| Message ID | 20230512194302.1662230-1-nicholasbishop@google.com |
|---|---|
| State | Accepted |
| Commit | d0a1865cf7e2211d9227592ef4141f4632e33908 |
| Headers | show |
| Series | efi/esrt: Allow ESRT access without CAP_SYS_ADMIN | expand |
On Mon, 22 May 2023 at 10:11, Ard Biesheuvel <ardb@kernel.org> wrote: > > On Fri, 12 May 2023 at 21:43, Nicholas Bishop <nicholasbishop@google.com> wrote: > > > > Access to the files in /sys/firmware/efi/esrt has been restricted to > > CAP_SYS_ADMIN since support for ESRT was added, but this seems overly > > restrictive given that the files are read-only and just provide > > information about UEFI firmware updates. > > > > Remove the CAP_SYS_ADMIN restriction so that a non-root process can read > > the files, provided a suitably-privileged process changes the file > > ownership first. The files are still read-only and still owned by root by > > default. > > > > Signed-off-by: Nicholas Bishop <nicholasbishop@google.com> > > Seems reasonable to me. Peter? > I've queued this up now. > > --- > > drivers/firmware/efi/esrt.c | 4 ---- > > 1 file changed, 4 deletions(-) > > > > diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c > > index d5915272141f..aab96ab64a1a 100644 > > --- a/drivers/firmware/efi/esrt.c > > +++ b/drivers/firmware/efi/esrt.c > > @@ -95,10 +95,6 @@ static ssize_t esre_attr_show(struct kobject *kobj, > > struct esre_entry *entry = to_entry(kobj); > > struct esre_attribute *attr = to_attr(_attr); > > > > - /* Don't tell normal users what firmware versions we've got... */ > > - if (!capable(CAP_SYS_ADMIN)) > > - return -EACCES; > > - > > return attr->show(entry, buf); > > } > > > > -- > > 2.40.1.606.ga4b1b128d6-goog > >
On Mon, May 22, 2023 at 4:11 AM Ard Biesheuvel <ardb@kernel.org> wrote: > > On Fri, 12 May 2023 at 21:43, Nicholas Bishop <nicholasbishop@google.com> wrote: > > > > Access to the files in /sys/firmware/efi/esrt has been restricted to > > CAP_SYS_ADMIN since support for ESRT was added, but this seems overly > > restrictive given that the files are read-only and just provide > > information about UEFI firmware updates. > > > > Remove the CAP_SYS_ADMIN restriction so that a non-root process can read > > the files, provided a suitably-privileged process changes the file > > ownership first. The files are still read-only and still owned by root by > > default. > > > > Signed-off-by: Nicholas Bishop <nicholasbishop@google.com> > > Seems reasonable to me. Peter? Yeah, I don't think we had any specific reason to limit it. -- Peter
diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c index d5915272141f..aab96ab64a1a 100644 --- a/drivers/firmware/efi/esrt.c +++ b/drivers/firmware/efi/esrt.c @@ -95,10 +95,6 @@ static ssize_t esre_attr_show(struct kobject *kobj, struct esre_entry *entry = to_entry(kobj); struct esre_attribute *attr = to_attr(_attr); - /* Don't tell normal users what firmware versions we've got... */ - if (!capable(CAP_SYS_ADMIN)) - return -EACCES; - return attr->show(entry, buf); }
Access to the files in /sys/firmware/efi/esrt has been restricted to CAP_SYS_ADMIN since support for ESRT was added, but this seems overly restrictive given that the files are read-only and just provide information about UEFI firmware updates. Remove the CAP_SYS_ADMIN restriction so that a non-root process can read the files, provided a suitably-privileged process changes the file ownership first. The files are still read-only and still owned by root by default. Signed-off-by: Nicholas Bishop <nicholasbishop@google.com> --- drivers/firmware/efi/esrt.c | 4 ---- 1 file changed, 4 deletions(-)