connman+bluez5: Update rights for smack systems 27/18827/5
authorJosé Bollo <jose.bollo@iot.bzh>
Wed, 12 Dec 2018 13:27:48 +0000 (14:27 +0100)
committerJosé Bollo <jose.bollo@iot.bzh>
Tue, 18 Dec 2018 09:54:16 +0000 (10:54 +0100)
Reading the file /etc/resolv.conf, which is linked to
/run/connman/resolv.conf, is not possible for common users.

This change adds the setup of the directory /run/connman
that allows common applications to read that file.

To achieve this goal, the change uses the intended
tuning mechanism of systemd instead of using sed.
This is cleaner, so it has been adapted for bluez5 too.

Bug-AGL: SPEC-2006

Change-Id: I3d2a708be2a5c62664bfcf90757e9e5c080d6179
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf [new file with mode: 0644]
meta-security/recipes-connectivity/connman/connman_%.bbappend
meta-security/recipes-connectivity/connman/files/connman.service.conf [new file with mode: 0644]

index c62842d..3767681 100644 (file)
 # The related patch has been submitted to upstream too.
 # upstream link: http://permalink.gmane.org/gmane.linux.bluez.kernel/67993
 
-FIX_BLUEZ5_CAPABILITIES ??= ""
-FIX_BLUEZ5_CAPABILITIES_with-lsm-smack ??= "fix_bluez5_capabilities"
-do_install[postfuncs] += "${FIX_BLUEZ5_CAPABILITIES}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 
-fix_bluez5_capabilities () {
-    service="${D}/${systemd_unitdir}/system/bluetooth.service"
-    if [ -f "$service" ] &&
-        grep -q '^CapabilityBoundingSet=' "$service"; then
-        sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
-    fi
+SRC_URI_append_with-lsm-smack = "\
+  file://bluetooth.service.conf \
+"
+
+FILES_${PN} += "${systemd_unitdir}"
+
+do_install_append_with-lsm-smack() {
+  install -Dm0644 ${WORKDIR}/bluetooth.service.conf ${D}${systemd_unitdir}/system/bluetooth.service.d/smack.conf
 }
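Review bot: Removing `FIX_BLUEZ5_CAPABILITIES` takes away the only switch a distro had to keep CAP_MAC_OVERRIDE out of bluetooth.service on a Smack build; the drop-in is now installed whenever `with-lsm-smack` is active. The connman recipe loses `FIX_CONNMAN_CAPABILITIES` in the same way, and the context comment kept there still says the change "can be overridden by a distro via FIX_CONNMAN_CAPABILITIES", which is no longer true. A distro that had set either variable to empty will presumably now get the capability granted without any warning. Either keep a documented opt-out or reword that comment, for example `# and it is installed as the drop-in connman.service.d/smack.conf.`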
diff --git a/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf b/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf
new file mode 100644 (file)
index 0000000..b93ab4f
--- /dev/null
@@ -0,0 +1,2 @@
+[Service]
+CapabilityBoundingSet=CAP_MAC_OVERRIDE
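Review bot: This drop-in only matches the old sed edit if bluetooth.service itself already sets `CapabilityBoundingSet=`; the removed `fix_bluez5_capabilities` checked for that with `grep -q` before touching the unit, and nothing checks it now. As I read systemd.exec(5), repeated assignments are merged, so CAP_MAC_OVERRIDE is added to the upstream set. If upstream ever drops its own line, this would likely become the entire bounding set and the daemon would lose the capabilities it needs. The same applies to the `CapabilityBoundingSet=` line in connman.service.conf. A comment above the line would record the assumption, e.g. `# Added to the CapabilityBoundingSet= of bluetooth.service; relies on the unit defining one.`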
index f66c1e7..3b01049 100644 (file)
 # in which connmand runs, this change is not submitted upstream
 # and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES.
 
-FIX_CONNMAN_CAPABILITIES ??= ""
-FIX_CONNMAN_CAPABILITIES_with-lsm-smack ??= "fix_connman_capabilities"
-do_install[postfuncs] += "${FIX_CONNMAN_CAPABILITIES}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 
-fix_connman_capabilities () {
-    service="${D}/${systemd_unitdir}/system/connman.service"
-    if [ -f "$service" ] &&
-        grep -q '^CapabilityBoundingSet=' "$service"; then
-        sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
-    fi
+SRC_URI_append_with-lsm-smack = "\
+  file://connman.service.conf \
+"
+
+RDEPENDS_${PN}_append_with-lsm-smack = " smack"
+
+FILES_${PN} += "${systemd_unitdir}"
+
+do_install_append_with-lsm-smack() {
+  install -Dm0644 ${WORKDIR}/connman.service.conf ${D}${systemd_unitdir}/system/connman.service.d/smack.conf
 }
diff --git a/meta-security/recipes-connectivity/connman/files/connman.service.conf b/meta-security/recipes-connectivity/connman/files/connman.service.conf
new file mode 100644 (file)
index 0000000..6ebbf6a
--- /dev/null
@@ -0,0 +1,4 @@
+[Service]
+CapabilityBoundingSet=CAP_MAC_OVERRIDE
+ExecStartPre=+-/bin/mkdir -p /run/connman
+ExecStartPre=+-/usr/bin/chsmack -t -a System::Shared /run/connman
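Review bot: The `chsmack -t -a System::Shared /run/connman` step on the last line relabels the whole runtime directory and marks it transmuting, so presumably every file connmand later creates there becomes readable by common applications, not only resolv.conf. The commit message motivates resolv.conf alone, so the file should state that the wider sharing is intended, e.g. `# /run/connman is shared on purpose so apps can read resolv.conf; keep nothing sensitive here`. Both ExecStartPre lines also carry the `-` prefix, so a failed chsmack is ignored and connmand starts with the directory unlabelled, which brings back the unreadable resolv.conf with no error in the unit status. Consider dropping the `-` on the chsmack line so that failure is visible.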