Enabling the kernel's DMESG_RESTRICT feature

Kees Cook kees at ubuntu.com
Tue May 24 18:46:48 UTC 2011


In Oneiric, I'd like to change the default availability of yet another
long-standing system debugging feature: dmesg.

Since Linux 2.6.37, CONFIG_DMESG_RESTRICT (/proc/sys/kernel/dmesg_restrict)
has existed[1], but the default in Ubuntu has been to leave "dmesg" available
to unprivileged users (i.e. lacking the CAP_SYSLOG capability, changed
in 2.6.38[2]). I brought this up[3] in November, but ultimately decided to
wait until we had more important reasons to enable it by default.

As we have continued to close kernel address leaks, the kernel syslog
(dmesg) remains one of the last large places where information is being
reported. As such, I want to close this off from regular users so that
local kernel exploits continue to have an even harder time getting a
foot-hold on vulnerabilities. And, as before, this is a tunable that you
can change in /etc/sysctl.d/ if you do development work, like getting
owned, etc. For the average user, this information is not needed.

Kernel address leaks will become even more valuable to exploit authors
once kernel base address randomization[4] lands in the kernel, and I
want to make sure Ubuntu is prepared, well in advance of the next LTS,
for this change. When the base address is randomized, "dmesg" must be
privileged, or else the exact offset is trivially visible (i.e. of
the offset from "0xc1000000"):

$ dmesg | grep -m1 text
[    0.000000]       .text : 0xc1000000 - 0xc15112a1   (5188 kB)

Now, making "dmesg" a privileged command will require extensive changes
to documentation, debug-info-gather tools (e.g. users of "dmesg"
like Apport), etc. The syslog daemon already has the needed privileges
since it does more than just read the klog buffer (see [3] for a full
list of klogctl() users). As with last year's ptrace changes[5],
I plan to patch the userspace tools (i.e. "dmesg") themselves to
produce a useful error message instead of what it currently reports when
/proc/sys/kernel/dmesg_restrict is set to "1":

$ dmesg
klogctl: Operation not permitted

I think something like this will be used:

$ dmesg
klogctl: Operation not permitted
The kernel syslog is only available to privileged users. For more details,
see /etc/sysctl.d/10-dmesg.conf

And then there will be extended information in that file, etc.

One unresolved problem is that the local default user (who is part of
"admin") is also part of the "adm" group, which means these log files are
visible without additional privileges:

-rw-r----- 1 root   adm 25937 2011-05-24 10:59 /var/log/dmesg
-rw-r----- 1 syslog adm     0 2011-05-24 11:17 /var/log/kern.log

(And some systems have a historically world-readable /var/log/dmesg that
should be fixed...) Does anyone see any problems in removing the default
user from the "adm" group? It seems to almost exclusively only be used for
log file reading permissions...

Thoughts, flames, etc?


[1] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eaf06b241b091357e72b76863ba16e89610d31bd

[2] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=38ef4c2e437d11b5922723504b62824e96761459

[3] https://lists.ubuntu.com/archives/kernel-team/2010-November/013499.html

[4] https://lkml.org/lkml/2011/5/22/99

[5] https://lists.ubuntu.com/archives/ubuntu-devel/2010-May/030797.html

Kees Cook
Ubuntu Security Team
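
Added example, not part of the original post or of any Ubuntu tool: a shell audit of the three exposure points the post names (the dmesg_restrict sysctl, the permissions on saved kernel logs, and "adm" group membership). The function names are hypothetical, and paths are parameters so the checks can be run against test copies.

```shell
#!/bin/sh
# Added example (not from the original post): audit the kernel-log exposure
# points the post names. Function names are hypothetical.

# Print "restricted", "unrestricted" or "unknown" for a dmesg_restrict file.
dmesg_restrict_state() {
    f=${1:-/proc/sys/kernel/dmesg_restrict}
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        1) echo restricted ;;
        0) echo unrestricted ;;
        *) echo unknown ;;
    esac
}

# Classify who can read a saved kernel log from its mode string:
# "world", "group:<name>", "owner-only" or "missing".
log_exposure() {
    [ -e "$1" ] || { echo missing; return 0; }
    set -- $(ls -ld "$1")          # fields: mode links owner group ...
    case "$1" in
        ???????r*) echo world ;;
        ????r*)    echo "group:$4" ;;
        *)         echo owner-only ;;
    esac
}

# Succeed if GROUP appears in a space-separated group list (e.g. `id -Gn`).
has_group() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# Count log lines that carry a raw hex address such as the .text range.
count_addr_lines() {
    grep -cE '0x[0-9a-f]{8,16}' "$1" || true
}

# Report on the live system.
echo "dmesg_restrict: $(dmesg_restrict_state)"
for log in /var/log/dmesg /var/log/kern.log; do
    echo "$log: $(log_exposure "$log")"
done
if has_group "$(id -Gn 2>/dev/null)" adm; then
    echo "current user is in adm and can read group-readable logs"
fi
```

A result of "restricted" alongside "world" or "group:adm" on the saved logs is the unresolved case the post describes: the syscall is closed but the same text is still readable from /var/log.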
