mbox series

[T/X/B/D,linux-aws,SRU,0/1] Enable CONFIG_SECURITY_DMESG_RESTRICT for AWS

Message ID 20190816093430.17135-1-po-hsu.lin@canonical.com
Headers show
Series Enable CONFIG_SECURITY_DMESG_RESTRICT for AWS | expand

Message

Po-Hsu Lin Aug. 16, 2019, 9:34 a.m. UTC 
BugLink: https://bugs.launchpad.net/bugs/1696558

There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws.
It will restrict unprivileged access to the kernel syslog.


Test kernels could be found here:
https://people.canonical.com/~phlin/kernel/lp-1696558-cfg-dmesg-restrict-aws/

Tested on AWS cloud, this patch can limit the dmesg access.


Po-Hsu Lin (1):
  UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT

 debian.aws/config/annotations          | 2 ++
 debian.aws/config/config.common.ubuntu | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

Comments

Tyler Hicks Sept. 4, 2019, 9:35 p.m. UTC | #1 
On 2019-08-16 17:34:26, Po-Hsu Lin wrote:
> BugLink: https://bugs.launchpad.net/bugs/1696558
> 
> There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws.
> It will restrict unprivileged access to the kernel syslog.

While enabling kernel hardening features is something that I'd typically
advocate for, I'm not sure that this particular one is still worth the
pain that we'd inflict on our users by enabling it.

This is a kernel config option that we'd really want to globally enable
or disable across all of our kernels, rather than doing something unique
in linux-aws, because it is a very user-visible feature.

The primary motivation for enabling this is to prevent unprivileged
users, who may be trying to attack the kernel, from learning about
kernel addresses that may aide them in an attack. However, I think that
the need for this sort of protection has been reduced greatly since 4.15
with the following commit:

 https://git.kernel.org/linus/ad67b74d2469d9b82aaa572d76474c95bc484d57

There could be an argument for enabling CONFIG_SECURITY_DMESG_RESTRICT
in Xenial since its base (4.4) kernel doesn't have commit
ad67b74d2469d9b82aaa572d76474c95bc484d57 but I worry that it is too
disruptive of a change to introduce 3 years into an LTS release. It
certainly isn't appropriate to introduce the change in Trusty ESM at
this point.

I think we can close out bug #1696558 now that we have global %p
hashing.

Tyler

> Test kernels could be found here:
> https://people.canonical.com/~phlin/kernel/lp-1696558-cfg-dmesg-restrict-aws/
> 
> Tested on AWS cloud, this patch can limit the dmesg access.
> 
> 
> Po-Hsu Lin (1):
>   UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT
> 
>  debian.aws/config/annotations          | 2 ++
>  debian.aws/config/config.common.ubuntu | 2 +-
>  2 files changed, 3 insertions(+), 1 deletion(-)
> 
> -- 
> 2.7.4
> 
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team