From: "Theodore Ts'o" <tytso@mit.edu>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: Kees Cook <keescook@chromium.org>,
linux-kernel@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Rob Landley <rob@landley.net>, Al Viro <viro@zeniv.linux.org.uk>,
Ludwig Nussel <ludwig.nussel@suse.de>,
Alessandro Rubini <rubini@gnudd.com>,
linux-doc@vger.kernel.org
Subject: Re: Hardening debugfs (Was Re: [PATCH] debugfs: more tightly restrict default mount mode)
Date: Tue, 28 Aug 2012 11:02:15 -0400
Message-ID: <20120828150215.GB23035@thunk.org>
In-Reply-To: <1346165758.15747.7.camel@deadeye.wl.decadent.org.uk>
On Tue, Aug 28, 2012 at 07:55:58AM -0700, Ben Hutchings wrote:
>
> The problems are apparently larger than specific modules:
> http://lists.linux-foundation.org/pipermail/ksummit-2012-discuss/2012-July/000894.html
>
Sure, but most of those problems require root access, or physical
access to the hardware.  And a number of the "can oops the kernel"
assume a module disappears out from under the open file descriptor, so
(a) that's a problem that can be fixed, and (b) if we can suppress a
random device driver from having its debugfs directory appear by
default, it certainly helps things.
- Ted