add cap_net_bind_service capability 32/194432/1 accepted/tizen/unified/20181205.063340 submit/tizen/20181204.101028
author saerome kim <saerome.kim@samsung.com>
Tue, 4 Dec 2018 09:54:53 +0000 (18:54 +0900)
committer saerome kim <saerome.kim@samsung.com>
Tue, 4 Dec 2018 10:04:51 +0000 (19:04 +0900)
- 'Permitted' capability can make a process call
system-call without the process's inherited capabilities.
So, security team would like to remove 'Permitted' capability.

This change is to remove 'Permitted' capability from hostapd.
To make this, Caller (i.e., wmeshd) should have the same capabilities as
hostapd. Therefore we set wmeshd's capabilities to match hostapd.

Change-Id: Ifa13538064b9adcb26761f4b164496f8d0027db6
Signed-off-by: saerome kim <saerome.kim@samsung.com>
packaging/wifi-mesh-manager.spec
packaging/wmeshd.service

index 9b4e653..b451ff7 100644 (file)
@@ -2,7 +2,7 @@
 
 Name:          wifi-mesh-manager
 Summary:       Wi-Fi mesh network daemon
-Version:       0.0.5
+Version:       0.0.6
 Release:       1
 Group:      Network & Connectivity/Wireless
 License:    Apache-2.0
index a6b044b..ab16ddb 100644 (file)
@@ -11,5 +11,5 @@ BusName=net.wmesh.manager
 SmackProcessLabel=System
 ExecStart=/usr/bin/wmeshd
 CapabilityBoundingSet=~CAP_MAC_ADMIN
-Capabilities=cap_net_admin,cap_net_raw,cap_dac_override=i
+Capabilities=cap_net_admin,cap_net_raw,cap_dac_override,cap_net_bind_service=i
 SecureBits=keep-caps
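
Review bot: In the wmeshd.service hunk, the unchanged context line `CapabilityBoundingSet=~CAP_MAC_ADMIN` still leaves every capability except CAP_MAC_ADMIN in the bounding set, while the `Capabilities=` line now names only four inheritable capabilities. Since the commit message frames this as a privilege reduction requested by the security team, consider turning the bounding set into an allow-list of the same four (cap_net_admin, cap_net_raw, cap_dac_override, cap_net_bind_service) so that wmeshd and the hostapd process it starts cannot acquire anything beyond them. The message also says the set is chosen to match hostapd, but hostapd's capability set is not part of this change; a comment in the unit file pointing to where that set is defined would keep the two from drifting and would let a reader confirm that cap_dac_override is still required.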