Create a new script for setting permissions.

This script needs to be run while image is being created or updated.
(After in-house applications are installed.)
We could consider it to be run in security-config service, but it will
increase the 1st boot time.

Change-Id: I5a11dd720ea46ae69b1acc6be09305c74fb39292

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5422877de983c10cc1e0d604cd950a7352307e10..e70d997e41bdd38bf9054a9d9c227a5172d9fed7 100755 (executable)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -13,6 +13,7 @@ INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_label DESTINATION /usr/share/securi
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_capability DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/mdm_blacklist DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/update_privacy_mount_list.sh DESTINATION /usr/share/security-config)
+INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/change_permission DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/security-config.conf DESTINATION /usr/lib/tmpfiles.d/)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/90_user-content-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)

diff --git a/config/change_permission b/config/change_permission
new file mode 100644 (file)
index 0000000..5a27d50
--- /dev/null
+++ b/config/change_permission
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Requested by sooyeon.kim@samsung.com (.voice) and dalton.lee@samsung.com (.multiassistant)
+dir_list=(".voice" ".multiassistant")
+for item in "${dir_list[@]}"
+do
+       if [ -e "/etc/skel/share/$item" ]
+       then
+               find /etc/skel/share/$item -print0 | xargs -0 chown app_fw:app_fw
+               find /etc/skel/share/$item -print0 | xargs -0 chsmack -a 'User::App::Shared'
+               find /etc/skel/share/$item -type d -print0 | xargs -0 chsmack -t
+       fi
+
+       for line in `find /opt/usr/home -maxdepth 1 -type d`
+       do
+               if [ -e "$line/share/$item" ]; then
+                       user=$(echo $line | cut -d"/" -f5)
+                       if getent passwd $user
+                       then
+                               find "$line/share/$item" -print0 | xargs -0 chown $user:users
+                               find "$line/share/$item" -print0 | xargs -0 chsmack -a 'User::App::Shared'
+                               find "$line/share/$item" -type d -print0 | xargs -0 chsmack -t
+                       fi
+               fi
+       done
+done
+
+# change permission to /opt/var/lib/misc
+# This is needed to retrieve CAP_DAC_OVERRIDE from mobileap-agent & dnsmasq.
+if [ -e /opt/var/lib/misc ]
+then
+       chown root:system_share /opt/var/lib/misc
+       chmod 0775 /opt/var/lib/misc
+fi

diff --git a/config/set_capability b/config/set_capability
index 3f193b69388c6afdc99bd4b1285ced8f61258875..5baf60710ba2b5f3c46de7f9bacc411160f638c3 100755 (executable)
--- a/config/set_capability
+++ b/config/set_capability
@@ -560,38 +560,9 @@ if [ -e "/usr/bin/dlog_logger" ]
 then /usr/sbin/setcap cap_syslog=ei /usr/bin/dlog_logger
 fi
 
-# TODO: MOVE TO OTHER SCRIPT OR REMOVE
-# Requested by sooyeon.kim@samsung.com
-if [ -e "/etc/skel/share/.voice" ]
-then
-find /etc/skel/share/.voice -print0 | xargs -0 chown app_fw:app_fw
-find /etc/skel/share/.voice -print0 | xargs -0 chsmack -a 'User::App::Shared'
-find /etc/skel/share/.voice -type d -print0 | xargs -0 chsmack -t
-fi
-
-for line in `find /opt/usr/home -maxdepth 1 -type d`
-do
-        if [ -e "$line/share/.voice" ]; then
-                user=$(echo $line | cut -d"/" -f5);
-                find "$line/share/.voice" -print0 | xargs -0 chown $user:users
-                find "$line/share/.voice" -print0 | xargs -0 chsmack -a 'User::App::Shared'
-                find "$line/share/.voice" -type d -print0 | xargs -0 chsmack -t
-        fi
-done
-
-# Set SMACK label as "System::Privileged" in /opt/var/security-manager/rules
-chsmack -r -a "System::Privileged" /opt/var/security-manager/rules
-
-# change permission to /opt/var/lib/misc
-# This is needed to retrieve CAP_DAC_OVERRIDE from mobileap-agent & dnsmasq.
-if [ -e /opt/var/lib/misc ]
-then
-       chown root:system_share /opt/var/lib/misc
-       chmod 0775 /opt/var/lib/misc
-fi
-
-# This is not related with the capability, but place here to run in generic-security.post
+# These are not related with the capability, but place here to run in generic-security.post
 # It would be better to run this separately in generic-security.post future.
+/usr/share/security-config/change_permission
 if [ -e /usr/share/security-config/update_privacy_mount_list.sh ] && [ -e /usr/share/security-manager/policy/privilege-mount.list ] && [ ! -e /opt/share/askuser_disable ]
 then
        /usr/share/security-config/update_privacy_mount_list.sh

diff --git a/packaging/security-config.spec b/packaging/security-config.spec
index a6c36fa0ca3f11ed8496cbe7564d1ae3b7b2d84d..03e54472d78cba6f529307538a0e9d78c6c76350 100755 (executable)
--- a/packaging/security-config.spec
+++ b/packaging/security-config.spec
@@ -92,6 +92,7 @@ rm /opt/share/security-config/test/capability_test/*
 %attr(755,root,root) /usr/share/security-config/set_label
 %attr(755,root,root) /usr/share/security-config/set_capability
 %attr(755,root,root) /usr/share/security-config/mdm_blacklist
+%attr(755,root,root) /usr/share/security-config/change_permission
 %attr(700,root,root) /usr/share/security-config/update_privacy_mount_list.sh
 %attr(644,root,root) /usr/lib/tmpfiles.d/security-config.conf
 %attr(755,root,root) /opt/share/security-config/test/*

diff --git a/upgrade/201.security_upgrade.sh b/upgrade/201.security_upgrade.sh
index ae191833f99890b902d12aac67a267a0528ae90b..0467ef03ab1e113733986953411c9056bff17a70 100644 (file)
--- a/upgrade/201.security_upgrade.sh
+++ b/upgrade/201.security_upgrade.sh
@@ -4,9 +4,14 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin
 . /etc/tizen-platform.conf
 
 # Init security-configuration
-/usr/share/security-config/group_id_setting
 /usr/share/security-config/set_label
-/usr/share/security-config/set_capability
+/usr/share/security-config/change_permission
+
+# Delete a flag file to run smack_default_labeling
+if [ -e /opt/share/security-config/.smack_pre_labeling ]
+then
+       rm /opt/share/security-config/.smack_pre_labeling
+fi
 
 # Migration of cynara DB
 # CYNARA_VERSION=$(rpm -qf /usr/bin/cynara  | cut -d "-" -f2)