From 7d50de9020901a843095568462a23b4a1ae5f6c3 Mon Sep 17 00:00:00 2001
From: Jose Bollo <jose.bollo@iot.bzh>
Date: Wed, 22 Jan 2020 18:27:58 +0100
Subject: Improve setup for solving access issues

While developing the binding afb-test, the export of
the binding afm-test, using the "provided-binding" feature,
turned out to be broken because of the security setup.

Bug-AGL: SPEC-2795

Change-Id: Ifc11a8b6a0f20b25d34a8f6b2f81f4c8b5f98238
Signed-off-by: Jose Bollo <jose.bollo@iot.bzh>
---
 conf/system/afm-system-setup.sh.in | 18 +++++++-------
 conf/system/afm-user-setup.sh.in   | 48 +++++++++++++++++---------------------
 2 files changed, 29 insertions(+), 37 deletions(-)

(limited to 'conf')

diff --git a/conf/system/afm-system-setup.sh.in b/conf/system/afm-system-setup.sh.in
index b7a3c5d..f70a530 100644
--- a/conf/system/afm-system-setup.sh.in
+++ b/conf/system/afm-system-setup.sh.in
@@ -3,22 +3,20 @@
 pdir=@afm_platform_rundir@
 
 dodir() {
-	if ! test -e $1; then
-		mkdir -m 755  $1
-		chsmack -a '*' -T $1
-	fi
+	for x; do
+		test -e "$x" || mkdir -m 755  "$x"
+		chmod 755 "$x"
+		chsmack -T -a 'System::Shared' "$x"
+	done
 }
 
-dodir $pdir
-dodir $pdir/display
-dodir $pdir/apis
-dodir $pdir/apis/ws
-dodir $pdir/apis/link
+dodir $pdir $pdir/display $pdir/apis $pdir/apis/ws $pdir/apis/link
+
 @create_platform_debug@
 
 spdir=@afm_scope_platform_dir@
 if ! test -e $spdir; then
 	mkdir -m 755 $spdir
-	chsmack -a '*' -T $spdir
+	chsmack -T -a 'User::App-Shared' $spdir
 	chown daemon:daemon $spdir
 fi
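Review bot: The `spdir` block at the end of this hunk still sets the Smack label and owner only when it creates the directory, while `dodir` above was changed to re-apply mode and label on every run; an `$spdir` that already exists keeps whatever label it had (for example the old `'*'`). To make it consistent, use `test -e "$spdir" || mkdir -m 755 "$spdir"` followed by an unconditional `chsmack -T -a 'User::App-Shared' "$spdir"` and `chown daemon:daemon "$spdir"`. The arguments of the `dodir $pdir ...` call and the `$spdir` uses are also still unquoted, unlike the expansions inside the new loop. Neither `dodir` nor this block checks that `mkdir` succeeded, or that an existing path is really a directory, before changing its mode and label.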
diff --git a/conf/system/afm-user-setup.sh.in b/conf/system/afm-user-setup.sh.in
index 058420d..e1c1070 100644
--- a/conf/system/afm-user-setup.sh.in
+++ b/conf/system/afm-user-setup.sh.in
@@ -1,36 +1,30 @@
 #!/bin/sh
 
-uid=$1
-udir=/run/user/$uid
-
-dodir_star() {
-	if ! test -e $1; then
-		mkdir -m 700 $1
-		chown $uid:$uid $1
-	fi
-	chsmack -a '*' $1
-}
-
-dodir_star $udir
-dodir_star $udir/apis
-dodir_star $udir/apis/ws
-dodir_star $udir/apis/link
-
-dodir_usrshr() {
-	if ! test -e $1; then
-		mkdir -m 700 $1
-		chown $uid:$uid $1
-	fi
-	chsmack -a User::App-Shared -t $1
+uid="$1"
+bdir=/run/user
+udir="$bdir/$uid"
+
+dodir() {
+	local x smackset="$1"
+	shift
+	for x; do
+		test -e "$x" || mkdir -m 700 "$x"
+		chmod 700 "$x"
+		chown "$uid:$uid" "$x"
+		chsmack $smackset "$x"
+	done
 }
 
-dodir_usrshr $udir/usrshr
+dodir '-T -a User::App-Shared' "$bdir" "$udir"
+dodir '-t -a User::App-Shared'  "$udir/usrshr"
+dodir '-T -a System::Shared' "$udir/apis"
+dodir '-t -a System::Shared' "$udir/apis/ws" "$udir/apis/link"
 
 doln() {
-	if ! test -e $2; then
-		ln -sf $1 $2
-		chown -h $uid:$uid $2
-		chsmack -a '*' $2
+	if ! test -e "$2"; then
+		ln -sf "$1" "$2"
+		chown -h "$uid:$uid" "$2"
+		chsmack -a 'System::Shared' "$2"
 	fi
 }
 
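Review bot: The first `dodir` call passes `"$bdir"`, so `/run/user` itself gets `chmod 700` and `chown "$uid:$uid"` on every run; that directory is the parent of every user's runtime directory, and afterwards only the last uid the script ran for can traverse it. If the intent is only to label it, keep it out of the ownership loop: `chsmack -T -a User::App-Shared "$bdir"` followed by `dodir '-T -a User::App-Shared' "$udir"`. Separately, `chmod` and `chown` now also run on paths that already exist, and `chown` without `-h` follows symlinks, so, assuming the script runs privileged (it chowns to `$uid`), a pre-existing link under the user-owned `$udir` would redirect the change; a guard such as `if test -L "$x" || ! test -d "$x"; then continue; fi` before them would cover that. `$uid` comes from `$1` unchecked, so an empty or non-numeric value yields paths outside the intended tree; a check like `case "$uid" in ''|*[!0-9]*) exit 1;; esac` would reject it. `local` is also not POSIX under `#!/bin/sh`, although the target shell presumably supports it.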
-- 
cgit