On Thu, Aug 25, 2016 at 5:23 PM, Linus Torvalds <torva...@linux-foundation.org> wrote: > On Aug 25, 2016 2:08 PM, "Josh Poimboeuf" <jpoim...@redhat.com> wrote: >> >> Ah, the plot thickens. I didn't know about 'dmesg_restrict'. So I >> guess we don't have to restrict the stack dump addresses after all, >> since the entire dmesg buffer is protected by syslog()? > > No. > > Guys, the whole dmesg_restrict thing is a joke. You can't restrict access to > system messages in general. It's just a stupid idea.
I'm not advocating that it's a globally useful protection, I was just trying to point out that so much stuff is already exposed in the system log that it's likely not a great use of time to think about censoring things there right now. Obviously if it both improves debuggability _and_ removes raw addresses from the log, I'm all for it. :) -Kees -- Kees Cook Nexus Security
