Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions
From: Matthew Garrett
Date: Tue Feb 20 2018 - 16:35:38 EST
On Tue, Feb 20, 2018 at 1:32 PM Luck, Tony <tony.luck@xxxxxxxxx> wrote:
> The immediate problem is the denial of service attack. I have
> a nagging worry that allowing a user to cause an SMI at a precise
> time might also be a problem. But I don't know how that could be
> leveraged in some other attack.
The thing that worries me here is that if it's possible for root to
potentially attack the kernel then just changing the permissions is still
allowing an escalation of privilege. The other approaches would also block
this.