Disallow opening of debugfs files when the kernel is locked down as various drivers give raw access to hardware through debugfs.

Accesses to tracefs should use /sys/kernel/tracing/ rather than /sys/kernel/debug/tracing/. Possibly a symlink should be emplaced.

Normal device interaction should be done through configfs or a miscdev, not debugfs.

Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver.

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
cc: Andy Shevchenko <andy.shevchenko@xxxxxxxxx>
cc: acpi4asus-user@xxxxxxxxxxxxxxxxxxxxx
cc: platform-driver-x86@xxxxxxxxxxxxxxx
cc: Matthew Garrett <matthew.garrett@xxxxxxxxxx>
cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
---
fs/debugfs/file.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 6dabc4a10396..32b5168a7e91 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -103,6 +103,9 @@ static int open_proxy_open(struct inode *inode, struct file *filp) const struct file_operations *real_fops = NULL; int srcu_idx, r; + if (kernel_is_locked_down("debugfs")) + return -EPERM; + r = debugfs_use_file_start(dentry, &srcu_idx); if (r) { r = -ENOENT; @@ -232,6 +235,9 @@ static int full_proxy_open(struct inode *inode, struct file *filp) struct file_operations *proxy_fops = NULL; int srcu_idx, r; + if (kernel_is_locked_down("debugfs")) + return -EPERM; + r = debugfs_use_file_start(dentry, &srcu_idx); if (r) { r = -ENOENT;
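Review bot: in the open_proxy_open hunk the lockdown test sits before debugfs_use_file_start(), so the -EPERM return does not leave an SRCU read-side reference behind; keep that ordering if the check is ever moved. The same two lines are duplicated verbatim in the full_proxy_open hunk below, so consider a small shared helper or a single test in a common path rather than two copies that can drift apart. The commit message should also state that only open() is gated: a descriptor obtained before lockdown took effect keeps working, which is worth saying explicitly given the "raw access to hardware" motivation.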
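Review bot: the full_proxy_open hunk mirrors the first one correctly (check before debugfs_use_file_start(), same -EPERM), but the surrounding documentation has two loose ends. The message says the patch makes the specific lockdown of show_dsts(), show_devs() and show_call() in asus-wmi unnecessary, yet the diffstat touches only fs/debugfs/file.c, so say whether a follow-up removes those checks or they are intentionally left in place. Likewise "Possibly a symlink should be emplaced" for /sys/kernel/debug/tracing/ is an open question, not a decision; either resolve it here or move it out of the commit message so it is not recorded as if settled.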