Welcome to the new Linux Foundation Forum!

Lab 8.4

Sorry that I'm querying a lot.

On this exercise I'm finding the addresses are revealed as just 0s whether I have kernel.kptr_restrict on or off. Why am I not getting the desired result (did this on CentOS)?

[[email protected] ~]$ sudo sysctl kernel.kptr_restrict=1
kernel.kptr_restrict = 1
[[email protected] ~]$ head /proc/kallsyms
0000000000000000 A irq_stack_union
0000000000000000 A __per_cpu_start
0000000000000000 A init_tss
0000000000000000 A __per_cpu_user_mapped_start
0000000000000000 A exception_stacks
0000000000000000 A gdt_page
0000000000000000 A kaiser_scratch
0000000000000000 A spec_ctrl_pcp
0000000000000000 A kaiser_enabled_pcp
0000000000000000 A cpu_debug_store
[[email protected] ~]$ sudo sysctl kernel.kptr_restrict=0
kernel.kptr_restrict = 0
[[email protected] ~]$ head /proc/kallsyms
0000000000000000 A irq_stack_union
0000000000000000 A __per_cpu_start
0000000000000000 A init_tss
0000000000000000 A __per_cpu_user_mapped_start
0000000000000000 A exception_stacks
0000000000000000 A gdt_page
0000000000000000 A kaiser_scratch
0000000000000000 A spec_ctrl_pcp
0000000000000000 A kaiser_enabled_pcp
0000000000000000 A cpu_debug_store

There's also a typo in the solution:
$ head /proc/ka0000000000000000 A irq_stack_union

Thanks again if you can help!

Comments

  • lee42xlee42x Posts: 106

    Thanks for letting us know abut the typo, it is a formatting error.
    As for the real question, yes, your observation is correct. it is intended that the regular user should see the addresses if the kptr_restrict is 0 and the addresses hidden if kptr_restrict is not 0.

    Something has changed, I will looking this.

    Thanks Lee

  • lee42xlee42x Posts: 106

    I found it, there was an update to the restrictions to allow a regular user to view the addresses, see below ...

    from kallsyms.c

    /*
    * We show kallsyms information even to normal users if we've enabled
    * kernel profiling and are explicitly not paranoid (so kptr_restrict
    * is clear, and sysctl_perf_event_paranoid isn't set).
    *
    * Otherwise, require CAP_SYSLOG (assuming kptr_restrict isn't set to
    * block even that).
    /
    int kallsyms_show_value(void)
    {
    switch (kptr_restrict) {
    case 0:
    if (kallsyms_for_perf())
    return 1;
    /
    fallthrough /
    case 1:
    if (has_capability_noaudit(current, CAP_SYSLOG))
    return 1;
    /
    fallthrough */
    default:
    return 0;
    }
    }

    So we need to set the following:

    sysctl -w kernel.kptr_restrict=0

    sysctl -w kernel.perf_event_paranoid=1

    Then a regular user will be able to see the addresses in /proc/kallsyms

    Or the executable can have the capability CAP_SYSLOG applied.

    This update will be in the next release.
    Thank you for pointing this issue out.
    Lee

Sign In or Register to comment.