[kernel] r19963 - dists/sid/linux/debian/patches/debian

Ben Hutchings benh at alioth.debian.org
Mon Apr 1 00:55:44 UTC 2013


Author: benh
Date: Mon Apr  1 00:55:44 2013
New Revision: 19963

Log:
Use upstream version of debugfs mode change, which corrects the documentation

Modified:
   dists/sid/linux/debian/patches/debian/debugfs-set-default-mode-to-700.patch

Modified: dists/sid/linux/debian/patches/debian/debugfs-set-default-mode-to-700.patch
==============================================================================
--- dists/sid/linux/debian/patches/debian/debugfs-set-default-mode-to-700.patch	Sun Mar 31 23:47:47 2013	(r19962)
+++ dists/sid/linux/debian/patches/debian/debugfs-set-default-mode-to-700.patch	Mon Apr  1 00:55:44 2013	(r19963)
@@ -1,19 +1,38 @@
-From: Ben Hutchings <ben at decadent.org.uk>
-Subject: debugfs: Set default mode to 700
+From: Kees Cook <keescook at chromium.org>
+Date: Mon, 27 Aug 2012 13:32:15 -0700
+Subject: debugfs: more tightly restrict default mount mode
 Bug-Debian: http://bugs.debian.org/681418
 
-As discussed here
-<http://lists.linux-foundation.org/pipermail/ksummit-2012-discuss/2012-July/000891.html>.
+commit 82aceae4f0d42f03d9ad7d1e90389e731153898f upstream.
 
-Mounting of debugfs is a significant security liability, but there are
-applications that depend on some interfaces based on debugfs and they
-(or their packages) will mount it automatically anyway.
+Since the debugfs is mostly only used by root, make the default mount
+mode 0700. Most system owners do not need a more permissive value,
+but they can choose to weaken the restrictions via their fstab.
 
-Setting the default mode for the debugfs root to 700 (accessible
-to root only) should leave it functional, since most such applications
-will require root anyway, and users can override it to relax
-permissions if they really don't care about the security problems.
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ Documentation/filesystems/debugfs.txt |    4 ++--
+ fs/debugfs/inode.c                    |    2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
 
+diff --git a/Documentation/filesystems/debugfs.txt b/Documentation/filesystems/debugfs.txt
+index 7a34f82..3a863f6 100644
+--- a/Documentation/filesystems/debugfs.txt
++++ b/Documentation/filesystems/debugfs.txt
+@@ -15,8 +15,8 @@ Debugfs is typically mounted with a command like:
+     mount -t debugfs none /sys/kernel/debug
+ 
+ (Or an equivalent /etc/fstab line).
+-The debugfs root directory is accessible by anyone by default. To
+-restrict access to the tree the "uid", "gid" and "mode" mount
++The debugfs root directory is accessible only to the root user by
++default. To change access to the tree the "uid", "gid" and "mode" mount
+ options can be used.
+ 
+ Note that the debugfs API is exported GPL-only to modules.
+diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
+index 2c9fafb..6393fd6 100644
 --- a/fs/debugfs/inode.c
 +++ b/fs/debugfs/inode.c
 @@ -28,7 +28,7 @@
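Review bot: The header at the top of this hunk now marks the patch as a backport ("commit 82aceae4f0d42f03d9ad7d1e90389e731153898f upstream."), yet the file keeps its old name and its place under debian/patches/debian/, which reads as a Debian-only change. Consider moving it next to the other upstream backports so it is clearly droppable once the base kernel contains that commit. The new header also drops the link to the ksummit-2012-discuss thread and the sentence calling a mounted debugfs "a significant security liability". Bug-Debian is kept, so the rationale is still reachable, but one line in the header would preserve why the default was tightened. Note too that the "mode" mount option described in the debugfs.txt hunk still overrides the new default, so any fstab entry or package that mounts debugfs with an explicit mode is unaffected by this change. The fs/debugfs/inode.c part is cut off here after "@@ -28,7 +28,7 @@", so the mode constant itself cannot be checked against the "accessible only to the root user" wording from what is shown.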


