[mapplauncherd] Set CAP_SYS_PTRACE to allow reading /proc/pid/exe. Fixes JB#53620

All other boosters must be changed as well.

Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>

README

@@ -59,6 +59,10 @@ name of the application. Then the booster process waits for a connection
 from the invoker with the information about which application should be
 launched. 
 
+Before launching application boosters check that the calling process is allowed
+to invoke applications. This requires CAP_SYS_PTRACE. All boosters must have
+that set to function.
+
 Contributors
 ==============================
 

rpm/mapplauncherd.spec

@@ -8,8 +8,9 @@ Source0:    %{name}-%{version}.tar.bz2
 Source1:    booster-cgroup-mount.service
 Requires:   systemd-user-session-targets
 Requires(post): /sbin/ldconfig
+Requires(post): /usr/sbin/setcap
 Requires(postun): /sbin/ldconfig
-Requires(pre):  shadow-utils
+Requires(pre):  sailfish-setup
 BuildRequires:  pkgconfig(libshadowutils)
 BuildRequires:  pkgconfig(systemd)
 BuildRequires:  pkgconfig(dbus-1)
@@ -25,7 +26,6 @@ functionality to launch applications as single instances.
 
 %package devel
 Summary:    Development files for launchable applications
-Group:      Development/Tools
 Requires:   %{name} = %{version}-%{release}
 Provides:   meegotouch-applauncherd-devel > 3.0.3
 Obsoletes:  meegotouch-applauncherd-devel <= 3.0.3
@@ -36,7 +36,6 @@ using mapplauncherd.
 
 %package cgroup
 Summary:    Service files for booster cgroup mount
-Group:      System/Daemons
 Requires:   %{name} = %{version}-%{release}
 
 %description cgroup
@@ -73,10 +72,9 @@ ln -s ../booster-cgroup-mount.service %{buildroot}%{_unitdir}/multi-user.target.
 
 install -D -m 0755 scripts/booster-cgroup-mount %{buildroot}/usr/lib/startup/booster-cgroup-mount
 
-%pre
+%post
-groupadd -rf privileged
+/sbin/ldconfig
-
+/usr/sbin/setcap cap_sys_ptrace+pe %{_libexecdir}/mapplauncherd/booster-generic || :
-%post -p /sbin/ldconfig
 
 %postun -p /sbin/ldconfig