* Masami Hiramatsu mhiramat@kernel.org wrote:
Since the blacklist file indicates a sensitive address information to reader, it should be restricted to the root user.
Suggested-by: Thomas Richter tmricht@linux.ibm.com
Signed-off-by: Masami Hiramatsu mhiramat@kernel.org
kernel/kprobes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/kprobes.c b/kernel/kprobes.c index ea619021d901..51096eece801 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -2621,7 +2621,7 @@ static int __init debugfs_kprobe_init(void) if (!file) goto error;
- file = debugfs_create_file("blacklist", 0444, dir, NULL,
- file = debugfs_create_file("blacklist", 0400, dir, NULL, &debugfs_kprobe_blacklist_ops); if (!file) goto error;
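Review bot: the 0400 mode in this hunk restricts only the 'blacklist' file, while the 'list' file created by the same debugfs_kprobe_init() (0444 in the directory listing further down) exposes the same kind of kernel address information, and the kprobes directory itself remains world-readable; apply the same restriction to the 'list' file, e.g. `debugfs_create_file("list", 0400, dir, NULL, ...)`, and consider the directory mode as well. Separately, the hunk as quoted shows two '-' lines and no '+' line for the 0400 replacement, which looks like a quoting or extraction artifact worth checking against the original patch before it is applied.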
Note that in a typical Linux distro debugfs is already root-only:
fomalhaut:~> ls -ld /sys/kernel/debug
drwx------ 28 root root 0 Apr 23 08:55 /sys/kernel/debug
but this change might make sense if debugfs is mounted in some other fashion.
But the patch looks incomplete, 'blacklist' is not the only world-readable file in the kprobes hierarchy. The kprobes directory itself, and the 'list' file is readable as well:
[root@fomalhaut ~]# ls -ld /sys/kernel/debug/kprobes
drwxr-xr-x 2 root root 0 Apr 23 08:55 /sys/kernel/debug/kprobes
[root@fomalhaut ~]# ls -l /sys/kernel/debug/kprobes/
-r--r--r-- 1 root root 0 Apr 23 08:55 blacklist
-rw------- 1 root root 0 Apr 23 08:55 enabled
-r--r--r-- 1 root root 0 Apr 23 08:55 list
So not just the blacklist should be 400 but 'list' as well, and the main kprobes directory as well.
Thanks,
Ingo
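The check Ingo performs by hand above, listing which entries of the kprobes debugfs directory are readable by users other than root, can be scripted so it can be re-run after the patch (or on a system where debugfs is mounted with non-default permissions). The script below is an added example and is not part of this thread or of the kernel tree; it assumes only that the directory to audit is passed as an argument (defaulting to /sys/kernel/debug/kprobes) and that `find` supports the POSIX `-perm -004` test for the "other-readable" bit.

```shell
#!/bin/sh
# Audit a directory tree (by default the kprobes debugfs directory from the
# thread) for entries whose mode grants read permission to "other".
# Added example; path and function names are this script's own assumptions.

list_world_readable() {
    # $1: directory to audit. Prints every entry, including the directory
    # itself, whose mode has the other-read bit (0004) set. Mode bits are
    # checked directly, so the result is the same whether or not we are root.
    find "$1" -perm -004 | sort
}

count_world_readable() {
    # Number of other-readable entries under $1 (0 means the tree is
    # restricted the way the patch review asks for).
    list_world_readable "$1" | wc -l | tr -d ' '
}

main() {
    dir="${1:-/sys/kernel/debug/kprobes}"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir (debugfs not mounted, or not root?)" >&2
        exit 2
    fi
    n=$(count_world_readable "$dir")
    echo "world-readable entries under $dir: $n"
    list_world_readable "$dir"
    # Non-zero exit makes the script usable from a hardening checklist.
    [ "$n" -eq 0 ]
}

# Only run the audit when a directory is given on the command line, so the
# functions above can also be sourced from another script.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

On the listing Ingo shows (directory 0755, blacklist 0444, enabled 0600, list 0444) the script reports three world-readable entries; with blacklist and list at 0400 and the directory at 0700 it reports none and exits 0.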