| Message ID | 20230412001030.88441-1-junxiao.bi@oracle.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp2958883vqo;
Tue, 11 Apr 2023 17:55:14 -0700 (PDT)
X-Google-Smtp-Source:
AKy350Zx8DN19b3h1VAwvMuscuYjOjxCNgJFcxoJzsRCQ31hfK+UwLzCrES8L/gLkk7r8qkDU/TV
X-Received: by 2002:a17:906:3585:b0:94e:17f:f466 with SMTP id
o5-20020a170906358500b0094e017ff466mr923398ejb.25.1681260914733;
Tue, 11 Apr 2023 17:55:14 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1681260914; cv=pass;
d=google.com; s=arc-20160816;
b=EfpZ9C48zDF+i6Nu+I7ZrOfbcZSeb3zwhUtqqrK5CCigKjgj0c4LOiZVHAzv1xfubJ
PclfkXG/j/rXIQxZxoVCrePvPdAR6uNcwgdJbBOnBpV4NMbcflbKDblA8ctZi8V5ib7D
YahwGTgR3+oHuEqNnP177ordBjE3to8zN5oAy7skZ4iYEawQaDsxglhLY6InLI0iacxa
wJRh2RjB5fIS7rUy/q5pN3ut+lyrducltms4Y15zafZUc+6xnQzAzYGlDLxNLwi3bFUI
FkxWcWf/TeHQ8krnXnvSSyq3aWDMi0Nn8scr6UlQnOQ0eUZED6QSCB6odEhI8VrlnOiV
LO6g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:content-transfer-encoding
:message-id:date:subject:cc:to:from:dkim-signature:dkim-signature;
bh=xEt1SHSVYaZWWhL/IRN7oA6TsJmqpiMLrNnKx131ItU=;
b=gYYNjNNUczl9R0Hefqw5ZRwa/TOunl5eynqHFi58Ynip8gY04/iJtlxJmuBlA67v6n
n9mtXtM73DrYuYm8Zk9aBIU3KbaYwrdManuqimEXMLAdFhM9qcOwsAKiFojs9SEBN25w
aHMnsZ5u2qAcT5OrNjqlMwq49HU2qEUYJQPpidHKjRb6DQtOXjCS0rMsFakS4nFisjU4
DR3pjmztHTmSkDPEPrF1W/jjTCEvxWTYbmNLbjUC0xC/kWpbJigVdgo3Fc3ZXt0RDksG
yWlTwZDefxo736ar/KFTTI841HrhiRaOW/xhuoqjfA7pE95ih3LwAUCirOfI7blX6QuX
6e/w==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@oracle.com header.s=corp-2023-03-30
header.b=cPcKaAI6;
dkim=pass header.i=@oracle.onmicrosoft.com
header.s=selector2-oracle-onmicrosoft-com header.b=SwJI3iDH;
arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass
dkdomain=oracle.com dmarc=pass fromdomain=oracle.com);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
j13-20020a1709064b4d00b0094e0e97608dsi2929749ejv.436.2023.04.11.17.54.41;
Tue, 11 Apr 2023 17:55:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@oracle.com header.s=corp-2023-03-30
header.b=cPcKaAI6;
dkim=pass header.i=@oracle.onmicrosoft.com
header.s=selector2-oracle-onmicrosoft-com header.b=SwJI3iDH;
arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass
dkdomain=oracle.com dmarc=pass fromdomain=oracle.com);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229677AbjDLAKz (ORCPT <rfc822;leviz.kernel.dev@gmail.com>
+ 99 others); Tue, 11 Apr 2023 20:10:55 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48632 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229650AbjDLAKx (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 11 Apr 2023 20:10:53 -0400
Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com
[205.220.165.32])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 21BCD449D;
Tue, 11 Apr 2023 17:10:50 -0700 (PDT)
Received: from pps.filterd (m0246617.ppops.net [127.0.0.1])
by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
33BL9hQ7029961;
Wed, 12 Apr 2023 00:10:38 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;
h=from : to : cc :
subject : date : message-id : content-transfer-encoding : content-type :
mime-version; s=corp-2023-03-30;
bh=xEt1SHSVYaZWWhL/IRN7oA6TsJmqpiMLrNnKx131ItU=;
b=cPcKaAI6sbA+eNiRRAungfqstVZ+CQWIMh6k/4wJrLA2CpmnaqJpJgplADriaYgZV4C5
/I3+mlrLTrvwoRF84VHzFwNXSOYiSf1L7Ua59k+YNdSptDHoNMEOFPl7a81950ltGmyQ
vM71o8AnjYhVEYYRVilgJ1wA4nxqB5Sdyh8dCBWzPDdMJrUTIUODVTLUH7cIgUCkf4l9
eoEr1/0Ufzr96kwISnZhsz0qX4j1vA+jSoxZ5XorLHjxTpbo16Vy7RiPHdnDm1uxQSuM
cuu/Ou/eee78V/3ptky1kanQMFSQkzt4dVbdg8O6y6V2M4w/h3B59LQCEMGleH0nJdbP ag==
Received: from iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com
(iadpaimrmta02.appoci.oracle.com [147.154.18.20])
by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3pu0ttpub1-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK);
Wed, 12 Apr 2023 00:10:38 +0000
Received: from pps.filterd
(iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1])
by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com
(8.17.1.19/8.17.1.19) with ESMTP id 33C03UDK008156;
Wed, 12 Apr 2023 00:10:37 GMT
Received: from nam12-mw2-obe.outbound.protection.outlook.com
(mail-mw2nam12lp2048.outbound.protection.outlook.com [104.47.66.48])
by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with
ESMTPS id 3puwc50emb-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK);
Wed, 12 Apr 2023 00:10:36 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Z+oFhhFBKuZiuIn1dLmyANph0AsLfyLlzySB3b2wgvGK+RKotbmKCqegWTiabNihZhNq6xNL04H/MJcLnvsal/+TvjkOtYT5weosn1aLC3n2tdB11E8v0pNmsgiqxdTwreftiiCpTru/ptVZawjL5iQfRoNYIgCTFhnWXLV6XfrZOJ+iG6w0dJ5nRN3PZLYaIjtsj/7DFFiEgnlTdEWShAaffv5kTgkefJao2wmfUJ0Ji9QyLvF38GU+HSeoxO7wxX6+ksWmtHrd4mvBKk3542uymlsJ4d9ETNvXYoDfRjNhBPbFfebJyRrr2H69gwtbRZ0P10uNzCx/wulRxBwnnA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=xEt1SHSVYaZWWhL/IRN7oA6TsJmqpiMLrNnKx131ItU=;
b=csuxzp9ossoVHwCj6Xq8r17ALCewom1QkbIXxFarxpqMFyXduB8l1UO98ufnwN4OtogG8cC9+iSwrhXRi8qas032kM8TmujR2fJIw4iFUlncFr1lGNL8wDd0XGqenHcbfxK4G7GVX0Me7eNMS12WhoL/hCMjp8MhTVWD+0gw+XeJvTfCqcaJjSGP9EHuaam4cFt0AN/djXeQOqbl680vCdxEMegL01sBtII9Y1yMLo8UXZdyYQPuDeDj7BKnLgjT+2W3H9v2o6e3crvnp7OnjVZLoOv/Bgy07x28qexxclk48TxhAsTVax+1SB9P1WRF5p/vQP4zfMpwaT6ZHHAAsQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com;
dkim=pass header.d=oracle.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=xEt1SHSVYaZWWhL/IRN7oA6TsJmqpiMLrNnKx131ItU=;
b=SwJI3iDH858ZGUDamYE8e2h717KZJXh6dnCRgkrPDaI4QUrXATc+HLr83JkMtyr15/vctStDh6YQVh8OO4uW4A5Awec8bdGbyOlnGWbp6mDV7EFQgwVhlFv/eAKAD5C7o/S8Bo7hqMUfC0PaOHAQnZRBY2kUEQ8rhXgIopr/EBg=
Received: from SJ0PR10MB4752.namprd10.prod.outlook.com (2603:10b6:a03:2d7::19)
by DS0PR10MB6151.namprd10.prod.outlook.com (2603:10b6:8:c5::20) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6156.28; Wed, 12 Apr
2023 00:10:34 +0000
Received: from SJ0PR10MB4752.namprd10.prod.outlook.com
([fe80::b3a1:e02e:37d0:afa1]) by SJ0PR10MB4752.namprd10.prod.outlook.com
([fe80::b3a1:e02e:37d0:afa1%8]) with mapi id 15.20.6277.035; Wed, 12 Apr 2023
00:10:34 +0000
From: Junxiao Bi <junxiao.bi@oracle.com>
To: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
nathanl@linux.ibm.com, axboe@kernel.dk, konrad.wilk@oracle.com,
joe.jin@oracle.com
Subject: [PATCH] debugfs: allow access relay files in lockdown mode
Date: Tue, 11 Apr 2023 17:10:30 -0700
Message-Id: <20230412001030.88441-1-junxiao.bi@oracle.com>
X-Mailer: git-send-email 2.24.3 (Apple Git-128)
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-ClientProxiedBy: DS7PR03CA0239.namprd03.prod.outlook.com
(2603:10b6:5:3ba::34) To SJ0PR10MB4752.namprd10.prod.outlook.com
(2603:10b6:a03:2d7::19)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: SJ0PR10MB4752:EE_|DS0PR10MB6151:EE_
X-MS-Office365-Filtering-Correlation-Id: 5bf41076-8030-4947-f2de-08db3aea55c2
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report:
CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SJ0PR10MB4752.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230028)(366004)(376002)(136003)(39860400002)(346002)(396003)(451199021)(5660300002)(66946007)(36756003)(6512007)(186003)(44832011)(316002)(41300700001)(83380400001)(38100700002)(8936002)(66556008)(2906002)(66476007)(8676002)(4326008)(6486002)(86362001)(478600001)(6506007)(1076003)(2616005)(6666004)(107886003);DIR:OUT;SFP:1101;
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id:
5bf41076-8030-4947-f2de-08db3aea55c2
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR10MB4752.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Apr 2023 00:10:34.0912
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName:
6EuGCV5DSIzfsX37tXEfjMortq9F5ft4LpjvyrfKYfA0u8xtZ9iNVeFL3OyauKtL8mV/WqEjdwDLDghcGP/dNw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR10MB6151
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22
definitions=2023-04-11_16,2023-04-11_02,2023-02-09_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0
malwarescore=0 adultscore=0
suspectscore=0 phishscore=0 mlxlogscore=999 mlxscore=0 bulkscore=0
classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303200000
definitions=main-2304110217
X-Proofpoint-ORIG-GUID: l4_laFtG2qTbth9szr60jpgWOpQY8825
X-Proofpoint-GUID: l4_laFtG2qTbth9szr60jpgWOpQY8825
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,
RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1762929845379089988?=
X-GMAIL-MSGID: =?utf-8?q?1762929845379089988?=
|
| Series |
debugfs: allow access relay files in lockdown mode
|
|
Commit Message
Junxiao Bi
April 12, 2023, 12:10 a.m. UTC
Relay files are used by kernel to transfer information to userspace, these
files have permission 0400, but mmap is supported, so they are blocked by
lockdown. But since kernel just generates the contents of those files while
not reading it, it is saft to access relay files in lockdown mode.
With this, blktrace can work well in lockdown mode.
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
---
fs/debugfs/file.c | 9 +++++++++
1 file changed, 9 insertions(+)
Comments
Hi Junxiao,
kernel test robot noticed the following build errors:
[auto build test ERROR on driver-core/driver-core-testing]
[also build test ERROR on driver-core/driver-core-next driver-core/driver-core-linus linus/master v6.3-rc6 next-20230412]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Junxiao-Bi/debugfs-allow-access-relay-files-in-lockdown-mode/20230412-081241
patch link: https://lore.kernel.org/r/20230412001030.88441-1-junxiao.bi%40oracle.com
patch subject: [PATCH] debugfs: allow access relay files in lockdown mode
config: i386-randconfig-a015-20230410 (https://download.01.org/0day-ci/archive/20230412/202304121714.6mahd9EW-lkp@intel.com/config)
compiler: gcc-11 (Debian 11.3.0-8) 11.3.0
reproduce (this is a W=1 build):
# https://github.com/intel-lab-lkp/linux/commit/7891278613631bb6076e7b4603c1e907d1304cfa
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Junxiao-Bi/debugfs-allow-access-relay-files-in-lockdown-mode/20230412-081241
git checkout 7891278613631bb6076e7b4603c1e907d1304cfa
# save the config file
mkdir build_dir && cp config build_dir/.config
make W=1 O=build_dir ARCH=i386 olddefconfig
make W=1 O=build_dir ARCH=i386 SHELL=/bin/bash
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202304121714.6mahd9EW-lkp@intel.com/
All errors (new ones prefixed by >>):
ld: fs/debugfs/file.o: in function `debugfs_locked_down':
>> fs/debugfs/file.c:163: undefined reference to `relay_file_operations'
vim +163 fs/debugfs/file.c
141
142 /*
143 * Only permit access to world-readable files when the kernel is locked down.
144 * We also need to exclude any file that has ways to write or alter it as root
145 * can bypass the permissions check.
146 * Exception:
147 * Relay files are used by kernel to transfer information to userspace, these
148 * files have permission 0400, but mmap is supported, so they are blocked by
149 * lockdown. But since kernel just generates the contents of those files while
150 * not reading it, it is saft to access relay files in lockdown mode.
151 */
152 static int debugfs_locked_down(struct inode *inode,
153 struct file *filp,
154 const struct file_operations *real_fops)
155 {
156 if ((inode->i_mode & 07777 & ~0444) == 0 &&
157 !(filp->f_mode & FMODE_WRITE) &&
158 !real_fops->unlocked_ioctl &&
159 !real_fops->compat_ioctl &&
160 !real_fops->mmap)
161 return 0;
162
> 163 if (real_fops == &relay_file_operations)
164 return 0;
165
166 if (security_locked_down(LOCKDOWN_DEBUGFS))
167 return -EPERM;
168
169 return 0;
170 }
171
Hi Junxiao,
kernel test robot noticed the following build errors:
[auto build test ERROR on driver-core/driver-core-testing]
[also build test ERROR on driver-core/driver-core-next driver-core/driver-core-linus linus/master v6.3-rc6 next-20230412]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Junxiao-Bi/debugfs-allow-access-relay-files-in-lockdown-mode/20230412-081241
patch link: https://lore.kernel.org/r/20230412001030.88441-1-junxiao.bi%40oracle.com
patch subject: [PATCH] debugfs: allow access relay files in lockdown mode
config: powerpc-buildonly-randconfig-r003-20230410 (https://download.01.org/0day-ci/archive/20230412/202304121808.IDucPQw7-lkp@intel.com/config)
compiler: powerpc-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/7891278613631bb6076e7b4603c1e907d1304cfa
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Junxiao-Bi/debugfs-allow-access-relay-files-in-lockdown-mode/20230412-081241
git checkout 7891278613631bb6076e7b4603c1e907d1304cfa
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=powerpc olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=powerpc SHELL=/bin/bash
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Link: https://lore.kernel.org/oe-kbuild-all/202304121808.IDucPQw7-lkp@intel.com/
All errors (new ones prefixed by >>):
powerpc-linux-ld: fs/debugfs/file.o: in function `debugfs_locked_down':
fs/debugfs/file.c:163: undefined reference to `relay_file_operations'
>> powerpc-linux-ld: fs/debugfs/file.c:163: undefined reference to `relay_file_operations'
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 1f971c880dde..04fa813a227e 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -21,6 +21,7 @@ #include <linux/pm_runtime.h> #include <linux/poll.h> #include <linux/security.h> +#include <linux/relay.h> #include "internal.h" @@ -142,6 +143,11 @@ EXPORT_SYMBOL_GPL(debugfs_file_put); * Only permit access to world-readable files when the kernel is locked down. * We also need to exclude any file that has ways to write or alter it as root * can bypass the permissions check. + * Exception: + * Relay files are used by kernel to transfer information to userspace, these + * files have permission 0400, but mmap is supported, so they are blocked by + * lockdown. But since kernel just generates the contents of those files while + * not reading it, it is saft to access relay files in lockdown mode. */ static int debugfs_locked_down(struct inode *inode, struct file *filp, @@ -154,6 +160,9 @@ static int debugfs_locked_down(struct inode *inode, !real_fops->mmap) return 0; + if (real_fops == &relay_file_operations) + return 0; + if (security_locked_down(LOCKDOWN_DEBUGFS)) return -EPERM;