1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ | |
2 | ||
3 | #include <fcntl.h> | |
4 | #include <unistd.h> | |
5 | ||
6 | #include "alloc-util.h" | |
7 | #include "chattr-util.h" | |
8 | #include "efi-random.h" | |
9 | #include "efivars.h" | |
10 | #include "fd-util.h" | |
11 | #include "fs-util.h" | |
12 | #include "random-util.h" | |
13 | #include "strv.h" | |
14 | ||
/* Best-effort tightening of the LoaderSystemToken EFI variable file: the immutable flag is cleared
 * and the access mode is then reduced to 0600. A missing variable (ENOENT) is skipped silently; any
 * other failure is logged as a warning and otherwise ignored. The function returns void, so callers
 * get no indication of whether the restriction actually took effect. */
void lock_down_efi_variables(void) {
        _cleanup_close_ int token_fd = -1;
        int ret;

        token_fd = open(EFIVAR_PATH(EFI_LOADER_VARIABLE(LoaderSystemToken)), O_RDONLY|O_CLOEXEC);
        if (token_fd < 0 && errno == ENOENT)
                return; /* Variable does not exist, nothing to restrict. */
        if (token_fd < 0) {
                log_warning_errno(errno, "Unable to open LoaderSystemToken EFI variable, ignoring: %m");
                return;
        }

        /* Paranoia: tighten the access mode so that unprivileged users can neither use the token to
         * identify the system nor learn too much about what may have been credited to the entropy
         * pool. The immutable flag is dropped first; the mode change is attempted even when that
         * step failed, and a failure there is reported separately. */
        ret = chattr_fd(token_fd, 0, FS_IMMUTABLE_FL, NULL);
        if (ret < 0)
                log_warning_errno(ret, "Failed to drop FS_IMMUTABLE_FL from LoaderSystemToken EFI variable, ignoring: %m");

        if (fchmod(token_fd, 0600) >= 0)
                return;

        log_warning_errno(errno, "Failed to reduce access mode of LoaderSystemToken EFI variable, ignoring: %m");
}