authorWilliam A. Kennington III <wak@google.com>2021-02-17 01:57:41 +0300
committerWilliam A. Kennington III <wak@google.com>2021-02-17 22:00:50 +0300
commit7f11d1ffd591a1cf63b7a6de87c7c257a6ed99ea (patch)
tree02d1a0572fa21160108b6c4760a34dd0c8894873 /meta-google/recipes-google/ncsi
parentd45e4b3403c5a844c93be4faa4cefce631f537d0 (diff)
meta-google: Fold gbmc-sslh into gbmc-ncsi-config
Logically these packages belong together and don't make much sense without each other. Combine them to reduce package complexity for users. Change-Id: I3d3998f8d10cacbd01f6d883b0033a3260ff60df Signed-off-by: William A. Kennington III <wak@google.com>
Diffstat (limited to 'meta-google/recipes-google/ncsi')
-rw-r--r--meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.service20
-rw-r--r--meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.socket.in9
-rw-r--r--meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb23
3 files changed, 48 insertions, 4 deletions
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.service b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.service
new file mode 100644
index 000000000..b6bc04a4c
--- /dev/null
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=SSL/SSH multiplexer
+Requires=sslh.socket
+
+[Service]
+ExecStart=/usr/sbin/sslh -n -f --ssh [::1]:22 --http [::1]:80 --tls [::1]:443
+KillMode=process
+#Hardening
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+MountFlags=private
+NoNewPrivileges=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+MemoryDenyWriteExecute=true
+DynamicUser=true
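Review bot: `Requires=sslh.socket` names a unit this commit does not install: the recipe ships the pair as `gbmc-ncsi-sslh.service` and `gbmc-ncsi-sslh.socket`, so the dependency should read `Requires=gbmc-ncsi-sslh.socket`. The same stale name appears in the socket file's `Before=sslh.service`, which should be `Before=gbmc-ncsi-sslh.service`. If no `sslh.socket` exists on the image the service would fail to start; if the `sslh` package happens to ship one (not visible here), starting this service would also pull in a listener that lacks the `BindToDevice=` restriction. A comment above `ExecStart` would also help, since the backends on `[::1]` see every multiplexed client as a loopback peer, e.g. `# Backends see ::1 as the peer; do not rely on source address for access control or audit`.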
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.socket.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.socket.in
new file mode 100644
index 000000000..9e5f5949d
--- /dev/null
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.socket.in
@@ -0,0 +1,9 @@
+[Unit]
+Before=sslh.service
+
+[Socket]
+BindToDevice=@NCSI_IF@
+ListenStream=3967
+
+[Install]
+WantedBy=sockets.target
diff --git a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
index 67388b247..41d697678 100644
--- a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
+++ b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
@@ -5,18 +5,29 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5
inherit systemd
-SRC_URI += "file://50-gbmc-ncsi.rules.in"
+SRC_URI += " \
+ file://50-gbmc-ncsi.rules.in \
+ file://gbmc-ncsi-sslh.socket.in \
+ file://gbmc-ncsi-sslh.service \
+ "
S = "${WORKDIR}"
-RDEPENDS_${PN} += "ncsid"
-RDEPENDS_${PN} += "nftables-systemd"
-RDEPENDS_${PN} += "gbmc-sslh"
+RDEPENDS_${PN} += " \
+ ncsid \
+ nftables-systemd \
+ sslh \
+ "
FILES_${PN} += "${systemd_unitdir}"
RPROVIDES_${PN} += "ncsid-config"
+SYSTEMD_SERVICE_${PN} += " \
+ gbmc-ncsi-sslh.service \
+ gbmc-ncsi-sslh.socket \
+ "
+
do_install_append() {
if_name='${GBMC_NCSI_IF_NAME}'
test -z "$if_name" && if_name='${NCSID_IF_NAME}'
@@ -49,4 +60,8 @@ do_install_append() {
wantdir=${D}${systemd_system_unitdir}/multi-user.target.wants
install -d -m0755 "$wantdir"
ln -sv ../ncsid@.service "$wantdir"/ncsid@$if_name.service
+
+ install -m 0644 ${WORKDIR}/gbmc-ncsi-sslh.service ${D}${systemd_system_unitdir}
+ sed "s,@NCSI_IF@,$if_name," ${WORKDIR}/gbmc-ncsi-sslh.socket.in \
+ >${D}${systemd_system_unitdir}/gbmc-ncsi-sslh.socket
}
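Review bot: The added `sed` writes whatever `$if_name` holds into `BindToDevice=`, and nothing in the visible lines rejects an empty value when both `GBMC_NCSI_IF_NAME` and `NCSID_IF_NAME` are unset. An empty `BindToDevice=` leaves the socket unbound to any device, so port 3967 would accept connections on every interface rather than only the NCSI one. do_install_append starts above this hunk and most of its body is elided, so a check may already exist; if not, add `test -n "$if_name" || bbfatal "NCSI interface name is not set"` before the substitution. The shell redirect also creates the socket unit with umask-dependent permissions, unlike the `install -m 0644` used for the service file.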