]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
c18ecf03 LP |
2 | |
3 | #include <fcntl.h> | |
c18ecf03 LP |
4 | #include <unistd.h> |
5 | ||
6 | #include "alloc-util.h" | |
7 | #include "chattr-util.h" | |
8 | #include "efi-random.h" | |
9 | #include "efivars.h" | |
10 | #include "fd-util.h" | |
11 | #include "fs-util.h" | |
4dd055f9 | 12 | #include "random-util.h" |
c18ecf03 LP |
13 | #include "strv.h" |
14 | ||
0be72218 | 15 | void lock_down_efi_variables(void) { |
254d1313 | 16 | _cleanup_close_ int fd = -EBADF; |
c18ecf03 LP |
17 | int r; |
18 | ||
0be72218 JD |
19 | fd = open(EFIVAR_PATH(EFI_LOADER_VARIABLE(LoaderSystemToken)), O_RDONLY|O_CLOEXEC); |
20 | if (fd < 0) { | |
21 | if (errno != ENOENT) | |
22 | log_warning_errno(errno, "Unable to open LoaderSystemToken EFI variable, ignoring: %m"); | |
23 | return; | |
24 | } | |
25 | ||
c18ecf03 LP |
26 | /* Paranoia: let's restrict access modes of these a bit, so that unprivileged users can't use them to |
27 | * identify the system or gain too much insight into what we might have credited to the entropy | |
28 | * pool. */ | |
0be72218 | 29 | r = chattr_fd(fd, 0, FS_IMMUTABLE_FL, NULL); |
c18ecf03 | 30 | if (r < 0) |
0be72218 JD |
31 | log_warning_errno(r, "Failed to drop FS_IMMUTABLE_FL from LoaderSystemToken EFI variable, ignoring: %m"); |
32 | if (fchmod(fd, 0600) < 0) | |
33 | log_warning_errno(errno, "Failed to reduce access mode of LoaderSystemToken EFI variable, ignoring: %m"); | |
c18ecf03 | 34 | } |