Bug#919226: hardening

2019-01-15 Thread Yves-Alexis Perez

[adding the ITP bug on CC]

On Mon, 2019-01-14 at 10:24 -0800, Matt Taggart wrote:
> Hi,
> 
> I just found out about your hardening-runtime package, it's great!
> 
> A while back I created a package with similar intent named lockdown.
> 
> https://gitlab.com/taggart/lockdown

Nice, I didn't know about it, thanks for the pointer.
> 
> (although now there is a linux lockdown https://lwn.net/Articles/750761/
> so I might rename it).

Indeed.
> 
> I've been meaning to get back to working on it, I have some other ideas
> about locking out some old networking protocols and other junk.
> 
> Take a look and tell me what you think, maybe it's interesting to merge
> them? (or at the very least I will add a dependency to pull yours in).

I have to admit I'm not sure I like the whole initscript thing, and prefer the
configuration file approach. Regarding the current features:

kernel.kexec_load_disabled=1 and kernel.unprivileged_bpf_disabled=1 are in
hardening-runtime

kernel.modules_disabled is not. Starting with Buster unsigned modules won't
load by default so part of the feature (not loading random kernel modules even
if you have CAP_SYS_ADMIN) will be enabled. For the rest (not loading signed
modules for vulnerable stuff, for example), I think it would make more sense
to load the required module in the initramfs and set the setting there.

This could be done by a special initramfs hook and adding all the whitelisted
modules in /etc/initramfs-tools/modules but it has to be done manually.

All in all:

- I don't think it really makes sense to have both lockdown and
hardening-runtime (it doesn't hurt that much but still it's duplicate work)
- hardening-runtime supports more stuff (sysctl settings and kernel command
line) than lockdown at the moment

I think it would make more sense to migrate the modules_disabled part to
hardening-runtime and I would happily welcome co-maintainership on this if
you're interested. Obviously that's my opinion and I can understand if you're
reluctant on that :)

Regards,
-- 
Yves-Alexis
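An added audit script for the three sysctl knobs discussed in the message above; it is not code from the thread nor from hardening-runtime or lockdown, and the tree root is a parameter only so it can be run against a constructed copy of /proc/sys.

```shell
#!/bin/sh
# Added example, not part of the bug thread nor of hardening-runtime or
# lockdown: audit the three sysctl knobs discussed above. The tree root is a
# parameter so the check can also run against a constructed copy of /proc/sys.

# Values the thread treats as the hardened state. kernel.modules_disabled is
# the one hardening-runtime does not ship; it is one-way until reboot, which
# is why required modules must already be loaded (e.g. from the initramfs).
EXPECTED="kernel.kexec_load_disabled=1
kernel.unprivileged_bpf_disabled=1
kernel.modules_disabled=1"

# read_sysctl ROOT KEY: print the current value of KEY (dotted form) under
# ROOT, or "missing" when this kernel does not expose the knob at all.
read_sysctl() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo missing
    fi
}

# audit_sysctls ROOT: print one line per knob and return the number of knobs
# that are missing or not at their expected value (0 means fully hardened).
audit_sysctls() {
    root="${1:-/proc/sys}"
    bad=0
    for entry in $EXPECTED; do          # entries contain no spaces, so word
        key=${entry%%=*}                # splitting on newlines is safe here
        want=${entry#*=}
        have=$(read_sysctl "$root" "$key")
        if [ "$have" = "$want" ]; then
            status=ok
        else
            status="MISMATCH (have $have, want $want)"
            bad=$((bad + 1))
        fi
        printf '%-36s %s\n' "$key" "$status"
    done
    return "$bad"
}

# Run against the live kernel only when asked explicitly, so sourcing the
# file for its functions has no side effects.
if [ "${1:-}" = "--live" ]; then
    audit_sysctls /proc/sys
fi
```

Run it with `--live` on a real host; a nonzero exit status means at least one knob is not in the hardened state.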



Bug#919226: hardening

2019-01-26 Thread Yves-Alexis Perez

On Tue, 2019-01-15 at 10:26 +0100, Yves-Alexis Perez wrote:
> I think it would make more sense to migrate the modules_disabled part to
> hardening-runtime and I would happily welcome co-maintainership on this if
> you're interested. Obviously that's my opinion and I can understand if you're
> reluctant on that :)

Hi,

In case you missed it, I've uploaded hardening-runtime and it just migrated to
testing.

Regards,
-- 
Yves-Alexis