-# From Tizen .spec file.
-EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System"
-
-install_file() {
- install -d $(dirname $1)
- cat >>$1
- chmod ${2:-0644} $1
-}
-
-# We need to emulate parts of the filesystem permissions from Tizen here.
-# The part for regular files is in base-files.bbappend, but /var/log and
-# /var/tmp point into /var/volatile (tmpfs) and get created anew during
-# startup. We set these permissions directly after creating them via
-# /etc/tmpfiles.d/00-create-volatile.conf
-RDEPENDS_${PN}_append_with-lsm-smack = " smack"
-do_install_append_with-lsm-smack() {
- install_file ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf <<EOF
-[Service]
-ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)'
-EOF
-
- # Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>.
- # Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664),
- # but it was removed again (https://github.com/systemd/systemd/issues/1696) because
- # util-linux mount will ignore smackfsroot when Smack is not active. However,
- # busybox is not that intelligent.
- #
- # When using busybox mount, adding smackfsroot=* and booting without
- # Smack (i.e. security=none), tmp.mount will fail with an error about
- # "Bad mount option smackfsroot".
- install_file ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf <<EOF
-[Mount]
-Options=smackfsroot=*
-EOF
-
- # Run systemd-journald with the hat ("^") Smack label.
- #
- # The journal daemon needs global read access to gather information
- # about the services spawned by systemd. The hat label is intended
- # for this purpose. The journal daemon is the only part of the
- # System domain that needs read access to the User domain. Giving
- # the journal daemon the hat label means that we can remove the
- # System domain's read access to the User domain and we can avoid
- # hard-coding a specific label name for that domain.
- #
- # Original author: Casey Schaufler <casey@schaufler-ca.com>
- #
- # This is considered a configuration change and thus distro specific.
- install_file ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf <<EOF
-[Service]
-SmackProcessLabel=^
-EOF
-}