Diffstat (limited to 'meta-security/recipes-core/systemd/systemd')
-rw-r--r--meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch52
-rw-r--r--meta-security/recipes-core/systemd/systemd/udev-smack-default.rules23
2 files changed, 52 insertions, 23 deletions
diff --git a/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch b/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
new file mode 100644
index 000000000..46445be73
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
@@ -0,0 +1,52 @@
+From 6cc74075797edb6f698cb7f312bb1c3d8cc6cb28 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 12 Oct 2017 17:17:56 +0200
+Subject: [PATCH] Switch Smack label earlier
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Switching label after removing capability isn't
+possible.
+
+Change-Id: Ib7dac8f071f36119520ed3205d743c1e3df3cd5e
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/core/execute.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index d72e5bf08..0abffd569 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -2707,6 +2707,13 @@ static int exec_child(
+ }
+ }
+
++ r = setup_smack(context, command);
++ if (r < 0) {
++ *exit_status = EXIT_SMACK_PROCESS_LABEL;
++ *error_message = strdup("Failed to set SMACK process label");
++ return r;
++ }
++
+ if (!cap_test_all(context->capability_bounding_set)) {
+ r = capability_bounding_set_drop(context->capability_bounding_set, false);
+ if (r < 0) {
+@@ -2775,13 +2782,6 @@ static int exec_child(
+ }
+ #endif
+
+- r = setup_smack(context, command);
+- if (r < 0) {
+- *exit_status = EXIT_SMACK_PROCESS_LABEL;
+- *error_message = strdup("Failed to set SMACK process label");
+- return r;
+- }
+-
+ #ifdef HAVE_APPARMOR
+ if (context->apparmor_profile && mac_apparmor_use()) {
+ r = aa_change_onexec(context->apparmor_profile);
+--
+2.14.3
+
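Review bot: The added patch header (From/Date/Change-Id/Signed-off-by) carries no `Upstream-Status:` line, which Yocto layers expect in every recipe patch so the next systemd version bump can tell whether it may be dropped; add a line such as `Upstream-Status: Pending` (or `Upstream-Status: Inappropriate [distribution-specific]` if it is not intended for upstream) after the Subject. On the content, moving `setup_smack()` ahead of `capability_bounding_set_drop()` means the bounding-set drop and whatever lies between the new and old call sites (the rest of exec_child, which starts and ends outside this hunk) now execute under the service's Smack label rather than systemd's, so the Smack policy must grant that label whatever those later steps touch; the commit message only states that the old order was impossible, and a sentence on this consequence in the patch description would help reviewers and policy authors. The `strdup()` result on the error path is still not checked for NULL, as in the original placement, so `*error_message` may silently be left NULL on allocation failure.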
diff --git a/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules b/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules
deleted file mode 100644
index 3829019de..000000000
--- a/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules
+++ /dev/null
@@ -1,23 +0,0 @@
-# do not edit this file, it will be overwritten on update
-
-KERNEL=="null", SECLABEL{smack}="*"
-KERNEL=="zero", SECLABEL{smack}="*"
-KERNEL=="console", SECLABEL{smack}="*"
-KERNEL=="kmsg", SECLABEL{smack}="*"
-KERNEL=="video*", SECLABEL{smack}="*"
-KERNEL=="card*", SECLABEL{smack}="*"
-KERNEL=="ptmx", SECLABEL{smack}="*"
-KERNEL=="tty", SECLABEL{smack}="*"
-
-SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
-SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
-SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
-
-SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
-SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
-KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
-
-SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
-SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"