Re: [PATCH V2] debugfs: allow access relay files in lockdown mode

[Paul Moore]

On Mon, Apr 17, 2023 at 4:39 PM Nathan Lynch <nathanl@xxxxxxxxxxxxx> wrote:
> Junxiao Bi <junxiao.bi@xxxxxxxxxx> writes:
> > Relay files are used by kernel to transfer information to userspace, these
> > files have permission 0400, but mmap is supported, so they are blocked by
> > lockdown. But since kernel just generates the contents of those files while
> > not reading it, it is saft to access relay files in lockdown mode.
> >
> > With this, blktrace can work well in lockdown mode.
>
> Assuming that all relay users do not expose the kinds of information
> that confidentiality mode tries to restrict, this change seems OK to
> me. I think that assumption applies to blktrace; apart from that, there
> is a handful of drivers that use relay files (I searched for
> relay_open() call sites, maybe there is a better way).

At the very least I see an Intel graphics driver and some network
drivers, but like you, that was a quick search and I'm probably
missing something.  At the very least someone needs to go audit those
users/drivers to ensure this is safe to merge.

However, regardless of what that code audit may turn up, I'm a little
concerned that it would be all too easy to add a new relay interface
user which isn't safe.  The check in debugfs_locked_down() is far too
removed from the code which is using the relay interface for it to be
likely noticed in a future case where an unsafe user is added.  This
looks like a vulnerability waiting to happen.

-- 
paul-moore.com