[PATCH V2] debugfs: allow access relay files in lockdown mode
Paul Moore
paul at paul-moore.com
Mon Apr 17 21:56:42 UTC 2023
On Mon, Apr 17, 2023 at 4:39 PM Nathan Lynch <nathanl at linux.ibm.com> wrote:
> Junxiao Bi <junxiao.bi at oracle.com> writes:
> > Relay files are used by kernel to transfer information to userspace, these
> > files have permission 0400, but mmap is supported, so they are blocked by
> > lockdown. But since kernel just generates the contents of those files while
> > not reading it, it is saft to access relay files in lockdown mode.
> >
> > With this, blktrace can work well in lockdown mode.
>
> Assuming that all relay users do not expose the kinds of information
> that confidentiality mode tries to restrict, this change seems OK to
> me. I think that assumption applies to blktrace; apart from that, there
> is a handful of drivers that use relay files (I searched for
> relay_open() call sites, maybe there is a better way).
At the very least I see an Intel graphics driver and some network
drivers, but like you, that was a quick search and I'm probably
missing something. At the very least someone needs to go audit those
users/drivers to ensure this is safe to merge.
However, regardless of what that code audit may turn up, I'm a little
concerned that it would be all too easy to add a new relay interface
user which isn't safe. The check in debugfs_locked_down() is far too
removed from the code which is using the relay interface for it to be
likely noticed in a future case where an unsafe user is added. This
looks like a vulnerability waiting to happen.
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list