author | Krzysztof Jackiewicz <k.jackiewicz@samsung.com> | 2016-01-08 13:32:28 +0100 |
---|---|---|
committer | Krzysztof Jackiewicz <k.jackiewicz@samsung.com> | 2016-01-14 09:38:36 +0100 |
commit | a61e9ce01fa45323b381e6456d07117516d2e55d (patch) | |
tree | 033ada39d5a6212a9c4d0d5282c53c551d0e9c20 | |
parent | 8bc7217902a49348d31647251fe9f4937b08a5f3 (diff) | |
Get dir locations from environment
[Problem] Key manager data dir location was hardcoded to /opt/data/ckm/. On
common profile image key-manager fails to start because of lack of /opt/data.
[Solution] Get directory locations from tizen platform config. Copy files
from old location if necessary. Make installation fail if runtime and compile
time settings differ. Provide upgrade script.
[Verification] Install key-manager package. Make sure all the content from
/opt/data/ckm/ has been moved to new location (/usr/data/ckm). Run tests. Make
sure all data is placed in new location. Run upgrade scripts
(/etc/opt/upgrade/*key-manager*.sh) on an old version of ckm and check the results.
Change-Id: Idafbe0fe43f1140c137f87883273b609a499b4cc
-rw-r--r-- | CMakeLists.txt | 12 | ||||
-rwxr-xr-x | data/scripts/230.key-manager-change-data-dir.patch.sh.in | 28 | ||||
-rwxr-xr-x | data/scripts/230.key-manager-migrate-dkek.patch.sh | 64 | ||||
-rwxr-xr-x | data/scripts/231.key-manager-change-user.patch.sh | 21 | ||||
-rwxr-xr-x | data/scripts/231.key-manager-migrate-dkek.patch.sh.in | 83 | ||||
-rwxr-xr-x | data/scripts/232.key-manager-change-user.patch.sh.in | 40 | ||||
-rw-r--r-- | data/scripts/CMakeLists.txt | 39 | ||||
-rw-r--r-- | packaging/key-manager.manifest.in (renamed from packaging/key-manager.manifest) | 2 | ||||
-rw-r--r-- | packaging/key-manager.spec | 88 | ||||
-rw-r--r-- | src/manager/crypto/sw-backend/store.cpp | 4 | ||||
-rw-r--r-- | src/manager/initial-values/initial-value-loader.cpp | 7 | ||||
-rw-r--r-- | src/manager/service/db-crypto.cpp | 2 | ||||
-rw-r--r-- | src/manager/service/file-system.cpp | 17 | ||||
-rw-r--r-- | tests/CMakeLists.txt | 1 | ||||
-rw-r--r-- | tests/encryption-scheme/CMakeLists.txt | 3 | ||||
-rw-r--r-- | tests/encryption-scheme/scheme-test.cpp | 6 | ||||
-rw-r--r-- | tests/test_db_crypto.cpp | 6 | ||||
-rw-r--r-- | tests/test_xml-parser.cpp | 2 | ||||
-rw-r--r-- | tools/ckm_db_tool/ckm_db_tool.cpp | 2 |
19 files changed, 278 insertions, 149 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 3d1a298a..3792afaa 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -57,6 +57,9 @@ ADD_DEFINITIONS("-DSERVICE_NAME=\"${SERVICE_NAME}\"") ADD_DEFINITIONS("-DUSER_NAME=\"${USER_NAME}\"") ADD_DEFINITIONS("-DGROUP_NAME=\"${GROUP_NAME}\"") ADD_DEFINITIONS("-DSMACK_DOMAIN_NAME=\"${SMACK_DOMAIN_NAME}\"") +ADD_DEFINITIONS("-DRW_DATA_DIR=\"${RW_DATA_DIR}\"") +ADD_DEFINITIONS("-DRO_DATA_DIR=\"${RO_DATA_DIR}\"") +ADD_DEFINITIONS("-DINITIAL_VALUES_DIR=\"${INITIAL_VALUES_DIR}\"") IF (CMAKE_BUILD_TYPE MATCHES "DEBUG") ADD_DEFINITIONS("-DTIZEN_DEBUG_ENABLE") @@ -76,14 +79,9 @@ SET(TARGET_PAM_KEY_MANAGER_PLUGIN "pam_key_manager_plugin") SET(TARGET_TEST_MERGED "ckm-tests-internal") -INSTALL(FILES - ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/230.key-manager-migrate-dkek.patch.sh - ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/231.key-manager-change-user.patch.sh - DESTINATION /etc/opt/upgrade - PERMISSIONS OWNER_READ - OWNER_WRITE - OWNER_EXECUTE) +CONFIGURE_FILE(packaging/key-manager.manifest.in key-manager.manifest @ONLY) +ADD_SUBDIRECTORY(data/scripts) ADD_SUBDIRECTORY(src) ADD_SUBDIRECTORY(build) ADD_SUBDIRECTORY(systemd) diff --git a/data/scripts/230.key-manager-change-data-dir.patch.sh.in b/data/scripts/230.key-manager-change-data-dir.patch.sh.in new file mode 100755 index 00000000..56ecc2a7 --- /dev/null +++ b/data/scripts/230.key-manager-change-data-dir.patch.sh.in 
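Review bot: The three new `ADD_DEFINITIONS` lines compile `RW_DATA_DIR`, `RO_DATA_DIR` and `INITIAL_VALUES_DIR` into the binary without checking that the variables were passed. A plain `cmake` run outside the spec file would define them as empty strings, and paths built from them elsewhere in this commit (for example `RW_DATA_DIR "device_key.xml"`) would then resolve relative to the daemon's working directory. I would fail configuration early, before these lines, with `IF(NOT RW_DATA_DIR)` / `MESSAGE(FATAL_ERROR "RW_DATA_DIR is not set")` / `ENDIF()`, repeated for the other two variables.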
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file 230.key-manager-change-data-dir.patch.sh.in
+# @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+# @brief Moves key-manager data to a location specified at compilation time
+#
+
+CKM_DATA_PATH_OLD=/opt/data/ckm
+
+# move data from old path to new one
+if [ -d "$CKM_DATA_PATH_OLD" ] && [ "@RW_DATA_DIR@" != "$CKM_DATA_PATH_OLD" ]
+then
+ cp -a $CKM_DATA_PATH_OLD/. @RW_DATA_DIR@ && rm -rf $CKM_DATA_PATH_OLD
+fi
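Review bot: The guard `[ "@RW_DATA_DIR@" != "$CKM_DATA_PATH_OLD" ]` is a plain string comparison, and the spec file in this commit defines `rw_data_dir` with a trailing slash (`/opt/data/ckm/` in the fallback case), so it never equals `/opt/data/ckm` and the `cp -a … && rm -rf` line runs even when the old and new locations are the same directory. Only the exit status of `cp` then stands between the key store and `rm -rf`. Compare normalised paths and quote the expansions, e.g. `[ "$(readlink -m "@RW_DATA_DIR@")" != "$(readlink -m "$CKM_DATA_PATH_OLD")" ]` and `mkdir -p "@RW_DATA_DIR@" && cp -a "$CKM_DATA_PATH_OLD/." "@RW_DATA_DIR@" && rm -rf "$CKM_DATA_PATH_OLD"`. The `%post` hunk in packaging/key-manager.spec repeats the copy-then-delete with no same-directory check at all.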
\ No newline at end of file diff --git a/data/scripts/230.key-manager-migrate-dkek.patch.sh b/data/scripts/230.key-manager-migrate-dkek.patch.sh deleted file mode 100755 index 93a9a96f..00000000 --- a/data/scripts/230.key-manager-migrate-dkek.patch.sh +++ /dev/null @@ -1,64 +0,0 @@ -#!/bin/bash - -CKM_DATA_PATH=/opt/data/ckm -VERSION_INFO_PATH=${CKM_DATA_PATH}/version-info -CURRENT_VERSION=1 - -migrate_from_0_to_1() -{ - ARR_UID=() - ARR_IDX=() - - # Extract uids from DKEK files - for uid in `ls ${CKM_DATA_PATH} | grep "^key-[0-9]*-[0-9]*$" | awk 'BEGIN { FS = "-" }; { print $2 }' | awk '!x[$0]++'` - do - ARR_UID+=($uid) - done - - for (( i = 0; i < ${#ARR_UID[@]}; i++ )) - do - idx_max=0 - idx_submax=0 - - uid=${ARR_UID[$i]} - ARR_IDX=() - # Extract autoincremented index per uids - for file in `ls ${CKM_DATA_PATH} | grep "^key-${uid}-[0-9]*$"` - do - idx=`echo $file | awk 'BEGIN { FS = "-" }; { print $3 }'` - ARR_IDX+=($idx) - done - - # Find max index(for key-<uid>) and submax index(for key-backup-<uid>) - for idx in ${ARR_IDX[@]} - do - if [ $idx -gt $idx_max ] - then - idx_submax=$idx_max - idx_max=$idx - fi - done - - # Rename file - # smack label setting isn't needed. - # (Because not remove/add new file, but just rename file) - mv "${CKM_DATA_PATH}/key-${uid}-${idx_max}" "${CKM_DATA_PATH}/key-${uid}" - if [ -f "${CKM_DATA_PATH}/key-${uid}-${idx_submax}" ] - then - mv "${CKM_DATA_PATH}/key-${uid}-${idx_submax}" "${CKM_DATA_PATH}/key-backup-${uid}" - fi - - # [Optional] Remove other key-<uid>-<numeric> files. - for file in `ls ${CKM_DATA_PATH} | grep "^key-${uid}-[0-9]*$"` - do - rm ${CKM_DATA_PATH}/${file} - done - done -} - -if [ ! -f ${VERSION_INFO_PATH} ] -then - echo "CKM VERSION_INFO NOT EXIST." - echo "$CURRENT_VERSION" > $VERSION_INFO_PATH - migrate_from_0_to_1 -fi diff --git a/data/scripts/231.key-manager-change-user.patch.sh b/data/scripts/231.key-manager-change-user.patch.sh deleted file mode 100755 index e02cc12a..00000000 
--- a/data/scripts/231.key-manager-change-user.patch.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -USER_NAME=key-manager -GROUP_NAME=key-manager -CKM_DATA_PATH=/opt/data/ckm -SMACK_LABEL=System - -id -g $GROUP_NAME > /dev/null 2>&1 -if [ $? -eq 1 ]; then - groupadd $GROUP_NAME -r > /dev/null 2>&1 -fi - -id -u $USER_NAME > /dev/null 2>&1 -if [ $? -eq 1 ]; then - useradd -d /var/lib/empty -s /sbin/nologin -r -g $GROUP_NAME $USER_NAME > /dev/null 2>&1 -fi - -# In ckm version <= 0.1.18 all files were owned by root. -find /opt/data/ckm -exec chsmack -a $SMACK_LABEL {} \; -chown ${USER_NAME}:${GROUP_NAME} -R ${CKM_DATA_PATH} - diff --git a/data/scripts/231.key-manager-migrate-dkek.patch.sh.in b/data/scripts/231.key-manager-migrate-dkek.patch.sh.in new file mode 100755 index 00000000..0e5815b0 --- /dev/null +++ b/data/scripts/231.key-manager-migrate-dkek.patch.sh.in 
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# Copyright (c) 2015-2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file 231.key-manager-migrate-dkek.patch.sh.in
+# @author Kyungwook Tak (k.tak@samsung.com)
+# @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+# @brief Changes ckm key files naming convention
+#
+
+VERSION_INFO_PATH=@RW_DATA_DIR@/version-info
+CURRENT_VERSION=1
+
+migrate_from_0_to_1()
+{
+ ARR_UID=()
+ ARR_IDX=()
+
+ # Extract uids from DKEK files
+ for uid in `ls @RW_DATA_DIR@ | grep "^key-[0-9]*-[0-9]*$" | awk 'BEGIN { FS = "-" }; { print $2 }' | awk '!x[$0]++'`
+ do
+ ARR_UID+=($uid)
+ done
+
+ for (( i = 0; i < ${#ARR_UID[@]}; i++ ))
+ do
+ idx_max=0
+ idx_submax=0
+
+ uid=${ARR_UID[$i]}
+ ARR_IDX=()
+ # Extract autoincremented index per uids
+ for file in `ls @RW_DATA_DIR@ | grep "^key-${uid}-[0-9]*$"`
+ do
+ idx=`echo $file | awk 'BEGIN { FS = "-" }; { print $3 }'`
+ ARR_IDX+=($idx)
+ done
+
+ # Find max index(for key-<uid>) and submax index(for key-backup-<uid>)
+ for idx in ${ARR_IDX[@]}
+ do
+ if [ $idx -gt $idx_max ]
+ then
+ idx_submax=$idx_max
+ idx_max=$idx
+ fi
+ done
+
+ # Rename file
+ # smack label setting isn't needed.
+ # (Because not remove/add new file, but just rename file)
+ mv "@RW_DATA_DIR@/key-${uid}-${idx_max}" "@RW_DATA_DIR@/key-${uid}"
+ if [ -f "@RW_DATA_DIR@/key-${uid}-${idx_submax}" ]
+ then
+ mv "@RW_DATA_DIR@/key-${uid}-${idx_submax}" "@RW_DATA_DIR@/key-backup-${uid}"
+ fi
+
+ # [Optional] Remove other key-<uid>-<numeric> files.
+ for file in `ls @RW_DATA_DIR@ | grep "^key-${uid}-[0-9]*$"`
+ do
+ rm @RW_DATA_DIR@/${file}
+ done
+ done
+}
+
+if [ ! -f ${VERSION_INFO_PATH} ]
+then
+ echo "CKM VERSION_INFO NOT EXIST."
+ echo "$CURRENT_VERSION" > $VERSION_INFO_PATH
+ migrate_from_0_to_1
+fi
diff --git a/data/scripts/232.key-manager-change-user.patch.sh.in b/data/scripts/232.key-manager-change-user.patch.sh.in
new file mode 100755
index 00000000..b6b2ae6d
--- /dev/null
+++ b/data/scripts/232.key-manager-change-user.patch.sh.in
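Review bot: `echo "$CURRENT_VERSION" > $VERSION_INFO_PATH` runs before `migrate_from_0_to_1`, so an interrupted or failed migration leaves DKEK files under the old `key-<uid>-<n>` names while the marker already says version 1, and the script will not retry on its next run. I would write the marker only after the migration succeeds, `migrate_from_0_to_1 && echo "$CURRENT_VERSION" > "$VERSION_INFO_PATH"`, and have the function return non-zero when a `mv` fails. The function also iterates over `ls` output with unquoted expansions; a one-line comment stating that names in this directory are assumed to contain no whitespace would document that assumption.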
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Copyright (c) 2015-2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file 232.key-manager-change-user.patch.sh.in
+# @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+# @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+# @brief Changes ckm data owner to key-manager:key-manager and smack label to "System"
+#
+
+USER_NAME=key-manager
+GROUP_NAME=key-manager
+SMACK_LABEL=System
+
+id -g $GROUP_NAME > /dev/null 2>&1
+if [ $? -eq 1 ]; then
+ groupadd $GROUP_NAME -r > /dev/null 2>&1
+fi
+
+id -u $USER_NAME > /dev/null 2>&1
+if [ $? -eq 1 ]; then
+ useradd -d /var/lib/empty -s /sbin/nologin -r -g $GROUP_NAME $USER_NAME > /dev/null 2>&1
+fi
+
+# In ckm version <= 0.1.18 all files were owned by root.
+find @RW_DATA_DIR@ -exec chsmack -a $SMACK_LABEL {} \;
+chown ${USER_NAME}:${GROUP_NAME} -R @RW_DATA_DIR@
+
diff --git a/data/scripts/CMakeLists.txt b/data/scripts/CMakeLists.txt
new file mode 100644
index 00000000..8cf7b717
--- /dev/null
+++ b/data/scripts/CMakeLists.txt
@@ -0,0 +1,39 @@
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file CMakeLists.txt
+# @author Krzysztof Jackiewicz (k.jackiewicz@samsung.com)
+# @brief
+#
+
+CONFIGURE_FILE(230.key-manager-change-data-dir.patch.sh.in
+ 230.key-manager-change-data-dir.patch.sh
+ @ONLY)
+
+CONFIGURE_FILE(231.key-manager-migrate-dkek.patch.sh.in
+ 231.key-manager-migrate-dkek.patch.sh
+ @ONLY)
+
+CONFIGURE_FILE(232.key-manager-change-user.patch.sh.in
+ 232.key-manager-change-user.patch.sh
+ @ONLY)
+
+INSTALL(FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/230.key-manager-change-data-dir.patch.sh
+ ${CMAKE_CURRENT_BINARY_DIR}/231.key-manager-migrate-dkek.patch.sh
+ ${CMAKE_CURRENT_BINARY_DIR}/232.key-manager-change-user.patch.sh
+ DESTINATION /etc/opt/upgrade
+ PERMISSIONS OWNER_READ
+ OWNER_WRITE
+ OWNER_EXECUTE)
\ No newline at end of file diff --git a/packaging/key-manager.manifest b/packaging/key-manager.manifest.in index d4c43468..f0894612 100644 --- a/packaging/key-manager.manifest +++ b/packaging/key-manager.manifest.in @@ -3,6 +3,6 @@ <domain name="_" /> </request> <assign> - <filesystem path="/opt/data/ckm" label="System" type="transmutable" /> + <filesystem path="@RW_DATA_DIR@" label="System" type="transmutable" /> </assign> </manifest> diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index 0e2ac04c..8cbef3b1 100644 --- a/packaging/key-manager.spec +++ b/packaging/key-manager.spec @@ -5,7 +5,6 @@ Release: 1 Group: System/Security License: Apache-2.0 and BSL-1.0 Source0: %{name}-%{version}.tar.gz -Source1001: key-manager.manifest Source1002: key-manager-pam-plugin.manifest Source1003: key-manager-listener.manifest Source1004: libkey-manager-client.manifest @@ -25,8 +24,10 @@ BuildRequires: pkgconfig(capi-system-info) BuildRequires: pkgconfig(security-manager) BuildRequires: pkgconfig(cynara-client-async) BuildRequires: pkgconfig(cynara-creds-socket) +BuildRequires: pkgconfig(libtzplatform-config) BuildRequires: boost-devel Requires(pre): pwdutils +Requires(pre): tizen-platform-config-tools Requires(postun): pwdutils Requires: libkey-manager-common = %{version}-%{release} %{?systemd_requires} @@ -36,6 +37,10 @@ Requires: libkey-manager-common = %{version}-%{release} %global service_name key-manager %global _rundir /run %global smack_domain_name System +%global rw_data_dir %{?TZ_SYS_DATA:%TZ_SYS_DATA/ckm/}%{!?TZ_SYS_DATA:/opt/data/ckm/} +%global ro_data_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE/ckm/}%{!?TZ_SYS_SHARE:/usr/share/ckm/} +%global db_test_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE/ckm-db-test/}%{!?TZ_SYS_SHARE:/usr/share/ckm-db-test/} +%global initial_values_dir %{rw_data_dir}initial_values/ %description Central Key Manager daemon could be used as secure storage 
@@ -110,7 +115,6 @@ and password change events from PAM %prep %setup -q -cp -a %{SOURCE1001} . cp -a %{SOURCE1002} . cp -a %{SOURCE1003} . cp -a %{SOURCE1004} . 
@@ -138,37 +142,41 @@ export LDFLAGS+="-Wl,--rpath=%{_libdir},-Bsymbolic-functions " -DUSER_NAME=%{user_name} \ -DGROUP_NAME=%{group_name} \ -DSMACK_DOMAIN_NAME=%{smack_domain_name} \ - -DMOCKUP_SM=%{?mockup_sm:%mockup_sm}%{!?mockup_sm:OFF} + -DMOCKUP_SM=%{?mockup_sm:%mockup_sm}%{!?mockup_sm:OFF} \ + -DRW_DATA_DIR=%{rw_data_dir} \ + -DRO_DATA_DIR=%{ro_data_dir} \ + -DINITIAL_VALUES_DIR=%{initial_values_dir} \ + -DDB_TEST_DIR=%{db_test_dir} make %{?jobs:-j%jobs} %install rm -rf %{buildroot} -mkdir -p %{buildroot}/opt/data/ckm/initial_values +mkdir -p %{buildroot}%{initial_values_dir} mkdir -p %{buildroot}/etc/security/ -mkdir -p %{buildroot}/usr/share/ckm/scripts +mkdir -p %{buildroot}%{ro_data_dir}/scripts mkdir -p %{buildroot}/etc/gumd/userdel.d/ -cp data/scripts/*.sql %{buildroot}/usr/share/ckm/scripts -cp doc/initial_values.xsd %{buildroot}/usr/share/ckm -cp doc/sw_key.xsd %{buildroot}/usr/share/ckm +cp data/scripts/*.sql %{buildroot}%{ro_data_dir}/scripts +cp doc/initial_values.xsd %{buildroot}%{ro_data_dir} +cp doc/sw_key.xsd %{buildroot}%{ro_data_dir} cp data/gumd/10_key-manager.post %{buildroot}/etc/gumd/userdel.d/ -mkdir -p %{buildroot}/usr/share/ckm-db-test -cp tests/testme_ver1.db %{buildroot}/usr/share/ckm-db-test/ -cp tests/testme_ver2.db %{buildroot}/usr/share/ckm-db-test/ -cp tests/testme_ver3.db %{buildroot}/usr/share/ckm-db-test/ -cp tests/XML_1_okay.xml %{buildroot}/usr/share/ckm-db-test/ -cp tests/XML_1_okay.xsd %{buildroot}/usr/share/ckm-db-test/ -cp tests/XML_1_wrong.xml %{buildroot}/usr/share/ckm-db-test/ -cp tests/XML_1_wrong.xsd %{buildroot}/usr/share/ckm-db-test/ -cp tests/XML_2_structure.xml %{buildroot}/usr/share/ckm-db-test/ -cp tests/XML_3_encrypted.xml %{buildroot}/usr/share/ckm-db-test/ -cp tests/XML_3_encrypted.xsd %{buildroot}/usr/share/ckm-db-test/ -cp tests/XML_4_device_key.xml %{buildroot}/usr/share/ckm-db-test/ -cp tests/XML_4_device_key.xsd %{buildroot}/usr/share/ckm-db-test/ -cp tests/encryption-scheme/db/db-7654 
%{buildroot}/usr/share/ckm-db-test/db-7654 -cp tests/encryption-scheme/db/db-key-7654 %{buildroot}/usr/share/ckm-db-test/db-key-7654 -cp tests/encryption-scheme/db/key-7654 %{buildroot}/usr/share/ckm-db-test/key-7654 +mkdir -p %{buildroot}%{db_test_dir} +cp tests/testme_ver1.db %{buildroot}%{db_test_dir} +cp tests/testme_ver2.db %{buildroot}%{db_test_dir} +cp tests/testme_ver3.db %{buildroot}%{db_test_dir} +cp tests/XML_1_okay.xml %{buildroot}%{db_test_dir} +cp tests/XML_1_okay.xsd %{buildroot}%{db_test_dir} +cp tests/XML_1_wrong.xml %{buildroot}%{db_test_dir} +cp tests/XML_1_wrong.xsd %{buildroot}%{db_test_dir} +cp tests/XML_2_structure.xml %{buildroot}%{db_test_dir} +cp tests/XML_3_encrypted.xml %{buildroot}%{db_test_dir} +cp tests/XML_3_encrypted.xsd %{buildroot}%{db_test_dir} +cp tests/XML_4_device_key.xml %{buildroot}%{db_test_dir} +cp tests/XML_4_device_key.xsd %{buildroot}%{db_test_dir} +cp tests/encryption-scheme/db/db-7654 %{buildroot}%{db_test_dir}/db-7654 +cp tests/encryption-scheme/db/db-key-7654 %{buildroot}%{db_test_dir}/db-key-7654 +cp tests/encryption-scheme/db/key-7654 %{buildroot}%{db_test_dir}/key-7654 %make_install %install_service multi-user.target.wants central-key-manager.service 
@@ -178,6 +186,18 @@ cp tests/encryption-scheme/db/key-7654 %{buildroot}/usr/share/ckm-db-test/key-76 %install_service sockets.target.wants central-key-manager-api-encryption.socket %pre +# fail if runtime dir variable is different than compilation time variable +if [ `tzplatform-get TZ_SYS_DATA | cut -d'=' -f2` != %{TZ_SYS_DATA} ] +then + echo "Runtime value of TZ_SYS_DATA is different than the compilation time value. Aborting" + exit 1 +fi +if [ `tzplatform-get TZ_SYS_SHARE | cut -d'=' -f2` != %{TZ_SYS_SHARE} ] +then + echo "Runtime value of TZ_SYS_SHARE is different than the compilation time value. Aborting" + exit 1 +fi + # User/group (key-manager/key-manager) should be already added in passwd package. # This is our backup plan if passwd package will not be configured correctly. id -g %{group_name} > /dev/null 2>&1 @@ -194,6 +214,13 @@ fi rm -rf %{buildroot} %post +# move data from old path to new one +# we have to assume that in case of TZ_SYS_DATA change some upgrade script will move all the data +if [ -d "/opt/data/ckm" ] +then + cp -a /opt/data/ckm/. %{rw_data_dir} && rm -rf /opt/data/ckm +fi + systemctl daemon-reload if [ $1 = 1 ]; then # installation @@ -204,8 +231,8 @@ if [ $1 = 2 ]; then # update # In ckm version <= 0.1.18 all files were owned by root. - find /opt/data/ckm -exec chsmack -a %{smack_domain_name} {} \; - chown %{user_name}:%{group_name} -R /opt/data/ckm + find %{rw_data_dir} -exec chsmack -a %{smack_domain_name} {} \; + chown %{user_name}:%{group_name} -R %{rw_data_dir} systemctl restart central-key-manager.service fi 
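Review bot: The new `%pre` comparison of the `tzplatform-get TZ_SYS_DATA | cut -d'=' -f2` output against `%{TZ_SYS_DATA}` leaves both operands unquoted. If `tzplatform-get` prints nothing, the test becomes a syntax error and returns non-zero, so the `then` branch with `exit 1` is skipped and the guard fails open exactly when the runtime value cannot be read. Quote both sides, `if [ "$(tzplatform-get TZ_SYS_DATA | cut -d'=' -f2)" != "%{TZ_SYS_DATA}" ]`, and do the same for the `TZ_SYS_SHARE` check. Note also that `%{TZ_SYS_DATA}` is expanded unconditionally here, while the `%global rw_data_dir` definition earlier in the spec allows it to be undefined.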
@@ -266,11 +293,12 @@ fi %dir %{_datadir}/ckm %{_datadir}/ckm/initial_values.xsd %{_datadir}/ckm/sw_key.xsd -%attr(770, %{user_name}, %{group_name}) /opt/data/ckm/ -%attr(770, %{user_name}, %{group_name}) /opt/data/ckm/initial_values/ +%attr(770, %{user_name}, %{group_name}) %{rw_data_dir} +%attr(770, %{user_name}, %{group_name}) %{initial_values_dir} %{_datadir}/ckm/scripts/*.sql -/etc/opt/upgrade/230.key-manager-migrate-dkek.patch.sh -/etc/opt/upgrade/231.key-manager-change-user.patch.sh +/etc/opt/upgrade/230.key-manager-change-data-dir.patch.sh +/etc/opt/upgrade/231.key-manager-migrate-dkek.patch.sh +/etc/opt/upgrade/232.key-manager-change-user.patch.sh /etc/gumd/userdel.d/10_key-manager.post %{_bindir}/ckm_tool diff --git a/src/manager/crypto/sw-backend/store.cpp b/src/manager/crypto/sw-backend/store.cpp index b0fdb618..c287f0e5 100644 --- a/src/manager/crypto/sw-backend/store.cpp +++ b/src/manager/crypto/sw-backend/store.cpp @@ -146,8 +146,8 @@ RawBuffer pack(const RawBuffer& data, const Password& pass) namespace { -const char * const DEVICE_KEY_XSD = "/usr/share/ckm/sw_key.xsd"; -const char * const DEVICE_KEY_SW_FILE = "/opt/data/ckm/device_key.xml"; +const char * const DEVICE_KEY_XSD = RO_DATA_DIR "sw_key.xsd"; +const char * const DEVICE_KEY_SW_FILE = RW_DATA_DIR "device_key.xml"; } Store::Store(CryptoBackend backendId) diff --git a/src/manager/initial-values/initial-value-loader.cpp b/src/manager/initial-values/initial-value-loader.cpp index c0d4b932..fc7f1568 100644 --- a/src/manager/initial-values/initial-value-loader.cpp +++ b/src/manager/initial-values/initial-value-loader.cpp @@ -27,8 +27,7 @@ #include <InitialValuesFile.h> namespace { -const char * const INIT_VALUES_DIR = "/opt/data/ckm/initial_values/"; -const char * const INIT_VALUES_XSD = "/usr/share/ckm/initial_values.xsd"; +const char * const INIT_VALUES_XSD = RO_DATA_DIR "initial_values.xsd"; const char * const INIT_VALUES_FILE_SUFFIX = ".xml"; } // namespace anonymous 
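Review bot: `RO_DATA_DIR "sw_key.xsd"` and `RW_DATA_DIR "device_key.xml"` in store.cpp only form valid paths if the macros end in `/`. Other files in this commit mix both conventions: db-crypto.cpp uses `RO_DATA_DIR "/scripts/"`, and the tests use `DB_TEST_DIR "/testme_ver1.db"` next to `string(DB_TEST_DIR) + filename`. Nothing in the hunk documents or enforces the trailing slash, so a build that passes `/opt/data/ckm` would place the device key at `/opt/data/ckmdevice_key.xml`. I would pick one convention and add a comment above the constants such as `// RO_DATA_DIR and RW_DATA_DIR must end with '/' (set in packaging/key-manager.spec)`.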
@@ -39,7 +38,7 @@ void LoadFiles(CKMLogic &logic) { try { std::vector<std::string> filesToParse; - DIR *dp = opendir(INIT_VALUES_DIR); + DIR *dp = opendir(INITIAL_VALUES_DIR); if (dp) { struct dirent *entry; while ((entry = readdir(dp))) { @@ -52,7 +51,7 @@ void LoadFiles(CKMLogic &logic) if (lowercaseFilename.find(INIT_VALUES_FILE_SUFFIX) == std::string::npos) continue; - filesToParse.push_back(std::string(INIT_VALUES_DIR) + filename); + filesToParse.push_back(std::string(INITIAL_VALUES_DIR) + filename); } closedir(dp); } diff --git a/src/manager/service/db-crypto.cpp b/src/manager/service/db-crypto.cpp index b70c85e1..93530163 100644 --- a/src/manager/service/db-crypto.cpp +++ b/src/manager/service/db-crypto.cpp @@ -34,7 +34,7 @@ namespace { const CKM::PermissionMask DEFAULT_PERMISSIONS = static_cast<CKM::PermissionMask>(CKM::Permission::READ | CKM::Permission::REMOVE); - const char *SCRIPTS_PATH = "/usr/share/ckm/scripts/"; + const char *SCRIPTS_PATH = RO_DATA_DIR "/scripts/"; enum DBVersion : int { DB_VERSION_1 = 1, diff --git a/src/manager/service/file-system.cpp b/src/manager/service/file-system.cpp index 678ee6d9..9fd68c41 100644 --- a/src/manager/service/file-system.cpp +++ b/src/manager/service/file-system.cpp @@ -42,7 +42,6 @@ namespace { -const std::string CKM_DATA_PATH = "/opt/data/ckm/"; const std::string CKM_KEY_PREFIX = "key-"; const std::string CKM_DB_KEY_PREFIX = "db-key-"; const std::string CKM_DB_PREFIX = "db-"; 
@@ -61,28 +60,28 @@ FileSystem::FileSystem(uid_t uid) std::string FileSystem::getDBPath() const { std::stringstream ss; - ss << CKM_DATA_PATH << CKM_DB_PREFIX << m_uid; + ss << RW_DATA_DIR << CKM_DB_PREFIX << m_uid; return ss.str(); } std::string FileSystem::getDKEKPath() const { std::stringstream ss; - ss << CKM_DATA_PATH << CKM_KEY_PREFIX << m_uid; + ss << RW_DATA_DIR << CKM_KEY_PREFIX << m_uid; return ss.str(); } std::string FileSystem::getDBDEKPath() const { std::stringstream ss; - ss << CKM_DATA_PATH << CKM_DB_KEY_PREFIX << m_uid; + ss << RW_DATA_DIR << CKM_DB_KEY_PREFIX << m_uid; return ss.str(); } std::string FileSystem::getRemovedAppsPath() const { std::stringstream ss; - ss << CKM_DATA_PATH << CKM_REMOVED_APP_PREFIX << m_uid; + ss << RW_DATA_DIR << CKM_REMOVED_APP_PREFIX << m_uid; return ss.str(); } @@ -178,9 +177,9 @@ AppLabelVector FileSystem::clearRemovedsApps() const int FileSystem::init() { errno = 0; - if ((mkdir(CKM_DATA_PATH.c_str(), 0700)) && (errno != EEXIST)) { + if ((mkdir(RW_DATA_DIR, 0700)) && (errno != EEXIST)) { int err = errno; - LogError("Error in mkdir " << CKM_DATA_PATH << ". Reason: " << GetErrnoString(err)); + LogError("Error in mkdir " << RW_DATA_DIR << ". Reason: " << GetErrnoString(err)); return -1; // TODO set up some error code } return 0; @@ -190,7 +189,7 @@ UidVector FileSystem::getUIDsFromDBFile() { UidVector uids; std::unique_ptr<DIR, std::function<int(DIR*)>> - dirp(::opendir(CKM_DATA_PATH.c_str()), ::closedir); + dirp(::opendir(RW_DATA_DIR), ::closedir); if (!dirp.get()) { int err = errno; @@ -198,7 +197,7 @@ UidVector FileSystem::getUIDsFromDBFile() return UidVector(); } - size_t len = offsetof(struct dirent, d_name) + pathconf(CKM_DATA_PATH.c_str(), _PC_NAME_MAX) + 1; + size_t len = offsetof(struct dirent, d_name) + pathconf(RW_DATA_DIR, _PC_NAME_MAX) + 1; std::unique_ptr<struct dirent, std::function<void(void*)>> pEntry(static_cast<struct dirent*>(::malloc(len)), ::free); 
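Review bot: In `getUIDsFromDBFile`, the new `size_t len = offsetof(struct dirent, d_name) + pathconf(RW_DATA_DIR, _PC_NAME_MAX) + 1;` uses the `pathconf` result unchecked. `pathconf` returns -1 on error or when the limit is indeterminate, which makes `len` equal to `offsetof(struct dirent, d_name)` and the `malloc` that follows too small for any entry name. The buffer's use lies outside the hunk, but if it is handed to `readdir_r`, as the allocation pattern suggests, that is a heap overflow. Check the value first, e.g. `long nameMax = pathconf(RW_DATA_DIR, _PC_NAME_MAX);` then `if (nameMax < 0) nameMax = NAME_MAX;`, and build `len` from `nameMax`.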
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 8cadd638..dcad88cd 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -5,6 +5,7 @@ PKG_CHECK_MODULES(KEY_MANAGER_TEST_DEP FIND_PACKAGE(Threads REQUIRED) ADD_DEFINITIONS( "-DBOOST_TEST_DYN_LINK" ) +ADD_DEFINITIONS("-DDB_TEST_DIR=\"${DB_TEST_DIR}\"") SET(KEY_MANAGER_SRC_PATH ${PROJECT_SOURCE_DIR}/src) SET(KEY_MANAGER_PATH ${PROJECT_SOURCE_DIR}/src/manager) diff --git a/tests/encryption-scheme/CMakeLists.txt b/tests/encryption-scheme/CMakeLists.txt index 10cea932..bfd0a6c5 100644 --- a/tests/encryption-scheme/CMakeLists.txt +++ b/tests/encryption-scheme/CMakeLists.txt @@ -85,5 +85,4 @@ TARGET_LINK_LIBRARIES(${TARGET_CKM_GENERATOR} INSTALL(TARGETS ${TARGET_CKM_GENERATOR} DESTINATION bin) - -INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/encryption-scheme.p12 DESTINATION /usr/share/ckm-db-test)
\ No newline at end of file +INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/encryption-scheme.p12 DESTINATION ${DB_TEST_DIR})
\ No newline at end of file diff --git a/tests/encryption-scheme/scheme-test.cpp b/tests/encryption-scheme/scheme-test.cpp index 9abf27eb..cdf90dda 100644 --- a/tests/encryption-scheme/scheme-test.cpp +++ b/tests/encryption-scheme/scheme-test.cpp @@ -268,8 +268,8 @@ gid_t getGid(const char *name) { void restoreFile(const string& filename) { static uid_t CKM_UID = getUid(USER_NAME); static gid_t CKM_GID = getGid(GROUP_NAME); - string sourcePath = "/usr/share/ckm-db-test/" + filename; - string targetPath = "/opt/data/ckm/" + filename; + string sourcePath = string(DB_TEST_DIR) + filename; + string targetPath = string(RW_DATA_DIR) + filename; int err, ret; @@ -400,7 +400,7 @@ void SchemeTest::SwitchToRoot() { void SchemeTest::FillDb() { // pkcs - ifstream is("/usr/share/ckm-db-test/encryption-scheme.p12"); + ifstream is(DB_TEST_DIR "/encryption-scheme.p12"); if(!is) throw runtime_error("Failed to read pkcs"); istreambuf_iterator<char> begin(is), end; diff --git a/tests/test_db_crypto.cpp b/tests/test_db_crypto.cpp index c5681b49..c8b85d2c 100644 --- a/tests/test_db_crypto.cpp +++ b/tests/test_db_crypto.cpp @@ -289,19 +289,19 @@ void verifyDBisValid(DBFixture & fixture) struct DBVer1Migration : public DBFixture { - DBVer1Migration() : DBFixture("/usr/share/ckm-db-test/testme_ver1.db") + DBVer1Migration() : DBFixture(DB_TEST_DIR "/testme_ver1.db") {} }; struct DBVer2Migration : public DBFixture { - DBVer2Migration() : DBFixture("/usr/share/ckm-db-test/testme_ver2.db") + DBVer2Migration() : DBFixture(DB_TEST_DIR "/testme_ver2.db") {} }; struct DBVer3Migration : public DBFixture { - DBVer3Migration() : DBFixture("/usr/share/ckm-db-test/testme_ver3.db") + DBVer3Migration() : DBFixture(DB_TEST_DIR "/testme_ver3.db") {} }; } diff --git a/tests/test_xml-parser.cpp b/tests/test_xml-parser.cpp index b12cbd6d..514683bd 100644 --- a/tests/test_xml-parser.cpp +++ b/tests/test_xml-parser.cpp 
@@ -41,7 +41,7 @@ const char *XSD_4_device_key = "XML_4_device_key.xsd"; std::string format_test_path(const char *file) { - return std::string("/usr/share/ckm-db-test/") + std::string(file); + return std::string(DB_TEST_DIR) + std::string(file); } bool startCallbackFlag = false; diff --git a/tools/ckm_db_tool/ckm_db_tool.cpp b/tools/ckm_db_tool/ckm_db_tool.cpp index 2ef8fdf4..378ff9ed 100644 --- a/tools/ckm_db_tool/ckm_db_tool.cpp +++ b/tools/ckm_db_tool/ckm_db_tool.cpp @@ -148,7 +148,7 @@ void usage() { cout << endl; cout << "Usage: ckm_db_tool uid [password] [sql_command]" << endl; cout << endl; - cout << "uid (mandatory) User id as in /opt/data/ckm/db-<uid>" << endl; + cout << "uid (mandatory) User id as in <TZ_SYS_DATA>/ckm/db-<uid>" << endl; cout << "password (optional) Password used for database encryption. For system database (uid < 5000) no password should be used." << endl; cout << "sql_command (optional) Sqlite3 command to execute on database. If empty the tool will enter interactive mode." << endl; cout << endl; |