
libts: tee-udev.rules: Change ownership to tee group

Message ID 20230918190452.62938-1-javier.tia@linaro.org
State New
Series libts: tee-udev.rules: Change ownership to tee group

Commit Message

Javier Tia Sept. 18, 2023, 7:04 p.m. UTC
tee and teeclnt are there to avoid running client applications (CAs) and
tee-supplicant as root.

- The teeclnt group stands for "TEE client" and is for CAs (CAs need
  access to /dev/tee[0-9]* but not /dev/teepriv[0-9]*).

- tee is just for tee-supplicant to open its device /dev/teepriv[0-9]*.
  No other process is supposed to open that one.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/recipes-security/trusted-services/libts/tee-udev.rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
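
The two-group split the commit message describes, checked mechanically. This is an added example and not code from the meta-arm patch, from libts or from OP-TEE: a small Python simulator for the subset of udev rule syntax that tee-udev.rules uses (a `KERNEL==` match, `MODE`/`OWNER`/`GROUP` assignments, `TAG+=`, `ENV{...}+=` with `%k`), run over the two rules exactly as they appear in the hunk, before and after the `GROUP` change. The rules text is constructed from the hunk (the file's first two lines are not on the page and are left out), and the account names `ca`, `tee-supplicant` and `nobody` with their group memberships are assumptions made for the check. Real udev and the kernel's permission check (ACLs, `CAP_DAC_OVERRIDE`) are not modelled; only the owner/group/other mode bits are.

```python
"""Added example, not part of the meta-arm patch, libts or OP-TEE: a tiny
simulator for the udev rule subset used by tee-udev.rules, to show who can
open /dev/tee* and /dev/teepriv* before and after the GROUP change."""
import fnmatch
import re

# key, operator, quoted value; keys may carry a {NAME} suffix (ENV{...}).
TOKEN_RE = re.compile(r'(\w+(?:\{[^}]*\})?)\s*(==|!=|\+=|=)\s*"([^"]*)"')

# Constructed from the hunk on this page (the file's first two lines are not
# shown there, so only the two visible rules are included).
RULES_BEFORE = '''
KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"

# If a /dev/teepriv[0-9]* device is detected, start an instance of
# tee-supplicant.service with the device name as parameter
KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \\
    TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
'''
RULES_AFTER = RULES_BEFORE.replace('GROUP="teeclnt", \\', 'GROUP="tee", \\')


def parse_rules(text):
    """Split a rules file into rules, each a list of (key, op, value).
    Handles '#' comments and backslash line continuation."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # rule continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        rules.append(TOKEN_RE.findall(line))
    if pending:
        rules.append(TOKEN_RE.findall(pending))
    return rules


def apply_rules(rules, kernel_name):
    """Evaluate the rules for one device node named kernel_name.
    Starts from udev's default node ownership (0600 root:root). Only KERNEL
    matches are understood; any other match key makes the rule not apply."""
    props = {"MODE": "0600", "OWNER": "root", "GROUP": "root",
             "TAG": [], "ENV": {}}
    for rule in rules:
        matched, assigns = True, []
        for key, op, value in rule:
            if op in ("==", "!="):
                if key != "KERNEL":      # unsupported match key in this model
                    matched = False
                    break
                hit = fnmatch.fnmatchcase(kernel_name, value)
                if hit != (op == "=="):
                    matched = False
                    break
            else:
                assigns.append((key, op, value))
        if not matched:
            continue
        for key, op, value in assigns:
            value = value.replace("%k", kernel_name)   # udev's %k substitution
            if key in ("MODE", "OWNER", "GROUP"):
                props[key] = value                      # '=' overrides
            elif key == "TAG":
                props["TAG"].append(value)
            elif key.startswith("ENV{"):
                name = key[4:-1]
                if op == "+=":
                    props["ENV"].setdefault(name, []).append(value)
                else:
                    props["ENV"][name] = [value]
    return props


def can_open(props, user, groups):
    """Unix DAC check for open(O_RDWR) on the node's mode bits only.
    Root is modelled purely as the owner; CAP_DAC_OVERRIDE and ACLs are not."""
    mode = int(props["MODE"], 8)
    if user == props["OWNER"]:
        bits = (mode >> 6) & 7
    elif props["GROUP"] in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & 0o6) == 0o6


def access_matrix(rules_text):
    """Who can open which node: {(device, principal): bool}.
    The principals and their groups are assumptions made for this check."""
    principals = {
        "ca": ("ca", {"teeclnt"}),                    # a client application
        "tee-supplicant": ("tee-supplicant", {"tee"}),  # the supplicant daemon
        "nobody": ("nobody", set()),                  # unprivileged, no TEE group
    }
    rules = parse_rules(rules_text)
    out = {}
    for dev in ("tee0", "teepriv0"):
        props = apply_rules(rules, dev)
        for label, (user, groups) in principals.items():
            out[(dev, label)] = can_open(props, user, groups)
    return out


if __name__ == "__main__":
    for name, text in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(name, {f"{d}/{p}": ok for (d, p), ok in access_matrix(text).items()})
```

Run as a script it prints the access matrix for both versions of the file: with the old rule a `teeclnt` member (a CA) can open `/dev/teepriv0`, with the new rule it cannot, and only a `tee` member can. The same check also makes the operational dependency visible: the supplicant's account has to be in `tee` (and gets no access to `/dev/tee0` unless it is also in `teeclnt`), so whatever unit or recipe creates that account has to match the rule.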

Comments

Jérôme Forissier Sept. 19, 2023, 6:52 a.m. UTC | #1
On Mon, 18 Sept 2023 at 21:05, Javier Tia <javier.tia@linaro.org> wrote:

> tee and teeclnt are there to avoid running client applications (CAs) and
> tee-supplicant as root.
>
> - The teeclnt group stands for "TEE client" and is for CAs (CAs need
>   access to /dev/tee[0-9]* but not /dev/teepriv[0-9]*).
>
> - tee is just for tee-supplicant to open its device /dev/teepriv[0-9]*.
>   No other process is supposed to open that one.
>
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  meta-arm/recipes-security/trusted-services/libts/tee-udev.rules | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git
> a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
> b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
> index af428974..43fafd8c 100644
> --- a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
> +++ b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
> @@ -3,5 +3,5 @@ KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660",
> GROUP="teeclnt"
>
>  # If a /dev/teepriv[0-9]* device is detected, start an instance of
>  # tee-supplicant.service with the device name as parameter
> -KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \
> +KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
>      TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
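Review bot: the new `GROUP="tee"` on the teepriv rule only achieves the stated goal if the unit this same line starts, `tee-supplicant@%k.service`, runs as a user that is a member of `tee`; nothing in this hunk touches that unit, so please confirm (and say so in the commit message) that the service's `User=`/`Group=` or `SupplementaryGroups=` already places tee-supplicant in `tee`, otherwise the supplicant itself is locked out of `/dev/teepriv[0-9]*` once the node is `0660 root:tee`.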
> --
> 2.42.0
>

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

Jon Mason Sept. 19, 2023, 12:45 p.m. UTC | #2
On Mon, 18 Sep 2023 21:04:52 +0200, Javier Tia wrote:
> tee and teeclnt are there to avoid running client applications (CAs) and
> tee-supplicant as root.
> 
> - The teeclnt group stands for "TEE client" and is for CAs (CAs need
>   access to /dev/tee[0-9]* but not /dev/teepriv[0-9]*).
> 
> - tee is just for tee-supplicant to open its device /dev/teepriv[0-9]*.
>   No other process is supposed to open that one.
> 
> [...]

Applied, thanks!

[1/1] libts: tee-udev.rules: Change ownership to tee group
      commit: 0221098739b0923c313945af072e1f9017a570b6

Best regards,

Jon Mason Sept. 22, 2023, 6:20 p.m. UTC | #3
On Mon, 18 Sep 2023 21:04:52 +0200, Javier Tia wrote:
> tee and teeclnt are there to avoid running client applications (CAs) and
> tee-supplicant as root.
> 
> - The teeclnt group stands for "TEE client" and is for CAs (CAs need
>   access to /dev/tee[0-9]* but not /dev/teepriv[0-9]*).
> 
> - tee is just for tee-supplicant to open its device /dev/teepriv[0-9]*.
>   No other process is supposed to open that one.
> 
> [...]

Applied, thanks!

[1/1] libts: tee-udev.rules: Change ownership to tee group
      commit: 0221098739b0923c313945af072e1f9017a570b6

Best regards,
Patch

diff --git a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
index af428974..43fafd8c 100644
--- a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
+++ b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
@@ -3,5 +3,5 @@  KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
 
 # If a /dev/teepriv[0-9]* device is detected, start an instance of
 # tee-supplicant.service with the device name as parameter
-KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
     TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
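Review bot: the rule now names a group, `tee`, that has to exist when udev loads the file, and the diff does not show where it is created; please confirm the libts recipe (or a dependency) creates both `tee` and `teeclnt`, and mention that in the commit message. While here, the comment above the rule only explains the service start, so a one-line note that `/dev/tee[0-9]*` is for CAs (`teeclnt`) and `/dev/teepriv[0-9]*` for tee-supplicant only (`tee`) would document the split where integrators actually read it.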