authorBartlomiej Grzelewski <b.grzelewski@samsung.com>2015-12-16 17:50:30 +0100
committerKrzysztof Jackiewicz <k.jackiewicz@samsung.com>2016-01-05 03:22:20 -0800
commitad8a5435939161bea16ee2abe37f07f3ebd85782 (patch)
tree715729faa91c49186e12207bf704e718434ca5ac
parent2896b70686abbe59620b7a4adb5eb12960ecd071 (diff)
Change user from root to key-manager
[Solution] User changed. Smack labels/manifests adjusted. Runtime directory created. Tests adjusted. Change-Id: I22b7ed01158b16ce3ac3d04110e4ab2ab3d46711
-rw-r--r--CMakeLists.txt9
-rwxr-xr-xdata/scripts/231.key-manager-change-user.patch.sh21
-rw-r--r--packaging/key-manager-tests.manifest10
-rw-r--r--packaging/key-manager.manifest3
-rw-r--r--packaging/key-manager.spec49
-rw-r--r--packaging/libkey-manager-client-devel.manifest5
-rw-r--r--src/listener/listener-daemon.cpp2
-rw-r--r--src/manager/service/file-system.cpp2
-rw-r--r--systemd/CMakeLists.txt3
-rw-r--r--systemd/central-key-manager-listener.service.in (renamed from systemd/central-key-manager-listener.service)3
-rw-r--r--systemd/central-key-manager.service.in4
-rw-r--r--tests/encryption-scheme/scheme-test.cpp18
12 files changed, 120 insertions, 9 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 73720b1e..3d1a298a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -52,6 +52,11 @@ STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}")
ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"")
ADD_DEFINITIONS("-DSMACK_ENABLED")
ADD_DEFINITIONS("-DSQLCIPHER_HAS_CODEC")
+ADD_DEFINITIONS("-DRUN_DIR=\"${RUN_DIR}\"")
+ADD_DEFINITIONS("-DSERVICE_NAME=\"${SERVICE_NAME}\"")
+ADD_DEFINITIONS("-DUSER_NAME=\"${USER_NAME}\"")
+ADD_DEFINITIONS("-DGROUP_NAME=\"${GROUP_NAME}\"")
+ADD_DEFINITIONS("-DSMACK_DOMAIN_NAME=\"${SMACK_DOMAIN_NAME}\"")
IF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
ADD_DEFINITIONS("-DTIZEN_DEBUG_ENABLE")
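Review bot: The five new definitions (`-DRUN_DIR` through `-DSMACK_DOMAIN_NAME`) expand to empty strings when the variables are not passed to cmake, because nothing in this hunk sets a default or checks them. The lock path built from them in listener-daemon.cpp and file-system.cpp would then be `//key-manager.pid`, and the generated units would carry an empty `User=`/`Group=`, which would likely leave the daemon running as root. A configure-time guard makes a build outside the spec file fail loudly: `IF(NOT RUN_DIR OR NOT SERVICE_NAME OR NOT USER_NAME OR NOT GROUP_NAME OR NOT SMACK_DOMAIN_NAME)`, `MESSAGE(FATAL_ERROR "RUN_DIR, SERVICE_NAME, USER_NAME, GROUP_NAME and SMACK_DOMAIN_NAME must be set")`, `ENDIF()`.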
@@ -71,7 +76,9 @@ SET(TARGET_PAM_KEY_MANAGER_PLUGIN "pam_key_manager_plugin")
SET(TARGET_TEST_MERGED "ckm-tests-internal")
-INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/230.key-manager-migrate-dkek.patch.sh
+INSTALL(FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/230.key-manager-migrate-dkek.patch.sh
+ ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/231.key-manager-change-user.patch.sh
DESTINATION /etc/opt/upgrade
PERMISSIONS OWNER_READ
OWNER_WRITE
diff --git a/data/scripts/231.key-manager-change-user.patch.sh b/data/scripts/231.key-manager-change-user.patch.sh
new file mode 100755
index 00000000..e02cc12a
--- /dev/null
+++ b/data/scripts/231.key-manager-change-user.patch.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+USER_NAME=key-manager
+GROUP_NAME=key-manager
+CKM_DATA_PATH=/opt/data/ckm
+SMACK_LABEL=System
+
+id -g $GROUP_NAME > /dev/null 2>&1
+if [ $? -eq 1 ]; then
+ groupadd $GROUP_NAME -r > /dev/null 2>&1
+fi
+
+id -u $USER_NAME > /dev/null 2>&1
+if [ $? -eq 1 ]; then
+ useradd -d /var/lib/empty -s /sbin/nologin -r -g $GROUP_NAME $USER_NAME > /dev/null 2>&1
+fi
+
+# In ckm version <= 0.1.18 all files were owned by root.
+find /opt/data/ckm -exec chsmack -a $SMACK_LABEL {} \;
+chown ${USER_NAME}:${GROUP_NAME} -R ${CKM_DATA_PATH}
+
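Review bot: `id -g $GROUP_NAME` looks the name up as a user and prints that user's primary group, so it does not test whether the group exists; if the group is present but the user is not, `groupadd` runs, fails, and the failure is hidden by `> /dev/null 2>&1`. A direct check is `getent group "$GROUP_NAME" > /dev/null || groupadd -r "$GROUP_NAME"`, with the matching `getent passwd "$USER_NAME"` test before `useradd`. Because every error is discarded, a failed `useradd` makes the later `chown` fail too, leaving the data root-owned while the units start the daemon as key-manager; the script should exit non-zero when account creation fails. The `find` line hard-codes `/opt/data/ckm` although `${CKM_DATA_PATH}` is already defined for that purpose. The `%pre` and `%post` hunks in packaging/key-manager.spec repeat the same checks and commands and need the same changes.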
diff --git a/packaging/key-manager-tests.manifest b/packaging/key-manager-tests.manifest
new file mode 100644
index 00000000..8471cc34
--- /dev/null
+++ b/packaging/key-manager-tests.manifest
@@ -0,0 +1,10 @@
+<manifest>
+ <request>
+ <domain name="_" />
+ </request>
+ <assign>
+ <filesystem path="/usr/bin/ckm-tests-internal" exec_label="System" />
+ <filesystem path="/usr/bin/ckm_db_tool" exec_label="System" />
+ <filesystem path="/usr/bin/ckm_generate_db" exec_label="System" />
+ </assign>
+</manifest>
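Review bot: The three test and database tools get `exec_label="System"`, the same Smack label this commit gives the daemon and `/opt/data/ckm`, so, as far as the manifest shows, Smack no longer separates these binaries from the key store. That leaves the ownership and 770 mode set in key-manager.spec as the remaining barrier. This is presumably intended so the tests can reach the database, but the manifest should say so, for example `<!-- Test tools run in the daemon's Smack domain; key-manager-tests must not be installed on product images. -->`.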
diff --git a/packaging/key-manager.manifest b/packaging/key-manager.manifest
index a76fdbae..d4c43468 100644
--- a/packaging/key-manager.manifest
+++ b/packaging/key-manager.manifest
@@ -2,4 +2,7 @@
<request>
<domain name="_" />
</request>
+ <assign>
+ <filesystem path="/opt/data/ckm" label="System" type="transmutable" />
+ </assign>
</manifest>
diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec
index fe34919d..365d502a 100644
--- a/packaging/key-manager.spec
+++ b/packaging/key-manager.spec
@@ -9,7 +9,9 @@ Source1001: key-manager.manifest
Source1002: key-manager-pam-plugin.manifest
Source1003: key-manager-listener.manifest
Source1004: libkey-manager-client.manifest
-Source1005: libkey-manager-common.manifest
+Source1005: libkey-manager-client-devel.manifest
+Source1006: libkey-manager-common.manifest
+Source1007: key-manager-tests.manifest
BuildRequires: cmake
BuildRequires: zip
BuildRequires: pkgconfig(dlog)
@@ -24,9 +26,17 @@ BuildRequires: pkgconfig(security-manager)
BuildRequires: pkgconfig(cynara-client-async)
BuildRequires: pkgconfig(cynara-creds-socket)
BuildRequires: boost-devel
+Requires(pre): pwdutils
+Requires(postun): pwdutils
Requires: libkey-manager-common = %{version}-%{release}
%{?systemd_requires}
+%global user_name key-manager
+%global group_name key-manager
+%global service_name key-manager
+%global _rundir /run
+%global smack_domain_name System
+
%description
Central Key Manager daemon could be used as secure storage
for certificate and private/public keys. It gives API for
@@ -105,6 +115,8 @@ cp -a %{SOURCE1002} .
cp -a %{SOURCE1003} .
cp -a %{SOURCE1004} .
cp -a %{SOURCE1005} .
+cp -a %{SOURCE1006} .
+cp -a %{SOURCE1007} .
%build
%if 0%{?sec_build_binary_debug_enable}
@@ -121,6 +133,11 @@ export LDFLAGS+="-Wl,--rpath=%{_libdir},-Bsymbolic-functions "
-DCMAKE_VERBOSE_MAKEFILE=ON \
-DSYSTEMD_UNIT_DIR=%{_unitdir} \
-DSYSTEMD_ENV_FILE="/etc/sysconfig/central-key-manager" \
+ -DRUN_DIR:PATH=%{_rundir} \
+ -DSERVICE_NAME=%{service_name} \
+ -DUSER_NAME=%{user_name} \
+ -DGROUP_NAME=%{group_name} \
+ -DSMACK_DOMAIN_NAME=%{smack_domain_name} \
-DMOCKUP_SM=%{?mockup_sm:%mockup_sm}%{!?mockup_sm:OFF}
make %{?jobs:-j%jobs}
@@ -161,6 +178,19 @@ cp tests/encryption-scheme/db/key-7654 %{buildroot}/usr/share/ckm-db-test/key-76
%install_service sockets.target.wants central-key-manager-api-ocsp.socket
%install_service sockets.target.wants central-key-manager-api-encryption.socket
+%pre
+# User/group (key-manager/key-manager) should be already added in passwd package.
+# This is our backup plan if passwd package will not be configured correctly.
+id -g %{group_name} > /dev/null 2>&1
+if [ $? -eq 1 ]; then
+ groupadd %{group_name} -r > /dev/null 2>&1
+fi
+
+id -u %{user_name} > /dev/null 2>&1
+if [ $? -eq 1 ]; then
+ useradd -d /var/lib/empty -s /sbin/nologin -r -g %{group_name} %{user_name} > /dev/null 2>&1
+fi
+
%clean
rm -rf %{buildroot}
@@ -202,6 +232,10 @@ if [ $1 = 1 ]; then
fi
if [ $1 = 2 ]; then
# update
+
+ # In ckm version <= 0.1.18 all files were owned by root.
+ find /opt/data/ckm -exec chsmack -a %{smack_domain_name} {} \;
+ chown %{user_name}:%{group_name} -R /opt/data/ckm
systemctl restart central-key-manager-listener.service
fi
@@ -234,12 +268,15 @@ fi
%{_unitdir}/central-key-manager-api-ocsp.socket
%{_unitdir}/sockets.target.wants/central-key-manager-api-encryption.socket
%{_unitdir}/central-key-manager-api-encryption.socket
+%dir %{_datadir}/ckm
%{_datadir}/ckm/initial_values.xsd
%{_datadir}/ckm/sw_key.xsd
-/opt/data/ckm/initial_values/
-%attr(444, root, root) %{_datadir}/ckm/scripts/*.sql
+%attr(770, %{user_name}, %{group_name}) /opt/data/ckm/
+%attr(770, %{user_name}, %{group_name}) /opt/data/ckm/initial_values/
+%{_datadir}/ckm/scripts/*.sql
/etc/opt/upgrade/230.key-manager-migrate-dkek.patch.sh
-%attr(550, root, root) /etc/gumd/userdel.d/10_key-manager.post
+/etc/opt/upgrade/231.key-manager-change-user.patch.sh
+/etc/gumd/userdel.d/10_key-manager.post
%{_bindir}/ckm_tool
%files -n key-manager-pam-plugin
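Review bot: Dropping `%attr(444, root, root)` from the SQL scripts and `%attr(550, root, root)` from `/etc/gumd/userdel.d/10_key-manager.post` leaves their owner and mode to whatever `%defattr` or the build root supplies, which this hunk does not show. The hook is presumably run by gumd with privileges and the SQL is consumed by the daemon, so both should stay root-owned and not writable by key-manager; confirm that or keep the explicit attributes. `%attr(770, ...) /opt/data/ckm/` without `%dir` applies to every packaged file under the directory, so the initial_values files would be installed with mode 770 including the execute bit; `%dir %attr(770, %{user_name}, %{group_name}) /opt/data/ckm/` limits it to the directory itself. If only the daemon account needs the key store, 700 is tighter than 770.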
@@ -263,6 +300,7 @@ fi
%{_libdir}/libkey-manager-control-client.so.*
%files -n libkey-manager-client-devel
+%manifest libkey-manager-client-devel.manifest
%{_libdir}/libkey-manager-client.so
%{_libdir}/libkey-manager-control-client.so
%{_libdir}/libkey-manager-common.so
@@ -283,7 +321,9 @@ fi
%{_libdir}/pkgconfig/*.pc
%files -n key-manager-tests
+%manifest key-manager-tests.manifest
%{_bindir}/ckm-tests-internal
+%dir %{_datadir}/ckm-db-test
%{_datadir}/ckm-db-test/testme_ver1.db
%{_datadir}/ckm-db-test/testme_ver2.db
%{_datadir}/ckm-db-test/testme_ver3.db
@@ -303,3 +343,4 @@ fi
%{_bindir}/ckm_so_loader
%{_bindir}/ckm_db_tool
%{_bindir}/ckm_generate_db
+
diff --git a/packaging/libkey-manager-client-devel.manifest b/packaging/libkey-manager-client-devel.manifest
new file mode 100644
index 00000000..a76fdbae
--- /dev/null
+++ b/packaging/libkey-manager-client-devel.manifest
@@ -0,0 +1,5 @@
+<manifest>
+ <request>
+ <domain name="_" />
+ </request>
+</manifest>
diff --git a/src/listener/listener-daemon.cpp b/src/listener/listener-daemon.cpp
index 894d4282..92d6ce12 100644
--- a/src/listener/listener-daemon.cpp
+++ b/src/listener/listener-daemon.cpp
@@ -35,7 +35,7 @@
#define LOG_TAG "CKM_LISTENER"
namespace {
-const char* const CKM_LOCK = "/var/run/key-manager.pid";
+const char* const CKM_LOCK = RUN_DIR "/" SERVICE_NAME "/key-manager.pid";
};
bool isCkmRunning()
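Review bot: `CKM_LOCK` now points into `RUN_DIR "/" SERVICE_NAME`, a directory that only central-key-manager.service declares through `RuntimeDirectory=`, and the constant carries no comment saying so. A comment such as `// Inside the RuntimeDirectory= of central-key-manager.service: owned by the service user, absent while that service is stopped.` would record the dependency, and the same applies to `CKM_LOCK_FILE` in src/manager/service/file-system.cpp. Since the file is no longer in a root-only location, any privileged tooling that reads a pid from it should not trust the contents. The body of isCkmRunning is outside the hunk, so how it behaves when the directory is missing cannot be checked here.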
diff --git a/src/manager/service/file-system.cpp b/src/manager/service/file-system.cpp
index e569d1dd..678ee6d9 100644
--- a/src/manager/service/file-system.cpp
+++ b/src/manager/service/file-system.cpp
@@ -47,7 +47,7 @@ const std::string CKM_KEY_PREFIX = "key-";
const std::string CKM_DB_KEY_PREFIX = "db-key-";
const std::string CKM_DB_PREFIX = "db-";
const std::string CKM_REMOVED_APP_PREFIX = "removed-app-";
-const std::string CKM_LOCK_FILE = "/var/run/key-manager.pid";
+const std::string CKM_LOCK_FILE = RUN_DIR "/" SERVICE_NAME "/key-manager.pid";
} // namespace anonymous
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index cda16ecc..e8f38adf 100644
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -1,6 +1,9 @@
CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/systemd/central-key-manager.service.in
${CMAKE_SOURCE_DIR}/systemd/central-key-manager.service @ONLY)
+CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/systemd/central-key-manager-listener.service.in
+ ${CMAKE_SOURCE_DIR}/systemd/central-key-manager-listener.service @ONLY)
+
INSTALL(FILES
${CMAKE_SOURCE_DIR}/systemd/central-key-manager.service
${CMAKE_SOURCE_DIR}/systemd/central-key-manager.target
diff --git a/systemd/central-key-manager-listener.service b/systemd/central-key-manager-listener.service.in
index ba2b8bcc..2b4e7cde 100644
--- a/systemd/central-key-manager-listener.service
+++ b/systemd/central-key-manager-listener.service.in
@@ -4,6 +4,9 @@ Requires=dbus.service
After=central-key-manager.service
[Service]
+User=@USER_NAME@
+Group=@GROUP_NAME@
+SmackProcessLabel=@SMACK_DOMAIN_NAME@
Type=simple
ExecStart=/usr/bin/key-manager-listener
diff --git a/systemd/central-key-manager.service.in b/systemd/central-key-manager.service.in
index 01591315..c516c411 100644
--- a/systemd/central-key-manager.service.in
+++ b/systemd/central-key-manager.service.in
@@ -3,6 +3,9 @@ Description=Start the Central Key Manager
DefaultDependencies=no
[Service]
+User=@USER_NAME@
+Group=@GROUP_NAME@
+SmackProcessLabel=@SMACK_DOMAIN_NAME@
Type=notify
ExecStart=/usr/bin/key-manager
Sockets=central-key-manager-api-storage.socket
@@ -10,6 +13,7 @@ Sockets=central-key-manager-api-control.socket
Sockets=central-key-manager-api-ocsp.socket
Sockets=central-key-manager-api-encryption.socket
EnvironmentFile=-@SYSTEMD_ENV_FILE@
+RuntimeDirectory=@SERVICE_NAME@
[Install]
WantedBy=multi-user.target
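Review bot: `RuntimeDirectory=@SERVICE_NAME@` is added without a mode, so the directory holding the pid/lock file gets systemd's default of 0755 and is listable by every user. If only the key-manager account and group need it (the listener unit in this commit runs as the same user), add `RuntimeDirectoryMode=0750` on the next line. If processes outside the group are expected to check the lock, keep the default and add a comment in the unit saying why.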
diff --git a/tests/encryption-scheme/scheme-test.cpp b/tests/encryption-scheme/scheme-test.cpp
index 35b78c93..9abf27eb 100644
--- a/tests/encryption-scheme/scheme-test.cpp
+++ b/tests/encryption-scheme/scheme-test.cpp
@@ -27,6 +27,8 @@
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
+#include <grp.h>
+#include <pwd.h>
#include <fstream>
#include <stdexcept>
@@ -56,8 +58,6 @@ RawBuffer TEST_DATA(TEST_DATA_STR.begin(), TEST_DATA_STR.end());
const Password TEST_PASS = "custom user password";
const size_t IV_LEN = 16;
const size_t CHAIN_LEN = 3;
-const uid_t CKM_UID = 0;
-const gid_t CKM_GID = 0;
enum {
NO_PASS = 0,
@@ -253,7 +253,21 @@ struct FdCloser {
typedef std::unique_ptr<int, FdCloser> FdPtr;
+uid_t getUid(const char *name) {
+ passwd *p = getpwnam(name);
+ BOOST_REQUIRE_MESSAGE(p, "getpwnam failed");
+ return p->pw_uid;
+}
+
+gid_t getGid(const char *name) {
+ group *g = getgrnam(name);
+ BOOST_REQUIRE_MESSAGE(g, "getgrnam failed");
+ return g->gr_gid;
+}
+
void restoreFile(const string& filename) {
+ static uid_t CKM_UID = getUid(USER_NAME);
+ static gid_t CKM_GID = getGid(GROUP_NAME);
string sourcePath = "/usr/share/ckm-db-test/" + filename;
string targetPath = "/opt/data/ckm/" + filename;
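Review bot: `getUid` and `getGid` fail with the fixed texts "getpwnam failed" and "getgrnam failed", which do not name the account that was looked up. When the tests package is installed on an image without the key-manager user, the failure is hard to diagnose; `BOOST_REQUIRE_MESSAGE(p, "getpwnam failed for user: " << name);` and the same form for the group would fix that. The two function-local statics in `restoreFile` are never reassigned and would read better as `static const uid_t CKM_UID = getUid(USER_NAME);` and `static const gid_t CKM_GID = getGid(GROUP_NAME);`. The rest of restoreFile lies outside the hunk, so how the ids are used cannot be checked here.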