Add cap_setuid also for app loaders in dev_wos mode 43/324143/1 accepted/tizen/9.0/unified/20250517.164436
authorTomasz Swierczek <t.swierczek@samsung.com>
Fri, 4 Apr 2025 07:59:54 +0000 (09:59 +0200)
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>
Tue, 13 May 2025 08:31:17 +0000 (10:31 +0200)
This requires adding cap_setuid to AmbientCapabilities in systemd's user
service configuration. To avoid forking systemd, we modify its
configuration as part of the no-smack configuration script.

Change-Id: I0d2892b2e123de6059e2dee6b34d5f15c9f0face

config/generate_configure_wos
config/set_capability
packaging/security-config.spec

index 630207e1bb158be04fd6085362923866838b56e6..cab69b195fcfe8df0c31deaea4323e750b10e045 100755 (executable)
@@ -4,12 +4,48 @@ set -euo pipefail
 PATH=/bin:/usr/bin:/sbin:/usr/sbin
 
 function add_missing_caps {
-       # Launchpad needs additional caps. Re-setting them here with additional cap_setuid for the
+       # Launchpad & app loaders needs additional caps. Re-setting them here with additional cap_setuid for the
        # purpose of security-config development (rpm postinstall).
        if [ -e "/usr/bin/launchpad-process-pool" ]
        then
                existing_caps=`/usr/sbin/getcap /usr/bin/launchpad-process-pool | cut -f2 -d" " | cut -f1 -d"="`
-               /usr/sbin/setcap "${existing_caps},cap_setuid=eip" /usr/bin/launchpad-process-pool
+               /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/launchpad-process-pool
+       fi
+
+       if [ -e "/usr/bin/launchpad-loader" ] && [ ! -e "/usr/bin/launchpad-starter" ]
+       then
+               existing_caps=`/usr/sbin/getcap /usr/bin/launchpad-loader | cut -f2 -d" " | cut -f1 -d"="`
+               /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/launchpad-loader
+       fi
+
+       if [ -e "/usr/bin/app-defined-loader" ] && [ ! -e "/usr/bin/launchpad-starter" ]
+       then
+               existing_caps=`/usr/sbin/getcap /usr/bin/app-defined-loader | cut -f2 -d" " | cut -f1 -d"="`
+               /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/app-defined-loader
+       fi
+
+       if [ -e "/usr/bin/dotnet-hydra-loader" ]
+       then
+               existing_caps=`/usr/sbin/getcap /usr/bin/dotnet-hydra-loader | cut -f2 -d" " | cut -f1 -d"="`
+               /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/dotnet-hydra-loader
+       fi
+
+       if [ -e "/usr/bin/dotnet-loader" ]
+       then
+               existing_caps=`/usr/sbin/getcap /usr/bin/dotnet-loader | cut -f2 -d" " | cut -f1 -d"="`
+               /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/dotnet-loader
+       fi
+
+       if [ -e "/usr/bin/wrt-loader" ]
+       then
+               existing_caps=`/usr/sbin/getcap /usr/bin/wrt-loader | cut -f2 -d" " | cut -f1 -d"="`
+               /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/wrt-loader
+       fi
+
+       if [ -e "/usr/bin/lux" ]
+       then
+               existing_caps=`/usr/sbin/getcap /usr/bin/lux | cut -f2 -d" " | cut -f1 -d"="`
+               /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/lux
        fi
 }
 
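Review bot: The six new `if` blocks on L31–L64 repeat the same getcap/setcap sequence verbatim, and every one of them misbehaves when `getcap` prints nothing for the binary: `existing_caps` is then empty and `setcap ",cap_setuid=ei"` is run with a leading comma, which setcap rejects, so the generated script aborts under `set -e` instead of granting the capability. A small helper that re-reads the current file caps, handles the empty case and is called once per path keeps the logic in one place and the binary list next to the identical list in `update_set_capability_script` (third hunk), which has to stay in sync with it; the `cut`-based parsing of getcap output is kept as the original wrote it. The `[ ! -e "/usr/bin/launchpad-starter" ]` guard mirrors the one in config/set_capability, which that file marks as temporary; a comment saying so here would help whoever removes it later.
```shell
function add_setuid_cap {
	# $1: absolute path of a loader binary. Re-applies its current file caps
	# with cap_setuid added; when the file has no caps yet, sets cap_setuid alone.
	local target="$1"
	local existing_caps
	existing_caps=$(/usr/sbin/getcap "$target" | cut -f2 -d" " | cut -f1 -d"=")
	if [ -n "$existing_caps" ]
	then
		/usr/sbin/setcap "${existing_caps},cap_setuid=ei" "$target"
	else
		/usr/sbin/setcap "cap_setuid=ei" "$target"
	fi
}

function add_missing_caps {
	# … unchanged: header comment …
	local bin
	for bin in launchpad-process-pool dotnet-hydra-loader dotnet-loader wrt-loader lux
	do
		if [ -e "/usr/bin/${bin}" ]
		then
			add_setuid_cap "/usr/bin/${bin}"
		fi
	done
	# launchpad-loader and app-defined-loader only while launchpad-starter is absent
	# (mirrors the condition config/set_capability marks as temporary).
	if [ ! -e "/usr/bin/launchpad-starter" ]
	then
		for bin in launchpad-loader app-defined-loader
		do
			if [ -e "/usr/bin/${bin}" ]
			then
				add_setuid_cap "/usr/bin/${bin}"
			fi
		done
	fi
}
```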
@@ -39,6 +75,14 @@ function give_rx_to_others {
        done
 }
 
+function add_caps_to_user_session {
+       user_service="/usr/lib/systemd/system/user@.service"
+       if [ -e "$user_service" ]
+       then
+               grep "AmbientCapabilities=.*cap_setuid" "$user_service" || sed -ri 's/(AmbientCapabilities=)/\1cap_setuid /' "$user_service"
+       fi
+}
+
 head -n "$((LINENO - 1))" "${BASH_SOURCE[0]}"
 
 echo 'services=('
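Review bot: The `grep` on L76 runs without `-q`, so the matched `AmbientCapabilities=` line is printed to stdout on every run of the generated script, and when the unit contains no `AmbientCapabilities=` line at all the `sed` substitutes nothing and the function returns success without the capability ever being granted. Use `grep -q "^AmbientCapabilities=.*cap_setuid" "$user_service" || sed -ri 's/^(AmbientCapabilities=)/\1cap_setuid /' "$user_service"` (the `^` also stops a commented-out line from satisfying the check), followed by `grep -q "^AmbientCapabilities=.*cap_setuid" "$user_service" || echo "warning: no AmbientCapabilities= line in $user_service" >&2` so the silent no-op becomes visible; `user_service` should be `local` as well. Two things deserve a comment above the function: the ambient set configured on `user@.service` propagates to the processes the user manager spawns, not only to the loaders, so this widens cap_setuid to the whole user session (defensible for a no-smack development configuration, but it should be stated), and editing the vendor unit under `/usr/lib/systemd/system` in place is undone by the next systemd package update, where a drop-in under `/etc/systemd/system/user@.service.d/` would survive. Whether a `systemctl daemon-reload` is needed after the edit depends on when the generated script runs, which is not visible here.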
@@ -49,16 +93,35 @@ echo 'add_groups'
 echo 'add_services_to_system_access_group "${services[@]}"'
 echo 'add_missing_caps'
 echo 'give_rx_to_others'
+echo 'add_caps_to_user_session'
 
 
 function update_set_capability_script {
-       # Launchpad needs additional caps. updating the set_capability script that is executed by *.ks
+       # Launchpad & loaders need additional caps. Updating the set_capability script that is executed by *.ks
        # file during image creation (after rpms are installed) and is tested with
        # test/capability_test/check_new_capabilites.sh afterwards
        SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
        sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/launchpad-process-pool)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
        sed -ri 's/(# Required\s+\/usr\/bin\/launchpad-process-pool\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+       sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/launchpad-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+       sed -ri 's/(# Required\s+\/usr\/bin\/launchpad-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+       sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/app-defined-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+       sed -ri 's/(# Required\s+\/usr\/bin\/app-defined-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+       sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/dotnet-hydra-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+       sed -ri 's/(# Required\s+\/usr\/bin\/dotnet-hydra-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+       sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/dotnet-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+       sed -ri 's/(# Required\s+\/usr\/bin\/dotnet-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+       sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/wrt-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+       sed -ri 's/(# Required\s+\/usr\/bin\/wrt-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+       sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/lux)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+       sed -ri 's/(# Required\s+\/usr\/bin\/lux\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
 }
 
-update_set_capability_script
\ No newline at end of file
+update_set_capability_script
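Review bot: The twelve `sed -ri` calls on L97–L116 differ only in the binary name, each rewriting `set_capability` in place, and the first pattern of every pair is not anchored, so `(.+ \/usr\/bin\/lux)` would also rewrite a setcap line for any other path beginning with `/usr/bin/lux` (none is visible on this page, but the pattern allows it). Looping over a single list, with `$` after the path, removes the repetition and keeps the list next to the one in `add_missing_caps` (first hunk), which must match it. Prepending `cap_setuid,` on every invocation is unchanged from the original; if this script can run twice against the same tree, a `grep -q cap_setuid` guard before the loop would avoid a duplicated entry.
```shell
	# Binaries that gain cap_setuid in dev_wos mode; keep in sync with add_missing_caps.
	local loaders=(launchpad-process-pool launchpad-loader app-defined-loader
	               dotnet-hydra-loader dotnet-loader wrt-loader lux)
	local bin
	for bin in "${loaders[@]}"
	do
		sed -ri "s#(/usr/sbin/setcap\s+)(.+ /usr/bin/${bin})\$#\1 cap_setuid,\2#" "$SCRIPT_DIR/set_capability"
		sed -ri "s#(\# Required\s+/usr/bin/${bin}\s+:)(.+)\$#\1 cap_setuid,\2#" "$SCRIPT_DIR/set_capability"
	done
```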
index 9f39d86e988b69234da2e469c521216f18d54efe..0d06e0992a03007046fbbde4cae87ee3701b4699 100755 (executable)
@@ -425,7 +425,7 @@ fi
 # Package               platform/core/appfw/launchpad
 # Owner                 Junghoon Park(jh9216.park@samsung.com)
 # Date                  July 4, 2017
-# Required              /usr/bin/launchpad-process-pool : cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_admin, cap_sys_nice, cap_sys_chroot : eip
+# Required              /usr/bin/launchpad-process-pool : cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_admin, cap_sys_nice, cap_sys_chroot : ei
 # Required              /usr/bin/launchpad-loader : cap_sys_admin,cap_sys_nice,cap_setgid : ei
 # cap_mac_admin                to use security_manager_prepare_app()
 # cap_dac_override      fd redirection in debug mode of app running
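Review bot: Dropping the `p` flag on L128, and on the matching setcap line at L137 in the next hunk, means launchpad-process-pool no longer holds these capabilities in its permitted set unconditionally; it gets them only when the process that execs it already carries them in its inheritable set, which presumably is what the new `AmbientCapabilities=cap_setuid` in `user@.service` is meant to supply for cap_setuid — but nothing here explains why the other five capabilities also lose `p`, and the description does not mention it. If that is intended, a one-line comment next to the `# Required` entry such as `# ei only (no p): caps are activated through the launching session's inheritable set, not granted unconditionally` would record it; if it is accidental, launchpad-process-pool loses cap_sys_admin and the rest on images that never run the dev_wos script. The `# Required` comment and the setcap line remain consistent with each other, which is good.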
@@ -435,7 +435,7 @@ fi
 # cap_sys_chroot       to use setns()
 
 if [ -e "/usr/bin/launchpad-process-pool" ]
-then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid,cap_sys_chroot=eip /usr/bin/launchpad-process-pool
+then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid,cap_sys_chroot=ei /usr/bin/launchpad-process-pool
 fi
 
 # TODO : condition check about launchpad-starter is temporary
index 27762914877ab48a8ef9a4cce30db40806a0516d..da1bf54996e205c376bc3b4e65906c3bb5f07e33 100755 (executable)
@@ -9,6 +9,7 @@ Source1:        %{name}.manifest
 BuildRequires:  cmake
 Requires:       shadow-utils
 Requires:       libcap-tools
+Requires:       systemd
 
 %{!?TZ_SYS_RO_SHARE: %global TZ_SYS_RO_SHARE /usr/share}
 %global SECURITY_TEST_DIR %{TZ_SYS_RO_SHARE}/security-config/test
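Review bot: `Requires: systemd` on L146 is a hard dependency for every consumer of security-config, while the only new use of systemd is the in-place edit of `user@.service` in the generated dev_wos script, which already skips the edit when the unit is absent via `[ -e "$user_service" ]`. If the dependency exists to guarantee the unit is installed before the script runs from a scriptlet, `Requires(post): systemd` expresses that ordering; if it is needed only for the dev_wos configuration, the plain `Requires:` pulls systemd into images that never use it. This is inferred from the hunk; the scriptlet that runs the script is outside this page.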