Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-23 08:51:03 -05:00
Code Issues Packages Projects Releases Wiki Activity

More kernel hardening

Browse Source
This commit is contained in:
madaidan 2019-12-18 20:43:01 +00:00 committed by Patrick Schleizer
parent 11b4192fbd
commit 535c258b83
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 32 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
etc/default/grub.d/40_kernel_hardening.cfg
View File

@ -1,18 +1,29 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
kver="$(uname -r)"
## Disables the merging of slabs of similar sizes.
## Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
## Enables sanity checks (F), redzoning (Z) and poisoning (P).
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP"
## Enables sanity checks (F) and redzoning (Z).
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
true "skip adding page_poison=1 in Qubes"
## Zero memory at allocation and free time.
if dpkg --compare-versions "${kver}" ge "5.3"; then
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1"
else
## Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
## SLUB poisoning and page poisoning is used if the kernel
## does not yet support init_on_{,alloc,free}.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=P"
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
true "skip adding page_poison=1 in Qubes"
else
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
fi
fi
## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
@ -24,3 +35,16 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
## Enables all mitigations for the MDS vulnerability.
## Disables smt which can be used to exploit the MDS vulnerability.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
## Enables page allocator freelist randomization.
if dpkg --compare-versions "${kver}" ge "5.2"; then
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
fi
## Enables kernel lockdown.
if dpkg --compare-versions "${kver}" ge "5.4"; then
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
fi