Re: Remount of debugfs succeeded even if mount() system call fails

[Greg KH <greg@kroah.com>]

On Tue, Dec 29, 2015 at 02:58:34PM +0300, Dmitry Smirnov wrote:
> Hi,
> 
> I've recently faced an issue when the debugfs was remounted read-only
> despite the system call fails with EACCESS error.
> 
> Here are the details.
> 1. The issue is found on android with kernel 3.4.0

A "clean" 3.4.0 kernel?  Or a hacked up vendor-specific one?

Also note that 3.4.0 is _very_ old, please try to reproduce this on a
kernel that we can actually help out with, like 4.4-rc or at the worst,
4.3.

> 2. debugfs is already mounted by init on boot (per the init.rc) in
> read-write mode
> 3. SELinux rules does not allow an application to mount a debugfs
> 4. Application is using /system/bin/mount (which implements a mount
> command-line utility) to do the mount:
>   system("/system/bin/mount -t debugfs none /sys/kernel/debug");
> 5. The mount utility logic is to try read-only mount if read-write
> fails with EACCESS.
> 6. This second system call also fails with EACCESS, but debugfs can
> sometimes be remounted read-only!
>     Note: is looks like read-only remounting sometimes fails in
> do_remount_sb() with EBUSY error which is ignored by mount_single. But
> do_remount_sb() can also succeed (!) and I suppose this is some race
> condition.
> In any case, system call fails with EACCESS (and SELinux error
> message) which is returned by security_sb_kern_mount in mount_fs() but
> AFTER the attempt to remount read-only!
> 
> I've briefly searched the latest kernel sources but did not find any
> change that could fix this issue.
> 
> Is this a security issue?

If root is the only thing allowed to read from debugfs, I don't see how
this is a security issue, do you?

thanks,

greg k-h