SLFO-pool/trousers
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main trousers revision 6530ee62fde3356279be534a3d5fff2c

Browse Source
This commit is contained in:
Adrian Schröter 2024-05-04 01:31:20 +02:00
commit 8a1ac1c06e
8 changed files with 658 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
91-trousers.rules Normal file
View File

@ -0,0 +1 @@
KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss"

1
baselibs.conf Normal file
View File

@ -0,0 +1 @@
libtspi1

10
fix-lto.patch Normal file
View File

@ -0,0 +1,10 @@
Index: trousers-0.3.14/src/tddl/Makefile.am
===================================================================
--- trousers-0.3.14.orig/src/tddl/Makefile.am
+++ trousers-0.3.14/src/tddl/Makefile.am
@@ -1,4 +1,4 @@
lib_LIBRARIES=libtddl.a
libtddl_a_SOURCES=tddl.c
-libtddl_a_CFLAGS=-DAPPID=\"TCSD\ TDDL\" -I${top_srcdir}/src/include -fPIE -DPIE
+libtddl_a_CFLAGS=-ffat-lto-objects -DAPPID=\"TCSD\ TDDL\" -I${top_srcdir}/src/include -fPIE -DPIE

21
tcsd.service Normal file
View File

@ -0,0 +1,21 @@
[Unit]
Description=TCG Core Services Daemon
[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Type=forking
ExecStart=/usr/sbin/tcsd
User=tss
[Install]
WantedBy=multi-user.target

BIN
trousers-0.3.15.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

433
trousers.changes Normal file
View File

@ -0,0 +1,433 @@
-------------------------------------------------------------------
Mon Aug 22 08:16:58 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
- BuildRequire pkgconfig(udev) instead of udev: allow OBS to
shortcut through the -mini flavors.
-------------------------------------------------------------------
Tue Apr 12 13:58:28 UTC 2022 - Marcus Meissner <meissner@suse.com>
- changed urls to https (except main URL which has no https)
-------------------------------------------------------------------
Thu Nov 25 15:00:17 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Modified:
* tcsd.service
-------------------------------------------------------------------
Tue Oct 5 09:41:43 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
- move libraries to /usr/lib (bsc#1191102)
-------------------------------------------------------------------
Thu Nov 5 10:34:19 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
- update to new upstream version 0.3.15:
- Corrected mutliple security issues that existed if the tcsd is started by
root instead of the tss user. CVE-2020-24332, CVE-2020-24330, CVE-2020-24331
- Replaced use of _no_optimize with asm memory barrier
- Fixed multiple potential instances of use after free memory handling
- Removed unused global variables which caused build issue on some distros
- drop gcc-10.patch: now contained in upstream tarball
- drop bsc1164472.patch: now contained in upstream tarball
- adjusted %setup macro invocation which seemed to be wrong
-------------------------------------------------------------------
Mon Jul 27 08:13:14 UTC 2020 - matthias.gerstner@suse.com
- In a previous commit the Requires line for the tss user got accidentally
dropped. This change reintroduces it.
-------------------------------------------------------------------
Tue Jun 2 10:23:53 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
- add gcc-10.patch: fixes the build on gcc 10 by removing unused global
variables. This patch was posted on the TrouSerS mailing list [1].
[1]: https://sourceforge.net/p/trousers/mailman/message/36951419/
-------------------------------------------------------------------
Wed May 20 10:05:51 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
- get rid of %pre/%post logic that fixes the old packaging bug. Turns out
%pretrans and %posttrans had their purpose before, because the logic needed
to run before old files owned by the package got deleted. But I'm not
reimplementing this strange logic in Lua ... users that didn't get the fix
yet will have to live with it.
-------------------------------------------------------------------
Wed May 20 08:59:54 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
- fix a potential tss user to root privilege escalation when running tcsd
(bsc#1164472). To do this run tcsd as the 'tss' user right away to prevent
badly designed privilege drop and initialization code to run.
- add bsc1164472.patch: additionally harden operation of tcsd when running as
root. No longer follow symlinks in /var/lib/tpm. Drop gid to tss main group.
require /etc/tcsd.conf to be owned by root:tss mode 0640.
-------------------------------------------------------------------
Wed May 13 12:14:32 UTC 2020 - matthias.gerstner@suse.com
- add correct Requires(pre) and change %pretrans and %posttrans into %pre and
%post. %pretrans can't have any dependencies and therefore can only be
%implemented in lua. This currently leads to build errors "/bin/sh: no such
file or directory".
-------------------------------------------------------------------
Wed Feb 19 12:48:19 UTC 2020 - Matthias Gerstner <matthias.gerstner@suse.com>
- leave creation of /var/lib/tpm to the new system-user-tss package. Otherwise
we're getting conflicts in packages depending on trousers (bsc#1162360).
-------------------------------------------------------------------
Fri Jan 31 11:51:03 UTC 2020 - Michal Suchanek <msuchanek@suse.com>
- Use system-users for tss user creation (boo#1162360).
-------------------------------------------------------------------
Tue Nov 26 09:14:39 UTC 2019 - matthias.gerstner@suse.com
- Fix a local symlink attack problem with the %posttrans scriptlet
(bsc#1157651, CVE-2019-18898). A rogue tss user could have used this attack
to gain ownership of arbitrary files in the system during
installation/update of the trousers package.
-------------------------------------------------------------------
Mon Sep 9 14:12:22 UTC 2019 - mgerstner <matthias.gerstner@suse.com>
- add fix-lto.patch: This fixes the rpmlint error:
trousers-devel.x86_64: E: lto-no-text-in-archive (Badness: 10000) /usr/lib64/libtddl.a
objcopy/strip seem not to support the LTO linking and discard the actual
text section from libtddl.a. By passing -ffat-lto-objects the object format
is kept compatible with unaware tools and fixes the error.
-------------------------------------------------------------------
Fri Apr 26 10:33:38 UTC 2019 - mvetter@suse.com
- bsc#1130588: Require shadow instead of old pwdutils
-------------------------------------------------------------------
Fri Oct 26 11:13:37 UTC 2018 - matthias.gerstner@suse.com
- fix mode of /var/lib/tpm, was missing the execute bit in the previous
version.
- implement a backup and restore logic for /var/lib/tpm/system.data.* to
prevent removal of validly stored trousers state during update. See previous
comment for the packaging error that leads to this requirement.
-------------------------------------------------------------------
Wed Oct 24 12:42:13 UTC 2018 - matthias.gerstner@suse.com
- fix wrong installation of system.data.{auth,noauth} into /var/lib/tpm. These
files are only sample files that *can* be used to fake that ownership was
already taken by trousers, when other TPM stacks did that already. These
files should not be there by default. Therefore install them into
/usr/share/trousers instead, to allow the user to use them at his own
discretion (fixes bsc#1111381).
-------------------------------------------------------------------
Sun Jan 1 05:15:50 UTC 2017 - mailaender@opensuse.org
- Update to version 0.3.14 (see ChangeLog) (FATE#321450)
-------------------------------------------------------------------
Fri May 6 20:15:13 UTC 2016 - jengelh@inai.de
- Check for user/group existence before attempting to add them,
and remove error suppression from these calls.
- Avoid runtime dependency on systemd, the macros can all deal with
its absence.
-------------------------------------------------------------------
Fri Jun 19 15:51:08 UTC 2015 - crrodriguez@opensuse.org
- Force GNU inline semantics, fixes build with GCC5
-------------------------------------------------------------------
Thu Apr 2 13:18:08 UTC 2015 - mpluskal@suse.com
- Cleanup spec-file with spec-cleaner
- Update prerequires
- Use systemd unit file
* replace tcsd.init with tcsd.service
-------------------------------------------------------------------
Tue Jun 3 13:04:45 UTC 2014 - meissner@suse.com
- updated to trousers 0.3.13 (bnc#881095 LTC#111124)
- Changed exported functions which had a name too common, to avoid
collision
- Assessed daemon security using manual techniques and coverity
- Fixed major security bugs and memory leaks
- Added debug support to run tcsd with a different user/group
- Daemon now properly closes sockets before shutting down
* TROUSERS_0_3_12
- Added new network code for RPC, which supports IPv6
- Users of client applications can configure the hostname of the tcsd
server they want to connect through the TSS_TCSD_HOSTNAME env var
(only works if application didn't set a hostname in the context)
- Added disable_ipv4 and disable_ipv6 config options for server
- removed trousers-wrap_large_key_overflow.patch: upstream
- removed trousers-0.3.11.2.diff: solved upstream now
-------------------------------------------------------------------
Wed Mar 19 12:54:21 UTC 2014 - meissner@suse.com
- trousers-wrap_large_key_overflow.patch: Do not wrap keys larger than
2048 bit, as the space on the TPM is limited to that amount. (bnc#868933)
-------------------------------------------------------------------
Tue Jan 14 10:42:23 UTC 2014 - meissner@suse.com
- Updated to trousers 0.3.11.2
- license changed to BSD-3-Clause
- various bug and manpage fixes
- trousers-0.3.10.diff renamed and rebased to trousers-0.3.11.2.diff
-------------------------------------------------------------------
Fri Sep 28 14:45:51 UTC 2012 - meissner@suse.com
- updated to trousers 0.3.10
- bugfixes
- context checking
-------------------------------------------------------------------
Fri May 18 11:04:43 CEST 2012 - meissner@suse.de
- Updated to trousers 0.3.9
- lots of bugfixes
-------------------------------------------------------------------
Wed Mar 28 17:01:59 CEST 2012 - meissner@suse.de
- Updated to TROUSERS_0_3_8
- Fix ssl_ui.c overflow
- Handling of TPM_CERTIFY_INFO2 structure special case
- Fix possible obfuscation of obj_migdata.c errors.
- Make 1.2 keys respect the TPM_PCRIGNOREDONREAD flag.
- PCRInfo member allocation in Trspi_Unload_CERTIFY_INFO.
- Add functions for deserializing NVRAM related data structures
- Add NVRAM specific error messages
- Fix spec file so one can build an rpm
- Initialize the tcsd_config_file with NULL.
- support for -c <configfile> command line option
- Establish a .gitignore file
- ENDIAN_H and htole definition fix
-------------------------------------------------------------------
Tue Mar 13 08:30:18 UTC 2012 - cfarrell@suse.com
- license update: CPL-1.0
SPDX format
-------------------------------------------------------------------
Sat Nov 19 20:46:59 UTC 2011 - coolo@suse.com
- add libtool as buildrequire to avoid implicit dependency
-------------------------------------------------------------------
Mon Jun 20 11:57:28 CEST 2011 - meissner@suse.de
- Updated to TROUSERS_0_3_7
- bugfixes
- obj_policy_is_secret_set added
-------------------------------------------------------------------
Mon Sep 27 01:38:35 CEST 2010 - ro@suse.de
- fix patch to apply
-------------------------------------------------------------------
Wed Aug 11 10:57:44 CEST 2010 - meissner@suse.de
- Updated to TROUNSERS_0_3_6
- Fixed a number of warnings during a build with --debug regarding THREAD ID
definition
- Removed htole() dependency, which was included only in glibc 2.9
- Updated to TROUSERS_0_3_5
- Allowed TCD Daemon to run with reduced privileges In Solaris.
- Fixing previous kfreebsd build patch conflict with the current tree.
- TCSD error handling improvements.
- mutex init inclusion.
- pthread_t portability fix
- Owner Evict keys load fix.
- Big- endian issues.
- Memory leak fix.
- Adding missing #include <limits.h>.
- kfreebsd build fixes.
- Fixed usage of syslog().
- 64bits clean
- Fixes the TCP UN and IN socket connection attempt handling
- Fixes logic on opening a hardware TPM.
- Added communication through TCP to software TPMs in TrouSerS.
- Fixed conflicting defines
- Adds missing free()
- Fixed fread() return value check.
- Made the previous fix cleaner and more robust.
- Added missing check in order to avoid freeing buffer that's out of Tspi_Data_Seal() scope.
- Fixed Tspi_TPM_GetRandom 4kb output limit.
-------------------------------------------------------------------
Mon Jun 21 18:36:48 UTC 2010 - cristian.rodriguez@opensuse.org
- move library to %/{_lib} fix build of rng-tools
-------------------------------------------------------------------
Thu Mar 18 11:28:51 CET 2010 - meissner@suse.de
- Updated to TROUSERS_0_3_4
- Fixed TrouSerS mishandling of TPM auth sessions
- Enabled hosttable.c "_init" and "_fini" functions to work on Solaris
- Included Solaris in BSD_CONST definition conditional
- Made the init script LSB compliant
- make distcheck improved
- TROUSERS_0_3_3_2
- Fixed logic when filling up RSA keys objects.
- TROUSERS_0_3_3_1
- TCSD now runs as tss and has a better signal handling
- Fixed many memory handling issues
- TROUSERS_0_3_3
- Tspi_ChangeAuth fixed for popup secret use case.
- Prefixed exported functions with common names.
- Fixed issues with accessing the utmp database.
- Migrated the bios parser file handler from open to fopen.
-------------------------------------------------------------------
Mon Feb 1 12:35:28 UTC 2010 - jengelh@medozas.de
- package baselibs.conf
-------------------------------------------------------------------
Thu Aug 27 15:36:08 CEST 2009 - meissner@suse.de
- updated to 0.3.2.
- Added IMA log parser in conformance with format introduced in linux kernel 2.6.30
- Fixed memory handling issues in src/tspi/tspi_quote2.c and tspi_tick.c
- Fixed memory handling issues in tcs/rpc/tcstp/rpc_tick.c
- Fixed logic when releasing auth handles, now the TPM won't become out of
resources due too many unreleased auth handles there.
- Fixed compilation problems when building trousers in Fedora with
-fstack-protector & gcc 4.4
- Fixed the legacy usage of a deprecated 1.1 TPM command, now auth sessions
can be closed fine.
- Fixed key memory cache when evicting keys, invalid key handles were evicted
when shouldn't.
- Fixed authsess_xsap_init call with wrong handle
- Fixed authsess_callback_hmac return code
- Fixed validateReturnAuth return value
- Added consistency to avoid multiple double free() and bound checks to avoid SEGV
- Moved from flock to fcntl since the first isn't supported in multi-thread applications
- Added necessary free() and consistency necessary in tspi/tsp_delegate.c to avoid SEGV
- Typecast added in trousers.c in the UNICODE conversion functions
- Fixed wrong return code in Tspi_NV_ReleaseSpace
- Fixed digest computation in Tspi_NV_ReleaseSpace
- Fixed tpm_rsp_parse, it previously checked for an additional TPM_AUTH blob, resulting in a incorrect data blog unload.
- Added #include <limits.h> to remove INT_MAX undeclared error
during build. Files updated: trspi/crypto/openssl/symmetric.c,
tspi/tspi_aik.c and tspi/tsp_ps.c
- Added bounds checking in the data parsing routines of the TCSD's tcstp RPC code, preventing attacks from malicious clients.
- Removed commented out code in src/tcs/rpc/tcstp/rpc.c
- Commented out old OSAP code, its now unused
- Fixed bug in tcsi_bind.c, one too few params were passed to the function parsing the TPM blob.
- Fixed lots of erroneous TSPERR and TCSERR calls
- Added support for logging all error return codes when debug is on
- Check that parent auth is loaded in the load key path outside the mem_cache_lock, if a thread sleeps holding it, we deadlock
- Added support for dynamically growing the table that holds sleeping threads inside the auth manager
- In tcs_auth_mgr.c, fixed the release handle path, which didn't check if the handle was swapped out before calling to the TPM.
- Updates throughout the code supporting the modular build.
-------------------------------------------------------------------
Sun Jun 14 18:33:36 CEST 2009 - meissner@suse.de
- included <limits.h> to fix glibc 2.10 build issues
-------------------------------------------------------------------
Sat Apr 18 22:19:55 CEST 2009 - crrodriguez@suse.de
- remove static libtspi
-------------------------------------------------------------------
Tue Sep 2 13:51:20 CEST 2008 - meissner@suse.de
- fixed 64bit build issue
-------------------------------------------------------------------
Fri Aug 22 13:28:38 CEST 2008 - meissner@suse.de
- upgraded to 0.3.1
- TPM 1.2 support throughout the code, see ChangeLog
- lots of new features
- lots of bugfixes
- dropped secondary TPM support patches. is either already
upstream (differently), or will be.
-------------------------------------------------------------------
Tue Apr 15 15:08:29 CEST 2008 - ro@suse.de
- added baselibs.conf file for multilib support
-------------------------------------------------------------------
Tue Apr 15 11:20:37 CEST 2008 - meissner@suse.de
- fixed glibc 2.8 build issues
-------------------------------------------------------------------
Fri Mar 28 08:56:30 CET 2008 - meissner@suse.de
- merged from buildservice
- lots of build cleanups for rpmlint warnings
-------------------------------------------------------------------
Mon Nov 29 13:17:00 CET 2007 - ramunno@polito.it
- configured to remove dependencies from GTK
-------------------------------------------------------------------
Mon Nov 26 18:57:45 CET 2007 - draht@suse.de
- manual mutual dependencies added: libtspi1 <-> trousers
-------------------------------------------------------------------
Mon Nov 26 18:41:12 CET 2007 - draht@suse.de
- system.data.*auth files added to /var/lib/tpm/. Note: tcsd expects
/var/lib/tpm/system.data . RTFM...
-------------------------------------------------------------------
Mon Nov 26 18:27:32 CET 2007 - draht@suse.de
- init file mode'd 755 in %install.
-------------------------------------------------------------------
Thu Oct 25 13:57:17 CEST 2007 - skh@suse.de
- added trousers_0.2.9-tpm_1.2_dual_v20070206 and its documentation
-------------------------------------------------------------------
Mon Aug 13 17:50:26 CEST 2007 - skh@suse.de
- initial build service import with version 0.2.9.1
- split off package libtspi1 to conform to shared library packaging
policy
-------------------------------------------------------------------
Wed Jan 11 14:07:25 CET 2006 - draht@suse.de
- #137913: Fix config file permissions and ownership to 0600 tss.tss
-------------------------------------------------------------------
Wed Nov 9 00:39:23 CET 2005 - draht@suse.de
- file list changes, split into trousers and -devel.
-------------------------------------------------------------------
Wed Nov 2 00:11:04 CET 2005 - draht@suse.de
- initial build of the package.

166
trousers.spec Normal file
View File

@ -0,0 +1,166 @@
#
# spec file for package trousers
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define tpmstatedir %{_localstatedir}/lib/tpm
Name: trousers
Version: 0.3.15
Release: 0
Summary: TSS (TCG Software Stack) access daemon for a TPM chip
License: BSD-3-Clause
Group: Productivity/Security
URL: http://trousers.sourceforge.net/
Source0: https://downloads.sf.net/trousers/%{name}-%{version}.tar.gz
Source1: tcsd.service
Source2: baselibs.conf
Source3: 91-trousers.rules
Patch0: fix-lto.patch
BuildRequires: gtk2-devel
BuildRequires: libtool
BuildRequires: openssl-devel
BuildRequires: pkg-config
BuildRequires: systemd-rpm-macros
BuildRequires: pkgconfig(udev)
Requires(pre): user(tss)
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
The trousers package provides a TSS implementation through the help of
a user-space daemon, the tcsd, and a library Trousers aims to be
compliant to the 1.1b and 1.2 TSS specifications as available from the
Trusted Computing website https://www.trustedcomputinggroup.org/.
The package needs the /dev/tpm device file to be present on your
system. It is a character device file major 10 minor 224, 0600 tss:tss.
%package devel
Summary: TSS (TCG Software Stack) access daemon for a TPM chip
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: libopenssl-devel
Requires: libtspi1 = %{version}
Requires: trousers = %{version}
%description devel
The trousers package provides a TSS implementation through the help of
a user-space daemon, the tcsd, and a library Trousers aims to be
compliant to the 1.1b and 1.2 TSS specifications as available from the
Trusted Computing website https://www.trustedcomputinggroup.org/.
The package needs the /dev/tpm device file to be present on your
system. It is a character device file major 10 minor 224, 0600 tss:tss.
%package -n libtspi1
Summary: TSS (TCG Software Stack) access daemon for a TPM chip
Group: Productivity/Security
Requires: trousers
%description -n libtspi1
The trousers package provides a TSS implementation through the help of
a user-space daemon, the tcsd, and a library Trousers aims to be
compliant to the 1.1b and 1.2 TSS specifications as available from the
Trusted Computing website https://www.trustedcomputinggroup.org/.
The package needs the /dev/tpm device file to be present on your
system. It is a character device file major 10 minor 224, 0600 tss:tss.
%prep
%setup -q -n %{name}-%{version}
%patch0 -p1
%build
CC=gcc
CFLAGS="%{optflags} -Wall -fno-strict-aliasing -fgnu89-inline -ffat-lto-objects"
SHARE=%{_prefix}/share
DOC=%{_defaultdocdir}
export CC CFLAGS
autoreconf -i -f
%configure --libdir=/%{_libdir} --disable-static --with-pic --with-gui=none
make %{?_smp_mflags}
%install
%define trousers_data %{buildroot}%{_datadir}/%{name}
make DESTDIR=%{buildroot} install %{?_smp_mflags}
install -D -m 0644 %{SOURCE1} %{buildroot}/%{_unitdir}/tcsd.service
ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctcsd
# these files can be used to fake trousers ownership of a TPM if the ownership
# was already taken by some other stack. they are sample files.
mkdir -p %{trousers_data}
cp -a dist/system.data* %{trousers_data}
mkdir -p %{buildroot}%{_libdir}
rm -v %{buildroot}/%{_libdir}/libtspi.la
# we want to run tcsd as tss user right away. therefore we need to install a
# suitable udev rule file. this conflicts somewhat with tpm2-0-tss, but both
# rules files are compatible at the moment. trousers has a lower priority than
# tpm2-0-tss in case both should be installed. The tss user is shared between
# both packages anyways already.
mkdir -p %{buildroot}%{_udevrulesdir}
install -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir}
%pre
%service_add_pre tcsd.service
%post
%service_add_post tcsd.service
%_bindir/udevadm trigger -s tpm || :
# bsc#1164472: adjust potential root ownership to allow tcsd to open the file
# as unprivileged user. Be careful not to follow a symlink target.
system_data=%{tpmstatedir}/system.data
if [ -e "${system_data}" ]; then
chown --no-dereference tss:tss %{tpmstatedir}/system.data
fi
%postun
%service_del_postun tcsd.service
%preun
%service_del_preun tcsd.service
%post -n libtspi1 -p /sbin/ldconfig
%postun -n libtspi1 -p /sbin/ldconfig
%files
%defattr(-,root,root)
%config(noreplace) %attr(640,root,tss) %{_sysconfdir}/tcsd.conf
%doc README README.selinux AUTHORS ChangeLog LICENSE NICETOHAVES TODO doc/*
%{_mandir}/man5/*
%{_mandir}/man8/*
%{_datadir}/%{name}
%{_sbindir}/tcsd
%{_sbindir}/rctcsd
%{_unitdir}/tcsd.service
%{_udevrulesdir}/91-trousers.rules
%files devel
%defattr(-,root,root)
%{_includedir}/trousers
%{_includedir}/tss
%{_mandir}/man3/*
%{_libdir}/*.so
#only available in static form
%{_libdir}/libtddl.a
%files -n libtspi1
%defattr(-,root,root)
/%{_libdir}/*.so.*
%changelog