On Thu 2018-04-19 15:35:47, David Howells wrote:
> Pavel Machek wrote:
>
> > > (1) chmod and chown are disallowed on debugfs objects (though the root
> > > dir
> > > can be modified by mount and remount, but I'm not worried about
> > > that).
> >
> > This has nothing to do with the lockd
Pavel Machek wrote:
> > (1) chmod and chown are disallowed on debugfs objects (though the root dir
> > can be modified by mount and remount, but I'm not worried about that).
>
> This has nothing to do with the lockdown goals, right? I find chown of
> such files quite nice, to allow debuggi
On Wed 2018-04-11 17:27:16, David Howells wrote:
> Disallow opening of debugfs files that might be used to muck around when
> the kernel is locked down as various drivers give raw access to hardware
> through debugfs. Given the effort of auditing all 2000 or so files and
> manually fixing each one
On Thu, Apr 12, 2018 at 1:23 AM, Greg KH wrote:
> On Wed, Apr 11, 2018 at 07:54:12PM -0700, Andy Lutomirski wrote:
>> On Wed, Apr 11, 2018 at 1:33 PM, Greg KH wrote:
>> > On Wed, Apr 11, 2018 at 09:09:16PM +0100, David Howells wrote:
>> >> Greg KH wrote:
>> >>
>> >> > Why not just disable debugf
On Wed, Apr 11, 2018 at 07:54:12PM -0700, Andy Lutomirski wrote:
> On Wed, Apr 11, 2018 at 1:33 PM, Greg KH wrote:
> > On Wed, Apr 11, 2018 at 09:09:16PM +0100, David Howells wrote:
> >> Greg KH wrote:
> >>
> >> > Why not just disable debugfs entirely? This half-hearted way to sorta
> >> > lock
On Wed, Apr 11, 2018 at 1:33 PM, Greg KH wrote:
> On Wed, Apr 11, 2018 at 09:09:16PM +0100, David Howells wrote:
>> Greg KH wrote:
>>
>> > Why not just disable debugfs entirely? This half-hearted way to sorta
>> > lock it down is odd, it is meant to not be there at all, nothing in your
>> > norm
On Wed, Apr 11, 2018 at 09:09:16PM +0100, David Howells wrote:
> Greg KH wrote:
>
> > Why not just disable debugfs entirely? This half-hearted way to sorta
> > lock it down is odd, it is meant to not be there at all, nothing in your
> > normal system should ever depend on it.
> >
> > So again j
David Howells writes:
> Disallow opening of debugfs files that might be used to muck around when
> the kernel is locked down as various drivers give raw access to hardware
> through debugfs. Given the effort of auditing all 2000 or so files and
> manually fixing each one as necessary, I've chose
Greg KH wrote:
> Why not just disable debugfs entirely? This half-hearted way to sorta
> lock it down is odd, it is meant to not be there at all, nothing in your
> normal system should ever depend on it.
>
> So again just don't allow it to be mounted at all, much simpler and more
> obvious as t
Eric W. Biederman wrote:
> Why is mounting debugfs allowed at all? Last I checked (it has been a while)
> the code quality of debugfs was fine for debugging but debugfs was not
> safe to mount on a production system.
>
> Maybe the code quality is better now but for a filesystem that is
> not su
On Wed, Apr 11, 2018 at 05:27:16PM +0100, David Howells wrote:
> Disallow opening of debugfs files that might be used to muck around when
> the kernel is locked down as various drivers give raw access to hardware
> through debugfs. Given the effort of auditing all 2000 or so files and
> manually f
On 04/11/2018 09:27 AM, David Howells wrote:
> Signed-off-by: David Howells
> cc: Andy Shevchenko
> cc: acpi4asus-u...@lists.sourceforge.net
> cc: platform-driver-...@vger.kernel.org
> cc: Matthew Garrett
> cc: Thomas Gleixner
> ---
meta-comment:
I have been dinged for not spelling "cc:" as "
Disallow opening of debugfs files that might be used to muck around when
the kernel is locked down as various drivers give raw access to hardware
through debugfs. Given the effort of auditing all 2000 or so files and
manually fixing each one as necessary, I've chosen to apply a heuristic
instead.
13 matches
Mail list logo
