OVZ-5328: make kernel.dmesg_restrict sysctl container-aware

    Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Fix Version/s: OpenVZ-legacy
    • Component/s: Containers::Kernel
    • Security Level: Public
    • Environment:
      Operating System: All
      Platform: All

      Description

      Hi,

      The kernel.dmesg_restrict sysctl was added to mainline kernels and backported to RHEL5 and RHEL6 by Red Hat. One of its primary purposes was to protect in-kernel addresses from being shown to non-root users and thus hopefully to make exploitation of certain kinds of kernel bugs more difficult and/or less reliable.

      With OpenVZ containers, however, the in-container dmesg is usually empty, and only sometimes contains useful info: that container's iptables -j LOG output.

      The attached patch makes kernel.dmesg_restrict tri-state:

      0: no restriction;
      1: non-root users can't access dmesg, root users on both hardware node and in containers can access dmesg (seeing different log records as appropriate);
      2: non-root users and any user and root in containers can't access dmesg, only root on the hardware node can access dmesg.

      2 corresponds to behavior currently seen with 1, whereas the behavior with 1 becomes more relaxed. 1 is then a reasonable default setting for a distro (that's what we use on Owl now).

      Please consider applying this change to your currently maintained kernel branches.

      Thanks,

      Alexander
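An added audit helper (not from the issue or its attached patch) that models the tri-state semantics exactly as described in the request above and compares them with what a running node actually enforces for container root; it assumes vzctl and /proc/sys/kernel/dmesg_restrict are present on the hardware node:

```shell
#!/bin/sh
# Added example, not part of OVZ-5328 or its patch: models the tri-state
# kernel.dmesg_restrict semantics from the request and checks a live node.
# Assumptions: /proc/sys/kernel/dmesg_restrict exists on the hardware node,
# vzctl is installed, and "vzctl exec CTID dmesg" exits non-zero when the
# kernel refuses the read (dmesg reports EPERM and fails).

# expected_access VALUE ROLE -> prints "allowed" or "denied".
# ROLE is hn-root (root on the hardware node), ct-root (root inside a
# container) or non-root (unprivileged user anywhere).
expected_access() {
  case "$1" in
    0) echo allowed ;;
    1) case "$2" in hn-root|ct-root) echo allowed ;; *) echo denied ;; esac ;;
    2) case "$2" in hn-root) echo allowed ;; *) echo denied ;; esac ;;
    *) echo unknown; return 1 ;;
  esac
}

# expected_matrix VALUE -> one line per role, e.g. "1 ct-root allowed"
expected_matrix() {
  for role in hn-root ct-root non-root; do
    echo "$1 $role $(expected_access "$1" "$role")"
  done
}

# observed_ct_root CTID -> what root inside the container actually gets
observed_ct_root() {
  if vzctl exec "$1" dmesg >/dev/null 2>&1; then echo allowed; else echo denied; fi
}

# audit_container CTID: read the live sysctl, print the expected matrix and
# flag a mismatch between the documented semantics and observed behaviour
# for container root (the case whose result changes between values 1 and 2).
audit_container() {
  sysctl_file=/proc/sys/kernel/dmesg_restrict
  [ -r "$sysctl_file" ] || { echo "no dmesg_restrict on this kernel"; return 2; }
  value=$(cat "$sysctl_file")
  expected_matrix "$value"
  want=$(expected_access "$value" ct-root)
  got=$(observed_ct_root "$1")
  if [ "$want" = "$got" ]; then
    echo "CT $1: container root $got, matches documented semantics"
  else
    echo "CT $1: MISMATCH expected $want, observed $got"; return 1
  fi
}
```

Run `audit_container <CTID>` as root on the hardware node; a MISMATCH line means the kernel does not enforce the semantics the request documents for the current value.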
      Attachments

      1. diff-rh5-dmesg_restrict-description (0.9 kB, Vasily Averin)
      2. dmesg_restrict.diff (3 kB, Solar Designer)
      3. openvz-dmesg_restrict-doc.diff (2 kB, Solar Designer)

        Activity

        vvs Vasily Averin added a comment -

        fixed in 2.6.18-028stab101.1 kernel

        khorenko Konstantin Khorenko added a comment -

        Seems like the description does not reflect the real code; one of them needs to be fixed.

        vvs Vasily Averin added a comment -

        Attachment diff-rh5-dmesg_restrict-description has been added with description: dmesg_restrict is ignored inside containers

        vvs Vasily Averin added a comment -

        fixed in 028stab102.1 kernel

          People

          • Assignee: vvs Vasily Averin
          • Reporter: solar@openwall.com Solar Designer
          • Votes: 0
          • Watchers: 6
