add cap_net_bind_service capability

- 'Permitted' capability can make a process can call
system-call without the process's inherited capabilties.
So, security team would like to remove 'Permitted' capabilty.

This change is to remove 'Permitted' capability from hostapd.
To make this, Caller (i.e., wmeshd) should have tue same capabilities as
hostapd. Therefore we set wmeshd's capabilties to match hostapd.

Change-Id: Ifa13538064b9adcb26761f4b164496f8d0027db6
Signed-off-by: saerome kim <saerome.kim@samsung.com>

diff --git a/packaging/wifi-mesh-manager.spec b/packaging/wifi-mesh-manager.spec
index 9b4e6535f64d9258013d05002fa51f697b3fc284..b451ff71e64720ec7e32f08348d98088f39365f6 100644 (file)
--- a/packaging/wifi-mesh-manager.spec
+++ b/packaging/wifi-mesh-manager.spec
@@ -2,7 +2,7 @@
 
 Name:          wifi-mesh-manager
 Summary:       Wi-Fi mesh network daemon
-Version:       0.0.5
+Version:       0.0.6
 Release:       1
 Group:      Network & Connectivity/Wireless
 License:    Apache-2.0

diff --git a/packaging/wmeshd.service b/packaging/wmeshd.service
index a6b044bd4c306b346dfc5e147ab28f7a2f90452c..ab16ddb020abb7f350cc4179603d165aaadca8aa 100644 (file)
--- a/packaging/wmeshd.service
+++ b/packaging/wmeshd.service
@@ -11,5 +11,5 @@ BusName=net.wmesh.manager
 SmackProcessLabel=System
 ExecStart=/usr/bin/wmeshd
 CapabilityBoundingSet=~CAP_MAC_ADMIN
-Capabilities=cap_net_admin,cap_net_raw,cap_dac_override=i
+Capabilities=cap_net_admin,cap_net_raw,cap_dac_override,cap_net_bind_service=i
 SecureBits=keep-caps