author | Dariusz Michaluk <d.michaluk@samsung.com> | 2018-03-08 15:12:55 +0100 |
---|---|---|
committer | Dariusz Michaluk <d.michaluk@samsung.com> | 2018-03-12 12:13:57 +0100 |
commit | 60fbeee6f89e2a61417033a854b3d2fdfc9f1a58 (patch) | |
tree | 79cad503948fd1f33d08df0be54bdf1aba94a532 | |
parent | 1c5836e35aaa18655808224873632b1c62fe03b8 (diff) | |
Improve optee access control configurationtizen_5.5.m2_releasesubmit/tizen_5.5_mobile_hotfix/20201026.185104submit/tizen_5.5/20191031.000010submit/tizen_5.0/20181101.000004submit/tizen/20180412.070843accepted/tizen/unified/20180412.140828accepted/tizen/5.5/unified/mobile/hotfix/20201027.091049accepted/tizen/5.5/unified/20191031.004224accepted/tizen/5.0/unified/20181102.022153tizen_5.5_tvtizen_5.5_mobile_hotfixtizen_5.5tizen_5.0tizenaccepted/tizen_unifiedaccepted/tizen_5.5_unified_mobile_hotfixaccepted/tizen_5.5_unifiedaccepted/tizen_5.0_unified
- drop optee supplicant daemon capabilities,
- run optee supplicant daemon under System::TEF Smack label,
- protect privileged device nodes with security_fw group and System::TEF Smack label.
Change-Id: Idda142be300c9db4d1ad79dda267e8ab051cedb9
-rw-r--r-- | packaging/tef-optee-client.spec | 2 | ||||
-rw-r--r-- | systemd/90-teedaemon.rules.in (renamed from systemd/90-teedaemon.rules) | 1 | ||||
-rw-r--r-- | systemd/CMakeLists.txt | 3 | ||||
-rw-r--r-- | systemd/tef-optee.service.in | 1 |
4 files changed, 6 insertions, 1 deletions
diff --git a/packaging/tef-optee-client.spec b/packaging/tef-optee-client.spec
index 52db477..a5a25bc 100644
--- a/packaging/tef-optee-client.spec
+++ b/packaging/tef-optee-client.spec
@@ -27,7 +27,7 @@ Requires: tef-libteec
 %define build_unit_dir %{buildroot}%{_unitdir}
 %define optee_libteec %{lib_dir}/tef/optee/
-%define smack_domain_name System
+%define smack_domain_name System::TEF
 %define use_sqlfs 0
diff --git a/systemd/90-teedaemon.rules b/systemd/90-teedaemon.rules.in
index 249d8a6..f7c4c4a 100644
--- a/systemd/90-teedaemon.rules
+++ b/systemd/90-teedaemon.rules.in
@@ -1,2 +1,3 @@
 SUBSYSTEM=="tee", KERNEL=="teepriv[0-9]", TAG+="systemd", ENV{SYSTEMD_WANTS}+="tef-optee.service"
+SUBSYSTEM=="tee", KERNEL=="teepriv[0-9]", GROUP="security_fw", MODE="0660", SECLABEL{smack}="@SMACK_DOMAIN_NAME@"
 SUBSYSTEM=="tee", KERNEL=="tee[0-9]", GROUP="priv_tee_client", MODE="0660", SECLABEL{smack}="*"
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index f65e2c1..21faa51 100644
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -24,6 +24,9 @@ PROJECT("tef-optee")
 CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/tef-optee.service.in ${CMAKE_SOURCE_DIR}/tef-optee.service @ONLY)
+CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/90-teedaemon.rules.in
+ ${CMAKE_SOURCE_DIR}/90-teedaemon.rules @ONLY)
+
 INSTALL(FILES ${CMAKE_SOURCE_DIR}/tef-optee.service DESTINATION
diff --git a/systemd/tef-optee.service.in b/systemd/tef-optee.service.in
index 590b242..341987b 100644
--- a/systemd/tef-optee.service.in
+++ b/systemd/tef-optee.service.in
@@ -7,5 +7,6 @@ After=opt.mount
 User=root
 Group=security_fw
 SmackProcessLabel=@SMACK_DOMAIN_NAME@
+CapabilityBoundingSet=
 ExecStart=@SYSTEMD_CFG_BIN_DIR@/tee-supplicant
 RuntimeDirectory=@SERVICE_NAME@ |
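Review bot: The added `teepriv[0-9]` rule hard-codes `GROUP="security_fw"` while the Smack label is templated, and the same group is repeated as `Group=security_fw` in `tef-optee.service.in`, so the two files can drift apart without any build error. With `MODE="0660"` every member of that group gets read-write access to the privileged node, which makes the group's membership part of the access policy. A comment above the rule would record both facts, for example `# teepriv*: tee-supplicant only; GROUP and Smack label must match tef-optee.service`.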
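Review bot: The new `CONFIGURE_FILE` call substitutes `@SMACK_DOMAIN_NAME@` into the udev rule without checking that the variable is set. With `@ONLY` an undefined variable expands to an empty string, so the privileged `teepriv` node would be installed with `SECLABEL{smack}=""` and the build would still succeed. A guard before the call, `IF(NOT SMACK_DOMAIN_NAME)` / `MESSAGE(FATAL_ERROR "SMACK_DOMAIN_NAME must be set")` / `ENDIF()`, turns a missing label into a configure failure. The output is also written into `${CMAKE_SOURCE_DIR}`, at the path where the tracked `90-teedaemon.rules` used to live. `${CMAKE_BINARY_DIR}` would keep generated files out of the source tree, though the existing service-file line follows the same pattern and the `INSTALL` command that consumes it continues outside the hunk.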
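Review bot: The bare `CapabilityBoundingSet=` reads like an unfinished line, although an empty assignment is what clears the bounding set. A comment on the line above, such as `# Empty on purpose: tee-supplicant runs with no capabilities`, would keep it from being "fixed" later. Since `User=root` stays, the daemon presumably now reaches the device node and its storage only through ordinary file ownership and the `security_fw` group, without CAP_DAC_OVERRIDE, which is worth confirming on a target image. `NoNewPrivileges=yes` would be a natural companion setting. The `[Service]` section begins outside the hunk.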