spec: Santize programs' permissions 41/255241/1
authorKarol Lewandowski <k.lewandowsk@samsung.com>
Mon, 15 Mar 2021 14:00:47 +0000 (15:00 +0100)
committerKarol Lewandowski <k.lewandowsk@samsung.com>
Mon, 15 Mar 2021 14:07:13 +0000 (15:07 +0100)
Use default only where necessary and clearly
write the reason behind it.

Change-Id: I96b696c4b8268a9548be3f105dc827a67b436742

packaging/crash-worker.spec

index 2338cd7..85558f9 100644 (file)
@@ -283,21 +283,23 @@ fi
 %license LICENSE
 %manifest crash-worker.manifest
 %dir %{crash_root_path}
+# attr() needed because: crash-worker running as crash_worker:crash_worker (user:group) creates files/dir under this path
 %attr(0775,crash_worker,crash_worker) %{crash_path}
-%attr(-,root,root) %{upgrade_script_path}/500.crash-manager-upgrade.sh
+%{upgrade_script_path}/500.crash-manager-upgrade.sh
 
 %files dumpsystemstate-util
 %manifest crash-worker.manifest
 %license LICENSE
-%attr(0750,crash_worker,crash_worker) %{_bindir}/dump_systemstate
+# attr() needed because: dump_systemstate has Smack exec_label(=System) set and we don't want to allow everyone to abuse it
+%attr(0750,root,crash_worker) %{_bindir}/dump_systemstate
 
 %if %{with dumpsystemstateservice}
 %files dumpsystemstate-service
 %license LICENSE
 %manifest crash-worker.manifest
-%attr(0750,crash_worker,crash_worker) %{_bindir}/dump_systemstate-service
-%attr(-,root,root) %{_unitdir}/dump_systemstate.service
-%attr(-,root,root) %{_datadir}/dbus-1/system-services/org.tizen.dumpsys.providers.org.tizen.systemstate.service
+%{_bindir}/dump_systemstate-service
+%{_unitdir}/dump_systemstate.service
+%{_datadir}/dbus-1/system-services/org.tizen.dumpsys.providers.org.tizen.systemstate.service
 %endif
 
 %files dumpsystemstate-config
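Review bot: `%{_bindir}/dump_systemstate-service` loses its `%attr(0750,crash_worker,crash_worker)` and now takes whatever mode the install step left in the buildroot, which usually means world-executable. The sibling `dump_systemstate` keeps 0750, with a comment that its Smack exec label must not be usable by everyone. If crash-worker.manifest (not visible in this hunk) gives the service binary a comparable exec label, keep it restricted with `%attr(0750,root,crash_worker) %{_bindir}/dump_systemstate-service`, adjusting the group to whatever account the unit runs as. If it carries no label, say so in a comment such as `# default attrs: no Smack exec_label on this binary`, so the asymmetry with `dump_systemstate` is documented. Changing the owner of `dump_systemstate` from crash_worker to root looks right, since the service account can then no longer rewrite a labelled executable.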
@@ -310,8 +312,9 @@ fi
 %files support-regdump
 %license LICENSE
 %manifest crash-worker.manifest
-%attr(-,root,root) %{_prefix}/lib/sysctl.d/70-crash-manager.conf
-%attr(0750,crash_worker,crash_worker) %{_bindir}/crash-manager
+%{_prefix}/lib/sysctl.d/70-crash-manager.conf
+# attr() needed because: crash-worker has Smack exec_label(=System::Privileged) set and we don't want to allow everyone to abuse it
+%attr(0750,root,crash_worker) %{_bindir}/crash-manager
 %{_libexecdir}/crash-popup-launch
 %{_libexecdir}/crash-notify-send
 %endif
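Review bot: The comment added above `%{_bindir}/crash-manager` names crash-worker as the labelled program, but the `%attr()` line it justifies applies to crash-manager. If crash-manager is the binary carrying `System::Privileged`, word it `# attr() needed because: crash-manager has Smack exec_label(=System::Privileged) set and we don't want to allow everyone to abuse it`. The comment could also record that root ownership is deliberate, e.g. `# owned by root so the crash_worker account cannot modify the labelled binary`. `crash-popup-launch` and `crash-notify-send` in the same section stay on default attributes, so it is worth confirming against the manifest that neither has an exec label of its own.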
@@ -374,7 +377,6 @@ fi
 %if %{with tests}
 %files tests
 %manifest %{name}.manifest
-%defattr(-,root,root)
 %{_libexecdir}/crash-worker/tests/test1-default-crash
 %{_libexecdir}/crash-worker/tests/test1-default-sleep
 %{_libexecdir}/crash-worker/tests/test1-default-ill