afm-unit: Restore removal of capabilities

This removes capabilities to any application installed
and launched.

Also fixes a tiny bug in setup of user environment.

Bug-AGL: SPEC-2006

Change-Id: I2c0d85cc2c2d389247ad9ce728f4d9e8e3d74616
Signed-off-by: José Bollo <jose.bollo@iot.bzh>

diff --git a/conf/system/afm-user-setup@.service b/conf/system/afm-user-setup@.service
index cc5332b..f23dcd3 100644 (file)
--- a/conf/system/afm-user-setup@.service
+++ b/conf/system/afm-user-setup@.service
@@ -8,7 +8,7 @@ ExecStart=-/bin/sh -c "/bin/mkdir /run/user/%i; /bin/chown %i:%i /run/user/%i; /
 ExecStart=-/bin/sh -c "/bin/mkdir /run/user/%i/apis; /bin/chown %i:%i /run/user/%i/apis; /usr/bin/chsmack -a '*' /run/user/%i/apis"
 ExecStart=-/bin/sh -c "/bin/mkdir /run/user/%i/apis/ws; /bin/chown %i:%i /run/user/%i/apis/ws; /usr/bin/chsmack -a '*' /run/user/%i/apis/ws"
 ExecStart=-/bin/sh -c "/bin/mkdir /run/user/%i/apis/link; /bin/chown %i:%i /run/user/%i/apis/link; /usr/bin/chsmack -a '*' /run/user/%i/apis/link"
-ExecStart=-/bin/sh -c "/bin/ln -sf /run/platform/display/wayland-0 /run/user/%i/wayland-0; /bin/chown %i:%i /run/user/%i/wayland-0; /usr/bin/chsmack -a '*' /run/user/%i/wayland-0"
+ExecStart=-/bin/sh -c "/bin/ln -sf /run/platform/display/wayland-0 /run/user/%i/wayland-0; /bin/chown -h %i:%i /run/user/%i/wayland-0; /usr/bin/chsmack -a '*' /run/user/%i/wayland-0"
 
 
 

diff --git a/conf/unit/afm-unit-debug.conf.in b/conf/unit/afm-unit-debug.conf.in
index 9821e9f..f09956d 100644 (file)
--- a/conf/unit/afm-unit-debug.conf.in
+++ b/conf/unit/afm-unit-debug.conf.in
@@ -139,7 +139,7 @@ SmackProcessLabel=User::App::{{:id}}
 SuccessExitStatus=0 SIGKILL
 User=%i
 Slice=user-%i.slice
-#CapabilityBoundingSet=
+CapabilityBoundingSet=
 #AmbientCapabilities=
 {{#required-permission.urn:AGL:permission::platform:no-oom}}OOMScoreAdjust=-500{{/required-permission.urn:AGL:permission::platform:no-oom}}
 {{#required-permission.urn:AGL:permission::partner:real-time}}IOSchedulingClass=realtime{{/required-permission.urn:AGL:permission::partner:real-time}}

diff --git a/conf/unit/afm-unit.conf.in b/conf/unit/afm-unit.conf.in
index 9e95e11..1c14eb1 100644 (file)
--- a/conf/unit/afm-unit.conf.in
+++ b/conf/unit/afm-unit.conf.in
@@ -139,7 +139,7 @@ SmackProcessLabel=User::App::{{:id}}
 SuccessExitStatus=0 SIGKILL
 User=%i
 Slice=user-%i.slice
-#CapabilityBoundingSet=
+CapabilityBoundingSet=
 #AmbientCapabilities=
 {{#required-permission.urn:AGL:permission::platform:no-oom}}OOMScoreAdjust=-500{{/required-permission.urn:AGL:permission::platform:no-oom}}
 {{#required-permission.urn:AGL:permission::partner:real-time}}IOSchedulingClass=realtime{{/required-permission.urn:AGL:permission::partner:real-time}}

diff --git a/conf/unit/generate-unit-conf/service.inc b/conf/unit/generate-unit-conf/service.inc
index fdafc5c..839533d 100644 (file)
--- a/conf/unit/generate-unit-conf/service.inc
+++ b/conf/unit/generate-unit-conf/service.inc
@@ -72,7 +72,7 @@ SuccessExitStatus=0 SIGKILL
 User=%i
 Slice=user-%i.slice
 
-#CapabilityBoundingSet=
+CapabilityBoundingSet=
 #AmbientCapabilities=
 
 ON_PERM(:platform:no-oom,   OOMScoreAdjust=-500)