stefan.bader at ubuntu.com
Thu Jan 27 09:52:27 UTC 2011
On 01/27/2011 06:38 AM, Ben Hutchings wrote:
> On Tue, 2011-01-25 at 12:03 +0100, Stefan Bader wrote:
>> Just to add my 1 cent: I also would rather prefer to only disable the ACPI part
>> and not the whole of debugfs. Not to mount it by default ok, but there are just
>> too many useful things in there to track GPU hangs or trace USB traffic that
>> helps a lot to debug issues and to have to provide a debug enabled kernel just
>> for that seems more waste than the security risk I see from having it there.
>> (the paranoid can delete or blacklist the module).
> That won't work, as any driver that uses debugfs would not be loadable.
> The paranoid will need some way to prevent mounting debugfs even when
> the module is loaded. Could be done with a module parameter.
You are right. I did not think of all the stubs that get added when debugfs
support is on. I guess the problem with a module parameter is that this again
could be modified in the running system via sysfs. Of course this can/would be
limited to root. But on the other hand, if debugfs is not in fstab and mountable
by the user, one needs to be root to mount it anyway.