lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <7131a0f8-6ef2-c345-f3e2-b892e5f312ed@redhat.com>
Date:   Thu, 3 Oct 2019 14:36:42 +0200
From:   Laszlo Ersek <lersek@...hat.com>
To:     Javier Martinez Canillas <javierm@...hat.com>,
        linux-kernel@...r.kernel.org
Cc:     Ivan Hu <ivan.hu@...onical.com>, linux-efi@...r.kernel.org,
        Laura Abbott <labbott@...hat.com>,
        Josh Boyer <jwboyer@...hat.com>,
        Peter Jones <pjones@...hat.com>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>
Subject: Re: [PATCH] efi/efi_test: require CAP_SYS_ADMIN to open the chardev

On 10/03/19 12:07, Javier Martinez Canillas wrote:
> The driver exposes EFI runtime services to user-space through an IOCTL
> interface, calling the EFI services function pointers directly without
> using the efivar API.
> 
> Among other things the driver allows to read and write EFI variables and
> doesn't require CAP_SYS_ADMIN as is the case for the efivar sysfs driver.
> 
> To make sure that unprivileged users won't be able to access the exposed
> EFI runtime services require CAP_SYS_ADMIN to open the character device,
> instead of just relying on the chardev file mode bits to prevent this.
> 
> The main user of this driver is the fwts [0] tool, that already checks if
> the effective user ID is 0 and fails otherwise. So adding the requirement
> won't cause any regression to this tool.
> 
> [0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo
> 
> Signed-off-by: Javier Martinez Canillas <javierm@...hat.com>
> 
> 
> ---
> 
> Hello,
> 
> We want to enable this driver in the Fedora kernel for testing purposes.
> 
> Currently the GetVariable() UEFI runtime service is used (through the
> efivar sysfs interface) to test that OVMF is able to enter into SMM.
> 
> But there's a proposal to add a UEFI variable cache outside of SMM, to
> speedup GetVariable() calls. So the plan is to call QueryVariableInfo()
> instead that's also read-only and sufficiently infrequently called that
> is not planned to be cached anytime soon.
> 
> Building the efi_test module will allow us to call this EFI service by
> using the fwts uefivarinfo test. But we are worried that enabling this
> driver could open a new attack vector and lead to unprivileged users
> accessing the exposed EFI services.
> 
> This is also consistent with the efivar driver since it also requires
> the CAP_SYS_ADMIN capability.
> 
> Best regards,
> Javier
> 
>  drivers/firmware/efi/test/efi_test.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
> index 877745c3aaf..81de7374c42 100644
> --- a/drivers/firmware/efi/test/efi_test.c
> +++ b/drivers/firmware/efi/test/efi_test.c
> @@ -717,6 +717,8 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
>  
>  static int efi_test_open(struct inode *inode, struct file *file)
>  {
> +	if (!capable(CAP_SYS_ADMIN))
> +		return -EACCES;
>  	/*
>  	 * nothing special to do here
>  	 * We do accept multiple open files at the same time as we
> 

Looks consistent with other capable(CAP_SYS_ADMIN) checks in
drivers/firmware/efi/.

Acked-by: Laszlo Ersek <lersek@...hat.com>

Thanks!
Laszlo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ