CONFIG_SECURITY_DMESG_RESTRICT
Kees Cook
kees.cook at canonical.com
Thu Nov 18 18:44:40 UTC 2010

Hi Jeremy,

On Thu, Nov 18, 2010 at 01:05:06PM -0500, Jeremy Foshee wrote:
> On Wed, Nov 17, 2010 at 04:38:13PM -0800, Kees Cook wrote:
> > On Thu, Nov 18, 2010 at 12:26:08AM +0000, Colin Ian King wrote:
> > > So are we going to change permissions on files such
> > > as /var/log/dmesg, /var/log/kern.log et al too?
> >
> > kern.log is already correct, but we should change dmesg, yes.
> >
> I wonder what implication this has on our bug reports that will always
> contain this information now.
>
> Will this create a need to not get dmesg due to attack concerns? We
> already have procedures in place for removing or scrubbing sensitive
> information as a part of the general triage information. Will removing
> or scrubbing this file need to become part of that?

Not that I'm aware of. The issue comes up when a local attacker is
preparing their exploit and can trigger information to appear in dmesg that
they can then examine and use to land their attack.

-Kees
--
Kees Cook
Ubuntu Security Team
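
Added example, not part of the message above or of any Ubuntu tooling: a shell check for the two places the thread says kernel log text can reach an unprivileged local user, the live ring buffer (the kernel.dmesg_restrict sysctl, whose default CONFIG_SECURITY_DMESG_RESTRICT sets) and the on-disk copies /var/log/dmesg and /var/log/kern.log. The function names and the optional ROOT prefix argument are assumptions introduced here so the check can also run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the thread).
# Usage: audit_dmesg_exposure [ROOT]
#   ROOT is a hypothetical path prefix (default: empty, i.e. the live system).
# Returns the number of findings as its exit status (0 = nothing exposed).

world_readable() {
    # The 8th character of the ls mode string is the "other" read bit.
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

audit_dmesg_exposure() {
    root=${1:-}
    findings=0

    # 1. Live ring buffer: governed by the dmesg_restrict sysctl.
    knob="$root/proc/sys/kernel/dmesg_restrict"
    if [ ! -r "$knob" ]; then
        echo "ring buffer: dmesg_restrict sysctl not found, treat as unrestricted"
        findings=$((findings + 1))
    elif [ "$(cat "$knob")" = "0" ]; then
        echo "ring buffer: readable by unprivileged users (dmesg_restrict=0)"
        findings=$((findings + 1))
    else
        echo "ring buffer: restricted (dmesg_restrict=$(cat "$knob"))"
    fi

    # 2. On-disk copies named in the thread: the sysctl does not cover these,
    #    so their file modes have to be checked separately.
    for f in var/log/dmesg var/log/kern.log; do
        path="$root/$f"
        [ -e "$path" ] || continue
        if world_readable "$path"; then
            echo "file: $path is world-readable"
            findings=$((findings + 1))
        else
            echo "file: $path is not world-readable"
        fi
    done

    return "$findings"
}
```

Call `audit_dmesg_exposure` with no argument to check the running system; a non-zero exit status is the count of exposed paths.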