FS#34323 - [procps-ng:]sysctl.conf should enable kptr_restrict by default to harden against kernel exploits
Attached to Project:
Arch Linux
Opened by hqet4 (hqet4) - Friday, 15 March 2013, 14:33 GMT
Last edited by Gaetan Bisson (vesath) - Thursday, 21 March 2013, 00:41 GMT
Details
Enabling kernel.kptr_restrict will hide kernel symbol
addresses in /proc/kallsyms from regular users, making it
more difficult for kernel exploits to resolve
addresses/symbols dynamically.
This will not help that much on a precompiled ARCH kernel, since a determined attacker could just download the kernel package and get the symbols manually from there, but for people compiling their own kernel, this can help mitigate local root exploits...
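A defender-side check for the setting discussed above, added here as an example and not part of the original report: it reads the effective kptr_restrict value, tests whether the /proc/kallsyms addresses visible to the caller are zeroed, and extracts the last assignment of a key from a sysctl.d-style fragment (the function names and the sample data are my own, constructed for offline use).

```shell
#!/bin/sh
# Added example: check kernel.kptr_restrict from a defender's point of view.
# Function names (kptr_masked, sysctl_value, report_live) are assumptions, not
# procps-ng or Arch tooling.

# Succeeds (exit 0) when every address in /proc/kallsyms-style input on stdin is
# zero, i.e. kernel pointers are hidden from this caller; fails if any leaks.
kptr_masked() {
    awk '
        /^[0-9a-fA-F]+ [A-Za-z] / { if ($1 ~ /[1-9a-fA-F]/) leaked++ }
        END { exit (leaked > 0) ? 1 : 0 }
    '
}

# Prints the last value assigned to key $1 in sysctl-style text on stdin
# (empty if unset); last assignment wins, as sysctl --system applies files in order.
sysctl_value() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        /=/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
            if (kv[1] == key) val = kv[2]
        }
        END { print val }
    '
}

# Report on the running system; only meaningful on Linux with /proc/kallsyms.
report_live() {
    [ -r /proc/sys/kernel/kptr_restrict ] || { echo "no kptr_restrict here"; return 2; }
    printf 'kernel.kptr_restrict = %s\n' "$(cat /proc/sys/kernel/kptr_restrict)"
    if kptr_masked < /proc/kallsyms; then
        echo "kernel symbol addresses are hidden from this user"
    else
        echo "kernel symbol addresses are visible to this user"
    fi
}

# Constructed sample input (not real kernel data) so the helpers run offline.
MASKED_SAMPLE='0000000000000000 T _text
0000000000000000 t do_something
0000000000000000 D some_data'
VISIBLE_SAMPLE='ffffffff81000000 T _text
ffffffff81001230 t do_something'
CONF_SAMPLE='# constructed /etc/sysctl.d/ fragment
kernel.kptr_restrict = 0
kernel.kptr_restrict = 1'
```

Run `report_live` as an unprivileged user to see what the current setting actually hides; with kptr_restrict=1 the addresses are zeroed unless the caller has CAP_SYSLOG.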
If you feel otherwise (and are compiling your own kernel, obviously), feel free to use the /etc/sysctl.d directory.
By your reasoning, any mitigation technique, like ASLR or NX, should be disabled because it merely makes exploitation harder without fixing the bugs, but (security) bugs in software will always exist and can't always be fixed in a timely manner. So even if exploit mitigation techniques like this one are rarely perfect or always effective, this isn't a sufficient reason to dismiss them.
You say that people compiling their own kernel should enable this option themselves, but you have to know that most of them won't do it, either because they don't have the expertise to know such an option exists or don't understand the security benefits they could gain by enabling it.
In the end, it's also the distro's responsibility to ship with sane values enabled by default...
Other distributions are enabling this by default also, so I don't think it's bad to enable this.
Deviating from upstream default values goes against our core principles, and is particularly bad when this brings no benefit to our packages.
When you compile your kernel with non-stock configuration, you are expected to update related configuration files yourself too. This is a basic rule which, in fact, applies to all packages. We are simply not going to ship home-made configurations that try to guess what people who recompile their packages might do or want.
This is not Ubuntu. People who recompile their own kernel should really know what they are doing. We have no duty to protect people who are ignorant yet modify core parts of their systems. Besides, in the worst-case scenario, they would not be at any more risk than stock kernel users.