diff options
author | taesub kim <taesub.kim@samsung.com> | 2017-06-22 17:49:20 +0900 |
---|---|---|
committer | taesub kim <taesub.kim@samsung.com> | 2017-07-20 15:51:29 +0900 |
commit | e4544ee49501928e15c2174d1e4936dc6ff7d97e (patch) | |
tree | fc25dab6d28a737344467b8924e0667bcb5adae7 | |
parent | ce407f97aed0fdba65b5d881ef19cd7ee5e7abeb (diff) | |
download | connman-e4544ee49501928e15c2174d1e4936dc6ff7d97e.tar.gz connman-e4544ee49501928e15c2174d1e4936dc6ff7d97e.tar.bz2 connman-e4544ee49501928e15c2174d1e4936dc6ff7d97e.zip |
Migrate root daemon to non rootsubmit/tizen/20170724.063335
Change-Id: I0d0afacc8a11fadc8128f6eef3f64f7a4ca8675b
Signed-off-by: Taesub Kim <taesub.kim@samsung.com>
-rwxr-xr-x | Makefile.am | 31 | ||||
-rwxr-xr-x | configure.ac | 26 | ||||
-rwxr-xr-x | packaging/connman.spec | 70 | ||||
-rwxr-xr-x | plugins/connman-nmcompat.conf | 4 | ||||
-rw-r--r-- | resources/usr/share/dbus-1/system-services/net.connman.service | 3 | ||||
-rwxr-xr-x | scripts/connman.in | 2 | ||||
-rwxr-xr-x | src/connman-dbus.conf | 13 | ||||
-rwxr-xr-x | src/connman-polkit.conf | 6 | ||||
-rw-r--r-- | src/connman.conf | 6 | ||||
-rwxr-xr-x | src/connman.service.in | 8 | ||||
-rw-r--r-- | src/connman_tv.service.in | 8 | ||||
-rwxr-xr-x | src/log.c | 2 | ||||
-rwxr-xr-x | src/net.connman.service.in | 3 | ||||
-rwxr-xr-x | vpn/connman-vpn.service.in | 8 | ||||
-rwxr-xr-x | vpn/net.connman.vpn.service.in | 3 | ||||
-rwxr-xr-x | vpn/vpn-dbus.conf | 6 | ||||
-rwxr-xr-x | vpn/vpn-polkit.conf | 4 |
17 files changed, 152 insertions, 51 deletions
diff --git a/Makefile.am b/Makefile.am index 9fd16a0d..cadd787d 100755 --- a/Makefile.am +++ b/Makefile.am @@ -59,20 +59,31 @@ if VPN dbusconf_DATA += vpn/connman-vpn-dbus.conf dbusservicedir = @DBUS_DATADIR@ dbusservice_DATA = vpn/net.connman.vpn.service -endif if SYSTEMD systemdunitdir = @SYSTEMD_UNITDIR@ systemdunit_DATA = src/connman.service vpn/connman-vpn.service endif -endif service_files_sources = src/connman.service.in src/net.connman.service.in \ vpn/net.connman.vpn.service.in vpn/connman-vpn.service.in service_files = src/connman.service src/net.connman.service \ vpn/net.connman.vpn.service vpn/connman-vpn.service +else + +if SYSTEMD +systemdunitdir = @SYSTEMD_UNITDIR@ +systemdunit_DATA = src/connman.service + +endif + +service_files_sources = src/connman.service.in src/net.connman.service.in +service_files = src/connman.service src/net.connman.service +endif +endif + plugin_LTLIBRARIES = plugin_objects = @@ -83,13 +94,21 @@ builtin_libadd = builtin_cflags = noinst_PROGRAMS = +if TIZEN_EXT +bin_PROGRAMS = src/connmand +else bin_PROGRAMS = +endif unit_objects = MANUAL_PAGES = +if TIZEN_EXT +sbin_PROGRAMS = +else sbin_PROGRAMS = src/connmand +endif src_connmand_SOURCES = $(gdhcp_sources) $(gweb_sources) \ $(builtin_sources) $(shared_sources) src/connman.ver \ @@ -128,7 +147,11 @@ builtin_vpn_sources = builtin_vpn_libadd = builtin_vpn_cflags = +if TIZEN_EXT +bin_PROGRAMS += vpn/connman-vpnd +else sbin_PROGRAMS += vpn/connman-vpnd +endif vpn_connman_vpnd_SOURCES = $(gdhcp_sources) $(builtin_vpn_sources) \ $(gweb_sources) vpn/vpn.ver vpn/main.c vpn/vpn.h \ @@ -258,7 +281,7 @@ include Makefile.plugins if CLIENT bin_PROGRAMS += client/connmanctl -MANUAL_PAGES = doc/connmanctl.1 +#MANUAL_PAGES = doc/connmanctl.1 client_connmanctl_SOURCES = client/dbus_helpers.h client/dbus_helpers.c \ client/services.h client/services.c \ @@ -395,7 +418,7 @@ EXTRA_DIST += doc/overview-api.txt doc/behavior-api.txt \ EXTRA_DIST += src/main.conf \ src/eduroam.config -MANUAL_PAGES += doc/connman.8 doc/connman.conf.5 +#MANUAL_PAGES += doc/connman.8 doc/connman.conf.5 dist_man_MANS = $(MANUAL_PAGES) diff --git a/configure.ac b/configure.ac index cd2013f4..856692b5 100755 --- a/configure.ac +++ b/configure.ac @@ -67,6 +67,14 @@ AC_ARG_ENABLE(telephony, AM_CONDITIONAL(TELEPHONY, test "${enable_telephony}" != "no") AM_CONDITIONAL(TELEPHONY_BUILTIN, test "${enable_telephony}" = "builtin") +AC_ARG_ENABLE(tizen-ext, + AC_HELP_STRING([--enable-tizen-ext], [enable TIZEN extensions]), + [if (test "${enableval}" = "yes"); then + CFLAGS="$CFLAGS -DTIZEN_EXT" + LIBS="$LIBS -lsmack" + fi]) +AM_CONDITIONAL(TIZEN_EXT, test "${enable-tizen-ext}" != "no") + AC_ARG_WITH(openconnect, AC_HELP_STRING([--with-openconnect=PROGRAM], [specify location of openconnect binary]), [path_openconnect=${withval}]) @@ -75,7 +83,7 @@ AC_ARG_ENABLE(openconnect, [enable_openconnect=${enableval}], [enable_openconnect="no"]) if (test "${enable_openconnect}" != "no"); then if (test -z "${path_openconnect}"); then - AC_PATH_PROG(OPENCONNECT, [openconnect], [], $PATH:/sbin:/usr/sbin) + AC_PATH_PROG(OPENCONNECT, [openconnect], [], $PATH:/bin:/usr/bin) if (test -z "${OPENCONNECT}"); then AC_MSG_ERROR(openconnect binary not found) fi @@ -95,7 +103,7 @@ AC_ARG_ENABLE(openvpn, [enable_openvpn=${enableval}], [enable_openvpn="no"]) if (test "${enable_openvpn}" != "no"); then if (test -z "${path_openvpn}"); then - AC_PATH_PROG(OPENVPN, [openvpn], [], $PATH:/sbin:/usr/sbin) + AC_PATH_PROG(OPENVPN, [openvpn], [], $PATH:/bin:/usr/bin) if (test -z "${OPENVPN}"); then AC_MSG_ERROR(openvpn binary not found) fi @@ -143,7 +151,7 @@ AC_ARG_ENABLE(vpnc, [enable_vpnc=${enableval}], [enable_vpnc="no"]) if (test "${enable_vpnc}" != "no"); then if (test -z "${path_vpnc}"); then - AC_PATH_PROG(VPNC, [vpnc], [], $PATH:/sbin:/usr/sbin) + AC_PATH_PROG(VPNC, [vpnc], [], $PATH:/bin:/usr/bin) if (test -z "${VPNC}"); then AC_MSG_ERROR(vpnc binary not found) fi @@ -163,7 +171,7 @@ AC_ARG_ENABLE(l2tp, [enable_l2tp=${enableval}], [enable_l2tp="no"]) if (test "${enable_l2tp}" != "no"); then if (test -z "${path_pppd}"); then - AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin) + AC_PATH_PROG(PPPD, [pppd], [/usr/bin/pppd], $PATH:/bin:/usr/bin) else PPPD="${path_pppd}" AC_SUBST(PPPD) @@ -171,7 +179,7 @@ if (test "${enable_l2tp}" != "no"); then AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes, AC_MSG_ERROR(ppp header files are required)) if (test -z "${path_l2tp}"); then - AC_PATH_PROG(L2TP, [xl2tpd], [/usr/sbin/xl2tpd], $PATH:/sbin:/usr/sbin) + AC_PATH_PROG(L2TP, [xl2tpd], [/usr/bin/xl2tpd], $PATH:/bin:/usr/bin) else L2TP="${path_l2tp}" AC_SUBST(L2TP) @@ -188,7 +196,7 @@ AC_ARG_ENABLE(pptp, [enable_pptp=${enableval}], [enable_pptp="no"]) if (test "${enable_pptp}" != "no"); then if (test -z "${path_pppd}"); then - AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin) + AC_PATH_PROG(PPPD, [pppd], [/usr/bin/pppd], $PATH:/bin:/usr/bin) else PPPD="${path_pppd}" AC_SUBST(PPPD) @@ -196,7 +204,7 @@ if (test "${enable_pptp}" != "no"); then AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes, AC_MSG_ERROR(ppp header files are required)) if (test -z "${path_pptp}"); then - AC_PATH_PROG(PPTP, [pptp], [/usr/sbin/pptp], $PATH:/sbin:/usr/sbin) + AC_PATH_PROG(PPTP, [pptp], [/usr/bin/pptp], $PATH:/bin:/usr/bin) else PPTP="${path_pptp}" AC_SUBST(PPTP) @@ -383,7 +391,7 @@ AM_CONDITIONAL(TOOLS, test "${enable_tools}" != "no") if (test "${enable_tools}" != "no"); then AC_PATH_PROGS(IPTABLES_SAVE, [iptables-save], [], - $PATH:/sbin:/usr/sbin) + $PATH:/bin:/usr/bin) IPTABLES_SAVE=$ac_cv_path_IPTABLES_SAVE else IPTABLES_SAVE="" @@ -415,7 +423,7 @@ fi if (test "${enable_wifi}" != "no"); then AC_PATH_PROG(WPASUPPLICANT, [wpa_supplicant], [], - $PATH:/sbin:/usr/sbin) + $PATH:/bin:/usr/bin) fi AC_ARG_ENABLE(datafiles, AC_HELP_STRING([--disable-datafiles], diff --git a/packaging/connman.spec b/packaging/connman.spec index e653e084..f7947cbe 100755 --- a/packaging/connman.spec +++ b/packaging/connman.spec @@ -133,7 +133,7 @@ This overwrites conf file of %{name}. %build -CFLAGS+=" -DTIZEN_EXT -lsmack -Werror" +#CFLAGS+=" -DTIZEN_EXT -lsmack -Werror" CFLAGS+=" -DTIZEN_SYS_CA_BUNDLE=\"%TZ_SYS_RO_CA_BUNDLE\"" %if %{with connman_vpnd} @@ -145,6 +145,7 @@ chmod +x bootstrap %configure \ --sysconfdir=/etc \ --enable-client \ + --enable-tizen-ext \ --enable-pacrunner \ --enable-wifi=builtin \ %if %{with connman_openconnect} @@ -228,8 +229,8 @@ mkdir -p %{buildroot}%{upgrade_script_path} cp -f scripts/%{upgrade_script_filename} %{buildroot}%{upgrade_script_path} %post -chsmack -a 'System' /%{_localstatedir}/lib/connman -chsmack -a 'System' /%{_localstatedir}/lib/connman/settings +#chsmack -a 'System' /%{_localstatedir}/lib/connman +#chsmack -a 'System' /%{_localstatedir}/lib/connman/settings %preun @@ -240,27 +241,27 @@ systemctl daemon-reload %files %manifest connman.manifest -%attr(500,root,root) %{_sbindir}/* -%attr(500,root,root) %{_bindir}/connmanctl -%attr(600,root,root) /%{_localstatedir}/lib/connman/settings +%attr(500,network_fw,network_fw) %{_bindir}/* +%attr(500,network_fw,network_fw) %{_bindir}/connmanctl +%attr(755,network_fw,network_fw) /%{_localstatedir}/lib/connman +%attr(600,network_fw,network_fw) /%{_localstatedir}/lib/connman/settings #%{_libdir}/connman/plugins/*.so -%attr(644,root,root) %{_datadir}/dbus-1/system-services/* -#%{_datadir}/dbus-1/services/* +%attr(644,network_fw,network_fw) %{_datadir}/dbus-1/system-services/* %{_sysconfdir}/dbus-1/system.d/* -%attr(644,root,root) %{_sysconfdir}/connman/main.conf +%attr(644,network_fw,network_fw) %{_sysconfdir}/connman/main.conf %{_sysconfdir}/dbus-1/system.d/*.conf -%attr(644,root,root) %{_libdir}/systemd/system/connman.service -%attr(644,root,root) %{_libdir}/systemd/system/multi-user.target.wants/connman.service -%attr(644,root,root) %{_libdir}/systemd/system/connman-vpn.service +%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman.service +%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/multi-user.target.wants/connman.service +%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman-vpn.service %if "%{?_lib}" == "lib64" -%attr(644,root,root) %{_unitdir}/connman.service -%attr(644,root,root) %{_unitdir}/multi-user.target.wants/connman.service -%attr(644,root,root) %{_unitdir}/connman-vpn.service -%attr(644,root,root) %{_unitdir}/connman.socket -%attr(644,root,root) %{_unitdir}/sockets.target.wants/connman.socket +%attr(644,network_fw,network_fw) %{_unitdir}/connman.service +%attr(644,network_fw,network_fw) %{_unitdir}/multi-user.target.wants/connman.service +%attr(644,network_fw,network_fw) %{_unitdir}/connman-vpn.service +%attr(644,network_fw,network_fw) %{_unitdir}/connman.socket +%attr(644,network_fw,network_fw) %{_unitdir}/sockets.target.wants/connman.socket %else -%attr(644,root,root) %{_libdir}/systemd/system/connman.socket -%attr(644,root,root) %{_libdir}/systemd/system/sockets.target.wants/connman.socket +%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman.socket +%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/sockets.target.wants/connman.socket %endif %license COPYING %{upgrade_script_path}/%{upgrade_script_filename} @@ -281,6 +282,11 @@ systemctl daemon-reload %{_libdir}/connman/scripts/openconnect-script %{_datadir}/dbus-1/system-services/net.connman.vpn.service %license COPYING +%if "%{?_lib}" == "lib64" +%attr(644,network_fw,network_fw) %{_unitdir}/connman-vpn.service +%else +%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman-vpn.service +%endif %endif %if %{with connman_openvpn} @@ -290,6 +296,11 @@ systemctl daemon-reload %{_libdir}/%{name}/scripts/openvpn-script %{_datadir}/dbus-1/system-services/net.connman.vpn.service %license COPYING +%if "%{?_lib}" == "lib64" +%attr(644,network_fw,network_fw) %{_unitdir}/connman-vpn.service +%else +%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman-vpn.service +%endif %endif %if %{with connman_ipsec} @@ -298,34 +309,45 @@ systemctl daemon-reload %{_libdir}/%{name}/plugins-vpn/ipsec.so %{_libdir}/%{name}/scripts/ipsec-script %{_datadir}/dbus-1/system-services/net.connman.vpn.service +%license COPYING +%if "%{?_lib}" == "lib64" +%attr(644,network_fw,network_fw) %{_unitdir}/connman-vpn.service +%else +%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman-vpn.service +%endif %endif %if %{with connman_vpnd} %files connman-vpnd %manifest %{name}.manifest -#%{_sbindir}/connman-vpnd +#%{_bindir}/connman-vpnd %dir %{_libdir}/%{name} %dir %{_libdir}/%{name}/scripts %dir %{_libdir}/%{name}/plugins-vpn %config %{_sysconfdir}/dbus-1/system.d/connman-vpn-dbus.conf %{_datadir}/dbus-1/system-services/net.connman.vpn.service %license COPYING +%if "%{?_lib}" == "lib64" +%attr(644,network_fw,network_fw) %{_unitdir}/connman-vpn.service +%else +%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman-vpn.service +%endif %endif %post extension-tv mv -f %{_libdir}/systemd/system/connman.service.tv %{_libdir}/systemd/system/connman.service mv -f %{_sysconfdir}/connman/main.conf.tv %{_sysconfdir}/connman/main.conf %files extension-tv -%attr(644,root,root) %{_sysconfdir}/connman/main.conf.tv +%attr(644,network_fw,network_fw) %{_sysconfdir}/connman/main.conf.tv %license COPYING %if "%{?_lib}" == "lib64" -%attr(644,root,root) %{_unitdir}/connman.service.tv +%attr(644,network_fw,network_fw) %{_unitdir}/connman.service.tv %else -%attr(644,root,root) %{_libdir}/systemd/system/connman.service.tv +%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman.service.tv %endif %post extension-ivi mv -f %{_sysconfdir}/connman/main.conf.ivi %{_sysconfdir}/connman/main.conf %files extension-ivi -%attr(644,root,root) %{_sysconfdir}/connman/main.conf.ivi +%attr(644,network_fw,network_fw) %{_sysconfdir}/connman/main.conf.ivi %license COPYING diff --git a/plugins/connman-nmcompat.conf b/plugins/connman-nmcompat.conf index 5887a345..a051d927 100755 --- a/plugins/connman-nmcompat.conf +++ b/plugins/connman-nmcompat.conf @@ -5,6 +5,10 @@ <allow own="org.freedesktop.NetworkManager"/> <allow send_destination="org.freedesktop.NetworkManager"/> </policy> + <policy user="network_fw"> + <allow own="org.freedesktop.NetworkManager"/> + <allow send_destination="org.freedesktop.NetworkManager"/> + </policy> <policy at_console="true"> <allow send_destination="org.freedesktop.NetworkManager"/> </policy> diff --git a/resources/usr/share/dbus-1/system-services/net.connman.service b/resources/usr/share/dbus-1/system-services/net.connman.service index 9679c1be..990eb66b 100644 --- a/resources/usr/share/dbus-1/system-services/net.connman.service +++ b/resources/usr/share/dbus-1/system-services/net.connman.service @@ -1,5 +1,6 @@ [D-BUS Service] Name=net.connman Exec=/bin/false -User=root +User=network_fw +Group=network_fw SystemdService=connman.service diff --git a/scripts/connman.in b/scripts/connman.in index 1692b950..2c380abb 100755 --- a/scripts/connman.in +++ b/scripts/connman.in @@ -1,6 +1,6 @@ #!/bin/sh -DAEMON=@sbindir@/connmand +DAEMON=@bindir@/connmand DESC="Connection Manager" . /lib/lsb/init-functions diff --git a/src/connman-dbus.conf b/src/connman-dbus.conf index 98a773ea..29106dc7 100755 --- a/src/connman-dbus.conf +++ b/src/connman-dbus.conf @@ -6,6 +6,19 @@ <allow send_destination="net.connman"/> <allow send_interface="net.connman.Agent"/> <allow send_interface="net.connman.Counter"/> + <allow send_interface="net.connman.Manager"/> + <allow send_interface="net.connman.Service"/> + <allow send_interface="net.connman.Technology"/> + <allow send_interface="net.connman.Notification"/> + </policy> + <policy user="network_fw"> + <allow own="net.connman"/> + <allow send_destination="net.connman"/> + <allow send_interface="net.connman.Agent"/> + <allow send_interface="net.connman.Counter"/> + <allow send_interface="net.connman.Manager"/> + <allow send_interface="net.connman.Service"/> + <allow send_interface="net.connman.Technology"/> <allow send_interface="net.connman.Notification"/> </policy> <policy at_console="true"> diff --git a/src/connman-polkit.conf b/src/connman-polkit.conf index b13d339b..03154faf 100755 --- a/src/connman-polkit.conf +++ b/src/connman-polkit.conf @@ -7,6 +7,12 @@ <allow send_interface="net.connman.Counter"/> <allow send_interface="net.connman.Notification"/> </policy> + <policy user="network_fw"> + <allow own="net.connman"/> + <allow send_interface="net.connman.Agent"/> + <allow send_interface="net.connman.Counter"/> + <allow send_interface="net.connman.Notification"/> + </policy> <policy context="default"> <allow send_destination="net.connman"/> </policy> diff --git a/src/connman.conf b/src/connman.conf index 0aa2ed20..f3bde768 100644 --- a/src/connman.conf +++ b/src/connman.conf @@ -4,6 +4,12 @@ <policy user="root"> <allow own="net.connman"/> <allow send_destination="net.connman"/> + <allow send_type="signal"/> + </policy> + <policy user="network_fw"> + <allow own="net.connman"/> + <allow send_destination="net.connman"/> + <allow send_type="signal"/> </policy> <policy context="default"> <check send_destination="net.connman" send_interface="net.connman.Manager" send_member="GetTechnologies" privilege="http://tizen.org/privilege/network.get" /> diff --git a/src/connman.service.in b/src/connman.service.in index 3bc442a5..cc964e25 100755 --- a/src/connman.service.in +++ b/src/connman.service.in @@ -5,13 +5,15 @@ DefaultDependencies=no [Service] Type=dbus +User=network_fw +Group=network_fw BusName=net.connman Restart=on-failure SmackProcessLabel=System -ExecStart=@sbindir@/connmand -n --noplugin vpn +ExecStart=@bindir@/connmand -n --noplugin vpn StandardOutput=null -CapabilityBoundingSet=~CAP_MAC_ADMIN -CapabilityBoundingSet=~CAP_MAC_OVERRIDE +Capabilities=cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=i +SecureBits=keep-caps [Install] WantedBy=multi-user.target diff --git a/src/connman_tv.service.in b/src/connman_tv.service.in index 3bc442a5..cc964e25 100644 --- a/src/connman_tv.service.in +++ b/src/connman_tv.service.in @@ -5,13 +5,15 @@ DefaultDependencies=no [Service] Type=dbus +User=network_fw +Group=network_fw BusName=net.connman Restart=on-failure SmackProcessLabel=System -ExecStart=@sbindir@/connmand -n --noplugin vpn +ExecStart=@bindir@/connmand -n --noplugin vpn StandardOutput=null -CapabilityBoundingSet=~CAP_MAC_ADMIN -CapabilityBoundingSet=~CAP_MAC_OVERRIDE +Capabilities=cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=i +SecureBits=keep-caps [Install] WantedBy=multi-user.target @@ -42,7 +42,7 @@ static const char *program_path; #include <sys/stat.h> #include <sys/time.h> -#define LOG_FILE_PATH "/var/log/connman.log" +#define LOG_FILE_PATH "/opt/usr/data/network/connman.log" #define MAX_LOG_SIZE 1 * 1024 * 1024 #define MAX_LOG_COUNT 1 diff --git a/src/net.connman.service.in b/src/net.connman.service.in index 9679c1be..990eb66b 100755 --- a/src/net.connman.service.in +++ b/src/net.connman.service.in @@ -1,5 +1,6 @@ [D-BUS Service] Name=net.connman Exec=/bin/false -User=root +User=network_fw +Group=network_fw SystemdService=connman.service diff --git a/vpn/connman-vpn.service.in b/vpn/connman-vpn.service.in index 6cc59cbc..a4c294ec 100755 --- a/vpn/connman-vpn.service.in +++ b/vpn/connman-vpn.service.in @@ -5,12 +5,14 @@ After=dbus.socket [Service] Type=dbus +User=network_fw +Group=network_fw BusName=net.connman.vpn SmackProcessLabel=System -ExecStart=@sbindir@/connman-vpnd -n +ExecStart=@bindir@/connman-vpnd -n StandardOutput=null -CapabilityBoundingSet=~CAP_MAC_ADMIN -CapabilityBoundingSet=~CAP_MAC_OVERRIDE +Capabilities=cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=i +SecureBits=keep-caps [Install] WantedBy=multi-user.target diff --git a/vpn/net.connman.vpn.service.in b/vpn/net.connman.vpn.service.in index 8dcf2544..8ce55c20 100755 --- a/vpn/net.connman.vpn.service.in +++ b/vpn/net.connman.vpn.service.in @@ -1,5 +1,6 @@ [D-BUS Service] Name=net.connman.vpn Exec=/bin/false -User=root +User=network_fw +Group=network_fw SystemdService=connman-vpn.service diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf index 5b44017b..7b7b6d19 100755 --- a/vpn/vpn-dbus.conf +++ b/vpn/vpn-dbus.conf @@ -4,6 +4,12 @@ <policy user="root"> <allow own="net.connman.vpn"/> <allow send_destination="net.connman.vpn"/> + <allow send_interface="net.connman.vpn.Agent"/> + </policy> + <policy user="network_fw"> + <allow own="net.connman.vpn"/> + <allow send_destination="net.connman.vpn"/> + <allow send_interface="net.connman.vpn.Agent"/> </policy> <policy at_console="true"> <allow send_destination="net.connman.vpn"/> diff --git a/vpn/vpn-polkit.conf b/vpn/vpn-polkit.conf index a1dc6177..237d21be 100755 --- a/vpn/vpn-polkit.conf +++ b/vpn/vpn-polkit.conf @@ -5,6 +5,10 @@ <allow own="net.connman.vpn"/> <allow send_interface="net.connman.vpn.Agent"/> </policy> + <policy user="network_fw"> + <allow own="net.connman.vpn"/> + <allow send_interface="net.connman.vpn.Agent"/> + </policy> <policy context="default"> <allow send_destination="net.connman.vpn"/> </policy> |