From: jin-gyu.kim Date: Wed, 20 Dec 2017 05:50:08 +0000 (+0900) Subject: Update set_capability and capability test. X-Git-Tag: submit/tizen_4.0/20171220.053450^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c07fc59ac7dfe9a80dd0601a5faa69fd7a72f3ca;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git Update set_capability and capability test. - Remove redundant permitted flag from excute files. - Sync capability lists. Change-Id: I4df28233124bcc64babb1713f0e85044f3d444fc --- diff --git a/config/set_capability b/config/set_capability index 592c8f2..0aebb58 100755 --- a/config/set_capability +++ b/config/set_capability @@ -19,7 +19,7 @@ PATH=/bin:/usr/bin:/sbin:/usr/sbin # cap_sys_admin remount at rpm installation if [ -e "/usr/sbin/sdbd" ] -then /usr/sbin/setcap cap_setuid,cap_setgid,cap_dac_override,cap_sys_admin=eip /usr/sbin/sdbd +then /usr/sbin/setcap cap_setuid,cap_setgid,cap_dac_override,cap_sys_admin=ei /usr/sbin/sdbd fi # Package alarm-server @@ -135,7 +135,7 @@ fi # cap_fowner use chmod API if [ -e "/usr/bin/tpk-backend" ] -then /usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=eip /usr/bin/tpk-backend +then /usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=ei /usr/bin/tpk-backend fi # Package wgt-backend @@ -147,7 +147,7 @@ fi # cap_fowner use chmod API if [ -e "/usr/bin/wgt-backend" ] -then /usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=eip /usr/bin/wgt-backend +then /usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=ei /usr/bin/wgt-backend fi # Package xdelta3 @@ -367,7 +367,7 @@ fi # cap_dac_read_search to access pkg directory if [ -e "/usr/bin/pkg_getsize" ] -then /usr/sbin/setcap cap_dac_read_search=eip /usr/bin/pkg_getsize +then /usr/sbin/setcap cap_dac_read_search=ei /usr/bin/pkg_getsize fi # Package platform/core/messaging/email-service 
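Review bot: With the permitted bit dropped, every `=ei` binary touched here (sdbd, tpk-backend, wgt-backend, pkg_getsize, and pkg_cleardata in the following hunk) gains its capabilities only when the process that executes it already holds them in its inheritable set, and nothing in the script records that dependency. If a launcher lacks them, the exec still succeeds and the binary runs without the capability, so the failure surfaces later at the first privileged call, far from its cause. I would add a header comment such as `# =ei only: capabilities come from the caller's inheritable set; a plain exec gets none`. The exit status of `/usr/sbin/setcap` is also unchecked in the visible lines, so unless the script runs under `set -e` (not visible here) a failed setcap passes silently.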
@@ -388,7 +388,7 @@ fi # TODO: REMOVED IN TIZEN 4.0 if [ -e "/usr/bin/pkg_cleardata" ] -then /usr/sbin/setcap cap_dac_override=eip /usr/bin/pkg_cleardata +then /usr/sbin/setcap cap_dac_override=ei /usr/bin/pkg_cleardata fi # Package platform/core/appfw/launchpad diff --git a/test/capability_test/new_capabilities_exception.list b/test/capability_test/new_capabilities_exception.list index 8192a5d..5286538 100644 --- a/test/capability_test/new_capabilities_exception.list +++ b/test/capability_test/new_capabilities_exception.list 
@@ -1,52 +1,52 @@
-/usr/sbin/tayga = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/sbin/xtables-multi = cap_net_admin,cap_net_raw+ei
-/usr/sbin/named = cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot+eip
-/usr/sbin/lwresd = cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot+eip
-/usr/sbin/sdbd = cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin+eip
-/usr/bin/hostapd = cap_fowner,cap_net_bind_service,cap_net_admin,cap_net_raw+eip
-/usr/sbin/ip = cap_net_admin+ei
-/usr/bin/wpa_supplicant = cap_net_admin,cap_net_raw+ei
-/usr/bin/focus_server = cap_chown,cap_fowner,cap_lease+eip
-/usr/bin/touch = cap_dac_override+ei
-/usr/bin/pkgdir-tool = cap_chown,cap_dac_override,cap_fowner+eip
-/usr/bin/msg-server = cap_chown,cap_net_admin,cap_net_raw,cap_lease+eip
-/usr/bin/media-server = cap_dac_read_search+eip
-/usr/bin/alarm-server = cap_sys_time+eip
-/usr/bin/systemd-user-helper = cap_dac_override,cap_setgid,cap_sys_admin,cap_mac_admin+ei
-/usr/bin/csr-server = cap_dac_override,cap_fowner+eip
-/usr/bin/pkgmgr-server = cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid+eip
-/usr/bin/muse-server = cap_dac_override+eip
-/usr/bin/amd = cap_dac_override,cap_kill+ep
-/usr/bin/wrt-loader = cap_setgid+ei
-/usr/bin/tpk-backend = cap_chown,cap_dac_override,cap_fowner+eip
-/usr/bin/launchpad-loader = cap_setgid+ei
-/usr/bin/email-service = cap_chown+eip
-/usr/bin/wgt-backend = cap_chown,cap_dac_override,cap_fowner+eip
-/usr/bin/download-provider = cap_chown,cap_dac_override+eip
-/usr/bin/chmod = cap_fowner+ei
-/usr/bin/sound_server = cap_chown,cap_fowner,cap_lease+eip
+/usr/libexec/bluetooth/bluetoothd = cap_dac_override+ei
+/usr/bin/launchpad-process-pool = cap_dac_override,cap_setgid,cap_sys_admin,cap_sys_nice,cap_mac_admin+ei
+/usr/bin/pkg_cleardata = cap_dac_override+ei
+/usr/bin/pkill = cap_kill+ei
+/usr/bin/telephony-daemon = cap_dac_override,cap_net_admin,cap_net_raw+ei
 /usr/bin/dnsmasq = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/feedbackd = cap_dac_override+eip
-/usr/bin/data-provider-master = cap_dac_override+ei
-/usr/bin/amixer = cap_dac_override+ei
-/usr/bin/pkg_getsize = cap_dac_read_search+eip
-/usr/bin/pkg_cleardata = cap_dac_override+eip
-/usr/bin/launchpad-process-pool = cap_dac_override,cap_setgid,cap_mac_admin+ei
-/usr/bin/mobileap-agent = cap_fowner,cap_net_bind_service,cap_net_admin+eip
+/usr/bin/amd = cap_dac_override,cap_kill+ep
+/usr/bin/connmand = cap_dac_override,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
+/usr/bin/tpk-backend = cap_chown,cap_dac_override,cap_fowner+ei
 /usr/bin/chgrp = cap_chown+ei
+/usr/bin/sound_server = cap_chown,cap_fowner,cap_lease+eip
+/usr/bin/wgt-backend = cap_chown,cap_dac_override,cap_fowner+ei
+/usr/bin/media-server = cap_dac_read_search+ei
 /usr/bin/xdelta3 = cap_dac_override+ei
-/usr/bin/telephony-daemon = cap_net_admin,cap_net_raw+ei
-/usr/bin/telephony-daemon.tv = cap_net_admin,cap_net_raw+ei
-/usr/bin/telephony-daemon.ivi = cap_net_admin,cap_net_raw+ei
-/usr/bin/nether = cap_net_admin+eip
-/usr/bin/dotnet-launcher = cap_setgid,cap_mac_admin+ei
+/usr/bin/wpa_supplicant = cap_dac_override,cap_net_admin,cap_net_raw+ei
+/usr/bin/gpsd = cap_dac_override+eip
+/usr/bin/muse-server = cap_dac_override+ei
+/usr/bin/pkgmgr-server = cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid+ei
+/usr/bin/hostapd = cap_dac_override,cap_fowner,cap_net_bind_service,cap_net_admin,cap_net_raw+eip
+/usr/bin/download-provider = cap_chown,cap_dac_override+ei
+/usr/bin/chmod = cap_fowner+ei
+/usr/bin/pkg_getsize = cap_dac_read_search+ei
+/usr/bin/toybox = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
+/usr/bin/csr-server = cap_dac_override,cap_fowner+ei
+/usr/bin/cp2-downloader = cap_dac_override,cap_sys_admin+eip
+/usr/bin/modemd = cap_dac_override+eip
+/usr/bin/data-provider-master = cap_dac_override+ei
+/usr/bin/msg-server = cap_chown,cap_net_admin,cap_net_raw,cap_lease+ei
+/usr/bin/systemd-user-helper = cap_dac_override,cap_setgid,cap_sys_admin,cap_mac_admin+ei
+/usr/bin/wifi-loader = cap_dac_override,cap_sys_module,cap_sys_admin+eip
+/usr/bin/pkgdir-tool = cap_chown,cap_dac_override,cap_fowner+ei
+/usr/bin/nether = cap_net_admin+ei
 /usr/bin/wfd-manager = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/wfd-manager.tm1 = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/wfd-manager.mobile = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/wfd-manager.wearable = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/wfd-manager.tv = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
-/usr/bin/net-config = cap_net_admin,cap_net_raw+ei
-/usr/bin/connmand = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
+/usr/bin/connman-vpnd = cap_dac_override,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
+/usr/bin/mobileap-agent = cap_net_bind_service,cap_net_admin+ei
+/usr/bin/alarm-server = cap_sys_time+ei
+/usr/bin/launchpad-loader = cap_setgid,cap_sys_admin,cap_sys_nice+ei
+/usr/bin/dotnet-launcher = cap_setgid,cap_sys_admin+ei
+/usr/bin/net-config = cap_dac_override,cap_net_admin,cap_net_raw+ei
+/usr/bin/touch = cap_dac_override+ei
+/usr/bin/wrt-loader = cap_setgid,cap_sys_admin+ei
+/usr/bin/focus_server = cap_chown,cap_fowner,cap_lease+eip
+/usr/bin/email-service = cap_chown+eip
+/usr/sbin/named = cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot+eip
+/usr/sbin/xtables-multi = cap_net_admin,cap_net_raw+ei
 /usr/sbin/ifconfig = cap_net_admin+ei
-/usr/bin/pkill = cap_kill+ei
-/usr/bin/toybox = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
+/usr/sbin/lwresd = cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot+eip
+/usr/sbin/ip = cap_net_admin+ei
+/usr/sbin/route = cap_net_admin+ei
+/usr/sbin/tayga = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
+/usr/sbin/sdbd = cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin+ei
+/usr/bin/lhd = cap_dac_override+eip
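Review bot: Several added entries widen privilege rather than only dropping the permitted flag, and nothing records why: `wifi-loader` (cap_sys_module, cap_sys_admin) and `cp2-downloader` (cap_sys_admin) are new with `+eip`, and `launchpad-loader`, `wrt-loader` and `dotnet-launcher` gain cap_sys_admin. Since this file is the test's exception list, each entry presumably makes the capability test accept that grant, so an unjustified line here masks what the test is meant to catch. `gpsd`, `modemd`, `lhd`, `hostapd`, `sound_server`, `focus_server`, `email-service`, `named` and `lwresd` still carry `+eip`, which the commit message calls redundant, so the description should state why they are exempt. The entries were also reordered, so nearly every line shows as changed; a stable sorted order would make later capability changes reviewable line by line.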