Change the file capability. 45/165545/7 submit/tizen_4.0/20180103.050656
authorjin-gyu.kim <jin-gyu.kim@samsung.com>
Tue, 2 Jan 2018 04:58:15 +0000 (13:58 +0900)
committerJin-gyu Kim <jin-gyu.kim@samsung.com>
Wed, 3 Jan 2018 05:01:12 +0000 (05:01 +0000)
- focus_server, sound_server, hostapd, named
- Remove redundant capabilities and the permitted flag.
- Update security-tests.

Change-Id: Ieba61e395733dc48c2e7df2ff812681cc27ad682

config/set_capability
test/capability_test/new_capabilities_exception.list
test/new_service_test/dbus_service.list
test/new_service_test/systemd_service.list

index 82e1197499407526155bcb33abd1e6aa35cc7af4..3a078120481cfb2b20a5271872e38d44b14216fe 100755 (executable)
@@ -234,11 +234,10 @@ fi
 # cap_net_admin                to use ioctl socket
 # cap_net_bind_service         to call bind
 # cap_net_raw          to use RAW socket
-# cap_fowner           network interface configruration
 # cap_dac_override     to access bridge device
 
 if [ -e "/usr/bin/hostapd" ]
-then /usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_raw,cap_fowner,cap_dac_override=eip /usr/bin/hostapd
+then /usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_raw,cap_dac_override=eip /usr/bin/hostapd
 fi
 
 # Package              dnsmasq
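Review bot: hostapd is the one binary in this change that keeps the permitted flag: the new setcap line still ends in `=eip`, while named, focus_server and sound_server move to `=ei`, and the test list keeps `+eip` for it in the `-16,7` hunk. With `p` set on the file, any process allowed to execute /usr/bin/hostapd gains cap_net_admin, cap_net_raw and cap_dac_override (subject to the bounding set), whatever its own inheritable set is. If hostapd is only started by a launcher that already holds these capabilities, the line could read `then /usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_raw,cap_dac_override=ei /usr/bin/hostapd`; if `p` is needed, a comment such as `# permitted flag kept: <reason>` would record why. cap_dac_override is also broad for "to access bridge device"; group ownership of that device may be enough, though that cannot be judged from this hunk.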
@@ -297,13 +296,12 @@ fi
 # Owner                        Seonah Moon(seonah1.moon@samsung.com)
 # Date                 April 11, 2016
 # Required             cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot
-# cap_fowner           network interface configruration
 # cap_net_bind_service to call bind
 # cap_net_admin                to use ioctl socket
 # cap_sys_chroot       to use root permission in spacific location
 
 if [ -e "/usr/sbin/named" ]
-then /usr/sbin/setcap cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot=eip /usr/sbin/named
+then /usr/sbin/setcap cap_net_bind_service,cap_net_admin,cap_sys_chroot=ei /usr/sbin/named
 fi
 
 # Package               chmod
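Review bot: The `# Required` header line for named still lists cap_fowner after this hunk removes it from both the per-capability comments and the setcap call; it should read `# Required             cap_net_bind_service,cap_net_admin,cap_sys_chroot`. The hostapd block in the first hunk may have the same stale header above its visible context. Since the file now carries only `=ei`, named gets these capabilities only when its launcher has them in its inheritable set, which is worth a one-line comment next to the call, e.g. `# no permitted flag: capabilities must come from the launcher's inheritable set`.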
@@ -453,11 +451,11 @@ fi
 # TODO : check the reason
 
 if [ -e "/usr/bin/focus_server" ]
-then /usr/sbin/setcap cap_chown,cap_fowner,cap_lease=eip /usr/bin/focus_server
+then /usr/sbin/setcap cap_fowner,cap_lease=ei /usr/bin/focus_server
 fi
 
 if [ -e "/usr/bin/sound_server" ]
-then /usr/sbin/setcap cap_chown,cap_fowner,cap_lease=eip /usr/bin/sound_server
+then /usr/sbin/setcap cap_lease=ei /usr/bin/sound_server
 fi
 
 # Package               platform/core/security/nether
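Review bot: The `# TODO : check the reason` line above these two calls survives the change, and neither remaining capability has a stated reason the way the hostapd and named blocks do. focus_server keeps cap_fowner while sound_server drops it, so per-capability comments such as `# cap_lease            <reason>` and `# cap_fowner           <reason, focus_server only>` would let the next reviewer confirm the set is minimal, and the TODO could then be removed. The comment block for these binaries starts above the hunk, so part of this may already be there.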
index 53c20cb6127679a39c4418b381a20664e3473804..beb603085f7c08312089f5977c6890c726a0cf5a 100644 (file)
@@ -8,7 +8,7 @@
 /usr/bin/connmand = cap_dac_override,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
 /usr/bin/tpk-backend = cap_chown,cap_dac_override,cap_fowner+ei
 /usr/bin/chgrp = cap_chown+ei
-/usr/bin/sound_server = cap_chown,cap_fowner,cap_lease+eip
+/usr/bin/sound_server = cap_lease+ei
 /usr/bin/wgt-backend = cap_chown,cap_dac_override,cap_fowner+ei
 /usr/bin/media-server = cap_dac_read_search+ei
 /usr/bin/xdelta3 = cap_dac_override+ei
@@ -16,7 +16,7 @@
 /usr/bin/gpsd = cap_dac_override+eip
 /usr/bin/muse-server = cap_dac_override+ei
 /usr/bin/pkgmgr-server = cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid+ei
-/usr/bin/hostapd = cap_dac_override,cap_fowner,cap_net_bind_service,cap_net_admin,cap_net_raw+eip
+/usr/bin/hostapd = cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw+eip
 /usr/bin/download-provider = cap_chown,cap_dac_override+ei
 /usr/bin/chmod = cap_fowner+ei
 /usr/bin/pkg_getsize = cap_dac_read_search+ei
@@ -39,9 +39,9 @@
 /usr/bin/net-config = cap_dac_override,cap_net_admin,cap_net_raw+ei
 /usr/bin/touch = cap_dac_override+ei
 /usr/bin/wrt-loader = cap_setgid,cap_sys_admin+ei
-/usr/bin/focus_server = cap_chown,cap_fowner,cap_lease+eip
+/usr/bin/focus_server = cap_fowner,cap_lease+ei
 /usr/bin/email-service = cap_chown+eip
-/usr/sbin/named = cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot+eip
+/usr/sbin/named = cap_net_bind_service,cap_net_admin,cap_sys_chroot+ei
 /usr/sbin/xtables-multi = cap_net_admin,cap_net_raw+ei
 /usr/sbin/ifconfig = cap_net_admin+ei
 /usr/sbin/lwresd = cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot+eip
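Review bot: lwresd on the last line of this hunk keeps exactly the set named had before this commit, `cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot+eip`, so the cap_fowner and permitted-flag cleanup applied to named does not reach it. If the same reasoning holds for lwresd, the expected entry would become `/usr/sbin/lwresd = cap_net_bind_service,cap_net_admin,cap_sys_chroot+ei`, together with the matching setcap call in config/set_capability, which is not visible in these hunks. email-service in this hunk and gpsd in the one above also still carry `+eip` and may deserve the same look.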
index 1513bd7f66451b863ca638957840219e371a62ff..5190bec92bb33ecd17038eb30157d3ff4418f48d 100755 (executable)
@@ -2,7 +2,6 @@ net.asp.service;network_fw;network_fw;;
 net.connman.service;network_fw;network_fw;;
 net.connman.vpn.service;network_fw;network_fw;;
 net.netconfig.service;network_fw;network_fw;;
-net.stc.service;root;;;
 net.wifidirect.service;network_fw;network_fw;;
 net.wmesh.service;network_fw;network_fw;;
 org.O1.SecurityAccounts.gUserManagement.service;root;root;;
@@ -12,7 +11,6 @@ org.bluez.hf_agent.service;root;root;;
 org.bluez.map_agent.service;root;root;;
 org.bluez.obex.service;network_fw;network_fw;;
 org.bluez.pb_agent.service;root;root;;
-org.freedesktop.hostname1.service;root;;;
 org.freedesktop.locale1.service;root;root;;
 org.freedesktop.login1.service;root;root;;
 org.freedesktop.systemd1.service;root;root;;
@@ -21,7 +19,7 @@ org.projectx.bt_core.service;root;root;;
 org.tizen.MobileapAgent.service;network_fw;network_fw;;
 org.tizen.PhonenumberUtils.dbus.service;service_fw;service_fw;;
 org.tizen.SmartcardService.service;network_fw;network_fw;;
-org.tizen.SoundServer.service;multimedia_fw;multimedia_fw;; # Need to check by SFV
+org.tizen.SoundServer.service;root;root;;
 org.tizen.account.manager.service;root;root;;
 org.tizen.alarm.manager.service;root;root;;
 org.tizen.app2sd.service;root;root;;
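Review bot: The expected user and group for org.tizen.SoundServer.service move from multimedia_fw to root here, and the `# Need to check by SFV` marker is dropped without the commit message saying what that check concluded. The same commit adds sound-server.service to systemd_service.list as multimedia_fw and reduces /usr/bin/sound_server to `cap_lease=ei`, so the two lists appear to describe different identities for one daemon. A process started as root would normally hold full capabilities, which would make the file-capability reduction moot. If the D-Bus file names root only because activation is handed to the systemd unit, a trailing comment in the style the file already used, e.g. `# started via sound-server.service as multimedia_fw`, would record that.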
index ee00bdae2e6a1e4344eff8d9d70fd3c213299edf..dc164ac544fdf94d07a63de7351abf739f45ca75 100755 (executable)
@@ -49,7 +49,7 @@ feedbackd.service;system_fw;system_fw;System;
 fido.service;service_fw;service_fw;System;
 fido-asm.service;service_fw;service_fw;System;
 fido-bt-roaming-agent.service;service_fw;service_fw;System;
-focus-server.service;multimedia_fw;multimedia_fw;System; # need to check by SFV
+focus-server.service;multimedia_fw;multimedia_fw;System;
 getty@.service;root;root;System;
 gumd.service;root;root;System::Privileged;
 gumd.service;root;root;System;
@@ -161,3 +161,4 @@ webappenc-initializer.service;security_fw;security_fw;System;
 wifi-direct-manager.service;network_fw;network_fw;System;
 wmeshd.service;network_fw;network_fw;System
 zigbee-daemon.service;network_fw;network_fw;System
+sound-server.service;multimedia_fw;multimedia_fw;System
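Review bot: sound-server.service is appended after zigbee-daemon.service, while the rest of the visible list is in alphabetical order; it belongs with the `s` entries, which lie outside this hunk. The new line also omits the trailing `;` that most entries carry, as the two lines before it do. Whether the test parser cares is not visible here, but one form throughout would avoid the question: `sound-server.service;multimedia_fw;multimedia_fw;System;`.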