#!/bin/bash

# Pin the command search path to the system directories. The unqualified
# commands used further down (find, xargs, chown, chsmack, cut) then resolve
# from these directories only, whatever PATH the caller had set.
PATH=/bin:/usr/bin:/sbin:/usr/sbin

## Set file capabilities at the binary image creation stage (via mic)

# Package		sdbd
# Owner 		Jeeho Yoo(jeeho.yoo@samsung.com)
# Date			May 24, 2016
# Required		cap_setuid, cap_setgid
# cap_setuid		set user id per each user logged in
# cap_setgid		set group id following user id

# Owner			Changseok Oh(seok.oh@samsung.com)
# Date			June 23, 2016
# Required		cap_setuid, cap_dac_override, cap_sys_admin
# cap_setuid		set child process's uid to root
# cap_dac_override	bypass permission check at pull/push
# cap_sys_admin		remount at rpm installation

# sdbd: nothing is done when the binary is not part of this image.
# NOTE(review): "=eip" places all four capabilities in the file's permitted
# set, so every exec of sdbd receives them (limited only by the bounding set).
# cap_sys_admin covers far more than the remount use case named in the header;
# confirm that nothing narrower will do.
if [[ -e /usr/sbin/sdbd ]]; then
  /usr/sbin/setcap cap_setuid,cap_setgid,cap_dac_override,cap_sys_admin=eip /usr/sbin/sdbd
fi

# Package		alarm-server
# Owner 		Jiwoong Im(jiwoong.im@samsung.com)
# Date			May 24, 2016
# Required		cap_sys_time
# cap_sys_time		settimeofday() system call and rtc setting time need privilege; CAP_SYS_TIME

# alarm-server: cap_sys_time (effective, inheritable, permitted), applied only
# when the binary exists in the image.
if [[ -e /usr/bin/alarm-server ]]; then
  /usr/sbin/setcap cap_sys_time=eip /usr/bin/alarm-server
fi

# Package		download-provider
# Owner 		Jaekuk Lee(juku1999@samsung.com)
# Date			May 24, 2016
# Required		cap_chown, cap_dac_override
# cap_chown		needs to change owner of downloaded file from download-provider to application
# cap_dac_override	needs to access directory which user id is different (override DAC permission)

# download-provider: cap_chown plus cap_dac_override, applied only when the
# binary exists in the image.
# NOTE(review): together these allow reading, writing and re-owning any file
# regardless of its mode bits, so the daemon's file-handling paths deserve a
# close look.
if [[ -e /usr/bin/download-provider ]]; then
  /usr/sbin/setcap cap_chown,cap_dac_override=eip /usr/bin/download-provider
fi

# Package		media-server
# Owner 		Minje Ahn(minje.ahn@samsung.com)
# Date			May 27, 2016
# Required		cap_dac_override
# cap_dac_read_search	media-server needs to access client's directory	defined as each client's uid and gid
#			in case of providing its capi; thumbnail_util_extract() (providing thumbnail requested by client)
#			client would be another service daemon and application

# media-server: applied only when the binary exists in the image.
# NOTE(review): the header's "Required" line names cap_dac_override, but the
# capability granted here is cap_dac_read_search (bypass of read/search checks
# only, the narrower of the two). Confirm which one is intended and align the
# header.
if [[ -e /usr/bin/media-server ]]; then
  /usr/sbin/setcap cap_dac_read_search=eip /usr/bin/media-server
fi

# Package		csr-server
# Owner 		Kyungwook Tak(k.tak@samsung.com)
# Date			June 17, 2016
# Required		cap_dac_override, cap_fowner
# cap_dac_override	csr-server needs to access application's directory for scanning and removing file
# cap_fowner		csr-server needs to remove files set with sticky bit in /tmp (rwxrwxrwt)

# csr-server: cap_dac_override and cap_fowner, applied only when the binary
# exists in the image.
if [[ -e /usr/bin/csr-server ]]; then
  /usr/sbin/setcap cap_dac_override,cap_fowner=eip /usr/bin/csr-server
fi

# Package        	msg-server
# Owner        		Kyeonghun Lee(kh9090.lee@samsung.com)
# Date            	June 28, 2016
# Required        	cap_chown, cap_dac_override, cap_lease, cap_net_admin, cap_net_raw
# cap_net_admin    	Interface binding in case of using curl api (mms sending/receiving)
# cap_net_raw        	Bind to any address for proxying in using RAW and PACKET sockets (mms sending/receiving)
# cap_chown		To change the uid or gid of a file (chown)
# cap_lease		Establish leases on arbitrary files

# msg-server: applied only when the binary exists in the image.
# NOTE(review): the header's "Required" line also lists cap_dac_override, which
# is not granted here. Confirm whether the header or the grant is out of date.
if [[ -e /usr/bin/msg-server ]]; then
  /usr/sbin/setcap cap_chown,cap_lease,cap_net_admin,cap_net_raw=eip /usr/bin/msg-server
fi

# Package        	pkgmgr-server
# Owner        		Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date            	June 30, 2016
# Required        	cap_chown, cap_dac_override, cap_fsetid, cap_kill, cap_setgid, cap_setuid
# cap_chown		fchown : change owner
# cap_dac_override	Access user and global database file of package manager
# cap_fsetid		fchmod : change mode
# cap_kill		killpg function
# cap_setgid		setgid and setgroups function
# cap_setuid		setuid function

# pkgmgr-server: applied only when the binary exists in the image.
# NOTE(review): with cap_setuid, cap_setgid and cap_dac_override permitted on
# every exec, this binary is effectively root-equivalent; confirm who is
# allowed to execute it and that its file mode is not wider than necessary.
if [[ -e /usr/bin/pkgmgr-server ]]; then
  /usr/sbin/setcap cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid=eip /usr/bin/pkgmgr-server
fi

# Package		app-installers
# Owner			Sangyoun Jang(s89.jang@samsung.com)
# Date			Jul 04, 2016
# Required		cap_dac_override, cap_chown, cap_fowner
# cap_dac_override	access to /home/$USER/apps_rw
# cap_chown		use chown API
# cap_fowner		use chmod API

# app-installers: the capabilities go on the pkgdir-tool binary, and only when
# it exists in the image.
if [[ -e /usr/bin/pkgdir-tool ]]; then
  /usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=eip /usr/bin/pkgdir-tool
fi

# Package		mused
# Owner			Younghoon Kim(yh8004.kim@samsung.com)
# Date			Jul 07, 2016
# Required		cap_dac_override
# cap_dac_override	access to directories of applications

# mused: the capability goes on the muse-server binary, and only when it
# exists in the image.
if [[ -e /usr/bin/muse-server ]]; then
  /usr/sbin/setcap cap_dac_override=eip /usr/bin/muse-server
fi

# Package		gpsd
# Owner			kyoungjun sung(kj7.sung@samsung.com)
# Date			Aug 03, 2016
# Required		cap_dac_override
# cap_dac_override	access to /dev/ directory

# gpsd: applied only when the binary exists in the image.
# NOTE(review): cap_dac_override lifts permission checks on every file, not
# only the /dev nodes the header mentions; group ownership on the device nodes
# would be a narrower grant if it fits.
if [[ -e /usr/bin/gpsd ]]; then
  /usr/sbin/setcap cap_dac_override=eip /usr/bin/gpsd
fi

# Package		tpk-backend
# Owner			Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date			Aug 10, 2016
# Required		cap_dac_override, cap_chown, cap_fowner
# cap_dac_override	access to /home/$USER/apps_rw
# cap_chown		use chown API
# cap_fowner		use chmod API

# tpk-backend: cap_dac_override, cap_chown and cap_fowner, applied only when
# the binary exists in the image.
if [[ -e /usr/bin/tpk-backend ]]; then
  /usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=eip /usr/bin/tpk-backend
fi

# Package		wgt-backend
# Owner			Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date			Aug 10, 2016
# Required		cap_dac_override, cap_chown, cap_fowner
# cap_dac_override	access to /home/$USER/apps_rw
# cap_chown		use chown API
# cap_fowner		use chmod API

# wgt-backend: cap_dac_override, cap_chown and cap_fowner, applied only when
# the binary exists in the image.
if [[ -e /usr/bin/wgt-backend ]]; then
  /usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=eip /usr/bin/wgt-backend
fi

# Package		xdelta3
# Owner			Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date			Aug 10, 2016
# Required		cap_dac_override
# cap_dac_override	access to /home/$USER/apps_rw

# xdelta3: applied only when the binary exists in the image.
# NOTE(review): unlike the backend stanzas around it, this grant is "=ei" (no
# permitted flag). xdelta3 therefore holds cap_dac_override only when the
# invoking process carries it in its inheritable set. The header has no
# "Capability Bit" line recording that this is deliberate.
if [[ -e /usr/bin/xdelta3 ]]; then
  /usr/sbin/setcap cap_dac_override=ei /usr/bin/xdelta3
fi

# Package               deviced-vibrator
# Owner                 Pureum Jung(pr.jung@samsung.com)
# Date                  Sep 2, 2016
# Required              cap_dac_override
# cap_dac_override      to access input event node

# deviced-vibrator: applied only when the binary exists in the image.
# NOTE(review): cap_dac_override applies to every file, not just the input
# event node named in the header; check whether node group ownership could
# replace it.
if [[ -e /usr/bin/deviced-vibrator ]]; then
  /usr/sbin/setcap cap_dac_override=eip /usr/bin/deviced-vibrator
fi

# Package		connmand
# Owner			Hyunuk Tak(hyunuk.tak@samsung.com)
# Date			Oct 7, 2016
# Required		cap_dac_override,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw
# cap_dac_override	to access ip address files in sys and proc file system
# cap_net_admin		network interface configuration
# cap_net_bind_service	to execute bind() function
# cap_net_broadcast	to make socket broadcasts, and listen to multicasts
# cap_net_raw		to use RAW socket

#if [ -e "/usr/sbin/connmand" ]
#then /usr/sbin/setcap cap_dac_override,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=eip /usr/sbin/connmand
#fi

# Package		net-config
# Owner			Hyunuk Tak(hyunuk.tak@samsung.com)
# Date			Oct 7, 2016
# Required		cap_dac_override, cap_net_admin
# cap_dac_override	create log file inside /var/log directory
# cap_net_admin		scan wifi AP

#if [ -e "/usr/sbin/net-config" ]
#then /usr/sbin/setcap cap_dac_override,cap_net_admin=eip /usr/sbin/net-config
#fi

# Package		wpa_supplicant
# Owner			Hyunuk Tak(hyunuk.tak@samsung.com)
# Date			Oct 7, 2016
# Required		cap_net_admin, cap_net_raw
# cap_net_admin		network interface configuration
# cap_net_raw		to use RAW socket

# wpa_supplicant: cap_net_admin and cap_net_raw, applied only when the binary
# exists in the image.
if [[ -e /usr/sbin/wpa_supplicant ]]; then
  /usr/sbin/setcap cap_net_admin,cap_net_raw=eip /usr/sbin/wpa_supplicant
fi

# Package		mobileap-agent
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		cap_dac_override, cap_fowner, cap_net_admin, cap_net_bind_service
# cap_dac_override	network interface configuration
# cap_fowner		network interface configuration
# cap_net_admin		to use ioctl socket
# cap_net_bind_service	to call bind

# mobileap-agent: applied only when the binary exists in the image.
if [[ -e /usr/bin/mobileap-agent ]]; then
  /usr/sbin/setcap cap_dac_override,cap_fowner,cap_net_admin,cap_net_bind_service=eip /usr/bin/mobileap-agent
fi

# Package		wpa_supplicant
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		cap_dac_override, cap_net_admin, cap_net_bind_service, cap_net_raw, cap_fowner
# cap_net_admin		to use ioctl socket
# cap_net_bind_service 	to call bind
# cap_net_raw		to use RAW socket
# cap_fowner		network interface configuration

# hostapd: applied only when the binary exists in the image.
# NOTE(review): the header is titled "wpa_supplicant" although the binary
# labelled here is hostapd, and its "Required" line lists cap_dac_override,
# which is not granted. Confirm and align the header with the grant.
if [[ -e /usr/sbin/hostapd ]]; then
  /usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_raw,cap_fowner=eip /usr/sbin/hostapd
fi

# Package		dnsmasq
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		cap_dac_override, cap_net_bind_service, cap_net_broadcast, cap_net_admin
# Capability Bit	only effective and inheritable
# cap_dac_override	network interface configuration
# cap_net_admin		to use ioctl socket
# cap_net_bind_service	to call bind
# cap_net_broadcast	to make socket broadcasts, and listen to multicasts
# cap_net_raw		to make socket permission(ICMPv6)

# dnsmasq: "=ei" only, so the capabilities are raised solely for callers that
# already hold them in their inheritable set. Applied only when the binary
# exists in the image.
# NOTE(review): cap_net_raw is granted and described in the header but is
# missing from the header's "Required" line.
if [[ -e /usr/bin/dnsmasq ]]; then
  /usr/sbin/setcap cap_dac_override,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=ei /usr/bin/dnsmasq
fi

# Package		iproute2
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		cap_net_admin
# Capability Bit	only effective and inheritable
# cap_net_admin		to use ioctl socket

# iproute2 (ip): "=ei" leaves the file's permitted set empty, so an ordinary
# caller gains nothing; only a process with cap_net_admin in its inheritable
# set gets it raised on exec. Applied only when the binary exists.
if [[ -e /usr/sbin/ip ]]; then
  /usr/sbin/setcap cap_net_admin=ei /usr/sbin/ip
fi

# Package		iptables
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		cap_dac_override, cap_sys_admin, cap_net_admin, cap_net_raw
# Capability Bit	only effective and inheritable
# cap_net_admin		to use ioctl socket
# cap_net_raw		to use RAW socket
# cap_sys_admin		to initialize iptables table

# iptables (xtables-multi): "=ei" only, applied when the binary exists.
# NOTE(review): the header's "Required" line lists cap_dac_override, which is
# not granted here. cap_sys_admin is a very broad capability; the inheritable-
# only grant limits it to callers that already carry it, so keep that set of
# callers small.
if [[ -e /usr/sbin/xtables-multi ]]; then
  /usr/sbin/setcap cap_net_admin,cap_net_raw,cap_sys_admin=ei /usr/sbin/xtables-multi
fi

# Package               chmod
# Owner                 Changyeon Lee(cyeon.lee@samsung.com)
# Date                  Oct 11, 2016
# Required              cap_fowner
# Capability Bit        only effective and inheritable
# cap_fowner		to pass permission check

# chmod is a general-purpose tool, so the grant is "=ei": the file's permitted
# set stays empty and an ordinary caller gains nothing. Only a process that
# already has cap_fowner in its inheritable set gets it raised on exec.
if [[ -e /usr/bin/chmod ]]; then
  /usr/sbin/setcap cap_fowner=ei /usr/bin/chmod
fi

# Package               chgrp
# Owner                 Changyeon Lee(cyeon.lee@samsung.com)
# Date                  Oct 11, 2016
# Required              cap_chown
# Capability Bit        only effective and inheritable
# cap_fowner		to change files UIDs and GID

# chgrp: "=ei" only, so cap_chown is raised solely for callers that hold it in
# their inheritable set. Applied only when the binary exists.
# NOTE(review): the header's description line is labelled cap_fowner, while the
# "Required" line and this grant both say cap_chown; the label looks like a
# copy-paste slip.
if [[ -e /usr/bin/chgrp ]]; then
  /usr/sbin/setcap cap_chown=ei /usr/bin/chgrp
fi

# Package               touch
# Owner                 SooYoung Ha(yoosah.ha@samsung.com)
# Date                  Oct 13, 2016
# Required              cap_dac_override
# Capability Bit        only effective and inheritable
# cap_dac_override      to access file

# touch: general-purpose tool, hence "=ei". cap_dac_override is raised only
# for callers that already hold it in their inheritable set. Applied only when
# the binary exists.
if [[ -e /bin/touch ]]; then
  /usr/sbin/setcap cap_dac_override=ei /bin/touch
fi

# Package               amixer
# Owner                 SooYoung Ha(yoosah.ha@samsung.com)
# Date                  Oct 13, 2016
# Required              cap_dac_override
# Capability Bit        only effective and inheritable
# cap_dac_override	to access file

# amixer: "=ei" only, so cap_dac_override is raised solely for callers that
# already hold it in their inheritable set. Applied only when the binary exists.
if [[ -e /usr/bin/amixer ]]; then
  /usr/sbin/setcap cap_dac_override=ei /usr/bin/amixer
fi

# Package               data-provider-master
# Owner                 Myung-ki Lee (mk5004.lee@samsung.com)
# Date                  Nov 21, 2016
# Required              cap_dac_override
# cap_dac_read_search     to override dac permission for accessing to app's po files.

# data-provider-master: applied only when the binary exists in the image.
# NOTE(review): the header's "Required" line names cap_dac_override, but the
# capability granted is cap_dac_read_search (read/search bypass only). Confirm
# which is intended and align the header.
if [[ -e /usr/bin/data-provider-master ]]; then
  /usr/sbin/setcap cap_dac_read_search=eip /usr/bin/data-provider-master
fi

# Package               platform/core/appfw/pkgmgr-tool
# Owner                 Sangyoon Jang(s89.jang@samsung.com)
# Date                  Nov 28, 2016
# Required              cap_dac_read_search
# cap_dac_read_search   to access pkg directory

# pkg_getsize: cap_dac_read_search only (bypasses read/search checks, not
# write checks). Applied only when the binary exists in the image.
if [[ -e /usr/bin/pkg_getsize ]]; then
  /usr/sbin/setcap cap_dac_read_search=eip /usr/bin/pkg_getsize
fi

# Package		platform/core/messaging/email-service
# Owner			Intae Jeon(intae.jeon@samsung.com)
# Date			Dec 13, 2016
# Required		cap_chown
# cap_chown		To change permission of DB file.

# email-service: cap_chown, applied only when the binary exists in the image.
if [[ -e /usr/bin/email-service ]]; then
  /usr/sbin/setcap cap_chown=eip /usr/bin/email-service
fi

# Package               platform/core/appfw/pkgmgr-tool
# Owner                 JongMyeong Ko(jongmyeong.ko@samsung.com)
# Date                  Jan 23, 2017
# Required              cap_dac_override
# cap_dac_override      to remove application resources in pkg directory
# TODO: REMOVED IN TIZEN 4.0

# pkg_cleardata: cap_dac_override, applied only when the binary exists in the
# image. The header marks this grant for removal in Tizen 4.0.
if [[ -e /usr/bin/pkg_cleardata ]]; then
  /usr/sbin/setcap cap_dac_override=eip /usr/bin/pkg_cleardata
fi


# TODO: MOVE TO OTHER SCRIPT OR REMOVE
# Requested by sooyeon.kim@samsung.com
# Skeleton voice data: hand the whole tree to app_fw:app_fw, give every entry
# the SMACK access label 'User::App::Shared', and set the transmute flag on
# directories only. Nothing is done when the path is absent.
if [[ -e /etc/skel/share/.voice ]]; then
  find /etc/skel/share/.voice -exec chown app_fw:app_fw {} +
  find /etc/skel/share/.voice -exec chsmack -a 'User::App::Shared' {} +
  find /etc/skel/share/.voice -type d -exec chsmack -t {} +
fi

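# Same ownership/label fix-up for every existing user home: each directory
# directly under /opt/usr/home is treated as a user name, and that user's
# share/.voice tree (if present) is re-owned to <user>:users, labelled
# 'User::App::Shared', with the transmute flag set on directories.
#   - NUL-delimited find + read replaces the backtick word-splitting, so a
#     directory name containing whitespace or glob characters stays intact.
#   - -mindepth 1 skips /opt/usr/home itself, which previously produced an
#     empty user name (chown ":users") if /opt/usr/home/share/.voice existed.
#   - chown -h re-owns a symlink itself rather than whatever it points to; the
#     tree lives inside a user's home, so link targets must not be trusted.
# Globals: line, user (written, as before)
while IFS= read -r -d '' line; do
  [[ -e "$line/share/.voice" ]] || continue
  # The last path component is the user name (field 5 of /opt/usr/home/<user>).
  user=${line##*/}
  find "$line/share/.voice" -exec chown -h -- "$user:users" {} +
  find "$line/share/.voice" -exec chsmack -a 'User::App::Shared' {} +
  find "$line/share/.voice" -type d -exec chsmack -t {} +
done < <(find /opt/usr/home -mindepth 1 -maxdepth 1 -type d -print0)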

# Set SMACK label as "System::Privileged" in /opt/var/security-manager/rules
# Runs unconditionally: relabel the security-manager rules path, recursively
# (-r), with the SMACK access label given to -a.
chsmack -r -a 'System::Privileged' \
  /opt/var/security-manager/rules
