core: imply DeviceAllow=/dev/tpmrm0 with LoadCredentialEncrypted
If the device access policy is restricted, implicitly add access to the TPM when at least one encrypted credential needs to be loaded. Fixes https://github.com/systemd/systemd/issues/26042
This commit is contained in:
parent
b0fc23fae5
commit
398dc7d39b
@ -3154,7 +3154,13 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
|
||||
authenticated credentials improves security as credentials are not stored in plaintext and only
|
||||
authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
|
||||
credentials may be bound to the local hardware and installations, so that they cannot easily be
|
||||
analyzed offline, or be generated externally.</para>
|
||||
analyzed offline, or be generated externally. When <varname>DevicePolicy=</varname> is set to
|
||||
<literal>closed</literal> or <literal>strict</literal>, or set to <literal>auto</literal> and
|
||||
<varname>DeviceAllow=</varname> is set, or <varname>PrivateDevices=</varname> is set, then this
|
||||
setting adds <filename>/dev/tpmrm0</filename> with <constant>rw</constant> mode to
|
||||
<varname>DeviceAllow=</varname>. See
|
||||
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>.</para>
|
||||
|
||||
<para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
|
||||
be directly accessible to the unit's processes: the credential data is read and copied into separate,
|
||||
|
@ -4169,6 +4169,16 @@ int unit_patch_contexts(Unit *u) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
/* If there are encrypted credentials we might need to access the TPM. */
|
||||
ExecLoadCredential *cred;
|
||||
HASHMAP_FOREACH(cred, ec->load_credentials)
|
||||
if (cred->encrypted) {
|
||||
r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
|
||||
if (r < 0)
|
||||
return r;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
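Review bot: The loop at `HASHMAP_FOREACH(cred, ec->load_credentials)` only considers `LoadCredentialEncrypted=`; credentials supplied through `SetCredentialEncrypted=` (`ec->set_credentials`, assuming this tree carries the `encrypted` flag on `ExecSetCredential`) are decrypted through the same TPM path and would still be blocked by a closed device policy. Both maps should feed one decision ahead of the `cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw")` call, as sketched below. Note also that `encrypted` does not distinguish host-key-only credentials from TPM-bound ones, so this grants `rw` on the TPM resource manager to every unit with an encrypted credential; that widening deserves a comment such as `/* The key type is only known from the credential header at decryption time, so TPM access is granted for any encrypted credential (an over-approximation for host-key-only ones). */`. unit_patch_contexts() starts and ends outside this hunk.

```c
/* If there are encrypted credentials we might need to access the TPM. The key type is only known
 * from the credential header at decryption time, so grant access for any encrypted credential. */
bool need_tpm = false;
ExecLoadCredential *lc;
HASHMAP_FOREACH(lc, ec->load_credentials)
        if (lc->encrypted) {
                need_tpm = true;
                break;
        }
ExecSetCredential *sc;
HASHMAP_FOREACH(sc, ec->set_credentials)
        if (sc->encrypted) {
                need_tpm = true;
                break;
        }
if (need_tpm) {
        r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
        if (r < 0)
                return r;
}
```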
@ -208,6 +208,12 @@ else
|
||||
echo "/usr/lib/systemd/systemd-pcrphase or PCR sysfs files not found, skipping PCR extension test case"
|
||||
fi
|
||||
|
||||
# Ensure that sandboxing doesn't stop creds from being accessible
|
||||
echo "test" > /tmp/testdata
|
||||
systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2
|
||||
systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
|
||||
rm /tmp/testdata
|
||||
|
||||
echo OK >/testok
|
||||
|
||||
exit 0
|
||||
|
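Review bot: The new check at `systemd-run -p PrivateDevices=yes ...` exercises only `PrivateDevices=`, not the cgroup device policy the unit.c change targets; a second invocation with `-p DevicePolicy=closed` (and ideally `strict`) would pin the implied `DeviceAllow=/dev/tpmrm0` directly, e.g. `systemd-run -p DevicePolicy=closed -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata`. The cleanup at `rm /tmp/testdata` leaves `/tmp/testdata.encrypted` behind; `rm /tmp/testdata /tmp/testdata.encrypted` keeps the image tidy. The `--with-key=tpm2` encryption also runs unconditionally, unlike the guarded PCR case just above it, so this block presumably relies on the test environment always providing a TPM — worth confirming, or guarding it the same way.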