
Bug 689154

Summary: sys-kernel/gentoo-sources: improve the default level of security/hardening
Product: Gentoo Linux
Reporter: Agostino Sarubbo <ago>
Component: Current packages
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers <kernel>
Status: RESOLVED FIXED    
Severity: enhancement CC: alexander, axiator, bdouxx-gentoo, bertrand, graysonchsi, gyakovlev, hardened, sam, tb
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2019-07-02 13:31:51 UTC
Hello Kernel team,

I'm wondering if we can get ideas from this and then apply in our default configuration:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

Thanks
Comment 1 Michael 'veremitz' Everitt 2019-07-02 13:52:29 UTC
I was discussing this in the pentoo IRC channel recently, and there is a patch we could deploy via a 'hardened' USE flag potentially at https://patchwork.kernel.org/patch/10593391/ .

This takes the ideas from the link @ago mentions, and those from https://github.com/a13xp0p0v/kconfig-hardened-check .

I'm hoping we might be able to deploy this configuration with the lowest 'severity' levels on the Gentoo kernel-CI system to evaluate how well they integrate with Gentoo configs & patchsets.
Comment 2 Mike Pagano gentoo-dev 2019-07-03 13:19:08 UTC
Instead of a useflag, how about CONFIG_GENTOO_LINUX_KSPP or some other name in 4567_distro-Gentoo-Kconfig.patch ?

Then we can decide if it's part of CONFIG_GENTOO_LINUX or not 

Thoughts?
Comment 3 Michael 'veremitz' Everitt 2019-07-03 13:31:47 UTC
(In reply to Mike Pagano from comment #2)
> Instead of a useflag, how about CONFIG_GENTOO_LINUX_KSPP or some other name
> in 4567_distro-Gentoo-Kconfig.patch ?
> 
> Then we can decide if it's part of CONFIG_GENTOO_LINUX or not 
> 
> Thoughts?

Sounds like a good idea to me :]
Comment 4 Agostino Sarubbo gentoo-dev 2019-07-03 14:01:04 UTC
(In reply to Mike Pagano from comment #2)
> Instead of a useflag, how about CONFIG_GENTOO_LINUX_KSPP or some other name
> in 4567_distro-Gentoo-Kconfig.patch ?

++
Comment 5 Mike Pagano gentoo-dev 2019-07-09 11:54:50 UTC
Ok, select when CONFIG_GENTOO selected or make the user select it themselves.

I'm leaning to the latter.
Comment 6 Michael 'veremitz' Everitt 2019-07-09 11:59:25 UTC
I think we leave it as a user-enabled option, which 'unlocks' the other features. 

It would be good, I think, to write a short news item/PR thinger to alert users to the new 'feature' and let people work from there. It should limit the tidal wave of new bugs (?!) :]
Comment 7 Magnus Granberg gentoo-dev 2019-07-16 11:58:28 UTC
Would be good with a wiki page too.
Comment 8 Mike Pagano gentoo-dev 2021-06-06 22:38:49 UTC
We are starting to collaborate on this and I expect something to be out soon.

This will take some trial and error to make sure specific config options to bring systems to a crawl.

We also won't be 100 percent inline with KSPP upstream.

e.g. CONFIG_MODULES=n

https://github.com/mpagano/linux-patches/blob/main/4567_distro-Gentoo-Kconfig.patch
Comment 9 Mike Pagano gentoo-dev 2021-06-06 22:39:46 UTC
(In reply to Mike Pagano from comment #8)
> 
> This will take some trial and error to make sure specific config options to
> bring systems to a crawl.
> 


This will take some trial and error to make sure specific config options *don't* bring systems to a crawl.
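As an added example (not from the bug, from genpatches or from Gentoo's Kconfig patch), the kind of check kconfig-hardened-check from comment 1 performs, reduced to a handful of KSPP recommended settings, with CONFIG_MODULES handled as a distro waiver the way comment 8 describes it. The option names are real kernel options; the waiver set and the sample .config fragment are constructed for the example.

```python
import re

# Subset of the KSPP "Recommended Settings" list linked in the bug report:
# 'y' = the option should be enabled, 'n' = it should be disabled.
KSPP_SUBSET = {
    "CONFIG_STRICT_KERNEL_RWX": "y",
    "CONFIG_RANDOMIZE_BASE": "y",
    "CONFIG_STACKPROTECTOR_STRONG": "y",
    "CONFIG_SLAB_FREELIST_RANDOM": "y",
    "CONFIG_FORTIFY_SOURCE": "y",
    "CONFIG_DEVMEM": "n",
    "CONFIG_MODULES": "n",
}
# Recommendations the distro deliberately does not follow (comment 8 gives
# CONFIG_MODULES=n as the example); reported separately instead of failing.
DISTRO_WAIVED = {"CONFIG_MODULES"}

# The two line shapes a .config uses for set and unset options.
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map option -> value; '# ... is not set' lines map to 'n'."""
    values = {}
    for line in text.splitlines():
        if m := _SET.match(line.strip()):
            values[m.group(1)] = m.group(2)
        elif m := _UNSET.match(line.strip()):
            values[m.group(1)] = "n"
    return values

def check_kspp(text, rules=KSPP_SUBSET, waived=DISTRO_WAIVED):
    """Return (failed, waived_failures), each option -> (wanted, actual)."""
    cfg = parse_config(text)
    failed, waived_fail = {}, {}
    for opt, want in rules.items():
        got = cfg.get(opt, "n")  # an option absent from .config is off
        if got != want:
            (waived_fail if opt in waived else failed)[opt] = (want, got)
    return failed, waived_fail

# Constructed sample .config fragment (not taken from any real kernel).
SAMPLE_CONFIG = """\
CONFIG_MODULES=y
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_STACKPROTECTOR_STRONG is not set
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_DEVMEM=y
"""
```

Run against a real kernel `.config` by passing its contents to `check_kspp`; the waived dictionary shows where the distro knowingly departs from KSPP.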
Comment 10 Larry the Git Cow gentoo-dev 2021-06-08 08:36:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9dbaac00ce68b86e2a63a173fd9cb19171046961

commit 9dbaac00ce68b86e2a63a173fd9cb19171046961
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-06-04 21:17:49 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-06-08 08:34:51 +0000

    sys-kernel/gentoo-kernel: add hardened useflag/config
    
    Bug: https://bugs.gentoo.org/689154
    Closes: https://github.com/gentoo/gentoo/pull/21124
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 sys-kernel/gentoo-kernel/Manifest                  |  1 +
 .../gentoo-kernel/gentoo-kernel-5.10.42.ebuild     | 25 +++++++++++++++++-----
 .../gentoo-kernel/gentoo-kernel-5.12.9.ebuild      | 25 +++++++++++++++++-----
 sys-kernel/gentoo-kernel/metadata.xml              |  1 +
 4 files changed, 42 insertions(+), 10 deletions(-)
Comment 11 Georgy Yakovlev archtester gentoo-dev 2021-06-08 08:39:17 UTC
I've pushed this for dist-kernels

hardened files can be seen there: https://github.com/mgorny/gentoo-kernel-config

let's see how it works out, performance impact is not that great tbh.

will be much nicer ofc if it becomes a knob in genpatches.
I'll update this bug if any issues are discovered.
Comment 12 Mike Pagano gentoo-dev 2021-08-21 14:52:12 UTC
I'm going to close this as we support Kernel Self Protection settings now in our kernels.