Change crash-service as non root. 63/218063/3
authorjin-gyu.kim <jin-gyu.kim@samsung.com>
Tue, 19 Nov 2019 07:06:09 +0000 (16:06 +0900)
committerjin-gyu.kim <jin-gyu.kim@samsung.com>
Thu, 21 Nov 2019 00:59:36 +0000 (09:59 +0900)
- crash_worker / crash_worker / System permissions needed.
- This will require following capabilities.

setcap cap_dac_override,cap_kill,cap_sys_ptrace=ei /bin/crash-manager
   cap_dac_override - create directory
   cap_kill - send signals to processes
   cap_sys_ptrace - read /proc/<pid>/ files

setcap cap_dac_override,cap_kill,cap_sys_ptrace=ei /bin/crash-service
   cap_dac_override - create directory
   cap_kill - send signals to processes
   cap_sys_ptrace - read /proc/<pid>/ files

setcap cap_dac_read_search,cap_sys_ptrace=ei /sbin/minicoredumper
   cap_dac_read_search - access to read any binary file
   cap_sys_ptrace - read /proc/<pid>/ files

setcap cap_syslog=ei /bin/dlogutil
    cap_syslog is needed because android logger returns incorrect values without this capability (this is bug in the kernel driver).

setcap cap_dac_override=ei /bin/buxton2ctl
    buxton2ctl needs access to write to /run/buxton2/ directory

setcap cap_dac_override,cap_kill,cap_sys_ptrace+ei /bin/livedumper
   cap_dac_override  - create livedump/ directory
   cap_sys_ptrace - read /proc/<pid>/ files

setcap cap_dac_read_search,cap_sys_ptrace=ei /usr/libexec/crash-stack
   reads /proc/<pid>/{maps, task, status}, and all binary files

setcap cap_dac_read_search,cap_sys_ptrace=ei /bin/memps
   reads files from /proc/ and /sys/

setcap cap_sys_ptrace=ei /bin/top
   read /proc/<pid>/files

setcap cap_dac_read_search=ei /bin/df
   counting of disk space usage (eg /opt/usr/home/owner/media)

setcap cap_dac_read_search=ei /bin/du

Change-Id: I0073cf19f717855941b317fa1ec6b6af5793d869

config/group_id_setting
config/set_capability
test/new_service_test/emulator/mobile/systemd_service.list
test/new_service_test/emulator/tv/systemd_service.list
test/new_service_test/emulator/wearable/systemd_service.list
test/new_service_test/target/mobile/systemd_service.list
test/new_service_test/target/tv/systemd_service.list
test/new_service_test/target/wearable/systemd_service.list

index f588b089bf740c4d7e09dfb8b3a25b780eb70dc2..aeb8a84610adebafc7632cecd3d4e45ffea23356 100755 (executable)
@@ -25,6 +25,7 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin
 /usr/sbin/groupadd -g 1001 broadcasting
 /usr/sbin/groupadd -g 1026 testing
 /usr/sbin/groupadd -g 1051 system_share
+/usr/sbin/groupadd -g 2003 crash_worker
 
 /usr/sbin/groupadd -g 10012 priv_use_ir
 /usr/sbin/groupadd -g 10013 priv_tee_client
@@ -54,6 +55,7 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin
 /usr/sbin/useradd application -M -u 951 -g 951 -d /var/lib/empty -s /sbin/nologin -c "application"
 /usr/sbin/useradd broadcasting -M -u 1001 -g 1001 -d /var/lib/empty -s /sbin/nologin -c "broadcasting"
 /usr/sbin/useradd testing -M -u 1026 -g 1026 -d /var/lib/empty -s /sbin/nologin -c "testing"
+/usr/sbin/useradd crash_worker -M -u 2003 -g 2003 -d /var/lib/empty -s /sbin/nologin -c "crash worker"
 
 /usr/sbin/usermod -aG system_share system_fw
 /usr/sbin/usermod -aG system_share web_fw
@@ -89,4 +91,7 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin
 /usr/sbin/usermod -aG video multimedia_fw
 /usr/sbin/usermod -aG disk telephony
 /usr/sbin/usermod -aG display application
+/usr/sbin/usermod -aG systemd-journal crash_worker
+/usr/sbin/usermod -aG log crash_worker
+/usr/sbin/usermod -aG system_share crash_worker
 
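Review bot: The three supplementary groups added for `crash_worker` at the end of this hunk are not explained anywhere in the commit, whose message documents only the file capabilities. `systemd-journal` and `log` presumably give the service read access to system logs, and `system_share` access to shared platform files, so a compromised crash-service would inherit that reach. A comment above the lines, such as `# crash_worker: journal and dlog access for crash reports, system_share for <reason>`, would record why each group is needed. If crash-service does not actually use one of the three, dropping it keeps the new account narrower.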
index 5907e40e0b2ea135cd9b0ba82622a716eec6d02f..df853d8891b92e6c8617abdd405247d365621af8 100755 (executable)
@@ -514,7 +514,6 @@ fi
 # Owner                 Jaekuk Lee(juku1999@samsung.com)
 # Date                  July 4, 2017
 # Required              cap_sys_admin, cap_setgid
-# cap_sys_admin                to mount ( TODO : need to be checked) => removed as it is not needed.
 # cap_setgid           to change process gid
 # cap_sys_admin                to split mount namespace
 
@@ -591,7 +590,7 @@ fi
 # Owner                 Hyotaek Shim(hyotaek.shim@samsung.com)
 # Date                  Dec 22, 2017
 # Required              cap_syslog
-# cap_sys_log          to use syslog()
+# cap_syslog           to use syslog()
 
 if [ -e "/usr/bin/dlog_logger" ]
 then /usr/sbin/setcap cap_syslog=ei /usr/bin/dlog_logger
@@ -676,6 +675,107 @@ if [ -e "/usr/bin/ua-manager" ]
 then /usr/sbin/setcap cap_net_raw,cap_sys_rawio=ei /usr/bin/ua-manager
 fi
 
+# Package               platform/core/system/crash-worker
+# Date                  Nov 14, 2019
+# Required              cap_dac_override,cap_kill,cap_sys_ptrace
+# cap_dac_override     To create directory
+# cap_kill             To send signals to processes
+# cap_sys_ptrace       To read /proc/<pid>/
+
+if [ -e "/usr/bin/crash-manager" ]
+then /usr/sbin/setcap cap_dac_override,cap_kill,cap_sys_ptrace=ei /usr/bin/crash-manager
+fi
+
+if [ -e "/usr/bin/crash-service" ]
+then /usr/sbin/setcap cap_dac_override,cap_kill,cap_sys_ptrace=ei /usr/bin/crash-service
+fi
+
+# Package               platform/upstream/minicoredumper
+# Date                  Nov 14, 2019
+# Required              cap_dac_read_search,cap_sys_ptrace
+# cap_dac_read_search  To read any binary file
+# cap_sys_ptrace       To read /proc/<pid>/
+
+if [ -e "/usr/sbin/minicoredumper" ]
+then /usr/sbin/setcap cap_dac_read_search,cap_sys_ptrace=ei /usr/sbin/minicoredumper
+fi
+
+# Package               platform/core/system/dlog
+# Date                  Nov 14, 2019
+# Required              cap_syslog
+# cap_syslog           Android logger returns incorrect values without this capability (check : this is bug in the kernel driver).
+
+if [ -e "/usr/bin/dlogutil" ]
+then /usr/sbin/setcap cap_syslog=ei /usr/bin/dlogutil
+fi
+
+# Package               platform/core/system/buxton2
+# Date                  Nov 14, 2019
+# Required              cap_dac_override
+# cap_dac_override     To write in /run/buxton2/ and /etc/buxton2 directory
+
+if [ -e "/usr/bin/buxton2ctl" ]
+then /usr/sbin/setcap cap_dac_override=ei /usr/bin/buxton2ctl
+fi
+
+# Package               platform/core/system/crash-worker
+# Date                  Nov 14, 2019
+# Required              cap_dac_read_search
+# cap_dac_override     To create livedump directory
+# cap_sys_ptrace       To read /proc/[pid]
+
+if [ -e "/usr/bin/livedumper" ]
+then /usr/sbin/setcap cap_dac_override,cap_sys_ptrace=ei /usr/bin/livedumper
+fi
+
+# Package               platform/core/system/crash-worker
+# Date                  Nov 14, 2019
+# Required              cap_dac_read_search,cap_sys_ptrace
+# cap_dac_read_search  To read /proc/[pid]/{maps, task, status}
+# cap_sys_ptrace       To read /proc/[pid]/{maps, task, status}
+
+if [ -e "/usr/libexec/crash-stack" ]
+then /usr/sbin/setcap cap_dac_read_search,cap_sys_ptrace=ei /usr/libexec/crash-stack
+fi
+
+# Package               platform/core/system/memps
+# Date                  Nov 14, 2019
+# Required              cap_dac_read_search,cap_sys_ptrace
+# cap_dac_read_search  To read files from /proc/ and /sys/
+# cap_sys_ptrace       To read files from /proc/ and /sys/
+
+if [ -e "/usr/bin/memps" ]
+then /usr/sbin/setcap cap_dac_read_search,cap_sys_ptrace=ei /usr/bin/memps
+fi
+
+# Package               platform/upstream/procps-ng
+# Date                  Nov 14, 2019
+# Required              cap_sys_ptrace
+# cap_sys_ptrace       To read files from /proc/
+
+if [ -e "/usr/bin/top" ]
+then /usr/sbin/setcap cap_sys_ptrace=ei /usr/bin/top
+fi
+
+# Package               product/upstream/coreutils
+# Date                  Nov 14, 2019
+# Required              cap_sys_ptrace
+# cap_dac_read_search  counting of disk space usage (eg /opt/usr/home/owner)
+
+if [ -e "/usr/bin/df" ]
+then /usr/sbin/setcap cap_dac_read_search=ei /usr/bin/df
+fi
+
+# Package               product/upstream/coreutils
+# Date                  Nov 14, 2019
+# Required              cap_sys_ptrace
+# cap_dac_read_search  counting of disk space usage (eg /opt/usr/home/owner)
+
+if [ -e "/usr/bin/du" ]
+then /usr/sbin/setcap cap_dac_read_search=ei /usr/bin/du
+fi
+
+
 # TODO: MOVE TO OTHER SCRIPT OR REMOVE
 # Requested by sooyeon.kim@samsung.com (.voice) and dalton.lee@samsung.com (.multiassistant)
 dir_list=(".voice" ".multiassistant")
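Review bot: The `# Required` headers added for livedumper, df and du do not match the capabilities their `setcap` lines grant: livedumper is documented as `cap_dac_read_search` but receives `cap_dac_override,cap_sys_ptrace`, and df and du are documented as `cap_sys_ptrace` but receive `cap_dac_read_search`. These comments are the audit record for each grant, so they should read `# Required              cap_dac_override,cap_sys_ptrace` for livedumper and `# Required              cap_dac_read_search` for df and du. The commit message also lists `cap_kill` for livedumper, which the script does not set, so one of the two needs correcting. Separately, `cap_dac_override` is justified only by directory creation for crash-manager, crash-service and livedumper, yet it bypasses all file permission checks; pre-creating those directories owned by `crash_worker` would likely let the grant be dropped, which is worth confirming with the package owners. Because only the inheritable and effective flags are set (`=ei`), the grants on general tools such as top, df and du apply only to callers whose inheritable set already holds the capability, presumably arranged in the crash-service unit outside this diff.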
index 089806ab6c7ca5cb3944eaf37a9b3a67ef378756..7db2b716de5bd14d56043ec50f54dfbaa4b3d356 100755 (executable)
@@ -42,7 +42,7 @@ console-getty.service;root;root;System;
 console-shell.service;root;root;System;
 container-getty@.service;root;root;System;
 contextd.service;service_fw;service_fw;System;
-crash-service.service;root;root;System;
+crash-service.service;crash_worker;crash_worker;System;
 csr.service;security_fw;security_fw;System;
 cynara.service;cynara;cynara;System;
 data-provider-master.service;app_fw;app_fw;System;
index cd9b6414a4d7d977da21b1bf3f4b0bed8ee982cd..f8ceda8717fc31b15b5dd6fad310098077a90d3b 100755 (executable)
@@ -32,7 +32,7 @@ connman.service;network_fw;network_fw;System;
 console-getty.service;root;root;System;
 console-shell.service;root;root;System;
 container-getty@.service;root;root;System;
-crash-service.service;root;root;System;
+crash-service.service;crash_worker;crash_worker;System;
 csr.service;security_fw;security_fw;System;
 cynara.service;cynara;cynara;System;
 data-provider-master.service;app_fw;app_fw;System;
index 25718c4e4aa1ad1cf6988a594cdd917cac7492db..9024aec965aec04afacc130431b9e7238a5c75ff 100755 (executable)
@@ -35,7 +35,7 @@ console-getty.service;root;root;System;
 console-shell.service;root;root;System;
 container-getty@.service;root;root;System;
 contextd.service;service_fw;service_fw;System;
-crash-service.service;root;root;System;
+crash-service.service;crash_worker;crash_worker;System;
 csr.service;security_fw;security_fw;System;
 cynara.service;cynara;cynara;System;
 data-provider-master.service;app_fw;app_fw;System;
index 5f14a03d0435265d9a5d5b75ded3f181c943cf13..129ef6936368a08120de9fdfa13818d4fda72685 100755 (executable)
@@ -45,7 +45,7 @@ console-getty.service;root;root;System;
 console-shell.service;root;root;System;
 container-getty@.service;root;root;System;
 contextd.service;service_fw;service_fw;System;
-crash-service.service;root;root;System;
+crash-service.service;crash_worker;crash_worker;System;
 csr.service;security_fw;security_fw;System;
 cynara.service;cynara;cynara;System;
 data-provider-master.service;app_fw;app_fw;System;
index d8b193e800a651fd4f8c131916da402d5ef37615..900c78543ee4e6f2ec62a1c411f4bc2095546a26 100755 (executable)
@@ -34,7 +34,7 @@ connman.service;network_fw;network_fw;System;
 console-getty.service;root;root;System;
 console-shell.service;root;root;System;
 container-getty@.service;root;root;System;
-crash-service.service;root;root;System;
+crash-service.service;crash_worker;crash_worker;System;
 csr.service;security_fw;security_fw;System;
 cynara.service;cynara;cynara;System;
 data-provider-master.service;app_fw;app_fw;System;
index 2f4f927fbf56cacb99e15dd0eb927a979e6dee3b..4c89b716820b0d6d2cdf49c4de51acbef8819a3e 100755 (executable)
@@ -40,7 +40,7 @@ console-getty.service;root;root;System;
 console-shell.service;root;root;System;
 container-getty@.service;root;root;System;
 contextd.service;service_fw;service_fw;System;
-crash-service.service;root;root;System;
+crash-service.service;crash_worker;crash_worker;System;
 csr.service;security_fw;security_fw;System;
 cynara.service;cynara;cynara;System;
 data-provider-master.service;app_fw;app_fw;System;