88 lines
3.1 KiB
Diff
88 lines
3.1 KiB
Diff
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
||
|
|
Subject: [PATCH v2] efi/efi_test: lock down /dev/efi_test and require
|
||
|
|
CAP_SYS_ADMIN
|
||
|
|
Date: Tue, 8 Oct 2019 12:55:10 +0200
|
||
|
|
|
||
|
|
The driver exposes EFI runtime services to user-space through an IOCTL
|
||
|
|
interface, calling the EFI services function pointers directly without
|
||
|
|
using the efivar API.
|
||
|
|
|
||
|
|
Disallow access to the /dev/efi_test character device when the kernel is
|
||
|
|
locked down to prevent arbitrary user-space to call EFI runtime services.
|
||
|
|
|
||
|
|
Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
|
||
|
|
users to call the EFI runtime services, instead of just relying on the
|
||
|
|
chardev file mode bits for this.
|
||
|
|
|
||
|
|
The main user of this driver is the fwts [0] tool that already checks if
|
||
|
|
the effective user ID is 0 and fails otherwise. So this change shouldn't
|
||
|
|
cause any regression to this tool.
|
||
|
|
|
||
|
|
[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo
|
||
|
|
|
||
|
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||
|
|
Acked-by: Laszlo Ersek <lersek@redhat.com>
|
||
|
|
Acked-by: Matthew Garrett <mjg59@google.com>
|
||
|
|
---
|
||
|
|
|
||
|
|
Changes in v2:
|
||
|
|
- Also disable /dev/efi_test access when the kernel is locked down as
|
||
|
|
suggested by Matthew Garrett.
|
||
|
|
- Add Acked-by tag from Laszlo Ersek.
|
||
|
|
|
||
|
|
drivers/firmware/efi/test/efi_test.c | 8 ++++++++
|
||
|
|
include/linux/security.h | 1 +
|
||
|
|
security/lockdown/lockdown.c | 1 +
|
||
|
|
3 files changed, 10 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
|
||
|
|
index 877745c3aaf..7baf48c01e7 100644
|
||
|
|
--- a/drivers/firmware/efi/test/efi_test.c
|
||
|
|
+++ b/drivers/firmware/efi/test/efi_test.c
|
||
|
|
@@ -14,6 +14,7 @@
|
||
|
|
#include <linux/init.h>
|
||
|
|
#include <linux/proc_fs.h>
|
||
|
|
#include <linux/efi.h>
|
||
|
|
+#include <linux/security.h>
|
||
|
|
#include <linux/slab.h>
|
||
|
|
#include <linux/uaccess.h>
|
||
|
|
|
||
|
|
@@ -717,6 +718,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
|
||
|
|
|
||
|
|
static int efi_test_open(struct inode *inode, struct file *file)
|
||
|
|
{
|
||
|
|
+ int ret = security_locked_down(LOCKDOWN_EFI_TEST);
|
||
|
|
+
|
||
|
|
+ if (ret)
|
||
|
|
+ return ret;
|
||
|
|
+
|
||
|
|
+ if (!capable(CAP_SYS_ADMIN))
|
||
|
|
+ return -EACCES;
|
||
|
|
/*
|
||
|
|
* nothing special to do here
|
||
|
|
* We do accept multiple open files at the same time as we
|
||
|
|
diff --git a/include/linux/security.h b/include/linux/security.h
|
||
|
|
index a8d59d612d2..9df7547afc0 100644
|
||
|
|
--- a/include/linux/security.h
|
||
|
|
+++ b/include/linux/security.h
|
||
|
|
@@ -105,6 +105,7 @@ enum lockdown_reason {
|
||
|
|
LOCKDOWN_NONE,
|
||
|
|
LOCKDOWN_MODULE_SIGNATURE,
|
||
|
|
LOCKDOWN_DEV_MEM,
|
||
|
|
+ LOCKDOWN_EFI_TEST,
|
||
|
|
LOCKDOWN_KEXEC,
|
||
|
|
LOCKDOWN_HIBERNATION,
|
||
|
|
LOCKDOWN_PCI_ACCESS,
|
||
|
|
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
|
||
|
|
index 8a10b43daf7..40b790536de 100644
|
||
|
|
--- a/security/lockdown/lockdown.c
|
||
|
|
+++ b/security/lockdown/lockdown.c
|
||
|
|
@@ -20,6 +20,7 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
|
||
|
|
[LOCKDOWN_NONE] = "none",
|
||
|
|
[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
|
||
|
|
[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
|
||
|
|
+ [LOCKDOWN_EFI_TEST] = "/dev/efi_test access",
|
||
|
|
[LOCKDOWN_KEXEC] = "kexec of unsigned images",
|
||
|
|
[LOCKDOWN_HIBERNATION] = "hibernation",
|
||
|
|
[LOCKDOWN_PCI_ACCESS] = "direct PCI access",
|