Add NACM rules

NACM completely bypasses sysrepo permissions, so some rules need to be
set up. Now that the default shell for non-root users is netconf-cli, we
can completely forget about the sysrepo permissions, and only focus on
NACM. The default configuration for everyone is to allow reading and
disallow writing of everything. This patch changes this to allow root to
do anything and also allow the dwdm user to manipulate a subset of
installed modules.

Change-Id: Ifbb18957ba8a692b4a34ba37dba666b60819a2e6
diff --git a/package/czechlight-cfg-fs/czechlight-cfg-fs.mk b/package/czechlight-cfg-fs/czechlight-cfg-fs.mk
index aebc14b..cabfabe 100644
--- a/package/czechlight-cfg-fs/czechlight-cfg-fs.mk
+++ b/package/czechlight-cfg-fs/czechlight-cfg-fs.mk
@@ -22,6 +22,12 @@
 		$(TARGET_DIR)/sbin/init-czechlight.sh
 	$(INSTALL) -D -m 0755 $(@D)/czechlight-random-seed $(TARGET_DIR)/sbin/czechlight-random-seed
 	mkdir -p $(TARGET_DIR)/cfg
+	$(INSTALL) -D -m 0644 \
+	    --target-directory $(TARGET_DIR)/usr/lib/systemd/system/ \
+	    $(BR2_EXTERNAL_CZECHLIGHT_PATH)/package/czechlight-cfg-fs/nacm-restore.service
+	$(INSTALL) -D -m 0644 \
+	    --target-directory $(TARGET_DIR)/usr/share/yang-data/ \
+	    $(BR2_EXTERNAL_CZECHLIGHT_PATH)/package/czechlight-cfg-fs/nacm.json
 	$(ifeq ($(CZECHLIGHT_CFG_FS_PERSIST_SYSREPO),y))
 		mkdir -p $(TARGET_DIR)/usr/lib/systemd/system/multi-user.target.wants/
 		$(INSTALL) -D -m 0644 \
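Review bot: The added lines install `nacm-restore.service` into `/usr/lib/systemd/system/`, but nothing visible in this hunk enables it, and the context just below creates `multi-user.target.wants/` only when `CZECHLIGHT_CFG_FS_PERSIST_SYSREPO` is set. If the unit is not enabled or pulled in by another unit elsewhere, `nacm.json` is never loaded and the device silently stays on the NACM defaults described in the commit message. Please confirm how it is started and record it next to the install, for example `# nacm-restore.service is started via <how the unit is enabled>`. The unit file is not shown here, so it is also worth checking that it is ordered before the NETCONF server accepts sessions and that a failed restore is surfaced rather than ignored. The install recipe itself starts and ends outside this hunk.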