01-28-2011, 02:14 PM
Tim Gardner

removing debugfs

On 01/24/2011 08:57 PM, Kees Cook wrote:
> Hi Tim,
>
> On Mon, Jan 24, 2011 at 07:31:51PM -0700, Tim Gardner wrote:
>> On 01/24/2011 07:19 PM, Kees Cook wrote:
>>> I'd like to remove debugfs completely so it cannot just be trivially
>>> mounted and abused, and to avoid potential future problems.
>>
>> Is this sufficient?
>
> Well, I assume CONFIG_DEBUG_FS=n would be easy to discover, but yeah, that
> would turn it off. That doesn't solve the need that things like ureadahead,
> and the graphics lock-up investigation tool that apport uses. I suspect
> there are more existing users of the debugfs, and it seems like their
> interfaces should be moved somewhere not called "debug".


Kees - I'm not sure what you mean by 'I assume CONFIG_DEBUG_FS=n would
be easy to discover'.


Like Stefan, I'm not quite willing to disable CONFIG_DEBUG_FS across the
board because it can be very useful. Where there are specific
vulnerabilities, such as with acpi, I'm quite willing to either fix 'em
or hack 'em out. In this case just disabling the compile of
drivers/acpi/debugfs.c looks like it'll work.


rtg
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
01-28-2011, 06:48 PM
Kees Cook

removing debugfs

Hi Tim,

On Fri, Jan 28, 2011 at 08:14:48AM -0700, Tim Gardner wrote:
> Like Stefan, I'm not quite willing to disable CONFIG_DEBUG_FS across
> the board because it can be very useful. Where there are specific
> vulnerabilities, such as with acpi, I'm quite willing to either fix
> 'em or hack 'em out. In this case just disabling the compile of
> drivers/acpi/debugfs.c looks like it'll work.

Yup, let's do that for now.

Thanks,

-Kees

--
Kees Cook
Ubuntu Security Team

01-28-2011, 07:53 PM
Tim Gardner

removing debugfs

On 01/28/2011 12:48 PM, Kees Cook wrote:
> Hi Tim,
>
> On Fri, Jan 28, 2011 at 08:14:48AM -0700, Tim Gardner wrote:
>> Like Stefan, I'm not quite willing to disable CONFIG_DEBUG_FS across
>> the board because it can be very useful. Where there are specific
>> vulnerabilities, such as with acpi, I'm quite willing to either fix
>> 'em or hack 'em out. In this case just disabling the compile of
>> drivers/acpi/debugfs.c looks like it'll work.
>
> Yup, let's do that for now.
>
> Thanks,
>
> -Kees


disabled for Natty:

UBUNTU: SAUCE: Disable building the ACPI debugfs source

rtg
--
Tim Gardner tim.gardner@canonical.com
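
The thread distinguishes a kernel built without CONFIG_DEBUG_FS from one where debugfs is built in but simply not mounted, so an audit has to read both the kernel config and the mount table. The script below is an added example, not code from the thread or from Ubuntu; the function names are hypothetical and the sample config and mounts lines are constructed.

```shell
#!/bin/sh
# Added example: report debugfs exposure from a kernel config file and a
# mounts table. On a live system the inputs would typically be
# /boot/config-$(uname -r) and /proc/mounts; paths are arguments so the
# check also works on saved copies.

# Print "enabled", "disabled" or "unknown" for CONFIG_DEBUG_FS.
debugfs_config_state() {
    # A disabled bool option is recorded as "# CONFIG_X is not set".
    if grep -q '^CONFIG_DEBUG_FS=y$' "$1"; then
        echo enabled
    elif grep -q '^# CONFIG_DEBUG_FS is not set$' "$1"; then
        echo disabled
    else
        echo unknown
    fi
}

# Print every mount point whose filesystem type is debugfs, one per line.
debugfs_mounts() {
    # Mount table fields: device mountpoint fstype options dump pass
    awk '$3 == "debugfs" { print $2 }' "$1"
}

# One-line summary. "Built in, not mounted" is reported separately because
# an unmounted debugfs can still be mounted later by root.
debugfs_report() {
    state=$(debugfs_config_state "$1")
    mounts=$(debugfs_mounts "$2" | tr '\n' ' ')
    if [ -n "$mounts" ]; then
        echo "mounted at: ${mounts% }"
    elif [ "$state" = enabled ]; then
        echo "built in, not mounted (root can still mount it)"
    else
        echo "config: $state, not mounted"
    fi
}

# Constructed sample inputs (not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' 'CONFIG_SYSFS=y' 'CONFIG_DEBUG_FS=y' > "$demo_dir/config"
printf '%s\n' 'sysfs /sys sysfs rw,nosuid 0 0' \
    'none /sys/kernel/debug debugfs rw 0 0' > "$demo_dir/mounts"
debugfs_report "$demo_dir/config" "$demo_dir/mounts"
rm -rf "$demo_dir"
```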
