Supply service & busconfig ACLs from the repo.

This change is required as part of the privilege separation work:
  https://github.com/openbmc/openbmc/issues/3383

Dependent meta-phosphor change:
  https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41430

Signed-off-by: Anton D. Kachalov <gmouse@google.com>
Change-Id: Ic0b1b57f8a088defe096f1ab793efa1f015ca5be
diff --git a/Makefile.am b/Makefile.am
index b4bca0f..f74e219 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -49,7 +49,7 @@
 	$(PHOSPHOR_DBUS_INTERFACES_CFLAGS) \
 	$(PHOSPHOR_LOGGING_CFLAGS)
 
-SUBDIRS = test
+SUBDIRS = dist test
 
 if CA_CERT_EXTENSION
 SUBDIRS += bmc-vmi-ca
diff --git a/bmc-vmi-ca/Makefile.am b/bmc-vmi-ca/Makefile.am
index c33f499..c86cacf 100644
--- a/bmc-vmi-ca/Makefile.am
+++ b/bmc-vmi-ca/Makefile.am
@@ -5,11 +5,6 @@
 	ca_cert_entry.hpp \
 	ca_certs_manager.hpp
 
-if HAVE_SYSTEMD
-systemdsystemunit_DATA = \
-	bmc-vmi-ca-manager.service
-endif
-
 bmc_vmi_ca_SOURCES = \
 	mainapp.cpp \
 	ca_cert_entry.cpp \
diff --git a/configure.ac b/configure.ac
index 453daaa..c82ede7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -38,7 +38,29 @@
 AS_IF([test "x$with_systemdsystemunitdir" != "xno"],
       [AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])]
 )
-AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$with_systemdsystemunitdir" != "xno"])
+
+AC_ARG_WITH([dbuspolicydir],
+        AS_HELP_STRING([--with-dbuspolicydir=DIR], [D-Bus policy directory]),
+        [],
+        [with_dbuspolicydir=$($PKG_CONFIG --variable=sysconfdir dbus-1)/dbus-1/system.d])
+AS_IF([test "x$with_dbuspolicydir" != "xno"],
+      [AC_SUBST([dbuspolicydir], [$with_dbuspolicydir])]
+)
+
+AC_ARG_ENABLE([bmcweb-cert-config],
+     AS_HELP_STRING([--enable-bmcweb-cert-config], [Install bmcweb cert configs])
+)
+AM_CONDITIONAL([ENABLE_BMCWEB_CERT_CONFIG], [test "x$enable_bmcweb_cert_config" == "xyes" ])
+
+AC_ARG_ENABLE([nslcd-authority-cert-config],
+     AS_HELP_STRING([--enable-nslcd-authority-cert-config], [Install nslcd authority cert configs])
+)
+AM_CONDITIONAL([ENABLE_NSLCD_AUTHORITY_CERT_CONFIG], [test "x$enable_nslcd_authority_cert_config" == "xyes" ])
+
+AC_ARG_ENABLE([codecoverage],
+     AS_HELP_STRING([--enable-code-coverage], [Enable code coverage checks])
+)
+AM_CONDITIONAL([CODE_COVERAGE_ENABLED], [test "x$enable_codecoverage" == "xyes" ])
 
 # Check for libraries
 AX_CHECK_OPENSSL([], [AC_MSG_ERROR(["openssl required and not found"])])
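Review bot: The default for `with_dbuspolicydir` uses the output of `$PKG_CONFIG --variable=sysconfdir dbus-1` without checking it. If dbus-1.pc is missing or the variable is empty, the directory silently becomes `/dbus-1/system.d`, and the bus ACLs would be installed where the bus daemon presumably never reads them. I would capture the value first and stop when it is empty, e.g. `AS_IF([test -z "$dbus_sysconfdir"], [AC_MSG_ERROR([cannot determine D-Bus sysconfdir; pass --with-dbuspolicydir=DIR])])`. Separately, `AC_ARG_ENABLE([codecoverage]` advertises `--enable-code-coverage` in its help string, but that flag sets `enable_code_coverage`, not the `enable_codecoverage` tested below; the two names should match.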
@@ -196,6 +218,8 @@
 AS_IF([test "x$enable_ca_cert_extension" == "xyes"],
       [AC_CONFIG_FILES([bmc-vmi-ca/Makefile])])
 
+AC_SUBST([dbuspolicydir], [$with_dbuspolicydir])
+
 # Create configured output
-AC_CONFIG_FILES([Makefile test/Makefile])
+AC_CONFIG_FILES([Makefile test/Makefile dist/Makefile])
 AC_OUTPUT
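Review bot: The added `AC_SUBST([dbuspolicydir], [$with_dbuspolicydir])` is unconditional, so it overrides the `AS_IF([test "x$with_dbuspolicydir" != "xno"]` guard introduced in the earlier hunk. With `--with-dbuspolicydir=no`, `dbuspolicydir` would be substituted as the literal `no`, and the policy files would be installed into a relative directory of that name. The guarded substitution already covers the normal case, so this line can be dropped. If the policy directory is mandatory, reject `no` with `AC_MSG_ERROR` instead.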
diff --git a/dist/Makefile.am b/dist/Makefile.am
new file mode 100644
index 0000000..7e33089
--- /dev/null
+++ b/dist/Makefile.am
@@ -0,0 +1,44 @@
+certmgrenvdir=$(datadir)/phosphor-certificate-manager
+
+dbuspolicy_DATA =
+certmgrenv_DATA =
+SYSTEM_UNIT_ALIASES =
+
+systemdsystemunit_DATA = phosphor-certificate-manager@.service
+
+if CA_CERT_EXTENSION
+dbuspolicy_DATA += busconfig/bmc-vmi-ca.conf
+systemdsystemunit_DATA += bmc-vmi-ca-manager.service
+endif
+
+if ENABLE_BMCWEB_CERT_CONFIG
+dbuspolicy_DATA += busconfig/phosphor-bmcweb-cert-config.conf
+certmgrenv_DATA += env/bmcweb
+SYSTEM_UNIT_ALIASES += \
+	../phosphor-certificate-manager@.service multi-user.target.wants/phosphor-certificate-manager@bmcweb.service
+endif
+
+if ENABLE_NSLCD_AUTHORITY_CERT_CONFIG
+dbuspolicy_DATA += busconfig/phosphor-nslcd-authority-cert-config.conf
+certmgrenv_DATA += env/authority
+SYSTEM_UNIT_ALIASES += \
+	../phosphor-certificate-manager@.service multi-user.target.wants/phosphor-certificate-manager@authority.service
+endif
+
+install-aliases-hook:
+	set -- $(SYSTEM_UNIT_ALIASES) && \
+	  dir=$(systemdsystemunitdir) && $(install-aliases)
+
+define install-aliases
+  while [ -n "$$1" ]; do \
+	$(MKDIR_P) `dirname $(DESTDIR)$$dir/$$2` && \
+	rm -f $(DESTDIR)$$dir/$$2 && \
+	$(LN_S) $$1 $(DESTDIR)$$dir/$$2 && \
+	shift 2 || exit $$?; \
+  done
+endef
+
+INSTALL_DATA_HOOKS = \
+	install-aliases-hook
+
+install-data-hook: $(INSTALL_DATA_HOOKS)
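Review bot: `install-aliases-hook` expands `$(systemdsystemunitdir)` without checking that it is set, and this commit removes the `HAVE_SYSTEMD` conditional that used to guard unit installation. After `--with-systemdsystemunitdir=no` the variable is presumably empty, so the loop would run `rm -f` and `$(LN_S)` under `$(DESTDIR)/multi-user.target.wants/`. I would fail early with `dir='$(systemdsystemunitdir)' && test -n "$$dir" && $(install-aliases)` and quote `"$(DESTDIR)$$dir/$$2"` inside `install-aliases`. There is also no matching `uninstall-hook`, so `make uninstall` leaves the symlinks behind.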
diff --git a/bmc-vmi-ca/bmc-vmi-ca-manager.service b/dist/bmc-vmi-ca-manager.service
similarity index 95%
rename from bmc-vmi-ca/bmc-vmi-ca-manager.service
rename to dist/bmc-vmi-ca-manager.service
index 52bba44..83ef6ef 100644
--- a/bmc-vmi-ca/bmc-vmi-ca-manager.service
+++ b/dist/bmc-vmi-ca-manager.service
@@ -5,6 +5,7 @@
 ExecStart=/usr/bin/env bmc-vmi-ca
 SyslogIdentifier=bmc-vmi-ca
 Restart=always
+UMask=0007
 
 Type=dbus
 BusName=xyz.openbmc_project.Certs.ca.authority.Manager
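Review bot: `UMask=0007` removes access for "other" but makes every file the service creates group-readable and group-writable, and no `User=` or `Group=` appears in the visible lines to say which group that is. The unit's header is outside this hunk, so this may be set elsewhere. For a service that writes certificate material, I would add a comment naming the group that is meant to share these files, e.g. `# UMask=0007: files are shared with group <placeholder-group>; use 0077 if no group access is needed`. The same applies to the `UMask=0007` line in the new `dist/phosphor-certificate-manager@.service`.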
diff --git a/dist/busconfig/bmc-vmi-ca.conf b/dist/busconfig/bmc-vmi-ca.conf
new file mode 100644
index 0000000..cb5af88
--- /dev/null
+++ b/dist/busconfig/bmc-vmi-ca.conf
@@ -0,0 +1,8 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <policy user="root">
+    <allow own="xyz.openbmc_project.Certs.ca.authority.Manager"/>
+    <allow send_destination="xyz.openbmc_project.Certs.ca.authority.Manager"/>
+  </policy>
+</busconfig>
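Review bot: The policy grants both `own` and `send_destination` only to `user="root"`, and nothing in the file records that this is a deliberate starting point for the privilege separation work named in the commit message. A short XML comment above `<policy user="root">` would help, stating that ownership and callers are root-only today and that both rules must be revisited if the daemon or its clients move to a dedicated account. Otherwise a later change to the service user fails at bus-name acquisition with no hint why. The same applies to `phosphor-bmcweb-cert-config.conf` and `phosphor-nslcd-authority-cert-config.conf`.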
diff --git a/dist/busconfig/phosphor-bmcweb-cert-config.conf b/dist/busconfig/phosphor-bmcweb-cert-config.conf
new file mode 100644
index 0000000..4c583df
--- /dev/null
+++ b/dist/busconfig/phosphor-bmcweb-cert-config.conf
@@ -0,0 +1,8 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <policy user="root">
+    <allow own="xyz.openbmc_project.Certs.Manager.Server.Https"/>
+    <allow send_destination="xyz.openbmc_project.Certs.Manager.Server.Https"/>
+  </policy>
+</busconfig>
diff --git a/dist/busconfig/phosphor-nslcd-authority-cert-config.conf b/dist/busconfig/phosphor-nslcd-authority-cert-config.conf
new file mode 100644
index 0000000..7737ffc
--- /dev/null
+++ b/dist/busconfig/phosphor-nslcd-authority-cert-config.conf
@@ -0,0 +1,8 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <policy user="root">
+    <allow own="xyz.openbmc_project.Certs.Manager.Authority.Ldap"/>
+    <allow send_destination="xyz.openbmc_project.Certs.Manager.Authority.Ldap"/>
+  </policy>
+</busconfig>
diff --git a/dist/env/authority b/dist/env/authority
new file mode 100644
index 0000000..d2e8814
--- /dev/null
+++ b/dist/env/authority
@@ -0,0 +1,12 @@
+#REST URI endpoint
+#example: /xyz/openbmc_project/certs/authority/ldap
+ENDPOINT=ldap
+
+#Path for the certificate file
+CERTPATH=/etc/ssl/certs/authority
+
+#Units to restart
+UNIT=bmcweb.service
+
+#Type of service
+TYPE=authority
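Review bot: The comment `#REST URI endpoint` does not match its own example, which is a D-Bus object path, nor the sibling `dist/env/bmcweb`, which labels the same key `#D-Bus object path`. I would use the same wording in both files, e.g. `#D-Bus object path suffix`. `CERTPATH` is described as "Path for the certificate file", but `/etc/ssl/certs/authority` looks like a directory. If it is one, the comment should say so, because the service's umask and the directory's ownership then decide who can add trusted CA certificates.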
diff --git a/dist/env/bmcweb b/dist/env/bmcweb
new file mode 100644
index 0000000..af4899a
--- /dev/null
+++ b/dist/env/bmcweb
@@ -0,0 +1,12 @@
+#D-Bus object path
+#example: /xyz/openbmc_project/certs/server/https
+ENDPOINT=https
+
+#Path for the certificate file
+CERTPATH=/etc/ssl/certs/https/server.pem
+
+#Units to restart
+UNIT=bmcweb.service
+
+#Type of the service client/server
+TYPE=server
diff --git a/dist/phosphor-certificate-manager@.service b/dist/phosphor-certificate-manager@.service
new file mode 100644
index 0000000..3b841fe
--- /dev/null
+++ b/dist/phosphor-certificate-manager@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Phosphor certificate manager for %I
+
+[Service]
+EnvironmentFile=/usr/share/phosphor-certificate-manager/%I
+ExecStart=/usr/bin/env phosphor-certificate-manager --endpoint=${ENDPOINT} --path=${CERTPATH} --unit=${UNIT} --type=${TYPE}
+SyslogIdentifier=phosphor-certificate-manager
+Restart=always
+UMask=0007
+
+[Install]
+WantedBy=multi-user.target
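Review bot: `EnvironmentFile=/usr/share/phosphor-certificate-manager/%I` hard-codes the path, while `dist/Makefile.am` installs the env files to `$(datadir)/phosphor-certificate-manager`. Any build where `datadir` is not `/usr/share` starts the unit without its configuration. Generating the unit from a `.in` template with the configured directory substituted would keep the two in step. `%I` is the unescaped instance name, so an instance containing `-` expands to a path with `/`; `%i` is the safer specifier for a file name. The `${ENDPOINT}`-style expansions in `ExecStart` have no fallback, so a missing env file yields empty option values; a leading comment naming the required keys would make that failure easier to diagnose.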