List:       ubuntu-devel
Subject:    Enabling the kernel's DMESG_RESTRICT feature
From:       kees () ubuntu ! com (Kees Cook)
Date:       2011-05-27 17:17:59
Message-ID: 20110527171759.GY19633 () outflux ! net

On Fri, May 27, 2011 at 04:29:33PM +0100, Matt Zimmerman wrote:
> On Thu, May 26, 2011 at 04:55:59PM -0700, Kees Cook wrote:
> > I won't say it doesn't complicate things, but I would like to point out
> > that everyone else's suggestion for this is to completely remove the values
> > from the dmesg report itself, rendering it unavailable to any user, even
> > root.
> 
> It seems we are forced into this dichotomy because there is only one log,
> which is mixing different types of information.  Has anyone proposed
> separating kernel debugging information from simple status logging, and
> allowing the remainder to remain accessible to users?

I don't think this would end up being sensible either, as the task of
performing debugging may need access to both. I still don't see the problem
of debugging as root. If you're not the system owner, you're not going to
be able to _change_ the system in an effort to fix the problem you are
debugging.

-- 
Kees Cook
Ubuntu Security Team

