base-files: add /media to System::Shared SMACK label

All media mountpoints should have the System::Shared label
to avoid access denials on multimedia items.

Bug-AGL: SPEC-2774
Change-Id: Ib9bb1b26a1950cacd5e1f384cbe19d4a4a6373d9
Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>

diff --git a/meta-security/recipes-core/base-files/base-files_%.bbappend b/meta-security/recipes-core/base-files/base-files_%.bbappend
index a6af182..f0e340f 100644 (file)
--- a/meta-security/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-security/recipes-core/base-files/base-files_%.bbappend
@@ -56,6 +56,12 @@ pkg_postinst_${PN}_with-lsm-smack() {
     chsmack -t $D${sysconfdir}
     chsmack -a 'System::Shared' $D${sysconfdir}
 
+    # Same for /media. Any daemon running as "System" will get write access
+    # to everything.
+    install -d $D/media
+    chsmack -t $D/media
+    chsmack -a 'System::Shared' $D/media
+
     # Same for /var. Any daemon running as "System" will get write access
     # to everything.
     install -d $D${localstatedir}