service: apply capabilities for security

author Sooyoung Ha <yoosah.ha@samsung.com>

Tue, 25 Jul 2017 06:29:36 +0000 (15:29 +0900)

committer Sooyoung Ha <yoosah.ha@samsung.com>

Tue, 25 Jul 2017 06:34:12 +0000 (15:34 +0900)
author Sooyoung Ha <yoosah.ha@samsung.com>
Tue, 25 Jul 2017 06:29:36 +0000 (15:29 +0900)
committer Sooyoung Ha <yoosah.ha@samsung.com>
Tue, 25 Jul 2017 06:34:12 +0000 (15:34 +0900)
diff --git a/packaging/sdbd_device.service b/packaging/sdbd_device.service

index b47e8f3..779e42e 100644 (file)
--- a/packaging/sdbd_device.service
+++ b/packaging/sdbd_device.service
@@ -12,6 +12,8 @@ EnvironmentFile=-/run/tizen-system-env
  PIDFile=/tmp/.sdbd.pid
  Restart=on-failure
  SmackProcessLabel=System
+Capabilities=cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin=i
+SecureBits=keep-caps
  ExecStart=/usr/sbin/sdbd
  
  [Install]
diff --git a/packaging/sdbd_device_tv.service b/packaging/sdbd_device_tv.service

index fe3c965..0ea497d 100644 (file)
--- a/packaging/sdbd_device_tv.service
+++ b/packaging/sdbd_device_tv.service
@@ -11,6 +11,8 @@ EnvironmentFile=-/run/tizen-system-env
  OOMScoreAdjust=-1000
  PIDFile=/tmp/.sdbd.pid
  Restart=on-failure
+Capabilities=cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin=i
+SecureBits=keep-caps
  ExecStart=/usr/sbin/sdbd
  
  [Install]
diff --git a/packaging/sdbd_emulator.service b/packaging/sdbd_emulator.service

index abd1605..74c5d9b 100644 (file)
--- a/packaging/sdbd_emulator.service
+++ b/packaging/sdbd_emulator.service
@@ -13,6 +13,8 @@ PIDFile=/tmp/.sdbd.pid
  RemainAfterExit=yes
  #ExecStartPre=/bin/bash -c "/bin/echo '10.0.2.15/32 system::debugging_network' >> /smack/netlabel"
  SmackProcessLabel=System
+Capabilities=cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin=i
+SecureBits=keep-caps
  ExecStart=/bin/sh -c "/usr/sbin/sdbd `/usr/bin/awk '{match($0, /sdb_port=([0-9]+)/,port_match); match($0, /vm_name=([^, ]*)/,vm_match); print \"--emulator=\" vm_match[1] \":\" port_match[1] \" --connect-to=10.0.2.2:26099\" \" --sensors=10.0.2.2:\"port_match[1]+3 }' /proc/cmdline`"
  
  [Install]
diff --git a/packaging/sdbd_emulator_tv.service b/packaging/sdbd_emulator_tv.service

index 4d81fd2..3627ded 100644 (file)
--- a/packaging/sdbd_emulator_tv.service
+++ b/packaging/sdbd_emulator_tv.service
@@ -12,6 +12,8 @@ Environment=DISPLAY=:0
  PIDFile=/tmp/.sdbd.pid
  RemainAfterExit=yes
  OOMScoreAdjust=-1000
+Capabilities=cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin=i
+SecureBits=keep-caps
  #ExecStartPre=/bin/bash -c "/bin/echo '10.0.2.15/32 system::debugging_network' >> /smack/netlabel"
  ExecStart=/bin/sh -c "/usr/sbin/sdbd `/usr/bin/awk '{match($0, /sdb_port=([0-9]+)/,port_match); match($0, /vm_name=([^, ]*)/,vm_match); print \"--emulator=\" vm_match[1] \":\" port_match[1] \" --connect-to=10.0.2.2:26099\" \" --sensors=10.0.2.2:\"port_match[1]+3 }' /proc/cmdline`"
  
diff --git a/packaging/sdbd_tcp.service b/packaging/sdbd_tcp.service

index ade025c..5269cfe 100644 (file)
--- a/packaging/sdbd_tcp.service
+++ b/packaging/sdbd_tcp.service
@@ -8,4 +8,6 @@ Environment=DISPLAY=:0
  PIDFile=/tmp/.sdbd.pid
  RemainAfterExit=yes
  SmackProcessLabel=System
+Capabilities=cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin=i
+SecureBits=keep-caps
  ExecStart=/usr/sbin/sdbd --listen-port=26101
author	Sooyoung Ha <yoosah.ha@samsung.com>
	Tue, 25 Jul 2017 06:29:36 +0000 (15:29 +0900)
committer	Sooyoung Ha <yoosah.ha@samsung.com>
	Tue, 25 Jul 2017 06:34:12 +0000 (15:34 +0900)
packaging/sdbd_device.service		patch \| blob \| history
packaging/sdbd_device_tv.service		patch \| blob \| history
packaging/sdbd_emulator.service		patch \| blob \| history
packaging/sdbd_emulator_tv.service		patch \| blob \| history
packaging/sdbd_tcp.service		patch \| blob \| history