dmesg is not restricted in linux-raspi kernel
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-raspi (Ubuntu) | Fix Released | Undecided | Unassigned |
Groovy | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
The CONFIG_
This is in contrast to PC installs, where dmesg is now restricted to the "root" user in 20.10 onwards. The following messages from the ubuntu-devel list cover the original proposal (which proposed limiting dmesg to root:adm), and earlier discussion from 2011 (which proposed limiting dmesg to root alone, which is what was implemented in groovy):
https:/
https:/
[Test Case]
$ dmesg > /dev/null
$ echo $?
0
Should be:
$ dmesg
dmesg: read kernel buffer failed: Operation not permitted
[Regression Potential]
Ordinary users might still be able to execute dmesg and read the kernel logs.
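The test case above only shows whether the current user can read the ring buffer. The following is an added example, not part of the bug report or the Ubuntu packaging, that checks both the runtime sysctl and the build-time default. It assumes the standard `kernel.dmesg_restrict` sysctl file and the `CONFIG_SECURITY_DMESG_RESTRICT` kernel option; the function names and the file paths passed in are illustrative.

```shell
#!/bin/sh
# Added example: report whether unprivileged reads of the kernel log are blocked.
# File paths are arguments so the functions also work on constructed test files.

# runtime_state FILE -> restricted | unrestricted | unknown
# FILE is the sysctl file, normally /proc/sys/kernel/dmesg_restrict.
runtime_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case $(cat "$1") in
        0) echo unrestricted ;;
        1) echo restricted ;;
        *) echo unknown ;;
    esac
}

# config_default FILE -> y | n | unknown
# FILE is a kernel config (plain text, or gzip such as /proc/config.gz).
config_default() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case $1 in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    if $reader "$1" | grep -q '^CONFIG_SECURITY_DMESG_RESTRICT=y$'; then
        echo y
    elif $reader "$1" | grep -q '^# CONFIG_SECURITY_DMESG_RESTRICT is not set$'; then
        echo n
    else
        echo unknown
    fi
}

# audit_dmesg SYSCTL_FILE CONFIG_FILE
# Prints both findings; succeeds only when the running kernel is restricted.
audit_dmesg() {
    rt=$(runtime_state "$1")
    def=$(config_default "$2")
    echo "runtime=$rt default=$def"
    [ "$rt" = restricted ]
}

# On a live system:
#   audit_dmesg /proc/sys/kernel/dmesg_restrict "/boot/config-$(uname -r)"
```

A result of `runtime=restricted default=n` means the restriction comes from a sysctl set after boot rather than from the kernel build, so it depends on that setting staying in place.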
Changed in linux-raspi (Ubuntu Groovy):
status: New → Triaged
Changed in linux-raspi (Ubuntu Hirsute):
status: New → Triaged
description: updated
Changed in linux-raspi (Ubuntu Groovy):
status: Triaged → Fix Committed
no longer affects: linux-raspi (Ubuntu Hirsute)
This bug was fixed in the package linux-raspi - 5.8.0-1011.14
---------------
linux-raspi (5.8.0-1011.14) groovy; urgency=medium
* groovy/linux-raspi: 5.8.0-1011.14 -proposed tracker (LP: #1907562)
* dmesg is not restricted in linux-raspi kernel (LP: #1902934)
- [Config] raspi: SECURITY_DMESG_RESTRICT=y
[ Ubuntu: 5.8.0-34.37 ]
* groovy/linux: 5.8.0-34.37 -proposed tracker (LP: #1907576)
* Packaging resync (LP: #1786013)
- update dkms package versions
* [Ubuntu 21.04 FEAT] mpt3sas: Request to include the patch set which supports
topology where zoning is enabled in expander (LP: #1899802)
- scsi: mpt3sas: Define hba_port structure
- scsi: mpt3sas: Allocate memory for hba_port objects
- scsi: mpt3sas: Rearrange _scsih_mark_responding_sas_device()
- scsi: mpt3sas: Update hba_port's sas_address & phy_mask
- scsi: mpt3sas: Get device objects using sas_address & portID
- scsi: mpt3sas: Rename transport_del_phy_from_an_existing_port()
- scsi: mpt3sas: Get sas_device objects using device's rphy
- scsi: mpt3sas: Update hba_port objects after host reset
- scsi: mpt3sas: Set valid PhysicalPort in SMPPassThrough
- scsi: mpt3sas: Handling HBA vSES device
- scsi: mpt3sas: Add bypass_dirty_port_flag parameter
- scsi: mpt3sas: Handle vSES vphy object during HBA reset
- scsi: mpt3sas: Add module parameter multipath_on_hba
- scsi: mpt3sas: Bump driver version to 35.101.00.00
* CVE-2020-12912
- hwmon: (amd_energy) modify the visibility of the counters
* Intel Tiger Lake IDs supplement (LP: #1904521)
- mtd: spi-nor: intel-spi: Add support for Intel Tiger Lake-H SPI serial flash
- pinctrl: tigerlake: Add support for Tiger Lake-H
* [i915] Noise-like lines of graphics corruption when moving windows in Xorg
sessions (LP: #1896091)
- Revert "UBUNTU: SAUCE: drm/i915: Synchronize active and retire callbacks"
* Fix no headset sound after S3 on Intel HDA (LP: #1904595)
- ALSA: hda: Refactor codec PM to use direct-complete optimization
- ALSA: hda: Separate runtime and system suspend
- ALSA: hda: Reinstate runtime_allow() for all hda controllers
* Ask 8821C Bluetooth controller to drop old firmware (LP: #1904221)
- Bluetooth: btrtl: Ask 8821C to drop old firmware
- Bluetooth: btrtl: fix incorrect skb allocation failure check
* Use ACPI S5 for reboot (LP: #1904225)
- PM: ACPI: reboot: Use S5 for reboot
* Groovy update: v5.8.18 upstream stable release (LP: #1904941)
- netfilter: nftables_offload: KASAN slab-out-of-bounds Read in
nft_flow_rule_create
- io_uring: don't run task work on an exiting task
- io_uring: allow timeout/poll/files killing to take task into account
- io_uring: move dropping of files into separate helper
- io_uring: stash ctx task reference for SQPOLL
- io_uring: unconditionally grab req->task
- io_uring: return cancelation status from poll/timeout/files handlers
- io_uring: enable task/files specific overflow flushing
- io_uring: don't rely on weak ->files references
- io_uring: reference ->nsproxy for file table commands
- io_wq: Make io_wqe::lock a raw_spinlock_t...