Enabling the kernel's DMESG_RESTRICT feature
Kees Cook
kees at ubuntu.com
Fri May 27 17:17:59 UTC 2011

On Fri, May 27, 2011 at 04:29:33PM +0100, Matt Zimmerman wrote:
> On Thu, May 26, 2011 at 04:55:59PM -0700, Kees Cook wrote:
> > I won't say it doesn't complicate things, but I would like to point out
> > that everyone else's suggestion for this is to completely remove the values
> > from the dmesg report itself, rendering it unavailable to any user, even
> > root.
>
> It seems we are forced into this dichotomy because there is only one log,
> which is mixing different types of information. Has anyone proposed
> separating kernel debugging information from simple status logging, and
> allowing the remainder to remain accessible to users?

I don't think this would end up being sensible either, as the task of
performing debugging may need access to both. I still don't see the problem
of debugging as root. If you're not the system owner, you're not going to
be able to _change_ the system in an effort to fix the problem you are
debugging.
--
Kees Cook
Ubuntu Security Team