trust: Forcibly mark "Default Trust" read-only

The "Default Trust" token is typically mounted as $datadir, which is considered as read-only on modern OSes. Suggestd by Kai Engert in: https://bugzilla.redhat.com/show_bug.cgi?id=1523630
p11-glue · Feb 5, 2018 · 9616790 · 9616790
1 parent 49d2ede
commit 9616790
Show file tree

Hide file tree

Showing 7 changed files with 101 additions and 15 deletions.
diff --git a/trust/Makefile.am b/trust/Makefile.am
@@ -46,6 +46,8 @@ module_LTLIBRARIES += \
 	p11-kit-trust.la
 
 p11_kit_trust_la_CFLAGS = \
+	-DP11_DEFAULT_TRUST_PREFIX=DATA_DIR \
+	-DP11_SYSTEM_TRUST_PREFIX=SYSCONFDIR \
 	$(LIBTASN1_CFLAGS)
 
 p11_kit_trust_la_LIBADD = \
@@ -70,6 +72,8 @@ libtrust_testable_la_LDFLAGS = \
 libtrust_testable_la_SOURCES = $(TRUST_SRCS)
 
 libtrust_testable_la_CFLAGS = \
+	-DP11_DEFAULT_TRUST_PREFIX=\"$(builddir)/trust/default\" \
+	-DP11_SYSTEM_TRUST_PREFIX=\"$(builddir)/trust/system\" \
 	$(LIBTASN1_CFLAGS)
 
 libtrust_testable_la_LIBADD = \
@@ -125,7 +129,7 @@ asn:
 # Tests ----------------------------------------------------------------
 
 trust_CFLAGS = \
-        $(LIBTASN1_CFLAGS) \
+        $(libtrust_testable_la_CFLAGS) \
 	$(NULL)
 
 trust_LIBS = \

diff --git a/trust/frob-token.c b/trust/frob-token.c
@@ -52,7 +52,7 @@ main (int argc,
 		return 2;
 	}
 
-	token = p11_token_new (1, argv[1], "Label");
+	token = p11_token_new (1, argv[1], "Label", P11_TOKEN_FLAG_NONE);
 	count = p11_token_load (token);
 
 	printf ("%d files loaded\n", count);

diff --git a/trust/module.c b/trust/module.c
@@ -198,10 +198,11 @@ create_tokens_inlock (p11_array *tokens,
 	struct {
 		const char *prefix;
 		const char *label;
+		int flags;
 	} labels[] = {
-		{ "~/", "User Trust" },
-		{ DATA_DIR, "Default Trust" },
-		{ SYSCONFDIR, "System Trust" },
+		{ "~/", "User Trust", P11_TOKEN_FLAG_NONE },
+		{ P11_DEFAULT_TRUST_PREFIX, "Default Trust", P11_TOKEN_FLAG_WRITE_PROTECTED },
+		{ P11_SYSTEM_TRUST_PREFIX, "System Trust", P11_TOKEN_FLAG_NONE },
 		{ NULL },
 	};
 
@@ -210,6 +211,7 @@ create_tokens_inlock (p11_array *tokens,
 	CK_SLOT_ID slot;
 	const char *path;
 	const char *label;
+	int flags;
 	char *alloc;
 	char *remaining;
 	char *base;
@@ -236,12 +238,14 @@ create_tokens_inlock (p11_array *tokens,
 			slot = BASE_SLOT_ID + tokens->num;
 
 			label = NULL;
+			flags = P11_TOKEN_FLAG_NONE;
 			base = NULL;
 
 			/* Claim the various labels based on prefix */
 			for (i = 0; label == NULL && labels[i].prefix != NULL; i++) {
 				if (strncmp (path, labels[i].prefix, strlen (labels[i].prefix)) == 0) {
 					label = labels[i].label;
+					flags = labels[i].flags;
 					labels[i].label = NULL;
 				}
 			}
@@ -252,7 +256,7 @@ create_tokens_inlock (p11_array *tokens,
 				return_val_if_fail (base != NULL, false);
 			}
 
-			token = p11_token_new (slot, path, label);
+			token = p11_token_new (slot, path, label, flags);
 			return_val_if_fail (token != NULL, false);
 
 			if (!p11_array_push (tokens, token))

diff --git a/trust/test-module.c b/trust/test-module.c
@@ -315,8 +315,8 @@ test_get_token_info (void)
 
 	memset (&args, 0, sizeof (args));
 	args.pReserved = "paths='" \
-		SYSCONFDIR "/trust/input" P11_PATH_SEP \
-		DATA_DIR "/trust/fixtures/blah" P11_PATH_SEP \
+		P11_SYSTEM_TRUST_PREFIX "/trust/input" P11_PATH_SEP \
+		P11_DEFAULT_TRUST_PREFIX "/trust/fixtures/blah" P11_PATH_SEP \
 		"/some/other/path/the-basename'";
 	args.flags = CKF_OS_LOCKING_OK;
 
@@ -1217,6 +1217,68 @@ test_modify_and_write (void)
 	test_check_attrs (expected, parsed->elem[0]);
 }
 
+static void
+test_token_write_protected (void)
+{
+	CK_C_INITIALIZE_ARGS args;
+	CK_FUNCTION_LIST *module;
+	CK_SLOT_ID slots[NUM_SLOTS];
+	CK_TOKEN_INFO info;
+	char label[32];
+	CK_ULONG count;
+	CK_RV rv;
+	int i;
+
+	/* These are the paths passed in in setup() */
+	const char *labels[] = {
+		"System Trust",
+		"Default Trust",
+		"the-basename",
+	};
+
+	/* This is the entry point of the trust module, linked to this test */
+	rv = C_GetFunctionList (&module);
+	assert (rv == CKR_OK);
+
+	memset (&args, 0, sizeof (args));
+	args.pReserved = "paths='" \
+		P11_SYSTEM_TRUST_PREFIX "/trust/input" P11_PATH_SEP \
+		P11_DEFAULT_TRUST_PREFIX "/trust/fixtures/blah" P11_PATH_SEP \
+		"/some/other/path/the-basename'";
+	args.flags = CKF_OS_LOCKING_OK;
+
+	rv = module->C_Initialize (&args);
+	assert (rv == CKR_OK);
+
+	count = NUM_SLOTS;
+	rv = module->C_GetSlotList (CK_TRUE, slots, &count);
+	assert (rv == CKR_OK);
+	assert (count == NUM_SLOTS);
+
+	for (i = 0; i < NUM_SLOTS; i++) {
+		rv = module->C_GetTokenInfo (slots[i], &info);
+		assert_num_eq (CKR_OK, rv);
+
+		memset (label, ' ', sizeof (label));
+		memcpy (label, labels[i], strlen (labels[i]));
+		assert (memcmp (info.label, label, sizeof (label)) == 0);
+
+		switch (i) {
+		case 0:
+			assert_num_cmp (0, ==, info.flags & CKF_WRITE_PROTECTED);
+			break;
+		case 1:
+			assert_num_cmp (0, !=, info.flags & CKF_WRITE_PROTECTED);
+			break;
+		default:
+			break;
+		}
+	}
+
+	rv = module->C_Finalize (NULL);
+	assert_num_eq (CKR_OK, rv);
+}
+
 int
 main (int argc,
       char *argv[])
@@ -1257,5 +1319,8 @@ main (int argc,
 	p11_test (test_create_and_write, "/module/create-and-write");
 	p11_test (test_modify_and_write, "/module/modify-and-write");
 
+	p11_fixture (NULL, NULL);
+	p11_test (test_token_write_protected, "/module/token-write-protected");
+
 	return p11_test_run (argc, argv);
 }
diff --git a/trust/test-token.c b/trust/test-token.c
@@ -63,7 +63,7 @@ struct {
 static void
 setup (void *path)
 {
-	test.token = p11_token_new (333, path, "Label");
+	test.token = p11_token_new (333, path, "Label", P11_TOKEN_FLAG_NONE);
 	assert_ptr_not_null (test.token);
 
 	test.index = p11_token_index (test.token);
@@ -241,18 +241,18 @@ test_not_writable (void)
 #ifdef OS_UNIX
 	if (getuid () != 0) {
 #endif
-		token = p11_token_new (333, "/", "Label");
+		token = p11_token_new (333, "/", "Label", P11_TOKEN_FLAG_NONE);
 		assert (!p11_token_is_writable (token));
 		p11_token_free (token);
 #ifdef OS_UNIX
 	}
 #endif
 
-	token = p11_token_new (333, "", "Label");
+	token = p11_token_new (333, "", "Label", P11_TOKEN_FLAG_NONE);
 	assert (!p11_token_is_writable (token));
 	p11_token_free (token);
 
-	token = p11_token_new (333, "/non-existant", "Label");
+	token = p11_token_new (333, "/non-existant", "Label", P11_TOKEN_FLAG_NONE);
 	assert (!p11_token_is_writable (token));
 	p11_token_free (token);
 }
@@ -276,7 +276,7 @@ test_writable_no_exist (void)
 	path = p11_path_build (directory, "subdir", NULL);
 	assert (path != NULL);
 
-	token = p11_token_new (333, path, "Label");
+	token = p11_token_new (333, path, "Label", P11_TOKEN_FLAG_NONE);
 	free (path);
 
 	/* A writable directory since parent is writable */

diff --git a/trust/token.c b/trust/token.c
@@ -817,7 +817,8 @@ p11_token_free (p11_token *token)
 p11_token *
 p11_token_new (CK_SLOT_ID slot,
                const char *path,
-               const char *label)
+               const char *label,
+               int flags)
 {
 	p11_token *token;
 
@@ -859,6 +860,12 @@ p11_token_new (CK_SLOT_ID slot,
 
 	token->slot = slot;
 
+	if (flags & P11_TOKEN_FLAG_WRITE_PROTECTED) {
+		token->checked_path = true;
+		token->make_directory = false;
+		token->is_writable = false;
+	}
+
 	load_builtin_objects (token);
 
 	p11_debug ("token: %s: %s", token->label, token->path);

diff --git a/trust/token.h b/trust/token.h
@@ -40,11 +40,17 @@
 #include "parser.h"
 #include "pkcs11.h"
 
+enum {
+	P11_TOKEN_FLAG_NONE = 0,
+	P11_TOKEN_FLAG_WRITE_PROTECTED = 1 << 0,
+};
+
 typedef struct _p11_token p11_token;
 
 p11_token *     p11_token_new         (CK_SLOT_ID slot,
                                        const char *path,
-                                       const char *label);
+                                       const char *label,
+                                       int flags);
 
 void            p11_token_free        (p11_token *token);