Re: [PATCH 3/6] x86/dumpstack: make printk_stack_address() more generally useful
From: Josh Poimboeuf
Date: Fri Aug 26 2016 - 09:30:25 EST
On Thu, Aug 25, 2016 at 11:12:40PM -0700, Linus Torvalds wrote:
> On Aug 25, 2016 10:57 PM, "Josh Poimboeuf" <jpoimboe@xxxxxxxxxx> wrote:
> > But I still don't quite understand your statement that dmesg_restrict is
> > only useful for locked down systems.
> > To prevent kernel address disclosure, it seems we already rely on the
> > user setting kptr_restrict today, otherwise I can do cat
> > /proc/self/stack and the game is already lost, right?
> The point is: kptr_restrict actually makes sense, and is widely useful. It
> doesn't really end up hurting normal things. It's a pretty targeted thing,
> and generally doesn't actually hurt. You can still do basic health
> monitoring without having to get elevated privileges, for example.
> Even system maintainers don't want to be root all the time. In fact, I
> suspect that the better a system maintainer you are, the less you want to
> be root - but you'll still want to see logs etc.
> So note the difference between kptr_restrict and dmesg_restrict.
> One is useful in a pretty wide environment, the other simply is not.
> > So what's the difference between expecting the user to set kptr_restrict
> > vs dmesg_restrict?
> Do you see the difference now?
> kptr_restrict simply doesn't hurt as much as dmesg_restrict, so you can
> enable it fairly widely by default.
> That makes it the *much* better security option. Because security options
> that you can't enable aren't actually useful.
Yeah, at least for human-administered systems, that does make sense.
Grumpy sysadmins don't want to type "sudo dmesg" or "sudo journalctl"
because a) they don't like change; and b) using sudo adds risk.
And a security option which is never used is indeed useless. So *maybe*
that's a good enough argument for expecting the user to only enable
kptr_restrict instead of both.
But with cloud, devops, mobile, embedded, IoT, [insert buzzword], it
seems most systems are actually managed by software nowadays. Then the
above arguments don't seem to apply, and dmesg_restrict could still be
quite widely useful, no?