From 81298e8b81aac430c862388c8a9bafb2eb5f0ef0 Mon Sep 17 00:00:00 2001
From: Firstyear
Date: Tue, 27 Feb 2024 12:13:31 +1000
Subject: [PATCH] Allow /dev/tpmrm0 on older systemd versions (#2587)

Older systemd versions require a specific device allow for the tpm to be accessed.
---
 platform/debian/systemd/kanidm-unixd.service | 2 ++
 platform/opensuse/kanidm-unixd.service | 3 +++
 unix_integration/src/unix_config.rs | 3 +--
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/platform/debian/systemd/kanidm-unixd.service b/platform/debian/systemd/kanidm-unixd.service
index 0004e0015..1005778c3 100644
--- a/platform/debian/systemd/kanidm-unixd.service
+++ b/platform/debian/systemd/kanidm-unixd.service
@@ -32,6 +32,8 @@ NoNewPrivileges=true
 PrivateTmp=true
 # We have to disable this to allow tpmrm0 access for tpm binding.
 PrivateDevices=false
+# Older versions of systemd require this to be explicitly allowed.
+DeviceAllow=/dev/tpmrm0 rw
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true
diff --git a/platform/opensuse/kanidm-unixd.service b/platform/opensuse/kanidm-unixd.service
index de3aa7f17..d316b5ec4 100644
--- a/platform/opensuse/kanidm-unixd.service
+++ b/platform/opensuse/kanidm-unixd.service
@@ -32,6 +32,9 @@ NoNewPrivileges=true
 PrivateTmp=true
 # We have to disable this to allow tpmrm0 access for tpm binding.
 PrivateDevices=false
+# Older versions of systemd require this to be explicitly allowed.
+DeviceAllow=/dev/tpmrm0 rw
+
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true
diff --git a/unix_integration/src/unix_config.rs b/unix_integration/src/unix_config.rs
index f3dbb1499..00fd9c369 100644
--- a/unix_integration/src/unix_config.rs
+++ b/unix_integration/src/unix_config.rs
@@ -78,9 +78,8 @@ impl Display for UidAttr {
 #[derive(Debug, Clone, Default)]
 pub enum HsmType {
- #[cfg_attr(not(feature = "tpm"), default)]
+ #[default]
 Soft,
- #[cfg_attr(feature = "tpm", default)]
 Tpm,
 }
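Review bot: The added `DeviceAllow=/dev/tpmrm0 rw` does more than the comment says: under systemd's default `DevicePolicy=auto`, the presence of any `DeviceAllow=` turns the unit's device access from unrestricted into an allow-list of the listed node plus the standard pseudo-devices (null, zero, full, random, urandom), so with `PrivateDevices=false` every other device node the daemon might open is now denied. That is a welcome tightening, but it is an invariant future editors need to know, so I would extend the comment to `# Any DeviceAllow= also narrows DevicePolicy to an allow-list; add further devices here if the daemon ever needs them.` The same applies to the opensuse unit hunk, which additionally gains a trailing blank line the debian unit does not, so the two files no longer stay in lockstep. Neither the comment nor the commit message names the systemd version that requires the explicit allow; recording it would make it clear when this line can be retired.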
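Review bot: Replacing the two `cfg_attr` defaults with a bare `#[default]` on `Soft` changes the effective default for builds with the `tpm` feature, where `Tpm` was previously selected, yet neither the commit message nor the enum documents this; a deployment that relied on the feature-driven default will presumably fall back to the software HSM after upgrade without any configuration change, which is a silent weakening of key protection. I would add a doc comment on the enum such as `/// The default is always `Soft`, independent of the `tpm` build feature; TPM binding must be selected explicitly in the unixd configuration.` and call the behaviour change out in the commit message. If the config loader has a place to log the resolved backend at startup, emitting it there would make the downgrade visible to operators. The enum's surrounding context and any `impl` blocks are outside the hunk.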