Create a new script for setting permissions.

author Jin-gyu Kim <jin-gyu.kim@samsung.com>

Fri, 23 Apr 2021 05:31:51 +0000 (14:31 +0900)

committer Jin-gyu Kim <jin-gyu.kim@samsung.com>

Fri, 23 Apr 2021 07:01:13 +0000 (16:01 +0900)
author Jin-gyu Kim <jin-gyu.kim@samsung.com>
Fri, 23 Apr 2021 05:31:51 +0000 (14:31 +0900)
committer Jin-gyu Kim <jin-gyu.kim@samsung.com>
Fri, 23 Apr 2021 07:01:13 +0000 (16:01 +0900)
diff --git a/CMakeLists.txt b/CMakeLists.txt

index 4721fa1e82b22ffe47665a03b89fdc72f923bfc2..ffcded2877a6d9e1870b90d2ea001209b24fc5d1 100755 (executable)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -13,6 +13,7 @@ INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_label DESTINATION /usr/share/securi
  INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_capability DESTINATION /usr/share/security-config)
  INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/mdm_blacklist DESTINATION /usr/share/security-config)
  INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/update_privacy_mount_list.sh DESTINATION /usr/share/security-config)
+INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/change_permission DESTINATION /usr/share/security-config)
  INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/security-config.conf DESTINATION /usr/lib/tmpfiles.d/)
  INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/90_user-content-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
  INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
diff --git a/config/change_permission b/config/change_permission

new file mode 100644 (file)

index 0000000..b111fde
--- /dev/null
+++ b/config/change_permission
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Requested by sooyeon.kim@samsung.com (.voice) and dalton.lee@samsung.com (.multiassistant)
+dir_list=(".voice" ".multiassistant")
+for item in "${dir_list[@]}"
+do
+       if [ -e "/etc/skel/share/$item" ]
+       then
+               find /etc/skel/share/$item -print0 | xargs -0 chown app_fw:app_fw
+               find /etc/skel/share/$item -print0 | xargs -0 chsmack -a 'User::App::Shared'
+               find /etc/skel/share/$item -type d -print0 | xargs -0 chsmack -t
+       fi
+
+       for line in `find /opt/usr/home -maxdepth 1 -type d`
+       do
+               if [ -e "$line/share/$item" ]; then
+                       user=$(echo $line | cut -d"/" -f5)
+                       if getent passwd "$user"
+                       then
+                               find "$line/share/$item" -print0 | xargs -0 chown $user:users
+                               find "$line/share/$item" -print0 | xargs -0 chsmack -a 'User::App::Shared'
+                               find "$line/share/$item" -type d -print0 | xargs -0 chsmack -t
+                       fi
+               fi
+       done
+done
+
+# change permission to /opt/var/lib/misc
+# This is needed to retrieve CAP_DAC_OVERRIDE from mobileap-agent & dnsmasq.
+if [ -e /opt/var/lib/misc ]
+then
+       chown root:system_share /opt/var/lib/misc
+       chmod 0775 /opt/var/lib/misc
+fi
diff --git a/config/set_capability b/config/set_capability

index 02bd3ded884b832617d55f0f8028d174db0852a2..eab8f6c1c7bb7fb9ab9d5420e2d810f807dfb769 100755 (executable)
--- a/config/set_capability
+++ b/config/set_capability
@@ -907,39 +907,9 @@ if [ -e "/usr/sbin/mdnsd" ]
  then /usr/sbin/setcap cap_net_admin,cap_net_raw=ei /usr/sbin/mdnsd
  fi
  
-# TODO: MOVE TO OTHER SCRIPT OR REMOVE
-# Requested by sooyeon.kim@samsung.com (.voice) and dalton.lee@samsung.com (.multiassistant)
-dir_list=(".voice" ".multiassistant")
-for item in "${dir_list[@]}"
-do
-       if [ -e "/etc/skel/share/$item" ]
-       then
-               find /etc/skel/share/$item -print0 | xargs -0 chown app_fw:app_fw
-               find /etc/skel/share/$item -print0 | xargs -0 chsmack -a 'User::App::Shared'
-               find /etc/skel/share/$item -type d -print0 | xargs -0 chsmack -t
-       fi
-
-       for line in `find /opt/usr/home -maxdepth 1 -type d`
-       do
-               if [ -e "$line/share/$item" ]; then
-                       user=$(echo $line | cut -d"/" -f5);
-                       find "$line/share/$item" -print0 | xargs -0 chown $user:users
-                       find "$line/share/$item" -print0 | xargs -0 chsmack -a 'User::App::Shared'
-                       find "$line/share/$item" -type d -print0 | xargs -0 chsmack -t
-               fi
-       done
-done
-
-# change permission to /opt/var/lib/misc
-# This is needed to retrieve CAP_DAC_OVERRIDE from mobileap-agent & dnsmasq.
-if [ -e /opt/var/lib/misc ]
-then
-       chown root:system_share /opt/var/lib/misc
-       chmod 0775 /opt/var/lib/misc
-fi
-
-# This is not related with the capability, but place here to run in generic-security.post
+# These are not related with the capability, but place here to run in generic-security.post
  # It would be better to run this separately in generic-security.post future.
+/usr/share/security-config/change_permission
  if [ -e /usr/share/security-config/update_privacy_mount_list.sh ] && [ -e /usr/share/security-manager/policy/privilege-mount.list ] && [ ! -e /opt/share/askuser_disable ]
  then
         /usr/share/security-config/update_privacy_mount_list.sh
diff --git a/packaging/security-config.spec b/packaging/security-config.spec

index f5bcacba1c60cee64b0118ba6668baa4d301237a..9b76013f2a56b665732eccf8debef33734dda835 100755 (executable)
--- a/packaging/security-config.spec
+++ b/packaging/security-config.spec
@@ -146,6 +146,7 @@ chsmack -a "System::NoUse" /etc/smack/onlycap
  %attr(755,root,root) /usr/share/security-config/set_label
  %attr(755,root,root) /usr/share/security-config/set_capability
  %attr(755,root,root) /usr/share/security-config/mdm_blacklist
+%attr(755,root,root) /usr/share/security-config/change_permission
  %attr(700,root,root) /usr/share/security-config/update_privacy_mount_list.sh
  %attr(644,root,root) /usr/lib/tmpfiles.d/security-config.conf
  %attr(755,root,root) %{SECURITY_TEST_DIR}/image_test.sh
diff --git a/upgrade/201.security_upgrade.sh b/upgrade/201.security_upgrade.sh

index d9e78832fb90ee8e5b672508634886bab25bb3ed..8aae0859d8f319a196cd1e643dda503e15fcec9d 100644 (file)
--- a/upgrade/201.security_upgrade.sh
+++ b/upgrade/201.security_upgrade.sh
@@ -4,9 +4,14 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin
  . /etc/tizen-platform.conf
  
  # Init security-configuration
-/usr/share/security-config/group_id_setting
  /usr/share/security-config/set_label
-/usr/share/security-config/set_capability
+/usr/share/security-config/change_permission
+
+# Delete a flag file to run smack_default_labeling
+if [ -e /opt/share/security-config/.smack_pre_labeling ]
+then
+       rm /opt/share/security-config/.smack_pre_labeling
+fi
  
  # Migration of cynara DB
  # CYNARA_VERSION=$(rpm -qf /usr/bin/cynara  | cut -d "-" -f2)
author	Jin-gyu Kim <jin-gyu.kim@samsung.com>
	Fri, 23 Apr 2021 05:31:51 +0000 (14:31 +0900)
committer	Jin-gyu Kim <jin-gyu.kim@samsung.com>
	Fri, 23 Apr 2021 07:01:13 +0000 (16:01 +0900)
CMakeLists.txt		patch \| blob \| history
config/change_permission	[new file with mode: 0644]	patch \| blob
config/set_capability		patch \| blob \| history
packaging/security-config.spec		patch \| blob \| history
upgrade/201.security_upgrade.sh		patch \| blob \| history