[PATCH v2 47/57][X] efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN

Seth Forshee seth.forshee at canonical.com
Fri Jun 19 16:50:00 UTC 2020


From: Javier Martinez Canillas <javierm at redhat.com>

BugLink: https://bugs.launchpad.net/bugs/1884159

The driver exposes EFI runtime services to user-space through an IOCTL
interface, calling the EFI services function pointers directly without
using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is
locked down to prevent arbitrary user-space from calling EFI runtime services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
users from calling the EFI runtime services, instead of just relying on the
chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if
the effective user ID is 0 and fails otherwise. So this change shouldn't
cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas <javierm at redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel at linaro.org>
Acked-by: Laszlo Ersek <lersek at redhat.com>
Acked-by: Matthew Garrett <mjg59 at google.com>
Cc: Linus Torvalds <torvalds at linux-foundation.org>
Cc: Peter Zijlstra <peterz at infradead.org>
Cc: Thomas Gleixner <tglx at linutronix.de>
Cc: linux-efi at vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo at kernel.org>
(backported from commit 359efcc2c910117d2faf704ce154e91fc976d37f)
Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
---
 drivers/firmware/efi/test/efi_test.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index f61bb52be318..3dc55ac0af73 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -696,6 +696,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
 
 static int efi_test_open(struct inode *inode, struct file *file)
 {
+	bool locked_down = secure_modules();
+
+	if (locked_down)
+		return -EPERM;
+
+	if (!capable(CAP_SYS_ADMIN))
+		return -EACCES;
 	/*
 	 * nothing special to do here
 	 * We do accept multiple open files at the same time as we
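Review bot: The new checks are inserted ahead of the existing "nothing special to do here" comment, which now describes the function incorrectly, since open() does refuse callers under lockdown and without CAP_SYS_ADMIN; either reword that comment or move the two checks below it, and add a blank line after `return -EACCES;` so the comment block is not glued to the code. The `locked_down` local is assigned once and tested once, so it can be folded into the condition (`if (secure_modules()) return -EPERM;`), matching the shape of the `capable()` check that follows. Since this is a backport and the hunk relies on `secure_modules()` rather than whatever the original commit called, a sentence in the backport note stating that substitution would help anyone comparing this against commit 359efcc2c910.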
-- 
2.27.0