removing debugfs
Tim Gardner
tim.gardner at canonical.com
Fri Jan 28 15:14:48 UTC 2011
On 01/24/2011 08:57 PM, Kees Cook wrote:
> Hi Tim,
>
> On Mon, Jan 24, 2011 at 07:31:51PM -0700, Tim Gardner wrote:
>> On 01/24/2011 07:19 PM, Kees Cook wrote:
>>> I'd like to remove debugfs completely so it cannot just be trivially
>>> mounted and abused, and to avoid potential future problems.
>>
>> Is this sufficient?
>
> Well, I assume CONFIG_DEBUG_FS=n would be easy to discover, but yeah, that
> would turn it off. That doesn't solve the need that things like ureadahead,
> and the graphics lock-up investigation tool that apport uses. I suspect
> there are more existing users of the debugfs, and it seems like their
> interfaces should be moved somewhere not called "debug".
Kees - I'm not sure what you mean by 'I assume CONFIG_DEBUG_FS=n would
be easy to discover'.
Like Stefan, I'm not quite willing to disable CONFIG_DEBUG_FS across the
board because it can be very useful. Where there are specific
vulnerabilities, such as with acpi, I'm quite willing to either fix 'em
or hack 'em out. In this case just disabling the compile of
drivers/acpi/debugfs.c looks like it'll work.
rtg
--
Tim Gardner tim.gardner at canonical.com
More information about the kernel-team
mailing list