changing perms on /sys/kernel/debug by default
Kees Cook
kees at ubuntu.com
Tue Feb 22 23:16:39 UTC 2011
Hi,
While I'd like to just not compile debugfs into the Ubuntu kernels at all,
it seems that there is a fair bit of push-back on this idea. Instead, the
dangerous /sys/kernel/debug/acpi/custom_method interface has been removed
as the most problematic of all the interfaces (it allows writing arbitrary
kernel memory, bypassing /dev/kmem, /dev/mem, and module restrictions).
Since debugfs should not be required for a production system[1], I'd like
to remove it from mountall's default fstab. To get there, the first step is
to make /sys/kernel/debug only accessible by the root user. Unfortunately,
it does not take a "mode=" mount option like tmpfs does, so mountall has
been adjusted[2] to set the mode after mounting instead.
In the interests of completeness, here are the tools in main that use
debugfs, with stuff that needs updating (only Apport hooks) marked with a
star:
- intel_gpu_dump
    Manpage states it should only be run as root.
- libpcap
    Only used as root for USB monitoring.
* mtdev
    Apport hook (should be updated to use root privs).
- nmap
    Only used as root for USB monitoring.
- ocfs2-tools
    Only used as root for OCFS2 debugging.
- powertop
    Only used as root.
- qemu-kvm
    kvm_stat has no manpage and seems to be designed as a "vmstat" for
    kvm. These statistics should likely come from /sys. Running as
    root seems fine.
- redhat-cluster
    Only used as root.
- ureadahead
    Runs as root, but this tool already uses /var/lib/ureadahead/debugfs
    if the other path is missing. I've changed[3] the permissions on this
    so that normal users cannot see the mountpoint.
- usbutils
    Uses /dev/bus/usb for "lsusb", but "usb-devices" wants debugfs. This
    information should not come out of debugfs. Requiring root seems okay.
* utouch-geis
    Apport hook (should be updated to use root privs).
* xserver-xorg-video-intel
    Apport hook (should be updated to use root privs).
- blktrace
    Only used as root.
Thanks,
-Kees
[1] https://lkml.org/lkml/2011/2/22/372
[2] https://lists.ubuntu.com/archives/natty-changes/2011-February/008110.html
[3] https://lists.ubuntu.com/archives/natty-changes/2011-February/008100.html
--
Kees Cook
Ubuntu Security Team
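The two-step approach the mail describes (mount debugfs, then fix the mode of the mount point afterwards, because debugfs at the time ignored a "mode=" option) as an added shell example. This is not code from the post or from mountall; it assumes GNU stat (-c '%a') and the util-linux mountpoint(1) command, and it only touches /sys/kernel/debug when invoked with --apply as root. Later kernels added uid=, gid= and mode= mount options for debugfs, but the post-mount chmod works on both old and new kernels, and is_restricted is the check to run either way.

```shell
#!/bin/sh
# Added example (not from the original post or from mountall): mount debugfs,
# then restrict the mount point so only root can traverse it, and verify it.

# restrict_mountpoint DIR: make DIR traversable by its owner (root) only.
restrict_mountpoint() {
    chmod 0700 "$1"
}

# is_restricted DIR: succeed if group and other have no permission bits on
# DIR.  Assumes GNU stat; '%a' prints the octal mode, e.g. 755, 700 or 2700,
# so the last two digits are the group/other bits.
is_restricted() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# mount_debugfs_restricted [MOUNTPOINT]: mount debugfs there unless it is
# already mounted, restrict the mount point, then confirm.  Needs root.
mount_debugfs_restricted() {
    mp=${1:-/sys/kernel/debug}
    if ! mountpoint -q "$mp"; then
        mount -t debugfs none "$mp" || return 1
    fi
    restrict_mountpoint "$mp" || return 1
    is_restricted "$mp"
}

if [ "$1" = "--apply" ]; then
    # Real thing: only as root, and only if the directory exists.
    if mount_debugfs_restricted /sys/kernel/debug; then
        echo "/sys/kernel/debug mounted and restricted to root"
    else
        echo "failed to mount or restrict /sys/kernel/debug" >&2
        exit 1
    fi
else
    # Unprivileged demo on a scratch directory (constructed input): start from
    # the world-readable 0755 a plain mount would leave, then restrict it.
    scratch=$(mktemp -d)
    chmod 0755 "$scratch"
    is_restricted "$scratch" && echo "unexpected: $scratch already restricted"
    restrict_mountpoint "$scratch"
    is_restricted "$scratch" && echo "$scratch now $(stat -c '%a' "$scratch"): root-only"
    rmdir "$scratch"
fi
```

Run it without arguments to see the permission logic on a scratch directory; as root, `sh script.sh --apply` performs the actual mount and chmod. The check matters because a plain `mount -t debugfs` leaves the root of the mount world-readable, which is exactly what exposes interfaces like custom_method to unprivileged users.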