Whilst rngd has to run as root, we can significantly constrain its
permissions (network is only required if nistbeacon is enabled).
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Service]
EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
+CapabilityBoundingSet=CAP_SYS_ADMIN
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
[Install]
WantedBy=sysinit.target
-e 's,@SBINDIR@,${sbindir},g' \
${D}${sysconfdir}/init.d/rng-tools \
${D}${systemd_system_unitdir}/rngd.service
+
+ if [ "${@bb.utils.contains('PACKAGECONFIG', 'nistbeacon', 'yes', 'no', d)}" = "yes" ]; then
+ sed -i \
+ -e '/^IPAddressDeny=any/d' \
+ -e '/^RestrictAddressFamilies=/ s/$/ AF_INET AF_INET6/' \
+ ${D}${systemd_system_unitdir}/rngd.service
+ fi
}
