Message ID | 4D642415.2070808@canonical.com |
---|---|
State | Accepted |
On Tue, Feb 22, 2011 at 02:01:09PM -0700, Tim Gardner wrote:
> On 02/22/2011 01:29 PM, Kees Cook wrote:
> >On Tue, Feb 22, 2011 at 01:23:57PM -0700, Tim Gardner wrote:
> >>It appears that ureadahead only uses /var/lib/ureadahead/debugfs if
> >>/sys/kernel/debug is not already mounted, so we need to test that
> >>code path.
> >
> >I've confirmed this path -- ureadahead uses it on my system every time.
> >
> >>What package mounts debugfs ?
> >
> >mountall. I'm happy to patch it to not mount /sys/kernel/debug by default.
> >
> >-Kees
> >
>
> This is what I've tested on a desktop and server. Everything appears
> to work. The only window of vulnerability is while ureadahead is
> doing its thing, and that should only happen after the package
> database changes, right?
>
> If you concur, then turn off debugfs and see what carnage ensues.
> You should probably start a tracking bug to collect any regressions.

Yeah, I already had the upload ready, so I'll use my version (it refers
to the lkml email where Alan Cox says it should not be used on production
systems). But yeah, I'll upload and send email to ubuntu-devel with the
list of everything in main that references /sys/kernel/debug.

-Kees
On Tue, Feb 22, 2011 at 02:01:09PM -0700, Tim Gardner wrote:
> This is what I've tested on a desktop and server. Everything appears
> to work. The only window of vulnerability is while ureadahead is
> doing its thing, and that should only happen after the package
> database changes, right?
>
> If you concur, then turn off debugfs and see what carnage ensues.
> You should probably start a tracking bug to collect any regressions.

Actually, I'm going to change this a bit... I'm going to just chmod it
after mounting. Then I don't have to break apport and ftrace, and I don't
have to carry a kernel patch.
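A check for the condition this thread is about, added here as an example and not code from mountall, ureadahead or anyone in the thread: parse a /proc/mounts listing for a debugfs instance at a given mount point, report whether a mount point's permission bits let unprivileged users into it, and apply the post-mount chmod that the follow-up above settles on instead of not mounting at all. The /proc/mounts text is a constructed sample, the function names are mine, and the helpers assume GNU stat and awk; run it as root against the real /sys/kernel/debug to check an actual system.

```sh
#!/bin/sh
# Added example, not from the mountall patch or the thread.
# Sample /proc/mounts content (constructed, not captured from a real host):
# sysfs carries nodev,noexec,nosuid; the debugfs mount carries no restrictions.
SAMPLE_MOUNTS='none /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
none /sys/kernel/debug debugfs rw,relatime 0 0
none /sys/kernel/security securityfs rw,relatime 0 0'

# debugfs_opts MOUNTS_TEXT MOUNTPOINT
# Print the options of the debugfs instance mounted at MOUNTPOINT, or
# "not-mounted" if no debugfs is mounted there (the condition under which
# ureadahead falls back to its private /var/lib/ureadahead/debugfs).
debugfs_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp && $3 == "debugfs" { print $4; found = 1 }
        END { if (!found) print "not-mounted" }'
}

# dir_mode PATH: octal permission bits of PATH, e.g. 755 (GNU stat assumed).
dir_mode() {
    stat -c '%a' "$1"
}

# world_accessible PATH: exit 0 if the "other" bits of PATH are non-zero,
# i.e. any local user can traverse, list or read below it.
world_accessible() {
    mode=$(dir_mode "$1") || return 2
    other=$(( mode % 10 ))      # last octal digit = permissions for "other"
    [ "$other" -ne 0 ]
}

# restrict_mountpoint PATH: the alternative chosen in the thread. Leave the
# filesystem mounted but chmod the mount point (the root inode of the
# mounted debugfs) to 0700 so only root can get past it. Prints the new mode.
restrict_mountpoint() {
    chmod 0700 "$1" && dir_mode "$1"
}

# Demonstration on a scratch directory standing in for /sys/kernel/debug.
demo() {
    scratch=$(mktemp -d)
    chmod 0755 "$scratch"        # typical mode of an unrestricted mount point
    echo "debugfs at /sys/kernel/debug: $(debugfs_opts "$SAMPLE_MOUNTS" /sys/kernel/debug)"
    if world_accessible "$scratch"; then
        echo "$scratch is world accessible (mode $(dir_mode "$scratch")), restricting"
        restrict_mountpoint "$scratch" >/dev/null
    fi
    world_accessible "$scratch" && echo "still open" || echo "now mode $(dir_mode "$scratch")"
    rmdir "$scratch"
}

demo
```

On a real system, `debugfs_opts "$(cat /proc/mounts)" /sys/kernel/debug` tells you whether mountall (or anything else) has mounted debugfs and with which options, and `world_accessible /sys/kernel/debug` tells you whether the chmod has actually been applied after the mount; the permission check is on the mount point itself, so it must run after the filesystem is mounted, not before.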
diff -Nru mountall-2.21/debian/changelog mountall-2.21ubuntu1/debian/changelog --- mountall-2.21/debian/changelog 2011-02-09 13:51:43.000000000 -0700 +++ mountall-2.21ubuntu1/debian/changelog 2011-02-22 13:41:47.000000000 -0700 @@ -1,3 +1,9 @@ +mountall (2.21ubuntu1) natty; urgency=low + + * Don't mount debugfs by default + + -- Tim Gardner <tim.gardner@canonical.com> Tue, 22 Feb 2011 13:40:18 -0700 + mountall (2.21) natty; urgency=low * conf/mounted-tmp.conf: find is needed from /usr, so delay this and diff -Nru mountall-2.21/src/fstab mountall-2.21ubuntu1/src/fstab --- mountall-2.21/src/fstab 2010-12-16 05:14:32.000000000 -0700 +++ mountall-2.21ubuntu1/src/fstab 2011-02-22 13:37:32.000000000 -0700 @@ -10,7 +10,7 @@ none /proc/sys/fs/binfmt_misc binfmt_misc nodev,noexec,nosuid,optional 0 0 none /sys sysfs nodev,noexec,nosuid 0 0 none /sys/fs/fuse/connections fusectl optional 0 0 -none /sys/kernel/debug debugfs optional 0 0 +#none /sys/kernel/debug debugfs optional 0 0 none /sys/kernel/security securityfs optional 0 0 none /spu spufs gid=spu,optional 0 0 none /dev devtmpfs,tmpfs mode=0755 0 0
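Review bot: the debian/changelog entry for 2.21ubuntu1 says only "Don't mount debugfs by default" and gives neither a reason nor a bug reference, although the thread says the upload will cite the lkml mail in which Alan Cox says debugfs should not be used on production systems and that a tracking bug should be opened for regressions. Put that rationale and the tracking bug reference in the entry, so that anyone reading the package history later knows why a long-standing default mount disappeared and where the fallout is being collected.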
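Review bot: in the src/fstab hunk, commenting out the debugfs entry ("+#none /sys/kernel/debug debugfs optional 0 0") rather than deleting it leaves a dead line in the fstab that mountall reads, and it also no longer matches what the thread settles on, which is to keep mounting /sys/kernel/debug and chmod the mount point afterwards so apport and ftrace keep working. Either remove the line outright or replace this change with the post-mount chmod. Note also the uneven hardening visible in the context lines: sysfs and binfmt_misc carry nodev,noexec,nosuid, while the debugfs and securityfs entries carry only optional; if debugfs stays mounted, give its entry the same nodev,noexec,nosuid flags.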