From: Yunchan Cho
Date: Tue, 10 Sep 2013 05:43:00 +0000 (+0900)
Subject: Grant 'CAP_MAC_ADMIN' capability to WebProcess executable file
X-Git-Tag: 2.2.1_release~227
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a98f6bc10390bc9dbc30eefa4612cc50bc9b764a;p=framework%2Fweb%2Fwebkit-efl.git

Grant 'CAP_MAC_ADMIN' capability to WebProcess executable file

[Title] Grant inheritable/effective bit of 'CAP_MAC_ADMIN' capability to WebProcess executable file
[Issue#] N/A
[Problem] In 1 UI / N Web Process Model like web-provider, forked/executed WebProcess using tizen device apis needs to be changed to other proper process label. But, process label of WebProcess can't be changed to other one.
[Cause] Current WebProcess executable file doesn't have necessary process capability (CAP_MAC_ADMIN). This capability makes a process to change its process label file (/proc/self/attr/current) directly.
[Solution] inheritable/effective bit of 'CAP_MAC_ADMIN' capability is set to xattr of /usr/bin/WebProcess. This xattr is used by linux kernel, which calculates process capabilities of executed processes. forked/executed WebProcess has 'CAP_MAC_ADMIN' only if its parent UI process has also inheritable bit of the capability. So, inheritable bit of the capability will be set to web-provider (UI process). After this patch is applied, WebProcess from browser and web app doesn't have this capability as now.

Change-Id: Ic47b26041c9c3ca920b57fbb3b181a79e6ccb088
---
diff --git a/packaging/webkit2-efl.spec b/packaging/webkit2-efl.spec index d31407f..4b0713e 100644 --- a/packaging/webkit2-efl.spec +++ b/packaging/webkit2-efl.spec @@ -146,6 +146,11 @@ mkdir -p %{buildroot}/usr/share/edje chmod 644 %{_libdir}/libewebkit2.so # 2. Resources chmod 644 /usr/share/edje/webkit.edj +# 3. executables +if [ `grep -c smack /proc/filesystems` -eq 1 ] +then + setcap cap_mac_admin=ie %{_bindir}/WebProcess +fi %postun
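
Review bot: The `-eq 1` comparison in the added `if [ ... ]` line skips `setcap` whenever `grep -c smack /proc/filesystems` returns any count other than exactly one, and the unquoted backtick substitution makes the test fragile; `if grep -q smack /proc/filesystems` expresses the intent directly. The check also reads the kernel that is running when the scriptlet executes, so installing the package on a host without Smack leaves `%{_bindir}/WebProcess` without the xattr and without any message; consider logging when the branch is skipped and checking the exit status of `setcap`. The `# 3. executables` comment should state that `=ie` only yields CAP_MAC_ADMIN when the parent holds it in its inheritable set, as the commit message explains, and should note whether WebProcess drops the capability after changing its label, since the `e` bit makes it effective from exec.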