debugfs: more tightly restrict default mount mode
Since the debugfs is mostly only used by root, make the default mount mode 0700. Most system owners do not need a more permissive value, but they can choose to weaken the restrictions via their fstab. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
9db48aaf18
commit
82aceae4f0
|
@ -15,8 +15,8 @@ Debugfs is typically mounted with a command like:
|
|||
mount -t debugfs none /sys/kernel/debug
|
||||
|
||||
(Or an equivalent /etc/fstab line).
|
||||
The debugfs root directory is accessible by anyone by default. To
|
||||
restrict access to the tree the "uid", "gid" and "mode" mount
|
||||
The debugfs root directory is accessible only to the root user by
|
||||
default. To change access to the tree the "uid", "gid" and "mode" mount
|
||||
options can be used.
|
||||
|
||||
Note that the debugfs API is exported GPL-only to modules.
|
||||
|
|
|
@ -28,7 +28,7 @@
|
|||
#include <linux/magic.h>
|
||||
#include <linux/slab.h>
|
||||
|
||||
#define DEBUGFS_DEFAULT_MODE 0755
|
||||
#define DEBUGFS_DEFAULT_MODE 0700
|
||||
|
||||
static struct vfsmount *debugfs_mount;
|
||||
static int debugfs_mount_count;
|
||||
|
|
Loading…
Reference in New Issue