authorDaiki Ueno <dueno@redhat.com>2018-01-19 15:22:16 +0100
committerDaiki Ueno <ueno@gnu.org>2018-02-05 10:49:35 +0100
commit9616790b9ad4147acd5b11de11d6d79bc9ad807f (patch)
tree01041110e78ded2799fc4e26607ba21a618ca5d2 /trust/module.c
parent49d2ededb64197702a8708cb4a453497bc7eaecd (diff)
trust: Forcibly mark "Default Trust" read-only
The "Default Trust" token is typically mounted as $datadir, which is considered read-only on modern OSes. Suggested by Kai Engert in: https://bugzilla.redhat.com/show_bug.cgi?id=1523630
Diffstat (limited to 'trust/module.c')
-rw-r--r--trust/module.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/trust/module.c b/trust/module.c
index e6fb7a9..e8b7256 100644
--- a/trust/module.c
+++ b/trust/module.c
@@ -198,10 +198,11 @@ create_tokens_inlock (p11_array *tokens,
struct {
const char *prefix;
const char *label;
+ int flags;
} labels[] = {
- { "~/", "User Trust" },
- { DATA_DIR, "Default Trust" },
- { SYSCONFDIR, "System Trust" },
+ { "~/", "User Trust", P11_TOKEN_FLAG_NONE },
+ { P11_DEFAULT_TRUST_PREFIX, "Default Trust", P11_TOKEN_FLAG_WRITE_PROTECTED },
+ { P11_SYSTEM_TRUST_PREFIX, "System Trust", P11_TOKEN_FLAG_NONE },
{ NULL },
};
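Review bot: The new `flags` column in `labels[]` has no comment explaining why only the "Default Trust" row carries `P11_TOKEN_FLAG_WRITE_PROTECTED`; that reasoning currently lives only in the commit message. A short comment above the table would keep it next to the code, for example `/* "Default Trust" normally lives under $datadir, which is treated as read-only, so it is always write-protected */`. It is also worth stating there that rows are matched in order by path prefix, since row order now decides a protection flag as well as a label. `create_tokens_inlock` begins and ends outside this hunk.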
@@ -210,6 +211,7 @@ create_tokens_inlock (p11_array *tokens,
CK_SLOT_ID slot;
const char *path;
const char *label;
+ int flags;
char *alloc;
char *remaining;
char *base;
@@ -236,12 +238,14 @@ create_tokens_inlock (p11_array *tokens,
slot = BASE_SLOT_ID + tokens->num;
label = NULL;
+ flags = P11_TOKEN_FLAG_NONE;
base = NULL;
/* Claim the various labels based on prefix */
for (i = 0; label == NULL && labels[i].prefix != NULL; i++) {
if (strncmp (path, labels[i].prefix, strlen (labels[i].prefix)) == 0) {
label = labels[i].label;
+ flags = labels[i].flags;
labels[i].label = NULL;
}
}
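Review bot: `flags = labels[i].flags;` runs on every prefix match, but the loop stops only once a non-NULL label is found, so a path whose row was already claimed (label set to NULL) keeps looping and ends up with the flags of the last matching row, which may not be the row that supplies its label. If that is intended (a second path under the default-trust prefix stays write-protected), say so in a comment such as `/* flags follow the prefix even when the label has already been claimed */`. The match itself is a plain `strncmp` on the configured string with no path-separator check and no canonicalisation, so a sibling directory sharing the prefix is also marked, and a differently spelled path to the same directory is presumably not. The flag is therefore best documented as a default and not as a substitute for filesystem permissions. The enclosing function starts and ends outside this hunk.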
@@ -252,7 +256,7 @@ create_tokens_inlock (p11_array *tokens,
return_val_if_fail (base != NULL, false);
}
- token = p11_token_new (slot, path, label);
+ token = p11_token_new (slot, path, label, flags);
return_val_if_fail (token != NULL, false);
if (!p11_array_push (tokens, token))