From f3667ff813bad9ff9c7f01e15feaf8170a141fbb Mon Sep 17 00:00:00 2001
From: Tomasz Swierczek <t.swierczek@samsung.com>
Date: Fri, 4 Apr 2025 09:59:54 +0200
Subject: [PATCH] Add cap_setuid also for app loaders in dev_wos mode

This requires adding cap_setuid to AmbientCapabilities in systemd's user
service configuration. To avoid forking systemd we modify its
configuration as a part of no-smack configuration script.

Change-Id: I0d2892b2e123de6059e2dee6b34d5f15c9f0face
---
 config/generate_configure_wos  | 71 ++++++++++++++++++++++++++++++++--
 config/set_capability          |  4 +-
 packaging/security-config.spec |  1 +
 3 files changed, 70 insertions(+), 6 deletions(-)

diff --git a/config/generate_configure_wos b/config/generate_configure_wos
index 630207e..cab69b1 100755
--- a/config/generate_configure_wos
+++ b/config/generate_configure_wos
@@ -4,12 +4,48 @@ set -euo pipefail
 PATH=/bin:/usr/bin:/sbin:/usr/sbin
 
 function add_missing_caps {
-	# Launchpad needs additional caps. Re-setting them here with additional cap_setuid for the
+	# Launchpad & app loaders needs additional caps. Re-setting them here with additional cap_setuid for the
 	# purpose of security-config development (rpm postinstall).
 	if [ -e "/usr/bin/launchpad-process-pool" ]
 	then
 		existing_caps=`/usr/sbin/getcap /usr/bin/launchpad-process-pool | cut -f2 -d" " | cut -f1 -d"="`
-		/usr/sbin/setcap "${existing_caps},cap_setuid=eip" /usr/bin/launchpad-process-pool
+		/usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/launchpad-process-pool
+	fi
+
+	if [ -e "/usr/bin/launchpad-loader" ] && [ ! -e "/usr/bin/launchpad-starter" ]
+	then
+		existing_caps=`/usr/sbin/getcap /usr/bin/launchpad-loader | cut -f2 -d" " | cut -f1 -d"="`
+		/usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/launchpad-loader
+	fi
+
+	if [ -e "/usr/bin/app-defined-loader" ] && [ ! -e "/usr/bin/launchpad-starter" ]
+	then
+		existing_caps=`/usr/sbin/getcap /usr/bin/app-defined-loader | cut -f2 -d" " | cut -f1 -d"="`
+		/usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/app-defined-loader
+	fi
+
+	if [ -e "/usr/bin/dotnet-hydra-loader" ]
+	then
+		existing_caps=`/usr/sbin/getcap /usr/bin/dotnet-hydra-loader | cut -f2 -d" " | cut -f1 -d"="`
+		/usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/dotnet-hydra-loader
+	fi
+
+	if [ -e "/usr/bin/dotnet-loader" ]
+	then
+		existing_caps=`/usr/sbin/getcap /usr/bin/dotnet-loader | cut -f2 -d" " | cut -f1 -d"="`
+		/usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/dotnet-loader
+	fi
+
+	if [ -e "/usr/bin/wrt-loader" ]
+	then
+		existing_caps=`/usr/sbin/getcap /usr/bin/wrt-loader | cut -f2 -d" " | cut -f1 -d"="`
+		/usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/wrt-loader
+	fi
+
+	if [ -e "/usr/bin/lux" ]
+	then
+		existing_caps=`/usr/sbin/getcap /usr/bin/lux | cut -f2 -d" " | cut -f1 -d"="`
+		/usr/sbin/setcap "${existing_caps},cap_setuid=ei" /usr/bin/lux
 	fi
 }
 
@@ -39,6 +75,14 @@ function give_rx_to_others {
 	done
 }
 
+function add_caps_to_user_session {
+	user_service="/usr/lib/systemd/system/user@.service"
+	if [ -e "$user_service" ]
+	then
+		grep "AmbientCapabilities=.*cap_setuid" "$user_service" || sed -ri 's/(AmbientCapabilities=)/\1cap_setuid /' "$user_service"
+	fi
+}
+
 head -n "$((LINENO - 1))" "${BASH_SOURCE[0]}"
 
 echo 'services=('
@@ -49,16 +93,35 @@ echo 'add_groups'
 echo 'add_services_to_system_access_group "${services[@]}"'
 echo 'add_missing_caps'
 echo 'give_rx_to_others'
+echo 'add_caps_to_user_session'
 
 
 function update_set_capability_script {
-	# Launchpad needs additional caps. updating the set_capability script that is executed by *.ks
+	# Launchpad & loaders need additional caps. Updating the set_capability script that is executed by *.ks
 	# file during image creation (after rpms are installed) and is tested with
 	# test/capability_test/check_new_capabilites.sh afterwards
 	SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
 	sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/launchpad-process-pool)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
 	sed -ri 's/(# Required\s+\/usr\/bin\/launchpad-process-pool\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+	sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/launchpad-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+	sed -ri 's/(# Required\s+\/usr\/bin\/launchpad-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+	sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/app-defined-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+	sed -ri 's/(# Required\s+\/usr\/bin\/app-defined-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+	sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/dotnet-hydra-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+	sed -ri 's/(# Required\s+\/usr\/bin\/dotnet-hydra-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+	sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/dotnet-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+	sed -ri 's/(# Required\s+\/usr\/bin\/dotnet-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+	sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/wrt-loader)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+	sed -ri 's/(# Required\s+\/usr\/bin\/wrt-loader\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+
+	sed -ri 's/(\/usr\/sbin\/setcap\s+)(.+ \/usr\/bin\/lux)/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
+	sed -ri 's/(# Required\s+\/usr\/bin\/lux\s+:)(.+)$/\1 cap_setuid,\2/' "$SCRIPT_DIR/set_capability"
 }
 
-update_set_capability_script
\ No newline at end of file
+update_set_capability_script
diff --git a/config/set_capability b/config/set_capability
index 9f39d86..0d06e09 100755
--- a/config/set_capability
+++ b/config/set_capability
@@ -425,7 +425,7 @@ fi
 # Package               platform/core/appfw/launchpad
 # Owner                 Junghoon Park(jh9216.park@samsung.com)
 # Date                  July 4, 2017
-# Required              /usr/bin/launchpad-process-pool : cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_admin, cap_sys_nice, cap_sys_chroot : eip
+# Required              /usr/bin/launchpad-process-pool : cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_admin, cap_sys_nice, cap_sys_chroot : ei
 # Required              /usr/bin/launchpad-loader : cap_sys_admin,cap_sys_nice,cap_setgid : ei
 # cap_mac_admin		to use security_manager_prepare_app()
 # cap_dac_override      fd redirection in debug mode of app running
@@ -435,7 +435,7 @@ fi
 # cap_sys_chroot	to use setns()
 
 if [ -e "/usr/bin/launchpad-process-pool" ]
-then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid,cap_sys_chroot=eip /usr/bin/launchpad-process-pool
+then /usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid,cap_sys_chroot=ei /usr/bin/launchpad-process-pool
 fi
 
 # TODO : condition check about launchpad-starter is temporary
diff --git a/packaging/security-config.spec b/packaging/security-config.spec
index 2776291..da1bf54 100755
--- a/packaging/security-config.spec
+++ b/packaging/security-config.spec
@@ -9,6 +9,7 @@ Source1:        %{name}.manifest
 BuildRequires:  cmake
 Requires:       shadow-utils
 Requires:       libcap-tools
+Requires:       systemd
 
 %{!?TZ_SYS_RO_SHARE: %global TZ_SYS_RO_SHARE /usr/share}
 %global SECURITY_TEST_DIR %{TZ_SYS_RO_SHARE}/security-config/test
-- 
2.34.1