|| ||Ingo Molnar <mingo-AT-elte.hu> |
|| ||Marcus Meissner <meissner-AT-suse.de> |
|| ||Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of
|| ||Thu, 4 Nov 2010 12:46:48 +0100|
|| ||linux-kernel-AT-vger.kernel.org, jason.wessel-AT-windriver.com,
fweisbec-AT-gmail.com, tj-AT-kernel.org, mort-AT-sgi.com, akpm-AT-osdl.org,
security-AT-kernel.org, Andrew Morton <akpm-AT-linux-foundation.org>,
Linus Torvalds <torvalds-AT-linux-foundation.org>,
Peter Zijlstra <a.p.zijlstra-AT-chello.nl>,
Thomas Gleixner <tglx-AT-linutronix.de>,
"H. Peter Anvin" <hpa-AT-zytor.com>|
|| ||Article, Thread
* Marcus Meissner <firstname.lastname@example.org> wrote:
> Making /proc/kallsyms readable only for root makes it harder for attackers to
> write generic kernel exploits by removing one source of knowledge where things are
> in the kernel.
Cc:-ed Linus - i think he argued in favor of such a patch in the past.
I generally agree with such patches (i have written some myself), but there's a few
questions with this one, which make this limited change ineffective and which make
it harder to implement a fuller patch that makes it truly harder to figure out the
precise kernel build:
- The real security obstruction effect is very small from this measure alone: the
overwhelming majority of our users are running distro kernels, so the Symbol.map
file (and hence 99% of /proc/kallsyms content) is well-known - unless we also
restrict 'uname -r' from nonprivileged users-ace. Hiding that might make sense -
but the two should be in one patch really.
- ( It will break a few tools that can be run as a plain user out of box - perf
for example. "chmod a+r /proc/kallsyms" during bootup will work that around so
it's not the end of the world. )
- For self-built kernels it might make sense - but there's "chmod a-r
/proc/kallsyms" during bootup one can do already.
- There's the side-question of module symbols - those are dynamically allocated
hence arguably per system. But module symbols make up only 1% on a typical
booted up full distro box.
So what does a distribution like Suse expect from this change alone? Those have
public packages in rpms which can be downloaded by anyone, so it makes little sense
to hide it - unless _all_ version information is hidden.
So i'd like to see a _full_ version info sandboxing patch that thinks through all
the angles and restricts uname -r kernel version info as well, and makes dmesg
unaccessible to users - and closes a few other information holes as well that give
away the exact kernel version - _that_ together will make it hard to blindly attack
a very specific kernel version.
But without actually declaring and achieving that sandboxing goal this security
measure is just a feel-good thing really - and makes it harder to make more
difficult steps down the road, like closing 'uname -r' ...
I fully expect Linus to overrule me on this, but hey, i had to try it and lay out my
to post comments)