Code Review / AGL / meta-agl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
systemd: Refactor build using smack-system-setup
[AGL/meta-agl.git] / meta-security / recipes-core / smack-system-setup / files / tmp.mount.conf
diff --git a/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf
new file mode 100644 (file)
index 0000000..388986e
--- /dev/null
+++ b/meta-security/recipes-core/smack-system-setup/files/tmp.mount.conf
@@ -0,0 +1,12 @@
+# Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>.
+# Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664),
+# but it was removed again (https://github.com/systemd/systemd/issues/1696) because
+# util-linux mount will ignore smackfsroot when Smack is not active. However,
+# busybox is not that intelligent.
+#
+# When using busybox mount, adding smackfsroot=* and booting without
+# Smack (i.e. security=none), tmp.mount will fail with an error about
+# "Bad mount option smackfsroot".
+[Mount]
+Options=smackfsroot=*
+
meta-agl layer (core AGL)