Monday 10 August 2020

Re: Proposal: Enabling DMESG_RESTRICT for Groovy Onward

Hello!

I am again following up on my proposal to enable CONFIG_SECURITY_DMESG_RESTRICT
on Groovy onward with debdiffs necessary to implement the feature.

Since there have been no replies, I am assuming that no one has any objections
to adding this feature. The kernel team and security team are +1 due to their
agreement to enable CONFIG_SECURITY_DMESG_RESTRICT in the kernel.

I will ask a SEG package uploader to sponsor the debdiffs for procps and
util-linux in one week's time, on 2020-08-18. It would be great if a core
maintainer could +1 or ACK the changes, or please write back with any objections
before 2020-08-18.

Gianfranco Costamagna and Chris Hofstaedtler, I have included you to ask if you
have any objections, since you commonly perform merges from Debian, and the
changes to util-linux may increase maintenance burden.

Quick recap:

I propose that we restrict access to dmesg to users in group 'adm' like so:

1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
2) Following changes to /bin/dmesg permissions in package 'util-linux'
- Ownership changes to root:adm
- Permissions changed to 0750 (-rwxr-x---)
- Add cap_syslog capability to binary.
3) Add a commented out '# kernel.dmesg_restrict = 0' to
/etc/sysctl.d/10-kernel-hardening.conf

Why do we want this?

Currently unprivileged users can access the kernel log buffer / dmesg with no
restrictions, but cannot access journalctl or /var/log/kern.log or /var/log/syslog.
Kernel oops messages can leak sensitive information such as kernel pointers in
their register dumps, which helps attackers with their priv esc exploits.

For more context, read:
https://lists.ubuntu.com/archives/ubuntu-devel/2020-June/041063.html

Current status:

1) Has been implemented with commit:
https://kernel.ubuntu.com/git/ubuntu/unstable.git/commit/?id=25e6c851704a47c81e78e1a82530ac4b328098a6

This has now landed in kernel 5.8.0-12-generic in groovy-proposed.

Thanks Seth!

2) I have prepared a debdiff to util-linux which implements the changes, and
it is ready for review here:
https://launchpadlibrarian.net/492806625/lp1886112_util-linux_groovy.debdiff

3) I have prepared a debdiff to procps, and it is ready for review here:
https://launchpadlibrarian.net/489863145/lp1886112_procps_groovy.debdiff

Can I please get feedback on the long term maintainability of the patches,
particularly the changes to util-linux? Would Debian be interested in these
changes?

If everyone is in agreement with the changes, can I please get the debdiffs
sponsored?

The Launchpad Bug for this proposal is LP1886112:

https://bugs.launchpad.net/bugs/1886112

Test packages for procps and util-linux for Groovy can be found in this ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/lp1886112-test

Thanks,
Matthew
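
Added example (not part of the original message or of the Ubuntu packages): a shell check that compares a host's dmesg settings with the state listed in the recap above. The function names are hypothetical, the sample states are constructed, and matching on the string cap_syslog in getcap output is an assumption, since the message does not give the capability flags.

```shell
#!/bin/sh
# Compare dmesg-related settings with the state described in the proposal.
# Function names are hypothetical; sample values below are constructed.

# evaluate_dmesg_policy RESTRICT OWNER MODE CAPS
#   RESTRICT  value of kernel.dmesg_restrict
#   OWNER     user:group owning /bin/dmesg
#   MODE      octal mode of /bin/dmesg as printed by stat -c %a
#   CAPS      getcap output for /bin/dmesg (empty if none)
# Prints one FAIL line per deviation and returns 0 only if there are none.
evaluate_dmesg_policy() {
    restrict=$1; owner=$2; mode=$3; caps=$4; rc=0
    # CONFIG_SECURITY_DMESG_RESTRICT=y makes 1 the default for this sysctl.
    if [ "$restrict" != "1" ]; then
        echo "FAIL kernel.dmesg_restrict is '$restrict', expected 1"; rc=1
    fi
    if [ "$owner" != "root:adm" ]; then
        echo "FAIL owner is '$owner', expected root:adm"; rc=1
    fi
    if [ "$mode" != "750" ]; then
        echo "FAIL mode is '$mode', expected 750"; rc=1
    fi
    case $caps in
        *cap_syslog*)
            # Assumption: the capability is granted to whoever executes the file,
            # so an execute bit for "other" would reopen the log to all users.
            case $mode in
                *[1357]) echo "FAIL cap_syslog on a world-executable binary"; rc=1 ;;
            esac ;;
        *)  echo "FAIL cap_syslog not set on the binary"; rc=1 ;;
    esac
    return $rc
}

# Gather the four values from the running system (Linux, GNU stat, libcap getcap).
audit_live_dmesg() {
    bin=${1:-/bin/dmesg}
    evaluate_dmesg_policy \
        "$(sysctl -n kernel.dmesg_restrict 2>/dev/null)" \
        "$(stat -c '%U:%G' "$bin" 2>/dev/null)" \
        "$(stat -c '%a' "$bin" 2>/dev/null)" \
        "$(getcap "$bin" 2>/dev/null)"
}

# Constructed sample states, not captured from a real host.
echo "proposed:"; evaluate_dmesg_policy 1 root:adm 750 "/bin/dmesg cap_syslog=ep" && echo OK
echo "stock:";    evaluate_dmesg_policy 0 root:root 755 "" || true
```

On a host, call audit_live_dmesg; getcap is shipped in the libcap2-bin package.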
