Received: by 10.192.165.156 with SMTP id m28csp791157imm;
        Thu, 19 Apr 2018 07:37:57 -0700 (PDT)
X-Google-Smtp-Source: AIpwx48R/Y9ikvp7cNf/qaVqU9xQxHWo0C8aNaHLgegi8MDqt/VQ05mz6d+ta4ld9YnP3Bk4LmeU
X-Received: by 2002:a17:902:24e:: with SMTP id 72-v6mr6250069plc.87.1524148677019;
        Thu, 19 Apr 2018 07:37:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524148676; cv=none;
        d=google.com; s=arc-20160816;
        b=CrloGjU0VRBihjbGgjr3G2oOb+80sDyU5PMcjSSXx5KSTVr9TZp+LdOB0CjeX+8U+i
         APmyjji0J+sBBONFjm3h1NQbEy9gAoj/AxpaNN0JzOPkMa8X9yyR49J8efx2cWTHOqLE
         Sjd8+UMyr2WD2cZTDYMlbwNfrZNoJBI4fbBwp1NIGknn+Nb6N8xyE4do86Rz0t1MNGvZ
         Jux9u/dPO1UuKWBo2A7qZYbB8qVcX642ovYrfin248N3sucK8vvT0bAfDcg0qwcSrJ9A
         JiaJJ+p26b1w77QtahTHccsTdhLYBVFIhEf3VDFprge082XvMns69aeRKs099fv4AWHz
         0bVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:content-transfer-encoding
         :content-id:mime-version:subject:cc:to:references:in-reply-to:from
         :organization:arc-authentication-results;
        bh=0AiwyXd8PPIr7pbDNC5les5iDgE1q1BK/Yqigb4Ql2Y=;
        b=ABo8PP+Vf6Q1shMFApzfUnpbCRI1m5+Cg2O2BQAjEQwI9yQVmPqwNavrgFFMYxQakE
         BTK1/5VBtcA3Extr5JQEnVmw29uGPnMIQhPF5NOQpc19HrCRf9P2UXfzYgVADUeJP4Bh
         ofKiUs5Nd3+t1VG3Vn3DutaqlbruABD+3gXCw0LgAX29PUWuT22wzFLTiW+4Jm55DFrI
         fEARjS1FuDAF+SDEVarJgTMGhsUu33a6rqKUacM4fXAabT5niUirqmgrGabp/hTI5n8y
         BfwiN8vxtD1SRYeN9LAzCMc/4NM3xlo9jvuQfHMXuTOmd247zXLADd1bS/10W7odDeRl
         KClQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p23-v6si3565992plo.166.2018.04.19.07.37.43;
        Thu, 19 Apr 2018 07:37:56 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753041AbeDSOfw convert rfc822-to-8bit (ORCPT
        <rfc822;daisukeokaopensource@gmail.com> + 99 others);
        Thu, 19 Apr 2018 10:35:52 -0400
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:35604 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1751136AbeDSOfu (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 19 Apr 2018 10:35:50 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 338A38DC31;
        Thu, 19 Apr 2018 14:35:50 +0000 (UTC)
Received: from warthog.procyon.org.uk (ovpn-121-60.rdu2.redhat.com [10.10.121.60])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 6D9D22026985;
        Thu, 19 Apr 2018 14:35:48 +0000 (UTC)
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley
        Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United
        Kingdom.
        Registered in England and Wales under Company Registration No. 3798903
From:   David Howells <dhowells@redhat.com>
In-Reply-To: <20180413202241.GB4484@amd>
References: <20180413202241.GB4484@amd> <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk> <152346403637.4030.15247096217928429102.stgit@warthog.procyon.org.uk>
To:     Pavel Machek <pavel@ucw.cz>
Cc:     dhowells@redhat.com, torvalds@linux-foundation.org,
        linux-man@vger.kernel.org, linux-api@vger.kernel.org,
        jmorris@namei.org, linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org
Subject: Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <27817.1524148547.1@warthog.procyon.org.uk>
Content-Transfer-Encoding: 8BIT
Date:   Thu, 19 Apr 2018 15:35:47 +0100
Message-ID: <27818.1524148547@warthog.procyon.org.uk>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Thu, 19 Apr 2018 14:35:50 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Thu, 19 Apr 2018 14:35:50 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:''
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Pavel Machek <pavel@ucw.cz> wrote:

> >  (1) chmod and chown are disallowed on debugfs objects (though the root dir
> >      can be modified by mount and remount, but I'm not worried about that).
> 
> This has nothing to do with the lockdown goals, right? I find chown of
> such files quite nice, to allow debugging without doing sudo all the time.

It allows someone to give everyone access to files that should perhaps only be
accessible by root.  Besides, if you disable lockdown then you can do this if
you want.

> >  (2) When the kernel is locked down, only files with the following criteria
> >      are permitted to be opened:
> > 
> > 	- The file must have mode 00444
> > 	- The file must not have ioctl methods
> > 	- The file must not have mmap
> 
> Dunno. Would not it be nicer to go through the debugfs files and split
> them into safe/unsafe varieties?

Whilst that is a laudable idea, there are at least a couple of thousand files
to analyse, some of them doing weird stuff in drivers that aren't easy to
understand, and some of them with lists of files, some of which might be safe
and some of which aren't safe.  Even some reads that look like they ought to
be safe have side effects (such as read-and-reset counters).

Besides, define 'safe'.  Is reading a particular reg on a device and returning
the value through a debugfs read safe, for example?  What about files where
reading is harmless, but writing needs to be disallowed?

I did try initially passing in a flag to say whether something was safe or
not, abusing an inode flag to store it since debugfs uses a plain inode
struct, but then I realised just how many ways there are to create debugfs
files and it started to get out of hand.  My initial idea also included
locking everything down by default and marking things unlocked on an as-needed
basis.

If you have the time to audit all these files, then that would be great.

I lean more towards the lock debugfs down entirely side.

David