From: Jin-gyu Kim Date: Fri, 23 Apr 2021 05:31:51 +0000 (+0900) Subject: Create a new script for setting permissions. X-Git-Tag: submit/tizen_4.0/20210503.071714~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=73f3723f042ce9bd016af24099e9b2f55c03040c;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git Create a new script for setting permissions. This script needs to be run while image is being created or updated. (After in-house applications are installed.) We could consider it to be run in security-config service, but it will increase the 1st boot time. Change-Id: I5a11dd720ea46ae69b1acc6be09305c74fb39292
---
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5422877..e70d997 100755
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -13,6 +13,7 @@ INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_label DESTINATION /usr/share/securi
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_capability DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/mdm_blacklist DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/update_privacy_mount_list.sh DESTINATION /usr/share/security-config)
+INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/change_permission DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/security-config.conf DESTINATION /usr/lib/tmpfiles.d/)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/90_user-content-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post DESTINATION ${SYSCONF_INSTALL_DIR}/gumd/useradd.d)
diff --git a/config/change_permission b/config/change_permission
new file mode 100644
index 0000000..5a27d50
--- /dev/null
+++ b/config/change_permission
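Review bot: `INSTALL(FILES ...)` installs change_permission without execute bits, and the file is added to the repository as mode 100644, yet set_capability and 201.security_upgrade.sh execute it by path. Only the `%attr(755,root,root)` entry in the spec makes it runnable, so an install that does not go through the RPM would fail at that call. Consider `INSTALL(PROGRAMS ${CMAKE_SOURCE_DIR}/config/change_permission DESTINATION /usr/share/security-config)`, or commit the script with mode 100755 as set_capability is.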
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Requested by sooyeon.kim@samsung.com (.voice) and dalton.lee@samsung.com (.multiassistant)
+dir_list=(".voice" ".multiassistant")
+for item in "${dir_list[@]}"
+do
+ if [ -e "/etc/skel/share/$item" ]
+ then
+ find /etc/skel/share/$item -print0 | xargs -0 chown app_fw:app_fw
+ find /etc/skel/share/$item -print0 | xargs -0 chsmack -a 'User::App::Shared'
+ find /etc/skel/share/$item -type d -print0 | xargs -0 chsmack -t
+ fi
+
+ for line in `find /opt/usr/home -maxdepth 1 -type d`
+ do
+ if [ -e "$line/share/$item" ]; then
+ user=$(echo $line | cut -d"/" -f5)
+ if getent passwd $user
+ then
+ find "$line/share/$item" -print0 | xargs -0 chown $user:users
+ find "$line/share/$item" -print0 | xargs -0 chsmack -a 'User::App::Shared'
+ find "$line/share/$item" -type d -print0 | xargs -0 chsmack -t
+ fi
+ fi
+ done
+done
+
+# change permission to /opt/var/lib/misc
+# This is needed to retrieve CAP_DAC_OVERRIDE from mobileap-agent & dnsmasq.
+if [ -e /opt/var/lib/misc ]
+then
+ chown root:system_share /opt/var/lib/misc
+ chmod 0775 /opt/var/lib/misc
+fi
diff --git a/config/set_capability b/config/set_capability
index 3f193b6..5baf607 100755
--- a/config/set_capability
+++ b/config/set_capability
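Review bot: The per-user loop runs `chown` as root over `$line/share/$item`, a tree that is presumably writable by the user's applications, and `chown` without `-h` changes the target of any symbolic link that `find` prints, so ownership of files outside the share directory could change when this runs on an updated device. Passing `-h` keeps the change on the link itself; whether `chsmack` dereferences links by default should be confirmed as well. Separately, `find /opt/usr/home -maxdepth 1 -type d` also yields `/opt/usr/home` itself, for which `cut` returns an empty user, and an unquoted `getent passwd $user` with an empty argument lists the whole database and succeeds, besides printing the entry to stdout on every match. The sketch below adds `-mindepth 1`, quotes the expansions and silences `getent`; the unquoted `find /etc/skel/share/$item` calls in the first branch should be quoted the same way.

```shell
# … unchanged: /etc/skel/share/$item handling …
find /opt/usr/home -mindepth 1 -maxdepth 1 -type d -print0 |
while IFS= read -r -d '' line
do
    user=${line##*/}
    if [ -e "$line/share/$item" ] && getent passwd "$user" > /dev/null
    then
        find "$line/share/$item" -print0 | xargs -0 chown -h "$user:users"
        # … unchanged: the two chsmack passes over "$line/share/$item" …
    fi
done
```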
@@ -560,38 +560,9 @@ if [ -e "/usr/bin/dlog_logger" ]
 then
 /usr/sbin/setcap cap_syslog=ei /usr/bin/dlog_logger
 fi
-# TODO: MOVE TO OTHER SCRIPT OR REMOVE
-# Requested by sooyeon.kim@samsung.com
-if [ -e "/etc/skel/share/.voice" ]
-then
-find /etc/skel/share/.voice -print0 | xargs -0 chown app_fw:app_fw
-find /etc/skel/share/.voice -print0 | xargs -0 chsmack -a 'User::App::Shared'
-find /etc/skel/share/.voice -type d -print0 | xargs -0 chsmack -t
-fi
-
-for line in `find /opt/usr/home -maxdepth 1 -type d`
-do
- if [ -e "$line/share/.voice" ]; then
- user=$(echo $line | cut -d"/" -f5);
- find "$line/share/.voice" -print0 | xargs -0 chown $user:users
- find "$line/share/.voice" -print0 | xargs -0 chsmack -a 'User::App::Shared'
- find "$line/share/.voice" -type d -print0 | xargs -0 chsmack -t
- fi
-done
-
-# Set SMACK label as "System::Privileged" in /opt/var/security-manager/rules
-chsmack -r -a "System::Privileged" /opt/var/security-manager/rules
-
-# change permission to /opt/var/lib/misc
-# This is needed to retrieve CAP_DAC_OVERRIDE from mobileap-agent & dnsmasq.
-if [ -e /opt/var/lib/misc ]
-then
- chown root:system_share /opt/var/lib/misc
- chmod 0775 /opt/var/lib/misc
-fi
-
-# This is not related with the capability, but place here to run in generic-security.post
+# These are not related with the capability, but place here to run in generic-security.post
 # It would be better to run this separately in generic-security.post future.
+/usr/share/security-config/change_permission
 if [ -e /usr/share/security-config/update_privacy_mount_list.sh ] && [ -e /usr/share/security-manager/policy/privilege-mount.list ] && [ ! -e /opt/share/askuser_disable ]
 then
 /usr/share/security-config/update_privacy_mount_list.sh
diff --git a/packaging/security-config.spec b/packaging/security-config.spec
index a6c36fa..03e5447 100755
--- a/packaging/security-config.spec
+++ b/packaging/security-config.spec
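Review bot: The removed block included `chsmack -r -a "System::Privileged" /opt/var/security-manager/rules`, and that line does not appear in the new change_permission script, so nothing visible in this commit labels that directory any more. If the label is now applied by another script, the commit message should say so; otherwise the line should be carried over into change_permission. The new call to `/usr/share/security-config/change_permission` is also unguarded, unlike the `-e` test on update_privacy_mount_list.sh just below it, so a guard such as `[ -x /usr/share/security-config/change_permission ] &&` would keep the two consistent. The enclosing script continues outside the hunk.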
@@ -92,6 +92,7 @@ rm /opt/share/security-config/test/capability_test/*
 %attr(755,root,root) /usr/share/security-config/set_label
 %attr(755,root,root) /usr/share/security-config/set_capability
 %attr(755,root,root) /usr/share/security-config/mdm_blacklist
+%attr(755,root,root) /usr/share/security-config/change_permission
 %attr(700,root,root) /usr/share/security-config/update_privacy_mount_list.sh
 %attr(644,root,root) /usr/lib/tmpfiles.d/security-config.conf
 %attr(755,root,root) /opt/share/security-config/test/*
diff --git a/upgrade/201.security_upgrade.sh b/upgrade/201.security_upgrade.sh
index ae19183..0467ef0 100644
--- a/upgrade/201.security_upgrade.sh
+++ b/upgrade/201.security_upgrade.sh
@@ -4,9 +4,14 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin . /etc/tizen-platform.conf # Init security-configuration -/usr/share/security-config/group_id_setting /usr/share/security-config/set_label -/usr/share/security-config/set_capability +/usr/share/security-config/change_permission + +# Delete a flag file to run smack_default_labeling +if [ -e /opt/share/security-config/.smack_pre_labeling ] +then + rm /opt/share/security-config/.smack_pre_labeling +fi # Migration of cynara DB # CYNARA_VERSION=$(rpm -qf /usr/bin/cynara | cut -d "-" -f2)
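Review bot: In upgrade/201.security_upgrade.sh the upgrade path stops calling group_id_setting and set_capability and starts deleting `.smack_pre_labeling`, none of which the commit message mentions. A comment above the new lines should state where group IDs and file capabilities are reapplied after an update, so the next maintainer does not read the removal as an oversight. Because change_permission walks the per-user directories under /opt/usr/home, this is the call site where it meets existing user data, and its exit status is currently ignored; a failed run should at least be logged. The script continues outside the hunk.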