From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: green@linuxhacker.ru
Cc: devel@driverdev.osuosl.org,
Andreas Dilger <andreas.dilger@intel.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Lustre Development List <lustre-devel@lists.lustre.org>
Subject: [lustre-devel] [PATCH 0/2] Lustre debugfs fixes
Date: Sun, 7 Feb 2016 13:39:16 -0800 [thread overview]
Message-ID: <20160207213916.GA7016@kroah.com> (raw)
In-Reply-To: <1454742111-2231460-1-git-send-email-green@linuxhacker.ru>
On Sat, Feb 06, 2016 at 02:01:49AM -0500, green at linuxhacker.ru wrote:
> From: Oleg Drokin <green@linuxhacker.ru>
>
> These two patches tie some loose ends from the Lustre debugfs conversion,
> but while investigating them I also accumulated some questions
> that would be good to get answers for.
>
> 1. Unlike procfs, debugfs does not really guard your back and if root
> comes in and tries to write to a readonly file (or read a write-only one),
> it's allowed (as are permission changes too) as long as the appropriate write
> (or read) method is provided.
> So apparently there's whole class of bugs related to this, sample
> exhibits are in e.g. acpi_ec_add_debugfs creating a totally noop module
> parameter to control writes that does not really prevent any writes
> (patch submitted separately).
> But also things like wil_debugfs_create_iomem_x32 where when called from
> e.g. wil6210_debugfs_init_offset, some read-only attributed get a generic
> write method that would write straight to hardware registers (who knows
> what would happen when you write there, possibly they are readonly, but
> you are not getting an error).
> At first it looked like an easy way to catch this would be to just check
> for RO/WO mode with write/read handler set, but this is thwarted by
> the simple attribute defines that always assign read and write methods,
> but do the check internally for the get/set method instead.
> But also some fault injection code that sets readonly access on some files,
> but provides a fully functional write method that works as desired.
>
> Would it make sense to redo the simple-attribute framework to easy such
> cases detection (and also update writeable attributes to have permissions
> reflecting this) and have a correspinding kernel debug compile option
> to check for these?
If a developer provides the write hooks for a debugfs file, and
userspace changes the permissions to write to it, why would you prevent
this? Perhaps this is what is intended.
Remember, debugfs is only for debugging stuff, never rely on it for
actual device/system use.
> 2. I noticed we exported some of the presumably GPL-only debugfs
> functionality with plain EXPORT_SYMBOL, so the second patch rectifies this.
Thanks.
> Now, I also see that drm_debugfs_create_files allows anybody to
> insert any debugfs file anywhere and it is a non-gpl EXPORT_SYMBOL as well,
> should it be converted too, or is it sysfs access only that is restricted?
No, these should be as well, a patch for that would be great, thanks.
thanks,
greg k-h
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: green@linuxhacker.ru
Cc: devel@driverdev.osuosl.org,
Andreas Dilger <andreas.dilger@intel.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Lustre Development List <lustre-devel@lists.lustre.org>
Subject: Re: [PATCH 0/2] Lustre debugfs fixes
Date: Sun, 7 Feb 2016 13:39:16 -0800 [thread overview]
Message-ID: <20160207213916.GA7016@kroah.com> (raw)
In-Reply-To: <1454742111-2231460-1-git-send-email-green@linuxhacker.ru>
On Sat, Feb 06, 2016 at 02:01:49AM -0500, green@linuxhacker.ru wrote:
> From: Oleg Drokin <green@linuxhacker.ru>
>
> These two patches tie some loose ends from the Lustre debugfs conversion,
> but while investigating them I also accumulated some questions
> that would be good to get answers for.
>
> 1. Unlike procfs, debugfs does not really guard your back and if root
> comes in and tries to write to a readonly file (or read a write-only one),
> it's allowed (as are permission changes too) as long as the appropriate write
> (or read) method is provided.
> So apparently there's whole class of bugs related to this, sample
> exhibits are in e.g. acpi_ec_add_debugfs creating a totally noop module
> parameter to control writes that does not really prevent any writes
> (patch submitted separately).
> But also things like wil_debugfs_create_iomem_x32 where when called from
> e.g. wil6210_debugfs_init_offset, some read-only attributed get a generic
> write method that would write straight to hardware registers (who knows
> what would happen when you write there, possibly they are readonly, but
> you are not getting an error).
> At first it looked like an easy way to catch this would be to just check
> for RO/WO mode with write/read handler set, but this is thwarted by
> the simple attribute defines that always assign read and write methods,
> but do the check internally for the get/set method instead.
> But also some fault injection code that sets readonly access on some files,
> but provides a fully functional write method that works as desired.
>
> Would it make sense to redo the simple-attribute framework to easy such
> cases detection (and also update writeable attributes to have permissions
> reflecting this) and have a correspinding kernel debug compile option
> to check for these?
If a developer provides the write hooks for a debugfs file, and
userspace changes the permissions to write to it, why would you prevent
this? Perhaps this is what is intended.
Remember, debugfs is only for debugging stuff, never rely on it for
actual device/system use.
> 2. I noticed we exported some of the presumably GPL-only debugfs
> functionality with plain EXPORT_SYMBOL, so the second patch rectifies this.
Thanks.
> Now, I also see that drm_debugfs_create_files allows anybody to
> insert any debugfs file anywhere and it is a non-gpl EXPORT_SYMBOL as well,
> should it be converted too, or is it sysfs access only that is restricted?
No, these should be as well, a patch for that would be great, thanks.
thanks,
greg k-h
next prev parent reply other threads:[~2016-02-07 21:39 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-06 7:01 [lustre-devel] [PATCH 0/2] Lustre debugfs fixes green at linuxhacker.ru
2016-02-06 7:01 ` green
2016-02-06 7:01 ` [lustre-devel] [PATCH 1/2] staging/lustre/libcfs: Properly handle debugfs read- and write-only files green at linuxhacker.ru
2016-02-06 7:01 ` green
2016-02-06 7:01 ` [lustre-devel] [PATCH 2/2] staging/lustre/obdclass: export debugfs functionality for GPL only green at linuxhacker.ru
2016-02-06 7:01 ` green
2016-02-07 21:39 ` Greg Kroah-Hartman [this message]
2016-02-07 21:39 ` [PATCH 0/2] Lustre debugfs fixes Greg Kroah-Hartman
2016-02-07 23:51 ` [lustre-devel] " Oleg Drokin
2016-02-07 23:51 ` Oleg Drokin
2016-02-08 2:14 ` [lustre-devel] " Greg Kroah-Hartman
2016-02-08 2:14 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160207213916.GA7016@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=andreas.dilger@intel.com \
--cc=devel@driverdev.osuosl.org \
--cc=green@linuxhacker.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=lustre-devel@lists.lustre.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.