Your message dated Sat, 06 Mar 2021 15:34:39 +0100
with message-id <d30735c2a5530efc14ad29a418e6a52880f8efa5.camel@decadent.org.uk>
and subject line Re: Bug#983839: linux-image-5.10.0-3-amd64: /proc/kallsyms shouldn't be readable by non-root
has caused the Debian Bug report #983839,
regarding linux-image-5.10.0-3-amd64: /proc/kallsyms shouldn't be readable by non-root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
983839: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983839
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: linux-image-5.10.0-3-amd64: /proc/kallsyms shouldn't be readable by non-root
- From: Russell Coker <russell@coker.com.au>
- Date: Tue, 02 Mar 2021 17:11:05 +1100
- Message-id: <161466546590.248866.2344095797605871147.reportbug@liv>

Package: src:linux
Version: 5.10.13-1
Severity: normal

$ wc /proc/kallsyms
168114 567685 7891149 /proc/kallsyms

https://dustri.org/b/spectre-exploits-in-the-wild.html

The above article says that Fedora no longer makes kallsyms available to
unprivileged users to make attacks on the kernel more difficult. I think the
Debian kernels should do the same.

-- Package-specific info:
** Version:
Linux version 5.10.0-3-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1) #1 SMP Debian 5.10.13-1 (2021-02-06)

** Command line:
BOOT_IMAGE=/vmlinuz-5.10.0-3-amd64 root=UUID=6b40496e-ccb0-48fd-8764-167e82fcd779 ro security=selinux nosmt lockdown=confidentiality quiet

** Not tainted

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-3-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages linux-image-5.10.0-3-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.139
ii  kmod                                    28-1
ii  linux-base                              4.6

Versions of packages linux-image-5.10.0-3-amd64 recommends:
ii  apparmor             2.13.6-9
ii  firmware-linux-free  20200122-1

Versions of packages linux-image-5.10.0-3-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-pc                 2.04-15
pn  linux-doc-5.10          <none>

Versions of packages linux-image-5.10.0-3-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
ii  firmware-iwlwifi          20201218-3
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
pn  firmware-misc-nonfree     <none>
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information
--- End Message ---
--- Begin Message ---
- To: 983839-done@bugs.debian.org
- Subject: Re: Bug#983839: linux-image-5.10.0-3-amd64: /proc/kallsyms shouldn't be readable by non-root
- From: Ben Hutchings <ben@decadent.org.uk>
- Date: Sat, 06 Mar 2021 15:34:39 +0100
- Message-id: <d30735c2a5530efc14ad29a418e6a52880f8efa5.camel@decadent.org.uk>
- In-reply-to: <161466546590.248866.2344095797605871147.reportbug@liv>
- References: <161466546590.248866.2344095797605871147.reportbug@liv>

/proc/kallsyms shows all-zero addresses when opened by an unprivileged
user, so it isn't an information leak.

Ben.

--
Ben Hutchings
Knowledge is power. France is bacon.

Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
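
A check for the behaviour described in the closing reply, as an added example that is not part of either message: it classifies kallsyms-format input as masked (every address zero) or exposed for whoever runs it. The sample lines, symbol names and addresses are constructed; kernel.kptr_restrict is not mentioned in the thread and is printed only as the related sysctl.

```shell
#!/bin/sh
# Added example: classify kallsyms-format input, one symbol per line as
# "<hex address> <type> <name> [module]", by whether any address is visible.

# Constructed sample: addresses zeroed, as the reply says an unprivileged
# reader sees them.
sample_masked() {
    printf '%s\n' \
        '0000000000000000 T startup_64' \
        '0000000000000000 t example_init [example_mod]'
}

# Constructed sample with made-up non-zero addresses.
sample_exposed() {
    printf '%s\n' \
        'ffffffff81000000 T startup_64' \
        'ffffffffc0123000 t example_init [example_mod]'
}

# Reads kallsyms-format text on stdin and prints one of:
#   "empty"              no symbol lines at all
#   "masked 0/<total>"   every address field is all zeros
#   "exposed <n>/<total>" n symbols carry a non-zero address
kallsyms_verdict() {
    awk '
        $1 ~ /^[0-9a-fA-F]+$/ { total++; if ($1 !~ /^0+$/) real++ }
        END {
            if (total == 0)    print "empty"
            else if (real > 0) print "exposed " real "/" total
            else               print "masked 0/" total
        }'
}

echo "constructed masked sample:  $(sample_masked | kallsyms_verdict)"
echo "constructed exposed sample: $(sample_exposed | kallsyms_verdict)"

# On a live system, report what the current user actually gets.
if [ -r /proc/kallsyms ]; then
    echo "/proc/kallsyms as uid $(id -u): $(kallsyms_verdict < /proc/kallsyms)"
fi
if [ -r /proc/sys/kernel/kptr_restrict ]; then
    echo "kernel.kptr_restrict = $(cat /proc/sys/kernel/kptr_restrict)"
fi
```

Run it once as an ordinary user and once as root to compare the two views of the same file.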