Add app_access and system_access groups + add services to the latter 34/318334/6 accepted/tizen_unified_x_asan accepted/tizen/unified/20250128.152850 accepted/tizen/unified/x/20250212.043846 accepted/tizen/unified/x/asan/20250211.003510
authorKrzysztof Malysa <k.malysa@samsung.com>
Wed, 15 Jan 2025 15:23:06 +0000 (16:23 +0100)
committerKrzysztof Malysa <k.malysa@samsung.com>
Fri, 17 Jan 2025 13:34:49 +0000 (14:34 +0100)
Change-Id: I3d41f4df66adee1ffe8088c8668e4d3725375988

CMakeLists.txt
config/generate_configure_wos [new file with mode: 0755]
packaging/security-config.spec

index ffcded2877a6d9e1870b90d2ea001209b24fc5d1..685aad29272afa96762f54b90343640e5e37a75c 100755 (executable)
@@ -9,6 +9,9 @@ SET(VERSION_MAJOR 0)
 SET(VERSION "${VERSION_MAJOR}.0.2")
 
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/group_id_setting DESTINATION /usr/share/security-config)
+IF(WOS)
+    INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/configure_wos DESTINATION /usr/share/security-config)
+ENDIF(WOS)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_label DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_capability DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/mdm_blacklist DESTINATION /usr/share/security-config)
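Review bot: The added `INSTALL(FILES ...)` inside `IF(WOS)` installs configure_wos without the executable bit, although the spec runs it from %post; the mode is only corrected by the `%attr(755,root,root)` entry in the spec's %files. `INSTALL(PROGRAMS ${CMAKE_SOURCE_DIR}/config/configure_wos DESTINATION /usr/share/security-config)` would also make a plain `make install` produce a runnable script. The file is generated by the spec's %build step rather than checked in, so configuring with -DWOS=ON outside rpmbuild fails at install time. A comment such as `# configure_wos is generated by config/generate_configure_wos (see packaging/security-config.spec)` above the `IF(WOS)` would make that dependency visible.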
diff --git a/config/generate_configure_wos b/config/generate_configure_wos
new file mode 100755 (executable)
index 0000000..ccdb0de
--- /dev/null
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -euo pipefail
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+function add_groups {
+       groupadd --force system_access
+       groupadd --force app_access
+}
+
+function add_services_to_system_access_group {
+       for service_path in "$@"; do
+               unit_name="${service_path##*/}"
+               mkdir -p "/etc/systemd/system/${unit_name}.d/"
+               cat > "/etc/systemd/system/${unit_name}.d/system_access.conf" <<- EOF
+                       [Service]
+                       SupplementaryGroups=system_access
+               EOF
+       done
+       systemctl daemon-reload
+}
+
+head -n "$((LINENO - 1))" "${BASH_SOURCE[0]}"
+
+echo 'services=('
+grep -iP '[^,]\.service' test/new_service_test/systemd_service.csv | sed "s/^\([^,]*\),.*/\t'\1'/"
+echo ')'
+
+echo 'add_groups'
+echo 'add_services_to_system_access_group "${services[@]}"'
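Review bot: The `grep | sed` line that fills `services=(` matches `.service` anywhere in a CSV row but emits the first field, and it wraps that field in single quotes without escaping. A row whose first column is not a unit, or a name containing `'`, therefore lands verbatim in a script that %post runs as root. Assuming the first column holds the unit path, anchoring the match to that column and letting bash do the quoting closes both gaps: `cut -d, -f1 test/new_service_test/systemd_service.csv | grep -i '\.service$' | while IFS= read -r s; do printf '\t%q\n' "$s"; done`. The set of services that receive `SupplementaryGroups=system_access` comes from a test fixture, so a comment above this line stating that the CSV is the allowlist for the group grant would help whoever reviews later edits to it.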
index d7ae400de001bac703a3b8b3e32bb153c9f4fe03..27762914877ab48a8ef9a4cce30db40806a0516d 100755 (executable)
@@ -57,7 +57,14 @@ additional security tests and settings for IoT headless profile
 
 %build
 
+%if "%{?dev_wos}" == "1"
+config/generate_configure_wos > config/configure_wos
+%endif
+
 %cmake . -DARCH=%{_arch} \
+%if "%{?dev_wos}" == "1"
+       -DWOS=ON \
+%endif
        -DSYSTEMD_INSTALL_DIR=%{_unitdir}
 
 %install
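Review bot: The output of `config/generate_configure_wos > config/configure_wos` in %build is packaged and later executed as root with no check that it is a well-formed script. Adding `bash -n config/configure_wos` on the line after the redirect makes a CSV row that breaks the generated array fail the build instead of failing in %post on the device. The generator reads `test/new_service_test/systemd_service.csv` by relative path, so it relies on %build running from the source root; a one-line comment saying so would document that assumption.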
@@ -86,6 +93,9 @@ cp -f test/utils/riscv64/* %{buildroot}%{SECURITY_TEST_DIR}/utils/
 
 %post
 /usr/share/security-config/group_id_setting
+%if "%{?dev_wos}" == "1"
+/usr/share/security-config/configure_wos
+%endif
 /usr/share/security-config/set_label
 mkdir -p /opt/share/security-config/result
 mkdir -p /opt/share/security-config/log
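Review bot: The new `/usr/share/security-config/configure_wos` call in %post has its exit status ignored, and the script ends with `systemctl daemon-reload` under `set -e` (see config/generate_configure_wos), which presumably fails when the package is installed into an image root with no running systemd. The drop-ins are already written by then, but the failure is silent here. Guarding the reload in the generator with `if [ -d /run/systemd/system ]; then systemctl daemon-reload; fi` and logging a failed run here with `/usr/share/security-config/configure_wos || echo "configure_wos failed" >&2` would make the outcome explicit. A reload does not restart running units, so on a live system the new supplementary group only applies after the services restart; a comment stating that would set the right expectation.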
@@ -142,6 +152,9 @@ chsmack -a "System::NoUse" /etc/smack/onlycap
 %attr(755,root,root) /usr/share/security-config/set_capability
 %attr(755,root,root) /usr/share/security-config/mdm_blacklist
 %attr(755,root,root) /usr/share/security-config/change_permission
+%if "%{?dev_wos}" == "1"
+%attr(755,root,root) /usr/share/security-config/configure_wos
+%endif
 %attr(700,root,root) /usr/share/security-config/update_privacy_mount_list.sh
 %attr(644,root,root) /usr/lib/tmpfiles.d/security-config.conf
 %attr(755,root,root) %{SECURITY_TEST_DIR}/image_test.sh
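Review bot: %files gains the script but not the files it creates, so the `/etc/systemd/system/<unit>.d/system_access.conf` drop-ins written by configure_wos are owned by no package. Removing or downgrading security-config then leaves the `system_access` grant on every listed service, unless a scriptlet outside this hunk cleans them up. Shipping the drop-ins from %install so rpm tracks them, or adding a matching removal in %postun, would keep the privilege tied to the package. As a smaller point, the script is only useful to root, so `%attr(700,root,root)`, as already used for update_privacy_mount_list.sh on the following line, fits better than 755.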