Enabling the kernel's DMESG_RESTRICT feature

Kees Cook kees at ubuntu.com
Thu May 26 23:44:25 UTC 2011


On Wed, May 25, 2011 at 09:37:47PM +0200, Martin Pitt wrote:
> Kees Cook [2011-05-25 12:05 -0700]:
> > Currently, the upstream kernel folks have rejected filtering printk.
> 
> That's not actually what I meant. Don't filter the outputs of printk()
> with some regexps. I meant "just kill the printk() call that prints
> the address". Why would you even need to printk() it if the very thing
> it prints out is not meant to be seen in logs?

Right. This is precisely what upstream has refused[1] to do.

The problem is that dmesg is just a log. The contents can't be adjusted
based on who is viewing it (like has been done for the %pK sprintf
uses in /proc, /sys, etc). Things like Oops reports will go to dmesg, which
are utterly useless without all their addresses intact, etc.

The only way to close this entire area of leaks is to make dmesg a
privileged resource, and that is possible using the dmesg_restrict stuff
(created for this very purpose).

-Kees

[1] http://marc.info/?l=linux-netdev&m=128915072325450&w=2

-- 
Kees Cook
Ubuntu Security Team
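
Added example (not part of the original message): a shell check of whether a system treats the kernel log as a privileged resource, by reading the kernel.dmesg_restrict sysctl the message refers to. The function names, the optional root-prefix argument and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Audit the dmesg_restrict setting (example code, not from the original post).
#
# check_dmesg_hardening [ROOT]
#   ROOT (hypothetical parameter) is a filesystem prefix, empty for the
#   live system; it lets the check run against a mounted image or a
#   constructed test tree.
# Return codes (chosen for this example):
#   0 = kernel log is restricted, 1 = readable by any local user,
#   2 = setting missing or unexpected.

read_kernel_sysctl() {
    # $1 = root prefix, $2 = name under /proc/sys/kernel
    f="$1/proc/sys/kernel/$2"
    [ -r "$f" ] || return 1
    tr -d ' \n' < "$f"
}

check_dmesg_hardening() {
    root="${1:-}"

    dr=$(read_kernel_sysctl "$root" dmesg_restrict) || {
        echo "dmesg_restrict: not available on this kernel"
        return 2
    }
    # kptr_restrict is reported for context only: it governs %pK output
    # in /proc and /sys, not text already written to the kernel log.
    kp=$(read_kernel_sysctl "$root" kptr_restrict) || kp="unavailable"

    case "$dr" in
        1) echo "dmesg_restrict=1: reading the kernel log requires privilege"
           rc=0 ;;
        0) echo "dmesg_restrict=0: any local user can read the kernel log"
           rc=1 ;;
        *) echo "dmesg_restrict=$dr: unexpected value"
           rc=2 ;;
    esac
    echo "kptr_restrict=$kp"
    return "$rc"
}
```

Call `check_dmesg_hardening` with no argument to inspect the running system; a result of 1 is corrected with `sysctl -w kernel.dmesg_restrict=1`.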



More information about the ubuntu-devel mailing list