Commit 21ccc9cd authored by Steven Rostedt (VMware)'s avatar Steven Rostedt (VMware)

tracing: Disable "other" permission bits in the tracefs files

When building the files in the tracefs file system, do not by default set
any permissions for OTH (other). This will make it easier for admins who
want to define a group for accessing tracefs and not having to first
disable all the permission bits for "other" in the file system.

As tracing can leak sensitive information, it should never by default
allow all users access. An admin can still set the permission bits for
others to have access, which may be useful for creating a honeypot and
seeing who takes advantage of it and roots the machine.

Link: https://lkml.kernel.org/r/20210818153038.864149276@goodmis.org



Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
parent 49d67e44
+12 −11
@@ -988,8 +988,9 @@ static __init void ftrace_profile_tracefs(struct dentry *d_tracer)
		}
	}

	entry = tracefs_create_file("function_profile_enabled", 0644,
				    d_tracer, NULL, &ftrace_profile_fops);
	entry = tracefs_create_file("function_profile_enabled",
				    TRACE_MODE_WRITE, d_tracer, NULL,
				    &ftrace_profile_fops);
	if (!entry)
		pr_warn("Could not create tracefs 'function_profile_enabled' entry\n");
}
@@ -6109,10 +6110,10 @@ void ftrace_create_filter_files(struct ftrace_ops *ops,
				struct dentry *parent)
{

	trace_create_file("set_ftrace_filter", 0644, parent,
	trace_create_file("set_ftrace_filter", TRACE_MODE_WRITE, parent,
			  ops, &ftrace_filter_fops);

	trace_create_file("set_ftrace_notrace", 0644, parent,
	trace_create_file("set_ftrace_notrace", TRACE_MODE_WRITE, parent,
			  ops, &ftrace_notrace_fops);
}

@@ -6139,19 +6140,19 @@ void ftrace_destroy_filter_files(struct ftrace_ops *ops)
static __init int ftrace_init_dyn_tracefs(struct dentry *d_tracer)
{

	trace_create_file("available_filter_functions", 0444,
	trace_create_file("available_filter_functions", TRACE_MODE_READ,
			d_tracer, NULL, &ftrace_avail_fops);

	trace_create_file("enabled_functions", 0444,
	trace_create_file("enabled_functions", TRACE_MODE_READ,
			d_tracer, NULL, &ftrace_enabled_fops);

	ftrace_create_filter_files(&global_ops, d_tracer);

#ifdef CONFIG_FUNCTION_GRAPH_TRACER
	trace_create_file("set_graph_function", 0644, d_tracer,
	trace_create_file("set_graph_function", TRACE_MODE_WRITE, d_tracer,
				    NULL,
				    &ftrace_graph_fops);
	trace_create_file("set_graph_notrace", 0644, d_tracer,
	trace_create_file("set_graph_notrace", TRACE_MODE_WRITE, d_tracer,
				    NULL,
				    &ftrace_graph_notrace_fops);
#endif /* CONFIG_FUNCTION_GRAPH_TRACER */
@@ -7494,10 +7495,10 @@ static const struct file_operations ftrace_no_pid_fops = {

void ftrace_init_tracefs(struct trace_array *tr, struct dentry *d_tracer)
{
	trace_create_file("set_ftrace_pid", 0644, d_tracer,
	trace_create_file("set_ftrace_pid", TRACE_MODE_WRITE, d_tracer,
			    tr, &ftrace_pid_fops);
	trace_create_file("set_ftrace_notrace_pid", 0644, d_tracer,
			    tr, &ftrace_no_pid_fops);
	trace_create_file("set_ftrace_notrace_pid", TRACE_MODE_WRITE,
			  d_tracer, tr, &ftrace_no_pid_fops);
}

void __init ftrace_init_tracefs_toplevel(struct trace_array *tr,
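Review bot: The rewrapped call in the first hunk puts `tracefs_create_file("function_profile_enabled",` alone on a line and spreads the remaining arguments over two more lines, while the other converted calls in this file (`set_ftrace_pid` and `set_ftrace_notrace_pid` in the last hunk) keep filling each line to the margin; one wrapping convention would make this mechanical substitution easier to audit line by line. The same two-line to three-line rewrap appears for `tracing_max_latency` in trace.c and `set_event_notrace_pid` in trace_events.c. Since every call site still passes a mode argument, a later addition written with a literal `0644` would silently reintroduce the "other" bits, so a reviewer grepping for a bare octal mode in tracefs call sites is the remaining safeguard.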
+37 −36
@@ -1690,7 +1690,8 @@ static void trace_create_maxlat_file(struct trace_array *tr,
{
	INIT_WORK(&tr->fsnotify_work, latency_fsnotify_workfn);
	init_irq_work(&tr->fsnotify_irqwork, latency_fsnotify_workfn_irq);
	tr->d_max_latency = trace_create_file("tracing_max_latency", 0644,
	tr->d_max_latency = trace_create_file("tracing_max_latency",
					      TRACE_MODE_WRITE,
					      d_tracer, &tr->max_latency,
					      &tracing_max_lat_fops);
}
@@ -1727,8 +1728,8 @@ void latency_fsnotify(struct trace_array *tr)
#else

#define trace_create_maxlat_file(tr, d_tracer)				\
	trace_create_file("tracing_max_latency", 0644, d_tracer,	\
			  &tr->max_latency, &tracing_max_lat_fops)
	trace_create_file("tracing_max_latency", TRACE_MODE_WRITE,	\
			  d_tracer, &tr->max_latency, &tracing_max_lat_fops)

#endif

@@ -6054,7 +6055,7 @@ trace_insert_eval_map_file(struct module *mod, struct trace_eval_map **start,

static void trace_create_eval_file(struct dentry *d_tracer)
{
	trace_create_file("eval_map", 0444, d_tracer,
	trace_create_file("eval_map", TRACE_MODE_READ, d_tracer,
			  NULL, &tracing_eval_map_fops);
}

@@ -8567,27 +8568,27 @@ tracing_init_tracefs_percpu(struct trace_array *tr, long cpu)
	}

	/* per cpu trace_pipe */
	trace_create_cpu_file("trace_pipe", 0444, d_cpu,
	trace_create_cpu_file("trace_pipe", TRACE_MODE_READ, d_cpu,
				tr, cpu, &tracing_pipe_fops);

	/* per cpu trace */
	trace_create_cpu_file("trace", 0644, d_cpu,
	trace_create_cpu_file("trace", TRACE_MODE_WRITE, d_cpu,
				tr, cpu, &tracing_fops);

	trace_create_cpu_file("trace_pipe_raw", 0444, d_cpu,
	trace_create_cpu_file("trace_pipe_raw", TRACE_MODE_READ, d_cpu,
				tr, cpu, &tracing_buffers_fops);

	trace_create_cpu_file("stats", 0444, d_cpu,
	trace_create_cpu_file("stats", TRACE_MODE_READ, d_cpu,
				tr, cpu, &tracing_stats_fops);

	trace_create_cpu_file("buffer_size_kb", 0444, d_cpu,
	trace_create_cpu_file("buffer_size_kb", TRACE_MODE_READ, d_cpu,
				tr, cpu, &tracing_entries_fops);

#ifdef CONFIG_TRACER_SNAPSHOT
	trace_create_cpu_file("snapshot", 0644, d_cpu,
	trace_create_cpu_file("snapshot", TRACE_MODE_WRITE, d_cpu,
				tr, cpu, &snapshot_fops);

	trace_create_cpu_file("snapshot_raw", 0444, d_cpu,
	trace_create_cpu_file("snapshot_raw", TRACE_MODE_READ, d_cpu,
				tr, cpu, &snapshot_raw_fops);
#endif
}
@@ -8793,8 +8794,8 @@ create_trace_option_file(struct trace_array *tr,
	topt->opt = opt;
	topt->tr = tr;

	topt->entry = trace_create_file(opt->name, 0644, t_options, topt,
				    &trace_options_fops);
	topt->entry = trace_create_file(opt->name, TRACE_MODE_WRITE,
					t_options, topt, &trace_options_fops);

}

@@ -8869,7 +8870,7 @@ create_trace_option_core_file(struct trace_array *tr,
	if (!t_options)
		return NULL;

	return trace_create_file(option, 0644, t_options,
	return trace_create_file(option, TRACE_MODE_WRITE, t_options,
				 (void *)&tr->trace_flags_index[index],
				 &trace_options_core_fops);
}
@@ -9394,28 +9395,28 @@ init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer)
	struct trace_event_file *file;
	int cpu;

	trace_create_file("available_tracers", 0444, d_tracer,
	trace_create_file("available_tracers", TRACE_MODE_READ, d_tracer,
			tr, &show_traces_fops);

	trace_create_file("current_tracer", 0644, d_tracer,
	trace_create_file("current_tracer", TRACE_MODE_WRITE, d_tracer,
			tr, &set_tracer_fops);

	trace_create_file("tracing_cpumask", 0644, d_tracer,
	trace_create_file("tracing_cpumask", TRACE_MODE_WRITE, d_tracer,
			  tr, &tracing_cpumask_fops);

	trace_create_file("trace_options", 0644, d_tracer,
	trace_create_file("trace_options", TRACE_MODE_WRITE, d_tracer,
			  tr, &tracing_iter_fops);

	trace_create_file("trace", 0644, d_tracer,
	trace_create_file("trace", TRACE_MODE_WRITE, d_tracer,
			  tr, &tracing_fops);

	trace_create_file("trace_pipe", 0444, d_tracer,
	trace_create_file("trace_pipe", TRACE_MODE_READ, d_tracer,
			  tr, &tracing_pipe_fops);

	trace_create_file("buffer_size_kb", 0644, d_tracer,
	trace_create_file("buffer_size_kb", TRACE_MODE_WRITE, d_tracer,
			  tr, &tracing_entries_fops);

	trace_create_file("buffer_total_size_kb", 0444, d_tracer,
	trace_create_file("buffer_total_size_kb", TRACE_MODE_READ, d_tracer,
			  tr, &tracing_total_entries_fops);

	trace_create_file("free_buffer", 0200, d_tracer,
@@ -9426,25 +9427,25 @@ init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer)

	file = __find_event_file(tr, "ftrace", "print");
	if (file && file->dir)
		trace_create_file("trigger", 0644, file->dir, file,
				  &event_trigger_fops);
		trace_create_file("trigger", TRACE_MODE_WRITE, file->dir,
				  file, &event_trigger_fops);
	tr->trace_marker_file = file;

	trace_create_file("trace_marker_raw", 0220, d_tracer,
			  tr, &tracing_mark_raw_fops);

	trace_create_file("trace_clock", 0644, d_tracer, tr,
	trace_create_file("trace_clock", TRACE_MODE_WRITE, d_tracer, tr,
			  &trace_clock_fops);

	trace_create_file("tracing_on", 0644, d_tracer,
	trace_create_file("tracing_on", TRACE_MODE_WRITE, d_tracer,
			  tr, &rb_simple_fops);

	trace_create_file("timestamp_mode", 0444, d_tracer, tr,
	trace_create_file("timestamp_mode", TRACE_MODE_READ, d_tracer, tr,
			  &trace_time_stamp_mode_fops);

	tr->buffer_percent = 50;

	trace_create_file("buffer_percent", 0444, d_tracer,
	trace_create_file("buffer_percent", TRACE_MODE_READ, d_tracer,
			tr, &buffer_percent_fops);

	create_trace_options_dir(tr);
@@ -9457,11 +9458,11 @@ init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer)
		MEM_FAIL(1, "Could not allocate function filter files");

#ifdef CONFIG_TRACER_SNAPSHOT
	trace_create_file("snapshot", 0644, d_tracer,
	trace_create_file("snapshot", TRACE_MODE_WRITE, d_tracer,
			  tr, &snapshot_fops);
#endif

	trace_create_file("error_log", 0644, d_tracer,
	trace_create_file("error_log", TRACE_MODE_WRITE, d_tracer,
			  tr, &tracing_err_log_fops);

	for_each_tracing_cpu(cpu)
@@ -9654,19 +9655,19 @@ static __init int tracer_init_tracefs(void)
	init_tracer_tracefs(&global_trace, NULL);
	ftrace_init_tracefs_toplevel(&global_trace, NULL);

	trace_create_file("tracing_thresh", 0644, NULL,
	trace_create_file("tracing_thresh", TRACE_MODE_WRITE, NULL,
			&global_trace, &tracing_thresh_fops);

	trace_create_file("README", 0444, NULL,
	trace_create_file("README", TRACE_MODE_READ, NULL,
			NULL, &tracing_readme_fops);

	trace_create_file("saved_cmdlines", 0444, NULL,
	trace_create_file("saved_cmdlines", TRACE_MODE_READ, NULL,
			NULL, &tracing_saved_cmdlines_fops);

	trace_create_file("saved_cmdlines_size", 0644, NULL,
	trace_create_file("saved_cmdlines_size", TRACE_MODE_WRITE, NULL,
			  NULL, &tracing_saved_cmdlines_size_fops);

	trace_create_file("saved_tgids", 0444, NULL,
	trace_create_file("saved_tgids", TRACE_MODE_READ, NULL,
			NULL, &tracing_saved_tgids_fops);

	trace_eval_init();
@@ -9678,7 +9679,7 @@ static __init int tracer_init_tracefs(void)
#endif

#ifdef CONFIG_DYNAMIC_FTRACE
	trace_create_file("dyn_ftrace_total_info", 0444, NULL,
	trace_create_file("dyn_ftrace_total_info", TRACE_MODE_READ, NULL,
			NULL, &tracing_dyn_info_fops);
#endif

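Review bot: In the `init_tracer_tracefs` hunks `free_buffer` keeps the literal `0200` and `trace_marker_raw` keeps `0220`, so the permission policy for tracefs files is now split between the two named modes and raw octal at the call sites. Those two literals already grant nothing to "other", so this is not a regression, but a reader checking that no file was missed cannot tell an intentional write-only mode from an unconverted one. A short comment next to them (`/* write-only: no TRACE_MODE_* equivalent */`) or a third named write-only mode beside the two definitions in trace.h would keep the header the single place where tracefs modes are decided. The enclosing function starts and ends outside the hunks shown.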
+3 −0
@@ -29,6 +29,9 @@
#include <asm/syscall.h>	/* some archs define it here */
#endif

#define TRACE_MODE_WRITE	0640
#define TRACE_MODE_READ		0440

enum trace_type {
	__TRACE_FIRST_TYPE = 0,

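Review bot: The two new defines carry no comment, and their names do not say what distinguishes them from the literals they replace: both still give the group read access, and the point of the change is that neither grants anything to "other". A comment above them would let the next contributor pick the right one and understand why a plain `0644` is not acceptable here, for example `/* Modes for tracefs files: owner rw + group r, or read-only for owner and group. */` followed by `/* No "other" bits by default; trace data can expose sensitive information. */`. It would also be worth stating that these are the modes every new tracefs file should use, since the substitution is otherwise enforced only by review.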
+1 −1
@@ -262,7 +262,7 @@ static __init int init_dynamic_event(void)
	if (ret)
		return 0;

	entry = tracefs_create_file("dynamic_events", 0644, NULL,
	entry = tracefs_create_file("dynamic_events", TRACE_MODE_WRITE, NULL,
				    NULL, &dynamic_events_ops);

	/* Event list interface */
+22 −20
@@ -2312,7 +2312,8 @@ event_subsystem_dir(struct trace_array *tr, const char *name,
	/* the ftrace system is special, do not create enable or filter files */
	if (strcmp(name, "ftrace") != 0) {

		entry = tracefs_create_file("filter", 0644, dir->entry, dir,
		entry = tracefs_create_file("filter", TRACE_MODE_WRITE,
					    dir->entry, dir,
					    &ftrace_subsystem_filter_fops);
		if (!entry) {
			kfree(system->filter);
@@ -2320,7 +2321,7 @@ event_subsystem_dir(struct trace_array *tr, const char *name,
			pr_warn("Could not create tracefs '%s/filter' entry\n", name);
		}

		trace_create_file("enable", 0644, dir->entry, dir,
		trace_create_file("enable", TRACE_MODE_WRITE, dir->entry, dir,
				  &ftrace_system_enable_fops);
	}

@@ -2402,12 +2403,12 @@ event_create_dir(struct dentry *parent, struct trace_event_file *file)
	}

	if (call->class->reg && !(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE))
		trace_create_file("enable", 0644, file->dir, file,
		trace_create_file("enable", TRACE_MODE_WRITE, file->dir, file,
				  &ftrace_enable_fops);

#ifdef CONFIG_PERF_EVENTS
	if (call->event.type && call->class->reg)
		trace_create_file("id", 0444, file->dir,
		trace_create_file("id", TRACE_MODE_READ, file->dir,
				  (void *)(long)call->event.type,
				  &ftrace_event_id_fops);
#endif
@@ -2423,22 +2424,22 @@ event_create_dir(struct dentry *parent, struct trace_event_file *file)
	 * triggers or filters.
	 */
	if (!(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE)) {
		trace_create_file("filter", 0644, file->dir, file,
				  &ftrace_event_filter_fops);
		trace_create_file("filter", TRACE_MODE_WRITE, file->dir,
				  file, &ftrace_event_filter_fops);

		trace_create_file("trigger", 0644, file->dir, file,
				  &event_trigger_fops);
		trace_create_file("trigger", TRACE_MODE_WRITE, file->dir,
				  file, &event_trigger_fops);
	}

#ifdef CONFIG_HIST_TRIGGERS
	trace_create_file("hist", 0444, file->dir, file,
	trace_create_file("hist", TRACE_MODE_READ, file->dir, file,
			  &event_hist_fops);
#endif
#ifdef CONFIG_HIST_TRIGGERS_DEBUG
	trace_create_file("hist_debug", 0444, file->dir, file,
	trace_create_file("hist_debug", TRACE_MODE_READ, file->dir, file,
			  &event_hist_debug_fops);
#endif
	trace_create_file("format", 0444, file->dir, call,
	trace_create_file("format", TRACE_MODE_READ, file->dir, call,
			  &ftrace_event_format_fops);

#ifdef CONFIG_TRACE_EVENT_INJECT
@@ -3433,7 +3434,7 @@ create_event_toplevel_files(struct dentry *parent, struct trace_array *tr)
	struct dentry *d_events;
	struct dentry *entry;

	entry = tracefs_create_file("set_event", 0644, parent,
	entry = tracefs_create_file("set_event", TRACE_MODE_WRITE, parent,
				    tr, &ftrace_set_event_fops);
	if (!entry) {
		pr_warn("Could not create tracefs 'set_event' entry\n");
@@ -3446,7 +3447,7 @@ create_event_toplevel_files(struct dentry *parent, struct trace_array *tr)
		return -ENOMEM;
	}

	entry = trace_create_file("enable", 0644, d_events,
	entry = trace_create_file("enable", TRACE_MODE_WRITE, d_events,
				  tr, &ftrace_tr_enable_fops);
	if (!entry) {
		pr_warn("Could not create tracefs 'enable' entry\n");
@@ -3455,24 +3456,25 @@ create_event_toplevel_files(struct dentry *parent, struct trace_array *tr)

	/* There are not as crucial, just warn if they are not created */

	entry = tracefs_create_file("set_event_pid", 0644, parent,
	entry = tracefs_create_file("set_event_pid", TRACE_MODE_WRITE, parent,
				    tr, &ftrace_set_event_pid_fops);
	if (!entry)
		pr_warn("Could not create tracefs 'set_event_pid' entry\n");

	entry = tracefs_create_file("set_event_notrace_pid", 0644, parent,
				    tr, &ftrace_set_event_notrace_pid_fops);
	entry = tracefs_create_file("set_event_notrace_pid",
				    TRACE_MODE_WRITE, parent, tr,
				    &ftrace_set_event_notrace_pid_fops);
	if (!entry)
		pr_warn("Could not create tracefs 'set_event_notrace_pid' entry\n");

	/* ring buffer internal formats */
	entry = trace_create_file("header_page", 0444, d_events,
	entry = trace_create_file("header_page", TRACE_MODE_READ, d_events,
				  ring_buffer_print_page_header,
				  &ftrace_show_header_fops);
	if (!entry)
		pr_warn("Could not create tracefs 'header_page' entry\n");

	entry = trace_create_file("header_event", 0444, d_events,
	entry = trace_create_file("header_event", TRACE_MODE_READ, d_events,
				  ring_buffer_print_entry_header,
				  &ftrace_show_header_fops);
	if (!entry)
@@ -3689,8 +3691,8 @@ __init int event_trace_init(void)
	if (!tr)
		return -ENODEV;

	entry = tracefs_create_file("available_events", 0444, NULL,
				    tr, &ftrace_avail_fops);
	entry = tracefs_create_file("available_events", TRACE_MODE_READ,
				    NULL, tr, &ftrace_avail_fops);
	if (!entry)
		pr_warn("Could not create tracefs 'available_events' entry\n");

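Review bot: In the `event_create_dir` hunks the per-event `format` and `id` files move to `TRACE_MODE_READ`, i.e. 0440, which affects more than interactive readers: userspace that parses tracepoint definitions (perf and libtraceevent-based tools, if run unprivileged on this system) reads exactly these files and will now fail unless the user is in the group that owns tracefs. That is the intended trade-off, but the commit message only speaks of admins defining a group in general terms; a sentence naming the `events/*/format` and `events/*/id` readers as the visible breakage would help admins diagnose it. The enclosing functions start and end outside the hunks shown.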