From: Lennart Poettering
Date: Thu, 23 Mar 2023 17:22:43 +0000 (+0100)
Subject: pid1: allowlist all tpm devices for a unit when encrypted creds are needed
X-Git-Tag: v254-rc1~946^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F26953%2Fhead;p=thirdparty%2Fsystemd.git
pid1: allowlist all tpm devices for a unit when encrypted creds are needed
We might be configured to use some ther device than /dev/tpmrm0, hence allow them all by allowlisting the tpm char device class as a whole.
---
diff --git a/src/core/unit.c b/src/core/unit.c
index 70f270e8747..a9dffdf2b9e 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4217,7 +4217,7 @@ int unit_patch_contexts(Unit *u) {
 /* If there are encrypted credentials we might need to access the TPM. */
 if (exec_context_has_encrypted_credentials(ec)) {
- r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
+ r = cgroup_add_device_allow(cc, "char-tpm", "rw");
 if (r < 0)
 return r;
 }
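Review bot: The new `"char-tpm"` entry grants `rw` on the entire TPM character-device class, so every unit with encrypted credentials now also gets the raw, non-resource-managed TPM node rather than only `/dev/tpmrm0`, which is a wider device grant than a single decryption path needs. If that widening is intended because the device is configurable, the comment above the `if` should record the trade-off rather than leave it implicit: `/* If there are encrypted credentials we might need to access the TPM. Allow the whole char-tpm class, since the configured device may not be /dev/tpmrm0. */`. If the configured TPM device path is already known to pid1 here, allowlisting just that path would keep the grant minimal — hedged, since the hunk does not show where the device is selected. The enclosing `unit_patch_contexts` starts and ends outside the hunk.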