Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions

From: Matthew Garrett
Date: Tue Feb 20 2018 - 16:35:38 EST

Next message: Dave Chinner: "Re: [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data"
Previous message: Luck, Tony: "Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions"
In reply to: Luck, Tony: "Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions"
Next in thread: Linus Torvalds: "Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 20, 2018 at 1:32 PM Luck, Tony <tony.luck@xxxxxxxxx> wrote:

> The immediate problem is the denial of service attack. I have
> a nagging worry that allowing a user to cause an SMI at a precise
> time might also be a problem. But I don't know how that could be
> leveraged in some other attack.

The thing that worries me here is that if it's possible for root to
potentially attack the kernel then just changing the permissions is still
allowing an escalation of privilege. The other approaches would also block
this.

Next message: Dave Chinner: "Re: [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data"
Previous message: Luck, Tony: "Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions"
In reply to: Luck, Tony: "Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions"
Next in thread: Linus Torvalds: "Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]