From patchwork Sat Mar 19 21:08:05 2022
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 12
Message-ID: <771528ff-9bb0-2073-4819-471ab16bb920@ipfire.org>
Date: Sat, 19 Mar 2022 21:08:05 +0000
To: "IPFire: Development"
From: Peter Müller
Subject: [PATCH 00/11] Kernel: Improve hardening
List-Id: IPFire development talk

This patchset improves hardening of our Linux kernel configurations for all architectures. Most importantly, it features the activation of the "Linux Security Module", also known as "kernel lockdown" (a phrase coined before the pandemic), or LSM for short.
Being set to "integrity" mode for a start, LSM prevents the kernel from being modified by various mechanisms, of which we have some already covered. However, it comes as a more holistic approach, which is why enabling it is desirable for our userbase.

Most of this patchset is based on recommendations by the "kconfig-hardened-check" tool (https://github.com/a13xp0p0v/kconfig-hardened-check/), with some inspiration taken directly from KSPP and grsecurity.

Being unable to cross-compile IPFire for non-x86_64-architectures on my own, and my VM on the Mustang currently being offline, this patchset does not come with aligned kernel rootfiles for other architectures than x86_64. I am sorry for any inconvenience and extra workload caused by this.

Also, for the sake of completeness, the effect of LSM on virtualisation has not been tested due to time constraints, and a lack of oversight _which_ virtualisation features we officially support and which we don't. In doubt, however, I believe the security benefit gained from LSM outweighs a partial functional loss of virtualisation - but that is a highly biased opinion. :-)

Peter Müller (11):
  Kernel: Set CONFIG_ARCH_MMAP_RND_BITS to 32 bits
  Kernel: Disable support for tracing block I/O actions
  Kernel: Pin loading kernel files to one filesystem
  Kernel: Enable undefined behaviour sanity checker
  Kernel: Gate SETID transitions to limit CAP_SET(G|U)ID capabilities
  Kernel: Enable LSM support and set security level to "integrity"
  Kernel: Trigger BUG if data corruption is detected
  Kernel: Do not automatically load TTY line disciplines, only if necessary
  Kernel: Enable SVA support for both Intel and AMD CPUs
  Kernel: Disable function and stack tracers
  Kernel: Update rootfile for x86_64

 config/kernel/kernel.config.aarch64-ipfire | 47 ++++++++++--------
 config/kernel/kernel.config.armv6l-ipfire  | 47 ++++++++++--------
 config/kernel/kernel.config.riscv64-ipfire | 47 ++++++++++--------
 config/kernel/kernel.config.x86_64-ipfire  | 57 ++++++++++++----------
 config/rootfiles/common/x86_64/linux       | 33 +++++++------
 5 files changed, 131 insertions(+), 100 deletions(-)
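
An added example, not part of the original mail or of IPFire's code: a small checker that audits a kernel .config against the settings this series describes. The mapping from patch titles to Kconfig symbols is an assumption (the diffs themselves are not shown here), and SAMPLE is a constructed fragment.

```python
import re

# Assumed mapping from the patch titles in this series to mainline Kconfig
# symbols (the diffs are not on this page). None means "must not be set".
EXPECTED = {
    "CONFIG_ARCH_MMAP_RND_BITS": "32",
    "CONFIG_BLK_DEV_IO_TRACE": None,
    "CONFIG_SECURITY_LOADPIN": "y",
    "CONFIG_SECURITY_LOCKDOWN_LSM": "y",
    "CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY": "y",
    "CONFIG_BUG_ON_DATA_CORRUPTION": "y",
    "CONFIG_LDISC_AUTOLOAD": None,
    "CONFIG_FUNCTION_TRACER": None,
    "CONFIG_STACK_TRACER": None,
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Return {symbol: value}; '# CONFIG_X is not set' lines map to None."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        if m := _SET.match(line):
            cfg[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET.match(line):
            cfg[m.group(1)] = None
    return cfg

def audit(text, expected=EXPECTED):
    """Return (symbol, wanted, found) per deviation; absent counts as unset."""
    cfg = parse_kconfig(text)
    return [(s, w, cfg.get(s)) for s, w in expected.items() if cfg.get(s) != w]

# Constructed sample fragment, not taken from IPFire's kernel.config files.
SAMPLE = """\
CONFIG_ARCH_MMAP_RND_BITS=28
CONFIG_SECURITY_LOADPIN=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_LDISC_AUTOLOAD=y
# CONFIG_STACK_TRACER is not set
"""

if __name__ == "__main__":
    for sym, want, got in audit(SAMPLE):
        print(f"{sym}: want {want or 'unset'}, found {got or 'unset'}")
```

Run against each per-architecture config file, a symbol that an architecture does not offer is reported as unset, so deviations on the non-x86_64 configs need a manual look before being treated as regressions.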