authortaesub kim <taesub.kim@samsung.com>2017-06-22 17:49:20 +0900
committertaesub kim <taesub.kim@samsung.com>2017-07-20 15:51:29 +0900
commite4544ee49501928e15c2174d1e4936dc6ff7d97e (patch)
treefc25dab6d28a737344467b8924e0667bcb5adae7 /vpn
parentce407f97aed0fdba65b5d881ef19cd7ee5e7abeb (diff)
Migrate root daemon to non rootsubmit/tizen/20170724.063335
Change-Id: I0d0afacc8a11fadc8128f6eef3f64f7a4ca8675b Signed-off-by: Taesub Kim <taesub.kim@samsung.com>
Diffstat (limited to 'vpn')
-rwxr-xr-xvpn/connman-vpn.service.in8
-rwxr-xr-xvpn/net.connman.vpn.service.in3
-rwxr-xr-xvpn/vpn-dbus.conf6
-rwxr-xr-xvpn/vpn-polkit.conf4
4 files changed, 17 insertions, 4 deletions
diff --git a/vpn/connman-vpn.service.in b/vpn/connman-vpn.service.in
index 6cc59cbc..a4c294ec 100755
--- a/vpn/connman-vpn.service.in
+++ b/vpn/connman-vpn.service.in
@@ -5,12 +5,14 @@ After=dbus.socket
[Service]
Type=dbus
+User=network_fw
+Group=network_fw
BusName=net.connman.vpn
SmackProcessLabel=System
-ExecStart=@sbindir@/connman-vpnd -n
+ExecStart=@bindir@/connman-vpnd -n
StandardOutput=null
-CapabilityBoundingSet=~CAP_MAC_ADMIN
-CapabilityBoundingSet=~CAP_MAC_OVERRIDE
+Capabilities=cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=i
+SecureBits=keep-caps
[Install]
WantedBy=multi-user.target
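Review bot: The new side removes both `CapabilityBoundingSet=` lines and adds no replacement, so the unit no longer bounds which capabilities connman-vpnd or anything it executes can acquire, and CAP_MAC_ADMIN and CAP_MAC_OVERRIDE are no longer excluded. A bounding set matching the four capabilities the daemon is meant to hold would keep a setuid or file-capability helper from undoing the non-root migration: `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW` (extended explicitly if spawned VPN helpers need more). The `=i` suffix on `Capabilities=` only fills the inheritable set, so the daemon gets effective capabilities only if the installed binary carries matching file capabilities, which this diff does not show. Newer systemd releases ignore `Capabilities=` in favour of `AmbientCapabilities=`, so on such a release the daemon may start with no network capabilities at all. A comment above the line such as `# effective caps come from file capabilities set on connman-vpnd at install time` would record that dependency.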
diff --git a/vpn/net.connman.vpn.service.in b/vpn/net.connman.vpn.service.in
index 8dcf2544..8ce55c20 100755
--- a/vpn/net.connman.vpn.service.in
+++ b/vpn/net.connman.vpn.service.in
@@ -1,5 +1,6 @@
[D-BUS Service]
Name=net.connman.vpn
Exec=/bin/false
-User=root
+User=network_fw
+Group=network_fw
SystemdService=connman-vpn.service
diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf
index 5b44017b..7b7b6d19 100755
--- a/vpn/vpn-dbus.conf
+++ b/vpn/vpn-dbus.conf
@@ -4,6 +4,12 @@
<policy user="root">
<allow own="net.connman.vpn"/>
<allow send_destination="net.connman.vpn"/>
+ <allow send_interface="net.connman.vpn.Agent"/>
+ </policy>
+ <policy user="network_fw">
+ <allow own="net.connman.vpn"/>
+ <allow send_destination="net.connman.vpn"/>
+ <allow send_interface="net.connman.vpn.Agent"/>
</policy>
<policy at_console="true">
<allow send_destination="net.connman.vpn"/>
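Review bot: `<allow own="net.connman.vpn"/>` under `<policy user="network_fw">` lets every process running as network_fw claim the VPN bus name, while at_console clients may send to whoever owns it. If network_fw is an account shared by several network daemons (the name suggests so, but this diff does not show it), a compromise of any of them could take over the name and receive messages meant for the VPN daemon; a dedicated account for connman-vpnd would narrow that. The `own` rule kept under `user="root"` looks unnecessary once the daemon no longer runs as root and could be dropped. The added `send_interface="net.connman.vpn.Agent"` rules have no `send_destination`, which deserves a comment such as `<!-- agent callbacks go to clients' unique names, so no destination can be named -->`. The same points apply to the network_fw policy added in vpn/vpn-polkit.conf.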
diff --git a/vpn/vpn-polkit.conf b/vpn/vpn-polkit.conf
index a1dc6177..237d21be 100755
--- a/vpn/vpn-polkit.conf
+++ b/vpn/vpn-polkit.conf
@@ -5,6 +5,10 @@
<allow own="net.connman.vpn"/>
<allow send_interface="net.connman.vpn.Agent"/>
</policy>
+ <policy user="network_fw">
+ <allow own="net.connman.vpn"/>
+ <allow send_interface="net.connman.vpn.Agent"/>
+ </policy>
<policy context="default">
<allow send_destination="net.connman.vpn"/>
</policy>