diff --git a/README.SUSE b/README.SUSE
new file mode 100644
index 0000000..c30e66b
--- /dev/null
+++ b/README.SUSE
@@ -0,0 +1,11 @@
+The tpm2-abrmd by upstream default allows every local users in the system to
+access the TPM chip and modify its settings (bsc#1197532). Upstream suggests
+to use the TPM's internal security features (e.g. password protection) to
+prevent local users from manipulating the chip without authorization. Still
+the default behaviour that every user in the system can access TPM features
+without any authentication could come as a surprise to end users and system
+integrators alike.
+
+For this reason on SUSE only members of the 'tss' group are allowed to access
+the tpm2-abrmd D-Bus interface, thereby mirroring the access permissions of
+the /dev/tpm0 and /dev/tpmrm0 character devices.
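Review bot: the README tells users what is restricted but not how to regain access; add a sentence for administrators saying that a user or service account that needs the TPM through tpm2-abrmd must be added to the 'tss' group (e.g. `usermod -a -G tss <user>`, effective at the next login), since clients that reach tpm2-abrmd over D-Bus are otherwise refused by the bus. Two grammar fixes in the first paragraph while at it: "allows every local users in the system" should read "allows every local user on the system", and "Upstream suggests to use" should read "Upstream suggests using".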
diff --git a/dbus-access.patch b/dbus-access.patch
new file mode 100644
index 0000000..0185f7a
--- /dev/null
+++ b/dbus-access.patch
@@ -0,0 +1,16 @@
+Index: tpm2-abrmd-2.4.0/dist/tpm2-abrmd.conf
+===================================================================
+--- tpm2-abrmd-2.4.0.orig/dist/tpm2-abrmd.conf
++++ tpm2-abrmd-2.4.0/dist/tpm2-abrmd.conf
+@@ -7,8 +7,10 @@
+
+
+
++
++
+
+-
++
+
+
+
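Review bot: the patch has no descriptive header; only the `Index:`/`---`/`+++` lines and the hunk header `@@ -7,8 +7,10 @@` (three lines added, one removed) are there, and as rendered on this page the body consists of blank `+`/`-` lines, so the actual change to dist/tpm2-abrmd.conf cannot be reviewed from here. Add a header to the patch file with author, date, the bsc#1197532 reference and one line saying which D-Bus policy element is replaced and why (members of the tss group only), so the intent is self-documenting and matches the changes entry and README.SUSE.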
diff --git a/tpm2.0-abrmd.changes b/tpm2.0-abrmd.changes
index 2be8610..961a875 100644
--- a/tpm2.0-abrmd.changes
+++ b/tpm2.0-abrmd.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Apr 4 10:45:24 UTC 2022 - Matthias Gerstner
+
+- restrict D-Bus access to tpm2-abrmd to members of the tss group
+ (bsc#1197532). This prevents arbitrary users from meddling with TPM state
+ and thus potential denial-of-service vectors.
+
-------------------------------------------------------------------
Wed Dec 8 16:50:13 UTC 2021 - Alberto Planas Dominguez
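Review bot: the entry describes the motivation but not the operational consequence: after this update any existing user or service that talked to tpm2-abrmd over D-Bus and is not a member of the tss group loses access. A second bullet such as "- users and services accessing the TPM via tpm2-abrmd must now be members of the tss group, see README.SUSE" would make that migration step visible to administrators reading the changelog.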
diff --git a/tpm2.0-abrmd.spec b/tpm2.0-abrmd.spec
index bba3453..1e0758d 100644
--- a/tpm2.0-abrmd.spec
+++ b/tpm2.0-abrmd.spec
@@ -1,7 +1,7 @@
#
# spec file for package tpm2.0-abrmd
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -37,7 +37,9 @@ Group: Productivity/Security
URL: https://github.com/tpm2-software/tpm2-abrmd
Source0: https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz
Source1: tpm2.0-abrmd.rpmlintrc
+Source2: README.SUSE
Patch0: harden_tpm2-abrmd.service.patch
+Patch1: dbus-access.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: checkpolicy
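Review bot: Patch1 is declared here but this diff contains no change to %prep. If the spec already uses `%autosetup -p1` the new patch is applied automatically; if it applies patches explicitly, a `%patch1 -p1` line is missing (the patch uses `Index: tpm2-abrmd-2.4.0/...` paths, so it needs -p1) and the build would ship the unmodified upstream tpm2-abrmd.conf while README.SUSE claims the restriction is in place. Please confirm which case applies.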
@@ -120,6 +122,7 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rctpm2-abrmd
# don't install the systemd preset, our presets are handled by
# systemd-presets-* packages
rm %{buildroot}%{_prefix}/lib*/systemd/system-preset/tpm2-abrmd.preset
+cp %{SOURCE2} .
%if ! 0%{?install_dbus_files}
rm %{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
rm %{buildroot}/%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
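Review bot: README.SUSE is copied unconditionally, but the block immediately below removes tpm2-abrmd.conf (the very file the patch modifies) when install_dbus_files is unset, so on such builds the package ships a README describing a D-Bus policy file that is not installed. Either state in README.SUSE that the note applies only when the D-Bus files are installed, or guard the `cp %{SOURCE2} .` and the corresponding %doc entry with the same `%if 0%{?install_dbus_files}`.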
@@ -158,7 +161,7 @@ fi
%endif
%files
-%doc *.md
+%doc *.md README.SUSE
%license LICENSE
%{_mandir}/man7/tss2-*
%{_mandir}/man8/tpm2-*
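Review bot: style point on how README.SUSE reaches %doc: copying it into the build directory during %install (see the `cp %{SOURCE2} .` above) works because %doc paths are relative to the build directory, but the conventional place for that copy is %prep, right after Source0 is unpacked, so the documentation step does not hide between the file removals in %install.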