projects / platform / core / security / security-config.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7dbd277)
Add cap_dac_override to isud binary 10/309510/1 accepted/tizen/unified/20240423.164547 accepted/tizen/unified/x/20240425.051128
authorAdam Michalski <a.michalski2@partner.samsung.com>
Thu, 11 Apr 2024 13:49:58 +0000 (15:49 +0200)
committerAdam Michalski <a.michalski2@partner.samsung.com>
Thu, 11 Apr 2024 13:53:44 +0000 (15:53 +0200)
- This is needed by the isud to perform clean-up of the unnecessary
  files from globalapps path which is owned by tizenglobalapp:root
  but the isud service is run with the system:system user and group.

Reference ticket: SECSFV-271

Change-Id: Ib4b57bf44891dc902fa18d2c555c0e91adad93c9

config/set_capability patch | blob | history

diff --git a/config/set_capability b/config/set_capability
index b28b271aceef2733888efae2d0b6e4764ef7ea0a..99d83bfe356ef470441c6db1df759c0111536edb 100755 (executable)
--- a/config/set_capability
+++ b/config/set_capability
@@ -968,6 +968,15 @@ if [ -e "/usr/bin/pass" ]
 then /usr/sbin/setcap cap_net_admin,cap_sys_ptrace,cap_sys_resource=ei /usr/bin/pass
 fi
 
+# Package              platform/core/system/isu
+# Date                 Apr 11, 2024
+# Required             /usr/bin/isud : cap_dac_override : ei
+# cap_dac_override     isud needs to access application's directory for scanning and removing app files
+
+if [ -e "/usr/bin/isud" ]
+then /usr/sbin/setcap cap_dac_override=ei /usr/bin/isud
+fi
+
 # These are not related with the capability, but place here to run in generic-security.post
 # It would be better to run this separately in generic-security.post future.
 /usr/share/security-config/change_permission
Domain: Security / Access Control;