1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally
# because systemd panics when booted without Smack support:
# systemd[1]: Cannot determine cgroup we are running in: No such file or directory
# systemd[1]: Failed to allocate manager object: No such file or directory
# [!!!!!!] Failed to allocate manager object, freezing.
#
# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network.
# We use the beginning of PV (unexpanded here to prevent a cyclic dependency
# during resolution apparently caused by ${SRCPV}) to pick the right set of
# patches.
#
# Patches are optional. Hopefully we won't need any for systemd >= 229.
SRC_URI_append_with-lsm-smack = " ${@d.getVar('SYSTEMD_SMACK_PATCHES_' + d.getVar('PV', False)[0:3], True) or ''}"
SYSTEMD_SMACK_PATCHES_216 = " \
file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch \
file://0004-tizen-smack-Handling-of-dev-v216.patch \
file://0005-tizen-smack-Handling-network-v216.patch \
file://0007-tizen-smack-Runs-systemd-journald-with-v216.patch \
"
SYSTEMD_SMACK_PATCHES_219 = " \
file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \
file://0004-tizen-smack-Handling-of-dev.patch \
file://0005-tizen-smack-Handling-network.patch \
file://0007-tizen-smack-Runs-systemd-journald-with.patch \
"
SYSTEMD_SMACK_PATCHES_225 = " \
file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \
file://0004-tizen-smack-Handling-of-dev.patch \
file://0005-tizen-smack-Handling-network-v225.patch \
file://0007-tizen-smack-Runs-systemd-journald-with.patch \
"
SYSTEMD_SMACK_PATCHES_228 = " \
file://0005-tizen-smack-Handling-network-v228.patch \
file://mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch \
"
# From Tizen .spec file.
EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System"
install_file() {
install -d $(dirname $1)
cat >>$1
chmod ${2:-0644} $1
}
# We need to emulate parts of the filesystem permissions from Tizen here.
# The part for regular files is in base-files.bbappend, but /var/log and
# /var/tmp point into /var/volatile (tmpfs) and get created anew during
# startup. We set these permissions directly after creating them via
# /etc/tmpfiles.d/00-create-volatile.conf
RDEPENDS_${PN}_append_with-lsm-smack = " smack"
do_install_append_with-lsm-smack() {
install_file ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf <<EOF
[Service]
ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)'
EOF
# Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>.
# Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664),
# but it was removed again (https://github.com/systemd/systemd/issues/1696) because
# util-linux mount will ignore smackfsroot when Smack is not active. However,
# busybox is not that intelligent.
#
# When using busybox mount, adding smackfsroot=* and booting without
# Smack (i.e. security=none), tmp.mount will fail with an error about
# "Bad mount option smackfsroot".
install_file ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf <<EOF
[Mount]
Options=smackfsroot=*
EOF
# Run systemd-journald with the hat ("^") Smack label.
#
# The journal daemon needs global read access to gather information
# about the services spawned by systemd. The hat label is intended
# for this purpose. The journal daemon is the only part of the
# System domain that needs read access to the User domain. Giving
# the journal daemon the hat label means that we can remove the
# System domain's read access to the User domain and we can avoid
# hard-coding a specific label name for that domain.
#
# Original author: Casey Schaufler <casey@schaufler-ca.com>
#
# This is considered a configuration change and thus distro specific.
install_file ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf <<EOF
[Service]
SmackProcessLabel=^
EOF
}
# Will get installed in ${sysconfdir}/udev/rules.d/ by base systemd recipe.
SRC_URI += "file://udev-smack-default.rules"
# A workaround for a missing space in a SRC_URI_append in a private layer elsewhere:
SRC_URI += ""
# Maintaining trivial, non-upstreamable configuration changes as patches
# is tedious. But in same cases (like early mounting of special directories)
# the configuration has to be in code. We make these changes here directly.
do_patch[prefuncs] += "patch_systemd"
do_patch[vardeps] += "patch_systemd"
patch_systemd() {
# Handling of /run and /sys/fs/cgroup. Make /run a transmuting directory to
# enable systemd communications with services in the User domain.
# Original patch by Michael Demeter <michael.demeter@intel.com>.
#
# We simplify the patching by touching only lines which check the result of
# mac_smack_use(). Those are the ones which are used when Smack is active.
#
# smackfsroot=* on /sys/fs/cgroup may be upstreamable, but smackfstransmute=System::Run
# is too distro specific (depends on Smack rules) and thus has to remain here.
sed -i -e 's;\("/sys/fs/cgroup", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfsroot=*\2;' \
-e 's;\("/run", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfstransmute=System::Run\2;' \
${S}/src/core/mount-setup.c
}
|
