X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;f=meta-security%2Frecipes-core%2Fsystemd%2Fsystemd%2F0005-tizen-smack-Handling-network-v216.patch;fp=meta-security%2Frecipes-core%2Fsystemd%2Fsystemd%2F0005-tizen-smack-Handling-network-v216.patch;h=3d69bb2a82d7a22508c652aed830702a34200cca;hb=f70d712e4f505f5c5b50ae17f4f023d20a667568;hp=0000000000000000000000000000000000000000;hpb=3f962c7d202055777dd0238f12dbcf70f09ac07d;p=AGL%2Fmeta-agl.git diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch new file mode 100644 index 000000000..3d69bb2a8 --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch @@ -0,0 +1,107 @@ +From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001 +From: Casey Schaufler +Date: Fri, 8 Nov 2013 09:42:26 -0800 +Subject: [PATCH 5/9] tizen-smack: Handling network + +- Set Smack ambient to match run label +- Set Smack netlabel host rules + +Set Smack ambient to match run label +------------------------------------ +Set the Smack networking ambient label to match the +run label of systemd. System services may expect to +communicate with external services over IP. Setting +the ambient label assigns that label to IP packets +that do not include CIPSO headers. This allows systemd +and the services it spawns access to unlabeled IP +packets, and hence external services. + +A system may choose to restrict network access to +particular services later in the startup process. +This is easily done by resetting the ambient label +elsewhere. + +Set Smack netlabel host rules +----------------------------- +If SMACK_RUN_LABEL is defined set all other hosts to be +single label hosts at the specified label. Set the loopback +address to be a CIPSO host. + +If any netlabel host rules are defined in /etc/smack/netlabel.d +install them into the smackfs netlabel interface. + +Upstream-Status: Pending + +--- + src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++- + 1 file changed, 32 insertions(+), 1 deletion(-) + +diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c +index 59f6832..33dc1ca 100644 +--- a/src/core/smack-setup.c ++++ b/src/core/smack-setup.c +@@ -42,6 +42,7 @@ + + #define SMACK_CONFIG "/etc/smack/accesses.d/" + #define CIPSO_CONFIG "/etc/smack/cipso.d/" ++#define NETLABEL_CONFIG "/etc/smack/netlabel.d/" + + #ifdef HAVE_SMACK + +@@ -146,6 +147,19 @@ int smack_setup(bool *loaded_policy) { + if (r) + log_warning("Failed to set SMACK label \"%s\" on self: %s", + SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL); ++ if (r) ++ log_warning("Failed to set SMACK ambient label \"%s\": %s", ++ SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/netlabel", ++ "0.0.0.0/0 " SMACK_RUN_LABEL); ++ if (r) ++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", ++ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r)); ++ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO"); ++ if (r) ++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s", ++ "127.0.0.1 -CIPSO", strerror(-r)); + #endif + + r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG); +@@ -155,14 +169,31 @@ int smack_setup(bool *loaded_policy) { + return 0; + case ENOENT: + log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found"); +- return 0; ++ break; + case 0: + log_info("Successfully loaded Smack/CIPSO policies."); +- return 0; ++ break; + default: + log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.", + strerror(abs(r))); ++ break; ++ } ++ ++ r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG); ++ switch(r) { ++ case -ENOENT: ++ log_debug("Smack/CIPSO is not enabled in the kernel."); + return 0; ++ case ENOENT: ++ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found"); ++ break; ++ case 0: ++ log_info("Successfully loaded Smack network host rules."); ++ break; ++ default: ++ log_warning("Failed to load Smack network host rules: %s, ignoring.", ++ strerror(abs(r))); ++ break; + } + + *loaded_policy = true; +-- +1.8.4.5 +