Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#39685 - [linux] consider enabling CONFIG_SECURITY_DMESG_RESTRICT
Attached to Project:
Arch Linux
Opened by Daniel Micay (thestinger) - Sunday, 30 March 2014, 06:33 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 16 June 2014, 18:30 GMT
Details
CONFIG_SECURITY_DMESG_RESTRICT sets the default kernel.dmesg_restrict parameter to 1, preventing access of the kernel logs without CAP_SYS_ADMIN. The kernel logs can contain sensitive information as it makes no attempt to hide useful data from attackers.
The kernel logs are also available via journald, but only for users in the systemd-journal group. Enabling dmesg_restrict by default will close the hole in this policy. http://lwn.net/Articles/414813/
Closed by Tobias Powalowski (tpowa)
Monday, 16 June 2014, 18:30 GMT
Reason for closing: Won't implement
Comment by Daniel Micay (thestinger) -
Saturday, 05 April 2014, 18:06 GMT
- Field changed: Percent Complete (100% → 0%)
The log can contain sensitive information on *all* systems. The addresses output in the debug log are often used to turn kernel overflow vulnerabilities into remote code execution rather than just a crash. This feature was moved from grsecurity to the core kernel because it's viewed as generally useful.
Comment by Dave Reisner (falconindy) -
Saturday, 05 April 2014, 18:09 GMT
I'm in favor of doing this. It causes dmesg to require root, but I'd guess that "most" people have non-root access to their journal, which will have all of these messages (so, also, not much of a security win).
Comment by Daniel Micay (thestinger) -
Saturday, 05 April 2014, 19:07 GMT
It does mean that a daemon running as non-root or an OS/application inside a container is less able to attack the kernel if exploited. When KASLR stops breaking perf and hibernate and can be enabled by default, it will be a far bigger gain than the negligible (but non-zero) improvement today.
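The policy gap discussed in this thread, as an added example that is not part of the original report or its comments: a POSIX shell check that reports whether an unprivileged account can reach the kernel log through dmesg, through the journal, or both. The function name `kernel_log_exposure`, the sample accounts and the sample group file are constructed for illustration.

```shell
#!/bin/sh
# kernel_log_exposure USER [SYSCTL_FILE] [GROUP_FILE]
# Reports which routes to the kernel log are open to an unprivileged USER:
#   dmesg+journal, dmesg, journal, or none.
# File paths are parameters so the check can run against constructed input.
kernel_log_exposure() {
    user=$1
    sysctl_file=${2:-/proc/sys/kernel/dmesg_restrict}
    group_file=${3:-/etc/group}

    # 1 = reading the ring buffer needs CAP_SYS_ADMIN; 0 = any user may read it.
    # Assumption: a missing file is treated as 0 (unrestricted).
    restrict=$(cat "$sysctl_file" 2>/dev/null || echo 0)

    # Supplementary membership in systemd-journal, the group named in the report.
    # Assumption: primary-group membership and other journal ACLs are not checked.
    in_group=$(awk -F: -v u="$user" '
        $1 == "systemd-journal" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print "yes"; exit }
        }' "$group_file" 2>/dev/null || true)

    if [ "$restrict" = "0" ]; then dmesg_open=yes; else dmesg_open=no; fi
    case "$dmesg_open:${in_group:-no}" in
        yes:yes) echo "dmesg+journal" ;;
        yes:no)  echo "dmesg" ;;      # journal group policy bypassed via dmesg
        no:yes)  echo "journal" ;;
        *)       echo "none" ;;
    esac
}

# Constructed sample input: alice is in systemd-journal, http is a daemon account.
demo=$(mktemp -d)
printf 'systemd-journal:x:190:alice\nhttp:x:33:\n' > "$demo/group"
for value in 0 1; do
    echo "$value" > "$demo/dmesg_restrict"
    for u in alice http; do
        echo "dmesg_restrict=$value $u: $(kernel_log_exposure "$u" "$demo/dmesg_restrict" "$demo/group")"
    done
done
rm -rf "$demo"
```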