[LU-10444] l_getidentity keeps remount /sys/kernel/debug and reverting permissions. - Whamcloud Community JIRA

Details

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: Lustre 2.11.0, Lustre 2.10.4
Affects Version/s: Lustre 2.10.1
Labels:
None

Severity:
3
Rank (Obsolete):
9223372036854775807

Description

We change the permissions of /sys/kernel/debug to 755. But it kept revering to 700.

Using systemtap script

#!/usr/bin/env stap

probe kernel.function("debug_mount") {
 printf("mounting ")
 printf("pid %i %s %s %s \n", pid(),execname(), cmdline_str(), caller())
 print_backtrace()
}

probe kernel.function("debugfs_remount") {
 printf("remounting ")
 printf("pid %i %s %s %s \n", pid(),execname(), cmdline_str(), caller())
 print_backtrace()
}

I tracked this down to l_getidentity. Specificly cfs_get_param_paths keeps remounting /sys/kernel/debug.

# mount -o remount,mode=755 /sys/kernel/debug
debugfs on /sys/kernel/debug type debugfs (rw,relatime,mode=755)

Here is the output from the systemtap

nbp1-mds ~ # stap -v debug_mount.stp 
Pass 1: parsed user script and 468 library scripts using 122940virt/39548res/3192shr/36448data kb, in 340usr/20sys/351real ms.
Pass 2: analyzed script: 2 probes, 22 functions, 5 embeds, 0 globals using 161632virt/79356res/4388shr/75140data kb, in 580usr/80sys/665real ms.
Pass 3: translated to C into "/tmp/stapYTzkIl/stap_6d34b35e04d11e38ae0c8b364ac253de_10487_src.c" using 162160virt/80148res/4692shr/75668data kb, in 340usr/10sys/353real ms.
Pass 4: compiled C into "stap_6d34b35e04d11e38ae0c8b364ac253de_10487.ko" in 5660usr/860sys/5857real ms.
Pass 5: starting run.
mounting pid 9739 l_getidentity "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" mount_fs 0xffffffff811fec69 
 0xffffffff81289120 : debug_mount+0x0/0x20 [kernel]
 0xffffffff811fec69 : mount_fs+0x39/0x1b0 [kernel]
 0xffffffff8121b5c7 : vfs_kern_mount+0x67/0x110 [kernel]
 0xffffffff8121dad3 : do_mount+0x233/0xaf0 [kernel]
 0xffffffff8121e716 : SyS_mount+0x96/0xf0 [kernel]
 0xffffffff81695b89 : system_call_fastpath+0x16/0x1b [kernel]
remounting pid 9739 l_getidentity "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" do_remount_sb 0xffffffff811fe7c2 
 0xffffffff81289330 : debugfs_remount+0x0/0x50 [kernel]
 0xffffffff811fe7c2 : do_remount_sb+0x72/0x200 [kernel]
 0xffffffff811feb07 : mount_single+0x57/0xc0 [kernel]
 0xffffffff81289138 : debug_mount+0x18/0x20 [kernel]
 0xffffffff811fec69 : mount_fs+0x39/0x1b0 [kernel]
 0xffffffff8121b5c7 : vfs_kern_mount+0x67/0x110 [kernel]
 0xffffffff8121dad3 : do_mount+0x233/0xaf0 [kernel]
 0xffffffff8121e716 : SyS_mount+0x96/0xf0 [kernel]
 0xffffffff81695b89 : system_call_fastpath+0x16/0x1b [kernel]
mounting pid 9779 l_getidentity "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" mount_fs 0xffffffff811fec69 
 0xffffffff81289120 : debug_mount+0x0/0x20 [kernel]
 0xffffffff811fec69 : mount_fs+0x39/0x1b0 [kernel]
 0xffffffff8121b5c7 : vfs_kern_mount+0x67/0x110 [kernel]
 0xffffffff8121dad3 : do_mount+0x233/0xaf0 [kernel]
 0xffffffff8121e716 : SyS_mount+0x96/0xf0 [kernel]
 0xffffffff81695b89 : system_call_fastpath+0x16/0x1b [kernel]
remounting pid 9779 l_getidentity "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" do_remount_sb 0xffffffff811fe7c2 
 0xffffffff81289330 : debugfs_remount+0x0/0x50 [kernel]
 0xffffffff811fe7c2 : do_remount_sb+0x72/0x200 [kernel]
 0xffffffff811feb07 : mount_single+0x57/0xc0 [kernel]
 0xffffffff81289138 : debug_mount+0x18/0x20 [kernel]
 0xffffffff811fec69 : mount_fs+0x39/0x1b0 [kernel]
 0xffffffff8121b5c7 : vfs_kern_mount+0x67/0x110 [kernel]
 0xffffffff8121dad3 : do_mount+0x233/0xaf0 [kernel]
 0xffffffff8121e716 : SyS_mount+0x96/0xf0 [kernel]
 0xffffffff81695b89 : system_call_fastpath+0x16/0x1b [kernel]

Attachments

Activity

[LU-10444] l_getidentity keeps remount /sys/kernel/debug and reverting permissions.

Gerrit Updater added a comment - 09/Feb/18 6:07 PM

John L. Hammond (john.hammond@intel.com) merged in patch https://review.whamcloud.com/30900/
Subject: ~~LU-10444~~ utils: Don't remount debugfs every time
Project: fs/lustre-release
Branch: b2_10
Current Patch Set:
Commit: 82bf22a4200ba657465302daf6a77b9ebd6b7853

Gerrit Updater added a comment - 09/Feb/18 6:07 PM John L. Hammond (john.hammond@intel.com) merged in patch https://review.whamcloud.com/30900/ Subject: LU-10444 utils: Don't remount debugfs every time Project: fs/lustre-release Branch: b2_10 Current Patch Set: Commit: 82bf22a4200ba657465302daf6a77b9ebd6b7853

Gerrit Updater added a comment - 17/Jan/18 4:11 PM

Minh Diep (minh.diep@intel.com) uploaded a new patch: https://review.whamcloud.com/30900
Subject: ~~LU-10444~~ utils: Don't remount debugfs every time
Project: fs/lustre-release
Branch: b2_10
Current Patch Set: 1
Commit: 4a567792a13668d1872481c36f365912253f751e

Gerrit Updater added a comment - 17/Jan/18 4:11 PM Minh Diep (minh.diep@intel.com) uploaded a new patch: https://review.whamcloud.com/30900 Subject: LU-10444 utils: Don't remount debugfs every time Project: fs/lustre-release Branch: b2_10 Current Patch Set: 1 Commit: 4a567792a13668d1872481c36f365912253f751e

Peter Jones added a comment - 14/Jan/18 3:39 PM

Landed for 2.11

Peter Jones added a comment - 14/Jan/18 3:39 PM Landed for 2.11

Gerrit Updater added a comment - 14/Jan/18 2:36 AM

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/30675/
Subject: ~~LU-10444~~ utils: Don't remount debugfs every time
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 767f03b161ae44bd9d33dae7e03e71e73852813f

Gerrit Updater added a comment - 14/Jan/18 2:36 AM Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/30675/ Subject: LU-10444 utils: Don't remount debugfs every time Project: fs/lustre-release Branch: master Current Patch Set: Commit: 767f03b161ae44bd9d33dae7e03e71e73852813f

Andreas Dilger added a comment - 04/Jan/18 7:09 AM

I don't think it is ok to allow read access only to specific files. That means the monitoring tools need to run as root, which some sites would prefer to avoid. Also, some lfs commands may need to be able to read the /proc files as well. I don't think there is a security issue for reading most of the files, but we used to have individual permissions for each file and that would need to be reviewed.

Andreas Dilger added a comment - 04/Jan/18 7:09 AM I don't think it is ok to allow read access only to specific files. That means the monitoring tools need to run as root, which some sites would prefer to avoid. Also, some lfs commands may need to be able to read the /proc files as well. I don't think there is a security issue for reading most of the files, but we used to have individual permissions for each file and that would need to be reviewed.

James A Simmons added a comment - 03/Jan/18 9:17 PM

Can post which lustre proc files you monitor. I'm working on a patch to restore lctl device_list as non-root.

James A Simmons added a comment - 03/Jan/18 9:17 PM Can post which lustre proc files you monitor. I'm working on a patch to restore lctl device_list as non-root.

Mahmoud Hanafi added a comment - 03/Jan/18 9:06 PM

Correct the only reason we needed to change permissions was the device file, because our tools broke when it was moved. For now I wrote a work around to scan the /proc/fs/lustre and build the device list.

I think the patch here does the job by persevering existing mount options.

Typically our monitoring tools run as non-root so having read access to /proc/ is critical

-Mahmoud

Mahmoud Hanafi added a comment - 03/Jan/18 9:06 PM Correct the only reason we needed to change permissions was the device file, because our tools broke when it was moved. For now I wrote a work around to scan the /proc/fs/lustre and build the device list. I think the patch here does the job by persevering existing mount options. Typically our monitoring tools run as non-root so having read access to /proc/ is critical -Mahmoud

James A Simmons added a comment - 03/Jan/18 7:08 PM

Mahmoud is the only reason for changing debugfs root permissions is the device file?

James A Simmons added a comment - 03/Jan/18 7:08 PM Mahmoud is the only reason for changing debugfs root permissions is the device file?

James A Simmons added a comment - 03/Jan/18 6:56 PM

Well we could in theory remount it with 644 permission using the mount() function which will give us what we have today with proc but that requires root privileges to start with Its kind of fluke we give normal users full read access to all tunables. I never heard of our users every looking at /proc entries. I fact I doubt they even know if the lctl get_param option exist. I did test lctl devices_list locally and found also the ioctl to get the obd device list also only works with root access.

So the reason for this ticket is that Mahmoud attempted to access the "devices" file as a non-root user. Is this kosher?

James A Simmons added a comment - 03/Jan/18 6:56 PM Well we could in theory remount it with 644 permission using the mount() function which will give us what we have today with proc but that requires root privileges to start with Its kind of fluke we give normal users full read access to all tunables. I never heard of our users every looking at /proc entries. I fact I doubt they even know if the lctl get_param option exist. I did test lctl devices_list locally and found also the ioctl to get the obd device list also only works with root access. So the reason for this ticket is that Mahmoud attempted to access the "devices" file as a non-root user. Is this kosher?

Mahmoud Hanafi added a comment - 03/Jan/18 6:48 PM

you can change the permissions via systemd.

/etc/systemd/system/sys-kernel-debug.mount.

# $id:$
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

[Unit]
Description=Debug File System
Documentation=https://www.kernel.org/doc/Documentation/filesystems/debugfs.txt
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
DefaultDependencies=no
ConditionPathExists=/sys/kernel/debug
ConditionCapability=CAP_SYS_RAWIO
Before=sysinit.target

[Mount]
What=debugfs
Where=/sys/kernel/debug
Type=debugfs
Options=mode=755

From security point of view this could be an issue.

Mahmoud Hanafi added a comment - 03/Jan/18 6:48 PM you can change the permissions via systemd. /etc/systemd/system/sys-kernel-debug.mount. # $id:$ # This file is part of systemd. # # systemd is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. [Unit] Description=Debug File System Documentation=https: //www.kernel.org/doc/Documentation/filesystems/debugfs.txt Documentation=http: //www.freedesktop.org/wiki/Software/systemd/APIFileSystems DefaultDependencies=no ConditionPathExists=/sys/kernel/debug ConditionCapability=CAP_SYS_RAWIO Before=sysinit.target [Mount] What=debugfs Where=/sys/kernel/debug Type=debugfs Options=mode=755 From security point of view this could be an issue.

People

Assignee:: Oleg Drokin

Reporter:: Mahmoud Hanafi

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 29/Dec/17 7:32 AM

Updated:: 09/Feb/18 9:57 PM

Resolved:: 14/Jan/18 3:39 PM