{
  "commit": "fe5091f97838c8c64b891280bcd30367e71cd5c3",
  "tree": "32b4356085f1acf9aa91dd6c23bac01fbe10bcee",
  "parents": [
    "d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8"
  ],
  "author": {
    "name": "David Howells",
    "email": "dhowells@redhat.com",
    "time": "Wed Apr 04 14:45:38 2018 +0100"
  },
  "committer": {
    "name": "David Howells",
    "email": "dhowells@redhat.com",
    "time": "Tue Apr 10 10:41:31 2018 +0100"
  },
  "message": "debugfs: Restrict debugfs when the kernel is locked down\n\nDisallow opening of debugfs files that might be used to muck around when\nthe kernel is locked down as various drivers give raw access to hardware\nthrough debugfs.  Given the effort of auditing all 2000 or so files and\nmanually fixing each one as necessary, I've chosen to apply a heuristic\ninstead.  The following changes are made:\n\n (1) chmod and chown are disallowed on debugfs objects (though the root dir\n     can be modified by mount and remount, but I'm not worried about that).\n\n (2) When the kernel is locked down, only files with the following criteria\n     are permitted to be opened:\n\n\t- The file must have mode 00444\n\t- The file must not have ioctl methods\n\t- The file must not have mmap\n\n (3) When the kernel is locked down, files may only be opened for reading.\n\nNormal device interaction should be done through configfs, sysfs or a\nmiscdev, not debugfs.\n\nNote that this makes it unnecessary to specifically lock down show_dsts(),\nshow_devs() and show_call() in the asus-wmi driver.\n\nI would actually prefer to lock down all files by default and have the\nfiles unlocked by the creator.  This is tricky to manage correctly,\nthough, as there are 19 creation functions and ~1600 call sites (some of\nthem in loops scanning tables).\n\nSigned-off-by: David Howells <dhowells@redhat.com>\ncc: Andy Shevchenko <andy.shevchenko@gmail.com>\ncc: acpi4asus-user@lists.sourceforge.net\ncc: platform-driver-x86@vger.kernel.org\ncc: Matthew Garrett <mjg59@srcf.ucam.org>\ncc: Thomas Gleixner <tglx@linutronix.de>\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "1f99678ff5d3ed67d52740c8e89ab95f8e87abab",
      "old_mode": 33188,
      "old_path": "fs/debugfs/file.c",
      "new_id": "51cb894c21f2a2c684e18a41934b2434dc724a7e",
      "new_mode": 33188,
      "new_path": "fs/debugfs/file.c"
    },
    {
      "type": "modify",
      "old_id": "13b01351dd1cb3f8381dbddd2ee70717792b9ac7",
      "old_mode": 33188,
      "old_path": "fs/debugfs/inode.c",
      "new_id": "4daec17b82151effb14edf800b94d3e2e253cab9",
      "new_mode": 33188,
      "new_path": "fs/debugfs/inode.c"
    }
  ]
}
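The open-time heuristic the commit message describes (mode exactly 00444, no ioctl, no mmap, read-only open) as a userspace model, added here as an illustration. This is not the patch's own code, which is not shown on this page: the struct `fake_fops`, the global `kernel_locked_down`, the function `debugfs_open_allowed()` and the sample cases in `main()` are all assumptions chosen for this example. It exists to make the edge cases concrete: a 0444 file is still refused if it carries an ioctl method, and an O_RDWR open of a 0444 file is refused even though the mode itself passes.

```c
/* Userspace model of the debugfs lockdown heuristic from the commit message.
 * Added example, not code from the kernel patch; all names are assumptions. */
#include <errno.h>
#include <fcntl.h>      /* O_RDONLY, O_RDWR, O_ACCMODE */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>   /* mode_t */

/* Stand-in for the parts of a file_operations table the heuristic inspects. */
struct fake_fops {
    bool has_ioctl;   /* an ioctl method is present */
    bool has_mmap;    /* an mmap method is present */
};

/* Hypothetical global standing in for the kernel's locked-down state. */
static bool kernel_locked_down = true;

/* Returns 0 when the open may proceed, -EPERM when lockdown refuses it.
 * Criteria, all of which must hold while locked down:
 *   - permission bits exactly 00444 (0644, 0440 etc. do not qualify)
 *   - the open is read-only (O_RDONLY; O_WRONLY and O_RDWR are refused)
 *   - the file has neither ioctl nor mmap methods
 * chmod is refused on debugfs objects per the commit message, so a file
 * created with a wider mode cannot be demoted to 0444 to pass this check. */
static int debugfs_open_allowed(mode_t i_mode, int open_flags,
                                const struct fake_fops *fops)
{
    if (!kernel_locked_down)
        return 0;
    if ((i_mode & 07777) != 0444)
        return -EPERM;
    if ((open_flags & O_ACCMODE) != O_RDONLY)
        return -EPERM;
    if (fops->has_ioctl || fops->has_mmap)
        return -EPERM;
    return 0;
}

int main(void)
{
    /* Constructed sample files; not real debugfs entries. */
    const struct fake_fops plain = { false, false };
    const struct fake_fops ioctl_fops = { true, false };
    const struct fake_fops mmap_fops = { false, true };
    const struct {
        const char *label;
        mode_t mode;
        int flags;
        const struct fake_fops *fops;
    } cases[] = {
        { "0444 read-only, no ioctl/mmap", 0444, O_RDONLY, &plain },
        { "0444 opened O_RDWR",            0444, O_RDWR,   &plain },
        { "0644 read-only",                0644, O_RDONLY, &plain },
        { "0444 read-only with ioctl",     0444, O_RDONLY, &ioctl_fops },
        { "0444 read-only with mmap",      0444, O_RDONLY, &mmap_fops },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int rc = debugfs_open_allowed(cases[i].mode, cases[i].flags,
                                      cases[i].fops);
        printf("%-32s -> %s\n", cases[i].label,
               rc == 0 ? "allowed" : "refused (EPERM)");
    }
    return 0;
}
```

Only the first case is allowed while locked down; flipping `kernel_locked_down` to false makes every case pass, which is the unlocked behaviour the heuristic leaves untouched.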
