oss-sec mailing list archives

Re: Disabling reading of kernel log buffer reading for user

From: Grandma Eubanks <tborland1 () gmail com>
Date: Fri, 13 Mar 2015 09:55:18 -0500

Yeah, now comes the fun part. How to abuse services to bypass it?
Also, have you checked what happens with KASLR? Where it writes where the
new segments are?

I have a bug ticket open with redhat for a while now on abusing a
particular service that ends up dumping dmesg and chmod's it to any user
privilege to navigate around dmesg_restrict.

On Fri, Mar 13, 2015 at 7:44 AM, Jann Horn <jann () thejh net> wrote:

On Fri, Mar 13, 2015 at 09:56:58AM +0000, halfdog wrote:

* What would be the side effects of making /dev/kmesg only root

accessible? Maybe syslog not able to write kmessages to log?

* Would it be safe to disable the syslog syscall for action

SYSLOG_ACTION_READ_* and all users except root and syslog? Does someone
have tested selinux config for that?

/proc/sys/kernel/dmesg_restrict can be used to restrict access to the log
buffer.
It looks like at least rsyslogd uses /proc/kmsg to read messages from the
log
buffer, and that file is only accessible for root anyway.

Current thread:

Disabling reading of kernel log buffer reading for user halfdog (Mar 13)
- Re: Disabling reading of kernel log buffer reading for user Marek Kroemeke (Mar 13)
- Re: Disabling reading of kernel log buffer reading for user Jann Horn (Mar 13)
  - Re: Disabling reading of kernel log buffer reading for user Grandma Eubanks (Mar 13)