Proposal: Enabling DMESG_RESTRICT for Groovy Onward
Matthew Ruffell
matthew.ruffell at canonical.com
Fri Jul 24 00:59:19 UTC 2020
Hello!
I am following up on my proposal to enable CONFIG_SECURITY_DMESG_RESTRICT on
Groovy onward with debdiffs necessary to implement the feature.
Quick recap:
I propose that we restrict access to dmesg to users in group 'adm' like so:
1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
2) Following changes to /bin/dmesg permissions in package 'util-linux'
- Ownership changes to root:adm
- Permissions changed to 0750 (-rwxr-x---)
- Add cap_syslog capability to binary.
3) Add a commented out '# kernel.dmesg_restrict = 0' to
/etc/sysctl.d/10-kernel-hardening.conf
Why do we want this?
Currently unprivileged users can access the kernel log buffer / dmesg with no
restrictions, but cannot access journalctl or /var/log/kern.log or /var/log/syslog.
Kernel oops messages can leak sensitive information such as kernel pointers in
their register dumps, which helps attackers with their priv esc exploits.
For more context, read:
https://lists.ubuntu.com/archives/ubuntu-devel/2020-June/041063.html
Current status:
1) Has been implemented with commit:
https://kernel.ubuntu.com/git/ubuntu/unstable.git/commit/?id=25e6c851704a47c81e78e1a82530ac4b328098a6
Thanks Seth!
2) I have prepared a debdiff to util-linux which implements the changes, and
is ready for review here:
https://launchpadlibrarian.net/489863172/lp1886112_util-linux_groovy.debdiff
3) I have prepared a debdiff to procps, and is ready for review here:
https://launchpadlibrarian.net/489863145/lp1886112_procps_groovy.debdiff
Can I please get feedback on the long term maintainability of the patches,
particularly the changes to util-linux? Would Debian be interested in these
changes?
If everyone is in agreement with the changes, can I please get the debdiffs
sponsored?
The Launchpad Bug for this proposal is LP1886112:
https://bugs.launchpad.net/bugs/1886112
Test packages for procps and util-linux for Groovy can be found in this ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/lp1886112-test
Thanks,
Matthew
On 3/07/20 6:44 am, Seth Forshee wrote:
> On Wed, Jun 17, 2020 at 12:40:36PM +1200, Matthew Ruffell wrote:
>> Hello!
>>
>> I am proposing that we enable the CONFIG_SECURITY_DMESG_RESTRICT [1] feature by
>> default for Groovy onward.
>
> Seems like the discussion on this has stalled. I checked with the
> security team and they are +1 on this, so I went ahead and made the
> change in our 5.7/5.8 kernel trees. It's likely to be a couple of weeks
> before we land one of these in groovy-release, so hopefully that will
> give enough time to at least update /usr/bin/dmesg.
>
> Thanks,
> Seth
More information about the ubuntu-devel
mailing list