From 9616790b9ad4147acd5b11de11d6d79bc9ad807f Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 19 Jan 2018 15:22:16 +0100 Subject: trust: Forcibly mark "Default Trust" read-only The "Default Trust" token is typically mounted as $datadir, which is considered as read-only on modern OSes. Suggestd by Kai Engert in: https://bugzilla.redhat.com/show_bug.cgi?id=1523630 --- trust/module.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'trust/module.c') diff --git a/trust/module.c b/trust/module.c index e6fb7a9..e8b7256 100644 --- a/trust/module.c +++ b/trust/module.c @@ -198,10 +198,11 @@ create_tokens_inlock (p11_array *tokens, struct { const char *prefix; const char *label; + int flags; } labels[] = { - { "~/", "User Trust" }, - { DATA_DIR, "Default Trust" }, - { SYSCONFDIR, "System Trust" }, + { "~/", "User Trust", P11_TOKEN_FLAG_NONE }, + { P11_DEFAULT_TRUST_PREFIX, "Default Trust", P11_TOKEN_FLAG_WRITE_PROTECTED }, + { P11_SYSTEM_TRUST_PREFIX, "System Trust", P11_TOKEN_FLAG_NONE }, { NULL }, }; @@ -210,6 +211,7 @@ create_tokens_inlock (p11_array *tokens, CK_SLOT_ID slot; const char *path; const char *label; + int flags; char *alloc; char *remaining; char *base; @@ -236,12 +238,14 @@ create_tokens_inlock (p11_array *tokens, slot = BASE_SLOT_ID + tokens->num; label = NULL; + flags = P11_TOKEN_FLAG_NONE; base = NULL; /* Claim the various labels based on prefix */ for (i = 0; label == NULL && labels[i].prefix != NULL; i++) { if (strncmp (path, labels[i].prefix, strlen (labels[i].prefix)) == 0) { label = labels[i].label; + flags = labels[i].flags; labels[i].label = NULL; } } @@ -252,7 +256,7 @@ create_tokens_inlock (p11_array *tokens, return_val_if_fail (base != NULL, false); } - token = p11_token_new (slot, path, label); + token = p11_token_new (slot, path, label, flags); return_val_if_fail (token != NULL, false); if (!p11_array_push (tokens, token)) -- cgit v1.1