On Tue, 2 Oct 2012, Kees Cook wrote: > >> In the paranoid case of sysctl kernel.kptr_restrict=2, mask the kernel > >> virtual addresses in /proc/vmallocinfo too. > >> > >> Reported-by: Brad Spengler <spen...@grsecurity.net> > >> Signed-off-by: Kees Cook <keesc...@chromium.org> > > > > /proc/vmallocinfo is S_IRUSR, not S_IRUGO, so exactly what are you trying > > to protect? > > Trying to block the root user from seeing virtual memory addresses > (mode 2 of kptr_restrict). > > Documentation/sysctl/kernel.txt: > "This toggle indicates whether restrictions are placed on > exposing kernel addresses via /proc and other interfaces. When > kptr_restrict is set to (0), there are no restrictions. When > kptr_restrict is set to (1), the default, kernel pointers > printed using the %pK format specifier will be replaced with 0's > unless the user has CAP_SYSLOG. When kptr_restrict is set to > (2), kernel pointers printed using %pK will be replaced with 0's > regardless of privileges." > > Even though it's S_IRUSR, it still needs %pK for the paranoid case. >
So root does echo 0 > /proc/sys/kernel/kptr_restrict first. Again: what are you trying to protect? -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
