Enabling the kernel's DMESG_RESTRICT feature
John McCabe-Dansted
gmatht at gmail.com
Fri May 27 15:10:55 UTC 2011
On Fri, May 27, 2011 at 7:44 AM, Kees Cook <kees at ubuntu.com> wrote:
> The problem is that dmesg is just a log. The contents can't be adjusted
> based on who is viewing it like (like has been done for the %pK sprintf
> uses in /proc, /sys, etc). Things like Oops reports will go to dmesg, which
> are utterly useless without all their addresses intact, etc.
One could also provide an suid utility that stripped out everything
that looks like an address.
For fun, I attach such a utility, though I am not convinced this is
the best approach. It
1) opens /var/log/dmesg
2) drops root privileges
3) filters out everything starting with '0x'
It strips out lots of things that aren't addresses, but It looks like
what it leaves could still be useful for many purposes. It may well
still leave some sensitive information unprotected, so I wouldn't use
it when it is not needed, particularly as it may cause confusion if
users mistake it for the real dmesg.
--
John C. McCabe-Dansted
-------------- next part --------------
A non-text attachment was scrubbed...
Name: udmesg.c
Type: text/x-csrc
Size: 685 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20110527/9b3e021f/attachment.c>
More information about the ubuntu-devel
mailing list