changing perms on /sys/kernel/debug by default
Kees Cook
kees.cook at canonical.com
Tue Feb 22 23:46:36 UTC 2011
On Tue, Feb 22, 2011 at 03:37:27PM -0800, Bryce Harrington wrote:
> On Tue, Feb 22, 2011 at 03:16:39PM -0800, Kees Cook wrote:
> > While I'd like to just not compile debugfs into the Ubuntu kernels at all,
> > it seems that there is a fair bit of push-back on this idea. Instead, the
> > dangerous /sys/kernel/debug/acpi/custom_method interface has been removed
> > as the most problematic of all the interfaces (it allows writing arbitrary
> > kernel memory, bypassing /dev/kmem, /dev/mem, and module restrictions).
> >
> > Since debugfs should not be required for a production system[1], I'd like
> > to remove it from mountall's default fstab. To get there, the first step is
> > to make /sys/kernel/debug only accessible by the root user. Unfortunately,
> > it does not take a "mode=" mount option like tmpfs does, so mountall has
> > been adjusted[2] to set the mode after mounting instead.
> >
> > - intel_gpu_dump
> > Manpage states it should only be run as root.
> >
> > * xserver-xorg-video-intel
> > Apport hook (should be updated to use root privs).
>
> I believe it does already, no? It gets triggered by the kernel via an
> upstart hook.
>
> Due to the nature of GPU lockups, we can't prompt the user for root
> password or something at the point it gets triggered; the system's
> locked up.
Ah, yes. If it's spawning from the X process context, this should be done
already.
> We get the majority of our value out of the apport hook during
> development. So if you wanted to make debugfs be enabled only during
> release, and switch it off after beta, we could work with that.
Based on the above, it should all Just Work for the GPU case.
-Kees
--
Kees Cook
Ubuntu Security Team
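The mount-then-chmod approach described in the quoted mail, plus a check that a debugfs mount point ended up root-only and without acpi/custom_method, as an added example that is not part of this thread or of mountall's code; the function names debugfs_restrict and debugfs_audit are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not mountall's code, not from the thread).  Helper names
# debugfs_restrict and debugfs_audit are assumptions for this example.

# Mount debugfs at $1 (default /sys/kernel/debug) and make it root-only.
# debugfs does not honour a "mode=" mount option the way tmpfs does, so the
# mode is set after mounting.  Needs root and a kernel with debugfs; it is
# not exercised by the test below.
debugfs_restrict() {
    mnt="${1:-/sys/kernel/debug}"
    mkdir -p "$mnt"
    mount -t debugfs none "$mnt" || return 1
    chown root:root "$mnt" && chmod 0700 "$mnt"
}

# Audit a debugfs mount point: owner must be uid 0, mode must be 0700, and
# the arbitrary-kernel-memory-write interface acpi/custom_method must be
# absent.  Prints one finding per line; returns 0 only when all checks pass.
debugfs_audit() {
    mnt="${1:-/sys/kernel/debug}"
    rc=0
    [ -d "$mnt" ] || { echo "MISSING: $mnt"; return 1; }
    set -- $(stat -c '%a %u' "$mnt")   # GNU stat: octal mode, numeric uid
    mode="$1"; uid="$2"
    [ "$uid" = "0" ]    || { echo "BAD OWNER: uid $uid (want 0)"; rc=1; }
    [ "$mode" = "700" ] || { echo "BAD MODE: $mode (want 700)"; rc=1; }
    [ ! -e "$mnt/acpi/custom_method" ] \
        || { echo "EXPOSED: $mnt/acpi/custom_method"; rc=1; }
    [ "$rc" = 0 ] && echo "OK: $mnt is root-only"
    return "$rc"
}
```

Run `debugfs_audit` without arguments on a live system to check the default mount point; the test below uses a constructed temporary directory instead.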