I don't think that we should make this change. I explained my reasoning in this email:
https://lists.ubuntu.com/archives/kernel-team/2019-September/103615.html

For posterity, I'm copying the content below.

=================================

While enabling kernel hardening features is something that I'd typically advocate for, I'm not sure that this particular one is still worth the pain that we'd inflict on our users by enabling it. This is a kernel config option that we'd really want to globally enable or disable across all of our kernels, rather than doing something unique in linux-aws, because it is a very user-visible feature.

The primary motivation for enabling this is to prevent unprivileged users, who may be trying to attack the kernel, from learning about kernel addresses that may aid them in an attack. However, I think that the need for this sort of protection has been reduced greatly since 4.15 with the following commit:

https://git.kernel.org/linus/ad67b74d2469d9b82aaa572d76474c95bc484d57

There could be an argument for enabling CONFIG_SECURITY_DMESG_RESTRICT in Xenial since its base (4.4) kernel doesn't have commit ad67b74d2469d9b82aaa572d76474c95bc484d57, but I worry that it is too disruptive of a change to introduce 3 years into an LTS release. It certainly isn't appropriate to introduce the change in Trusty ESM at this point.

I think we can close out bug #1696558 now that we have global %p hashing.

=================================

** Changed in: linux-aws (Ubuntu)
   Status: In Progress => Won't Fix

** Changed in: linux-aws (Ubuntu Disco)
   Status: In Progress => Won't Fix

** Changed in: linux-aws (Ubuntu Trusty)
   Status: In Progress => Won't Fix

** Changed in: linux-aws (Ubuntu Bionic)
   Status: In Progress => Won't Fix

https://bugs.launchpad.net/bugs/1696558
Title: Enable CONFIG_SECURITY_DMESG_RESTRICT
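The trade-off argued in the email above comes down to two knobs (kernel.dmesg_restrict and kernel.kptr_restrict) plus whether the running kernel hashes %p by default (mainline 4.15 and later, via commit ad67b74d2469). The script below is an added example, not code from the bug thread or from any Ubuntu kernel tooling: it reports those sysctls, classifies the kernel release, and counts how many lines of a dmesg dump still carry what look like raw x86_64 kernel addresses (ffff8... direct map, ffffffff8... text, ffffffffc... modules) rather than hashed output ("(____ptrval____)" or a 32-bit hash zero-padded to pointer width). The sample dmesg lines are constructed for the example; the address regex assumes the x86_64 layout and should be adapted for other architectures.

```shell
#!/bin/sh
# Added example (not from the Launchpad bug or Ubuntu kernel tooling):
# audit how much an unprivileged user can learn from dmesg on this host.

# Print "name=value" for a kernel sysctl, or "name=absent" if the kernel
# doesn't expose it (dmesg_restrict exists since 2.6.37, kptr_restrict since 2.6.38).
show_sysctl() {
    if [ -r "/proc/sys/kernel/$1" ]; then
        printf '%s=%s\n' "$1" "$(cat "/proc/sys/kernel/$1")"
    else
        printf '%s=absent\n' "$1"
    fi
}

# Succeed (exit 0) if a release string such as `uname -r` output is >= 4.15,
# the first mainline release where %p is hashed by default (ad67b74d2469).
# Distribution kernels may carry a backport, so a "no" here means "look closer",
# not "definitely leaks".
kernel_hashes_p() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 15 ]; }
}

# Count stdin lines containing a plausible raw x86_64 kernel pointer:
# 16 hex digits starting ffff8..ffffff, delimited by non-hex characters.
# Hashed pointers never match: "(____ptrval____)" has no hex run, and a
# 32-bit hash padded to 16 digits starts with 00000000 rather than ffff.
count_raw_kaddrs() {
    grep -E -c '(^|[^0-9a-fA-F])(0x)?ffff[89a-f][0-9a-f]{11}([^0-9a-fA-F]|$)' || true
}

# Constructed sample dmesg output (assumption: not captured from a real host).
# Lines 3 and 4 carry raw text/stack addresses; lines 2, 5 and 6 do not.
SAMPLE_DMESG='[    0.000000] Linux version 4.4.0-0-generic (constructed sample)
[    1.234567] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[    1.234570] RIP: 0010:[<ffffffff8104a2b3>] some_function+0x13/0x40
[    1.234572] RSP: 0018:ffff880036d3fd40 EFLAGS: 00010246
[    2.000000] usb 1-1: new device, skb=(____ptrval____)
[    2.000001] pcie_pme 0000:00:1c.0:pcie01: service driver ptr 0000000042d3a9f1'

# Put it together against the live system (dmesg may be denied; then 0 is reported).
audit_dmesg_exposure() {
    show_sysctl dmesg_restrict
    show_sysctl kptr_restrict
    rel=$(uname -r)
    if kernel_hashes_p "$rel"; then
        printf 'kernel %s: %%p hashed by default\n' "$rel"
    else
        printf 'kernel %s: pre-4.15, %%p prints raw pointers unless patched\n' "$rel"
    fi
    printf 'raw kernel addresses visible in dmesg: %s\n' "$(dmesg 2>/dev/null | count_raw_kaddrs)"
    printf 'raw kernel addresses in constructed sample: %s\n' "$(printf '%s\n' "$SAMPLE_DMESG" | count_raw_kaddrs)"
}

audit_dmesg_exposure
```

On a 4.4-era kernel with dmesg_restrict=0 the last two numbers are what an unprivileged local user gets for free; on a 4.15+ kernel the live count should be zero unless a driver prints with %px or %lx, which is exactly the residual risk the email weighs against the disruption of restricting dmesg.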
