Details
Type: Feature Request
Status: Closed
Priority: Minor
Resolution: Fixed
Fix Version/s: OpenVZ-legacy
Component/s: Containers::Kernel
Security Level: Public
Environment: Operating System: All
Platform: All
External issue URL:
External issue ID: 2197
Description
Hi,
The kernel.dmesg_restrict sysctl was added to mainline kernels and backported to RHEL5 and RHEL6 by Red Hat. One of its primary purposes was to protect in-kernel addresses from being shown to non-root users and thus hopefully to make exploitation of certain kinds of kernel bugs more difficult and/or less reliable.
With OpenVZ containers, however, the in-container dmesg is usually empty, and only sometimes does it contain useful info: that container's iptables -j LOG output.
The attached patch makes kernel.dmesg_restrict tri-state:
0: no restriction;
1: non-root users can't access dmesg, root users on both hardware node and in containers can access dmesg (seeing different log records as appropriate);
2: non-root users and any user and root in containers can't access dmesg, only root on the hardware node can access dmesg.
2 corresponds to behavior currently seen with 1, whereas the behavior with 1 becomes more relaxed. 1 is then a reasonable default setting for a distro (that's what we use on Owl now).
Please consider applying this change to your currently maintained kernel branches.
Thanks,
Alexander
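To make the proposed semantics concrete, here is an added C example (not the attached patch and not OpenVZ code): it models who may read the kernel ring buffer at each kernel.dmesg_restrict level as described above, reads the live sysctl value from procfs, and probes with klogctl(2) whether the current process can actually read the buffer. The policy function, its parameter names and the "in container" flag are assumptions modelling the description, not kernel API.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/klog.h>

/* Hypothetical model of the proposed tri-state kernel.dmesg_restrict. */
enum { DMESG_OPEN = 0, DMESG_ROOT_ANYWHERE = 1, DMESG_ROOT_HN_ONLY = 2 };

/* Returns 1 if a caller may read dmesg under the proposed policy.
 * is_root: caller is root; in_container: caller runs inside a container
 * rather than on the hardware node (HN). Unknown levels are denied. */
int dmesg_read_allowed(int restrict_level, int is_root, int in_container)
{
    switch (restrict_level) {
    case DMESG_OPEN:          return 1;                       /* 0 */
    case DMESG_ROOT_ANYWHERE: return is_root;                 /* 1 */
    case DMESG_ROOT_HN_ONLY:  return is_root && !in_container;/* 2 */
    default:                  return 0;
    }
}

/* Reads the current sysctl value from procfs; -1 if unavailable. */
int read_dmesg_restrict(void)
{
    FILE *f = fopen("/proc/sys/kernel/dmesg_restrict", "r");
    int v = -1;
    if (!f) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Probes whether this process can read the ring buffer.
 * Returns 1 (readable), 0 (denied with EPERM) or -1 (other error). */
int probe_dmesg_readable(void)
{
    char buf[256];
    /* SYSLOG_ACTION_READ_ALL (3): non-destructive read of the buffer. */
    int n = klogctl(3, buf, sizeof buf);
    if (n >= 0) return 1;
    return errno == EPERM ? 0 : -1;
}

int main(void)
{
    int level = read_dmesg_restrict();
    int seen = probe_dmesg_readable();
    printf("kernel.dmesg_restrict=%d: ring buffer read %s\n", level,
           seen == 1 ? "allowed" : seen == 0 ? "denied (EPERM)" : "error");
    return 0;
}
```

Run it once as an unprivileged user on the hardware node and once inside a container to compare the observed result against the level the model predicts for that context.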