From 248c983852f25725c3be1f72a20fd29530f03e68 Mon Sep 17 00:00:00 2001
From: Wojciech Chrobot
Date: Thu, 5 Oct 2017 15:32:48 +0200
Subject: [PATCH] Reduce Capabilities set of tef-simulator to none. Reduce root user. Currently user is the security_fw user and group. Change ownership of /usr/lib/tastore directory and helloworld TA to security_fw. Change permissions to user/group/others of helloworld TA and tastore directory.
Change-Id: I6fa65ba97d82784968134be58a60e7a435d90b38
---
 TEECLib/CMakeLists.txt | 4 +++
 packaging/tef-simulator-helloworld.spec | 4 +--
 packaging/tef-simulator.spec | 25 +++++++++++++------
 .../src/TABinaryManager/TABinaryManager.cpp | 4 +--
 systemd/tef-simulator.service.in | 5 ++--
 5 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/TEECLib/CMakeLists.txt b/TEECLib/CMakeLists.txt
index 94f92c8..e604645 100644
--- a/TEECLib/CMakeLists.txt
+++ b/TEECLib/CMakeLists.txt
@@ -17,6 +17,10 @@
 # @brief CMakeLists for tef-simulator TEE Client library
 #
+IF(CMAKE_VERSION VERSION_GREATER "2.8.11")
+ CMAKE_POLICY(SET CMP0022 OLD)
+ENDIF()
+
 FIND_PACKAGE(Threads REQUIRED)
 PKG_CHECK_MODULES(TEEC_LIB_DEPS REQUIRED
diff --git a/packaging/tef-simulator-helloworld.spec b/packaging/tef-simulator-helloworld.spec
index c446ff8..ae4b8d4 100644
--- a/packaging/tef-simulator-helloworld.spec
+++ b/packaging/tef-simulator-helloworld.spec
@@ -50,5 +50,5 @@ make install
 %postun
 %files -n %{name}
-%{bin_dir}/tef-simulator-helloworld
-%{tastore_dir}/00000000000000000000112233445566
+%attr(111,security_fw,security_fw) %{bin_dir}/tef-simulator-helloworld
+%attr(444,security_fw,security_fw) %{tastore_dir}/00000000000000000000112233445566
diff --git a/packaging/tef-simulator.spec b/packaging/tef-simulator.spec
index f7fb586..7d3ea0c 100644
--- a/packaging/tef-simulator.spec
+++ b/packaging/tef-simulator.spec
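Review bot: `CMAKE_POLICY(SET CMP0022 OLD)` pins the pre-2.8.12 link-interface behaviour for the whole TEECLib directory instead of fixing the target_link_libraries usage that triggers the CMP0022 warning, and the commit message says nothing about this build change. OLD policy settings are deprecated and eventually removed by CMake, so the block should at least name what it is working around, e.g. `# CMP0022 OLD: keep LINK_INTERFACE_LIBRARIES semantics for <TARGET> until its target_link_libraries call uses PUBLIC/PRIVATE keywords`. Which target depends on it is not visible in the hunk.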
@@ -31,7 +31,6 @@ PreReq: tef-libteec
 %define build_lib_dir %{buildroot}%{lib_dir}
 %define build_data_dir %{buildroot}%{data_dir}
 %define build_include_dir %{buildroot}%{include_dir}
-%define build_tastore_dir %{buildroot}%{tastore_dir}
 %define build_unit_dir %{buildroot}%{_unitdir}
 %define smack_domain_name System
@@ -76,7 +75,6 @@ cmake . \
 -DLIB_DIR=%{build_lib_dir} \
 -DDATA_DIR=%{build_data_dir} \
 -DINCLUDE_DIR=%{build_include_dir} \
- -DTASTORE_DIR=%{build_tastore_dir} \
 -DSYSTEMD_UNIT_DIR=%{build_unit_dir} \
 -DSYSTEMD_CFG_BIN_DIR=%{bin_dir} \
 -DPKGCFG_LIB_DIR=%{lib_dir} \
@@ -92,21 +90,32 @@ make install
 %pre
 %post
+mkdir -p %{tastore_dir}
+chown root:security_fw %{tastore_dir}
+chmod 770 %{tastore_dir}
+systemctl enable tef-simulator
+
+%post -n %{name}-client
+tef-update.sh simulator
 %preun
 %postun
-tef-update.sh
+
+%postun -n %{name}-client
+if [ $1 = 0 ] ; then
+ tef-update.sh
+fi
 %files -n %{name}
-%{bin_dir}/tef-simulator-daemon
+%attr(111,security_fw,security_fw) %{bin_dir}/tef-simulator-daemon
 %{lib_dir}/libtef-simulator-ssflib.so
-%{_unitdir}/tef-simulator.service
-%{_unitdir}/tef-simulator.socket
-%{_unitdir}/tef-simulator.target
+%attr(444,security_fw,security_fw) %{_unitdir}/tef-simulator.service
+%attr(444,security_fw,security_fw) %{_unitdir}/tef-simulator.target
+%attr(444,security_fw,security_fw) %{_unitdir}/tef-simulator.socket
 %files -n %{name}-client
-%{lib_dir}/tef/simulator
+%attr(111,security_fw,security_fw) %{lib_dir}/tef/simulator/libteec.so
 %files -n %{name}-devkit
 %{bin_dir}/TA_PackageBuilder.sh
diff --git a/simulatordaemon/src/TABinaryManager/TABinaryManager.cpp b/simulatordaemon/src/TABinaryManager/TABinaryManager.cpp
index d7b3b79..f0cae26 100644
--- a/simulatordaemon/src/TABinaryManager/TABinaryManager.cpp
+++ b/simulatordaemon/src/TABinaryManager/TABinaryManager.cpp
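Review bot: `%attr(111,security_fw,security_fw) %{lib_dir}/tef/simulator/libteec.so` in the third hunk leaves the shared library without a read bit for anyone, its owner included; unlike an executable, a shared object is opened for reading and mapped by the dynamic loader, so every non-root client process will fail to load it once `tef-update.sh simulator` selects it. It needs a mode that carries read permission, e.g. `%attr(755,security_fw,security_fw) %{lib_dir}/tef/simulator/libteec.so`. Separately, creating %{tastore_dir} with `mkdir`/`chown`/`chmod` in `%post` leaves the directory unowned by rpm (not checked by `rpm -V`, not removed on erase), and if the helloworld package lands before this `%post` runs, rpm creates the directory itself with default permissions and the 444 TA image inside it is readable by everyone until then; listing it in `%files -n %{name}` as `%dir %attr(770,root,security_fw) %{tastore_dir}` fixes both and replaces the three scriptlet lines. Note also that `%{lib_dir}/tef/simulator` itself becomes an unowned directory once only the file inside it is listed.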
@@ -190,9 +190,9 @@ bool TABinaryManager::initTAatPath(const string &path, const string &uuid) {
 */
 void TABinaryManager::decryptImage(StructBinaryInfo& info) {
 string cipher = "-aes-256-cbc";
- string secret = base64_decode (info.manifest.taencryption.model.plainkeydata);
+ string secret = base64_decode(info.manifest.taencryption.model.plainkeydata);
 string keyhashFilename = info.imagePath + ".keyhash";
- secret.erase(secret.size()-2);
+ secret.erase(secret.size() - 2);
 string keyHash = "echo -n " + secret + " | openssl dgst -sha256 | awk '{print $2}' > " + keyhashFilename;
 int result = system(keyHash.c_str());
 if (result != 0) {
diff --git a/systemd/tef-simulator.service.in b/systemd/tef-simulator.service.in
index 4c55561..85496a0 100644
--- a/systemd/tef-simulator.service.in
+++ b/systemd/tef-simulator.service.in
@@ -3,8 +3,9 @@ Description=TEF Simulator Daemon
 DefaultDependencies=no
 [Service]
-User=root
-Group=root
+User=security_fw
+Group=security_fw
+CapabilityBoundingSet=
 SmackProcessLabel=@SMACK_DOMAIN_NAME@
 ExecStart=@SYSTEMD_CFG_BIN_DIR@/tef-simulator-daemon
 Sockets=tef-simulator.socket
--
2.34.1
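Review bot: The reformatted `secret` is still spliced unquoted into a shell command two lines below (`string keyHash = "echo -n " + secret + ...` followed by `system(keyHash.c_str())`), so the decoded key material is interpreted by the shell and appears in the child's command line, which is visible in the process list for as long as it runs; this hunk only restyles those lines, but it is the place to fix them. Compute the SHA-256 in-process and write the hex digest with `std::ofstream` instead of going through `system()` — the daemon already relies on OpenSSL via the CLI, so linking libcrypto and calling `EVP_Digest` is the natural replacement, though whether libcrypto is available to this target is not visible here. `secret.erase(secret.size() - 2)` also assumes at least two decoded bytes; with a shorter `secret`, `size() - 2` wraps and `erase` throws `std::out_of_range`, so guard it with `if (secret.size() < 2) { /* reject the manifest */ }` before the erase. decryptImage continues outside the hunk.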
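Review bot: `CapabilityBoundingSet=` together with the new non-root `User=` empties the daemon's capability set, but nothing stops the process from regaining privilege through a setuid or file-capability binary, and the daemon does execute children via `system()` (TABinaryManager.cpp in this patch). Add `NoNewPrivileges=yes` beside the new directive so the bounding set cannot be re-acquired by anything the daemon runs. tef-simulator.socket is not part of this patch, so its ownership and mode settings should be checked against the new user rather than assumed.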