Secure all critical sockets with smack label.

[Issue#]     721
[Bug]        Sockets were not secured.
[Cause]      We need to wait for platform developers to adopt.
[Solution]   All critical sockets were secured.

[Verification] Build, run tests.

Change-Id: Ide775b00427b4848718e16e0b60aec2c4368fc7d

diff --git a/src/server/service/cookie.cpp b/src/server/service/cookie.cpp
index a7a8c92..74d714e 100644 (file)
--- a/src/server/service/cookie.cpp
+++ b/src/server/service/cookie.cpp
@@ -42,7 +42,7 @@ namespace SecurityServer {
 
 GenericSocketService::ServiceDescriptionVector CookieService::GetServiceDescription() {
     return ServiceDescriptionVector {
-        {SERVICE_SOCKET_COOKIE_GET,       "security-server::api-cookie-get",   INTERFACE_GET },
+        {SERVICE_SOCKET_COOKIE_GET,       "*",   INTERFACE_GET },
         {SERVICE_SOCKET_COOKIE_CHECK,     "security-server::api-cookie-check", INTERFACE_CHECK},
         {SERVICE_SOCKET_COOKIE_CHECK_TMP, "security-server::api-cookie-check", INTERFACE_CHECK_TMP}
     };

diff --git a/src/server/service/get-gid.cpp b/src/server/service/get-gid.cpp
index 86ca202..a0e1b23 100644 (file)
--- a/src/server/service/get-gid.cpp
+++ b/src/server/service/get-gid.cpp
@@ -38,7 +38,7 @@ namespace SecurityServer {
 
 GenericSocketService::ServiceDescriptionVector GetGidService::GetServiceDescription() {
     return ServiceDescriptionVector
-        {{SERVICE_SOCKET_GET_GID, "*"}};
+        {{SERVICE_SOCKET_GET_GID, "security-server::api-get-gid"}};
 }
 
 void GetGidService::accept(const AcceptEvent &event) {

diff --git a/src/server/service/privilege-by-pid.cpp b/src/server/service/privilege-by-pid.cpp
index 1a30172..bcb8659 100644 (file)
--- a/src/server/service/privilege-by-pid.cpp
+++ b/src/server/service/privilege-by-pid.cpp
@@ -39,9 +39,8 @@
 namespace SecurityServer {
 
 GenericSocketService::ServiceDescriptionVector PrivilegeByPidService::GetServiceDescription() {
-    //TODO: after enabled smack protection for api use "security-server::api-privilege-by-pid"
     return ServiceDescriptionVector
-        {{SERVICE_SOCKET_PRIVILEGE_BY_PID, "*" }};
+        {{SERVICE_SOCKET_PRIVILEGE_BY_PID, "security-server::api-privilege-by-pid" }};
 }
 
 void PrivilegeByPidService::accept(const AcceptEvent &event) {

diff --git a/systemd/security-server-cookie-check.socket b/systemd/security-server-cookie-check.socket
index 43bb7fb..dda1291 100644 (file)
--- a/systemd/security-server-cookie-check.socket
+++ b/systemd/security-server-cookie-check.socket
@@ -1,8 +1,7 @@
 [Socket]
 ListenStream=/tmp/.security-server-api-cookie-check.sock
 SocketMode=0777
-#SmackLabelIPIn=security-server::api-cookie-check
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-cookie-check
 SmackLabelIPOut=@
 
 Service=security-server.service

diff --git a/systemd/security-server-cookie-get.socket b/systemd/security-server-cookie-get.socket
index 2395406..754361b 100644 (file)
--- a/systemd/security-server-cookie-get.socket
+++ b/systemd/security-server-cookie-get.socket
@@ -1,7 +1,6 @@
 [Socket]
 ListenStream=/tmp/.security-server-api-cookie-get.sock
 SocketMode=0777
-#SmackLabelIPIn=security-server::api-cookie-get
 SmackLabelIPIn=*
 SmackLabelIPOut=@
 

diff --git a/systemd/security-server-get-gid.socket b/systemd/security-server-get-gid.socket
index c9006e3..9a3ce8b 100644 (file)
--- a/systemd/security-server-get-gid.socket
+++ b/systemd/security-server-get-gid.socket
@@ -1,8 +1,7 @@
 [Socket]
 ListenStream=/tmp/.security-server-api-get-gid.sock
 SocketMode=0777
-#SmackLabelIPIn=security-server::api-get-gid
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-get-gid
 SmackLabelIPOut=@
 
 Service=security-server.service

diff --git a/systemd/security-server-password-check.socket b/systemd/security-server-password-check.socket
index 9fde225..60274be 100644 (file)
--- a/systemd/security-server-password-check.socket
+++ b/systemd/security-server-password-check.socket
@@ -1,8 +1,7 @@
 [Socket]
 ListenStream=/tmp/.security-server-api-password-check.sock
 SocketMode=0777
-#SmackLabelIPIn=security-server::api-password-check
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-password-check
 SmackLabelIPOut=@
 
 Service=security-server.service

diff --git a/systemd/security-server-password-reset.socket b/systemd/security-server-password-reset.socket
index 5db1f0f..7e1dc5f 100644 (file)
--- a/systemd/security-server-password-reset.socket
+++ b/systemd/security-server-password-reset.socket
@@ -1,8 +1,7 @@
 [Socket]
 ListenStream=/tmp/.security-server-api-password-reset.sock
 SocketMode=0777
-#SmackLabelIPIn=security-server::api-password-reset
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-password-reset
 SmackLabelIPOut=@
 
 Service=security-server.service

diff --git a/systemd/security-server-password-set.socket b/systemd/security-server-password-set.socket
index 6f2137e..0e97a6f 100644 (file)
--- a/systemd/security-server-password-set.socket
+++ b/systemd/security-server-password-set.socket
@@ -1,8 +1,7 @@
 [Socket]
 ListenStream=/tmp/.security-server-api-password-set.sock
 SocketMode=0777
-#SmackLabelIPIn=security-server::api-password-set
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-password-set
 SmackLabelIPOut=@
 
 Service=security-server.service

diff --git a/systemd/security-server-privilege-by-pid.socket b/systemd/security-server-privilege-by-pid.socket
index 8907897..e805c3f 100644 (file)
--- a/systemd/security-server-privilege-by-pid.socket
+++ b/systemd/security-server-privilege-by-pid.socket
@@ -1,8 +1,7 @@
 [Socket]
 ListenStream=/tmp/.security-server-api-privilege-by-pid.sock
 SocketMode=0777
-#SmackLabelIPIn=security-server::api-privilege-by-pid
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-privilege-by-pid
 SmackLabelIPOut=@
 
 Service=security-server.service