Tomasz Swierczek [Wed, 21 Aug 2024 06:04:43 +0000 (08:04 +0200)]
Add service lightweight-web-engine-update.service
Change-Id: I8ec1c4a3c75018825f9a9f1e0362013dadd9b338
YoungHun Kim [Thu, 15 Aug 2024 23:17:23 +0000 (23:17 +0000)]
Revert "Run rscmgr-service with System::Run label"
This reverts commit b134bbe15284c1145b6ef9a83307827fcc5da7a3.
Change-Id: I2d84af5977eaf397cea4fd59d326be35c544077d
Dariusz Michaluk [Tue, 13 Aug 2024 11:32:43 +0000 (13:32 +0200)]
Run rscmgr-service with System::Run label
This change should be reverted as it's not secure,
made on special HQ request.
Change-Id: I061b551b70e2f593878aff434bed41059af0d794
Dariusz Michaluk [Mon, 12 Aug 2024 08:45:29 +0000 (10:45 +0200)]
Change rscmgr-service to root
Change-Id: Id5d62c3d31dd241c46be4d862f712ee1a7db1bb1
Dariusz Michaluk [Thu, 8 Aug 2024 07:36:51 +0000 (09:36 +0200)]
Add rscmgr-service service file
Change-Id: I27450ecce1d1f3d5808979164490ed52d13137c1
Dariusz Michaluk [Thu, 18 Jul 2024 06:15:31 +0000 (08:15 +0200)]
Add modprobe service file
Change-Id: I21f625689c61894e83f9f083e31f62aba301f174
Krzysztof Malysa [Tue, 9 Jul 2024 11:16:32 +0000 (13:16 +0200)]
Make test/smack_rule_test/checksmackrule.sh more robust
Change-Id: I88a9c0a756264d1676768b33ea3c3c9236545053
Karol Lewandowski [Wed, 10 Jul 2024 18:41:04 +0000 (20:41 +0200)]
Do not check SmackProcessLabel for .service units without [Service] section
Such units are provided by new systemd (>= 255).
We retain old logic and service exceptions for package to work with both new
and old systemd versions.
Change-Id: Ia01365e0ba76053932b61bf3f143e0bcdbddf573
Filip Skrzeczkowski [Tue, 25 Jun 2024 14:28:52 +0000 (16:28 +0200)]
Add a socket for extended key manager API
Change-Id: I9c7c228290dabb0a8c9d2d13c97e79a2afd8549a
Mateusz Moscicki [Wed, 29 May 2024 09:33:04 +0000 (11:33 +0200)]
Rename services due to Online Upgrade
Changes to standardize the nomenclature:
offline-update.service -> system-update.service
update-post.service -> offline-update-post.service
Change-Id: I212cb7c4387304164020a4c4db84ca582bb5507b
Mateusz Moscicki [Wed, 15 May 2024 11:48:38 +0000 (13:48 +0200)]
Change the smack label for data-checkpoint.service
Change-Id: Id3049e744766bab9d5e9353ee583c0129b4fa368
Tomasz Swierczek [Wed, 8 May 2024 07:52:45 +0000 (09:52 +0200)]
Configure bluetooth service & tools
* add bt-core service (as DBus) & its capabilities
* add caps to bluez hcitool tool
Reference ticket: SECSFV-273
Change-Id: Ie6372de7701891bf58e643b0a5d10656555c7709
Tomasz Swierczek [Fri, 26 Apr 2024 08:59:29 +0000 (10:59 +0200)]
Add webauthn service & socket
Change-Id: Idb5c9bd8afa6ffa2b51b25eb5e0ebda7805a6115
Mateusz Moscicki [Mon, 15 Apr 2024 11:41:16 +0000 (13:41 +0200)]
Add online-update service files
Change-Id: Ie1e73111f120d65cc6becf68ffdd0ea7203a8d8c
Adam Michalski [Thu, 11 Apr 2024 13:49:58 +0000 (15:49 +0200)]
Add cap_dac_override to isud binary
- This is needed by the isud to perform clean-up of the unnecessary
files from globalapps path which is owned by tizenglobalapp:root
but the isud service is run with the system:system user and group.
Reference ticket: SECSFV-271
Change-Id: Ib4b57bf44891dc902fa18d2c555c0e91adad93c9
Tomasz Swierczek [Tue, 2 Apr 2024 06:02:46 +0000 (08:02 +0200)]
Add package-manager systemd socket
SECSFV-270
Change-Id: I3d46bdaf34c784201b042d2f126044d24b65638b
gichan2-jang [Thu, 14 Mar 2024 07:48:43 +0000 (16:48 +0900)]
Add org.tizen.machinelearning.service.service
Add org.tizen.machinelearning.service.service to dbus_service.list
Change-Id: If116ad569a49c99bee21948fee7d7d92c2c6d69d
Signed-off-by: gichan2-jang <gichan2.jang@samsung.com>
Sangjung Woo [Tue, 12 Mar 2024 08:22:05 +0000 (17:22 +0900)]
Update the service name in systemd_service.csv
The existing 'machine-learning-agent' is renamed to 'mlops-agent' since
new functionality is added to the daemon. Because of this reason,
systemd service file should be updated as 'mlops-agent.service' too.
Change-Id: I4ad0b31ebab11201f00a6f9a9ba8efbc9eec52b9
Signed-off-by: Sangjung Woo <sangjung.woo@samsung.com>
Jeongmo Yang [Mon, 8 Jan 2024 08:41:32 +0000 (17:41 +0900)]
Update path check exception list
- "/etc/profile.d/mmf.sh" is added.
- It's used for setting environment value of platform bash login, not executed by the user.
Change-Id: I0095b8fb44406ab782cacb35264946145bfe5c27
Signed-off-by: Jeongmo Yang <jm80.yang@samsung.com>
Tomasz Swierczek [Wed, 13 Dec 2023 11:35:44 +0000 (12:35 +0100)]
Fixed isud.service added previously
The request SECSFV-268 mixed systemd service file with DBus one.
Change-Id: Ifa2e964321aa7169ac09768fdb103b0c0b72fe92
Tomasz Swierczek [Tue, 12 Dec 2023 11:28:59 +0000 (12:28 +0100)]
Add isud.service
- DBus service - short-lived, on-demand activated service.
- SECSFV-268
Change-Id: I81234aef8c722c0b731a7075d14bcb779573e711
Yunjin Lee [Tue, 12 Sep 2023 02:25:01 +0000 (11:25 +0900)]
Add cap_sys_resource to /usr/bin/pass
- Add cap_sys_resource to /usr/bin/pass
- SECSFV-267
Change-Id: I211b2d2889bb222a65d8c063f107bf91e025b006
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Tomasz Swierczek [Thu, 24 Aug 2023 04:55:47 +0000 (06:55 +0200)]
Add /usr/bin/crash-manager to list of exceptions for exec label check
It's owned and can be launched by root only, so it's not really
world-readable/executable, despite having _ Smack label.
The fact it has _ access Smack label (&System::Privileged exec label)
is consequence of upstream kernel change - other Smack access
label makes the kernel not able to launch it on coredump.
Change-Id: I6af9a5e90edad3c371de9d7ea43bcd5e44db7088
Mateusz Moscicki [Thu, 27 Apr 2023 11:14:41 +0000 (13:14 +0200)]
Check services in ISU directories
This patch adds verification of service files provided under the ISU
(Individual Service Upgrade) mechanism.
Change-Id: I86afe2cc5c99169c79976298498377a51b3182d6
Yunjin Lee [Thu, 11 May 2023 07:59:50 +0000 (16:59 +0900)]
Remove utils after running image test
Change-Id: I05ba8c67011e527a2224d2ae5f00f0421c0b24a3
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
wchang kim [Thu, 11 May 2023 04:27:13 +0000 (13:27 +0900)]
Change the binary readelf for riscv64
Change-Id: Ibbdf42315cbeffbd858d706d52ef14ef0fbd4a11
Kim Kidong [Mon, 17 Apr 2023 00:26:22 +0000 (00:26 +0000)]
Merge "Add RISC-V test utils" into tizen
Yunjin Lee [Fri, 20 Jan 2023 04:19:36 +0000 (13:19 +0900)]
Disable askuser in all profile
Change-Id: Id289e61b2cfb957261a6d90edb77c2a00372c94e
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Marek Pikuła [Mon, 17 Oct 2022 21:17:16 +0000 (23:17 +0200)]
Add RISC-V test utils
Change-Id: I6a5f1302dc4bf017a2b094d4c5095be6f0e18fea
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Jin-gyu Kim [Mon, 17 Oct 2022 02:20:25 +0000 (11:20 +0900)]
Do not check profile info while running systemd unit test.
- If invalid systemd units exist, move those in every profile.
Change-Id: Ie4bc762f0d6e57fba0af41240b876300f1d04b5a
Jin-gyu Kim [Thu, 13 Oct 2022 07:27:31 +0000 (16:27 +0900)]
Fix a wrong service name.
- scmirroring.service -> scmirroring.server.service
Change-Id: I2518e4f49461ee117b8e0c47fef4c96a09f3c562
Jin-gyu Kim [Thu, 15 Sep 2022 07:04:58 +0000 (16:04 +0900)]
Add pass-resource-monitor.socket
Change-Id: Ie2d513796fe8422052322275137c19349ffdc88e
Jin-gyu Kim [Thu, 18 Aug 2022 08:00:25 +0000 (17:00 +0900)]
Add machine-learning-agent.service
Change-Id: I3525c8d4996d56da5c699637068c33167367c4a9
Jin-gyu Kim [Mon, 8 Aug 2022 06:45:49 +0000 (15:45 +0900)]
Check static linked binaries rather than including those in the list.
- Before : Specify static linked binaries in the exception list.
- With this : Check whether binaries are static linked.
If so, do not check ASLR.
- Do not check "dll" and if the name is started with "qemu".
- Do not see "onlycap" file while testing, as it is not needed.
- Leave the list as an empty for the future use or security-analyzer.
Change-Id: I26dc7044a62e49c0b07ca532900732aa429e5d0e
Jin-gyu Kim [Wed, 27 Jul 2022 03:16:07 +0000 (12:16 +0900)]
Use csv format for lists of systemd unit tests.
- Use unified csv files for maintaining systemd unit tests.
- create_list.sh creates lists per profiles.
- Even after this is applied, the target has the same list as before.
Change-Id: I88b76f92e33f167b772a06a5a5d6ed97e1a1bc52
Jin-gyu Kim [Fri, 22 Jul 2022 05:42:38 +0000 (14:42 +0900)]
Change SmackProcessLabel of user@.service & add resourced.socket
Change-Id: Ic36eb7278d300282231bbb70d3fa037e5a4b55ec
Jin-gyu Kim [Tue, 19 Jul 2022 02:04:37 +0000 (11:04 +0900)]
Read link before setting capability to /usr/sbin/insmod
Consideration : It would be better to read link for every case.
Change-Id: I96ad4fc378200f54ae9e6fd6bf92e925eda2d4cf
Jin-gyu Kim [Wed, 15 Jun 2022 04:45:00 +0000 (13:45 +0900)]
Add cap_sys_ptrace to /usr/bin/pass
Change-Id: I48e8f16f4159021c4209a44e7bb13507db1797bf
Jin-gyu Kim [Mon, 30 May 2022 07:52:57 +0000 (16:52 +0900)]
Change Smack Process Label of pkg-db-recovery & package-recovery services
- To use cap_mac_override used by installer cmd (ex : tpk-backend),
System::Privileged is required for these services.
Change-Id: I8d7bff03e50e6110da3b5e940d11f219325efd01
Jin-gyu Kim [Thu, 26 May 2022 05:09:11 +0000 (14:09 +0900)]
Changes the service name
- tizen-recovery.service -> recovery.service
Change-Id: I682c117c43cd3b13fe800fc6b3b69d63c87788e5
Jin-gyu Kim [Wed, 25 May 2022 07:46:41 +0000 (16:46 +0900)]
Give cap_mac_override to package-manager.service
- To abort app directories creation & deletion, it needs cap_mac_override permission.
Because SMACK rules between "System" and "User::Pkg::..." are removed at this time.
Change-Id: Ief2e8d08e22f6738336dfec473de9920823f2df5
Jin-gyu Kim [Tue, 24 May 2022 03:48:05 +0000 (12:48 +0900)]
Add update-manager.service
Change-Id: I0b37c75e8d872d8cd5e64dd0de5fb1dd1dbe7a9a
Jin-gyu Kim [Mon, 23 May 2022 20:28:31 +0000 (05:28 +0900)]
Add tizen-recovery.service, clone_partitions_recovery.service and
recovery-reboot.service
Change-Id: I321a883144a73358b85ca96b992c92ef089269d1
Jin-gyu Kim [Fri, 29 Apr 2022 04:58:42 +0000 (13:58 +0900)]
Add cap_sys_nice to pkginfo-server.
Change-Id: I56e3ef8f15b1cda612f2048cf1a4f2a6af3817f9
Jin-gyu Kim [Tue, 26 Apr 2022 05:45:55 +0000 (14:45 +0900)]
Add clone_partitions.service
Change-Id: I2b4da639a5d153887c66566d573a13e25f23a823
JinGyu Kim [Tue, 26 Apr 2022 00:18:18 +0000 (09:18 +0900)]
Change SmackProcessLabel of booting-done.service
Change from System::Privileged to System
Change-Id: I5a699fa6edc439da1b301abbecc01fe2560758c1
Jin-gyu Kim [Tue, 19 Apr 2022 23:05:36 +0000 (08:05 +0900)]
Change permissions of booting-done.service
- Need root and System::Privileged permissions
- Check booting status and do recovery operations
Change-Id: Ie7f40824ece83745d4e93f7a08874ce0e5c57625
Jin-gyu Kim [Fri, 8 Apr 2022 22:34:46 +0000 (07:34 +0900)]
Add sessiond.service
- Root and System::Privileged permissions are required.
- It creates directories and sets SMACK attributes as like gumd.
Change-Id: Ia2fe49ce65c613bde9c09ffdb75ab71a7d109edc
Jin-gyu Kim [Thu, 24 Feb 2022 01:37:59 +0000 (10:37 +0900)]
Add cap_net_admin to /usr/bin/pass
- Requested by SECSFV-229
- cap_net_admin is required to use netlink interface
Change-Id: I524b7ce4a22a02d9d7213303a07758dde4b54445
Jin-gyu Kim [Fri, 4 Feb 2022 23:47:09 +0000 (08:47 +0900)]
Add cap_sys_chroot to launchpad-process-pool
- It is needed to support "Debug Attach" used by gdbserver.
Change-Id: I1ec73238bd3b2294b6a3b1600e1460921c047a43
Konrad Lipinski [Mon, 17 Jan 2022 13:22:41 +0000 (14:22 +0100)]
Security upgrade: always set dummy_file mode/label
Prior to this commit, the script only changed the mode/label if the file
has not existed before. If the script ever managed to touch the file and
then got killed, the file's mode/label would never get properly adjusted
when running the script again.
Change-Id: I707870eea9abb63ccf10e8c54fb3ca984e92196a
Jin-gyu Kim [Fri, 7 Jan 2022 23:06:34 +0000 (08:06 +0900)]
Use double brackets for checking path exception list.
- This is needed to avoid the error raised by some exceptional cases.
Change-Id: I833fee25bb563093812ddf1b3492591e9f92f11a
Jin-gyu Kim [Wed, 5 Jan 2022 22:14:37 +0000 (07:14 +0900)]
Add telephony-dongle service.
- Requested by SECSFV-207
- Give cap_sys_module capability with "ei" option to /usr/sbin/insmod
Change-Id: I704059ae5d9d0062e4217f252acda324e6818411
Jin-gyu Kim [Tue, 4 Jan 2022 23:49:03 +0000 (08:49 +0900)]
Add display-manager-ready.service
- display-manager-ready service is used for iot headless profile.
- There is no list difference between headed and headless. (Added to iot list)
Change-Id: I2cc6ff7ff09f0d7af85c541ec16d1260ffadfef1
Jin-gyu Kim [Mon, 29 Nov 2021 22:04:14 +0000 (07:04 +0900)]
Add update-post.service & update-finalize.service
- Requested by SECSFV-204
- Root privilege is required as those are used during the system upgrade process.
Change-Id: I8d46de7787bcf61ec15c6fc2bf9922d0a2d14743
Jin-gyu Kim [Thu, 25 Nov 2021 22:59:18 +0000 (07:59 +0900)]
When running smack rule test, all apps need to be executed twice.
- Some applications may have dependencies on other apps,
so double execution is required at first.
Change-Id: I0b345f2348d8bec0fda6a7256aa153d098ca3f89
Yunjin Lee [Mon, 15 Nov 2021 03:43:35 +0000 (12:43 +0900)]
Remove unused file
Change-Id: I74649d8f3e016893be24d66eec78b4fddc057d87
Yunjin Lee [Wed, 6 Oct 2021 01:28:43 +0000 (10:28 +0900)]
Add dbus-daemon-launch-helper as setuid exception for 64
Change-Id: I4aedd20b914e71b67e7860faf8bb7f850aa11511
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Jin-gyu Kim [Thu, 9 Sep 2021 01:09:56 +0000 (10:09 +0900)]
Set cap_dac_override to pkginfo-server
cap_dac_override : To write data on user database
Change-Id: I263ec0908df67a7ec67b873012c0821399aab084
Yunjin Lee [Mon, 6 Sep 2021 03:52:03 +0000 (12:52 +0900)]
Add nsjail.service
- Requested by SECSFV-203
Change-Id: I3adebd83ed0791217bb880000e0e145958f14a37
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Jin-gyu Kim [Fri, 3 Sep 2021 23:08:00 +0000 (08:08 +0900)]
Remove an unnecessary capability.
- cap_fowner is not needed for pkgmgr-server.
Change-Id: I605f138f51a1e0bb68f524697d7e72ef8b9d70fb
Yunjin Lee [Wed, 1 Sep 2021 08:59:30 +0000 (17:59 +0900)]
Add capabilities for res-copy
- cap_chown,cap_dac_override,cap_fowner is required to change
copied resources ownership(root:priv_platform). pkgmgr-server
fork execs it hence give cap_fowner to pkgmgr-server and give
ie for those caps to res-copy.
Change-Id: I951d5bfe4b17a66f871ec60ff935da8670850d18
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Jin-gyu Kim [Thu, 26 Aug 2021 01:23:49 +0000 (10:23 +0900)]
Add hal-rpmdb-checker.service
Requested by SECSFV-202
Change-Id: I33753ba9ad15b387c473dae0600099b4cf13e6ae
Jin-gyu Kim [Wed, 25 Aug 2021 02:16:24 +0000 (11:16 +0900)]
Add priv_platform group.
- Mapped with http://tizen.org/privilege/internal/default/platform
Change-Id: I614421b9e13cc65bf6800f011b2f84dadbc935b7
Jin-gyu Kim [Fri, 6 Aug 2021 00:49:12 +0000 (09:49 +0900)]
Add data-checkpoint.service & udev-trigger-dmbow@.service.
- Requested by SECSFV-201
Change-Id: I33bf75444ba1e677fc3956429a32140c4a091848
Jin-gyu Kim [Wed, 23 Jun 2021 10:19:27 +0000 (10:19 +0000)]
Merge "Add priv_peripheralio group id" into tizen
Jin-gyu Kim [Wed, 23 Jun 2021 04:06:25 +0000 (13:06 +0900)]
Add aslr exception lists.
- Some executables are included in packages not being compiled.
- In these cases, applying PIE option is not available.
Change-Id: I20b2da508ad01a9beeb0c497ed1086533da460ea
Jin-gyu Kim [Wed, 23 Jun 2021 01:48:03 +0000 (10:48 +0900)]
Add priv_peripheralio group id
- This will be mapped to http://tizen.org/privilege/peripheralio
Change-Id: I32130ffaf18b0034b0d4870afe9aa3c3f8fdef16
Jin-gyu Kim [Fri, 11 Jun 2021 19:08:25 +0000 (04:08 +0900)]
Check the existence of ipv6host before trying to write.
Change-Id: Ie79e77df84c7ee8ae5332d3ab59aaa898ccc5ce0
Dongkyun Son [Thu, 3 Jun 2021 02:54:19 +0000 (11:54 +0900)]
smack: add ip(10.0.2.15) to allow gdb remote debugging
To fix smack denial:
audit: type=1400 audit(1622180305.290:90): lsm=SMACK fn=smack_inet_conn_request action=denied subject="System::Privilege::Internet" object="User::Pkg::org.example.basicui4" requested=w pid=2315 comm="sdbd" saddr=10.0.2.15 src=39898 daddr=10.0.2.15 dest=26112 netif=lo
Change-Id: Id6ee685555d68df90ec226847e7d2c87c502333d
Signed-off-by: Dongkyun Son <dongkyun.s@samsung.com>
Tomasz Swierczek [Wed, 2 Jun 2021 09:30:30 +0000 (09:30 +0000)]
Merge "Add IPv6 configuration for internet privilege" into tizen
Jin-gyu Kim [Mon, 31 May 2021 19:50:33 +0000 (04:50 +0900)]
Add deviced-request-shutdown@.service
- Requested by SECSFV-200
Change-Id: I9487efef589b4987aae50559838df21f0a9bae8c
Tomasz Swierczek [Mon, 24 May 2021 07:54:36 +0000 (09:54 +0200)]
Add IPv6 configuration for internet privilege
Change-Id: I12b260cecb8352dc7dc9f943f2824d4639da8028
Jin-gyu Kim [Thu, 6 May 2021 05:56:37 +0000 (14:56 +0900)]
Add audio-aec.service to all profiles.
Requested by SECSFV-199
Change-Id: Ic040a99d69d2f670e152bc52313cab0476ddd0ca
Jin-gyu Kim [Mon, 3 May 2021 08:13:19 +0000 (17:13 +0900)]
Add missing SMACK labelling cmd in change_permission.
This does not affect any operation, but need to reset SMACK label
for any mismatch in SMACK label.
Change-Id: I0d6053c341d4070d25b7a0839ef439a4972ed424
Jin-gyu Kim [Mon, 3 May 2021 05:34:25 +0000 (14:34 +0900)]
Do not use rpm command in set_capability
"rpm" command may not exist in some cases.
Instead of using it, check a specific file path to determine a certain
rpm is installed or not.
Change-Id: I6f5fda1cd35cac3bc039c5b4e008b28eafdeb1c1
Jin-gyu Kim [Fri, 23 Apr 2021 05:31:51 +0000 (14:31 +0900)]
Create a new script for setting permissions.
This script needs to be run while image is being created or updated.
(After in-house applications are installed.)
We could consider it to be run in security-config service, but it will
increase the 1st boot time.
Change-Id: I5a11dd720ea46ae69b1acc6be09305c74fb39292
jin-gyu.kim [Wed, 7 Apr 2021 05:32:36 +0000 (14:32 +0900)]
Add accounts-service.service to tv profile.
Change-Id: Icad4a1e5679339ff0f509c765f291bda0383b246
jin-gyu.kim [Fri, 19 Mar 2021 06:52:12 +0000 (15:52 +0900)]
Add pkgmgr-info service & socket
Change-Id: I3ad594cf6e4161c5742af40555a75d84f5558035
jin-gyu.kim [Fri, 19 Mar 2021 02:37:32 +0000 (11:37 +0900)]
Add a comment to the last line of list files.
In some implementations, "read" in shell script cannot read a last line.
To avoid an unexpected problem, add a meaningless comment in every list file.
Change-Id: Iec5603152d71ef61ccfbe71fbab196ebc3eb1890
jin-gyu.kim [Fri, 19 Mar 2021 01:31:20 +0000 (10:31 +0900)]
Add missing uwb-manager service in iot profile.
Change-Id: Icb886ccd5b4c55f1bc2505af355066b2737fe494
jin-gyu.kim [Wed, 17 Mar 2021 05:01:21 +0000 (14:01 +0900)]
Add mdnsd.service
- Give cap_net_admin & cap_net_raw to /usr/sbin/mdnsd
Change-Id: Ic84a2302af6b434b7928c91b04b26f1d1a75cf53
jin-gyu.kim [Mon, 15 Mar 2021 08:22:12 +0000 (17:22 +0900)]
Include security-config service to TV profile.
Change-Id: Ibd7af5b37c7da399a24e3e8a0f093c3d09b64c3a
Jin-gyu Kim [Fri, 12 Mar 2021 06:17:46 +0000 (06:17 +0000)]
Merge "Add dump_systemstate.service" into tizen
Jin-gyu Kim [Fri, 12 Mar 2021 06:17:34 +0000 (06:17 +0000)]
Merge "Rename crash-service.service as bugreport.service" into tizen
jin-gyu.kim [Wed, 10 Mar 2021 08:35:19 +0000 (17:35 +0900)]
Add dump_systemstate.service
Change-Id: Ib1fbb601e03c21f6e74e5cc53e6e09380fd9e736
jin-gyu.kim [Wed, 10 Mar 2021 08:28:50 +0000 (17:28 +0900)]
Rename crash-service.service as bugreport.service
- Executable name is also changed as bugreport-service.
- Therefore, a change in set_capability is also included.
Change-Id: I407982d19f92f1084911d930e8ba070b47d2287f
jin-gyu.kim [Thu, 11 Mar 2021 04:21:33 +0000 (13:21 +0900)]
Add missing security-config service in TV profile.
Change-Id: Idfc59d09c699e176c3a116ccac8679dd99415e76
jin-gyu.kim [Tue, 9 Mar 2021 05:16:00 +0000 (14:16 +0900)]
Add uwb-manager service.
- Add it to common & tv profiles.
Change-Id: Ic424c600012bd80f171ac490ec93daa4ed060c3b
김진규/Security팀(SR)/Staff Engineer/삼성전자 [Wed, 3 Mar 2021 02:13:12 +0000 (11:13 +0900)]
Add obex service to tv profile.
Change-Id: I52840afeecff41d138969244c020871cffc10acf
INSUN PYO [Wed, 24 Feb 2021 09:19:51 +0000 (18:19 +0900)]
Add /usr/bin/qemu-arm-binfmt to ASLR exception list
/usr/bin/qemu-arm-binfmt is linked to /usr/bin/qemu-arm on mic-bootstrap.
(http://download.tizen.org/snapshots/tizen/unified/tizen-unified_20210223.1/repos/standard/packages/armv7l/mic-bootstrap-x86-arm-1.0-10.17.armv7l.rpm)
Sometimes local mic fails with mic error message. (Ubuntu 18.04 latest, mic 0.28.12)
===========================================================================================
[02/24 16:52:12 KST] #################### generic-security.post ####################
[02/24 16:52:12 KST] Give capabilities to daemons via set_capability from security-config package
[02/24 16:52:20 KST] Run security-test
[02/24 16:52:31 KST] /opt/share/security-config/test/image_test.sh: line 26: /bin/cat: Permission denied
[02/24 16:52:31 KST] /opt/share/security-config/test/image_test.sh: line 86: /bin/cat: Permission denied
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 298: /bin/security-manager-cmd: Permission denied
[02/24 16:52:31 KST] #################### generic-dbus-policychecker.post ####################
[02/24 16:52:31 KST]
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: Checking D-Bus policy file: /etc/dbus-1/system.d/alarm-service.conf
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: /usr/bin/dbuspolicy-checker: /bin/sh: bad interpreter: Permission denied
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 309: /bin/wc: Permission denied
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 309: /bin/grep: Permission denied
[02/24 16:52:31 KST]
[02/24 16:52:31 KST] /tmp/ks-postscript-yPaRp7: line 311: [: -gt: unary operator expected
===========================================================================================
sh-3.2# cat /opt/share/security-config/test/log/aslr_not_applied_files
/usr/bin/protoc
/usr/bin/qemu-arm-binfmt
/usr/sbin/glibc_post_upgrade
/usr/sbin/ldconfig
sh-3.2# cat /opt/share/security-config/test/log/aslr_test_tmpfile
/usr/bin/protoc
/usr/bin/qemu-arm
/usr/bin/qemu-arm-binfmt
/usr/sbin/glibc_post_upgrade
/usr/sbin/ldconfig
sh-3.2# cat /opt/share/security-config/test/log/image_test_log
ASLR not applied list ######
Change-Id: I488ab3a8e24e2ee94b74ac1cb8ed2af46fe98677
Yunjin Lee [Wed, 24 Feb 2021 07:32:17 +0000 (16:32 +0900)]
Add prebuilt included services(lhd, gpsd) to systemd service list
- Added prebuilt plugin included services - lhd.service and gpsd.service
- to systemd_service list of wearable profile temporarily
Change-Id: Ibae6c3a714d7b49a4d093045638db86f0d3d153f
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
jin-gyu.kim [Wed, 24 Feb 2021 06:01:05 +0000 (15:01 +0900)]
Add factory-reset & factory-reset-launch services to tv profile.
Change-Id: Ia895615eaa629979431139350fb7121c34e21a8f
jin-gyu.kim [Tue, 23 Feb 2021 04:04:41 +0000 (13:04 +0900)]
Fix a typo in spec file.
Change-Id: I3420291c8bd5e8d430cc1f1a463c77fadf5048e9
jin-gyu.kim [Tue, 23 Feb 2021 02:38:45 +0000 (11:38 +0900)]
Include onlycap list file in profile packages.
- Remove onlycap list file from security-config main rpm.
Change-Id: I5f37e7a21a8d1eada3095d29ed95797a226d7e6e
jin-gyu.kim [Mon, 22 Feb 2021 07:09:22 +0000 (16:09 +0900)]
Add smartreply service to tv profile.
Change-Id: I29d5a0ff40023f818463db53af7469dc3b77a062
jin-gyu.kim [Mon, 22 Feb 2021 04:28:46 +0000 (13:28 +0900)]
Add exception lists for SMACK execute label test.
- Some executables need to be set SMACK execute label.
- Add exception list file to include those cases.
Change-Id: I24a3abb50b6d5a2c43db276ab1219f64ef2a309a
jin-gyu.kim [Wed, 17 Feb 2021 05:31:06 +0000 (14:31 +0900)]
Include network_fw uid to dialout gid
Change-Id: Ib24dfdbf4a0cb0edab83b8f9df53eb223e56c9e4
jin-gyu.kim [Tue, 9 Feb 2021 02:16:51 +0000 (11:16 +0900)]
Include onlycap list files in all profiles.
Change-Id: Ibb604b782108ace1ae30e82627792d434f291931
jin-gyu.kim [Wed, 3 Feb 2021 07:08:18 +0000 (16:08 +0900)]
Add cap_sys_module capability to wfd-manager.
Change-Id: Ie9b10ac6f1d97b71eb73f0d1ab65a5d5f5b370cd