```sh
# The "keylime" user belongs to tss, and we need to give access to /sys/kernel/security/<x>
chown -R tss:tss /sys/kernel/security/tpm0
chown -R tss:tss /sys/kernel/security/ima
```
But this is only in effect for the current session. As soon as there's a reboot, these changes are essentially lost. So I believe it'd be a good idea to set this via the systemd services as well?
Something along the lines of: `ExecStartPre=-/bin/chown -R tss:tss /sys/kernel/security/tpm0`
What do you think?
I agree. We have a particular blind spot in this regard, because our deployments are net-booted, and setting something for a session is the same as setting it forever. Please feel free to submit a PR with the change.
Thanks. Actually it's best if this is implemented via a udev rule. I'll work on it and let you know when it's ready.
Though I wanted to ask if /sys/kernel/security/tpm0 and /sys/kernel/security/ima are being used somewhere? (And how?)
I couldn't understand its need on a quick look; sorry if it was straightforward and if I am missing something.
Hello,
[CC: @ibmcb]
I see there's:
keylime-deb/postinst
Lines 33 to 35 in 219cad9