From: jin-gyu.kim Date: Thu, 26 Oct 2017 05:26:19 +0000 (+0900) Subject: Give capabilities to connman-vpnd & charon X-Git-Tag: submit/tizen/20171026.082412~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f8b70cc4e087b8ca6afc546c76ef84465860899f;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git Give capabilities to connman-vpnd & charon - charon is executed from connman and it needs capabilities. Change-Id: I5f96cde9115104a1e21abbb41894e9c1f4fe5e04
---
diff --git a/config/set_capability b/config/set_capability
index 0533dce..4af1088 100755
--- a/config/set_capability
+++ b/config/set_capability
@@ -173,7 +173,7 @@ fi
 # Package connmand
 # Owner Hyunuk Tak(hyunuk.tak@samsung.com)
 # Date Oct 7, 2016
-# Required cap_dac_override,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw
+# Required cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw
 # cap_net_admin to add interface flags and make the interface UP/DOWN using ioctl
 # cap_net_bind_service to execute bind() function
 # cap_net_broadcast to make socket broadcasts, and listen to multicasts
@@ -183,6 +183,24 @@ if [ -e "/usr/bin/connmand" ]
 then /usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=ei /usr/bin/connmand
 fi
 
+if [ -e "/usr/bin/connman-vpnd" ]
+then /usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=ei /usr/bin/connman-vpnd
+fi
+
+# Package platform/upstream/strongswan
+# Owner Jiuing Yu(jiung.yu@samsung.com)
+# Date Oct 26, 2017
+# Required cap_setgid,cap_net_admin,cap_net_bind_service,cap_net_raw,cap_net_broadcast
+# cap_setgid to use initgroup
+# cap_net_admin to set SA configuration using linux kernel and netlink socket
+# cap_net_bind_service to use UDP 500 port for IKEv2 protocol
+# cap_net_broadcast to use IKEv2 protocol
+# cap_net_raw to use IKEv2 protocol
+
+if [ -e "/usr/bin/charon" ]
+then /usr/sbin/setcap cap_setgid,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=ei /usr/bin/charon
+fi
+
 # Package net-config
 # Owner Hyunuk Tak(hyunuk.tak@samsung.com)
 # Date Oct 7, 2016
diff --git a/test/capability_test/new_capabilities_exception.list b/test/capability_test/new_capabilities_exception.list
index 8192a5d..78b17f3 100644
--- a/test/capability_test/new_capabilities_exception.list
+++ b/test/capability_test/new_capabilities_exception.list
@@ -17,9 +17,9 @@
 /usr/bin/pkgmgr-server = cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid+eip
 /usr/bin/muse-server = cap_dac_override+eip
 /usr/bin/amd = cap_dac_override,cap_kill+ep
-/usr/bin/wrt-loader = cap_setgid+ei
+/usr/bin/wrt-loader = cap_setgid,cap_sys_admin+ei
 /usr/bin/tpk-backend = cap_chown,cap_dac_override,cap_fowner+eip
-/usr/bin/launchpad-loader = cap_setgid+ei
+/usr/bin/launchpad-loader = cap_setgid,cap_sys_admin+ei
 /usr/bin/email-service = cap_chown+eip
 /usr/bin/wgt-backend = cap_chown,cap_dac_override,cap_fowner+eip
 /usr/bin/download-provider = cap_chown,cap_dac_override+eip
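Review bot: The new connman-vpnd block has no `# Package` / `# Owner` / `# Date` / `# Required` header, while every other entry in this file (connmand just above it, the charon block added below it, net-config after that) carries one, so a reader cannot tell who owns this grant or why each of the four capabilities is needed. Add a header before `if [ -e "/usr/bin/connman-vpnd" ]` in the same shape as the connmand one: the owning package, an owner line (left as a placeholder until confirmed), the date Oct 26, 2017, `# Required cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw`, and one line per capability stating what the daemon uses it for. In the charon header the `# Required` line lists cap_net_raw before cap_net_broadcast while the setcap line below uses the opposite order; aligning the two avoids the kind of comment drift the first hunk of this file just corrected for connmand. Since the message says charon is executed from connman and both binaries are granted `=ei` (inheritable and effective, no permitted bit), charon presumably only obtains these capabilities when the connman-vpnd process keeps them in its inheritable set, which is worth confirming against how connman-vpnd is launched.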
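Review bot: The `cap_sys_admin` added to `/usr/bin/wrt-loader` and `/usr/bin/launchpad-loader` in this hunk, and likewise to launchpad-process-pool and dotnet-launcher in the next two hunks, together with the new `/usr/bin/oded` entry (cap_sys_ptrace, cap_sys_admin, cap_sys_boot) and `/usr/sbin/route` entry in the last hunk, are not covered by the commit message, which only mentions connman-vpnd and charon. cap_sys_admin is the broadest capability on Linux, and widening the exception list makes the capability test accept it for these launchers without any rationale being recorded here, so these lines should be split into their own change with a per-binary justification or the message should explain them. No matching setcap calls for these binaries appear in config/set_capability in this diff, so presumably the grants are made by the packages themselves; it is worth confirming that this list is meant to mirror capabilities set elsewhere. The connman-vpnd and charon entries do match the setcap lines added to config/set_capability.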
@@ -31,7 +31,7 @@
 /usr/bin/amixer = cap_dac_override+ei
 /usr/bin/pkg_getsize = cap_dac_read_search+eip
 /usr/bin/pkg_cleardata = cap_dac_override+eip
-/usr/bin/launchpad-process-pool = cap_dac_override,cap_setgid,cap_mac_admin+ei
+/usr/bin/launchpad-process-pool = cap_dac_override,cap_setgid,cap_sys_admin,cap_mac_admin+ei
 /usr/bin/mobileap-agent = cap_fowner,cap_net_bind_service,cap_net_admin+eip
 /usr/bin/chgrp = cap_chown+ei
 /usr/bin/xdelta3 = cap_dac_override+ei
@@ -39,7 +39,7 @@
 /usr/bin/telephony-daemon.tv = cap_net_admin,cap_net_raw+ei
 /usr/bin/telephony-daemon.ivi = cap_net_admin,cap_net_raw+ei
 /usr/bin/nether = cap_net_admin+eip
-/usr/bin/dotnet-launcher = cap_setgid,cap_mac_admin+ei
+/usr/bin/dotnet-launcher = cap_setgid,cap_sys_admin,cap_mac_admin+ei
 /usr/bin/wfd-manager = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
 /usr/bin/wfd-manager.tm1 = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
 /usr/bin/wfd-manager.mobile = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
@@ -50,3 +50,7 @@
 /usr/sbin/ifconfig = cap_net_admin+ei
 /usr/bin/pkill = cap_kill+ei
 /usr/bin/toybox = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
+/usr/sbin/route = cap_net_admin+ei
+/usr/bin/oded = cap_dac_override,cap_kill,cap_sys_ptrace,cap_sys_admin,cap_sys_boot+ei
+/usr/bin/connman-vpnd = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
+/usr/bin/charon = cap_setgid,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei