OpenVZ issue tracker: OVZ-5328

make kernel.dmesg_restrict sysctl container-aware

    Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Fix Version/s: OpenVZ-legacy
    • Component/s: Containers::Kernel
    • Security Level: Public
    • Environment:
      Operating System: All
      Platform: All

      Description

      Hi,

      The kernel.dmesg_restrict sysctl was added to mainline kernels and backported to RHEL5 and RHEL6 by Red Hat. One of its primary purposes was to protect in-kernel addresses from being shown to non-root users and thus, hopefully, to make exploitation of certain kinds of kernel bugs more difficult and/or less reliable.

      With OpenVZ containers, however, the in-container dmesg is usually empty, and only sometimes does it contain useful information: that container's iptables -j LOG output.

      The attached patch makes kernel.dmesg_restrict tri-state:

      0: no restriction;
      1: non-root users can't access dmesg; root on the hardware node and root in containers can both access dmesg (each seeing different log records as appropriate);
      2: neither non-root users nor anyone in a container (root included) can access dmesg; only root on the hardware node can.

      Setting 2 corresponds to the behavior currently seen with 1, whereas the behavior with 1 becomes more relaxed. 1 is then a reasonable default setting for a distro (that's what we use on Owl now).
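To make the three settings concrete, here is an added C model of the access decision they describe. It is not the attached patch (which is not reproduced on this page) and not OpenVZ kernel code: the `has_cap_syslog` and `in_container` flags stand in for the kernel's capability and container checks, and the names of the constants and functions are invented for the illustration. It also checks, by enumerating every kind of caller, the claim that new level 2 reproduces the current level 1 behavior.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the tri-state kernel.dmesg_restrict semantics.
 * Hypothetical names; the real patch uses the kernel's capable() and
 * container checks instead of these boolean parameters. */
#define DMESG_RESTRICT_NONE     0  /* no restriction */
#define DMESG_RESTRICT_NONROOT  1  /* root only, on the node and inside containers */
#define DMESG_RESTRICT_NODE     2  /* root on the hardware node only */

/* Behavior the request attributes to the current kernel when the sysctl is
 * set: only root on the hardware node may read the log, container root too
 * is denied. */
static bool current_openvz_allowed(int restrict_val, bool has_cap_syslog,
                                   bool in_container)
{
    if (restrict_val == 0)
        return true;
    return has_cap_syslog && !in_container;
}

/* Proposed container-aware tri-state check. */
static bool dmesg_allowed(int level, bool has_cap_syslog, bool in_container)
{
    switch (level) {
    case DMESG_RESTRICT_NONE:
        return true;
    case DMESG_RESTRICT_NONROOT:
        /* privileged callers pass; node and container root each see
         * their own set of log records */
        return has_cap_syslog;
    case DMESG_RESTRICT_NODE:
        /* nothing inside a container may read the log, privileged or not */
        return has_cap_syslog && !in_container;
    default:
        /* out-of-range values should never be stored; fail closed */
        return false;
    }
}

/* Range check a sysctl write handler would apply to the new value. */
static bool dmesg_restrict_value_valid(int v)
{
    return v >= DMESG_RESTRICT_NONE && v <= DMESG_RESTRICT_NODE;
}

/* The request's equivalence claim: for every caller, level 2 under the
 * patch behaves exactly like level 1 does today. */
static bool level2_matches_current_level1(void)
{
    for (int cap = 0; cap <= 1; cap++)
        for (int ct = 0; ct <= 1; ct++)
            if (dmesg_allowed(DMESG_RESTRICT_NODE, cap, ct) !=
                current_openvz_allowed(1, cap, ct))
                return false;
    return true;
}

int main(void)
{
    const char *who[] = { "unprivileged on node", "root on node",
                          "unprivileged in container", "root in container" };
    for (int level = 0; level <= 2; level++) {
        printf("dmesg_restrict=%d\n", level);
        for (int i = 0; i < 4; i++) {
            bool cap = i & 1, ct = i & 2;
            printf("  %-26s %s\n", who[i],
                   dmesg_allowed(level, cap, ct) ? "allowed" : "denied");
        }
    }
    printf("level 2 == current level 1: %s\n",
           level2_matches_current_level1() ? "yes" : "no");
    return 0;
}
```

Compiled and run stand-alone, the program prints the full decision table for each setting and confirms the equivalence; the interesting row is root in a container, which is the only caller whose outcome differs between 1 and 2.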

      Please consider applying this change to your currently maintained kernel branches.

      Thanks,

      Alexander

    People

    • Assignee: Vasily Averin (vvs)
    • Reporter: Solar Designer (solar@openwall.com)
    • Votes: 0
    • Watchers: 6