authorLuca Boccassi <bluca@debian.org>2023-02-08 00:25:00 +0000
committerLuca Boccassi <luca.boccassi@gmail.com>2023-02-08 10:59:55 +0000
commit398dc7d39b9a877e71529f0e0b139329e4c6992e (patch)
treecd526003c8aa3cd96bdb9c2422bc04980c279341 /test
parentb0fc23fae51d244d2c33d70c10003aa5d5840223 (diff)
downloadsystemd-398dc7d39b9a877e71529f0e0b139329e4c6992e.tar.gz
core: imply DeviceAllow=/dev/tpmrm0 with LoadCredentialEncrypted
If the device access policy is restricted, implicitly add access to the TPM if at least one encrypted credential needs to be loaded. Fixes https://github.com/systemd/systemd/issues/26042
Diffstat (limited to 'test')
-rwxr-xr-xtest/units/testsuite-70.sh6
1 files changed, 6 insertions, 0 deletions
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
index 589baf370f..54e30642a5 100755
--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -208,6 +208,12 @@ else
echo "/usr/lib/systemd/systemd-pcrphase or PCR sysfs files not found, skipping PCR extension test case"
fi
+# Ensure that sandboxing doesn't stop creds from being accessible
+echo "test" > /tmp/testdata
+systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2
+systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
+rm /tmp/testdata
+
echo OK >/testok
exit 0
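Review bot: The cleanup at the end of the added block removes only `/tmp/testdata`, so the TPM-sealed blob `/tmp/testdata.encrypted` is left behind under a fixed name in `/tmp`; `rm /tmp/testdata /tmp/testdata.encrypted` would remove both. The result check depends on the `systemd-run … | cmp - /tmp/testdata` pipeline: unless the script enables `pipefail` (its header is outside this hunk), a non-zero exit from `systemd-run` is only caught indirectly, when `cmp` sees different output. The comment could also say why this case matters, for example `# PrivateDevices=yes restricts the device policy; LoadCredentialEncrypted= must still reach /dev/tpmrm0`, so that a later reader knows which implied `DeviceAllow=` the test protects.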