On Mon, Sep 25, 2023 at 7:18 AM Xiubo Li <xiubli@xxxxxxxxxx> wrote:
> I am not sure whether this will make sense. Because the 'debug' under
> '/sys/kernel/' is also only accessible by privileged process.

Not exactly correct. It is by default accessible to processes that have CAP_DAC_OVERRIDE, and additionally it is accessible to (unprivileged) processes running as uid=0 (those two traits usually overlap).

But we don't want to run kernel-exporter as uid=0 and neither do we want to give it CAP_DAC_OVERRIDE; both would be too much, it would affect much more than just (read) access to debugfs.

Instead, we mount debugfs with "gid=X,mode=0710". That way, we can give (unprivileged) processes which are members of a certain group access to debugfs, and we put our kernel-exporter process in that group.

We can use these mount options to change debugfs defaults, but if a debugfs implementor (such as cephfs) decides to override these global debugfs settings by passing stricter file permissions, we can't easily override that. And that is what my patch is about: restore the ability to override debugfs permissions with a mount option, as debugfs was designed.

Max
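
The access cases discussed in this message, as an added example that is not part of the original mail or of any kernel code: a small model of the owner/group/other permission check, walked from the debugfs mount root down to one file. The gid 990, uid 1234 and the two file names are constructed for illustration; only `/sys/kernel/debug`, `gid=X` and `mode=0710` come from the message.

```python
from dataclasses import dataclass

R, X = 4, 1  # read bit, execute/search bit within one permission class

@dataclass(frozen=True)
class Node:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o710

@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset
    cap_dac_override: bool = False

def allowed(node, proc, want):
    """Classic owner/group/other check; exactly one class applies."""
    if proc.cap_dac_override:  # bypasses the read and search checks modelled here
        return True
    if proc.uid == node.uid:
        bits = node.mode >> 6
    elif node.gid in proc.gids:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return ((bits & 7) & want) == want

def first_denied(chain, proc):
    """chain = directories from the mount root down, then the file to read.
    Returns the path of the first component that denies access, or None."""
    *dirs, target = chain
    for d in dirs:
        if not allowed(d, proc, X):
            return d.path
    return None if allowed(target, proc, R) else target.path

# Constructed values: gid 990 stands in for "X", uid 1234 for the exporter.
EXPORTER = Proc(uid=1234, gids=frozenset({990}))
ROOT_NOCAP = Proc(uid=0, gids=frozenset({0}))
DEFAULT_ROOT = Node("/sys/kernel/debug", 0, 0, 0o700)
GROUP_ROOT = Node("/sys/kernel/debug", 0, 990, 0o710)  # gid=990,mode=0710
# Hypothetical files: one readable by the group, one with a stricter mode
# chosen by the subsystem that created it.
GROUP_FILE = Node("/sys/kernel/debug/example_stats", 0, 990, 0o440)
STRICT_FILE = Node("/sys/kernel/debug/example_strict", 0, 0, 0o400)
```

With the group mount the exporter reaches `GROUP_FILE`, but `STRICT_FILE` still denies it, which is the case the message says a mount option alone cannot fix.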