attestation: Fix permissions.

In order to update the attestation database, the attestation user needs
access to /mnt/stateful_partition/unencrypted/preserve via the
'preserve' group. It also needs access to tcsd via the 'tss' group. This
CL sets ownership and permissions on the preserve directory and also
includes all group permissions of the attestation user when dropping
root.

BUG=chrome-os-partner:46244
TEST=manual

Change-Id: I53aab61bc046173e6494fa6876761750c7808c17

2 files changed, 7 insertions, 0 deletions

diff --git a/attestation/server/attestationd.conf b/attestation/server/attestationd.conf
index 0d5a74d..7d23f93 100644
--- a/attestation/server/attestationd.conf
+++ b/attestation/server/attestationd.conf
@@ -21,4 +21,10 @@ start on started tcsd and started boot-services
 stop on stopping boot-services
 respawn
 
+pre-start script
+  # Ensure attestationd will have permissions for attestation.epb.
+  chgrp preserve /mnt/stateful_partition/unencrypted/preserve
+  chmod 775 /mnt/stateful_partition/unencrypted/preserve
+end script
+
 exec /usr/sbin/attestationd
diff --git a/attestation/server/main.cc b/attestation/server/main.cc
index b22ba18..1ba4405 100644
--- a/attestation/server/main.cc
+++ b/attestation/server/main.cc
@@ -52,6 +52,7 @@ void InitMinijailSandbox() {
   struct minijail* jail = minijail->New();
 
   minijail->DropRoot(jail, kAttestationUser, kAttestationGroup);
+  minijail_inherit_usergroups(jail);
   minijail->UseSeccompFilter(jail, kAttestationSeccompPath);
   minijail->Enter(jail);
   minijail->Destroy(jail);