From patchwork Thu Jun 18 23:12:58 2020
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1312491
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 47/47][X] efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
Date: Thu, 18 Jun 2020 18:12:58 -0500
Message-Id: <20200618231258.630575-48-seth.forshee@canonical.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200618231258.630575-1-seth.forshee@canonical.com>
References: <20200618231258.630575-1-seth.forshee@canonical.com>
List-Id: Kernel team discussions
From: Javier Martinez Canillas

BugLink: https://bugs.launchpad.net/bugs/1884159

The driver exposes EFI runtime services to user-space through an IOCTL
interface, calling the EFI services function pointers directly without
using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is
locked down to prevent arbitrary user-space from calling EFI runtime
services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
users from calling the EFI runtime services, instead of just relying on
the chardev file mode bits for this.

The main user of this driver is the fwts [0] tool, which already checks if
the effective user ID is 0 and fails otherwise. So this change shouldn't
cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas
Signed-off-by: Ard Biesheuvel
Acked-by: Laszlo Ersek
Acked-by: Matthew Garrett
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org
Signed-off-by: Ingo Molnar
(backported from commit 359efcc2c910117d2faf704ce154e91fc976d37f)
Signed-off-by: Seth Forshee
---
 drivers/firmware/efi/test/efi_test.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index f61bb52be318..3dc55ac0af73 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -696,6 +696,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
 
 static int efi_test_open(struct inode *inode, struct file *file)
 {
+	bool locked_down = secure_modules();
+
+	if (locked_down)
+		return -EPERM;
+
+	if (!capable(CAP_SYS_ADMIN))
+		return -EACCES;
 	/*
 	 * nothing special to do here
 	 * We do accept multiple open files at the same time as we
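Review bot: the commit message names the upstream commit this was backported from but does not say what was adapted for this tree; in the hunk the lockdown predicate is secure_modules(), and since that helper is what now gates /dev/efi_test in efi_test_open(), the message should state that it is the [X] tree's stand-in for the upstream lockdown check and why it is the right condition here, so a later reader does not take it for the upstream helper. Minor style point in the same hunk: the locked_down local is used exactly once, so the check reads more directly as "if (secure_modules()) return -EPERM;", matching the shape of the capable() check that follows it. Worth one sentence in the message as well: the two new paths return different errors (-EPERM when locked down, -EACCES without CAP_SYS_ADMIN), and a caller such as fwts that already checks for uid 0 may want to distinguish them in its own error reporting.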