[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Kernel Hardening

madaidan via Whonix Forum:

https://github.com/Whonix/security-misc/pull/65

Merged.

1 Like

I think it might be better to make hidepid=2 optional now if it’s causing so much breakage.

proc-hidepid.service can be disabled by default and how to enable it can be added to the wiki.

If System-wide sandboxing framework is implemented, then hidepid=2 won’t be as important anymore as most applications can be run in a PID namespace (except the ones that break).

2 Likes
1 Like

Will revert.

Causing error output during boot of Whonix VirtualBox 15.0.0.9.0-developers-only. (Happening during initramfs sysctl.)

vm.unprivileged_userfaultfd is an unknown key

That message is very prominent now that other verbose boot messages are disabled.

sudo sysctl -w vm.unprivileged_userfaultfd=0

sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: No such file or directory

Please fix.

1 Like

That error is harmless and doesn’t do anything. It’s just because our kernel version doesn’t support this feature yet. There’s no point in reverting it.

1 Like

madaidan via Whonix Forum:

That error is harmless and doesn’t do anything. It’s just because our kernel version doesn’t support this feature yet. There’s no point in reverting it.

The only point of reverting then is avoiding user confusion as this is a
prominent message during waiting for X to finally draw something.

1 Like

We can just change >/dev/null to &>/dev/null in https://github.com/Whonix/security-misc/blob/master/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs

1 Like

Then we would miss any errors if this should break.

1 Like

Then we can change it to &>>${rootmnt}/var/log/sysctl-initramfs.log to log any actual errors in case of breakage but hide the unimportant ones from the user.

1 Like

Or maybe:

sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2> >(grep -v "sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: No such file or directory")

So only the unprivileged_userfaultfd error is hidden.

1 Like

Something like this maybe. Though the actual error message to grep for is more similar to:

vm.unprivileged_userfaultfd is an unknown key

I didn’t note the exact one.

Also that snippet is broken. Added something else broken to it. (Just a single X in some sysctl config file.) That error would be hidden too with the current snippet.

Maybe redirect stderr to /var/log/sysctl-initramfs-error.log first, then cat and grep -v? Probably also simpler to read than >(...).

/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs is an sh script and >(...) might be a bash feature. Dunno if bash can be used in initramfs easy/sane[size, dependencies].

1 Like

That is the actual error message.

sysctl -p test

sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: No such file or directory

“test” being a file that contains vm.unprivileged_userfaultfd=0.

That sounds good. cat is unneccesary though. We can just use

grep -v "sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: No such file or directory" /var/log/sysctl-initramfs-error.log

Should the content of /var/log/sysctl-initramfs-error.log be overwritten (>) or just appended to (>>)? I think something like this would be best:

sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2>${rootmnt}/var/log/sysctl-initramfs-error.log
sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log
grep -v "sysctl: cannot stat /proc/sys/vm/unprivileged_userfaultfd: No such file or directory" /var/log/sysctl-initramfs-error.log

The first sysctl command overwrites it to remove past entries and the second appends to it.

1 Like

Looks different during initramfs in Whonix VIrtualBox 15.0.0.9.3-developers-only. Yes, I am sure. I was also surprised the error message is different in the fully booted system.

Maybe it is for now. Could we skip further error messages in future if required?

What’s the standard? I guess it is >>? But I am OK with your suggestion (new after each reboot) too. Otherwise we would have to add logrotate too. Full log over multiple reboot probably not worth that effort.

1 Like

Should we use grep -v "unprivileged_userfaultfd" then? So the unprivileged_userfaultfd error is caught regardless of what the overall error message is.

Yes, we can just pipe grep into grep.

It’s probably >> but we won’t need old logs for something as small as this. The logs for the current boot only are fine.

1 Like

Yes. That seems the most simple and robust solution. Good idea. I guess very unlikely any other error message would include that exact string unprivileged_userfaultfd and be hidden by mistake.

1 Like
1 Like

Merged. :slight_smile:

1 Like

https://github.com/Whonix/security-misc/blob/master/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs does not work in Whonix VirtualBox. (Also available from Whonix developers repository.) Shows an error during boot.

/scripts/init-bottom/sysctl-initramfs: line 18: can’t create /root/var/log/sysctl-initramfs-error.log: Read-only file system
/scripts/init-bottom/sysctl-initramfs: line 19: can’t create /root/var/log/sysctl-initramfs-error.log: Read-only file system
grep: /var/log/sysctl-initramfs-error.log: No such file or directory

Could you fix this please?

1 Like
2 Likes

Thanks! I guess that will work unless some other initramfs hook mounts rw already and expects to keep it rw.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]