[4/6] optee-client: drop privileges of tee-supplicant

Message ID	20250402141652.380180-4-gyorgy.szing@arm.com
State	New
Headers	show Return-Path: <gyorgy.szing@arm.com> ip: 217.140.110.172, mailfrom: gyorgy.szing@arm.com) From: Gyorgy Szing <gyorgy.szing@arm.com> To: meta-arm@lists.yoctoproject.org Cc: Gyorgy Szing <gyorgy.szing@arm.com>, Ross Burton <ross.burton@arm.com> Subject: [PATCH 4/6] optee-client: drop privileges of tee-supplicant Date: Wed, 2 Apr 2025 16:16:50 +0200 Message-ID: <20250402141652.380180-4-gyorgy.szing@arm.com> In-Reply-To: <20250402141652.380180-1-gyorgy.szing@arm.com> References: <20250402141652.380180-1-gyorgy.szing@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	[1/6] optee-client: use udev rule and systemd service from upstream \| expand [1/6] optee-client: use udev rule and systemd service from upstream [2/6] optee-os: add v4.4 [3/6] optee-client: fix udev and systemd handling [4/6] optee-client: drop privileges of tee-supplicant [5/6] optee-client: use the same tee group as libts [6/6] arm/trusted-services: fix udev management in libts

Message ID

20250402141652.380180-4-gyorgy.szing@arm.com

State

New

Headers

From: Gyorgy Szing <gyorgy.szing@arm.com>
To: meta-arm@lists.yoctoproject.org
Cc: Gyorgy Szing <gyorgy.szing@arm.com>,
	Ross Burton <ross.burton@arm.com>
Subject: [PATCH 4/6] optee-client: drop privileges of tee-supplicant
Date: Wed,  2 Apr 2025 16:16:50 +0200
Message-ID: <20250402141652.380180-4-gyorgy.szing@arm.com>
In-Reply-To: <20250402141652.380180-1-gyorgy.szing@arm.com>
References: <20250402141652.380180-1-gyorgy.szing@arm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

[1/6] optee-client: use udev rule and systemd service from upstream | expand

Commit Message

Gyorgy Szing April 2, 2025, 2:16 p.m. UTC

Stop the tee-supplicant being run with root privileges when the system
is not using systemd.

Signed-off-by: Gyorgy Szing <gyorgy.szing@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta-arm/recipes-security/optee/optee-client.inc               | 2 ++
 meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta-arm/recipes-security/optee/optee-client.inc b/meta-arm/recipes-security/optee/optee-client.inc
index 519041d6..ac003a24 100644
--- a/meta-arm/recipes-security/optee/optee-client.inc
+++ b/meta-arm/recipes-security/optee/optee-client.inc
@@ -32,6 +32,8 @@  do_install:append() {
         install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant
         sed -i -e s:@sysconfdir@:${sysconfdir}:g \
                -e s:@sbindir@:${sbindir}:g \
+               -e s:@supluser@:teesuppl:g \
+               -e s:@suplgroup@:teesuppl:g \
                   ${D}${sysconfdir}/init.d/tee-supplicant
     fi
     install -o teesuppl -g teesuppl -m 0700 -d ${D}${localstatedir}/lib/tee
diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
index b4d21950..12e81770 100644
--- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
+++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh
@@ -14,7 +14,7 @@  test -f $DAEMON || exit 0
 test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
 test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
 
-SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
+SSD_OPTIONS="-c @supluser@:@suplgroup@ --oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
 
 set -e

[4/6] optee-client: drop privileges of tee-supplicant

Commit Message

Patch