From d97413e8fe3bb2d09243ab19f910cc7badb11b2b Mon Sep 17 00:00:00 2001
From: Jerome Forissier <jerome.forissier@linaro.org>
Date: Fri, 17 Aug 2018 14:00:01 +0200
Subject: [PATCH] buildroot: run tee-supplicant as non-root
Create user and group tee/tee and set the proper permissions on /dev/tee*
and /data/tee so that tee-supplicant and the client applications may be
run as a non-root user.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
---
br-ext/package/optee_client/S30optee | 8 +++++++-
br-ext/package/optee_client/optee_client.mk | 9 +++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/br-ext/package/optee_client/S30optee b/br-ext/package/optee_client/S30optee
index 11d9993..2aede2c 100755
--- a/br-ext/package/optee_client/S30optee
+++ b/br-ext/package/optee_client/S30optee
@@ -7,8 +7,14 @@
case "$1" in
start)
if [ -e /usr/sbin/tee-supplicant -a -e /dev/teepriv0 ]; then
+ # tee-supplicant and the client applications need not run as
+ # root provided that the TEE devices and the data store have
+ # proper permissions
+ printf "Setting permissions on /dev/tee*... "
+ chown root:tee /dev/tee* && chmod 0660 /dev/tee*
+ [ $? = 0 ] && echo "OK" || echo "FAIL"
printf "Starting tee-supplicant... "
- /usr/sbin/tee-supplicant -d
+ su tee -c '/usr/sbin/tee-supplicant -d'
[ $? = 0 ] && echo "OK" || echo "FAIL"
else
echo "tee-supplicant or TEE device not found"
diff --git a/br-ext/package/optee_client/optee_client.mk b/br-ext/package/optee_client/optee_client.mk
index 0b746ad..d0d0487 100644
--- a/br-ext/package/optee_client/optee_client.mk
+++ b/br-ext/package/optee_client/optee_client.mk
@@ -17,4 +17,13 @@ define OPTEE_CLIENT_INSTALL_INIT_SYSV
$(OPTEE_CLIENT_INSTALL_SUPPLICANT_SCRIPT)
endef
+define OPTEE_CLIENT_USERS
+ tee -1 tee -1 * - /bin/sh - TEE user
+endef
+
+define OPTEE_CLIENT_PERMISSIONS
+ /data d 755 root root - - - - -
+ /data/tee d 770 tee tee - - - - -
+endef
+
$(eval $(cmake-package))
--
GitLab