From: Yunmi Ha
Date: Tue, 5 Jul 2016 04:40:16 +0000 (+0900)
Subject: Remove smack capability
X-Git-Tag: accepted/tizen/common/20160705.170657^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F84%2F78284%2F4;p=platform%2Fupstream%2Fgumd.git
Remove smack capability with wearable profile, CAP_MAC_ADMIN and CAP_MAC_OVERRIDE capabilities are removed. (can't use useradd/del/modify function without offline option.) with other profile, only CAP_MAC_OVERRIDE capability is removed. For this, gumd launcher was changed to systemd.
Change-Id: Ic95fceed41afc41e37e93606c3abf830536ac7d6
Signed-off-by: Yunmi Ha
---
diff --git a/.gitignore b/.gitignore
index e49dce2..4936907 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,7 +36,6 @@ test/data/services/org.O1.SecurityAccounts.gUserManagement.service
 test/data/test-gumd-dbus.conf
 src/utils/gum-utils
 stamp-h1
-*service
 docs/gumd-decl-list.txt
 docs/gumd-decl.txt
 docs/gumd-overrides.txt
diff --git a/data/Makefile.am b/data/Makefile.am
index 1ca8c11..5a66951 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -1,5 +1,6 @@
 EXTRA_DIST = \
 gumd.conf.in \
+ gumd.service \
 tizen
 gumdconfdir = ${sysconfdir}/gumd
diff --git a/data/Makefile.in b/data/Makefile.in
index b955e96..478fab4 100644
--- a/data/Makefile.in
+++ b/data/Makefile.in
@@ -301,6 +301,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ EXTRA_DIST = \ gumd.conf.in \ + gumd.service \ tizen gumdconfdir = ${sysconfdir}/gumd
diff --git a/data/gumd.service b/data/gumd.service
new file mode 100755
index 0000000..021c614
--- /dev/null
+++ b/data/gumd.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=User Management service
+Requires=dbus.socket
+After=dbus.socket
+
+[Service]
+Type=dbus
+BusName=org.O1.SecurityAccounts.gUserManagement
+ExecStart=/usr/bin/gumd
+CapabilityBoundingSet=~CAP_MAC_OVERRIDE
diff --git a/packaging/gumd.spec b/packaging/gumd.spec
index 751eaf7..0a59e5c 100644
--- a/packaging/gumd.spec
+++ b/packaging/gumd.spec
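Review bot: `CapabilityBoundingSet=~CAP_MAC_OVERRIDE` in the new data/gumd.service is a deny-list, so every capability other than the one named stays in the daemon's bounding set. The unit has no `User=` line, so the service presumably runs as root, and an allow-list would be easier to audit: once the capabilities gumd really uses are known, the line could become `CapabilityBoundingSet=<capabilities gumd needs>` (placeholder, the required set is not visible in this commit). The file is also added with `new file mode 100755`; unit files are not executed, so 0644 in the tree would match the `install -m 644` in the spec.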
@@ -4,6 +4,13 @@
 # WARNING! do not use for production builds as it will break security
 %define debug_build 0
+%if "%{profile}" == "wearable"
+%define disable_cap_admin 1
+%else
+%define disable_cap_admin 0
+%endif
+
+
 Name: gumd
 Summary: User management daemon and client library
 Version: 1.0.8
@@ -80,6 +87,9 @@ Requires: libgum = %{version}-%{release}
 %setup -q -n %{name}-%{version}
 cp -a %{SOURCE1001} %{name}.manifest
 cp -a %{SOURCE1002} libgum.manifest
+%if %{disable_cap_admin} == 1
+echo "CapabilityBoundingSet=~CAP_MAC_ADMIN" >> data/gumd.service
+%endif
 %build
 autoreconf -ivf
@@ -96,6 +106,8 @@ rm -rf %{buildroot}
 rm -f %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
 install -m 755 -d %{buildroot}%{_sysconfdir}/%{name}
 install -m 644 data/tizen/etc/%{name}/%{name}-tizen-common.conf %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
+install -m 755 -d %{buildroot}%{_unitdir}
+install -m 644 data/gumd.service %{buildroot}%{_unitdir}
 %post
 ldconfig
@@ -144,6 +156,7 @@ install -d -m 755 %{_localstatedir}/lib/%{name}/user
 %dir %{_sysconfdir}/dbus-1
 %dir %{_sysconfdir}/dbus-1/system.d
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/gumd-dbus.conf
+%{_unitdir}/gumd.service
 %endif
 %files doc
diff --git a/src/daemon/dbus/gumd-dbus-group-service-adapter.c b/src/daemon/dbus/gumd-dbus-group-service-adapter.c
old mode 100644
new mode 100755
diff --git a/src/daemon/dbus/gumd-dbus-user-service-adapter.c b/src/daemon/dbus/gumd-dbus-user-service-adapter.c
old mode 100644
new mode 100755
diff --git a/src/daemon/dbus/services/org.O1.SecurityAccounts.gUserManagement.service.in b/src/daemon/dbus/services/org.O1.SecurityAccounts.gUserManagement.service.in
index 02fb552..fc14728 100644
--- a/src/daemon/dbus/services/org.O1.SecurityAccounts.gUserManagement.service.in
+++ b/src/daemon/dbus/services/org.O1.SecurityAccounts.gUserManagement.service.in
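Review bot: The `%if "%{profile}" == "wearable"` test at the top of gumd.spec makes the stricter setting opt-in, so a build where `profile` is undefined or misspelled falls into `%else` and keeps CAP_MAC_ADMIN without any message. A comment above the block would record the intent, for example `# wearable: also drop CAP_MAC_ADMIN (user add/del/modify then needs the offline option)`. It is worth confirming that every build target defines `profile`, since that definition is not visible in this commit.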
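Review bot: The `echo "CapabilityBoundingSet=~CAP_MAC_ADMIN" >> data/gumd.service` line in the `-80,6 +87,9` hunk is correct only while `[Service]` is the last section of the unit and the file ends with a newline. If an `[Install]` section is ever appended to the unit, the directive lands outside `[Service]`, where systemd does not apply it, and CAP_MAC_ADMIN stays available with no build error. Rewriting the existing directive keeps both capabilities on one line in the right section: `sed -i 's/^CapabilityBoundingSet=.*/CapabilityBoundingSet=~CAP_MAC_OVERRIDE CAP_MAC_ADMIN/' data/gumd.service`. The %prep section starts before this hunk.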
@@ -1,4 +1,5 @@
 [D-BUS Service]
 Name=org.O1.SecurityAccounts.gUserManagement
-Exec=@prefix@/bin/gumd
+Exec=/bin/false
 @MESSAGE_BUS_USER@
+SystemdService=gumd.service
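Review bot: `Exec=/bin/false` is deliberate but undocumented, and a later cleanup could restore the real binary path. A bus daemon that activates services directly would then start gumd outside the unit and without its `CapabilityBoundingSet`. A comment above the line would protect it, for example `# Placeholder: gumd must be started through SystemdService so the unit's capability limits apply`. It is also worth checking that the test bus under test/data, which the .gitignore hunk references, does not rely on direct activation from this template.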