From: Justin M. Forbes <[email protected]> Turn on SECURITY_DMESG_RESTRICT
It was requested by ProdSec that we enable SECURITY_DMESG_RESTRICT as this makes several security bugs more difficult to exploit. It should be noted that this just controls the default setting of kernel.dmesg_restrict sysctl and thus can be always set back to 0 at runtime. Users in the wheel group also have access to journalctl -k or sudo for dmesg access without giving it to every user on the system. Signed-off-by: Justin M. Forbes <[email protected]> diff --git a/redhat/configs/common/generic/CONFIG_SECURITY_DMESG_RESTRICT b/redhat/configs/common/generic/CONFIG_SECURITY_DMESG_RESTRICT index blahblah..blahblah 100644 --- a/redhat/configs/common/generic/CONFIG_SECURITY_DMESG_RESTRICT +++ b/redhat/configs/common/generic/CONFIG_SECURITY_DMESG_RESTRICT @@ -1 +1 @@ -# CONFIG_SECURITY_DMESG_RESTRICT is not set +CONFIG_SECURITY_DMESG_RESTRICT=y diff --git a/redhat/configs/fedora/generic/CONFIG_SECURITY_DMESG_RESTRICT b/redhat/configs/fedora/generic/CONFIG_SECURITY_DMESG_RESTRICT deleted file mode 100644 index blahblah..blahblah 0 --- a/redhat/configs/fedora/generic/CONFIG_SECURITY_DMESG_RESTRICT +++ /dev/null @@ -1 +0,0 @@ -CONFIG_SECURITY_DMESG_RESTRICT=y -- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2930 -- _______________________________________________ kernel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
