On Mon, 22 May 2023 at 10:11, Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > On Fri, 12 May 2023 at 21:43, Nicholas Bishop <nicholasbishop@xxxxxxxxxx> wrote: > > > > Access to the files in /sys/firmware/efi/esrt has been restricted to > > CAP_SYS_ADMIN since support for ESRT was added, but this seems overly > > restrictive given that the files are read-only and just provide > > information about UEFI firmware updates. > > > > Remove the CAP_SYS_ADMIN restriction so that a non-root process can read > > the files, provided a suitably-privileged process changes the file > > ownership first. The files are still read-only and still owned by root by > > default. > > > > Signed-off-by: Nicholas Bishop <nicholasbishop@xxxxxxxxxx> > > Seems reasonable to me. Peter? > I've queued this up now. > > --- > > drivers/firmware/efi/esrt.c | 4 ---- > > 1 file changed, 4 deletions(-) > > > > diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c > > index d5915272141f..aab96ab64a1a 100644 > > --- a/drivers/firmware/efi/esrt.c > > +++ b/drivers/firmware/efi/esrt.c > > @@ -95,10 +95,6 @@ static ssize_t esre_attr_show(struct kobject *kobj, > > struct esre_entry *entry = to_entry(kobj); > > struct esre_attribute *attr = to_attr(_attr); > > > > - /* Don't tell normal users what firmware versions we've got... */ > > - if (!capable(CAP_SYS_ADMIN)) > > - return -EACCES; > > - > > return attr->show(entry, buf); > > } > > > > -- > > 2.40.1.606.ga4b1b128d6-goog > >
