
tpm2: fix tpm2-abrmd D-Bus communication under enforcing mode #1170

Open
khalidfaisal17 wants to merge 1 commit into SELinuxProject:main from khalidfaisal17:afaisal/tpm

Conversation

@khalidfaisal17 commented Jun 23, 2026

tpm2-abrmd was crashing on every D-Bus activation attempt under SELinux enforcing mode, causing all tpm2-tools commands to fall back to direct TPM device access with a GDBus warning.

AVC log confirmed the root denial:

```
avc: denied { read write } for comm="dbus-daemon"
  scontext=system_u:system_r:system_dbusd_t:s0
  tcontext=system_u:system_r:tpm2_abrmd_t:s0
  tclass=unix_stream_socket permissive=0
```

tpm2-abrmd uses socketpair(PF_LOCAL, SOCK_STREAM) to create a connected fd pair per client, then passes one end to dbus-daemon via SCM_RIGHTS (D-Bus fd-passing). dbus-daemon needs { read write } on that inherited anonymous socket to relay TPM commands. This is not a connectto — the socket is already connected when the fd is received.

Files changed:

  • policy/modules/services/tpm2.if — add tpm2_rw_abrmd_stream_sockets() granting rw_socket_perms on tpm2_abrmd_t:unix_stream_socket
  • policy/modules/services/dbus.te — call tpm2_rw_abrmd_stream_sockets(system_dbusd_t) inside the existing optional_policy block alongside tpm2_rw_abrmd_pipes()
  • policy/modules/services/tpm2.te — add files_read_etc_files (D-Bus config), miscfiles_read_localization (GLib init), and init_dbus_chat (systemd Type=dbus activation) for tpm2_abrmd_t
  • policy/modules/system/unconfined.te — add tpm2_dbus_chat_abrmd(unconfined_t) in an optional_policy block for interactive root sessions

@khalidfaisal17 (Author)
Hi Reviewers,

Can you please approve the workflow checks so that this change goes through them.

@pebenito (Member) left a comment

cc @dsugar100 for additional thoughts.

Review threads (outdated): policy/modules/services/dbus.te, policy/modules/system/init.te, policy/modules/system/unconfined.te
khalidfaisal17 changed the title from "sepolicy: allow init and unconfined domains to communicate with tpm2-abrmd over D-Bus" to "tpm2: fix tpm2-abrmd D-Bus communication under enforcing mode" on Jun 30, 2026
Review threads: policy/modules/services/tpm2.te (outdated), policy/modules/system/unconfined.te
khalidfaisal17 force-pushed the afaisal/tpm branch 2 times, most recently from 5e28d23 to 89110ee on July 1, 2026 11:13
Review threads (outdated): policy/modules/roles/sysadm.te, policy/modules/services/tpm2.if

tpm2-abrmd was crashing on every activation attempt under SELinux
enforcing mode, causing all tpm2-tools commands to fall back to
direct TPM device access with a GDBus warning.

AVC analysis showed the root denial:

```
avc: denied { read write } for comm="dbus-daemon"
  scontext=system_u:system_r:system_dbusd_t:s0
  tcontext=system_u:system_r:tpm2_abrmd_t:s0
  tclass=unix_stream_socket permissive=0
```

tpm2-abrmd uses socketpair(PF_LOCAL, SOCK_STREAM) to create a
connected fd pair for each client connection, then passes one end
to dbus-daemon via SCM_RIGHTS (D-Bus fd-passing). dbus-daemon needs
{ read write } on the inherited anonymous socket to relay TPM
commands between the client and tpm2-abrmd. This is not a connectto
operation -- the socket is already connected when the fd is received.

Changes:

policy/modules/services/tpm2.if:
- Add tpm2_rw_abrmd_stream_sockets() interface granting
  rw_socket_perms on tpm2_abrmd_t:unix_stream_socket, used by
  system_dbusd_t to read/write the socketpair fds passed by abrmd.

policy/modules/services/dbus.te:
- Call tpm2_rw_abrmd_stream_sockets(system_dbusd_t) inside the
  existing optional_policy block alongside tpm2_rw_abrmd_pipes(),
  so both abrmd IPC permissions are guarded by tpm2 module presence.

policy/modules/services/tpm2.te:
- Add files_read_etc_files(tpm2_abrmd_t) so abrmd can read its
  D-Bus policy config (/etc/dbus-1/system.d/com.intel.tss2.Tabrmd.conf).
- Add miscfiles_read_localization(tpm2_abrmd_t) for GLib locale init.
- Add init_dbus_chat(tpm2_abrmd_t) inside the dbus optional block so
  systemd (init_t) can exchange D-Bus messages with abrmd during
  Type=dbus service activation/readiness signalling.

policy/modules/system/unconfined.te:
- Add tpm2_dbus_chat_abrmd(unconfined_t) in an optional_policy block
  so interactive root sessions can communicate with tpm2-abrmd over
  D-Bus without AVC denials.

policy/modules/roles/sysadm.te:
- Add tpm2_run(sysadm_t, sysadm_r) and tpm2_dbus_chat_abrmd(sysadm_t)
  so the sysadm role can execute tpm2-tools and communicate with
  tpm2-abrmd over D-Bus. Placed alphabetically after tcsd_admin,
  consistent with the existing TPM 1.x entry.

policy/modules/system/init.te:
- Add tpm2_dbus_chat_abrmd(initrc_t) inside the existing dbus
  optional_policy block for initrc_t, alongside firewalld, networkmanager,
  modemmanager and policykit D-Bus chat entries.
  This is needed because adbd (Android Debug Bridge daemon) runs as
  initrc_t on this platform, and tpm2-tools invoked from an ADB shell
  session need tpm2_abrmd_t to be able to reply over D-Bus. Without
  this, the D-Bus reply is silently dropped and the caller times out.
  Confirmed by: ps -eZ showing adbd as system_u:system_r:initrc_t:s0

Tested-by: Khalid Faisal Ansari <khalid.ansari@oss.qualcomm.com>
Signed-off-by: Khalid Faisal Ansari <khalid.ansari@oss.qualcomm.com>
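The fd-passing mechanism that the PR description and the commit message both rely on (a per-client `socketpair()` whose one end is handed to the bus daemon with `SCM_RIGHTS`, after which the receiver only reads and writes on an already-connected socket) is shown below as an added, self-contained C example. It is not code from this pull request, from refpolicy or from tpm2-abrmd; the function names `send_fd`, `recv_fd`, `socket_has_peer`, `bare_socket_has_peer` and `run_fd_passing_demo` are hypothetical, and the two payload strings are constructed placeholders rather than real TPM commands. Both "daemons" live in one process here, since the kernel behaviour being demonstrated is the same either way.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <unistd.h>

#ifndef MSG_CMSG_CLOEXEC
#define MSG_CMSG_CLOEXEC 0 /* Linux flag; harmless no-op elsewhere */
#endif

/* Pass one descriptor over an AF_UNIX socket with SCM_RIGHTS. One byte of
 * ordinary payload accompanies the control message, as the API requires. */
static int send_fd(int chan, int fd_to_pass)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd_to_pass, sizeof(int));

    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd(); returns the new fd number or -1. */
static int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    int fd;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    if (recvmsg(chan, &msg, MSG_CMSG_CLOEXEC) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* getpeername() fails (ENOTCONN) on a socket with no peer, so it tells an
 * already-connected socketpair end apart from a socket that would still
 * need connect(). This is the "not a connectto" point of the AVC analysis. */
int socket_has_peer(int fd)
{
    struct sockaddr_un peer;
    socklen_t len = sizeof peer;
    return getpeername(fd, (struct sockaddr *)&peer, &len) == 0;
}

/* Control case: a freshly created, never-connected socket reports no peer. */
int bare_socket_has_peer(void)
{
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    int has = s >= 0 ? socket_has_peer(s) : -1;
    if (s >= 0)
        close(s);
    return has;
}

/* "abrmd" creates a per-client socketpair, hands one end to "dbus-daemon"
 * over the bus channel, and the relay then only reads and writes on the
 * inherited end. Returns 0 on success or a negative step number. */
int run_fd_passing_demo(void)
{
    int bus[2], pair[2], relay = -1, rc = 0;
    char buf[64];
    ssize_t n;
    const char cmd[] = "example-command";   /* constructed placeholder */
    const char reply[] = "example-reply";   /* constructed placeholder */

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, bus) < 0)   /* stands in for D-Bus */
        return -1;
    if (socketpair(PF_LOCAL, SOCK_STREAM, 0, pair) < 0) /* born connected */
        return -2;

    if (send_fd(bus[0], pair[1]) < 0) { rc = -3; goto out; }
    close(pair[1]);        /* sender keeps only its own end */
    pair[1] = -1;

    relay = recv_fd(bus[1]);                 /* receiver gets a new fd number */
    if (relay < 0) { rc = -4; goto out; }
    if (!socket_has_peer(relay)) { rc = -5; goto out; }

    /* Only read/write is exercised: the { read write } the denial reported. */
    if (write(relay, cmd, sizeof cmd) != (ssize_t)sizeof cmd) { rc = -6; goto out; }
    n = read(pair[0], buf, sizeof buf);
    if (n != (ssize_t)sizeof cmd || memcmp(buf, cmd, sizeof cmd) != 0) { rc = -7; goto out; }
    if (write(pair[0], reply, sizeof reply) != (ssize_t)sizeof reply) { rc = -8; goto out; }
    n = read(relay, buf, sizeof buf);
    if (n != (ssize_t)sizeof reply || memcmp(buf, reply, sizeof reply) != 0) rc = -9;
out:
    if (relay >= 0) close(relay);
    if (pair[1] >= 0) close(pair[1]);
    close(pair[0]); close(bus[0]); close(bus[1]);
    return rc;
}

int main(void)
{
    int rc = run_fd_passing_demo();
    printf("fd-passing demo: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

Under SELinux the socket object keeps the label of the domain that created it, so when the relay side performs the two `write()`/`read()` calls on the inherited end the check is `system_dbusd_t -> tpm2_abrmd_t:unix_stream_socket { read write }`, which is why the fix grants `rw_socket_perms` rather than `connectto`: nothing on the receiving side ever calls `connect()`.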