Sony Provides Patch To Linux 5.9 For Allowing Further Access Restrictions On DebugFS
Sony engineer Peter Enderborg wrote the patch to allow a new access restriction option on DebugFS, the pseudo file-system used for exposing debug-related information from the kernel and other details without having to stick to the ABI compatibility mandated by sysfs. The basis for this access restriction is that DebugFS can carry sensitive information and so should be treated more carefully, even though most Linux distributions already restrict DebugFS access to root/administrative privileges.
Enderborg noted, "This gives a extra protection for exposure on systems where user-space services with system access are attacked." From the Sony perspective, it appears motivated from the smartphone angle of Linux/Android devices.
The new option allows for DebugFS to be toggled on/off or also initialized internally but not accessible via user-space (i.e. not mounted).
These new controls around DebugFS can be set by default on new kernel builds using the DEBUG_FS_ALLOW_ALL / DEBUG_FS_DISALLOW_MOUNT / DEBUG_S_ALLOW_NONE Kconfig options or controlled at boot time as well via debugfs= with on/off/no-mount values.
The code is in driver-core until the Linux 5.9 merge window kicks off in August following the 5.8 kernel release.