Supply service & busconfig ACLs from the repo.
This change required as a part of privilege separation work:
https://github.com/openbmc/openbmc/issues/3383
Dependant meta-phosphor change:
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41430
Signed-off-by: Anton D. Kachalov <gmouse@google.com>
Change-Id: Ic0b1b57f8a088defe096f1ab793efa1f015ca5be
diff --git a/dist/Makefile.am b/dist/Makefile.am
new file mode 100644
index 0000000..7e33089
--- /dev/null
+++ b/dist/Makefile.am
@@ -0,0 +1,44 @@
+certmgrenvdir=$(datadir)/phosphor-certificate-manager
+
+dbuspolicy_DATA =
+certmgrenv_DATA =
+SYSTEM_UNIT_ALIASES =
+
+systemdsystemunit_DATA = phosphor-certificate-manager@.service
+
+if CA_CERT_EXTENSION
+dbuspolicy_DATA += busconfig/bmc-vmi-ca.conf
+systemdsystemunit_DATA += bmc-vmi-ca-manager.service
+endif
+
+if ENABLE_BMCWEB_CERT_CONFIG
+dbuspolicy_DATA += busconfig/phosphor-bmcweb-cert-config.conf
+certmgrenv_DATA += env/bmcweb
+SYSTEM_UNIT_ALIASES += \
+ ../phosphor-certificate-manager@.service multi-user.target.wants/phosphor-certificate-manager@bmcweb.service
+endif
+
+if ENABLE_NSLCD_AUTHORITY_CERT_CONFIG
+dbuspolicy_DATA += busconfig/phosphor-nslcd-authority-cert-config.conf
+certmgrenv_DATA += env/authority
+SYSTEM_UNIT_ALIASES += \
+ ../phosphor-certificate-manager@.service multi-user.target.wants/phosphor-certificate-manager@authority.service
+endif
+
+install-aliases-hook:
+ set -- $(SYSTEM_UNIT_ALIASES) && \
+ dir=$(systemdsystemunitdir) && $(install-aliases)
+
+define install-aliases
+ while [ -n "$$1" ]; do \
+ $(MKDIR_P) `dirname $(DESTDIR)$$dir/$$2` && \
+ rm -f $(DESTDIR)$$dir/$$2 && \
+ $(LN_S) $$1 $(DESTDIR)$$dir/$$2 && \
+ shift 2 || exit $$?; \
+ done
+endef
+
+INSTALL_DATA_HOOKS = \
+ install-aliases-hook
+
+install-data-hook: $(INSTALL_DATA_HOOKS)
diff --git a/dist/bmc-vmi-ca-manager.service b/dist/bmc-vmi-ca-manager.service
new file mode 100644
index 0000000..83ef6ef
--- /dev/null
+++ b/dist/bmc-vmi-ca-manager.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=BMC VMI CA authority manager
+
+[Service]
+ExecStart=/usr/bin/env bmc-vmi-ca
+SyslogIdentifier=bmc-vmi-ca
+Restart=always
+UMask=0007
+
+Type=dbus
+BusName=xyz.openbmc_project.Certs.ca.authority.Manager
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dist/busconfig/bmc-vmi-ca.conf b/dist/busconfig/bmc-vmi-ca.conf
new file mode 100644
index 0000000..cb5af88
--- /dev/null
+++ b/dist/busconfig/bmc-vmi-ca.conf
@@ -0,0 +1,8 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <policy user="root">
+ <allow own="xyz.openbmc_project.Certs.ca.authority.Manager"/>
+ <allow send_destination="xyz.openbmc_project.Certs.ca.authority.Manager"/>
+ </policy>
+</busconfig>
diff --git a/dist/busconfig/phosphor-bmcweb-cert-config.conf b/dist/busconfig/phosphor-bmcweb-cert-config.conf
new file mode 100644
index 0000000..4c583df
--- /dev/null
+++ b/dist/busconfig/phosphor-bmcweb-cert-config.conf
@@ -0,0 +1,8 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <policy user="root">
+ <allow own="xyz.openbmc_project.Certs.Manager.Server.Https"/>
+ <allow send_destination="xyz.openbmc_project.Certs.Manager.Server.Https"/>
+ </policy>
+</busconfig>
diff --git a/dist/busconfig/phosphor-nslcd-authority-cert-config.conf b/dist/busconfig/phosphor-nslcd-authority-cert-config.conf
new file mode 100644
index 0000000..7737ffc
--- /dev/null
+++ b/dist/busconfig/phosphor-nslcd-authority-cert-config.conf
@@ -0,0 +1,8 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <policy user="root">
+ <allow own="xyz.openbmc_project.Certs.Manager.Authority.Ldap"/>
+ <allow send_destination="xyz.openbmc_project.Certs.Manager.Authority.Ldap"/>
+ </policy>
+</busconfig>
diff --git a/dist/env/authority b/dist/env/authority
new file mode 100644
index 0000000..d2e8814
--- /dev/null
+++ b/dist/env/authority
@@ -0,0 +1,12 @@
+#REST URI endpoint
+#example: /xyz/openbmc_project/certs/authority/ldap
+ENDPOINT=ldap
+
+#Path for the certificate file
+CERTPATH=/etc/ssl/certs/authority
+
+#Units to restart
+UNIT=bmcweb.service
+
+#Type of service
+TYPE=authority
diff --git a/dist/env/bmcweb b/dist/env/bmcweb
new file mode 100644
index 0000000..af4899a
--- /dev/null
+++ b/dist/env/bmcweb
@@ -0,0 +1,12 @@
+#D-Bus object path
+#example: /xyz/openbmc_project/certs/server/https
+ENDPOINT=https
+
+#Path for the certificate file
+CERTPATH=/etc/ssl/certs/https/server.pem
+
+#Units to restart
+UNIT=bmcweb.service
+
+#Type of the service client/server
+TYPE=server
diff --git a/dist/phosphor-certificate-manager@.service b/dist/phosphor-certificate-manager@.service
new file mode 100644
index 0000000..3b841fe
--- /dev/null
+++ b/dist/phosphor-certificate-manager@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Phosphor certificate manager for %I
+
+[Service]
+EnvironmentFile=/usr/share/phosphor-certificate-manager/%I
+ExecStart=/usr/bin/env phosphor-certificate-manager --endpoint=${ENDPOINT} --path=${CERTPATH} --unit=${UNIT} --type=${TYPE}
+SyslogIdentifier=phosphor-certificate-manager
+Restart=always
+UMask=0007
+
+[Install]
+WantedBy=multi-user.target