blob: dffde57c912e09aeb488631270102e7a7a52102f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include <fcntl.h>
#include <unistd.h>
#include "alloc-util.h"
#include "chattr-util.h"
#include "efi-random.h"
#include "efivars.h"
#include "fd-util.h"
#include "fs-util.h"
#include "random-util.h"
#include "strv.h"
void lock_down_efi_variables(void) {
_cleanup_close_ int fd = -EBADF;
int r;
fd = open(EFIVAR_PATH(EFI_LOADER_VARIABLE(LoaderSystemToken)), O_RDONLY|O_CLOEXEC);
if (fd < 0) {
if (errno != ENOENT)
log_warning_errno(errno, "Unable to open LoaderSystemToken EFI variable, ignoring: %m");
return;
}
/* Paranoia: let's restrict access modes of these a bit, so that unprivileged users can't use them to
* identify the system or gain too much insight into what we might have credited to the entropy
* pool. */
r = chattr_fd(fd, 0, FS_IMMUTABLE_FL, NULL);
if (r < 0)
log_warning_errno(r, "Failed to drop FS_IMMUTABLE_FL from LoaderSystemToken EFI variable, ignoring: %m");
if (fchmod(fd, 0600) < 0)
log_warning_errno(errno, "Failed to reduce access mode of LoaderSystemToken EFI variable, ignoring: %m");
}
|
