[PATCH V2] debugfs: allow access relay files in lockdown mode
Junxiao Bi
junxiao.bi at oracle.com
Mon Apr 17 23:48:57 UTC 2023
On 4/17/23 2:56 PM, Paul Moore wrote:
> On Mon, Apr 17, 2023 at 4:39 PM Nathan Lynch<nathanl at linux.ibm.com> wrote:
>> Junxiao Bi<junxiao.bi at oracle.com> writes:
>>> Relay files are used by kernel to transfer information to userspace, these
>>> files have permission 0400, but mmap is supported, so they are blocked by
>>> lockdown. But since kernel just generates the contents of those files while
>>> not reading it, it is saft to access relay files in lockdown mode.
>>>
>>> With this, blktrace can work well in lockdown mode.
>> Assuming that all relay users do not expose the kinds of information
>> that confidentiality mode tries to restrict, this change seems OK to
>> me. I think that assumption applies to blktrace; apart from that, there
>> is a handful of drivers that use relay files (I searched for
>> relay_open() call sites, maybe there is a better way).
> At the very least I see an Intel graphics driver and some network
> drivers, but like you, that was a quick search and I'm probably
> missing something. At the very least someone needs to go audit those
> users/drivers to ensure this is safe to merge.
>
> However, regardless of what that code audit may turn up, I'm a little
> concerned that it would be all too easy to add a new relay interface
> user which isn't safe. The check in debugfs_locked_down() is far too
> removed from the code which is using the relay interface for it to be
> likely noticed in a future case where an unsafe user is added. This
> looks like a vulnerability waiting to happen.
I got this concern. I will make a new version to limit it to only allow
blktrace trace files.
Thanks,
Junxiao.
More information about the Linux-security-module-archive
mailing list