Remove smack capability 84/78284/4 accepted/tizen/common/20160705.170657 accepted/tizen/ivi/20160705.101924 accepted/tizen/mobile/20160705.102008 accepted/tizen/tv/20160705.101919 accepted/tizen/wearable/20160705.101945 submit/tizen/20160705.083235
authorYunmi Ha <yunmi.ha@samsung.com>
Tue, 5 Jul 2016 04:40:16 +0000 (13:40 +0900)
committerYunmi Ha <yunmi.ha@samsung.com>
Tue, 5 Jul 2016 08:03:11 +0000 (17:03 +0900)
With the wearable profile, the CAP_MAC_ADMIN and CAP_MAC_OVERRIDE capabilities are removed
(the useradd/del/modify functions can't be used without the offline option).
With the other profiles, only the CAP_MAC_OVERRIDE capability is removed.

For this, gumd launcher was changed to systemd.

Change-Id: Ic95fceed41afc41e37e93606c3abf830536ac7d6
Signed-off-by: Yunmi Ha <yunmi.ha@samsung.com>
.gitignore
data/Makefile.am
data/Makefile.in
data/gumd.service [new file with mode: 0755]
packaging/gumd.spec
src/daemon/dbus/gumd-dbus-group-service-adapter.c [changed mode: 0644->0755]
src/daemon/dbus/gumd-dbus-user-service-adapter.c [changed mode: 0644->0755]
src/daemon/dbus/services/org.O1.SecurityAccounts.gUserManagement.service.in

index e49dce2..4936907 100644 (file)
@@ -36,7 +36,6 @@ test/data/services/org.O1.SecurityAccounts.gUserManagement.service
 test/data/test-gumd-dbus.conf
 src/utils/gum-utils
 stamp-h1
-*service
 docs/gumd-decl-list.txt
 docs/gumd-decl.txt
 docs/gumd-overrides.txt
index 1ca8c11..5a66951 100644 (file)
@@ -1,5 +1,6 @@
 EXTRA_DIST = \
       gumd.conf.in \
+      gumd.service \
       tizen
 
 gumdconfdir = ${sysconfdir}/gumd
index b955e96..478fab4 100644 (file)
@@ -301,6 +301,7 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 EXTRA_DIST = \
       gumd.conf.in \
+      gumd.service \
       tizen
 
 gumdconfdir = ${sysconfdir}/gumd
diff --git a/data/gumd.service b/data/gumd.service
new file mode 100755 (executable)
index 0000000..021c614
--- /dev/null
@@ -0,0 +1,10 @@
+[Unit]
+Description=User Management service
+Requires=dbus.socket
+After=dbus.socket
+
+[Service]
+Type=dbus
+BusName=org.O1.SecurityAccounts.gUserManagement
+ExecStart=/usr/bin/gumd
+CapabilityBoundingSet=~CAP_MAC_OVERRIDE
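Review bot: `CapabilityBoundingSet=~CAP_MAC_OVERRIDE` is a deny-list, so gumd still starts with every other capability in its bounding set, including CAP_MAC_ADMIN on non-wearable profiles. An allow-list naming only the capabilities the daemon needs would fail closed; which ones those are cannot be determined from this hunk and needs checking against the daemon code. The unit is also added with mode 100755, and unit files should not be executable (the spec installs it 0644, but the tree copy should match). The bounding set only applies when gumd is started through this unit, so the D-Bus activation file should hand off with `SystemdService=gumd.service`; that file's change is not visible here.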
index 751eaf7..0a59e5c 100644 (file)
@@ -4,6 +4,13 @@
 # WARNING! do not use for production builds as it will break security
 %define debug_build 0
 
+%if "%{profile}" == "wearable"
+%define disable_cap_admin 1
+%else
+%define disable_cap_admin 0
+%endif
+
+
 Name:    gumd
 Summary: User management daemon and client library
 Version: 1.0.8
@@ -80,6 +87,9 @@ Requires:   libgum = %{version}-%{release}
 %setup -q -n %{name}-%{version}
 cp -a %{SOURCE1001} %{name}.manifest
 cp -a %{SOURCE1002} libgum.manifest
+%if %{disable_cap_admin} == 1
+echo "CapabilityBoundingSet=~CAP_MAC_ADMIN" >> data/gumd.service
+%endif
 
 %build
 autoreconf -ivf
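Review bot: Appending with `echo ... >> data/gumd.service` only lands in `[Service]` while that is the last section of the unit and the file ends in a newline. If an `[Install]` section is ever added, the CAP_MAC_ADMIN drop ends up in the wrong section and systemd ignores it with only a log warning, so the wearable image silently keeps the capability. It also relies on systemd combining two separate `~` lines. Rewriting the existing line is sturdier, e.g. `sed -i 's/^CapabilityBoundingSet=.*/CapabilityBoundingSet=~CAP_MAC_OVERRIDE CAP_MAC_ADMIN/' data/gumd.service`, ideally followed by `grep -q CAP_MAC_ADMIN data/gumd.service` so a failed substitution breaks the build. The %prep section starts outside this hunk.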
@@ -96,6 +106,8 @@ rm -rf %{buildroot}
 rm -f %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
 install -m 755 -d %{buildroot}%{_sysconfdir}/%{name}
 install -m 644 data/tizen/etc/%{name}/%{name}-tizen-common.conf %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
+install -m 755 -d %{buildroot}%{_unitdir}
+install -m 644 data/gumd.service %{buildroot}%{_unitdir}
 
 %post
 ldconfig
@@ -144,6 +156,7 @@ install -d -m 755 %{_localstatedir}/lib/%{name}/user
 %dir %{_sysconfdir}/dbus-1
 %dir %{_sysconfdir}/dbus-1/system.d
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/gumd-dbus.conf
+%{_unitdir}/gumd.service
 %endif
 
 %files doc
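Review bot: The new `%{_unitdir}/gumd.service` entry sits inside a conditional that closes at the `%endif` directly below it, while the `install` lines added in the %install hunk show no matching guard in their visible context. If that condition can be false, the build would most likely stop on an installed-but-unpackaged file. Should the install be guarded as well, the package would ship without the unit and gumd would then start without the capability bounding set. The opening `%if` is outside this hunk, so this needs checking against the full spec; if the unit is meant to ship in every configuration, move the entry below the `%endif`.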