From 27037c57de0a88cdc39934556b786721ae979eff Mon Sep 17 00:00:00 2001
From: José Bollo
Date: Thu, 13 Dec 2018 14:33:55 +0100
Subject: systemd: Cleanup of recipe of meta-security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The recipe for systemd that belongs to meta-security was carrying lot of history for probably no purpose. If history is needed, curious people can still refer to https://github.com/intel/meta-intel-iot-security

Change-Id: I8762da7feb2084de2a97025498eb47ef815c7954
Signed-off-by: José Bollo
---
 .../0005-tizen-smack-Handling-network.patch | 106 ---------------------
 1 file changed, 106 deletions(-)
 delete mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch

(limited to 'meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch')

diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch
deleted file mode 100644
index cd6a3c90b..000000000
--- a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001
-From: Casey Schaufler
-Date: Fri, 8 Nov 2013 09:42:26 -0800
-Subject: [PATCH 5/9] tizen-smack: Handling network
-
-- Set Smack ambient to match run label
-- Set Smack netlabel host rules
-
-Set Smack ambient to match run label
------------------------------------
-Set the Smack networking ambient label to match the
-run label of systemd. System services may expect to
-communicate with external services over IP. Setting
-the ambient label assigns that label to IP packets
-that do not include CIPSO headers. This allows systemd
-and the services it spawns access to unlabeled IP
-packets, and hence external services.
-
-A system may choose to restrict network access to
-particular services later in the startup process.
-This is easily done by resetting the ambient label
-elsewhere.
-
-Set Smack netlabel host rules
-----------------------------
-If SMACK_RUN_LABEL is defined set all other hosts to be
-single label hosts at the specified label. Set the loopback
-address to be a CIPSO host.
-
-If any netlabel host rules are defined in /etc/smack/netlabel.d
-install them into the smackfs netlabel interface.
-
-Upstream-Status: Pending
-
----
- src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++-
- 1 file changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
-index 59f6832..33dc1ca 100644
---- a/src/core/smack-setup.c
-+++ b/src/core/smack-setup.c
-@@ -42,6 +42,7 @@
-
- #define SMACK_CONFIG "/etc/smack/accesses.d/"
- #define CIPSO_CONFIG "/etc/smack/cipso.d/"
-+#define NETLABEL_CONFIG "/etc/smack/netlabel.d/"
-
- #ifdef HAVE_SMACK
-
-@@ -146,6 +147,19 @@ int mac_smack_setup(bool *loaded_policy) {
- if (r)
- log_warning("Failed to set SMACK label \"%s\" on self: %s",
- SMACK_RUN_LABEL, strerror(-r));
-+ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL);
-+ if (r)
-+ log_warning("Failed to set SMACK ambient label \"%s\": %s",
-+ SMACK_RUN_LABEL, strerror(-r));
-+ r = write_string_file("/sys/fs/smackfs/netlabel",
-+ "0.0.0.0/0 " SMACK_RUN_LABEL);
-+ if (r)
-+ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r));
-+ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO");
-+ if (r)
-+ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+ "127.0.0.1 -CIPSO", strerror(-r));
- #endif
-
- r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
-@@ -155,14 +169,31 @@ int mac_smack_setup(bool *loaded_policy) {
- return 0;
- case ENOENT:
- log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
-- return 0;
-+ break;
- case 0:
- log_info("Successfully loaded Smack/CIPSO policies.");
- break;
- default:
- log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
- strerror(abs(r)));
-+ break;
-+ }
-+
-+ r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG);
-+ switch(r) {
-+ case -ENOENT:
-+ log_debug("Smack/CIPSO is not enabled in the kernel.");
- return 0;
-+ case ENOENT:
-+ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found");
-+ break;
-+ case 0:
-+ log_info("Successfully loaded Smack network host rules.");
-+ break;
-+ default:
-+ log_warning("Failed to load Smack network host rules: %s, ignoring.",
-+ strerror(abs(r)));
-+ break;
- }
-
- *loaded_policy = true;
---
-1.8.4.5
-
-- cgit 1.2.3-korg