projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
| c18ecf03 LP |
2 | |
| 3 | #include <fcntl.h> | |
| c18ecf03 LP |
4 | #include <unistd.h> |
| 5 | ||
| 6 | #include "alloc-util.h" | |
| 7 | #include "chattr-util.h" | |
| 8 | #include "efi-random.h" | |
| 9 | #include "efivars.h" | |
| 10 | #include "fd-util.h" | |
| 11 | #include "fs-util.h" | |
| 4dd055f9 | 12 | #include "random-util.h" |
| c18ecf03 LP |
13 | #include "strv.h" |
| 14 | ||
| 0be72218 JD |
15 | void lock_down_efi_variables(void) { |
| 16 | _cleanup_close_ int fd = -1; | |
| c18ecf03 LP |
17 | int r; |
| 18 | ||
| 0be72218 JD |
19 | fd = open(EFIVAR_PATH(EFI_LOADER_VARIABLE(LoaderSystemToken)), O_RDONLY|O_CLOEXEC); |
| 20 | if (fd < 0) { | |
| 21 | if (errno != ENOENT) | |
| 22 | log_warning_errno(errno, "Unable to open LoaderSystemToken EFI variable, ignoring: %m"); | |
| 23 | return; | |
| 24 | } | |
| 25 | ||
| c18ecf03 LP |
26 | /* Paranoia: let's restrict access modes of these a bit, so that unprivileged users can't use them to |
| 27 | * identify the system or gain too much insight into what we might have credited to the entropy | |
| 28 | * pool. */ | |
| 0be72218 | 29 | r = chattr_fd(fd, 0, FS_IMMUTABLE_FL, NULL); |
| c18ecf03 | 30 | if (r < 0) |
| 0be72218 JD |
31 | log_warning_errno(r, "Failed to drop FS_IMMUTABLE_FL from LoaderSystemToken EFI variable, ignoring: %m"); |
| 32 | if (fchmod(fd, 0600) < 0) | |
| 33 | log_warning_errno(errno, "Failed to reduce access mode of LoaderSystemToken EFI variable, ignoring: %m"); | |
| c18ecf03 | 34 | } |