From patchwork Fri Jun 19 16:16:11 2020
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1313113
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH v2 47/57][B] efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
Date: Fri, 19 Jun 2020 11:16:11 -0500
Message-Id: <20200619161621.644540-48-seth.forshee@canonical.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200619161621.644540-1-seth.forshee@canonical.com>
References: <20200619161621.644540-1-seth.forshee@canonical.com>
List-Id: Kernel team discussions
From: Javier Martinez Canillas

BugLink: https://bugs.launchpad.net/bugs/1884159

The driver exposes EFI runtime services to user-space through an IOCTL interface, calling the EFI services function pointers directly without using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is locked down to prevent arbitrary user-space from calling EFI runtime services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged users from calling the EFI runtime services, instead of just relying on the chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if the effective user ID is 0 and fails otherwise. So this change shouldn't cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas
Signed-off-by: Ard Biesheuvel
Acked-by: Laszlo Ersek
Acked-by: Matthew Garrett
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org
Signed-off-by: Ingo Molnar
(backported from commit 359efcc2c910117d2faf704ce154e91fc976d37f)
Signed-off-by: Seth Forshee
---
 drivers/firmware/efi/test/efi_test.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c index f61bb52be318..3dc55ac0af73 100644 --- a/drivers/firmware/efi/test/efi_test.c +++ b/drivers/firmware/efi/test/efi_test.c @@ -696,6 +696,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd, static int efi_test_open(struct inode *inode, struct file *file) { + bool locked_down = secure_modules(); + + if (locked_down) + return -EPERM; + + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; /* * nothing special to do here * We do accept multiple open files at the same time as we
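Review bot: In efi_test_open() the lockdown result is stored in a local `bool locked_down` only to be tested once on the next line; `if (secure_modules()) return -EPERM;` says the same thing and matches the shape of the `capable(CAP_SYS_ADMIN)` check that follows it. Since the trailer marks this as "backported from" 359efcc2c910 rather than a clean cherry-pick, it is worth confirming in review that secure_modules() is this tree's lockdown predicate (the wording "when the kernel is locked down" in the message should map exactly onto that call), and noting for the record that both new checks run only at open() time while the ioctl path in efi_test_ioctl() is unchanged, so the gate is on acquiring a descriptor, not on each runtime-service call.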