From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752898AbcHZNaW (ORCPT ); Fri, 26 Aug 2016 09:30:22 -0400 Received: from mx1.redhat.com ([209.132.183.28]:46134 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751764AbcHZNaU (ORCPT ); Fri, 26 Aug 2016 09:30:20 -0400 Date: Fri, 26 Aug 2016 08:30:16 -0500 From: Josh Poimboeuf To: Linus Torvalds Cc: Frederic Weisbecker , Thomas Gleixner , Kees Cook , "H . Peter Anvin" , the arch/x86 maintainers , Nilay Vaish , Ingo Molnar , Andy Lutomirski , Steven Rostedt , Linux Kernel Mailing List , Brian Gerst , Peter Zijlstra , Byungchul Park Subject: Re: [PATCH 3/6] x86/dumpstack: make printk_stack_address() more generally useful Message-ID: <20160826133016.34yhryrhirwz72pk@treble> References: <20160824193707.qw7vii3l4ggcfl6d@treble> <20160825174904.vfam55lpo7geczqf@treble> <20160825210716.e3p42qm5k4yd3cqb@treble> <20160826031904.ldqgc6bg4g6is4un@treble> <20160826055658.igc5dghceuwwb6vu@treble> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.0.1 (2016-04-01) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Fri, 26 Aug 2016 13:30:20 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 25, 2016 at 11:12:40PM -0700, Linus Torvalds wrote: > On Aug 25, 2016 10:57 PM, "Josh Poimboeuf" wrote: > > > > But I still don't quite understand your statement that dmesg_restrict is > > only useful for locked down systems. > > > > To prevent kernel address disclosure, it seems we already rely on the > > user setting kptr_restrict today, otherwise I can do cat > > /proc/self/stack and the game is already lost, right? > > The point is: kptr_restrict actually makes sense, and is widely useful. It > doesn't really end up hurting normal things. It's a pretty targeted thing, > and generally doesn't actually hurt. You can still do basic health > monitoring without having to get elevated privileges, for example. > > Even system maintainers don't want to be root all the time. In fact, I > suspect that the better a system maintainer you are, the less you want to > be root - but you'll still want to see logs etc. > > So note the difference between kptr_restrict and dmesg_restrict. > > One is useful in a pretty wide environment, the other simply is not. > > > So what's the difference between expecting the user to set kptr_restrict > > vs dmesg_restrict? > > Do you see the difference now? > > kptr_restrict simply doesn't hurt as much as dmesg_restrict, so you can > enable it fairly widely by default. > > That makes it the *much* better security option. Because security options > that you can't enable aren't actually useful. Yeah, at least for human-administered systems, that does make sense. Grumpy sysadmins don't want to type "sudo dmesg" or "sudo journalctl" because a) they don't like change; and b) using sudo adds risk. And a security option which is never used is indeed useless. So *maybe* that's a good enough argument for expecting the user to only enable kptr_restrict instead of both. But with cloud, devops, mobile, embedded, IoT, [insert buzzword], it seems most systems are actually managed by software nowadays. Then the above arguments don't seem to apply, and dmesg_restrict could still be quite widely useful, no? -- Josh