Kernel Hardening - security-misc

madaidan · January 17, 2021, 1:42am

I think it should just contain a basic description and a link to the Github repository for more detailed information.

HulaHoop · March 4, 2021, 10:36pm

@madaidan GCC 12 just added a security compile time option to auto initialize auto variables. Don’t know if this is a problem in the kernel code these days anymore. Also have no idea how this can affect areas of the code related to rngs. Might be useful for other binaries we compile however.

madaidan · March 12, 2021, 6:21pm

The STRUCTLEAK GCC plugin already automatically initializes variables although this will likely be stronger and less hacky.

madaidan · June 27, 2021, 2:46pm

Now that Debian and other distributions like Arch Linux are starting to relax their user namespace restrictions (but still keeping the sysctl for users to manually configure), we should preserve them in security-misc by setting kernel.unprivileged_userns_clone=0. User namespaces are still a huge risk and a minimal setuid binary where we can tightly control the attack surface exposed is superior by far. Unfortunately, upstream doesn’t seem to care.

However, we will need to make bubblewrap setuid ourselves since the package is not setting it anymore (at least in Debian). Should we just add chmod u+s "$(which bwrap)" in the postinst script and add some details in the readme?

There is also an issue when running Chromium in sandbox-app-launcher since no_new_privs will disable the setuid fallback. Ideally, we could probably add a way to whitelist which binaries are permitted to use unprivileged user namespaces (maybe contribute to linux-hardened). Firefox is also affected, but instead, its sandbox silently fails without crashing and lies to the user about the status of the sandbox because Firefox is terrible.

Patrick · August 15, 2021, 9:37am

Patrick · September 1, 2021, 4:23pm

I wanted to port this to dracut (replacing initramfs-tools with dracut) but it seems it’s not needed. Seems like dracut has early sysctl settings by default.

https://mirrors.edge.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_description_6

Patrick · October 15, 2021, 5:45pm

github.com/Kicksecure/security-misc

hide-hardware-info: re-enable restrictions on sysfs when using SELinux

Kicksecure:master ← 0xC0ncord:bugfix/selinuxfs_restrictions

opened 02:20AM - 09 Oct 21 UTC

0xC0ncord

+17 -7

An oversight on my part simply re-enabled permissions to sysfs when SELinux was …in effect. This PR fixes this by explicitly setting permissions on the contents of `/sys/*` and `/sys/fs*` instead of just `/sys` if SELinux is in use. Additionally, fix the indentation so it's consistent with the rest of the script's style.

Dark_Coder · October 26, 2021, 5:05pm

https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html

Patrick · February 10, 2022, 6:42pm

qua3k · February 15, 2022, 3:04am

Some new things grsecurity/PaX has been doing in kernel hardening since they went private:

GRKERNSEC_SUID_NO_UNPRIV_EXEC — prevent SUID root applications from mmaping/execing files world-writable or not owned by root.
AUTOSLAB — conversion of k*alloc allocations into their own caches
PAX_PRIVATE_KSTACKS — I have no idea

It’s worth noting that GRKERNSEC_SUID_NO_UNPRIV_EXEC prevented exploitation of CVE-2021-4034, but it really isn’t as important as something like AUTOSLAB.

torjunkie · April 9, 2022, 11:46pm

Arguably as well as improvements in kernel settings that can be applied to Whonix now, any devs with skills like madaidan (come back man!) could be contributing to the KSPP project led by Kees Cook. That way security improvements will apply to all Linux users going forward:

If you read through some of these issues, it brings to mind that it appears to be a big security advantage to shift to higher kernels once they become stable, because many improvements are only available in later releases.

For Whonix I gather that would mean shifting to later stable kernel releases sooner rather than later i.e. instead of staying on kernels like 5.10 for years at a time. For Qubes, that would mean upgrading the dom0 kernel to later stable versions whenever possible.

raja · July 10, 2022, 6:53pm

While we distrust the CPU for initial entropy, should we also consider distrusting the bootloader?

Thoroughly auditing the initial grub boot seed generation process is non-trivial. Even if we assume the current versions are solid, future versions could potentially become compromised.

See the kernel parameter random.trust_bootloader
https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html?highlight=trust_bootloader

Also the discussion:
https://lkml.org/lkml/2022/6/5/271

Patrick · July 11, 2022, 6:50am

Yes.

Minor stylistic question: Actually a bit weird there is a separate config file security-misc/40_distrust_cpu.cfg at master · Kicksecure/security-misc · GitHub just for that? Or actually good that it’s split to make review easier and perhaps allow advanced users to more easy override such settings? Where should the distrust bootloader config file be placed? An additional file? Could be. I guess it does not matter much.

Could you please send a pull request?

I haven’t found such a feature in grub. Would be interesting but just a sideline.

According to Random Seeds it seems that is for now only related to EFI booting.

But also unspecific to grub. Kicksecure / Whonix shouldn’t be dependent on any specific bootloader such as grub for security if it’s so easy to avoid by setting a kernel boot parameter.

Sideline: It has some interesting quotes that I will cite and soon add to Entropy, Randomness, /dev/random vs /dev/urandom, Entropy Sources, Entropy Gathering Daemons, RDRAND.

Related but different:
(It’s kernel command line as source of randomness. Not bootloader directly.)

Related probably interesting reads, maybe further inspiration for hardening:

https://systemd.io/RANDOM_SEEDS/

raja · July 12, 2022, 2:18pm

I am also not to sure where exactly the distrust bootloader should go.

My wording here was extremely poor, what I meant to say was basically how grub or any bootloader acquires random seeds.

There are also two other boot parameters that come to mind. More DMA blocking using

iommu.passthrough=0

iommu.strict=1

See IOMMU_DEFAULT_DMA_STRICT in:

github.com

torvalds/linux/blob/master/drivers/iommu/Kconfig#L97


      
          	  Allows exposure of IOMMU device internals. This option enables
          	  the use of debugfs by IOMMU drivers as required. Devices can,
          	  at initialization time, cause the IOMMU code to create a top-level
          	  debug/iommu directory, and then populate a subdirectory with
          	  entries as required.
          
          
choice
          	prompt "IOMMU default domain type"
          	depends on IOMMU_API
          	default IOMMU_DEFAULT_DMA_LAZY if X86 || IA64
          	default IOMMU_DEFAULT_DMA_STRICT
          	help
          	  Choose the type of IOMMU domain used to manage DMA API usage by
          	  device drivers. The options here typically represent different
          	  levels of tradeoff between robustness/security and performance,
          	  depending on the IOMMU driver. Not all IOMMUs support all options.
          	  This choice can be overridden at boot via the command line, and for
          	  some devices also at runtime via sysfs.
          
          
	  If unsure, keep the default.

and kernel command line options in:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

Using these two will likely cause issues with GPU passthrough.

Also see page 11 of:

Additionally building on this, when moving to more recent kernels v5.14+ I see the impact of two boot parameters.

Perhaps we should include and comment out

randomize_kstack_offset=on

See :
https://lkml.org/lkml/2019/3/18/246

Also look to making a note that

slub_debug=FZ

should perhaps be disabled due to:

github.com/torvalds/linux

slub: force on no_hash_pointers when slub_debug is enabled

committed 05:53PM - 29 Jun 21 UTC

bebarino

+22 -2

Obscuring the pointers that slub shows when debugging makes for some confusing s…lub debug messages: Padding overwritten. 0x0000000079f0674a-0x000000000d4dce17 Those addresses are hashed for kernel security reasons. If we're trying to be secure with slub_debug on the commandline we have some big problems given that we dump whole chunks of kernel memory to the kernel logs. Let's force on the no_hash_pointers commandline flag when slub_debug is on the commandline. This makes slub debug messages more meaningful and if by chance a kernel address is in some slub debug object dump we will have a better chance of figuring out what went wrong. Note that we don't use %px in the slub code because we want to reduce the number of places that %px is used in the kernel. This also nicely prints a big fat warning at kernel boot if slub_debug is on the commandline so that we know that this kernel shouldn't be used on production systems. [akpm@linux-foundation.org: fix build with CONFIG_SLUB_DEBUG=n] Link: https://lkml.kernel.org/r/20210601182202.3011020-5-swboyd@chromium.org Signed-off-by: Stephen Boyd <swboyd@chromium.org> Acked-by: Vlastimil Babka <vbabka@suse.cz> Acked-by: Petr Mladek <pmladek@suse.com> Cc: Joe Perches <joe@perches.com> Cc: Christoph Lameter <cl@linux.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: David Rientjes <rientjes@google.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: Muchun Song <songmuchun@bytedance.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters

Regarding entropy, I am very far from an expert on its unbiased generation, regardless, I was under the impression that since kernel v5.4 and v5.6 it is pretty ok by default.

Using the command line as source is a very interesting idea and would definitely help. Has any progress been made on its development?

Patrick · July 12, 2022, 5:37pm

Yes, please. Also add the links please.

Why commented out?

Yes, please comment out and add the comment.

No progress unfortunately. If there is, I try to always keep the related forum threads (or preferably wiki if already there) updated.

Yeah. Complex topic.
Related:

Patrick · July 12, 2022, 5:39pm

Please add the the “normal” file.

GPU passthrough is quite complicated for users to do, not documented, not popular? Not a good reason to not do this? I.e. these options should be set?

raja · July 12, 2022, 6:57pm

github.com/Kicksecure/security-misc

Increased kernel hardening at boot

Kicksecure:master ← raja-grewal:harden

opened 06:57PM - 12 Jul 22 UTC

raja-grewal

+73 -28

Please refer to the existing discussion beginning at: https://forums.whonix.org…/t/kernel-hardening/7296/465 In summary: - Include mitigations by default against 2 additional known hardware-level CPU vulnerabilities (L1D Flushing and MMIO Stale Data). - Force the kernel to panic on "oopses" - Enforce IOMMU TLB invalidation - Distrust the bootloader as source of entropy - Enables randomisation of the kernel stack offset on syscall entries - Disables slub_debug due to kernel deciding to implicitly disable kernel pointer hashing - Explicitly highlight a few existing sysctl defaults

Patrick · July 12, 2022, 7:02pm

Does this work for your on the host operating system?

raja · July 12, 2022, 7:13pm

Are you having issues?

On Arch with systemd all of these have been working fine for me for a while.
Linux pc 5.18.10-hardened1-1-hardened #1 SMP PREEMPT_DYNAMIC Fri, 08 Jul 2022 20:53:33 +0000 x86_64 GNU/Linux

I will investigate more thoroughly.

Patrick · July 12, 2022, 8:12pm

Not tested yet.