summaryrefslogtreecommitdiffstats
path: root/meta-security
diff options
context:
space:
mode:
Diffstat (limited to 'meta-security')
-rw-r--r--meta-security/recipes-kernel/linux/linux/smack.cfg1
-rw-r--r--meta-security/recipes-security/cynagora/cynagora_2.0.bb2
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch34
-rw-r--r--meta-security/recipes-security/security-manager/security-manager_git.bb1
4 files changed, 37 insertions, 1 deletions
diff --git a/meta-security/recipes-kernel/linux/linux/smack.cfg b/meta-security/recipes-kernel/linux/linux/smack.cfg
index 62f465a45..45a92f148 100644
--- a/meta-security/recipes-kernel/linux/linux/smack.cfg
+++ b/meta-security/recipes-kernel/linux/linux/smack.cfg
@@ -5,4 +5,5 @@ CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITY_SMACK=y
+CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
CONFIG_TMPFS_XATTR=y
diff --git a/meta-security/recipes-security/cynagora/cynagora_2.0.bb b/meta-security/recipes-security/cynagora/cynagora_2.0.bb
index 1f7160080..b34cb7d71 100644
--- a/meta-security/recipes-security/cynagora/cynagora_2.0.bb
+++ b/meta-security/recipes-security/cynagora/cynagora_2.0.bb
@@ -3,7 +3,7 @@ LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57"
SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}"
-SRCREV = "c29761cd1628960ee2b11a469763479ac5ef1dfa"
+SRCREV = "218dad2eddcbedaede44753e64ea7c30b73b00aa"
PV = "2.0+git${SRCPV}"
S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch b/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
new file mode 100644
index 000000000..d9949193b
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
@@ -0,0 +1,34 @@
+From 7cffcd61378a9d7c0e7db5691b2da3a37448c969 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 30 Jan 2020 09:19:25 +0100
+Subject: [PATCH 15/15] Restrict socket accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure that only members of the group and the owner can access
+the security manager.
+
+Bug-AGL: SPEC-3146
+
+Change-Id: I68ce6523db4bfd4707c3680555c3cb0cf8858ef2
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ systemd/security-manager.socket | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket
+index af1c1da..b401f77 100644
+--- a/systemd/security-manager.socket
++++ b/systemd/security-manager.socket
+@@ -1,6 +1,6 @@
+ [Socket]
+ ListenStream=/run/security-manager.socket
+-SocketMode=0777
++SocketMode=0660
+ SmackLabelIPIn=*
+ SmackLabelIPOut=@
+
+--
+2.21.1
+
diff --git a/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-security/recipes-security/security-manager/security-manager_git.bb
index f438ea505..b34973519 100644
--- a/meta-security/recipes-security/security-manager/security-manager_git.bb
+++ b/meta-security/recipes-security/security-manager/security-manager_git.bb
@@ -20,6 +20,7 @@ SRC_URI += " \
file://0012-Avoid-casting-from-const-T-to-void.patch \
file://0013-Removing-tizen-platform-config.patch \
file://0014-Ensure-post-install-initialization-of-database.patch \
+ file://0015-Restrict-socket-accesses.patch \
"
# Use make with cmake and not ninja