2 files changed, 26 insertions, 0 deletions
diff --git a/meta/recipes-support/rng-tools/rng-tools/rngd.service b/meta/recipes-support/rng-tools/rng-tools/rngd.service
index 084322ac40..0559b97991 100644
--- a/meta/recipes-support/rng-tools/rng-tools/rngd.service
+++ b/meta/recipes-support/rng-tools/rng-tools/rngd.service
@@ -8,6 +8,25 @@ Conflicts=shutdown.target
 [Service]
 EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
 ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
+CapabilityBoundingSet=CAP_SYS_ADMIN
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
 [Install]
 WantedBy=sysinit.target
diff --git a/meta/recipes-support/rng-tools/rng-tools_6.9.bb b/meta/recipes-support/rng-tools/rng-tools_6.9.bb
index 913342c315..8c98a9aa3a 100644
--- a/meta/recipes-support/rng-tools/rng-tools_6.9.bb
+++ b/meta/recipes-support/rng-tools/rng-tools_6.9.bb
@@ -49,4 +49,11 @@ do_install_append() {
        -e 's,@SBINDIR@,${sbindir},g' \
        ${D}${sysconfdir}/init.d/rng-tools \
        ${D}${systemd_system_unitdir}/rngd.service
+    if [ "${@bb.utils.contains('PACKAGECONFIG', 'nistbeacon', 'yes', 'no', d)}" = "yes" ]; then
+        sed -i \
+            -e '/^IPAddressDeny=any/d' \
+            -e '/^RestrictAddressFamilies=/ s/$/ AF_INET AF_INET6/' \
+            ${D}${systemd_system_unitdir}/rngd.service
+    fi
 }

diff --git a/meta/recipes-support/rng-tools/rng-tools/rngd.service b/meta/recipes-support/rng-tools/rng-tools/rngd.service index 084322ac40..0559b97991 100644 --- a/meta/recipes-support/rng-tools/rng-tools/rngd.service +++ b/meta/recipes-support/rng-tools/rng-tools/rngd.service
@@ -8,6 +8,25 @@ Conflicts=shutdown.target
8	[Service]	8	[Service]
9	EnvironmentFile=-@SYSCONFDIR@/default/rng-tools	9	EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
10	ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS	10	ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
		11	CapabilityBoundingSet=CAP_SYS_ADMIN
		12	IPAddressDeny=any
		13	LockPersonality=yes
		14	MemoryDenyWriteExecute=yes
		15	NoNewPrivileges=yes
		16	PrivateTmp=yes
		17	ProtectControlGroups=yes
		18	ProtectHome=yes
		19	ProtectHostname=yes
		20	ProtectKernelModules=yes
		21	ProtectKernelLogs=yes
		22	ProtectSystem=strict
		23	RestrictAddressFamilies=AF_UNIX
		24	RestrictNamespaces=yes
		25	RestrictRealtime=yes
		26	RestrictSUIDSGID=yes
		27	SystemCallArchitectures=native
		28	SystemCallErrorNumber=EPERM
		29	SystemCallFilter=@system-service
11		30
12	[Install]	31	[Install]
13	WantedBy=sysinit.target	32	WantedBy=sysinit.target


diff --git a/meta/recipes-support/rng-tools/rng-tools_6.9.bb b/meta/recipes-support/rng-tools/rng-tools_6.9.bb index 913342c315..8c98a9aa3a 100644 --- a/meta/recipes-support/rng-tools/rng-tools_6.9.bb +++ b/meta/recipes-support/rng-tools/rng-tools_6.9.bb
@@ -49,4 +49,11 @@ do_install_append() {
49	-e 's,@SBINDIR@,${sbindir},g' \	49	-e 's,@SBINDIR@,${sbindir},g' \
50	${D}${sysconfdir}/init.d/rng-tools \	50	${D}${sysconfdir}/init.d/rng-tools \
51	${D}${systemd_system_unitdir}/rngd.service	51	${D}${systemd_system_unitdir}/rngd.service
		52
		53	if [ "${@bb.utils.contains('PACKAGECONFIG', 'nistbeacon', 'yes', 'no', d)}" = "yes" ]; then
		54	sed -i \
		55	-e '/^IPAddressDeny=any/d' \
		56	-e '/^RestrictAddressFamilies=/ s/$/ AF_INET AF_INET6/' \
		57	${D}${systemd_system_unitdir}/rngd.service
		58	fi
52	}	59	}