6896514 tss code doesn't do correct privilege check when using mlock
7162897 tcsd daemon goes into maintenance mode after reboot
--- a/components/trousers/patches/tcsd_svrside.c.patch Mon Apr 23 09:12:44 2012 -0700
+++ b/components/trousers/patches/tcsd_svrside.c.patch Mon Apr 23 09:17:24 2012 -0700
@@ -1,5 +1,5 @@
--- src/tcsd/svrside.c 2010-06-09 13:19:00.000000000 -0700
-+++ src/tcsd/svrside.c 2012-04-11 14:37:28.993408000 -0700
++++ src/tcsd/svrside.c 2012-04-19 11:27:31.232524632 -0700
@@ -27,6 +27,15 @@
#include <arpa/inet.h>
#include <errno.h>
@@ -210,7 +210,7 @@
char *hostname = NULL;
struct passwd *pwd;
struct hostent *client_hostent = NULL;
-@@ -245,26 +418,49 @@
+@@ -245,26 +418,50 @@
if ((result = tcsd_startup()))
return (int)result;
@@ -231,6 +231,7 @@
+ serv_addr.un.sun_family = AF_UNIX;
+ strncpy(serv_addr.un.sun_path, TCSD_DEFAULT_SOCKET,
+ sizeof (serv_addr.un.sun_path));
++ (void) unlink(TCSD_DEFAULT_SOCKET);
+
+ } else { /* TCP socket */
+ sd = socket(AF_INET, SOCK_STREAM, 0);
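Review bot: The added `(void) unlink(TCSD_DEFAULT_SOCKET);` removes whatever is at that path without checking that it is a stale socket, and it discards the result, so any failure other than a missing file only shows up later as "Failed bind". I would `lstat()` the path first and unlink only when `S_ISSOCK(st.st_mode)`, and report the error case with `if (unlink(TCSD_DEFAULT_SOCKET) == -1 && errno != ENOENT)` followed by `LogError("Failed unlink: %s", strerror(errno));`. As written, a second tcsd started while one is already running would presumably take the socket path away from the first instead of failing at bind, so a comment saying whether that is intended would help. Separately, the `strncpy` above copies up to `sizeof (serv_addr.un.sun_path)` bytes and leaves the path unterminated if the constant ever fills the buffer. The enclosing function starts and ends outside this hunk.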
@@ -279,7 +280,7 @@
LogError("Failed bind: %s", strerror(errno));
return -1;
}
-@@ -285,7 +481,6 @@
+@@ -285,7 +482,6 @@
LogError("Failed listen: %s", strerror(errno));
return -1;
}
@@ -287,7 +288,7 @@
if (getenv("TCSD_FOREGROUND") == NULL) {
if (daemon(0, 0) == -1) {
-@@ -295,6 +490,12 @@
+@@ -295,6 +491,12 @@
}
}
@@ -300,7 +301,7 @@
LogInfo("%s: TCSD up and running.", PACKAGE_STRING);
do {
newsd = accept(sd, (struct sockaddr *) &client_addr, &client_len);
-@@ -314,20 +515,22 @@
+@@ -314,20 +516,22 @@
}
LogDebug("accepted socket %i", newsd);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/trousers/patches/tspi_tsp_policy.c.patch Mon Apr 23 09:17:24 2012 -0700
@@ -0,0 +1,40 @@
+--- src/tspi/tsp_policy.c 2010-05-01 19:39:11.000000000 -0700
++++ src/tspi/tsp_policy.c 2012-04-20 18:10:16.757128000 -0700
+@@ -86,15 +86,13 @@
+ int
+ pin_mem(void *addr, size_t len)
+ {
+- /* only root can lock pages into RAM */
+- if (getuid() != (uid_t)0) {
+- LogWarn("Not pinning secrets in memory due to insufficient perms.");
+- return 0;
+- }
+-
+ len += (uintptr_t)addr & PGOFFSET;
+ addr = (void *)((uintptr_t)addr & PGMASK);
+ if (mlock(addr, len) == -1) {
++ if (errno == EPERM) {
++ LogWarn("Not pinning secrets in memory due to insufficient perms.");
++ return 0;
++ }
+ LogError("mlock: %s", strerror(errno));
+ return 1;
+ }
+@@ -105,14 +103,12 @@
+ int
+ unpin_mem(void *addr, size_t len)
+ {
+- /* only root can lock pages into RAM */
+- if (getuid() != (uid_t)0) {
+- return 0;
+- }
+-
+ len += (uintptr_t)addr & PGOFFSET;
+ addr = (void *)((uintptr_t)addr & PGMASK);
+ if (munlock(addr, len) == -1) {
++ if (errno == EPERM) {
++ return 0;
++ }
+ LogError("mlock: %s", strerror(errno));
+ return 1;
+ }
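Review bot: In `pin_mem`, only `EPERM` is mapped to the old "warn and return 0" path, so a non-root caller whose `mlock` fails for a resource reason (for example `EAGAIN`, or `ENOMEM` on systems that enforce a locked-memory limit) now gets `return 1`, where the removed `getuid()` check returned 0. If that change is not intended, widen the test, e.g. `if (errno == EPERM || errno == EAGAIN) {`. The function also deserves a comment saying that 0 does not guarantee the pages are locked, e.g. `/* returns 0 even when the caller lacks the privilege to lock pages; the secret may then be paged out */`, since callers cannot tell the two cases apart and `unpin_mem` takes the same path silently. In `unpin_mem` the error text still reads `"mlock: %s"` although the failing call is `munlock`; `LogError("munlock: %s", strerror(errno));` would make the log unambiguous.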