From: Krzysztof Jackiewicz Date: Fri, 14 Feb 2025 18:05:53 +0000 (+0100) Subject: Give RX access to home and app dir to others X-Git-Tag: accepted/tizen/unified/20250221.111443^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ec87a3c291f94f722c0cf0b8a4a545fd1c4facba;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git Give RX access to home and app dir to others Without it other apps won't be able to access application subdirectories. Change-Id: I2d528d8288f4398650fd1e20400023f8c9500e44
---
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 685aad2..d82b45c 100755
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -11,7 +11,12 @@ SET(VERSION "${VERSION_MAJOR}.0.2")
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/group_id_setting DESTINATION /usr/share/security-config)
 IF(WOS)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/configure_wos DESTINATION /usr/share/security-config)
+    SET(HOME_APP_PERMISSIONS 755)
+ELSE(WOS)
+    SET(HOME_APP_PERMISSIONS 750)
 ENDIF(WOS)
+CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post.in ${CMAKE_SOURCE_DIR}/config/91_user-dbspace-permissions.post @ONLY)
+
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_label DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_capability DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/mdm_blacklist DESTINATION /usr/share/security-config)
diff --git a/config/91_user-dbspace-permissions.post b/config/91_user-dbspace-permissions.post
deleted file mode 100644
index eb5dcf2..0000000
--- a/config/91_user-dbspace-permissions.post
+++ /dev/null
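Review bot: The new `CONFIGURE_FILE` line generates `91_user-dbspace-permissions.post` into the source tree (`${CMAKE_SOURCE_DIR}/config/`), right beside its `.in` template, where it can be edited or committed by mistake; writing it to `${CMAKE_BINARY_DIR}/config/91_user-dbspace-permissions.post` and pointing the INSTALL rule for that file (not visible in this hunk, presumably elsewhere in CMakeLists.txt) at the binary dir avoids both. The two `SET(HOME_APP_PERMISSIONS …)` lines also encode the commit's security decision without saying why, so a comment above the `IF(WOS)` such as `# WOS: other apps must traverse the user's home/app dirs, so they get o+rx there (750 on other profiles)` would keep the intent next to the numbers. If plain traversal is all that is needed, `751` (search bit only) would grant it without letting every UID list the directory contents — worth confirming before settling on 755.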
@@ -1,30 +0,0 @@
-#!/bin/sh -e
-
-PATH=/bin:/usr/bin:/sbin:/usr/sbin
-
-NEW_USER=$1
-export `tzplatform-get --user $NEW_USER TZ_USER_HOME`
-export `tzplatform-get --user $NEW_USER TZ_USER_APP`
-export `tzplatform-get --user $NEW_USER TZ_USER_APPROOT`
-export `tzplatform-get --user $NEW_USER TZ_USER_DB`
-
-chown $NEW_USER:system_share $TZ_USER_HOME
-chmod 750 $TZ_USER_HOME
-
-chown $NEW_USER:system_share $TZ_USER_APP
-chmod 750 $TZ_USER_APP
-
-chown $NEW_USER:system_share $TZ_USER_APPROOT
-chmod 750 $TZ_USER_APPROOT
-
-chown $NEW_USER:system_share $TZ_USER_DB
-chmod 770 $TZ_USER_DB
-
-if [ ! -d $TZ_USER_DB/privacy ]
-then
-    mkdir -p $TZ_USER_DB/privacy
-fi
-
-chown $NEW_USER:system_share $TZ_USER_DB/privacy
-chmod 770 $TZ_USER_DB/privacy
-chsmack -a 'User' $TZ_USER_DB/privacy -t
diff --git a/config/91_user-dbspace-permissions.post.in b/config/91_user-dbspace-permissions.post.in
new file mode 100644
index 0000000..2cff589
--- /dev/null
+++ b/config/91_user-dbspace-permissions.post.in
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+NEW_USER=$1
+export `tzplatform-get --user $NEW_USER TZ_USER_HOME`
+export `tzplatform-get --user $NEW_USER TZ_USER_APP`
+export `tzplatform-get --user $NEW_USER TZ_USER_APPROOT`
+export `tzplatform-get --user $NEW_USER TZ_USER_DB`
+
+chown $NEW_USER:system_share $TZ_USER_HOME
+chmod @HOME_APP_PERMISSIONS@ $TZ_USER_HOME
+
+chown $NEW_USER:system_share $TZ_USER_APP
+chmod @HOME_APP_PERMISSIONS@ $TZ_USER_APP
+
+chown $NEW_USER:system_share $TZ_USER_APPROOT
+chmod 750 $TZ_USER_APPROOT
+
+chown $NEW_USER:system_share $TZ_USER_DB
+chmod 770 $TZ_USER_DB
+
+if [ ! -d $TZ_USER_DB/privacy ]
+then
+    mkdir -p $TZ_USER_DB/privacy
+fi
+
+chown $NEW_USER:system_share $TZ_USER_DB/privacy
+chmod 770 $TZ_USER_DB/privacy
+chsmack -a 'User' $TZ_USER_DB/privacy -t
diff --git a/config/generate_configure_wos b/config/generate_configure_wos
index 8b3512c..a3043c7 100755
--- a/config/generate_configure_wos
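Review bot: On WOS the substituted `chmod @HOME_APP_PERMISSIONS@ $TZ_USER_HOME` and `$TZ_USER_APP` lines become 755, and it is the read bit that lets any other UID enumerate the user's home and installed-app directories; if other apps only need to reach known subpaths, the search bit alone (`751`) gives that traversal with less disclosure, so the value chosen in CMakeLists deserves a second look (Smack may still mediate the listing depending on the directory label, but the DAC layer is gone). `$TZ_USER_APPROOT` keeps `chmod 750`, so it is worth confirming that the subdirectories the commit wants reachable live under `TZ_USER_APP` rather than `TZ_USER_APPROOT`. Since the generated `.post` now lands next to this template, a header comment after the shebang, `# Generated from 91_user-dbspace-permissions.post.in by CMake; edit the .in file`, would stop edits landing in the wrong copy. Quoting the path expansions (`chmod @HOME_APP_PERMISSIONS@ "$TZ_USER_HOME"`) is cheap hardening for the same lines.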
+++ b/config/generate_configure_wos @@ -29,6 +29,16 @@ function add_services_to_system_access_group { systemctl daemon-reload } +function give_rx_to_others { + home="`/usr/bin/tzplatform-get TZ_SYS_HOME | cut -d'=' -f2-`" + for user_dir in "$home"/*; do + /usr/bin/chmod o+rx "$user_dir" + username=`/usr/bin/basename "$user_dir"` + app_dir=`/usr/bin/tzplatform-get -u $username TZ_USER_APP | cut -d'=' -f2-` + /usr/bin/chmod o+rx "$app_dir" + done +} + head -n "$((LINENO - 1))" "${BASH_SOURCE[0]}" echo 'services=(' @@ -38,3 +48,4 @@ echo ')' echo 'add_groups' echo 'add_services_to_system_access_group "${services[@]}"' echo 'add_missing_caps' +echo 'give_rx_to_others'
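Review bot: `give_rx_to_others` grants `o+rx`, but reaching a known subdirectory only needs the search bit; `/usr/bin/chmod o+x "$user_dir"` and `/usr/bin/chmod o+x "$app_dir"` would give other apps the traversal the commit wants without letting every UID list each user's home and app directory. The loop also has no guard on what it touches: `for user_dir in "$home"/*` covers anything under `TZ_SYS_HOME` (and the literal pattern when nothing matches), `$username` is unquoted, and if `tzplatform-get -u $username` fails `app_dir` is empty so the second chmod runs on `""`; a line `[ -d "$user_dir" ] && [ -n "$app_dir" ] || continue` placed just before that chmod would make the function fail closed. Whether the generated configure_wos runs under `set -e` is not visible from this hunk.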