aboutsummaryrefslogtreecommitdiffstats
path: root/meta-security/recipes-security
diff options
context:
space:
mode:
authorJosé Bollo <jose.bollo@iot.bzh>2020-01-30 18:13:40 +0100
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2020-02-15 22:03:23 +0000
commitcaba0e01706cc4b4a52bbe1c93ae93a649972505 (patch)
treed958cd8edac446612b6c3c5e9ecbb33e2beaf8bd /meta-security/recipes-security
parent2b014c6f1653a75b47ce6f9b26ba3763b470d57f (diff)
security-manager: Restrict socket accesses
Ensure that only members of the group and the owner can access the security manager. Bug-AGL: SPEC-3146 Change-Id: Ia529be6b4ef425d03be31f0d2e2d623fa6ac091e Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-security/recipes-security')
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch34
-rw-r--r--meta-security/recipes-security/security-manager/security-manager_git.bb1
2 files changed, 35 insertions, 0 deletions
diff --git a/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch b/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
new file mode 100644
index 000000000..d9949193b
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
@@ -0,0 +1,34 @@
+From 7cffcd61378a9d7c0e7db5691b2da3a37448c969 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 30 Jan 2020 09:19:25 +0100
+Subject: [PATCH 15/15] Restrict socket accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure that only members of the group and the owner can access
+the security manager.
+
+Bug-AGL: SPEC-3146
+
+Change-Id: I68ce6523db4bfd4707c3680555c3cb0cf8858ef2
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ systemd/security-manager.socket | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket
+index af1c1da..b401f77 100644
+--- a/systemd/security-manager.socket
++++ b/systemd/security-manager.socket
+@@ -1,6 +1,6 @@
+ [Socket]
+ ListenStream=/run/security-manager.socket
+-SocketMode=0777
++SocketMode=0660
+ SmackLabelIPIn=*
+ SmackLabelIPOut=@
+
+--
+2.21.1
+
diff --git a/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-security/recipes-security/security-manager/security-manager_git.bb
index f438ea505..b34973519 100644
--- a/meta-security/recipes-security/security-manager/security-manager_git.bb
+++ b/meta-security/recipes-security/security-manager/security-manager_git.bb
@@ -20,6 +20,7 @@ SRC_URI += " \
file://0012-Avoid-casting-from-const-T-to-void.patch \
file://0013-Removing-tizen-platform-config.patch \
file://0014-Ensure-post-install-initialization-of-database.patch \
+ file://0015-Restrict-socket-accesses.patch \
"
# Use make with cmake and not ninja