author | William Douglas <william.douglas@intel.com> | 2013-06-27 17:30:50 -0700 |
---|---|---|
committer | William Douglas <william.douglas@intel.com> | 2013-06-27 17:38:21 -0700 |
commit | 506902a98b3682fe91eb44666584c5c627a0f7dc (patch) | |
tree | d2f0929372b85423acd24b0af16570ae93024f5b | |
parent | c8557ee8517a64a0bc91c630287f1ff1448a13d7 (diff) | |
Clean up udev and Smack rules
Smack rules for device nodes should be applied in the udev package.
Security team should audit the permissions for device nodes that
need to be changed and that were being kept in this package (but again,
this should be done in the udev package, as there was a broad grouping of
devices that may even conflict with default udev rules).
This change is likely a breaking change and will need corresponding
changes to other packages (including udev rules and manifest).
Change-Id: I509035ace21163e24231e825f44a9f96a988c47e
Signed-off-by: William Douglas <william.douglas@intel.com>
-rw-r--r-- | CMakeLists.txt | 2 | ||||
-rwxr-xr-x | device-node.sh | 35 | ||||
-rw-r--r-- | packaging/libdevice-node.manifest | 26 | ||||
-rw-r--r-- | packaging/libdevice-node.spec | 14 | ||||
-rw-r--r-- | packaging/smack-device-labeling.service | 13 | ||||
-rwxr-xr-x | smack_device_labeling | 14 | ||||
-rw-r--r-- | udev/rules.d/51-devices-priv.rules | 28 | ||||
-rw-r--r-- | udev/rules.d/95-devices.rules | 67 |
8 files changed, 4 insertions, 195 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 70705b4..6c7b887 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -46,5 +46,3 @@ INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/devman_plugin.pc DESTINATION ${LIB_INS
 FOREACH(hfile ${HEADERS})
 INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/${hfile} DESTINATION include/${PROJECT_NAME})
 ENDFOREACH(hfile)
-
-INSTALL(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/udev/ DESTINATION lib/udev)
diff --git a/device-node.sh b/device-node.sh
deleted file mode 100755
index 74d324b..0000000
--- a/device-node.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/sh
-
-do_start () {
- # If setting for device is needed, do here
-}
-
-## for setting default brightness
-set_display () {
- BL_BRT=
- for file in /sys/class/backlight/*; do
- # echo $file
- if [ -e $file ]; then
- BL_BRT=$file/brightness
- break
- fi
- done
- /bin/echo `/usr/bin/vconftool get db/setting/Brightness | /usr/bin/awk '{print $4}'` > $BL_BRT
- /bin/echo 0 > /sys/class/leds/leds-torch/brightness
-}
-
-case "$1" in
- start)
- do_start
- ;;
- display)
- set_display
- ;;
- *)
- echo "Usage: $0 start | display"
- exit 1
-
-esac
-
-exit 0
-
diff --git a/packaging/libdevice-node.manifest b/packaging/libdevice-node.manifest
index 60aaa98..017d22d 100644
--- a/packaging/libdevice-node.manifest
+++ b/packaging/libdevice-node.manifest
@@ -1,25 +1,5 @@
 <manifest>
- <define>
- <domain name="device"/>
- <provide>
- <label name="device::camera"/>
- <label name="device::app_logging"/>
- <label name="device::sys_logging"/>
- <label name="device::audio"/>
- <label name="device::recording"/>
- <label name="device::hwcodec"/>
- <label name="device::video"/>
- <label name="device::radio"/>
- <label name="device::bklight"/>
- <label name="device::led"/>
- <label name="device::mdnie"/>
- <label name="device::dialout"/>
- <label name="device::printer"/>
- <label name="device::nfc"/>
- <label name="device::hall"/>
- </provide>
- </define>
- <request>
- <domain name="_"/>
- </request>
+ <request>
+ <domain name="_"/>
+ </request>
 </manifest>
diff --git a/packaging/libdevice-node.spec b/packaging/libdevice-node.spec
index 0d2b5bf..b0a7794 100644
--- a/packaging/libdevice-node.spec
+++ b/packaging/libdevice-node.spec
@@ -2,11 +2,10 @@ Name: libdevice-node
 Summary: Library to control OAL APIs
 Version: 0.1.0
 Release: 1
-Group: System/Libraries
+Group: Application Framework/Libraries
 License: Apache-2.0
 Source0: %{name}-%{version}.tar.gz
 Source1: %{name}.manifest
-Source2: smack-device-labeling.service
 BuildRequires: cmake
 BuildRequires: pkgconfig(vconf)
 BuildRequires: pkgconfig(dlog)
@@ -16,7 +15,6 @@ development package of library to control OAL APIs
 %package devel
 Summary: Control OAL APIs (devel)
-Group: Development/Libraries
 Requires: %{name} = %{version}-%{release}
 %description devel
@@ -33,21 +31,11 @@ make %{?jobs:-j%jobs}
 %install
 %make_install
-mkdir -p %{buildroot}%{_unitdir}/basic.target.wants
-install -m 644 %{SOURCE2} %{buildroot}%{_unitdir}/
-ln -s ../smack-device-labeling.service %{buildroot}%{_unitdir}/basic.target.wants/
-mkdir -p %{buildroot}/lib/firmware/mdnie
-
-
 %post -p /sbin/ldconfig
 %postun -p /sbin/ldconfig
 %files
 %{_libdir}/*.so.*
-%{_prefix}/lib/udev/rules.d/*
-%{_unitdir}/smack-device-labeling.service
-%{_unitdir}/basic.target.wants/smack-device-labeling.service
-/lib/firmware/mdnie
 %manifest %{name}.manifest
 %files devel
diff --git a/packaging/smack-device-labeling.service b/packaging/smack-device-labeling.service
deleted file mode 100644
index 3ae6377..0000000
--- a/packaging/smack-device-labeling.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Default SMACK labeling
-DefaultDependencies=no
-Requires=smack.service local-fs.target
-After=smack.service local-fs.target
-Before=basic.target
-
-[Service]
-Type=oneshot
-ExecStart=/etc/rc.d/init.d/smack_device_labeling
-
-[Install]
-WantedBy=basic.target
diff --git a/smack_device_labeling b/smack_device_labeling
deleted file mode 100755
index 952783e..0000000
--- a/smack_device_labeling
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-# Set device node permissions for security
-chsmack -a 'device::bklight' /sys/class/backlight/*/brightness
-chsmack -a 'device::led' /sys/class/camera/flash/rear_flash
-chsmack -a 'device::led' /sys/class/camera/flash/max_brightness
-chsmack -a 'device::mdnie' /sys/class/extension/mdnie/mode
-chsmack -a 'device::mdnie' /sys/class/extension/mdnie/scenario
-chsmack -a 'device::mdnie' /sys/class/extension/mdnie/tone
-chsmack -a 'device::mdnie' /sys/class/extension/mdnie/outdoor
-chsmack -a 'device::mdnie' /sys/class/extension/mdnie/tune
-chsmack -a 'device::haptic' /sys/class/haptic/motor/level
-chsmack -a 'device::haptic' /sys/class/haptic/motor/enable
-chsmack -a 'device::haptic' /sys/class/haptic/motor/oneshot
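Review bot: Nothing in the spec ties this upgrade to a udev build that carries replacement rules, so once the `%{_prefix}/lib/udev/rules.d/*` and `smack-device-labeling.service` entries leave `%files` in the `@@ -33,21 +31,11 @@` hunk, the group-restricted `MODE="0660"` entries and the Smack labels from the deleted files are applied by no package visible on this page. Until the companion change lands, the affected nodes presumably get whatever the default udev rules assign, which may be looser or tighter than before; the page does not show which. If the replacement rules do ship in the udev package, as the description says they should, a versioned dependency next to the `BuildRequires` lines would keep the two packages from being installed out of step, e.g. `Requires: udev >= <VERSION_WITH_DEVICE_RULES>` (placeholder version). The removal of `/lib/firmware/mdnie` in the same hunk is not mentioned in the description and leaves that directory unowned by any package shown here.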
diff --git a/udev/rules.d/51-devices-priv.rules b/udev/rules.d/51-devices-priv.rules
deleted file mode 100644
index a4b3741..0000000
--- a/udev/rules.d/51-devices-priv.rules
+++ /dev/null
@@ -1,28 +0,0 @@
-# this part is extracted from 50-udev-default.rules file only to add smack label
-
-SUBSYSTEM=="tty", KERNEL=="ptmx", SMACK="*"
-SUBSYSTEM=="tty", KERNEL=="tty", SMACK="*"
-SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", SMACK="*"
-SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", SMACK="*"
-
-# serial
-KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", SMACK="*"
-
-# video4linux
-SUBSYSTEM=="video4linux", SMACK="*"
-
-# graphics
-SUBSYSTEM=="drm", MODE="0666", SMACK="*"
-
-# 'libusb' device nodes
-SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", SMACK="*"
-
-KERNEL=="fuse", SMACK="*"
-
-# this part is high priority udev rules
-
-KERNEL=="null|zero|full|random|urandom", SMACK="*"
-KERNEL=="uinput", MODE="0666", SMACK="*"
-KERNEL=="ump", MODE="0666", SMACK="*"
-KERNEL=="mali", MODE="0666", SMACK="*"
-KERNEL=="slp_global_lock", MODE="0666", SMACK="*"
diff --git a/udev/rules.d/95-devices.rules b/udev/rules.d/95-devices.rules
deleted file mode 100644
index 36b9860..0000000
--- a/udev/rules.d/95-devices.rules
+++ /dev/null
@@ -1,67 +0,0 @@
-ACTION=="remove", GOTO="devices_end"
-
-KERNEL=="fb[0-9]", MODE="0660", GROUP="video", SMACK="_"
-KERNEL=="s3c-mem", MODE="0660", GROUP="video", SMACK="_"
-KERNEL=="umts_csd", MODE="0660", GROUP="video_tel", SMACK="*"
-KERNEL=="s3c-jpeg", MODE="0660", GROUP="camera", SMACK="_"
-KERNEL=="s5p-jpeg", MODE="0660", GROUP="camera", SMACK="_"
-KERNEL=="s3c-jpg", MODE="0660", GROUP="camera", SMACK="_"
-KERNEL=="srp", MODE="0660", GROUP="hwcodec", SMACK="*"
-KERNEL=="s3c-mfc", MODE="0660", GROUP="hwcodec", SMACK="_"
-KERNEL=="s5p-mfc", MODE="0660", GROUP="hwcodec", SMACK="*"
-KERNEL=="radio[0-9]", MODE="0660", GROUP="radio", SMACK="_"
-KERNEL=="pcmC[0-9]D[0-9]c", MODE="0660", GROUP="recording", SMACK="_"
-KERNEL=="pcmC[0-9]D[0-9]p", MODE="0660", GROUP="audio", SMACK="_"
-KERNEL=="controlC[0-9]", MODE="0660", GROUP="audio", SMACK="_"
-KERNEL=="timer", SUBSYSTEM=="sound", MODE="0660", GROUP="audio", SMACK="_"
-
-KERNEL=="log_main", MODE="0660", GROUP="app_logging", SMACK="_"
-KERNEL=="log_events", MODE="0660", GROUP="app_logging", SMACK="_"
-KERNEL=="log_radio", MODE="0660", GROUP="app_logging", SMACK="_"
-KERNEL=="log_system", MODE="0660", GROUP="sys_logging", SMACK="_"
-
-KERNEL=="pvrsrvkm", MODE="0666", SMACK="*"
-KERNEL=="usb_mtp_gadget", MODE="0666", SMACK="*"
-KERNEL=="usb_accessory", MODE="0666", SMACK="*"
-
-# Marvell
-KERNEL=="uio[0-9]", MODE="0666", SMACK="*"
-
-# Brightness control
-SUBSYSTEM=="leds", ATTR{brightness}=="?*", RUN+="/bin/chmod 0664 %S/%p/brightness", RUN+="/bin/chown :system_torch %S/%p/brightness"
-SUBSYSTEM=="backlight", ATTR{brightness}=="?*", RUN+="/bin/chmod 0664 %S/%p/brightness", RUN+="/bin/chown :system_bklight %S/%p/brightness"
-
-# flash (7/16 added)
-SUBSYSTEM=="camera", RUN+="/bin/chmod 0666 %S/%p/rear_flash"
-SUBSYSTEM=="camera", RUN+="/bin/chmod 0666 %S/%p/max_brightness"
-
-# mDNIe
-DRIVER=="mdnie", RUN+="/bin/chmod 0666 %S/%p/mode"
-DRIVER=="mdnie", RUN+="/bin/chmod 0666 %S/%p/scenario"
-DRIVER=="mdnie", RUN+="/bin/chmod 0666 %S/%p/tone"
-DRIVER=="mdnie", RUN+="/bin/chmod 0666 %S/%p/outdoor"
-DRIVER=="mdnie", RUN+="/bin/chmod 0666 %S/%p/tune"
-
-# haptic
-SUBSYSTEM=="haptic", RUN+="/bin/chmod 0666 %S/%p/level"
-SUBSYSTEM=="haptic", RUN+="/bin/chmod 0666 %S/%p/enable"
-SUBSYSTEM=="haptic", RUN+="/bin/chmod 0666 %S/%p/oneshot"
-
-# Video4Linux
-SUBSYSTEM!="video4linux", GOTO="v4l_end"
-IMPORT{program}="uname_env kernel-release"
-
-KERNEL=="video0", ENV{UNAME_KERNEL_RELEASE}=="3.0.*", GROUP="camera", MODE="0660", SMACK="_", GOTO="v4l_end"
-KERNEL=="video1", ENV{UNAME_KERNEL_RELEASE}=="3.4.*", GROUP="camera", MODE="0660", SMACK="_", GOTO="v4l_end"
-KERNEL=="video3", ENV{UNAME_KERNEL_RELEASE}=="3.4.*", GROUP="camera", MODE="0660", SMACK="_", GOTO="v4l_end"
-
-# Remaining video devices
-KERNEL=="video[0-9]", MODE="0660", GROUP="video", SMACK="_"
-LABEL="v4l_end"
-
-KERNEL=="video1", GROUP="camera", MODE="0660", SMACK="_"
-KERNEL=="video[6-7]", GROUP="hwcodec", MODE="0660", SMACK="_"
-KERNEL=="video11", GROUP="hwcodec", MODE="0660", SMACK="_"
-KERNEL=="video12", GROUP="hwcodec", MODE="0660", SMACK="_"
-
-LABEL="devices_end" |