Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tpm2.0-abrmd for openSUSE:Factory 
checked in at 2022-04-05 19:55:07
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tpm2.0-abrmd (Old)
 and      /work/SRC/openSUSE:Factory/.tpm2.0-abrmd.new.1900 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tpm2.0-abrmd"

Tue Apr  5 19:55:07 2022 rev:22 rq:966798 version:2.4.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/tpm2.0-abrmd/tpm2.0-abrmd.changes        
2021-12-08 22:09:21.422873876 +0100
+++ /work/SRC/openSUSE:Factory/.tpm2.0-abrmd.new.1900/tpm2.0-abrmd.changes      
2022-04-05 19:55:15.470364428 +0200
@@ -1,0 +2,7 @@
+Mon Apr  4 10:45:24 UTC 2022 - Matthias Gerstner <matthias.gerst...@suse.com>
+
+- dbus-access.patch: restrict D-Bus access to tpm2-abrmd to members of the tss
+  group (bsc#1197532). This prevents arbitrary users from meddling with TPM
+  state and thus potential denial-of-service vectors.
+
+-------------------------------------------------------------------

New:
----
  README.SUSE
  dbus-access.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tpm2.0-abrmd.spec ++++++
--- /var/tmp/diff_new_pack.51fq90/_old  2022-04-05 19:55:16.070357738 +0200
+++ /var/tmp/diff_new_pack.51fq90/_new  2022-04-05 19:55:16.078357649 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package tpm2.0-abrmd
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,7 +37,9 @@
 URL:            https://github.com/tpm2-software/tpm2-abrmd
 Source0:        
https://github.com/tpm2-software/tpm2-abrmd/releases/download/%{version}/tpm2-abrmd-%{version}.tar.gz
 Source1:        tpm2.0-abrmd.rpmlintrc
+Source2:        README.SUSE
 Patch0:         harden_tpm2-abrmd.service.patch
+Patch1:         dbus-access.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  checkpolicy
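Review bot: Patch1 is declared here but no %prep hunk is part of this diff, so confirm that %prep applies it (an `%autosetup -p1`/`%autopatch` already covering all Patch tags, or an explicit `%patch1 -p1` next to the existing Patch0 application); a declared-but-unapplied patch builds cleanly and ships the unrestricted upstream tpm2-abrmd.conf.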
@@ -120,6 +122,7 @@
 # don't install the systemd preset, our presets are handled by
 # systemd-presets-* packages
 rm %{buildroot}%{_prefix}/lib*/systemd/system-preset/tpm2-abrmd.preset
+cp %{SOURCE2} .
 %if ! 0%{?install_dbus_files}
 rm %{buildroot}/%{_sysconfdir}/dbus-1/system.d/tpm2-abrmd.conf
 rm 
%{buildroot}/%{_datadir}/dbus-1/system-services/com.intel.tss2.Tabrmd.service
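Review bot: the `%if ! 0%{?install_dbus_files}` branch directly below the new `cp %{SOURCE2} .` deletes tpm2-abrmd.conf from the buildroot, so on any target where install_dbus_files is unset dbus-access.patch has no effect, yet README.SUSE is installed unconditionally and states that the tss-group restriction is in place. Either make sure install_dbus_files is set for every shipped target or condition the README text (or its installation) on the same macro.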
@@ -158,7 +161,7 @@
 %endif
 
 %files
-%doc *.md
+%doc *.md README.SUSE
 %license LICENSE
 %{_mandir}/man7/tss2-*
 %{_mandir}/man8/tpm2-*

++++++ README.SUSE ++++++
The tpm2-abrmd by upstream default allows every local user on the system to
access the TPM chip and modify its settings (bsc#1197532). Upstream suggests
using the TPM's internal security features (e.g. password protection) to
prevent local users from manipulating the chip without authorization. Still,
the default behaviour that every user on the system can access TPM features
without any authentication could come as a surprise to end users and system
integrators alike.

For this reason on SUSE only members of the 'tss' group are allowed to access
the tpm2-abrmd D-Bus interface, thereby mirroring the access permissions of
the /dev/tpm0 and /dev/tpmrm0 character devices.
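To make the effect of the policy change concrete, the following is an added example (not part of README.SUSE, the package, or dbus-daemon): a deliberately simplified model of how the system bus evaluates `<policy>` blocks, run against the upstream tpm2-abrmd.conf and the SUSE variant produced by dbus-access.patch. The model assumes the system bus default denies sending unless a policy allows it, that policies apply in the order default context, then group, then user, and that the last matching rule wins; the user and group names (alice, bob) and both XML fragments are constructed from the hunk for illustration.

```python
"""Simplified model of dbus-daemon system-bus policy evaluation.

Compares the upstream tpm2-abrmd.conf (any local user may talk to the
daemon) with the SUSE variant (only root and members of 'tss').

Assumptions (added illustration, not dbus-daemon's own code):
  * the system bus default denies send/receive unless a policy allows it;
  * policies apply in the order context="default", then group=, then user=;
    within that order the last matching rule wins;
  * context="mandatory" and at_console policies are not modelled.
Both XML fragments are constructed from the hunk in dbus-access.patch.
"""
import xml.etree.ElementTree as ET

BUS_NAME = "com.intel.tss2.Tabrmd"

# Upstream default: every caller on the system bus may send to the daemon.
UPSTREAM_CONF = f"""<busconfig>
  <policy user="tss"><allow own="{BUS_NAME}"/></policy>
  <policy user="root"><allow own="{BUS_NAME}"/></policy>
  <policy context="default">
    <allow send_destination="{BUS_NAME}"/>
    <allow receive_sender="{BUS_NAME}"/>
  </policy>
</busconfig>"""

# SUSE variant after dbus-access.patch: root and the tss group only.
SUSE_CONF = f"""<busconfig>
  <policy user="tss"><allow own="{BUS_NAME}"/></policy>
  <policy user="root">
    <allow own="{BUS_NAME}"/>
    <allow send_destination="{BUS_NAME}"/>
    <allow receive_sender="{BUS_NAME}"/>
  </policy>
  <policy group="tss">
    <allow send_destination="{BUS_NAME}"/>
    <allow receive_sender="{BUS_NAME}"/>
  </policy>
</busconfig>"""


def may_send(conf_xml: str, user: str, groups: set, destination: str) -> bool:
    """True if `user` (member of `groups`) may send a message to `destination`."""
    policies = ET.fromstring(conf_xml).findall("policy")
    # Evaluation order: default context, then matching group policies,
    # then matching user policies.  Later matches override earlier ones.
    ordered = (
        [p for p in policies if p.get("context") == "default"]
        + [p for p in policies if p.get("group") in groups]
        + [p for p in policies if p.get("user") == user]
    )
    allowed = False  # system bus default: deny
    for policy in ordered:
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            dest = rule.get("send_destination")
            if dest is None:
                continue  # own= / receive_sender= rules do not govern sending
            if dest == "*" or dest == destination:
                allowed = rule.tag == "allow"  # last matching rule wins
    return allowed


def audit(conf_xml: str) -> dict:
    """Evaluate three representative callers (constructed) against a policy file."""
    return {
        "root": may_send(conf_xml, "root", {"root"}, BUS_NAME),
        "tss member": may_send(conf_xml, "alice", {"alice", "tss"}, BUS_NAME),
        "unprivileged": may_send(conf_xml, "bob", {"bob"}, BUS_NAME),
    }


if __name__ == "__main__":
    for name, conf in (("upstream", UPSTREAM_CONF), ("SUSE", SUSE_CONF)):
        print(f"{name}: {audit(conf)}")
```

Under this model the upstream file lets all three callers send to com.intel.tss2.Tabrmd, while the SUSE file admits root and the tss member and rejects the unprivileged user. The explicit `send_destination`/`receive_sender` lines in the `user="root"` block are what keep root working once the default-context grant is gone, since root is not necessarily a member of tss.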

++++++ dbus-access.patch ++++++
Index: tpm2-abrmd-2.4.0/dist/tpm2-abrmd.conf
===================================================================
--- tpm2-abrmd-2.4.0.orig/dist/tpm2-abrmd.conf
+++ tpm2-abrmd-2.4.0/dist/tpm2-abrmd.conf
@@ -7,8 +7,10 @@
   </policy>
   <policy user="root">
     <allow own="com.intel.tss2.Tabrmd"/>
+    <allow send_destination="com.intel.tss2.Tabrmd"/>
+    <allow receive_sender="com.intel.tss2.Tabrmd"/>
   </policy>
-  <policy context="default">
+  <policy group="tss">
     <allow send_destination="com.intel.tss2.Tabrmd"/>
     <allow receive_sender="com.intel.tss2.Tabrmd"/>
   </policy>
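Review bot: README.SUSE says "only members of the 'tss' group are allowed to access the tpm2-abrmd D-Bus interface", but the two allow lines added to the `user="root"` block in this hunk grant root access regardless of group membership; either say "root and members of the tss group" in the README or drop the root lines if root is expected to be a tss member. The root additions themselves are correct and necessary: turning `context="default"` into `group="tss"` removes the only grant that previously covered root, and the system bus default denies everything not matched, which is also why no explicit `<deny>` appears here. Since the file has no comment explaining this, consider a one-line XML comment above `<policy group="tss">` pointing at bsc#1197532 so the next person editing the conf does not restore the default-context block.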
