FS#21787 : [initscripts] remove read permissions from /proc/kallsyms

FS#21787 - [initscripts] remove read permissions from /proc/kallsyms

Attached to Project: Arch Linux
Opened by Corrado Primier (bardo) - Monday, 22 November 2010, 17:04 GMT
Last edited by Jan de Groot (JGC) - Monday, 04 April 2011, 16:51 GMT

Task Type	Feature Request
Category	Initscripts
Status	Closed
Assigned To	Tobias Powalowski (tpowa) Thomas Bächler (brain0) Tom Gundersen (tomegun)
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

A commit in linux 2.6.37-rc3 encourages distributions to 'chmod -r /proc/kallsyms' in their init scripts to reduce ease of attacking.

Relevant commit: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=33e0d57f5d2f079104611be9f3fccc27ef2c6b24

This task depends upon

Closed by Jan de Groot (JGC)
Monday, 04 April 2011, 16:51 GMT
Reason for closing: Won't implement
Additional comments about closing: See last comment.

Comment by Dave Reisner (falconindy) - Thursday, 03 March 2011, 00:27 GMT

Note the portion of the revert that says 'this can break certain userland setups'. There's an enormous thread [1] associated with this revert which points out a slippery slope of disabling access to /proc/modules, /proc/$PID/stack, /proc/mtrr, etc... What you'd end up with is an extremely locked down system not necessarily suitable for everyday desktop use, and you'd likely end up with even more broken userland apps.

This is the kind of thing that, imo, is more suited for a setup using grsecurity or selinux.

[1] https://lkml.org/lkml/2010/11/16/110

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#21787 - [initscripts] remove read permissions from /proc/kallsyms

Details

Loading...