diff options
Diffstat (limited to 'meta-security')
| -rw-r--r-- | meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb | 1 | ||||
| -rw-r--r-- | meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules (renamed from meta-security/recipes-core/systemd/systemd/udev-smack-default.rules) | 0 | ||||
| -rw-r--r-- | meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf | 16 | ||||
| -rw-r--r-- | meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf | 2 | ||||
| -rw-r--r-- | meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf | 12 | ||||
| -rw-r--r-- | meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb | 28 | ||||
| -rw-r--r-- | meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch | 52 | ||||
| -rw-r--r-- | meta-security/recipes-core/systemd/systemd_234.bbappend (renamed from meta-security/recipes-core/systemd/systemd_%.bbappend) | 102 |
8 files changed, 144 insertions, 69 deletions
diff --git a/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb index b52e18d4e..6dd575df5 100644 --- a/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb +++ b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb @@ -19,4 +19,5 @@ RDEPENDS_${PN}_append_with-lsm-smack = " \ security-manager \ security-manager-policy \ smacknet \ + smack-system-setup \ " diff --git a/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules b/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules index 3829019de..3829019de 100644 --- a/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules +++ b/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules diff --git a/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf b/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf new file mode 100644 index 000000000..7035a1410 --- /dev/null +++ b/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf @@ -0,0 +1,16 @@ +# Run systemd-journald with the hat ("^") Smack label. +# +# The journal daemon needs global read access to gather information +# about the services spawned by systemd. The hat label is intended +# for this purpose. The journal daemon is the only part of the +# System domain that needs read access to the User domain. Giving +# the journal daemon the hat label means that we can remove the +# System domain's read access to the User domain and we can avoid +# hard-coding a specific label name for that domain. +# +# Original author: Casey Schaufler <casey@schaufler-ca.com> +# +# This is considered a configuration change and thus distro specific. +[Service] +SmackProcessLabel=^ + diff --git a/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf b/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf new file mode 100644 index 000000000..db43c8c51 --- /dev/null +++ b/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf @@ -0,0 +1,2 @@ +[Service] +ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)' diff --git a/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf new file mode 100644 index 000000000..388986e82 --- /dev/null +++ b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf @@ -0,0 +1,12 @@ +# Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>. +# Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664), +# but it was removed again (https://github.com/systemd/systemd/issues/1696) because +# util-linux mount will ignore smackfsroot when Smack is not active. However, +# busybox is not that intelligent. +# +# When using busybox mount, adding smackfsroot=* and booting without +# Smack (i.e. security=none), tmp.mount will fail with an error about +# "Bad mount option smackfsroot". +[Mount] +Options=smackfsroot=* + diff --git a/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb b/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb new file mode 100644 index 000000000..49b12ad3f --- /dev/null +++ b/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb @@ -0,0 +1,28 @@ +DESCRIPTION = "setup of a system using smack" +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" + +SRC_URI = "\ + file://55-udev-smack-default.rules \ + file://systemd-journald.service.conf \ + file://systemd-tmpfiles-setup.service.conf \ + file://tmp.mount.conf \ +" + +RDEPENDS_${PN}_append_with-lsm-smack = " smack" + +do_install_append_with-lsm-smack() { + # tuning systemd units + install -Dm0644 ${WORKDIR}/systemd-tmpfiles-setup.service.conf \ + ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf + install -Dm0644 ${WORKDIR}/systemd-journald.service.conf \ + ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf + install -Dm0644 ${WORKDIR}/tmp.mount.conf \ + ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf + + # add udev rules + install -Dm0644 ${WORKDIR}/55-udev-smack-default.rules \ + ${D}${sysconfdir}/udev/rules.d/55-udev-smack-default.rules +} + +FILES_${PN} += "${systemd_unitdir}" diff --git a/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch b/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch new file mode 100644 index 000000000..46445be73 --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch @@ -0,0 +1,52 @@ +From 6cc74075797edb6f698cb7f312bb1c3d8cc6cb28 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 12 Oct 2017 17:17:56 +0200 +Subject: [PATCH] Switch Smack label earlier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Switching label after removing capability isn't +possible. + +Change-Id: Ib7dac8f071f36119520ed3205d743c1e3df3cd5e +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + src/core/execute.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index d72e5bf08..0abffd569 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -2707,6 +2707,13 @@ static int exec_child( + } + } + ++ r = setup_smack(context, command); ++ if (r < 0) { ++ *exit_status = EXIT_SMACK_PROCESS_LABEL; ++ *error_message = strdup("Failed to set SMACK process label"); ++ return r; ++ } ++ + if (!cap_test_all(context->capability_bounding_set)) { + r = capability_bounding_set_drop(context->capability_bounding_set, false); + if (r < 0) { +@@ -2775,13 +2782,6 @@ static int exec_child( + } + #endif + +- r = setup_smack(context, command); +- if (r < 0) { +- *exit_status = EXIT_SMACK_PROCESS_LABEL; +- *error_message = strdup("Failed to set SMACK process label"); +- return r; +- } +- + #ifdef HAVE_APPARMOR + if (context->apparmor_profile && mac_apparmor_use()) { + r = aa_change_onexec(context->apparmor_profile); +-- +2.14.3 + diff --git a/meta-security/recipes-core/systemd/systemd_%.bbappend b/meta-security/recipes-core/systemd/systemd_234.bbappend index 65e28f9de..4bbc8aa04 100644 --- a/meta-security/recipes-core/systemd/systemd_%.bbappend +++ b/meta-security/recipes-core/systemd/systemd_234.bbappend @@ -1,19 +1,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" -# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally -# because systemd panics when booted without Smack support: -# systemd[1]: Cannot determine cgroup we are running in: No such file or directory -# systemd[1]: Failed to allocate manager object: No such file or directory -# [!!!!!!] Failed to allocate manager object, freezing. -# -# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network. -# We use the beginning of PV (unexpanded here to prevent a cyclic dependency -# during resolution apparently caused by ${SRCPV}) to pick the right set of -# patches. -# -# Patches are optional. Hopefully we won't need any for systemd >= 229. -SRC_URI_append_with-lsm-smack = " ${@d.getVar('SYSTEMD_SMACK_PATCHES_' + d.getVar('PV', False)[0:3], True) or ''}" - SYSTEMD_SMACK_PATCHES_216 = " \ file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch \ file://0004-tizen-smack-Handling-of-dev-v216.patch \ @@ -39,66 +25,30 @@ file://0005-tizen-smack-Handling-network-v228.patch \ file://mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch \ " -# From Tizen .spec file. -EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System" - -install_file() { - install -d $(dirname $1) - cat >>$1 - chmod ${2:-0644} $1 -} - -# We need to emulate parts of the filesystem permissions from Tizen here. -# The part for regular files is in base-files.bbappend, but /var/log and -# /var/tmp point into /var/volatile (tmpfs) and get created anew during -# startup. We set these permissions directly after creating them via -# /etc/tmpfiles.d/00-create-volatile.conf -RDEPENDS_${PN}_append_with-lsm-smack = " smack" -do_install_append_with-lsm-smack() { - install_file ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf <<EOF -[Service] -ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)' -EOF - - # Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>. - # Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664), - # but it was removed again (https://github.com/systemd/systemd/issues/1696) because - # util-linux mount will ignore smackfsroot when Smack is not active. However, - # busybox is not that intelligent. - # - # When using busybox mount, adding smackfsroot=* and booting without - # Smack (i.e. security=none), tmp.mount will fail with an error about - # "Bad mount option smackfsroot". - install_file ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf <<EOF -[Mount] -Options=smackfsroot=* -EOF - - # Run systemd-journald with the hat ("^") Smack label. - # - # The journal daemon needs global read access to gather information - # about the services spawned by systemd. The hat label is intended - # for this purpose. The journal daemon is the only part of the - # System domain that needs read access to the User domain. Giving - # the journal daemon the hat label means that we can remove the - # System domain's read access to the User domain and we can avoid - # hard-coding a specific label name for that domain. - # - # Original author: Casey Schaufler <casey@schaufler-ca.com> - # - # This is considered a configuration change and thus distro specific. - install_file ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf <<EOF -[Service] -SmackProcessLabel=^ -EOF -} +SYSTEMD_SMACK_PATCHES_234 = " \ +file://0001-Switch-Smack-label-earlier.patch \ +" -# Will get installed in ${sysconfdir}/udev/rules.d/ by base systemd recipe. -SRC_URI += "file://udev-smack-default.rules" +# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally +# because systemd panics when booted without Smack support: +# systemd[1]: Cannot determine cgroup we are running in: No such file or directory +# systemd[1]: Failed to allocate manager object: No such file or directory +# [!!!!!!] Failed to allocate manager object, freezing. +# +# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network. +# We use the beginning of PV (unexpanded here to prevent a cyclic dependency +# during resolution apparently caused by ${SRCPV}) to pick the right set of +# patches. +# +# Patches are optional. Hopefully we won't need any for systemd >= 229. +SRC_URI_append_with-lsm-smack = " ${SYSTEMD_SMACK_PATCHES_234}" # A workaround for a missing space in a SRC_URI_append in a private layer elsewhere: SRC_URI += "" +# Ensures systemd runs with label "System" +EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System" + # Maintaining trivial, non-upstreamable configuration changes as patches # is tedious. But in same cases (like early mounting of special directories) # the configuration has to be in code. We make these changes here directly. @@ -118,3 +68,17 @@ patch_systemd() { -e 's;\("/run", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfstransmute=System::Run\2;' \ ${S}/src/core/mount-setup.c } + +################################################################################## +# What follows is temporary. +# This is a solution to the Bug-AGL SPEC-539 +# (see https://jira.automotivelinux.org/browse/SPEC-539). +# +# It renames the file "touchscreen.rules" to "55-touchscreen.rules" +# This comes with the recipe systemd_230/234 of poky (meta/recipes-core/systemd) +# It should be removed when poky changes. +################################################################################## +do_install_prepend() { + mv ${WORKDIR}/touchscreen.rules ${WORKDIR}/55-touchscreen.rules || true +} + |