# cap_sys_time settimeofday() system call and rtc setting time need privilege; CAP_SYS_TIME
if [ -e "/usr/bin/alarm-server" ]
-then /usr/sbin/setcap cap_sys_time=eip /usr/bin/alarm-server
+then /usr/sbin/setcap cap_sys_time=ei /usr/bin/alarm-server
fi
# Package download-provider
# cap_dac_override needs to access directory which user id is different (override DAC permission)
if [ -e "/usr/bin/download-provider" ]
-then /usr/sbin/setcap cap_chown,cap_dac_override=eip /usr/bin/download-provider
+then /usr/sbin/setcap cap_chown,cap_dac_override=ei /usr/bin/download-provider
fi
# Package media-server
# client would be another service daemon and application
if [ -e "/usr/bin/media-server" ]
-then /usr/sbin/setcap cap_dac_read_search=eip /usr/bin/media-server
+then /usr/sbin/setcap cap_dac_read_search=ei /usr/bin/media-server
fi
# Package csr-server
# cap_fowner csr-server needs to remove files set with sticky bit in /tmp (rwxrwxrwt)
if [ -e "/usr/bin/csr-server" ]
-then /usr/sbin/setcap cap_dac_override,cap_fowner=eip /usr/bin/csr-server
+then /usr/sbin/setcap cap_dac_override,cap_fowner=ei /usr/bin/csr-server
fi
# Package msg-server
# cap_lease Establish leases on arbitrary files
if [ -e "/usr/bin/msg-server" ]
-then /usr/sbin/setcap cap_chown,cap_lease,cap_net_admin,cap_net_raw=eip /usr/bin/msg-server
+then /usr/sbin/setcap cap_chown,cap_lease,cap_net_admin,cap_net_raw=ei /usr/bin/msg-server
fi
# Package pkgmgr-server
# cap_setuid setuid function
if [ -e "/usr/bin/pkgmgr-server" ]
-then /usr/sbin/setcap cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid=eip /usr/bin/pkgmgr-server
+then /usr/sbin/setcap cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid=ei /usr/bin/pkgmgr-server
fi
# Package app-installers
# cap_fowner use chmod API
if [ -e "/usr/bin/pkgdir-tool" ]
-then /usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=eip /usr/bin/pkgdir-tool
+then /usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=ei /usr/bin/pkgdir-tool
fi
# Package mused
# cap_dac_override access to directories of applications
if [ -e "/usr/bin/muse-server" ]
-then /usr/sbin/setcap cap_dac_override=eip /usr/bin/muse-server
+then /usr/sbin/setcap cap_dac_override=ei /usr/bin/muse-server
fi
# Package gpsd
# Package mobileap-agent
# Owner Seonah Moon(seonah1.moon@samsung.com)
# Date Oct 7, 2016
-# Required cap_dac_override, cap_fowner, cap_net_admin, cap_net_bind_service
-# cap_fowner network interface configruration
+# Required cap_net_admin, cap_net_bind_service
# cap_net_admin to use ioctl socket
# cap_net_bind_service to call bind
if [ -e "/usr/bin/mobileap-agent" ]
-then /usr/sbin/setcap cap_fowner,cap_net_admin,cap_net_bind_service=eip /usr/bin/mobileap-agent
+then /usr/sbin/setcap cap_net_admin,cap_net_bind_service=ei /usr/bin/mobileap-agent
fi
# route is using by mobileap-agent
then /usr/sbin/setcap cap_dac_override=eip /usr/bin/pkg_cleardata
fi
-# launchpad package checks build option before giving capability.
-# Therefore, caps will be given in spec file.
# Package platform/core/appfw/launchpad
# Owner Junghoon Park(jh9216.park@samsung.com)
# Date July 4, 2017
# cap_mac_admin to use security_manager_prepare_app()
# cap_dac_override fd redirection in debug mode of app running
# cap_setgid to use security_manager_prepare_app()
+# cap_sys_admin to split mount namespace
+# cap_sys_nice to change scheduling priority
-#if [ -e "/usr/bin/launchpad-process-pool" ]
-#then /usr/sbin/setcap cap_mac_admin,cap_dac_override,cap_setgid=ei /usr/bin/launchpad-process-pool
-#fi
+if [ -e "/usr/bin/launchpad-process-pool" ]
+then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid=ei /usr/bin/launchpad-process-pool
+fi
-#if [ -e "/usr/bin/launchpad-loader" ]
-#then /usr/sbin/setcap cap_setgid=ei /usr/bin/launchpad-loader
-#fi
+if [ -e "/usr/bin/launchpad-loader" ]
+then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_setgid=ei /usr/bin/launchpad-loader
+fi
# Package platform/core/dotnet/launcher
# Owner Pius Lee(pius.lee@samsung.com)
projects / platform / core / security / security-config.git / commitdiff