Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down

[PATCH V31 00/25] Add support for kernel lockdown · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 01/25] Add the ability to lock down access to the running kernel image · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 02/25] Enforce module signatures if the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 03/25] Restrict /dev/{mem,kmem,port} when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 05/25] Copy secure_boot flag in boot params across kexec reboot · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Dave Young <hidden> · 2019-06-21
Re: [PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V31 06/25] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-06-21
[PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Dave Young <hidden> · 2019-06-21
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-21
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Dave Young <hidden> · 2019-06-24
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-24
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Mimi Zohar <zohar@linux.ibm.com> · 2019-06-24
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-06-25
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Mimi Zohar <zohar@linux.ibm.com> · 2019-06-25
Re: [PATCH V31 07/25] kexec_file: Restrict at runtime if the kernel is locked down · Dave Young <hidden> · 2019-06-25
[PATCH V31 09/25] uswsusp: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 11/25] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 11/25] x86: Lock down IO port access when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2019-03-26
[PATCH V31 12/25] x86/msr: Restrict MSR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 14/25] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 16/25] Prohibit PCMCIA CIS storage when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 17/25] Lock down TIOCSSERIAL · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 18/25] Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 20/25] Lock down /proc/kcore · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 22/25] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 22/25] bpf: Restrict bpf when kernel lockdown is in confidentiality mode · Andy Lutomirski <luto@kernel.org> · 2019-03-26
[PATCH V31 23/25] Lock down perf when in confidentiality mode · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 24/25] lockdown: Print current->comm in restriction messages · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2019-03-26
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Andy Lutomirski <luto@amacapital.net> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · James Morris <jmorris@namei.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Matthew Garrett <hidden> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Matthew Garrett <hidden> · 2019-03-27
Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down · Greg KH <gregkh@linuxfoundation.org> · 2019-03-27
[PATCH V31 21/25] Lock down kprobes when in confidentiality mode · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 19/25] x86/mmiotrace: Lock down the testmmiotrace module · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 19/25] x86/mmiotrace: Lock down the testmmiotrace module · Steven Rostedt <rostedt@goodmis.org> · 2019-03-27
Re: [PATCH V31 19/25] x86/mmiotrace: Lock down the testmmiotrace module · Matthew Garrett <hidden> · 2019-03-27
[PATCH V31 15/25] acpi: Disable ACPI table override if the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 13/25] ACPI: Limit access to custom_method when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 10/25] PCI: Lock down BAR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
Re: [PATCH V31 10/25] PCI: Lock down BAR access when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2019-03-26
Re: [PATCH V31 10/25] PCI: Lock down BAR access when the kernel is locked down · Alex Williamson <hidden> · 2019-03-26
[PATCH V31 08/25] hibernate: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26
[PATCH V31 04/25] kexec_load: Disable at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-03-26

From: Matthew Garrett <hidden>
Date: 2019-03-27 02:06:51
Also in: linux-api, lkml

On Tue, Mar 26, 2019 at 5:31 PM Greg KH [off-list ref] wrote:

On Tue, Mar 26, 2019 at 11:27:41AM -0700, Matthew Garrett wrote:

quoted

From: Matthew Garrett <redacted>

debugfs has not been meaningfully audited in terms of ensuring that
userland cannot trample over the kernel. At Greg's request, disable
access to it entirely when the kernel is locked down. This is done at
open() time rather than init time as the kernel lockdown status may be
made stricter at runtime.

(snip)

Why allow all this, why not just abort the registering of the filesystem
with the vfs core so it can't even be mounted?

As mentioned in the commit message, because the lockdown state can be
made stricter at runtime - blocking at mount time would be
inconsistent if the machine is locked down afterwards. We could
potentially assert that it's the admin's responsibility to ensure that
debugfs isn't mounted at the point of policy being made stricter?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help