From: Dariusz Michaluk Date: Thu, 8 Mar 2018 14:12:55 +0000 (+0100) Subject: Improve optee access control configuration X-Git-Tag: submit/tizen/20180412.070843^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen_5.5;p=platform%2Fcore%2Fsecurity%2Ftef-optee_client.git Improve optee access control configuration - drop optee supplicant daemon capabilities, - run optee supplicant daemon under System::TEF Smack label, - protect privileged device nodes with security_fw group and System::TEF Smack label. Change-Id: Idda142be300c9db4d1ad79dda267e8ab051cedb9
---
diff --git a/packaging/tef-optee-client.spec b/packaging/tef-optee-client.spec
index 52db477..a5a25bc 100644
--- a/packaging/tef-optee-client.spec
+++ b/packaging/tef-optee-client.spec
@@ -27,7 +27,7 @@ Requires: tef-libteec
 %define build_unit_dir %{buildroot}%{_unitdir}
 %define optee_libteec %{lib_dir}/tef/optee/
-%define smack_domain_name System
+%define smack_domain_name System::TEF
 %define use_sqlfs 0
diff --git a/systemd/90-teedaemon.rules b/systemd/90-teedaemon.rules
deleted file mode 100644
index 249d8a6..0000000
--- a/systemd/90-teedaemon.rules
+++ /dev/null
@@ -1,2 +0,0 @@
-SUBSYSTEM=="tee", KERNEL=="teepriv[0-9]", TAG+="systemd", ENV{SYSTEMD_WANTS}+="tef-optee.service"
-SUBSYSTEM=="tee", KERNEL=="tee[0-9]", GROUP="priv_tee_client", MODE="0660", SECLABEL{smack}="*"
diff --git a/systemd/90-teedaemon.rules.in b/systemd/90-teedaemon.rules.in
new file mode 100644
index 0000000..f7c4c4a
--- /dev/null
+++ b/systemd/90-teedaemon.rules.in
@@ -0,0 +1,3 @@
+SUBSYSTEM=="tee", KERNEL=="teepriv[0-9]", TAG+="systemd", ENV{SYSTEMD_WANTS}+="tef-optee.service"
+SUBSYSTEM=="tee", KERNEL=="teepriv[0-9]", GROUP="security_fw", MODE="0660", SECLABEL{smack}="@SMACK_DOMAIN_NAME@"
+SUBSYSTEM=="tee", KERNEL=="tee[0-9]", GROUP="priv_tee_client", MODE="0660", SECLABEL{smack}="*"
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index f65e2c1..21faa51 100644
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -24,6 +24,9 @@ PROJECT("tef-optee")
 CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/tef-optee.service.in ${CMAKE_SOURCE_DIR}/tef-optee.service @ONLY)
+CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/90-teedaemon.rules.in
+ ${CMAKE_SOURCE_DIR}/90-teedaemon.rules @ONLY)
+
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/tef-optee.service DESTINATION
diff --git a/systemd/tef-optee.service.in b/systemd/tef-optee.service.in
index 590b242..341987b 100644
--- a/systemd/tef-optee.service.in
+++ b/systemd/tef-optee.service.in
@@ -7,5 +7,6 @@ After=opt.mount
 User=root
 Group=security_fw
 SmackProcessLabel=@SMACK_DOMAIN_NAME@
+CapabilityBoundingSet=
 ExecStart=@SYSTEMD_CFG_BIN_DIR@/tee-supplicant
 RuntimeDirectory=@SERVICE_NAME@
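Review bot: The added `CONFIGURE_FILE` call substitutes `@SMACK_DOMAIN_NAME@` into the `teepriv[0-9]` rule of 90-teedaemon.rules.in without checking that the variable is set. With `@ONLY` an undefined variable expands to an empty string, so the privileged node would get `SECLABEL{smack}=""` and the build would still succeed. A guard before the call would fail the configure step instead: `IF(NOT SMACK_DOMAIN_NAME)`, `MESSAGE(FATAL_ERROR "SMACK_DOMAIN_NAME must be set")`, `ENDIF()`. Where the variable is defined is not visible in this hunk, so the packaging may already guarantee it. Separately, the output goes to `${CMAKE_SOURCE_DIR}`, the path the deleted static rules file occupied, so a stale copy in a reused tree looks the same as a generated one; `${CMAKE_BINARY_DIR}` would avoid that, with the install rule (outside the hunk) adjusted to match.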
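Review bot: `CapabilityBoundingSet=` with an empty value is easy to misread as an unset option, so a comment above it such as `# Empty value: drop every capability from the bounding set` would keep a later cleanup from deleting the line. The unit keeps `User=root`, so even without capabilities the daemon retains whatever uid 0 file ownership grants. If tee-supplicant only needs the `security_fw` group for the teepriv node and its storage, a dedicated account would narrow this further; that is a guess, since the storage paths are not visible here. The [Service] section starts outside the hunk.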