
TraceFS and DebugFS on production distributions

Richard Guy Briggs edited this page Apr 12, 2017 · 2 revisions

Recently a bug report was investigated involving hundreds to thousands of audit PATH records that carried device and inode numbers but no name information, accompanying SYSCALL records for the init_module and finit_module calls.

The cause of this large volume of seemingly useless records was tracked down to TraceFS or DebugFS. The particular modules involved in the investigation were nfs and nfsv4, though there are reports of others.

A number of approaches to a potential solution were suggested, not all serious but proposed for the sake of discussion. The original reporter would have preferred to simply ignore these records, because they were not expected for this particular syscall. Several ways of doing this were proposed: ignoring any records with anonymous filesystem parent nodes, blocking this type of auxiliary record when it accompanies these particular syscalls, or blocking certain filesystems outright from triggering a PATH record at all. None of these solutions was completely satisfactory. Although a full path was not available, a dentry was available from which a partial path could be reconstructed, and that made clear what these records were. Once the source of the nameless PATH records was better understood, there was some agreement that the system was in fact doing the job it was designed to do.

The preference of a number of participants was not to throw out these records entirely, but to record the information that was available and to provide a way for system administrators to knowingly ignore certain filesystem types that did not cause a concern.

However, this led to another, more fundamental question: "Why do distributions enable DebugFS and TraceFS on default production system installations?" In particular, this behaviour was noted on RHEL6, RHEL7 and Fedora 22 through to Rawhide.

These seem like risky things to enable by default rather than simply making them available for troubleshooting should the need arise. Both filesystems allow information to be leaked and functionality to be influenced, and they are built for troubleshooting rather than with security in mind.
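The triage the page describes (counting nameless PATH records, working out which filesystem they point at, and checking whether DebugFS or TraceFS are mounted at all) can be reproduced offline with the following shell script. It is an added example, not code from this wiki page or from the audit project; the audit log lines and the mountinfo excerpt are constructed samples, and the function names nameless_path_count, debug_mounts and nameless_path_fstypes are my own.

```shell
#!/bin/sh
# Added triage helper (not code from the linux-audit wiki or the audit project).
# It answers two questions from the page offline: how many PATH records lack a
# name, and which mounted filesystem types those nameless records point at.
# All inputs below are CONSTRUCTED samples; on a live host feed it the output
# of `ausearch --raw` and the contents of /proc/self/mountinfo instead.

# Constructed audit log: one finit_module SYSCALL record (x86_64 syscall 313)
# followed by one named PATH record for the .ko file and three nameless ones.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1490000000.100:201): arch=c000003e syscall=313 success=yes exit=0 items=4 pid=1234 uid=0 comm="modprobe" exe="/usr/bin/kmod" key=(null)
type=PATH msg=audit(1490000000.100:201): item=0 name="/usr/lib/modules/4.10.0/kernel/fs/nfs/nfs.ko" inode=1001 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1490000000.100:201): item=1 inode=2001 dev=00:0a mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1490000000.100:201): item=2 inode=2002 dev=00:0a mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1490000000.100:201): item=3 inode=2003 dev=00:0b mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE'

# Constructed /proc/self/mountinfo excerpt: field 3 is the decimal major:minor
# of the mounted device, field 5 the mount point, and the field after "-" the
# filesystem type.
SAMPLE_MOUNTINFO='22 60 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
35 22 0:10 / /sys/kernel/debug rw,relatime shared:20 - debugfs debugfs rw
36 35 0:11 / /sys/kernel/debug/tracing rw,relatime shared:21 - tracefs tracefs rw'

# Count PATH records that carry no name= field.  Usage: nameless_path_count "$log"
nameless_path_count() {
    printf '%s\n' "$1" | awk '/^type=PATH / && $0 !~ / name=/ { n++ } END { print n + 0 }'
}

# List mounted troubleshooting filesystems.  Usage: debug_mounts "$mountinfo"
debug_mounts() {
    printf '%s\n' "$1" | awk '
        { fstype = ""; for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break } }
        fstype == "debugfs" || fstype == "tracefs" { print fstype " on " $5 }'
}

# Map each nameless PATH record's dev= (hex major:minor) to the filesystem type
# mounted on that device.  Usage: nameless_path_fstypes "$log" "$mountinfo"
nameless_path_fstypes() {
    { printf '%s\n' "$2"; echo '--AUDIT-LOG--'; printf '%s\n' "$1"; } | awk '
        function hex2dec(h,   i, v) {
            v = 0; h = tolower(h)
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return v
        }
        /^--AUDIT-LOG--$/ { inlog = 1; next }
        !inlog {   # mountinfo section: remember decimal "maj:min" -> fstype
            for (i = 7; i <= NF; i++) if ($i == "-") { fstype[$3] = $(i + 1); break }
            next
        }
        /^type=PATH / && $0 !~ / name=/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^dev=/) {
                split(substr($i, 5), mm, ":")
                key = hex2dec(mm[1]) ":" hex2dec(mm[2])
                print $i, ((key in fstype) ? fstype[key] : "unmounted/unknown")
            }
        }' | sort -u
}

# Stand-alone run over the constructed samples.
echo "nameless PATH records: $(nameless_path_count "$SAMPLE_AUDIT_LOG")"
debug_mounts "$SAMPLE_MOUNTINFO"
nameless_path_fstypes "$SAMPLE_AUDIT_LOG" "$SAMPLE_MOUNTINFO"
```

Mapping the hex dev= value back to a mount is what makes these records intelligible even without a name: a nameless PATH record whose device is the debugfs or tracefs mount is the module registering its debugging or tracing files during load, not a file access that needs investigating. Later audit releases added the per-filesystem-type filter that this page asks for (`auditctl -a never,filesystem -F fstype=debugfs`, and likewise for tracefs), which drops these PATH records at the source once an administrator has decided they are not a concern.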

See: https://github.com/linux-audit/audit-kernel/issues/8