Bug#983839: linux-image-5.10.0-3-amd64: /proc/kallsyms shouldn't be readable by non-root
Package: src:linux
Version: 5.10.13-1
Severity: normal
$ wc /proc/kallsyms
168114 567685 7891149 /proc/kallsyms
https://dustri.org/b/spectre-exploits-in-the-wild.html
The above article says that Fedora no longer makes kallsyms available to
unprivileged users to make attacks on the kernel more difficult. I think
the Debian kernels should do the same.
-- Package-specific info:
** Version:
Linux version 5.10.0-3-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1) #1 SMP Debian 5.10.13-1 (2021-02-06)
** Command line:
BOOT_IMAGE=/vmlinuz-5.10.0-3-amd64 root=UUID=6b40496e-ccb0-48fd-8764-167e82fcd779 ro security=selinux nosmt lockdown=confidentiality quiet
** Not tainted
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-3-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default
Versions of packages linux-image-5.10.0-3-amd64 depends on:
ii initramfs-tools [linux-initramfs-tool] 0.139
ii kmod 28-1
ii linux-base 4.6
Versions of packages linux-image-5.10.0-3-amd64 recommends:
ii apparmor 2.13.6-9
ii firmware-linux-free 20200122-1
Versions of packages linux-image-5.10.0-3-amd64 suggests:
pn debian-kernel-handbook <none>
ii grub-pc 2.04-15
pn linux-doc-5.10 <none>
Versions of packages linux-image-5.10.0-3-amd64 is related to:
pn firmware-amd-graphics <none>
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-intel-sound <none>
pn firmware-intelwimax <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
ii firmware-iwlwifi 20201218-3
pn firmware-libertas <none>
pn firmware-linux-nonfree <none>
pn firmware-misc-nonfree <none>
pn firmware-myricom <none>
pn firmware-netxen <none>
pn firmware-qlogic <none>
pn firmware-realtek <none>
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>
-- no debconf information
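
The wc output above shows only that the file can be read; whether real addresses are disclosed depends on what the kernel prints in the address column for that reader (kernel.kptr_restrict and the reader's capabilities influence this). The following check is an added example, not part of the original report or of any Debian tooling; the function name kallsyms_exposure and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify what a kallsyms-format file reveals to the caller.
# Usage: kallsyms_exposure [file]     (default: /proc/kallsyms)
# Prints one of:
#   unreadable  file cannot be read, or no symbol lines could be parsed
#   masked      every address column is all zeros
#   exposed     at least one non-zero kernel address is visible
kallsyms_exposure() {
    f="${1:-/proc/kallsyms}"
    [ -r "$f" ] || { echo unreadable; return 0; }
    # Each line is "<hex address> <type> <symbol> [module]".
    # Some symbols legitimately sit at address 0 even for root, so a
    # single zero proves nothing; a single non-zero address does.
    awk '
        $1 ~ /^[0-9a-fA-F]+$/ { total++; if ($1 !~ /^0+$/) nonzero++ }
        END {
            if (total == 0)       print "unreadable"
            else if (nonzero > 0) print "exposed"
            else                  print "masked"
        }' "$f" 2>/dev/null
}

# Constructed sample in kallsyms format (addresses are not from a real system).
sample=$(mktemp)
printf '%s\n' '0000000000000000 A fixed_percpu_data' \
              '0000000000000000 T _text' > "$sample"
echo "sample: $(kallsyms_exposure "$sample")"
rm -f "$sample"

# Live check for the current user, alongside the relevant sysctl.
kptr=$(cat /proc/sys/kernel/kptr_restrict 2>/dev/null || echo unknown)
echo "live: $(kallsyms_exposure) (kernel.kptr_restrict=$kptr)"
```

Run it as the unprivileged account of interest, not as root, since the kernel decides what to print per reader.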