From: Javier Martinez Canillas
To: linux-kernel@vger.kernel.org
Cc: Ivan Hu, Laszlo Ersek, linux-efi@vger.kernel.org, Laura Abbott, Josh Boyer, Peter Jones, Ard Biesheuvel, Javier Martinez Canillas, Janne Karhunen, Kees Cook, David Howells, linux-security-module@vger.kernel.org, Casey Schaufler, Micah Morton, "Steven Rostedt (VMware)", James Morris, Al Viro, Matthew Garrett, "Serge E. Hallyn"
Subject: [PATCH v2] efi/efi_test: lock down /dev/efi_test and require CAP_SYS_ADMIN
Date: Tue, 8 Oct 2019 12:55:10 +0200
Message-Id: <20191008105510.6975-1-javierm@redhat.com>
X-Mailer: git-send-email 2.21.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

The driver exposes EFI runtime services to user-space through an IOCTL interface, calling the EFI services function pointers directly without using the efivar API.

Disallow access to the /dev/efi_test character device when the kernel is locked down to prevent arbitrary user-space from calling EFI runtime services.

Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged users from calling the EFI runtime services, instead of just relying on the chardev file mode bits for this.

The main user of this driver is the fwts [0] tool that already checks if the effective user ID is 0 and fails otherwise. So this change shouldn't cause any regression to this tool.

[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo

Signed-off-by: Javier Martinez Canillas
Acked-by: Laszlo Ersek
---
Changes in v2:
- Also disable /dev/efi_test access when the kernel is locked down as suggested by Matthew Garrett.
- Add Acked-by tag from Laszlo Ersek.

 drivers/firmware/efi/test/efi_test.c | 8 ++++++++
 include/linux/security.h             | 1 +
 security/lockdown/lockdown.c         | 1 +
 3 files changed, 10 insertions(+)
diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c index 877745c3aaf..7baf48c01e7 100644 --- a/drivers/firmware/efi/test/efi_test.c +++ b/drivers/firmware/efi/test/efi_test.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include @@ -717,6 +718,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd, static int efi_test_open(struct inode *inode, struct file *file) { + int ret = security_locked_down(LOCKDOWN_EFI_TEST); + + if (ret) + return ret; + + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; /* * nothing special to do here * We do accept multiple open files at the same time as we diff --git a/include/linux/security.h b/include/linux/security.h index a8d59d612d2..9df7547afc0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -105,6 +105,7 @@ enum lockdown_reason { LOCKDOWN_NONE, LOCKDOWN_MODULE_SIGNATURE, LOCKDOWN_DEV_MEM, + LOCKDOWN_EFI_TEST, LOCKDOWN_KEXEC, LOCKDOWN_HIBERNATION, LOCKDOWN_PCI_ACCESS, diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 8a10b43daf7..40b790536de 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -20,6 +20,7 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { [LOCKDOWN_NONE] = "none", [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", + [LOCKDOWN_EFI_TEST] = "/dev/efi_test access", [LOCKDOWN_KEXEC] = "kexec of unsigned images", [LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_PCI_ACCESS] = "direct PCI access", -- 2.21.0
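Review bot: the header name on the new `+#include` line in the first efi_test.c hunk is missing from this rendering, so it cannot be confirmed from the hunk alone that the file pulls in the declaration of security_locked_down() and the LOCKDOWN_EFI_TEST enumerator that the efi_test_open() hunk relies on; the include should be the one that provides both (linux/security.h, the header the second file of this patch extends), and capable()/CAP_SYS_ADMIN must also be visible in the file, so please check that the line reads as intended in the applied tree.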
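Review bot: the comment that follows the new checks in efi_test_open() (`/* nothing special to do here ... We do accept multiple open files at the same time`) is now stale, since the function does refuse opens on two conditions; rewording it to say that the lockdown and capability checks are the only gate would keep it accurate. Two further points on the same lines: security_locked_down() runs before capable(), so on a locked-down kernel an unprivileged caller sees the lockdown error rather than -EACCES, which is reasonable but worth a sentence in the commit message; and `return -EACCES` for a failed capable() check departs from the usual -EPERM for capability failures, so either switch to -EPERM or say why -EACCES was chosen. Note also that both checks happen only at open() time, so a descriptor opened by a CAP_SYS_ADMIN holder and passed to another process keeps its access; that matches the commit message ("require CAP_SYS_ADMIN to open the chardev") and the way the existing file mode bits already behaved.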
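Review bot: placing LOCKDOWN_EFI_TEST immediately after LOCKDOWN_DEV_MEM in enum lockdown_reason ties the new reason to the same lockdown level as /dev/mem access, because this enum is ordered by level (the lockdown.c table is sized LOCKDOWN_CONFIDENTIALITY_MAX+1 and indexed by it); the commit message should state that this is the intended level, given that the ioctl interface reaches EFI runtime services directly. The string added in the lockdown.c hunk sits at the matching position (after "/dev/mem,kmem,port", before "kexec of unsigned images"), so the two tables stay in sync; any later reordering of the enum has to move both entries together.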