From: jin-gyu.kim Date: Tue, 26 Nov 2019 05:53:01 +0000 (+0900) Subject: Add clat.service X-Git-Tag: submit/tizen/20191126.081457^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=1105ca33f3cb02adcc295ad5b70060f733ef01e0;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git Add clat.service - network_fw / network_fw / System permissions - cap_net_admin To create and configure interface, modify routing tables - cap_net_raw To open raw socket - cap_ipc_lock clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks capable(CAP_IPC_LOCK) - cap_setuid To forge UID when passing socket credentials via UNIX domain sockets - cap_setgid To forge GID when passing socket credentials via UNIX domain sockets Change-Id: Ie36a2d060215d27374fa0fd6e9a78a442fb9453b --- diff --git a/config/set_capability b/config/set_capability index b59fb3c..a2f34d3 100755 --- a/config/set_capability +++ b/config/set_capability @@ -786,6 +786,18 @@ if [ -e "/usr/bin/du" ] then /usr/sbin/setcap cap_dac_read_search=ei /usr/bin/du fi +# Package product/upstream/clat +# Date Nov 26, 2019 +# Required cap_net_admin,cap_net_raw,cap_ipc_lock,cap_setuid,cap_setgid +# cap_net_admin To create and configure interface, modify routing tables +# cap_net_raw To open raw socket +# cap_ipc_lock clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks capable(CAP_IPC_LOCK) +# cap_setuid To forge UID when passing socket credentials via UNIX domain sockets +# cap_setgid To forge GID when passing socket credentials via UNIX domain sockets + +if [ -e "/usr/bin/clatd" ] +then /usr/sbin/setcap cap_net_admin,cap_net_raw,cap_ipc_lock,cap_setuid,cap_setgid=ei /usr/bin/clatd +fi # TODO: MOVE TO OTHER SCRIPT OR REMOVE # Requested by sooyeon.kim@samsung.com (.voice) and dalton.lee@samsung.com (.multiassistant) diff --git a/test/capability_test/new_capabilities_exception.list b/test/capability_test/new_capabilities_exception.list index 58bd633..9408fbb 100755 --- a/test/capability_test/new_capabilities_exception.list +++ b/test/capability_test/new_capabilities_exception.list @@ -65,3 +65,16 @@ /usr/bin/audit-trail-daemon = cap_audit_write,cap_audit_control+ei /usr/sbin/tcpdump = cap_net_raw+ei /usr/bin/ua-manager = cap_net_raw,cap_sys_rawio+ei +/usr/libexec/crash-stack = cap_dac_read_search,cap_sys_ptrace+ei +/usr/sbin/minicoredumper = cap_dac_read_search,cap_sys_ptrace+ei +/usr/bin/crash-service = cap_dac_override,cap_kill,cap_sys_ptrace+ei +/usr/bin/dlogutil = cap_syslog+ei +/usr/bin/du = cap_dac_read_search+ei +/usr/bin/clatd = cap_setgid,cap_setuid,cap_net_admin,cap_net_raw,cap_ipc_lock+ei +/usr/bin/buxton2ctl = cap_dac_override+ei +/usr/bin/df = cap_dac_read_search+ei +/usr/bin/crash-manager = cap_dac_override,cap_kill,cap_sys_ptrace+ei +/usr/bin/memps = cap_dac_read_search,cap_sys_ptrace+ei +/usr/bin/dotnet-hydra-launcher = cap_setgid,cap_sys_admin+ei +/usr/bin/top = cap_sys_ptrace+ei +/usr/bin/livedumper = cap_dac_override,cap_sys_ptrace+ei diff --git a/test/new_service_test/target/mobile/systemd_service.list b/test/new_service_test/target/mobile/systemd_service.list index 0ac9ce8..a4b9852 100755 --- a/test/new_service_test/target/mobile/systemd_service.list +++ b/test/new_service_test/target/mobile/systemd_service.list @@ -39,6 +39,7 @@ cert-server.service;security_fw;security_fw;System; chromium-efl.service;root;root;System::Privileged; chromium-efl-install.service;web_fw;web_fw;System; chromium-efl-update.service;root;root;System::Privileged; +clat.service;network_fw;network_fw;System; connman-vpn.service;network_fw;network_fw;System; connman.service;network_fw;network_fw;System; console-getty.service;root;root;System; diff --git a/test/new_service_test/target/tv/systemd_service.list b/test/new_service_test/target/tv/systemd_service.list index 7c25166..727ef45 100755 --- a/test/new_service_test/target/tv/systemd_service.list +++ b/test/new_service_test/target/tv/systemd_service.list @@ -29,6 +29,7 @@ cert-server.service;security_fw;security_fw;System; chromium-efl.service;root;root;System::Privileged; chromium-efl-install.service;web_fw;web_fw;System; chromium-efl-update.service;root;root;System::Privileged; +clat.service;network_fw;network_fw;System; connman-vpn.service;network_fw;network_fw;System; connman.service;network_fw;network_fw;System; console-getty.service;root;root;System; diff --git a/test/new_service_test/target/wearable/systemd_service.list b/test/new_service_test/target/wearable/systemd_service.list index df4c2b8..d4853e2 100755 --- a/test/new_service_test/target/wearable/systemd_service.list +++ b/test/new_service_test/target/wearable/systemd_service.list @@ -35,6 +35,7 @@ cert-server.service;security_fw;security_fw;System; chromium-efl.service;root;root;System::Privileged; chromium-efl-install.service;web_fw;web_fw;System; chromium-efl-update.service;root;root;System::Privileged; +clat.service;network_fw;network_fw;System; connman.service;network_fw;network_fw;System; console-getty.service;root;root;System; console-shell.service;root;root;System;