From: Bartlomiej Grzelewski Date: Wed, 5 Mar 2014 16:03:36 +0000 (+0100) Subject: Remove services open-for and app-permissions. X-Git-Tag: submit/tizen/20140307.131547^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ed1815535d0383bc343bb92062fe934b44f4e53d;p=platform%2Fcore%2Fsecurity%2Fsecurity-server.git Remove services open-for and app-permissions. [Issue#] N/A [Bug] N/A [Cause] This services were not used on tizen.org [Solution] N/A [Verification] N/A Change-Id: Iae627af04af789fd3219ce85c3e5131f112dbb08
---
diff --git a/packaging/security-server.spec b/packaging/security-server.spec
index 4bca923..9ab700f 100644
--- a/packaging/security-server.spec
+++ b/packaging/security-server.spec
@@ -12,6 +12,7 @@ BuildRequires: zip
 BuildRequires: pkgconfig(dlog)
 BuildRequires: pkgconfig(openssl)
 BuildRequires: libattr-devel
+BuildRequires: libcap-devel
 BuildRequires: pkgconfig(libsmack)
 BuildRequires: pkgconfig(libprivilege-control)
 BuildRequires: pkgconfig(libsystemd-daemon)
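Review bot: The added `BuildRequires: libcap-devel` is not accounted for anywhere in the commit description, which only speaks of removing the open-for and app-permissions services. The same holds for the two other additions in src/CMakeLists.txt, `smack-common.cpp` and `-lcap`; presumably the new source file is what needs libcap, but nothing visible here says so. For a security daemon a new capability-handling dependency deserves one explicit line, for example a spec comment above it such as `# libcap: required by <consumer>, linked via -lcap in src/CMakeLists.txt`, with the placeholder filled in by the author, plus a matching sentence in the description.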
@@ -89,11 +90,9 @@ ln -s ../security-server.service %{buildroot}/usr/lib/systemd/system/multi-user.
 ln -s ../security-server-data-share.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-data-share.socket
 ln -s ../security-server-get-gid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-get-gid.socket
 ln -s ../security-server-privilege-by-pid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
-ln -s ../security-server-app-permissions.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-permissions.socket
 ln -s ../security-server-cookie-get.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
 ln -s ../security-server-cookie-check.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
 ln -s ../security-server-app-privilege-by-name.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket
-ln -s ../security-server-open-for.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-open-for.socket
 ln -s ../security-server-password-check.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-password-check.socket
 ln -s ../security-server-password-set.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-password-set.socket
 ln -s ../security-server-password-reset.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-password-reset.socket
@@ -143,16 +142,12 @@ fi
 %attr(-,root,root) /usr/lib/systemd/system/security-server-get-gid.socket
 %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
 %attr(-,root,root) /usr/lib/systemd/system/security-server-privilege-by-pid.socket
-%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-app-permissions.socket
-%attr(-,root,root) /usr/lib/systemd/system/security-server-app-permissions.socket
 %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
 %attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-get.socket
 %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
 %attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-check.socket
 %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket
 %attr(-,root,root) /usr/lib/systemd/system/security-server-app-privilege-by-name.socket
-%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-open-for.socket
-%attr(-,root,root) /usr/lib/systemd/system/security-server-open-for.socket
 %attr(-,root,root) /etc/security/security-server-audit.conf
 %attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-password-check.socket
 %attr(-,root,root) /usr/lib/systemd/system/security-server-password-check.socket
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 15fb946..b0270d4 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -17,17 +17,15 @@ SET(SECURITY_SERVER_SOURCES
 ${SERVER2_PATH}/main/server2-main.cpp
 ${SERVER2_PATH}/service/data-share.cpp
 ${SERVER2_PATH}/service/get-gid.cpp
- ${SERVER2_PATH}/service/app-permissions.cpp
 ${SERVER2_PATH}/service/cookie.cpp
 ${SERVER2_PATH}/service/cookie-jar.cpp
 ${SERVER2_PATH}/service/cookie-common.cpp
 ${SERVER2_PATH}/service/privilege-by-pid.cpp
- ${SERVER2_PATH}/service/open-for.cpp
- ${SERVER2_PATH}/service/open-for-manager.cpp
 ${SERVER2_PATH}/service/password.cpp
 ${SERVER2_PATH}/service/password-file.cpp
 ${SERVER2_PATH}/service/password-manager.cpp
 ${SERVER2_PATH}/service/password-file-buffer.cpp
+ ${SERVER2_PATH}/service/smack-common.cpp
 )
 SET_SOURCE_FILES_PROPERTIES(
@@ -53,6 +51,7 @@ ADD_EXECUTABLE(${TARGET_SECURITY_SERVER} ${SECURITY_SERVER_SOURCES})
 TARGET_LINK_LIBRARIES(${TARGET_SECURITY_SERVER}
 ${SECURITY_SERVER_DEP_LIBRARIES}
 ${TARGET_SERVER_COMMON}
+ -lcap
 )
 ################################################################################
@@ -71,11 +70,9 @@ SET(SECURITY_CLIENT_SOURCES
 ${SERVER2_PATH}/client/client-common.cpp
 ${SERVER2_PATH}/client/client-shared-memory.cpp
 ${SERVER2_PATH}/client/client-get-gid.cpp
- ${SERVER2_PATH}/client/client-app-permissions.cpp
 ${SERVER2_PATH}/client/client-cookie.cpp
 ${SERVER2_PATH}/client/client-privilege-by-pid.cpp
 ${SERVER2_PATH}/client/client-socket-privilege.cpp
- ${SERVER2_PATH}/client/client-open-for.cpp
 ${SERVER2_PATH}/client/client-password.cpp
 )
diff --git a/src/include/security-server.h b/src/include/security-server.h
index 9d3c2bc..d9971fa 100644
--- a/src/include/security-server.h
+++ b/src/include/security-server.h
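Review bot: Dropping `app-permissions.cpp` from SECURITY_SERVER_SOURCES appears to leave the app-privilege-by-name endpoint with no server side, yet the rest of the commit keeps that endpoint wired up. The spec hunks still link and package `security-server-app-privilege-by-name.socket` under sockets.target.wants, and protocols.cpp/.h keep `SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME`, while its only visible users (`security_server_app_has_privilege`, `security_server_app_caller_has_privilege`, `PrivilegeCheckHdrs`) are deleted. If none of the services still registered in server2-main.cpp claims that socket, systemd keeps listening on an endpoint nothing handles, which is attack surface without function. Either remove the socket unit, its `ln -s` and `%attr` lines and the constant in this same commit, or state in the description which service still serves it.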
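Review bot: `-lcap` is handed to TARGET_LINK_LIBRARIES as a raw linker flag, so CMake never checks at configure time that libcap is present and a missing library only shows up as a link error. Resolving it explicitly is more robust, e.g. `FIND_LIBRARY(CAP_LIBRARY NAMES cap)` alongside the other dependency checks, a `MESSAGE(FATAL_ERROR ...)` when it is not found, and `${CAP_LIBRARY}` in place of `-lcap`. The dependency setup of this file lies outside the hunk, so where exactly the lookup belongs has to be confirmed there.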
@@ -75,14 +75,6 @@
 /*! \brief indicating the response from Security Server is malformed */
 #define SECURITY_SERVER_API_ERROR_BAD_RESPONSE -3
-/*! \brief indicating the transmitting request has been failed */
-/* deprecated unused */
-#define SECURITY_SERVER_API_ERROR_SEND_FAILED -4
-
-/*! \brief indicating the receiving response has been failed */
-/* deprecated unused */
-#define SECURITY_SERVER_API_ERROR_RECV_FAILED -5
-
 /*! \brief indicating requesting object is not exist */
 #define SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT -6
@@ -974,169 +966,6 @@ int security_server_check_privilege_by_pid(int pid, const char *object, const ch
 int security_server_check_privilege_by_sockfd(int sockfd, const char *object, const char *access_rights);
-/*
- * This function allows middleware to enable permissions for specified app_id.
- *
- * \param[in] Application ID
- * \param[in] Application type defined in enum at the beginning of this file
- * \param[in] Permissions list
- * \param[in] Persistent
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: " security-server::api-app-permissions w"
- */
-int security_server_app_enable_permissions(const char *app_id, app_type_t app_type, const char **perm_list, int persistent);
-
-/*
- * This function allows middleware to disable permissions for specified app_id.
- *
- * \param[in] Application ID
- * \param[in] Application type defined in enum at the beginning of this file
- * \param[in] Permissions list
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: " security-server::api-app-permissions w"
- */
-int security_server_app_disable_permissions(const char *app_id, app_type_t app_type, const char **perm_list);
-
-/*
- * This function allows middleware to get UID assigned to cookie
- *
- * \param[in] Cookie
- * \param[out] Handler to store UID
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: " security-server::api-cookie-check w"
- */
-int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
-
-/*
- * This function allows middleware to check if an app has the specified privilege
- * enabled.
- *
- * \param[in] Application ID
- * \param[in] Application type
- * \param[in] Privilege name
- * \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: " security-server::api-app-privilege-by-name w"
- */
-int security_server_app_has_privilege(const char *app_id,
- app_type_t app_type,
- const char *privilege_name,
- int *result);
-
-/*
- * This function allows middleware to check if caller app has the specified privilege
- * enabled. Security Server gets caller app smack label from the IPC socket.
- *
- * \param[in] Application type
- * \param[in] Privilege name
- * \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: " security-server::api-app-privilege-by-name w"
- */
-int security_server_app_caller_has_privilege(app_type_t app_type,
- const char *privilege_name,
- int *result);
-
-/*
- * This function allows middleware to get GID assigned to cookie
- *
- * \param[in] Cookie
- * \param[out] Handler to store GID
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: " security-server::api-cookie-check w"
- */
-int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
-
-/*
- * This function allows to create, if doesn't exist, or open existing file by
- * Security Server on behalf of calling process in secured directory.
- *
- * \param[in] File name to create/open
- * \param[out] File descriptor
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: " security-server::api-open-for w"
- */
-int security_server_open_for(const char *filename, int *fd) __attribute__((deprecated));
-
-/*
- * This function allows to create, if doesn't exist, file by Security Server on
- * behalf of calling process in secured directory. File gets smack label of
- * designated client process, passed as 'client_label' argument, which is
- * allowed to read created file.
- *
- * \param[in] File name to create
- * \param[in] Label of designated client
- * \param[out] File descriptor
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or one of error codes on fail
- * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED
- * \return SECURITY_SERVER_API_ERROR_SOCKET
- * \return SECURITY_SERVER_API_ERROR_INPUT_PARAM
- * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_CREATION_FAILED
- * \return SECURITY_SERVER_API_ERROR_SETTING_FILE_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_EXIST
- *
- * Access to this function requires SMACK rule: " security-server::api-open-for w"
- */
-int security_server_shared_file_open(const char *filename, const char *client_label, int *fd);
-
-/*
- * This function allows to open existing file by Security Server on behalf of
- * calling process in secured directory. Security Server checks smack label
- * of calling process and if it's the same as file label access to file is
- * granted.
- *
- * \param[in] File name to open
- * \param[out] File descriptor
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or one of error codes on fail
- * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED
- * \return SECURITY_SERVER_API_ERROR_SOCKET
- * \return SECURITY_SERVER_API_ERROR_INPUT_PARAM
- * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST
- *
- * Access to this function requires SMACK rule: " security-server::api-open-for w"
- */
-int security_server_shared_file_reopen(const char *filename, int *fd);
-
-/*
- * This function allows to delete existing file by Security Server on behalf of
- * calling process in secured directory. Security Server checks smack label
- * of calling process and if it's the same as file label data file is deleted.
- *
- * \param[in] File name to delete
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or one of error codes on fail
- * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED
- * \return SECURITY_SERVER_API_ERROR_SOCKET
- * \return SECURITY_SERVER_API_ERROR_INPUT_PARAM
- * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_DELETION_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST
- *
- * Access to this function requires SMACK rule: " security-server::api-open-for w"
- */
-int security_server_shared_file_delete(const char *filename);
 #ifdef __cplusplus
 }
diff --git a/src/server/client/client-app-permissions.cpp b/src/server/client/client-app-permissions.cpp
deleted file mode 100644
index 927a2de..0000000
--- a/src/server/client/client-app-permissions.cpp
+++ /dev/null
@@ -1,250 +0,0 @@
-/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file client-app-permissions.cpp
- * @author Pawel Polawski (pawel.polawski@partner.samsung.com)
- * @version 1.0
- * @brief This file contain implementation of security_server_app_enable_permissions
- * and security_server_app_disable functions
- */
-
-
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-
-#include
-#include
-
-
-SECURITY_SERVER_API
-int security_server_app_enable_permissions(const char *app_id, app_type_t app_type, const char **perm_list, int persistent)
-{
- using namespace SecurityServer;
- MessageBuffer send, recv;
- std::vector permissions_list;
-
- LogDebug("security_server_app_enable_permissions() called");
-
- return try_catch([&] {
- if ((NULL == app_id) || (strlen(app_id) == 0)) {
- LogDebug("App_id is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
- if ((NULL == perm_list) || (strlen(perm_list[0]) == 0)) {
- LogDebug("Perm_list is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- LogDebug("app_type: " << (int)app_type);
- LogDebug("persistent: " << persistent);
- LogDebug("app_id: " << app_id);
-
- //put all strings in STL vector
- for (int i = 0; perm_list[i] != NULL; i++) {
- LogDebug("perm_list[" << i << "]: " << perm_list[i]);
- permissions_list.push_back(std::string(perm_list[i]));
- }
-
- //put data into buffer
- Serialization::Serialize(send, (int)AppPermissionsAction::ENABLE); //works as a MSG_ID
- Serialization::Serialize(send, persistent);
- Serialization::Serialize(send, (int)app_type);
- Serialization::Serialize(send, std::string(app_id));
- Serialization::Serialize(send, permissions_list);
-
- //send buffer to server
- int result = sendToServer(SERVICE_SOCKET_APP_PERMISSIONS, send.Pop(), recv);
- if (result != SECURITY_SERVER_API_SUCCESS) {
- LogDebug("Error in sendToServer. Error code: " << result);
- return result;
- }
-
- //receive response from server
- Deserialization::Deserialize(recv, result);
- return result;
- });
-}
-
-
-SECURITY_SERVER_API
-int security_server_app_disable_permissions(const char *app_id, app_type_t app_type, const char **perm_list)
-{
- using namespace SecurityServer;
- MessageBuffer send, recv;
- std::vector permissions_list;
-
- LogDebug("security_server_app_disable_permissions() called");
-
- return try_catch([&] {
- if ((NULL == app_id) || (strlen(app_id) == 0)) {
- LogDebug("App_id is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
- if ((NULL == perm_list) || (strlen(perm_list[0]) == 0)) {
- LogDebug("Perm_list is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- LogDebug("app_type: " << (int)app_type);
- LogDebug("app_id: " << app_id);
-
- //put all strings in STL vector
- for (int i = 0; perm_list[i] != NULL; i++) {
- LogDebug("perm_list[" << i << "]: " << perm_list[i]);
- permissions_list.push_back(std::string(perm_list[i]));
- }
-
- //put data into buffer
- Serialization::Serialize(send, (int)AppPermissionsAction::DISABLE); //works as a MSG_ID
- Serialization::Serialize(send, (int)app_type);
- Serialization::Serialize(send, std::string(app_id));
- Serialization::Serialize(send, permissions_list);
-
- //send buffer to server
- int result = sendToServer(SERVICE_SOCKET_APP_PERMISSIONS, send.Pop(), recv);
- if (result != SECURITY_SERVER_API_SUCCESS) {
- LogDebug("Error in sendToServer. Error code: " << result);
- return result;
- }
-
- //receive response from server
- Deserialization::Deserialize(recv, result);
- return result;
- });
-}
-
-
-SECURITY_SERVER_API
-int security_server_app_has_privilege(const char *app_id,
- app_type_t app_type,
- const char *privilege_name,
- int *result)
-{
- using namespace SecurityServer;
- MessageBuffer send, recv;
-
- LogDebug("security_server_app_has_privilege() called");
-
- try {
- if ((NULL == app_id) || (strlen(app_id) == 0)) {
- LogError("app_id is NULL or empty");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
- if ((NULL == privilege_name) || (strlen(privilege_name) == 0)) {
- LogError("privilege_name is NULL or empty");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
- if (NULL == result) {
- LogError("result is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- LogDebug("app_id: " << app_id);
- LogDebug("app_type: " << static_cast(app_type));
- LogDebug("privilege_name: " << privilege_name);
-
- //put data into buffer
- Serialization::Serialize(send, static_cast(PrivilegeCheckHdrs::CHECK_GIVEN_APP));
- Serialization::Serialize(send, std::string(app_id));
- Serialization::Serialize(send, static_cast(app_type));
- Serialization::Serialize(send, std::string(privilege_name));
-
- //send buffer to server
- int apiResult = sendToServer(SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME, send.Pop(), recv);
- if (apiResult != SECURITY_SERVER_API_SUCCESS) {
- LogError("Error in sendToServer. Error code: " << apiResult);
- return apiResult;
- }
-
- //receive response from server
- Deserialization::Deserialize(recv, apiResult);
- if (apiResult == SECURITY_SERVER_API_SUCCESS) {
- Deserialization::Deserialize(recv, *result);
- }
- return apiResult;
-
- } catch (MessageBuffer::Exception::Base &e) {
- LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
- } catch (std::exception &e) {
- LogError("STD exception " << e.what());
- } catch (...) {
- LogError("Unknown exception occured");
- }
-
- return SECURITY_SERVER_API_ERROR_UNKNOWN;
-}
-
-
-SECURITY_SERVER_API
-int security_server_app_caller_has_privilege(app_type_t app_type,
- const char *privilege_name,
- int *result)
-{
- using namespace SecurityServer;
- MessageBuffer send, recv;
-
- LogDebug("security_server_app_caller_has_privilege() called");
-
- try {
- if ((NULL == privilege_name) || (strlen(privilege_name) == 0)) {
- LogError("privilege_name is NULL or empty");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
- if (NULL == result) {
- LogError("result is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- LogDebug("app_type: " << static_cast(app_type));
- LogDebug("privilege_name: " << privilege_name);
-
- //put data into buffer
- Serialization::Serialize(send, static_cast(PrivilegeCheckHdrs::CHECK_CALLER_APP));
- Serialization::Serialize(send, static_cast(app_type));
- Serialization::Serialize(send, std::string(privilege_name));
-
- //send buffer to server
- int apiResult = sendToServer(SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME, send.Pop(), recv);
- if (apiResult != SECURITY_SERVER_API_SUCCESS) {
- LogError("Error in sendToServer. Error code: " << apiResult);
- return apiResult;
- }
-
- //receive response from server
- Deserialization::Deserialize(recv, apiResult);
- if (apiResult == SECURITY_SERVER_API_SUCCESS) {
- Deserialization::Deserialize(recv, *result);
- }
- return apiResult;
-
- } catch (MessageBuffer::Exception::Base &e) {
- LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
- } catch (std::exception &e) {
- LogError("STD exception " << e.what());
- } catch (...) {
- LogError("Unknown exception occured");
- }
-
- return SECURITY_SERVER_API_ERROR_UNKNOWN;
-}
diff --git a/src/server/client/client-cookie.cpp b/src/server/client/client-cookie.cpp
index c1efaf3..90a461a 100644
--- a/src/server/client/client-cookie.cpp
+++ b/src/server/client/client-cookie.cpp
@@ -283,42 +283,3 @@ int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid)
 });
 }
-SECURITY_SERVER_API
-int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid)
-{
- using namespace SecurityServer;
- MessageBuffer send, recv;
- int retval = SECURITY_SERVER_API_ERROR_UNKNOWN;
-
- LogDebug("security_server_get_uid_by_cookie() called");
-
- if ((cookie == NULL) || (gid == NULL))
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
-
- //preprae cookie to send
- std::vector key(cookie, cookie + COOKIE_SIZE);
-
- return try_catch([&] {
- //put data into buffer
- Serialization::Serialize(send, (int)CookieCall::CHECK_GID);
- Serialization::Serialize(send, key);
-
- //send buffer to server
- retval = sendToServer(SERVICE_SOCKET_COOKIE_CHECK, send.Pop(), recv);
- if (retval != SECURITY_SERVER_API_SUCCESS) {
- LogDebug("Error in sendToServer. Error code: " << retval);
- return retval;
- }
-
- //receive response from server
- Deserialization::Deserialize(recv, retval);
- if (retval == SECURITY_SERVER_API_SUCCESS) {
- int tmp;
- Deserialization::Deserialize(recv, tmp);
- *gid = static_cast(tmp);
- }
-
- return retval;
- });
-}
-
diff --git a/src/server/client/client-open-for.cpp b/src/server/client/client-open-for.cpp
deleted file mode 100644
index e245fd7..0000000
--- a/src/server/client/client-open-for.cpp
+++ /dev/null
@@ -1,239 +0,0 @@
-/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file client-open-for.cpp
- * @author Zbigniew Jasinski (z.jasinski@samsung.com)
- * @version 1.0
- * @brief This file contains implementation of security-server API
- * for file opening.
- */
-
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-
-#include
-
-namespace {
-
-void create_msghdr(struct msghdr* hdr,
- struct iovec* iov,
- unsigned char* cmsgbuf,
- const size_t cmsgbufSize,
- int* retcode)
-{
- memset(hdr, 0, sizeof(struct msghdr));
- memset(cmsgbuf, 0, cmsgbufSize);
-
- iov->iov_base = retcode;
- iov->iov_len = sizeof(*retcode);
- hdr->msg_iov = iov;
- hdr->msg_iovlen = 1;
-
- if (NULL != cmsgbuf) {
- hdr->msg_control = cmsgbuf;
- hdr->msg_controllen = cmsgbufSize;
- }
-}
-
-} // namespace anonymous
-
-SECURITY_SERVER_API
-int security_server_open_for(const char *filename, int *fd)
-{
- using namespace SecurityServer;
- return try_catch([&] {
- if (NULL == filename || !strlen(filename)) {
- LogError("Error input param.");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- MessageBuffer send;
-
- Serialization::Serialize(send, (int)OpenForHdrs::OPEN_DEPRECATED);
- Serialization::Serialize(send, std::string(filename));
-
- struct msghdr hdr;
- struct iovec iov;
- unsigned char cmsgbuf[CMSG_SPACE(sizeof(int))];
- int retcode = -1;
-
- create_msghdr(&hdr, &iov, &cmsgbuf[0], sizeof(cmsgbuf), &retcode);
-
- int result = sendToServerAncData(SERVICE_SOCKET_OPEN_FOR, send.Pop(), hdr);
- if (result != SECURITY_SERVER_API_SUCCESS) {
- *fd = -1;
- return result;
- }
-
- if (hdr.msg_flags & MSG_CTRUNC) {
- LogError("Not enough space for ancillary element array.");
- *fd = -1;
- return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL;
- }
-
- for(cmsghdr *cmsg = CMSG_FIRSTHDR(&hdr); cmsg != NULL; cmsg = CMSG_NXTHDR(&hdr, cmsg)) {
- if((SOL_SOCKET == cmsg->cmsg_level) && (SCM_RIGHTS == cmsg->cmsg_type)) {
- memmove(fd, CMSG_DATA(cmsg), sizeof(int));
- }
- }
-
- return retcode;
- });
-}
-
-SECURITY_SERVER_API
-int security_server_shared_file_open(const char *filename, const char *client_label, int *fd)
-{
- using namespace SecurityServer;
- return try_catch([&] {
- if ((NULL == filename || !strlen(filename) ||
- (NULL == client_label || !strlen(client_label)))) {
- LogError("Error input param.");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- MessageBuffer send;
-
- Serialization::Serialize(send, (int)OpenForHdrs::OPEN);
- Serialization::Serialize(send, std::string(filename));
- Serialization::Serialize(send, std::string(client_label));
-
- struct msghdr hdr;
- struct iovec iov;
- unsigned char cmsgbuf[CMSG_SPACE(sizeof(int))];
- int retcode = -1;
-
- create_msghdr(&hdr, &iov, &cmsgbuf[0], sizeof(cmsgbuf), &retcode);
-
- int result = sendToServerAncData(SERVICE_SOCKET_OPEN_FOR, send.Pop(), hdr);
- if (result != SECURITY_SERVER_API_SUCCESS) {
- *fd = -1;
- return result;
- }
-
- if (hdr.msg_flags & MSG_CTRUNC) {
- LogError("Not enough space for ancillary element array.");
- *fd = -1;
- return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL;
- }
-
- /*
- * Since 'socket packet' can handle more than one control message
- * we need to iterate through all ancillary data elements and check
- * which one has our file desciptor (SCM_RIGHTS == cmsg->cmsg_type)
- */
- for(cmsghdr *cmsg = CMSG_FIRSTHDR(&hdr); cmsg != NULL; cmsg = CMSG_NXTHDR(&hdr, cmsg)) {
- if((SOL_SOCKET == cmsg->cmsg_level) && (SCM_RIGHTS == cmsg->cmsg_type)) {
- memmove(fd, CMSG_DATA(cmsg), sizeof(int));
- }
- }
-
- return retcode;
- });
-}
-
-SECURITY_SERVER_API
-int security_server_shared_file_reopen(const char *filename, int *fd)
-{
- using namespace SecurityServer;
- return try_catch([&] {
- if ((NULL == filename || !strlen(filename))) {
- LogError("Error input param.");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- MessageBuffer send;
-
- Serialization::Serialize(send, (int)OpenForHdrs::REOPEN);
- Serialization::Serialize(send, std::string(filename));
-
- struct msghdr hdr;
- struct iovec iov;
- unsigned char cmsgbuf[CMSG_SPACE(sizeof(int))];
- int retcode = -1;
-
- create_msghdr(&hdr, &iov, &cmsgbuf[0], sizeof(cmsgbuf), &retcode);
-
- int result = sendToServerAncData(SERVICE_SOCKET_OPEN_FOR, send.Pop(), hdr);
- if (result != SECURITY_SERVER_API_SUCCESS) {
- *fd = -1;
- return result;
- }
-
- if (hdr.msg_flags & MSG_CTRUNC) {
- LogError("Not enough space for ancillary element array.");
- *fd = -1;
- return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL;
- }
-
- /*
- * Since 'socket packet' can handle more than one control message
- * we need to iterate through all ancillary data elements and check
- * which one has our file desciptor (SCM_RIGHTS == cmsg->cmsg_type)
- */
- for(cmsghdr *cmsg = CMSG_FIRSTHDR(&hdr); cmsg != NULL; cmsg = CMSG_NXTHDR(&hdr, cmsg)) {
- if((SOL_SOCKET == cmsg->cmsg_level) && (SCM_RIGHTS == cmsg->cmsg_type)) {
- memmove(fd, CMSG_DATA(cmsg), sizeof(int));
- }
- }
-
- return retcode;
- });
-}
-
-SECURITY_SERVER_API
-int security_server_shared_file_delete(const char *filename)
-{
- using namespace SecurityServer;
- return try_catch([&] {
- if ((NULL == filename || !strlen(filename))) {
- LogError("Error input param.");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- MessageBuffer send;
-
- Serialization::Serialize(send, (int)OpenForHdrs::DELETE);
- Serialization::Serialize(send, std::string(filename));
-
- struct msghdr hdr;
- struct iovec iov;
- int retcode = -1;
-
- create_msghdr(&hdr, &iov, NULL, 0, &retcode);
-
- int result = sendToServerAncData(SERVICE_SOCKET_OPEN_FOR, send.Pop(), hdr);
- if (result != SECURITY_SERVER_API_SUCCESS)
- return result;
-
- if (hdr.msg_flags & MSG_CTRUNC) {
- LogError("Not enough space for ancillary element array.");
- return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL;
- }
-
- return retcode;
- });
-}
diff --git a/src/server/common/protocols.cpp b/src/server/common/protocols.cpp
index 9da1aa5..4d77378 100644
--- a/src/server/common/protocols.cpp
+++ b/src/server/common/protocols.cpp
@@ -33,16 +33,12 @@ char const * const SERVICE_SOCKET_GET_GID =
 "/tmp/.security-server-api-get-gid.sock";
 char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID =
 "/tmp/.security-server-api-privilege-by-pid.sock";
-char const * const SERVICE_SOCKET_APP_PERMISSIONS =
- "/tmp/.security-server-api-app-permissions.sock";
 char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME =
 "/tmp/.security-server-api-app-privilege-by-name.sock";
 char const * const SERVICE_SOCKET_COOKIE_GET =
 "/tmp/.security-server-api-cookie-get.sock";
 char const * const SERVICE_SOCKET_COOKIE_CHECK =
 "/tmp/.security-server-api-cookie-check.sock";
-char const * const SERVICE_SOCKET_OPEN_FOR =
- "/tmp/.security-server-api-open-for.sock";
 char const * const SERVICE_SOCKET_PASSWD_CHECK =
 "/tmp/.security-server-api-password-check.sock";
 char const * const SERVICE_SOCKET_PASSWD_SET =
diff --git a/src/server/common/protocols.h b/src/server/common/protocols.h
index 6e9c4eb..103bf14 100644
--- a/src/server/common/protocols.h
+++ b/src/server/common/protocols.h
@@ -33,11 +33,9 @@ namespace SecurityServer { extern char const * const SERVICE_SOCKET_SHARED_MEMORY; extern char const * const SERVICE_SOCKET_GET_GID; extern char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID; -extern char const * const SERVICE_SOCKET_APP_PERMISSIONS; extern char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME; extern char const * const SERVICE_SOCKET_COOKIE_GET; extern char const * const SERVICE_SOCKET_COOKIE_CHECK; -extern char const * const SERVICE_SOCKET_OPEN_FOR; extern char const * const SERVICE_SOCKET_PASSWD_CHECK; extern char const * const SERVICE_SOCKET_PASSWD_SET; extern char const * const SERVICE_SOCKET_PASSWD_RESET; @@ -55,20 +53,6 @@ enum class CookieCall CHECK_UID }; -enum class PrivilegeCheckHdrs -{ - CHECK_GIVEN_APP, - CHECK_CALLER_APP -}; - -enum class OpenForHdrs : unsigned int -{ - OPEN, - REOPEN, - DELETE, - OPEN_DEPRECATED -}; - extern const size_t COOKIE_SIZE; enum class PasswordHdrs diff --git a/src/server/main/server2-main.cpp b/src/server/main/server2-main.cpp index 8400489..e1e7d20 100644 --- a/src/server/main/server2-main.cpp +++ b/src/server/main/server2-main.cpp @@ -34,9 +34,7 @@ #include #include #include -#include #include -#include #include IMPLEMENT_SAFE_SINGLETON(SecurityServer::Log::LogSystem); @@ -94,12 +92,10 @@ int main(void) { LogInfo("Start!"); SecurityServer::SocketManager manager; - REGISTER_SOCKET_SERVICE(manager, SecurityServer::OpenForService); REGISTER_SOCKET_SERVICE(manager, SecurityServer::CookieService); REGISTER_SOCKET_SERVICE(manager, SecurityServer::SharedMemoryService); REGISTER_SOCKET_SERVICE(manager, SecurityServer::GetGidService); REGISTER_SOCKET_SERVICE(manager, SecurityServer::PrivilegeByPidService); - REGISTER_SOCKET_SERVICE(manager, SecurityServer::AppPermissionsService); REGISTER_SOCKET_SERVICE(manager, SecurityServer::PasswordService); manager.MainLoop(); 
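Review bot: After the server2-main.cpp hunk, main() registers no service for `SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME`, yet the protocols.cpp and protocols.h hunks keep that constant as context. The deleted `AppPermissionsService::GetServiceDescription()` is the only listener for that path visible in this commit (`"security-server::api-app-privilege-by-name"`). Unless a service not shown here takes it over, any socket unit still installed for that path would accept connections that nothing reads, and privilege-check callers would hang or error out. I would drop the by-name constant and its socket unit in this same commit, or keep a handler for it. At minimum, record the state next to the registration list, e.g. `// app-privilege-by-name: no in-process handler since AppPermissionsService was removed`. main()'s body starts outside the hunk.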
diff --git a/src/server/service/app-permissions.cpp b/src/server/service/app-permissions.cpp
deleted file mode 100644
index ff666bc..0000000
--- a/src/server/service/app-permissions.cpp
+++ /dev/null
@@ -1,267 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file app-permissions.cpp - * @author Pawel Polawski (pawel.polawski@partner.samsung.com) - * @version 1.0 - * @brief This function contain implementation of security_server_app_enable_permissions - * and security_server_app_disable_permissions on server side - */ - -#include -#include -#include -#include - -#include -#include -#include - -#include -#include -#include -#include - -namespace { - -int privilegeToSecurityServerError(int error) { - switch (error) { - case PC_OPERATION_SUCCESS: return SECURITY_SERVER_API_SUCCESS; - case PC_ERR_FILE_OPERATION: return SECURITY_SERVER_API_ERROR_UNKNOWN; - case PC_ERR_MEM_OPERATION: return SECURITY_SERVER_API_ERROR_OUT_OF_MEMORY; - case PC_ERR_NOT_PERMITTED: return SECURITY_SERVER_API_ERROR_ACCESS_DENIED; - case PC_ERR_INVALID_PARAM: return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - case PC_ERR_INVALID_OPERATION: - case PC_ERR_DB_OPERATION: - default: - ; - } - return SECURITY_SERVER_API_ERROR_UNKNOWN; -} - -// interface ids -const SecurityServer::InterfaceID CHANGE_APP_PERMISSIONS = 0; -const SecurityServer::InterfaceID CHECK_APP_PRIVILEGE = 1; - -} // namespace anonymous - -namespace SecurityServer { - -GenericSocketService::ServiceDescriptionVector AppPermissionsService::GetServiceDescription() { - return ServiceDescriptionVector 
{ - { SERVICE_SOCKET_APP_PERMISSIONS, - "security-server::api-app-permissions", - CHANGE_APP_PERMISSIONS }, - { SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME, - "security-server::api-app-privilege-by-name", - CHECK_APP_PRIVILEGE } - }; -} - -void AppPermissionsService::accept(const AcceptEvent &event) { - LogDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock - << " ConnectionID.counter: " << event.connectionID.counter - << " ServiceID: " << event.interfaceID); - auto &info = m_connectionInfoMap[event.connectionID.counter]; - info.interfaceID = event.interfaceID; -} - -void AppPermissionsService::write(const WriteEvent &event) { - LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock << - " Size: " << event.size << " Left: " << event.left); - if (event.left == 0) - m_serviceManager->Close(event.connectionID); -} - -void AppPermissionsService::process(const ReadEvent &event) { - LogDebug("Read event for counter: " << event.connectionID.counter); - auto &info = m_connectionInfoMap[event.connectionID.counter]; - info.buffer.Push(event.rawBuffer); - - // We can get several requests in one package. - // Extract and process them all - while(processOne(event.connectionID, info.buffer, info.interfaceID)); -} - -void AppPermissionsService::close(const CloseEvent &event) { - LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock); - m_connectionInfoMap.erase(event.connectionID.counter); -} - -bool AppPermissionsService::processOne(const ConnectionID &conn, - MessageBuffer &buffer, - InterfaceID interfaceID) -{ - LogDebug("Iteration begin"); - - //waiting for all data - if (!buffer.Ready()) { - return false; - } - - LogDebug("Entering app_permissions server side handler"); - - switch(interfaceID) { - case CHANGE_APP_PERMISSIONS: - return processPermissionsChange(conn, buffer); - - case CHECK_APP_PRIVILEGE: - return processCheckAppPrivilege(conn, buffer); - - default: - LogDebug("Unknown interfaceId. 
Closing socket."); - m_serviceManager->Close(conn); - return false; - } -} - -bool AppPermissionsService::processPermissionsChange(const ConnectionID &conn, MessageBuffer &buffer) -{ - MessageBuffer send; - std::vector permissions_list; - std::string app_id; - int persistent; - size_t iter; - int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - app_type_t app_type; - AppPermissionsAction appPermAction; - - LogDebug("Processing permissions change request"); - - //receive data from buffer and check MSG_ID - Try { - int temp; - Deserialization::Deserialize(buffer, temp); //receive MSG_ID - appPermAction = (AppPermissionsAction)temp; - - if (appPermAction == AppPermissionsAction::ENABLE) //persistent is only in APP_ENABLE frame - Deserialization::Deserialize(buffer, persistent); - - Deserialization::Deserialize(buffer, temp); - app_type = (app_type_t)temp; - Deserialization::Deserialize(buffer, app_id); - Deserialization::Deserialize(buffer, permissions_list); - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. 
Closing socket."); - m_serviceManager->Close(conn); - return false; - } - - //+1 bellow is for NULL pointer at the end - std::unique_ptr perm_list (new (std::nothrow) const char *[permissions_list.size() + 1]); - if (NULL == perm_list.get()) { - LogError("Allocation error"); - m_serviceManager->Close(conn); - return false; - } - - //print received data - LogDebug("app_type: " << (int)app_type); - if (appPermAction == AppPermissionsAction::ENABLE) //persistent is only in APP_ENABLE frame - LogDebug("persistent: " << persistent); - LogDebug("app_id: " << app_id); - - //left one free pointer for the NULL at the end - for (iter = 0; iter < permissions_list.size(); ++iter) { - LogDebug("perm_list[" << iter << "]: " << permissions_list[iter]); - perm_list[iter] = (permissions_list[iter]).c_str(); - } - //put the NULL at the end - perm_list[iter] = NULL; - - //use received data - if (appPermAction == AppPermissionsAction::ENABLE) { - LogDebug("Calling perm_app_enable_permissions()"); - result = perm_app_enable_permissions(app_id.c_str(), app_type, perm_list.get(), persistent); - LogDebug("perm_app_enable_permissions() returned: " << result); - } else { - LogDebug("Calling perm_app_disable_permissions()"); - result = perm_app_disable_permissions(app_id.c_str(), app_type, perm_list.get()); - LogDebug("perm_app_disable_permissions() returned: " << result); - } - - //send response - Serialization::Serialize(send, privilegeToSecurityServerError(result)); - m_serviceManager->Write(conn, send.Pop()); - return true; -} - -bool AppPermissionsService::processCheckAppPrivilege(const ConnectionID &conn, MessageBuffer &buffer) -{ - MessageBuffer send; - std::string privilege_name; - std::string app_id; - int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - app_type_t app_type; - bool has_permission = false; - PrivilegeCheckHdrs checkType = PrivilegeCheckHdrs::CHECK_GIVEN_APP; - - LogDebug("Processing app privilege check request"); - - //receive data from buffer - Try { - int temp; - 
Deserialization::Deserialize(buffer, temp); // call type - checkType = static_cast(temp); - LogDebug("App privilege check call type: " - << (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP ? - "CHECK_GIVEN_APP":"CHECK_CALLER_APP")); - if (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP) { //app_id present only in this case - Deserialization::Deserialize(buffer, app_id); //get app id - } - Deserialization::Deserialize(buffer, temp); //get app type - app_type = static_cast(temp); - - Deserialization::Deserialize(buffer, privilege_name); //get privilege name - } Catch (MessageBuffer::Exception::Base) { - LogDebug("Broken protocol. Closing socket."); - m_serviceManager->Close(conn); - return false; - } - - if (checkType == PrivilegeCheckHdrs::CHECK_CALLER_APP) { //get sender app_id in this case - char *label = NULL; - if (smack_new_label_from_socket(conn.sock, &label) < 0) { - LogDebug("Error in smack_new_label_from_socket(): " - "client label is unknown. Sending error response."); - Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED); - m_serviceManager->Write(conn, send.Pop()); - return false; - } else { - app_id = label; - free(label); - } - } //end if - - //print received data - LogDebug("app_id: " << app_id); - LogDebug("app_type: " << static_cast(app_type)); - LogDebug("privilege_name: " << privilege_name); - - LogDebug("Calling perm_app_has_permission()"); - result = perm_app_has_permission(app_id.c_str(), app_type, privilege_name.c_str(), &has_permission); - LogDebug("perm_app_has_permission() returned: " << result << " , permission enabled: " << has_permission); - - //send response - Serialization::Serialize(send, privilegeToSecurityServerError(result)); - Serialization::Serialize(send, static_cast(has_permission)); - m_serviceManager->Write(conn, send.Pop()); - return true; -} - -} // namespace SecurityServer 
diff --git a/src/server/service/app-permissions.h b/src/server/service/app-permissions.h
deleted file mode 100644
index 166e7fe..0000000
--- a/src/server/service/app-permissions.h
+++ /dev/null
@@ -1,65 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file app-permissions.h - * @author Pawel Polawski (p.polawski@partner.samsung.com) - * @version 1.0 - * @brief This function contain header for implementation of security_server_app_enable_permissions - * and SS_app_disable_permissions on server side - */ - -#ifndef _SECURITY_SERVER_APP_PERMISSIONS_ -#define _SECURITY_SERVER_APP_PERMISSIONS_ - -#include -#include -#include -#include -#include - -namespace SecurityServer { - -class AppPermissionsService : - public SecurityServer::GenericSocketService - , public SecurityServer::ServiceThread -{ -public: - ServiceDescriptionVector GetServiceDescription(); - - DECLARE_THREAD_EVENT(AcceptEvent, accept) - DECLARE_THREAD_EVENT(WriteEvent, write) - DECLARE_THREAD_EVENT(ReadEvent, process) - DECLARE_THREAD_EVENT(CloseEvent, close) - - void accept(const AcceptEvent &event); - void write(const WriteEvent &event); - void process(const ReadEvent &event); - void close(const CloseEvent &event); - -private: - bool processOne(const ConnectionID &conn, MessageBuffer &buffer, InterfaceID interfaceID); - - bool processPermissionsChange(const ConnectionID &conn, MessageBuffer &buffer); - bool processCheckAppPrivilege(const ConnectionID &conn, MessageBuffer &buffer); - - ConnectionInfoMap m_connectionInfoMap; -}; - -} // namespace 
SecurityServer - -#endif // _SECURITY_SERVER_APP_ENABLE_PERMISSIONS_ diff --git a/src/server/service/cookie-jar.cpp b/src/server/service/cookie-jar.cpp index 262f52b..757f9be 100644 --- a/src/server/service/cookie-jar.cpp +++ b/src/server/service/cookie-jar.cpp @@ -40,6 +40,7 @@ #include #include #include +#include namespace SecurityServer { @@ -97,8 +98,7 @@ const Cookie * CookieJar::GenerateCookie(int pid) //get smack label if smack enabled if (smack_check()) { char label[SMACK_LABEL_LEN + 1]; - retval = get_smack_label_from_process(pid, label); - if (retval != PC_OPERATION_SUCCESS) { + if (-1 == get_smack_label_from_process(pid, label)) { LogDebug("Unable to get smack label of process"); return NULL; } diff --git a/src/server/service/open-for-manager.cpp b/src/server/service/open-for-manager.cpp deleted file mode 100644 index 335d6af..0000000 --- a/src/server/service/open-for-manager.cpp +++ /dev/null 
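Review bot: In the second cookie-jar.cpp hunk (`CookieJar::GenerateCookie`), the failure test narrows from `retval != PC_OPERATION_SUCCESS` to `-1 == get_smack_label_from_process(pid, label)`. Any other non-success return would now fall through, and `label`, an uninitialised stack buffer, would presumably be used as the process's Smack label for the cookie. The name of the header added in the first hunk is not readable here, so the new function's return contract cannot be confirmed. Assuming 0 is its success value, test for non-zero instead: `if (0 != get_smack_label_from_process(pid, label)) {`. Zero-initialising the buffer, `char label[SMACK_LABEL_LEN + 1] = {0};`, would also keep a missed error from carrying stack bytes into the label. GenerateCookie's body continues outside the hunk.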
@@ -1,334 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file open-for-manager.cpp - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @version 1.0 - * @brief Implementation of open-for management functions - */ - -#include "open-for-manager.h" - -#include -#include -#include -#include -#include -#include - -#include -#include - -#include -#include - -#include -#include - -const std::string DATA_DIR = "/var/run/security-server"; -const std::string ALLOWED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ \ - abcdefghijklmnopqrstuvwxyz \ - 0123456789._-"; - -namespace SecurityServer -{ - // SockCred implementations - SockCred::SockCred() - { - m_len = sizeof(struct ucred); - memset(&m_cr, 0, m_len); - } - - bool SockCred::getCred(int socket) - { - if (getsockopt(socket, SOL_SOCKET, SO_PEERCRED, &m_cr, &m_len)) { - int err = errno; - LogError("Unable to get client credentials: " << strerror(err)); - return true; - } - - if (smack_check()) { - char label[SMACK_LABEL_LEN + 1]; - if (PC_OPERATION_SUCCESS != get_smack_label_from_process(m_cr.pid, label)) { - LogError("Unable to get smack label of process."); - return true; - } - m_sockSmackLabel = label; - } else - m_sockSmackLabel.clear(); - - return false; - } - - std::string SockCred::getLabel() const - { - return m_sockSmackLabel; - } - - // SharedFile implementations - 
SharedFile::SharedFile() - { - if (!dirExist(DATA_DIR.c_str())) - mkdir(DATA_DIR.c_str(), 0700); - else { - deleteDir(DATA_DIR.c_str()); - mkdir(DATA_DIR.c_str(), 0700); - } - } - - bool SharedFile::fileExist(const std::string &filename) - { - std::string filepath = DATA_DIR + "/" + filename; - struct stat buf; - - return ((lstat(filepath.c_str(), &buf) == 0) && - (((buf.st_mode) & S_IFMT) != S_IFLNK)); - } - - bool SharedFile::dirExist(const std::string &dirpath) - { - struct stat buf; - - return ((lstat(dirpath.c_str(), &buf) == 0) && - (((buf.st_mode) & S_IFMT) == S_IFDIR)); - } - - bool SharedFile::deleteDir(const std::string &dirpath) - { - DIR *dirp; - struct dirent *dp; - char path[PATH_MAX]; - - if ((dirp = opendir(dirpath.c_str())) == NULL) { - int err = errno; - LogError("Cannot open data directory. " << strerror(err)); - return true; - } - - while ((dp = readdir(dirp)) != NULL) { - if (strcmp(dp->d_name, ".") && strcmp(dp->d_name, "..")) { - snprintf(path, (size_t) PATH_MAX, "%s/%s", dirpath.c_str(), dp->d_name); - if (dp->d_type == DT_DIR) { - deleteDir(path); - } else { - unlink(path); - } - } - } - closedir(dirp); - rmdir(dirpath.c_str()); - - return false; - } - - bool SharedFile::createFile(const std::string &filename) - { - int fd = -1; - std::string filepath = DATA_DIR + "/" + filename; - - fd = TEMP_FAILURE_RETRY(open(filepath.c_str(), O_CREAT | O_WRONLY | O_EXCL, 0600)); - int err = errno; - if (-1 == fd) { - LogError("Cannot create file. Error in open(): " << strerror(err)); - return true; - } - - TEMP_FAILURE_RETRY(close(fd)); - - return false; - } - - bool SharedFile::openFile(const std::string &filename, int &fd) - { - std::string filepath = DATA_DIR + "/" + filename; - - fd = TEMP_FAILURE_RETRY(open(filepath.c_str(), O_CREAT | O_RDWR, 0600)); - int err = errno; - if (-1 == fd) { - LogError("Cannot open file. 
Error in open(): " << strerror(err)); - return true; - } - - return false; - } - - bool SharedFile::deleteFile(const std::string &filename) - { - std::string filepath = DATA_DIR + "/" + filename; - - if (remove(filepath.c_str())) { - LogError("Unable to delete file: " << filename.c_str() << " " << strerror(errno)); - return true; - } - - return false; - } - - bool SharedFile::setFileLabel(const std::string &filename, const std::string &label) - { - std::string filepath = DATA_DIR + "/" + filename; - - if (smack_setlabel(filepath.c_str(), label.c_str(), SMACK_LABEL_ACCESS)) { - LogError("Cannot set SMACK label on file."); - return true; - } - - return false; - } - - bool SharedFile::getFileLabel(const std::string &filename) - { - std::string filepath = DATA_DIR + "/" + filename; - char *label = NULL; - - if (smack_check()) { - if (0 != smack_getlabel(filepath.c_str(), &label, SMACK_LABEL_ACCESS)) { - LogError("Unable to get smack label of process."); - return true; - } - } - - if (label) { - m_fileSmackLabel = label; - free(label); - } else - m_fileSmackLabel.clear(); - - return false; - } - - bool SharedFile::checkFileNameSyntax(const std::string &filename) const - { - std::size_t found = filename.find_first_not_of(ALLOWED_CHARS); - - if (found != std::string::npos || '-' == filename[0] || - '.' 
== filename[0]) { - LogError("Illegal character in filename."); - return true; - } - - return false; - } - - int SharedFile::openSharedFile(const std::string &filename, - const std::string &client_label, int socket, int &fd) - { - if (checkFileNameSyntax(filename)) - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - - if (m_sockCred.getCred(socket)) - return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED; - - if (fileExist(filename)) - return SECURITY_SERVER_API_ERROR_FILE_EXIST; - - LogSecureDebug("File: " << filename.c_str() << " does not exist."); - - if (createFile(filename)) - return SECURITY_SERVER_API_ERROR_FILE_CREATION_FAILED; - - if (setFileLabel(filename, m_sockCred.getLabel())) - return SECURITY_SERVER_API_ERROR_SETTING_FILE_LABEL_FAILED; - - if (openFile(filename, fd)) - return SECURITY_SERVER_API_ERROR_FILE_OPEN_FAILED; - - if (setFileLabel(filename, client_label.c_str())) - return SECURITY_SERVER_API_ERROR_SETTING_FILE_LABEL_FAILED; - - return SECURITY_SERVER_API_SUCCESS; - } - - int SharedFile::getFD(const std::string &filename, int socket, int &fd) - { - if (checkFileNameSyntax(filename)) - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - - if (m_sockCred.getCred(socket)) - return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED; - - if (!fileExist(filename)) { - LogSecureDebug("File: " << filename.c_str() << " does not exist."); - - if (createFile(filename)) - return SECURITY_SERVER_API_ERROR_SERVER_ERROR; - } - - if (getFileLabel(filename)) - return SECURITY_SERVER_API_ERROR_SERVER_ERROR; - - if (setFileLabel(filename, m_sockCred.getLabel())) - return SECURITY_SERVER_API_ERROR_SERVER_ERROR; - - if (openFile(filename, fd)) - return SECURITY_SERVER_API_ERROR_FILE_OPEN_FAILED; - - if (setFileLabel(filename, m_fileSmackLabel)) - return SECURITY_SERVER_API_ERROR_SERVER_ERROR; - - return SECURITY_SERVER_API_SUCCESS; - } - - int SharedFile::reopenSharedFile(const std::string &filename, int socket, int &fd) - { - if (checkFileNameSyntax(filename)) - 
return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - - if (m_sockCred.getCred(socket)) - return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED; - - if (!fileExist(filename)) - return SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST; - - if (getFileLabel(filename)) - return SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED; - - if (m_fileSmackLabel.compare(m_sockCred.getLabel())) - return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED; - - if (openFile(filename, fd)) - return SECURITY_SERVER_API_ERROR_FILE_OPEN_FAILED; - - return SECURITY_SERVER_API_SUCCESS; - } - - int SharedFile::deleteSharedFile(const std::string &filename, int socket) - { - if (checkFileNameSyntax(filename)) - return SECURITY_SERVER_API_ERROR_INPUT_PARAM; - - if (m_sockCred.getCred(socket)) - return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED; - - if (!fileExist(filename)) - return SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST; - - if (getFileLabel(filename)) - return SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED; - - if (m_fileSmackLabel.compare(m_sockCred.getLabel())) - return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED; - - if (deleteFile(filename)) - return SECURITY_SERVER_API_ERROR_FILE_DELETION_FAILED; - - return SECURITY_SERVER_API_SUCCESS; - } - - -} //namespace SecurityServer diff --git a/src/server/service/open-for-manager.h b/src/server/service/open-for-manager.h deleted file mode 100644 index 183f81c..0000000 --- a/src/server/service/open-for-manager.h +++ /dev/null 
@@ -1,76 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file open-for-manager.h - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @version 1.0 - * @brief Implementation of open-for management functions - */ - -#ifndef _OPEN_FOR_MANAGER_H_ -#define _OPEN_FOR_MANAGER_H_ - -#include -#include - -#include - -namespace SecurityServer -{ - // classess - class SockCred - { - public: - SockCred(); - bool getCred(int socket); - std::string getLabel(void) const; - - private: - struct ucred m_cr; - unsigned m_len; - std::string m_sockSmackLabel; - }; - - class SharedFile - { - public: - SharedFile(); - int getFD(const std::string &filename, int socket, int &fd); - int openSharedFile(const std::string &filename, const std::string &client_label, - int socket, int &fd); - int reopenSharedFile(const std::string &filename, int socket, int &fd); - int deleteSharedFile(const std::string &filename, int socket); - - private: - static bool fileExist(const std::string &filename); - static bool dirExist(const std::string &dirpath); - static bool deleteDir(const std::string &dirpath); - static bool openFile(const std::string &filename, int &fd); - static bool createFile(const std::string &filename); - static bool deleteFile(const std::string &filename); - static bool setFileLabel(const std::string &filename, const std::string &label); - bool 
getFileLabel(const std::string &filename); - bool checkFileNameSyntax(const std::string &filename) const; - - std::string m_fileSmackLabel; - - SockCred m_sockCred; - }; -} - -#endif // _OPEN_FOR_MANAGER_H_ diff --git a/src/server/service/open-for.cpp b/src/server/service/open-for.cpp deleted file mode 100644 index 46e82f6..0000000 --- a/src/server/service/open-for.cpp +++ /dev/null 
@@ -1,160 +0,0 @@ -/* - * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved - * - * Contact: Bumjin Im - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License - */ -/* - * @file open-for.cpp - * @author Zbigniew Jasinski (z.jasinski@samsung.com) - * @version 1.0 - * @brief Implementation of open-for service - */ - -#include -#include - -#include -#include -#include -#include - -#include -#include - -namespace { -// Service may open more than one socket. -// These ID's will be assigned to sockets -// and will be used only by service. -// When new connection arrives, AcceptEvent -// will be generated with proper ID to inform -// service about input socket. -// -// Please note: SocketManaged does not use it and -// does not check it in any way. -// -// If your service require only one socket -// (uses only one socket labeled with smack) -// you may ignore this ID (just pass 0) -const int SERVICE_SOCKET_ID = 0; - -} // namespace anonymous - -namespace SecurityServer { - -OpenForService::OpenForConnInfo::~OpenForConnInfo() { - std::for_each(descriptorsVector.begin(),descriptorsVector.end(), ::close); -} - -GenericSocketService::ServiceDescriptionVector OpenForService::GetServiceDescription() { - return ServiceDescriptionVector - {{SERVICE_SOCKET_OPEN_FOR, "security-server::api-open-for", SERVICE_SOCKET_ID, true}}; -} - -void OpenForService::accept(const AcceptEvent &event) -{ - LogDebug("Accept event. 
ConnectionID.sock: " << event.connectionID.sock - << " ConnectionID.counter: " << event.connectionID.counter - << " ServiceID: " << event.interfaceID); -} - -void OpenForService::write(const WriteEvent &event) -{ - LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock << - " Size: " << event.size << " Left: " << event.left); - if (event.left == 0) - m_serviceManager->Close(event.connectionID); -} - -void OpenForService::process(const ReadEvent &event) -{ - LogDebug("Read event for counter: " << event.connectionID.counter); - auto &info = m_connectionInfoMap[event.connectionID.counter]; - info.buffer.Push(event.rawBuffer); - - // We can get several requests in one package. - // Extract and process them all - while(processOne(event.connectionID, info.buffer, info.descriptorsVector)); -} - -void OpenForService::close(const CloseEvent &event) -{ - LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock); - auto &descVector = m_connectionInfoMap[event.connectionID.counter].descriptorsVector; - - for (auto iter = descVector.begin(); iter != descVector.end(); ++iter) - TEMP_FAILURE_RETRY(::close(*iter)); - - m_connectionInfoMap.erase(event.connectionID.counter); -} - -bool OpenForService::processOne(const ConnectionID &conn, MessageBuffer &buffer, std::vector &descVector) -{ - LogDebug("Iteration begin"); - - std::string filename; - std::string client_label; - OpenForHdrs msgType; - MessageBuffer sendBuffer; - - int retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR; - int fd = -1; - - if (!buffer.Ready()) - return false; - - Try { - int msgTypeInt; - Deserialization::Deserialize(buffer, msgTypeInt); //receive MSG_ID - msgType = static_cast(msgTypeInt); - Deserialization::Deserialize(buffer, filename); - } Catch (MessageBuffer::Exception::Base) { - LogError("Broken protocol. 
Closing socket."); - m_serviceManager->Close(conn); - return false; - } - - switch(msgType) { - case OpenForHdrs::OPEN: - LogDebug("Entering open-for OPEN server handler."); - Deserialization::Deserialize(buffer, client_label); - retCode = m_sharedFile.openSharedFile(filename, client_label, conn.sock, fd); - break; - case OpenForHdrs::REOPEN: - LogDebug("Entering open-for REOPEN server handler."); - retCode = m_sharedFile.reopenSharedFile(filename, conn.sock, fd); - break; - case OpenForHdrs::DELETE: - LogDebug("Entering open-for DELETE server handler."); - retCode = m_sharedFile.deleteSharedFile(filename, conn.sock); - break; - case OpenForHdrs::OPEN_DEPRECATED: - LogDebug("Entering open-for OPEN-DEPRECATED server handler."); - retCode = m_sharedFile.getFD(filename, conn.sock, fd); - break; - default: - LogError("Error, unknown function called by client,"); - break; - }; - - if (fd != -1) - descVector.push_back(fd); - SendMsgData sendMsgData(retCode, fd); - - m_serviceManager->Write(conn, sendMsgData); - - return true; -} - -} // namespace SecurityServer diff --git a/src/server/service/open-for.h b/src/server/service/open-for.h deleted file mode 100644 index 5ae0884..0000000 --- a/src/server/service/open-for.h +++ /dev/null 
@@ -1,74 +0,0 @@
-/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file open-for.h
- * @author Zigniew Jasinski (z.jasinski@samsung.com)
- * @version 1.0
- * @brief Implementation of open-for service
- */
-
-#ifndef _SECURITY_SERVER_OPEN_FOR_
-#define _SECURITY_SERVER_OPEN_FOR_
-
-#include
-#include
-#include
-
-#include "open-for-manager.h"
-
-namespace SecurityServer
-{
- class OpenForService
- : public SecurityServer::GenericSocketService
- , public SecurityServer::ServiceThread
- {
- public:
- //service functions
- ServiceDescriptionVector GetServiceDescription();
-
- DECLARE_THREAD_EVENT(AcceptEvent, accept)
- DECLARE_THREAD_EVENT(WriteEvent, write)
- DECLARE_THREAD_EVENT(ReadEvent, process)
- DECLARE_THREAD_EVENT(CloseEvent, close)
-
- void accept(const AcceptEvent &event);
- void write(const WriteEvent &event);
- void process(const ReadEvent &event);
- void close(const CloseEvent &event);
-
- private:
- typedef std::vector DescriptorVector;
-
- struct OpenForConnInfo {
- ~OpenForConnInfo();
-
- DescriptorVector descriptorsVector;
- MessageBuffer buffer;
- };
-
- typedef std::map OpenForConnInfoMap;
-
- //internal service functions
- bool processOne(const ConnectionID &conn, MessageBuffer &buffer, DescriptorVector &descVector);
-
- OpenForConnInfoMap m_connectionInfoMap;
- SharedFile m_sharedFile;
- };
-} // namespace SecurityServer
- -#endif // _SECURITY_SERVER_OPEN_FOR_ diff --git a/src/server/service/privilege-by-pid.cpp b/src/server/service/privilege-by-pid.cpp index bfe34eb..c7184f1 100644 --- a/src/server/service/privilege-by-pid.cpp +++ b/src/server/service/privilege-by-pid.cpp @@ -35,6 +35,7 @@ #include #include +#include namespace SecurityServer { @@ -86,7 +87,7 @@ bool PrivilegeByPidService::processOne(const ConnectionID &conn, MessageBuffer & retval = smack_pid_have_access(pid, object.c_str(), access_rights.c_str()); LogDebug("smack_pid_have_access returned " << retval); - if (get_smack_label_from_process(pid, subject) != PC_OPERATION_SUCCESS) { + if (-1 != get_smack_label_from_process(pid, subject)) { // subject label is set to empty string LogError("get_smack_label_from_process failed. Subject label has not been read."); } else { diff --git a/src/server/service/smack-common.cpp b/src/server/service/smack-common.cpp new file mode 100644 index 0000000..4eb5907 --- /dev/null +++ b/src/server/service/smack-common.cpp 
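Review bot: The rewritten condition in `PrivilegeByPidService::processOne` (second hunk of privilege-by-pid.cpp) is inverted. `-1 != get_smack_label_from_process(pid, subject)` is true when the call succeeds, because the helper added in smack-common.cpp returns 0 on success and -1 on failure. As written, the "get_smack_label_from_process failed" branch runs on every successful read, and the `else` branch, which appears to be the one that uses the label, runs only on failure. The check should read `if (0 != get_smack_label_from_process(pid, subject)) {`, matching the `if (0 != ret)` test inside `smack_pid_have_access`. The body of `processOne` continues outside the hunk, so what the `else` branch does with `subject` is not visible here.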
@@ -0,0 +1,118 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+
+namespace SecurityServer {
+
+int get_smack_label_from_process(pid_t pid, char *smack_label)
+{
+ int ret = -1;
+ int fd = -1;
+ const int PATH_MAX_LEN = 64;
+ char path[PATH_MAX_LEN + 1];
+
+ if (pid < 0) {
+ goto out;
+ }
+
+ if(smack_label == NULL) {
+ goto out;
+ }
+
+ bzero(smack_label, SMACK_LABEL_LEN + 1);
+ if (!smack_check()) { // If no smack just return success with empty label
+ ret = 0;
+ goto out;
+ }
+
+ bzero(path, PATH_MAX_LEN + 1);
+ snprintf(path, PATH_MAX_LEN, "/proc/%d/attr/current", pid);
+ fd = open(path, O_RDONLY);
+ if (fd < 0) {
+ goto out;
+ }
+
+ ret = read(fd, smack_label, SMACK_LABEL_LEN);
+ if (ret < 0) {
+ goto out;
+ }
+
+ ret = 0;
+
+out:
+ if (fd >= 0)
+ close(fd);
+ return ret;
+}
+
+
+int smack_pid_have_access(pid_t pid,
+ const char* object,
+ const char *access_type)
+{
+ int ret;
+ char pid_subject_label[SMACK_LABEL_LEN + 1];
+ cap_t cap;
+ cap_flag_value_t cap_v;
+
+ if (!smack_check()) {
+ return 1;
+ }
+
+ if (pid < 0) {
+ return -1;
+ }
+
+ if(object == NULL) {
+ return -1;
+ }
+
+ if(access_type == NULL) {
+ return -1;
+ }
+
+ //get SMACK label of process
+ ret = get_smack_label_from_process(pid, pid_subject_label);
+ if (0 != ret) {
+ return -1;
+ }
+
+ // do not call smack_have_access() if label is empty
+ if (pid_subject_label[0] != '\0') {
+ ret = smack_have_access(pid_subject_label, object, access_type);
+ if ( -1 == ret) {
+ return -1;
+ }
+ if ( 1 == ret ) { // smack_have_access return 1 (access granted)
+ return 1;
+ }
+ }
+
+ // smack_have_access returned 0 (access denied). Now CAP_MAC_OVERRIDE should be checked
+ cap = cap_get_pid(pid);
+ if (cap == NULL) {
+ return -1;
+ }
+ ret = cap_get_flag(cap, CAP_MAC_OVERRIDE, CAP_EFFECTIVE, &cap_v);
+ if (0 != ret) {
+ return -1;
+ }
+
+ if (cap_v == CAP_SET) {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
+
+
+} // namespace SecurityServer
+
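Review bot: `smack_pid_have_access` never releases the capability state returned by `cap_get_pid(pid)`, so every request that reaches the CAP_MAC_OVERRIDE fallback leaks an allocation in a long-running daemon. Adding `cap_free(cap);` directly after the `cap_get_flag(...)` call, before `ret` is tested, covers both the error return and the two result returns. The fallback is also reached when the process label is empty, not only when `smack_have_access` returns 0, so the comment above `cap_get_pid` should say that an empty label is decided by the capability check alone. `get_smack_label_from_process` zeroes `SMACK_LABEL_LEN + 1` bytes of the caller's buffer without taking a size, so a header comment stating that `smack_label` must be at least that large would make the contract explicit for callers.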
diff --git a/src/server/service/smack-common.h b/src/server/service/smack-common.h
new file mode 100644
index 0000000..49698b6
--- /dev/null
+++ b/src/server/service/smack-common.h
@@ -0,0 +1,13 @@
+#ifndef _SMACK_COMMON_H_
+#define _SMACK_COMMON_H_
+
+#include
+
+namespace SecurityServer {
+
+int get_smack_label_from_process(pid_t pid, char *smack_label);
+int smack_pid_have_access(pid_t pid, const char *object, const char *access_type);
+
+} // namespace SecurityServer
+
+#endif
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index 0b17809..52d95a5 100644
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -4,11 +4,9 @@ INSTALL(FILES
 ${CMAKE_SOURCE_DIR}/systemd/security-server-data-share.socket
 ${CMAKE_SOURCE_DIR}/systemd/security-server-get-gid.socket
 ${CMAKE_SOURCE_DIR}/systemd/security-server-privilege-by-pid.socket
- ${CMAKE_SOURCE_DIR}/systemd/security-server-app-permissions.socket
 ${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-get.socket
 ${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-check.socket
 ${CMAKE_SOURCE_DIR}/systemd/security-server-app-privilege-by-name.socket
- ${CMAKE_SOURCE_DIR}/systemd/security-server-open-for.socket
 ${CMAKE_SOURCE_DIR}/systemd/security-server-password-reset.socket
 ${CMAKE_SOURCE_DIR}/systemd/security-server-password-check.socket
 ${CMAKE_SOURCE_DIR}/systemd/security-server-password-set.socket
diff --git a/systemd/security-server-app-permissions.socket b/systemd/security-server-app-permissions.socket
deleted file mode 100644
index 7271ff2..0000000
--- a/systemd/security-server-app-permissions.socket
+++ /dev/null
@@ -1,14 +0,0 @@
-[Socket]
-ListenStream=/tmp/.security-server-api-app-permissions.sock
-SocketMode=0777
-SmackLabelIPIn=*
-SmackLabelIPOut=@
-
-Service=security-server.service
-
-[Unit]
-Wants=security-server.target
-Before=security-server.target
-
-[Install]
-WantedBy=sockets.target
diff --git a/systemd/security-server-open-for.socket b/systemd/security-server-open-for.socket
deleted file mode 100644
index a0886a3..0000000
--- a/systemd/security-server-open-for.socket
+++ /dev/null
@@ -1,14 +0,0 @@
-[Socket]
-ListenStream=/tmp/.security-server-api-open-for.sock
-SocketMode=0777
-SmackLabelIPIn=*
-SmackLabelIPOut=@
-
-Service=security-server.service
-
-[Unit]
-Wants=security-server.target
-Before=security-server.target
-
-[Install]
-WantedBy=sockets.target
diff --git a/systemd/security-server.service b/systemd/security-server.service
index 9fa6cb1..676942a 100644
--- a/systemd/security-server.service
+++ b/systemd/security-server.service
@@ -7,11 +7,9 @@ ExecStart=/usr/bin/security-server
 Sockets=security-server-data-share.socket
 Sockets=security-server-get-gid.socket
 Sockets=security-server-privilege-by-pid.socket
-Sockets=security-server-app-permissions.socket
 Sockets=security-server-app-privilege-by-name.socket
 Sockets=security-server-cookie-get.socket
 Sockets=security-server-cookie-check.socket
-Sockets=security-server-open-for.socket
 Sockets=security-server-password-check.socket
 Sockets=security-server-password-set.socket
 Sockets=security-server-password-reset.socket