projects / platform / core / security / vist.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: db1fae6)
Apply on-demand service by systemd
authorSangwan Kwon <sangwan.kwon@samsung.com>
Thu, 26 Dec 2019 10:04:28 +0000 (19:04 +0900)
committer권상완/Security 2Lab(SR)/Engineer/삼성전자 <sangwan.kwon@samsung.com>
Mon, 30 Dec 2019 01:44:22 +0000 (10:44 +0900)
This patch is only for Tizen. The docker does not include all systemd
features by design. The Docker is designed for process isolation,
not for OS virtualization, so there are no other OS processes and daemons
running inside the container like systemd.

Signed-off-by: Sangwan Kwon <sangwan.kwon@samsung.com>
CMakeLists.txt patch | blob | history
packaging/vist.spec patch | blob | history
src/vist/policy/policy-storage.cpp patch | blob | history
src/vist/service/vistd.cpp patch | blob | history
systemd/CMakeLists.txt [new file with mode: 0644] patch | blob
systemd/vist.service [new file with mode: 0644] patch | blob
systemd/vist.socket [new file with mode: 0644] patch | blob

diff --git a/CMakeLists.txt b/CMakeLists.txt
index c3b574520cf816c681a2190ec15b5f453370be68..25612060cd735dfcdb6a5d04681a35cf9e40dd28 100644 (file)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -67,3 +67,4 @@ ADD_SUBDIRECTORY(data)
 ADD_SUBDIRECTORY(specs)
 ADD_SUBDIRECTORY(src)
 ADD_SUBDIRECTORY(plugins)
+ADD_SUBDIRECTORY(systemd)
diff --git a/packaging/vist.spec b/packaging/vist.spec
index 251f0bceb8111ed39aef30e44170ac5a2473fce9..1f36fd7f3a50bb6cafe52305081a2f04b1a8fe95 100644 (file)
--- a/packaging/vist.spec
+++ b/packaging/vist.spec
@@ -21,7 +21,6 @@ BuildRequires: pkgconfig(libsystemd)
 BuildRequires: pkgconfig(openssl)
 # vist BRs
 BuildRequires: pkgconfig(dlog)
-BuildRequires: pkgconfig(klay)
 BuildRequires: pkgconfig(sqlite3)
 BuildRequires: pkgconfig(libtzplatform-config)
 Requires: glog
@@ -29,7 +28,6 @@ Requires: gflag
 Requires: boost-regex boost-system boost-thread boost-filesystem
 Requires: procps-ng
 Requires: libsystemd
-Requires: klay
 
 %global osquery_version 4.0.0
 
@@ -74,7 +72,8 @@ cp %SOURCE1 .
                 -DDEFAULT_ADMIN_PATH=%{_bindir}/vist-cli \
                 -DDB_INSTALL_DIR:PATH=%{vist_db_dir} \
                 -DPLUGIN_INSTALL_DIR:PATH=%{vist_plugin_dir} \
-                -DSCRIPT_INSTALL_DIR:PATH=%{vist_script_dir}
+                -DSCRIPT_INSTALL_DIR:PATH=%{vist_script_dir} \
+                -DSYSTEMD_UNIT_DIR:PATH=%{_unitdir}
 
 make %{?jobs:-j%jobs}
 
@@ -86,9 +85,23 @@ mkdir -p %{buildroot}/%{vist_script_dir}
 
 cp data/script/*.sql %{buildroot}/%{vist_script_dir}
 
+%install_service sockets.target.wants %{name}.socket
+
 %clean
 rm -rf %{buildroot}
 
+%post
+rm -f %{vist_db_dir}/.%{name}.db*
+
+systemctl daemon-reload
+if [ $1 = 1 ]; then
+       systemctl start %{name}
+elif [ $1 = 2 ]; then
+       systemctl restart %{name}
+fi
+
+systemctl start %{name}
+
 %files
 %manifest %{name}.manifest
 %license LICENSE-Apache-2.0
@@ -96,6 +109,9 @@ rm -rf %{buildroot}
 %license LICENSE-MIT
 %{_bindir}/vist-cli
 %{_bindir}/vistd
+%{_unitdir}/vist.service
+%{_unitdir}/vist.socket
+%{_unitdir}/sockets.target.wants/vist.socket
 %{vist_script_dir}/*.sql
 %dir %attr(-, %{user_name}, %{group_name}) %{vist_db_dir}
 %dir %attr(-, %{user_name}, %{group_name}) %{vist_plugin_dir}
@@ -111,6 +127,10 @@ Requires: gtest
 %description test 
 Provides internal testcases for ViST implementation.
 
+%post test
+systemctl stop %{name}.socket
+systemctl restart %{name}.service
+
 %files test
 %{_bindir}/osquery-test
 %{_bindir}/vist-test
diff --git a/src/vist/policy/policy-storage.cpp b/src/vist/policy/policy-storage.cpp
index c4748f41560dfaedafd1a36b64967caa68266f89..d570f513d0fc9fc8f508a5c568fbcf0d415f643e 100644 (file)
--- a/src/vist/policy/policy-storage.cpp
+++ b/src/vist/policy/policy-storage.cpp
@@ -54,7 +54,9 @@ PolicyStorage::PolicyStorage(const std::string& path) :
        database(std::make_shared<database::Connection>(path))
 {
        database->exec("PRAGMA foreign_keys = ON;");
+       database->transactionBegin();
        database->exec(getScript(SCRIPT_CREATE_SCHEMA));
+       database->transactionEnd();
 
        sync();
 }
@@ -131,7 +133,7 @@ std::string PolicyStorage::getScript(const std::string& name)
 void PolicyStorage::define(const std::string& policy, const PolicyValue& ivalue)
 {
        if (this->definitions.find(policy) != this->definitions.end()) {
-               INFO(VIST) << "Policy is already defined: " << policy;
+               DEBUG(VIST) << "Policy is already defined: " << policy;
                return;
        }
 
@@ -143,7 +145,7 @@ void PolicyStorage::define(const std::string& policy, const PolicyValue& ivalue)
        stmt.bind(1, pd.name);
        stmt.bind(2, pd.ivalue);
        if (!stmt.exec())
-               THROW(ErrCode::RuntimeError) << "Failed to define policy: " << pd.name;
+               THROW(ErrCode::RuntimeError) << stmt.getErrorMessage();
 
        INFO(VIST) << "Policy defined >> name: " << pd.name << ", ivalue: " << pd.ivalue;
        this->definitions.emplace(pd.name, std::move(pd));
@@ -165,7 +167,7 @@ void PolicyStorage::enroll(const std::string& name)
        stmt.bind(1, admin.name);
        stmt.bind(2, admin.activated);
        if (!stmt.exec())
-               THROW(ErrCode::RuntimeError) << "Failed to enroll admin: " << name;
+               THROW(ErrCode::RuntimeError) << stmt.getErrorMessage();
 
        this->admins.emplace(admin.name, std::move(admin));
 
@@ -194,7 +196,7 @@ void PolicyStorage::disenroll(const std::string& name)
        database::Statement stmt(*database, query);
        stmt.bind(1, name);
        if (!stmt.exec())
-               THROW(ErrCode::RuntimeError) << "Failed to disenroll admin: " << name;
+               THROW(ErrCode::RuntimeError) << stmt.getErrorMessage();
 
        /// TODO: add TC
        this->syncPolicyManaged();
@@ -205,13 +207,14 @@ void PolicyStorage::activate(const std::string& admin, bool state)
        if (this->admins.find(admin) == this->admins.end())
                THROW(ErrCode::LogicError) << "Not exist admin: " << admin;
 
+       DEBUG(VIST) << "Activate admin: " << admin;
        std::string query = adminTable.update(&Admin::activated)
                                                                                 .where(expr(&Admin::name) == admin);
        database::Statement stmt(*this->database, query);
        stmt.bind(1, static_cast<int>(state));
        stmt.bind(2, admin);
        if (!stmt.exec())
-               THROW(ErrCode::RuntimeError) << "Failed to activate admin: " << admin;
+               THROW(ErrCode::RuntimeError) << stmt.getErrorMessage();
 
        this->admins[admin].activated = state;
        INFO(VIST) << "Admin[" << admin << "]'s activated value is set: " << state; 
@@ -246,7 +249,7 @@ void PolicyStorage::update(const std::string& admin,
        stmt.bind(2, admin);
        stmt.bind(3, policy);
        if (!stmt.exec())
-               THROW(ErrCode::RuntimeError) << "Failed to update policy:" << policy;
+               THROW(ErrCode::RuntimeError) << stmt.getErrorMessage();
 
        /// TODO: Fix to sync without db i/o
        this->syncPolicyManaged();
diff --git a/src/vist/service/vistd.cpp b/src/vist/service/vistd.cpp
index 0c16cffb4c68288d1e9c41c8a9b83e5558657f10..a2c466137a7f0c9ea29c1a0bb0888d6aaaec5869 100644 (file)
--- a/src/vist/service/vistd.cpp
+++ b/src/vist/service/vistd.cpp
@@ -16,9 +16,10 @@
 
 #include "vistd.hpp"
 
-#include <vist/rmi/gateway.hpp>
-#include <vist/logger.hpp>
 #include <vist/exception.hpp>
+#include <vist/logger.hpp>
+#include <vist/policy/policy-manager.hpp>
+#include <vist/rmi/gateway.hpp>
 
 #include <osquery/registry_interface.h>
 #include <osquery/sql.h>
@@ -37,8 +38,10 @@ Vistd::Vistd()
 void Vistd::start()
 {
        INFO(VIST) << "Vistd daemon starts.";
-       rmi::Gateway gateway(SOCK_ADDR);
 
+       policy::PolicyManager::Instance();
+
+       rmi::Gateway gateway(SOCK_ADDR);
        EXPOSE(gateway, this, &Vistd::query);
        gateway.start();
 }
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
new file mode 100644 (file)
index 0000000..009d383
--- /dev/null
+++ b/systemd/CMakeLists.txt
@@ -0,0 +1,16 @@
+# Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+INSTALL(FILES vist.service vist.socket
+               DESTINATION ${SYSTEMD_UNIT_DIR})
diff --git a/systemd/vist.service b/systemd/vist.service
new file mode 100644 (file)
index 0000000..824dfc4
--- /dev/null
+++ b/systemd/vist.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Virtual Security Table service
+
+[Service]
+User=security_fw
+Group=security_fw
+SmackProcessLabel=System
+ExecStart=/bin/vistd
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
diff --git a/systemd/vist.socket b/systemd/vist.socket
new file mode 100644 (file)
index 0000000..8c8d462
--- /dev/null
+++ b/systemd/vist.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=Virtual Security Table socket
+
+[Socket]
+ListenStream=/tmp/.vist
+SocketMode=0777
+SmackLabelIPIn=*
+SmackLabelIPOut=@
+
+[Install]
+WantedBy=sockets.target
Domain: Security / Utilities;