FS#39685 - [linux] consider enabling CONFIG_SECURITY_DMESG_RESTRICT
Attached to Project: Arch Linux
Opened by Daniel Micay (thestinger) - Sunday, 30 March 2014, 06:33 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 16 June 2014, 18:30 GMT
Details
CONFIG_SECURITY_DMESG_RESTRICT sets the default
kernel.dmesg_restrict parameter to 1, preventing access of
the kernel logs without CAP_SYS_ADMIN. The kernel logs can
contain sensitive information as it makes no attempt to hide
useful data from attackers.
The kernel logs are also available via journald, but only for users in the systemd-journal group. Enabling dmesg_restrict by default will close the hole in this policy.
http://lwn.net/Articles/414813/
Closed by Tobias Powalowski (tpowa)
Monday, 16 June 2014, 18:30 GMT
Reason for closing: Won't implement
Comment by Daniel Micay (thestinger) - Saturday, 05 April 2014, 18:06 GMT
- Field changed: Percent Complete (100% → 0%)
The log can contain sensitive information on *all* systems. The
addresses output in the debug log are often used to turn kernel
overflow vulnerabilities into remote code execution rather than
just a crash. This feature was moved from grsecurity to the core
kernel because it's viewed as generally useful.
Comment by Dave Reisner (falconindy) - Saturday, 05 April 2014, 18:09 GMT
I'm in favor of doing this. It causes dmesg to require root, but
I'd guess that "most" people have non-root access to their
journal, which will have all of these messages (so, also, not much
of a security win).
Comment by Daniel Micay (thestinger) - Saturday, 05 April 2014, 19:07 GMT
It does mean that a daemon running as non-root or an
OS/application inside a container is less able to attack the
kernel if exploited. When KASLR stops breaking perf and hibernate
and can be enabled by default, it will be a far bigger gain than
the negligible (but non-zero) improvement today.
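Added example, not part of the tracker thread: a small audit of the two access paths discussed above, the kernel.dmesg_restrict sysctl and membership of the systemd-journal group. The function names and the three result labels are assumptions made for this example; the file paths are parameters so the check can run on constructed sample files as well as on a live host.

```shell
#!/bin/sh
# Added example (not from the Arch tracker). File paths are parameters so the
# audit can run against the live system or against constructed sample files.

# Succeeds when kernel.dmesg_restrict is 1, i.e. reading the kernel log via
# dmesg requires privilege (CAP_SYS_ADMIN, as the report states).
dmesg_restricted() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Prints the supplementary members of group $2 from an /etc/group style file,
# one per line. Users holding it as their primary group are not listed there.
group_members() {
    awk -F: -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
}

# Classifies exposure of kernel log contents to unprivileged accounts:
#   open          any local user or compromised daemon can run dmesg
#   journal-only  dmesg is restricted, journal group members still see the log
#   closed        dmesg is restricted and the journal group has no members
# An unreadable sysctl file is reported as "open" (the conservative answer).
kernel_log_exposure() {
    sysctl_file=$1
    group_file=$2
    if ! dmesg_restricted "$sysctl_file"; then
        echo open
    elif [ -n "$(group_members "$group_file" systemd-journal)" ]; then
        echo journal-only
    else
        echo closed
    fi
}

# Audit the live system only when invoked with the argument "live".
if [ "${1:-}" = "live" ]; then
    state=$(kernel_log_exposure /proc/sys/kernel/dmesg_restrict /etc/group)
    echo "kernel log exposure: $state"
    group_members /etc/group systemd-journal | sed 's/^/  journal reader: /'
fi
```

A result of journal-only corresponds to the situation raised in the comments: dmesg needs root, yet accounts in the journal group still read the same messages.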