Re: [PATCH 2/2] debugfs: only allow root access to debugging interfaces

From: David Daney
Date: Tue Feb 22 2011 - 13:32:37 EST


On 02/22/2011 10:16 AM, Kees Cook wrote:
Har har, I forgot --compose to "git send-email".

Anyway, with the continuing deluge of bugs in the "debug" filesystem, I
would like to make that filesystem's root directory mode 0700 by default
since it's filled with crazy stuff that regular users do not need to see.

Better to try to just close the door completely on all the stuff in there.
It is, after all, supposed to only be used for debugging, right?


It depends if you consider use of ftrace and kprobes 'debugging'. In any event, you really have to be root to be able to manipulate them.

I can currently do 'cat /sys/kernel/debug/tracing/trace' as a normal user. With your change I don't think it would be possible. This is not something I often (ever) do, but it is a change.

David Daney


-Kees

On Tue, Feb 22, 2011 at 10:09:58AM -0800, Kees Cook wrote:
Block access to the potentially dangerous debugging interfaces in
the debugfs filesystem.

Signed-off-by: Kees Cook <kees.cook@xxxxxxxxxxxxx>
---
fs/debugfs/inode.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 3cb33c3..83c61a3 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -133,7 +133,7 @@ static int debug_fill_super(struct super_block *sb, void *data, int silent)
static struct tree_descr debug_files[] = {{""}};

return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files,
- S_IWUSR | S_IRUGO | S_IXUGO);
+ S_IRWXU);
}

static struct dentry *debug_mount(struct file_system_type *fs_type,
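
Review bot: the new S_IRWXU argument to simple_fill_super() in debug_fill_super() changes the mode of the debugfs root directory from 0755 (S_IWUSR | S_IRUGO | S_IXUGO) to 0700, but the changelog only says "block access" and names neither the old nor the new mode, nor that the root directory is the only thing touched. Please state both modes in the commit message and spell out the user-visible effect: group and other lose read and search permission on the mount root, so unprivileged reads of anything beneath it, such as the tracing/trace case raised in the reply, stop working regardless of the per-file modes. Since the value is hard-coded here, it would also help to say how an administrator who wants the old behaviour is expected to restore it.
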
--
1.7.2.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
