Grant 'CAP_MAC_ADMIN' capability to WebProcess executable file

[Title] Grant inheritable/effective bit of 'CAP_MAC_ADMIN' capability to WebProcess executable file
[Issue#] N/A
[Problem] In 1 UI / N Web Process Model like web-provider,
          forked/executed WebProcess using tizen device apis needs to be changed to other proper process label.
          But, process label of WebProcess can't changed to other one.
[Cause] Current WebProcess executable file doesn't have necessary process capability (CAP_MAC_ADMIN).
        This capability makes a process to change its process label file (/proc/self/attr/current) directly.
[Solution] inheritable/effective bit of 'CAP_MAC_ADMIN' capability is set to xattr of /usr/bin/WebProcess
           This xattr is used by linux kernel, which calculates process capabilities of executed processes.
           forked/executed WebProcess has 'CAP_MAC_AMDIN' only if its parent UI process has also inheritable bit of the capability.
           So, inheritable bit of the capability will be set to web-provider (UI process)
           After this patch is applied, WebProcess from browser and web app doesn't have this capability as now.

Change-Id: Ic47b26041c9c3ca920b57fbb3b181a79e6ccb088

diff --git a/packaging/webkit2-efl.spec b/packaging/webkit2-efl.spec
index d31407f..4b0713e 100644 (file)
--- a/packaging/webkit2-efl.spec
+++ b/packaging/webkit2-efl.spec
@@ -146,6 +146,11 @@ mkdir -p %{buildroot}/usr/share/edje
 chmod 644 %{_libdir}/libewebkit2.so
 # 2. Resources
 chmod 644 /usr/share/edje/webkit.edj
+# 3. executables
+if [ `grep -c smack /proc/filesystems` -eq 1 ]
+then
+    setcap cap_mac_admin=ie %{_bindir}/WebProcess
+fi
 
 %postun