crash-service: Re-add privilege <check> for livedump 33/251833/4
author Karol Lewandowski <k.lewandowsk@samsung.com>
Tue, 19 Jan 2021 16:56:47 +0000 (17:56 +0100)
committer Karol Lewandowski <k.lewandowsk@samsung.com>
Wed, 20 Jan 2021 15:11:00 +0000 (16:11 +0100)
dbus-daemon uses getgrouplist() to get group membership, meaning
that we can't depend on group membership alone.  For this to work
dbus-daemon would need to use SO_PEERGROUP, which was introduced
in Linux kernel 4.13.

For now we have to keep both checks (<group> and <check privilege..)

Change-Id: I86b7664f19292be71c5d7c2ca27f837ec7799a96

src/crash-service/crash-service.conf

index 4505243..ca7e768 100644 (file)
                <allow own="org.tizen.system.diagnostics"/>
        </policy>
        <policy group="priv_livecoredump">
-               <!-- following section also permits applications with
-                    "http://tizen.org/privilege/internal/livecoredump"
-                    privilege, due to privilege -> gid mapping being used -->
+               <!-- Following section is for services wanting to use livedump api.
+                    Thoretically, the <policy group=..> should be enough to support
+                    both service and application case.  However, this does not work
+                    in practice due to dbus-daemon getting group membership from
+                    static source (via getgrouplist), while in Tizen it's dynamic,
+                    assigned to application by security-manager.  Dbus-daemon would
+                    need to use SO_PEERGROUP socket option for this to work, but it's
+                    supported only in kernels >= 4.13. -->
                <allow send_destination="org.tizen.system.crash.livedump"
                       send_interface="org.tizen.system.crash.livedump"
                       send_member="livedump_pid"/>
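Review bot: the rewritten comment in the policy group="priv_livecoredump" section misspells "Theoretically" as "Thoretically", and it explains why the group rule is not enough for applications without saying where the application case is actually handled. Suggest fixing the spelling and adding one sentence that points to the check rule carrying privilege="http://tizen.org/privilege/internal/livecoredump", so a reader of this section knows the two rules form a pair and must be changed together. Since the commit message says both checks are kept "for now", the comment could also state the removal condition it already implies: dbus-daemon using SO_PEERGROUP on kernels >= 4.13.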
 
                <deny own="org.tizen.system.diagnostics"/>
                <deny send_destination="org.tizen.system.diagnostics"/>
+
+               <check send_destination="org.tizen.system.crash.livedump"
+                      send_interface="org.tizen.system.crash.livedump"
+                      send_member="livedump_pid"
+                      privilege="http://tizen.org/privilege/internal/livecoredump"/>
+
                <check send_destination="org.tizen.system.diagnostics"
                       send_interface="org.tizen.system.diagnostics"
                       send_member="get_file"
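Review bot: the added check for send_member="livedump_pid" has no comment of its own, and the only explanation for why it duplicates the group allow sits in the priv_livecoredump policy section, so someone tidying this block later could remove it as redundant. Suggest a short comment above the new check saying it covers applications whose group membership is assigned dynamically and is therefore not seen by dbus-daemon. Also worth confirming in this block: the visible context has explicit deny rules for org.tizen.system.diagnostics ahead of its check, but no matching deny for send_destination="org.tizen.system.crash.livedump" appears in these lines. If the livedump path relies on a deny elsewhere in the file or on the bus-wide default, say so in the comment; otherwise add the deny so that the group allow and this privilege check are the only two ways to reach livedump_pid.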