diff options
author | Vadim Bendebury <vbendeb@chromium.org> | 2018-01-10 11:31:53 -0800 |
---|---|---|
committer | ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> | 2018-02-01 00:48:18 +0000 |
commit | a51551f4da4aeb4c7daf780c522afe3294697592 (patch) | |
tree | ca48285303de4c41f85f7a770d0700055ee10bbd | |
parent | bdd8e5bbf7eec7bb6356e7bd30e07432251c02e6 (diff) | |
download | chrome-ec-a51551f4da4aeb4c7daf780c522afe3294697592.tar.gz |
ccd: do not allow 'unlock' from console unless password is set
CCD management policies explicitly prohibit running the 'unlock'
command from the Cr50 CLI unless CCD password is set.
This patch enforces the policy.
BRANCH=cr50
BUG=b:62537474
TEST=ran the following commands on the Cr50 console:
> ccd
State: Locked
Password: none
...
> ccd unlock
Cann't unlock without password
Access Denied
Usage: ccd [help | ...]
>
Change-Id: I5a14a54049a233e86e097064ff235e9b7a8bbb86
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/861000
Reviewed-by: Randall Spangler <rspangler@chromium.org>
(cherry picked from commit 35c8f62480ec47dac9825e1fc0fdf6a59b47df8f)
Reviewed-on: https://chromium-review.googlesource.com/896782
-rw-r--r-- | common/ccd_config.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/common/ccd_config.c b/common/ccd_config.c index 185b29278a..12885926dd 100644 --- a/common/ccd_config.c +++ b/common/ccd_config.c @@ -1182,8 +1182,13 @@ static int command_ccd_body(int argc, char **argv) /* Commands to set state */ if (!strcasecmp(argv[1], "lock")) return ccd_command_wrapper(0, NULL, CCDV_LOCK); - if (!strcasecmp(argv[1], "unlock")) + if (!strcasecmp(argv[1], "unlock")) { + if (!raw_has_password()) { + ccprintf("Unlock only allowed after password is set\n"); + return EC_ERROR_ACCESS_DENIED; + } return ccd_command_wrapper(argc - 1, argv[2], CCDV_UNLOCK); + } if (!strcasecmp(argv[1], "open")) return ccd_command_wrapper(argc - 1, argv[2], CCDV_OPEN); |