authpolicy: Add authpolicyd-exec user and group

The authpolicyd-exec user will be used to execute sandboxed processes
from the authpolicy daemon. This is done so that the processes cannot
write files that the authpolicyd user can write, e.g. authpolicy
configuration files.

BUG=chromium:666693
TEST=Emerges, ran security_AccountsBaseline test.

CQ-DEPEND=CL:418717

Change-Id: I139b018ddbf3838b4a50a3047cce406ba3e9b232
Reviewed-on: https://chromium-review.googlesource.com/418758
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
diff --git a/profiles/base/accounts/group/authpolicyd b/profiles/base/accounts/group/authpolicyd
index d015987..55852d6 100644
--- a/profiles/base/accounts/group/authpolicyd
+++ b/profiles/base/accounts/group/authpolicyd
@@ -1,3 +1,3 @@
 group:authpolicyd
 gid:254
-users:authpolicyd
+users:authpolicyd,authpolicyd-exec
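Review bot: Adding authpolicyd-exec to `users:` of group authpolicyd (gid 254) works against the goal stated in the commit message if any authpolicy configuration file or directory is group-writable by authpolicyd, since the sandboxed processes would then inherit that write access through the supplementary group. Please state in the commit message why the membership is needed (for example, read-only access to files owned by authpolicyd), and confirm that the paths to be protected carry no group write bit, or that the sandbox drops supplementary groups before executing.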
diff --git a/profiles/base/accounts/group/authpolicyd-exec b/profiles/base/accounts/group/authpolicyd-exec
new file mode 100644
index 0000000..080cefc
--- /dev/null
+++ b/profiles/base/accounts/group/authpolicyd-exec
@@ -0,0 +1,3 @@
+group:authpolicyd-exec
+gid:607
+users:
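Review bot: The empty `users:` line is inconsistent with the authpolicyd group file, which lists its own user (`users:authpolicyd`). Membership here comes only from `gid:607` in the user file, so either list the user explicitly as `users:authpolicyd-exec` to match the existing convention, or note that the empty list is intentional.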
diff --git a/profiles/base/accounts/user/authpolicyd-exec b/profiles/base/accounts/user/authpolicyd-exec
new file mode 100644
index 0000000..fe6e629
--- /dev/null
+++ b/profiles/base/accounts/user/authpolicyd-exec
@@ -0,0 +1,6 @@
+user:authpolicyd-exec
+uid:607
+gid:607
+gecos:authpolicy process executor
+home:/dev/null
+shell:/bin/false
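Review bot: `uid:607` and `gid:607` are chosen without explanation, while the related authpolicyd group uses gid 254; the commit message should say how 607 was selected and that it does not collide with any other entry under profiles/base/accounts. `home:/dev/null` and `shell:/bin/false` are appropriate for a non-login account. The gecos text could name what is being executed (sandboxed helper processes of the authpolicy daemon) so the account's purpose is clear from the passwd entry alone.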