Gentoo Forums
Gentoo Hardened and CONFIG_GRKERNSEC_DMESG
Forum: Networking & Security
yzh
n00b

Joined: 25 Feb 2011
Posts: 53
PostPosted: Wed Apr 10, 2013 11:41 am    Post subject: Gentoo Hardened and CONFIG_GRKERNSEC_DMESG

Hi there,

I turned on CONFIG_GRKERNSEC_DMESG=y and the grsec sysctl settings of my hardened kernel.

Using sys-kernel/hardened-sources-3.7.5-r1.

But I'm still allowed to perform dmesg as non-root. My sysctl settings are:
Code:

$ sudo sysctl -a | grep dmesg
kernel.dmesg_restrict = 1
kernel.grsecurity.dmesg = 1


And I'm able to perform dmesg as non-root:
Code:

$ dmesg | head -n2
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu


Any idea why this is not restricted?
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6227
Location: Room 101
PostPosted: Wed Apr 10, 2013 12:59 pm    Post subject:

yzh ...

I can't say for sure but dmesg_restrict is set by CONFIG_SECURITY_DMESG_RESTRICT, so perhaps these both need to be enabled for grsecurity.dmesg to come into effect.

HTH & best ... khay
yzh
n00b

Joined: 25 Feb 2011
Posts: 53
PostPosted: Wed Apr 10, 2013 1:13 pm    Post subject:

khayyam wrote:

I can't say for sure but dmesg_restrict is set by CONFIG_SECURITY_DMESG_RESTRICT, so perhaps these both need to be enabled for grsecurity.dmesg to come into effect.


I will try, but it would be weird because the kernel description says:

Code:

CONFIG_SECURITY_DMESG_RESTRICT:

This enforces restrictions on unprivileged users reading the kernel
syslog via dmesg(8).   

If this option is not selected, no restrictions will be enforced
unless the dmesg_restrict sysctl is explicitly set to (1).

If you are unsure how to answer this question, answer N.


That would suggest that this is normally disabled but can also be enabled by setting it via sysctl, which I'm doing right now.

Anyway, thx for the suggestion. Will give it a try and report back.
khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6227
Location: Room 101
PostPosted: Wed Apr 10, 2013 2:02 pm    Post subject:

yzh wrote:
That would suggest that this is normally disabled but can also be enabled by setting it via sysctl, which i'm doing right now.

yzh ... yes, that's how I read it also, but my thought was that, like other items in menuconfig, it may be badly worded. If the above were true then "[t]his enforces restrictions on unprivileged users reading the kernel syslog via dmesg" would not be what the option does; it would simply set it to 'on'.

Hopefully it does more than advertised :)

best ... khay
yzh
n00b

Joined: 25 Feb 2011
Posts: 53
PostPosted: Wed Apr 10, 2013 2:15 pm    Post subject:

Ok, it does not work:

Code:

$ zgrep DMESG /proc/config.gz
CONFIG_GRKERNSEC_DMESG=y
CONFIG_SECURITY_DMESG_RESTRICT=y

$ sudo sysctl -a | grep dmesg
kernel.dmesg_restrict = 1
kernel.grsecurity.dmesg = 1

$ dmesg | head -n2
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu


:(
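The post above shows the core of the problem: the build config and both sysctls advertise restriction, yet an unprivileged dmesg still returns the buffer. As an added example (not code from the thread or from the hardened-sources project), here is a small POSIX shell audit that compares what the kernel advertises (kernel.dmesg_restrict, kernel.grsecurity.dmesg, and the two CONFIG_ options from /proc/config.gz) against what an unprivileged read of the log buffer actually does, and reports a MISMATCH for exactly the state in this thread. The function and verdict names are my own; the DENIED_ANYWAY verdict assumes something other than dmesg_restrict (an LSM hook, a capability-restricted container) refused the read, which the script cannot tell apart.

```shell
#!/bin/sh
# Added example, not part of the thread: audit dmesg restriction by
# observation instead of trusting the sysctl value.

# What the kernel advertises: 1 if either the mainline or the grsecurity
# sysctl claims restriction, 0 if neither does, "unknown" if sysctl is absent.
advertised_restriction() {
    main=$(sysctl -n kernel.dmesg_restrict 2>/dev/null)
    grsec=$(sysctl -n kernel.grsecurity.dmesg 2>/dev/null)
    if [ -z "$main" ] && [ -z "$grsec" ]; then
        echo unknown
        return
    fi
    if [ "$main" = 1 ] || [ "$grsec" = 1 ]; then echo 1; else echo 0; fi
}

# Build-time options, when the kernel exports its config (/proc/config.gz).
config_flags() {
    gzip -dc /proc/config.gz 2>/dev/null \
        | grep -E '^CONFIG_(SECURITY_DMESG_RESTRICT|GRKERNSEC_DMESG)=' \
        || echo "config not exported"
}

# What actually happens: try to read the log buffer without privilege.
# dmesg(1) goes through syslog(2); a restricted kernel answers EPERM.
# Prints "readable", "denied", or "privileged" (probe run as root, so
# the result says nothing about unprivileged users).
observed_access() {
    if [ "$(id -u)" = 0 ]; then
        echo "run the probe as an unprivileged user, not root" >&2
        echo privileged
        return
    fi
    if dmesg >/dev/null 2>&1; then echo readable; else echo denied; fi
}

# Pure decision function, so the verdict logic can be checked without a kernel.
# Args: advertised (0/1/unknown) observed (readable/denied/privileged)
verdict() {
    case "$1:$2" in
        1:denied)     echo ENFORCED ;;
        1:readable)   echo MISMATCH ;;       # the state reported in this thread
        0:readable)   echo OPEN ;;
        0:denied)     echo DENIED_ANYWAY ;;  # assumption: LSM or container denied it
        *:privileged) echo INCONCLUSIVE ;;
        *)            echo UNKNOWN ;;
    esac
}

adv=$(advertised_restriction)
obs=$(observed_access)
printf 'config: %s\n' "$(config_flags | tr '\n' ' ')"
printf 'advertised=%s observed=%s verdict=%s\n' "$adv" "$obs" "$(verdict "$adv" "$obs")"
```

Run it as the ordinary user whose access you care about; a MISMATCH line is the signal to file a bug (or to check that the running kernel is the one whose config you read), because the sysctl alone proved nothing here.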
nicke#
n00b

Joined: 12 Oct 2002
Posts: 10
Location: Malmö, Sweden
PostPosted: Fri Apr 12, 2013 9:53 pm    Post subject:

I too have noticed the same problem with the latest stable hardened sources. With my previous kernel 3.4.5-hardened, dmesg restriction was enforced.

# zgrep DMESG /proc/config.gz
CONFIG_GRKERNSEC_DMESG=y
CONFIG_SECURITY_DMESG_RESTRICT=y
# sysctl -a | grep dmesg
kernel.dmesg_restrict = 1
kernel.grsecurity.dmesg = 1
# uname -r
3.7.5-hardened-r1

This seems to be a bug..
yzh
n00b

Joined: 25 Feb 2011
Posts: 53
PostPosted: Fri Apr 12, 2013 11:46 pm    Post subject:

nicke# wrote:
I too have noticed the same problem with the latest stable hardened sources. With my previous kernel 3.4.5-hardened, dmesg restriction was enforced.

# zgrep DMESG /proc/config.gz
CONFIG_GRKERNSEC_DMESG=y
CONFIG_SECURITY_DMESG_RESTRICT=y
# sysctl -a | grep dmesg
kernel.dmesg_restrict = 1
kernel.grsecurity.dmesg = 1
# uname -r
3.7.5-hardened-r1

This seems to be a bug..


Good to know it's not only me :) I'll see if I can make a bug report later.

EDIT: bug report here: https://bugs.gentoo.org/show_bug.cgi?id=465758
nicke#
n00b

Joined: 12 Oct 2002
Posts: 10
Location: Malmö, Sweden
PostPosted: Mon Apr 15, 2013 1:44 pm    Post subject:

Thank you for reporting the bug.

With new version of hardened sources the dmesg output is again restricted.

$ dmesg
dmesg: read kernel buffer failed: Operation not permitted
$ uname -r
3.8.3-hardened