From 7f11d1ffd591a1cf63b7a6de87c7c257a6ed99ea Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Tue, 16 Feb 2021 14:57:41 -0800 Subject: meta-google: Fold gbmc-sslh into gbmc-ncsi-config Logically these packages belong together and don't make much sense without each other. Combine them to reduce package complexity for users. Change-Id: I3d3998f8d10cacbd01f6d883b0033a3260ff60df Signed-off-by: William A. Kennington III --- .../ncsi/files/gbmc-ncsi-sslh.service | 20 +++++++++++++++++++ .../ncsi/files/gbmc-ncsi-sslh.socket.in | 9 +++++++++ .../recipes-google/ncsi/gbmc-ncsi-config.bb | 23 ++++++++++++++++++---- .../recipes-google/networking/files/sslh.service | 20 ------------------- .../recipes-google/networking/files/sslh.socket | 8 -------- meta-google/recipes-google/networking/gbmc-sslh.bb | 23 ---------------------- 6 files changed, 48 insertions(+), 55 deletions(-) create mode 100644 meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.service create mode 100644 meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.socket.in delete mode 100644 meta-google/recipes-google/networking/files/sslh.service delete mode 100644 meta-google/recipes-google/networking/files/sslh.socket delete mode 100644 meta-google/recipes-google/networking/gbmc-sslh.bb (limited to 'meta-google')
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.service b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.service
new file mode 100644
index 000000000..b6bc04a4c
--- /dev/null
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=SSL/SSH multiplexer
+Requires=sslh.socket
+
+[Service]
+ExecStart=/usr/sbin/sslh -n -f --ssh [::1]:22 --http [::1]:80 --tls [::1]:443
+KillMode=process
+#Hardening
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+MountFlags=private
+NoNewPrivileges=true
+PrivateDevices=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+MemoryDenyWriteExecute=true
+DynamicUser=true
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.socket.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.socket.in
new file mode 100644
index 000000000..9e5f5949d
--- /dev/null
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-sslh.socket.in
@@ -0,0 +1,9 @@
+[Unit]
+Before=sslh.service
+
+[Socket]
+BindToDevice=@NCSI_IF@
+ListenStream=3967
+
+[Install]
+WantedBy=sockets.target
diff --git a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
index 67388b247..41d697678 100644
--- a/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
+++ b/meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb
@@ -5,18 +5,29 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5 inherit systemd -SRC_URI += "file://50-gbmc-ncsi.rules.in" +SRC_URI += " \ + file://50-gbmc-ncsi.rules.in \ + file://gbmc-ncsi-sslh.socket.in \ + file://gbmc-ncsi-sslh.service \ + " S = "${WORKDIR}" -RDEPENDS_${PN} += "ncsid" -RDEPENDS_${PN} += "nftables-systemd" -RDEPENDS_${PN} += "gbmc-sslh" +RDEPENDS_${PN} += " \ + ncsid \ + nftables-systemd \ + sslh \ + " FILES_${PN} += "${systemd_unitdir}" RPROVIDES_${PN} += "ncsid-config" +SYSTEMD_SERVICE_${PN} += " \ + gbmc-ncsi-sslh.service \ + gbmc-ncsi-sslh.socket \ + " + do_install_append() { if_name='${GBMC_NCSI_IF_NAME}' test -z "$if_name" && if_name='${NCSID_IF_NAME}'
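Review bot: `Requires=sslh.socket` in gbmc-ncsi-sslh.service still names the old socket unit, although this commit installs the pair as gbmc-ncsi-sslh.socket and gbmc-ncsi-sslh.service; the `Before=sslh.service` line in gbmc-ncsi-sslh.socket.in carries the same stale name. With the old units deleted, the requirement either cannot be resolved or, if some other package ships an sslh.socket, starts a listener that lacks the `BindToDevice=@NCSI_IF@` restriction, so the multiplexer in front of SSH, HTTP and TLS could become reachable on interfaces other than the NCSI one. I would change the two lines to `Requires=gbmc-ncsi-sslh.socket` and `Before=gbmc-ncsi-sslh.service`.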
@@ -49,4 +60,8 @@ do_install_append() {
 wantdir=${D}${systemd_system_unitdir}/multi-user.target.wants
 install -d -m0755 "$wantdir"
 ln -sv ../ncsid@.service "$wantdir"/ncsid@$if_name.service
+
+ install -m 0644 ${WORKDIR}/gbmc-ncsi-sslh.service ${D}${systemd_system_unitdir}
+ sed "s,@NCSI_IF@,$if_name," ${WORKDIR}/gbmc-ncsi-sslh.socket.in \
+ >${D}${systemd_system_unitdir}/gbmc-ncsi-sslh.socket
 }
diff --git a/meta-google/recipes-google/networking/files/sslh.service b/meta-google/recipes-google/networking/files/sslh.service
deleted file mode 100644
index b6bc04a4c..000000000
--- a/meta-google/recipes-google/networking/files/sslh.service
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=SSL/SSH multiplexer
-Requires=sslh.socket
-
-[Service]
-ExecStart=/usr/sbin/sslh -n -f --ssh [::1]:22 --http [::1]:80 --tls [::1]:443
-KillMode=process
-#Hardening
-PrivateTmp=true
-ProtectSystem=strict
-ProtectHome=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectControlGroups=true
-MountFlags=private
-NoNewPrivileges=true
-PrivateDevices=true
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-MemoryDenyWriteExecute=true
-DynamicUser=true
diff --git a/meta-google/recipes-google/networking/files/sslh.socket b/meta-google/recipes-google/networking/files/sslh.socket
deleted file mode 100644
index 2540e5961..000000000
--- a/meta-google/recipes-google/networking/files/sslh.socket
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Before=sslh.service
-
-[Socket]
-ListenStream=3967
-
-[Install]
-WantedBy=sockets.target
diff --git a/meta-google/recipes-google/networking/gbmc-sslh.bb b/meta-google/recipes-google/networking/gbmc-sslh.bb
deleted file mode 100644
index ec16f078f..000000000
--- a/meta-google/recipes-google/networking/gbmc-sslh.bb
+++ /dev/null
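Review bot: In the do_install_append hunk of gbmc-ncsi-config.bb, the `sed "s,@NCSI_IF@,$if_name,"` line writes whatever `$if_name` holds into `BindToDevice=`, and nothing visible in the hunk stops an empty value. If both GBMC_NCSI_IF_NAME and NCSID_IF_NAME are unset, the generated socket unit carries an empty `BindToDevice=`, which systemd reads as no device binding, so port 3967 would listen on every interface. The function body starts outside the hunk and may already reject that case; if it does not, add `test -n "$if_name" || bbfatal "gbmc-ncsi-config: no NCSI interface name set"` before the `sed`. Quoting `"${WORKDIR}/gbmc-ncsi-sslh.socket.in"` and the `${D}` target path would also match the quoting already used for `"$wantdir"`.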
@@ -1,23 +0,0 @@
-PR = "r1"
-
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
-
-inherit systemd
-
-RDEPENDS_${PN} += "sslh"
-
-SRC_URI_append = " \
- file://sslh.service \
- file://sslh.socket \
-"
-
-SYSTEMD_SERVICE_${PN} += "sslh.service"
-SYSTEMD_SERVICE_${PN} += "sslh.socket"
-
-do_install() {
- # Install service definitions
- install -d -m 0755 ${D}${systemd_system_unitdir}
- install -m 0644 ${WORKDIR}/sslh.service ${D}${systemd_system_unitdir}
- install -m 0644 ${WORKDIR}/sslh.socket ${D}${systemd_system_unitdir}
-}
-- cgit v1.2.3