Date: Mon, 29 Nov 2010 08:33:24 -0800
From: Sarah Sharp
To: Ingo Molnar
Cc: Linus Torvalds, Marcus Meissner, linux-kernel@vger.kernel.org, tj@kernel.org, akpm@linux-foundation.org, hpa@zytor.com, w@1wt.eu, alan@lxorguk.ukuu.org.uk
Subject: Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking
Message-ID: <20101129163308.GA2383@xanatos>
References: <20101116104600.GA24015@suse.de> <20101119191906.GA31760@xanatos> <20101126074809.GD19589@elte.hu>
In-Reply-To: <20101126074809.GD19589@elte.hu>

On Fri, Nov 26, 2010 at 08:48:09AM +0100, Ingo Molnar wrote:
>
> * Linus Torvalds wrote:
>
> > On Fri, Nov 19, 2010 at 11:19 AM, Sarah Sharp wrote:
> > >
> > > .config and dmesg are attached. The box is running klogd 1.5.5ubuntu3
> > > (from Jaunty). Yes, I know that's old. I read the bit in the commit
> > > about changing the permissions of kallsyms after boot, but if I can't
> > > boot that doesn't help. Perhaps this can be made a configuration
> > > option?
> >
> > It's not worth a config option.
> >
> > If it actually breaks user-space, I think we should just revert it.
>
> Sarah,
>
> Does your system boot fine if we make /proc/kallsyms simply an empty file to
> unprivileged users? Something like the (untested ...) patch below.

Yes, that works. The system boots as normal. `cat /proc/kallsyms` returns an
empty file, and `sudo cat /proc/kallsyms` does not.

Sarah Sharp

> diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
> index 6f6d091..d54c993 100644
> --- a/kernel/kallsyms.c
> +++ b/kernel/kallsyms.c
> @@ -465,7 +465,7 @@ static int s_show(struct seq_file *m, void *p) > struct kallsym_iter *iter = m->private; > > /* Some debugging symbols have no name. Ignore them. */ > - if (!iter->name[0]) > + if (!iter->name[0] || !capable(CAP_SYS_ADMIN)) > return 0; > > if (iter->module_name[0]) {
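Review bot: the `capable(CAP_SYS_ADMIN)` test sits inside the per-symbol `s_show()` callback, so an unprivileged `cat /proc/kallsyms` still walks the entire symbol table and repeats the capability check once for every symbol only to emit nothing; the privilege decision belongs in a single check at open time (or once per `read()`), leaving `s_show()` untouched. Folding the check into the `!iter->name[0]` branch also leaves the surviving comment `/* Some debugging symbols have no name. Ignore them. */` describing only half of the condition; if the check does stay here, give it its own `if (!capable(CAP_SYS_ADMIN)) return 0;` with a comment stating that unprivileged readers get an empty listing. Ingo marks the patch as untested and Sarah's reply confirms only that the box boots and the unprivileged read is empty, which matches the hunk but does not exercise the per-symbol cost.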