Yeah… They are still sore from our discussions about them on Twitter.
twitter seems to be a curse for many of us.
sysctl-initramfs has an issue vs grub-live. In case of booting into live mode, we shouldn’t write to the root image. Maybe this could help:
if grep -qs "boot=live" /proc/cmdline; then
There are also other cases (security-misc is a general package. Don't just focus on Whonix / Kicksecure) where writing to the root image might be unwanted. It's not up to initramfs stage (security-misc / sysctl-initramfs) to know what shall happen with root image write policy.
/run/initramfs already exists. Therefore log location /run/initramfs/sysctl-initramfs-error.log would be better since ephemeral, in RAM, not on persistent disk. Will implement.
Done.
But the error log is weird. Added xxxxxxxxxxxx to some sysctl.d file.
cat /run/initramfs/sysctl-initramfs-error.log
sysctl: bad line 9: 1 tokens found, 2 needed
Looks fine when running sudo sh -x /etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs, but weird log when this is done in initramfs at boot. But I guess good enough.
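As an added example (not the security-misc project's own script), this is one way an initramfs hook could check each sysctl.d fragment line by line before applying it, so the ephemeral log names the file and line instead of sysctl's bare "bad line 9", and skip the whole step when the kernel was booted with boot=live. The function names and the SYSCTL_ERROR_LOG override are assumptions; the log path and the grep on /proc/cmdline are the ones from this thread.

```shell
#!/bin/sh
# Added example, not code from security-misc. Validates sysctl.d fragments
# and records malformed lines as "file:line: reason" in the ephemeral log.
LOG="${SYSCTL_ERROR_LOG:-/run/initramfs/sysctl-initramfs-error.log}"

# Returns 0 if every non-comment line of FILE is "key=value", else 1.
# Each offending line is printed as "file:line: reason".
check_sysctl_file() {
  file="$1"; status=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      ''|'#'*|';'*) continue ;;            # blank or comment: fine
    esac
    case "$line" in
      *=*) ;;                              # key=value present
      *) echo "$file:$n: no '=' in '$line'"; status=1; continue ;;
    esac
    # sysctl allows "key = value", so strip whitespace around the key
    key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
    case "$key" in
      ''|*[!A-Za-z0-9_./-]*) echo "$file:$n: bad key '$key'"; status=1 ;;
    esac
  done < "$file"
  return $status
}

# Applies every *.conf in DIR. Does nothing in live mode (grub-live passes
# boot=live), since the root image must not be written to then. Fragments
# that fail the syntax check are logged and skipped; sysctl's own errors
# for the rest are appended to the same log.
apply_sysctl_dir() {
  dir="$1"
  if grep -qs "boot=live" /proc/cmdline; then
    return 0
  fi
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    check_sysctl_file "$f" >> "$LOG" 2>&1 || continue
    sysctl -q -e -p "$f" 2>> "$LOG"
  done
}
```

Run apply_sysctl_dir /etc/sysctl.d as root to apply; check_sysctl_file alone needs no privileges and can be used to lint a fragment before shipping it.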
Could you please look into
sudo sysctl -a
And see if there is something else to harden?
ufw doesn't block ICMP - wiki fixation reminded me, perhaps there are some other ICMP related settings worth flipping? For example, you have this already covered:
## Disables ICMP redirect acceptance.
net.ipv4.conf.all.accept_redirects=0
But perhaps there is more? Even if Whonix firewall blocks ICMP, that could be of interest in the context of Kicksecure and clearnet reachable servers.
We could maybe reduce some kernel attack surface by disabling a few things but this would all be done with hardened-kernel anyway.
fs.aio-max-nr=0
I think this would disable AIO which adds a lot of complexity/attack surface to the kernel.
kernel.ftrace_enabled=0
Disables ftrace which adds a lot of potentially dangerous debugging functionality.
fs.binfmt_misc.status=0
Disables binfmt_misc which adds support for custom binary formats.
Shutting it down can destroy performance for async IO applications like databases.
I don’t think we depend on it for build debugging - similar to ptrace’s situation. Should be included in the debug functionality disabling package.
This one might break Java programs and cross compiling builds for other archs with QEMU. You might want to document that in case users show up with mysterious bug reports.
madaidan via Whonix Forum:
fs.binfmt_misc.status=0
Disables binfmt_misc which adds support for custom binary formats.
Not sure anymore but I think I tested that once and it broke XFCE for unknown reason.
I think the performance loss is worth it. Asynchronous I/O in general adds a lot of complexity and attack surface to the kernel. POSIX AIO is especially atrocious.
It’s already disabled in hardened-kernel and I see no issues.
Then we need to update at same time debug-misc + documentation.
Have you tested that? A number of programs use databases behind the scenes like mediawiki and discourse and bringing them to a crawl would destroy the use case. Some IM clients use dbs too.
As long as documented then at least they will have a clue what needs to be done.
What do you think?
This one is fine. kernel.perf_event_paranoid=3
requires a kernel patch but some distros (such as Debian) include this by default. If the patch isn't used then it'll be the same as setting it to 2.
Interesting tool, anything that can be contributed to it?
That comment needs an update.
Debian bug report: Please reconsider enabling the user namespaces by default
It seems that the next Debian version will have unpriv user ns by default.
Related:
https://forums.whonix.org/t/flathub-as-a-source-of-software/10706/6
Related to Linux kernel user namespaces:
The Debian package bubblewrap will set kernel.unprivileged_userns_clone=1 in Debian bullseye and above. bubblewrap will no longer be suid by default.