
group.of.nepali.translators team mailing list archive

[Bug 1696558] Re: Enable CONFIG_SECURITY_DMESG_RESTRICT

 

I don't think that we should make this change. I explained my reasoning
in this email:

  https://lists.ubuntu.com/archives/kernel-team/2019-September/103615.html

For posterity, I'm copying the content below.

=================================
While enabling kernel hardening features is something that I'd typically
advocate for, I'm not sure that this particular one is still worth the
pain that we'd inflict on our users by enabling it.

This is a kernel config option that we'd really want to globally enable
or disable across all of our kernels, rather than doing something unique
in linux-aws, because it is a very user-visible feature.

The primary motivation for enabling this is to prevent unprivileged
users, who may be trying to attack the kernel, from learning about
kernel addresses that may aid them in an attack. However, I think that
the need for this sort of protection has been reduced greatly since 4.15
with the following commit:

 https://git.kernel.org/linus/ad67b74d2469d9b82aaa572d76474c95bc484d57

There could be an argument for enabling CONFIG_SECURITY_DMESG_RESTRICT
in Xenial since its base (4.4) kernel doesn't have commit
ad67b74d2469d9b82aaa572d76474c95bc484d57 but I worry that it is too
disruptive of a change to introduce 3 years into an LTS release. It
certainly isn't appropriate to introduce the change in Trusty ESM at
this point.

I think we can close out bug #1696558 now that we have global %p
hashing.
=================================

** Changed in: linux-aws (Ubuntu)
       Status: In Progress => Won't Fix

** Changed in: linux-aws (Ubuntu Disco)
       Status: In Progress => Won't Fix

** Changed in: linux-aws (Ubuntu Trusty)
       Status: In Progress => Won't Fix

** Changed in: linux-aws (Ubuntu Bionic)
       Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1696558

Title:
  Enable CONFIG_SECURITY_DMESG_RESTRICT

Status in linux-aws package in Ubuntu:
  Won't Fix
Status in linux-aws source package in Trusty:
  Won't Fix
Status in linux-aws source package in Xenial:
  In Progress
Status in linux-aws source package in Bionic:
  Won't Fix
Status in linux-aws source package in Disco:
  Won't Fix

Bug description:
  There is a request to enable the following for linux-aws.

  config SECURITY_DMESG_RESTRICT
          bool "Restrict unprivileged access to the kernel syslog"
          default n
          help
            This enforces restrictions on unprivileged users reading the kernel
            syslog via dmesg(8).

            If this option is not selected, no restrictions will be enforced
            unless the dmesg_restrict sysctl is explicitly set to (1).

            If you are unsure how to answer this question, answer N.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-aws/+bug/1696558/+subscriptions
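
The trade-off weighed in the message above can be checked per host. The following is an added example, not part of the original message or of any Ubuntu tooling: it combines the dmesg_restrict sysctl value with the kernel release to say whether unprivileged syslog reads are denied, allowed with hashed %p output, or allowed on a kernel older than 4.15. The function names and verdict words are hypothetical, and the 4.15 cutoff is taken from the message and assumed to hold for the running kernel.

```sh
#!/bin/sh
# Added example: names and verdict words are hypothetical.
# Assumption: %p hashing is present from mainline 4.15 on (per the message);
# a backport into an older distro kernel is not detected.

# has_ptr_hashing RELEASE: 0 if >= 4.15, 1 if older, 2 if unparseable.
has_ptr_hashing() {
    ver=${1%%-*}                      # "4.15.0-1057-aws" -> "4.15.0"
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    # Compare numerically: as strings, "4.4" would sort after "4.15".
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 15 ]; }
}

# assess RELEASE DMESG_RESTRICT: print one verdict word.
assess() {
    if [ "$2" = 1 ]; then
        echo restricted               # unprivileged syslog reads are denied
    elif has_ptr_hashing "$1"; then
        echo open-hashed              # readable, %p values are hashed
    else
        case $? in
            1) echo open-raw ;;       # readable, %p may print real addresses
            *) echo unknown ;;
        esac
    fi
}

# Constructed release strings, evaluated with dmesg_restrict=0.
for r in 4.4.0-1000-aws 4.15.0-1000-aws; do
    echo "$r dmesg_restrict=0 -> $(assess "$r" 0)"
done

# Live check, skipped where the sysctl file is not readable.
f=/proc/sys/kernel/dmesg_restrict
if [ -r "$f" ]; then
    echo "$(uname -r) -> $(assess "$(uname -r)" "$(cat "$f")")"
fi
```

Where the verdict is open-raw, the Kconfig help text quoted in the bug description gives the runtime alternative: setting the dmesg_restrict sysctl to 1 applies the restriction without changing the kernel config.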