Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Tue, 2017-04-18 at 16:30 +0100, David Howells wrote: > Ben Hutchings wrote: > > > So it's generally not going to be OK to turn off debugfs.  There will > > probably need to be a distinction between believed-safe and unsafe > > directories/files. > > Any suggestion on

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Tue, 2017-04-18 at 16:30 +0100, David Howells wrote: > Ben Hutchings wrote: > > > So it's generally not going to be OK to turn off debugfs.  There will > > probably need to be a distinction between believed-safe and unsafe > > directories/files. > > Any suggestion on how to mark this

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

Ben Hutchings wrote: > > Shouldn't this now appear under /sys/kernel/tracing/ ? > > True, but old tracing scripts didn't go away. Conversion to a symlink would fix that. David

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

Ben Hutchings wrote: > > Shouldn't this now appear under /sys/kernel/tracing/ ? > > True, but old tracing scripts didn't go away. Conversion to a symlink would fix that. David

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

Ben Hutchings wrote: > So it's generally not going to be OK to turn off debugfs. There will > probably need to be a distinction between believed-safe and unsafe > directories/files. Any suggestion on how to mark this distinction? I'd prefer not to modify every read/write

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

Ben Hutchings wrote: > So it's generally not going to be OK to turn off debugfs. There will > probably need to be a distinction between believed-safe and unsafe > directories/files. Any suggestion on how to mark this distinction? I'd prefer not to modify every read/write op associated with a

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Tue, 2017-04-18 at 15:55 +0100, David Howells wrote: > Ben Hutchings wrote: > > > - tracing (now tracefs, but it's expected to appear under debugfs) > > Shouldn't this now appear under /sys/kernel/tracing/ ? True, but old tracing scripts didn't go away. Ben. -- Ben

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Tue, 2017-04-18 at 15:55 +0100, David Howells wrote: > Ben Hutchings wrote: > > > - tracing (now tracefs, but it's expected to appear under debugfs) > > Shouldn't this now appear under /sys/kernel/tracing/ ? True, but old tracing scripts didn't go away. Ben. -- Ben Hutchings The world is

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

Ben Hutchings wrote: > - tracing (now tracefs, but it's expected to appear under debugfs) Shouldn't this now appear under /sys/kernel/tracing/ ? David

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

Ben Hutchings wrote: > - tracing (now tracefs, but it's expected to appear under debugfs) Shouldn't this now appear under /sys/kernel/tracing/ ? David

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Tue, 2017-04-18 at 09:06 +0300, Andy Shevchenko wrote: > > On Mon, Apr 10, 2017 at 4:16 PM, David Howells wrote: > > > > Andy Shevchenko wrote: > > > > > > > It looks a bit fragile when responsility of whatever reasons kernel > > > > > can't

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Tue, 2017-04-18 at 09:06 +0300, Andy Shevchenko wrote: > > On Mon, Apr 10, 2017 at 4:16 PM, David Howells wrote: > > > > Andy Shevchenko wrote: > > > > > > > It looks a bit fragile when responsility of whatever reasons kernel > > > > > can't serve become a driver burden. > > > > > Can we fix

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Mon, Apr 10, 2017 at 4:16 PM, David Howells wrote: > Andy Shevchenko wrote: > >> >> It looks a bit fragile when responsility of whatever reasons kernel >> >> can't serve become a driver burden. >> >> Can we fix this in debugfs framework instead?

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Mon, Apr 10, 2017 at 4:16 PM, David Howells wrote: > Andy Shevchenko wrote: > >> >> It looks a bit fragile when responsility of whatever reasons kernel >> >> can't serve become a driver burden. >> >> Can we fix this in debugfs framework instead? >> > >> > Fix it with debugfs how? We can't

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

Andy Shevchenko wrote: > >> It looks a bit fragile when responsility of whatever reasons kernel > >> can't serve become a driver burden. > >> Can we fix this in debugfs framework instead? > > > > Fix it with debugfs how? We can't offload the decision to userspace. >

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

Andy Shevchenko wrote: > >> It looks a bit fragile when responsility of whatever reasons kernel > >> can't serve become a driver burden. > >> Can we fix this in debugfs framework instead? > > > > Fix it with debugfs how? We can't offload the decision to userspace. > > I mean to do at least

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Fri, Apr 7, 2017 at 3:50 PM, David Howells wrote: > Andy Shevchenko wrote: > >> > From: Matthew Garrett >> > >> > We have no way of validating what all of the Asus WMI methods do on a given >> > machine - and there's

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Fri, Apr 7, 2017 at 3:50 PM, David Howells wrote: > Andy Shevchenko wrote: > >> > From: Matthew Garrett >> > >> > We have no way of validating what all of the Asus WMI methods do on a given >> > machine - and there's a risk that some will allow hardware state to be >> > manipulated in such a

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

Andy Shevchenko wrote: > > From: Matthew Garrett > > > > We have no way of validating what all of the Asus WMI methods do on a given > > machine - and there's a risk that some will allow hardware state to be > > manipulated in such a way

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

Andy Shevchenko wrote: > > From: Matthew Garrett > > > > We have no way of validating what all of the Asus WMI methods do on a given > > machine - and there's a risk that some will allow hardware state to be > > manipulated in such a way that arbitrary code can be executed in the > > kernel,

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Wed, Apr 5, 2017 at 11:16 PM, David Howells wrote: > From: Matthew Garrett > > We have no way of validating what all of the Asus WMI methods do on a given > machine - and there's a risk that some will allow hardware state to be > manipulated in

Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

On Wed, Apr 5, 2017 at 11:16 PM, David Howells wrote: > From: Matthew Garrett > > We have no way of validating what all of the Asus WMI methods do on a given > machine - and there's a risk that some will allow hardware state to be > manipulated in such a way that arbitrary code can be executed

[PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

From: Matthew Garrett We have no way of validating what all of the Asus WMI methods do on a given machine - and there's a risk that some will allow hardware state to be manipulated in such a way that arbitrary code can be executed in the kernel, circumventing module

[PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

From: Matthew Garrett We have no way of validating what all of the Asus WMI methods do on a given machine - and there's a risk that some will allow hardware state to be manipulated in such a way that arbitrary code can be executed in the kernel, circumventing module loading restrictions.

[PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

From: Matthew Garrett We have no way of validating what all of the Asus WMI methods do on a given machine - and there's a risk that some will allow hardware state to be manipulated in such a way that arbitrary code can be executed in the kernel, circumventing module

[PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down

From: Matthew Garrett We have no way of validating what all of the Asus WMI methods do on a given machine - and there's a risk that some will allow hardware state to be manipulated in such a way that arbitrary code can be executed in the kernel, circumventing module loading restrictions.