summaryrefslogtreecommitdiffstats
path: root/meta-security/recipes-core/systemd/systemd_%.bbappend
blob: 65e28f9dec3b7ae0822332001f06387a45dacf74 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"

# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally
# because systemd panics when booted without Smack support:
# systemd[1]: Cannot determine cgroup we are running in: No such file or directory
# systemd[1]: Failed to allocate manager object: No such file or directory
# [!!!!!!] Failed to allocate manager object, freezing.
#
# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network.
# We use the beginning of PV (unexpanded here to prevent a cyclic dependency
# during resolution apparently caused by ${SRCPV}) to pick the right set of
# patches.
#
# Patches are optional. Hopefully we won't need any for systemd >= 229.
SRC_URI_append_with-lsm-smack = " ${@d.getVar('SYSTEMD_SMACK_PATCHES_' + d.getVar('PV', False)[0:3], True) or ''}"

SYSTEMD_SMACK_PATCHES_216 = " \
file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch \
file://0004-tizen-smack-Handling-of-dev-v216.patch \
file://0005-tizen-smack-Handling-network-v216.patch \
file://0007-tizen-smack-Runs-systemd-journald-with-v216.patch \
"

SYSTEMD_SMACK_PATCHES_219 = " \
file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \
file://0004-tizen-smack-Handling-of-dev.patch \
file://0005-tizen-smack-Handling-network.patch \
file://0007-tizen-smack-Runs-systemd-journald-with.patch \
"
SYSTEMD_SMACK_PATCHES_225 = " \
file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \
file://0004-tizen-smack-Handling-of-dev.patch \
file://0005-tizen-smack-Handling-network-v225.patch \
file://0007-tizen-smack-Runs-systemd-journald-with.patch \
"

SYSTEMD_SMACK_PATCHES_228 = " \
file://0005-tizen-smack-Handling-network-v228.patch \
file://mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch \
"

# From Tizen .spec file.
EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System"

install_file() {
    install -d $(dirname $1)
    cat >>$1
    chmod ${2:-0644} $1
}

# We need to emulate parts of the filesystem permissions from Tizen here.
# The part for regular files is in base-files.bbappend, but /var/log and
# /var/tmp point into /var/volatile (tmpfs) and get created anew during
# startup. We set these permissions directly after creating them via
# /etc/tmpfiles.d/00-create-volatile.conf
RDEPENDS_${PN}_append_with-lsm-smack = " smack"
do_install_append_with-lsm-smack() {
    install_file ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf <<EOF
[Service]
ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)'
EOF

    # Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>.
    # Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664),
    # but it was removed again (https://github.com/systemd/systemd/issues/1696) because
    # util-linux mount will ignore smackfsroot when Smack is not active. However,
    # busybox is not that intelligent.
    #
    # When using busybox mount, adding smackfsroot=* and booting without
    # Smack (i.e. security=none), tmp.mount will fail with an error about
    # "Bad mount option smackfsroot".
    install_file ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf <<EOF
[Mount]
Options=smackfsroot=*
EOF

    # Run systemd-journald with the hat ("^") Smack label.
    #
    # The journal daemon needs global read access to gather information
    # about the services spawned by systemd. The hat label is intended
    # for this purpose. The journal daemon is the only part of the
    # System domain that needs read access to the User domain. Giving
    # the journal daemon the hat label means that we can remove the
    # System domain's read access to the User domain and we can avoid
    # hard-coding a specific label name for that domain.
    #
    # Original author: Casey Schaufler <casey@schaufler-ca.com>
    #
    # This is considered a configuration change and thus distro specific.
    install_file ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf <<EOF
[Service]
SmackProcessLabel=^
EOF
}

# Will get installed in ${sysconfdir}/udev/rules.d/ by base systemd recipe.
SRC_URI += "file://udev-smack-default.rules"

# A workaround for a missing space in a SRC_URI_append in a private layer elsewhere:
SRC_URI += ""

# Maintaining trivial, non-upstreamable configuration changes as patches
# is tedious. But in same cases (like early mounting of special directories)
# the configuration has to be in code. We make these changes here directly.
do_patch[prefuncs] += "patch_systemd"
do_patch[vardeps] += "patch_systemd"
patch_systemd() {
    # Handling of /run and /sys/fs/cgroup. Make /run a transmuting directory to
    # enable systemd communications with services in the User domain.
    # Original patch by Michael Demeter <michael.demeter@intel.com>.
    #
    # We simplify the patching by touching only lines which check the result of
    # mac_smack_use(). Those are the ones which are used when Smack is active.
    #
    # smackfsroot=* on /sys/fs/cgroup may be upstreamable, but smackfstransmute=System::Run
    # is too distro specific (depends on Smack rules) and thus has to remain here.
    sed -i -e 's;\("/sys/fs/cgroup", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfsroot=*\2;' \
           -e 's;\("/run", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfstransmute=System::Run\2;' \
           ${S}/src/core/mount-setup.c
}