Allow a single user to access /proc/kallsyms

Time: 2019-04-09 11:13:57

Tags: linux-kernel

This file is readable by all users: /proc/kallsyms

It contains the address of every kernel symbol (when I am root).

But when I am a regular user, I only see 0x00000000 addresses.

Is there a way to let a regular user see the addresses? (I am root on the machine.)

Thanks

2 answers:

Answer 0 (score: 1)

As shown in the source snippet posted by Jonathon Reinhart, normal users can see the addresses in /proc/kallsyms when both /proc/sys/kernel/kptr_restrict and /proc/sys/kernel/perf_event_paranoid are set to 0.

The following works on kernel version 5.3.0:

0

Answer 1 (score: 0)

The kernel documentation says:

kptr_restrict:

This toggle indicates whether restrictions are placed on
exposing kernel addresses via /proc and other interfaces.

When kptr_restrict is set to 0 (the default) the address is hashed before
printing. (This is the equivalent to %p.)

When kptr_restrict is set to (1), kernel pointers printed using the %pK
format specifier will be replaced with 0's unless the user has CAP_SYSLOG
and effective user and group ids are equal to the real ids. This is
because %pK checks are done at read() time rather than open() time, so
if permissions are elevated between the open() and the read() (e.g via
a setuid binary) then %pK will not leak kernel pointers to unprivileged
users. Note, this is a temporary solution only. The correct long-term
solution is to do the permission checks at open() time. Consider removing
world read permissions from files that use %pK, and using dmesg_restrict
to protect against uses of %pK in dmesg(8) if leaking kernel pointer
values to unprivileged users is a concern.

When kptr_restrict is set to (2), kernel pointers printed using
%pK will be replaced with 0's regardless of privileges.

Whether /proc/kallsyms shows the actual symbol values is controlled by kallsyms_show_value in kernel/kallsyms.c:

/*
 * We show kallsyms information even to normal users if we've enabled
 * kernel profiling and are explicitly not paranoid (so kptr_restrict
 * is clear, and sysctl_perf_event_paranoid isn't set).
 *
 * Otherwise, require CAP_SYSLOG (assuming kptr_restrict isn't set to
 * block even that).
 */
int kallsyms_show_value(void)
{
    switch (kptr_restrict) {
    case 0:
        if (kallsyms_for_perf())
            return 1;
    /* fallthrough */
    case 1:
        if (has_capability_noaudit(current, CAP_SYSLOG))
            return 1;
    /* fallthrough */
    default:
        return 0;
    }
}

So if you are a normal user without any capabilities(7), you can't see the kernel symbol values.

What exactly are you trying to accomplish? If you are writing a (compiled) application, you could apply the CAP_SYSLOG file capability to your executable.
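The two answers above describe the same decision from two sides: the sysctl values you set (answer 0) and the kallsyms_show_value() logic that consumes them (answer 1). The script below is an added example, not code from either answer or from the kernel. It re-implements that decision in userland so you can predict what an unprivileged read will show before touching anything, checks an actual listing for zeroed addresses, and lists the two ways to relax the restriction. It assumes the kallsyms_for_perf() helper referenced in the snippet returns true when perf_event_paranoid is at most 1 (that is the threshold in kernel/kallsyms.c as far as this editor knows; it is not shown on the page), and that a root shell holds CAP_SYSLOG. Note that upstream defaults to perf_event_paranoid=2, so with the default kptr_restrict=0 the values are already hidden from ordinary users; lowering both knobs system-wide hands every local user the KASLR base, which is why a per-binary CAP_SYSLOG file capability is usually the better fix.

```shell
#!/bin/sh
# Added example: predict and verify /proc/kallsyms visibility.

# Userland mirror of kallsyms_show_value() from kernel/kallsyms.c.
# Assumption: kallsyms_for_perf() is true when perf_event_paranoid <= 1.
# args: kptr_restrict perf_event_paranoid has_cap_syslog(0|1)
# prints 1 when real addresses are shown, 0 when they are zeroed
kallsyms_show_value() {
    kptr=$1; paranoid=$2; syslog=$3
    case "$kptr" in
        0)  # profiling allowed for everyone, or caller has CAP_SYSLOG
            if [ "$paranoid" -le 1 ] || [ "$syslog" -eq 1 ]; then echo 1; else echo 0; fi ;;
        1)  # only CAP_SYSLOG holders
            if [ "$syslog" -eq 1 ]; then echo 1; else echo 0; fi ;;
        *)  # kptr_restrict=2: hidden regardless of privilege
            echo 0 ;;
    esac
}

# True (exit 0) when every address in a kallsyms-format listing
# ("address type name [module]") is zero, i.e. the kernel hid the values.
kallsyms_is_zeroed() {
    awk '$1 !~ /^0+$/ { found = 1; exit } END { exit found ? 1 : 0 }' "$1"
}

# Constructed sample listings (not real kernel output) so the example runs offline.
hidden=$(mktemp); visible=$(mktemp)
printf '0000000000000000 T _text\n0000000000000000 t lock_page\n0000000000000000 t foo [mod]\n' > "$hidden"
printf 'ffffffff81000000 T _text\nffffffff811b2a40 t lock_page\n' > "$visible"
kallsyms_is_zeroed "$hidden"  && echo "sample 1: addresses zeroed"
kallsyms_is_zeroed "$visible" || echo "sample 2: real addresses visible"
rm -f "$hidden" "$visible"

# Live check against this machine, skipped where /proc is unavailable.
if [ -r /proc/sys/kernel/kptr_restrict ] && [ -r /proc/sys/kernel/perf_event_paranoid ]; then
    kr=$(cat /proc/sys/kernel/kptr_restrict)
    pp=$(cat /proc/sys/kernel/perf_event_paranoid)
    cap=0
    if [ "$(id -u)" -eq 0 ]; then cap=1; fi   # assumption: root shell keeps CAP_SYSLOG
    echo "kptr_restrict=$kr perf_event_paranoid=$pp -> expected show_value=$(kallsyms_show_value "$kr" "$pp" "$cap")"
    if [ -r /proc/kallsyms ]; then
        if kallsyms_is_zeroed /proc/kallsyms; then echo "/proc/kallsyms: zeroed"; else echo "/proc/kallsyms: visible"; fi
    fi
fi

# To change the outcome (run as root; both lines shown as comments on purpose):
#   system-wide, exposes addresses to every local user:
#     sysctl -w kernel.kptr_restrict=0 kernel.perf_event_paranoid=1
#   per binary, only that executable can read the values:
#     setcap cap_syslog+ep /path/to/your/tool
```

The per-binary route is the one to prefer on a multi-user box: CAP_SYSLOG on one tool satisfies the `has_capability_noaudit(current, CAP_SYSLOG)` branch for that process alone, while the sysctl route makes the `kallsyms_for_perf()` branch true for everyone.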