rockchip-rk3588: Enable CONFIG_SECURITY_DMESG_RESTRICT kernel option #7079

Merged
merged 3 commits into from
Aug 18, 2024


alexl83
Contributor

@alexl83 alexl83 commented Aug 13, 2024

Description

Set CONFIG_SECURITY_DMESG_RESTRICT=y for BRANCH=edge & BRANCH=current
Now rebased to apply on CURRENT=6.10.5 and EDGE=6.11-rc3

Advised for KASLR-enabled kernels, complements #7078 nicely (without depending on each other) - no side effect for non-KASLR-enabled kernels/boards

Info from linuxsecurity.expert on this topic (added by @ColorfulRhino):

What does kernel.dmesg_restrict do?

The sysctl key kernel.dmesg_restrict can be used to configure the Linux kernel and restrict access to information from dmesg.

The kernel can be instructed to limit who can access the information provided by dmesg. Typically this is a quick win to disallow normal users from seeing sensitive data that is stored by dmesg, like application crash details.

The kernel config option CONFIG_SECURITY_DMESG_RESTRICT is used to set the default value of this setting.

Values

0 - No restrictions
When dmesg_restrict is set to zero (0), there are no restrictions. This means all users can access information from dmesg.

1 - Restricted
Changing dmesg_restrict to one (1) will restrict access to those users that have the CAP_SYSLOG capability.

How Has This Been Tested?

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • My changes generate no new warnings
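
Because the config option only sets the default and the sysctl can still be changed after boot, a check of a built image should look at both. The following is an added example, not code from this PR or from the Armbian project; the function names are hypothetical and the sample files are constructed stand-ins for a kernel config and /proc/sys/kernel/dmesg_restrict.

```shell
#!/bin/sh
# Added example (not from the PR). Function names are hypothetical.

# Print the boot-time default implied by a kernel .config-style file:
# 1 when CONFIG_SECURITY_DMESG_RESTRICT=y, otherwise 0 (covers both
# "# ... is not set" and a missing symbol).
config_default() {
    if grep -q '^CONFIG_SECURITY_DMESG_RESTRICT=y$' "$1"; then
        echo 1
    else
        echo 0
    fi
}

# Print the live value from a sysctl file such as
# /proc/sys/kernel/dmesg_restrict, with whitespace stripped.
runtime_value() {
    tr -d '[:space:]' < "$1"
}

# Compare default and live value. Returns 0 when dmesg is restricted,
# 1 when any user can read it, 2 when the value is not 0 or 1.
audit_dmesg_restrict() {
    cfg_default=$(config_default "$1")
    live=$(runtime_value "$2")
    case "$cfg_default:$live" in
        1:1) echo "restricted (kernel default)"; return 0 ;;
        0:1) echo "restricted (set at runtime via sysctl)"; return 0 ;;
        1:0) echo "UNRESTRICTED (kernel default overridden at runtime)"; return 1 ;;
        0:0) echo "UNRESTRICTED (kernel default)"; return 1 ;;
        *)   echo "unexpected value: $live"; return 2 ;;
    esac
}

# Constructed sample input: a config fragment with the option this PR
# enables, and a stand-in for /proc/sys/kernel/dmesg_restrict that has
# been reset to 0 after boot.
demo=$(mktemp -d)
printf 'CONFIG_SECURITY=y\nCONFIG_SECURITY_DMESG_RESTRICT=y\n' > "$demo/config"
echo 0 > "$demo/dmesg_restrict"
audit_dmesg_restrict "$demo/config" "$demo/dmesg_restrict" || true
rm -rf "$demo"
```

On a running system, pass the kernel's config file and /proc/sys/kernel/dmesg_restrict as the two arguments to `audit_dmesg_restrict`.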

@github-actions github-actions bot added size/small PR with less then 50 lines Hardware Hardware related like kernel, U-Boot, ... labels Aug 13, 2024
@alexl83 alexl83 force-pushed the kaslr_kernel_hardening_opi5-plus branch 2 times, most recently from 1103cec to 831c6fc Compare August 13, 2024 11:48
@ColorfulRhino
Collaborator

ColorfulRhino commented Aug 13, 2024

Same from comment #7080 (comment) also applies here :)

@ColorfulRhino
Collaborator

Also for this one, let's wait until the 6.11 PR is merged since it will conflict otherwise and this change will get lost.

@alexl83 alexl83 changed the title kernel hardening opi5 plus rockchip-rk3588: Enable CONFIG_SECURITY_DMESG_RESTRICT kernel option Aug 13, 2024
@alexl83 alexl83 force-pushed the kaslr_kernel_hardening_opi5-plus branch from f84a137 to 8feb6f4 Compare August 13, 2024 19:43
@ColorfulRhino
Collaborator

I have updated the PR message to include some additional info for others to make it more easily understandable what this option does, without having to research it themselves.

igorpecovnik
igorpecovnik previously approved these changes Aug 15, 2024
@igorpecovnik igorpecovnik added Ready to merge Reviewed, tested and ready for merge 11 Milestone: Fourth quarter release labels Aug 15, 2024
@ColorfulRhino ColorfulRhino removed the Ready to merge Reviewed, tested and ready for merge label Aug 15, 2024
@ColorfulRhino
Collaborator

Let's wait and rebase after #7015 has been merged.

Advised for KASLR-enabled kernels - no side effect for non-KASLR
Advised for KASLR-enabled kernels - no side effect for non-KASLR

rewrite-kernel-config not needed as 6.11-rc3 config was already pristine
Member

@igorpecovnik igorpecovnik left a comment

OK, let's move this in

@igorpecovnik igorpecovnik added Ready to merge Reviewed, tested and ready for merge 08 Milestone: Third quarter release labels Aug 18, 2024
@igorpecovnik igorpecovnik merged commit 4ffe5bc into armbian:main Aug 18, 2024
11 checks passed
3 participants