Accepting request 966798 from security

- dbus-access.patch: restrict D-Bus access to tpm2-abrmd to members of the tss group (bsc#1197532). This prevents arbitrary users from meddling with TPM state and thus potential denial-of-service vectors. OBS-URL: https://build.opensuse.org/request/show/966798 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tpm2.0-abrmd?expand=0&rev=22
2022-04-05 17:55:07 +00:00 · 2022-04-05 17:55:07 +00:00 · 8ad3f04a3a
commit 8ad3f04a3a
parent e4c37f44dd 9bffff1eff
4 changed files with 39 additions and 2 deletions
--- a/README.SUSE
+++ b/README.SUSE
@ -0,0 +1,11 @@
 The tpm2-abrmd by upstream default allows every local users in the system to
 access the TPM chip and modify its settings (bsc#1197532). Upstream suggests
 to use the TPM's internal security features (e.g. password protection) to
 prevent local users from manipulating the chip without authorization. Still
 the default behaviour that every user in the system can access TPM features
 without any authentication could come as a surprise to end users and system
 integrators alike.
 For this reason on SUSE only members of the 'tss' group are allowed to access
 the tpm2-abrmd D-Bus interface, thereby mirroring the access permissions of
 the /dev/tpm0 and /dev/tpmrm0 character devices.
--- a/dbus-access.patch
+++ b/dbus-access.patch
@ -0,0 +1,16 @@
 Index: tpm2-abrmd-2.4.0/dist/tpm2-abrmd.conf
 ===================================================================
 --- tpm2-abrmd-2.4.0.orig/dist/tpm2-abrmd.conf
 +++ tpm2-abrmd-2.4.0/dist/tpm2-abrmd.conf
@@ -7,8 +7,10 @@
   </policy>
   <policy user="root">
     <allow own="com.intel.tss2.Tabrmd"/>
 +    <allow send_destination="com.intel.tss2.Tabrmd"/>
 +    <allow receive_sender="com.intel.tss2.Tabrmd"/>
   </policy>
 -  <policy context="default">
 +  <policy group="tss">
     <allow send_destination="com.intel.tss2.Tabrmd"/>
     <allow receive_sender="com.intel.tss2.Tabrmd"/>
   </policy>
--- a/tpm2.0-abrmd.changes
+++ b/tpm2.0-abrmd.changes
@ -1,3 +1,10 @@
 -------------------------------------------------------------------
 Mon Apr  4 10:45:24 UTC 2022 - Matthias Gerstner <matthias.gerstner@suse.com>
 - dbus-access.patch: restrict D-Bus access to tpm2-abrmd to members of the tss
  group (bsc#1197532). This prevents arbitrary users from meddling with TPM
  state and thus potential denial-of-service vectors.
 -------------------------------------------------------------------
 Wed Dec  8 16:50:13 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
--- a/tpm2.0-abrmd.spec
+++ b/tpm2.0-abrmd.spec
@ -1,7 +1,7 @@
 #
 # spec file for package tpm2.0-abrmd
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -37,7 +37,9 @@ Group:          Productivity/Security
 URL:            https://github.com/tpm2-software/tpm2-abrmd
 Source0:        https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz
 Source1:        tpm2.0-abrmd.rpmlintrc
 Source2:        README.SUSE
 Patch0:         harden_tpm2-abrmd.service.patch
 Patch1:         dbus-access.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  checkpolicy
@ -120,6 +122,7 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctpm2-abrmd
 # don't install the systemd preset, our presets are handled by
 # systemd-presets-* packages
 rm %{buildroot}%{_prefix}/lib*/systemd/system-preset/tpm2-abrmd.preset
 cp %{SOURCE2} .
 %if ! 0%{?install_dbus_files}
 rm %{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
 rm %{buildroot}/%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
@ -158,7 +161,7 @@ fi
 %endif
 %files
-%doc *.md
+%doc *.md README.SUSE
 %license LICENSE
 %{_mandir}/man7/tss2-*
 %{_mandir}/man8/tpm2-*