On Fri, Apr 7, 2017 at 3:50 PM, David Howells <dhowells@xxxxxxxxxx> wrote:
> Andy Shevchenko <andy.shevchenko@xxxxxxxxx> wrote:
>
>> > From: Matthew Garrett <matthew.garrett@xxxxxxxxxx>
>> >
>> > We have no way of validating what all of the Asus WMI methods do on a given
>> > machine - and there's a risk that some will allow hardware state to be
>> > manipulated in such a way that arbitrary code can be executed in the
>> > kernel, circumventing module loading restrictions. Prevent that if the
>> > kernel is locked down.
>>
>> > + if (kernel_is_locked_down())
>> > + return -EPERM;
>>
>> It looks a bit fragile when responsibility of whatever reasons kernel
>> can't serve become a driver burden.
>> Can we fix this in debugfs framework instead?
>
> Fix it with debugfs how? We can't offload the decision to userspace.

I mean to do at least similar like you have done for module parameters.
So, instead of putting above code to each attribute in question make a
special (marked) attribute instead and debugfs framework will know how
to deal with that.

--
With Best Regards,
Andy Shevchenko
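
Review bot: the added `if (kernel_is_locked_down()) return -EPERM;` carries no comment saying what it guards or why, and the quoted lines do not show which handler it lands in. A one-line comment above the check that ties it to the commit message's rationale (Asus WMI methods that cannot be validated and may manipulate hardware state) would make the intent clear to the next reader of the driver. If the same two lines end up repeated in several attribute handlers, a single shared helper would keep the checks from drifting apart, which is the fragility raised in the reply.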
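
The "marked attribute" idea from the reply above, sketched as a userspace model. This is an added example, not code from the patch or from the kernel: `framework_write`, `ATTR_LOCKDOWN_SENSITIVE`, `struct dbg_attr` and the attribute names are hypothetical, and the `locked_down` flag stands in for `kernel_is_locked_down()`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only: none of these names are real debugfs symbols. */
static bool locked_down;             /* stands in for kernel_is_locked_down() */
#define ATTR_LOCKDOWN_SENSITIVE 0x1u /* hypothetical "marked" attribute flag */

struct dbg_attr {
    const char *name;
    unsigned int flags;
    int (*write)(unsigned long val); /* driver handler, carries no policy */
};

/* Driver handlers (constructed): they do the work and never test lockdown. */
static unsigned long last_hw_call;
static int write_hw_call(unsigned long v) { last_hw_call = v; return 0; }
static int write_log_level(unsigned long v) { (void)v; return 0; }

static const struct dbg_attr attrs[] = {
    { "hw_call",   ATTR_LOCKDOWN_SENSITIVE, write_hw_call },   /* reaches firmware */
    { "log_level", 0,                       write_log_level }, /* harmless tunable */
};

/* Framework entry point: the one place where the lockdown policy lives. */
int framework_write(const char *name, unsigned long val)
{
    for (size_t i = 0; i < sizeof(attrs) / sizeof(attrs[0]); i++) {
        if (strcmp(attrs[i].name, name) != 0)
            continue;
        if ((attrs[i].flags & ATTR_LOCKDOWN_SENSITIVE) && locked_down)
            return -EPERM;           /* refused before the driver handler runs */
        return attrs[i].write(val);
    }
    return -ENOENT;
}

void set_locked_down(bool on) { locked_down = on; }
unsigned long get_last_hw_call(void) { return last_hw_call; }

int main(void)
{
    set_locked_down(true);
    printf("hw_call   -> %d\n", framework_write("hw_call", 1));
    printf("log_level -> %d\n", framework_write("log_level", 1));
    return 0;
}
```

A driver author here only sets the flag when declaring the attribute; forgetting the flag is still possible, but the check itself cannot be omitted or written differently in individual handlers.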