From 516eb0672fddb12ad485fc640d27195886449623 Mon Sep 17 00:00:00 2001 From: Gyorgy Szing Date: Wed, 2 Apr 2025 16:16:50 +0200 Subject: [PATCH] optee-client: drop privileges of tee-supplicant Stop the tee-supplicant being run with root privileges when the system is not using systemd. Signed-off-by: Gyorgy Szing Signed-off-by: Ross Burton Signed-off-by: Jon Mason --- meta-arm/recipes-security/optee/optee-client.inc | 2 ++ meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/meta-arm/recipes-security/optee/optee-client.inc b/meta-arm/recipes-security/optee/optee-client.inc index 519041d6..ac003a24 100644 --- a/meta-arm/recipes-security/optee/optee-client.inc +++ b/meta-arm/recipes-security/optee/optee-client.inc @@ -32,6 +32,8 @@ do_install:append() { install -D -p -m0755 ${UNPACKDIR}/tee-supplicant.sh ${D}${sysconfdir}/init.d/tee-supplicant sed -i -e s:@sysconfdir@:${sysconfdir}:g \ -e s:@sbindir@:${sbindir}:g \ + -e s:@supluser@:teesuppl:g \ + -e s:@suplgroup@:teesuppl:g \ ${D}${sysconfdir}/init.d/tee-supplicant fi install -o teesuppl -g teesuppl -m 0700 -d ${D}${localstatedir}/lib/tee diff --git a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh index b4d21950..12e81770 100644 --- a/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh +++ b/meta-arm/recipes-security/optee/optee-client/tee-supplicant.sh @@ -14,7 +14,7 @@ test -f $DAEMON || exit 0 test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS -SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS" +SSD_OPTIONS="-c @supluser@:@suplgroup@ --oknodo --quiet --exec $DAEMON -- -d $OPTARGS" set -e