[Fedora kexec-tools 2/7] kexec: Remount /proc and /sys in private mount namespace

Josh Boyer jwboyer at fedoraproject.org
Wed Sep 11 12:37:36 UTC 2013


On Tue, Sep 10, 2013 at 11:02 PM, Dave Young <dyoung at redhat.com> wrote:
> On 09/04/13 at 09:56pm, Vivek Goyal wrote:
>> With secureboot enabled, we don't even trust root. And when kexec is launched
>> it might happen that root has already rigged /proc and /sys which kexec
>> reads to get important data.
>>
>> So create a private mount namespace which is not visible to root, unmount
>> old /proc and /sys and remount these to get to actual data kernel exported.
>
> Hello Vivek
>
> kexec will also use /sys/kernel/debug/boot_params, I want to copy efi_info from
> there for efi runtime support. So could you remount debugfs as well?

Hm.  That might actually be a bad thing.  The debugfs filesystem is
intentionally not something userspace is supposed to rely on.  The
files provided and the content within the files can and will change
significantly from kernel to kernel.

It might be better to export boot_params in something that is
considered more stable than debugfs.

josh
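
The step described in the quoted patch description (new private mount namespace, unmount the old /proc and /sys, mount fresh instances), as an added C example that is not taken from this message or from the kexec-tools patch. The function names are assumptions made for illustration, and the calls need CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/vfs.h>
#include <linux/magic.h>

/* 1 if `path` sits on a filesystem whose type is `magic`, else 0. */
static int fs_is(const char *path, long magic)
{
    struct statfs s;
    return statfs(path, &s) == 0 && (long)s.f_type == magic;
}

/* Detach whatever is stacked on `dir`, mount a fresh instance, verify it. */
static int fresh_mount(const char *dir, const char *type, long magic)
{
    while (umount2(dir, MNT_DETACH) == 0)
        ;                    /* peel off stacked mounts and their submounts */
    if (errno != EINVAL)     /* EINVAL: nothing is mounted on dir any more */
        return -1;
    if (mount(type, dir, type, MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) != 0)
        return -1;
    return fs_is(dir, magic) ? 0 : -1;
}

/* Returns 0 on success, -1 on failure (errno is EPERM without privilege). */
int remount_proc_sys_private(void)
{
    if (unshare(CLONE_NEWNS) != 0)
        return -1;
    /* Keep our mount changes from propagating to the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -1;
    if (fresh_mount("/sys", "sysfs", SYSFS_MAGIC) != 0)
        return -1;
    return fresh_mount("/proc", "proc", PROC_SUPER_MAGIC);
}

int main(void)
{
    if (remount_proc_sys_private() != 0) {
        perror("remount_proc_sys_private");
        return 1;
    }
    puts("/proc and /sys remounted in a private mount namespace");
    return 0;
}
```

The statfs() check confirms only the filesystem type of the new mounts. debugfs is not remounted here, so /sys/kernel/debug is absent in the new namespace.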

