removing debugfs

[Kees Cook]

Hi,

On Tue, Jan 25, 2011 at 01:52:25AM +0100, David Henningsson wrote:
> On 2011-01-24 23:13, Kees Cook wrote:
> >Hi,
> >
> >I have yet another unpopular request: I want to remove debugfs completely
> >from the built kernels. Upstream continues to put dangerous things in it,
> >and I want to avoid the problems completely.
> >
> >I think any userspace tools that need debugfs should be adjusted to use
> >other non-debug interfaces. If debugfs is really intended only for
> >debugging, it should stay unavailable. And I don't mean unmounted; I want
> >to make sure it's not compiled in at all.
> >
> >Of the most concern is the /sys/kernel/debug/acpi/custom_method interface.
> >While recently fixed for non-root users, it still basically allows
> >arbitrary memory writing[1]. This is a total bypass for the /dev/mem
> >and /dev/kmem restrictions that are used to help protected against
> >kernel rootkits.
> 
> If that is the only concern, perhaps a compromise would be to just
> disable that part of debugfs instead of the entire debugfs.

That is absolutely my fall-back plan, but as I've been suspicious of
debugfs for a while now, having an actual problem in it just validates my
impression that the filesystem has turned into a dangerous dumping ground
of potentially dangerous interfaces.

> >I think we should identify everything that is using debugfs, open bugs
> >for that stuff so it can be fixed before release, and then remove debugfs
> >from the kernel.
> >
> >Thoughts?
> 
> Assuming we do this, and I desperately need the debugfs for
> debugging, either some stuff on my own machine or tell the user (who
> wants his launchpad bug fixed) to do the same things,
> what would be the step-by-step instruction to do so?

If we did disable it, one option would be to make kernels available (like
the mainline builds) with debugfs enabled for people to use for testing.

-Kees

-- 
Kees Cook
Ubuntu Security Team