Date: Thu, 15 Apr 2010 14:12:22 +0800
From: Xiaotian Feng <xtfeng@...il.com>
To: wzt.wzt@...il.com
Cc: linux-kernel@...r.kernel.org, mingo@...hat.com, hpa@...or.com, x86@...nel.org, zippel@...ux-m68k.org
Subject: Re: [PATCH] Kconfig: Make config Filter access to /dev/mem default y

On Tue, Apr 13, 2010 at 10:52 AM, <wzt.wzt@...il.com> wrote:
> Recently, most companies have started using >=2.6.31 kernels to replace Red Hat kernels.
> But the config "Filter access to /dev/mem" is "default n", which allows kernel
> rootkits to use /dev/mem again. It can access all kernel memory by default. Most
> administrators don't know that "Filter access to /dev/mem" is "default N"; when
> he compiles the kernel, it can easily be attacked by a rootkit.

Have you ever successfully attacked this way? If CONFIG_STRICT_DEVMEM is not set, the /dev/mem access is filtered in pat code.

>
> Signed-off-by: Zhitong Wang <zhitong.wangzt@...baba-inc.com>
>
> --- > arch/x86/Kconfig.debug | 3 ++- > arch/x86/configs/i386_defconfig | 2 +- > arch/x86/configs/x86_64_defconfig | 2 +- > 3 files changed, 4 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug > index bc01e3e..733aea6 100644 > --- a/arch/x86/Kconfig.debug > +++ b/arch/x86/Kconfig.debug > @@ -7,6 +7,7 @@ source "lib/Kconfig.debug" > > config STRICT_DEVMEM > bool "Filter access to /dev/mem" > + default y > ---help--- > If this option is disabled, you allow userspace (root) access to all > of memory, including kernel and userspace memory. Accidental > @@ -20,7 +21,7 @@ config STRICT_DEVMEM > This is sufficient for dosemu and X and all common users of > /dev/mem. > > - If in doubt, say Y. > + If in doubt, say N. > > config X86_VERBOSE_BOOTUP > bool "Enable verbose x86 bootup info messages" > diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig > index d28fad1..95c85a8 100644 > --- a/arch/x86/configs/i386_defconfig > +++ b/arch/x86/configs/i386_defconfig 
> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y > # CONFIG_SAMPLES is not set > CONFIG_HAVE_ARCH_KGDB=y > # CONFIG_KGDB is not set > -# CONFIG_STRICT_DEVMEM is not set > +CONFIG_STRICT_DEVMEM=y > CONFIG_X86_VERBOSE_BOOTUP=y > CONFIG_EARLY_PRINTK=y > CONFIG_EARLY_PRINTK_DBGP=y > diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig > index 6c86acd..659bfe7 100644 > --- a/arch/x86/configs/x86_64_defconfig > +++ b/arch/x86/configs/x86_64_defconfig > @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y > # CONFIG_SAMPLES is not set > CONFIG_HAVE_ARCH_KGDB=y > # CONFIG_KGDB is not set > -# CONFIG_STRICT_DEVMEM is not set > +CONFIG_STRICT_DEVMEM=y > CONFIG_X86_VERBOSE_BOOTUP=y > CONFIG_EARLY_PRINTK=y > CONFIG_EARLY_PRINTK_DBGP=y > -- > 1.6.5.3
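
Review bot: The help-text change in the second arch/x86/Kconfig.debug hunk (@@ -20,7 +21,7 @@) goes the wrong way: it replaces "If in doubt, say Y." with "If in doubt, say N." while the first hunk adds "default y" and the changelog argues that the filter should be on. Drop that change so the help text keeps recommending Y and agrees with the new default; the diffstat for Kconfig.debug then shrinks to the single added line.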
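
Review bot: The i386_defconfig and x86_64_defconfig hunks are not covered by the subject or the changelog, which speak only of the Kconfig default. State in the changelog that both x86 defconfigs are switched from "# CONFIG_STRICT_DEVMEM is not set" to "CONFIG_STRICT_DEVMEM=y", or carry the two defconfig changes as a separate patch so the Kconfig.debug change can be judged on its own.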
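
For the situation the quoted changelog describes, an administrator who does not know how the option is set, here is an added shell example (not part of the original thread or of the kernel tree) that reports the state of CONFIG_STRICT_DEVMEM in a kernel config file. The function name `strict_devmem_state` and the sample fragments are constructed for illustration; typical inputs such as /boot/config-$(uname -r) or /proc/config.gz are assumed to be present on the system being checked.

```shell
#!/bin/sh
# Added example: report how CONFIG_STRICT_DEVMEM is set in a kernel config.
# Prints enabled, disabled, absent, unknown or unreadable.
# Exit status is 0 only when the option is enabled.
strict_devmem_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    # /proc/config.gz is gzip-compressed; /boot/config-* is plain text.
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # Match both "CONFIG_STRICT_DEVMEM=y" and "# CONFIG_STRICT_DEVMEM is not set".
    # The last matching line wins, as when a later fragment overrides an earlier one.
    line=$($reader "$cfg" | grep -E '^(# )?CONFIG_STRICT_DEVMEM[= ]' | tail -n 1)
    case $line in
        "CONFIG_STRICT_DEVMEM=y")            echo "enabled";  return 0 ;;
        "# CONFIG_STRICT_DEVMEM is not set") echo "disabled"; return 1 ;;
        "")                                  echo "absent";   return 1 ;;
        *)                                   echo "unknown";  return 1 ;;
    esac
}

# Constructed sample input: the before/after lines of the defconfig hunks above.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# CONFIG_KGDB is not set' \
        '# CONFIG_STRICT_DEVMEM is not set' > "$d/before"
    printf '%s\n' '# CONFIG_KGDB is not set' \
        'CONFIG_STRICT_DEVMEM=y' > "$d/after"
    for f in before after; do
        printf '%s: %s\n' "$f" "$(strict_devmem_state "$d/$f")"
    done
    rm -rf "$d"
}

# With a path argument, check that file; without one, run the constructed demo.
if [ "$#" -gt 0 ]; then strict_devmem_state "$1"; else demo; fi
```

A result of "absent" means the config file carries no line for the option at all, which is worth distinguishing from an explicit "is not set".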