1 RDEPENDS:${PN}:append:with-lsm-smack = " smack"
2 PACKAGE_WRITE_DEPS:append:with-lsm-smack = " smack-native"
5 install -m 0700 -d ${D}/${sysconfdir}/skel
6 chmod -R 0700 ${D}/${sysconfdir}/skel
7 install -m 0700 -d ${D}/${sysconfdir}/skel/app-data
8 install -m 0700 -d ${D}/${sysconfdir}/skel/.config
9 install -m 0755 -d ${D}/var
10 if [ -d ${D}/usr/local ]; then
11 mv ${D}/usr/local ${D}/var
13 install -m 0755 -d ${D}/var/local
15 ln -s ../var/local ${D}/usr/local
18 do_install:append:with-lsm-smack () {
19 install -d ${D}/${sysconfdir}/smack/accesses.d
20 cat > ${D}/${sysconfdir}/smack/accesses.d/default-access-domains-no-user <<EOF
21 System User::App-Shared rwxat
22 System User::Home rwxat
24 chmod 0644 ${D}/${sysconfdir}/smack/accesses.d/default-access-domains-no-user
27 pkg_postinst:${PN}:append:with-lsm-smack() {
28 chsmack -r -a 'User::Home' -t -D $D/${sysconfdir}/skel
29 chsmack -a 'User::App-Shared' -D $D/${sysconfdir}/skel/app-data
30 cp -rTf --preserve=all $D/${sysconfdir}/skel $D/${ROOT_HOME}
35 # Install default Smack rules, copied from a running Tizen IVI 3.0.
36 # Corresponds to manifest file from default-access-domains in Tizen:
37 # https://review.tizen.org/git?p=platform/core/security/default-ac-domains.git;a=blob;f=packaging/default-ac-domains.manifest
38 do_install:append:with-lsm-smack () {
39 install -d ${D}/${sysconfdir}/smack/accesses.d
40 cat >${D}/${sysconfdir}/smack/accesses.d/default-access-domains <<EOF
42 System System::Log rwxa--
43 System System::Run rwxat-
44 System System::Shared rwxat-
52 chmod 0644 ${D}/${sysconfdir}/smack/accesses.d/default-access-domains
54 install -d ${D}/${libdir}/tmpfiles.d
55 cat >${D}/${libdir}/tmpfiles.d/packet-forwarding.conf <<EOF
56 t /proc/sys/net/ipv4/conf/all/forwarding - - - - security.SMACK64=*
57 t /proc/sys/net/ipv6/conf/all/forwarding - - - - security.SMACK64=*
58 t /proc/sys/net/ipv4/conf/default/forwarding - - - - security.SMACK64=*
59 t /proc/sys/net/ipv6/conf/default/forwarding - - - - security.SMACK64=*
61 chmod 0644 ${D}/${libdir}/tmpfiles.d/packet-forwarding.conf
63 install -d ${D}/${base_libdir}/udev/rules.d
64 cat >${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules <<EOF
65 SUBSYSTEM=="net", ENV{ID_NET_NAME}=="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/%k/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/%k/*'"
67 SUBSYSTEM=="net", ENV{ID_NET_NAME}!="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/\$env{ID_NET_NAME}/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/\$env{ID_NET_NAME}/*'"
69 chmod 0644 ${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules
72 # Do not rely on an rpm with manifest support. Apparently that approach
73 # will no longer be used in Tizen 3.0. Instead set special Smack attributes
74 # via postinst. This is much easier to use with bitbake, too:
75 # - no need to maintain a patched rpm
76 # - works for directories which are not packaged by default when empty
77 RDEPENDS:${PN}:append:with-lsm-smack = " smack"
78 DEPENDS:append:with-lsm-smack = " smack-native"
79 pkg_postinst:${PN}:with-lsm-smack() {
82 # https://review.tizen.org/gerrit/gitweb?p=platform/upstream/filesystem.git;a=blob;f=packaging/filesystem.manifest:
83 # <filesystem path="/etc" label="System::Shared" type="transmutable" />
84 install -d $D${sysconfdir}
85 # This has no effect on files installed into /etc during image construction
86 # because pseudo does not know the special semantic of SMACK::TRANSMUTE.
87 # To avoid having different xattrs on files inside /etc when pre-installed
88 # in an image vs. installed on a device, the xattr-images.bbclass has
89 # a workaround for this deficiency in pseudo.
90 chsmack -t $D${sysconfdir}
91 chsmack -a 'System::Shared' $D${sysconfdir}
93 # Same for /media. Any daemon running as "System" will get write access
97 chsmack -a 'System::Shared' $D/media
99 # Same for /var. Any daemon running as "System" will get write access
101 install -d $D${localstatedir}
102 chsmack -t $D${localstatedir}
103 chsmack -a 'System::Shared' $D${localstatedir}
105 # <filesystem path="/tmp" label="*" />
107 chsmack -a '*' $D/tmp
109 # <filesystem path="/var/log" label="System::Log" type="transmutable" />
110 # <filesystem path="/var/tmp" label="*" />
111 # These are in a file system mounted by systemd. We patch the systemd service
112 # to set these attributes.