Revert "afm-unit: Restore removal of capabilities"

This reverts commit f2a2f1357a5268b614528feeba0a91f4ea04a7aa.

Change-Id: I7ff68f27b75c9ddb887470c5579e7b9277aa3613
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>

diff --git a/conf/unit/afm-unit-debug.conf.in b/conf/unit/afm-unit-debug.conf.in
index 6955fa2..49eb826 100644 (file)
--- a/conf/unit/afm-unit-debug.conf.in
+++ b/conf/unit/afm-unit-debug.conf.in
@@ -137,13 +137,12 @@ SmackProcessLabel=User::App::{{:id}}
 SuccessExitStatus=0 SIGKILL
 User=%i
 Slice=user-%i.slice
-CapabilityBoundingSet=
+#CapabilityBoundingSet=
 #AmbientCapabilities=
 {{#required-permission.urn:AGL:permission::platform:no-oom}}OOMScoreAdjust=-500{{/required-permission.urn:AGL:permission::platform:no-oom}}
 {{#required-permission.urn:AGL:permission::partner:real-time}}IOSchedulingClass=realtime{{/required-permission.urn:AGL:permission::partner:real-time}}
+{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}}
 {{^required-permission.urn:AGL:permission::public:syscall:clock}}SystemCallFilter=~@clock{{/required-permission.urn:AGL:permission::public:syscall:clock}}
-#{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}}
-SupplementaryGroups=display
 %nl
 WorkingDirectory=-/home/%i/app-data/{{:id}}
 ExecStartPre=/bin/mkdir -p /home/%i/app-data/{{:id}}

diff --git a/conf/unit/afm-unit.conf.in b/conf/unit/afm-unit.conf.in
index 353d83b..50fd957 100644 (file)
--- a/conf/unit/afm-unit.conf.in
+++ b/conf/unit/afm-unit.conf.in
@@ -137,13 +137,12 @@ SmackProcessLabel=User::App::{{:id}}
 SuccessExitStatus=0 SIGKILL
 User=%i
 Slice=user-%i.slice
-CapabilityBoundingSet=
+#CapabilityBoundingSet=
 #AmbientCapabilities=
 {{#required-permission.urn:AGL:permission::platform:no-oom}}OOMScoreAdjust=-500{{/required-permission.urn:AGL:permission::platform:no-oom}}
 {{#required-permission.urn:AGL:permission::partner:real-time}}IOSchedulingClass=realtime{{/required-permission.urn:AGL:permission::partner:real-time}}
+{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}}
 {{^required-permission.urn:AGL:permission::public:syscall:clock}}SystemCallFilter=~@clock{{/required-permission.urn:AGL:permission::public:syscall:clock}}
-#{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}}
-SupplementaryGroups=display
 %nl
 WorkingDirectory=-/home/%i/app-data/{{:id}}
 ExecStartPre=/bin/mkdir -p /home/%i/app-data/{{:id}}

diff --git a/conf/unit/generate-unit-conf/service.inc b/conf/unit/generate-unit-conf/service.inc
index 59df916..961a262 100644 (file)
--- a/conf/unit/generate-unit-conf/service.inc
+++ b/conf/unit/generate-unit-conf/service.inc
@@ -70,14 +70,13 @@ SuccessExitStatus=0 SIGKILL
 User=%i
 Slice=user-%i.slice
 
-CapabilityBoundingSet=
+#CapabilityBoundingSet=
 #AmbientCapabilities=
 
 ON_PERM(:platform:no-oom,   OOMScoreAdjust=-500)
 ON_PERM(:partner:real-time, IOSchedulingClass=realtime)
+ON_PERM(:public:display,    SupplementaryGroups=display)
 ON_PERM(:public:syscall:clock, , SystemCallFilter=~@clock)
-#ON_PERM(:public:display,    SupplementaryGroups=display)
-SupplementaryGroups=display
 %nl
 
 WorkingDirectory=-APP_DATA_DIR/{{:id}}