git.baikalelectronics.ru Git - kernel.git/commit

author	Javier Martinez Canillas <javierm@redhat.com>
	Tue, 29 Oct 2019 17:37:55 +0000 (18:37 +0100)
committer	Ingo Molnar <mingo@kernel.org>
	Thu, 31 Oct 2019 08:40:21 +0000 (09:40 +0100)
commit	eaba417bd5b92c0674e66731708d1dbc45e795d4
tree	87dccc0f9be33f069c3edfc94f31eed8e4ab0129	tree \| snapshot
parent	74b4199899f0fdcf7c834f9109eb87720529cc71	commit \| diff

efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN

The driver exposes EFI runtime services to user-space through an IOCTL
interface, calling the EFI services function pointers directly without
using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is
locked down to prevent arbitrary user-space to call EFI runtime services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
users to call the EFI runtime services, instead of just relying on the
chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if
the effective user ID is 0 and fails otherwise. So this change shouldn't
cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Matthew Garrett <mjg59@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>

drivers/firmware/efi/test/efi_test.c		diff \| blob \| history
include/linux/security.h		diff \| blob \| history
security/lockdown/lockdown.c		diff \| blob \| history