- Task
- Resolution: Incomplete
- Critical
- None
- Dab
Most (all?) system daemons should run with a dedicated user and optionally a dedicated group and SMACK label.
Also, the service should be run with a minimal set of capabilities(7).
For more information, check the security blueprint.
Daemons to secure include (list is not exhaustive and may depend on profiles):
- weston / weston-keyboard
- dbus
- journald/syslogd/klogd
- bluez
- ofono
- connman + WPA supplicant
- neard (NFC)
- pulseaudio (depending on whether it's in the user session or not)
- AudioManager + DLT (still used?)
- security-manager (if not removed)
- lightmediascanner / rygel
- MostNetworkManager
Individual issues (subtasks) should be created for each case.
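One way to check a daemon's systemd unit against the requirements above, as an added example that is not part of the original task or of the project's code. The daemon name `sampled`, its account, its SMACK label and its capability list are constructed placeholders.

```python
# Audit the [Service] section of a systemd unit for the settings this task
# asks for: dedicated user, minimal capabilities, optional group and SMACK label.
OPTIONAL = ("Group", "SmackProcessLabel")  # "optionally" in the task text

# Constructed sample units (hypothetical daemon, not shipped unit files).
WEAK = """[Unit]
Description=Constructed sample daemon
[Service]
ExecStart=/usr/bin/sampled
"""
HARDENED = """[Unit]
Description=Constructed sample daemon
[Service]
ExecStart=/usr/bin/sampled
User=sampled
Group=sampled
SmackProcessLabel=System::Sampled
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
"""

def service_settings(unit_text):
    """Return key -> value for [Service]. Simplification: systemd merges
    repeated list settings; here the last assignment wins."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_unit(unit_text):
    """Return (findings, advisories) as two lists of strings."""
    s = service_settings(unit_text)
    findings = []
    if s.get("User", "") in ("", "root", "0"):
        findings.append("runs as root: set User= to a dedicated account")
    # An empty CapabilityBoundingSet= is valid (no capabilities at all),
    # so only the absence of the key is reported.
    if "CapabilityBoundingSet" not in s:
        findings.append("CapabilityBoundingSet= not set: full capability set")
    advisories = [f"{k}= not set" for k in OPTIONAL if not s.get(k)]
    return findings, advisories
```

`AmbientCapabilities=` appears in the hardened sample because a service started as a non-root user otherwise holds none of the capabilities left in its bounding set.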