On Wed, Feb 28, 2024 at 10:30:10AM +0000, Richard W.M. Jones wrote: > On Wed, Feb 28, 2024 at 11:24:41AM +0100, Karel Zak wrote: > > On Tue, Feb 27, 2024 at 08:15:49PM +0000, Richard W.M. Jones wrote: > > > > > > https://gitlab.com/cki-project/kernel-ark/-/commit/ed5ba266c61e01a52359b5793a627e7c9aae8854 > > > > > > Why wasn't this a Fedora change proposal? > > > > > > Also the justification given for such a major change is very thin. > > > I'm sure product security can give us some more details of precisely > > > what exploits will be mitigated, in the change proposal. > > > > You can restore the original behavior by using: > > > > # sysctl kernel.dmesg_restrict=0 > > > > However, be aware of the security consequences ;-) > > Right ... which are what exactly? > > I don't have untrusted local users, and if I wanted to host untrusted > local users I'd need to do a lot of extra lock down, so perhaps the > default here can be kernel.dmesg_restrict=0 with > kernel.dmesg_restrict=1 being used on locked down systems. The protection against information leakage applies to system services as much as to interactive local users, so it is still valid hardening to do even on single user machines IMHO. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
