Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Mon, 27 Feb 2012 01:28:11 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: kernel.dmesg_restrict sysctl change submitted to OpenVZ

FWIW, I've just submitted the "make kernel.dmesg_restrict sysctl
tri-state and container-aware" change from our latest kernel patch on
Owl-current to OpenVZ (the relevant upstream):

http://bugzilla.openvz.org/show_bug.cgi?id=2197

"Hi,

The kernel.dmesg_restrict sysctl was added to mainline kernels and
backported to RHEL5 and RHEL6 by Red Hat.  One of its primary purposes
was to protect in-kernel addresses from being shown to non-root users
and thus hopefully to make exploitation of certain kinds of kernel bugs
more difficult and/or less reliable.

With OpenVZ containers, however, the in-container dmesg is usually
empty, and only sometimes does it contain useful info: that container's
iptables -j LOG output.

The attached patch makes kernel.dmesg_restrict tri-state:

0: no restriction;
1: non-root users can't access dmesg, root users on both hardware node
and in containers can access dmesg (seeing different log records as
appropriate);
2: non-root users and any user and root in containers can't access
dmesg, only root on the hardware node can access dmesg.

2 corresponds to behavior currently seen with 1, whereas the behavior
with 1 becomes more relaxed.  1 is then a reasonable default setting for
a distro (that's what we use on Owl now).

Please consider applying this change to your currently maintained kernel
branches.

Thanks,

Alexander"
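As an added illustration (not part of the message above and not the OpenVZ patch itself), the following POSIX shell snippet models the tri-state access decision the submission describes and audits a host's live kernel.dmesg_restrict value against a minimum. The container check based on /proc/vz and /proc/bc is an assumption borrowed from common OpenVZ detection heuristics, not something the message states.

```shell
#!/bin/sh
# Added example: models the tri-state kernel.dmesg_restrict policy from the
# OpenVZ submission and audits the live sysctl.  Not the patch's own code.

# dmesg_access_policy VALUE IN_CONTAINER IS_ROOT
# Prints "allow" or "deny" for a reader of dmesg under the described policy:
#   0: no restriction
#   1: root may read (on the hardware node and inside containers), others may not
#   2: only root on the hardware node may read
dmesg_access_policy() {
  value=$1; in_container=$2; is_root=$3
  case "$value" in
    0) echo allow ;;
    1) if [ "$is_root" = 1 ]; then echo allow; else echo deny; fi ;;
    2) if [ "$is_root" = 1 ] && [ "$in_container" = 0 ]; then echo allow; else echo deny; fi ;;
    *) echo unknown; return 1 ;;
  esac
}

# in_openvz_container
# Assumption (not from the message): inside an OpenVZ container /proc/vz exists
# but /proc/bc does not; on the hardware node both exist.
in_openvz_container() {
  if [ -d /proc/vz ] && [ ! -d /proc/bc ]; then echo 1; else echo 0; fi
}

# check_dmesg_restrict [SYSCTL_PATH] [MINIMUM]
# Reads the sysctl (or a file standing in for it during tests) and returns
# 0 when the value is at least MINIMUM (default 1, the distro default the
# message recommends), 1 when it is weaker, 2 when it cannot be evaluated.
check_dmesg_restrict() {
  path=${1:-/proc/sys/kernel/dmesg_restrict}
  minimum=${2:-1}
  if [ ! -r "$path" ]; then
    echo "dmesg_restrict: sysctl not readable at $path" >&2
    return 2
  fi
  read -r value < "$path"
  case "$value" in
    0|1|2) ;;
    *) echo "dmesg_restrict: unexpected value '$value'" >&2; return 2 ;;
  esac
  if [ "$value" -ge "$minimum" ]; then
    echo "dmesg_restrict=$value (ok, minimum $minimum)"
    return 0
  fi
  echo "dmesg_restrict=$value (below minimum $minimum)"
  return 1
}

# Run the audit when invoked with DMESG_RESTRICT_AUDIT=1 so the file can
# also be sourced as a library without side effects.
if [ "${DMESG_RESTRICT_AUDIT:-0}" = 1 ]; then
  ic=$(in_openvz_container)
  echo "in_openvz_container=$ic"
  check_dmesg_restrict "" 1
fi
```

Run it as `DMESG_RESTRICT_AUDIT=1 sh dmesg_restrict_audit.sh` on a host, or source it and call check_dmesg_restrict with a path to a saved sysctl value when auditing offline copies of a system's /proc/sys tree. Note that value 2 is only meaningful on kernels carrying the tri-state change; a mainline kernel accepts only 0 and 1.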
