STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}")
ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"")
+
ADD_DEFINITIONS("-DSMACK_ENABLED")
IF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
SET(TARGET_SECURITY_CLIENT "security-server-client")
SET(TARGET_SERVER_COMMON "security-server-commons")
-INSTALL(FILES
- ${CMAKE_SOURCE_DIR}/packaging/libsecurity-server-client.manifest
- ${CMAKE_SOURCE_DIR}/packaging/security-server.manifest
- DESTINATION
- /usr/share
-)
-
ADD_SUBDIRECTORY(src)
ADD_SUBDIRECTORY(build)
ADD_SUBDIRECTORY(systemd)
<manifest>
- <define>
- <domain name="security-server" />
- <provide>
- <label name="security-server::daemon" />
- <label name="security-server::db" />
- <label name="security-server::api-app-permissions" />
- <label name="security-server::api-app-privilege-by-name" />
- <label name="security-server::api-cookie-check" />
- <label name="security-server::api-cookie-get" />
- <label name="security-server::api-data-share" />
- <label name="security-server::api-privilege-by-pid" />
- <label name="security-server::api-get-smacklabel-socket" />
- <label name="security-server::api-get-object-name" />
- <label name="security-server::api-get-gid" />
- <label name="security-server::api-password-check" />
- <label name="security-server::api-password-set" />
- <label name="security-server::api-password-reset" />
- <label name="security-server::api-open-for" />
- <label name="security-server::audit-files" />
- </provide>
- </define>
- <request>
- <domain name="_" />
- </request>
- <assign>
- <filesystem path="/etc/security/security-server-audit.conf" label="security-server::audit-files" />
- <filesystem path="/usr/bin/security-server" label="security-server" exec_label="security-server"/>
- </assign>
+ <request>
+ <domain name="_"/>
+ </request>
</manifest>
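Review bot: Removing the `<define>` and `<assign>` blocks drops the `security-server` label and `exec_label` from `/usr/bin/security-server` and the `security-server::audit-files` label from `/etc/security/security-server-audit.conf`, leaving only the request for the floor domain `_`. Unless those labels are assigned somewhere not shown in this diff, the daemon no longer runs in its own Smack domain and its audit configuration is no longer separated from other floor-labelled files. If that is intended, record it in the manifest with a comment such as `<!-- no private Smack domain: daemon and its files use the floor label "_" -->`. The commit description should also say what now protects the audit configuration.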
Name: security-server
Summary: Security server and utilities
-Version: 0.0.73
+Version: 0.0.118
Release: 1
Group: Security/Service
License: Apache-2.0
Source0: %{name}-%{version}.tar.gz
+Source1: security-server.manifest
+Source2: libsecurity-server-client.manifest
BuildRequires: cmake
BuildRequires: zip
BuildRequires: pkgconfig(dlog)
BuildRequires: pkgconfig(openssl)
BuildRequires: libattr-devel
BuildRequires: pkgconfig(libsmack)
-Requires(preun): systemd
-Requires(post): systemd
-Requires(postun): systemd
BuildRequires: pkgconfig(libprivilege-control)
BuildRequires: pkgconfig(libsystemd-daemon)
%{?systemd_requires}
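Review bot: After the three `Requires(preun|post|postun): systemd` lines are removed, the scriptlet dependency on systemd rests entirely on `%{?systemd_requires}`, which expands to nothing when the macro is undefined in the build environment. If every targeted build root defines the macro, a comment above it such as `# systemd_requires supplies Requires(post/preun/postun): systemd` would make that assumption explicit. Otherwise keep the explicit lines as a fallback.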
%prep
%setup -q
-cp %{SOURCE1001} .
+cp %{SOURCE1} .
+cp %{SOURCE2} .
%build
%if 0%{?sec_build_binary_debug_enable}
%postun -n libsecurity-server-client -p /sbin/ldconfig
%files -n security-server
-%manifest %{_datadir}/security-server.manifest
+%manifest security-server.manifest
+%defattr(-,root,root,-)
%attr(755,root,root) /usr/bin/security-server
%{_libdir}/libsecurity-server-commons.so.*
%attr(-,root,root) /usr/lib/systemd/system/multi-user.target.wants/security-server.service
%{_datadir}/license/%{name}
%files -n libsecurity-server-client
-%manifest %{name}.manifest
+%manifest libsecurity-server-client.manifest
%defattr(-,root,root,-)
%{_libdir}/libsecurity-server-client.so.*
%{_datadir}/license/libsecurity-server-client
#include <security-server.h>
-//static int get_exec_path(pid_t pid, std::string &exe)
-//{
-// using namespace SecurityServer;
-//
-// try{
-// MessageBuffer send, recv;
-// Serialization::Serialize(send, pid);
-//
-// int result = sendToServer(
-// SERVICE_SOCKET_EXEC_PATH,
-// send.Pop(),
-// recv);
-// if(result != SECURITY_SERVER_API_SUCCESS)
-// return result;
-//
-// Deserialization::Deserialize(recv, result);
-// if(result != SECURITY_SERVER_API_SUCCESS)
-// return result;
-//
-// Deserialization::Deserialize(recv, exe);
-// return result;
-// } catch (MessageBuffer::Exception::Base &e) {
-// LogDebug("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
-// } catch (std::exception &e) {
-// LogDebug("STD exception " << e.what());
-// } catch (...) {
-// LogDebug("Unknown exception occured");
-// }
-// return SECURITY_SERVER_API_ERROR_UNKNOWN;
-//}
-
SECURITY_SERVER_API
int security_server_check_privilege_by_sockfd(int sockfd,
const char *object,
return SECURITY_SERVER_API_ERROR_SOCKET;
}
- ret = security_server_check_privilege_by_pid(cr.pid, object, access_rights);
-
- //Getting path for logs
-// if (SECURITY_SERVER_API_SUCCESS != get_exec_path(cr.pid, path)) {
-// LogError("Failed to read executable path for process " << cr.pid);
-// }
-//
-// if (ret == SECURITY_SERVER_API_SUCCESS)
-// LogSecureDebug("SS_SMACK: caller_pid=" << cr.pid << ", subject=" <<
-// (subjectPtr.get() ? subjectPtr.get() : "NULL") << ", object=" <<
-// object << ", access=" << access_rights << ", result=" <<
-// ret << ", caller_path=" << path.c_str());
-// else
-// LogSecureWarning("SS_SMACK: caller_pid=" << cr.pid << ", subject=" <<
-// (subjectPtr.get() ? subjectPtr.get() : "NULL") << ", object=" <<
-// object << ", access=" << access_rights << ", result=" <<
-// ret << ", caller_path=" << path.c_str());
-
- return ret;
+ return security_server_check_privilege_by_pid(cr.pid, object, access_rights);
}
SECURITY_SERVER_API
unsigned int algorithm;
Deserialization::Deserialize(stream, algorithm);
switch (algorithm) {
- case IPassword::PasswordType::NONE:
+ case (unsigned int)IPassword::PasswordType::NONE:
ptr.reset(new NoPassword());
break;
- case IPassword::PasswordType::SHA256:
+ case (unsigned int)IPassword::PasswordType::SHA256:
ptr.reset(new SHA256Password(stream));
break;
default:
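Review bot: The two new `case` labels use C-style casts; `case static_cast<unsigned int>(IPassword::PasswordType::NONE):` and the matching `SHA256` form state the intent and are easier to search for. Because `algorithm` is deserialized from the stream just above, a short comment before the `switch` noting that the value comes from stored data and that unknown values must be rejected would help the next reader. The body of `default:` and the rest of the enclosing function lie outside this hunk, so confirm there that an unrecognised value fails closed.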
LogDebug("SMACK is not available. Subject label has not been read.");
retval = 1;
}
-// char *path = read_exe_path_from_proc(pid);
-//
-// if (retval > 0)
-// LogDebug("SS_SMACK: "
-// << "caller_pid=" << pid
-// << ", subject=" << subject
-// << ", object=" << object
-// << ", access=" << access_rights
-// << ", result=" << retval
-// << ", caller_path=" << path);
-// else
-// LogError("SS_SMACK: "
-// << "caller_pid=" << pid
-// << ", subject=" << subject
-// << ", object=" << object
-// << ", access=" << access_rights
-// << ", result=" << retval
-// << ", caller_path=" << path);
-//
-// if (path != NULL)
-// free(path);
-
if (retval == 1) //there is permission
retCode = SECURITY_SERVER_API_SUCCESS;
<< ", object=" << object
<< ", access=" << access_rights
<< ", result=" << retval
- << ", caller_path=" << (path ? path : ""));
+ << ", caller_path=" << (path ? path : "" ));
free(path);
}
[Socket]
ListenStream=/tmp/.security-server-api-app-permissions.sock
SocketMode=0777
-SmackLabelIPIn=security-server::api-app-permissions
+SmackLabelIPIn=*
SmackLabelIPOut=@
Service=security-server.service
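Review bot: Replacing `SmackLabelIPIn=security-server::api-app-permissions` with `SmackLabelIPIn=*` removes the only mandatory access control on this socket. With `SocketMode=0777`, a local process with any Smack label can now connect. The same change is made in the nine socket units that follow, including the password-check, password-set and password-reset sockets. If the daemon now authorizes each caller itself from peer credentials, that is not visible in this diff and should be stated above the line, e.g. `# Open to all labels; caller authorization is done per request in the daemon`. Otherwise keep a restricting label, at least on the password sockets.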
[Socket]
ListenStream=/tmp/.security-server-api-app-privilege-by-name.sock
SocketMode=0777
-SmackLabelIPIn=security-server::api-app-privilege-by-name
+SmackLabelIPIn=*
SmackLabelIPOut=@
Service=security-server.service
[Socket]
ListenStream=/tmp/.security-server-api-cookie-check.sock
SocketMode=0777
-SmackLabelIPIn=security-server::api-cookie-check
+SmackLabelIPIn=*
SmackLabelIPOut=@
Service=security-server.service
[Socket]
ListenStream=/tmp/.security-server-api-data-share.sock
SocketMode=0777
-SmackLabelIPIn=security-server::api-data-share
+SmackLabelIPIn=*
SmackLabelIPOut=@
Service=security-server.service
[Socket]
ListenStream=/tmp/.security-server-api-get-gid.sock
SocketMode=0777
-SmackLabelIPIn=security-server::api-get-gid
+SmackLabelIPIn=*
SmackLabelIPOut=@
Service=security-server.service
[Socket]
ListenStream=/tmp/.security-server-api-open-for.sock
SocketMode=0777
-SmackLabelIPIn=security-server::api-open-for
+SmackLabelIPIn=*
SmackLabelIPOut=@
Service=security-server.service
[Socket]
ListenStream=/tmp/.security-server-api-password-check.sock
SocketMode=0777
-SmackLabelIPIn=security-server::api-password-check
+SmackLabelIPIn=*
SmackLabelIPOut=@
Service=security-server.service
[Socket]
ListenStream=/tmp/.security-server-api-password-reset.sock
SocketMode=0777
-SmackLabelIPIn=security-server::api-password-reset
+SmackLabelIPIn=*
SmackLabelIPOut=@
Service=security-server.service
[Socket]
ListenStream=/tmp/.security-server-api-password-set.sock
SocketMode=0777
-SmackLabelIPIn=security-server::api-password-set
+SmackLabelIPIn=*
SmackLabelIPOut=@
Service=security-server.service
[Socket]
ListenStream=/tmp/.security-server-api-privilege-by-pid.sock
SocketMode=0777
-SmackLabelIPIn=security-server::api-privilege-by-pid
+SmackLabelIPIn=*
SmackLabelIPOut=@
Service=security-server.service