[adding the ITP bug on CC]
On Mon, 2019-01-14 at 10:24 -0800, Matt Taggart wrote:
> Hi,
>
> I just found out about your hardening-runtime package, it's great!
>
> A while back I created a package with similar intent named lockdown.
>
> https://gitlab.com/taggart/lockdown

Nice, I didn't know about it, thanks for the pointer.

> (although now there is a linux lockdown https://lwn.net/Articles/750761/
> so I might rename it).

Indeed.

> I've been meaning to get back to working on it, I have some other ideas
> about locking out some old networking protocols and other junk.
>
> Take a look and tell me what you think, maybe it's interesting to merge
> them? (or at the very least I will add a dependency to pull yours in).

I have to admit I'm not sure I like the whole initscript thing, and prefer
the configuration file approach.

Regarding the current features:

kernel.kexec_load_disabled=1 and kernel.unprivileged_bpf_disabled=1 are in
hardening-runtime.

kernel.modules_disabled is not. Starting with Buster unsigned modules won't
load by default so part of the feature (not loading random kernel modules
even if you have CAP_SYS_ADMIN) will be enabled. For the rest (not loading
signed modules for vulnerable stuff, for example), I think it would make
more sense to load the required module in the initramfs and set the setting
there. This could be done by a special initramfs hook and adding all the
whitelisted modules in /etc/initramfs-tools/modules but it has to be done
manually.

All in all:

- I don't think it really makes sense to have both lockdown and
  hardening-runtime (it doesn't hurt that much but still it's duplicate work)
- hardening-runtime supports more stuff (sysctl settings and kernel command
  line) than lockdown at the moment

I think it would make more sense to migrate the modules_disabled part to
hardening-runtime and I would happily welcome co-maintainership on this if
you're interested.
Obviously that's my opinion and I can understand if you're reluctant on
that :)

Regards,
-- 
Yves-Alexis
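An added example, not code from this thread or from either package: a small POSIX sh audit of the three sysctl knobs discussed above, read straight from /proc/sys. The function names and the optional root-directory argument (so the check can be run against a constructed fake /proc tree as well as the live system) are my own assumptions.

```shell
#!/bin/sh
# Audit the runtime-hardening sysctls mentioned in the thread:
#   kernel.kexec_load_disabled, kernel.unprivileged_bpf_disabled,
#   kernel.modules_disabled
# Values are read from "$ROOT/proc/sys/<key with dots as slashes>".
# ROOT is "" for the live system, or a constructed tree for testing.

sysctl_value() {
    # $1 = root of the tree, $2 = sysctl key in dotted form
    path="$1/proc/sys/$(printf '%s' "$2" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo "missing"   # knob absent: kernel too old or /proc not mounted
    fi
}

audit_hardening_knobs() {
    # Prints one line per knob; returns the number of knobs not hardened.
    root="$1"
    failures=0
    for key in kernel.kexec_load_disabled \
               kernel.unprivileged_bpf_disabled \
               kernel.modules_disabled; do
        value=$(sysctl_value "$root" "$key")
        case "$key:$value" in
            # unprivileged_bpf_disabled=2 (newer kernels) is also "disabled",
            # and unlike 1 cannot be flipped back without a reboot
            *:1 | kernel.unprivileged_bpf_disabled:2)
                echo "ok      $key=$value" ;;
            *)
                echo "WARNING $key=$value (expected 1)"
                failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}

# Set AUDIT_RUN=1 to audit the live system (or AUDIT_ROOT for another tree).
if [ -n "${AUDIT_RUN:-}" ]; then
    audit_hardening_knobs "${AUDIT_ROOT:-}"
fi
```

Note that kernel.modules_disabled is one-way: once set to 1 it stays set until reboot, which is why the thread suggests setting it only after the whitelisted modules have been loaded from the initramfs.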