Add policy-readers group
The access to the device policy files in /var/lib/whitelist is now gated by the
policy-readers group which is composed of the chronos user and the other daemons
needing access to the device policy.
BUG=chromium:804268
TEST=see both u2fd and chrome can access the device policies.
Change-Id: I125e411aea39708e6bb008c03a60f2ff0bf3c416
Reviewed-on: https://chromium-review.googlesource.com/879147
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Dan Erat <derat@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
(cherry picked from commit a75b80538fabec5b1f815d28bfe89d890b7b4f1d)
Reviewed-on: https://chromium-review.googlesource.com/883368
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
Commit-Queue: Vincent Palatin <vpalatin@chromium.org>
Trybot-Ready: Vincent Palatin <vpalatin@chromium.org>
diff --git a/profiles/base/accounts/group/policy-readers b/profiles/base/accounts/group/policy-readers
new file mode 100644
index 0000000..cef4769
--- /dev/null
+++ b/profiles/base/accounts/group/policy-readers
@@ -0,0 +1,4 @@
+# Members have read access to the device policy in /var/lib/whitelist.
+group:policy-readers
+gid:303
+users:chronos,u2f
