changing perms on /sys/kernel/debug by default


changing perms on /sys/kernel/debug by default

Kees Cook-5
Hi,

While I'd like to just not compile debugfs into the Ubuntu kernels at all,
it seems that there is a fair bit of push-back on this idea. Instead, the
dangerous /sys/kernel/debug/acpi/custom_method interface has been removed
as the most problematic of all the interfaces (it allows writing arbitrary
kernel memory, bypassing /dev/kmem, /dev/mem, and module restrictions).

Since debugfs should not be required for a production system[1], I'd like
to remove it from mountall's default fstab. To get there, the first step is
to make /sys/kernel/debug only accessible by the root user. Unfortunately,
it does not take a "mode=" mount option like tmpfs does, so mountall has
been adjusted[2] to set the mode after mounting instead.

In the interests of completeness, here are the tools in main that use
debugfs, with stuff that needs updating (only Apport hooks) marked with a
star:

 - intel_gpu_dump
    Manpage states it should only be run as root.

 - libpcap
    Only used as root for USB monitoring.

 * mtdev
    Apport hook (should be updated to use root privs).

 - nmap
    Only used as root for USB monitoring.

 - ocfs2-tools
    Only used as root for OCFS2 debugging.

 - powertop
    Only used as root.

 - qemu-kvm
    kvm_stat has no manpage and seems to be designed as a "vmstat" for
    kvm. These statistics should likely come from /sys. Running as
    root seems fine.

 - redhat-cluster
    Only used as root.

 - ureadahead
    Runs as root, but this tool already uses /var/lib/ureadahead/debugfs
    if the other path is missing. I've changed[3] the permissions on this
    so that normal users cannot see the mountpoint.

 - usbutils
    Uses /dev/bus/usb for "lsusb", but "usb-devices" wants debugfs. This
    information should not come out of debugfs. Requiring root seems okay.

 * utouch-geis
    Apport hook (should be updated to use root privs).

 * xserver-xorg-video-intel
    Apport hook (should be updated to use root privs).

 - blktrace
    Only used as root.

Thanks,

-Kees

[1] https://lkml.org/lkml/2011/2/22/372
[2] https://lists.ubuntu.com/archives/natty-changes/2011-February/008110.html
[3] https://lists.ubuntu.com/archives/natty-changes/2011-February/008100.html

--
Kees Cook
Ubuntu Security Team

--
ubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
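The mount-then-chmod step described in the post above, as an added example that is not code from the thread or from mountall: debugfs (on the kernels discussed here) accepts no "mode=" mount option, so the mountpoint's group and other bits have to be cleared after the mount, and a check is included so a hardening audit can confirm the directory is root-only. The helper names, the use of a throwaway directory for the unprivileged self-test, and the default path /sys/kernel/debug are assumptions for illustration; the mounting function needs root and is not run by the self-test. Later kernels added uid=, gid= and mode= options to debugfs, so on such a kernel the same result can be obtained directly from the fstab entry instead of a post-mount chmod.

```shell
#!/bin/sh
# Added example, not code from the thread or from mountall: restrict a
# debugfs mountpoint to root after mounting it.  The mountpoint path and
# the helper names are assumptions for illustration.
set -eu

# Symbolic permission string of a path, e.g. "drwx------" (GNU stat).
perm_string() {
    stat -c '%A' "$1"
}

# Octal permission bits of a path, e.g. "700" (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Succeed (print "ok") only if no group or other bit is set on $1;
# otherwise print the offending mode and fail.  Matching the symbolic
# form avoids octal-parsing differences between shells.
check_mountpoint() {
    dir=$1
    perms=$(perm_string "$dir")
    case "$perms" in
        ????------)
            echo "ok: $dir is $(mode_of "$dir"), root-only"
            return 0 ;;
        *)
            echo "exposed: $dir is $(mode_of "$dir") ($perms)" >&2
            return 1 ;;
    esac
}

# Clear group/other bits on an existing directory: the step mountall was
# adjusted to perform after mounting, since debugfs takes no mode= option.
restrict_mountpoint() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chmod 0700 "$dir"
}

# Mount debugfs (if not already mounted) and then restrict it.  Needs root
# and a real kernel; not exercised by the self-test below.
mount_debugfs_restricted() {
    dir=${1:-/sys/kernel/debug}
    if ! mountpoint -q "$dir"; then
        mount -t debugfs none "$dir"
    fi
    restrict_mountpoint "$dir"
    check_mountpoint "$dir"
}

# Self-test on a constructed throwaway directory so it runs unprivileged:
# a 0755 directory is flagged as exposed, then restricted and accepted.
demo() {
    tmp=$(mktemp -d)
    chmod 0755 "$tmp"
    check_mountpoint "$tmp" || true
    restrict_mountpoint "$tmp"
    check_mountpoint "$tmp"
    rmdir "$tmp"
}

demo
```

Run as root with `mount_debugfs_restricted /sys/kernel/debug` to apply the change to a live system; `check_mountpoint /sys/kernel/debug` on its own is a read-only audit that any boot-time or configuration-management check can call.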

Re: changing perms on /sys/kernel/debug by default

Bryce Harrington-5
On Tue, Feb 22, 2011 at 03:16:39PM -0800, Kees Cook wrote:

> Hi,
>
> While I'd like to just not compile debugfs into the Ubuntu kernels at all,
> it seems that there is a fair bit of push-back on this idea. Instead, the
> dangerous /sys/kernel/debug/acpi/custom_method interface has been removed
> as the most problematic of all the interfaces (it allows writing arbitrary
> kernel memory, bypassing /dev/kmem, /dev/mem, and module restrictions).
>
> Since debugfs should not be required for a production system[1], I'd like
> to remove it from mountall's default fstab. To get there, the first step is
> to make /sys/kernel/debug only accessible by the root user. Unfortunately,
> it does not take a "mode=" mount option like tmpfs does, so mountall has
> been adjusted[2] to set the mode after mounting instead.
>
>  - intel_gpu_dump
>     Manpage states it should only be run as root.
>
>  * xserver-xorg-video-intel
>     Apport hook (should be updated to use root privs).

I believe it does already, no?  It gets triggered by the kernel via an
upstart hook.

Due to the nature of GPU lockups, we can't prompt the user for root
password or something at the point it gets triggered; the system's
locked up.

We get the majority of our value out of the apport hook during
development.  So if you wanted to make debugfs be enabled only during
release, and switch it off after beta, we could work with that.

Bryce





Re: changing perms on /sys/kernel/debug by default

Kees Cook-8
On Tue, Feb 22, 2011 at 03:37:27PM -0800, Bryce Harrington wrote:

> On Tue, Feb 22, 2011 at 03:16:39PM -0800, Kees Cook wrote:
> > While I'd like to just not compile debugfs into the Ubuntu kernels at all,
> > it seems that there is a fair bit of push-back on this idea. Instead, the
> > dangerous /sys/kernel/debug/acpi/custom_method interface has been removed
> > as the most problematic of all the interfaces (it allows writing arbitrary
> > kernel memory, bypassing /dev/kmem, /dev/mem, and module restrictions).
> >
> > Since debugfs should not be required for a production system[1], I'd like
> > to remove it from mountall's default fstab. To get there, the first step is
> > to make /sys/kernel/debug only accessible by the root user. Unfortunately,
> > it does not take a "mode=" mount option like tmpfs does, so mountall has
> > been adjusted[2] to set the mode after mounting instead.
> >
> >  - intel_gpu_dump
> >     Manpage states it should only be run as root.
> >
> >  * xserver-xorg-video-intel
> >     Apport hook (should be updated to use root privs).
>
> I believe it does already, no?  It gets triggered by the kernel via an
> upstart hook.
>
> Due to the nature of GPU lockups, we can't prompt the user for root
> password or something at the point it gets triggered; the system's
> locked up.

Ah, yes. If it's spawning from the X process context, this should be done
already.

> We get the majority of our value out of the apport hook during
> development.  So if you wanted to make debugfs be enabled only during
> release, and switch it off after beta, we could work with that.

Based on the above, it should all Just Work for the GPU case.

-Kees

--
Kees Cook
Ubuntu Security Team


Re: changing perms on /sys/kernel/debug by default

Kees Cook-8
On Tue, Feb 22, 2011 at 03:46:36PM -0800, Kees Cook wrote:

> On Tue, Feb 22, 2011 at 03:37:27PM -0800, Bryce Harrington wrote:
> > On Tue, Feb 22, 2011 at 03:16:39PM -0800, Kees Cook wrote:
> > > While I'd like to just not compile debugfs into the Ubuntu kernels at all,
> > > it seems that there is a fair bit of push-back on this idea. Instead, the
> > > dangerous /sys/kernel/debug/acpi/custom_method interface has been removed
> > > as the most problematic of all the interfaces (it allows writing arbitrary
> > > kernel memory, bypassing /dev/kmem, /dev/mem, and module restrictions).
> > >
> > > Since debugfs should not be required for a production system[1], I'd like
> > > to remove it from mountall's default fstab. To get there, the first step is
> > > to make /sys/kernel/debug only accessible by the root user. Unfortunately,
> > > it does not take a "mode=" mount option like tmpfs does, so mountall has
> > > been adjusted[2] to set the mode after mounting instead.
> > >
> > >  - intel_gpu_dump
> > >     Manpage states it should only be run as root.
> > >
> > >  * xserver-xorg-video-intel
> > >     Apport hook (should be updated to use root privs).
> >
> > I believe it does already, no?  It gets triggered by the kernel via an
> > upstart hook.
> >
> > Due to the nature of GPU lockups, we can't prompt the user for root
> > password or something at the point it gets triggered; the system's
> > locked up.
>
> Ah, yes. If it's spawning from the X process context, this should be done
> already.
>
> > We get the majority of our value out of the apport hook during
> > development.  So if you wanted to make debugfs be enabled only during
> > release, and switch it off after beta, we could work with that.
>
> Based on the above, it should all Just Work for the GPU case.

Just to confirm: yes, it should be fine. Bryce pointed out on IRC that this
is called through /lib/udev/rules.d/40-xserver-xorg-video-intel.rules:

SUBSYSTEM=="drm", ACTION=="change", ENV{ERROR}=="1", RUN+="/usr/share/apport/apport-gpu-error-intel.py"

And that's running as root to collect the debugfs bits. Done! :)

-Kees

--
Kees Cook
Ubuntu Security Team


Re: changing perms on /sys/kernel/debug by default

Amit Kucheria-6
On 11 Feb 22, Kees Cook wrote:

> Hi,
>
> While I'd like to just not compile debugfs into the Ubuntu kernels at all,
> it seems that there is a fair bit of push-back on this idea. Instead, the
> dangerous /sys/kernel/debug/acpi/custom_method interface has been removed
> as the most problematic of all the interfaces (it allows writing arbitrary
> kernel memory, bypassing /dev/kmem, /dev/mem, and module restrictions).
>
> Since debugfs should not be required for a production system[1], I'd like
> to remove it from mountall's default fstab. To get there, the first step is
> to make /sys/kernel/debug only accessible by the root user. Unfortunately,
> it does not take a "mode=" mount option like tmpfs does, so mountall has
> been adjusted[2] to set the mode after mounting instead.
>
> In the interests of completeness, here are the tools in main that use
> debugfs, with stuff that needs updating (only Apport hooks) marked with a
> star:
>
>  - intel_gpu_dump
>     Manpage states it should only be run as root.
>
>  - libpcap
>     Only used as root for USB monitoring.
>
>  * mtdev
>     Apport hook (should be updated to use root privs).
>
>  - nmap
>     Only used as root for USB monitoring.
>
>  - ocfs2-tools
>     Only used as root for OCF2 debugging.
>
>  - powertop
>     Only used as root.
 
One more tool,

   - powerdebug
      New tool created for ARM platforms, should be used as root. It reads
      /sys/kernel/debug/clocks on ARM.

Since we use Ubuntu kernel configs as a start and various bits of Ubuntu
userspace, I thought I'd just chime in for the sake of completeness.


--
----------------------------------------------------------------------
Amit Kucheria, Kernel Engineer || [hidden email]
----------------------------------------------------------------------
