Re: Smack permissions services and files #koi #permissions

Hi Fabrizio,

I'm not sure if this topic is specifically documented but it should :).

In fact, there's no unique way of doing things. Hopefully, there are some
examples in meta-agl/meta-app-framework [1]: bluez, connman, weston ... all
those services have to be tuned in a way or another with specific SMACK rules
and/or privileges/capabilities when not running as root.

Specifically for SMACK: rules can be adjusted by calling chsmack in recipes
postinstall steps. They can also be distributed with a rules file located in
${D}${sysconfdir}/smack/accesses.d/ along with optional changes in original
service files when needed (example: do not run as root but with a dedicated
daemon user with capabilities granted in systemd service file). For devices,
also consider placing some rules in /etc/udev/rules.d with
SECLABEL{smack}="some-label" to automatically adjust SMACK labels on devices nodes.

Hope this helps!

[1]: https://git.automotivelinux.org/AGL/meta-agl/tree/meta-app-framework

Best, keep safe!
---
Stephane Desneux - CTO - IoT.bzh
stephane.desneux@xxxxxxx - www.iot.bzh

On 23/04/2021 18:09, fabrizio.didomenico@xxxxxxxxxx wrote:
> Hello everyone,
> 
> I currently have an issue regarding a custom service that should have read a
> file generated by a process.
> The file has a smack label "access=System", so the service is not able to read
> it or change its permissions.
> 
> I would be able to change file permissions at run time in order to guarantee
> safe access to these files by the apps using this custom service.
> 
> Furthermore, can someone explain how to correctly set up smack permissions for
> apps and services at compile time in Yocto recipes?
> 
> Thank you in advance
> 
> Fabrizio
> 

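The three mechanisms Stephane lists (a rules file for ${D}${sysconfdir}/smack/accesses.d/, a udev rule with SECLABEL{smack}, and a systemd unit that runs the daemon as a dedicated user with granted capabilities), staged the way a recipe's do_install would, as an added example that is not code from the thread or from meta-agl. The daemon name and label "mydaemon", the tty device match and the CAP_NET_BIND_SERVICE capability are assumptions; the rule "mydaemon System r" is what would let a service read a file labelled System.

```shell
# Added example, not from the thread or AGL: stage the artifacts the reply
# describes for a hypothetical daemon labelled "mydaemon" that must read files
# carrying the SMACK label "System". Names, labels and paths are assumptions.

# Validate one rule "<subject> <object> <access>" before it goes into accesses.d:
# labels are 1-255 chars with no whitespace, quotes or slashes and may not start
# with '-'; access is any of r w x a t l b, or '-' for no access.
smack_rule_valid() {
  for lbl in "$1" "$2"; do
    case "$lbl" in ''|-*|*[[:space:]]*|*\"*|*\'*|*/*|*\\*) return 1 ;; esac
    [ "${#lbl}" -le 255 ] || return 1
  done
  case "$3" in ''|*[!rwxatlb-]*) return 1 ;; esac
}

# Rules file destined for ${D}${sysconfdir}/smack/accesses.d/ (one rule per line).
# "mydaemon System r" is the rule that lets the service read the System-labelled file.
write_smack_rules() {            # $1 = staging root, standing in for ${D}
  dir="$1/etc/smack/accesses.d"
  mkdir -p "$dir" && : > "$dir/mydaemon" || return 1
  while read -r s o a; do
    smack_rule_valid "$s" "$o" "$a" || { echo "bad rule: $s $o $a" >&2; return 1; }
    printf '%s %s %s\n' "$s" "$o" "$a" >> "$dir/mydaemon"
  done <<EOF
mydaemon System r
System mydaemon w
EOF
}

# udev rule relabelling a device node with SECLABEL{smack}, as the reply suggests.
write_udev_rule() {
  mkdir -p "$1/etc/udev/rules.d" || return 1
  printf '%s\n' 'SUBSYSTEM=="tty", KERNEL=="ttyUSB[0-9]*", SECLABEL{smack}="mydaemon"' \
    > "$1/etc/udev/rules.d/90-mydaemon.rules"
}

# systemd drop-in for the original unit: dedicated user, its own SMACK label
# (needs systemd built with SMACK support) and only the capabilities it needs.
write_systemd_dropin() {
  mkdir -p "$1/etc/systemd/system/mydaemon.service.d" || return 1
  cat > "$1/etc/systemd/system/mydaemon.service.d/10-smack.conf" <<'EOF'
[Service]
User=mydaemon
SmackProcessLabel=mydaemon
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
EOF
}

stage_all() { write_smack_rules "$1" && write_udev_rule "$1" && write_systemd_dropin "$1"; }
if [ "${1:-}" = "--demo" ]; then stage_all "${2:-./staging}"; fi
```

Run it as `sh stage.sh --demo ./staging` to inspect the generated tree; in a recipe the same three writes would target ${D} from do_install, with the rules file listed in FILES and the drop-in shipped next to the original unit.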
