[T/X/B/D linux-aws][SRU][PATCH 0/1] Enable CONFIG_SECURITY_DMESG_RESTRICT for AWS


Po-Hsu Lin (Sam)
BugLink: https://bugs.launchpad.net/bugs/1696558

There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws.
It will restrict unprivileged access to the kernel syslog.


Test kernels could be found here:
https://people.canonical.com/~phlin/kernel/lp-1696558-cfg-dmesg-restrict-aws/

Tested on AWS cloud, this patch can limit the dmesg access.


Po-Hsu Lin (1):
  UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT

 debian.aws/config/annotations          | 2 ++
 debian.aws/config/config.common.ubuntu | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

--
2.7.4



--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[T/linux-aws][SRU][PATCH 1/1] UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT

Po-Hsu Lin (Sam)
BugLink: https://bugs.launchpad.net/bugs/1696558

There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws.
It will restrict unprivileged access to the kernel syslog.

Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 debian.aws/config/annotations          | 2 ++
 debian.aws/config/config.common.ubuntu | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian.aws/config/annotations b/debian.aws/config/annotations
index 3442eb2..f013816 100644
--- a/debian.aws/config/annotations
+++ b/debian.aws/config/annotations
@@ -9776,6 +9776,8 @@ CONFIG_TUNE_Z13                                 policy<{'s390x': 'n'}>
 CONFIG_SECURITY_DMESG_RESTRICT                  policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_SECURITYFS                               policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_INTEL_TXT                                policy<{'amd64': 'y', 'i386': 'y'}>
+#
+CONFIG_SECURITY_DMESG_RESTRICT                  note<LP#1696558>
 
 # Menu: Security options >> Default security module
 CONFIG_DEFAULT_SECURITY_SELINUX                 policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc': 'n', 'ppc64el': 'n', 's390x': 'n'}>
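Review bot: the unchanged policy line for CONFIG_SECURITY_DMESG_RESTRICT just above the added lines still records 'n' for every architecture, while the config.common.ubuntu hunk in this patch sets the option to y, so the annotations and the config now disagree. Update that policy entry to 'y' for the architectures linux-aws builds in the same change, and keep the note<LP#1696558> line next to it.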
diff --git a/debian.aws/config/config.common.ubuntu b/debian.aws/config/config.common.ubuntu
index 0490452..0f13ba8 100644
--- a/debian.aws/config/config.common.ubuntu
+++ b/debian.aws/config/config.common.ubuntu
@@ -4096,7 +4096,7 @@ CONFIG_SECURITY_APPARMOR_HASH=y
 CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
 # CONFIG_SECURITY_APPARMOR_STATS is not set
 CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y
-# CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
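Review bot: the switch to CONFIG_SECURITY_DMESG_RESTRICT=y changes behaviour users will notice (unprivileged dmesg stops working by default), but the commit message says only that access is restricted. This option sets the boot-time default of the kernel.dmesg_restrict sysctl, so the message should say that administrators can still set kernel.dmesg_restrict=0 at runtime, and why the files under debian.aws should carry a different default from the other Ubuntu kernels.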
--
2.7.4



[X/linux-aws][SRU][PATCH 1/1] UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT

Po-Hsu Lin (Sam)
In reply to this post by Po-Hsu Lin (Sam)
BugLink: https://bugs.launchpad.net/bugs/1696558

There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws.
It will restrict unprivileged access to the kernel syslog.

Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 debian.aws/config/annotations          | 2 ++
 debian.aws/config/config.common.ubuntu | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian.aws/config/annotations b/debian.aws/config/annotations
index 2ac663c..4d6197d 100644
--- a/debian.aws/config/annotations
+++ b/debian.aws/config/annotations
@@ -9776,6 +9776,8 @@ CONFIG_TUNE_Z13                                 policy<{'s390x': 'n'}>
 CONFIG_SECURITY_DMESG_RESTRICT                  policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_SECURITYFS                               policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'powerpc': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_INTEL_TXT                                policy<{'amd64': 'y', 'i386': 'y'}>
+#
+CONFIG_SECURITY_DMESG_RESTRICT                  note<LP#1696558>
 
 # Menu: Security options >> Default security module
 CONFIG_DEFAULT_SECURITY_SELINUX                 policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'powerpc': 'n', 'ppc64el': 'n', 's390x': 'n'}>
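Review bot: the added bare `#` line above the note carries no text; drop it or turn it into a comment that says why the AWS kernel overrides the value. The policy entry in the context line above it is also left at 'n' for all architectures, which no longer matches the =y set in config.common.ubuntu.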
diff --git a/debian.aws/config/config.common.ubuntu b/debian.aws/config/config.common.ubuntu
index 6d981d1..f51ff7d 100644
--- a/debian.aws/config/config.common.ubuntu
+++ b/debian.aws/config/config.common.ubuntu
@@ -4100,7 +4100,7 @@ CONFIG_SECURITY_APPARMOR_HASH=y
 CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
 # CONFIG_SECURITY_APPARMOR_STATS is not set
 CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y
-# CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_PATH=y
--
2.7.4


[B/linux-aws][SRU][PATCH 1/1] UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT

Po-Hsu Lin (Sam)
In reply to this post by Po-Hsu Lin (Sam)
BugLink: https://bugs.launchpad.net/bugs/1696558

There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws.
It will restrict unprivileged access to the kernel syslog.

Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 debian.aws/config/annotations          | 1 +
 debian.aws/config/config.common.ubuntu | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian.aws/config/annotations b/debian.aws/config/annotations
index 2676d47..ef6331e 100644
--- a/debian.aws/config/annotations
+++ b/debian.aws/config/annotations
@@ -11514,6 +11514,7 @@ CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             policy<{'amd64': 'y', 'arm64': '
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             mark<ENFORCED>
 CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ             mark<ENFORCED>
 CONFIG_LOCK_DOWN_KERNEL                         mark<ENFORCED> flag<REVIEW>
+CONFIG_SECURITY_DMESG_RESTRICT                  note<LP#1696558>
 
 # Menu: Security options >> Default security module
 CONFIG_DEFAULT_SECURITY_SELINUX                 policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
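Review bot: the note is appended after the CONFIG_LOCK_DOWN_* mark<ENFORCED> entries and the hunk adds no policy<...> entry for CONFIG_SECURITY_DMESG_RESTRICT, so the annotations record a bug reference but not the value the config now has. Add a policy line with 'y' for the architectures this kernel builds and place the note directly beneath it, so the entry does not read as part of the lockdown block.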
diff --git a/debian.aws/config/config.common.ubuntu b/debian.aws/config/config.common.ubuntu
index 8012245..bc61e8b 100644
--- a/debian.aws/config/config.common.ubuntu
+++ b/debian.aws/config/config.common.ubuntu
@@ -6601,7 +6601,7 @@ CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
 CONFIG_SECURITY_APPARMOR_STACKED=y
 CONFIG_SECURITY_DEFAULT_DISPLAY_APPARMOR=y
 CONFIG_SECURITY_DEFAULT_DISPLAY_NAME="apparmor"
-# CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
 # CONFIG_SECURITY_LSM_DEBUG is not set
--
2.7.4



[D/linux-aws][SRU][PATCH 1/1] UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT

Po-Hsu Lin (Sam)
In reply to this post by Po-Hsu Lin (Sam)
BugLink: https://bugs.launchpad.net/bugs/1696558

There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws.
It will restrict unprivileged access to the kernel syslog.

Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 debian.aws/config/annotations          | 1 +
 debian.aws/config/config.common.ubuntu | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian.aws/config/annotations b/debian.aws/config/annotations
index ddd94a1..edff332 100644
--- a/debian.aws/config/annotations
+++ b/debian.aws/config/annotations
@@ -11507,6 +11507,7 @@ CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             policy<{'amd64': 'y', 'arm64': '
 #CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             mark<ENFORCED>
 CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ             mark<ENFORCED>
 #CONFIG_LOCK_DOWN_KERNEL                         mark<ENFORCED> flag<REVIEW>
+CONFIG_SECURITY_DMESG_RESTRICT                  note<LP#1696558>
 
 # Menu: Security options >> Default security module
 CONFIG_LSM                                      policy<{'amd64': '"yama,loadpin,integrity,apparmor"', 'arm64': '"yama,loadpin,integrity,apparmor"'}>
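Review bot: the added note<LP#1696558> line gives only a bug number and sits directly under the commented-out CONFIG_LOCK_DOWN_* marks, with no policy<...> entry for the option anywhere in the hunk. State the intended value in a policy line ('y' for the architectures built) and keep the note with it, so the reason and the value can be read together.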
diff --git a/debian.aws/config/config.common.ubuntu b/debian.aws/config/config.common.ubuntu
index 7502b1e..85b1615 100644
--- a/debian.aws/config/config.common.ubuntu
+++ b/debian.aws/config/config.common.ubuntu
@@ -7061,7 +7061,7 @@ CONFIG_SECURITY_APPARMOR=y
 # CONFIG_SECURITY_APPARMOR_DEBUG is not set
 CONFIG_SECURITY_APPARMOR_HASH=y
 CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
-# CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_NETWORK=y
--
2.7.4




NAK/CMNT: [T/X/B/D linux-aws][SRU][PATCH 0/1] Enable CONFIG_SECURITY_DMESG_RESTRICT for AWS

Tyler Hicks-2
In reply to this post by Po-Hsu Lin (Sam)
On 2019-08-16 17:34:26, Po-Hsu Lin wrote:
> BugLink: https://bugs.launchpad.net/bugs/1696558
>
> There is a request to enable CONFIG_SECURITY_DMESG_RESTRICT for linux-aws.
> It will restrict unprivileged access to the kernel syslog.

While enabling kernel hardening features is something that I'd typically
advocate for, I'm not sure that this particular one is still worth the
pain that we'd inflict on our users by enabling it.

This is a kernel config option that we'd really want to globally enable
or disable across all of our kernels, rather than doing something unique
in linux-aws, because it is a very user-visible feature.

The primary motivation for enabling this is to prevent unprivileged
users, who may be trying to attack the kernel, from learning about
kernel addresses that may aid them in an attack. However, I think that
the need for this sort of protection has been reduced greatly since 4.15
with the following commit:

 https://git.kernel.org/linus/ad67b74d2469d9b82aaa572d76474c95bc484d57

There could be an argument for enabling CONFIG_SECURITY_DMESG_RESTRICT
in Xenial since its base (4.4) kernel doesn't have commit
ad67b74d2469d9b82aaa572d76474c95bc484d57 but I worry that it is too
disruptive of a change to introduce 3 years into an LTS release. It
certainly isn't appropriate to introduce the change in Trusty ESM at
this point.

I think we can close out bug #1696558 now that we have global %p
hashing.

Tyler

> Test kernels could be found here:
> https://people.canonical.com/~phlin/kernel/lp-1696558-cfg-dmesg-restrict-aws/
>
> Tested on AWS cloud, this patch can limit the dmesg access.
>
>
> Po-Hsu Lin (1):
>   UBUNTU: [Config] Enable CONFIG_SECURITY_DMESG_RESTRICT
>
>  debian.aws/config/annotations          | 2 ++
>  debian.aws/config/config.common.ubuntu | 2 +-
>  2 files changed, 3 insertions(+), 1 deletion(-)
>
> --
> 2.7.4
>
>
>
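The argument in the reply above, as an added example that is not part of the thread: a shell check that reports whether the kernel log is readable by unprivileged users and, if it is, whether it still contains raw (unhashed) kernel addresses. The function names, release strings and log lines are constructed for illustration, and the address match is a heuristic for 64-bit kernels.

```shell
#!/bin/sh
# Added illustration, not from the thread. Names and log lines are constructed.

# True when kernel release $1 is 4.15 or newer, i.e. has hashed %p output.
has_ptr_hashing() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 15 ]; }
}

# Count tokens on stdin that look like raw 64-bit kernel addresses:
# 16 hex digits starting with ffff. Hashed %p values have the upper
# 32 bits zeroed, so they do not match. Heuristic only.
count_raw_pointers() {
    LC_ALL=C tr -cs '0-9a-zA-Z' '\n' |
        grep -Eic '^(0x)?ffff[0-9a-f]{12}$' || true
}

# Usage: dmesg_exposure RELEASE DMESG_RESTRICT < kernel-log
dmesg_exposure() {
    release=$1 restrict=$2
    raw=$(count_raw_pointers)
    if [ "$restrict" -ge 1 ]; then
        echo "restricted"            # unprivileged users cannot read the log
    elif [ "$raw" -gt 0 ]; then
        echo "readable raw=$raw"     # addresses visible to any local user
    elif has_ptr_hashing "$release"; then
        echo "readable hashed"       # log is open, but %p output is hashed
    else
        echo "readable no-hashing"   # nothing found here, but %p is unhashed
    fi
}

# Constructed sample lines in the style of a 4.4 and a 4.15 kernel log.
SAMPLE_44='[    0.812345] Freeing unused kernel memory: 1480K (ffffffff81f42000 - ffffffff820b4000)
[   12.345678] example_drv: buffer at ffff880036a4c000'
SAMPLE_415='[   12.345678] example_drv: buffer at 000000003f2a91c7
[   12.345900] example_drv: early buffer at (ptrval)'

printf '%s\n' "$SAMPLE_44"  | dmesg_exposure 4.4.0-1092-aws 0
printf '%s\n' "$SAMPLE_415" | dmesg_exposure 4.15.0-1044-aws 0
# Live (as root):
#   dmesg | dmesg_exposure "$(uname -r)" "$(sysctl -n kernel.dmesg_restrict)"
```

Kernels with %p hashing can still print raw addresses through other format specifiers such as %px, which is why the scan runs regardless of the release number.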