rng-tools: Restrict rngd.service

Whilst rngd has to run as root, we can significantly constrain its
permissions (network is only required if nistbeacon is enabled).

(From OE-Core rev: 3ed70b755d0b60e61e0871f8b0cca2e2ab5e13f9)

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-support/rng-tools/rng-tools/rngd.service

@@ -8,6 +8,25 @@ Conflicts=shutdown.target
 [Service]
 EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
 ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
+CapabilityBoundingSet=CAP_SYS_ADMIN
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
 
 [Install]
 WantedBy=sysinit.target

meta/recipes-support/rng-tools/rng-tools_6.9.bb

@@ -49,4 +49,11 @@ do_install_append() {
         -e 's,@SBINDIR@,${sbindir},g' \
         ${D}${sysconfdir}/init.d/rng-tools \
         ${D}${systemd_system_unitdir}/rngd.service
+
+    if [ "${@bb.utils.contains('PACKAGECONFIG', 'nistbeacon', 'yes', 'no', d)}" = "yes" ]; then
+        sed -i \
+            -e '/^IPAddressDeny=any/d' \
+            -e '/^RestrictAddressFamilies=/ s/$/ AF_INET AF_INET6/' \
+            ${D}${systemd_system_unitdir}/rngd.service
+    fi
 }