tizen: units: add 'smackfsroot=*' option into tmp.mount when SMACK is enabled

If SMACK is enabled, 'smackfsroot=*' option should be specified in
tmp.mount file since many non-root processes use /tmp for temporary
usage. If not, /tmp is labeled as '_' and smack denial occurs when
writing.

Note: The original commit has been dropped upstream and replaced with
SmackFileSystemRoot  option later renamed to SmackFileSystemRootLabel.
Alas the option didn't work properly and has been dropped too.

Change-Id: I11df1ad555f376eaf0588d35e91789c9e2b07f8d
Origin: https://github.com/systemd/systemd/commit/409c2a13fd65692c6
Signed-off-by: Sangjung Woo <sangjung.woo@samsung.com>
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>

diff --git a/units/meson.build b/units/meson.build
index 4527896..a56a51d 100644 (file)
--- a/units/meson.build
+++ b/units/meson.build
@@ -688,7 +688,7 @@ units = [
         { 'file' : 'time-sync.target' },
         { 'file' : 'timers.target' },
         {
-          'file' : 'tmp.mount',
+          'file' : 'tmp.mount.in',
           'symlinks' : ['local-fs.target.wants/'],
         },
         { 'file' : 'umount.target' },

diff --git a/units/tmp.mount b/units/tmp.mount.in
similarity index 84%
rename from units/tmp.mount
rename to units/tmp.mount.in
index 734acea..cfd866a 100644 (file)
--- a/units/tmp.mount
+++ b/units/tmp.mount.in
@@ -22,4 +22,8 @@ After=swap.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m
+{% if ENABLE_SMACK %}
+Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m,noexec,smackfsroot=*
+{% else %}
+Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m,noexec
+{% endif %}