From: Ard Biesheuvel <ardb@kernel.org>
To: linux-efi@vger.kernel.org
Cc: Ard Biesheuvel <ardb@kernel.org>,
	"Jason A . Donenfeld" <Jason@zx2c4.com>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH] efivarfs: Expose RandomSeed variable but with limited permissions
Date: Sat, 24 Jun 2023 20:04:46 +0200
Message-ID: <20230624180446.2048867-1-ardb@kernel.org>

The efivarfs pseudo-filesystem exposes all EFI variables as
world-readable, and carries some logic to prevent accidental deletion
from bricking a system, by setting the immutable flag on all variables
whose purpose is unknown.

When the RandomSeed support was added, we decided not to expose this
variable via efivarfs at all, given that the kernel itself was intended
to both produce and consume it directly, without involvement from user
space. This removed the need to deal with the world-readable default
permissions (which would be undesirable for the random seed that will be
used on the next boot), as this would require special handling of the
RandomSeed variable, given that we cannot restrict those permissions for
all EFI variables without running the risk of breaking user space.

Now that the producer side of this mechanism has been reverted [0], it
is no longer possible to set the RandomSeed variable at all. Whether
and how we will replace the in-kernel producer with something more
robust is still under discussion, but in the meantime, let's relax the
efivarfs restriction on any direct access of the variable, and instead,
ensure that it is created as user read-write only, both when the EFI
varstore is enumerated (at mount time) and when the file is created
explicitly by user space.

Also ensure that the file is not created with the immutable flag set so
that user space can manipulate the file as usual.

[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=69cbeb61ff9093

Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 fs/efivarfs/inode.c | 4 ++--
 fs/efivarfs/super.c | 9 ++++++---
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/fs/efivarfs/inode.c b/fs/efivarfs/inode.c
index b973a2c03dde825e..00cf368fb0ea7315 100644
--- a/fs/efivarfs/inode.c
+++ b/fs/efivarfs/inode.c
@@ -92,8 +92,8 @@ static int efivarfs_create(struct mnt_idmap *idmap, struct inode *dir,
 	if (err)
 		goto out;
 	if (guid_equal(&var->var.VendorGuid, &LINUX_EFI_RANDOM_SEED_TABLE_GUID)) {
-		err = -EPERM;
-		goto out;
+		mode &= S_IFMT | S_IRUSR | S_IWUSR;
+		is_removable = true;
 	}
 
 	if (efivar_variable_is_removable(var->var.VendorGuid,
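Review bot: the mask `mode &= S_IFMT | S_IRUSR | S_IWUSR;` silently narrows whatever mode user space passed to creat(2), so a caller asking for 0644 ends up with 0600 and no error; that matches the commit message, but a one-line comment at the mask explaining why group/other bits are dropped for this GUID would save the next reader a trip to the commit log, and the commit message could say explicitly that extra bits are dropped rather than rejected. Setting `is_removable = true` ahead of the `efivar_variable_is_removable()` check is only safe if that check never clears the flag, which is worth confirming before this is merged.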
diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
index 482d612b716bb1f0..f98597ec2105ffbb 100644
--- a/fs/efivarfs/super.c
+++ b/fs/efivarfs/super.c
@@ -115,9 +115,12 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor,
 	int len;
 	int err = -ENOMEM;
 	bool is_removable = false;
+	umode_t mode = S_IRUGO | S_IWUSR;
 
-	if (guid_equal(&vendor, &LINUX_EFI_RANDOM_SEED_TABLE_GUID))
-		return 0;
+	if (guid_equal(&vendor, &LINUX_EFI_RANDOM_SEED_TABLE_GUID)) {
+		mode = S_IRUSR | S_IWUSR;
+		is_removable = true;
+	}
 
 	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
 	if (!entry)
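Review bot: the seed-variable policy (owner-only mode, removable) is now written out twice as separate literal assignments, here at enumeration time and in efivarfs_create() in inode.c at create time; a small shared helper taking the vendor GUID and yielding the mode/removable pair would keep the two paths from drifting apart. Also note that the new default `umode_t mode = S_IRUGO | S_IWUSR;` is exactly 0644, the literal it replaces in the next hunk, so every non-seed variable keeps its previous permissions; stating that in the commit message would make the no-change for other variables explicit.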
@@ -147,7 +150,7 @@ static int efivarfs_callback(efi_char16_t *name16, efi_guid_t vendor,
 	/* replace invalid slashes like kobject_set_name_vargs does for /sys/firmware/efi/vars. */
 	strreplace(name, '/', '!');
 
-	inode = efivarfs_get_inode(sb, d_inode(root), S_IFREG | 0644, 0,
+	inode = efivarfs_get_inode(sb, d_inode(root), S_IFREG | mode, 0,
 				   is_removable);
 	if (!inode)
 		goto fail_name;
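Review bot: this hunk now relies on efivarfs_get_inode() honouring `is_removable` to leave S_IMMUTABLE clear for the seed entry; the mode bits alone do not make the file deletable, so the claim in the commit message that user space can manipulate the file as usual should be checked on a test box by confirming that `lsattr` on the RandomSeed entry shows no `i` attribute and that `rm` and a rewrite both succeed.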
-- 
2.39.2



Thread overview: 8+ messages
2023-06-24 18:04 Ard Biesheuvel [this message]
2023-06-25 14:44 ` [PATCH] efivarfs: Expose RandomSeed variable but with limited permissions Jason A. Donenfeld
2023-06-25 19:21   ` Linus Torvalds
2023-06-25 19:58     ` Ard Biesheuvel
2023-06-26 13:50       ` Jason A. Donenfeld
2023-06-26 15:15     ` Sami Korkalainen
2023-06-26 15:23       ` Jason A. Donenfeld
2023-06-26 20:20         ` Sami Korkalainen
