On Mon, May 22, 2023 at 4:11 AM Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > On Fri, 12 May 2023 at 21:43, Nicholas Bishop <nicholasbishop@xxxxxxxxxx> wrote: > > > > Access to the files in /sys/firmware/efi/esrt has been restricted to > > CAP_SYS_ADMIN since support for ESRT was added, but this seems overly > > restrictive given that the files are read-only and just provide > > information about UEFI firmware updates. > > > > Remove the CAP_SYS_ADMIN restriction so that a non-root process can read > > the files, provided a suitably-privileged process changes the file > > ownership first. The files are still read-only and still owned by root by > > default. > > > > Signed-off-by: Nicholas Bishop <nicholasbishop@xxxxxxxxxx> > > Seems reasonable to me. Peter? Yeah, I don't think we had any specific reason to limit it. -- Peter
