # Smack (i.e. security=none), tmp.mount will fail with an error about
- # "Bad mount option smackfsroot".
- install_file ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf <<EOF
-[Mount]
-Options=smackfsroot=*
-EOF
-
- # Run systemd-journald with the hat ("^") Smack label.
- #
- # The journal daemon needs global read access to gather information
- # about the services spawned by systemd. The hat label is intended
- # for this purpose. The journal daemon is the only part of the
- # System domain that needs read access to the User domain. Giving
- # the journal daemon the hat label means that we can remove the
- # System domain's read access to the User domain and we can avoid
- # hard-coding a specific label name for that domain.
- #
- # Original author: Casey Schaufler <casey@schaufler-ca.com>
- #
- # This is considered a configuration change and thus distro specific.
- install_file ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf <<EOF
-[Service]
-SmackProcessLabel=^
-EOF
-}
+SYSTEMD_SMACK_PATCHES_234 = " \
+file://0001-Switch-Smack-label-earlier.patch \
+"
-# Will get installed in ${sysconfdir}/udev/rules.d/ by base systemd recipe.
-SRC_URI += "file://udev-smack-default.rules"
+# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally
+# because systemd panics when booted without Smack support:
+# systemd[1]: Cannot determine cgroup we are running in: No such file or directory
+# systemd[1]: Failed to allocate manager object: No such file or directory
+# [!!!!!!] Failed to allocate manager object, freezing.
+#
+# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network.
+# We use the beginning of PV (unexpanded here to prevent a cyclic dependency
+# during resolution apparently caused by ${SRCPV}) to pick the right set of
+# patches.
+#
+# Patches are optional. Hopefully we won't need any for systemd >= 229.
+SRC_URI_append_with-lsm-smack = " ${SYSTEMD_SMACK_PATCHES_234}"
 # A workaround for a missing space in a SRC_URI_append in a private layer elsewhere:
 SRC_URI += ""
+# Ensures systemd runs with label "System"
+EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System"
+
 # Maintaining trivial, non-upstreamable configuration changes as patches
 # is tedious. But in same cases (like early mounting of special directories)
 # the configuration has to be in code. We make these changes here directly.
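Review bot: The comment block re-added above `SRC_URI_append_with-lsm-smack = " ${SYSTEMD_SMACK_PATCHES_234}"` no longer matches the code beneath it: the paragraph about using the beginning of PV to pick the patch set describes the `d.getVar('SYSTEMD_SMACK_PATCHES_' + ...)` expression that the first hunk of this file removes, and "Hopefully we won't need any for systemd >= 229" is contradicted by the new `SYSTEMD_SMACK_PATCHES_234` list a few lines earlier. With the file renamed to systemd_234.bbappend the 216 and 228 lists appear to be dead configuration as well. Keep the first paragraph (the patches stay conditional on with-lsm-smack because systemd panics without Smack) and replace the PV paragraph and the last line with `# This bbappend is pinned to systemd 234; only the v234 patch set is applied.`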
@@ -118,3 +68,17 @@ patch_systemd() {
 -e 's;\("/run", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfstransmute=System::Run\2;' \
 ${S}/src/core/mount-setup.c
 }
+
+##################################################################################
+# What follows is temporary.
+# This is a solution to the Bug-AGL SPEC-539
+# (see https://jira.automotivelinux.org/browse/SPEC-539).
+#
+# It renames the file "touchscreen.rules" to "55-touchscreen.rules"
+# This comes with the recipe systemd_230/234 of poky (meta/recipes-core/systemd)
+# It should be removed when poky changes.
+##################################################################################
+do_install_prepend() {
+ mv ${WORKDIR}/touchscreen.rules ${WORKDIR}/55-touchscreen.rules || true
+}
+