Commit 4bd1112e authored by Ben Hutchings's avatar Ben Hutchings

Use upstream version of debugfs mode change, which corrects the documentation

svn path=/dists/sid/linux/; revision=19963
parent 22ebd830
From: Ben Hutchings <ben@decadent.org.uk>
Subject: debugfs: Set default mode to 700
From: Kees Cook <keescook@chromium.org>
Date: Mon, 27 Aug 2012 13:32:15 -0700
Subject: debugfs: more tightly restrict default mount mode
Bug-Debian: http://bugs.debian.org/681418
As discussed here
<http://lists.linux-foundation.org/pipermail/ksummit-2012-discuss/2012-July/000891.html>.
commit 82aceae4f0d42f03d9ad7d1e90389e731153898f upstream.
Mounting of debugfs is a significant security liability, but there are
applications that depend on some interfaces based on debugfs and they
(or their packages) will mount it automatically anyway.
Since the debugfs is mostly only used by root, make the default mount
mode 0700. Most system owners do not need a more permissive value,
but they can choose to weaken the restrictions via their fstab.
Setting the default mode for the debugfs root to 700 (accessible
to root only) should leave it functional, since most such applications
will require root anyway, and users can override it to relax
permissions if they really don't care about the security problems.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/filesystems/debugfs.txt | 4 ++--
fs/debugfs/inode.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Documentation/filesystems/debugfs.txt b/Documentation/filesystems/debugfs.txt
index 7a34f82..3a863f6 100644
--- a/Documentation/filesystems/debugfs.txt
+++ b/Documentation/filesystems/debugfs.txt
@@ -15,8 +15,8 @@ Debugfs is typically mounted with a command like:
mount -t debugfs none /sys/kernel/debug
(Or an equivalent /etc/fstab line).
-The debugfs root directory is accessible by anyone by default. To
-restrict access to the tree the "uid", "gid" and "mode" mount
+The debugfs root directory is accessible only to the root user by
+default. To change access to the tree the "uid", "gid" and "mode" mount
options can be used.
Note that the debugfs API is exported GPL-only to modules.
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 2c9fafb..6393fd6 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -28,7 +28,7 @@
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment