Enabling the kernel's DMESG_RESTRICT feature
stefan.bader at canonical.com
Wed May 25 07:48:20 UTC 2011
On 25.05.2011 06:41, Martin Pitt wrote:
> Hey Kees,
> Kees Cook [2011-05-24 11:46 -0700]:
>> $ dmesg | grep -m1 text
>> [ 0.000000] .text : 0xc1000000 - 0xc15112a1 (5188 kB)
> Would it be possible to have the kernel just not log the addresses in
> the first place? It seems kind of pointless to make a big effort of
> randomizing these and then yell it out loudly where it lands in any
> kind of log file. People might also have a custom rsyslog
> configuration etc. which we can't even fix on upgrades.
Though IMO that is a decision made by them then. And changing that might not be
seen as "fixing" something.
> So wouldn't it be enough to have the actual addresses somewhere in
> /proc/ in a 0400 file, and just purge them from printk()s?
I do not really like that idea that much. Probably because of looking at it from
a practical debugging side. What gets into dmesg gets onto the console and if
something goes wrong early enough that is the only source of information. Also
when looking at bare dumps, its simple to find that buffer.
More information about the ubuntu-devel