From: Ard Biesheuvel
To: linux-efi@vger.kernel.org, Ingo Molnar, Thomas Gleixner
Cc: Javier Martinez Canillas, Ard Biesheuvel, linux-kernel@vger.kernel.org
Subject: [PATCH v2 6/6] efi/efi_test: lock down /dev/efi_test and require CAP_SYS_ADMIN
Date: Tue, 29 Oct 2019 18:37:55 +0100
Message-Id: <20191029173755.27149-7-ardb@kernel.org>
In-Reply-To: <20191029173755.27149-1-ardb@kernel.org>
References: <20191029173755.27149-1-ardb@kernel.org>
List-ID: X-Mailing-List: linux-efi@vger.kernel.org

From: Javier Martinez Canillas

The driver exposes EFI runtime services to user-space through an IOCTL interface, calling the EFI services function pointers directly without using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is locked down to prevent arbitrary user-space from calling EFI runtime services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged users from calling the EFI runtime services, instead of just relying on the chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if the effective user ID is 0 and fails otherwise. So this change shouldn't cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas
Acked-by: Laszlo Ersek
Acked-by: Matthew Garrett
Signed-off-by: Ard Biesheuvel
---
 drivers/firmware/efi/test/efi_test.c | 8 ++++++++
 include/linux/security.h             | 1 +
 security/lockdown/lockdown.c         | 1 +
 3 files changed, 10 insertions(+)

diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index 877745c3aaf2..7baf48c01e72 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include @@ -717,6 +718,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd, static int efi_test_open(struct inode *inode, struct file *file) { + int ret = security_locked_down(LOCKDOWN_EFI_TEST); + + if (ret) + return ret; + + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; /* * nothing special to do here * We do accept multiple open files at the same time as we diff --git a/include/linux/security.h b/include/linux/security.h index a8d59d612d27..9df7547afc0c 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -105,6 +105,7 @@ enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, + LOCKDOWN_EFI_TEST, LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 8a10b43daf74..40b790536def 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -20,6 +20,7 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", + [LOCKDOWN_EFI_TEST] = "/dev/efi_test access", [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", -- 2.17.1
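Review bot: in the efi_test_open() hunk, the pre-existing comment "nothing special to do here" now sits directly after the new lockdown and capability checks and is no longer true; it should be reworded so the next reader does not assume open() is a no-op. Two smaller points on the same hunk: returning -EACCES for a failed capable(CAP_SYS_ADMIN) makes that denial indistinguishable from an ordinary mode-bit denial by the VFS, whereas -EPERM is what capability checks elsewhere conventionally return and what the security_locked_down() path above it yields, so a user of fwts cannot tell "not privileged" from "not permitted by file mode" from the errno alone; and because both checks live in open() rather than in efi_test_ioctl(), a descriptor opened by a CAP_SYS_ADMIN process and handed to a less privileged one keeps working, which matches how other privileged chardevs behave but is worth a sentence in the commit message since the stated goal is to stop unprivileged callers reaching the EFI runtime services.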
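Review bot: the enum lockdown_reason hunk places LOCKDOWN_EFI_TEST between LOCKDOWN_DEV_MEM and LOCKDOWN_KEXEC, i.e. in the integrity half of the ordered enum, so security_locked_down(LOCKDOWN_EFI_TEST) will refuse the open at integrity lockdown and not only at confidentiality lockdown; that is the appropriate level given the commit message's rationale (user space calling EFI runtime services directly), but the level chosen and why should be stated explicitly in the commit message rather than left implicit in the enum position. Inserting mid-enum also renumbers every value after it, which is safe here only because lockdown_reasons[] in security/lockdown/lockdown.c is indexed by the enum names and is updated in the same patch; a one-line comment in the enum noting that order matters would help the next person adding a reason.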