Core: Add more Linux hardening


#1

From @HacKurx on Sun Feb 10 2019 12:59:45 GMT+0000 (UTC)

Good morning, everyone,

I think it would be interesting to add the following hardenings:

  1. Symlinkown
  2. S.A.R.A
  3. TPE-LSM or TPE-without-LSM
  4. Hardened defconfig
  5. VMware PAX, PAX_NOWRITEEXEC, PAX_EMUTRAMP, PAX_MPROTECT
  6. VMware PAX_RANDKSTACK
  7. VMware rap_plugin can be used with a gcc patch.

There is no difficulty in maintaining these on the longterm version of Linux 4.19.

Best regards,

Copied from original issue: https://github.com/clipos/bugs/issues/18


#2

Hi Loïc,

Thank you for the suggestions.

First of all, keep in mind that we need to remain focused and thus will not maintain out-of-tree patches that are not relevant to our threat model. All patches should, as much as possible, be submitted upstream. Note also that we currently don’t maintain any LTS release and that patches will always have to be ported to the latest stable release.

As for what’s currently included in the CLIP OS 5 kernel, please have a look at my answers to this thread.

Regarding your suggestions:

  • Symlinkown: As I understand it, this feature only exists to fix a hole in Apache’s SymlinksIfOwnerMatch option. Are there any other use cases? If not, I don’t think it’s useful to us.
  • SARA: We are very interested in the SARA LSM but are waiting for its upstream integration, which is itself waiting for proper LSM stacking.
  • TPE: This does not really fit our use case (see documentation).
  • Hardened defconfig: We already use our own Kconfig based on the KSPP recommendations (as detailed here), so I don’t see any benefits to tweaking defconfigs.
  • VMware ports of grsecurity/PaX features: In addition to what has been said above, see my answer here.

Thanks again for your interest :wink: