linux kernel hardening


Patrick Schleizer

Jun 3, 2016, 5:43:04 PM
to qubes...@googlegroups.com
Would any of the following make sense in the context of Qubes?

slab_nomerge
slub_debug=FZ
vsyscall=none
mce=0
oops=panic

https://labs.riseup.net/code/issues/11143

Remove kernel .map files

https://labs.riseup.net/code/issues/10951

RELATED,ESTABLISHED -> ESTABLISHED

https://github.com/QubesOS/qubes-issues/issues/1762

Compile qubes-linux-kernel with CONFIG_HOTPLUG_PCI disabled?

https://github.com/QubesOS/qubes-issues/issues/1673

Cheers,
Patrick
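A small POSIX shell audit, added here as an example and not part of the thread or of Qubes, that checks a kernel command line for the five boot options listed above. The sample command line is constructed; on a live system pass the contents of /proc/cmdline instead.

```shell
#!/bin/sh
# Audit a Linux kernel command line for the hardening options named in the
# thread. Added example: not Qubes code and not from the thread's authors.

# has_param CMDLINE TOKEN -> succeeds when TOKEN appears as a whole
# command-line token (exact match, not a substring match).
has_param() {
    for tok in $1; do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# param_value CMDLINE NAME -> prints the value of NAME=value, fails if absent.
param_value() {
    for tok in $1; do
        case $tok in
            "$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# audit_cmdline CMDLINE -> prints one status line per option and returns the
# number of options that are absent (0 means everything is set).
audit_cmdline() {
    missing=0
    for want in slab_nomerge slub_debug=FZ vsyscall=none mce=0 oops=panic; do
        if has_param "$1" "$want"; then
            printf '%-14s present\n' "$want"
        else
            printf '%-14s absent\n' "$want"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: a dom0-like command line carrying slab_nomerge and the
# two options the thread ends up accepting (vsyscall=none, mce=0).
SAMPLE_CMDLINE="root=/dev/mapper/qubes_dom0-root ro slab_nomerge vsyscall=none mce=0 rhgb quiet"

audit_cmdline "$SAMPLE_CMDLINE" || echo "missing options: $?"
# On a live system: audit_cmdline "$(cat /proc/cmdline)"
```

Matching whole tokens matters: a parameter such as slub_debug takes a flag string, so checking for the exact token slub_debug=FZ tells you whether the specific debug options are on rather than merely whether slub_debug appears somewhere.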

Marek Marczykowski-Górecki

Jun 4, 2016, 6:37:04 PM
to Patrick Schleizer, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, Jun 03, 2016 at 09:43:00PM +0000, Patrick Schleizer wrote:
> Would any of the following make sense in the context of Qubes?
>
> slab_nomerge

We already have a lot of problems with fragmented memory (resulting in
unreliable restart of sys-net for example). Disabling slab merge may
result in even more fragmentation.

> slub_debug=FZ

I'm not comfortable with enabling debugging features in a production
kernel. While in theory (as described in that ticket) it may be a good idea,
it may also have some side effects.

> vsyscall=none
> mce=0

Ok.
https://github.com/QubesOS/qubes-issues/issues/2045

> oops=panic

For the same reason as in the Tails case, it is a bad idea.
It looks like security by obscurity. Also, in the Qubes case we care much less
about local kernel exploits (user->root, user->kernel) than in the Tails
case.

> RELATED,ESTABLISHED -> ESTABLISHED
>
> https://github.com/QubesOS/qubes-issues/issues/1762

As discussed there - better to blacklist the helper modules, so as not to break
ICMP, for example.

> Compile qubes-linux-kernel with CONFIG_HOTPLUG_PCI disabled?
>
> https://github.com/QubesOS/qubes-issues/issues/1673

Responded there - not a good idea as distribution-wide default.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXU1gJAAoJENuP0xzK19cs7uIH/jR5uRbum6CMNVucqizCUjxJ
mkKsF23xIP3f50a50f1DXCqEZJkj5pljcHJjbA1CFrICx6AAK7Igk8tDLWEI/bC9
lZ6DjCb4uTBjyQv4es2tzSX3Ngt5whaH86StSm+bBvUlbPM6yKg9quEPZNRRtOXb
SEcg6cFAeWE6ASWbv07n+KpR8v7z+fMwf0ynwn1bVFZ2cEf/xDo6rh6KNaOld8BY
C+eFIED72+5v8MbbsFcZDXDKTWvZx5WxGgLgxs8hEcnLrYQ8BcgJhBnGPEHv0+x3
e+1ZVYOinwyuB0qULX7knF3QZZFg7Ao4nZirQucT20m/Br/WUEcK67EO6PjDvLw=
=GqJT
-----END PGP SIGNATURE-----
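The helper-module blacklist Marek suggests as the alternative to dropping RELATED, worked through as an added example (not Qubes code and not from either author). The module list is the set of conntrack helpers in mainline Linux and the lsmod output is constructed; the function names gen_modprobe_conf and loaded_helpers are this example's own.

```shell
#!/bin/sh
# Block netfilter connection-tracking helper modules instead of dropping
# RELATED from the firewall rule. Added example: not Qubes code and not from
# the thread's authors.

# Helper modules in mainline Linux. Assumption: you want all of them blocked;
# trim the list if a VM legitimately needs one (e.g. active-mode FTP).
CONNTRACK_HELPERS="nf_conntrack_ftp nf_conntrack_irc nf_conntrack_sip \
nf_conntrack_h323 nf_conntrack_tftp nf_conntrack_pptp nf_conntrack_amanda \
nf_conntrack_snmp nf_conntrack_sane nf_conntrack_netbios_ns nf_conntrack_broadcast"

# gen_modprobe_conf -> prints a modprobe.d(5) fragment. "install ... /bin/false"
# makes every load attempt fail, whereas a bare "blacklist" line only stops
# alias-based autoloading and is bypassed by an explicit modprobe.
gen_modprobe_conf() {
    echo "# generated: refuse to load conntrack helpers"
    for h in $CONNTRACK_HELPERS; do
        printf 'install %s /bin/false\n' "$h"
    done
}

# loaded_helpers LSMOD_TEXT -> prints the helper modules present in lsmod(8)
# output, one per line, so they can be unloaded once the config is in place.
loaded_helpers() {
    printf '%s\n' "$1" | while read -r name rest; do
        for h in $CONNTRACK_HELPERS; do
            if [ "$name" = "$h" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
}

# Constructed sample lsmod output: the FTP helper is loaded; the core
# nf_conntrack module is not a helper and must stay.
SAMPLE_LSMOD="Module                  Size  Used by
nf_conntrack_ftp       24576  0
nf_conntrack          143360  1 nf_conntrack_ftp
xt_conntrack           16384  2"

loaded_helpers "$SAMPLE_LSMOD"
gen_modprobe_conf
# Deploy (as root): gen_modprobe_conf > /etc/modprobe.d/no-conntrack-helpers.conf
# then rmmod each module that loaded_helpers reports, or reboot.
```

ICMP error messages for an existing flow are classified RELATED by the core nf_conntrack module without any helper, so keeping RELATED,ESTABLISHED in the rule while refusing the helper modules preserves ICMP and closes only the dynamic pinholes (FTP data channels, SIP media and the like) that helpers would otherwise open.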