## Setting capability in binary image creation stage(via mic)
-# Package sdbd
-# Owner Jeeho Yoo(jeeho.yoo@samsung.com)
-# Date May 24, 2016
-# Required cap_setuid, cap_setgid
-# cap_setuid set user id per each user logged in
-# cap_setgid set group id following user id
-
# Owner Changseok Oh(seok.oh@samsung.com)
# Date June 23, 2016
-# Required cap_setuid, cap_dac_override, cap_sys_admin
+# Required /usr/sbin/sdbd : cap_setuid, cap_setgid, cap_dac_override, cap_sys_admin : ei
# cap_setuid set child process's uid to root
# cap_dac_override bypass permission check at pull/push
# cap_sys_admin remount at rpm installation
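Review bot: cap_setgid is now on the sdbd Required line, but the only text that explained it (`# cap_setgid set group id following user id`) is deleted with the old header, so the visible rationale lines cover three of the four capabilities. The `# Package sdbd` line is removed as well, which leaves this entry starting at `# Owner`, unlike the other entries. I would keep `# Package sdbd` above the owner line and re-add the cap_setgid rationale next to the other three. The setcap command for sdbd is outside the visible lines, so confirm it matches the Required line.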
# Package alarm-server
# Owner Jiwoong Im(jiwoong.im@samsung.com)
# Date May 24, 2016
-# Required cap_sys_time
+# Required /usr/bin/alarm-server : cap_sys_time : ei
# cap_sys_time settimeofday() system call and rtc setting time need privilege; CAP_SYS_TIME
if [ -e "/usr/bin/alarm-server" ]
# Package download-provider
# Owner Jaekuk Lee(juku1999@samsung.com)
# Date May 24, 2016
-# Required cap_chown, cap_dac_override
+# Required /usr/bin/download-provider : cap_chown, cap_dac_override : ei
# cap_chown needs to change owner of downloaded file from download-provider to application
# cap_dac_override needs to access directory which user id is different (override DAC permission)
# Package media-server
# Owner Minje Ahn(minje.ahn@samsung.com)
# Date May 27, 2016
-# Required cap_dac_override
+# Required /usr/bin/media-server : cap_dac_read_search : ei
# cap_dac_read_search media-server needs to access client's directory defined as each client's uid and gid
# in case of providing its capi; thumbnail_util_extract() (providing thumbnail requested by client)
# client would be another service daemon and application
# Package csr-server
# Owner Kyungwook Tak(k.tak@samsung.com)
# Date June 17, 2016
-# Required cap_dac_override, cap_fowner
+# Required /usr/bin/csr-server : cap_dac_override, cap_fowner : ei
# cap_dac_override csr-server needs to access application's directory for scanning and removing file
# cap_fowner csr-server needs to remove files set with sticky bit in /tmp (rwxrwxrwt)
# Package msg-server
# Owner Kyeonghun Lee(kh9090.lee@samsung.com)
# Date June 28, 2016
-# Required cap_chown, cap_dac_override, cap_lease, cap_net_admin, cap_net_raw
+# Required /usr/bin/msg-server : cap_chown, cap_lease, cap_net_admin, cap_net_raw : ei
# cap_net_admin Interface binding in case of using curl api (mms sending/receiving)
# cap_net_raw Bind to any address for proxying in using RAW and PACKET sockets (mms sending/receiving)
# cap_chown For change uid or gid chown file
# Package pkgmgr-server
# Owner Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date June 30, 2016
-# Required cap_chown, cap_dac_override, cap_fsetid, cap_kill, cap_setgid, cap_setuid
+# Required /usr/bin/pkgmgr-server : cap_chown, cap_dac_override, cap_fsetid, cap_kill, cap_setgid, cap_setuid : ei
# cap_chown fchown : change owner
# cap_dac_override Access user and global database file of package manager
# cap_fsetid fchmod : change mode
# Package app-installers
# Owner Sangyoun Jang(s89.jang@samsung.com)
# Date Jul 04, 2016
-# Required cap_dac_override, cap_chown, cap_fowner
+# Required /usr/bin/pkgdir-tool : cap_dac_override, cap_chown, cap_fowner : ei
# cap_dac_override access to /home/$USER/apps_rw
# cap_chown use chown API
# cap_fowner use chmod API
# Package mused
# Owner Younghoon Kim(yh8004.kim@samsung.com)
# Date Jul 07, 2016
-# Required cap_dac_override
+# Required /usr/bin/muse-server : cap_dac_override : ei
# cap_dac_override access to directories of applications
if [ -e "/usr/bin/muse-server" ]
# Package tpk-backend
# Owner Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date Aug 10, 2016
-# Required cap_dac_override, cap_chown, cap_fowner
+# Required /usr/bin/tpk-backend : cap_dac_override, cap_chown, cap_fowner : ei
# cap_dac_override access to /home/$USER/apps_rw
# cap_chown use chown API
# cap_fowner use chmod API
# Package wgt-backend
# Owner Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date Aug 10, 2016
-# Required cap_dac_override, cap_chown, cap_fowner
+# Required /usr/bin/wgt-backend : cap_dac_override, cap_chown, cap_fowner : ei
# cap_dac_override access to /home/$USER/apps_rw
# cap_chown use chown API
# cap_fowner use chmod API
# Package xdelta3
# Owner Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date Aug 10, 2016
-# Required cap_dac_override
+# Required /usr/bin/xdelta3 : cap_dac_override : ei
# cap_dac_override access to /home/$USER/apps_rw
if [ -e "/usr/bin/xdelta3" ]
then /usr/sbin/setcap cap_dac_override=ei /usr/bin/xdelta3
fi
-# Package feedbackd
-# Owner Pureum Jung(pr.jung@samsung.com)
-# Date Sep 2, 2016
-# Required cap_dac_override
-# cap_dac_override to access input event node => removed as feedbackd has input gid.
-
-#if [ -e "/usr/bin/feedbackd" ]
-#then /usr/sbin/setcap cap_dac_override=eip /usr/bin/feedbackd
-#fi
-
# Package connmand
# Owner Hyunuk Tak(hyunuk.tak@samsung.com)
# Date Oct 7, 2016
-# Required cap_dac_override,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw
+# Required /usr/bin/connmand : cap_dac_override,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw : ei
+# Required /usr/bin/connman-vpnd : cap_dac_override,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw : ei
# cap_net_admin to add interface flags and make the interface UP/DOWN using ioctl
# cap_net_bind_service to execute bind() function
# cap_net_broadcast to make socket broadcasts, and listen to multicasts
# Package platform/upstream/strongswan
# Owner Jiuing Yu(jiung.yu@samsung.com)
# Date Oct 26, 2017
-# Required cap_setgid,cap_net_admin,cap_net_bind_service,cap_net_raw,cap_net_broadcast
+# Required /usr/bin/charon : cap_setgid,cap_net_admin,cap_net_bind_service,cap_net_raw,cap_net_broadcast : ei
# cap_setgid to use initgroup
# cap_net_admin to set SA configuration using linux kernel and netlink socket
# cap_net_bind_service to use UDP 500 port for IKEv2 protocol
# Package net-config
# Owner Hyunuk Tak(hyunuk.tak@samsung.com)
# Date Oct 7, 2016
-# Required cap_dac_override, cap_net_admin
+# Required /usr/bin/net-config : cap_dac_override, cap_net_admin, cap_net_raw : ei
# cap_dac_override to access bridge device
# cap_net_admin scan wifi AP and interface control using ioctl
# Package wpa_supplicant
# Onwer Hyunuk Tak(hyunuk.tak@samsung.com)
# Date Oct 7, 2016
-# Required cap_net_admin, cap_net_raw
+# Required /usr/bin/wpa_supplicant : cap_net_admin, cap_net_raw, cap_dac_override : ei
# cap_net_admin to add interface flags and configure the interface using ioctl and driver commands
# cap_net_raw to use RAW socket
# cap_dac_override to access bridge device
# Package mobileap-agent
# Owner Seonah Moon(seonah1.moon@samsung.com)
# Date Oct 7, 2016
-# Required cap_net_admin, cap_net_bind_service
+# Required /usr/bin/mobileap-agent : cap_net_admin, cap_net_bind_service : ei
+# Required /usr/sbin/route : cap_net_admin : ei
# cap_net_admin to use ioctl socket
# cap_net_bind_service to call bind
# Package wpa_supplicant
# Owner Seonah Moon(seonah1.moon@samsung.com)
# Date Oct 7, 2016
-# Required cap_dac_override, cap_net_admin, cap_net_bind_service, cap_net_raw, cap_fowner
+# Required /usr/bin/hostapd : cap_dac_override, cap_net_admin, cap_net_bind_service, cap_net_raw : ei
# cap_net_admin to use ioctl socket
# cap_net_bind_service to call bind
# cap_net_raw to use RAW socket
# Package dnsmasq
# Owner Seonah Moon(seonah1.moon@samsung.com)
# Date Oct 7, 2016
-# Required cap_dac_override, cap_net_bind_service, cap_net_broadcast, cap_net_admin
-# Capability Bit only effective and inheriable
+# Required /usr/bin/dnsmasq : cap_net_admin, cap_net_bind_service, cap_net_broadcast, cap_net_raw : ei
# cap_net_admin to use ioctl socket
# cap_net_bind_service to call bind
# cap_net_broadcast to make socket broadcasts, and listen to multicasts
# Package iproute2
# Owner Seonah Moon(seonah1.moon@samsung.com)
# Date Oct 7, 2016
-# Required cap_net_admin
-# Capability Bit only effective and inheriable
+# Required /usr/sbin/ip : cap_net_admin : ei
# cap_net_admin to use ioctl socket
if [ -e "/usr/sbin/ip" ]
# Package iptables
# Owner Seonah Moon(seonah1.moon@samsung.com)
# Date Oct 7, 2016
-# Required cap_dac_override, cap_sys_admin, cap_net_admin, cap_net_raw
-# Capability Bit only effective and inheriable
+# Required /usr/sbin/xtables-multi : cap_net_admin, cap_net_raw : ei
# cap_net_admin to use ioctl socket
# cap_net_raw to use RAW socket
-# cap_sys_admin to initialize iptables table => removed as it is not needed.
if [ -e "/usr/sbin/xtables-multi" ]
then /usr/sbin/setcap cap_net_admin,cap_net_raw=ei /usr/sbin/xtables-multi
# Package tayga
# Owner Seonah Moon(seonah1.moon@samsung.com)
# Date April 11, 2016
-# Required cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
-# Capability Bit only effective and inheriable
+# Required /usr/sbin/tayga : cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw : ei
# cap_net_bind_service to call bind
# cap_net_broadcast to make socket broadcasts, and listen to multicasts
# cap_net_admin to use ioctl socket
# Package named
# Owner Seonah Moon(seonah1.moon@samsung.com)
# Date April 11, 2016
-# Required cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot
+# Required /usr/sbin/named : cap_net_bind_service,cap_net_admin,cap_sys_chroot : ei
# cap_net_bind_service to call bind
# cap_net_admin to use ioctl socket
# cap_sys_chroot to use root permission in spacific location
then /usr/sbin/setcap cap_net_bind_service,cap_net_admin,cap_sys_chroot=ei /usr/sbin/named
fi
-# Package tcpdump
-# Owner taesub.kim (taesub.kim@samsung.com)
-# Date Dec 5, 2017
-# Required cap_net_raw
-# cap_net_raw Bind to any address for proxying in using RAW and PACKET sockets(capture tcpdump)
+# Package tcpdump
+# Owner taesub.kim (taesub.kim@samsung.com)
+# Date Dec 5, 2017
+# Required /usr/sbin/tcpdump : cap_net_raw : ei
+# cap_net_raw Bind to any address for proxying in using RAW and PACKET sockets(capture tcpdump)
if [ -e "/usr/sbin/tcpdump" ]
then /usr/sbin/setcap cap_net_raw=ei /usr/sbin/tcpdump
# Package inm-manager
# Owner Taesub Kim(taesub.kim@samsung.com)
# Date Jul 18, 2018
-# Required cap_dac_override, cap_net_admin
+# Required /usr/bin/inm-manager : cap_net_raw, cap_net_admin : ei
# cap_net_admin scan wifi AP and interface control using ioctl
# cap_net_raw to use RAW socket
# Package chmod
# Owner Changyeon Lee(cyeon.lee@samsung.com)
# Date Oct 11, 2016
-# Required cap_fowner
-# Capability Bit only effective and inheriable
+# Required /usr/bin/chmod : cap_fowner : ei
# cap_fowner to pass permisstion check
if [ -e "/usr/bin/chmod" ]
# Package chgrp
# Owner Changyeon Lee(cyeon.lee@samsung.com)
# Date Oct 11, 2016
-# Required cap_chown
-# Capability Bit only effective and inheriable
+# Required /usr/bin/chgrp : cap_chown : ei
# cap_fowner to change files UIDs and GID
if [ -e "/usr/bin/chgrp" ]
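Review bot: The rationale line under the chgrp entry still reads `# cap_fowner to change files UIDs and GID` although the Required line states `cap_chown`; it should read `# cap_chown to change files UIDs and GID`. The hciconfig entry has the same mismatch: Required says `cap_net_admin` and the line below it says `# cap_sys_module To control bt interface`. The Required lines appear intended as the per-binary record of what is granted, so a rationale line that names a different capability will read as a second, undocumented grant during an audit.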
# Package touch
# Owner SooYoung Ha(yoosah.ha@samsung.com)
# Date Oct 13, 2016
-# Required cap_dac_override
-# Capability Bit only effective and inheriable
+# Required /usr/bin/touch : cap_dac_override : ei
# cap_dac_override to access file
if [ -e "/bin/touch" ]
-then /usr/sbin/setcap cap_dac_override=ei /bin/touch
+then /usr/sbin/setcap cap_dac_override=ei /usr/bin/touch
fi
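Review bot: The guard still tests `/bin/touch` while the setcap target is now `/usr/bin/touch`, so the existence check and the file that receives cap_dac_override are different paths. If `/bin` is not a link to `/usr/bin` in the image, the grant is either skipped silently or setcap runs on a path that was never checked. Change the guard to `if [ -e "/usr/bin/touch" ]` so that it matches both the Required line and the command.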
-# Package amixer
-# Owner SooYoung Ha(yoosah.ha@samsung.com)
-# Date Oct 13, 2016
-# Required cap_dac_override
-# Capability Bit only effective and inheriable
-# cap_dac_override to access file => removed as calling process has audio gid.
-
-#if [ -e "/usr/bin/amixer" ]
-#then /usr/sbin/setcap cap_dac_override=ei /usr/bin/amixer
-#fi
-
# Package data-provider-master
# Owner Myung-ki Lee (mk5004.lee@samsung.com)
# Date Nov 21, 2016
-# Required cap_dac_override
+# Required /usr/bin/data-provider-master : cap_dac_override : ei
# cap_dac_override to override dac permission for accessing to app's po files.
if [ -e "/usr/bin/data-provider-master" ]
# Package platform/coer/appfw/pkgmgr-tool
# Owner Sangyoon Jang(s89.jang@samsung.com)
# Date Nov 28, 2016
-# Required cap_dac_read_search
+# Required /usr/bin/pkg_getsize : cap_dac_read_search : ei
# cap_dac_read_search to access pkg directory
if [ -e "/usr/bin/pkg_getsize" ]
# Package platform/core/messaging/email-service
# Owner Intae Jeon(intae.jeon@samsung.com)
# Date Dec 13, 2016
-# Required cap_chown
+# Required /usr/bin/email-service : cap_chown : eip
# cap_chown To change permission of DB file.
if [ -e "/usr/bin/email-service" ]
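Review bot: `/usr/bin/email-service` is the only visible Required line that ends in `eip`; every other binary is recorded as `ei`. With the permitted bit set on the file, the process gains cap_chown on exec regardless of the caller's inheritable set, whereas the `ei` entries only take effect for callers that already hold the capability as inheritable. Add a rationale line stating why the permitted bit is needed here, or bring the entry in line with `ei` if no caller depends on it. The setcap command itself is outside the visible lines.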
# Package platform/coer/appfw/pkgmgr-tool
# Owner JongMyeong Ko(jongmyeong.ko@samsung.com)
# Date Jan 23, 2017
-# Required cap_dac_override
+# Required /usr/bin/pkg_cleardata : cap_dac_override : ei
# cap_dac_override to remove application resources in pkg directory
# TODO: REMOVED IN TIZEN 4.0
# Package platform/core/appfw/launchpad
# Owner Junghoon Park(jh9216.park@samsung.com)
# Date July 4, 2017
-# Required cap_mac_admin, cap_dac_override, cap_setgid
+# Required /usr/bin/launchpad-process-pool : cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_admin, cap_sys_nice : ei
+# Required /usr/bin/launchpad-loader : cap_sys_admin,cap_sys_nice,cap_setgid : ei
# cap_mac_admin to use security_manager_prepare_app()
# cap_dac_override fd redirection in debug mode of app running
# cap_setgid to use security_manager_prepare_app()
# Package platform/core/appfw/launchpad
# Owner Junghoon Park(jh9216.park@samsung.com)
# Date Feb 25, 2020
-# Required cap_setgid, cap_sys_admin, cap_sys_nice
+# Required /usr/bin/app-defined-loader :cap_setgid, cap_sys_admin, cap_sys_nice : ei
# cap_setgid to use security_manager_prepare_app()
# cap_sys_admin to split mount namespace
# cap_sys_nice to change scheduling priority
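Review bot: The separator on this Required line is written ` :cap_setgid` with no space after the colon, while the other entries use ` : `; the crash-manager and crash-service lines have the same form. The capability lists also mix `a, b` and `a,b`. If these lines are meant to be read by a tool in place of the deleted list file (an assumption, nothing visible says so), settle on one form, e.g. `# Required /usr/bin/app-defined-loader : cap_setgid, cap_sys_admin, cap_sys_nice : ei`.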
# Package platform/core/dotnet/launcher
# Owner Woongsuk Cho(ws77.cho@samsung.com)
# Date July 4, 2017
-# Required cap_sys_admin, cap_setgid
+# Required /usr/bin/dotnet-launcher : cap_sys_admin, cap_setgid : ei
# cap_setgid to change app process gid
# cap_sys_admin to split mount namespace
# Package platform/core/dotnet/launcher
# Owner Woongsuk Cho(ws77.cho@samsung.com)
# Date April 10, 2020
-# Required cap_sys_admin, cap_setgid
+# Required /usr/bin/dotnet-hydra-loader : cap_sys_admin, cap_setgid : ei
# cap_setgid to change app process gid
# cap_sys_admin to split mount namespace
# Package platform/core/dotnet/launcher
# Owner Woongsuk Cho(ws77.cho@samsung.com)
# Date April 10, 2020
-# Required cap_sys_admin, cap_setgid
+# Required /usr/bin/dotnet-loader : cap_sys_admin, cap_setgid : ei
# cap_setgid to change app process gid
# cap_sys_admin to split mount namespace
# Package platform/core/dotnet/launcher
# Owner Woongsuk Cho(ws77.cho@samsung.com)
# Date April 10, 2020
-# Required cap_sys_admin, cap_setgid
+# Required /usr/bin/dotnet : cap_sys_admin, cap_setgid : ei
# cap_setgid to change app process gid
# cap_sys_admin to split mount namespace
# Package platform/core/telephony/telephony-daemon
# Owner Shinhui Kang(sinikang@samsung.com)
# Date July 4, 2017
-# Required cap_net_admin, cap_net_raw
+# Required /usr/bin/telephony-daemon : cap_net_admin, cap_net_raw, cap_dac_override : ei
# cap_net_admin for network interface up/down
# cap_net_raw to use raw socket
# cap_dac_override to access bridge device
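Review bot: The Required line names only `/usr/bin/telephony-daemon`, but the list file deleted by this commit also carried `/usr/bin/telephony-daemon.tv` and `/usr/bin/telephony-daemon.ivi` with the same set. The same gap shows for `wfd-manager.tm1`, `.mobile`, `.wearable` and `.tv`, and for `/usr/sbin/lwresd`, none of which has a Required line in the visible hunks. If the script still runs setcap on these paths, each needs its own Required line; if not, it is worth saying so in the commit message, because the deleted file was the only place they were listed.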
# Package platform/core/multimedia/libmm-sound
# Owner Seungbae Shin(seungbae.shin@samsung.com)
# Date July 4, 2017
-# Required cap_chown, cap_fowner, cap_lease
+# Required /usr/bin/focus_server : cap_fowner, cap_lease : ei
+# Required /usr/bin/sound_server : cap_lease : ei
# TODO : check the reason
if [ -e "/usr/bin/focus_server" ]
# Package platform/core/security/nether
# Owner Kim Kidong(kd0228.kim@samsung.com)
# Date July 4, 2017
-# Required cap_net_admin, cap_net_raw
+# Required /usr/bin/nether : cap_net_admin : ei
# cap_net_admin for netfilter work
if [ -e "/usr/bin/nether" ]
# Package platform/core/appfw/amd
# Owner Junghoon Park(jh9216.park@samsung.com)
# Date July 4, 2017
-# Required cap_kill, cap_dac_override
+# Required /usr/bin/amd : cap_kill, cap_dac_override, cap_sys_admin : ei
+# Required /usr/bin/amd : cap_setuid, cap_mac_admin, cap_kill, cap_dac_override, cap_sys_admin : ei
# cap_kill to kill app process
# cap_dac_override to access wayland and app socket, to check private sharing path
# cap_sys_admin to use mount namespace
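Review bot: There are two `# Required /usr/bin/amd` lines with different capability sets, and nothing says which one applies or under what condition. The deleted list file had the same pair, but its longer entry included cap_setgid, which the new longer line omits (`cap_setuid, cap_mac_admin, cap_kill, cap_dac_override, cap_sys_admin`). State the condition on each line, for example the profile or build option that selects it, and check the longer set against the actual setcap command, which is outside the visible lines. The rationale lines in view cover only cap_kill, cap_dac_override and cap_sys_admin, so cap_setuid and cap_mac_admin are left without one.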
# Package platform/framework/web/crosswalk-tizen
# Owner Jaekuk Lee(juku1999@samsung.com)
# Date July 4, 2017
-# Required cap_sys_admin, cap_setgid
+# Required /usr/bin/wrt-loader : cap_sys_admin, cap_setgid : ei
# cap_setgid to change process gid
# cap_sys_admin to split mount namespace
# Package platform/core/connectivity/wifi-direct-manager
# Owner Jaehyun Kim(jeik01.kim@samsung.com)
# Date July 18, 2017
-# Required cap_net_bind_service, cap_net_admin, cap_net_broadcast, cap_net_raw
+# Required /usr/bin/wfd-manager : cap_net_bind_service, cap_net_admin, cap_net_broadcast, cap_net_raw : ei
# cap_net_bind_service using DHCP port
# cap_net_admin interface IP address configuration
# cap_net_broadcast DHCP packet broadcasting
fi
# Belows are tools which wfd manager service is using.
+# Required /usr/bin/toybox : cap_net_bind_service, cap_net_broadcast, cap_net_admin,cap_net_raw : ei
+# Required /usr/bin/pkill : cap_kill : ei
+# Required /usr/sbin/ifconfig : cap_net_admin : ei
+
if [ -e "/usr/bin/toybox" ]
then /usr/sbin/setcap cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw=ei /usr/bin/toybox
fi
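Review bot: The Required line for `/usr/bin/toybox` records four network capabilities on a multi-call binary, so the grant covers every applet it dispatches, not only the ones wfd-manager uses. The `ei` form limits this to callers that hold the capabilities as inheritable, but unlike the other entries this one has no Package/Owner/Date header and no per-capability rationale. Add a comment line naming the toybox applets that wfd-manager actually invokes, plus the same header fields as the other entries. The pkill and ifconfig Required lines added alongside it also have no rationale lines in view.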
# Package platform/core/connectivity/wifi-mesh-manager
# Owner Saerome Kim(saerome.kim@samsung.com)
# Date Aug 11, 2017
-# Required cap_net_raw, cap_net_admin
+# Required /usr/bin/wmeshd : cap_net_raw, cap_net_admin, cap_dac_override : ei
# cap_dac_override to access bridge device
if [ -e "/usr/bin/wmeshd" ]
then /usr/sbin/setcap cap_net_raw,cap_net_admin,cap_dac_override=ei /usr/bin/wmeshd
fi
-# Package platform/core/security/ode
-# Owner Jaemin Ryu(jm77.ryu@samsung.com)
-# Date Aug 23, 2017
-# Required cap_dac_override, cap_sys_admin, cap_sys_boot, cap_sys_ptrace, cap_kill
-# cap_dac_override to access /dev/mmcblk* and /dev/mapper/control
-# => To remove this cap, (1. include security_fw to disk gid) and (2. change the permission of /dev/mapper/control)
-# cap_sys_admin to use ioctl system call
-# cap_sys_boot after encryption, reboot is required
-# cap_sys_ptrace to know process for storage encryption
-# cap_kill to kill the process
-
-# Currently, oded is running as a root.
-#if [ -e "/usr/bin/oded" ]
-#then /usr/sbin/setcap cap_dac_override,cap_sys_admin,cap_sys_boot,cap_sys_ptrace,cap_kill=ei /usr/bin/oded
-#fi
-
# Package platform/upstream/bluez
# Owner Saerome Kim(saerome.kim@samsung.com)
# Date Nov 24, 2017
-# Required cap_dac_override
+# Required /usr/libexec/bluetooth/bluetoothd : cap_dac_override, cap_net_admin, cap_net_bind_service, cap_net_raw : ei
# cap_dac_override to access bridge device
# cap_net_admin to use network-related operations
# cap_net_bind_service to call bind
# Package platform/upstream/bluez
# Owner Dohyun Pyun(dh79.pyun@samsung.com)
# Date Jun 08, 2020
-# Required cap_dac_override, cap_net_admin, cap_net_bind_service
+# Required /usr/libexec/bluetooth/bluetooth-meshd : cap_dac_override, cap_net_admin, cap_net_bind_service : ei
# cap_dac_override to access bridge device
# cap_net_admin to use network-related operations
# cap_net_bind_service to call bind
# Package platform/core/system/dlog
# Owner Hyotaek Shim(hyotaek.shim@samsung.com)
# Date Dec 22, 2017
-# Required cap_syslog
+# Required /usr/bin/dlog_logger : cap_syslog : ei
# cap_syslog to use syslog()
if [ -e "/usr/bin/dlog_logger" ]
# Package platform/core/connectivity/stc-iptables
# Owner Hyunuk Tak(hyunuk.tak@samsung.com)
# Date Apr 12, 2018
-# Required cap_net_bind_service,cap_net_raw,cap_net_admin
+# Required /usr/bin/stc-iptables : cap_net_bind_service,cap_net_raw,cap_net_admin : ei
# cap_net_bind_service,cap_net_raw,cap_net_admin netlink and ipproto sockets
if [ -e "/usr/bin/stc-iptables" ]
# Package platform/core/security/audit-trail
# Owner Jaemin Ryu(jm77.ryu@samsung.com)
# Date May 3, 2018
-# Required cap_audit_control,cap_audit_write
+# Required /usr/bin/audit-trail-daemon : cap_audit_control,cap_audit_write : ei
# cap_audit_control To change auditing filter rules
# cap_audit_write To record the kernel auditing log
# Package platform/adaptation/system-plugin
# Owner Insun Pyo(insun.pyo@samsung.com)
# Date Aug 20, 2018
-# Required cap_sys_admin
+# Required /usr/bin/session-bind : cap_sys_admin : ei
# cap_sys_admin To bind mount /opt/usr/media, /opt/usr/apps from user session
if [ -e "/usr/bin/session-bind" ]
# Package product/upstream/coreutils
# Date Sep 10, 2018
-# Required cap_sys_ptrace
+# Required /usr/bin/cat : cap_sys_ptrace : ei
# cap_sys_ptrace To read /proc/[pid]/stack
# This is requested Display module, to be used in display-manager-monitor service.
# Package platform/core/security/krate
# Date Sep 19, 2018
-# Required cap_sys_admin
+# Required /usr/bin/krate-mount : cap_sys_admin : ei
# cap_sys_admin Do bind-mount to control the file access
if [ -e "/usr/bin/krate-mount" ]
# Package platform/upstream/kmod
# Date Nov 7, 2018
-# Required cap_sys_module
+# Required /usr/bin/kmod : cap_sys_module : ei
# cap_sys_module To use insmod
# This is requested by Bluetooth module, to be used in bluetooth-stack-up.service.
# Package platform/upstream/bluez
# Date Nov 7, 2018
-# Required cap_net_admin
+# Required /usr/bin/hciconfig : cap_net_admin : ei
# cap_sys_module To control bt interface
if [ -e "/usr/bin/hciconfig" ]
# Package platform/core/system/stability-monitor
# Date Nov 20, 2019
-# Required cap_sys_ptrace,cap_sys_module,cap_kill
+# Required /usr/sbin/stability-monitor : cap_sys_ptrace,cap_sys_module,cap_kill : ei
# cap_sys_ptrace To attach in process and readlink for working
# cap_sys_module To load/unload kernel module
# cap_kill To kill processes
# Package platform/core/connectivity/ua-manager
# Date Jun 13, 2019
-# Required cap_net_raw,cap_sys_rawio
+# Required /usr/bin/ua-manager : cap_net_raw,cap_sys_rawio : ei
# cap_net_raw To use raw socket when making ARP packet
# cap_sys_rawio To use I/O port operation
# Package platform/core/system/crash-worker
# Date Nov 14, 2019
-# Required cap_dac_override,cap_kill,cap_sys_ptrace
+# Required /usr/bin/crash-manager :cap_dac_override,cap_kill,cap_sys_ptrace : ei
+# Required /usr/bin/crash-service :cap_dac_override,cap_kill,cap_sys_ptrace : ei
# cap_dac_override To create directory
# cap_kill To send signals to processes
# cap_sys_ptrace To read /proc/<pid>/
# Package platform/upstream/minicoredumper
# Date Nov 14, 2019
-# Required cap_dac_read_search,cap_sys_ptrace
+# Required /usr/sbin/minicoredumper : cap_dac_read_search,cap_sys_ptrace : ei
# cap_dac_read_search To read any binary file
# cap_sys_ptrace To read /proc/<pid>/
# Package platform/core/system/dlog
# Date Nov 14, 2019
-# Required cap_syslog
+# Required /usr/bin/dlogutil : cap_syslog : ei
# cap_syslog Android logger returns incorrect values without this capability (check : this is bug in the kernel driver).
if [ -e "/usr/bin/dlogutil" ]
# Package platform/core/system/buxton2
# Date Nov 14, 2019
-# Required cap_dac_override
+# Required /usr/bin/buxton2ctl : cap_dac_override : ei
# cap_dac_override To write in /run/buxton2/ and /etc/buxton2 directory
if [ -e "/usr/bin/buxton2ctl" ]
# Package platform/core/system/crash-worker
# Date Nov 14, 2019
-# Required cap_dac_read_search
+# Required /usr/bin/livedumper : cap_dac_override, cap_sys_ptrace : ei
# cap_dac_override To create livedump directory
# cap_sys_ptrace To read /proc/[pid]
# Package platform/core/system/crash-worker
# Date Nov 14, 2019
-# Required cap_dac_read_search,cap_sys_ptrace
+# Required /usr/libexec/crash-stack : cap_dac_read_search,cap_sys_ptrace : ei
# cap_dac_read_search To read /proc/[pid]/{maps, task, status}
# cap_sys_ptrace To read /proc/[pid]/{maps, task, status}
# Package platform/core/system/memps
# Date Nov 14, 2019
-# Required cap_dac_read_search,cap_sys_ptrace
+# Required /usr/bin/memps : cap_dac_read_search,cap_sys_ptrace : ei
# cap_dac_read_search To read files from /proc/ and /sys/
# cap_sys_ptrace To read files from /proc/ and /sys/
# Package platform/upstream/procps-ng
# Date Nov 14, 2019
-# Required cap_sys_ptrace
+# Required /usr/bin/top : cap_sys_ptrace : ei
# cap_sys_ptrace To read files from /proc/
if [ -e "/usr/bin/top" ]
# Package product/upstream/coreutils
# Date Nov 14, 2019
-# Required cap_sys_ptrace
+# Required /usr/bin/df : cap_dac_read_search : ei
# cap_dac_read_search counting of disk space usage (eg /opt/usr/home/owner)
if [ -e "/usr/bin/df" ]
# Package product/upstream/coreutils
# Date Nov 14, 2019
-# Required cap_sys_ptrace
+# Required /usr/bin/du : cap_dac_read_search : ei
# cap_dac_read_search counting of disk space usage (eg /opt/usr/home/owner)
if [ -e "/usr/bin/du" ]
# Package product/upstream/clat
# Date Nov 26, 2019
-# Required cap_net_admin,cap_net_raw,cap_ipc_lock,cap_setuid,cap_setgid
+# Required /usr/bin/clatd : cap_net_admin,cap_net_raw,cap_ipc_lock,cap_setuid,cap_setgid : ei
# cap_net_admin To create and configure interface, modify routing tables
# cap_net_raw To open raw socket
# cap_ipc_lock clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks capable(CAP_IPC_LOCK)
# Package platform/core/connectivity/nan-manager
# Date Apr 10, 2020
-# Required cap_net_admin,cap_net_raw
+# Required /usr/bin/nan-manager : cap_net_admin,cap_net_raw : ei
# cap_net_admin To add interface up/down and routing rules
# cap_net_raw To use raw socket
# Package platform/core/appfw/unified-backend
# Date Jul 15, 2020
-# Required cap_dac_override, cap_chown, cap_fowner
+# Required /usr/bin/unified-backend : cap_dac_override, cap_chown, cap_fowner : ei
# cap_dac_override access to /home/$USER/apps_rw
# cap_chown use chown API
# cap_fowner use chmod API
# Package app-installers
# Date Jul 15, 2020
-# Required cap_dac_override, cap_chown, cap_fowner
+# Required /usr/bin/pkg_recovery : cap_dac_override, cap_chown, cap_fowner : ei
# cap_dac_override To restore user data
# cap_chown use chown API
# cap_fowner use chmod API
# Package platform/core/system/peripheral-bus
# Date Jul 24, 2020
-# Required cap_dac_override
+# Required /usr/bin/peripheral-bus : cap_dac_override : ei
# cap_dac_override To modify peripheral devices under /sys/class
if [ -e "/usr/bin/peripheral-bus" ]
+++ /dev/null
-/usr/sbin/tayga = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/sbin/xtables-multi = cap_net_admin,cap_net_raw+ei
-/usr/sbin/named = cap_net_bind_service,cap_net_admin,cap_sys_chroot+ei
-/usr/sbin/lwresd = cap_net_bind_service,cap_net_admin,cap_sys_chroot+ei
-/usr/sbin/sdbd = cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin+ei
-/usr/bin/hostapd = cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw+ei
-/usr/sbin/ip = cap_net_admin+ei
-/usr/bin/wpa_supplicant = cap_dac_override,cap_net_admin,cap_net_raw+ei
-/usr/bin/focus_server = cap_fowner,cap_lease+ei
-/usr/bin/touch = cap_dac_override+ei
-/usr/bin/pkgdir-tool = cap_chown,cap_dac_override,cap_fowner+ei
-/usr/bin/msg-server = cap_chown,cap_net_admin,cap_net_raw,cap_lease+ei
-/usr/bin/media-server = cap_dac_read_search+ei
-/usr/bin/alarm-server = cap_sys_time+ei
-/usr/bin/csr-server = cap_dac_override,cap_fowner+ei
-/usr/bin/pkgmgr-server = cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid+ei
-/usr/bin/muse-server = cap_dac_override+ei
-/usr/bin/amd = cap_dac_override,cap_kill,cap_setgid,cap_setuid,cap_sys_admin,cap_mac_admin+ei
-/usr/bin/amd = cap_dac_override,cap_kill,cap_sys_admin+ei
-/usr/bin/wrt-loader = cap_setgid,cap_sys_admin+ei
-/usr/bin/tpk-backend = cap_chown,cap_dac_override,cap_fowner+ei
-/usr/bin/launchpad-loader = cap_setgid,cap_sys_admin,cap_sys_nice+ei
-/usr/bin/app-defined-loader = cap_setgid,cap_sys_admin,cap_sys_nice+ei
-/usr/bin/email-service = cap_chown+eip
-/usr/bin/wgt-backend = cap_chown,cap_dac_override,cap_fowner+ei
-/usr/bin/download-provider = cap_chown,cap_dac_override+ei
-/usr/bin/chmod = cap_fowner+ei
-/usr/bin/sound_server = cap_lease+ei
-/usr/bin/dnsmasq = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/feedbackd = cap_dac_override+ei
-/usr/bin/data-provider-master = cap_dac_override+ei
-/usr/bin/amixer = cap_dac_override+ei
-/usr/bin/pkg_getsize = cap_dac_read_search+ei
-/usr/bin/pkg_cleardata = cap_dac_override+ei
-/usr/bin/launchpad-process-pool = cap_dac_override,cap_setgid,cap_sys_admin,cap_sys_nice,cap_mac_admin+ei
-/usr/bin/mobileap-agent = cap_net_bind_service,cap_net_admin+ei
-/usr/bin/chgrp = cap_chown+ei
-/usr/bin/xdelta3 = cap_dac_override+ei
-/usr/bin/telephony-daemon = cap_dac_override,cap_net_admin,cap_net_raw+ei
-/usr/bin/telephony-daemon.tv = cap_dac_override,cap_net_admin,cap_net_raw+ei
-/usr/bin/telephony-daemon.ivi = cap_dac_override,cap_net_admin,cap_net_raw+ei
-/usr/bin/nether = cap_net_admin+ei
-/usr/bin/dotnet-hydra-loader = cap_setgid,cap_sys_admin+ei
-/usr/bin/dotnet-launcher = cap_setgid,cap_sys_admin+ei
-/usr/bin/dotnet-loader = cap_setgid,cap_sys_admin+ei
-/usr/bin/dotnet = cap_setgid,cap_sys_admin+ei
-/usr/bin/wfd-manager = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/wfd-manager.tm1 = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/wfd-manager.mobile = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/wfd-manager.wearable = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/wfd-manager.tv = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/net-config = cap_dac_override,cap_net_admin,cap_net_raw+ei
-/usr/bin/connmand = cap_dac_override,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/sbin/ifconfig = cap_net_admin+ei
-/usr/bin/pkill = cap_kill+ei
-/usr/bin/toybox = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/sbin/route = cap_net_admin+ei
-/usr/bin/oded = cap_dac_override,cap_kill,cap_sys_ptrace,cap_sys_admin,cap_sys_boot+ei
-/usr/bin/connman-vpnd = cap_dac_override,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/charon = cap_setgid,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/dlog_logger = cap_syslog+ei
-/usr/libexec/bluetooth/bluetoothd = cap_dac_override,cap_net_bind_service,cap_net_admin,cap_net_raw+ei
-/usr/bin/cat = cap_sys_ptrace+ei
-/usr/bin/krate-mount = cap_sys_admin+ei
-/usr/bin/inm-manager = cap_net_admin,cap_net_raw+ei
-/usr/bin/session-bind = cap_sys_admin+ei
-/usr/bin/kmod = cap_sys_module+ei
-/usr/bin/hciconfig = cap_net_admin+ei
-/usr/bin/stc-iptables = cap_net_bind_service,cap_net_admin,cap_net_raw+ei
-/usr/bin/audit-trail-daemon = cap_audit_write,cap_audit_control+ei
-/usr/sbin/tcpdump = cap_net_raw+ei
-/usr/bin/ua-manager = cap_net_raw,cap_sys_rawio+ei
-/usr/libexec/crash-stack = cap_dac_read_search,cap_sys_ptrace+ei
-/usr/sbin/minicoredumper = cap_dac_read_search,cap_sys_ptrace+ei
-/usr/bin/crash-service = cap_dac_override,cap_kill,cap_sys_ptrace+ei
-/usr/bin/dlogutil = cap_syslog+ei
-/usr/bin/du = cap_dac_read_search+ei
-/usr/bin/clatd = cap_setgid,cap_setuid,cap_net_admin,cap_net_raw,cap_ipc_lock+ei
-/usr/bin/buxton2ctl = cap_dac_override+ei
-/usr/bin/df = cap_dac_read_search+ei
-/usr/bin/crash-manager = cap_dac_override,cap_kill,cap_sys_ptrace+ei
-/usr/bin/memps = cap_dac_read_search,cap_sys_ptrace+ei
-/usr/bin/top = cap_sys_ptrace+ei
-/usr/bin/livedumper = cap_dac_override,cap_sys_ptrace+ei
-/usr/bin/nan-manager = cap_net_admin,cap_net_raw+ei
-/usr/sbin/stability-monitor = cap_kill,cap_sys_module,cap_sys_ptrace+ei
-/usr/libexec/bluetooth/bluetooth-meshd = cap_dac_override,cap_net_bind_service,cap_net_admin+ei
-/usr/bin/unified-backend = cap_chown,cap_dac_override,cap_fowner+ei
-/usr/bin/pkg_recovery = cap_chown,cap_dac_override,cap_fowner+ei
-/usr/bin/peripheral-bus = cap_dac_override+ei