Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down

[PATCH 00/24] security: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 01/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Jann Horn <jannh@google.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Randy Dunlap <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Miguel Ojeda <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Greg KH <gregkh@linuxfoundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Justin Forbes <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Jordan Glover <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Justin Forbes <hidden> · 2018-04-12
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-12
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Andy Lutomirski <luto@amacapital.net> · 2018-04-12
[PATCH 02/24] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown · Jann Horn <jannh@google.com> · 2018-04-11
Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown · Pavel Machek <hidden> · 2018-04-13
[PATCH 03/24] ima: require secure_boot rules in lockdown mode · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 04/24] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 05/24] Restrict /dev/{mem, kmem, port} when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 07/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2018-04-13
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-19
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-22
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Rafael J. Wysocki <hidden> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Jiri Kosina <jikos@kernel.org> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2018-05-23
[PATCH 08/24] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 09/24] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 10/24] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 11/24] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 12/24] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 13/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 14/24] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 15/24] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 16/24] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 17/24] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 18/24] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 18/24] Lock down module params that specify hardware parameters (eg. ioport) · Randy Dunlap <hidden> · 2018-04-11
[PATCH 19/24] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 20/24] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 21/24] Lock down kprobes · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 22/24] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 23/24] Lock down perf · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Randy Dunlap <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Pavel Machek <hidden> · 2018-04-13
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-19
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Pavel Machek <hidden> · 2018-05-10

From: Pavel Machek <hidden>
Date: 2018-04-13 20:22:45
Also in: linux-man, lkml

On Wed 2018-04-11 17:27:16, David Howells wrote:

Disallow opening of debugfs files that might be used to muck around when
the kernel is locked down as various drivers give raw access to hardware
through debugfs.  Given the effort of auditing all 2000 or so files and
manually fixing each one as necessary, I've chosen to apply a heuristic
instead.  The following changes are made:

 (1) chmod and chown are disallowed on debugfs objects (though the root dir
     can be modified by mount and remount, but I'm not worried about that).

This has nothing to do with the lockdown goals, right? I find chown of
such files quite nice, to allow debugging without doing sudo all the time.

 (2) When the kernel is locked down, only files with the following criteria
     are permitted to be opened:

	- The file must have mode 00444
	- The file must not have ioctl methods
	- The file must not have mmap

Dunno. Would not it be nicer to go through the debugfs files and split
them into safe/unsafe varieties?

									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Attachments

signature.asc [application/pgp-signature] 181 bytes

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help