[Crash-utility] [PATCH] Fix live debugging with lockdown=integrity

lijiang lijiang at redhat.com
Fri Nov 12 07:23:18 UTC 2021


On Wed, Nov 10, 2021 at 5:53 PM Philipp Rudo <prudo at redhat.com> wrote:

> Hi Lianbo,
>
> On Wed, 10 Nov 2021 14:07:50 +0800
> lijiang <lijiang at redhat.com> wrote:
>
> > Hi, Philipp
> > Thank you for the fix.
> >
> > Date: Tue,  9 Nov 2021 14:52:22 +0100
> > > From: Philipp Rudo <prudo at redhat.com>
> > > To: crash-utility at redhat.com
> > > Subject: [Crash-utility] [PATCH] Fix live debugging with
> > >         lockdown=integrity
> > > Message-ID: <20211109135222.51636-1-prudo at redhat.com>
> > >
> > > With kernel lockdown, access to kernel interfaces that allow extracting
> > > confidential information (lockdown=confidentiality) or modifying a
> > > running kernel (lockdown=integrity) can be restricted. Two of the
> > > interfaces that can be restricted are /dev/mem (integrity &
> > > confidentiality) and /proc/kcore (confidentiality). With
> > > lockdown=integrity this leads to a situation where /dev/mem exists but
> > > is not readable while /proc/kcore exists and is readable. This breaks
> > > crash's live debugging when it is invoked without argument, i.e.
> > >
> > > $ crash
> > > [...]
> > > crash: /dev/mem: Operation not permitted
> > >
> > > while passing /proc/kcore as image succeeds. The reason for this is that
> > > crash always picks /dev/mem as source when it exists but doesn't check if
> > > it is readable. Fix this by only selecting /dev/mem when it is readable.
> > >
> > > Signed-off-by: Philipp Rudo <prudo at redhat.com>
> > > ---
> > >  filesys.c | 2 +-
> > >  main.c    | 2 +-
> > >  2 files changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/filesys.c b/filesys.c
> > > index 3361b6c..43cbe82 100644
> > > --- a/filesys.c
> > > +++ b/filesys.c
> > > @@ -3666,7 +3666,7 @@ get_live_memory_source(void)
> > >         if (pc->live_memsrc)
> > >                 goto live_report;
> > >
> > > -       if (file_exists("/dev/mem", NULL))
> > > +       if (file_readable("/dev/mem"))
> > >                 pc->live_memsrc = "/dev/mem";
> > >         else if (file_exists("/proc/kcore", NULL)) {
> > >                 pc->flags &= ~DEVMEM;
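Review bot: the fallback branch directly below the changed line still uses `file_exists("/proc/kcore", NULL)`, so the same existence-versus-readability gap that this hunk closes for /dev/mem remains for /proc/kcore, which the commit message says is restricted under lockdown=confidentiality; consider `else if (file_readable("/proc/kcore"))` so the fallback cannot select an unreadable source either. A short comment that file_readable() opens and reads the device would also help, because under lockdown every such open makes the kernel log a "Lockdown: ... is restricted" line, as discussed later in this thread.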
> > > diff --git a/main.c b/main.c
> > > index 71c59d2..b278c22 100644
> > > --- a/main.c
> > > +++ b/main.c
> > > @@ -1119,7 +1119,7 @@ setup_environment(int argc, char **argv)
> > >         pc->flags2 |= REDZONE;
> > >         pc->confd = -2;
> > >         pc->machine_type = MACHINE_TYPE;
> > > -       if (file_exists("/dev/mem", NULL)) {     /* defaults until
> argv[]
> > > is parsed */
> > > +       if (file_readable("/dev/mem")) {     /* defaults until argv[]
> is
> > > parsed */
> > >                 pc->readmem = read_dev_mem;
> > >                 pc->writemem = write_dev_mem;
> > >         } else if (file_exists("/proc/kcore", NULL)) {
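Review bot: this probe duplicates the one in get_live_memory_source() in filesys.c, so after this change file_readable() opens /dev/mem twice during startup when no image is given; that is consistent with the two "Lockdown: crash: /dev/mem,kmem,port is restricted" lines reported further down in this thread. Consider probing once, e.g. by recording the result of the first file_readable() call in pc and reusing it, or by leaving the default selection entirely to get_live_memory_source(), so the kernel logs the access once. As in filesys.c, the `} else if (file_exists("/proc/kcore", NULL)) {` fallback still only checks existence, not readability.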
> > > --
> > > 2.31.1
> > >
> >
> > After applying this patch, it works, but redundant information is
> > displayed in the crash prompt as below. I marked it twice, is that expected?
> >
> > [root at testvm crash]# ./crash
> > [69580.039885] Lockdown: crash: /dev/mem,kmem,port is restricted; see man
> > kernel_lockdown.7
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > crash 7.3.0++
> > Copyright (C) 2002-2021  Red Hat, Inc.
> > Copyright (C) 2004, 2005, 2006, 2010  IBM Corporation
> > Copyright (C) 1999-2006  Hewlett-Packard Co
> > Copyright (C) 2005, 2006, 2011, 2012  Fujitsu Limited
> > Copyright (C) 2006, 2007  VA Linux Systems Japan K.K.
> > Copyright (C) 2005, 2011, 2020-2021  NEC Corporation
> > Copyright (C) 1999, 2002, 2007  Silicon Graphics, Inc.
> > Copyright (C) 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
> > Copyright (C) 2015, 2021  VMware, Inc.
> > This program is free software, covered by the GNU General Public License,
> > and you are welcome to change it and/or distribute copies of it under
> > certain conditions.  Enter "help copying" to see the conditions.
> > This program has absolutely no warranty.  Enter "help warranty" for details.
> >
> > [69580.662388] Lockdown: crash: /dev/mem,kmem,port is restricted; see man
> > kernel_lockdown.7
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > GNU gdb (GDB) 10.2
> > ...
> > crash>
>
> I assume you are using a serial console as I cannot see the messages
> when connecting via ssh. They do appear in dmesg though.
>

Yes. I only saw this message on the serial console.


> The message is emitted by the kernel every time someone opens /dev/mem
> (or one of the other two files). This is done in file_readable as it
> checks if a file can be read from by actually opening and reading from
> it. Unfortunately I don't see a way around it. At least stat still
> shows /dev/mem as readable
>
> # stat /dev/mem
> [...]
> Access: (0640/crw-r-----)  Uid: (    0/    root)   Gid: (    9/    kmem)
> [...]
>
> So yes, seeing those messages is expected.
>

OK, thank you for the explanation, Philipp. I have no other issues.

Acked-by: Lianbo Jiang <lijiang at redhat.com>
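The distinction Philipp describes above (stat() reports /dev/mem as readable, yet opening and reading it is refused) as an added C example; this is not crash's own file_exists()/file_readable() code. The function names, the candidate list and the fixture are assumptions constructed here: a directory stands in for a locked-down /dev/mem because it exists and passes stat() but cannot be read, and a small regular file stands in for /proc/kcore.

```c
/* Added illustration of "exists" vs "readable"; not crash's own code. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The old check: stat() only, so a locked-down /dev/mem still passes. */
int file_exists_only(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* The fixed check: actually open() and read() one byte. Under lockdown
 * this fails with EPERM on /dev/mem although stat() shows crw-r-----. */
int file_readable_now(const char *path)
{
    char byte;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, &byte, 1);
    close(fd);
    return n >= 0;  /* an empty file reads 0 bytes but is still readable */
}

/* Pick the first candidate that is really readable (NULL if none). */
const char *pick_live_memsrc(const char *const *cands, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (file_readable_now(cands[i]))
            return cands[i];
    return NULL;
}
/* Constructed fixture: a directory stands in for a locked-down /dev/mem
 * (stat ok, read fails with EISDIR); a regular file stands in for kcore. */
int make_fixture(char *dir, size_t dlen, char *file, size_t flen)
{
    char tmpl[] = "/tmp/memsrcXXXXXX";
    FILE *f;
    if (!mkdtemp(tmpl))
        return -1;
    snprintf(dir, dlen, "%s", tmpl);
    snprintf(file, flen, "%s/kcore", tmpl);
    if (!(f = fopen(file, "w")))
        return -1;
    fputs("x", f);
    return fclose(f);
}
```

With the fixture in place, file_exists_only() accepts both paths while file_readable_now() rejects the directory, so pick_live_memsrc() falls through to the regular file exactly as the patched crash falls through to /proc/kcore.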