From 7b490d73dcdf8bd1022b4ffe129873a86112bf8c Mon Sep 17 00:00:00 2001
From: Firstyear <william@blackhats.net.au>
Date: Tue, 27 Feb 2024 12:13:31 +1000
Subject: [PATCH] Allow /dev/tpmrm0 on older systemd versions (#2587)

Older systemd versions require a specific DeviceAllow= entry for the TPM to be accessible.
---
 platform/debian/systemd/kanidm-unixd.service | 2 ++
 platform/opensuse/kanidm-unixd.service       | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/platform/debian/systemd/kanidm-unixd.service b/platform/debian/systemd/kanidm-unixd.service
index 19d3d469f..3572553eb 100644
--- a/platform/debian/systemd/kanidm-unixd.service
+++ b/platform/debian/systemd/kanidm-unixd.service
@@ -35,6 +35,8 @@ NoNewPrivileges=true
 PrivateTmp=true
 # We have to disable this to allow tpmrm0 access for tpm binding.
 PrivateDevices=false
+# Older versions of systemd require this to be explicitly allowed.
+DeviceAllow=/dev/tpmrm0 rw
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true
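Review bot: The new `DeviceAllow=/dev/tpmrm0 rw` line does more than the comment above it says: with `DevicePolicy=` left at its default `auto`, the presence of any `DeviceAllow=` turns the unit from "all devices reachable" (the state `PrivateDevices=false` left it in) into an allow-list of /dev/tpmrm0 plus the standard pseudo-devices, per systemd.resource-control(5). That is a sound tightening for a service that only needs the TPM resource manager, but it should be documented, and anything else the daemon opens under /dev (for example a direct /dev/tpm0 fallback, if one exists) would now fail; worth confirming against the unixd code. I would replace the comment with `# DeviceAllow= also makes the unit's device policy an allow-list: only /dev/tpmrm0 and standard pseudo-devices remain reachable, which is the intent after disabling PrivateDevices.` and optionally make that explicit with `DevicePolicy=closed` so the behaviour does not hinge on the auto default. The same applies to the opensuse unit in the second hunk; the enclosing [Service] section starts outside both hunks.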
diff --git a/platform/opensuse/kanidm-unixd.service b/platform/opensuse/kanidm-unixd.service
index 32c2fbd7a..317a26255 100644
--- a/platform/opensuse/kanidm-unixd.service
+++ b/platform/opensuse/kanidm-unixd.service
@@ -35,6 +35,9 @@ NoNewPrivileges=true
 PrivateTmp=true
 # We have to disable this to allow tpmrm0 access for tpm binding.
 PrivateDevices=false
+# Older versions of systemd require this to be explicitly allowed.
+DeviceAllow=/dev/tpmrm0 rw
+
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true
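Review bot: The extra blank line added after `DeviceAllow=` here is absent from the otherwise identical debian hunk, so the two units now drift in formatting; either drop the blank line or add it to both so the files stay diffable against each other. Keeping the two platform units byte-for-byte aligned in their hardening block makes future reviews of one apply cleanly to the other.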