On Tue, Feb 22, 2011 at 03:46:36PM -0800, Kees Cook wrote:
> On Tue, Feb 22, 2011 at 03:37:27PM -0800, Bryce Harrington wrote:
> > On Tue, Feb 22, 2011 at 03:16:39PM -0800, Kees Cook wrote:
> > > While I'd like to just not compile debugfs into the Ubuntu kernels at all,
> > > it seems that there is a fair bit of push-back on this idea. Instead, the
> > > dangerous /sys/kernel/debug/acpi/custom_method interface has been removed
> > > as the most problematic of all the interfaces (it allows writing arbitrary
> > > kernel memory, bypassing /dev/kmem, /dev/mem, and module restrictions).
> > >
> > > Since debugfs should not be required for a production system[1], I'd like
> > > to remove it from mountall's default fstab. To get there, the first step is
> > > to make /sys/kernel/debug only accessible by the root user. Unfortunately,
> > > it does not take a "mode=" mount option like tmpfs does, so mountall has
> > > been adjusted[2] to set the mode after mounting instead.
> > >
> > > - intel_gpu_dump
> > >     Manpage states it should only be run as root.
> > >
> > > * xserver-xorg-video-intel
> > >     Apport hook (should be updated to use root privs).
> >
> > I believe it does already, no? It gets triggered by the kernel via an
> > upstart hook.
> >
> > Due to the nature of GPU lockups, we can't prompt the user for root
> > password or something at the point it gets triggered; the system's
> > locked up.
>
> Ah, yes. If it's spawning from the X process context, this should be done
> already.
>
> > We get the majority of our value out of the apport hook during
> > development. So if you wanted to make debugfs be enabled only during
> > release, and switch it off after beta, we could work with that.
>
> Based on the above, it should all Just Work for the GPU case.

Just to confirm; yes it should be fine. Bryce pointed out on IRC that this
is called through /lib/udev/rules.d/40-xserver-xorg-video-intel.rules:

SUBSYSTEM=="drm", ACTION=="change", ENV{ERROR}=="1", RUN+="/usr/share/apport/apport-gpu-error-intel.py"

And that's running as root to collect the debugfs bits. Done! :)

-Kees

-- 
Kees Cook
Ubuntu Security Team
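
A check for the end state the thread describes (every debugfs mount point accessible only by root), added here as an example; it is not part of the original message and is not mountall's code. The function names and the sample mount table are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = r"""proc /proc proc rw,nosuid,nodev,noexec 0 0
none /sys/kernel/debug debugfs rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,mode=755 0 0
none /mnt/debug\040copy debugfs rw,relatime 0 0
"""

def debugfs_mountpoints(mounts_text):
    """Return every mount point whose filesystem type is debugfs."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "debugfs":
            # The kernel writes space, tab, newline and backslash in paths
            # as 3-digit octal escapes (e.g. \040); decode them.
            points.append(re.sub(r"\\([0-7]{3})",
                                 lambda m: chr(int(m.group(1), 8)), fields[1]))
    return points

def access_findings(path, owner_uid=0):
    """List reasons why `path` is not restricted to `owner_uid` alone."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != owner_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    if mode & 0o077:
        findings.append("mode %04o grants group/other access" % mode)
    return findings

if __name__ == "__main__":
    # Audit the live system: a debugfs that was mounted and never had its
    # mode tightened afterwards shows up here.
    with open("/proc/mounts") as f:
        for mp in debugfs_mountpoints(f.read()):
            try:
                problems = access_findings(mp)
            except OSError as e:  # e.g. mount point not visible to this process
                problems = ["cannot stat: %s" % e]
            print(mp, "OK" if not problems else "; ".join(problems))
```

Because debugfs can be mounted more than once, the check walks the whole mount table instead of testing only /sys/kernel/debug.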