From 45d20dd972e6501237d35d1605c81d4e3fde43b1 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 6 Aug 2025 02:35:15 +0000 Subject: [PATCH 1/6] Upgrade sysctls and docs on kernel panics --- README.md | 11 +++++------ usr/lib/sysctl.d/990-security-misc.conf | 25 +++++++++++++++---------- usr/libexec/security-misc/panic-on-oops | 19 +++++++++++-------- 3 files changed, 31 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index ac12886..b124a7a 100644 --- a/README.md +++ b/README.md @@ -44,11 +44,10 @@ configuration file and significant hardening is applied to a myriad of component - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Force the kernel to panic on both "oopses", which can potentially indicate and thwart - certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. +- Force the kernel to immediately panic on both "oopses" (which can potentially indicate + and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. -- Optional - Force immediate reboot on the occurrence of a single kernel panic and also - (when using Linux kernel >= 6.2) limit the number of allowed panics to one. +- Optional - Force immediate reboot on the occurrence of a single kernel panic. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. @@ -280,6 +279,8 @@ Completely disables `ptrace()`. Can be enabled easily if needed. * [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) +**Non-compliance:** + 2. `sysctl kernel.panic=-1` Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected 
@@ -288,8 +289,6 @@ system crashes.
 * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
 * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
 
-**Non-compliance:**
-
 3. `sysctl user.max_user_namespaces=0`
 
 Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index eaa671e..139e2e6 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -164,14 +164,14 @@ kernel.sysrq=0
 ##
 kernel.perf_event_paranoid=3
 
-## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
-## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
+## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
 ## Panics may be due to false-positives such as bad drivers.
+## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
 ## Oopses are serious but non-fatal errors.
+## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
 ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors.
 ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON().
 ## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks.
-## Forcing immediate system reboots on any single kernel panic is an extreme option.
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
@@ -180,20 +180,25 @@ kernel.perf_event_paranoid=3
 ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
 ##
-## KSPP=partial
-## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
+## KSPP=yes
+## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
-## TODO: Debian 13 Trixie
-## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
-##
 #kernel.panic=-1
-#kernel.panic_on_oops=1
-#kernel.panic_on_warn=1
 #kernel.oops_limit=1
 #kernel.warn_limit=1
 
+## Force immediate system reboots on the occurrence of a single kernel panic.
+## This is an extreme safety option which also creates a large opening for targeted denial of service attacks.
+##
+## KSPP=no
+## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
+##
+## See /usr/libexec/security-misc/panic-on-oops for implementation.
+##
+#kernel.panic=-1
+
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
 ## Will break out-dated screen readers that continue to rely on this legacy functionality.
diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops
index 749eb3c..3c45a68 100755
--- a/usr/libexec/security-misc/panic-on-oops
+++ b/usr/libexec/security-misc/panic-on-oops
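Review bot: The rewritten comment block drops the only statement of the kernel version requirement: the removed lines `## The limits are applicable when using Linux kernel >= 6.2` and the listing of `#kernel.panic_on_oops=1` / `#kernel.panic_on_warn=1` are gone, while `#kernel.oops_limit=1` / `#kernel.warn_limit=1` remain as the documented settings. A reader of this file can no longer tell that these two sysctls are absent on older kernels or what the fallback is. I would keep one line next to the limits, e.g. `## kernel.oops_limit and kernel.warn_limit require Linux >= 6.2; older kernels need kernel.panic_on_oops=1 and kernel.panic_on_warn=1 instead.` The change from `KSPP=partial` to `KSPP=yes` is also left unexplained: the old text said KSPP additionally requires CONFIG_PANIC_TIMEOUT=-1, which this patch moves into a separate `KSPP=no` entry, so a short note on why the oops/warn part alone now counts as compliant would help the next maintainer.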
@@ -12,12 +12,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
   source /usr/libexec/helper-scripts/pre.bsh
 fi
 
-## Makes the kernel panic on oopses and warnings. This prevents the
-## kernel from continuing to run a flawed processes. Many kernel
-## exploits will also cause an oops, these settings will make the
-## kernel kill the offending processes.
+## Makes the kernel immediately panic on both oopses and warnings.
+## This prevents the kernel from continuing to run a potentially
+## flawed processes. Many kernel exploits will also cause an oops,
+## these settings will make the kernel kill the offending processes.
+sysctl kernel.oops_limit=1
+sysctl kernel.warn_limit=1
+
+## Makes the system immediately reboot on the occur occurrence of
+## a single kernel panic. This is an extreme safety option which also
+## creates a large opening for targeted denial of service attacks.
 #sysctl kernel.panic=-1
-sysctl kernel.panic_on_oops=1
-sysctl kernel.panic_on_warn=1
-#sysctl kernel.oops_limit=1
-#sysctl kernel.warn_limit=1
+

From fce86dccb67db0a37601899bf3115bd9f4fa714a Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Wed, 13 Aug 2025 10:44:40 +1000
Subject: [PATCH 2/6] Typo

---
 usr/libexec/security-misc/panic-on-oops | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops
index 3c45a68..b5cb2e8 100755
--- a/usr/libexec/security-misc/panic-on-oops
+++ b/usr/libexec/security-misc/panic-on-oops
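Review bot: The added `sysctl kernel.oops_limit=1` and `sysctl kernel.warn_limit=1` replace the removed `sysctl kernel.panic_on_oops=1` / `sysctl kernel.panic_on_warn=1` instead of supplementing them, and the comment this same patch deletes from 990-security-misc.conf states that the limits are only applicable on Linux >= 6.2. On an older kernel both new sysctl calls fail (no such key under /proc/sys/kernel) and, since nothing else in the hunk sets the panic_on_* knobs, the script would leave the system with no panic-on-oops hardening at all; the exit status of sysctl is not checked here either, so the failure is silent unless pre.bsh (not visible) enables errexit. Setting the classic knobs unconditionally and the counters only when the kernel exposes them keeps the intended behaviour on every kernel. The enclosing script continues outside the hunk.

```shell
sysctl kernel.panic_on_oops=1
sysctl kernel.panic_on_warn=1
## kernel.oops_limit / kernel.warn_limit exist only on Linux >= 6.2;
## older kernels do not expose them, so set them only when present.
if [ -e /proc/sys/kernel/oops_limit ]; then
  sysctl kernel.oops_limit=1
  sysctl kernel.warn_limit=1
fi
## … unchanged: reboot-on-panic comment and commented-out kernel.panic sysctl …
```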
@@ -19,8 +19,7 @@ fi
 sysctl kernel.oops_limit=1
 sysctl kernel.warn_limit=1
 
-## Makes the system immediately reboot on the occur occurrence of
-## a single kernel panic. This is an extreme safety option which also
-## creates a large opening for targeted denial of service attacks.
+## Makes the system immediately reboot on the occurrence of a single
+## kernel panic. This is an extreme safety option which also creates
+## a large opening for targeted denial of service attacks.
 #sysctl kernel.panic=-1
-

From c33f7d04e2cef477b675fbf6c2a91583ba3bf808 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Sat, 16 Aug 2025 03:32:48 +0000
Subject: [PATCH 3/6] Remove duplicate comment

---
 usr/lib/sysctl.d/990-security-misc.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 139e2e6..be306df 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -185,7 +185,6 @@ kernel.perf_event_paranoid=3
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
-#kernel.panic=-1
 #kernel.oops_limit=1
 #kernel.warn_limit=1
 

From f1de0da69b46f91ea7fd34db601393d23599b3bb Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Sat, 16 Aug 2025 04:01:12 +0000
Subject: [PATCH 4/6] Clarify description on panics on oopses and warns

---
 usr/libexec/security-misc/panic-on-oops | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops
index b5cb2e8..1add1ca 100755
--- a/usr/libexec/security-misc/panic-on-oops
+++ b/usr/libexec/security-misc/panic-on-oops
@@ -13,9 +13,10 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then fi ## Makes the kernel immediately panic on both oopses and warnings. -## This prevents the kernel from continuing to run a potentially -## flawed processes. Many kernel exploits will also cause an oops, -## these settings will make the kernel kill the offending processes. +## These settings force a full system crash rather than continuing +## to run after an inconsistent state is triggered by a potentially +## flawed processes. The reasons for the errors could be kernel +## exploit attempts but may also simply be general software bugs. sysctl kernel.oops_limit=1 sysctl kernel.warn_limit=1 From 247015bcc6e924e24874d16ed7ad78165ace58a3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 17 Aug 2025 06:27:44 +0000 Subject: [PATCH 5/6] Set `sysctl kernel.panic=-1` --- README.md | 15 ++++----------- usr/lib/sysctl.d/990-security-misc.conf | 6 ++++-- usr/libexec/security-misc/panic-on-oops | 6 +++--- 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index b124a7a..425bd0d 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,8 @@ configuration file and significant hardening is applied to a myriad of component - Force the kernel to immediately panic on both "oopses" (which can potentially indicate and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. -- Optional - Force immediate reboot on the occurrence of a single kernel panic. +- Force immediate system reboot on the occurrence of a single kernel panic, reducing the + risk and impact of both denial of service and cold boot attacks. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. 
@@ -281,21 +282,13 @@ Completely disables `ptrace()`. Can be enabled easily if needed. **Non-compliance:** -2. `sysctl kernel.panic=-1` - -Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected -system crashes. - -* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) -* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) - -3. `sysctl user.max_user_namespaces=0` +2. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) -4. `sysctl fs.binfmt_misc.status=0` +3. `sysctl fs.binfmt_misc.status=0` Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index be306df..3c43d8d 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -189,9 +189,11 @@ kernel.perf_event_paranoid=3 #kernel.warn_limit=1 ## Force immediate system reboots on the occurrence of a single kernel panic. -## This is an extreme safety option which also creates a large opening for targeted denial of service attacks. +## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks. +## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. ## -## KSPP=no +## KSPP=yes ## KSPP sets CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 1add1ca..83ceeac 100755 
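Review bot: The new rationale for `kernel.panic=-1` says it "limits impact of denial of service attacks", while the line it replaces — and the comment still present a few lines above in this file about panics on oopses and warnings — says the opposite, that forced panics create a targeted denial-of-service opening; the two statements should be reconciled rather than left contradicting each other. With panics on any oops or WARN() plus an immediate reboot, a user-reachable warning becomes a reboot loop, so I would keep the caveat, e.g. `## Note: combined with panics on oopses and warnings, any user-triggerable oops or WARN() now forces an immediate reboot.` The cold boot and "persistent information disclosure" benefits are plausible but not supported by anything in this series: a reboot does not necessarily clear RAM contents, and the panic details are lost to the operator as well unless a crash capture path (pstore, kdump or similar) is configured, which nothing here sets up — worth stating as a trade-off rather than as a pure gain.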
--- a/usr/libexec/security-misc/panic-on-oops
+++ b/usr/libexec/security-misc/panic-on-oops
@@ -21,6 +21,6 @@ sysctl kernel.oops_limit=1
 sysctl kernel.warn_limit=1
 
 ## Makes the system immediately reboot on the occurrence of a single
-## kernel panic. This is an extreme safety option which also creates
-## a large opening for targeted denial of service attacks.
-#sysctl kernel.panic=-1
+## kernel panic. This reduces the risk and impact of both denial of
+## service and cold boot attacks.
+sysctl kernel.panic=-1

From 6df3e3cde8053d6b2771f510457da774336546bf Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Sun, 17 Aug 2025 06:32:11 +0000
Subject: [PATCH 6/6] Update kernel panic service description

---
 usr/lib/systemd/system/panic-on-oops.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service
index 6b10ddc..429af3d 100644
--- a/usr/lib/systemd/system/panic-on-oops.service
+++ b/usr/lib/systemd/system/panic-on-oops.service
@@ -2,7 +2,7 @@
 ## See the file COPYING for copying conditions.
 
 [Unit]
-Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process.
+Description=Sets 'sysctl' settings relating to kernel panics on both oopses and warnings late during the boot process.
 Documentation=https://github.com/Kicksecure/security-misc
 ConditionKernelCommandLine=!panic-on-oops=0
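Review bot: `sysctl kernel.panic=-1` now runs unconditionally, so the only way left to keep the oops/warn panics without the forced reboot is the unit-level `ConditionKernelCommandLine=!panic-on-oops=0` visible in the service file below, which (assuming that unit is what runs this script) disables all three settings together; the README text replaced earlier in this series called the reboot "Optional", and that granularity is lost here. If the reboot should remain separately disable-able, gate it on its own switch, e.g. `if ! grep -qw 'panic-on-oops-reboot=0' /proc/cmdline; then sysctl kernel.panic=-1; fi` (name to taste), and document it alongside `panic-on-oops=0`. As with the two limit sysctls above it, the return status of sysctl is unchecked, so a failed write would go unnoticed unless pre.bsh (not visible) enables errexit. The enclosing script begins outside the hunk.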