author | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-11-06 17:54:14 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2019-11-06 17:54:14 +0100 |
commit | 78a8990588270e5423160b961fa875b281f0f859 (patch) | |
tree | 735224865d04cc886b527f02c3cbf58d4b08d985 /efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch | |
parent | 965b0543781365d3f5b1cfc25b8ccd81aa81337f (diff) | |
parent | 5fe065b6c0e7dce82e4a85fedf5513d2d9970a41 (diff) | |
Merge commit '5fe065b6c0e7dce82e4a85fedf5513d2d9970a41' into rawhide-user-thl-vanilla-fedora
Diffstat (limited to 'efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch')
-rw-r--r-- | efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch | 87 |
1 files changed, 0 insertions, 87 deletions
diff --git a/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch b/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
deleted file mode 100644
index 61a52c6fd..000000000
--- a/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From: Javier Martinez Canillas <javierm@redhat.com>
-Subject: [PATCH v2] efi/efi_test: lock down /dev/efi_test and require
- CAP_SYS_ADMIN
-Date: Tue, 8 Oct 2019 12:55:10 +0200
-
-The driver exposes EFI runtime services to user-space through an IOCTL
-interface, calling the EFI services function pointers directly without
-using the efivar API.
-
-Disallow access to the /dev/efi_test character device when the kernel is
-locked down to prevent arbitrary user-space to call EFI runtime services.
-
-Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
-users to call the EFI runtime services, instead of just relying on the
-chardev file mode bits for this.
-
-The main user of this driver is the fwts [0] tool that already checks if
-the effective user ID is 0 and fails otherwise. So this change shouldn't
-cause any regression to this tool.
-
-[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo
-
-Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
-Acked-by: Laszlo Ersek <lersek@redhat.com>
-Acked-by: Matthew Garrett <mjg59@google.com>
----
-
-Changes in v2:
-- Also disable /dev/efi_test access when the kernel is locked down as
- suggested by Matthew Garrett.
-- Add Acked-by tag from Laszlo Ersek.
-
- drivers/firmware/efi/test/efi_test.c | 8 ++++++++
- include/linux/security.h | 1 +
- security/lockdown/lockdown.c | 1 +
- 3 files changed, 10 insertions(+)
-
-diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
-index 877745c3aaf..7baf48c01e7 100644
---- a/drivers/firmware/efi/test/efi_test.c
-+++ b/drivers/firmware/efi/test/efi_test.c
-@@ -14,6 +14,7 @@
- #include <linux/init.h>
- #include <linux/proc_fs.h>
- #include <linux/efi.h>
-+#include <linux/security.h>
- #include <linux/slab.h>
- #include <linux/uaccess.h>
-
-@@ -717,6 +718,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
-
- static int efi_test_open(struct inode *inode, struct file *file)
- {
-+ int ret = security_locked_down(LOCKDOWN_EFI_TEST);
-+
-+ if (ret)
-+ return ret;
-+
-+ if (!capable(CAP_SYS_ADMIN))
-+ return -EACCES;
- /*
- * nothing special to do here
- * We do accept multiple open files at the same time as we
-diff --git a/include/linux/security.h b/include/linux/security.h
-index a8d59d612d2..9df7547afc0 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -105,6 +105,7 @@ enum lockdown_reason {
- LOCKDOWN_NONE,
- LOCKDOWN_MODULE_SIGNATURE,
- LOCKDOWN_DEV_MEM,
-+ LOCKDOWN_EFI_TEST,
- LOCKDOWN_KEXEC,
- LOCKDOWN_HIBERNATION,
- LOCKDOWN_PCI_ACCESS,
-diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
-index 8a10b43daf7..40b790536de 100644
---- a/security/lockdown/lockdown.c
-+++ b/security/lockdown/lockdown.c
-@@ -20,6 +20,7 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
- [LOCKDOWN_NONE] = "none",
- [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
- [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
-+ [LOCKDOWN_EFI_TEST] = "/dev/efi_test access",
- [LOCKDOWN_KEXEC] = "kexec of unsigned images",
- [LOCKDOWN_HIBERNATION] = "hibernation",
- [LOCKDOWN_PCI_ACCESS] = "direct PCI access", |