pass: Add capability for netlink interface

Due to CVE-2011-2494 which prohibits non-privileged users from getting
process information via netlink, pass daemon should be executed by
root or get capability on NET_ADMIN. To do this, it adds capability
into systemd service attribute with cap_net_admin.

Change-Id: Iefd4ca98e963b38a038a8c326f3abad996bb81ee
Signed-off-by: Dongwoo Lee <dwoo08.lee@samsung.com>

diff --git a/systemd/pass.service.in b/systemd/pass.service.in
index 13b8bcf..3bd6f96 100644 (file)
--- a/systemd/pass.service.in
+++ b/systemd/pass.service.in
@@ -10,6 +10,8 @@ RestartSec=0
 KillSignal=SIGUSR1
 User=system_fw
 Group=system_fw
+Capabilities=cap_net_admin=i
+SecureBits=keep-caps
 
 [Install]
 WantedBy=delayed.target