From: Ben Hutchings
To: David Howells
Cc: Andy Shevchenko, "linux-kernel@vger.kernel.org", matthew.garrett@nebula.com, linux-efi@vger.kernel.org, One Thousand Gnomes, Greg Kroah-Hartman, acpi4asus-user, Platform Driver, linux-security-module, keyrings@vger.kernel.org
Subject: Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down
Date: Tue, 18 Apr 2017 18:39:18 +0100
Message-ID: <1492537158.2409.147.camel@decadent.org.uk>
In-Reply-To: <16503.1492529434@warthog.procyon.org.uk>

On Tue, 2017-04-18 at 16:30 +0100, David Howells wrote:
> Ben Hutchings wrote:
>
> > So it's generally not going to be OK to turn off debugfs.  There will
> > probably need to be a distinction between believed-safe and unsafe
> > directories/files.
>
> Any suggestion on how to mark this distinction?

I don't know.

> I'd prefer not to modify every read/write op associated with a
> debugfs file.

I think debugfs should be assumed unsafe by default.  So only the
believed-safe parts would need to be changed.

> Modify
> DEFINE_DEBUGFS_ATTRIBUTE() maybe?  And provide lockable variants of
> debugfs_create_u8() and co.?

That could help.

Ben.

-- 
Ben Hutchings
The world is coming to an end.  Please log off.
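
The deny-by-default idea from the reply above, sketched as a userspace C model (an added example, not code from this thread or from the kernel). The helpers `dbg_create`, `dbg_create_safe`, `dbg_read` and the sample ops are hypothetical names chosen for illustration; the point is that one gate in the common access path enforces the policy without touching any per-file op.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Userspace model only: every name below is hypothetical, not a kernel API. */
typedef int (*dbg_read_fn)(void);

struct dbg_entry {
    const char *path;
    dbg_read_fn read;      /* per-file op, left unmodified by the policy */
    bool believed_safe;    /* false unless someone has audited the file */
};

static struct dbg_entry table[8];
static size_t n_entries;
static bool locked_down;   /* models "the kernel is locked down" */

/* Constructed sample ops standing in for driver-specific read handlers. */
static int read_stats(void) { return 42; }
static int read_raw(void)   { return 7; }

/* Default creation helper: a new file is assumed unsafe. */
static struct dbg_entry *dbg_create(const char *path, dbg_read_fn fn)
{
    if (n_entries == sizeof(table) / sizeof(table[0]))
        return NULL;
    table[n_entries] = (struct dbg_entry){ path, fn, false };
    return &table[n_entries++];
}

/* Opt-in variant for files reviewed as safe to expose under lockdown. */
static struct dbg_entry *dbg_create_safe(const char *path, dbg_read_fn fn)
{
    struct dbg_entry *e = dbg_create(path, fn);
    if (e)
        e->believed_safe = true;
    return e;
}

/* Single gate in the common access path, so no per-file op changes. */
static int dbg_read(const char *path)
{
    for (size_t i = 0; i < n_entries; i++) {
        if (strcmp(table[i].path, path) != 0)
            continue;
        if (locked_down && !table[i].believed_safe)
            return -EPERM;
        return table[i].read();
    }
    return -ENOENT;
}
```
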