diff options
author | José Bollo <jose.bollo@iot.bzh> | 2020-01-30 18:13:40 +0100 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-02-15 22:03:23 +0000 |
commit | caba0e01706cc4b4a52bbe1c93ae93a649972505 (patch) | |
tree | d958cd8edac446612b6c3c5e9ecbb33e2beaf8bd /meta-security/recipes-security/security-manager | |
parent | 2b014c6f1653a75b47ce6f9b26ba3763b470d57f (diff) |
security-manager: Restrict socket accesses
Ensure that only members of the group and the owner can access
the security manager.
Bug-AGL: SPEC-3146
Change-Id: Ia529be6b4ef425d03be31f0d2e2d623fa6ac091e
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-security/recipes-security/security-manager')
-rw-r--r-- | meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch | 34 | ||||
-rw-r--r-- | meta-security/recipes-security/security-manager/security-manager_git.bb | 1 |
2 files changed, 35 insertions, 0 deletions
diff --git a/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch b/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch new file mode 100644 index 000000000..d9949193b --- /dev/null +++ b/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch @@ -0,0 +1,34 @@ +From 7cffcd61378a9d7c0e7db5691b2da3a37448c969 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh> +Date: Thu, 30 Jan 2020 09:19:25 +0100 +Subject: [PATCH 15/15] Restrict socket accesses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Ensure that only members of the group and the owner can access +the security manager. + +Bug-AGL: SPEC-3146 + +Change-Id: I68ce6523db4bfd4707c3680555c3cb0cf8858ef2 +Signed-off-by: José Bollo <jose.bollo@iot.bzh> +--- + systemd/security-manager.socket | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket +index af1c1da..b401f77 100644 +--- a/systemd/security-manager.socket ++++ b/systemd/security-manager.socket +@@ -1,6 +1,6 @@ + [Socket] + ListenStream=/run/security-manager.socket +-SocketMode=0777 ++SocketMode=0660 + SmackLabelIPIn=* + SmackLabelIPOut=@ + +-- +2.21.1 + diff --git a/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-security/recipes-security/security-manager/security-manager_git.bb index f438ea505..b34973519 100644 --- a/meta-security/recipes-security/security-manager/security-manager_git.bb +++ b/meta-security/recipes-security/security-manager/security-manager_git.bb @@ -20,6 +20,7 @@ SRC_URI += " \ file://0012-Avoid-casting-from-const-T-to-void.patch \ file://0013-Removing-tizen-platform-config.patch \ file://0014-Ensure-post-install-initialization-of-database.patch \ + file://0015-Restrict-socket-accesses.patch \ " # Use make with cmake and not ninja |