Migrate root daemon to non-root

author hyunuktak <hyunuk.tak@samsung.com>

Tue, 17 Apr 2018 01:02:23 +0000 (10:02 +0900)

committer hyunuktak <hyunuk.tak@samsung.com>

Tue, 17 Apr 2018 01:02:25 +0000 (10:02 +0900)
author hyunuktak <hyunuk.tak@samsung.com>
Tue, 17 Apr 2018 01:02:23 +0000 (10:02 +0900)
committer hyunuktak <hyunuk.tak@samsung.com>
Tue, 17 Apr 2018 01:02:25 +0000 (10:02 +0900)
diff --git a/packaging/stc-iptables.spec b/packaging/stc-iptables.spec

index 5c8d1be..b3db15f 100644 (file)
--- a/packaging/stc-iptables.spec
+++ b/packaging/stc-iptables.spec
@@ -1,6 +1,6 @@
  Name:       stc-iptables
  Summary:    STC(Smart Traffic Control) iptables
-Version:    0.0.12
+Version:    0.0.13
  Release:    0
  Group:      Network & Connectivity/Other
  License:    GPL-2.0+
@@ -71,14 +71,14 @@ chown network_fw:network_fw /opt/usr/data/network
  %manifest %{name}.manifest
  %license LICENSE
  %license COPYING
-%defattr(-,root,root,-)
-%attr(500,root,root) %{_bindir}/stc-iptables
+%defattr(-,network_fw,network_fw,-)
+%attr(500,network_fw,network_fw) %{_bindir}/stc-iptables
  
  %attr(644,root,root) %{_libdir}/systemd/system/stc-iptables.service
  %attr(644,root,root) %{_libdir}/systemd/system/multi-user.target.wants/stc-iptables.service
  
  #DBus DAC
-%attr(644,root,root) %{_sysconfdir}/dbus-1/system.d/stc-iptables.conf
+%attr(644,network_fw,network_fw) %{_sysconfdir}/dbus-1/system.d/stc-iptables.conf
  
  #Test
  %{_bindir}/stc_ipt_test
diff --git a/resources/dbus/stc-iptables.conf b/resources/dbus/stc-iptables.conf

index 5f3239b..1cc8769 100755 (executable)
--- a/resources/dbus/stc-iptables.conf
+++ b/resources/dbus/stc-iptables.conf
@@ -7,6 +7,12 @@
                 <allow send_interface="net.stc"/>
                 <allow receive_sender="net.stc"/>
         </policy>
+       <policy user="network_fw">
+               <allow own="net.stc"/>
+               <allow send_destination="net.stc"/>
+               <allow send_interface="net.stc"/>
+               <allow receive_sender="net.stc"/>
+       </policy>
         <policy context="default">
                 <deny own="net.stc"/>
                 <deny send_destination="net.stc"/>
diff --git a/resources/systemd/stc-iptables.service b/resources/systemd/stc-iptables.service

index 413520b..44046d9 100755 (executable)
--- a/resources/systemd/stc-iptables.service
+++ b/resources/systemd/stc-iptables.service
@@ -6,8 +6,12 @@ After=dbus.socket
  
  [Service]
  Type=forking
+User=network_fw
+Group=network_fw
  SmackProcessLabel=System
  ExecStart=/usr/bin/stc-iptables
+Capabilities=cap_net_bind_service,cap_net_raw,cap_net_admin=i
+SecureBits=keep-caps
  Restart=always
  
  [Install]
author	hyunuktak <hyunuk.tak@samsung.com>
	Tue, 17 Apr 2018 01:02:23 +0000 (10:02 +0900)
committer	hyunuktak <hyunuk.tak@samsung.com>
	Tue, 17 Apr 2018 01:02:25 +0000 (10:02 +0900)
packaging/stc-iptables.spec		patch \| blob \| history
resources/dbus/stc-iptables.conf		patch \| blob \| history
resources/systemd/stc-iptables.service		patch \| blob \| history