From: Ben Hutchings <ben@decadent.org.uk>
Subject: debugfs: Set default mode to 700
Bug-Debian: http://bugs.debian.org/681418

As discussed here
<http://lists.linux-foundation.org/pipermail/ksummit-2012-discuss/2012-July/000891.html>.

Mounting of debugfs is a significant security liability, but there are
applications that depend on some interfaces based on debugfs and they
(or their packages) will mount it automatically anyway.

Setting the default mode for the debugfs root to 700 (accessible
to root only) should leave it functional, since most such applications
will require root anyway, and users can override it to relax
permissions if they really don't care about the security problems.

--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -28,7 +28,7 @@
 #include <linux/magic.h>
 #include <linux/slab.h>
 
-#define DEBUGFS_DEFAULT_MODE	0755
+#define DEBUGFS_DEFAULT_MODE	0700
 
 static struct vfsmount *debugfs_mount;
 static int debugfs_mount_count;