projects / platform / core / security / security-config.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: abd3d3f)
Create a new script for setting permissions. 47/257847/1
authorJin-gyu Kim <jin-gyu.kim@samsung.com>
Fri, 23 Apr 2021 05:31:51 +0000 (14:31 +0900)
committerJin-gyu Kim <jin-gyu.kim@samsung.com>
Tue, 4 May 2021 08:11:37 +0000 (17:11 +0900)
This script needs to be run while image is being created or updated.
(After in-house applications are installed.)
We could consider it to be run in security-config service, but it will
increase the 1st boot time.

Change-Id: I5a11dd720ea46ae69b1acc6be09305c74fb39292

CMakeLists.txt patch | blob | history
config/change_permission [new file with mode: 0644] patch | blob
config/set_capability patch | blob | history
packaging/security-config.spec patch | blob | history
upgrade/201.security_upgrade.sh patch | blob | history

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3252ac9a6d483279417f148ce14859944cd3c921..95489b7186d243974607fb7160ef4217dd31232d 100755 (executable)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -13,6 +13,7 @@ INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_label DESTINATION /usr/share/securi
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_capability DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/mdm_blacklist DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/update_privacy_mount_list.sh DESTINATION /usr/share/security-config)
+INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/change_permission DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/security-config.conf DESTINATION /usr/lib/tmpfiles.d/)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/90_user-content-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
diff --git a/config/change_permission b/config/change_permission
new file mode 100644 (file)
index 0000000..b111fde
--- /dev/null
+++ b/config/change_permission
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Requested by sooyeon.kim@samsung.com (.voice) and dalton.lee@samsung.com (.multiassistant)
+dir_list=(".voice" ".multiassistant")
+for item in "${dir_list[@]}"
+do
+       if [ -e "/etc/skel/share/$item" ]
+       then
+               find /etc/skel/share/$item -print0 | xargs -0 chown app_fw:app_fw
+               find /etc/skel/share/$item -print0 | xargs -0 chsmack -a 'User::App::Shared'
+               find /etc/skel/share/$item -type d -print0 | xargs -0 chsmack -t
+       fi
+
+       for line in `find /opt/usr/home -maxdepth 1 -type d`
+       do
+               if [ -e "$line/share/$item" ]; then
+                       user=$(echo $line | cut -d"/" -f5)
+                       if getent passwd "$user"
+                       then
+                               find "$line/share/$item" -print0 | xargs -0 chown $user:users
+                               find "$line/share/$item" -print0 | xargs -0 chsmack -a 'User::App::Shared'
+                               find "$line/share/$item" -type d -print0 | xargs -0 chsmack -t
+                       fi
+               fi
+       done
+done
+
+# change permission to /opt/var/lib/misc
+# This is needed to retrieve CAP_DAC_OVERRIDE from mobileap-agent & dnsmasq.
+if [ -e /opt/var/lib/misc ]
+then
+       chown root:system_share /opt/var/lib/misc
+       chmod 0775 /opt/var/lib/misc
+fi
diff --git a/config/set_capability b/config/set_capability
index 4ede930468b572b6e9ecad535997deeaa366f875..56a5243615728eceaa44bf686e9d2b8df8cd4d8b 100755 (executable)
--- a/config/set_capability
+++ b/config/set_capability
@@ -648,42 +648,9 @@ if [ -e "/usr/bin/krate-mount" ]
 then /usr/sbin/setcap cap_sys_admin=ei /usr/bin/krate-mount
 fi
 
-# TODO: MOVE TO OTHER SCRIPT OR REMOVE
-# Requested by sooyeon.kim@samsung.com (.voice) and dalton.lee@samsung.com (.multiassistant)
-dir_list=(".voice" ".multiassistant")
-for item in "${dir_list[@]}"
-do
-       if [ -e "/etc/skel/share/$item" ]
-       then
-               find /etc/skel/share/$item -print0 | xargs -0 chown app_fw:app_fw
-               find /etc/skel/share/$item -print0 | xargs -0 chsmack -a 'User::App::Shared'
-               find /etc/skel/share/$item -type d -print0 | xargs -0 chsmack -t
-       fi
-
-       for line in `find /opt/usr/home -maxdepth 1 -type d`
-       do
-               if [ -e "$line/share/$item" ]; then
-                       user=$(echo $line | cut -d"/" -f5);
-                       find "$line/share/$item" -print0 | xargs -0 chown $user:users
-                       find "$line/share/$item" -print0 | xargs -0 chsmack -a 'User::App::Shared'
-                       find "$line/share/$item" -type d -print0 | xargs -0 chsmack -t
-               fi
-       done
-done
-
-# Set SMACK label as "System::Privileged" in /opt/var/security-manager/rules
-chsmack -r -a "System::Privileged" /opt/var/security-manager/rules
-
-# change permission to /opt/var/lib/misc
-# This is needed to retrieve CAP_DAC_OVERRIDE from mobileap-agent & dnsmasq.
-if [ -e /opt/var/lib/misc ]
-then
-       chown root:system_share /opt/var/lib/misc
-       chmod 0775 /opt/var/lib/misc
-fi
-
-# This is not related with the capability, but place here to run in generic-security.post
+# These are not related with the capability, but place here to run in generic-security.post
 # It would be better to run this separately in generic-security.post future.
+/usr/share/security-config/change_permission
 if [ -e /usr/share/security-config/update_privacy_mount_list.sh ] && [ -e /usr/share/security-manager/policy/privilege-mount.list ] && [ ! -e /opt/share/askuser_disable ]
 then
        /usr/share/security-config/update_privacy_mount_list.sh
diff --git a/packaging/security-config.spec b/packaging/security-config.spec
index e38e23d28a89aeed32323e0436a705189aac06f1..8a6917dd3352c5d5f0c2516d7769f766d9941a5a 100755 (executable)
--- a/packaging/security-config.spec
+++ b/packaging/security-config.spec
@@ -117,6 +117,7 @@ rm %{SECURITY_TEST_DIR}/new_service_test/*
 %attr(755,root,root) /usr/share/security-config/set_label
 %attr(755,root,root) /usr/share/security-config/set_capability
 %attr(755,root,root) /usr/share/security-config/mdm_blacklist
+%attr(755,root,root) /usr/share/security-config/change_permission
 %attr(700,root,root) /usr/share/security-config/update_privacy_mount_list.sh
 %attr(644,root,root) /usr/lib/tmpfiles.d/security-config.conf
 %attr(755,root,root) %{SECURITY_TEST_DIR}/image_test.sh
diff --git a/upgrade/201.security_upgrade.sh b/upgrade/201.security_upgrade.sh
index d9e78832fb90ee8e5b672508634886bab25bb3ed..8aae0859d8f319a196cd1e643dda503e15fcec9d 100644 (file)
--- a/upgrade/201.security_upgrade.sh
+++ b/upgrade/201.security_upgrade.sh
@@ -4,9 +4,14 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin
 . /etc/tizen-platform.conf
 
 # Init security-configuration
-/usr/share/security-config/group_id_setting
 /usr/share/security-config/set_label
-/usr/share/security-config/set_capability
+/usr/share/security-config/change_permission
+
+# Delete a flag file to run smack_default_labeling
+if [ -e /opt/share/security-config/.smack_pre_labeling ]
+then
+       rm /opt/share/security-config/.smack_pre_labeling
+fi
 
 # Migration of cynara DB
 # CYNARA_VERSION=$(rpm -qf /usr/bin/cynara  | cut -d "-" -f2)
Domain: Security / Access Control;