summaryrefslogtreecommitdiffstats
path: root/debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch53
1 files changed, 53 insertions, 0 deletions
diff --git a/debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch b/debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch
new file mode 100644
index 000000000..2dd3fa020
--- /dev/null
+++ b/debian/patches/features/all/lockdown/0024-debugfs-Disallow-use-of-debugfs-files-when-the-kerne.patch
@@ -0,0 +1,53 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 8 Nov 2017 15:11:36 +0000
+Subject: [24/29] debugfs: Disallow use of debugfs files when the kernel is
+ locked down
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit?id=118cc5e1c27e1a75640cf2379c1299e12791063e
+
+Disallow opening of debugfs files when the kernel is locked down as various
+drivers give raw access to hardware through debugfs.
+
+Accesses to tracefs should use /sys/kernel/tracing/ rather than
+/sys/kernel/debug/tracing/. Possibly a symlink should be emplaced.
+
+Normal device interaction should be done through configfs or a miscdev, not
+debugfs.
+
+Note that this makes it unnecessary to specifically lock down show_dsts(),
+show_devs() and show_call() in the asus-wmi driver.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+cc: acpi4asus-user@lists.sourceforge.net
+cc: platform-driver-x86@vger.kernel.org
+cc: Matthew Garrett <matthew.garrett@nebula.com>
+cc: Thomas Gleixner <tglx@linutronix.de>
+[bwh: Forward-ported to 4.15]
+---
+ fs/debugfs/file.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: linux/fs/debugfs/file.c
+===================================================================
+--- linux.orig/fs/debugfs/file.c
++++ linux/fs/debugfs/file.c
+@@ -142,6 +142,9 @@ static int open_proxy_open(struct inode
+ const struct file_operations *real_fops = NULL;
+ int r;
+
++ if (kernel_is_locked_down("debugfs"))
++ return -EPERM;
++
+ r = debugfs_file_get(dentry);
+ if (r)
+ return r == -EIO ? -ENOENT : r;
+@@ -267,6 +270,9 @@ static int full_proxy_open(struct inode
+ struct file_operations *proxy_fops = NULL;
+ int r;
+
++ if (kernel_is_locked_down("debugfs"))
++ return -EPERM;
++
+ r = debugfs_file_get(dentry);
+ if (r)
+ return r == -EIO ? -ENOENT : r;
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-23 02:57:42 +0000