Hi,

While I'd like to just not compile debugfs into the Ubuntu kernels at all, it seems that there is a fair bit of push-back on this idea. Instead, the dangerous /sys/kernel/debug/acpi/custom_method interface has been removed as the most problematic of all the interfaces (it allows writing arbitrary kernel memory, bypassing /dev/kmem, /dev/mem, and module restrictions).

Since debugfs should not be required for a production system[1], I'd like to remove it from mountall's default fstab. To get there, the first step is to make /sys/kernel/debug only accessible by the root user. Unfortunately, it does not take a "mode=" mount option like tmpfs does, so mountall has been adjusted[2] to set the mode after mounting instead.

In the interests of completeness, here are the tools in main that use debugfs, with stuff that needs updating (only Apport hooks) marked with a star:

 - intel_gpu_dump
   Manpage states it should only be run as root.
 - libpcap
   Only used as root for USB monitoring.
 * mtdev
   Apport hook (should be updated to use root privs).
 - nmap
   Only used as root for USB monitoring.
 - ocfs2-tools
   Only used as root for OCFS2 debugging.
 - powertop
   Only used as root.
 - qemu-kvm
   kvm_stat has no manpage, seems to be designed as a "vmstat" for kvm. These statistics should likely come from /sys. Running as root seems fine.
 - redhat-cluster
   Only used as root.
 - ureadahead
   Runs as root, but this tool already uses /var/lib/ureadahead/debugfs if the other path is missing. I've changed[3] the permissions on this so that normal users cannot see the mountpoint.
 - usbutils
   Uses /dev/bus/usb for "lsusb", but "usb-devices" wants debugfs. This information should not come out of debugfs. Requiring root seems okay.
 * utouch-geis
   Apport hook (should be updated to use root privs).
 * xserver-xorg-video-intel
   Apport hook (should be updated to use root privs).
 - blktrace
   Only used as root.

Thanks,

-Kees

[1] https://lkml.org/lkml/2011/2/22/372
[2] https://lists.ubuntu.com/archives/natty-changes/2011-February/008110.html
[3] https://lists.ubuntu.com/archives/natty-changes/2011-February/008100.html

--
Kees Cook
Ubuntu Security Team
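
An added example, not part of the original message and not mountall's code: a small audit that checks whether each debugfs mount is restricted to root, as the message describes, and whether the custom_method file is still present. It assumes the target state is a root-owned mountpoint with no group/other permission bits; the function names are hypothetical.

```python
import os
import re
import stat

def debugfs_mountpoints(mounts_text):
    """Mountpoints of every debugfs entry in /proc/mounts-format text."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "debugfs":
            # The kernel writes space, tab, newline and backslash as \ooo octal.
            points.append(re.sub(r"\\([0-7]{3})",
                                 lambda m: chr(int(m.group(1), 8)), fields[1]))
    return points

def audit(mounts_text, stat_fn=os.stat):
    """Return (path, problem) pairs for debugfs exposure to non-root users."""
    findings = []
    for mp in debugfs_mountpoints(mounts_text):
        try:
            st = stat_fn(mp)
        except OSError as exc:
            findings.append((mp, "cannot stat: %s" % exc.strerror))
            continue
        # Assumed target state: owned by root, no group/other access bits.
        if st.st_uid != 0:
            findings.append((mp, "owner uid %d is not root" % st.st_uid))
        extra = stat.S_IMODE(st.st_mode) & 0o077
        if extra:
            findings.append((mp, "group/other bits set: %04o" % extra))
        # Only visible to a caller that can traverse the mountpoint, so run
        # the audit as root for this part to be meaningful.
        method = os.path.join(mp, "acpi", "custom_method")
        try:
            stat_fn(method)
            findings.append((method, "custom_method interface present"))
        except OSError:
            pass
    return findings

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        results = audit(fh.read())
    for path, problem in results:
        print("%s: %s" % (path, problem))
    raise SystemExit(1 if results else 0)
```

Run as root, it exits non-zero when any debugfs mount is reachable by non-root users or still carries custom_method.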