Welcome to the Linux Foundation Forum!

Lab 8.4

Sorry that I'm querying a lot.

On this exercise I'm finding the addresses are revealed as just 0s whether I have kernel.kptr_restrict on or off. Why am I not getting the desired result (did this on CentOS)?

[mo79uk@localhost ~]$ sudo sysctl kernel.kptr_restrict=1
kernel.kptr_restrict = 1
[mo79uk@localhost ~]$ head /proc/kallsyms
0000000000000000 A irq_stack_union
0000000000000000 A __per_cpu_start
0000000000000000 A init_tss
0000000000000000 A __per_cpu_user_mapped_start
0000000000000000 A exception_stacks
0000000000000000 A gdt_page
0000000000000000 A kaiser_scratch
0000000000000000 A spec_ctrl_pcp
0000000000000000 A kaiser_enabled_pcp
0000000000000000 A cpu_debug_store
[mo79uk@localhost ~]$ sudo sysctl kernel.kptr_restrict=0
kernel.kptr_restrict = 0
[mo79uk@localhost ~]$ head /proc/kallsyms
0000000000000000 A irq_stack_union
0000000000000000 A __per_cpu_start
0000000000000000 A init_tss
0000000000000000 A __per_cpu_user_mapped_start
0000000000000000 A exception_stacks
0000000000000000 A gdt_page
0000000000000000 A kaiser_scratch
0000000000000000 A spec_ctrl_pcp
0000000000000000 A kaiser_enabled_pcp
0000000000000000 A cpu_debug_store

There's also a typo in the solution:
$ head /proc/ka0000000000000000 A irq_stack_union

Thanks again if you can help!

Comments

  • Posts: 380

    Thanks for letting us know abut the typo, it is a formatting error.
    As for the real question, yes, your observation is correct. it is intended that the regular user should see the addresses if the kptr_restrict is 0 and the addresses hidden if kptr_restrict is not 0.

    Something has changed, I will looking this.

    Thanks Lee

  • Posts: 380

    I found it, there was an update to the restrictions to allow a regular user to view the addresses, see below ...

    from kallsyms.c

    /*
    * We show kallsyms information even to normal users if we've enabled
    * kernel profiling and are explicitly not paranoid (so kptr_restrict
    * is clear, and sysctl_perf_event_paranoid isn't set).
    *
    * Otherwise, require CAP_SYSLOG (assuming kptr_restrict isn't set to
    * block even that).
    /
    int kallsyms_show_value(void)
    {
    switch (kptr_restrict) {
    case 0:
    if (kallsyms_for_perf())
    return 1;
    /
    fallthrough /
    case 1:
    if (has_capability_noaudit(current, CAP_SYSLOG))
    return 1;
    /
    fallthrough */
    default:
    return 0;
    }
    }

    So we need to set the following:

    sysctl -w kernel.kptr_restrict=0

    sysctl -w kernel.perf_event_paranoid=1

    Then a regular user will be able to see the addresses in /proc/kallsyms

    Or the executable can have the capability CAP_SYSLOG applied.

    This update will be in the next release.
    Thank you for pointing this issue out.
    Lee

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Categories

Upcoming Training