set kernel.printk sysctl to prevent kernel info leaks
Open, Normal, Public

Description

quote @madaidan:

During boot, the kernel logs are displayed on the console. As the kernel logs are meant to be restricted to root (kernel.dmesg_restrict=1), this should probably be disabled.
Setting kernel.printk=3 3 3 3 with sysctl configures it so only really important errors will be displayed.
Also see "Does printk() cause any security issues?"
This can improve boot and shutdown speed too. I've noticed that performance improves significantly after setting this.

dmesg --console-off does not do the trick.

I still see some logs after running that. Changing the kernel.printk sysctl hides more. I can still see some logs even with changing kernel.printk as it starts displaying logs before systemd-sysctl is executed. The only way around that would be setting kernel.printk in the initramfs, before systemd has started if it’s even possible.

Details

Impact
Normal

Event Timeline

Patrick triaged this task as Normal priority. Mon, Dec 23, 2:19 PM
Patrick created this task.

Should this be set in the initramfs?

Some logs are shown before systemd-sysctl executes so using /etc/sysctl.d/ may not be enough.

Yes. Probably both. initramfs for apparmor-profile-everything users and
/etc/sysctl.d/ security-misc.

Why not use an initramfs hook in security-misc? Not everyone will have security-misc and apparmor-profile-everything installed. Users with just security-misc installed will still have some kernel logs shown during early boot.

I guess because a sysctl.d drop-in config file is easy and catches most.
initramfs hook covers only initramfs users. Not dracut. But
security-misc initramfs hook sounds good enough. dracut support can
come later, if ever. Please implement.

We can use a sysctl.d drop-in and an initramfs hook in security-misc so non-initramfs users will still be mostly protected.

Sounds good.

Still wondering if this initramfs modification can be avoided... Still wondering if kernel.printk can be set through a kernel parameter. Looking again at https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/kernel-parameters.txt...

Would the following kernel parameter(s) reach the same goal?

  • printk.devkmsg=off
  • loglevel=0
  • quiet

Just now asked:
"How to set sysctl using kernel command line parameter?"

Could you please add a feature to easily enable debugging?

What is THE kernel option for "more verbose, debug"? debug? ignore_loglevel? Such as if kernel parameter debug is set, do not use kernel.printk in initramfs. Just exit.

Then I could add debug to grub-output-verbose as kernel parameter. (That package is in next version no longer installed by default.) (And that package is useful at least for me to easily enable debugging.)

grub-output-verbose could also drop a snippet which deactivates what /etc/sysctl.d/printk.conf does and resets kernel.printk to the default or an even higher level.

printk.devkmsg=off

This just prevents writing to /dev/kmsg. It doesn't stop kernel logs being displayed during boot.

loglevel=0
quiet

Dunno about these. Need to be tested.

Could you please add a feature to easily enable debugging?

Should I check for the debug kernel parameter or something else?

Patrick updated the task description. Wed, Dec 25, 10:38 AM
Patrick updated the task description.

quiet

quiet (Debian default :)) works really well. After sudo apt purge grub-output-verbose and sudo update-grub [1] this is all I am seeing on a VirtualBox serial console.

Loading Linux 4.19.0-6-amd64 ...
Loading initial ramdisk ...
[ 2.093532] sd 4:0:0:0: [sda] Incomplete mode parameter data
[ 2.099586] sd 4:0:0:0: [sda] Assuming drive cache: write through
/dev/sda1: clean, 110434/6553600 files, 1300598/26213632 blocks
[ 4.771736] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
[ 4.785116] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
[ 5.880020] [p_lkrg] Loading LKRG...
[ 6.474864] [p_lkrg] LKRG initialized successfully!
[ 14.679246] ram_adjusted_desktop_starter[1624]: [INFO] If your host has little RAM, you are advised to reduce Gateway RAM to 256 MB. No graphical desktop environment will be started in that case. A Gateway without graphical desktop environment works as good as one with, it's just not that convenient. If you want, you can sometimes start a graphical desktop environment by toggling how much RAM is available to Gateway. Documentation about this feature can be found here: https://www.whonix.org/wiki/Desktop
[ 14.688327] ram_adjusted_desktop_starter[1624]: [INFO] Trying to start login manager (graphical desktop environment) lightdm...


[1] grub-output-verbose should run "sudo update-grub" at removal but does not do so yet.

The loader of tirdad is currently using dmesg.

## https://github.com/0xsirus/tirdad/issues/5
## /var/log/kern.log is unsuitable. It can during manual testing i.e.
## 'sudo /usr/lib/tirdad/loader' but not when run through systemctl i.e.
## 'sudo systemctl restart tirdad-dkms'.
## https://phabricator.whonix.org/T950
while read -r line; do
  if echo "$line" | grep --quiet --ignore-case "Installing tirdad hook succeeded" ; then
     exit "$exit_code"
  fi
done < <( dmesg --notime --follow )

Setting kernel.printk=3 3 3 3 with sysctl might break it. Hopefully no longer needed as per my previous post. Something to keep in mind.

In T950#19249, @Patrick wrote:

The loader of tirdad is currently using dmesg.

This is no longer the case.
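
The combination discussed in this task (a sysctl.d drop-in for later boot plus an early initramfs script that exits when debugging is requested) could look like the following. This is an added example, not code from security-misc or from any participant in the thread; the function names, the /scripts/functions guard and the choice of "debug" and "ignore_loglevel" as opt-out tokens are assumptions.

```shell
#!/bin/sh
# Added example, not security-misc code. Intended location (initramfs-tools
# convention): /etc/initramfs-tools/scripts/init-top/, marked executable.
# Companion drop-in for later boot, /etc/sysctl.d/printk.conf:
#   kernel.printk = 3 3 3 3

PREREQ=""
case "${1:-}" in
    prereqs) echo "$PREREQ"; exit 0 ;;
esac

# Return 0 when the kernel command line in file $1 carries a whole-word
# opt-out token. Treating "debug" and "ignore_loglevel" as the opt-outs is an
# assumption; the thread leaves that choice open.
wants_verbose() {
    case " $(cat "$1") " in
        *" debug "*|*" ignore_loglevel "*) return 0 ;;
    esac
    return 1
}

# Write the restricted console levels to file $2 unless the command line in
# file $1 opts out. Prints "applied" or "skipped".
set_early_printk() {
    if wants_verbose "$1"; then
        echo "skipped"
        return 0
    fi
    echo "3 3 3 3" > "$2" && echo "applied"
}

# Only touch the live kernel setting inside an initramfs-tools initramfs,
# detected here by its /scripts/functions file (assumed guard); anywhere else
# the functions can be exercised on ordinary files.
if [ -r /scripts/functions ]; then
    set_early_printk /proc/cmdline /proc/sys/kernel/printk > /dev/null
fi
```

The initramfs has to be rebuilt with update-initramfs -u before the script takes effect. Matching whole tokens keeps parameters such as debugfs=off from being mistaken for the debug opt-out.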