From d9d7eb20d17acde2f4e3826736ad45fa6d441837 Mon Sep 17 00:00:00 2001
From: José Bollo
Date: Wed, 12 Dec 2018 14:27:48 +0100
Subject: connman+bluez5: Update rights for smack systems
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reading the file /etc/resolv.conf that is linked to /run/connman/resolv.conf is not possible for common users. This changes add the setting of the directory /run/connman that allows common applications to read that file. To achieves this goal, that changes use the intended tuning mechanism of systemd instead of using sed. This is cleaner. Thus this as been adapted for bluez5 too.
Bug-AGL: SPEC-2006
Change-Id: I3d2a708be2a5c62664bfcf90757e9e5c080d6179
Signed-off-by: José Bollo
---
 .../recipes-connectivity/bluez5/bluez5_%.bbappend | 18 +++++++++---------
 .../bluez5/files/bluetooth.service.conf | 2 ++
 .../recipes-connectivity/connman/connman_%.bbappend | 20 +++++++++++---------
 .../connman/files/connman.service.conf | 4 ++++
 4 files changed, 26 insertions(+), 18 deletions(-)
 create mode 100644 meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf
 create mode 100644 meta-security/recipes-connectivity/connman/files/connman.service.conf
diff --git a/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend b/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
index c62842d5b..3767681b0 100644
--- a/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
+++ b/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
@@ -42,14 +42,14 @@
 # The related patch has been submitted to upstream too.
 # upstream link: http://permalink.gmane.org/gmane.linux.bluez.kernel/67993
-FIX_BLUEZ5_CAPABILITIES ??= ""
-FIX_BLUEZ5_CAPABILITIES_with-lsm-smack ??= "fix_bluez5_capabilities"
-do_install[postfuncs] += "${FIX_BLUEZ5_CAPABILITIES}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-fix_bluez5_capabilities () {
- service="${D}/${systemd_unitdir}/system/bluetooth.service"
- if [ -f "$service" ] &&
- grep -q '^CapabilityBoundingSet=' "$service"; then
- sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
- fi
+SRC_URI_append_with-lsm-smack = "\
+ file://bluetooth.service.conf \
+"
+
+FILES_${PN} += "${systemd_unitdir}"
+
+do_install_append_with-lsm-smack() {
+ install -Dm0644 ${WORKDIR}/bluetooth.service.conf ${D}${systemd_unitdir}/system/bluetooth.service.d/smack.conf
 }
diff --git a/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf b/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf
new file mode 100644
index 000000000..b93ab4fee
--- /dev/null
+++ b/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf
@@ -0,0 +1,2 @@
+[Service]
+CapabilityBoundingSet=CAP_MAC_OVERRIDE
diff --git a/meta-security/recipes-connectivity/connman/connman_%.bbappend b/meta-security/recipes-connectivity/connman/connman_%.bbappend
index f66c1e79b..3b010490d 100644
--- a/meta-security/recipes-connectivity/connman/connman_%.bbappend
+++ b/meta-security/recipes-connectivity/connman/connman_%.bbappend
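Review bot: The new `do_install_append_with-lsm-smack()` installs the drop-in unconditionally, whereas the removed `fix_bluez5_capabilities` first checked that `bluetooth.service` existed and already carried a `CapabilityBoundingSet=` line, so on a build without the systemd distro feature the drop-in presumably still lands under `${systemd_unitdir}/system/bluetooth.service.d/` with nothing to apply to. `FILES_${PN} += "${systemd_unitdir}"` is also the only new line not scoped to `with-lsm-smack`, so the package content changes for every build; `FILES_${PN}_append_with-lsm-smack = " ${systemd_unitdir}"` would keep it consistent with the `SRC_URI` and `do_install` additions. Guarding the install with `${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ..., '', d)}` would restore the old "only when the unit exists" behaviour. The connman_%.bbappend hunk has the same two issues.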
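Review bot: `CapabilityBoundingSet=CAP_MAC_OVERRIDE` in a drop-in is only additive because systemd merges repeated `CapabilityBoundingSet=` lines by OR; the removed sed kept the unit's existing list explicitly and was guarded by a grep for that line. If the base `bluetooth.service` ever ships without a `CapabilityBoundingSet=`, this drop-in becomes the whole bounding set and strips every other capability the daemon relies on. Recording the assumption in the file, `# Merged (OR) with the CapabilityBoundingSet= declared in bluetooth.service; that line must exist`, would make the dependency visible to whoever next touches either unit. The same applies to connman.service.conf.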
@@ -19,14 +19,16 @@
 # in which connmand runs, this change is not submitted upstream
 # and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES.
-FIX_CONNMAN_CAPABILITIES ??= ""
-FIX_CONNMAN_CAPABILITIES_with-lsm-smack ??= "fix_connman_capabilities"
-do_install[postfuncs] += "${FIX_CONNMAN_CAPABILITIES}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-fix_connman_capabilities () {
- service="${D}/${systemd_unitdir}/system/connman.service"
- if [ -f "$service" ] &&
- grep -q '^CapabilityBoundingSet=' "$service"; then
- sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
- fi
+SRC_URI_append_with-lsm-smack = "\
+ file://connman.service.conf \
+"
+
+RDEPENDS_${PN}_append_with-lsm-smack = " smack"
+
+FILES_${PN} += "${systemd_unitdir}"
+
+do_install_append_with-lsm-smack() {
+ install -Dm0644 ${WORKDIR}/connman.service.conf ${D}${systemd_unitdir}/system/connman.service.d/smack.conf
 }
diff --git a/meta-security/recipes-connectivity/connman/files/connman.service.conf b/meta-security/recipes-connectivity/connman/files/connman.service.conf
new file mode 100644
index 000000000..6ebbf6ad1
--- /dev/null
+++ b/meta-security/recipes-connectivity/connman/files/connman.service.conf
@@ -0,0 +1,4 @@
+[Service]
+CapabilityBoundingSet=CAP_MAC_OVERRIDE
+ExecStartPre=+-/bin/mkdir -p /run/connman
+ExecStartPre=+-/usr/bin/chsmack -t -a System::Shared /run/connman
-- 
cgit 1.2.3-korg
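Review bot: The context comment `# and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES.` is now stale, because this hunk removes `FIX_CONNMAN_CAPABILITIES` and its `do_install[postfuncs]` hook; a distro can no longer opt out by setting that variable. Since the override point is now the `with-lsm-smack` additions, the comment should say so, e.g. `# and a distro can override it by providing its own files/connman.service.conf.` (the two comment lines above the hunk belong to a header that starts outside it). The `RDEPENDS_${PN}_append_with-lsm-smack = " smack"` line is welcome, as it guarantees the `chsmack` binary the new drop-in calls is on the image.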
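Review bot: The `-` prefix on `ExecStartPre=+-/usr/bin/chsmack -t -a System::Shared /run/connman` makes a failed relabel non-fatal, so if chsmack exits non-zero the service still starts with /run/connman under its default label and the stated goal of the commit (resolv.conf readable by common users) is lost silently. With `smack` now an RDEPENDS the binary is expected to be present, so `ExecStartPre=+/usr/bin/chsmack -t -a System::Shared /run/connman` would surface the failure in the journal instead; keeping `-` on the `mkdir -p` line is fine since the directory may already exist. Both lines carry `+`, i.e. they run as root outside the unit's sandbox, which is what relabelling requires but deserves a comment; `-t` presumably sets the transmute flag so files connmand creates under /run/connman inherit System::Shared, which is worth confirming and stating. A short header comment explaining why the directory is pre-created and labelled here (/etc/resolv.conf is a symlink into /run/connman) would give the next reader the context that currently lives only in the commit message.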