Proposal: Enabling DMESG_RESTRICT for Groovy Onward

Matthew Ruffell matthew.ruffell at canonical.com
Fri Jul 24 00:59:19 UTC 2020 

Hello!

I am following up on my proposal to enable CONFIG_SECURITY_DMESG_RESTRICT on
Groovy onward with debdiffs necessary to implement the feature.

Quick recap:

I propose that we restrict access to dmesg to users in group 'adm' like so:

1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
2) Following changes to /bin/dmesg permissions in package 'util-linux'
    - Ownership changes to root:adm
    - Permissions changed to 0750 (-rwxr-x---)
    - Add cap_syslog capability to binary.
3) Add a commented out '# kernel.dmesg_restrict = 0' to
   /etc/sysctl.d/10-kernel-hardening.conf
   
Why do we want this?

Currently unprivileged users can access the kernel log buffer / dmesg with no
restrictions, but cannot access journalctl or /var/log/kern.log or /var/log/syslog.
Kernel oops messages can leak sensitive information such as kernel pointers in
their register dumps, which helps attackers with their priv esc exploits.

For more context, read:
https://lists.ubuntu.com/archives/ubuntu-devel/2020-June/041063.html

Current status:

1) Has been implemented with commit:
https://kernel.ubuntu.com/git/ubuntu/unstable.git/commit/?id=25e6c851704a47c81e78e1a82530ac4b328098a6

Thanks Seth!

2) I have prepared a debdiff to util-linux which implements the changes, and
is ready for review here:
https://launchpadlibrarian.net/489863172/lp1886112_util-linux_groovy.debdiff

3) I have prepared a debdiff to procps, and is ready for review here:
https://launchpadlibrarian.net/489863145/lp1886112_procps_groovy.debdiff

Can I please get feedback on the long term maintainability of the patches,
particularly the changes to util-linux? Would Debian be interested in these
changes?

If everyone is in agreement with the changes, can I please get the debdiffs
sponsored?

The Launchpad Bug for this proposal is LP1886112:

https://bugs.launchpad.net/bugs/1886112

Test packages for procps and util-linux for Groovy can be found in this ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/lp1886112-test

Thanks,
Matthew

On 3/07/20 6:44 am, Seth Forshee wrote:
> On Wed, Jun 17, 2020 at 12:40:36PM +1200, Matthew Ruffell wrote:
>> Hello!
>>
>> I am proposing that we enable the CONFIG_SECURITY_DMESG_RESTRICT [1] feature by
>> default for Groovy onward.
> 
> Seems like the discussion on this has stalled. I checked with the
> security team and they are +1 on this, so I went ahead and made the
> change in our 5.7/5.8 kernel trees. It's likely to be a couple of weeks
> before we land one of these in groovy-release, so hopefully that will
> give enough time to at least update /usr/bin/dmesg.
> 
> Thanks,
> Seth

More information about the ubuntu-devel mailing list