Re: Request For Insights On Kernel Security Hardening Practices In Fedora

Hi,

Thank you very much for your detailed response. We sincerely apologize
for the confusion; the data we presented was based on the results from
June 2024, with the specific kernel version indicated at the time. There
is indeed a discrepancy with the latest data. Our intention is not to
highlight or downplay any particular distribution, but rather to
illustrate, to some extent, the impact of kernel security hardening in
real-world scenarios.

The CONFIG_INIT_ON_ALLOC_DEFAULT_ON and CONFIG_RANDOM_KMALLOC_CACHES
were merged upstream through commit IDs
6471384af2a6530696fc0203bafe4de41a23c9ef and
3c6152940584290668b35fa0800026f6a1ae05fe, respectively. These changes
were introduced at least 11 months prior to June of this year.

Interestingly, the Fedora 40 desktop kernel version
(6.8.5-301.fc40.x86_64) has not enabled these security hardenings, even
though they are included in the latest Fedora version. Could you help
clarify the reasoning behind the decision to enable these two security
hardenings?

Additionally, there seems to be a delay between the upstream
introduction of these security hardenings and their actual
deployment—what factors might be contributing to this delay?

In addition, we also investigated historical versions of Fedora, with
relevant data available at the following link:
https://docs.google.com/spreadsheets/d/1Q2im5w6wwJmzF6TD1OrXMKA3erRpAN-BWVeXtp5i4TY/edit?usp=sharing

From the results, it appears that the security hardening deployment for
the desktop and server editions are almost identical, except for
unprivileged_userfaultfd. Can we conclude that Fedora does not take
different application scenarios into account when enabling its security
hardenings?

On 2024/12/14 3:13, Jeremy Linton wrote:
> Hi,
> 
> I think its worthwhile to note that the spreadsheet is AFAIK out of date
> because I checked for example: CONFIG_INIT_ON_ALLOC_DEFAULT_ON and
> CONFIG_RANDOM_KMALLOC_CACHES running an updated F40 and both are enabled.
> 
> 
> So, I'm guessing no one ran 'dnf update' before recording the results,
> or they are 6+ months old and should probably be updated. That can be
> done either with 'dnf update' or by installing/upgrading to F41.
> 
> And speaking as a community member I think 1.1 is pretty easy to answer
> "yes".
> 
> 
> Along the same vein I think reading the discussions around frame
> pointers over the past year can provide an idea about how the fedora
> community tries to find balance when determining performance/features/
> security/etc tradeoffs.
> 


-- 
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
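A check script for verifying the state of the options discussed in this thread on a running kernel, added here and not part of the list discussion: it reads the kernel config (/boot/config-$(uname -r), else /proc/config.gz), reports CONFIG_INIT_ON_ALLOC_DEFAULT_ON and CONFIG_RANDOM_KMALLOC_CACHES plus the vm.unprivileged_userfaultfd sysctl, and parses the init_on_alloc= command-line override, since a build-time default can be switched off at boot. The config fragment and command line inside the block are constructed samples, not data from the spreadsheet.

```shell
#!/bin/sh
# Constructed sample config fragment (illustration only, not a real Fedora config).
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# CONFIG_RANDOM_KMALLOC_CACHES is not set
CONFIG_INIT_ON_FREE_DEFAULT_ON=y
EOF

# Print "enabled", "disabled" or "absent" for one CONFIG_ bool symbol in a config file.
config_state() {
  file="$1"; sym="$2"
  if grep -q "^${sym}=y$" "$file"; then echo enabled
  elif grep -q "^# ${sym} is not set$" "$file"; then echo disabled
  else echo absent
  fi
}

# init_on_alloc=0/1 on the kernel command line overrides the built-in default.
# $1: command-line text; prints the last init_on_alloc= value, or "default".
cmdline_init_on_alloc() {
  v="$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^init_on_alloc=//p' | tail -n 1)"
  [ -n "$v" ] && echo "$v" || echo default
}

# Emit the running kernel's config text, or fail if neither source is readable.
running_kernel_config() {
  rel="$(uname -r)"
  if [ -r "/boot/config-$rel" ]; then cat "/boot/config-$rel"
  elif [ -r /proc/config.gz ]; then zcat /proc/config.gz
  else return 1
  fi
}

# Report the two build options, the boot-time override, and the userfaultfd sysctl.
report() {
  file="$1"
  for sym in CONFIG_INIT_ON_ALLOC_DEFAULT_ON CONFIG_RANDOM_KMALLOC_CACHES; do
    printf '%s: %s\n' "$sym" "$(config_state "$file" "$sym")"
  done
  [ -r /proc/cmdline ] && printf 'init_on_alloc cmdline: %s\n' "$(cmdline_init_on_alloc "$(cat /proc/cmdline)")"
  [ -r /proc/sys/vm/unprivileged_userfaultfd ] && \
    printf 'vm.unprivileged_userfaultfd: %s\n' "$(cat /proc/sys/vm/unprivileged_userfaultfd)"
  return 0
}

# Run against the live kernel when its config is available, else the constructed sample.
if cfg="$(running_kernel_config 2>/dev/null)"; then
  LIVE="$(mktemp)"; printf '%s\n' "$cfg" > "$LIVE"; report "$LIVE"
else
  report "$SAMPLE_CONFIG"
fi
```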