Going back to the late Linux 2.6 kernel days has been the CONFIG_DMESG_RESTRICT (or for the past number of years, renamed to CONFIG_SECURITY_DMESG_RESTRICT) Kconfig option to restrict access to dmesg in the name of security and not allowing unprivileged users from accessing this system log. While it’s been brought up from time to time, Linux distributions are still generally allowing any user access to dmesg even though it may contain information that could help bad actors exploit the system.
The primary motivation of CONFIG_SECURITY_DMESG_RESTRICT and an associated sysctl tunable as well (dmesg_restrict) is for restricting access to dmesg so unprivileged users can’t see the syslog to avoid possible kernel memory address exposures among other potentially sensitive information that could be leaked about the kernel to help anyone trying to exploit the system. But even with these options being available for years, most Linux distributions leave dmesg open to any user.
Over the years have been attempts like Ubuntu back in 2011 to consider enabling such functionality, but ultimately rejected over concerns of breaking some user-space utilities and the need to update documentation over dmesg access.
I was reminded of this current situation with Intel’s Clear Linux now eyeing the DMESG_RESTRICT feature in a new proposal. Clear Linux would potentially be restricting dmesg access in the name of security over potentially leaking kernel addresses.
Oracle’s VirtualBox was highlighted as one of the popular programs that ends up leaking addresses to dmesg. There’s been this VirtualBox bug report from three years ago highlighting the problem of kernel address information leaked but the issue was marked as “won’t fix” by upstream on the basis “Sorry, this is NOT a security problem and not a problem at all. Having these addresses is not a problem because special permissions are required to make use of them.“
Given the ever increasing security concerns and exploits, maybe 2019 will finally be the year of seeing more Linux distributions locking down dmesg?
>> Source Link