From: Stephane Desneux Date: Wed, 6 Feb 2019 16:31:14 +0000 (+0100) Subject: Revert "afm-unit: Restore removal of capabilities" X-Git-Tag: 7.90.0^0 X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?p=src%2Fapp-framework-main.git;a=commitdiff_plain;h=46e35ce1ff7da5ceeac8fa50393c5c1c37fccc0a Revert "afm-unit: Restore removal of capabilities" This reverts commit f2a2f1357a5268b614528feeba0a91f4ea04a7aa. Change-Id: I7ff68f27b75c9ddb887470c5579e7b9277aa3613 Signed-off-by: Stephane Desneux --- diff --git a/conf/unit/afm-unit-debug.conf.in b/conf/unit/afm-unit-debug.conf.in index 6955fa2..49eb826 100644 --- a/conf/unit/afm-unit-debug.conf.in +++ b/conf/unit/afm-unit-debug.conf.in @@ -137,13 +137,12 @@ SmackProcessLabel=User::App::{{:id}} SuccessExitStatus=0 SIGKILL User=%i Slice=user-%i.slice -CapabilityBoundingSet= +#CapabilityBoundingSet= #AmbientCapabilities= {{#required-permission.urn:AGL:permission::platform:no-oom}}OOMScoreAdjust=-500{{/required-permission.urn:AGL:permission::platform:no-oom}} {{#required-permission.urn:AGL:permission::partner:real-time}}IOSchedulingClass=realtime{{/required-permission.urn:AGL:permission::partner:real-time}} +{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}} {{^required-permission.urn:AGL:permission::public:syscall:clock}}SystemCallFilter=~@clock{{/required-permission.urn:AGL:permission::public:syscall:clock}} -#{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}} -SupplementaryGroups=display %nl WorkingDirectory=-/home/%i/app-data/{{:id}} ExecStartPre=/bin/mkdir -p /home/%i/app-data/{{:id}} diff --git a/conf/unit/afm-unit.conf.in b/conf/unit/afm-unit.conf.in index 353d83b..50fd957 100644 --- a/conf/unit/afm-unit.conf.in +++ b/conf/unit/afm-unit.conf.in @@ -137,13 +137,12 @@ SmackProcessLabel=User::App::{{:id}} SuccessExitStatus=0 SIGKILL User=%i Slice=user-%i.slice -CapabilityBoundingSet= +#CapabilityBoundingSet= #AmbientCapabilities= {{#required-permission.urn:AGL:permission::platform:no-oom}}OOMScoreAdjust=-500{{/required-permission.urn:AGL:permission::platform:no-oom}} {{#required-permission.urn:AGL:permission::partner:real-time}}IOSchedulingClass=realtime{{/required-permission.urn:AGL:permission::partner:real-time}} +{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}} {{^required-permission.urn:AGL:permission::public:syscall:clock}}SystemCallFilter=~@clock{{/required-permission.urn:AGL:permission::public:syscall:clock}} -#{{#required-permission.urn:AGL:permission::public:display}}SupplementaryGroups=display{{/required-permission.urn:AGL:permission::public:display}} -SupplementaryGroups=display %nl WorkingDirectory=-/home/%i/app-data/{{:id}} ExecStartPre=/bin/mkdir -p /home/%i/app-data/{{:id}} diff --git a/conf/unit/generate-unit-conf/service.inc b/conf/unit/generate-unit-conf/service.inc index 59df916..961a262 100644 --- a/conf/unit/generate-unit-conf/service.inc +++ b/conf/unit/generate-unit-conf/service.inc @@ -70,14 +70,13 @@ SuccessExitStatus=0 SIGKILL User=%i Slice=user-%i.slice -CapabilityBoundingSet= +#CapabilityBoundingSet= #AmbientCapabilities= ON_PERM(:platform:no-oom, OOMScoreAdjust=-500) ON_PERM(:partner:real-time, IOSchedulingClass=realtime) +ON_PERM(:public:display, SupplementaryGroups=display) ON_PERM(:public:syscall:clock, , SystemCallFilter=~@clock) -#ON_PERM(:public:display, SupplementaryGroups=display) -SupplementaryGroups=display %nl WorkingDirectory=-APP_DATA_DIR/{{:id}}