svn commit: r280410 - head/sys/kern
Bryan Drewery
bdrewery at FreeBSD.org
Tue Mar 24 02:47:15 UTC 2015
On 3/23/15 9:35 PM, Rui Paulo wrote:
> On Mar 23, 2015, at 19:25, Bryan Drewery <bdrewery at FreeBSD.org> wrote:
>>
>> On 3/23/15 9:17 PM, Rui Paulo wrote:
>>> Author: rpaulo
>>> Date: Tue Mar 24 02:17:17 2015
>>> New Revision: 280410
>>> URL: https://svnweb.freebsd.org/changeset/base/280410
>>>
>>> Log:
>>> Disable coredump_devctl because it could lead to leaking paths to
>>> jails.
>>>
>>> Modified:
>>> head/sys/kern/kern_sig.c
>>>
>>> Modified: head/sys/kern/kern_sig.c
>>> ==============================================================================
>>> --- head/sys/kern/kern_sig.c Tue Mar 24 01:32:46 2015 (r280409)
>>> +++ head/sys/kern/kern_sig.c Tue Mar 24 02:17:17 2015 (r280410)
>>> @@ -180,7 +180,7 @@ static int set_core_nodump_flag = 0;
>>> SYSCTL_INT(_kern, OID_AUTO, nodump_coredump, CTLFLAG_RW, &set_core_nodump_flag,
>>> 0, "Enable setting the NODUMP flag on coredump files");
>>>
>>> -static int coredump_devctl = 1;
>>> +static int coredump_devctl = 0;
>>> SYSCTL_INT(_kern, OID_AUTO, coredump_devctl, CTLFLAG_RW, &coredump_devctl,
>>> 0, "Generate a devctl notification when processes coredump");
>>>
>>>
>>
>> If there is a security concern about this feature I think more needs to be done than just flipping the default. It could easily be forgotten about and make a release.
>
> Sure, but to be honest there are already sysctls that make your system insecure and we've been making releases with them for many years.
>
> --
> Rui Paulo
>
I just think the known issue should be documented at the least.
--
Regards,
Bryan Drewery
More information about the svn-src-head
mailing list