“pkill_on_warn” is suggested to kill Linux processes that are causing a kernel warning


Today a new kernel option called “pkill_on_warn” was proposed that would kill all threads in a process if that process provoked a kernel warning.

By default, a process that triggers a kernel warning is not affected by it in any way: the warning is logged and the process carries on. The Linux kernel already has a “panic_on_warn” option that turns every warning into a kernel panic, but pkill_on_warn would be a far less drastic response and would at least keep the system running.

The security researcher and Linux kernel developer Alexander Popov proposed this new pkill_on_warn option. Popov argued in the patch proposal: “For security reasons, kernel warning messages provide a lot of useful information for attackers. Many GNU/Linux distributions allow unprivileged users to read the kernel log, so attackers use kernel warning info in vulnerability exploits … Let’s introduce the boot parameter pkill_on_warn. When this parameter is set, the kernel kills all threads in a process that provoked a kernel warning. This behavior makes sense from a security point of view as described above. It is also useful for kernel security hardening as the system kills an exploit process that hits a kernel warning.”

This would not change the default behavior of the kernel. If and when the patch is merged, booting the kernel with pkill_on_warn=1 would enable the new behavior, so that any process that triggers a kernel warning is terminated.
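A quick way to audit a host for the two settings this article touches on, as an added example that is not code from the article or from Popov's patch: it checks whether the kernel was booted with pkill_on_warn=1 (or the existing panic_on_warn=1) by reading /proc/cmdline, and whether unprivileged users can read the kernel log, which is governed by the kernel.dmesg_restrict sysctl (0 lets any user read the log, 1 requires CAP_SYSLOG). The helper names and the sample command lines are invented here; the two /proc paths and the sysctl semantics are real.

```shell
#!/bin/sh
# Added example, not part of the article or of the pkill_on_warn patch.
# Function names are my own; /proc/cmdline and
# /proc/sys/kernel/dmesg_restrict are the real kernel interfaces.

# has_boot_param CMDLINE NAME VALUE
# Succeeds only if NAME=VALUE appears as a whole word on the command line,
# so that e.g. "panic_on_warn=1" is not mistaken for "pkill_on_warn=1"
# and "pkill_on_warn=0" does not count as enabled.
has_boot_param() {
    _cmdline=$1; _name=$2; _value=$3
    for _word in $_cmdline; do
        [ "$_word" = "$_name=$_value" ] && return 0
    done
    return 1
}

# warn_posture CMDLINE DMESG_RESTRICT
# Prints one line summarising what happens when a process hits a kernel
# warning and whether unprivileged users can read the warning text.
# Returns 0 only if a warning has consequences for the process (or the
# system) AND the kernel log is restricted; 1 if either hardening is missing.
warn_posture() {
    _cmdline=$1; _restrict=$2
    _ok=0
    _action=""
    has_boot_param "$_cmdline" panic_on_warn 1 && _action="panic_on_warn=1"
    has_boot_param "$_cmdline" pkill_on_warn 1 && _action="${_action:+$_action }pkill_on_warn=1"
    if [ -z "$_action" ]; then
        _action="none (default: the warning has no effect on the process)"
        _ok=1
    fi
    if [ "$_restrict" = "0" ]; then
        _log="kernel log readable by unprivileged users (dmesg_restrict=0)"
        _ok=1
    else
        _log="kernel log needs CAP_SYSLOG (dmesg_restrict=$_restrict)"
    fi
    echo "on-warning action: $_action; $_log"
    return $_ok
}

# On a live Linux system, report the real values (skipped where /proc is absent).
# The trailing "|| :" keeps a non-zero verdict from aborting a "set -e" caller.
if [ -r /proc/cmdline ] && [ -r /proc/sys/kernel/dmesg_restrict ]; then
    warn_posture "$(cat /proc/cmdline)" "$(cat /proc/sys/kernel/dmesg_restrict)" || :
fi
```

Run it as root or as a normal user; both files are world-readable. A result of “none … dmesg_restrict=0” is exactly the configuration the patch is aimed at: a warning neither stops the offending process nor is hidden from the attacker who provoked it.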

The proposed patch is currently on the kernel mailing list.
