Hi Lianbo,

On Wed, 10 Nov 2021 14:07:50 +0800
lijiang <lijiang@xxxxxxxxxx> wrote:

> Hi, Philipp
> Thank you for the fix.
>
> > Date: Tue, 9 Nov 2021 14:52:22 +0100
> > From: Philipp Rudo <prudo@xxxxxxxxxx>
> > To: crash-utility@xxxxxxxxxx
> > Subject: [PATCH] Fix live debugging with lockdown=integrity
> > Message-ID: <20211109135222.51636-1-prudo@xxxxxxxxxx>
> >
> > With kernel lockdown the access to kernel interfaces that allow to
> > extract confidential information (lockdown=confidentiality) or modify a
> > running kernel (lockdown=integrity) can be restricted. Two of the
> > interfaces that can be restricted are /dev/mem (integrity &
> > confidentiality) and /proc/kcore (confidentiality). With
> > lockdown=integrity this leads to a situation where /dev/mem exists but
> > is not readable while /proc/kcore exists and is readable. This breaks
> > crash's live debugging when it is invoked without argument, i.e.
> >
> > $ crash
> > [...]
> > crash: /dev/mem: Operation not permitted
> >
> > while passing /proc/kcore as image succeeds. The reason for this is that
> > crash always picks /dev/mem as source when it exists but doesn't check if
> > it is readable. Fix this by only selecting /dev/mem when it is readable.
> >
> > Signed-off-by: Philipp Rudo <prudo@xxxxxxxxxx>
> > ---
> > filesys.c | 2 +-
> > main.c | 2 +-
> > 2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/filesys.c b/filesys.c
> > index 3361b6c..43cbe82 100644
> > --- a/filesys.c
> > +++ b/filesys.c
> > @@ -3666,7 +3666,7 @@ get_live_memory_source(void)
> > if (pc->live_memsrc)
> > goto live_report;
> >
> > - if (file_exists("/dev/mem", NULL))
> > + if (file_readable("/dev/mem"))
> > pc->live_memsrc = "/dev/mem";
> > else if (file_exists("/proc/kcore", NULL)) {
> > pc->flags &= ~DEVMEM;
> > diff --git a/main.c b/main.c
> > index 71c59d2..b278c22 100644
> > --- a/main.c
> > +++ b/main.c
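Review bot: get_live_memory_source() now opens /dev/mem via file_readable() a second time, after setup_environment() in main.c has already done exactly the same probe; because file_readable() has to open the device to answer, a restricted /dev/mem produces one kernel "Lockdown:" line per probe, which is why Lianbo sees the message twice. Consider probing once and reusing the verdict here, for instance by testing what setup_environment() already recorded (it sets pc->readmem = read_dev_mem when the probe succeeds) instead of opening /dev/mem again in this hunk.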
> > @@ -1119,7 +1119,7 @@ setup_environment(int argc, char **argv)
> > pc->flags2 |= REDZONE;
> > pc->confd = -2;
> > pc->machine_type = MACHINE_TYPE;
> > - if (file_exists("/dev/mem", NULL)) { /* defaults until argv[]
> > is parsed */
> > + if (file_readable("/dev/mem")) { /* defaults until argv[] is
> > parsed */
> > pc->readmem = read_dev_mem;
> > pc->writemem = write_dev_mem;
> > } else if (file_exists("/proc/kcore", NULL)) {
> > --
> > 2.31.1
> >
>
> After applying this patch, it works, but redundant information is
> displayed in the crash prompt as below. I marked it twice, is that expected?
>
> [root@testvm crash]# ./crash
> [69580.039885] Lockdown: crash: /dev/mem,kmem,port is restricted; see man
> kernel_lockdown.7
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> crash 7.3.0++
> Copyright (C) 2002-2021 Red Hat, Inc.
> Copyright (C) 2004, 2005, 2006, 2010 IBM Corporation
> Copyright (C) 1999-2006 Hewlett-Packard Co
> Copyright (C) 2005, 2006, 2011, 2012 Fujitsu Limited
> Copyright (C) 2006, 2007 VA Linux Systems Japan K.K.
> Copyright (C) 2005, 2011, 2020-2021 NEC Corporation
> Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc.
> Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc.
> Copyright (C) 2015, 2021 VMware, Inc.
> This program is free software, covered by the GNU General Public License,
> and you are welcome to change it and/or distribute copies of it under
> certain conditions. Enter "help copying" to see the conditions.
> This program has absolutely no warranty. Enter "help warranty" for details.
>
> [69580.662388] Lockdown: crash: /dev/mem,kmem,port is restricted; see man
> kernel_lockdown.7
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> GNU gdb (GDB) 10.2
> ...
> crash>

I assume you are using a serial console as I cannot see the messages when
connecting via ssh. They do appear in dmesg though.
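Review bot: the fallback `} else if (file_exists("/proc/kcore", NULL)) {` in this hunk (and its twin in filesys.c) keeps the existence-only test that the patch drops for /dev/mem, yet the commit message states that /proc/kcore is restricted under lockdown=confidentiality; in that mode crash would still select a source it cannot open, which is the same failure this patch fixes for /dev/mem. Applying file_readable() to /proc/kcore in both places keeps the two sources consistent, and when neither is readable the code should say so explicitly rather than fall through with defaults that will fail at the first read.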
The message is emitted by the kernel every time someone opens /dev/mem (or
one of the other two files). This is done in file_readable as it checks if a
file can be read from by actually opening and reading from it. Unfortunately
I don't see a way around it. At least stat still shows /dev/mem as readable

# stat /dev/mem
[...]
Access: (0640/crw-r-----)  Uid: (    0/    root)   Gid: (    9/    kmem)
[...]

So yes, seeing those messages is expected.

Thanks
Philipp

--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/crash-utility
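The following is an added example, not crash's own code and not posted in this thread, illustrating the point Philipp makes: stat(2) keeps reporting a restricted /dev/mem as 0640 root:kmem, so only an actual open(2) plus read(2) tells you whether the source is usable, and since every open of a restricted file logs a "Lockdown:" line, the probe below caches its verdict so each candidate is opened at most once regardless of how many code paths ask. The memsrc_* names, the open counter, the self-test's temporary files and the "/nonexistent/..." path are all constructed for this example. Run as root on a lockdown=integrity kernel, main() should report /dev/mem as "exists, not readable: Operation not permitted" and /proc/kcore as readable, which is the situation the patch's selection order is meant to handle.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Exists but unreadable" is the lockdown case: stat(2) succeeds and shows
 * the usual mode bits, but open(2) fails with EPERM. */
enum probe { PROBE_UNKNOWN = 0, PROBE_MISSING, PROBE_EXISTS_UNREADABLE, PROBE_READABLE };

struct memsrc {
    const char *path;
    enum probe state;   /* cached verdict, PROBE_UNKNOWN until probed */
    int err;            /* errno of the failing stat/open/read, else 0 */
};

static int memsrc_open_count;   /* open(2) calls issued; on a restricted file
                                   each one costs a kernel "Lockdown:" line */

/* Probe a candidate at most once: existence via stat(2), readability only by
 * opening it and reading one byte, which is the distinction lockdown adds. */
enum probe memsrc_probe(struct memsrc *m)
{
    struct stat st;
    char byte;
    ssize_t n;
    int fd;

    if (m->state != PROBE_UNKNOWN)
        return m->state;                 /* cache hit: no further open() */

    if (stat(m->path, &st) < 0) {
        m->err = errno;
        m->state = PROBE_MISSING;
        return m->state;
    }
    memsrc_open_count++;
    if ((fd = open(m->path, O_RDONLY)) < 0) {
        m->err = errno;                  /* EPERM under lockdown */
        m->state = PROBE_EXISTS_UNREADABLE;
        return m->state;
    }
    n = read(fd, &byte, 1);
    m->err = (n < 0) ? errno : 0;
    close(fd);
    m->state = (n == 1) ? PROBE_READABLE : PROBE_EXISTS_UNREADABLE;
    return m->state;
}

/* First readable candidate in priority order, or NULL when there is none. */
const struct memsrc *memsrc_select(struct memsrc *cands, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (memsrc_probe(&cands[i]) == PROBE_READABLE)
            return &cands[i];
    return NULL;
}

/* Self-check on constructed inputs (no /dev/mem needed): an absent path, an
 * empty temp file and a temp file holding one byte. Returns 0 on success. */
int memsrc_selftest(void)
{
    char empty[] = "/tmp/memsrc-empty-XXXXXX";
    char full[]  = "/tmp/memsrc-full-XXXXXX";
    struct memsrc cands[3] = {
        { "/nonexistent/memsrc-example", PROBE_UNKNOWN, 0 }, /* assumed absent */
        { NULL, PROBE_UNKNOWN, 0 },
        { NULL, PROBE_UNKNOWN, 0 },
    };
    int fd, opens, rc = 1;

    if ((fd = mkstemp(empty)) < 0)
        return 2;
    close(fd);
    if ((fd = mkstemp(full)) < 0 || write(fd, "x", 1) != 1) {
        if (fd >= 0) close(fd);
        unlink(empty);
        return 3;
    }
    close(fd);
    cands[1].path = empty;
    cands[2].path = full;

    memsrc_open_count = 0;
    if (memsrc_select(cands, 3) == &cands[2]          /* only the non-empty file qualifies */
        && cands[0].state == PROBE_MISSING            /* stat() failed, never opened */
        && cands[1].state == PROBE_EXISTS_UNREADABLE  /* read() returned 0 bytes */
        && (opens = memsrc_open_count) == 2
        && memsrc_select(cands, 3) == &cands[2]
        && memsrc_open_count == opens)                /* second pass served from cache */
        rc = 0;

    unlink(empty);
    unlink(full);
    return rc;
}

int main(void)
{
    static const char *const names[] = { "not probed", "missing", "exists, not readable", "readable" };
    struct memsrc live[] = { { "/dev/mem", PROBE_UNKNOWN, 0 }, { "/proc/kcore", PROBE_UNKNOWN, 0 } };
    const struct memsrc *src = memsrc_select(live, 2);

    for (size_t i = 0; i < 2; i++)
        printf("%-12s %s%s%s\n", live[i].path, names[live[i].state],
               live[i].err ? ": " : "", live[i].err ? strerror(live[i].err) : "");
    printf("live memory source: %s\n", src ? src->path : "none");
    return memsrc_selftest();
}
```

Build with `cc -Wall -o memsrc memsrc.c` and run it as root; the self-test runs unprivileged and exercises the cache and the empty-file case only, so it never touches /dev/mem itself.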