systemd: Cleanup of recipe of meta-security 73/18873/3
authorJosé Bollo <jose.bollo@iot.bzh>
Thu, 13 Dec 2018 13:33:55 +0000 (14:33 +0100)
committerStéphane Desneux <stephane.desneux@iot.bzh>
Fri, 14 Dec 2018 21:32:04 +0000 (21:32 +0000)
The recipe for systemd that belongs to meta-security
was carrying a lot of history, probably for no purpose.

If history is needed, curious people can still refer to
https://github.com/intel/meta-intel-iot-security

Change-Id: I8762da7feb2084de2a97025498eb47ef815c7954
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
12 files changed:
meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch [deleted file]
meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch [deleted file]
meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch [deleted file]
meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch [deleted file]
meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch [deleted file]
meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch [deleted file]
meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch [deleted file]
meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch [deleted file]
meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch [deleted file]
meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch [deleted file]
meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch [deleted file]
meta-security/recipes-core/systemd/systemd_234.bbappend

diff --git a/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch
deleted file mode 100644 (file)
index 2ff51f8..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-From da574755b8abe1d5fb9151f901ccea51d40d9509 Mon Sep 17 00:00:00 2001
-From: Michael Demeter <michael.demeter@intel.com>
-Date: Fri, 30 Oct 2015 11:25:50 +0100
-Subject: [PATCH] tizen-smack: Handling of /run and /sys/fs/cgroup
-
-Make /run a transmuting directory to enable systemd
-communications with services in the User domain.
-
-Upstream-Status: Pending
-
-Change-Id: I9e23b78d17a108d8e56ad85a9e839b6ccbe4feff
----
- src/core/mount-setup.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
-index cc2633e..3dc7cd7 100644
---- a/src/core/mount-setup.c
-+++ b/src/core/mount-setup.c
-@@ -85,19 +85,23 @@ static const MountPoint mount_table[] = {
-           use_smack,  MNT_FATAL },
-         { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-           use_smack,  MNT_FATAL },
--#endif
-+#else
-         { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-           NULL,       MNT_FATAL|MNT_IN_CONTAINER },
-+#endif
-         { "devpts",     "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
-           NULL,       MNT_IN_CONTAINER },
- #ifdef HAVE_SMACK
--        { "tmpfs",      "/run",                      "tmpfs",      "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-+        { "tmpfs",      "/run",                      "tmpfs",      "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-           use_smack,  MNT_FATAL },
--#endif
-+        { "tmpfs",      "/sys/fs/cgroup",            "tmpfs",      "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
-+          use_smack,  MNT_IN_CONTAINER },
-+#else
-         { "tmpfs",      "/run",                      "tmpfs",      "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-           NULL,       MNT_FATAL|MNT_IN_CONTAINER },
-         { "tmpfs",      "/sys/fs/cgroup",            "tmpfs",      "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
-           NULL,       MNT_FATAL|MNT_IN_CONTAINER },
-+#endif
-         { "cgroup",     "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
-           NULL,       MNT_IN_CONTAINER },
-         { "cgroup",     "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
--- 
-2.1.4
-
diff --git a/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch
deleted file mode 100644 (file)
index a4a3e50..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-From 831d552a9589bb2b99c042d01672409efa3d94fc Mon Sep 17 00:00:00 2001
-From: Michael Demeter <michael.demeter@intel.com>
-Date: Fri, 11 Oct 2013 15:37:57 -0700
-Subject: [PATCH 3/9] tizen-smack: Handling of /run and /sys/fs/cgroup
-
-Make /run a transmuting directory to enable systemd
-communications with services in the User domain.
-
-Upstream-Status: Pending
-
-Change-Id: I9e23b78d17a108d8e56ad85a9e839b6ccbe4feff
----
- src/core/mount-setup.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
-index 521545e..ba0867c 100644
---- a/src/core/mount-setup.c
-+++ b/src/core/mount-setup.c
-@@ -85,19 +85,23 @@ static const MountPoint mount_table[] = {
-           mac_smack_use, MNT_FATAL                  },
-         { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-           mac_smack_use, MNT_FATAL                  },
--#endif
-+#else
-         { "tmpfs",       "/dev/shm",                  "tmpfs",      "mode=1777",               MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-+#endif
-         { "devpts",      "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
-           NULL,          MNT_IN_CONTAINER           },
- #ifdef HAVE_SMACK
--        { "tmpfs",       "/run",                      "tmpfs",      "mode=755,smackfsroot=*",  MS_NOSUID|MS_NODEV|MS_STRICTATIME,
--          mac_smack_use, MNT_FATAL                  },
--#endif
-+        { "tmpfs",      "/run",                      "tmpfs",      "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-+          mac_smack_use,  MNT_FATAL },
-+        { "tmpfs",      "/sys/fs/cgroup",            "tmpfs",      "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
-+          mac_smack_use,  MNT_IN_CONTAINER },
-+#else
-         { "tmpfs",       "/run",                      "tmpfs",      "mode=755",                MS_NOSUID|MS_NODEV|MS_STRICTATIME,
-           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-         { "tmpfs",       "/sys/fs/cgroup",            "tmpfs",      "mode=755",                MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
-           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-+#endif
-         { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
-           NULL,          MNT_IN_CONTAINER           },
-         { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd",       MS_NOSUID|MS_NOEXEC|MS_NODEV,
--- 
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch
deleted file mode 100644 (file)
index 88c100f..0000000
+++ /dev/null
@@ -1,82 +0,0 @@
-From 468ef790a7a0e53c390cec9c63090a0ae04a4d58 Mon Sep 17 00:00:00 2001
-From: Michael Demeter <michael.demeter@intel.com>
-Date: Fri, 11 Oct 2013 15:37:57 -0700
-Subject: [PATCH 4/9] tizen-smack: Handling of /dev
-
-Smack enabled systems need /dev special devices correctly labeled
-
-- Add AC_DEFINE for HAVE_SMACK to configure.ac
-- Add Check for smack in Makefile.am to include smack default rules
-- Add smack default rules to label /dev/xxx correctly for access
-
-Upstream-Status: Inappropriate [configuration]
-
-Change-Id: Iebe2e349cbedb3013abdf32edb55e9310f1d17f5
----
- configure.ac                      |  2 ++
- Makefile.am                       |  5 +++++
- rules/55-udev-smack-default.rules | 23 +++++++++++++++++++++++
- 3 files changed, 30 insertions(+)
- create mode 100644 rules/55-udev-smack-default.rules
-
-diff --git a/configure.ac b/configure.ac
-index 18b7198..05f49ed 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -635,6 +635,8 @@ if test "x${have_smack}" = xyes ; then
-         AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available])
- fi
-+AM_CONDITIONAL([HAVE_SMACK], [test "x$have_smack" = "xyes"])
-+
- # ------------------------------------------------------------------------------
- AC_ARG_ENABLE([gcrypt],
-         AS_HELP_STRING([--disable-gcrypt],[Disable optional GCRYPT support]),
-diff --git a/Makefile.am b/Makefile.am
-index bf04d31..1a05607 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -3108,6 +3108,11 @@ dist_udevrules_DATA += \
- nodist_udevrules_DATA += \
-       rules/99-systemd.rules
-+if HAVE_SMACK
-+dist_udevrules_DATA += \
-+      rules/55-udev-smack-default.rules
-+endif
-+
- dist_udevhwdb_DATA = \
-       hwdb/20-pci-vendor-model.hwdb \
-       hwdb/20-pci-classes.hwdb \
-diff --git a/rules/55-udev-smack-default.rules b/rules/55-udev-smack-default.rules
-new file mode 100644
-index 0000000..3829019
---- /dev/null
-+++ b/rules/55-udev-smack-default.rules
-@@ -0,0 +1,23 @@
-+# do not edit this file, it will be overwritten on update
-+
-+KERNEL=="null", SECLABEL{smack}="*"
-+KERNEL=="zero", SECLABEL{smack}="*"
-+KERNEL=="console", SECLABEL{smack}="*"
-+KERNEL=="kmsg", SECLABEL{smack}="*"
-+KERNEL=="video*", SECLABEL{smack}="*"
-+KERNEL=="card*", SECLABEL{smack}="*"
-+KERNEL=="ptmx", SECLABEL{smack}="*"
-+KERNEL=="tty", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
-+SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
-+SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-+SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-+SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
-+SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
-+KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
-+SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"
--- 
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch
deleted file mode 100644 (file)
index b12caae..0000000
+++ /dev/null
@@ -1,68 +0,0 @@
-From 468ef790a7a0e53c390cec9c63090a0ae04a4d58 Mon Sep 17 00:00:00 2001
-From: Michael Demeter <michael.demeter@intel.com>
-Date: Fri, 11 Oct 2013 15:37:57 -0700
-Subject: [PATCH 4/9] tizen-smack: Handling of /dev
-
-Smack enabled systems need /dev special devices correctly labeled
-
-- Add AC_DEFINE for HAVE_SMACK to configure.ac
-- Add Check for smack in Makefile.am to include smack default rules
-- Add smack default rules to label /dev/xxx correctly for access
-
-Upstream-Status: Inappropriate [configuration]
-
-Change-Id: Iebe2e349cbedb3013abdf32edb55e9310f1d17f5
----
- Makefile.am                       |  5 +++++
- rules/55-udev-smack-default.rules | 23 +++++++++++++++++++++++
- 2 files changed, 28 insertions(+)
- create mode 100644 rules/55-udev-smack-default.rules
-
-diff --git a/Makefile.am b/Makefile.am
-index bf04d31..1a05607 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -3571,6 +3571,11 @@ dist_udevrules_DATA += \
- nodist_udevrules_DATA += \
-       rules/99-systemd.rules
-+if HAVE_SMACK
-+dist_udevrules_DATA += \
-+      rules/55-udev-smack-default.rules
-+endif
-+
- udevconfdir = $(sysconfdir)/udev
- dist_udevconf_DATA = \
-       src/udev/udev.conf
-diff --git a/rules/55-udev-smack-default.rules b/rules/55-udev-smack-default.rules
-new file mode 100644
-index 0000000..3829019
---- /dev/null
-+++ b/rules/55-udev-smack-default.rules
-@@ -0,0 +1,23 @@
-+# do not edit this file, it will be overwritten on update
-+
-+KERNEL=="null", SECLABEL{smack}="*"
-+KERNEL=="zero", SECLABEL{smack}="*"
-+KERNEL=="console", SECLABEL{smack}="*"
-+KERNEL=="kmsg", SECLABEL{smack}="*"
-+KERNEL=="video*", SECLABEL{smack}="*"
-+KERNEL=="card*", SECLABEL{smack}="*"
-+KERNEL=="ptmx", SECLABEL{smack}="*"
-+KERNEL=="tty", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
-+SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
-+SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-+SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-+SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
-+SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
-+KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
-+
-+SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
-+SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"
--- 
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch
deleted file mode 100644 (file)
index 3d69bb2..0000000
+++ /dev/null
@@ -1,107 +0,0 @@
-From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001
-From: Casey Schaufler <casey@schaufler-ca.com>
-Date: Fri, 8 Nov 2013 09:42:26 -0800
-Subject: [PATCH 5/9] tizen-smack: Handling network
-
-- Set Smack ambient to match run label
-- Set Smack netlabel host rules
-
-Set Smack ambient to match run label
-------------------------------------
-Set the Smack networking ambient label to match the
-run label of systemd. System services may expect to
-communicate with external services over IP. Setting
-the ambient label assigns that label to IP packets
-that do not include CIPSO headers. This allows systemd
-and the services it spawns access to unlabeled IP
-packets, and hence external services.
-
-A system may choose to restrict network access to
-particular services later in the startup process.
-This is easily done by resetting the ambient label
-elsewhere.
-
-Set Smack netlabel host rules
------------------------------
-If SMACK_RUN_LABEL is defined set all other hosts to be
-single label hosts at the specified label. Set the loopback
-address to be a CIPSO host.
-
-If any netlabel host rules are defined in /etc/smack/netlabel.d
-install them into the smackfs netlabel interface.
-
-Upstream-Status: Pending
-
----
- src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++-
- 1 file changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
-index 59f6832..33dc1ca 100644
---- a/src/core/smack-setup.c
-+++ b/src/core/smack-setup.c
-@@ -42,6 +42,7 @@
- #define SMACK_CONFIG "/etc/smack/accesses.d/"
- #define CIPSO_CONFIG "/etc/smack/cipso.d/"
-+#define NETLABEL_CONFIG "/etc/smack/netlabel.d/"
- #ifdef HAVE_SMACK
-@@ -146,6 +147,19 @@ int smack_setup(bool *loaded_policy) {
-         if (r)
-                 log_warning("Failed to set SMACK label \"%s\" on self: %s",
-                             SMACK_RUN_LABEL, strerror(-r));
-+        r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL);
-+        if (r)
-+                log_warning("Failed to set SMACK ambient label \"%s\": %s",
-+                            SMACK_RUN_LABEL, strerror(-r));
-+        r = write_string_file("/sys/fs/smackfs/netlabel",
-+                            "0.0.0.0/0 " SMACK_RUN_LABEL);
-+        if (r)
-+                log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+                            "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r));
-+        r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO");
-+        if (r)
-+                log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+                            "127.0.0.1 -CIPSO", strerror(-r));
- #endif
-         r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
-@@ -155,14 +169,31 @@ int smack_setup(bool *loaded_policy) {
-                 return 0;
-         case ENOENT:
-                 log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
--                return 0;
-+                break;
-         case 0:
-                 log_info("Successfully loaded Smack/CIPSO policies.");
--                return 0;
-+                break;
-         default:
-                 log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
-                             strerror(abs(r)));
-+                break;
-+        }
-+
-+        r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG);
-+        switch(r) {
-+        case -ENOENT:
-+                log_debug("Smack/CIPSO is not enabled in the kernel.");
-                 return 0;
-+        case ENOENT:
-+                log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found");
-+                break;
-+        case 0:
-+                log_info("Successfully loaded Smack network host rules.");
-+                break;
-+        default:
-+                log_warning("Failed to load Smack network host rules: %s, ignoring.",
-+                            strerror(abs(r)));
-+                break;
-         }
-         *loaded_policy = true;
--- 
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch
deleted file mode 100644 (file)
index d5678f2..0000000
+++ /dev/null
@@ -1,191 +0,0 @@
-From 513a8d943538643fabf0d31f1eed261677dfbddc Mon Sep 17 00:00:00 2001
-From: Casey Schaufler <casey@schaufler-ca.com>
-Date: Fri, 8 Nov 2013 09:42:26 -0800
-Subject: [PATCH] tizen-smack: Handling network
-
-- Set Smack ambient to match run label
-- Set Smack netlabel host rules
-
-Set Smack ambient to match run label
-------------------------------------
-Set the Smack networking ambient label to match the
-run label of systemd. System services may expect to
-communicate with external services over IP. Setting
-the ambient label assigns that label to IP packets
-that do not include CIPSO headers. This allows systemd
-and the services it spawns access to unlabeled IP
-packets, and hence external services.
-
-A system may choose to restrict network access to
-particular services later in the startup process.
-This is easily done by resetting the ambient label
-elsewhere.
-
-Set Smack netlabel host rules
------------------------------
-If SMACK_RUN_LABEL is defined set all other hosts to be
-single label hosts at the specified label. Set the loopback
-address to be a CIPSO host.
-
-If any netlabel host rules are defined in /etc/smack/netlabel.d
-install them into the smackfs netlabel interface.
-
-[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"]
-[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"]
-
-Upstream-Status: Pending
----
- src/core/smack-setup.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 106 insertions(+), 3 deletions(-)
-
-diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
-index cbe7d0b..b384aa0 100644
---- a/src/core/smack-setup.c
-+++ b/src/core/smack-setup.c
-@@ -34,6 +34,9 @@
- #include "fileio.h"
- #include "log.h"
-+#define CIPSO_CONFIG "/etc/smack/cipso.d/"
-+#define NETLABEL_CONFIG "/etc/smack/netlabel.d/"
-+
- #ifdef HAVE_SMACK
- static int write_access2_rules(const char* srcdir) {
-@@ -193,6 +196,76 @@ static int write_cipso2_rules(const char* srcdir) {
-         return r;
- }
-+static int write_netlabel_rules(const char* srcdir) {
-+        _cleanup_fclose_ FILE *dst = NULL;
-+        _cleanup_closedir_ DIR *dir = NULL;
-+        struct dirent *entry;
-+        char buf[NAME_MAX];
-+        int dfd = -1;
-+        int r = 0;
-+        static const char dstpath[] = "/sys/fs/smackfs/netlabel";
-+
-+        dst = fopen(dstpath, "we");
-+        if (!dst)  {
-+                if (errno != ENOENT)
-+                        log_warning_errno(errno, "Failed to open %s: %m", dstpath);
-+                return -errno; /* negative error */
-+        }
-+
-+        /* write rules to dst from every file in the directory */
-+        dir = opendir(srcdir);
-+        if (!dir) {
-+                if (errno != ENOENT)
-+                        log_warning_errno(errno, "Failed to opendir %s: %m", srcdir);
-+                return errno; /* positive on purpose */
-+        }
-+
-+        dfd = dirfd(dir);
-+        assert(dfd >= 0);
-+
-+        FOREACH_DIRENT(entry, dir, return 0) {
-+                int fd;
-+                _cleanup_fclose_ FILE *policy = NULL;
-+
-+                fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
-+                if (fd < 0) {
-+                        if (r == 0)
-+                                r = -errno;
-+                        log_warning_errno(errno, "Failed to open %s: %m", entry->d_name);
-+                        continue;
-+                }
-+
-+                policy = fdopen(fd, "re");
-+                if (!policy) {
-+                        if (r == 0)
-+                                r = -errno;
-+                        safe_close(fd);
-+                        log_error_errno(errno, "Failed to open %s: %m", entry->d_name);
-+                        continue;
-+                }
-+
-+                /* load2 write rules in the kernel require a line buffered stream */
-+                FOREACH_LINE(buf, policy,
-+                             log_error_errno(errno, "Failed to read line from %s: %m",
-+                                       entry->d_name)) {
-+                        if (!fputs(buf, dst)) {
-+                                if (r == 0)
-+                                        r = -EINVAL;
-+                                log_error("Failed to write line to %s", dstpath);
-+                                break;
-+                        }
-+                        if (fflush(dst)) {
-+                                if (r == 0)
-+                                        r = -errno;
-+                                log_error_errno(errno, "Failed to flush writes to %s: %m", dstpath);
-+                                break;
-+                        }
-+                }
-+        }
-+
-+       return r;
-+}
-+
- #endif
- int mac_smack_setup(bool *loaded_policy) {
-@@ -225,23 +298,53 @@ int mac_smack_setup(bool *loaded_policy) {
-         if (r)
-                 log_warning("Failed to set SMACK label \"%s\" on self: %s",
-                             SMACK_RUN_LABEL, strerror(-r));
-+        r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, 0);
-+        if (r)
-+                log_warning("Failed to set SMACK ambient label \"%s\": %s",
-+                            SMACK_RUN_LABEL, strerror(-r));
-+        r = write_string_file("/sys/fs/smackfs/netlabel",
-+                              "0.0.0.0/0 " SMACK_RUN_LABEL, 0);
-+        if (r)
-+                log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+                            "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r));
-+        r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", 0);
-+        if (r)
-+                log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+                            "127.0.0.1 -CIPSO", strerror(-r));
- #endif
--        r = write_cipso2_rules("/etc/smack/cipso.d/");
-+        r = write_cipso2_rules(CIPSO_CONFIG);
-         switch(r) {
-         case -ENOENT:
-                 log_debug("Smack/CIPSO is not enabled in the kernel.");
-                 return 0;
-         case ENOENT:
--                log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found");
--                return 0;
-+                log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
-+                break;
-         case 0:
-                 log_info("Successfully loaded Smack/CIPSO policies.");
-                 break;
-         default:
-                 log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
-                             strerror(abs(r)));
-+                break;
-+        }
-+
-+        r = write_netlabel_rules(NETLABEL_CONFIG);
-+        switch(r) {
-+        case -ENOENT:
-+                log_debug("Smack/CIPSO is not enabled in the kernel.");
-                 return 0;
-+        case ENOENT:
-+                log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found");
-+                break;
-+        case 0:
-+                log_info("Successfully loaded Smack network host rules.");
-+                break;
-+        default:
-+                log_warning("Failed to load Smack network host rules: %s, ignoring.",
-+                            strerror(abs(r)));
-+                break;
-         }
-         *loaded_policy = true;
--- 
-2.1.4
-
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch
deleted file mode 100644 (file)
index bc6b97c..0000000
+++ /dev/null
@@ -1,179 +0,0 @@
-From e714327016fb65a0bf977588efaecbaf41ac3cfc Mon Sep 17 00:00:00 2001
-From: Casey Schaufler <casey@schaufler-ca.com>
-Date: Fri, 8 Nov 2013 09:42:26 -0800
-Subject: [PATCH 4/6] tizen-smack: Handling network
-
-- Set Smack ambient to match run label
-- Set Smack netlabel host rules
-
-Set Smack ambient to match run label
-------------------------------------
-Set the Smack networking ambient label to match the
-run label of systemd. System services may expect to
-communicate with external services over IP. Setting
-the ambient label assigns that label to IP packets
-that do not include CIPSO headers. This allows systemd
-and the services it spawns access to unlabeled IP
-packets, and hence external services.
-
-A system may choose to restrict network access to
-particular services later in the startup process.
-This is easily done by resetting the ambient label
-elsewhere.
-
-Set Smack netlabel host rules
------------------------------
-If SMACK_RUN_LABEL is defined set all other hosts to be
-single label hosts at the specified label. Set the loopback
-address to be a CIPSO host.
-
-If any netlabel host rules are defined in /etc/smack/netlabel.d
-install them into the smackfs netlabel interface.
-
-[Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf]
-[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"]
-[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"]
-[Patrick Ohly: adapted to upstream code review feedback: error logging, string constants]
-
-Upstream-Status: Accepted [https://github.com/systemd/systemd/pull/2262]
-
-%% original patch: 0005-tizen-smack-Handling-network-v225.patch
----
- src/core/smack-setup.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 98 insertions(+), 3 deletions(-)
-
-diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
-index 0661ff9..c9374ca 100644
---- a/src/core/smack-setup.c
-+++ b/src/core/smack-setup.c
-@@ -197,6 +197,75 @@ static int write_cipso2_rules(const char* srcdir) {
-         return r;
- }
-+static int write_netlabel_rules(const char* srcdir) {
-+        _cleanup_fclose_ FILE *dst = NULL;
-+        _cleanup_closedir_ DIR *dir = NULL;
-+        struct dirent *entry;
-+        char buf[NAME_MAX];
-+        int dfd = -1;
-+        int r = 0;
-+
-+        dst = fopen("/sys/fs/smackfs/netlabel", "we");
-+        if (!dst)  {
-+                if (errno != ENOENT)
-+                        log_warning_errno(errno, "Failed to open /sys/fs/smackfs/netlabel: %m");
-+                return -errno; /* negative error */
-+        }
-+
-+        /* write rules to dst from every file in the directory */
-+        dir = opendir(srcdir);
-+        if (!dir) {
-+                if (errno != ENOENT)
-+                        log_warning_errno(errno, "Failed to opendir %s: %m", srcdir);
-+                return errno; /* positive on purpose */
-+        }
-+
-+        dfd = dirfd(dir);
-+        assert(dfd >= 0);
-+
-+        FOREACH_DIRENT(entry, dir, return 0) {
-+                int fd;
-+                _cleanup_fclose_ FILE *policy = NULL;
-+
-+                fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
-+                if (fd < 0) {
-+                        if (r == 0)
-+                                r = -errno;
-+                        log_warning_errno(errno, "Failed to open %s: %m", entry->d_name);
-+                        continue;
-+                }
-+
-+                policy = fdopen(fd, "re");
-+                if (!policy) {
-+                        if (r == 0)
-+                                r = -errno;
-+                        safe_close(fd);
-+                        log_error_errno(errno, "Failed to open %s: %m", entry->d_name);
-+                        continue;
-+                }
-+
-+                /* load2 write rules in the kernel require a line buffered stream */
-+                FOREACH_LINE(buf, policy,
-+                             log_error_errno(errno, "Failed to read line from %s: %m",
-+                                       entry->d_name)) {
-+                        if (!fputs(buf, dst)) {
-+                                if (r == 0)
-+                                        r = -EINVAL;
-+                                log_error_errno(errno, "Failed to write line to /sys/fs/smackfs/netlabel");
-+                                break;
-+                        }
-+                        if (fflush(dst)) {
-+                                if (r == 0)
-+                                        r = -errno;
-+                                log_error_errno(errno, "Failed to flush writes to /sys/fs/smackfs/netlabel: %m");
-+                                break;
-+                        }
-+                }
-+        }
-+
-+       return r;
-+}
-+
- #endif
- int mac_smack_setup(bool *loaded_policy) {
-@@ -225,8 +294,18 @@ int mac_smack_setup(bool *loaded_policy) {
- #ifdef SMACK_RUN_LABEL
-         r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, 0);
--        if (r)
--                log_warning_errno(r, "Failed to set SMACK label \"%s\" on self: %m", SMACK_RUN_LABEL);
-+        if (r < 0)
-+                log_warning_errno(r, "Failed to set SMACK label \"" SMACK_RUN_LABEL "\" on self: %m");
-+        r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, 0);
-+        if (r < 0)
-+                log_warning_errno(r, "Failed to set SMACK ambient label \"" SMACK_RUN_LABEL "\": %m");
-+        r = write_string_file("/sys/fs/smackfs/netlabel",
-+                              "0.0.0.0/0 " SMACK_RUN_LABEL, 0);
-+        if (r < 0)
-+                log_warning_errno(r, "Failed to set SMACK netlabel rule \"0.0.0.0/0 " SMACK_RUN_LABEL "\": %m");
-+        r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", 0);
-+        if (r < 0)
-+                log_warning_errno(r, "Failed to set SMACK netlabel rule \"127.0.0.1 -CIPSO\": %m");
- #endif
-         r = write_cipso2_rules("/etc/smack/cipso.d/");
-@@ -236,13 +315,29 @@ int mac_smack_setup(bool *loaded_policy) {
-                 return 0;
-         case ENOENT:
-                 log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found");
--                return 0;
-+                break;
-         case 0:
-                 log_info("Successfully loaded Smack/CIPSO policies.");
-                 break;
-         default:
-                 log_warning_errno(r, "Failed to load Smack/CIPSO access rules, ignoring: %m");
-+                break;
-+        }
-+
-+        r = write_netlabel_rules("/etc/smack/netlabel.d/");
-+        switch(r) {
-+        case -ENOENT:
-+                log_debug("Smack/CIPSO is not enabled in the kernel.");
-                 return 0;
-+        case ENOENT:
-+                log_debug("Smack network host rules directory '/etc/smack/netlabel.d/' not found");
-+                break;
-+        case 0:
-+                log_info("Successfully loaded Smack network host rules.");
-+                break;
-+        default:
-+                log_warning_errno(r, "Failed to load Smack network host rules: %m, ignoring.");
-+                break;
-         }
-         *loaded_policy = true;
--- 
-2.1.4
-
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch
deleted file mode 100644 (file)
index cd6a3c9..0000000
+++ /dev/null
@@ -1,106 +0,0 @@
-From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001
-From: Casey Schaufler <casey@schaufler-ca.com>
-Date: Fri, 8 Nov 2013 09:42:26 -0800
-Subject: [PATCH 5/9] tizen-smack: Handling network
-
-- Set Smack ambient to match run label
-- Set Smack netlabel host rules
-
-Set Smack ambient to match run label
-------------------------------------
-Set the Smack networking ambient label to match the
-run label of systemd. System services may expect to
-communicate with external services over IP. Setting
-the ambient label assigns that label to IP packets
-that do not include CIPSO headers. This allows systemd
-and the services it spawns access to unlabeled IP
-packets, and hence external services.
-
-A system may choose to restrict network access to
-particular services later in the startup process.
-This is easily done by resetting the ambient label
-elsewhere.
-
-Set Smack netlabel host rules
------------------------------
-If SMACK_RUN_LABEL is defined set all other hosts to be
-single label hosts at the specified label. Set the loopback
-address to be a CIPSO host.
-
-If any netlabel host rules are defined in /etc/smack/netlabel.d
-install them into the smackfs netlabel interface.
-
-Upstream-Status: Pending
-
----
- src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++-
- 1 file changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
-index 59f6832..33dc1ca 100644
---- a/src/core/smack-setup.c
-+++ b/src/core/smack-setup.c
-@@ -42,6 +42,7 @@
- #define SMACK_CONFIG "/etc/smack/accesses.d/"
- #define CIPSO_CONFIG "/etc/smack/cipso.d/"
-+#define NETLABEL_CONFIG "/etc/smack/netlabel.d/"
- #ifdef HAVE_SMACK
-@@ -146,6 +147,19 @@ int mac_smack_setup(bool *loaded_policy) {
-         if (r)
-                 log_warning("Failed to set SMACK label \"%s\" on self: %s",
-                             SMACK_RUN_LABEL, strerror(-r));
-+        r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL);
-+        if (r)
-+                log_warning("Failed to set SMACK ambient label \"%s\": %s",
-+                            SMACK_RUN_LABEL, strerror(-r));
-+        r = write_string_file("/sys/fs/smackfs/netlabel",
-+                            "0.0.0.0/0 " SMACK_RUN_LABEL);
-+        if (r)
-+                log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+                            "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r));
-+        r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO");
-+        if (r)
-+                log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
-+                            "127.0.0.1 -CIPSO", strerror(-r));
- #endif
-         r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
-@@ -155,14 +169,31 @@ int mac_smack_setup(bool *loaded_policy) {
-                 return 0;
-         case ENOENT:
-                 log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
--                return 0;
-+                break;
-         case 0:
-                 log_info("Successfully loaded Smack/CIPSO policies.");
-                 break;
-         default:
-                 log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
-                             strerror(abs(r)));
-+                break;
-+        }
-+
-+        r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG);
-+        switch(r) {
-+        case -ENOENT:
-+                log_debug("Smack/CIPSO is not enabled in the kernel.");
-                 return 0;
-+        case ENOENT:
-+                log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found");
-+                break;
-+        case 0:
-+                log_info("Successfully loaded Smack network host rules.");
-+                break;
-+        default:
-+                log_warning("Failed to load Smack network host rules: %s, ignoring.",
-+                            strerror(abs(r)));
-+                break;
-         }
-         *loaded_policy = true;
--- 
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch
deleted file mode 100644 (file)
index dd2c654..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001
-From: Casey Schaufler <casey@schaufler-ca.com>
-Date: Thu, 19 Dec 2013 16:49:28 -0800
-Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^
-
-Run systemd-journald with the hat ("^") Smack label.
-
-The journal daemon needs global read access to gather information
-about the services spawned by systemd. The hat label is intended
-for this purpose. The journal daemon is the only part of the
-System domain that needs read access to the User domain. Giving
-the journal daemon the hat label means that we can remove the
-System domain's read access to the User domain.
-
-Upstream-Status: Inappropriate [configuration]
-
-Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370
-Signed-off-by: Casey Schaufler <casey.schaufler@intel.com>
----
- units/systemd-journald.service.in | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
-index a3540c6..745dd84 100644
---- a/units/systemd-journald.service.in
-+++ b/units/systemd-journald.service.in
-@@ -20,8 +20,10 @@ Restart=always
- RestartSec=0
- NotifyAccess=all
- StandardOutput=null
-+SmackProcessLabel=^
--CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
-+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
- WatchdogSec=1min
-+FileDescriptorStoreMax=1024
- # Increase the default a bit in order to allow many simultaneous
- # services being run since we keep one fd open per service.
--- 
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch
deleted file mode 100644 (file)
index 27a9d0b..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001
-From: Casey Schaufler <casey@schaufler-ca.com>
-Date: Thu, 19 Dec 2013 16:49:28 -0800
-Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^
-
-Run systemd-journald with the hat ("^") Smack label.
-
-The journal daemon needs global read access to gather information
-about the services spawned by systemd. The hat label is intended
-for this purpose. The journal daemon is the only part of the
-System domain that needs read access to the User domain. Giving
-the journal daemon the hat label means that we can remove the
-System domain's read access to the User domain.
-
-Upstream-Status: Inappropriate [configuration]
-
-Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370
-Signed-off-by: Casey Schaufler <casey.schaufler@intel.com>
----
- units/systemd-journald.service.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
-index a3540c6..745dd84 100644
---- a/units/systemd-journald.service.in
-+++ b/units/systemd-journald.service.in
-@@ -21,6 +21,7 @@ Restart=always
- RestartSec=0
- NotifyAccess=all
- StandardOutput=null
-+SmackProcessLabel=^
- CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
- WatchdogSec=1min
- FileDescriptorStoreMax=1024
--- 
-1.8.4.5
-
diff --git a/meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch b/meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch
deleted file mode 100644 (file)
index 5a1baef..0000000
+++ /dev/null
@@ -1,58 +0,0 @@
-From fd84be63d15fc94c1f396979c67e070c6cd7451b Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Mon, 21 Dec 2015 14:56:00 +0100
-Subject: [PATCH] mount-setup.c: fix handling of symlink Smack labelling in
- cgroup setup
-
-The code introduced in f8c1a81c51 (= systemd 227) failed for me with:
-  Failed to copy smack label from net_cls to /sys/fs/cgroup/net_cls: No such file or directory
-
-There is no need for a symlink in this case because source and target
-are identical. The symlink() call is allowed to fail when the target
-already exists. When that happens, copying the Smack label must be
-skipped.
-
-But the code also failed when there is a symlink, like "cpu ->
-cpu,cpuacct", because mac_smack_copy() got called with
-src="cpu,cpuacct" which fails to find the entry because the current
-directory is not inside /sys/fs/cgroup. The absolute path to the existing
-entry must be used instead.
-
-Upstream-Status: Accepted [https://github.com/systemd/systemd/pull/2205]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- src/core/mount-setup.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
-index 2b8d590..d73b319 100644
---- a/src/core/mount-setup.c
-+++ b/src/core/mount-setup.c
-@@ -304,13 +304,18 @@ int mount_cgroup_controllers(char ***join_controllers) {
-                                         return log_oom();
-                                 r = symlink(options, t);
--                                if (r < 0 && errno != EEXIST)
--                                        return log_error_errno(errno, "Failed to create symlink %s: %m", t);
-+                                if (r >= 0) {
- #ifdef SMACK_RUN_LABEL
--                                r = mac_smack_copy(t, options);
--                                if (r < 0 && r != -EOPNOTSUPP)
--                                        return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", options, t);
-+                                        _cleanup_free_ char *src;
-+                                        src = strappend("/sys/fs/cgroup/", options);
-+                                        if (!src)
-+                                                return log_oom();
-+                                        r = mac_smack_copy(t, src);
-+                                        if (r < 0 && r != -EOPNOTSUPP)
-+                                                return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", src, t);
- #endif
-+                                } else if (errno != EEXIST)
-+                                        return log_error_errno(errno, "Failed to create symlink %s: %m", t);
-                         }
-                 }
-         }
--- 
-2.1.4
-
index 4bbc8aa..79753a2 100644 (file)
@@ -1,57 +1,22 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 
-SYSTEMD_SMACK_PATCHES_216 = " \
-file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch \
-file://0004-tizen-smack-Handling-of-dev-v216.patch \
-file://0005-tizen-smack-Handling-network-v216.patch \
-file://0007-tizen-smack-Runs-systemd-journald-with-v216.patch \
-"
-
-SYSTEMD_SMACK_PATCHES_219 = " \
-file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \
-file://0004-tizen-smack-Handling-of-dev.patch \
-file://0005-tizen-smack-Handling-network.patch \
-file://0007-tizen-smack-Runs-systemd-journald-with.patch \
-"
-SYSTEMD_SMACK_PATCHES_225 = " \
-file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \
-file://0004-tizen-smack-Handling-of-dev.patch \
-file://0005-tizen-smack-Handling-network-v225.patch \
-file://0007-tizen-smack-Runs-systemd-journald-with.patch \
-"
-
-SYSTEMD_SMACK_PATCHES_228 = " \
-file://0005-tizen-smack-Handling-network-v228.patch \
-file://mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch \
-"
-
-SYSTEMD_SMACK_PATCHES_234 = " \
-file://0001-Switch-Smack-label-earlier.patch \
+##################################################################################
+# What follows is temporary.
+# This patch is still needed for systemd 234 but is normally upstreamed
+# and thus should be removed in later versions.
+##################################################################################
+SRC_URI_append_with-lsm-smack = "\
+    file://0001-Switch-Smack-label-earlier.patch \
 "
 
-# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally
-# because systemd panics when booted without Smack support:
-# systemd[1]: Cannot determine cgroup we are running in: No such file or directory
-# systemd[1]: Failed to allocate manager object: No such file or directory
-# [!!!!!!] Failed to allocate manager object, freezing.
-#
-# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network.
-# We use the beginning of PV (unexpanded here to prevent a cyclic dependency
-# during resolution apparently caused by ${SRCPV}) to pick the right set of
-# patches.
-#
-# Patches are optional. Hopefully we won't need any for systemd >= 229.
-SRC_URI_append_with-lsm-smack = " ${SYSTEMD_SMACK_PATCHES_234}"
-
-# A workaround for a missing space in a SRC_URI_append in a private layer elsewhere:
-SRC_URI += ""
-
 # Ensures systemd runs with label "System"
 EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System"
 
+##################################################################################
 # Maintaining trivial, non-upstreamable configuration changes as patches
 # is tedious. But in same cases (like early mounting of special directories)
 # the configuration has to be in code. We make these changes here directly.
+##################################################################################
 do_patch[prefuncs] += "patch_systemd"
 do_patch[vardeps] += "patch_systemd"
 patch_systemd() {
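Review bot: The new "What follows is temporary" comment above `SRC_URI_append_with-lsm-smack` says the patch "is normally upstreamed" but names neither the upstream change nor the systemd release that contains it, so whoever bumps the recipe cannot check when `0001-Switch-Smack-label-earlier.patch` can be dropped. The removed patch files visible in this commit each carry an `Upstream-Status:` line, and the same traceability is worth keeping in the recipe for a patch that touches PID 1's Smack setup, for example `# Drop when systemd >= <first release with the upstream commit> (upstream: <commit or PR reference>)`. The deleted comment also recorded why the Smack patches sat behind the `with-lsm-smack` override (systemd froze at boot without Smack support). If that constraint still applies to the remaining patch, a one-line reminder would keep the append from being made unconditional later. `patch_systemd()` starts on the last line of the hunk and its body is outside it.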