4 files changed, 53 insertions, 0 deletions
diff --git a/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules b/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules
new file mode 100644
index 000000000..3829019de
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules
@@ -0,0 +1,23 @@
+# do not edit this file, it will be overwritten on update
+
+KERNEL=="null", SECLABEL{smack}="*"
+KERNEL=="zero", SECLABEL{smack}="*"
+KERNEL=="console", SECLABEL{smack}="*"
+KERNEL=="kmsg", SECLABEL{smack}="*"
+KERNEL=="video*", SECLABEL{smack}="*"
+KERNEL=="card*", SECLABEL{smack}="*"
+KERNEL=="ptmx", SECLABEL{smack}="*"
+KERNEL=="tty", SECLABEL{smack}="*"
+
+SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
+SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
+SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
+
+SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
+SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
+SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
+SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
+KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
+
+SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
+SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"
diff --git a/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf b/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf
new file mode 100644
index 000000000..7035a1410
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf
@@ -0,0 +1,16 @@
+# Run systemd-journald with the hat ("^") Smack label.
+#
+# The journal daemon needs global read access to gather information
+# about the services spawned by systemd. The hat label is intended
+# for this purpose. The journal daemon is the only part of the
+# System domain that needs read access to the User domain. Giving
+# the journal daemon the hat label means that we can remove the
+# System domain's read access to the User domain and we can avoid
+# hard-coding a specific label name for that domain.
+#
+# Original author: Casey Schaufler <casey@schaufler-ca.com>
+#
+# This is considered a configuration change and thus distro specific.
+[Service]
+SmackProcessLabel=^
+
diff --git a/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf b/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf
new file mode 100644
index 000000000..db43c8c51
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)'
diff --git a/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf
new file mode 100644
index 000000000..388986e82
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf
@@ -0,0 +1,12 @@
+# Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>.
+# Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664),
+# but it was removed again (https://github.com/systemd/systemd/issues/1696) because
+# util-linux mount will ignore smackfsroot when Smack is not active. However,
+# busybox is not that intelligent.
+#
+# When using busybox mount, adding smackfsroot=* and booting without
+# Smack (i.e. security=none), tmp.mount will fail with an error about
+# "Bad mount option smackfsroot".
+[Mount]
+Options=smackfsroot=*
+