- Task
- Resolution: Incomplete
- Critical
- None
- Dab
Most (all?) system daemons should run with a dedicated user and optionally a dedicated group and SMACK label.
Also, the service should be run with a minimal set of capabilities(7).
For more information, check the security blueprint.
Daemons to secure include (list is not exhaustive and may depend on profiles):
- weston / weston-keyboard
- dbus
- journald/syslogd/klogd
- bluez
- ofono
- connman + WPA supplicant
- neard (NFC)
- pulseaudio (depending on whether it's in the user session or not)
- AudioManager + DLT (still used?)
- security-manager (if not removed)
- lightmediascanner / rygel
- MostNetworkManager
Individual issues (subtasks) should be created for each case.
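
One way to check a unit file against the requirements above, as an added example that is not part of the original issue or of AGL code. `User=`, `Group=`, `SmackProcessLabel=` and `CapabilityBoundingSet=` are systemd directives; the function name `audit_unit` and its FAIL/INFO output format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not AGL project code. Checks one systemd system unit against
# the task description: a dedicated user and a minimal capability set are
# required, a dedicated group and SMACK label are optional.

audit_unit() {
    # Normalised "Key=Value" lines taken from the [Service] section only.
    svc=$(awk '
        /^\[/ { in_svc = ($0 == "[Service]"); next }
        in_svc && /^[A-Za-z]+[ \t]*=/ { sub(/[ \t]*=[ \t]*/, "="); print }
    ' "$1")
    has() { printf '%s\n' "$svc" | grep -Eq "$1"; }

    # The last User= assignment wins; a system unit without one runs as root.
    user=$(printf '%s\n' "$svc" | sed -n 's/^User=//p' | tail -n 1)
    case $user in
        '')     echo "FAIL: User= not set, service runs as root" ;;
        root|0) echo "FAIL: User= is root" ;;
    esac

    # An empty CapabilityBoundingSet= is valid: it drops every capability.
    has '^CapabilityBoundingSet=' || echo "FAIL: CapabilityBoundingSet= not set"

    # Optional per the task description, so reported as information only.
    has '^Group=.' || echo "INFO: Group= not set"
    has '^SmackProcessLabel=.' || echo "INFO: SmackProcessLabel= not set"
    return 0
}

# Usage: sh audit.sh /lib/systemd/system/*.service
for unit in "$@"; do
    audit_unit "$unit" | while IFS= read -r finding; do
        printf '%s: %s\n' "$unit" "$finding"
    done
done
```

Only the unit file itself is read, so values set through drop-in files are not seen.
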
# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
9135,12 | Run weston with dedicated 'display' user and group | master | AGL/meta-agl | Status: MERGED | +2 | +1 |
9261,6 | Run weston with dedicated 'display' user and group | master | AGL/meta-agl-demo | Status: MERGED | +2 | +1 |
9263,1 | Remove useless "User=" from service | master | src/windowmanager | Status: MERGED | +2 | 0 |
9265,1 | Remove useless "User=" from service | master | src/homescreenappframeworkbinderagl | Status: MERGED | +2 | 0 |
9267,1 | Remove useless "User=" from service | master | apps/homescreen | Status: MERGED | +2 | 0 |
9269,1 | Remove useless "User=" from service | master | src/inputeventmanager | Status: MERGED | +2 | 0 |
13543,3 | weston-init: Ensure setting of the user | master | AGL/meta-agl | Status: MERGED | +2 | +1 |
13613,1 | service-ids-check: Add check uid/gid of services | master | src/qa-testdefinitions | Status: MERGED | +2 | 0 |
13727,2 | af-main: Refactor of user session management | master | AGL/meta-agl | Status: MERGED | +2 | +1 |
18747,2 | afb-hsrv: Prepare selection of listening interfaces | master | src/app-framework-binder | Status: MERGED | +2 | 0 |
18833,5 | linux-agl-4.14: Backport of Smack patch for cgroup2 | master | AGL/meta-agl | Status: MERGED | +2 | +1 |
18835,5 | linux-renesas: Add smack patches to R-Car | master | AGL/meta-agl | Status: MERGED | +2 | +1 |
21162,5 | agl-login: switch to user 1001 | master | AGL/meta-agl-demo | Status: MERGED | +2 | +1 |
21305,2 | Refactor of system and user setup | master | src/app-framework-main | Status: MERGED | +2 | 0 |
21636,1 | Request permission :system:capability:keep-all | master | apps/agl-service-audio-4a | Status: MERGED | +2 | +1 |
21642,1 | Introduce dbus config of services | master | src/app-framework-main | Status: MERGED | +2 | 0 |
21643,1 | Introduce platform services | master | src/app-framework-main | Status: MERGED | +2 | 0 |
21644,1 | Fix synchronisation of user setup | master | src/app-framework-main | Status: MERGED | +2 | 0 |
21651,8 | lightmediascanner: change db directory | master | AGL/meta-agl | Status: MERGED | +2 | +1 |
21652,13 | Enforce separation of users using UMASK | master | AGL/meta-agl | Status: MERGED | +2 | +1 |
21653,10 | af-platform-setup: Add recipe for setting platform | master | AGL/meta-agl | Status: MERGED | +2 | +1 |
21657,8 | af-main: Version bump for running as agl-driver | master | AGL/meta-agl | Status: MERGED | +2 | +1 |