Add shill user to ipsec and policy-readers groups.

shill is currently being sandboxed to run as a non-root user. It needs
to be a member of the 'policy-readers' group for read access to
/var/lib/whitelist. Additionally, shill needs to be a member of the
'ipsec' group, so it can chgrp() files that it creates to be owned
by the 'ipsec' group. This way those files can be readable
by programs that run as ipsec:ipsec, without being world-readable.

CQ-DEPEND=CL:951703
BUG=chromium:649417
TEST=built/imaged board and made sure shill can chgrp() to 'ipsec' and
read files in /var/lib/whitelist.

Change-Id: I229578bd21c2a16057c1b872da4f32f3cb275c4f
Reviewed-on: https://chromium-review.googlesource.com/951644
Commit-Ready: Micah Morton <mortonm@chromium.org>
Tested-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Micah Morton <mortonm@chromium.org>
2 files changed
tree: 7018d8c78fa05e67a8ba0f16e71dc62a9ce80c70
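The commit message relies on the rule that an unprivileged file owner may only change a file's group to one the process belongs to. The following is an added example, not code from this change or from shill: it creates a file that is group-readable but not world-readable, with hypothetical function names and the process's own effective gid standing in for 'ipsec'.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if gid is the effective or a supplementary group of this process. */
static int process_in_group(gid_t gid) {
    gid_t groups[256];
    int n = getgroups(256, groups);
    for (int i = 0; i < n; i++)
        if (groups[i] == gid) return 1;
    return gid == getegid();
}

/* Create path group-owned by gid with mode 0640. Returns 0, or -1 with errno
 * set (EPERM when an unprivileged caller is not a member of gid). */
static int create_group_readable(const char *path, gid_t gid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    /* Set the group first, then widen to 0640, so no other group can read it. */
    if (fchown(fd, (uid_t)-1, gid) != 0 || fchmod(fd, 0640) != 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* Constructed self-check: the effective gid is a stand-in for 'ipsec'. */
static int demo(void) {
    char dir[] = "/tmp/chgrp-demo-XXXXXX", path[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/secret.conf", dir);
    int ok = process_in_group(getegid()) &&
             create_group_readable(path, getegid()) == 0 &&
             stat(path, &st) == 0 && st.st_gid == getegid() &&
             (st.st_mode & 0777) == 0640;
    unlink(path);
    rmdir(dir);
    return ok ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```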