[PATCH] UBUNTU: SAUCE: kernel: make /proc/kallsyms mode 400 to reduce ease of attacking

[Tim Gardner]

On 01/11/2011 05:54 PM, Kees Cook wrote:
> Making /proc/kallsyms readable only for root makes it harder
> for attackers to write generic kernel exploits by removing
> one source of knowledge where things are in the kernel.
>
> This is the second submit, discussion happened on this on first submit
> and mostly concerned that this is just one hole of the sieve ... but
> one of the bigger ones.
>
> Changing the permissions of at least System.map and vmlinux is
> also required to fix the same set, but a packaging issue.
>
> Target of this starter patch and follow ups is removing any kind of
> kernel space address information leak from the kernel.
>
> Ciao, Marcus
>
> [not upstream because some old sysklog daemons have a bug with this]
>
> OriginalAuthor: Marcus Meissner<meissner at suse.de>
>
> Signed-off-by: Marcus Meissner<meissner at suse.de>
> Acked-by: Tejun Heo<tj at kernel.org>
> Acked-by: Eugene Teo<eugeneteo at kernel.org>
> Reviewed-by: Jesper Juhl<jj at chaosbits.net>
> Signed-off-by: Kees Cook<kees.cook at canonical.com>
> ---
>   kernel/kallsyms.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
> index 6f6d091..a8db257 100644
> --- a/kernel/kallsyms.c
> +++ b/kernel/kallsyms.c
> @@ -546,7 +546,7 @@ static const struct file_operations kallsyms_operations = {
>
>   static int __init kallsyms_init(void)
>   {
> -	proc_create("kallsyms", 0444, NULL,&kallsyms_operations);
> +	proc_create("kallsyms", 0400, NULL,&kallsyms_operations);
>   	return 0;
>   }
>   device_initcall(kallsyms_init);

Applied to Natty. I assume this was not intended for Maverick ?

-- 
Tim Gardner tim.gardner at canonical.com