From: jin-gyu.kim <jin-gyu.kim@samsung.com>
Date: Mon, 18 Dec 2017 06:44:22 +0000 (+0900)
Subject: Update set_capability
X-Git-Tag: submit/tizen/20171218.101143^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=7d6b49ab2904e3367a63e941032e3b5e9e48c646;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git

Update set_capability

- Give capabilities for launchpad in security-config.
- Remove redundant permitted flags from excute files.

Change-Id: I858a170a15d33db2d395bb49c030c1ab1d1d05c6
---

diff --git a/config/set_capability b/config/set_capability
index b700c29..0a1051c 100755
--- a/config/set_capability
+++ b/config/set_capability
@@ -29,7 +29,7 @@ fi
 # cap_sys_time		settimeofday() system call and rtc setting time need privilege; CAP_SYS_TIME
 
 if [ -e "/usr/bin/alarm-server" ]
-then /usr/sbin/setcap cap_sys_time=eip /usr/bin/alarm-server
+then /usr/sbin/setcap cap_sys_time=ei /usr/bin/alarm-server
 fi
 
 # Package		download-provider
@@ -40,7 +40,7 @@ fi
 # cap_dac_override	needs to access directory which user id is different (override DAC permission)
 
 if [ -e "/usr/bin/download-provider" ]
-then /usr/sbin/setcap cap_chown,cap_dac_override=eip /usr/bin/download-provider
+then /usr/sbin/setcap cap_chown,cap_dac_override=ei /usr/bin/download-provider
 fi
 
 # Package		media-server
@@ -52,7 +52,7 @@ fi
 #			client would be another service daemon and application
 
 if [ -e "/usr/bin/media-server" ]
-then /usr/sbin/setcap cap_dac_read_search=eip /usr/bin/media-server
+then /usr/sbin/setcap cap_dac_read_search=ei /usr/bin/media-server
 fi
 
 # Package		csr-server
@@ -63,7 +63,7 @@ fi
 # cap_fowner		csr-server needs to remove files set with sticky bit in /tmp (rwxrwxrwt)
 
 if [ -e "/usr/bin/csr-server" ]
-then /usr/sbin/setcap cap_dac_override,cap_fowner=eip /usr/bin/csr-server
+then /usr/sbin/setcap cap_dac_override,cap_fowner=ei /usr/bin/csr-server
 fi
 
 # Package        	msg-server
@@ -76,7 +76,7 @@ fi
 # cap_lease		Establish leases on arbitrary files
 
 if [ -e "/usr/bin/msg-server" ]
-then /usr/sbin/setcap cap_chown,cap_lease,cap_net_admin,cap_net_raw=eip /usr/bin/msg-server
+then /usr/sbin/setcap cap_chown,cap_lease,cap_net_admin,cap_net_raw=ei /usr/bin/msg-server
 fi
 
 # Package        	pkgmgr-server
@@ -91,7 +91,7 @@ fi
 # cap_setuid		setuid function
 
 if [ -e "/usr/bin/pkgmgr-server" ]
-then /usr/sbin/setcap cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid=eip /usr/bin/pkgmgr-server
+then /usr/sbin/setcap cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid=ei /usr/bin/pkgmgr-server
 fi
 
 # Package		app-installers
@@ -103,7 +103,7 @@ fi
 # cap_fowner		use chmod API
 
 if [ -e "/usr/bin/pkgdir-tool" ]
-then /usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=eip /usr/bin/pkgdir-tool
+then /usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=ei /usr/bin/pkgdir-tool
 fi
 
 # Package		mused
@@ -113,7 +113,7 @@ fi
 # cap_dac_override	access to directories of applications
 
 if [ -e "/usr/bin/muse-server" ]
-then /usr/sbin/setcap cap_dac_override=eip /usr/bin/muse-server
+then /usr/sbin/setcap cap_dac_override=ei /usr/bin/muse-server
 fi
 
 # Package		gpsd
@@ -228,13 +228,12 @@ fi
 # Package		mobileap-agent
 # Owner			Seonah Moon(seonah1.moon@samsung.com)
 # Date			Oct 7, 2016
-# Required		cap_dac_override, cap_fowner, cap_net_admin, cap_net_bind_service
-# cap_fowner		network interface configruration
+# Required		cap_net_admin, cap_net_bind_service
 # cap_net_admin		to use ioctl socket
 # cap_net_bind_service	to call bind
 
 if [ -e "/usr/bin/mobileap-agent" ]
-then /usr/sbin/setcap cap_fowner,cap_net_admin,cap_net_bind_service=eip /usr/bin/mobileap-agent
+then /usr/sbin/setcap cap_net_admin,cap_net_bind_service=ei /usr/bin/mobileap-agent
 fi
 
 # route is using by mobileap-agent 
@@ -416,8 +415,6 @@ if [ -e "/usr/bin/pkg_cleardata" ]
 then /usr/sbin/setcap cap_dac_override=eip /usr/bin/pkg_cleardata
 fi
 
-# launchpad package checks build option before giving capability.
-# Therefore, caps will be given in spec file.
 # Package               platform/core/appfw/launchpad
 # Owner                 Junghoon Park(jh9216.park@samsung.com)
 # Date                  July 4, 2017
@@ -425,14 +422,16 @@ fi
 # cap_mac_admin		to use security_manager_prepare_app()
 # cap_dac_override      fd redirection in debug mode of app running
 # cap_setgid		to use security_manager_prepare_app()
+# cap_sys_admin		to split mount namespace
+# cap_sys_nice		to change scheduling priority
 
-#if [ -e "/usr/bin/launchpad-process-pool" ]
-#then /usr/sbin/setcap cap_mac_admin,cap_dac_override,cap_setgid=ei /usr/bin/launchpad-process-pool
-#fi
+if [ -e "/usr/bin/launchpad-process-pool" ]
+then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid=ei /usr/bin/launchpad-process-pool
+fi
 
-#if [ -e "/usr/bin/launchpad-loader" ]
-#then /usr/sbin/setcap cap_setgid=ei /usr/bin/launchpad-loader
-#fi
+if [ -e "/usr/bin/launchpad-loader" ]
+then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_setgid=ei /usr/bin/launchpad-loader
+fi
 
 # Package               platform/core/dotnet/launcher
 # Owner                 Pius Lee(pius.lee@samsung.com)