debugfs: more tightly restrict default mount mode

Since the debugfs is mostly only used by root, make the default mount
mode 0700. Most system owners do not need a more permissive value,
but they can choose to weaken the restrictions via their fstab.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kees Cook 2012-08-27 13:32:15 -07:00 committed by Greg Kroah-Hartman
parent 9db48aaf18
commit 82aceae4f0
2 changed files with 3 additions and 3 deletions

@ -15,8 +15,8 @@ Debugfs is typically mounted with a command like:
mount -t debugfs none /sys/kernel/debug
(Or an equivalent /etc/fstab line).
The debugfs root directory is accessible by anyone by default. To
restrict access to the tree the "uid", "gid" and "mode" mount
The debugfs root directory is accessible only to the root user by
default. To change access to the tree the "uid", "gid" and "mode" mount
options can be used.
Note that the debugfs API is exported GPL-only to modules.
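Review bot: the new sentence "accessible only to the root user by default" does not state the default mode itself, so a reader cannot tell which value restores the previous behaviour. Suggest naming the default (mode 0700) in this paragraph and showing one example of the "uid", "gid" and "mode" options on the mount command or in the /etc/fstab line mentioned just above, since the commit message points administrators at fstab for relaxing the restriction.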

@ -28,7 +28,7 @@
#include <linux/magic.h>
#include <linux/slab.h>
#define DEBUGFS_DEFAULT_MODE 0755
#define DEBUGFS_DEFAULT_MODE 0700
static struct vfsmount *debugfs_mount;
static int debugfs_mount_count;
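Review bot: DEBUGFS_DEFAULT_MODE changes from 0755 to 0700 with no comment at the define, and this is a user-visible default change: anything that reads debugfs as a non-root user stops working after an upgrade unless the mount options are adjusted. Suggest a one-line comment above the define saying that the root directory is root-only by default and that the "mode" mount option overrides it, and calling out the behaviour change explicitly in the commit message. The hunk does not show where the constant is applied, so please confirm that a remount without an explicit "mode" option does not reset an administrator's chosen mode back to 0700.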