WSL2-Linux-Kernel/security
Javier Martinez Canillas 359efcc2c9 efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN
The driver exposes EFI runtime services to user-space through an IOCTL
interface, calling the EFI services function pointers directly without
using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is
locked down to prevent arbitrary user-space to call EFI runtime services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
users to call the EFI runtime services, instead of just relying on the
chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if
the effective user ID is 0 and fails otherwise. So this change shouldn't
cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Acked-by: Matthew Garrett <mjg59@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191029173755.27149-7-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2019-10-31 09:40:21 +01:00
..
apparmor
integrity integrity: remove pointless subdir-$(CONFIG_...) 2019-10-05 15:29:49 +09:00
keys KEYS: trusted: correctly initialize digests and fix locking issue 2019-09-25 02:43:53 +03:00
loadpin
lockdown efi/efi_test: Lock down /dev/efi_test and require CAP_SYS_ADMIN 2019-10-31 09:40:21 +01:00
safesetid LSM: SafeSetID: Stop releasing uninitialized ruleset 2019-09-17 11:27:05 -07:00
selinux selinux/stable-5.4 PR 20191007 2019-10-08 10:51:37 -07:00
smack I have four patches for v5.4. Nothing is major. All but one are in 2019-09-23 14:25:45 -07:00
tomoyo
yama
Kconfig Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-09-28 08:14:15 -07:00
Kconfig.hardening
Makefile security: Add a static lockdown policy LSM 2019-08-19 21:54:15 -07:00
commoncap.c
device_cgroup.c
inode.c
lsm_audit.c
min_addr.c
security.c Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-09-28 08:14:15 -07:00