core: imply DeviceAllow=/dev/tpmrm0 with LoadCredentialEncrypted

If the device access policy is restricted, add implicitly access to the TPM if at least one encrypted credential needs to be loaded. Fixes https://github.com/systemd/systemd/issues/26042 (cherry picked from commit 398dc7d39b9a877e71529f0e0b139329e4c6992e) (cherry picked from commit f0126ad7f90a37c6c81e735726a3bbea1aa6d4d7) (cherry picked from commit 158760941f6f59f6307a49455ce1af5db97b67c9)
2025-03-11 04:58:19 +03:00 · 2023-02-08 00:25:00 +00:00 · 2023-02-08 00:25:00 +00:00 · 0a3a54c069
commit 0a3a54c069
parent 4d447fb910
2 changed files with 17 additions and 1 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -3041,7 +3041,13 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
        <filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted credentials
        improves security as credentials are not stored in plaintext and only decrypted into plaintext the
        moment a service requiring them is started. Moreover, credentials may be bound to the local hardware
-        and installations, so that they cannot easily be analyzed offline.</para>
+        and installations, so that they cannot easily be analyzed offline. When <varname>DevicePolicy=</varname>
+        is set to <literal>closed</literal> or <literal>strict</literal>, or set to <literal>auto</literal>
+        and <varname>DeviceAllow=</varname> is set, or <varname>PrivateDevices=</varname> is set, then this
+        setting adds <filename>/dev/tpmrm0</filename> with <constant>rw</constant> mode to
+        <varname>DeviceAllow=</varname>. See
+        <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+        for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>.</para>

        <para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
        be directly accessible to the unit's processes: the credential data is read and copied into separate,
--- a/src/core/unit.c
+++ b/src/core/unit.c
@ -4144,6 +4144,16 @@ int unit_patch_contexts(Unit *u) {
                        if (r < 0)
                                return r;
                }
+
+                /* If there are encrypted credentials we might need to access the TPM. */
+                ExecLoadCredential *cred;
+                HASHMAP_FOREACH(cred, ec->load_credentials)
+                        if (cred->encrypted) {
+                                r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
+                                if (r < 0)
+                                        return r;
+                                break;
+                        }
        }

        return 0;