Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp4968825img;
        Tue, 26 Mar 2019 22:30:35 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzEy4whhSrsZO7eR97MNjykemV5ZIRD1cvPWid6VFgl2ZBew5MnHCmoY9Kqotd3uZF8eE8C
X-Received: by 2002:aa7:8083:: with SMTP id v3mr16461141pff.135.1553664635249;
        Tue, 26 Mar 2019 22:30:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553664635; cv=none;
        d=google.com; s=arc-20160816;
        b=i9M5jUHoocqxu26SCi8VFSnKE5hkJe5WLtKP1Kw6uZwMbiWXexXWgaLmrZLWcTBclY
         DP63DjyRarbdvaY65hWBbFgAsViXFioQ8RVUaDiwVFWd8H8rBZCxS4tAoPGG+o8OhoVP
         YnJuxqucn3YReNDAmCvxVOczG+xVHYquOEZC3TxiB+KDZS9HAG1hr5WklthOn3zZlGkf
         qH/i0JtVpWWspDgz2OjNGn1sYG6FlGzWDKIrzzdw1pPpQ295YREJJIN7uId0vo+DShkQ
         unPcnPYEkUEfQsVslRhRtBgHFixWPeWTl2OlivFu3W1C5mAUc38M2vUQgAob17G2u+Yl
         8JBw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:to:references:message-id
         :content-transfer-encoding:cc:date:in-reply-to:from:subject
         :mime-version:dkim-signature;
        bh=onJCl9JbHvAGDKE2nntWOowFWWdzQk48dF3hmrDvys8=;
        b=vZB9RTi8lGC/GQosI5Z9fYQIfYTzCxugOe5c/kIfo/lMlamSTM8wZX7R6uT2zILCvy
         02x89QL/aZGizbTy4i4xIYrJTXiy4mHj2pE24Sql2e+JTo1BBYvBWC9uHTJQ1Rs+jVAH
         1D91nqRhMr2+bQqdLNmrPFg/w7CzZh9K6FsShdEvdHCmrK1e9ErMJfAyrkZwn+QCQ27X
         RA0URu0ksRnXIEmkV0cnrYzIiEI7mInPRlrABOiqCIhIbZFP2slqpQOVH9Hyt4eM8zGm
         Wo20dPq/os5I3YbgUcn5boSi5m3Y/8zWwOFu+LHaKv3yvTXFAFGc0BhCNRbQJWDV1i5X
         fpCQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=KObLylx+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k71si14613383pgd.583.2019.03.26.22.30.19;
        Tue, 26 Mar 2019 22:30:35 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=KObLylx+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726319AbfC0F3o (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Wed, 27 Mar 2019 01:29:44 -0400
Received: from mail-pf1-f195.google.com ([209.85.210.195]:33678 "EHLO
        mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725730AbfC0F3o (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 27 Mar 2019 01:29:44 -0400
Received: by mail-pf1-f195.google.com with SMTP id i19so539427pfd.0
        for <linux-kernel@vger.kernel.org>; Tue, 26 Mar 2019 22:29:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=amacapital-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=onJCl9JbHvAGDKE2nntWOowFWWdzQk48dF3hmrDvys8=;
        b=KObLylx+2ouYzD5oC/vd5zSi0s/at+b5t9Vc899hnndZuDda30qhb+5E03rubefc/1
         QbebhBz6rqc+KXWc8nUs13QhpotdWqgq4BPJP0Xpio7Ds2wH6mITBnLtI2opQFZZ6tNc
         BKzj89Xj2zskMokb7GLMh2lGRSIKNlnIab6VruaC8v5xZv4RVQQNF1bjcktvNagKTi1k
         E4ZbINMgEb+oa/2qMWM01IBVYN1RipFq7NDGemmItGOOSBzrOBCXDrMd67NzujoQSqz9
         EJs/UkFJ1r+iS9tBqc4auso3Hb6h6my56Nrcvx1VegN5zkBq+mS2qt2Q6rGa7Kia9QqB
         AL1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=onJCl9JbHvAGDKE2nntWOowFWWdzQk48dF3hmrDvys8=;
        b=hOU9exTXzskiX85ibdDj/J1tjJ3G7vlW1FoDUvlTOTg4Pbyi8D6D1MlvpMAenr7Uu/
         YvB5719jvAGClfoLlOt+9gQEcy8miJWqTrpYGGF14H1rnfTuwtP+H0gBN8y7P6GwdL+t
         C9tMmAddZFi5vZf7yDTWJB0u1Mfm/T9H7eKuuosqsEG3a0GAzqgZAUtYI5beDD4j8sTP
         GgXpCX04XYp9g0RUBHSeTIrS8fUHsqA+QTiDTJu8AaSkaknESjdfic9m0Y8XrjDKCPUA
         PuugH6fi7Px9Pe3CsGb2x/lLZR57FhGlUhuMIIheTzJVh8D6amIzQPZnraz2AhJXLKSr
         Q2Pg==
X-Gm-Message-State: APjAAAXQGwgXtHfjtc//95DhOJ74rtfunqQ1/aodiyJnVtsXvC4JJp+i
        kBpvmC/Fe8lC0V5hXMrhsS74Aw==
X-Received: by 2002:a63:d015:: with SMTP id z21mr31835257pgf.215.1553664583157;
        Tue, 26 Mar 2019 22:29:43 -0700 (PDT)
Received: from ?IPv6:2601:646:c200:1ef2:c5c0:7bcb:4a38:a44a? ([2601:646:c200:1ef2:c5c0:7bcb:4a38:a44a])
        by smtp.gmail.com with ESMTPSA id i64sm30385333pfb.112.2019.03.26.22.29.42
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 26 Mar 2019 22:29:42 -0700 (PDT)
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (1.0)
Subject: Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down
From:   Andy Lutomirski <luto@amacapital.net>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <20190327050615.GA548@kroah.com>
Date:   Tue, 26 Mar 2019 22:29:41 -0700
Cc:     Andy Lutomirski <luto@kernel.org>,
        Matthew Garrett <matthewgarrett@google.com>,
        James Morris <jmorris@namei.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        David Howells <dhowells@redhat.com>,
        Linux API <linux-api@vger.kernel.org>,
        Matthew Garrett <mjg59@google.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <16124107-70D3-4CA0-9766-36FC6DC10128@amacapital.net>
References: <20190326182742.16950-1-matthewgarrett@google.com> <20190326182742.16950-26-matthewgarrett@google.com> <CALCETrXDF2c2-gnOyNTnEn-uPAZp0AaSB_PB8e2y8jf7zo=Cyg@mail.gmail.com> <20190327003057.GA27311@kroah.com> <CALCETrVDDf4dj3Md1Nxc5P_NCToXGnAbEO3bGfwgKSfeVmU4Kw@mail.gmail.com> <20190327050615.GA548@kroah.com>
To:     Greg KH <gregkh@linuxfoundation.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



> On Mar 26, 2019, at 10:06 PM, Greg KH <gregkh@linuxfoundation.org> wrote:
>=20
>> On Tue, Mar 26, 2019 at 09:29:14PM -0700, Andy Lutomirski wrote:
>>> On Tue, Mar 26, 2019 at 5:31 PM Greg KH <gregkh@linuxfoundation.org> wro=
te:
>>>=20
>>>> On Tue, Mar 26, 2019 at 12:20:24PM -0700, Andy Lutomirski wrote:
>>>> On Tue, Mar 26, 2019 at 11:28 AM Matthew Garrett
>>>> <matthewgarrett@google.com> wrote:
>>>>>=20
>>>>> From: Matthew Garrett <mjg59@google.com>
>>>>>=20
>>>>> debugfs has not been meaningfully audited in terms of ensuring that
>>>>> userland cannot trample over the kernel. At Greg's request, disable
>>>>> access to it entirely when the kernel is locked down. This is done at
>>>>> open() time rather than init time as the kernel lockdown status may be=

>>>>> made stricter at runtime.
>>>>=20
>>>> Ugh.  Some of those files are very useful.  Could this perhaps still
>>>> allow O_RDONLY if we're in INTEGRITY mode?
>>>=20
>>> Useful for what?  Debugging, sure, but for "normal operation", no kernel=

>>> functionality should ever require debugfs.  If it does, that's a bug and=

>>> should be fixed.
>>>=20
>>=20
>> I semi-regularly read files in debugfs to diagnose things, and I think
>> it would be good for this to work on distro kernels.
>=20
> Doing that for debugging is wonderful.  People who want this type of
> "lock down" are trading potential security for diagnositic ability.
>=20

I think you may be missing the point of splitting lockdown to separate integ=
rity and confidentiality.  Can you actually think of a case where *reading* a=
 debugfs file can take over a kernel?=