On 15 February 2018 at 18:22, Joe Konno <joe.konno@xxxxxxxxxxxxxxx> wrote: > From: Joe Konno <joe.konno@xxxxxxxxx> > > It was pointed out that normal, unprivileged users reading certain EFI > variables (through efivarfs) can generate SMIs. Given these nodes are created > with 0644 permissions, normal users could generate a lot of SMIs. By > restricting permissions a bit (patch 1), we can make it harder for normal users > to generate spurious SMIs. > > A normal user could generate lots of SMIs by reading the efivarfs in a trivial > loop: > > ``` > while true; do > cat /sys/firmware/efi/evivars/* > /dev/null > done > ``` > > Patch 1 in this series limits read and write permissions on efivarfs to the > owner/superuser. Group and world cannot access. > > Patch 2 is for consistency and hygiene. If we restrict permissions for either > efivarfs or efi/vars, the other interface should get the same treatment. > I am inclined to apply this as a fix, but I will give the x86 guys a chance to respond as well. > Joe Konno (2): > fs/efivarfs: restrict inode permissions > efi: restrict top-level attribute permissions > > drivers/firmware/efi/efi.c | 10 ++++++---- > fs/efivarfs/super.c | 4 ++-- > 2 files changed, 8 insertions(+), 6 deletions(-) > > -- > 2.14.1 > -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
