diff --git a/patches.suse/powercap-Restrict-energy-meter-to-root-access.patch b/patches.suse/powercap-Restrict-energy-meter-to-root-access.patch
new file mode 100644
index 0000000..01029e7
--- /dev/null
+++ b/patches.suse/powercap-Restrict-energy-meter-to-root-access.patch
@@ -0,0 +1,45 @@
+From: Len Brown
+Date: Sat, 17 Oct 2020 16:06:48 +0200
+Subject: [PATCH] powercap: Restrict energy meter to root access
+Patch-mainline: Not yet but will be in a subsystem tree; enough with the checks already
+References: bsc#1170415 CVE-2020-8694
+
+Remove non-privileged user access to power data contained in
+/sys/class/powercap/intel_rapl/*/energy_uj.
+
+Non-privileged users currently have read access to power data
+and can use this data to form a security attack. Some privileged
+drivers/applications need read access to this data, but don't expose it
+to non-privileged users.
+
+For example, thermald uses this data to ensure that power management
+works correctly. Thus removing non-privileged access is preferred
+over completely disabling this power reporting capability with
+CONFIG_INTEL_RAPL=n.
+
+Fixes: 95677a9a3847 ("PowerCap: Fix mode for energy counter")
+Signed-off-by: Len Brown
+Acked-by: Borislav Petkov
+---
+ drivers/powercap/powercap_sys.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c
+index f808c5fa9838..3f0b8e2ef3d4 100644
+--- a/drivers/powercap/powercap_sys.c
++++ b/drivers/powercap/powercap_sys.c
+@@ -367,9 +367,9 @@ static void create_power_zone_common_attributes(
+ &dev_attr_max_energy_range_uj.attr;
+ if (power_zone->ops->get_energy_uj) {
+ if (power_zone->ops->reset_energy_uj)
+- dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUGO;
++ dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUSR;
+ else
+- dev_attr_energy_uj.attr.mode = S_IRUGO;
++ dev_attr_energy_uj.attr.mode = S_IRUSR;
+ power_zone->zone_dev_attrs[count++] =
+ &dev_attr_energy_uj.attr;
+ }
+--
+2.21.0
+
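Review bot: The two new mode assignments for `dev_attr_energy_uj` carry no comment explaining why the counter is owner-read only, so a later permissions cleanup could widen it again without seeing the side-channel rationale behind CVE-2020-8694; I would add `/* energy_uj exposes fine-grained power data: keep it readable by the owner (root) only */` above the `if (power_zone->ops->reset_energy_uj)` line. As a style point, kernel checkpatch prefers octal modes, so `0600` and `0400` would read more directly than `S_IWUSR | S_IRUSR` and `S_IRUSR`. The restriction covers only this one sysfs attribute, and the body of create_power_zone_common_attributes starts and ends outside the hunk, so whether other zone attributes or other interfaces to the same counter are equally restricted cannot be seen here and should be confirmed. Unprivileged monitoring tools that read energy_uj will start getting permission errors after this change, which is worth stating in the package changelog.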
diff --git a/series.conf b/series.conf index 6b6ce49..c11a468 100644 --- a/series.conf +++ b/series.conf @@ -15739,6 +15739,7 @@ patches.suse/rpadlpar_io-Add-MODULE_DESCRIPTION-entries-to-kernel.patch patches.suse/qla2xxx-return-ebusy-on-fcport-deletion.patch patches.suse/x86-unwind-orc-Fix-inactive-tasks-with-stack-pointer.patch + patches.suse/powercap-Restrict-energy-meter-to-root-access.patch ######################################################## # kbuild/module infrastructure fixes