efi/esrt: Allow ESRT access without CAP_SYS_ADMIN

nicholasbishop · ardbiesheuvel · commit d0a1865cf7e2 · 2023-06-06T15:33:59.000+02:00
Access to the files in /sys/firmware/efi/esrt has been restricted to
CAP_SYS_ADMIN since support for ESRT was added, but this seems overly
restrictive given that the files are read-only and just provide
information about UEFI firmware updates.

Remove the CAP_SYS_ADMIN restriction so that a non-root process can read
the files, provided a suitably-privileged process changes the file
ownership first. The files are still read-only and still owned by root
by default.

Signed-off-by: Nicholas Bishop &lt;nicholasbishop@google.com&gt;
Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c
@@ -95,10 +95,6 @@ static ssize_t esre_attr_show(struct kobject *kobj,
 	struct esre_entry *entry = to_entry(kobj);
 	struct esre_attribute *attr = to_attr(_attr);
 
-	/* Don't tell normal users what firmware versions we've got... */
-	if (!capable(CAP_SYS_ADMIN))
-		return -EACCES;
-
 	return attr->show(entry, buf);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -95,10 +95,6 @@ static ssize_t esre_attr_show(struct kobject *kobj,`
`95`	`95`	`struct esre_entry *entry = to_entry(kobj);`
`96`	`96`	`struct esre_attribute *attr = to_attr(_attr);`
`97`	`97`
`98`		`- /* Don't tell normal users what firmware versions we've got... */`
`99`		`- if (!capable(CAP_SYS_ADMIN))`
`100`		`- return -EACCES;`
`101`		`-`
`102`	`98`	`return attr->show(entry, buf);`
`103`	`99`	`}`
`104`	`100`