* Remount of debugfs succeeded even if mount() system call fails
@ 2015-12-29 11:58 Dmitry Smirnov
2015-12-31 4:11 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Dmitry Smirnov @ 2015-12-29 11:58 UTC (permalink / raw)
To: linux-fsdevel
Hi,
I've recently faced an issue when the debugfs was remounted read-only
despite the system call fails with EACCESS error.
Here are the details.
1. The issue is found on android with kernel 3.4.0
2. debugfs is already mounted by init on boot (per the init.rc) in
read-write mode
3. SELinux rules does not allow an application to mount a debugfs
4. Application is using /system/bin/mount (which implements a mount
command-line utility) to do the mount:
system("/system/bin/mount -t debugfs none /sys/kernel/debug");
5. The mount utility logic is to try read-only mount if read-write
fails with EACCESS.
6. This second system call also fails with EACCESS, but debugfs can
sometimes be remounted read-only!
Note: is looks like read-only remounting sometimes fails in
do_remount_sb() with EBUSY error which is ignored by mount_single. But
do_remount_sb() can also succeed (!) and I suppose this is some race
condition.
In any case, system call fails with EACCESS (and SELinux error
message) which is returned by security_sb_kern_mount in mount_fs() but
AFTER the attempt to remount read-only!
I've briefly searched the latest kernel sources but did not find any
change that could fix this issue.
Is this a security issue?
WBR,
Dmitry
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Remount of debugfs succeeded even if mount() system call fails
2015-12-29 11:58 Remount of debugfs succeeded even if mount() system call fails Dmitry Smirnov
@ 2015-12-31 4:11 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2015-12-31 4:11 UTC (permalink / raw)
To: Dmitry Smirnov; +Cc: linux-fsdevel
On Tue, Dec 29, 2015 at 02:58:34PM +0300, Dmitry Smirnov wrote:
> Hi,
>
> I've recently faced an issue when the debugfs was remounted read-only
> despite the system call fails with EACCESS error.
>
> Here are the details.
> 1. The issue is found on android with kernel 3.4.0
A "clean" 3.4.0 kernel? Or a hacked up vendor-specific one?
Also note that 3.4.0 is _very_ old, please try to reproduce this on a
kernel that we can actually help out with, like 4.4-rc or at the worst,
4.3.
> 2. debugfs is already mounted by init on boot (per the init.rc) in
> read-write mode
> 3. SELinux rules does not allow an application to mount a debugfs
> 4. Application is using /system/bin/mount (which implements a mount
> command-line utility) to do the mount:
> system("/system/bin/mount -t debugfs none /sys/kernel/debug");
> 5. The mount utility logic is to try read-only mount if read-write
> fails with EACCESS.
> 6. This second system call also fails with EACCESS, but debugfs can
> sometimes be remounted read-only!
> Note: is looks like read-only remounting sometimes fails in
> do_remount_sb() with EBUSY error which is ignored by mount_single. But
> do_remount_sb() can also succeed (!) and I suppose this is some race
> condition.
> In any case, system call fails with EACCESS (and SELinux error
> message) which is returned by security_sb_kern_mount in mount_fs() but
> AFTER the attempt to remount read-only!
>
> I've briefly searched the latest kernel sources but did not find any
> change that could fix this issue.
>
> Is this a security issue?
If root is the only thing allowed to read from debugfs, I don't see how
this is a security issue, do you?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-12-31 4:11 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-12-29 11:58 Remount of debugfs succeeded even if mount() system call fails Dmitry Smirnov
2015-12-31 4:11 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).