changes to GRKERNSEC_HIDESYM
Posted: Sat Nov 13, 2010 6:08 pm
With the latest patches just uploaded, a change has been made to the operation of GRKERNSEC_HIDESYM to make it more agreeable. The most visible effect of this is that it won't be necessary anymore to disable GRKERNSEC_HIDESYM to see symbols in oops/panic reports. I've introduced some new code to mark "approved" symbol uses. I've verified that these locations are only using the symbol information to print to the kernel logs, not to be used in /proc entries or anywhere else that non-privileged users could view. Because of this change, even though it's been mentioned to enable both GRKERNSEC_HIDESYM and GRKERNSEC_DMESG together, be sure you have both enabled to see the full benefit of GRKERNSEC_HIDESYM.
So to summarize the current behavior of GRKERNSEC_HIDESYM:
prevents use of system calls to query symbols/modules by non-privileged users
removes infoleaks of kernel addresses from /proc and netlink interfaces
makes /proc/kallsyms only visible by root
permits white-listed use of symbol information for BUG/OOPs/panic messages
denies any other use of symbol information
-Brad
So to summarize the current behavior of GRKERNSEC_HIDESYM:
prevents use of system calls to query symbols/modules by non-privileged users
removes infoleaks of kernel addresses from /proc and netlink interfaces
makes /proc/kallsyms only visible by root
permits white-listed use of symbol information for BUG/OOPs/panic messages
denies any other use of symbol information
-Brad