Supply service & busconfig ACLs from the repo.
This change is required as part of the privilege separation work:
https://github.com/openbmc/openbmc/issues/3383
It is also required by the following openbmc meta change:
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/42672
Signed-off-by: Anton D. Kachalov <gmouse@google.com>
Change-Id: Iad476fc32f9df6fe5ceb51e8eea2c798dcc51252
diff --git a/Makefile.am b/Makefile.am
index 7c7271e..1dbd594 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -22,5 +22,28 @@
-DBOOST_SYSTEM_NO_DEPRECATED \
-DBOOST_ERROR_CODE_HEADER_ONLY
+certmgrenvdir=$(datadir)/phosphor-certificate-manager
+dbuspolicy_DATA = phosphor-nslcd-cert-config.conf
+certmgrenv_DATA = nslcd
+SYSTEM_UNIT_ALIASES = \
+ ../phosphor-certificate-manager@.service multi-user.target.wants/phosphor-certificate-manager@nslcd.service
+
SUBDIRS = . phosphor-ldap-mapper phosphor-ldap-config test
+install-aliases-hook:
+ set -- $(SYSTEM_UNIT_ALIASES) && \
+ dir=$(systemdsystemunitdir) && $(install-aliases)
+
+define install-aliases
+ while [ -n "$$1" ]; do \
+ $(MKDIR_P) `dirname $(DESTDIR)$$dir/$$2` && \
+ rm -f $(DESTDIR)$$dir/$$2 && \
+ $(LN_S) $$1 $(DESTDIR)$$dir/$$2 && \
+ shift 2 || exit $$?; \
+ done
+endef
+
+INSTALL_DATA_HOOKS = \
+ install-aliases-hook
+
+install-data-hook: $(INSTALL_DATA_HOOKS)
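Review bot: `install-aliases-hook` uses `$(systemdsystemunitdir)` unconditionally, but the configure.ac hunk in this same commit only substitutes that variable when systemd was found or a directory was passed. With `--without-systemdsystemunitdir`, or when the pkg-config query returns nothing, `dir` is empty and the loop creates `multi-user.target.wants/phosphor-certificate-manager@nslcd.service` directly under `$(DESTDIR)/`. Guard the recipe by starting it with `test -n "$(systemdsystemunitdir)" || exit 0; \`, or fail there instead if the alias is mandatory for the image. The `$(DESTDIR)$$dir/$$2` expansions in `install-aliases` are also unquoted, so a staging path containing whitespace would split the arguments to `rm -f` and `$(LN_S)`; quoting them as `"$(DESTDIR)$$dir/$$2"` avoids that.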
diff --git a/configure.ac b/configure.ac
index 43a4869..c30e109 100644
--- a/configure.ac
+++ b/configure.ac
@@ -63,6 +63,33 @@
AC_SUBST([OESDK_TESTCASE_FLAGS], [$testcase_flags])
)
+AC_ARG_WITH([systemdsystemunitdir],
+ [AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files])],
+ [],
+ [with_systemdsystemunitdir=auto]
+)
+AS_IF([test "x$with_systemdsystemunitdir" = "xyes" -o "x$with_systemdsystemunitdir" = "xauto"],
+ [def_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
+ AS_IF([test "x$def_systemdsystemunitdir" = "x"],
+ [AS_IF([test "x$with_systemdsystemunitdir" = "xyes"],
+ [AC_MSG_ERROR([systemd support requested but pkg-config unable to query systemd package])]
+ )
+ with_systemdsystemunitdir=no],
+ [with_systemdsystemunitdir="$def_systemdsystemunitdir"]
+ )]
+)
+AS_IF([test "x$with_systemdsystemunitdir" != "xno"],
+ [AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])]
+)
+
+AC_ARG_WITH([dbuspolicydir],
+ AS_HELP_STRING([--with-dbuspolicydir=DIR], [D-Bus policy directory]),
+ [],
+ [with_dbuspolicydir=$($PKG_CONFIG --variable=sysconfdir dbus-1)/dbus-1/system.d])
+AS_IF([test "x$with_dbuspolicydir" != "xno"],
+ [AC_SUBST([dbuspolicydir], [$with_dbuspolicydir])]
+)
+
AC_ARG_VAR(LDAP_CONFIG_FILE, [Path of LDAP configuration file])
AS_IF([test "x$LDAP_CONFIG_FILE" == "x"], [LDAP_CONFIG_FILE="/etc/nslcd.conf"])
AC_DEFINE_UNQUOTED([LDAP_CONFIG_FILE], ["$LDAP_CONFIG_FILE"], [Path of LDAP configuration file])
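Review bot: The default for `--with-dbuspolicydir` concatenates the pkg-config result with `/dbus-1/system.d` without checking that the query returned anything. If `dbus-1.pc` is missing, or `$PKG_CONFIG` is unset (its initialisation is not visible in this hunk), the policy file is silently installed to `/dbus-1/system.d`. The bus daemon would presumably not read it there, so the failure would only show up at runtime as a refused name request. The systemd block just above already handles an empty result, and the same pattern fits here: `def_dbussysconfdir=$($PKG_CONFIG --variable=sysconfdir dbus-1)` followed by `AS_IF([test "x$def_dbussysconfdir" = "x"], [AC_MSG_ERROR([cannot query dbus-1 sysconfdir; pass --with-dbuspolicydir=DIR])])`. Separately, `test ... -o ...` in the systemd check is not portable across shells; two `test` calls joined with `||` are the usual autoconf form.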
diff --git a/nslcd b/nslcd
new file mode 100644
index 0000000..8ac1bf7
--- /dev/null
+++ b/nslcd
@@ -0,0 +1,9 @@
+#REST URI endpoint
+#example: /xyz/openbmc_project/certs/client/ldap
+ENDPOINT=ldap
+
+#Path for the certificate file
+CERTPATH=/etc/nslcd/certs/cert.pem
+
+#Type of the service client/server
+TYPE=client
diff --git a/phosphor-nslcd-cert-config.conf b/phosphor-nslcd-cert-config.conf
new file mode 100644
index 0000000..6e8d9f5
--- /dev/null
+++ b/phosphor-nslcd-cert-config.conf
@@ -0,0 +1,8 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <policy user="root">
+ <allow own="xyz.openbmc_project.Certs.Manager.Client.Ldap"/>
+ <allow send_destination="xyz.openbmc_project.Certs.Manager.Client.Ldap"/>
+ </policy>
+</busconfig>
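Review bot: The policy grants `own` and `send_destination` for `xyz.openbmc_project.Certs.Manager.Client.Ldap` to `root` only, and nothing in the file says which unit claims that name or why root is the only principal. The commit message ties this change to privilege separation, so if the certificate-manager instance is later moved to a dedicated account, this file must change in the same step or the service will be refused the name. A comment above the `<policy>` element would make that coupling visible, for example `<!-- Name claimed by phosphor-certificate-manager@nslcd.service; this file allows only root to own it or send to it. Update together with the unit's User= setting. -->`. Whether other users can still reach the name depends on the system bus defaults on the target image, which are not visible here.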