In article ,
Maxime Villard wrote:
>On 18/01/2018 at 13:43, Tom Ivar Helbekkmo wrote:
>> Maxime Villard writes:
>>
>>> Well, looking at the code, it seems to me that _kvm_open() should be
>>> changed to
On 18/01/2018 at 13:43, Tom Ivar Helbekkmo wrote:
Maxime Villard writes:
Well, looking at the code, it seems to me that _kvm_open() should be
changed to keep /dev/ksyms open, the same way it keeps /dev/kmem open.
Agreed. This works fine for me, with and without
Maxime Villard writes:
>> Agreed. This works fine for me, with and without /dev/ksyms present:
>>
>> Index: lib/libkvm/kvm.c
>> [...]
>
> So, I guess I can commit it?
I've been running with that modification (and /dev/ksyms mode 440 and
group kmem) on all my systems since
Maxime Villard writes:
> Well, looking at the code, it seems to me that _kvm_open() should be
> changed to keep /dev/ksyms open, the same way it keeps /dev/kmem open.
Agreed. This works fine for me, with and without /dev/ksyms present:
Index: lib/libkvm/kvm.c
On 18/01/2018 at 11:03, Tom Ivar Helbekkmo wrote:
Maxime Villard writes:
So, making /dev/ksyms 440 root:kmem should not break anything.
If it does, then there's a bug in the offending tool in the first place.
Agreed. systat is one of them. It takes care to call
Maxime Villard writes:
> So, making /dev/ksyms 440 root:kmem should not break anything.
>
> If it does, then there's a bug in the offending tool in the first place.
Agreed. systat is one of them. It takes care to call kvm_openfiles()
while setgid kmem, but kvm_openfiles()
On 17/01/2018 at 21:43, Anders Magnusson wrote:
On 2018-01-17 at 20:20, Mouse wrote:
Maybe group kmem read, but that might require more elevated
privileges in the programs that use ksyms.
What program uses ksyms now that doesn't require at least group kmem?
You cannot give up kmem read
On Wed, Jan 17, 2018 at 07:19:32PM +0100, Anders Magnusson wrote:
> libkvm uses it to get the kernel symbol namelist instead of reading /netbsd
> for it (originally kvmdb, which was retired when ksyms was added).
> Programs like ps, netstat etc... use it to find in-kernel stuff, so you
> cannot
On 2018-01-17 at 20:20, Mouse wrote:
Maybe group kmem read, but that might require more elevated
privileges in the programs that use ksyms.
What program uses ksyms now that doesn't require at least group kmem?
You cannot give up kmem read privileges when calling ksyms read
routines.
I
>>> Maybe group kmem read, but that might require more elevated
>>> privileges in the programs that use ksyms.
>> What program uses ksyms now that doesn't require at least group kmem?
> You cannot give up kmem read privileges when calling ksyms read
> routines.
I don't see why not - or, at
On 2018-01-17 at 20:03, Mouse wrote:
Maybe group kmem read, but that might require more elevated
privileges in the programs that use ksyms.
What program uses ksyms now that doesn't require at least group kmem?
You cannot give up kmem read privileges when calling ksyms read routines.
> libkvm uses it to get the kernel symbol namelist instead of reading
> /netbsd for it (originally kvmdb, which was retired when ksyms was
> added). Programs like ps, netstat etc... use it to find in-kernel
> stuff, so you cannot change it to require root privs to be read.
But the symbol values
In article <20180117152524.ga11...@sdf.org>, wrote:
>-=-=-=-=-=-
>
>This leaks information that an unprivileged user probably has no reason to
>own:
>
>> cat /dev/ksyms > ksyms
>> readelf -a ksyms |wc -l
> 47594
>
>Any strong reason not to apply the following?
>Presumably it will
libkvm uses it to get the kernel symbol namelist instead of reading
/netbsd for it (originally kvmdb, which was retired when ksyms was added).
Programs like ps, netstat etc... use it to find in-kernel stuff, so you
cannot change it to require root privs to be read.
Maybe group kmem read, but
This leaks information that an unprivileged user probably has no reason to
own:
> cat /dev/ksyms > ksyms
> readelf -a ksyms |wc -l
47594
Any strong reason not to apply the following?
Presumably it will have benefits for GENERIC_KASLR, or people with
Intel CPUs :-)
Index: MAKEDEV.tmpl