Re: Remount of debugfs succeeded even if mount() system call fails

On Tue, Dec 29, 2015 at 02:58:34PM +0300, Dmitry Smirnov wrote:
> Hi,
> 
> I've recently faced an issue where the debugfs was remounted read-only
> despite the system call failing with an EACCESS error.
> 
> Here are the details.
> 1. The issue is found on Android with kernel 3.4.0

A "clean" 3.4.0 kernel?  Or a hacked up vendor-specific one?

Also note that 3.4.0 is _very_ old, please try to reproduce this on a
kernel that we can actually help out with, like 4.4-rc or at the worst,
4.3.

> 2. debugfs is already mounted by init on boot (per the init.rc) in
> read-write mode
> 3. SELinux rules do not allow an application to mount a debugfs
> 4. Application is using /system/bin/mount (which implements a mount
> command-line utility) to do the mount:
>   system("/system/bin/mount -t debugfs none /sys/kernel/debug");
> 5. The mount utility logic is to try read-only mount if read-write
> fails with EACCESS.
> 6. This second system call also fails with EACCESS, but debugfs can
> sometimes be remounted read-only!
>     Note: it looks like read-only remounting sometimes fails in
> do_remount_sb() with EBUSY error which is ignored by mount_single. But
> do_remount_sb() can also succeed (!) and I suppose this is some race
> condition.
> In any case, system call fails with EACCESS (and SELinux error
> message) which is returned by security_sb_kern_mount in mount_fs() but
> AFTER the attempt to remount read-only!
> 
> I've briefly searched the latest kernel sources but did not find any
> change that could fix this issue.
> 
> Is this a security issue?

If root is the only thing allowed to read from debugfs, I don't see how
this is a security issue, do you?

thanks,

greg k-h
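
A regression check for the behaviour reported in this thread, as an added example that is not part of the original messages or of the kernel sources: it compares two snapshots in /proc/self/mounts format and flags a mount point whose ro/rw state changed although mount() returned an error. The function names and the sample mount tables are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 if `mountpoint` is read-only in `mounts` (/proc/self/mounts format),
 * 0 if read-write, -1 if not listed. The last matching line wins. */
int mount_is_readonly(const char *mounts, const char *mountpoint)
{
    int state = -1;
    for (const char *line = mounts; line && *line; ) {
        char dir[128], opts[256];
        if (sscanf(line, "%*s %127s %*s %255s", dir, opts) == 2 &&
            strcmp(dir, mountpoint) == 0) {
            /* Options are comma separated; match whole "ro"/"rw" tokens only. */
            for (char *tok = strtok(opts, ","); tok; tok = strtok(NULL, ",")) {
                if (strcmp(tok, "ro") == 0) state = 1;
                else if (strcmp(tok, "rw") == 0) state = 0;
            }
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return state;
}

/* A failed mount(2) should leave the mount table untouched. Returns 1 when
 * the call failed (mount_rc != 0) yet the ro/rw state of `mountpoint` differs. */
int changed_despite_failure(const char *before, const char *after,
                            const char *mountpoint, int mount_rc)
{
    return mount_rc != 0 &&
           mount_is_readonly(before, mountpoint) != mount_is_readonly(after, mountpoint);
}

/* Constructed samples, not captured from a device. */
static const char SAMPLE_BEFORE[] =
    "rootfs / rootfs ro,relatime 0 0\n"
    "none /sys/kernel/debug debugfs rw,relatime 0 0\n";
static const char SAMPLE_AFTER[] =
    "rootfs / rootfs ro,relatime 0 0\n"
    "none /sys/kernel/debug debugfs ro,relatime 0 0\n";

int main(void)
{
    int hit = changed_despite_failure(SAMPLE_BEFORE, SAMPLE_AFTER,
                                      "/sys/kernel/debug", -1);
    printf("side effect after failed mount: %s\n", hit ? "yes" : "no");
    return 0;
}
```

In a real test the two snapshots would be read from /proc/self/mounts immediately before and after the mount attempt, and `mount_rc` would be the return value of that attempt.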