From e4544ee49501928e15c2174d1e4936dc6ff7d97e Mon Sep 17 00:00:00 2001
From: taesub kim <taesub.kim@samsung.com>
Date: Thu, 22 Jun 2017 17:49:20 +0900
Subject: Migrate root daemon to non root

Change-Id: I0d0afacc8a11fadc8128f6eef3f64f7a4ca8675b
Signed-off-by: Taesub Kim <taesub.kim@samsung.com>
---
 vpn/connman-vpn.service.in     | 8 +++++---
 vpn/net.connman.vpn.service.in | 3 ++-
 vpn/vpn-dbus.conf              | 6 ++++++
 vpn/vpn-polkit.conf            | 4 ++++
 4 files changed, 17 insertions(+), 4 deletions(-)

(limited to 'vpn')

diff --git a/vpn/connman-vpn.service.in b/vpn/connman-vpn.service.in
index 6cc59cbc..a4c294ec 100755
--- a/vpn/connman-vpn.service.in
+++ b/vpn/connman-vpn.service.in
@@ -5,12 +5,14 @@ After=dbus.socket
 
 [Service]
 Type=dbus
+User=network_fw
+Group=network_fw
 BusName=net.connman.vpn
 SmackProcessLabel=System
-ExecStart=@sbindir@/connman-vpnd -n
+ExecStart=@bindir@/connman-vpnd -n
 StandardOutput=null
-CapabilityBoundingSet=~CAP_MAC_ADMIN
-CapabilityBoundingSet=~CAP_MAC_OVERRIDE
+Capabilities=cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=i
+SecureBits=keep-caps
 
 [Install]
 WantedBy=multi-user.target
diff --git a/vpn/net.connman.vpn.service.in b/vpn/net.connman.vpn.service.in
index 8dcf2544..8ce55c20 100755
--- a/vpn/net.connman.vpn.service.in
+++ b/vpn/net.connman.vpn.service.in
@@ -1,5 +1,6 @@
 [D-BUS Service]
 Name=net.connman.vpn
 Exec=/bin/false
-User=root
+User=network_fw
+Group=network_fw
 SystemdService=connman-vpn.service
diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf
index 5b44017b..7b7b6d19 100755
--- a/vpn/vpn-dbus.conf
+++ b/vpn/vpn-dbus.conf
@@ -4,6 +4,12 @@
     <policy user="root">
         <allow own="net.connman.vpn"/>
         <allow send_destination="net.connman.vpn"/>
+		<allow send_interface="net.connman.vpn.Agent"/>
+    </policy>
+    <policy user="network_fw">
+        <allow own="net.connman.vpn"/>
+        <allow send_destination="net.connman.vpn"/>
+		<allow send_interface="net.connman.vpn.Agent"/>
     </policy>
     <policy at_console="true">
         <allow send_destination="net.connman.vpn"/>
diff --git a/vpn/vpn-polkit.conf b/vpn/vpn-polkit.conf
index a1dc6177..237d21be 100755
--- a/vpn/vpn-polkit.conf
+++ b/vpn/vpn-polkit.conf
@@ -5,6 +5,10 @@
         <allow own="net.connman.vpn"/>
         <allow send_interface="net.connman.vpn.Agent"/>
     </policy>
+    <policy user="network_fw">
+        <allow own="net.connman.vpn"/>
+        <allow send_interface="net.connman.vpn.Agent"/>
+    </policy>
     <policy context="default">
         <allow send_destination="net.connman.vpn"/>
     </policy>
-- 
cgit v1.2.3