References: <20190326182742.16950-1-matthewgarrett@google.com> <20190326182742.16950-26-matthewgarrett@google.com> <20190327003130.GB27311@kroah.com>
In-Reply-To: <20190327003130.GB27311@kroah.com>
From: Matthew Garrett
Date: Tue, 26 Mar 2019 19:06:36 -0700
Subject: Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down
To: Greg KH
Cc: James Morris, LSM List, Linux Kernel Mailing List, David Howells, Linux API, Andy Lutomirski
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 26, 2019 at 5:31 PM Greg KH wrote:
> On Tue, Mar 26, 2019 at 11:27:41AM -0700, Matthew Garrett wrote:
> > From: Matthew Garrett
> >
> > debugfs has not been meaningfully audited in terms of ensuring that
> > userland cannot trample over the kernel. At Greg's request, disable
> > access to it entirely when the kernel is locked down. This is done at
> > open() time rather than init time as the kernel lockdown status may be
> > made stricter at runtime.

(snip)

> Why allow all this, why not just abort the registering of the filesystem
> with the vfs core so it can't even be mounted?

As mentioned in the commit message, because the lockdown state can be made stricter at runtime - blocking at mount time would be inconsistent if the machine is locked down afterwards.
We could potentially assert that it's the admin's responsibility to ensure that debugfs isn't mounted at the point of policy being made stricter?
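
Added illustration, not part of the original message or of the patch: a user-space C model of the ordering issue discussed above, contrasting a lockdown check made once at mount time with one made on every open() when lockdown is raised after debugfs is already mounted. All function and variable names are hypothetical; this is not kernel code.

```c
/* User-space model constructed for illustration; all names are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

static bool locked_down;     /* may be raised at runtime, never lowered */
static bool debugfs_mounted;
static void reset_model(void) { locked_down = false; debugfs_mounted = false; }
static void raise_lockdown(void) { locked_down = true; }

/* Policy A: the lockdown check happens once, when the filesystem is mounted. */
static int mount_checked(void)
{
    if (locked_down)
        return -EPERM;
    debugfs_mounted = true;
    return 0;
}
static int open_unchecked(void) { return debugfs_mounted ? 0 : -ENOENT; }

/* Policy B: mounting is always allowed; every open() reads the current state. */
static int mount_unchecked(void) { debugfs_mounted = true; return 0; }
static int open_checked(void)
{
    if (!debugfs_mounted)
        return -ENOENT;
    return locked_down ? -EPERM : 0;
}

/* Scenario: mount first, raise lockdown afterwards, then open a file. */
int late_lockdown_mount_gate(void)
{
    reset_model(); mount_checked(); raise_lockdown();
    return open_unchecked();   /* succeeds: the only gate was passed earlier */
}
int late_lockdown_open_gate(void)
{
    reset_model(); mount_unchecked(); raise_lockdown();
    return open_checked();     /* refused: state is re-read at open() */
}

int main(void)
{
    printf("mount-time check, lockdown raised after mount: open -> %d\n",
           late_lockdown_mount_gate());
    printf("open-time check,  lockdown raised after mount: open -> %d\n",
           late_lockdown_open_gate());
    return 0;
}
```

In the model, the mount-time policy gives different answers for the same lockdown state depending on whether the mount happened before or after the policy was tightened; the open-time policy does not.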