debugfs: more tightly restrict default mount mode

Since the debugfs is mostly only used by root, make the default mount mode 0700. Most system owners do not need a more permissive value, but they can choose to weaken the restrictions via their fstab. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

debugfs: more tightly restrict default mount mode
Since the debugfs is mostly only used by root, make the default mount mode 0700. Most system owners do not need a more permissive value, but they can choose to weaken the restrictions via their fstab. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
82aceae4 · Kees Cook · Greg Kroah-Hartman · 9db48aaf · 82aceae4 · 82aceae4
Commit 82aceae4 authored Aug 27, 2012 by Kees Cook Committed by Greg Kroah-Hartman Aug 27, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

Documentation/filesystems/debugfs.txt Documentation/filesystems/debugfs.txt +2 -2

fs/debugfs/inode.c fs/debugfs/inode.c +1 -1

No files found.
--- a/Documentation/filesystems/debugfs.txt
+++ b/Documentation/filesystems/debugfs.txt
@@ -15,8 +15,8 @@ Debugfs is typically mounted with a command like:
    mount -t debugfs none /sys/kernel/debug

 (Or an equivalent /etc/fstab line).
-The debugfs root directory is accessible by anyone by default. To
-restrict access to the tree the "uid", "gid" and "mode" mount
+The debugfs root directory is accessible only to the root user by
+default. To change access to the tree the "uid", "gid" and "mode" mount
 options can be used.

 Note that the debugfs API is exported GPL-only to modules.

--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -28,7 +28,7 @@
 #include <linux/magic.h>
 #include <linux/slab.h>

-#define DEBUGFS_DEFAULT_MODE	0755
+#define DEBUGFS_DEFAULT_MODE	0700

 static struct vfsmount *debugfs_mount;
 static int debugfs_mount_count;