debugfs: lockdown: Allow reading debugfs files that are not world readable

hramrach · gregkh · commit 358fcf5ddbec · 2022-01-06T15:47:41.000+01:00
When the kernel is locked down the kernel allows reading only debugfs files with mode 444. Mode 400 is also valid but is not allowed. Make the 444 into a mask. Fixes: 5496197 ("debugfs: Restrict debugfs when the kernel is locked down") Signed-off-by: Michal Suchanek <msuchanek@suse.de> Link: https://lore.kernel.org/r/20220104170505.10248-1-msuchanek@suse.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
@@ -147,7 +147,7 @@ static int debugfs_locked_down(struct inode *inode,
 			       struct file *filp,
 			       const struct file_operations *real_fops)
 {
-	if ((inode->i_mode & 07777) == 0444 &&
+	if ((inode->i_mode & 07777 & ~0444) == 0 &&
 	    !(filp->f_mode & FMODE_WRITE) &&
 	    !real_fops->unlocked_ioctl &&
 	    !real_fops->compat_ioctl &&

Original file line number	Diff line number	Diff line change
`@@ -147,7 +147,7 @@ static int debugfs_locked_down(struct inode *inode,`
`147`	`147`	`struct file *filp,`
`148`	`148`	`const struct file_operations *real_fops)`
`149`	`149`	`{`
`150`		`- if ((inode->i_mode & 07777) == 0444 &&`
	`150`	`+ if ((inode->i_mode & 07777 & ~0444) == 0 &&`
`151`	`151`	`!(filp->f_mode & FMODE_WRITE) &&`
`152`	`152`	`!real_fops->unlocked_ioctl &&`
`153`	`153`	`!real_fops->compat_ioctl &&`