[Bug 521197] New: CONFIG_STRICT_DEVMEM is not set
http://bugzilla.novell.com/show_bug.cgi?id=521197

Summary: CONFIG_STRICT_DEVMEM is not set
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: i586
OS/Version: openSUSE 11.1
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Kernel
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: roeland@linux-it.nl
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.0) Gecko/20090623 SUSE/3.5.0-7.1 Firefox/3.5

Reading the Linux Journal August 2009 issue, page 72 ff shows ways to use /dev/mem for root kit activities.

End of the story is that it seems wise to have CONFIG_STRICT_DEVMEM set in the kernels but it's not in oS11.1 (and supposedly all others below and derived from this product).

Reproducible: Always

Steps to Reproduce:
1. zcat /proc/config.gz | grep DEVMEM

Actual Results:
# CONFIG_STRICT_DEVMEM not set

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
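
The check from the reproduction step above, extended into a small audit. This is an added example, not part of the bug report or of any openSUSE tooling. It reports CONFIG_STRICT_DEVMEM as y, not set or absent, and goes beyond the thread by also reading CONFIG_DEVMEM, an option in later kernels that is not mentioned here; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh

# Print the config text, decompressing /proc/config.gz-style files.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# config_state FILE OPTION -> y | m | n (explicit "is not set") | absent
config_state() {
    line=$(read_config "$1" | grep -E "^(# )?$2( is not set|=)" | tail -n 1) || true
    case "$line" in
        "# $2 is not set") echo n ;;
        "$2="*)            echo "${line#*=}" ;;
        *)                 echo absent ;;
    esac
}

# audit_devmem FILE -> one verdict line; returns 1 when /dev/mem is unrestricted.
# Assumption: kernels without CONFIG_DEVMEM always build /dev/mem ("absent" = built).
audit_devmem() {
    devmem=$(config_state "$1" CONFIG_DEVMEM)
    strict=$(config_state "$1" CONFIG_STRICT_DEVMEM)
    if [ "$devmem" = n ]; then
        echo "OK: CONFIG_DEVMEM is not set, /dev/mem is not built"
    elif [ "$strict" = y ]; then
        echo "OK: CONFIG_STRICT_DEVMEM=y"
    else
        echo "WEAK: CONFIG_STRICT_DEVMEM=$strict, /dev/mem exposes system RAM"
        return 1
    fi
}

# Usual locations of the running kernel's config (not guaranteed to exist).
find_kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Constructed sample mirroring the report's result (not a real openSUSE config).
sample=$(mktemp)
printf '%s\n' 'CONFIG_X86=y' '# CONFIG_STRICT_DEVMEM is not set' > "$sample"
audit_devmem "$sample" || true
rm -f "$sample"
if cfg=$(find_kernel_config); then audit_devmem "$cfg" || true; fi
```

The non-zero return from `audit_devmem` makes it usable as a gate in a provisioning or compliance script.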

http://bugzilla.novell.com/show_bug.cgi?id=521197

User meissner@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=521197#c1

Marcus Meissner <meissner@novell.com> changed:

What       | Removed                                   | Added
-----------+-------------------------------------------+------------------------------------------
AssignedTo | bnc-team-screening@forge.provo.novell.com | kernel-maintainers@forge.provo.novell.com

--- Comment #1 from Marcus Meissner <meissner@novell.com> 2009-07-11 02:02:13 MDT ---

There are various methods to insert rootkits once you have root privileges, not just /dev/mem.

11.2 has CONFIG_STRICT_DEVMEM=y already.

reassign to kernel team for consideration on sle11/11.1

http://bugzilla.novell.com/show_bug.cgi?id=521197

User roeland@linux-it.nl added comment
http://bugzilla.novell.com/show_bug.cgi?id=521197#c2

--- Comment #2 from roeland jansen <roeland@linux-it.nl> 2009-07-11 06:47:25 MDT ---

Good news to hear that 11.2 already got this.

I'm aware of the several scenarios for rootkit insertions. I just think it would give us, deploying SLES11 to the outside world, some extra security.

So, I hope it will be considered to be added to the newer kernels, on SLES11 at least.

http://bugzilla.novell.com/show_bug.cgi?id=521197

Jeff Mahoney <jeffm@novell.com> changed:

What       | Removed | Added
-----------+---------+-------
Depends on |         | 443852

http://bugzilla.novell.com/show_bug.cgi?id=521197

User jeffm@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=521197#c3

Jeff Mahoney <jeffm@novell.com> changed:

What             | Removed       | Added
-----------------+---------------+-----------------
Priority         | P5 - None     | P3 - Medium
CC               |               | jeffm@novell.com
Component        | Kernel        | Kernel
Product          | openSUSE 11.1 | openSUSE 11.2
Target Milestone | ---           | Factory

--- Comment #3 from Jeff Mahoney <jeffm@novell.com> 2009-09-04 12:40:06 MDT ---

The reason it's not set on 11.1 and SLE11 is because it interferes with the use of online kernel debuggers. I've received word that these tools may have been updated to work around CONFIG_STRICT_DEVMEM. If this is the case, then we can keep CONFIG_STRICT_DEVMEM enabled. Otherwise, we'll have to revisit it.

http://bugzilla.novell.com/show_bug.cgi?id=521197

Jeff Mahoney <jeffm@novell.com> changed:

What       | Removed                                   | Added
-----------+-------------------------------------------+-----------------
AssignedTo | kernel-maintainers@forge.provo.novell.com | jeffm@novell.com

http://bugzilla.novell.com/show_bug.cgi?id=521197

http://bugzilla.novell.com/show_bug.cgi?id=521197#c4

Jeff Mahoney <jeffm@novell.com> changed:

What      | Removed       | Added
----------+---------------+--------------
Status    | NEW           | ASSIGNED
Component | Kernel        | Kernel
Version   | Final         | Factory
Product   | openSUSE 11.2 | openSUSE 11.3

--- Comment #4 from Jeff Mahoney <jeffm@novell.com> 2009-12-18 20:10:06 UTC ---

The tools haven't been updated from what I've seen. I just tried using crash on an 11.2 system and it complained that it couldn't read /dev/mem.

I'm refiling this against 11.3

https://bugzilla.novell.com/show_bug.cgi?id=521197

https://bugzilla.novell.com/show_bug.cgi?id=521197#c5

Jeff Mahoney <jeffm@suse.com> changed:

What       | Removed  | Added
-----------+----------+---------
Status     | ASSIGNED | RESOLVED
Resolution |          | WONTFIX

--- Comment #5 from Jeff Mahoney <jeffm@suse.com> 2012-08-02 11:55:25 EDT ---

With the coming release of openSUSE 12.2, openSUSE kernel developers are focusing their efforts there. Reports against openSUSE 11.4 and prior will not get the attention needed to resolve them before openSUSE 12.2 is released and openSUSE 11.4 becomes unmaintained.

Please re-test with openSUSE 12.1 or openSUSE RC2+ and re-open with an updated Product if you still encounter your issue.

We apologize for this issue not getting the attention it deserves but we are focusing our resources in the area where they will have the most impact for our users. We're working hard to make openSUSE 12.2 the best openSUSE release yet!