Lab 8.4

mo79uk

Sorry that I'm querying a lot.

On this exercise I'm finding the addresses are revealed as just 0s whether I have kernel.kptr_restrict on or off. Why am I not getting the desired result (did this on CentOS)?

[mo79uk@localhost ~]$ sudo sysctl kernel.kptr_restrict=1
kernel.kptr_restrict = 1
[mo79uk@localhost ~]$ head /proc/kallsyms
0000000000000000 A irq_stack_union
0000000000000000 A __per_cpu_start
0000000000000000 A init_tss
0000000000000000 A __per_cpu_user_mapped_start
0000000000000000 A exception_stacks
0000000000000000 A gdt_page
0000000000000000 A kaiser_scratch
0000000000000000 A spec_ctrl_pcp
0000000000000000 A kaiser_enabled_pcp
0000000000000000 A cpu_debug_store
[mo79uk@localhost ~]$ sudo sysctl kernel.kptr_restrict=0
kernel.kptr_restrict = 0
[mo79uk@localhost ~]$ head /proc/kallsyms
0000000000000000 A irq_stack_union
0000000000000000 A __per_cpu_start
0000000000000000 A init_tss
0000000000000000 A __per_cpu_user_mapped_start
0000000000000000 A exception_stacks
0000000000000000 A gdt_page
0000000000000000 A kaiser_scratch
0000000000000000 A spec_ctrl_pcp
0000000000000000 A kaiser_enabled_pcp
0000000000000000 A cpu_debug_store

There's also a typo in the solution:
$ head /proc/ka0000000000000000 A irq_stack_union

Thanks again if you can help!

lee42x

Thanks for letting us know abut the typo, it is a formatting error.
As for the real question, yes, your observation is correct. it is intended that the regular user should see the addresses if the kptr_restrict is 0 and the addresses hidden if kptr_restrict is not 0.

Something has changed, I will looking this.

Thanks Lee

lee42x

I found it, there was an update to the restrictions to allow a regular user to view the addresses, see below ...

from kallsyms.c

/*
* We show kallsyms information even to normal users if we've enabled
* kernel profiling and are explicitly not paranoid (so kptr_restrict
* is clear, and sysctl_perf_event_paranoid isn't set).
*
* Otherwise, require CAP_SYSLOG (assuming kptr_restrict isn't set to
* block even that).
/
int kallsyms_show_value(void)
{
switch (kptr_restrict) {
case 0:
if (kallsyms_for_perf())
return 1;
/ fallthrough /
case 1:
if (has_capability_noaudit(current, CAP_SYSLOG))
return 1;
/ fallthrough */
default:
return 0;
}
}

So we need to set the following:

sysctl -w kernel.kptr_restrict=0

sysctl -w kernel.perf_event_paranoid=1

Then a regular user will be able to see the addresses in /proc/kallsyms

Or the executable can have the capability CAP_SYSLOG applied.

This update will be in the next release.
Thank you for pointing this issue out.
Lee