From mboxrd@z Thu Jan 1 00:00:00 1970
From: Greg KH
Subject: Re: [PATCH V31 25/25] debugfs: Disable open() when kernel is locked down
Date: Thu, 28 Mar 2019 03:29:47 +0900
Message-ID: <20190327182947.GA9371@kroah.com>
References: <20190326182742.16950-1-matthewgarrett@google.com>
 <20190326182742.16950-26-matthewgarrett@google.com>
 <20190327003057.GA27311@kroah.com>
 <20190327050615.GA548@kroah.com>
 <16124107-70D3-4CA0-9766-36FC6DC10128@amacapital.net>
 <20190327053342.GA17484@kroah.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path:
Content-Disposition: inline
In-Reply-To:
Sender: linux-kernel-owner@vger.kernel.org
To: Matthew Garrett
Cc: Andy Lutomirski, James Morris, LSM List, LKML, David Howells, Linux API
List-Id: linux-api@vger.kernel.org

On Wed, Mar 27, 2019 at 10:42:18AM -0700, Matthew Garrett wrote:
> On Wed, Mar 27, 2019 at 10:40 AM Andy Lutomirski wrote:
> > As far as I'm concerned, preventing root from crashing the system
> > should not be a design goal of lockdown at all. And I think that the
> > "integrity" mode should be as non-annoying as possible, so I think we
> > should allow reading from debugfs.
>
> I have no horse in this game - I'm happy to bring back the previous
> approach for integrity mode and block reads entirely in
> confidentiality mode, but I'd rather not spend another release cycle
> arguing about it.

I really do not care either way about any of this :)

greg k-h