diff options
author | Utkarsh Sanghi <usanghi@google.com> | 2015-09-22 13:09:05 -0700 |
---|---|---|
committer | Utkarsh Sanghi <usanghi@google.com> | 2015-10-05 09:39:49 -0700 |
commit | 642f9a8ee6942f9fa2cef7183852c5d3e3e5e494 (patch) | |
tree | 871cb6b3e9eb649ddde637b8e9ff72086e9f20a4 | |
parent | f86a34eaa3f556456d90b94f7af4c72bbab6f08f (diff) | |
download | tpm_manager-642f9a8ee6942f9fa2cef7183852c5d3e3e5e494.tar.gz |
tpm_manager: Change location for owner password data
This CL adds functionality to allow TpmManager to save its local data
in /var/lib/tpm_manager rather than in /mnt/stateful_partition.
This CL also modifies the upstart script for TpmManager to create
the required files and set their permissions.
Bug: 24059577
TEST=ownership flow on DUT
Change-Id: I876c25b74c4791c73aff6e474ee0992a4ad9d423
-rw-r--r-- | common/print_local_data_proto.cc | 17 | ||||
-rw-r--r-- | server/local_data_store_impl.cc | 12 | ||||
-rw-r--r-- | server/tpm_manager-seccomp-amd64.policy | 8 | ||||
-rw-r--r-- | server/tpm_managerd.conf | 8 |
4 files changed, 39 insertions, 6 deletions
diff --git a/common/print_local_data_proto.cc b/common/print_local_data_proto.cc index 9a0bd8c..81c0864 100644 --- a/common/print_local_data_proto.cc +++ b/common/print_local_data_proto.cc @@ -13,7 +13,6 @@ // See the License for the specific language governing permissions and // limitations under the License. // - // THIS CODE IS GENERATED. #include "tpm_manager/common/print_local_data_proto.h" @@ -54,6 +53,22 @@ std::string GetProtoDebugStringWithIndent(const LocalData& value, base::StringAppendF(&output, "%s", value.owner_dependency(i).c_str()); } output += "}\n"; + if (value.has_endorsement_password()) { + output += indent + " endorsement_password: "; + base::StringAppendF(&output, "%s", + base::HexEncode(value.endorsement_password().data(), + value.endorsement_password().size()) + .c_str()); + output += "\n"; + } + if (value.has_lockout_password()) { + output += indent + " lockout_password: "; + base::StringAppendF(&output, "%s", + base::HexEncode(value.lockout_password().data(), + value.lockout_password().size()) + .c_str()); + output += "\n"; + } output += indent + "}\n"; return output; } diff --git a/server/local_data_store_impl.cc b/server/local_data_store_impl.cc index 5b155ba..6cf8848 100644 --- a/server/local_data_store_impl.cc +++ b/server/local_data_store_impl.cc @@ -28,18 +28,20 @@ using base::FilePath; namespace tpm_manager { -const char kTpmLocalDataFile[] = - "/mnt/stateful_partition/unencrypted/preserve/local_tpm_data"; +const char kTpmLocalDataFile[] = "/var/lib/tpm_manager/local_tpm_data"; const mode_t kLocalDataPermissions = 0600; bool LocalDataStoreImpl::Read(LocalData* data) { CHECK(data); - const int kMask = base::FILE_PERMISSION_OTHERS_MASK; FilePath path(kTpmLocalDataFile); + if (!base::PathExists(path)) { + data->Clear(); + return true; + } int permissions = 0; if (base::GetPosixFilePermissions(path, &permissions) && - (permissions & kMask) != 0) { - base::SetPosixFilePermissions(path, permissions & ~kMask); + (permissions & ~kLocalDataPermissions) != 0) { + base::SetPosixFilePermissions(path, kLocalDataPermissions); } std::string file_data; if (!ReadFileToString(path, &file_data)) { diff --git a/server/tpm_manager-seccomp-amd64.policy b/server/tpm_manager-seccomp-amd64.policy index eab40ed..6f11df7 100644 --- a/server/tpm_manager-seccomp-amd64.policy +++ b/server/tpm_manager-seccomp-amd64.policy @@ -48,7 +48,13 @@ open: 1 read: 1 write: 1 close: 1 +access: 1 +rename: 1 +pwrite64: 1 +chmod: 1 +fsync: 1 +fdatasync: 1 fstat: 1 stat: 1 lseek: 1 @@ -59,6 +65,7 @@ set_robust_list: 1 restart_syscall: 1 exit: 1 exit_group: 1 +rt_sigaction: 1 rt_sigreturn: 1 rt_sigprocmask: 1 signalfd4: 1 @@ -73,3 +80,4 @@ clone: 1 # These calls are attempted but apparently not necessary; return EPERM. prctl: return 1 ioctl: return 1 +tgkill: return 1 diff --git a/server/tpm_managerd.conf b/server/tpm_managerd.conf index 9f2254b..9509967 100644 --- a/server/tpm_managerd.conf +++ b/server/tpm_managerd.conf @@ -21,6 +21,14 @@ start on starting system-services stop on stopping system-services respawn +pre-start script + LOCAL_DATA_DIRECTORY="/var/lib/tpm_manager" + if [ ! -e "${LOCAL_DATA_DIRECTORY}" ]; then + mkdir -m 0755 "${LOCAL_DATA_DIRECTORY}" + chown -R tpm_manager:tpm_manager "${LOCAL_DATA_DIRECTORY}" + fi +end script + # Minijail forks off our process expect fork |