# Gentoo Hardened and CONFIG_GRKERNSEC_DMESG

## yzh

Hi there,

I turned on CONFIG_GRKERNSEC_DMESG=y and the grsec sysctl settings of my hardened kernel.

I'm using sys-kernel/hardened-sources-3.7.5-r1.

But I'm still allowed to run dmesg as non-root. My sysctl settings are:

```
$ sudo sysctl -a | grep dmesg
kernel.dmesg_restrict = 1
kernel.grsecurity.dmesg = 1
```

And I'm able to run dmesg as non-root:

```
$ dmesg | head -n2
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
```

Any idea why this is not restricted?

----------

## khayyam

yzh ...

I can't say for sure but dmesg_restrict is set by CONFIG_SECURITY_DMESG_RESTRICT, so perhaps these both need to be enabled for grsecurity.dmesg to come into effect.

HTH & best ... khay

----------

## yzh

*khayyam wrote:*

> I can't say for sure but dmesg_restrict is set by CONFIG_SECURITY_DMESG_RESTRICT, so perhaps these both need to be enabled for grsecurity.dmesg to come into effect.

I will try, but it would be weird because the kernel description says:

```
CONFIG_SECURITY_DMESG_RESTRICT:

This enforces restrictions on unprivileged users reading the kernel
syslog via dmesg(8).

If this option is not selected, no restrictions will be enforced
unless the dmesg_restrict sysctl is explicitly set to (1).

If you are unsure how to answer this question, answer N.
```

That would suggest that this is normally disabled but can also be enabled by setting it via sysctl, which I'm doing right now.

Anyway, thx for the suggestion. Will give it a try and report back.

----------

## khayyam

*yzh wrote:*

> That would suggest that this is normally disabled but can also be enabled by setting it via sysctl, which I'm doing right now.

yzh ... yes, that's how I read it also, but my thought was that, like other items in menuconfig, it may be badly worded. If the above were true then "[t]his enforces restrictions on unprivileged users reading the kernel syslog via dmesg" would not be what the option does; it would simply set it to 'on'.

Hopefully it does more than advertised :)

best ... khay

----------

## yzh

Ok, it does not work:

```
$ zgrep DMESG /proc/config.gz
CONFIG_GRKERNSEC_DMESG=y
CONFIG_SECURITY_DMESG_RESTRICT=y
$ sudo sysctl -a | grep dmesg
kernel.dmesg_restrict = 1
kernel.grsecurity.dmesg = 1
$ dmesg | head -n2
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
```

 :Sad: 

----------

## nicke#

I too have noticed the same problem with the latest stable hardened sources. With my previous kernel, 3.4.5-hardened, dmesg restrictions were enforced.

```
# zgrep DMESG /proc/config.gz
CONFIG_GRKERNSEC_DMESG=y
CONFIG_SECURITY_DMESG_RESTRICT=y
# sysctl -a | grep dmesg
kernel.dmesg_restrict = 1
kernel.grsecurity.dmesg = 1
# uname -r
3.7.5-hardened-r1
```

This seems to be a bug..
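The checks the posts above run by hand (build options in /proc/config.gz, the live sysctls, and a real dmesg attempt as a non-root user) gathered into one script that reports whether the kernel actually enforces what its settings claim. This is an added example, not code from the thread or from Gentoo/grsecurity; it assumes util-linux dmesg (non-zero exit when the read is denied), procps sysctl, CONFIG_IKCONFIG_PROC for /proc/config.gz, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the forum thread: compare what the kernel
# *reports* about dmesg restriction with what an unprivileged process can
# actually do, which is the gap the posts above ran into.
# Assumptions: util-linux dmesg(1) exits non-zero when the read is denied,
# procps sysctl(8) prints "key = value", and CONFIG_IKCONFIG_PROC is set so
# /proc/config.gz exists. kernel.grsecurity.dmesg only exists on grsecurity
# kernels; when it is absent it is simply ignored.

# sysctl_value NAME TEXT: print the value of NAME from sysctl-style
# "key = value" lines in TEXT, or nothing if the key is not present.
sysctl_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape the dots for sed
    printf '%s\n' "$2" | sed -n "s/^$key = //p" | head -n 1
}

# expected_restriction TEXT: what the sysctls say should happen to an
# unprivileged dmesg. Either knob being 1 is enough to expect a denial.
# CONFIG_SECURITY_DMESG_RESTRICT only picks the boot-time default of
# kernel.dmesg_restrict, so the live sysctl is what counts here.
expected_restriction() {
    dr=$(sysctl_value kernel.dmesg_restrict "$1")
    gr=$(sysctl_value kernel.grsecurity.dmesg "$1")
    if [ "$dr" = 1 ] || [ "$gr" = 1 ]; then
        echo restricted
    else
        echo unrestricted
    fi
}

# observed_restriction: try to read the ring buffer as the current user.
observed_restriction() {
    if dmesg >/dev/null 2>&1; then
        echo unrestricted
    else
        echo restricted
    fi
}

# verify_dmesg_restriction: print the build options, the live sysctls and
# the outcome of a real read, then return non-zero if they disagree. Must
# be run as a non-root user, because root can always read the log.
verify_dmesg_restriction() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "run as an unprivileged user; root can always read dmesg" >&2
        return 2
    fi
    if [ -r /proc/config.gz ]; then
        zgrep -E '^CONFIG_(GRKERNSEC_DMESG|SECURITY_DMESG_RESTRICT)=' /proc/config.gz \
            || echo "(neither DMESG option set in /proc/config.gz)"
    fi
    live=$(sysctl kernel.dmesg_restrict kernel.grsecurity.dmesg 2>/dev/null)
    printf '%s\n' "$live"
    want=$(expected_restriction "$live")
    got=$(observed_restriction)
    echo "sysctls say: $want; unprivileged dmesg is actually: $got"
    if [ "$want" != "$got" ]; then
        echo "MISMATCH: the kernel is not enforcing what its settings claim" >&2
        return 1
    fi
}

# Run the live check only when asked, so the file can also be sourced.
if [ "${CHECK_DMESG:-}" = run ]; then
    verify_dmesg_restriction
fi
```

Run it as an ordinary user with `CHECK_DMESG=run sh dmesg_check.sh`; on the 3.7.5-hardened-r1 kernel described above it would print a MISMATCH (settings say restricted, dmesg still readable), and on a kernel that enforces the restriction the two lines agree and the script exits 0.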

----------

## yzh

*nicke# wrote:*

> I too have noticed the same problem with the latest stable hardened sources. With my previous kernel, 3.4.5-hardened, dmesg restrictions were enforced.
>
> # zgrep DMESG /proc/config.gz
>
> CONFIG_GRKERNSEC_DMESG=y
>
> ...

Good to know it's not only me  :Smile:  I'll see if I can make a bug report later.

EDIT: bug report here: https://bugs.gentoo.org/show_bug.cgi?id=465758

----------

## nicke#

Thank you for reporting the bug.

With the new version of hardened sources the dmesg output is again restricted.

```
$ dmesg
dmesg: read kernel buffer failed: Operation not permitted
$ uname -r
3.8.3-hardened
```

----------

