Kernel Hardening - security-misc

Patrick · June 29, 2020, 9:32am

Then we need to update at same time debug-misc + documentation.

HulaHoop · June 29, 2020, 11:29am

Have you tested that? A number of software uses databases behind the scenes like mediawiki and discourse and bringing them to a crawl would destroy the usecase. Some IM clients use dbs too.

As long as documented then at least they will have a clue what needs to be done.

Patrick · September 19, 2020, 10:51am

What do you think?

madaidan · September 19, 2020, 11:24am

This one is fine. kernel.perf_event_paranoid=3 requires a kernel patch but some distros (such as Debian) includes this by default. If the patch isn’t used then it’ll be the same as setting it to 2.

https://patchwork.kernel.org/patch/9249919/

madaidan · September 28, 2020, 6:23pm

HulaHoop · October 3, 2020, 3:43pm

Interesting tool, anything that can contributed to it?

Patrick · October 3, 2020, 4:13pm

Was posted here: kernel recompilation for better hardening

Patrick · December 20, 2020, 10:24am

Patrick:

# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
# On Debian kernel.unprivileged_userns_clone is set to 0 by default as well
user.max_user_namespaces = 0

That comment needs an update.

debian bug report: Please reconsider enabling the user namespaces by default

It seems that next debian version will have unpriv user ns by default.

Patrick · January 5, 2021, 6:18am

Related to Linux kernel user namespaces:
Debian package bubblewrapwill set kernel.unprivileged_userns_clone=1 in Debian bullseye and above. bubblewrap will be no longer suid by default.

madaidan · January 12, 2021, 2:18am

Patrick · January 12, 2021, 8:30am

Great! Merged!

What do we do with debian/control?

(Used for apt-cache show security-misc, potentially packages.debian.org APT package repository web interface for deb.whonix.org) and README_generic.md?)

Simplify debian/control so it doesn’t have to be duplicated? Delete / avoid creation of README_generic.md?

madaidan · January 17, 2021, 1:42am

I think it should just contain a basic description and a link to the Github repository for more detailed information.

HulaHoop · March 4, 2021, 10:36pm

@madaidan GCC 12 just added a security compile time option to auto initialize auto variables. Don’t know if this is a problem in the kernel code these days anymore. Also have no idea how this can affect areas of the code related to rngs. Might be useful for other binaries we compile however.

madaidan · March 12, 2021, 6:21pm

The STRUCTLEAK GCC plugin already automatically initializes variables although this will likely be stronger and less hacky.

madaidan · June 27, 2021, 2:46pm

Now that Debian and other distributions like Arch Linux are starting to relax their user namespace restrictions (but still keeping the sysctl for users to manually configure), we should preserve them in security-misc by setting kernel.unprivileged_userns_clone=0. User namespaces are still a huge risk and a minimal setuid binary where we can tightly control the attack surface exposed is superior by far. Unfortunately, upstream doesn’t seem to care.

However, we will need to make bubblewrap setuid ourselves since the package is not setting it anymore (at least in Debian). Should we just add chmod u+s "$(which bwrap)" in the postinst script and add some details in the readme?

There is also an issue when running Chromium in sandbox-app-launcher since no_new_privs will disable the setuid fallback. Ideally, we could probably add a way to whitelist which binaries are permitted to use unprivileged user namespaces (maybe contribute to linux-hardened). Firefox is also affected, but instead, its sandbox silently fails without crashing and lies to the user about the status of the sandbox because Firefox is terrible.

Patrick · August 15, 2021, 9:37am

Patrick · September 1, 2021, 4:23pm

I wanted to port this to dracut (replacing initramfs-tools with dracut) but it seems it’s not needed. Seems like dracut has early sysctl settings by default.

https://mirrors.edge.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_description_6

Patrick · October 15, 2021, 5:45pm

github.com/Kicksecure/security-misc

hide-hardware-info: re-enable restrictions on sysfs when using SELinux

Kicksecure:master ← 0xC0ncord:bugfix/selinuxfs_restrictions

opened 02:20AM - 09 Oct 21 UTC

0xC0ncord

+17 -7

An oversight on my part simply re-enabled permissions to sysfs when SELinux was …in effect. This PR fixes this by explicitly setting permissions on the contents of `/sys/*` and `/sys/fs*` instead of just `/sys` if SELinux is in use. Additionally, fix the indentation so it's consistent with the rest of the script's style.

Dark_Coder · October 26, 2021, 5:05pm

https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html

Patrick · February 10, 2022, 6:42pm