| Field | Value |
|---|---|
| Summary | sys-kernel/gentoo-sources: improve the default level of security/hardening |
| Product | Gentoo Linux |
| Component | Current packages |
| Status | RESOLVED FIXED |
| Severity | enhancement |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Kernel Bug Wranglers and Kernel Maintainers <kernel> |
| CC | alexander, axiator, bdouxx-gentoo, bertrand, graysonchsi, gyakovlev, hardened, sam, tb |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description

Agostino Sarubbo, 2019-07-02 13:31:51 UTC

Comment 1

I was discussing this in the pentoo IRC channel recently, and there is a patch we could deploy via a 'hardened' USE flag potentially at https://patchwork.kernel.org/patch/10593391/ . This takes the ideas from the link @ago mentions, and those from https://github.com/a13xp0p0v/kconfig-hardened-check . I'm hoping we might be able to deploy this configuration with the lowest 'severity' levels on the Gentoo kernel-CI system to evaluate how well they integrate with Gentoo configs & patchsets.

Comment 2, Mike Pagano

Instead of a useflag, how about CONFIG_GENTOO_LINUX_KSPP or some other name in 4567_distro-Gentoo-Kconfig.patch ?

Then we can decide if it's part of CONFIG_GENTOO_LINUX or not

Thoughts?

Comment 3

(In reply to Mike Pagano from comment #2)
> Instead of a useflag, how about CONFIG_GENTOO_LINUX_KSPP or some other name
> in 4567_distro-Gentoo-Kconfig.patch ?
>
> Then we can decide if it's part of CONFIG_GENTOO_LINUX or not
>
> Thoughts?

Sounds like a good idea to me :]

Comment 4

(In reply to Mike Pagano from comment #2)
> Instead of a useflag, how about CONFIG_GENTOO_LINUX_KSPP or some other name
> in 4567_distro-Gentoo-Kconfig.patch ?

++

Comment 5

Ok, select when CONFIG_GENTOO selected or make the user select it themselves. I'm leaning to the latter.

Comment 6

I think we leave it as a user-enabled option, which 'unlocks' the other features. It would be good, I think, to write a short news item/PR thinger to alert users to the new 'feature' and let people work from there. It should limit the tidal wave of new bugs (?!) :]

Comment 7

Would be good with a wiki page too.

Comment 8, Mike Pagano

We are starting to collaborate on this and I expect something to be out soon.

This will take some trial and error to make sure specific config options to bring systems to a crawl.

We also won't be 100 percent in line with KSPP upstream, e.g. CONFIG_MODULES=n

https://github.com/mpagano/linux-patches/blob/main/4567_distro-Gentoo-Kconfig.patch

Comment 9

(In reply to Mike Pagano from comment #8)
>
> This will take some trial and error to make sure specific config options to
> bring systems to a crawl.
>

This will take some trial and error to make sure specific config options *don't* bring systems to a crawl.

Comment 10

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9dbaac00ce68b86e2a63a173fd9cb19171046961

commit 9dbaac00ce68b86e2a63a173fd9cb19171046961
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-06-04 21:17:49 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-06-08 08:34:51 +0000

    sys-kernel/gentoo-kernel: add hardened useflag/config

    Bug: https://bugs.gentoo.org/689154
    Closes: https://github.com/gentoo/gentoo/pull/21124
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 sys-kernel/gentoo-kernel/Manifest                  |  1 +
 .../gentoo-kernel/gentoo-kernel-5.10.42.ebuild     | 25 +++++++++++++++++-----
 .../gentoo-kernel/gentoo-kernel-5.12.9.ebuild      | 25 +++++++++++++++++-----
 sys-kernel/gentoo-kernel/metadata.xml              |  1 +
 4 files changed, 42 insertions(+), 10 deletions(-)

Comment 11

I've pushed this for dist-kernels. Hardened files can be seen there: https://github.com/mgorny/gentoo-kernel-config

Let's see how it works out; performance impact is not that great tbh. Will be much nicer ofc if it becomes a knob in genpatches.

I'll update this bug if any issues will be discovered.

Comment 12

I'm going to close this as we support Kernel Self Protection settings now in our kernels.
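Comment 1 points at kconfig-hardened-check, and comment 8 notes that Gentoo will deliberately diverge from KSPP on some settings such as CONFIG_MODULES=n. The block below is an added example in that spirit; it is not code from this bug, from genpatches, from the dist-kernel config repo or from kconfig-hardened-check. It parses a kernel .config (both `CONFIG_X=y` and `# CONFIG_X is not set` lines), compares it against an illustrative subset of KSPP recommendations, and reports distro-waived divergences separately from real failures, so a maintainer can see at a glance which gaps are intentional. The RECOMMENDED table, the DISTRO_EXCEPTIONS set and the SAMPLE_CONFIG text are assumptions constructed for the example, not the full KSPP list or a real Gentoo config.

```python
"""Check a kernel .config against a small KSPP-style hardening table.

Added example; the recommendation table is a constructed subset of the
KSPP recommended settings, not the authoritative list.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

# Option -> value KSPP recommends. "n" means the option must be off, which in
# a .config appears as "# CONFIG_X is not set" or not at all.
RECOMMENDED: Dict[str, str] = {
    "CONFIG_STACKPROTECTOR_STRONG": "y",
    "CONFIG_STRICT_KERNEL_RWX": "y",
    "CONFIG_RANDOMIZE_BASE": "y",
    "CONFIG_HARDENED_USERCOPY": "y",
    "CONFIG_FORTIFY_SOURCE": "y",
    "CONFIG_SLAB_FREELIST_RANDOMIZE": "y",
    "CONFIG_INIT_ON_ALLOC_DEFAULT_ON": "y",
    "CONFIG_DEVMEM": "n",
    "CONFIG_MODULES": "n",
}

# Options where the distro knowingly diverges from KSPP (the thread mentions
# CONFIG_MODULES=n as one such case). Reported, but not counted as failures.
DISTRO_EXCEPTIONS: Set[str] = {"CONFIG_MODULES"}

# Constructed sample .config for the example; not a real Gentoo config.
SAMPLE_CONFIG = """\
# Constructed sample, not a real .config
CONFIG_MODULES=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_STRICT_KERNEL_RWX=y
# CONFIG_RANDOMIZE_BASE is not set
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SLAB_FREELIST_RANDOMIZE=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set
CONFIG_DEVMEM=y
CONFIG_CMDLINE="quiet"
"""

_SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

Finding = Tuple[str, str, str]  # (option, wanted, actual)


def parse_config(text: str) -> Dict[str, str]:
    """Map CONFIG_* names to their value; 'is not set' lines become 'n'."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def check_config(cfg: Dict[str, str],
                 recommended: Dict[str, str] = RECOMMENDED,
                 exceptions: Set[str] = DISTRO_EXCEPTIONS
                 ) -> Tuple[List[Finding], List[Finding]]:
    """Return (failures, waived). A bool option absent from .config is 'n'."""
    failures: List[Finding] = []
    waived: List[Finding] = []
    for opt, want in recommended.items():
        actual = cfg.get(opt, "n")
        if actual == want:
            continue
        finding = (opt, want, actual)
        (waived if opt in exceptions else failures).append(finding)
    return failures, waived


def format_report(failures: List[Finding], waived: List[Finding]) -> List[str]:
    """One line per finding, failures first, then distro-waived divergences."""
    lines = [f"FAIL  {o}: want {w}, have {a}" for o, w, a in failures]
    lines += [f"WAIVE {o}: want {w}, have {a} (distro exception)"
              for o, w, a in waived]
    lines.append(f"{len(failures)} failure(s), {len(waived)} waived")
    return lines


if __name__ == "__main__":
    # Usage: python kspp_check.py [/path/to/.config]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    fails, waive = check_config(parse_config(text))
    print("\n".join(format_report(fails, waive)))
    sys.exit(1 if fails else 0)
```

The checker exits non-zero only on unwaived failures, so it can gate a kernel-CI job the way comment 1 suggests while still showing the CONFIG_MODULES divergence in the output. Treating an absent option as "n" mirrors how Kconfig itself behaves for bool options; a real tool would also need to account for options that do not exist on the kernel version under test.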