mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:13:40 +07:00
Merge remote-tracking branch 'github-kicksecure/master'
This commit is contained in:
commit
967f9e257b
14
README.md
14
README.md
@ -47,8 +47,7 @@ space, user space, core dumps, and swap space.
|
||||
|
||||
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
|
||||
|
||||
- Provide the option to disable the use of legacy TIOCSTI operation which can be
|
||||
used to inject keypresses.
|
||||
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||
|
||||
- Disable asynchronous I/O as `io_uring` has been the source
|
||||
of numerous kernel exploits (when using Linux kernel version >= 6.6).
|
||||
@ -121,8 +120,8 @@ configuration file.
|
||||
- Disable merging of slabs with similar size, which reduces the risk of
|
||||
triggering heap overflows and limits influencing slab cache layout.
|
||||
|
||||
- Provide the option to enable sanity checks and red zoning via slab debugging.
|
||||
Enabling this feature will implicitly disable kernel pointer hashing.
|
||||
- Enable sanity checks and red zoning via slab debugging. This will implicitly
|
||||
disable kernel pointer hashing, leaking very sensitive information to root.
|
||||
|
||||
- Enable memory zeroing at both allocation and free time, which mitigates some
|
||||
use-after-free vulnerabilities by erasing sensitive information in memory.
|
||||
@ -147,11 +146,10 @@ configuration file.
|
||||
|
||||
- Provide the option to modify machine check exception handler.
|
||||
|
||||
- Provide the option to enable the kernel Electric-Fence sampling-based memory
|
||||
safety error detector which can identify heap out-of-bounds access, use-after-free,
|
||||
and invalid-free errors.
|
||||
- Enable the kernel Electric-Fence sampling-based memory safety error detector
|
||||
which can identify heap out-of-bounds access, use-after-free, and invalid-free errors.
|
||||
|
||||
- Provide the option to disable 32 bit vDSO mappings.
|
||||
- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
|
||||
|
||||
- Provide the option to use kCFI as the default CFI implementation since it may be
|
||||
slightly more resilient to attacks that are able to write arbitrary executables
|
||||
|
@ -37,11 +37,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
||||
## https://www.kernel.org/doc/html/latest/mm/slub.html
|
||||
## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
|
||||
## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
|
||||
##
|
||||
## The default kernel setting will be utilized until provided sufficient evidence to modify.
|
||||
## https://github.com/Kicksecure/security-misc/issues/253
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
|
||||
|
||||
## Zero memory at allocation time and free time.
|
||||
## Fills newly allocated pages, freed pages, and heap objects with zeros.
|
||||
@ -134,15 +132,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
|
||||
|
||||
## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.
|
||||
## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
|
||||
## Legacy compatibility feature for superseded glibc versions.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/VDSO
|
||||
## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
|
||||
## https://lists.openwall.net/linux-kernel/2014/03/11/3
|
||||
##
|
||||
## The use of 32 bit vDSO mappings is currently enabled.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
|
||||
|
||||
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
|
||||
## The default implementation is FIneIBT as of Linux kernel 6.2.
|
||||
|
@ -127,12 +127,14 @@ kernel.perf_event_paranoid=3
|
||||
##
|
||||
kernel.randomize_va_space=2
|
||||
|
||||
## Disable use of the legacy TIOCSTI operation which can be used to inject keypresses.
|
||||
## Will break screen readers as can no longer push characters into a controlling TTY.
|
||||
##
|
||||
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||
## Can lead to privilege escalation by pushing characters into a controlling TTY.
|
||||
## Will break out-dated screen readers that continue to rely on this legacy functionality.
|
||||
## This is disabled by default when using Linux kernel >= 6.2.
|
||||
##
|
||||
#dev.tty.legacy_tiocsti=0
|
||||
## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
|
||||
##
|
||||
dev.tty.legacy_tiocsti=0
|
||||
|
||||
## Disable asynchronous I/O for all processes.
|
||||
## Leading cause of numerous kernel exploits.
|
||||
|
Loading…
Reference in New Issue
Block a user