
Review lists of config/sysctl recommendations by "kernel self-protection project"
Open, Medium, Public

Description

The "Kernel Self Protection Project" (a group of developers working on enhancing security features in the Linux kernel, e.g. by merging changes from the grsecurity patch set) has published a wiki page of recommended settings in the kernel build and sysctl:
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings

Since we're building a custom jessie kernel based on 4.4 anyway, these are worth investigating. Also, some might be worth enabling in the Debian kernel (for the eventual stretch kernel).

Event Timeline

Restricted Application added a subscriber: Aklapper. · Aug 15 2016, 12:46 PM

I've reviewed the suggested kernel hardening options against the choices used in the stretch 4.9 kernel (and also our jessie backport).

In general all security features applicable to a general purpose kernel are enabled \o/. In particular hardened usercopy and SLAB freelist randomisation will be useful.

These are the recommendations, which are not followed in the stretch kernel:

  • disable CONFIG_DEVMEM
    • /dev/mem is required by various applications. The kernel however restricts access with CONFIG_STRICT_DEVMEM and CONFIG_IO_STRICT_DEVMEM. This breaks some legacy apps which are irrelevant to us (e.g. dosemu).
  • disable CONFIG_PROC_KCORE
    • /proc/kcore is required by various applications
  • disable CONFIG_LEGACY_VSYSCALL
    • still needed by dietlibc in jessie. At least the static build of e2fsprogs is using dietlibc, so we can't disable this at the moment
  • disable IA32_EMULATION
    • this is most definitely still needed by a few externally provided binaries
  • disable X86_X32
    • we don't use this, I'll look into ways to disable it at run time
  • disable MODIFY_LDT_SYSCALL (required by wine/dosemu for 16-bit support)
    • we don't use this, I'll look into ways to disable it at run time
  • disable CONFIG_KEXEC
    • we don't use this, I'll look into ways to disable it at run time
  • disable CONFIG_HIBERNATION
    • we don't use this, I'll look into ways to disable it at run time
  • disable CONFIG_INET_DIAG
    • The underlying bug was fixed in 4.1, so seems fine.
  • disable BINFMT_MISC
    • we don't use this, I'll look into ways to disable it at run time
  • disable CONFIG_MODULES
    • not an option

Then there are two kernel features, which are not yet available in 4.9:

  • CONFIG_BUG_ON_DATA_CORRUPTION
  • CONFIG_PAGE_POISONING_ZERO

And then there are two options which don't add real value unless used with CONFIG_BUG_ON_DATA_CORRUPTION (which is not yet available, see above):

  • CONFIG_DEBUG_NOTIFIERS
  • CONFIG_DEBUG_CREDENTIALS
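As an added example (not part of this task, the Debian packaging, or the comment above), the following POSIX shell script audits a kernel build config against the option list in that comment, so the same review can be repeated against a newer kernel or a rebuilt package. It reads a `.config`-style file (for instance `/boot/config-$(uname -r)` or a decompressed `/proc/config.gz`) and, with no argument, a small constructed sample embedded in the script. Assumptions: the bare names in the comment (IA32_EMULATION, X86_X32, MODIFY_LDT_SYSCALL, BINFMT_MISC) appear with the `CONFIG_` prefix in a real config, and "disable CONFIG_LEGACY_VSYSCALL" is treated as requiring `CONFIG_LEGACY_VSYSCALL_NONE=y`, which is how that choice is expressed in 4.4 and later; the `ok`/`FAIL` reporting format is the script's own.

```shell
#!/bin/sh
# Added example, not part of the task: audit a kernel .config against the
# recommendations listed in the comment above.
# Usage: ./kconfig-audit.sh /boot/config-$(uname -r)
# Without an argument a constructed sample config (below) is audited.

# Symbols the recommendations want off. Bare names from the comment carry
# the CONFIG_ prefix here (assumption: that is how they appear in .config).
WANT_OFF="CONFIG_DEVMEM CONFIG_PROC_KCORE CONFIG_IA32_EMULATION CONFIG_X86_X32
CONFIG_MODIFY_LDT_SYSCALL CONFIG_KEXEC CONFIG_HIBERNATION CONFIG_INET_DIAG
CONFIG_BINFMT_MISC CONFIG_MODULES"

# Symbols that should be =y: the mitigations the comment reports as enabled,
# LEGACY_VSYSCALL_NONE (assumption: the "off" state of the vsyscall choice),
# and the options it lists as not yet available so a newer kernel gets checked.
WANT_ON="CONFIG_STRICT_DEVMEM CONFIG_IO_STRICT_DEVMEM CONFIG_HARDENED_USERCOPY
CONFIG_SLAB_FREELIST_RANDOM CONFIG_LEGACY_VSYSCALL_NONE
CONFIG_BUG_ON_DATA_CORRUPTION CONFIG_PAGE_POISONING_ZERO
CONFIG_DEBUG_NOTIFIERS CONFIG_DEBUG_CREDENTIALS"

# config_value FILE SYMBOL -> prints y, m, n ("# SYMBOL is not set") or
# "unset" when the symbol does not appear at all (e.g. an older kernel).
config_value() {
    if grep -q "^$2=" "$1"; then
        sed -n "s/^$2=//p" "$1" | head -n 1
    elif grep -q "^# $2 is not set" "$1"; then
        echo n
    else
        echo unset
    fi
}

# audit_config FILE -> one report line per symbol; the return value is the
# number of deviations (0 means every listed recommendation is met).
audit_config() {
    cfg=$1; bad=0
    for sym in $WANT_OFF; do
        v=$(config_value "$cfg" "$sym")
        case $v in
            n|unset) echo "ok    $sym=$v (wanted off)" ;;
            *)       echo "FAIL  $sym=$v (wanted off)"; bad=$((bad + 1)) ;;
        esac
    done
    for sym in $WANT_ON; do
        v=$(config_value "$cfg" "$sym")
        case $v in
            y) echo "ok    $sym=y" ;;
            *) echo "FAIL  $sym=$v (wanted y)"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# count_deviations FILE -> prints the deviation count (safe under set -e).
count_deviations() {
    n=0
    audit_config "$1" >/dev/null || n=$?
    echo "$n"
}

# Constructed sample resembling a distro 4.9 config; not a real WMF config.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_MODULES=y
CONFIG_DEVMEM=y
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_PROC_KCORE=y
CONFIG_IA32_EMULATION=y
# CONFIG_X86_X32 is not set
CONFIG_MODIFY_LDT_SYSCALL=y
CONFIG_KEXEC=y
# CONFIG_HIBERNATION is not set
CONFIG_INET_DIAG=m
CONFIG_BINFMT_MISC=m
CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_LEGACY_VSYSCALL_EMULATE=y
# CONFIG_LEGACY_VSYSCALL_NONE is not set
# CONFIG_DEBUG_NOTIFIERS is not set
# CONFIG_DEBUG_CREDENTIALS is not set
EOF

# Stand-alone run: audit the given config, or the sample when none is given.
if [ $# -eq 0 ]; then
    echo "No config given; auditing constructed sample"
    audit_config "$SAMPLE_CONFIG"
else
    audit_config "$1"
fi
echo "deviations: $?"
```

A module built as `=m` is reported as a deviation on purpose: the comment's "disable at run time" approach (not loading or blacklisting the module) is invisible to a build-config audit, so those entries need a separate check on the running system.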

ema added a subscriber: ema. · Mar 29 2017, 2:34 PM

Aklapper removed MoritzMuehlenhoff as the assignee of this task. · Jun 19 2020, 4:15 PM

This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!

For tips on how to manage individual work in Phabricator (noisy notifications, lists of tasks, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the record, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)

herron triaged this task as Medium priority. · Jul 27 2020, 8:27 PM