Jin-gyu Kim [Wed, 23 Jun 2021 04:06:25 +0000 (13:06 +0900)]
Add aslr exception lists.
- Some executables are included in packages not being compiled.
- In these cases, applying PIE option is not available.
Change-Id: I20b2da508ad01a9beeb0c497ed1086533da460ea
Jin-gyu Kim [Fri, 11 Jun 2021 19:08:25 +0000 (04:08 +0900)]
Check the existence of ipv6host before trying to write.
Change-Id: Ie79e77df84c7ee8ae5332d3ab59aaa898ccc5ce0
Dongkyun Son [Thu, 3 Jun 2021 02:54:19 +0000 (11:54 +0900)]
smack: add ip(10.0.2.15) to allow gdb remote debugging
To fix smack denial:
audit: type=1400 audit(1622180305.290:90): lsm=SMACK fn=smack_inet_conn_request action=denied subject="System::Privilege::Internet" object="User::Pkg::org.example.basicui4" requested=w pid=2315 comm="sdbd" saddr=10.0.2.15 src=39898 daddr=10.0.2.15 dest=26112 netif=lo
Change-Id: Id6ee685555d68df90ec226847e7d2c87c502333d
Signed-off-by: Dongkyun Son <dongkyun.s@samsung.com>
Tomasz Swierczek [Wed, 2 Jun 2021 09:30:30 +0000 (09:30 +0000)]
Merge "Add IPv6 configuration for internet privilege" into tizen
Jin-gyu Kim [Mon, 31 May 2021 19:50:33 +0000 (04:50 +0900)]
Add deviced-request-shutdown@.service
- Requested by SECSFV-200
Change-Id: I9487efef589b4987aae50559838df21f0a9bae8c
Tomasz Swierczek [Mon, 24 May 2021 07:54:36 +0000 (09:54 +0200)]
Add IPv6 configuration for internet privilege
Change-Id: I12b260cecb8352dc7dc9f943f2824d4639da8028
Jin-gyu Kim [Thu, 6 May 2021 05:56:37 +0000 (14:56 +0900)]
Add audio-aec.service to all profiles.
Requested by SECSFV-199
Change-Id: Ic040a99d69d2f670e152bc52313cab0476ddd0ca
Jin-gyu Kim [Mon, 3 May 2021 08:13:19 +0000 (17:13 +0900)]
Add missing SMACK labelling cmd in change_permission.
This does not affect any operation, but need to reset SMACK label
for any mismatch in SMACK label.
Change-Id: I0d6053c341d4070d25b7a0839ef439a4972ed424
Jin-gyu Kim [Mon, 3 May 2021 05:34:25 +0000 (14:34 +0900)]
Do not use rpm command in set_capability
"rpm" command may not exist in some cases.
Instead of using it, check a specific file path to determine whether a certain
rpm is installed or not.
Change-Id: I6f5fda1cd35cac3bc039c5b4e008b28eafdeb1c1
Jin-gyu Kim [Fri, 23 Apr 2021 05:31:51 +0000 (14:31 +0900)]
Create a new script for setting permissions.
This script needs to be run while image is being created or updated.
(After in-house applications are installed.)
We could consider it to be run in security-config service, but it will
increase the 1st boot time.
Change-Id: I5a11dd720ea46ae69b1acc6be09305c74fb39292
jin-gyu.kim [Wed, 7 Apr 2021 05:32:36 +0000 (14:32 +0900)]
Add accounts-service.service to tv profile.
Change-Id: Icad4a1e5679339ff0f509c765f291bda0383b246
jin-gyu.kim [Fri, 19 Mar 2021 06:52:12 +0000 (15:52 +0900)]
Add pkgmgr-info service & socket
Change-Id: I3ad594cf6e4161c5742af40555a75d84f5558035
jin-gyu.kim [Fri, 19 Mar 2021 02:37:32 +0000 (11:37 +0900)]
Add a comment to the last line of list files.
In some implementations, "read" in shell script cannot read the last line.
To avoid an unexpected problem, add a meaningless comment in every list file.
Change-Id: Iec5603152d71ef61ccfbe71fbab196ebc3eb1890
jin-gyu.kim [Fri, 19 Mar 2021 01:31:20 +0000 (10:31 +0900)]
Add missing uwb-manager service in iot profile.
Change-Id: Icb886ccd5b4c55f1bc2505af355066b2737fe494
jin-gyu.kim [Wed, 17 Mar 2021 05:01:21 +0000 (14:01 +0900)]
Add mdnsd.service
- Give cap_net_admin & cap_net_raw to /usr/sbin/mdnsd
Change-Id: Ic84a2302af6b434b7928c91b04b26f1d1a75cf53
jin-gyu.kim [Mon, 15 Mar 2021 08:22:12 +0000 (17:22 +0900)]
Include security-config service to TV profile.
Change-Id: Ibd7af5b37c7da399a24e3e8a0f093c3d09b64c3a
Jin-gyu Kim [Fri, 12 Mar 2021 06:17:46 +0000 (06:17 +0000)]
Merge "Add dump_systemstate.service" into tizen
Jin-gyu Kim [Fri, 12 Mar 2021 06:17:34 +0000 (06:17 +0000)]
Merge "Rename crash-service.service as bugreport.service" into tizen
jin-gyu.kim [Wed, 10 Mar 2021 08:35:19 +0000 (17:35 +0900)]
Add dump_systemstate.service
Change-Id: Ib1fbb601e03c21f6e74e5cc53e6e09380fd9e736
jin-gyu.kim [Wed, 10 Mar 2021 08:28:50 +0000 (17:28 +0900)]
Rename crash-service.service as bugreport.service
- Executable name is also changed as bugreport-service.
- Therefore, a change in set_capability is also included.
Change-Id: I407982d19f92f1084911d930e8ba070b47d2287f
jin-gyu.kim [Thu, 11 Mar 2021 04:21:33 +0000 (13:21 +0900)]
Add missing security-config service in TV profile.
Change-Id: Idfc59d09c699e176c3a116ccac8679dd99415e76
jin-gyu.kim [Tue, 9 Mar 2021 05:16:00 +0000 (14:16 +0900)]
Add uwb-manager service.
- Add it to common & tv profiles.
Change-Id: Ic424c600012bd80f171ac490ec93daa4ed060c3b
김진규/Security Team(SR)/Staff Engineer/Samsung Electronics [Wed, 3 Mar 2021 02:13:12 +0000 (11:13 +0900)]
Add obex service to tv profile.
Change-Id: I52840afeecff41d138969244c020871cffc10acf
INSUN PYO [Wed, 24 Feb 2021 09:19:51 +0000 (18:19 +0900)]
Add /usr/bin/qemu-arm-binfmt to ASLR exception list
/usr/bin/qemu-arm-binfmt is linked to /usr/bin/qemu-arm on mic-bootstrap.
(http://download.tizen.org/snapshots/tizen/unified/tizen-unified_20210223.1/repos/standard/packages/armv7l/mic-bootstrap-x86-arm-1.0-10.17.armv7l.rpm)
Sometimes local mic fails with mic error message. (Ubuntu 18.04 latest, mic 0.28.12)
===========================================================================================
[02/24 16:52:12 KST] #################### generic-security.post ####################
[02/24 16:52:12 KST] Give capabilities to daemons via set_capability from security-config package
[02/24 16:52:20 KST] Run security-test
[02/24 16:52:31 KST] /opt/share/security-config/test/image_test.sh: line 26: /bin/cat: Permission denied
[02/24 16:52:31 KST] /opt/share/security-config/test/image_test.sh: line 86: /bin/cat: Permission denied
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 298: /bin/security-manager-cmd: Permission denied
[02/24 16:52:31 KST] #################### generic-dbus-policychecker.post ####################
[02/24 16:52:31 KST]
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: Checking D-Bus policy file: /etc/dbus-1/system.d/alarm-service.conf
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: /usr/bin/dbuspolicy-checker: /bin/sh: bad interpreter: Permission denied
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 309: /bin/wc: Permission denied
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 309: /bin/grep: Permission denied
[02/24 16:52:31 KST]
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 311: [: -gt: unary operator expected
===========================================================================================
sh-3.2# cat /opt/share/security-config/test/log/aslr_not_applied_files
/usr/bin/protoc
/usr/bin/qemu-arm-binfmt
/usr/sbin/glibc_post_upgrade
/usr/sbin/ldconfig
sh-3.2# cat /opt/share/security-config/test/log/aslr_test_tmpfile
/usr/bin/protoc
/usr/bin/qemu-arm
/usr/bin/qemu-arm-binfmt
/usr/sbin/glibc_post_upgrade
/usr/sbin/ldconfig
sh-3.2# cat /opt/share/security-config/test/log/image_test_log
ASLR not applied list ######
Change-Id: I488ab3a8e24e2ee94b74ac1cb8ed2af46fe98677
Yunjin Lee [Wed, 24 Feb 2021 07:32:17 +0000 (16:32 +0900)]
Add prebuilt included services(lhd, gpsd) to systemd service list
- Added prebuilt plugin included services - lhd.service and gpsd.service
- to systemd_service list of wearable profile temporarily
Change-Id: Ibae6c3a714d7b49a4d093045638db86f0d3d153f
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
jin-gyu.kim [Wed, 24 Feb 2021 06:01:05 +0000 (15:01 +0900)]
Add factory-reset & factory-reset-launch services to tv profile.
Change-Id: Ia895615eaa629979431139350fb7121c34e21a8f
jin-gyu.kim [Tue, 23 Feb 2021 04:04:41 +0000 (13:04 +0900)]
Fix a typo in spec file.
Change-Id: I3420291c8bd5e8d430cc1f1a463c77fadf5048e9
jin-gyu.kim [Tue, 23 Feb 2021 02:38:45 +0000 (11:38 +0900)]
Include onlycap list file in profile packages.
- Remove onlycap list file from security-config main rpm.
Change-Id: I5f37e7a21a8d1eada3095d29ed95797a226d7e6e
jin-gyu.kim [Mon, 22 Feb 2021 07:09:22 +0000 (16:09 +0900)]
Add smartreply service to tv profile.
Change-Id: I29d5a0ff40023f818463db53af7469dc3b77a062
jin-gyu.kim [Mon, 22 Feb 2021 04:28:46 +0000 (13:28 +0900)]
Add exception lists for SMACK execute label test.
- Some executables need to be set SMACK execute label.
- Add exception list file to include those cases.
Change-Id: I24a3abb50b6d5a2c43db276ab1219f64ef2a309a
jin-gyu.kim [Wed, 17 Feb 2021 05:31:06 +0000 (14:31 +0900)]
Include network_fw uid to dialout gid
Change-Id: Ib24dfdbf4a0cb0edab83b8f9df53eb223e56c9e4
jin-gyu.kim [Tue, 9 Feb 2021 02:16:51 +0000 (11:16 +0900)]
Include onlycap list files in all profiles.
Change-Id: Ibb604b782108ace1ae30e82627792d434f291931
jin-gyu.kim [Wed, 3 Feb 2021 07:08:18 +0000 (16:08 +0900)]
Add cap_sys_module capability to wfd-manager.
Change-Id: Ie9b10ac6f1d97b71eb73f0d1ab65a5d5f5b370cd
jin-gyu.kim [Wed, 3 Feb 2021 06:12:34 +0000 (15:12 +0900)]
Add cap_sys_module capability to net-config.
Change-Id: I516cd739a0851f4b0c0bc8bc2a3efc523a9ef618
jin-gyu.kim [Fri, 15 Jan 2021 03:55:27 +0000 (12:55 +0900)]
Give cap_mac_admin to wrt-service
- "eip" option is applied, but restricted to use by only chromium-efl app.
Change-Id: I025a3c34c84179d4986c25216288a088c555c4bf
jin-gyu.kim [Wed, 16 Dec 2020 09:13:09 +0000 (18:13 +0900)]
Support to check wildcard for path_exception.list
- File path can be changed by its package version.
- Wildcard(*) can be added in path_exception.list.
- Compare each exception list line to distinguish a wildcard pattern.
Change-Id: Ieaea75e7e59f3468251fcd8c0271dd9af5e0deb0
jin-gyu.kim [Fri, 11 Dec 2020 06:00:35 +0000 (15:00 +0900)]
Give cap_kill to sdbd & sdbd-service.
Change-Id: I68ec6f1d95857f797d582eabde9581165e944ce2
INSUN PYO [Tue, 1 Dec 2020 06:12:30 +0000 (15:12 +0900)]
Fix /usr/bin/touch path
Change-Id: Iabe01813e8873a5e7b0cf1c3bd709e9cfe1cee0a
Yunjin Lee [Wed, 4 Nov 2020 02:54:15 +0000 (02:54 +0000)]
Merge "Add FOTA script to apply privilege mapping changes" into tizen
jin-gyu.kim [Tue, 27 Oct 2020 01:29:48 +0000 (10:29 +0900)]
Add emergency-target-holder.service
Change-Id: I8cad5e7059a7831bfd1a72aea7734d71c5dae1ef
Yunjin Lee [Wed, 21 Oct 2020 10:22:32 +0000 (19:22 +0900)]
Add FOTA script to apply privilege mapping changes
4.0
- native systemsettings.admin -> core systemsettings.admin
- web filesystem.read -> core systemsettings.admin
- web filesystem.write -> core systemsettings.admin
- web setting -> core systemsettings.admin
- web networkbearerselection -> core network.set
5.5
- native systemsettings.admin -> core systemsettings.admin, internal/buxton/systemsettings
- web filesystem.read -> core filesystem.read
- web filesystem.write -> core filesystem.write
- web setting -> core internal/buxton/systemsettings
6.0
- web networkbearerselection -> core network.set, network.route
Change-Id: I5f69666cb3774fd2bba2c175e3df327b15d1f3ed
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
jin-gyu.kim [Fri, 16 Oct 2020 00:49:08 +0000 (09:49 +0900)]
Fix typo in netlabel_config.
Change-Id: I1ea188fd6765520dd99c4b025b0c322420c10a94
Yunjin Lee [Tue, 6 Oct 2020 01:50:29 +0000 (10:50 +0900)]
Update path check exception list
- Add followings:
/usr/share/icu/65.1/install-sh
/usr/share/icu/65.1/mkinstalldirs
Change-Id: I73c3fcaf9bb89d20fb3edfa78f6f19e2132dc5b8
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Mon, 5 Oct 2020 06:21:56 +0000 (15:21 +0900)]
Update path check exception list
- Add followings:
/usr/bin/strace-log-merge
/usr/bin/gdb-add-index
/usr/bin/gcore
Change-Id: I952feb03bf409287091425e1efbe553009048bd2
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
jin-gyu.kim [Tue, 29 Sep 2020 07:34:10 +0000 (16:34 +0900)]
Add exception list for path check test.
Add below scripts for exception lists.
/usr/share/upgrade/scripts/600.gpsd.patch.sh
/opt/etc/dump.d/module.d/dump_gpsd.sh
Change-Id: I2d02bb5fdcff9fe011687d301bcb8f4074e372ba
jin-gyu.kim [Mon, 28 Sep 2020 07:15:03 +0000 (16:15 +0900)]
Launch all apps when running SMACK rule test.
- Some SMACK rules are dynamically added while launching apps.
- To compare all SMACK rules, launching all apps before running security test.
Change-Id: I562d2bafaab0ea2dffdeaecfc41f85bfb8e04e09
Kim Kidong [Thu, 24 Sep 2020 02:21:34 +0000 (02:21 +0000)]
Merge "Modify netlabel to support privilege-smack mapping." into tizen
Kidong Kim [Fri, 18 Sep 2020 08:00:59 +0000 (17:00 +0900)]
Change smack label of tlm.service (User -> System)
Change-Id: Ic0f90d5790c98c024aad655058aceb13cfa27edc
Kidong Kim [Wed, 9 Sep 2020 04:55:26 +0000 (13:55 +0900)]
Give capabilities to sdbd-service
Change-Id: I2f5c72c66eb53dbad5442dc2c8341b4c98198287
jin-gyu.kim [Mon, 7 Sep 2020 02:45:28 +0000 (02:45 +0000)]
Give capabilities to support update-control.
- cap_sys_admin to /usr/bin/update-manager
- cap_dac_override to /usr/sbin/img-verifier
Change-Id: I97330c8ba642e34bbff97b800bebc1faa95107d9
jin-gyu.kim [Thu, 3 Sep 2020 06:23:31 +0000 (06:23 +0000)]
Add system_fw to disk group.
- To support OS upgrade with removable storage.
- Upgrade trigger script needs to ramdisk-recovery under /dev.
Change-Id: I60eb8465b7bf37d0b92984b70d65cec07c422e43
jin-gyu.kim [Wed, 26 Aug 2020 06:42:47 +0000 (06:42 +0000)]
Add ramdisk-flush service.
- Add cap_sys_admin to /usr/sbin/blockdev
Change-Id: Iab2897f172d8ab93114696a07861ff7496b2f828
jin-gyu.kim [Tue, 25 Aug 2020 06:40:13 +0000 (06:40 +0000)]
Modify netlabel to support privilege-smack mapping.
- 10.0.2.2, 10.0.2.16 and 192.168.129.3 for appdebugging privilege.
- All other IPs for internet privilege.
Change-Id: Ic4723bd35b63ff6aed1852b46bf65f4a7a038b19
jin-gyu.kim [Tue, 25 Aug 2020 05:12:04 +0000 (05:12 +0000)]
Add tizen-theme-manager.service to all profiles.
Change-Id: I52d2776b82207f760555e2bd3a4722dc45b7da7d
Jin-gyu Kim [Fri, 21 Aug 2020 05:19:04 +0000 (05:19 +0000)]
Merge "Change Smack label for crash-service to System::Privileged" into tizen
Sungwook Park [Thu, 20 Aug 2020 12:24:43 +0000 (21:24 +0900)]
Add capi-ui-gesture.service to wearable profile
Change-Id: I2d79fd2d36f20f50a8cd67113e0783462b090dc2
Signed-off-by: Sungwook Park <sungwook79.park@samsung.com>
Mateusz Moscicki [Thu, 20 Aug 2020 10:18:44 +0000 (12:18 +0200)]
Change Smack label for crash-service to System::Privileged
The System::Privileged label is needed because on newer kernels (>=
4.20) it's not possible to read/ptrace processes listed in onlycap set.
Crash-service needs the right to do ptrace to correctly generate
reports.
Change-Id: Iad849f0b11eb3eece8d537fd2856daf59ffe757c
jin-gyu.kim [Tue, 18 Aug 2020 00:26:43 +0000 (00:26 +0000)]
Add cap_net_raw to bluetooth-meshd
Change-Id: I7c69b3a6774b77daa0a728c9e41da7f7c6b8c354
jin-gyu.kim [Thu, 6 Aug 2020 07:08:39 +0000 (07:08 +0000)]
Refactor capability test.
- Do not refer capability exception list.
- Read set_capability script then generate allowed lists automatically.
Change-Id: I4dbb2f2c71dce91b0f2f2ba99c59c67dcac74105
jin-gyu.kim [Tue, 4 Aug 2020 05:01:31 +0000 (05:01 +0000)]
Add engine-loader.service
Change-Id: I4904f8ec285da5e6a77e838012a2b9695ec920d8
Jin-gyu Kim [Fri, 24 Jul 2020 04:06:48 +0000 (04:06 +0000)]
Merge "add peripheral-bus.service to all targets/emulators" into tizen
jin-gyu.kim [Fri, 24 Jul 2020 01:07:49 +0000 (01:07 +0000)]
Give cap_dac_override to /usr/bin/peripheral-bus
Change-Id: I463917631ed78c085086c2ca00278a82cb2d8000
Konrad Kuchciak [Fri, 3 Jul 2020 08:21:39 +0000 (10:21 +0200)]
add peripheral-bus.service to all targets/emulators
Change-Id: Iae2e109c8c7a481c6f40d9d2a5faf3d11ad78da0
jin-gyu.kim [Wed, 15 Jul 2020 09:01:36 +0000 (18:01 +0900)]
Add capabilities to pkg_recovery & unified-backend
- cap_chown, cap_dac_override and cap_fowner are added.
Change-Id: I196e985101b4b24ec59f12b4541dff4be0511645
Kidong Kim [Mon, 22 Jun 2020 04:49:17 +0000 (13:49 +0900)]
add system-update-cleanup.service and fix capability exception
Change-Id: I92ca69292c00c14212d8a54e872b91df62b8b9ef
Kidong Kim [Fri, 19 Jun 2020 02:25:33 +0000 (11:25 +0900)]
add systemd-boot-check-no-failures.service to all targets/emulators
Change-Id: I0740613a3d3822387855e0f29e6cbef2c8b8c125
Kidong Kim [Tue, 16 Jun 2020 02:09:17 +0000 (11:09 +0900)]
add setup-adaptor.service to iot profile (target only)
Change-Id: Iab754ddbbe072642f5c1726fc7a0d65424fce369
Kidong Kim [Thu, 11 Jun 2020 06:40:28 +0000 (15:40 +0900)]
exclude *.dll files from ASLR test
Change-Id: I37c78839d2a6d77afb48e347516eb7e19401fe0a
Kidong Kim [Tue, 9 Jun 2020 06:35:10 +0000 (15:35 +0900)]
add update-manager.service to iot profile
Change-Id: Ia996423d2fe0d856c24025bc61a0891c01f85341
jin-gyu.kim [Tue, 9 Jun 2020 06:35:59 +0000 (15:35 +0900)]
Add nan-manager.service to IoT profiles
Change-Id: I6535b3224ee76aa78bddae852e2976dd7c3b11cf
Kidong Kim [Tue, 9 Jun 2020 02:47:46 +0000 (11:47 +0900)]
add some files to capability exception list
Change-Id: I72f84db83b6e4bd6df408517ed2b61ec709f3635
Yunjin Lee [Tue, 9 Jun 2020 02:13:47 +0000 (11:13 +0900)]
Security-test: Ignore target that will not be included in the image
- qemu-aarch64
Change-Id: I13855bfafb784459e346e9f1f9bf2f0997cd6aed
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Kim Kidong [Mon, 8 Jun 2020 06:52:12 +0000 (06:52 +0000)]
Revert "revert unreviewed patch"
This reverts commit 0d0fddfeaf03675527c442f8307aa8773d5fb2da.
Change-Id: I9ecff7e9a08e05f0eb2314b522d748c9c291111d
Kidong Kim [Mon, 8 Jun 2020 06:42:34 +0000 (15:42 +0900)]
revert unreviewed patch
Change-Id: I17e1003c49e0fa1fef21a488ff80497f4e3d30f3
Kidong Kim [Mon, 8 Jun 2020 06:23:10 +0000 (15:23 +0900)]
add bluetooth-meshd configuration
Jin-gyu Kim [Thu, 7 May 2020 04:45:41 +0000 (04:45 +0000)]
Merge "Use tizen-build.conf to distinguish a profile" into tizen
jin-gyu.kim [Wed, 29 Apr 2020 04:50:34 +0000 (13:50 +0900)]
Use tizen-build.conf to distinguish a profile
- Check profile info before moving failed lists of systemd units.
Change-Id: Iebc30d76a1ee5d007ef810c3c92c9de62213188c
jin-gyu.kim [Wed, 29 Apr 2020 02:08:13 +0000 (11:08 +0900)]
Add IoT headed / IoT headless profiles.
- IoT headed : Enable askuser, Install IoT service lists
- IoT headless : Disable askuser, Install IoT service lists
TODO : Check IoT specific service lists later.
Change-Id: I759cea1b85a18b7b750a08d5927ce17dcc7d7c81
jin-gyu.kim [Thu, 23 Apr 2020 06:47:29 +0000 (15:47 +0900)]
Add priv_appdebugging group ID.
Change-Id: I972eaec1e8cda66fd9ef9d080bd2102b80fee381
Hyungju Lee [Fri, 10 Apr 2020 07:39:46 +0000 (16:39 +0900)]
Fix capability to dotnet executables
- dotnet-loader, dotnet-hydra-loader, dotnet
Change-Id: I821251574d70e4c34bb969b39ffd927d85c0bf53
jin-gyu.kim [Fri, 10 Apr 2020 05:50:47 +0000 (14:50 +0900)]
Add nan-manager.service
- network_fw / network_fw / System
- cap_net_admin & cap_net_raw are added.
Change-Id: Ib0d6f74ae772053642493bd6563f54f23887a919
Woongsuk Cho [Thu, 9 Apr 2020 23:54:43 +0000 (08:54 +0900)]
Add capability to dotnet executables
- dotnet-loader, dotnet-hydra-loader, dotnet
Change-Id: Ibfbf2c2d051ad16e3cc4755f788f00ccac3b9c84
Sungwook Park [Fri, 3 Apr 2020 04:37:06 +0000 (13:37 +0900)]
Add smartreply.service to Mobile and Common
Change-Id: Ic509286eaccf91eaf9e28ad6671d60f47ab31e9f
Signed-off-by: Sungwook Park <sungwook79.park@samsung.com>
jin-gyu.kim [Fri, 3 Apr 2020 03:20:01 +0000 (12:20 +0900)]
Add user-runtime-dir@.service
- root / root / System::Privileged
- It was a part of systemd-logind.service, now separated.
Change-Id: I7c079af0488b270478107e7b542a4d69d9f9d426
jin-gyu.kim [Tue, 31 Mar 2020 01:07:34 +0000 (10:07 +0900)]
Add modes.service
- system_fw / system_fw / System permissions
Change-Id: Ia44c6ec69eeb54a20ecd90de65050d2e0d9cbf34
jin-gyu.kim [Thu, 12 Mar 2020 07:03:31 +0000 (16:03 +0900)]
Add dumpysys-service.service
- log / log / System permissions
Change-Id: I9c18722a14b9b9c716e1990e08b3929568845a80
jin-gyu.kim [Mon, 2 Mar 2020 08:43:59 +0000 (17:43 +0900)]
Add scmirroring.server.service
- multimedia_fw / multimedia_fw / System permissions.
Change-Id: I971779804aa3e37f614f542ba57c60b926f49369
hyunho [Tue, 25 Feb 2020 04:05:57 +0000 (13:05 +0900)]
Add capability for the app-defined-loader
Change-Id: I3586503e0c83cc35ae6321cf1b4bdd63b0e09297
Signed-off-by: hyunho <hhstark.kang@samsung.com>
jin-gyu.kim [Wed, 19 Feb 2020 05:52:32 +0000 (14:52 +0900)]
Add mtp-responder-dummy.service
- network_fw / network_fw / System permission
- systemd socket unit : mtp-responder-dummy.socket
Change-Id: I858147652b2cdaaad28ce664e3e8b343c44cea36
jin-gyu.kim [Wed, 19 Feb 2020 01:58:40 +0000 (10:58 +0900)]
Enable move_systemd_unit for dbus & systemd socket also.
- Failed dbus & systemd socket units will be moved to not permitted path.
- Add tts related dbus services to the exception list.
Change-Id: Ida83ef56aa1906da9661d2b1e06ab838a627eb97
jin-gyu.kim [Tue, 18 Feb 2020 04:10:21 +0000 (13:10 +0900)]
Fix not deleting systemd list files in the post script.
- When image is being created, systemd list files are not overridden with
those in each profile RPM.
- The detail reason is not found, because no problem if RPMs are installed
manually in run-time.
- By the way, if not deleting files in the post script, this issue can be addressed.
Change-Id: If451950c13daf67ef1b1fe7f42794a94502ca1e1
jin-gyu.kim [Fri, 7 Feb 2020 04:53:10 +0000 (13:53 +0900)]
Run systemd unit tests for common profile also.
- For common profile, use the same list in mobile profile.
- It will not disable systemd unit, just for checking the status.
- Failed lists will be disabled later.
Change-Id: Ia0c9a1a07092e3dbc23c1a88fa8ba82008389d64
jin-gyu.kim [Thu, 6 Feb 2020 05:56:21 +0000 (14:56 +0900)]
Run aslr test in all profiles.
- Previously, aslr test was executed only for mobile / wearable.
- Now, make it run for all profiles, but execute permission is retrieved
only in case of mobile / wearable profiles.
Change-Id: I291866495ae5db0fdaf77af47fc87fb770e4669d
jin-gyu.kim [Fri, 31 Jan 2020 06:59:44 +0000 (15:59 +0900)]
Use readelf instead of execstack for DEP test
- execstack can give an execute permission, so it may need to be removed.
Change-Id: Idcc53b495b7797dbbf26004c98847c1676764d30
jin-gyu.kim [Fri, 17 Jan 2020 08:22:03 +0000 (17:22 +0900)]
Add wait-mount@opt-usr.service
- system_fw / system_fw / System permissions
- Added for emulator profiles
Change-Id: I9b93f11dfa76dda49897fbc2f2655f8bae456604
jin-gyu.kim [Mon, 16 Dec 2019 04:51:30 +0000 (13:51 +0900)]
Fix typo in systemd service list.
Change-Id: I7a3ea651198b06072ecb46480159b6cf8af1ba06
Kim Kidong [Thu, 12 Dec 2019 08:04:18 +0000 (08:04 +0000)]
Merge "systemd service test" into tizen
jin-gyu.kim [Mon, 11 Nov 2019 10:27:05 +0000 (19:27 +0900)]
systemd service test
- Check systemd service / systemd socket / dbus service
- Disable moving not permitted systemd socket & dbus service for now.
- "Exec*=" should not have prefixes one of "!", "!!" and "+".
Change-Id: Icaf728cf7b2f9b1915e8792e297e8106054beac3
jin-gyu.kim [Tue, 10 Dec 2019 07:44:31 +0000 (16:44 +0900)]
Change UID / GID for stablity_monitor & crash_worker
- Generally, UID / GID for system daemons need to set below 2000.
- For System Domain, range should be set as 200-249.
Change-Id: I1b54302e08d542460c0bc277e5793b21d80a8c5d
jin-gyu.kim [Tue, 26 Nov 2019 05:53:01 +0000 (14:53 +0900)]
Add clat.service
- network_fw / network_fw / System permissions
- cap_net_admin To create and configure interface, modify routing tables
- cap_net_raw To open raw socket
- cap_ipc_lock clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks capable(CAP_IPC_LOCK)
- cap_setuid To forge UID when passing socket credentials via UNIX domain sockets
- cap_setgid To forge GID when passing socket credentials via UNIX domain sockets
Change-Id: Ie36a2d060215d27374fa0fd6e9a78a442fb9453b