Enabling the kernel's DMESG_RESTRICT feature

Matt Zimmerman mdz at ubuntu.com
Thu May 26 15:41:04 UTC 2011


On Tue, May 24, 2011 at 11:46:48AM -0700, Kees Cook wrote:
> As we have continued to close kernel address leaks, the kernel syslog
> (dmesg) remains one of the last large places where information is being
> reported. As such, I want to close this off from regular users so that
> local kernel exploits continue to have an even harder time getting a
> foot-hold on vulnerabilities. And, as before, this is a tunable that you
> can change in /etc/sysctl.d/ if you do development work, like getting
> owned, etc. For the average user, this information is not needed.

What are the ways in which kernel addresses are leaked through dmesg?  Can
you provide some examples?  Is it not feasible to avoid leaking addresses,
while still passing on all of the useful data in dmesg to users?

-- 
 - mdz


