Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions
From: Luck, Tony
Date: Tue Feb 20 2018 - 16:32:57 EST
On Tue, Feb 20, 2018 at 09:22:29PM +0000, Matthew Garrett wrote:
> On Tue, Feb 20, 2018 at 1:18 PM Luck, Tony <tony.luck@xxxxxxxxx> wrote:
>
> > Does this rate an exception to the "don't break userspace" for a security
> issue?
>
> To be clear, when you say "security" is this in reference to it being a
> denial of service, or are you worried about other interactions that may
> cause wider security issues?
The immediate problem is the denial of service attack. I have
a nagging worry that allowing a user to cause an SMI at a precise
time might also be a problem. But I don't know how that could be
leveraged in some other attack.
Making the efivar files 0600 would stop the user from causing the
SMIs. The rate limit solution could include a random delay to make
it tricky to use any attack that relies on an SMI during some specific
code sequence.
-Tony