diff options
Diffstat (limited to 'meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch')
| -rw-r--r-- | meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch | 106 |
1 files changed, 0 insertions, 106 deletions
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch deleted file mode 100644 index cd6a3c90b..000000000 --- a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch +++ /dev/null @@ -1,106 +0,0 @@ -From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001 -From: Casey Schaufler <casey@schaufler-ca.com> -Date: Fri, 8 Nov 2013 09:42:26 -0800 -Subject: [PATCH 5/9] tizen-smack: Handling network - -- Set Smack ambient to match run label -- Set Smack netlabel host rules - -Set Smack ambient to match run label ------------------------------------- -Set the Smack networking ambient label to match the -run label of systemd. System services may expect to -communicate with external services over IP. Setting -the ambient label assigns that label to IP packets -that do not include CIPSO headers. This allows systemd -and the services it spawns access to unlabeled IP -packets, and hence external services. - -A system may choose to restrict network access to -particular services later in the startup process. -This is easily done by resetting the ambient label -elsewhere. - -Set Smack netlabel host rules ------------------------------ -If SMACK_RUN_LABEL is defined set all other hosts to be -single label hosts at the specified label. Set the loopback -address to be a CIPSO host. - -If any netlabel host rules are defined in /etc/smack/netlabel.d -install them into the smackfs netlabel interface. - -Upstream-Status: Pending - ---- - src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++- - 1 file changed, 32 insertions(+), 1 deletion(-) - -diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c -index 59f6832..33dc1ca 100644 ---- a/src/core/smack-setup.c -+++ b/src/core/smack-setup.c -@@ -42,6 +42,7 @@ - - #define SMACK_CONFIG "/etc/smack/accesses.d/" - #define CIPSO_CONFIG "/etc/smack/cipso.d/" -+#define NETLABEL_CONFIG "/etc/smack/netlabel.d/" - - #ifdef HAVE_SMACK - -@@ -146,6 +147,19 @@ int mac_smack_setup(bool *loaded_policy) { - if (r) - log_warning("Failed to set SMACK label \"%s\" on self: %s", - SMACK_RUN_LABEL, strerror(-r)); -+ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL); -+ if (r) -+ log_warning("Failed to set SMACK ambient label \"%s\": %s", -+ SMACK_RUN_LABEL, strerror(-r)); -+ r = write_string_file("/sys/fs/smackfs/netlabel", -+ "0.0.0.0/0 " SMACK_RUN_LABEL); -+ if (r) -+ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", -+ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r)); -+ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO"); -+ if (r) -+ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", -+ "127.0.0.1 -CIPSO", strerror(-r)); - #endif - - r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG); -@@ -155,14 +169,31 @@ int mac_smack_setup(bool *loaded_policy) { - return 0; - case ENOENT: - log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found"); -- return 0; -+ break; - case 0: - log_info("Successfully loaded Smack/CIPSO policies."); - break; - default: - log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.", - strerror(abs(r))); -+ break; -+ } -+ -+ r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG); -+ switch(r) { -+ case -ENOENT: -+ log_debug("Smack/CIPSO is not enabled in the kernel."); - return 0; -+ case ENOENT: -+ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found"); -+ break; -+ case 0: -+ log_info("Successfully loaded Smack network host rules."); -+ break; -+ default: -+ log_warning("Failed to load Smack network host rules: %s, ignoring.", -+ strerror(abs(r))); -+ break; - } - - *loaded_policy = true; --- -1.8.4.5 - |