From: David Howells Date: Wed, 8 Nov 2017 15:11:36 +0000 Subject: [24/29] debugfs: Disallow use of debugfs files when the kernel is locked down Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=118cc5e1c27e1a75640cf2379c1299e12791063e Disallow opening of debugfs files when the kernel is locked down as various drivers give raw access to hardware through debugfs. Accesses to tracefs should use /sys/kernel/tracing/ rather than /sys/kernel/debug/tracing/. Possibly a symlink should be emplaced. Normal device interaction should be done through configfs or a miscdev, not debugfs. Note that this makes it unnecessary to specifically lock down show_dsts(), show_devs() and show_call() in the asus-wmi driver. Signed-off-by: David Howells cc: Andy Shevchenko cc: acpi4asus-user@lists.sourceforge.net cc: platform-driver-x86@vger.kernel.org cc: Matthew Garrett cc: Thomas Gleixner [bwh: Forward-ported to 4.15] --- fs/debugfs/file.c | 6 ++++++ 1 file changed, 6 insertions(+) Index: linux/fs/debugfs/file.c =================================================================== --- linux.orig/fs/debugfs/file.c +++ linux/fs/debugfs/file.c @@ -142,6 +142,9 @@ static int open_proxy_open(struct inode const struct file_operations *real_fops = NULL; int r; + if (kernel_is_locked_down("debugfs")) + return -EPERM; + r = debugfs_file_get(dentry); if (r) return r == -EIO ? -ENOENT : r; @@ -267,6 +270,9 @@ static int full_proxy_open(struct inode struct file_operations *proxy_fops = NULL; int r; + if (kernel_is_locked_down("debugfs")) + return -EPERM; + r = debugfs_file_get(dentry); if (r) return r == -EIO ? -ENOENT : r;