Re: [PATCH V2] debugfs: allow access relay files in lockdown mode

[Junxiao Bi]

On 4/17/23 2:56 PM, Paul Moore wrote:

> On Mon, Apr 17, 2023 at 4:39 PM Nathan Lynch<nathanl@xxxxxxxxxxxxx>  wrote:
> > Junxiao Bi<junxiao.bi@xxxxxxxxxx>  writes:
> > > Relay files are used by kernel to transfer information to userspace, these
> > > files have permission 0400, but mmap is supported, so they are blocked by
> > > lockdown. But since kernel just generates the contents of those files while
> > > not reading it, it is saft to access relay files in lockdown mode.
> > >
> > > With this, blktrace can work well in lockdown mode.
> > Assuming that all relay users do not expose the kinds of information
> > that confidentiality mode tries to restrict, this change seems OK to
> > me. I think that assumption applies to blktrace; apart from that, there
> > is a handful of drivers that use relay files (I searched for
> > relay_open() call sites, maybe there is a better way).
> At the very least I see an Intel graphics driver and some network
> drivers, but like you, that was a quick search and I'm probably
> missing something.  At the very least someone needs to go audit those
> users/drivers to ensure this is safe to merge.
>
> However, regardless of what that code audit may turn up, I'm a little
> concerned that it would be all too easy to add a new relay interface
> user which isn't safe.  The check in debugfs_locked_down() is far too
> removed from the code which is using the relay interface for it to be
> likely noticed in a future case where an unsafe user is added.  This
> looks like a vulnerability waiting to happen.

I got this concern. I will make a new version to limit it to only allow 
blktrace trace files.

Thanks,

Junxiao.