From f2a2f1357a5268b614528feeba0a91f4ea04a7aa Mon Sep 17 00:00:00 2001
From: José Bollo
Date: Mon, 10 Dec 2018 08:07:39 +0100
Subject: afm-unit: Restore removal of capabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This removes capabilities to any application installed and launched. Also applications are added by default to the display group, meaning that it can be displayed.
Bug-AGL: SPEC-2006
Change-Id: Ia0b2d0df3ec1c74f37ca176fc9f0e8db96de3566
Signed-off-by: José Bollo
---
 conf/unit/generate-unit-conf/service.inc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'conf/unit/generate-unit-conf/service.inc')
diff --git a/conf/unit/generate-unit-conf/service.inc b/conf/unit/generate-unit-conf/service.inc
index 961a262..59df916 100644
--- a/conf/unit/generate-unit-conf/service.inc
+++ b/conf/unit/generate-unit-conf/service.inc
@@ -70,13 +70,14 @@ SuccessExitStatus=0 SIGKILL
 User=%i
 Slice=user-%i.slice
-#CapabilityBoundingSet=
+CapabilityBoundingSet=
 #AmbientCapabilities=
 ON_PERM(:platform:no-oom, OOMScoreAdjust=-500)
 ON_PERM(:partner:real-time, IOSchedulingClass=realtime)
-ON_PERM(:public:display, SupplementaryGroups=display)
 ON_PERM(:public:syscall:clock, , SystemCallFilter=~@clock)
+#ON_PERM(:public:display, SupplementaryGroups=display)
+SupplementaryGroups=display
 %nl
 WorkingDirectory=-APP_DATA_DIR/{{:id}}
-- cgit 1.2.3-korg
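Review bot: `SupplementaryGroups=display` is now emitted unconditionally, so the `:public:display` permission no longer gates anything and every generated unit, including ones that never draw, gets whatever access the `display` group protects. That widens group membership in the same change that empties `CapabilityBoundingSet=`, and the commented-out `#ON_PERM(:public:display, SupplementaryGroups=display)` line does not say why the gate was dropped. If the default is intentional, replace the dead line with a comment such as `# display group granted to all units by default; :public:display gate disabled, see SPEC-2006`; otherwise keep the `ON_PERM` form. Separately, no `NoNewPrivileges=` is visible next to the empty bounding set; the `[Service]` section starts outside the hunk, so confirm whether it is set there, and if it is not, consider adding `NoNewPrivileges=true`.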