Enabling the kernel's DMESG_RESTRICT feature

Kees Cook kees at ubuntu.com
Wed May 25 19:05:12 UTC 2011

On Wed, May 25, 2011 at 11:49:45AM -0700, Steve Langasek wrote:
> I'd much rather we find a way to fix it so the information *logged* to these
> files isn't privileged to the point that it can't be exposed to admins,
> instead of gutting admins' ability to make use of these crucial logs.

Currently, the upstream kernel folks have rejected filtering printk.
However, there has been some noise recently about making a distinction
between the "actual" address and the "unrandomized" address. (As in, printk
would be forced to use a new %p modifier for all kernel addresses, and that
modifier would report the "unrandomized" address by default, keeping the
actual address secret even from dmesg.)

We'll see how this progresses...

Kees Cook
Ubuntu Security Team

