Hi, Philipp
Thank you for the fix.
Date: Tue, 9 Nov 2021 14:52:22 +0100
From: Philipp Rudo <prudo(a)redhat.com>
To: crash-utility(a)redhat.com
Subject: [Crash-utility] [PATCH] Fix live debugging with lockdown=integrity
Message-ID: <20211109135222.51636-1-prudo(a)redhat.com>
With kernel lockdown the access to kernel interfaces that allow
extracting confidential information (lockdown=confidentiality) or modifying a
running kernel (lockdown=integrity) can be restricted. Two of the
interfaces that can be restricted are /dev/mem (integrity &
confidentiality) and /proc/kcore (confidentiality). With
lockdown=integrity this leads to a situation where /dev/mem exists but
is not readable while /proc/kcore exists and is readable. This breaks
crash's live debugging when it is invoked without argument, i.e.
$ crash
[...]
crash: /dev/mem: Operation not permitted
while passing /proc/kcore as image succeeds. The reason for this is that
crash always picks /dev/mem as source when it exists but doesn't check if
it is readable. Fix this by only selecting /dev/mem when it is readable.
Signed-off-by: Philipp Rudo <prudo(a)redhat.com>
---
filesys.c | 2 +-
main.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/filesys.c b/filesys.c
index 3361b6c..43cbe82 100644
--- a/filesys.c
+++ b/filesys.c
@@ -3666,7 +3666,7 @@ get_live_memory_source(void)
if (pc->live_memsrc)
goto live_report;
- if (file_exists("/dev/mem", NULL))
+ if (file_readable("/dev/mem"))
pc->live_memsrc = "/dev/mem";
else if (file_exists("/proc/kcore", NULL)) {
pc->flags &= ~DEVMEM;
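Review bot: the fallback branch `else if (file_exists("/proc/kcore", NULL))` still tests only for existence, while the line above it now tests readability; the description itself notes that /proc/kcore is restricted under lockdown=confidentiality, so the same existence-versus-readability gap this hunk closes for /dev/mem remains for /proc/kcore. Suggest `else if (file_readable("/proc/kcore"))` so that both candidates are selected by the same criterion.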
diff --git a/main.c b/main.c
index 71c59d2..b278c22 100644
--- a/main.c
+++ b/main.c
@@ -1119,7 +1119,7 @@ setup_environment(int argc, char **argv)
pc->flags2 |= REDZONE;
pc->confd = -2;
pc->machine_type = MACHINE_TYPE;
- if (file_exists("/dev/mem", NULL)) { /* defaults until argv[]
is parsed */
+ if (file_readable("/dev/mem")) { /* defaults until argv[] is
parsed */
pc->readmem = read_dev_mem;
pc->writemem = write_dev_mem;
} else if (file_exists("/proc/kcore", NULL)) {
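Review bot: this is the second place that now probes /dev/mem with file_readable(), the first being get_live_memory_source() in filesys.c. If file_readable() actually opens the device, a locked-down kernel will emit its "restricted" audit line once per probe, so the result should be determined once and reused (for example kept in pc) rather than recomputed at each site. The /proc/kcore fallback here has the same file_exists() inconsistency as the filesys.c hunk and should use the same readability check.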
--
2.31.1
After applying this patch, it works, but redundant information is
displayed in the crash prompt as below. I marked it twice, is that expected?
[root@testvm crash]# ./crash
[69580.039885] Lockdown: crash: /dev/mem,kmem,port is restricted; see man
kernel_lockdown.7
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
crash 7.3.0++
Copyright (C) 2002-2021 Red Hat, Inc.
Copyright (C) 2004, 2005, 2006, 2010 IBM Corporation
Copyright (C) 1999-2006 Hewlett-Packard Co
Copyright (C) 2005, 2006, 2011, 2012 Fujitsu Limited
Copyright (C) 2006, 2007 VA Linux Systems Japan K.K.
Copyright (C) 2005, 2011, 2020-2021 NEC Corporation
Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc.
Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc.
Copyright (C) 2015, 2021 VMware, Inc.
This program is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions. Enter "help copying" to see the conditions.
This program has absolutely no warranty. Enter "help warranty" for details.
[69580.662388] Lockdown: crash: /dev/mem,kmem,port is restricted; see man
kernel_lockdown.7
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
GNU gdb (GDB) 10.2
...
crash>
Thanks.
Lianbo
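The patch's point is that an existence test cannot distinguish a /dev/mem that lockdown refuses to open from one that is usable; only an actual read-only open() reveals the EPERM. The example below is added here to illustrate that selection logic stand-alone and is not crash's code: it probes each candidate once, in preference order, records why each was skipped, and stops at the first readable one so a locked-down kernel sees at most one open attempt per source. The function names `probe_source` and `select_live_source` and the constructed candidate list in main() are assumptions for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Outcome of probing one candidate live-memory source. */
enum probe_result {
    PROBE_NOT_PROBED,  /* a better candidate was already chosen */
    PROBE_READABLE,    /* open(O_RDONLY) succeeded */
    PROBE_MISSING,     /* ENOENT: the node does not exist */
    PROBE_DENIED,      /* EPERM/EACCES: exists but access is refused (lockdown) */
    PROBE_OTHER        /* any other open() failure */
};

/* Probe a path the way a readability check must: really open() it read-only
 * instead of only testing for existence. Under lockdown=integrity /dev/mem
 * exists but open() fails with EPERM, which an existence test never sees. */
enum probe_result probe_source(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) {
        close(fd);
        return PROBE_READABLE;
    }
    switch (errno) {
    case ENOENT:
        return PROBE_MISSING;
    case EPERM:
    case EACCES:
        return PROBE_DENIED;
    default:
        return PROBE_OTHER;
    }
}

/* Walk candidates in preference order and return the index of the first
 * readable one, or -1 if none is. results[] (may be NULL) receives one
 * outcome per candidate so the caller can explain why e.g. /dev/mem was
 * skipped. Probing stops at the first hit: every probe of a restricted
 * device costs an audit line in the kernel log, so none is repeated. */
int select_live_source(const char *const *candidates, int n,
                       enum probe_result *results)
{
    int chosen = -1;
    for (int i = 0; i < n; i++) {
        enum probe_result r = PROBE_NOT_PROBED;
        if (chosen < 0) {
            r = probe_source(candidates[i]);
            if (r == PROBE_READABLE)
                chosen = i;
        }
        if (results)
            results[i] = r;
    }
    return chosen;
}

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_READABLE:   return "readable";
    case PROBE_MISSING:    return "missing";
    case PROBE_DENIED:     return "exists but access denied (lockdown?)";
    case PROBE_OTHER:      return "open failed";
    default:               return "not probed";
    }
}

int main(void)
{
    /* Constructed preference list mirroring the patch: /dev/mem first. */
    const char *const candidates[] = { "/dev/mem", "/proc/kcore" };
    enum probe_result results[2];
    int n = 2;

    int chosen = select_live_source(candidates, n, results);
    for (int i = 0; i < n; i++)
        printf("%-12s %s\n", candidates[i], describe(results[i]));
    if (chosen < 0)
        printf("no readable live memory source\n");
    else
        printf("selected: %s\n", candidates[chosen]);
    return 0;
}
```

Run as an unprivileged user on a lockdown=integrity kernel the first line reports /dev/mem as "exists but access denied", which is exactly the state the original file_exists() check mistook for a usable source.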