Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <22a584ab-db2b-813c-6f48-3840f56ee6cf@oracle.com>
Date:   Mon, 10 Apr 2023 15:31:15 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0)
 Gecko/20100101 Thunderbird/102.9.1
Subject: Re: Semantics of blktrace with lockdown (integrity) enabled kernel.
Content-Language: en-US
To:     Paul Moore <paul@paul-moore.com>
Cc:     Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
        linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org, jmorris@namei.org,
        serge@hallyn.com, nathanl@linux.ibm.com, joe.jin@oracle.com,
        Eric <eric.snowberg@oracle.com>,
        Boris Ostrovsky <boris.ostrovsky@oracle.com>, axboe@kernel.dk
References: <ZC8Dbux56HbJjpTy@char.us.oracle.com>
 <CAHC9VhQ2rLpjczvb4993fQiMau7ZXLe8aTLtMZO_iF42w=1frg@mail.gmail.com>
 <ZC8eZ/RTX//0urV/@char.us.oracle.com>
 <CAHC9VhR06pa2mDwW26XFqiry11Ubz2_3YKj+ayftu0JdYx9m9w@mail.gmail.com>
 <93ef5db7-fb4d-bf3f-9456-3fb6e7d5ca29@oracle.com>
 <CAHC9VhRKzv4+fbSK8+fV7v+N5Eaevtag7YvSW1YwJrxs5gAyHQ@mail.gmail.com>
 <fa0a4afb-14ce-a387-ec0e-2098c5bec8c3@oracle.com>
 <CAHC9VhT4r4HwrfZMVbG8DWbfvVRGH_AMGpdVUS_YLmUR7L3uvw@mail.gmail.com>
 <cdde1e4e-142e-3859-71ba-f7bacf0dbaae@oracle.com>
 <CAHC9VhSiviD9uHmB5sK4vgBBYnhUBPFyu+zM+O2m4ycie3RVqQ@mail.gmail.com>
From:   Junxiao Bi <junxiao.bi@oracle.com>
In-Reply-To: <CAHC9VhSiviD9uHmB5sK4vgBBYnhUBPFyu+zM+O2m4ycie3RVqQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?c3E5d3g5MEJRUktvbnNyYlVwN1A3b3FaZ2lTOVd2cithbmU3U3RjODBaRW9i?=
 =?utf-8?B?QkUvbmZ0OVY3VVNEcllKZG9qVENLYnpzTTdwVitZVVdWbHZqcDVGa2xMS1o0?=
 =?utf-8?B?emg4T0tmeE5FeFBRbkdYcHVZaElRYld2T3VuaHZOQWFwVzlFYWxyejljZzlX?=
 =?utf-8?B?OUdpOUEzbjZPOGRUN2tieXBWSGppZW84WXptU1lvbVZkV1A1MXI4WnVsMzRp?=
 =?utf-8?B?bzhHelBxdk9JVE1oWlgzSjAvVlRIL3JTbCt1MUZyc2JMTE5EaGhJdlNtU2x2?=
 =?utf-8?B?WEU4dnptNE9RTm5WZW90a2FyektCZ2JGY29kYVVrWVcyN20xSXRKSi93a0RW?=
 =?utf-8?B?Uk9wUURrUTBRUStwSWMxYWhwYU4wSkx2ejZNUVFHcExlVFdTTlZNTzQ3aGVm?=
 =?utf-8?B?YWNhNkFpc1pmUmxsdmtUeEhPUEZGOGJyQ3FKcWpGbjdEdVhaSDJnUGxyQ3ho?=
 =?utf-8?B?Q2xhVHQrcHd1d2xFaHVhWTQvWE9ha0p4Z040c2hRYWJRbzZhK0VxNVkycUhW?=
 =?utf-8?B?bU5CejFobWhrL3VZa29ySGNXcU91Mkp2dm95NW5XNWo3RzhtRjFla3RFdk5Q?=
 =?utf-8?B?K1pmVzYzendMOHJDYzgyZ2Eya25GdThkLzhadjF3bnh6NGEzZDdUTHBsQlVn?=
 =?utf-8?B?cVZFVHMzdnZ0MkduQklxbUNoS0xWanlDZ2hCK0FydVVIM0xzZWVXMU92YmxX?=
 =?utf-8?B?Rmd5WUFSVCtWRVJ4UHRHdFpPWDczSVNvbEtRcWJweUxVMUoyMEFITU41SDJz?=
 =?utf-8?B?YmxTZGhvMm9EV3BBNzV1UldVamZaVGVUUjhNNXpLdDdkRjBFNzA0ZVd2Y01Z?=
 =?utf-8?B?WHkrNkgrT1pGdWkzbTJnaGdvbVVVR1ZRYUtJYU40T004VWlYQXkzMU1ZZUVD?=
 =?utf-8?B?RmpVaTFzVHB4Qk1OWU1ZOEtkalgwbEZrbWJIS2NWeHlYUUMxT250WXZBZjVI?=
 =?utf-8?B?OTNBNFJvRERPVFVNbURnZVE5N3J4cGFaTThPeGovSWxIZldpT1pVSkJYNzln?=
 =?utf-8?B?ZzM0NUwyam9JL2pOdm9LeCtjNVNxVFJqVzlkNmNsT3VnNldxVXJDV0dETThI?=
 =?utf-8?B?YXFodVBOTUNQaG9tM3lnOFkwSk1vbElFMHU0V2UyQVczK09NbVZ6QzlaU2h6?=
 =?utf-8?B?VFFnaTRHUHN0c1dQOWY4S3UwSjRGM0hCbG8rMVpjWjF3bEs3MXE5TE04NzFY?=
 =?utf-8?B?WHF3d2I3eVVzb3dkZzRBK2VpQVY2dXZFbmpTTjNVZHJjN09tcFVvTlpFMGlJ?=
 =?utf-8?B?YUlEY2JWZnFteWJaRXNNLzFxRWpjU1dwUTdISEI1UUNhVHRDTENQMUJDeDdK?=
 =?utf-8?B?SHBhcmhuL3hGVk9oUGlRRzYvaWIyYjBqeDJ0dU5Oc0U1UGdNSUpKeHpyL3dT?=
 =?utf-8?B?L0l0eWl3S3BoaHNRMWdLSGdaWDdIa2I4TDZkOW4rWWl5S3ZGcGhhRG9ReTA0?=
 =?utf-8?B?OURMbUNlK2R5M3hIWkFCdnhLRCs5YWZVYUVzQVhSQkFFSFNaOGRXbjU1QmI1?=
 =?utf-8?B?VklEY1dyalJaNFgrZGJxY2ZnMDl3aVhYeDYrdm42bll0RjlJMEdVaVhnU2hv?=
 =?utf-8?B?THpxa2R0QnM1ckRWUEpJT2ZoN0JsS21HODVVcWZpcjdISFdyeWt2ZzhYaUhT?=
 =?utf-8?B?cnZWdDFneTJrL3hHTlU0YnNMZFh6OUJpRUxnZ2ZMZ2RqVG90RFNvcVZ3WkNp?=
 =?utf-8?B?MFRIUUpOQi9BaThMaTRZbDdPMStza1g1M1psMzg5WGVGdEJYVStOYzlWZER3?=
 =?utf-8?B?MXcxQkEyZkJIaUpqMFVlRFdnNVB6dktlUE5Dd3lzbjA5a1F1SXJhMGRyRVM5?=
 =?utf-8?B?V1VxUE8rRjBQYVRBNEw2N2RBM0M1TzJFSFpoaHM2dDE2b1BmbEwrZ1R6S2Fy?=
 =?utf-8?B?SGtmcnZkanhMczdqOGEyMTZZNm5hK0RnLzZ0bFBHazk2VFp6T0NXT3kzTWI2?=
 =?utf-8?B?WGFnU01sOFVDOWpvOUpIYlB2aXlyR3dlVkpnUGhJdUNWL2xKb0xIUFA5NkxS?=
 =?utf-8?B?OThvWmt4aWVyb1o4YnhydU4zc3lhL3B3WEtFK0wzdU9xanUwcjFUSkNWQUxR?=
 =?utf-8?B?Q29lUzRSL2RhcEdnK3hPNkR0NW5iS2ZyaWk5VVlHMmkzVjd2OEJJVThzc3p5?=
 =?utf-8?Q?SOa1/Vf4QhEDOmFto3sshVAwQ?=
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: XP0e6M/RahqVNuIFb6gjK3iBaD14bHE9DfI3TXI1q/sAx1UKDy70U4Pz4wIWtoZJTLHBXxDci0OzSJrR74COGvqHfFAT/ADhphol/KV74z3TGHNGw28ihA5UCEwqcHHhx/JK10XfbZnGQdgj4z+XC4eiqBr+3At8ifrq55iI/NlpZlcTl1use/s3BPhb0TAZ2s4BAlL3cO0xnQRjUOUYAFWa97i0N2hCBwYpgHs4oKmnYd7nHB9O81tUJthtFG9sbL1eCJDWjDAF/c3V4xaAItiXBTF7FgeSCGU3niQC0CWyJwrScA93njaEsdG9rEtNceihm9kusJbX2GlGB/kGpgA9f5uHVdiIAuZ39bxE19GK16qBzILkKa60BCI0DYGHz8KAwzngT3VfkMUX9DbKZizf+XFWodS0laBzHFFs3npj0snC38+APrJ95tOAGMzMqcFjgtiAWtNDwL8u5b02Tm8COHVLTPKTEEVufJubhZO777Fpw06KxSb/TLRmJqxPJETv2rd/6mTkllxjraDdMt7GgW0Bnzw93H9dZ8keilaWNqyeo0+iFCNvxn2Zaxp5mf381pZHXhwtsIx5Sp0r/wX5aGM0q9BkBvm90LJSe9TRCFvOKGvHNe0FT33VIzxEf7UmHVu4iHdPXzCp7h4+CTrESd5pZnzZx1SDRVRKh2Dzz/KiIDPs0fm0RXIp3MwpPtk/pWr2kx6bJ7FbEXkKgDnNISqtsrp6GVjqH5ppWwTZbYfZv4bd9L4CydF00q1OXE7QpbxQ51YtANSyd8nQNUuPaFWgaFGgzWJuIpFyQpdzDSa6IIuFGL0EJ28UnIY0Ps901LYrvmFzl9JyF+wKYUWX+11Qql1wksA2MvWfIu7RzRWfgMJ+xS2D4BCaRSlaiPENbAdDrlp4PqeLjSknJYdPW+ct9s9qlECqxUSMCFI=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4e864de8-a050-4571-74e0-08db3a134e76
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR10MB4752.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Apr 2023 22:31:20.0131
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: mxq5TvBT9Wqgkce1EBwsQdWoC14FBsKHAUWW8vNN0/FsvbRVVoLjEs1sxPRGaoyHkJAjk5GrMlEcszkP0KsFRw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR10MB7141
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22
 definitions=2023-04-10_16,2023-04-06_03,2023-02-09_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 phishscore=0
 adultscore=0 spamscore=0 suspectscore=0 bulkscore=0 mlxlogscore=999
 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2303200000 definitions=main-2304100197
X-Proofpoint-GUID: GMTORp3wES6MMwiQ0Wr45iuyh9BP9XgR
X-Proofpoint-ORIG-GUID: GMTORp3wES6MMwiQ0Wr45iuyh9BP9XgR
X-Spam-Status: No, score=-4.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_LOW,
        RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=unavailable
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/10/23 3:00 PM, Paul Moore wrote:

>>> Well, you could always submit a patch* and we would review it like any
>>> other; that's usually a much better approach.
>>>
>>> * Yes, there was a patch submitted, but it was against a distro kernel
>>> that diverged significantly from the upstream kernel in the relevant
>>> areas.
>> Sure, i will submit a new one.
>>
>> Before that, may i ask this question? It may affect the approach of the
>> patch.
>>
>> Lockdown blocked files with mmap operation even that files are
>> read-only, may i know what's the security concern there?
>>
>> static int debugfs_locked_down(struct inode *inode,
>>                      struct file *filp,
>>                      const struct file_operations *real_fops)
>> {
>>       if ((inode->i_mode & 07777 & ~0444) == 0 &&
>>           !(filp->f_mode & FMODE_WRITE) &&
>>           !real_fops->unlocked_ioctl &&
>>           !real_fops->compat_ioctl &&
>>           !real_fops->mmap)
>>           return 0;
>>
>>       if (security_locked_down(LOCKDOWN_DEBUGFS))
>>           return -EPERM;
>>
>>       return 0;
>> }
> I think the comment block at the top of that function describes it well:
>
> /*
>   * Only permit access to world-readable files when the kernel is locked down.
>   * We also need to exclude any file that has ways to write or alter it as root
>   * can bypass the permissions check.
>   */

I may have some misunderstanding of  commit 5496197f9b08("debugfs: 
Restrict debugfs when the kernel is locked down"),  it mentioned chmod 
is disabled for debugfs file, so i thought permission of debugfs file 
can not be changed. Actually I just tested that, the permission can be 
changed! I am not sure whether this is an issue or not. Anyway i 
understand the security concern with mmap, thanks a lot.

Thanks,

Junxiao.

>
> --
> paul-moore.com