From 6d04a54f88eac0ecb28e61a23262ccca2af4b9d8 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 8 Nov 2017 15:11:36 +0000 Subject: [PATCH] debugfs: Disallow use of debugfs files when the kernel is locked down Disallow opening of debugfs files when the kernel is locked down as various drivers give raw access to hardware through debugfs. Accesses to tracefs should use /sys/kernel/tracing/ rather than /sys/kernel/debug/tracing/. Possibly a symlink should be emplaced. Normal device interaction should be done through configfs or a miscdev, not debugfs. Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver. Signed-off-by: David Howells cc: Andy Shevchenko cc: acpi4asus-user@lists.sourceforge.net cc: platform-driver-x86@vger.kernel.org cc: Matthew Garrett cc: Thomas Gleixner [bwh: Forward-ported to 4.15] Gbp-Pq: Topic features/all/lockdown Gbp-Pq: Name 0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch --- fs/debugfs/file.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index cd12e6576b4..f96431e7566 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -142,6 +142,9 @@ static int open_proxy_open(struct inode *inode, struct file *filp) const struct file_operations *real_fops = NULL; int r; + if (kernel_is_locked_down("debugfs")) + return -EPERM; + r = debugfs_file_get(dentry); if (r) return r == -EIO ? -ENOENT : r; @@ -267,6 +270,9 @@ static int full_proxy_open(struct inode *inode, struct file *filp) struct file_operations *proxy_fops = NULL; int r; + if (kernel_is_locked_down("debugfs")) + return -EPERM; + r = debugfs_file_get(dentry); if (r) return r == -EIO ? -ENOENT : r; -- 2.30.2