Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180727143141.4b53d554@gandalf.local.home>
Date: Fri, 27 Jul 2018 14:31:41 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Nick Desaulniers <ndesaulniers@...gle.com>
Cc: Jann Horn <jannh@...gle.com>, Golden_Miller83@...tonmail.ch,
 greg@...ah.com, Kees Cook <keescook@...gle.com>, salyzyn@...roid.com, LKML
 <linux-kernel@...r.kernel.org>, mingo@...hat.com, kernel-team@...roid.com,
 stable@...r.kernel.org, kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH] tracing: do not leak kernel addresses

On Fri, 27 Jul 2018 11:13:51 -0700
Nick Desaulniers <ndesaulniers@...gle.com> wrote:

> I found the internal bug report (reported Jan '17, you'll have to
> forgive me if my memory of the issue is hazy, or if the fix used at
> the time wasn't perfect), which was reported against the Nexus 6.
> >From the report, it was possible to `cat  
> /sys/kernel/debug/tracing/printk_formats` without being root, which I
> can't do on my workstations much more modern kernel (Nexus 6 was
> 3.10).  So I guess the question is what governs access to files below
> /sys/kernel/debug, and why was it missing from those kernels?  I
> assume some check was added, but either not backported to 3.10 stable
> (or more likely not pulled in to Nexus 6's kernel through stable;
> Android is now in a much better place for that kind of issue).

As of commit 82aceae4f0d4 ("debugfs: more tightly restrict default
mount mode") /sys/kernel/debug has been default mounted as 0700 (root
only). But that was introduced in 3.7. Not sure why your 3.10 kernel
didn't have that. Perhaps there's another commit that fixed
permissions not being inherited?

-- Steve

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.