client: do not add application process to hardcoded groups
Initial implementation of privilege enforcement with mount namespaces
included client code that added all application processes to hardcoded
set of groups: priv_externalstorage and priv_mediastorage.
This is wrong. Enforcement of privileges by either groups or mount
namespaces is to be configured in respectively privilege-group.list and
privilege-mount.list. Application process should be added to a group
if and only if it holds a privilege that is configured to be enforced
with a group. Similarly proper mounts and umounts will be done in application
mount namespace based on privilege status.
There is no need to hardcode groups. If a privilege is enforced with mount
namespace, it should not require additional group assignment. If it used
to be enforced with a group, but it has been switched to enforcement with
mount, filesystem permissions need to be adjusted, not security-manager code.
Privileges mediastorage and external storage are now enforced with bind
mounts. They are being removed from privilege-group mapping - combining
these two mechanisms is undesired.
Change-Id: I41204daa24329e8e9648b3ecb4e53d87c763b35b
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>