CONFIG_STRICT_DEVMEM enabled #2543

Open
xloem opened this Issue Dec 28, 2016 · 0 comments


xloem commented Dec 28, 2016

Qubes OS version (e.g., R3.2):

R3.2

Affected TemplateVMs (e.g., fedora-23, if applicable):

dom0


Expected behavior:

If a security issue is found in Qubes, it should be easy to isolate and debug the system.

Actual behavior:

CONFIG_STRICT_DEVMEM=y is set in the kernel configuration, so making a complete memory dump seems to require prior preparation.

Steps to reproduce the behavior:

[user@dom0 ~]$ zcat /proc/config.gz | grep CONFIG_STRICT_DEVMEM
CONFIG_STRICT_DEVMEM=y
[user@dom0 ~]$ sudo dd if=/dev/mem skip=65536
dd: error reading '/dev/mem': Operation not permitted
0+0 records in
0+0 records out
0 bytes (0 B) copied, 9.2611e-05 s, 0.0 kB/s

General notes:

I do not believe enabling this flag should be a security issue, as only root has access to this device file, and a user who is root can also insert a kernel module which provides access to RAM. This is just much more cumbersome.

I'd be curious as to alternative or recommended methods of taking a core dump from a live Qubes system as well.


Related issues:
