From: José Bollo
Date: Wed, 12 Dec 2018 13:27:48 +0000 (+0100)
Subject: connman+bluez5: Update rights for smack systems
X-Git-Tag: guppy_6.99.3~21
X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F27%2F18827%2F5;p=AGL%2Fmeta-agl.git
connman+bluez5: Update rights for smack systems
Reading the file /etc/resolv.conf that is linked to /run/connman/resolv.conf is not possible for common users. This changes add the setting of the directory /run/connman that allows common applications to read that file. To achieves this goal, that changes use the intended tuning mechanism of systemd instead of using sed. This is cleaner. Thus this as been adapted for bluez5 too.
Bug-AGL: SPEC-2006
Change-Id: I3d2a708be2a5c62664bfcf90757e9e5c080d6179
Signed-off-by: José Bollo
---
diff --git a/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend b/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
index c62842d5b..3767681b0 100644
--- a/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
+++ b/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
@@ -42,14 +42,14 @@
 # The related patch has been submitted to upstream too.
 # upstream link: http://permalink.gmane.org/gmane.linux.bluez.kernel/67993
-FIX_BLUEZ5_CAPABILITIES ??= ""
-FIX_BLUEZ5_CAPABILITIES_with-lsm-smack ??= "fix_bluez5_capabilities"
-do_install[postfuncs] += "${FIX_BLUEZ5_CAPABILITIES}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-fix_bluez5_capabilities () {
- service="${D}/${systemd_unitdir}/system/bluetooth.service"
- if [ -f "$service" ] &&
- grep -q '^CapabilityBoundingSet=' "$service"; then
- sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
- fi
+SRC_URI_append_with-lsm-smack = "\
+ file://bluetooth.service.conf \
+"
+
+FILES_${PN} += "${systemd_unitdir}"
+
+do_install_append_with-lsm-smack() {
+ install -Dm0644 ${WORKDIR}/bluetooth.service.conf ${D}${systemd_unitdir}/system/bluetooth.service.d/smack.conf
 }
diff --git a/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf b/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf
new file mode 100644
index 000000000..b93ab4fee
--- /dev/null
+++ b/meta-security/recipes-connectivity/bluez5/files/bluetooth.service.conf
@@ -0,0 +1,2 @@
+[Service]
+CapabilityBoundingSet=CAP_MAC_OVERRIDE
diff --git a/meta-security/recipes-connectivity/connman/connman_%.bbappend b/meta-security/recipes-connectivity/connman/connman_%.bbappend
index f66c1e79b..3b010490d 100644
--- a/meta-security/recipes-connectivity/connman/connman_%.bbappend
+++ b/meta-security/recipes-connectivity/connman/connman_%.bbappend
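Review bot: The drop-in replaces a guarded edit with an unconditional one: the removed fix_bluez5_capabilities only prepended CAP_MAC_OVERRIDE when the unit already carried a `CapabilityBoundingSet=` line, whereas smack.conf's `CapabilityBoundingSet=CAP_MAC_OVERRIDE` is applied regardless. systemd merges repeated CapabilityBoundingSet= lines by OR, so as long as the upstream unit keeps its own line the net effect matches the old sed; if a later bluez5 ever shipped without one, the drop-in would become the whole bounding set and strip every other capability from bluetoothd, so a comment next to do_install_append_with-lsm-smack such as `# smack.conf is merged (OR) with the unit's own CapabilityBoundingSet=; it must never be the only bounding set` would record that assumption. The same applies to the connman bbappend hunk below. Separately, `FILES_${PN} += "${systemd_unitdir}"` packages the entire unit directory and is not limited to the with-lsm-smack override; `FILES_${PN}_append_with-lsm-smack = " ${systemd_unitdir}/system/bluetooth.service.d/smack.conf"` would be narrower, in both bbappends.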
@@ -19,14 +19,16 @@
 # in which connmand runs, this change is not submitted upstream
 # and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES.
-FIX_CONNMAN_CAPABILITIES ??= ""
-FIX_CONNMAN_CAPABILITIES_with-lsm-smack ??= "fix_connman_capabilities"
-do_install[postfuncs] += "${FIX_CONNMAN_CAPABILITIES}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-fix_connman_capabilities () {
- service="${D}/${systemd_unitdir}/system/connman.service"
- if [ -f "$service" ] &&
- grep -q '^CapabilityBoundingSet=' "$service"; then
- sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
- fi
+SRC_URI_append_with-lsm-smack = "\
+ file://connman.service.conf \
+"
+
+RDEPENDS_${PN}_append_with-lsm-smack = " smack"
+
+FILES_${PN} += "${systemd_unitdir}"
+
+do_install_append_with-lsm-smack() {
+ install -Dm0644 ${WORKDIR}/connman.service.conf ${D}${systemd_unitdir}/system/connman.service.d/smack.conf
 }
diff --git a/meta-security/recipes-connectivity/connman/files/connman.service.conf b/meta-security/recipes-connectivity/connman/files/connman.service.conf
new file mode 100644
index 000000000..6ebbf6ad1
--- /dev/null
+++ b/meta-security/recipes-connectivity/connman/files/connman.service.conf
@@ -0,0 +1,4 @@
+[Service]
+CapabilityBoundingSet=CAP_MAC_OVERRIDE
+ExecStartPre=+-/bin/mkdir -p /run/connman
+ExecStartPre=+-/usr/bin/chsmack -t -a System::Shared /run/connman
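Review bot: The `-` prefix on the chsmack ExecStartPre line in connman.service.conf makes the relabel of /run/connman best-effort, so if chsmack fails the service still starts with the directory unreadable to unprivileged applications and nothing fails visibly; since the bbappend now adds `RDEPENDS_${PN}_append_with-lsm-smack = " smack"`, chsmack is guaranteed present and `ExecStartPre=+/usr/bin/chsmack -t -a System::Shared /run/connman` (without `-`) would turn a broken relabel into a unit failure instead of a silent regression. The `+` prefix does need to stay, because setting the Smack label requires CAP_MAC_ADMIN, which the merged bounding set presumably does not grant to connmand itself. Note also that `-t` only makes resolv.conf inherit System::Shared when the process creating it has transmute ('t') access to that label, which depends on the distro's Smack rules rather than on this change; a one-line comment in the drop-in recording that prerequisite, e.g. `# transmute relies on a Smack rule granting connmand 't' on System::Shared`, would help the next maintainer.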