Secure all critical sockets with smack label.

author Bartlomiej Grzelewski <b.grzelewski@samsung.com>

Thu, 12 Dec 2013 17:06:49 +0000 (18:06 +0100)

committer Bartlomiej Grzelewski <b.grzelewski@samsung.com>

Thu, 6 Feb 2014 16:13:25 +0000 (17:13 +0100)
author Bartlomiej Grzelewski <b.grzelewski@samsung.com>
Thu, 12 Dec 2013 17:06:49 +0000 (18:06 +0100)
committer Bartlomiej Grzelewski <b.grzelewski@samsung.com>
Thu, 6 Feb 2014 16:13:25 +0000 (17:13 +0100)
diff --git a/src/server/service/cookie.cpp b/src/server/service/cookie.cpp

index a7a8c92f329a251bca41e3e3806a8abfbd4fcf10..74d714ee864ae7689a65fc5eafded48a314204b0 100644 (file)
--- a/src/server/service/cookie.cpp
+++ b/src/server/service/cookie.cpp
@@ -42,7 +42,7 @@ namespace SecurityServer {
  
  GenericSocketService::ServiceDescriptionVector CookieService::GetServiceDescription() {
      return ServiceDescriptionVector {
-        {SERVICE_SOCKET_COOKIE_GET,       "security-server::api-cookie-get",   INTERFACE_GET },
+        {SERVICE_SOCKET_COOKIE_GET,       "*",   INTERFACE_GET },
          {SERVICE_SOCKET_COOKIE_CHECK,     "security-server::api-cookie-check", INTERFACE_CHECK},
          {SERVICE_SOCKET_COOKIE_CHECK_TMP, "security-server::api-cookie-check", INTERFACE_CHECK_TMP}
      };
diff --git a/src/server/service/get-gid.cpp b/src/server/service/get-gid.cpp

index 86ca202a5a0a2e42ff2990dd436392885dc16ea8..a0e1b23ec3b24f8eed6693c77def2fe0d62af651 100644 (file)
--- a/src/server/service/get-gid.cpp
+++ b/src/server/service/get-gid.cpp
@@ -38,7 +38,7 @@ namespace SecurityServer {
  
  GenericSocketService::ServiceDescriptionVector GetGidService::GetServiceDescription() {
      return ServiceDescriptionVector
-        {{SERVICE_SOCKET_GET_GID, "*"}};
+        {{SERVICE_SOCKET_GET_GID, "security-server::api-get-gid"}};
  }
  
  void GetGidService::accept(const AcceptEvent &event) {
diff --git a/src/server/service/privilege-by-pid.cpp b/src/server/service/privilege-by-pid.cpp

index 1a30172c54943c2473c256fdbc97f7926b067fb9..bcb8659e5f167cfe52e7486f7497c109207ca87f 100644 (file)
--- a/src/server/service/privilege-by-pid.cpp
+++ b/src/server/service/privilege-by-pid.cpp
@@ -39,9 +39,8 @@
  namespace SecurityServer {
  
  GenericSocketService::ServiceDescriptionVector PrivilegeByPidService::GetServiceDescription() {
-    //TODO: after enabled smack protection for api use "security-server::api-privilege-by-pid"
      return ServiceDescriptionVector
-        {{SERVICE_SOCKET_PRIVILEGE_BY_PID, "*" }};
+        {{SERVICE_SOCKET_PRIVILEGE_BY_PID, "security-server::api-privilege-by-pid" }};
  }
  
  void PrivilegeByPidService::accept(const AcceptEvent &event) {
diff --git a/systemd/security-server-cookie-check.socket b/systemd/security-server-cookie-check.socket

index 43bb7fb073ee331f19a2a54c9dc6417e3a40aae0..dda129194b7c025bf652f3866bcda16849b3dff5 100644 (file)
--- a/systemd/security-server-cookie-check.socket
+++ b/systemd/security-server-cookie-check.socket
@@ -1,8 +1,7 @@
  [Socket]
  ListenStream=/tmp/.security-server-api-cookie-check.sock
  SocketMode=0777
-#SmackLabelIPIn=security-server::api-cookie-check
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-cookie-check
  SmackLabelIPOut=@
  
  Service=security-server.service
diff --git a/systemd/security-server-cookie-get.socket b/systemd/security-server-cookie-get.socket

index 2395406fc5344ae2c53953991ad128fa21ae498e..754361ba4053378b0d99c85edbf15650b5ea5591 100644 (file)
--- a/systemd/security-server-cookie-get.socket
+++ b/systemd/security-server-cookie-get.socket
@@ -1,7 +1,6 @@
  [Socket]
  ListenStream=/tmp/.security-server-api-cookie-get.sock
  SocketMode=0777
-#SmackLabelIPIn=security-server::api-cookie-get
  SmackLabelIPIn=*
  SmackLabelIPOut=@
  
diff --git a/systemd/security-server-get-gid.socket b/systemd/security-server-get-gid.socket

index c9006e3e44756a7751e1de1cf7f90402db425e91..9a3ce8b71b73c819689b192bd9507aa45d5ef234 100644 (file)
--- a/systemd/security-server-get-gid.socket
+++ b/systemd/security-server-get-gid.socket
@@ -1,8 +1,7 @@
  [Socket]
  ListenStream=/tmp/.security-server-api-get-gid.sock
  SocketMode=0777
-#SmackLabelIPIn=security-server::api-get-gid
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-get-gid
  SmackLabelIPOut=@
  
  Service=security-server.service
diff --git a/systemd/security-server-password-check.socket b/systemd/security-server-password-check.socket

index 9fde225ca30ce428bff2a3047b873c8ac304ca72..60274bebfe0735afe8add127233ff40068abcf43 100644 (file)
--- a/systemd/security-server-password-check.socket
+++ b/systemd/security-server-password-check.socket
@@ -1,8 +1,7 @@
  [Socket]
  ListenStream=/tmp/.security-server-api-password-check.sock
  SocketMode=0777
-#SmackLabelIPIn=security-server::api-password-check
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-password-check
  SmackLabelIPOut=@
  
  Service=security-server.service
diff --git a/systemd/security-server-password-reset.socket b/systemd/security-server-password-reset.socket

index 5db1f0f70d116d1b8119597e07a1d4a3ecc7266a..7e1dc5ff7ccf4b4394e17bb42ef89baebe141b9f 100644 (file)
--- a/systemd/security-server-password-reset.socket
+++ b/systemd/security-server-password-reset.socket
@@ -1,8 +1,7 @@
  [Socket]
  ListenStream=/tmp/.security-server-api-password-reset.sock
  SocketMode=0777
-#SmackLabelIPIn=security-server::api-password-reset
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-password-reset
  SmackLabelIPOut=@
  
  Service=security-server.service
diff --git a/systemd/security-server-password-set.socket b/systemd/security-server-password-set.socket

index 6f2137e87676c69f497e9739fa7a2bd449a2632f..0e97a6f88f9cb95629f98805ba0935560fb4dbe8 100644 (file)
--- a/systemd/security-server-password-set.socket
+++ b/systemd/security-server-password-set.socket
@@ -1,8 +1,7 @@
  [Socket]
  ListenStream=/tmp/.security-server-api-password-set.sock
  SocketMode=0777
-#SmackLabelIPIn=security-server::api-password-set
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-password-set
  SmackLabelIPOut=@
  
  Service=security-server.service
diff --git a/systemd/security-server-privilege-by-pid.socket b/systemd/security-server-privilege-by-pid.socket

index 8907897d71511e2ffa5cf85b1918e46563c5a29a..e805c3fc74a5d30998ef8f5e5fd92372adfea45d 100644 (file)
--- a/systemd/security-server-privilege-by-pid.socket
+++ b/systemd/security-server-privilege-by-pid.socket
@@ -1,8 +1,7 @@
  [Socket]
  ListenStream=/tmp/.security-server-api-privilege-by-pid.sock
  SocketMode=0777
-#SmackLabelIPIn=security-server::api-privilege-by-pid
-SmackLabelIPIn=*
+SmackLabelIPIn=security-server::api-privilege-by-pid
  SmackLabelIPOut=@
  
  Service=security-server.service
author	Bartlomiej Grzelewski <b.grzelewski@samsung.com>
	Thu, 12 Dec 2013 17:06:49 +0000 (18:06 +0100)
committer	Bartlomiej Grzelewski <b.grzelewski@samsung.com>
	Thu, 6 Feb 2014 16:13:25 +0000 (17:13 +0100)
src/server/service/cookie.cpp		patch \| blob \| history
src/server/service/get-gid.cpp		patch \| blob \| history
src/server/service/privilege-by-pid.cpp		patch \| blob \| history
systemd/security-server-cookie-check.socket		patch \| blob \| history
systemd/security-server-cookie-get.socket		patch \| blob \| history
systemd/security-server-get-gid.socket		patch \| blob \| history
systemd/security-server-password-check.socket		patch \| blob \| history
systemd/security-server-password-reset.socket		patch \| blob \| history
systemd/security-server-password-set.socket		patch \| blob \| history
systemd/security-server-privilege-by-pid.socket		patch \| blob \| history