authorKrzysztof Jackiewicz <k.jackiewicz@samsung.com>2016-01-08 13:32:28 +0100
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>2016-01-14 09:38:36 +0100
commita61e9ce01fa45323b381e6456d07117516d2e55d (patch)
tree033ada39d5a6212a9c4d0d5282c53c551d0e9c20
parent8bc7217902a49348d31647251fe9f4937b08a5f3 (diff)
Get dir locations from environment
[Problem] Key manager data dir location was hardcoded to /opt/data/ckm/. On common profile image key-manager fails to start because of lack of /opt/data. [Solution] Get directory locations from tizen platform config. Copy files from old location if necessary. Make installation fail if runtime and compile time settings differ. Provide upgrade script. [Verification] Install key-manager package. Make sure all the content from /opt/data/ckm/ has been moved to new location (/usr/data/ckm). Run tests. Make sure all data is placed in new location. Run upgrade scripts (/etc/opt/upgrade/*key-manager*.sh) on old version of ckm and check results. Change-Id: Idafbe0fe43f1140c137f87883273b609a499b4cc
-rw-r--r--CMakeLists.txt12
-rwxr-xr-xdata/scripts/230.key-manager-change-data-dir.patch.sh.in28
-rwxr-xr-xdata/scripts/230.key-manager-migrate-dkek.patch.sh64
-rwxr-xr-xdata/scripts/231.key-manager-change-user.patch.sh21
-rwxr-xr-xdata/scripts/231.key-manager-migrate-dkek.patch.sh.in83
-rwxr-xr-xdata/scripts/232.key-manager-change-user.patch.sh.in40
-rw-r--r--data/scripts/CMakeLists.txt39
-rw-r--r--packaging/key-manager.manifest.in (renamed from packaging/key-manager.manifest)2
-rw-r--r--packaging/key-manager.spec88
-rw-r--r--src/manager/crypto/sw-backend/store.cpp4
-rw-r--r--src/manager/initial-values/initial-value-loader.cpp7
-rw-r--r--src/manager/service/db-crypto.cpp2
-rw-r--r--src/manager/service/file-system.cpp17
-rw-r--r--tests/CMakeLists.txt1
-rw-r--r--tests/encryption-scheme/CMakeLists.txt3
-rw-r--r--tests/encryption-scheme/scheme-test.cpp6
-rw-r--r--tests/test_db_crypto.cpp6
-rw-r--r--tests/test_xml-parser.cpp2
-rw-r--r--tools/ckm_db_tool/ckm_db_tool.cpp2
19 files changed, 278 insertions, 149 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3d1a298a..3792afaa 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -57,6 +57,9 @@ ADD_DEFINITIONS("-DSERVICE_NAME=\"${SERVICE_NAME}\"")
ADD_DEFINITIONS("-DUSER_NAME=\"${USER_NAME}\"")
ADD_DEFINITIONS("-DGROUP_NAME=\"${GROUP_NAME}\"")
ADD_DEFINITIONS("-DSMACK_DOMAIN_NAME=\"${SMACK_DOMAIN_NAME}\"")
+ADD_DEFINITIONS("-DRW_DATA_DIR=\"${RW_DATA_DIR}\"")
+ADD_DEFINITIONS("-DRO_DATA_DIR=\"${RO_DATA_DIR}\"")
+ADD_DEFINITIONS("-DINITIAL_VALUES_DIR=\"${INITIAL_VALUES_DIR}\"")
IF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
ADD_DEFINITIONS("-DTIZEN_DEBUG_ENABLE")
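Review bot: The three new definitions are emitted whether or not `RW_DATA_DIR`, `RO_DATA_DIR` and `INITIAL_VALUES_DIR` were passed to cmake. A build configured without them compiles with empty strings, and the sources in this commit then form key-store paths such as `RW_DATA_DIR "device_key.xml"` with no directory part, so they would resolve relative to the daemon's working directory. Fail configuration instead, for each variable: `IF(NOT RW_DATA_DIR) MESSAGE(FATAL_ERROR "RW_DATA_DIR is not set") ENDIF()`. The same applies to `DB_TEST_DIR` in tests/CMakeLists.txt.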
@@ -76,14 +79,9 @@ SET(TARGET_PAM_KEY_MANAGER_PLUGIN "pam_key_manager_plugin")
SET(TARGET_TEST_MERGED "ckm-tests-internal")
-INSTALL(FILES
- ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/230.key-manager-migrate-dkek.patch.sh
- ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/231.key-manager-change-user.patch.sh
- DESTINATION /etc/opt/upgrade
- PERMISSIONS OWNER_READ
- OWNER_WRITE
- OWNER_EXECUTE)
+CONFIGURE_FILE(packaging/key-manager.manifest.in key-manager.manifest @ONLY)
+ADD_SUBDIRECTORY(data/scripts)
ADD_SUBDIRECTORY(src)
ADD_SUBDIRECTORY(build)
ADD_SUBDIRECTORY(systemd)
diff --git a/data/scripts/230.key-manager-change-data-dir.patch.sh.in b/data/scripts/230.key-manager-change-data-dir.patch.sh.in
new file mode 100755
index 00000000..56ecc2a7
--- /dev/null
+++ b/data/scripts/230.key-manager-change-data-dir.patch.sh.in
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file 230.key-manager-change-data-dir.patch.sh.in
+# @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+# @brief Moves key-manager data to a location specified at compilation time
+#
+
+CKM_DATA_PATH_OLD=/opt/data/ckm
+
+# move data from old path to new one
+if [ -d "$CKM_DATA_PATH_OLD" ] && [ "@RW_DATA_DIR@" != "$CKM_DATA_PATH_OLD" ]
+then
+ cp -a $CKM_DATA_PATH_OLD/. @RW_DATA_DIR@ && rm -rf $CKM_DATA_PATH_OLD
+fi \ No newline at end of file
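Review bot: The guard on the `if` line compares `"@RW_DATA_DIR@"` with `/opt/data/ckm` as plain strings, but key-manager.spec defines the fallback `rw_data_dir` as `/opt/data/ckm/` with a trailing slash, so the two never compare equal. In that configuration the script still reaches `cp -a … && rm -rf $CKM_DATA_PATH_OLD` with source and destination being the same directory, and the only thing keeping the key store from the `rm -rf` is `cp` refusing to copy a directory onto itself. Normalise both sides before comparing, e.g. `[ "$(readlink -f "@RW_DATA_DIR@")" != "$(readlink -f "$CKM_DATA_PATH_OLD")" ]`, and quote the expansions on the `cp`/`rm` line. The `%post` block added to packaging/key-manager.spec runs the same `cp -a … && rm -rf /opt/data/ckm` with no guard at all.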
diff --git a/data/scripts/230.key-manager-migrate-dkek.patch.sh b/data/scripts/230.key-manager-migrate-dkek.patch.sh
deleted file mode 100755
index 93a9a96f..00000000
--- a/data/scripts/230.key-manager-migrate-dkek.patch.sh
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/bin/bash
-
-CKM_DATA_PATH=/opt/data/ckm
-VERSION_INFO_PATH=${CKM_DATA_PATH}/version-info
-CURRENT_VERSION=1
-
-migrate_from_0_to_1()
-{
- ARR_UID=()
- ARR_IDX=()
-
- # Extract uids from DKEK files
- for uid in `ls ${CKM_DATA_PATH} | grep "^key-[0-9]*-[0-9]*$" | awk 'BEGIN { FS = "-" }; { print $2 }' | awk '!x[$0]++'`
- do
- ARR_UID+=($uid)
- done
-
- for (( i = 0; i < ${#ARR_UID[@]}; i++ ))
- do
- idx_max=0
- idx_submax=0
-
- uid=${ARR_UID[$i]}
- ARR_IDX=()
- # Extract autoincremented index per uids
- for file in `ls ${CKM_DATA_PATH} | grep "^key-${uid}-[0-9]*$"`
- do
- idx=`echo $file | awk 'BEGIN { FS = "-" }; { print $3 }'`
- ARR_IDX+=($idx)
- done
-
- # Find max index(for key-<uid>) and submax index(for key-backup-<uid>)
- for idx in ${ARR_IDX[@]}
- do
- if [ $idx -gt $idx_max ]
- then
- idx_submax=$idx_max
- idx_max=$idx
- fi
- done
-
- # Rename file
- # smack label setting isn't needed.
- # (Because not remove/add new file, but just rename file)
- mv "${CKM_DATA_PATH}/key-${uid}-${idx_max}" "${CKM_DATA_PATH}/key-${uid}"
- if [ -f "${CKM_DATA_PATH}/key-${uid}-${idx_submax}" ]
- then
- mv "${CKM_DATA_PATH}/key-${uid}-${idx_submax}" "${CKM_DATA_PATH}/key-backup-${uid}"
- fi
-
- # [Optional] Remove other key-<uid>-<numeric> files.
- for file in `ls ${CKM_DATA_PATH} | grep "^key-${uid}-[0-9]*$"`
- do
- rm ${CKM_DATA_PATH}/${file}
- done
- done
-}
-
-if [ ! -f ${VERSION_INFO_PATH} ]
-then
- echo "CKM VERSION_INFO NOT EXIST."
- echo "$CURRENT_VERSION" > $VERSION_INFO_PATH
- migrate_from_0_to_1
-fi
diff --git a/data/scripts/231.key-manager-change-user.patch.sh b/data/scripts/231.key-manager-change-user.patch.sh
deleted file mode 100755
index e02cc12a..00000000
--- a/data/scripts/231.key-manager-change-user.patch.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-USER_NAME=key-manager
-GROUP_NAME=key-manager
-CKM_DATA_PATH=/opt/data/ckm
-SMACK_LABEL=System
-
-id -g $GROUP_NAME > /dev/null 2>&1
-if [ $? -eq 1 ]; then
- groupadd $GROUP_NAME -r > /dev/null 2>&1
-fi
-
-id -u $USER_NAME > /dev/null 2>&1
-if [ $? -eq 1 ]; then
- useradd -d /var/lib/empty -s /sbin/nologin -r -g $GROUP_NAME $USER_NAME > /dev/null 2>&1
-fi
-
-# In ckm version <= 0.1.18 all files were owned by root.
-find /opt/data/ckm -exec chsmack -a $SMACK_LABEL {} \;
-chown ${USER_NAME}:${GROUP_NAME} -R ${CKM_DATA_PATH}
-
diff --git a/data/scripts/231.key-manager-migrate-dkek.patch.sh.in b/data/scripts/231.key-manager-migrate-dkek.patch.sh.in
new file mode 100755
index 00000000..0e5815b0
--- /dev/null
+++ b/data/scripts/231.key-manager-migrate-dkek.patch.sh.in
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# Copyright (c) 2015-2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file 231.key-manager-migrate-dkek.patch.sh.in
+# @author Kyungwook Tak (k.tak@samsung.com)
+# @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+# @brief Changes ckm key files naming convention
+#
+
+VERSION_INFO_PATH=@RW_DATA_DIR@/version-info
+CURRENT_VERSION=1
+
+migrate_from_0_to_1()
+{
+ ARR_UID=()
+ ARR_IDX=()
+
+ # Extract uids from DKEK files
+ for uid in `ls @RW_DATA_DIR@ | grep "^key-[0-9]*-[0-9]*$" | awk 'BEGIN { FS = "-" }; { print $2 }' | awk '!x[$0]++'`
+ do
+ ARR_UID+=($uid)
+ done
+
+ for (( i = 0; i < ${#ARR_UID[@]}; i++ ))
+ do
+ idx_max=0
+ idx_submax=0
+
+ uid=${ARR_UID[$i]}
+ ARR_IDX=()
+ # Extract autoincremented index per uids
+ for file in `ls @RW_DATA_DIR@ | grep "^key-${uid}-[0-9]*$"`
+ do
+ idx=`echo $file | awk 'BEGIN { FS = "-" }; { print $3 }'`
+ ARR_IDX+=($idx)
+ done
+
+ # Find max index(for key-<uid>) and submax index(for key-backup-<uid>)
+ for idx in ${ARR_IDX[@]}
+ do
+ if [ $idx -gt $idx_max ]
+ then
+ idx_submax=$idx_max
+ idx_max=$idx
+ fi
+ done
+
+ # Rename file
+ # smack label setting isn't needed.
+ # (Because not remove/add new file, but just rename file)
+ mv "@RW_DATA_DIR@/key-${uid}-${idx_max}" "@RW_DATA_DIR@/key-${uid}"
+ if [ -f "@RW_DATA_DIR@/key-${uid}-${idx_submax}" ]
+ then
+ mv "@RW_DATA_DIR@/key-${uid}-${idx_submax}" "@RW_DATA_DIR@/key-backup-${uid}"
+ fi
+
+ # [Optional] Remove other key-<uid>-<numeric> files.
+ for file in `ls @RW_DATA_DIR@ | grep "^key-${uid}-[0-9]*$"`
+ do
+ rm @RW_DATA_DIR@/${file}
+ done
+ done
+}
+
+if [ ! -f ${VERSION_INFO_PATH} ]
+then
+ echo "CKM VERSION_INFO NOT EXIST."
+ echo "$CURRENT_VERSION" > $VERSION_INFO_PATH
+ migrate_from_0_to_1
+fi
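Review bot: `version-info` is written before `migrate_from_0_to_1` runs in the final `if` block, so an interrupted or failed migration is never retried: the next run sees the marker and skips the renames, leaving DKEK files under their old `key-<uid>-<n>` names. Write the marker only after the function succeeds, e.g. `migrate_from_0_to_1 && echo "$CURRENT_VERSION" > "$VERSION_INFO_PATH"`, and have the function return non-zero when an `mv` fails. Separately, the max/submax loop only updates `idx_submax` when a new maximum is found, so the chosen backup index depends on the order in which `ls` yields the files. Because the remaining `key-<uid>-<n>` files are removed afterwards, sort the indices numerically before that loop or track the second-largest value explicitly.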
diff --git a/data/scripts/232.key-manager-change-user.patch.sh.in b/data/scripts/232.key-manager-change-user.patch.sh.in
new file mode 100755
index 00000000..b6b2ae6d
--- /dev/null
+++ b/data/scripts/232.key-manager-change-user.patch.sh.in
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Copyright (c) 2015-2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file 232.key-manager-change-user.patch.sh.in
+# @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+# @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+# @brief Changes ckm data owner to key-manager:key-manager and smack label to "System"
+#
+
+USER_NAME=key-manager
+GROUP_NAME=key-manager
+SMACK_LABEL=System
+
+id -g $GROUP_NAME > /dev/null 2>&1
+if [ $? -eq 1 ]; then
+ groupadd $GROUP_NAME -r > /dev/null 2>&1
+fi
+
+id -u $USER_NAME > /dev/null 2>&1
+if [ $? -eq 1 ]; then
+ useradd -d /var/lib/empty -s /sbin/nologin -r -g $GROUP_NAME $USER_NAME > /dev/null 2>&1
+fi
+
+# In ckm version <= 0.1.18 all files were owned by root.
+find @RW_DATA_DIR@ -exec chsmack -a $SMACK_LABEL {} \;
+chown ${USER_NAME}:${GROUP_NAME} -R @RW_DATA_DIR@
+
diff --git a/data/scripts/CMakeLists.txt b/data/scripts/CMakeLists.txt
new file mode 100644
index 00000000..8cf7b717
--- /dev/null
+++ b/data/scripts/CMakeLists.txt
@@ -0,0 +1,39 @@
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file CMakeLists.txt
+# @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+# @brief
+#
+
+CONFIGURE_FILE(230.key-manager-change-data-dir.patch.sh.in
+ 230.key-manager-change-data-dir.patch.sh
+ @ONLY)
+
+CONFIGURE_FILE(231.key-manager-migrate-dkek.patch.sh.in
+ 231.key-manager-migrate-dkek.patch.sh
+ @ONLY)
+
+CONFIGURE_FILE(232.key-manager-change-user.patch.sh.in
+ 232.key-manager-change-user.patch.sh
+ @ONLY)
+
+INSTALL(FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/230.key-manager-change-data-dir.patch.sh
+ ${CMAKE_CURRENT_BINARY_DIR}/231.key-manager-migrate-dkek.patch.sh
+ ${CMAKE_CURRENT_BINARY_DIR}/232.key-manager-change-user.patch.sh
+ DESTINATION /etc/opt/upgrade
+ PERMISSIONS OWNER_READ
+ OWNER_WRITE
+ OWNER_EXECUTE) \ No newline at end of file
diff --git a/packaging/key-manager.manifest b/packaging/key-manager.manifest.in
index d4c43468..f0894612 100644
--- a/packaging/key-manager.manifest
+++ b/packaging/key-manager.manifest.in
@@ -3,6 +3,6 @@
<domain name="_" />
</request>
<assign>
- <filesystem path="/opt/data/ckm" label="System" type="transmutable" />
+ <filesystem path="@RW_DATA_DIR@" label="System" type="transmutable" />
</assign>
</manifest>
diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec
index 0e2ac04c..8cbef3b1 100644
--- a/packaging/key-manager.spec
+++ b/packaging/key-manager.spec
@@ -5,7 +5,6 @@ Release: 1
Group: System/Security
License: Apache-2.0 and BSL-1.0
Source0: %{name}-%{version}.tar.gz
-Source1001: key-manager.manifest
Source1002: key-manager-pam-plugin.manifest
Source1003: key-manager-listener.manifest
Source1004: libkey-manager-client.manifest
@@ -25,8 +24,10 @@ BuildRequires: pkgconfig(capi-system-info)
BuildRequires: pkgconfig(security-manager)
BuildRequires: pkgconfig(cynara-client-async)
BuildRequires: pkgconfig(cynara-creds-socket)
+BuildRequires: pkgconfig(libtzplatform-config)
BuildRequires: boost-devel
Requires(pre): pwdutils
+Requires(pre): tizen-platform-config-tools
Requires(postun): pwdutils
Requires: libkey-manager-common = %{version}-%{release}
%{?systemd_requires}
@@ -36,6 +37,10 @@ Requires: libkey-manager-common = %{version}-%{release}
%global service_name key-manager
%global _rundir /run
%global smack_domain_name System
+%global rw_data_dir %{?TZ_SYS_DATA:%TZ_SYS_DATA/ckm/}%{!?TZ_SYS_DATA:/opt/data/ckm/}
+%global ro_data_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE/ckm/}%{!?TZ_SYS_SHARE:/usr/share/ckm/}
+%global db_test_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE/ckm-db-test/}%{!?TZ_SYS_SHARE:/usr/share/ckm-db-test/}
+%global initial_values_dir %{rw_data_dir}initial_values/
%description
Central Key Manager daemon could be used as secure storage
@@ -110,7 +115,6 @@ and password change events from PAM
%prep
%setup -q
-cp -a %{SOURCE1001} .
cp -a %{SOURCE1002} .
cp -a %{SOURCE1003} .
cp -a %{SOURCE1004} .
@@ -138,37 +142,41 @@ export LDFLAGS+="-Wl,--rpath=%{_libdir},-Bsymbolic-functions "
-DUSER_NAME=%{user_name} \
-DGROUP_NAME=%{group_name} \
-DSMACK_DOMAIN_NAME=%{smack_domain_name} \
- -DMOCKUP_SM=%{?mockup_sm:%mockup_sm}%{!?mockup_sm:OFF}
+ -DMOCKUP_SM=%{?mockup_sm:%mockup_sm}%{!?mockup_sm:OFF} \
+ -DRW_DATA_DIR=%{rw_data_dir} \
+ -DRO_DATA_DIR=%{ro_data_dir} \
+ -DINITIAL_VALUES_DIR=%{initial_values_dir} \
+ -DDB_TEST_DIR=%{db_test_dir}
make %{?jobs:-j%jobs}
%install
rm -rf %{buildroot}
-mkdir -p %{buildroot}/opt/data/ckm/initial_values
+mkdir -p %{buildroot}%{initial_values_dir}
mkdir -p %{buildroot}/etc/security/
-mkdir -p %{buildroot}/usr/share/ckm/scripts
+mkdir -p %{buildroot}%{ro_data_dir}/scripts
mkdir -p %{buildroot}/etc/gumd/userdel.d/
-cp data/scripts/*.sql %{buildroot}/usr/share/ckm/scripts
-cp doc/initial_values.xsd %{buildroot}/usr/share/ckm
-cp doc/sw_key.xsd %{buildroot}/usr/share/ckm
+cp data/scripts/*.sql %{buildroot}%{ro_data_dir}/scripts
+cp doc/initial_values.xsd %{buildroot}%{ro_data_dir}
+cp doc/sw_key.xsd %{buildroot}%{ro_data_dir}
cp data/gumd/10_key-manager.post %{buildroot}/etc/gumd/userdel.d/
-mkdir -p %{buildroot}/usr/share/ckm-db-test
-cp tests/testme_ver1.db %{buildroot}/usr/share/ckm-db-test/
-cp tests/testme_ver2.db %{buildroot}/usr/share/ckm-db-test/
-cp tests/testme_ver3.db %{buildroot}/usr/share/ckm-db-test/
-cp tests/XML_1_okay.xml %{buildroot}/usr/share/ckm-db-test/
-cp tests/XML_1_okay.xsd %{buildroot}/usr/share/ckm-db-test/
-cp tests/XML_1_wrong.xml %{buildroot}/usr/share/ckm-db-test/
-cp tests/XML_1_wrong.xsd %{buildroot}/usr/share/ckm-db-test/
-cp tests/XML_2_structure.xml %{buildroot}/usr/share/ckm-db-test/
-cp tests/XML_3_encrypted.xml %{buildroot}/usr/share/ckm-db-test/
-cp tests/XML_3_encrypted.xsd %{buildroot}/usr/share/ckm-db-test/
-cp tests/XML_4_device_key.xml %{buildroot}/usr/share/ckm-db-test/
-cp tests/XML_4_device_key.xsd %{buildroot}/usr/share/ckm-db-test/
-cp tests/encryption-scheme/db/db-7654 %{buildroot}/usr/share/ckm-db-test/db-7654
-cp tests/encryption-scheme/db/db-key-7654 %{buildroot}/usr/share/ckm-db-test/db-key-7654
-cp tests/encryption-scheme/db/key-7654 %{buildroot}/usr/share/ckm-db-test/key-7654
+mkdir -p %{buildroot}%{db_test_dir}
+cp tests/testme_ver1.db %{buildroot}%{db_test_dir}
+cp tests/testme_ver2.db %{buildroot}%{db_test_dir}
+cp tests/testme_ver3.db %{buildroot}%{db_test_dir}
+cp tests/XML_1_okay.xml %{buildroot}%{db_test_dir}
+cp tests/XML_1_okay.xsd %{buildroot}%{db_test_dir}
+cp tests/XML_1_wrong.xml %{buildroot}%{db_test_dir}
+cp tests/XML_1_wrong.xsd %{buildroot}%{db_test_dir}
+cp tests/XML_2_structure.xml %{buildroot}%{db_test_dir}
+cp tests/XML_3_encrypted.xml %{buildroot}%{db_test_dir}
+cp tests/XML_3_encrypted.xsd %{buildroot}%{db_test_dir}
+cp tests/XML_4_device_key.xml %{buildroot}%{db_test_dir}
+cp tests/XML_4_device_key.xsd %{buildroot}%{db_test_dir}
+cp tests/encryption-scheme/db/db-7654 %{buildroot}%{db_test_dir}/db-7654
+cp tests/encryption-scheme/db/db-key-7654 %{buildroot}%{db_test_dir}/db-key-7654
+cp tests/encryption-scheme/db/key-7654 %{buildroot}%{db_test_dir}/key-7654
%make_install
%install_service multi-user.target.wants central-key-manager.service
@@ -178,6 +186,18 @@ cp tests/encryption-scheme/db/key-7654 %{buildroot}/usr/share/ckm-db-test/key-76
%install_service sockets.target.wants central-key-manager-api-encryption.socket
%pre
+# fail if runtime dir variable is different than compilation time variable
+if [ `tzplatform-get TZ_SYS_DATA | cut -d'=' -f2` != %{TZ_SYS_DATA} ]
+then
+ echo "Runtime value of TZ_SYS_DATA is different than the compilation time value. Aborting"
+ exit 1
+fi
+if [ `tzplatform-get TZ_SYS_SHARE | cut -d'=' -f2` != %{TZ_SYS_SHARE} ]
+then
+ echo "Runtime value of TZ_SYS_SHARE is different than the compilation time value. Aborting"
+ exit 1
+fi
+
# User/group (key-manager/key-manager) should be already added in passwd package.
# This is our backup plan if passwd package will not be configured correctly.
id -g %{group_name} > /dev/null 2>&1
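Review bot: Both comparisons added to `%pre` leave the command substitution and the macro unquoted, so if `tzplatform-get` prints nothing the test becomes `[ != … ]`, which is a test error rather than a mismatch, and the install continues — the check fails open. Quote both sides: `if [ "$(tzplatform-get TZ_SYS_DATA | cut -d'=' -f2)" != "%{TZ_SYS_DATA}" ]`, and likewise for `TZ_SYS_SHARE`. Also, `rw_data_dir` and `ro_data_dir` have a fallback for builds where `TZ_SYS_DATA`/`TZ_SYS_SHARE` are undefined, but this check expands the macros unconditionally. In such a build the comparison would presumably be made against the unexpanded macro text, so it should sit under the same `%{?TZ_SYS_DATA:…}` condition or compare against the resolved directory.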
@@ -194,6 +214,13 @@ fi
rm -rf %{buildroot}
%post
+# move data from old path to new one
+# we have to assume that in case of TZ_SYS_DATA change some upgrade script will move all the data
+if [ -d "/opt/data/ckm" ]
+then
+ cp -a /opt/data/ckm/. %{rw_data_dir} && rm -rf /opt/data/ckm
+fi
+
systemctl daemon-reload
if [ $1 = 1 ]; then
# installation
@@ -204,8 +231,8 @@ if [ $1 = 2 ]; then
# update
# In ckm version <= 0.1.18 all files were owned by root.
- find /opt/data/ckm -exec chsmack -a %{smack_domain_name} {} \;
- chown %{user_name}:%{group_name} -R /opt/data/ckm
+ find %{rw_data_dir} -exec chsmack -a %{smack_domain_name} {} \;
+ chown %{user_name}:%{group_name} -R %{rw_data_dir}
systemctl restart central-key-manager.service
fi
@@ -266,11 +293,12 @@ fi
%dir %{_datadir}/ckm
%{_datadir}/ckm/initial_values.xsd
%{_datadir}/ckm/sw_key.xsd
-%attr(770, %{user_name}, %{group_name}) /opt/data/ckm/
-%attr(770, %{user_name}, %{group_name}) /opt/data/ckm/initial_values/
+%attr(770, %{user_name}, %{group_name}) %{rw_data_dir}
+%attr(770, %{user_name}, %{group_name}) %{initial_values_dir}
%{_datadir}/ckm/scripts/*.sql
-/etc/opt/upgrade/230.key-manager-migrate-dkek.patch.sh
-/etc/opt/upgrade/231.key-manager-change-user.patch.sh
+/etc/opt/upgrade/230.key-manager-change-data-dir.patch.sh
+/etc/opt/upgrade/231.key-manager-migrate-dkek.patch.sh
+/etc/opt/upgrade/232.key-manager-change-user.patch.sh
/etc/gumd/userdel.d/10_key-manager.post
%{_bindir}/ckm_tool
diff --git a/src/manager/crypto/sw-backend/store.cpp b/src/manager/crypto/sw-backend/store.cpp
index b0fdb618..c287f0e5 100644
--- a/src/manager/crypto/sw-backend/store.cpp
+++ b/src/manager/crypto/sw-backend/store.cpp
@@ -146,8 +146,8 @@ RawBuffer pack(const RawBuffer& data, const Password& pass)
namespace
{
-const char * const DEVICE_KEY_XSD = "/usr/share/ckm/sw_key.xsd";
-const char * const DEVICE_KEY_SW_FILE = "/opt/data/ckm/device_key.xml";
+const char * const DEVICE_KEY_XSD = RO_DATA_DIR "sw_key.xsd";
+const char * const DEVICE_KEY_SW_FILE = RW_DATA_DIR "device_key.xml";
}
Store::Store(CryptoBackend backendId)
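Review bot: `RO_DATA_DIR "sw_key.xsd"` and `RW_DATA_DIR "device_key.xml"` only form valid paths when the macros end in `/`, while db-crypto.cpp in this commit writes `RO_DATA_DIR "/scripts/"` and the tests write `DB_TEST_DIR "/testme_ver1.db"`, so the trailing-slash convention is applied inconsistently. It holds only because key-manager.spec defines the directories with a trailing slash; a build that passes `/usr/share/ckm` would look for `/usr/share/ckmsw_key.xsd` and for the device key file under a wrong name. Pick one convention and state it where the macros are defined, e.g. a comment `# RW_DATA_DIR, RO_DATA_DIR and DB_TEST_DIR must end with '/'` in CMakeLists.txt, and drop the extra `/` at the call sites that add one. The same concatenation appears in initial-value-loader.cpp, file-system.cpp, scheme-test.cpp and test_xml-parser.cpp.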
diff --git a/src/manager/initial-values/initial-value-loader.cpp b/src/manager/initial-values/initial-value-loader.cpp
index c0d4b932..fc7f1568 100644
--- a/src/manager/initial-values/initial-value-loader.cpp
+++ b/src/manager/initial-values/initial-value-loader.cpp
@@ -27,8 +27,7 @@
#include <InitialValuesFile.h>
namespace {
-const char * const INIT_VALUES_DIR = "/opt/data/ckm/initial_values/";
-const char * const INIT_VALUES_XSD = "/usr/share/ckm/initial_values.xsd";
+const char * const INIT_VALUES_XSD = RO_DATA_DIR "initial_values.xsd";
const char * const INIT_VALUES_FILE_SUFFIX = ".xml";
} // namespace anonymous
@@ -39,7 +38,7 @@ void LoadFiles(CKMLogic &logic)
{
try {
std::vector<std::string> filesToParse;
- DIR *dp = opendir(INIT_VALUES_DIR);
+ DIR *dp = opendir(INITIAL_VALUES_DIR);
if (dp) {
struct dirent *entry;
while ((entry = readdir(dp))) {
@@ -52,7 +51,7 @@ void LoadFiles(CKMLogic &logic)
if (lowercaseFilename.find(INIT_VALUES_FILE_SUFFIX) == std::string::npos)
continue;
- filesToParse.push_back(std::string(INIT_VALUES_DIR) + filename);
+ filesToParse.push_back(std::string(INITIAL_VALUES_DIR) + filename);
}
closedir(dp);
}
diff --git a/src/manager/service/db-crypto.cpp b/src/manager/service/db-crypto.cpp
index b70c85e1..93530163 100644
--- a/src/manager/service/db-crypto.cpp
+++ b/src/manager/service/db-crypto.cpp
@@ -34,7 +34,7 @@ namespace {
const CKM::PermissionMask DEFAULT_PERMISSIONS =
static_cast<CKM::PermissionMask>(CKM::Permission::READ | CKM::Permission::REMOVE);
- const char *SCRIPTS_PATH = "/usr/share/ckm/scripts/";
+ const char *SCRIPTS_PATH = RO_DATA_DIR "/scripts/";
enum DBVersion : int {
DB_VERSION_1 = 1,
diff --git a/src/manager/service/file-system.cpp b/src/manager/service/file-system.cpp
index 678ee6d9..9fd68c41 100644
--- a/src/manager/service/file-system.cpp
+++ b/src/manager/service/file-system.cpp
@@ -42,7 +42,6 @@
namespace {
-const std::string CKM_DATA_PATH = "/opt/data/ckm/";
const std::string CKM_KEY_PREFIX = "key-";
const std::string CKM_DB_KEY_PREFIX = "db-key-";
const std::string CKM_DB_PREFIX = "db-";
@@ -61,28 +60,28 @@ FileSystem::FileSystem(uid_t uid)
std::string FileSystem::getDBPath() const
{
std::stringstream ss;
- ss << CKM_DATA_PATH << CKM_DB_PREFIX << m_uid;
+ ss << RW_DATA_DIR << CKM_DB_PREFIX << m_uid;
return ss.str();
}
std::string FileSystem::getDKEKPath() const
{
std::stringstream ss;
- ss << CKM_DATA_PATH << CKM_KEY_PREFIX << m_uid;
+ ss << RW_DATA_DIR << CKM_KEY_PREFIX << m_uid;
return ss.str();
}
std::string FileSystem::getDBDEKPath() const
{
std::stringstream ss;
- ss << CKM_DATA_PATH << CKM_DB_KEY_PREFIX << m_uid;
+ ss << RW_DATA_DIR << CKM_DB_KEY_PREFIX << m_uid;
return ss.str();
}
std::string FileSystem::getRemovedAppsPath() const
{
std::stringstream ss;
- ss << CKM_DATA_PATH << CKM_REMOVED_APP_PREFIX << m_uid;
+ ss << RW_DATA_DIR << CKM_REMOVED_APP_PREFIX << m_uid;
return ss.str();
}
@@ -178,9 +177,9 @@ AppLabelVector FileSystem::clearRemovedsApps() const
int FileSystem::init()
{
errno = 0;
- if ((mkdir(CKM_DATA_PATH.c_str(), 0700)) && (errno != EEXIST)) {
+ if ((mkdir(RW_DATA_DIR, 0700)) && (errno != EEXIST)) {
int err = errno;
- LogError("Error in mkdir " << CKM_DATA_PATH << ". Reason: " << GetErrnoString(err));
+ LogError("Error in mkdir " << RW_DATA_DIR << ". Reason: " << GetErrnoString(err));
return -1; // TODO set up some error code
}
return 0;
@@ -190,7 +189,7 @@ UidVector FileSystem::getUIDsFromDBFile()
{
UidVector uids;
std::unique_ptr<DIR, std::function<int(DIR*)>>
- dirp(::opendir(CKM_DATA_PATH.c_str()), ::closedir);
+ dirp(::opendir(RW_DATA_DIR), ::closedir);
if (!dirp.get()) {
int err = errno;
@@ -198,7 +197,7 @@ UidVector FileSystem::getUIDsFromDBFile()
return UidVector();
}
- size_t len = offsetof(struct dirent, d_name) + pathconf(CKM_DATA_PATH.c_str(), _PC_NAME_MAX) + 1;
+ size_t len = offsetof(struct dirent, d_name) + pathconf(RW_DATA_DIR, _PC_NAME_MAX) + 1;
std::unique_ptr<struct dirent, std::function<void(void*)>>
pEntry(static_cast<struct dirent*>(::malloc(len)), ::free);
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 8cadd638..dcad88cd 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -5,6 +5,7 @@ PKG_CHECK_MODULES(KEY_MANAGER_TEST_DEP
FIND_PACKAGE(Threads REQUIRED)
ADD_DEFINITIONS( "-DBOOST_TEST_DYN_LINK" )
+ADD_DEFINITIONS("-DDB_TEST_DIR=\"${DB_TEST_DIR}\"")
SET(KEY_MANAGER_SRC_PATH ${PROJECT_SOURCE_DIR}/src)
SET(KEY_MANAGER_PATH ${PROJECT_SOURCE_DIR}/src/manager)
diff --git a/tests/encryption-scheme/CMakeLists.txt b/tests/encryption-scheme/CMakeLists.txt
index 10cea932..bfd0a6c5 100644
--- a/tests/encryption-scheme/CMakeLists.txt
+++ b/tests/encryption-scheme/CMakeLists.txt
@@ -85,5 +85,4 @@ TARGET_LINK_LIBRARIES(${TARGET_CKM_GENERATOR}
INSTALL(TARGETS ${TARGET_CKM_GENERATOR} DESTINATION bin)
-
-INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/encryption-scheme.p12 DESTINATION /usr/share/ckm-db-test) \ No newline at end of file
+INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/encryption-scheme.p12 DESTINATION ${DB_TEST_DIR}) \ No newline at end of file
diff --git a/tests/encryption-scheme/scheme-test.cpp b/tests/encryption-scheme/scheme-test.cpp
index 9abf27eb..cdf90dda 100644
--- a/tests/encryption-scheme/scheme-test.cpp
+++ b/tests/encryption-scheme/scheme-test.cpp
@@ -268,8 +268,8 @@ gid_t getGid(const char *name) {
void restoreFile(const string& filename) {
static uid_t CKM_UID = getUid(USER_NAME);
static gid_t CKM_GID = getGid(GROUP_NAME);
- string sourcePath = "/usr/share/ckm-db-test/" + filename;
- string targetPath = "/opt/data/ckm/" + filename;
+ string sourcePath = string(DB_TEST_DIR) + filename;
+ string targetPath = string(RW_DATA_DIR) + filename;
int err, ret;
@@ -400,7 +400,7 @@ void SchemeTest::SwitchToRoot() {
void SchemeTest::FillDb() {
// pkcs
- ifstream is("/usr/share/ckm-db-test/encryption-scheme.p12");
+ ifstream is(DB_TEST_DIR "/encryption-scheme.p12");
if(!is)
throw runtime_error("Failed to read pkcs");
istreambuf_iterator<char> begin(is), end;
diff --git a/tests/test_db_crypto.cpp b/tests/test_db_crypto.cpp
index c5681b49..c8b85d2c 100644
--- a/tests/test_db_crypto.cpp
+++ b/tests/test_db_crypto.cpp
@@ -289,19 +289,19 @@ void verifyDBisValid(DBFixture & fixture)
struct DBVer1Migration : public DBFixture
{
- DBVer1Migration() : DBFixture("/usr/share/ckm-db-test/testme_ver1.db")
+ DBVer1Migration() : DBFixture(DB_TEST_DIR "/testme_ver1.db")
{}
};
struct DBVer2Migration : public DBFixture
{
- DBVer2Migration() : DBFixture("/usr/share/ckm-db-test/testme_ver2.db")
+ DBVer2Migration() : DBFixture(DB_TEST_DIR "/testme_ver2.db")
{}
};
struct DBVer3Migration : public DBFixture
{
- DBVer3Migration() : DBFixture("/usr/share/ckm-db-test/testme_ver3.db")
+ DBVer3Migration() : DBFixture(DB_TEST_DIR "/testme_ver3.db")
{}
};
}
diff --git a/tests/test_xml-parser.cpp b/tests/test_xml-parser.cpp
index b12cbd6d..514683bd 100644
--- a/tests/test_xml-parser.cpp
+++ b/tests/test_xml-parser.cpp
@@ -41,7 +41,7 @@ const char *XSD_4_device_key = "XML_4_device_key.xsd";
std::string format_test_path(const char *file)
{
- return std::string("/usr/share/ckm-db-test/") + std::string(file);
+ return std::string(DB_TEST_DIR) + std::string(file);
}
bool startCallbackFlag = false;
diff --git a/tools/ckm_db_tool/ckm_db_tool.cpp b/tools/ckm_db_tool/ckm_db_tool.cpp
index 2ef8fdf4..378ff9ed 100644
--- a/tools/ckm_db_tool/ckm_db_tool.cpp
+++ b/tools/ckm_db_tool/ckm_db_tool.cpp
@@ -148,7 +148,7 @@ void usage() {
cout << endl;
cout << "Usage: ckm_db_tool uid [password] [sql_command]" << endl;
cout << endl;
- cout << "uid (mandatory) User id as in /opt/data/ckm/db-<uid>" << endl;
+ cout << "uid (mandatory) User id as in <TZ_SYS_DATA>/ckm/db-<uid>" << endl;
cout << "password (optional) Password used for database encryption. For system database (uid < 5000) no password should be used." << endl;
cout << "sql_command (optional) Sqlite3 command to execute on database. If empty the tool will enter interactive mode." << endl;
cout << endl;