debugfs: rules not welcome
Eugene Teo recently posted a request for CVE numbers for 20 separate vulnerabilities involving world-writable files in debugfs and sysfs. Some of the debugfs vulnerabilities would seemingly allow any local user to write arbitrary values into device registers - a situation from which little good can be expected to emerge. Expect yet another set of kernel updates in the near future as these holes are closed and fixes are made available to users.
In response to these vulnerabilities, Kees Cook posted a patch which would cause debugfs to be mounted with root-only access permissions. That way, any future mistakes in debugfs would be inaccessible to nonprivileged users and, thus, would not be a new vulnerability in need of fixing. The patch was not received well; it looks suspiciously like a rule in a land where there are supposed to be no rules. Greg Kroah-Hartman responded:
Kees suggested that these mistakes could keep on happening, and that "no rules" might not be the best approach, but Alan Cox responded:
There is one little problem with the idea of not mounting debugfs on production systems, though: there is useful stuff in that filesystem. At the top of the list must certainly be the control files for perf and ftrace; most of our nice, new tracing infrastructure will not work without debugfs. There are also knobs for tweaking scheduler features, interfaces for the "usbmon" tool, interfaces used by Red Hat's kvm_stat tool, and so on. There is enough useful stuff in debugfs that is it can be found mounted well outside of kernel debugging environments; it has reached the point that Greg challenges the idea that debugfs should not be mounted on production systems:
"No rules" and "mounted on enterprise systems" seems like a bad combination; it would be nice to make things more secure. A number of proposals have been floated to do that, including:
- Teach the checkpatch.pl tool to look for world-writable debugfs
files and complain about them. This step has already been taken; the
version of checkpatch.pl found in 2.6.38 will point out
world-writable files in either debugfs or sysfs.
- Disallow world-writable files in debugfs. A patch has been posted to
this effect; so far, there have been few comments to indicate whether
such a restriction would look too much like a rule for debugfs or not.
- Move generally useful interfaces out of debugfs to a place with a bit less of a wild-west flavor, then leave debugfs unmounted on most systems. This is an idea which makes a lot of sense on the face of it, but it can also run into practical difficulties. Moving interfaces requires possibly cleaning them up, making a stronger commitment to ABI compatibility going forward and, importantly, breaking tools which depend on the current location of those interfaces.
The last concern could be a show stopper; it could force developers to maintain both the old and new interfaces in parallel for some years. Many developers, faced with that sort of task, may just decide to leave the interface where it is. Debugfs is not supposed to have any ABI guarantees, but, as has become clear in the past, such a policy does not necessarily prevent the creation of an ABI which must be maintained going forward.
So debugfs on production systems seems likely to be with us for some time.
Given that, there is no alternative to making it more secure. The
checkpatch.pl change is a good start, but it cannot take the place of
proper code review. Reviewers have a tendency to skip over debugfs code,
but, if that code is to run on important systems, that tendency must be
fought. Debugfs code must uphold the security of the system just like any
other kernel code.
| Index entries for this article | |
|---|---|
| Kernel | Development model/Security issues |
| Kernel | Security/Vulnerabilities |
Posted Feb 24, 2011 8:10 UTC (Thu)
by ajb (subscriber, #9694)
[Link]
Posted Feb 24, 2011 8:50 UTC (Thu)
by johill (subscriber, #25196)
[Link]
The case I'm thinking of is basically
fd = open(debugfs/file)
Posted Feb 24, 2011 16:39 UTC (Thu)
by epa (subscriber, #39769)
[Link] (6 responses)
Posted Feb 25, 2011 0:49 UTC (Fri)
by giraffedata (guest, #1954)
[Link] (5 responses)
Isn't the latter what sysfs and procfs are for?
Posted Feb 25, 2011 7:56 UTC (Fri)
by epa (subscriber, #39769)
[Link] (4 responses)
Posted Feb 25, 2011 9:44 UTC (Fri)
by misiu_mp (guest, #41936)
[Link] (1 responses)
I would like to see some examples of
Posted Feb 28, 2011 17:04 UTC (Mon)
by epa (subscriber, #39769)
[Link]
It might be a useful thing to see how many times the frobfs code calls frob_inode(). Essential, even, for performance tuning on large systems. But the frobfs developers want to have freedom to change their code to get rid of the frob_inode() call without breaking backwards compatibility. So there must be a way to label this stuff as usable in production, but not guaranteed to be there in future kernel versions.
In general any kind of instrumentation that works based on the kernel's internal data structures or control flow is useful to see but not a part of its API.
Posted Feb 26, 2011 3:01 UTC (Sat)
by foom (subscriber, #14868)
[Link]
Posted Mar 8, 2011 9:40 UTC (Tue)
by robbe (guest, #16131)
[Link]
Actually, I don't see the big problem. If you deem /debugfs/foo/{bar,baz} such production interfaces, why not move them to /sysfs/.../foo/{bar,baz} and provide the compatibility via a symlink? Is that really a maintenance burden?
I'd really like a mirror policy for phasing out ABI. I.e. if an interface has been in the kernel for X releases and Y years when it goes on the deprecation list, it can be removed after another X releases or Y years (whichever is greater).
Posted Feb 25, 2011 0:01 UTC (Fri)
by keybuk (guest, #18473)
[Link]
Posted Feb 25, 2011 19:30 UTC (Fri)
by dmk (guest, #50141)
[Link]
something like
?
Posted Mar 3, 2011 15:53 UTC (Thu)
by mikachu (guest, #5333)
[Link] (1 responses)
There is something incredibly oxymoronic about not wanting to move an interface for fear of breaking ABI compatibility for fear of not being able to break ABI compatilibity.
Posted Mar 5, 2011 1:35 UTC (Sat)
by foom (subscriber, #14868)
[Link]
debugfs: rules not welcome
debugfs: rules not welcome
<wait, while doing something that causes that file to disappear, like unplugging HW>
read(fd) / write(fd) [depending on your access]
Developers versus administrators
Developers versus administrators
It needs to split into a pure 'debugfs' (which contains stuff of interest to kernel developers only, has no rules, and should never be mounted on production systems) and a new 'diagfs' for things which might be of interest to system administrators.
Developers versus administrators
Developers versus administrators
I understand if features in debugfs are made by the kernel hackers themselves for their own benefit, but if those things become useful to others, they should be "productized".
After all if debugfs is used today with no warranties of compatibility, then whatever uses is will be a burden to maintain and will make the useful stuff
just a niche. Making the useful stuff a solid part of the kernel could open for new possibilities.
"things which are useful and safe to enable on production systems to fix whatever problems come up today, but need not become supported interfaces to preserve forever".
Developers versus administrators
but if those things become useful to others, they should be "productized".
But that's not the same thing as 'maintained with an unchanging interface for ever after'.
Developers versus administrators
Developers versus administrators
debugfs: rules not welcome
debugfs: rules not welcome
# echo "enable" > /sys/kernel/debugfs/entries/perf
# echo "disable" > /sys/kernel/debugfs/entries/buggy_subsys
# mount -o remount /debugfs
debugfs: rules not welcome
debugfs: rules not welcome