
Review lists of config/sysctl recommendations by "kernel self-protection project"
Open, MediumPublic

Description

The "Kernel Self Protection Project" (a group of developers working on enhancing security features in the Linux kernel, e.g. by merging changes from the grsecurity patch set) has published a wiki page of recommended settings in the kernel build and sysctl:
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings

Since we're building a custom jessie kernel based on 4.4 anyway, these are worth investigating. Also, some might be worth enabling in the Debian kernel (for the eventual stretch kernel).

Event Timeline

I've reviewed the suggested kernel hardening options against the choices used in the stretch 4.9 kernel (and also our jessie backport).

In general all security features applicable to a general purpose kernel are enabled \o/. In particular hardened usercopy and SLAB freelist randomisation will be useful.

These are the recommendations which are not followed in the stretch kernel:

  • disable CONFIG_DEVMEM
    • /dev/mem is required by various applications. The kernel however restricts access with CONFIG_STRICT_DEVMEM and CONFIG_IO_STRICT_DEVMEM. This breaks some legacy apps which are irrelevant to us (e.g. dosemu).
  • disable CONFIG_PROC_KCORE
    • /proc/kcore is required by various applications
  • disable CONFIG_LEGACY_VSYSCALL
    • still needed by dietlibc in jessie. At least the static build of e2fsprogs is using dietlibc, so we can't disable this at the moment
  • disable IA32_EMULATION
    • this most definitely still needed by a few externally provided binaries
  • disable X86_X32
    • we don't use this, I'll look into ways to disable it at run time
  • disable MODIFY_LDT_SYSCALL (required by wine/dosemu for 16 bit support)
    • we don't use this, I'll look into ways to disable it at run time
  • disable CONFIG_KEXEC
    • we don't use this, I'll look into ways to disable it at run time
  • disable CONFIG_HIBERNATION
    • we don't use this, I'll look into ways to disable it at run time
  • disable CONFIG_INET_DIAG
    • The underlying bug was fixed in 4.1, so seems fine.
  • disable BINFMT_MISC
    • we don't use this, I'll look into ways to disable it at run time
  • disable CONFIG_MODULES
    • not an option

Then there are two kernel features, which are not yet available in 4.9:

  • CONFIG_BUG_ON_DATA_CORRUPTION
  • CONFIG_PAGE_POISONING_ZERO

And then there are two options which don't add real value unless used with CONFIG_BUG_ON_DATA_CORRUPTION (which is not yet available, see above):

  • CONFIG_DEBUG_NOTIFIERS
  • CONFIG_DEBUG_CREDENTIALS

This task has been assigned to the same task owner for more than two years. Resetting task assignee due to inactivity, to decrease task cookie-licking and to get a slightly more realistic overview of plans. Please feel free to assign this task to yourself again if you still realistically work or plan to work on this task - it would be welcome!

For tips on how to manage individual work in Phabricator (noisy notifications, lists of tasks, etc.), see https://phabricator.wikimedia.org/T228575#6237124 for available options.
(For the record, two emails were sent to assignee addresses before resetting assignees. See T228575 for more info and for potential feedback. Thanks!)

herron triaged this task as Medium priority. Jul 27 2020, 8:27 PM
Aklapper removed a subscriber: ema.

Removing task assignee due to inactivity as this open task has been assigned for more than two years. See the email sent to the task assignee on August 22nd, 2022.
Please assign this task to yourself again if you still realistically [plan to] work on this task - it would be welcome!
If this task has been resolved in the meantime, or should not be worked on ("declined"), please update its task status via "Add Action… 🡒 Change Status".
Also see https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup for tips on how to best manage your individual work in Phabricator. Thanks!

I created a small script to audit the config file against the recommendations from the kernsec project. The results are below (I suspect some of these are false positives; I have not gone through the list yet).

Bullseye (cumin1001:/boot/config-5.10.0-23-amd64)

The following recommended keys are not configured
  • CONFIG_CFI_CLANG
  • CONFIG_DEBUG_CREDENTIALS
  • CONFIG_DEBUG_NOTIFIERS
  • CONFIG_DEBUG_SG
  • CONFIG_DEBUG_VIRTUAL
  • CONFIG_EFI_DISABLE_PCI_DMA
  • CONFIG_INIT_ON_FREE_DEFAULT_ON
  • CONFIG_INIT_STACK_ALL_ZERO
  • CONFIG_INTEL_IOMMU_DEFAULT_ON
  • CONFIG_IOMMU_DEFAULT_DMA_STRICT
  • CONFIG_KFENCE
  • CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
  • CONFIG_MODULE_SIG_ALL
  • CONFIG_MODULE_SIG_FORCE
  • CONFIG_MODULE_SIG_SHA512
  • CONFIG_PAGE_POISONING_ZERO
  • CONFIG_PANIC_ON_OOPS
  • CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT
  • CONFIG_REFCOUNT_FULL
  • CONFIG_SCHED_CORE
  • CONFIG_SECURITY_LANDLOCK
  • CONFIG_SLS
  • CONFIG_STATIC_USERMODEHELPER
  • CONFIG_UBSAN
  • CONFIG_UBSAN_BOUNDS
  • CONFIG_UBSAN_LOCAL_BOUNDS
  • CONFIG_UBSAN_SANITIZE_ALL
  • CONFIG_UBSAN_TRAP
  • CONFIG_WERROR
  • CONFIG_ZERO_CALL_USED_REGS
The following recommended options have different settings
  • CONFIG_MODULE_SIG_HASH: expected "sha512", got "sha256"
  • CONFIG_MODULE_SIG_KEY: expected "certs/signing_key.pem", got ""
  • CONFIG_PANIC_TIMEOUT: expected -1, got 0
  • CONFIG_STRICT_KERNEL_RWX: expected y (since v4.11), got y
  • CONFIG_STRICT_MODULE_RWX: expected y (since v4.11), got y

Bookworm (puppetdb1003.eqiad.wmnet:/boot/config-6.1.0-9-amd64)

The following recommended keys are not configured
  • CONFIG_CFI_CLANG
  • CONFIG_DEBUG_CREDENTIALS
  • CONFIG_DEBUG_NOTIFIERS
  • CONFIG_DEBUG_SG
  • CONFIG_DEBUG_VIRTUAL
  • CONFIG_EFI_DISABLE_PCI_DMA
  • CONFIG_HW_RANDOM_TPM
  • CONFIG_INIT_ON_FREE_DEFAULT_ON
  • CONFIG_INTEL_IOMMU_DEFAULT_ON
  • CONFIG_IOMMU_DEFAULT_DMA_STRICT
  • CONFIG_KFENCE
  • CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
  • CONFIG_MODULE_SIG_ALL
  • CONFIG_MODULE_SIG_FORCE
  • CONFIG_MODULE_SIG_KEY
  • CONFIG_MODULE_SIG_SHA512
  • CONFIG_PAGE_POISONING_NO_SANITY
  • CONFIG_PAGE_POISONING_ZERO
  • CONFIG_PANIC_ON_OOPS
  • CONFIG_REFCOUNT_FULL
  • CONFIG_SCHED_CORE
  • CONFIG_STATIC_USERMODEHELPER
  • CONFIG_UBSAN
  • CONFIG_UBSAN_BOUNDS
  • CONFIG_UBSAN_LOCAL_BOUNDS
  • CONFIG_UBSAN_SANITIZE_ALL
  • CONFIG_UBSAN_TRAP
  • CONFIG_WERROR
  • CONFIG_ZERO_CALL_USED_REGS
The following recommended options have different settings
  • CONFIG_MODULE_SIG_HASH: expected "sha512", got "sha256"
  • CONFIG_PANIC_TIMEOUT: expected -1, got 0
  • CONFIG_STRICT_KERNEL_RWX: expected y (since v4.11), got y
  • CONFIG_STRICT_MODULE_RWX: expected y (since v4.11), got y
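The audit script referred to in the comment above is not on this page. As an added example (my own code, not the commenter's script and not a kernsec project tool), here is a small POSIX sh audit in the same spirit: it parses a Debian-style `/boot/config-*` file, distinguishes a symbol that is absent from one that is "# CONFIG_X is not set", and compares the parsed value against an expected value rather than the raw line, which is what avoids reports such as "expected y, got y". The sample config, the expected list (a hand-picked subset of the kernsec recommendations with one illustrative "disable CONFIG_KEXEC" entry) and the MISSING/DIFF report format are all constructed for this example.

```shell
#!/bin/sh
# Added example: audit a kernel .config against a list of expected values.
# Not the script from the task comment. Inputs below are constructed.

# Constructed sample config, in the layout of a Debian /boot/config-* file.
SAMPLE_CONFIG='CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_MODULE_RWX=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_PANIC_TIMEOUT=0
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_KEXEC=y'

# Constructed expectation list: "KEY VALUE", value written as it appears in
# the config file (quotes included for strings, "n" for "must be disabled").
EXPECTED='CONFIG_STRICT_KERNEL_RWX y
CONFIG_STRICT_MODULE_RWX y
CONFIG_MODULE_SIG_HASH "sha512"
CONFIG_PANIC_TIMEOUT -1
CONFIG_MODULE_SIG_FORCE y
CONFIG_KEXEC n
CONFIG_KFENCE y'

# config_value FILE KEY
# Prints the value of KEY, "n" if the file says "# KEY is not set", and
# prints nothing and returns 1 if the symbol does not occur at all.
# Matching on "KEY=" keeps CONFIG_MODULE_SIG from matching CONFIG_MODULE_SIG_HASH.
config_value() {
  awk -v key="$2" '
    $0 == ("# " key " is not set") { print "n"; found = 1; exit }
    index($0, (key "=")) == 1      { print substr($0, length(key) + 2); found = 1; exit }
    END { if (!found) exit 1 }
  ' "$1"
}

# audit_config CONFIG_FILE EXPECTED_FILE
# Prints one MISSING/DIFF line per finding; returns 1 if anything was found.
audit_config() {
  cfg=$1; findings=0
  while read -r key want; do
    [ -z "$key" ] && continue
    got=$(config_value "$cfg" "$key") || got=""
    if [ "$want" = "n" ]; then
      # "disabled" is satisfied by "is not set" or by the symbol being absent
      if [ -n "$got" ] && [ "$got" != "n" ]; then
        echo "DIFF $key: expected n, got $got"; findings=$((findings + 1))
      fi
    elif [ -z "$got" ] || [ "$got" = "n" ]; then
      echo "MISSING $key"; findings=$((findings + 1))
    elif [ "$got" != "$want" ]; then
      echo "DIFF $key: expected $want, got $got"; findings=$((findings + 1))
    fi
  done < "$2"
  [ "$findings" -eq 0 ]
}

# Stand-alone run over the constructed inputs; point the two paths at a real
# /boot/config-$(uname -r) and your own expectation list to audit a host.
run_sample_audit() {
  tmp=$(mktemp -d)
  printf '%s\n' "$SAMPLE_CONFIG" > "$tmp/config"
  printf '%s\n' "$EXPECTED" > "$tmp/expected"
  if audit_config "$tmp/config" "$tmp/expected"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

if run_sample_audit; then echo "config matches expectations"; else echo "findings listed above"; fi
```

The same key/value comparison carries over to the sysctl half of the kernsec list (for example `kernel.kexec_load_disabled = 1`, which is the run-time way to disable kexec when CONFIG_KEXEC stays built in); it only needs a second value reader over `sysctl -a` output instead of the config file.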