authenticated credentials improves security as credentials are not stored in plaintext and only
authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
credentials may be bound to the local hardware and installations, so that they cannot easily be
- analyzed offline, or be generated externally.</para>
+ analyzed offline, or be generated externally. When <varname>DevicePolicy=</varname> is set to
+ <literal>closed</literal> or <literal>strict</literal>, or set to <literal>auto</literal> and
+ <varname>DeviceAllow=</varname> is set, or <varname>PrivateDevices=</varname> is set, then this
+ setting adds <filename>/dev/tpmrm0</filename> with <constant>rw</constant> mode to
+ <varname>DeviceAllow=</varname>. See
+ <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>.</para>
<para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
be directly accessible to the unit's processes: the credential data is read and copied into separate,
if (r < 0)
return r;
}
+
+ /* If there are encrypted credentials we might need to access the TPM. */
+ ExecLoadCredential *cred;
+ HASHMAP_FOREACH(cred, ec->load_credentials)
+ if (cred->encrypted) {
+ r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
+ if (r < 0)
+ return r;
+ break;
+ }
}
}
echo "/usr/lib/systemd/systemd-pcrphase or PCR sysfs files not found, skipping PCR extension test case"
fi
+# Ensure that sandboxing doesn't stop creds from being accessible
+echo "test" > /tmp/testdata
+systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2
+systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
+rm /tmp/testdata
+
echo OK >/testok
exit 0