From f3667ff813bad9ff9c7f01e15feaf8170a141fbb Mon Sep 17 00:00:00 2001 From: Tomasz Swierczek Date: Fri, 4 Apr 2025 09:59:54 +0200 Subject: [PATCH] Add cap_setuid also for app loaders in dev_wos mode This requires adding cap_setuid to AmbientCapabilities in systemd's user service configuration. To avoid forking systemd we modify its configuration as a part of no-smack configuration script. Change-Id: I0d2892b2e123de6059e2dee6b34d5f15c9f0face
---
 config/generate_configure_wos | 71 ++++++++++++++++++++++++++++++++-- config/set_capability | 4 +- packaging/security-config.spec | 1 + 3 files changed, 70 insertions(+), 6 deletions(-)
diff --git a/config/generate_configure_wos b/config/generate_configure_wos
index 630207e..cab69b1 100755
--- a/config/generate_configure_wos
+++ b/config/generate_configure_wos
@@ -4,12 +4,48 @@ set -euo pipefail
 PATH=/bin:/usr/bin:/sbin:/usr/sbin
 
 function add_missing_caps {
-    # Launchpad needs additional caps. Re-setting them here with additional cap_setuid for the
+    # Launchpad & app loaders needs additional caps. Re-setting them here with additional cap_setuid for the
     # purpose of security-config development (rpm postinstall).
     if [ -e "/usr/bin/launchpad-process-pool" ]
     then
         existing_caps=`/usr/sbin/getcap /usr/bin/launchpad-process-pool | cut -f2 -d" " | cut -f1 -d"="`
-        /usr/sbin/setcap "${existing_caps},cap_setuid=eip" /usr/bin/launchpad-process-pool
+        /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/launchpad-process-pool
+    fi
+
+    if [ -e "/usr/bin/launchpad-loader" ] && [ ! -e "/usr/bin/launchpad-starter" ]
+    then
+        existing_caps=`/usr/sbin/getcap /usr/bin/launchpad-loader | cut -f2 -d" " | cut -f1 -d"="`
+        /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/launchpad-loader
+    fi
+
+    if [ -e "/usr/bin/app-defined-loader" ] && [ ! -e "/usr/bin/launchpad-starter" ]
+    then
+        existing_caps=`/usr/sbin/getcap /usr/bin/app-defined-loader | cut -f2 -d" " | cut -f1 -d"="`
+        /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/app-defined-loader
+    fi
+
+    if [ -e "/usr/bin/dotnet-hydra-loader" ]
+    then
+        existing_caps=`/usr/sbin/getcap /usr/bin/dotnet-hydra-loader | cut -f2 -d" " | cut -f1 -d"="`
+        /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/dotnet-hydra-loader
+    fi
+
+    if [ -e "/usr/bin/dotnet-loader" ]
+    then
+        existing_caps=`/usr/sbin/getcap /usr/bin/dotnet-loader | cut -f2 -d" " | cut -f1 -d"="`
+        /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/dotnet-loader
+    fi
+
+    if [ -e "/usr/bin/wrt-loader" ]
+    then
+        existing_caps=`/usr/sbin/getcap /usr/bin/wrt-loader | cut -f2 -d" " | cut -f1 -d"="`
+        /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/wrt-loader
+    fi
+
+    if [ -e "/usr/bin/lux" ]
+    then
+        existing_caps=`/usr/sbin/getcap /usr/bin/lux | cut -f2 -d" " | cut -f1 -d"="`
+        /usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/lux
     fi
 }
 
@@ -39,6 +75,14 @@ function give_rx_to_others {
     done
 }
 
+function add_caps_to_user_session {
+    user_service="/usr/lib/systemd/system/user@.service"
+    if [ -e "$user_service" ]
+    then
+        grep "AmbientCapabilities=.*cap_setuid" "$user_service" || sed -ri 's/(AmbientCapabilities=)/\1cap_setuid /' "$user_service"
+    fi
+}
+
 head -n "$((LINENO - 1))" "${BASH_SOURCE[0]}"
 echo 'services=('
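Review bot: Every new block in `add_missing_caps` feeds whatever the getcap/cut pipeline produced straight into `setcap "${existing_caps},cap_setuid=ei"`, so a loader that is present but carries no file capability yet (or a getcap that prints the older `path = caps+flags` form) yields an empty `existing_caps` and a `,cap_setuid=ei` argument that I would expect setcap to reject, which under `set -euo pipefail` aborts the whole postinstall. The seven copies differ only in the path and the launchpad-starter guard, so a helper taking the path, with `${existing_caps:+${existing_caps},}` guarding the empty case, keeps the loader list in one place; whether the dotnet, wrt and lux loaders should also be skipped when launchpad-starter exists is not visible here. The switch from `=eip` to `=ei` deserves a comment, because with `=ei` every listed capability of launchpad-process-pool, not only cap_setuid, now becomes permitted solely through the launching session's inheritable set: `# =ei only: cap_setuid is activated via the ambient set raised in user@.service`; the same comment is missing from both hunks of config/set_capability. The function starts and ends inside this hunk.
```shell
function add_setuid_cap {
    local bin=$1
    local existing_caps
    [ -e "$bin" ] || return 0
    # getcap prints "<path> <caps>=<flags>"; a file without caps prints nothing,
    # so guard the leading comma or setcap is handed ",cap_setuid=ei"
    existing_caps=$(/usr/sbin/getcap "$bin" | cut -f2 -d" " | cut -f1 -d"=")
    /usr/sbin/setcap "${existing_caps:+${existing_caps},}cap_setuid=ei" "$bin"
}

function add_missing_caps {
    # Launchpad & app loaders need additional caps. Re-setting them here with additional cap_setuid for the
    # purpose of security-config development (rpm postinstall).
    # =ei only: cap_setuid is activated via the ambient set raised in user@.service
    add_setuid_cap /usr/bin/launchpad-process-pool
    # TODO(review): the launchpad-starter guard mirrors set_capability; confirm whether it should also cover the loaders below
    if [ ! -e "/usr/bin/launchpad-starter" ]
    then
        add_setuid_cap /usr/bin/launchpad-loader
        add_setuid_cap /usr/bin/app-defined-loader
    fi
    for bin in /usr/bin/dotnet-hydra-loader /usr/bin/dotnet-loader /usr/bin/wrt-loader /usr/bin/lux
    do
        add_setuid_cap "$bin"
    done
}
```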
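Review bot: `add_caps_to_user_session` edits the packaged `/usr/lib/systemd/system/user@.service` in place, so the next systemd package update restores the vendor unit and silently drops cap_setuid from the ambient set, at which point every loader tagged `=ei` by `add_missing_caps` loses setuid with no error reported anywhere; and if the installed unit has no `AmbientCapabilities=` line at all, the `sed` matches nothing and the function still exits 0. A drop-in under `user@.service.d/` avoids both problems, since systemd merges repeated `AmbientCapabilities=` assignments and drop-ins survive package updates, which still fits the "no forking systemd" goal stated in the commit message. The `grep` should also be `grep -q` so the matched unit line is not printed into the postinstall output, and `user_service` should be `local`. The function starts and ends inside this hunk.
```shell
function add_caps_to_user_session {
    local user_service="/usr/lib/systemd/system/user@.service"
    local dropin_dir="${user_service}.d"
    # drop-in (file name constructed for this example) is merged into the unit and survives systemd package updates
    local dropin="${dropin_dir}/50-cap-setuid.conf"
    if [ -e "$user_service" ] && ! grep -q "AmbientCapabilities=.*cap_setuid" "$user_service"
    then
        mkdir -p "$dropin_dir"
        printf '[Service]\nAmbientCapabilities=cap_setuid\n' > "$dropin"
    fi
}
```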
@@ -49,16 +93,35 @@ echo 'add_groups'
 echo 'add_services_to_system_access_group "${services[@]}"'
 echo 'add_missing_caps'
 echo 'give_rx_to_others'
+echo 'add_caps_to_user_session'
 
 function update_set_capability_script {
-    # Launchpad needs additional caps. updating the set_capability script that is executed by *.ks
+    # Launchpad & loaders need additional caps. Updating the set_capability script that is executed by *.ks
     # file during image creation (after rpms are installed) and is tested with
     # test/capability_test/check_new_capabilites.sh afterwards
     SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
     sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/launchpad-process-pool)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
     sed -ri 's/(# Required\s+\/usr\/bin\/launchpad-process-pool\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+    sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/launchpad-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+    sed -ri 's/(# Required\s+\/usr\/bin\/launchpad-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+    sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/app-defined-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+    sed -ri 's/(# Required\s+\/usr\/bin\/app-defined-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+    sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/dotnet-hydra-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+    sed -ri 's/(# Required\s+\/usr\/bin\/dotnet-hydra-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+    sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/dotnet-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+    sed -ri 's/(# Required\s+\/usr\/bin\/dotnet-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+    sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/wrt-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+    sed -ri 's/(# Required\s+\/usr\/bin\/wrt-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+    sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/lux)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+    sed -ri 's/(# Required\s+\/usr\/bin\/lux\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
 }
 
-update_set_capability_script
\ No newline at end of file
+update_set_capability_script
diff --git a/config/set_capability b/config/set_capability
index 9f39d86..0d06e09 100755
--- a/config/set_capability
+++ b/config/set_capability
@@ -425,7 +425,7 @@ fi
 # Package platform/core/appfw/launchpad
 # Owner Junghoon Park(jh9216.park@samsung.com)
 # Date July 4, 2017
-# Required /usr/bin/launchpad-process-pool : cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_admin, cap_sys_nice, cap_sys_chroot : eip
+# Required /usr/bin/launchpad-process-pool : cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_admin, cap_sys_nice, cap_sys_chroot : ei
 # Required /usr/bin/launchpad-loader : cap_sys_admin,cap_sys_nice,cap_setgid : ei
 # cap_mac_admin to use security_manager_prepare_app()
 # cap_dac_override fd redirection in debug mode of app running
@@ -435,7 +435,7 @@ fi
 # cap_sys_chroot to use setns()
 
 if [ -e "/usr/bin/launchpad-process-pool" ]
-then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid,cap_sys_chroot=eip /usr/bin/launchpad-process-pool
+then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid,cap_sys_chroot=ei /usr/bin/launchpad-process-pool
 fi
 
 # TODO : condition check about launchpad-starter is temporary
diff --git a/packaging/security-config.spec b/packaging/security-config.spec
index 2776291..da1bf54 100755
--- a/packaging/security-config.spec
+++ b/packaging/security-config.spec
@@ -9,6 +9,7 @@ Source1: %{name}.manifest
 BuildRequires: cmake
 Requires: shadow-utils
 Requires: libcap-tools
+Requires: systemd
 
 %{!?TZ_SYS_RO_SHARE: %global TZ_SYS_RO_SHARE /usr/share}
 %global SECURITY_TEST_DIR %{TZ_SYS_RO_SHARE}/security-config/test
-- 
2.34.1
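Review bot: The twelve new `sed` lines in `update_set_capability_script` prepend `cap_setuid,` to whatever flag set each loader's setcap line already carries, while the config/set_capability hunks in this commit only move launchpad-process-pool from `=eip` to `=ei`; if any other loader's line still ends in `=eip`, cap_setuid lands in that binary's permitted set, which is broader than the `=ei` the same commit gives it in `add_missing_caps`. The setcap patterns are also not anchored at the end of the line, so `(.+ \/usr\/bin\/lux)` would equally match a longer path beginning with `/usr/bin/lux` if one is ever listed. A loop over the loader names with `\s*$` on the pattern, plus a grep that fails the run when a patched line still reads `=eip`, keeps the list in one place and makes the inheritable-only assumption explicit; drop that check if a loader is intentionally left at `=eip`. The function starts and ends inside this hunk.
```shell
function update_set_capability_script {
    # … unchanged: header comment and SCRIPT_DIR …
    local bin
    for bin in launchpad-process-pool launchpad-loader app-defined-loader dotnet-hydra-loader dotnet-loader wrt-loader lux
    do
        # anchor on the line end so a short name such as lux cannot also match a longer path
        sed -ri "s/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/${bin})\s*$/\1 cap_setuid,\2/" "$SCRIPT_DIR/set_capability"
        sed -ri "s/(# Required\s+\/usr\/bin\/${bin}\s+:)(.+)$/\1 cap_setuid,\2/" "$SCRIPT_DIR/set_capability"
        # cap_setuid is meant to be inheritable only (=ei); refuse a line that would also make it permitted
        if grep -Eq "setcap\s+cap_setuid,[^ ]*=eip\s+/usr/bin/${bin}(\s|$)" "$SCRIPT_DIR/set_capability"
        then
            echo "set_capability still grants /usr/bin/${bin} its caps as =eip; cap_setuid must be =ei" >&2
            return 1
        fi
    done
}
```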