xorl %eax, %eax

GRKERNSEC_DMESG dmesg Restriction

leave a comment »

Most administrators forget about the information contained in kernel’s log. The ‘GRKERNSEC_DMESG’ is another grsecurity feature that using a new sysctl entry allows administrators to restrict access to kernel’s log. A local user can obtain crucial information for exploitation from log files including: detection of virtual machines, information of devices, messages of kernel modules for feedback in exploitation etc. So, to begin with, here is the description of that feature:

config GRKERNSEC_DMESG
	bool "Dmesg(8) restriction"
	help
	  If you say Y here, non-root users will not be able to use dmesg(8)
	  to view up to the last 4kb of messages in the kernel's log buffer.
	  If the sysctl option is enabled, a sysctl option with name "dmesg" is
	  created.

The way that this is performed is really simple. A new check is added in do_syslog() (located at kernel/printk.c) as shown below.

int do_syslog(int type, char __user *buf, int len, bool from_file)
{
        unsigned i, j, limit, count;
        int do_clear = 0;
        char c;
        int error = 0;

#ifdef CONFIG_GRKERNSEC_DMESG
	if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
		return -EPERM;
#endif

 	error = security_syslog(type, from_file);
     ...
out:
        return error;
}

It checks that ‘grsec_enable_dmesg’ is non-zero and that ‘CAP_SYS_ADMIN’ (System Administrator) capability is set. If any of these is false, it will immediately return with “Permission Denied”. Otherwise, it will continue the logging.
Now, if we have a look at grsecurity/grsec_init.c we can find that integer value being defined and initialized to be enabled.

int grsec_enable_dmesg;
     ...
#ifdef CONFIG_GRKERNSEC_DMESG
	grsec_enable_dmesg = 1;
#endif

But as the description says this can be tuned through sysctl because it’s defined as one at grsecurity/grsec_sysctl.c file.

struct ctl_table grsecurity_table[] = {
    ...
#ifdef CONFIG_GRKERNSEC_DMESG
	{
		.procname	= "dmesg",
		.data		= &grsec_enable_dmesg,
		.maxlen		= sizeof(int),
		.mode		= 0600,
		.proc_handler	= &proc_dointvec,
	},
#endif
    ...
	{ }
};
#endif

So, this is readable and writable only by its owner and uses proc_dointvec() Linux kernel’s routine which can be found at kernel/sysctl.c.

Recently, Dan Rosenberg committed a similar patch to the upstream kernel. You can read about it here.

Written by xorl

November 9, 2010 at 04:00

Posted in grsecurity, linux, security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s