debugfs: more tightly restrict default mount mode

Since the debugfs is mostly only used by root, make the default mount mode 0700. Most system owners do not need a more permissive value, but they can choose to weaken the restrictions via their fstab. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Kees Cook <keescook@chromium.org> 2012-08-27 16:32:15 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-08-27 16:42:02 -0400
commit: 82aceae4f0d42f03d9ad7d1e90389e731153898f (patch)
tree: 9e39183cb3d2a971ac794da1b94d4dd7f07faa5d
parent: 9db48aaf18d675ac41f550c9384154e0c00de2ef (diff)
2 files changed, 3 insertions, 3 deletions
diff --git a/Documentation/filesystems/debugfs.txt b/Documentation/filesystems/debugfs.txt
index 7a34f827989c..3a863f692728 100644
--- a/Documentation/filesystems/debugfs.txt
+++ b/Documentation/filesystems/debugfs.txt
@@ -15,8 +15,8 @@ Debugfs is typically mounted with a command like:
    mount -t debugfs none /sys/kernel/debug
 (Or an equivalent /etc/fstab line).
-The debugfs root directory is accessible by anyone by default. To
+The debugfs root directory is accessible only to the root user by
-restrict access to the tree the "uid", "gid" and "mode" mount
+default. To change access to the tree the "uid", "gid" and "mode" mount
 options can be used.
 Note that the debugfs API is exported GPL-only to modules.
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 2c9fafbe8425..6393fd61d5c4 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -28,7 +28,7 @@
 #include <linux/magic.h>
 #include <linux/slab.h>
-#define DEBUGFS_DEFAULT_MODE    0755
+#define DEBUGFS_DEFAULT_MODE    0700
 static struct vfsmount *debugfs_mount;
 static int debugfs_mount_count;
author	Kees Cook <keescook@chromium.org>	2012-08-27 16:32:15 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2012-08-27 16:42:02 -0400
commit	82aceae4f0d42f03d9ad7d1e90389e731153898f (patch)
tree	9e39183cb3d2a971ac794da1b94d4dd7f07faa5d
parent	9db48aaf18d675ac41f550c9384154e0c00de2ef (diff)

diff --git a/Documentation/filesystems/debugfs.txt b/Documentation/filesystems/debugfs.txt index 7a34f827989c..3a863f692728 100644 --- a/Documentation/filesystems/debugfs.txt +++ b/Documentation/filesystems/debugfs.txt
@@ -15,8 +15,8 @@ Debugfs is typically mounted with a command like:
15	mount -t debugfs none /sys/kernel/debug	15	mount -t debugfs none /sys/kernel/debug
16		16
17	(Or an equivalent /etc/fstab line).	17	(Or an equivalent /etc/fstab line).
18	The debugfs root directory is accessible by anyone by default. To	18	The debugfs root directory is accessible only to the root user by
19	restrict access to the tree the "uid", "gid" and "mode" mount	19	default. To change access to the tree the "uid", "gid" and "mode" mount
20	options can be used.	20	options can be used.
21		21
22	Note that the debugfs API is exported GPL-only to modules.	22	Note that the debugfs API is exported GPL-only to modules.


diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index 2c9fafbe8425..6393fd61d5c4 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c
@@ -28,7 +28,7 @@
28	#include <linux/magic.h>	28	#include <linux/magic.h>
29	#include <linux/slab.h>	29	#include <linux/slab.h>
30		30
31	#define DEBUGFS_DEFAULT_MODE 0755	31	#define DEBUGFS_DEFAULT_MODE 0700
32		32
33	static struct vfsmount *debugfs_mount;	33	static struct vfsmount *debugfs_mount;
34	static int debugfs_mount_count;	34	static int debugfs_mount_count;