
FS#53905 - [linux-hardened] Add leftover configs from KSPP plus some recommendations

Attached to Project: Community Packages
Opened by David McAdoo (geecroof) - Monday, 01 May 2017, 17:02 GMT
Last edited by Daniel Micay (thestinger) - Wednesday, 03 May 2017, 03:53 GMT
Task Type: Feature Request
Category: Packages
Status: Closed
Assigned To: Daniel Micay (thestinger)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:

Here's a list of current KSPP recommendations which aren't currently included in linux-hardened:

1. CONFIG_INET_DIAG=m -> # CONFIG_INET_DIAG is not set
2. CONFIG_BINFMT_MISC=y -> # CONFIG_BINFMT_MISC is not set
3. # CONFIG_DEBUG_SG is not set -> CONFIG_DEBUG_SG=y
4. CONFIG_MODIFY_LDT_SYSCALL=y -> # CONFIG_MODIFY_LDT_SYSCALL is not set

I don't know if (1) and (2) were omitted on purpose, but it would be nice to see a short explanation if that's the case. Personally I think that a hardened kernel should disable by default rarely used functions which open a possible security hole in the system.

(3) is a new option added to the KSPP wiki lately. I saw an attempt to enable (4) at https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/linux-hardened&id=3c1e73add9dfe66acada39c6b0c35e7ab3e618c0 but it's a blank commit, probably a mistake.

CONFIG_CMDLINE="slub_debug=P" from KSPP is recommended against in the Gentoo hardened kernel project, https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project, but what about CONFIG_CMDLINE="slub_debug=FZ" instead? See the rationale in https://tails.boum.org/contribute/design/kernel_hardening/

Additionally I propose to enable TOMOYO as the only MAC system on Arch which doesn't need recompilation of other packages and shouldn't have any drawbacks for people who don't use it (no audit dependency). It would need enabling two options:
# CONFIG_SECURITY_TOMOYO is not set -> CONFIG_SECURITY_TOMOYO=y
# CONFIG_SECURITY_NETWORK is not set -> CONFIG_SECURITY_NETWORK=y (for some additional functionality)

Also I wanted to ask if out-of-tree patches are supposed to be added to this package? I know it's generally against Arch principles, but as we want to replace grsecurity I think it should be considered.

I propose to add the following patches from the Debian project:

Allow further restriction of perf_event_open (enables the kernel.perf_event_paranoid = 3 sysctl option, recommended by KSPP)

https://anonscm.debian.org/git/kernel/linux.git/plain/debian/patches/features/all/security-perf-allow-further-restriction-of-perf_event_open.patch

Add a sysctl to disallow unprivileged CLONE_NEWUSER by default (allows user namespaces for privileged users only by default, the same as linux-grsec did, so we could enable CONFIG_USER_NS)

https://anonscm.debian.org/git/kernel/linux.git/plain/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

Those above are pending to be mainlined, but I don't know if we should wait until this happens.

I hope I don't disturb you much. Thanks for all the work.
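As an added example, not part of the bug report, the linux-hardened package or KSPP: a POSIX shell script that audits a kernel .config against the settings listed in the report (KSPP items (1) to (4), the two TOMOYO options and the slub_debug=FZ command line). It assumes the config is available as a plain-text file (for example `zcat /proc/config.gz > cfg` or /boot/config-*); the sample config it writes when run without arguments is constructed here for illustration and is not a real Arch config.

```shell
#!/bin/sh
# Added example (not from the bug report or the linux-hardened package):
# audit a kernel .config against the settings the report lists.
# Assumes a plain-text .config, e.g. from `zcat /proc/config.gz > cfg`.

# Settings from the report: KSPP items (1)-(4) plus the two TOMOYO options.
# "n" means "# CONFIG_X is not set" or the option being absent entirely.
REPORT_WANTED='
CONFIG_INET_DIAG=n
CONFIG_BINFMT_MISC=n
CONFIG_DEBUG_SG=y
CONFIG_MODIFY_LDT_SYSCALL=n
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_NETWORK=y
'

# kconfig_state FILE OPTION -> prints y, m, n or the option's string value.
# An absent option and "# OPTION is not set" both count as n.
kconfig_state() {
    if grep -q "^$2=" "$1"; then
        sed -n "s/^$2=//p" "$1" | head -n 1
    else
        echo n
    fi
}

# cmdline_has FILE TOKEN -> exit 0 if CONFIG_CMDLINE contains TOKEN as a word
# (e.g. slub_debug=FZ, the alternative to slub_debug=P discussed above).
cmdline_has() {
    kconfig_state "$1" CONFIG_CMDLINE | tr -d '"' | tr ' ' '\n' | grep -qx "$2"
}

# check_kconfig FILE -> one line per item; returns the number of deviations
# (0 = fully compliant), so it can gate a build or a CI job directly.
check_kconfig() {
    file=$1
    bad=0
    for item in $REPORT_WANTED; do
        opt=${item%=*}
        want=${item#*=}
        have=$(kconfig_state "$file" "$opt")
        if [ "$have" = "$want" ]; then
            printf 'ok        %s=%s\n' "$opt" "$have"
        else
            printf 'DEVIATES  %s=%s (report wants %s)\n' "$opt" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# write_sample_config FILE: a constructed .config fragment (not a real Arch
# config) mirroring the "current" side of the report's list.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_INET_DIAG=m
CONFIG_BINFMT_MISC=y
# CONFIG_DEBUG_SG is not set
CONFIG_MODIFY_LDT_SYSCALL=y
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_NETWORK is not set
CONFIG_CMDLINE="slub_debug=FZ"
EOF
}

# Usage: sh kspp_audit.sh /path/to/.config
# With no argument, run against the constructed sample instead.
if [ "$#" -gt 0 ]; then
    cfg=$1
else
    cfg=$(mktemp "${TMPDIR:-/tmp}/kconfig.XXXXXX")
    write_sample_config "$cfg"
fi
deviations=0
check_kconfig "$cfg" || deviations=$?
if cmdline_has "$cfg" slub_debug=FZ; then
    echo "ok        CONFIG_CMDLINE has slub_debug=FZ"
else
    echo "NOTE      CONFIG_CMDLINE lacks slub_debug=FZ"
fi
echo "$deviations deviation(s) from the report's list"
[ "$#" -gt 0 ] || rm -f "$cfg"
```

Run against the sample, every item in the report's list deviates (the sample is the "before" side of each arrow), so the script reports six deviations; against a config that already carries the recommended values it returns 0. The perf_event_paranoid and CLONE_NEWUSER sysctls from the Debian patches are runtime settings, not Kconfig symbols, so they are out of scope for a .config audit.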

Closed by Daniel Micay (thestinger) - Wednesday, 03 May 2017, 03:53 GMT
Reason for closing: None
Additional comments about closing: This package isn't the right place to contribute ideas or patches. Nothing has been announced about this package, so there shouldn't be assumptions about the purpose and plans for it yet.
Comment by Daniel Micay (thestinger) - Wednesday, 03 May 2017, 03:49 GMT
I think you're mistaken about the purpose of this package. It won't be carrying any downstream (as in Arch Linux) patches and I don't need advice on what to change. It's a stub that will point to a hardening patch set once the community takes the mantle from grsecurity. If you want to contribute to kernel security, you should contribute upstream (KSPP) or to https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project.
