changing perms on /sys/kernel/debug by default
Kees Cook
kees.cook at canonical.com
Tue Feb 22 23:58:58 UTC 2011
On Tue, Feb 22, 2011 at 03:46:36PM -0800, Kees Cook wrote:
> On Tue, Feb 22, 2011 at 03:37:27PM -0800, Bryce Harrington wrote:
> > On Tue, Feb 22, 2011 at 03:16:39PM -0800, Kees Cook wrote:
> > > While I'd like to just not compile debugfs into the Ubuntu kernels at all,
> > > it seems that there is a fair bit of push-back on this idea. Instead, the
> > > dangerous /sys/kernel/debug/acpi/custom_method interface has been removed
> > > as the most problematic of all the interfaces (it allows writing arbitrary
> > > kernel memory, bypassing /dev/kmem, /dev/mem, and module restrictions).
> > >
> > > Since debugfs should not be required for a production system[1], I'd like
> > > to remove it from mountall's default fstab. To get there, the first step is
> > > to make /sys/kernel/debug only accessible by the root user. Unfortunately,
> > > it does not take a "mode=" mount option like tmpfs does, so mountall has
> > > been adjusted[2] to set the mode after mounting instead.
> > >
> > > - intel_gpu_dump
> > > Manpage states it should only be run as root.
> > >
> > > * xserver-xorg-video-intel
> > > Apport hook (should be updated to use root privs).
> >
> > I believe it does already, no? It gets triggered by the kernel via an
> > upstart hook.
> >
> > Due to the nature of GPU lockups, we can't prompt the user for root
> > password or something at the point it gets triggered; the system's
> > locked up.
>
> Ah, yes. If it's spawning from the X process context, this should be done
> already.
>
> > We get the majority of our value out of the apport hook during
> > development. So if you wanted to make debugfs be enabled only during
> > release, and switch it off after beta, we could work with that.
>
> Based on the above, it should all Just Work for the GPU case.
Just to confirm: yes, it should be fine. Bryce pointed out on IRC that this
is called through /lib/udev/rules.d/40-xserver-xorg-video-intel.rules:
SUBSYSTEM=="drm", ACTION=="change", ENV{ERROR}=="1", RUN+="/usr/share/apport/apport-gpu-error-intel.py"
And that's running as root to collect the debugfs bits. Done! :)
-Kees
--
Kees Cook
Ubuntu Security Team
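The mountall adjustment discussed above (mount debugfs, then fix the mode afterwards since debugfs takes no "mode=" option), plus the check an admin would run to confirm /sys/kernel/debug is root-only, as an added shell example that is not part of this thread or of mountall's code; the function names and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example: restrict and audit a debugfs mount point.
# Not mountall's code; function names and arguments are hypothetical.

# Returns 0 when DIR has no group/other permission bits (e.g. 0700), 1 otherwise.
debugfs_mode_restricted() {
    dir="$1"
    mode=$(stat -c '%a' "$dir") || return 2
    # stat may prefix setuid/setgid/sticky digits; keep the last three octal digits.
    perms=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    group=$(printf '%s' "$perms" | cut -c2)
    other=$(printf '%s' "$perms" | cut -c3)
    [ "$group" = "0" ] && [ "$other" = "0" ]
}

# Returns 0 when DIR is owned by uid 0 (root).
debugfs_owned_by_root() {
    [ "$(stat -c '%u' "$1")" = "0" ]
}

# What the mountall change amounts to: debugfs cannot be mounted with mode=,
# so mount it first and then chmod the mount point. Needs root.
mount_debugfs_restricted() {
    dir="${1:-/sys/kernel/debug}"
    if ! grep -q " $dir debugfs " /proc/mounts; then
        mount -t debugfs none "$dir" || return 1
    fi
    chmod 0700 "$dir"
}

# Audit: report whether an existing debugfs mount is root-only.
audit_debugfs() {
    dir="${1:-/sys/kernel/debug}"
    if ! grep -q " $dir debugfs " /proc/mounts; then
        echo "$dir: not mounted as debugfs"; return 1
    fi
    if debugfs_mode_restricted "$dir" && debugfs_owned_by_root "$dir"; then
        echo "$dir: restricted to root (mode $(stat -c '%a' "$dir"))"
    else
        echo "$dir: accessible to non-root users (mode $(stat -c '%a' "$dir"), uid $(stat -c '%u' "$dir"))"
        return 1
    fi
}
```

Run `audit_debugfs` as any user to check the current state; `mount_debugfs_restricted` is the root-only repair step.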