X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=blobdiff_plain;f=meta-security%2Frecipes-core%2Fsystemd%2Fsystemd%2F0007-tizen-smack-Runs-systemd-journald-with.patch;fp=meta-security%2Frecipes-core%2Fsystemd%2Fsystemd%2F0007-tizen-smack-Runs-systemd-journald-with.patch;h=27a9d0bc6fe3707f6c52879b68da884b1eb271f6;hb=f70d712e4f505f5c5b50ae17f4f023d20a667568;hp=0000000000000000000000000000000000000000;hpb=3f962c7d202055777dd0238f12dbcf70f09ac07d;p=AGL%2Fmeta-agl.git diff --git a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch new file mode 100644 index 000000000..27a9d0bc6 --- /dev/null +++ b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch @@ -0,0 +1,37 @@ +From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001 +From: Casey Schaufler +Date: Thu, 19 Dec 2013 16:49:28 -0800 +Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^ + +Run systemd-journald with the hat ("^") Smack label. + +The journal daemon needs global read access to gather information +about the services spawned by systemd. The hat label is intended +for this purpose. The journal daemon is the only part of the +System domain that needs read access to the User domain. Giving +the journal daemon the hat label means that we can remove the +System domain's read access to the User domain. + +Upstream-Status: Inappropriate [configuration] + +Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370 +Signed-off-by: Casey Schaufler +--- + units/systemd-journald.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index a3540c6..745dd84 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -21,6 +21,7 @@ Restart=always + RestartSec=0 + NotifyAccess=all + StandardOutput=null ++SmackProcessLabel=^ + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE + WatchdogSec=1min + FileDescriptorStoreMax=1024 +-- +1.8.4.5 +