Merge "tpm_manager: Change location for owner password data"
diff --git a/common/print_local_data_proto.cc b/common/print_local_data_proto.cc
index 9a0bd8c..81c0864 100644
--- a/common/print_local_data_proto.cc
+++ b/common/print_local_data_proto.cc
@@ -13,7 +13,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
//
-
// THIS CODE IS GENERATED.
#include "tpm_manager/common/print_local_data_proto.h"
@@ -54,6 +53,22 @@
base::StringAppendF(&output, "%s", value.owner_dependency(i).c_str());
}
output += "}\n";
+ if (value.has_endorsement_password()) {
+ output += indent + " endorsement_password: ";
+ base::StringAppendF(&output, "%s",
+ base::HexEncode(value.endorsement_password().data(),
+ value.endorsement_password().size())
+ .c_str());
+ output += "\n";
+ }
+ if (value.has_lockout_password()) {
+ output += indent + " lockout_password: ";
+ base::StringAppendF(&output, "%s",
+ base::HexEncode(value.lockout_password().data(),
+ value.lockout_password().size())
+ .c_str());
+ output += "\n";
+ }
output += indent + "}\n";
return output;
}
diff --git a/server/local_data_store_impl.cc b/server/local_data_store_impl.cc
index 5b155ba..6cf8848 100644
--- a/server/local_data_store_impl.cc
+++ b/server/local_data_store_impl.cc
@@ -28,18 +28,20 @@
namespace tpm_manager {
-const char kTpmLocalDataFile[] =
- "/mnt/stateful_partition/unencrypted/preserve/local_tpm_data";
+const char kTpmLocalDataFile[] = "/var/lib/tpm_manager/local_tpm_data";
const mode_t kLocalDataPermissions = 0600;
bool LocalDataStoreImpl::Read(LocalData* data) {
CHECK(data);
- const int kMask = base::FILE_PERMISSION_OTHERS_MASK;
FilePath path(kTpmLocalDataFile);
+ if (!base::PathExists(path)) {
+ data->Clear();
+ return true;
+ }
int permissions = 0;
if (base::GetPosixFilePermissions(path, &permissions) &&
- (permissions & kMask) != 0) {
- base::SetPosixFilePermissions(path, permissions & ~kMask);
+ (permissions & ~kLocalDataPermissions) != 0) {
+ base::SetPosixFilePermissions(path, kLocalDataPermissions);
}
std::string file_data;
if (!ReadFileToString(path, &file_data)) {
diff --git a/server/tpm_manager-seccomp-amd64.policy b/server/tpm_manager-seccomp-amd64.policy
index eab40ed..6f11df7 100644
--- a/server/tpm_manager-seccomp-amd64.policy
+++ b/server/tpm_manager-seccomp-amd64.policy
@@ -48,7 +48,13 @@
read: 1
write: 1
close: 1
+access: 1
+rename: 1
+pwrite64: 1
+chmod: 1
+fsync: 1
+fdatasync: 1
fstat: 1
stat: 1
lseek: 1
@@ -59,6 +65,7 @@
restart_syscall: 1
exit: 1
exit_group: 1
+rt_sigaction: 1
rt_sigreturn: 1
rt_sigprocmask: 1
signalfd4: 1
@@ -73,3 +80,4 @@
# These calls are attempted but apparently not necessary; return EPERM.
prctl: return 1
ioctl: return 1
+tgkill: return 1
diff --git a/server/tpm_managerd.conf b/server/tpm_managerd.conf
index 9f2254b..9509967 100644
--- a/server/tpm_managerd.conf
+++ b/server/tpm_managerd.conf
@@ -21,6 +21,14 @@
stop on stopping system-services
respawn
+pre-start script
+ LOCAL_DATA_DIRECTORY="/var/lib/tpm_manager"
+ if [ ! -e "${LOCAL_DATA_DIRECTORY}" ]; then
+ mkdir -m 0755 "${LOCAL_DATA_DIRECTORY}"
+ chown -R tpm_manager:tpm_manager "${LOCAL_DATA_DIRECTORY}"
+ fi
+end script
+
# Minijail forks off our process
expect fork