From: Matt Ranostay <matt.ranostay@konsulko.com>
Date: Thu, 12 Sep 2019 06:59:12 +0000 (+0300)
Subject: base-files: add /media to System::Shared SMACK label
X-Git-Tag: 8.0.2~11
X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F09%2F22409%2F2;p=AGL%2Fmeta-agl.git

base-files: add /media to System::Shared SMACK label

All media mountpoints should have the System::Shared label
to avoid access denials on multimedia items.

Bug-AGL: SPEC-2774
Change-Id: Ib9bb1b26a1950cacd5e1f384cbe19d4a4a6373d9
Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
---

diff --git a/meta-security/recipes-core/base-files/base-files_%.bbappend b/meta-security/recipes-core/base-files/base-files_%.bbappend
index a6af1821b..f0e340f5b 100644
--- a/meta-security/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-security/recipes-core/base-files/base-files_%.bbappend
@@ -56,6 +56,12 @@ pkg_postinst_${PN}_with-lsm-smack() {
     chsmack -t $D${sysconfdir}
     chsmack -a 'System::Shared' $D${sysconfdir}
 
+    # Same for /media. Any daemon running as "System" will get write access
+    # to everything.
+    install -d $D/media
+    chsmack -t $D/media
+    chsmack -a 'System::Shared' $D/media
+
     # Same for /var. Any daemon running as "System" will get write access
     # to everything.
     install -d $D${localstatedir}