Received: by 10.192.165.156 with SMTP id m28csp791157imm; Thu, 19 Apr 2018 07:37:57 -0700 (PDT) X-Google-Smtp-Source: AIpwx48R/Y9ikvp7cNf/qaVqU9xQxHWo0C8aNaHLgegi8MDqt/VQ05mz6d+ta4ld9YnP3Bk4LmeU X-Received: by 2002:a17:902:24e:: with SMTP id 72-v6mr6250069plc.87.1524148677019; Thu, 19 Apr 2018 07:37:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524148676; cv=none; d=google.com; s=arc-20160816; b=CrloGjU0VRBihjbGgjr3G2oOb+80sDyU5PMcjSSXx5KSTVr9TZp+LdOB0CjeX+8U+i APmyjji0J+sBBONFjm3h1NQbEy9gAoj/AxpaNN0JzOPkMa8X9yyR49J8efx2cWTHOqLE Sjd8+UMyr2WD2cZTDYMlbwNfrZNoJBI4fbBwp1NIGknn+Nb6N8xyE4do86Rz0t1MNGvZ Jux9u/dPO1UuKWBo2A7qZYbB8qVcX642ovYrfin248N3sucK8vvT0bAfDcg0qwcSrJ9A JiaJJ+p26b1w77QtahTHccsTdhLYBVFIhEf3VDFprge082XvMns69aeRKs099fv4AWHz 0bVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:content-transfer-encoding :content-id:mime-version:subject:cc:to:references:in-reply-to:from :organization:arc-authentication-results; bh=0AiwyXd8PPIr7pbDNC5les5iDgE1q1BK/Yqigb4Ql2Y=; b=ABo8PP+Vf6Q1shMFApzfUnpbCRI1m5+Cg2O2BQAjEQwI9yQVmPqwNavrgFFMYxQakE BTK1/5VBtcA3Extr5JQEnVmw29uGPnMIQhPF5NOQpc19HrCRf9P2UXfzYgVADUeJP4Bh ofKiUs5Nd3+t1VG3Vn3DutaqlbruABD+3gXCw0LgAX29PUWuT22wzFLTiW+4Jm55DFrI fEARjS1FuDAF+SDEVarJgTMGhsUu33a6rqKUacM4fXAabT5niUirqmgrGabp/hTI5n8y BfwiN8vxtD1SRYeN9LAzCMc/4NM3xlo9jvuQfHMXuTOmd247zXLADd1bS/10W7odDeRl KClQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p23-v6si3565992plo.166.2018.04.19.07.37.43; Thu, 19 Apr 2018 07:37:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753041AbeDSOfw convert rfc822-to-8bit (ORCPT + 99 others); Thu, 19 Apr 2018 10:35:52 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:35604 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751136AbeDSOfu (ORCPT ); Thu, 19 Apr 2018 10:35:50 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 338A38DC31; Thu, 19 Apr 2018 14:35:50 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-121-60.rdu2.redhat.com [10.10.121.60]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6D9D22026985; Thu, 19 Apr 2018 14:35:48 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <20180413202241.GB4484@amd> References: <20180413202241.GB4484@amd> <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk> <152346403637.4030.15247096217928429102.stgit@warthog.procyon.org.uk> To: Pavel Machek Cc: dhowells@redhat.com, torvalds@linux-foundation.org, linux-man@vger.kernel.org, linux-api@vger.kernel.org, jmorris@namei.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <27817.1524148547.1@warthog.procyon.org.uk> Content-Transfer-Encoding: 8BIT Date: Thu, 19 Apr 2018 15:35:47 +0100 Message-ID: <27818.1524148547@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Thu, 19 Apr 2018 14:35:50 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Thu, 19 Apr 2018 14:35:50 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Pavel Machek wrote: > > (1) chmod and chown are disallowed on debugfs objects (though the root dir > > can be modified by mount and remount, but I'm not worried about that). > > This has nothing to do with the lockdown goals, right? I find chown of > such files quite nice, to allow debugging without doing sudo all the time. It allows someone to give everyone access to files that should perhaps only be accessible by root. Besides, if you disable lockdown then you can do this if you want. > > (2) When the kernel is locked down, only files with the following criteria > > are permitted to be opened: > > > > - The file must have mode 00444 > > - The file must not have ioctl methods > > - The file must not have mmap > > Dunno. Would not it be nicer to go through the debugfs files and split > them into safe/unsafe varieties? Whilst that is a laudable idea, there are at least a couple of thousand files to analyse, some of them doing weird stuff in drivers that aren't easy to understand, and some of them with lists of files, some of which might be safe and some of which aren't safe. Even some reads that look like they ought to be safe have side effects (such as read-and-reset counters). Besides, define 'safe'. Is reading a particular reg on a device and returning the value through a debugfs read safe, for example? What about files where reading is harmless, but writing needs to be disallowed? I did try initially passing in a flag to say whether something was safe or not, abusing an inode flag to store it since debugfs uses a plain inode struct, but then I realised just how many ways there are to create debugfs files and it started to get out of hand. My initial idea also included locking everything down by default and marking things unlocked on an as-needed basis. If you have the time to audit all these files, then that would be great. I lean more towards the lock debugfs down entirely side. David