Received: by 10.223.185.116 with SMTP id b49csp1135735wrg; Tue, 20 Feb 2018 14:04:10 -0800 (PST) X-Google-Smtp-Source: AH8x225nyCH5LHh0KmZ/9HvUuSDuT0moLIbyspmpIo+EZASpukUC4G6KxuVBnvKihU0zhoJyrM+u X-Received: by 2002:a17:902:5a5:: with SMTP id f34-v6mr1012747plf.134.1519164250051; Tue, 20 Feb 2018 14:04:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519164249; cv=none; d=google.com; s=arc-20160816; b=t1FZXufME2u+CsC+YTFRhDRNWPI1TQ/tuFTIRcaL2L6EjHPhGYv4/A8pDp38VQhXi/ 4PpH3TN62PlmZu8SxXIdjx6ufwAk9d7xkoRLgoK7n9MkWJ44OLBmA7/J5rG85Igg6xcx BIAN8EdW4Mhb/TirdWlc5UCjVb2japS+hGqAqVkpvLzhCBQKs79JQ4jOHUjAQsV/GO7p V1HaxgkSsMso6Vg4glW6Ir06RbVOKvTUOxpcfdJF8nEETdqY7Ff4BLCVuEbQSr/AOZjU Gnk5Hx/K/lbSuQiOZFH3m2WO25uQyI7ICfRKY/X79HVtu0OkZhw4lGHnZFQwiGu/MMXV j2OA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=XcEagX8aFq6XnxTfLt4M6Z7ZEBrXHp1dteeJurQxgdw=; b=KTczvmpIGKWn+3rrE8xN3oYoLBI9UcUmfEvBoG00jSLsG8e39GMTXyNjSIcVpdTztv /3F4k6T2SrvFhQ2Q3NDPI444JfyLzpQIJrh7Ve1e3Yzjfu5aU7eD+MypnEshxaqLsnFy kq7vh76/+jzyCUjAHzIgeZ8lPU8k19VTiwUCwRNRTPbVrO5n4X0/6e6zEA0Y+/bLqg/4 eIafm98ifBwlGfpjqpDAGwfJDTXQJ6LKrqNmeAFoFQXM0mta2gfvJyf7o5bb5SXvFBBe byDIrJMWijal97OuoFt2kIQ5L3y56oxQr1VryGBtgC0dRYIyQ5B8YLBfUSIK1GGLJcWB xi/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=AyesW1eE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 91-v6si317023plh.570.2018.02.20.14.03.46; Tue, 20 Feb 2018 14:04:09 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=AyesW1eE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751557AbeBTWBz (ORCPT + 99 others); Tue, 20 Feb 2018 17:01:55 -0500 Received: from mail-it0-f54.google.com ([209.85.214.54]:40626 "EHLO mail-it0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750773AbeBTWBx (ORCPT ); Tue, 20 Feb 2018 17:01:53 -0500 Received: by mail-it0-f54.google.com with SMTP id v186so14931240itc.5; Tue, 20 Feb 2018 14:01:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=XcEagX8aFq6XnxTfLt4M6Z7ZEBrXHp1dteeJurQxgdw=; b=AyesW1eEM/KntKcKlJtIRy0I5C6JsVG1gyNv6NfWfBSRPszC5AnLlydHrp5E5RJXxD bRHwOc26hAvUPRvsEZLczlGFOMOQyPUQ83Wcb+fYjFTeXwh5xawhKPfal82NLqj4wIMW yYvkMkltHnhPf46z9XX+B+4oo6TDbVFFU5JapwyGCbzdjcI77yr4caFt/KTlqZ8h+dGh YpWQJ+71F0JyhiTxoLr58RmSEUm5CHdCG5eSK/+FvKFfByLgvofGIV//vdd4KYRqo4ck 3dsDHaLULWaQNcrJnVy95ziFAIcVdDB3bt9fczJl+zIqPnsxdV03jvDjGirPh0N9N/7n EoqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=XcEagX8aFq6XnxTfLt4M6Z7ZEBrXHp1dteeJurQxgdw=; b=ifWHXhjeccf0gd0EjlrtOxWb948r9OJqzERXk57r42LXlIGFP7Ubpxo64gxM8WpZ79 IIaDCcdrHM6f+RKOd7jpReGsItZnEZqzOakMsGZubNv8EaNj84CFF88XQqgSRPGzhcqm Wk80rsu5kq2lLszExan/eW8EJQOZzMxUjscOaKLSbYkKVdBPfsi73/R7o5zZ24IMnIlB GXHn3ncTJFLIXBfW8jq8/ZT0eo4vSmVjNnfRVGg9QZZy3EM3ErN5m/PdFAxjP39PVLfu +4F7QE5MZ4xp9jFz2DzIJfd8NWgawJIWyZTNHm07D5O7pg05BmRo/TwSWMkKgWcLrknb totw== X-Gm-Message-State: APf1xPAOU9jQRF9bYdV2AeZzWcnuWJj9KEvfS0ifh41wDs6gleWIY0VX /gODpOzt1zii+po6nHC2epzQrjbZqsL+WZQ7YlU= X-Received: by 10.36.95.72 with SMTP id r69mr512983itb.113.1519164112188; Tue, 20 Feb 2018 14:01:52 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.135.221 with HTTP; Tue, 20 Feb 2018 14:01:51 -0800 (PST) In-Reply-To: <20180220211849.fqjb6rdmypl6opir@agluck-desk> References: <20180215182208.35003-1-joe.konno@linux.intel.com> <20180215182208.35003-2-joe.konno@linux.intel.com> <6680a760-eb30-4daf-2dad-a9628f1c15a8@kernel.org> <20180220211849.fqjb6rdmypl6opir@agluck-desk> From: Linus Torvalds Date: Tue, 20 Feb 2018 14:01:51 -0800 X-Google-Sender-Auth: aObiZiaw4rkvwuU3jRUr-xLS8l0 Message-ID: Subject: Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions To: "Luck, Tony" Cc: Joe Konno , linux-efi@vger.kernel.org, Linux Kernel Mailing List , Ard Biesheuvel , Matthew Garrett , Jeremy Kerr , Andi Kleen , Matthew Garrett , Peter Jones , Andy Lutomirski , James Bottomley Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 20, 2018 at 1:18 PM, Luck, Tony wrote: > ... >> > - inode = efivarfs_get_inode(sb, d_inode(root), S_IFREG | 0644, 0, >> > + inode = efivarfs_get_inode(sb, d_inode(root), S_IFREG | 0600, 0, >> > is_removable); > > Linus, > > Does this rate an exception to the "don't break userspace" for a security issue? I have a hard time judging, since I don't know what the breakage is. _Theoretical_ breakage doesn't matter. But yes, if it's actually part of some regular use flow, then it matters, and we should not do this change. It's not a real security issue, afaik. I do think that we might need to just extend on the whitelist for efi variables we _already_ have for other reasons. I'm talking about that whole variable_validate[] array. Which variables are actually used by user space tools? It sounds like it may be exactly those boot order things that we already have flags and special behavior for. And no, I don't believe in the "SMI can trigger a DoS" argument. Those garbage efivars that *do* trigger SMI's should me marked and shamed, and maybe _they_ need to be added to the list of things that you should look out for. Root or not. And just on general principlies, I don't want to see weasel-wordy commit messages like "Reading certain EFI variables trigger SMIs" I understand *writing* them causing SMI's due to some flash protection scheme. What's the reading thing? And why aren't we calling that garbage out? So even if we do need to limit reading, I want out comments (in core or commits) to actually explain *Why*., instead of this kind of non-specific fear-mongering that nobody can really say yay or nay about. Linus