Commit 359efcc2 authored by Javier Martinez Canillas's avatar Javier Martinez Canillas Committed by Ingo Molnar

efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN

The driver exposes EFI runtime services to user-space through an IOCTL
interface, calling the EFI services function pointers directly without
using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is
locked down to prevent arbitrary user-space to call EFI runtime services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
users to call the EFI runtime services, instead of just relying on the
chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if
the effective user ID is 0 and fails otherwise. So this change shouldn't
cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfoSigned-off-by: default avatarJavier Martinez Canillas <javierm@redhat.com>
Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: default avatarLaszlo Ersek <lersek@redhat.com>
Acked-by: default avatarMatthew Garrett <mjg59@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
parent 220dd769
...@@ -14,6 +14,7 @@ ...@@ -14,6 +14,7 @@
#include <linux/init.h> #include <linux/init.h>
#include <linux/proc_fs.h> #include <linux/proc_fs.h>
#include <linux/efi.h> #include <linux/efi.h>
#include <linux/security.h>
#include <linux/slab.h> #include <linux/slab.h>
#include <linux/uaccess.h> #include <linux/uaccess.h>
...@@ -717,6 +718,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd, ...@@ -717,6 +718,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
static int efi_test_open(struct inode *inode, struct file *file) static int efi_test_open(struct inode *inode, struct file *file)
{ {
int ret = security_locked_down(LOCKDOWN_EFI_TEST);
if (ret)
return ret;
if (!capable(CAP_SYS_ADMIN))
return -EACCES;
/* /*
* nothing special to do here * nothing special to do here
* We do accept multiple open files at the same time as we * We do accept multiple open files at the same time as we
......
...@@ -105,6 +105,7 @@ enum lockdown_reason { ...@@ -105,6 +105,7 @@ enum lockdown_reason {
LOCKDOWN_NONE, LOCKDOWN_NONE,
LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_MODULE_SIGNATURE,
LOCKDOWN_DEV_MEM, LOCKDOWN_DEV_MEM,
LOCKDOWN_EFI_TEST,
LOCKDOWN_KEXEC, LOCKDOWN_KEXEC,
LOCKDOWN_HIBERNATION, LOCKDOWN_HIBERNATION,
LOCKDOWN_PCI_ACCESS, LOCKDOWN_PCI_ACCESS,
......
...@@ -20,6 +20,7 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { ...@@ -20,6 +20,7 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_NONE] = "none", [LOCKDOWN_NONE] = "none",
[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
[LOCKDOWN_EFI_TEST] = "/dev/efi_test access",
[LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_KEXEC] = "kexec of unsigned images",
[LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_HIBERNATION] = "hibernation",
[LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_PCI_ACCESS] = "direct PCI access",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment