Merge commit 'b666aa4a1e7b4bfb1a6a416fd90620edf4ed6b56' into 14542.0.0

BUG=b/222349736
TEST=local BE run
RELEASE_NOTE=None

Signed-off-by: Rayan Dasoriya <dasoriya@google.com>
Change-Id: I77dcfe3e2a6a2df407d4be4e019350aab2783ef5
diff --git a/profiles/base/accounts/group/chronos-access b/profiles/base/accounts/group/chronos-access
index 94a4447..d973a71 100644
--- a/profiles/base/accounts/group/chronos-access
+++ b/profiles/base/accounts/group/chronos-access
@@ -4,4 +4,6 @@
 # mostly system daemons running as a non-chronos user, group permissions
 # to access files/directories owned by chronos.
 # This includes all users accessing opencryptoki database files.
-users:root,vpn,chronos,cros-disks,imageloaderd,crash,dlp,image-burner
+#
+# Processes running with chronos-access need enforcing SELinux domains.
+users:vpn,chronos,cros-disks,imageloaderd,crash,dlp,image-burner,spaced
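Review bot: `spaced` joins chronos-access in the same hunk that adds the rule "Processes running with chronos-access need enforcing SELinux domains", but nothing in this diff shows that spaced runs in an enforcing domain. That should be confirmed before merging, because the header says the group grants access to chronos-owned files, including the opencryptoki database files. The new comment would also help more as an instruction to the next editor, for example `# Every member must run in an enforcing (non-permissive) SELinux domain; verify before adding a user.` Dropping `root` is a least-privilege gain, though a root process that has dropped CAP_DAC_OVERRIDE and relied on this supplementary group would lose access, which this diff cannot show.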
diff --git a/profiles/base/accounts/group/crash-access b/profiles/base/accounts/group/crash-access
index b0da209..77fdee0 100644
--- a/profiles/base/accounts/group/crash-access
+++ b/profiles/base/accounts/group/crash-access
@@ -1,3 +1,3 @@
 group:crash-access
 gid:419
-users:crash
+users:crash,secanomaly
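Review bot: The crash-access file has no comment saying what membership grants, so the new `users:crash,secanomaly` line widens access without recording why. Crash data can contain sensitive process state, so a header such as `# Members can access crash reporter files; secanomaly is a member because <reason>.` would let a later reader judge whether the membership is still needed. Whether secanomaly needs read or write access is not visible in this diff.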
diff --git a/profiles/base/accounts/group/fuse-fusebox b/profiles/base/accounts/group/fuse-fusebox
new file mode 100644
index 0000000..a5be495
--- /dev/null
+++ b/profiles/base/accounts/group/fuse-fusebox
@@ -0,0 +1,2 @@
+group:fuse-fusebox
+gid:312
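Review bot: The new fuse-fusebox group file, like the new mkfs group file, omits the `users:` line, while the hiberman, mojo-service-manager and scalerd group files added in this same commit list their own user. If an empty membership is intended because the account gets the group through its primary `gid`, an explicit `users:` line (as in the openvpn file) or a one-line comment would make that clear. Neither file says what the group grants, and the ppp file's header comment in this commit is a good model to follow.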
diff --git a/profiles/base/accounts/group/hiberman b/profiles/base/accounts/group/hiberman
new file mode 100644
index 0000000..20dfc55
--- /dev/null
+++ b/profiles/base/accounts/group/hiberman
@@ -0,0 +1,3 @@
+group:hiberman
+gid:20184
+users:hiberman
diff --git a/profiles/base/accounts/group/mkfs b/profiles/base/accounts/group/mkfs
new file mode 100644
index 0000000..b9c0efe
--- /dev/null
+++ b/profiles/base/accounts/group/mkfs
@@ -0,0 +1,2 @@
+group:mkfs
+gid:425
diff --git a/profiles/base/accounts/group/mojo-service-manager b/profiles/base/accounts/group/mojo-service-manager
new file mode 100644
index 0000000..1db6ffb
--- /dev/null
+++ b/profiles/base/accounts/group/mojo-service-manager
@@ -0,0 +1,3 @@
+group:mojo-service-manager
+gid:20185
+users:mojo-service-manager
diff --git a/profiles/base/accounts/group/openvpn b/profiles/base/accounts/group/openvpn
index cb535bb..11bb205 100644
--- a/profiles/base/accounts/group/openvpn
+++ b/profiles/base/accounts/group/openvpn
@@ -1,3 +1,4 @@
 group:openvpn
 gid:217
 users:
+defunct:true
diff --git a/profiles/base/accounts/group/ppp b/profiles/base/accounts/group/ppp
new file mode 100644
index 0000000..4174f0f
--- /dev/null
+++ b/profiles/base/accounts/group/ppp
@@ -0,0 +1,5 @@
+# Members of this group have access to /dev/ppp udev file, i.e. can create
+# ppp interfaces.
+group:ppp
+gid:424
+users:shill,vpn
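Review bot: The comment on the new ppp group states that members can access /dev/ppp, but the rule that assigns the device node to this group is not part of this diff. Since the shill hunk in this commit drops `vpn` from the shill group, the two changes only narrow vpn's privileges safely if the device ownership change lands with them. Otherwise vpn either loses /dev/ppp or the node stays reachable through the shill group. It would help to reference the owning rule in the header, for example `# Group ownership of /dev/ppp is set by <udev rule file>.` The wording "udev file" could also be tightened to "device node".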
diff --git a/profiles/base/accounts/group/scalerd b/profiles/base/accounts/group/scalerd
new file mode 100644
index 0000000..e64e990
--- /dev/null
+++ b/profiles/base/accounts/group/scalerd
@@ -0,0 +1,3 @@
+group:scalerd
+gid:20183
+users:scalerd
diff --git a/profiles/base/accounts/group/shill b/profiles/base/accounts/group/shill
index f0b9000..173be1e 100644
--- a/profiles/base/accounts/group/shill
+++ b/profiles/base/accounts/group/shill
@@ -1,3 +1,3 @@
 group:shill
 gid:20104
-users:shill,vpn
+users:shill
diff --git a/profiles/base/accounts/group/tss b/profiles/base/accounts/group/tss
index 224ecd4..bc2f85c 100644
--- a/profiles/base/accounts/group/tss
+++ b/profiles/base/accounts/group/tss
@@ -1,4 +1,4 @@
 group:tss
 gid:207
 # Only certain users are allowed to talk to the TPM via tcsd.
-users:root,chaps,attestation,tpm_manager,trunks,bootlockboxd,oobe_config_save,oobe_config_restore
+users:root,chaps,attestation,tpm_manager,trunks,bootlockboxd,u2f,oobe_config_save,oobe_config_restore
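Review bot: Adding `u2f` to tss widens the set of accounts that can reach the TPM, but the only comment in the file is the general "Only certain users are allowed to talk to the TPM via tcsd", which gives no reason for any individual member. Since this group gates a hardware root of trust, each addition deserves a recorded justification, for example `# u2f: <why this daemon needs direct TPM access>`. The comment also names only tcsd, so it is worth confirming that it still describes the access path the listed daemons use.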
diff --git a/profiles/base/accounts/user/fuse-fusebox b/profiles/base/accounts/user/fuse-fusebox
new file mode 100644
index 0000000..c9db15f
--- /dev/null
+++ b/profiles/base/accounts/user/fuse-fusebox
@@ -0,0 +1,6 @@
+user:fuse-fusebox
+uid:312
+gid:312
+gecos:FUSE-based proxy for Chrome's virtual file systems
+home:/dev/null
+shell:/bin/false
diff --git a/profiles/base/accounts/user/hiberman b/profiles/base/accounts/user/hiberman
new file mode 100644
index 0000000..ac5be47
--- /dev/null
+++ b/profiles/base/accounts/user/hiberman
@@ -0,0 +1,6 @@
+user:hiberman
+uid:20184
+gid:20184
+gecos:orchestrates system hibernate and resume activities
+home:/dev/null
+shell:/bin/false
diff --git a/profiles/base/accounts/user/mkfs b/profiles/base/accounts/user/mkfs
new file mode 100644
index 0000000..b97371b
--- /dev/null
+++ b/profiles/base/accounts/user/mkfs
@@ -0,0 +1,6 @@
+user:mkfs
+uid:425
+gid:425
+gecos:Disk Partition Formatter
+home:/dev/null
+shell:/bin/false
diff --git a/profiles/base/accounts/user/mojo-service-manager b/profiles/base/accounts/user/mojo-service-manager
new file mode 100644
index 0000000..81616ad
--- /dev/null
+++ b/profiles/base/accounts/user/mojo-service-manager
@@ -0,0 +1,6 @@
+user:mojo-service-manager
+uid:20185
+gid:20185
+gecos:CrOS mojo service manager daemon
+home:/dev/null
+shell:/bin/false
diff --git a/profiles/base/accounts/user/openvpn b/profiles/base/accounts/user/openvpn
index f8fe426..d548029 100644
--- a/profiles/base/accounts/user/openvpn
+++ b/profiles/base/accounts/user/openvpn
@@ -4,3 +4,4 @@
 gecos:openvpn
 home:/dev/null
 shell:/bin/false
+defunct:true
diff --git a/profiles/base/accounts/user/scalerd b/profiles/base/accounts/user/scalerd
new file mode 100644
index 0000000..7fcb01f
--- /dev/null
+++ b/profiles/base/accounts/user/scalerd
@@ -0,0 +1,6 @@
+user:scalerd
+uid:20183
+gid:20183
+gecos:CfM scaler daemon service
+home:/dev/null
+shell:/bin/false