On Wed, Feb 28, 2024 at 11:24:41AM +0100, Karel Zak wrote: > On Tue, Feb 27, 2024 at 08:15:49PM +0000, Richard W.M. Jones wrote: > > > > https://gitlab.com/cki-project/kernel-ark/-/commit/ed5ba266c61e01a52359b5793a627e7c9aae8854 > > > > Why wasn't this a Fedora change proposal? > > > > Also the justification given for such a major change is very thin. > > I'm sure product security can give us some more details of precisely > > what exploits will be mitigated, in the change proposal. > > You can restore the original behavior by using: > > # sysctl kernel.dmesg_restrict=0 > > However, be aware of the security consequences ;-) Right ... which are what exactly? I don't have untrusted local users, and if I wanted to host untrusted local users I'd need to do a lot of extra lock down, so perhaps the default here can be kernel.dmesg_restrict=0 with kernel.dmesg_restrict=1 being used on locked down systems. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com nbdkit - Flexible, fast NBD server with plugins https://gitlab.com/nbdkit/nbdkit -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
