From: Karol Lewandowski <k.lewandowsk@samsung.com>
Date: Mon, 15 Mar 2021 14:00:47 +0000 (+0100)
Subject: spec: Santize programs' permissions
X-Git-Tag: accepted/tizen/unified/20210318.055925~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fe8def63f8d2a8d1a9bbbadb84ce9c77b2d65373;p=platform%2Fcore%2Fsystem%2Fcrash-worker.git

spec: Santize programs' permissions

Use default only where necessary and clearly
write the reason behind it.

Change-Id: I96b696c4b8268a9548be3f105dc827a67b436742
---

diff --git a/packaging/crash-worker.spec b/packaging/crash-worker.spec
index 2338cd7..85558f9 100644
--- a/packaging/crash-worker.spec
+++ b/packaging/crash-worker.spec
@@ -283,21 +283,23 @@ fi
 %license LICENSE
 %manifest crash-worker.manifest
 %dir %{crash_root_path}
+# attr() needed because: crash-worker running as crash_worker:crash_worker (user:group) creates files/dir under this path
 %attr(0775,crash_worker,crash_worker) %{crash_path}
-%attr(-,root,root) %{upgrade_script_path}/500.crash-manager-upgrade.sh
+%{upgrade_script_path}/500.crash-manager-upgrade.sh
 
 %files dumpsystemstate-util
 %manifest crash-worker.manifest
 %license LICENSE
-%attr(0750,crash_worker,crash_worker) %{_bindir}/dump_systemstate
+# attr() needed because: dump_systemstate has Smack exec_label(=System) set and we don't want to allow everyone to abuse it
+%attr(0750,root,crash_worker) %{_bindir}/dump_systemstate
 
 %if %{with dumpsystemstateservice}
 %files dumpsystemstate-service
 %license LICENSE
 %manifest crash-worker.manifest
-%attr(0750,crash_worker,crash_worker) %{_bindir}/dump_systemstate-service
-%attr(-,root,root) %{_unitdir}/dump_systemstate.service
-%attr(-,root,root) %{_datadir}/dbus-1/system-services/org.tizen.dumpsys.providers.org.tizen.systemstate.service
+%{_bindir}/dump_systemstate-service
+%{_unitdir}/dump_systemstate.service
+%{_datadir}/dbus-1/system-services/org.tizen.dumpsys.providers.org.tizen.systemstate.service
 %endif
 
 %files dumpsystemstate-config
@@ -310,8 +312,9 @@ fi
 %files support-regdump
 %license LICENSE
 %manifest crash-worker.manifest
-%attr(-,root,root) %{_prefix}/lib/sysctl.d/70-crash-manager.conf
-%attr(0750,crash_worker,crash_worker) %{_bindir}/crash-manager
+%{_prefix}/lib/sysctl.d/70-crash-manager.conf
+# attr() needed because: crash-worker has Smack exec_label(=System::Privileged) set and we don't want to allow everyone to abuse it
+%attr(0750,root,crash_worker) %{_bindir}/crash-manager
 %{_libexecdir}/crash-popup-launch
 %{_libexecdir}/crash-notify-send
 %endif
@@ -374,7 +377,6 @@ fi
 %if %{with tests}
 %files tests
 %manifest %{name}.manifest
-%defattr(-,root,root)
 %{_libexecdir}/crash-worker/tests/test1-default-crash
 %{_libexecdir}/crash-worker/tests/test1-default-sleep
 %{_libexecdir}/crash-worker/tests/test1-default-ill