From: Krzysztof Malysa Date: Wed, 15 Jan 2025 15:23:06 +0000 (+0100) Subject: Add app_access and system_access groups + add services to the latter X-Git-Tag: accepted/tizen/unified/20250128.152850^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Faccepted%2Ftizen_unified_x_asan;p=platform%2Fcore%2Fsecurity%2Fsecurity-config.git Add app_access and system_access groups + add services to the latter Change-Id: I3d41f4df66adee1ffe8088c8668e4d3725375988
---
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ffcded2..685aad2 100755
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -9,6 +9,9 @@ SET(VERSION_MAJOR 0)
 SET(VERSION "${VERSION_MAJOR}.0.2")
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/group_id_setting DESTINATION /usr/share/security-config)
+IF(WOS)
+ INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/configure_wos DESTINATION /usr/share/security-config)
+ENDIF(WOS)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_label DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/set_capability DESTINATION /usr/share/security-config)
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/mdm_blacklist DESTINATION /usr/share/security-config)
diff --git a/config/generate_configure_wos b/config/generate_configure_wos
new file mode 100755
index 0000000..ccdb0de
--- /dev/null
+++ b/config/generate_configure_wos
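Review bot: `INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/configure_wos ...)` installs a file that is not committed but, judging by the spec's %build step, generated into the source tree by config/generate_configure_wos, so a tree configured with `-DWOS=ON` without running the generator first only fails at install time with a bare missing-file error. A configure-time guard makes the dependency explicit: `IF(WOS AND NOT EXISTS ${CMAKE_SOURCE_DIR}/config/configure_wos)` / `MESSAGE(FATAL_ERROR "config/configure_wos is missing; run config/generate_configure_wos before configuring with -DWOS=ON")` / `ENDIF()`. `WOS` is also never declared, so an `OPTION(WOS "Install the generated WOS configure script" OFF)` would document the switch and its default in the cache. `ENDIF(WOS)` repeats the condition in the legacy form; `ENDIF()` is enough.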
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -euo pipefail
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+function add_groups {
+ groupadd --force system_access
+ groupadd --force app_access
+}
+
+function add_services_to_system_access_group {
+ for service_path in "$@"; do
+ unit_name="${service_path##*/}"
+ mkdir -p "/etc/systemd/system/${unit_name}.d/"
+ cat > "/etc/systemd/system/${unit_name}.d/system_access.conf" <<- EOF
+ [Service]
+ SupplementaryGroups=system_access
+ EOF
+ done
+ systemctl daemon-reload
+}
+
+head -n "$((LINENO - 1))" "${BASH_SOURCE[0]}"
+
+echo 'services=('
+grep -iP '[^,]\.service' test/new_service_test/systemd_service.csv | sed "s/^\([^,]*\),.*/\t'\1'/"
+echo ')'
+
+echo 'add_groups'
+echo 'add_services_to_system_access_group "${services[@]}"'
diff --git a/packaging/security-config.spec b/packaging/security-config.spec
index d7ae400..2776291 100755
--- a/packaging/security-config.spec
+++ b/packaging/security-config.spec
@@ -57,7 +57,14 @@ additional security tests and settings for IoT headless profile
 %build
+%if "%{?dev_wos}" == "1"
+config/generate_configure_wos > config/configure_wos
+%endif
+
 %cmake . -DARCH=%{_arch} \
+%if "%{?dev_wos}" == "1"
+ -DWOS=ON \
+%endif
 -DSYSTEMD_INSTALL_DIR=%{_unitdir}
 %install
@@ -86,6 +93,9 @@ cp -f test/utils/riscv64/* %{buildroot}%{SECURITY_TEST_DIR}/utils/
 %post
 /usr/share/security-config/group_id_setting
+%if "%{?dev_wos}" == "1"
+/usr/share/security-config/configure_wos
+%endif
 /usr/share/security-config/set_label
 mkdir -p /opt/share/security-config/result
 mkdir -p /opt/share/security-config/log
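Review bot: The service list is extracted with `grep -iP '[^,]\.service'`, which matches `.service` anywhere in a CSV row rather than only in the first field that the following `sed` captures, and the generated `add_services_to_system_access_group` then builds a path under /etc/systemd/system from whatever `unit_name` that yields, with no check that it looks like a unit name. If the first column is the unit path, as the sed capture suggests, anchoring the pattern to that column and validating each name at generation time (where a failure is cheap and visible in the build log) keeps a malformed or edited CSV row from producing a drop-in directory for a non-existent unit at install time; the rewrite below replaces the grep/sed pipeline with that check and keeps the `\t'name'` output format. The single quotes the sed replacement wraps around each name would also break the generated array if a field ever contained `'`; the name check rejects that too. The heredoc uses `<<- EOF`, which strips only leading tabs, and the indentation is not recoverable from this view, so please confirm the file is tab-indented or the `EOF` terminator will not be recognised.
```shell
# … unchanged: shebang, set -euo pipefail, PATH, add_groups, add_services_to_system_access_group, head … 

echo 'services=('
# Only the first CSV column is a unit path; reject anything that is not a plain unit name
# before it is baked into the generated script and used to build paths under /etc/systemd/system.
grep -iP '^[^,]*\.service,' test/new_service_test/systemd_service.csv | sed 's/^\([^,]*\),.*/\1/' | while IFS= read -r service_path; do
	unit_name="${service_path##*/}"
	if [[ ! "${unit_name}" =~ ^[A-Za-z0-9_.@:-]+\.service$ ]]; then
		echo "generate_configure_wos: unexpected unit name '${service_path}' in systemd_service.csv" >&2
		exit 1
	fi
	printf "\t'%s'\n" "${service_path}"
done
echo ')'

# … unchanged: echo 'add_groups' and the call line …
```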
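Review bot: The condition `%if "%{?dev_wos}" == "1"` is repeated at every site this commit touches (twice in this hunk, once in the %post hunk below and once in the %files hunk), so any change to how the flag is passed has to be made in five places. Deciding it once near the top of the spec, `%if "%{?dev_wos}" == "1"` / `%global with_wos 1` / `%endif`, and testing `%if 0%{?with_wos}` at each site keeps the sites from drifting apart. `config/generate_configure_wos > config/configure_wos` also writes the generated script into the source tree, which is what `INSTALL(FILES ${CMAKE_SOURCE_DIR}/config/configure_wos ...)` then reads; inside an rpm build that is probably harmless, but generating into the build directory and installing from there would keep a developer checkout clean.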
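Review bot: configure_wos is run from %post at package install time, and the script it is generated from (the config/generate_configure_wos hunk above) runs under `set -euo pipefail` and ends with `systemctl daemon-reload`; when the package is installed into an image-build chroot with no running systemd instance, that call fails and, under `-e`, the scriptlet aborts after the drop-ins have already been written, so the package install fails for a step that was not needed. If the reload is only a convenience for installs on a live system (drop-ins are read at the next boot regardless), making it best-effort in the generator, `systemctl daemon-reload || true`, avoids the spurious failure; if a live reload really is required, a comment in %post should say so. The script also runs before set_label creates its labels; whether set_label covers the new files under /etc/systemd/system is not visible here and is worth confirming.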
@@ -142,6 +152,9 @@ chsmack -a "System::NoUse" /etc/smack/onlycap
 %attr(755,root,root) /usr/share/security-config/set_capability
 %attr(755,root,root) /usr/share/security-config/mdm_blacklist
 %attr(755,root,root) /usr/share/security-config/change_permission
+%if "%{?dev_wos}" == "1"
+%attr(755,root,root) /usr/share/security-config/configure_wos
+%endif
 %attr(700,root,root) /usr/share/security-config/update_privacy_mount_list.sh
 %attr(644,root,root) /usr/lib/tmpfiles.d/security-config.conf
 %attr(755,root,root) %{SECURITY_TEST_DIR}/image_test.sh