CONFIG_SECURITY_DMESG_RESTRICT

Kees Cook kees.cook at canonical.com
Tue Nov 16 15:23:31 UTC 2010


On Tue, Nov 16, 2010 at 03:19:11PM +0000, Colin Ian King wrote:
> On Tue, 2010-11-16 at 06:49 -0800, Kees Cook wrote:
> > On Tue, Nov 16, 2010 at 01:22:19PM +0000, Andy Whitcroft wrote:
> > > FYI this new security option just dropped into the kernel, for now I
> > > have left it turned off.  I suspect you are in the best position to know
> > > if this is something we should be working towards turning on:
> > > 
> > > 	# CONFIG_SECURITY_DMESG_RESTRICT is not set
> > 
> > I'd like to turn this on, but it will take some education since using
> > "dmesg" will suddenly turn into "sudo dmesg" in instructions everywhere.
> > (Most notably apport, actually.)
> 
> I suppose it will also affect APIs such as klogctl(), e.g. reading the
> buffer:  klogctl(3, buffer, len);

What is using klogctl()? sysklogd uses the /proc interface (and is
privileged when it does the open).

Note also that this is a sysctl as well, so people can disable the
restriction if they need to.

-Kees

-- 
Kees Cook
Ubuntu Security Team
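
Added example (not part of the original message, and not code from the kernel or Ubuntu): a small C check that makes the klogctl(3, buffer, len) case raised in the thread concrete, by reading the dmesg_restrict sysctl and attempting the same buffer read. The function names, the verdict enum and the "other" bucket for an EPERM that the sysctl does not explain are assumptions of this example.

```c
/* Added example with hypothetical helper names; Linux with glibc. */
#include <errno.h>
#include <stdio.h>
#include <sys/klog.h>

#define SYSLOG_ACTION_READ_ALL 3  /* the "3" in klogctl(3, buffer, len) */

enum verdict { READ_OK, DENIED_BY_DMESG_RESTRICT, DENIED_OTHER, READ_ERROR };

/* Parse the sysctl file; returns 0 or 1, or -1 if missing or malformed. */
int read_dmesg_restrict(const char *path)
{
    FILE *f = fopen(path, "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1 || (v != 0 && v != 1))
        v = -1;
    fclose(f);
    return v;
}

/* Non-destructive read of the ring buffer; bytes read, or -errno. */
int try_klog_read(char *buf, int len)
{
    int n = klogctl(SYSLOG_ACTION_READ_ALL, buf, len);
    return n < 0 ? -errno : n;
}

/* Attribute the klogctl() result to the sysctl where that is justified. */
enum verdict classify(int restrict_val, int klog_result)
{
    if (klog_result >= 0)
        return READ_OK;            /* unrestricted, or caller is privileged */
    if (klog_result != -EPERM)
        return READ_ERROR;
    /* EPERM with the sysctl at 0 or unreadable has another cause (assumption). */
    return restrict_val == 1 ? DENIED_BY_DMESG_RESTRICT : DENIED_OTHER;
}

int main(void)
{
    static char buf[1 << 16];
    static const char *names[] = { "read ok", "denied by dmesg_restrict", "denied (other)", "error" };
    int r = read_dmesg_restrict("/proc/sys/kernel/dmesg_restrict");
    int n = try_klog_read(buf, sizeof buf);
    printf("dmesg_restrict=%d klogctl=%d -> %s\n", r, n, names[classify(r, n)]);
    return 0;
}
```

Run it once as an ordinary user and once under sudo to see which unprivileged readers of the buffer would need changes if the option were enabled.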



