Supply service & busconfig ACLs from the repo.

This change required as a part of privilege separation work: openbmc/openbmc#3383 Dependant meta-phosphor change: https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41430 Signed-off-by: Anton D. Kachalov <[email protected]> Change-Id: Ic0b1b57f8a088defe096f1ab793efa1f015ca5be
openbmc · May 31, 2021 · 6dd1c2a · 6dd1c2a
1 parent 811a29e
commit 6dd1c2a
Show file tree

Hide file tree

Showing 11 changed files with 132 additions and 8 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -49,7 +49,7 @@ phosphor_certificate_manager_CXXFLAGS = \
 	$(PHOSPHOR_DBUS_INTERFACES_CFLAGS) \
 	$(PHOSPHOR_LOGGING_CFLAGS)
 
-SUBDIRS = test
+SUBDIRS = dist test
 
 if CA_CERT_EXTENSION
 SUBDIRS += bmc-vmi-ca

diff --git a/bmc-vmi-ca/Makefile.am b/bmc-vmi-ca/Makefile.am
@@ -5,11 +5,6 @@ noinst_HEADERS = \
 	ca_cert_entry.hpp \
 	ca_certs_manager.hpp
 
-if HAVE_SYSTEMD
-systemdsystemunit_DATA = \
-	bmc-vmi-ca-manager.service
-endif
-
 bmc_vmi_ca_SOURCES = \
 	mainapp.cpp \
 	ca_cert_entry.cpp \

diff --git a/configure.ac b/configure.ac
@@ -38,7 +38,29 @@ AS_IF([test "x$with_systemdsystemunitdir" = "xyes" -o "x$with_systemdsystemunitd
 AS_IF([test "x$with_systemdsystemunitdir" != "xno"],
       [AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])]
 )
-AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$with_systemdsystemunitdir" != "xno"])
+
+AC_ARG_WITH([dbuspolicydir],
+        AS_HELP_STRING([--with-dbuspolicydir=DIR], [D-Bus policy directory]),
+        [],
+        [with_dbuspolicydir=$($PKG_CONFIG --variable=sysconfdir dbus-1)/dbus-1/system.d])
+AS_IF([test "x$with_dbuspolicydir" != "xno"],
+      [AC_SUBST([dbuspolicydir], [$with_dbuspolicydir])]
+)
+
+AC_ARG_ENABLE([bmcweb-cert-config],
+     AS_HELP_STRING([--enable-bmcweb-cert-config], [Install bmcweb cert configs])
+)
+AM_CONDITIONAL([ENABLE_BMCWEB_CERT_CONFIG], [test "x$enable_bmcweb_cert_config" == "xyes" ])
+
+AC_ARG_ENABLE([nslcd-authority-cert-config],
+     AS_HELP_STRING([--enable-nslcd-authority-cert-config], [Install nslcd authority cert configs])
+)
+AM_CONDITIONAL([ENABLE_NSLCD_AUTHORITY_CERT_CONFIG], [test "x$enable_nslcd_authority_cert_config" == "xyes" ])
+
+AC_ARG_ENABLE([codecoverage],
+     AS_HELP_STRING([--enable-code-coverage], [Enable code coverage checks])
+)
+AM_CONDITIONAL([CODE_COVERAGE_ENABLED], [test "x$enable_codecoverage" == "xyes" ])
 
 # Check for libraries
 AX_CHECK_OPENSSL([], [AC_MSG_ERROR(["openssl required and not found"])])
@@ -196,6 +218,8 @@ AM_CONDITIONAL([CA_CERT_EXTENSION], [test "x$enable_ca_cert_extension" == "xyes"
 AS_IF([test "x$enable_ca_cert_extension" == "xyes"],
       [AC_CONFIG_FILES([bmc-vmi-ca/Makefile])])
 
+AC_SUBST([dbuspolicydir], [$with_dbuspolicydir])
+
 # Create configured output
-AC_CONFIG_FILES([Makefile test/Makefile])
+AC_CONFIG_FILES([Makefile test/Makefile dist/Makefile])
 AC_OUTPUT
diff --git a/dist/Makefile.am b/dist/Makefile.am
@@ -0,0 +1,44 @@
+certmgrenvdir=$(datadir)/phosphor-certificate-manager
+
+dbuspolicy_DATA =
+certmgrenv_DATA =
+SYSTEM_UNIT_ALIASES =
+
+systemdsystemunit_DATA = [email protected]
+
+if CA_CERT_EXTENSION
+dbuspolicy_DATA += busconfig/bmc-vmi-ca.conf
+systemdsystemunit_DATA += bmc-vmi-ca-manager.service
+endif
+
+if ENABLE_BMCWEB_CERT_CONFIG
+dbuspolicy_DATA += busconfig/phosphor-bmcweb-cert-config.conf
+certmgrenv_DATA += env/bmcweb
+SYSTEM_UNIT_ALIASES += \
+	../[email protected] multi-user.target.wants/[email protected]
+endif
+
+if ENABLE_NSLCD_AUTHORITY_CERT_CONFIG
+dbuspolicy_DATA += busconfig/phosphor-nslcd-authority-cert-config.conf
+certmgrenv_DATA += env/authority
+SYSTEM_UNIT_ALIASES += \
+	../[email protected] multi-user.target.wants/[email protected]
+endif
+
+install-aliases-hook:
+	set -- $(SYSTEM_UNIT_ALIASES) && \
+	  dir=$(systemdsystemunitdir) && $(install-aliases)
+
+define install-aliases
+  while [ -n "$$1" ]; do \
+	$(MKDIR_P) `dirname $(DESTDIR)$$dir/$$2` && \
+	rm -f $(DESTDIR)$$dir/$$2 && \
+	$(LN_S) $$1 $(DESTDIR)$$dir/$$2 && \
+	shift 2 || exit $$?; \
+  done
+endef
+
+INSTALL_DATA_HOOKS = \
+	install-aliases-hook
+
+install-data-hook: $(INSTALL_DATA_HOOKS)
diff --git a/bmc-vmi-ca/bmc-vmi-ca-manager.service → dist/bmc-vmi-ca-manager.service b/bmc-vmi-ca/bmc-vmi-ca-manager.service → dist/bmc-vmi-ca-manager.service
@@ -5,6 +5,7 @@ Description=BMC VMI CA authority manager
 ExecStart=/usr/bin/env bmc-vmi-ca
 SyslogIdentifier=bmc-vmi-ca
 Restart=always
+UMask=0007
 
 Type=dbus
 BusName=xyz.openbmc_project.Certs.ca.authority.Manager

diff --git a/dist/busconfig/bmc-vmi-ca.conf b/dist/busconfig/bmc-vmi-ca.conf
@@ -0,0 +1,8 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <policy user="root">
+    <allow own="xyz.openbmc_project.Certs.ca.authority.Manager"/>
+    <allow send_destination="xyz.openbmc_project.Certs.ca.authority.Manager"/>
+  </policy>
+</busconfig>
diff --git a/dist/busconfig/phosphor-bmcweb-cert-config.conf b/dist/busconfig/phosphor-bmcweb-cert-config.conf
@@ -0,0 +1,8 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <policy user="root">
+    <allow own="xyz.openbmc_project.Certs.Manager.Server.Https"/>
+    <allow send_destination="xyz.openbmc_project.Certs.Manager.Server.Https"/>
+  </policy>
+</busconfig>
diff --git a/dist/busconfig/phosphor-nslcd-authority-cert-config.conf b/dist/busconfig/phosphor-nslcd-authority-cert-config.conf
@@ -0,0 +1,8 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <policy user="root">
+    <allow own="xyz.openbmc_project.Certs.Manager.Authority.Ldap"/>
+    <allow send_destination="xyz.openbmc_project.Certs.Manager.Authority.Ldap"/>
+  </policy>
+</busconfig>
diff --git a/dist/env/authority b/dist/env/authority
@@ -0,0 +1,12 @@
+#REST URI endpoint
+#example: /xyz/openbmc_project/certs/authority/ldap
+ENDPOINT=ldap
+
+#Path for the certificate file
+CERTPATH=/etc/ssl/certs/authority
+
+#Units to restart
+UNIT=bmcweb.service
+
+#Type of service
+TYPE=authority
diff --git a/dist/env/bmcweb b/dist/env/bmcweb
@@ -0,0 +1,12 @@
+#D-Bus object path
+#example: /xyz/openbmc_project/certs/server/https
+ENDPOINT=https
+
+#Path for the certificate file
+CERTPATH=/etc/ssl/certs/https/server.pem
+
+#Units to restart
+UNIT=bmcweb.service
+
+#Type of the service client/server
+TYPE=server
diff --git a/dist/[email protected] b/dist/[email protected]
@@ -0,0 +1,12 @@
+[Unit]
+Description=Phosphor certificate manager for %I
+
+[Service]
+EnvironmentFile=/usr/share/phosphor-certificate-manager/%I
+ExecStart=/usr/bin/env phosphor-certificate-manager --endpoint=${ENDPOINT} --path=${CERTPATH} --unit=${UNIT} --type=${TYPE}
+SyslogIdentifier=phosphor-certificate-manager
+Restart=always
+UMask=0007
+
+[Install]
+WantedBy=multi-user.target