Enabling the kernel's DMESG_RESTRICT feature

Kees Cook kees at ubuntu.com
Fri May 27 17:17:59 UTC 2011

On Fri, May 27, 2011 at 04:29:33PM +0100, Matt Zimmerman wrote:
> On Thu, May 26, 2011 at 04:55:59PM -0700, Kees Cook wrote:
> > I won't say it doesn't complicate things, but I would like to point out
> > that everyone else's suggestion for this is to completely remove the values
> > from the dmesg report itself, rendering it unavailable to any user, even
> > root.
> It seems we are forced into this dichotomy because there is only one log,
> which is mixing different types of information.  Has anyone proposed
> separating kernel debugging information from simple status logging, and
> allowing the remainder to remain accessible to users?

I don't think this would end up being sensible either, as the task of
performing debugging may need access to both. I still don't see the problem
of debugging as root. If you're not the system owner, you're not going to
be able to _change_ the system in an effort to fix the problem you are

Kees Cook
Ubuntu Security Team

More information about the ubuntu-devel mailing list