#!/bin/bash

# Pin the command search path to the system directories so that any lookup by
# bare name does not depend on the caller's environment. The commands visible
# in this script are invoked by absolute path.
PATH='/bin:/usr/bin:/sbin:/usr/sbin'

## Set file capabilities at the binary image creation stage (via mic)

# Package		sdbd
# Owner 		Jeeho Yoo(jeeho.yoo@samsung.com)
# Date			May 24, 2016
# Required		cap_setuid, cap_setgid
# cap_setuid		set user id per each user logged in
# cap_setgid		set group id following user id

# Owner			Changseok Oh(seok.oh@samsung.com)
# Date			June 23, 2016
# Required		cap_setuid, cap_dac_override, cap_sys_admin
# cap_setuid		set child process's uid to root
# cap_dac_override	bypass permission check at pull/push
# cap_sys_admin		remount at rpm installation

# sdbd: grant the union of the two requests documented above. "=ei" sets the
# file effective flag and the inheritable set only (no permitted set), so the
# capabilities become active only when the executing process already holds
# them in its own inheritable set.
# NOTE(review): cap_sys_admin together with cap_setuid and cap_dac_override is
# close to full root; confirm the remount use case still needs cap_sys_admin.
# setcap's exit status is not checked, so a failure does not stop the script.
if test -e /usr/sbin/sdbd; then
  /usr/sbin/setcap \
    cap_setuid,cap_setgid,cap_dac_override,cap_sys_admin=ei \
    /usr/sbin/sdbd
fi

# Package		alarm-server
# Owner 		Jiwoong Im(jiwoong.im@samsung.com)
# Date			May 24, 2016
# Required		cap_sys_time
# cap_sys_time		settimeofday() system call and rtc setting time need privilege; CAP_SYS_TIME

# alarm-server: cap_sys_time (effective + inheritable) for the clock and RTC
# updates described in the header above.
if test -e /usr/bin/alarm-server; then
  /usr/sbin/setcap cap_sys_time=ei /usr/bin/alarm-server
fi

# Package		download-provider
# Owner 		Jaekuk Lee(juku1999@samsung.com)
# Date			May 24, 2016
# Required		cap_chown, cap_dac_override
# cap_chown		needs to change owner of downloaded file from download-provider to application
# cap_dac_override	needs to access directory which user id is different (override DAC permission)

# download-provider: cap_chown to hand downloaded files over to the requesting
# application, cap_dac_override to reach directories owned by other uids.
if test -e /usr/bin/download-provider; then
  /usr/sbin/setcap \
    cap_chown,cap_dac_override=ei \
    /usr/bin/download-provider
fi

# Package		media-server
# Owner 		Minje Ahn(minje.ahn@samsung.com)
# Date			May 27, 2016
# Required		cap_dac_override
# cap_dac_read_search	media-server needs to access client's directory	defined as each client's uid and gid
#			in case of providing its capi; thumbnail_util_extract() (providing thumbnail requested by client)
#			client would be another service daemon and application

# media-server: cap_dac_read_search (bypasses read/search permission checks
# only, not write checks).
# NOTE(review): the "Required" line in the header names cap_dac_override, but
# the capability described there and granted here is cap_dac_read_search.
if test -e /usr/bin/media-server; then
  /usr/sbin/setcap cap_dac_read_search=ei /usr/bin/media-server
fi

# Package		csr-server
# Owner 		Kyungwook Tak(k.tak@samsung.com)
# Date			June 17, 2016
# Required		cap_dac_override, cap_fowner
# cap_dac_override	csr-server needs to access application's directory for scanning and removing file
# cap_fowner		csr-server needs to remove files set with sticky bit in /tmp (rwxrwxrwt)

# csr-server: cap_dac_override to scan and remove files in application
# directories, cap_fowner to remove files under sticky-bit directories.
if test -e /usr/bin/csr-server; then
  /usr/sbin/setcap \
    cap_dac_override,cap_fowner=ei \
    /usr/bin/csr-server
fi

# Package        	msg-server
# Owner        		Kyeonghun Lee(kh9090.lee@samsung.com)
# Date            	June 28, 2016
# Required        	cap_chown, cap_dac_override, cap_lease, cap_net_admin, cap_net_raw
# cap_net_admin    	Interface binding in case of using curl api (mms sending/receiving)
# cap_net_raw        	Bind to any address for proxying in using RAW and PACKET sockets (mms sending/receiving)
# cap_chown		To change a file's uid or gid with chown
# cap_lease		Establish leases on arbitrary files

# msg-server: ownership, lease and network capabilities for MMS handling.
# NOTE(review): the header lists cap_dac_override as required, but it is not
# part of the set granted here; confirm which of the two is intended.
if test -e /usr/bin/msg-server; then
  /usr/sbin/setcap \
    cap_chown,cap_lease,cap_net_admin,cap_net_raw=ei \
    /usr/bin/msg-server
fi

# Package        	pkgmgr-server
# Owner        		Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date            	June 30, 2016
# Required        	cap_chown, cap_dac_override, cap_fsetid, cap_kill, cap_setgid, cap_setuid
# cap_chown		fchown : change owner
# cap_dac_override	Access user and global database file of package manager
# cap_fsetid		fchmod : change mode
# cap_kill		killpg function
# cap_setgid		setgid and setgroups function
# cap_setuid		setuid function

# pkgmgr-server: the six capabilities itemised in the header above
# (effective + inheritable only).
if test -e /usr/bin/pkgmgr-server; then
  /usr/sbin/setcap \
    cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid=ei \
    /usr/bin/pkgmgr-server
fi

# Package		app-installers
# Owner			Sangyoun Jang(s89.jang@samsung.com)
# Date			Jul 04, 2016
# Required		cap_dac_override, cap_chown, cap_fowner
# cap_dac_override	access to /home/$USER/apps_rw
# cap_chown		use chown API
# cap_fowner		use chmod API

# app-installers (pkgdir-tool): access to per-user app directories plus the
# chown/chmod capabilities named in the header.
if test -e /usr/bin/pkgdir-tool; then
  /usr/sbin/setcap \
    cap_dac_override,cap_chown,cap_fowner=ei \
    /usr/bin/pkgdir-tool
fi

# Package		mused
# Owner			Younghoon Kim(yh8004.kim@samsung.com)
# Date			Jul 07, 2016
# Required		cap_dac_override
# cap_dac_override	access to directories of applications

# mused (muse-server): cap_dac_override for access to application directories.
if test -e /usr/bin/muse-server; then
  /usr/sbin/setcap cap_dac_override=ei /usr/bin/muse-server
fi

# Package		tpk-backend
# Owner			Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date			Aug 10, 2016
# Required		cap_dac_override, cap_chown, cap_fowner
# cap_dac_override	access to /home/$USER/apps_rw
# cap_chown		use chown API
# cap_fowner		use chmod API

# tpk-backend: same capability set as the other installer backends.
if test -e /usr/bin/tpk-backend; then
  /usr/sbin/setcap \
    cap_dac_override,cap_chown,cap_fowner=ei \
    /usr/bin/tpk-backend
fi

# Package		wgt-backend
# Owner			Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date			Aug 10, 2016
# Required		cap_dac_override, cap_chown, cap_fowner
# cap_dac_override	access to /home/$USER/apps_rw
# cap_chown		use chown API
# cap_fowner		use chmod API

# wgt-backend: same capability set as the other installer backends.
if test -e /usr/bin/wgt-backend; then
  /usr/sbin/setcap \
    cap_dac_override,cap_chown,cap_fowner=ei \
    /usr/bin/wgt-backend
fi

# Package		xdelta3
# Owner			Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date			Aug 10, 2016
# Required		cap_dac_override
# cap_dac_override	access to /home/$USER/apps_rw

# xdelta3: cap_dac_override for the per-user app directories. This is a
# general-purpose tool; with "=ei" the capability only becomes active for
# callers that already hold it in their inheritable set.
if test -e /usr/bin/xdelta3; then
  /usr/sbin/setcap cap_dac_override=ei /usr/bin/xdelta3
fi

# Package               feedbackd
# Owner                 Pureum Jung(pr.jung@samsung.com)
# Date                  Sep 2, 2016
# Required              cap_dac_override
# cap_dac_override      to access input event node => removed as feedbackd has input gid.

#if [ -e "/usr/bin/feedbackd" ]
#then /usr/sbin/setcap cap_dac_override=eip /usr/bin/feedbackd
#fi

# Package		connmand
# Owner			Hyunuk Tak(hyunuk.tak@samsung.com)
# Date			Oct 7, 2016
# Required		cap_dac_override,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw
# cap_net_admin		to add interface flags and make the interface UP/DOWN using ioctl
# cap_net_bind_service	to execute bind() function
# cap_net_broadcast	to make socket broadcasts, and listen to multicasts
# cap_net_raw		to use RAW socket
# cap_dac_override	to access bridge device

# connmand and connman-vpnd receive the same network capability set plus
# cap_dac_override (bridge device access, per the header above).
if test -e /usr/bin/connmand; then
  /usr/sbin/setcap \
    cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_override=ei \
    /usr/bin/connmand
fi

if test -e /usr/bin/connman-vpnd; then
  /usr/sbin/setcap \
    cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_override=ei \
    /usr/bin/connman-vpnd
fi

# Package		net-config
# Owner			Hyunuk Tak(hyunuk.tak@samsung.com)
# Date			Oct 7, 2016
# Required		cap_dac_override, cap_net_admin
# cap_dac_override	to access bridge device
# cap_net_admin		scan wifi AP and interface control using ioctl

# net-config: bridge device access and interface control.
# NOTE(review): cap_net_raw is granted here but is neither listed as required
# nor justified in the header; confirm it is needed.
if test -e /usr/bin/net-config; then
  /usr/sbin/setcap \
    cap_dac_override,cap_net_admin,cap_net_raw=ei \
    /usr/bin/net-config
fi

# Package		wpa_supplicant
# Owner			Hyunuk Tak(hyunuk.tak@samsung.com)
# Date			Oct 7, 2016
# Required		cap_net_admin, cap_net_raw
# cap_net_admin		to add interface flags and configure the interface using ioctl and driver commands
# cap_net_raw		to use RAW socket
# cap_dac_override	to access bridge device

# wpa_supplicant: interface configuration, raw sockets, and cap_dac_override
# for bridge device access (described in the header, though its "Required"
# line omits it).
if test -e /usr/bin/wpa_supplicant; then
  /usr/sbin/setcap \
    cap_net_admin,cap_net_raw,cap_dac_override=ei \
    /usr/bin/wpa_supplicant
fi

# Package		mobileap-agent
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		cap_net_admin, cap_net_bind_service
# cap_net_admin		to use ioctl socket
# cap_net_bind_service	to call bind

# mobileap-agent: cap_net_admin for ioctl sockets, cap_net_bind_service for
# bind().
if test -e /usr/bin/mobileap-agent; then
  /usr/sbin/setcap \
    cap_net_admin,cap_net_bind_service=ei \
    /usr/bin/mobileap-agent
fi

# route is used by mobileap-agent
# route is a general-purpose utility; with "=ei" cap_net_admin only becomes
# active for callers that already hold it in their inheritable set.
if test -e /usr/sbin/route; then
  /usr/sbin/setcap cap_net_admin=ei /usr/sbin/route
fi

# Package		wpa_supplicant
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		cap_dac_override, cap_net_admin, cap_net_bind_service, cap_net_raw, cap_fowner
# cap_net_admin		to use ioctl socket
# cap_net_bind_service 	to call bind
# cap_net_raw		to use RAW socket
# cap_dac_override	to access bridge device

# hostapd: network capabilities plus cap_dac_override.
# NOTE(review): this entry uses "=eip" where most entries use "=ei". With the
# permitted bit set in the file, the capabilities are granted to any process
# that can execute hostapd (limited by its bounding set), not only to callers
# that already hold them as inheritable. Confirm this is intended, or align it
# with the "=ei" entries. The header above also names wpa_supplicant as the
# package and lists cap_fowner, which is not granted here.
if test -e /usr/bin/hostapd; then
  /usr/sbin/setcap \
    cap_net_admin,cap_net_bind_service,cap_net_raw,cap_dac_override=eip \
    /usr/bin/hostapd
fi

# Package		dnsmasq
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		cap_dac_override, cap_net_bind_service, cap_net_broadcast, cap_net_admin
# Capability Bit	only effective and inheritable
# cap_net_admin		to use ioctl socket
# cap_net_bind_service	to call bind
# cap_net_broadcast	to make socket broadcasts, and listen to multicasts
# cap_net_raw		to make socket permission(ICMPv6)

# dnsmasq: network capabilities only.
# NOTE(review): the header's "Required" line lists cap_dac_override (not
# granted here) and omits cap_net_raw (granted here and described there).
if test -e /usr/bin/dnsmasq; then
  /usr/sbin/setcap \
    cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=ei \
    /usr/bin/dnsmasq
fi

# Package		iproute2
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		cap_net_admin
# Capability Bit	only effective and inheritable
# cap_net_admin		to use ioctl socket

# iproute2 (ip): cap_net_admin, effective + inheritable only, so it becomes
# active only for callers that hold it in their inheritable set.
if test -e /usr/sbin/ip; then
  /usr/sbin/setcap cap_net_admin=ei /usr/sbin/ip
fi

# Package		iptables
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		cap_dac_override, cap_sys_admin, cap_net_admin, cap_net_raw
# Capability Bit	only effective and inheritable
# cap_net_admin		to use ioctl socket
# cap_net_raw		to use RAW socket
# cap_sys_admin		to initialize iptables table => removed as it is not needed.

# iptables (xtables-multi): cap_net_admin and cap_net_raw. xtables-multi is a
# multi-call binary, so the file capabilities cover every command run through
# it. The header's "Required" line still lists cap_dac_override and
# cap_sys_admin; neither is granted here.
if test -e /usr/sbin/xtables-multi; then
  /usr/sbin/setcap \
    cap_net_admin,cap_net_raw=ei \
    /usr/sbin/xtables-multi
fi

# Package		tayga
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			April 11, 2016
# Required		cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
# Capability Bit	only effective and inheritable
# cap_net_bind_service	to call bind
# cap_net_broadcast	to make socket broadcasts, and listen to multicasts
# cap_net_admin		to use ioctl socket
# cap_net_raw		to use RAW socket

# tayga: the four network capabilities itemised in the header above.
if test -e /usr/sbin/tayga; then
  /usr/sbin/setcap \
    cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw=ei \
    /usr/sbin/tayga
fi

# Package		named
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			April 11, 2016
# Required		cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot
# cap_net_bind_service	to call bind
# cap_net_admin		to use ioctl socket
# cap_sys_chroot	to use root permission in specific location

# named: bind(), interface ioctls and chroot.
# NOTE(review): the header lists cap_fowner as required, but it is not granted
# here; confirm which of the two is intended.
if test -e /usr/sbin/named; then
  /usr/sbin/setcap \
    cap_net_bind_service,cap_net_admin,cap_sys_chroot=ei \
    /usr/sbin/named
fi

# Package               chmod
# Owner                 Changyeon Lee(cyeon.lee@samsung.com)
# Date                  Oct 11, 2016
# Required              cap_fowner
# Capability Bit        only effective and inheritable
# cap_fowner		to pass permission check

# chmod is a general-purpose utility; with "=ei" cap_fowner only becomes
# active for callers that already hold it in their inheritable set.
if test -e /usr/bin/chmod; then
  /usr/sbin/setcap cap_fowner=ei /usr/bin/chmod
fi

# Package               chgrp
# Owner                 Changyeon Lee(cyeon.lee@samsung.com)
# Date                  Oct 11, 2016
# Required              cap_chown
# Capability Bit        only effective and inheritable
# cap_fowner		to change files UIDs and GID

# chgrp: cap_chown, effective + inheritable only.
# NOTE(review): the description line in the header is labelled cap_fowner, but
# the capability listed as required and granted here is cap_chown.
if test -e /usr/bin/chgrp; then
  /usr/sbin/setcap cap_chown=ei /usr/bin/chgrp
fi

# Package               touch
# Owner                 SooYoung Ha(yoosah.ha@samsung.com)
# Date                  Oct 13, 2016
# Required              cap_dac_override
# Capability Bit        only effective and inheritable
# cap_dac_override      to access file

# touch is a general-purpose utility; with "=ei" cap_dac_override only becomes
# active for callers that already hold it in their inheritable set.
if test -e /bin/touch; then
  /usr/sbin/setcap cap_dac_override=ei /bin/touch
fi

# Package               amixer
# Owner                 SooYoung Ha(yoosah.ha@samsung.com)
# Date                  Oct 13, 2016
# Required              cap_dac_override
# Capability Bit        only effective and inheritable
# cap_dac_override	to access file => removed as calling process has audio gid.

#if [ -e "/usr/bin/amixer" ]
#then /usr/sbin/setcap cap_dac_override=ei /usr/bin/amixer
#fi

# Package               data-provider-master
# Owner                 Myung-ki Lee (mk5004.lee@samsung.com)
# Date                  Nov 21, 2016
# Required              cap_dac_override
# cap_dac_override	to override dac permission for accessing to app's po files.

# data-provider-master: cap_dac_override to read applications' po files.
if test -e /usr/bin/data-provider-master; then
  /usr/sbin/setcap cap_dac_override=ei /usr/bin/data-provider-master
fi

# Package               platform/core/appfw/pkgmgr-tool
# Owner                 Sangyoon Jang(s89.jang@samsung.com)
# Date                  Nov 28, 2016
# Required              cap_dac_read_search
# cap_dac_read_search   to access pkg directory

# pkg_getsize: cap_dac_read_search (read/search bypass only) to walk package
# directories.
if test -e /usr/bin/pkg_getsize; then
  /usr/sbin/setcap cap_dac_read_search=ei /usr/bin/pkg_getsize
fi

# Package		platform/core/messaging/email-service
# Owner			Intae Jeon(intae.jeon@samsung.com)
# Date			Dec 13, 2016
# Required		cap_chown
# cap_chown		To change permission of DB file.

# email-service: cap_chown for the DB file.
# NOTE(review): this entry uses "=eip" where most entries use "=ei". With the
# permitted bit set in the file, cap_chown is granted to any process that can
# execute email-service (limited by its bounding set), not only to callers
# that already hold it as inheritable. Confirm this is intended, or align it
# with the "=ei" entries.
if test -e /usr/bin/email-service; then
  /usr/sbin/setcap cap_chown=eip /usr/bin/email-service
fi

# Package               platform/core/appfw/pkgmgr-tool
# Owner                 JongMyeong Ko(jongmyeong.ko@samsung.com)
# Date                  Jan 23, 2017
# Required              cap_dac_override
# cap_dac_override      to remove application resources in pkg directory
# TODO: REMOVED IN TIZEN 4.0

# pkg_cleardata: cap_dac_override to remove application resources. The header
# carries a TODO stating this entry is removed in Tizen 4.0.
if test -e /usr/bin/pkg_cleardata; then
  /usr/sbin/setcap cap_dac_override=ei /usr/bin/pkg_cleardata
fi

# Package               platform/core/appfw/launchpad
# Owner                 Junghoon Park(jh9216.park@samsung.com)
# Date                  July 4, 2017
# Required              cap_mac_admin, cap_dac_override, cap_setgid
# cap_mac_admin		to use security_manager_prepare_app()
# cap_dac_override      fd redirection in debug mode of app running
# cap_setgid		to use security_manager_prepare_app()
# cap_sys_admin		to split mount namespace
# cap_sys_nice		to change scheduling priority

# launchpad-process-pool: five capabilities. The header's "Required" line
# names only three of them; cap_sys_admin and cap_sys_nice are justified in
# the description lines below it.
if test -e /usr/bin/launchpad-process-pool; then
  /usr/sbin/setcap \
    cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid=ei \
    /usr/bin/launchpad-process-pool
fi

# TODO : condition check about launchpad-starter is temporary
# launchpad-loader gets its capabilities only on images that do not ship
# launchpad-starter.
if test -e /usr/bin/launchpad-loader && test ! -e /usr/bin/launchpad-starter; then
  /usr/sbin/setcap \
    cap_sys_admin,cap_sys_nice,cap_setgid=ei \
    /usr/bin/launchpad-loader
fi

# Package               platform/core/dotnet/launcher
# Owner                 Pius Lee(pius.lee@samsung.com)
# Date                  July 4, 2017
# Required              cap_mac_admin, cap_setgid
# cap_setgid		to change app process gid
# cap_sys_admin		to split mount namespace

# dotnet-launcher: cap_setgid and cap_sys_admin.
# NOTE(review): the header's "Required" line names cap_mac_admin, which is not
# granted here, and omits cap_sys_admin, which is.
if test -e /usr/bin/dotnet-launcher; then
  /usr/sbin/setcap \
    cap_setgid,cap_sys_admin=ei \
    /usr/bin/dotnet-launcher
fi

# Package               platform/core/telephony/telephony-daemon
# Owner                 Shinhui Kang(sinikang@samsung.com)
# Date                  July 4, 2017
# Required              cap_net_admin, cap_net_raw
# cap_net_admin		for network interface up/down
# cap_net_raw		to use raw socket
# cap_dac_override	to access bridge device

# some profiles create the symlink to telephony-daemon
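if [ -e "/usr/bin/telephony-daemon" ]; then
  # The path may be a symlink on some profiles, so the capabilities are set on
  # the resolved target. The substitution is quoted so the resolved path is
  # always passed as exactly one argument: no word splitting or globbing, and
  # an empty result makes setcap fail instead of silently shifting arguments.
  /usr/sbin/setcap cap_net_admin,cap_net_raw,cap_dac_override=ei \
    "$(/usr/bin/readlink -f /usr/bin/telephony-daemon)"
fi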

# Package               platform/core/system/session-utils
# Owner                 Kunhoon Baik(knhoon.baik@samsung.com)
# Date                  July 4, 2017
# Required              cap_sys_admin, cap_mac_admin, cap_dac_override, cap_setgid
# cap_sys_admin		to use mount
# cap_mac_admin		to change smack label (System::Privileged -> User)
# cap_dac_override	to mount user_ext
# cap_setgid		currently checking (reviewing to remove this)

# session-utils (systemd-user-helper): mount, Smack label change and user_ext
# access. The header marks cap_setgid as under review for removal.
if test -e /usr/bin/systemd-user-helper; then
  /usr/sbin/setcap \
    cap_sys_admin,cap_mac_admin,cap_dac_override,cap_setgid=ei \
    /usr/bin/systemd-user-helper
fi

# Package               platform/core/multimedia/libmm-sound
# Owner                 Seungbae Shin(seungbae.shin@samsung.com)
# Date                  July 4, 2017
# Required              cap_chown, cap_fowner, cap_lease
# TODO : check the reason

# libmm-sound: focus_server and sound_server.
# NOTE(review): the header gives no justification ("TODO : check the reason")
# and lists cap_chown, which neither binary receives here.
if test -e /usr/bin/focus_server; then
  /usr/sbin/setcap cap_fowner,cap_lease=ei /usr/bin/focus_server
fi

if test -e /usr/bin/sound_server; then
  /usr/sbin/setcap cap_lease=ei /usr/bin/sound_server
fi

# Package               platform/core/security/nether
# Owner                 Kim Kidong(kd0228.kim@samsung.com)
# Date                  July 4, 2017
# Required              cap_net_admin, cap_net_raw
# cap_net_admin		for netfilter work

# nether: cap_net_admin for netfilter work. The header's "Required" line also
# names cap_net_raw, which is not granted here.
if test -e /usr/bin/nether; then
  /usr/sbin/setcap cap_net_admin=ei /usr/bin/nether
fi

# Package               platform/core/appfw/amd
# Owner                 Junghoon Park(jh9216.park@samsung.com)
# Date                  July 4, 2017
# Required              cap_kill, cap_dac_override
# cap_kill		to kill app process
# cap_dac_override	to access wayland and app socket, to check private sharing path
# cap_sys_admin		to use mount namespace

# amd: the capability set depends on whether the launchpad module is shipped
# (needed for the headless profile). With the module present amd additionally
# receives cap_setuid, cap_setgid and cap_mac_admin.
if test -e /usr/bin/amd; then
  if test -e /usr/share/amd/mod/libamd-mod-launchpad.so; then
    amd_caps=cap_setuid,cap_setgid,cap_mac_admin,cap_kill,cap_dac_override,cap_sys_admin=ei
  else
    amd_caps=cap_kill,cap_dac_override,cap_sys_admin=ei
  fi
  /usr/sbin/setcap "$amd_caps" /usr/bin/amd
fi

# Package               platform/framework/web/crosswalk-tizen
# Owner                 Jaekuk Lee(juku1999@samsung.com)
# Date                  July 4, 2017
# Required              cap_sys_admin, cap_setgid
# cap_sys_admin		to mount ( TODO : need to be checked) => removed as it is not needed.
# cap_setgid		to change process gid
# cap_sys_admin		to split mount namespace

# crosswalk-tizen (wrt-loader): cap_setgid to change the process gid and
# cap_sys_admin to split the mount namespace.
if test -e /usr/bin/wrt-loader; then
  /usr/sbin/setcap \
    cap_setgid,cap_sys_admin=ei \
    /usr/bin/wrt-loader
fi

# Package               platform/core/connectivity/wifi-direct-manager
# Owner                 Jaehyun Kim(jeik01.kim@samsung.com)
# Date                  July 18, 2017
# Required              cap_net_bind_service, cap_net_admin, cap_net_broadcast, cap_net_raw
# cap_net_bind_service	using DHCP port
# cap_net_admin		interface IP address configuration
# cap_net_broadcast	DHCP packet broadcasting
# cap_net_raw		open raw socket for DHCP

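if [ -e "/usr/bin/wfd-manager" ]; then
  # The capabilities are set on whatever /usr/bin/wfd-manager resolves to. The
  # substitution is quoted so the resolved path is always passed as exactly
  # one argument: no word splitting or globbing, and an empty result makes
  # setcap fail instead of silently shifting arguments.
  /usr/sbin/setcap cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw=ei \
    "$(/usr/bin/readlink -f /usr/bin/wfd-manager)"
fi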

# The tools below are used by the wfd manager service.
# toybox is a multi-call binary, so these file capabilities cover every applet
# run through it. With "=ei" they only become active for callers that already
# hold them in their inheritable set.
if test -e /usr/bin/toybox; then
  /usr/sbin/setcap \
    cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw=ei \
    /usr/bin/toybox
fi

# pkill is a general-purpose utility; with "=ei" cap_kill only becomes active
# for callers that already hold it in their inheritable set.
if test -e /usr/bin/pkill; then
  /usr/sbin/setcap cap_kill=ei /usr/bin/pkill
fi

# ifconfig is a general-purpose utility; with "=ei" cap_net_admin only becomes
# active for callers that already hold it in their inheritable set.
if test -e /usr/sbin/ifconfig; then
  /usr/sbin/setcap cap_net_admin=ei /usr/sbin/ifconfig
fi

# Package               platform/core/connectivity/wifi-mesh-manager
# Owner                 Saerome Kim(saerome.kim@samsung.com)
# Date                  Aug 11, 2017
# Required              cap_net_raw, cap_net_admin
# cap_dac_override	to access bridge device

# wifi-mesh-manager (wmeshd): raw sockets and interface control, plus
# cap_dac_override for bridge device access.
if test -e /usr/bin/wmeshd; then
  /usr/sbin/setcap \
    cap_net_raw,cap_net_admin,cap_dac_override=ei \
    /usr/bin/wmeshd
fi

# Package               platform/core/security/ode
# Owner                 Jaemin Ryu(jm77.ryu@samsung.com)
# Date                  Aug 23, 2017
# Required              cap_dac_override, cap_sys_admin, cap_sys_boot, cap_sys_ptrace, cap_kill
# cap_dac_override	to access /dev/mmcblk* and /dev/mapper/control
#			=> To remove this cap, (1. include security_fw to disk gid) and (2. change the permission of /dev/mapper/control)
# cap_sys_admin		to use ioctl system call
# cap_sys_boot		after encryption, reboot is required
# cap_sys_ptrace	to know process for storage encryption
# cap_kill		to kill the process

# Currently, oded is running as a root.
#if [ -e "/usr/bin/oded" ]
#then /usr/sbin/setcap cap_dac_override,cap_sys_admin,cap_sys_boot,cap_sys_ptrace,cap_kill=ei /usr/bin/oded
#fi

# Package               platform/upstream/bluez
# Owner                 Saerome Kim(saerome.kim@samsung.com)
# Date                  Nov 24, 2017
# Required              cap_dac_override
# cap_dac_override	to access bridge device

# bluez (bluetoothd): cap_dac_override for bridge device access.
if test -e /usr/libexec/bluetooth/bluetoothd; then
  /usr/sbin/setcap cap_dac_override=ei /usr/libexec/bluetooth/bluetoothd
fi

# Package               platform/core/system/dlog
# Owner                 Hyotaek Shim(hyotaek.shim@samsung.com)
# Date                  Dec 22, 2017
# Required              cap_syslog
# cap_syslog		to use syslog()

# dlog (dlog_logger): cap_syslog for syslog().
if test -e /usr/bin/dlog_logger; then
  /usr/sbin/setcap cap_syslog=ei /usr/bin/dlog_logger
fi

# These steps are not related to capabilities, but are placed here so that they run in generic-security.post.
# It would be better to run them separately in generic-security.post in the future.
# Run the change_permission helper unconditionally. There is no existence
# check and its exit status is not inspected, so a missing or failing helper
# does not stop the script.
/usr/share/security-config/change_permission

# Refresh the privacy mount list only when the update script and the
# privilege-mount policy file both exist and the askuser_disable marker is
# absent.
if test -e /usr/share/security-config/update_privacy_mount_list.sh &&
  test -e /usr/share/security-manager/policy/privilege-mount.list &&
  test ! -e /opt/share/askuser_disable; then
  /usr/share/security-config/update_privacy_mount_list.sh
fi
