tpm_manager: Change location for owner password data

This CL adds functionality to allow TpmManager to save its local data
in /var/lib/tpm_manager rather than in /mnt/stateful_partition.
This CL also modifies the upstart script for TpmManager to create
the required files and set their permissions.

Bug: 24059577
TEST=ownership flow on DUT

Change-Id: I876c25b74c4791c73aff6e474ee0992a4ad9d423

4 files changed, 39 insertions, 6 deletions

diff --git a/common/print_local_data_proto.cc b/common/print_local_data_proto.cc
index 9a0bd8c..81c0864 100644
--- a/common/print_local_data_proto.cc
+++ b/common/print_local_data_proto.cc
@@ -13,7 +13,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
-
 // THIS CODE IS GENERATED.
 
 #include "tpm_manager/common/print_local_data_proto.h"
@@ -54,6 +53,22 @@ std::string GetProtoDebugStringWithIndent(const LocalData& value,
     base::StringAppendF(&output, "%s", value.owner_dependency(i).c_str());
   }
   output += "}\n";
+  if (value.has_endorsement_password()) {
+    output += indent + "  endorsement_password: ";
+    base::StringAppendF(&output, "%s",
+                        base::HexEncode(value.endorsement_password().data(),
+                                        value.endorsement_password().size())
+                            .c_str());
+    output += "\n";
+  }
+  if (value.has_lockout_password()) {
+    output += indent + "  lockout_password: ";
+    base::StringAppendF(&output, "%s",
+                        base::HexEncode(value.lockout_password().data(),
+                                        value.lockout_password().size())
+                            .c_str());
+    output += "\n";
+  }
   output += indent + "}\n";
   return output;
 }
diff --git a/server/local_data_store_impl.cc b/server/local_data_store_impl.cc
index 5b155ba..6cf8848 100644
--- a/server/local_data_store_impl.cc
+++ b/server/local_data_store_impl.cc
@@ -28,18 +28,20 @@ using base::FilePath;
 
 namespace tpm_manager {
 
-const char kTpmLocalDataFile[] =
-    "/mnt/stateful_partition/unencrypted/preserve/local_tpm_data";
+const char kTpmLocalDataFile[] = "/var/lib/tpm_manager/local_tpm_data";
 const mode_t kLocalDataPermissions = 0600;
 
 bool LocalDataStoreImpl::Read(LocalData* data) {
   CHECK(data);
-  const int kMask = base::FILE_PERMISSION_OTHERS_MASK;
   FilePath path(kTpmLocalDataFile);
+  if (!base::PathExists(path)) {
+    data->Clear();
+    return true;
+  }
   int permissions = 0;
   if (base::GetPosixFilePermissions(path, &permissions) &&
-      (permissions & kMask) != 0) {
-    base::SetPosixFilePermissions(path, permissions & ~kMask);
+      (permissions & ~kLocalDataPermissions) != 0) {
+    base::SetPosixFilePermissions(path, kLocalDataPermissions);
   }
   std::string file_data;
   if (!ReadFileToString(path, &file_data)) {
diff --git a/server/tpm_manager-seccomp-amd64.policy b/server/tpm_manager-seccomp-amd64.policy
index eab40ed..6f11df7 100644
--- a/server/tpm_manager-seccomp-amd64.policy
+++ b/server/tpm_manager-seccomp-amd64.policy
@@ -48,7 +48,13 @@ open: 1
 read: 1
 write: 1
 close: 1
+access: 1
+rename: 1
+pwrite64: 1
 
+chmod: 1
+fsync: 1
+fdatasync: 1
 fstat: 1
 stat: 1
 lseek: 1
@@ -59,6 +65,7 @@ set_robust_list: 1
 restart_syscall: 1
 exit: 1
 exit_group: 1
+rt_sigaction: 1
 rt_sigreturn: 1
 rt_sigprocmask: 1
 signalfd4: 1
@@ -73,3 +80,4 @@ clone: 1
 # These calls are attempted but apparently not necessary; return EPERM.
 prctl: return 1
 ioctl: return 1
+tgkill: return 1
diff --git a/server/tpm_managerd.conf b/server/tpm_managerd.conf
index 9f2254b..9509967 100644
--- a/server/tpm_managerd.conf
+++ b/server/tpm_managerd.conf
@@ -21,6 +21,14 @@ start on starting system-services
 stop on stopping system-services
 respawn
 
+pre-start script
+  LOCAL_DATA_DIRECTORY="/var/lib/tpm_manager"
+  if [ ! -e "${LOCAL_DATA_DIRECTORY}" ]; then
+    mkdir -m 0755 "${LOCAL_DATA_DIRECTORY}"
+    chown -R tpm_manager:tpm_manager "${LOCAL_DATA_DIRECTORY}"
+  fi
+end script
+
 # Minijail forks off our process
 expect fork