From patchwork Fri Jun 19 16:50:00 2020
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1313193
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH v2 47/57][X] efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
Date: Fri, 19 Jun 2020 11:50:00 -0500
Message-Id: <20200619165010.645925-48-seth.forshee@canonical.com>
In-Reply-To: <20200619165010.645925-1-seth.forshee@canonical.com>
References: <20200619165010.645925-1-seth.forshee@canonical.com>
List-Id: Kernel team discussions
From: Javier Martinez Canillas

BugLink: https://bugs.launchpad.net/bugs/1884159

The driver exposes EFI runtime services to user-space through an IOCTL interface, calling the EFI services function pointers directly without using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is locked down to prevent arbitrary user-space from calling EFI runtime services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged users from calling the EFI runtime services, instead of just relying on the chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if the effective user ID is 0 and fails otherwise. So this change shouldn't cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas
Signed-off-by: Ard Biesheuvel
Acked-by: Laszlo Ersek
Acked-by: Matthew Garrett
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org
Signed-off-by: Ingo Molnar
(backported from commit 359efcc2c910117d2faf704ce154e91fc976d37f)
Signed-off-by: Seth Forshee
---
 drivers/firmware/efi/test/efi_test.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
index f61bb52be318..3dc55ac0af73 100644
--- a/drivers/firmware/efi/test/efi_test.c
+++ b/drivers/firmware/efi/test/efi_test.c
@@ -696,6 +696,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd, static int efi_test_open(struct inode *inode, struct file *file) { + bool locked_down = secure_modules(); + + if (locked_down) + return -EPERM; + + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; /* * nothing special to do here * We do accept multiple open files at the same time as we
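Review bot: the comment that follows the new checks in efi_test_open() still reads "nothing special to do here", which is no longer accurate now that the open handler rejects callers when the kernel is locked down and when they lack CAP_SYS_ADMIN; update or drop that comment in the same hunk. The `locked_down` local is read exactly once and could be folded into the condition (`if (secure_modules()) return -EPERM;`), matching the style of the capable() check below it. The "(backported from commit ...)" line in the commit message does not say how this backport differs from upstream; a short note naming the lockdown helper used here (secure_modules()) would help reviewers comparing against the referenced upstream commit.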