Replace the hardcoded install path in src/selinux/swtpm.fc and
src/selinux/swtpmcuse.fc with @prefix@ and append .in to these files so
that they are generated when running configure.
Add the selinux policy input files with their suffix to the CLEANFILES
variable so they get cleaned up and 'make distcheck' works.
Resolves: https://github.com/stefanberger/swtpm/issues/711
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Move content of swtpm-localca(8) manual page to swtpm_localca(8)
and make swtpm-localca(8) an alias for swtpm_localca(8), mirroring
the fact that /usr/bin/swtpm_localca is the actual program and
/usr/share/swtpm/swtpm-localca a wrapper for it.
- Change references to `swtpm-localca` in manual pages' content to
`swtpm_localca`, reflecting the actual name of the program they are
meant to document.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
- Move swtpm_localca's sources out of samples/ (where they no longer
belong now that swtpm_localca is a binary) to src/swtpm_localca/.
- Tests now call the swtpm_localca binary directly at the location
where it was built, as they do with all other compiled programs.
- Simplify samples/swtpm-localca.in and delete swtpm-localca.2inst,
removing the now-unnecessary logic to selectively call swtpm_localca
from different locations (samples/ when running tests vs. /usr/bin/
post-installation).
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
- Makes swtpm_setup.conf.in consistent with the rest of the sample
configuration files in swtpm, whose templates ship in samples/ and
install the generated files to /etc.
- Works around dh_missing(1) erroneously reporting swtpm_setup.conf as
non-installed due to its having two copies in the build tree (one in
etc/ and another in debian/tmp/etc/).
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Even though swtpm.spec is an auto-generated file, the author would
like to keep it in the repository for ease of installing dependencies
during development. As long as the file is meant to be versioned, it
should not be in .gitignore. Discussion for context:
https://github.com/stefanberger/swtpm/pull/496#issuecomment-884432135
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Use a different script for local testing that what is installed into
/usr/share/swtpm/swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace the binary swtpm_localca with a script that now calls the binary
swtpm-localca, which is to be installed in $bindir.
So that we can use this for script for calling swtpm-localca during testing
(when it is not installed), write the script in such a way that it de-
termines whether there's swtpm-localca in the same directory and if not call
it from ${bindir}/swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Having the spec file in the top-level directory of the dist
archive makes it possible to build rpms with a single,
convenient command.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Configure generates include/swtpm/tpm_ioctl.h.gch when trying
to figure out which hardening options can be enabled.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
This is a 1:1 rewrite of swtpm_localca in 'C' as a final step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent),
Fedora 28 PPC Big Endian
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This is a 1:1 rewrite of swtpm_setup in 'C' as a first step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of the 'c' code that only changed the user and add for support of
the --runas option to change to a different user in the python part.
To get 'make distcheck' to work I needed to name the swtpm_setup python
script with the suffix .in so that it gets copied to the build directory
as swtpm_setup. We need to change execute permissions on this file after
copying.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Rewrite swtpm_setup.sh in python. Use a permanent connection from the
tool to swtpm via passing file descriptors of a unix socketpair. Implement
all functionality in python so that we don't rely on trousers and tpm-tools
for swtpm_setup. This now allows any user to setup a TPM 1.2 whereas before
it had to be root or the tss user.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Extend swtpm_setup.pod showing swtpm-create-user-config-files usage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a post install script for swtpm-tools that creates
the /var/lib/swtpm-localca directory and changes ownersip
on it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the project is configured with --prefix=/usr/local several configuration
files are installed to /usr/local/etc but not read by the programs that
need them. This patch fixes this issue by replacing @SYSCONFDIR@ in the source
code of those files with the actual used path.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace the previously used swtpmcuse_svirt type of policy with
swtpm_svirt. This policy contains the minimum set of rules necessary
to start swtpm from within libvirt.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Update the SELinux for swtpm so that swtpm can be launched from
libvirtd and QEMU can access swtpm's UnixIO socket and talk to it.
Use this as follows:
> cd src/selinux
> make clean all
> semodule -i *.pp
> restorecon /usr/bin/swtpm*
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add debian build files to enable building of Debian package using for exampl
debuild -b or dpkg-buildpackage -us -uc
Extend the .gitignore.
The debhelper checks show warnings and errors that will need to be addressed
some other time. For some I don't know how to solve them at the moment.
Signed-off-by: Stefan Berger <stefanb@linux.watson.ibm.com>
Move src/swtpm/swtpm.h.in to include/swtpm.h.in to make it commonly
available. Adapt all other programs to use it and display version information
in the help screen.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Remove the hardcodes tss user and group and to configure with
--with-tss-user=tss --with-tss-group=tss to set the tss user
and group to be used.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
