| Message ID | 20230918190452.62938-1-javier.tia@linaro.org |
|---|---|
| State | New |
| Headers | show |
| Series | libts: tee-udev.rules: Change ownership to tee group | expand |
On Mon, 18 Sept 2023 at 21:05, Javier Tia <javier.tia@linaro.org> wrote: > tee and teeclnt are there to avoid running client applications (CAs) and > tee-supplicant as root. > > - The teeclnt group stands for "TEE client" and is for CAs (CAs need > access to /dev/tee[0-9]* but not /dev/teepriv[0-9]*). > > - tee is just for tee-supplicant to open its device /dev/teepriv[0-9]*. > No other process is supposed to open that one. > > Signed-off-by: Javier Tia <javier.tia@linaro.org> > --- > meta-arm/recipes-security/trusted-services/libts/tee-udev.rules | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git > a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules > b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules > index af428974..43fafd8c 100644 > --- a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules > +++ b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules > @@ -3,5 +3,5 @@ KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", > GROUP="teeclnt" > > # If a /dev/teepriv[0-9]* device is detected, start an instance of > # tee-supplicant.service with the device name as parameter > -KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \ > +KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \ > TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service" > -- > 2.42.0 > Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#5057): > https://lists.yoctoproject.org/g/meta-arm/message/5057 > Mute This Topic: https://lists.yoctoproject.org/mt/101440792/7094589 > Group Owner: meta-arm+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-arm/unsub [ > jerome.forissier@linaro.org] > -=-=-=-=-=-=-=-=-=-=-=- > >
On Mon, 18 Sep 2023 21:04:52 +0200, Javier Tia wrote: > tee and teeclnt are there to avoid running client applications (CAs) and > tee-supplicant as root. > > - The teeclnt group stands for "TEE client" and is for CAs (CAs need > access to /dev/tee[0-9]* but not /dev/teepriv[0-9]*). > > - tee is just for tee-supplicant to open its device /dev/teepriv[0-9]*. > No other process is supposed to open that one. > > [...] Applied, thanks! [1/1] libts: tee-udev.rules: Change ownership to tee group commit: 0221098739b0923c313945af072e1f9017a570b6 Best regards,
On Mon, 18 Sep 2023 21:04:52 +0200, Javier Tia wrote: > tee and teeclnt are there to avoid running client applications (CAs) and > tee-supplicant as root. > > - The teeclnt group stands for "TEE client" and is for CAs (CAs need > access to /dev/tee[0-9]* but not /dev/teepriv[0-9]*). > > - tee is just for tee-supplicant to open its device /dev/teepriv[0-9]*. > No other process is supposed to open that one. > > [...] Applied, thanks! [1/1] libts: tee-udev.rules: Change ownership to tee group commit: 0221098739b0923c313945af072e1f9017a570b6 Best regards,
diff --git a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules index af428974..43fafd8c 100644 --- a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules +++ b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules @@ -3,5 +3,5 @@ KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt" # If a /dev/teepriv[0-9]* device is detected, start an instance of # tee-supplicant.service with the device name as parameter -KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \ +KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \ TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
tee and teeclnt are there to avoid running client applications (CAs) and tee-supplicant as root. - The teeclnt group stands for "TEE client" and is for CAs (CAs need access to /dev/tee[0-9]* but not /dev/teepriv[0-9]*). - tee is just for tee-supplicant to open its device /dev/teepriv[0-9]*. No other process is supposed to open that one. Signed-off-by: Javier Tia <javier.tia@linaro.org> --- meta-arm/recipes-security/trusted-services/libts/tee-udev.rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)