Bug 1216832 - AUDIT-0: fwupd: whitelisting of new polkit files for fwupd 1.9.7
Summary: AUDIT-0: fwupd: whitelisting of new polkit files for fwupd 1.9.7
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Audits
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Matthias Gerstner
QA Contact: Security Team bot
Reported: 2023-11-02 15:46 UTC by Dominique Leuenberger
Modified: 2024-03-13 09:22 UTC
Description Dominique Leuenberger 2023-11-02 15:46:59 UTC
Package can be found in home:dimstar:Factory/fwupd


[  114s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.fix-host-security-attr (auth_admin:no:auth_admin)
[  114s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.undo-host-security-attr (auth_admin:no:auth_admin)
[  114s] The polkit action is not listed in the polkit-default-privs profiles which
[  114s] makes it harder for admins to find. Furthermore improper polkit authorization
[  114s] checks can easily introduce security issues. If the package is intended for
[  114s] inclusion in any SUSE product please open a bug report to request review of
[  114s] the package by the security team. Please refer to
[  114s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  114s] more information.
Comment 1 Matthias Gerstner 2023-11-03 14:15:17 UTC
The new actions deal with a host security framework that is now part of fwupd.
It seems they try to measure a host's security level (regarding hardware bugs,
firmware bugs etc.) and also to work around some shortcomings found there.

The Polkit authorization is sane.

The actual logic invoked by these two actions is hard to follow, since it can
also be plugins that are invoked here. The couple of concrete implementations
I've found deal with setting data on sysfs (to change BIOS settings for
example) or change the kernel command line parameters.

Since this requires auth_admin it is okay and there should not be any
interactions with lower privilege users that are problematic.
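
An added example, not part of the original comments and not SUSE's or rpmlint's own code: a small triage helper that parses `polkit-untracked-privilege` lines like the two in the description and reports whether any session class can trigger the action without admin authentication. It assumes the three values are ordered any:inactive:active, as in polkit-default-privs profiles; the `org.example.demo.set-option` line is constructed for contrast.

```python
import re

# polkit implicit-authorization values, split by who can satisfy them.
ADMIN_GATED = {"no", "auth_admin", "auth_admin_keep"}
USER_REACHABLE = {"yes", "auth_self", "auth_self_keep"}
# Assumed field order in the rpmlint message: any:inactive:active.
FIELDS = ("any", "inactive", "active")

LINE_RE = re.compile(
    r"polkit-untracked-privilege \(Badness: \d+\) "
    r"(?P<action>[\w.-]+) \((?P<any>\w+):(?P<inactive>\w+):(?P<active>\w+)\)"
)

def triage(log_text):
    """Return {action: (verdict, fields_needing_review)} for each finding."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # explanatory text or unrelated build output
        weak = [f for f in FIELDS if m.group(f) in USER_REACHABLE]
        unknown = [f for f in FIELDS
                   if m.group(f) not in ADMIN_GATED | USER_REACHABLE]
        if unknown:
            # Fail closed: an unrecognized value needs a human look.
            verdict, fields = "unknown-value", unknown
        elif weak:
            verdict, fields = "user-reachable", weak
        else:
            verdict, fields = "admin-gated", []
        result[m.group("action")] = (verdict, fields)
    return result

# First three lines are from the bug description; the last one is constructed.
SAMPLE_LOG = """\
[  114s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.fix-host-security-attr (auth_admin:no:auth_admin)
[  114s] fwupd.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.freedesktop.fwupd.undo-host-security-attr (auth_admin:no:auth_admin)
[  114s] The polkit action is not listed in the polkit-default-privs profiles which
[    0s] demo.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.example.demo.set-option (auth_admin:no:yes)
"""

if __name__ == "__main__":
    for action, (verdict, fields) in triage(SAMPLE_LOG).items():
        print(f"{action}: {verdict} {fields}")
```

An "admin-gated" verdict only covers the declared defaults; what the privileged helper does after authorization still needs the kind of code review described in the comment above.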
Comment 2 Matthias Gerstner 2023-11-03 14:39:19 UTC
Whitelisting is on the way
Comment 3 Matthias Gerstner 2023-11-15 10:00:38 UTC
The whitelisting has reached Factory. Closing as fixed.