Kidong Kim [Tue, 9 Jun 2020 02:47:46 +0000 (11:47 +0900)]
add some files to capability exception list
Change-Id: I72f84db83b6e4bd6df408517ed2b61ec709f3635
Yunjin Lee [Tue, 9 Jun 2020 02:13:47 +0000 (11:13 +0900)]
Security-test: Ignore target that will not be included in the image
- qemu-aarch64
Change-Id: I13855bfafb784459e346e9f1f9bf2f0997cd6aed
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Kim Kidong [Mon, 8 Jun 2020 06:52:12 +0000 (06:52 +0000)]
Revert "revert unreviewed patch"
This reverts commit 0d0fddfeaf03675527c442f8307aa8773d5fb2da.
Change-Id: I9ecff7e9a08e05f0eb2314b522d748c9c291111d
Kidong Kim [Mon, 8 Jun 2020 06:42:34 +0000 (15:42 +0900)]
revert unreviewed patch
Change-Id: I17e1003c49e0fa1fef21a488ff80497f4e3d30f3
Kidong Kim [Mon, 8 Jun 2020 06:23:10 +0000 (15:23 +0900)]
add bluetooth-meshd configuration
Jin-gyu Kim [Thu, 7 May 2020 04:45:41 +0000 (04:45 +0000)]
Merge "Use tizen-build.conf to distinguish a profile" into tizen
jin-gyu.kim [Wed, 29 Apr 2020 04:50:34 +0000 (13:50 +0900)]
Use tizen-build.conf to distinguish a profile
- Check profile info before moving failed lists of systemd units.
Change-Id: Iebc30d76a1ee5d007ef810c3c92c9de62213188c
jin-gyu.kim [Wed, 29 Apr 2020 02:08:13 +0000 (11:08 +0900)]
Add IoT headed / IoT headless profiles.
- IoT headed : Enable askuser, Install IoT service lists
- IoT headless : Disable askuser, Install IoT service lists
TODO : Check IoT specific service lists later.
Change-Id: I759cea1b85a18b7b750a08d5927ce17dcc7d7c81
jin-gyu.kim [Thu, 23 Apr 2020 06:47:29 +0000 (15:47 +0900)]
Add priv_appdebugging group ID.
Change-Id: I972eaec1e8cda66fd9ef9d080bd2102b80fee381
Hyungju Lee [Fri, 10 Apr 2020 07:39:46 +0000 (16:39 +0900)]
Fix capability to dotnet executables
- dotnet-loader, dotnet-hydra-loader, dotnet
Change-Id: I821251574d70e4c34bb969b39ffd927d85c0bf53
jin-gyu.kim [Fri, 10 Apr 2020 05:50:47 +0000 (14:50 +0900)]
Add nan-manager.service
- network_fw / network_fw / System
- cap_net_admin & cap_net_raw are added.
Change-Id: Ib0d6f74ae772053642493bd6563f54f23887a919
Woongsuk Cho [Thu, 9 Apr 2020 23:54:43 +0000 (08:54 +0900)]
Add capability to dotnet executables
- dotnet-loader, dotnet-hydra-loader, dotnet
Change-Id: Ibfbf2c2d051ad16e3cc4755f788f00ccac3b9c84
Sungwook Park [Fri, 3 Apr 2020 04:37:06 +0000 (13:37 +0900)]
Add smartreply.service to Mobile and Common
Change-Id: Ic509286eaccf91eaf9e28ad6671d60f47ab31e9f
Signed-off-by: Sungwook Park <sungwook79.park@samsung.com>
jin-gyu.kim [Fri, 3 Apr 2020 03:20:01 +0000 (12:20 +0900)]
Add user-runtime-dir@.service
- root / root / System::Privileged
- It was a part of systemd-logind.service, now separated.
Change-Id: I7c079af0488b270478107e7b542a4d69d9f9d426
jin-gyu.kim [Tue, 31 Mar 2020 01:07:34 +0000 (10:07 +0900)]
Add modes.service
- system_fw / system_fw / System permissions
Change-Id: Ia44c6ec69eeb54a20ecd90de65050d2e0d9cbf34
jin-gyu.kim [Thu, 12 Mar 2020 07:03:31 +0000 (16:03 +0900)]
Add dumpysys-service.service
- log / log / System permissions
Change-Id: I9c18722a14b9b9c716e1990e08b3929568845a80
jin-gyu.kim [Mon, 2 Mar 2020 08:43:59 +0000 (17:43 +0900)]
Add scmirroring.server.service
- multimedia_fw / multimedia_fw / System permissions.
Change-Id: I971779804aa3e37f614f542ba57c60b926f49369
hyunho [Tue, 25 Feb 2020 04:05:57 +0000 (13:05 +0900)]
Add capability for the app-defined-loader
Change-Id: I3586503e0c83cc35ae6321cf1b4bdd63b0e09297
Signed-off-by: hyunho <hhstark.kang@samsung.com>
jin-gyu.kim [Wed, 19 Feb 2020 05:52:32 +0000 (14:52 +0900)]
Add mtp-responder-dummy.service
- network_fw / network_fw / System permission
- systemd socket unit : mtp-responder-dummy.socket
Change-Id: I858147652b2cdaaad28ce664e3e8b343c44cea36
jin-gyu.kim [Wed, 19 Feb 2020 01:58:40 +0000 (10:58 +0900)]
Enable move_systemd_unit for dbus & systemd socket also.
- Failed dbus & systemd socket units will be moved to not permitted path.
- Add tts related dbus services to the exception list.
Change-Id: Ida83ef56aa1906da9661d2b1e06ab838a627eb97
jin-gyu.kim [Tue, 18 Feb 2020 04:10:21 +0000 (13:10 +0900)]
Fix not deleting systemd list files in the post script.
- When image is being created, systemd list files are not overridden with
those in each profile RPM.
- The detailed reason is not found, because no problem if RPMs are installed
manually in run-time.
- By the way, if not deleting files in the post script, this issue can be addressed.
Change-Id: If451950c13daf67ef1b1fe7f42794a94502ca1e1
jin-gyu.kim [Fri, 7 Feb 2020 04:53:10 +0000 (13:53 +0900)]
Run systemd unit tests for common profile also.
- For common profile, use the same list in mobile profile.
- It will not disable systemd unit, just for checking the status.
- Failed lists will be disabled later.
Change-Id: Ia0c9a1a07092e3dbc23c1a88fa8ba82008389d64
jin-gyu.kim [Thu, 6 Feb 2020 05:56:21 +0000 (14:56 +0900)]
Run aslr test in all profiles.
- Previously, aslr test was executed only for mobile / wearable.
- Now, make it run for all profiles, but execute permission is retrieved
only in case of mobile / wearable profiles.
Change-Id: I291866495ae5db0fdaf77af47fc87fb770e4669d
jin-gyu.kim [Fri, 31 Jan 2020 06:59:44 +0000 (15:59 +0900)]
Use readelf instead of execstack for DEP test
- execstack can give an execute permission, so it may need to be removed.
Change-Id: Idcc53b495b7797dbbf26004c98847c1676764d30
jin-gyu.kim [Fri, 17 Jan 2020 08:22:03 +0000 (17:22 +0900)]
Add wait-mount@opt-usr.service
- system_fw / system_fw / System permissions
- Added for emulator profiles
Change-Id: I9b93f11dfa76dda49897fbc2f2655f8bae456604
jin-gyu.kim [Mon, 16 Dec 2019 04:51:30 +0000 (13:51 +0900)]
Fix typo in systemd service list.
Change-Id: I7a3ea651198b06072ecb46480159b6cf8af1ba06
Kim Kidong [Thu, 12 Dec 2019 08:04:18 +0000 (08:04 +0000)]
Merge "systemd service test" into tizen
jin-gyu.kim [Mon, 11 Nov 2019 10:27:05 +0000 (19:27 +0900)]
systemd service test
- Check systemd service / systemd socket / dbus service
- Disable moving not permitted systemd socket & dbus service for now.
- "Exec*=" should not have prefixes one of "!", "!!" and "+".
Change-Id: Icaf728cf7b2f9b1915e8792e297e8106054beac3
jin-gyu.kim [Tue, 10 Dec 2019 07:44:31 +0000 (16:44 +0900)]
Change UID / GID for stablity_monitor & crash_worker
- Generally, UID / GID for system daemons need to set below 2000.
- For System Domain, range should be set as 200-249.
Change-Id: I1b54302e08d542460c0bc277e5793b21d80a8c5d
jin-gyu.kim [Tue, 26 Nov 2019 05:53:01 +0000 (14:53 +0900)]
Add clat.service
- network_fw / network_fw / System permissions
- cap_net_admin To create and configure interface, modify routing tables
- cap_net_raw To open raw socket
- cap_ipc_lock clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks capable(CAP_IPC_LOCK)
- cap_setuid To forge UID when passing socket credentials via UNIX domain sockets
- cap_setgid To forge GID when passing socket credentials via UNIX domain sockets
Change-Id: Ie36a2d060215d27374fa0fd6e9a78a442fb9453b
jin-gyu.kim [Thu, 21 Nov 2019 07:07:23 +0000 (16:07 +0900)]
Add dlog_cleanup.service
log / log / System permissions.
Change-Id: I2ed9268e5019d34e8ac9a111ced2a330091687c5
Konrad Kuchciak [Thu, 7 Nov 2019 14:28:54 +0000 (15:28 +0100)]
Add user and group for stability-monitor
Change-Id: Iefc6b75d22741e76a039b78d6d862122d7443bd1
Konrad Kuchciak [Thu, 19 Sep 2019 09:51:46 +0000 (11:51 +0200)]
Add stability-monitor.service
Change-Id: I409bc3116175317f2bca3c2d38dabb89c2ac2dd1
Jin-gyu Kim [Thu, 21 Nov 2019 05:10:43 +0000 (05:10 +0000)]
Merge "Change crash-service as non root." into tizen
jin-gyu.kim [Tue, 19 Nov 2019 07:06:09 +0000 (16:06 +0900)]
Change crash-service as non root.
- crash_worker / crash_worker / System permissions needed.
- This will require following capabilities.
setcap cap_dac_override,cap_kill,cap_sys_ptrace=ei /bin/crash-manager
cap_dac_override - create directory
cap_kill - send signals to processes
cap_sys_ptrace - read /proc/<pid>/ files
setcap cap_dac_override,cap_kill,cap_sys_ptrace=ei /bin/crash-service
cap_dac_override - create directory
cap_kill - send signals to processes
cap_sys_ptrace - read /proc/<pid>/ files
setcap cap_dac_read_search,cap_sys_ptrace=ei /sbin/minicoredumper
cap_dac_read_search - access to read any binary file
cap_sys_ptrace - read /proc/<pid>/ files
setcap cap_syslog=ei /bin/dlogutil
cap_syslog is needed because android logger returns incorrect values without this capability (this is a bug in the kernel driver).
setcap cap_dac_override=ei /bin/buxton2ctl
buxton2ctl needs access to write to /run/buxton2/ directory
setcap cap_dac_override,cap_kill,cap_sys_ptrace+ei /bin/livedumper
cap_dac_override - create livedump/ directory to
cap_sys_ptrace - read /proc/<pid>/ files
setcap cap_dac_read_search,cap_sys_ptrace=ei /usr/libexec/crash-stack
reads /proc/<pid>/{maps, task, status}, and all binary files
setcap cap_dac_read_search,cap_sys_ptrace=ei /bin/memps
reads files from /proc/ and /sys/
setcap cap_sys_ptrace=ei /bin/top
read /proc/<pid>/files
setcap cap_dac_read_search=ei /bin/df
counting of disk space usage (eg /opt/usr/home/owner/media)
setcap cap_dac_read_search=ei /bin/du
Change-Id: I0073cf19f717855941b317fa1ec6b6af5793d869
jin-gyu.kim [Wed, 20 Nov 2019 06:23:16 +0000 (15:23 +0900)]
Give capabilities to stability-monitor
cap_sys_ptrace To attach in process and readlink for working
cap_sys_module To load/unload kernel module
cap_kill To kill processes
Change-Id: Iac3d91ed4ee647609b029c5ecae4171e8282770f
jin-gyu.kim [Fri, 15 Nov 2019 06:26:42 +0000 (15:26 +0900)]
Add dummyasm.service
- service_fw / service_fw / System permission
Change-Id: Ief511d2a5ccc1696cd62a621883922c4853d4694
Sungwook Park [Wed, 13 Nov 2019 06:19:58 +0000 (15:19 +0900)]
Add smartreply.service to wearable target
Change-Id: I3ce472946d1a816379bf5eba3a54487cb474f61c
Signed-off-by: Sungwook Park <sungwook79.park@samsung.com>
jin-gyu.kim [Wed, 13 Nov 2019 02:37:32 +0000 (11:37 +0900)]
Add smartcard-service.service
- network_fw / network_fw / System permissions
Change-Id: I37d44736e416d2971d704ee088c84ff8b4cf7a95
jin-gyu.kim [Mon, 11 Nov 2019 03:34:06 +0000 (12:34 +0900)]
Fix typo.
- Add missing "fi" in "if-then-fi".
Change-Id: I21ca8c61b7c841279b49078a97770e8b0d382bd5
Woongsuk Cho [Wed, 6 Nov 2019 06:36:08 +0000 (15:36 +0900)]
Add capability to dotnet-hydra-launcher
Change-Id: I0ecab62e91bc1259517e791c2bf725386cbf6e3c
Dongsun Lee [Thu, 31 Oct 2019 04:23:50 +0000 (13:23 +0900)]
Move key-manager script into key-manager package
Change-Id: Ie426090e04b87af3c5cfaf9f58ca0ae37bafecbd
Signed-off-by: Dongsun Lee <ds73.lee@samsung.com>
jin-gyu.kim [Tue, 22 Oct 2019 05:57:13 +0000 (14:57 +0900)]
Add batterymonitor.service to wearable emulator
Change-Id: I627203644b7b2340eeb6ad334608ebee0c6ad7aa
jin-gyu.kim [Mon, 21 Oct 2019 04:14:43 +0000 (13:14 +0900)]
Add crash-service.service.
- root / root / System permissions
- It is too complicated to change as non-root service, due to too many tools are
related with this service.
- Need to consider again to retrieve root permissions later.
Change-Id: I03ace80d04b11e00ad9824aa26a9324afe7cff8e
Kim Kidong [Thu, 10 Oct 2019 06:52:51 +0000 (06:52 +0000)]
Merge "Support additional privilege-mount lists." into tizen
Dongsun Lee [Tue, 8 Oct 2019 04:27:18 +0000 (13:27 +0900)]
Run central-key-manager service in the upgrade script.
Change-Id: Ie6364b62132c321a7db7c9bf9abe834733c2b6c1
Signed-off-by: Dongsun Lee <ds73.lee@samsung.com>
jin-gyu.kim [Tue, 1 Oct 2019 05:34:42 +0000 (14:34 +0900)]
Support additional privilege-mount lists.
- Put additional lists in each profile to add privilege-mount list.
- These lists will be used in case lists cannot be added automatically
while creating an image. (ex : dev node)
- Currently only mobile profile has this list. If needed, other profiles
can have it in a similar way.
Change-Id: Ia154121ea9a1343e6de67f0c18d1e1ca68fcb84e
jin-gyu.kim [Mon, 7 Oct 2019 04:43:01 +0000 (13:43 +0900)]
Add asp-manager.service
- network_fw / network_fw / System permissions.
Change-Id: I568826caee71c80c4c1ba7dc93ede56482dffa2e
Kim Kidong [Mon, 30 Sep 2019 09:56:46 +0000 (09:56 +0000)]
Merge "Add edge-orchestration services to wearable & tv profiles." into tizen
jin-gyu.kim [Mon, 30 Sep 2019 09:30:09 +0000 (18:30 +0900)]
Add edge-orchestration services to wearable & tv profiles.
Change-Id: Ieed4839904f8e0418275576a147c85c2ad0a0d9f
jin-gyu.kim [Mon, 30 Sep 2019 08:29:09 +0000 (17:29 +0900)]
Add rndis.service.
- network_fw / network_fw / System permissions.
Change-Id: I2a3a2799de56562d678dc70535ec1284aaf1d9d4
jin-gyu.kim [Tue, 24 Sep 2019 05:28:09 +0000 (14:28 +0900)]
Fix typo error.
Change-Id: I19f8ad9d879c943367a8323d09bfd00321e749d5
jin-gyu.kim [Tue, 24 Sep 2019 01:25:30 +0000 (10:25 +0900)]
Add batterymonitor.service
- service_fw / service_fw / System permissions.
- Add to wearable target.
Change-Id: Ifac9b4d9fa681b9f871e7ef08c9b5595a696e0d7
jin-gyu.kim [Mon, 23 Sep 2019 05:32:10 +0000 (14:32 +0900)]
Add bluetooth related services
- bluetooth-ag-agents / bluetooth-hf-agent / bluetooth-hid-agent / obex
- All services have network_fw / network_fw / System permissions.
Change-Id: Ief0edae83ccbbd073d0f752a3967dc0ee8cbacaa
jin-gyu.kim [Thu, 19 Sep 2019 02:06:22 +0000 (11:06 +0900)]
Add wifi-ready.service
- network_fw / network_fw / System
- Installed by wearable plugin.
Change-Id: I7bf82141ddf06050e3788be69188ee494bb2a803
jin-gyu.kim [Mon, 9 Sep 2019 09:42:25 +0000 (18:42 +0900)]
Add nvitemd and modemd services
- Installed with plugin-prebuilt on mobile target.
Change-Id: I22b0e79c31c399f6dd2235160d3f3cce19e626b4
jin-gyu.kim [Fri, 30 Aug 2019 01:30:51 +0000 (10:30 +0900)]
Allow root:root to radio-bt-on-stop.service
- To use systemctl, root permission is required.
Change-Id: Ib6c34c154228c74d6dd4d15124c628210705fe82
jin-gyu.kim [Tue, 27 Aug 2019 05:09:44 +0000 (14:09 +0900)]
Add ipsec to the exception list of path check.
Change-Id: Iccee2364312ceb760b3deb6245bfd8f4e5e57a8d
jin-gyu.kim [Mon, 26 Aug 2019 09:14:32 +0000 (18:14 +0900)]
Modify path_check script.
- Read PATH variable in the target script, and compare with predefined
RO directories.
- No need to define all predefined dirs, only partials are also allowed.
Change-Id: I0905676c2c3d04c75b5333eceadf6fd439fc25ea
jin-gyu.kim [Thu, 22 Aug 2019 08:47:24 +0000 (17:47 +0900)]
Add trm.service to the list.
- system_fw / system_fw / System
- Installed by plugin-prebuilt.
Change-Id: I60656ef17fc372fe1e1b0931f066537a3d130a01
jin-gyu.kim [Mon, 19 Aug 2019 10:26:29 +0000 (19:26 +0900)]
Add capi-ui-sticker.service
Change-Id: I4c4740fa2ce5c314e302899d9852bf51c32b181c
jin-gyu.kim [Mon, 19 Aug 2019 06:38:45 +0000 (15:38 +0900)]
Add wifi_ready service.
Change-Id: Ibbb658c524651c999af17c2bfad7f30c557efa8d
Yunjin Lee [Mon, 19 Aug 2019 04:57:39 +0000 (13:57 +0900)]
Update shellscript exception list
- Add: /usr/share/keyutils/request-key-debug.sh
Change-Id: Ie43235b1af1934b56fb4a8dcb742ee548e3b1408
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Kim Kidong [Wed, 14 Aug 2019 06:53:21 +0000 (06:53 +0000)]
Merge "Set ptrace in smackfs as '1'" into tizen
jin-gyu.kim [Wed, 14 Aug 2019 06:14:09 +0000 (15:14 +0900)]
Add bluetooth related FM radio services
- network_fw / network_fw / System are used.
- cap_net_admin is inherited in this service.
Change-Id: I9122a78a94781c2f79638864e1ed4ab1e0f4bf47
jin-gyu.kim [Thu, 8 Aug 2019 05:20:23 +0000 (14:20 +0900)]
Implement Smack label check script used on desktop.
- Smack label check script requires more than 10 mins in the target.
- To reduce the time, a new script can be run on desktop. It requires
approximately 10 times less compared to running in the target.
Change-Id: I475c0190f4119328377172c50a6657de46d8e72f
Kim Kidong [Tue, 30 Jul 2019 05:14:13 +0000 (05:14 +0000)]
Merge "Add cap_net_raw to bluetoothd" into tizen
jin-gyu.kim [Tue, 30 Jul 2019 05:10:44 +0000 (14:10 +0900)]
Add cap_net_raw to bluetoothd
- bluetoothd uses HCI socket, and it requires cap_net_raw for non-root.
Change-Id: Ie0ef916fc502e8beaa41f5beb17ceee8889e0d7a
jin-gyu.kim [Tue, 30 Jul 2019 04:48:54 +0000 (13:48 +0900)]
Fix the bug in SMACK rule test
- Restore previous SMACK rules when test is failed.
Change-Id: I879dc8c6b5d4460548d398846264656f68d2cf34
Kim Kidong [Fri, 26 Jul 2019 07:02:42 +0000 (07:02 +0000)]
Merge "Re-write SMACK label / rule tests." into tizen
jin-gyu.kim [Fri, 26 Jul 2019 06:48:10 +0000 (15:48 +0900)]
Add systemd delayed target related services
- delayed.service->system-delayed-target-trigger.service
- system-default-target-done.service & system-delayed-target-done.service
: system_fw / system_fw / System and cap_dac_override to touch a flag file.
Change-Id: If7852052828a3f250deaec20b2cb843b4e012698
jin-gyu.kim [Thu, 25 Jul 2019 07:44:49 +0000 (16:44 +0900)]
Set ptrace in smackfs as '1'
- PTRACE_ATTACH is only possible when labels of subject and object
are equal.
Change-Id: I36142a519860a486be67028a7d2b2fbef6941997
jin-gyu.kim [Tue, 23 Jul 2019 05:08:17 +0000 (14:08 +0900)]
Re-write SMACK label / rule tests.
- SMACK label test : Find SMACK label in files which does not exist
in current rule lists.
- SMACK rule test : Compare current rules with default rules plus generated
by security-manager-rules-loader.
NOTE : It takes long to finish SMACK label test. (TM1 : roughly 11mins)
Change-Id: Ia818d412fa21ee7446aab70df5630e95c7ee12bc
jin-gyu.kim [Wed, 24 Jul 2019 07:31:37 +0000 (16:31 +0900)]
Check again lists of log files in aslr & service test.
- aslr & service tests are always succeeded from the 2nd trial.
- Re-validate lists of log files for aslr & service test.
Change-Id: I9cc812889992900e95dab569bd3e455121beb880
jin-gyu.kim [Thu, 18 Jul 2019 02:53:57 +0000 (11:53 +0900)]
Fix typo in service checking script.
- Fix typo in comparing 'SystemdService=' string.
Change-Id: Iee2440460f501325a2ea60c335b7b7a1f8a52453
jin-gyu.kim [Wed, 17 Jul 2019 04:56:29 +0000 (13:56 +0900)]
Re-write service check test.
- Do not check Group & SMACK label for D-Bus service.
- Split functions for Systemd and D-Bus service check.
Change-Id: I0975eb8a14301d0a0811fec388867540deb2f4b4
jin-gyu.kim [Tue, 16 Jul 2019 02:34:24 +0000 (11:34 +0900)]
Skip checking dbus service which has 'SystemdService' option.
- Enable checking dbus service again.
- If it has 'SystemdService' option, will be launched by systemd service.
- No need to check 'User' and 'Group' option in this case.
Change-Id: I6be8eaae4f17ef69a5dfaaf810fd6054d8a945a1
jin-gyu.kim [Fri, 12 Jul 2019 07:21:06 +0000 (16:21 +0900)]
Disable checking dbus service lists.
- There will be many changes on dbus service file to remove
unnecessary uid / gid configurations.
- Temporarily disable checking dbus service lists.
Change-Id: Ic40bb3a0ee89e59fd3b1eb97baa8cf93728e31d5
Jin-gyu Kim [Thu, 11 Jul 2019 07:34:10 +0000 (07:34 +0000)]
Merge "Remove unnecessary setting" into tizen
Kichan Kwon [Tue, 2 Jul 2019 06:28:40 +0000 (15:28 +0900)]
Set the SMACK label of dummy_file
Change-Id: Iafcbc574541fb3e247dd5c654b32a2b14bb5a91f
Signed-off-by: Kichan Kwon <k_c.kwon@samsung.com>
INSUN PYO [Mon, 1 Jul 2019 08:00:18 +0000 (17:00 +0900)]
Remove unnecessary setting
Change-Id: Ide8ed939ae7f6102104f53c3ec1cf81a32714a1b
jin-gyu.kim [Mon, 1 Jul 2019 07:10:04 +0000 (16:10 +0900)]
Run security-manager-rules-loader in the upgrade script.
- Without it, security-manager launching is failed.
Change-Id: I5848e9ac6282954fddbe9aa02460c47e31a34120
jin-gyu.kim [Mon, 1 Jul 2019 01:41:46 +0000 (10:41 +0900)]
Create dummy file in the upgrade script.
- dummy file needs to be created in RW partition to support a run-time
permission control.
Change-Id: Ie717bea9000951e546bef414b23ab45e037ff692
Kim Kidong [Mon, 24 Jun 2019 09:33:02 +0000 (09:33 +0000)]
Merge "Add delayed.service" into tizen
jin-gyu.kim [Mon, 24 Jun 2019 07:57:46 +0000 (16:57 +0900)]
Add delayed.service
- It works with root permission to use systemctl.
Change-Id: I51c89979b8f15ee84f65c9a075f96f65514add47
jin-gyu.kim [Mon, 24 Jun 2019 07:32:18 +0000 (16:32 +0900)]
Retrieving capabilities from systemd-user-helper
- This is not used anymore.
Change-Id: I0053dbc74dd99f4fe63105d4440cfa365349966b
jin-gyu.kim [Thu, 20 Jun 2019 04:36:16 +0000 (13:36 +0900)]
Set SMACK label to .multiassistant directory
- Setting SMACK label is required when image is being created.
- Target dir is /etc/skel/share/.multiassistant &
/opt/usr/home/[username]/share/.multiassistant
Change-Id: I889b0d4ede17337b984cd809b2ba75ddf7994d9b
jin-gyu.kim [Thu, 13 Jun 2019 08:15:17 +0000 (17:15 +0900)]
Add ua-manager.service & net.uamd.service
- Set cap_net_raw and cap_sys_rawio
- network_fw:network_fw and System label is used.
Change-Id: I1fbc45864f344f226f10a089e991dd85d2f2d7d6
jin-gyu.kim [Wed, 12 Jun 2019 04:23:12 +0000 (13:23 +0900)]
Add actd.service
- It has a root permission to control systemd units.
Change-Id: Iccadde8b733f6f9d8f4c3acf086090f11d5ef991
Kim Kidong [Tue, 30 Apr 2019 01:31:10 +0000 (01:31 +0000)]
Merge "Add capmgr.service to the list." into tizen
Kim Kidong [Tue, 30 Apr 2019 01:30:43 +0000 (01:30 +0000)]
Merge "Add mdgd.service to the list." into tizen
jin-gyu.kim [Tue, 30 Apr 2019 01:28:13 +0000 (10:28 +0900)]
Add capmgr.service to the list.
Change-Id: Ic52c2d6a9394ef52a82dce34d665715a30945510
jin-gyu.kim [Mon, 29 Apr 2019 10:02:57 +0000 (19:02 +0900)]
Add mdgd.service to the list.
Change-Id: I1dc506eb1ae5caf600860a8cdda1614c566aa506
jin-gyu.kim [Mon, 29 Apr 2019 04:56:03 +0000 (13:56 +0900)]
Updating UID column of policy DB in upgrade script.
- Global UID could be different while upgrading the image.
- Get global UID by referring tizen-platform.conf.
Change-Id: Ic42c503bb82987dcbc2eb69e5585e68f7a1286fd
jin-gyu.kim [Wed, 17 Apr 2019 10:58:42 +0000 (19:58 +0900)]
Implement execute_label_check test.
Change-Id: Ib8d4dc939e7ef4d2acf33b711a1eb83dcbbacf7b
jin-gyu.kim [Wed, 17 Apr 2019 08:30:58 +0000 (17:30 +0900)]
Add edge-orchestration.service to list.
Change-Id: I827da31085a4032d1dfc54b2d4f5b7d7b3ece479
jin-gyu.kim [Wed, 10 Apr 2019 01:55:16 +0000 (10:55 +0900)]
Set SMACK label of netlabel as 'System'
- Previously, it was set as System::Privileged by systemd.
- Basically, network is controlled by Nether with the privilege.
- Therefore, it does not have to be set as System::Privileged.
- Overwrite it as 'System', but in the future, a smarter
change will be needed.
Change-Id: I5b2e00c1e729b0f404d0ce8e428824bfe260823f
INSUN PYO [Wed, 3 Apr 2019 09:27:40 +0000 (18:27 +0900)]
Remove inactive chsmack code
Root partition is Read-only.
So, you cannot change smack label of /usr/bin/wrt-loader and /usr/bin/launchpad-loader at run time.
Change-Id: Ide7ceeeffafead983180f5e6619d5431a9915ec6
Yunjin Lee [Fri, 22 Mar 2019 08:17:29 +0000 (17:17 +0900)]
Restore setuid bit test
Change-Id: Ib1f49c5fb0672c639b6991b094dd6c07af94ca4e
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
jin-gyu.kim [Fri, 22 Feb 2019 06:48:40 +0000 (15:48 +0900)]
Change dummy file used in privacy-mount.
- Previously, /dev/null is used for dummy file mount.
- No error was returned, in case un-privileged app process tried
to access there.
- To create an error, the dummy file which only root processes
can access is used for privacy-mount.
Change-Id: If7a31f66420d1311e278e52911a67e4aa94f7696