kernel recompilation for better hardening

madaidan · December 19, 2019, 4:39pm

/sys/kernel/debug/ is the usual mount point for it and it’s already restricted to root in Debian by default so we can’t do any permission hardening with it in security-misc.

We can’t just restrict this with apparmor-profile-everything. debugfs doesn’t have to be at /sys/kernel/debug/. An attacker can mount it anywhere. For example, run

mount -t debugfs none /mnt

Now there is a debugfs mounted at /mnt. If apparmor-profile-everything denied access to /sys/kernel/debug/, it will do nothing to stop the attacker from just accessing this new mount at /mnt.

madaidan · December 19, 2019, 4:50pm

I’m not seeing anything except the header change.

user@host:~/kernel/linux-source-4.19$ diff -u ../config .config
--- ../config
+++ .config
@@ -1,6 +1,5 @@
 #
-# Whonix custom kernel configuration
-# Optimized for virtual machines and security
+# Automatically generated file; DO NOT EDIT.
 # Linux/x86 4.19.67 Kernel Configuration
 #
 
user@host:~/kernel/linux-source-4.19$

Patrick_mobile · December 19, 2019, 4:50pm

apparmor-profile-everything is going to restrict mount anyhow since that command can be abused for many very bad things.

madaidan · December 21, 2019, 9:14pm

Unless, during the install we find out what hardware the user uses, select config options based on that and compile the kernel although this can easily go very wrong.

Patrick_mobile · December 22, 2019, 6:44am

Better to rename from hardened-vm-kernel to hardened-kernel? Reason is the compile script and install hacks might be shared. Ideally for host kernel we’d offer precompiled but with a drop-in config snippet we’ll let the user opt-in for local self-compilation. Using all the same code but just some variables change depending on VM or host.

madaidan · December 22, 2019, 1:48pm

Sure if we do decide to try and make a host kernel.

Patrick_mobile · December 22, 2019, 2:41pm

Awesome. Will rename now as later package rename and migration is a nontrivial, error prone process for users who upgrade.

Patrick · December 23, 2019, 12:59pm

Patrick_mobile via Whonix Forum:

Awesome. Will rename now as later package rename and migration is a nontrivial, error prone process for users who upgrade.

Initial packaging is done:

Patrick · December 23, 2019, 2:17pm

madaidan via Whonix Forum:

Should CONFIG_PROC_PAGE_MONITOR be disabled?

linux/fs/proc/Kconfig at master · torvalds/linux · GitHub

Various /proc files exist to monitor process memory utilization:
/proc/pid/smaps, /proc/pid/clear_refs, /proc/pid/pagemap,
/proc/kpagecount, and /proc/kpageflags. Disabling these
interfaces will reduce the size of the kernel by approximately 4kb.

It was called “brain-dead” and a security risk by grsecurty.

It was also used in exploiting rowhammer to gain kernel privileges.

Project Zero: Exploiting the DRAM rowhammer bug to gain kernel privileges

Better disable read/write access with apparmor-profile-everything instead?

madaidan · December 23, 2019, 2:32pm

It’s just going to add compile time then.

madaidan · December 23, 2019, 4:26pm

I think it would be good to include hardened-vm-kernel and apparmor-profile-everything in QubesOS similar to security-misc Package security-misc from Whonix to Qubes · Issue #1885 · QubesOS/qubes-issues · GitHub

Patrick_mobile · December 23, 2019, 5:16pm

Not a lot has happened to security-misc in Qubes outside of Qubes-Whonix. Maybe more realistic to develop Kicksecure and then create a Kicksecure Qubes template. That might meet lower resistance than hardening Qubes Debian template.

Feel free to open any Qubes tickets.

As for outreach hardened-vm-kernel seems useful to contact both linux-hardened and oss-security mailing list.

madaidan · December 24, 2019, 1:06am

perf exposes tons of debugging functionality that’s not really used much and should be disabled. It’s been the source of many infoleaks and vulnerabilities. Debian restricts this to root by default but that’s not enough for us.

The problem with disabling it though is that CONFIG_KVM and CONFIG_X86 both select CONFIG_PERF_EVENTS even though it isn’t strictly required. So, we’d need to patch the Kconfig and comment it out.

We can create a /usr/share/hardened-vm-kernel/patches/ directory and modify the build script to apply everything in there e.g.

cat /usr/share/hardened-vm-kernel/patches/* | patch -p1

More info on this:

https://lkml.org/lkml/2016/1/11/587

https://lkml.org/lkml/2016/6/17/696

Disallowing perf_event_open() [LWN.net]

https://patchwork.kernel.org/patch/9249919/

madaidan · December 24, 2019, 4:47pm

That doesn’t work. Disabling it causes tons of compile errors. Better to just patch the kernel and make perf error out.

Patrick · December 24, 2019, 4:53pm

madaidan via Whonix Forum:

We can create a /usr/share/hardened-vm-kernel/patches/ directory and modify the build script to apply everything in there e.g.

Much better to submit any patches to linux-hardened. They’re much more
capable to review it than I would. Very happy to see they merged your
pull request (Harden module auto-loading by madaidan · Pull Request #19 · anthraxx/linux-hardened · GitHub)!
Congratulations!

madaidan · December 24, 2019, 5:56pm

Did they? Looks like they just closed it.

Patrick · December 24, 2019, 6:05pm

madaidan via Whonix Forum:

Patrick:

Very happy to see they merged your pull request (Harden module auto-loading by madaidan · Pull Request #19 · anthraxx/linux-hardened · GitHub)!

Did they? Looks like they just closed it.

Not sure. But guess so. Commits are referenced there. He force pushed.
Did not use merge button.

Patrick · December 24, 2019, 6:10pm

In their repo. But dunno which branch.

madaidan · December 24, 2019, 6:28pm

That doesn’t mean it was merged. Look at this unmerged commit in the security-misc repo for example.

I can’t see my commits in any of linux-hardened’s branches.

Patrick_mobile · December 24, 2019, 6:29pm

Maybe ask? A comment if refused would be good? Perhaps a mistake.