Enabling the kernel's DMESG_RESTRICT feature

Kees Cook kees.cook at canonical.com
Tue May 24 23:49:42 UTC 2011

On Tue, May 24, 2011 at 03:59:53PM -0700, Bryce Harrington wrote:
> On Tue, May 24, 2011 at 11:46:48AM -0700, Kees Cook wrote:
> > Hello!
> > 
> > In Oneiric, I'd like to change the default availability of yet another
> > long-standing system debugging feature: dmesg.
> > 
> > Thoughts, flames, etc?
> See https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/716595 for some
> sudo caching problems apport has had to work around which might pose
> some complications here as well.

Yeah, that bug is pretty ugly. :)

> Can you outline your plans for updating apport in conjunction with this
> change?

Well, it needs to be larger than just apport. A lot of things call dmesg,
and I can't fix them all, but getting people educated about what has
changed is the first step.

As for apport itself, I do not have an immediate solution. hookutils.py's
attachmesg() will need privs, and that's used all over the place
(attach_alsa(), attach_hardware()):

$ find -P /usr/share/apport -type f | xargs egrep -H 'attach_(hardware|alsa|dmesg)' | cut -d: -f1 | sort -u | wc -l

I'm open to suggestions.


Kees Cook
Ubuntu Security Team

More information about the ubuntu-devel mailing list