From: Andy Lutomirski
Date: Tue, 26 Mar 2019 12:20:24 -0700
Subject: Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down
To: Matthew Garrett
Cc: James Morris, LSM List, LKML, David Howells, Linux API, Andrew Lutomirski, Matthew Garrett, Greg KH

On Tue, Mar 26, 2019 at 11:28 AM Matthew Garrett wrote:
>
> From: Matthew Garrett
>
> debugfs has not been meaningfully audited in terms of ensuring that
> userland cannot trample over the kernel. At Greg's request, disable
> access to it entirely when the kernel is locked down. This is done at
> open() time rather than init time as the kernel lockdown status may be
> made stricter at runtime.

Ugh. Some of those files are very useful. Could this perhaps still
allow O_RDONLY if we're in INTEGRITY mode?
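
The two designs discussed in this exchange, modelled in userspace C as an added example (not code from the patch or from the kernel): a gate sampled once at init time goes stale when lockdown is tightened later, while a gate evaluated on every open() does not, and the read-only variant asked about in the reply is shown beside the deny-all behaviour. All names, the `-EPERM` return value and the level stricter than INTEGRITY are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>

/* Hypothetical model; only the "INTEGRITY" mode is named in the thread. */
enum lockdown_level { LOCKDOWN_NONE, LOCKDOWN_INTEGRITY, LOCKDOWN_STRICTER };
static enum lockdown_level current_level = LOCKDOWN_NONE;

/* Init-time design: the lockdown state is sampled once, at setup. */
struct model_debugfs { int available; };
void model_init(struct model_debugfs *d)
{
    d->available = (current_level == LOCKDOWN_NONE);
}
int open_init_time_gate(const struct model_debugfs *d, int flags)
{
    (void)flags;
    return d->available ? 0 : -ENOENT;  /* never re-evaluated */
}

/* Open-time design from the patch description: refuse every open()
 * while locked down (error code is an assumption). */
int open_time_gate(int flags)
{
    (void)flags;
    return current_level == LOCKDOWN_NONE ? 0 : -EPERM;
}

/* Variant asked about in the reply: permit O_RDONLY in integrity mode.
 * Assumes a read-only open cannot modify kernel state, which the
 * thread notes has not been audited for debugfs. */
int open_time_gate_rdonly(int flags)
{
    if (current_level == LOCKDOWN_NONE)
        return 0;
    if (current_level == LOCKDOWN_INTEGRITY && (flags & O_ACCMODE) == O_RDONLY)
        return 0;
    return -EPERM;
}

int main(void)
{
    struct model_debugfs d;
    model_init(&d);                      /* booted without lockdown */
    current_level = LOCKDOWN_INTEGRITY;  /* tightened at runtime */
    printf("init-time gate, O_RDWR:    %d\n", open_init_time_gate(&d, O_RDWR));
    printf("open-time gate, O_RDONLY:  %d\n", open_time_gate(O_RDONLY));
    printf("rdonly variant, O_RDONLY:  %d\n", open_time_gate_rdonly(O_RDONLY));
    printf("rdonly variant, O_WRONLY:  %d\n", open_time_gate_rdonly(O_WRONLY));
    return 0;
}
```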