From: José Bollo Date: Tue, 11 Jun 2019 10:17:04 +0000 (+0200) Subject: Enforce separation of users using UMASK X-Git-Tag: 7.99.2~25 X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=commitdiff_plain;h=9d9c024ba9de04965aff3e0e2e8caa2abb80ab7c;p=AGL%2Fmeta-agl.git Enforce separation of users using UMASK Users should not be able to read other user content. Use Umask to enforce that. Bug-AGL: SPEC-1016 Change-Id: Ibb61b7a6a7617117a499650c5bd70bdd5af3c328 Signed-off-by: José Bollo --- diff --git a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend index 536ce8075..1dddcd6f2 100644 --- a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend +++ b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend @@ -2,8 +2,10 @@ RDEPENDS_${PN}_append_with-lsm-smack = " smack" PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native" do_install_append() { - install -d ${D}/${sysconfdir}/skel/app-data - install -d ${D}/${sysconfdir}/skel/.config + install -m 0700 -d ${D}/${sysconfdir}/skel + chmod -R 0700 ${D}/${sysconfdir}/skel + install -m 0700 -d ${D}/${sysconfdir}/skel/app-data + install -m 0700 -d ${D}/${sysconfdir}/skel/.config install -m 0755 -d ${D}/var if [ -d ${D}/usr/local ]; then mv ${D}/usr/local ${D}/var diff --git a/meta-app-framework/recipes-core/shadow/shadow_%.bbappend b/meta-app-framework/recipes-core/shadow/shadow_%.bbappend new file mode 100644 index 000000000..4f594d47c --- /dev/null +++ b/meta-app-framework/recipes-core/shadow/shadow_%.bbappend @@ -0,0 +1,6 @@ + +do_install_append() { + sed -i '/^UMASK/s:^.*$:UMASK 077:' ${D}${sysconfdir}/login.defs +} + +
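Review bot: The `chmod -R 0700 ${D}/${sysconfdir}/skel` line sets the execute bit on every regular file already under skel as well as on the directories, so any dotfiles shipped there would be copied into new home directories as executable. A symbolic mode keeps the intent (no group or other access) without that side effect: `chmod -R u=rwX,go= ${D}/${sysconfdir}/skel`. A short comment would help here, for example `# skel is copied into each new home; keep it private so one user's data is not readable by another`, and presumably this only affects accounts created after the change, not existing homes. The body of do_install_append continues past the end of this hunk.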
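Review bot: The `sed` in the new shadow do_install_append only rewrites a line that already starts with `UMASK`, so if the installed login.defs has that key commented out or absent, the build succeeds and the image silently keeps the default umask. Follow it with a check that fails the build, e.g. `grep -q '^UMASK[[:space:]]*077' ${D}${sysconfdir}/login.defs || bbfatal "UMASK 077 not applied to login.defs"`. A comment above the sed should state that the value is there to keep users from reading each other's files. The setting presumably only takes effect for sessions that honour login.defs, and a `umask` call in shell start-up files would override it, so both are worth verifying on the target image.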