Re: Fedora 37: Add kernel parameters that help prevent local exploits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello,

On Wednesday, May 18, 2022 11:15:16 PM EDT Hellosway Here via devel wrote:
> Add `slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1
> pti=on randomize_kstack_offset=on vsyscall=none ` as default kernel
> command line arguments. This can help prevent local exploits by making it
> harder to exploit the kernel. I do not think there will be any breakage, I
> have been using these for a long time. The performance impact is minimal,
> a few of these can improve performance.

I spent quite some time studying these to make some recommendations for the 
RHEL 9 SCAP Security Guide. The init_on_free is not cacheline friendly. It 
will impact performance. But I have to ask, since the SCAP Security Guide + 
openscap can manage the kernel settings, do we need to turn them on by 
default? And wouldn't you want to have certain sysctls also set? For example, 
you might want to turn off user name spaces.

The problem is that there really isn't a one size fits all. Turning off user 
namespaces will make some people unhappy. Turning off vsyscalls will make 
some people unhappy. Because these all are configurable, should this be part 
of an overall security hardening plan? And managed by a tool that can check 
that everything is still how you think it should be? And maybe with a GUI 
tool that let's you tailor the policy to your needs?

Best Regards,
-Steve

> This can help increase the security of Fedora, while also not causing any
> other problems. Many users do not know what kernel command line arguments
> are, so doing this will help them with the security of their system. This
> does not address every problem, or even most of them, but every little bit
> matters.



_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux