platform/core/security/security-config.git
45 hours ago Reduce sessiond-generate-cache privileges 17/325617/1 accepted/tizen_unified accepted/tizen_unified_x tizen accepted/tizen/unified/20250613.040701 accepted/tizen/unified/x/20250613.044725
Karol Lewandowski [Thu, 12 Jun 2025 10:13:36 +0000 (12:13 +0200)]
Reduce sessiond-generate-cache privileges

system_fw:system_fw should be enough to perform needed dbus call.

Change-Id: Ib5bee1b11dc39f005eb009d5c09ce563cac2bebf

2 days ago Add service sessiond-generate-cache.service 47/325547/1
Michal Bloch [Wed, 11 Jun 2025 13:09:03 +0000 (15:09 +0200)]
Add service sessiond-generate-cache.service

Change-Id: Ib43b9da96b5b2858f2dea9cad721fe412337b450

5 weeks ago Add new version of riscv64/readelf 97/323797/1 accepted/tizen/unified/20250509.120512 accepted/tizen/unified/x/20250510.053324
Karol Lewandowski [Wed, 7 May 2025 12:29:34 +0000 (14:29 +0200)]
Add new version of riscv64/readelf

This version has been compiled:
 - without libctf-nobfd library dependency
 - with sframe library compiled in

Built from commit 15c0f4c14d5d5d8032d013bfe9c95 from platform/upstream/binutils
repository on tizen.org.

Change-Id: I9da074e31457c1caea66cfe2ddc090a12c2337eb

6 weeks ago Add unified-system-service & its socket. 83/323483/1
Tomasz Swierczek [Tue, 29 Apr 2025 07:30:06 +0000 (09:30 +0200)]
Add unified-system-service & its socket.

Change-Id: I064a8239a065b32f8d6ee1584b0b8a3100f0e5c0

2 months ago Add cap_setuid also for app loaders in dev_wos mode 64/322164/8 accepted/tizen/unified/20250411.015556 accepted/tizen/unified/x/20250411.040404
Tomasz Swierczek [Fri, 4 Apr 2025 07:59:54 +0000 (09:59 +0200)]
Add cap_setuid also for app loaders in dev_wos mode

This requires adding cap_setuid to AmbientCapabilities in systemd's user
service configuration. To avoid forking systemd we modify its
configuration as a part of no-smack configuration script.

Change-Id: I0d2892b2e123de6059e2dee6b34d5f15c9f0face

2 months ago Add hal-backend-service-codec .service & .socket 77/321377/1 accepted/tizen/unified/20250322.012731 accepted/tizen/unified/x/20250323.134035
Tomasz Swierczek [Wed, 19 Mar 2025 11:34:54 +0000 (12:34 +0100)]
Add hal-backend-service-codec .service & .socket

Change-Id: I28ff2670331b270020d28c39afccc3d8bd933ec2

3 months ago Add hal-backend service & socket to allowed lists. accepted/tizen/unified/20250311.134550 accepted/tizen/unified/x/20250312.054007
Tomasz Swierczek [Sun, 9 Mar 2025 11:12:27 +0000 (12:12 +0100)]
Add hal-backend service & socket to allowed lists.

Re-revert again due to hal-backend service failing on quickbuild.

Change-Id: I30e1080580ba6fe099f514b23d5cf5f0feb7e73e

3 months ago Revert "Add hal-backend service & socket to allowed lists." accepted/tizen/unified/20250310.024630
Tomasz Swierczek [Sun, 9 Mar 2025 11:08:36 +0000 (12:08 +0100)]
Revert "Add hal-backend service & socket to allowed lists."

This reverts commit 63aec578fb3ad9f70e3a4f32cba149c830e79cc9.

Hal-backend service is failing continuously on quickbuild
& we need to release the latest changes from tizen branch.

Reverted commit will be back after this revert is released.

Change-Id: I1c0d19dba946bf5928896cb614e6f27dbc94cca6

3 months ago Fix launchpad-process-pool capabilities on no-smack 34/320734/3
Krzysztof Jackiewicz [Thu, 6 Mar 2025 14:59:11 +0000 (15:59 +0100)]
Fix launchpad-process-pool capabilities on no-smack

Existing configure_wos script was launched in security-config rpm
postinstall. However, during image creation, after rpm installation
according to *.ks file the capabilities are overwritten by
set_capability script making the configure_wos changes ineffective and
leading to security_manager_prepare_app() failure due to insufficient
launchpad-process-pool capabilities:

W/SECURITY_MANAGER_CLIENT( 3483): client-security-manager.cpp: operator()(639) > Process ****doesn't**** have required effective capability!
E/SECURITY_MANAGER_CLIENT( 3483): client-security-manager.cpp: security_manager_pre_check(649) > Lack of required capabilities. Aborting!

This commit aims to set proper capabilities both via security-config
rpm installation and during image build as well as making the
image_test.sh launched during image creation pass. All of this while
keeping most of no-smack related changes in one place.

The capability testing script is currently not able to handle more than
one set of capability flags (e.g. cap_setuid=eip cap_setgid+ei) for
given binary. This can be fixed in future. Launchpad-process-pool needs
cap_setuid=eip but other capabilities have only 'ei' flag. To work
around it, all launchpad-process-pool capabilities have been changed from
'ei' to 'eip'.

The generate_configure_wos script modifies the set_capability script at
build time so the launchpad-process-pool capabilities are set to desired
values during image build and can be compared to expected values by
check_new_capabilities.sh.

The configure_wos script is also launched in rpm postinstall to
facilitate no-smack module development.

Verification:
1. Install security-config rpm
2. Check launchpad-process-pool caps:
   $ getcap /usr/bin/launchpad-process-pool
   /usr/bin/launchpad-process-pool cap_dac_override,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_admin,cap_sys_nice,cap_mac_admin=eip
3. Restart it to use new capabilities:
   $ su - owner
   $ systemctl --user restart launchpad-process-pool
4. Make sure that an app is properly launched, e.g.:
   $ launch_app attach-panel-gallery
   There should be no logs indicating lack of capabilities from
   SECURITY_MANAGER_CLIENT
5. Run the image test:
   $ /usr/share/security-config/test/image_test.sh
6. Make sure that the capability test result is positive:
   $ cat /opt/share/security-config/result/check_new_capabilities.result
   YES

Change-Id: Id7e79382469fb715fa4443f950dcd24c90320aca
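
The commit message above notes that the capability test cannot compare more than one set of flags per binary (e.g. cap_setuid=eip cap_setgid+ei). One way to compare such lists is sketched below as an added example; it is not the project's check_new_capabilities.sh. The function names are hypothetical, the path is assumed to contain no whitespace, and only named capabilities are handled (no `all`, no empty name list).

```sh
#!/bin/sh
# Added example: compare capability lists that use several flag clauses,
# e.g. "cap_setuid=eip cap_setgid+ei". Not the project's own test script.

# caps_from_getcap LINE
# Strip the path (and the " = " separator printed by older libcap) from one
# line of getcap output. Assumption: the path contains no whitespace.
caps_from_getcap() {
    printf '%s\n' "$1" | awk '{
        first = ($2 == "=") ? 3 : 2
        out = ""
        for (i = first; i <= NF; i++) out = out (i > first ? " " : "") $i
        print out
    }'
}

# normalize_caps TEXT
# Expand the clauses into one sorted "name=flags" line per capability, so
# the way capabilities are grouped into clauses no longer matters.
# Returns 2 for a clause this example does not handle.
normalize_caps() {
    nc_out=$(printf '%s\n' "$1" | awk '
    {
        for (c = 1; c <= NF; c++) {
            pos = match($c, /[+=-]/)          # first operator in the clause
            if (pos < 2) { bad = 1; exit }    # no operator, or no names
            n = split(substr($c, 1, pos - 1), names, ",")
            for (j = 1; j <= n; j++)
                if (names[j] !~ /^cap_[a-z_]+$/) { bad = 1; exit }
            actions = substr($c, pos)
            for (k = 1; k <= length(actions); k++) {
                ch = substr(actions, k, 1)
                if (ch == "=" || ch == "+" || ch == "-") {
                    op = ch
                    for (j = 1; j <= n; j++) {
                        seen[names[j]] = 1
                        if (op == "=")        # "=" first clears e, i and p
                            has[names[j], "e"] = has[names[j], "i"] = has[names[j], "p"] = 0
                    }
                } else if (ch == "e" || ch == "i" || ch == "p") {
                    for (j = 1; j <= n; j++)
                        has[names[j], ch] = (op == "-") ? 0 : 1
                } else { bad = 1; exit }
            }
        }
    }
    END {
        if (bad) exit 2
        for (name in seen) {
            flags = ""
            if (has[name, "e"]) flags = flags "e"
            if (has[name, "i"]) flags = flags "i"
            if (has[name, "p"]) flags = flags "p"
            if (flags != "") print name "=" flags
        }
    }') || return 2
    if [ -n "$nc_out" ]; then printf '%s\n' "$nc_out" | LC_ALL=C sort; fi
}

# caps_equal EXPECTED ACTUAL
# Status 0 when both texts grant the same flags to the same capabilities,
# 1 when they differ, 2 when either text could not be parsed.
caps_equal() {
    ce_a=$(normalize_caps "$1") || return 2
    ce_b=$(normalize_caps "$2") || return 2
    [ "$ce_a" = "$ce_b" ]
}

# Constructed expectation: cap_setuid with "eip", the other six with "ei".
EXPECTED='cap_setuid=eip cap_dac_override,cap_setgid,cap_sys_chroot,cap_sys_admin,cap_sys_nice,cap_mac_admin+ei'
# The getcap line quoted in the commit message (all seven with "eip").
PAGE_LINE='/usr/bin/launchpad-process-pool cap_dac_override,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_admin,cap_sys_nice,cap_mac_admin=eip'
# Constructed line in the older "path = caps" layout, two clauses.
OLD_STYLE_LINE='/usr/bin/launchpad-process-pool = cap_setuid+eip cap_dac_override,cap_setgid,cap_sys_chroot,cap_sys_admin,cap_sys_nice,cap_mac_admin+ei'

for line in "$PAGE_LINE" "$OLD_STYLE_LINE"; do
    if caps_equal "$EXPECTED" "$(caps_from_getcap "$line")"; then
        echo "YES"
    else
        echo "NO"
    fi
done
```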

3 months ago Fix delimiters in capability test 33/320733/1
Krzysztof Jackiewicz [Thu, 6 Mar 2025 13:31:23 +0000 (14:31 +0100)]
Fix delimiters in capability test

Change-Id: I6677278b08439ae54af84ae4baa0b7e20040c6c4

3 months ago Add hal-backend service & socket to allowed lists. 17/320417/1 accepted/tizen/unified/20250310.131213 accepted/tizen/unified/x/20250311.125549
Tomasz Swierczek [Fri, 28 Feb 2025 08:36:10 +0000 (09:36 +0100)]
Add hal-backend service & socket to allowed lists.

Change-Id: I3d03e28a8074241656cf35e59d8bb43a96c61d66

3 months ago Get rid of app_access group 31/320231/2
Krzysztof Jackiewicz [Tue, 25 Feb 2025 12:15:03 +0000 (13:15 +0100)]
Get rid of app_access group

Change-Id: I7fe3cd1869a5d8e12b3c53e7d220098295872213

3 months ago Add esd-badge.socket & esd-shortcut.socket to allowed list 99/320299/1 accepted/tizen/unified/20250304.070205 accepted/tizen/unified/x/20250304.080616
Tomasz Swierczek [Wed, 26 Feb 2025 08:20:37 +0000 (09:20 +0100)]
Add esd-badge.socket & esd-shortcut.socket to allowed list

Change-Id: I7b57154f9115be7835e98f08f81abf294c9d7f9f

3 months ago Give RX access to home and app dir to others 95/319695/6 accepted/tizen/unified/20250221.111443 accepted/tizen/unified/x/20250221.231456
Krzysztof Jackiewicz [Fri, 14 Feb 2025 18:05:53 +0000 (19:05 +0100)]
Give RX access to home and app dir to others

Without it other apps won't be able to access application
subdirectories.

Change-Id: I2d528d8288f4398650fd1e20400023f8c9500e44

4 months ago Add cap_setuid to launchpad-process-pool in dev_wos mode 71/318871/7 accepted/tizen/unified/20250217.155043 accepted/tizen/unified/x/20250221.042202
Tomasz Swierczek [Wed, 29 Jan 2025 09:32:43 +0000 (10:32 +0100)]
Add cap_setuid to launchpad-process-pool in dev_wos mode

Added outside set_capability script as it's a dev_wos-only
modification, so far only for PoC.

Change-Id: I86fe560d2ed5a34455d92577ce846f6dc47738e1

4 months ago Add app_access and system_access groups + add services to the latter 34/318334/6 accepted/tizen_unified_x_asan accepted/tizen/unified/20250128.152850 accepted/tizen/unified/x/20250212.043846 accepted/tizen/unified/x/asan/20250211.003510
Krzysztof Malysa [Wed, 15 Jan 2025 15:23:06 +0000 (16:23 +0100)]
Add app_access and system_access groups + add services to the latter

Change-Id: I3d41f4df66adee1ffe8088c8668e4d3725375988

5 months ago Add CAP_SYS_PTRACE capability to amd 71/317171/1 accepted/tizen/unified/20250114.104257 accepted/tizen/unified/x/20250114.211240
Changgyu Choi [Thu, 26 Dec 2024 08:37:45 +0000 (17:37 +0900)]
Add CAP_SYS_PTRACE capability to amd

To debug without killing the blocked app process, amd must have CAP_SYS_PTRACE cap.
amd prints backtrace of a blocked app process.

Change-Id: I3a3ab61444f6dabf57327308efcef1ab1e975af4
Signed-off-by: Changgyu Choi <changyu.choi@samsung.com>

6 months ago Remove smack labeling for /csa 37/316537/1
Dongsun Lee [Fri, 13 Dec 2024 07:13:10 +0000 (16:13 +0900)]
Remove smack labeling for /csa

Change-Id: Ia2b3b36e8c4bdb75a6b98c93ad2af868c691c807

6 months ago Change smack label of smack_pre_labeling to floor(_) 17/316217/1 accepted/tizen/unified/20241216.010825 accepted/tizen/unified/x/20241218.032734 accepted/tizen/unified/x/asan/20241224.004500
Dongsun Lee [Thu, 12 Dec 2024 01:29:35 +0000 (10:29 +0900)]
Change smack label of smack_pre_labeling to floor(_)

Change-Id: Iac3386bb1c116a32d20f66a5e1800f23c56d79c7

7 months ago Add hal-compatibility-check.service 10/320010/1 accepted/tizen/unified/20241108.105517
Tomasz Swierczek [Wed, 6 Nov 2024 11:31:26 +0000 (12:31 +0100)]
Add hal-compatibility-check.service

Change-Id: I9b03a5c5b4f4e0e559cd51e270663aeabf407c20

7 months ago Add CAP_FOWNER capability to amd 17/319717/2
Hwankyu Jhun [Wed, 30 Oct 2024 23:27:56 +0000 (08:27 +0900)]
Add CAP_FOWNER capability to amd

To delete temporary files of applications, amd must have CAP_FOWNER cap,
because the file permission is "srw- --- ---".

Required by:
- https://review.tizen.org/gerrit/#/c/platform/core/appfw/amd/+/319716/

Change-Id: Iad573eb6e78cbfd1722c863d5d3a535b67fefdd5
Signed-off-by: Hwankyu Jhun <h.jhun@samsung.com>

8 months ago Add capability for the lux 05/317805/1 accepted/tizen_unified_dev accepted/tizen_unified_toolchain accepted/tizen/9.0/unified/20241030.235052 accepted/tizen/unified/20240920.050212 accepted/tizen/unified/dev/20240924.080620 accepted/tizen/unified/toolchain/20241004.101901 accepted/tizen/unified/x/20240920.102421 accepted/tizen/unified/x/asan/20241014.000242 tizen_9.0_m2_release
Hwankyu Jhun [Thu, 19 Sep 2024 01:46:36 +0000 (10:46 +0900)]
Add capability for the lux

Currently, the launchpad-process-pool has a problem with creating
child processes, because there are many threads in the launchpad-process-pool.
If a sub thread tries to allocate memory or call getenv() while
the main thread is calling fork(), it causes a deadlock in
the child processes. The lux is a child process of
the launchpad-process-pool that creates child processes for applications.
(The lux is a single-threaded process.)

Change-Id: I20d7ce82b77af226bda0e59b8690896245b64580
Signed-off-by: Hwankyu Jhun <h.jhun@samsung.com>

9 months ago Add esd.service sockets to configuration 83/317683/1
Tomasz Swierczek [Fri, 13 Sep 2024 04:34:02 +0000 (06:34 +0200)]
Add esd.service sockets to configuration

* esd-cion.socket
* esd-group.socket

Change-Id: I762df13213c8c2fd711bd1af0beff0aaf0339d58

9 months ago Add rscmgr-msgq.service 50/317050/1 accepted/tizen/unified/20240905.010628 accepted/tizen/unified/dev/20240910.111520 accepted/tizen/unified/x/20240905.023721
Tomasz Swierczek [Tue, 3 Sep 2024 07:42:04 +0000 (09:42 +0200)]
Add rscmgr-msgq.service

Service runs as root, but it's a one-shot that only
creates systemv message queue for usage in rscmgr-service,
that's running with multimedia_fw user/gid.

Change-Id: If4dcb747e65955a92aef9f1a77f7ecdf4dd2be49

9 months ago Change mscmgr.service from root to multimedia_fw 93/316993/1 accepted/tizen/unified/20240903.110737 accepted/tizen/unified/x/20240904.025247
Tomasz Swierczek [Mon, 2 Sep 2024 08:46:35 +0000 (10:46 +0200)]
Change mscmgr.service from root to multimedia_fw

Change-Id: I1a2c2171531facb17eb5bf7538d72e6dc6dc44fd

9 months ago Add service lightweight-web-engine-update.service 18/316418/1 accepted/tizen/unified/20240822.181327 accepted/tizen/unified/dev/20240826.221215 accepted/tizen/unified/x/20240823.023307
Tomasz Swierczek [Wed, 21 Aug 2024 06:04:43 +0000 (08:04 +0200)]
Add service lightweight-web-engine-update.service

Change-Id: I8ec1c4a3c75018825f9a9f1e0362013dadd9b338

9 months ago Revert "Run rscmgr-service with System::Run label" 00/316200/1 accepted/tizen/unified/20240819.043930 accepted/tizen/unified/dev/20240821.053448 accepted/tizen/unified/x/20240819.023507
YoungHun Kim [Thu, 15 Aug 2024 23:17:23 +0000 (23:17 +0000)]
Revert "Run rscmgr-service with System::Run label"

This reverts commit b134bbe15284c1145b6ef9a83307827fcc5da7a3.

Change-Id: I2d84af5977eaf397cea4fd59d326be35c544077d

10 months ago Run rscmgr-service with System::Run label 90/316090/1 accepted/tizen/unified/20240814.180336 accepted/tizen/unified/20240815.163627 accepted/tizen/unified/dev/20240819.095612
Dariusz Michaluk [Tue, 13 Aug 2024 11:32:43 +0000 (13:32 +0200)]
Run rscmgr-service with System::Run label

This change should be reverted as it's not secure,
made on special HQ request.

Change-Id: I061b551b70e2f593878aff434bed41059af0d794

10 months ago Change rscmgr-service to root 96/315996/1 accepted/tizen/unified/20240813.181634 accepted/tizen/unified/x/20240814.051358
Dariusz Michaluk [Mon, 12 Aug 2024 08:45:29 +0000 (10:45 +0200)]
Change rscmgr-service to root

Change-Id: Id5d62c3d31dd241c46be4d862f712ee1a7db1bb1

10 months ago Add rscmgr-service service file 63/315863/1 accepted/tizen/unified/20240809.055157 accepted/tizen/unified/dev/20240812.222948 accepted/tizen/unified/toolchain/20240813.045222 accepted/tizen/unified/x/20240812.041953 accepted/tizen/unified/x/asan/20240813.231650
Dariusz Michaluk [Thu, 8 Aug 2024 07:36:51 +0000 (09:36 +0200)]
Add rscmgr-service service file

Change-Id: I27450ecce1d1f3d5808979164490ed52d13137c1

10 months ago Add modprobe service file 26/314726/2 accepted/tizen/unified/20240727.112802 accepted/tizen/unified/dev/20240722.073455 accepted/tizen/unified/toolchain/20240812.133235 accepted/tizen/unified/x/20240729.014250
Dariusz Michaluk [Thu, 18 Jul 2024 06:15:31 +0000 (08:15 +0200)]
Add modprobe service file

Change-Id: I21f625689c61894e83f9f083e31f62aba301f174

10 months ago Make test/smack_rule_test/checksmackrule.sh more robust 68/314268/2
Krzysztof Malysa [Tue, 9 Jul 2024 11:16:32 +0000 (13:16 +0200)]
Make test/smack_rule_test/checksmackrule.sh more robust

Change-Id: I88a9c0a756264d1676768b33ea3c3c9236545053

11 months ago Do not check SmackProcessLabel for .service units without [Service] section 61/314361/1 accepted/tizen/unified/20240716.112358 accepted/tizen/unified/20240716.140240 accepted/tizen/unified/dev/20240717.110327 accepted/tizen/unified/x/20240717.012454
Karol Lewandowski [Wed, 10 Jul 2024 18:41:04 +0000 (20:41 +0200)]
Do not check SmackProcessLabel for .service units without [Service] section

Such units are provided by new systemd (>= 255).

We retain old logic and service exceptions for package to work with both new
and old systemd versions.

Change-Id: Ia01365e0ba76053932b61bf3f143e0bcdbddf573

11 months ago Add a socket for extended key manager API 17/313417/1 accepted/tizen/unified/20240703.100108 accepted/tizen/unified/dev/20240704.065621 accepted/tizen/unified/x/20240704.022925
Filip Skrzeczkowski [Tue, 25 Jun 2024 14:28:52 +0000 (16:28 +0200)]
Add a socket for extended key manager API

Change-Id: I9c7c228290dabb0a8c9d2d13c97e79a2afd8549a

12 months ago Rename services due to Online Upgrade 80/311880/1 accepted/tizen/unified/20240611.122500 accepted/tizen/unified/dev/20240620.005643 accepted/tizen/unified/toolchain/20240624.121520 accepted/tizen/unified/x/20240612.025948 accepted/tizen/unified/x/asan/20240625.092557
Mateusz Moscicki [Wed, 29 May 2024 09:33:04 +0000 (11:33 +0200)]
Rename services due to Online Upgrade

Changes to standardize the nomenclature:

    offline-update.service -> system-update.service
    update-post.service -> offline-update-post.service

Change-Id: I212cb7c4387304164020a4c4db84ca582bb5507b

12 months ago Change the smack label for data-checkpoint.service 61/311161/1 accepted/tizen/unified/20240606.161529
Mateusz Moscicki [Wed, 15 May 2024 11:48:38 +0000 (13:48 +0200)]
Change the smack label for data-checkpoint.service

Change-Id: Id3049e744766bab9d5e9353ee583c0129b4fa368

13 months ago Configure bluetooth service & tools 92/310792/4 accepted/tizen/unified/20240509.124641 accepted/tizen/unified/toolchain/20240513.061315 accepted/tizen/unified/x/20240510.061433
Tomasz Swierczek [Wed, 8 May 2024 07:52:45 +0000 (09:52 +0200)]
Configure bluetooth service & tools

* add bt-core service (as DBus) & its capabilities
* add caps to bluez hcitool tool

Reference ticket: SECSFV-273

Change-Id: Ie6372de7701891bf58e643b0a5d10656555c7709

13 months ago Add webauthn service & socket 78/310378/1 accepted/tizen/unified/20240430.020642 accepted/tizen/unified/toolchain/20240507.011842 accepted/tizen/unified/x/20240430.094820 accepted/tizen/unified/x/20240508.055416
Tomasz Swierczek [Fri, 26 Apr 2024 08:59:29 +0000 (10:59 +0200)]
Add webauthn service & socket

Change-Id: Idb5c9bd8afa6ffa2b51b25eb5e0ebda7805a6115

13 months ago Add online-update service files 95/309695/1 accepted/tizen/unified/toolchain/20240508.012342 accepted/tizen/unified/x/20240507.051012
Mateusz Moscicki [Mon, 15 Apr 2024 11:41:16 +0000 (13:41 +0200)]
Add online-update service files

Change-Id: Ie1e73111f120d65cc6becf68ffdd0ea7203a8d8c

14 months ago Add cap_dac_override to isud binary 10/309510/1 accepted/tizen/unified/20240423.164547 accepted/tizen/unified/x/20240425.051128
Adam Michalski [Thu, 11 Apr 2024 13:49:58 +0000 (15:49 +0200)]
Add cap_dac_override to isud binary

- This is needed by the isud to perform clean-up of the unnecessary
  files from globalapps path which is owned by tizenglobalapp:root
  but the isud service is run with the system:system user and group.

Reference ticket: SECSFV-271

Change-Id: Ib4b57bf44891dc902fa18d2c555c0e91adad93c9

14 months ago Add package-manager systemd socket accepted/tizen/unified/20240403.095042 accepted/tizen/unified/20240404.021411 accepted/tizen/unified/x/20240404.062006
Tomasz Swierczek [Tue, 2 Apr 2024 06:02:46 +0000 (08:02 +0200)]
Add package-manager systemd socket

SECSFV-270

Change-Id: I3d46bdaf34c784201b042d2f126044d24b65638b

15 months ago Add org.tizen.machinelearning.service.service 20/307920/1 accepted/tizen/unified/20240319.020740 accepted/tizen/unified/x/20240320.055311
gichan2-jang [Thu, 14 Mar 2024 07:48:43 +0000 (16:48 +0900)]
Add org.tizen.machinelearning.service.service

Add org.tizen.machinelearning.service.service to dbus_service.list

Change-Id: If116ad569a49c99bee21948fee7d7d92c2c6d69d
Signed-off-by: gichan2-jang <gichan2.jang@samsung.com>

15 months ago Update the service name in systemd_service.csv 90/307690/1
Sangjung Woo [Tue, 12 Mar 2024 08:22:05 +0000 (17:22 +0900)]
Update the service name in systemd_service.csv

The existing 'machine-learning-agent' is renamed to 'mlops-agent' since
new functionality is added to the daemon. Because of this reason,
systemd service file should be updated as 'mlops-agent.service' too.

Change-Id: I4ad0b31ebab11201f00a6f9a9ba8efbc9eec52b9
Signed-off-by: Sangjung Woo <sangjung.woo@samsung.com>

17 months ago Update path check exception list 44/303944/1 accepted/tizen_unified_riscv accepted/tizen/unified/20240109.155342 accepted/tizen/unified/riscv/20240110.014513
Jeongmo Yang [Mon, 8 Jan 2024 08:41:32 +0000 (17:41 +0900)]
Update path check exception list

- "/etc/profile.d/mmf.sh" is added.
- It's used for setting environment value of platform bash login, not executed by the user.

Change-Id: I0095b8fb44406ab782cacb35264946145bfe5c27
Signed-off-by: Jeongmo Yang <jm80.yang@samsung.com>

18 months ago Fixed isud.service added previously accepted/tizen/8.0/unified/20231214.164513 accepted/tizen/unified/20231214.164950 accepted/tizen/unified/riscv/20231226.211509
Tomasz Swierczek [Wed, 13 Dec 2023 11:35:44 +0000 (12:35 +0100)]
Fixed isud.service added previously

The request SECSFV-268 mixed systemd service file with DBus one.

Change-Id: Ifa2e964321aa7169ac09768fdb103b0c0b72fe92

18 months ago Add isud.service accepted/tizen/unified/20231213.162126
Tomasz Swierczek [Tue, 12 Dec 2023 11:28:59 +0000 (12:28 +0100)]
Add isud.service

- DBus service - short-lived, on-demand activated service.
- SECSFV-268

Change-Id: I81234aef8c722c0b731a7075d14bcb779573e711

21 months ago Add cap_sys_resource to /usr/bin/pass 32/298632/1 accepted/tizen/8.0/unified/20231005.093703 accepted/tizen/unified/20230912.171635 tizen_8.0_m2_release
Yunjin Lee [Tue, 12 Sep 2023 02:25:01 +0000 (11:25 +0900)]
Add cap_sys_resource to /usr/bin/pass

- Add cap_sys_resource to /usr/bin/pass
- SECSFV-267

Change-Id: I211b2d2889bb222a65d8c063f107bf91e025b006
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

21 months ago Add /usr/bin/crash-manager to list of exceptions for exec label check 66/297766/2 accepted/tizen/unified/20230830.170538
Tomasz Swierczek [Thu, 24 Aug 2023 04:55:47 +0000 (06:55 +0200)]
Add /usr/bin/crash-manager to list of exceptions for exec label check

It's owned and can be launched by root only, so it's not really
world-readable/executable, despite having _ Smack label.

The fact it has _ access Smack label (& System::Privileged exec label)
is a consequence of upstream kernel change - other Smack access
label makes the kernel not able to launch it on coredump.

Change-Id: I6af9a5e90edad3c371de9d7ea43bcd5e44db7088

23 months ago Check services in ISU directories 99/292199/3
Mateusz Moscicki [Thu, 27 Apr 2023 11:14:41 +0000 (13:14 +0200)]
Check services in ISU directories

This patch adds verification of service files provided under the ISU
(Individual Service Upgrade) mechanism.

Change-Id: I86afe2cc5c99169c79976298498377a51b3182d6

2 years ago Remove utils after running image test 80/292680/1 accepted/tizen/unified/20230512.084101
Yunjin Lee [Thu, 11 May 2023 07:59:50 +0000 (16:59 +0900)]
Remove utils after running image test

Change-Id: I05ba8c67011e527a2224d2ae5f00f0421c0b24a3
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

2 years ago Change the binary readelf for riscv64 62/292662/1
wchang kim [Thu, 11 May 2023 04:27:13 +0000 (13:27 +0900)]
Change the binary readelf for riscv64

Change-Id: Ibbdf42315cbeffbd858d706d52ef14ef0fbd4a11

2 years ago Merge "Add RISC-V test utils" into tizen
Kim Kidong [Mon, 17 Apr 2023 00:26:22 +0000 (00:26 +0000)]
Merge "Add RISC-V test utils" into tizen

2 years ago Disable askuser in all profile 19/287119/1 accepted/tizen/unified/20230406.165750
Yunjin Lee [Fri, 20 Jan 2023 04:19:36 +0000 (13:19 +0900)]
Disable askuser in all profile

Change-Id: Id289e61b2cfb957261a6d90edb77c2a00372c94e
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

2 years ago Add RISC-V test utils 57/284557/1
Marek Pikuła [Mon, 17 Oct 2022 21:17:16 +0000 (23:17 +0200)]
Add RISC-V test utils

Change-Id: I6a5f1302dc4bf017a2b094d4c5095be6f0e18fea
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>

2 years ago Do not check profile info while running systemd unit test. 24/283024/1 accepted/tizen/unified/20221102.020603
Jin-gyu Kim [Mon, 17 Oct 2022 02:20:25 +0000 (11:20 +0900)]
Do not check profile info while running systemd unit test.

- If invalid systemd units exist, move those in every profile.

Change-Id: Ie4bc762f0d6e57fba0af41240b876300f1d04b5a

2 years ago Fix a wrong service name. 06/282906/1 accepted/tizen_7.0_unified_hotfix tizen_7.0_hotfix accepted/tizen/7.0/unified/20221110.062725 accepted/tizen/7.0/unified/hotfix/20221116.105631 accepted/tizen/unified/20221014.074150 tizen_7.0_m2_release
Jin-gyu Kim [Thu, 13 Oct 2022 07:27:31 +0000 (16:27 +0900)]
Fix a wrong service name.

- scmirroring.service -> scmirroring.server.service

Change-Id: I2518e4f49461ee117b8e0c47fef4c96a09f3c562

2 years ago Add pass-resource-monitor.socket 85/281285/1 accepted/tizen/unified/20220919.012632
Jin-gyu Kim [Thu, 15 Sep 2022 07:04:58 +0000 (16:04 +0900)]
Add pass-resource-monitor.socket

Change-Id: Ie2d513796fe8422052322275137c19349ffdc88e

2 years ago Add machine-learning-agent.service 36/279836/2 accepted/tizen/unified/20220819.122457 submit/tizen/20220818.081536
Jin-gyu Kim [Thu, 18 Aug 2022 08:00:25 +0000 (17:00 +0900)]
Add machine-learning-agent.service

Change-Id: I3525c8d4996d56da5c699637068c33167367c4a9

2 years ago Check static linked binaries rather than including those in the list. 76/279376/5
Jin-gyu Kim [Mon, 8 Aug 2022 06:45:49 +0000 (15:45 +0900)]
Check static linked binaries rather than including those in the list.

- Before : Specify static linked binaries in the exception list.
- With this : Check whether binaries are static linked.
              If so, do not check ASLR.
- Do not check "dll" and if the name is started with "qemu".
- Do not see "onlycap" file while testing, as it is not needed.
- Leave the list as an empty for the future use or security-analyzer.

Change-Id: I26dc7044a62e49c0b07ca532900732aa429e5d0e

2 years ago Use csv format for lists of systemd unit tests. 53/278853/1 accepted/tizen/unified/20220729.131711 submit/tizen/20220727.081746 submit/tizen/20220728.083909
Jin-gyu Kim [Wed, 27 Jul 2022 03:16:07 +0000 (12:16 +0900)]
Use csv format for lists of systemd unit tests.

- Use unified csv files for maintaining systemd unit tests.
- create_list.sh creates lists per profiles.
- Even after this is applied, the target has the same list as before.

Change-Id: I88b76f92e33f167b772a06a5a5d6ed97e1a1bc52

2 years ago Change SmackProcessLabel of user@.service & add resourced.socket 70/278570/1 accepted/tizen/unified/20220726.012238 submit/tizen/20220721.112425 submit/tizen/20220725.022745
Jin-gyu Kim [Fri, 22 Jul 2022 05:42:38 +0000 (14:42 +0900)]
Change SmackProcessLabel of user@.service & add resourced.socket

Change-Id: Ic36eb7278d300282231bbb70d3fa037e5a4b55ec

2 years ago Read link before setting capability to /usr/sbin/insmod 05/278305/2 accepted/tizen/unified/20220722.131751 submit/tizen/20220719.031510
Jin-gyu Kim [Tue, 19 Jul 2022 02:04:37 +0000 (11:04 +0900)]
Read link before setting capability to /usr/sbin/insmod

Consideration : It would be better to read link in every case.

Change-Id: I96ad4fc378200f54ae9e6fd6bf92e925eda2d4cf

3 years ago Add cap_sys_ptrace to /usr/bin/pass 43/276343/1 accepted/tizen/unified/20220629.152839 submit/tizen/20220616.073240 submit/tizen/20220628.083839
Jin-gyu Kim [Wed, 15 Jun 2022 04:45:00 +0000 (13:45 +0900)]
Add cap_sys_ptrace to /usr/bin/pass

Change-Id: I48e8f16f4159021c4209a44e7bb13507db1797bf

3 years ago Change Smack Process Label of pkg-db-recovery & package-recovery services 89/275689/1 accepted/tizen/unified/20220608.140055 submit/tizen/20220531.074151
Jin-gyu Kim [Mon, 30 May 2022 07:52:57 +0000 (16:52 +0900)]
Change Smack Process Label of pkg-db-recovery & package-recovery services

- To use cap_mac_override used by installer cmd (ex : tpk-backend),
  System::Privileged is required for these services.

Change-Id: I8d7bff03e50e6110da3b5e940d11f219325efd01

3 years ago Changes the service name 31/275531/2
Jin-gyu Kim [Thu, 26 May 2022 05:09:11 +0000 (14:09 +0900)]
Changes the service name
- tizen-recovery.service -> recovery.service

Change-Id: I682c117c43cd3b13fe800fc6b3b69d63c87788e5

3 years ago Give cap_mac_override to package-manager.service 64/275464/1 accepted/tizen/unified/20220528.144435 submit/tizen/20220526.031554
Jin-gyu Kim [Wed, 25 May 2022 07:46:41 +0000 (16:46 +0900)]
Give cap_mac_override to package-manager.service

- To abort app directories creation & deletion, it needs cap_mac_override permission.
  Because SMACK rules between "System" and "User::Pkg::..." are removed at this time.

Change-Id: Ief2e8d08e22f6738336dfec473de9920823f2df5

3 years ago Add update-manager.service 83/275383/1
Jin-gyu Kim [Tue, 24 May 2022 03:48:05 +0000 (12:48 +0900)]
Add update-manager.service

Change-Id: I0b37c75e8d872d8cd5e64dd0de5fb1dd1dbe7a9a

3 years ago Add tizen-recovery.service, clone_partitions_recovery.service and 40/275340/1
Jin-gyu Kim [Mon, 23 May 2022 20:28:31 +0000 (05:28 +0900)]
Add tizen-recovery.service, clone_partitions_recovery.service and
recovery-reboot.service

Change-Id: I321a883144a73358b85ca96b992c92ef089269d1

3 years ago Add cap_sys_nice to pkginfo-server. 88/274488/1 accepted/tizen/unified/20220501.223714 submit/tizen/20220429.050615
Jin-gyu Kim [Fri, 29 Apr 2022 04:58:42 +0000 (13:58 +0900)]
Add cap_sys_nice to pkginfo-server.

Change-Id: I56e3ef8f15b1cda612f2048cf1a4f2a6af3817f9

3 years ago Add clone_partitions.service 08/274308/1 accepted/tizen/unified/20220427.140139 submit/tizen/20220426.103748
Jin-gyu Kim [Tue, 26 Apr 2022 05:45:55 +0000 (14:45 +0900)]
Add clone_partitions.service

Change-Id: I2b4da639a5d153887c66566d573a13e25f23a823

3 years ago Change SmackProcessLabel of booting-done.service 33/274233/1 submit/tizen/20220425.073332 submit/tizen/20220426.010256
JinGyu Kim [Tue, 26 Apr 2022 00:18:18 +0000 (09:18 +0900)]
Change SmackProcessLabel of booting-done.service

Change from System::Privileged to System

Change-Id: I5a699fa6edc439da1b301abbecc01fe2560758c1

3 years ago Change permissions of booting-done.service 60/273960/1 submit/tizen/20220421.021204
Jin-gyu Kim [Tue, 19 Apr 2022 23:05:36 +0000 (08:05 +0900)]
Change permissions of booting-done.service

- Need root and System::Privileged permissions
- Check booting status and do recovery operations

Change-Id: Ie7f40824ece83745d4e93f7a08874ce0e5c57625

3 years ago Add sessiond.service 85/273585/2 accepted/tizen/unified/20220412.100309 submit/tizen/20220409.014712
Jin-gyu Kim [Fri, 8 Apr 2022 22:34:46 +0000 (07:34 +0900)]
Add sessiond.service

- Root and System::Privileged permissions are required.
- It creates directories and sets SMACK attributes like gumd.

Change-Id: Ia2fe49ce65c613bde9c09ffdb75ab71a7d109edc

3 years ago Add cap_net_admin to /usr/bin/pass 89/271589/1 accepted/tizen/unified/20220302.131922 submit/tizen/20220224.015932
Jin-gyu Kim [Thu, 24 Feb 2022 01:37:59 +0000 (10:37 +0900)]
Add cap_net_admin to /usr/bin/pass

- Requested by SECSFV-229
- cap_net_admin is required to use netlink interface

Change-Id: I524b7ce4a22a02d9d7213303a07758dde4b54445

3 years ago Add cap_sys_chroot to launchpad-process-pool 24/270524/1 accepted/tizen/unified/20220208.112103 submit/tizen/20220207.065417
Jin-gyu Kim [Fri, 4 Feb 2022 23:47:09 +0000 (08:47 +0900)]
Add cap_sys_chroot to launchpad-process-pool

- It is needed to support "Debug Attach" used by gdbserver.

Change-Id: I1ec73238bd3b2294b6a3b1600e1460921c047a43

3 years ago Security upgrade: always set dummy_file mode/label 15/269515/1 submit/tizen/20220119.054430
Konrad Lipinski [Mon, 17 Jan 2022 13:22:41 +0000 (14:22 +0100)]
Security upgrade: always set dummy_file mode/label

Prior to this commit, the script only changed the mode/label if the file
has not existed before. If the script ever managed to touch the file and
then got killed, the file's mode/label would never get properly adjusted
when running the script again.

Change-Id: I707870eea9abb63ccf10e8c54fb3ca984e92196a

3 years ago Use double brackets for checking path exception list. 55/269055/1 accepted/tizen/unified/20220111.123041 submit/tizen/20220110.203715
Jin-gyu Kim [Fri, 7 Jan 2022 23:06:34 +0000 (08:06 +0900)]
Use double brackets for checking path exception list.

- This is needed to avoid the error raised by some exceptional cases.

Change-Id: I833fee25bb563093812ddf1b3492591e9f92f11a

3 years ago Add telephony-dongle service. 39/268939/1 accepted/tizen/unified/20220107.120853 submit/tizen/20220106.013141
Jin-gyu Kim [Wed, 5 Jan 2022 22:14:37 +0000 (07:14 +0900)]
Add telephony-dongle service.

- Requested by SECSFV-207
- Give cap_sys_module capability with "ei" option to /usr/sbin/insmod

Change-Id: I704059ae5d9d0062e4217f252acda324e6818411

3 years ago Add display-manager-ready.service 74/268874/2 accepted/tizen/unified/20220105.120755 submit/tizen/20220105.002009
Jin-gyu Kim [Tue, 4 Jan 2022 23:49:03 +0000 (08:49 +0900)]
Add display-manager-ready.service

- display-manager-ready service is used for iot headless profile.
- There is no list difference between headed and headless. (Added to iot list)

Change-Id: I2cc6ff7ff09f0d7af85c541ec16d1260ffadfef1

3 years ago Add update-post.service & update-finalize.service 73/267173/1 accepted/tizen/unified/20211130.125525 submit/tizen/20211129.232451
Jin-gyu Kim [Mon, 29 Nov 2021 22:04:14 +0000 (07:04 +0900)]
Add update-post.service & update-finalize.service

- Requested by SECSFV-204
- Root privilege is required as those are used during the system upgrade process.

Change-Id: I8d46de7787bcf61ec15c6fc2bf9922d0a2d14743

3 years ago When running smack rule test, all apps need to be executed twice. 78/267078/2 accepted/tizen/unified/20211129.035309 submit/tizen/20211126.233820
Jin-gyu Kim [Thu, 25 Nov 2021 22:59:18 +0000 (07:59 +0900)]
When running smack rule test, all apps need to be executed twice.

- Some applications may have dependencies on other apps,
  so double execution is required at first.

Change-Id: I0b345f2348d8bec0fda6a7256aa153d098ca3f89

3 years ago Remove unused file 30/266530/1
Yunjin Lee [Mon, 15 Nov 2021 03:43:35 +0000 (12:43 +0900)]
Remove unused file

Change-Id: I74649d8f3e016893be24d66eec78b4fddc057d87

3 years ago Add dbus-daemon-launch-helper as setuid exception for 64 38/264938/2 accepted/tizen/unified/20211029.132541 submit/tizen/20211006.013535 submit/tizen/20211028.030415
Yunjin Lee [Wed, 6 Oct 2021 01:28:43 +0000 (10:28 +0900)]
Add dbus-daemon-launch-helper as setuid exception for 64

Change-Id: I4aedd20b914e71b67e7860faf8bb7f850aa11511
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

3 years ago Set cap_dac_override to pkginfo-server 90/263690/1 accepted/tizen/6.5/unified/20211028.123248 accepted/tizen/unified/20210909.002357 submit/tizen/20210908.083351 submit/tizen/20210908.083551 submit/tizen_6.5/20211028.162401 tizen_6.5.m2_release
Jin-gyu Kim [Thu, 9 Sep 2021 01:09:56 +0000 (10:09 +0900)]
Set cap_dac_override to pkginfo-server

cap_dac_override : To write data on user database

Change-Id: I263ec0908df67a7ec67b873012c0821399aab084

3 years ago Add nsjail.service 26/263526/1 accepted/tizen/unified/20210907.015400 submit/tizen/20210906.040311
Yunjin Lee [Mon, 6 Sep 2021 03:52:03 +0000 (12:52 +0900)]
Add nsjail.service

- Requested by SECSFV-203

Change-Id: I3adebd83ed0791217bb880000e0e145958f14a37
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

3 years ago Remove an unnecessary capability. 68/263468/2
Jin-gyu Kim [Fri, 3 Sep 2021 23:08:00 +0000 (08:08 +0900)]
Remove an unnecessary capability.

- cap_fowner is not needed for pkgmgr-server.

Change-Id: I605f138f51a1e0bb68f524697d7e72ef8b9d70fb

3 years ago Add capabilities for res-copy 71/263371/3 accepted/tizen/unified/20210903.083035 submit/tizen/20210902.020354
Yunjin Lee [Wed, 1 Sep 2021 08:59:30 +0000 (17:59 +0900)]
Add capabilities for res-copy

- cap_chown, cap_dac_override, cap_fowner are required to change
  copied resources' ownership (root:priv_platform). pkgmgr-server
  fork-execs it, hence give cap_fowner to pkgmgr-server and give
  ie for those caps to res-copy.

Change-Id: I951d5bfe4b17a66f871ec60ff935da8670850d18
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

3 years ago Add hal-rpmdb-checker.service 56/263056/1 accepted/tizen/unified/20210830.103947 submit/tizen/20210826.015715 submit/tizen/20210827.231742
Jin-gyu Kim [Thu, 26 Aug 2021 01:23:49 +0000 (10:23 +0900)]
Add hal-rpmdb-checker.service

Requested by SECSFV-202

Change-Id: I33753ba9ad15b387c473dae0600099b4cf13e6ae

3 years ago Add priv_platform group. 87/262987/1
Jin-gyu Kim [Wed, 25 Aug 2021 02:16:24 +0000 (11:16 +0900)]
Add priv_platform group.

- Mapped with http://tizen.org/privilege/internal/default/platform

Change-Id: I614421b9e13cc65bf6800f011b2f84dadbc935b7

3 years ago Add data-checkpoint.service & udev-trigger-dmbow@.service. 52/262252/6 accepted/tizen/unified/20210810.135340 submit/tizen/20210809.195630
Jin-gyu Kim [Fri, 6 Aug 2021 00:49:12 +0000 (09:49 +0900)]
Add data-checkpoint.service & udev-trigger-dmbow@.service.

- Requested by SECSFV-201

Change-Id: I33bf75444ba1e677fc3956429a32140c4a091848

3 years ago Merge "Add priv_peripheralio group id" into tizen accepted/tizen/unified/20210624.131813 submit/tizen/20210624.042100
Jin-gyu Kim [Wed, 23 Jun 2021 10:19:27 +0000 (10:19 +0000)]
Merge "Add priv_peripheralio group id" into tizen

3 years ago Add aslr exception lists. 41/260241/2 submit/tizen/20210623.223540
Jin-gyu Kim [Wed, 23 Jun 2021 04:06:25 +0000 (13:06 +0900)]
Add aslr exception lists.

- Some executables are included in packages not being compiled.
- In these cases, applying PIE option is not available.

Change-Id: I20b2da508ad01a9beeb0c497ed1086533da460ea

3 years ago Add priv_peripheralio group id 28/260228/2
Jin-gyu Kim [Wed, 23 Jun 2021 01:48:03 +0000 (10:48 +0900)]
Add priv_peripheralio group id

- This will be mapped to http://tizen.org/privilege/peripheralio

Change-Id: I32130ffaf18b0034b0d4870afe9aa3c3f8fdef16

4 years ago Check the existence of ipv6host before trying to write. 71/259671/1 accepted/tizen/unified/20210611.013615 submit/tizen/20210611.191252
Jin-gyu Kim [Fri, 11 Jun 2021 19:08:25 +0000 (04:08 +0900)]
Check the existence of ipv6host before trying to write.

Change-Id: Ie79e77df84c7ee8ae5332d3ab59aaa898ccc5ce0

4 years ago smack: add ip(10.0.2.15) to allow gdb remote debugging 43/259243/2 accepted/tizen/unified/20210608.130914 submit/tizen/20210604.073048 submit/tizen/20210607.102409
Dongkyun Son [Thu, 3 Jun 2021 02:54:19 +0000 (11:54 +0900)]
smack: add ip(10.0.2.15) to allow gdb remote debugging

To fix smack denial:
audit: type=1400 audit(1622180305.290:90): lsm=SMACK fn=smack_inet_conn_request action=denied subject="System::Privilege::Internet" object="User::Pkg::org.example.basicui4" requested=w pid=2315 comm="sdbd" saddr=10.0.2.15 src=39898 daddr=10.0.2.15 dest=26112 netif=lo

Change-Id: Id6ee685555d68df90ec226847e7d2c87c502333d
Signed-off-by: Dongkyun Son <dongkyun.s@samsung.com>

4 years ago Merge "Add IPv6 configuration for internet privilege" into tizen submit/tizen/20210602.093717
Tomasz Swierczek [Wed, 2 Jun 2021 09:30:30 +0000 (09:30 +0000)]
Merge "Add IPv6 configuration for internet privilege" into tizen

4 years ago Add deviced-request-shutdown@.service 07/259007/2 accepted/tizen/unified/20210601.135336 submit/tizen/20210531.203739
Jin-gyu Kim [Mon, 31 May 2021 19:50:33 +0000 (04:50 +0900)]
Add deviced-request-shutdown@.service

- Requested by SECSFV-200

Change-Id: I9487efef589b4987aae50559838df21f0a9bae8c

4 years ago Add IPv6 configuration for internet privilege 86/258686/1
Tomasz Swierczek [Mon, 24 May 2021 07:54:36 +0000 (09:54 +0200)]
Add IPv6 configuration for internet privilege

Change-Id: I12b260cecb8352dc7dc9f943f2824d4639da8028

4 years ago Add audio-aec.service to all profiles. 96/257896/2 accepted/tizen/unified/20210507.010004 submit/tizen/20210506.063914
Jin-gyu Kim [Thu, 6 May 2021 05:56:37 +0000 (14:56 +0900)]
Add audio-aec.service to all profiles.

Requested by SECSFV-199

Change-Id: Ic040a99d69d2f670e152bc52313cab0476ddd0ca

4 years ago Add missing SMACK labelling cmd in change_permission. 12/257812/4 submit/tizen/20210503.084402
Jin-gyu Kim [Mon, 3 May 2021 08:13:19 +0000 (17:13 +0900)]
Add missing SMACK labelling cmd in change_permission.

This does not affect any operation, but the SMACK label needs to be reset
in case of any mismatch in SMACK label.

Change-Id: I0d6053c341d4070d25b7a0839ef439a4972ed424