yzh n00b
Joined: 25 Feb 2011 Posts: 53
Posted: Wed Apr 10, 2013 11:41 am Post subject: Gentoo Hardened and CONFIG_GRKERNSEC_DMESG
Hi there,
I turned on CONFIG_GRKERNSEC_DMESG=y and the grsec sysctl settings of my hardened kernel, using sys-kernel/hardened-sources-3.7.5-r1.
But I'm still allowed to perform dmesg as non-root. My sysctl settings are:
Code:
$ sudo sysctl -a | grep dmesg
kernel.dmesg_restrict = 1
kernel.grsecurity.dmesg = 1
And I'm able to perform dmesg as non-root:
Code:
$ dmesg | head -n2
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
Any idea why this is not restricted?
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Wed Apr 10, 2013 12:59 pm
yzh ...
I can't say for sure, but dmesg_restrict is set by CONFIG_SECURITY_DMESG_RESTRICT, so perhaps these both need to be enabled for grsecurity.dmesg to come into effect.
HTH & best ... khay
yzh n00b
Joined: 25 Feb 2011 Posts: 53
Posted: Wed Apr 10, 2013 1:13 pm
khayyam wrote:
    I can't say for sure but dmesg_restrict is set by CONFIG_SECURITY_DMESG_RESTRICT, so perhaps these both need to be enabled for grsecurity.dmesg to come into effect.

I will try, but it would be weird because the kernel description says:
Code:
CONFIG_SECURITY_DMESG_RESTRICT:
This enforces restrictions on unprivileged users reading the kernel
syslog via dmesg(8).
If this option is not selected, no restrictions will be enforced
unless the dmesg_restrict sysctl is explicitly set to (1).
If you are unsure how to answer this question, answer N.

That would suggest that this is normally disabled but can also be enabled by setting it via sysctl, which I'm doing right now.
Anyway, thx for the suggestion. Will give it a try and report back.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Wed Apr 10, 2013 2:02 pm
yzh wrote:
    That would suggest that this is normally disabled but can also be enabled by setting it via sysctl, which I'm doing right now.

yzh ... yes, that's how I read it also, but my thought was that, like other items in menuconfig, it may be badly worded. If the above were true then "[t]his enforces restrictions on unprivileged users reading the kernel syslog via dmesg" would not be what the option does; it simply sets it to 'on'.
Hopefully it does more than advertised :)
best ... khay
yzh n00b
Joined: 25 Feb 2011 Posts: 53
Posted: Wed Apr 10, 2013 2:15 pm
Ok, it does not work:
Code:
$ zgrep DMESG /proc/config.gz
CONFIG_GRKERNSEC_DMESG=y
CONFIG_SECURITY_DMESG_RESTRICT=y
$ sudo sysctl -a | grep dmesg
kernel.dmesg_restrict = 1
kernel.grsecurity.dmesg = 1
$ dmesg | head -n2
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
nicke# n00b
Joined: 12 Oct 2002 Posts: 10 Location: Malmö, Sweden
Posted: Fri Apr 12, 2013 9:53 pm
I too have noticed the same problem with the latest stable hardened sources. With my previous kernel 3.4.5-hardened, dmesg restriction was enforced.
# zgrep DMESG /proc/config.gz
CONFIG_GRKERNSEC_DMESG=y
CONFIG_SECURITY_DMESG_RESTRICT=y
# sysctl -a | grep dmesg
kernel.dmesg_restrict = 1
kernel.grsecurity.dmesg = 1
# uname -r
3.7.5-hardened-r1
This seems to be a bug..
yzh n00b
Joined: 25 Feb 2011 Posts: 53
Posted: Fri Apr 12, 2013 11:46 pm
nicke# wrote:
    I too have noticed the same problem with the latest stable hardened sources. With my previous kernel 3.4.5-hardened, dmesg restriction was enforced.
    # zgrep DMESG /proc/config.gz
    CONFIG_GRKERNSEC_DMESG=y
    CONFIG_SECURITY_DMESG_RESTRICT=y
    # sysctl -a | grep dmesg
    kernel.dmesg_restrict = 1
    kernel.grsecurity.dmesg = 1
    # uname -r
    3.7.5-hardened-r1
    This seems to be a bug..

Good to know it's not only me. I'll see if I can make a bug report later.
EDIT: bug report here: https://bugs.gentoo.org/show_bug.cgi?id=465758
nicke# n00b
Joined: 12 Oct 2002 Posts: 10 Location: Malmö, Sweden
Posted: Mon Apr 15, 2013 1:44 pm
Thank you for reporting the bug.
With the new version of hardened sources the dmesg output is again restricted.
$ dmesg
dmesg: read kernel buffer failed: Operation not permitted
$ uname -r
3.8.3-hardened
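The lesson of this thread is that a set sysctl is not proof of an enforced restriction: on 3.7.5-hardened-r1 every knob read "restricted" while dmesg still printed the log. The following POSIX sh script is an added example, written for this page and not taken from any of the posts above or from the hardened-sources project; it compares what /proc/config.gz and `sysctl -a` claim with what an actual dmesg attempt does, and reports a MISMATCH when they disagree. The function names (config_value, sysctl_value, expected_state, observed_state, verdict, live_audit) are my own; it assumes the `NAME = VALUE` layout of `sysctl -a` output and the `CONFIG_X=y` / `# CONFIG_X is not set` layout of /proc/config.gz, and it treats a non-zero dmesg exit or the "Operation not permitted" message shown in the last post as a blocked read.

```shell
#!/bin/sh
# Added example, not taken from any post in this thread: compare what the kernel
# config and sysctl say about dmesg restriction with what an unprivileged dmesg
# call actually does. Function names and the parsing layout are my own assumptions.

# config_value NAME TEXT: value of NAME in /proc/config.gz text ("y", "m", ...),
# "n" for "# NAME is not set", empty string if the symbol does not appear at all.
config_value() {
    printf '%s\n' "$2" | sed -n \
        -e "s/^$1=\(.*\)$/\1/p" \
        -e "s/^# $1 is not set$/n/p" | head -n 1
}

# sysctl_value NAME TEXT: value of "NAME = VALUE" in captured `sysctl -a` output;
# empty string when the key is absent (a non-grsecurity kernel has no
# kernel.grsecurity.dmesg, for instance).
sysctl_value() {
    printf '%s\n' "$2" | sed -n "s/^$1 = \(.*\)$/\1/p" | head -n 1
}

# expected_state CONFIG_SECURITY_DMESG_RESTRICT dmesg_restrict grsecurity.dmesg
# Per the Kconfig help quoted in the thread, the read should be refused when the
# option is built in or when either sysctl is 1; otherwise it is allowed.
expected_state() {
    if [ "$1" = "y" ] || [ "$2" = "1" ] || [ "$3" = "1" ]; then
        echo restricted
    else
        echo unrestricted
    fi
}

# observed_state OUTPUT EXITCODE: classify one dmesg attempt. The fixed kernel in
# the thread fails with "read kernel buffer failed: Operation not permitted";
# any non-zero exit is treated the same way, a clean exit as an unrestricted read.
observed_state() {
    case "$1" in
        *"Operation not permitted"*) echo restricted; return ;;
    esac
    if [ "${2:-0}" -ne 0 ]; then echo restricted; else echo unrestricted; fi
}

# verdict EXPECTED OBSERVED: "ok" when the two agree. A MISMATCH with
# expected=restricted is the situation reported in this thread.
verdict() {
    if [ "$1" = "$2" ]; then echo ok; else echo MISMATCH; fi
}

# live_audit: run the comparison on this host. Needs CONFIG_IKCONFIG_PROC for
# /proc/config.gz to exist; run it as an unprivileged user so the dmesg attempt
# is the one that matters.
live_audit() {
    cfg_text=""
    [ -r /proc/config.gz ] && cfg_text=$(zcat /proc/config.gz)
    sysctl_text=$(sysctl -a 2>/dev/null || true)
    expected=$(expected_state \
        "$(config_value CONFIG_SECURITY_DMESG_RESTRICT "$cfg_text")" \
        "$(sysctl_value kernel.dmesg_restrict "$sysctl_text")" \
        "$(sysctl_value kernel.grsecurity.dmesg "$sysctl_text")")
    if out=$(dmesg 2>&1); then rc=0; else rc=$?; fi
    observed=$(observed_state "$out" "$rc")
    echo "expected=$expected observed=$observed verdict=$(verdict "$expected" "$observed")"
}

# Only touch the running system when explicitly asked; the helpers above can be
# exercised on captured text without root or a hardened kernel.
if [ "${1:-}" = "--live" ]; then
    live_audit
fi
```

Run it as a normal user with `--live`. Fed the outputs pasted in this thread, the 3.7.5-hardened-r1 machine comes back as expected=restricted observed=unrestricted verdict=MISMATCH, and the 3.8.3-hardened machine as verdict=ok; the same check is worth keeping around after any kernel upgrade, since the sysctl values looked identical in both cases.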