Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down

[PATCH 00/24] security: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 01/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Jann Horn <jannh@google.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Randy Dunlap <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Miguel Ojeda <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Greg KH <gregkh@linuxfoundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Justin Forbes <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Jordan Glover <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Justin Forbes <hidden> · 2018-04-12
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-12
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Andy Lutomirski <luto@amacapital.net> · 2018-04-12
[PATCH 02/24] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown · Jann Horn <jannh@google.com> · 2018-04-11
Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown · Pavel Machek <hidden> · 2018-04-13
[PATCH 03/24] ima: require secure_boot rules in lockdown mode · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 04/24] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 05/24] Restrict /dev/{mem, kmem, port} when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 07/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2018-04-13
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-19
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-22
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Rafael J. Wysocki <hidden> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Jiri Kosina <jikos@kernel.org> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2018-05-23
[PATCH 08/24] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 09/24] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 10/24] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 11/24] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 12/24] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 13/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 14/24] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 15/24] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 16/24] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 17/24] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 18/24] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 18/24] Lock down module params that specify hardware parameters (eg. ioport) · Randy Dunlap <hidden> · 2018-04-11
[PATCH 19/24] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 20/24] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 21/24] Lock down kprobes · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 22/24] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 23/24] Lock down perf · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Randy Dunlap <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Pavel Machek <hidden> · 2018-04-13
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-19
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Pavel Machek <hidden> · 2018-05-10

From: David Howells <dhowells@redhat.com>
Date: 2018-04-11 20:09:16
Also in: linux-man, linux-security-module, lkml

Greg KH [off-list ref] wrote:

Why not just disable debugfs entirely?  This half-hearted way to sorta
lock it down is odd, it is meant to not be there at all, nothing in your
normal system should ever depend on it.

So again just don't allow it to be mounted at all, much simpler and more
obvious as to what is going on.

Yeah, I agree - and then I got complaints because it seems that it's been
abused to allow drivers and userspace components to communicate.

David

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help