Re: [Crash-utility] [PATCH] Fix live debugging with lockdown=integrity

Hi, Philipp Thank you for the fix. Date: Tue, 9 Nov 2021 14:52:22 +0100 > From: Philipp Rudo <prudo(a)redhat.com&gt; > To: crash-utility(a)redhat.com > Subject: [Crash-utility] [PATCH] Fix live debugging with > lockdown=integrity > Message-ID: <20211109135222.51636-1-prudo(a)redhat.com&gt; > > With kernel lockdown the access to kernel interfaces that allow to > extract confidential information (lockdown=confidentiality) or modify a > running kernel (lockdown=integrity) can be restricted. Two of the > interfaces that can be restricted are /dev/mem (integrity & > confidentiality) and /proc/kcore (confidentiality). With > lockdown=integrity this leads to a situation where /dev/mem exists but > is not readable while /proc/kcore exists and is readable. This breaks > crash's live debugging when it is invoked without argument, i.e. > > $ crash > [...] > crash: /dev/mem: Operation not permitted > > while passing /proc/kcore as image succeeds. The reason for this is that > crash always picks /dev/mem as source when it exits but doesn't check if > it is readable. Fix this by only selecting /dev/mem when it is readable. > > Signed-off-by: Philipp Rudo <prudo(a)redhat.com&gt; > --- > filesys.c | 2 +- > main.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/filesys.c b/filesys.c > index 3361b6c..43cbe82 100644 > --- a/filesys.c > +++ b/filesys.c > @@ -3666,7 +3666,7 @@ get_live_memory_source(void) > if (pc->live_memsrc) > goto live_report; > > - if (file_exists("/dev/mem", NULL)) > + if (file_readable("/dev/mem")) > pc->live_memsrc = "/dev/mem"; > else if (file_exists("/proc/kcore", NULL)) { > pc->flags &= ~DEVMEM; > diff --git a/main.c b/main.c > index 71c59d2..b278c22 100644 > --- a/main.c > +++ b/main.c > @@ -1119,7 +1119,7 @@ setup_environment(int argc, char **argv) > pc->flags2 |= REDZONE; > pc->confd = -2; > pc->machine_type = MACHINE_TYPE; > - if (file_exists("/dev/mem", NULL)) { /* defaults until argv[] > is parsed */ > + if (file_readable("/dev/mem")) { /* defaults until argv[] is > parsed */ > pc->readmem = read_dev_mem; > pc->writemem = write_dev_mem; > } else if (file_exists("/proc/kcore", NULL)) { > -- > 2.31.1 > After applying this patch, it works, but redundant information is displayed in the crash prompt as below. I marked it twice, is that expected? [root@testvm crash]# ./crash [69580.039885] Lockdown: crash: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ crash 7.3.0++ Copyright (C) 2002-2021 Red Hat, Inc. Copyright (C) 2004, 2005, 2006, 2010 IBM Corporation Copyright (C) 1999-2006 Hewlett-Packard Co Copyright (C) 2005, 2006, 2011, 2012 Fujitsu Limited Copyright (C) 2006, 2007 VA Linux Systems Japan K.K. Copyright (C) 2005, 2011, 2020-2021 NEC Corporation Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc. Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc. Copyright (C) 2015, 2021 VMware, Inc. This program is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Enter "help copying" to see the conditions. This program has absolutely no warranty. Enter "help warranty" for details. [69580.662388] Lockdown: crash: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ GNU gdb (GDB) 10.2 ... crash>