Enabling the kernel's DMESG_RESTRICT feature
Kees Cook
kees.cook at canonical.com
Tue May 24 23:49:42 UTC 2011
On Tue, May 24, 2011 at 03:59:53PM -0700, Bryce Harrington wrote:
> On Tue, May 24, 2011 at 11:46:48AM -0700, Kees Cook wrote:
> > Hello!
> >
> > In Oneiric, I'd like to change the default availability of yet another
> > long-standing system debugging feature: dmesg.
> >
> > Thoughts, flames, etc?
>
> See https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/716595 for some
> sudo caching problems apport has had to work around which might pose
> some complications here as well.
Yeah, that bug is pretty ugly. :)
> Can you outline your plans for updating apport in conjunction with this
> change?
Well, it needs to be larger than just apport. A lot of things call dmesg,
and I can't fix them all, but getting people educated about what has
changed is the first step.
As for apport itself, I do not have an immediate solution. hookutils.py's
attachmesg() will need privs, and that's used all over the place
(attach_alsa(), attach_hardware()):
$ find -P /usr/share/apport -type f | xargs egrep -H 'attach_(hardware|alsa|dmesg)' | cut -d: -f1 | sort -u | wc -l
33
I'm open to suggestions.
-Kees
--
Kees Cook
Ubuntu Security Team
More information about the ubuntu-devel
mailing list