Bug 1216832

Summary: AUDIT-0: fwupd: whitelisting of new polkit files for fwupd 1.9.7
Product: [Novell Products] SUSE Security Incidents
Reporter: Dominique Leuenberger <dimstar>
Component: Audits
Assignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other

Description Dominique Leuenberger 2023-11-02 15:46:59 UTC
Package can be found in home:dimstar:Factory/fwupd


[  114s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.fix-host-security-attr (auth_admin:no:auth_admin)
[  114s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.undo-host-security-attr (auth_admin:no:auth_admin)
[  114s] The polkit action is not listed in the polkit-default-privs profiles which
[  114s] makes it harder for admins to find. Furthermore improper polkit authorization
[  114s] checks can easily introduce security issues. If the package is intended for
[  114s] inclusion in any SUSE product please open a bug report to request review of
[  114s] the package by the security team. Please refer to
[  114s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  114s] more information.

Comment 1 Matthias Gerstner 2023-11-03 14:15:17 UTC
The new actions deal with a host security framework that is now part of fwupd.
It seems they try to measure a host's security level (regarding hardware bugs,
firmware bugs etc.) and also to work around some shortcomings found there.

The Polkit authorization is sane.

The actual logic invoked by these two actions is hard to follow, since it can
also be plugins that are invoked here. The couple of concrete implementations
I've found deal with setting data on sysfs (to change BIOS settings, for
example) or changing the kernel command line parameters.

Since this requires auth_admin it is okay and there should not be any
interactions with lower privilege users that are problematic.
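
The check that rpmlint reports in the description, as an added example (not code from rpmlint, polkit-default-privs or fwupd): it parses a polkit policy file, compares each action's allow_any:allow_inactive:allow_active defaults with a whitelist, and flags any default that grants an action without admin authentication. The policy XML, the whitelist layout and the action org.example.demo.relaxed are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: fwupd ids/defaults as in the rpmlint output; org.example.* is hypothetical.
SAMPLE_POLICY = """<policyconfig>
 <action id="org.freedesktop.fwupd.fix-host-security-attr"><defaults>
  <allow_any>auth_admin</allow_any><allow_inactive>no</allow_inactive>
  <allow_active>auth_admin</allow_active></defaults></action>
 <action id="org.freedesktop.fwupd.undo-host-security-attr"><defaults>
  <allow_any>auth_admin</allow_any><allow_inactive>no</allow_inactive>
  <allow_active>auth_admin</allow_active></defaults></action>
 <action id="org.example.demo.relaxed"><defaults>
  <allow_active>yes</allow_active></defaults></action>
</policyconfig>"""

# Constructed whitelist, assumed layout: "<action id> <any>:<inactive>:<active>"
SAMPLE_WHITELIST = """
org.freedesktop.fwupd.fix-host-security-attr auth_admin:no:auth_admin  # tracked
org.example.demo.relaxed no:no:auth_admin
"""

ADMIN_ONLY = {"no", "auth_admin", "auth_admin_keep"}
KEYS = ("allow_any", "allow_inactive", "allow_active")

def policy_actions(xml_text):
    """Map action id -> 'any:inactive:active'; a missing element counts as 'no'."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        vals = [(action.findtext(f"defaults/{k}") or "no").strip() for k in KEYS]
        actions[action.get("id")] = ":".join(vals)
    return actions

def whitelist(text):
    """Parse whitelist lines, ignoring blanks and # comments."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {row[0]: row[1] for row in rows if len(row) == 2}

def audit(xml_text, whitelist_text):
    """Return (action, finding, privs) tuples for everything needing review."""
    tracked, findings = whitelist(whitelist_text), []
    for action, privs in policy_actions(xml_text).items():
        if action not in tracked:
            findings.append((action, "untracked", privs))
        elif tracked[action] != privs:
            findings.append((action, "differs-from-whitelist", privs))
        if not set(privs.split(":")) <= ADMIN_ONLY:
            findings.append((action, "no-admin-auth-required", privs))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_POLICY, SAMPLE_WHITELIST), sep="\n")
```

On the sample, the fix-host-security-attr action passes, undo-host-security-attr is reported as untracked, and the hypothetical action is reported both for differing from its whitelist entry and for granting active sessions access without admin authentication.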

Comment 2 Matthias Gerstner 2023-11-03 14:39:19 UTC
Whitelisting is on the way

Comment 3 Matthias Gerstner 2023-11-15 10:00:38 UTC
The whitelisting has reached Factory. Closing as fixed.