authortaesub kim <taesub.kim@samsung.com>2017-06-22 17:49:20 +0900
committertaesub kim <taesub.kim@samsung.com>2017-07-20 15:51:29 +0900
commite4544ee49501928e15c2174d1e4936dc6ff7d97e (patch)
treefc25dab6d28a737344467b8924e0667bcb5adae7
parentce407f97aed0fdba65b5d881ef19cd7ee5e7abeb (diff)
downloadconnman-e4544ee49501928e15c2174d1e4936dc6ff7d97e.tar.gz
connman-e4544ee49501928e15c2174d1e4936dc6ff7d97e.tar.bz2
connman-e4544ee49501928e15c2174d1e4936dc6ff7d97e.zip
Migrate root daemon to non-root
submit/tizen/20170724.063335
Change-Id: I0d0afacc8a11fadc8128f6eef3f64f7a4ca8675b Signed-off-by: Taesub Kim <taesub.kim@samsung.com>
-rwxr-xr-xMakefile.am31
-rwxr-xr-xconfigure.ac26
-rwxr-xr-xpackaging/connman.spec70
-rwxr-xr-xplugins/connman-nmcompat.conf4
-rw-r--r--resources/usr/share/dbus-1/system-services/net.connman.service3
-rwxr-xr-xscripts/connman.in2
-rwxr-xr-xsrc/connman-dbus.conf13
-rwxr-xr-xsrc/connman-polkit.conf6
-rw-r--r--src/connman.conf6
-rwxr-xr-xsrc/connman.service.in8
-rw-r--r--src/connman_tv.service.in8
-rwxr-xr-xsrc/log.c2
-rwxr-xr-xsrc/net.connman.service.in3
-rwxr-xr-xvpn/connman-vpn.service.in8
-rwxr-xr-xvpn/net.connman.vpn.service.in3
-rwxr-xr-xvpn/vpn-dbus.conf6
-rwxr-xr-xvpn/vpn-polkit.conf4
17 files changed, 152 insertions, 51 deletions
diff --git a/Makefile.am b/Makefile.am
index 9fd16a0d..cadd787d 100755
--- a/Makefile.am
+++ b/Makefile.am
@@ -59,20 +59,31 @@ if VPN
dbusconf_DATA += vpn/connman-vpn-dbus.conf
dbusservicedir = @DBUS_DATADIR@
dbusservice_DATA = vpn/net.connman.vpn.service
-endif
if SYSTEMD
systemdunitdir = @SYSTEMD_UNITDIR@
systemdunit_DATA = src/connman.service vpn/connman-vpn.service
endif
-endif
service_files_sources = src/connman.service.in src/net.connman.service.in \
vpn/net.connman.vpn.service.in vpn/connman-vpn.service.in
service_files = src/connman.service src/net.connman.service \
vpn/net.connman.vpn.service vpn/connman-vpn.service
+else
+
+if SYSTEMD
+systemdunitdir = @SYSTEMD_UNITDIR@
+systemdunit_DATA = src/connman.service
+
+endif
+
+service_files_sources = src/connman.service.in src/net.connman.service.in
+service_files = src/connman.service src/net.connman.service
+endif
+endif
+
plugin_LTLIBRARIES =
plugin_objects =
@@ -83,13 +94,21 @@ builtin_libadd =
builtin_cflags =
noinst_PROGRAMS =
+if TIZEN_EXT
+bin_PROGRAMS = src/connmand
+else
bin_PROGRAMS =
+endif
unit_objects =
MANUAL_PAGES =
+if TIZEN_EXT
+sbin_PROGRAMS =
+else
sbin_PROGRAMS = src/connmand
+endif
src_connmand_SOURCES = $(gdhcp_sources) $(gweb_sources) \
$(builtin_sources) $(shared_sources) src/connman.ver \
@@ -128,7 +147,11 @@ builtin_vpn_sources =
builtin_vpn_libadd =
builtin_vpn_cflags =
+if TIZEN_EXT
+bin_PROGRAMS += vpn/connman-vpnd
+else
sbin_PROGRAMS += vpn/connman-vpnd
+endif
vpn_connman_vpnd_SOURCES = $(gdhcp_sources) $(builtin_vpn_sources) \
$(gweb_sources) vpn/vpn.ver vpn/main.c vpn/vpn.h \
@@ -258,7 +281,7 @@ include Makefile.plugins
if CLIENT
bin_PROGRAMS += client/connmanctl
-MANUAL_PAGES = doc/connmanctl.1
+#MANUAL_PAGES = doc/connmanctl.1
client_connmanctl_SOURCES = client/dbus_helpers.h client/dbus_helpers.c \
client/services.h client/services.c \
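Review bot: Commenting out `MANUAL_PAGES = doc/connmanctl.1` here (and `MANUAL_PAGES += doc/connman.8 doc/connman.conf.5` in the hunk below) leaves `dist_man_MANS = $(MANUAL_PAGES)` empty for every build, not only Tizen ones, and commented-out assignments read as dead code to the next maintainer. If the man pages are unwanted only under TIZEN_EXT, guard them the same way the hunks above guard `bin_PROGRAMS`: `if TIZEN_EXT` / `MANUAL_PAGES =` / `else` / `MANUAL_PAGES = doc/connmanctl.1` / `endif`; otherwise delete the lines outright.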
@@ -395,7 +418,7 @@ EXTRA_DIST += doc/overview-api.txt doc/behavior-api.txt \
EXTRA_DIST += src/main.conf \
src/eduroam.config
-MANUAL_PAGES += doc/connman.8 doc/connman.conf.5
+#MANUAL_PAGES += doc/connman.8 doc/connman.conf.5
dist_man_MANS = $(MANUAL_PAGES)
diff --git a/configure.ac b/configure.ac
index cd2013f4..856692b5 100755
--- a/configure.ac
+++ b/configure.ac
@@ -67,6 +67,14 @@ AC_ARG_ENABLE(telephony,
AM_CONDITIONAL(TELEPHONY, test "${enable_telephony}" != "no")
AM_CONDITIONAL(TELEPHONY_BUILTIN, test "${enable_telephony}" = "builtin")
+AC_ARG_ENABLE(tizen-ext,
+ AC_HELP_STRING([--enable-tizen-ext], [enable TIZEN extensions]),
+ [if (test "${enableval}" = "yes"); then
+ CFLAGS="$CFLAGS -DTIZEN_EXT"
+ LIBS="$LIBS -lsmack"
+ fi])
+AM_CONDITIONAL(TIZEN_EXT, test "${enable-tizen-ext}" != "no")
+
AC_ARG_WITH(openconnect, AC_HELP_STRING([--with-openconnect=PROGRAM],
[specify location of openconnect binary]), [path_openconnect=${withval}])
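Review bot: `AM_CONDITIONAL(TIZEN_EXT, test "${enable-tizen-ext}" != "no")` never tests the option: in shell `${enable-tizen-ext}` is "the value of $enable, or the string tizen-ext if unset", and autoconf stores the option in `enable_tizen_ext`, so the expression is always "tizen-ext" != "no" and TIZEN_EXT is unconditionally true. Even with the name fixed, the `AC_ARG_ENABLE` has no action-if-not-given, so `enable_tizen_ext` is empty when the flag is absent and the test still succeeds; the other options in this file set an explicit `"no"` default and this one should too. The rewritten block below follows the `enable_openconnect` pattern a few lines down and moves the CFLAGS/LIBS update out of the option action so it tracks the same variable.
```m4
AC_ARG_ENABLE(tizen-ext,
	AC_HELP_STRING([--enable-tizen-ext], [enable TIZEN extensions]),
	[enable_tizen_ext=${enableval}], [enable_tizen_ext="no"])
if (test "${enable_tizen_ext}" != "no"); then
	CFLAGS="$CFLAGS -DTIZEN_EXT"
	LIBS="$LIBS -lsmack"
fi
AM_CONDITIONAL(TIZEN_EXT, test "${enable_tizen_ext}" != "no")
```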
@@ -75,7 +83,7 @@ AC_ARG_ENABLE(openconnect,
[enable_openconnect=${enableval}], [enable_openconnect="no"])
if (test "${enable_openconnect}" != "no"); then
if (test -z "${path_openconnect}"); then
- AC_PATH_PROG(OPENCONNECT, [openconnect], [], $PATH:/sbin:/usr/sbin)
+ AC_PATH_PROG(OPENCONNECT, [openconnect], [], $PATH:/bin:/usr/bin)
if (test -z "${OPENCONNECT}"); then
AC_MSG_ERROR(openconnect binary not found)
fi
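Review bot: `AC_PATH_PROG(OPENCONNECT, [openconnect], [], $PATH:/bin:/usr/bin)` now searches only `/bin:/usr/bin` and drops `/sbin:/usr/sbin`, which is where these helpers live on distributions without a merged /usr; the same replacement is made in the openvpn, vpnc, pppd, xl2tpd, pptp, iptables-save and wpa_supplicant hunks below. Appending rather than replacing keeps both layouts working: `$PATH:/bin:/usr/bin:/sbin:/usr/sbin`. The value-if-not-found defaults changed in the pppd/xl2tpd/pptp hunks (`[/usr/bin/pppd]` and friends) are used only when the search fails, so a wrong path there is baked into the build silently instead of failing configure — worth double-checking on a non-Tizen host.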
@@ -95,7 +103,7 @@ AC_ARG_ENABLE(openvpn,
[enable_openvpn=${enableval}], [enable_openvpn="no"])
if (test "${enable_openvpn}" != "no"); then
if (test -z "${path_openvpn}"); then
- AC_PATH_PROG(OPENVPN, [openvpn], [], $PATH:/sbin:/usr/sbin)
+ AC_PATH_PROG(OPENVPN, [openvpn], [], $PATH:/bin:/usr/bin)
if (test -z "${OPENVPN}"); then
AC_MSG_ERROR(openvpn binary not found)
fi
@@ -143,7 +151,7 @@ AC_ARG_ENABLE(vpnc,
[enable_vpnc=${enableval}], [enable_vpnc="no"])
if (test "${enable_vpnc}" != "no"); then
if (test -z "${path_vpnc}"); then
- AC_PATH_PROG(VPNC, [vpnc], [], $PATH:/sbin:/usr/sbin)
+ AC_PATH_PROG(VPNC, [vpnc], [], $PATH:/bin:/usr/bin)
if (test -z "${VPNC}"); then
AC_MSG_ERROR(vpnc binary not found)
fi
@@ -163,7 +171,7 @@ AC_ARG_ENABLE(l2tp,
[enable_l2tp=${enableval}], [enable_l2tp="no"])
if (test "${enable_l2tp}" != "no"); then
if (test -z "${path_pppd}"); then
- AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin)
+ AC_PATH_PROG(PPPD, [pppd], [/usr/bin/pppd], $PATH:/bin:/usr/bin)
else
PPPD="${path_pppd}"
AC_SUBST(PPPD)
@@ -171,7 +179,7 @@ if (test "${enable_l2tp}" != "no"); then
AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes,
AC_MSG_ERROR(ppp header files are required))
if (test -z "${path_l2tp}"); then
- AC_PATH_PROG(L2TP, [xl2tpd], [/usr/sbin/xl2tpd], $PATH:/sbin:/usr/sbin)
+ AC_PATH_PROG(L2TP, [xl2tpd], [/usr/bin/xl2tpd], $PATH:/bin:/usr/bin)
else
L2TP="${path_l2tp}"
AC_SUBST(L2TP)
@@ -188,7 +196,7 @@ AC_ARG_ENABLE(pptp,
[enable_pptp=${enableval}], [enable_pptp="no"])
if (test "${enable_pptp}" != "no"); then
if (test -z "${path_pppd}"); then
- AC_PATH_PROG(PPPD, [pppd], [/usr/sbin/pppd], $PATH:/sbin:/usr/sbin)
+ AC_PATH_PROG(PPPD, [pppd], [/usr/bin/pppd], $PATH:/bin:/usr/bin)
else
PPPD="${path_pppd}"
AC_SUBST(PPPD)
@@ -196,7 +204,7 @@ if (test "${enable_pptp}" != "no"); then
AC_CHECK_HEADERS(pppd/pppd.h, dummy=yes,
AC_MSG_ERROR(ppp header files are required))
if (test -z "${path_pptp}"); then
- AC_PATH_PROG(PPTP, [pptp], [/usr/sbin/pptp], $PATH:/sbin:/usr/sbin)
+ AC_PATH_PROG(PPTP, [pptp], [/usr/bin/pptp], $PATH:/bin:/usr/bin)
else
PPTP="${path_pptp}"
AC_SUBST(PPTP)
@@ -383,7 +391,7 @@ AM_CONDITIONAL(TOOLS, test "${enable_tools}" != "no")
if (test "${enable_tools}" != "no"); then
AC_PATH_PROGS(IPTABLES_SAVE, [iptables-save], [],
- $PATH:/sbin:/usr/sbin)
+ $PATH:/bin:/usr/bin)
IPTABLES_SAVE=$ac_cv_path_IPTABLES_SAVE
else
IPTABLES_SAVE=""
@@ -415,7 +423,7 @@ fi
if (test "${enable_wifi}" != "no"); then
AC_PATH_PROG(WPASUPPLICANT, [wpa_supplicant], [],
- $PATH:/sbin:/usr/sbin)
+ $PATH:/bin:/usr/bin)
fi
AC_ARG_ENABLE(datafiles, AC_HELP_STRING([--disable-datafiles],
diff --git a/packaging/connman.spec b/packaging/connman.spec
index e653e084..f7947cbe 100755
--- a/packaging/connman.spec
+++ b/packaging/connman.spec
@@ -133,7 +133,7 @@ This overwrites conf file of %{name}.
%build
-CFLAGS+=" -DTIZEN_EXT -lsmack -Werror"
+#CFLAGS+=" -DTIZEN_EXT -lsmack -Werror"
CFLAGS+=" -DTIZEN_SYS_CA_BUNDLE=\"%TZ_SYS_RO_CA_BUNDLE\""
%if %{with connman_vpnd}
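Review bot: `#CFLAGS+=" -DTIZEN_EXT -lsmack -Werror"` is left as a commented-out line rather than removed. With `--enable-tizen-ext` now supplying `-DTIZEN_EXT` and `-lsmack` from configure, the only flag actually lost is `-Werror`, and the commit message does not say whether dropping it is intended. If it is, delete the line; if not, keep `CFLAGS+=" -Werror"` so new warnings still fail the Tizen build.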
@@ -145,6 +145,7 @@ chmod +x bootstrap
%configure \
--sysconfdir=/etc \
--enable-client \
+ --enable-tizen-ext \
--enable-pacrunner \
--enable-wifi=builtin \
%if %{with connman_openconnect}
@@ -228,8 +229,8 @@ mkdir -p %{buildroot}%{upgrade_script_path}
cp -f scripts/%{upgrade_script_filename} %{buildroot}%{upgrade_script_path}
%post
-chsmack -a 'System' /%{_localstatedir}/lib/connman
-chsmack -a 'System' /%{_localstatedir}/lib/connman/settings
+#chsmack -a 'System' /%{_localstatedir}/lib/connman
+#chsmack -a 'System' /%{_localstatedir}/lib/connman/settings
%preun
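Review bot: `#chsmack -a 'System' /%{_localstatedir}/lib/connman` and the `settings` line are commented out rather than removed, and nothing else in this commit labels those files, while the units still carry `SmackProcessLabel=System`. Whether a System-labelled connmand running as network_fw can still read and write `settings` now depends on the label the package manager assigns at install time, which is not visible here — confirm it on a device before merging. If labelling is intentionally delegated elsewhere, delete the two lines and record where, e.g. `# Smack labels for /var/lib/connman are applied by <labelling mechanism>`.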
@@ -240,27 +241,27 @@ systemctl daemon-reload
%files
%manifest connman.manifest
-%attr(500,root,root) %{_sbindir}/*
-%attr(500,root,root) %{_bindir}/connmanctl
-%attr(600,root,root) /%{_localstatedir}/lib/connman/settings
+%attr(500,network_fw,network_fw) %{_bindir}/*
+%attr(500,network_fw,network_fw) %{_bindir}/connmanctl
+%attr(755,network_fw,network_fw) /%{_localstatedir}/lib/connman
+%attr(600,network_fw,network_fw) /%{_localstatedir}/lib/connman/settings
#%{_libdir}/connman/plugins/*.so
-%attr(644,root,root) %{_datadir}/dbus-1/system-services/*
-#%{_datadir}/dbus-1/services/*
+%attr(644,network_fw,network_fw) %{_datadir}/dbus-1/system-services/*
%{_sysconfdir}/dbus-1/system.d/*
-%attr(644,root,root) %{_sysconfdir}/connman/main.conf
+%attr(644,network_fw,network_fw) %{_sysconfdir}/connman/main.conf
%{_sysconfdir}/dbus-1/system.d/*.conf
-%attr(644,root,root) %{_libdir}/systemd/system/connman.service
-%attr(644,root,root) %{_libdir}/systemd/system/multi-user.target.wants/connman.service
-%attr(644,root,root) %{_libdir}/systemd/system/connman-vpn.service
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman.service
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/multi-user.target.wants/connman.service
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman-vpn.service
%if "%{?_lib}" == "lib64"
-%attr(644,root,root) %{_unitdir}/connman.service
-%attr(644,root,root) %{_unitdir}/multi-user.target.wants/connman.service
-%attr(644,root,root) %{_unitdir}/connman-vpn.service
-%attr(644,root,root) %{_unitdir}/connman.socket
-%attr(644,root,root) %{_unitdir}/sockets.target.wants/connman.socket
+%attr(644,network_fw,network_fw) %{_unitdir}/connman.service
+%attr(644,network_fw,network_fw) %{_unitdir}/multi-user.target.wants/connman.service
+%attr(644,network_fw,network_fw) %{_unitdir}/connman-vpn.service
+%attr(644,network_fw,network_fw) %{_unitdir}/connman.socket
+%attr(644,network_fw,network_fw) %{_unitdir}/sockets.target.wants/connman.socket
%else
-%attr(644,root,root) %{_libdir}/systemd/system/connman.socket
-%attr(644,root,root) %{_libdir}/systemd/system/sockets.target.wants/connman.socket
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman.socket
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/sockets.target.wants/connman.socket
%endif
%license COPYING
%{upgrade_script_path}/%{upgrade_script_filename}
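Review bot: Giving the service user ownership of the systemd units and D-Bus activation files (`%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman.service`, the `%{_unitdir}` and `sockets.target.wants` entries, and `%{_datadir}/dbus-1/system-services/*`) lets a compromised connmand rewrite its own unit — drop the `User=` line, for instance — and come back as root on the next restart, which undoes the point of the migration; mode 644 already makes them readable, so they should stay `root,root` and only the runtime state under `/%{_localstatedir}/lib/connman` needs `network_fw` ownership (the `main.conf` entries here and the `.tv`/`.ivi` variants in the later hunk are the same case). Separately, `%attr(500,network_fw,network_fw) %{_bindir}/*` now also matches `%{_bindir}/connmanctl`, so the client is listed twice and becomes executable only by network_fw. List the daemons explicitly, `%attr(500,network_fw,network_fw) %{_bindir}/connmand`, and keep connmanctl at its usual root-owned mode.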
@@ -281,6 +282,11 @@ systemctl daemon-reload
%{_libdir}/connman/scripts/openconnect-script
%{_datadir}/dbus-1/system-services/net.connman.vpn.service
%license COPYING
+%if "%{?_lib}" == "lib64"
+%attr(644,network_fw,network_fw) %{_unitdir}/connman-vpn.service
+%else
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman-vpn.service
+%endif
%endif
%if %{with connman_openvpn}
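Review bot: The lib64 conditional listing `connman-vpn.service` is pasted into four subpackages (this hunk and the openvpn, ipsec and connman-vpnd hunks below) while the main package's %files above still lists `%{_libdir}/systemd/system/connman-vpn.service` and `%{_unitdir}/connman-vpn.service`. The same path owned by several packages of one spec is a file conflict at install time unless rpm judges the files identical, and even then a single owner is clearer. Keep the unit in the package that ships connman-vpnd and drop it from the main %files, or factor the `%if "%{?_lib}" == "lib64"` block into a macro so it is written once.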
@@ -290,6 +296,11 @@ systemctl daemon-reload
%{_libdir}/%{name}/scripts/openvpn-script
%{_datadir}/dbus-1/system-services/net.connman.vpn.service
%license COPYING
+%if "%{?_lib}" == "lib64"
+%attr(644,network_fw,network_fw) %{_unitdir}/connman-vpn.service
+%else
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman-vpn.service
+%endif
%endif
%if %{with connman_ipsec}
@@ -298,34 +309,45 @@ systemctl daemon-reload
%{_libdir}/%{name}/plugins-vpn/ipsec.so
%{_libdir}/%{name}/scripts/ipsec-script
%{_datadir}/dbus-1/system-services/net.connman.vpn.service
+%license COPYING
+%if "%{?_lib}" == "lib64"
+%attr(644,network_fw,network_fw) %{_unitdir}/connman-vpn.service
+%else
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman-vpn.service
+%endif
%endif
%if %{with connman_vpnd}
%files connman-vpnd
%manifest %{name}.manifest
-#%{_sbindir}/connman-vpnd
+#%{_bindir}/connman-vpnd
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/scripts
%dir %{_libdir}/%{name}/plugins-vpn
%config %{_sysconfdir}/dbus-1/system.d/connman-vpn-dbus.conf
%{_datadir}/dbus-1/system-services/net.connman.vpn.service
%license COPYING
+%if "%{?_lib}" == "lib64"
+%attr(644,network_fw,network_fw) %{_unitdir}/connman-vpn.service
+%else
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman-vpn.service
+%endif
%endif
%post extension-tv
mv -f %{_libdir}/systemd/system/connman.service.tv %{_libdir}/systemd/system/connman.service
mv -f %{_sysconfdir}/connman/main.conf.tv %{_sysconfdir}/connman/main.conf
%files extension-tv
-%attr(644,root,root) %{_sysconfdir}/connman/main.conf.tv
+%attr(644,network_fw,network_fw) %{_sysconfdir}/connman/main.conf.tv
%license COPYING
%if "%{?_lib}" == "lib64"
-%attr(644,root,root) %{_unitdir}/connman.service.tv
+%attr(644,network_fw,network_fw) %{_unitdir}/connman.service.tv
%else
-%attr(644,root,root) %{_libdir}/systemd/system/connman.service.tv
+%attr(644,network_fw,network_fw) %{_libdir}/systemd/system/connman.service.tv
%endif
%post extension-ivi
mv -f %{_sysconfdir}/connman/main.conf.ivi %{_sysconfdir}/connman/main.conf
%files extension-ivi
-%attr(644,root,root) %{_sysconfdir}/connman/main.conf.ivi
+%attr(644,network_fw,network_fw) %{_sysconfdir}/connman/main.conf.ivi
%license COPYING
diff --git a/plugins/connman-nmcompat.conf b/plugins/connman-nmcompat.conf
index 5887a345..a051d927 100755
--- a/plugins/connman-nmcompat.conf
+++ b/plugins/connman-nmcompat.conf
@@ -5,6 +5,10 @@
<allow own="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"/>
</policy>
+ <policy user="network_fw">
+ <allow own="org.freedesktop.NetworkManager"/>
+ <allow send_destination="org.freedesktop.NetworkManager"/>
+ </policy>
<policy at_console="true">
<allow send_destination="org.freedesktop.NetworkManager"/>
</policy>
diff --git a/resources/usr/share/dbus-1/system-services/net.connman.service b/resources/usr/share/dbus-1/system-services/net.connman.service
index 9679c1be..990eb66b 100644
--- a/resources/usr/share/dbus-1/system-services/net.connman.service
+++ b/resources/usr/share/dbus-1/system-services/net.connman.service
@@ -1,5 +1,6 @@
[D-BUS Service]
Name=net.connman
Exec=/bin/false
-User=root
+User=network_fw
+Group=network_fw
SystemdService=connman.service
diff --git a/scripts/connman.in b/scripts/connman.in
index 1692b950..2c380abb 100755
--- a/scripts/connman.in
+++ b/scripts/connman.in
@@ -1,6 +1,6 @@
#!/bin/sh
-DAEMON=@sbindir@/connmand
+DAEMON=@bindir@/connmand
DESC="Connection Manager"
. /lib/lsb/init-functions
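Review bot: `DAEMON=@bindir@/connmand` is unconditional, but Makefile.am installs connmand into `bindir` only under `TIZEN_EXT` and into `sbindir` otherwise, so a non-Tizen build of this init script points at a binary that does not exist; the `ExecStart=@bindir@/...` lines in src/connman.service.in, src/connman_tv.service.in and vpn/connman-vpn.service.in have the same mismatch. Substituting one configure-level variable for the daemon directory (set to bindir or sbindir next to the TIZEN_EXT conditional) and using it in all four files keeps them in step with the real install location.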
diff --git a/src/connman-dbus.conf b/src/connman-dbus.conf
index 98a773ea..29106dc7 100755
--- a/src/connman-dbus.conf
+++ b/src/connman-dbus.conf
@@ -6,6 +6,19 @@
<allow send_destination="net.connman"/>
<allow send_interface="net.connman.Agent"/>
<allow send_interface="net.connman.Counter"/>
+ <allow send_interface="net.connman.Manager"/>
+ <allow send_interface="net.connman.Service"/>
+ <allow send_interface="net.connman.Technology"/>
+ <allow send_interface="net.connman.Notification"/>
+ </policy>
+ <policy user="network_fw">
+ <allow own="net.connman"/>
+ <allow send_destination="net.connman"/>
+ <allow send_interface="net.connman.Agent"/>
+ <allow send_interface="net.connman.Counter"/>
+ <allow send_interface="net.connman.Manager"/>
+ <allow send_interface="net.connman.Service"/>
+ <allow send_interface="net.connman.Technology"/>
<allow send_interface="net.connman.Notification"/>
</policy>
<policy at_console="true">
diff --git a/src/connman-polkit.conf b/src/connman-polkit.conf
index b13d339b..03154faf 100755
--- a/src/connman-polkit.conf
+++ b/src/connman-polkit.conf
@@ -7,6 +7,12 @@
<allow send_interface="net.connman.Counter"/>
<allow send_interface="net.connman.Notification"/>
</policy>
+ <policy user="network_fw">
+ <allow own="net.connman"/>
+ <allow send_interface="net.connman.Agent"/>
+ <allow send_interface="net.connman.Counter"/>
+ <allow send_interface="net.connman.Notification"/>
+ </policy>
<policy context="default">
<allow send_destination="net.connman"/>
</policy>
diff --git a/src/connman.conf b/src/connman.conf
index 0aa2ed20..f3bde768 100644
--- a/src/connman.conf
+++ b/src/connman.conf
@@ -4,6 +4,12 @@
<policy user="root">
<allow own="net.connman"/>
<allow send_destination="net.connman"/>
+ <allow send_type="signal"/>
+ </policy>
+ <policy user="network_fw">
+ <allow own="net.connman"/>
+ <allow send_destination="net.connman"/>
+ <allow send_type="signal"/>
</policy>
<policy context="default">
<check send_destination="net.connman" send_interface="net.connman.Manager" send_member="GetTechnologies" privilege="http://tizen.org/privilege/network.get" />
diff --git a/src/connman.service.in b/src/connman.service.in
index 3bc442a5..cc964e25 100755
--- a/src/connman.service.in
+++ b/src/connman.service.in
@@ -5,13 +5,15 @@ DefaultDependencies=no
[Service]
Type=dbus
+User=network_fw
+Group=network_fw
BusName=net.connman
Restart=on-failure
SmackProcessLabel=System
-ExecStart=@sbindir@/connmand -n --noplugin vpn
+ExecStart=@bindir@/connmand -n --noplugin vpn
StandardOutput=null
-CapabilityBoundingSet=~CAP_MAC_ADMIN
-CapabilityBoundingSet=~CAP_MAC_OVERRIDE
+Capabilities=cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=i
+SecureBits=keep-caps
[Install]
WantedBy=multi-user.target
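Review bot: `Capabilities=cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=i` uses the legacy directive that systemd removed in v232, and even where it is still accepted an inheritable-only set gives a `User=network_fw` process no effective capabilities unless the binary carries matching file capabilities (nothing in this commit sets any), so connmand is likely to start without CAP_NET_ADMIN and fail at its first netlink or raw-socket call; `SecureBits=keep-caps` does not change that. The supported form since v229 is `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW`, and the removed `CapabilityBoundingSet=~CAP_MAC_ADMIN` / `~CAP_MAC_OVERRIDE` lines are better replaced by `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW` than dropped, so the bounding set narrows instead of widening. I cannot see which systemd Tizen ships, so confirm against that version. The same block appears in src/connman_tv.service.in and vpn/connman-vpn.service.in.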
diff --git a/src/connman_tv.service.in b/src/connman_tv.service.in
index 3bc442a5..cc964e25 100644
--- a/src/connman_tv.service.in
+++ b/src/connman_tv.service.in
@@ -5,13 +5,15 @@ DefaultDependencies=no
[Service]
Type=dbus
+User=network_fw
+Group=network_fw
BusName=net.connman
Restart=on-failure
SmackProcessLabel=System
-ExecStart=@sbindir@/connmand -n --noplugin vpn
+ExecStart=@bindir@/connmand -n --noplugin vpn
StandardOutput=null
-CapabilityBoundingSet=~CAP_MAC_ADMIN
-CapabilityBoundingSet=~CAP_MAC_OVERRIDE
+Capabilities=cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=i
+SecureBits=keep-caps
[Install]
WantedBy=multi-user.target
diff --git a/src/log.c b/src/log.c
index 1dbd41a3..32b35bc8 100755
--- a/src/log.c
+++ b/src/log.c
@@ -42,7 +42,7 @@ static const char *program_path;
#include <sys/stat.h>
#include <sys/time.h>
-#define LOG_FILE_PATH "/var/log/connman.log"
+#define LOG_FILE_PATH "/opt/usr/data/network/connman.log"
#define MAX_LOG_SIZE 1 * 1024 * 1024
#define MAX_LOG_COUNT 1
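Review bot: `#define LOG_FILE_PATH "/opt/usr/data/network/connman.log"` moves the log into a directory that nothing in this commit creates or assigns to network_fw (the spec's %files only lists `/%{_localstatedir}/lib/connman`), so with the daemon no longer root the open is likely to fail unless that directory is provided elsewhere; the code that opens the path is outside the hunk. Either package the directory, `%dir %attr(755,network_fw,network_fw) /opt/usr/data/network`, or create it at startup, and since the location is Tizen-specific consider making it a configure substitution or a `TIZEN_EXT`-guarded define rather than an unconditional literal.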
diff --git a/src/net.connman.service.in b/src/net.connman.service.in
index 9679c1be..990eb66b 100755
--- a/src/net.connman.service.in
+++ b/src/net.connman.service.in
@@ -1,5 +1,6 @@
[D-BUS Service]
Name=net.connman
Exec=/bin/false
-User=root
+User=network_fw
+Group=network_fw
SystemdService=connman.service
diff --git a/vpn/connman-vpn.service.in b/vpn/connman-vpn.service.in
index 6cc59cbc..a4c294ec 100755
--- a/vpn/connman-vpn.service.in
+++ b/vpn/connman-vpn.service.in
@@ -5,12 +5,14 @@ After=dbus.socket
[Service]
Type=dbus
+User=network_fw
+Group=network_fw
BusName=net.connman.vpn
SmackProcessLabel=System
-ExecStart=@sbindir@/connman-vpnd -n
+ExecStart=@bindir@/connman-vpnd -n
StandardOutput=null
-CapabilityBoundingSet=~CAP_MAC_ADMIN
-CapabilityBoundingSet=~CAP_MAC_OVERRIDE
+Capabilities=cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=i
+SecureBits=keep-caps
[Install]
WantedBy=multi-user.target
diff --git a/vpn/net.connman.vpn.service.in b/vpn/net.connman.vpn.service.in
index 8dcf2544..8ce55c20 100755
--- a/vpn/net.connman.vpn.service.in
+++ b/vpn/net.connman.vpn.service.in
@@ -1,5 +1,6 @@
[D-BUS Service]
Name=net.connman.vpn
Exec=/bin/false
-User=root
+User=network_fw
+Group=network_fw
SystemdService=connman-vpn.service
diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf
index 5b44017b..7b7b6d19 100755
--- a/vpn/vpn-dbus.conf
+++ b/vpn/vpn-dbus.conf
@@ -4,6 +4,12 @@
<policy user="root">
<allow own="net.connman.vpn"/>
<allow send_destination="net.connman.vpn"/>
+ <allow send_interface="net.connman.vpn.Agent"/>
+ </policy>
+ <policy user="network_fw">
+ <allow own="net.connman.vpn"/>
+ <allow send_destination="net.connman.vpn"/>
+ <allow send_interface="net.connman.vpn.Agent"/>
</policy>
<policy at_console="true">
<allow send_destination="net.connman.vpn"/>
diff --git a/vpn/vpn-polkit.conf b/vpn/vpn-polkit.conf
index a1dc6177..237d21be 100755
--- a/vpn/vpn-polkit.conf
+++ b/vpn/vpn-polkit.conf
@@ -5,6 +5,10 @@
<allow own="net.connman.vpn"/>
<allow send_interface="net.connman.vpn.Agent"/>
</policy>
+ <policy user="network_fw">
+ <allow own="net.connman.vpn"/>
+ <allow send_interface="net.connman.vpn.Agent"/>
+ </policy>
<policy context="default">
<allow send_destination="net.connman.vpn"/>
</policy>