From: Ben Hutchings <ben@decadent.org.uk>
To: Andy Shevchenko, David Howells
Cc: linux-kernel@vger.kernel.org, matthew.garrett@nebula.com, linux-efi@vger.kernel.org, One Thousand Gnomes, Greg Kroah-Hartman, acpi4asus-user, Platform Driver, linux-security-module, keyrings@vger.kernel.org
Date: Tue, 18 Apr 2017 15:34:35 +0100
Subject: Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down
Message-ID: <1492526075.2409.140.camel@decadent.org.uk>
References: <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk> <149142340198.5101.8171352010918423590.stgit@warthog.procyon.org.uk> <31421.1491569449@warthog.procyon.org.uk> <13615.1491830208@warthog.procyon.org.uk>
List: linux-kernel@vger.kernel.org

On Tue, 2017-04-18 at 09:06 +0300, Andy Shevchenko wrote:
> On Mon, Apr 10, 2017 at 4:16 PM, David Howells wrote:
> > > > Andy Shevchenko wrote:
> > > > > It looks a bit fragile when responsibility for whatever reasons the kernel
> > > > > can't serve becomes a driver burden.
> > > > > Can we fix this in debugfs framework instead?
> > > >
> > > > Fix it with debugfs how?  We can't offload the decision to userspace.
> > >
> > > I mean to do at least something similar to what you have done for module
> > > parameters. So, instead of putting the above code into each attribute in
> > > question, make a special (marked) attribute instead and the debugfs
> > > framework will know how to deal with that.
> >
> > Hmmm...  It's tricky in that debugfs doesn't have any of its own structures,
> > but is entirely built on standard VFS ones, so finding somewhere to store the
> > information is going to be awkward.
>
> I see.
>
> > One obvious solution is to entirely lock
> > down debugfs in secure boot mode, but that might be a bit drastic.
>
> But this sounds sane! debugFS is for debugging, not for production. If
> someone is using a secure kernel it means pure production use (otherwise
> one may do temporary hacks in the kernel).
[...]

Production systems need instrumentation to understand performance issues
and any bugs that for whatever reason didn't show up in earlier testing.
A number of interfaces for that have been added under debugfs:

- tracing (now tracefs, but it's expected to appear under debugfs)
- dynamic_debug
- various ad-hoc statistics

So it's generally not going to be OK to turn off debugfs. There will
probably need to be a distinction between believed-safe and unsafe
directories/files.

Ben.

-- 
Ben Hutchings
The world is coming to an end. Please log off.
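As an added example (not code from the thread or from the patch under discussion), the following POSIX shell script sketches the believed-safe/unsafe distinction Ben proposes: it walks a debugfs-style tree, skips an allowlist of instrumentation subtrees (tracing and dynamic_debug, an assumption taken from the list above), and flags writable files elsewhere as the ones that need review before they are exposed on a locked-down kernel. The tree it audits is a constructed stand-in with a placeholder driver directory, so it runs without a real /sys/kernel/debug.

```shell
#!/bin/sh
# Added example, not code from the thread or from the asus-wmi patch: audit a
# debugfs-style tree against an allowlist of believed-safe subtrees and report
# everything else, marking files whose mode permits writes (and so may change
# kernel or firmware state) as "rw".
# Assumption for this example: the instrumentation Ben lists is the
# believed-safe set; anything outside it needs review before it is exposed
# on a locked-down kernel.
SAFE_DIRS="tracing dynamic_debug"
# audit_debugfs ROOT: print "rw <path>" or "ro <path>" for each regular file
# outside SAFE_DIRS. The owner-write bit is tested with find(1) so the result
# does not depend on whether the auditing user is root.
audit_debugfs() {
    root=$1
    find "$root" -type f | LC_ALL=C sort | while read -r f; do
        rel=${f#"$root"/}
        top=${rel%%/*}
        for d in $SAFE_DIRS; do
            [ "$top" = "$d" ] && continue 2
        done
        if [ -n "$(find "$f" -perm -200)" ]; then
            echo "rw $rel"
        else
            echo "ro $rel"
        fi
    done
}

# count_unsafe_writable ROOT: number of writable files outside the allowlist.
count_unsafe_writable() {
    audit_debugfs "$1" | grep -c '^rw ' || true
}

# make_sample_tree: constructed stand-in for /sys/kernel/debug so the audit
# runs offline; "example-driver" is a placeholder, not a real driver name.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/tracing" "$d/dynamic_debug" "$d/example-driver"
    for f in tracing/trace dynamic_debug/control example-driver/call \
             example-driver/param; do : > "$d/$f"; chmod 644 "$d/$f"; done
    : > "$d/example-driver/stats"; chmod 444 "$d/example-driver/stats"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree); audit_debugfs "$root"
    echo "writable files outside the allowlist: $(count_unsafe_writable "$root")"
    rm -rf "$root"
fi
```

Run it with `--demo` to see the two writable placeholder files reported while the tracing and dynamic_debug entries are skipped; point `audit_debugfs` at a real debugfs mount to get the same report for a live system.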