--- /dev/null
+#
+# Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Contact: Lukasz Pawelczyk (l.pawelczyk@samsung.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+#
+
+*mangle
+:PREROUTING ACCEPT
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:POSTROUTING ACCEPT
+:CHECK-LOCALHOST -
+-A INPUT ! -i lo -j SECMARK --selctx System
+-A OUTPUT -o lo -j CHECK-LOCALHOST
+-A OUTPUT -p igmp -j ACCEPT
+-A CHECK-LOCALHOST -p udp -m udp --dport 53 -j RETURN
+-A CHECK-LOCALHOST -p tcp -m tcp --dport 53 -j RETURN
+-A CHECK-LOCALHOST -j ACCEPT
+COMMIT
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:REJECT-LOG -
+-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A OUTPUT -m owner --uid-owner 0-5000 -j ACCEPT
+-A OUTPUT -m owner --gid-owner priv_internet --suppl-groups -j ACCEPT
+-A OUTPUT -j REJECT-LOG
+-A REJECT-LOG -m limit --limit 1/min -j AUDIT --type reject
+-A REJECT-LOG -j REJECT --reject-with icmp6-adm-prohibited
+-A REJECT-LOG -j RETURN
+COMMIT
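Review bot: The ACCEPT at the end of CHECK-LOCALHOST only ends traversal of the mangle OUTPUT chain; the packet still enters the filter OUTPUT chain, where loopback traffic from a uid above 5000 that lacks priv_internet falls through to REJECT-LOG, so the DNS carve-out in mangle has no effect on what is actually allowed. If the intent is to let unprivileged apps talk over lo except to a local resolver on port 53, the chain belongs in the filter table ahead of the owner checks (sketch below); if the mangle placement is deliberate, a comment saying what the chain is for would save the next reader the same question. The final `-A REJECT-LOG -j RETURN` is unreachable because REJECT is a terminating target and can be dropped. The `-m limit --limit 1/min` on the AUDIT rule silently discards every further rejection within that minute, which is fine as flood control but worth a `--limit-burst` (or a note) if these audit records feed detection.
```iptables
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:CHECK-LOCALHOST -
:REJECT-LOG -
# Loopback: allow everything except DNS, which still needs priv_internet below
-A OUTPUT -o lo -j CHECK-LOCALHOST
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ... unchanged: owner/group rules and the REJECT-LOG jump ...
-A CHECK-LOCALHOST -p udp -m udp --dport 53 -j RETURN
-A CHECK-LOCALHOST -p tcp -m tcp --dport 53 -j RETURN
-A CHECK-LOCALHOST -j ACCEPT
-A REJECT-LOG -m limit --limit 1/min -j AUDIT --type reject
-A REJECT-LOG -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
```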
--- /dev/null
+[Unit]
+Description=Load default Tizen iptables firewall rules
+# sounds reasonable to have firewall up before any of the services go up
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore -w -- /etc/security-manager-iptables.rules
+ExecStart=/sbin/ip6tables-restore -w -- /etc/security-manager-ip6tables.rules
+
+[Install]
+WantedBy=basic.target
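Review bot: The oneshot service has no `RemainAfterExit=yes`, so it returns to inactive right after loading; `systemctl is-active` can never report the firewall as up, and any later start of a unit that wants it re-runs both restores. Because the unit keeps default dependencies it is implicitly ordered `After=sysinit.target basic.target`, and with `Before=network-pre.target` that pushes network-pre.target — and presumably every network service ordered after it — behind basic.target; firewall loaders normally add `DefaultDependencies=no` together with `After=local-fs.target` and `Conflicts=shutdown.target` to avoid that, so confirm which ordering is intended here. Note also that the two ExecStart lines are sequential and the unit fails on the first non-zero exit: the rule files reference `priv_internet`/`priv_appdebugging` by name, so if a group is missing the IPv4 restore fails and the IPv6 rules are never loaded at all — failing loudly is probably right, but a short comment in the unit stating that dependency would help whoever debugs it.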
--- /dev/null
+#
+# Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Contact: Lukasz Pawelczyk (l.pawelczyk@samsung.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+#
+
+*mangle
+:PREROUTING ACCEPT
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:POSTROUTING ACCEPT
+:CHECK-LOCALHOST -
+-A INPUT ! -i lo -j SECMARK --selctx System
+-A OUTPUT -o lo -j CHECK-LOCALHOST
+-A OUTPUT -p igmp -j ACCEPT
+-A CHECK-LOCALHOST -p udp -m udp --dport 53 -j RETURN
+-A CHECK-LOCALHOST -p tcp -m tcp --dport 53 -j RETURN
+-A CHECK-LOCALHOST -j ACCEPT
+COMMIT
+*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:REJECT-LOG -
+-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A OUTPUT -m owner --uid-owner 0-5000 -j ACCEPT
+-A OUTPUT -m owner --gid-owner priv_internet --suppl-groups -j ACCEPT
+-A OUTPUT -d 10.0.2.2/32 -m owner --gid-owner priv_appdebugging --suppl-groups -j ACCEPT
+-A OUTPUT -d 10.0.2.15/32 -m owner --gid-owner priv_appdebugging --suppl-groups -j ACCEPT
+-A OUTPUT -d 192.168.129.1/32 -m owner --gid-owner priv_appdebugging --suppl-groups -j ACCEPT
+-A OUTPUT -d 192.168.129.3/32 -m owner --gid-owner priv_appdebugging --suppl-groups -j ACCEPT
+-A OUTPUT -j REJECT-LOG
+-A REJECT-LOG -m limit --limit 1/min -j AUDIT --type reject
+-A REJECT-LOG -j REJECT --reject-with icmp-net-prohibited
+-A REJECT-LOG -j RETURN
+COMMIT
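Review bot: The four `priv_appdebugging` exemptions are bare literal destinations with nothing explaining why those hosts are special; 10.0.2.2 and 10.0.2.15 look like the QEMU user-mode network gateway and guest address and 192.168.129.1/3 presumably the debug bridge, but that should be stated in the file, e.g. `# Debug/emulator endpoints reachable with priv_appdebugging (10.0.2.x: QEMU user-net gateway/guest; 192.168.129.x: debug bridge) — confirm`. The rules match any protocol and port, so on a device where either range is routable a priv_appdebugging process gets unrestricted outbound access to whatever answers at those addresses; if only a debug daemon port is needed, narrowing with `-p tcp --dport` would limit that. As in the IPv6 file, the ACCEPT in the mangle CHECK-LOCALHOST chain does not exempt loopback traffic from the filter OUTPUT checks, and the `-j RETURN` after REJECT is unreachable.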
Source5: security-manager-tests.manifest
Source6: security-manager-policy.manifest
Source7: security-license-manager.manifest
+Source8: security-manager-iptables-load.service
+Source9: security-manager-iptables.rules
+Source10: security-manager-ip6tables.rules
Requires: security-manager-policy
Requires: security-license-manager
Requires: libnss-security-manager
%description policy
Set of security rules that constitute security policy in the system
+%package policy-iptables
+Summary: Security manager iptables policy
+Group: Security/Access Control
+Requires: security-manager = %{version}-%{release}
+Requires: iptables
+
+%description policy-iptables
+Set of iptables rules governing the internet related priviledges
+
%package -n security-manager-tests
Summary: Security manager unit test binaries
Group: Security/Development
cp -a %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{buildroot}%{_datadir}/
+install -m 644 %{SOURCE8} %{buildroot}%{_unitdir}/security-manager-iptables.service
+install -m 600 %{SOURCE9} %{buildroot}%{_sysconfdir}/security-manager-iptables.rules
+install -m 600 %{SOURCE10} %{buildroot}%{_sysconfdir}/security-manager-ip6tables.rules
+ln -sf ../security-manager-iptables.service %{buildroot}%{_unitdir}/basic.target.wants/
+
%clean
rm -rf %{buildroot}
%attr(755,root,root) %{_bindir}/security-manager-policy-reload
%attr(755,root,root) %{_sysconfdir}/opt/upgrade/241.security-manager.policy-update.sh
+%files -n security-manager-policy-iptables
+%{_unitdir}/security-manager-iptables.service
+%{_unitdir}/basic.target.wants/security-manager-iptables.service
+%attr(600, root, root) %{_sysconfdir}/security-manager-iptables.rules
+%attr(600, root, root) %{_sysconfdir}/security-manager-ip6tables.rules
+
%files -n security-manager-tests
%manifest %{_datadir}/security-manager-tests.manifest
%attr(755,root,root) %{_bindir}/security-manager-unit-tests
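Review bot: The new `%description policy-iptables` text has a typo, `priviledges` → `privileges`, and the new `%attr(600, root, root)` entries differ in style from the file's existing `%attr(755,root,root)` form (no spaces); matching the existing form keeps the file consistent. The unit is enabled by hand-linking into `basic.target.wants` at install time rather than via the distribution's systemd macros, which means presets and `systemctl disable` bookkeeping are bypassed — if this spec has `%systemd_post`/`%systemd_preun` available, using them is the conventional route, otherwise a comment explaining the manual link would help. The unit also hard-codes `/sbin/iptables-restore` while the spec relies on `Requires: iptables`; if `%{_sbindir}` is not `/sbin` on this build the unit will fail at boot, so worth a check. The hunk boundaries of this spec section are not visible, so part of the surrounding context may be missing.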