From: jin-gyu.kim Date: Fri, 24 Nov 2017 06:46:09 +0000 (+0900) Subject: give cap_dac_override to network modules X-Git-Tag: submit/tizen_4.0/20171126.232824^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4c31224b08dfe8fd08a1cbe8664b41dea7a8936e;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git give cap_dac_override to network modules - cap_dac_override is required to access bridge device Change-Id: I3f2bb5e1f58df4cbb692546053bb2f2617573af4 --- diff --git a/config/set_capability b/config/set_capability index f1bd323..b763cc5 100755 --- a/config/set_capability +++ b/config/set_capability @@ -178,9 +178,14 @@ fi # cap_net_bind_service to execute bind() function # cap_net_broadcast to make socket broadcasts, and listen to multicasts # cap_net_raw to use RAW socket +# cap_dac_override to access bridge device if [ -e "/usr/bin/connmand" ] -then /usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=ei /usr/bin/connmand +then /usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_override=ei /usr/bin/connmand +fi + +if [ -e "/usr/bin/connman-vpnd" ] +then /usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_override=ei /usr/bin/connman-vpnd fi # Package net-config @@ -200,9 +205,10 @@ fi # Required cap_net_admin, cap_net_raw # cap_net_admin to add interface flags and configure the interface using ioctl and driver commands # cap_net_raw to use RAW socket +# cap_dac_override to access bridge device if [ -e "/usr/bin/wpa_supplicant" ] -then /usr/sbin/setcap cap_net_admin,cap_net_raw=ei /usr/bin/wpa_supplicant +then /usr/sbin/setcap cap_net_admin,cap_net_raw,cap_dac_override=ei /usr/bin/wpa_supplicant fi # Package mobileap-agent 
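Review bot: cap_dac_override bypasses every file read, write and execute permission check, so adding it to the connmand and connman-vpnd setcap lines for the sake of one bridge device gives these network-facing daemons far more file access than the stated need. The same grant is repeated in the wpa_supplicant, hostapd, telephony-daemon, wmeshd and bluetoothd hunks. If the device node's ownership or mode is what blocks them, group ownership or an ACL on that node would be a narrower fix; the device path is not visible in this patch, so that needs confirming with the module owners. If the capability stays, the comment should record what it is for precisely, e.g. `# cap_dac_override: open <bridge device path>, owned by <user>:<group> mode <mode>`. The new connman-vpnd block also has no Package/Owner/Date header of its own.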
@@ -230,9 +236,10 @@ fi # cap_net_bind_service to call bind # cap_net_raw to use RAW socket # cap_fowner network interface configruration +# cap_dac_override to access bridge device if [ -e "/usr/bin/hostapd" ] -then /usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_raw,cap_fowner=eip /usr/bin/hostapd +then /usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_raw,cap_fowner,cap_dac_override=eip /usr/bin/hostapd fi # Package dnsmasq @@ -425,10 +432,11 @@ fi # Required cap_net_admin, cap_net_raw # cap_net_admin for network interface up/down # cap_net_raw to use raw socket +# cap_dac_override to access bridge device # some profiles create the symlink to telephony-daemon if [ -e "/usr/bin/telephony-daemon" ] -then /usr/sbin/setcap cap_net_admin,cap_net_raw=ei $(/usr/bin/readlink -f /usr/bin/telephony-daemon) +then /usr/sbin/setcap cap_net_admin,cap_net_raw,cap_dac_override=ei $(/usr/bin/readlink -f /usr/bin/telephony-daemon) fi # Package platform/core/system/session-utils @@ -526,9 +534,10 @@ fi # Owner Saerome Kim(saerome.kim@samsung.com) # Date Aug 11, 2017 # Required cap_net_raw, cap_net_admin +# cap_dac_override to access bridge device if [ -e "/usr/bin/wmeshd" ] -then /usr/sbin/setcap cap_net_raw,cap_net_admin=ei /usr/bin/wmeshd +then /usr/sbin/setcap cap_net_raw,cap_net_admin,cap_dac_override=ei /usr/bin/wmeshd fi # Package platform/core/security/ode 
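Review bot: On the hostapd line the new capability joins a `=eip` set, whereas every other daemon in this commit gets it as `=ei`. With `p` in the file set, hostapd receives cap_dac_override on every exec regardless of who starts it, while `=ei` only takes effect when the launching process already carries the capability in its inheritable set. Unless hostapd is known to need the unconditional form, keep the override out of the permitted set with a separate clause: `/usr/sbin/setcap "cap_net_admin,cap_net_bind_service,cap_net_raw,cap_fowner=eip cap_dac_override+ei" /usr/bin/hostapd`, and check the result with getcap.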
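Review bot: The edited telephony-daemon line still passes an unquoted `$(/usr/bin/readlink -f /usr/bin/telephony-daemon)` to setcap, so an empty result or a path containing whitespace changes the argument list setcap sees. Since the line is being touched anyway, quote the substitution: `"$(/usr/bin/readlink -f /usr/bin/telephony-daemon)"`. The capability is written to whatever binary the symlink resolves to, so the comment could also say which targets the profiles are expected to link to.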
@@ -546,6 +555,16 @@ if [ -e "/usr/bin/oded" ] then /usr/sbin/setcap cap_dac_override,cap_sys_admin,cap_sys_boot,cap_sys_ptrace,cap_kill=ei /usr/bin/oded fi +# Package platform/upstream/bluez +# Owner Saerome Kim(saerome.kim@samsung.com saerome.kim@samsung.com ) +# Date Nov 24, 2017 +# Required cap_dac_override, cap_sys_admin, cap_sys_boot, cap_sys_ptrace, cap_kill +# cap_dac_override to access bridge device + +if [ -e "/usr/libexec/bluetooth/bluetoothd" ] +then /usr/sbin/setcap cap_dac_override=ei /usr/libexec/bluetooth/bluetoothd +fi + # TODO: MOVE TO OTHER SCRIPT OR REMOVE # Requested by sooyeon.kim@samsung.com if [ -e "/etc/skel/share/.voice" ]
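Review bot: The `# Required` line in the new bluez block lists cap_sys_admin, cap_sys_boot, cap_sys_ptrace and cap_kill, but the setcap call below it grants only cap_dac_override. The list looks copied from the oded entry just above. A later maintainer reading the header could take those capabilities as approved for bluetoothd. Make it match the grant: `# Required cap_dac_override`. The Owner line also repeats the same address twice.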