On Wed, Apr 22, 2020 at 2:52 PM Alex Kiernan via
lists.openembedded.org <[email protected]>
wrote:
>
> Whilst rngd has to run as root, we can significantly constrain its
> permissions (AF_INET AF_INET6 are only required if nistbeacon is
> enabled).
>
> Signed-off-by: Alex Kiernan <[email protected]>
> ---
>
>  .../rng-tools/rng-tools/rngd.service          | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
>
> diff --git a/meta/recipes-support/rng-tools/rng-tools/rngd.service 
> b/meta/recipes-support/rng-tools/rng-tools/rngd.service
> index 084322ac40aa..604e9500665e 100644
> --- a/meta/recipes-support/rng-tools/rng-tools/rngd.service
> +++ b/meta/recipes-support/rng-tools/rng-tools/rngd.service
> @@ -8,6 +8,25 @@ Conflicts=shutdown.target
>  [Service]
>  EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
>  ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
> +CapabilityBoundingSet=CAP_SYS_ADMIN
> +IPAddressDeny=any

I missed removing this constraint when nistbeacon is enabled - will send v2

> +LockPersonality=yes
> +MemoryDenyWriteExecute=yes
> +NoNewPrivileges=yes
> +PrivateTmp=yes
> +ProtectControlGroups=yes
> +ProtectHome=yes
> +ProtectHostname=yes
> +ProtectKernelModules=yes
> +ProtectKernelLogs=yes
> +ProtectSystem=strict
> +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
> +RestrictNamespaces=yes
> +RestrictRealtime=yes
> +RestrictSUIDSGID=yes
> +SystemCallArchitectures=native
> +SystemCallErrorNumber=EPERM
> +SystemCallFilter=@system-service
>
>  [Install]
>  WantedBy=sysinit.target
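Review bot: The socket restrictions in this hunk contradict each other and the commit message: `IPAddressDeny=any` blocks all IP traffic, so nistbeacon can never work, while `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` leaves the IP families open unconditionally even though the message says they are only needed when nistbeacon is enabled. Because nistbeacon can be switched on at runtime through `$EXTRA_ARGS` from the EnvironmentFile, a fixed unit cannot know whether networking is wanted; either drop `IPAddressDeny=` (as the follow-up says) and also narrow `RestrictAddressFamilies=` to `AF_UNIX` when the build-time nistbeacon option is off, or keep the deny and document in `@SYSCONFDIR@/default/rng-tools` that enabling nistbeacon needs a drop-in overriding it. Two smaller points: `CAP_SYS_ADMIN` is the one capability rngd needs (for the RNDADDENTROPY ioctl), so the bounding set is right, but since `PrivateDevices=` is not usable here (rngd needs at least /dev/hwrng and /dev/random) a `DeviceAllow=/dev/hwrng r` / `DeviceAllow=/dev/random rw` pair would close the remaining device surface; and `ProtectKernelLogs=` and `ProtectHostname=` are recent directives (systemd 244 and 242 respectively), so the minimum systemd version this unit assumes is worth stating in the commit message.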
> --
> 2.17.1
>
> 



-- 
Alex Kiernan
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#137405): 
https://lists.openembedded.org/g/openembedded-core/message/137405
Mute This Topic: https://lists.openembedded.org/mt/73214571/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub  
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
