Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 27 Feb 2012 01:28:11 +0400
From: Solar Designer <>
Subject: kernel.dmesg_restrict sysctl change submitted to OpenVZ

FWIW, I've just submitted the "make kernel.dmesg_restrict sysctl
tri-state and container-aware" change from our latest kernel patch on
Owl-current to OpenVZ (the relevant upstream):


The kernel.dmesg_restrict sysctl was added to mainline kernels and
backported to RHEL5 and RHEL6 by Red Hat.  One of its primary purposes
was to protect in-kernel addresses from being shown to non-root users
and thus hopefully to make exploitation of certain kinds of kernel bugs
more difficult or/and less reliable.

With OpenVZ containers, however, the in-container dmesg is usually
empty, and only sometimes it contains useful info: that container's
iptables -j LOG output.

The attached patch makes kernel.dmesg_restrict tri-state:

0: no restriction;
1: non-root users can't access dmesg, root users on both hardware node
and in containers can access dmesg (seeing different log records as
2: non-root users and any user and root in containers can't access
dmesg, only root on the hardware node can access dmesg.

2 corresponds to behavior currently seen with 1, whereas the behavior
with 1 becomes more relaxed.  1 is then a reasonable default setting for
a distro (that's what we use on Owl now).

Please consider applying this change to your currently maintained kernel



Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.