From f11a3e7653777ad4342e615f47ec4a5417a2fa96 Mon Sep 17 00:00:00 2001 From: José Bollo Date: Wed, 12 Dec 2018 12:03:43 +0100 Subject: systemd: Refactor build using smack-system-setup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This changes introduces the new recipe meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb The purpose is to split the recipe of systemd in two parts: - A part specific to systemd and only systemd It actually includes Smack patches for systemd and a renaming of udev-rules. - A part more oriented on putting the system in order to run with Smack activated. At the end, it will probably save many rebuilds as systemd recipe will evolve less in relation with the setup of the system. As example, the udev rule file "55-udev-smack-default.rules" that setup udev rules specific to smack is no more brought by systemd but by smack-system-setup. Also at the same time, some cleanup and refactoring is done. Note that the ".bbappend" file for systemd is now fixed in version and is including a common file file that records the several known versions. No cleanup was made on the versioned patch for the sake of memory. The cleanup of the history is to be achieved later... Bug-AGL: SPEC-2045 Change-Id: Iacf772142a381729dfdbe98d133a3effc4d6cf68 Signed-off-by: José Bollo --- .../packagegroup-security-framework.bb | 1 + .../files/55-udev-smack-default.rules | 23 ++++ .../files/systemd-journald.service.conf | 16 +++ .../files/systemd-tmpfiles-setup.service.conf | 2 + .../smack-system-setup/files/tmp.mount.conf | 12 +++ .../smack-system-setup/smack-system-setup_1.bb | 28 +++++ .../systemd/0001-Switch-Smack-label-earlier.patch | 52 +++++++++ .../systemd/systemd/udev-smack-default.rules | 23 ---- .../recipes-core/systemd/systemd_%.bbappend | 120 --------------------- .../recipes-core/systemd/systemd_234.bbappend | 84 +++++++++++++++ 10 files changed, 218 insertions(+), 143 deletions(-) create mode 100644 meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules create mode 100644 meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf create mode 100644 meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf create mode 100644 meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf create mode 100644 meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb create mode 100644 meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch delete mode 100644 meta-security/recipes-core/systemd/systemd/udev-smack-default.rules delete mode 100644 meta-security/recipes-core/systemd/systemd_%.bbappend create mode 100644 meta-security/recipes-core/systemd/systemd_234.bbappend (limited to 'meta-security') diff --git a/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb index b52e18d4e..6dd575df5 100644 --- a/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb +++ b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb @@ -19,4 +19,5 @@ RDEPENDS_${PN}_append_with-lsm-smack = " \ security-manager \ security-manager-policy \ smacknet \ + smack-system-setup \ " diff --git a/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules b/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules new file mode 100644 index 000000000..3829019de --- /dev/null +++ b/meta-security/recipes-core/smack-system-setup/files/55-udev-smack-default.rules @@ -0,0 +1,23 @@ +# do not edit this file, it will be overwritten on update + +KERNEL=="null", SECLABEL{smack}="*" +KERNEL=="zero", SECLABEL{smack}="*" +KERNEL=="console", SECLABEL{smack}="*" +KERNEL=="kmsg", SECLABEL{smack}="*" +KERNEL=="video*", SECLABEL{smack}="*" +KERNEL=="card*", SECLABEL{smack}="*" +KERNEL=="ptmx", SECLABEL{smack}="*" +KERNEL=="tty", SECLABEL{smack}="*" + +SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*" +SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*" +SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*" + +SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*" +SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*" +SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*" +SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*" +KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*" + +SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*" +SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*" diff --git a/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf b/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf new file mode 100644 index 000000000..7035a1410 --- /dev/null +++ b/meta-security/recipes-core/smack-system-setup/files/systemd-journald.service.conf @@ -0,0 +1,16 @@ +# Run systemd-journald with the hat ("^") Smack label. +# +# The journal daemon needs global read access to gather information +# about the services spawned by systemd. The hat label is intended +# for this purpose. The journal daemon is the only part of the +# System domain that needs read access to the User domain. Giving +# the journal daemon the hat label means that we can remove the +# System domain's read access to the User domain and we can avoid +# hard-coding a specific label name for that domain. +# +# Original author: Casey Schaufler +# +# This is considered a configuration change and thus distro specific. +[Service] +SmackProcessLabel=^ + diff --git a/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf b/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf new file mode 100644 index 000000000..db43c8c51 --- /dev/null +++ b/meta-security/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf @@ -0,0 +1,2 @@ +[Service] +ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)' diff --git a/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf new file mode 100644 index 000000000..388986e82 --- /dev/null +++ b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf @@ -0,0 +1,12 @@ +# Mount /tmp publicly accessable. Based on patch by Michael Demeter . +# Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664), +# but it was removed again (https://github.com/systemd/systemd/issues/1696) because +# util-linux mount will ignore smackfsroot when Smack is not active. However, +# busybox is not that intelligent. +# +# When using busybox mount, adding smackfsroot=* and booting without +# Smack (i.e. security=none), tmp.mount will fail with an error about +# "Bad mount option smackfsroot". +[Mount] +Options=smackfsroot=* + diff --git a/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb b/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb new file mode 100644 index 000000000..49b12ad3f --- /dev/null +++ b/meta-security/recipes-core/smack-system-setup/smack-system-setup_1.bb @@ -0,0 +1,28 @@ +DESCRIPTION = "setup of a system using smack" +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" + +SRC_URI = "\ + file://55-udev-smack-default.rules \ + file://systemd-journald.service.conf \ + file://systemd-tmpfiles-setup.service.conf \ + file://tmp.mount.conf \ +" + +RDEPENDS_${PN}_append_with-lsm-smack = " smack" + +do_install_append_with-lsm-smack() { + # tuning systemd units + install -Dm0644 ${WORKDIR}/systemd-tmpfiles-setup.service.conf \ + ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf + install -Dm0644 ${WORKDIR}/systemd-journald.service.conf \ + ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf + install -Dm0644 ${WORKDIR}/tmp.mount.conf \ + ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf + + # add udev rules + install -Dm0644 ${WORKDIR}/55-udev-smack-default.rules \ + ${D}${sysconfdir}/udev/rules.d/55-udev-smack-default.rules +} + +FILES_${PN} += "${systemd_unitdir}" diff --git a/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch b/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch new file mode 100644 index 000000000..46445be73 --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch @@ -0,0 +1,52 @@ +From 6cc74075797edb6f698cb7f312bb1c3d8cc6cb28 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= +Date: Thu, 12 Oct 2017 17:17:56 +0200 +Subject: [PATCH] Switch Smack label earlier +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Switching label after removing capability isn't +possible. + +Change-Id: Ib7dac8f071f36119520ed3205d743c1e3df3cd5e +Signed-off-by: José Bollo +--- + src/core/execute.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index d72e5bf08..0abffd569 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -2707,6 +2707,13 @@ static int exec_child( + } + } + ++ r = setup_smack(context, command); ++ if (r < 0) { ++ *exit_status = EXIT_SMACK_PROCESS_LABEL; ++ *error_message = strdup("Failed to set SMACK process label"); ++ return r; ++ } ++ + if (!cap_test_all(context->capability_bounding_set)) { + r = capability_bounding_set_drop(context->capability_bounding_set, false); + if (r < 0) { +@@ -2775,13 +2782,6 @@ static int exec_child( + } + #endif + +- r = setup_smack(context, command); +- if (r < 0) { +- *exit_status = EXIT_SMACK_PROCESS_LABEL; +- *error_message = strdup("Failed to set SMACK process label"); +- return r; +- } +- + #ifdef HAVE_APPARMOR + if (context->apparmor_profile && mac_apparmor_use()) { + r = aa_change_onexec(context->apparmor_profile); +-- +2.14.3 + diff --git a/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules b/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules deleted file mode 100644 index 3829019de..000000000 --- a/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules +++ /dev/null @@ -1,23 +0,0 @@ -# do not edit this file, it will be overwritten on update - -KERNEL=="null", SECLABEL{smack}="*" -KERNEL=="zero", SECLABEL{smack}="*" -KERNEL=="console", SECLABEL{smack}="*" -KERNEL=="kmsg", SECLABEL{smack}="*" -KERNEL=="video*", SECLABEL{smack}="*" -KERNEL=="card*", SECLABEL{smack}="*" -KERNEL=="ptmx", SECLABEL{smack}="*" -KERNEL=="tty", SECLABEL{smack}="*" - -SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*" -SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*" -SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*" - -SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*" -SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*" -SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*" -SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*" -KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*" - -SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*" -SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*" diff --git a/meta-security/recipes-core/systemd/systemd_%.bbappend b/meta-security/recipes-core/systemd/systemd_%.bbappend deleted file mode 100644 index 65e28f9de..000000000 --- a/meta-security/recipes-core/systemd/systemd_%.bbappend +++ /dev/null @@ -1,120 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally -# because systemd panics when booted without Smack support: -# systemd[1]: Cannot determine cgroup we are running in: No such file or directory -# systemd[1]: Failed to allocate manager object: No such file or directory -# [!!!!!!] Failed to allocate manager object, freezing. -# -# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network. -# We use the beginning of PV (unexpanded here to prevent a cyclic dependency -# during resolution apparently caused by ${SRCPV}) to pick the right set of -# patches. -# -# Patches are optional. Hopefully we won't need any for systemd >= 229. -SRC_URI_append_with-lsm-smack = " ${@d.getVar('SYSTEMD_SMACK_PATCHES_' + d.getVar('PV', False)[0:3], True) or ''}" - -SYSTEMD_SMACK_PATCHES_216 = " \ -file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch \ -file://0004-tizen-smack-Handling-of-dev-v216.patch \ -file://0005-tizen-smack-Handling-network-v216.patch \ -file://0007-tizen-smack-Runs-systemd-journald-with-v216.patch \ -" - -SYSTEMD_SMACK_PATCHES_219 = " \ -file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \ -file://0004-tizen-smack-Handling-of-dev.patch \ -file://0005-tizen-smack-Handling-network.patch \ -file://0007-tizen-smack-Runs-systemd-journald-with.patch \ -" -SYSTEMD_SMACK_PATCHES_225 = " \ -file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \ -file://0004-tizen-smack-Handling-of-dev.patch \ -file://0005-tizen-smack-Handling-network-v225.patch \ -file://0007-tizen-smack-Runs-systemd-journald-with.patch \ -" - -SYSTEMD_SMACK_PATCHES_228 = " \ -file://0005-tizen-smack-Handling-network-v228.patch \ -file://mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch \ -" - -# From Tizen .spec file. -EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System" - -install_file() { - install -d $(dirname $1) - cat >>$1 - chmod ${2:-0644} $1 -} - -# We need to emulate parts of the filesystem permissions from Tizen here. -# The part for regular files is in base-files.bbappend, but /var/log and -# /var/tmp point into /var/volatile (tmpfs) and get created anew during -# startup. We set these permissions directly after creating them via -# /etc/tmpfiles.d/00-create-volatile.conf -RDEPENDS_${PN}_append_with-lsm-smack = " smack" -do_install_append_with-lsm-smack() { - install_file ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf <. - # Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664), - # but it was removed again (https://github.com/systemd/systemd/issues/1696) because - # util-linux mount will ignore smackfsroot when Smack is not active. However, - # busybox is not that intelligent. - # - # When using busybox mount, adding smackfsroot=* and booting without - # Smack (i.e. security=none), tmp.mount will fail with an error about - # "Bad mount option smackfsroot". - install_file ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf < - # - # This is considered a configuration change and thus distro specific. - install_file ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf <. - # - # We simplify the patching by touching only lines which check the result of - # mac_smack_use(). Those are the ones which are used when Smack is active. - # - # smackfsroot=* on /sys/fs/cgroup may be upstreamable, but smackfstransmute=System::Run - # is too distro specific (depends on Smack rules) and thus has to remain here. - sed -i -e 's;\("/sys/fs/cgroup", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfsroot=*\2;' \ - -e 's;\("/run", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfstransmute=System::Run\2;' \ - ${S}/src/core/mount-setup.c -} diff --git a/meta-security/recipes-core/systemd/systemd_234.bbappend b/meta-security/recipes-core/systemd/systemd_234.bbappend new file mode 100644 index 000000000..4bbc8aa04 --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd_234.bbappend @@ -0,0 +1,84 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SYSTEMD_SMACK_PATCHES_216 = " \ +file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch \ +file://0004-tizen-smack-Handling-of-dev-v216.patch \ +file://0005-tizen-smack-Handling-network-v216.patch \ +file://0007-tizen-smack-Runs-systemd-journald-with-v216.patch \ +" + +SYSTEMD_SMACK_PATCHES_219 = " \ +file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \ +file://0004-tizen-smack-Handling-of-dev.patch \ +file://0005-tizen-smack-Handling-network.patch \ +file://0007-tizen-smack-Runs-systemd-journald-with.patch \ +" +SYSTEMD_SMACK_PATCHES_225 = " \ +file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \ +file://0004-tizen-smack-Handling-of-dev.patch \ +file://0005-tizen-smack-Handling-network-v225.patch \ +file://0007-tizen-smack-Runs-systemd-journald-with.patch \ +" + +SYSTEMD_SMACK_PATCHES_228 = " \ +file://0005-tizen-smack-Handling-network-v228.patch \ +file://mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch \ +" + +SYSTEMD_SMACK_PATCHES_234 = " \ +file://0001-Switch-Smack-label-earlier.patch \ +" + +# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally +# because systemd panics when booted without Smack support: +# systemd[1]: Cannot determine cgroup we are running in: No such file or directory +# systemd[1]: Failed to allocate manager object: No such file or directory +# [!!!!!!] Failed to allocate manager object, freezing. +# +# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network. +# We use the beginning of PV (unexpanded here to prevent a cyclic dependency +# during resolution apparently caused by ${SRCPV}) to pick the right set of +# patches. +# +# Patches are optional. Hopefully we won't need any for systemd >= 229. +SRC_URI_append_with-lsm-smack = " ${SYSTEMD_SMACK_PATCHES_234}" + +# A workaround for a missing space in a SRC_URI_append in a private layer elsewhere: +SRC_URI += "" + +# Ensures systemd runs with label "System" +EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System" + +# Maintaining trivial, non-upstreamable configuration changes as patches +# is tedious. But in same cases (like early mounting of special directories) +# the configuration has to be in code. We make these changes here directly. +do_patch[prefuncs] += "patch_systemd" +do_patch[vardeps] += "patch_systemd" +patch_systemd() { + # Handling of /run and /sys/fs/cgroup. Make /run a transmuting directory to + # enable systemd communications with services in the User domain. + # Original patch by Michael Demeter . + # + # We simplify the patching by touching only lines which check the result of + # mac_smack_use(). Those are the ones which are used when Smack is active. + # + # smackfsroot=* on /sys/fs/cgroup may be upstreamable, but smackfstransmute=System::Run + # is too distro specific (depends on Smack rules) and thus has to remain here. + sed -i -e 's;\("/sys/fs/cgroup", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfsroot=*\2;' \ + -e 's;\("/run", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfstransmute=System::Run\2;' \ + ${S}/src/core/mount-setup.c +} + +################################################################################## +# What follows is temporary. +# This is a solution to the Bug-AGL SPEC-539 +# (see https://jira.automotivelinux.org/browse/SPEC-539). +# +# It renames the file "touchscreen.rules" to "55-touchscreen.rules" +# This comes with the recipe systemd_230/234 of poky (meta/recipes-core/systemd) +# It should be removed when poky changes. +################################################################################## +do_install_prepend() { + mv ${WORKDIR}/touchscreen.rules ${WORKDIR}/55-touchscreen.rules || true +} + -- cgit 1.2.3-korg