LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking

[Posted November 17, 2010 by corbet]

From:  Ingo Molnar <mingo-AT-elte.hu>
To:  Marcus Meissner <meissner-AT-suse.de>
Subject:  Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking
Date:  Thu, 4 Nov 2010 12:46:48 +0100
Message-ID:  <20101104114648.GA23381@elte.hu>
Cc:  linux-kernel-AT-vger.kernel.org, jason.wessel-AT-windriver.com, fweisbec-AT-gmail.com, tj-AT-kernel.org, mort-AT-sgi.com, akpm-AT-osdl.org, security-AT-kernel.org, Andrew Morton <akpm-AT-linux-foundation.org>, Linus Torvalds <torvalds-AT-linux-foundation.org>, Peter Zijlstra <a.p.zijlstra-AT-chello.nl>, Thomas Gleixner <tglx-AT-linutronix.de>, "H. Peter Anvin" <hpa-AT-zytor.com>
Archive-link:  Article, Thread 


* Marcus Meissner <meissner@suse.de> wrote:

> Hi,
> 
> Making /proc/kallsyms readable only for root makes it harder for attackers to 
> write generic kernel exploits by removing one source of knowledge where things are 
> in the kernel.

Cc:-ed Linus - i think he argued in favor of such a patch in the past.

I generally agree with such patches (i have written some myself), but there's a few 
questions with this one, which make this limited change ineffective and which make 
it harder to implement a fuller patch that makes it truly harder to figure out the 
precise kernel build:

 - The real security obstruction effect is very small from this measure alone: the 
   overwhelming majority of our users are running distro kernels, so the Symbol.map 
   file (and hence 99% of /proc/kallsyms content) is well-known - unless we also 
   restrict 'uname -r' from nonprivileged users-ace. Hiding that might make sense - 
   but the two should be in one patch really.

 - ( It will break a few tools that can be run as a plain user out of box - perf
     for example. "chmod a+r /proc/kallsyms" during bootup will work that around so
     it's not the end of the world. )

 - For self-built kernels it might make sense - but there's "chmod a-r
   /proc/kallsyms" during bootup one can do already.

 - There's the side-question of module symbols - those are dynamically allocated
   hence arguably per system. But module symbols make up only 1% on a typical 
   booted up full distro box.

So what does a distribution like Suse expect from this change alone? Those have 
public packages in rpms which can be downloaded by anyone, so it makes little sense 
to hide it - unless _all_ version information is hidden.

So i'd like to see a _full_ version info sandboxing patch that thinks through all 
the angles and restricts uname -r kernel version info as well, and makes dmesg 
unaccessible to users - and closes a few other information holes as well that give 
away the exact kernel version - _that_ together will make it hard to blindly attack 
a very specific kernel version.

But without actually declaring and achieving that sandboxing goal this security 
measure is just a feel-good thing really - and makes it harder to make more 
difficult steps down the road, like closing 'uname -r' ...

I fully expect Linus to overrule me on this, but hey, i had to try it and lay out my 
arguments :-)

Thanks,

	Ingo
(Log in to post comments)

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds