platform/core/security/security-config.git
10 months ago Fix previously added isud.service accepted/tizen_6.0_unified tizen_6.0 accepted/tizen/6.0/unified/20231215.094401
Tomasz Swierczek [Wed, 13 Dec 2023 12:24:31 +0000 (13:24 +0100)]
Fix previously added isud.service

The request SECSFV-268 mixed systemd service file with DBus one.

Change-Id: Iedc6acf73b8307973c5415feca549b56df32c35f

10 months ago Add isud.service
Tomasz Swierczek [Tue, 12 Dec 2023 11:50:15 +0000 (12:50 +0100)]
Add isud.service

- DBus service - short-lived, on-demand activated service.
- SECSFV-268

Change-Id: I559ceb73ff706d5ebc026dd0e1dc105a180b3575

15 months ago Check services in ISU directories 44/295544/1
Mateusz Moscicki [Thu, 27 Apr 2023 11:14:41 +0000 (13:14 +0200)]
Check services in ISU directories

This patch adds verification of service files provided under the ISU
(Individual Service Upgrade) mechanism.

Change-Id: I86afe2cc5c99169c79976298498377a51b3182d6

2 years ago Add missing systemd service lists. 88/283188/1 accepted/tizen/6.0/unified/20221021.125144 submit/tizen_6.0/20221020.044533
Jin-gyu Kim [Mon, 17 Oct 2022 06:26:39 +0000 (15:26 +0900)]
Add missing systemd service lists.

Change-Id: I09237ecdd414d8463b7f82b1ef477a97cb5260cb

2 years ago Do not check profile info while running systemd unit test. 27/283027/1
Jin-gyu Kim [Mon, 17 Oct 2022 02:20:25 +0000 (11:20 +0900)]
Do not check profile info while running systemd unit test.

- If invalid systemd units exist, move them in every profile.

Change-Id: Ie4bc762f0d6e57fba0af41240b876300f1d04b5a

2 years ago Add priv_platform group. 62/267562/1 accepted/tizen/6.0/unified/20211208.121643 submit/tizen_6.0/20211207.191536
Jin-gyu Kim [Wed, 25 Aug 2021 02:16:24 +0000 (11:16 +0900)]
Add priv_platform group.

- Mapped with http://tizen.org/privilege/internal/default/platform

Change-Id: I614421b9e13cc65bf6800f011b2f84dadbc935b7

3 years ago Remove an unnecessary capability. 89/263789/1 accepted/tizen/6.0/unified/20210913.102320 submit/tizen_6.0/20210910.052738
Jin-gyu Kim [Fri, 3 Sep 2021 23:08:00 +0000 (08:08 +0900)]
Remove an unnecessary capability.

- cap_fowner is not needed for pkgmgr-server.

Change-Id: I605f138f51a1e0bb68f524697d7e72ef8b9d70fb

3 years ago Add capabilities for res-copy 88/263788/1
Yunjin Lee [Wed, 1 Sep 2021 08:59:30 +0000 (17:59 +0900)]
Add capabilities for res-copy

- cap_chown, cap_dac_override and cap_fowner are required to change
  copied resources' ownership (root:priv_platform). pkgmgr-server
  fork-execs it, hence give cap_fowner to pkgmgr-server and give
  ie for those caps to res-copy.

Change-Id: I951d5bfe4b17a66f871ec60ff935da8670850d18
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

3 years ago Add deviced-request-shutdown@.service 08/259008/1 accepted/tizen/6.0/unified/20210601.135418 submit/tizen_6.0/20210531.035723 submit/tizen_6.0/20210531.203729
Jin-gyu Kim [Mon, 31 May 2021 19:50:33 +0000 (04:50 +0900)]
Add deviced-request-shutdown@.service

- Requested by SECSFV-200

Change-Id: I9487efef589b4987aae50559838df21f0a9bae8c

3 years ago Add missing SMACK labelling cmd in change_permission. 15/257815/1 accepted/tizen/6.0/unified/20210504.115215 submit/tizen_6.0/20210503.084411
Jin-gyu Kim [Mon, 3 May 2021 08:13:19 +0000 (17:13 +0900)]
Add missing SMACK labelling cmd in change_permission.

This does not affect any operation, but we need to reset the SMACK label
for any mismatch in SMACK label.

Change-Id: I0d6053c341d4070d25b7a0839ef439a4972ed424

3 years ago Do not use rpm command in set_capability 14/257814/1
Jin-gyu Kim [Mon, 3 May 2021 05:34:25 +0000 (14:34 +0900)]
Do not use rpm command in set_capability

The "rpm" command does not exist in some cases.
Instead of using it, check a specific file path to determine whether a certain
rpm is installed or not.

Change-Id: I6f5fda1cd35cac3bc039c5b4e008b28eafdeb1c1

3 years ago Create a new script for setting permissions. 64/257364/3 accepted/tizen/6.0/unified/20210427.155130 submit/tizen_6.0/20210423.071547 submit/tizen_6.0/20210426.005308
Jin-gyu Kim [Fri, 23 Apr 2021 05:31:51 +0000 (14:31 +0900)]
Create a new script for setting permissions.

This script needs to be run while image is being created or updated.
(After in-house applications are installed.)
We could consider it to be run in security-config service, but it will
increase the 1st boot time.

Change-Id: I5a11dd720ea46ae69b1acc6be09305c74fb39292

3 years ago Give cap_mac_admin to wrt-service 71/251571/1 accepted/tizen/6.0/unified/20210118.072718 submit/tizen_6.0/20210115.062230
jin-gyu.kim [Fri, 15 Jan 2021 03:55:27 +0000 (12:55 +0900)]
Give cap_mac_admin to wrt-service

- "eip" option is applied, but restricted to use by only chromium-efl app.

Change-Id: I025a3c34c84179d4986c25216288a088c555c4bf

3 years ago Give cap_kill to sdbd & sdbd-service. 98/249398/1 accepted/tizen/6.0/unified/20201215.112448 submit/tizen_6.0/20201211.061259 submit/tizen_6.0/20201214.010123
jin-gyu.kim [Fri, 11 Dec 2020 06:00:35 +0000 (15:00 +0900)]
Give cap_kill to sdbd & sdbd-service.

Change-Id: I68ec6f1d95857f797d582eabde9581165e944ce2

3 years ago Add FOTA script to apply privilege mapping changes 55/246755/1 accepted/tizen/6.0/unified/20201109.024721 submit/tizen_6.0/20201105.054021
Yunjin Lee [Wed, 21 Oct 2020 10:22:32 +0000 (19:22 +0900)]
Add FOTA script to apply privilege mapping changes

4.0
- native systemsettings.admin -> core systemsettings.admin
- web filesystem.read -> core systemsettings.admin
- web filesystem.write -> core systemsettings.admin
- web setting -> core systemsettings.admin
- web networkbearerselection -> core network.set

5.5
- native systemsettings.admin -> core systemsettings.admin,
                                      internal/buxton/systemsettings
- web filesystem.read -> core filesystem.read
- web filesystem.write -> core filesystem.write
- web setting -> core internal/buxton/systemsettings

6.0
- web networkbearerselection -> core network.set,
                                     network.route

Change-Id: I5f69666cb3774fd2bba2c175e3df327b15d1f3ed
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

3 years ago Add emergency-target-holder.service 78/246678/1 accepted/tizen/6.0/unified/20201109.024705 submit/tizen_6.0/20201103.055512
jin-gyu.kim [Tue, 27 Oct 2020 01:29:48 +0000 (10:29 +0900)]
Add emergency-target-holder.service

Change-Id: I8cad5e7059a7831bfd1a72aea7734d71c5dae1ef

4 years ago Fix typo in netlabel_config. 93/245793/1 accepted/tizen_6.0_unified_hotfix tizen_6.0_hotfix accepted/tizen/6.0/unified/20201030.114917 accepted/tizen/6.0/unified/hotfix/20201103.004337 accepted/tizen/unified/20201016.015203 submit/tizen/20201016.010710 submit/tizen_6.0/20201029.205104 submit/tizen_6.0_hotfix/20201102.192504 submit/tizen_6.0_hotfix/20201103.114804 tizen_6.0.m2_release
jin-gyu.kim [Fri, 16 Oct 2020 00:49:08 +0000 (09:49 +0900)]
Fix typo in netlabel_config.

Change-Id: I1ea188fd6765520dd99c4b025b0c322420c10a94

4 years ago Update path check exception list 44/245244/1 accepted/tizen/unified/20201013.023225 submit/tizen/20201006.034802
Yunjin Lee [Tue, 6 Oct 2020 01:50:29 +0000 (10:50 +0900)]
Update path check exception list

- Add the following:
    /usr/share/icu/65.1/install-sh
    /usr/share/icu/65.1/mkinstalldirs

Change-Id: I73c3fcaf9bb89d20fb3edfa78f6f19e2132dc5b8
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

4 years ago Update path check exception list 78/245178/1 accepted/tizen/unified/20201005.101359 submit/tizen/20201005.072135
Yunjin Lee [Mon, 5 Oct 2020 06:21:56 +0000 (15:21 +0900)]
Update path check exception list

- Add the following:
    /usr/bin/strace-log-merge
    /usr/bin/gdb-add-index
    /usr/bin/gcore

Change-Id: I952feb03bf409287091425e1efbe553009048bd2
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

4 years ago Add exception list for path check test. 22/245022/1 accepted/tizen/unified/20201005.010024 submit/tizen/20200929.075822
jin-gyu.kim [Tue, 29 Sep 2020 07:34:10 +0000 (16:34 +0900)]
Add exception list for path check test.

Add the scripts below to the exception lists.
/usr/share/upgrade/scripts/600.gpsd.patch.sh
/opt/etc/dump.d/module.d/dump_gpsd.sh

Change-Id: I2d02bb5fdcff9fe011687d301bcb8f4074e372ba

4 years ago Launch all apps when running SMACK rule test. 41/244941/1 submit/tizen/20200928.074137
jin-gyu.kim [Mon, 28 Sep 2020 07:15:03 +0000 (16:15 +0900)]
Launch all apps when running SMACK rule test.

- Some SMACK rules are dynamically added while launching apps.
- To compare all SMACK rules, launch all apps before running the security test.

Change-Id: I562d2bafaab0ea2dffdeaecfc41f85bfb8e04e09

4 years ago Merge "Modify netlabel to support privilege-smack mapping." into tizen
Kim Kidong [Thu, 24 Sep 2020 02:21:34 +0000 (02:21 +0000)]
Merge "Modify netlabel to support privilege-smack mapping." into tizen

4 years ago Change smack label of tlm.service (User -> System) 12/244412/1 accepted/tizen/unified/20200921.042436 submit/tizen/20200918.074817
Kidong Kim [Fri, 18 Sep 2020 08:00:59 +0000 (17:00 +0900)]
Change smack label of tlm.service (User -> System)

Change-Id: Ic0f90d5790c98c024aad655058aceb13cfa27edc

4 years ago Give capabilities to sdbd-service 70/243670/1 accepted/tizen/unified/20200910.123949 accepted/tizen/unified/20200911.143455 submit/tizen/20200909.061047 submit/tizen/20200909.080622
Kidong Kim [Wed, 9 Sep 2020 04:55:26 +0000 (13:55 +0900)]
Give capabilities to sdbd-service

Change-Id: I2f5c72c66eb53dbad5442dc2c8341b4c98198287

4 years ago Give capabilities to support update-control. 50/243350/1 accepted/tizen/unified/20200909.155611 submit/tizen/20200907.025654
jin-gyu.kim [Mon, 7 Sep 2020 02:45:28 +0000 (02:45 +0000)]
Give capabilities to support update-control.

- cap_sys_admin to /usr/bin/update-manager
- cap_dac_override to /usr/sbin/img-verifier

Change-Id: I97330c8ba642e34bbff97b800bebc1faa95107d9

4 years ago Add system_fw to disk group. 04/243104/1 submit/tizen/20200903.072814
jin-gyu.kim [Thu, 3 Sep 2020 06:23:31 +0000 (06:23 +0000)]
Add system_fw to disk group.

- To support OS upgrade with removable storage.
- Upgrade trigger script needs to ramdisk-recovery under /dev.

Change-Id: I60eb8465b7bf37d0b92984b70d65cec07c422e43

4 years ago Add ramdisk-flush service. 85/242385/1 accepted/tizen/unified/20200828.121616 submit/tizen/20200826.073249
jin-gyu.kim [Wed, 26 Aug 2020 06:42:47 +0000 (06:42 +0000)]
Add ramdisk-flush service.

- Add cap_sys_admin to /usr/sbin/blockdev

Change-Id: Iab2897f172d8ab93114696a07861ff7496b2f828

4 years ago Modify netlabel to support privilege-smack mapping. 37/242237/3
jin-gyu.kim [Tue, 25 Aug 2020 06:40:13 +0000 (06:40 +0000)]
Modify netlabel to support privilege-smack mapping.

- 10.0.2.2, 10.0.2.16 and 192.168.129.3 for appdebugging privilege.
- All other IPs for internet privilege.

Change-Id: Ic4723bd35b63ff6aed1852b46bf65f4a7a038b19

4 years ago Add tizen-theme-manager.service to all profiles. 20/242220/1 accepted/tizen/unified/20200826.133105 submit/tizen/20200825.054752
jin-gyu.kim [Tue, 25 Aug 2020 05:12:04 +0000 (05:12 +0000)]
Add tizen-theme-manager.service to all profiles.

Change-Id: I52d2776b82207f760555e2bd3a4722dc45b7da7d

4 years ago Merge "Change Smack label fro crash-service to System::Privileged" into tizen accepted/tizen/unified/20200824.030005 submit/tizen/20200820.145124 submit/tizen/20200821.053252
Jin-gyu Kim [Fri, 21 Aug 2020 05:19:04 +0000 (05:19 +0000)]
Merge "Change Smack label fro crash-service to System::Privileged" into tizen

4 years ago Add capi-ui-gesture.service to wearable profile 88/241888/1
Sungwook Park [Thu, 20 Aug 2020 12:24:43 +0000 (21:24 +0900)]
Add capi-ui-gesture.service to wearable profile

Change-Id: I2d79fd2d36f20f50a8cd67113e0783462b090dc2
Signed-off-by: Sungwook Park <sungwook79.park@samsung.com>

4 years ago Change Smack label fro crash-service to System::Privileged 70/241470/1
Mateusz Moscicki [Thu, 20 Aug 2020 10:18:44 +0000 (12:18 +0200)]
Change Smack label fro crash-service to System::Privileged

The System::Privileged label is needed because on newer kernels (>=
4.20) it's not possible to read/ptrace processes listed in onlycap set.
Crash-service needs the right to do ptrace to correctly generate
reports.

Change-Id: Iad849f0b11eb3eece8d537fd2856daf59ffe757c

4 years ago Add cap_net_raw to bluetooth-meshd 37/241137/1 accepted/tizen/unified/20200819.035935 submit/tizen/20200818.003628
jin-gyu.kim [Tue, 18 Aug 2020 00:26:43 +0000 (00:26 +0000)]
Add cap_net_raw to bluetooth-meshd

Change-Id: I7c69b3a6774b77daa0a728c9e41da7f7c6b8c354

4 years ago Refactor capability test. 17/240417/2
jin-gyu.kim [Thu, 6 Aug 2020 07:08:39 +0000 (07:08 +0000)]
Refactor capability test.

- Do not refer to the capability exception list.
- Read set_capability script then generate allowed lists automatically.

Change-Id: I4dbb2f2c71dce91b0f2f2ba99c59c67dcac74105

4 years ago Add engine-loader.service 55/240155/2 accepted/tizen/unified/20200805.122517 submit/tizen/20200804.071109
jin-gyu.kim [Tue, 4 Aug 2020 05:01:31 +0000 (05:01 +0000)]
Add engine-loader.service

Change-Id: I4904f8ec285da5e6a77e838012a2b9695ec920d8

4 years ago Merge "add peripheral-bus.service to all targets/emulators" into tizen submit/tizen/20200724.041835
Jin-gyu Kim [Fri, 24 Jul 2020 04:06:48 +0000 (04:06 +0000)]
Merge "add peripheral-bus.service to all targets/emulators" into tizen

4 years ago Give cap_dac_override to /usr/bin/peripheral-bus 18/239318/1
jin-gyu.kim [Fri, 24 Jul 2020 01:07:49 +0000 (01:07 +0000)]
Give cap_dac_override to /usr/bin/peripheral-bus

Change-Id: I463917631ed78c085086c2ca00278a82cb2d8000

4 years ago add peripheral-bus.service to all targets/emulators 61/237761/3
Konrad Kuchciak [Fri, 3 Jul 2020 08:21:39 +0000 (10:21 +0200)]
add peripheral-bus.service to all targets/emulators

Change-Id: Iae2e109c8c7a481c6f40d9d2a5faf3d11ad78da0

4 years ago Add capabilities to pkg_recovery & unified-backend 88/238588/1 accepted/tizen/unified/20200716.144605 submit/tizen/20200716.021757
jin-gyu.kim [Wed, 15 Jul 2020 09:01:36 +0000 (18:01 +0900)]
Add capabilities to pkg_recovery & unified-backend

- cap_chown, cap_dac_override and cap_fowner are added.

Change-Id: I196e985101b4b24ec59f12b4541dff4be0511645

4 years ago add system-update-cleanup.service and fix capability exception 72/236772/2 accepted/tizen/unified/20200623.124133 submit/tizen/20200622.064032
Kidong Kim [Mon, 22 Jun 2020 04:49:17 +0000 (13:49 +0900)]
add system-update-cleanup.service and fix capability exception

Change-Id: I92ca69292c00c14212d8a54e872b91df62b8b9ef

4 years ago add systemd-boot-check-no-failures.service to all targets/emulators 29/236629/1 submit/tizen/20200619.051215
Kidong Kim [Fri, 19 Jun 2020 02:25:33 +0000 (11:25 +0900)]
add systemd-boot-check-no-failures.service to all targets/emulators

Change-Id: I0740613a3d3822387855e0f29e6cbef2c8b8c125

4 years ago add setup-adaptor.service to iot profile (target only) 40/236240/1 accepted/tizen/unified/20200617.055816 submit/tizen/20200616.040400
Kidong Kim [Tue, 16 Jun 2020 02:09:17 +0000 (11:09 +0900)]
add setup-adaptor.service to iot profile (target only)

Change-Id: Iab754ddbbe072642f5c1726fc7a0d65424fce369

4 years ago exclude *.dll files from ASLR test 37/235937/1 accepted/tizen/unified/20200616.170956 submit/tizen/20200615.072038
Kidong Kim [Thu, 11 Jun 2020 06:40:28 +0000 (15:40 +0900)]
exclude *.dll files from ASLR test

Change-Id: I37c78839d2a6d77afb48e347516eb7e19401fe0a

4 years ago add update-manager.service to iot profile 27/235727/1 accepted/tizen/unified/20200612.145005 submit/tizen/20200611.040302
Kidong Kim [Tue, 9 Jun 2020 06:35:10 +0000 (15:35 +0900)]
add update-manager.service to iot profile

Change-Id: Ia996423d2fe0d856c24025bc61a0891c01f85341

4 years ago Add nan-manager.service to IoT profiles 25/235725/1
jin-gyu.kim [Tue, 9 Jun 2020 06:35:59 +0000 (15:35 +0900)]
Add nan-manager.service to IoT profiles

Change-Id: I6535b3224ee76aa78bddae852e2976dd7c3b11cf

4 years ago add some files to capability exception list 91/235691/1
Kidong Kim [Tue, 9 Jun 2020 02:47:46 +0000 (11:47 +0900)]
add some files to capability exception list

Change-Id: I72f84db83b6e4bd6df408517ed2b61ec709f3635

4 years ago Security-test: Ignore target that will not be included in the image 86/235686/1
Yunjin Lee [Tue, 9 Jun 2020 02:13:47 +0000 (11:13 +0900)]
Security-test: Ignore target that will not be included in the image

- qemu-aarch64

Change-Id: I13855bfafb784459e346e9f1f9bf2f0997cd6aed
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>

4 years ago Revert "revert unreviewed patch" 24/235624/1 accepted/tizen/unified/20200610.015551 submit/tizen/20200608.075218
Kim Kidong [Mon, 8 Jun 2020 06:52:12 +0000 (06:52 +0000)]
Revert "revert unreviewed patch"

This reverts commit 0d0fddfeaf03675527c442f8307aa8773d5fb2da.

Change-Id: I9ecff7e9a08e05f0eb2314b522d748c9c291111d

4 years ago revert unreviewed patch 22/235622/1
Kidong Kim [Mon, 8 Jun 2020 06:42:34 +0000 (15:42 +0900)]
revert unreviewed patch

Change-Id: I17e1003c49e0fa1fef21a488ff80497f4e3d30f3

4 years ago add bluetooth-meshd configuration
Kidong Kim [Mon, 8 Jun 2020 06:23:10 +0000 (15:23 +0900)]
add bluetooth-meshd configuration

4 years ago Merge "Use tizen-build.conf to distinguish a profile" into tizen accepted/tizen/unified/20200601.051601 submit/tizen/20200507.072454 submit/tizen/20200528.070044 submit/tizen/20200529.013437
Jin-gyu Kim [Thu, 7 May 2020 04:45:41 +0000 (04:45 +0000)]
Merge "Use tizen-build.conf to distinguish a profile" into tizen

4 years ago Use tizen-build.conf to distinguish a profile 01/232201/1
jin-gyu.kim [Wed, 29 Apr 2020 04:50:34 +0000 (13:50 +0900)]
Use tizen-build.conf to distinguish a profile

- Check profile info before moving failed lists of systemd units.

Change-Id: Iebc30d76a1ee5d007ef810c3c92c9de62213188c

4 years ago Add IoT headed / IoT headless profiles. 76/232176/1
jin-gyu.kim [Wed, 29 Apr 2020 02:08:13 +0000 (11:08 +0900)]
Add IoT headed / IoT headless profiles.

- IoT headed : Enable askuser, Install IoT service lists
- IoT headless : Disable askuser, Install IoT service lists

TODO : Check IoT specific service lists later.

Change-Id: I759cea1b85a18b7b750a08d5927ce17dcc7d7c81

4 years ago Add priv_appdebugging group ID. 33/231633/1 accepted/tizen/unified/20200423.161058 submit/tizen/20200423.065713
jin-gyu.kim [Thu, 23 Apr 2020 06:47:29 +0000 (15:47 +0900)]
Add priv_appdebugging group ID.

Change-Id: I972eaec1e8cda66fd9ef9d080bd2102b80fee381

4 years ago Fix capability to dotnet executables 17/230517/1 accepted/tizen/unified/20200413.070822 submit/tizen/20200410.075941
Hyungju Lee [Fri, 10 Apr 2020 07:39:46 +0000 (16:39 +0900)]
Fix capability to dotnet executables

- dotnet-loader, dotnet-hydra-loader, dotnet

Change-Id: I821251574d70e4c34bb969b39ffd927d85c0bf53

4 years ago Add nan-manager.service 80/230480/2 submit/tizen/20200410.060235
jin-gyu.kim [Fri, 10 Apr 2020 05:50:47 +0000 (14:50 +0900)]
Add nan-manager.service

- network_fw / network_fw / System
- cap_net_admin & cap_net_raw are added.

Change-Id: Ib0d6f74ae772053642493bd6563f54f23887a919

4 years ago Add capability to dotnet executables 89/230389/1 submit/tizen/20200410.010850 submit/tizen/20200410.050711
Woongsuk Cho [Thu, 9 Apr 2020 23:54:43 +0000 (08:54 +0900)]
Add capability to dotnet executables

- dotnet-loader, dotnet-hydra-loader, dotnet

Change-Id: Ibfbf2c2d051ad16e3cc4755f788f00ccac3b9c84

4 years ago Add smartreply.service to Mobile and Common 19/229719/1 accepted/tizen/unified/20200406.133152 submit/tizen/20200403.052058
Sungwook Park [Fri, 3 Apr 2020 04:37:06 +0000 (13:37 +0900)]
Add smartreply.service to Mobile and Common

Change-Id: Ic509286eaccf91eaf9e28ad6671d60f47ab31e9f
Signed-off-by: Sungwook Park <sungwook79.park@samsung.com>

4 years ago Add user-runtime-dir@.service 06/229706/1 submit/tizen/20200403.032411
jin-gyu.kim [Fri, 3 Apr 2020 03:20:01 +0000 (12:20 +0900)]
Add user-runtime-dir@.service

- root / root / System::Privileged
- It was a part of systemd-logind.service, now separated.

Change-Id: I7c079af0488b270478107e7b542a4d69d9f9d426

4 years ago Add modes.service 67/229267/1 accepted/tizen/unified/20200402.002821 submit/tizen/20200331.014017
jin-gyu.kim [Tue, 31 Mar 2020 01:07:34 +0000 (10:07 +0900)]
Add modes.service

- system_fw / system_fw / System permissions

Change-Id: Ia44c6ec69eeb54a20ecd90de65050d2e0d9cbf34

4 years ago Add dumpysys-service.service 87/227487/1 accepted/tizen/unified/20200316.220955 submit/tizen/20200310.154349 submit/tizen/20200313.114712
jin-gyu.kim [Thu, 12 Mar 2020 07:03:31 +0000 (16:03 +0900)]
Add dumpysys-service.service

- log / log / System permissions

Change-Id: I9c18722a14b9b9c716e1990e08b3929568845a80

4 years ago Add scmirroring.server.service 94/226394/1 accepted/tizen/unified/20200306.040230 submit/tizen/20200303.081056 submit/tizen/20200304.002151 submit/tizen/20200304.234738
jin-gyu.kim [Mon, 2 Mar 2020 08:43:59 +0000 (17:43 +0900)]
Add scmirroring.server.service

- multimedia_fw / multimedia_fw / System permissions.

Change-Id: I971779804aa3e37f614f542ba57c60b926f49369

4 years ago Add capability for the app-defined-loader 52/225852/3 accepted/tizen/unified/20200226.124315 submit/tizen/20200225.045152
hyunho [Tue, 25 Feb 2020 04:05:57 +0000 (13:05 +0900)]
Add capability for the app-defined-loader

Change-Id: I3586503e0c83cc35ae6321cf1b4bdd63b0e09297
Signed-off-by: hyunho <hhstark.kang@samsung.com>

4 years ago Add mtp-responder-dummy.service 23/225323/1 accepted/tizen/unified/20200220.122429 submit/tizen/20200218.230813 submit/tizen/20200221.002149
jin-gyu.kim [Wed, 19 Feb 2020 05:52:32 +0000 (14:52 +0900)]
Add mtp-responder-dummy.service

- network_fw / network_fw / System permission
- systemd socket unit : mtp-responder-dummy.socket

Change-Id: I858147652b2cdaaad28ce664e3e8b343c44cea36

4 years ago Enable move_systemd_unit for dbus & systemd socket also. 96/225296/1
jin-gyu.kim [Wed, 19 Feb 2020 01:58:40 +0000 (10:58 +0900)]
Enable move_systemd_unit for dbus & systemd socket also.

- Failed dbus & systemd socket units will be moved to not permitted path.
- Add tts related dbus services to the exception list.

Change-Id: Ida83ef56aa1906da9661d2b1e06ab838a627eb97

4 years ago Fix not deleting systemd list files in the post script. 72/225172/1 accepted/tizen/unified/20200219.130228 submit/tizen/20200218.043728
jin-gyu.kim [Tue, 18 Feb 2020 04:10:21 +0000 (13:10 +0900)]
Fix not deleting systemd list files in the post script.

- When an image is being created, systemd list files are not overridden with
  those in each profile RPM.
- The detailed reason has not been found, because there is no problem if RPMs are installed
  manually at run time.
- By the way, this issue can be addressed by not deleting files in the post script.

Change-Id: If451950c13daf67ef1b1fe7f42794a94502ca1e1

4 years ago Run systemd unit tests for common profile also. 92/224192/1 accepted/tizen/unified/20200210.131817 submit/tizen/20200207.093609
jin-gyu.kim [Fri, 7 Feb 2020 04:53:10 +0000 (13:53 +0900)]
Run systemd unit tests for common profile also.

- For common profile, use the same list in mobile profile.
- It will not disable systemd unit, just for checking the status.
- Failed lists will be disabled later.

Change-Id: Ia0c9a1a07092e3dbc23c1a88fa8ba82008389d64

4 years ago Run aslr test in all profiles. 73/224073/2 accepted/tizen/unified/20200207.122401 submit/tizen/20200206.064637
jin-gyu.kim [Thu, 6 Feb 2020 05:56:21 +0000 (14:56 +0900)]
Run aslr test in all profiles.

- Previously, aslr test was executed only for mobile / wearable.
- Now, make it run for all profiles, but execute permission is retrieved
  only in case of mobile / wearable profiles.

Change-Id: I291866495ae5db0fdaf77af47fc87fb770e4669d

4 years ago Use readelf instead of execstack for DEP test 11/223611/3 accepted/tizen/unified/20200206.123530 submit/tizen/20200203.014719 submit/tizen/20200204.035833 submit/tizen/20200205.042003
jin-gyu.kim [Fri, 31 Jan 2020 06:59:44 +0000 (15:59 +0900)]
Use readelf instead of execstack for DEP test

- execstack can give an execute permission, so it may need to be removed.

Change-Id: Idcc53b495b7797dbbf26004c98847c1676764d30

4 years ago Add wait-mount@opt-usr.service 98/222698/1 accepted/tizen/unified/20200121.121517 submit/tizen/20200120.015914
jin-gyu.kim [Fri, 17 Jan 2020 08:22:03 +0000 (17:22 +0900)]
Add wait-mount@opt-usr.service

- system_fw / system_fw / System permissions
- Added for emulator profiles

Change-Id: I9b93f11dfa76dda49897fbc2f2655f8bae456604

4 years ago Fix typo in systemd service list. 14/220214/1 accepted/tizen/unified/20191217.122951 submit/tizen/20191216.064559
jin-gyu.kim [Mon, 16 Dec 2019 04:51:30 +0000 (13:51 +0900)]
Fix typo in systemd service list.

Change-Id: I7a3ea651198b06072ecb46480159b6cf8af1ba06

4 years ago Merge "systemd service test" into tizen submit/tizen/20191212.081042
Kim Kidong [Thu, 12 Dec 2019 08:04:18 +0000 (08:04 +0000)]
Merge "systemd service test" into tizen

4 years ago systemd service test 16/217416/9
jin-gyu.kim [Mon, 11 Nov 2019 10:27:05 +0000 (19:27 +0900)]
systemd service test

- Check systemd service / systemd socket / dbus service
- Disable moving not permitted systemd socket & dbus service for now.
- "Exec*=" should not have any of the prefixes "!", "!!" and "+".

Change-Id: Icaf728cf7b2f9b1915e8792e297e8106054beac3

4 years ago Change UID / GID for stablity_monitor & crash_worker 11/219811/2
jin-gyu.kim [Tue, 10 Dec 2019 07:44:31 +0000 (16:44 +0900)]
Change UID / GID for stablity_monitor & crash_worker

- Generally, UID / GID for system daemons need to be set below 2000.
- For System Domain, range should be set as 200-249.

Change-Id: I1b54302e08d542460c0bc277e5793b21d80a8c5d

4 years ago Add clat.service 18/218618/1 accepted/tizen/unified/20191127.141720 accepted/tizen/unified/20191128.001525 accepted/tizen/unified/20191204.130702 submit/tizen/20191126.081457 submit/tizen/20191126.105153 submit/tizen/20191204.024545
jin-gyu.kim [Tue, 26 Nov 2019 05:53:01 +0000 (14:53 +0900)]
Add clat.service

- network_fw / network_fw / System permissions
- cap_net_admin To create and configure interface, modify routing tables
- cap_net_raw To open raw socket
- cap_ipc_lock clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks capable(CAP_IPC_LOCK)
- cap_setuid To forge UID when passing socket credentials via UNIX domain sockets
- cap_setgid To forge GID when passing socket credentials via UNIX domain sockets

Change-Id: Ie36a2d060215d27374fa0fd6e9a78a442fb9453b

4 years ago Add dlog_cleanup.service 02/218302/1 accepted/tizen/unified/20191128.162008 submit/tizen/20191121.124127 submit/tizen/20191122.132437 submit/tizen/20191126.094154
jin-gyu.kim [Thu, 21 Nov 2019 07:07:23 +0000 (16:07 +0900)]
Add dlog_cleanup.service

log / log / System permissions.

Change-Id: I2ed9268e5019d34e8ac9a111ced2a330091687c5

4 years ago Add user and group for stability-monitor 17/217217/2
Konrad Kuchciak [Thu, 7 Nov 2019 14:28:54 +0000 (15:28 +0100)]
Add user and group for stability-monitor

Change-Id: Iefc6b75d22741e76a039b78d6d862122d7443bd1

4 years ago Add stability-monitor.service 60/214260/3
Konrad Kuchciak [Thu, 19 Sep 2019 09:51:46 +0000 (11:51 +0200)]
Add stability-monitor.service

Change-Id: I409bc3116175317f2bca3c2d38dabb89c2ac2dd1

4 years ago Merge "Change crash-service as non root." into tizen
Jin-gyu Kim [Thu, 21 Nov 2019 05:10:43 +0000 (05:10 +0000)]
Merge "Change crash-service as non root." into tizen

4 years ago Change crash-service as non root. 63/218063/3
jin-gyu.kim [Tue, 19 Nov 2019 07:06:09 +0000 (16:06 +0900)]
Change crash-service as non root.

- crash_worker / crash_worker / System permissions needed.
- This will require following capabilities.

setcap cap_dac_override,cap_kill,cap_sys_ptrace=ei /bin/crash-manager
   cap_dac_override - create directory
   cap_kill - send signals to processes
   cap_sys_ptrace - read /proc/<pid>/ files

setcap cap_dac_override,cap_kill,cap_sys_ptrace=ei /bin/crash-service
   cap_dac_override - create directory
   cap_kill - send signals to processes
   cap_sys_ptrace - read /proc/<pid>/ files

setcap cap_dac_read_search,cap_sys_ptrace=ei /sbin/minicoredumper
   cap_dac_read_search - access to read any binary file
   cap_sys_ptrace - read /proc/<pid>/ files

setcap cap_syslog=ei /bin/dlogutil
    cap_syslog is needed because android logger returns incorrect values without this capability (this is a bug in the kernel driver).

setcap cap_dac_override=ei /bin/buxton2ctl
    buxton2ctl needs access to write to /run/buxton2/ directory

setcap cap_dac_override,cap_kill,cap_sys_ptrace+ei /bin/livedumper
   cap_dac_override  - create livedump/ directory to
   cap_sys_ptrace - read /proc/<pid>/ files

setcap cap_dac_read_search,cap_sys_ptrace=ei /usr/libexec/crash-stack
   reads /proc/<pid>/{maps, task, status}, and all binary files

setcap cap_dac_read_search,cap_sys_ptrace=ei /bin/memps
   reads files from /proc/ and /sys/

setcap cap_sys_ptrace=ei /bin/top
   read /proc/<pid>/files

setcap cap_dac_read_search=ei /bin/df
   counting of disk space usage (eg /opt/usr/home/owner/media)

setcap cap_dac_read_search=ei /bin/du

Change-Id: I0073cf19f717855941b317fa1ec6b6af5793d869

4 years ago Give capabilities to stability-monitor 78/218178/1
jin-gyu.kim [Wed, 20 Nov 2019 06:23:16 +0000 (15:23 +0900)]
Give capabilities to stability-monitor

cap_sys_ptrace        To attach in process and readlink for working
cap_sys_module        To load/unload kernel module
cap_kill              To kill processes

Change-Id: Iac3d91ed4ee647609b029c5ecae4171e8282770f

4 years ago Add dummyasm.service 75/217875/1 accepted/tizen/unified/20191119.083943 submit/tizen/20191118.060330
jin-gyu.kim [Fri, 15 Nov 2019 06:26:42 +0000 (15:26 +0900)]
Add dummyasm.service

- service_fw / service_fw / System permission

Change-Id: Ief511d2a5ccc1696cd62a621883922c4853d4694

4 years ago Add smartreply.service to wearable target 48/217648/1 accepted/tizen/unified/20191115.083913 submit/tizen/20191114.052118
Sungwook Park [Wed, 13 Nov 2019 06:19:58 +0000 (15:19 +0900)]
Add smartreply.service to wearable target

Change-Id: I3ce472946d1a816379bf5eba3a54487cb474f61c
Signed-off-by: Sungwook Park <sungwook79.park@samsung.com>

4 years ago Add smartcard-service.service 97/217597/1 accepted/tizen/unified/20191114.123456 submit/tizen/20191113.042706 submit/tizen/20191113.095843
jin-gyu.kim [Wed, 13 Nov 2019 02:37:32 +0000 (11:37 +0900)]
Add smartcard-service.service

- network_fw / network_fw / System permissions

Change-Id: I37d44736e416d2971d704ee088c84ff8b4cf7a95

4 years ago Fix typo. 67/217367/1 accepted/tizen/unified/20191112.033929 submit/tizen/20191111.033718
jin-gyu.kim [Mon, 11 Nov 2019 03:34:06 +0000 (12:34 +0900)]
Fix typo.

- Add missing "fi" in "if-then-fi".

Change-Id: I21ca8c61b7c841279b49078a97770e8b0d382bd5

4 years ago Add capability to dotnet-hydra-launcher 82/217082/2 accepted/tizen/unified/20191108.065927 submit/tizen/20191106.083239
Woongsuk Cho [Wed, 6 Nov 2019 06:36:08 +0000 (15:36 +0900)]
Add capability to dotnet-hydra-launcher

Change-Id: I0ecab62e91bc1259517e791c2bf725386cbf6e3c

4 years ago Move key-manager script into key-manager package 10/216710/1 accepted/tizen/unified/20191106.124735 submit/tizen/20191105.052254
Dongsun Lee [Thu, 31 Oct 2019 04:23:50 +0000 (13:23 +0900)]
Move key-manager script into key-manager package

Change-Id: Ie426090e04b87af3c5cfaf9f58ca0ae37bafecbd
Signed-off-by: Dongsun Lee <ds73.lee@samsung.com>

4 years ago Add batterymonitor.service to wearable emulator 87/216187/1 accepted/tizen_5.5_unified_mobile_hotfix tizen_5.5_mobile_hotfix accepted/tizen/5.5/unified/20191031.023546 accepted/tizen/5.5/unified/mobile/hotfix/20201027.091013 accepted/tizen/unified/20191022.150251 submit/tizen/20191022.055821 submit/tizen_5.5/20191031.000004 submit/tizen_5.5_mobile_hotfix/20201026.185104 tizen_5.5.m2_release
jin-gyu.kim [Tue, 22 Oct 2019 05:57:13 +0000 (14:57 +0900)]
Add batterymonitor.service to wearable emulator

Change-Id: I627203644b7b2340eeb6ad334608ebee0c6ad7aa

5 years ago Add crash-service.service. 88/216088/1 submit/tizen/20191021.045321
jin-gyu.kim [Mon, 21 Oct 2019 04:14:43 +0000 (13:14 +0900)]
Add crash-service.service.

- root / root / System permissions
- It is too complicated to change to a non-root service, because too many tools are
related to this service.
- Need to consider again to retrieve root permissions later.

Change-Id: I03ace80d04b11e00ad9824aa26a9324afe7cff8e

5 years ago Merge "Support additional privilege-mount lists." into tizen accepted/tizen/unified/20191011.015403 submit/tizen/20191010.100323
Kim Kidong [Thu, 10 Oct 2019 06:52:51 +0000 (06:52 +0000)]
Merge "Support additional privilege-mount lists." into tizen

5 years ago Run central-key-manager service in the upgrade script. 19/215419/3 submit/tizen/20191008.051009
Dongsun Lee [Tue, 8 Oct 2019 04:27:18 +0000 (13:27 +0900)]
Run central-key-manager service in the upgrade script.

Change-Id: Ie6364b62132c321a7db7c9bf9abe834733c2b6c1
Signed-off-by: Dongsun Lee <ds73.lee@samsung.com>

5 years ago Support additional privilege-mount lists. 27/215027/2
jin-gyu.kim [Tue, 1 Oct 2019 05:34:42 +0000 (14:34 +0900)]
Support additional privilege-mount lists.

- Put additional lists in each profile to add privilege-mount list.
- These lists will be used in case lists cannot be added automatically
while creating an image. (ex : dev node)
- Currently only the mobile profile has this list. If needed, other profiles
can have it in a similar way.

Change-Id: Ia154121ea9a1343e6de67f0c18d1e1ca68fcb84e

5 years ago Add asp-manager.service 15/215315/1 accepted/tizen/unified/20191008.101556 submit/tizen/20191007.083447
jin-gyu.kim [Mon, 7 Oct 2019 04:43:01 +0000 (13:43 +0900)]
Add asp-manager.service

- network_fw / network_fw / System permissions.

Change-Id: I568826caee71c80c4c1ba7dc93ede56482dffa2e

5 years ago Merge "Add edge-orchestration services to wearable & tv profiles." into tizen accepted/tizen/unified/20191001.062535 submit/tizen/20190930.101952
Kim Kidong [Mon, 30 Sep 2019 09:56:46 +0000 (09:56 +0000)]
Merge "Add edge-orchestration services to wearable & tv profiles." into tizen

5 years ago Add edge-orchestration services to wearable & tv profiles. 74/214974/1
jin-gyu.kim [Mon, 30 Sep 2019 09:30:09 +0000 (18:30 +0900)]
Add edge-orchestration services to wearable & tv profiles.

Change-Id: Ieed4839904f8e0418275576a147c85c2ad0a0d9f

5 years ago Add rndis.service. 70/214970/1
jin-gyu.kim [Mon, 30 Sep 2019 08:29:09 +0000 (17:29 +0900)]
Add rndis.service.

- network_fw / network_fw / System permissions.

Change-Id: I2a3a2799de56562d678dc70535ec1284aaf1d9d4

5 years ago Fix typo error. 67/214567/1 accepted/tizen/unified/20190925.033607 submit/tizen/20190924.053526
jin-gyu.kim [Tue, 24 Sep 2019 05:28:09 +0000 (14:28 +0900)]
Fix typo error.

Change-Id: I19f8ad9d879c943367a8323d09bfd00321e749d5

5 years ago Add batterymonitor.service 31/214531/1 submit/tizen/20190924.013215
jin-gyu.kim [Tue, 24 Sep 2019 01:25:30 +0000 (10:25 +0900)]
Add batterymonitor.service

- service_fw / service_fw / System permissions.
- Add to wearable target.

Change-Id: Ifac9b4d9fa681b9f871e7ef08c9b5595a696e0d7

5 years ago Add bluetooth related services 40/214440/1 accepted/tizen/unified/20190924.062114 submit/tizen/20190923.054044
jin-gyu.kim [Mon, 23 Sep 2019 05:32:10 +0000 (14:32 +0900)]
Add bluetooth related services

- bluetooth-ag-agents / bluetooth-hf-agent / bluetooth-hid-agent / obex
- All services have network_fw / network_fw / System permissions.

Change-Id: Ief0edae83ccbbd073d0f752a3967dc0ee8cbacaa

5 years ago Add wifi-ready.service 93/214193/1 accepted/tizen/unified/20190920.065309 submit/tizen/20190919.042909
jin-gyu.kim [Thu, 19 Sep 2019 02:06:22 +0000 (11:06 +0900)]
Add wifi-ready.service

- network_fw / network_fw / System
- Installed by wearable plugin.

Change-Id: I7bf82141ddf06050e3788be69188ee494bb2a803