Received: by 10.192.165.156 with SMTP id m28csp2022409imm; Thu, 12 Apr 2018 07:24:24 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/0awXmzbavE/MbOxVYKey3khv3g7oAOSO7AgLOC4AQT/dB7eR1qnlk1yWgm5nHaPo7iD7A X-Received: by 10.99.55.68 with SMTP id g4mr846724pgn.283.1523543064550; Thu, 12 Apr 2018 07:24:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523543064; cv=none; d=google.com; s=arc-20160816; b=H/ncBbsT3yo+2A1HEw/HEFWka+KFHpqV4Ue7ProxakNZUNwnpYLqg17FR33hGs55XG 5U5MAg6bxYJJs1lvCv9zBB518hwSEbUV48VeaF1Et+Wx7GfdtxZfwxIMWBolpdNERbzm nN8aXrh1fdMBFnhDKWuE0qXryTC7y8lPX9HItmtHhbyaV+bq2Bm3va9QLJkdXFgNZE6H /B61SDgu3z8ZuEtcgm7VFhanpQ7G64WZuWAEwx+HDGq+5mkv2Lh8+xQFXhXaZmFQzQk2 sWG389f2WgI/4VsInhEIo+t1nO0duua9HamRwdWqoTL+liZZL1y+1F02pnpGPeIXijj3 9Y5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dmarc-filter :arc-authentication-results; bh=5Dr/bB9A8dWWzhezac7uumdS3KOhFC9wmj4S+JAHjFE=; b=BtG6nuZHenrDaENGO6FKd4oPnV73q7Q8StT9eHn9M3OYSOIoNYlDfkAA3TRK7/FMF8 iCgEqXdiDIwfssrjmYRgHqp+XuBFybxIa/LYwq/fEpnMWRiZ6CSGG61UdrG63zVBpxyP rB3DuO/6VTOCsqfUMDl0nSYowmDiK8NES9Xn2V2uiR6tO8Lu+CTna+ea2mGqBB5Wujmd Jwr6KvCedbg77XD5Uf2fhABqLRYKwBE4dM0gh3loNsOov77hL28IyOxGs047GCekaId3 8PJI2NONqLtgrEOIFhmJT3szyZ+yoQgxiwYzo7sG23r6FZomAeXRsPoD/vOzl6Oci4Ar 6T9Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n4si2615934pfn.352.2018.04.12.07.23.47; Thu, 12 Apr 2018 07:24:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752831AbeDLOT7 (ORCPT + 99 others); Thu, 12 Apr 2018 10:19:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:34478 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752383AbeDLOT5 (ORCPT ); Thu, 12 Apr 2018 10:19:57 -0400 Received: from mail-it0-f54.google.com (mail-it0-f54.google.com [209.85.214.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9934B2183D for ; Thu, 12 Apr 2018 14:19:56 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9934B2183D Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-it0-f54.google.com with SMTP id 142-v6so7493101itl.5 for ; Thu, 12 Apr 2018 07:19:56 -0700 (PDT) X-Gm-Message-State: ALQs6tA/FpPuB5RK4d0+XerTzDgjW0fEyIABPzLzWNB29pLSikcrbAt7 mvhwRcvlKBvrL4hbYkXHNTZZCtxJihnmJSB+6sdV5w== X-Received: by 2002:a24:2d0d:: with SMTP id x13-v6mr1181359itx.54.1523542795938; Thu, 12 Apr 2018 07:19:55 -0700 (PDT) MIME-Version: 1.0 Received: by 10.2.141.77 with HTTP; Thu, 12 Apr 2018 07:19:35 -0700 (PDT) In-Reply-To: <20180412082313.GA6054@kroah.com> References: <20180411195436.GA7126@kroah.com> <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk> <152346403637.4030.15247096217928429102.stgit@warthog.procyon.org.uk> <12769.1523477356@warthog.procyon.org.uk> <20180411203308.GA10167@kroah.com> <20180412082313.GA6054@kroah.com> From: Andy Lutomirski Date: Thu, 12 Apr 2018 07:19:35 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down To: Greg KH Cc: Andy Lutomirski , David Howells , Linus Torvalds , linux-man , Linux API , James Morris , LKML , LSM List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 12, 2018 at 1:23 AM, Greg KH wrote: > On Wed, Apr 11, 2018 at 07:54:12PM -0700, Andy Lutomirski wrote: >> On Wed, Apr 11, 2018 at 1:33 PM, Greg KH wrote: >> > On Wed, Apr 11, 2018 at 09:09:16PM +0100, David Howells wrote: >> >> Greg KH wrote: >> >> >> >> > Why not just disable debugfs entirely? This half-hearted way to sorta >> >> > lock it down is odd, it is meant to not be there at all, nothing in your >> >> > normal system should ever depend on it. >> >> > >> >> > So again just don't allow it to be mounted at all, much simpler and more >> >> > obvious as to what is going on. >> >> >> >> Yeah, I agree - and then I got complaints because it seems that it's been >> >> abused to allow drivers and userspace components to communicate. >> > >> > With in-kernel code? Please let me know and I'll go fix it up to not >> > allow that, as that is not ok. >> > >> > I do know of some bad examples of out-of-tree code abusing debugfs to do >> > crazy things (battery level monitoring?), but that's their own fault... >> > >> > debugfs is for DEBUGGING! For anything you all feel should be "secure", >> > then just disable it entirely. >> > >> >> Debugfs is very, very useful for, ahem, debugging. I really think >> this is an example of why we should split lockdown into the read and >> write varieties and allow mounting and reading debugfs when only write >> is locked down. > > Ok, but be sure that there are no "secrets" in those debugging files if > you really buy into the whole "lock down" mess... > > Really, it's easier to just disable the whole thing. > I mostly agree with your sentiment. I'm saying that, for most uses, I *don't* buy into the idea that a normal secure-boot-supporting distro should block debugfs. I sometimes like to ask people who report problems to send me the contents of such-and-such file in debugfs, and I think it should keep working. Blocking write access to debugfs is mostly sensible for a lockdown system, but blocking read only makes sense if you're worried about straight-up bugs or if you think that debugfs contains protection-worthy secrets. What I want to see is: lockdown=protect_integrity: debugfs is read-only, bpf and perf are unrestricted, iopl and ioperm are disabled, etc. lockdown=protect_integrity_and_secrecy: debugfs is gone, bpf and perf are restricted, plus all the restrictions from lockdown=protect_integrity Distros should strongly prefer lockdown=protect_integrity (or lockdown=off) by default. lockdown=protect_integrity_and_secrecy is for custom setups, embedded applications, etc. --Andy