Received: by 10.192.165.148 with SMTP id m20csp704918imm; Wed, 2 May 2018 07:31:22 -0700 (PDT) X-Google-Smtp-Source: AB8JxZocczHmHRnGAB1pNa07KAqAmT27I7W8H2tHkNUuyqautEB02ShE0euseCcUmI0/qHi1RjCF X-Received: by 2002:a63:6f41:: with SMTP id k62-v6mr16155042pgc.73.1525271482561; Wed, 02 May 2018 07:31:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525271482; cv=none; d=google.com; s=arc-20160816; b=pew6kjs82fFUcIkSTKHM2gaNfEK1dFTeYdc3B25jLC4OuI67NElgV2qinZHEIumE8R MYr4FhLoQ2eZuOWv492qXwSl4m9gyqYp2NW0vnDm+7L6v6ZL0kAugY1iP10omJKxfDxF jOXbu1Wu8a++FacdYem/IK9E3vlbqNiXXkFnhl+Auf1jpZ0rOeNz6u6Wx7UM+0ZAdJ+t 4yLpM3OOyAHbvrJ4n9v8knERwigZ2kPUrMVfpZd6rzuAOqrfo9CaXH6PvVVLwHtyXoYv Rf8oPNjMjvyS15agGWUPzjZBmvXjSrK/W0pO9epa4NBzAx4IIUkGdT0uL5Z0r9+Y/vvc GpEw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=E/LLJKBeqZFD2sKZPFk32FqNdxYR7HYo66wdTxHwid4=; b=A+VbZKNmkiGoGNOVsjVDlk79mmo28LEGRJQlODIUFWKMICEWFidg6S2mHxSW86rh/S LQPwkBuiQM6eH9wburoyxUgqKCSkNo6CpLDcTryKc5qJPLHwK/jPTLNbGGlkLiguE83K sFSbPRyL6CUvUCxYM1ZhI85V52C0riNF8dgELltEJbAugEl0voFyIIRSZetfOA1Z/mKG QT1UfsoqJ+a2C/tArF086Jo5GWt9FHFUKVo7+X6auUHu3nKuWmvBXee8/NvgdvqgIRYW 2Plum+7Lr8atfxVGto1sf/N//q4P1vr6FtCnfy2Bzktc69R5MYKJ0oXJlsVWe1Votozg NEcw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=kfAVgNIy; dkim=fail header.i=@chromium.org header.s=google header.b=edplCefn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n7-v6si9592676pgt.200.2018.05.02.07.31.08; Wed, 02 May 2018 07:31:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=kfAVgNIy; dkim=fail header.i=@chromium.org header.s=google header.b=edplCefn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751527AbeEBO3y (ORCPT + 99 others); Wed, 2 May 2018 10:29:54 -0400 Received: from mail-ua0-f194.google.com ([209.85.217.194]:33854 "EHLO mail-ua0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751100AbeEBO3w (ORCPT ); Wed, 2 May 2018 10:29:52 -0400 Received: by mail-ua0-f194.google.com with SMTP id f22so9588597uam.1 for ; Wed, 02 May 2018 07:29:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=E/LLJKBeqZFD2sKZPFk32FqNdxYR7HYo66wdTxHwid4=; b=kfAVgNIy0l2QOaCWZV31+FLzUOvjjFAqyGMji+x1Q+5i2vSWnaT8DJMMcoRhKQKfc8 1ecTENAlO4aSAdh3pXK76ev8XtN1/R8zGy48rpQIBXjzdO364iu3zh8oFxmYoVpJHltB KAMKPJZJTz4I9+My6eF2RP1cbw+AZbJlt7umFcKIc8qsRKGq5u0LsgEZCbaGnFNo5ulp Yrz9BDLwTTUTsYqCpoQtp+LjVsqurmA//kgKr3vglElCo6o+Us0N3/fOv68y058vfHvw MFYbLubwIeBnreWUqR4J6XffFvfwYCBEd50WJ6rsYdIeuDcyOXVJyR2VqUFqicP8QY8n evEg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=E/LLJKBeqZFD2sKZPFk32FqNdxYR7HYo66wdTxHwid4=; b=edplCefnNrywsN9Oyklr6XF3Bf0GdFGxCPY2sxFfEu987YA1X1gsiVPXkpq05lizRK Ixa/3g0y4QNfFneBLk1hCTO+e8UOAFnFzyIglV+orc72K7CiI6uzryLg3WSVhDxRUZ5m +toHxGNA3HN42qGHOmzcP81iYfzIp1paaq8uI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=E/LLJKBeqZFD2sKZPFk32FqNdxYR7HYo66wdTxHwid4=; b=YlxRfWU93cy6cUmAcrXhZCPrfmPMRnv0B68tiNb4K0Y+5g6XxoAJ4kTFkHGL6N3SfS alaXKIc3ZbE24L2B1Lm8O1pX7zTX4NLLfm/61ZpJpAIKtLkaAwDLDbbA6wYa0ijUCGVC 8a/TQ9DX1scNr5L6EK/C2YGOstjMlhslJxJIw55E6v2ece/AOvAPONh2j/B9Nf4Cb55n QzRmfVItnNvVhA0qq78E0ljZkff1l9SjDOJ/38IV5tvt5bYLGu+q3Iu1bywi3P5mWktb OoUWL6ZUo53vic3MiiFoXw/MQYMYmBWn3ss8DxqQBElPD/EW7KyScgYx03n4U17/RJwn 41MQ== X-Gm-Message-State: ALQs6tCqmxsxlwxEHe6f+vLT17Pb9xtGKJfLg1/Lb1aO8xasBCVbwCtH vlbECGu7AuA0H018cq0q3cv5Ot5dZRrBssFvJ5Kr9g== X-Received: by 10.176.37.8 with SMTP id j8mr18136032uan.83.1525271392014; Wed, 02 May 2018 07:29:52 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.11.209 with HTTP; Wed, 2 May 2018 07:29:51 -0700 (PDT) In-Reply-To: <8d3e702b-470a-542e-4e0d-6a3c58419f0f@linux.ibm.com> References: <20180427123547.15727-1-tmricht@linux.ibm.com> <20180427134936.GA31171@kroah.com> <8d3e702b-470a-542e-4e0d-6a3c58419f0f@linux.ibm.com> From: Kees Cook Date: Wed, 2 May 2018 07:29:51 -0700 X-Google-Sender-Auth: vb0hv48PPx4t7jJVN5EkkPQTFXM Message-ID: Subject: Re: [PATCH v2] inode: debugfs_create_dir uses mode permission from parent To: Thomas-Mich Richter Cc: Greg KH , Kernel Hardening , brueckner@linux.vnet.ibm.com, Martin Schwidefsky , Heiko Carstens , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 2, 2018 at 12:16 AM, Thomas-Mich Richter wrote: > On 04/27/2018 04:58 PM, Kees Cook wrote: >> On Fri, Apr 27, 2018 at 6:49 AM, Greg KH wrote: >>> I'm going to add Kees and the kernel-hardning list here, as I'd like >>> their opinions for the patch below. >>> >>> Kees, do you have any problems with this patch? I know you worked on >>> making debugfs more "secure" from non-root users, this should still keep >>> the intial mount permissions all fine, right? Anything I'm not >>> considering here? >> >> This appears correct to me. I'd like to see some stronger rationale >> for why this is needed, just so I have a "design" to compare the >> implementation against. :) >> >> Normally, the top-level directory permissions should block all the >> subdirectories too. The only time I think of this being needed is if >> someone is explicitly bind-mounting a subdirectory to another location >> (e.g. Chrome OS does this for the i915 subdirectory). In that case, >> I'd expect them to tweak permissions too. Thomas, what's your >> use-case? >> >> -Kees >> > > There is no 'real use case'. I wrote the patch because of discussions > regarding file permissions for files located deeply in the > directory tree, for example > > -r--r--r-- 1 root root 0 Apr 27 14:23 /sys/kernel/debug/kprobes/blacklist > > which gives the impression it is world readable. > This happened to me in recent discussions when I wrote patches to fix some > of the address randomized output of /sys files which broke the perf tool. > > During discussion people often forgot that the root /sys/kernel/debug is rwx for > root only and blocks non root access to subdirectories and files. They simply > looked at the file permissions. Okay, sounds good. "Make permissions less surprising" is a perfectly good reason to make the change. :) > I have not thought about the bind-mount case nor did I test this scenario. I think this case is fine too. Anyone doing this is likely doing some pretty special things with permissions already. So, FWIW: Reviewed-by: Kees Cook -Kees -- Kees Cook Pixel Security