[PATCH] debugfs: whitelisted relay file for lockdown
From: Junxiao Bi
Date: Tue Apr 04 2023 - 22:13:21 EST
Relay files in debugfs are used for sending data from kernel to userspace,
the permission of these files are 0444, looks safe to skip lockdown.
Signed-off-by: Junxiao Bi <junxiao.bi@xxxxxxxxxx>
---
fs/debugfs/file.c | 17 +++++++++++++++++
fs/debugfs/internal.h | 5 +++++
2 files changed, 22 insertions(+)
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index d574bda24e21..93ab719d8c7b 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -20,6 +20,7 @@
#include <linux/device.h>
#include <linux/poll.h>
#include <linux/security.h>
+#include <linux/relay.h>
#include "internal.h"
@@ -137,6 +138,22 @@ void debugfs_file_put(struct dentry *dentry)
}
EXPORT_SYMBOL_GPL(debugfs_file_put);
+bool debugfs_file_is_relay(struct dentry *dentry)
+{
+ struct debugfs_fsdata *fsd;
+ void *d_fsd;
+ void *fops;
+
+ d_fsd = READ_ONCE(dentry->d_fsdata);
+ if (!((unsigned long)d_fsd & DEBUGFS_FSDATA_IS_REAL_FOPS_BIT)) {
+ fsd = d_fsd;
+ fops = (void *)fsd->real_fops;
+ } else
+ fops = (void *)((unsigned long)d_fsd &
+ ~DEBUGFS_FSDATA_IS_REAL_FOPS_BIT);
+ return fops == (void *)&relay_file_operations;
+}
+
/*
* Only permit access to world-readable files when the kernel is locked down.
* We also need to exclude any file that has ways to write or alter it as root
diff --git a/fs/debugfs/internal.h b/fs/debugfs/internal.h
index 6bcedb3f90b3..392bb1972226 100644
--- a/fs/debugfs/internal.h
+++ b/fs/debugfs/internal.h
@@ -37,6 +37,7 @@ static const char * const arch_whitelist[] = {
"mds_user_clear"
};
+extern bool debugfs_file_is_relay(struct dentry *dentry);
struct dentry *__attribute__((weak))get_arch_debugfs_dir(void) {return NULL; }
static bool debugfs_lockdown_whitelisted(struct dentry *dentry)
@@ -51,6 +52,10 @@ static bool debugfs_lockdown_whitelisted(struct dentry *dentry)
}
}
+ /* relay file is used for userspace/kernel communicate.*/
+ if (debugfs_file_is_relay(dentry))
+ return true;
+
return false;
}
--
2.24.3 (Apple Git-128)
--5iavvndJv1wOMM1M--