I was thinking about this over the weekend, and I think we overlooked the impact that setting CONFIG_SECURITY_DMESG_RESTRICT in the kernel config has on downstream users of Groovy's kernel, namely when it becomes Focal's HWE kernel.
Focal won't be receiving any patches for /usr/bin/dmesg, so I think it is better to not set CONFIG_SECURITY_DMESG_RESTRICT in the kernel config, but to instead set the kernel.dmesg_restrict sysctl to 1 in /etc/sysctl.d/10-kernel-hardening.conf. This would ensure it only changes Groovy onward, and doesn't cause any regressions for Focal HWE users.
I have emailed Seth Forshee asking to revert the config change.
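The distinction drawn above, between a restriction built into the kernel and one applied by a userspace sysctl drop-in, can be checked with a short script. This is an added example, not part of the original comment; the function names are hypothetical, the sample files are constructed, and it assumes a single sysctl.d directory is scanned.

```shell
#!/bin/sh
# Added example. Reports which layer decides kernel.dmesg_restrict.
# Simplification (assumption): only one sysctl.d directory is scanned.

# Print 1 if the kernel config file $1 builds in the restriction, else 0.
kconfig_default() {
    if grep -q '^CONFIG_SECURITY_DMESG_RESTRICT=y$' "$1" 2>/dev/null; then
        echo 1
    else
        echo 0
    fi
}

# Print "<value> <file>" for the last kernel.dmesg_restrict assignment in
# directory $1 (files in lexical order, later wins); print nothing if none.
sysctl_override() {
    found=""
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then found="$v ${f##*/}"; fi
    done
    echo "$found"
}

# Print "<effective value> <source>" for kernel config $1 and sysctl dir $2.
dmesg_restrict_source() {
    o=$(sysctl_override "$2")
    if [ -n "$o" ]; then
        echo "${o%% *} sysctl.d/${o#* }"
    else
        echo "$(kconfig_default "$1") kernel-config"
    fi
}

# Constructed sample inputs: a kernel config with the option on and off, and
# a userspace image with and without the hardening drop-in.
demo() {
    t=$(mktemp -d)
    mkdir "$t/with" "$t/without"
    echo 'CONFIG_SECURITY_DMESG_RESTRICT=y' > "$t/config.on"
    echo '# CONFIG_SECURITY_DMESG_RESTRICT is not set' > "$t/config.off"
    echo 'kernel.dmesg_restrict = 1' > "$t/with/10-kernel-hardening.conf"
    echo "config on,  no drop-in: $(dmesg_restrict_source "$t/config.on" "$t/without")"
    echo "config off, drop-in:    $(dmesg_restrict_source "$t/config.off" "$t/with")"
    echo "config off, no drop-in: $(dmesg_restrict_source "$t/config.off" "$t/without")"
    rm -rf "$t"
}
demo
```

The first case is a userspace without the drop-in running a kernel built with the option, where the restriction follows the kernel; the second and third are the sysctl approach, where only the release shipping the drop-in is restricted.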