On Wed, Apr 16, 2025 at 6:51 AM Andrea Cocito <and...@cocito.eu> wrote:

> Hello,
>
> I am fixing a few things in the security/tpm2-* ports; among other
> problems, security/tpm2-abrmd does not seem to properly handle the
> permissions of /dev/tpm0.
>
> At boot /dev/tpm0 is owned by root:wheel and mode 0600; the port tpm2-abrmd
> needs it to be at worst root:_tss and mode 0660, it tries to handle this by
> installing a dedicated /usr/local/etc/devd/tpm2-abrmd-devd.conf; besides
> the fact that the rules in the provided tpm2-abrmd-devd.conf are broken,
> this cannot work even in principle: tpm0 device is not loaded dynamically
> (it’s not a USB pen!) and devd does not receive any notification, because
> when the device is loaded (at kernel boot time) devd isn’t even running yet.
>
> The only options I see are:
> 1. Change the owner and permissions in the driver itself; but, while
> changing the permissions is fine, hardcoding a non-system gid (_tss=601) in
> a kernel driver does not look like a great idea to me.
> 2. Have the port change /etc/devfs.conf when installed; but I do not know
> of a “clean” way to do it.
> 3. Change the port so that user _tss is also member of wheel, and change
> the driver so that the device is root:wheel mode 0660; but I see this as a
> security issue
>
> So my questions are:
> A: Does anyone see any other option besides the ones listed above?
> B: What is the clean way to edit /etc/devfs.conf when installing a port?
>
> About question “B”, it could be easily done in the “post-install” target
> (or maybe done with “@postexec” and cleaned up with “@preunexec” in the
> plist?), but the Porter's Handbook strongly discourages using this target
> for anything besides changing files that the port itself installed; I have
> googled and dug into the documentation and could not find any clue.
>
> Looking at existing ports almost all of them end up with a note to the
> user in post-installation messages: “Please add the following lines to
> /etc/devfs.conf”; as it is not a change subject to administrator’s
> discretion, and all tpm2-* stuff simply does not work without this change,
> I do not think this is the best option.
>
> Any suggestion?
>
> Thanks,
>
> A.
>

Wouldn't this be done via the devfs rules infrastructure, which is used for
adding/removing/updating devfs entries at runtime?  Isn't devfs.conf only
used at boot time for system-related entries?

Drop a rules file into /usr/local/etc/devfs/ or /usr/local/etc/tpm2/ or
wherever the port uses for configuration info, then drop a config file into
/usr/local/etc/rc.d/ that configures devfs_rulesets to append your rule
file (or maybe do that via sysrc?). Then reload the devfs rules via
/etc/rc.d/devfs.

I remember having to do something similar a long, long, long time ago, but
haven't done anything with FreeBSD ports development in a good 10 years
now, so things may be different now. But this looks like the whole reason
for the devfs rules infrastructure.

man -k devfs
grep devfs /etc/defaults/rc.conf


-- 
Freddie Cash
fjwc...@gmail.com
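
Added example, not part of either message or of the port: a shell check that classifies a device node against the "at worst root:_tss and mode 0660" requirement quoted above, so the result of whichever mechanism is chosen can be confirmed after a reboot. The function name and return codes are assumptions of this example; 601 is the _tss gid given in the thread.

```shell
#!/bin/sh
# Added example (not from the port): classify a device node against the
# thread's requirement of "at worst root:_tss and mode 0660".
# ls -ldn is parsed because stat(1) flags differ between BSD and GNU.

# node_perms_check PATH WANT_UID WANT_GID   (hypothetical helper)
#   0  owner matches, group WANT_GID has rw, nothing for "other"
#   1  over-permissive, or wrong owner/group (security finding)
#   2  PATH cannot be listed
#   3  safe, but the group lacks rw access (e.g. the boot-time 0600 state)
node_perms_check() {
    path=$1 want_uid=$2 want_gid=$3
    line=$(ls -ldn -- "$path" 2>/dev/null) || return 2
    # Fields of a long listing: mode, link count, numeric uid, numeric gid.
    read -r mode _ uid gid _ <<EOF
$line
EOF
    # Characters 2-10 of the mode string are the rwx triplets; a trailing
    # ACL marker such as "+" sits at position 11 and is ignored.
    owner=$(printf '%s' "$mode" | cut -c2-4)
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)

    [ "$uid" = "$want_uid" ] || return 1
    [ "$other" = "---" ] || return 1
    # Owner may hold any subset of rw, never x or setuid (s/S).
    case $owner in [r-][w-]-) ;; *) return 1 ;; esac
    case $group in
        ---) return 3 ;;
        [r-][w-]-) [ "$gid" = "$want_gid" ] || return 1 ;;
        *) return 1 ;;
    esac
    # Group is the expected one but holds only part of rw: safe, not usable.
    [ "$group" = "rw-" ] || return 3
    return 0
}

# Usage on the host from the thread (601 is the _tss gid quoted there):
#   node_perms_check /dev/tpm0 0 601; echo $?
```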
