From 1584bbf77ce59b2d5987b01a8bd327376ba44b8e Mon Sep 17 00:00:00 2001
From: Sooyoung Ha <yoosah.ha@samsung.com>
Date: Tue, 25 Jul 2017 15:29:36 +0900
Subject: [PATCH] service: apply capabilities for security

Change-Id: If8ea4bba3476acf2d2043f17f6f8b63538fd9f8f
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
---
 packaging/sdbd_device.service      | 2 ++
 packaging/sdbd_device_tv.service   | 2 ++
 packaging/sdbd_emulator.service    | 2 ++
 packaging/sdbd_emulator_tv.service | 2 ++
 packaging/sdbd_tcp.service         | 2 ++
 5 files changed, 10 insertions(+)

diff --git a/packaging/sdbd_device.service b/packaging/sdbd_device.service
index b47e8f3..779e42e 100644
--- a/packaging/sdbd_device.service
+++ b/packaging/sdbd_device.service
@@ -12,6 +12,8 @@ EnvironmentFile=-/run/tizen-system-env
 PIDFile=/tmp/.sdbd.pid
 Restart=on-failure
 SmackProcessLabel=System
+Capabilities=cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin=i
+SecureBits=keep-caps
 ExecStart=/usr/sbin/sdbd
 
 [Install]
diff --git a/packaging/sdbd_device_tv.service b/packaging/sdbd_device_tv.service
index fe3c965..0ea497d 100644
--- a/packaging/sdbd_device_tv.service
+++ b/packaging/sdbd_device_tv.service
@@ -11,6 +11,8 @@ EnvironmentFile=-/run/tizen-system-env
 OOMScoreAdjust=-1000
 PIDFile=/tmp/.sdbd.pid
 Restart=on-failure
+Capabilities=cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin=i
+SecureBits=keep-caps
 ExecStart=/usr/sbin/sdbd
 
 [Install]
diff --git a/packaging/sdbd_emulator.service b/packaging/sdbd_emulator.service
index abd1605..74c5d9b 100644
--- a/packaging/sdbd_emulator.service
+++ b/packaging/sdbd_emulator.service
@@ -13,6 +13,8 @@ PIDFile=/tmp/.sdbd.pid
 RemainAfterExit=yes
 #ExecStartPre=/bin/bash -c "/bin/echo '10.0.2.15/32 system::debugging_network' >> /smack/netlabel"
 SmackProcessLabel=System
+Capabilities=cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin=i
+SecureBits=keep-caps
 ExecStart=/bin/sh -c "/usr/sbin/sdbd `/usr/bin/awk '{match($0, /sdb_port=([0-9]+)/,port_match); match($0, /vm_name=([^, ]*)/,vm_match); print \"--emulator=\" vm_match[1] \":\" port_match[1] \" --connect-to=10.0.2.2:26099\" \" --sensors=10.0.2.2:\"port_match[1]+3 }' /proc/cmdline`"
 
 [Install]
diff --git a/packaging/sdbd_emulator_tv.service b/packaging/sdbd_emulator_tv.service
index 4d81fd2..3627ded 100644
--- a/packaging/sdbd_emulator_tv.service
+++ b/packaging/sdbd_emulator_tv.service
@@ -12,6 +12,8 @@ Environment=DISPLAY=:0
 PIDFile=/tmp/.sdbd.pid
 RemainAfterExit=yes
 OOMScoreAdjust=-1000
+Capabilities=cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin=i
+SecureBits=keep-caps
 #ExecStartPre=/bin/bash -c "/bin/echo '10.0.2.15/32 system::debugging_network' >> /smack/netlabel"
 ExecStart=/bin/sh -c "/usr/sbin/sdbd `/usr/bin/awk '{match($0, /sdb_port=([0-9]+)/,port_match); match($0, /vm_name=([^, ]*)/,vm_match); print \"--emulator=\" vm_match[1] \":\" port_match[1] \" --connect-to=10.0.2.2:26099\" \" --sensors=10.0.2.2:\"port_match[1]+3 }' /proc/cmdline`"
 
diff --git a/packaging/sdbd_tcp.service b/packaging/sdbd_tcp.service
index ade025c..5269cfe 100644
--- a/packaging/sdbd_tcp.service
+++ b/packaging/sdbd_tcp.service
@@ -8,4 +8,6 @@ Environment=DISPLAY=:0
 PIDFile=/tmp/.sdbd.pid
 RemainAfterExit=yes
 SmackProcessLabel=System
+Capabilities=cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin=i
+SecureBits=keep-caps
 ExecStart=/usr/sbin/sdbd --listen-port=26101
-- 
2.7.4