Re: [PATCH V2] debugfs: allow access relay files in lockdown mode

From: Junxiao Bi
Date: Mon Apr 17 2023 - 19:49:22 EST


On 4/17/23 2:56 PM, Paul Moore wrote:

On Mon, Apr 17, 2023 at 4:39 PM Nathan Lynch<nathanl@xxxxxxxxxxxxx> wrote:
Junxiao Bi<junxiao.bi@xxxxxxxxxx> writes:
Relay files are used by kernel to transfer information to userspace, these
files have permission 0400, but mmap is supported, so they are blocked by
lockdown. But since kernel just generates the contents of those files while
not reading it, it is saft to access relay files in lockdown mode.

With this, blktrace can work well in lockdown mode.
Assuming that all relay users do not expose the kinds of information
that confidentiality mode tries to restrict, this change seems OK to
me. I think that assumption applies to blktrace; apart from that, there
is a handful of drivers that use relay files (I searched for
relay_open() call sites, maybe there is a better way).
At the very least I see an Intel graphics driver and some network
drivers, but like you, that was a quick search and I'm probably
missing something. At the very least someone needs to go audit those
users/drivers to ensure this is safe to merge.

However, regardless of what that code audit may turn up, I'm a little
concerned that it would be all too easy to add a new relay interface
user which isn't safe. The check in debugfs_locked_down() is far too
removed from the code which is using the relay interface for it to be
likely noticed in a future case where an unsafe user is added. This
looks like a vulnerability waiting to happen.

I got this concern. I will make a new version to limit it to only allow blktrace trace files.

Thanks,

Junxiao.