From 498551536c71f1c1ac33f3c1992e18c9277e6618 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Wed, 6 Aug 2025 03:12:06 +0000
Subject: [PATCH] Update docs

---
 README.md | 6 ++----
 etc/default/grub.d/40_kernel_hardening.cfg | 3 ---
 etc/modprobe.d/30_security-misc_blacklist.conf | 2 +-
 usr/lib/sysctl.d/990-security-misc.conf | 9 ++------
 4 files changed, 5 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index ac12886..e853332 100644
--- a/README.md
+++ b/README.md
@@ -52,8 +52,7 @@ configuration file and significant hardening is applied to a myriad of component
 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 
-- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
-  the source of numerous kernel exploits.
+- Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits.
 
 #### User space
 
@@ -225,8 +224,7 @@ Kernel space:
   since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory.
 
-- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
-  to reduce attack surface.
+- Optional - Disable support for all x86 processes and syscalls to reduce attack surface.
 
 - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends.
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 671c28b..1f3cc7c 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -218,9 +218,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## KSPP=yes
 ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
 ##
-## TODO: Debian 13 Trixie
-## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
-##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 
 ## Disable EFI persistent storage feature.
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index 5ce1edc..936e26a 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -27,7 +27,7 @@ blacklist sr_mod
 ## Partial selection of their infrastructure blacklist.
 ## Duplicate and already disabled modules have been omitted.
 ##
-## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf
+## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf
 ##
 #blacklist cfg80211
 #blacklist intel_agp
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index eaa671e..23dc6ef 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -197,19 +197,17 @@ kernel.perf_event_paranoid=3
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
 ## Will break out-dated screen readers that continue to rely on this legacy functionality.
+## Note this was already disabled by default as of Linux kernel 6.2.
 ##
 ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
 ##
 ## KSPP=yes
 ## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
 ##
-## TODO: Debian 13 Trixie
-## This is disabled by default when using Linux kernel >= 6.2.
-##
 dev.tty.legacy_tiocsti=0
 
 ## Disable asynchronous I/O for all processes.
-## Leading cause of numerous kernel exploits.
+## Use of io_uring has been the leading cause of numerous kernel exploits.
 ## Disabling will reduce the read/write performance of storage devices.
 ##
 ## https://en.wikipedia.org/wiki/Io_uring#Security
@@ -218,9 +216,6 @@ dev.tty.legacy_tiocsti=0
 ## https://github.com/moby/moby/pull/46762
 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
 ##
-## TODO: Debian 13 Trixie
-## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
-##
 kernel.io_uring_disabled=2
 
 ## 2. User Space:
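Review bot: The added line `+## Note this was already disabled by default as of Linux kernel 6.2.` in the first sysctl hunk states a kernel-wide default that, as far as I recall, does not hold: 6.2 introduced the CONFIG_LEGACY_TIOCSTI option (default y, preserving the old behaviour) and the dev.tty.legacy_tiocsti sysctl that inherits that Kconfig value, so TIOCSTI stays enabled unless the distribution kernel is built with CONFIG_LEGACY_TIOCSTI=n. That reading is consistent with the retained line `## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.`, which only makes sense if the build option decides the default. Since this hunk also removes the Trixie-specific TODO that carried the same claim, the distro dependence should be stated rather than silently generalized; suggest `## Note: the sysctl exists as of Linux kernel 6.2 and defaults to CONFIG_LEGACY_TIOCSTI, so it is only off by default on kernels built with that option disabled.` Setting `dev.tty.legacy_tiocsti=0` explicitly below remains correct either way, and the comment should make clear that it is the explicit setting, not the kernel version, that guarantees the protection.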