Re: [PATCH 1/2] debugfs: Only clobber mode/uid/gid on remount if asked

From: Brian Norris <briannorris@chromium.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Rafael J . Wysocki" <rafael@kernel.org>,
	Ingo Molnar <mingo@redhat.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] debugfs: Only clobber mode/uid/gid on remount if asked
Date: Thu, 1 Sep 2022 15:32:18 -0700	[thread overview]
Message-ID: <YxEy8mTO1nZ1sxHV@google.com> (raw)
In-Reply-To: <YxDWlgulBijTzj3y@kroah.com>

On Thu, Sep 01, 2022 at 05:58:14PM +0200, Greg Kroah-Hartman wrote:
> On Fri, Aug 26, 2022 at 05:44:16PM -0700, Brian Norris wrote:
> > Users may have explicitly configured their debugfs permissions; we
> > shouldn't overwrite those just because a second mount appeared.
> 
> What userspace mounts debugfs twice?

I'll admit, my particular userspace in question (Chrom{e,ium}OS) does
not. There are several debugfs mounts, but they are bind mounts, which
don't hit this problem.

But Steven hits the nail on the head for most of my reasoning; my main
motivation is for tracefs (patch 2), whose automount makes this very
surprising. I included patch 1 for consistency (tracefs essentially
copy/pasted debugfs). I could drop patch 1 if that helps somehow, but
I'd still like to consider the automount difficulties in patch 2.

> > Only clobber if the options were provided at mount time.
> > 
> >   # Don't change /sys/kernel/debug/ permissions.
> >   mount -t debugfs none /mnt/foo
> > 
> >   # Change /sys/kernel/debug/ mode and uid, but not gid.
> >   mount -t debugfs -o uid=bar,mode=0750 none /mnt/baz
> 
> So what happens today with this change?  Without it?

Sorry, this was probably a bit too implied -- the gid changes to its
default (0 if we never set it in a mount option before; or it will reset
to any previous gid= mount setting).

# ls -ld /sys/kernel/debug/.
drwxr-x---. 45 root debugfs-access 0 Dec 31  1969 /sys/kernel/debug/.
# chown root:power /sys/kernel/debug/
# ls -ld /sys/kernel/debug/.
drwxr-x---. 45 root power 0 Dec 31  1969 /sys/kernel/debug/.
# mount -t debugfs -o uid=power,mode=0750 none /tmp/mnt
# ls -ld /sys/kernel/debug/.
drwxr-x---. 45 power debugfs-access 0 Dec 31  1969 /sys/kernel/debug/.
# mount | grep '\/sys\/kernel\/debug '
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel,uid=228,gid=605,mode=750)

I can include more before/after examples in the commit message if you
want. Honestly, that's kind of why I offered to write test cases; test
cases show what's happening better than narrative descriptions.

> > 
> > Signed-off-by: Brian Norris <briannorris@chromium.org>
> > ---
> > I'm open to writing an LTP test case for this, if that seems like a good
> > idea.
> 
> If it's really needed, again, why would debugfs be ever mounted more
> than once?

Steven gave examples. Again, my particular use is more for patch 2. But
I think the current behavior is pretty surprising, if anybody ever
*does* try to mount more than once.

Brian