From 4407e07bd6ca4053b08cd8921e55ef04fb2e4859 Mon Sep 17 00:00:00 2001 From: baik Date: Thu, 13 Dec 2012 09:51:07 +0900 Subject: [PATCH] Re-enabling systemd configuration. Change-Id: I7eb6c073b1614482331dff6d885c63848c47c7f9 --- packaging/security-server.service | 9 +++++++ packaging/security-server.spec | 21 ++++++++++++++-- .../communication/security-server-comm.c | 29 +++++++++++++++++++--- src/security-srv/include/security-server-comm.h | 2 ++ src/security-srv/mw-list | 9 +++---- 5 files changed, 60 insertions(+), 10 deletions(-) create mode 100644 packaging/security-server.service diff --git a/packaging/security-server.service b/packaging/security-server.service new file mode 100644 index 0000000..b2a79c2 --- /dev/null +++ b/packaging/security-server.service @@ -0,0 +1,9 @@ + +[Unit] +Description=Start the security server + +[Service] +ExecStart=/usr/bin/security-server + +[Install] +WantedBy=multi-user.target diff --git a/packaging/security-server.spec b/packaging/security-server.spec index 00d4afa..2399cdd 100644 --- a/packaging/security-server.spec +++ b/packaging/security-server.spec @@ -9,6 +9,7 @@ URL: N/A Source0: %{name}-%{version}.tar.gz Source1: security-server.manifest Source2: libsecurity-server-client.manifest +Source3: security-server.service BuildRequires: cmake BuildRequires: zip BuildRequires: pkgconfig(dlog) @@ -23,6 +24,9 @@ BuildRequires: pkgconfig(libpcrecpp) BuildRequires: pkgconfig(icu-i18n) BuildRequires: pkgconfig(libsoup-2.4) BuildRequires: pkgconfig(xmlsec1) +Requires(preun): systemd +Requires(post): systemd +Requires(postun): systemd %description Security server and utilities @@ -84,11 +88,21 @@ cp LICENSE %{buildroot}/usr/share/license/libsecurity-server-client install -D %{SOURCE1} %{buildroot}%{_datadir}/security-server.manifest install -D %{SOURCE2} %{buildroot}%{_datadir}/libsecurity-server-client.manifest -%clean -rm -rf %{buildroot} +mkdir -p %{buildroot}%{_libdir}/systemd/system/multi-user.target.wants +install -m 0644 %{SOURCE3} %{buildroot}%{_libdir}/systemd/system/security-server.service +ln -s ../security-server.service %{buildroot}%{_libdir}/systemd/system/multi-user.target.wants/security-server.service + +%preun +if [ $1 == 0 ]; then + systemctl stop security-server.service +fi %post +systemctl daemon-reload +if [ $1 == 1 ]; then + systemctl restart security-server.service +fi mkdir -p /etc/rc.d/rc3.d mkdir -p /etc/rc.d/rc5.d ln -s /etc/rc.d/init.d/security-serverd /etc/rc.d/rc3.d/S10security-server @@ -123,6 +137,7 @@ fi echo "[WRT] wrt-security postinst done ..." %postun +systemctl daemon-reload rm -f /etc/rc.d/rc3.d/S10security-server rm -f /etc/rc.d/rc5.d/S10security-server @@ -134,6 +149,8 @@ rm -f /etc/rc.d/rc5.d/S10security-server %files -n security-server %manifest %{_datadir}/security-server.manifest %defattr(-,root,root,-) +%{_libdir}/systemd/system/multi-user.target.wants/security-server.service +%{_libdir}/systemd/system/security-server.service /usr/share/security-server/mw-list %attr(755,root,root) /etc/rc.d/init.d/security-serverd #/etc/rc.d/rc3.d/S10security-server diff --git a/src/security-srv/communication/security-server-comm.c b/src/security-srv/communication/security-server-comm.c index 7b3b1aa..1ae8acd 100644 --- a/src/security-srv/communication/security-server-comm.c +++ b/src/security-srv/communication/security-server-comm.c @@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include @@ -2207,13 +2208,18 @@ int search_middleware_cmdline(char *cmdline) } /* Authenticate the application is middleware daemon - * The middleware must run as root and the cmd line must be pre listed */ + * The middleware must run as root (or middleware user) and the cmd line must be + * pre listed for authentication to succeed */ int authenticate_client_middleware(int sockfd, int *pid) { int retval = SECURITY_SERVER_ERROR_AUTHENTICATION_FAILED; struct ucred cr; unsigned int cl = sizeof(cr); char *cmdline = NULL; + struct passwd pw, *ppw; + size_t buf_size; + char *buf; + static uid_t middleware_uid = 0; *pid = 0; @@ -2225,8 +2231,25 @@ int authenticate_client_middleware(int sockfd, int *pid) goto error; } - /* All middlewares will run as root */ - if(cr.uid != 0) + if (!middleware_uid) + { + buf_size = sysconf(_SC_GETPW_R_SIZE_MAX); + if (buf_size == -1) + buf_size = 1024; + + buf = malloc(buf_size); + + /* This test isn't essential, skip it in case of error */ + if (buf) { + if (getpwnam_r(SECURITY_SERVER_MIDDLEWARE_USER, &pw, buf, buf_size, &ppw) == 0 && ppw) + middleware_uid = pw.pw_uid; + + free(buf); + } + } + + /* Middleware services need to run as root or middleware/app user */ + if(cr.uid != 0 && cr.uid != middleware_uid) { retval = SECURITY_SERVER_ERROR_AUTHENTICATION_FAILED; SEC_SVR_DBG("Non root process has called API: %d", cr.uid); diff --git a/src/security-srv/include/security-server-comm.h b/src/security-srv/include/security-server-comm.h index 3a3de6f..ed87222 100644 --- a/src/security-srv/include/security-server-comm.h +++ b/src/security-srv/include/security-server-comm.h @@ -36,6 +36,8 @@ typedef struct unsigned char return_code; } response_header; +#define SECURITY_SERVER_MIDDLEWARE_USER "app" + /* Message Types */ #define SECURITY_SERVER_MSG_TYPE_COOKIE_REQUEST 0x01 #define SECURITY_SERVER_MSG_TYPE_COOKIE_RESPONSE 0x02 diff --git a/src/security-srv/mw-list b/src/security-srv/mw-list index 9bfa0b0..14a8890 100644 --- a/src/security-srv/mw-list +++ b/src/security-srv/mw-list @@ -1,13 +1,12 @@ /usr/bin/telephony-server /usr/bin/ss-server -/usr/bin/dnet /usr/bin/msg-server /usr/bin/alarm-server -/usr/bin/dnet -/usr/bin/audio-session-mgr-server /usr/bin/lbs_server /usr/bin/power_manager /usr/bin/system_server -/opt/home/root/security_server_tc_server /usr/bin/sec-svr-util - +/usr/bin/mdm-server +/usr/bin/smartcard-daemon +/usr/bin/sound_server +/usr/bin/nfc-manager-daemon -- 2.7.4