Hi team , Most of the IOT lines have been deployed on Yocto now the new trend/requirement is security . On yocto we see that we moved away making every one as root and every resource on the device tree accessible . Where it creates new challenges of creating isolation of services and resources . Making a service to run in low privilege mode (which is a base requirement of security ) . I understand we had always encouraged using extrausers and useradd for creating custom user groups. [1] https://docs.yoctoproject.org/ref-manual/classes.html#extrausers [2] https://docs.yoctoproject.org/ref-manual/classes.html#useradd
Following are the problems . we add a new UID and GID and associate the new code , But open source service might still need to be part of this group to access this. where adding /covering all the use cases is really not possible . Re-using of the code which is already associated with some user group has to be reworked to make sure the UID and GID is unique . We see that we are moving aways from commercial product lines in terms of security. How do we address this or the proposal? 1. Standardization of user /group : Just like android echo system uid /gid classification based on . <range > to be defined . driver related / app related / services 2. Default group to be included by Yocto frameworks . like Radio -- moden board are by default enable with wifi , BT , GPS 3. users who are part of special capabilities groups like net_admin /net_raw, reading of /proc or writing to /sys entries which could do elevated roles. Selinux sort of layer is ontop of DAC (legacy user/groups ) and we should be having a robust DAC model to meet the current security requirements. Please let us know if there are any guidelines / plans on this . Or can we submit a patch for adding default /user like raido / net_admin sort of users. Regards, Ravi.
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#61546): https://lists.yoctoproject.org/g/yocto/message/61546 Mute This Topic: https://lists.yoctoproject.org/mt/102313578/21656 Group Owner: yocto+ow...@lists.yoctoproject.org Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
