From patchwork Thu Jun 18 23:14:24 2020
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1312496
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 4/9][D] efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
Date: Thu, 18 Jun 2020 18:14:24 -0500
Message-Id: <20200618231429.630733-5-seth.forshee@canonical.com>
In-Reply-To: <20200618231429.630733-1-seth.forshee@canonical.com>
References: <20200618231429.630733-1-seth.forshee@canonical.com>
List-Id: Kernel team discussions
From: Javier Martinez Canillas

BugLink: https://bugs.launchpad.net/bugs/1884159

The driver exposes EFI runtime services to user-space through an IOCTL
interface, calling the EFI services function pointers directly without
using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is
locked down to prevent arbitrary user-space from calling EFI runtime
services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
users from calling the EFI runtime services, instead of just relying on
the chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if
the effective user ID is 0 and fails otherwise. So this change shouldn't
cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas
Signed-off-by: Ard Biesheuvel
Acked-by: Laszlo Ersek
Acked-by: Matthew Garrett
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org
Signed-off-by: Ingo Molnar
(backported from commit 359efcc2c910117d2faf704ce154e91fc976d37f)
Signed-off-by: Seth Forshee
---
 drivers/firmware/efi/test/efi_test.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index 51ecf7d6da48..13cf14d3fb79 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -716,6 +716,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
 static int efi_test_open(struct inode *inode, struct file *file)
 {
+	bool locked_down = kernel_is_locked_down("/dev/efi_test access");
+
+	if (locked_down)
+		return -EPERM;
+
+	if (!capable(CAP_SYS_ADMIN))
+		return -EACCES;
 	/*
 	 * nothing special to do here
 	 * We do accept multiple open files at the same time as we
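Review bot: the lockdown test precedes the capability test in efi_test_open(), so once the kernel is locked down every open() of /dev/efi_test, including those from unprivileged users who would have been refused with -EACCES anyway, goes through `kernel_is_locked_down("/dev/efi_test access")`; if that helper records the denial (its string argument reads like a log message), any local user can generate such records at will. Consider checking `if (!capable(CAP_SYS_ADMIN)) return -EACCES;` first so that only callers who would otherwise be admitted reach the lockdown check. The `locked_down` local is used exactly once and could be folded into the `if`. Since the trailer only says "backported from commit 359efcc2c910117d2faf704ce154e91fc976d37f", a one-line backport note stating that the lockdown call was adapted to this tree's `kernel_is_locked_down()` API would help later reviewers see what differs from upstream.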