This script needs to be run while the image is being created or updated
(after in-house applications are installed).
We could consider running it in the security-config service, but that would
increase the first boot time.
Change-Id: I5a11dd720ea46ae69b1acc6be09305c74fb39292
INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_capability DESTINATION /usr/share/security-config)
INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/mdm_blacklist DESTINATION /usr/share/security-config)
INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/update_privacy_mount_list.sh DESTINATION /usr/share/security-config)
+INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/change_permission DESTINATION /usr/share/security-config)
INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/security-config.conf DESTINATION /usr/lib/tmpfiles.d/)
INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/90_user-content-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
--- /dev/null
+#!/bin/bash
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Requested by sooyeon.kim@samsung.com (.voice) and dalton.lee@samsung.com (.multiassistant)
+dir_list=(".voice" ".multiassistant")
+for item in "${dir_list[@]}"
+do
+ if [ -e "/etc/skel/share/$item" ]
+ then
+ find /etc/skel/share/$item -print0 | xargs -0 chown app_fw:app_fw
+ find /etc/skel/share/$item -print0 | xargs -0 chsmack -a 'User::App::Shared'
+ find /etc/skel/share/$item -type d -print0 | xargs -0 chsmack -t
+ fi
+
+ for line in `find /opt/usr/home -maxdepth 1 -type d`
+ do
+ if [ -e "$line/share/$item" ]; then
+ user=$(echo $line | cut -d"/" -f5)
+ if getent passwd $user
+ then
+ find "$line/share/$item" -print0 | xargs -0 chown $user:users
+ find "$line/share/$item" -print0 | xargs -0 chsmack -a 'User::App::Shared'
+ find "$line/share/$item" -type d -print0 | xargs -0 chsmack -t
+ fi
+ fi
+ done
+done
+
+# change permission to /opt/var/lib/misc
+# This is needed to retrieve CAP_DAC_OVERRIDE from mobileap-agent & dnsmasq.
+if [ -e /opt/var/lib/misc ]
+then
+ chown root:system_share /opt/var/lib/misc
+ chmod 0775 /opt/var/lib/misc
+fi
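Review bot: The per-user loop runs `chown $user:users` as root on every path `find` returns under `$line/share/$item`, and plain `chown` dereferences symbolic links. If those trees are writable by the user by the time this runs on an updated image, a link placed inside `.voice` or `.multiassistant` would give that user ownership of the link's target. Use `find "$line/share/$item" -print0 | xargs -0 chown -h "$user":users` (and `-h` on the `/etc/skel` line too) so only the link itself is changed. Separately, `find /opt/usr/home -maxdepth 1 -type d` also returns `/opt/usr/home` itself, for which `cut` yields an empty name and `getent passwd` with no key succeeds. Adding `-mindepth 1` and writing `getent passwd "$user" > /dev/null` closes that gap and keeps the passwd entry out of the build log.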
fi
-# TODO: MOVE TO OTHER SCRIPT OR REMOVE
-# Requested by sooyeon.kim@samsung.com (.voice) and dalton.lee@samsung.com (.multiassistant)
-dir_list=(".voice" ".multiassistant")
-for item in "${dir_list[@]}"
-do
- if [ -e "/etc/skel/share/$item" ]
- then
- find /etc/skel/share/$item -print0 | xargs -0 chown app_fw:app_fw
- find /etc/skel/share/$item -print0 | xargs -0 chsmack -a 'User::App::Shared'
- find /etc/skel/share/$item -type d -print0 | xargs -0 chsmack -t
- fi
-
- for line in `find /opt/usr/home -maxdepth 1 -type d`
- do
- if [ -e "$line/share/$item" ]; then
- user=$(echo $line | cut -d"/" -f5);
- find "$line/share/$item" -print0 | xargs -0 chown $user:users
- find "$line/share/$item" -print0 | xargs -0 chsmack -a 'User::App::Shared'
- find "$line/share/$item" -type d -print0 | xargs -0 chsmack -t
- fi
- done
-done
-
-# change permission to /opt/var/lib/misc
-# This is needed to retrieve CAP_DAC_OVERRIDE from mobileap-agent & dnsmasq.
-if [ -e /opt/var/lib/misc ]
-then
- chown root:system_share /opt/var/lib/misc
- chmod 0775 /opt/var/lib/misc
-fi
-
-# This is not related with the capability, but place here to run in generic-security.post
+# These are not related with the capability, but place here to run in generic-security.post
# It would be better to run this separately in generic-security.post future.
+/usr/share/security-config/change_permission
if [ -e /usr/share/security-config/update_privacy_mount_list.sh ] && [ -e /usr/share/security-manager/policy/privilege-mount.list ] && [ ! -e /opt/share/askuser_disable ]
then
/usr/share/security-config/update_privacy_mount_list.sh
%attr(755,root,root) /usr/share/security-config/set_label
%attr(755,root,root) /usr/share/security-config/set_capability
%attr(755,root,root) /usr/share/security-config/mdm_blacklist
+%attr(755,root,root) /usr/share/security-config/change_permission
%attr(700,root,root) /usr/share/security-config/update_privacy_mount_list.sh
%attr(644,root,root) /usr/lib/tmpfiles.d/security-config.conf
%attr(755,root,root) %{SECURITY_TEST_DIR}/image_test.sh
. /etc/tizen-platform.conf
# Init security-configuration
-/usr/share/security-config/group_id_setting
/usr/share/security-config/set_label
-/usr/share/security-config/set_capability
+/usr/share/security-config/change_permission
+
+# Delete a flag file to run smack_default_labeling
+if [ -e /opt/share/security-config/.smack_pre_labeling ]
+then
+ rm /opt/share/security-config/.smack_pre_labeling
+fi
# Migration of cynara DB
# CYNARA_VERSION=$(rpm -qf /usr/bin/cynara | cut -d "-" -f2)
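Review bot: Replacing the `/usr/share/security-config/set_capability` call with `change_permission` here also drops everything else set_capability did on this path. Judging by the set_capability hunk in this commit, that includes the guarded `update_privacy_mount_list.sh` run. If that is intended, a comment above the new call would make it explicit, e.g. `# set_capability is intentionally not run here; see <reason>`. Otherwise the mount-list update needs its own call. The exit status of `change_permission` is also ignored, so a failed `chown` or `chsmack` passes silently; consider logging a non-zero return.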