From f70d712e4f505f5c5b50ae17f4f023d20a667568 Mon Sep 17 00:00:00 2001 From: José Bollo Date: Wed, 24 Jan 2018 11:38:43 +0100 Subject: Integrate parts of meta-intel-iot-security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the recipes of the sub layers - meta-security-framework - meta-security-smack Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643 Signed-off-by: José Bollo --- ...ck-Handling-of-run-and-sys-fs-cgroup-v216.patch | 49 ++++++ ...n-smack-Handling-of-run-and-sys-fs-cgroup.patch | 50 ++++++ .../0004-tizen-smack-Handling-of-dev-v216.patch | 82 +++++++++ .../systemd/0004-tizen-smack-Handling-of-dev.patch | 68 ++++++++ .../0005-tizen-smack-Handling-network-v216.patch | 107 ++++++++++++ .../0005-tizen-smack-Handling-network-v225.patch | 191 +++++++++++++++++++++ .../0005-tizen-smack-Handling-network-v228.patch | 179 +++++++++++++++++++ .../0005-tizen-smack-Handling-network.patch | 106 ++++++++++++ ...zen-smack-Runs-systemd-journald-with-v216.patch | 41 +++++ ...07-tizen-smack-Runs-systemd-journald-with.patch | 37 ++++ ...x-handling-of-symlink-Smack-labellin-v228.patch | 58 +++++++ .../systemd/systemd/udev-smack-default.rules | 23 +++ .../recipes-core/systemd/systemd_%.bbappend | 120 +++++++++++++ 13 files changed, 1111 insertions(+) create mode 100644 meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch create mode 100644 meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch create mode 100644 meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch create mode 100644 meta-security/recipes-core/systemd/systemd/udev-smack-default.rules create mode 100644 meta-security/recipes-core/systemd/systemd_%.bbappend (limited to 'meta-security/recipes-core/systemd') diff --git a/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch new file mode 100644 index 000000000..2ff51f86b --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch @@ -0,0 +1,49 @@ +From da574755b8abe1d5fb9151f901ccea51d40d9509 Mon Sep 17 00:00:00 2001 +From: Michael Demeter +Date: Fri, 30 Oct 2015 11:25:50 +0100 +Subject: [PATCH] tizen-smack: Handling of /run and /sys/fs/cgroup + +Make /run a transmuting directory to enable systemd +communications with services in the User domain. + +Upstream-Status: Pending + +Change-Id: I9e23b78d17a108d8e56ad85a9e839b6ccbe4feff +--- + src/core/mount-setup.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c +index cc2633e..3dc7cd7 100644 +--- a/src/core/mount-setup.c ++++ b/src/core/mount-setup.c +@@ -85,19 +85,23 @@ static const MountPoint mount_table[] = { + use_smack, MNT_FATAL }, + { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + use_smack, MNT_FATAL }, +-#endif ++#else + { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, ++#endif + { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, + NULL, MNT_IN_CONTAINER }, + #ifdef HAVE_SMACK +- { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME, ++ { "tmpfs", "/run", "tmpfs", "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + use_smack, MNT_FATAL }, +-#endif ++ { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, ++ use_smack, MNT_IN_CONTAINER }, ++#else + { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, + { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, ++#endif + { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV, + NULL, MNT_IN_CONTAINER }, + { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV, +-- +2.1.4 + diff --git a/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch new file mode 100644 index 000000000..a4a3e50a6 --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch @@ -0,0 +1,50 @@ +From 831d552a9589bb2b99c042d01672409efa3d94fc Mon Sep 17 00:00:00 2001 +From: Michael Demeter +Date: Fri, 11 Oct 2013 15:37:57 -0700 +Subject: [PATCH 3/9] tizen-smack: Handling of /run and /sys/fs/cgroup + +Make /run a transmuting directory to enable systemd +communications with services in the User domain. + +Upstream-Status: Pending + +Change-Id: I9e23b78d17a108d8e56ad85a9e839b6ccbe4feff +--- + src/core/mount-setup.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c +index 521545e..ba0867c 100644 +--- a/src/core/mount-setup.c ++++ b/src/core/mount-setup.c +@@ -85,19 +85,23 @@ static const MountPoint mount_table[] = { + mac_smack_use, MNT_FATAL }, + { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + mac_smack_use, MNT_FATAL }, +-#endif ++#else + { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, ++#endif + { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, + NULL, MNT_IN_CONTAINER }, + #ifdef HAVE_SMACK +- { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME, +- mac_smack_use, MNT_FATAL }, +-#endif ++ { "tmpfs", "/run", "tmpfs", "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME, ++ mac_smack_use, MNT_FATAL }, ++ { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, ++ mac_smack_use, MNT_IN_CONTAINER }, ++#else + { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, + { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, + NULL, MNT_FATAL|MNT_IN_CONTAINER }, ++#endif + { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV, + NULL, MNT_IN_CONTAINER }, + { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV, +-- +1.8.4.5 + diff --git a/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch new file mode 100644 index 000000000..88c100fed --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch @@ -0,0 +1,82 @@ +From 468ef790a7a0e53c390cec9c63090a0ae04a4d58 Mon Sep 17 00:00:00 2001 +From: Michael Demeter +Date: Fri, 11 Oct 2013 15:37:57 -0700 +Subject: [PATCH 4/9] tizen-smack: Handling of /dev + +Smack enabled systems need /dev special devices correctly labeled + +- Add AC_DEFINE for HAVE_SMACK to configure.ac +- Add Check for smack in Makefile.am to include smack default rules +- Add smack default rules to label /dev/xxx correctly for access + +Upstream-Status: Inappropriate [configuration] + +Change-Id: Iebe2e349cbedb3013abdf32edb55e9310f1d17f5 +--- + configure.ac | 2 ++ + Makefile.am | 5 +++++ + rules/55-udev-smack-default.rules | 23 +++++++++++++++++++++++ + 3 files changed, 30 insertions(+) + create mode 100644 rules/55-udev-smack-default.rules + +diff --git a/configure.ac b/configure.ac +index 18b7198..05f49ed 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -635,6 +635,8 @@ if test "x${have_smack}" = xyes ; then + AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available]) + fi + ++AM_CONDITIONAL([HAVE_SMACK], [test "x$have_smack" = "xyes"]) ++ + # ------------------------------------------------------------------------------ + AC_ARG_ENABLE([gcrypt], + AS_HELP_STRING([--disable-gcrypt],[Disable optional GCRYPT support]), +diff --git a/Makefile.am b/Makefile.am +index bf04d31..1a05607 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -3108,6 +3108,11 @@ dist_udevrules_DATA += \ + nodist_udevrules_DATA += \ + rules/99-systemd.rules + ++if HAVE_SMACK ++dist_udevrules_DATA += \ ++ rules/55-udev-smack-default.rules ++endif ++ + dist_udevhwdb_DATA = \ + hwdb/20-pci-vendor-model.hwdb \ + hwdb/20-pci-classes.hwdb \ +diff --git a/rules/55-udev-smack-default.rules b/rules/55-udev-smack-default.rules +new file mode 100644 +index 0000000..3829019 +--- /dev/null ++++ b/rules/55-udev-smack-default.rules +@@ -0,0 +1,23 @@ ++# do not edit this file, it will be overwritten on update ++ ++KERNEL=="null", SECLABEL{smack}="*" ++KERNEL=="zero", SECLABEL{smack}="*" ++KERNEL=="console", SECLABEL{smack}="*" ++KERNEL=="kmsg", SECLABEL{smack}="*" ++KERNEL=="video*", SECLABEL{smack}="*" ++KERNEL=="card*", SECLABEL{smack}="*" ++KERNEL=="ptmx", SECLABEL{smack}="*" ++KERNEL=="tty", SECLABEL{smack}="*" ++ ++SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*" ++SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*" ++SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*" ++ ++SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*" ++SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*" ++SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*" ++SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*" ++KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*" ++ ++SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*" ++SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*" +-- +1.8.4.5 + diff --git a/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch new file mode 100644 index 000000000..b12caaec5 --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch @@ -0,0 +1,68 @@ +From 468ef790a7a0e53c390cec9c63090a0ae04a4d58 Mon Sep 17 00:00:00 2001 +From: Michael Demeter +Date: Fri, 11 Oct 2013 15:37:57 -0700 +Subject: [PATCH 4/9] tizen-smack: Handling of /dev + +Smack enabled systems need /dev special devices correctly labeled + +- Add AC_DEFINE for HAVE_SMACK to configure.ac +- Add Check for smack in Makefile.am to include smack default rules +- Add smack default rules to label /dev/xxx correctly for access + +Upstream-Status: Inappropriate [configuration] + +Change-Id: Iebe2e349cbedb3013abdf32edb55e9310f1d17f5 +--- + Makefile.am | 5 +++++ + rules/55-udev-smack-default.rules | 23 +++++++++++++++++++++++ + 2 files changed, 28 insertions(+) + create mode 100644 rules/55-udev-smack-default.rules + +diff --git a/Makefile.am b/Makefile.am +index bf04d31..1a05607 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -3571,6 +3571,11 @@ dist_udevrules_DATA += \ + nodist_udevrules_DATA += \ + rules/99-systemd.rules + ++if HAVE_SMACK ++dist_udevrules_DATA += \ ++ rules/55-udev-smack-default.rules ++endif ++ + udevconfdir = $(sysconfdir)/udev + dist_udevconf_DATA = \ + src/udev/udev.conf +diff --git a/rules/55-udev-smack-default.rules b/rules/55-udev-smack-default.rules +new file mode 100644 +index 0000000..3829019 +--- /dev/null ++++ b/rules/55-udev-smack-default.rules +@@ -0,0 +1,23 @@ ++# do not edit this file, it will be overwritten on update ++ ++KERNEL=="null", SECLABEL{smack}="*" ++KERNEL=="zero", SECLABEL{smack}="*" ++KERNEL=="console", SECLABEL{smack}="*" ++KERNEL=="kmsg", SECLABEL{smack}="*" ++KERNEL=="video*", SECLABEL{smack}="*" ++KERNEL=="card*", SECLABEL{smack}="*" ++KERNEL=="ptmx", SECLABEL{smack}="*" ++KERNEL=="tty", SECLABEL{smack}="*" ++ ++SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*" ++SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*" ++SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*" ++ ++SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*" ++SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*" ++SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*" ++SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*" ++KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*" ++ ++SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*" ++SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*" +-- +1.8.4.5 + diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch new file mode 100644 index 000000000..3d69bb2a8 --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch @@ -0,0 +1,107 @@ +From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001 +From: Casey Schaufler +Date: Fri, 8 Nov 2013 09:42:26 -0800 +Subject: [PATCH 5/9] tizen-smack: Handling network + +- Set Smack ambient to match run label +- Set Smack netlabel host rules + +Set Smack ambient to match run label +------------------------------------ +Set the Smack networking ambient label to match the +run label of systemd. System services may expect to +communicate with external services over IP. Setting +the ambient label assigns that label to IP packets +that do not include CIPSO headers. This allows systemd +and the services it spawns access to unlabeled IP +packets, and hence external services. + +A system may choose to restrict network access to +particular services later in the startup process. +This is easily done by resetting the ambient label +elsewhere. + +Set Smack netlabel host rules +----------------------------- +If SMACK_RUN_LABEL is defined set all other hosts to be +single label hosts at the specified label. Set the loopback +address to be a CIPSO host. + +If any netlabel host rules are defined in /etc/smack/netlabel.d +install them into the smackfs netlabel interface. + +Upstream-Status: Pending + +--- + src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++- + 1 file changed, 32 insertions(+), 1 deletion(-) + +diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c +index 59f6832..33dc1ca 100644 +--- a/src/core/smack-setup.c ++++ b/src/core/smack-setup.c +@@ -42,6 +42,7 @@ + + #define SMACK_CONFIG "/etc/smack/accesses.d/" + #define CIPSO_CONFIG "/etc/smack/cipso.d/" ++#define NETLABEL_CONFIG "/etc/smack/netlabel.d/" + + #ifdef HAVE_SMACK + +@@ -146,6 +147,19 @@ int smack_setup(bool *loaded_policy) { + if (r) + log_warning("Failed to set SMACK label \"%s\" on self: %s", + SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL); ++ if (r) ++ log_warning("Failed to set SMACK ambient label \"%s\": %s", ++ SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/netlabel", ++ "0.0.0.0/0 " SMACK_RUN_LABEL); ++ if (r) ++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", ++ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO"); ++ if (r) ++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", ++ "127.0.0.1 -CIPSO", strerror(-r)); + #endif + + r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG); +@@ -155,14 +169,31 @@ int smack_setup(bool *loaded_policy) { + return 0; + case ENOENT: + log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found"); +- return 0; ++ break; + case 0: + log_info("Successfully loaded Smack/CIPSO policies."); +- return 0; ++ break; + default: + log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.", + strerror(abs(r))); ++ break; ++ } ++ ++ r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG); ++ switch(r) { ++ case -ENOENT: ++ log_debug("Smack/CIPSO is not enabled in the kernel."); + return 0; ++ case ENOENT: ++ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found"); ++ break; ++ case 0: ++ log_info("Successfully loaded Smack network host rules."); ++ break; ++ default: ++ log_warning("Failed to load Smack network host rules: %s, ignoring.", ++ strerror(abs(r))); ++ break; + } + + *loaded_policy = true; +-- +1.8.4.5 + diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch new file mode 100644 index 000000000..d5678f2e6 --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch @@ -0,0 +1,191 @@ +From 513a8d943538643fabf0d31f1eed261677dfbddc Mon Sep 17 00:00:00 2001 +From: Casey Schaufler +Date: Fri, 8 Nov 2013 09:42:26 -0800 +Subject: [PATCH] tizen-smack: Handling network + +- Set Smack ambient to match run label +- Set Smack netlabel host rules + +Set Smack ambient to match run label +------------------------------------ +Set the Smack networking ambient label to match the +run label of systemd. System services may expect to +communicate with external services over IP. Setting +the ambient label assigns that label to IP packets +that do not include CIPSO headers. This allows systemd +and the services it spawns access to unlabeled IP +packets, and hence external services. + +A system may choose to restrict network access to +particular services later in the startup process. +This is easily done by resetting the ambient label +elsewhere. + +Set Smack netlabel host rules +----------------------------- +If SMACK_RUN_LABEL is defined set all other hosts to be +single label hosts at the specified label. Set the loopback +address to be a CIPSO host. + +If any netlabel host rules are defined in /etc/smack/netlabel.d +install them into the smackfs netlabel interface. + +[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"] +[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"] + +Upstream-Status: Pending +--- + src/core/smack-setup.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 106 insertions(+), 3 deletions(-) + +diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c +index cbe7d0b..b384aa0 100644 +--- a/src/core/smack-setup.c ++++ b/src/core/smack-setup.c +@@ -34,6 +34,9 @@ + #include "fileio.h" + #include "log.h" + ++#define CIPSO_CONFIG "/etc/smack/cipso.d/" ++#define NETLABEL_CONFIG "/etc/smack/netlabel.d/" ++ + #ifdef HAVE_SMACK + + static int write_access2_rules(const char* srcdir) { +@@ -193,6 +196,76 @@ static int write_cipso2_rules(const char* srcdir) { + return r; + } + ++static int write_netlabel_rules(const char* srcdir) { ++ _cleanup_fclose_ FILE *dst = NULL; ++ _cleanup_closedir_ DIR *dir = NULL; ++ struct dirent *entry; ++ char buf[NAME_MAX]; ++ int dfd = -1; ++ int r = 0; ++ static const char dstpath[] = "/sys/fs/smackfs/netlabel"; ++ ++ dst = fopen(dstpath, "we"); ++ if (!dst) { ++ if (errno != ENOENT) ++ log_warning_errno(errno, "Failed to open %s: %m", dstpath); ++ return -errno; /* negative error */ ++ } ++ ++ /* write rules to dst from every file in the directory */ ++ dir = opendir(srcdir); ++ if (!dir) { ++ if (errno != ENOENT) ++ log_warning_errno(errno, "Failed to opendir %s: %m", srcdir); ++ return errno; /* positive on purpose */ ++ } ++ ++ dfd = dirfd(dir); ++ assert(dfd >= 0); ++ ++ FOREACH_DIRENT(entry, dir, return 0) { ++ int fd; ++ _cleanup_fclose_ FILE *policy = NULL; ++ ++ fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC); ++ if (fd < 0) { ++ if (r == 0) ++ r = -errno; ++ log_warning_errno(errno, "Failed to open %s: %m", entry->d_name); ++ continue; ++ } ++ ++ policy = fdopen(fd, "re"); ++ if (!policy) { ++ if (r == 0) ++ r = -errno; ++ safe_close(fd); ++ log_error_errno(errno, "Failed to open %s: %m", entry->d_name); ++ continue; ++ } ++ ++ /* load2 write rules in the kernel require a line buffered stream */ ++ FOREACH_LINE(buf, policy, ++ log_error_errno(errno, "Failed to read line from %s: %m", ++ entry->d_name)) { ++ if (!fputs(buf, dst)) { ++ if (r == 0) ++ r = -EINVAL; ++ log_error("Failed to write line to %s", dstpath); ++ break; ++ } ++ if (fflush(dst)) { ++ if (r == 0) ++ r = -errno; ++ log_error_errno(errno, "Failed to flush writes to %s: %m", dstpath); ++ break; ++ } ++ } ++ } ++ ++ return r; ++} ++ + #endif + + int mac_smack_setup(bool *loaded_policy) { +@@ -225,23 +298,53 @@ int mac_smack_setup(bool *loaded_policy) { + if (r) + log_warning("Failed to set SMACK label \"%s\" on self: %s", + SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, 0); ++ if (r) ++ log_warning("Failed to set SMACK ambient label \"%s\": %s", ++ SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/netlabel", ++ "0.0.0.0/0 " SMACK_RUN_LABEL, 0); ++ if (r) ++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", ++ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", 0); ++ if (r) ++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", ++ "127.0.0.1 -CIPSO", strerror(-r)); + #endif + +- r = write_cipso2_rules("/etc/smack/cipso.d/"); ++ r = write_cipso2_rules(CIPSO_CONFIG); + switch(r) { + case -ENOENT: + log_debug("Smack/CIPSO is not enabled in the kernel."); + return 0; + case ENOENT: +- log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found"); +- return 0; ++ log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found"); ++ break; + case 0: + log_info("Successfully loaded Smack/CIPSO policies."); + break; + default: + log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.", + strerror(abs(r))); ++ break; ++ } ++ ++ r = write_netlabel_rules(NETLABEL_CONFIG); ++ switch(r) { ++ case -ENOENT: ++ log_debug("Smack/CIPSO is not enabled in the kernel."); + return 0; ++ case ENOENT: ++ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found"); ++ break; ++ case 0: ++ log_info("Successfully loaded Smack network host rules."); ++ break; ++ default: ++ log_warning("Failed to load Smack network host rules: %s, ignoring.", ++ strerror(abs(r))); ++ break; + } + + *loaded_policy = true; +-- +2.1.4 + diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch new file mode 100644 index 000000000..bc6b97c8f --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch @@ -0,0 +1,179 @@ +From e714327016fb65a0bf977588efaecbaf41ac3cfc Mon Sep 17 00:00:00 2001 +From: Casey Schaufler +Date: Fri, 8 Nov 2013 09:42:26 -0800 +Subject: [PATCH 4/6] tizen-smack: Handling network + +- Set Smack ambient to match run label +- Set Smack netlabel host rules + +Set Smack ambient to match run label +------------------------------------ +Set the Smack networking ambient label to match the +run label of systemd. System services may expect to +communicate with external services over IP. Setting +the ambient label assigns that label to IP packets +that do not include CIPSO headers. This allows systemd +and the services it spawns access to unlabeled IP +packets, and hence external services. + +A system may choose to restrict network access to +particular services later in the startup process. +This is easily done by resetting the ambient label +elsewhere. + +Set Smack netlabel host rules +----------------------------- +If SMACK_RUN_LABEL is defined set all other hosts to be +single label hosts at the specified label. Set the loopback +address to be a CIPSO host. + +If any netlabel host rules are defined in /etc/smack/netlabel.d +install them into the smackfs netlabel interface. + +[Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf] +[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"] +[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"] +[Patrick Ohly: adapted to upstream code review feedback: error logging, string constants] + +Upstream-Status: Accepted [https://github.com/systemd/systemd/pull/2262] + +%% original patch: 0005-tizen-smack-Handling-network-v225.patch +--- + src/core/smack-setup.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 98 insertions(+), 3 deletions(-) + +diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c +index 0661ff9..c9374ca 100644 +--- a/src/core/smack-setup.c ++++ b/src/core/smack-setup.c +@@ -197,6 +197,75 @@ static int write_cipso2_rules(const char* srcdir) { + return r; + } + ++static int write_netlabel_rules(const char* srcdir) { ++ _cleanup_fclose_ FILE *dst = NULL; ++ _cleanup_closedir_ DIR *dir = NULL; ++ struct dirent *entry; ++ char buf[NAME_MAX]; ++ int dfd = -1; ++ int r = 0; ++ ++ dst = fopen("/sys/fs/smackfs/netlabel", "we"); ++ if (!dst) { ++ if (errno != ENOENT) ++ log_warning_errno(errno, "Failed to open /sys/fs/smackfs/netlabel: %m"); ++ return -errno; /* negative error */ ++ } ++ ++ /* write rules to dst from every file in the directory */ ++ dir = opendir(srcdir); ++ if (!dir) { ++ if (errno != ENOENT) ++ log_warning_errno(errno, "Failed to opendir %s: %m", srcdir); ++ return errno; /* positive on purpose */ ++ } ++ ++ dfd = dirfd(dir); ++ assert(dfd >= 0); ++ ++ FOREACH_DIRENT(entry, dir, return 0) { ++ int fd; ++ _cleanup_fclose_ FILE *policy = NULL; ++ ++ fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC); ++ if (fd < 0) { ++ if (r == 0) ++ r = -errno; ++ log_warning_errno(errno, "Failed to open %s: %m", entry->d_name); ++ continue; ++ } ++ ++ policy = fdopen(fd, "re"); ++ if (!policy) { ++ if (r == 0) ++ r = -errno; ++ safe_close(fd); ++ log_error_errno(errno, "Failed to open %s: %m", entry->d_name); ++ continue; ++ } ++ ++ /* load2 write rules in the kernel require a line buffered stream */ ++ FOREACH_LINE(buf, policy, ++ log_error_errno(errno, "Failed to read line from %s: %m", ++ entry->d_name)) { ++ if (!fputs(buf, dst)) { ++ if (r == 0) ++ r = -EINVAL; ++ log_error_errno(errno, "Failed to write line to /sys/fs/smackfs/netlabel"); ++ break; ++ } ++ if (fflush(dst)) { ++ if (r == 0) ++ r = -errno; ++ log_error_errno(errno, "Failed to flush writes to /sys/fs/smackfs/netlabel: %m"); ++ break; ++ } ++ } ++ } ++ ++ return r; ++} ++ + #endif + + int mac_smack_setup(bool *loaded_policy) { +@@ -225,8 +294,18 @@ int mac_smack_setup(bool *loaded_policy) { + + #ifdef SMACK_RUN_LABEL + r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, 0); +- if (r) +- log_warning_errno(r, "Failed to set SMACK label \"%s\" on self: %m", SMACK_RUN_LABEL); ++ if (r < 0) ++ log_warning_errno(r, "Failed to set SMACK label \"" SMACK_RUN_LABEL "\" on self: %m"); ++ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, 0); ++ if (r < 0) ++ log_warning_errno(r, "Failed to set SMACK ambient label \"" SMACK_RUN_LABEL "\": %m"); ++ r = write_string_file("/sys/fs/smackfs/netlabel", ++ "0.0.0.0/0 " SMACK_RUN_LABEL, 0); ++ if (r < 0) ++ log_warning_errno(r, "Failed to set SMACK netlabel rule \"0.0.0.0/0 " SMACK_RUN_LABEL "\": %m"); ++ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", 0); ++ if (r < 0) ++ log_warning_errno(r, "Failed to set SMACK netlabel rule \"127.0.0.1 -CIPSO\": %m"); + #endif + + r = write_cipso2_rules("/etc/smack/cipso.d/"); +@@ -236,13 +315,29 @@ int mac_smack_setup(bool *loaded_policy) { + return 0; + case ENOENT: + log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found"); +- return 0; ++ break; + case 0: + log_info("Successfully loaded Smack/CIPSO policies."); + break; + default: + log_warning_errno(r, "Failed to load Smack/CIPSO access rules, ignoring: %m"); ++ break; ++ } ++ ++ r = write_netlabel_rules("/etc/smack/netlabel.d/"); ++ switch(r) { ++ case -ENOENT: ++ log_debug("Smack/CIPSO is not enabled in the kernel."); + return 0; ++ case ENOENT: ++ log_debug("Smack network host rules directory '/etc/smack/netlabel.d/' not found"); ++ break; ++ case 0: ++ log_info("Successfully loaded Smack network host rules."); ++ break; ++ default: ++ log_warning_errno(r, "Failed to load Smack network host rules: %m, ignoring."); ++ break; + } + + *loaded_policy = true; +-- +2.1.4 + diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch new file mode 100644 index 000000000..cd6a3c90b --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch @@ -0,0 +1,106 @@ +From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001 +From: Casey Schaufler +Date: Fri, 8 Nov 2013 09:42:26 -0800 +Subject: [PATCH 5/9] tizen-smack: Handling network + +- Set Smack ambient to match run label +- Set Smack netlabel host rules + +Set Smack ambient to match run label +------------------------------------ +Set the Smack networking ambient label to match the +run label of systemd. System services may expect to +communicate with external services over IP. Setting +the ambient label assigns that label to IP packets +that do not include CIPSO headers. This allows systemd +and the services it spawns access to unlabeled IP +packets, and hence external services. + +A system may choose to restrict network access to +particular services later in the startup process. +This is easily done by resetting the ambient label +elsewhere. + +Set Smack netlabel host rules +----------------------------- +If SMACK_RUN_LABEL is defined set all other hosts to be +single label hosts at the specified label. Set the loopback +address to be a CIPSO host. + +If any netlabel host rules are defined in /etc/smack/netlabel.d +install them into the smackfs netlabel interface. + +Upstream-Status: Pending + +--- + src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++- + 1 file changed, 32 insertions(+), 1 deletion(-) + +diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c +index 59f6832..33dc1ca 100644 +--- a/src/core/smack-setup.c ++++ b/src/core/smack-setup.c +@@ -42,6 +42,7 @@ + + #define SMACK_CONFIG "/etc/smack/accesses.d/" + #define CIPSO_CONFIG "/etc/smack/cipso.d/" ++#define NETLABEL_CONFIG "/etc/smack/netlabel.d/" + + #ifdef HAVE_SMACK + +@@ -146,6 +147,19 @@ int mac_smack_setup(bool *loaded_policy) { + if (r) + log_warning("Failed to set SMACK label \"%s\" on self: %s", + SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL); ++ if (r) ++ log_warning("Failed to set SMACK ambient label \"%s\": %s", ++ SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/netlabel", ++ "0.0.0.0/0 " SMACK_RUN_LABEL); ++ if (r) ++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", ++ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO"); ++ if (r) ++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", ++ "127.0.0.1 -CIPSO", strerror(-r)); + #endif + + r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG); +@@ -155,14 +169,31 @@ int mac_smack_setup(bool *loaded_policy) { + return 0; + case ENOENT: + log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found"); +- return 0; ++ break; + case 0: + log_info("Successfully loaded Smack/CIPSO policies."); + break; + default: + log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.", + strerror(abs(r))); ++ break; ++ } ++ ++ r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG); ++ switch(r) { ++ case -ENOENT: ++ log_debug("Smack/CIPSO is not enabled in the kernel."); + return 0; ++ case ENOENT: ++ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found"); ++ break; ++ case 0: ++ log_info("Successfully loaded Smack network host rules."); ++ break; ++ default: ++ log_warning("Failed to load Smack network host rules: %s, ignoring.", ++ strerror(abs(r))); ++ break; + } + + *loaded_policy = true; +-- +1.8.4.5 + diff --git a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch new file mode 100644 index 000000000..dd2c6542e --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch @@ -0,0 +1,41 @@ +From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001 +From: Casey Schaufler +Date: Thu, 19 Dec 2013 16:49:28 -0800 +Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^ + +Run systemd-journald with the hat ("^") Smack label. + +The journal daemon needs global read access to gather information +about the services spawned by systemd. The hat label is intended +for this purpose. The journal daemon is the only part of the +System domain that needs read access to the User domain. Giving +the journal daemon the hat label means that we can remove the +System domain's read access to the User domain. + +Upstream-Status: Inappropriate [configuration] + +Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370 +Signed-off-by: Casey Schaufler +--- + units/systemd-journald.service.in | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index a3540c6..745dd84 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -20,8 +20,10 @@ Restart=always + RestartSec=0 + NotifyAccess=all + StandardOutput=null ++SmackProcessLabel=^ +-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID ++CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE + WatchdogSec=1min ++FileDescriptorStoreMax=1024 + + # Increase the default a bit in order to allow many simultaneous + # services being run since we keep one fd open per service. +-- +1.8.4.5 + diff --git a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch new file mode 100644 index 000000000..27a9d0bc6 --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch @@ -0,0 +1,37 @@ +From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001 +From: Casey Schaufler +Date: Thu, 19 Dec 2013 16:49:28 -0800 +Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^ + +Run systemd-journald with the hat ("^") Smack label. + +The journal daemon needs global read access to gather information +about the services spawned by systemd. The hat label is intended +for this purpose. The journal daemon is the only part of the +System domain that needs read access to the User domain. Giving +the journal daemon the hat label means that we can remove the +System domain's read access to the User domain. + +Upstream-Status: Inappropriate [configuration] + +Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370 +Signed-off-by: Casey Schaufler +--- + units/systemd-journald.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index a3540c6..745dd84 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -21,6 +21,7 @@ Restart=always + RestartSec=0 + NotifyAccess=all + StandardOutput=null ++SmackProcessLabel=^ + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE + WatchdogSec=1min + FileDescriptorStoreMax=1024 +-- +1.8.4.5 + diff --git a/meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch b/meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch new file mode 100644 index 000000000..5a1baefed --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch @@ -0,0 +1,58 @@ +From fd84be63d15fc94c1f396979c67e070c6cd7451b Mon Sep 17 00:00:00 2001 +From: Patrick Ohly +Date: Mon, 21 Dec 2015 14:56:00 +0100 +Subject: [PATCH] mount-setup.c: fix handling of symlink Smack labelling in + cgroup setup + +The code introduced in f8c1a81c51 (= systemd 227) failed for me with: + Failed to copy smack label from net_cls to /sys/fs/cgroup/net_cls: No such file or directory + +There is no need for a symlink in this case because source and target +are identical. The symlink() call is allowed to fail when the target +already exists. When that happens, copying the Smack label must be +skipped. + +But the code also failed when there is a symlink, like "cpu -> +cpu,cpuacct", because mac_smack_copy() got called with +src="cpu,cpuacct" which fails to find the entry because the current +directory is not inside /sys/fs/cgroup. The absolute path to the existing +entry must be used instead. + +Upstream-Status: Accepted [https://github.com/systemd/systemd/pull/2205] + +Signed-off-by: Patrick Ohly +--- + src/core/mount-setup.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c +index 2b8d590..d73b319 100644 +--- a/src/core/mount-setup.c ++++ b/src/core/mount-setup.c +@@ -304,13 +304,18 @@ int mount_cgroup_controllers(char ***join_controllers) { + return log_oom(); + + r = symlink(options, t); +- if (r < 0 && errno != EEXIST) +- return log_error_errno(errno, "Failed to create symlink %s: %m", t); ++ if (r >= 0) { + #ifdef SMACK_RUN_LABEL +- r = mac_smack_copy(t, options); +- if (r < 0 && r != -EOPNOTSUPP) +- return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", options, t); ++ _cleanup_free_ char *src; ++ src = strappend("/sys/fs/cgroup/", options); ++ if (!src) ++ return log_oom(); ++ r = mac_smack_copy(t, src); ++ if (r < 0 && r != -EOPNOTSUPP) ++ return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", src, t); + #endif ++ } else if (errno != EEXIST) ++ return log_error_errno(errno, "Failed to create symlink %s: %m", t); + } + } + } +-- +2.1.4 + diff --git a/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules b/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules new file mode 100644 index 000000000..3829019de --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules @@ -0,0 +1,23 @@ +# do not edit this file, it will be overwritten on update + +KERNEL=="null", SECLABEL{smack}="*" +KERNEL=="zero", SECLABEL{smack}="*" +KERNEL=="console", SECLABEL{smack}="*" +KERNEL=="kmsg", SECLABEL{smack}="*" +KERNEL=="video*", SECLABEL{smack}="*" +KERNEL=="card*", SECLABEL{smack}="*" +KERNEL=="ptmx", SECLABEL{smack}="*" +KERNEL=="tty", SECLABEL{smack}="*" + +SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*" +SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*" +SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*" + +SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*" +SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*" +SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*" +SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*" +KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*" + +SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*" +SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*" diff --git a/meta-security/recipes-core/systemd/systemd_%.bbappend b/meta-security/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 000000000..bea5a3731 --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd_%.bbappend @@ -0,0 +1,120 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally +# because systemd panics when booted without Smack support: +# systemd[1]: Cannot determine cgroup we are running in: No such file or directory +# systemd[1]: Failed to allocate manager object: No such file or directory +# [!!!!!!] Failed to allocate manager object, freezing. +# +# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network. +# We use the beginning of PV (unexpanded here to prevent a cyclic dependency +# during resolution apparently caused by ${SRCPV}) to pick the right set of +# patches. +# +# Patches are optional. Hopefully we won't need any for systemd >= 229. +SRC_URI_append_with-lsm-smack = " ${@d.getVar('SYSTEMD_SMACK_PATCHES_' + d.getVar('PV', False)[0:3], True) or ''}" + +SYSTEMD_SMACK_PATCHES_216 = " \ +file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch \ +file://0004-tizen-smack-Handling-of-dev-v216.patch \ +file://0005-tizen-smack-Handling-network-v216.patch \ +file://0007-tizen-smack-Runs-systemd-journald-with-v216.patch \ +" + +SYSTEMD_SMACK_PATCHES_219 = " \ +file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \ +file://0004-tizen-smack-Handling-of-dev.patch \ +file://0005-tizen-smack-Handling-network.patch \ +file://0007-tizen-smack-Runs-systemd-journald-with.patch \ +" +SYSTEMD_SMACK_PATCHES_225 = " \ +file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \ +file://0004-tizen-smack-Handling-of-dev.patch \ +file://0005-tizen-smack-Handling-network-v225.patch \ +file://0007-tizen-smack-Runs-systemd-journald-with.patch \ +" + +SYSTEMD_SMACK_PATCHES_228 = " \ +file://0005-tizen-smack-Handling-network-v228.patch \ +file://mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch \ +" + +# From Tizen .spec file. +EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System" + +install_file() { + install -d $(dirname $1) + cat >>$1 + chmod ${2:-0644} $1 +} + +# We need to emulate parts of the filesystem permissions from Tizen here. +# The part for regular files is in base-files.bbappend, but /var/log and +# /var/tmp point into /var/volatile (tmpfs) and get created anew during +# startup. We set these permissions directly after creating them via +# /etc/tmpfiles.d/00-create-volatile.conf +RDEPENDS_${PN}_append_with-lsm-smack = " smack-userspace" +do_install_append_with-lsm-smack() { + install_file ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf <. + # Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664), + # but it was removed again (https://github.com/systemd/systemd/issues/1696) because + # util-linux mount will ignore smackfsroot when Smack is not active. However, + # busybox is not that intelligent. + # + # When using busybox mount, adding smackfsroot=* and booting without + # Smack (i.e. security=none), tmp.mount will fail with an error about + # "Bad mount option smackfsroot". + install_file ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf < + # + # This is considered a configuration change and thus distro specific. + install_file ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf <. + # + # We simplify the patching by touching only lines which check the result of + # mac_smack_use(). Those are the ones which are used when Smack is active. + # + # smackfsroot=* on /sys/fs/cgroup may be upstreamable, but smackfstransmute=System::Run + # is too distro specific (depends on Smack rules) and thus has to remain here. + sed -i -e 's;\("/sys/fs/cgroup", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfsroot=*\2;' \ + -e 's;\("/run", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfstransmute=System::Run\2;' \ + ${S}/src/core/mount-setup.c +} -- cgit 1.2.3-korg From d9bac27cdb912b18b7fd8d5096c4612025493ef6 Mon Sep 17 00:00:00 2001 From: José Bollo Date: Wed, 24 Jan 2018 11:52:04 +0100 Subject: Remove smack recipe MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit smack user space library is provided by meta-security Change-Id: Ifb5e88e5f5a1aab3e695ab91a56d8c55c33fd004 Signed-off-by: José Bollo --- .../recipes-core/af-main/af-main_1.0.bb | 6 ++--- .../recipes-core/base-files/base-files_%.bbappend | 4 ++-- .../security-manager/security-manager_%.bbappend | 2 +- .../recipes-support/xmlsec1/xmlsec1_1.%.bbappend | 4 +--- .../recipes-core/base-files/base-files_%.bbappend | 4 ++-- .../packagegroup-security-framework.bb | 2 +- .../recipes-core/systemd/systemd_%.bbappend | 2 +- meta-security/recipes-security/cynara/cynara.inc | 4 ++-- .../recipes-security/smack/smack-userspace_git.bb | 27 ---------------------- 9 files changed, 13 insertions(+), 42 deletions(-) delete mode 100644 meta-security/recipes-security/smack/smack-userspace_git.bb (limited to 'meta-security/recipes-core/systemd') diff --git a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb index 69df39eae..e160486b2 100644 --- a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb +++ b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb @@ -14,7 +14,7 @@ DEPENDS = "openssl libxml2 xmlsec1 systemd libzip json-c systemd security-manage DEPENDS_class-native = "openssl libxml2 xmlsec1 libzip json-c" RDEPENDS_${PN}_class-target += "af-binder-tools" -PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-userspace-native libcap-native" +PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native libcap-native" EXTRA_OECMAKE_class-native = "\ -DUSE_LIBZIP=1 \ @@ -46,8 +46,8 @@ GROUPADD_PARAM_${PN} = "-r ${afm_name}" FILES_${PN} += "\ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_user_unitdir}/afm-user-daemon.service', '', d)} \ " -RDEPENDS_${PN}_append_with-lsm-smack = " smack-userspace bash" -DEPENDS_append_with-lsm-smack = " smack-userspace-native" +RDEPENDS_${PN}_append_with-lsm-smack = " smack bash" +DEPENDS_append_with-lsm-smack = " smack-native" # short hacks here SRC_URI += "\ diff --git a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend index 249f32156..b837d03ad 100644 --- a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend +++ b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend @@ -1,5 +1,5 @@ -RDEPENDS_${PN}_append_with-lsm-smack = " smack-userspace" -PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-userspace-native" +RDEPENDS_${PN}_append_with-lsm-smack = " smack" +PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native" do_install_append() { install -d ${D}/${sysconfdir}/skel/app-data diff --git a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend index cd02afabb..61c933a7e 100644 --- a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend +++ b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend @@ -1,6 +1,6 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:" -PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-userspace-native" +PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native" SRC_URI += " file://0001-Adapt-rules-to-AGL.patch \ file://init-security-manager-db.service \ diff --git a/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend b/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend index 8f1972f07..ea1017a9e 100644 --- a/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend +++ b/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend @@ -1,6 +1,4 @@ -FILESEXTRAPATHS_append := ":${THISDIR}/${PN}" -SRC_URI += "file://Only-require-libxslt-in-.pc-files-when-necessary.patch" -DEPENDS += "libxml2" +DEPENDS = "libtool libxml2 libxslt openssl" BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/recipes-core/base-files/base-files_%.bbappend b/meta-security/recipes-core/base-files/base-files_%.bbappend index 7a37eb9dc..a6af1821b 100644 --- a/meta-security/recipes-core/base-files/base-files_%.bbappend +++ b/meta-security/recipes-core/base-files/base-files_%.bbappend @@ -40,8 +40,8 @@ EOF # via postinst. This is much easier to use with bitbake, too: # - no need to maintain a patched rpm # - works for directories which are not packaged by default when empty -RDEPENDS_${PN}_append_with-lsm-smack = " smack-userspace" -DEPENDS_append_with-lsm-smack = " smack-userspace-native" +RDEPENDS_${PN}_append_with-lsm-smack = " smack" +DEPENDS_append_with-lsm-smack = " smack-native" pkg_postinst_${PN}_with-lsm-smack() { #!/bin/sh -e diff --git a/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb index c728da3b9..b52e18d4e 100644 --- a/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb +++ b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb @@ -8,7 +8,7 @@ inherit packagegroup # # Cynara does not have a hard dependency on Smack security, # but is meant to be used with it. security-manager however -# links against smack-userspace and expects Smack to be active, +# links against smack and expects Smack to be active, # so we do not have any choice. # # Without configuration, security-manager is not usable. We use diff --git a/meta-security/recipes-core/systemd/systemd_%.bbappend b/meta-security/recipes-core/systemd/systemd_%.bbappend index bea5a3731..65e28f9de 100644 --- a/meta-security/recipes-core/systemd/systemd_%.bbappend +++ b/meta-security/recipes-core/systemd/systemd_%.bbappend @@ -53,7 +53,7 @@ install_file() { # /var/tmp point into /var/volatile (tmpfs) and get created anew during # startup. We set these permissions directly after creating them via # /etc/tmpfiles.d/00-create-volatile.conf -RDEPENDS_${PN}_append_with-lsm-smack = " smack-userspace" +RDEPENDS_${PN}_append_with-lsm-smack = " smack" do_install_append_with-lsm-smack() { install_file ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf <