From: Krzysztof Jackiewicz
Date: Thu, 6 Mar 2025 14:59:11 +0000 (+0100)
Subject: Fix launchpad-process-pool capabilities on no-smack
X-Git-Tag: accepted/tizen/9.0/unified/20250517.164436~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F42%2F324142%2F1;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git

Fix launchpad-process-pool capabilities on no-smack

Existing configure_wos script was launched in security-config rpm postinstall. However, during image creation, after rpm installation according to *.ks file the capabilities are overwritten by set_capability script making the configure_wos changes ineffective and leading to security_manager_prepare_app() failure due to insufficient launchpad-process-pool capabilities:

W/SECURITY_MANAGER_CLIENT( 3483): client-security-manager.cpp: operator()(639) > Process ****doesn't**** have required effective capability!
E/SECURITY_MANAGER_CLIENT( 3483): client-security-manager.cpp: security_manager_pre_check(649) > Lack of required capabilities. Aborting!

This commit aims to set proper capabilities both via security-config rpm installation and during image build as well as making the image_test.sh launched during image creation pass. All of this while keeping most of no-smack related changes in one place.

The capability testing script is currently not able to handle more than one set of capability flags (e.g. cap_setuid=eip cap_setgid+ei) for given binary. This can be fixed in future. Launchpad-process-pool needs cap_setuid=eip but other capabilities have only 'ei' flag. To work around it, all launchpad-process-pool capabilities have been changed from 'ei' to 'eip'.

The generate_configure_wos script modifies the set_capability script at build time so the launchpad-process-pool capabilities are set to desired values during image build and can be compared to expected values by check_new_capabilities.sh.
The configure_wos script is also launched in rpm postinstall to facilitate no-smack module development.

Verification:
1. Install security-config rpm
2. Check launchpad-process-pool caps:
   $ getcap /usr/bin/launchpad-process-pool
   /usr/bin/launchpad-process-pool cap_dac_override,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_admin,cap_sys_nice,cap_mac_admin=eip
3. Restart it to use new capabilities:
   $ su - owner
   $ systemctl --user restart launchpad-process-pool
4. Make sure that an app is properly launched, e.g.:
   $ launch_app attach-panel-gallery
   There should be no logs indicating lack of capabilities from SECURITY_MANAGER_CLIENT
5. Run the image test:
   $ /usr/share/security-config/test/image_test.sh
6. Make sure that the capability test result is positive:
   $ cat /opt/share/security-config/result/check_new_capabilities.result
   YES

Change-Id: Id7e79382469fb715fa4443f950dcd24c90320aca
---
diff --git a/config/generate_configure_wos b/config/generate_configure_wos index 5986524..630207e 100755 --- a/config/generate_configure_wos +++ b/config/generate_configure_wos @@ -4,11 +4,12 @@ set -euo pipefail PATH=/bin:/usr/bin:/sbin:/usr/sbin function add_missing_caps { - # launchpad needs additional caps, re-setting them here with additional cap_setuid + # Launchpad needs additional caps. Re-setting them here with additional cap_setuid for the + # purpose of security-config development (rpm postinstall). if [ -e "/usr/bin/launchpad-process-pool" ] then - existing_caps=`/usr/sbin/getcap /usr/bin/launchpad-process-pool | cut -f2- -d" "` - /usr/sbin/setcap "${existing_caps} cap_setuid=eip" /usr/bin/launchpad-process-pool + existing_caps=`/usr/sbin/getcap /usr/bin/launchpad-process-pool | cut -f2 -d" " | cut -f1 -d"="` + /usr/sbin/setcap "${existing_caps},cap_setuid=eip" /usr/bin/launchpad-process-pool fi } 
@@ -48,3 +49,16 @@ echo 'add_groups' echo 'add_services_to_system_access_group "${services[@]}"' echo 'add_missing_caps' echo 'give_rx_to_others' + + +function update_set_capability_script { + # Launchpad needs additional caps. updating the set_capability script that is executed by *.ks + # file during image creation (after rpms are installed) and is tested with + # test/capability_test/check_new_capabilites.sh afterwards + SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) + + sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/launchpad-process-pool)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability" + sed -ri 's/(# Required\s+\/usr\/bin\/launchpad-process-pool\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability" +} + +update_set_capability_script \ No newline at end of file diff --git a/config/set_capability b/config/set_capability index 0d06e09..9f39d86 100755 --- a/config/set_capability +++ b/config/set_capability @@ -425,7 +425,7 @@ fi # Package platform/core/appfw/launchpad # Owner Junghoon Park(jh9216.park@samsung.com) # Date July 4, 2017 -# Required /usr/bin/launchpad-process-pool : cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_admin, cap_sys_nice, cap_sys_chroot : ei +# Required /usr/bin/launchpad-process-pool : cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_admin, cap_sys_nice, cap_sys_chroot : eip # Required /usr/bin/launchpad-loader : cap_sys_admin,cap_sys_nice,cap_setgid : ei # cap_mac_admin to use security_manager_prepare_app() # cap_dac_override fd redirection in debug mode of app running 
@@ -435,7 +435,7 @@ fi # cap_sys_chroot to use setns() if [ -e "/usr/bin/launchpad-process-pool" ] -then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid,cap_sys_chroot=ei /usr/bin/launchpad-process-pool +then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid,cap_sys_chroot=eip /usr/bin/launchpad-process-pool fi # TODO : condition check about launchpad-starter is temporary
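Review bot: in add_missing_caps (generate_configure_wos, first hunk) the new `cut -f2 -d" " | cut -f1 -d"="` pipeline assumes getcap prints `<path> <caps>=<flags>`; libcap versions that print `<path> = <caps>=<flags>` make field 2 the literal `=`, so existing_caps is empty and, under `set -euo pipefail`, `setcap ",cap_setuid=eip"` aborts the rpm postinstall. The same empty-string failure occurs when the binary carries no file capabilities yet (getcap prints nothing). Suggest taking everything after the last space instead, e.g. `existing_caps=$(/usr/sbin/getcap /usr/bin/launchpad-process-pool | sed 's/^.* //; s/=.*$//')`, and only prepending `"${existing_caps},"` when it is non-empty. Note also that the rewrite applies `=eip` to whatever capabilities are on the file at that moment, not just to the six listed in set_capability, so the permitted widening is as broad as the current file state rather than a fixed list.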
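Review bot: in update_set_capability_script (generate_configure_wos, second hunk) both sed expressions succeed silently when nothing matches and are not idempotent: a formatting drift in set_capability would quietly reintroduce the image-build failure this commit fixes, and running the generator twice produces `cap_setuid,cap_setuid,...`. Suggest asserting that the edit took effect, e.g. `grep -Eq 'setcap +cap_setuid,.*launchpad-process-pool' "$SCRIPT_DIR/set_capability" || exit 1`, and skipping the substitution when cap_setuid is already present on the line. Minor: `\1 cap_setuid,\2` leaves a double space after `setcap` because `\1` already ends in whitespace, the comment misspells the test script as `check_new_capabilites.sh`, and the file now ends without a trailing newline.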
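Review bot: the `# Required /usr/bin/launchpad-process-pool` header (set_capability, first hunk) now says `: eip` but still omits cap_setuid, which is only spliced in by the generator's sed at build time, so a reader of the checked-in file sees a capability list that differs from what the image actually gets; and the rationale lines that follow (`# cap_mac_admin to use security_manager_prepare_app()`, `# cap_dac_override fd redirection ...`) gain no entry explaining what cap_setuid is for or why the permitted bit is now required. Suggest adding a `# cap_setuid ...` rationale line plus a note that cap_setuid is inserted by generate_configure_wos, or committing cap_setuid directly here instead of patching it in with sed.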
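Review bot: the `=ei` to `=eip` change on the setcap line (set_capability, second hunk) widens privilege beyond cap_setuid: with `ei` only, cap_sys_admin, cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_nice and cap_sys_chroot were granted only when already present in the caller's inheritable set, whereas with `p` every process that can exec /usr/bin/launchpad-process-pool receives them in its permitted set regardless of who launches it. The commit message presents this as a workaround for check_new_capabilities.sh handling a single flag set, so the review questions are whether the binary's file mode limits who can execute it (the generated configure_wos also runs give_rx_to_others) and whether launchpad-process-pool drops the capabilities it does not need early; extending the test script to accept per-capability flags (`cap_setuid=eip cap_sys_admin=ei ...`) would let the other six stay at `ei`.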