author | Luca Boccassi <bluca@debian.org> | 2023-02-08 00:25:00 +0000 |
---|---|---|
committer | Luca Boccassi <luca.boccassi@gmail.com> | 2023-02-08 10:59:55 +0000 |
commit | 398dc7d39b9a877e71529f0e0b139329e4c6992e (patch) | |
tree | cd526003c8aa3cd96bdb9c2422bc04980c279341 /test | |
parent | b0fc23fae51d244d2c33d70c10003aa5d5840223 (diff) | |
download | systemd-398dc7d39b9a877e71529f0e0b139329e4c6992e.tar.gz |
core: imply DeviceAllow=/dev/tpmrm0 with LoadCredentialEncrypted
If the device access policy is restricted, add implicitly access to the TPM
if at least one encrypted credential needs to be loaded.
Fixes https://github.com/systemd/systemd/issues/26042
Diffstat (limited to 'test')
-rwxr-xr-x | test/units/testsuite-70.sh | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh index 589baf370f..54e30642a5 100755 --- a/test/units/testsuite-70.sh +++ b/test/units/testsuite-70.sh @@ -208,6 +208,12 @@ else echo "/usr/lib/systemd/systemd-pcrphase or PCR sysfs files not found, skipping PCR extension test case" fi +# Ensure that sandboxing doesn't stop creds from being accessible +echo "test" > /tmp/testdata +systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2 +systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata +rm /tmp/testdata + echo OK >/testok exit 0 |
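Review bot: The cleanup at the end of the added block only runs `rm /tmp/testdata`, so `/tmp/testdata.encrypted` is left behind. Suggest `rm /tmp/testdata /tmp/testdata.encrypted`. The commit message describes the implicit TPM access as applying whenever the device access policy is restricted, but the test only exercises `PrivateDevices=yes`. A second `systemd-run` invocation with `-p DevicePolicy=closed` would cover the case where the policy is restricted directly rather than through `PrivateDevices=`. The check also depends on `cmp` alone unless the script sets `pipefail` (not visible in this hunk). That is enough to catch an unreadable credential here because `/tmp/testdata` is non-empty, but a non-zero exit from `systemd-run` after correct output would go unnoticed.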