Message ID | 12f4a156-3f21-1cf6-05bb-069fd986932d@link38.eu |
---|---|
State | Dropped |
Headers | From: Peter Müller <peter.mueller@link38.eu>; To: "IPFire: Development-List" <development@lists.ipfire.org>; Subject: [PATCH] prevent kernel address space leak via dmesg or /proc files; Date: Thu, 3 Jan 2019 18:05:40 +0100; Message-ID: <12f4a156-3f21-1cf6-05bb-069fd986932d@link38.eu>; List-Id: IPFire development talk <development.lists.ipfire.org>; Authentication-Results: mail01.ipfire.org; dkim=pass, dmarc=pass, spf=pass |
Series | prevent kernel address space leak via dmesg or /proc files |
Commit Message
Peter Müller
Jan. 4, 2019, 4:05 a.m. UTC
Enable runtime sysctl hardening in order to avoid kernel
addresses being disclosed via dmesg (in case it was built
in without restrictions) or various /proc files.
See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
for further information.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
setup/setup.nm | 2 ++
setup/sysctl/kernel-hardening.conf | 6 ++++++
2 files changed, 8 insertions(+)
create mode 100644 setup/sysctl/kernel-hardening.conf
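A drift check for the two settings this patch ships, added here as an example and not code from the patch or the IPFire setup package: it parses the sysctl.d fragment (embedded below as constructed input), reads each live value from /proc/sys, and reports anything that differs from the shipped configuration. SYSCTL_FAKE is a hypothetical hook for offline runs, and the file name sysctl-audit.sh in the usage comment is assumed.

```shell
#!/bin/sh
# Audit a sysctl.d fragment against the running kernel.
# Added example, not part of the IPFire setup package. The fragment below is the one
# shipped by the patch, embedded here as constructed input so the script runs stand-alone.

HARDENING_CONF='# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1

# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
'

# parse_sysctl_conf CONF: print "key value" pairs, dropping comments and blank lines.
parse_sysctl_conf() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        | awk -F'=' '{ gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2); print $1, $2 }'
}

# current_value KEY: read the live value via /proc/sys
# (kernel.kptr_restrict -> /proc/sys/kernel/kptr_restrict).
# SYSCTL_FAKE is a hypothetical hook for offline runs: a "key=value" list used instead of /proc.
current_value() {
    if [ -n "${SYSCTL_FAKE:-}" ]; then
        printf '%s\n' "$SYSCTL_FAKE" | awk -F'=' -v k="$1" '$1 == k { print $2 }'
        return 0
    fi
    path="/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
    if [ -r "$path" ]; then
        cat "$path"
    fi
}

# audit_sysctl CONF: one line per setting, "OK" or "DRIFT" with expected and actual values.
audit_sysctl() {
    parse_sysctl_conf "$1" | while read -r key want; do
        got="$(current_value "$key")"
        if [ "$got" = "$want" ]; then
            echo "OK    $key = $got"
        else
            echo "DRIFT $key: expected $want, got ${got:-<unreadable>}"
        fi
    done
}

# drift_count CONF: number of settings that are not at their expected value (0 = compliant).
drift_count() {
    audit_sysctl "$1" | grep -c '^DRIFT' || true
}

# Usage: sh sysctl-audit.sh audit   (exit status is the number of drifted settings)
case "${1:-}" in
    audit)
        audit_sysctl "$HARDENING_CONF"
        exit "$(drift_count "$HARDENING_CONF")"
        ;;
esac
```

Run it after the setup package has been installed and `sysctl --system` has been applied; a non-zero exit status means at least one of the shipped values is not what the running kernel reports, which is the condition a monitoring job would alert on.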
Comments
Hello,

I merged this and edited the release number of the setup package. For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you.

Why did we say again this should live in the setup package and not the kernel?

-Michael

> On 3 Jan 2019, at 17:05, Peter Müller <peter.mueller@link38.eu> wrote:
>
> Enable runtime sysctl hardening in order to avoid kernel
> addresses being disclosed via dmesg (in case it was built
> in without restrictions) or various /proc files.
>
> See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
> for further information.
>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> setup/setup.nm | 2 ++
> setup/sysctl/kernel-hardening.conf | 6 ++++++
> 2 files changed, 8 insertions(+)
> create mode 100644 setup/sysctl/kernel-hardening.conf
>
> diff --git a/setup/setup.nm b/setup/setup.nm > index 78d1a5df3..f1dd3c177 100644 > --- a/setup/setup.nm > +++ b/setup/setup.nm > @@ -53,6 +53,8 @@ build > %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf > install -m 644 %{DIR_APP}/sysctl/swappiness.conf \ > %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf > + install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \ > + %{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf > end > end > > diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf > new file mode 100644 > index 000000000..6751bbef6 > --- /dev/null > +++ b/setup/sysctl/kernel-hardening.conf > @@ -0,0 +1,6 @@ > +# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). > +kernel.kptr_restrict = 1 > + > +# Avoid kernel memory address exposures via dmesg. > +kernel.dmesg_restrict = 1 > + > -- > 2.16.4
Hello Michael,

> Hello,
>
> I merged this and edited the release number of the setup package.
thank you - I am not very sure with handling the release numbers.
Glad you fixed this for me. :-)
>
> For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you.
>
> Why did we say again this should live in the setup package and not the kernel?
As far as I can recall, we did not. However, this patch contains
sysctl parameters, so I guess it makes sense to include them in
the sysctl package. Kernel flags, for example, will be patched in
the kernel package.

Thanks, and best regards,
Peter Müller
>
> -Michael
> --
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
> On 7 Jan 2019, at 17:04, Peter Müller <peter.mueller@link38.eu> wrote:
>
> Hello Michael,
>
>> Hello,
>>
>> I merged this and edited the release number of the setup package.
> thank you - I am not very sure with handling the release numbers.
> Glad you fixed this for me. :-)
>>
>> For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you.
>>
>> Why did we say again this should live in the setup package and not the kernel?
> As far as I can recall, we did not. However, this patch contains
> sysctl parameters, so I guess it makes sense to include them in
> the sysctl package. Kernel flags, for example, will be patched in
> the kernel package.

To be honest, I do not have a better place where this could live. However, these flags are closely tied to the kernel, so the kernel package would make sense. However, multiple of those can be installed at the same time and loading incompatible settings might happen.

We will leave this for now until we have a better idea.

Best,
-Michael

> Thanks, and best regards,
> Peter Müller
>>
>> -Michael
>> --
> Microsoft DNS service terminates abnormally when it receives a response
> to a DNS query that was never made. Fix Information: Run your DNS
> service on a different platform.
> -- bugtraq
diff --git a/setup/setup.nm b/setup/setup.nm index 78d1a5df3..f1dd3c177 100644 --- a/setup/setup.nm +++ b/setup/setup.nm @@ -53,6 +53,8 @@ build %{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf install -m 644 %{DIR_APP}/sysctl/swappiness.conf \ %{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf + install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \ + %{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf end end diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf new file mode 100644 index 000000000..6751bbef6 --- /dev/null +++ b/setup/sysctl/kernel-hardening.conf @@ -0,0 +1,6 @@ +# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). +kernel.kptr_restrict = 1 + +# Avoid kernel memory address exposures via dmesg. +kernel.dmesg_restrict = 1 +
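Review bot: the setup.nm hunk at `@@ -53,6 +53,8 @@ build` adds the install line for kernel-hardening.conf without increasing the package release, so pakfire would not detect a changed setup package; the release bump belongs in the same patch as the new file (the merge comments above confirm it had to be edited by hand at merge time).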
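Review bot: the comment above `kernel.kptr_restrict = 1` in the kernel-hardening.conf hunk should state the trade-off behind the chosen value: with 1, %pK-formatted addresses are zeroed only for readers without CAP_SYSLOG, while 2 zeroes them for every reader including root; since the linked KSPP page is the only justification given, a short note on why 1 was picked over 2 would save the next reader a lookup. Minor: the hunk ends with an empty `+` line, which ships a trailing blank line in the installed file.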