lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20260209180844.c582bdbb6a4a5b737db7a0a7@kernel.org>
Date: Mon, 9 Feb 2026 18:08:44 +0900
From: Masami Hiramatsu (Google) <mhiramat@...nel.org>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
 linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org
Subject: Re: [PATCH v6 2/4] tracing: Make the backup instance non-reusable

On Wed, 4 Feb 2026 21:17:21 -0500
Steven Rostedt <rostedt@...dmis.org> wrote:

> On Sun,  1 Feb 2026 12:29:15 +0900
> "Masami Hiramatsu (Google)" <mhiramat@...nel.org> wrote:
> 
> > From: Masami Hiramatsu (Google) <mhiramat@...nel.org>
> > 
> > Since there is no reason to reuse the backup instance, make it
> > readonly (but erasable).
> > Note that only backup instances are readonly, because
> > other trace instances will be empty unless it is writable.
> > Only backup instances have copy entries from the original.
> > 
> > With this change, most of the trace control files are removed
> > from the backup instance, including eventfs enable/filter etc.
> > 
> >  # find /sys/kernel/tracing/instances/backup/events/ | wc -l
> >  4093
> >  # find /sys/kernel/tracing/instances/boot_map/events/ | wc -l
> >  9573
> > 
> > Signed-off-by: Masami Hiramatsu (Google) <mhiramat@...nel.org>
> > ---
> >  Changes in v6:
> >    - Remove tracing_on file from readonly instances.
> >    - Remove unused writable_mode from tracing_init_tracefs_percpu().
> >    - Cleanup init_tracer_tracefs() and create_event_toplevel_files().
> >    - Remove TRACE_MODE_WRITE_MASK.
> >    - Add TRACE_ARRAY_FL_RDONLY.
> >  Changes in v5:
> >    - Rebased on the latest for-next (and hide show_event_filters/triggers
> >      if the instance is readonly.
> >  Changes in v4:
> >   - Make trace data erasable. (not reusable)
> >  Changes in v3:
> >   - Resuse the beginning part of event_entries for readonly files.
> >   - Remove readonly file_operations and checking readonly flag in
> >     each write operation.
> >  Changes in v2:
> >   - Use readonly file_operations to prohibit writing instead of
> >     checking flags in write() callbacks.
> >   - Remove writable files from eventfs.
> > ---
> >  kernel/trace/trace.c        |   94 +++++++++++++++++++++++++++++--------------
> >  kernel/trace/trace.h        |    7 +++
> >  kernel/trace/trace_boot.c   |    5 +-
> >  kernel/trace/trace_events.c |   76 ++++++++++++++++++++---------------
> >  4 files changed, 117 insertions(+), 65 deletions(-)
> > 
> > diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> > index 5c3e4a554143..b0efcf1e0809 100644
> > --- a/kernel/trace/trace.c
> > +++ b/kernel/trace/trace.c
> > @@ -5052,6 +5052,11 @@ static ssize_t
> >  tracing_write_stub(struct file *filp, const char __user *ubuf,
> >  		   size_t count, loff_t *ppos)
> >  {
> > +	struct trace_array *tr = file_inode(filp)->i_private;
> > +
> > +	if (trace_array_is_readonly(tr))
> > +		return -EPERM;
> > +
> >  	return count;
> >  }
> >  
> > @@ -5152,6 +5157,9 @@ tracing_cpumask_write(struct file *filp, const char __user *ubuf,
> >  	cpumask_var_t tracing_cpumask_new;
> >  	int err;
> >  
> > +	if (trace_array_is_readonly(tr))
> > +		return -EPERM;
> > +
> 
> Shouldn't these checks be done in the open function? Doing it now is
> too late, as -EPERM on a write is confusing when the open for write
> succeeds.

I've made a small program and straced. Surprisingly, for the super user,
open(2) does not return error on opening a readonly file with O_RDWR.

With normal user, it returns -EACCES
-----
$ strace ./write-test hoge
execve("./write-test", ["./write-test", "hoge"], 0x7ffc30b99928 /* 73 vars */) = 0
...
openat(AT_FDCWD, "hoge", O_RDWR)        = -1 EACCES (Permission denied)
exit_group(-1)                          = ?
+++ exited with 255 +++
-----

But for the superuser case:
-----
$ sudo strace ./write-test hoge
execve("./write-test", ["./write-test", "hoge"], 0x7ffcffa80488 /* 32 vars */) = 0
...
openat(AT_FDCWD, "hoge", O_RDWR)        = 3
write(3, "test\0", 5)                   = 5
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0x2), ...}) = 0
write(1, "write return 5\n", 15write return 5
)        = 15
exit_group(0)                           = ?
+++ exited with 0 +++

So I think we can postpone it until actual action for the superuser case.
(Anyway, I will make it return -EACCES)

Thank you,

> 
> -- Steve
> 
> >  	if (count == 0 || count > KMALLOC_MAX_SIZE)
> >  		return -EINVAL;
> >  


-- 
Masami Hiramatsu (Google) <mhiramat@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ