BuildRequires: pkgconfig(dlog)
BuildRequires: pkgconfig(openssl)
BuildRequires: libattr-devel
+BuildRequires: libcap-devel
BuildRequires: pkgconfig(libsmack)
BuildRequires: pkgconfig(libprivilege-control)
BuildRequires: pkgconfig(libsystemd-daemon)
ln -s ../security-server-data-share.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-data-share.socket
ln -s ../security-server-get-gid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-get-gid.socket
ln -s ../security-server-privilege-by-pid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
-ln -s ../security-server-app-permissions.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-permissions.socket
ln -s ../security-server-cookie-get.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
ln -s ../security-server-cookie-check.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
ln -s ../security-server-app-privilege-by-name.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket
-ln -s ../security-server-open-for.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-open-for.socket
ln -s ../security-server-password-check.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-password-check.socket
ln -s ../security-server-password-set.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-password-set.socket
ln -s ../security-server-password-reset.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-password-reset.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-get-gid.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-privilege-by-pid.socket
-%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-app-permissions.socket
-%attr(-,root,root) /usr/lib/systemd/system/security-server-app-permissions.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-get.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-get.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-cookie-check.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-cookie-check.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-app-privilege-by-name.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-app-privilege-by-name.socket
-%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-open-for.socket
-%attr(-,root,root) /usr/lib/systemd/system/security-server-open-for.socket
%attr(-,root,root) /etc/security/security-server-audit.conf
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-password-check.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-password-check.socket
${SERVER2_PATH}/main/server2-main.cpp
${SERVER2_PATH}/service/data-share.cpp
${SERVER2_PATH}/service/get-gid.cpp
- ${SERVER2_PATH}/service/app-permissions.cpp
${SERVER2_PATH}/service/cookie.cpp
${SERVER2_PATH}/service/cookie-jar.cpp
${SERVER2_PATH}/service/cookie-common.cpp
${SERVER2_PATH}/service/privilege-by-pid.cpp
- ${SERVER2_PATH}/service/open-for.cpp
- ${SERVER2_PATH}/service/open-for-manager.cpp
${SERVER2_PATH}/service/password.cpp
${SERVER2_PATH}/service/password-file.cpp
${SERVER2_PATH}/service/password-manager.cpp
${SERVER2_PATH}/service/password-file-buffer.cpp
+ ${SERVER2_PATH}/service/smack-common.cpp
)
SET_SOURCE_FILES_PROPERTIES(
TARGET_LINK_LIBRARIES(${TARGET_SECURITY_SERVER}
${SECURITY_SERVER_DEP_LIBRARIES}
${TARGET_SERVER_COMMON}
+ -lcap
)
################################################################################
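Review bot: The added `-lcap` entry in the TARGET_LINK_LIBRARIES call for `${TARGET_SECURITY_SERVER}` is a raw linker flag, so CMake never checks at configure time that libcap is present and a missing library only surfaces as a link error. The new `BuildRequires: libcap-devel` in the spec covers the RPM build but not a build run outside it. Resolve the library explicitly instead, for example `FIND_LIBRARY(LIBCAP_LIBRARY NAMES cap)` and then link `${LIBCAP_LIBRARY}`. Alternatively, if the packaged libcap ships a .pc file, add it to the pkg-config module list that presumably produces `${SECURITY_SERVER_DEP_LIBRARIES}`. The code that uses libcap is not visible in this hunk, so a one-line comment beside the entry naming the service that needs it would help the next reader.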
${SERVER2_PATH}/client/client-common.cpp
${SERVER2_PATH}/client/client-shared-memory.cpp
${SERVER2_PATH}/client/client-get-gid.cpp
- ${SERVER2_PATH}/client/client-app-permissions.cpp
${SERVER2_PATH}/client/client-cookie.cpp
${SERVER2_PATH}/client/client-privilege-by-pid.cpp
${SERVER2_PATH}/client/client-socket-privilege.cpp
- ${SERVER2_PATH}/client/client-open-for.cpp
${SERVER2_PATH}/client/client-password.cpp
)
/*! \brief indicating the response from Security Server is malformed */
#define SECURITY_SERVER_API_ERROR_BAD_RESPONSE -3
-/*! \brief indicating the transmitting request has been failed */
-/* deprecated unused */
-#define SECURITY_SERVER_API_ERROR_SEND_FAILED -4
-
-/*! \brief indicating the receiving response has been failed */
-/* deprecated unused */
-#define SECURITY_SERVER_API_ERROR_RECV_FAILED -5
-
/*! \brief indicating requesting object is not exist */
#define SECURITY_SERVER_API_ERROR_NO_SUCH_OBJECT -6
int security_server_check_privilege_by_sockfd(int sockfd,
const char *object,
const char *access_rights);
-/*
- * This function allows middleware to enable permissions for specified app_id.
- *
- * \param[in] Application ID
- * \param[in] Application type defined in enum at the beginning of this file
- * \param[in] Permissions list
- * \param[in] Persistent
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-app-permissions w"
- */
-int security_server_app_enable_permissions(const char *app_id, app_type_t app_type, const char **perm_list, int persistent);
-
-/*
- * This function allows middleware to disable permissions for specified app_id.
- *
- * \param[in] Application ID
- * \param[in] Application type defined in enum at the beginning of this file
- * \param[in] Permissions list
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-app-permissions w"
- */
-int security_server_app_disable_permissions(const char *app_id, app_type_t app_type, const char **perm_list);
-
-/*
- * This function allows middleware to get UID assigned to cookie
- *
- * \param[in] Cookie
- * \param[out] Handler to store UID
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-cookie-check w"
- */
-int security_server_get_uid_by_cookie(const char *cookie, uid_t *uid);
-
-/*
- * This function allows middleware to check if an app has the specified privilege
- * enabled.
- *
- * \param[in] Application ID
- * \param[in] Application type
- * \param[in] Privilege name
- * \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-app-privilege-by-name w"
- */
-int security_server_app_has_privilege(const char *app_id,
- app_type_t app_type,
- const char *privilege_name,
- int *result);
-
-/*
- * This function allows middleware to check if caller app has the specified privilege
- * enabled. Security Server gets caller app smack label from the IPC socket.
- *
- * \param[in] Application type
- * \param[in] Privilege name
- * \param[out] Handler to store the result. It is set to 1 (true) if privilege is enabled, 0 (false) otherwise
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-app-privilege-by-name w"
- */
-int security_server_app_caller_has_privilege(app_type_t app_type,
- const char *privilege_name,
- int *result);
-
-/*
- * This function allows middleware to get GID assigned to cookie
- *
- * \param[in] Cookie
- * \param[out] Handler to store GID
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-cookie-check w"
- */
-int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid);
-
-/*
- * This function allows to create, if doesn't exist, or open existing file by
- * Security Server on behalf of calling process in secured directory.
- *
- * \param[in] File name to create/open
- * \param[out] File descriptor
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or error code on fail
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-open-for w"
- */
-int security_server_open_for(const char *filename, int *fd) __attribute__((deprecated));
-
-/*
- * This function allows to create, if doesn't exist, file by Security Server on
- * behalf of calling process in secured directory. File gets smack label of
- * designated client process, passed as 'client_label' argument, which is
- * allowed to read created file.
- *
- * \param[in] File name to create
- * \param[in] Label of designated client
- * \param[out] File descriptor
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or one of error codes on fail
- * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED
- * \return SECURITY_SERVER_API_ERROR_SOCKET
- * \return SECURITY_SERVER_API_ERROR_INPUT_PARAM
- * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_CREATION_FAILED
- * \return SECURITY_SERVER_API_ERROR_SETTING_FILE_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_EXIST
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-open-for w"
- */
-int security_server_shared_file_open(const char *filename, const char *client_label, int *fd);
-
-/*
- * This function allows to open existing file by Security Server on behalf of
- * calling process in secured directory. Security Server checks smack label
- * of calling process and if it's the same as file label access to file is
- * granted.
- *
- * \param[in] File name to open
- * \param[out] File descriptor
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or one of error codes on fail
- * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED
- * \return SECURITY_SERVER_API_ERROR_SOCKET
- * \return SECURITY_SERVER_API_ERROR_INPUT_PARAM
- * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-open-for w"
- */
-int security_server_shared_file_reopen(const char *filename, int *fd);
-
-/*
- * This function allows to delete existing file by Security Server on behalf of
- * calling process in secured directory. Security Server checks smack label
- * of calling process and if it's the same as file label data file is deleted.
- *
- * \param[in] File name to delete
- *
- * \return SECURITY_SERVER_API_SUCCESS on success or one of error codes on fail
- * \return SECURITY_SERVER_API_ERROR_ACCESS_DENIED
- * \return SECURITY_SERVER_API_ERROR_SOCKET
- * \return SECURITY_SERVER_API_ERROR_INPUT_PARAM
- * \return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED
- * \return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_DELETION_FAILED
- * \return SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST
- *
- * Access to this function requires SMACK rule: "<app_label> security-server::api-open-for w"
- */
-int security_server_shared_file_delete(const char *filename);
#ifdef __cplusplus
}
+++ /dev/null
-/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file client-app-permissions.cpp
- * @author Pawel Polawski (pawel.polawski@partner.samsung.com)
- * @version 1.0
- * @brief This file contain implementation of security_server_app_enable_permissions
- * and security_server_app_disable functions
- */
-
-
-#include <stdio.h>
-
-#include <dpl/log/log.h>
-#include <dpl/exception.h>
-
-#include <message-buffer.h>
-#include <client-common.h>
-#include <protocols.h>
-
-#include <privilege-control.h>
-#include <security-server.h>
-
-
-SECURITY_SERVER_API
-int security_server_app_enable_permissions(const char *app_id, app_type_t app_type, const char **perm_list, int persistent)
-{
- using namespace SecurityServer;
- MessageBuffer send, recv;
- std::vector<std::string> permissions_list;
-
- LogDebug("security_server_app_enable_permissions() called");
-
- return try_catch([&] {
- if ((NULL == app_id) || (strlen(app_id) == 0)) {
- LogDebug("App_id is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
- if ((NULL == perm_list) || (strlen(perm_list[0]) == 0)) {
- LogDebug("Perm_list is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- LogDebug("app_type: " << (int)app_type);
- LogDebug("persistent: " << persistent);
- LogDebug("app_id: " << app_id);
-
- //put all strings in STL vector
- for (int i = 0; perm_list[i] != NULL; i++) {
- LogDebug("perm_list[" << i << "]: " << perm_list[i]);
- permissions_list.push_back(std::string(perm_list[i]));
- }
-
- //put data into buffer
- Serialization::Serialize(send, (int)AppPermissionsAction::ENABLE); //works as a MSG_ID
- Serialization::Serialize(send, persistent);
- Serialization::Serialize(send, (int)app_type);
- Serialization::Serialize(send, std::string(app_id));
- Serialization::Serialize(send, permissions_list);
-
- //send buffer to server
- int result = sendToServer(SERVICE_SOCKET_APP_PERMISSIONS, send.Pop(), recv);
- if (result != SECURITY_SERVER_API_SUCCESS) {
- LogDebug("Error in sendToServer. Error code: " << result);
- return result;
- }
-
- //receive response from server
- Deserialization::Deserialize(recv, result);
- return result;
- });
-}
-
-
-SECURITY_SERVER_API
-int security_server_app_disable_permissions(const char *app_id, app_type_t app_type, const char **perm_list)
-{
- using namespace SecurityServer;
- MessageBuffer send, recv;
- std::vector<std::string> permissions_list;
-
- LogDebug("security_server_app_disable_permissions() called");
-
- return try_catch([&] {
- if ((NULL == app_id) || (strlen(app_id) == 0)) {
- LogDebug("App_id is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
- if ((NULL == perm_list) || (strlen(perm_list[0]) == 0)) {
- LogDebug("Perm_list is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- LogDebug("app_type: " << (int)app_type);
- LogDebug("app_id: " << app_id);
-
- //put all strings in STL vector
- for (int i = 0; perm_list[i] != NULL; i++) {
- LogDebug("perm_list[" << i << "]: " << perm_list[i]);
- permissions_list.push_back(std::string(perm_list[i]));
- }
-
- //put data into buffer
- Serialization::Serialize(send, (int)AppPermissionsAction::DISABLE); //works as a MSG_ID
- Serialization::Serialize(send, (int)app_type);
- Serialization::Serialize(send, std::string(app_id));
- Serialization::Serialize(send, permissions_list);
-
- //send buffer to server
- int result = sendToServer(SERVICE_SOCKET_APP_PERMISSIONS, send.Pop(), recv);
- if (result != SECURITY_SERVER_API_SUCCESS) {
- LogDebug("Error in sendToServer. Error code: " << result);
- return result;
- }
-
- //receive response from server
- Deserialization::Deserialize(recv, result);
- return result;
- });
-}
-
-
-SECURITY_SERVER_API
-int security_server_app_has_privilege(const char *app_id,
- app_type_t app_type,
- const char *privilege_name,
- int *result)
-{
- using namespace SecurityServer;
- MessageBuffer send, recv;
-
- LogDebug("security_server_app_has_privilege() called");
-
- try {
- if ((NULL == app_id) || (strlen(app_id) == 0)) {
- LogError("app_id is NULL or empty");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
- if ((NULL == privilege_name) || (strlen(privilege_name) == 0)) {
- LogError("privilege_name is NULL or empty");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
- if (NULL == result) {
- LogError("result is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- LogDebug("app_id: " << app_id);
- LogDebug("app_type: " << static_cast<int>(app_type));
- LogDebug("privilege_name: " << privilege_name);
-
- //put data into buffer
- Serialization::Serialize(send, static_cast<int>(PrivilegeCheckHdrs::CHECK_GIVEN_APP));
- Serialization::Serialize(send, std::string(app_id));
- Serialization::Serialize(send, static_cast<int>(app_type));
- Serialization::Serialize(send, std::string(privilege_name));
-
- //send buffer to server
- int apiResult = sendToServer(SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME, send.Pop(), recv);
- if (apiResult != SECURITY_SERVER_API_SUCCESS) {
- LogError("Error in sendToServer. Error code: " << apiResult);
- return apiResult;
- }
-
- //receive response from server
- Deserialization::Deserialize(recv, apiResult);
- if (apiResult == SECURITY_SERVER_API_SUCCESS) {
- Deserialization::Deserialize(recv, *result);
- }
- return apiResult;
-
- } catch (MessageBuffer::Exception::Base &e) {
- LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
- } catch (std::exception &e) {
- LogError("STD exception " << e.what());
- } catch (...) {
- LogError("Unknown exception occured");
- }
-
- return SECURITY_SERVER_API_ERROR_UNKNOWN;
-}
-
-
-SECURITY_SERVER_API
-int security_server_app_caller_has_privilege(app_type_t app_type,
- const char *privilege_name,
- int *result)
-{
- using namespace SecurityServer;
- MessageBuffer send, recv;
-
- LogDebug("security_server_app_caller_has_privilege() called");
-
- try {
- if ((NULL == privilege_name) || (strlen(privilege_name) == 0)) {
- LogError("privilege_name is NULL or empty");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
- if (NULL == result) {
- LogError("result is NULL");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- LogDebug("app_type: " << static_cast<int>(app_type));
- LogDebug("privilege_name: " << privilege_name);
-
- //put data into buffer
- Serialization::Serialize(send, static_cast<int>(PrivilegeCheckHdrs::CHECK_CALLER_APP));
- Serialization::Serialize(send, static_cast<int>(app_type));
- Serialization::Serialize(send, std::string(privilege_name));
-
- //send buffer to server
- int apiResult = sendToServer(SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME, send.Pop(), recv);
- if (apiResult != SECURITY_SERVER_API_SUCCESS) {
- LogError("Error in sendToServer. Error code: " << apiResult);
- return apiResult;
- }
-
- //receive response from server
- Deserialization::Deserialize(recv, apiResult);
- if (apiResult == SECURITY_SERVER_API_SUCCESS) {
- Deserialization::Deserialize(recv, *result);
- }
- return apiResult;
-
- } catch (MessageBuffer::Exception::Base &e) {
- LogError("SecurityServer::MessageBuffer::Exception " << e.DumpToString());
- } catch (std::exception &e) {
- LogError("STD exception " << e.what());
- } catch (...) {
- LogError("Unknown exception occured");
- }
-
- return SECURITY_SERVER_API_ERROR_UNKNOWN;
-}
});
}
-SECURITY_SERVER_API
-int security_server_get_gid_by_cookie(const char *cookie, gid_t *gid)
-{
- using namespace SecurityServer;
- MessageBuffer send, recv;
- int retval = SECURITY_SERVER_API_ERROR_UNKNOWN;
-
- LogDebug("security_server_get_uid_by_cookie() called");
-
- if ((cookie == NULL) || (gid == NULL))
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
-
- //preprae cookie to send
- std::vector<char> key(cookie, cookie + COOKIE_SIZE);
-
- return try_catch([&] {
- //put data into buffer
- Serialization::Serialize(send, (int)CookieCall::CHECK_GID);
- Serialization::Serialize(send, key);
-
- //send buffer to server
- retval = sendToServer(SERVICE_SOCKET_COOKIE_CHECK, send.Pop(), recv);
- if (retval != SECURITY_SERVER_API_SUCCESS) {
- LogDebug("Error in sendToServer. Error code: " << retval);
- return retval;
- }
-
- //receive response from server
- Deserialization::Deserialize(recv, retval);
- if (retval == SECURITY_SERVER_API_SUCCESS) {
- int tmp;
- Deserialization::Deserialize(recv, tmp);
- *gid = static_cast<gid_t>(tmp);
- }
-
- return retval;
- });
-}
-
+++ /dev/null
-/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file client-open-for.cpp
- * @author Zbigniew Jasinski (z.jasinski@samsung.com)
- * @version 1.0
- * @brief This file contains implementation of security-server API
- * for file opening.
- */
-
-#include <cstring>
-
-#include <dpl/log/log.h>
-#include <dpl/exception.h>
-
-#include <message-buffer.h>
-#include <client-common.h>
-#include <protocols.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <security-server.h>
-
-namespace {
-
-void create_msghdr(struct msghdr* hdr,
- struct iovec* iov,
- unsigned char* cmsgbuf,
- const size_t cmsgbufSize,
- int* retcode)
-{
- memset(hdr, 0, sizeof(struct msghdr));
- memset(cmsgbuf, 0, cmsgbufSize);
-
- iov->iov_base = retcode;
- iov->iov_len = sizeof(*retcode);
- hdr->msg_iov = iov;
- hdr->msg_iovlen = 1;
-
- if (NULL != cmsgbuf) {
- hdr->msg_control = cmsgbuf;
- hdr->msg_controllen = cmsgbufSize;
- }
-}
-
-} // namespace anonymous
-
-SECURITY_SERVER_API
-int security_server_open_for(const char *filename, int *fd)
-{
- using namespace SecurityServer;
- return try_catch([&] {
- if (NULL == filename || !strlen(filename)) {
- LogError("Error input param.");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- MessageBuffer send;
-
- Serialization::Serialize(send, (int)OpenForHdrs::OPEN_DEPRECATED);
- Serialization::Serialize(send, std::string(filename));
-
- struct msghdr hdr;
- struct iovec iov;
- unsigned char cmsgbuf[CMSG_SPACE(sizeof(int))];
- int retcode = -1;
-
- create_msghdr(&hdr, &iov, &cmsgbuf[0], sizeof(cmsgbuf), &retcode);
-
- int result = sendToServerAncData(SERVICE_SOCKET_OPEN_FOR, send.Pop(), hdr);
- if (result != SECURITY_SERVER_API_SUCCESS) {
- *fd = -1;
- return result;
- }
-
- if (hdr.msg_flags & MSG_CTRUNC) {
- LogError("Not enough space for ancillary element array.");
- *fd = -1;
- return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL;
- }
-
- for(cmsghdr *cmsg = CMSG_FIRSTHDR(&hdr); cmsg != NULL; cmsg = CMSG_NXTHDR(&hdr, cmsg)) {
- if((SOL_SOCKET == cmsg->cmsg_level) && (SCM_RIGHTS == cmsg->cmsg_type)) {
- memmove(fd, CMSG_DATA(cmsg), sizeof(int));
- }
- }
-
- return retcode;
- });
-}
-
-SECURITY_SERVER_API
-int security_server_shared_file_open(const char *filename, const char *client_label, int *fd)
-{
- using namespace SecurityServer;
- return try_catch([&] {
- if ((NULL == filename || !strlen(filename) ||
- (NULL == client_label || !strlen(client_label)))) {
- LogError("Error input param.");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- MessageBuffer send;
-
- Serialization::Serialize(send, (int)OpenForHdrs::OPEN);
- Serialization::Serialize(send, std::string(filename));
- Serialization::Serialize(send, std::string(client_label));
-
- struct msghdr hdr;
- struct iovec iov;
- unsigned char cmsgbuf[CMSG_SPACE(sizeof(int))];
- int retcode = -1;
-
- create_msghdr(&hdr, &iov, &cmsgbuf[0], sizeof(cmsgbuf), &retcode);
-
- int result = sendToServerAncData(SERVICE_SOCKET_OPEN_FOR, send.Pop(), hdr);
- if (result != SECURITY_SERVER_API_SUCCESS) {
- *fd = -1;
- return result;
- }
-
- if (hdr.msg_flags & MSG_CTRUNC) {
- LogError("Not enough space for ancillary element array.");
- *fd = -1;
- return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL;
- }
-
- /*
- * Since 'socket packet' can handle more than one control message
- * we need to iterate through all ancillary data elements and check
- * which one has our file desciptor (SCM_RIGHTS == cmsg->cmsg_type)
- */
- for(cmsghdr *cmsg = CMSG_FIRSTHDR(&hdr); cmsg != NULL; cmsg = CMSG_NXTHDR(&hdr, cmsg)) {
- if((SOL_SOCKET == cmsg->cmsg_level) && (SCM_RIGHTS == cmsg->cmsg_type)) {
- memmove(fd, CMSG_DATA(cmsg), sizeof(int));
- }
- }
-
- return retcode;
- });
-}
-
-SECURITY_SERVER_API
-int security_server_shared_file_reopen(const char *filename, int *fd)
-{
- using namespace SecurityServer;
- return try_catch([&] {
- if ((NULL == filename || !strlen(filename))) {
- LogError("Error input param.");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- MessageBuffer send;
-
- Serialization::Serialize(send, (int)OpenForHdrs::REOPEN);
- Serialization::Serialize(send, std::string(filename));
-
- struct msghdr hdr;
- struct iovec iov;
- unsigned char cmsgbuf[CMSG_SPACE(sizeof(int))];
- int retcode = -1;
-
- create_msghdr(&hdr, &iov, &cmsgbuf[0], sizeof(cmsgbuf), &retcode);
-
- int result = sendToServerAncData(SERVICE_SOCKET_OPEN_FOR, send.Pop(), hdr);
- if (result != SECURITY_SERVER_API_SUCCESS) {
- *fd = -1;
- return result;
- }
-
- if (hdr.msg_flags & MSG_CTRUNC) {
- LogError("Not enough space for ancillary element array.");
- *fd = -1;
- return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL;
- }
-
- /*
- * Since 'socket packet' can handle more than one control message
- * we need to iterate through all ancillary data elements and check
- * which one has our file desciptor (SCM_RIGHTS == cmsg->cmsg_type)
- */
- for(cmsghdr *cmsg = CMSG_FIRSTHDR(&hdr); cmsg != NULL; cmsg = CMSG_NXTHDR(&hdr, cmsg)) {
- if((SOL_SOCKET == cmsg->cmsg_level) && (SCM_RIGHTS == cmsg->cmsg_type)) {
- memmove(fd, CMSG_DATA(cmsg), sizeof(int));
- }
- }
-
- return retcode;
- });
-}
-
-SECURITY_SERVER_API
-int security_server_shared_file_delete(const char *filename)
-{
- using namespace SecurityServer;
- return try_catch([&] {
- if ((NULL == filename || !strlen(filename))) {
- LogError("Error input param.");
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- }
-
- MessageBuffer send;
-
- Serialization::Serialize(send, (int)OpenForHdrs::DELETE);
- Serialization::Serialize(send, std::string(filename));
-
- struct msghdr hdr;
- struct iovec iov;
- int retcode = -1;
-
- create_msghdr(&hdr, &iov, NULL, 0, &retcode);
-
- int result = sendToServerAncData(SERVICE_SOCKET_OPEN_FOR, send.Pop(), hdr);
- if (result != SECURITY_SERVER_API_SUCCESS)
- return result;
-
- if (hdr.msg_flags & MSG_CTRUNC) {
- LogError("Not enough space for ancillary element array.");
- return SECURITY_SERVER_API_ERROR_BUFFER_TOO_SMALL;
- }
-
- return retcode;
- });
-}
"/tmp/.security-server-api-get-gid.sock";
char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID =
"/tmp/.security-server-api-privilege-by-pid.sock";
-char const * const SERVICE_SOCKET_APP_PERMISSIONS =
- "/tmp/.security-server-api-app-permissions.sock";
char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME =
"/tmp/.security-server-api-app-privilege-by-name.sock";
char const * const SERVICE_SOCKET_COOKIE_GET =
"/tmp/.security-server-api-cookie-get.sock";
char const * const SERVICE_SOCKET_COOKIE_CHECK =
"/tmp/.security-server-api-cookie-check.sock";
-char const * const SERVICE_SOCKET_OPEN_FOR =
- "/tmp/.security-server-api-open-for.sock";
char const * const SERVICE_SOCKET_PASSWD_CHECK =
"/tmp/.security-server-api-password-check.sock";
char const * const SERVICE_SOCKET_PASSWD_SET =
extern char const * const SERVICE_SOCKET_SHARED_MEMORY;
extern char const * const SERVICE_SOCKET_GET_GID;
extern char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID;
-extern char const * const SERVICE_SOCKET_APP_PERMISSIONS;
extern char const * const SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME;
extern char const * const SERVICE_SOCKET_COOKIE_GET;
extern char const * const SERVICE_SOCKET_COOKIE_CHECK;
-extern char const * const SERVICE_SOCKET_OPEN_FOR;
extern char const * const SERVICE_SOCKET_PASSWD_CHECK;
extern char const * const SERVICE_SOCKET_PASSWD_SET;
extern char const * const SERVICE_SOCKET_PASSWD_RESET;
CHECK_UID
};
-enum class PrivilegeCheckHdrs
-{
- CHECK_GIVEN_APP,
- CHECK_CALLER_APP
-};
-
-enum class OpenForHdrs : unsigned int
-{
- OPEN,
- REOPEN,
- DELETE,
- OPEN_DEPRECATED
-};
-
extern const size_t COOKIE_SIZE;
enum class PasswordHdrs
#include <data-share.h>
#include <get-gid.h>
#include <privilege-by-pid.h>
-#include <app-permissions.h>
#include <cookie.h>
-#include <open-for.h>
#include <password.h>
IMPLEMENT_SAFE_SINGLETON(SecurityServer::Log::LogSystem);
LogInfo("Start!");
SecurityServer::SocketManager manager;
- REGISTER_SOCKET_SERVICE(manager, SecurityServer::OpenForService);
REGISTER_SOCKET_SERVICE(manager, SecurityServer::CookieService);
REGISTER_SOCKET_SERVICE(manager, SecurityServer::SharedMemoryService);
REGISTER_SOCKET_SERVICE(manager, SecurityServer::GetGidService);
REGISTER_SOCKET_SERVICE(manager, SecurityServer::PrivilegeByPidService);
- REGISTER_SOCKET_SERVICE(manager, SecurityServer::AppPermissionsService);
REGISTER_SOCKET_SERVICE(manager, SecurityServer::PasswordService);
manager.MainLoop();
+++ /dev/null
-/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file app-permissions.cpp
- * @author Pawel Polawski (pawel.polawski@partner.samsung.com)
- * @version 1.0
- * @brief This function contain implementation of security_server_app_enable_permissions
- * and security_server_app_disable_permissions on server side
- */
-
-#include <memory>
-#include <dpl/log/log.h>
-#include <dpl/serialization.h>
-#include <privilege-control.h>
-
-#include <sys/smack.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <app-permissions.h>
-#include <protocols.h>
-#include <security-server.h>
-#include <privilege-control.h>
-
-namespace {
-
-int privilegeToSecurityServerError(int error) {
- switch (error) {
- case PC_OPERATION_SUCCESS: return SECURITY_SERVER_API_SUCCESS;
- case PC_ERR_FILE_OPERATION: return SECURITY_SERVER_API_ERROR_UNKNOWN;
- case PC_ERR_MEM_OPERATION: return SECURITY_SERVER_API_ERROR_OUT_OF_MEMORY;
- case PC_ERR_NOT_PERMITTED: return SECURITY_SERVER_API_ERROR_ACCESS_DENIED;
- case PC_ERR_INVALID_PARAM: return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
- case PC_ERR_INVALID_OPERATION:
- case PC_ERR_DB_OPERATION:
- default:
- ;
- }
- return SECURITY_SERVER_API_ERROR_UNKNOWN;
-}
-
-// interface ids
-const SecurityServer::InterfaceID CHANGE_APP_PERMISSIONS = 0;
-const SecurityServer::InterfaceID CHECK_APP_PRIVILEGE = 1;
-
-} // namespace anonymous
-
-namespace SecurityServer {
-
-GenericSocketService::ServiceDescriptionVector AppPermissionsService::GetServiceDescription() {
- return ServiceDescriptionVector {
- { SERVICE_SOCKET_APP_PERMISSIONS,
- "security-server::api-app-permissions",
- CHANGE_APP_PERMISSIONS },
- { SERVICE_SOCKET_APP_PRIVILEGE_BY_NAME,
- "security-server::api-app-privilege-by-name",
- CHECK_APP_PRIVILEGE }
- };
-}
-
-void AppPermissionsService::accept(const AcceptEvent &event) {
- LogDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock
- << " ConnectionID.counter: " << event.connectionID.counter
- << " ServiceID: " << event.interfaceID);
- auto &info = m_connectionInfoMap[event.connectionID.counter];
- info.interfaceID = event.interfaceID;
-}
-
-void AppPermissionsService::write(const WriteEvent &event) {
- LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock <<
- " Size: " << event.size << " Left: " << event.left);
- if (event.left == 0)
- m_serviceManager->Close(event.connectionID);
-}
-
-void AppPermissionsService::process(const ReadEvent &event) {
- LogDebug("Read event for counter: " << event.connectionID.counter);
- auto &info = m_connectionInfoMap[event.connectionID.counter];
- info.buffer.Push(event.rawBuffer);
-
- // We can get several requests in one package.
- // Extract and process them all
- while(processOne(event.connectionID, info.buffer, info.interfaceID));
-}
-
-void AppPermissionsService::close(const CloseEvent &event) {
- LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock);
- m_connectionInfoMap.erase(event.connectionID.counter);
-}
-
-bool AppPermissionsService::processOne(const ConnectionID &conn,
- MessageBuffer &buffer,
- InterfaceID interfaceID)
-{
- LogDebug("Iteration begin");
-
- //waiting for all data
- if (!buffer.Ready()) {
- return false;
- }
-
- LogDebug("Entering app_permissions server side handler");
-
- switch(interfaceID) {
- case CHANGE_APP_PERMISSIONS:
- return processPermissionsChange(conn, buffer);
-
- case CHECK_APP_PRIVILEGE:
- return processCheckAppPrivilege(conn, buffer);
-
- default:
- LogDebug("Unknown interfaceId. Closing socket.");
- m_serviceManager->Close(conn);
- return false;
- }
-}
-
-bool AppPermissionsService::processPermissionsChange(const ConnectionID &conn, MessageBuffer &buffer)
-{
- MessageBuffer send;
- std::vector<std::string> permissions_list;
- std::string app_id;
- int persistent;
- size_t iter;
- int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
- app_type_t app_type;
- AppPermissionsAction appPermAction;
-
- LogDebug("Processing permissions change request");
-
- //receive data from buffer and check MSG_ID
- Try {
- int temp;
- Deserialization::Deserialize(buffer, temp); //receive MSG_ID
- appPermAction = (AppPermissionsAction)temp;
-
- if (appPermAction == AppPermissionsAction::ENABLE) //persistent is only in APP_ENABLE frame
- Deserialization::Deserialize(buffer, persistent);
-
- Deserialization::Deserialize(buffer, temp);
- app_type = (app_type_t)temp;
- Deserialization::Deserialize(buffer, app_id);
- Deserialization::Deserialize(buffer, permissions_list);
- } Catch (MessageBuffer::Exception::Base) {
- LogDebug("Broken protocol. Closing socket.");
- m_serviceManager->Close(conn);
- return false;
- }
-
- //+1 bellow is for NULL pointer at the end
- std::unique_ptr<const char *[]> perm_list (new (std::nothrow) const char *[permissions_list.size() + 1]);
- if (NULL == perm_list.get()) {
- LogError("Allocation error");
- m_serviceManager->Close(conn);
- return false;
- }
-
- //print received data
- LogDebug("app_type: " << (int)app_type);
- if (appPermAction == AppPermissionsAction::ENABLE) //persistent is only in APP_ENABLE frame
- LogDebug("persistent: " << persistent);
- LogDebug("app_id: " << app_id);
-
- //left one free pointer for the NULL at the end
- for (iter = 0; iter < permissions_list.size(); ++iter) {
- LogDebug("perm_list[" << iter << "]: " << permissions_list[iter]);
- perm_list[iter] = (permissions_list[iter]).c_str();
- }
- //put the NULL at the end
- perm_list[iter] = NULL;
-
- //use received data
- if (appPermAction == AppPermissionsAction::ENABLE) {
- LogDebug("Calling perm_app_enable_permissions()");
- result = perm_app_enable_permissions(app_id.c_str(), app_type, perm_list.get(), persistent);
- LogDebug("perm_app_enable_permissions() returned: " << result);
- } else {
- LogDebug("Calling perm_app_disable_permissions()");
- result = perm_app_disable_permissions(app_id.c_str(), app_type, perm_list.get());
- LogDebug("perm_app_disable_permissions() returned: " << result);
- }
-
- //send response
- Serialization::Serialize(send, privilegeToSecurityServerError(result));
- m_serviceManager->Write(conn, send.Pop());
- return true;
-}
-
-bool AppPermissionsService::processCheckAppPrivilege(const ConnectionID &conn, MessageBuffer &buffer)
-{
- MessageBuffer send;
- std::string privilege_name;
- std::string app_id;
- int result = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
- app_type_t app_type;
- bool has_permission = false;
- PrivilegeCheckHdrs checkType = PrivilegeCheckHdrs::CHECK_GIVEN_APP;
-
- LogDebug("Processing app privilege check request");
-
- //receive data from buffer
- Try {
- int temp;
- Deserialization::Deserialize(buffer, temp); // call type
- checkType = static_cast<PrivilegeCheckHdrs>(temp);
- LogDebug("App privilege check call type: "
- << (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP ?
- "CHECK_GIVEN_APP":"CHECK_CALLER_APP"));
- if (checkType == PrivilegeCheckHdrs::CHECK_GIVEN_APP) { //app_id present only in this case
- Deserialization::Deserialize(buffer, app_id); //get app id
- }
- Deserialization::Deserialize(buffer, temp); //get app type
- app_type = static_cast<app_type_t>(temp);
-
- Deserialization::Deserialize(buffer, privilege_name); //get privilege name
- } Catch (MessageBuffer::Exception::Base) {
- LogDebug("Broken protocol. Closing socket.");
- m_serviceManager->Close(conn);
- return false;
- }
-
- if (checkType == PrivilegeCheckHdrs::CHECK_CALLER_APP) { //get sender app_id in this case
- char *label = NULL;
- if (smack_new_label_from_socket(conn.sock, &label) < 0) {
- LogDebug("Error in smack_new_label_from_socket(): "
- "client label is unknown. Sending error response.");
- Serialization::Serialize(send, SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED);
- m_serviceManager->Write(conn, send.Pop());
- return false;
- } else {
- app_id = label;
- free(label);
- }
- } //end if
-
- //print received data
- LogDebug("app_id: " << app_id);
- LogDebug("app_type: " << static_cast<int>(app_type));
- LogDebug("privilege_name: " << privilege_name);
-
- LogDebug("Calling perm_app_has_permission()");
- result = perm_app_has_permission(app_id.c_str(), app_type, privilege_name.c_str(), &has_permission);
- LogDebug("perm_app_has_permission() returned: " << result << " , permission enabled: " << has_permission);
-
- //send response
- Serialization::Serialize(send, privilegeToSecurityServerError(result));
- Serialization::Serialize(send, static_cast<int>(has_permission));
- m_serviceManager->Write(conn, send.Pop());
- return true;
-}
-
-} // namespace SecurityServer
+++ /dev/null
-/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file app-permissions.h
- * @author Pawel Polawski (p.polawski@partner.samsung.com)
- * @version 1.0
- * @brief This function contain header for implementation of security_server_app_enable_permissions
- * and SS_app_disable_permissions on server side
- */
-
-#ifndef _SECURITY_SERVER_APP_PERMISSIONS_
-#define _SECURITY_SERVER_APP_PERMISSIONS_
-
-#include <service-thread.h>
-#include <generic-socket-manager.h>
-#include <dpl/serialization.h>
-#include <message-buffer.h>
-#include <connection-info.h>
-
-namespace SecurityServer {
-
-class AppPermissionsService :
- public SecurityServer::GenericSocketService
- , public SecurityServer::ServiceThread<AppPermissionsService>
-{
-public:
- ServiceDescriptionVector GetServiceDescription();
-
- DECLARE_THREAD_EVENT(AcceptEvent, accept)
- DECLARE_THREAD_EVENT(WriteEvent, write)
- DECLARE_THREAD_EVENT(ReadEvent, process)
- DECLARE_THREAD_EVENT(CloseEvent, close)
-
- void accept(const AcceptEvent &event);
- void write(const WriteEvent &event);
- void process(const ReadEvent &event);
- void close(const CloseEvent &event);
-
-private:
- bool processOne(const ConnectionID &conn, MessageBuffer &buffer, InterfaceID interfaceID);
-
- bool processPermissionsChange(const ConnectionID &conn, MessageBuffer &buffer);
- bool processCheckAppPrivilege(const ConnectionID &conn, MessageBuffer &buffer);
-
- ConnectionInfoMap m_connectionInfoMap;
-};
-
-} // namespace SecurityServer
-
-#endif // _SECURITY_SERVER_APP_ENABLE_PERMISSIONS_
#include <linux/limits.h>
#include <signal.h>
#include <errno.h>
+#include <smack-common.h>
namespace SecurityServer {
//get smack label if smack enabled
if (smack_check()) {
char label[SMACK_LABEL_LEN + 1];
- retval = get_smack_label_from_process(pid, label);
- if (retval != PC_OPERATION_SUCCESS) {
+ if (-1 == get_smack_label_from_process(pid, label)) {
LogDebug("Unable to get smack label of process");
return NULL;
}
+++ /dev/null
-/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file open-for-manager.cpp
- * @author Zbigniew Jasinski (z.jasinski@samsung.com)
- * @version 1.0
- * @brief Implementation of open-for management functions
- */
-
-#include "open-for-manager.h"
-
-#include <string.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <dirent.h>
-#include <fcntl.h>
-#include <unistd.h>
-
-#include <sys/smack.h>
-#include <smack-check.h>
-
-#include <dpl/log/log.h>
-#include <dpl/serialization.h>
-
-#include <security-server.h>
-#include <security-server-util.h>
-
-const std::string DATA_DIR = "/var/run/security-server";
-const std::string ALLOWED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ \
- abcdefghijklmnopqrstuvwxyz \
- 0123456789._-";
-
-namespace SecurityServer
-{
- // SockCred implementations
- SockCred::SockCred()
- {
- m_len = sizeof(struct ucred);
- memset(&m_cr, 0, m_len);
- }
-
- bool SockCred::getCred(int socket)
- {
- if (getsockopt(socket, SOL_SOCKET, SO_PEERCRED, &m_cr, &m_len)) {
- int err = errno;
- LogError("Unable to get client credentials: " << strerror(err));
- return true;
- }
-
- if (smack_check()) {
- char label[SMACK_LABEL_LEN + 1];
- if (PC_OPERATION_SUCCESS != get_smack_label_from_process(m_cr.pid, label)) {
- LogError("Unable to get smack label of process.");
- return true;
- }
- m_sockSmackLabel = label;
- } else
- m_sockSmackLabel.clear();
-
- return false;
- }
-
- std::string SockCred::getLabel() const
- {
- return m_sockSmackLabel;
- }
-
- // SharedFile implementations
- SharedFile::SharedFile()
- {
- if (!dirExist(DATA_DIR.c_str()))
- mkdir(DATA_DIR.c_str(), 0700);
- else {
- deleteDir(DATA_DIR.c_str());
- mkdir(DATA_DIR.c_str(), 0700);
- }
- }
-
- bool SharedFile::fileExist(const std::string &filename)
- {
- std::string filepath = DATA_DIR + "/" + filename;
- struct stat buf;
-
- return ((lstat(filepath.c_str(), &buf) == 0) &&
- (((buf.st_mode) & S_IFMT) != S_IFLNK));
- }
-
- bool SharedFile::dirExist(const std::string &dirpath)
- {
- struct stat buf;
-
- return ((lstat(dirpath.c_str(), &buf) == 0) &&
- (((buf.st_mode) & S_IFMT) == S_IFDIR));
- }
-
- bool SharedFile::deleteDir(const std::string &dirpath)
- {
- DIR *dirp;
- struct dirent *dp;
- char path[PATH_MAX];
-
- if ((dirp = opendir(dirpath.c_str())) == NULL) {
- int err = errno;
- LogError("Cannot open data directory. " << strerror(err));
- return true;
- }
-
- while ((dp = readdir(dirp)) != NULL) {
- if (strcmp(dp->d_name, ".") && strcmp(dp->d_name, "..")) {
- snprintf(path, (size_t) PATH_MAX, "%s/%s", dirpath.c_str(), dp->d_name);
- if (dp->d_type == DT_DIR) {
- deleteDir(path);
- } else {
- unlink(path);
- }
- }
- }
- closedir(dirp);
- rmdir(dirpath.c_str());
-
- return false;
- }
-
- bool SharedFile::createFile(const std::string &filename)
- {
- int fd = -1;
- std::string filepath = DATA_DIR + "/" + filename;
-
- fd = TEMP_FAILURE_RETRY(open(filepath.c_str(), O_CREAT | O_WRONLY | O_EXCL, 0600));
- int err = errno;
- if (-1 == fd) {
- LogError("Cannot create file. Error in open(): " << strerror(err));
- return true;
- }
-
- TEMP_FAILURE_RETRY(close(fd));
-
- return false;
- }
-
- bool SharedFile::openFile(const std::string &filename, int &fd)
- {
- std::string filepath = DATA_DIR + "/" + filename;
-
- fd = TEMP_FAILURE_RETRY(open(filepath.c_str(), O_CREAT | O_RDWR, 0600));
- int err = errno;
- if (-1 == fd) {
- LogError("Cannot open file. Error in open(): " << strerror(err));
- return true;
- }
-
- return false;
- }
-
- bool SharedFile::deleteFile(const std::string &filename)
- {
- std::string filepath = DATA_DIR + "/" + filename;
-
- if (remove(filepath.c_str())) {
- LogError("Unable to delete file: " << filename.c_str() << " " << strerror(errno));
- return true;
- }
-
- return false;
- }
-
- bool SharedFile::setFileLabel(const std::string &filename, const std::string &label)
- {
- std::string filepath = DATA_DIR + "/" + filename;
-
- if (smack_setlabel(filepath.c_str(), label.c_str(), SMACK_LABEL_ACCESS)) {
- LogError("Cannot set SMACK label on file.");
- return true;
- }
-
- return false;
- }
-
- bool SharedFile::getFileLabel(const std::string &filename)
- {
- std::string filepath = DATA_DIR + "/" + filename;
- char *label = NULL;
-
- if (smack_check()) {
- if (0 != smack_getlabel(filepath.c_str(), &label, SMACK_LABEL_ACCESS)) {
- LogError("Unable to get smack label of process.");
- return true;
- }
- }
-
- if (label) {
- m_fileSmackLabel = label;
- free(label);
- } else
- m_fileSmackLabel.clear();
-
- return false;
- }
-
- bool SharedFile::checkFileNameSyntax(const std::string &filename) const
- {
- std::size_t found = filename.find_first_not_of(ALLOWED_CHARS);
-
- if (found != std::string::npos || '-' == filename[0] ||
- '.' == filename[0]) {
- LogError("Illegal character in filename.");
- return true;
- }
-
- return false;
- }
-
- int SharedFile::openSharedFile(const std::string &filename,
- const std::string &client_label, int socket, int &fd)
- {
- if (checkFileNameSyntax(filename))
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
-
- if (m_sockCred.getCred(socket))
- return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED;
-
- if (fileExist(filename))
- return SECURITY_SERVER_API_ERROR_FILE_EXIST;
-
- LogSecureDebug("File: " << filename.c_str() << " does not exist.");
-
- if (createFile(filename))
- return SECURITY_SERVER_API_ERROR_FILE_CREATION_FAILED;
-
- if (setFileLabel(filename, m_sockCred.getLabel()))
- return SECURITY_SERVER_API_ERROR_SETTING_FILE_LABEL_FAILED;
-
- if (openFile(filename, fd))
- return SECURITY_SERVER_API_ERROR_FILE_OPEN_FAILED;
-
- if (setFileLabel(filename, client_label.c_str()))
- return SECURITY_SERVER_API_ERROR_SETTING_FILE_LABEL_FAILED;
-
- return SECURITY_SERVER_API_SUCCESS;
- }
-
- int SharedFile::getFD(const std::string &filename, int socket, int &fd)
- {
- if (checkFileNameSyntax(filename))
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
-
- if (m_sockCred.getCred(socket))
- return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED;
-
- if (!fileExist(filename)) {
- LogSecureDebug("File: " << filename.c_str() << " does not exist.");
-
- if (createFile(filename))
- return SECURITY_SERVER_API_ERROR_SERVER_ERROR;
- }
-
- if (getFileLabel(filename))
- return SECURITY_SERVER_API_ERROR_SERVER_ERROR;
-
- if (setFileLabel(filename, m_sockCred.getLabel()))
- return SECURITY_SERVER_API_ERROR_SERVER_ERROR;
-
- if (openFile(filename, fd))
- return SECURITY_SERVER_API_ERROR_FILE_OPEN_FAILED;
-
- if (setFileLabel(filename, m_fileSmackLabel))
- return SECURITY_SERVER_API_ERROR_SERVER_ERROR;
-
- return SECURITY_SERVER_API_SUCCESS;
- }
-
- int SharedFile::reopenSharedFile(const std::string &filename, int socket, int &fd)
- {
- if (checkFileNameSyntax(filename))
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
-
- if (m_sockCred.getCred(socket))
- return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED;
-
- if (!fileExist(filename))
- return SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST;
-
- if (getFileLabel(filename))
- return SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED;
-
- if (m_fileSmackLabel.compare(m_sockCred.getLabel()))
- return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED;
-
- if (openFile(filename, fd))
- return SECURITY_SERVER_API_ERROR_FILE_OPEN_FAILED;
-
- return SECURITY_SERVER_API_SUCCESS;
- }
-
- int SharedFile::deleteSharedFile(const std::string &filename, int socket)
- {
- if (checkFileNameSyntax(filename))
- return SECURITY_SERVER_API_ERROR_INPUT_PARAM;
-
- if (m_sockCred.getCred(socket))
- return SECURITY_SERVER_API_ERROR_GETTING_SOCKET_LABEL_FAILED;
-
- if (!fileExist(filename))
- return SECURITY_SERVER_API_ERROR_FILE_NOT_EXIST;
-
- if (getFileLabel(filename))
- return SECURITY_SERVER_API_ERROR_GETTING_FILE_LABEL_FAILED;
-
- if (m_fileSmackLabel.compare(m_sockCred.getLabel()))
- return SECURITY_SERVER_API_ERROR_AUTHENTICATION_FAILED;
-
- if (deleteFile(filename))
- return SECURITY_SERVER_API_ERROR_FILE_DELETION_FAILED;
-
- return SECURITY_SERVER_API_SUCCESS;
- }
-
-
-} //namespace SecurityServer
+++ /dev/null
-/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file open-for-manager.h
- * @author Zbigniew Jasinski (z.jasinski@samsung.com)
- * @version 1.0
- * @brief Implementation of open-for management functions
- */
-
-#ifndef _OPEN_FOR_MANAGER_H_
-#define _OPEN_FOR_MANAGER_H_
-
-#include <sys/socket.h>
-#include <sys/types.h>
-
-#include <string>
-
-namespace SecurityServer
-{
- // classess
- class SockCred
- {
- public:
- SockCred();
- bool getCred(int socket);
- std::string getLabel(void) const;
-
- private:
- struct ucred m_cr;
- unsigned m_len;
- std::string m_sockSmackLabel;
- };
-
- class SharedFile
- {
- public:
- SharedFile();
- int getFD(const std::string &filename, int socket, int &fd);
- int openSharedFile(const std::string &filename, const std::string &client_label,
- int socket, int &fd);
- int reopenSharedFile(const std::string &filename, int socket, int &fd);
- int deleteSharedFile(const std::string &filename, int socket);
-
- private:
- static bool fileExist(const std::string &filename);
- static bool dirExist(const std::string &dirpath);
- static bool deleteDir(const std::string &dirpath);
- static bool openFile(const std::string &filename, int &fd);
- static bool createFile(const std::string &filename);
- static bool deleteFile(const std::string &filename);
- static bool setFileLabel(const std::string &filename, const std::string &label);
- bool getFileLabel(const std::string &filename);
- bool checkFileNameSyntax(const std::string &filename) const;
-
- std::string m_fileSmackLabel;
-
- SockCred m_sockCred;
- };
-}
-
-#endif // _OPEN_FOR_MANAGER_H_
+++ /dev/null
-/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file open-for.cpp
- * @author Zbigniew Jasinski (z.jasinski@samsung.com)
- * @version 1.0
- * @brief Implementation of open-for service
- */
-
-#include <dpl/log/log.h>
-#include <dpl/serialization.h>
-
-#include <protocols.h>
-#include <open-for.h>
-#include <unistd.h>
-#include <algorithm>
-
-#include <security-server.h>
-#include <security-server-util.h>
-
-namespace {
-// Service may open more than one socket.
-// These ID's will be assigned to sockets
-// and will be used only by service.
-// When new connection arrives, AcceptEvent
-// will be generated with proper ID to inform
-// service about input socket.
-//
-// Please note: SocketManaged does not use it and
-// does not check it in any way.
-//
-// If your service require only one socket
-// (uses only one socket labeled with smack)
-// you may ignore this ID (just pass 0)
-const int SERVICE_SOCKET_ID = 0;
-
-} // namespace anonymous
-
-namespace SecurityServer {
-
-OpenForService::OpenForConnInfo::~OpenForConnInfo() {
- std::for_each(descriptorsVector.begin(),descriptorsVector.end(), ::close);
-}
-
-GenericSocketService::ServiceDescriptionVector OpenForService::GetServiceDescription() {
- return ServiceDescriptionVector
- {{SERVICE_SOCKET_OPEN_FOR, "security-server::api-open-for", SERVICE_SOCKET_ID, true}};
-}
-
-void OpenForService::accept(const AcceptEvent &event)
-{
- LogDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock
- << " ConnectionID.counter: " << event.connectionID.counter
- << " ServiceID: " << event.interfaceID);
-}
-
-void OpenForService::write(const WriteEvent &event)
-{
- LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock <<
- " Size: " << event.size << " Left: " << event.left);
- if (event.left == 0)
- m_serviceManager->Close(event.connectionID);
-}
-
-void OpenForService::process(const ReadEvent &event)
-{
- LogDebug("Read event for counter: " << event.connectionID.counter);
- auto &info = m_connectionInfoMap[event.connectionID.counter];
- info.buffer.Push(event.rawBuffer);
-
- // We can get several requests in one package.
- // Extract and process them all
- while(processOne(event.connectionID, info.buffer, info.descriptorsVector));
-}
-
-void OpenForService::close(const CloseEvent &event)
-{
- LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock);
- auto &descVector = m_connectionInfoMap[event.connectionID.counter].descriptorsVector;
-
- for (auto iter = descVector.begin(); iter != descVector.end(); ++iter)
- TEMP_FAILURE_RETRY(::close(*iter));
-
- m_connectionInfoMap.erase(event.connectionID.counter);
-}
-
-bool OpenForService::processOne(const ConnectionID &conn, MessageBuffer &buffer, std::vector<int> &descVector)
-{
- LogDebug("Iteration begin");
-
- std::string filename;
- std::string client_label;
- OpenForHdrs msgType;
- MessageBuffer sendBuffer;
-
- int retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
- int fd = -1;
-
- if (!buffer.Ready())
- return false;
-
- Try {
- int msgTypeInt;
- Deserialization::Deserialize(buffer, msgTypeInt); //receive MSG_ID
- msgType = static_cast<OpenForHdrs>(msgTypeInt);
- Deserialization::Deserialize(buffer, filename);
- } Catch (MessageBuffer::Exception::Base) {
- LogError("Broken protocol. Closing socket.");
- m_serviceManager->Close(conn);
- return false;
- }
-
- switch(msgType) {
- case OpenForHdrs::OPEN:
- LogDebug("Entering open-for OPEN server handler.");
- Deserialization::Deserialize(buffer, client_label);
- retCode = m_sharedFile.openSharedFile(filename, client_label, conn.sock, fd);
- break;
- case OpenForHdrs::REOPEN:
- LogDebug("Entering open-for REOPEN server handler.");
- retCode = m_sharedFile.reopenSharedFile(filename, conn.sock, fd);
- break;
- case OpenForHdrs::DELETE:
- LogDebug("Entering open-for DELETE server handler.");
- retCode = m_sharedFile.deleteSharedFile(filename, conn.sock);
- break;
- case OpenForHdrs::OPEN_DEPRECATED:
- LogDebug("Entering open-for OPEN-DEPRECATED server handler.");
- retCode = m_sharedFile.getFD(filename, conn.sock, fd);
- break;
- default:
- LogError("Error, unknown function called by client,");
- break;
- };
-
- if (fd != -1)
- descVector.push_back(fd);
- SendMsgData sendMsgData(retCode, fd);
-
- m_serviceManager->Write(conn, sendMsgData);
-
- return true;
-}
-
-} // namespace SecurityServer
+++ /dev/null
-/*
- * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Contact: Bumjin Im <bj.im@samsung.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License
- */
-/*
- * @file open-for.h
- * @author Zigniew Jasinski (z.jasinski@samsung.com)
- * @version 1.0
- * @brief Implementation of open-for service
- */
-
-#ifndef _SECURITY_SERVER_OPEN_FOR_
-#define _SECURITY_SERVER_OPEN_FOR_
-
-#include <service-thread.h>
-#include <generic-socket-manager.h>
-#include <message-buffer.h>
-
-#include "open-for-manager.h"
-
-namespace SecurityServer
-{
- class OpenForService
- : public SecurityServer::GenericSocketService
- , public SecurityServer::ServiceThread<OpenForService>
- {
- public:
- //service functions
- ServiceDescriptionVector GetServiceDescription();
-
- DECLARE_THREAD_EVENT(AcceptEvent, accept)
- DECLARE_THREAD_EVENT(WriteEvent, write)
- DECLARE_THREAD_EVENT(ReadEvent, process)
- DECLARE_THREAD_EVENT(CloseEvent, close)
-
- void accept(const AcceptEvent &event);
- void write(const WriteEvent &event);
- void process(const ReadEvent &event);
- void close(const CloseEvent &event);
-
- private:
- typedef std::vector<int> DescriptorVector;
-
- struct OpenForConnInfo {
- ~OpenForConnInfo();
-
- DescriptorVector descriptorsVector;
- MessageBuffer buffer;
- };
-
- typedef std::map<int, OpenForConnInfo> OpenForConnInfoMap;
-
- //internal service functions
- bool processOne(const ConnectionID &conn, MessageBuffer &buffer, DescriptorVector &descVector);
-
- OpenForConnInfoMap m_connectionInfoMap;
- SharedFile m_sharedFile;
- };
-} // namespace SecurityServer
-
-#endif // _SECURITY_SERVER_OPEN_FOR_
#include <smack-check.h>
#include <privilege-control.h>
+#include <smack-common.h>
namespace SecurityServer {
retval = smack_pid_have_access(pid, object.c_str(), access_rights.c_str());
LogDebug("smack_pid_have_access returned " << retval);
- if (get_smack_label_from_process(pid, subject) != PC_OPERATION_SUCCESS) {
+ if (-1 != get_smack_label_from_process(pid, subject)) {
// subject label is set to empty string
LogError("get_smack_label_from_process failed. Subject label has not been read.");
} else {
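Review bot: The new condition `if (-1 != get_smack_label_from_process(pid, subject))` is inverted. The implementation added in this commit returns 0 on success and -1 on failure, so the error is now logged when the label was read, and the `else` branch runs when it was not. The test should be `if (0 != get_smack_label_from_process(pid, subject)) {`. The `else` body continues outside this hunk, so check what it does with a `subject` that was never filled in, since that is the path a failed read now takes.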
--- /dev/null
+#include <sys/capability.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/smack.h>
+#include <string.h>
+#include <stdio.h>
+
+#include <smack-check.h>
+
+namespace SecurityServer {
+
+int get_smack_label_from_process(pid_t pid, char *smack_label)
+{
+ int ret = -1;
+ int fd = -1;
+ const int PATH_MAX_LEN = 64;
+ char path[PATH_MAX_LEN + 1];
+
+ if (pid < 0) {
+ goto out;
+ }
+
+ if(smack_label == NULL) {
+ goto out;
+ }
+
+ bzero(smack_label, SMACK_LABEL_LEN + 1);
+ if (!smack_check()) { // If no smack just return success with empty label
+ ret = 0;
+ goto out;
+ }
+
+ bzero(path, PATH_MAX_LEN + 1);
+ snprintf(path, PATH_MAX_LEN, "/proc/%d/attr/current", pid);
+ fd = open(path, O_RDONLY);
+ if (fd < 0) {
+ goto out;
+ }
+
+ ret = read(fd, smack_label, SMACK_LABEL_LEN);
+ if (ret < 0) {
+ goto out;
+ }
+
+ ret = 0;
+
+out:
+ if (fd >= 0)
+ close(fd);
+ return ret;
+}
+
+
+int smack_pid_have_access(pid_t pid,
+ const char* object,
+ const char *access_type)
+{
+ int ret;
+ char pid_subject_label[SMACK_LABEL_LEN + 1];
+ cap_t cap;
+ cap_flag_value_t cap_v;
+
+ if (!smack_check()) {
+ return 1;
+ }
+
+ if (pid < 0) {
+ return -1;
+ }
+
+ if(object == NULL) {
+ return -1;
+ }
+
+ if(access_type == NULL) {
+ return -1;
+ }
+
+ //get SMACK label of process
+ ret = get_smack_label_from_process(pid, pid_subject_label);
+ if (0 != ret) {
+ return -1;
+ }
+
+ // do not call smack_have_access() if label is empty
+ if (pid_subject_label[0] != '\0') {
+ ret = smack_have_access(pid_subject_label, object, access_type);
+ if ( -1 == ret) {
+ return -1;
+ }
+ if ( 1 == ret ) { // smack_have_access return 1 (access granted)
+ return 1;
+ }
+ }
+
+ // smack_have_access returned 0 (access denied). Now CAP_MAC_OVERRIDE should be checked
+ cap = cap_get_pid(pid);
+ if (cap == NULL) {
+ return -1;
+ }
+ ret = cap_get_flag(cap, CAP_MAC_OVERRIDE, CAP_EFFECTIVE, &cap_v);
+ if (0 != ret) {
+ return -1;
+ }
+
+ if (cap_v == CAP_SET) {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
+
+
+} // namespace SecurityServer
+
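Review bot: `smack_pid_have_access` never releases the `cap_t` returned by `cap_get_pid(pid)`, so every call that reaches the CAP_MAC_OVERRIDE check leaks the capability state, including the `return -1` taken when `cap_get_flag` fails. Add `cap_free(cap);` directly after the `cap_get_flag(...)` call, before `ret` is tested. Separately, `get_smack_label_from_process` zeroes `SMACK_LABEL_LEN + 1` bytes through a bare `char *` with no length argument, so a comment above it should state that the caller must supply a buffer of at least that size. Both lookups are keyed on a pid, so the answer describes whichever process holds that pid at the time of each call, which is also worth a comment.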
--- /dev/null
+#ifndef _SMACK_COMMON_H_
+#define _SMACK_COMMON_H_
+
+#include <sys/types.h>
+
+namespace SecurityServer {
+
+int get_smack_label_from_process(pid_t pid, char *smack_label);
+int smack_pid_have_access(pid_t pid, const char *object, const char *access_type);
+
+} // namespace SecurityServer
+
+#endif
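Review bot: The two declarations carry no documentation of their return conventions, and the call site changed elsewhere in this commit already tests the wrong value. Above `get_smack_label_from_process`, add `// Returns 0 on success (label is empty when SMACK is off), -1 on error; smack_label must hold SMACK_LABEL_LEN + 1 bytes.` Above `smack_pid_have_access`, add `// Returns 1 if access is granted (also when SMACK is off or the process has CAP_MAC_OVERRIDE), 0 if denied, -1 on error.` The guard name `_SMACK_COMMON_H_` starts with an underscore followed by a capital letter, which C++ reserves for the implementation; `SMACK_COMMON_H` would avoid that.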
${CMAKE_SOURCE_DIR}/systemd/security-server-data-share.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-get-gid.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-privilege-by-pid.socket
- ${CMAKE_SOURCE_DIR}/systemd/security-server-app-permissions.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-get.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-cookie-check.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-app-privilege-by-name.socket
- ${CMAKE_SOURCE_DIR}/systemd/security-server-open-for.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-password-reset.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-password-check.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-password-set.socket
+++ /dev/null
-[Socket]
-ListenStream=/tmp/.security-server-api-app-permissions.sock
-SocketMode=0777
-SmackLabelIPIn=*
-SmackLabelIPOut=@
-
-Service=security-server.service
-
-[Unit]
-Wants=security-server.target
-Before=security-server.target
-
-[Install]
-WantedBy=sockets.target
+++ /dev/null
-[Socket]
-ListenStream=/tmp/.security-server-api-open-for.sock
-SocketMode=0777
-SmackLabelIPIn=*
-SmackLabelIPOut=@
-
-Service=security-server.service
-
-[Unit]
-Wants=security-server.target
-Before=security-server.target
-
-[Install]
-WantedBy=sockets.target
Sockets=security-server-data-share.socket
Sockets=security-server-get-gid.socket
Sockets=security-server-privilege-by-pid.socket
-Sockets=security-server-app-permissions.socket
Sockets=security-server-app-privilege-by-name.socket
Sockets=security-server-cookie-get.socket
Sockets=security-server-cookie-check.socket
-Sockets=security-server-open-for.socket
Sockets=security-server-password-check.socket
Sockets=security-server-password-set.socket
Sockets=security-server-password-reset.socket