FS#23327 - [kernel26] Disable /dev/kmem

Attached to Project: Arch Linux
Opened by Jamie Nguyen (jnguyen) - Friday, 18 March 2011, 14:08 GMT
Last edited by Tobias Powalowski (tpowa) - Friday, 25 March 2011, 08:01 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Tobias Powalowski (tpowa), Thomas Bächler (brain0)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 3
Private: No

Details

Description:

CONFIG_DEVKMEM is currently enabled in the Arch Linux kernel. This has been disabled in several other distributions for quite some time: since 2004 in RHEL/Fedora[1], and since 2009 in Debian/Ubuntu[2][3]. Jonathan Corbet wrote this on LWN.net back in 2005:

"It has been suggested that root kits are the largest user community for this kind of access... The Fedora kernel, as it turns out, has not supported /dev/kmem for a long time."[4]

I feel it is definitely in the interests of the Arch Linux community for this option to be disabled.

[1] http://kerneltrap.org/mailarchive/linux-kernel/2008/2/10/809144/thread
[2] http://web.archiveorange.com/archive/v/UsR4nWY5S8peg7kZRPUt
[3] https://wiki.ubuntu.com/Security/Features#dev-kmem
[4] http://lwn.net/Articles/147901/
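
A check for the option this report is about, added here as an example; it is not part of the original report or of any Arch Linux tooling. The function names are hypothetical, and it assumes the kernel config is readable as a plain or gzip-compressed file (for example `/proc/config.gz` where the kernel exposes it).

```shell
#!/bin/sh
# Added example: report whether a kernel config enables CONFIG_DEVKMEM
# and whether the kmem device node is present on the system.

# devkmem_state: read kernel config text on stdin and print one of
#   enabled  - CONFIG_DEVKMEM=y
#   disabled - "# CONFIG_DEVKMEM is not set"
#   absent   - the option does not appear in this config at all
devkmem_state() {
    awk '
        /^CONFIG_DEVKMEM=y$/            { state = "enabled" }
        /^# CONFIG_DEVKMEM is not set$/ { state = "disabled" }
        END { print (state == "" ? "absent" : state) }
    '
}

# read_kernel_config FILE: write the config text to stdout,
# decompressing it when the name ends in .gz.
read_kernel_config() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# audit_devkmem FILE [NODE]: NODE defaults to /dev/kmem.
# Returns 0 when the option is not enabled and NODE is not a character
# device, 1 when either exposes kmem, 2 when FILE cannot be read.
audit_devkmem() {
    cfg=$1
    node=${2:-/dev/kmem}
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    state=$(read_kernel_config "$cfg" | devkmem_state)
    echo "CONFIG_DEVKMEM: $state"
    if [ -c "$node" ]; then
        echo "$node exists as a character device"
    fi
    [ "$state" != "enabled" ] && [ ! -c "$node" ]
}

# Constructed sample config lines (not taken from a real Arch kernel).
printf '%s\n' 'CONFIG_DEVMEM=y' 'CONFIG_DEVKMEM=y' | devkmem_state  # prints: enabled
```

On a live system, `audit_devkmem /proc/config.gz` checks the running kernel's config and the default device node.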

Closed by Tobias Powalowski (tpowa)
Friday, 25 March 2011, 08:01 GMT
Reason for closing: Fixed
Additional comments about closing: in .38 series and lts kernels
Comment by Tobias Powalowski (tpowa) - Saturday, 19 March 2011, 08:39 GMT
Thomas sounds reasonable to me.
Comment by Thomas Bächler (brain0) - Saturday, 19 March 2011, 10:28 GMT
Some applications used to require it, in particular v86d; is that fixed? AFAIK, the same problems are also caused by /dev/mem, but exploiting them is harder there.

I don't object to disabling this.
