From patchwork Tue Jan 25 02:31:51 2011
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 80303
X-Patchwork-Delegate: tim.gardner@canonical.com
Message-ID: <4D3E3617.9040304@tpi.com>
Date: Mon, 24 Jan 2011 19:31:51 -0700
From: Tim Gardner
To: Kees Cook
Subject: Re: removing debugfs
References: <20110124221348.GG4979@outflux.net> <1295920093.4105.9.camel@localhost> <20110125021959.GO4979@outflux.net>
In-Reply-To: <20110125021959.GO4979@outflux.net>
Cc: kernel-team@lists.ubuntu.com

On 01/24/2011 07:19 PM, Kees Cook wrote:
> Hi,
>
> On Tue, Jan 25, 2011 at 11:48:13AM +1000, Ben Hutchings wrote:
>> On Mon, 2011-01-24 at 14:13 -0800, Kees Cook wrote:
>>> I have yet another unpopular request: I want to remove debugfs completely
>>> from the built kernels. Upstream continues to put dangerous things in it,
>>> and I want to avoid the problems completely.
>> [...]
>>
>> I agree that it should not be mounted by default, or relied on by any
>> user-space packages. However, I don't see the need to disable it
>> altogether.
>
> My specific issue with it is the acpi_method interface, which nullifies the
> /dev/mem and /dev/kmem restrictions (i.e. a root user can once again
> arbitrarily write to memory). The defenses for kernel rootkits require that
> the root user not have any way to write to kernel memory (nor load arbitrary
> modules).
>
> For example, without debugfs and barring unknown vulnerabilities,
> if a system owner chooses at boot time to echo 1 into
> /proc/sys/kernel/modules_disabled, there isn't a way to modify the
> running kernel. Unfortunately, with acpi_method, this is no longer true.
>
> I'd like to remove debugfs completely so it cannot just be trivially
> mounted and abused, and to avoid potential future problems.
>
> As mentioned, though, the minimal compromise will be to just flat remove
> acpi_method, as it is a real and present danger as opposed to some set of
> future unknown dangers. :)
>
> -Kees
>

Is this sufficient?

rtg

diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile index d113fa5..123e281 100644 --- a/drivers/acpi/Makefile +++ b/drivers/acpi/Makefile @@ -39,7 +39,7 @@ acpi-y += pci_root.o pci_link.o pci_irq.o pci_bind.o acpi-y += power.o acpi-y += event.o acpi-y += sysfs.o -acpi-$(CONFIG_DEBUG_FS) += debugfs.o +#acpi-$(CONFIG_DEBUG_FS) += debugfs.o acpi-$(CONFIG_ACPI_NUMA) += numa.o acpi-$(CONFIG_ACPI_PROCFS_POWER) += cm_sbs.o ifdef CONFIG_ACPI_VIDEO
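Review bot: The hunk comments out the `acpi-$(CONFIG_DEBUG_FS) += debugfs.o` rule instead of deleting it, and a commented-out make rule with no explanation will look like an accident to the next person editing drivers/acpi/Makefile; either remove the line outright or leave a one-line comment stating the reason (the acpi_method write-to-kernel-memory concern raised in this thread). Also, the compromise discussed above was to remove only acpi_method, whereas this drops all of drivers/acpi/debugfs.o whenever CONFIG_DEBUG_FS=y; please confirm that the object provides nothing beyond the acpi_method interface, and that no other file under drivers/acpi references symbols it defines, since a CONFIG_DEBUG_FS=y build would otherwise fail at link time with an unresolved reference.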