Enforce separation of users using UMASK

Users should not be able to read other user content.
Use Umask to enforce that.

Bug-AGL: SPEC-1016

Change-Id: Ibb61b7a6a7617117a499650c5bd70bdd5af3c328
Signed-off-by: José Bollo <jose.bollo@iot.bzh>

2 files changed, 10 insertions, 2 deletions

diff --git a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend
index 536ce8075..1dddcd6f2 100644
--- a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend
@@ -2,8 +2,10 @@ RDEPENDS_${PN}_append_with-lsm-smack = " smack"
 PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native"
 
 do_install_append() {
-    install -d ${D}/${sysconfdir}/skel/app-data
-    install -d ${D}/${sysconfdir}/skel/.config
+    install -m 0700 -d ${D}/${sysconfdir}/skel
+    chmod -R 0700 ${D}/${sysconfdir}/skel
+    install -m 0700 -d ${D}/${sysconfdir}/skel/app-data
+    install -m 0700 -d ${D}/${sysconfdir}/skel/.config
     install -m 0755 -d ${D}/var
     if [ -d ${D}/usr/local ]; then
         mv ${D}/usr/local ${D}/var
diff --git a/meta-app-framework/recipes-core/shadow/shadow_%.bbappend b/meta-app-framework/recipes-core/shadow/shadow_%.bbappend
new file mode 100644
index 000000000..4f594d47c
--- /dev/null
+++ b/meta-app-framework/recipes-core/shadow/shadow_%.bbappend
@@ -0,0 +1,6 @@
+
+do_install_append() {
+	sed -i '/^UMASK/s:^.*$:UMASK 077:' ${D}${sysconfdir}/login.defs
+}
+
+