28 lines
965 B
Diff
28 lines
965 B
Diff
From: Ben Hutchings <ben@decadent.org.uk>
|
|
Subject: debugfs: Set default mode to 700
|
|
Bug-Debian: http://bugs.debian.org/681418
|
|
|
|
As discussed here
|
|
<http://lists.linux-foundation.org/pipermail/ksummit-2012-discuss/2012-July/000891.html>.
|
|
|
|
Mounting of debugfs is a significant security liability, but there are
|
|
applications that depend on some interfaces based on debugfs and they
|
|
(or their packages) will mount it automatically anyway.
|
|
|
|
Setting the default mode for the debugfs root to 700 (accessible
|
|
to root only) should leave it functional, since most such applications
|
|
will require root anyway, and users can override it to relax
|
|
permissions if they really don't care about the security problems.
|
|
|
|
--- a/fs/debugfs/inode.c
|
|
+++ b/fs/debugfs/inode.c
|
|
@@ -28,7 +28,7 @@
|
|
#include <linux/magic.h>
|
|
#include <linux/slab.h>
|
|
|
|
-#define DEBUGFS_DEFAULT_MODE 0755
|
|
+#define DEBUGFS_DEFAULT_MODE 0700
|
|
|
|
static struct vfsmount *debugfs_mount;
|
|
static int debugfs_mount_count;
|