No commits in common. "b3ab0ddccce90402a0332532df15d3433f7aaa50" and "6176be7054c00bc90e65304066f07f80143ac580" have entirely different histories.
b3ab0ddccc
...
6176be7054
@ -11,11 +11,6 @@
|
|||||||
### Trimming Efforts
|
### Trimming Efforts
|
||||||
- While linux-hardened security patchsets along with kernel configurations are notable for this kernel project, the purpose was to practice minimalism by reducing the size of the linux kernel, thereby cutting attack surface. This is not a trivial thing to record, therefore we are displaying the size purely as a point of comparison.
|
- While linux-hardened security patchsets along with kernel configurations are notable for this kernel project, the purpose was to practice minimalism by reducing the size of the linux kernel, thereby cutting attack surface. This is not a trivial thing to record, therefore we are displaying the size purely as a point of comparison.
|
||||||
|
|
||||||
|Plague |
|
|
||||||
|--- | --- |
|
|
||||||
|Size (/lib/modules/)|47.0 MB |
|
|
||||||
|Size (vmlinuz)|8.1 MB|
|
|
||||||
|
|
||||||
|
|
||||||
### Current kconfig-hardened-check results
|
### Current kconfig-hardened-check results
|
||||||
#### Successes
|
#### Successes
|
||||||
@ -190,7 +185,6 @@ CONFIG_TRIM_UNUSED_KSYMS | y | my |cut_attack_surf
|
|||||||
CONFIG_MODULE_FORCE_LOAD | is not set | my |cut_attack_surface| OK
|
CONFIG_MODULE_FORCE_LOAD | is not set | my |cut_attack_surface| OK
|
||||||
CONFIG_COREDUMP | is not set | clipos | harden_userspace | OK
|
CONFIG_COREDUMP | is not set | clipos | harden_userspace | OK
|
||||||
CONFIG_ARCH_MMAP_RND_BITS | 32 | my | harden_userspace | OK
|
CONFIG_ARCH_MMAP_RND_BITS | 32 | my | harden_userspace | OK
|
||||||
CONFIG_BINFMT_MISC | is not set | kspp |cut_attack_surface| OK
|
|
||||||
|
|
||||||
#### Fails
|
#### Fails
|
||||||
Option | Desired Value | Source | Reason | Result |
|
Option | Desired Value | Source | Reason | Result |
|
||||||
@ -216,6 +210,7 @@ CONFIG_CFI_CLANG | y | kspp | self_protectio
|
|||||||
CONFIG_CFI_PERMISSIVE | is not set | kspp | self_protection | FAIL: CONFIG_CFI_CLANG is not "y"
|
CONFIG_CFI_PERMISSIVE | is not set | kspp | self_protection | FAIL: CONFIG_CFI_CLANG is not "y"
|
||||||
CONFIG_SECURITY_SELINUX_BOOTPARAM | is not set | kspp | security_policy | FAIL: "y"
|
CONFIG_SECURITY_SELINUX_BOOTPARAM | is not set | kspp | security_policy | FAIL: "y"
|
||||||
CONFIG_SECURITY_SELINUX_DEVELOP | is not set | kspp | security_policy | FAIL: "y"
|
CONFIG_SECURITY_SELINUX_DEVELOP | is not set | kspp | security_policy | FAIL: "y"
|
||||||
|
CONFIG_BINFMT_MISC | is not set | kspp |cut_attack_surface| FAIL: "m"
|
||||||
CONFIG_MODULES | is not set | kspp |cut_attack_surface| FAIL: "y"
|
CONFIG_MODULES | is not set | kspp |cut_attack_surface| FAIL: "y"
|
||||||
CONFIG_FAIL_FUTEX | is not set | grsec |cut_attack_surface| OK: is not found
|
CONFIG_FAIL_FUTEX | is not set | grsec |cut_attack_surface| OK: is not found
|
||||||
CONFIG_KCMP | is not set | grsec |cut_attack_surface| FAIL: "y"
|
CONFIG_KCMP | is not set | grsec |cut_attack_surface| FAIL: "y"
|
||||||
@ -225,5 +220,5 @@ CONFIG_USER_NS | is not set | clipos |cut_attack_surf
|
|||||||
CONFIG_BPF_SYSCALL | is not set | lockdown |cut_attack_surface| FAIL: "y"
|
CONFIG_BPF_SYSCALL | is not set | lockdown |cut_attack_surface| FAIL: "y"
|
||||||
|
|
||||||
```
|
```
|
||||||
[+] Config check is finished: 'OK' - 169 / 'FAIL' - 27
|
[+] Config check is finished: 'OK' - 168 / 'FAIL' - 28
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ sudo dnf install binutils /usr/include/{libelf.h,openssl/pkcs7.h} \
|
|||||||
|
|
||||||
# Staging w/ error handling
|
# Staging w/ error handling
|
||||||
if [[ ! -f /usr/src/"$KVER".tar.gz ]]; then
|
if [[ ! -f /usr/src/"$KVER".tar.gz ]]; then
|
||||||
/usr/bin/curl --verbose --tlsv1.3 --proto =https -L -O --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/"$KVER".tar.gz"
|
/usr/bin/curl --verbose --tlsv1.3 --proto =https -L -O --url "https://github.com/anthraxx/linux-hardened/archive/refs/tags/$KVER.tar.gz"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ! -d /usr/src/linux-hardened-"$KVER" ]]; then
|
if [[ ! -d /usr/src/linux-hardened-"$KVER" ]]; then
|
||||||
@ -19,7 +19,7 @@ if [[ ! -d /usr/src/linux-hardened-"$KVER" ]]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
cd /usr/src/linux-hardened-"$KVER"
|
cd /usr/src/linux-hardened-"$KVER"
|
||||||
wget https://0xacab.org/optout/plague-kernel/-/raw/main/"$KVER".config -O .config
|
wget https://0xacab.org/optout/plague-kernel/-/raw/main/6.6.13-hardened.config -O .config
|
||||||
|
|
||||||
|
|
||||||
# Compilation
|
# Compilation
|
||||||
@ -33,9 +33,10 @@ make -j $(nproc --all)
|
|||||||
# Installing kernel
|
# Installing kernel
|
||||||
## Ensure /boot is rw
|
## Ensure /boot is rw
|
||||||
mount -o remount,rw /boot
|
mount -o remount,rw /boot
|
||||||
make -j $(nproc --all)
|
command -v installkernel && sudo make modules_install install
|
||||||
command -v installkernel && make modules_install INSTALL_MOD_STRIP=1 install
|
|
||||||
|
|
||||||
# remove sysmap/signing keys
|
# remove sysmap/signing keys
|
||||||
rm /lib/modules/"$KVER"_1/source/certs/signing_key*
|
rm /lib/modules/"$KVER"_1/source/certs/signing_key*
|
||||||
rm /lib/modules/"$KVER"_1/source/System.map
|
rm /lib/modules/"$KVER"_1/source/System.map
|
||||||
|
rm /lib/modules/"$KVER"_1/source
|
||||||
|
rm /lib/modules/"$KVER"_1/build
|
||||||
|
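Review bot: In the `@ -33,9 +33,10` hunk, `command -v installkernel && sudo make modules_install install` silently skips the whole install when `installkernel` is missing, because a failing left side of `&&` does not abort the script even under `set -e`, and the `rm /lib/modules/"$KVER"_1/source` and `.../build` lines that follow then run against a kernel that was never installed. Make the precondition explicit instead: `command -v installkernel >/dev/null || { echo 'installkernel not found' >&2; exit 1; }` followed by `sudo make modules_install install` (the same line also drops `INSTALL_MOD_STRIP=1` relative to the other side of the compare; if that is deliberate a comment saying why would help). In the `@ -19,7 +19,7` hunk the wget line pins `6.6.13-hardened.config` while every other path in the script is derived from `$KVER`, so building any other version silently uses a stale config; `"$KVER".config` keeps the two in step. In the `@ -11,7 +11,7` hunk the tarball fetched by curl is extracted and built without any checksum or signature verification; a `sha256sum -c` against a pinned digest before the extract step would close that gap. The script continues outside these hunks, so I cannot see whether `set -e` or `KVER` validation is in effect.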