Make CAP_DAC_OVERRIDE inheritable for using xdelta3

Currently, xdelta3 has CAP_DAC_OVERRIDE itself by file capability.
This is security hole, because attacker can modify any files using
xdelta3. To prevent this problem, make xdelta3 have CAP_DAC_OVERRIDE
only by inheriting from server.

Change-Id: I76f9416cff0c8b2e54c18093c162f6044c399245
Signed-off-by: Sangyoon Jang <s89.jang@samsung.com>

diff --git a/package-manager.service.in b/package-manager.service.in
index c3aa925..0bfb548 100644 (file)
--- a/package-manager.service.in
+++ b/package-manager.service.in
@@ -5,4 +5,7 @@ Description=Tizen Package Manager
 User=app_fw
 Group=app_fw
 SmackProcessLabel=System
+# CAP_DAC_OVERRIDE should be inheritable for using xdelta3
+Capabilities=cap_dac_override=i
+SecureBits=keep-caps
 ExecStart=@PREFIX@/bin/pkgmgr-server