On Tue, Nov 19, 2024 at 10:08:36AM -0500, Pasha Tatashin wrote: > On Mon, Nov 18, 2024 at 8:09 PM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > > > > On Mon, Nov 18, 2024 at 05:08:42PM -0500, Pasha Tatashin wrote: > > > Additionally, using crash/drgn is not feasible for us at this time, it > > > requires keeping external tools on our hosts, also it requires > > > approval and a security review for each script before deployment in > > > our fleet. > > > > So it's ok to add a totally insecure kernel feature to your fleet > > instead? You might want to reconsider that policy decision :) > > Hi Greg, > > While some risk is inherent, we believe the potential for abuse here > is limited, especially given the existing CAP_SYS_ADMIN requirement. > But, even with root access compromised, this tool presents a smaller > attack surface than alternatives like crash/drgn. It exposes less > sensitive information, unlike crash/drgn, which could potentially > allow reading all of kernel memory. The problem here is with using dmesg for output. No security-sensitive information should go there. Even exposing raw kernel pointers is not considered safe. I'm also not sure about what presents a bigger attack surface. Yes, drgn allows to read more, but it's using /proc/kcore, so the in-kernel code is much simpler. But I don't think it's a relevant discussion, if a malicious user has a root access, there are better options than both drgn and page detective.
