changing perms on /sys/kernel/debug by default
Amit Kucheria
amit.kucheria at canonical.com
Wed Feb 23 15:52:04 UTC 2011
On 11 Feb 22, Kees Cook wrote:
> Hi,
>
> While I'd like to just not compile debugfs into the Ubuntu kernels at all,
> it seems that there is a fair bit of push-back on this idea. Instead, the
> dangerous /sys/kernel/debug/acpi/custom_method interface has been removed
> as the most problematic of all the interfaces (it allows writing arbitrary
> kernel memory, bypassing /dev/kmem, /dev/mem, and module restrictions).
>
> Since debugfs should not be required for a production system[1], I'd like
> to remove it from mountall's default fstab. To get there, the first step is
> to make /sys/kernel/debug only accessible by the root user. Unfortunately,
> it does not take a "mode=" mount option like tmpfs does, so mountall has
> been adjusted[2] to set the mode after mounting instead.
>
> In the interests of completeness, here are the tools in main that use
> debugfs, with stuff that needs updating (only Apport hooks) marked with a
> star:
>
> - intel_gpu_dump
> Manpage states it should only be run as root.
>
> - libpcap
> Only used as root for USB monitoring.
>
> * mtdev
> Apport hook (should be updated to use root privs).
>
> - nmap
> Only used as root for USB monitoring.
>
> - ocfs2-tools
> Only used as root for OCF2 debugging.
>
> - powertop
> Only used as root.
One more tool,
- powerdebug
New tool created for ARM platforms, should be used as root. It reads
/sys/kernel/debug/clocks on ARM
Since we use Ubuntu kernel configs as a start and various bits of Ubuntu
userspace, I thought I'd just chime in for the sake of completeness.
--
----------------------------------------------------------------------
Amit Kucheria, Kernel Engineer || amit.kucheria at canonical.com
----------------------------------------------------------------------
More information about the ubuntu-devel
mailing list