summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlex Kiernan <alex.kiernan@gmail.com>2020-04-23 15:12:06 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-04-26 14:00:50 +0100
commit0d201feb8dbf96d8852a3e2303ed8727effcaf2c (patch)
treeafaf8c2eb8e0265276f776e0946631179c527c60
parentc21dfbd8eabfce84fcc3afd50bf54bc8c0f57650 (diff)
downloadpoky-0d201feb8dbf96d8852a3e2303ed8727effcaf2c.tar.gz
rng-tools: Restrict rngd.service
Whilst rngd has to run as root, we can significantly constrain its permissions (network is only required if nistbeacon is enabled). (From OE-Core rev: 3ed70b755d0b60e61e0871f8b0cca2e2ab5e13f9) Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-support/rng-tools/rng-tools/rngd.service19
-rw-r--r--meta/recipes-support/rng-tools/rng-tools_6.9.bb7
2 files changed, 26 insertions, 0 deletions
diff --git a/meta/recipes-support/rng-tools/rng-tools/rngd.service b/meta/recipes-support/rng-tools/rng-tools/rngd.service
index 084322ac40..0559b97991 100644
--- a/meta/recipes-support/rng-tools/rng-tools/rngd.service
+++ b/meta/recipes-support/rng-tools/rng-tools/rngd.service
@@ -8,6 +8,25 @@ Conflicts=shutdown.target
8[Service] 8[Service]
9EnvironmentFile=-@SYSCONFDIR@/default/rng-tools 9EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
10ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS 10ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
11CapabilityBoundingSet=CAP_SYS_ADMIN
12IPAddressDeny=any
13LockPersonality=yes
14MemoryDenyWriteExecute=yes
15NoNewPrivileges=yes
16PrivateTmp=yes
17ProtectControlGroups=yes
18ProtectHome=yes
19ProtectHostname=yes
20ProtectKernelModules=yes
21ProtectKernelLogs=yes
22ProtectSystem=strict
23RestrictAddressFamilies=AF_UNIX
24RestrictNamespaces=yes
25RestrictRealtime=yes
26RestrictSUIDSGID=yes
27SystemCallArchitectures=native
28SystemCallErrorNumber=EPERM
29SystemCallFilter=@system-service
11 30
12[Install] 31[Install]
13WantedBy=sysinit.target 32WantedBy=sysinit.target
diff --git a/meta/recipes-support/rng-tools/rng-tools_6.9.bb b/meta/recipes-support/rng-tools/rng-tools_6.9.bb
index 913342c315..8c98a9aa3a 100644
--- a/meta/recipes-support/rng-tools/rng-tools_6.9.bb
+++ b/meta/recipes-support/rng-tools/rng-tools_6.9.bb
@@ -49,4 +49,11 @@ do_install_append() {
49 -e 's,@SBINDIR@,${sbindir},g' \ 49 -e 's,@SBINDIR@,${sbindir},g' \
50 ${D}${sysconfdir}/init.d/rng-tools \ 50 ${D}${sysconfdir}/init.d/rng-tools \
51 ${D}${systemd_system_unitdir}/rngd.service 51 ${D}${systemd_system_unitdir}/rngd.service
52
53 if [ "${@bb.utils.contains('PACKAGECONFIG', 'nistbeacon', 'yes', 'no', d)}" = "yes" ]; then
54 sed -i \
55 -e '/^IPAddressDeny=any/d' \
56 -e '/^RestrictAddressFamilies=/ s/$/ AF_INET AF_INET6/' \
57 ${D}${systemd_system_unitdir}/rngd.service
58 fi
52} 59}