dynamic debug permission issue (k5.0.0)

Question

When I attempt to read or modify the kernel dynamic_debug settings, I encounter a permissions issue.

root@roberto:/sys/kernel/debug/dynamic_debug# cat control
cat: control: Operation not permitted

I'm not seeing any apparmor audit messages related to this and the classic UNIX permissions look fine.

root@roberto:/sys/kernel/debug/dynamic_debug# ll
total 0
drwxr-xr-x  2 root root 0 Aug 29 21:23 ./
drwx------ 40 root root 0 Aug 29 21:23 ../
-rw-r--r--  1 root root 0 Aug 29 21:23 control

There don't appear to be any weird ACLs:

root@roberto:/sys/kernel/debug/dynamic_debug# getfacl control 
# file: control
# owner: root
# group: root
user::rw-
group::r--
other::r--

I'm not much of an expert on linux capabilities, but capsh --print and cat /proc/<pid>/status both seem to imply that all capabilities are enabled.

I'm running Ubuntu server 18.04 with the hardware enablement kernel.

cbaker@roberto:~$ uname -a
Linux roberto 5.0.0-25-generic #26~18.04.1-Ubuntu SMP Thu Aug 1 13:51:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

I am able to add the dyndbg flag to the modprobe conf files in order to enable dynamic debug on individual basis. The results appear in dmesg as expected.

Any ideas on what might be causing the debugfs control node to fail? I'm leaning toward this being some custom patch that Ubuntu has applied to the kernel or possibly a hidden/builtin apparmor profile that doesn't create audit messages.

Answer 1

I believe you should see the following line in dmesg:

[1933752.889994] Lockdown: bash: debugfs is restricted; see man kernel_lockdown.7

If this is the case debugfs is simply unavailable even for root user.

For reference:

• when kernel_lockdown is enables, debugfs is unavailable. For instance, it is not possible to cat in /sys/kernel/debug