On Wed, Nov 10, 2021 at 5:53 PM Philipp Rudo <prudo(a)redhat.com> wrote:
Hi Lianbo,
On Wed, 10 Nov 2021 14:07:50 +0800
lijiang <lijiang(a)redhat.com> wrote:
> Hi, Philipp
> Thank you for the fix.
>
> Date: Tue, 9 Nov 2021 14:52:22 +0100
> > From: Philipp Rudo <prudo(a)redhat.com>
> > To: crash-utility(a)redhat.com
> > Subject: [Crash-utility] [PATCH] Fix live debugging with
> > lockdown=integrity
> > Message-ID: <20211109135222.51636-1-prudo(a)redhat.com>
> >
> > With kernel lockdown the access to kernel interfaces that allow to
> > extract confidential information (lockdown=confidentiality) or modify a
> > running kernel (lockdown=integrity) can be restricted. Two of the
> > interfaces that can be restricted are /dev/mem (integrity &
> > confidentiality) and /proc/kcore (confidentiality). With
> > lockdown=integrity this leads to a situation where /dev/mem exists but
> > is not readable while /proc/kcore exists and is readable. This breaks
> > crash's live debugging when it is invoked without argument, i.e.
> >
> > $ crash
> > [...]
> > crash: /dev/mem: Operation not permitted
> >
> > while passing /proc/kcore as image succeeds. The reason for this is
that
> > crash always picks /dev/mem as source when it exits but doesn't check
if
> > it is readable. Fix this by only selecting /dev/mem when it is
readable.
> >
> > Signed-off-by: Philipp Rudo <prudo(a)redhat.com>
> > ---
> > filesys.c | 2 +-
> > main.c | 2 +-
> > 2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/filesys.c b/filesys.c
> > index 3361b6c..43cbe82 100644
> > --- a/filesys.c
> > +++ b/filesys.c
> > @@ -3666,7 +3666,7 @@ get_live_memory_source(void)
> > if (pc->live_memsrc)
> > goto live_report;
> >
> > - if (file_exists("/dev/mem", NULL))
> > + if (file_readable("/dev/mem"))
> > pc->live_memsrc = "/dev/mem";
> > else if (file_exists("/proc/kcore", NULL)) {
> > pc->flags &= ~DEVMEM;
> > diff --git a/main.c b/main.c
> > index 71c59d2..b278c22 100644
> > --- a/main.c
> > +++ b/main.c
> > @@ -1119,7 +1119,7 @@ setup_environment(int argc, char **argv)
> > pc->flags2 |= REDZONE;
> > pc->confd = -2;
> > pc->machine_type = MACHINE_TYPE;
> > - if (file_exists("/dev/mem", NULL)) { /* defaults until
argv[]
> > is parsed */
> > + if (file_readable("/dev/mem")) { /* defaults until
argv[]
is
> > parsed */
> > pc->readmem = read_dev_mem;
> > pc->writemem = write_dev_mem;
> > } else if (file_exists("/proc/kcore", NULL)) {
> > --
> > 2.31.1
> >
>
> After applying this patch, it works, but redundant information is
> displayed in the crash prompt as below. I marked it twice, is that
expected?
>
> [root@testvm crash]# ./crash
> [69580.039885] Lockdown: crash: /dev/mem,kmem,port is restricted; see man
> kernel_lockdown.7
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> crash 7.3.0++
> Copyright (C) 2002-2021 Red Hat, Inc.
> Copyright (C) 2004, 2005, 2006, 2010 IBM Corporation
> Copyright (C) 1999-2006 Hewlett-Packard Co
> Copyright (C) 2005, 2006, 2011, 2012 Fujitsu Limited
> Copyright (C) 2006, 2007 VA Linux Systems Japan K.K.
> Copyright (C) 2005, 2011, 2020-2021 NEC Corporation
> Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc.
> Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc.
> Copyright (C) 2015, 2021 VMware, Inc.
> This program is free software, covered by the GNU General Public License,
> and you are welcome to change it and/or distribute copies of it under
> certain conditions. Enter "help copying" to see the conditions.
> This program has absolutely no warranty. Enter "help warranty" for
details.
>
> [69580.662388] Lockdown: crash: /dev/mem,kmem,port is restricted; see man
> kernel_lockdown.7
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> GNU gdb (GDB) 10.2
> ...
> crash>
I assume you are using a serial console as I cannot see the messages
when connecting via ssh. They do appear in dmesg though.
Yes. I only saw this message on the serial console.
The message is emitted by the kernel every time someone opens
/dev/mem
(or one of the other two files). This is done in file_readable as it
checks if a file can be read from by actually opening and reading from
it. Unfortunately I don't see a way around it. At least stat still
shows /dev/mem as readable
# stat /dev/mem
[...]
Access: (0640/crw-r-----) Uid: ( 0/ root) Gid: ( 9/ kmem)
[...]
So yes, seeing those messages is expected.
OK, thank you for the explanation, Philipp. I have no other issues.
Acked-by: Lianbo Jiang <lijiang(a)redhat.com>