pid1: allowlist all tpm devices for a unit when encrypted creds are needed 26953/head
authorLennart Poettering <lennart@poettering.net>
Thu, 23 Mar 2023 17:22:43 +0000 (18:22 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 23 Mar 2023 17:22:43 +0000 (18:22 +0100)
We might be configured to use some other device than /dev/tpmrm0, hence
allow them all by allowlisting the tpm char device class as a whole.

src/core/unit.c

index 70f270e87472248be058be335779d208a6ad8154..a9dffdf2b9e7e5a93794113373af8861afb0a04c 100644 (file)
@@ -4217,7 +4217,7 @@ int unit_patch_contexts(Unit *u) {
 
                         /* If there are encrypted credentials we might need to access the TPM. */
                         if (exec_context_has_encrypted_credentials(ec)) {
-                                r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
+                                r = cgroup_add_device_allow(cc, "char-tpm", "rw");
                                 if (r < 0)
                                         return r;
                         }
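Review bot: The new `cgroup_add_device_allow(cc, "char-tpm", "rw")` call widens the unit's device policy from one node to every TPM character device, and nothing on the new side of the hunk records why the broader grant is required, so a later reader may "tighten" it back to /dev/tpmrm0 and reintroduce the bug. The comment above the check should carry that reasoning, e.g. `/* If there are encrypted credentials we might need to access the TPM. The device to use is configurable and is not necessarily /dev/tpmrm0, so allow the whole tpm char device class rather than a single node. */`. If the configured TPM device path is available to unit_patch_contexts at this point, allowing just that node would be the least-privilege option and worth considering; I cannot tell from the hunk whether it is reachable here. unit_patch_contexts starts and ends outside the hunk.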