-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I don't know if it's the right place to ask here on this list, but it
seems most appropriate.

I am researching about exported symbols in major distribution,
security-wise, and I've noticed something strange along my research.

Ubuntu is the only major distribution that the KALLSYMS_ALL option is
set in the kernel configuration. (At least the Desktop version that I've
tested)

In Redhat, CentOS, Fedora, and even Debian, this is not set.
In vanilla kernels, it is in no way a default option.

I was looking into the sys_call_table symbol when I noticed it.

In Ubuntu you can acquire it's address doing a
'cat /proc/kallsyms | grep sys_call_table'.
In all other distros this returns nothing, in ubuntu it returns the sumbol.

My question is this:

Does this config option really needs to be enabled by default?
Is it used somewhere? Is there a reason for this?


Regards,

Giannis K.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkkjy0cACgkQusj5FmsVhId3dwCcCuxMW7e0HB 2zvxD9dSwgws2a
q1kAnAnXtmMjI2KFUFUQnzwnzatuf/ZZ
=M/Cs
-----END PGP SIGNATURE-----

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Giannis Kozyrakis wrote:
> Hello,
>
> I don't know if it's the right place to ask here on this list, but it
> seems most appropriate.
>
> I am researching about exported symbols in major distribution,
> security-wise, and I've noticed something strange along my research.
>
> Ubuntu is the only major distribution that the KALLSYMS_ALL option is
> set in the kernel configuration. (At least the Desktop version that I've
> tested)
>
> In Redhat, CentOS, Fedora, and even Debian, this is not set.
> In vanilla kernels, it is in no way a default option.
>
> I was looking into the sys_call_table symbol when I noticed it.
>
> In Ubuntu you can acquire it's address doing a
> 'cat /proc/kallsyms | grep sys_call_table'.
> In all other distros this returns nothing, in ubuntu it returns the sumbol.
>
> My question is this:
>
> Does this config option really needs to be enabled by default?
> Is it used somewhere? Is there a reason for this?
>
>
> Regards,
>
> Giannis K.

You have not presented a case for why it _should_ be disabled. Perhaps
Kees has an opinion? This seems like a debug v.s. security issue.

rtg
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

On Wed, 2008-11-19 at 08:28 -0700, Tim Gardner wrote:
> Giannis Kozyrakis wrote:
> > Hello,
> >
> > I don't know if it's the right place to ask here on this list, but it
> > seems most appropriate.
> >
> > I am researching about exported symbols in major distribution,
> > security-wise, and I've noticed something strange along my research.
> >
> > Ubuntu is the only major distribution that the KALLSYMS_ALL option is
> > set in the kernel configuration. (At least the Desktop version that I've
> > tested)
> >
> > In Redhat, CentOS, Fedora, and even Debian, this is not set.
> > In vanilla kernels, it is in no way a default option.
> >
> > I was looking into the sys_call_table symbol when I noticed it.
> >
> > In Ubuntu you can acquire it's address doing a
> > 'cat /proc/kallsyms | grep sys_call_table'.
> > In all other distros this returns nothing, in ubuntu it returns the sumbol.
> >
> > My question is this:
> >
> > Does this config option really needs to be enabled by default?
> > Is it used somewhere? Is there a reason for this?
> >
> >
> > Regards,
> >
> > Giannis K.
>
> You have not presented a case for why it _should_ be disabled. Perhaps
> Kees has an opinion? This seems like a debug v.s. security issue.

It's neither. You can get the same thing from System.map, which I'm
quite sure is available on every distribution.


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

On Wed, Nov 19, 2008 at 08:28:58AM -0700, Tim Gardner wrote:
> Giannis Kozyrakis wrote:
> > I don't know if it's the right place to ask here on this list, but it
> > seems most appropriate.
> >
> > I am researching about exported symbols in major distribution,
> > security-wise, and I've noticed something strange along my research.
> >
> > Ubuntu is the only major distribution that the KALLSYMS_ALL option is
> > set in the kernel configuration. (At least the Desktop version that I've
> > tested)
> >
> > In Redhat, CentOS, Fedora, and even Debian, this is not set.
> > In vanilla kernels, it is in no way a default option.
> >
> > I was looking into the sys_call_table symbol when I noticed it.
> >
> > In Ubuntu you can acquire it's address doing a
> > 'cat /proc/kallsyms | grep sys_call_table'.
> > In all other distros this returns nothing, in ubuntu it returns the sumbol.

For me, Fedora 10 does:

Fedora$ cat /proc/kallsyms | grep sys_call_table
c06cb9c8 R sys_call_table

And KALLSYMS_ALL is set in their config:
Fedora$ grep KALLSYMS /boot/config-2.6.27.4-58.fc10.i686
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_KALLSYMS_EXTRA_PASS=y

> > Does this config option really needs to be enabled by default?
> > Is it used somewhere? Is there a reason for this?
>
> You have not presented a case for why it _should_ be disabled. Perhaps
> Kees has an opinion? This seems like a debug v.s. security issue.

Looking at the option quickly, it seems like disabling it would shrink the
kernel by about 300K, but might lead to slightly less pretty Oops traces.

I'm also unclear if changing this setting would cause problems for ABI
detection (I doubt it -- the ABI interface would be exported regardless).

--
Kees Cook
Ubuntu Security Team

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team