* Masami Hiramatsu <mhiramat@xxxxxxxxxx> wrote: > Since the blacklist file indicates a sensitive address > information to reader, it should be restricted to the > root user. > > Suggested-by: Thomas Richter <tmricht@xxxxxxxxxxxxx> > Signed-off-by: Masami Hiramatsu <mhiramat@xxxxxxxxxx> > --- > kernel/kprobes.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/kprobes.c b/kernel/kprobes.c > index ea619021d901..51096eece801 100644 > --- a/kernel/kprobes.c > +++ b/kernel/kprobes.c > @@ -2621,7 +2621,7 @@ static int __init debugfs_kprobe_init(void) > if (!file) > goto error; > > - file = debugfs_create_file("blacklist", 0444, dir, NULL, > + file = debugfs_create_file("blacklist", 0400, dir, NULL, > &debugfs_kprobe_blacklist_ops); > if (!file) > goto error; Note that in a typical Linux distro debugfs is already root-only: fomalhaut:~> ls -ld /sys/kernel/debug drwx------ 28 root root 0 Apr 23 08:55 /sys/kernel/debug but this change might make sense if debugfs is mounted in some other fashion. But the patch looks incomplete, 'blacklist' is not the only word-readable file in the kprobes hierarchy. The kprobes directory itself, and the 'list' file is readable as well: [root@fomalhaut ~]# ls -ld /sys/kernel/debug/kprobes drwxr-xr-x 2 root root 0 Apr 23 08:55 /sys/kernel/debug/kprobes [root@fomalhaut ~]# ls -l /sys/kernel/debug/kprobes/ -r--r--r-- 1 root root 0 Apr 23 08:55 blacklist -rw------- 1 root root 0 Apr 23 08:55 enabled -r--r--r-- 1 root root 0 Apr 23 08:55 list So not just the blacklist should be 400 but 'list' as well, and the main kprobes directory as well. Thanks, Ingo