public inbox for development@lists.ipfire.org
* [PATCH] prevent kernel address space leak via dmesg or /proc files
@ 2019-01-03 17:05 Peter Müller
  2019-01-03 18:08 ` Michael Tremer
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Müller @ 2019-01-03 17:05 UTC (permalink / raw)
  To: development


Enable runtime sysctl hardening in order to avoid kernel
addresses being disclosed via dmesg (in case it was built
in without restrictions) or various /proc files.

See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
for further information.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 setup/setup.nm                     | 2 ++
 setup/sysctl/kernel-hardening.conf | 6 ++++++
 2 files changed, 8 insertions(+)
 create mode 100644 setup/sysctl/kernel-hardening.conf

diff --git a/setup/setup.nm b/setup/setup.nm
index 78d1a5df3..f1dd3c177 100644
--- a/setup/setup.nm
+++ b/setup/setup.nm
@@ -53,6 +53,8 @@ build
 			%{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf
 		install -m 644 %{DIR_APP}/sysctl/swappiness.conf \
 			%{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
+		install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \
+			%{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf
 	end
 end
 
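Review bot: nothing in this hunk raises the release number of the setup package, and the diffstat above lists only the two install lines plus the new conf file; since pakfire only recognises a rebuilt package when its release (or version) number increases, the release bump in setup.nm belongs in the same patch rather than being fixed up at merge time.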
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
new file mode 100644
index 000000000..6751bbef6
--- /dev/null
+++ b/setup/sysctl/kernel-hardening.conf
@@ -0,0 +1,6 @@
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1
+
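Review bot: the first comment line ("Try to keep kernel address exposures out of various /proc files") overstates what kernel.kptr_restrict = 1 does: at 1 the %pK pointers in kallsyms and friends are zeroed only for readers without CAP_SYSLOG, while 2 hides them from every reader, so the comment should say which audience is covered or the value should be 2 if root-readable addresses are also a concern. The trailing empty "+" line at the end of the file can be dropped.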
-- 
2.16.4
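
As an added example, not part of Peter's patch or the IPFire tree: a POSIX shell audit that parses a sysctl.d fragment like setup/sysctl/kernel-hardening.conf, checks the two keys against the minimum values the patch sets, and, where /proc/sys is readable, reports what the running kernel actually applies (the EXPECTED policy list and the function names are assumptions of this example).

```shell
#!/bin/sh
# Added example, not part of the IPFire patch: audit a sysctl.d fragment such as
# setup/sysctl/kernel-hardening.conf and, where /proc/sys is readable, the running kernel.

# Constructed policy for this example, key=minimum: kptr_restrict >= 1 zeroes %pK
# pointers for readers without CAP_SYSLOG, dmesg_restrict >= 1 limits dmesg to CAP_SYSLOG.
EXPECTED="kernel.kptr_restrict=1 kernel.dmesg_restrict=1"

# conf_value KEY FILE: last assignment of KEY in FILE; comments and whitespace ignored.
conf_value() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$2" |
        awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# check_conf FILE: one status line per key; returns 1 if any key is missing or too low.
check_conf() {
    rc=0
    for pair in $EXPECTED; do
        key="${pair%%=*}"; min="${pair#*=}"
        val="$(conf_value "$key" "$1")"
        if [ -z "$val" ]; then
            echo "MISSING $key (want >= $min)"; rc=1
        elif [ "$val" -lt "$min" ]; then
            echo "WEAK    $key=$val (want >= $min)"; rc=1
        else
            echo "OK      $key=$val"
        fi
    done
    return $rc
}

# check_running: compare the same policy with the effective values under /proc/sys.
check_running() {
    rc=0
    for pair in $EXPECTED; do
        key="${pair%%=*}"; min="${pair#*=}"
        node="/proc/sys/$(echo "$key" | tr . /)"
        if [ ! -r "$node" ]; then echo "SKIP    $key ($node not readable)"; continue; fi
        val="$(cat "$node")"
        if [ "$val" -lt "$min" ]; then echo "WEAK    $key=$val (want >= $min)"; rc=1
        else echo "OK      $key=$val"; fi
    done
    return $rc
}

# Usage: sh audit.sh /etc/sysctl.d/kernel-hardening.conf
if [ "$#" -gt 0 ]; then check_conf "$1"; check_running; fi
```

A WEAK line from check_running while check_conf reports OK usually means a later-sorted sysctl.d file or a runtime sysctl -w overrode the fragment.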


* Re: [PATCH] prevent kernel address space leak via dmesg or /proc files
  2019-01-03 17:05 [PATCH] prevent kernel address space leak via dmesg or /proc files Peter Müller
@ 2019-01-03 18:08 ` Michael Tremer
  2019-01-07 17:04   ` Peter Müller
  0 siblings, 1 reply; 4+ messages in thread
From: Michael Tremer @ 2019-01-03 18:08 UTC (permalink / raw)
  To: development


Hello,

I merged this and edited the release number of the setup package.

For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you.

Why did we say again this should live in the setup package and not the kernel?

-Michael


* Re: [PATCH] prevent kernel address space leak via dmesg or /proc files
  2019-01-03 18:08 ` Michael Tremer
@ 2019-01-07 17:04   ` Peter Müller
  2019-01-07 17:21     ` Michael Tremer
  0 siblings, 1 reply; 4+ messages in thread
From: Peter Müller @ 2019-01-07 17:04 UTC (permalink / raw)
  To: development


Hello Michael,


> Hello,
> 
> I merged this and edited the release number of the setup package.
thank you - I am not very sure with handling the release numbers.
Glad you fixed this for me. :-)
> 
> For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you.
> 
> Why did we say again this should live in the setup package and not the kernel?
As far as I can recall, we did not. However, this patch contains
sysctl parameters, so I guess it makes sense to include them in
the sysctl package. Kernel flags, for example, will be patched in
the kernel package.

Thanks, and best regards,
Peter Müller
> 
> -Michael
> -- 
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made.  Fix Information: Run your DNS
service on a different platform.
		-- bugtraq


* Re: [PATCH] prevent kernel address space leak via dmesg or /proc files
  2019-01-07 17:04   ` Peter Müller
@ 2019-01-07 17:21     ` Michael Tremer
  0 siblings, 0 replies; 4+ messages in thread
From: Michael Tremer @ 2019-01-07 17:21 UTC (permalink / raw)
  To: development




> On 7 Jan 2019, at 17:04, Peter Müller <peter.mueller(a)link38.eu> wrote:
> 
> Hello Michael,
> 
> 
>> Hello,
>> 
>> I merged this and edited the release number of the setup package.
> thank you - I am not very sure with handling the release numbers.
> Glad you fixed this for me. :-)
>> 
>> For pakfire to recognise changes, the release number (or version number) has to be increased. Since this package does not follow an upstream one, it would have been only the release. I did that for you.
>> 
>> Why did we say again this should live in the setup package and not the kernel?
> As far as I can recall, we did not. However, this patch contains
> sysctl parameters, so I guess it makes sens to include them in
> the sysctl package. Kernel flags, for example, will be patched in
> the kernel package.

To be honest, I do not have a better place where this could live.

However, these flags are closely tied to the kernel, so the kernel package would make sense. However, multiple of those can be installed at the same time and loading incompatible settings might happen.

We will leave this for now until we have a better idea.

Best,
-Michael

