projects / platform / core / security / tef-optee_client.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1c5836e)
Improve optee access control configuration 99/171999/2 accepted/tizen_5.0_unified accepted/tizen_5.5_unified accepted/tizen_5.5_unified_mobile_hotfix accepted/tizen_unified tizen tizen_5.0 tizen_5.5 tizen_5.5_mobile_hotfix tizen_5.5_tv accepted/tizen/5.0/unified/20181102.022153 accepted/tizen/5.5/unified/20191031.004224 accepted/tizen/5.5/unified/mobile/hotfix/20201027.091049 accepted/tizen/unified/20180412.140828 submit/tizen/20180412.070843 submit/tizen_5.0/20181101.000004 submit/tizen_5.5/20191031.000010 submit/tizen_5.5_mobile_hotfix/20201026.185104 tizen_5.5.m2_release
authorDariusz Michaluk <d.michaluk@samsung.com>
Thu, 8 Mar 2018 14:12:55 +0000 (15:12 +0100)
committerDariusz Michaluk <d.michaluk@samsung.com>
Mon, 12 Mar 2018 11:13:57 +0000 (12:13 +0100)
- drop optee supplicant daemon capabilities,
- run optee supplicant daemon under System::TEF Smack label,
- protect privileged device nodes with security_fw group and System::TEF Smack label.

Change-Id: Idda142be300c9db4d1ad79dda267e8ab051cedb9

packaging/tef-optee-client.spec patch | blob | history
systemd/90-teedaemon.rules.in [moved from systemd/90-teedaemon.rules with 62% similarity] patch | blob | history
systemd/CMakeLists.txt patch | blob | history
systemd/tef-optee.service.in patch | blob | history

diff --git a/packaging/tef-optee-client.spec b/packaging/tef-optee-client.spec
index 52db477..a5a25bc 100644 (file)
--- a/packaging/tef-optee-client.spec
+++ b/packaging/tef-optee-client.spec
@@ -27,7 +27,7 @@ Requires: tef-libteec
 %define build_unit_dir %{buildroot}%{_unitdir}
 %define optee_libteec %{lib_dir}/tef/optee/
 
-%define smack_domain_name System
+%define smack_domain_name System::TEF
 
 %define use_sqlfs 0
 
diff --git a/systemd/90-teedaemon.rules b/systemd/90-teedaemon.rules.in
similarity index 62%
rename from systemd/90-teedaemon.rules
rename to systemd/90-teedaemon.rules.in
index 249d8a6..f7c4c4a 100644 (file)
--- a/systemd/90-teedaemon.rules
+++ b/systemd/90-teedaemon.rules.in
@@ -1,2 +1,3 @@
 SUBSYSTEM=="tee", KERNEL=="teepriv[0-9]", TAG+="systemd", ENV{SYSTEMD_WANTS}+="tef-optee.service"
+SUBSYSTEM=="tee", KERNEL=="teepriv[0-9]", GROUP="security_fw", MODE="0660", SECLABEL{smack}="@SMACK_DOMAIN_NAME@"
 SUBSYSTEM=="tee", KERNEL=="tee[0-9]", GROUP="priv_tee_client", MODE="0660", SECLABEL{smack}="*"
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index f65e2c1..21faa51 100644 (file)
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -24,6 +24,9 @@ PROJECT("tef-optee")
 CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/tef-optee.service.in
                ${CMAKE_SOURCE_DIR}/tef-optee.service @ONLY)
 
+CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/90-teedaemon.rules.in
+               ${CMAKE_SOURCE_DIR}/90-teedaemon.rules @ONLY)
+
 INSTALL(FILES
     ${CMAKE_SOURCE_DIR}/tef-optee.service
     DESTINATION
diff --git a/systemd/tef-optee.service.in b/systemd/tef-optee.service.in
index 590b242..341987b 100644 (file)
--- a/systemd/tef-optee.service.in
+++ b/systemd/tef-optee.service.in
@@ -7,5 +7,6 @@ After=opt.mount
 User=root
 Group=security_fw
 SmackProcessLabel=@SMACK_DOMAIN_NAME@
+CapabilityBoundingSet=
 ExecStart=@SYSTEMD_CFG_BIN_DIR@/tee-supplicant
 RuntimeDirectory=@SERVICE_NAME@
Domain: Security / Trusted Execution Environment; Licenses: BSD-2-Clause;