lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YxEy8mTO1nZ1sxHV@google.com>
Date:   Thu, 1 Sep 2022 15:32:18 -0700
From:   Brian Norris <briannorris@...omium.org>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     "Rafael J . Wysocki" <rafael@...nel.org>,
        Ingo Molnar <mingo@...hat.com>,
        Steven Rostedt <rostedt@...dmis.org>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] debugfs: Only clobber mode/uid/gid on remount if
 asked

On Thu, Sep 01, 2022 at 05:58:14PM +0200, Greg Kroah-Hartman wrote:
> On Fri, Aug 26, 2022 at 05:44:16PM -0700, Brian Norris wrote:
> > Users may have explicitly configured their debugfs permissions; we
> > shouldn't overwrite those just because a second mount appeared.
> 
> What userspace mounts debugfs twice?

I'll admit, my particular userspace in question (Chrom{e,ium}OS) does
not. There are several debugfs mounts, but they are bind mounts, which
don't hit this problem.

But Steven hits the nail on the head for most of my reasoning; my main
motivation is for tracefs (patch 2), whose automount makes this very
surprising. I included patch 1 for consistency (tracefs essentially
copy/pasted debugfs). I could drop patch 1 if that helps somehow, but
I'd still like to consider the automount difficulties in patch 2.

> > Only clobber if the options were provided at mount time.
> > 
> >   # Don't change /sys/kernel/debug/ permissions.
> >   mount -t debugfs none /mnt/foo
> > 
> >   # Change /sys/kernel/debug/ mode and uid, but not gid.
> >   mount -t debugfs -o uid=bar,mode=0750 none /mnt/baz
> 
> So what happens today with this change?  Without it?

Sorry, this was probably a bit too implied -- the gid changes to its
default (0 if we never set it in a mount option before; or it will reset
to any previous gid= mount setting).

# ls -ld /sys/kernel/debug/.
drwxr-x---. 45 root debugfs-access 0 Dec 31  1969 /sys/kernel/debug/.
# chown root:power /sys/kernel/debug/
# ls -ld /sys/kernel/debug/.
drwxr-x---. 45 root power 0 Dec 31  1969 /sys/kernel/debug/.
# mount -t debugfs -o uid=power,mode=0750 none /tmp/mnt
# ls -ld /sys/kernel/debug/.
drwxr-x---. 45 power debugfs-access 0 Dec 31  1969 /sys/kernel/debug/.
# mount | grep '\/sys\/kernel\/debug '
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel,uid=228,gid=605,mode=750)

I can include more before/after examples in the commit message if you
want. Honestly, that's kind of why I offered to write test cases; test
cases show what's happening better than narrative descriptions.

> > 
> > Signed-off-by: Brian Norris <briannorris@...omium.org>
> > ---
> > I'm open to writing an LTP test case for this, if that seems like a good
> > idea.
> 
> If it's really needed, again, why would debugfs be ever mounted more
> than once?

Steven gave examples. Again, my particular use is more for patch 2. But
I think the current behavior is pretty surprising, if anybody ever
*does* try to mount more than once.

Brian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ