| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Nov 2010 23:31:50 +0000 From: Alan Cox <alan@...rguk.ukuu.org.uk> To: Sarah Sharp <sarah.a.sharp@...ux.intel.com> Cc: Ingo Molnar <mingo@...e.hu>, Linus Torvalds <torvalds@...ux-foundation.org>, Marcus Meissner <meissner@...e.de>, linux-kernel@...r.kernel.org, tj@...nel.org, akpm@...ux-foundation.org, hpa@...or.com, w@....eu Subject: Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking > > /* Some debugging symbols have no name. Ignore them. */ > > - if (!iter->name[0]) > > + if (!iter->name[0] || !capable(CAP_SYS_ADMIN)) > > return 0; This is hardcoding file permission policy into the kernel in a way the user cannot change - its bogus in the extreme. Use file permissions that way saner people can chmod them as they like. Indeed quite a few people *already* chmod chunks of /proc. It also means that things like SELinux and Tomoyo can be used to manage security on it in clever ways - something that using a capability completely buggers up. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists