From: hyunho Date: Tue, 25 Feb 2020 04:05:57 +0000 (+0900) Subject: Add capability for the app-defined-loader X-Git-Tag: submit/tizen/20200225.045152^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=7ea60422fc36de0a96969835be89b2ee736e55d3;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git Add capability for the app-defined-loader Change-Id: I3586503e0c83cc35ae6321cf1b4bdd63b0e09297 Signed-off-by: hyunho
---
diff --git a/config/set_capability b/config/set_capability
index a2f34d3..e70e878 100755
--- a/config/set_capability
+++ b/config/set_capability
@@ -434,6 +434,19 @@ if [ -e "/usr/bin/launchpad-loader" ] && [ ! -e "/usr/bin/launchpad-starter" ]
 then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_setgid=ei /usr/bin/launchpad-loader
 fi
 
+# Package platform/core/appfw/launchpad
+# Owner Junghoon Park(jh9216.park@samsung.com)
+# Date Feb 25, 2020
+# Required cap_setgid, cap_sys_admin, cap_sys_nice
+# cap_setgid to use security_manager_prepare_app()
+# cap_sys_admin to split mount namespace
+# cap_sys_nice to change scheduling priority
+
+# TODO : condition check about launchpad-starter is temporary
+if [ -e "/usr/bin/app-defined-loader" ] && [ ! -e "/usr/bin/launchpad-starter" ]
+then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_setgid=ei /usr/bin/app-defined-loader
+fi
+
 # Package platform/core/dotnet/launcher
 # Owner Pius Lee(pius.lee@samsung.com)
 # Date July 4, 2017
@@ -640,7 +653,7 @@ fi
 # Package platform/core/security/krate
 # Date Sep 19, 2018
 # Required cap_sys_admin
-# cap_sys_admin Do bind-mount to control the file access
+# cap_sys_admin Do bind-mount to control the file access
 
 if [ -e "/usr/bin/krate-mount" ]
 then /usr/sbin/setcap cap_sys_admin=ei /usr/bin/krate-mount
diff --git a/test/capability_test/new_capabilities_exception.list b/test/capability_test/new_capabilities_exception.list
index 9408fbb..1489d47 100755
--- a/test/capability_test/new_capabilities_exception.list
+++ b/test/capability_test/new_capabilities_exception.list
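Review bot: In config/set_capability, the TODO above the new `if` says the launchpad-starter check is temporary but not what it stands in for or what has to happen before it can be removed, and the launchpad-loader block shown in the hunk header already uses the same test. As written, an image that ships /usr/bin/launchpad-starter gets no file capabilities on app-defined-loader from this block, which is worth stating next to the condition, for example `# TODO(<owner>): drop the launchpad-starter test once <condition>; while launchpad-starter exists no caps are set here`. Because the set is `=ei` and includes cap_sys_admin, the capabilities only take effect when the exec'ing process already holds them as inheritable, so I would also add a line naming that process, e.g. `# inheritable set supplied by <parent process>`.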
@@ -19,6 +19,7 @@
 /usr/bin/amd = cap_dac_override,cap_kill,cap_sys_admin+ei
 /usr/bin/wrt-loader = cap_setgid,cap_sys_admin+ei/usr/bin/tpk-backend = cap_chown,cap_dac_override,cap_fowner+ei
 /usr/bin/launchpad-loader = cap_setgid,cap_sys_admin,cap_sys_nice+ei
+/usr/bin/app-defined-loader = cap_setgid,cap_sys_admin,cap_sys_nice+ei
 /usr/bin/email-service = cap_chown+eip
 /usr/bin/wgt-backend = cap_chown,cap_dac_override,cap_fowner+ei
 /usr/bin/download-provider = cap_chown,cap_dac_override+ei
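Review bot: Two lines above the added entry, the context line that starts with `/usr/bin/wrt-loader = cap_setgid,cap_sys_admin+ei` runs straight into the `/usr/bin/tpk-backend` exception with no line break, and the hunk's count of six context lines suggests the file itself reads that way rather than this being a display artefact. Depending on how the capability test parses this list, the wrt-loader entry, the tpk-backend entry, or both may not be matched as intended. The commit does not touch that line, but since the list is being edited here it would be a good moment to split it so that `/usr/bin/tpk-backend = cap_chown,cap_dac_override,cap_fowner+ei` starts on its own line.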