28 lines
965 B
Diff
From: Ben Hutchings <ben@decadent.org.uk>
Subject: debugfs: Set default mode to 700
Bug-Debian: http://bugs.debian.org/681418

As discussed here
<http://lists.linux-foundation.org/pipermail/ksummit-2012-discuss/2012-July/000891.html>.

Mounting of debugfs is a significant security liability, but there are
applications that depend on some interfaces based on debugfs and they
(or their packages) will mount it automatically anyway.

Setting the default mode for the debugfs root to 700 (accessible
to root only) should leave it functional, since most such applications
will require root anyway, and users can override it to relax
permissions if they really don't care about the security problems.

--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -28,7 +28,7 @@
#include <linux/magic.h>
#include <linux/slab.h>
-#define DEBUGFS_DEFAULT_MODE 0755
+#define DEBUGFS_DEFAULT_MODE 0700
static struct vfsmount *debugfs_mount;
static int debugfs_mount_count;
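
Review bot: the new `#define DEBUGFS_DEFAULT_MODE 0700` line carries no comment saying why the debugfs root is root-only, and the commit message says users can override the mode without saying how. Add a short comment above the define giving the reason stated in the message (a mounted debugfs is a security liability), and name the override mechanism in the message so an administrator who needs wider access knows what to set. The message also only says 0700 "should leave it functional"; listing which debugfs-dependent applications were checked would make that claim reviewable.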