Give RX access to home and app dir to others 95/319695/6 accepted/tizen/unified/20250221.111443 accepted/tizen/unified/x/20250221.231456
authorKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Fri, 14 Feb 2025 18:05:53 +0000 (19:05 +0100)
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Wed, 19 Feb 2025 10:28:40 +0000 (10:28 +0000)
Without it other apps won't be able to access application
subdirectories.

Change-Id: I2d528d8288f4398650fd1e20400023f8c9500e44

CMakeLists.txt
config/91_user-dbspace-permissions.post [deleted file]
config/91_user-dbspace-permissions.post.in [new file with mode: 0644]
config/generate_configure_wos

index 685aad29272afa96762f54b90343640e5e37a75c..d82b45c53ed03b1ecb54aee434c7d62821c439a2 100755 (executable)
@@ -11,7 +11,12 @@ SET(VERSION "${VERSION_MAJOR}.0.2")
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/group_id_setting DESTINATION /usr/share/security-config)
 IF(WOS)
     INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/configure_wos DESTINATION /usr/share/security-config)
+    SET(HOME_APP_PERMISSIONS 755)
+ELSE(WOS)
+    SET(HOME_APP_PERMISSIONS 750)
 ENDIF(WOS)
+CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post.in ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post @ONLY)
+
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_label DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_capability DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/mdm_blacklist DESTINATION /usr/share/security-config)
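Review bot: The added `CONFIGURE_FILE` call writes its output into the source tree, at the same path as the tracked file this commit deletes. Two build directories configured from one checkout with different `WOS` settings would overwrite each other's permission script. Generating into the build tree avoids that: `CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post.in ${CMAKE_BINARY_DIR}/config/91_user-dbspace-permissions.post @ONLY)`. The install rule for the `.post` file is not visible in this hunk and would need to point at the new location. Because the mode that widens access is chosen here, a comment above the `SET` lines would help, such as `# WOS: other apps must reach the home and app dirs; every other profile keeps 750`.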
diff --git a/config/91_user-dbspace-permissions.post b/config/91_user-dbspace-permissions.post
deleted file mode 100644 (file)
index eb5dcf2..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/sh -e
-
-PATH=/bin:/usr/bin:/sbin:/usr/sbin
-
-NEW_USER=$1
-export `tzplatform-get --user $NEW_USER TZ_USER_HOME`
-export `tzplatform-get --user $NEW_USER TZ_USER_APP`
-export `tzplatform-get --user $NEW_USER TZ_USER_APPROOT`
-export `tzplatform-get --user $NEW_USER TZ_USER_DB`
-
-chown $NEW_USER:system_share $TZ_USER_HOME
-chmod 750 $TZ_USER_HOME
-
-chown $NEW_USER:system_share $TZ_USER_APP
-chmod 750 $TZ_USER_APP
-
-chown $NEW_USER:system_share $TZ_USER_APPROOT
-chmod 750 $TZ_USER_APPROOT
-
-chown $NEW_USER:system_share $TZ_USER_DB
-chmod 770 $TZ_USER_DB
-
-if [ ! -d $TZ_USER_DB/privacy ]
-then
-    mkdir -p $TZ_USER_DB/privacy
-fi
-
-chown $NEW_USER:system_share $TZ_USER_DB/privacy
-chmod 770 $TZ_USER_DB/privacy
-chsmack -a 'User' $TZ_USER_DB/privacy -t
diff --git a/config/91_user-dbspace-permissions.post.in b/config/91_user-dbspace-permissions.post.in
new file mode 100644 (file)
index 0000000..2cff589
--- /dev/null
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+NEW_USER=$1
+export `tzplatform-get --user $NEW_USER TZ_USER_HOME`
+export `tzplatform-get --user $NEW_USER TZ_USER_APP`
+export `tzplatform-get --user $NEW_USER TZ_USER_APPROOT`
+export `tzplatform-get --user $NEW_USER TZ_USER_DB`
+
+chown $NEW_USER:system_share $TZ_USER_HOME
+chmod @HOME_APP_PERMISSIONS@ $TZ_USER_HOME
+
+chown $NEW_USER:system_share $TZ_USER_APP
+chmod @HOME_APP_PERMISSIONS@ $TZ_USER_APP
+
+chown $NEW_USER:system_share $TZ_USER_APPROOT
+chmod 750 $TZ_USER_APPROOT
+
+chown $NEW_USER:system_share $TZ_USER_DB
+chmod 770 $TZ_USER_DB
+
+if [ ! -d $TZ_USER_DB/privacy ]
+then
+    mkdir -p $TZ_USER_DB/privacy
+fi
+
+chown $NEW_USER:system_share $TZ_USER_DB/privacy
+chmod 770 $TZ_USER_DB/privacy
+chsmack -a 'User' $TZ_USER_DB/privacy -t
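Review bot: On WOS builds the two `chmod @HOME_APP_PERMISSIONS@` lines expand to 755, which grants others read as well as search permission on `$TZ_USER_HOME` and `$TZ_USER_APP`. Any local account can then list the entries of those directories, not just traverse them. If other apps only need to reach subdirectories whose paths they already know, the execute bit alone is enough, so `SET(HOME_APP_PERMISSIONS 751)` in the WOS branch would keep the listing private. If listing really is required, a comment above these lines saying so would stop a later reader from treating 755 as an accident. Separately, `$NEW_USER` and the `$TZ_USER_*` expansions are unquoted throughout, and `$1` is never checked for being empty; quoting them (`chown "$NEW_USER":system_share "$TZ_USER_HOME"`) would make the script fail cleanly on unexpected input.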
index 8b3512c718b3dacb81b0248bf56e8cb89b0cbfe9..a3043c77f4710eda8fa0131ca76901f077ac6bae 100755 (executable)
@@ -29,6 +29,16 @@ function add_services_to_system_access_group {
        systemctl daemon-reload
 }
 
+function give_rx_to_others {
+       home="`/usr/bin/tzplatform-get TZ_SYS_HOME | cut -d'=' -f2-`"
+       for user_dir in "$home"/*; do
+               /usr/bin/chmod o+rx "$user_dir"
+               username=`/usr/bin/basename "$user_dir"`
+               app_dir=`/usr/bin/tzplatform-get -u $username TZ_USER_APP | cut -d'=' -f2-`
+               /usr/bin/chmod o+rx "$app_dir"
+       done
+}
+
 head -n "$((LINENO - 1))" "${BASH_SOURCE[0]}"
 
 echo 'services=('
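Review bot: `give_rx_to_others` treats every entry under `"$home"/*` as a user's home directory and never checks that the `tzplatform-get -u` lookup returned a path. A plain file, a non-user directory or an unmatched glob therefore still gets `chmod o+rx`, and an empty `$app_dir` is passed straight to `chmod`. Adding `[ -d "$user_dir" ] || continue` as the first line of the loop and guarding the last call as `[ -n "$app_dir" ] && /usr/bin/chmod o+rx "$app_dir"` would limit the change to real home directories. `$username` should also be quoted in the `tzplatform-get -u "$username"` call. This function presumably runs with elevated privileges and `chmod` follows symbolic links, so it is worth confirming that `$app_dir` cannot be replaced by its owner with a link before this runs on an already-populated system.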
@@ -38,3 +48,4 @@ echo ')'
 echo 'add_groups'
 echo 'add_services_to_system_access_group "${services[@]}"'
 echo 'add_missing_caps'
+echo 'give_rx_to_others'