crash-service: Drop priv_* group from policy as these are not allowed by tizen sanity...

It seems priv_* groups can not be explicitly listed, as image creation fails with:

[01/21 15:50:01 UTC] FAILED(assert) at /busconfig/policy[3] : Group 'priv_*' is not allowed.
[01/21 15:50:01 UTC] Found 1 Fails
[01/21 15:50:01 UTC] Remove conf file : mv /etc/dbus-1/system.d/crash-service.conf /etc/dbus-1/system.d/crash-service.conf.fail

Change-Id: Ieea004890dfbccddf9d16ee949f55f3a02461bcc

diff --git a/NOTES.rst b/NOTES.rst
index 4daa395..d207ec5 100644 (file)
--- a/NOTES.rst
+++ b/NOTES.rst
@@ -3,7 +3,9 @@ Livecoredumper & livecoredump APIs
 ============
 
 ``livedump_pid()`` API method was created for use by system services and system
-applications, and therefore requires a special privilege
+applications.
+
+Applications wanting to use the API must have a special privilege
 ``http://tizen.com/privilege/internal/livecoredump`` which can only be granted
 manually by::
 
@@ -14,3 +16,12 @@ section. There is no way to give this privilege to TPK applications from TPK
 installer. In this case, the privilege should be granded externally, after the
 TPK is installed.
 
+System services wanting to use the API must provide appriate dbus configuration
+that will allow such usage, eg.
+
+    <policy user="stability_monitor">
+            <allow send_destination="org.tizen.system.crash.livedump"
+                   send_interface="org.tizen.system.crash.livedump"
+                   send_member="livedump_pid"/>
+    </policy>
+

diff --git a/src/crash-service/crash-service.conf b/src/crash-service/crash-service.conf
index ca7e768..b013b57 100644 (file)
--- a/src/crash-service/crash-service.conf
+++ b/src/crash-service/crash-service.conf
@@ -1,28 +1,24 @@
 <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
-       <policy user="root">
-               <allow send_destination="org.tizen.system.crash.livedump"
-                      send_interface="org.tizen.system.crash.livedump"
-                      send_member="livedump_pid"/>
-       </policy>
        <policy user="crash_worker">
                <allow own="org.tizen.system.crash.livedump"/>
                <allow own="org.tizen.system.diagnostics"/>
        </policy>
-       <policy group="priv_livecoredump">
-               <!-- Following section is for services wanting to use livedump api.
-                    Thoretically, the <policy group=..> should be enough to support
-                    both service and application case.  However, this does not work
-                    in practice due to dbus-daemon getting group membership from
-                    static source (via getgrouplist), while in Tizen it's dynamic,
-                    assigned to application by security-manager.  Dbus-daemon would
-                    need to use SO_PEERGROUP socket option for this to work, but it's
-                    supported only in kernels >= 4.13. -->
+
+       <!-- Each system service wanting to use livedump api must have explicit access rule,
+            like the ones below -->
+       <policy user="stability_monitor">
+               <allow send_destination="org.tizen.system.crash.livedump"
+                      send_interface="org.tizen.system.crash.livedump"
+                      send_member="livedump_pid"/>
+       </policy>
+       <policy user="root">
                <allow send_destination="org.tizen.system.crash.livedump"
                       send_interface="org.tizen.system.crash.livedump"
                       send_member="livedump_pid"/>
        </policy>
+
        <policy context="default">
                <deny own="org.tizen.system.crash.livedump"/>
                <deny send_destination="org.tizen.system.crash.livedump"/>