author | Alex Kiernan <alex.kiernan@gmail.com> | 2020-04-23 15:12:06 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-04-26 14:00:50 +0100 |
commit | 0d201feb8dbf96d8852a3e2303ed8727effcaf2c (patch) | |
tree | afaf8c2eb8e0265276f776e0946631179c527c60 | |
parent | c21dfbd8eabfce84fcc3afd50bf54bc8c0f57650 (diff) | |
download | poky-0d201feb8dbf96d8852a3e2303ed8727effcaf2c.tar.gz |
rng-tools: Restrict rngd.service
Whilst rngd has to run as root, we can significantly constrain its
permissions (network is only required if nistbeacon is enabled).
(From OE-Core rev: 3ed70b755d0b60e61e0871f8b0cca2e2ab5e13f9)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-support/rng-tools/rng-tools/rngd.service | 19 | ||||
-rw-r--r-- | meta/recipes-support/rng-tools/rng-tools_6.9.bb | 7 |
2 files changed, 26 insertions, 0 deletions
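--- a/meta/recipes-support/rng-tools/rng-tools/rngd.service
+++ b/meta/recipes-support/rng-tools/rng-tools/rngd.service
@@ -8,6 +8,25 @@ Conflicts=shutdown.target
 [Service]
 EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
 ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
+CapabilityBoundingSet=CAP_SYS_ADMIN
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
 
 [Install]
 WantedBy=sysinit.target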
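Review bot: The network lockdown (`IPAddressDeny=any`, `RestrictAddressFamilies=AF_UNIX`) is hard-coded in the unit, while the only relaxation is applied at build time from PACKAGECONFIG in rng-tools_6.9.bb; the unit also feeds `$EXTRA_ARGS` from the EnvironmentFile, so an entropy source that is switched on at runtime through that file and happens to need the network would fail under these directives with nothing in the unit explaining why. A comment above the hardening block would save the next maintainer a debugging session, e.g. `# Network is denied here; the recipe lifts IPAddressDeny/RestrictAddressFamilies only when the nistbeacon PACKAGECONFIG is set`. The `CapabilityBoundingSet=CAP_SYS_ADMIN` line also deserves a one-line reason, presumably `# CAP_SYS_ADMIN is needed for the RNDADDENTROPY ioctl on /dev/random`, so nobody later "tightens" it to an empty set; please confirm that is the only capability rngd exercises. Note that the remaining filesystem is read-only under `ProtectSystem=strict` with no `ReadWritePaths=`, which is fine as long as rngd never writes a PID file or state file outside /dev, /proc, /sys and /tmp.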
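--- a/meta/recipes-support/rng-tools/rng-tools_6.9.bb
+++ b/meta/recipes-support/rng-tools/rng-tools_6.9.bb
@@ -49,4 +49,11 @@ do_install_append() {
 -e 's,@SBINDIR@,${sbindir},g' \
 ${D}${sysconfdir}/init.d/rng-tools \
 ${D}${systemd_system_unitdir}/rngd.service
+
+if [ "${@bb.utils.contains('PACKAGECONFIG', 'nistbeacon', 'yes', 'no', d)}" = "yes" ]; then
+sed -i \
+-e '/^IPAddressDeny=any/d' \
+-e '/^RestrictAddressFamilies=/ s/$/ AF_INET AF_INET6/' \
+${D}${systemd_system_unitdir}/rngd.service
+fi
 }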
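Review bot: The two `sed -e` expressions in the nistbeacon branch rewrite the installed unit by pattern and do nothing, silently, if the directive text in rngd.service is ever changed; since this branch is the only place where the unit's network lockdown is lifted, a later edit to the template would leave the beacon source unable to reach the network with no build-time signal. Worth at least a comment stating the coupling, e.g. `# nistbeacon fetches entropy from a remote service, so drop the IPAddressDeny line and allow AF_INET/AF_INET6 in the installed rngd.service; keep these patterns in sync with rngd.service`. Dropping `IPAddressDeny=any` entirely opens all outbound IP; if the beacon's endpoint is stable enough to name, an `IPAddressAllow=` for it in place of the deletion would keep the rest of the lockdown, but I have not verified that in the rngd source. do_install_append() begins outside this hunk.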