mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-06-08 02:02:38 -04:00
Merge remote-tracking branch 'github-kicksecure/master'
This commit is contained in:
Patrick Schleizer
commit
967f9e257b
3 changed files with 19 additions and 21 deletions
14
README.md
14
README.md
|
|
@ -47,8 +47,7 @@ space, user space, core dumps, and swap space.
|
||||||
|
|
||||||
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
|
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
|
||||||
|
|
||||||
- Provide the option to disable the use of legacy TIOCSTI operation which can be
|
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||||
used to inject keypresses.
|
|
||||||
|
|
||||||
- Disable asynchronous I/O as `io_uring` has been the source
|
- Disable asynchronous I/O as `io_uring` has been the source
|
||||||
of numerous kernel exploits (when using Linux kernel version >= 6.6).
|
of numerous kernel exploits (when using Linux kernel version >= 6.6).
|
||||||
|
|
@ -121,8 +120,8 @@ configuration file.
|
||||||
- Disable merging of slabs with similar size, which reduces the risk of
|
- Disable merging of slabs with similar size, which reduces the risk of
|
||||||
triggering heap overflows and limits influencing slab cache layout.
|
triggering heap overflows and limits influencing slab cache layout.
|
||||||
|
|
||||||
- Provide the option to enable sanity checks and red zoning via slab debugging.
|
- Enable sanity checks and red zoning via slab debugging. This will implicitly
|
||||||
Enabling this feature will implicitly disable kernel pointer hashing.
|
disable kernel pointer hashing, leaking very sensitive information to root.
|
||||||
|
|
||||||
- Enable memory zeroing at both allocation and free time, which mitigates some
|
- Enable memory zeroing at both allocation and free time, which mitigates some
|
||||||
use-after-free vulnerabilities by erasing sensitive information in memory.
|
use-after-free vulnerabilities by erasing sensitive information in memory.
|
||||||
|
|
@ -147,11 +146,10 @@ configuration file.
|
||||||
|
|
||||||
- Provide the option to modify machine check exception handler.
|
- Provide the option to modify machine check exception handler.
|
||||||
|
|
||||||
- Provide the option to enable the kernel Electric-Fence sampling-based memory
|
- Enable the kernel Electric-Fence sampling-based memory safety error detector
|
||||||
safety error detector which can identify heap out-of-bounds access, use-after-free,
|
which can identify heap out-of-bounds access, use-after-free, and invalid-free errors.
|
||||||
and invalid-free errors.
|
|
||||||
|
|
||||||
- Provide the option to disable 32 bit vDSO mappings.
|
- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
|
||||||
|
|
||||||
- Provide the option to use kCFI as the default CFI implementation since it may be
|
- Provide the option to use kCFI as the default CFI implementation since it may be
|
||||||
slightly more resilient to attacks that are able to write arbitrary executables
|
slightly more resilient to attacks that are able to write arbitrary executables
|
||||||
|
|
|
||||||
|
|
@ -37,11 +37,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
||||||
## https://www.kernel.org/doc/html/latest/mm/slub.html
|
## https://www.kernel.org/doc/html/latest/mm/slub.html
|
||||||
## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
|
## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
|
||||||
## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
|
## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
|
||||||
##
|
|
||||||
## The default kernel setting will be utilized until provided sufficient evidence to modify.
|
|
||||||
## https://github.com/Kicksecure/security-misc/issues/253
|
## https://github.com/Kicksecure/security-misc/issues/253
|
||||||
##
|
##
|
||||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
|
||||||
|
|
||||||
## Zero memory at allocation time and free time.
|
## Zero memory at allocation time and free time.
|
||||||
## Fills newly allocated pages, freed pages, and heap objects with zeros.
|
## Fills newly allocated pages, freed pages, and heap objects with zeros.
|
||||||
|
|
@ -134,15 +132,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
|
||||||
##
|
##
|
||||||
## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
|
## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
|
||||||
##
|
##
|
||||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
|
||||||
|
|
||||||
## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.
|
## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
|
||||||
|
## Legacy compatibility feature for superseded glibc versions.
|
||||||
##
|
##
|
||||||
## https://en.wikipedia.org/wiki/VDSO
|
## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
|
||||||
|
## https://lists.openwall.net/linux-kernel/2014/03/11/3
|
||||||
##
|
##
|
||||||
## The use of 32 bit vDSO mappings is currently enabled.
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
|
||||||
##
|
|
||||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
|
|
||||||
|
|
||||||
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
|
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
|
||||||
## The default implementation is FIneIBT as of Linux kernel 6.2.
|
## The default implementation is FIneIBT as of Linux kernel 6.2.
|
||||||
|
|
|
||||||
|
|
@ -127,12 +127,14 @@ kernel.perf_event_paranoid=3
|
||||||
##
|
##
|
||||||
kernel.randomize_va_space=2
|
kernel.randomize_va_space=2
|
||||||
|
|
||||||
## Disable use of the legacy TIOCSTI operation which can be used to inject keypresses.
|
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||||
## Will break screen readers as can no longer push characters into a controlling TTY.
|
## Can lead to privilege escalation by pushing characters into a controlling TTY.
|
||||||
##
|
## Will break out-dated screen readers that continue to rely on this legacy functionality.
|
||||||
## This is disabled by default when using Linux kernel >= 6.2.
|
## This is disabled by default when using Linux kernel >= 6.2.
|
||||||
##
|
##
|
||||||
#dev.tty.legacy_tiocsti=0
|
## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
|
||||||
|
##
|
||||||
|
dev.tty.legacy_tiocsti=0
|
||||||
|
|
||||||
## Disable asynchronous I/O for all processes.
|
## Disable asynchronous I/O for all processes.
|
||||||
## Leading cause of numerous kernel exploits.
|
## Leading cause of numerous kernel exploits.
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue