Jin-gyu Kim [Thu, 13 Oct 2022 07:27:31 +0000 (16:27 +0900)]
Fix a wrong service name.
- scmirroring.service -> scmirroring.server.service
Change-Id: I2518e4f49461ee117b8e0c47fef4c96a09f3c562
Jin-gyu Kim [Thu, 15 Sep 2022 07:04:58 +0000 (16:04 +0900)]
Add pass-resource-monitor.socket
Change-Id: Ie2d513796fe8422052322275137c19349ffdc88e
Jin-gyu Kim [Thu, 18 Aug 2022 08:00:25 +0000 (17:00 +0900)]
Add machine-learning-agent.service
Change-Id: I3525c8d4996d56da5c699637068c33167367c4a9
Jin-gyu Kim [Mon, 8 Aug 2022 06:45:49 +0000 (15:45 +0900)]
Check static linked binaries rather than including those in the list.
- Before : Specify static linked binaries in the exception list.
- With this : Check whether binaries are staic linked.
If so, do not check ASLR.
- Do not check "dll" and if the name is started with "qemu".
- Do not see "onlycap" file while testing, as it is not needed.
- Leave the list as an empty for the future use or security-analyzer.
Change-Id: I26dc7044a62e49c0b07ca532900732aa429e5d0e
Jin-gyu Kim [Wed, 27 Jul 2022 03:16:07 +0000 (12:16 +0900)]
Use csv format for lists of systemd unit tests.
- Use unified csv files for maintaining systemd unit tests.
- create_list.sh creates lists per profiles.
- Even after this is applied, the target has the same list as before.
Change-Id: I88b76f92e33f167b772a06a5a5d6ed97e1a1bc52
Jin-gyu Kim [Fri, 22 Jul 2022 05:42:38 +0000 (14:42 +0900)]
Change SmackProcessLabel of user@.service & add resourced.socket
Change-Id: Ic36eb7278d300282231bbb70d3fa037e5a4b55ec
Jin-gyu Kim [Tue, 19 Jul 2022 02:04:37 +0000 (11:04 +0900)]
Read link before setting capability to /usr/sbin/insmod
Consideration : It would be better to read link for every cases.
Change-Id: I96ad4fc378200f54ae9e6fd6bf92e925eda2d4cf
Jin-gyu Kim [Wed, 15 Jun 2022 04:45:00 +0000 (13:45 +0900)]
Add cap_sys_ptrace to /usr/bin/pass
Change-Id: I48e8f16f4159021c4209a44e7bb13507db1797bf
Jin-gyu Kim [Mon, 30 May 2022 07:52:57 +0000 (16:52 +0900)]
Change Smack Process Label of pkg-db-recovery & package-recovery services
- To use cap_mac_override used by installer cmd (ex : tpk-backend),
System::Privileged is required for these services.
Change-Id: I8d7bff03e50e6110da3b5e940d11f219325efd01
Jin-gyu Kim [Thu, 26 May 2022 05:09:11 +0000 (14:09 +0900)]
Changes the service name
- tizen-recovery.service -> recovery.service
Change-Id: I682c117c43cd3b13fe800fc6b3b69d63c87788e5
Jin-gyu Kim [Wed, 25 May 2022 07:46:41 +0000 (16:46 +0900)]
Give cap_mac_override to package-manager.service
- To abort app direcories creation & deletion, it needs cap_mac_override permission.
Because SMACK rules between "System" and "User::Pkg::..." are removed at this time.
Change-Id: Ief2e8d08e22f6738336dfec473de9920823f2df5
Jin-gyu Kim [Tue, 24 May 2022 03:48:05 +0000 (12:48 +0900)]
Add update-manager.service
Change-Id: I0b37c75e8d872d8cd5e64dd0de5fb1dd1dbe7a9a
Jin-gyu Kim [Mon, 23 May 2022 20:28:31 +0000 (05:28 +0900)]
Add tizen-recovery.service, clone_partitions_recovery.service and
recovery-reboot.service
Change-Id: I321a883144a73358b85ca96b992c92ef089269d1
Jin-gyu Kim [Fri, 29 Apr 2022 04:58:42 +0000 (13:58 +0900)]
Add cap_sys_nice to pkginfo-server.
Change-Id: I56e3ef8f15b1cda612f2048cf1a4f2a6af3817f9
Jin-gyu Kim [Tue, 26 Apr 2022 05:45:55 +0000 (14:45 +0900)]
Add clone_partitions.service
Change-Id: I2b4da639a5d153887c66566d573a13e25f23a823
JinGyu Kim [Tue, 26 Apr 2022 00:18:18 +0000 (09:18 +0900)]
Change SmackProcessLabel of booting-done.service
Change from System::Privileged to System
Change-Id: I5a699fa6edc439da1b301abbecc01fe2560758c1
Jin-gyu Kim [Tue, 19 Apr 2022 23:05:36 +0000 (08:05 +0900)]
Change permissions of booting-done.service
- Need root and System::Privileged permissions
- Check booting status and do recovery operaitions
Change-Id: Ie7f40824ece83745d4e93f7a08874ce0e5c57625
Jin-gyu Kim [Fri, 8 Apr 2022 22:34:46 +0000 (07:34 +0900)]
Add sessiond.service
- Root and System::Privileged permissions are required.
- It creates directories and sets SMACK attributes as like gumd.
Change-Id: Ia2fe49ce65c613bde9c09ffdb75ab71a7d109edc
Jin-gyu Kim [Thu, 24 Feb 2022 01:37:59 +0000 (10:37 +0900)]
Add cap_net_admin to /usr/bin/pass
- Requested by SECSFV-229
- cap_net_admin is required to use netlink interface
Change-Id: I524b7ce4a22a02d9d7213303a07758dde4b54445
Jin-gyu Kim [Fri, 4 Feb 2022 23:47:09 +0000 (08:47 +0900)]
Add cap_sys_chroot to launchpad-process-pool
- It is needed to support "Debug Attach" used by gdbserver.
Change-Id: I1ec73238bd3b2294b6a3b1600e1460921c047a43
Konrad Lipinski [Mon, 17 Jan 2022 13:22:41 +0000 (14:22 +0100)]
Security upgrade: always set dummy_file mode/label
Prior to this commit, the script only changed the mode/label if the file
has not existed before. If the script ever managed to touch the file and
then got killed, the file's mode/label would never get properly adjusted
when running the script again.
Change-Id: I707870eea9abb63ccf10e8c54fb3ca984e92196a
Jin-gyu Kim [Fri, 7 Jan 2022 23:06:34 +0000 (08:06 +0900)]
Use double brackets for checking path exception list.
- This is needed to avoid the error raised by some exceptional cases.
Change-Id: I833fee25bb563093812ddf1b3492591e9f92f11a
Jin-gyu Kim [Wed, 5 Jan 2022 22:14:37 +0000 (07:14 +0900)]
Add telephony-dongle service.
- Requested by SECSFV-207
- Give cap_sys_module capability with "ei" option to /usr/sbin/insmod
Change-Id: I704059ae5d9d0062e4217f252acda324e6818411
Jin-gyu Kim [Tue, 4 Jan 2022 23:49:03 +0000 (08:49 +0900)]
Add display-manager-ready.service
- display-manager-ready service is used for iot headless profile.
- There is no list difference between headed and headless. (Added to iot list)
Change-Id: I2cc6ff7ff09f0d7af85c541ec16d1260ffadfef1
Jin-gyu Kim [Mon, 29 Nov 2021 22:04:14 +0000 (07:04 +0900)]
Add update-post.service & update-finalize.service
- Requested by SECSFV-204
- Root privilege is required as those are used during the system upgrade process.
Change-Id: I8d46de7787bcf61ec15c6fc2bf9922d0a2d14743
Jin-gyu Kim [Thu, 25 Nov 2021 22:59:18 +0000 (07:59 +0900)]
When running smack rule test, all apps need to be executed twice.
- Some applications may have dependencies on other apps,
so double execution is required at first.
Change-Id: I0b345f2348d8bec0fda6a7256aa153d098ca3f89
Yunjin Lee [Mon, 15 Nov 2021 03:43:35 +0000 (12:43 +0900)]
Remove unused file
Change-Id: I74649d8f3e016893be24d66eec78b4fddc057d87
Yunjin Lee [Wed, 6 Oct 2021 01:28:43 +0000 (10:28 +0900)]
Add dbus-daemon-launch-helper as setuid exception for 64
Change-Id: I4aedd20b914e71b67e7860faf8bb7f850aa11511
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Jin-gyu Kim [Thu, 9 Sep 2021 01:09:56 +0000 (10:09 +0900)]
Set cap_dac_override to pkginfo-server
cap_dac_override : To write data on user database
Change-Id: I263ec0908df67a7ec67b873012c0821399aab084
Yunjin Lee [Mon, 6 Sep 2021 03:52:03 +0000 (12:52 +0900)]
Add nsjail.service
- Requested by SECSFV-203
Change-Id: I3adebd83ed0791217bb880000e0e145958f14a37
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Jin-gyu Kim [Fri, 3 Sep 2021 23:08:00 +0000 (08:08 +0900)]
Remove an unnecessary capability.
- cap_fowner is not needed for pkgmgr-server.
Change-Id: I605f138f51a1e0bb68f524697d7e72ef8b9d70fb
Yunjin Lee [Wed, 1 Sep 2021 08:59:30 +0000 (17:59 +0900)]
Add capabilities for res-copy
- cap_chown,cap_dac_override,cap_fowner is required to changed
copied resources ownership(root:priv_platform). pkgmgr-server
fork execs it hence give cap_fowner to pkgmgr-server and give
ie for those caps to res-copy.
Change-Id: I951d5bfe4b17a66f871ec60ff935da8670850d18
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Jin-gyu Kim [Thu, 26 Aug 2021 01:23:49 +0000 (10:23 +0900)]
Add hal-rpmdb-checker.service
Requested by SECSFV-202
Change-Id: I33753ba9ad15b387c473dae0600099b4cf13e6ae
Jin-gyu Kim [Wed, 25 Aug 2021 02:16:24 +0000 (11:16 +0900)]
Add priv_platform group.
- Mapped with http://tizen.org/privilege/internal/default/platform
Change-Id: I614421b9e13cc65bf6800f011b2f84dadbc935b7
Jin-gyu Kim [Fri, 6 Aug 2021 00:49:12 +0000 (09:49 +0900)]
Add data-checkpoint.service & udev-trigger-dmbow@.service.
- Requested by SECSFV-201
Change-Id: I33bf75444ba1e677fc3956429a32140c4a091848
Jin-gyu Kim [Wed, 23 Jun 2021 10:19:27 +0000 (10:19 +0000)]
Merge "Add priv_peripheralio group id" into tizen
Jin-gyu Kim [Wed, 23 Jun 2021 04:06:25 +0000 (13:06 +0900)]
Add aslr exception lists.
- Some executables are included in packages not being compiled.
- In these cases, applying PIE option is not available.
Change-Id: I20b2da508ad01a9beeb0c497ed1086533da460ea
Jin-gyu Kim [Wed, 23 Jun 2021 01:48:03 +0000 (10:48 +0900)]
Add priv_peripheralio group id
- This will be mapped to http://tizen.org/privilege/peripheralio
Change-Id: I32130ffaf18b0034b0d4870afe9aa3c3f8fdef16
Jin-gyu Kim [Fri, 11 Jun 2021 19:08:25 +0000 (04:08 +0900)]
Check the existence of ipv6host before trying to write.
Change-Id: Ie79e77df84c7ee8ae5332d3ab59aaa898ccc5ce0
Dongkyun Son [Thu, 3 Jun 2021 02:54:19 +0000 (11:54 +0900)]
smack: add ip(10.0.2.15) to allow gdb remote debugging
To fix smack denial:
audit: type=1400 audit(
1622180305.290:90): lsm=SMACK fn=smack_inet_conn_request action=denied subject="System::Privilege::Internet" object="User::Pkg::org.example.basicui4" requested=w pid=2315 comm="sdbd" saddr=10.0.2.15 src=39898 daddr=10.0.2.15 dest=26112 netif=lo
Change-Id: Id6ee685555d68df90ec226847e7d2c87c502333d
Signed-off-by: Dongkyun Son <dongkyun.s@samsung.com>
Tomasz Swierczek [Wed, 2 Jun 2021 09:30:30 +0000 (09:30 +0000)]
Merge "Add IPv6 configuration for internet privilege" into tizen
Jin-gyu Kim [Mon, 31 May 2021 19:50:33 +0000 (04:50 +0900)]
Add deviced-request-shutdown@.service
- Requested by SECSFV-200
Change-Id: I9487efef589b4987aae50559838df21f0a9bae8c
Tomasz Swierczek [Mon, 24 May 2021 07:54:36 +0000 (09:54 +0200)]
Add IPv6 configuration for internet privilege
Change-Id: I12b260cecb8352dc7dc9f943f2824d4639da8028
Jin-gyu Kim [Thu, 6 May 2021 05:56:37 +0000 (14:56 +0900)]
Add audio-aec.service to all profiles.
Requested by SECSFV-199
Change-Id: Ic040a99d69d2f670e152bc52313cab0476ddd0ca
Jin-gyu Kim [Mon, 3 May 2021 08:13:19 +0000 (17:13 +0900)]
Add missing SMACK labelling cmd in change_permission.
This does not affect any operation, but need to reset SMACK label
for any mismatch in SMACK label.
Change-Id: I0d6053c341d4070d25b7a0839ef439a4972ed424
Jin-gyu Kim [Mon, 3 May 2021 05:34:25 +0000 (14:34 +0900)]
Do not use rpm command in set_capability
"rpm" command cannot be existed in some cases.
Instead of using it, check a specific file path to determine a certain
rpm is installed or not.
Change-Id: I6f5fda1cd35cac3bc039c5b4e008b28eafdeb1c1
Jin-gyu Kim [Fri, 23 Apr 2021 05:31:51 +0000 (14:31 +0900)]
Create a new script for setting permissions.
This script needs to be run while image is being created or updated.
(After in-house applications are installed.)
We could consider it to be run in security-config service, but it will
increase the 1st boot time.
Change-Id: I5a11dd720ea46ae69b1acc6be09305c74fb39292
jin-gyu.kim [Wed, 7 Apr 2021 05:32:36 +0000 (14:32 +0900)]
Add accounts-service.service to tv profile.
Change-Id: Icad4a1e5679339ff0f509c765f291bda0383b246
jin-gyu.kim [Fri, 19 Mar 2021 06:52:12 +0000 (15:52 +0900)]
Add pkgmgr-info service & socket
Change-Id: I3ad594cf6e4161c5742af40555a75d84f5558035
jin-gyu.kim [Fri, 19 Mar 2021 02:37:32 +0000 (11:37 +0900)]
Add a comment to the last line of list files.
In some implementations, "read" in shell script cannot read a last line.
To avoid an un-expected problem, add a meaningless comment in every list files.
Change-Id: Iec5603152d71ef61ccfbe71fbab196ebc3eb1890
jin-gyu.kim [Fri, 19 Mar 2021 01:31:20 +0000 (10:31 +0900)]
Add missing uwb-manager service in iot profile.
Change-Id: Icb886ccd5b4c55f1bc2505af355066b2737fe494
jin-gyu.kim [Wed, 17 Mar 2021 05:01:21 +0000 (14:01 +0900)]
Add mdnsd.service
- Give cap_net_admin & cap_net_raw to /usr/sbin/mdnsd
Change-Id: Ic84a2302af6b434b7928c91b04b26f1d1a75cf53
jin-gyu.kim [Mon, 15 Mar 2021 08:22:12 +0000 (17:22 +0900)]
Include security-config service to TV profile.
Change-Id: Ibd7af5b37c7da399a24e3e8a0f093c3d09b64c3a
Jin-gyu Kim [Fri, 12 Mar 2021 06:17:46 +0000 (06:17 +0000)]
Merge "Add dump_systemstate.service" into tizen
Jin-gyu Kim [Fri, 12 Mar 2021 06:17:34 +0000 (06:17 +0000)]
Merge "Rename crash-service.service as bugreport.service" into tizen
jin-gyu.kim [Wed, 10 Mar 2021 08:35:19 +0000 (17:35 +0900)]
Add dump_systemstate.service
Change-Id: Ib1fbb601e03c21f6e74e5cc53e6e09380fd9e736
jin-gyu.kim [Wed, 10 Mar 2021 08:28:50 +0000 (17:28 +0900)]
Rename crash-service.service as bugreport.service
- Executable name is also changed as bugreport-service.
- Therefore, a change in set_capability is also included.
Change-Id: I407982d19f92f1084911d930e8ba070b47d2287f
jin-gyu.kim [Thu, 11 Mar 2021 04:21:33 +0000 (13:21 +0900)]
Add missing security-config service in TV profile.
Change-Id: Idfc59d09c699e176c3a116ccac8679dd99415e76
jin-gyu.kim [Tue, 9 Mar 2021 05:16:00 +0000 (14:16 +0900)]
Add uwb-manager service.
- Add it to commmon & tv profiles.
Change-Id: Ic424c600012bd80f171ac490ec93daa4ed060c3b
김진규/Security팀(SR)/Staff Engineer/삼성전자 [Wed, 3 Mar 2021 02:13:12 +0000 (11:13 +0900)]
Add obex service to tv profile.
Change-Id: I52840afeecff41d138969244c020871cffc10acf
INSUN PYO [Wed, 24 Feb 2021 09:19:51 +0000 (18:19 +0900)]
Add /usr/bin/qemu-arm-binfmt to ASLR exception list
/usr/bin/qemu-arm-binfmt is linked to /usr/bin/qemu-arm on mic-bootstrap.
(http://download.tizen.org/snapshots/tizen/unified/tizen-unified_20210223.1/repos/standard/packages/armv7l/mic-bootstrap-x86-arm-1.0-10.17.armv7l.rpm)
Sometime local mic fails with mic error message. (Ubuntu 18.04 latest, mic 0.28.12)
===========================================================================================
[02/24 16:52:12 KST] #################### generic-security.post ####################
[02/24 16:52:12 KST] Give capabilities to daemons via set_capability from security-config package
[02/24 16:52:20 KST] Run security-test
[02/24 16:52:31 KST] /opt/share/security-config/test/image_test.sh: line 26: /bin/cat: Permission denied
[02/24 16:52:31 KST] /opt/share/security-config/test/image_test.sh: line 86: /bin/cat: Permission denied
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 298: /bin/security-manager-cmd: Permission denied
[02/24 16:52:31 KST] #################### generic-dbus-policychecker.post ####################
[02/24 16:52:31 KST]
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: Checking D-Bus policy file: /etc/dbus-1/system.d/alarm-service.conf
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: /usr/bin/dbuspolicy-checker: /bin/sh: bad interpreter: Permission denied
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 309: /bin/wc: Permission denied
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 309: /bin/grep: Permission denied
[02/24 16:52:31 KST]
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 311: [: -gt: unary operator expected
===========================================================================================
sh-3.2# cat /opt/share/security-config/test/log/aslr_not_applied_files
/usr/bin/protoc
/usr/bin/qemu-arm-binfmt
/usr/sbin/glibc_post_upgrade
/usr/sbin/ldconfig
sh-3.2# cat /opt/share/security-config/test/log/aslr_test_tmpfile
/usr/bin/protoc
/usr/bin/qemu-arm
/usr/bin/qemu-arm-binfmt
/usr/sbin/glibc_post_upgrade
/usr/sbin/ldconfig
sh-3.2# cat /opt/share/security-config/test/log/image_test_log
ASLR not applied list ######
Change-Id: I488ab3a8e24e2ee94b74ac1cb8ed2af46fe98677
Yunjin Lee [Wed, 24 Feb 2021 07:32:17 +0000 (16:32 +0900)]
Add prebuilt included services(lhd, gpsd) to systemd service list
- Added prebuilt plugin included services - lhd.service and gpsd.service
- to systemd_service list of wearable profile teporarily
Change-Id: Ibae6c3a714d7b49a4d093045638db86f0d3d153f
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
jin-gyu.kim [Wed, 24 Feb 2021 06:01:05 +0000 (15:01 +0900)]
Add factory-reset & factory-reset-launch services to tv profile.
Change-Id: Ia895615eaa629979431139350fb7121c34e21a8f
jin-gyu.kim [Tue, 23 Feb 2021 04:04:41 +0000 (13:04 +0900)]
Fix a typo in spec file.
Change-Id: I3420291c8bd5e8d430cc1f1a463c77fadf5048e9
jin-gyu.kim [Tue, 23 Feb 2021 02:38:45 +0000 (11:38 +0900)]
Include onlycap list file in profile packages.
- Remove onlycap list file from security-config main rpm.
Change-Id: I5f37e7a21a8d1eada3095d29ed95797a226d7e6e
jin-gyu.kim [Mon, 22 Feb 2021 07:09:22 +0000 (16:09 +0900)]
Add smartreply service to tv profile.
Change-Id: I29d5a0ff40023f818463db53af7469dc3b77a062
jin-gyu.kim [Mon, 22 Feb 2021 04:28:46 +0000 (13:28 +0900)]
Add exception lists for SMACK execute label test.
- Some executables need to be set SMACK execute label.
- Add exeception list file to include those cases.
Change-Id: I24a3abb50b6d5a2c43db276ab1219f64ef2a309a
jin-gyu.kim [Wed, 17 Feb 2021 05:31:06 +0000 (14:31 +0900)]
Include network_fw uid to dialout gid
Change-Id: Ib24dfdbf4a0cb0edab83b8f9df53eb223e56c9e4
jin-gyu.kim [Tue, 9 Feb 2021 02:16:51 +0000 (11:16 +0900)]
Include onlycap list files in all profiles.
Change-Id: Ibb604b782108ace1ae30e82627792d434f291931
jin-gyu.kim [Wed, 3 Feb 2021 07:08:18 +0000 (16:08 +0900)]
Add cap_sys_module capability to wfd-manager.
Change-Id: Ie9b10ac6f1d97b71eb73f0d1ab65a5d5f5b370cd
jin-gyu.kim [Wed, 3 Feb 2021 06:12:34 +0000 (15:12 +0900)]
Add cap_sys_module capability to net-config.
Change-Id: I516cd739a0851f4b0c0bc8bc2a3efc523a9ef618
jin-gyu.kim [Fri, 15 Jan 2021 03:55:27 +0000 (12:55 +0900)]
Give cap_mac_admin to wrt-service
- "eip" option is applied, but restricted to use by only chromium-efl app.
Change-Id: I025a3c34c84179d4986c25216288a088c555c4bf
jin-gyu.kim [Wed, 16 Dec 2020 09:13:09 +0000 (18:13 +0900)]
Support to check wildcard for path_exception.list
- File path can be changed by it's pacakge version.
- Wildcard(*) can be added in path_exception.list.
- Compare each exception list line to distinguish a wildcard pattern.
Change-Id: Ieaea75e7e59f3468251fcd8c0271dd9af5e0deb0
jin-gyu.kim [Fri, 11 Dec 2020 06:00:35 +0000 (15:00 +0900)]
Give cap_kill to sdbd & sdbd-service.
Change-Id: I68ec6f1d95857f797d582eabde9581165e944ce2
INSUN PYO [Tue, 1 Dec 2020 06:12:30 +0000 (15:12 +0900)]
Fix /usr/bin/touch path
Change-Id: Iabe01813e8873a5e7b0cf1c3bd709e9cfe1cee0a
Yunjin Lee [Wed, 4 Nov 2020 02:54:15 +0000 (02:54 +0000)]
Merge "Add FOTA script to apply privilege mapping changes" into tizen
jin-gyu.kim [Tue, 27 Oct 2020 01:29:48 +0000 (10:29 +0900)]
Add emergency-target-holder.service
Change-Id: I8cad5e7059a7831bfd1a72aea7734d71c5dae1ef
Yunjin Lee [Wed, 21 Oct 2020 10:22:32 +0000 (19:22 +0900)]
Add FOTA script to apply privilege mapping changes
4.0
- native systemsettings.admin -> core systemsettings.admin
- web filesystem.read -> core systemsettings.admin
- web filesystem.write -> core systemsettings.admin
- web setting -> core systemsettings.admin
- web networkbearerselection -> core network.set
5.5
- native systemsettings.admin -> core systemsettings.admin,
internal/buxton/systemsettings
- web filesystem.read -> core filesystem.read
- web filesystem.write -> core filesystem.write
- web setting -> core internal/buxton/systemsettings
6.0
- web networkbearerselection -> core network.set,
netowrk.route
Change-Id: I5f69666cb3774fd2bba2c175e3df327b15d1f3ed
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
jin-gyu.kim [Fri, 16 Oct 2020 00:49:08 +0000 (09:49 +0900)]
Fix typo in netlabel_config.
Change-Id: I1ea188fd6765520dd99c4b025b0c322420c10a94
Yunjin Lee [Tue, 6 Oct 2020 01:50:29 +0000 (10:50 +0900)]
Update path check exception list
- Add followings:
/usr/share/icu/65.1/install-sh
/usr/share/icu/65.1/mkinstalldirs
Change-Id: I73c3fcaf9bb89d20fb3edfa78f6f19e2132dc5b8
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Yunjin Lee [Mon, 5 Oct 2020 06:21:56 +0000 (15:21 +0900)]
Update path check exception list
- Add followings:
/usr/bin/strace-log-merge
/usr/bin/gdb-add-index
/usr/bin/gcore
Change-Id: I952feb03bf409287091425e1efbe553009048bd2
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
jin-gyu.kim [Tue, 29 Sep 2020 07:34:10 +0000 (16:34 +0900)]
Add exception list for path check test.
Add below scripts for exception lists.
/usr/share/upgrade/scripts/600.gpsd.patch.sh
/opt/etc/dump.d/module.d/dump_gpsd.sh
Change-Id: I2d02bb5fdcff9fe011687d301bcb8f4074e372ba
jin-gyu.kim [Mon, 28 Sep 2020 07:15:03 +0000 (16:15 +0900)]
Launch all apps when running SMACK rule test.
- Some SMACK rules are dynamically added while launching apps.
- To compare all SMACK rules, launching all apps before running security test.
Change-Id: I562d2bafaab0ea2dffdeaecfc41f85bfb8e04e09
Kim Kidong [Thu, 24 Sep 2020 02:21:34 +0000 (02:21 +0000)]
Merge "Modify netlabel to support privilege-smack mapping." into tizen
Kidong Kim [Fri, 18 Sep 2020 08:00:59 +0000 (17:00 +0900)]
Change smack label of tlm.service (User -> System)
Change-Id: Ic0f90d5790c98c024aad655058aceb13cfa27edc
Kidong Kim [Wed, 9 Sep 2020 04:55:26 +0000 (13:55 +0900)]
Give capabilities to sdbd-service
Change-Id: I2f5c72c66eb53dbad5442dc2c8341b4c98198287
jin-gyu.kim [Mon, 7 Sep 2020 02:45:28 +0000 (02:45 +0000)]
Give capabilities to support update-control.
- cap_sys_admin to /usr/bin/update-manager
- cap_dac_override to /usr/sbin/img-verifier
Change-Id: I97330c8ba642e34bbff97b800bebc1faa95107d9
jin-gyu.kim [Thu, 3 Sep 2020 06:23:31 +0000 (06:23 +0000)]
Add system_fw to disk group.
- To support OS upgrade with removable storage.
- Upgrade trigger script needs to ramdisk-recovery under /dev.
Change-Id: I60eb8465b7bf37d0b92984b70d65cec07c422e43
jin-gyu.kim [Wed, 26 Aug 2020 06:42:47 +0000 (06:42 +0000)]
Add ramdisk-flush service.
- Add cap_sys_admin to /usr/sbin/blockdev
Change-Id: Iab2897f172d8ab93114696a07861ff7496b2f828
jin-gyu.kim [Tue, 25 Aug 2020 06:40:13 +0000 (06:40 +0000)]
Modify netlabel to support privilege-smack mapping.
- 10.0.2.2, 10.0.2.16 and 192.168.129.3 for appdebugging privilege.
- All other IPs for internet privilege.
Change-Id: Ic4723bd35b63ff6aed1852b46bf65f4a7a038b19
jin-gyu.kim [Tue, 25 Aug 2020 05:12:04 +0000 (05:12 +0000)]
Add tizen-theme-manager.service to all profiles.
Change-Id: I52d2776b82207f760555e2bd3a4722dc45b7da7d
Jin-gyu Kim [Fri, 21 Aug 2020 05:19:04 +0000 (05:19 +0000)]
Merge "Change Smack label fro crash-service to System::Privileged" into tizen
Sungwook Park [Thu, 20 Aug 2020 12:24:43 +0000 (21:24 +0900)]
Add capi-ui-gesture.service to wearable profile
Change-Id: I2d79fd2d36f20f50a8cd67113e0783462b090dc2
Signed-off-by: Sungwook Park <sungwook79.park@samsung.com>
Mateusz Moscicki [Thu, 20 Aug 2020 10:18:44 +0000 (12:18 +0200)]
Change Smack label fro crash-service to System::Privileged
The System::Privileged label is needed because on newer kernels (>=
4.20) it's not possible to read/ptrace processes listed in onlycap set.
Crash-service needs the right to do ptrace to correctly generate
reports.
Change-Id: Iad849f0b11eb3eece8d537fd2856daf59ffe757c
jin-gyu.kim [Tue, 18 Aug 2020 00:26:43 +0000 (00:26 +0000)]
Add cap_net_raw to bluetooth-meshd
Change-Id: I7c69b3a6774b77daa0a728c9e41da7f7c6b8c354
jin-gyu.kim [Thu, 6 Aug 2020 07:08:39 +0000 (07:08 +0000)]
Refactor capability test.
- Do not refer capability exception list.
- Read set_capability script then generate allowed lists automatically.
Change-Id: I4dbb2f2c71dce91b0f2f2ba99c59c67dcac74105
jin-gyu.kim [Tue, 4 Aug 2020 05:01:31 +0000 (05:01 +0000)]
Add engine-loader.service
Change-Id: I4904f8ec285da5e6a77e838012a2b9695ec920d8
Jin-gyu Kim [Fri, 24 Jul 2020 04:06:48 +0000 (04:06 +0000)]
Merge "add peripheral-bus.service to all targets/emulators" into tizen
jin-gyu.kim [Fri, 24 Jul 2020 01:07:49 +0000 (01:07 +0000)]
Give cap_dac_override to /usr/bin/peripheral-bus
Change-Id: I463917631ed78c085086c2ca00278a82cb2d8000
Konrad Kuchciak [Fri, 3 Jul 2020 08:21:39 +0000 (10:21 +0200)]
add peripheral-bus.service to all targets/emulators
Change-Id: Iae2e109c8c7a481c6f40d9d2a5faf3d11ad78da0
projects / platform / core / security / security-config.git / log