From: taesub kim Date: Thu, 22 Jun 2017 08:48:25 +0000 (+0900) Subject: Migrate root daemon to non root X-Git-Tag: accepted/tizen/4.0/unified/20170816.010931^2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;ds=sidebyside;h=a0067c41e287dadc8b7af99aa30d13e78aa9096f;p=platform%2Fcore%2Fconnectivity%2Fnet-config.git Migrate root daemon to non root rebase - https://review.tizen.org/gerrit/#/c/139065/ Change-Id: I1506bd31c8ed8d737612bb560094ddce559b4491 Signed-off-by: Taesub Kim
---
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0704fd0..350148c 100755
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2,7 +2,7 @@ CMAKE_MINIMUM_REQUIRED(VERSION 2.6)
 PROJECT(net-config C)
 SET(PACKAGE ${PROJECT_NAME})
 SET(PREFIX ${CMAKE_INSTALL_PREFIX})
-SET(BINDIR "${PREFIX}/sbin")
+SET(BINDIR "${PREFIX}/bin")
 SET(DATADIR "${PREFIX}/share")
 SET(LIBDIR "${PREFIX}/${LIB_PATH}")
 SET(INTERFACES "${CMAKE_SOURCE_DIR}/interfaces")
@@ -128,5 +128,6 @@ ADD_EXECUTABLE(${PROJECT_NAME} ${SRCS} ${CMAKE_SOURCE_DIR}/generated-code.c)
 TARGET_LINK_LIBRARIES(${PROJECT_NAME} ${pkgs_LDFLAGS} ${PCAP_LIB} "-ldl")
 INSTALL(TARGETS ${PROJECT_NAME} DESTINATION ${BINDIR})
+INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/security-network-config.conf DESTINATION /usr/lib/tmpfiles.d/)
 ADD_SUBDIRECTORY(plugin/headed)
diff --git a/config/security-network-config.conf b/config/security-network-config.conf
new file mode 100644
index 0000000..c8b2eab
--- /dev/null
+++ b/config/security-network-config.conf
@@ -0,0 +1,2 @@
+z /sys/module/dhd/parameters/firmware_path 0660 root network_fw -
+z /sys/module/dhd/parameters/nvram_path 0660 root network_fw -
diff --git a/packaging/net-config.spec b/packaging/net-config.spec
index f7e2c1b..f12d8a7 100755
--- a/packaging/net-config.spec
+++ b/packaging/net-config.spec
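Review bot: Both `z` lines in the new `security-network-config.conf` give group `network_fw` write access to the dhd driver's `firmware_path` and `nvram_path` module parameters with no comment saying why, so every process in that group can now choose which firmware and NVRAM image the kernel driver loads. A header comment such as `# net-config (network_fw) rewrites these when switching Wi-Fi firmware; keep this group limited to that daemon` would record the intent, and the group's membership should be checked against it. A `z` entry only adjusts a path that exists when systemd-tmpfiles runs, so if the dhd module is loaded later in boot these entries presumably never take effect; that ordering is not visible in this change and is worth confirming.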
@@ -144,8 +144,9 @@ chsmack -a 'System::Shared' %{_sysconfdir}/resolv.conf
 chsmack -a 'System::Shared' %{TZ_SYS_ETC}/resolv.conf
 #Network logs
-#mkdir -p /opt/usr/data/network
-#chmod 755 /opt/usr/data/network
+mkdir -p /opt/usr/data/network
+chmod 755 /opt/usr/data/network
+chown network_fw:network_fw /opt/usr/data/network
 #chsmack -a 'System' /opt/usr/data/network
 #Add net-config.service to systemd extra default dependency ignore list
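Review bot: The log directory is created with mode 755 and handed to `network_fw` while the `#chsmack -a 'System' /opt/usr/data/network` line just below stays commented out, so the directory is listable by every account and presumably keeps whatever Smack label the scriptlet context gives it. Since `src/utils/log.c` in this commit moves `netconfig.log` into this directory, consider `chmod 750 /opt/usr/data/network` unless other accounts must read the logs, and either restore the `chsmack` line or add a comment such as `# Smack label intentionally left at default: <reason>`. The enclosing scriptlet starts outside this hunk, so when it runs (image creation, upgrade, or both) is not visible here.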
@@ -167,22 +168,22 @@ ln -sf %{_unitdir}/net-config.service %{_sysconfdir}/systemd/default-extra-depen
 %files
 %manifest net-config.manifest
-%attr(500,root,root) %{_sbindir}/*
-%attr(644,root,root) %{_sysconfdir}/resolv.conf
-%attr(644,root,root) %{TZ_SYS_ETC}/resolv.conf
-%attr(644,root,root) /usr/share/upgrade/data/resolv.conf
-%attr(644,root,root) %{_datadir}/dbus-1/system-services/*
+%attr(500,network_fw,network_fw) %{_bindir}/*
+%attr(644,network_fw,network_fw) %{_sysconfdir}/resolv.conf
+%attr(644,network_fw,network_fw) %{TZ_SYS_ETC}/resolv.conf
+%attr(644,network_fw,network_fw) /usr/share/upgrade/data/resolv.conf
+%attr(644,network_fw,network_fw) %{_datadir}/dbus-1/system-services/*
 #DBus DAC
-%attr(644,root,root) %{_sysconfdir}/dbus-1/system.d/*
-%attr(644,root,root) %{_libdir}/systemd/system/net-config.service
-%attr(644,root,root) %{_libdir}/systemd/system/multi-user.target.wants/net-config.service
+%attr(644,network_fw,network_fw) %{_sysconfdir}/dbus-1/system.d/*
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/net-config.service
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/multi-user.target.wants/net-config.service
 %if "%{?_lib}" == "lib64"
-%attr(644,root,root) %{_unitdir}/net-config.service
-%attr(644,root,root) %{_unitdir}/multi-user.target.wants/net-config.service
+%attr(644,network_fw,network_fw) %{_unitdir}/net-config.service
+%attr(644,network_fw,network_fw) %{_unitdir}/multi-user.target.wants/net-config.service
 %endif
 %license LICENSE
 %if 0%{?model_build_feature_wlan_wearable} == 1
-%attr(700,root,root) /usr/system/RestoreDir/softreset/network_softreset.sh
+%attr(700,network_fw,network_fw) /usr/system/RestoreDir/softreset/network_softreset.sh
 %endif
 %{upgrade_script_path}/500.netconfig_upgrade.sh
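Review bot: In this `%files` list the daemon's own account becomes the owner of its executable, its systemd units and its D-Bus policy and activation files, which undoes much of the privilege separation the commit introduces: a file's owner can always chmod and rewrite it, so a compromised `network_fw` process could edit `net-config.service` (where `User=` and the capabilities are set) or `%{_sysconfdir}/dbus-1/system.d/*`, and root-run components would act on the result at the next start. Keep these entries owned by root, for example `%attr(644,root,root) %{_libdir}/systemd/system/net-config.service`, and make the binary executable but not writable by the service account, for example `%attr(750,root,network_fw) %{_bindir}/*`; only files the daemon must rewrite at run time (presumably the `resolv.conf` entries) need `network_fw` ownership. The same applies to the hunk at `-192,12`, where the udev rules file, the `.service.tv` units, the plugin `.so` and the new `tmpfiles.d` file are also given to `network_fw`.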
@@ -192,12 +193,13 @@ mv %{_libdir}/systemd/system/net-config.service.tv %{_libdir}/systemd/system/net
 mv %{_unitdir}/net-config.service.tv %{_unitdir}/net-config.service
 %endif
 %files profile_tv
-%attr(644,root,root) %{_libdir}/udev/rules.d/99-wifiusb-dev.rules
-%attr(644,root,root) %{_libdir}/systemd/system/net-config.service.tv
+%attr(644,network_fw,network_fw) %{_libdir}/udev/rules.d/99-wifiusb-dev.rules
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/net-config.service.tv
 %if "%{?_lib}" == "lib64"
-%attr(644,root,root) %{_unitdir}/net-config.service.tv
+%attr(644,network_fw,network_fw) %{_unitdir}/net-config.service.tv
 %endif
 %files plugin-headed
 %manifest net-config.manifest
-%attr(500,root,root) %{_libdir}/net-config-plugin-headed.so
+%attr(500,network_fw,network_fw) %{_libdir}/net-config-plugin-headed.so
+%attr(644,network_fw,network_fw) /usr/lib/tmpfiles.d/security-network-config.conf
diff --git a/resources/etc/dbus-1/system.d/net-config.conf b/resources/etc/dbus-1/system.d/net-config.conf
index ffc5439..b04ad6a 100755
--- a/resources/etc/dbus-1/system.d/net-config.conf
+++ b/resources/etc/dbus-1/system.d/net-config.conf
@@ -5,6 +5,10 @@
+
+
+
+
diff --git a/resources/usr/lib/systemd/system/net-config.service b/resources/usr/lib/systemd/system/net-config.service
index 7689155..7e5ad77 100755
--- a/resources/usr/lib/systemd/system/net-config.service
+++ b/resources/usr/lib/systemd/system/net-config.service
@@ -5,11 +5,13 @@ After=dbus.socket
 [Service]
 Type=forking
+User=network_fw
+Group=network_fw
 SmackProcessLabel=System
-ExecStart=/usr/sbin/net-config
+ExecStart=/usr/bin/net-config
 Restart=on-failure
-CapabilityBoundingSet=~CAP_MAC_ADMIN
-CapabilityBoundingSet=~CAP_MAC_OVERRIDE
+Capabilities=cap_net_admin,cap_net_raw=i
+SecureBits=keep-caps
 [Install]
 WantedBy=multi-user.target
diff --git a/resources/usr/lib/systemd/system/net-config_tv.service b/resources/usr/lib/systemd/system/net-config_tv.service
index 7b3a1be..d328bc9 100755
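Review bot: The new `/usr/lib/tmpfiles.d/security-network-config.conf` entry is listed under `%files plugin-headed`, although the top-level `CMakeLists.txt` installs it and the main daemon is the process that runs as `network_fw`. On an image that ships the base package without `plugin-headed`, the sysfs ownership rule would presumably be missing, so the entry looks like it belongs in the main `%files` list, e.g. `%attr(644,root,root) /usr/lib/tmpfiles.d/security-network-config.conf`. If the placement is deliberate, a one-line comment above the entry saying why would help.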
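Review bot: In `net-config.service` the two `CapabilityBoundingSet=~CAP_MAC_ADMIN` / `~CAP_MAC_OVERRIDE` lines are dropped without a replacement, so the unit no longer bounds what the service, or anything it executes, can acquire; a whitelist such as `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW` would keep that limit and match the two capabilities the unit names. `Capabilities=cap_net_admin,cap_net_raw=i` sets only the inheritable set, so after `User=network_fw` the daemon holds those capabilities only if `/usr/bin/net-config` carries matching file capabilities, which nothing in this commit shows; a comment in the unit saying where they are applied would help. `Capabilities=` has also been removed from newer systemd releases in favour of `AmbientCapabilities=`, so it is worth checking against the systemd version on the target. The same lines are added to `net-config_tv.service`.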
--- a/resources/usr/lib/systemd/system/net-config_tv.service
+++ b/resources/usr/lib/systemd/system/net-config_tv.service
@@ -3,12 +3,14 @@ Description=Network Configuration service
 [Service]
 Type=dbus
+User=network_fw
+Group=network_fw
 BusName=net.netconfig
 RemainAfterExit=yes
-ExecStartPre=-/usr/sbin/net-config.service
-ExecStart=/usr/sbin/net-config
-CapabilityBoundingSet=~CAP_MAC_ADMIN
-CapabilityBoundingSet=~CAP_MAC_OVERRIDE
+ExecStartPre=-/usr/bin/net-config.service
+ExecStart=/usr/bin/net-config
+Capabilities=cap_net_admin,cap_net_raw=i
+SecureBits=keep-caps
 [Install]
 WantedBy=multi-user.target
diff --git a/resources/usr/share/dbus-1/services/net.netconfig.service b/resources/usr/share/dbus-1/services/net.netconfig.service
index 6d497a1..027ced2 100755
--- a/resources/usr/share/dbus-1/services/net.netconfig.service
+++ b/resources/usr/share/dbus-1/services/net.netconfig.service
@@ -1,4 +1,5 @@
 [D-BUS Service]
 Name=net.netconfig
-Exec=/usr/sbin/net-config
-User=root
+Exec=/usr/bin/net-config
+User=network_fw
+Group=network_fw
diff --git a/resources/usr/share/dbus-1/system-services/net.netconfig.service b/resources/usr/share/dbus-1/system-services/net.netconfig.service
index 696b550..0716ddd 100755
--- a/resources/usr/share/dbus-1/system-services/net.netconfig.service
+++ b/resources/usr/share/dbus-1/system-services/net.netconfig.service
@@ -2,4 +2,5 @@
 Name=net.netconfig
 Exec=/bin/false
 SystemdService=net-config.service
-User=root
+User=network_fw
+Group=network_fw
diff --git a/src/utils/log.c b/src/utils/log.c
index 681f4b4..0564afb 100755
--- a/src/utils/log.c
+++ b/src/utils/log.c
@@ -27,7 +27,7 @@
 #include "log.h"
-#define LOG_FILE_PATH "/var/log/netconfig.log"
+#define LOG_FILE_PATH "/opt/usr/data/network/netconfig.log"
 #define MAX_LOG_SIZE 1 * 1024 * 1024
 #define MAX_LOG_COUNT 1
diff --git a/src/wifi-power.c b/src/wifi-power.c
index 6c50357..da4a615 100755
--- a/src/wifi-power.c
+++ b/src/wifi-power.c
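Review bot: `Group=network_fw` in `services/net.netconfig.service` is not a key that D-Bus service files define (the documented keys are `Name`, `Exec`, `User`, `SystemdService` and `AssumedAppArmorLabel`), so as far as I can tell dbus-daemon ignores it and the group comes from the account or from the systemd unit. Drop the line or mark it with a comment such as `# informational only; group is set in net-config.service`. The same line is added to `system-services/net.netconfig.service`. The first file also still starts `Exec=/usr/bin/net-config` directly, so if it is ever used for activation the capability settings from the systemd unit would not apply on that path.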
@@ -46,8 +46,8 @@
 #include "wifi-background-scan.h"
-#define WLAN_SUPPLICANT_SCRIPT "/usr/sbin/wpa_supp.sh"
-#define P2P_SUPPLICANT_SCRIPT "/usr/sbin/p2p_supp.sh"
+#define WLAN_SUPPLICANT_SCRIPT "/usr/bin/wpa_supp.sh"
+#define P2P_SUPPLICANT_SCRIPT "/usr/bin/p2p_supp.sh"
 #define VCONF_WIFI_OFF_STATE_BY_AIRPLANE "file/private/wifi/wifi_off_by_airplane"
 #define VCONF_WIFI_OFF_STATE_BY_RESTRICTED "file/private/wifi/wifi_off_by_restricted"
@@ -131,8 +131,8 @@ static int __execute_supplicant(gboolean enable)
 {
 int rv = 0;
 const char *path = WLAN_SUPPLICANT_SCRIPT;
- char *const args_enable[] = { "/usr/sbin/wpa_supp.sh", "start", NULL };
- char *const args_disable[] = { "/usr/sbin/wpa_supp.sh", "stop", NULL };
+ char *const args_enable[] = { "/usr/bin/wpa_supp.sh", "start", NULL };
+ char *const args_disable[] = { "/usr/bin/wpa_supp.sh", "stop", NULL };
 char *const envs[] = { NULL };
 static gboolean enabled = FALSE;
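Review bot: In `__execute_supplicant` (hunk `-131,8`) the script path is spelled out again in `args_enable` and `args_disable` even though `path` is already initialised from `WLAN_SUPPLICANT_SCRIPT`, which is why moving one script out of `/usr/sbin` needed three edits. Using the macro in both arrays, `char *const args_enable[] = { WLAN_SUPPLICANT_SCRIPT, "start", NULL };` and `char *const args_disable[] = { WLAN_SUPPLICANT_SCRIPT, "stop", NULL };`, keeps the executed file and `argv[0]` from drifting apart on the next move. The function body continues past the end of the hunk, so how `path` and the arrays reach the exec helper is not visible here.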