Allow /dev/tpmrm0 on older systemd versions (#2587)

Older systemd versions require an explicit DeviceAllow= entry before the TPM device can be accessed.
This commit is contained in:
Firstyear 2024-02-27 12:13:31 +10:00 committed by William Brown
parent 6fb4fac5d0
commit 81298e8b81
3 changed files with 6 additions and 2 deletions


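--- a/<systemd-unit-file-1: path not shown on page>
+++ b/<systemd-unit-file-1: path not shown on page>
@@ -32,6 +32,8 @@ NoNewPrivileges=true
 PrivateTmp=true
 # We have to disable this to allow tpmrm0 access for tpm binding.
 PrivateDevices=false
+# Older versions of systemd require this to be explicitly allowed.
+DeviceAllow=/dev/tpmrm0 rw
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true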
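Review bot: Adding `DeviceAllow=/dev/tpmrm0 rw` while the unit keeps `PrivateDevices=false` changes more than the new comment says: per systemd.resource-control(5), the default `DevicePolicy=auto` grants access to all devices only when no `DeviceAllow=` line is present, so with this line the service is confined to the standard pseudo devices plus `/dev/tpmrm0` on every systemd version, not just older ones. That is the right direction for a service that only needs the TPM resource manager, but it should be stated and made explicit rather than implied, e.g. `DevicePolicy=closed` directly above the new line. The comment should also name the version boundary, something like `# systemd < <VERSION> needs an explicit allow-list for /dev/tpmrm0; newer versions still honour it` with the real number filled in, because "older" gives the next maintainer nothing to check before dropping it. The same two lines are added to the second unit file in this commit and both points apply there as well.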


@ -32,6 +32,9 @@ NoNewPrivileges=true
PrivateTmp=true PrivateTmp=true
# We have to disable this to allow tpmrm0 access for tpm binding. # We have to disable this to allow tpmrm0 access for tpm binding.
PrivateDevices=false PrivateDevices=false
# Older versions of systemd require this to be explicitly allowed.
DeviceAllow=/dev/tpmrm0 rw
ProtectHostname=true ProtectHostname=true
ProtectClock=true ProtectClock=true
ProtectKernelTunables=true ProtectKernelTunables=true


@ -78,9 +78,8 @@ impl Display for UidAttr {
#[derive(Debug, Clone, Default)] #[derive(Debug, Clone, Default)]
pub enum HsmType { pub enum HsmType {
#[cfg_attr(not(feature = "tpm"), default)] #[default]
Soft, Soft,
#[cfg_attr(feature = "tpm", default)]
Tpm, Tpm,
} }
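Review bot: The derived `Default` for `HsmType` now resolves to `Soft` even when the `tpm` feature is enabled, if the rendered lines are read as `#[default]` replacing the `cfg_attr(not(feature = "tpm"), default)` on `Soft` and the `cfg_attr(feature = "tpm", default)` on `Tpm` being dropped; that is a behaviour change for every caller that relies on `HsmType::default()`, and neither the commit title nor the description mentions it. Because this decides whether key material is hardware-bound or software-held when nothing is configured, it deserves a sentence in the commit description and a doc comment on the enum, e.g. `/// Defaults to `Soft` regardless of the `tpm` feature; a TPM-backed HSM must be selected explicitly.` If keeping TPM as the feature-gated default was intended, the conditional attributes should be restored instead of unconditionally defaulting to `Soft`. The enum is complete within this hunk; the `impl Display for UidAttr` in the hunk header is only surrounding context.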