Merge remote-tracking branch 'github-kicksecure/master'

2024-10-01 08:25:45 -04:00 · 2024-08-06 09:57:56 -04:00 · 2024-08-06 09:57:56 -04:00 · 967f9e257b
commit 967f9e257b
parent fa9091869d a25aaf900a
3 changed files with 19 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -47,8 +47,7 @@ space, user space, core dumps, and swap space.

 - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.

- Provide the option to disable the use of legacy TIOCSTI operation which can be
-  used to inject keypresses.
+- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.

 - Disable asynchronous I/O as `io_uring` has been the source
  of numerous kernel exploits (when using Linux kernel version >= 6.6).
@ -121,8 +120,8 @@ configuration file.
 - Disable merging of slabs with similar size, which reduces the risk of
  triggering heap overflows and limits influencing slab cache layout.

- Provide the option to enable sanity checks and red zoning via slab debugging.
-  Enabling this feature will implicitly disable kernel pointer hashing.
+- Enable sanity checks and red zoning via slab debugging. This will implicitly
+  disable kernel pointer hashing, leaking very sensitive information to root.

 - Enable memory zeroing at both allocation and free time, which mitigates some
  use-after-free vulnerabilities by erasing sensitive information in memory.
@ -147,11 +146,10 @@ configuration file.

 - Provide the option to modify machine check exception handler.

- Provide the option to enable the kernel Electric-Fence sampling-based memory
-  safety error detector which can identify heap out-of-bounds access, use-after-free,
-  and invalid-free errors.
+- Enable the kernel Electric-Fence sampling-based memory safety error detector
+  which can identify heap out-of-bounds access, use-after-free, and invalid-free errors.

- Provide the option to disable 32 bit vDSO mappings.
+- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.

 - Provide the option to use kCFI as the default CFI implementation since it may be
  slightly more resilient to attacks that are able to write arbitrary executables
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -37,11 +37,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 ## https://www.kernel.org/doc/html/latest/mm/slub.html
 ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
 ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
-##
-## The default kernel setting will be utilized until provided sufficient evidence to modify.
 ## https://github.com/Kicksecure/security-misc/issues/253
 ##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"

 ## Zero memory at allocation time and free time.
 ## Fills newly allocated pages, freed pages, and heap objects with zeros.
@ -134,15 +132,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 ## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
 ##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"

-## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.
+## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
+## Legacy compatibility feature for superseded glibc versions.
 ##
-## https://en.wikipedia.org/wiki/VDSO
+## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
+## https://lists.openwall.net/linux-kernel/2014/03/11/3
 ##
-## The use of 32 bit vDSO mappings is currently enabled.
-##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"

 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
 ## The default implementation is FIneIBT as of Linux kernel 6.2.
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -127,12 +127,14 @@ kernel.perf_event_paranoid=3
 ##
 kernel.randomize_va_space=2

-## Disable use of the legacy TIOCSTI operation which can be used to inject keypresses.
-## Will break screen readers as can no longer push characters into a controlling TTY.
-##
+## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
+## Can lead to privilege escalation by pushing characters into a controlling TTY.
+## Will break out-dated screen readers that continue to rely on this legacy functionality.
 ## This is disabled by default when using Linux kernel >= 6.2.
 ##
-#dev.tty.legacy_tiocsti=0
+## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
+##
+dev.tty.legacy_tiocsti=0

 ## Disable asynchronous I/O for all processes.
 ## Leading cause of numerous kernel exploits.