From 27037c57de0a88cdc39934556b786721ae979eff Mon Sep 17 00:00:00 2001
From: José Bollo
Date: Thu, 13 Dec 2018 14:33:55 +0100
Subject: systemd: Cleanup of recipe of meta-security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The recipe for systemd that belongs to meta-security was carrying a lot of history for no apparent purpose. If that history is needed, curious people can still refer to https://github.com/intel/meta-intel-iot-security

Change-Id: I8762da7feb2084de2a97025498eb47ef815c7954
Signed-off-by: José Bollo
---
 ...ck-Handling-of-run-and-sys-fs-cgroup-v216.patch | 49 ------
 ...n-smack-Handling-of-run-and-sys-fs-cgroup.patch | 50 ------
 .../0004-tizen-smack-Handling-of-dev-v216.patch | 82 ---------
 .../systemd/0004-tizen-smack-Handling-of-dev.patch | 68 --------
 .../0005-tizen-smack-Handling-network-v216.patch | 107 ------------
 .../0005-tizen-smack-Handling-network-v225.patch | 191 ---------------------
 .../0005-tizen-smack-Handling-network-v228.patch | 179 -------------------
 .../0005-tizen-smack-Handling-network.patch | 106 ------------
 ...zen-smack-Runs-systemd-journald-with-v216.patch | 41 -----
 ...07-tizen-smack-Runs-systemd-journald-with.patch | 37 ----
 ...x-handling-of-symlink-Smack-labellin-v228.patch | 58 -------
 .../recipes-core/systemd/systemd_234.bbappend | 53 +-----
 12 files changed, 9 insertions(+), 1012 deletions(-)
 delete mode 100644 meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch
 delete mode 100644 meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch
 delete mode 100644 meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch
 delete mode 100644 meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch
 delete mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch
 delete mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch
 delete mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch
 delete mode 100644 meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch
 delete mode 100644 meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch
 delete mode 100644 meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch
 delete mode 100644 meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch
(limited to 'meta-security/recipes-core')
diff --git a/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch
deleted file mode 100644
index 2ff51f86b..000000000
--- a/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From da574755b8abe1d5fb9151f901ccea51d40d9509 Mon Sep 17 00:00:00 2001
-From: Michael Demeter
-Date: Fri, 30 Oct 2015 11:25:50 +0100
-Subject: [PATCH] tizen-smack: Handling of /run and /sys/fs/cgroup
-
-Make /run a transmuting directory to enable systemd
-communications with services in the User domain.
-
-Upstream-Status: Pending
-
-Change-Id: I9e23b78d17a108d8e56ad85a9e839b6ccbe4feff
----
- src/core/mount-setup.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
-index cc2633e..3dc7cd7 100644
---- a/src/core/mount-setup.c
-+++ b/src/core/mount-setup.c
-@@ -85,19 +85,23 @@ static const MountPoint mount_table[] = {
- use_smack, MNT_FATAL },
- { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
- use_smack, MNT_FATAL },
--#endif
-+#else
- { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
- NULL, MNT_FATAL|MNT_IN_CONTAINER },
-+#endif
- { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
- NULL, MNT_IN_CONTAINER },
- #ifdef HAVE_SMACK
-- { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-+ { "tmpfs", "/run", "tmpfs", "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
- use_smack, MNT_FATAL },
--#endif
-+ { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
-+ use_smack, MNT_IN_CONTAINER },
-+#else
- { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
- NULL, MNT_FATAL|MNT_IN_CONTAINER },
- { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
- NULL, MNT_FATAL|MNT_IN_CONTAINER },
-+#endif
- { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
- NULL, MNT_IN_CONTAINER },
- { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
---
-2.1.4
-
diff --git a/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch
deleted file mode 100644
index a4a3e50a6..000000000
--- a/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 831d552a9589bb2b99c042d01672409efa3d94fc Mon Sep 17 00:00:00 2001
-From: Michael Demeter
-Date: Fri, 11 Oct 2013 15:37:57 -0700
-Subject: [PATCH 3/9] tizen-smack: Handling of /run and /sys/fs/cgroup
-
-Make /run a transmuting directory to enable systemd
-communications with services in the User domain.
-
-Upstream-Status: Pending
-
-Change-Id: I9e23b78d17a108d8e56ad85a9e839b6ccbe4feff
----
- src/core/mount-setup.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
-index 521545e..ba0867c 100644
---- a/src/core/mount-setup.c
-+++ b/src/core/mount-setup.c
-@@ -85,19 +85,23 @@ static const MountPoint mount_table[] = {
- mac_smack_use, MNT_FATAL },
- { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
- mac_smack_use, MNT_FATAL },
--#endif
-+#else
- { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
- NULL, MNT_FATAL|MNT_IN_CONTAINER },
-+#endif
- { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
- NULL, MNT_IN_CONTAINER },
- #ifdef HAVE_SMACK
-- { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-- mac_smack_use, MNT_FATAL },
--#endif
-+ { "tmpfs", "/run", "tmpfs", "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-+ mac_smack_use, MNT_FATAL },
-+ { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
-+ mac_smack_use, MNT_IN_CONTAINER },
-+#else
- { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
- NULL, MNT_FATAL|MNT_IN_CONTAINER },
- { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
- NULL, MNT_FATAL|MNT_IN_CONTAINER },
-+#endif
- { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
- NULL, MNT_IN_CONTAINER },
- { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
---
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch
deleted file mode 100644
index 88c100fed..000000000
--- a/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 468ef790a7a0e53c390cec9c63090a0ae04a4d58 Mon Sep 17 00:00:00 2001
-From: Michael Demeter
-Date: Fri, 11 Oct 2013 15:37:57 -0700
-Subject: [PATCH 4/9] tizen-smack: Handling of /dev
-
-Smack enabled systems need /dev special devices correctly labeled
-
-- Add AC_DEFINE for HAVE_SMACK to configure.ac
-- Add Check for smack in Makefile.am to include smack default rules
-- Add smack default rules to label /dev/xxx correctly for access
-
-Upstream-Status: Inappropriate [configuration]
-
-Change-Id: Iebe2e349cbedb3013abdf32edb55e9310f1d17f5
----
- configure.ac | 2 ++
- Makefile.am | 5 +++++
- rules/55-udev-smack-default.rules | 23 +++++++++++++++++++++++
- 3 files changed, 30 insertions(+)
- create mode 100644 rules/55-udev-smack-default.rules
-
-diff --git a/configure.ac b/configure.ac
-index 18b7198..05f49ed 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -635,6 +635,8 @@ if test "x${have_smack}" = xyes ; then
- AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available])
- fi
-
-+AM_CONDITIONAL([HAVE_SMACK], [test "x$have_smack" = "xyes"])
-+
- # ------------------------------------------------------------------------------
- AC_ARG_ENABLE([gcrypt],
- AS_HELP_STRING([--disable-gcrypt],[Disable optional GCRYPT support]),
-diff --git a/Makefile.am b/Makefile.am
-index bf04d31..1a05607 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -3108,6 +3108,11 @@ dist_udevrules_DATA += \
- nodist_udevrules_DATA += \
- rules/99-systemd.rules
-
-+if HAVE_SMACK
-+dist_udevrules_DATA += \
-+ rules/55-udev-smack-default.rules
-+endif
-+
- dist_udevhwdb_DATA = \
- hwdb/20-pci-vendor-model.hwdb \
- hwdb/20-pci-classes.hwdb \
-diff --git a/rules/55-udev-smack-default.rules b/rules/55-udev-smack-default.rules
-new file mode 100644
-index 0000000..3829019
---- /dev/null
-+++ b/rules/55-udev-smack-default.rules
-@@ -0,0 +1,23 @@
-+# do not edit this file, it will be overwritten on update
-+
-+KERNEL=="null", SECLABEL{smack}="*"
-+KERNEL=="zero", SECLABEL{smack}="*"
-+KERNEL=="console", SECLABEL{smack}="*"
-+KERNEL=="kmsg", SECLABEL{smack}="*"
-+KERNEL=="video*", SECLABEL{smack}="*"
-+KERNEL=="card*", SECLABEL{smack}="*"
-+KERNEL=="ptmx", SECLABEL{smack}="*"
-+KERNEL=="tty", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
-+SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
-+SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-+SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-+SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
-+SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
-+KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
-+SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"
---
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch
deleted file mode 100644
index b12caaec5..000000000
--- a/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 468ef790a7a0e53c390cec9c63090a0ae04a4d58 Mon Sep 17 00:00:00 2001
-From: Michael Demeter
-Date: Fri, 11 Oct 2013 15:37:57 -0700
-Subject: [PATCH 4/9] tizen-smack: Handling of /dev
-
-Smack enabled systems need /dev special devices correctly labeled
-
-- Add AC_DEFINE for HAVE_SMACK to configure.ac
-- Add Check for smack in Makefile.am to include smack default rules
-- Add smack default rules to label /dev/xxx correctly for access
-
-Upstream-Status: Inappropriate [configuration]
-
-Change-Id: Iebe2e349cbedb3013abdf32edb55e9310f1d17f5
----
- Makefile.am | 5 +++++
- rules/55-udev-smack-default.rules | 23 +++++++++++++++++++++++
- 2 files changed, 28 insertions(+)
- create mode 100644 rules/55-udev-smack-default.rules
-
-diff --git a/Makefile.am b/Makefile.am
-index bf04d31..1a05607 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -3571,6 +3571,11 @@ dist_udevrules_DATA += \
- nodist_udevrules_DATA += \
- rules/99-systemd.rules
-
-+if HAVE_SMACK
-+dist_udevrules_DATA += \
-+ rules/55-udev-smack-default.rules
-+endif
-+
- udevconfdir = $(sysconfdir)/udev
- dist_udevconf_DATA = \
- src/udev/udev.conf
-diff --git a/rules/55-udev-smack-default.rules b/rules/55-udev-smack-default.rules
-new file mode 100644
-index 0000000..3829019
---- /dev/null
-+++ b/rules/55-udev-smack-default.rules
-@@ -0,0 +1,23 @@
-+# do not edit this file, it will be overwritten on update
-+
-+KERNEL=="null", SECLABEL{smack}="*"
-+KERNEL=="zero", SECLABEL{smack}="*"
-+KERNEL=="console", SECLABEL{smack}="*"
-+KERNEL=="kmsg", SECLABEL{smack}="*"
-+KERNEL=="video*", SECLABEL{smack}="*"
-+KERNEL=="card*", SECLABEL{smack}="*"
-+KERNEL=="ptmx", SECLABEL{smack}="*"
-+KERNEL=="tty", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
-+SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
-+SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-+SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-+SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
-+SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
-+KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
-+SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"
---
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch
deleted file mode 100644
index 3d69bb2a8..000000000
--- a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001
-From: Casey Schaufler
-Date: Fri, 8 Nov 2013 09:42:26 -0800
-Subject: [PATCH 5/9] tizen-smack: Handling network
-
-- Set Smack ambient to match run label
-- Set Smack netlabel host rules
-
-Set Smack ambient to match run label
-------------------------------------
-Set the Smack networking ambient label to match the
-run label of systemd. System services may expect to
-communicate with external services over IP. Setting
-the ambient label assigns that label to IP packets
-that do not include CIPSO headers. This allows systemd
-and the services it spawns access to unlabeled IP
-packets, and hence external services.
-
-A system may choose to restrict network access to
-particular services later in the startup process.
-This is easily done by resetting the ambient label
-elsewhere.
-
-Set Smack netlabel host rules
------------------------------
-If SMACK_RUN_LABEL is defined set all other hosts to be
-single label hosts at the specified label. Set the loopback
-address to be a CIPSO host.
-
-If any netlabel host rules are defined in /etc/smack/netlabel.d
-install them into the smackfs netlabel interface.
-
-Upstream-Status: Pending
-
----
- src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++-
- 1 file changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
-index 59f6832..33dc1ca 100644
---- a/src/core/smack-setup.c
-+++ b/src/core/smack-setup.c
-@@ -42,6 +42,7 @@
-
- #define SMACK_CONFIG "/etc/smack/accesses.d/"
- #define CIPSO_CONFIG "/etc/smack/cipso.d/"
-+#define NETLABEL_CONFIG "/etc/smack/netlabel.d/"
-
- #ifdef HAVE_SMACK
-
-@@ -146,6 +147,19 @@ int smack_setup(bool *loaded_policy) {
- if (r)
- log_warning("Failed to set SMACK label \"%s\" on self: %s",
- SMACK_RUN_LABEL, strerror(-r));
-+ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL);
-+ if (r)
-+ log_warning("Failed to set SMACK ambient label \"%s\": %s",
-+ SMACK_RUN_LABEL, strerror(-r));
-+ r = write_string_file("/sys/fs/smackfs/netlabel",
-+ "0.0.0.0/0 " SMACK_RUN_LABEL);
-+ if (r)
-+ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r));
-+ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO");
-+ if (r)
-+ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+ "127.0.0.1 -CIPSO", strerror(-r));
- #endif
-
- r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
-@@ -155,14 +169,31 @@ int smack_setup(bool *loaded_policy) {
- return 0;
- case ENOENT:
- log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
-- return 0;
-+ break;
- case 0:
- log_info("Successfully loaded Smack/CIPSO policies.");
-- return 0;
-+ break;
- default:
- log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
- strerror(abs(r)));
-+ break;
-+ }
-+
-+ r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG);
-+ switch(r) {
-+ case -ENOENT:
-+ log_debug("Smack/CIPSO is not enabled in the kernel.");
- return 0;
-+ case ENOENT:
-+ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found");
-+ break;
-+ case 0:
-+ log_info("Successfully loaded Smack network host rules.");
-+ break;
-+ default:
-+ log_warning("Failed to load Smack network host rules: %s, ignoring.",
-+ strerror(abs(r)));
-+ break;
- }
-
- *loaded_policy = true;
---
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch
deleted file mode 100644
index d5678f2e6..000000000
--- a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch
+++ /dev/null
@@ -1,191 +0,0 @@ -From 513a8d943538643fabf0d31f1eed261677dfbddc Mon Sep 17 00:00:00 2001 -From: Casey Schaufler -Date: Fri, 8 Nov 2013 09:42:26 -0800 -Subject: [PATCH] tizen-smack: Handling network - -- Set Smack ambient to match run label -- Set Smack netlabel host rules - -Set Smack ambient to match run label ------------------------------------- -Set the Smack networking ambient label to match the -run label of systemd. System services may expect to -communicate with external services over IP. Setting -the ambient label assigns that label to IP packets -that do not include CIPSO headers. This allows systemd -and the services it spawns access to unlabeled IP -packets, and hence external services. - -A system may choose to restrict network access to -particular services later in the startup process. -This is easily done by resetting the ambient label -elsewhere. - -Set Smack netlabel host rules ------------------------------ -If SMACK_RUN_LABEL is defined set all other hosts to be -single label hosts at the specified label. Set the loopback -address to be a CIPSO host. - -If any netlabel host rules are defined in /etc/smack/netlabel.d -install them into the smackfs netlabel interface. 
- -[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"] -[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"] - -Upstream-Status: Pending ---- - src/core/smack-setup.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 106 insertions(+), 3 deletions(-) - -diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c -index cbe7d0b..b384aa0 100644 ---- a/src/core/smack-setup.c -+++ b/src/core/smack-setup.c -@@ -34,6 +34,9 @@ - #include "fileio.h" - #include "log.h" - -+#define CIPSO_CONFIG "/etc/smack/cipso.d/" -+#define NETLABEL_CONFIG "/etc/smack/netlabel.d/" -+ - #ifdef HAVE_SMACK - - static int write_access2_rules(const char* srcdir) { -@@ -193,6 +196,76 @@ static int write_cipso2_rules(const char* srcdir) { - return r; - } - -+static int write_netlabel_rules(const char* srcdir) { -+ _cleanup_fclose_ FILE *dst = NULL; -+ _cleanup_closedir_ DIR *dir = NULL; -+ struct dirent *entry; -+ char buf[NAME_MAX]; -+ int dfd = -1; -+ int r = 0; -+ static const char dstpath[] = "/sys/fs/smackfs/netlabel"; -+ -+ dst = fopen(dstpath, "we"); -+ if (!dst) { -+ if (errno != ENOENT) -+ log_warning_errno(errno, "Failed to open %s: %m", dstpath); -+ return -errno; /* negative error */ -+ } -+ -+ /* write rules to dst from every file in the directory */ -+ dir = opendir(srcdir); -+ if (!dir) { -+ if (errno != ENOENT) -+ log_warning_errno(errno, "Failed to opendir %s: %m", srcdir); -+ return errno; /* positive on purpose */ -+ } -+ -+ dfd = dirfd(dir); -+ assert(dfd >= 0); -+ -+ FOREACH_DIRENT(entry, dir, return 0) { -+ int fd; -+ _cleanup_fclose_ FILE *policy = NULL; -+ -+ fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC); -+ if (fd < 0) { -+ if (r == 0) -+ r = -errno; -+ log_warning_errno(errno, "Failed to open %s: %m", entry->d_name); -+ continue; -+ } -+ -+ policy = fdopen(fd, "re"); -+ if (!policy) { -+ if (r == 0) -+ r = 
-errno; -+ safe_close(fd); -+ log_error_errno(errno, "Failed to open %s: %m", entry->d_name); -+ continue; -+ } -+ -+ /* load2 write rules in the kernel require a line buffered stream */ -+ FOREACH_LINE(buf, policy, -+ log_error_errno(errno, "Failed to read line from %s: %m", -+ entry->d_name)) { -+ if (!fputs(buf, dst)) { -+ if (r == 0) -+ r = -EINVAL; -+ log_error("Failed to write line to %s", dstpath); -+ break; -+ } -+ if (fflush(dst)) { -+ if (r == 0) -+ r = -errno; -+ log_error_errno(errno, "Failed to flush writes to %s: %m", dstpath); -+ break; -+ } -+ } -+ } -+ -+ return r; -+} -+ - #endif - - int mac_smack_setup(bool *loaded_policy) { -@@ -225,23 +298,53 @@ int mac_smack_setup(bool *loaded_policy) { - if (r) - log_warning("Failed to set SMACK label \"%s\" on self: %s", - SMACK_RUN_LABEL, strerror(-r)); -+ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, 0); -+ if (r) -+ log_warning("Failed to set SMACK ambient label \"%s\": %s", -+ SMACK_RUN_LABEL, strerror(-r)); -+ r = write_string_file("/sys/fs/smackfs/netlabel", -+ "0.0.0.0/0 " SMACK_RUN_LABEL, 0); -+ if (r) -+ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", -+ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r)); -+ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", 0); -+ if (r) -+ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", -+ "127.0.0.1 -CIPSO", strerror(-r)); - #endif - -- r = write_cipso2_rules("/etc/smack/cipso.d/"); -+ r = write_cipso2_rules(CIPSO_CONFIG); - switch(r) { - case -ENOENT: - log_debug("Smack/CIPSO is not enabled in the kernel."); - return 0; - case ENOENT: -- log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found"); -- return 0; -+ log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found"); -+ break; - case 0: - log_info("Successfully loaded Smack/CIPSO policies."); - break; - default: - log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.", - strerror(abs(r))); -+ break; -+ 
} -+ -+ r = write_netlabel_rules(NETLABEL_CONFIG); -+ switch(r) { -+ case -ENOENT: -+ log_debug("Smack/CIPSO is not enabled in the kernel."); - return 0; -+ case ENOENT: -+ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found"); -+ break; -+ case 0: -+ log_info("Successfully loaded Smack network host rules."); -+ break; -+ default: -+ log_warning("Failed to load Smack network host rules: %s, ignoring.", -+ strerror(abs(r))); -+ break; - } - - *loaded_policy = true; --- -2.1.4 - diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch deleted file mode 100644 index bc6b97c8f..000000000 --- a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -From e714327016fb65a0bf977588efaecbaf41ac3cfc Mon Sep 17 00:00:00 2001 -From: Casey Schaufler -Date: Fri, 8 Nov 2013 09:42:26 -0800 -Subject: [PATCH 4/6] tizen-smack: Handling network - -- Set Smack ambient to match run label -- Set Smack netlabel host rules - -Set Smack ambient to match run label ------------------------------------- -Set the Smack networking ambient label to match the -run label of systemd. System services may expect to -communicate with external services over IP. Setting -the ambient label assigns that label to IP packets -that do not include CIPSO headers. This allows systemd -and the services it spawns access to unlabeled IP -packets, and hence external services. - -A system may choose to restrict network access to -particular services later in the startup process. -This is easily done by resetting the ambient label -elsewhere. - -Set Smack netlabel host rules ------------------------------ -If SMACK_RUN_LABEL is defined set all other hosts to be -single label hosts at the specified label. Set the loopback -address to be a CIPSO host. - -If any netlabel host rules are defined in /etc/smack/netlabel.d -install them into the smackfs netlabel interface. 
- -[Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf] -[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"] -[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"] -[Patrick Ohly: adapted to upstream code review feedback: error logging, string constants] - -Upstream-Status: Accepted [https://github.com/systemd/systemd/pull/2262] - -%% original patch: 0005-tizen-smack-Handling-network-v225.patch ---- - src/core/smack-setup.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 98 insertions(+), 3 deletions(-) - -diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c -index 0661ff9..c9374ca 100644 ---- a/src/core/smack-setup.c -+++ b/src/core/smack-setup.c -@@ -197,6 +197,75 @@ static int write_cipso2_rules(const char* srcdir) { - return r; - } - -+static int write_netlabel_rules(const char* srcdir) { -+ _cleanup_fclose_ FILE *dst = NULL; -+ _cleanup_closedir_ DIR *dir = NULL; -+ struct dirent *entry; -+ char buf[NAME_MAX]; -+ int dfd = -1; -+ int r = 0; -+ -+ dst = fopen("/sys/fs/smackfs/netlabel", "we"); -+ if (!dst) { -+ if (errno != ENOENT) -+ log_warning_errno(errno, "Failed to open /sys/fs/smackfs/netlabel: %m"); -+ return -errno; /* negative error */ -+ } -+ -+ /* write rules to dst from every file in the directory */ -+ dir = opendir(srcdir); -+ if (!dir) { -+ if (errno != ENOENT) -+ log_warning_errno(errno, "Failed to opendir %s: %m", srcdir); -+ return errno; /* positive on purpose */ -+ } -+ -+ dfd = dirfd(dir); -+ assert(dfd >= 0); -+ -+ FOREACH_DIRENT(entry, dir, return 0) { -+ int fd; -+ _cleanup_fclose_ FILE *policy = NULL; -+ -+ fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC); -+ if (fd < 0) { -+ if (r == 0) -+ r = -errno; -+ log_warning_errno(errno, "Failed to open %s: %m", entry->d_name); -+ continue; -+ } -+ -+ policy 
= fdopen(fd, "re"); -+ if (!policy) { -+ if (r == 0) -+ r = -errno; -+ safe_close(fd); -+ log_error_errno(errno, "Failed to open %s: %m", entry->d_name); -+ continue; -+ } -+ -+ /* load2 write rules in the kernel require a line buffered stream */ -+ FOREACH_LINE(buf, policy, -+ log_error_errno(errno, "Failed to read line from %s: %m", -+ entry->d_name)) { -+ if (!fputs(buf, dst)) { -+ if (r == 0) -+ r = -EINVAL; -+ log_error_errno(errno, "Failed to write line to /sys/fs/smackfs/netlabel"); -+ break; -+ } -+ if (fflush(dst)) { -+ if (r == 0) -+ r = -errno; -+ log_error_errno(errno, "Failed to flush writes to /sys/fs/smackfs/netlabel: %m"); -+ break; -+ } -+ } -+ } -+ -+ return r; -+} -+ - #endif - - int mac_smack_setup(bool *loaded_policy) { -@@ -225,8 +294,18 @@ int mac_smack_setup(bool *loaded_policy) { - - #ifdef SMACK_RUN_LABEL - r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, 0); -- if (r) -- log_warning_errno(r, "Failed to set SMACK label \"%s\" on self: %m", SMACK_RUN_LABEL); -+ if (r < 0) -+ log_warning_errno(r, "Failed to set SMACK label \"" SMACK_RUN_LABEL "\" on self: %m"); -+ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, 0); -+ if (r < 0) -+ log_warning_errno(r, "Failed to set SMACK ambient label \"" SMACK_RUN_LABEL "\": %m"); -+ r = write_string_file("/sys/fs/smackfs/netlabel", -+ "0.0.0.0/0 " SMACK_RUN_LABEL, 0); -+ if (r < 0) -+ log_warning_errno(r, "Failed to set SMACK netlabel rule \"0.0.0.0/0 " SMACK_RUN_LABEL "\": %m"); -+ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", 0); -+ if (r < 0) -+ log_warning_errno(r, "Failed to set SMACK netlabel rule \"127.0.0.1 -CIPSO\": %m"); - #endif - - r = write_cipso2_rules("/etc/smack/cipso.d/"); -@@ -236,13 +315,29 @@ int mac_smack_setup(bool *loaded_policy) { - return 0; - case ENOENT: - log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found"); -- return 0; -+ break; - case 0: - log_info("Successfully loaded Smack/CIPSO 
policies."); - break; - default: - log_warning_errno(r, "Failed to load Smack/CIPSO access rules, ignoring: %m"); -+ break; -+ } -+ -+ r = write_netlabel_rules("/etc/smack/netlabel.d/"); -+ switch(r) { -+ case -ENOENT: -+ log_debug("Smack/CIPSO is not enabled in the kernel."); - return 0; -+ case ENOENT: -+ log_debug("Smack network host rules directory '/etc/smack/netlabel.d/' not found"); -+ break; -+ case 0: -+ log_info("Successfully loaded Smack network host rules."); -+ break; -+ default: -+ log_warning_errno(r, "Failed to load Smack network host rules: %m, ignoring."); -+ break; - } - - *loaded_policy = true; --- -2.1.4 - diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch deleted file mode 100644 index cd6a3c90b..000000000 --- a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch +++ /dev/null 
@@ -1,106 +0,0 @@
-From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001
-From: Casey Schaufler
-Date: Fri, 8 Nov 2013 09:42:26 -0800
-Subject: [PATCH 5/9] tizen-smack: Handling network
-
-- Set Smack ambient to match run label
-- Set Smack netlabel host rules
-
-Set Smack ambient to match run label
-------------------------------------
-Set the Smack networking ambient label to match the
-run label of systemd. System services may expect to
-communicate with external services over IP. Setting
-the ambient label assigns that label to IP packets
-that do not include CIPSO headers. This allows systemd
-and the services it spawns access to unlabeled IP
-packets, and hence external services.
-
-A system may choose to restrict network access to
-particular services later in the startup process.
-This is easily done by resetting the ambient label
-elsewhere.
-
-Set Smack netlabel host rules
------------------------------
-If SMACK_RUN_LABEL is defined set all other hosts to be
-single label hosts at the specified label. Set the loopback
-address to be a CIPSO host.
-
-If any netlabel host rules are defined in /etc/smack/netlabel.d
-install them into the smackfs netlabel interface.
-
-Upstream-Status: Pending
-
----
- src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++-
- 1 file changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
-index 59f6832..33dc1ca 100644
---- a/src/core/smack-setup.c
-+++ b/src/core/smack-setup.c
-@@ -42,6 +42,7 @@
-
- #define SMACK_CONFIG "/etc/smack/accesses.d/"
- #define CIPSO_CONFIG "/etc/smack/cipso.d/"
-+#define NETLABEL_CONFIG "/etc/smack/netlabel.d/"
-
- #ifdef HAVE_SMACK
-
-@@ -146,6 +147,19 @@ int mac_smack_setup(bool *loaded_policy) {
- if (r)
- log_warning("Failed to set SMACK label \"%s\" on self: %s",
- SMACK_RUN_LABEL, strerror(-r));
-+ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL);
-+ if (r)
-+ log_warning("Failed to set SMACK ambient label \"%s\": %s",
-+ SMACK_RUN_LABEL, strerror(-r));
-+ r = write_string_file("/sys/fs/smackfs/netlabel",
-+ "0.0.0.0/0 " SMACK_RUN_LABEL);
-+ if (r)
-+ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r));
-+ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO");
-+ if (r)
-+ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+ "127.0.0.1 -CIPSO", strerror(-r));
- #endif
-
- r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
-@@ -155,14 +169,31 @@ int mac_smack_setup(bool *loaded_policy) {
- return 0;
- case ENOENT:
- log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
-- return 0;
-+ break;
- case 0:
- log_info("Successfully loaded Smack/CIPSO policies.");
- break;
- default:
- log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
- strerror(abs(r)));
-+ break;
-+ }
-+
-+ r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG);
-+ switch(r) {
-+ case -ENOENT:
-+ log_debug("Smack/CIPSO is not enabled in the kernel.");
- return 0;
-+ case ENOENT:
-+ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found");
-+ break;
-+ case 0:
-+ log_info("Successfully loaded Smack network host rules.");
-+ break;
-+ default:
-+ log_warning("Failed to load Smack network host rules: %s, ignoring.",
-+ strerror(abs(r)));
-+ break;
- }
-
- *loaded_policy = true;
---
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch
deleted file mode 100644
index dd2c6542e..000000000
--- a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch
+++ /dev/null
@@ -1,41 +0,0 @@ -From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001 -From: Casey Schaufler -Date: Thu, 19 Dec 2013 16:49:28 -0800 -Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^ - -Run systemd-journald with the hat ("^") Smack label. - -The journal daemon needs global read access to gather information -about the services spawned by systemd. The hat label is intended -for this purpose. The journal daemon is the only part of the -System domain that needs read access to the User domain. Giving -the journal daemon the hat label means that we can remove the -System domain's read access to the User domain. - -Upstream-Status: Inappropriate [configuration] - -Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370 -Signed-off-by: Casey Schaufler ---- - units/systemd-journald.service.in | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in -index a3540c6..745dd84 100644 ---- a/units/systemd-journald.service.in -+++ b/units/systemd-journald.service.in -@@ -20,8 +20,10 @@ Restart=always - RestartSec=0 - NotifyAccess=all - StandardOutput=null -+SmackProcessLabel=^ --CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID -+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE - WatchdogSec=1min -+FileDescriptorStoreMax=1024 - - # Increase the default a bit in order to allow many simultaneous - # services being run since we keep one fd open per service. --- -1.8.4.5 - diff --git a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch deleted file mode 100644 index 27a9d0bc6..000000000 
--- a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch +++ /dev/null @@ -1,37 +0,0 @@ -From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001 -From: Casey Schaufler -Date: Thu, 19 Dec 2013 16:49:28 -0800 -Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^ - -Run systemd-journald with the hat ("^") Smack label. - -The journal daemon needs global read access to gather information -about the services spawned by systemd. The hat label is intended -for this purpose. The journal daemon is the only part of the -System domain that needs read access to the User domain. Giving -the journal daemon the hat label means that we can remove the -System domain's read access to the User domain. - -Upstream-Status: Inappropriate [configuration] - -Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370 -Signed-off-by: Casey Schaufler ---- - units/systemd-journald.service.in | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in -index a3540c6..745dd84 100644 ---- a/units/systemd-journald.service.in -+++ b/units/systemd-journald.service.in -@@ -21,6 +21,7 @@ Restart=always - RestartSec=0 - NotifyAccess=all - StandardOutput=null -+SmackProcessLabel=^ - CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE - WatchdogSec=1min - FileDescriptorStoreMax=1024 --- -1.8.4.5 - diff --git a/meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch b/meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch deleted file mode 100644 index 5a1baefed..000000000 --- a/meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From fd84be63d15fc94c1f396979c67e070c6cd7451b Mon Sep 17 00:00:00 2001 -From: Patrick Ohly -Date: Mon, 21 Dec 2015 14:56:00 +0100 -Subject: [PATCH] mount-setup.c: fix handling of symlink Smack labelling in - cgroup setup - -The code introduced in f8c1a81c51 (= systemd 227) failed for me with: - Failed to copy smack label from net_cls to /sys/fs/cgroup/net_cls: No such file or directory - -There is no need for a symlink in this case because source and target -are identical. The symlink() call is allowed to fail when the target -already exists. When that happens, copying the Smack label must be -skipped. - -But the code also failed when there is a symlink, like "cpu -> -cpu,cpuacct", because mac_smack_copy() got called with -src="cpu,cpuacct" which fails to find the entry because the current -directory is not inside /sys/fs/cgroup. The absolute path to the existing -entry must be used instead. - -Upstream-Status: Accepted [https://github.com/systemd/systemd/pull/2205] - -Signed-off-by: Patrick Ohly ---- - src/core/mount-setup.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c -index 2b8d590..d73b319 100644 ---- a/src/core/mount-setup.c -+++ b/src/core/mount-setup.c -@@ -304,13 +304,18 @@ int mount_cgroup_controllers(char ***join_controllers) { - return log_oom(); - - r = symlink(options, t); -- if (r < 0 && errno != EEXIST) -- return log_error_errno(errno, "Failed to create symlink %s: %m", t); -+ if (r >= 0) { - #ifdef SMACK_RUN_LABEL -- r = mac_smack_copy(t, options); -- if (r < 0 && r != -EOPNOTSUPP) -- return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", options, t); -+ _cleanup_free_ char *src; -+ src = strappend("/sys/fs/cgroup/", options); -+ if (!src) -+ return log_oom(); -+ r = mac_smack_copy(t, src); -+ if (r < 0 && r != -EOPNOTSUPP) -+ return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", src, t); - #endif -+ } 
else if (errno != EEXIST) -+ return log_error_errno(errno, "Failed to create symlink %s: %m", t); - } - } - } --- -2.1.4 - diff --git a/meta-security/recipes-core/systemd/systemd_234.bbappend b/meta-security/recipes-core/systemd/systemd_234.bbappend index 4bbc8aa04..79753a2d6 100644 --- a/meta-security/recipes-core/systemd/systemd_234.bbappend +++ b/meta-security/recipes-core/systemd/systemd_234.bbappend 
@@ -1,57 +1,22 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" -SYSTEMD_SMACK_PATCHES_216 = " \ -file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch \ -file://0004-tizen-smack-Handling-of-dev-v216.patch \ -file://0005-tizen-smack-Handling-network-v216.patch \ -file://0007-tizen-smack-Runs-systemd-journald-with-v216.patch \ -" - -SYSTEMD_SMACK_PATCHES_219 = " \ -file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \ -file://0004-tizen-smack-Handling-of-dev.patch \ -file://0005-tizen-smack-Handling-network.patch \ -file://0007-tizen-smack-Runs-systemd-journald-with.patch \ -" -SYSTEMD_SMACK_PATCHES_225 = " \ -file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \ -file://0004-tizen-smack-Handling-of-dev.patch \ -file://0005-tizen-smack-Handling-network-v225.patch \ -file://0007-tizen-smack-Runs-systemd-journald-with.patch \ -" - -SYSTEMD_SMACK_PATCHES_228 = " \ -file://0005-tizen-smack-Handling-network-v228.patch \ -file://mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch \ -" - -SYSTEMD_SMACK_PATCHES_234 = " \ -file://0001-Switch-Smack-label-earlier.patch \ +################################################################################## +# What follows is temporary. +# This patch is still needed for systemd 234 but is normally upstreamed +# and thus should be removed in later versions. +################################################################################## +SRC_URI_append_with-lsm-smack = "\ + file://0001-Switch-Smack-label-earlier.patch \ " -# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally -# because systemd panics when booted without Smack support: -# systemd[1]: Cannot determine cgroup we are running in: No such file or directory -# systemd[1]: Failed to allocate manager object: No such file or directory -# [!!!!!!] Failed to allocate manager object, freezing. -# -# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network. 
-# We use the beginning of PV (unexpanded here to prevent a cyclic dependency -# during resolution apparently caused by ${SRCPV}) to pick the right set of -# patches. -# -# Patches are optional. Hopefully we won't need any for systemd >= 229. -SRC_URI_append_with-lsm-smack = " ${SYSTEMD_SMACK_PATCHES_234}" - -# A workaround for a missing space in a SRC_URI_append in a private layer elsewhere: -SRC_URI += "" - # Ensures systemd runs with label "System" EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System" +################################################################################## # Maintaining trivial, non-upstreamable configuration changes as patches # is tedious. But in same cases (like early mounting of special directories) # the configuration has to be in code. We make these changes here directly. +################################################################################## do_patch[prefuncs] += "patch_systemd" do_patch[vardeps] += "patch_systemd" patch_systemd() { -- cgit 1.2.3-korg
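Review bot: The new header comment above `SRC_URI_append_with-lsm-smack` says the retained patch "is normally upstreamed" without naming the upstream commit or the first systemd release that carries it, so a later maintainer cannot tell when the "should be removed in later versions" condition is actually met; suggest pinning it, e.g. `# Upstream in systemd <UPSTREAM-VERSION-PLACEHOLDER> (commit <UPSTREAM-COMMIT-PLACEHOLDER>); drop once PV reaches it.` The kept patch is the only one the removed SYSTEMD_SMACK_PATCHES_234 list referenced, so the journald `SmackProcessLabel=^` / CAP_MAC_OVERRIDE changes deleted with the 0007 patches were already unused for systemd 234 and this hunk does not change the policy that gets built. The `SRC_URI += ""` workaround for a private layer's missing space is dropped without a note on whether that layer is still in use; if it is, the missing-space breakage returns silently, so the commit description should say why it is safe. The body of patch_systemd() continues past the end of the hunk.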