Reduce Capabilities set of tef-simulator to none.

Reduce root user. Currently user is the security_fw user and group.
Change ownership of /usr/lib/tastore directory and helloworld TA to security_fw.
Change permissions to user/group/others of helloworld TA and tastore directory.

Change-Id: I6fa65ba97d82784968134be58a60e7a435d90b38

diff --git a/TEECLib/CMakeLists.txt b/TEECLib/CMakeLists.txt
index 94f92c8f00bc3547f2803f238a2a1a46c1d1241f..e604645b50e4ba267f78ee52fbb7a8e92d0e73cf 100644 (file)
--- a/TEECLib/CMakeLists.txt
+++ b/TEECLib/CMakeLists.txt
@@ -17,6 +17,10 @@
 # @brief   CMakeLists for tef-simulator TEE Client library
 #
 
+IF(CMAKE_VERSION VERSION_GREATER "2.8.11")
+  CMAKE_POLICY(SET CMP0022 OLD)
+ENDIF()
+
 FIND_PACKAGE(Threads REQUIRED)
 
 PKG_CHECK_MODULES(TEEC_LIB_DEPS REQUIRED

diff --git a/packaging/tef-simulator-helloworld.spec b/packaging/tef-simulator-helloworld.spec
index c446ff8229a2f1603c06ce87795d44f371eac7ea..ae4b8d48c6b63710762e8af5699e3972d317365f 100644 (file)
--- a/packaging/tef-simulator-helloworld.spec
+++ b/packaging/tef-simulator-helloworld.spec
@@ -50,5 +50,5 @@ make install
 %postun
 
 %files -n %{name}
-%{bin_dir}/tef-simulator-helloworld
-%{tastore_dir}/00000000000000000000112233445566
+%attr(111,security_fw,security_fw) %{bin_dir}/tef-simulator-helloworld
+%attr(444,security_fw,security_fw) %{tastore_dir}/00000000000000000000112233445566

diff --git a/packaging/tef-simulator.spec b/packaging/tef-simulator.spec
index f7fb58622ba8857d4e1823adde876e4a90f2a4ba..7d3ea0c4f3eceb208fa7f8c723b8a5e02eccea40 100644 (file)
--- a/packaging/tef-simulator.spec
+++ b/packaging/tef-simulator.spec
@@ -31,7 +31,6 @@ PreReq: tef-libteec
 %define build_lib_dir %{buildroot}%{lib_dir}
 %define build_data_dir %{buildroot}%{data_dir}
 %define build_include_dir %{buildroot}%{include_dir}
-%define build_tastore_dir %{buildroot}%{tastore_dir}
 %define build_unit_dir %{buildroot}%{_unitdir}
 
 %define smack_domain_name System
@@ -76,7 +75,6 @@ cmake . \
         -DLIB_DIR=%{build_lib_dir} \
         -DDATA_DIR=%{build_data_dir} \
         -DINCLUDE_DIR=%{build_include_dir} \
-        -DTASTORE_DIR=%{build_tastore_dir} \
         -DSYSTEMD_UNIT_DIR=%{build_unit_dir} \
         -DSYSTEMD_CFG_BIN_DIR=%{bin_dir} \
         -DPKGCFG_LIB_DIR=%{lib_dir} \
@@ -92,21 +90,32 @@ make install
 %pre
 
 %post
+mkdir -p %{tastore_dir}
+chown root:security_fw %{tastore_dir}
+chmod 770 %{tastore_dir}
+systemctl enable tef-simulator
+
+%post -n %{name}-client
+tef-update.sh simulator
 
 %preun
 
 %postun
-tef-update.sh
+
+%postun -n %{name}-client
+if [ $1 = 0 ] ; then
+    tef-update.sh
+fi
 
 %files -n %{name}
-%{bin_dir}/tef-simulator-daemon
+%attr(111,security_fw,security_fw) %{bin_dir}/tef-simulator-daemon
 %{lib_dir}/libtef-simulator-ssflib.so
-%{_unitdir}/tef-simulator.service
-%{_unitdir}/tef-simulator.socket
-%{_unitdir}/tef-simulator.target
+%attr(444,security_fw,security_fw) %{_unitdir}/tef-simulator.service
+%attr(444,security_fw,security_fw) %{_unitdir}/tef-simulator.target
+%attr(444,security_fw,security_fw) %{_unitdir}/tef-simulator.socket
 
 %files -n %{name}-client
-%{lib_dir}/tef/simulator
+%attr(111,security_fw,security_fw) %{lib_dir}/tef/simulator/libteec.so
 
 %files -n %{name}-devkit
 %{bin_dir}/TA_PackageBuilder.sh

diff --git a/simulatordaemon/src/TABinaryManager/TABinaryManager.cpp b/simulatordaemon/src/TABinaryManager/TABinaryManager.cpp
index d7b3b79b2773af292ef212aff0237597e27d6319..f0cae26ecb4ac46e08ea58b640615f00ee4e23d8 100644 (file)
--- a/simulatordaemon/src/TABinaryManager/TABinaryManager.cpp
+++ b/simulatordaemon/src/TABinaryManager/TABinaryManager.cpp
@@ -190,9 +190,9 @@ bool TABinaryManager::initTAatPath(const string &path, const string &uuid) {
  */
 void TABinaryManager::decryptImage(StructBinaryInfo& info) {
        string cipher = "-aes-256-cbc";
-       string secret = base64_decode (info.manifest.taencryption.model.plainkeydata);
+       string secret = base64_decode(info.manifest.taencryption.model.plainkeydata);
        string keyhashFilename = info.imagePath + ".keyhash";
-       secret.erase(secret.size()-2);
+       secret.erase(secret.size() - 2);
        string keyHash = "echo -n " + secret + " | openssl dgst -sha256 | awk '{print $2}' > " + keyhashFilename;
        int result = system(keyHash.c_str());
        if (result != 0) {

diff --git a/systemd/tef-simulator.service.in b/systemd/tef-simulator.service.in
index 4c55561ad83973e44c2242b48befb0a9cd9ccf28..85496a0bcfb5c9c9d44ed5e5a8f732c290c1c0e7 100644 (file)
--- a/systemd/tef-simulator.service.in
+++ b/systemd/tef-simulator.service.in
@@ -3,8 +3,9 @@ Description=TEF Simulator Daemon
 DefaultDependencies=no
 
 [Service]
-User=root
-Group=root
+User=security_fw
+Group=security_fw
+CapabilityBoundingSet=
 SmackProcessLabel=@SMACK_DOMAIN_NAME@
 ExecStart=@SYSTEMD_CFG_BIN_DIR@/tef-simulator-daemon
 Sockets=tef-simulator.socket