tpm2: fix tpm2-abrmd D-Bus communication under enforcing mode#1170
Open
khalidfaisal17 wants to merge 1 commit into
khalidfaisal17 (Author): Hi Reviewers, can you please approve the workflow checks so that this change goes through them.
pebenito (Member) requested changes on Jun 24, 2026 and left a comment: cc @dsugar100 for additional thoughts.
pebenito requested changes on Jun 30, 2026.
pebenito requested changes on Jul 2, 2026.
tpm2-abrmd was crashing on every activation attempt under SELinux
enforcing mode, causing all tpm2-tools commands to fall back to
direct TPM device access with a GDBus warning.
AVC analysis showed the root denial:
avc: denied { read write } for comm="dbus-daemon"
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:system_r:tpm2_abrmd_t:s0
tclass=unix_stream_socket permissive=0
tpm2-abrmd uses socketpair(PF_LOCAL, SOCK_STREAM) to create a
connected fd pair for each client connection, then passes one end
to dbus-daemon via SCM_RIGHTS (D-Bus fd-passing). dbus-daemon needs
{ read write } on the inherited anonymous socket to relay TPM
commands between the client and tpm2-abrmd. This is not a connectto
operation -- the socket is already connected when the fd is received.
Changes:
policy/modules/services/tpm2.if:
- Add tpm2_rw_abrmd_stream_sockets() interface granting
rw_socket_perms on tpm2_abrmd_t:unix_stream_socket, used by
system_dbusd_t to read/write the socketpair fds passed by abrmd.
policy/modules/services/dbus.te:
- Call tpm2_rw_abrmd_stream_sockets(system_dbusd_t) inside the
existing optional_policy block alongside tpm2_rw_abrmd_pipes(),
so both abrmd IPC permissions are guarded by tpm2 module presence.
policy/modules/services/tpm2.te:
- Add files_read_etc_files(tpm2_abrmd_t) so abrmd can read its
D-Bus policy config (/etc/dbus-1/system.d/com.intel.tss2.Tabrmd.conf).
- Add miscfiles_read_localization(tpm2_abrmd_t) for GLib locale init.
- Add init_dbus_chat(tpm2_abrmd_t) inside the dbus optional block so
systemd (init_t) can exchange D-Bus messages with abrmd during
Type=dbus service activation/readiness signalling.
policy/modules/system/unconfined.te:
- Add tpm2_dbus_chat_abrmd(unconfined_t) in an optional_policy block
so interactive root sessions can communicate with tpm2-abrmd over
D-Bus without AVC denials.
policy/modules/roles/sysadm.te:
- Add tpm2_run(sysadm_t, sysadm_r) and tpm2_dbus_chat_abrmd(sysadm_t)
so the sysadm role can execute tpm2-tools and communicate with
tpm2-abrmd over D-Bus. Placed alphabetically after tcsd_admin,
consistent with the existing TPM 1.x entry.
policy/modules/system/init.te:
- Add tpm2_dbus_chat_abrmd(initrc_t) inside the existing dbus
optional_policy block for initrc_t, alongside firewalld, networkmanager,
modemmanager and policykit D-Bus chat entries.
This is needed because adbd (Android Debug Bridge daemon) runs as
initrc_t on this platform, and tpm2-tools invoked from an ADB shell
session need tpm2_abrmd_t to be able to reply over D-Bus. Without
this, the D-Bus reply is silently dropped and the caller times out.
Confirmed by: ps -eZ showing adbd as system_u:system_r:initrc_t:s0
Tested-by: Khalid Faisal Ansari <khalid.ansari@oss.qualcomm.com>
Signed-off-by: Khalid Faisal Ansari <khalid.ansari@oss.qualcomm.com>
tpm2-abrmd was crashing on every D-Bus activation attempt under SELinux enforcing mode, causing all tpm2-tools commands to fall back to direct TPM device access with a GDBus warning.
AVC log confirmed the root denial:
tpm2-abrmd uses socketpair(PF_LOCAL, SOCK_STREAM) to create a connected fd pair per client, then passes one end to dbus-daemon via SCM_RIGHTS (D-Bus fd-passing). dbus-daemon needs { read write } on that inherited anonymous socket to relay TPM commands. This is not a connectto — the socket is already connected when the fd is received.
Files changed:
- policy/modules/services/tpm2.if: add tpm2_rw_abrmd_stream_sockets() granting rw_socket_perms on tpm2_abrmd_t:unix_stream_socket
- policy/modules/services/dbus.te: call tpm2_rw_abrmd_stream_sockets(system_dbusd_t) inside the existing optional_policy block alongside tpm2_rw_abrmd_pipes()
- policy/modules/services/tpm2.te: add files_read_etc_files (D-Bus config), miscfiles_read_localization (GLib init), and init_dbus_chat (systemd Type=dbus activation) for tpm2_abrmd_t
- policy/modules/system/unconfined.te: add tpm2_dbus_chat_abrmd(unconfined_t) in an optional_policy block for interactive root sessions
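The interface and call sites that the commit message and the file list above describe, written out in refpolicy syntax as an added illustration; this is not the PR's own diff (which is not shown on this page), and the XML doc comments, the file-section markers and the exact placement within each file are assumptions, while the rule bodies follow the description above.

```m4
# --- policy/modules/services/tpm2.if: new interface ---
########################################
## <summary>
##	Read and write tpm2-abrmd unix stream sockets
##	(socketpair fds handed over via SCM_RIGHTS).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`tpm2_rw_abrmd_stream_sockets',`
	gen_require(`
		type tpm2_abrmd_t;
	')

	# The socket is already connected when the fd is received,
	# so read/write is sufficient; no connectto is granted.
	allow $1 tpm2_abrmd_t:unix_stream_socket rw_socket_perms;
')

# --- policy/modules/services/dbus.te: existing tpm2 optional block ---
optional_policy(`
	tpm2_rw_abrmd_pipes(system_dbusd_t)
	tpm2_rw_abrmd_stream_sockets(system_dbusd_t)
')

# --- policy/modules/services/tpm2.te: abrmd domain rules ---
# D-Bus policy config under /etc/dbus-1/system.d and GLib locale data.
files_read_etc_files(tpm2_abrmd_t)
miscfiles_read_localization(tpm2_abrmd_t)

# Goes inside the existing dbus optional block (assumed layout).
optional_policy(`
	init_dbus_chat(tpm2_abrmd_t)
')

# --- policy/modules/system/unconfined.te ---
optional_policy(`
	tpm2_dbus_chat_abrmd(unconfined_t)
')
```

Once the rebuilt modules are loaded, `sesearch -A -s system_dbusd_t -t tpm2_abrmd_t -c unix_stream_socket` should list the read/write rule, and the `dbus-daemon` denial quoted in the commit message should no longer appear in the audit log.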