Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease ofattacking

From: Ingo Molnar
Date: Thu Nov 04 2010 - 07:47:22 EST

Next message: Indan Zupancic: "Re: [PATCH] drivers/misc: Altera Cyclone active serial implementation"
Previous message: Mattias Wallin: "Re: [PATCH] regulator: lock supply in regulator enable"
In reply to: Eugene Teo: "Re: [Security] [PATCH] kernel: make /proc/kallsyms mode 400 to reduceease of attacking"
Next in thread: Marcus Meissner: "Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Marcus Meissner <meissner@xxxxxxx> wrote:

> Hi,
>
> Making /proc/kallsyms readable only for root makes it harder for attackers to
> write generic kernel exploits by removing one source of knowledge where things are
> in the kernel.

Cc:-ed Linus - i think he argued in favor of such a patch in the past.

I generally agree with such patches (i have written some myself), but there's a few
questions with this one, which make this limited change ineffective and which make
it harder to implement a fuller patch that makes it truly harder to figure out the
precise kernel build:

- The real security obstruction effect is very small from this measure alone: the
overwhelming majority of our users are running distro kernels, so the Symbol.map
file (and hence 99% of /proc/kallsyms content) is well-known - unless we also
restrict 'uname -r' from nonprivileged users-ace. Hiding that might make sense -
but the two should be in one patch really.

- ( It will break a few tools that can be run as a plain user out of box - perf
for example. "chmod a+r /proc/kallsyms" during bootup will work that around so
it's not the end of the world. )

- For self-built kernels it might make sense - but there's "chmod a-r
/proc/kallsyms" during bootup one can do already.

- There's the side-question of module symbols - those are dynamically allocated
hence arguably per system. But module symbols make up only 1% on a typical
booted up full distro box.

So what does a distribution like Suse expect from this change alone? Those have
public packages in rpms which can be downloaded by anyone, so it makes little sense
to hide it - unless _all_ version information is hidden.

So i'd like to see a _full_ version info sandboxing patch that thinks through all
the angles and restricts uname -r kernel version info as well, and makes dmesg
unaccessible to users - and closes a few other information holes as well that give
away the exact kernel version - _that_ together will make it hard to blindly attack
a very specific kernel version.

But without actually declaring and achieving that sandboxing goal this security
measure is just a feel-good thing really - and makes it harder to make more
difficult steps down the road, like closing 'uname -r' ...

I fully expect Linus to overrule me on this, but hey, i had to try it and lay out my
arguments :-)

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Indan Zupancic: "Re: [PATCH] drivers/misc: Altera Cyclone active serial implementation"
Previous message: Mattias Wallin: "Re: [PATCH] regulator: lock supply in regulator enable"
In reply to: Eugene Teo: "Re: [Security] [PATCH] kernel: make /proc/kallsyms mode 400 to reduceease of attacking"
Next in thread: Marcus Meissner: "Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]