On Fri, 12 May 2023 at 21:43, Nicholas Bishop <nicholasbishop@xxxxxxxxxx> wrote: > > Access to the files in /sys/firmware/efi/esrt has been restricted to > CAP_SYS_ADMIN since support for ESRT was added, but this seems overly > restrictive given that the files are read-only and just provide > information about UEFI firmware updates. > > Remove the CAP_SYS_ADMIN restriction so that a non-root process can read > the files, provided a suitably-privileged process changes the file > ownership first. The files are still read-only and still owned by root by > default. > > Signed-off-by: Nicholas Bishop <nicholasbishop@xxxxxxxxxx> Seems reasonable to me. Peter? > --- > drivers/firmware/efi/esrt.c | 4 ---- > 1 file changed, 4 deletions(-) > > diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c > index d5915272141f..aab96ab64a1a 100644 > --- a/drivers/firmware/efi/esrt.c > +++ b/drivers/firmware/efi/esrt.c > @@ -95,10 +95,6 @@ static ssize_t esre_attr_show(struct kobject *kobj, > struct esre_entry *entry = to_entry(kobj); > struct esre_attribute *attr = to_attr(_attr); > > - /* Don't tell normal users what firmware versions we've got... */ > - if (!capable(CAP_SYS_ADMIN)) > - return -EACCES; > - > return attr->show(entry, buf); > } > > -- > 2.40.1.606.ga4b1b128d6-goog >
