[V4,1/2] debugfs: provide a way for relay user bypass lockdown
Commit Message
Relay files in debugfs is used to export information from kernel to
userspace, relay user should tell whether the exported information
is safe to access in lockdown mode or not. The access will be denied
by default.
v4 <- v3:
refactor the code to make code more foolproof.
v3 <- v2:
allow only blktrace trace file instead of relay files
https://lore.kernel.org/all/20230418172656.33583-1-junxiao.bi@oracle.com/
v2 <- v1:
Fix build error when CONFIG_RELAY is not defined.
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202304121714.6mahd9EW-lkp@intel.com/
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
---
fs/debugfs/file.c | 11 +++++++++++
include/linux/relay.h | 16 ++++++++++++++++
kernel/relay.c | 17 +++++++++++++++++
3 files changed, 44 insertions(+)
@@ -21,6 +21,7 @@
#include <linux/pm_runtime.h>
#include <linux/poll.h>
#include <linux/security.h>
+#include <linux/relay.h>
#include "internal.h"
@@ -142,6 +143,13 @@ EXPORT_SYMBOL_GPL(debugfs_file_put);
* Only permit access to world-readable files when the kernel is locked down.
* We also need to exclude any file that has ways to write or alter it as root
* can bypass the permissions check.
+ * Exception:
+ * Relay files in debugfs are used by kernel to transfer data from kernel to
+ * userspace, these files are with permission 0400, but mmap is supported, so
+ * the access is blocked by default. But there are relay users like blktrace
+ * which will only export none security sensitive info to userspace, so provide
+ * a way for relay user to hook in to tell whether accessing the file in lockdown
+ * mode is safe or not.
*/
static int debugfs_locked_down(struct inode *inode,
struct file *filp,
@@ -154,6 +162,9 @@ static int debugfs_locked_down(struct inode *inode,
!real_fops->mmap)
return 0;
+ if (relay_bypass_lockdown(inode, real_fops))
+ return 0;
+
if (security_locked_down(LOCKDOWN_DEBUGFS))
return -EPERM;
@@ -147,6 +147,19 @@ struct rchan_callbacks
* This callback is mandatory.
*/
int (*remove_buf_file)(struct dentry *dentry);
+
+ /*
+ * bypass_lockdown - check whether file can be accessed in lockdown mode.
+ *
+ * Called during file open. It depends on each relay user to tell whether
+ * accessing the file is safe or not in lockdown mode.
+ *
+ * The callback should return "true" if allowing access, "false" if not.
+ *
+ * This callback is optional. If not set, accessing the file will be
+ * denied in lockdown mode.
+ */
+ bool (*bypass_lockdown)(struct inode *inode);
};
/*
@@ -279,8 +292,11 @@ extern const struct file_operations relay_file_operations;
#ifdef CONFIG_RELAY
int relay_prepare_cpu(unsigned int cpu);
+extern bool relay_bypass_lockdown(struct inode *inode,
+ const struct file_operations *fops);
#else
#define relay_prepare_cpu NULL
+#define relay_bypass_lockdown(inode, fops) (false)
#endif
#endif /* _LINUX_RELAY_H */
@@ -1234,6 +1234,23 @@ static ssize_t relay_file_splice_read(struct file *in,
return ret;
}
+bool relay_bypass_lockdown(struct inode *inode,
+ const struct file_operations *fops)
+{
+ struct rchan_buf *buf;
+
+ /* Not a relay file */
+ if (fops != &relay_file_operations)
+ return false;
+
+ buf = (struct rchan_buf *)inode->i_private;
+ if (!buf->chan->cb->bypass_lockdown)
+ return false;
+
+ return buf->chan->cb->bypass_lockdown(inode);
+}
+EXPORT_SYMBOL_GPL(relay_bypass_lockdown);
+
const struct file_operations relay_file_operations = {
.open = relay_file_open,
.poll = relay_file_poll,