Accepting request 966798 from security

- dbus-access.patch: restrict D-Bus access to tpm2-abrmd to members of the tss group (bsc#1197532). This prevents arbitrary users from meddling with TPM state and thus potential denial-of-service vectors. OBS-URL: https://build.opensuse.org/request/show/966798 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tpm2.0-abrmd?expand=0&rev=22
2022-04-05 17:55:07 +00:00 · 2022-04-05 17:55:07 +00:00 · 8ad3f04a3a
commit 8ad3f04a3a
parent e4c37f44dd 9bffff1eff
4 changed files with 39 additions and 2 deletions
--- a/README.SUSE
+++ b/README.SUSE
@ -0,0 +1,11 @@
+The tpm2-abrmd by upstream default allows every local users in the system to
+access the TPM chip and modify its settings (bsc#1197532). Upstream suggests
+to use the TPM's internal security features (e.g. password protection) to
+prevent local users from manipulating the chip without authorization. Still
+the default behaviour that every user in the system can access TPM features
+without any authentication could come as a surprise to end users and system
+integrators alike.
+
+For this reason on SUSE only members of the 'tss' group are allowed to access
+the tpm2-abrmd D-Bus interface, thereby mirroring the access permissions of
+the /dev/tpm0 and /dev/tpmrm0 character devices.
--- a/dbus-access.patch
+++ b/dbus-access.patch
@ -0,0 +1,16 @@
+Index: tpm2-abrmd-2.4.0/dist/tpm2-abrmd.conf
+===================================================================
+--- tpm2-abrmd-2.4.0.orig/dist/tpm2-abrmd.conf
+++ tpm2-abrmd-2.4.0/dist/tpm2-abrmd.conf
+@@ -7,8 +7,10 @@
+   </policy>
+   <policy user="root">
+     <allow own="com.intel.tss2.Tabrmd"/>
+    <allow send_destination="com.intel.tss2.Tabrmd"/>
+    <allow receive_sender="com.intel.tss2.Tabrmd"/>
+   </policy>
+-  <policy context="default">
+  <policy group="tss">
+     <allow send_destination="com.intel.tss2.Tabrmd"/>
+     <allow receive_sender="com.intel.tss2.Tabrmd"/>
+   </policy>
--- a/tpm2.0-abrmd.changes
+++ b/tpm2.0-abrmd.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Apr  4 10:45:24 UTC 2022 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- dbus-access.patch: restrict D-Bus access to tpm2-abrmd to members of the tss
+  group (bsc#1197532). This prevents arbitrary users from meddling with TPM
+  state and thus potential denial-of-service vectors.
+
 -------------------------------------------------------------------
 Wed Dec  8 16:50:13 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>

--- a/tpm2.0-abrmd.spec
+++ b/tpm2.0-abrmd.spec
@ -1,7 +1,7 @@
 #
 # spec file for package tpm2.0-abrmd
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -37,7 +37,9 @@ Group:          Productivity/Security
 URL:            https://github.com/tpm2-software/tpm2-abrmd
 Source0:        https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz
 Source1:        tpm2.0-abrmd.rpmlintrc
+Source2:        README.SUSE
 Patch0:         harden_tpm2-abrmd.service.patch
+Patch1:         dbus-access.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  checkpolicy
@ -120,6 +122,7 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctpm2-abrmd
 # don't install the systemd preset, our presets are handled by
 # systemd-presets-* packages
 rm %{buildroot}%{_prefix}/lib*/systemd/system-preset/tpm2-abrmd.preset
+cp %{SOURCE2} .
 %if ! 0%{?install_dbus_files}
 rm %{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
 rm %{buildroot}/%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
@ -158,7 +161,7 @@ fi
 %endif

 %files
-%doc *.md
+%doc *.md README.SUSE
 %license LICENSE
 %{_mandir}/man7/tss2-*
 %{_mandir}/man8/tpm2-*