[PATCH 26/27] debugfs: Restrict debugfs when the kernel is locked down
Vasily Gorbik
gor at linux.ibm.com
Thu Apr 25 10:49:14 UTC 2019
On Wed, Mar 06, 2019 at 03:59:12PM -0800, Matthew Garrett wrote:
> From: David Howells <dhowells at redhat.com>
>
> static int open_proxy_open(struct inode *inode, struct file *filp)
> {
> struct dentry *dentry = F_DENTRY(filp);
> @@ -147,6 +166,11 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
> return r == -EIO ? -ENOENT : r;
>
> real_fops = debugfs_real_fops(filp);
> +
> + r = -EPERM;
> + if (debugfs_is_locked_down(inode, filp, real_fops))
> + goto out;
> +
> real_fops = fops_get(real_fops);
> if (!real_fops) {
> /* Huh? Module did not clean up after itself at exit? */
> @@ -272,6 +296,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp)
> return r == -EIO ? -ENOENT : r;
>
> real_fops = debugfs_real_fops(filp);
> + r = -EPERM;
> + if (debugfs_is_locked_down(inode, filp, real_fops))
> + goto out;
> +
> real_fops = fops_get(real_fops);
> if (!real_fops) {
> /* Huh? Module did not cleanup after itself at exit? */
Please be aware that this patch has been known to cause problems in
distributions which picked this patch series already:
ubuntu:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1807686
fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1658675
as well as rhel 8.
I've sent around this potential fix which has been picked by the
distributions (offered via bugzillas), but went apparently unnoticed
at lkml:
https://lkml.org/lkml/2018/11/21/634
https://lkml.org/lkml/2018/11/21/635
"""
With "debugfs: Restrict debugfs when the kernel is locked down"
return code "r" is unconditionally set to -EPERM, which stays like that
until function return if no "open" file operation defined, effectivelly
resulting in "Operation not permitted" for all such files despite kernel
lock down status or CONFIG_LOCK_DOWN_KERNEL being enabled.
"""
I would appreciate if you consider that change, possibly just
squashing into yours.
More information about the Linux-security-module-archive
mailing list