#!/bin/bash

# Fixed search path for this script: only the system binary directories,
# replacing whatever PATH the caller's environment supplied.
PATH="/bin:/usr/bin:/sbin:/usr/sbin"

## Set file capabilities on binaries during the binary image creation stage (via mic)

# Package        bluetooth-frwk
# Owner          Wootak Jung(wootak.jung@samsung.com)
# Date           May 8, 2024
# Required       /usr/bin/bt-core : cap_sys_module, cap_kill, cap_net_admin, cap_net_raw : ei
# cap_sys_module To control bt interface
# cap_kill       To kill processes
# cap_net_admin  To use network-related operations
# cap_net_raw    To use HCI socket

if test -e /usr/bin/bt-core; then
	/usr/sbin/setcap cap_sys_module,cap_kill,cap_net_admin,cap_net_raw=ei /usr/bin/bt-core
fi

# Package        bluez
# Owner          Wootak Jung(wootak.jung@samsung.com)
# Date           May 8, 2024
# Required       /usr/bin/hcitool : cap_net_raw : ei
# cap_net_raw    To use HCI socket

if test -e /usr/bin/hcitool; then
	/usr/sbin/setcap cap_net_raw=ei /usr/bin/hcitool
fi

# Owner			Changseok Oh(seok.oh@samsung.com)
# Date			June 23, 2016
# Required		/usr/sbin/sdbd : cap_setuid, cap_setgid, cap_dac_override, cap_sys_admin, cap_kill : ei
# cap_setuid		set child process's uid to root
# cap_dac_override	bypass permission check at pull/push
# cap_sys_admin		remount at rpm installation
# cap_kill		To send a signal to terminate a process

# NOTE(review): cap_setuid, cap_sys_admin and cap_dac_override together are a
# very broad set; presumably sdbd is the developer bridge daemon -- confirm
# whether release images are meant to include it.
if test -e /usr/sbin/sdbd; then
	/usr/sbin/setcap cap_setuid,cap_setgid,cap_dac_override,cap_sys_admin,cap_kill=ei /usr/sbin/sdbd
fi

# Owner			Manish Toshan Rathod(manish.r@samsung.com)
# Date			Sep 09, 2020
# Required		/usr/sbin/sdbd-service : cap_setuid, cap_setgid, cap_dac_override, cap_sys_admin, cap_kill : ei
#				To resolve sdbd stacking issue in emulator/target. The sdbd daemon will execute this new executable.
# cap_setuid		set child process's uid to root
# cap_dac_override	bypass permission check at pull/push
# cap_sys_admin		remount at rpm installation
# cap_kill		To send a signal to terminate a process

if test -e /usr/sbin/sdbd-service; then
	/usr/sbin/setcap cap_setuid,cap_setgid,cap_dac_override,cap_sys_admin,cap_kill=ei /usr/sbin/sdbd-service
fi

# Package		download-provider
# Owner 		Jaekuk Lee(juku1999@samsung.com)
# Date			May 24, 2016
# Required		/usr/bin/download-provider : cap_chown, cap_dac_override : ei
# cap_chown		needs to change owner of downloaded file from download-provider to application
# cap_dac_override	needs to access directory which user id is different (override DAC permission)

if test -e /usr/bin/download-provider; then
	/usr/sbin/setcap cap_chown,cap_dac_override=ei /usr/bin/download-provider
fi

# Package		media-server
# Owner 		Minje Ahn(minje.ahn@samsung.com)
# Date			May 27, 2016
# Required		/usr/bin/media-server : cap_dac_read_search : ei
# cap_dac_read_search	media-server needs to access client's directory	defined as each client's uid and gid
#			in case of providing its capi; thumbnail_util_extract() (providing thumbnail requested by client)
#			client would be another service daemon and application

if test -e /usr/bin/media-server; then
	/usr/sbin/setcap cap_dac_read_search=ei /usr/bin/media-server
fi

# Package		csr-server
# Owner 		Kyungwook Tak(k.tak@samsung.com)
# Date			June 17, 2016
# Required		/usr/bin/csr-server : cap_dac_override, cap_fowner : ei
# cap_dac_override	csr-server needs to access application's directory for scanning and removing file
# cap_fowner		csr-server needs to remove files set with sticky bit in /tmp (rwxrwxrwt)

if test -e /usr/bin/csr-server; then
	/usr/sbin/setcap cap_dac_override,cap_fowner=ei /usr/bin/csr-server
fi

# Package        	msg-server
# Owner        		Kyeonghun Lee(kh9090.lee@samsung.com)
# Date            	June 28, 2016
# Required        	/usr/bin/msg-server : cap_chown, cap_lease, cap_net_admin, cap_net_raw : ei
# cap_net_admin    	Interface binding in case of using curl api (mms sending/receiving)
# cap_net_raw        	Bind to any address for proxying in using RAW and PACKET sockets (mms sending/receiving)
# cap_chown		To change the uid or gid of a file (chown)
# cap_lease		Establish leases on arbitrary files

if test -e /usr/bin/msg-server; then
	/usr/sbin/setcap cap_chown,cap_lease,cap_net_admin,cap_net_raw=ei /usr/bin/msg-server
fi

# Package        	pkgmgr-server
# Owner        		Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date            	June 30, 2016
# Required        	/usr/bin/pkgmgr-server : cap_chown, cap_dac_override, cap_fsetid, cap_kill, cap_setgid, cap_setuid, cap_mac_override : ei
# cap_chown		fchown : change owner
# cap_dac_override	Access user and global database file of package manager
# cap_fsetid		fchmod : change mode
# cap_kill		killpg function
# cap_setgid		setgid and setgroups function
# cap_setuid		setuid function
# cap_mac_override	To abort app directories creation / deletion

if test -e /usr/bin/pkgmgr-server; then
	/usr/sbin/setcap cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_mac_override=ei /usr/bin/pkgmgr-server
fi

# Package		app-installers
# Owner			Sangyoun Jang(s89.jang@samsung.com)
# Date			Jul 04, 2016
# Required		/usr/bin/pkgdir-tool : cap_dac_override, cap_chown, cap_fowner : ei
# cap_dac_override	access to /home/$USER/apps_rw
# cap_chown		use chown API
# cap_fowner		use chmod API

if test -e /usr/bin/pkgdir-tool; then
	/usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=ei /usr/bin/pkgdir-tool
fi

# Package		mused
# Owner			Younghoon Kim(yh8004.kim@samsung.com)
# Date			Jul 07, 2016
# Required		/usr/bin/muse-server : cap_dac_override : ei
# cap_dac_override	access to directories of applications

if test -e /usr/bin/muse-server; then
	/usr/sbin/setcap cap_dac_override=ei /usr/bin/muse-server
fi

# Package		tpk-backend
# Owner			Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date			Aug 10, 2016
# Required		/usr/bin/tpk-backend : cap_dac_override, cap_chown, cap_fowner, cap_mac_override : ei
# cap_dac_override	access to /home/$USER/apps_rw
# cap_chown		use chown API
# cap_fowner		use chmod API
# cap_mac_override	To abort app directories creation / deletion

if test -e /usr/bin/tpk-backend; then
	/usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner,cap_mac_override=ei /usr/bin/tpk-backend
fi

# Package		wgt-backend
# Owner			Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date			Aug 10, 2016
# Required		/usr/bin/wgt-backend : cap_dac_override, cap_chown, cap_fowner, cap_mac_override : ei
# cap_dac_override	access to /home/$USER/apps_rw
# cap_chown		use chown API
# cap_fowner		use chmod API
# cap_mac_override	To abort app directories creation / deletion

if test -e /usr/bin/wgt-backend; then
	/usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner,cap_mac_override=ei /usr/bin/wgt-backend
fi

# Package		xdelta3
# Owner			Jongmyeong Ko(jongmyeong.ko@samsung.com)
# Date			Aug 10, 2016
# Required		/usr/bin/xdelta3 : cap_dac_override : ei
# cap_dac_override	access to /home/$USER/apps_rw

if test -e /usr/bin/xdelta3; then
	/usr/sbin/setcap cap_dac_override=ei /usr/bin/xdelta3
fi

# Package		connmand
# Owner			Hyunuk Tak(hyunuk.tak@samsung.com)
# Date			Oct 7, 2016
# Required		/usr/bin/connmand : cap_dac_override,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw : ei
# Required		/usr/bin/connman-vpnd : cap_dac_override,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw : ei
# cap_net_admin		to add interface flags and make the interface UP/DOWN using ioctl
# cap_net_bind_service	to execute bind() function
# cap_net_broadcast	to make socket broadcasts, and listen to multicasts
# cap_net_raw		to use RAW socket
# cap_dac_override	to access bridge device

if test -e /usr/bin/connmand; then
	/usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_override=ei /usr/bin/connmand
fi

if test -e /usr/bin/connman-vpnd; then
	/usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_override=ei /usr/bin/connman-vpnd
fi

# Package		platform/upstream/strongswan
# Owner			Jiuing Yu(jiung.yu@samsung.com)
# Date			Oct 26, 2017
# Required		/usr/bin/charon : cap_setgid,cap_net_admin,cap_net_bind_service,cap_net_raw,cap_net_broadcast : ei
# cap_setgid		to use initgroup
# cap_net_admin		to set SA configuration using linux kernel and netlink socket
# cap_net_bind_service	to use UDP 500 port for IKEv2 protocol
# cap_net_broadcast	to use IKEv2 protocol
# cap_net_raw		to use IKEv2 protocol

if test -e /usr/bin/charon; then
	/usr/sbin/setcap cap_setgid,cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=ei /usr/bin/charon
fi


# Package		net-config
# Owner			Hyunuk Tak(hyunuk.tak@samsung.com)
# Date			Oct 7, 2016
# Required		/usr/bin/net-config : cap_dac_override, cap_net_admin, cap_net_raw, cap_sys_module : ei
# cap_dac_override	to access bridge device
# cap_net_admin		scan wifi AP and interface control using ioctl
# cap_sys_module	To use insmod

if test -e /usr/bin/net-config; then
	/usr/sbin/setcap cap_dac_override,cap_net_admin,cap_net_raw,cap_sys_module=ei /usr/bin/net-config
fi

# Package		wpa_supplicant
# Owner			Hyunuk Tak(hyunuk.tak@samsung.com)
# Date			Oct 7, 2016
# Required		/usr/bin/wpa_supplicant : cap_net_admin, cap_net_raw, cap_dac_override : ei
# cap_net_admin		to add interface flags and configure the interface using ioctl and driver commands
# cap_net_raw		to use RAW socket
# cap_dac_override	to access bridge device

if test -e /usr/bin/wpa_supplicant; then
	/usr/sbin/setcap cap_net_admin,cap_net_raw,cap_dac_override=ei /usr/bin/wpa_supplicant
fi

# Package		mobileap-agent
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		/usr/bin/mobileap-agent : cap_net_admin, cap_net_bind_service : ei
# Required		/usr/sbin/route : cap_net_admin : ei
# cap_net_admin		to use ioctl socket
# cap_net_bind_service	to call bind

if test -e /usr/bin/mobileap-agent; then
	/usr/sbin/setcap cap_net_admin,cap_net_bind_service=ei /usr/bin/mobileap-agent
fi

# route is used by mobileap-agent
if test -e /usr/sbin/route; then
	/usr/sbin/setcap cap_net_admin=ei /usr/sbin/route
fi

# Package		wpa_supplicant
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		/usr/bin/hostapd : cap_dac_override, cap_net_admin, cap_net_bind_service, cap_net_raw : ei
# cap_net_admin		to use ioctl socket
# cap_net_bind_service 	to call bind
# cap_net_raw		to use RAW socket
# cap_dac_override	to access bridge device

if test -e /usr/bin/hostapd; then
	/usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_raw,cap_dac_override=ei /usr/bin/hostapd
fi

# Package		dnsmasq
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		/usr/bin/dnsmasq : cap_net_admin, cap_net_bind_service, cap_net_broadcast, cap_net_raw : ei
# cap_net_admin		to use ioctl socket
# cap_net_bind_service	to call bind
# cap_net_broadcast	to make socket broadcasts, and listen to multicasts
# cap_net_raw		to make socket permission(ICMPv6)

if test -e /usr/bin/dnsmasq; then
	/usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_broadcast,cap_net_raw=ei /usr/bin/dnsmasq
fi

# Package		iproute2
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		/usr/sbin/ip : cap_net_admin : ei
# cap_net_admin		to use ioctl socket

if test -e /usr/sbin/ip; then
	/usr/sbin/setcap cap_net_admin=ei /usr/sbin/ip
fi

# Package		iptables
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			Oct 7, 2016
# Required		/usr/sbin/xtables-multi : cap_net_admin, cap_net_raw : ei
# cap_net_admin		to use ioctl socket
# cap_net_raw		to use RAW socket

if test -e /usr/sbin/xtables-multi; then
	/usr/sbin/setcap cap_net_admin,cap_net_raw=ei /usr/sbin/xtables-multi
fi

# Package		tayga
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			April 11, 2016
# Required		/usr/sbin/tayga : cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw : ei
# cap_net_bind_service	to call bind
# cap_net_broadcast	to make socket broadcasts, and listen to multicasts
# cap_net_admin		to use ioctl socket
# cap_net_raw		to use RAW socket

if test -e /usr/sbin/tayga; then
	/usr/sbin/setcap cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw=ei /usr/sbin/tayga
fi

# Package		named
# Owner			Seonah Moon(seonah1.moon@samsung.com)
# Date			April 11, 2016
# Required		/usr/sbin/named : cap_net_bind_service,cap_net_admin,cap_sys_chroot : ei
# cap_net_bind_service	to call bind
# cap_net_admin		to use ioctl socket
# cap_sys_chroot	to use root permission in a specific location

if test -e /usr/sbin/named; then
	/usr/sbin/setcap cap_net_bind_service,cap_net_admin,cap_sys_chroot=ei /usr/sbin/named
fi

# Package		tcpdump
# Owner			taesub.kim (taesub.kim@samsung.com)
# Date			Dec 5, 2017
# Required		/usr/sbin/tcpdump : cap_net_raw : ei
# cap_net_raw		Bind to any address for proxying in using RAW and PACKET sockets(capture tcpdump)

if test -e /usr/sbin/tcpdump; then
	/usr/sbin/setcap cap_net_raw=ei /usr/sbin/tcpdump
fi

# Package               inm-manager
# Owner                 Taesub Kim(taesub.kim@samsung.com)
# Date                  Jul 18, 2018
# Required              /usr/bin/inm-manager : cap_net_raw, cap_net_admin : ei
# cap_net_admin         scan wifi AP and interface control using ioctl
# cap_net_raw           to use RAW socket

if test -e /usr/bin/inm-manager; then
	/usr/sbin/setcap cap_net_admin,cap_net_raw=ei /usr/bin/inm-manager
fi

# Package               chmod
# Owner                 Changyeon Lee(cyeon.lee@samsung.com)
# Date                  Oct 11, 2016
# Required              /usr/bin/chmod : cap_fowner : ei
# cap_fowner		to pass permission check

if test -e /usr/bin/chmod; then
	/usr/sbin/setcap cap_fowner=ei /usr/bin/chmod
fi

# Package               chgrp
# Owner                 Changyeon Lee(cyeon.lee@samsung.com)
# Date                  Oct 11, 2016
# Required              /usr/bin/chgrp : cap_chown : ei
# cap_chown		to change files UIDs and GID

if test -e /usr/bin/chgrp; then
	/usr/sbin/setcap cap_chown=ei /usr/bin/chgrp
fi

# Package               touch
# Owner                 SooYoung Ha(yoosah.ha@samsung.com)
# Date                  Oct 13, 2016
# Required              /usr/bin/touch : cap_dac_override : ei
# cap_dac_override      to access file

# NOTE(review): touch is a general-purpose tool. With "=ei" (no permitted flag)
# cap_dac_override is gained only when the executing process already holds it
# in its inheritable set, so the real exposure is decided by which services
# run with that inheritable capability.
if test -e /usr/bin/touch; then
	/usr/sbin/setcap cap_dac_override=ei /usr/bin/touch
fi

# Package               platform/core/appfw/pkgmgr-tool
# Owner                 Sangyoon Jang(s89.jang@samsung.com)
# Date                  Nov 28, 2016
# Required              /usr/bin/pkg_getsize : cap_dac_read_search : ei
# cap_dac_read_search   to access pkg directory

if test -e /usr/bin/pkg_getsize; then
	/usr/sbin/setcap cap_dac_read_search=ei /usr/bin/pkg_getsize
fi

# Package		platform/core/messaging/email-service
# Owner			Intae Jeon(intae.jeon@samsung.com)
# Date			Dec 13, 2016
# Required		/usr/bin/email-service : cap_chown : eip
# cap_chown		To change permission of DB file.

# NOTE(review): this entry uses "=eip", unlike the "=ei" entries around it.
# With the permitted (p) flag in the file set, cap_chown is acquired on exec
# without the caller needing it in its inheritable set (subject to the
# bounding set) -- confirm this wider grant is intended.
if test -e /usr/bin/email-service; then
	/usr/sbin/setcap cap_chown=eip /usr/bin/email-service
fi

# Package               platform/core/appfw/pkgmgr-tool
# Owner                 JongMyeong Ko(jongmyeong.ko@samsung.com)
# Date                  Jan 23, 2017
# Required              /usr/bin/pkg_cleardata : cap_dac_override, cap_mac_override : ei
# cap_dac_override      to remove application resources in pkg directory
# cap_mac_override	     To abort app directories creation / deletion

if test -e /usr/bin/pkg_cleardata; then
	/usr/sbin/setcap cap_dac_override,cap_mac_override=ei /usr/bin/pkg_cleardata
fi

# Package               platform/core/appfw/launchpad
# Owner                 Junghoon Park(jh9216.park@samsung.com)
# Date                  July 4, 2017
# Required              /usr/bin/launchpad-process-pool : cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_admin, cap_sys_nice, cap_sys_chroot : ei
# Required              /usr/bin/launchpad-loader : cap_mac_admin,cap_sys_admin,cap_sys_nice,cap_setgid : ei
# cap_mac_admin		to use security_manager_prepare_app()
# cap_dac_override      fd redirection in debug mode of app running
# cap_setgid		to use security_manager_prepare_app()
# cap_sys_admin		to split mount namespace
# cap_sys_nice		to change scheduling priority
# cap_sys_chroot	to use setns()

if test -e /usr/bin/launchpad-process-pool; then
	/usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid,cap_sys_chroot=ei /usr/bin/launchpad-process-pool
fi

# TODO : condition check about launchpad-starter is temporary
# Skipped when /usr/bin/launchpad-starter is present in the image.
if test -e /usr/bin/launchpad-loader && test ! -e /usr/bin/launchpad-starter; then
	/usr/sbin/setcap cap_mac_admin,cap_sys_admin,cap_sys_nice,cap_setgid=ei /usr/bin/launchpad-loader
fi

# Package               platform/core/appfw/launchpad
# Owner                 Junghoon Park(jh9216.park@samsung.com)
# Date                  Feb 25, 2020
# Required              /usr/bin/app-defined-loader : cap_mac_admin, cap_setgid, cap_sys_admin, cap_sys_nice : ei
# cap_mac_admin		to use security_manager_prepare_app()
# cap_setgid	        to use security_manager_prepare_app()
# cap_sys_admin	        to split mount namespace
# cap_sys_nice	        to change scheduling priority

# TODO : condition check about launchpad-starter is temporary
# Skipped when /usr/bin/launchpad-starter is present in the image.
if test -e /usr/bin/app-defined-loader && test ! -e /usr/bin/launchpad-starter; then
	/usr/sbin/setcap cap_mac_admin,cap_sys_admin,cap_sys_nice,cap_setgid=ei /usr/bin/app-defined-loader
fi

# Package               platform/core/dotnet/launcher
# Owner                 Woongsuk Cho(ws77.cho@samsung.com)
# Date                  July 4, 2017
# Required              /usr/bin/dotnet-launcher : cap_sys_admin, cap_setgid : ei
# cap_setgid            to change app process gid
# cap_sys_admin         to split mount namespace

if test -e /usr/bin/dotnet-launcher; then
	/usr/sbin/setcap cap_setgid,cap_sys_admin=ei /usr/bin/dotnet-launcher
fi

# Package               platform/core/dotnet/launcher
# Owner                 Woongsuk Cho(ws77.cho@samsung.com)
# Date                  April 10, 2020
# Required              /usr/bin/dotnet-hydra-loader : cap_mac_admin, cap_sys_admin, cap_setgid : ei
# cap_setgid            to change app process gid
# cap_sys_admin         to split mount namespace
# cap_mac_admin		To change a process label

if test -e /usr/bin/dotnet-hydra-loader; then
	/usr/sbin/setcap cap_mac_admin,cap_setgid,cap_sys_admin=ei /usr/bin/dotnet-hydra-loader
fi

# Package               platform/core/dotnet/launcher
# Owner                 Woongsuk Cho(ws77.cho@samsung.com)
# Date                  April 10, 2020
# Required              /usr/bin/dotnet-loader : cap_mac_admin, cap_sys_admin, cap_setgid : ei
# cap_setgid            to change app process gid
# cap_sys_admin         to split mount namespace
# cap_mac_admin		To change a process label

if test -e /usr/bin/dotnet-loader; then
	/usr/sbin/setcap cap_mac_admin,cap_setgid,cap_sys_admin=ei /usr/bin/dotnet-loader
fi

# Package               platform/core/dotnet/launcher
# Owner                 Woongsuk Cho(ws77.cho@samsung.com)
# Date                  April 10, 2020
# Required              /usr/bin/dotnet : cap_sys_admin, cap_setgid : ei
# cap_setgid            to change app process gid
# cap_sys_admin         to split mount namespace

# NOTE(review): the comment header directly above this statement documents
# /usr/bin/dotnet (cap_sys_admin, cap_setgid), but the statement grants
# cap_dac_override to corerun. The corerun rationale is in the header that
# follows this statement; the two headers look swapped -- confirm and realign.
if test -e /usr/share/dotnet.tizen/netcoreapp/corerun; then
	/usr/sbin/setcap cap_dac_override=ei /usr/share/dotnet.tizen/netcoreapp/corerun
fi

# Package               platform/upstream/dotnet/runtime
# Owner                 Woongsuk Cho(ws77.cho@samsung.com)
# Date                  July 2, 2025
# Required              /usr/share/dotnet.tizen/netcoreapp/corerun : cap_dac_override : ei
# cap_dac_override      To write in /opt/usr/dotnet/ and /usr/share/dotnet.tizen/tac/ directory

# NOTE(review): the comment header directly above this statement documents
# corerun (cap_dac_override), but the statement grants cap_setgid and
# cap_sys_admin to /usr/bin/dotnet. The matching rationale is in the header
# before the preceding statement; the two headers look swapped -- confirm.
if test -e /usr/bin/dotnet; then
	/usr/sbin/setcap cap_setgid,cap_sys_admin=ei /usr/bin/dotnet
fi

# Package               platform/core/telephony/telephony-daemon
# Owner                 Shinhui Kang(sinikang@samsung.com)
# Date                  July 4, 2017
# Required              /usr/bin/telephony-daemon : cap_net_admin, cap_net_raw, cap_dac_override : ei
# cap_net_admin		for network interface up/down
# cap_net_raw		to use raw socket
# cap_dac_override	to access bridge device

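# Some profiles install /usr/bin/telephony-daemon as a symlink, so the link is
# resolved with readlink -f and setcap is given the resolved path. The
# substitution is quoted so that path always reaches setcap as exactly one
# argument: unquoted, a path containing whitespace or glob characters would be
# split or expanded, and an empty result would drop the file argument entirely.
if [ -e "/usr/bin/telephony-daemon" ]; then
	/usr/sbin/setcap cap_net_admin,cap_net_raw,cap_dac_override=ei "$(/usr/bin/readlink -f /usr/bin/telephony-daemon)"
fi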

# Package               platform/core/multimedia/libmm-sound
# Owner                 Seungbae Shin(seungbae.shin@samsung.com)
# Date                  July 4, 2017
# Required              /usr/bin/focus_server : cap_fowner, cap_lease : ei
# Required              /usr/bin/sound_server : cap_lease : ei
# TODO : check the reason

if test -e /usr/bin/focus_server; then
	/usr/sbin/setcap cap_fowner,cap_lease=ei /usr/bin/focus_server
fi

if test -e /usr/bin/sound_server; then
	/usr/sbin/setcap cap_lease=ei /usr/bin/sound_server
fi

# Package               platform/core/security/nether
# Owner                 Kim Kidong(kd0228.kim@samsung.com)
# Date                  July 4, 2017
# Required              /usr/bin/nether : cap_net_admin : ei
# cap_net_admin		for netfilter work

if test -e /usr/bin/nether; then
	/usr/sbin/setcap cap_net_admin=ei /usr/bin/nether
fi

# Package               platform/core/appfw/amd
# Owner                 Junghoon Park(jh9216.park@samsung.com)
# Date                  July 4, 2017
# Required              /usr/bin/amd : cap_kill, cap_dac_override, cap_sys_admin, cap_fowner, cap_sys_ptrace : ei
# Required              /usr/bin/amd : cap_setuid, cap_mac_admin, cap_kill, cap_dac_override, cap_sys_admin, cap_fowner, cap_sys_ptrace : ei
# cap_kill		to kill app process
# cap_dac_override	to access wayland and app socket, to check private sharing path
# cap_sys_admin		to use mount namespace

# amd gets one of two capability sets, chosen by whether the launchpad module
# (/usr/share/amd/mod/libamd-mod-launchpad.so) is present.
# NOTE(review): the wider set also grants cap_setgid, which neither "Required"
# line in the header above lists, and cap_fowner, cap_sys_ptrace, cap_setuid
# and cap_mac_admin have no rationale line there -- document or trim them.
if test -e /usr/bin/amd; then
	# This is needed for headless profile.
	if test -e /usr/share/amd/mod/libamd-mod-launchpad.so; then
		/usr/sbin/setcap cap_setuid,cap_setgid,cap_mac_admin,cap_kill,cap_dac_override,cap_sys_admin,cap_fowner,cap_sys_ptrace=ei /usr/bin/amd
	else
		/usr/sbin/setcap cap_kill,cap_dac_override,cap_sys_admin,cap_fowner,cap_sys_ptrace=ei /usr/bin/amd
	fi
fi

# Package               platform/framework/web/crosswalk-tizen
# Owner                 Jaekuk Lee(juku1999@samsung.com)
# Date                  July 4, 2017
# Required              /usr/bin/wrt-loader : cap_mac_admin, cap_sys_admin, cap_setgid : ei
# cap_setgid		to change process gid
# cap_sys_admin		to split mount namespace
# cap_mac_admin		To change a process label

if test -e /usr/bin/wrt-loader; then
	/usr/sbin/setcap cap_mac_admin,cap_setgid,cap_sys_admin=ei /usr/bin/wrt-loader
fi

# Package               platform/core/connectivity/wifi-direct-manager
# Owner                 Jaehyun Kim(jeik01.kim@samsung.com)
# Date                  July 18, 2017
# Required              /usr/bin/wfd-manager : cap_net_bind_service, cap_net_admin, cap_net_broadcast, cap_net_raw, cap_sys_module : ei
# cap_net_bind_service	using DHCP port
# cap_net_admin		interface IP address configuration
# cap_net_broadcast	DHCP packet broadcasting
# cap_net_raw		open raw socket for DHCP
# cap_sys_module	to use insmod

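# /usr/bin/wfd-manager is resolved with readlink -f and setcap is given the
# resolved path. The substitution is quoted so that path always reaches setcap
# as exactly one argument: unquoted, a path containing whitespace or glob
# characters would be split or expanded, and an empty result would drop the
# file argument entirely.
if [ -e "/usr/bin/wfd-manager" ]; then
	/usr/sbin/setcap cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_sys_module=ei "$(/usr/bin/readlink -f /usr/bin/wfd-manager)"
fi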

# Below are the tools that the wfd manager service uses.
# Required              /usr/bin/toybox : cap_net_bind_service, cap_net_broadcast, cap_net_admin,cap_net_raw : ei
# Required              /usr/bin/pkill : cap_kill : ei
# Required              /usr/sbin/ifconfig : cap_net_admin : ei

# NOTE(review): toybox is normally a multi-call binary, so these capabilities
# attach to every applet run through /usr/bin/toybox, not only the ones the
# wfd manager service needs -- confirm which applets this profile ships.
if test -e /usr/bin/toybox; then
	/usr/sbin/setcap cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw=ei /usr/bin/toybox
fi

if test -e /usr/bin/pkill; then
	/usr/sbin/setcap cap_kill=ei /usr/bin/pkill
fi

if test -e /usr/sbin/ifconfig; then
	/usr/sbin/setcap cap_net_admin=ei /usr/sbin/ifconfig
fi

# Package               platform/core/connectivity/wifi-mesh-manager
# Owner                 Saerome Kim(saerome.kim@samsung.com)
# Date                  Aug 11, 2017
# Required              /usr/bin/wmeshd : cap_net_raw, cap_net_admin, cap_dac_override : ei
# cap_dac_override	to access bridge device

if test -e /usr/bin/wmeshd; then
	/usr/sbin/setcap cap_net_raw,cap_net_admin,cap_dac_override=ei /usr/bin/wmeshd
fi

# Package               platform/upstream/bluez
# Owner                 Saerome Kim(saerome.kim@samsung.com)
# Date                  Nov 24, 2017
# Required              /usr/libexec/bluetooth/bluetoothd : cap_dac_override, cap_net_admin, cap_net_bind_service, cap_net_raw : ei
# cap_dac_override	to access bridge device
# cap_net_admin		to use network-related operations
# cap_net_bind_service	to call bind
# cap_net_raw		to use HCI socket

if test -e /usr/libexec/bluetooth/bluetoothd; then
	/usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_net_raw,cap_dac_override=ei /usr/libexec/bluetooth/bluetoothd
fi

# Package               platform/upstream/bluez
# Owner                 Dohyun Pyun(dh79.pyun@samsung.com)
# Date                  Jun 08, 2020
# Required              /usr/libexec/bluetooth/bluetooth-meshd : cap_dac_override, cap_net_admin, cap_net_bind_service, cap_net_raw : ei
# cap_dac_override	to access bridge device
# cap_net_admin		to use network-related operations
# cap_net_bind_service	to call bind
# cap_net_raw		to use HCI RAW socket

if test -e /usr/libexec/bluetooth/bluetooth-meshd; then
	/usr/sbin/setcap cap_net_admin,cap_net_bind_service,cap_dac_override,cap_net_raw=ei /usr/libexec/bluetooth/bluetooth-meshd
fi

# Package               platform/core/system/dlog
# Owner                 Hyotaek Shim(hyotaek.shim@samsung.com)
# Date                  Dec 22, 2017
# Required              /usr/bin/dlog_logger : cap_syslog : ei
# cap_syslog		to use syslog()

if test -e /usr/bin/dlog_logger; then
	/usr/sbin/setcap cap_syslog=ei /usr/bin/dlog_logger
fi

# Package               platform/core/connectivity/stc-iptables
# Owner                 Hyunuk Tak(hyunuk.tak@samsung.com)
# Date                  Apr 12, 2018
# Required              /usr/bin/stc-iptables : cap_net_bind_service,cap_net_raw,cap_net_admin : ei
# cap_net_bind_service,cap_net_raw,cap_net_admin	netlink and ipproto sockets

if test -e /usr/bin/stc-iptables; then
	/usr/sbin/setcap cap_net_bind_service,cap_net_raw,cap_net_admin=ei /usr/bin/stc-iptables
fi

# Package               platform/core/security/audit-trail
# Owner                 Jaemin Ryu(jm77.ryu@samsung.com)
# Date                  May 3, 2018
# Required              /usr/bin/audit-trail-daemon : cap_audit_control,cap_audit_write : ei
# cap_audit_control	To change auditing filter rules
# cap_audit_write	To record the kernel auditing log

if test -e /usr/bin/audit-trail-daemon; then
	/usr/sbin/setcap cap_audit_control,cap_audit_write=ei /usr/bin/audit-trail-daemon
fi

# Package               platform/adaptation/system-plugin
# Owner                 Insun Pyo(insun.pyo@samsung.com)
# Date                  Aug 20, 2018
# Required              /usr/bin/session-bind : cap_sys_admin : ei
# cap_sys_admin		To bind mount /opt/usr/media, /opt/usr/apps from user session

if test -e /usr/bin/session-bind; then
	/usr/sbin/setcap cap_sys_admin=ei /usr/bin/session-bind
fi

# Package               product/upstream/coreutils
# Date                  Sep 10, 2018
# Required              /usr/bin/cat : cap_sys_ptrace : ei
# cap_sys_ptrace	To read /proc/[pid]/stack
# This is requested by the Display module, to be used in the display-manager-monitor service.

# NOTE(review): cat is a general-purpose tool. With "=ei" (no permitted flag)
# cap_sys_ptrace is gained only when the executing process already holds it in
# its inheritable set, so the exposure depends on which services are started
# with that inheritable capability -- audit those alongside this entry.
if test -e /usr/bin/cat; then
	/usr/sbin/setcap cap_sys_ptrace=ei /usr/bin/cat
fi

# Package               platform/core/security/krate
# Date                  Sep 19, 2018
# Required              /usr/bin/krate-mount : cap_sys_admin : ei
# cap_sys_admin		Do bind-mount to control the file access

if test -e /usr/bin/krate-mount; then
	/usr/sbin/setcap cap_sys_admin=ei /usr/bin/krate-mount
fi

# Package               platform/upstream/kmod
# Date                  Nov 7, 2018
# Required              /usr/bin/kmod : cap_sys_module : ei
# cap_sys_module	To use insmod
# This is requested by Bluetooth module, to be used in bluetooth-stack-up.service.

if test -e /usr/bin/kmod; then
	/usr/sbin/setcap cap_sys_module=ei /usr/bin/kmod
fi

# Package               platform/upstream/bluez
# Date                  Nov 7, 2018
# Required              /usr/bin/hciconfig : cap_net_admin : ei
# cap_net_admin		To control bt interface

if test -e /usr/bin/hciconfig; then
	/usr/sbin/setcap cap_net_admin=ei /usr/bin/hciconfig
fi

# Package               platform/core/system/stability-monitor
# Date                  Nov 20, 2019
# Required              /usr/sbin/stability-monitor : cap_sys_ptrace,cap_sys_module,cap_kill : ei
# cap_sys_ptrace	To attach in process and readlink for working
# cap_sys_module	To load/unload kernel module
# cap_kill		To kill processes

if test -e /usr/sbin/stability-monitor; then
	/usr/sbin/setcap cap_sys_ptrace,cap_sys_module,cap_kill=ei /usr/sbin/stability-monitor
fi

# Package               platform/core/connectivity/ua-manager
# Date                  Jun 13, 2019
# Required              /usr/bin/ua-manager : cap_net_raw,cap_sys_rawio : ei
# cap_net_raw		To use raw socket when making ARP packet
# cap_sys_rawio		To use I/O port operation

if test -e /usr/bin/ua-manager; then
	/usr/sbin/setcap cap_net_raw,cap_sys_rawio=ei /usr/bin/ua-manager
fi

# Package               platform/core/system/crash-worker
# Date                  Nov 14, 2019
# Required              /usr/bin/crash-manager :cap_dac_override,cap_kill,cap_sys_ptrace : ei
# Required              /usr/bin/bugreport-service :cap_dac_override,cap_kill,cap_sys_ptrace : ei
# cap_dac_override	To create directory
# cap_kill		To send signals to processes
# cap_sys_ptrace	To read /proc/<pid>/

if test -e /usr/bin/crash-manager; then
	/usr/sbin/setcap cap_dac_override,cap_kill,cap_sys_ptrace=ei /usr/bin/crash-manager
fi

if test -e /usr/bin/bugreport-service; then
	/usr/sbin/setcap cap_dac_override,cap_kill,cap_sys_ptrace=ei /usr/bin/bugreport-service
fi

# Package               platform/upstream/minicoredumper
# Date                  Nov 14, 2019
# Required              /usr/sbin/minicoredumper : cap_dac_read_search,cap_sys_ptrace : ei
# cap_dac_read_search	To read any binary file
# cap_sys_ptrace	To read /proc/<pid>/

if test -e /usr/sbin/minicoredumper; then
	/usr/sbin/setcap cap_dac_read_search,cap_sys_ptrace=ei /usr/sbin/minicoredumper
fi

# Package               platform/core/system/dlog
# Date                  Nov 14, 2019
# Required              /usr/bin/dlogutil : cap_syslog : ei
# cap_syslog		Android logger returns incorrect values without this capability (check : this is bug in the kernel driver).

if test -e /usr/bin/dlogutil; then
	/usr/sbin/setcap cap_syslog=ei /usr/bin/dlogutil
fi

# Package               platform/core/system/buxton2
# Date                  Nov 14, 2019
# Required              /usr/bin/buxton2ctl : cap_dac_override : ei
# cap_dac_override	To write in /run/buxton2/ and /etc/buxton2 directory

if test -e /usr/bin/buxton2ctl; then
	/usr/sbin/setcap cap_dac_override=ei /usr/bin/buxton2ctl
fi

# Package               platform/core/system/crash-worker
# Date                  Nov 14, 2019
# Required              /usr/bin/livedumper : cap_dac_override, cap_sys_ptrace : ei
# cap_dac_override	To create livedump directory
# cap_sys_ptrace	To read /proc/[pid]

if test -e /usr/bin/livedumper; then
	/usr/sbin/setcap cap_dac_override,cap_sys_ptrace=ei /usr/bin/livedumper
fi

# Package               platform/core/system/crash-worker
# Date                  Nov 14, 2019
# Required              /usr/libexec/crash-stack : cap_dac_read_search,cap_sys_ptrace : ei
# cap_dac_read_search	To read /proc/[pid]/{maps, task, status}
# cap_sys_ptrace	To read /proc/[pid]/{maps, task, status}

if test -e /usr/libexec/crash-stack; then
	/usr/sbin/setcap cap_dac_read_search,cap_sys_ptrace=ei /usr/libexec/crash-stack
fi

# Package               platform/core/system/memps
# Date                  Nov 14, 2019
# Required              /usr/bin/memps : cap_dac_read_search,cap_sys_ptrace : ei
# cap_dac_read_search	To read files from /proc/ and /sys/
# cap_sys_ptrace	To read files from /proc/ and /sys/

# memps: read access to /proc and /sys via dac_read_search + sys_ptrace (=ei).
if [[ -e /usr/bin/memps ]]; then
	/usr/sbin/setcap cap_dac_read_search,cap_sys_ptrace=ei /usr/bin/memps
fi

# Package               platform/upstream/procps-ng
# Date                  Nov 14, 2019
# Required              /usr/bin/top : cap_sys_ptrace : ei
# cap_sys_ptrace	To read files from /proc/

# top is a general-purpose tool: with =ei an ordinary invocation gains nothing
# unless the caller already carries cap_sys_ptrace as inheritable.
if [[ -e /usr/bin/top ]]; then
	/usr/sbin/setcap cap_sys_ptrace=ei /usr/bin/top
fi

# Package               product/upstream/coreutils
# Date                  Nov 14, 2019
# Required              /usr/bin/df : cap_dac_read_search : ei
# cap_dac_read_search	counting of disk space usage (eg /opt/usr/home/owner)

# df: cap_dac_read_search (effective+inheritable), applied only if present.
if [[ -e /usr/bin/df ]]; then
	/usr/sbin/setcap cap_dac_read_search=ei /usr/bin/df
fi

# Package               product/upstream/coreutils
# Date                  Nov 14, 2019
# Required              /usr/bin/du : cap_dac_read_search : ei
# cap_dac_read_search	counting of disk space usage (eg /opt/usr/home/owner)

# du: same grant as df, cap_dac_read_search with the =ei flags.
if [[ -e /usr/bin/du ]]; then
	/usr/sbin/setcap cap_dac_read_search=ei /usr/bin/du
fi

# Package               product/upstream/clat
# Date                  Nov 26, 2019
# Required              /usr/bin/clatd : cap_net_admin,cap_net_raw,cap_ipc_lock,cap_setuid,cap_setgid : ei
# cap_net_admin		To create and configure interface, modify routing tables
# cap_net_raw		To open raw socket
# cap_ipc_lock		clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks capable(CAP_IPC_LOCK)
# cap_setuid		To forge UID when passing socket credentials via UNIX domain sockets
# cap_setgid		To forge GID when passing socket credentials via UNIX domain sockets

# Five capabilities, including cap_setuid/cap_setgid; all are set
# effective+inheritable, none permitted.
if [[ -e /usr/bin/clatd ]]; then
	/usr/sbin/setcap cap_net_admin,cap_net_raw,cap_ipc_lock,cap_setuid,cap_setgid=ei /usr/bin/clatd
fi

# Package               platform/core/connectivity/nan-manager
# Date                  Apr 10, 2020
# Required              /usr/bin/nan-manager : cap_net_admin,cap_net_raw : ei
# cap_net_admin		To add interface up/down and routing rules
# cap_net_raw		To use raw socket

# nan-manager: network administration and raw sockets, =ei flags only.
if [[ -e /usr/bin/nan-manager ]]; then
	/usr/sbin/setcap cap_net_admin,cap_net_raw=ei /usr/bin/nan-manager
fi

# Package               platform/core/appfw/unified-backend
# Date                  Jul 15, 2020
# Required		/usr/bin/unified-backend : cap_dac_override, cap_chown, cap_fowner, cap_mac_override : ei
# cap_dac_override	access to /home/$USER/apps_rw
# cap_chown		use chown API
# cap_fowner		use chmod API
# cap_mac_override	To abort app directories creation / deletion

# The set includes cap_mac_override, which overrides mandatory access control
# checks, alongside the DAC-related capabilities.
if [[ -e /usr/bin/unified-backend ]]; then
	/usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner,cap_mac_override=ei /usr/bin/unified-backend
fi

# Package		app-installers
# Date                  Jul 15, 2020
# Required		/usr/bin/pkg_recovery : cap_dac_override, cap_chown, cap_fowner : ei
# cap_dac_override	To restore user data
# cap_chown		use chown API
# cap_fowner		use chmod API

# pkg_recovery: ownership/permission capabilities, effective+inheritable.
if [[ -e /usr/bin/pkg_recovery ]]; then
	/usr/sbin/setcap cap_dac_override,cap_chown,cap_fowner=ei /usr/bin/pkg_recovery
fi

# Package		platform/core/system/peripheral-bus
# Date                  Jul 24, 2020
# Required		/usr/bin/peripheral-bus : cap_dac_override : ei
# cap_dac_override	To modify peripheral devices under /sys/class

# cap_dac_override applies to every path, not just /sys/class; the =ei flags
# restrict it to callers that hold the capability as inheritable.
if [[ -e /usr/bin/peripheral-bus ]]; then
	/usr/sbin/setcap cap_dac_override=ei /usr/bin/peripheral-bus
fi

# Package		platform/upstream/util-linux
# Date                  Aug 24, 2020
# Required		/usr/sbin/blockdev : cap_sys_admin : ei
# cap_sys_admin		To flush memory

# cap_sys_admin covers far more than the flush operation named in the header;
# =ei keeps it unavailable to callers without it in their inheritable set.
if [[ -e /usr/sbin/blockdev ]]; then
	/usr/sbin/setcap cap_sys_admin=ei /usr/sbin/blockdev
fi

# Package		platform/core/system/update-control
# Date                  Sep 07, 2020
# Required		/usr/bin/update-manager : cap_sys_admin : ei
# Required		/usr/sbin/img-verifier : cap_dac_override : ei
# cap_sys_admin		To execute fota upgrade trigger script
# cap_dac_override	To write image verify result to /opt/var/log

# update-manager: cap_sys_admin, effective+inheritable, only if installed.
if [[ -e /usr/bin/update-manager ]]; then
	/usr/sbin/setcap cap_sys_admin=ei /usr/bin/update-manager
fi

# img-verifier: cap_dac_override, effective+inheritable, only if installed.
if [[ -e /usr/sbin/img-verifier ]]; then
	/usr/sbin/setcap cap_dac_override=ei /usr/sbin/img-verifier
fi

# Package		platform/framework/web/chromium-efl
# Date                  Jan 15, 2021
# Required		/usr/bin/wrt-service : cap_mac_admin : eip
# cap_mac_admin		To change a process label
# It is executed by a specific application, not by a systemd service.
# Therefore, "eip" is required, but access to it is restricted by SMACK label.

# =eip also sets the permitted flag, so cap_mac_admin is granted on exec even
# when the caller does not hold it as inheritable. Who may execute the binary
# is therefore the real control; the header relies on the SMACK label for it.
if [[ -e /usr/bin/wrt-service ]]; then
	/usr/sbin/setcap cap_mac_admin=eip /usr/bin/wrt-service
fi

# Package		platform/upstream/mdnresponder
# Date			Mar 17, 2021
# Required		/usr/sbin/mdnsd : cap_net_admin, cap_net_raw : ei
# cap_net_admin		To use multicast
# cap_net_raw		To use packet socket

# mdnsd: cap_net_admin and cap_net_raw with the =ei flags.
if [[ -e /usr/sbin/mdnsd ]]; then
	/usr/sbin/setcap cap_net_admin,cap_net_raw=ei /usr/sbin/mdnsd
fi

# Package		platform/core/system/system-rw-update
# Date			Aug 06, 2021
# Required		/usr/bin/udevadm : cap_dac_override : ei
# cap_dac_override	To write data on /sys/devices/platform/.../uevent

# udevadm is a general-purpose tool; cap_dac_override=ei only matters for
# callers that already hold the capability as inheritable.
if [[ -e /usr/bin/udevadm ]]; then
	/usr/sbin/setcap cap_dac_override=ei /usr/bin/udevadm
fi


# Package		platform/core/appfw/pkgmgr-tool
# Date			Sep 01, 2021
# Required		/usr/bin/res-copy : cap_chown, cap_dac_override, cap_fowner, cap_mac_override : ei
# cap_chown			To change copied file's ownership(root:priv_platform)
# cap_dac_override	To change copied file's ownership(root:priv_platform)
# cap_fowner		To change copied file's ownership(root:priv_platform)
# cap_mac_override	To abort app directories creation / deletion

# res-copy: ownership-changing capabilities plus cap_mac_override, all =ei.
if [[ -e /usr/bin/res-copy ]]; then
	/usr/sbin/setcap cap_chown,cap_dac_override,cap_fowner,cap_mac_override=ei /usr/bin/res-copy
fi

# Package		platform/core/appfw/pkgmgr-info
# Date			Sep 08, 2021
# Required		/usr/bin/pkginfo-server : cap_dac_override, cap_sys_nice : ei
# cap_dac_override	To write data on user database
# cap_sys_nice	to change scheduling priority

# pkginfo-server: cap_dac_override and cap_sys_nice, effective+inheritable.
if [[ -e /usr/bin/pkginfo-server ]]; then
	/usr/sbin/setcap cap_dac_override,cap_sys_nice=ei /usr/bin/pkginfo-server
fi

# Package		platform/upstream/kmod
# Date			Jan 05, 2022
# Required		/usr/sbin/insmod : cap_sys_module : ei
# cap_sys_module	To use insmod
# This is requested by telephony module, to be used in telephony-dongle.service.
# /usr/sbin/insmod can be a symlink to /usr/bin/kmod. Therefore, resolve it with readlink before setting the capability.

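# Resolve the symlink first: the capability is stored on the target file, so
# when insmod points at /usr/bin/kmod, every other name that resolves to the
# same binary carries cap_sys_module=ei as well.
# The command substitution is quoted so the resolved path reaches setcap as a
# single argument, with no word splitting or glob expansion.
if [ -e "/usr/sbin/insmod" ]; then
	/usr/sbin/setcap cap_sys_module=ei "$(/usr/bin/readlink -f /usr/sbin/insmod)"
fi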

# Package		platform/core/system/isu
# Date			Apr 11, 2024
# Required		/usr/bin/isud : cap_dac_override : ei
# cap_dac_override	isud needs to access application's directory for scanning and removing app files

# isud: cap_dac_override bypasses file permission checks on all paths, not
# only application directories; flags stay at effective+inheritable.
if [[ -e /usr/bin/isud ]]; then
	/usr/sbin/setcap cap_dac_override=ei /usr/bin/isud
fi

# These are not related to capabilities, but are placed here so that they run in generic-security.post.
# It would be better to run them separately in generic-security.post in the future.
# change_permission is invoked without an existence check, unlike the helper
# below; its exit status is not inspected here.
/usr/share/security-config/change_permission
# Run update_privacy_mount_list.sh only when the script and the privilege
# mount policy both exist and /opt/share/askuser_disable is absent.
if [[ -e /usr/share/security-config/update_privacy_mount_list.sh ]] \
	&& [[ -e /usr/share/security-manager/policy/privilege-mount.list ]] \
	&& [[ ! -e /opt/share/askuser_disable ]]; then
	/usr/share/security-config/update_privacy_mount_list.sh
fi

# Package               platform/core/appfw/launchpad
# Owner                 Junghoon Park(jh9216.park@samsung.com)
# Date                  Sep 19, 2024
# Required              /usr/bin/lux : cap_mac_admin, cap_dac_override, cap_setgid, cap_sys_admin, cap_sys_nice, cap_sys_chroot : ei
# cap_mac_admin		to use security_manager_prepare_app2()
# cap_dac_override      fd redirection in debug mode of app running
# cap_setgid		to use security_manager_prepare_app()
# cap_sys_admin		to split mount namespace
# cap_sys_nice		to change scheduling priority
# cap_sys_chroot	to use setns()

# Six capabilities, among them cap_sys_admin and cap_mac_admin; all are set
# effective+inheritable only, so the launching process must already hold them
# in its inheritable set.
if [[ -e /usr/bin/lux ]]; then
	/usr/sbin/setcap cap_sys_admin,cap_sys_nice,cap_mac_admin,cap_dac_override,cap_setgid,cap_sys_chroot=ei /usr/bin/lux
fi

# Package               platform/core/connectivity/wifi-tethering-manager
# Owner                 Jiung Yu(jiung.yu@samsung.com)
# Date                  June 24, 2025
# Required              /usr/bin/wifi-tethering-manager : cap_dac_override, cap_net_admin, cap_net_raw, cap_setgid, cap_net_bind_service, cap_net_broadcast : eip
# cap_dac_override      get/set keyfile
# cap_net_admin         to add interface flags and make the interface up/down using ioctl
# cap_net_raw           to make socket permission raw DHCP socket
# cap_net_bind_service  to call bind using DHCP port
# cap_net_broadcast     to make socket broadcasts, and listen to multicasts

# NOTE(review): =eip sets the permitted flag, so a process allowed to execute
# this binary gains all six capabilities on exec (subject to its bounding set)
# without holding them as inheritable. The header gives no reason for needing
# "p" and has no rationale line for cap_setgid; confirm both with the owner.
if [[ -e /usr/bin/wifi-tethering-manager ]]; then
	/usr/sbin/setcap cap_dac_override,cap_net_admin,cap_net_raw,cap_setgid,cap_net_bind_service,cap_net_broadcast=eip /usr/bin/wifi-tethering-manager
fi

# Package		esd
# Owner 		Hwankyu Jhun (h.jhun@samsung.com)
# Date			June 16, 2025
# Required		/usr/bin/esd : cap_sys_time,cap_dac_override : ei
# cap_sys_time		settimeofday() system call and rtc setting time need privilege; CAP_SYS_TIME
# cap_dac_override	to override dac permission for accessing to app's po files.

# esd: cap_sys_time and cap_dac_override, effective+inheritable only.
if [[ -e /usr/bin/esd ]]; then
	/usr/sbin/setcap cap_sys_time,cap_dac_override=ei /usr/bin/esd
fi
