[Crash-utility] [PATCH] Fix live debugging with lockdown=integrity

[Philipp Rudo]

With kernel lockdown the access to kernel interfaces that allow to
extract confidential information (lockdown=confidentiality) or modify a
running kernel (lockdown=integrity) can be restricted. Two of the
interfaces that can be restricted are /dev/mem (integrity &
confidentiality) and /proc/kcore (confidentiality). With
lockdown=integrity this leads to a situation where /dev/mem exists but
is not readable while /proc/kcore exists and is readable. This breaks
crash's live debugging when it is invoked without argument, i.e.

$ crash
[...]
crash: /dev/mem: Operation not permitted

while passing /proc/kcore as image succeeds. The reason for this is that
crash always picks /dev/mem as source when it exits but doesn't check if
it is readable. Fix this by only selecting /dev/mem when it is readable.

Signed-off-by: Philipp Rudo <prudo at redhat.com>
---
 filesys.c | 2 +-
 main.c    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/filesys.c b/filesys.c
index 3361b6c..43cbe82 100644
--- a/filesys.c
+++ b/filesys.c
@@ -3666,7 +3666,7 @@ get_live_memory_source(void)
 	if (pc->live_memsrc)
 		goto live_report;
 
-	if (file_exists("/dev/mem", NULL))
+	if (file_readable("/dev/mem"))
 		pc->live_memsrc = "/dev/mem";
 	else if (file_exists("/proc/kcore", NULL)) {
 		pc->flags &= ~DEVMEM;
diff --git a/main.c b/main.c
index 71c59d2..b278c22 100644
--- a/main.c
+++ b/main.c
@@ -1119,7 +1119,7 @@ setup_environment(int argc, char **argv)
 	pc->flags2 |= REDZONE;
 	pc->confd = -2;
 	pc->machine_type = MACHINE_TYPE;
-	if (file_exists("/dev/mem", NULL)) {     /* defaults until argv[] is parsed */
+	if (file_readable("/dev/mem")) {     /* defaults until argv[] is parsed */
 		pc->readmem = read_dev_mem;
 		pc->writemem = write_dev_mem;
 	} else if (file_exists("/proc/kcore", NULL)) {
-- 
2.31.1