Show Your Support: This site is primarily supported by advertisements. Ads are what have allowed this site to be maintained on a daily basis for the past 18+ years. We do our best to ensure only clean, relevant ads are shown, when any nasty ads are detected, we work to remove them ASAP. If you would like to view the site without ads while still supporting our work, please consider our ad-free Phoronix Premium.
In 2019, Most Linux Distributions Still Aren't Restricting Dmesg Access
The primary motivation of CONFIG_SECURITY_DMESG_RESTRICT and an associated sysctl tunable as well (dmesg_restrict) is for restricting access to dmesg so unprivileged users can't see the syslog to avoid possible kernel memory address exposures among other potentially sensitive information that could be leaked about the kernel to help anyone trying to exploit the system. But even with these options being available for years, most Linux distributions leave dmesg open to any user.
Over the years have been attempts like Ubuntu back in 2011 to consider enabling such functionality, but ultimately rejected over concerns of breaking some user-space utilities and the need to update documentation over dmesg access.
I was reminded of this current situation with Intel's Clear Linux now eyeing the DMESG_RESTRICT feature in a new proposal. Clear Linux would potentially be restricting dmesg access in the name of security over potentially leaking kernel addresses.
Oracle's VirtualBox was highlighted as one of the popular programs that ends up leaking addresses to dmesg. There's been this VirtualBox bug report from three years ago highlighting the problem of kernel address information leaked but the issue was marked as "won't fix" by upstream on the basis "Sorry, this is NOT a security problem and not a problem at all. Having these addresses is not a problem because special permissions are required to make use of them."
Given the ever increasing security concerns and exploits, maybe 2019 will finally be the year of seeing more Linux distributions locking down dmesg?