[PATCH 0/2] fs: set root dir perms
Kees Cook
kees.cook at canonical.com
Tue Feb 22 21:09:05 UTC 2011
On Tue, Feb 22, 2011 at 02:01:09PM -0700, Tim Gardner wrote:
> On 02/22/2011 01:29 PM, Kees Cook wrote:
> >On Tue, Feb 22, 2011 at 01:23:57PM -0700, Tim Gardner wrote:
> >>It appears that ureadahead only uses /var/lib/ureadahead/debugfs if
> >>/sys/kernel/debug is not already mounted, so we need to test that
> >>code path.
> >
> >I've confirmed this path -- ureadahead uses it on my system every time.
> >
> >>What package mounts debugfs?
> >
> >mountall. I'm happy to patch it to not mount /sys/kernel/debug by default.
> >
> >-Kees
> >
>
> This is what I've tested on a desktop and server. Everything appears
> to work. The only window of vulnerability is while ureadahead is
> doing its thing, and that should only happen after the package
> database changes, right?
>
> If you concur, then turn off debugfs and see what carnage ensues.
> You should probably start a tracking bug to collect any regressions.
Yeah, I already had the upload ready, so I'll use my version (it refers to
the lkml email where Alan Cox says it should not be used on production
systems). But yeah, I'll upload and send email to ubuntu-devel with the
list of everything in main that references /sys/kernel/debug.
-Kees
--
Kees Cook
Ubuntu Security Team