Diffstat (limited to 'vpn')
-rwxr-xr-x | vpn/connman-vpn.service.in | 8 | ||||
-rwxr-xr-x | vpn/net.connman.vpn.service.in | 3 | ||||
-rwxr-xr-x | vpn/vpn-dbus.conf | 6 | ||||
-rwxr-xr-x | vpn/vpn-polkit.conf | 4 |
4 files changed, 17 insertions, 4 deletions
diff --git a/vpn/connman-vpn.service.in b/vpn/connman-vpn.service.in
index 6cc59cbc..a4c294ec 100755
--- a/vpn/connman-vpn.service.in
+++ b/vpn/connman-vpn.service.in
@@ -5,12 +5,14 @@ After=dbus.socket
 [Service]
 Type=dbus
+User=network_fw
+Group=network_fw
 BusName=net.connman.vpn
 SmackProcessLabel=System
-ExecStart=@sbindir@/connman-vpnd -n
+ExecStart=@bindir@/connman-vpnd -n
 StandardOutput=null
-CapabilityBoundingSet=~CAP_MAC_ADMIN
-CapabilityBoundingSet=~CAP_MAC_OVERRIDE
+Capabilities=cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=i
+SecureBits=keep-caps
 [Install]
 WantedBy=multi-user.target
diff --git a/vpn/net.connman.vpn.service.in b/vpn/net.connman.vpn.service.in
index 8dcf2544..8ce55c20 100755
--- a/vpn/net.connman.vpn.service.in
+++ b/vpn/net.connman.vpn.service.in
@@ -1,5 +1,6 @@
 [D-BUS Service]
 Name=net.connman.vpn
 Exec=/bin/false
-User=root
+User=network_fw
+Group=network_fw
 SystemdService=connman-vpn.service
diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf
index 5b44017b..7b7b6d19 100755
--- a/vpn/vpn-dbus.conf
+++ b/vpn/vpn-dbus.conf
@@ -4,6 +4,12 @@
 <policy user="root">
 <allow own="net.connman.vpn"/>
 <allow send_destination="net.connman.vpn"/>
+<allow send_interface="net.connman.vpn.Agent"/>
+</policy>
+<policy user="network_fw">
+<allow own="net.connman.vpn"/>
+<allow send_destination="net.connman.vpn"/>
+<allow send_interface="net.connman.vpn.Agent"/>
 </policy>
 <policy at_console="true">
 <allow send_destination="net.connman.vpn"/>
diff --git a/vpn/vpn-polkit.conf b/vpn/vpn-polkit.conf
index a1dc6177..237d21be 100755
--- a/vpn/vpn-polkit.conf
+++ b/vpn/vpn-polkit.conf
@@ -5,6 +5,10 @@
 <allow own="net.connman.vpn"/>
 <allow send_interface="net.connman.vpn.Agent"/>
 </policy>
+<policy user="network_fw">
+<allow own="net.connman.vpn"/>
+<allow send_interface="net.connman.vpn.Agent"/>
+</policy>
 <policy context="default">
 <allow send_destination="net.connman.vpn"/>
 </policy> |
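Review bot: The new `Capabilities=...=i` line puts the four capabilities only in the inheritable set, and `SecureBits=keep-caps` on its own does not turn inheritable into permitted/effective across the exec, so once the unit switches to `User=network_fw` connman-vpnd most likely ends up with no CAP_NET_ADMIN or CAP_NET_RAW at all unless the installed binary carries matching file capabilities — worth verifying on a target image. `Capabilities=` is also a directive that later systemd releases no longer accept, so on a newer base the line is rejected rather than applied. The portable form is `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW` followed by `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW`, which also restores the bounding-set restriction that the removed `~CAP_MAC_ADMIN` / `~CAP_MAC_OVERRIDE` lines provided, since a positive list excludes them implicitly. If the target's systemd predates `AmbientCapabilities=`, record that above the line with a comment naming the systemd version tested and the file-capability requirement on the binary.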
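Review bot: `Group=network_fw` in the D-Bus activation file is not a key the service-file format defines (the documented keys are Name, Exec, User, SystemdService and a few others), so as far as I can tell dbus-daemon ignores it and the effective group comes solely from the systemd unit. With `Exec=/bin/false` and `SystemdService=` present, even the `User=` line only matters on the non-systemd fallback path, so nothing here actually sets the group. Either drop the `Group=` line or, if the local dbus-daemon has been patched to honour it, say so with a comment such as `# Group= is a local dbus extension; upstream dbus-daemon ignores this key`.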
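Review bot: The new `network_fw` stanza is a verbatim copy of root's, and the name `network_fw` reads like a shared identity for the whole network stack rather than one dedicated to connman-vpnd; if connmand or other daemons also run under this uid, each of them may now own `net.connman.vpn` and call any `net.connman.vpn.Agent` method on any peer, so a compromise of one process hands it the VPN daemon's D-Bus identity — whether the uid is shared is inferred from its name, not visible in this diff. A dedicated uid for the VPN daemon would keep that separation; failing that, a comment recording which processes share `network_fw` would at least make the trust boundary explicit. The `send_interface` allow has no `send_destination`, which is needed because agent objects live on whichever client connection registered them, but that breadth deserves a note in place: `<!-- no send_destination: the Agent object lives on whatever client connection registered it -->`.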