| Message ID | 20180330221804.29241-2-rosenp@gmail.com |
|---|---|
| State | Rejected |
| Series | [LEDE-DEV,1/3] kernel: Restrict dmesg output to root. |
On 2018-03-30 15:18, Rosen Penev wrote:
> The only downside to this is that it breaks perf with non-root users. I don't think this is an issue in OpenWrt.
>
> Signed-off-by: Rosen Penev <rosenp@gmail.com>
> ---
> package/base-files/files/etc/sysctl.conf | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/package/base-files/files/etc/sysctl.conf b/package/base-files/files/etc/sysctl.conf
> index ddc7a9bf69..61a43057a1 100644
> --- a/package/base-files/files/etc/sysctl.conf
> +++ b/package/base-files/files/etc/sysctl.conf
> @@ -2,6 +2,9 @@ kernel.panic=3
> kernel.core_pattern=/tmp/%e.%t.%p.%s.core
> fs.suid_dumpable=2
>
> +#disable kernel pointer access from normal users
> +kernel.kptr_restrict=1
NACK. This will probably make some back traces in case of crashes less useful and thus hurt debugging.
Also, it's completely pointless, since we don't have KASLR and thus the kernel memory addresses are mostly stable and predictable anyway.

- Felix
On Sat, Mar 31, 2018 at 5:18 PM, Felix Fietkau <nbd@nbd.name> wrote:
> On 2018-03-30 15:18, Rosen Penev wrote:
>> The only downside to this is that it breaks perf with non-root users. I don't think this is an issue in OpenWrt.
>>
>> Signed-off-by: Rosen Penev <rosenp@gmail.com>
>> ---
>> package/base-files/files/etc/sysctl.conf | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/package/base-files/files/etc/sysctl.conf b/package/base-files/files/etc/sysctl.conf
>> index ddc7a9bf69..61a43057a1 100644
>> --- a/package/base-files/files/etc/sysctl.conf
>> +++ b/package/base-files/files/etc/sysctl.conf
>> @@ -2,6 +2,9 @@ kernel.panic=3
>> kernel.core_pattern=/tmp/%e.%t.%p.%s.core
>> fs.suid_dumpable=2
>>
>> +#disable kernel pointer access from normal users
>> +kernel.kptr_restrict=1
> NACK. This will probably make some back traces in case of crashes less
> useful and thus hurt debugging.
> Also, it's completely pointless, since we don't have KASLR and thus the
> kernel memory addresses are mostly stable and predictable anyway.
>
Will drop.
> - Felix
diff --git a/package/base-files/files/etc/sysctl.conf b/package/base-files/files/etc/sysctl.conf index ddc7a9bf69..61a43057a1 100644 --- a/package/base-files/files/etc/sysctl.conf +++ b/package/base-files/files/etc/sysctl.conf @@ -2,6 +2,9 @@ kernel.panic=3 kernel.core_pattern=/tmp/%e.%t.%p.%s.core fs.suid_dumpable=2 +#disable kernel pointer access from normal users +kernel.kptr_restrict=1 + net.ipv4.conf.default.arp_ignore=1 net.ipv4.conf.all.arp_ignore=1 net.ipv4.ip_forward=1
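Review bot: the comment added in this hunk, `#disable kernel pointer access from normal users`, overstates what the setting does and should be reworded; `kernel.kptr_restrict=1` only replaces pointer values printed with the `%pK` format (as exposed through `/proc/kallsyms`, dmesg and similar interfaces) with zeros for users that lack CAP_SYSLOG, it does not disable access to anything. A comment such as `# hide kernel pointer values (%pK) from users without CAP_SYSLOG` would describe the effect accurately. Separately, the commit message's claim that breaking perf for non-root users is the only downside does not address the objection raised in review (less useful crash backtraces, and no KASLR on these targets so addresses are predictable regardless); if the change is resubmitted, the message should state what hiding pointer values still buys without address randomization.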
The only downside to this is that it breaks perf with non-root users. I don't think this is an issue in OpenWrt.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
package/base-files/files/etc/sysctl.conf | 3 +++
1 file changed, 3 insertions(+)