On Wed, 16 Apr 2025 14:14:24 -0700 Freddie Cash <[email protected]> wrote:
> On Wed, Apr 16, 2025 at 6:51 AM Andrea Cocito <[email protected]> wrote:
>
> > Hello,
> >
> > I am fixing a few things in the security/tpm2-* ports; among other
> > problems, security/tpm2-abrmd does not seem to handle properly the
> > permissions of /dev/tpm0.
> >
> > At boot /dev/tpm0 is owned by root:wheel and mode 0600; the port tpm2-abrmd
> > needs it to be at worst root:_tss and mode 0660. It tries to handle this by
> > installing a dedicated /usr/local/etc/devd/tpm2-abrmd-devd.conf; besides
> > the fact that the rules in the provided tpm2-abrmd-devd.conf are broken,
> > this cannot work even in principle: the tpm0 device is not loaded dynamically
> > (it's not a USB pen!) and devd does not receive any notification, because
> > when the device is loaded (at kernel boot time) devd isn't even running yet.
> >
> > The only options I see are:
> > 1. Change the owner and permissions in the driver itself; but, while
> >    changing the permissions is fine, hardcoding a non-system gid (_tss=601) in
> >    a kernel driver does not look like a great idea to me.
> > 2. Have the port change /etc/devfs.conf when installed; but I do not know
> >    of a "clean" way to do it.
> > 3. Change the port so that user _tss is also a member of wheel, and change
> >    the driver so that the device is root:wheel mode 0660; but I see this as a
> >    security issue.
> >
> > So my questions are:
> > A: Does anyone see any other option besides the ones listed above?
> > B: What is the clean way to edit /etc/devfs.conf when installing a port?
> >
> > About question "B", it could be easily done in the "post-install" target
> > (or maybe done with "@postexec" and cleaned up with "@preunexec" in the
> > plist?), but the Porter's Handbook strongly discourages using this target
> > for anything besides changing files that the port itself installed; I have
> > googled and dug into the documentation and could not find any clue.
> >
> > Looking at existing ports, almost all of them end up with a note to the
> > user in post-installation messages: "Please add the following lines to
> > /etc/devfs.conf"; as it is not a change subject to the administrator's
> > discretion, and all tpm2-* stuff simply does not work without this change,
> > I do not think this is the best option.
> >
> > Any suggestion?
> >
> > Thanks,
> >
> > A.
>
> Wouldn't this be done via the devfs rules infrastructure, which is used for
> adding/removing/updating devfs entries at runtime? Isn't devfs.conf only
> used at boot time for system-related entries?
>
> Drop a rules file into /usr/local/etc/devfs/ or /usr/local/etc/tpm2/ or
> wherever the port uses for configuration info, then drop a config file into
> /usr/local/etc/rc.d/ that configures devfs_rulesets to append your rule
> file (or maybe do that via sysrc?). Then reload the devfs rules via
> /etc/rc.d/devfs.
>
> I remember having to do something similar a long, long, long time ago, but
> haven't done anything with FreeBSD ports development in a good 10 years
> now, so things may be different now. But this looks like the whole reason
> for the devfs rules infrastructure.
>
> man -k devfs
> grep devfs /etc/defaults/rc.conf
>
> --
> Freddie Cash
> [email protected]

If a devfs rule file is OK, you can use sysrc, like

  sysrc devfs_rulesets+="/usr/local/etc/your/devfs/rule/file"

and possibly devfs_system_ruleset needs to be handled, too.
Read the sysrc(8) manpage and /etc/defaults/rc.conf for details.

But most ports refer to sysrc in pkg-message[-in] to leave the decision to
enable/disable to the admins.

Regards.

--
Tomoaki AOKI <[email protected]>
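As an added example (not code from the thread, the tpm2-abrmd port, or the FreeBSD base system), the POSIX sh script below renders the devfs(8) ruleset that Freddie and Tomoaki describe and checks an "ls -l /dev/tpm0" line against the policy Andrea states (root:_tss, mode 0660, nothing for others), so an admin can verify that the ruleset actually took effect rather than that the port merely installed it. The ruleset name tpm2_abrmd, its number 10, and the path /usr/local/etc/tpm2/devfs.rules are assumptions; the sample ls lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the tpm2-abrmd port.
# Renders a devfs.rules(5) ruleset that makes /dev/tpm0 root:_tss 0660 (the
# permissions the thread says tpm2-abrmd needs) and checks an "ls -l" line
# against that policy. Assumed names: ruleset "tpm2_abrmd", number 10.

# Write the ruleset to the file named in $1 (on FreeBSD this would be
# /etc/devfs.rules or a file listed in rc.conf's devfs_rulesets).
write_tpm_devfs_ruleset() {
    cat > "$1" <<'EOF'
# tpm2-abrmd: let the _tss group (the daemon's user) talk to the TPM.
# Ruleset name and number are assumptions for this example.
[tpm2_abrmd=10]
add path 'tpm0' mode 0660 group _tss
EOF
}

# Check one "ls -l /dev/tpm0" line against the policy
# "owner root, group _tss, exactly rw for owner and group, nothing for others".
# Returns 0 when the node matches, 1 (with a reason on stdout) otherwise.
check_tpm_dev_line() {
    # shellcheck disable=SC2086
    set -- $1                       # split into: mode links owner group ...
    mode=$1 owner=$3 group=$4
    type=$(printf '%s' "$mode" | cut -c1)
    ubits=$(printf '%s' "$mode" | cut -c2-4)
    gbits=$(printf '%s' "$mode" | cut -c5-7)
    obits=$(printf '%s' "$mode" | cut -c8-10)

    [ "$type" = c ]      || { echo "not a character device: $mode"; return 1; }
    [ "$owner" = root ]  || { echo "owner is $owner, expected root"; return 1; }
    [ "$obits" = "---" ] || { echo "world-accessible: $mode"; return 1; }
    [ "$ubits" = "rw-" ] || { echo "owner bits are $ubits, expected rw-"; return 1; }
    # The boot-time default root:wheel 0600 fails here: _tss cannot open the TPM.
    [ "$gbits" = "rw-" ] || { echo "group bits are $gbits, expected rw-"; return 1; }
    [ "$group" = _tss ]  || { echo "group is $group, expected _tss"; return 1; }
    return 0
}

# Demo: render the ruleset and check two constructed sample lines.
# On a real host the admin would then enable the ruleset, as the thread suggests:
#   sysrc devfs_rulesets+="/usr/local/etc/tpm2/devfs.rules"   # assumed path
#   sysrc devfs_system_ruleset="tpm2_abrmd"
#   /etc/rc.d/devfs restart
if [ "${1:-}" = "demo" ]; then
    write_tpm_devfs_ruleset "${TMPDIR:-/tmp}/tpm2-abrmd.devfs.rules"
    for line in \
        "crw------- 1 root wheel 0x4f Apr 16 14:14 /dev/tpm0" \
        "crw-rw---- 1 root _tss  0x4f Apr 16 14:14 /dev/tpm0"; do
        if check_tpm_dev_line "$line"; then echo "OK: $line"; fi
    done
fi
```

Run it as `sh tpm-devfs.sh demo`: the first constructed line (the boot-time default Andrea describes) is rejected because the group has no access, the second passes. The checker deliberately refuses any mode that grants access to "other", so a ruleset that over-corrects to 0666 is caught as well as one that never applied.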
