Improve optee access control configuration

author Dariusz Michaluk <d.michaluk@samsung.com>

Thu, 8 Mar 2018 14:12:55 +0000 (15:12 +0100)

committer Dariusz Michaluk <d.michaluk@samsung.com>

Mon, 12 Mar 2018 11:13:57 +0000 (12:13 +0100)
author Dariusz Michaluk <d.michaluk@samsung.com>
Thu, 8 Mar 2018 14:12:55 +0000 (15:12 +0100)
committer Dariusz Michaluk <d.michaluk@samsung.com>
Mon, 12 Mar 2018 11:13:57 +0000 (12:13 +0100)
diff --git a/packaging/tef-optee-client.spec b/packaging/tef-optee-client.spec

index 52db47758853e0cc469743ef1b5f3fc079a196e2..a5a25bcb3af8e8fc303abbbbea7680d34526bdfb 100644 (file)
--- a/packaging/tef-optee-client.spec
+++ b/packaging/tef-optee-client.spec
@@ -27,7 +27,7 @@ Requires: tef-libteec
  %define build_unit_dir %{buildroot}%{_unitdir}
  %define optee_libteec %{lib_dir}/tef/optee/
  
-%define smack_domain_name System
+%define smack_domain_name System::TEF
  
  %define use_sqlfs 0
  
diff --git a/systemd/90-teedaemon.rules b/systemd/90-teedaemon.rules

deleted file mode 100644 (file)

index 249d8a6..0000000
--- a/systemd/90-teedaemon.rules
+++ /dev/null
@@ -1,2 +0,0 @@
-SUBSYSTEM=="tee", KERNEL=="teepriv[0-9]", TAG+="systemd", ENV{SYSTEMD_WANTS}+="tef-optee.service"
-SUBSYSTEM=="tee", KERNEL=="tee[0-9]", GROUP="priv_tee_client", MODE="0660", SECLABEL{smack}="*"
diff --git a/systemd/90-teedaemon.rules.in b/systemd/90-teedaemon.rules.in

new file mode 100644 (file)

index 0000000..f7c4c4a
--- /dev/null
+++ b/systemd/90-teedaemon.rules.in
@@ -0,0 +1,3 @@
+SUBSYSTEM=="tee", KERNEL=="teepriv[0-9]", TAG+="systemd", ENV{SYSTEMD_WANTS}+="tef-optee.service"
+SUBSYSTEM=="tee", KERNEL=="teepriv[0-9]", GROUP="security_fw", MODE="0660", SECLABEL{smack}="@SMACK_DOMAIN_NAME@"
+SUBSYSTEM=="tee", KERNEL=="tee[0-9]", GROUP="priv_tee_client", MODE="0660", SECLABEL{smack}="*"
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt

index f65e2c1ac6cb4c12c54786f51f65070a96861598..21faa512f1179511dcf0ac91c6564e279c57e077 100644 (file)
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -24,6 +24,9 @@ PROJECT("tef-optee")
  CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/tef-optee.service.in
                 ${CMAKE_SOURCE_DIR}/tef-optee.service @ONLY)
  
+CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/90-teedaemon.rules.in
+               ${CMAKE_SOURCE_DIR}/90-teedaemon.rules @ONLY)
+
  INSTALL(FILES
      ${CMAKE_SOURCE_DIR}/tef-optee.service
      DESTINATION
diff --git a/systemd/tef-optee.service.in b/systemd/tef-optee.service.in

index 590b242181349a75ef8955efc82cd14814938526..341987bd407581cd73b88b09a2816ff1f13d6c05 100644 (file)
--- a/systemd/tef-optee.service.in
+++ b/systemd/tef-optee.service.in
@@ -7,5 +7,6 @@ After=opt.mount
  User=root
  Group=security_fw
  SmackProcessLabel=@SMACK_DOMAIN_NAME@
+CapabilityBoundingSet=
  ExecStart=@SYSTEMD_CFG_BIN_DIR@/tee-supplicant
  RuntimeDirectory=@SERVICE_NAME@
author	Dariusz Michaluk <d.michaluk@samsung.com>
	Thu, 8 Mar 2018 14:12:55 +0000 (15:12 +0100)
committer	Dariusz Michaluk <d.michaluk@samsung.com>
	Mon, 12 Mar 2018 11:13:57 +0000 (12:13 +0100)
packaging/tef-optee-client.spec		patch \| blob \| history
systemd/90-teedaemon.rules	[deleted file]	patch \| blob \| history
systemd/90-teedaemon.rules.in	[new file with mode: 0644]	patch \| blob
systemd/CMakeLists.txt		patch \| blob \| history
systemd/tef-optee.service.in		patch \| blob \| history