services/mgmt/device: Separate Claimability from device operation.

Prior to this commit, a device would allow all operations before being
claimed. This means that an attacker could install a malicious
application on a device before the legitimate owner claimed it.

This commit changes the device structure so that:
(a) The device services are not functional till the device has been
Claimed.
(b) A device can be successfully claimed at most once.

In future iterations, we will figure out a way to transfer ownership of
a device by allowing re-claiming, but as a first cut we allow Claim
to be called only once.

To achieve this, an unclaimed device starts up a server ready to be
claimed and nothing else. Once claimed, this server shuts down
and a new server is created for the Device service.

Having to stop and re-create servers is questionable. Once we
have the ability for servers to update their blessings over
existing VCs and figure out how MountEntry caching works
when the blessings of the servers change, we can revisit this
two-server business.
Change-Id: I5c69219dc13503bbb1f64fcec6c5c0bec55b1d9b
11 files changed
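As an added illustration, not code from this change or from the device manager itself, here is a small Go model of the lifecycle the message describes: a claim-only server is the only thing up before Claim, the first successful Claim tears it down and brings up the Device service, and any later Claim is rejected. The `Device`, `Claim` and `Install` names and the `claimSrv`/`devSrv` flags are assumptions standing in for the real servers.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var ErrUnclaimed = errors.New("device: not claimed yet; only Claim is served")
var ErrAlreadyClaimed = errors.New("device: already claimed; re-claiming not supported")
// Device is a hypothetical model of the two-phase lifecycle: an unclaimed device
// runs a claim-only server; the first successful Claim stops it and starts the
// Device service, which is the only thing that serves Install.
type Device struct {
	mu       sync.Mutex
	owner    string // blessing name of the claimant
	claimSrv bool   // true while the claim-only server is up
	devSrv   bool   // true once the Device service is up
}

func NewDevice() *Device { return &Device{claimSrv: true} }
// Claim succeeds at most once; every later call is rejected.
func (d *Device) Claim(owner string) error {
	d.mu.Lock()
	defer d.mu.Unlock()
	if !d.claimSrv {
		return ErrAlreadyClaimed // claim server already shut down
	}
	d.owner = owner
	d.claimSrv = false // tear down the claim-only server ...
	d.devSrv = true    // ... and bring up the Device service
	return nil
}

// Install stands in for any Device-service operation: refused until claimed.
func (d *Device) Install(app string) error {
	d.mu.Lock()
	defer d.mu.Unlock()
	if !d.devSrv {
		return ErrUnclaimed
	}
	return nil
}

func main() {
	d := NewDevice()
	fmt.Println(d.Install("app"))   // pre-claim install refused
	fmt.Println(d.Claim("alice"))   // <nil>
	fmt.Println(d.Claim("mallory")) // rejected: claimed at most once
}
```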