Enabling the kernel's DMESG_RESTRICT feature
kees.cook at canonical.com
Wed May 25 17:03:02 UTC 2011
On Tue, May 24, 2011 at 05:53:22PM -0700, Brad Figg wrote:
> On 05/24/2011 04:49 PM, Kees Cook wrote:
> >On Tue, May 24, 2011 at 03:59:53PM -0700, Bryce Harrington wrote:
> >>On Tue, May 24, 2011 at 11:46:48AM -0700, Kees Cook wrote:
> >>>In Oneiric, I'd like to change the default availability of yet another
> >>>long-standing system debugging feature: dmesg.
> >>>Thoughts, flames, etc?
> >>See https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/716595 for some
> >>sudo caching problems apport has had to work around which might pose
> >>some complications here as well.
> >Yeah, that bug is pretty ugly. :)
> >>Can you outline your plans for updating apport in conjunction with this
> >Well, it needs to be larger than just apport. A lot of things call dmesg,
> >and I can't fix them all, but getting people educated about what has
> >changed is the first step.
> >As for apport itself, I do not have an immediate solution. hookutils.py's
> >attachmesg() will need privs, and that's used all over the place
> >(attach_alsa(), attach_hardware()):
> >$ find -P /usr/share/apport -type f | xargs egrep -H 'attach_(hardware|alsa|dmesg)' | cut -d: -f1 | sort -u | wc -l
> >I'm open to suggestions.
> Just FYI, the kernel hooks already ask for permissions to get the
> ACPI tables.
Yeah, the problem is that it's not a one-time question (see the bug above),
so that each time we need privileges to gather data, apport will prompt for
the sudo password _again_. :(
Martin, do you have any thoughts on ways to deal with this? You did a lot
of digging in that bug, and nothing really presented itself as a clean
Ubuntu Security Team
More information about the ubuntu-devel