From 0221098739b0923c313945af072e1f9017a570b6 Mon Sep 17 00:00:00 2001
From: Javier Tia
Date: Mon, 18 Sep 2023 21:04:52 +0200
Subject: [PATCH] libts: tee-udev.rules: Change ownership to tee group

tee and teeclnt are there to avoid running client applications (CAs) and tee-supplicant as root.

- The teeclnt group stands for "TEE client" and is for CAs (CAs need access to /dev/tee[0-9]* but not /dev/teepriv[0-9]*).
- tee is just for tee-supplicant to open its device /dev/teepriv[0-9]*. No other process is supposed to open that one.

Signed-off-by: Javier Tia
Reviewed-by: Jerome Forissier
Signed-off-by: Jon Mason
---
 meta-arm/recipes-security/trusted-services/libts/tee-udev.rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
index af428974..43fafd8c 100644
--- a/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
+++ b/meta-arm/recipes-security/trusted-services/libts/tee-udev.rules
@@ -3,5 +3,5 @@ KERNEL=="tee[0-9]*", TAG+="systemd", MODE="0660", GROUP="teeclnt"
 # If a /dev/teepriv[0-9]* device is detected, start an instance of
 # tee-supplicant.service with the device name as parameter
-KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="teeclnt", \
+KERNEL=="teepriv[0-9]*", MODE="0660", OWNER="root", GROUP="tee", \
 TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"
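Review bot: With `GROUP="tee"` and `MODE="0660"` on the new `KERNEL=="teepriv[0-9]*"` line, the "no other process is supposed to open that one" property from the commit message holds only while the `tee` group has no members besides the tee-supplicant service user; the rule itself cannot enforce that, and the group's creation is not visible in this patch (presumably handled by the libts recipe). I would record the assumption next to the rule so the two groups are not merged later, e.g. `# "tee" must contain only the tee-supplicant user; CAs use "teeclnt" via /dev/tee[0-9]*`. If the `tee` group does not exist when udev parses the rules, the GROUP assignment is presumably ignored and the node stays root-owned, which would make a non-root tee-supplicant fail to open /dev/teepriv*, so the recipe's group creation ordering relative to rule installation is worth confirming.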