About the hardened kernel clip os


Regarding the kernel source, do clip os have any security “made home” or simply patch with existing hardened patch ? (like minipli, anthraxx …)


Hello g3ngr33n,

Currently, the CLIP OS 5 Linux kernel includes:

  • linux-hardened
  • the STACKLEAK plugin ported from grsecurity/PaX by Alexander Popov (note that part of it was merged upstream in 4.20 and that our kernel will keep including the remaining part);
  • most of the Lockdown patch set;
  • reverts and backports of some upstream commits.

We plan to integrate other available patch sets (e.g. ones that are not accepted upstream but that we find relevant to our security model) as well as our own, including many from CLIP OS 4. You can find more information about Linux kernel hardening in both CLIP OS 4 and 5 in our Kernel Recipes talk.

Thanks for those links, bookmarked.

It is late, I may have miss it but, I didn’t see kernexec feature on https://github.com/clipos-archive/src_platform_clip-patches, it is normal ? It is one of the must of grsec…

If I’m mistaken about it, I known the difficulty of the task but, any chance to see it ported to recent kernel ? (4.18 < )

Thanks for sharing your sources, this is definitively useful

KERNEXEC is part of the grsec patch.

As for porting KERNEXEC to recent kernels, this is indeed a hard task and it’s not planned. That being said, and as explained for instance in the presentation I linked above, we want to contribute as much as possible to projects we use in CLIP OS, and this obviously includes the Linux kernel. In addition to trying to upstream our own developments such as O_MAYEXEC support or CLIP LSM, helping the KSPP in its work of hardening the Linux kernel, including by taking part in efforts to upstream some grsec/PaX features, is definitely considered.

Yes indeed, shortly after i made my previous post, I started to to check your contribution. I ended up rebuild my kernel (4.20.0), with the merge of your patch.

Vanila linux-4.20.tar.gz
patch linux-hardened-4.20.a.patch (antraxx)
patch stackleak.patch (this one was easy https://github.com/clipos/src_external_linux/commit/7a94313c154dfe78223729b015b16d5f257afc35.patch)

lockdown.patch, I haven’t found a patch so I used https://github.com/clipos/src_external_linux/compare/upstream/stable/linux-4.20.y...feature/lockdown.patch, I fixed the hunks for 2 hours, will continue another day. If a patch to add lockdown is available, I take it, otherwise I could try to finish what I started.

Regarding kernexec, I can live without don’t worry, the contrib you are offering is already outstanding, thanks again.

The lockdown branch on GitHub is for 4.19. The merge of 4.20 in it is done but waiting submission on Gerrit. You can fetch it from there.